Information Gathering
Passive Reconnaissance
Passive techniques involve no direct interaction with the target system. They rely on publicly available data, and are less likely to trigger detection mechanisms.
Common Techniques
- Monitoring public websites and content (company pages, blogs, changelogs)
- Analyzing social media presence of employees or departments
- Querying DNS and WHOIS records using tools like whois, dnsdumpster, crt.sh
- Reviewing pastebin dumps and breach databases
- Harvesting metadata from exposed documents and images
- Searching public repositories (GitHub leaks, internal code or config files)
- Mapping infrastructure using Shodan and Censys
Tools
- theHarvester
- Recon-ng
- SpiderFoot
- Maltego
- FOCA (for metadata extraction)
- GitHub Dorking Tools
Active Reconnaissance
Active techniques involve sending packets to the target system and observing responses. This can reveal detailed technical data but may trigger logging or alerts.
Common Techniques
- Scanning open ports using Nmap or Masscan
- Banner grabbing to identify services
- OS fingerprinting using TCP/IP stack behavior
- DNS zone transfers and brute-forcing with dnsrecon or dnsenum
- Detecting WAFs, proxies, or CDNs
- Enumerating services like SMB, FTP, HTTP, SNMP
Tools
Hybrid / Semi-Passive Techniques
Some techniques blur the line between passive and active.
- Certificate Transparency Log monitoring (e.g. crt.sh)
- Passive DNS databases
- Third-party subdomain enumeration (without DNS queries)
- Crawling public GitHub issues for leaked credentials
- Using APIs to gather external data (e.g. SecurityTrails, Shodan API)
Structuring Your Recon
A common workflow combines both passive and active methods:
1. **Start passive:** collect domains, emails, tech stack, leaked info 2. **Enumerate targets:** subdomains, IPs, related infrastructure 3. **Engage actively:** scan ports, fingerprint services, probe for weaknesses 4. **Document everything:** maintain structured notes and timestamps