Information Gathering

Reconnaissance

Mapping the attack surface before the first packet is sent

Updated 2026-04-16
Tags: #osint #passive #active #dns #network-mapping
TL;DR
  • Recon divides into passive (no target contact) and active (direct interaction) — know which mode you're in before you start
  • OSINT tools (theHarvester, Shodan, Maltego) collect publicly available data without touching the target
  • DNS is the richest passive source — one domain leaks subdomains, mail servers, and CDN infrastructure
  • Active scanning (Nmap, Gobuster) creates logs and alerts — only run it when stealth no longer matters
  • A thorough recon phase determines every subsequent attack decision — skipping it makes everything noisier

Overview

Reconnaissance is the systematic process of gathering intelligence about a target before any active attack begins. It divides cleanly into two modes: passive (no packets touch the target) and active (direct interaction with target systems). The distinction matters both operationally and legally.

A well-executed recon phase determines everything that follows — which vulnerabilities to probe, which credentials to attempt, which services are exposed. Skipping it is the fastest path to noisy, ineffective attacks.


Prerequisites

  • Basic networking: IP addresses, subnets, ports, TCP/UDP behaviour
  • Comfortable on the Linux command line — every tool here runs from a terminal
  • A Kali Linux environment or equivalent (ParrotOS, BlackArch)

Recommended lab: Any HackTheBox Starting Point machine, TryHackMe "Network Fundamentals" room, or a home lab with VirtualBox + a vulnerable VM (Metasploitable, VulnHub).


Passive Reconnaissance

Passive recon collects publicly available information without alerting the target. The attack surface here is enormous — DNS records, WHOIS data, job postings, GitHub repos, social media, archived web pages.

DNS Enumeration

DNS is one of the richest passive recon sources. A single domain leaks subdomains, mail infrastructure, CDN providers, and sometimes internal naming conventions.

```bash
# Brute-force subdomains with a wordlist
gobuster dns -d target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Zone transfer attempt (often misconfigured)
dig axfr @ns1.target.com target.com

# Passive DNS — no direct contact
amass enum -passive -d target.com
```

WHOIS & Certificate Transparency

```bash
whois target.com

# Certificate transparency logs reveal subdomains
# -r prints raw strings so sort -u de-duplicates hostnames rather than quoted JSON strings
curl "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
```
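The jq pipeline above prints raw `name_value` strings, which is enough to eyeball but not to build an inventory from: one field can hold several SANs joined by newlines, wildcards and mixed case produce duplicates, and a name that merely contains the apex is not yours. The following Python script is an added example, not code from the original page; `SAMPLE_CRTSH_JSON` is a constructed stand-in for a crt.sh response and the `today` cutoff is an assumed date, so it runs offline and shows which names are still backed by an unexpired certificate.

```python
import json

# Constructed sample shaped like crt.sh's ?q=%.target.com&output=json output.
# Real responses carry more fields; only name_value and not_after are used here.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\nmail.target.com", "not_after": "2026-01-10T00:00:00"},
    {"name_value": "*.target.com", "not_after": "2025-03-01T00:00:00"},
    {"name_value": "MAIL.target.com", "not_after": "2025-09-15T00:00:00"},
    {"name_value": "vpn.target.com", "not_after": "2024-12-31T00:00:00"},
    {"name_value": "target.com.evil.example", "not_after": "2026-01-10T00:00:00"},
    {"name_value": "dev.staging.target.com", "not_after": "2026-05-05T00:00:00"},
])


def extract_subdomains(raw_json: str, apex: str, today: str = "2025-06-01") -> dict[str, bool]:
    """Return {hostname: has_unexpired_cert} for every name genuinely under apex.

    Normalises the quirks a plain jq dump leaves in place: newline-joined SANs,
    wildcard prefixes, upper-case names, and look-alike names that only contain
    the apex as a substring (target.com.evil.example).  `today` is an assumed cutoff.
    """
    apex = apex.lower().rstrip(".")
    seen: dict[str, bool] = {}
    for entry in json.loads(raw_json):
        # crt.sh timestamps are ISO 8601, so a lexical compare orders them correctly
        valid = entry.get("not_after", "") >= today
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # *.target.com tells us about the apex itself
            if name != apex and not name.endswith("." + apex):
                continue                 # unrelated name that merely contains the apex
            # A host counts as current if any unexpired certificate names it
            seen[name] = seen.get(name, False) or valid
    return seen


def report(found: dict[str, bool]) -> list[str]:
    """Sorted 'host<TAB>status' lines; 'expired-only' hosts deserve a second look."""
    return [f"{host}\t{'current' if ok else 'expired-only'}" for host, ok in sorted(found.items())]


if __name__ == "__main__":
    for line in report(extract_subdomains(SAMPLE_CRTSH_JSON, "target.com")):
        print(line)
```

Hosts that appear only on expired certificates are often decommissioned systems that still resolve, which is exactly the stale attack surface an inventory should surface.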

OSINT Frameworks

| Tool | Purpose |
|---|---|
| theHarvester | Emails, subdomains, IPs from public sources |
| maltego | Visual link analysis across data sources |
| recon-ng | Modular OSINT framework |
| sherlock | Username enumeration across platforms |

Active Reconnaissance

Active recon sends packets to the target. Detectable, but necessary for accurate intelligence.

Host Discovery

```bash
# Ping sweep — find live hosts on a subnet
nmap -sn 192.168.1.0/24

# ARP scan (local network only, more reliable)
netdiscover -r 192.168.1.0/24
arp-scan --localnet
```

Port Scanning

```bash
# Full TCP scan with service/version detection
nmap -sV -sC -p- --min-rate 5000 -oA scan_output 10.10.10.5

# Top 1000 ports, OS detection
nmap -A -T4 10.10.10.5

# UDP scan (slow — target specific ports)
nmap -sU -p 53,67,68,69,123,161,500 10.10.10.5
```

Service Fingerprinting

```bash
# Grab banners manually
nc -nv 10.10.10.5 22
nc -nv 10.10.10.5 80

# Identify web technologies
whatweb http://10.10.10.5
nikto -h http://10.10.10.5
```

SMB Enumeration

SMB is a goldmine in Windows environments. Even unauthenticated, it leaks OS version, hostname, workgroup, and share names.

```bash
# Null session share enumeration
smbclient -L //10.10.10.5 -N

# Enumerate with enum4linux
enum4linux -a 10.10.10.5

# Check for EternalBlue/MS17-010
nmap --script smb-vuln-ms17-010 10.10.10.5
```

OSINT for Social Engineering

People are attack surfaces too. LinkedIn reveals org structure, technology stacks (from job postings), and target employees. GitHub leaks credentials in commit history more often than anyone admits.

```bash
# Search GitHub for secrets
trufflehog github --repo https://github.com/target/repo

# Check for exposed credentials in git history
git log --all --full-history -- "*.env"
```

Operational Notes

  • Document everything — screenshots, Nmap XML output, notes. Recon without records is worthless.
  • Rate limit active scans: --max-rate and -T2 reduce detection likelihood.
  • Cross-reference sources — one DNS record is a hint; three sources confirming it is a fact.
  • Time your scans — business hours blend into legitimate traffic. Off-hours stand out in logs.

See also

  • Web Application Analysis — web apps are usually the richest attack surface discovered during recon
  • Exploitation — apply the intelligence gathered here to gain initial access
  • Password Attacks — credentials and hashes found during recon feed directly into cracking workflows