Lesson 3 of 8

Reconnaissance


What Reconnaissance Is

Reconnaissance is the first technical phase of a pentest and consists of gathering as much information as possible about the target before interacting directly with its systems. The better you understand the attack surface — domains, subdomains, IP addresses, technologies, employees, vendors — the more effective and targeted every later phase will be.

Well-done reconnaissance saves time and reduces noise. Instead of scanning blindly, you reach the scanning phase with a clear map of which assets exist and which are most promising. A real attacker invests much of their effort here, and a professional pentester should do the same within their authorized scope.

It is important to remember that even reconnaissance must respect scope. Although much information is public, collecting it at scale or intrusively about out-of-bounds assets can be problematic. Always stay within what is authorized.

Passive Reconnaissance

Passive reconnaissance gathers information without sending direct traffic to the target's systems, which makes it practically undetectable. You use third-party sources: public records, search engines, social media, TLS certificates, and intelligence databases. Because you do not directly touch the target's infrastructure, the risk of alerting defenses is minimal.

Classic examples include querying WHOIS records for domain data, using historical DNS records, reviewing certificates on crt.sh to discover subdomains, or searching Shodan and Censys for previously indexed exposed services. These platforms maintain data they already collected, so querying them generates no traffic toward the target.

Passive reconnaissance is the ideal starting point because it builds a broad picture without raising alarms. Only when you exhaust passive sources should you move to more active techniques.
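The passive sources above return more than you asked for: certificate transparency entries list names from every certificate ever logged for a domain, including wildcards, duplicates in mixed case, and names that belong to other organizations. The following script, an added example that is not part of the original lesson or of crt.sh, parses output in the shape of crt.sh's JSON (a list of objects with a `name_value` field that may carry several newline-separated names) and sorts the results into in-scope, out-of-scope, and wildcard buckets, so only authorized assets flow into the next phase. The sample JSON is constructed for the example; the scope list is an assumption.

```python
import json
import re
from typing import Iterable

# Constructed sample in the shape of crt.sh's JSON output. The entries are
# made up for this example; a real query returns whatever has been logged.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "mail.example.com"},
    {"name_value": "WWW.example.com"},          # duplicate, different case
    {"name_value": "shop.example-partner.com"},  # another organization
    {"name_value": "legacy.corp.example.com"},
])

# Conservative hostname syntax check: labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def in_scope(host: str, scope: Iterable[str]) -> bool:
    """True if host equals an authorized apex domain or is a subdomain of one.

    The check is suffix-based on whole labels, so 'example.com.evil.net' and
    'notexample.com' are NOT considered part of the 'example.com' scope.
    """
    host = host.lower().rstrip(".")
    for apex in scope:
        apex = apex.lower().rstrip(".")
        if host == apex or host.endswith("." + apex):
            return True
    return False


def extract_hostnames(ct_json: str, scope: Iterable[str]) -> dict:
    """Parse crt.sh-style JSON into deduplicated, scope-classified hostnames."""
    seen = set()
    result = {"in_scope": [], "out_of_scope": [], "wildcards": []}
    for entry in json.loads(ct_json):
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # Record the wildcard itself, then keep its base name so the
                # namespace it covers still appears in the inventory.
                if name not in seen:
                    seen.add(name)
                    result["wildcards"].append(name)
                name = name[2:]
            if name in seen or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            bucket = "in_scope" if in_scope(name, scope) else "out_of_scope"
            result[bucket].append(name)
    for bucket in result:
        result[bucket].sort()
    return result


if __name__ == "__main__":
    classified = extract_hostnames(SAMPLE_CT_JSON, ["example.com"])
    for bucket, names in classified.items():
        print(f"{bucket}: {names}")
```

The out-of-scope bucket is kept rather than silently dropped: names like `shop.example-partner.com` are worth noting in the report as a shared-certificate or vendor relationship, but they must not be touched without an explicit extension of the authorization.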

OSINT: Open Source Intelligence

OSINT (Open Source Intelligence) is the discipline of obtaining intelligence from publicly available information. It includes employees' LinkedIn profiles, GitHub repositories where credentials or configurations sometimes leak, public documents with revealing metadata, and mentions on forums or social media.

Tools like theHarvester collect emails, subdomains, and names associated with a domain from multiple public sources. Maltego visualizes relationships between entities — people, domains, IPs, emails — helping to understand the organizational structure. SpiderFoot automates OSINT collection from hundreds of sources and correlates it automatically.

The value of OSINT lies in its human and organizational dimension: employee names useful for social engineering (in engagements that include it), technologies revealed in job postings, or email naming conventions that facilitate authorized brute-force attacks. All this public information paints a portrait of the target before touching a single port.

Infrastructure Footprinting

Footprinting is the process of mapping the target's technical footprint: which domains and subdomains it owns, which IP ranges it uses, which hosting and CDN providers it employs, and which technologies it runs. The goal is to build a complete inventory of assets before scanning.

To enumerate subdomains passively you can use Amass in passive mode, subfinder, or query certificate transparency. To understand the DNS infrastructure, tools like dnsrecon and queries to MX, NS, and TXT records (SPF policies are published as TXT) reveal mail providers, name servers, and policies. Each piece of data expands your attack-surface map.

Identifying web technologies — frameworks, servers, CMS — can be done with Wappalyzer or WhatWeb. Knowing that a site runs a specific version of WordPress or a particular server steers the following phases toward known vulnerabilities of those technologies.
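An SPF record is one of the most informative pieces of footprinting data: its `include:` terms name the organization's mail providers, its `ip4:`/`ip6:` terms list sending networks, and its final `all` qualifier tells you how strict the policy is. The parser below is an added example, not code from the lesson or from dnsrecon; it interprets an SPF string you have already fetched (from the TXT record) and, from a defender's angle, flags the weaknesses an auditor looks for: a permissive `+all`/`?all`, the deprecated `ptr` mechanism, and more than the ten DNS-querying mechanisms RFC 7208 allows. The two records are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed SPF records for the example (addresses from the RFC 5737
# documentation range; provider names are illustrative).
SAMPLE_SPF_STRICT = (
    "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
    "ip4:203.0.113.0/24 mx -all"
)
SAMPLE_SPF_WEAK = "v=spf1 a mx ptr include:mail.example-partner.com ?all"

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpfSummary:
    includes: List[str] = field(default_factory=list)   # third-party senders
    networks: List[str] = field(default_factory=list)   # ip4/ip6 terms
    all_qualifier: str = ""                              # "-", "~", "?", "+" or ""
    lookup_mechanisms: int = 0
    findings: List[str] = field(default_factory=list)


def parse_spf(record: str) -> SpfSummary:
    """Summarize an SPF TXT value and list policy weaknesses."""
    summary = SpfSummary()
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        summary.findings.append("not an SPF record")
        return summary
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                      # modifier: redirect=, exp=
            name, _, value = term.partition("=")
        else:                                # mechanism: include:, ip4:, mx ...
            name, _, value = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            summary.lookup_mechanisms += 1
        if name in ("include", "redirect"):
            summary.includes.append(value)
        elif name in ("ip4", "ip6"):
            summary.networks.append(value)
        elif name == "all":
            summary.all_qualifier = qualifier
        elif name == "ptr":
            summary.findings.append("ptr mechanism is deprecated and slow")
    if summary.all_qualifier in ("+", "?"):
        summary.findings.append(
            f"'{summary.all_qualifier}all' lets any sender pass"
        )
    elif not summary.all_qualifier:
        summary.findings.append("no 'all' mechanism; unlisted senders are neutral")
    if summary.lookup_mechanisms > 10:
        summary.findings.append("exceeds the 10 DNS lookup limit (permerror)")
    return summary


if __name__ == "__main__":
    for label, rec in (("strict", SAMPLE_SPF_STRICT), ("weak", SAMPLE_SPF_WEAK)):
        s = parse_spf(rec)
        print(label, s.includes, s.all_qualifier, s.findings)
```

For footprinting, the `includes` list is the interesting output: it tells you which mail providers and partners are authorized to send on the domain's behalf, which often reveals the collaboration suite in use. For the defending organization, the `findings` list is the actionable part.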

Active Reconnaissance

Active reconnaissance involves interacting directly with the target's systems, which generates potentially detectable traffic. It includes targeted DNS resolution, pings, traceroutes, and direct queries to services. It is noisier than passive recon, but also more precise, since it confirms in real time which assets are alive and accessible.

For example, a misconfigured DNS zone transfer (AXFR) can reveal an organization's entire list of internal hosts. Live host discovery via ping sweeps or ARP probes confirms which addresses respond. These techniques mark the transition toward port scanning, which we will see in the next lesson.

Because active reconnaissance leaves a trace, it is wise to balance depth and stealth according to the rules of engagement. If the test's goal includes evaluating the client's detection capability, you can be deliberately noisy; if not, you moderate the intensity to avoid overloading systems.
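Because the techniques in this section leave traces, it helps to know what those traces look like from the other side, especially when the engagement is meant to test detection. The script below is an added example, not part of the lesson, written from the defender's seat: it reads constructed log lines in a simplified, made-up format (not any real firewall's or DNS server's exact syntax) and flags two of the patterns just described, a source that probes many distinct hosts in a short window (a ping sweep) and an AXFR request from a host that is not an authorized secondary name server. Addresses come from the RFC 5737 documentation ranges; the allow-list is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log excerpt in a simplified format invented for this example.
# One 'fw icmp' line per ICMP echo request, one 'dns client' line per AXFR.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z fw icmp src=198.51.100.7 dst=10.0.0.1 type=8
2024-05-01T10:00:01Z fw icmp src=198.51.100.7 dst=10.0.0.2 type=8
2024-05-01T10:00:02Z fw icmp src=198.51.100.7 dst=10.0.0.3 type=8
2024-05-01T10:00:02Z fw icmp src=198.51.100.7 dst=10.0.0.4 type=8
2024-05-01T10:00:03Z fw icmp src=198.51.100.7 dst=10.0.0.5 type=8
2024-05-01T10:00:05Z fw icmp src=10.0.0.50 dst=10.0.0.1 type=8
2024-05-01T10:00:09Z fw icmp src=10.0.0.50 dst=10.0.0.1 type=8
2024-05-01T10:00:12Z dns client 10.0.0.53#4321: zone example.com: AXFR requested
2024-05-01T10:00:13Z dns client 198.51.100.7#5555: zone example.com: AXFR requested
"""

ICMP_RE = re.compile(r"^(?P<ts>\S+) fw icmp src=(?P<src>\S+) dst=(?P<dst>\S+) type=8$")
AXFR_RE = re.compile(
    r"^(?P<ts>\S+) dns client (?P<src>[^#]+)#\d+: zone (?P<zone>\S+): AXFR requested$"
)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_ping_sweeps(log: str, min_hosts: int = 5, window_seconds: int = 60) -> dict:
    """Return {src: distinct_hosts} for sources that echo-request at least
    min_hosts distinct destinations within any window_seconds-long window."""
    events = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in log.splitlines():
        m = ICMP_RE.match(line)
        if m:
            events[m["src"]].append((parse_ts(m["ts"]), m["dst"]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()                     # sliding window over time-ordered probes
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def detect_unauthorized_axfr(log: str, allowed_secondaries) -> list:
    """Return [(src, zone)] for zone-transfer requests from hosts that are not
    on the allow-list of secondary name servers."""
    allowed = set(allowed_secondaries)
    return [(m["src"], m["zone"])
            for m in map(AXFR_RE.match, log.splitlines())
            if m and m["src"] not in allowed]


if __name__ == "__main__":
    print("ping sweeps:", detect_ping_sweeps(SAMPLE_LOG))
    print("unauthorized AXFR:", detect_unauthorized_axfr(SAMPLE_LOG, ["10.0.0.53"]))
```

The sweep detector counts distinct destinations rather than raw packets, so a monitoring host that pings one server every few seconds (`10.0.0.50` above) is not flagged. The AXFR check is the mitigation side of the misconfiguration mentioned above: a correctly configured primary only answers transfers from its listed secondaries, and any other request is worth an alert whether or not it succeeded.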

From Information to Action

Reconnaissance only has value if you organize and analyze what you collect. Centralize domains, IPs, technologies, and people in a clear structure that feeds the following phases. A good practice is to maintain a spreadsheet or asset database that grows throughout the engagement.

Reconnaissance is not a one-time event: it is continuous. As you scan and exploit, you will discover new assets that warrant returning to recon techniques. Treat this phase as an iterative cycle and keep your attack-surface map always updated and within the authorized scope.
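A spreadsheet works, but a small structured inventory makes the two points above, centralizing findings and iterating on them, concrete. The class below is an added example and not part of the lesson: every asset is keyed by kind and value, records which sources reported it, carries the recon iteration in which it first appeared, and is checked against the authorized scope (domains by suffix, IPs by network) the moment it is added. The demo data, source names and scope are constructed for the example.

```python
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    kind: str                      # "domain", "ip", "technology", "contact"
    value: str
    in_scope: bool
    first_seen: int                # recon iteration that first produced it
    sources: Set[str] = field(default_factory=set)
    related: Set[str] = field(default_factory=set)   # hosts it was observed on


class AssetInventory:
    def __init__(self, scope_domains, scope_networks):
        self.scope_domains = [d.lower().rstrip(".") for d in scope_domains]
        self.scope_networks = [ipaddress.ip_network(n) for n in scope_networks]
        self.assets: Dict[Tuple[str, str], Asset] = {}
        self.iteration = 0

    def _in_scope(self, kind: str, value: str) -> bool:
        if kind == "domain":
            v = value.lower().rstrip(".")
            return any(v == d or v.endswith("." + d) for d in self.scope_domains)
        if kind == "ip":
            addr = ipaddress.ip_address(value)
            return any(addr in net for net in self.scope_networks)
        # Technologies and contacts are not targets themselves; they inherit
        # scope from the host they were observed on, so they are never blocked.
        return True

    def add(self, kind: str, value: str, source: str, related: str = None) -> Asset:
        """Record a finding; repeated findings merge into the existing asset."""
        key = (kind, value.lower())
        asset = self.assets.get(key)
        if asset is None:
            asset = Asset(kind, value.lower(), self._in_scope(kind, value), self.iteration)
            self.assets[key] = asset
        asset.sources.add(source)
        if related:
            asset.related.add(related.lower())
        return asset

    def next_iteration(self) -> int:
        """Call when a later phase (scanning, exploitation) sends you back to recon."""
        self.iteration += 1
        return self.iteration

    def new_since(self, iteration: int) -> List[Asset]:
        return [a for a in self.assets.values() if a.first_seen >= iteration]

    def targets_for_scanning(self) -> List[str]:
        """Deduplicated in-scope hosts: the hand-off to the scanning phase."""
        return sorted(a.value for a in self.assets.values()
                      if a.in_scope and a.kind in ("domain", "ip"))

    def out_of_scope(self) -> List[str]:
        return sorted(a.value for a in self.assets.values() if not a.in_scope)

    def export_json(self) -> str:
        rows = [{**vars(a), "sources": sorted(a.sources), "related": sorted(a.related)}
                for a in self.assets.values()]
        return json.dumps(rows, indent=2)


def build_demo_inventory() -> AssetInventory:
    """Constructed walk-through: two recon iterations on a hypothetical scope."""
    inv = AssetInventory(["example.com"], ["203.0.113.0/24"])
    inv.add("domain", "www.example.com", "crt.sh")
    inv.add("domain", "www.example.com", "amass-passive")       # merges
    inv.add("ip", "203.0.113.10", "dns-a-record", related="www.example.com")
    inv.add("domain", "shop.example-partner.com", "crt.sh")     # out of scope
    inv.add("technology", "WordPress", "whatweb", related="www.example.com")
    inv.next_iteration()          # scanning revealed new names; back to recon
    inv.add("domain", "intranet.example.com", "tls-certificate-san", related="203.0.113.10")
    inv.add("ip", "198.51.100.9", "dns-a-record", related="shop.example-partner.com")
    return inv


if __name__ == "__main__":
    inventory = build_demo_inventory()
    print("scan targets:", inventory.targets_for_scanning())
    print("out of scope:", inventory.out_of_scope())
    print(inventory.export_json())
```

Keeping `sources` per asset pays off in the report: a host confirmed by three independent sources deserves more attention than one seen once, and `new_since()` gives you the delta each time a later phase sends you back into reconnaissance.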