Reconnaissance

Intelligence gathering is the foundation of any successful penetration test. The more you know about your target, the more effective your attacks will be.

🔍 Why Reconnaissance Matters

Attack Surface Discovery: Find all entry points before testing - subdomains, APIs, and forgotten assets
Technology Mapping: Identify frameworks, versions, and known vulnerabilities to target
Social Engineering Intel: Gather employee info, org structure, and email formats for phishing
Efficient Testing: Focus efforts on high-value targets instead of testing blindly

💡 Pro Tip: Spend 30-40% of your engagement time on reconnaissance - thorough recon dramatically increases success rates in later phases.

📚 Reconnaissance Guides

Explore in-depth guides for each reconnaissance technique. Each guide includes tools, techniques, examples, and practical exercises.

Passive Reconnaissance

OSINT

OSINT fundamentals, WHOIS analysis, DNS enumeration, certificate transparency logs, Google dorking, Shodan/Censys, and leaked credential discovery.

WHOIS DNS Shodan Dorking

Subdomain Discovery

Enumeration

Passive sources (CT logs, SecurityTrails), DNS brute-forcing, permutation discovery, automation pipelines, and subdomain takeover detection.

Subfinder Amass CT Logs Brute Force

Active Reconnaissance

Active

Technology fingerprinting, web crawling, JavaScript analysis, screenshot capture, service detection, and automated enumeration pipelines.

WhatWeb httpx GoWitness Katana

Subdomain Takeover

Critical

Identifying dangling DNS records, exploiting unclaimed cloud resources, and claiming subdomains via GitHub Pages, S3, Azure, and other services.

Nuclei subjack dnsx CNAME

🛠️ Essential Reconnaissance Tools

Subfinder

Fast passive subdomain enumeration

go install ...subfinder@latest GitHub →

Amass

Attack surface mapping & discovery

go install ...amass/v4@master GitHub →

httpx

Fast HTTP probing toolkit

go install ...httpx@latest GitHub →

Shodan CLI

Internet-wide scan database

pip install shodan Docs →

Reconnaissance Workflow

flowchart TD A[Start Reconnaissance] --> B[Passive Recon] A --> C[Active Recon] B --> D[OSINT] B --> E[DNS Analysis] B --> F[Search Engines] C --> G[Port Scanning] C --> H[Service Detection] C --> I[Web Crawling] D --> J[Target Profile] E --> J F --> J G --> J H --> J I --> J J --> K[Attack Surface Map] style A fill:#00ff00,stroke:#000,color:#000 style K fill:#00ffff,stroke:#000,color:#000

✅ Quick Checklist

Ensure you've completed reconnaissance across all categories:

Passive
  • ☐ WHOIS analysis
  • ☐ DNS enumeration
  • ☐ CT log subdomains
  • ☐ Google dorking
Subdomain Discovery
  • ☐ Passive sources
  • ☐ DNS brute-forcing
  • ☐ Permutation scanning
  • ☐ Takeover detection
Active
  • ☐ Tech fingerprinting
  • ☐ Web crawling
  • ☐ JS analysis
  • ☐ Screenshot capture

Next Steps

With a comprehensive understanding of your target's attack surface, proceed to the Scanning phase to identify specific vulnerabilities in the discovered assets.

Related Topics

Pre-Engagement

Scope and authorization setup

Scanning

Active scanning and enumeration

Domain OSINT

Deep dive into domain intelligence

Tools Reference

Complete tools listing