Reconnaissance

Passive Reconnaissance

Passive reconnaissance gathers information without directly interacting with target systems, leaving no traces in target logs. This is the foundation of any engagement and should be conducted extensively before any active testing.

Why Passive Recon Matters

Passive reconnaissance leaves no footprint on target systems. Information gathered from public sources provides attack surface knowledge while maintaining stealth. This phase often reveals forgotten assets, sensitive documents, and organizational information critical for social engineering.

Information

Spend 30-40% of your engagement time on reconnaissance. Thorough recon dramatically increases success rates in later phases.

Tools & Resources

theHarvester

Emails, subdomains, hosts from public sources

pip install theHarvester

Amass

Comprehensive attack surface mapping

go install ...amass/v4@master

Shodan CLI

Query internet-wide scan database

pip install shodan

Recon-ng

Full-featured recon framework

pip install recon-ng

WHOIS Lookup

WHOIS provides domain registration information including registrant details, name servers, registration dates, and contact information.

whois-lookup.sh
bash
# Basic WHOIS lookup
whois example.com

# Query specific WHOIS server
whois -h whois.verisign-grs.com example.com

# Using online tools for privacy-protected domains
curl -s "https://www.whois.com/whois/example.com" | grep -i "registrant"

# Reverse WHOIS - find domains by registrant
# ViewDNS.info, WhoisXML API, DomainTools

# WHOIS for IP addresses
whois 192.168.1.1

# ASN lookup
whois -h whois.radb.net AS15169

WHOIS Information to Extract

Registration Details

  • Registrant name & organization
  • Admin/tech contact emails
  • Registration & expiry dates
  • Registrar information

Infrastructure Intel

  • Name servers (NS records)
  • DNS provider
  • Historical changes
  • Related domains (reverse WHOIS)
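The two lists above are what you pull out of a raw `whois` answer; the following Python parser, an added example rather than code from the original page, does that extraction and also flags the privacy-protected case mentioned earlier. The two WHOIS records inside it are constructed samples (not real registration data), and the key names it matches ("Registrant Organization", "Registry Expiry Date", "Name Server") are the common registry labels, so a registry that uses different labels needs the alias lists extended.

```python
"""Extract the registration and infrastructure fields listed above from raw
whois(1) output.  Added example, not from the original page; the records
below are constructed in the usual 'Key: value' layout and are not real data."""
import re
from datetime import datetime

# Constructed sample: an ordinary registration (not real data).
SAMPLE_PLAIN = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Updated Date: 2023-08-14T07:01:38Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2026-08-13T04:00:00Z
Registrant Organization: Example Corp
Registrant Email: hostmaster@example.com
Admin Email: admin@example.com
Tech Email: noc@example.com
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: signedDelegation
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""

# Constructed sample: the same domain behind a privacy/proxy service.
SAMPLE_PRIVATE = SAMPLE_PLAIN.replace(
    "Registrant Organization: Example Corp",
    "Registrant Organization: REDACTED FOR PRIVACY",
).replace(
    "Registrant Email: hostmaster@example.com",
    "Registrant Email: Please query the RDDS service of the Registrar",
)

# 'Key: value' lines; the key is matched non-greedily so values containing
# colons (timestamps, URLs) stay intact.
KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Map lower-cased keys to the list of values seen for them; repeated
    keys such as 'Name Server' accumulate instead of overwriting."""
    fields = {}
    for line in text.splitlines():
        if line.startswith((">>>", "%", "#")):
            continue  # registry banners and comment lines
        m = KEY_VALUE.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def extract_intel(fields):
    """Pull out the 'Registration Details' and 'Infrastructure Intel' items."""
    def first(*keys):
        for key in keys:  # first alias present wins
            if key in fields:
                return fields[key][0]
        return None

    def to_date(value):
        return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

    all_values = [v for vs in fields.values() for v in vs]
    emails = sorted({v.lower() for k, vs in fields.items()
                     if k.endswith("email") for v in vs if "@" in v})
    name_servers = sorted({ns.lower().rstrip(".") for ns in fields.get("name server", [])})
    # Heuristic: the registrable domain of the name servers hints at the DNS provider.
    providers = sorted({".".join(ns.split(".")[-2:]) for ns in name_servers})
    return {
        "registrant_org": first("registrant organization", "registrant organisation"),
        "registrar": first("registrar", "sponsoring registrar"),
        "contact_emails": emails,
        "created": to_date(first("creation date")),
        "expires": to_date(first("registry expiry date",
                                 "registrar registration expiration date", "expiry date")),
        "name_servers": name_servers,
        "dns_providers": providers,
        # Privacy/proxy registrations replace contact fields with placeholders.
        "privacy_protected": any("redacted" in v.lower() or "privacy" in v.lower()
                                 for v in all_values),
    }


if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("private", SAMPLE_PRIVATE)):
        print(label, extract_intel(parse_whois(sample)))
```

Feed it the real thing with `whois example.com | python3 -c 'import sys, whois_intel; ...'` or by reading stdin into `parse_whois`; when `privacy_protected` comes back true, the contact fields are placeholders and the reverse-WHOIS services listed earlier are the next stop.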

DNS Enumeration

DNS records reveal infrastructure details, mail servers, third-party services, and potential subdomains through various record types.

dns-enumeration.sh
bash
# Query all DNS record types
dig example.com ANY +noall +answer

# Individual record types
dig example.com A        # IPv4 addresses
dig example.com AAAA     # IPv6 addresses
dig example.com MX       # Mail servers
dig example.com NS       # Name servers
dig example.com TXT      # TXT records (SPF, DKIM, DMARC)
dig example.com CNAME    # Canonical names
dig example.com SOA      # Start of Authority

# Zone transfer attempt (usually blocked)
dig axfr @ns1.example.com example.com

# Using host command
host -t any example.com

# Reverse DNS lookup
dig -x 192.168.1.1

# DNS over HTTPS (bypasses local filtering)
curl -s "https://dns.google/resolve?name=example.com&type=A" | jq

DNS Record Analysis

| Record | Purpose | Intelligence Value |
|--------|---------|--------------------|
| A/AAAA | IP addresses | Server infrastructure, hosting provider |
| MX | Mail servers | Email infrastructure, cloud provider (O365, GSuite) |
| NS | Name servers | DNS provider, potential zone transfer targets |
| TXT | Text records | SPF (email sources), verification tokens, config |
| CNAME | Aliases | Third-party services, CDN, subdomain takeover |
| SOA | Zone authority | Primary NS, admin email, zone serial |
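The TXT row above is where most of the analysis work is, so here is an added Python example (not code from the original page) that reads the TXT answers for a domain and its `_dmarc` label, lists the authorised email sources and third-party verification tokens, and reports the weak spots a defender should fix (an SPF record ending in `+all` or without `all`, more than the ten DNS lookups RFC 7208 allows, a DMARC policy still at `p=none`). The records in `SAMPLE_TXT` are constructed, not the output of a real `dig`; the function and finding names are this example's own.

```python
"""Analyse SPF and DMARC TXT records for email sources and weak policy.
Added example, not from the original page; SAMPLE_TXT is constructed."""
import re

# Constructed TXT answers, in the quoted form 'dig example.com TXT +short' prints.
SAMPLE_TXT = {
    "example.com": [
        '"v=spf1 ip4:198.51.100.0/24 include:_spf.google.com include:sendgrid.net ~all"',
        '"google-site-verification=abc123"',
        '"MS=ms12345678"',
    ],
    "_dmarc.example.com": [
        '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"',
    ],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([a-z0-9]+)(?:[:=]([^/]*))?(/\d+)?$", re.I)


def unquote_txt(rdata):
    """Join the quoted character-strings of a TXT RDATA into one string."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()


def parse_spf(records):
    """Return ip ranges, includes, the 'all' qualifier and the lookup count
    for the first v=spf1 record, or None if the domain publishes none."""
    for rdata in records:
        txt = unquote_txt(rdata)
        if not txt.lower().startswith("v=spf1"):
            continue
        spf = {"ip": [], "include": [], "all": None, "lookups": 0}
        for term in txt.split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
            m = TERM.match(term.lstrip("+-~?"))
            if not m:
                continue  # malformed term; a receiver would permerror here
            name = m.group(1).lower()
            arg = (m.group(2) or "") + (m.group(3) or "")
            if name in ("ip4", "ip6"):
                spf["ip"].append(arg)
            elif name == "include":
                spf["include"].append(arg)
            elif name == "all":
                spf["all"] = qual
            if name in LOOKUP_MECHS:
                spf["lookups"] += 1
        return spf
    return None


def parse_dmarc(records):
    """Return the tag=value pairs of the first v=DMARC1 record, or None."""
    for rdata in records:
        txt = unquote_txt(rdata)
        if not txt.lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for part in txt.split(";"):
            key, _, value = part.strip().partition("=")
            if key:
                tags[key.strip().lower()] = value.strip()
        return tags
    return None


def analyze(txt_by_name, domain):
    """Summarise email posture for `domain` from its TXT and _dmarc TXT records."""
    base = txt_by_name.get(domain, [])
    spf = parse_spf(base)
    dmarc = parse_dmarc(txt_by_name.get(f"_dmarc.{domain}", []))
    # Non-SPF 'name=value' records are service verification tokens (third parties in use).
    tokens = sorted(unquote_txt(r).split("=", 1)[0] for r in base
                    if "=" in unquote_txt(r) and not unquote_txt(r).lower().startswith("v=spf1"))
    findings = []
    if spf is None:
        findings.append("spf-missing")
    else:
        if spf["all"] == "+":
            findings.append("spf-pass-all")        # anyone may send as the domain
        elif spf["all"] in (None, "?"):
            findings.append("spf-neutral")         # no enforcement at all
        elif spf["all"] == "~":
            findings.append("spf-softfail")        # advisory only, relies on DMARC
        if spf["lookups"] > 10:
            findings.append("spf-too-many-lookups")  # evaluates to permerror
    if dmarc is None:
        findings.append("dmarc-missing")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("dmarc-monitor-only")
        if "rua" not in dmarc:
            findings.append("dmarc-no-reporting")
    return {"spf": spf, "dmarc": dmarc, "verification_tokens": tokens, "findings": findings}


if __name__ == "__main__":
    print(analyze(SAMPLE_TXT, "example.com"))
```

To run it against live data, fill the dictionary from `dig example.com TXT +short` and `dig _dmarc.example.com TXT +short`; the `include:` list is the third-party mail senders the table calls "email sources", and each finding maps to a concrete record change.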

Certificate Transparency

Certificate Transparency (CT) logs record all SSL/TLS certificates issued for domains, revealing subdomains that may not be discoverable through other means.

ct-logs.sh
bash
# crt.sh - search CT logs for names ending in .example.com (%25 is a URL-encoded %)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | \
  jq -r '.[].name_value' | sort -u

# Same query with wildcard prefixes stripped, one name per line, saved to a file
curl -s "https://crt.sh/?q=%25.example.com&output=json" | \
  jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > ct_subdomains.txt

# censys.io certificates
# Requires API key
curl -s "https://search.censys.io/api/v2/certificates/search" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -u "API_ID:API_SECRET" \
  -d '{"q": "parsed.names: example.com"}'

# Using certspotter
curl -s "https://api.certspotter.com/v1/issuances?domain=example.com&include_subdomains=true" | jq

# Google Certificate Transparency
# https://transparencyreport.google.com/https/certificates
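The `jq | sed | sort -u` pipeline above is enough for a quick look, but crt.sh entries carry several SANs per line, mixed case, wildcards, names from other domains on shared certificates, and long-expired certificates. The following Python function, an added example and not code from the page, turns the same JSON into an in-scope hostname list and handles those cases; `SAMPLE_CRTSH_JSON` is constructed to mimic the `output=json` format and is not real log data, and the `now` parameter is this example's own way of separating current from historical certificates.

```python
"""Turn crt.sh's JSON answer into a clean, in-scope subdomain list.
Added example, not from the original page; SAMPLE_CRTSH_JSON is constructed."""
import json
import re
from datetime import datetime

# Constructed sample of what ?q=%25.example.com&output=json returns (fields trimmed).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2024-10-09T23:59:59"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2025-01-01T00:00:00"},
    {"common_name": "VPN.Example.com", "name_value": "VPN.Example.com",
     "not_after": "2024-12-31T23:59:59"},
    {"common_name": "dev.staging.example.com",
     "name_value": "dev.staging.example.com\ndev-old.example.com",
     "not_after": "2021-03-01T00:00:00"},               # long expired
    {"common_name": "cdn.example.com",
     "name_value": "cdn.example.com\nshared-cdn.test",  # shared cert, one SAN out of scope
     "not_after": "2024-09-01T00:00:00"},
])

# Lower-case DNS hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def extract_subdomains(ct_json, domain, now=None):
    """Return (hostnames, wildcard_bases) for names under `domain`.

    Handles what the sed|sort one-liner misses: several SANs per entry
    separated by newlines, mixed case, trailing dots, wildcard names (kept
    separately, since '*.x' means 'x has a wildcard cert', not 'x exists'),
    SANs from other domains on shared certificates, and, when `now` is given,
    certificates that have already expired."""
    domain = domain.lower()
    hostnames, wildcards = set(), set()
    for entry in json.loads(ct_json):
        if now is not None and datetime.fromisoformat(entry["not_after"]) < now:
            continue  # expired: useful history, but not current attack surface
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            is_wild = name.startswith("*.")
            if is_wild:
                name = name[2:]
            if name != domain and not name.endswith("." + domain):
                continue  # SAN belonging to some other domain on a shared cert
            if not HOSTNAME.match(name):
                continue  # junk in the SAN list
            (wildcards if is_wild else hostnames).add(name)
    return sorted(hostnames), sorted(wildcards)


if __name__ == "__main__":
    hosts, wild = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com", now=datetime.now())
    print("\n".join(hosts))
    print("wildcard certs cover:", wild)
```

Pipe `curl -s "https://crt.sh/?q=%25.example.com&output=json"` into it for real use; the expired set is worth keeping as a second list, because decommissioned hostnames that still resolve are exactly the forgotten assets the section opened with.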

Google Dorking

Advanced Google searches reveal sensitive information, exposed files, login pages, and potential vulnerabilities indexed by search engines.

Google Operators

| Operator | Description | Example |
|----------|-------------|---------|
| site: | Restrict to domain | site:example.com |
| inurl: | Search in URL | inurl:admin site:example.com |
| intitle: | Search page titles | intitle:"index of" site:example.com |
| filetype: | File type search | filetype:pdf site:example.com |
| ext: | File extension | ext:sql site:example.com |
| intext: | Search page content | intext:"password" site:example.com |

google-dorks.txt
text
# Find login/admin pages
site:example.com inurl:login OR inurl:signin OR inurl:admin OR inurl:dashboard

# Exposed configuration files
site:example.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:cfg | ext:txt | ext:ini | ext:env

# Database files
site:example.com ext:sql | ext:dbf | ext:mdb | ext:sqlite

# Backup files
site:example.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup

# Sensitive documents
site:example.com ext:doc | ext:docx | ext:pdf | ext:xls | ext:xlsx | ext:ppt

# Log files
site:example.com ext:log | inurl:log

# PHP/Application errors
site:example.com "PHP Parse error" | "PHP Warning" | "PHP Error"
site:example.com "mysql_fetch" | "mysql_connect" | "pg_connect"

# Directory listings
site:example.com intitle:"index of" | intitle:"directory listing"

# WordPress specific
site:example.com inurl:wp-content | inurl:wp-includes | inurl:wp-admin

# Git/SVN exposure
site:example.com inurl:.git | inurl:.svn

# API documentation
site:example.com inurl:api | inurl:swagger | inurl:graphql

Tip

Check the Google Hacking Database (GHDB) on Exploit-DB for thousands of pre-built dorks categorized by vulnerability type.

Shodan & Censys

Internet-wide scanning databases reveal exposed services, technologies, default credentials, and known vulnerabilities without active scanning.

shodan-queries.sh
bash
# Initialize Shodan CLI
shodan init YOUR_API_KEY

# Search by hostname
shodan search hostname:example.com

# Search by IP
shodan host 192.168.1.1

# Search by organization
shodan search "org:Example Company"

# SSL certificate search
shodan search "ssl.cert.subject.cn:example.com"

# Find specific services
shodan search "apache" hostname:example.com
shodan search "port:443" hostname:example.com
shodan search "http.title:Dashboard" hostname:example.com

# Vulnerable services
shodan search "vuln:CVE-2021-44228" org:"Example Company"

# Export results (shodan search prints only; download writes results.json.gz, parse reads it back)
shodan download results hostname:example.com --limit 1000
shodan parse --fields ip_str,port,hostnames results.json.gz

censys-queries.sh
bash
# Censys CLI
pip install censys

# Configure API
censys config

# Search hosts
censys search "services.tls.certificates.leaf_data.subject.common_name: example.com"

# Search certificates
censys search certificates "parsed.names: example.com"

# Get host details
censys view hosts 192.168.1.1

OSINT Frameworks

theHarvester

theharvester.sh
bash
# Comprehensive search across all sources
theHarvester -d example.com -b all

# Specific sources
theHarvester -d example.com -b google,linkedin,twitter,dnsdumpster

# Save output
theHarvester -d example.com -b all -f output.html

# Common sources:
# google, bing, yahoo, linkedin, twitter
# dnsdumpster, crtsh, virustotal, shodan
# hunter, securitytrails, threatcrowd

Recon-ng

recon-ng.sh
bash
# Start recon-ng
recon-ng

# Create workspace
workspaces create example_com
workspaces load example_com

# Add seed domain
db insert domains
# Enter: example.com

# Load and run modules
modules search domains
modules load recon/domains-hosts/hackertarget
run

# Other useful modules
modules load recon/domains-hosts/certificate_transparency
modules load recon/domains-contacts/whois_pocs
modules load recon/hosts-hosts/resolve
run

# Export results
modules load reporting/html
options set FILENAME /path/to/report.html
run

SpiderFoot

spiderfoot.sh
bash
# Start web interface
python3 sf.py -l 127.0.0.1:5001

# CLI scan: -s target, -t event types to collect (modules are selected
# automatically), -o output format (tab, csv or json) written to stdout
python3 sf.py -s example.com -t DOMAIN_NAME,IP_ADDRESS,EMAILADDR -o json > output.json

# Common event types for -t (list them all with: python3 sf.py -T):
# DOMAIN_NAME - domains and subdomains
# IP_ADDRESS - IP addresses
# EMAILADDR - email addresses
# HUMAN_NAME - person names

Passive Recon Checklist

🔍 Domain Intelligence

  ☐ WHOIS lookup completed
  ☐ Registrant information gathered
  ☐ Related domains identified (reverse WHOIS)
  ☐ Historical WHOIS checked
  ☐ ASN/IP ownership mapped

🌐 DNS Analysis

  ☐ All DNS record types queried
  ☐ Certificate Transparency logs searched
  ☐ Zone transfer attempted
  ☐ SPF/DKIM/DMARC analyzed
  ☐ Third-party services identified (CNAME)

🔎 Search Engine OSINT

  ☐ Google dorking completed
  ☐ Exposed files searched
  ☐ Error pages indexed
  ☐ Cached pages reviewed
  ☐ Wayback Machine checked

📡 Internet Intelligence

  ☐ Shodan searched
  ☐ Censys searched
  ☐ Exposed services documented
  ☐ Technology stack identified
  ☐ Known vulnerabilities checked

Practice Labs