Reconnaissance is the critical first phase of any security assessment. This comprehensive guide covers both passive and active techniques for discovering information about target systems, networks, and applications.

Overview

Information gathering can be divided into two main categories:

  • Passive Reconnaissance: Collecting information without directly interacting with the target
  • Active Reconnaissance: Direct interaction with target systems to gather information

Passive Reconnaissance (OSINT)

WHOIS Enumeration

WHOIS provides domain registration information including registrant details, nameservers, and important dates.

# Basic WHOIS query
whois example.com

# WHOIS for IP addresses
whois 192.168.1.1

# Query a regional registry directly (ARIN, RIPE and the other RIRs
# answer for IP blocks and ASNs, not for domain names)
whois -h whois.arin.net 203.0.113.1
whois -h whois.ripe.net 203.0.113.1

Google Hacking / Dorking

Google’s advanced search operators can reveal sensitive information inadvertently exposed online.

# Site-specific searches
site:example.com intitle:"index of"
site:target.com inurl:admin
site:example.com intext:"username" intext:"password"
site:target.com "confidential" OR "internal"

# File type discovery
filetype:pdf site:example.com
filetype:xls "password" site:target.com
filetype:cfg "password"
filetype:env "DB_PASSWORD"
filetype:log "password"
filetype:sql "INSERT INTO" site:example.com

# Error messages
site:target.com "sql syntax near"
site:example.com "Warning: mysql_"

# Directory listings
intitle:"index of" "parent directory"
intitle:"index of" ".ssh"
intitle:"index of" "config.php"

# Subdomain discovery
site:*.target.com
-site:www.target.com site:*.target.com

GitHub/Code Repository Mining

Source code repositories often contain sensitive information like API keys, passwords, and internal documentation.

# Organization and user targeting
user:targetorganization password
org:companyname "api_key"
user:targetuser "secret"

# File-specific searches
filename:config.php password
filename:settings.py api_key
filename:.env DB_PASSWORD
extension:sql INSERT INTO users

# Language-specific searches
"password" language:python
"secret_key" language:javascript
"api_key" language:php
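The searches above only find anything because secrets get committed in the first place, so the defender's counterpart is a check that runs before the push. The following Python scanner is an added example, not code from the original page: it checks a set of repository files for the same kinds of pattern the dorks hunt for and skips obvious placeholders. The pattern set, the placeholder filter and the sample files are constructed for illustration; the `AKIA...` value is AWS's published example access key ID, not a real credential.

```python
"""Added example (not from the original page): a small pre-commit style
secret scanner for the patterns the code-search dorks look for."""
import re
from typing import Dict, List, Tuple

# Patterns chosen for illustration. AKIA + 16 chars is the documented AWS
# access key ID format; the rest are the generic assignments the dorks target.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|db_password|secret_key|api_key)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that are clearly placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|<.*>|\$\{.*\}|\*+|xxx+|example)$")


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Assignment matches carry the value in group 1; drop placeholders.
            if name == "password_assignment" and PLACEHOLDER.match(m.group(1)):
                continue
            findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of path -> contents, as a hook would read staged files."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    ".env": "DB_HOST=localhost\nDB_PASSWORD=s3cr3tPassw0rd!\n",
    "settings.py": "API_KEY = '${API_KEY}'\nDEBUG = False\n",
    "deploy/creds.txt": "aws_key=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set password=changeme before first run.\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("%s:%d %s" % finding)
```

The placeholder filter is what keeps such a hook usable: without it, every `${VAR}` reference and `changeme` in a README becomes noise and the hook gets disabled.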

Certificate Transparency

SSL/TLS certificates logged in Certificate Transparency logs reveal subdomains and internal hostnames.

# Use online services
https://crt.sh/?q=example.com

Shodan Intelligence

Shodan indexes internet-connected devices and can reveal exposed services, vulnerabilities, and configurations.

# Organization targeting
org:"Target Organization"
org:"Company Name" country:"US"

# Network range analysis
net:192.168.1.0/24
net:203.0.113.0/24 port:80

# Service discovery
port:22                    # SSH
port:80,443               # Web
port:3389                 # RDP
product:"Apache httpd" version:"2.4.7"

# SSL certificate search
ssl:"target.com"
ssl.cert.subject.cn:"*.target.com"

# Vulnerability identification
vuln:CVE-2017-0144        # EternalBlue
ssl.cert.expired:true     # Expired certificates

Additional OSINT Resources

Active Reconnaissance

DNS Enumeration

DNS holds crucial information about an organization’s network infrastructure.

# Basic DNS queries
dig A example.com
dig MX example.com
dig NS example.com
dig TXT example.com
dig ANY example.com

# Zone transfer attempts
dig axfr @ns1.example.com example.com
for ns in $(dig +short NS example.com); do
    echo "Testing $ns"
    dig axfr @"$ns" example.com
done

# Reverse DNS lookups
dig -x 192.168.1.1
for ip in $(seq 1 254); do
    dig -x "192.168.1.$ip" +short | grep -v "^$"
done

# DNS enumeration tools
dnsrecon -d example.com
dnsrecon -d example.com -t axfr
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt
dnsrecon -r 192.168.1.0/24

dnsenum example.com
dnsenum --dnsserver 8.8.8.8 -f /usr/share/wordlists/subdomains.txt example.com

fierce -dns example.com
fierce -dns example.com -wordlist /path/to/wordlist.txt

Network Discovery

Host Discovery with Nmap

Identifying live hosts is the first step in mapping a network.

# ARP scan (local network)
sudo nmap -PR -sn 192.168.1.0/24
sudo arp-scan 192.168.1.0/24

# ICMP ping scan
sudo nmap -PE -sn 192.168.1.0/24  # Echo request
sudo nmap -PP -sn 192.168.1.0/24  # Timestamp request
sudo nmap -PM -sn 192.168.1.0/24  # Address mask request

# TCP ping scan
sudo nmap -PS22,80,443 -sn 192.168.1.0/24  # SYN ping
sudo nmap -PA80,443 -sn 192.168.1.0/24     # ACK ping

# UDP ping scan
sudo nmap -PU53,161,137 -sn 192.168.1.0/24

# Skip host discovery
nmap -Pn target.com

Port Scanning Techniques

Port scanning reveals which services are running on discovered hosts. Everything except the connect scan (-sT) builds raw packets and therefore needs root.

# Basic port scans
nmap -sT target.com           # TCP Connect scan
sudo nmap -sS target.com      # TCP SYN scan (stealth)
sudo nmap -sU target.com      # UDP scan
sudo nmap -sA target.com      # TCP ACK scan
sudo nmap -sN target.com      # TCP Null scan
sudo nmap -sF target.com      # TCP FIN scan
sudo nmap -sX target.com      # TCP Xmas scan

# Port ranges and selection
nmap -p 80,443 target.com     # Specific ports
nmap -p 1-1000 target.com     # Port range
nmap -p- target.com           # All ports
nmap --top-ports 100 target.com

# Service and version detection
nmap -sV target.com
nmap -sV --version-intensity 9 target.com
nmap -sC target.com           # Default scripts
nmap -A target.com            # Aggressive scan

# Timing and performance
nmap -T0 target.com           # Paranoid
nmap -T4 target.com           # Aggressive
nmap --min-rate 1000 target.com
nmap --max-rate 5000 target.com

# Evasion techniques (all raw-packet options, so root is required)
sudo nmap -f target.com            # Fragment packets
sudo nmap -D RND:10 target.com     # Decoy scan
sudo nmap --source-port 53 target.com
sudo nmap --spoof-mac Dell target.com
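Seen from the other side, the host discovery sweeps and port scans in the last two sections leave a characteristic trace in firewall logs: one source touching many ports on one host in a short time, or one source touching many hosts. The following detector is an added example, not from the original page. It reads netfilter-style LOG lines and applies a sliding window per source address. The sample lines, their field layout and the ISO timestamps are constructed (real syslog output carries a different timestamp format), and the window and thresholds are assumptions to tune against your own traffic.

```python
"""Added example (not from the original page): flag host sweeps and port
scans in netfilter-style firewall logs. Sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout: ISO timestamp, then the usual netfilter LOG fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport-or-None) or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    return datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst"), m.group("proto"), dpt


def detect_scans(lines, window_s=60, port_threshold=10, host_threshold=10):
    """Return sorted (kind, src) pairs. 'portscan': one source hit at least
    port_threshold distinct ports on a single host inside window_s seconds;
    'sweep': one source hit at least host_threshold distinct hosts."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent = defaultdict(list)   # src -> events still inside the window
    alerts = set()
    for ts, src, dst, proto, dpt in events:
        bucket = recent[src]
        bucket.append((ts, dst, dpt))
        while (ts - bucket[0][0]).total_seconds() > window_s:  # expire old events
            bucket.pop(0)
        hosts = {d for _, d, _ in bucket}
        ports_per_host = defaultdict(set)
        for _, d, p in bucket:
            if p is not None:
                ports_per_host[d].add(p)
        if any(len(ps) >= port_threshold for ps in ports_per_host.values()):
            alerts.add(("portscan", src))
        if len(hosts) >= host_threshold:
            alerts.add(("sweep", src))
    return sorted(alerts)


# --- constructed sample log ------------------------------------------------
def _line(ts, src, dst, proto, dpt=None):
    base = f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TTL=64 PROTO={proto}"
    return base + (f" SPT=44321 DPT={dpt}" if dpt else " TYPE=8 CODE=0")


def _ts(offset_s):
    return (datetime(2024, 5, 1, 12, 0, 0) + timedelta(seconds=offset_s)).isoformat()


SAMPLE_LOG = (
    [_line(_ts(i), "198.51.100.7", "203.0.113.10", "TCP", 1 + i) for i in range(15)]        # port scan
    + [_line(_ts(20 + i), "198.51.100.8", f"203.0.113.{1 + i}", "ICMP") for i in range(12)]  # ping sweep
    + [_line(_ts(40 + i), "198.51.100.9", "203.0.113.10", "TCP", 443) for i in range(3)]     # normal traffic
)

if __name__ == "__main__":
    for kind, src in detect_scans(SAMPLE_LOG):
        print(f"{kind:8s} from {src}")
```

The window matters: a -T0 scan spreads probes minutes apart precisely so that a 60-second window never sees enough of them, which is why the timing options above are listed as evasion and why a detector should also keep longer-lived per-source counters.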

Service Enumeration

SMB/NetBIOS Enumeration

SMB often exposes sensitive information about Windows environments.

# NetBIOS scanning
nbtscan 192.168.1.0/24
nbtscan -r 192.168.1.0/24
nmblookup -A target.com

# SMB enumeration with Nmap
nmap -p 445 --script smb-protocols target.com
nmap -p 445 --script smb-os-discovery target.com
nmap -p 445 --script smb-enum-shares target.com
nmap -p 445 --script smb-enum-users target.com
nmap -p 445 --script smb-vuln-* target.com

# SMBClient
smbclient -L //target.com -N
smbclient //target.com/sharename -N
smbclient //target.com/sharename -U username%password

# Within smbclient session
smb: \> ls
smb: \> cd directory
smb: \> get filename
smb: \> mget *.txt
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

# Enum4linux
enum4linux target.com
enum4linux -a target.com
enum4linux -u username -p password target.com

# SMBMap
smbmap -H target.com
smbmap -H target.com -u guest
smbmap -H target.com -u username -p password
smbmap -H target.com -R                      # Recursive listing
smbmap -H target.com --download share/file.txt

# CrackMapExec
crackmapexec smb target.com
crackmapexec smb target.com -u username -p password
crackmapexec smb target.com -u userlist.txt -p password123
crackmapexec smb target.com -u username -p password --shares

# RPC enumeration
rpcclient -U "" -N target.com

# Within rpcclient:
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querydominfo
rpcclient $> netshareenum
rpcclient $> srvinfo

SMTP Enumeration

SMTP can be used to enumerate valid email addresses and users.

# Manual SMTP enumeration
telnet target.com 25
nc target.com 25
openssl s_client -connect target.com:465
openssl s_client -starttls smtp -connect target.com:587

# SMTP commands (typed inside the session; a server only accepts
# RCPT TO after a MAIL FROM, and addresses go in angle brackets)
EHLO attacker.com
VRFY username
EXPN listname
MAIL FROM:<test@attacker.com>
RCPT TO:<user@target.com>

# Automated enumeration
smtp-user-enum -M VRFY -U userlist.txt -t target.com
smtp-user-enum -M EXPN -U userlist.txt -t target.com
smtp-user-enum -M RCPT -U userlist.txt -t target.com

# Nmap SMTP scripts
nmap -p 25 --script smtp-enum-users target.com
nmap -p 25 --script smtp-commands target.com
nmap -p 25 --script smtp-open-relay target.com

# Swaks (Swiss Army Knife for SMTP)
swaks --to user@target.com --server target.com
swaks --to user@target.com --server target.com --tls

SNMP Enumeration

SNMP often contains detailed system information when accessible.

# Basic SNMP walks
snmpwalk -v2c -c public target.com
snmpwalk -v2c -c public target.com system
snmpwalk -v2c -c public target.com .1

# Specific SNMP queries
snmpget -v2c -c public target.com sysDescr.0
snmpget -v2c -c public target.com sysName.0
snmpget -v2c -c public target.com sysContact.0
snmpget -v2c -c public target.com sysLocation.0

# Community string discovery
onesixtyone target.com
onesixtyone -c community.txt target.com
for community in public private manager admin guest; do
    echo "Testing: $community"
    snmpwalk -v2c -c "$community" target.com system 2>/dev/null
done

# Comprehensive SNMP enumeration
snmp-check target.com
snmp-check -c private target.com

# Important OIDs
# System info: 1.3.6.1.2.1.1
# Interfaces:  1.3.6.1.2.1.2.2.1
# Processes:   1.3.6.1.2.1.25.4.2.1.2
# Software:    1.3.6.1.2.1.25.6.3.1.2
# Storage:     1.3.6.1.2.1.25.2.3.1

# Nmap SNMP scripts
nmap -sU -p 161 --script snmp-info target.com
nmap -sU -p 161 --script snmp-brute target.com
nmap -sU -p 161 --script snmp-* target.com
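Every command in this section works only because a community string is guessable and reachable from the scanner's address, so the defender's check is the agent configuration. The following audit is an added example, not from the original page: it reads a net-snmp style snmpd.conf and reports read-only or read-write communities that use one of the well-known strings the shell loop above tries, or that accept any source address. The configuration text is constructed; the directive syntax follows net-snmp's `rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]` form, and SNMPv3 `rouser`/`rwuser` lines are deliberately left alone since they carry no plaintext community.

```python
"""Added example (not from the original page): audit a net-snmp snmpd.conf
for the weak community settings the walks above depend on. Config constructed."""
from typing import List, Tuple

# The community strings the page's shell loop tries.
WELL_KNOWN = {"public", "private", "manager", "admin", "guest"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for every risky community directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue                               # rouser/rwuser (SNMPv3) and the rest are fine here
        community = parts[1] if len(parts) > 1 else ""
        # Syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; an omitted
        # SOURCE, or the word "default", means any address may use it.
        source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else "default"
        if community.lower() in WELL_KNOWN:
            findings.append((lineno, f"well-known community string '{community}'"))
        if directive.startswith("rw"):
            findings.append((lineno, "read-write community configured"))
        if source in ("default", "0.0.0.0/0", "::/0"):
            findings.append((lineno, "community accepted from any source address"))
    return findings


# Constructed snmpd.conf, not a real host's configuration.
SAMPLE_CONF = """\
# agent configuration
rocommunity public                               # readable by anyone
rocommunity netmon-ro 10.20.0.0/16 -V systemonly # restricted source and view
rwcommunity private default                      # worst case
rouser opsadmin priv                             # SNMPv3 user, authPriv
"""

if __name__ == "__main__":
    for lineno, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```

A line that passes all three checks (an unguessable string, read-only, restricted to the monitoring subnet and a limited view) is still v2c and still travels in cleartext over UDP, which is the argument for moving to SNMPv3 with authPriv rather than only hardening the community.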

Web Application Discovery

Directory and File Discovery

Discovering hidden directories and files can reveal administrative interfaces, backups, and sensitive information.

# Gobuster
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://target.com -w wordlist.txt -x php,txt,html
gobuster dir -u http://target.com -w wordlist.txt -t 50 -q

# Dirb
dirb http://target.com
dirb http://target.com /usr/share/wordlists/dirb/common.txt

# FFuF
ffuf -w wordlist.txt -u http://target.com/FUZZ
ffuf -w wordlist.txt -u http://target.com/FUZZ -e .php,.txt,.html
ffuf -w wordlist.txt -u http://target.com/FUZZ -fs 1234

# Technology identification
# Manual: check HTTP headers, favicon, error messages
# Automated: use the Wappalyzer browser extension
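Directory brute forcing, and the virtual-host fuzzing covered in the subdomain section that follows, both stand out in a web server's own access log: one source producing a long run of 404s across distinct paths, or one source cycling through many Host headers. The following detector is an added example, not from the original page. It parses a constructed log layout (`%h [%t] "%r" %>s "%{Host}i"` in Apache format-string terms) and the sample lines, thresholds and ratio are assumptions for illustration.

```python
"""Added example (not from the original page): spot directory brute forcing
and virtual-host fuzzing in web server access logs. Log format and lines are
constructed."""
import re
from collections import defaultdict

# Constructed log format, roughly:  %h [%t] "%r" %>s "%{Host}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


def detect_web_enum(lines, path_threshold=20, ratio_threshold=0.8, host_threshold=10):
    """Return {ip: [kinds]} where kinds may contain 'dir-bruteforce' (many
    distinct 404 paths and mostly-404 traffic) and 'vhost-fuzz' (many distinct
    Host headers from one source)."""
    stats = defaultdict(lambda: {"total": 0, "n404": 0, "paths404": set(), "hosts": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # unparseable line; worth counting separately in real use
        s = stats[m.group("ip")]
        s["total"] += 1
        s["hosts"].add(m.group("host").lower())
        if m.group("status") == "404":
            s["n404"] += 1
            s["paths404"].add(m.group("path"))
    alerts = {}
    for ip, s in stats.items():
        kinds = []
        if len(s["paths404"]) >= path_threshold and s["n404"] / s["total"] >= ratio_threshold:
            kinds.append("dir-bruteforce")
        if len(s["hosts"]) >= host_threshold:
            kinds.append("vhost-fuzz")
        if kinds:
            alerts[ip] = kinds
    return alerts


# --- constructed sample log ------------------------------------------------
def _req(ip, path, status, host="www.example.com", ts="01/May/2024:12:00:00 +0000"):
    return f'{ip} [{ts}] "GET {path} HTTP/1.1" {status} "{host}"'


WORDS = ["admin", "backup", "config", "old", ".git", ".env",
         "login", "uploads", "test", "dev", "api", "phpmyadmin"]
SAMPLE_LOG = (
    [_req("198.51.100.20", f"/{w}", 404) for w in WORDS]                                  # wordlist hits
    + [_req("198.51.100.20", f"/{w}.bak", 404) for w in WORDS]                            # with extension
    + [_req("198.51.100.20", "/", 200), _req("198.51.100.20", "/index.html", 200)]
    + [_req("198.51.100.21", "/", 404, host=f"host{i}.example.com") for i in range(15)]  # vhost fuzzing
    + [_req("198.51.100.22", "/", 200), _req("198.51.100.22", "/about", 200)]             # ordinary visitor
)

if __name__ == "__main__":
    for ip, kinds in detect_web_enum(SAMPLE_LOG).items():
        print(ip, ", ".join(kinds))
```

The `-fs 1234` size filter shown for ffuf exists because many servers answer unknown paths with 200 and a fixed-size page rather than 404; a detector keyed purely on status codes misses that case, so counting distinct paths per source is the more robust signal.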

Subdomain Enumeration

Passive Subdomain Discovery

# Certificate Transparency
# Visit: https://crt.sh/?q=%.example.com

# Google dorking
# Search: -site:www.example.com site:*.example.com

# Third-party tools
sublist3r -d example.com
amass enum -d example.com
assetfinder example.com
subfinder -d example.com
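The crt.sh lookup mentioned in the Certificate Transparency section and again above returns machine-readable output when `&output=json` is appended to the URL. The following Python is an added example, not from the original page: it turns such a response into a deduplicated hostname list and, from the defender's side, flags certificates for the domain issued by a CA you did not expect, which is the monitoring use of the same data. The entries are constructed, and the field names used (`name_value`, `common_name`, `issuer_name`) are assumed to match crt.sh's JSON output.

```python
"""Added example (not from the original page): turn crt.sh JSON output into a
hostname list and an unexpected-issuer report. Entries are constructed and the
field names are assumed to match crt.sh's output."""
import json


def _names(entry):
    """Normalised names from one CT entry: name_value holds newline-separated
    SANs, common_name the subject CN. Wildcards are reduced to their base."""
    raw = entry.get("name_value", "") + "\n" + entry.get("common_name", "")
    out = set()
    for n in raw.split("\n"):
        n = n.strip().lower().rstrip(".")
        if n.startswith("*."):
            n = n[2:]
        if n:
            out.add(n)
    return out


def _under(name, apex):
    return name == apex or name.endswith("." + apex)


def hostnames_from_ct(entries, apex):
    """Sorted unique hostnames at or below apex seen in the CT entries."""
    apex = apex.lower().rstrip(".")
    found = set()
    for e in entries:
        found.update(n for n in _names(e) if _under(n, apex))
    return sorted(found)


def unexpected_issuers(entries, apex, expected_issuers):
    """Defender check: (hostname, issuer_name) for certificates under apex whose
    issuer matches none of the expected CA name fragments."""
    apex = apex.lower().rstrip(".")
    flagged = []
    for e in entries:
        issuer = e.get("issuer_name", "")
        if any(x.lower() in issuer.lower() for x in expected_issuers):
            continue
        names = sorted(n for n in _names(e) if _under(n, apex))
        if names:
            flagged.append((names[0], issuer))
    return sorted(flagged)


# Constructed entries in the shape of https://crt.sh/?q=%.example.com&output=json
SAMPLE_CRTSH_JSON = r"""[
  {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
  {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.dev.example.com", "name_value": "*.dev.example.com"},
  {"id": 3, "issuer_name": "C=US, O=Unknown CA Inc, CN=Unknown CA",
   "common_name": "vpn.example.com", "name_value": "vpn.example.com"},
  {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "example.com.evil.test", "name_value": "example.com.evil.test"},
  {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "Mail.Example.com", "name_value": "mail.example.com\nexample.com"}
]"""
SAMPLE_ENTRIES = json.loads(SAMPLE_CRTSH_JSON)

if __name__ == "__main__":
    print(hostnames_from_ct(SAMPLE_ENTRIES, "example.com"))
    print(unexpected_issuers(SAMPLE_ENTRIES, "example.com", ["Let's Encrypt"]))
```

The suffix check in `_under` is deliberate: a plain substring match would accept `example.com.evil.test`, which is exactly the kind of look-alike name that appears in CT data and must not end up in your asset list.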

Active Subdomain Discovery

# DNS brute force
dnsrecon -t brt -d example.com
fierce -dns example.com

# Virtual host discovery
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.example.com" -u http://target.com
ffuf -w wordlist.txt -H "Host: FUZZ.example.com" -u http://target.com -fs 1234

# Gobuster vhost mode
gobuster vhost -u http://example.com -w wordlist.txt

# Bash subdomain enumeration
while read -r subdomain; do
    dig "$subdomain.example.com" +short | grep -v "^$"
done < subdomains.txt

Zone Transfer Testing

# Find nameservers
nslookup -type=NS example.com
dig NS example.com

# Attempt zone transfer
dig @nameserver axfr example.com
host -l example.com nameserver   # nslookup's "ls -d" was interactive-only and is gone from modern builds

# Automated zone transfer testing
dnsrecon -t axfr -d example.com
fierce -dns example.com
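A zone transfer succeeds only when the authoritative server permits it, so the defender's check is the server configuration rather than the dig loop in the DNS Enumeration section and the commands above. The following is an added example, not from the original page: a minimal parser for BIND's named.conf block syntax that reports the effective `allow-transfer` address-match list of every primary zone. The configuration is constructed, and the resolution order (zone-level ACL, else the options-level one, else `any`) is an assumption matching older BIND releases; confirm the default documented for the version you run.

```python
"""Added example (not from the original page): report the effective
allow-transfer ACL of every primary zone in a BIND named.conf. The config
below is constructed; the fallback-to-any default is an assumption."""
import re

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def tokenize(text):
    """Strip the three named.conf comment styles, then split into tokens."""
    return TOKEN_RE.findall(COMMENT_RE.sub(" ", text))


def parse(tokens, i=0):
    """Parse statements until a closing '}' or end of input.
    Each statement is (words, block) where block is a nested list or None."""
    stmts, words = [], []
    while i < len(tokens):
        t = tokens[i]
        if t == "{":
            block, i = parse(tokens, i + 1)
            stmts.append((words, block))
            words = []
        elif t == "}":
            return stmts, i + 1
        elif t == ";":
            if words:
                stmts.append((words, None))
            words = []
            i += 1
        else:
            words.append(t.strip('"'))
            i += 1
    return stmts, i


def _allow_transfer(stmts):
    """The allow-transfer address-match list in stmts, or None if not set."""
    for words, block in stmts:
        if words and words[0] == "allow-transfer" and block is not None:
            return [w[0] for w, _ in block if w]
    return None


def audit_named_conf(text, default_acl=("any",)):
    """Return (zone, effective_acl, is_open) for each primary zone.
    Zone-level allow-transfer wins; otherwise the options-level one; otherwise
    default_acl (assumed 'any', as in older BIND releases)."""
    top, _ = parse(tokenize(text))
    global_acl = None
    for words, block in top:
        if words == ["options"] and block is not None:
            global_acl = _allow_transfer(block)
    results = []
    for words, block in top:
        if len(words) < 2 or words[0] != "zone" or block is None:
            continue
        ztype = next((w[1] for w, _ in block if len(w) >= 2 and w[0] == "type"), "")
        if ztype not in ("master", "primary"):
            continue
        acl = _allow_transfer(block)
        if acl is None:
            acl = global_acl if global_acl is not None else list(default_acl)
        is_open = any(a in ("any", "0.0.0.0/0", "::/0") for a in acl)
        results.append((words[1], acl, is_open))
    return results


# Constructed named.conf fragment.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };          // global default: nobody
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 203.0.113.2; };   // the secondary only
};
zone "legacy.example.com" {
    type master;
    file "legacy.zone";
    allow-transfer { any; };           # left wide open
};
zone "internal.example.com" {
    type master;
    file "internal.zone";              /* inherits the options-level ACL */
};
zone "." {
    type hint;
    file "named.ca";
};
"""

if __name__ == "__main__":
    for zone, acl, is_open in audit_named_conf(SAMPLE_NAMED_CONF):
        print(f"{zone:24s} allow-transfer {acl} {'OPEN' if is_open else 'ok'}")
```

Setting `allow-transfer { none; };` in `options` and listing only the secondaries per zone is the configuration the dig loop should fail against; the audit exists to catch the one legacy zone that still overrides it with `any`.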

Professional Methodology

Phase 1: Passive Intelligence Gathering

  1. WHOIS lookups for domain/IP information
  2. Google dorking for exposed data
  3. GitHub/code repository searches
  4. Certificate transparency logs
  5. Shodan/Censys for exposed services
  6. Social media and public records

Phase 2: Active Network Discovery

  1. DNS enumeration and zone transfers
  2. Network host discovery
  3. Port scanning and service detection
  4. Service-specific enumeration

Phase 3: Service Analysis

  1. SMB/NetBIOS enumeration
  2. SMTP user discovery
  3. SNMP information gathering
  4. Web application mapping
  5. Subdomain enumeration

Key Tools Summary

  • DNS: dig, nslookup, dnsrecon, dnsenum, fierce
  • Network: nmap, masscan, arp-scan
  • SMB: smbclient, enum4linux, smbmap, crackmapexec
  • Web: gobuster, dirb, ffuf, nikto
  • SNMP: snmpwalk, onesixtyone, snmp-check
  • OSINT: Google, Shodan, GitHub, certificate transparency

Important Notes

  • Always verify scope and authorization before active reconnaissance
  • Use timing controls to avoid detection/blocking
  • Document all findings systematically
  • Consider using proxies/VPNs for anonymity
  • Be aware of logging and monitoring on target systems