VOOZH about

URL: https://www.geeksforgeeks.org/ethical-hacking/art-of-reconnaissance/

⇱ Art of Reconnaissance - GeeksforGeeks

  • Courses
  • Tutorials
  • Interview Prep

Art of Reconnaissance

Last Updated : 25 May, 2026

Reconnaissance (Recon) is the initial phase of ethical hacking that focuses on gathering information about a target system, network or organization to understand its attack surface and identify potential vulnerabilities.

  • Maps digital footprint such as domains, IP addresses and technologies
  • Can be passive (stealthy) or active (direct interaction)
  • Uses sources like web data, network information and human intelligence
  • Forms the basis for identifying risks and planning further security actions

Types of Reconnaissance

1. Passive Reconnaissance

It focuses on observation rather than engagement, making it stealthy but less detailed than active methods.

👁 passive

Information gathering without directly interacting with the target systems.

  • Undetectable by the target
  • Uses publicly available information
  • No logs generated on target systems
  • Lower risk, but potentially limited information

Example: Like researching a company through newspaper articles and public records without ever calling them.

2. Active Reconnaissance

It involves hands-on probing of a target, trading stealth for more precise and up-to-date intelligence.

👁 personal_data

Direct interaction with target systems to gather information.

  • Direct queries to target systems
  • Potentially detectable (leaves traces)
  • More detailed and current information
  • Higher risk of detection

Example: Similar to contacting a company directly to inquire about its services or physically visiting its office to gather information.

Reconnaissance Categories

These reconnaissance techniques help security professionals and attackers alike map out targets, identify weaknesses and plan further exploitation steps effectively.

1. In-Person Reconnaissance (Human Intelligence)

Physical observation and social engineering techniques.

Methods:

  • Dumpster Diving: Searching discarded documents for sensitive information
  • Shoulder Surfing: Observing people entering passwords or sensitive data
  • Tailgating: Following authorized personnel into secure areas
  • Social Engineering: Manipulating people to divulge information

Example: A security tester finds employee badges in a company's trash, revealing the badge format and employee naming conventions.

2. Google Dorking (Search Engine Intelligence)

Using advanced Google search operators to find sensitive information.

Common Dorks:

GATE site:geeksforgeeks.org filetype:pdf cache:geeksforgeeks.org

Enter this command to get GATE related PDF filetypes on the website of geeksforgeeks.org

👁 google_dork

3. Web-Based Reconnaissance

Gathering information from websites, web applications and online services.

Techniques:

  • Website Analysis: Technology stack, CMS versions, plugins
  • Directory Enumeration: Finding hidden files and folders
  • Subdomain Discovery: Identifying all subdomains
  • Web Archive Analysis: Using Wayback Machine for historical data

Example: Discovering a forgotten subdomain dev.company.comthat contains development databases with test data.

4. IP Address-Based Reconnaissance

Information gathering using IP addresses and network infrastructure.

Methods:

  • WHOIS Lookups: Domain and IP ownership information
  • DNS Enumeration: Finding DNS records and configurations
  • Network Scanning: Port scans, service identification
  • Geolocation: Physical location of servers

Example: WHOIS lookup reveals that company.com uses AWS servers in Virginia, helping narrow down the infrastructure setup.

5. Social Media Intelligence (SOCMINT)

Extracting information from social media platforms.

Target Information:

  • Employee details and roles
  • Company culture and internal processes
  • Technology preferences
  • Personal information for social engineering
  • Business relationships and partnerships

Example: LinkedIn reveals that the company's IT manager recently posted about migrating to Microsoft Azure, indicating their cloud infrastructure.

👁 linkedIn_GFG

6. Physical Device Reconnaissance

Information gathering from physical devices and infrastructure.

Methods:

  • Wi-Fi Network Analysis: SSID enumeration, security protocols
  • Bluetooth Discovery: Nearby devices and services
  • RF Analysis: Radio frequency monitoring
  • IoT Device Discovery: Smart devices on networks

Example: Discovering an unsecured printer on the network that stores copies of all printed documents or Weak Wi-Fi signal Strength.

👁 airmongng

7. Email Intelligence (EMAILINT)

Gathering information through email addresses and email infrastructure.

Techniques:

  • Email Harvesting: Collecting email addresses from websites
  • Email Verification: Checking if emails exist
  • Email Header Analysis: Tracing email origins
  • Email Pattern Discovery: Understanding naming conventions

Example: Finding that a company uses firstname.lastname@company.com format helps create targeted phishing campaigns.

8. Digital Footprints & Metadata Analysis

Analyzing digital traces left by targets.

Sources:

  • Document Metadata: Author names, software versions, creation dates
  • Image EXIF Data: GPS coordinates, camera details, timestamps
  • Code Repositories: GitHub profiles, commit histories
  • Forum Posts: Technical discussions revealing infrastructure

Example: A PDF on the company website contains metadata showing it was created by "John.Smith" on a Windows 10 machine, revealing an employee name and OS information.

👁 geo_tag_image

9. Data Breach & Leaked Database Analysis

Leveraging compromised data from previous breaches.

Sources:

  • HaveIBeenPwned: Email breach checking
  • Pastebin Sites: Leaked credentials and data dumps
  • Dark Web Marketplaces: Sold databases and credentials
  • Public Data Breaches: Analysis of known breaches

Example: Discovering that several company email addresses were compromised in the 2019 Collection #1 breach, potentially providing password patterns.

👁 inteliX

10. DNS Intelligence

Deep analysis of DNS infrastructure and configurations.

Methods:

  • Zone Transfers: Attempting to download DNS zone files
  • DNS Cache Snooping: Checking DNS resolver caches
  • Reverse DNS Lookups: Finding domains associated with IP ranges
  • DNS History: Tracking historical DNS changes

Tools for Reconnaissance

Web-Based Tools

CategoryToolPurpose
WHOIS/DNSwhois.net, dnsdumpster.comDomain information and DNS records
Subdomainssublist3r.online, crt.shSubdomain discovery
Google Dorkinggoogle.com, dorksearch.comAdvanced search queries
Social Mediasherlock-project.github.ioUsername searches across platforms
Emailhunter.io, have-i-been-pwned.comEmail discovery and breach checking
Website Analysisbuiltwith.com, wappalyzer.comTechnology stack identification
Archivesweb.archive.orgHistorical website data
IP Intelligenceshodan.io, censys.ioInternet-connected device search
Leaked Databasesintelx.io, cracking.orgAccess to leaked databases and forum data

Kali Linux CLI Tools

Network & DNS Reconnaissance

  • Commands for DNS Enumeration
dnsrecon -d example.com -t std 
dig example.com ANY 
fierce -dns example.com
👁 dnsrecon
  • Commands for Subdomain discovery
sublist3r -d example.com
👁 sublister
  • Commands for Network scanning 
nmap -sS -A XX.XX.XX.XX
masscan -p1-65535 XX.XX.XX.XX --rate=10000
👁 nmap_GFG

Web Application Reconnaissance

  • Directory/File Discovery
dirb http://example.com/// 
gobuster dir -u http://example.com/// -w /usr/share/wordlists/dirb/common.txt 
dirsearch -u http://example.com///
👁 dirsearch
  • Web Technology Identification
whatweb http://example.com/// 
wapiti -u http://example.com///
  • Web crawling
wget --spider --recursive --no-verbose --output-file=spider.log http://example.com///

Social Media & OSINT

  • Username recon using sherlock tool
sherlock username
👁 sherlock
  • Email harvesting
theharvester -d example.com -l 500 -b google
maltego (GUI-based OSINT framework)
  • Metadata analysis
exiftool document.pdf 
metagoofil -d example.com -t pdf -l 100 -n 25 -o results/
👁 exiftool

Specialized Tools

  • WHOIS information
whois example.com
  • SSL Certificate analysis
sslscan target.com
sslyze target.com
  • Shodan Enumeration
shodan host 192.XX.XX.XX

Framework Tools

  • Recon-ng for Modular reconnaissance framework
recon-ng
  • Spiderfoot for Automated OSINT Framework
spiderfoot -s example.com
  • Killshot for Framework and Vulnerability Testing
git clone https://github.com/bahaabdelwahed/killshot%3C/span>

Note: Killshot is an open-source tool that integrates various pentesting tools. You may need to visit GitHub and refer to the README.txt file to understand its functionality and commands.

Comment