Reconnaissance in Ethical Hacking
What is Reconnaissance?
Reconnaissance, also known as Information Gathering or Footprinting, is the first phase of ethical hacking. It involves collecting as much information as possible about a target system, network, or organization before launching an actual attack.
Types of Reconnaissance
1. Passive Reconnaissance
- Definition: Collecting information without interacting directly with the target system.
- Objective: Stay undetected.
- Sources:
  - WHOIS records
  - DNS info
  - Social media
  - Job postings
  - Public documents (PDFs, DOCs with metadata)
- Tools:
  - whois
  - nslookup
  - theHarvester
  - Google Dorking
2. Active Reconnaissance
- Definition: Direct interaction with the target (e.g., pinging, port scanning).
- Objective: Gather detailed technical data.
- Risk: Can trigger alarms (IDS/IPS).
- Examples:
  - Port scanning
  - OS fingerprinting
  - Service enumeration
- Tools:
  - Nmap
  - Netcat
  - Nikto
  - Telnet
Key Reconnaissance Objectives
- Identify domain names and subdomains
- Find IP address ranges
- Enumerate open ports
- Discover services running on target
- Gather employee names, emails, passwords
- Learn about the organization’s structure and technology stack
Common Reconnaissance Tools
| Tool | Use |
|---|---|
| whois | Get domain ownership and registrar info |
| nslookup / dig | DNS info and zone transfers |
| Nmap | Port scanning, OS & service detection |
| theHarvester | Harvest emails and hosts |
| Shodan | Find exposed devices on the internet |
| Recon-ng | Recon automation framework |
| Maltego | Visual link analysis & relationship mapping |
| Google Dorks | Advanced Google queries to find sensitive data |
Real-World Footprinting Techniques
DNS Footprinting
- Use dig, nslookup, or dnsenum to find:
  - Subdomains
  - Mail servers
  - Zone transfer vulnerabilities
Employee Footprinting
- Tools like theHarvester or LinkedIn scraping
- Collect:
  - Email addresses
  - Names/titles for spear-phishing
  - Internal tech info from resumes
Metadata Analysis
- Download publicly available PDFs or Word docs
- Use exiftool to extract:
  - Username of author
  - System paths
  - Software used
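The defensive counterpart of the exiftool step above is checking your own documents before they go on a public site. The following added example (not part of the original page, and not exiftool's code) uses only the Python standard library: a .docx is a ZIP archive whose author, last editor, application, company and template-path fields live in docProps/core.xml and docProps/app.xml. The script reads those fields, reports what each one reveals, flags embedded filesystem paths, and writes a scrubbed copy. The sample document, its field names and values are constructed here and do not come from any real file.

```python
"""Added example: inspect and scrub .docx metadata before publishing.

A .docx is a ZIP archive; the fields exiftool reports (author, last editor,
application, company, template path) live in docProps/core.xml and
docProps/app.xml. Standard library only; the sample document and its values
are constructed here, not taken from any real file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace URIs used by the two metadata parts (fixed by the OOXML spec).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Fields to review in each part, and what each one gives away.
WATCHED = {
    "core.xml": {"dc:creator": "author name", "cp:lastModifiedBy": "editor name"},
    "app.xml": {"ep:Application": "software used", "ep:Company": "organisation",
                "ep:Template": "template path"},
}
# Windows drive letter or a typical Unix home prefix embedded in a value.
PATH_RE = re.compile(r"([A-Za-z]:\\|/home/|/Users/)")


def build_sample_docx() -> bytes:
    """Construct a minimal .docx carrying typical metadata (sample values only)."""
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:title>Q3 Network Plan</dc:title>"
        "<dc:creator>jane.doe</dc:creator>"
        "<cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    ).format(**NS)
    app = (
        '<Properties xmlns="{ep}">'
        "<Application>Microsoft Office Word</Application>"
        "<Company>Example Corp</Company>"
        "<Template>C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Template>"
        "</Properties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_metadata(docx_bytes: bytes) -> dict:
    """Return {field: value} for every watched field that is set."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part, fields in WATCHED.items():
            name = f"docProps/{part}"
            if name not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(name))
            for tag in fields:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[tag] = el.text
    return found


def find_leaks(meta: dict) -> list:
    """Describe what each set field reveals; flag embedded filesystem paths separately."""
    kinds = {tag: kind for fields in WATCHED.values() for tag, kind in fields.items()}
    leaks = []
    for tag, value in meta.items():
        leaks.append(f"{tag}: {kinds[tag]} ({value!r})")
        if PATH_RE.search(value):
            leaks.append(f"{tag}: system path ({value!r})")
    return leaks


def scrub(docx_bytes: bytes) -> bytes:
    """Return a copy of the document with every watched field blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            part = item.filename.rsplit("/", 1)[-1]
            if item.filename.startswith("docProps/") and part in WATCHED:
                root = ET.fromstring(data)
                for tag in WATCHED[part]:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = None  # keep the element, drop its value
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for line in find_leaks(read_metadata(doc)):
        print("LEAK", line)
    print("after scrub:", read_metadata(scrub(doc)))
```

Running it lists six findings for the sample (five set fields plus the Windows path inside the template field) and an empty dictionary after scrubbing. On a real document, run `read_metadata` on the file bytes; the same two XML parts are what exiftool and similar tools read, so an empty result here is a reasonable pre-publication check.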
Company Tech Stack Discovery
- Use Wappalyzer, BuiltWith, or browser extensions
- Detect:
  - Web servers (Apache, Nginx)
  - CMS (WordPress, Joomla)
  - Programming languages and plugins
Hidden Recon Tip No One Tells You
- Check Job Postings & GitHub Repos
  - Job listings often reveal:
    - Internal tools
    - Tech stacks (e.g., “Looking for a Python/Django developer”)
    - Cloud usage (e.g., “AWS experience required”)
  - GitHub leaks:
    - API keys
    - Internal documentation
    - Developer emails and commit logs
- Why it's important: This info can lead to precise targeted attacks and gives you a hacker’s edge that automated scanners miss.
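The GitHub leaks listed above (API keys, developer emails, private key material) are the kind of thing a pre-commit check stops before they reach a public repository. The added example below is not from the page or from any named tool: it runs a few patterns over text that is about to be committed and reports the line and rule for each hit. Generic `api_key=` / `secret=` / `token=` assignments are only reported when the value looks random (a Shannon entropy cut-off, assumed at 3.5 bits per character), so placeholders such as a string of x's do not produce noise. The sample input is constructed; the AWS key it contains is the value Amazon uses in its own documentation, not a live credential.

```python
"""Added example: a pre-commit style scan for credentials and contact details.

Runs a handful of patterns over text that is about to be committed and reports
the line and rule for each hit. The sample input below is constructed; the AWS
key is the documented example value AKIAIOSFODNN7EXAMPLE, not a live credential.
"""
import math
import re
from collections import Counter

# Rule name -> regex for hits that are reported unconditionally.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "email-address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
# Generic credential assignment; reported only if the value passes the entropy filter.
CREDENTIAL_RE = re.compile(
    r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list:
    """Return [(line_number, rule_name), ...] sorted by line, then rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, name))
        m = CREDENTIAL_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy-credential"))
    return sorted(findings)


# Constructed sample: a config file accidentally staged for commit.
SAMPLE = """\
# constructed sample: a config file accidentally staged for commit
DB_USER=app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY="Zx9qL2mV8pR4tW6yB1nK3jH5"
PLACEHOLDER_TOKEN="xxxxxxxxxxxxxxxxxxxxxxxx"
CONTACT=dev.lead@example.com
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}")
```

On the sample this reports lines 3, 4, 6 and 7; line 5 is skipped because its value has zero entropy. Wiring `scan_text` into a pre-commit hook over the staged diff is the usual deployment; the rule set is deliberately small and should be extended with the token formats your own providers use.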
| Type of Risk | Description |
|---|---|
| Detection | Active recon (e.g., Nmap, ping sweeps) can trigger firewalls or IDS/IPS. |
| IP Blocking | Suspicious scanning may lead to your IP getting blacklisted. |
| Legal Violation | Performing recon on unauthorized systems can be illegal and lead to prosecution. |
| Honeypots | Interacting with intentionally vulnerable systems can expose you as an intruder. |
| Incomplete Info | Misinterpreting data can lead to wrong assumptions and failed exploits. |
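The "Detection" row is what a defender cares about most: port scans and ping sweeps leave a recognisable trail in firewall drop logs. The added example below (not from the page; the log lines, thresholds and window are constructed or assumed) parses iptables-style syslog lines and, per source address, counts distinct destination ports for TCP/UDP and distinct destination hosts for ICMP within a sliding time window. A source that touches ten or more ports, or five or more hosts, inside sixty seconds is flagged; an ordinary client retrying one port is not.

```python
"""Added example: spot port scans and ping sweeps in firewall drop logs.

Parses iptables-style syslog lines, then counts, per source address, how many
distinct destination ports (TCP/UDP) or distinct destination hosts (ICMP echo)
appear inside a sliding time window. Log lines are constructed below with
TEST-NET addresses; thresholds and window are assumed values to tune locally.
"""
import re
from collections import deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src dst proto dpt")

# Syslog timestamp, host, "kernel:", then the netfilter key=value fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log(text: str) -> list:
    """Turn log text into Events sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        dpt = int(m["dpt"]) if m["dpt"] else None
        events.append(Event(ts, m["src"], m["dst"], m["proto"], dpt))
    return sorted(events, key=lambda e: e.ts)


def _max_distinct_in_window(events, key, window):
    """Largest number of distinct key(e) values among events inside any one window."""
    best, buf = 0, deque()
    for ev in events:
        buf.append(ev)
        while ev.ts - buf[0].ts > window:
            buf.popleft()
        best = max(best, len({key(e) for e in buf}))
    return best


def _by_source(events, keep):
    """Group the events that satisfy keep(ev) by source address, order preserved."""
    groups = {}
    for ev in events:
        if keep(ev):
            groups.setdefault(ev.src, []).append(ev)
    return groups


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10) -> dict:
    """{src: distinct ports} for sources probing >= min_ports ports within window."""
    alerts = {}
    for src, evs in _by_source(events, lambda e: e.dpt is not None).items():
        n = _max_distinct_in_window(evs, lambda e: e.dpt, window)
        if n >= min_ports:
            alerts[src] = n
    return alerts


def detect_ping_sweeps(events, window=timedelta(seconds=60), min_hosts=5) -> dict:
    """{src: distinct hosts} for sources sending ICMP to >= min_hosts hosts within window."""
    alerts = {}
    for src, evs in _by_source(events, lambda e: e.proto == "ICMP").items():
        n = _max_distinct_in_window(evs, lambda e: e.dst, window)
        if n >= min_hosts:
            alerts[src] = n
    return alerts


def build_sample_log() -> str:
    """Constructed firewall drop lines: one port scanner, one normal client, one ICMP sweep."""
    fmt = "Mar 10 12:00:%02d fw kernel: [1234.5] FW-DROP IN=eth0 OUT= SRC=%s DST=%s PROTO=%s%s"
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        lines.append(fmt % (i, "203.0.113.5", "198.51.100.10", "TCP", f" SPT=40000 DPT={port}"))
    for i in range(5):  # ordinary HTTPS client retrying one port
        lines.append(fmt % (i * 10, "203.0.113.7", "198.51.100.10", "TCP", " SPT=51000 DPT=443"))
    for i in range(6):  # echo requests walking six neighbouring hosts
        lines.append(fmt % (20 + i, "203.0.113.9", f"198.51.100.{10 + i}", "ICMP", " TYPE=8 CODE=0"))
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("port scans:", detect_port_scans(evs))
    print("ping sweeps:", detect_ping_sweeps(evs))
```

The sliding window matters: a slow scan spread over hours stays under the threshold, which is exactly why the table warns that only noisy active recon reliably trips an IDS. Lowering `min_ports` or widening `window` trades false positives for sensitivity, and both knobs are assumed starting points rather than recommended values.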
Legal Warning: Reconnaissance should only be performed on systems you have permission to test. Doing otherwise may be illegal and result in criminal charges.
Summary Checklist
Passive Recon:
- WHOIS Lookup
- DNS Enumeration
- Google Dorking
- Metadata Extraction
- Social Media Scraping
Active Recon:
- Ping Sweep
- Port Scan with Nmap
- Banner Grabbing (e.g., Netcat)
- OS Fingerprinting
- Service Enumeration
Tools Mastery:
- theHarvester
- Nmap
- Shodan
- Maltego
- Recon-ng
- DNSenum