Learn Reconnaissance and Information Gathering | Penetration Testing Fundamentals
Practical Penetration Testing

Reconnaissance and Information Gathering


Purpose of Reconnaissance

Reconnaissance is the first stage in penetration testing. Your goal is to collect as much information as possible about your target before attempting to find vulnerabilities. This step helps you understand the target's systems, networks, and people, which makes later testing more effective and realistic.

Common Reconnaissance Techniques

  • Open source intelligence (OSINT): gathering data from public sources like websites, social media, and news articles;
  • Domain and IP lookup: finding domain registration details and mapping IP addresses to identify servers and services;
  • Google dorking: using advanced Google search queries to uncover sensitive files, login pages, or misconfigured directories;
  • Social engineering: researching employees or staff to learn about internal structures, email formats, or potential weak points;
  • Network scanning: identifying live hosts, open ports, and available services on a network (only with permission).

Collecting Publicly Available Information

Attackers often start by searching for information that is easy to find but can reveal a lot about an organization. This includes:

  • Company websites: checking for staff directories, technology stacks, or forgotten subdomains;
  • Social media profiles: looking for employee roles, project names, or upcoming changes;
  • Job postings: discovering what software or systems the company uses by reading required skills;
  • Public documents: examining PDFs or Word files for hidden metadata like usernames or server names.

Example: If you search for a company's name on LinkedIn, you might find the names and job titles of IT staff. This can help you guess email addresses or identify who manages critical systems.

By mastering reconnaissance, you gain a strong foundation for ethical hacking and can better understand how attackers think and operate.


Which option best describes the purpose of reconnaissance in penetration testing?

Section 1. Chapter 2
