✅ Reconnaissance

Penetration Testing Wiki

Passive reconnaissance

Passive reconnaissance is the process of collecting information about an intended target in a covert manner, without the target knowing that it is happening. It is mainly done by searching for information about the target on the Internet (Google, LinkedIn, etc.) and by searching for metadata (e.g. domain registration information, OSINT tools, etc.).

Sites for passive reconnaissance

NIC databases:

Commands

Direct lookup:

whois $DOMAIN

Reverse lookup:

whois $IP
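The two whois lookups above return free-form "Key: value" text, and in practice you want the registrar, creation date, name servers and (for an IP) the netblock and abuse contact pulled out consistently. The following Python example is added here and is not part of the wiki or of any whois tool; it parses two constructed whois responses (a domain record and an RIR-style netblock record, neither of them real registry data) and summarises them, including the domain's age relative to a reference date.

```python
import re
from datetime import date

# Constructed sample of `whois example.com` output (not a real registry record).
DOMAIN_WHOIS = """\
% This is a constructed sample, not live registry data.
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrar IANA ID: 9999
Creation Date: 2019-03-02T10:15:00Z
Updated Date: 2023-11-20T08:00:00Z
Registry Expiry Date: 2025-03-02T10:15:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of whois database: 2024-01-05T00:00:00Z <<<
"""

# Constructed sample of `whois 203.0.113.7` output in the style of an RIR response.
IP_WHOIS = """\
# Constructed sample, not a real RIR record.
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Corp
Country:        US
OrgAbuseEmail:  abuse@example.com
"""

# "Key: value" line; the key is matched lazily so values may contain colons (timestamps).
KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?)\s*:\s*(.*?)\s*$")


def parse_whois(text):
    """Parse whois output into {normalised_key: [values]}.

    Repeated keys (Name Server, nserver) are collected in order; comment and
    notice lines starting with %, # or >>> are skipped, as are blank lines.
    """
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#", ">>>")):
            continue
        m = KV_LINE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        record.setdefault(key, []).append(m.group(2))
    return record


def domain_summary(record, as_of):
    """Pick the fields an analyst cares about from a parsed domain record.

    `as_of` is an ISO date string (YYYY-MM-DD); age_days is the number of days
    between the Creation Date and that date, using dates only so the time of day
    does not introduce an off-by-one.
    """
    created = date.fromisoformat(record["creation_date"][0][:10])
    return {
        "registrar": record["registrar"][0],
        "name_servers": sorted(ns.lower() for ns in record.get("name_server", [])),
        "age_days": (date.fromisoformat(as_of) - created).days,
    }


def netblock_summary(record):
    """Pick the netblock, owning organisation and abuse contact from an IP record."""
    return {
        "cidr": record["cidr"][0],
        "org": record["orgname"][0],
        "abuse": record.get("orgabuseemail", [None])[0],
    }


if __name__ == "__main__":
    print(domain_summary(parse_whois(DOMAIN_WHOIS), as_of="2024-01-05"))
    print(netblock_summary(parse_whois(IP_WHOIS)))
```

Registries differ in key names (e.g. `nserver` instead of `Name Server` at some ccTLD registries), so extend the summary functions with the aliases you encounter rather than assuming one schema; the parser itself is format-agnostic.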

Sniff network data (inside the target network):

wireshark
tcpdump -X -i $IFACE

Google hacks

"company|address" inurl:ip-address-lookup
"company|address" inurl:domaintools

OSINT Frameworks

theHarvester -d $DOMAIN -l 300 -b google

Active reconnaissance

Commands to execute inside the network to find which hosts are up, so that port scanning can be performed afterwards to enumerate services (see Enumeration):

nmap -sn -PE $IP/24
netdiscover -r $IP/24
crackmapexec -t 100 $IP/24
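The host-discovery commands above are noisy on the wire: `nmap -sn -PE` sends an ICMP echo request to every address in the range and `netdiscover` sends an ARP request for each one, so a single source touching many distinct hosts in a few seconds is the signature a defender looks for. The following Python example is added here and is not part of the wiki; it runs that detection over constructed lines in the text format that `tcpdump` prints for ICMP and ARP traffic (not a real capture) and flags any source that probes at least `threshold` distinct hosts within a sliding `window_s`-second window. The timestamp layout and the threshold/window values are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's default text format (not a real capture).
# 192.168.1.50 does an ICMP sweep, 192.168.1.77 an ARP sweep, 192.168.1.20 pings
# only the gateway; replies must not count as probes.
SAMPLE_CAPTURE = """\
10:00:01.000100 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
10:00:01.000350 IP 192.168.1.50 > 192.168.1.2: ICMP echo request, id 7, seq 1, length 64
10:00:01.000600 IP 192.168.1.50 > 192.168.1.3: ICMP echo request, id 7, seq 1, length 64
10:00:01.000850 IP 192.168.1.50 > 192.168.1.4: ICMP echo request, id 7, seq 1, length 64
10:00:01.001100 IP 192.168.1.50 > 192.168.1.5: ICMP echo request, id 7, seq 1, length 64
10:00:01.001350 IP 192.168.1.50 > 192.168.1.6: ICMP echo request, id 7, seq 1, length 64
10:00:02.500000 IP 192.168.1.1 > 192.168.1.50: ICMP echo reply, id 7, seq 1, length 64
10:00:03.000000 IP 192.168.1.20 > 192.168.1.1: ICMP echo request, id 3, seq 1, length 64
10:00:04.000000 ARP, Request who-has 192.168.1.30 tell 192.168.1.77, length 28
10:00:04.000200 ARP, Request who-has 192.168.1.31 tell 192.168.1.77, length 28
10:00:04.000400 ARP, Request who-has 192.168.1.32 tell 192.168.1.77, length 28
10:00:04.000600 ARP, Request who-has 192.168.1.33 tell 192.168.1.77, length 28
10:00:04.000800 ARP, Request who-has 192.168.1.34 tell 192.168.1.77, length 28
10:00:05.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "<time> IP <src> > <dst>: ICMP echo request, ..."
ICMP_REQ = re.compile(r"^(\S+) IP " + IPV4 + r" > " + IPV4 + r": ICMP echo request")
# "<time> ARP, Request who-has <target> tell <src>, ..."
ARP_REQ = re.compile(r"^(\S+) ARP, Request who-has " + IPV4 + r" tell " + IPV4)


def to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def extract_probes(lines):
    """Yield (time_s, src, dst, kind) for every ICMP echo request or ARP who-has.

    Echo replies and ARP replies do not match either pattern and are ignored.
    """
    for line in lines:
        m = ICMP_REQ.match(line)
        if m:
            yield to_seconds(m.group(1)), m.group(2), m.group(3), "icmp"
            continue
        m = ARP_REQ.match(line)
        if m:
            # For ARP the prober is the "tell" address, the target the "who-has" one.
            yield to_seconds(m.group(1)), m.group(3), m.group(2), "arp"


def find_sweeps(text, window_s=5.0, threshold=5):
    """Return {(src, kind): max_distinct_targets} for sources that probed at
    least `threshold` distinct hosts inside any `window_s`-second window."""
    by_src = defaultdict(list)
    for t, src, dst, kind in extract_probes(text.splitlines()):
        by_src[(src, kind)].append((t, dst))

    alerts = {}
    for key, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of probes inside the window
        left, best = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within window_s of t.
            while events[left][0] < t - window_s:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, kind), n in find_sweeps(SAMPLE_CAPTURE).items():
        print(f"sweep: {src} probed {n} distinct hosts via {kind}")
```

Distinct targets per source is the right metric rather than raw packet count: a host retrying the gateway a hundred times is not a sweep, while six requests to six neighbours in a millisecond is. Feed it real `tcpdump -l -n icmp or arp` output line by line and tune the window and threshold to the size of your subnet.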
