Recon 101 - The Hacker’s Guide to Playing Detective

Welcome back to our blog series on learning penetration testing! If you’ve been following along, you already know what pentesting is and how crucial the planning and scoping phase is. Now, it’s time to dive into the juicy stuff—Reconnaissance (or recon for short). Think of recon as the detective work of the hacking world. It’s where you gather all the clues about your target without (or sometimes with) them knowing. Ready to become a cyber sleuth? Let’s go! 🕵️‍♂️

What is Reconnaissance in Penetration Testing?

Reconnaissance is where the pentesting magic begins! It’s like being a digital detective, gathering intel on your target without setting off alarms. 🔔 The goal? Learn everything you can—open ports, subdomains, tech stacks, and juicy misconfigurations—while staying stealthy. It’s like sizing up an opponent before a big match; the more you know, the better your chances of winning. Here’s how to make your recon phase pop with just enough tech to impress but not bore. 😏

Why is it Important?

Recon is the foundation of a successful pentest. Skip it, and you’re basically trying to solve a puzzle blindfolded. With good recon, you’ll uncover details like:

• Open ports and services
• Domain names and subdomains
• Employee info (for social engineering)
• Hidden directories or files on web servers

In short, recon helps you plan your attack smarter, not harder. 🧠

Difference Between Passive and Active Reconnaissance

• Passive Reconnaissance: Stalking Without a Trace 🕶️: This is the ninja mode. 🥷 You’re gathering info without directly interacting with the target, so they have no idea you’re snooping. Think of it as eavesdropping from the shadows.

  Pro Tip: Check X for posts about the target. A disgruntled employee might spill the beans on their tech stack or vulnerabilities. Just don’t get lost in the meme threads! 😅

• Active Reconnaissance: Poking the Bear (Gently) 🐻: Now you’re knocking on doors. 🚪 You’re directly interacting with the target—like scanning their network or probing their web app. It’s louder and riskier, but it gives you deeper insights.

  Watch Out: Active scans can trigger IDS/IPS. Use randomized timing (–randomize-hosts) or proxies to stay sneaky. Nobody wants to get blocked before the fun starts! 😈

Both are essential, and knowing when to use each is key to staying stealthy and effective.

Passive Reconnaissance: The Art of Silent Snooping 🕵️‍♀️

Passive recon is all about gathering intel without making a sound, no pings, no alerts, just pure stealthy info collection. You’ve got the basics covered, and I’ve beefed it up with some additional goodies to level up your game. Let’s break it down:

1. WHOIS Lookups – Domain Detective Work 🕵️‍♂️

Ever wonder who owns a domain? WHOIS lookups are like peeking at the registration papers of a website. WHOIS lookups show who owns a domain, contact details (when available), and registration dates.

Here’s a little something to add: privacy protection services like WhoisGuard or DomainsByProxy often mask personal info. If you see “REDACTED FOR PRIVACY,” the owner’s hiding their tracks. 🛡️ Still, you can dig into historical WHOIS data (try whois history) to peek at older records that might spill the beans. You can find out:

• Who registered the domain
• Contact details (sometimes)
• When it was registered and when it expires

It’s public info, so no hacking required! Just visit a WHOIS service, type in the domain, and boom—intel. 🕵️‍♀️

# Using the whois command-line tool
whois example.com

# Sample output
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://www.iana.org
Updated Date: 2022-08-14T07:01:38Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2023-08-13T04:00:00Z
Registrar: IANA
Registrar IANA ID: 376

# Check WHOIS history for past data
whois -h whois history example.com

Pro Tip: Fake contact info is common, but the expiration date can reveal how serious the owner is about the domain. Expiring soon? Maybe it’s not a high-priority target. ⏳

2. DNS Enumeration – Mapping the Digital Mansion 🏰

DNS is like the internet’s phonebook, and with DNS enumeration, you’re flipping through it to find subdomains, mail servers, and more. Tools like dig or dnsenum can help you uncover hidden parts of a target’s infrastructure. It’s like finding secret rooms in a mansion!

# Using dig for DNS reconnaissance
dig example.com ANY +noall +answer

# Finding mail servers
dig example.com MX +short

# Using dnsenum for more comprehensive enumeration
dnsenum --dnsserver 8.8.8.8 -o example_dns.xml example.com

# Use Sublist3r for subdomain enumeration
sublist3r -d example.com

Why It Matters: Subdomains can expose internal apps, APIs, or forgotten servers running outdated software—think of them as unlocked side doors in a fortress. 🚪

3. Google Dorking – Search Engine Ninjutsu 🥷

This is where you become a search engine ninja. 🥷 Google Dorking uses advanced search operators to find things like:

• Exposed login pages
• Sensitive documents
• Unprotected directories

For example, searching site:example.com filetype:pdf can reveal PDFs on the target site. It’s like finding hidden treasure without leaving your couch.

# Common Google dorks
site:example.com filetype:pdf                     # Find PDF files
site:example.com inurl:admin                      # Find admin pages
site:example.com intitle:"Index of"               # Find directory listings
site:example.com ext:php intext:mysql_connect     # Find potential SQL injection points
site:example.com inurl:backup                     # Hunt for backup files or directories.
site:example.com ext:sql                          # Sniff out exposed SQL dumps. 💾
site:example.com intext:"confidential"            # Find sensitive documents.

One stealth tip: don’t click the results—view the cached version or just note the URLs to avoid leaving traces. 👣

4. Social Media Intelligence (SOCMINT) – Stalking for Good 🕵️‍♂️

People love oversharing on social media, and as a pentester, you can use that. LinkedIn, Twitter, and even Instagram can reveal:

• Employee names and roles
• Company events or projects
• Tech stacks (from job postings)

You can get more Juicy info using below tricks:

• LinkedIn Advanced Search: Filter by job titles like “SysAdmin” or “DevOps” to pinpoint key employees. Their profiles might list tech stacks or project details.
• Twitter Hashtags: Search #CompanyName or #ProjectName for chatter about work—employees often spill juicy tidbits. 🐦
• Automate It: Tools like SpiderFoot or Maltego can map relationships between employees, domains, and social profiles. It’s like weaving a web of intel. 🕸️

It’s amazing what a little scrolling can uncover. Just remember, you’re gathering intel, not stalking! 😉

4a. Public Records & Metadata Analysis – Hidden Clues in Plain Sight 🕵️‍♀️

Documents and images often contain hidden data (metadata) like:

• Author names
• Software versions
• GPS coordinates (in photos)

Tools like exiftool can extract this info. It’s like reading the secret notes scribbled in the margins of a book.

# Using exiftool to extract metadata from an image
exiftool company_photo.jpg

# Sample output
ExifTool Version Number         : 12.30
File Name                       : company_photo.jpg
Directory                       : .
File Size                       : 3.2 MB
File Modification Date/Time     : 2023:01:15 10:30:15-05:00
File Access Date/Time           : 2023:01:15 10:30:15-05:00
File Creation Date/Time         : 2023:01:15 10:30:15-05:00
File Permissions                : rw-r--r--
File Type                       : JPEG
GPS Position                    : 40.7128 N, 74.0060 W
Create Date                     : 2023:01:10 08:15:30
Software                        : Adobe Photoshop 22.3 (Windows)
Author                          : John Smith

Don’t stop there—dig into public records:

• SEC Filings: For public companies, these reveal financials, partnerships, or IT investments.
• Job Postings: Sites like Indeed or Glassdoor often list skills like “AWS” or “Kubernetes,” hinting at the tech stack. 💼

Fun Fact: GPS coordinates in photo metadata could pinpoint an office or data center. Found 40.7128 N, 74.0060 W? That’s New York City! 🌍

Active Reconnaissance: Tiptoeing into the Target’s Territory 🚨

Active recon is where you get hands-on, interacting directly with the target to uncover vulnerabilities. It’s like knocking on doors to see which ones are unlocked—but do it quietly to avoid triggering alarms! 🚨 Here’s your enhanced guide with extra tools and tips to keep it exciting and effective.

1. Port Scanning with Nmap – – Your Network Swiss Army Knife 🔧

Nmap is the Swiss Army knife of network scanning. It helps you find:

• Open ports
• Running services
• Operating systems

Running a scan like nmap -sS target.com can reveal what doors are open on the target’s system. It’s like knocking on every door in a building to see which ones are unlocked.

# Basic Nmap scan
nmap example.com

# Stealth scan (-sS) with service version detection (-sV)
nmap -sS -sV example.com

# Comprehensive scan with OS detection, version detection, script scanning, and traceroute
nmap -A example.com

# Basic scan to find open ports
nmap example.com

# Stealth scan with version and script detection
nmap -sS -sV -sC --randomize-hosts example.com

# Sample output
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for example.com (93.184.216.34)
Host is up (0.013s latency).
PORT    STATE SERVICE  VERSION
80/tcp  open  http     nginx 1.18.0
443/tcp open  ssl/http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Welcome to Example.com!
22/tcp  open  ssh      OpenSSH 7.6p1 (protocol 2.0)
|_ssh-hostkey: 2048-bit RSA key

Pro Tip: Use -T2 or -T3 for slower, stealthier scans to blend into normal traffic. Fast scans can scream “pentester!” and trigger alerts. 🚨 Also, consider -p- to scan all 65,535 ports for hidden gems, but be patient—it takes time! ⏳

2. Network Mapping with Traceroute – Charting the Digital Highway 🗺️

Traceroute shows you the path your data takes to reach the target, revealing routers and network topology. It’s like mapping out the roads before a heist. 🗺️

# Basic traceroute
traceroute example.com

# Using mtr for more comprehensive network path analysis
mtr --report example.com

# TCP-based traceroute for better accuracy
tcptraceroute example.com 80

# Sample output
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
 1  router.home (192.168.1.1)  3.052 ms  3.045 ms  3.036 ms
 2  72.14.215.195  15.171 ms  17.477 ms  17.466 ms
 3  209.85.254.120  19.736 ms  19.728 ms  19.719 ms
 4  74.125.243.177  19.979 ms  19.971 ms  19.962 ms
 5  93.184.216.34 (93.184.216.34)  19.443 ms  19.129 ms  19.113 ms

3. Shodan Searches – The Internet’s Dark Corners 🔍

Shodan is the search engine for internet-connected devices. You can find:

• Exposed webcams
• Unsecured servers
• IoT devices

It’s a goldmine for pentesters (and a reminder to secure your own stuff!). Just search for your target’s IP or domain and see what’s out there.

# Using the Shodan CLI tool
shodan search hostname:example.com

# Search for specific services
shodan search "org:Example Inc" port:22

# Find exposed SSH servers
shodan search "org:Example Inc" port:22

# Using the Python API
python3 -c "
import shodan
api = shodan.Shodan('YOUR_API_KEY')
results = api.search('hostname:example.com')
for result in results['matches']:
    print(result['ip_str'], result['port'])
"

4. Web Application Reconnaissance – X-Ray Vision for Websites 🕶️

For web apps, tools like Burp Suite, OWASP ZAP, and Nikto are your best friends. They help you:

• Map out the app’s structure
• Find hidden directories
• Detect vulnerabilities

It’s like having x-ray vision for websites. 🕶️

# Using dirb to find hidden directories
dirb http://example.com /usr/share/dirb/wordlists/common.txt

# Gobuster for directory brute-forcing
gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

# WhatWeb to identify tech stack
whatweb example.com

# Running Nikto scan against a web server
nikto -h example.com

# Sample Nikto output
- Nikto v2.1.6
--------------------------------------------------------------------
+ Target IP:          93.184.216.34
+ Target Hostname:    example.com
+ Target Port:        80
+ Start Time:         2023-01-15 11:24:12 (GMT-5)
--------------------------------------------------------------------
+ Server: nginx/1.18.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2023-01-15 11:30:26 (GMT-5) (374 seconds)
--------------------------------------------------------------------

5. Email Harvesting & Employee Profiling – Social Engineering Fuel 🎣

Tools like theHarvester can scrape the web for:

• Email addresses
• Subdomains
• Employee names

This is gold for social engineering attacks. Imagine crafting the perfect phishing email with all this info!

# Using theHarvester to find emails and domains
theHarvester -d example.com -b all

# Sample output
*******************************************************************
*  _   _                                            _             *
* | |_| |__   ___    /\  /\__ _ _ ____   _____  ___| |_ ___ _ __  *
* | __|  _ \ / _ \  / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | |  __/ / __  / (_| | |   \ V /  __/\__ \ ||  __/ |    *
*  \__|_| |_|\___| \/ /_/ \__,_|_|    \_/ \___||___/\__\___|_|    *
*                                                                 *
* theHarvester 4.0.3                                              *
*******************************************************************

[*] Target: example.com
[*] Searching Google...
[*] Searching Bing...
[*] Searching LinkedIn...

[*] Emails found: 5
------------------
info@example.com
admin@example.com
sales@example.com
support@example.com
hr@example.com

[*] Hosts found: 3
-----------------
www.example.com:93.184.216.34
mail.example.com:93.184.216.35
ftp.example.com:93.184.216.36

Tools for Reconnaissance – Your Cyber Toolkit 🦸‍♂️

You can’t do recon without the right tools. Here are some must-haves:

• Nmap: The OG of network scanning. It’s like a metal detector for open ports.🔍
• Recon-ng: Automates recon tasks, pulling data from multiple sources. Think of it as your personal intel assistant.🦸‍♂️
• Maltego: Visualizes relationships between entities (like domains, IPs, and people). It’s like a conspiracy theorist’s dream board.🖼️
• theHarvester: Gathers emails, subdomains, and more from public sources. It’s like a vacuum cleaner for OSINT. 🧹
• SpiderFoot: Automates OSINT collection and maps out the data. Perfect for when you need to go deep.🌟

These tools will make you feel like a cyber superhero. Just remember: with great power comes great responsibility! 🦸‍♂️

# Using Recon-ng
# First, start recon-ng
recon-ng

# Inside recon-ng, create a workspace
[recon-ng][default] > workspaces create example

# Add the domain to the domains table
[recon-ng][example] > db insert domains
domain (TEXT): example.com

# Use a module to gather information
[recon-ng][example] > modules load recon/domains-hosts/google_site_web
[recon-ng][example][google_site_web] > run

# View the results
[recon-ng][example] > show hosts

Ethical Considerations & Best Practices📝

Before you go full hacker mode, let’s talk ethics. Pentesting is about helping, not harming, so keep these in mind:

• Legal Boundaries📝– Importance of Authorization: Always get written permission before testing. Unauthorized recon is illegal and can land you in hot water. 🚔

• Avoiding Detection⛔– Using Stealth Techniques: Use stealth techniques like slow scanning or spoofing to stay under the radar. You’re a ninja,🥷 not a bulldozer.🥷

• Documenting Findings🔎– Keeping Detailed Logs for Analysis: Keep detailed logs of everything you find. It’s not just for you—it’s for the client and your future self when you’re writing reports.💻

Think of yourself as a white-hat hacker, using your skills for good. No black hats allowed! 🎩

# Example of stealthier Nmap scanning
# Slow comprehensive scan (-T2) with minimal packet trace
nmap -T2 -sS -Pn --disable-arp-ping --data-length 15 example.com

# Documenting with screenshots and terminal logs
# Save terminal output to file
nmap -sV example.com | tee nmap_results.txt

# Taking screenshots with built-in tools
scrot 'recon_%Y-%m-%d_%H:%M:%S.png' -e 'mv $f ~/pentesting/example_project/screenshots/'

Conclusion & Next Steps

Whew😮‍💨, that was a lot—but you made it! Let’s recap:

• Reconnaissance is the art of gathering intel, both passively (ninja mode) and actively (knocking on doors).
• Passive Recon includes WHOIS, DNS enumeration, Google Dorking, SOCMINT, and metadata analysis.
• Active Recon involves tools like Nmap, Traceroute, Shodan, and web app scanners.
• Tools like Recon-ng, Maltego, and theHarvester make your life easier.
• Ethics are non-negotiable—always get permission and document everything.

Now that you’ve got the basics of recon down, it’s time to level up. Recon feeds directly into the next phase: vulnerability scanning, where you’ll use your findings to identify weak spots.

But first, practice makes perfect! Head over to legal platforms like Hack The Box or TryHackMe to hone your skills in a safe environment. You’ve got this, future pentester! 🚀

Stay tuned for the next post, where we’ll dive into vulnerability scanning. Until then, happy hacking (ethically, of course)! 😎