The 80% Rule
In Part 1, we established the penetration testing methodology. Now we enter the most critical phase—Reconnaissance. Ask any professional pentester, and they’ll tell you: reconnaissance is 80% of the job. The more you know about your target before launching a single scan, the more surgical your attack can be.
Passive Reconnaissance is intelligence gathering without directly interacting with the target’s systems. You leave no logs on the target’s infrastructure, trigger none of its alerts, and remain invisible to its defenders (the third-party services you query, such as search engines or Shodan, may still record your activity).
Why Passive Recon Matters
Imagine two scenarios:
Scenario A: You run Nmap against a company’s IP range. Their SIEM triggers. Security team investigates. Your IP is blocked. Engagement compromised.
Scenario B: You spend two days gathering publicly available information. You find an employee’s GitHub with hardcoded credentials, an old subdomain running a vulnerable app, and the company’s cloud provider from job postings. You craft a targeted attack with minimal noise.
Passive recon transforms a loud breach attempt into a precision strike.
OSINT: Open Source Intelligence
OSINT is the foundation of passive reconnaissance. It involves collecting data from publicly accessible sources:
- Company websites
- Social media
- Public records
- Search engines
- Code repositories
- DNS records
- Leaked databases
The OSINT Mindset
Think like a stalker (ethically). Every piece of information is a puzzle piece:
- That LinkedIn profile reveals the tech stack.
- That error message in a tweet exposes the server version.
- That PDF metadata contains the author’s username.
Google Dorking: Weaponizing Search
Google is the world’s most powerful reconnaissance tool. Google Dorks are advanced search operators that uncover hidden information.
Essential Operators
| Operator | Description | Example |
|---|---|---|
| site: | Limit to specific domain | site:target.com |
| filetype: | Search for file types | filetype:pdf |
| inurl: | Keywords in URL | inurl:admin |
| intitle: | Keywords in page title | intitle:"index of" |
| intext: | Keywords in body text | intext:password |
| - | Exclude results | site:target.com -www |
Dangerous Dorks
```
# Find exposed configuration files
site:target.com filetype:env OR filetype:config OR filetype:yml
# Find login portals
site:target.com inurl:login OR inurl:admin OR inurl:portal
# Find directory listings
site:target.com intitle:"index of" "parent directory"
# Find exposed documents
site:target.com filetype:pdf OR filetype:xlsx OR filetype:docx
# Find subdomains
site:*.target.com -www
# Find AWS S3 buckets
site:s3.amazonaws.com "target"
```
Google Hacking Database (GHDB)
The Exploit-DB GHDB contains thousands of pre-built dorks for finding:
- Vulnerable servers
- Exposed webcams
- Database dumps
- Sensitive directories
Subdomain Enumeration
Subdomains are treasure troves. Companies often forget about old subdomains running outdated software.
Passive Tools
Sublist3r
```bash
python sublist3r.py -d target.com -o subdomains.txt
```
Amass (Passive Mode)
```bash
amass enum -passive -d target.com
```
crt.sh (Certificate Transparency)
```bash
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
```
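The crt.sh query above returns JSON in which each certificate’s `name_value` field can hold several names separated by newlines, including wildcards and mixed case, so the raw list needs normalising before it is useful as an inventory. The script below is an added example, not part of the original post or of crt.sh: it parses a constructed sample in crt.sh’s schema (`name_value`, `not_after`), dedupes hostnames, drops wildcards, guards against a naive suffix match (`nottarget.com` ends with `target.com` but is not under it), and flags hosts whose newest certificate has already expired, which is exactly the “forgotten subdomain running outdated software” case this section describes. The function names and the sample data are assumptions.

```python
"""Normalise crt.sh (Certificate Transparency) output into a subdomain inventory.

Added example, not part of the original post or of crt.sh. SAMPLE_CRTSH_JSON is
a constructed stand-in for the JSON the curl command above fetches; the field
names name_value / not_after match crt.sh's schema.
"""
import json
from datetime import datetime

SAMPLE_CRTSH_JSON = json.dumps([  # constructed sample data
    {"name_value": "www.target.com\ntarget.com", "not_after": "2026-01-15T23:59:59"},
    {"name_value": "*.target.com", "not_after": "2025-11-01T23:59:59"},
    {"name_value": "legacy-crm.target.com\nLEGACY-CRM.target.com", "not_after": "2019-03-02T23:59:59"},
    {"name_value": "staging.internal.target.com", "not_after": "2026-06-30T23:59:59"},
    {"name_value": "nottarget.com", "not_after": "2026-01-01T23:59:59"},
])


def in_scope(host, domain):
    """True for the apex or any name under it. 'nottarget.com' is rejected
    even though a plain endswith('target.com') check would accept it."""
    return host == domain or host.endswith("." + domain)


def parse_crtsh(raw_json, domain):
    """Return {hostname: expiry of its newest certificate} for in-scope names.

    name_value may list several SAN entries separated by newlines; wildcards
    are dropped (they are not hosts) and names are lower-cased to dedupe.
    """
    domain = domain.lower()
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower()
            if not host or host.startswith("*.") or not in_scope(host, domain):
                continue
            if host not in latest or expiry > latest[host]:
                latest[host] = expiry
    return latest


def stale_hosts(latest, now_iso):
    """Hosts whose newest certificate expired before now_iso: candidates for
    forgotten infrastructure that should be inventoried or decommissioned."""
    now = datetime.fromisoformat(now_iso)
    return sorted(host for host, expiry in latest.items() if expiry < now)


if __name__ == "__main__":
    inventory = parse_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    for host in sorted(inventory):
        print(f"{host:32} newest cert expires {inventory[host].date()}")
    print("stale:", stale_hosts(inventory, "2025-06-01T00:00:00"))
```

Feeding the real curl output in place of the sample is a one-line change; the stale list is the part worth handing to the asset owner, because a host whose last certificate lapsed years ago and that still resolves is the classic forgotten system.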
SecurityTrails
API access to historical DNS records and subdomains.
Email Harvesting
Valid email addresses enable phishing attacks and credential stuffing.
theHarvester
```bash
theHarvester -d target.com -b google,linkedin,twitter -l 500
```
Hunter.io
Web-based tool that finds email patterns: firstname.lastname@target.com
Phonebook.cz
Free email and subdomain search from leaked datasets.
Technology Stack Discovery
Knowing what technologies a target uses helps identify vulnerabilities.
Wappalyzer
Browser extension that identifies CMS, frameworks, servers, and libraries.
BuiltWith
Web service showing historical technology usage.
WhatWeb
```bash
whatweb target.com
```
HTTP Headers
```bash
curl -I https://target.com
# Look for: Server, X-Powered-By, X-AspNet-Version
```
Social Media Intelligence
Employees are a goldmine of information.
- Job postings reveal tech stack requirements.
- Employee profiles show internal tools (“Experienced with Jira, Confluence, Jenkins”).
- Org charts for social engineering.
Twitter/X
- Developers venting about bugs.
- Screenshots with internal information.
- Announcements about new infrastructure.
GitHub
- Company repositories with leaked secrets.
- Employee personal repos with work-related code.
- Commit history with removed credentials (they’re still in history).
```bash
# Search GitHub for secrets
trufflehog github --org=target-org
```
Shodan: The Search Engine for Hackers
Shodan indexes internet-connected devices—servers, webcams, industrial systems, IoT.
Basic Queries
```
# Find all target IP assets
org:"Target Company"
# Find specific services
hostname:target.com port:22
# Find vulnerable services
vuln:CVE-2021-44228 org:"Target Company"
# Find exposed databases
port:27017 org:"Target Company"
```
Shodan Dorks
```
# Exposed MongoDB
"MongoDB Server Information" port:27017
# Exposed Elasticsearch
port:9200 "elastic indices"
# Vulnerable Exchange servers
http.title:"Outlook" "X-OWA-Version"
```
Wayback Machine: The Internet’s Memory
The Wayback Machine archives old versions of websites. Forgotten pages, removed content, and old endpoints are all preserved.
Use Cases
- Find old admin panels removed from current site.
- Discover deprecated APIs still active.
- View historical robots.txt for hidden directories.
```bash
# Automate with waybackurls
echo target.com | waybackurls | sort -u > urls.txt
```
Leaked Credentials
Databases are breached constantly. Credentials get dumped online.
Have I Been Pwned
Check if emails appear in known breaches.
DeHashed / Intelligence X
Search leaked databases for target domain credentials.
Caution
Using leaked credentials without authorization is illegal. Use this information only to understand your own organization’s exposure, or with the explicit permission of the affected party.
Putting It Together: A Recon Report
After passive recon, you should have:
- Attack Surface: All subdomains, IPs, and endpoints.
- Technology Stack: Servers, frameworks, CMS, third-party services.
- Email Addresses: For phishing or credential attacks.
- Usernames: From social media, GitHub, metadata.
- Potential Vulnerabilities: Old software versions, exposed services.
- Organizational Structure: Key employees, reporting chains.
Document everything. In a professional engagement, this becomes part of your final report.
Legal Reminder
Passive reconnaissance is generally legal—you’re accessing public information. However:
- Don’t access leaked credentials for unauthorized access.
- Don’t scrape sites in violation of ToS (gray area).
- Always have written authorization for the engagement.
Next Part: We move from observation to interaction—Active Reconnaissance with port scanning, service enumeration, and vulnerability discovery.