Art of Reconnaissance

Reconnaissance, It is the first step that is involved in the process of ethically hacking or penetrating a Cyber Asset. Reconnaissance is the process in which the preliminary information of a particular target has to find out to judge, its overall structure and the weak points. The information that is being extracted via the process of Reconnaissance can be further used in exploiting the target.
The sensitive information that can be gathered using Reconnaissance can be of various types like open ports, subdomains, os and network details, etc. Reconnaissance is believed to be one of the most crucial steps involved in the process of Ethical Hacking.

In this article, we will dive into how the Reconnaissance work, what are the steps involved, and what information one has to focus on while doing Reconnaissance.

Basics concept of Reconnaissance –

Reconnaissance is said to be the treasure of the critical information of a target. A tester may spend his few days, weeks, or even months on the process of Reconnaissance to gather the exact critical details of a target to whom he/she is going to pentest to have positive results after pen-testing.
Reconnaissance is of two types, like Active Reconnaissance and Passive Reconnaissance. While a tester works on the process of Reconnaissance, he/she prepares a recon sheet in which he specifies various sort of recon stuff that he gathered which includes:



  • Open Ports
  • S3 buckets
  • Whois Information
  • Networks

These are just a few things that a tester look for, apart from them are various sort of information which are used to be gathered for the process of Reconnaissance.

Ways to perform Reconnaissance –

Open Source Intelligence: OSINT is one of the most important and widely used technologies used by the Penetration testers and security researchers. OSINT framework is one of the critical key components of the recon process. Using OSINT, one can be able to get the public details of the target which may include databases, usernames & Passwords dumps, public records, metadata, emails, IoT data, and a lot more important stuff. Such data can be widely used to create a road map for pentesting the target.

Google Dorks: Google dorks are today widely used by hackers and testers to find out the hidden information from the websites. This extraction of the data is being done with the help of google dorks. Google Dorks are nothing but just a way smart searching the things. For example, if you want to search a book, you google it, look for two-three pages, and then you get the specified file. But in google dorks, we write inurl: book name filetype: pdf. In this way the there are two parameters in a query, i.e. inurl and file type. The Inurl will search for the specific book name, and the filetype will search for the particular extension of the file.

Recon Tools: Recon tools such as Maltego, theharvester, and ReconNg are some of the builtin tools that came with Kali Linux distro. However, we can also download these tools separately from their websites. All these tools play a very insightful role in the process of reconnaissance. Almost all of the mentioned frameworks are build up in python and are very popular among the Cyber Security analysts. Such frameworks help you find critical information from various sources such as Google search engine, PGP key servers, Bing, Baidu, Yahoo, and social networks like Linkedin, Twitter, and Google Plus regarding your target.

Shodan: Shodan is a sort of security-based search engine that generally focuses on the Internet of things and Deep Web. It is also known as “Hackers Search Engine” as it helps the security researchers find out various information about the devices that are connected with the internet in real-time such as Webcams, Routers, Servers, etc. A good part of reconnaissance can be done here with a specific target that has to be tested.

Nmap: Nmap or Network Mapper is a convenient tool for Network Pentesters. It allows a user to test a network with the help of specific inbuilt commands in the Nmap framework. Nmap can be used to find out various information regarding the target such as Operating System, Ip’s and DNS information, Open Ports, Versions, Hosts running on a network, etc. Nmap can be used to perform Active Reconnaissance during the initial phase of testing.

Conclusion –
So, the following stated frameworks and tools are some of the handy resources that can help security researchers to perform the process of Reconnaissance. As it is one of the key phases to gather the footprints of the target, this phase must be critically executed to make a security map on behalf of the collected information from this phase upon which the target can be attacked on specific weak points.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.