How to do Reconnaissance?

Abdullah Baghuth
2 min read · Nov 29, 2020

Information Gathering

There are many types of passive recon; here we will go through physical and social recon. Physical recon means actually going on-site for a physical engagement, and it goes hand in hand with the social-engineering side, such as a phishing assessment. Even when the engagement is purely physical, the information gathered this way is incredibly useful. We start with location information: we might use satellite images, or we will often go on-site and do drone recon, flying a drone around the site to learn things like:

What does the building layout look like?
Are there badge readers?
Are there break areas?
Does on-site security exist?
Do they have somebody posted out front?
Can you walk right in the door?
What does the fencing look like?
Are they just leaving the doors propped open?

The other aspect of this is job information. We look for employees online: somebody's name, job title, phone number, and who their manager is. I also try to get a good idea of what people look like, so I look for pictures; there are plenty of photos posted on LinkedIn, many of them more revealing than the person intended.

Web and Host:
When we get a web or host assessment, the first thing you really should do is what is called target validation. There are situations where a client gives you an IP address or website that is accidentally the wrong number or the wrong site, and then guess what: you are attacking somebody else. For that we can use tools like whois, nslookup, and dnsrecon, and confirm that every host resolves to an address inside the agreed scope before touching it.
On the website we look for subdomains; there are many tools for that, such as Google-fu (search operators like site:example.com), dig, Nmap, sublist3r, Bluto, etc.
Then there is fingerprinting: we need to know what is running on a website or on a host and what services are exposed. For that you can use tools like Nmap, Wappalyzer, WhatWeb, BuiltWith, and Netcat.
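Target validation in practice comes down to one check: does every hostname the client handed over resolve to an address inside the scope we agreed on? The following is an added example (it is not code from the original post or from any of the tools named above) that does that check with Python's standard ipaddress module. The scope CIDRs, hostnames and DNS answers are constructed sample data so the example runs offline; on a real engagement you would swap in the live resolver shown at the bottom, and still cross-check whois for the owner of each range.

```python
import ipaddress
import socket

# Constructed sample data (not real client data): the scope agreed with the
# client as CIDR ranges, and what a DNS lookup returned for each hostname
# the client handed over.
AGREED_SCOPE = ["203.0.113.0/24", "2001:db8::/48"]

SAMPLE_RESOLUTIONS = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25", "2001:db8::25"],
    "shop.example.com": ["198.51.100.7"],   # hosted by a third party: out of scope
    "old.example.com": [],                  # stale entry, does not resolve
}


def offline_resolver(host):
    """Stand-in for DNS so the example runs without network access."""
    return SAMPLE_RESOLUTIONS.get(host, [])


def live_resolver(host):
    """Real resolver for an engagement (not used by the offline example)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def validate_targets(hosts, scope, resolve):
    """Classify each host as in_scope, out_of_scope (with the offending
    addresses) or unresolved. A host with even one address outside the
    agreed ranges is flagged, because scanning it would hit someone else."""
    nets = [ipaddress.ip_network(cidr) for cidr in scope]
    report = {}
    for host in hosts:
        addrs = resolve(host)
        if not addrs:
            report[host] = ("unresolved", [])
            continue
        # ip_address in ip_network is False (not an error) across v4/v6
        outside = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in net for net in nets)]
        report[host] = ("out_of_scope", outside) if outside else ("in_scope", [])
    return report


def approved_targets(report):
    """Only hosts that resolved entirely inside scope go into the scan list."""
    return sorted(host for host, (status, _) in report.items()
                  if status == "in_scope")


if __name__ == "__main__":
    result = validate_targets(list(SAMPLE_RESOLUTIONS), AGREED_SCOPE, offline_resolver)
    for host, (status, outside) in result.items():
        print(f"{host:20} {status:13} {' '.join(outside)}")
    print("approved:", approved_targets(result))
```

Anything that comes back unresolved or out of scope goes back to the client for confirmation, not into the scanner.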
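Tools like Wappalyzer and WhatWeb work largely by matching signatures in the HTTP response: the Server and X-Powered-By headers, session-cookie names, and generator tags in the HTML. The following added example (written for this page, not taken from the original post or from any of those tools) shows that technique on a constructed sample response; the header values, cookies and versions in it are made up for illustration. The signature table is an assumption of a few well-known patterns, not a complete ruleset.

```python
import re

# Constructed sample raw HTTP response (not captured from a real host).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sun, 29 Nov 2020 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    b"Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 5.5.3">'
    b"</head><body>hello</body></html>"
)

# Cookie-name signatures (assumed, illustrative subset): pattern -> technology.
COOKIE_SIGNATURES = [
    (r"^PHPSESSID$", "PHP"),
    (r"^ASP\.NET_SessionId$", "ASP.NET"),
    (r"^JSESSIONID$", "Java servlet container"),
    (r"^wordpress_", "WordPress"),
    (r"^csrftoken$", "Django"),
]

# "Product/version ..." as used by Server and X-Powered-By headers.
PRODUCT_VERSION = re.compile(r"([A-Za-z.-]+)/?([\d.]*)")
GENERATOR_TAG = re.compile(r'<meta name="generator" content="([A-Za-z ]+?) ?([\d.]*)"')


def parse_response(raw: bytes):
    """Split a raw response into status line, [(name, value)] headers (names
    lower-cased, duplicates kept so every Set-Cookie survives) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("latin-1", "replace")


def fingerprint(raw: bytes) -> dict:
    """Return {technology: version-or-None} from header, cookie and body clues.
    A clue with a version number overrides one without."""
    _, headers, body = parse_response(raw)
    found = {}

    def note(tech, version):
        version = version or None
        if tech not in found or (version and not found[tech]):
            found[tech] = version

    for name, value in headers:
        if name in ("server", "x-powered-by"):
            m = PRODUCT_VERSION.match(value)
            if m:
                note(m.group(1), m.group(2))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            for pattern, tech in COOKIE_SIGNATURES:
                if re.match(pattern, cookie_name):
                    note(tech, None)

    m = GENERATOR_TAG.search(body)
    if m:
        note(m.group(1), m.group(2))
    return found


if __name__ == "__main__":
    for tech, version in sorted(fingerprint(SAMPLE_RESPONSE).items()):
        print(f"{tech}: {version or 'version unknown'}")
```

Versions recovered this way feed directly into the next step (looking up known issues for Apache 2.4.41 or WordPress 5.5.3, for instance), which is why banner and generator strings are worth collecting even when they can be spoofed.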

Breached data is by far the most common way we get into networks on an external assessment. When we talk about data breaches we mean incidents from the past that leaked data, such as Home Depot, Equifax, and LinkedIn; all kinds of breaches out there have had credentials dumped, and since people reuse passwords, we will later try to use those credentials to gain access.
In the end, the better your information gathering, the better a hacker you are!
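Before a dump is any use you have to pull out the accounts that belong to the target and decide which passwords to try first. The following is an added example (not code from the original post) that does that triage on a constructed dump in the common email:password layout; every line in it is made up for illustration. It keeps only addresses at the in-scope domains (including their subdomains), drops duplicates and malformed lines, and ranks passwords that show up on more than one account, since those are the company-wide patterns most likely to still work.

```python
import collections
import re

# Constructed sample dump lines (invented, not from any real breach).
SAMPLE_DUMP = """\
alice.smith@example.com:Summer2019!
bob.jones@example.com:bob123
alice.smith@example.com:Summer2019!
carol@otherdomain.net:qwerty
dave.lee@mail.example.com:Winter2020
malformed line without separator
bob.jones@example.com:Summer2019!
"""

EMAIL = re.compile(r"([^@\s]+)@([^@\s]+)")


def in_scope(domain, scope_domains):
    """True for the domain itself or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in scope_domains)


def parse_dump(text, scope_domains):
    """Return sorted unique (email, password) pairs for in-scope domains,
    skipping lines that do not look like email:password."""
    creds = set()
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or not password:
            continue                      # no separator or empty password
        m = EMAIL.fullmatch(email.strip().lower())
        if not m:
            continue                      # not an e-mail address
        if in_scope(m.group(2), scope_domains):
            creds.add((m.group(0), password))
    return sorted(creds)


def spray_candidates(creds):
    """Passwords seen on more than one account, most common first."""
    counts = collections.Counter(password for _, password in creds)
    return [p for p, n in counts.most_common() if n > 1]


def usernames(creds):
    """Unique local parts, e.g. for reuse against a VPN or mail login."""
    return sorted({email.split("@", 1)[0] for email, _ in creds})


if __name__ == "__main__":
    found = parse_dump(SAMPLE_DUMP, ["example.com"])
    for email, password in found:
        print(f"{email:30} {password}")
    print("try first:", spray_candidates(found))
    print("usernames:", usernames(found))
```

Keep the dump handling itself on an encrypted engagement volume and only try recovered passwords against systems inside the written scope; the point of the recon is to know which ones are worth trying.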