Ethical Hacking & VAPT

Reconnaissance & OSINT

60 min

Reconnaissance — The Art of Intelligence Gathering

Reconnaissance (recon) is the first and most important phase of ethical hacking. The more information gathered about a target, the higher the likelihood of finding exploitable vulnerabilities. It is divided into two types:

Passive Reconnaissance

Gather information without directly interacting with the target. Leaves no traces in target logs.

PASSIVE OSINT TECHNIQUES & TOOLS
─────────────────────────────────────────────────────────
Google Dorks     → Advanced search operators
                   site:target.com filetype:pdf
                   intitle:"index of" site:target.com
                   inurl:admin site:target.com
WHOIS Lookup     → Domain registration info
                   whois target.com        # Registrant, name servers
DNS Analysis     → Subdomain discovery
                   dnsx, subfinder, amass, assetfinder
Shodan.io        → Internet-connected device search
                   "apache" org:"Target Corp"
                   default password port:23
theHarvester     → Emails, subdomains, hosts from public sources
LinkedIn/Social  → Employee names, job roles, technologies used
Wayback Machine  → Historical website content (web.archive.org)
Certificate CT   → crt.sh — SSL certificate transparency logs
GitHub/GitLab    → Exposed credentials, API keys, source code
─────────────────────────────────────────────────────────

Active Reconnaissance

Directly interact with target systems. May leave traces in logs. Only perform with authorization.

NMAP — THE ESSENTIAL SCANNER
──────────────────────────────────────────────
# Host Discovery
nmap -sn 192.168.1.0/24            # Ping sweep

# Port Scan
nmap -sV -sC -p- target.com        # Full scan + service detection + scripts

# Stealth Scan
nmap -sS -T2 target.com            # SYN scan (half-open)

# OS Detection
nmap -O target.com                 # OS fingerprinting

# Vulnerability Scan
nmap --script vuln target.com      # Run vulnerability scripts
──────────────────────────────────────────────
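The same scans are just as useful on the defending side: run against your own authorized range, the output can be diffed against an approved-service baseline to catch ports that should not be exposed. The following script is an added example, not part of this course page or of nmap itself; it parses nmap's grepable output format (`-oG`), whose port entries are `port/state/protocol/owner/service/rpcinfo/version/`. The scan text, the hosts (TEST-NET-1 addresses) and the BASELINE dictionary are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG -` output; not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, 80/open/tcp//http//nginx 1.22.1/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https//nginx 1.22.1/, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
# Nmap done at ... -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical authorized-service baseline: what each host is allowed to expose.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
    "192.0.2.11": {("tcp", 443)},
}


@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str
    version: str


# Grepable lines: "Host: <ip> (<hostname>)<TAB>Ports: <entries><TAB>Ignored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return an OpenPort for every port nmap reports as open."""
    found = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, _hostname, ports_field = m.groups()
        for entry in ports_field.split(","):
            # Port entry: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue
            found.append(OpenPort(host, proto, int(port), service, version))
    return found


def unexpected_services(open_ports, baseline):
    """Open ports that are not in the baseline: candidates for investigation."""
    return sorted(
        (p for p in open_ports if (p.proto, p.port) not in baseline.get(p.host, set())),
        key=lambda p: (p.host, p.proto, p.port),
    )


def missing_services(open_ports, baseline):
    """Baseline services the scan did not observe: possible outage or scan blind spot."""
    seen = {(p.host, p.proto, p.port) for p in open_ports}
    return sorted(
        (host, proto, port)
        for host, services in baseline.items()
        for proto, port in services
        if (host, proto, port) not in seen
    )


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    for p in unexpected_services(ports, BASELINE):
        print(f"UNEXPECTED {p.host} {p.proto}/{p.port} {p.service} {p.version}".rstrip())
    for host, proto, port in missing_services(ports, BASELINE):
        print(f"MISSING    {host} {proto}/{port}")
```

In practice the baseline comes from the asset inventory or change-management records, and the scan is scheduled from a host whose source address is allow-listed, so that the scan itself does not trip the same alerts an attacker's scan would.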

Subdomain Enumeration

Every subdomain found expands the attack surface, so enumeration should be thorough. Tools: subfinder, amass, dnsx, gobuster dns

  • Brute-force using wordlists (SecLists)
  • DNS zone transfer (if misconfigured): dig axfr @ns1.target.com target.com
  • Certificate transparency logs (crt.sh)
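Certificate transparency logs appear in both the passive OSINT table above and the subdomain list here, and they are equally valuable to the owner of a domain: every certificate ever issued for it is public, so CT is a cheap way to find forgotten or unapproved hosts (shadow IT). The script below is an added example, not code from this course or from crt.sh; it assumes crt.sh's JSON export shape (`?q=%25.example.com&output=json`, records with `common_name`, `name_value` as newline-separated SANs, and `not_after`). The records themselves and the KNOWN_ASSETS inventory are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed records shaped like crt.sh JSON output; the field names follow
# crt.sh (assumption), the hostnames and dates are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com", "not_after": "2030-01-01T00:00:00"},
    {"id": 3, "common_name": "Staging.Example.com",
     "name_value": "staging.example.com\nOLD-VPN.example.com.", "not_after": "2030-01-01T00:00:00"},
    {"id": 4, "common_name": "legacy.example.com",
     "name_value": "legacy.example.com", "not_after": "2019-06-30T23:59:59"},
    # Lookalike under another registrable domain: must NOT be counted as ours.
    {"id": 5, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test", "not_after": "2030-01-01T00:00:00"},
])

# Hypothetical asset inventory maintained by the domain owner.
KNOWN_ASSETS = {"example.com", "www.example.com", "staging.example.com"}


def normalize_name(name):
    """Lower-case, drop the trailing dot and a leading wildcard label."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]  # *.example.com tells us only that example.com exists
    return n


def ct_hostnames(raw_json, apex, now=None, include_expired=False):
    """Hostnames at or below `apex` seen in CT records (expired certs skipped by default)."""
    now = now or datetime.now(timezone.utc)
    names = set()
    for entry in json.loads(raw_json):
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        if not include_expired and not_after < now:
            continue
        candidates = entry["name_value"].split("\n") + [entry.get("common_name", "")]
        for raw in candidates:
            n = normalize_name(raw)
            # Suffix check on a label boundary, so example.com.evil.test is excluded.
            if n == apex or n.endswith("." + apex):
                names.add(n)
    return names


def unknown_hostnames(raw_json, apex, inventory, **kwargs):
    """CT-observed hostnames that the inventory does not know about."""
    return sorted(ct_hostnames(raw_json, apex, **kwargs) - inventory)


if __name__ == "__main__":
    for name in unknown_hostnames(SAMPLE_CRTSH_JSON, "example.com", KNOWN_ASSETS):
        print("not in inventory:", name)
    for name in unknown_hostnames(SAMPLE_CRTSH_JSON, "example.com", KNOWN_ASSETS,
                                  include_expired=True):
        print("not in inventory (incl. expired certs):", name)
```

Expired certificates are skipped by default because an old certificate often belongs to a host that was decommissioned; switching `include_expired` on is the way to find the hosts that were decommissioned on paper but may still be answering.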