Reconnaissance Phase — Comprehensive Guide for Ethical Hacking (Recon)
Author: Generated by ChatGPT (Aashish's study guide)
Introduction
This guide covers the Reconnaissance (recon) phase in ethical hacking: objectives, scenarios, techniques,
hands-on tools, command examples, workflows, reporting templates, and legal/ethical considerations. It is
intended for defensive security professionals and ethical penetration testers performing authorized
assessments only.
Recon Overview
Reconnaissance is the first phase of a penetration test. Goal: collect information about the target(s) to identify the attack surface and plan the next steps. Key goals:
• Map assets (domains, subdomains, IP ranges, hosts)
• Enumerate services and versions
• Discover public-facing applications, endpoints and technologies
• Gather evidence of leaks and exposed secrets (public repos, config leaks)
• Identify personnel, org structure and social attack vectors
Passive vs Active Recon
Passive recon: collects information without interacting directly with the target; lower noise and harder to detect. Examples: OSINT (public websites, DNS records, search engines, certificates, social media), passive DNS, archive.org, crt.sh, Shodan/Censys read-only queries.
Active recon: direct interaction with the target (scanning, probing). Faster, but noisy and requires permission. Examples: Nmap port/service scans, web directory brute force, banner grabs, service probes, traceroute.
Common Recon Scenarios
1) External corporate network (web servers, mail, DNS)
2) Web application recon (subdomains, endpoints, directories, parameters)
3) Cloud & container environments (S3 buckets, misconfigurations)
4) Wireless recon (APs, clients, WPS, SSIDs)
5) Social engineering / people recon (LinkedIn, email formats, OSINT)
6) Mobile app backend discovery (API endpoints, certs, mobile telemetry)
7) Third-party suppliers / supply-chain exposure
8) Physical recon (public CCTV, facility info, default credentials on devices)
Essential Tools (by purpose)
Below is a categorized list of widely used recon tools. Use official project sites and package managers to
install the latest versions.
Tools & Short Description
Category | Tool (examples) | Short notes / typical commands
DNS & Subdomain Discovery | dig, host, nslookup, Sublist3r, Amass, Subfinder, Knockpy | amass enum -d example.com ; subfinder -d example
Port & Service Scanning | nmap, masscan, unicornscan | nmap -sC -sV -p- -oA nmap_scan example.com ; ma
Web Recon & Fuzzing | Gobuster, Dirb, Dirbuster, ffuf, Burp Suite, OWASP ZAP | ffuf -u https://target/FUZZ -w wordlist.txt -mc 200 ; g
Certificate & CDN bypass techniques | crt.sh, Censys, Wayback Machine, Cloudflare | Use crt.sh for subdomain discovery; check cdn head
OSINT & People | theHarvester, Maltego, SpiderFoot, Recon-ng, LinkedIn, Google dorking | theHarvester -d example.com -b all ; maltego transfo
Shodan & IoT search | Shodan, Censys, ZoomEye | shodan search apache 2.4 ; check exposed devices
Source code & Secret leaks | GitHub search, TruffleHog, Gitrob, gitleaks | gitleaks detect --source . ; trufflehog --json https://git
Passive DNS & Historical | PassiveTotal, SecurityTrails, VirusTotal | Look up passive DNS to find historical A records
Cloud Recon | AWSBucketDump, S3Scanner, Pacu (cloud pentest), ScoutSuite | aws s3 ls s3://bucket-name (only if public). Use Pac
Email & Phishing | spray tools, knock email format discovery, hunter.io, HaveIBeenPwned | verify email pattern using hunter.io ; check breaches
Automation Frameworks | Recon-ng, SpiderFoot, Amass (monolithic) | Use recon-ng modules for enumerations and export
Practical Command Examples (starter cheat-sheet)
Subdomain enumeration (Amass)
amass enum -passive -d example.com -o amass_passive.txt
Subdomain discovery (subfinder)
subfinder -d example.com -o subfinder.txt
DNS lookup and zone transfer attempt
dig AXFR @ns1.example.com example.com ; host -t AXFR example.com ns1.example.com
Port scan (nmap quick)
nmap -sC -sV -p- -T4 -oA nmap_full example.com
Mass host discovery (masscan)
masscan x.x.x.x/16 -p1-65535 --rate=10000 -oL masscan_results.txt
Web fuzzing (ffuf)
ffuf -u https://target/FUZZ -w /path/wordlist.txt -t 40 -mc 200
Directory brute force (gobuster)
gobuster dir -u https://target -w /usr/share/wordlists/dirb/common.txt -t 50 -x php,html,txt -o gobuster.txt
Banner grab (nc)
nc -v target 22 (the service banner is printed on connect; -z only tests whether the port is open) ; telnet target 22 and read the banner
Grab SSL info (sslyze)
sslyze --regular example.com:443
Search public repos for secrets (gitleaks)
gitleaks detect --source https://github.com/org/repo --report-path report.json
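An added helper, not part of the guide, that merges the amass_passive.txt and subfinder.txt outputs above with a crt.sh JSON response into one deduplicated list, keeping only names under the authorized apex domains so that nothing out of scope reaches the active scanning steps. The file contents, crt.sh entries and the `merge_subdomains` name are constructed for this example.

```python
import json
import re

# Constructed samples standing in for amass_passive.txt, subfinder.txt and a
# crt.sh JSON response (not real query results).
AMASS_OUT = "www.example.com\napi.example.com\nMail.Example.com.\n"
SUBFINDER_OUT = "www.example.com\ndev.example.com\nold.example.net\n"
CRTSH_JSON = json.dumps([
    {"name_value": "*.example.com\nstaging.example.com"},
    {"name_value": "cdn.example.com"},
    {"name_value": "example.com.lookalike.test"},   # shares a prefix, not in scope
])

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")

def normalize(name):
    """Lowercase, strip a wildcard prefix and trailing dot; None if not a hostname."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    return n if HOSTNAME_RE.match(n) else None

def in_scope(name, scope):
    """True only if name is an authorized apex or a subdomain of one
    (suffix match including the dot, so example.com.lookalike.test is rejected)."""
    return any(name == apex or name.endswith("." + apex) for apex in scope)

def merge_subdomains(tool_outputs, crtsh_json, scope):
    """Merge line-oriented tool output and crt.sh JSON into a sorted in-scope list."""
    candidates = []
    for text in tool_outputs:
        candidates.extend(text.splitlines())
    for entry in json.loads(crtsh_json):
        candidates.extend(entry["name_value"].splitlines())  # one cert, several SANs
    kept = {n for n in map(normalize, candidates) if n and in_scope(n, scope)}
    return sorted(kept)

if __name__ == "__main__":
    for host in merge_subdomains([AMASS_OUT, SUBFINDER_OUT], CRTSH_JSON, ["example.com"]):
        print(host)
```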
Recon Workflow (recommended)
1. Scoping & Authorization: confirm written permission and scope (IP ranges, domains, time windows).
2. Passive OSINT: collect public info (WHOIS, certificates, search engines, archives, social media).
3. Subdomain discovery & passive DNS: Amass, subfinder, crt.sh, Censys.
4. Host discovery & port scan: masscan (at a conservative rate), then nmap service/version scans.
5. Web app mapping: Burp/OWASP ZAP proxy, spider, intercept, directory fuzzing, JS & API discovery.
6. Vulnerability fingerprinting: banner grab, nikto, CMS detectors (wpscan, whatweb), dependency checks.
7. Credential & secret search: public repos, leak databases, paste sites.
8. Pivot / prioritize findings and prepare for authenticated tests (if in scope).
9. Reporting: document evidence, PoC, risk, exploitation steps, and recommended remediation.
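An added example, not from the guide, that turns the .gnmap file written by the nmap -oA command in the cheat-sheet (workflow step 4) into the per-host evidence rows that the reporting step needs, and flags cleartext services for the risk rating. The scan output embedded below and the function names are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable output (the .gnmap file that -oA writes);
# the hosts, ports and versions are made up for illustration.
GNMAP_SAMPLE = """# Nmap scan initiated as: nmap -sC -sV -p- -T4 -oA nmap_full example.com
Host: 192.0.2.10 (www.example.com)\tStatus: Up
Host: 192.0.2.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (65534)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Host line: "Host: <ip> (<hostname>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State:.*)?$")
# Services that carry credentials or content unencrypted: worth a risk note in the report.
CLEARTEXT = {"ftp", "telnet", "http"}

def parse_gnmap(text):
    """Return one dict per OPEN port: host, hostname, port, proto, service, version."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            # entry layout: port/state/protocol/owner/service/rpc info/version/
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            port, _state, proto, _owner, service, _rpc, version = fields[:7]
            rows.append({"host": ip, "hostname": hostname, "port": int(port),
                         "proto": proto, "service": service, "version": version})
    return rows

def cleartext_services(rows):
    """Rows whose service is a known cleartext protocol (for the risk-rating section)."""
    return [r for r in rows if r["service"] in CLEARTEXT]

def report_lines(rows):
    """Render rows as the per-host evidence lines the report template asks for."""
    return [f"{r['hostname'] or r['host']} {r['port']}/{r['proto']} {r['service']} {r['version']}".rstrip()
            for r in rows]

if __name__ == "__main__":
    rows = parse_gnmap(GNMAP_SAMPLE)
    print("\n".join(report_lines(rows)))
    print("cleartext:", [(r["host"], r["port"]) for r in cleartext_services(rows)])
```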
Legal / Ethical Considerations
Always have explicit, written authorization before conducting active recon. Unauthorized scanning or probing can be illegal and disruptive.
• Use agreed activity windows and safe scan rates to avoid causing a DoS.
• Never attempt exploitation outside scope.
• If you discover critical data exposure (e.g., active credentials), follow responsible disclosure or the client's rules.
• Keep logs and evidence of authorization.
Reporting — Quick template
Title: Reconnaissance Phase Findings
Scope: enumerated domains, IP ranges, time-window
Summary: high-level exposure summary and critical findings
Details: list per host/subdomain with evidence (screenshots, headers, curl output), commands used, timestamps
Risk rating: CVSS or custom rating per finding
Remediation: prioritized action items (patch, remove public data, rotate keys, implement WAF, limit zone transfers)
Appendix: full command logs, wordlists, scripts, and raw outputs
Further Reading & Resources
• Official project pages: Nmap, Amass, Subfinder, Recon-ng, Burp Suite
• OWASP Testing Guide & OWASP Top 10
• Practical OSINT manuals and SpiderFoot documentation
• Cloud security guides (AWS, Azure, GCP) for cloud misconfiguration detection
• Books: 'The Hacker Playbook' series, 'OSINT Toolkit' and 'Practical Web Penetration Testing'
Generated: Sept 22, 2025 — Use only with explicit authorization. Good luck!