Passive Reconnaissance

Passive reconnaissance is the process of gathering information about a target without directly interacting with its systems or infrastructure. Because it sends no traffic to the target, it leaves nothing in the target's logs; this makes it stealthier than active recon and ideal for red teams, penetration testers, and OSINT researchers aiming to remain undetected.


1. Location-Based Intelligence (Physical Recon)

Understanding the physical environment of a target can offer valuable insight into potential entry points, routines, and vulnerabilities.

Key Information to Collect:

  • Satellite imagery (e.g., Google Earth, Bing Maps)

  • Drone footage (if legally permissible)

  • Building layout including:

    • Badge readers

    • Break areas

    • Fence lines and security checkpoints

    • Parking lot access and staff entrance

Example Tools:


2. Job & Employee Intelligence (Social Engineering Prep)

Information about employees and organizational structure can assist in crafting phishing emails, pretexting, or badge cloning strategies.

What to Look For:

  • Names, titles, contact numbers

  • Manager-employee hierarchy

  • Photos showing:

    • ID badges

    • Computer screens or terminals

    • Desk setups and internal documentation

Tools & Platforms:

  • LinkedIn

  • Hunter.io – for discovering company email formats

  • Google Dorking – e.g.:

    site:linkedin.com/in "Company Name" AND "Analyst"
    site:facebook.com "XYZ Corp"

3. Web & Host Reconnaissance

Objective: Validate the target and identify entry points in its online presence.

Key Activities:

  • Discover subdomains and hosting infrastructure

  • Fingerprint technologies used on web applications

  • Check for leaked credentials and breaches


Subdomain Enumeration

Identify public-facing subdomains to broaden the attack surface.

Example Tools:

  • Sublist3r

    sublist3r -d targetdomain.com

  • crt.sh (Certificate Transparency logs) – search:

    %.targetdomain.com
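A crt.sh search returns every certificate whose names match, with all SANs packed into one field, so the raw list is noisy. The following is an added example (not part of these notes) that parses the JSON crt.sh returns for a `%.targetdomain.com` query (`https://crt.sh/?q=%25.targetdomain.com&output=json`) into a de-duplicated, in-scope hostname inventory; the records below are constructed, and `targetdomain.com` is a placeholder.

```python
import json

# Constructed sample of crt.sh JSON output (records are made up for this example).
# name_value carries every SAN of the certificate, one per line.
SAMPLE_CRTSH_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.targetdomain.com",
  "name_value": "targetdomain.com\\nwww.targetdomain.com", "not_before": "2024-01-10T00:00:00"},
 {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "*.targetdomain.com",
  "name_value": "*.targetdomain.com\\nVPN.targetdomain.com", "not_before": "2023-06-01T00:00:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.targetdomain.com",
  "name_value": "mail.targetdomain.com\\nmail.targetdomain.com.evil-lookalike.net",
  "not_before": "2024-03-02T00:00:00"}
]"""


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, de-duplicated hostnames that are `domain` or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            # Normalise case and trailing dots so duplicates collapse.
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                # A wildcard cert tells us the parent zone is covered, not a specific host.
                name = name[2:]
            # Suffix match on ".<domain>" keeps true subdomains only and drops look-alike
            # names such as mail.targetdomain.com.evil-lookalike.net.
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "targetdomain.com"):
        print(host)
```

The same filter applied to a live crt.sh response gives defenders a quick inventory of every hostname a CA has ever issued a certificate for, which is a useful check against forgotten or shadow-IT hosts.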

Domain & DNS Intelligence

WHOIS Lookup:

whois targetdomain.com

DNS Enumeration with dnsrecon:

dnsrecon -d targetdomain.com -a

Nslookup:

nslookup targetdomain.com

Web Technology Fingerprinting

Identify the backend tech stack used by the target website.

Tools:

  • WhatWeb

    whatweb https://targetdomain.com

  • Wappalyzer (browser extension)


Data Breaches & Credential Leaks

Check if any user accounts related to the target have been exposed.

Tools:

  • BreachParse – Parses large breach datasets

  • WeLeakInfo (Note: offline now, was used for leaked credential databases)


4. Port Scanning & Banner Grabbing (Cautious Use)

Though typically considered active (each probe opens a TCP connection to the target and will appear in its connection logs), scanning can sometimes be performed in a less intrusive way depending on the method and frequency.

Example using Netcat (note that -n disables DNS resolution, so it only works when you supply an IP address rather than a hostname):

nc -v targetdomain.com 80

You can manually send an HTTP request; the request line must be followed by an empty line (press Enter twice) to terminate the headers before the server will respond:

GET / HTTP/1.0

