Key Terms
Reconnaissance
The first phase of hacking — systematic intelligence gathering about a target before any attack begins. The quality of reconnaissance determines the quality of everything that follows.
OSINT
Open Source Intelligence — information gathered entirely from publicly available sources. No hacking required. Legally available and highly effective.
Passive Recon
Intelligence gathering that does not involve any direct interaction with the target's systems — leaves no trace in their logs and is entirely undetectable.
Active Recon
Intelligence gathering that involves direct contact with target systems — such as port scans or DNS queries. Faster, but detectable if monitoring is in place.

What reconnaissance means in cybersecurity

Reconnaissance is the first and most critical phase of every cyberattack. Before a single exploit is attempted, a skilled attacker will spend significant time — often the majority of the entire operation — building a comprehensive picture of the target: its technology, its people, its suppliers, and its publicly visible exposure.

Sun Tzu wrote: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." The principle holds entirely in cybersecurity. Attackers who complete thorough reconnaissance can be surgical and quiet — targeting specific vulnerabilities in specific systems, approaching through the weakest entry points, and using the language and context of the organisation to make social engineering attacks credible. Defenders who understand what reconnaissance looks like can reduce the intelligence available and detect when it is being conducted.

In the CEH v13 methodology, reconnaissance is Phase 1 of the five-phase hacking lifecycle and typically consumes 60–70% of total attack time.

Passive reconnaissance — no footprint

Passive reconnaissance involves gathering intelligence entirely from public sources without touching the target's systems. It is completely undetectable — the target's logs will show nothing. Effective passive recon techniques include:

  • Google dorking: Using advanced search operators — site:, filetype:, inurl:, intitle: — to find sensitive documents, admin panels, login pages, and exposed configuration files indexed by search engines.
  • Shodan: A search engine for internet-connected devices. A Shodan query can reveal IP cameras, industrial control systems, routers, and servers with default credentials — all without touching the target.
  • LinkedIn: Employee names, job titles, team structures, and technology mentions in job postings. A listing for a "Splunk Administrator" reveals the organisation's SIEM platform. A developer profile listing "AWS, Terraform, Kubernetes" reveals the cloud infrastructure.
  • WHOIS and DNS: Domain registration details, nameservers, hosting providers, and IP range allocations. Reveals infrastructure ownership and hosting relationships.
  • Job postings: Arguably the most underappreciated passive recon source. Every technology mentioned in a job listing is a technology the attacker now knows to target.
  • GitHub: Public repositories frequently contain hardcoded API keys, database connection strings, cloud credentials, and internal infrastructure details — left there accidentally by developers.

None of these techniques touch the target's systems. All of them are entirely legal to perform. All of them yield intelligence that is directly actionable in subsequent attack phases.

Active reconnaissance — direct contact

Active reconnaissance involves making direct contact with target systems to extract technical information. It is faster and yields richer technical data than passive recon, but it leaves traces — log entries, firewall alerts, and IDS notifications — that a monitored organisation may detect.

Common active recon techniques include ping sweeps to identify live hosts, DNS zone transfer attempts to obtain complete domain records, Nmap port scans to identify open ports and running services, and banner grabbing to determine exact software versions running on those services. Skilled attackers minimise active recon until they are confident passive methods have been exhausted — or until they are already inside the network and less concerned about detection.

The distinction matters in authorised engagements too: a penetration test's rules of engagement will typically specify whether active scanning is permitted from an external perspective, or whether the tester begins from an assumed internal position.
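Because active recon leaves exactly the traces described above, a defender can look for them in firewall logs. The following is an added example, not code from the original page or from the CEH curriculum: it parses constructed firewall deny-log lines (the log format is assumed) and flags any source that probes many distinct ports on one host inside a short window, which is the signature a port scan or banner-grab sweep leaves behind.

```python
# Added example (not from the page): flag a source that touches many distinct
# ports on one host within a short window. Log format is constructed here.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log: 8 quick probes from one source, plus
# ordinary traffic from another source that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.7 dst=198.51.100.10 dport=21
2024-05-01T10:00:00 DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=25
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=80
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=110
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=445
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-05-01T10:00:05 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443
2024-05-01T10:05:00 DENY src=192.0.2.44 dst=198.51.100.10 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def detect_port_scans(text, min_ports=6, window=timedelta(seconds=60)):
    """Return {src: sorted distinct ports} for sources that hit >= min_ports
    distinct destination ports on a single host inside any `window`-long span."""
    events = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                alerts[src] = sorted({p for _, p in evs})  # report every port probed
                break
    return alerts
```

Tune `min_ports` and `window` to your own baseline; a slow scan spread over hours needs a longer window, at the cost of more false positives from legitimate multi-port clients.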

MGM Resorts 2023 — 10 Minutes of LinkedIn, $100M+ in Losses

Before the MGM Resorts breach, Scattered Spider spent 10 minutes on LinkedIn finding the name of an IT help desk employee. That single passive recon step enabled a vishing call impersonating that employee, a credential reset, and full network access. No malware. No CVE. Just intelligence gathering.

Key reconnaissance tools

Ethical hackers and penetration testers use a well-established toolkit for systematic reconnaissance. Understanding these tools is central to the CEH v13 curriculum:

  • Maltego (Passive) — graphical link analysis tool that maps relationships between people, organisations, domains, IP addresses, and social profiles. Turns scattered OSINT into a visual intelligence picture.
  • theHarvester (Passive) — collects email addresses, subdomains, hostnames, employee names, open ports, and banners from public sources including search engines and LinkedIn.
  • Shodan (Passive) — internet device search engine. Searches for exposed services, default credentials, and unpatched systems globally.
  • Recon-ng (Passive/Active) — modular web reconnaissance framework with modules for WHOIS, DNS, social media harvesting, and credential breach lookups.
  • Censys (Passive) — similar to Shodan but indexes SSL certificates, which can reveal subdomains and infrastructure relationships not visible via DNS.
  • OSINT Framework (Passive) — a categorised directory of OSINT tools and data sources, organised by information type. Useful for structured investigations.
  • SpiderFoot (Passive/Active) — automated OSINT reconnaissance platform that queries over 200 data sources and generates relationship graphs.
  • Nmap (Active) — the industry-standard network scanner for host discovery, port scanning, and service version detection.

  • 60–70% of total attack time is spent in the reconnaissance phase
  • 90% of targeted phishing attacks use OSINT-based personalisation
  • 23K+ new Shodan-discoverable devices are indexed every day

Limiting your recon exposure

Defenders cannot make themselves invisible, but they can significantly reduce the intelligence available to an attacker conducting reconnaissance. Effective countermeasures include:

  • Audit your public footprint: Regularly run OSINT assessments against your own organisation. Search for exposed credentials, leaked documents, and overshared technical details before attackers find them first.
  • Disable DNS zone transfers: Zone transfer misconfigurations hand attackers a complete list of internal hostnames and IP addresses. Restrict zone transfers to authorised secondary DNS servers only.
  • Private WHOIS registration: Reduces the amount of contact and infrastructure information available to passive reconnaissance tools.
  • Monitor for credential leaks: Services like Have I Been Pwned and commercial threat intelligence feeds alert when employee credentials appear in breach databases. An attacker finding these via recon can use them directly.
  • Employee OSINT awareness training: Employees who understand how their public profiles are used in recon are more cautious about what they post — technology stacks, project names, internal processes.
  • Honeytokens: Fake credentials, API keys, or documents that appear legitimate but trigger an alert when accessed. If an attacker finds and uses a honeytoken discovered via recon, you know reconnaissance is underway.
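One way to carry out the self-audit in the first countermeasure, and to catch the hardcoded credentials the GitHub point above warns about, is a small pattern scanner run over your own repositories before they are published. This is an added example, not tooling from the page or from VAPTIC: only the AWS access key ID format is a documented pattern, the other regexes are heuristics chosen for this example, and the sample file is constructed.

```python
# Added example (not from the page): scan text for credential patterns that a
# passive recon of your public repositories would find. Patterns other than
# the AWS key ID format are heuristics; the sample file below is constructed.
import re

# (name, regex). "AKIA" + 16 uppercase alphanumerics is the documented AWS
# access key ID format; the remaining patterns are broad and will produce
# some false positives that a reviewer must triage.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("connection_string", re.compile(r"\b[a-z]+://[^/\s:]+:[^@\s]+@[^\s\"']+")),
    ("assigned_secret", re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

def redact(value):
    """Keep only the first 4 characters so findings can be shared safely."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"

def scan_text(text, source="<memory>"):
    """Return findings as (source, line_no, pattern_name, redacted_match)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append((source, line_no, name, redact(m.group(0))))
    return findings

# Constructed sample of a config file accidentally committed to a public repo.
# The AWS key ID is AWS's own documented example value, not a live key.
SAMPLE_CONFIG = """\
# settings.py
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:hunter2hunter2@db.internal.example:5432/app"
API_KEY = "sk_live_constructed_sample_value"
LOG_LEVEL = "INFO"
"""

if __name__ == "__main__":
    for src, n, name, val in scan_text(SAMPLE_CONFIG, "settings.py"):
        print(f"{src}:{n}: {name}: {val}")
```

Wrap `scan_text` in an `os.walk` over a checkout (and over git history, which keeps deleted secrets) to cover a whole repository; a hit on a honeytoken value you planted is also a useful signal that someone else is scanning the same sources.
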

Train with VAPTIC
CEH v13 — Certified Ethical Hacker
Module 2 covers the full recon methodology including OSINT tools