Information Gathering (Reconnaissance)

The term reconnaissance comes from its military use to describe an information-gathering mission. Both types of reconnaissance are sometimes referred to as passive attacks because the purpose is simply to obtain information, rather than to actively exploit the target. However, reconnaissance is often a preliminary step towards an active attempt to exploit the target system.

Passive reconnaissance is part of the pre-attack phase for hackers. Attackers first “get to know” their targets to ensure that they have all the relevant information to make their attacks successful. They can do so by gathering intelligence in two ways―passive or active reconnaissance. Let’s learn how these differ below.

What’s the Difference between Active and Passive Reconnaissance?

Penetration testing requires both active and passive reconnaissance. Passive reconnaissance ensues without alerting the target. Attackers commonly employ this method to prevent their intended victim from strengthening its security measures, which could drastically affect their approach.

In contrast, active reconnaissance requires hackers to engage with the target system or network. They do so to scan for open ports that can serve as attack entry points. They may thus carry out manual testing or automated scanning using several tools. Active recon is much riskier because the chance of getting caught by a firewall or security solution is higher. But many still do active recon to improve attack accuracy.

Both attackers and victims employ reconnaissance types. Their goals differ, though. While hackers research their targets to launch more successful attacks, ethical hackers do passive and active reconnaissance to identify system and network weaknesses to address problems before affected devices succumb to real attacks.

Find the technology stack of the target.

Before finding or discovering email addresses and other external information related to the target, finding the target’s technology stack is necessary. For instance, knowing that the target is built with PHP Laravel and MySQL helps the pentester to figure out which type of exploit to use against the target.


BuiltWith is a technology lookup or profiler. It provides pentesters with real-time information of the target via the domain API and domain live API. The domain API feeds pentesters with technical information such as analytics services, embedded plugins, frameworks, libraries, etc.

The domain API relies on a BuiltWith database to provide current and historical technology information about the target.

The Lookup search bar retrieves the same information provided by the domain API. On the other hand, the domain live API performs an extensive lookup on the domain or URL provided immediately or in real-time.

It is possible to integrate both APIs into a security product to feed end-users with technical information.


Wappalyzer is a technology profiler used to extract information related to the technology stack of the target. If you want to find out what CMS or libraries the target is using and any framework, Wappalyzer is the tool to use.

There are different ways to use it — you can access information on the target by using the Lookup API. This method is mostly used by security engineers or infosec developers to integrate Wappalyzer as a technology profiler in a security product. Otherwise, you can install Wappalyzer as a browser extension for Chrome, Firefox, and Edge.

Discover subdomains of the target

A domain is the name of a website. A subdomain is an additional part of the domain name.

Usually, the domain is associated with one or more subdomains. Hence, it is essential to know how to find or discover subdomains related to the target domain.


Dnsdumpster is a free domain research tool that can discover subdomains related to the domain of the target. It performs subdomain discovery by relaying data from Shodan, Maxmind, and other search engines. There is a limit to the number of domains you are allowed to search. If you want to overcome this limit, you can try their commercial product called domain profiler.

The way domain profiler performs domain discovery is quite similar to Dnsdumpster. However, the domain profiler includes additional information, such as DNS records. Unlike Dnsdumpster, the domain profiler is not free. It requires a full membership plan.

Both Dnsdumpster and domain profiler service belongs to


nmmapper leverages native reconnaissance tools such as Sublister, DNScan, Lepus, and Amass to search for subdomains.

NMMAPER got plenty of other tools like ping test, DNS lookup, WAF detector, etc.


Spyse is a commercial online tool for searching subdomains. It allows you to search for subdomains through the GUI or REST API. It is not limited to searching for subdomains but can perform IP lookup and reverse IP lookup.

There is more subdomain finder you can explore.

Find email addresses

To effectively test whether a company is vulnerable to phishing or not, you need to find the email addresses of workers working for the target company.


Hunter is a popular email finder service. It allows anyone to search for email addresses via the domain search method or email finder method. With the domain search method, you can search for an email address via domain name.

Hunter also offers API.


GUI or API — your choice.

EmailCrawlr returns a list of email addresses in JSON format.


Although Skrapp is suited for email marketing, it can search email addresses via the domain search feature. There is another feature known as a bulk email finder. It allows you to import a CSV file with the names of employees and companies. It returns email addresses in bulk.

There is a rest API available for those who prefer to search for email addresses programmatically.

Explore more Email finder tools.

Find Folders and Files

It is important to know which type of files or folders are hosted on the target web server in a pentest project. You will usually find sensitive information in files and folders such as administrator password, GitHub key, and so on a web server.

URL Fuzzer

Url Fuzzer is an online service by Pentest-Tools. It uses a custom-built wordlist for discovering hidden files and directories. The wordlist contains more than 1000 common names of known files and directories.

It allows you to scan for hidden resources via a light scan or full scan. The full scan mode is only for registered users.

Pentest Tools got more than 20 tools for information gathering, website security testing, infrastructure scanning, and exploit helpers.

Miscellaneous Information

In a situation where we need information on internet-connected devices such as routers, webcams, printers, refrigerators, and so on, we need to rely on Shodan.


We can rely on Shodan to feed us with detailed information. Like Google, Shodan is a search engine. It searches the invisible parts of the internet for information on internet-connected devices. Although Shodan is a search engine for cybersecurity, anybody interested in knowing more about these devices can use it.

For instance, you can use the Shodan search engine to find how many companies use the Nginx web server or how many apache servers are available in Germany or San Fransico. Shodan also provides filters to narrow down your search to a specific result.

Exploit Search Tools

In this section, we look at different online exploit search tools or services available for security researchers.

Packet Storm

Although packet storm is an information security service known for publishing current and historical security articles and tools, it also publishes current exploits to test CVE’s. A group of cybersecurity professionals operates it.


Exploit-DB is the most popular free database exploit. It is a project from Offensive security to collect exploits submitted by the public for penetration testing purposes.


Vulnerability-Lab provides access to a large database of vulnerability with exploits and proofs-of-concept for research purposes. You need to register an account before you can submit exploits or make use of them.


Cyber reconnaissance is a critical part of the penetration testing process. The information that you find in this step will dictate what you do in the other steps of the test. When doing reconnaissance you can do passive information gathering, using public resources to obtain information about the company, its employees, or the technology that they use. You can also use active information gathering techniques to gather system-level information about specific systems the target owns, such as the OS, the services that machines run, and open/closed ports. Both types of information gathering are important and a good penetration tester will utilize both to find the best method for breaching the company.

13 Online Pentest Tools for Reconnaissance and Exploit Search (
Passive Reconnaissance Techniques For Penetration Testing — All About Testing
Active vs Passive cybersecurity reconnaissance in Information Security — SecurityMadeSimple
What is passive reconnaissance? — Definition from (
Passive Reconnaissance — an overview | ScienceDirect Topics
What is Passive Reconnaissance? — Definition by Techslang
What’s the difference between active and passive reconnaissance? | IT PRO



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store