Information Gathering (Reconnaissance)

The term reconnaissance comes from its military use to describe an information-gathering mission. Both types of reconnaissance are sometimes referred to as passive attacks because the purpose is simply to obtain information, rather than to actively exploit the target. However, reconnaissance is often a preliminary step towards an active attempt to exploit the target system.

Passive reconnaissance is part of the pre-attack phase for hackers. Attackers first “get to know” their targets to ensure that they have all the relevant information to make their attacks successful. They can do so by gathering intelligence in two ways―passive or active reconnaissance. Let’s learn how these differ below.

What’s the Difference between Active and Passive Reconnaissance?

In contrast, active reconnaissance requires hackers to engage with the target system or network. They do so to scan for open ports that can serve as attack entry points. They may thus carry out manual testing or automated scanning using several tools. Active recon is much riskier because the chance of getting caught by a firewall or security solution is higher. But many still do active recon to improve attack accuracy.

Both attackers and victims employ reconnaissance types. Their goals differ, though. While hackers research their targets to launch more successful attacks, ethical hackers do passive and active reconnaissance to identify system and network weaknesses to address problems before affected devices succumb to real attacks.

Find the technology stack of the target.


The domain API relies on a BuiltWith database to provide current and historical technology information about the target.

The Lookup search bar retrieves the same information provided by the domain API. On the other hand, the domain live API performs an extensive lookup on the domain or URL provided immediately or in real-time.

It is possible to integrate both APIs into a security product to feed end-users with technical information.


There are different ways to use it — you can access information on the target by using the Lookup API. This method is mostly used by security engineers or infosec developers to integrate Wappalyzer as a technology profiler in a security product. Otherwise, you can install Wappalyzer as a browser extension for Chrome, Firefox, and Edge.

Discover subdomains of the target

Usually, the domain is associated with one or more subdomains. Hence, it is essential to know how to find or discover subdomains related to the target domain.


The way domain profiler performs domain discovery is quite similar to Dnsdumpster. However, the domain profiler includes additional information, such as DNS records. Unlike Dnsdumpster, the domain profiler is not free. It requires a full membership plan.

Both Dnsdumpster and domain profiler service belongs to


NMMAPER got plenty of other tools like ping test, DNS lookup, WAF detector, etc.


There is more subdomain finder you can explore.

Find email addresses


Hunter also offers API.


EmailCrawlr returns a list of email addresses in JSON format.


There is a rest API available for those who prefer to search for email addresses programmatically.

Explore more Email finder tools.

Find Folders and Files

URL Fuzzer

It allows you to scan for hidden resources via a light scan or full scan. The full scan mode is only for registered users.

Pentest Tools got more than 20 tools for information gathering, website security testing, infrastructure scanning, and exploit helpers.

Miscellaneous Information


For instance, you can use the Shodan search engine to find how many companies use the Nginx web server or how many apache servers are available in Germany or San Fransico. Shodan also provides filters to narrow down your search to a specific result.

Exploit Search Tools

Packet Storm




13 Online Pentest Tools for Reconnaissance and Exploit Search (
Passive Reconnaissance Techniques For Penetration Testing — All About Testing
Active vs Passive cybersecurity reconnaissance in Information Security — SecurityMadeSimple
What is passive reconnaissance? — Definition from (
Passive Reconnaissance — an overview | ScienceDirect Topics
What is Passive Reconnaissance? — Definition by Techslang
What’s the difference between active and passive reconnaissance? | IT PRO

Expert in data gathering, investigating, and documenting findings in the analysis.