Every authorized penetration test starts the same way — not with an exploit, but with information. In my experience, 60-70% of a real engagement is reconnaissance. The exploit is often the easy part once you actually understand the target.
A note on legality
Everything below applies only within the scope of an authorized engagement with signed permission from the asset owner. Scanning or probing systems you don't own or have explicit written authorization to test is illegal in virtually every jurisdiction.
1. Passive Reconnaissance (OSINT)
Passive recon gathers information without ever touching the target directly — no packets sent to their infrastructure, so nothing to detect.
- WHOIS & DNS records: Reveal registrar info, mail servers, and sometimes internal hostnames leaked via subdomains.
- Search engine dorking:
site:target.com filetype:pdfstyle queries surface exposed documents, backup files, and config leaks indexed by accident. - Certificate transparency logs: Every SSL certificate issued is publicly logged — a goldmine for discovering subdomains a company forgot existed.
- Employee & technology footprint: LinkedIn and job postings often reveal exactly which frameworks, cloud provider, and tools a company runs internally.
2. Active Reconnaissance
Active recon touches the target directly and is where most tests actually start generating log entries on the defender's side.
The goal isn't just "what ports are open" — it's building a map of the attack surface: which services are outdated, which are misconfigured, and which give away information they shouldn't (banner grabbing on an old Apache version, for instance).
3. Web Application Recon
- Directory & endpoint discovery: Tools like
ffuforgobusterfind hidden admin panels, backup files, and forgotten API routes. - Technology fingerprinting: Response headers, cookies, and JS bundle names reveal the framework and often the exact version in use.
- API surface mapping: Modern apps are largely APIs behind a frontend. Intercepting traffic through a proxy like Burp Suite reveals routes a URL scanner would never find.
4. Turning Recon into Findings
Good recon isn't a pile of raw scan output — it's a prioritized map: which exposed service is the oldest, which subdomain looks abandoned, which employee's public GitHub repo has a hardcoded API key. That prioritization is what separates a useful pentest report from a Nmap dump nobody reads.
5. Why This Matters for Defenders Too
If you run infrastructure, the exact same techniques are your best audit tool. Run your own certificate transparency search. Run your own site: dork. If an attacker can find it in five minutes of passive recon, so can you — before they do.