Ethical Hacking

Ethical Hacking 101: The Reconnaissance Phase Every Pentester Must Master

👤 Vishal Naik 📅 ⏰ 8 Min Read
Ethical Hacking 101: The Reconnaissance Phase Every Pentester Must Master

Every authorized penetration test starts the same way — not with an exploit, but with information. In my experience, 60-70% of a real engagement is reconnaissance. The exploit is often the easy part once you actually understand the target.

A note on legality

Everything below applies only within the scope of an authorized engagement with signed permission from the asset owner. Scanning or probing systems you don't own or have explicit written authorization to test is illegal in virtually every jurisdiction.

1. Passive Reconnaissance (OSINT)

Passive recon gathers information without ever touching the target directly — no packets sent to their infrastructure, so nothing to detect.

  • WHOIS & DNS records: Reveal registrar info, mail servers, and sometimes internal hostnames leaked via subdomains.
  • Search engine dorking: site:target.com filetype:pdf style queries surface exposed documents, backup files, and config leaks indexed by accident.
  • Certificate transparency logs: Every SSL certificate issued is publicly logged — a goldmine for discovering subdomains a company forgot existed.
  • Employee & technology footprint: LinkedIn and job postings often reveal exactly which frameworks, cloud provider, and tools a company runs internally.

2. Active Reconnaissance

Active recon touches the target directly and is where most tests actually start generating log entries on the defender's side.

Terminal — Basic Nmap Service Scan
# Authorized scope only nmap -sV -sC -p- --min-rate 1000 target.example.com # -sV : detect service versions # -sC : run default safe scripts # -p- : scan all 65535 ports, not just the common 1000

The goal isn't just "what ports are open" — it's building a map of the attack surface: which services are outdated, which are misconfigured, and which give away information they shouldn't (banner grabbing on an old Apache version, for instance).

3. Web Application Recon

  • Directory & endpoint discovery: Tools like ffuf or gobuster find hidden admin panels, backup files, and forgotten API routes.
  • Technology fingerprinting: Response headers, cookies, and JS bundle names reveal the framework and often the exact version in use.
  • API surface mapping: Modern apps are largely APIs behind a frontend. Intercepting traffic through a proxy like Burp Suite reveals routes a URL scanner would never find.

4. Turning Recon into Findings

Good recon isn't a pile of raw scan output — it's a prioritized map: which exposed service is the oldest, which subdomain looks abandoned, which employee's public GitHub repo has a hardcoded API key. That prioritization is what separates a useful pentest report from a Nmap dump nobody reads.

5. Why This Matters for Defenders Too

If you run infrastructure, the exact same techniques are your best audit tool. Run your own certificate transparency search. Run your own site: dork. If an attacker can find it in five minutes of passive recon, so can you — before they do.

60-70%Time on Recon
0Packets in Passive
1stStep Always
100%Authorized Scope Only
#Ethical Hacking #Pentesting #Reconnaissance #OSINT