Passive Reconnaissance Techniques For Penetration Testing

Reconnaissance is the first step of a penetration test once the engagement has been formally authorized by the client organization. So what is reconnaissance? It is the phase in which the tester gathers as much information as possible about the target: its environment, its network ranges, its people and its technology. It is further classified into two types: passive and active reconnaissance. In this article, we will cover passive reconnaissance techniques for penetration testing.

Passive Reconnaissance: It is a penetration testing technique where the tester extracts information related to the target without interacting with the target's systems. That means no request is sent directly to the target; the information comes from public resources (search engines, registries, third-party scan data and archives), so nothing shows up in the target's logs. Testers normally start with passive reconnaissance before doing anything active.

Active Reconnaissance: It is a penetration testing technique where the tester gets information related to the target by interacting with it directly. Here, port scanners such as Nmap and Masscan and vulnerability scanners such as Nessus may be used to extract information; this traffic reaches the target and can be logged or detected. Refer to this article to know more about Active Reconnaissance Tools for Penetration Testing.

In this article, we will concentrate on passive reconnaissance tools and techniques. Some techniques are listed below:

(1) By using search engines: You can use Google, Bing and other search engines to extract information such as usernames, passwords, hidden web pages, technologies in use, and files that contain metadata. Operators such as site:, filetype: and inurl: narrow the results to the target. You can also use the popular Google Hacking Database, a collection of such ready-made queries ("dorks"), which is available on https://www.exploit-db.com/google-hacking-database.

(2) Certificate Transparency (https://transparencyreport.google.com/https/certificates) - This resource can be used to identify certificates issued for the target's domains. Every subject name and SAN on those certificates is a hostname the organization once wanted reachable, so this widens the list of assets in scope, including staging names, internal-looking names and names that no longer resolve.
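As an added example (not code from the original article), the following script turns a Certificate Transparency search result into a deduplicated hostname list. It assumes the JSON shape returned by crt.sh-style searches (a "name_value" field holding the newline-separated SAN list and a "not_after" expiry); the input here is constructed inline so the script runs offline, and the "now" timestamp is a parameter so the result is reproducible.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output ("name_value"
# holds the certificate's SAN list, newline separated). Not a real lookup.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2030-01-01T00:00:00"},
    {"name_value": "*.dev.example.com", "not_after": "2030-06-01T00:00:00"},
    {"name_value": "vpn.example.com", "not_after": "2019-01-01T00:00:00"},
    {"name_value": "mail.example.com", "not_after": "2031-01-01T00:00:00"},
    {"name_value": "example.com.attacker.net", "not_after": "2031-01-01T00:00:00"},
    {"name_value": "WWW.Example.com", "not_after": "2031-01-01T00:00:00"},
])


def in_scope(host: str, domain: str) -> bool:
    """True if host is the scope domain itself or a subdomain of it.

    The label-wise check matters: "example.com.attacker.net" contains the
    string "example.com" but is a look-alike domain, not an asset.
    """
    return host == domain or host.endswith("." + domain)


def extract_hostnames(ct_json: str, domain: str, now: str) -> dict:
    """Split CT search results into current and expired hostnames.

    now is an ISO-8601 timestamp. Names are lower-cased and wildcard names
    ("*.x") are reduced to the parent label, which is still a real zone
    worth probing. Expired-only names are kept separately: they often point
    at decommissioned hosts that were never actually removed.
    """
    reference = datetime.fromisoformat(now)
    current, expired = set(), set()
    for entry in json.loads(ct_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].split("\n"):
            host = name.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if not host or not in_scope(host, domain):
                continue
            (current if expiry > reference else expired).add(host)
    # A name that also appears on an unexpired certificate is current.
    expired -= current
    return {"current": current, "expired": expired}


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CT_JSON, "example.com", "2025-01-01T00:00:00")
    for label in ("current", "expired"):
        print(f"{label}:")
        for host in sorted(found[label]):
            print(f"  {host}")
```

With the constructed input, the script lists example.com, www.example.com, dev.example.com and mail.example.com as current and vpn.example.com as expired-only, and drops the look-alike domain. Feed the real JSON from a CT search into extract_hostnames the same way.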

(3) Guess Hostname - Use the nslookup command followed by whois to get information related to a hostname: resolve the name to an address, then look up who that address block is registered to. Alternatively, you can use https://www.ripe.net/ to gain the same information for address space managed by RIPE NCC.

(4) Regional Internet Registries - Search the online portals of the RIRs, such as AFRINIC, APNIC, ARIN, LACNIC and RIPE NCC, for the subnets registered to the target and their technical contacts. Adjacent ranges with the same netname, maintainer or contact handle usually belong to the same organization and enlarge the scope.
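Whois and RIR output is plain "key: value" text, and the part a tester actually wants (usable CIDR blocks and contact handles) is easy to script. The following is an added example, not code from the article or from any registry; it parses a constructed RIPE-style response (documentation prefixes, not a real network) and converts the inetnum ranges to CIDR. Ranges in whois are start-end pairs that do not have to align to one prefix, which is why the conversion uses ipaddress.summarize_address_range.

```python
import ipaddress

# Constructed RIPE-style whois response (documentation prefixes, not a real
# network). Real responses use the same "key:   value" layout, with objects
# separated by blank lines and comment lines starting with "%".
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Corp web hosting
country:        NL
admin-c:        EX123-RIPE
tech-c:         EX124-RIPE
abuse-c:        AR12345-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE

inetnum:        198.51.100.64 - 198.51.100.191
netname:        EXAMPLE-LAB
descr:          Example Corp lab range
tech-c:         EX124-RIPE
source:         RIPE

route:          203.0.113.0/24
descr:          Example Corp
origin:         AS64496
source:         RIPE

person:         Example Tech Contact
nic-hdl:        EX124-RIPE
e-mail:         noc@example.com
source:         RIPE
"""


def parse_whois(text: str) -> list:
    """Split a whois response into objects; each is a dict of key -> [values].

    Repeated attributes (for example several tech-c lines) are kept as lists.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%") or line.startswith("#"):
            continue  # server comments and notices
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def netblocks(objects: list) -> list:
    """Convert inetnum ranges and route prefixes into CIDR strings."""
    cidrs = []
    for obj in objects:
        for rng in obj.get("inetnum", []):
            start, _, end = rng.partition("-")
            first = ipaddress.ip_address(start.strip())
            last = ipaddress.ip_address(end.strip())
            # A range need not align to a single prefix; summarize splits it
            # into the minimal set of CIDR blocks that cover exactly the range.
            cidrs.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
        cidrs.extend(obj.get("route", []))
    return sorted(set(cidrs))


def contacts(objects: list) -> dict:
    """Collect contact handles, e-mail addresses and origin ASNs for pivoting."""
    out = {"handles": set(), "emails": set(), "asns": set()}
    for obj in objects:
        for key in ("admin-c", "tech-c", "abuse-c"):
            out["handles"].update(obj.get(key, []))
        out["emails"].update(obj.get("e-mail", []))
        out["asns"].update(obj.get("origin", []))
    return out


if __name__ == "__main__":
    objs = parse_whois(SAMPLE_WHOIS)
    print("netblocks:", netblocks(objs))
    print("contacts:", contacts(objs))
```

The second inetnum (198.51.100.64 - 198.51.100.191) comes out as two /26 blocks rather than one wrong /25, and the contact handles and origin AS are exactly the pivots to search for in the other RIR portals and in Shodan's org: and net: filters.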

(5) Netcraft (https://sitereport.netcraft.com/): You can use this website for getting information related to the web server, network, SSL/TLS, hosting history, Sender Policy Framework (SPF) record, etc.

(6) Platform Identification and CVE searching - Wappalyzer (https://www.wappalyzer.com/), BuiltWith (https://builtwith.com/) etc. can be used to identify the technologies (programming languages, frameworks, server software and, where exposed, their versions) of a web application. The identified versions can then be searched against CVE databases for known vulnerabilities.

(7) Shodan (https://www.shodan.io/) - It can be used to identify internet-connected IoT devices and network devices without scanning them yourself, because Shodan has already done the scanning. This acts as a single starting point for listing possible attack surfaces and vulnerabilities. Below are some queries and filters you can use while using Shodan:

  • apache city:"New York"
  • OLD IIS
  • "iis/6.0"
  • city:
  • hostname:
  • port:
  • net: (an address range in CIDR form, useful once the RIR lookups above have given you the target's subnets)
  • org: (the organization name the address space is registered to)

(8) Censys searches (https://censys.io/): It helps in discovering exposures and entry points such as open ports, certificates, whois data, etc. Like Shodan, it serves Censys's own scan data, so no traffic reaches the target.

(9) ExifTool by Phil Harvey: It is a command-line application for reading and writing metadata in many file types. Documents downloaded from the target's website (PDF, Office files, images) frequently carry author names, usernames, internal paths and software versions in their metadata, all of which feed the username lists and version checks for later phases.
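To show what that metadata looks like and why it matters, here is an added example (not the article's code and not ExifTool) that reads the Info dictionary of a PDF and the docProps parts of an Office Open XML document. Both inputs are constructed inline: a minimal PDF and a .docx-like zip with hypothetical author and application fields. The PDF reader only handles literal "(...)" strings; hex strings, escaped parentheses and compressed object streams are exactly why you use ExifTool on real files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal PDF carrying an Info dictionary (not a real document).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title (Quarterly Report) /Author (jsmith) /Creator (Microsoft Word 2010)
/Producer (Acrobat Distiller 9.0) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""


def build_sample_docx() -> bytes:
    """Build a constructed .docx-like zip containing the two OOXML property parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        'xmlns:dcterms="http://purl.org/dc/terms/">'
        '<dc:creator>jsmith</dc:creator>'
        '<cp:lastModifiedBy>Jane Smith (IT)</cp:lastModifiedBy>'
        '<dcterms:modified>2021-05-06T10:00:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>Microsoft Office Word</Application>'
        '<AppVersion>16.0000</AppVersion>'
        '<Company>Example Corp</Company>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


PDF_INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer")


def pdf_metadata(data: bytes) -> dict:
    """Read literal-string entries of the PDF Info dictionary.

    Only "(...)" literal strings are handled; hex strings "<...>", escaped
    parentheses and compressed object streams need a real parser.
    """
    keys = b"|".join(k.encode() for k in PDF_INFO_KEYS)
    pattern = re.compile(rb"/(" + keys + rb")\s*\(([^)]*)\)")
    return {k.decode(): v.decode("latin-1") for k, v in pattern.findall(data)}


def office_metadata(data: bytes) -> dict:
    """Read docProps/core.xml and docProps/app.xml from an OOXML package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for elem in root:
                # Drop the namespace: "{...}creator" -> "creator"
                found[elem.tag.rsplit("}", 1)[-1]] = (elem.text or "").strip()
    return found


def extract_metadata(data: bytes) -> dict:
    """Dispatch on the file signature; unknown formats yield an empty dict."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):
        return office_metadata(data)
    return {}


# Fields that leak usernames, personal names or software versions.
IDENTITY_KEYS = {"Author", "Creator", "Producer", "creator", "lastModifiedBy",
                 "Application", "AppVersion", "Company"}


def leaked_identities(meta: dict) -> dict:
    """Keep only the fields worth feeding into username and version lists."""
    return {k: v for k, v in meta.items() if k in IDENTITY_KEYS and v}


if __name__ == "__main__":
    for sample in (SAMPLE_PDF, build_sample_docx()):
        print(leaked_identities(extract_metadata(sample)))
```

On the constructed inputs this yields the username "jsmith", a full name, the company, and the Word and Acrobat versions used, which is the same kind of result ExifTool gives on real downloads (exiftool -r over a directory of harvested files).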

(10) Find sensitive info -> search https://pastebin.com and similar paste sites to find leaked data such as usernames, passwords, social security numbers, credit card numbers, internal configuration, etc.

(11) Archive.org

Sometimes an old version of a website gives you a lot of information. By using https://archive.org, you can see old versions of the website at different points in time: pages, directories and parameters that were later removed from the live site. Remember, a finding in an archived copy is only a lead; it must be verified against the current version of the website, which may no longer be vulnerable.
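The practical way to mine archive.org is not to click through snapshots but to pull the list of archived URLs and look for paths that no longer appear on the live site. The following is an added example, not code from the article or from archive.org; it parses lines in the Wayback CDX server's default space-separated output format (urlkey, timestamp, original URL, mimetype, status, digest, length), here constructed inline so it runs offline, and builds an inventory of paths with the query parameter names seen on each.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed lines in the Wayback CDX server's default output format
# (urlkey timestamp original mimetype statuscode digest length). Not a real query.
SAMPLE_CDX = """\
com,example)/ 20150301120000 http://example.com/ text/html 200 AAAA 1234
com,example)/robots.txt 20150301120500 http://example.com/robots.txt text/plain 200 BBBB 88
com,example)/admin/login.php 20160405080000 http://example.com/admin/login.php text/html 200 CCCC 2201
com,example)/backup/site-backup.zip 20170101000000 http://example.com/backup/site-backup.zip application/zip 200 DDDD 9876543
com,example)/api/v1/users?id=1 20180101000000 http://example.com/api/v1/users?id=1 application/json 200 EEEE 300
com,example)/api/v1/users?id=2&format=xml 20180102000000 http://example.com/api/v1/users?id=2&format=xml application/xml 200 FFFF 310
com,example)/old/config.php.bak 20190101000000 http://example.com/old/config.php.bak text/plain 200 GGGG 512
com,example)/admin/login.php 20210101000000 https://example.com/admin/login.php text/html 404 HHHH 150
"""

# Names that usually mean backups, leftovers or admin areas.
INTERESTING_SUFFIXES = (".zip", ".bak", ".old", ".sql", ".tar", ".gz", ".log", ".config")
INTERESTING_DIRS = ("admin", "backup", "old", "private", "test", ".git")


def parse_cdx(text: str) -> list:
    """Turn CDX lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _urlkey, ts, original, mime, status, _digest, _length = parts
        records.append({"timestamp": ts, "url": original, "mime": mime, "status": status})
    return records


def path_inventory(records: list) -> dict:
    """Collapse captures into one entry per path: first/last seen, last status, params.

    Query strings are split off and only the parameter names are kept,
    because an old endpoint's inputs tell you what to test on the live site.
    A last status of 404 means the archive saw the path disappear.
    """
    inventory = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        parts = urlsplit(rec["url"])
        path = parts.path or "/"
        entry = inventory.setdefault(path, {
            "first_seen": rec["timestamp"],
            "last_seen": rec["timestamp"],
            "last_status": rec["status"],
            "params": set(),
        })
        entry["last_seen"] = rec["timestamp"]
        entry["last_status"] = rec["status"]
        entry["params"].update(parse_qs(parts.query).keys())
    return inventory


def flag_interesting(inventory: dict) -> list:
    """Paths whose file name or directory suggests backups, admin areas or leftovers."""
    flagged = []
    for path in sorted(inventory):
        lower = path.lower()
        segments = lower.strip("/").split("/")
        if lower.endswith(INTERESTING_SUFFIXES) or any(s in INTERESTING_DIRS for s in segments):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    inv = path_inventory(parse_cdx(SAMPLE_CDX))
    for path, entry in sorted(inv.items()):
        print(f"{path:32} {entry['first_seen'][:8]}..{entry['last_seen'][:8]} "
              f"last={entry['last_status']} params={sorted(entry['params'])}")
    print("interesting:", flag_interesting(inv))
```

In the constructed data the admin login page was captured with a 200 in 2016 and a 404 in 2021, the backup archive and .bak file are flagged, and /api/v1/users is recorded with its id and format parameters; each of those is a candidate to check carefully (and in scope) against the live site.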

Automation Tools for Passive Reconnaissance

  1. Spiderfoot (https://github.com/smicallef/spiderfoot): This helps in the automation of Open Source Intelligence (OSINT). OSINT is the collection of data from publicly available sources to gather IP addresses, domain names, e-mail addresses, names, and more.
  2. theHarvester (https://github.com/laramies/theHarvester): This tool helps in identifying e-mail addresses, sub-domains, and other information about the target from public sources.
  3. Discover (https://github.com/leebaird/discover): This tool automates several pen testing tasks and supports both active and passive modes.
  4. Recon-ng (https://github.com/lanmaster53/recon-ng): It is my favorite web reconnaissance framework, which helps in collecting and analyzing a lot of data through its modules.
  5. OWASP Amass - This tool provides both active and passive recon techniques. Passive recon method

Conclusion

Passive reconnaissance is helpful in mapping the attack surface and identifying low-hanging vulnerabilities before a single packet is sent to the target. Comment if I missed any technique and I will update the article.


If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
