Passive Reconnaissance Techniques For Penetration Testing

Reconnaissance is the first step of Penetration Testing after formal acceptance by a cybersecurity organization. Now the question arises, what is Reconnaissance? It is the first step where the attacker tries to gather more and more information about the environment, and network-related information of the target. It is further classified into two types: Passive and Active Reconnaissance. In this article, we will cover passive reconnaissance techniques For penetration testing

Passive Reconnaissance: It is a penetration testing technique where attackers extract information related to the target without interacting with the target. That means no request has been sent directly to the target. Generally, public resource is used to gather information. Security Experts first try to get information via passive reconnaissance.

Active Reconnaissance: It is a penetration testing technique where an attacker gets information related to the target by interacting with the target. Here, different vulnerability scanners such as Nessus, Nmap, Masscan, etc. may be used to extract information. Refer this article to know more about Active Reconnaissance Tools for Penetration Testing.

In this article, we will concentrate on passive reconnaissance tools and techniques. I am listing some techniques as listed below:

(1) By using search engines: You can use google, bing, and other search engines to extract information such as username, password, hidden web pages, technology, the file containing metadata, etc. You can also use the popular google hacking database which is available at

(2) Certificate Transparency ( - This resource can be used to identify issued certificates of targets. This will help the attacker to widen the scope of penetration testing.

(3) Guess Hostname - Use nslookup command followed by whois to get information related to the hostname. Alternatively, you can use to gain the same information.

(4) Regional Internet Registries - Search online portals such AFRINIC, APNIC, ARIN, LACNIC, etc. for subnets and technical contacts.

(5) Netcraft ( You can this website for getting information related to web servers, networks, SSL/TLS, hosting history, sender policy framework, etc.

(6) Platform Identification and CVE searching - Wappalyzer (, BuiltWith (, etc. can be used to identify technologies (programming languages, frameworks etc.) of a web application.

(7) Shodan ( - It can be used to identify connected IoT devices and network devices over the internet. This acts as a single point of source to provide a list of possible attack surfaces and vulnerabilities. Below is the list of queries you can use while using Shodan:

  • apache site:"NewYork"
  • "iis/6.0"
  • city:
  • hostname:
  • port:

(8) Censys searches ( It helps in discovering exposures and entry points such as ports, whois data, etc for attackers.

(9) ExifTool by Phil Harvey: It is a command-line application for reading and writing meta information of different types of files.

(10) Find sensitive info -> search for websites to find sensitive data such as usernames, passwords, social security numbers, credit card numbers, etc.


Sometimes an old version of a website in past gives you a lot of information. By using, you can see old versions of the website at the different instant in history. Remember, it is not helpful in providing vulnerabilities in the current version of the website.

Automation Tools for Passive Reconnaissance

  1. Spiderfoot ( This helps in the automation of Open Source Intelligence (OSINT). OSINT is a technique of collection of data from publicly available sources to collect IP addresses, domain names, e-mail addresses, names, and more.
  2. theHarvester ( This tool helps in identifying email, sub-domain, and other information of the target.
  3. Discover ( This tool automates several pen testing tasks and uses both active and passive.
  4. Recon-ng ( It is my favorite web reconnaissance framework which helps in analyzing a lot of data.
  5. OWASP Amass - This tool provides both active and passive recon techniques. Passive recon method


Passive reconnaissance is helpful in increasing attack surface and identifying low-hanging vulnerabilities. Comment If I miss any technique, I will update the article for the same.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *