Reconnaissance

Recon, short for reconnaissance, involves gathering information, typically for military, strategic, or security purposes. It includes a range of activities such as surveillance, scouting, and intelligence collection. Recon can be carried out using various methods, including human observation, drones, satellite imagery, and electronic monitoring.
In a more general context, recon can refer to any effort to gather information or understand a situation better. For example, doing recon before a meeting might involve researching the participants and the topics to be discussed. Reconnaissance is always the initial step in a cyber attack: an attacker must first gather information about the target in order to be successful. There are two types of reconnaissance, active and passive. In short, active recon is a method of information gathering in which the tools interact directly with the target device or network, while passive recon is a method of information gathering in which the tools do not interact directly with the target device or network.

Common active reconnaissance tools and methods include the following:
  • Host enumeration
  • Network enumeration
  • User enumeration
  • Group enumeration
  • Network share enumeration
  • Web page enumeration
  • Application enumeration
  • Service enumeration
  • Packet crafting

Common passive reconnaissance tools and methods include the following:

  • Domain enumeration
  • Packet inspection
  • Open-source intelligence (OSINT)
  • Recon-ng
  • Eavesdropping
You probably already have a good idea of most of these points, but some of them may be new to you or less familiar. Let's learn a little about them.

1.User enumeration: User enumeration is a technique used by attackers to identify valid usernames within a system. By systematically probing a target, malicious actors can gather information about existing users, which can then be leveraged for further attacks. This process often involves submitting various username combinations and analyzing the system's responses to determine which usernames are valid. For example, if a login form responds differently to an invalid username versus an invalid password, attackers can infer which usernames are valid. Another method involves analyzing server response times, where valid usernames might result in quicker responses compared to invalid ones.

2.Group enumeration: Group enumeration involves identifying and listing groups within a system, typically in the context of network security or Active Directory environments. This process helps administrators and security professionals understand the structure and membership of groups, which is crucial for managing permissions and access controls.

3.Network share enumeration: Network share enumeration involves identifying and listing shared resources, such as folders and drives, within a network. This process is crucial for both offensive and defensive security measures.

4.Packet crafting: Packet crafting is a technique used to manually create or modify network packets to test network devices, firewalls, and other components. This process is essential for network administrators and security professionals to understand network behavior, identify vulnerabilities, and ensure robust security measures.

5.Packet inspection: Packet inspection is a technique used to analyze network packets as they pass through a network device, such as a router, firewall, or intrusion detection system (IDS). The primary goal of packet inspection is to examine the contents of packets to detect and mitigate security threats, ensure compliance with policies, and optimize network performance.

6.Eavesdropping: Eavesdropping is the act of secretly listening to private conversations or communications without the consent of the parties involved. In the context of cybersecurity, eavesdropping refers to intercepting and monitoring network traffic to gain unauthorized access to sensitive information.
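Item 1 above describes how a login form leaks valid usernames through different error messages or response times. The following is an added example, not code from the original post: a leaky login handler beside a hardened one, plus the check a reviewer can run against either. The user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac

# Constructed user store for the demo: username -> PBKDF2 hash of the password.
# A fixed salt keeps the example short; a real system salts per user.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _hash("correct horse battery")}

def login_leaky(username: str, password: str) -> str:
    """Vulnerable form of item 1: the reply says whether the username exists,
    and the expensive hash only runs for real users, so the response time
    leaks the same fact."""
    if username not in USERS:
        return "unknown user"
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "wrong password"
    return "ok"

# Hash of a throwaway password, verified when the user does not exist so that
# a request for an unknown user costs the same as one for a known user.
_DUMMY = _hash("not-a-real-password")

def login_uniform(username: str, password: str) -> str:
    """Hardened form: one generic reply and the same work on every path."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(password))
    if username in USERS and match:
        return "ok"
    return "invalid credentials"

def leaks_usernames(login) -> bool:
    """Review check: with a wrong password, does an existing account get a
    different reply than a nonexistent one? True means enumeration is possible."""
    return login("alice", "wrong") != login("no-such-user", "wrong")

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "leaks usernames:", leaks_usernames(fn))
```

The timing side of the check is not asserted here; measuring it needs many samples per path, but the dummy-hash pattern is what makes the two paths cost the same.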

Now that we have a general idea of recon methods, let's dive into the process. First of all, we start with passive recon.

Passive Reconnaissance: 

1. SpiderFoot is an automated OSINT scanner. It is included with Kali. SpiderFoot queries over 1000 open-information sources and presents the results in an easy-to-use GUI. SpiderFoot can also be run from a console. SpiderFoot seeds its scan with one of the following:

  • Domain names
  • IP addresses
  • Subnet addresses
  • Autonomous System Numbers (ASN)
  • Email addresses
  • Phone numbers
  • Personal names
Let's see it in practice. This is a test site. Here is my terminal, and you can see what I do here. First open your Kali terminal and type spiderfoot, then -l, which means listen, followed by your localhost IP and the port number where you want it to run. See the demo below.


Here you can see the command spiderfoot -l 127.0.0.1:5001. 127.0.0.1 is our localhost IP address and 5001 is our port number; you can use whatever port you wish. Just below, you also see another marked URL; if you open it in your browser you can see the SpiderFoot graphical interface. Once the GUI is open, you can see how to run a scan from there; they explain how to use it.


DNS tools such as nslookup, host, dig and dnsrecon help here, and you can easily identify domain technical and administrative contacts by using the whois tool. For file metadata checks there is exiftool; emailharvester and h8mail retrieve the organization's email addresses and check them against password dumps. More information-gathering tools include recon-ng, wayback and shodan.

DNS Search Tools:

1. nslookup: a handy tool for finding out domain name servers or IP addresses. Here you can see the two ways to use it: directly on the command line, or from inside the interactive nslookup prompt.



Here are some uses of nslookup.


2. dig: dig is another command-line tool that is very useful for providing detailed information about DNS.



3. host: another DNS lookup tool. It discovers hostnames and IP addresses.


4. dnsrecon: it also provides DNS information.


5. whois: a very important tool for viewing domain registration info and administrator information. Here you can see all the information, including contact numbers, in detail.


6. h8mail: this is a very powerful email OSINT and password breach tool. Here you can see that it finds the email addresses present on the website, and also checks whether each one is fake or not and whether it appears in a password dump or not.


If you only want to check whether a single email address is OK or not, just use -t instead of -u, followed by the email address.

7. exiftool: a very powerful tool for checking file metadata. As you can see, this tool told me everything that is in the file.



You can also edit metadata and copy it from one file to another. The command to edit is exiftool -Artist="your name" filename; to copy, exiftool -TagsFromFile src.jpg dst.jpg, where src is the source file you want to take the metadata from and dst is the destination file you want to write it to.
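What exiftool reads from a JPEG lives in APP1 segments near the start of the file, and the defensive counterpart of the check above is removing them before a file is published. The following is an added example, not code from the post or from ExifTool: a minimal JPEG segment walker that lists the metadata carriers present and returns a copy with the Exif/XMP segments stripped. The sample JPEG bytes are constructed, not a real photo.

```python
import struct

APP1, DQT, SOS = 0xFFE1, 0xFFDB, 0xFFDA   # JPEG marker codes used below
EXIF_HDR = b"Exif\x00\x00"
XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"

def iter_segments(data: bytes):
    """Yield (marker, payload, (start, end)) for each segment from SOI to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError("corrupt segment at offset %d" % pos)
        end = pos + 2 + length          # length counts itself, not the marker
        yield marker, data[pos + 4:end], (pos, end)
        if marker == SOS:               # entropy-coded scan follows; stop here
            return
        pos = end

def metadata_segments(data: bytes) -> list:
    """Report which metadata carriers are present, e.g. ['Exif', 'XMP']."""
    found = []
    for marker, payload, _ in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HDR):
            found.append("Exif")
        elif marker == APP1 and payload.startswith(XMP_HDR):
            found.append("XMP")
    return found

def strip_app1(data: bytes) -> bytes:
    """Return a copy with every APP1 segment dropped; pixel data is untouched."""
    out = bytearray(data[:2])
    for marker, _, (start, end) in iter_segments(data):
        if marker != APP1:
            out += data[start:end]
        if marker == SOS:
            out += data[end:]           # scan data and EOI copied verbatim
    return bytes(out)

def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed sample: a minimal JPEG skeleton carrying Exif and XMP blocks.
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(APP1, EXIF_HDR + b"MM\x00*\x00\x00\x00\x08\x00\x00")
               + _segment(APP1, XMP_HDR + b"<x:xmpmeta/>")
               + _segment(DQT, b"\x00" + bytes(64)) + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\x56\xff\xd9")
```

Other containers (PNG text chunks, Office document properties, PDF info dictionaries) carry metadata in their own structures, so this walker covers JPEG only.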

8. recon-ng: Recon-ng is a powerful open-source reconnaissance framework designed for web-based open-source intelligence (OSINT) gathering. It has a similar interface to Metasploit, which makes it easier for users familiar with Metasploit to get started with Recon-ng.

First, let's see how to solve problems with the different options of a module. For example, if I don't know how to use the marketplace option, what do I do? Simply type marketplace help and it shows you what you can do. You can also see all the modules by typing help. Then just type the module name, then type options; you can do this at every step. See the following screenshot.




Let's dive deeper. We know that it is a very powerful tool for OSINT. When you open it for the first time, it shows you some errors like this.



But don't worry: these errors are about missing API keys, and they only mean some modules can't be used. First we need to create a workspace where we can do our work smoothly. It is not strictly required, just convenient. Let's create a workspace: type workspaces create followed by a name. To check whether any workspaces have been created, type workspaces list.



Then, if we look at the marketplace, we can see all the modules that we use to gather information, although some modules we can't use for various reasons. In the modules section they are well organised, part by part, into different sections with different modules: discovery has some modules, exploitation has some, import has some, recon has some.



Let's see one module from every section.

Discovery: discovery/info_disclosure/cache_snoop. 
When we talk about "snooping a domain" in the context of DNS cache snooping, we're referring to the process of checking if a specific domain (like example.com) has been recently queried by users of a DNS server. The snooping process helps determine whether the domain's information is present in the DNS cache of the nameserver. This may take some time, so let's move on to the next one.



Exploit: As you can see in the screenshot, the site is vulnerable to XPath injection.


Import: now we see how to import a file into recon-ng. As you can see below, I have imported a file which contains some passwords. When I import it, it shows me everything, well formatted.


you can also import your nmap scan report and amass scan report directly.

Recon: now this is the recon part, how to gather information from a site or source. In this recon part we will discover the migrate_host.



Report: now let's write a report. Be careful about which information you want to report. Call the report module right after this; it is better if you create a blank output file beforehand.

Active Recon with NMAP: Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. Here are some common use cases and commands to get you started:

Basic Scan: To perform a basic scan on a single target IP address.
Ex: nmap 192.168.1.1

Scanning Multiple IPs: To scan multiple IP addresses or a range of IPs (separate targets are given with spaces; a hyphen gives a range within an octet).
Ex: nmap 192.168.1.1 192.168.1.2
Ex: nmap 192.168.1.1-5

Scanning a Subnet: To scan an entire subnet.
Ex: nmap 192.168.1.0/24

Service Version Detection: To detect the version of services running on open ports.
Ex: nmap -sV 192.168.1.1

Operating System Detection: To detect the operating system of a target.
Ex: nmap -O 192.168.1.1

Aggressive Scan: To perform an aggressive scan that includes OS detection, version detection, script scanning, and traceroute.
Ex: nmap -A 192.168.1.1

Scan Specific Ports: To scan specific ports on a target.
Ex: nmap -p 22,80,443 192.168.1.1

UDP Scan: To perform a UDP scan.
Ex: nmap -sU 192.168.1.1

Stealth Scan: To perform a TCP SYN scan (often referred to as a stealth scan).
Ex: nmap -sS 192.168.1.1

Save Output: To save the scan results to a file.
Ex: nmap -oN scan_results.txt 192.168.1.1
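The -oN output above is plain text that is easy to post-process. As an added example (not from the post), the following parses a constructed -oN report with two hosts and flags open ports that are not in an expected-exposure baseline, which is how a defender turns a scan of their own network into a finding. The report text, host names and baseline are all constructed.

```python
import re

# Constructed -oN report (not real scan output) with two hosts.
SAMPLE_ON = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oN scan_results.txt 192.168.1.0/24
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9
80/tcp   open  http    nginx 1.18.0
3306/tcp open  mysql   MySQL 5.7

Nmap scan report for printer.lan (192.168.1.2)
PORT     STATE    SERVICE VERSION
631/tcp  filtered ipp
9100/tcp open     jetdirect

# Nmap done at Mon Jan  1 12:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.00 seconds
"""
# Constructed baseline of what each host is expected to expose.
BASELINE = {"192.168.1.1": {22, 80}, "192.168.1.2": {9100}}

REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_on(text: str) -> dict:
    """Map each scanned IP to its port lines from an nmap -oN file."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version.strip()})
    return hosts

def unexpected_open(hosts: dict, baseline: dict) -> dict:
    """Open ports missing from the per-host allowlist; unlisted hosts allow nothing."""
    findings = {}
    for ip, ports in hosts.items():
        extra = [p for p in ports if p["state"] == "open" and p["port"] not in baseline.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings
```

For anything beyond a quick check, nmap's -oX output is the stable format to parse; the -oN layout is meant for humans.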

These are the basics of nmap; in the post you can see the full information about it.