Purpose of This Phase
The goal of this phase is to collect as much intelligence about the target as possible before launching any attack. The more you know, the higher your success rate and the less noise you generate.
Two Main Approaches
- Passive Recon → Gather data without touching the target (OSINT, Google dorks, WHOIS, leaked credentials, etc.).
- Active Recon → Directly interact with target systems (DNS queries, port scanning, service enumeration, etc.).
Information gathering is never a one-time task. It is a continuous, cyclic process that repeats at every stage of the engagement:
- Initial external recon → discover domains, IPs, technologies
- Gain initial access → enumerate the compromised host & local network
- Move laterally → repeat recon on every new system or subnet you reach
- Escalate privileges → discover new services, users, and trust relationships
Each new foothold expands the attack surface and reveals fresh targets. Top red teams never stop enumerating until the final flag is captured (or the report is delivered). The quality and depth of your information gathering directly determines how far you’ll go in the assessment. Treat it as an ongoing habit, not a checkbox.
Passive Information Gathering
Passive reconnaissance is all about learning everything you can about a target while remaining completely invisible. You collect information exclusively from public sources and never send traffic directly to the target’s infrastructure.
In its strictest form, you avoid any interaction at all: you search Google and other engines, check historical DNS and WHOIS records, explore archived copies of websites, study employee profiles and company posts on social platforms, review job listings, and pull data from past breaches. Because no packet ever reaches the target, the target itself has no way to detect this activity. The third-party services you query do keep their own logs, so run these lookups from accounts and infrastructure that cannot be attributed to you.
In everyday professional work the definition loosens a little: as long as your actions are indistinguishable from those of an ordinary visitor (browsing the public website, registering for a free account, downloading whitepapers or mobile apps), the reconnaissance is still considered passive. You are not probing or testing; you are behaving like any normal user. These actions do leave ordinary entries in the target's logs, and an account registration leaves a record tied to whatever identity you used, so confirm they fall within the rules of engagement.
Either way, this quiet phase produces a surprisingly detailed picture: domains and subdomains, IP ranges, technologies in use, employee names and email patterns, forgotten servers, cloud buckets, and much more. Because the target never sees you coming, passive OSINT gives you a solid, stealthy foundation for the active stages that follow.
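One concrete passive source for the "domains and subdomains" item above is Certificate Transparency: every publicly trusted TLS certificate is logged, and services such as crt.sh expose those logs as JSON. The script below is an added example, not part of the course material. It parses records in the shape crt.sh returns for a query like `https://crt.sh/?q=%25.example.com&output=json` (the field names `common_name` and `name_value` are the real ones; the records themselves are constructed, not a real query result) and reduces them to a clean, in-scope host list. In real use the only network traffic is the request to crt.sh, a third party; nothing reaches the target.

```python
"""Passive recon: pull in-scope subdomains out of Certificate Transparency data.

Added example for the course text, not the course's own code. The records
below are constructed to mimic crt.sh's JSON output; none of them come from a
real query.
"""
import json

# Constructed sample in crt.sh's JSON shape. A single certificate's
# name_value may hold several SANs separated by newlines, and wildcard
# entries are common.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com",
     "name_value": "VPN.example.com\nvpn-old.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "dev.internal.example.com",
     "name_value": "dev.internal.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.evil-lookalike.net",   # contains the apex string but is a different domain
     "name_value": "example.com.evil-lookalike.net"},
])


def extract_subdomains(ct_json: str, apex: str) -> list[str]:
    """Return the unique, in-scope hostnames found in crt.sh-style JSON, sorted.

    - splits multi-SAN name_value fields on newlines
    - lowercases and drops a leading "*." (a wildcard cert proves the apex
      issues certificates at that level, not that a host called "*" exists)
    - keeps only names equal to the apex or ending in "." + apex, which
      rejects look-alike domains that merely contain the apex as a substring
    """
    apex = apex.lower().strip(".")
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CT_JSON, "example.com"):
        print(host)
```

The suffix check matters more than it looks: a plain substring match on the apex would have pulled `example.com.evil-lookalike.net` into scope, and scanning it later would be an out-of-scope action against someone else's infrastructure. Names such as `vpn-old.example.com` and `dev.internal.example.com` are exactly the "forgotten servers" passive recon is good at surfacing; they go on the list for the active phase.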
Active Information Gathering
In this module we move from silent, passive research into active reconnaissance: we start directly interacting with the target’s systems to pull out much more detailed information.
You will master the core active techniques that professionals use every day, such as:
- port scanning
- deep enumeration of DNS, SMB, SMTP, and SNMP services
Most hands-on examples use the tools that come pre-installed on Kali Linux. You will also see how to get the same results when all you have is a standard Windows machine. In those situations we rely on Living off the Land (LotL) techniques: using trusted, built-in Windows binaries (commonly called LOLBins; the LOLBAS project catalogues them together with the scripts and libraries that can be abused the same way) so you can gather intelligence without installing or downloading anything extra. Keep in mind that LotL avoids dropping tooling on disk, not network visibility: the DNS queries and port probes you send from a built-in binary reach the target just as an Nmap scan would.
By the end of this section, you’ll be comfortable performing active recon from both Linux and Windows environments, exactly the way it’s done on actual engagements.
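Before reaching for Nmap it helps to see what the simplest port scan actually does on the wire, because that is where the "noise" of active recon comes from. The script below is an added example, not course code: it implements a TCP connect scan with banner grabbing and, so that it runs offline, starts two throwaway listeners on 127.0.0.1 and scans the port window around them. The SSH banner string is constructed, not captured from a real service, and the listener ports are whatever the OS hands out. Every probe completes the full three-way handshake, so the scanned service sees an accepted connection and logs it if it logs anything; Nmap's default SYN scan (`-sS`) stops after the SYN/ACK, which is quieter but needs raw-socket privileges.

```python
"""Active recon: a TCP connect scan with banner grabbing, run against
constructed local listeners so it works offline.

Added example for the course text, not the course's own code. The banner
below is made up; the listeners exist only for the duration of demo().
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def connect_scan(host, ports, timeout=0.5, workers=32):
    """Return {port: banner} for every port that accepted a TCP connection.

    banner is "" when the service accepted but sent nothing before closing or
    before the timeout (many protocols expect the client to speak first).
    Refused ports (closed) and timed-out ports (filtered) are omitted.
    """
    def probe(port):
        try:
            # create_connection completes the handshake: SYN, SYN/ACK, ACK.
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    banner = ""
                return port, banner
        except OSError:
            return port, None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {p: b for p, b in pool.map(probe, ports) if b is not None}


def start_listener(banner=b""):
    """Bind a throwaway service on an ephemeral localhost port.

    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:           # send the banner (if any) and hang up
                if banner:
                    conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def demo():
    """Scan a small window around two constructed listeners.

    Returns (open_ports, ssh_port, quiet_port) so the result can be checked.
    """
    ssh_port, ssh_stop = start_listener(b"SSH-2.0-OpenSSH_9.6\r\n")  # constructed banner
    quiet_port, quiet_stop = start_listener()                        # accepts, says nothing
    lo = min(ssh_port, quiet_port) - 5
    hi = max(ssh_port, quiet_port) + 5
    try:
        open_ports = connect_scan("127.0.0.1", range(lo, hi + 1))
    finally:
        ssh_stop.set()
        quiet_stop.set()
    return open_ports, ssh_port, quiet_port


if __name__ == "__main__":
    found, ssh_port, quiet_port = demo()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

The distinction between "refused" and "timed out" in `probe` is the same one Nmap reports as closed versus filtered: a RST tells you a host is there and nothing listens on that port, while silence usually means a firewall dropped the SYN. Banner text such as `SSH-2.0-OpenSSH_9.6` is the seed for the deeper service enumeration this module goes on to cover.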