Passive Recon
First, let's talk about the goals of doing recon. When we do recon we need to set objectives and follow them. Some of the objectives that I think are important are:
Network info
    IP addresses, ranges
    Domain info
Systems
    Server names/IPs
    Applications
        What are they running?
Security tools
    Firewalls
    IPS
    Endpoint protection
People
    Admins, engineers
    Developers
    Others?
Partners
    Vendors
    Hosting providers
Types of Reconnaissance
There are two types of recon: active and passive.
Active recon may include interacting directly with a target. Be aware that this type of recon requires permission, because the target will note our IP address and we might get blocked. In other words, permission is required for this type.
Passive recon means gathering as much information about our target as we can from the internet. In this type we do not interact directly with the target, because we are searching for public information about it.
Tools For Recon
whois: if you want to learn more about it and how to use it (Windows, macOS, and Linux), go to this link https://www.alphr.com/whois-windows-command-prompt/
We can use this command to get more information about our target. An example is shown below:
In this example I used the whois command on Linux to get information about hashimtech.com.
If we want, we can also use it to get the email addresses linked to the domain.
In the picture above I used the grep command to keep only the lines containing @.
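The whois-plus-grep step described above, written out as an added example (this is not the original post's command or output): the whois text below is a constructed sample, not a real lookup of hashimtech.com or any other domain, and the function and variable names are my own. It goes one step beyond the post by also pulling the name servers, which is where the "Hosting providers" objective from the list above usually shows up.

```shell
#!/bin/sh
# Added example, not from the original post. Extracts e-mail addresses (and
# name servers) from whois output, as the post does with `whois ... | grep @`.
# SAMPLE_WHOIS is constructed sample data so the script runs offline; the
# domain and addresses in it are placeholders, not real registrations.

SAMPLE_WHOIS='Domain Name: EXAMPLE-DOMAIN.TEST
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Email: hostmaster@example-domain.test
Admin Email: hostmaster@example-domain.test
Tech Email: noc@hosting-provider.example
Name Server: NS1.HOSTING-PROVIDER.EXAMPLE
Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
Updated Date: 2020-01-01T00:00:00Z'

# extract_emails: read whois text on stdin, print unique e-mail addresses,
# one per line. `grep -o` prints only the matching part of each line, and
# `sort -u` collapses duplicates (the hostmaster address appears twice above).
extract_emails() {
    grep -o -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+' | sort -u
}

# extract_nameservers: read whois text on stdin, print the name servers in
# lower case. The NS hostnames usually reveal the DNS/hosting provider.
extract_nameservers() {
    grep -i '^Name Server:' | sed 's/^[^:]*:[[:space:]]*//' | tr 'A-Z' 'a-z' | sort -u
}

# count_emails: number of unique addresses in whois text on stdin.
count_emails() {
    extract_emails | wc -l | tr -d ' '
}

# Against a live domain you are authorized to assess, the same functions
# work on real whois output:  whois example-domain.test | extract_emails
printf 'E-mail addresses:\n'
printf '%s\n' "$SAMPLE_WHOIS" | extract_emails
printf 'Name servers:\n'
printf '%s\n' "$SAMPLE_WHOIS" | extract_nameservers
```

The same commands are useful from the defender's side: run them against your own domains to see exactly which personal or role addresses and which provider relationships are visible to anyone, and decide whether registrar privacy or role mailboxes should replace them.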
Shodan is a search engine that lets users search for various types of servers connected to the internet using a variety of filters. The link is https://www.shodan.io/
If you would like to know more about it, please go to this link https://www.safetydetectives.com/blog/what-is-shodan-and-how-to-use-it-most-effectively/
Another search engine you can use is theHarvester, but it is command-line based.
Another one is Netcraft; this provides a technical report about other websites.
Metagoofil is used to perform metadata analysis on files that are publicly accessible.