📌 What is Reconnaissance ?

Reconnaissance (Recon) is the first phase of ethical hacking where you collect information about a target system, network, or organization.

👉 In simple words:

“It’s like researching your target before taking any action.”

🎯 Goal of Recon:

• Identify IP addresses
• Discover domains & subdomains
• Find open ports & services
• Gather employee or organizational data 

🧠 Types of Reconnaissance :

🔎 1. Passive Reconnaissance

✔️ No direct interaction with the target

✔️ Safe and legal (if done ethically)

📌 Techniques:

• Google Dorking
• WHOIS Lookup
• Social Media Analysis
• OSINT (Open Source Intelligence)

📡 2. Active Reconnaissance

⚠️ Direct interaction with the target

⚠️ Can be detected by security system

📌 Techniques:

• Port Scanning
• Network Scanning
• Vulnerability Scanning

Top Reconnaissance Techniques (With Examples) :

🔎 1. Google Dorking :

Use advanced Google queries to find hidden data.

✅ Example:

site:example.com filetype:pdf

👉 Finds all PDF files on a website.

🌐 2. WHOIS Lookup :

Find domain ownership and registration details.

✅ Command (Linux/Kali):

whois example.com

👉 Output may include:

• Owner name
• Email
• Registrar details

📡 3. Network Scanning with Nmap :

Nmap is one of the most powerful tools for active reconnaissance.

✅ Basic Scan (Linux/Kali):

nmap 192.168.1.1

👉 Scans common ports on the target.

✅ Scan All Ports:

nmap -p- 192.168.1.1

👉 Checks all 65535 ports.

✅ Service Version Detection:

nmap -sV 192.168.1.1

👉 Detects services like HTTP, SSH, FTP.

✅ OS Detection:

nmap -O 192.168.1.1

👉 Tries to identify the operating system.

🕵️‍♂️ 4. OSINT using Recon-ng :

Recon-ng is a powerful framework for gathering open-source intelligence.

✅ Start Recon-ng (Linux/Kali):

recon-ng

✅ Create Workspace:

workspaces create myproject

✅ Load Module:

modules load recon/domains-hosts/bing_domain_web

✅ Add Target Domain:

options set SOURCE example.com

✅ Run Module:

run

👉 This will collect subdomains and related information.