Network Reconnaissance: Complete Guide to Information Gathering


Network reconnaissance is the foundation of any successful penetration test or security assessment. This comprehensive guide covers passive and active reconnaissance techniques, essential tools, and methodologies for gathering intelligence about target networks and systems.

Understanding Network Reconnaissance

Network reconnaissance is the process of gathering information about a target network, its infrastructure, services, and potential vulnerabilities without directly exploiting them. It’s divided into two main categories:

  • Passive Reconnaissance: Gathering information without directly interacting with the target
  • Active Reconnaissance: Direct interaction with the target systems to gather information

Passive Reconnaissance Techniques

OSINT (Open Source Intelligence)

Search Engine Intelligence:

# Google dorking for sensitive information
site:example.com filetype:pdf
site:example.com intitle:"index of"
site:example.com "password" OR "login" filetype:xls

# Shodan queries for exposed services (net: takes public address space; Shodan
# does not index RFC 1918 ranges, so 203.0.113.0/24 stands in for the target CIDR)
shodan search "apache" country:US
shodan search "port:22" org:"Target Company"
shodan search "Server: nginx" net:203.0.113.0/24

DNS Intelligence Gathering:

# DNS enumeration with dig (many servers refuse ANY per RFC 8482, so ask for
# the record types you actually want)
dig example.com ANY
dig example.com A example.com AAAA
dig @8.8.8.8 example.com MX
dig -x 192.168.1.1

# DNS zone transfer attempts: these query the target's authoritative servers
# directly, so from the target's point of view they are active, not passive
dig @ns1.example.com example.com AXFR
fierce --domain example.com

# Certificate transparency logs
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
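The crt.sh pipeline above still leaves cleanup to do: a single name_value can hold several SANs separated by newlines, entries may be wildcards, mixed case or end in a dot, and a broad query pattern can pull in names outside the target domain. The following added example (not part of the original page) normalises a constructed crt.sh-style JSON response, assumed to resemble the real output, into an in-scope host list and records wildcard certificates separately, since a wildcard certificate hints that brute-forced names may resolve through wildcard DNS:

```python
#!/usr/bin/env python3
"""Normalise crt.sh JSON into an in-scope subdomain list (added example)."""
import json
import re

# Constructed sample shaped like https://crt.sh/?q=%.example.com&output=json;
# not live data. Real responses carry more keys (id, not_before, ...).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},          # several SANs per cert
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nAPI.Example.com"},        # wildcard + mixed case
    {"common_name": "mail.example.com",
     "name_value": "mail.example.com."},                      # trailing dot
    {"common_name": "login.notexample.com",
     "name_value": "login.notexample.com"},                   # out of scope
])

# RFC 1123 style hostname: letters, digits, hyphens, labels of 1-63 characters
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex itself or a real subdomain of it."""
    return name == domain or name.endswith("." + domain)


def parse_crtsh(raw_json: str, domain: str) -> dict:
    """Split, normalise and filter crt.sh entries.

    Returns {"hosts": [...], "wildcards": [...], "dropped": [...]}, each sorted.
    """
    hosts, wildcards, dropped = set(), set(), set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # remember the wildcard, then treat its base name as a host
                wildcards.add(name)
                name = name[2:]
            if not in_scope(name, domain) or not HOSTNAME_RE.match(name):
                dropped.add(name)
                continue
            hosts.add(name)
    return {
        "hosts": sorted(hosts),
        "wildcards": sorted(wildcards),
        "dropped": sorted(dropped),
    }


if __name__ == "__main__":
    result = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(result["hosts"]))
    if result["wildcards"]:
        print("wildcard certs seen:", ", ".join(result["wildcards"]))
```

For live use, replace SAMPLE_CRTSH_JSON with the body returned by the curl command above; the dropped list is worth a glance, because a name that fails the hostname regex is usually a malformed SAN rather than a real host.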

Social Media and Professional Networks:

  • LinkedIn for employee information
  • GitHub for source code and credentials
  • Twitter for technology stack information
  • Company websites for infrastructure details

Domain and Subdomain Enumeration

Subdomain Discovery:

# Subfinder for passive subdomain enumeration
subfinder -d example.com -silent | tee subdomains.txt

# Amass for comprehensive subdomain discovery
amass enum -d example.com -o amass_results.txt

# Sublist3r aggregates search-engine and third-party sources (it is not a CT log client)
sublist3r -d example.com -o sublist3r_results.txt

# DNS brute forcing
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t brt

# Manual DNS enumeration
for subdomain in www mail ftp admin; do
    dig $subdomain.example.com +short
done

Advanced Subdomain Techniques:

# Using multiple wordlists: massdns resolves fully qualified names, so append the domain
head -10000 /usr/share/wordlists/bitquark-subdomains-top100000.txt | \
    sed 's/$/.example.com/' | \
    massdns -r /opt/massdns/lists/resolvers.txt -t A -o S -w massdns_results.txt

# Subdomain permutation (-r resolves the candidates, -s saves the ones that resolve)
altdns -i subdomains.txt -o altdns_output.txt -w /usr/share/wordlists/altdns/words.txt -r -s altdns_resolved.txt
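How a permutation tool arrives at its candidates is worth seeing in code. This added example (my own, not altdns) takes a constructed list of already-known hosts and a short wordlist, generates the usual permutation shapes (new leading label, hyphen-prefixed and hyphen-suffixed, glued, and the word replacing or inserted after each label), drops names that are already known, and emits one FQDN per line in the form massdns expects:

```python
#!/usr/bin/env python3
"""altdns-style subdomain permutation (added example, not altdns itself)."""

# Constructed inputs: names already discovered and a small permutation wordlist
KNOWN_HOSTS = ["api.example.com", "dev-api.example.com", "www.example.com"]
WORDS = ["dev", "staging", "admin", "01"]


def permute(hosts, words, domain):
    """Return new candidate names derived from known hosts and a wordlist.

    For each known host (e.g. api.example.com) and word (e.g. dev) emit
    dev.api, dev-api, api-dev, apidev, plus dev replacing or following each
    label. Already-known hosts are removed so the output is only candidates.
    """
    candidates = set()
    suffix = "." + domain
    for host in hosts:
        if host == domain or not host.endswith(suffix):
            continue                     # skip the apex and out-of-scope names
        prefix = host[: -len(suffix)]    # "dev-api" from dev-api.example.com
        labels = prefix.split(".")
        for w in words:
            candidates.add(f"{w}.{prefix}{suffix}")     # new leading label
            candidates.add(f"{w}-{prefix}{suffix}")     # hyphen-prepended
            candidates.add(f"{prefix}-{w}{suffix}")     # hyphen-appended
            candidates.add(f"{prefix}{w}{suffix}")      # glued (api01)
            for i in range(len(labels)):
                # replace label i, and insert the word right after label i
                replaced = labels[:i] + [w] + labels[i + 1:]
                inserted = labels[:i + 1] + [w] + labels[i + 1:]
                candidates.add(".".join(replaced) + suffix)
                candidates.add(".".join(inserted) + suffix)
    candidates -= set(hosts)
    return sorted(candidates)


def to_massdns_input(candidates):
    """massdns wants one fully qualified name per line."""
    return "\n".join(candidates) + "\n"


if __name__ == "__main__":
    names = permute(KNOWN_HOSTS, WORDS, "example.com")
    print(f"{len(names)} candidates")
    print(to_massdns_input(names), end="")
```

Resolve the output with massdns rather than a single resolver; with a few hundred known hosts and a real wordlist the candidate set runs into the hundreds of thousands, and a wildcard DNS zone will make every one of them "resolve", so check a random nonsense label first.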

Public Database Searches

Whois Information:

# Basic whois lookup
whois example.com

# Whois via a third-party JSON API (most such services require an API key)
curl -s "https://whoisjson.com/api/v1/whois?domain=example.com"

# ASN object from the RADb IRR, then the prefixes that ASN originates
whois -h whois.radb.net AS15169
whois -h whois.radb.net -- '-i origin AS15169'

BGP and ASN Intelligence:

# BGP origin of the target's IP via Team Cymru (the octets must be reversed)
IP=$(dig +short example.com A | head -1)
REV=$(echo "$IP" | awk -F. '{print $4"."$3"."$2"."$1}')
dig +short "$REV.origin.asn.cymru.com" TXT

# Hurricane Electric BGP toolkit
# Visit: https://bgp.he.net/

# ASN lookup by organisation name
asnlookup -o "Target Company"
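The Team Cymru lookup above depends on building the reversed name correctly and on reading a pipe-delimited TXT answer that can list more than one origin ASN. This added example (not from the original page) does both for IPv4 and IPv6, parses constructed answers that mimic Cymru's format (ASNs from the documentation range, made-up dates), and checks that the returned prefix actually contains the address that was asked about:

```python
#!/usr/bin/env python3
"""IP -> ASN mapping via Team Cymru's DNS interface (added example)."""
import ipaddress


def cymru_origin_name(ip: str) -> str:
    """Build the reversed-octet (IPv4) or reversed-nibble (IPv6) name to query as TXT."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_octets = ".".join(reversed(str(addr).split(".")))
        return f"{reversed_octets}.origin.asn.cymru.com"
    nibbles = addr.exploded.replace(":", "")      # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".origin6.asn.cymru.com"


def parse_cymru_origin(txt: str) -> dict:
    """Parse the TXT answer 'ASN | prefix | CC | registry | allocated'.

    Several ASNs may originate one prefix (MOAS); then the first field holds
    space-separated numbers, so the result always carries a list.
    """
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 5:
        raise ValueError(f"unexpected Cymru record: {txt!r}")
    asns, prefix, cc, registry, allocated = fields[:5]
    return {
        "asns": [int(a) for a in asns.split()],
        "prefix": ipaddress.ip_network(prefix),
        "cc": cc,
        "registry": registry,
        "allocated": allocated,
    }


def covers(record: dict, ip: str) -> bool:
    """Sanity check: the announced prefix should contain the IP we asked about."""
    return ipaddress.ip_address(ip) in record["prefix"]


# Constructed TXT answers in the format Cymru returns; ASNs are from the
# documentation range (RFC 5398) and the dates are invented.
SAMPLE_ANSWERS = {
    "203.0.113.7": '"64496 | 203.0.113.0/24 | US | arin | 2020-01-01"',
    "198.51.100.9": '"64497 64498 | 198.51.100.0/24 | DE | ripencc | 2019-06-30"',
}

if __name__ == "__main__":
    for ip, txt in SAMPLE_ANSWERS.items():
        rec = parse_cymru_origin(txt)
        print(f"dig +short {cymru_origin_name(ip)} TXT")
        print(f"  -> AS{','.join(map(str, rec['asns']))} {rec['prefix']} "
              f"{rec['cc']} covers_ip={covers(rec, ip)}")
```

Feed the printed dig command's real answer back into parse_cymru_origin to get the prefix; from there the whole prefix (and the AS number's other prefixes via RADb, as above) becomes candidate scope to confirm with the client.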

Active Reconnaissance Techniques

Network Discovery and Mapping

Host Discovery:

# Ping sweep (no port scan; nmap picks ICMP, TCP and ARP probes as appropriate)
nmap -sn 192.168.1.0/24

# ARP scan for the local segment (needs root; the most reliable method on a LAN)
arp-scan -l
netdiscover -r 192.168.1.0/24

# UDP ping discovery against ports that commonly answer
nmap -sn -PU53,161,137 192.168.1.0/24

# ICMP discovery with different types (echo, timestamp, netmask)
nmap -sn -PE -PP -PM 192.168.1.0/24

Advanced Host Discovery:

# TCP SYN ping (-sn keeps it to discovery only)
nmap -sn -PS21,22,25,53,80,110,443,993,995,1723,3389,5900 192.168.1.0/24

# TCP ACK ping (useful where SYNs to closed ports are filtered but ACKs pass)
nmap -sn -PA21,22,25,53,80,110,443,993,995,1723,3389,5900 192.168.1.0/24

# Masscan for ultra-fast scanning (needs root; --rate is packets per second)
masscan -p1-65535 192.168.1.0/24 --rate=1000

Port Scanning and Service Enumeration

Basic Port Scanning:

# TCP SYN scan (half-open; needs root)
nmap -sS target.com

# TCP connect scan (no root needed, but it completes the handshake so the service logs it)
nmap -sT target.com

# UDP scan (slow: closed ports answer with ICMP unreachable, open ones usually stay silent)
nmap -sU target.com

# Comprehensive scan (-A already implies -sV, -sC, -O and --traceroute)
nmap -sS -A target.com

Advanced Port Scanning Techniques:

# Scan with timing templates
nmap -T4 -sS target.com

# Scan specific ports
nmap -p 21,22,25,53,80,110,143,443,993,995 target.com

# Scan all ports
nmap -p- target.com

# Scan with a custom source port (some filters trust traffic from DNS or FTP-data ports)
nmap --source-port 53 target.com

# Fragment packets to evade simple packet filters (needs root; stateful firewalls
# and IDS reassemble fragments, so treat this as a weak evasion)
nmap -f target.com
nmap --mtu 8 target.com

Service Version Detection:

# Service version detection
nmap -sV target.com

# Aggressive version detection
nmap -sV --version-intensity 9 target.com

# OS detection
nmap -O target.com

# Script scanning (the vuln category is noisy and intrusive; on production systems
# prefer the default or safe categories, or name individual scripts)
nmap --script vuln target.com
nmap --script="http-*" target.com
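Version-detection output is only useful once it is in a structured form. This added example (not part of the original page) parses constructed nmap grepable (-oG) output, in which each port entry is port/state/proto/owner/service/rpc/version and slashes inside a field are written as |, into per-host records and renders the rows of the host table used in the report template later on this page:

```python
#!/usr/bin/env python3
"""Parse nmap grepable (-oG) output into host/port records (added example)."""
import re

# Constructed -oG output for two hosts (not a real scan). Fields are tab-separated;
# each port entry is port/state/proto/owner/service/rpc/version/ and nmap writes a
# '/' inside a field as '|' (hence "ssl|imap").
SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.10 192.168.1.20\n"
    "Host: 192.168.1.10 (web.example.com)\tStatus: Up\n"
    "Host: 192.168.1.10 (web.example.com)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, "
    "443/open/tcp//http//Apache httpd 2.4.41/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.20 (mail.example.com)\tStatus: Up\n"
    "Host: 192.168.1.20 (mail.example.com)\tPorts: "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "587/open/tcp//smtp//Postfix smtpd/, "
    "993/open/tcp//ssl|imap//Dovecot imapd/\tIgnored State: closed (997)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_grepable(text: str) -> dict:
    """Return {ip: {"hostname": str, "ports": [{port, state, proto, service, version}]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # comment and summary lines
        entry = hosts.setdefault(m["ip"], {"hostname": m["name"], "ports": []})
        for field in m["rest"].split("\t"):
            if not field.startswith("Ports: "):
                continue
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue                          # malformed entry, skip it
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({
                    "port": int(port), "state": state, "proto": proto,
                    "service": service, "version": version,
                })
    return hosts


def open_ports(hosts: dict, ip: str) -> list:
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == "open")


def report_rows(hosts: dict) -> list:
    """Rows for the '| Host | IP Address | Open Ports | Services |' report table."""
    rows = []
    for ip, h in sorted(hosts.items()):
        opened = [p for p in h["ports"] if p["state"] == "open"]
        services = sorted({p["version"] or p["service"] for p in opened})
        rows.append(f"| {h['hostname'] or ip} | {ip} | "
                    f"{','.join(str(p['port']) for p in opened)} | {'; '.join(services)} |")
    return rows


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    print("| Host | IP Address | Open Ports | Services |")
    print("|------|------------|------------|----------|")
    print("\n".join(report_rows(parsed)))
```

Run the real scan with -oA so you get the grepable file alongside the XML; filtered ports are kept in the records but left out of the table, which is usually what a reader of the report wants.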

Protocol-Specific Reconnaissance

HTTP/HTTPS Reconnaissance:

# Web server fingerprinting
curl -I http://target.com
whatweb target.com
nikto -h http://target.com

# Directory enumeration
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
ffuf -w /usr/share/wordlists/dirb/big.txt -u http://target.com/FUZZ

# Technology detection
httpx -u target.com -tech-detect -title -status-code

# SSL/TLS analysis
sslscan target.com
testssl.sh target.com

SMB/NetBIOS Reconnaissance:

# SMB enumeration (-N: no password, i.e. try a null session)
smbclient -L //target.com -N
enum4linux -a target.com
nbtscan target.com

# SMB shares discovery
smbmap -H target.com
crackmapexec smb target.com --shares

# Null session enumeration
rpcclient -U "" -N target.com

DNS Reconnaissance:

# DNS zone transfer
dig @target.com example.com AXFR

# DNS enumeration with dnsrecon
dnsrecon -d example.com -n target.com

# Reverse DNS lookup
nmap -sL 192.168.1.0/24

# DNS cache snooping: non-recursive queries for the names in the wordlist show
# what the resolver has already cached (and so what its users visit)
dnsrecon -d example.com -n target.com -t snoop -D /usr/share/wordlists/dnsmap.txt

SNMP Reconnaissance:

# SNMP community string brute force
onesixtyone -c /usr/share/wordlists/metasploit/snmp_default_pass.txt target.com

# SNMP walk
snmpwalk -c public -v1 target.com

# SNMP enumeration with nmap
nmap -sU -p 161 --script snmp-brute target.com
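A community-string brute force is nothing more than sending one SNMPv1 GetRequest per candidate string and seeing which one earns a GetResponse. This added example (my own, not onesixtyone's code) BER-encodes that GetRequest for sysDescr.0, decodes a constructed GetResponse (not a capture), and includes a probe() helper for live use against a host you are authorised to test:

```python
#!/usr/bin/env python3
"""Minimal SNMPv1 GetRequest encoder / GetResponse decoder (added example).
Wrong community strings get no reply at all, which is the whole brute-force signal."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """First two arcs pack into one byte; later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def snmp_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                 # OID, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)        # GetRequest PDU
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_response(pkt: bytes) -> dict:
    _, msg, _ = read_tlv(pkt)
    _, _version, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError(f"not a GetResponse PDU: tag 0x{pdu_tag:02x}")
    _, _req_id, p = read_tlv(pdu)
    _, err_status, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = {}, 0
    while p < len(vbl):                              # walk the VarBindList
        _, vb, p = read_tlv(vbl, p)
        _, oid_body, q = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, q)
        varbinds[decode_oid(oid_body)] = value.decode("utf-8", "replace") if vtag == 0x04 else value
    return {"community": community.decode(),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "varbinds": varbinds}


# Constructed GetResponse (not a capture): community "public", sysDescr.0 = "Linux".
SAMPLE_RESPONSE = bytes.fromhex(
    "30 2b 02 01 00 04 06 7075626c6963 a2 1e 02 01 01 02 01 00 02 01 00 "
    "30 13 30 11 06 08 2b06010201010100 04 05 4c696e7578"
)


def probe(host: str, community: str, timeout: float = 2.0):
    """Live use: send one GetRequest to udp/161 and return the parsed reply, or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmp_get_request(community), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None                              # wrong community: agent stays silent
    return parse_snmp_response(data)


if __name__ == "__main__":
    print(snmp_get_request("public").hex())
    print(parse_snmp_response(SAMPLE_RESPONSE))
```

Because a silent agent and a wrong community look identical (UDP, no reply), send the request a second time before concluding the string is wrong, and keep the rate low: many agents log failed community strings, which is exactly the kind of event the detection section later on this page describes.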

Advanced Reconnaissance Techniques

IPv6 Reconnaissance

IPv6 Discovery:

# IPv6 neighbor discovery
ping6 ff02::1%eth0

# IPv6 scanning with nmap
nmap -6 target.com
nmap -6 -sS 2001:db8::1

# THC IPv6 toolkit (alive6 probes the link via the interface; it cannot sweep a /64)
alive6 eth0
detect-new-ip6 eth0

Cloud Infrastructure Reconnaissance

AWS Reconnaissance:

# S3 bucket enumeration (anonymous listing; a hit means the bucket policy allows it)
aws s3 ls s3://bucket-name --no-sign-request

# Subdomain enumeration for cloud services
subfinder -d example.com | grep -E "(amazonaws|azure|googleusercontent)"

# Cloud metadata service: only reachable from inside an instance (or through an
# SSRF into one), so this is post-access enumeration rather than external recon
curl http://169.254.169.254/latest/meta-data/
# AWS IMDSv2 requires a session token first
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/
# GCP rejects requests without the Metadata-Flavor header
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/

Azure and GCP Reconnaissance:

# Azure blob enumeration: each wordlist entry is tried as a container name;
# confirm a hit with ?restype=container&comp=list to get the blob listing
gobuster dir -u https://example.blob.core.windows.net -w /usr/share/wordlists/dirb/common.txt

# GCP bucket enumeration
gsutil ls gs://bucket-name

Wireless Network Reconnaissance

WiFi Reconnaissance:

# Monitor mode setup
airmon-ng start wlan0

# Wireless network discovery
airodump-ng wlan0mon

# WPS discovery
wash -i wlan0mon

# Bluetooth discovery
hcitool scan
bluelog -o bluetooth_devices.log

Social Engineering Reconnaissance

Employee Information Gathering:

# LinkedIn automation (use responsibly)
theHarvester -d example.com -l 500 -b linkedin

# Email harvesting
theHarvester -d example.com -l 500 -b google
# Web services for address formats and known mailboxes: hunter.io, phonebook.cz

# Social media intelligence (username enumeration across sites)
sherlock username
maigret username

Reconnaissance Automation and Frameworks

Recon-ng Framework

Basic Recon-ng Usage:

# Start recon-ng
recon-ng

# Create workspace
workspaces create example_corp

# Install modules
marketplace install all

# Use modules
modules load recon/domains-hosts/google_site_web
options set SOURCE example.com
run

# Review results (the hosts table is what the later modules consume)
show hosts

Advanced Recon-ng Workflows:

# Automated reconnaissance from a recon-ng resource file
cat > recon_example.rc <<'EOF'
modules load recon/domains-hosts/google_site_web
options set SOURCE example.com
run
modules load recon/hosts-hosts/resolve
run
modules load recon/hosts-ports/shodan_ip
run
exit
EOF
# resolve must run before shodan_ip, which needs IPs; shodan_ip also needs a stored
# API key: keys add shodan_api <key>
recon-ng -w example_corp -r recon_example.rc

Custom Automation Scripts

Bash Reconnaissance Script:

#!/bin/bash
set -euo pipefail

TARGET="${1:?usage: $0 <domain>}"
OUTPUT_DIR="recon_${TARGET}"
WORDLIST=/usr/share/wordlists/dirb/common.txt

# Create output directory
mkdir -p "$OUTPUT_DIR"

# Subdomain enumeration: merge both sources and de-duplicate
echo "[+] Starting subdomain enumeration..."
subfinder -d "$TARGET" -silent > "$OUTPUT_DIR/subfinder.txt"
amass enum -passive -d "$TARGET" -o "$OUTPUT_DIR/amass.txt"
sort -u "$OUTPUT_DIR/subfinder.txt" "$OUTPUT_DIR/amass.txt" > "$OUTPUT_DIR/subdomains.txt"

# HTTP probing: httpx emits URLs (https://host), which gobuster can use directly
echo "[+] Probing for live hosts..."
httpx -l "$OUTPUT_DIR/subdomains.txt" -silent > "$OUTPUT_DIR/live_urls.txt"
# nmap wants bare hostnames, so strip scheme, port and path
sed -E 's#^[a-z]+://##; s#[:/].*$##' "$OUTPUT_DIR/live_urls.txt" | sort -u > "$OUTPUT_DIR/live_hosts.txt"

# Port scanning (-sS needs root; fall back to a connect scan otherwise)
echo "[+] Port scanning live hosts..."
if [ "$(id -u)" -eq 0 ]; then SCAN=-sS; else SCAN=-sT; fi
nmap -iL "$OUTPUT_DIR/live_hosts.txt" -T4 "$SCAN" -oA "$OUTPUT_DIR/nmap_scan"

# Directory enumeration, one gobuster per live URL; the output file name is
# sanitised because URLs contain characters that are not valid in paths
echo "[+] Directory enumeration..."
while read -r url; do
    safe="${url//[^A-Za-z0-9._-]/_}"
    gobuster dir -u "$url" -w "$WORDLIST" -o "$OUTPUT_DIR/gobuster_${safe}.txt" &
done < "$OUTPUT_DIR/live_urls.txt"

wait
echo "[+] Reconnaissance complete!"

Python Reconnaissance Tools

Custom Python Scanner:

#!/usr/bin/env python3
"""Simple TCP connect() scanner with a bounded thread pool."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime


def scan_port(host, port, timeout=1.0):
    """Return the port number if a TCP connect() succeeds, else None."""
    try:
        # connect_ex returns 0 on success instead of raising
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                return port
    except (socket.gaierror, OSError):
        pass
    return None


def scan_range(host, start=1, end=1024, workers=100):
    """Scan ports start..end (inclusive) and return the sorted list of open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: scan_port(host, p), range(start, end + 1))
    return sorted(p for p in results if p is not None)


def main():
    host = sys.argv[1] if len(sys.argv) > 1 else input("Enter host to scan: ")
    print(f"Starting port scan on {host} at {datetime.now()}")
    for port in scan_range(host):
        print(f"Port {port}: Open")


if __name__ == "__main__":
    main()

Defensive Considerations and Evasion

Firewall and IDS Evasion

Timing and Rate Limiting:

# Slow timing template to reduce IDS triggering (-T0 is slower still)
nmap -T1 target.com

# Fixed delay between probes (nmap also offers --max-rate to cap packets per second)
nmap --scan-delay 1s target.com

# Randomize host order
nmap --randomize-hosts target.com

Source Address Spoofing:

# Decoy scanning: the target sees probes from the decoys as well, but your real
# address is still among them
nmap -D RND:10 target.com
nmap -D 192.168.1.100,192.168.1.101,ME target.com

# Idle scan: probes appear to come from the zombie, which must have an
# incremental IP ID sequence and be genuinely idle
nmap -sI zombie_host target.com

Protocol and Packet Manipulation:

# Fragment packets
nmap -f target.com

# Use specific source port
nmap --source-port 53 target.com

# Bad checksum
nmap --badsum target.com

Reconnaissance Detection

Signs Your Reconnaissance is Being Detected:

  • Unusual network latency
  • Connection resets or timeouts
  • Rate limiting responses
  • Honeypot indicators
  • Security alerts or notifications
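The detection side of the same activity: the following added example (not from the original page) runs a simple scan detector over constructed firewall-style log lines (the key=value format is assumed for illustration). It flags a source that touches many ports on one host (vertical scan) or one port on many hosts (horizontal sweep) within a sliding time window, which is the logic behind the alerts listed above:

```python
#!/usr/bin/env python3
"""Port-scan / host-sweep detector over firewall-style log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed key=value lines (not from any real device):
    - 203.0.113.5 probes 12 ports on one host within 12 s   (vertical scan)
    - 198.51.100.9 probes port 445 on 10 hosts within 10 s  (horizontal sweep)
    - 192.168.1.50 makes three normal HTTPS connections     (benign)
    """
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 3389]):
        lines.append(f"2024-01-01T10:00:{i:02d}Z src=203.0.113.5 dst=192.168.1.10 "
                     f"dport={port} proto=tcp action=deny")
    for i in range(1, 11):
        lines.append(f"2024-01-01T10:05:{i:02d}Z src=198.51.100.9 dst=192.168.1.{i} "
                     f"dport=445 proto=tcp action=deny")
    for i in range(3):
        lines.append(f"2024-01-01T10:1{i}:00Z src=192.168.1.50 dst=192.168.1.10 "
                     f"dport=443 proto=tcp action=allow")
    return lines


LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def detect_scans(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=8):
    """Flag sources touching many ports on one host, or one port on many hosts, per window."""
    events = defaultdict(list)                       # src -> [(ts, dst, dport)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                 # unparseable line, skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["dst"], int(m["dport"])))

    alerts, seen = [], set()
    for src, evs in events.items():
        evs.sort()                                   # logs may arrive out of order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                           # slide the window forward
            win = evs[start:end + 1]
            ports_by_dst = defaultdict(set)
            for _, dst, dport in win:
                ports_by_dst[dst].add(dport)
            kinds = []
            if max(len(p) for p in ports_by_dst.values()) >= port_threshold:
                kinds.append("vertical_scan")
            if len(ports_by_dst) >= host_threshold:
                kinds.append("horizontal_sweep")
            for kind in kinds:
                if (src, kind) not in seen:          # report each (src, kind) once
                    seen.add((src, kind))
                    alerts.append({"src": src, "kind": kind,
                                   "first_seen": evs[end][0].isoformat(),
                                   "events_in_window": len(win)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The thresholds are the tuning knobs: the -T1 and --scan-delay options above are attempts to spread probes across more windows than this detector looks at, which is why a longer window with a lower threshold catches slow scans at the cost of more false positives from busy but legitimate clients.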

Staying Under the Radar:

# Proxy chains only carry TCP connect() traffic, so use -sT and -Pn; raw-socket
# scans (-sS, -sU, ICMP pings) bypass the proxy and leak your real address
proxychains nmap -sT -Pn target.com

# Tor routing has the same constraint (and exit nodes are widely blocklisted)
torify nmap -sT -Pn target.com

# VPN rotation
# Use multiple VPN services and rotate connections

Documentation and Reporting

Organizing Reconnaissance Data

Directory Structure:

reconnaissance/
├── passive/
│   ├── osint/
│   ├── dns/
│   └── whois/
├── active/
│   ├── network_discovery/
│   ├── port_scans/
│   └── service_enumeration/
├── automation/
│   └── scripts/
└── reports/

Reconnaissance Report Template

Executive Summary:

  • Scope of reconnaissance
  • Key findings
  • Security recommendations

Technical Findings:

## Network Infrastructure
- IP ranges: 192.168.1.0/24
- Authoritative DNS servers: ns1.example.com
- Mail servers: mail.example.com

## Discovered Hosts
| Host | IP Address | Open Ports | Services |
|------|------------|------------|----------|
| web.example.com | 192.168.1.10 | 80,443 | Apache 2.4.41 |
| mail.example.com | 192.168.1.20 | 25,587,993 | Postfix |

## Vulnerabilities Identified
- Outdated Apache httpd version (2.4.41; match the exact version against the vendor's advisory list rather than quoting a CVE from memory)
- SMB shares readable without authentication
- Weak SSL/TLS configuration (legacy protocol versions or cipher suites enabled)

Continuous Monitoring

Automated Monitoring Setup:

# Cron job for regular subdomain monitoring
0 0 * * * /opt/scripts/subdomain_monitor.sh example.com

# Domain monitoring with amass (track is an amass v3 subcommand; on newer
# releases diff successive enum outputs instead)
amass track -d example.com

Authorization Requirements

Before Starting Reconnaissance:

  1. Obtain written authorization
  2. Define scope boundaries
  3. Establish communication channels
  4. Set time limitations
  5. Agree on documentation requirements

Responsible Disclosure

If You Discover Vulnerabilities:

  1. Document findings securely
  2. Report to appropriate contacts
  3. Allow reasonable remediation time
  4. Follow coordinated disclosure practices

Tools and Resources Summary

Essential Reconnaissance Tools

Network Discovery:

  • Nmap - Network discovery and port scanning
  • Masscan - Ultra-fast port scanner
  • Zmap - Internet-wide network scanner

DNS Enumeration:

  • Subfinder - Passive subdomain discovery
  • Amass - In-depth DNS enumeration
  • DNSRecon - DNS enumeration and zone transfers

Web Reconnaissance:

  • HTTPx - HTTP toolkit
  • Gobuster - Directory and file enumeration
  • Nuclei - Vulnerability scanner

OSINT:

  • Recon-ng - Reconnaissance framework
  • theHarvester - Information gathering
  • Shodan - Internet device search

Wordlists and Databases

Common Wordlists:

  • SecLists (Daniel Miessler) - Comprehensive wordlist collection
  • FuzzDB - Attack patterns and payloads
  • Assetnote wordlists - Large DNS and content-discovery lists

Useful Databases:

  • CVE database
  • Exploit-DB
  • GHDB (Google Hacking Database)

Conclusion

Network reconnaissance is a critical skill for cybersecurity professionals. Success requires:

  1. Methodical approach: Follow structured reconnaissance methodologies
  2. Tool proficiency: Master essential reconnaissance tools
  3. Legal compliance: Always operate within authorized boundaries
  4. Continuous learning: Stay updated with new techniques and tools
  5. Documentation: Maintain detailed records of all activities

Remember that reconnaissance is often the longest phase of a penetration test, but it’s also the most important. The quality of your reconnaissance directly impacts the success of subsequent testing phases.

Key Takeaways:

  • Start with passive reconnaissance to avoid detection
  • Use multiple tools and techniques for comprehensive coverage
  • Automate repetitive tasks for efficiency
  • Document everything for reporting and future reference
  • Always respect legal and ethical boundaries

Disclaimer: This guide is for educational and authorized testing purposes only. Always ensure you have explicit written permission before conducting reconnaissance against any target. Unauthorized reconnaissance activities are illegal and unethical.