Passive Reconnaissance

beginner · 25 min · Writeup

Gathering information without touching the target

Learning Objectives

  • Understand passive vs active reconnaissance
  • Use OSINT tools and techniques
  • Enumerate subdomains passively
  • Gather information from public sources

Imagine you're a detective investigating someone without them knowing. You'd check their social media, public records, maybe drive past their house - but never knock on the door. That's passive reconnaissance: gathering information without touching the target directly.

Why Passive First?

Active scanning sends packets to the target, which leaves entries in its logs and can trigger alarms. Passive recon sends nothing to the target - you only look at information that third parties (registrars, DNS, search engines, certificate logs) already publish, so the target has no idea you're investigating them.

The OSINT Mindset

Good OSINT practitioners think like journalists. Every piece of information leads to another. A domain reveals registration info, which reveals an email, which reveals social profiles, which reveals technologies...

  • Domain Info: Subdomains, DNS records, historical data
  • Emails: Patterns, individual addresses
  • Employees: Names, roles, social media
  • Tech Stack: Software, frameworks, services
  • Network: IP ranges, ASN, hosting providers
  • Leaks: Credentials, code repos, documents

Domain Intelligence

WHOIS Lookups

Every domain has WHOIS records - like DMV records for websites. Many use privacy protection now, but older or internal domains often don't.

```bash
# Basic WHOIS lookup
whois example.com

# Web-based, with historical records
# https://who.is/
# https://whois.domaintools.com/
```

Subdomain Enumeration

Subdomains are goldmines: dev.company.com, vpn.company.com, staging.company.com are often forgotten, poorly secured services.

```bash
# Using subfinder (passive sources only)
subfinder -d example.com -silent

# Using amass in passive mode
amass enum -passive -d example.com

# Certificate Transparency logs (name_value holds every SAN of a cert, newline-separated)
curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u
```
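The crt.sh JSON above has a wrinkle the one-liner glosses over: each `name_value` field carries every SAN of one certificate, newline-separated, in whatever case the CA recorded. The added example below (not code from the original page) parses a constructed sample of that export, normalises it into a hostname inventory, and shows the defender's use of the same data: spotting certificates issued for hosts nobody registered in the asset list.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of the crt.sh JSON export from the curl
# command above (not a real query result). name_value lists every SAN of a
# certificate, newline-separated, and names can differ only in case.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.com\nwww.vpn.example.com",
     "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "Staging.Example.COM",
     "not_before": "2022-03-15T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn.example.com",            # renewal of the first cert
     "not_before": "2024-07-10T00:00:00"},
])


def extract_hostnames(crtsh_json: str, domain: str) -> Dict[str, List[str]]:
    """Turn a crt.sh JSON export into {hostname: [issuer, ...]}.
    Splits multi-SAN name_value fields, lower-cases names, keeps wildcards
    (they prove a name pattern exists, not a concrete host) and drops names
    outside `domain` so a loose query cannot pollute the inventory.
    """
    domain = domain.lower()
    found: Dict[str, List[str]] = {}
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if not name or (name != domain and not name.endswith("." + domain)):
                continue
            issuers = found.setdefault(name, [])
            if entry.get("issuer_name") not in issuers:
                issuers.append(entry.get("issuer_name"))
    return found


def unexpected_hosts(inventory: Dict[str, List[str]], known: Set[str]) -> List[str]:
    """Concrete names seen in CT logs that are missing from the asset list.
    A cert issued for a host nobody registered is either shadow IT or a name
    someone else obtained, so this is the list a defender reviews.
    """
    return sorted(h for h in inventory if h not in known and not h.startswith("*."))
```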

DNS Records

```bash
dig example.com ANY +noall +answer   # many servers refuse ANY (RFC 8482); fall back to specific types
dig example.com MX +short            # Mail servers
dig example.com TXT +short           # SPF, DKIM, verification tokens
dig example.com NS +short            # Name servers
```

TXT Records Talk

TXT records contain SPF records (which list the servers and third parties allowed to send mail for the domain), domain verification tokens (revealing services the organisation uses, such as Google or Salesforce), and sometimes admin notes.
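To make the point concrete, this added example (not code from the original page) parses constructed TXT records in the form `dig example.com TXT +short` prints them, pulls the SPF senders and `include:` third parties apart, and lists the verification tokens; the same parser lets a defender audit which outside senders and SaaS vendors their own domain advertises.

```python
import re
from typing import Dict

# Constructed TXT records, formatted as `dig example.com TXT +short` prints
# them (not a real lookup). The token names are real-world formats; the
# values are placeholders.
SAMPLE_TXT_OUTPUT = """\
"v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com -all"
"google-site-verification=PLACEHOLDER_TOKEN"
"MS=ms00000000"
"salesforce-domain-verification=PLACEHOLDER_TOKEN"
"docusign=00000000-0000-0000-0000-000000000000"
"""


def parse_txt_records(dig_output: str) -> Dict[str, object]:
    """Summarise what a domain's TXT records disclose.
    SPF mechanisms are split so each `include:` (a third party allowed to send
    mail as the domain) and the final `all` qualifier are explicit; every
    other `name=value` record is treated as a service verification token.
    """
    summary = {"spf_ips": [], "spf_includes": [], "spf_all": None, "services": []}
    for line in dig_output.splitlines():
        # dig prints records longer than 255 bytes as several quoted chunks on
        # one line; join them before parsing.
        parts = re.findall(r'"([^"]*)"', line)
        rec = "".join(parts) if parts else line.strip()
        if not rec:
            continue
        if rec.lower().startswith("v=spf1"):
            for mech in rec.split()[1:]:
                qual = mech[0] if mech[0] in "+-~?" else "+"   # default qualifier is pass
                body = mech.lstrip("+-~?")
                if body.startswith(("ip4:", "ip6:")):
                    summary["spf_ips"].append(body.split(":", 1)[1])
                elif body.startswith("include:"):
                    summary["spf_includes"].append(body.split(":", 1)[1])
                elif body == "all":
                    summary["spf_all"] = qual + "all"
        else:
            m = re.match(r"([A-Za-z0-9_.-]+)=", rec)
            if m:
                summary["services"].append(m.group(1))
    return summary
```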

Google Dorking

Google is the most powerful OSINT tool. Special operators find information companies never intended to be discoverable.

```bash
# All indexed pages
site:example.com

# Specific file types
site:example.com filetype:pdf
site:example.com filetype:xlsx

# Login pages
site:example.com inurl:login

# Exposed configs
site:example.com filetype:env
site:example.com filetype:conf

# Directory listings
site:example.com intitle:"index of"

# Exposed git repos
site:example.com inurl:.git

# Error messages
site:example.com "fatal error"
```

Rate Limits

Automated mass dorking gets your IP banned. Space queries and use multiple search engines (Bing, DuckDuckGo, Yandex).

Email & Employee Intel

```bash
# theHarvester - emails, subdomains, IPs
theHarvester -d example.com -b google,bing,linkedin

# Hunter.io for email patterns (KEY is your API key)
curl "https://api.hunter.io/v2/domain-search?domain=example.com&api_key=KEY"
```

Common email patterns to guess:

  • jsmith@company.com (initial + last)
  • john.smith@company.com (first.last)
  • john_smith@company.com (first_last)

Shodan - Hacker's Search Engine

Shodan continuously scans the internet and indexes the services it finds. You search its index for services, vulnerabilities, and configurations without sending a packet to the target yourself.

```bash
# Shodan CLI
shodan search "org:Example Corp"
shodan search "hostname:example.com"
shodan host 93.184.216.34

# Useful dorks
hostname:example.com port:22
org:"Example Corp" vuln:CVE-2021-44228
ssl.cert.subject.cn:example.com
```

Code & Document Leaks

```bash
# GitHub secrets (GitHub code search queries)
org:examplecorp password
org:examplecorp filename:.env
org:examplecorp filename:config.json

# Wayback Machine
echo "example.com" | waybackurls | sort -u
echo "example.com" | waybackurls | grep -E "\.(js|json|config|env)"
```

Methodology

Passive Recon Checklist

  1. Domain Intel: WHOIS, subdomains via CT logs, DNS records
  2. Search Engines: Google dorks for files, pages, directories
  3. Email Enum: Find patterns, enumerate employees
  4. Tech Fingerprint: Shodan/Censys for exposed services
  5. Leak Search: GitHub, Wayback, paste sites
  6. Document: Compile findings for active phase

Knowledge Check

Quick Quiz

What distinguishes passive from active reconnaissance?

Challenges

Subdomain Discovery

Challenge · 🌱 beginner

Using only passive techniques, find 10+ subdomains for a major company. Document your sources.


Key Takeaways

  • Passive recon leaves no trace in the target's logs - nothing is sent to the target itself
  • Sources: WHOIS, DNS, search engines, social media, code repos
  • CT logs are goldmines for subdomain discovery
  • Google dorks reveal accidentally indexed sensitive files
  • Shodan/Censys show internet-exposed services passively