Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 07. The Killchain / 01. Reconnaissance

Reconnaissance

Reconnaissance is typically the first stage of an engagement. The objective is simple: gather as much information as possible about the target before interacting with it directly.

Reconnaissance is often referred to as passive information gathering because the attacker primarily relies on publicly available information rather than actively probing the target's systems. A well-executed reconnaissance phase can reveal valuable information while generating little or no visibility from the target's perspective.

A useful way to think about reconnaissance is as scouting. Before launching an attack, we want to understand the environment, identify potential targets and build a picture of the attack surface.

Examples of information that may be collected include:

  • Public IP addresses
  • Domains and subdomains
  • Employee information
  • Email addresses
  • Technology stacks
  • Public documents
  • Third-party services
  • Internet-exposed infrastructure

Common reconnaissance resources include:

Tool / SourcePurpose
GoogleGeneral information gathering
LinkedInEmployee and organizational information
GitHubPublic source code, secrets and developer activity
ShodanInternet-exposed devices and services
DNSDumpsterDNS and subdomain enumeration
WHOISDomain registration information
crt.shCertificate transparency logs and subdomains
Wayback MachineHistorical website content
Public Breach DataUsernames, emails and passwords from prior breaches

For example, an attacker targeting a company may discover:

company.com
├── vpn.company.com
├── mail.company.com
├── dev.company.com
└── git.company.com

None of these findings constitute a compromise by themselves. However, they help identify where future opportunities may exist.

One of the most important lessons in offensive security is that information has value. A seemingly insignificant detail discovered during reconnaissance may later become the critical piece required to gain access.

In many engagements, the reconnaissance phase continues throughout the entire operation. Every new system, account or network obtained becomes a new scope to enumerate and understand.


Shodan

Shodan is a search engine for internet-connected devices and services. Instead of indexing websites like Google, it indexes information collected from exposed systems across the Internet.

This can reveal information such as:

  • Public IP addresses
  • Open ports
  • Running services
  • Software versions
  • SSL certificates
  • Geographic location

For example, a Shodan search may reveal that a company exposes a VPN gateway, web server or remote management interface to the Internet.

Shodan


DNSDumpster

DNSDumpster is a DNS reconnaissance tool that helps identify infrastructure associated with a domain.

It commonly reveals:

  • Subdomains
  • Mail servers
  • Name servers
  • Related hosts
  • DNS relationships

For example, a search for a company's primary domain may reveal development, staging, VPN or mail systems that are not immediately visible from the public website.

This information is often useful for understanding the attack surface and identifying additional targets for investigation.

Example: https://dnsdumpster.com/

DNSDumpster


crt.sh

crt.sh is a Certificate Transparency search engine.

Modern Certificate Authorities publish issued SSL/TLS certificates into public transparency logs. crt.sh allows these logs to be searched.

This often reveals:

  • Subdomains
  • Historical hostnames
  • Internal naming conventions
  • Newly deployed infrastructure

For example, a company may issue certificates for:

vpn.company.com
mail.company.com
dev.company.com

Even if these systems are not publicly advertised, the certificate records may reveal their existence.

Example: https://crt.sh/

CRTSH


WHOIS

WHOIS is a protocol and database used to retrieve registration information about domains.

Depending on the registrar and privacy settings, WHOIS records may contain:

  • Domain registrar information
  • Registration dates
  • Expiration dates
  • Name servers
  • Administrative contacts
  • Technical contacts

Although modern privacy protections often hide personal information, WHOIS remains useful for understanding domain ownership and infrastructure relationships.

For example, multiple domains registered through the same organization may indicate systems that belong to the same company.

Example: https://www.whois.com/

WHOIS