Red Team Reconnaissance Techniques

Learn how to perform active and passive reconnaissance on targets

Prerequisites & Requirements

In order to follow along with the tools and techniques utilized in this document, you will need to use one of the following offensive Linux distributions:

  • Kali Linux
  • Parrot OS

The following is a list of recommended technical prerequisites that you will need in order to get the most out of this course:

  • Familiarity with Linux system administration.
  • Familiarity with Windows.
  • Functional knowledge of TCP/IP.
  • Familiarity with penetration testing concepts and life-cycle.

Note: The techniques and tools utilized in this document were performed on Kali Linux 2021.2 Virtual Machine

What is Reconnaissance?

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. – MITRE Website

Reconnaissance is split up into 2 categories based on the type of interaction with the target:

Active reconnaissance – Actively engaging/interacting with the target network, hosts, employees, etc. (Port scanning, vuln scans, web app scanning)

Passive reconnaissance – Utilizing publicly available information. (whois, OSINT, DNS, search engine dorks)

A search engine dork refers to search engine syntax which allows users to filter the type of results they get.

The objective of reconnaissance is to gather as much information as possible from the target in order to get a clear picture of the organizational structure, digital infrastructure and employees. This information is then utilized in preparation for initial access/exploitation.

We will be taking a look at the various tools and techniques that can be utilized to perform both passive and active reconnaissance, however, before we begin taking a look at the techniques, we need to get an understanding of the Reconnaissance MITRE ATT&CK framework tactic and the various techniques that fall under it.

The techniques outlined under the Reconnaissance tactic provide us with a clear and methodical way of approaching reconnaissance, however, as you may have noticed, some techniques will involve physical reconnaissance of employees and physical addresses. In this case, given the nature of our engagement, we will only be focusing on digital reconnaissance.

The following is a list of key techniques and sub techniques that we will be exploring:

  1. Active Scanning
    1. Port Scanning
    2. Vulnerability scanning
    3. Website Directory brute-force
  2. Search Open Technical Databases
    1. Search Engines
    2. Social Networks
  3. Search Open Website/Domains
    1. Whois information
    2. DNS records
    3. Subdomain enumeration
    4. Discover web technologies and stacks utilized
    5. Identify vulnerabilities
  4. Gather Victim Identity Information.
    1. Emails
    2. Credentials
    3. Employee Names
  5. Gather Victim Network Information
    1. Domain properties
    2. DNS
    3. Third-party domains
    4. Network topology
    5. IP addresses
    6. Security infrastructure

The techniques outlined above will fall under passive or active recon based on the type of information we will be gathering and the nature of our engagement with the target organization’s digital infrastructure.

We will begin the recon process by taking a look at the various techniques and the manual tools that can be utilized to enumerate and scan for information. We will then conclude by exploring various scripts, tools, and frameworks that can automate the entire recon process for us.

Passive Recon Techniques

Passive reconnaissance involves utilizing publicly available information sources like search engines and databases to find and identify information about our target domain or organization.

Additionally, passive recon does not actively engage or interact with the company’s/target’s digital infrastructure, hence the name passive.

Gathering Domain IP/DNS Information

The first step in this process is to identify the IP address and DNS records of your target domain, this can be done by utilizing the following tools:

  1. Host utility
  2. Nslookup
  3. DNSRecon
  4. Dig

Host utility

We can use the host utility on Linux/Unix systems to determine the IP address of our target domain, this can be done  by running the following command on your Kali Linux VM:




The host utility will output all relevant IPV4 and IPV6 addresses associated with the target domain, as highlighted in the following screenshot.


We can use the Nslookup utility to identify the IP address of our target domain, this can be done by running the following command:


nslookup DOMAIN.COM


The Nslookup utility will output all relevant IPV4 and IPV6 addresses associated with the target domain, as well as the DNS servers utilized for the lookup.

Now that we have been able to identify the IP address of our target domain, we can begin enumerating the DNS information and records of our target domain.


DNSRecon is an extremely useful utility that comes pre-packaged with Kali Linux and can be used to enumerate the DNS records for a particular domain, this information can reveal MX (Mail) server addresses as well as other useful DNS records that can expand our knowledge of the target’s infrastructure. We can run the DNSRecon utility by running the following command:


dnsrecon -d https://DOMAIN.COM


The DNSRecon utility should reveal all publicly accessible DNS records for the target domain as highlighted in the following screenshot.

From our results, we were able to identify that our target domain is utilizing CloudFlare’s DNS service for their domain. CloudFlare’s DNS service functions slightly differently than your typical DNS service provider as it also provides proxying and other security features that mask the real IP address of the target domain and act as a web application firewall.

Dig utility

We can also utilize the DNS lookup utility dig, to identify the target domain’s IP address and DNS records, this can be done by running the following command:




This command will reveal important information like the IP address of the target domain and the relevant nameservers as highlighted in the following screenshot.

You can also enumerate all the DNS records for a particular domain with dig. This can be done by running the following command:





WAF (Web Application Firewall) Detection With Wafw00f

We can identify whether our target domain is currently being protected by a WAF (Web Application Firewall)  by utilizing the Wafw00f utility on Kali Linux, this can be done by running the following command:


wafw00f https://DOMAIN.COM


As you can see in the following screenshot, the target domain is protected by CloudFlare’s WAF.

Gathering Domain/Website Information

Now that we have been able to identify our target’s domain IP addresses, name servers and DNS records, we can begin searching for the following information:

  1. Domain registrar and ownership information.
  2. Web technologies and frameworks used on the target website.

Whois information

WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system but is also used for a wider range of other information.

We can utilize the inbuilt whois query utility to identify the target domain’s registrar, ownership and expiry date. This can be done by running the following command:




As highlighted in the preceding screenshot, we were able to identify the domain registrar, registrant, and domain expiry date.

This information can give us an idea of how old the domain is when it expires and could potentially reveal the hosting provider utilized.

  • Domain network information
  • IP Delegation
  • Site technology

As highlighted in the screenshot below, we are able to obtain the target domain’s registrar, registrant, IP address, and hosting information.


DNS Dumpster

Another great online tool we can use to obtain DNS records, IP addresses, and other information pertinent to a target domain is

This can be done by accessing the website: in your browser and typing in the domain of the target as highlighted in the following screenshot.

Passive Subdomain Enumeration

Another important element of reconnaissance, both passive and active, is the process of identifying company subdomains.

Passive Subdomain Enumeration With Sublist3r

We can enumerate subdomains passively through the use of a utility called Sublist3r.

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

Sublist3r can be installed on Kali Linux by running the following command:


sudo apt-get install Sublis


After you have installed Sublist3r, we can use it to enumerate the subdomains of our target domain by running the following command:


sublist3r -d https://DOMAIN.COM


Sublist3r will enumerate the subdomains for a specific domain by utilizing various search engines and publicly available databases that store domain and subdomain information as highlighted in the following screenshot.

In this case, we have identified various subdomains associated with our target domain, you can now repeat the process outlined earlier to identify the IP addresses and DNS records of the subdomains.


Subdomain Enumeration With Google Dorks

In addition to using automated tools like Sublist3r, we can also search for subdomains by leveraging various Google Dorks.

This can be done by specifying the site search filter and excluding the domain of your target. The following search term can be used to identify subdomains that have been indexed by Google:



As highlighted in the following screenshot the preceding search term will limit the search results to only the subdomains of the TLD.


Now that we have explored various passive recon techniques and tools, we can begin exploring active recon techniques.

Recommended For You

About the Author: Cryptus Team

CRYPTUS CYBER SECURITY is an Cyber Security Training and penetration testing Company in New Delhi, India. We have been delivering advance it security training and services with upgraded technology contents to IT Professionals. Our goal is to sustain performance level producing sterling results. We Stands Up to our commitments which are comiitted by Our Team.

Leave a Reply

Your email address will not be published. Required fields are marked *