Knowing the Target
Sun Tzu said, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Reconnaissance (Recon) is gathering information about your target before you ever send a packet to them.
1. Passive Recon
Gathering info without interacting with the target's systems. They don't know you are looking.
- OSINT (Open Source Intelligence): Using public data (LinkedIn, Facebook, Corporate Registries) to find employee names, email structures, and technologies used.
- Google Dorking: Using advanced search operators (e.g., site:target.com filetype:pdf "confidential") to find exposed documents.
- Shodan: The search engine for connected devices (webcams, routers, servers).
2. Active Recon
Interacting directly with the target's systems. This generates logs on their side and can be detected.
- DNS Enumeration: Finding subdomains (e.g., dev.target.com, vpn.target.com). Tools: dnsrecon, sublist3r.
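Because active recon generates logs, the defender can look for it. The following is an added example, not part of this lesson: a small Python detector that reads DNS query log lines in a constructed, hypothetical format (timestamp, client IP, queried name, record type, response code) and flags a client that resolves many distinct names under the zone in a short window with mostly NXDOMAIN answers, the typical footprint of wordlist-driven subdomain enumeration. The zone name, thresholds and sample log are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authoritative DNS query log. The format is hypothetical:
# "<timestamp> client <ip> query <name> <type> <rcode>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 client 203.0.113.7 query www.target.com A NOERROR
2024-05-01T10:00:02 client 198.51.100.9 query dev.target.com A NOERROR
2024-05-01T10:00:02 client 198.51.100.9 query vpn.target.com A NOERROR
2024-05-01T10:00:03 client 198.51.100.9 query mail2.target.com A NXDOMAIN
2024-05-01T10:00:03 client 198.51.100.9 query test.target.com A NXDOMAIN
2024-05-01T10:00:04 client 198.51.100.9 query staging.target.com A NXDOMAIN
2024-05-01T10:00:04 client 198.51.100.9 query admin.target.com A NXDOMAIN
2024-05-01T10:00:09 client 203.0.113.7 query www.target.com A NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) query (?P<name>\S+) \S+ (?P<rcode>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, client_ip, queried_name, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["name"].lower(), m["rcode"])

def find_enumerators(text, zone="target.com", window=timedelta(seconds=60),
                     min_names=5, min_nx_ratio=0.5):
    """Flag clients that query >= min_names distinct names under `zone` within `window`
    and get mostly NXDOMAIN back. Returns {ip: (distinct_names, nxdomain_count)}."""
    per_client = defaultdict(list)
    for ts, ip, name, rcode in parse_log(text):
        if name == zone or name.endswith("." + zone):   # only our own zone matters
            per_client[ip].append((ts, name, rcode))
    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):      # slide the window over each start
            bucket = [e for e in events[i:] if e[0] - start <= window]
            names = {n for _, n, _ in bucket}
            nx = sum(1 for _, _, r in bucket if r == "NXDOMAIN")
            if len(names) >= min_names and nx / len(bucket) >= min_nx_ratio:
                flagged[ip] = (len(names), nx)
                break
    return flagged
```

On the sample log this flags 198.51.100.9 (six distinct names, four NXDOMAIN within seconds) and leaves the ordinary client 203.0.113.7 alone; tune `min_names` and `window` to the query volume of the real zone before alerting on it.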
🔬 Lab Exercise: Google Dorking
Objective: Find sensitive info exposed on public sites.
Try these queries in Google (but don't hack anything you find!):
- site:github.com "password"
- intitle:"index of" "backup"