Introduction
Before any real penetration test begins, there's one critical step that often gets overlooked by beginners — reconnaissance.
You can have the best tools, the best exploits, and strong technical knowledge. But if you don't know your target, none of that matters.
Think of it this way:
A successful attack doesn't start with exploitation. It starts with information.
This phase is where you map the target, understand its structure, and identify possible entry points.
What is Information Gathering?
Information gathering is the process of collecting data about a target system, network, or organization.
The goal is simple:
- Identify systems
- Discover services
- Understand how everything is connected
This phase directly impacts everything that comes after it.
A weak reconnaissance phase leads to missed vulnerabilities. A strong one reveals opportunities others don't see.
Passive vs Active Reconnaissance
Reconnaissance can be divided into two main types.
Passive Reconnaissance
Passive reconnaissance collects information without sending any packets to systems the target owns. You ask third parties that already hold data about the target instead.
This means:
- No traffic reaches the target's own infrastructure
- Nothing for the target to log or alert on
Common tools include:
- Whois lookups
- DNS queries using nslookup and dig
What you can gather:
- Domain ownership details
- IP ranges
- DNS records
Passive recon is low-risk and silent, and it is usually the first step in any assessment. One caveat: whois servers and public resolvers belong to third parties, but a DNS query sent straight to the target's own authoritative nameservers lands on their infrastructure and can be logged, so by the definition above it is active.
Active Reconnaissance
Active reconnaissance involves direct interaction with the target.
This includes sending requests and observing responses.
Common tools:
- Ping
- Traceroute
- Telnet, to connect to a port by hand and read the service banner
- Web browsers
What you can discover:
- Whether a host is alive
- Network paths
- Open services
The trade-off is simple: you get more information, but every request you send can be logged, so the chance of detection goes up.
Discovering Live Hosts with Nmap
Nmap is one of the most important tools in penetration testing, especially during reconnaissance.
Before scanning ports, you first need to know which systems are actually online.
Nmap identifies live hosts with several probe types, chosen through its host discovery options (run it with -sn to discover hosts without port scanning):
- ARP requests (-PR), the default for targets on the local Ethernet segment, because a host must answer ARP to communicate at all
- ICMP echo requests (-PE), the classic ping, which many hosts and firewalls now block
- TCP SYN/ACK pings (-PS, -PA) and UDP pings (-PU) to ports a firewall is likely to let through; any reply, even a RST, proves the host is up
Focusing on hosts that respond keeps later scans efficient. The caveat is that a host which drops every probe looks down; when you already know a target exists, -Pn skips discovery and scans it anyway.
Basic Port Scanning Techniques
Once live hosts are identified, the next step is to check which ports are open.
Ports reveal running services, and services often contain vulnerabilities.
Common scanning techniques in Nmap include:
- TCP Connect Scan (-sT) Uses the operating system's connect() call, so the three-way handshake completes and the service itself sees, and may log, the connection. Needs no special privileges. Reliable but easily detected.
- TCP SYN Scan (-sS) Also called a half-open or stealth scan. Sends a SYN, reads the SYN/ACK or RST that comes back, then tears the attempt down with a RST so the handshake never completes. Faster, and because the application never sees a connection it is less likely to appear in service logs (an IDS still sees the SYNs). Requires raw socket privileges, normally root.
- UDP Scan (-sU) Finds UDP services such as DNS and SNMP. Slow, because an open UDP port usually stays silent (reported as open|filtered) and closed ports answer with ICMP port unreachable messages that most hosts rate limit.
Each scan provides different levels of visibility and stealth.
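A TCP connect scan in code, as an added example that is not part of the original post. It makes the same probe nmap -sT makes, through the operating system's connect() call, and runs it against a small logging listener started on 127.0.0.1 so it works offline, with a second, deliberately released port as the closed case. The listener, the loopback address and the port choices are constructed for the demo; the outcome mapping (accepted = open, RST = closed, silence = filtered) is the general rule. The listener records every peer to show why connect scans are easy to spot, and the same probe doubles as a TCP ping: any answer at all, even a RST, proves the host is up.

```python
"""Minimal TCP connect scan, the technique behind `nmap -sT`.

Added example, not code from the original post. The loopback listener and
the port choices are constructed for the demo; the probe logic is general.
"""
from __future__ import annotations

import socket
import threading
import time


def tcp_connect_probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed', 'filtered' or 'error' for host:port.

    connect() drives the full three-way handshake, so 'open' means the
    service accepted the connection and could have logged it. A RST comes
    back as ConnectionRefusedError ('closed'). No answer at all times out
    ('filtered', what nmap reports when a firewall silently drops the SYN).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. network unreachable: says nothing about the port itself
        return "error"


def connect_scan(host: str, ports: list[int], timeout: float = 0.5) -> dict[int, str]:
    """Probe each port in turn and map port -> state."""
    return {port: tcp_connect_probe(host, port, timeout) for port in ports}


def host_is_alive(host: str, ports: list[int], timeout: float = 0.5) -> bool:
    """TCP ping: a SYN/ACK or a RST both prove a host is up. Only silence on
    every probed port leaves it unknown (nmap's -PS works the same way)."""
    return any(tcp_connect_probe(host, p, timeout) in ("open", "closed") for p in ports)


class LoggingListener:
    """Constructed stand-in for a real service. It accepts connections and
    records the peer address, which is exactly why connect scans show up in
    service logs: the handshake completes and accept() returns."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen: list[tuple[str, int]] = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:  # listening socket closed
                return
            self.seen.append(peer)
            conn.close()

    def close(self) -> None:
        self.sock.close()


def demo() -> dict:
    """Scan one open port (the listener) and one port known to be closed."""
    service = LoggingListener()
    # Reserve and immediately release a second port, so nothing listens on it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    results = connect_scan("127.0.0.1", [service.port, closed_port])
    # A RST from the closed port alone is enough to call the host alive.
    alive = host_is_alive("127.0.0.1", [closed_port])

    # accept() runs on another thread; wait briefly for it to record the peer.
    deadline = time.time() + 2
    while not service.seen and time.time() < deadline:
        time.sleep(0.01)
    service.close()
    return {
        "open_port": results[service.port],
        "closed_port": results[closed_port],
        "host_alive": alive,
        "connections_logged_by_service": len(service.seen),
    }


if __name__ == "__main__":
    print(demo())
```

A SYN scan is deliberately absent: it needs raw sockets (root) to send a SYN and answer the SYN/ACK with a RST before the kernel completes the handshake, which is why the service in this example logs the connect scan but would never see -sS.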
Advanced Scanning Techniques
As you move deeper into reconnaissance, more advanced techniques come into play.
These exploit quirks of TCP/IP stacks to get answers through packet filters and past signature-based detection.
Some advanced scans include:
- NULL scan (-sN), FIN scan (-sF) and Xmas scan (-sX): probes with no flags, only FIN, or FIN/PSH/URG set. RFC 793 says a closed port must answer with a RST while an open port stays silent, so a RST means closed and no reply means open|filtered. This only works on stacks that follow the RFC; Windows and some network devices send a RST for every such probe, so every port looks closed.
- Idle (zombie) scan (-sI): bounces probes off a third host with a predictable IP ID counter and reads port state from how that counter moves, so the target never sees the scanner's address.
In addition to this, techniques like:
- Packet spoofing (decoys with -D, a forged source address with -S)
- Firewall evasion (fragmentation with -f, a trusted source port with -g)
- IDS avoidance (slower timing templates such as -T1 or -T2)
are used to reduce the chances of being detected.
These methods require a deeper understanding of networking and should be used carefully in controlled environments.
How It All Connects
A typical reconnaissance flow looks like this:
- Start with passive recon to gather basic information
- Move to active recon to validate targets
- Use Nmap to discover live hosts
- Perform port scanning to identify services
- Apply advanced techniques if needed
Each step builds on the previous one.
Skipping steps often leads to incomplete or misleading results.
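The flow above turned into code, as an added example that is not from the original post: a parser for Nmap's grepable output (-oG) that takes the live hosts from a host-discovery run, builds the port-scan command for the next step, and reduces the port-scan output to an inventory of open services. The two scan outputs embedded in the block are constructed samples in the real -oG line format (a lab address range and made-up hostnames), not captures.

```python
"""Chaining recon steps by parsing Nmap's grepable output (-oG).

Added example, not code from the original post. Both scan outputs below are
constructed samples in the real -oG line format (lab address range, made-up
hostnames), not captures.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: what `nmap -sn -v -oG - 10.0.0.0/29` prints (-v also lists Down hosts).
HOST_DISCOVERY = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -v -oG - 10.0.0.0/29
Host: 10.0.0.1 (gw.lab.local)\tStatus: Up
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.5 ()\tStatus: Down
Host: 10.0.0.6 (files.lab.local)\tStatus: Up
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.12 seconds
"""

# Constructed: a later `nmap -sS -sU -sV -oG -` run against the hosts found above.
# Each Ports entry is port/state/protocol/owner/service/rpc/version/.
PORT_SCAN = """\
Host: 10.0.0.1 (gw.lab.local)\tStatus: Up
Host: 10.0.0.1 (gw.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.6 (files.lab.local)\tStatus: Up
Host: 10.0.0.6 (files.lab.local)\tPorts: 445/open/tcp//microsoft-ds///, 139/open/tcp//netbios-ssn///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)
"""


@dataclass(frozen=True)
class PortEntry:
    ip: str
    port: int
    state: str
    proto: str
    service: str
    version: str


def _fields(line: str) -> dict[str, str]:
    """Split one 'Host:' line into its tab-separated 'Key: value' fields."""
    out: dict[str, str] = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, _, value = chunk.partition(": ")
        out[key] = value
    return out


def _ip(fields: dict[str, str]) -> str:
    # "10.0.0.1 (gw.lab.local)" -> "10.0.0.1"
    return fields["Host"].split(" ", 1)[0]


def live_hosts(grepable: str) -> list[str]:
    """Step 3 of the flow: the hosts a -sn run reported as Up, in order."""
    hosts: list[str] = []
    for line in grepable.splitlines():
        if line.startswith("Host:"):
            f = _fields(line)
            if f.get("Status") == "Up" and _ip(f) not in hosts:
                hosts.append(_ip(f))
    return hosts


def port_scan_command(hosts: list[str], ports: str = "1-1024") -> list[str]:
    """Step 4: the argv for the follow-up SYN + version scan of those hosts."""
    return ["nmap", "-sS", "-sV", "-p", ports, "-oG", "-", *hosts]


def parse_ports(grepable: str) -> list[PortEntry]:
    """Every port entry in a port-scan -oG output, regardless of state."""
    entries: list[PortEntry] = []
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        f = _fields(line)
        if "Ports" not in f:
            continue
        for item in f["Ports"].split(", "):
            parts = item.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            entries.append(PortEntry(_ip(f), int(port), state, proto, service, version))
    return entries


def service_inventory(grepable: str) -> dict[str, list[tuple[int, str, str, str]]]:
    """Open services per host, sorted by port: the input for the next phase.
    open|filtered UDP ports are left out because nothing confirmed them."""
    inv: dict[str, list[tuple[int, str, str, str]]] = {}
    for e in sorted(parse_ports(grepable), key=lambda e: (e.ip, e.port)):
        if e.state == "open":
            inv.setdefault(e.ip, []).append((e.port, e.proto, e.service, e.version))
    return inv


if __name__ == "__main__":
    up = live_hosts(HOST_DISCOVERY)
    print(" ".join(port_scan_command(up)))
    for ip, services in service_inventory(PORT_SCAN).items():
        for port, proto, service, version in services:
            print(f"{ip}:{port}/{proto} {service} {version}".rstrip())
```

Keeping every phase's raw -oG output and deriving the next phase's target list from it is what makes the steps build on each other: a host that never answered discovery never reaches the port scan, and a port that is only open|filtered never reaches exploitation without a follow-up probe.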
Final Thoughts
Reconnaissance is not just a starting phase — it is the foundation of penetration testing.
The more accurately you understand your target, the more effective your testing becomes.
Tools like Nmap are powerful, but their real value comes from how you use them.
Focus on the process, not just the commands.
What's Next
Next, we move into attacks and exploitation — understanding how vulnerabilities are actually used against web applications, Windows systems, Active Directory, and Linux environments.