July 17, 2026
Passive Network Reconnaissance | JR Penetration Tester | TryHackMe
I completed the Network Reconnaissance room in the Jr Penetration Tester learning path on TryHackMe. This was the second room in the…
By Anas Rah
1 min read
I completed the Network Reconnaissance room in the Jr Penetration Tester learning path on TryHackMe. This was the second room in the series. The room introduces the concepts of passive reconnaissance, active reconnaissance, servers, and network protocols. The explanations were clear and informative, making the concepts easy to understand, especially for beginners.
Passive Reconnaissance
Passive reconnaissance is the process of gathering information about a target without directly interacting with it. Instead of scanning or attacking the target, we collect publicly available information from sources such as search engines, public databases, social media, company websites, DNS records, and other OSINT (Open Source Intelligence) resources.
Some common passive reconnaissance techniques include:
Google searching
Google Dorking
LinkedIn research
WHOIS lookups
DNS enumeration
OSINT websites
Since the information is already publicly available, these techniques are generally considered legal and do not directly interact with the target's systems.
Some of the commands and tools introduced in this room are:
whois target.com
curl target.com
nslookup target.com
dig target.comwhois target.com
curl target.com
nslookup target.com
dig target.comUseful websites include:
DNSDumpster
Shodan
WHOIS
whois is used to retrieve a domain's registration information. It provides details such as the domain registrar, registration date, expiration date, last updated date, and sometimes the owner's contact information (if it is not protected by privacy services).
curl
curl is a command-line tool used to send HTTP requests to web servers. During reconnaissance, it can be used to retrieve a webpage, inspect HTTP response headers, identify the web server, and gather useful information about a website without using a browser.
nslookup
nslookup is used to query DNS records for a domain. It can retrieve different types of DNS records, including:
A record (IPv4 address)
AAAA record (IPv6 address)
CNAME record (Canonical Name)
MX record (Mail Server)
TXT record
NS record (Name Server)
These record types can be queried using the -type= option.
dig
dig (Domain Information Groper) is another DNS lookup tool. It performs the same job as nslookup but provides more detailed and better-formatted output, making it one of the most commonly used DNS troubleshooting tools among security professionals.
DNSDumpster
DNSDumpster is an OSINT website that helps discover subdomains, DNS records, IP addresses, mail servers, and other publicly available information about a domain. It is particularly useful for identifying subdomains that may host additional services, which can become potential attack surfaces during a penetration test.
Shodan
Shodan is a search engine for internet-connected devices. It can reveal IP addresses, open ports, running services, technologies, server banners, operating systems, ASN information, and even the approximate geographic location of exposed devices. It is one of the most powerful OSINT tools used during passive reconnaissance.
Conclusion
This room covered the fundamental concepts of passive reconnaissance and introduced several useful tools that penetration testers use to gather publicly available information without directly interacting with the target. It provided a solid foundation for understanding how information gathering is performed before moving on to active reconnaissance and vulnerability assessment.