Every test starts by learning about the target — mostly from public sources that touch nothing. Passive recon maps the attack surface before a single packet is sent.
Why: reconnaissance gathers information about the target, and passive recon uses only public sources (DNS, WHOIS, search engines, leaked data) without interacting with the target — so it is low-risk and often the most productive phase. When: exhaust passive sources before active scanning. Where: understanding the attack surface (domains, hosts, technologies, people) shapes everything that follows.
PASSIVE public sources only, target never sees you
WHOIS, DNS, certificate transparency, search engines, breaches
ACTIVE you interact with the target (next lesson: scanning)
Passive recon builds the map:
domains + subdomains, IP ranges, tech stack, emails, exposed servicesWhy: DNS and certificate records reveal an organization’s hosts and subdomains, expanding the known attack surface — often surfacing forgotten dev/staging servers. When: enumerate subdomains and DNS records during scoping (within authorized domains). Where: certificate transparency logs list every cert issued for a domain, a rich passive source.
# All within your authorized scope only:
whois example.com # registration, name servers, contacts
dig example.com ANY # DNS records
dig +short txt example.com # SPF/verification records
# Subdomain discovery from passive sources (cert transparency, etc.):
# crt.sh, Subfinder, Amass — reveal hosts like staging.example.com
subfinder -d example.comWhy: open-source intelligence about people and leaked data matters because credentials and emails feed later phases (and phishing) — an org’s exposed emails and breached passwords are part of its real risk. When: collect only what is in scope and relevant to the engagement’s goals. Where: this ties to the defensive side — knowing what is public about you is the first step to reducing it.
# Gather publicly-exposed emails/hosts for the authorized target:
theHarvester -d example.com -b all
# Check whether corporate emails appear in known breaches (informs
# credential-stuffing risk): the Have I Been Pwned dataset/API.
# Defensive takeaway: everything you find here, defenders should minimize —
# fewer exposed hosts, no leaked secrets, breach-aware password policies.