Passive Reconnaissance

A Practical Guide for Penetration Testers

Passive reconnaissance—often called OSINT (Open-Source Intelligence) recon—is the first and most important phase of penetration testing. It allows testers to gather information about a target without directly interacting with its systems, minimizing detection risk and producing valuable intel for later active phases.


What Is Passive Reconnaissance?

Passive reconnaissance is the process of collecting information about a target using publicly available sources without sending packets to the target or performing intrusive actions.

This includes data from:

  • Public records
  • Social media
  • Search engines
  • DNS and WHOIS
  • Certificate Transparency (CT) logs
  • Shodan/Censys databases
  • GitHub or code leakage
  • Breach databases
  • Corporate job postings
  • Employee footprints
  • Cloud storage misconfigurations
  • Malware analysis intel
  • Dark web monitoring

No direct probing of target assets happens. This limits risk and helps build a detailed understanding of:

  • ✓ Attack surface
  • ✓ Infrastructure map
  • ✓ Technologies in use
  • ✓ Employee roles
  • ✓ Potential weak points

Benefits & Effects of Passive Reconnaissance

Low Risk of Detection

No packets are sent directly to the target—important for stealth testing scenarios such as red teaming.

High-Value Intelligence

Passive data often reveals:

  • Subdomains
  • Email formats
  • Internal naming conventions
  • Tech stack
  • Historical DNS
  • Leaked credentials
  • DevOps mistakes on GitHub

Baseline for Active Testing

It reduces noise, prevents unnecessary scanning, and increases the effectiveness of later exploit attempts.

Early Vulnerability Indicators

By mapping infrastructure from CT logs or public indexes, you may discover:

  • Stale assets
  • Forgotten subdomains
  • Outdated services
  • Shadow IT components

Legal Considerations

Passive reconnaissance is usually legal because it gathers publicly accessible information, but there are important limitations.

Typically Legal

Typically does not mean always; remember to get written permission before conducting reconnaissance.

  • ✓ Reviewing DNS records
  • ✓ Searching Google
  • ✓ Reading LinkedIn profiles
  • ✓ Accessing public S3 buckets with “public” permission
  • ✓ Examining SSL certificates
  • ✓ Viewing GitHub repositories
  • ✓ OSINT tools using aggregate public data

Potentially Illegal or Questionable

Even during passive recon, some actions may cross into illegality:

  • Accessing exposed data that was not intended to be public. Example: a misconfigured database that shows sensitive information but is not meant to be public.
  • Monitoring or scraping data where the Terms of Service forbid it. Example: automation against LinkedIn or Facebook can violate their terms and be treated as unauthorized access.
  • Using leaked or stolen credentials. Even if found publicly, using them usually violates Computer Misuse Acts, the CFAA, and local cybercrime laws.
  • Any recon outside the engagement scope. Even if passive, you must have written authorization from the client.

Bottom Line

Always work under a signed contract and explicit Scope of Work. When in doubt—ask the client's legal/compliance team.


Passive Reconnaissance Techniques & Tools (with Examples)

Below are practical, command-ready examples you can use in pentest engagements.


Search Engine Dorking

Google Dorks

site:target.com "password"
site:target.com "confidential"
site:target.com intitle:"index of"
site:target.com ext:log OR ext:bak OR ext:sql

Bing or Yandex equivalents also work.

Dorking exposes sensitive directories, forgotten backups, cloud console leaks, etc.


WHOIS & DNS Enumeration

WHOIS lookup

whois target.com

Passive DNS using dnsdumpster

curl -s https://dnsdumpster.com -d "target=target.com"

Historical DNS (SecurityTrails API example)

curl -H "apikey: YOUR_API_KEY" \
"https://api.securitytrails.com/v1/domain/target.com/history/dns/a"

Subdomain Enumeration (Passive)

Using crt.sh

curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value'

Using Subfinder (passive mode)

subfinder -d target.com -silent -all -recursive -passive

Searching GitHub for Leaks

gh search code 'target.com password' --language yaml

Example queries:

"target.com" AND "apikey"
"companyname" AND "DB_PASSWORD"
"internal" AND "confidential"

For automation:

git-hound --config config.yml --subdomain-file domains.txt

Shodan / Censys Querying

Shodan Query

shodan search org:"Target Company Name"

Specific tech exposure

shodan search ssl.cert.subject.cn:target.com
shodan search http.title:"Target"

Certificate Transparency Logs

curl -s "https://crt.sh/?q=target.com&output=json" | jq '.[].name_value'

You can discover forgotten subdomains like:

dev-api.old.target.com
staging.billing.target.com
vpn2.target.com
legacy-mail.target.com
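Piping crt.sh output straight through jq gives a noisy list: each record's name_value holds every SAN of one certificate separated by newlines, with mixed case, wildcards and duplicates, and nothing stops look-alike hosts outside your authorization from slipping in. The following added example (not part of the original guide) parses a constructed crt.sh-style response, normalises and deduplicates the names, keeps only hosts under the authorised scope, and flags hosts whose most recent certificate has already expired as candidate stale assets; the field names match crt.sh's JSON, the values and the scope list are made up.

```python
"""Normalise a crt.sh JSON response into a deduplicated, in-scope host list."""
from datetime import datetime
import json

# Constructed sample in the shape crt.sh returns: real field names, made-up values.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "not_before": "2021-01-10T00:00:00", "not_after": "2022-01-10T00:00:00",
     "name_value": "dev-api.old.target.com\nDev-API.old.target.com"},
    {"id": 2, "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T00:00:00",
     "name_value": "*.target.com\nvpn2.target.com"},
    {"id": 3, "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00",
     "name_value": "staging.billing.target.com"},
    {"id": 4, "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00",
     "name_value": "legacy-mail.target.com.evil.example"},  # look-alike, out of scope
])


def in_scope(host, scope_domains):
    """True only if host equals an authorised domain or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def parse_crtsh(raw_json, scope_domains):
    """Return {host: latest not_after} for every in-scope host in the response."""
    hosts = {}
    for rec in json.loads(raw_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):      # wildcard SAN: keep only its base domain
                name = name[2:]
            if not name or not in_scope(name, scope_domains):
                continue
            # Keep the most recent expiry seen for this host across all certificates.
            if name not in hosts or expiry > hosts[name]:
                hosts[name] = expiry
    return hosts


def stale_hosts(hosts, now):
    """Hosts whose most recent certificate expired before `now` (candidate stale assets)."""
    return sorted(h for h, exp in hosts.items() if exp < now)


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, ["target.com"])
    for host in sorted(found):
        print(host, found[host].date())
    print("possibly stale:", stale_hosts(found, datetime(2024, 9, 1)))
```

Against real data, feed it the body of the crt.sh request shown above and the domains from your signed scope of work; anything not under those domains is dropped before it reaches your notes.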

Email Harvesting & Pattern Enumeration

Use theHarvester:

theHarvester -d target.com -b bing,linkedin,duckduckgo

Emails allow:

  • Username pattern discovery
  • Social engineering preparation
  • Credential format guessing

Breach Data (Passive Only)

Using haveibeenpwned API:

curl -H "hibp-api-key: YOUR_API_KEY" \
"https://haveibeenpwned.com/api/v3/breachedaccount/user@target.com"

Important: You cannot log in with leaked passwords. It is illegal!


Public Cloud Bucket Discovery (Passive Mode)

AWS S3 (unauthenticated listing only)

aws s3 ls s3://target-public-bucket --no-sign-request

GCP (public bucket check)

gsutil ls gs://target-bucket

If the bucket returns AccessDenied, stop. Listing is allowed only if the bucket is intentionally public.


Building Your Passive Recon Workflow

Below is a structured method you can apply to every engagement.

  1. Identify all target-related names. Sources: parent company, subsidiaries, mergers, brands, products.
  2. Acquire domains and infrastructure. Sources: CT logs, DNS history, WHOIS, cloud footprints.
  3. Map employees and the organization. Sources: LinkedIn, GitHub, job postings, news, technical talks, resume leaks.
  4. Search for leaked data. Sources: GitHub, Pastebin variants, dark web, breach databases.
  5. Discover infrastructure exposure. Sources: Shodan, Censys, cloud misconfigurations, Internet indexing.
  6. Consolidate data into useful outputs. Create: subdomain list, known tech stack, employee usernames, third-party services, cloud architecture map, potential attack vectors.

When Does Passive Recon End and Active Recon Begin?

Passive recon transitions to active once you start:

  • Port scanning
  • Network probing
  • Dirbusting
  • Crawling web apps at scale
  • Sending crafted packets
  • Attempting authentication

Until you interact directly with the target systems, the recon stays passive.


Conclusion

Passive reconnaissance is a core skill for penetration testers. It provides high-value intelligence while reducing the chance of detection and ensuring compliance with legal restrictions.

When performed correctly under a valid contract, passive recon:

  • ✓ Improves accuracy of later tests
  • ✓ Reduces risks
  • ✓ Exposes deep insights into infrastructure
  • ✓ Enables stealth and strategic advantage

Use the techniques in this guide to build a strong, repeatable, and legally compliant OSINT workflow.