The Beginner’s Guide To Reconnaissance In Ethical Hacking


Do you want to succeed as an ethical hacker? The first step is understanding the basics of reconnaissance. So, what is reconnaissance in ethical hacking?

Reconnaissance is the first step in ethical hacking where white hat hackers gather information about the target, including IP addresses, directory listings, location, OS versions, who the target is, and what they do. These details can reveal system weaknesses that could be exploited.

This beginner’s guide to reconnaissance in ethical hacking explains what reconnaissance means and shares some helpful tips on how to do it effectively.

What Is Fingerprinting And Why Is It Important In Ethical Hacking?

Ethical hacking is the legal and authorized attempt to penetrate a computer system or network in order to find security loopholes and successfully exploit them. It provides a proof of concept that a system is vulnerable, and it highlights both the vulnerabilities and the attacks that malicious attackers could mount against them.

Ethical hacking allows a preemptive approach to cybersecurity where potential threats are dealt with before real damage occurs. One of the most important steps in ethical hacking is reconnaissance or fingerprinting.

Here’s a scenario:


Assume you are an ethical hacker or ethical penetration tester working for a security company. Your job is to find vulnerabilities in companies, test their security systems, and provide recommendations on how to improve them.

On a seemingly ordinary day, your employer gives you a piece of paper with the name of a company on it. He says that the CEO of that company asked him to conduct a Pen Test on their company. The legal department will email you to confirm authorizations and insurance. The company’s name is “xyz.” It is a company you have never heard of with no further information.


Where do you start?

You start by researching your target. This is called fingerprinting or reconnaissance. It is the process of gathering information about a target system or network.

By the end of this step, you should have answers to questions like: Who is the target? What do they do? Where is the target located? What is their IP address? What operating system is the target running? What services and versions of software are running on the system? 

At this step, you cast your net as wide as possible. The more information you collect about the target, the more likely you are to succeed in the later stages. But, while conducting research, you are required to stay within the boundaries of the authority you have been given.

Unfortunately, it’s easy for inexperienced ethical hackers to overlook the reconnaissance step; they tend to rush through it in favour of more “exciting” steps.

But in truth, it is fundamental. As Abraham Lincoln reminded us, “If I had six hours to chop down a tree, I would use the first four of them for sharpening my axe.” One must sharpen their axe before chopping down a tree. One must walk before one runs.

The same goes for ethical hacking. One must do their due diligence and gather information before attempting to exploit any vulnerability. The more you know and understand about your target, the better you can assess their security posture and find potential vulnerabilities that can be exploited.

To make things easier, here are some tips for successful reconnaissance in ethical hacking:

10 Tips For Successful Reconnaissance In Ethical Hacking

Thankfully, these are some easy tips to help you conduct effective reconnaissance so that you can gather as much information as possible about your target. Let’s take a look:

Tip #1: Use HTTrack Tool To View Target’s Website Offline

HTTrack is a website copying tool that downloads the entire contents of a target website so that you can view them offline. Once the copy is made, you can freely browse the website of your target without that browsing being logged by its server or tracked in any way. The copy itself is made by requesting every page, so the download does show up in the server’s logs.

With this tool, you get the added benefit of being able to take as much time as you need to review all of the various pages, links, pictures, physical address, contacts, hours of operation, business relationships (partners), and HTML code.

Google has an immense amount of information about just about anything you can think of. But it’s not always easy to find what you’re looking for without using the right search terms and directives.

By taking advantage of Google’s advanced search functions, like “site:”, “inurl:”, “intitle:” or “allintitle:”, you can narrow down your search and get more focused results.

For example, if you want to get the administrative pages of the target’s website, you can use the directive “inurl:admin” to filter out pages that aren’t related to administration.

You could also use the file type directive (“filetype:”) to restrict results to files with specific extensions, such as PDF or DOC. For example, you could search for “filetype:xls” if you are looking for Excel spreadsheets related to the target.

Tip #3: Analyze the Target Website Using Google’s Cache

Google not only allows you to search for information, but also saves a cached version of web pages that it visits. This can be useful in many scenarios, especially when the target website is down or inaccessible.

The cached version of a website can be a great way to access information that may have been removed from the website. It can also help you leave less of a digital trail, making it harder to detect any activity from your side and thus allowing you to remain undetected.

Tip #4: Use A Proxy Server Or A VPN

This one may seem obvious, but it’s important to remember. When conducting reconnaissance, you should always use a proxy server or VPN to hide your IP address and make sure that your activities are not tracked or noticed by the target.

As an ethical hacker, you emulate the break-in attempt of a real attacker, so you must remain anonymous; using a proxy server or VPN will help ensure this.

Tip #5: Go Over The Directory Listing Of The Target’s Website

When conducting reconnaissance for ethical hacking, it is important to go over the directory listing of the target’s website. A directory listing is a webpage that shows you a list of the files and directories on a website’s server.

Going through the directory listing can be helpful in figuring out if there are any private files or directories that are not meant for public viewing, as well as what software version the website server is using.

Having information about the version of the web server can be a great help to an ethical hacker, as it allows them to search for specific vulnerabilities that may exist in that particular version. 
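The same two disclosures can be checked from the owner's side. The following is an added example, not code from the original article: it inspects one HTTP response from a server you operate and reports version strings in the headers, an enabled directory listing, and listed files that look private. The sample responses, the header names checked and the list of sensitive extensions are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Markers of auto-generated listings (Apache/nginx title, IIS parent link).
LISTING = re.compile(r"<title>Index of /|\[To Parent Directory\]", re.I)
VERSION = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")
SENSITIVE = re.compile(r"\.(bak|sql|old|zip|env)$|^\.git/?$", re.I)

class LinkCollector(HTMLParser):
    """Collects the file and directory names a listing page links to."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        # Skip sort links ("?C=N;O=D") and parent/root links.
        if href and not href.startswith(("?", "/", "..")):
            self.links.append(href)

def audit_response(headers, body):
    """Return what one HTTP response from your own server gives away."""
    findings = []
    for name in ("Server", "X-Powered-By"):
        for token in VERSION.findall(headers.get(name, "")):
            findings.append(f"version disclosed in {name}: {token}")
    if LISTING.search(body):
        findings.append("directory listing enabled")
        collector = LinkCollector()
        collector.feed(body)
        findings += [f"sensitive entry listed: {link}"
                     for link in collector.links if SENSITIVE.search(link)]
    return findings

# Constructed sample responses (not captured from a real site).
EXPOSED_HEADERS = {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}
EXPOSED_BODY = """<html><head><title>Index of /files</title></head><body>
<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a>
<a href="report.pdf">report.pdf</a> <a href="db_backup.sql">db_backup.sql</a>
<a href="site.zip">site.zip</a></body></html>"""
HARDENED_HEADERS = {"Server": "Apache"}
HARDENED_BODY = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    print("\n".join(audit_response(EXPOSED_HEADERS, EXPOSED_BODY)))
```

The hardened sample returns no findings because the listing is disabled and the `Server` header carries no version number.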

Tip #6: Go Over Job Listing Pages

Job listing pages can provide a great deal of information about the target. By looking at the job descriptions, you can get an idea of what technologies the target is using and therefore determine potential attack points.

Tip #7: Use Social Engineering Tactics To Gather Information

Social engineering is an art form and should not be taken lightly. With the right technique, you can get access to a lot of useful information.

You can leverage various social media sites, and you can search for potential employees with specific roles.

For example, if your target is a network administrator, you can look for Twitter posts related to their duties. If the administrator posts something like “Problem with the latest Microsoft patch; had to uninstall and reinstall Windows 7…”, you may be able to learn what operating system the target is running.

You can also email the sales team and pretend you are returning a product. When they write back, you can look at their email header to get information about the company’s email servers, such as the email server vendor and version.
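To see what a reply's headers actually contain, here is an added example (not part of the original article) that parses a message and lists the mail server software, internal addresses and mail client it discloses. The sample message is constructed, the product names and hosts in it are made up, and `header_disclosures` and `org_domain` are names chosen for this illustration.

```python
import ipaddress
import re
from email import message_from_string

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(text):
    """True for a valid RFC 1918 address, False for anything else."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def header_disclosures(raw, org_domain):
    """List what the headers reveal about org_domain's mail setup."""
    msg = message_from_string(raw)
    report = {"mail_servers": [], "internal_ips": [], "client_software": []}
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]  # unfold
    for hop in hops:
        m = re.search(r"\bby (\S+) \(([^)]+)\)", hop)
        if m and m.group(1).lower().endswith(org_domain):
            report["mail_servers"].append((m.group(1), m.group(2)))
    for text in hops + msg.get_all("X-Originating-IP", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text):
            if is_internal(ip) and ip not in report["internal_ips"]:
                report["internal_ips"].append(ip)
    for name in ("X-Mailer", "User-Agent"):
        report["client_software"] += msg.get_all(name, [])
    return report

# Constructed sample reply: hosts, addresses and versions are made up.
SAMPLE = """\
Received: from mail.xyz.example (mail.xyz.example [203.0.113.25])
\tby mx.tester.example (Postfix) with ESMTPS id 4A1B2C3D;
\tMon, 06 Mar 2023 10:15:02 +0000
Received: from WS-SALES-07 (unknown [10.20.4.17])
\tby mail.xyz.example (ExampleMTA 4.2.1) with ESMTP id 9F8E7D;
\tMon, 06 Mar 2023 10:15:01 +0000
From: Sales <sales@xyz.example>
To: tester@tester.example
Subject: RE: Product return
X-Mailer: ExampleMail 16.0
X-Originating-IP: [10.20.4.17]

Thanks for contacting us.
"""
```

Run against mail your own organization sends, the report shows which of these headers an outbound gateway should strip or rewrite.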

Employees often post questions about problems they are facing on public forums. The questions might include information about a network configuration, hardware models, and specific software versions.

Link mapping is the process of discovering hyperlinks on a website. You can find this out by looking at the websites that your target’s website links to. This can give you insight into who your target is associated with and any vulnerabilities that may be present on their partner’s website.

Tip #9: Use MetaGoofil

MetaGoofil is a great tool that lets you read the metadata of documents made by the target. This tool will search the internet for any documents related to the target, then download them and pull out any useful metadata.

Metadata is known as “data about data,” and it can give you information such as keywords, creation date, system names, file shares, etc. This information can help you learn more about your target.

Tip #10: Gather All Of The Target’s IP Addresses

Find all the domain names and subdomains associated with the target. Then use tools like WhatIsMyIPAddress to convert those to their related IP addresses. It is crucial that all these IP addresses be stored in a central repository so they can be easily accessed later on when conducting scanning.
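One way to keep that central repository, shown as an added example that is not from the original article: each unique IP address is stored once with every hostname that resolves to it, and is marked against the address ranges named in the authorization, since a subdomain may be hosted by a third party that is outside it. The lookup table stands in for DNS and is constructed; the scope range and all function names are assumptions for the illustration.

```python
import csv
import io
import ipaddress
import socket

def resolve(hostname):
    """Default resolver: all addresses the system resolver returns."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []

def build_repository(hostnames, authorized_cidrs, resolver=resolve):
    """One row per unique IP, with its hostnames and whether it is in scope."""
    scope = [ipaddress.ip_network(cidr) for cidr in authorized_cidrs]
    hosts_by_ip = {}
    for host in hostnames:
        for ip in resolver(host):
            addr = ipaddress.ip_address(ip.split("%")[0])  # drop IPv6 zone id
            hosts_by_ip.setdefault(addr, set()).add(host)
    rows = []
    for addr in sorted(hosts_by_ip, key=lambda a: (a.version, int(a))):
        in_scope = any(addr.version == net.version and addr in net for net in scope)
        rows.append({"ip": str(addr),
                     "hostnames": " ".join(sorted(hosts_by_ip[addr])),
                     "in_scope": "yes" if in_scope else "no"})
    return rows

def to_csv(rows):
    """Serialize the repository so later phases read one shared file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, ["ip", "hostnames", "in_scope"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed lookup table standing in for DNS (documentation address ranges).
FAKE_DNS = {
    "www.xyz.example": ["198.51.100.10"],
    "shop.xyz.example": ["198.51.100.10"],   # same server as www
    "mail.xyz.example": ["198.51.100.25"],
    "blog.xyz.example": ["192.0.2.80"],      # hosted by a third party
}

def sample_repository():
    """Run the constructed data against an assumed scope of 198.51.100.0/24."""
    return build_repository(FAKE_DNS, ["198.51.100.0/24"],
                            resolver=lambda host: FAKE_DNS.get(host, []))
```

Rows marked `no` are addresses to raise with the client before any scanning, in line with staying inside the authority you have been given.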

Final Thoughts

While this was a very basic introduction to the world of reconnaissance, hopefully it’s given you a foundation on which to build. For further reading, I recommend checking out LinkedIn Learning’s ethical hacking learning path for beginners. 

Mike Chu

Mike is a web developer and content writer living as a digital nomad. With more than 20 years of devops experience, he brings his "programmer with people skills" approach to help explain technology to the average user.
