Beginner reconnaissance guide in five

When it comes to ethical hacking or penetration testing, the first stage is arguably the most important one, especially for beginners. It is known as reconnaissance, or simply recon.
Think of recon as the information-gathering stage. Just as a burglar might plan to break into a house by studying its windows, doors, alarms and the owner's schedule, a penetration tester gathers as much information as possible about the target before launching any active attack.
In this post we will break the reconnaissance phase into bite-sized pieces you can follow, discuss the tools you can use, and give real-world scenarios to make the idea concrete.
What is reconnaissance?
Reconnaissance is the preparatory stage of a penetration test, in which the tester gathers information about a target to find possible weaknesses. It involves no direct harm or attack; it is only collecting and analysing data.
There are two basic types of reconnaissance:
- Passive reconnaissance – gathering information without contacting the target.
- Active reconnaissance – interacting with the target directly to gather information, for example port scanning or service probing.
Passive recon: no touch, no trace
Passive recon is all about gathering information quietly. Because you never touch the target system directly, you are less likely to be detected. Here is what you can do:
WHOIS lookup
Use tools such as whois.domaintools.com or the Linux whois command to get:
- The domain's registrar name
- Registrant details
- Contact emails
- Name servers
- Domain creation/expiration dates
This can provide hints about the organisation, its administrators, or its internal setup.
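The same WHOIS fields listed above are also what a defender watches on their own domains (who the registrar is, which name servers are authoritative, how close the expiry date is). As an added example that is not part of the original post, here is a small parser for the key: value lines a WHOIS reply uses; the WHOIS text is constructed and the domain names in it are placeholders.

```python
# Added example (not from the original post): parse the key: value lines
# of a WHOIS reply and compute days until the domain expires.
# The WHOIS text below is constructed for illustration.
from datetime import date, datetime
import re

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: abuse@example-registrar.test
Name Server: NS1.EXAMPLE-DNS.TEST
Name Server: NS2.EXAMPLE-DNS.TEST
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
"""

# "Field Name: value" lines; the field name stops at the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")

def parse_whois(text):
    """Return {field_name_lowercase: [values]}; WHOIS fields may repeat."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def days_until_expiry(fields, today_iso):
    """Days from today_iso (YYYY-MM-DD) to expiry; None if no expiry field."""
    today = date.fromisoformat(today_iso)
    for key in ("registry expiry date", "expiration date", "expiry date"):
        if key in fields:
            exp = datetime.strptime(fields[key][0], "%Y-%m-%dT%H:%M:%SZ").date()
            return (exp - today).days
    return None

def summarize(text, today_iso):
    """Pull out the fields the recon checklist above cares about."""
    f = parse_whois(text)
    return {
        "registrar": f.get("registrar", [None])[0],
        "name_servers": [ns.lower() for ns in f.get("name server", [])],
        "created": f.get("creation date", [None])[0],
        "days_to_expiry": days_until_expiry(f, today_iso),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_WHOIS, "2025-01-01"))
```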
DNS enumeration
Use tools such as dig, nslookup, or dnsdumpster.com to:
- Identify subdomains
- Retrieve DNS records such as MX (mail), TXT and A (IP address)
- Uncover hidden web portals or services
Google dorking
Google is not only a search engine; it is a treasure trove of information. Take advantage of special search operators such as:
site:openexploit.in intitle:"index of"
site:openexploit.in filetype:pdf
Dorks like these can surface sensitive directory listings, documents and files.
Social media and employee details
Platforms such as LinkedIn, Twitter or Facebook can reveal:
- Employee names
- Job titles (such as "system administrator")
- Technology stack
- Internal naming conventions
- Email formats (for example, [email protected])
This helps with social engineering or phishing attacks later on.
Active recon: knocking on the door
Once passive recon has given you a picture, active recon takes you further, but it means interacting with the target directly, which can be detected.
Port scanning
Tools such as Nmap can check for open ports and services:
nmap -sS -Pn -T4 openexploit.in
You may find:
- Open ports (such as 22 for SSH, 80 for HTTP)
- Running services (for example, Apache, MySQL)
- OS fingerprints
This helps you identify attack surfaces such as outdated software or misconfigured ports.
Service enumeration
Use tools such as Nmap scripts, enum4linux or Nikto to:
- Discover software versions
- Check for default credentials
- Expose directory listings or vulnerable plugins
Example:
nmap -sV --script vuln openexploit.in
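The section above notes that active recon can be detected, and this is what that looks like from the defender's side: a scan like the Nmap commands shown touches many distinct ports on one host in a few seconds. As an added example that is not part of the original post, here is a small detector that flags that pattern in connection logs; the log format and the addresses in it are constructed.

```python
# Added example (not from the original post): flag sources that hit many
# distinct ports on one host within a short window, the footprint an
# active port scan leaves in firewall or connection logs.
from collections import defaultdict
from datetime import datetime

# Constructed log lines: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2025-01-01T10:00:00 198.51.100.7 203.0.113.10 22 ACCEPT
2025-01-01T10:00:01 198.51.100.7 203.0.113.10 80 ACCEPT
2025-01-01T10:00:01 198.51.100.7 203.0.113.10 443 ACCEPT
2025-01-01T10:00:02 198.51.100.7 203.0.113.10 3306 DROP
2025-01-01T10:00:02 198.51.100.7 203.0.113.10 8080 DROP
2025-01-01T10:00:03 198.51.100.7 203.0.113.10 21 DROP
2025-01-01T10:00:03 198.51.100.7 203.0.113.10 25 DROP
2025-01-01T10:05:00 192.0.2.44 203.0.113.10 443 ACCEPT
2025-01-01T10:06:00 192.0.2.44 203.0.113.10 443 ACCEPT
"""

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_port_scans(log_text, window_seconds=10, min_ports=5):
    """Return {(src, dst): max_distinct_ports} for pairs that reached at
    least min_ports distinct ports within any window_seconds window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, hits in events.items():
        hits.sort()  # time order, so a sliding window works
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} touched {n} ports")
```

The normal client (192.0.2.44) repeatedly hitting a single port is not flagged; tune window_seconds and min_ports to your own traffic, since a slow scan (Nmap's -T0/-T1 timing) spreads hits beyond a short window.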
Subdomain enumeration
Use tools such as:
- Sublist3r
- Assetfinder
- Amass
Discovering hidden subdomains such as dev.openexploit.in or staging.openexploit.in can reveal weak entry points.
Tools you should know
Here are some commonly used recon tools with a brief description of each:
Recon example
Suppose your target is openexploit.in. Below is a simplified workflow:
- WHOIS lookup – collect registrar information and contact emails.
- DNS and subdomain enumeration – use Amass and DNSDumpster to discover subdomains such as dev.examplecorp.com.
- Google dorking – search site:examplecorp.com filetype:pdf for internal documents.
- Shodan search – look up examplecorp.com IPs to identify open ports.
- Nmap scan – scan the open ports on the key IPs.
- Service enumeration – use Nmap or Nikto scripts to identify potential weaknesses.
- Social media mining – search LinkedIn for employee names such as "John Doe – Network Engineer".
You have not launched anything yet, but you already have open ports, running services, employee information and potential attack vectors.
Why recon matters
Skipping recon is like trying to pick a lock blindfolded. Here is why it matters:
- Reduces noise: you do not target every door, only the weak ones.
- Saves time: you only target likely weaknesses.
- Increases stealth: with enough passive recon you may not need noisy scans.
- Improves accuracy: you stop guessing and build a real-world map of the target.
Legal and ethical aspects
Always get permission before performing recon. Unauthorised recon against live systems, even passive recon, may be illegal under cybersecurity legislation such as the CFAA or India's IT Act.
Stick to bug bounty programs, practice environments such as TryHackMe or Hack The Box, or sanctioned internal engagements.
Final words
Recon is where great hackers are made. The better your recon, the smarter your attacks and the more value you deliver to clients or companies.
Before you start knocking on doors and exploiting services, take a breath. Act like a detective, not a battering ram.
If you are learning penetration testing, make reconnaissance your friend. Because in cyber warfare, knowledge is not just power; it is the first strike.