# Reconnaissance

Information Gathering, also known as Reconnaissance, is the first and foundational phase of a penetration test. The purpose of this phase is to collect as much relevant data about the target entity as possible, whether it's an organization, network, or individual.

This process covers both information the target publishes deliberately and information it exposes without meaning to. Employee details such as names, roles, and email addresses are a typical example: once the naming convention for mailboxes is known, they feed directly into later phases, for instance a targeted phishing campaign or a malicious attachment sent to a specific person.

The more detailed and accurate the information collected here, the better the odds during the exploitation and post-exploitation phases: a service version, a forgotten subdomain, or a staff list often decides which attack path is even available. A well-prepared penetration tester treats thorough reconnaissance as the foundation for everything that follows.

Examples of useful information:

* **Employee details:** Names, email addresses, roles
* **Systems and Networks:** Public IP addresses, domain names, infrastructure details
* **Technological Stack:** Web technologies, software, and platforms in use

The success of future phases often hinges on the quality and depth of information gathered during this phase.

## **Types of Reconnaissance**

There are two main types of reconnaissance in penetration testing: **Active Reconnaissance** and **Passive Reconnaissance**.

## **Active Reconnaissance**

Active Reconnaissance involves interacting directly with the target's systems: the tester sends packets to them and draws conclusions from the responses. This might include:

* Confirming which hosts in the target's address space are actually live (for example with a ping sweep).
* Port scanning to identify open ports, the services behind them and, where a banner is returned, their versions.
* Probing the network to map its internal layout and enumerate services, shares, and users.

The goal is to learn about the target's systems by engaging with them directly. Because every probe generates traffic the target can log and alert on, active reconnaissance must stay within the agreed scope and rules of engagement, and the tester should expect it to be noticed.
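As an added example of the port-scan step (not code from the original page), the script below performs a plain TCP connect scan with a banner grab. Rather than touching a real host, it starts a constructed local listener that greets with a made-up SSH banner, scans that port plus one that is known to be closed, and reports both, which is exactly the kind of response-driven inference active reconnaissance relies on. The host, ports, and banner are all assumptions for the demonstration.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(sock, timeout=1.0, max_bytes=128):
    """Read whatever the service volunteers on connect (SSH, SMTP and FTP greet first)."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(max_bytes)
    except OSError:          # socket.timeout is an OSError subclass
        return ""
    return data.decode("utf-8", errors="replace").strip()


def probe_port(host, port, timeout=1.0):
    """Full TCP handshake against one port; returns (port, is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return port, True, grab_banner(sock, timeout)
    except OSError:
        # connection refused, timed out, or host unreachable: all reported as closed
        return port, False, ""


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Connect-scan a list of ports in parallel; returns {port: {"open": bool, "banner": str}}."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, is_open, banner in pool.map(lambda p: probe_port(host, p, timeout), ports):
            results[port] = {"open": is_open, "banner": banner}
    return results


def start_fake_service(banner, host="127.0.0.1"):
    """Constructed stand-in for a real target: a local listener that greets with `banner`.
    Returns (server_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))      # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket has been closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port(host="127.0.0.1"):
    """Pick a port that is currently closed, to show how a refused connection is reported."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Assumed banner; a real OpenSSH version string would look similar but is not claimed here.
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port = free_closed_port()
    for port, info in sorted(scan_ports("127.0.0.1", [open_port, closed_port]).items()):
        state = "open" if info["open"] else "closed"
        print(f"{port:5d}/tcp  {state:6s}  {info['banner']}")
    srv.close()
```

A connect scan completes the three-way handshake, so it shows up in the target's connection logs; stealthier scan types exist, but this one needs no raw-socket privileges and illustrates the principle. Increase `timeout` for hosts across a WAN, since a silently dropped SYN is indistinguishable from a slow one.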

## **Passive Reconnaissance**

Passive Reconnaissance, on the other hand, does not involve direct interaction with the target. Instead, the tester collects what third parties already hold about it. This can include:

* Looking up the target's IP ranges and DNS records through third-party sources such as WHOIS, passive DNS services, and certificate transparency logs, rather than querying the target's own servers.
* Identifying domain names, their registrants, and the hosting providers in use.
* Collecting email addresses, social media profiles, and subdomains from search engines, public code repositories, and breach data.
* Researching the web technologies and platforms the target uses, for instance from job postings, archived copies of its pages, and third-party scanning services.

This method is more subtle: the target's own systems receive no traffic from the tester, so there is nothing in their logs to alert them. The boundary is where the request goes, not what is learned. Browsing the target's website, for example, is a request to its own servers and is therefore active, even though the content is public.
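As an added example (not code from the original page) of turning third-party data into a target list without sending anything to the target, the script below processes two constructed inputs: a sample in the shape of the JSON that crt.sh returns for certificate transparency searches, and a snippet of text standing in for a cached contact page. It extracts in-scope hostnames (collapsing wildcard certificates and rejecting lookalike domains such as `notexample.com`), harvests email addresses, and infers the mailbox naming convention from known name/address pairs so that further employee names can be turned into probable addresses. All domains, names, and addresses are invented for the demonstration.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of crt.sh's JSON output: one record per certificate,
# with the SAN names newline-separated in "name_value". Not real data.
CT_SAMPLE = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com\nmail.example.com"},
    {"common_name": "dev.example.com.evil.test", "name_value": "dev.example.com.evil.test"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])

# Constructed text standing in for a scraped "contact us" page or cached search result.
PAGE_TEXT = """
Contact: Jane Doe <jane.doe@example.com>, Bob Smith (bob.smith@example.com).
Press enquiries: press@example.com. Hosting: ops@mail.example.com.
Our vendor: support@vendor.test
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def in_scope(hostname, domain):
    """True only for the apex or a real subdomain, so 'notexample.com' and
    'example.com.evil.test' are rejected rather than matched by a sloppy substring test."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def subdomains_from_ct(ct_json, domain):
    """Extract in-scope hostnames from crt.sh-style records; wildcard entries yield their base."""
    domain = domain.lower()
    names = set()
    for record in json.loads(ct_json):
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, domain):
                names.add(name)
    return sorted(names)


def harvest_emails(text, domain):
    """Pull addresses out of free text and keep only those on the target's domains."""
    domain = domain.lower()
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(e for e in found if in_scope(e.split("@", 1)[1], domain))


# Candidate mailbox naming conventions, keyed by a human-readable template.
FORMATS = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{f}{last}":      lambda f, l: f"{f[0]}{l}",
    "{first}{l}":     lambda f, l: f"{f}{l[0]}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{last}.{first}": lambda f, l: f"{l}.{f}",
}


def guess_email_format(known_pairs):
    """Given (full name, email) pairs, return the convention matching the most of them,
    or None if nothing matches; lets names found elsewhere be turned into likely addresses."""
    scores = Counter()
    for full_name, email in known_pairs:
        parts = full_name.lower().split()
        if len(parts) < 2:
            continue
        first, last = parts[0], parts[-1]
        local = email.split("@", 1)[0].lower()
        for template, build in FORMATS.items():
            if build(first, last) == local:
                scores[template] += 1
    return scores.most_common(1)[0][0] if scores else None


if __name__ == "__main__":
    print("hosts:", subdomains_from_ct(CT_SAMPLE, "example.com"))
    print("emails:", harvest_emails(PAGE_TEXT, "example.com"))
    print("convention:", guess_email_format([
        ("Jane Doe", "jane.doe@example.com"), ("Bob Smith", "bob.smith@example.com")]))
```

The hostnames this produces are candidates, not confirmed live systems; resolving or connecting to them is the point where reconnaissance turns active and must be covered by the engagement's scope.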

