Passive Reconnaissance Fundamentals
Passive information gathering extracts valuable intelligence without directly interacting with target systems, maintaining operational stealth during initial reconnaissance phases. Search engine dorking leverages Google, Bing, and specialized engines to discover exposed assets, sensitive documents, and technical information; the queries go to the search engine's index, never to the target, which is what keeps the technique passive. Operators such as site:, filetype:, and intitle: combined creatively (for example, site:example.com filetype:sql, or site:example.com intitle:"index of" backup) reveal configuration files, database backups, and internal documentation accidentally exposed to the internet.
Social media intelligence (SOCMINT) provides human-focused intelligence often overlooked in technical assessments. LinkedIn profiles reveal employee names, roles, and technologies used within organizations. Twitter, Facebook, and Instagram posts sometimes expose internal information through careless sharing. While OSCP doesn't test social engineering, understanding information exposure through social media develops security awareness valuable throughout careers.
DNS intelligence gathering through passive sources reveals infrastructure relationships and potential targets. Services like DNSDumpster and SecurityTrails, together with certificate transparency logs (searchable through sites such as crt.sh), expose subdomains without sending packets to target infrastructure. Historical DNS records identify legacy systems, development environments, and forgotten assets that often contain vulnerabilities. This archaeological approach to infrastructure mapping frequently reveals soft targets missed by active scanning. One caveat: a name found in a stale record or on a long-expired certificate may no longer resolve, or may now point at infrastructure that belongs to someone else, so confirming what is actually live is an active step that belongs to a later phase and must stay inside the engagement's scope.
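The certificate-transparency part of this, worked through offline as an added example (not code from the original page): the script takes search output in the JSON shape crt.sh returns (one object per certificate, SAN names newline-separated in "name_value", ISO timestamps in "not_after"), folds wildcards onto their parent name, discards SANs that belong to other organisations on shared certificates, and flags hosts whose newest certificate expired long ago as candidate legacy assets. The records are constructed sample data, not real certificates, and stand in for a live query such as https://crt.sh/?q=%25.example.com&output=json.

```python
"""Turn certificate-transparency search output into a subdomain inventory
without touching the target.

Added example for this section, not code from the page. Assumes the crt.sh
JSON layout; SAMPLE_CT_JSON below is constructed, not real data.
"""
import json
import re
from typing import Dict, List

# Constructed sample in crt.sh's JSON shape; not real certificates.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.dev.example.com", "name_value": "*.dev.example.com\nDev.Example.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2022-05-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn-legacy.example.com", "name_value": "vpn-legacy.example.com",
     "not_before": "2019-02-01T00:00:00", "not_after": "2019-05-01T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn-legacy.example.com", "name_value": "vpn-legacy.example.com",
     "not_before": "2018-02-01T00:00:00", "not_after": "2018-05-01T00:00:00"},
    # A shared CDN certificate: only the SAN under our domain is in scope.
    {"id": 5, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "cdn.othercorp.net", "name_value": "cdn.othercorp.net\nstatic.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-01T00:00:00"},
])

# Conservative hostname syntax: drops whitespace, stray characters and the like.
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def latest_expiry_by_host(ct_json: str, domain: str) -> Dict[str, str]:
    """Map every in-scope hostname to the expiry of its newest certificate."""
    domain = domain.lower().strip(".")
    latest: Dict[str, str] = {}
    for rec in json.loads(ct_json):
        candidates = set(rec.get("name_value", "").split("\n"))
        candidates.add(rec.get("common_name", ""))
        for raw in candidates:
            name = raw.strip().lower()
            if name.startswith("*."):          # wildcard: keep the parent name
                name = name[2:]
            if name != domain and not name.endswith("." + domain):
                continue                        # SAN belonging to another organisation
            if not HOST_RE.match(name):
                continue
            expiry = rec.get("not_after", "")
            if expiry > latest.get(name, ""):   # ISO-8601 sorts lexicographically
                latest[name] = expiry
    return latest


def subdomains(ct_json: str, domain: str) -> List[str]:
    """Deduplicated, sorted list of in-scope hostnames seen in the log."""
    return sorted(latest_expiry_by_host(ct_json, domain))


def stale_hosts(ct_json: str, domain: str, cutoff: str) -> List[str]:
    """Hosts whose newest certificate expired before `cutoff` (ISO date):
    candidates for forgotten dev/legacy systems worth checking later."""
    return sorted(h for h, exp in latest_expiry_by_host(ct_json, domain).items()
                  if exp < cutoff)


if __name__ == "__main__":
    for host in subdomains(SAMPLE_CT_JSON, "example.com"):
        print(host)
    print("stale:", stale_hosts(SAMPLE_CT_JSON, "example.com", "2023-01-01"))
```

The suffix check matters more than it looks: certificates for CDNs and SaaS platforms routinely list dozens of unrelated customers' names, and dumping every SAN into the scope file is a quick way to scan someone else's infrastructure.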
Metadata analysis extracts hidden information from publicly available documents. PDF reports, Office documents, and images contain creation timestamps, author information, and software versions. Tools like ExifTool and FOCA automate metadata extraction from document collections. Internal usernames discovered through metadata provide valuable wordlists for password attacks, while software versions guide exploit selection.
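What ExifTool and FOCA automate, reduced to its essentials as an added example (not code from the page and not either tool): read the author and application fields out of an Office document's docProps parts and a PDF's /Info dictionary, then expand the discovered names into the username formats that password-spraying lists are built from. Both documents are constructed in memory so the script runs offline. The PDF parser only handles plain literal strings in an uncompressed /Info dictionary; real files use hex strings, escape sequences and object streams, which is exactly why ExifTool exists.

```python
"""Extract author/software metadata from DOCX and PDF files and build a
username wordlist. Added example for this section; sample documents are
constructed in memory and are not real files.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed OOXML metadata parts (what Word writes into docProps/).
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>Jane Smith</dc:creator><cp:lastModifiedBy>bwilliams</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2022-03-14T09:12:00Z</dcterms:created>
</cp:coreProperties>"""
APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>
<Company>Example Corp</Company></Properties>"""

# Minimal PDF skeleton carrying an /Info dictionary (constructed, not a real report).
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Report) /Author (Carlos Ruiz) "
              b"/Creator (Microsoft Word 2016) /Producer (Acrobat Distiller 11.0) "
              b"/CreationDate (D:20210607101500Z) >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")

PDF_INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title|CreationDate)\s*\(([^)]*)\)")


def build_sample_docx() -> bytes:
    """Assemble a DOCX-shaped zip containing only the two metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def docx_metadata(data: bytes) -> Dict[str, str]:
    """Read docProps/core.xml and docProps/app.xml; keys are the local tag names."""
    meta: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)):
                if el.text and el.text.strip():
                    meta[el.tag.rsplit("}", 1)[-1]] = el.text.strip()   # drop namespace
    return meta


def pdf_metadata(data: bytes) -> Dict[str, str]:
    """Scrape literal-string entries from an uncompressed PDF /Info dictionary."""
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in PDF_INFO_RE.findall(data)}


def username_candidates(names: Iterable[str]) -> List[str]:
    """'First Last' -> common corporate username formats; bare tokens kept as-is."""
    out = set()
    for name in names:
        parts = [p for p in re.split(r"[\s.,_-]+", name.lower()) if p]
        if len(parts) == 1:
            out.add(parts[0])                     # already looks like a username
        elif len(parts) >= 2:
            f, l = parts[0], parts[-1]
            out.update({f"{f}.{l}", f"{f}_{l}", f"{f[0]}{l}", f"{f[0]}.{l}", f"{f}{l[0]}", f"{l}{f[0]}"})
    return sorted(out)


def harvest(docs: Iterable[bytes]) -> Dict[str, List[str]]:
    """Run both extractors over a document set; report names, software, usernames."""
    names, software = set(), set()
    for doc in docs:
        if doc.startswith(b"PK"):                 # zip container: OOXML
            m = docx_metadata(doc)
            names.update(v for k, v in m.items() if k in ("creator", "lastModifiedBy"))
            if "Application" in m:
                software.add(f"{m['Application']} {m.get('AppVersion', '')}".strip())
        elif doc.startswith(b"%PDF"):
            m = pdf_metadata(doc)
            names.update(v for k, v in m.items() if k == "Author")
            software.update(m[k] for k in ("Creator", "Producer") if k in m)
    return {"names": sorted(names), "software": sorted(software),
            "usernames": username_candidates(names)}


if __name__ == "__main__":
    for key, values in harvest([build_sample_docx(), SAMPLE_PDF]).items():
        print(f"{key}: {', '.join(values)}")
```

Note that lastModifiedBy in the sample is already in username form (bwilliams): when one document leaks both a display name and a login name, that pair tells you the organisation's naming convention and lets you prune the wordlist to a single format before spraying.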