Passive Reconnaissance Explained [Methods & Tools]

By Leonard Cucos •  Updated: 05/30/21 •  16 min read

Passive reconnaissance and active reconnaissance are the two primary forms of reconnaissance used by an attacker or pentester to assess a target before exploiting it. 

An attacker would often devote up to 70% of its total penetration efforts to active or passive reconnaissance to gather as much intelligence as possible to mount a successful social engineering attack or other forms of attacks.

This article will take a deep dive into an attacker’s passive reconnaissance mindset and processes such as open-source intelligence, DNS reconnaissance, user information, and password profiling, as well as the most commonly used tools.

All the information gathered during this step is critical in preparing and executing a successful attack on a specific target. Experienced hackers never miss this step. 

Kali Linux comes preinstalled with a large suite of tools used for active and passive reconnaissance. However, most of these tools are built on Python and can be used on other operating systems as long as they match the prerequisites.

Without further ado, let’s get started.

What is Passive Reconnaissance?

In general, passive reconnaissance is involved with evaluating publicly available information. 

This information is generally obtained through various web sources or directly from the targeted organization’s employees.

During this process, the pentester or attacker does not interact directly with the target machine. No activities are logged or traced back to the attacker. 

Initially, passive reconnaissance is carried out in such a way as to avoid direct contact with the target that may indicate an approaching assault or reveal the attacker’s identity. 

For instance, an attacker may access the business website of a target company, read multiple pages, download documents for further investigation, etc. These interactions are considered normal behaviors and are seldom identified as a precursor to a targeted attack.

But wait! There’s more than meets the eye. 

Passive reconnaissance can include other more relevant sources of intelligence gathering. Here are some of the most commonly used methods:

Let’s find out what the above method is and which tools are available for each.

Step 1: Gathering Open-source Intelligence

Also known as OSINT, the open-source intelligence gathering is usually the first step in a planned attack or penetration test. 

NOTE: OSINT refers to information gathered from publicly available sources, most notably the Internet. 

The quantity of open-source information accessible is substantial. Most intelligence and military organizations actively collect OSINT to gather information on their targets while preventing potential leaks about their identity. 

The primary determines the primary purpose of an attack or penetration test purpose behind it.

If a social engineering technique is used, they may enhance this information with facts that lend credence to the demand for information. 

The target’s official online presence assessment is generally the first step in acquiring OSINT (website, blogs, social media pages, and third-party data repositories such as public financial records). The following are some items of interest:

NOTE: most search engines have since released APIs to facilitate automated lookups, making tools such as Maltego particularly effective.

Other online sources for passive reconnaissance may include:

Keeping track of all findings may be challenging. Fortunately, tools such as KeepNote, which allow for the quick import and maintenance of many sorts of data. KeepNote is available for Windows, macOS, Linux and it comes preinstalled on Kali Linux.

Step 2: DNS Reconnaissance and Route Mapping 

The second step in passive reconnaissance is to determine the target’s IP [IPv4 or IPv6] addresses and routes. 

DNS reconnaissance is concerned with determining who owns a particular domain or set of IP addresses (whois-type information), DNS information describing the actual domain names and IP addresses allocated to the target, and the path between the penetration tester or attacker the end target. 

Some of the DNS information comes from open sources, while some come from third parties like DNS registrars. Although the registrar may gather IP addresses and data about the attacker’s requests, it is seldom shared with the ultimate target. 

Information that the target might directly monitor, such as DNS server logs, is generally never inspected or kept.

NOTE: It’s important to remember that DNS information might include old or inaccurate entries. Cross-validate data using multiple tools and multiple source servers to reduce false information. Review the results and double-check any non-relevant findings. 

Here are some commonly used methods and tools used for DNS reconnaissance and route mapping:

1. WHOIS

Identifying the addresses allocated to the target site is the first step in exploring the IP address space. 

The whois command, which enables individuals to query databases that maintain information on the registered users of an Internet resource, such as a domain name or IP address, is generally used to achieve this. 

A whois query may return names, physical addresses, phone numbers, and e-mail addresses (which may be valuable in social engineering attacks), as well as IP addresses and DNS server names, depending on the database searched.

NOTE: third parties [Akamai, AWS, Cloudflare, etc.] are increasingly being used to protect this data, and whois information for domains such as .mil and .gov, may not be publicly available. 

The majority of requests to these sites are recorded. There are various internet lists that detail government-assigned domains and IP addresses; most tools permit no contact addresses, and government domains should be registered into these lists to prevent unwanted attention.

The most convenient way to perform a whois inquiry on a target is via command prompt using the whois <target IP or domain name> command, as seen in Figure 1.1.

Passive reconnaissance - whois nudesystems.com. Source: nudesystems.com
Figure 1.1: Passive reconnaissance – whois nudesystems.com

The whois command output can include information that can be used for social engineering attack purposes such as registrar, email, phone numbers, etc. 

2. DNS Lookup

DNS [Domain Name Service] is a distributed database that maps names to IP addresses, e.g., nudesystems.com, to 104.21.65.47.

Attackers mainly use the DNS information gathered to:

Essential command tools for DNS lookup such as nslookup are available on Windows and Linux/UNIX operating systems. On Linux/UNIX systems, there is an alternative command-line tool called dig [Figure 1.2]. 

Passive reconnaissance - dig nudesystems.com. Source: nudesystems.com
Figure 1.2: Passive reconnaissance – dig nudesystems.com

Unfortunately, both nslookup and dig commands can only query one machine at a time. Kali Linux offers various tools for iteratively querying DNS information for a specific target for IPv4 and IPv6 addresses.

3. IPv4 DNS Lookup

The IP address, or Internet Protocol address, is a numerical identifier for devices linked to a private or public Internet. The Internet nowadays is mostly built on IPv4. As seen in the table below, Kali contains numerous command-line tools to aid DNS reconnaissance.

CommandDescription
dnsrecon dnsmap dnsenumUsed for DNS record enumeration (A, MX, wildcard, TXT, etc.), Google lookup, subdomain brute-force attacks, reverse lookup, zone transfer, and zone walking. dnsrecon is the recommended option due to producing well-phrased results, and the data can be imported easily in the Metasploit Framework.
dnswalkUsed to assess the DNS information for internal consistency and accuracy of data. 
dnstracerUsed to find where a particular Domain Name System obtains its information and traces the chain of DNS servers back to the servers that recognize the info.
fierceUsed to locate non-contiguous IP space and hostnames against given domains by triggering zone transfers followed by brute-force DNS attacks to obtain DNS information. 
Table 1.1: Passive reconnaissance – Kali Linux DNS reconnaissance.

TIP: use fierce command first to ensure that all probable targets have been discovered, followed by dnsrecon and dnsenum to cross-validation of the captured DNS data.

The following capture shows dnsrecon generating a standard DNS and SRV search records search. As you can see, the SRV records for nudesystems.com are not publicly available [Figure 1.3].

Passive reconnaissance - IPv4 DNS and SRV record search for nudesystems.com. Source: nudesystems.com
Figure 1.3: Passive reconnaissance – IPv4 DNS and SRV record search for nudesystems.com.

4. IPv6 DNS Lookup

While IPv4 seems to provide for a wide address space, freely accessible IP addresses were exhausted some years ago, necessitating the use of NAT and DHCP to boost the number of accessible IPv4 addresses.

The implementation of an enhanced IP addressing method, IPv6, has provided a more lasting solution. Although it accounts for fewer than 5% of Internet addresses, its use is growing, and penetration testers must be prepared to deal with the variations between IPv4 and IPv6 addresses.

NOTE: IPv6 source and destination addresses are 128 bits long, resulting in 2128 potential addresses, or 340 undecillion possibilities.

Kali Linux contains a number of tools designed to take advantage of IPv6 addressing such as Nmap which supports IPv6 as seen in Table 1.2 below.

Command [Kali Linux]Description
dnsrevenum6Performs a reverse DNS enumeration for a given IPv6 address. Available here.

dnsdict6
Enumerates the subdomains of a parent domain and get IPv4 and IPv6 addresses using a brute force search based on its own internal list or provided dictionary list. Available here.
Table 1.2: Passive reconnaissance – DNS tools for IPv6 reconnaissance.

3. Mapping Route to Target 

Route mapping was developed as a diagnostic tool for seeing the path that an IP packet takes from one host to the next. 

Using the Time to Live (TTL) field in an IP packet, each hop from one point to the next causes the receiving router to send an ICMP TIME EXCEEDED message, decreasing the value in the TTL field by one. 

The packets keep track of the number of hops and the path followed. The traceroute data provides the following critical information to an attacker or pentester:

On Windows, tracert command-line is a utility that uses ICMP packets to map the route between an attacker and a target.

As seen in Figure 1.4, the tracert command on Windows will show the complete path [unfiltered] output.

Passive reconnaissance - tracert command on Windows 10. Source: nudesystems.com
Figure 1.4: Passive reconnaissance – tracert command on Windows 10. 

On Linux/UNIX, the utility is called traceroute [Figure 1.5]. If the traceroute command is triggered from Kali Linux, most of the hopes between source to destination will be filtered [* * *].

Passive reconnaissance - traceroute command on Kali Linux. Source: nudesystems.com
Table 1.5: Passive reconnaissance – traceroute command on Kali Linux.

Therefore, in Kali Linux, there are some additional tools to conduct route traces without filtering the output, as seen in Table 1.3.

Command
[Kali Linux]
Description
hping3A TCP/IP packet assembler and analyzer with a ping-like interface supporting TCP/UDP/ICMP protocols.
trace6A traceroute utility that uses ICMPV6
intraceA tool that allows users to enumerate IP hops by taking use of existing TCP connections, which may originate from the local system, network, or local hosts. This makes it ideal for getting beyond external filters like firewalls. 
Table 1.3: Passive reconnaissance – Kali Linux traceroute tools.

Because of the control over packet type, source packet, and destination packet, hping3 is one of the most valuable tools around providing a lot more options than the traditional ping. hping3 comes preinstalled on Kali Linux 2021.x.

Passive reconnaissance - hping3. Source: nudesystems.com
Figure 1.6: Passive reconnaissance – hping3

Step 3: Collecting User Information

Many penetration testers collect usernames and email addresses since they are regularly used for logging on to a target device. The browser is the most utilized tool for manually searching an organization’s website and third-party sites like, e.g., LinkedIn.

Many companies do not correctly deactivate employee accounts after they leave a firm. Thus these credentials may potentially provide access to the target system. 

When executing social engineering attacks, forwarding information requests to a former employee frequently results in a redirect, which provides the attacker with the “credibility” of having interacted with the prior employee. 

1. Gathering Names and Email Addresses 

theHarvester tool is a Python script, which looks for email addresses, hosts, and subdomains via major search engines. theHarvester is quite easy to use as a few command-line switches need to be configured to get it running. Table 1.4 shows some of the most used options available: 

Command Switch [theHarvester]Description
-dSpecify the domain [website] to be searched.

-b
Specify the source for data extraction. Must be: Google, Google-Profiles, Bing, BingAPI, LinkedIn, People123, Jigsaw, PGP,or all above.
-lSpecify the limit of data harvested from a number of search results 

-f
Save the results to a file [XML, HTTP]. Without this switch, the result will be displayed and not saved.
Table 1.4: Passive reconnaissance – The Harvester

theHarvester requires Python 3.7+ and is available on Linux/UNIX systems. theHarvester comes pre-installed in Kali Linux. Here is an example of theHarvester command against nudesystems.com using Google search.

NOTE: the command theharvester is deprecated and was replaced with theHarvester in the newest releases [Figure 1.7]

Passive reconnaissance - The Harvester [Kali Linux]. Source: nudesystems.com
Figure 1.7: Passive reconnaissance – The Harvester [Kali Linux]

Here is a dedicated post on how to install and use theHarvester in no time.

2. Gathering Document Metadata

The end-user cannot see metadata directly. Hence most documents are released with their intact metadata. Unfortunately, this data leakage can divulge valuable information to support an attack. 

Testers and attackers may at least collect user names using the comparison to documents, identify people related to certain sorts of data, e.g., yearly financial reports, technical documentation, etc. 

The risks associated with geolocation information have been growing as mobile devices become increasingly ubiquitous. Attackers are looking for less secure places [hotels and restaurants, airports, etc.] to begin an attack on users working outside a company perimeter.

Here are some examples of metadata usually attached to documents:

Metagoofil is an OSINT Python script that uses Google search to scan a specific website and extracts various information from documents. The supported file extensions are pdf, pptx, doc, docx, xls, xlsx

Metagoofil will download the specified number of documents into a temporary folder. Subsequently, the information is extracted and organized. 

Here is an example of Metagoofil in action in Kali Linux using the Microsoft website to scan and download the available .docx files [Figure 1.8].

Passive reconnaissance - Metagoofil [Kali Linux]. Source: nudesystems.com
 Figure 1.8: Passive reconnaissance – Metagoofil [Kali Linux]

NOTE: Metagoofil can be installed in Kali using the command: sudo apt install metagoofil

Step 4: Creating User Passwords Profiles

In the final step in the passive reconnaissance process, an attacker or pentester will attempt to create user-specific passwords based on the intelligence collected so far.  

If done manually, this process may take a long time, and the result is not always guaranteed. Furthermore, an application requires you to try every password in the list one at a time to assess if it is working or not. 

An alternative option is to use Common User Password Profiler (CUPP) to generate a customized wordlist. CUPP is a python 3 script that can be downloaded and installed from the CUPP official GitHub repository here. 

NOTE: On Kali Linux, CUPP can be installed using the command: sudo apt install cupp

Figure 1.9 below shows a list of 6624 generated passwords using information such as the target name, spouse name, pet name, dates of birth, specific keywords, etc. 

Passive reconnaissance - CUPP [Kali Linux].  Source: nudesystems.com
 Figure 1.9: Passive reconnaissance – CUPP [Kali Linux]

The list of generated passwords can be found in the CUPP directory on your computer. 

Conclusion

In conclusion, the aim of passive reconnaissance is to evaluate data freely accessible to the public. 

Due to the non-threatening nature of this method, the attacker’s actions or IP address are practically indistinguishable from a regular. 

This knowledge may be crucial for instrumenting social engineering attacks or other forms of sophisticated penetration strategies.

Before You Go

I hope this article sheds some light on what passive reconnaissance is, the process behind it, and the tools that are most commonly used by attackers or penetration testers to get relevant information on a target.

If you are looking for more tutorials for various tools used for active and passive reconnaissance, check the Cybersecurity section of this website.

See you there!

Leonard Cucos

Leonard Cucos is an engineer with over 20 years of IT/Telco experience managing large UNIX/Linux-based server infrastructures, IP and Optics core networks, Information Security [red/blue], Data Science, and FinTech.