Part 2: Reconnaissance and Information Gathering

"Give me six hours to chop down a tree and I will spend the first four sharpening the axe." -- Attributed to Abraham Lincoln, but a principle every penetration tester lives by.

You have your lab set up. You understand the legal framework. You know the difference between a SYN scan and a script kiddie. Now what?

Now, you learn the most underrated and arguably most important phase of any penetration test: reconnaissance. If Part 1 was about building the foundation, Part 2 is about learning to see. And we mean really see -- not just what a target presents on the surface, but the organizational structure behind the firewall, the forgotten development server with a default password, the employee who just posted their badge photo on LinkedIn, the S3 bucket that a developer left public three years ago and everyone forgot about.

Here is a truth that separates good penetration testers from great ones: the quality of your exploitation phase is almost entirely determined by the quality of your reconnaissance. A skilled attacker with thorough recon will outperform a more technically gifted attacker with sloppy recon nearly every time. The vulnerability that wins the engagement is not usually found by running a scanner and clicking "exploit." It is found by discovering the asset that nobody remembered existed, the subdomain that was not in scope because the client did not know they owned it, or the third-party integration that creates an unexpected trust relationship.

What You Will Learn

Part 2 takes you through five chapters that cover the full spectrum of information gathering, from entirely passive techniques that leave no trace, through active probing that touches target systems, to the specialized discipline of social engineering reconnaissance.

Chapter 7: Passive Reconnaissance and OSINT teaches you how to build a comprehensive profile of a target organization without ever sending a single packet to their infrastructure. You will learn domain and DNS intelligence gathering, WHOIS and certificate transparency analysis, Google dorking and querying internet-wide scan databases such as Shodan and Censys, social media and people OSINT, code repository mining on GitHub and GitLab, and how to tie it all together with automated frameworks like Maltego, theHarvester, and Recon-ng. When we apply these techniques to ShopStack in our exercises, you will be surprised at how much you can learn about an organization before touching their network at all.

Chapter 8: Active Reconnaissance crosses the line from observation to interaction. Here we send packets to the target and analyze what comes back. You will learn DNS enumeration and zone transfers, subdomain discovery and the increasingly dangerous world of subdomain takeover, web application fingerprinting, and technology stack identification. We draw a sharp distinction between passive and active reconnaissance because the legal and ethical implications are meaningfully different -- active recon touches the target's systems, which means your written authorization and scope must already be in place before this stage begins, not just before exploitation.

Chapter 9: Social Engineering Reconnaissance adds the human element. Organizations are made of people, and people leak information in ways that network scanners cannot detect. You will learn organizational mapping and employee profiling, pretexting and elicitation techniques, physical reconnaissance methods, and how to build social engineering pretexts from OSINT data. We also cover deepfakes and synthetic media -- an increasingly relevant vector as AI-generated voice and video become indistinguishable from the real thing. In MedSecure's environment, we demonstrate how mapping the organizational chart and identifying employees with elevated access sets the stage for targeted phishing that could bypass even strong technical controls.

Chapter 10: Scanning and Enumeration moves from broad reconnaissance to targeted, detailed mapping of discovered assets. This is where Nmap becomes your best friend. You will go deep on port scanning fundamentals, service version detection, OS fingerprinting, and network enumeration across protocols like SMB, SNMP, LDAP, and NFS. We cover web server enumeration and introduce vulnerability scanners like Nessus, OpenVAS, and Nuclei. Crucially, we teach you how to organize and document your scan results -- because even the most thorough scanning is worthless if you cannot make sense of the data you collect.

Chapter 11: Vulnerability Assessment bridges reconnaissance and exploitation. You will learn the critical distinction between vulnerability assessment and penetration testing, how to use CVE databases and CVSS scoring, the art of manual vulnerability validation, and how to prioritize findings by actual risk rather than scanner severity ratings. We cover the persistent problem of false positives and false negatives, and we teach you to write vulnerability assessment reports that communicate risk effectively to both technical and business audiences.

Key Themes

Information is ammunition. Every piece of data you gather during reconnaissance is a potential avenue of attack. Discovering a single email address format (firstname.lastname@medsecure.com) and combining it with a public employee directory gives you a ready-made username list for password spraying. A JavaScript comment revealing an internal API endpoint opens doors that no amount of brute force could.
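To make the first point concrete, here is an added example (not code from the book's chapters) that turns a discovered address format plus a list of display names into a deduplicated username list. The employee names are constructed for the example; medsecure.com is the book's fictional target, and the four format templates are common conventions, not anything observed on a real organization. The awkward cases a real directory throws at you are handled deliberately: accented characters, apostrophes, hyphenated and multi-part surnames, honorifics, and duplicate entries that differ only in case.

```python
import re
import unicodedata

# Constructed sample input for this example: names as they might appear on a
# public staff page or LinkedIn, plus the address format observed during recon.
EMPLOYEES = [
    "Alice Johnson",
    "Bob  O'Neil",
    "Zoë Müller-Hart",
    "Dr. Carlos de la Cruz",
    "alice johnson",  # same person, different casing: must not produce a duplicate
]
DOMAIN = "medsecure.com"

# Address-format templates keyed by the convention you discovered.
# {first}/{last} are the normalized names, {f}/{l} their initials.
FORMATS = {
    "first.last": "{first}.{last}",
    "flast": "{f}{last}",
    "firstl": "{first}{l}",
    "first_last": "{first}_{last}",
}

HONORIFICS = {"dr", "mr", "mrs", "ms", "prof"}


def normalize(token):
    """Fold a name token to bare lowercase ASCII letters.

    'Zoë' -> 'zoe', "O'Neil" -> 'oneil', 'Müller-Hart' -> 'mullerhart'.
    NFKD splits accented letters into base letter plus combining mark; the
    ASCII encode with errors='ignore' then drops the marks.
    """
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def split_name(full_name):
    """Return (first, last) from a directory-style display name, or None.

    Honorifics are dropped. Everything after the first name is treated as the
    surname and joined, so particles ('de la') and hyphenated surnames survive
    as one token. Single-token names cannot be mapped and are skipped.
    """
    parts = [p for p in re.split(r"\s+", full_name.strip()) if p]
    parts = [p for p in parts if normalize(p) not in HONORIFICS]
    if len(parts) < 2:
        return None
    first = normalize(parts[0])
    last = "".join(normalize(p) for p in parts[1:])
    if not first or not last:
        return None
    return first, last


def build_usernames(names, fmt, domain):
    """Render every parseable name through the chosen template, deduplicated,
    preserving first-seen order so the output is stable across runs."""
    template = FORMATS[fmt]
    seen = set()
    result = []
    for name in names:
        parsed = split_name(name)
        if parsed is None:
            continue
        first, last = parsed
        local_part = template.format(first=first, last=last, f=first[0], l=last[0])
        address = f"{local_part}@{domain}"
        if address not in seen:
            seen.add(address)
            result.append(address)
    return result


if __name__ == "__main__":
    for fmt in FORMATS:
        print(f"[{fmt}]")
        for address in build_usernames(EMPLOYEES, fmt, DOMAIN):
            print("  ", address)
```

One design note: multi-part surnames are ambiguous in practice (an organization may render "Carlos de la Cruz" as carlos.cruz or carlos.delacruz), so when the discovered format does not settle it, run the list through more than one template and let the authentication behavior you observe during the engagement tell you which convention is live.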

Patience is a professional skill. The temptation to rush through recon and start popping shells is real, but it is counterproductive. In professional engagements, it is common to spend 40 to 60 percent of total engagement time on reconnaissance and scanning. That ratio exists for a reason.

Passive before active, always. This is not just a technical preference -- it is operational discipline. Passive reconnaissance is stealthier, often more productive than expected, and establishes the context that makes active reconnaissance more targeted and effective. In a real engagement against MedSecure, we would spend days on passive OSINT before ever scanning a port.

The attack surface is wider than the network. People, processes, code repositories, job postings, conference presentations, social media -- the modern attack surface extends far beyond IP addresses and open ports. The best reconnaissance is holistic.

How This Part Connects

Part 1 gave you the legal framework to understand what you are allowed to do, the ethical framework to understand what you should do, and the networking knowledge to understand what you are looking at. Part 2 puts all three to work. Every technique in these chapters requires you to think about authorization (Am I allowed to probe this system?), ethics (Should I use this information I found?), and networking (What is this service, and why is it exposed?).

When you finish Part 2, you will have a detailed map of your target -- network topology, exposed services, employee information, technology stack, and a prioritized list of potential vulnerabilities. Part 3 takes that map and turns it into action. You will move from knowing what is vulnerable to actually exploiting those vulnerabilities, gaining access to systems, and escalating your privileges. The reconnaissance skills you build here will directly determine how efficient and effective your exploitation is in the chapters ahead.

The real work starts now. Let us sharpen the axe.

Chapters in This Part