[ Pen Testing ] :: Step by Step: Reconnaissance


In this “passive” phase of a pen test, the tester will be exploring the scope of their pen test contract. This may be an IP range, a domain, a company or anything else with digital assets.

In a real pen test, you can’t expect to make a lot of noise and be ignored, not unless you want to get banned by an IDS for an hour or three. (Be ready to change MAC addresses often.) So while the tools, like nmap, may be familiar, the techniques are necessarily a lot more careful.


This tool, which automates Censys and Shodan searches, is available in both Javascript and Python versions:



You will need Censys and Shodan API keys:



Follow the installation instructions on GitHub, then run it like this:

./csrecon.py target_org_name

Don’t scan directly from your Kali machine; get someone else to do it for you! Scanless is a “command-line utility for using websites that can perform port scans on your behalf.”

See https://github.com/vesche/scanless . You’ll have to compile this tool yourself, though.

Database Recon

Probably the king of these kind of tools is sqlmap. It’s noisy and will likely be detected by an IDS (and get you banned). But it does allow you to change the user-agent flag to disguise the source:

sqlmap --user-agent=Firefox/4.0


nmap -sS

… is NOT silent or stealthy! Use a ping scan instead:

nmap -sn

Then run an -sS scan only on a single target.

Remember to create an iptables rule that drops packets from your IP address so that it’s not disclosed:

iptables -A OUTPUT --dest -j DROP



Leave a Reply