Reconnaissance Basics

Without performing reconnaissance (information gathering) on the target, both threat actors and penetration testers will have difficulty moving on to the later phases of the Cyber Kill Chain. Hence, ethical hackers and penetration testers must conduct extensive research to gather as much information as possible and create a profile of their target. Reconnaissance can be divided into two categories:
• Passive: Uses an indirect approach and does not engage the target to gather information.
• Active: Directly engages the target to gather specific details. ...

November 24, 2025 · 2 min · 376 words · 0x-s0M3n4th

Deep Passive Recon

Passive information gathering is when you use an indirect approach to obtain information about your target. This method obtains information that is publicly available from many sources, thus eliminating direct contact with the potential target. OSINT: Gathering information before exploiting and gaining access to a network or system will help the penetration tester narrow the scope of the attack and focus on the security vulnerabilities of the target. This means the penetration tester can design specific types of attacks, exploits, and payloads that are suitable for the attack surface of the target. We will begin our information-gathering phase by utilizing the largest computer network in existence: the internet. ...

November 24, 2025 · 3 min · 541 words · 0x-s0M3n4th

Proxychains Configuration

A proxy is a system, such as a server, that sits between a source and a destination host on a network. If a sender wants to communicate with a destination server, the sender forwards the message to the proxy, which then forwards it to the destination server. The destination server will think the message originates from the proxy and not from the actual source. Penetration testers use proxychains, which allows them to create a logical chain of connections through multiple proxy servers when sending traffic to a target network or the internet. Proxychains allows a penetration tester to configure various types of proxies, such as the following:
• HTTP
• HTTPS
• SOCKS4
• SOCKS5 ...

November 24, 2025 · 2 min · 303 words · 0x-s0M3n4th

Anonymity with TOR

THE ONION ROUTER: The Onion Router (TOR) is a service and special network that allows users to gain anonymity when browsing the internet and accessing the dark web. TOR functions a little like proxy chaining, but it’s a lot cooler and more complex. It encrypts traffic between each TOR relay node and does a lot more to ensure that a source and a destination host never know each other’s identities. Install tor: sudo apt update && sudo apt install tor. Configuring the proxychains4 config file: sudo vim /etc/proxychains4.conf, go to the end, where we edited the proxy servers, and make the edit shown in the screenshot. Then save and exit using :wq. Use these two commands to activate tor and check its status (screenshot: check tor connection).

November 24, 2025 · 1 min · 122 words · 0x-s0M3n4th

Whois & Recon-ng Framework

Gathering data using whois: the whois command helps us find publicly available data about domains. The following is a brief list of some information types that are usually stored in public records:
• Registrant contact information
• Administrative contact information
• Technical contact information
• Name servers
• Important dates, such as registration, update, and expiration dates
• Registry domain ID
• Registrar information
Kali has a built-in whois tool. Info: Keep in mind that, as the need for online privacy increases around the world, domain registrars and organizations are paying a premium fee to ensure their contact data is not revealed by WHOIS databases to the general public. This means that you will not commonly find private contact data about a domain in WHOIS databases if the domain owner pays the premium for additional privacy features. ...

November 24, 2025 · 4 min · 848 words · 0x-s0M3n4th

TheHarvester

Commands: let’s gather the names of employees who work, or worked, at Microsoft and have a LinkedIn profile by using the following command: theHarvester -d microsoft.com --dns-server 8.8.8.8 -b linkedin
• -d: Specifies the target organization by using the domain name.
• --dns-server: Allows you to specify a DNS server for all DNS queries.
• -b: Specifies the source to retrieve the information from.
Sub-domain searching: theHarvester -d microsoft.com -b bing ...

November 24, 2025 · 1 min · 81 words · 0x-s0M3n4th

Social Media Recon (SOCMINT)

Employees of an organization often leak too much information about themselves and their company. While many employees are very happy to be working in their organizations, sometimes they share information that can be used during cyberattacks by a threat actor. As an aspiring penetration tester, you can also leverage this information during a penetration test on the target organization. The following is some information that’s commonly leaked:
• Employee contact information, such as telephone numbers and email addresses, that can be used during social engineering and account takeover attacks.
• Photos showing employee badges, which can be used by a threat actor to create a fake ID for impersonation.
• Pictures of an employee’s computing systems and desktop, which can inform a threat actor about the device vendors and operating systems in use.
• Projects completed by the employee, which may contain specific technical details that allow a threat actor to profile the internal network infrastructure.
Gathering information from Instagram: using sherlock with the --timeout option ensures that sherlock doesn’t spend more than 5 seconds on a site. Gathering a company’s infrastructure data: we can use tools like Wappalyzer to see what kind of technology a target website is using. We can also use a website called BuiltWith to get the technology profile of a target website. Shodan: Shodan is a search engine for Internet of Things (IoT) devices, systems, and networks that are directly connected to the internet. Ethical hackers, penetration testers, and even threat actors use Shodan to identify their organization’s or target’s assets and check whether they have been publicly exposed on the internet. ...

November 24, 2025 · 5 min · 888 words · 0x-s0M3n4th