

The topics we'll cover.
Under passive, we'll look at WHOIS, Google Dorking, and Shodan.
Under active, we'll cover host scanning and port scanning.
At its simplest level, passive scanning means you observe, but you do not interact. You collect information that is already available through legitimate channels, without sending any packets, making any connections, or triggering any logs on the target's infrastructure.
You simply collect information that is already available, either because the target has made it public or because it leaked inadvertently.
1. Non-Intrusive
The scanner does not send any requests or packets that could affect the target. No scanning tools touch the target's systems. No network traffic is generated toward the target.
2. Observational
The scanner gathers information from sources that already exist. It does not create new data; it consumes existing data.
The scanner is a consumer, not a producer. It reads what is already there.
3. Low Visibility (Undetectable)
The target has no way of knowing they are being observed. Because no active interaction occurs, there is no evidence left behind.
Why This Is True:
The Result:
Passive reconnaissance is completely invisible. The target continues operating normally, unaware that an external party is gathering intelligence about them.
Why is this important for us? As attackers or penetration testers, we start with passive reconnaissance because it's safe. We can gather a massive amount of information with zero risk of detection.
WHOIS is a protocol and a database. When someone registers a domain name (e.g. example.com), they have to provide information to the domain registrar.
This information is stored in a public database called WHOIS.
By querying this database, anyone can find out:
Also called Google Hacking.
Google Dorking is an advanced searching technique that uses specialized operators and filters in Google Search to uncover information that isn't typically accessible through basic searches.
What are search operators?
You probably use Google by typing simple words. But Google has special commands called 'operators' that let you refine your search with incredible precision. When attackers combine these operators in clever ways, it's called Google Dorking.
These operators are the building blocks of any good dork. They allow you to narrow down Google's massive index to just the information relevant to your target.
| Operator | Description | Example | Why it's Useful for OSINT |
|---|---|---|---|
| site: | Limits results to a specific domain or website. | site:example.com | Focuses your entire search on a single target, like example.com, excluding all other sites. This is the foundation of target-specific recon. |
| filetype: | Searches for files of a specific type. | filetype:pdf | Finds documents, reports, or sensitive files like PDFs, DOCs, XLSXs, or even database dumps (sql) that are publicly exposed. |
| intitle: | Finds pages with a specific word in the HTML title. | intitle:"index of" | The classic example. It finds directory listing pages, which can inadvertently expose a server's file structure. |
| inurl: | Finds pages with a specific word in the URL. | inurl:admin | Excellent for finding admin panels, login pages (inurl:login), or specific application paths that aren't linked on the main site. |
| intext: | Searches for a specific word within the body text of a page. | intext:"confidential" | Helps find pages where specific keywords, like "confidential" or "sensitive," appear in the content, potentially flagging exposed internal documents. |
| cache: | Shows Google's cached (snapshot) version of a page. | cache:example.com | Useful for viewing a page's content even if it has been recently changed or taken offline. |
The slide gives an example: site:example.com filetype:pdf
Let's break that down:
So together, this search finds every PDF file on example.com that Google has indexed.
Let’s use nasa.gov as a teaching target.
1. site: operator (foundation of recon)
site:nasa.gov
Shows only pages indexed from NASA.
2. filetype: operator
site:nasa.gov filetype:pdf
3. inurl: operator
site:nasa.gov inurl:login
4. intext: keyword discovery
site:nasa.gov intext:"report"
Example:
site:nasa.gov filetype:pdf "mission"
We are filtering by domain + file type + keyword simultaneously.
Why this works: Companies often put files on public web servers without realizing search engines will find and index them. Error messages, login pages, configuration files—if it's accessible on the web and not password-protected, Google can find it.
The third technique: Shodan.io.
Shodan.io is a search engine.
A search engine is a software system designed to carry out web searches. It searches the World Wide Web in a systematic way for particular information specified in a textual web search query.
Example: Google
How general-purpose search engines work:
If Shodan is a search engine, what makes it different from Google? Google searches websites. Shodan searches devices connected to the internet.
Google
- General-purpose search engine for indexing and retrieving web pages and public content.
- News, websites, images, maps, shopping, etc.
Shodan
- A specialized search engine for internet‑connected devices (IoT, servers, webcams, routers, etc.).
- Indexes services, open ports, and device banners, not web pages.
What Do They Search?
Google
- HTML pages, documents, videos, images, and public web content.
- Uses crawlers to follow hyperlinks and index content.
Shodan
- Networked devices and services.
- Scans IP addresses and records things like:
- Open ports (e.g., 80, 443, 22)
- Protocols (HTTP, SSH, FTP, Modbus, etc.)
- Banner info (software versions, headers)
Example Outputs
Google query:
best coffee shops in Tokyo
→ list of webpages, maps, reviews
Shodan query:
port:22 country:US
→ list of devices with SSH open in the U.S.
Shodan constantly scans the entire internet, connecting to every IP address and collecting 'banners.'
A banner is the initial information a service sends when you connect to it, like 'Hello, I'm an Apache web server version 2.4.49' or 'Hello, I'm a default login screen for a security camera.'
(Demonstration with examples): An attacker might search Shodan for:
We've gathered all the public information we can (IP addresses, hostnames, etc). Now it's time to engage directly with the target. This is Active Scanning.
(Definition): 'Active scanning is a proactive cybersecurity technique involving the intentional probing and examination of systems, networks, or applications to identify vulnerabilities, weaknesses, or security issues.'
Characteristics:
You are no longer just observing. You are initiating contact with the target. You send packets, establish connections, and request information. You are actively asking questions:
How It Works:
Examples of Proactive Engagement:
Proactive engagement is the only way to discover certain information:
Active scanning is the core activity of penetration testing. When an ethical hacker is authorized to assess a system, they actively probe it to find weaknesses before real attackers do.
The Ethical Framework:
Common Tools: Nmap, Nessus, and OpenVAS.
There are two main categories of active scanning: Host Scanning and Port Scanning.
But before exploring host and port scanning, what is a host and what is a port?
Host
A host is any device connected to a network that has an IP address and can send or receive data.
Examples of hosts:
In simple terms:
If it has an IP address and communicates on a network, it’s a host.
When we talk about host scanning, we are asking:
“Which IP addresses are alive?”
Port
While the IP address identifies the device, the port identifies the specific service running on that device.
When we talk about port scanning, we are asking:
“Which services are open on this live host?”
Host Scanning answers a simple question: 'Which systems on this network are actually alive and responding?'
Think about a typical company network. It might have thousands of IP addresses. But not every IP address corresponds to an active computer. Some might be unused. Some might be printers. Some might be servers. Before an attacker can dig deeper, they need a map of live targets.
(How do you know if a host is alive?)
You ask it. You send a packet and see if it replies.
The slide lists three techniques:
This is the most basic. You send an ICMP Echo Request packet. If the host is alive and not blocking ICMP, it sends back an Echo Reply. Simple. But many organizations block ICMP at their firewalls, so a lack of reply doesn't always mean the host is dead.
Even if ICMP is blocked, many hosts will still respond to TCP probes. You send a TCP packet with the ACK flag set, or the SYN flag set, to a common port (like port 80 for web, or port 443 for HTTPS). If the host is alive, it will often respond with a RST (reset) packet, even if the port is closed. That response tells you the host exists.
This one only works on your local subnet—the network segment you're directly connected to. ARP (Address Resolution Protocol) is how your computer asks, 'Who has this IP address?' Every device on the local subnet must respond to ARP requests. So ARP scanning is the fastest and most reliable way to find live hosts on your own local network. It's like shouting in a room—everyone has to answer.
Once you know a host is alive, the next question is: 'What services is it running?' That's Port Scanning.
There are 65,535 possible TCP ports and 65,535 possible UDP ports.
A port scanner tries connecting to each port to see which ones are 'open', meaning a service is listening there.
The slide mentions three scanning techniques:
Key characteristics:
Example handshake:
Scanner → SYN → Target
Target → SYN-ACK → Scanner
Scanner → ACK → Target (connection established)
So the connection is never fully established.
Example:
Scanner → SYN → Target
Target → SYN-ACK → Scanner
Scanner → RST → Target
Key characteristics:
(Nmap demonstration): The most famous port scanner is Nmap. A basic command like nmap -sS 192.168.1.100 performs a SYN scan on the most common 1000 ports.
Within seconds, you get a list:
22/tcp open ssh
80/tcp open http
443/tcp open https
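As an added, defender-side example (not part of the original notes), the following Python flags the two probe patterns described above in a batch of firewall log lines: a TCP-probe host sweep (one source, one port, many hosts) and a SYN port scan (one source, one host, many ports). The log format, the sample lines and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log, format: <epoch> <src> -> <dst>:<dport> <tcp_flags>
# 10.0.0.5 probes many ports on one host (SYN scan), 10.0.0.9 probes port 80
# on many hosts (TCP host sweep), 10.0.0.7 is an ordinary HTTPS client.
SAMPLE_LOG = """\
1700000000 10.0.0.5 -> 192.168.1.100:22 S
1700000000 10.0.0.5 -> 192.168.1.100:80 S
1700000001 10.0.0.5 -> 192.168.1.100:443 S
1700000001 10.0.0.5 -> 192.168.1.100:3389 S
1700000002 10.0.0.5 -> 192.168.1.100:445 S
1700000002 10.0.0.5 -> 192.168.1.100:21 S
1700000003 10.0.0.9 -> 192.168.1.1:80 S
1700000003 10.0.0.9 -> 192.168.1.2:80 S
1700000004 10.0.0.9 -> 192.168.1.3:80 S
1700000004 10.0.0.9 -> 192.168.1.4:80 S
1700000005 10.0.0.9 -> 192.168.1.5:80 S
1700000006 10.0.0.7 -> 192.168.1.100:443 S
1700000007 10.0.0.7 -> 192.168.1.100:443 A
"""


def parse_line(line):
    """Split one constructed log line into (ts, src, dst, dport, flags)."""
    ts, src, _arrow, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(port), flags


def detect_scans(log_text, port_threshold=5, host_threshold=5):
    """Count distinct ports per (src, dst) and distinct hosts per (src, dport)
    over SYN-only packets. A SYN scan shows up as many ports on one host, a
    TCP host sweep as one port on many hosts. Returns {src: [finding, ...]}.
    A production detector would also bound the counts by a time window and
    add a matching rule for ACK probes, which this example ignores."""
    ports_per_host = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    for raw in log_text.splitlines():
        _ts, src, dst, dport, flags = parse_line(raw)
        if flags != "S":                # this example counts SYN probes only
            continue
        ports_per_host[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    findings = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings.setdefault(src, []).append(
                f"port scan of {dst}: {len(ports)} ports")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.setdefault(src, []).append(
                f"host sweep on port {dport}: {len(hosts)} hosts")
    return findings


if __name__ == "__main__":
    for src, notes in detect_scans(SAMPLE_LOG).items():
        print(src, "->", "; ".join(notes))
```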
Before enumeration and fingerprinting, you know basic facts:
After enumeration and fingerprinting, you know:
This is the difference between a map and a detailed reconnaissance report. The map tells you where things are. The report tells you exactly what those things are, how they're configured, and how to exploit them.
Enumeration is the active process of extracting detailed information about network resources, users, shares, services, and configurations. It often involves authenticated or unauthenticated queries to systems to gather data such as user accounts, group memberships, and shared folders.
Key Characteristics:
What Enumeration Reveals:
| Category | Examples |
|---|---|
| Users | Local usernames, domain users, administrator accounts |
| Groups | User groups, administrative groups, group memberships |
| Shares | Network file shares, printer shares, hidden shares |
| Services | Running services, service accounts, service configurations |
| Applications | Installed software, versions, patch levels |
| System Information | Hostname, domain membership, time zone, roles |
| Network Information | Interfaces, routes, DNS servers, trust relationships |
| Security Policies | Password policies, account lockout thresholds, audit settings |
Fingerprinting is about identifying specific characteristics of systems, such as the operating system, running services, and software versions, typically to assess potential vulnerabilities. It can be active (sending crafted packets and analyzing responses) or passive (monitoring network traffic).
Key Characteristics:
What Fingerprinting Reveals:
| Category | Examples |
|---|---|
| Operating System | Windows 10, Ubuntu 20.04, iOS 15, Cisco IOS 12.4 |
| Service Versions | Apache 2.4.41, OpenSSH 8.2p1, MySQL 5.7.35 |
| Application Versions | WordPress 5.8, Jenkins 2.303, Exchange 2016 CU22 |
| Hardware Models | Cisco 2911 router, HP ProLiant DL380, iPhone 12 |
| Firmware Versions | BIOS version, router firmware, printer firmware |
| Aspect | Enumeration | Fingerprinting |
|---|---|---|
| Primary Focus | Resources, users, shares, configurations | OS, services, versions |
| Nature | Extractive - pulls data from the system | Identifying - determines what something is |
| Interaction Level | Often deeper (listing, querying, browsing) | Often lighter (banner grabbing, packet analysis) |
| Authentication | Often requires credentials for depth | Usually unauthenticated |
| Output | Lists of users, shares, groups | OS type, version numbers, service names |
| Example | enum4linux listing SMB shares | nmap -sV identifying Apache version |
They Work Together:
This slide lists the specific services we're going to dive into. These are the most common services you'll encounter in penetration testing and real-world attacks:
Each of these services leaks information. Each can be misconfigured. Each can be a pathway into a network.
SMB (Server Message Block) is the primary protocol used by Windows systems for file sharing, printer sharing, and inter-process communication over a network.
How SMB Works
SMB operates in a client-server model:
The Basic Process:
Why attackers love SMB:
EternalBlue was an SMBv1 vulnerability that powered the WannaCry ransomware outbreak in 2017. It allowed attackers to take over entire systems without any credentials.
What Is a Null Session?
A null session is an SMB connection established without a username or password. The client essentially says, "I'm nobody," and the server responds with whatever information it's configured to share anonymously.
Guest Sessions:
The Guest account is a built-in Windows account with no password. If enabled, anyone can authenticate as Guest and gain access to resources the Guest account can access. Often, this includes the ability to enumerate significant information.
What Attackers Get from Null/Guest Sessions:
| Information | How It Helps Attackers |
|---|---|
| User Lists | Valid usernames for password attacks or phishing |
| Share Lists | Targets for data theft; potential entry points |
| Domain Information | Understanding network structure for lateral movement |
| Password Policies | Fine-tune brute-force attacks to avoid lockouts |
| SID Mapping | Translate between usernames and security identifiers |
Common Problems:
1. List shares with smbclient (Null Session)
smbclient --no-pass -L //<IP>
Breaking it down:
Why this works:
This tries a "null session" - connecting with no credentials. On poorly configured Windows systems (especially older ones), this is allowed and reveals all shared folders. It's like walking up to a building and the receptionist giving you a complete directory without asking who you are.
Example output:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Documents Disk
Printers Disk
2. List shares with CrackMapExec
crackmapexec smb <IP> -u user -p pass --shares
Breaking it down:
Why this is different:
Unlike the null session approach, this uses actual credentials. CrackMapExec is more sophisticated and can also check for vulnerabilities, password policies, and other system information.
What makes it powerful:
3. Access a share with smbclient
smbclient //<IP>/<share>
Breaking it down:
What happens next:
It may prompt you for a username and password, or it may not.
Once connected, you get an FTP-like interface with commands:
Example session:
smb: \> ls
. D 0 Mon Jan 15 10:30:00 2024
.. D 0 Mon Jan 15 10:30:00 2024
reports D 0 Mon Jan 15 09:15:00 2024
invoice.pdf A 24576 Mon Jan 15 08:45:00 2024
smb: \> get invoice.pdf
getting file \invoice.pdf of size 24576 as invoice.pdf (125.8 kb/s)
4. Mount a share
What is "Mounting" in Simple Terms?
Think of mounting like plugging in a USB drive:
- When you plug in a USB drive, it "appears" as a new folder on your computer (like /media/usb or D:\ on Windows)
- You can then open files from that USB drive using normal programs like they're on your own computer
- When you're done, you "eject" it safely
Mounting a network share is exactly the same concept, but instead of a physical USB drive, the files are coming from another computer over the network.
mount -t cifs //<IP>/<share> /mnt/share
Breaking it down:
When you specify -t cifs, you're telling Linux: "Use the CIFS driver to handle all interactions with this remote folder." This driver acts like a translator between your Linux system and the Windows/SMB server.
Why mounting is useful:
Instead of using a special client with limited commands, mounting integrates the remote share into your normal filesystem. You can then:
Before mounting:
# You have to use special commands:
smbclient //192.168.1.100/Reports
smb: \> ls
smb: \> cd finance
smb: \> get quarterly-report.pdf
# Then you have to exit and open the file locally
After mounting:
# After mounting, the remote files just look like local files:
cd /mnt/company-reports
ls # Works like normal!
cd finance # Just like a local folder
cp quarterly-report.pdf ~/Documents/ # Copy like any file
firefox /mnt/company-reports/index.html # Open directly in browser
FTP, File Transfer Protocol, is one of the oldest protocols on the internet. It's designed for transferring files between a client and a server.
Key weaknesses:
Key commands:
ftp <IP>
This opens an FTP session. You'll be prompted for username and password.
Username: anonymous
Password: anonymous
This is the standard way to test for anonymous FTP access.
get <filename>
Once connected, this downloads a file from the server.
put <filename>
If you have write permissions, this uploads a file to the server. Attackers love this—they might upload a web shell or malicious script.
hydra -L users.txt -P passwords.txt <IP> ftp
Hydra is a fast login cracker. This command tries every combination of usernames from users.txt and passwords from passwords.txt against the FTP service.
RDP, Remote Desktop Protocol, is Microsoft's protocol for remote GUI access. It's what you use when you connect to another Windows computer and see its desktop on your screen. System administrators love it because they can manage servers from anywhere.
Attack surface:
Mainly authentication weaknesses and misconfigurations: Because RDP’s network exposure is limited, most attacks target how it’s configured or accessed, not some obscure protocol flaw.
Common issues include:
Key tools and commands:
rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries <IP> -u <Username> -p <Password>
This connects with a specific screen size (-g) and mounts a local folder (/usr/share/windows-binaries) as a drive on the remote system. That's powerful—you can transfer files both ways.
xfreerdp /u:<username> /v:<IP>:<Port>
FreeRDP is another excellent RDP client with many features.
hydra -t 1 -V -f -L users.txt -P passwords.txt rdp://<IP>
crackmapexec rdp <IP> -u users.txt -p passwords.txt
CrackMapExec can also test credentials against RDP.
SSH stands for Secure Shell. It is a network protocol that allows you to securely operate network services over an unsecured network. Its most common use is for remote login to computer systems by system administrators or developers.
In simple terms, using it you can open someone else's terminal remotely.
Unlike FTP, which sends everything in cleartext, SSH encrypts all communication: usernames, passwords, and the session data itself.
Why it's secure:
SSH uses a standard client-server model:
Key commands:
ssh <username>@<IP>
You'll be prompted for the password.
For example, to connect to a server with IP 192.168.1.100 as the user root:
ssh root@192.168.1.100
First, set proper permissions on your private key:
chmod 600 <private_key>
SSH is strict about permissions. If your private key is readable by anyone else, SSH refuses to use it, for security reasons.
Then connect:
ssh <username>@<IP> -i <private_key>
The -i specifies which private key file to use.
Some older versions have vulnerabilities that allow authentication bypass or information disclosure.
You can often see the version by connecting with a tool like Netcat or Nmap.
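The banner formats this section and the Shodan section describe, the SSH identification string that nc returns (the SSH-2.0-OpenSSH_7.4 line in the example below) and the HTTP Server header that Shodan records for a web server such as the Apache 2.4.49 example earlier, can be parsed into fields for an asset inventory. This is an added example, not code from the notes; it assumes the Apache banner's literal header form is Apache/2.4.49, and the baseline minimum versions it checks against are constructed placeholders.

```python
import re


def parse_ssh_banner(banner):
    """Parse an SSH identification string (RFC 4253 form
    'SSH-<protoversion>-<softwareversion> [comments]'), e.g.
    'SSH-2.0-OpenSSH_7.4'. Returns None if the line is not an SSH banner."""
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?$", banner.strip())
    if not m:
        return None
    proto, software, comments = m.groups()
    # OpenSSH writes product_version; other servers may have no underscore
    product, _, version = software.partition("_")
    return {"service": "ssh", "proto": proto, "product": product,
            "version": version, "comments": comments or ""}


def parse_http_server(header):
    """Parse the value of an HTTP Server header such as 'Apache/2.4.49 (Ubuntu)'
    (assumed literal form of the 'Apache ... 2.4.49' banner in the notes)."""
    m = re.match(r"([^/\s]+)(?:/(\S+))?(?:\s*\((.*)\))?", header.strip())
    if not m:
        return None
    product, version, comments = m.groups()
    return {"service": "http", "product": product,
            "version": version or "", "comments": comments or ""}


def version_tuple(version):
    """'7.4p1' -> (7, 4, 1), '2.4.49' -> (2, 4, 49): numeric parts only,
    good enough for an 'is this older than the baseline?' comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def below_minimum(parsed, minimums):
    """True when the banner's version is older than the baseline for its
    product. `minimums` is a constructed baseline such as {'OpenSSH': '8.0'};
    it is an illustrative placeholder, not a vulnerability database."""
    floor = minimums.get(parsed["product"])
    if not floor or not parsed["version"]:
        return False
    return version_tuple(parsed["version"]) < version_tuple(floor)


if __name__ == "__main__":
    baseline = {"OpenSSH": "8.0", "Apache": "2.4.50"}   # constructed values
    for text, parser in (("SSH-2.0-OpenSSH_7.4", parse_ssh_banner),
                         ("Apache/2.4.49 (Ubuntu)", parse_http_server)):
        info = parser(text)
        print(info, "older than baseline:", below_minimum(info, baseline))
```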
Example:
# Method 1: From outside (like an attacker would)
nmap -sV -p 22 target-server.com
# or
nc target-server.com 22
# Returns: SSH-2.0-OpenSSH_7.4
What is DNS?
When you type www.google.com into your browser, your computer doesn't know what IP address that is. It asks a DNS server, which responds with something like 142.250.185.46. Then your browser can connect.
But DNS does much more than just translate names to IPs.
The slide lists key purposes:
Example: You open a web browser and type www.google.com.
Example: In an office, you don't want employees walking around with a sticky note full of IP addresses. You want them to access resources by a consistent name that IT can manage centrally.
Example: A massive multinational corporation has branches in the USA, Europe, and Asia.
Why attackers love DNS:
DNS servers know a lot about an organization's internal structure. If an attacker can query an internal DNS server, they can discover:
This slide shows the DNS hierarchy, which is crucial to understanding how DNS works and what information is available.
Let me draw this for you:
[Root] (.)
|
[Top-Level Domains]
.com .org .net .edu
|
[Second-Level Domain]
example.com
|
[Subdomains]
www.example.com
mail.example.com
admin.example.com
What Happens During a DNS Request?
If a computer wants to find dev.example.com:
Why this matters for reconnaissance: If you can get a list of all subdomains for a target, you've discovered their entire internet-facing infrastructure. Tools like dnsrecon, dnsenum, and even search engines can help find subdomains.
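To make the hierarchy concrete, here is an added Python simulation (not from the original notes) of the referral chain a resolver follows for dev.example.com: root, then the .com servers, then the zone's own nameserver. The zone data and nameserver names are constructed for the example and use documentation address space, not real records.

```python
# Constructed zone data (documentation addresses, not real records). Each
# zone answers only for names it holds and refers everything else downward.
ZONES = {
    ".": {"delegations": {"com.": "ns.tld-servers.test."}, "records": {}},
    "com.": {"delegations": {"example.com.": "ns1.example.com."}, "records": {}},
    "example.com.": {
        "delegations": {},
        "records": {
            "example.com.": {"NS": "ns1.example.com.", "MX": "mail.example.com."},
            "www.example.com.": {"A": "203.0.113.10"},
            "mail.example.com.": {"A": "203.0.113.25"},
            "dev.example.com.": {"A": "203.0.113.20"},
        },
    },
}


def _fqdn(name):
    """Normalise to the trailing-dot form used as keys in ZONES."""
    return name if name.endswith(".") else name + "."


def resolve(name, rtype="A"):
    """Walk the hierarchy from the root, taking one referral per step.
    Returns (answer, trail); answer is None when no server holds the record,
    and trail lists (zone, action) pairs so the path taken is visible."""
    name, zone, trail = _fqdn(name), ".", []
    while True:
        zone_data = ZONES[zone]
        held = zone_data["records"].get(name, {})
        if rtype in held:
            trail.append((zone, "answer"))
            return held[rtype], trail
        # Referral: the delegated child zone that is a suffix of the query name
        child = next((z for z in zone_data["delegations"]
                      if name == z or name.endswith("." + z)), None)
        if child is None:
            trail.append((zone, "no such record"))
            return None, trail
        trail.append((zone, f"referral to {child} via {zone_data['delegations'][child]}"))
        zone = child


def names_in_zone(zone):
    """Every hostname the zone's authoritative server holds: this is the
    subdomain list that reconnaissance tools try to reconstruct from outside."""
    return sorted(ZONES[_fqdn(zone)]["records"])


if __name__ == "__main__":
    answer, trail = resolve("dev.example.com")
    for zone, action in trail:
        print(f"{zone:14} {action}")
    print("dev.example.com ->", answer)
```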
Common DNS record types:
What attackers look for:
dig ANY @<DNS_IP> <DOMAIN>
Let's break this command down:
Example: dig ANY @8.8.8.8 example.com
What you might get back:
Why this is powerful: One command can reveal the entire public DNS configuration of a target domain. From there, you can start investigating each discovered server, each mail server, each nameserver.