The Beginner Guide of Reconnaissance

What is Reconnaissance?

Let me explain the idea in simple words basically, reconnaissance also known as recon is a process to gather information. While approaching a BugBounty target we perform recon to collect information about our target, so we can use them for further assessment!

Recon Purpose

  • Scope Identification

    It’s possible to misunderstand your target scope and miss the assets related to the target! recon comes here for the rescue

  • Discover attack surface

    It doesn’t matter how strong you are, if you don’t know where to put your strength

  • Discover unseen parts

    If you are in a place where no one else came before. then welcome you are the king here!

Recon Category

  • Active Recon

    • DNS - Subdomain Enumeration
    • HTTP - Content Discovery
    • PORT - Open Port & Service Scan
  • Passive Recon

    • DNS - Subdomain Enumeration
    • HTTP - Content Discovery
    • PORT - Open Port & Service Scan

Active Recon

while performing active recon we ask our target if it has what we requested. Sometimes you will see no matter what you request you get valid but false results. well, here you have to perform some filtering. how! will discuss on next advance writeups. as this one is dedicated to beginners only.

Passive Recon

while performing passive recon we request third-party services to send us our target information from their collection database. by doing this we don’t send any request to our target, we only communicate with third parties

DNS - Subdomain Enumeration

you have your target, but is it the only thing you have? well, your target may have subdomains that you have to enumerate. how? by performing DNS enumeration. a good DNS enumeration may contain all Active, Passive & Permuted methodology.


HTTP - Content Discovery

In this process, our main aim is to discover our target assets. it can be files, folders, parameter, endpoint anything that our target build with.


PORT - Open Port & Service Scan

suppose you are in a room that has two different doors. so generally you will have two different entry points in a single room. in the same way, we use PORT to run different services from a single host. open ports may open the door for you to attack and information about services may help you to pick the right weapon for that specific target.



I am not going to mention any of the tools intentionally, It’s so pathetic to see how you guys blindly relay over random tools without even knowing the purpose. I am giving you this assessment to find out about the tooling section and let me know which tool or workflow worked great for you. in this way we can have a full discussion and may get back interesting stuff!


Well, you may think now you have good knowledge about recon and can find cool vulnerabilities. but wait, it’s not that easy & simple. recon has its own dark side as well. if you are not mature enough to understand the data you have, then welcome you are in the recon loop. what actually happens in this case, you will never know if your recon process is done or if you should do more!

For now, digest this small information & resources, see you next time with some advance and more detailed recon ideas!