Information Gathering

Information gathering — also known as reconnaissance — is the very first stage of any penetration test, and arguably one of the most crucial. The aim is simple: collect as much relevant information as possible about your target, whether it’s an individual, a website, a company, or an entire system.

The specific details you collect will depend on the scope of the engagement; for example, on a website you would want to find out which web technology is being used or the IP

Passive

Passive information gathering means collecting data about the target without directly interacting with it. In other words, the target remains unaware of your reconnaissance activities. This typically involves exploring data that’s already publicly available online.

Example: Looking up the IP address of a web server, checking its domain registration details, or inspecting the site through a browser to identify the underlying technologies.

Typical Data Collected Passively:

  • IP addresses, DNS records, domain names, and WHOIS data

  • Email addresses and social media accounts

  • Technologies used, subdomains, and infrastructure hints


Active

Active information gathering involves direct interaction with the target to uncover more detailed insights. Because this method engages the target’s systems, explicit authorization is mandatory. The activity will often be detectable by the target.

Example: After finding the server’s IP address during passive recon, you could run a port scan with nmap to identify open ports and running services, then investigate those services for exploitable vulnerabilities.

Typical Data Collected Actively:

  • Open ports and running services

  • Details about internal infrastructure and network topology

  • Enumerated user accounts, shared resources, and other technical details
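The point above that active recon is usually detectable by the target can be shown from the defender's side. The following Python detector is an added example, not code from the original page: it reads constructed firewall-style log lines and flags any source that touches many distinct ports on one host within a short window. The log format, the 60-second window and the 10-port threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real product's format):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Constructed sample: one source probes 12 ports on a host within 12 seconds
# (a sweep signature); a second source makes a single ordinary HTTPS connection.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} src=203.0.113.7 dst=192.0.2.10 dport={p} action=DROP"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + ["2024-05-01T10:05:00 src=198.51.100.4 dst=192.0.2.10 dport=443 action=ACCEPT"]
)


def parse_events(log_text):
    """Parse log lines into (timestamp, src, dst, dport) tuples, sorted by time.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_port_sweeps(log_text, window_seconds=60, min_ports=10):
    """Return {(src, dst): max_distinct_ports} for every source/destination pair
    that hit at least min_ports distinct ports inside some sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_events(log_text):
        by_pair[(src, dst)].append((ts, dport))  # lists stay time-ordered
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until hits[start..end] fits in it.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct >= min_ports:
                flagged[pair] = max(flagged.get(pair, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(detect_port_sweeps(SAMPLE_LOG))
```

Real deployments tune the window and threshold to their own baseline, since a slow scan spread over hours will not trip a 60-second window.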
