5 stages of penetration testing explained

Active and passive reconnaissance

Passive reconnaissance

Passive reconnaissance doesn’t include using actual pentesting utils, but rather is an analysis of what the organization looks like from within. The good start is to google as much information as you can about the target. You can search for job openings, financial reports, office photos. Especially useful information can be found on LinkedIn, Glassdoor, and the company’s blog.

Passive reconnaissance tools


  • crt.sh analyzes website certificates and shows you all subdomains attached (e.g. you can learn the company’s less secure development environment)
  • hunter.io searches known emails with a company’s domain
  • crunchbase.com has a ton of information about companies and employees
  • HaveIBeenPwned provides you information about company’s emails that been hacked
  • theharvester collects target’s footprint on the web using most of the popular search engines


Active reconnaissance

Active reconnaissance is performed on a target company’s website or network directly.

Active reconnaissance tools


  • dig, nmap, nslookup, dnsrecon, netcat for network analysis
  • bluto for DNS lookup and multiple other recon activities

Enumerating information about the target

Accessing the target

Keeping access to the target

Hiding traces