[ Pen Testing ] :: Step by Step: Reconnaissance


In this “passive” phase of a pen test, the tester will be exploring the scope of their pen test contract. This may be an IP range, a domain, a company or anything else with digital assets.

In a real pen test, you can’t expect to make a lot of noise and be ignored, not unless you want to get banned by an IDS for an hour or three. (Be ready to change MAC addresses often.) So while the tools, like nmap, may be familiar, the techniques are necessarily a lot more careful.


This tool, which automates Censys and Shodan searches, is available in both Javascript and Python versions:



You will need Censys and Shodan API keys:



Follow the installation instructions on GitHub, then run it like this:

./csrecon.py target_org_name


Don’t scan directly from your Kali machine; get someone else to do it for you! Scanless is a “command-line utility for using websites that can perform port scans on your behalf.”

See https://github.com/vesche/scanless . You’ll have to compile this tool yourself, though.

Database Recon

Probably the king of these kind of tools is sqlmap. It’s noisy and will likely be detected by an IDS (and get you banned). But it does allow you to change the user-agent flag to disguise the source:

sqlmap --user-agent=Firefox/4.0


nmap -sS

… is NOT silent or stealthy! Use a ping scan instead:

nmap -sn

Then run an -sS scan only on a single target.

Remember to create an iptables rule that drops packets from your IP address so that it’s not disclosed:

iptables -A OUTPUT --dest -j DROP

Reducing Noise During Penetration Testing

From this excellent StackExchange article:


Do you already have the answer? Does someone else?

Have you already done a scan? Is it accurate enough for now?

Has someone else done a scan for you, like Shodan or CSrecon?

Does ARP provide enough info? (netdiscover, arp-scan, arping)

Try other tools for packet capture, like bettercap.

Try Xerosploit, a combo of bettercap and nmap.

Can someone else do the scan for you?

Try scanless above.

Use the nmap ipidseq NSE script to try idle scanning.

Use dnmap: “dnmap is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and send those commands to each client connected to it.”

Use nmap cleverly, keeping your scans small, quiet and normal-looking. Check out this excellent article: http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-part-2.html

Use a TCP connection scrambler, for instance sniffjoke.

Try hyper-minimized scans with pbscan.

Run Nmap and Metasploit simultaneously with metasploitHelper.

If you’re exploring Active Directory and already have some credentials, then do SPN scanning before IP/ICMP/TCP/UDP scanning.

Pivot with tools such as portia, autoDANE, and CrackMapExec.

Read the full article for more excellent advanced scanning techniques: