PT0-002 · Chapter 3 of 104 · Objective 2.1

OSINT and Passive Reconnaissance

This chapter covers OSINT (Open Source Intelligence) and passive reconnaissance, the techniques used to gather information about a target without direct engagement. For the PT0-002 exam these topics are critical because they form the foundation of the reconnaissance phase (Objective 2.1). Approximately 10-15% of exam questions touch on reconnaissance, with a significant portion focusing on OSINT tools and methods. You will learn how to collect data from public sources, leverage search engines, social media, and specialized tools, and understand what can be gathered without ever touching the target versus what crosses into active reconnaissance.

25 min read
Intermediate
Updated May 31, 2026

Digital Footprints Like Sandcastle Tracks

Imagine you are a detective investigating a suspect without ever approaching them. You walk around their neighborhood, looking at what they leave behind: footprints in the sand, items in their trash, public records of their property, and social media posts visible from the street. You never knock on their door or speak to them. This is passive reconnaissance — gathering information without direct interaction. OSINT is like searching all public libraries, court records, news archives, and social platforms for any mention of the person. Each piece of data is a clue: their name, address, employer, hobbies, associates. The more you collect, the clearer their profile becomes. But you must be careful: some information may be outdated or planted to mislead. In cybersecurity, OSINT tools automate this process, scouring the internet for domains, IPs, email addresses, and leaked credentials. Just as a detective would compile a dossier from public sources, a penetration tester builds a target profile from open data — before ever scanning a port or sending a packet.

How It Actually Works

What is OSINT and Why It Exists

OSINT refers to intelligence gathered from publicly available sources. In penetration testing, passive reconnaissance means collecting data without directly interacting with the target systems. This is the first step in the ethical hacking methodology because it is low-risk, carries little chance of overstepping the rules of engagement, and can reveal a wealth of information. The PT0-002 exam emphasizes that passive reconnaissance generates no traffic from the tester to the target and therefore gives the target nothing to detect or raise an alarm on.

How OSINT Works: The Mechanism

OSINT relies on aggregating data from multiple public sources:

Search engines: Google, Bing, DuckDuckGo, using advanced operators (dorks) to find specific file types, exposed directories, or login pages.

Social media: LinkedIn, Twitter, Facebook, to identify employees, technologies used, and organizational structure.

Public records: WHOIS data, DNS records, SEC filings, government databases.

Code repositories: GitHub, GitLab, for leaked credentials, API keys, or internal documentation.

Shodan/Censys: Search engines for internet-connected devices.

Wayback Machine: Archived versions of websites.

Certificates: Certificate Transparency logs reveal subdomains.

Each source contributes pieces to a puzzle. The tester correlates this data to build a comprehensive target profile including:

Domain names and subdomains

IP address ranges

Email addresses and usernames

Employee names and roles

Technologies in use (web servers, frameworks, CMS)

Third-party services (CDN, hosting providers)

Physical locations

Leaked credentials (via Have I Been Pwned or paste sites)

Key Components and Tools

WHOIS Lookup: Queries domain registration databases. Returns registrar, registrant contact, creation/expiration dates, name servers.

Command: whois example.com

Exam tip: The exam may ask what information is available via WHOIS: registrant name, organization, address, phone, email (unless privacy redacted).

DNS Enumeration: Passive DNS, as the exam uses the term, means querying a public resolver or a passive DNS database (historical resolutions recorded by sensors) rather than the target's own name servers. Tools: nslookup, dig, dnsrecon, theHarvester.

Record types: A, AAAA, MX, NS, TXT, SOA, CNAME.

Example: dig example.com ANY asks for every record type, but many servers now answer ANY with a minimal response (RFC 8482), so query specific types (dig example.com MX, dig example.com TXT) for reliable results.

Zone transfer (AXFR) is active; querying a public resolver is treated as passive. Caveat: a recursive resolver that does not have the answer cached will itself query the target's authoritative servers, so the lookup is not invisible, it is just not attributable to the tester's address.

Google Dorking: Using search operators to find specific information. Common dorks:

site:example.com filetype:pdf finds PDFs on the target's domain

inurl:admin finds any URL containing "admin" (not only login pages)

intitle:"index of" finds directory listings

cache:example.com showed Google's cached copy of a page; Google retired this operator in 2024, so use the Wayback Machine for archived pages

Exam expects knowledge of operators like site:, filetype:, inurl:, intitle:, link:. Note that link: (pages linking to a URL) has not returned results for years either; the exam still lists it, so know what it was meant to do.

Shodan: Searches for devices exposed to the internet. Can find open ports, services, banners. Example query: apache country:US.

Exam tip: Shodan is passive because it uses already indexed data; you are not scanning the target.

theHarvester: Python tool that collects emails, subdomains, and IPs from public sources.

Command: theHarvester -d example.com -b google

Sources include: google, bing, linkedin, yahoo, baidu, shodan, dnsdumpster. The -b flag selects one or more sources; several of them need an API key.

Recon-ng: Modular reconnaissance framework with over 100 modules. Can perform WHOIS, DNS, social media scraping, and more.

Example: start recon-ng, install a module with marketplace install recon/domains-hosts/hackertarget, load it with modules load recon/domains-hosts/hackertarget, seed the workspace with db insert domains, then run.

Maltego: Graphical tool for link analysis. Transforms pull data from various sources and the graph visualizes relationships between entities (people, domains, IPs, email addresses).

Exam may ask which tool is best for relationship mapping: Maltego.

Timers and Defaults

WHOIS data has no TTL; it changes only when the registrant updates the record or the registration lapses, and the Updated Date field shows when that last happened.

DNS TTL (Time to Live) values control how long resolvers cache a record. There is no protocol-mandated default; 3600 seconds (1 hour) is common, CDN and failover records often use 300 seconds or less, and static records may use 86400 seconds. A very low TTL is itself a clue that a name sits behind a CDN or load balancer.

Google cached pages for varying periods and the cache: operator showed the most recent snapshot; Google retired the operator in 2024, so use the Wayback Machine for historical copies.

Certificate Transparency logs are updated in near real time. CAs log a precertificate before issuance and logs commit to a maximum merge delay of 24 hours, so in practice new names appear in crt.sh within minutes to hours, often before they resolve in public DNS.

Configuration and Verification

Most OSINT tools require no configuration beyond API keys for some sources (e.g., Shodan, Have I Been Pwned). Verification of findings means cross-referencing multiple sources. For example, if WHOIS shows a domain registered to "John Doe" and LinkedIn shows an employee named John Doe at the target company, the two sources corroborate each other; treat it as a likely match rather than proof, and record the confidence level.

Interaction with Related Technologies

OSINT feeds into active reconnaissance: discovered subdomains become targets for scanning. Email addresses harvested can be used for phishing simulations. Technologies identified (e.g., Apache 2.4.49) inform vulnerability research. The boundary between passive and active is critical: if you send a packet to the target (e.g., DNS query to their server), it becomes active. Using third-party services (like Shodan) that have already scanned the target keeps you passive.

Walk-Through

1

Define the target scope

Begin by identifying the target organization or individual. For a company, note the primary domain name, known subsidiaries, and geographic locations. For an individual, collect their name, known usernames, and email domains. This scope guides all subsequent searches. The PT0-002 exam expects you to understand scope definition as per the rules of engagement. Example: target is "example.com" and its subdomains.

2

Perform WHOIS and DNS lookup

Query WHOIS databases for domain registration details. Use `whois example.com` to get registrant info, name servers, and dates. Then perform passive DNS enumeration: `dig example.com ANY` asks for every record type, but because many servers now answer ANY with a minimal response (RFC 8482), also query specific types such as `dig example.com MX`, `dig example.com NS`, and `dig example.com TXT`. Note MX records for mail servers, NS records for name servers, and TXT records for the SPF policy at the apex and the DMARC policy at `_dmarc.example.com`. This data reveals hosting providers, mail providers, and potential attack vectors. The exam may test your ability to interpret WHOIS output.

3

Conduct search engine reconnaissance

Use Google dorking to find exposed files, directories, and sensitive information. For example, `site:example.com intitle:"index of"` may reveal directory listings, and `site:example.com filetype:pdf` can find documents whose metadata names authors, software versions, and internal paths. The `cache:` operator used to show Google's cached copy of a page that had since been removed; Google retired it in 2024, so use the Wayback Machine for that purpose. Record all discovered URLs. The exam will test specific dork operators and what they reveal.

4

Harvest emails and usernames

Use tools like theHarvester or Recon-ng to collect email addresses associated with the domain. These tools query search engines and social networks. For example, `theHarvester -d example.com -b google` returns emails found in Google search results. Also search paste sites (e.g., Pastebin) for leaked credentials. The exam may ask which tool is best for email harvesting.

5

Analyze social media and public records

Search LinkedIn for employees, their roles, and technologies they mention. Twitter can reveal real-time incidents or technology stacks. Facebook may show organizational structure. Also check SEC filings (for public companies) for financial data and risk factors. Use Maltego to map relationships between people, domains, and IPs. The exam focuses on what information can be legally gathered from social media.

6

Check certificate transparency logs

Use services like crt.sh to query Certificate Transparency logs for TLS certificates issued for the domain. This reveals subdomains that may not be publicly listed. For example, `crt.sh/?q=%.example.com` returns all certificates whose names end in .example.com; append `&output=json` for machine-readable output you can deduplicate (a single certificate often lists several names, and a wildcard entry shows a pattern rather than a host). This is a passive method because you query a public log, not the target's server. The exam expects you to know that CT logs help discover subdomains.

7

Correlate and document findings

Compile all collected data into a report. Cross-reference information: if an IP WHOIS lookup (ARIN, RIPE, etc.) shows the organization's netblock, check Shodan with the net: filter for devices in that range. If emails are found, verify against LinkedIn profiles. Document sources, timestamps, and confidence levels. This report will guide the active reconnaissance phase. The exam may test your ability to prioritize findings, e.g., which data is most useful for a phishing campaign.
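The seven steps above end in correlation, and that is the part worth automating once the raw WHOIS, DNS and crt.sh output is on disk. The following script is an added example for this chapter, not a tool from the page or from any vendor: it parses constructed samples of the three sources (shaped like real crt.sh JSON, a GDPR-redacted WHOIS answer, and `dig +short ... TXT` output), deduplicates certificate names, flags redacted registrant fields while keeping the still-visible organization, pulls the netblocks and third-party senders out of SPF, and emits a dossier with the observations a tester should act on. The domain, registrant, name servers and netblocks are constructed values.

```python
"""Correlate passive-recon artefacts for one target domain into a dossier.
Added example for this chapter, not a tool from the page or any vendor. Inputs
are constructed samples shaped like real crt.sh JSON, WHOIS text and
`dig +short ... TXT` output; nothing is fetched, so it runs offline."""
import json
import re

TARGET = "example.com"

# Constructed: shape of https://crt.sh/?q=%25.example.com&output=json (newline-separated SANs)
CRT_SH_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "staging.example.com"},
    {"name_value": "*.example.com"},
    {"name_value": "vpn.example.com\nWWW.example.com"},
    {"name_value": "example.com.lookalike.test"},
])

# Constructed: a GDPR-era WHOIS answer with the personal fields redacted.
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Corporation
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# Constructed: `dig +short example.com TXT` output, one quoted RDATA per line.
DIG_TXT_SHORT = """\
"v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test mx -all"
"""

REDACTION_MARKERS = ("redacted", "privacy", "rdds", "proxy", "whoisguard")  # heuristic


def subdomains_from_crtsh(raw_json: str, domain: str) -> set:
    """Unique in-scope names: split multi-SAN fields, lowercase, keep wildcards
    (they prove a pattern exists without naming a host), drop lookalikes."""
    suffix = "." + domain
    names = set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if name == domain or name.endswith(suffix):
                names.add(name)
    return names


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' lines; repeated keys such as Name Server accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def registrant_fields(fields: dict) -> dict:
    """Registrant fields with redacted or proxied values mapped to None."""
    out = {}
    for key in ("Registrant Name", "Registrant Organization", "Registrant Email"):
        value = fields.get(key, [None])[0]
        redacted = value is None or any(m in value.lower() for m in REDACTION_MARKERS)
        out[key] = None if redacted else value
    return out


def spf_mechanisms(dig_txt_short: str) -> dict:
    """ip4/ip6 netblocks, include: domains and the 'all' qualifier from an SPF
    record; dig may split one RDATA into several quoted strings, so join first."""
    found = {"ip4": [], "ip6": [], "include": [], "all": None}
    for line in dig_txt_short.splitlines():
        record = "".join(re.findall(r'"([^"]*)"', line))
        if not record.lower().startswith("v=spf1"):
            continue
        for term in record.split()[1:]:
            qualifier = term[0] if term[0] in "+-~?" else ""
            mech, _, arg = term[len(qualifier):].partition(":")
            if mech.lower() in ("ip4", "ip6", "include"):
                found[mech.lower()].append(arg)
            elif mech.lower() == "all":
                found["all"] = qualifier or "+"
    return found


def build_dossier(domain: str, crt_json: str, whois_text: str, txt_answers: str) -> dict:
    names = subdomains_from_crtsh(crt_json, domain)
    whois = parse_whois(whois_text)
    registrant = registrant_fields(whois)
    spf = spf_mechanisms(txt_answers)
    notes = []  # cross-source observations a tester should act on
    if any(n.startswith("*.") for n in names):
        notes.append("wildcard cert logged: CT alone will not enumerate hosts under it")
    if registrant["Registrant Name"] is None and registrant["Registrant Organization"]:
        notes.append("contact redacted; organization visible: " + registrant["Registrant Organization"])
    if spf["include"]:
        notes.append("third-party mail senders: " + ", ".join(spf["include"]))
    return {"domain": domain, "name_servers": whois.get("Name Server", []),
            "hosts": sorted(n for n in names if not n.startswith("*.")),
            "registrant": registrant, "spf": spf, "notes": notes}


if __name__ == "__main__":
    print(json.dumps(build_dossier(TARGET, CRT_SH_JSON, WHOIS_TEXT, DIG_TXT_SHORT), indent=2))
```

Swapping the constructed strings for the real `crt.sh` JSON, `whois` and `dig` output is the only change needed to run this against an engagement; the lookalike entry shows why the suffix check matters, since a naive substring match on the domain would pull attacker-controlled names into scope.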

What This Looks Like on the Job

In a typical enterprise penetration test, the first day is dedicated to OSINT. For a large financial institution, the tester begins by identifying the primary domain (e.g., bigbank.com) and all subsidiaries (bigbank-wealth.com, bigbank-insurance.com). WHOIS reveals the registrar is MarkMonitor, which often indicates a large organization. DNS enumeration shows multiple A records pointing to a CDN (Akamai), making direct IP scanning less useful. However, MX records point to on-premise Exchange servers (mail.bigbank.com). The tester then uses Google dorking to find a PDF of an internal network diagram accidentally uploaded to a public server, a critical find. LinkedIn reveals the IT team, including a network engineer who lists "Cisco ASA" in their profile, suggesting the firewall model. Shodan shows port 22 open on a server with an outdated OpenSSH version. Certificate Transparency logs reveal a staging subdomain (staging.bigbank.com) that is not in the public DNS. The tester also checks Have I Been Pwned and finds several employee emails in past breaches, which could be used for password spraying.

A common mistake is relying on a single source. For example, WHOIS data may be redacted due to GDPR, and the tester might assume the domain is privately registered. In reality, the registrant organization is often still visible in the WHOIS output (e.g., "Registrant Organization: Big Bank Inc."). Another mistake is ignoring TXT records: the SPF policy lists the netblocks and third-party providers authorized to send the company's mail, which maps the mail infrastructure and tells you which brands a convincing phishing pretext would imitate.

In production, OSINT tools like Recon-ng are configured with API keys for Shodan and Have I Been Pwned to automate data collection. Performance is rarely an issue because queries are rate-limited by the sources. The biggest challenge is data overload: a large target may yield thousands of emails and subdomains. Testers must prioritize, focusing on subdomains that resolve to private addresses (RFC 1918, a sign of leaked internal naming) or that show unusual ports.

When OSINT is done carelessly, the tester may miss critical subdomains or waste time on outdated data. For example, using only forward DNS lookups without CT logs might miss a recently added subdomain. Conversely, relying solely on automated tools may miss context that manual searching provides, like a tweet mentioning a new VPN portal.

How PT0-002 Actually Tests This

The PT0-002 exam tests OSINT and passive reconnaissance under Objective 2.1: "Given a scenario, conduct passive reconnaissance." The exam expects you to distinguish between passive and active techniques. Common wrong answers include confusing passive DNS (querying public resolvers or passive DNS databases) with active DNS (zone transfers or queries sent directly to the target's name servers). Another trap is selecting Shodan as an active tool; remember that Shodan is passive because it serves pre-indexed data.

The exam also tests specific Google dork operators: site:, filetype:, inurl:, intitle:, link:. A typical question might present a dork and ask what it reveals. The most common wrong answer is reading inurl:admin as "finds admin login pages"; it matches any URL containing "admin", not just login pages. Another frequent mistake is thinking that WHOIS always provides full registrant details; the exam may present a scenario where privacy redaction is enabled, and you must know that the registrant organization may still be visible.

The exam also tests tools: theHarvester for email harvesting, Recon-ng for modular reconnaissance, Maltego for relationship mapping, Shodan for device discovery. Know the difference in interface: theHarvester is a one-shot command-line tool, Recon-ng has an interactive console, Maltego is a GUI.

Edge cases: what if the target uses a privacy service? WHOIS shows the privacy provider's details, but historical WHOIS data from a third-party archive might still have the real owner. The exam may ask about using the Wayback Machine to find old versions of a site that contained sensitive data. Another edge: certificate transparency logs can reveal subdomains even if DNS does not resolve them (e.g., internal-only names that were issued a public certificate).

To eliminate wrong answers, focus on the mechanism: if the technique sends any packet from you to the target's infrastructure, it is active. If it queries a third-party database or search engine, it is passive. Also remember that passive reconnaissance still has limits: it must stay within the rules of engagement and the terms of service of the sources you use (scraping LinkedIn, for instance, may violate its ToS even though the exam treats viewing it as passive).

Key Takeaways

OSINT is the collection of publicly available information without direct interaction with the target.

Passive reconnaissance sends no traffic from the tester to the target, so the target has nothing to detect; the third-party sources you query still log your activity.

Google dork operators include site:, filetype:, inurl:, intitle:, link:, and cache: (the last two no longer return results in Google, but the exam still lists them).

WHOIS provides domain registration details, but privacy services may redact personal info.

Shodan indexes internet-connected devices and is a passive source.

Certificate Transparency logs (crt.sh) reveal subdomains from SSL certificates.

theHarvester is a command-line tool for email and subdomain harvesting from public sources.

Recon-ng is a modular reconnaissance framework with an interactive console.

Maltego is a GUI tool for link analysis and relationship mapping.

Passive DNS queries public resolvers; active DNS queries the target's servers directly.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

theHarvester

Command-line tool focused on email and subdomain harvesting

Queries search engines (Google, Bing, Yahoo, Baidu) and other public sources such as LinkedIn and Shodan

Limited to specific sources; uses -b flag to specify source

Outputs results to terminal or file; no interactive console

Lighter weight; ideal for quick, focused collection

Recon-ng

Modular framework with over 100 modules for various reconnaissance tasks

Can perform WHOIS, DNS, social media, geolocation, and more

Interactive console with workspaces; allows chaining modules

Requires API keys for some modules; more complex setup

Heavier; better for comprehensive, multi-source reconnaissance

Passive DNS

Queries public recursive resolvers (e.g., 8.8.8.8) or passive DNS databases (e.g., SecurityTrails) that record historical resolutions

No traffic from the tester's address to the target's authoritative servers; on a cache miss the public resolver fetches the answer itself, so the target sees the resolver, not you

Cannot perform zone transfers; a passive DNS database only shows what its sensors have already observed

Not attributable to the tester; the target's DNS logs contain nothing pointing at you

Examples: dig @8.8.8.8 example.com ANY (many resolvers answer ANY minimally, so also query specific types such as MX and TXT), using SecurityTrails

Active DNS

Sends queries directly to target's authoritative name servers

Generates traffic visible in target's DNS logs

Can attempt zone transfer (AXFR) if allowed

Detectable; may trigger alerts

Examples: nslookup example.com ns1.example.com, dig axfr example.com @ns1.example.com
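Because the passive/active line is drawn by where the query goes, it can be checked mechanically before a command is run. The following is an added example for this chapter, not from the page: it parses a dig or nslookup command line, decides whether the destination is one of the target's authoritative servers (a constructed set here, standing in for what WHOIS and a public NS lookup returned), treats any AXFR or IXFR as active regardless of server, and states the caveat that a recursive resolver still fetches uncached answers from the target's servers on your behalf.

```python
"""Pre-flight check: does this DNS command stay passive for the engagement?
Added example for this chapter, not from the page. The destination server
decides which side of the passive/active line a query falls on, and a zone
transfer is active whatever the server. The target NS set is constructed."""
from __future__ import annotations

import shlex

# Constructed: the target's authoritative servers as learned from WHOIS
# "Name Server" lines and a public NS lookup (names and their addresses).
TARGET_AUTHORITATIVE = {"ns1.example.com", "ns2.example.com", "192.0.2.53", "192.0.2.54"}

QTYPES = {"A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "PTR", "SRV", "CAA",
          "ANY", "AXFR", "IXFR"}
TRANSFER = {"AXFR", "IXFR"}


def parse_dns_command(cmdline: str) -> tuple[str | None, str]:
    """Return (server, qtype) for a dig or nslookup command line.
    dig: the server is the '@' token, the type any bare token in QTYPES (default A).
    nslookup: 'nslookup [-type=T] NAME [SERVER]', so the 2nd positional is the server."""
    argv = shlex.split(cmdline)
    tool = argv[0].rsplit("/", 1)[-1]
    server, qtype, positionals = None, "A", []
    for tok in argv[1:]:
        if tok.startswith("@"):
            server = tok[1:]
        elif tok.startswith(("-type=", "-query=")):
            qtype = tok.split("=", 1)[1].upper()
        elif tok.startswith(("+", "-")):
            continue  # other dig/nslookup options do not change the destination
        elif tool == "dig" and tok.upper() in QTYPES:
            qtype = tok.upper()
        else:
            positionals.append(tok)
    if tool == "nslookup" and len(positionals) > 1:
        server = positionals[1]
    return (server.lower().rstrip(".") if server else None), qtype


def classify(cmdline: str, authoritative: set[str] = TARGET_AUTHORITATIVE) -> tuple[str, str]:
    """Label a command 'active' or 'passive' with the reason, the way the exam draws the line."""
    server, qtype = parse_dns_command(cmdline)
    if qtype in TRANSFER:
        return "active", f"{qtype} is a zone-transfer request aimed at an authoritative server"
    if server in authoritative:
        return "active", f"query is sent straight to target name server {server}"
    if server is None:
        return "passive", ("system resolver answers; your address never reaches the target, "
                           "but on a cache miss the resolver itself queries the target's NS")
    return "passive", f"third-party resolver {server} answers; the target sees it, not you"


if __name__ == "__main__":
    for cmd in ("dig @8.8.8.8 example.com ANY", "dig axfr example.com @ns1.example.com",
                "nslookup example.com ns1.example.com", "dig example.com MX"):
        verdict, reason = classify(cmd)
        print(f"{cmd:45} -> {verdict}: {reason}")
```

The four commands in the `__main__` block are the ones this section contrasts; running the script prints their verdicts. The "system resolver" reason is the caveat the exam glosses over: the query is passive from the tester's point of view, but the resolver's own lookup still lands in the target's logs under the resolver's address.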

Watch Out for These

Mistake

WHOIS always provides the actual owner's name and contact info.

Correct

Many domains use WHOIS privacy services (e.g., WhoisGuard, Domains By Proxy) that mask the registrant's details. The registrant organization field may still show the real company name, but personal info is often redacted. The exam may test this by showing a WHOIS output with "REDACTED FOR PRIVACY" and asking what information is available.

Mistake

Google dorking is an active reconnaissance technique.

Correct

Google dorking is passive because you are querying Google's index, not the target's server. The target receives no traffic from your search. The exam explicitly lists Google dorking under passive reconnaissance.

Mistake

Shodan is an active scanning tool.

Correct

Shodan is passive because it provides pre-collected data from its own scans. You are not scanning the target; you are querying Shodan's database. However, if you use Shodan to trigger a new scan of a target, that would be active, but typical usage is passive.

Mistake

All DNS queries are passive.

Correct

Querying public DNS resolvers (like 8.8.8.8) is passive. However, performing a zone transfer (AXFR) directly from the target's authoritative name server is active because it sends a request to the target's infrastructure. The exam expects you to know the difference.

Mistake

Social media reconnaissance is always passive.

Correct

Browsing public profiles is passive. However, sending connection requests or messages is active. The exam considers passive as only viewing publicly available information without interacting with the target's accounts.


Frequently Asked Questions

What is the difference between passive and active reconnaissance?

Passive reconnaissance involves gathering information without directly interacting with the target's systems. You use third-party sources like search engines, public databases, and social media; no packets travel from you to the target. Active reconnaissance sends probes to the target's infrastructure, such as port scans, DNS queries to its name servers, or banner grabbing. The PT0-002 exam emphasizes that passive recon gives the target nothing to detect and is low-risk, while active recon may trigger alarms.

Is Shodan considered passive or active reconnaissance?

Shodan is passive reconnaissance. Shodan continuously scans the internet and indexes the results. When you query Shodan, you are accessing its database, not scanning the target yourself. Therefore, no traffic is sent to the target. However, if you use Shodan to initiate a new scan of a target (via Shodan's scan API), that would be active. For the exam, standard Shodan queries are passive.

What information can be obtained from WHOIS lookup?

Domain WHOIS provides registration details: registrant name, organization, address, phone, and email; the registrar; registration, update, and expiration dates; and name servers. A separate WHOIS lookup of an IP address against the regional registry (ARIN, RIPE, etc.) returns the netblock and the organization it is allocated to. Privacy services may redact personal information, but the organization name may still appear. The exam may test that WHOIS can reveal the domain owner's contact information unless privacy is enabled.

How can certificate transparency logs help in OSINT?

Certificate Transparency (CT) logs record the TLS certificates issued by publicly trusted Certificate Authorities (browsers require logging, so practically every public certificate appears). By querying CT logs (e.g., via crt.sh), you can find all subdomains that have been issued certificates, including names not listed in public DNS. This is passive because you query a public log, not the target. The exam expects you to know that CT logs are a valuable source for subdomain discovery.

What is Google dorking and how is it used in penetration testing?

Google dorking uses advanced search operators to find specific information indexed by Google. Examples: `site:example.com filetype:pdf` finds PDFs; `inurl:admin` finds pages with 'admin' in the URL; `intitle:"index of"` finds directory listings. In pen testing, it can uncover exposed sensitive files, login pages, or configuration files. The exam tests knowledge of operators and what they reveal.

Can social media be used for passive reconnaissance?

Yes, viewing public social media profiles is passive. You can gather employee names, job titles, technologies mentioned, and organizational structure. LinkedIn is particularly useful for identifying IT staff and their skills. However, sending connection requests or messages is active. The exam considers passive as only reading publicly available information without interaction.

What is the difference between theHarvester and Recon-ng?

theHarvester is a simpler command-line tool focused on email and subdomain harvesting from a few sources (Google, Bing, LinkedIn, etc.). Recon-ng is a modular framework with an interactive console that supports many modules for different reconnaissance tasks (WHOIS, DNS, social media, geolocation). Recon-ng is more powerful but has a steeper learning curve. The exam may ask which tool is best for a specific task.

