Web Penetration Testing with Kali Linux
Chapter 2. Reconnaissance
The term Reconnaissance, by definition, comes from the military warfare strategy of exploring beyond the area occupied by friendly forces to gain information about the enemy for future analysis or attack. Reconnaissance of computer systems is similar in nature: a Penetration Tester or hacker will typically attempt to learn as much as possible about a target's environment and system traits prior to launching an attack. This is also known as establishing a Footprint of a target. Reconnaissance is typically passive in nature and in many cases not illegal to perform (however, we are not lawyers and cannot offer legal advice), as long as you don't complete a three-way handshake with an unauthorized system.
Examples of Reconnaissance include researching a target on public sources such as Google, monitoring employee activity to learn operation patterns, and scanning networks or systems to gather information such as manufacturer type, operating system, and open communication ports. The more information that can be gathered about a target, the better the chance of identifying the easiest and fastest method to achieve a penetration goal, as well as the best method to avoid existing security. Also, alerting a target will most likely cause certain attack avenues to close as the target reacts by preparing for an attack. Kali's official slogan says this best:
"The quieter you become, the more you are able to hear"
Reconnaissance services should include heavy documentation, because data found may be relevant at a later point in the penetration exercise. Clients will also want to know how specific data was obtained, and will ask for references to resources. Examples are the tools used to obtain the data or the public-facing resources consulted, such as the specific search query submitted to Google. Informing a customer "you obtained the goal" isn't good enough, because the purpose of a Penetration Test is to identify weaknesses for future repairs.