Hack Like a Pro: How to Conduct Passive Reconnaissance of a Potential Target

How to Conduct Passive Reconnaissance of a Potential Target

Welcome back, my novice hackers!

Most of my tutorials up until this point have addressed how to exploit a target assuming that we already know some basic information about their system. These include their IP address, operating system, open ports, services running, and so on.

Several of you have written me asking how to find this information, so for the next few guides here in Null Byte, I'll be covering reconnaissance. In other words, how to get the information needed to hack your target system.

Why Passive Recon?

Reconnaissance can be divided into at least two categories, active and passive. Active reconnaissance requires that you interact with the target computer system to gain information about it. Although this can be very useful and accurate, it risks detection. If you're detected doing reconnaissance on a system, the system admin may choose to block your IP address and you'll leave a trail to your subsequent activity.

If possible, we would prefer to gather the essential information without ever interacting with the system, thus leaving no trail to trace back to us. That's what passive reconnaissance is.

Although there are a number of ways to conduct passive recon, one of the best ways is to use a website like Netcraft.

Step 1: Navigate a Browser to Netcraft

Let's open a browser and navigate to the Netcraft website. We should see a webpage that looks like this.

Netcraft is a UK company that tracks virtually every website on the planet. From this data, they're able to calculate market share for web servers, uptime, etc., becoming one of the leading authorities for this type of information. They also offer some security services such an anti-phishing extension and phishing alerts.

Another service that Netcraft offers is data about nearly every website. This data can be extremely valuable to the hacker. Notice on the right side of the webpage, the area that asks "What's that site running?"

We can simply type in a domain name and hit enter.

Step 2: Search a Domain

As we can see in the screenshot below, We simply typed in a domain and Netcraft returns results for the domain. Notice that in this case, it returned two sites.

Let's click on the report of the second one.

Step 3: Open the Site Report

Now we can open the site report and get some critical information about this site. We can see at the top of this report, such information as site rank, primary language, IP address, and nameserver.

If we scroll down a bit, we can get some excellent information that would be useful to a potential attacker.

We can see under the heading "Hosting History" the netblock owner, IP address(es), operating system, web server, and when the server was last changed. All of this can be useful to the hacker, including the date last changed. This date generally represents the date the system was last rebooted or updated.

In the case above, we can see it was last updated Sept. 28, 2007. This would imply that any security OS patches that have been supplied in the interim have NOT been applied to this system. As a hacker, this is juicy information as it tells us that any vulnerabilities to this system that have been found since Sept. 28, 2007 are still available on this system as no vulnerability patches have been applied.

Step 4: Site Technology

When we scroll down a bit further, we come to a section titled "Site Technology". Here we get a rundown on the technology the site's running.

This listing provides us with information of what technologies the site is running and from here the hacker can seek out vulnerabilities in these named technologies. This is a boon for the hacker as they don't have to guess what technologies are behind the website. As every hack is specific to a technology, knowing what technologies they are running makes it easier for the hacker to find the appropriate hack.

It's important to note here that Netcraft data is not foolproof. I would give it an 80-85% probability of being correct, and that's high enough to garner valuable recon info on a website.

In my coming coming articles, we will look at additional techniques to scan and do recon on potential targets. Until then, feel free to ask questions on this below, or head the Null Byte forum for any questions off topic.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Camouflaged soldier and Binoculars soldier photos via Shutterstock


Very helpful, hope to learn more.

Hi there.

I've been through you lessons (or most of them, hopefully Ihavent missed one that covers this), very interesting. I've started working against the game-over iso (brilliant resource) but I'm not clear on how to access a private remote client... i was going to run some attacks against an off site network (belongs to my family it IS for educational purposes, have physical access and the outbound IP) but since the ISP provides what boils down to a NAT service I'm confused about how to go about it. Does this scenario boil down to having to run a social engineering vector or is there something I'm missing? I don't want to accidentally NMAP the ISP server...


Welcome to Null Byte!

Attacking a client with a private IP is a bit more difficult. Probably the simplest way is to use a social engineering vector or attack an application on their system such as their browser, Adobe Reader, etc.


Arigaito sensei. I had kind thought that may be the case, but just wanted to confirm with master OTW

what if I want to find out my friend's IP address? how to do that?

Use grabify. There's a video on the site on how it works.


What do you want to do with your friend's IP? If you looking to exploit them, you look at a client side attack.


so how to do that? will that attack allow me to get my friend's IP address? or will that allow me to access my friend's pc/laptop?


Do you want your friend's IP address or do you want access to your friend's PC?


what i really want is the access to my friend's pc. but as i read your post about MitM, i thought that i need my friend's ip address so that i can apply that MitM attack to him.


That attack will only get you the FTP credentials of their machine. If they don't have FTP installed, it won't work.

Attacking an individual machine behind a NAT device is best done through a client side attack such as a malicious link or sending a malicious doc or PDF.


ok i got it. thanks. now my problem is, how can i apply the steps from your post "Hack Like a Pro: Exploit MS Word to Embed a Listener on Your Roommate's Computer" on my pc using Backtrack on a VMware?


I'm not sure I understand your question. Can you be more specific?


how can I run metasploit on backtrack? I'm running backtrack on a vmware.


Metasploit is built into BackTrack.


how can i find this exploit/windows/fileformat/ms10087rtfpfragmentsbof ?
another thing, can I embed a listener to MS Excel?


In the metasploit console, type;

Search platform:windows ms10_087


thanks. last question for now, how can I embed a listener to MS Excel?


There are a number of exploits that take advantage of VBA in all the MS Office products.


Hey OTW,

When I go to the netcraft website and search a domain, under the Hosting History there is no Last Changed but Last Seen in its place. Did netcraft change this ?

Thanks for your efforts!

Hey, I notice most of your hack tutorials focus on websites / web servers. Will your hacks also work on a personal computer? I already know a bit about the target such as the IP address (assuming you mean the public one) and OS. I just need to get remote access and delete a few of my gf's sensitive files off his machine, nothing too complex (hopefully). I figured it could also be a fun project for me since I'm good with computers.


Welcome to Null Byte!

Yes, of course, the hacks will work with a PC. In many cases, it is easier to hack an ordinary PC as they don't have all the security of a web server. Also, it's important to note that every hack is specific to the circumstances of the machine being hacked, i.e. the OS, the apps, the services, the ports, the service pack, etc.

Good Luck!


can you tell me which tutorial do you have for this :

to check what system my victim is using? For example : i have an ip so it will detect victim's operating system. please give me link of that tutorial or tell me it's article. thanks :D


Check out my tutorials on nmap and xprobe2. The nmap -O command is the OS detection command.


i l used netcraft before but was not aware of checking the last date changed.

thanks occupytheweb for another great post

How would you rate the difficulty of exploiting this website based on this recon? And what kind of exploit is best to use?

Kudos !

Dude I love your articles. I learn a lot from them :D

Very useful one!!

I'm learning
thank you



I just use netcraft.com on a couple of website's and i couldnt find the "Site technology" . Did they removed it ?

netcraft doesn't keep this data for all websites.

i did run vulnerability on a website and found out that it has a poodle leakage, but it these type of vulnerability is difficult to exploit. can you please suggest me a way i can go around these..

Good. But may i ask one question out of topic. Or u can say its within. How do i understand how a website is hacked? Or which vulnerability is used by the crackers to hack a specific website? For eg: www.site.com/null.html

you see the / null.html is a page added by the cracker to that website. But how do we understand which method that they had adopted? I know some sites in this category. When they access /null.html

they are able to saw is the crackers deface page. Could any my doubt? Tnx in advance!

Good lesson. Please I'm new in the hacking business and would like to know if these hacking techniques still works with today's systems or if there are newer techniques in hacking companies database or servers.

Share Your Thoughts

  • Hot
  • Latest