Pentest Methodology & Recon · beginner · ~10 min
Distinguish passive from active recon and understand the OPSEC trade-off.
Passive recon gathers info from third parties without touching the target (DNS, WHOIS, CT logs, Shodan, OSINT). Active recon interacts directly (scans, banners) — richer but logged. Passive first, then active.
Choosing the right mode controls both how much you learn and how much noise you make. Passive recon is stealthy and needs no special authorization to read public data; active recon must stay strictly inside scope because it's detectable.
Passive. No packets to the target; query public/third-party sources.
Active. Direct interaction (scans, crawls) — noisy and logged.
OPSEC. Active recon leaves footprints.
Order. Exhaust passive before going active.
Reconnaissance is information gathering. It comes in two flavours that differ by whether you touch the target.
Collect information without sending traffic to the target's systems. You query third parties and public sources:
Because you never send traffic to the target, passive recon is essentially undetectable by the target.
Directly interact with the target: ping sweeps, port scans, banner grabbing, web crawling. It's far richer — you learn what's actually running — but it's noisy and logged. Active recon must be inside your authorized scope and time window.
Passive first, active second. Build the fullest possible picture from public data (free and stealthy), then spend "loud" active probes efficiently on what you've already mapped. On a real engagement, active recon is where you start leaving footprints in the target's logs.
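The footprint that active recon leaves is what a defender's detection logic keys on. The following added example (not part of this module's material) shows the defender's side of that trade-off: it parses a small constructed set of firewall-style log lines and flags any source address that touched many distinct destination ports within a short window, the classic signature of a port sweep. The log format, IP addresses and thresholds are assumptions chosen for the illustration.

```python
"""Flag port-sweep footprints in firewall-style logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_sweeps(lines, min_ports=10, window=timedelta(seconds=60)):
    """Map each source IP that hit >= min_ports distinct ports inside one
    sliding window to the peak number of distinct ports seen in that window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()   # dport -> hits currently inside the window
        left, peak = 0, 0
        for ev in events:
            in_window[ev["dport"]] += 1
            # slide the left edge forward until the window spans <= `window`
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings[src] = peak
    return findings


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real hosts)."""
    base = "2024-05-01T10:00:%02dZ"
    lines = []
    # one source probing 12 distinct ports in 12 seconds: an active-recon footprint
    for i, port in enumerate(range(21, 33)):
        lines.append(f"{base % i} DENY src=203.0.113.7 dst=198.51.100.10 dport={port}")
    # a normal client repeatedly reaching a single service
    for s in (5, 20, 40):
        lines.append(f"{base % s} ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443")
    # a host that touched three ports spread over eight minutes: below threshold
    lines.append("2024-05-01T10:01:00Z ALLOW src=198.51.100.77 dst=198.51.100.10 dport=80")
    lines.append("2024-05-01T10:05:00Z DENY src=198.51.100.77 dst=198.51.100.10 dport=8080")
    lines.append("2024-05-01T10:09:00Z ALLOW src=198.51.100.77 dst=198.51.100.10 dport=443")
    return lines


if __name__ == "__main__":
    for src, ports in detect_port_sweeps(build_sample_log()).items():
        print(f"possible port sweep from {src}: {ports} distinct ports in one window")
```

Passive recon never produces lines like these on the target's side, which is exactly why it is done first; the threshold and window are tuning knobs a SOC would set from its own baseline, and the same sliding-window shape works for host sweeps (many distinct destinations from one source) by swapping the field being counted.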
Passive recon reads public and third-party data without touching the target; active recon probes it directly and gets logged. Do passive first to map the surface, then aim active probes precisely — always within scope.