Information Gathering Tools - Cyber Reconnaissance Overview
by x32x01
Information gathering (recon) is the first and most important phase in ethical penetration testing and digital forensics. Good recon lets you map a target’s digital footprint, find the attack surface, and focus your tests where they matter most. This guide breaks down the top recon tools you should know, explains what they do, gives quick command examples, and shares practical tips so you can work faster and smarter.

Why recon matters
Recon is not just about running tools - it’s about asking the right questions: What subdomains exist? What services are exposed? What software versions run on the servers? The answers to these questions shape your testing plan and help you avoid wasted effort. Always work within program scope and legal limits.

Maltego - visual link analysis and OSINT graphs
Maltego is a graph-based tool for mapping relationships between people, domains, email addresses, infrastructure, and more. It’s great for OSINT investigations when you need to turn scattered data into a visual picture.
What you can do:
- Map domain → subdomain → IP → WHOIS → related domains.
- Import lists and run transforms to expand the graph.
- Export graphs for reporting.
TheHarvester - email, subdomains, and public data collection
TheHarvester queries search engines, certificate transparency logs, and public sources to collect emails, subdomains, hosts, and URLs.
Example (source names are lowercase, e.g. google):
Code:
theharvester -d example.com -b google -l 500 -f theharvester.html

Fierce - domain and DNS discovery
Fierce focuses on DNS: it finds hostnames, DNS zone issues, and potential targets that standard scans miss. It’s a lightweight but effective domain scanner for quickly expanding your target list.
Quick use:
Code:
fierce -dns example.com

Photon - smart web crawler for metadata and endpoints
Photon is a focused web crawler built for reconnaissance. It extracts endpoints, JavaScript files, comments, and metadata that often contain hidden endpoints or API URLs.
Example:
Code:
python3 photon.py -u https://example.com -o photon_output

Recon-ng - automated recon framework
Recon-ng is a modular, scriptable framework for collecting and organizing recon data. It supports many modules and integrates API keys (Shodan, VirusTotal, Censys, etc.) to pull structured data.
Basic workflow:
- Start recon-ng.
- Add API keys: keys add shodan YOUR_KEY.
- Load modules and run them to gather data into the workspace.
Censys - search the internet for exposed services
Censys indexes internet-wide scans and lets you search for exposed certificates, services, and hosts. It’s a great complement to Shodan for discovering publicly reachable systems.
Example (web):
- Search for example.com or specific port/service signatures.
Tip: Use Censys queries to find misconfigured services or systems exposing sensitive data.
Nmap - host and port discovery (industry standard)
Nmap is the go-to tool for port and service scanning. It helps you determine which hosts are up, what ports are open, and what services and versions are running.
Common command:
Code:
nmap -sV -p- -T4 -oN nmap_full.txt example.com
- -sV probes for service versions
- -p- scans all ports
- -T4 speeds up the scan
- -oN writes a normal-format output file
Nikto - web server vulnerability scanning
Nikto is a web server scanner that checks for outdated software, misconfigurations, and known vulnerabilities. It’s not stealthy, but it’s thorough and shows common server issues quickly.
Example:
Code:
nikto -h https://example.com -o nikto_report.txt

Shodan - search engine for connected devices
Shodan indexes devices and services exposed on the internet - from web servers to IoT devices. Use it to find exposed admin panels, SSH servers, or unusual services tied to your target.
Quick idea:
- Search Shodan for hostname:example.com or specific product banners.
Shodan can reveal legacy systems and forgotten services that often become high-value targets.
Putting tools together: a practical workflow
A typical recon sequence might look like this:
- OSINT & domain mapping: Maltego, TheHarvester, Recon-ng.
- Subdomain enumeration: (combine results from TheHarvester, DNS tools, and passive sources).
- Port & service scans: Nmap to identify live hosts and services.
- Web crawling & endpoint discovery: Photon and other crawlers.
- Server checks: Nikto, WhatWeb/Wappalyzer for fingerprinting.
- Inventory exposed assets: Censys and Shodan to find internet-exposed systems.
- Consolidate and validate: Manually verify high-risk findings and prepare PoCs.
Example: quick bash script to combine TheHarvester, Nmap, and Photon
Bash:
#!/bin/bash
# Runs each tool in turn against one target and leaves the reports in the current directory.
set -euo pipefail
target="${1:-example.com}"   # pass the target as the first argument, or edit the default
theharvester -d "$target" -b all -l 500 -f theharvester.html
nmap -sV -p- -T4 -oN nmap_full.txt "$target"
python3 photon.py -u "https://$target" -o photon_out
echo "Recon done. Check theharvester.html, nmap_full.txt, and photon_out/"

Tips to improve recon results
- Correlate data from multiple tools to reduce false leads.
- Use API sources (Shodan, Censys, VirusTotal) for broader coverage.
- Customize wordlists for directory and endpoint discovery based on technology or naming patterns.
- Rate-limit and respect scope to avoid service disruptions and legal issues.
- Document everything: timestamps, commands, and outputs help during reporting.
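The "consolidate and validate" step of the workflow and the "correlate data from multiple tools" tip above both come down to the same chore: merging what several tools produced into one inventory you can trust. As an added example (not code from the original post or from any of the tools named), this bash script merges subdomain lists from several tools into one in-scope set and parses nmap's grepable (-oG) output into open-service rows; the tool output files it reads are constructed samples, and the function names are mine.

```shell
#!/bin/bash
# Added example (not from the original post): merge subdomain lists from several
# tools into one in-scope inventory and turn nmap grepable output (-oG) into a
# host/port/service table. The input files below are constructed samples.
set -euo pipefail

# Merge subdomain lists: lowercase, strip trailing dots, keep only names under the
# in-scope domain (so out-of-scope look-alikes like notexample.com are dropped).
merge_subdomains() {   # usage: merge_subdomains <scope-domain> <file>...
  local scope="$1"; shift
  local scope_re
  scope_re=$(printf '%s' "$scope" | sed 's/\./\\./g')
  cat "$@" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -E "(^|\.)${scope_re}\$" | sort -u
}

# Parse nmap -oG lines ("Host: IP (name) <TAB>Ports: 80/open/tcp//http//nginx/, ...")
# into "ip port proto service version" rows, keeping only open ports.
parse_nmap_grepable() {   # usage: parse_nmap_grepable <file.gnmap>
  grep 'Ports:' "$1" | while IFS= read -r line; do
    host=${line#Host: }; host=${host%% *}
    ports=$(printf '%s\n' "$line" | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//')
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' |
      while IFS='/' read -r port state proto _ svc _ ver _; do
        if [ "$state" = open ]; then
          printf '%s %s %s %s %s\n' "$host" "$port" "$proto" "$svc" "$ver"
        fi
      done
  done
}

# Constructed sample outputs (not real tool output) so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/harvester.txt" <<'EOF'
www.example.com
Mail.Example.com
api.example.com.
notexample.com
EOF
cat > "$tmp/fierce.txt" <<'EOF'
www.example.com
dev.example.com
EOF
printf 'Host: 192.0.2.10 (example.com)\tStatus: Up\nHost: 192.0.2.10 (example.com)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)\n' > "$tmp/nmap.gnmap"

echo "== in-scope subdomains =="; merge_subdomains example.com "$tmp/harvester.txt" "$tmp/fierce.txt"
echo "== open services ==";      parse_nmap_grepable "$tmp/nmap.gnmap"
```

Point the two functions at the real files produced by TheHarvester, Fierce and nmap -oG and the filtered-out look-alike domain and the non-open ports show why the merge step belongs before anything is reported.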
Common mistakes and how to avoid them
- Relying on a single tool - use multiple tools and cross-check results.
- Ignoring false positives - validate manually before reporting.
- Skipping passive recon - passive sources often reveal sensitive info without touching the target.
- Forgetting to record consent - always confirm scope and permissions.