
Passive Reconnaissance Techniques: OSINT Without Touching

Learn passive recon methods: WHOIS lookups, Google dorks, certificate transparency, LinkedIn OSINT, and Shodan — all without touching your target.


Passive reconnaissance is the art of gathering intelligence about a target without sending a single packet to their infrastructure. You rely entirely on publicly available data — DNS records, certificate logs, search engine indexes, social media, and third-party databases. Because you never interact with the target directly, passive recon is essentially risk-free from a detection standpoint, and it is where every professional penetration test should begin.

This guide covers the most effective passive techniques used by security professionals today.

Why Passive Recon First?

Before touching a target (even with a ping), skilled pentesters gather as much open-source intelligence (OSINT) as possible. The goals are:

  • Map the attack surface — domains, IPs, subdomains, email formats
  • Identify technologies — CMS, frameworks, server software versions
  • Find exposed credentials or sensitive data in leaks
  • Understand organizational structure — key personnel, departments
  • Discover forgotten assets — old subdomains, decommissioned services

All of this shapes your active testing strategy and keeps your initial footprint invisible.

WHOIS Lookups

WHOIS records reveal domain registration details — registrar, creation date, nameservers, and sometimes registrant contact information (though GDPR has hidden much of this for European domains).

# Command-line WHOIS
whois example.com

# Network range lookup
whois 93.184.216.0

# ASN lookup
whois -h whois.radb.net AS15169

Online WHOIS tools offer historical data that reveals past registrant information even after privacy guard was enabled:

  • whois.domaintools.com — historical WHOIS with ownership timeline
  • viewdns.info — WHOIS, reverse IP, IP history
  • bgp.he.net — ASN and network block information

What to look for:

  • Nameservers (reveal hosting provider or CDN)
  • Registration date (older = more likely to have forgotten assets)
  • Registrar (sometimes reveals provisioning patterns)
  • Organization name (cross-reference with LinkedIn)

Google Dorking

Google dorks are advanced search operators that filter results to expose sensitive information indexed by Google. The key operator is site: combined with others:

  Dork                                           | What it finds
  -----------------------------------------------|--------------------------------------
  site:example.com                               | All indexed pages on the domain
  site:example.com filetype:pdf                  | PDF files on the domain
  site:example.com inurl:admin                   | Admin panels
  site:example.com intitle:"index of"            | Directory listings
  site:example.com ext:sql OR ext:bak OR ext:env | Exposed database files
  "example.com" filetype:xls                     | Excel files mentioning the org
  "@example.com" filetype:pdf                    | PDFs with corporate email addresses
  site:pastebin.com "example.com"                | Paste sites mentioning the domain
  site:github.com "example.com" password         | Code repos with credentials
  cache:example.com/login                        | Cached version of login page

The Google Hacking Database (GHDB) at exploit-db.com maintains thousands of vetted dorks organized by category. Search it for your target’s technology stack.

Run systematic dork campaigns:

# Find subdomains Google has indexed
site:*.example.com -www

# Find login portals
site:example.com inurl:login OR inurl:signin OR inurl:portal

# Find configuration files
site:example.com ext:xml OR ext:conf OR ext:cnf OR ext:config OR ext:ini

# Find exposed Git repositories
site:example.com intext:"Index of /.git"

Certificate Transparency Logs

Every SSL/TLS certificate issued by a trusted Certificate Authority is recorded in publicly auditable Certificate Transparency (CT) logs. This is a goldmine for discovering subdomains — including internal staging environments, API endpoints, and forgotten services.

Tools and sites to query CT logs:

  • crt.sh — web interface and API: https://crt.sh/?q=%.example.com
  • Censys — https://search.censys.io/
  • certspotter — command-line tool

# Query crt.sh via curl. Each name_value holds every SAN of one certificate,
# newline-separated, so split it rather than grepping whole lines.
curl -s "https://crt.sh/?q=%.example.com&output=json" | \
  python3 -c 'import json,sys; print("\n".join(sorted({n.lower() for e in json.load(sys.stdin) for n in e["name_value"].split("\n")})))'

# Install and use certspotter (watches CT logs for names matching a watchlist file)
go install software.sslmate.com/src/certspotter/cmd/certspotter@latest
echo ".example.com" > watchlist.txt   # leading dot matches the domain and all subdomains
certspotter -watchlist watchlist.txt -verbose

CT logs often reveal internal hostnames like dev.internal.example.com, vpn.corp.example.com, or jenkins.staging.example.com that were never meant to be public.
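Processing the crt.sh JSON format discussed above, as an added example (not the page's or crt.sh's own code): it splits multi-SAN name_value fields, drops wildcards, and also flags hostnames that appear only on expired certificates, the usual sign of a forgotten service. The sample records are constructed.

```python
import json
from datetime import datetime

# Constructed crt.sh "output=json" records (sample data, not a real query result).
# A name_value holds every SAN of one certificate, newline-separated, possibly
# with wildcard entries and mixed case.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "example.com", "not_after": "2024-06-01T00:00:00",
     "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.example.com", "not_after": "2025-01-01T00:00:00",
     "name_value": "*.example.com\nexample.com"},
    {"common_name": "Jenkins.Staging.example.com", "not_after": "2023-02-01T00:00:00",
     "name_value": "Jenkins.Staging.example.com\nvpn.corp.example.com"},
])


def _names_under(entry, domain):
    """Yield lower-cased, non-wildcard SANs of one record that sit under `domain`."""
    for name in entry.get("name_value", "").split("\n"):
        name = name.strip().lower()
        if name.startswith("*."):
            continue  # a wildcard names no concrete host
        if name == domain or name.endswith("." + domain):
            yield name


def hostnames_from_crtsh(raw_json, domain):
    """Sorted, de-duplicated hostnames under `domain` from crt.sh JSON output."""
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        found.update(_names_under(entry, domain))
    return sorted(found)


def stale_hostnames(raw_json, domain, today_iso):
    """Hostnames seen only on certificates that expired before `today_iso`.

    A name no current certificate covers is a candidate forgotten service:
    verify it and decide whether it should still exist.
    """
    domain, today = domain.lower(), datetime.fromisoformat(today_iso)
    live, seen = set(), set()
    for entry in json.loads(raw_json):
        names = set(_names_under(entry, domain))
        seen |= names
        if datetime.fromisoformat(entry["not_after"]) >= today:
            live |= names
    return sorted(seen - live)
```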

Shodan for Passive IP Recon

Shodan is a search engine for internet-connected devices. It continuously scans the internet and stores banner information for every open port it finds. You can query this data without ever scanning the target yourself.

Find the target’s IP range first via WHOIS or BGP, then search Shodan:

  • org:"Example Corp" — all IPs registered to the organization
  • hostname:example.com — hosts with that domain in reverse DNS
  • ssl:"example.com" — servers presenting a certificate for that domain
  • net:93.184.216.0/24 — scan an entire subnet

# Using the Shodan CLI
pip install shodan
shodan init <your_api_key>

shodan search --fields ip_str,port,org,hostnames "org:\"Example Corp\""
shodan host 93.184.216.34
shodan domain example.com

What Shodan reveals without touching the target:

  • Open ports and running services
  • Software versions and CVEs (Shodan flags known vulnerabilities)
  • HTTP/S response headers and page titles
  • SSL certificate details and cipher suites
  • Geographic distribution of infrastructure
  • Industrial control systems (SCADA/ICS) accidentally exposed

DNS Record Enumeration

DNS is a public service by design. Query it aggressively:

# Basic record enumeration (many servers answer ANY minimally per RFC 8482, so query types individually)
dig example.com ANY
dig example.com A
dig example.com MX
dig example.com TXT
dig example.com NS
dig example.com AAAA

# Zone transfer attempt (mostly blocked; note it queries the target's own nameserver, so it is not strictly passive)
dig axfr @ns1.example.com example.com

# SPF, DMARC and DKIM live at different names; DKIM also needs the selector used in mail headers
dig +short TXT example.com | grep -i "v=spf1"
dig +short TXT _dmarc.example.com
dig +short TXT selector1._domainkey.example.com   # "selector1" is a placeholder selector

# Reverse DNS
dig -x 93.184.216.34

TXT records are particularly useful — SPF records enumerate all mail servers and cloud services the organization uses. A record like v=spf1 include:sendgrid.net include:mailchimp.com include:google.com ~all tells you exactly which email platforms they rely on.
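Parsing the SPF and DMARC TXT records described above, as an added example (not the page's own tooling): it pulls out the include: providers and ip4/ip6 networks the domain authorises, the qualifier on the all mechanism, and the DMARC p= policy. The TXT answers are constructed to mirror the record in the text.

```python
import re

# Constructed TXT answers in the form `dig +short TXT <name>` prints them (sample data).
# The SPF record mirrors the example in the text above.
SAMPLE_TXT = {
    "example.com": [
        '"v=spf1 ip4:93.184.216.0/24 include:sendgrid.net include:mailchimp.com include:google.com ~all"',
        '"google-site-verification=constructed-token"',
    ],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}


def _find_record(values, prefix):
    """Return the first TXT value starting with `prefix` (case-insensitive), quotes stripped."""
    for value in values:
        text = value.strip().strip('"')
        if text.lower().startswith(prefix):
            return text
    return None


def parse_spf(txt_values):
    """Extract what an SPF record authorises: (includes, ip networks, all-qualifier).

    The qualifier of the `all` mechanism is "+", "-", "~" or "?", or None
    when the record has no `all` term at all.
    """
    record = _find_record(txt_values, "v=spf1")
    includes, networks, all_q = [], [], None
    if record is None:
        return includes, networks, all_q
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("include:"):
            includes.append(mech.split(":", 1)[1])
        elif mech.startswith(("ip4:", "ip6:")):
            networks.append(mech.split(":", 1)[1])
        elif mech == "all":
            all_q = qualifier
    return includes, networks, all_q


def dmarc_policy(txt_values):
    """Return the DMARC p= policy (none, quarantine or reject), or None if unset."""
    record = _find_record(txt_values, "v=dmarc1")
    match = re.search(r"(?:^|;)\s*p=(\w+)", record) if record else None
    return match.group(1).lower() if match else None
```

A record ending in ~all combined with p=none means receivers take no enforcing action on mail that fails the checks; from the defender's side that pairing is a hardening item to report alongside the provider list.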

DNS History

Past DNS records reveal infrastructure that may still be accessible:

  • SecurityTrails — https://securitytrails.com/domain/example.com/history/a
  • DNSdumpster — https://dnsdumpster.com/
  • ViewDNS — https://viewdns.info/iphistory/?domain=example.com

LinkedIn OSINT

LinkedIn is an incredibly rich source of organizational intelligence:

What to gather:

  • Employee names and roles — identify administrators, developers, IT staff
  • Technology stack — employees listing “AWS”, “Kubernetes”, “Splunk” in their skills reveal the tech stack
  • Email format — one confirmed email like john.doe@example.com reveals the format for everyone
  • Org structure — who reports to whom; useful for pretexting in social engineering tests
  • Job postings — “We are seeking a FortiGate administrator” reveals firewall vendor; “Experience with GitLab self-hosted” reveals CI/CD platform

# theHarvester automates LinkedIn email harvesting
theHarvester -d example.com -b linkedin -l 200

# CrossLinked generates email permutations from LinkedIn profiles
pip install crosslinked
crosslinked -f '{first}.{last}@example.com' "Example Corp"

Public Code Repositories

Developers accidentally commit credentials, API keys, and internal infrastructure details to public repositories:

# Google dorks over github.com (run in a search engine)
site:github.com "example.com" "api_key"

# GitHub code search (run in the github.com search box; path: is a GitHub qualifier, not a Google one)
"example.com" path:.env
"example.com" "DB_PASSWORD"

# truffleHog v3 scans an organization's repos for secrets (v3 is a Go binary;
# the pip package is the older v2 with a different command line)
trufflehog github --org=examplecorp

# gitleaks against a cloned repository
gitleaks detect --source /path/to/cloned/repo

Data Breach Databases

Check whether corporate email addresses appear in known data breaches:

  • HaveIBeenPwned (HIBP) — https://haveibeenpwned.com/ — check individual emails or entire domains
  • DeHashed — search by domain, username, IP, or password hash
  • Breach Directory — https://breachdirectory.org/

# HIBP API (requires an API key and a User-Agent header)
curl -H "hibp-api-key: <key>" -H "user-agent: recon-script" \
  "https://haveibeenpwned.com/api/v3/breachedaccount/user@example.com"

Leaked credentials are gold for password spraying during authorized tests.

Organizing Your Findings

Keep passive recon findings in a structured document:

  Category             | Tool                   | Findings
  ---------------------|------------------------|------------------------------------
  Domains/Subdomains   | CT logs, DNSdumpster   | dev.example.com, api.example.com
  IP Ranges            | WHOIS, bgp.he.net      | 93.184.216.0/24, AS15169
  Open Ports/Services  | Shodan                 | 22, 80, 443, 8443 on 93.184.216.34
  Email Format         | LinkedIn, HIBP         | firstname.lastname@example.com
  Technologies         | Shodan, Wappalyzer     | Nginx 1.18, WordPress 6.4
  Leaked Creds         | HIBP, DeHashed         | 3 accounts in Collection #1

Summary

Passive reconnaissance sets the foundation for every other phase of a penetration test. By combining WHOIS records, Google dorks, certificate transparency logs, Shodan queries, DNS history, LinkedIn profiling, and breach data — all without touching the target — you can build a surprisingly complete picture of an organization’s attack surface before writing a single exploit. The quality of your recon directly determines the quality of your test.
