Footprinting & reconnaissance
⏱ ~3-min readAceMark GuideWhat this topic is really about
Google dorking uses specialized search operators to uncover indexed sensitive content (config files, login pages, exposed documents) during passive reconnaissance. Port scanning actively probes hosts, privilege escalation raises rights post-compromise, and SQL injection attacks databases.
Passive collection of public information about a target — DNS, certs, Shodan, employee LinkedIn — is reconnaissance. Scanning is active probing (Nmap), gaining access is exploitation, covering tracks happens post-exploit.
See the mechanism
Passive collection of public information about a target — DNS, certs, Shodan, employee LinkedIn — is reconnaissance. A diagram for this topic isn't available yet — the worked example below walks the same reasoning step by step.
An exam-style question, fully explained
A pentester uses Shodan and certificate transparency logs to discover subdomains of a target. Which phase of the ethical hacking methodology is this?
- Identify what the question tests: A pentester uses Shodan and certificate transparency logs to discover subdomains of a target..
- Passive collection of public information about a target — DNS, certs, Shodan, employee LinkedIn — is reconnaissance.
- Scanning is active probing (Nmap), gaining access is exploitation, covering tracks happens post-exploit.
Traps the examiner sets
- Read each option carefully — distractors on Footprinting & reconnaissance are designed to look plausible.
- Re-check the exact wording of the question stem before committing to an answer.
- Watch the qualifiers ("always", "only", "except") that flip a correct-looking option.
Test your recall
Answer each from memory — you'll see instantly whether you're right and why.
Run a focused 10-question mini-mock on Footprinting & reconnaissance and see it stick.
Practice more of this topic →