How to Conduct Passive Reconnaissance of a Potential Target

Why Passive Recon?

Reconnaissance can be divided into at least two categories, active and passive. Active reconnaissance requires that you interact with the target computer system to gain information about it. Although this can be very useful and accurate, it risks detection. If you're detected doing reconnaissance on a system, the system admin may choose to block your IP address and you'll leave a trail to your subsequent activity.
If possible, we would prefer to gather the essential information without ever interacting with the system, thus leaving no trail to trace back to us. That's what passive reconnaissance is.

Although there are a number of ways to conduct passive recon, one of the best ways is to use a website like Netcraft.

Step 1Navigate a Browser to Netcraft

Let's open a browser and navigate to the Netcraft website. We should see a webpage that looks like this.

Netcraft is a UK company that tracks virtually every website on the planet. From this data, they're able to calculate market share for web servers, uptime, etc., becoming one of the leading authorities for this type of information. They also offer some security services such an anti-phishing extension and phishing alerts.

Another service that Netcraft offers is data about nearly every website. This data can be extremely valuable to the hacker. Notice on the right side of the webpage, the area that asks "What's that site running?"

We can simply type in a domain name and hit enter.

Step 2Search a Domain

As we can see in the screenshot below, We simply typed in a domain and Netcraft returns results for the domain. Notice that in this case, it returned two sites.

Let's click on the report of the second one.

Step 3Open the Site Report

Now we can open the site report and get some critical information about this site. We can see at the top of this report, such information as site rank, primary language, IP address, and nameserver.

If we scroll down a bit, we can get some excellent information that would be useful to a potential attacker.

We can see under the heading "Hosting History" the netblock owner, IP address(es), operating system, web server, and when the server was last changed. All of this can be useful to the hacker, including the date last changed. This date generally represents the date the system was last rebooted or updated.
In the case above, we can see it was last updated Sept. 28, 2007. This would imply that any security OS patches that have been supplied in the interim have NOT been applied to this system. As a hacker, this is juicy information as it tells us that any vulnerabilities to this system that have been found since Sept. 28, 2007 are still available on this system as no vulnerability patches have been applied.

Step 4Site Technology

When we scroll down a bit further, we come to a section titled "Site Technology". Here we get a rundown on the technology the site's running.

This listing provides us with information of what technologies the site is running and from here the hacker can seek out vulnerabilities in these named technologies. This is a boon for the hacker as they don't have to guess what technologies are behind the website. As every hack is specific to a technology, knowing what technologies they are running makes it easier for the hacker to find the appropriate hack.
It's important to note here that Netcraft data is not foolproof. I would give it an 80-85% probability of being correct, and that's high enough to garner valuable recon info on a website.