Day 1 of 5
⏱ ~60 minutes
Ethical Hacking in 5 Days — Day 1

Recon & OSINT

Every successful penetration test starts with information gathering. Today you master passive and active reconnaissance — collecting data about a target without touching its systems, then performing active scanning to map the attack surface.

What Is Ethical Hacking?

Ethical hacking (penetration testing) is the authorized practice of attacking systems to find vulnerabilities before malicious actors do. You operate under a written scope agreement, document everything, and report findings to help defenders fix gaps. Without authorization, the same actions are criminal.

Passive Recon with OSINT

Open Source Intelligence (OSINT) uses publicly available data: WHOIS records, DNS lookups, LinkedIn profiles, Shodan searches, and Google dorks. Tools like theHarvester, Maltego, and Recon-ng automate collection. The goal is to build a target profile without alerting anyone.

Active Recon with Nmap

Active recon sends packets to the target. Nmap is the industry standard: it discovers live hosts, open ports, running services, and OS fingerprints. Start with a ping sweep, then run service version detection. Always stay inside your authorized scope.

```bash
# Passive: DNS enumeration. These queries go to resolvers and the target's
# authoritative name servers, not to the hosts you will scan later, but those
# name servers can still log them.
nslookup target.com
dig target.com ANY      # many servers answer ANY minimally (RFC 8482); query NS, MX, TXT individually if so
host -t mx target.com

# theHarvester email/subdomain OSINT (-b picks the data sources; `theHarvester -h` lists the ones your version supports)
theHarvester -d target.com -b google,bing,linkedin

# Active: Nmap port scan with version detection (-sV), default scripts (-sC) and
# OS fingerprinting (-O). -O needs raw sockets, so run it as root.
sudo nmap -sV -sC -O 192.168.1.0/24

# Nmap specific port range, showing only open ports
nmap -p 1-1000 --open 192.168.1.100

# Google dork examples
# site:target.com filetype:pdf
# intitle:"index of" site:target.com
```
💡
Always get written authorization (a Rules of Engagement document) before any active scanning. IP addresses change hands, so confirm who owns each target before you scan it; the signed scope document is what protects you legally.
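The scope check in the tip above can be enforced in the shell rather than trusted to memory. The wrapper below is an added example, not part of the original lesson and not part of Nmap; the scope list, the target addresses and the function names are assumptions for illustration. It refuses to run nmap unless every target is inside the signed scope, and it handles CIDR targets such as the /24 sweep in the listing above by checking both ends of the range against each authorized block.

```bash
#!/usr/bin/env bash
# Scope guard for active scanning: nmap runs only when every target lies
# entirely inside the CIDR blocks copied from the signed Rules of Engagement.
# Handles IPv4 literals and IPv4/prefix ranges; resolve hostnames first.
set -eu

# Constructed example scope for illustration, not a real engagement.
SCOPE_CIDRS="10.10.10.0/24 192.168.56.101"

# ip_to_int A.B.C.D -> 32-bit integer; fails unless the input is a valid dotted quad
ip_to_int() {
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$' a b c d
    [[ $1 =~ $re ]] || return 1
    IFS=. read -r a b c d <<< "$1"
    (( 10#$a <= 255 && 10#$b <= 255 && 10#$c <= 255 && 10#$d <= 255 )) || return 1
    echo $(( (10#$a << 24) | (10#$b << 16) | (10#$c << 8) | 10#$d ))
}

# cidr_bounds ADDR[/PREFIX] -> "first last" as integers (a bare address is a /32)
cidr_bounds() {
    local re='^[0-9]{1,2}$' net bits mask n first last
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    [[ $bits =~ $re ]] || return 1
    bits=$(( 10#$bits ))
    (( bits <= 32 )) || return 1
    n=$(ip_to_int "$net") || return 1
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( n & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$first $last"
}

# in_scope TARGET -> 0 when the whole target range fits inside one scope block
in_scope() {
    local tb sb tf tl sf sl cidr
    tb=$(cidr_bounds "$1") || return 1
    read -r tf tl <<< "$tb"
    for cidr in $SCOPE_CIDRS; do
        sb=$(cidr_bounds "$cidr") || { echo "bad scope entry: $cidr" >&2; return 1; }
        read -r sf sl <<< "$sb"
        (( tf >= sf && tl <= sl )) && return 0
    done
    return 1
}

# safe_nmap NMAP-ARGS... -> runs nmap only when every bare argument is in scope.
# Every argument that does not start with "-" is treated as a target, so attach
# option values (-p1-1000, not -p 1-1000); anything unrecognised fails closed.
safe_nmap() {
    local arg
    for arg in "$@"; do
        case $arg in -*) continue ;; esac
        if ! in_scope "$arg"; then
            echo "REFUSED: $arg is not inside the authorized scope ($SCOPE_CIDRS)" >&2
            return 1
        fi
    done
    nmap "$@"
}

# Usage:
#   safe_nmap -sn 10.10.10.0/24        # ping sweep of the lab range: in scope, nmap runs
#   safe_nmap -sV -p1-1000 10.10.10.5  # service scan of one lab host: in scope
#   safe_nmap -sV 10.10.0.0/16         # REFUSED: wider than the authorized /24, nmap never starts
```

The guard is deliberately strict: a target that is a range must fit inside a single scope block, and a hostname or a stray option value is refused rather than guessed at, because an accidental scan of the wrong address is exactly what the signed scope is meant to prevent.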
📝 Day 1 Exercise
OSINT Target Profile
  1. Set up a Kali Linux VM (VirtualBox or VMware) — this is your attack platform for the course
  2. Register a free account on HackTheBox or TryHackMe to get a legal practice target
  3. Run theHarvester for passive OSINT against the platform's domain: theHarvester -d hackthebox.com -b google (this queries Google, not hackthebox.com; if Google returns nothing, switch -b to another source listed by theHarvester -h)
  4. Run an Nmap SYN scan against your lab machine (SYN scans need raw sockets, so use root): sudo nmap -sS -sV [lab-ip]
  5. Document all open ports and services in a recon worksheet
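For step 5 the recon worksheet can be generated from the scan output instead of typed by hand. The script below is an added example, not code from the lesson or from the Nmap project; the sample scan output is constructed to mimic what nmap -oG writes, and the host, banners and file names in it are assumptions. It parses grepable output into one CSV row per open port.

```bash
#!/usr/bin/env bash
# Build the Day 1 recon worksheet from Nmap grepable output (-oG).
# Usage:  sudo nmap -sS -sV -oG lab.gnmap [lab-ip]
#         gnmap_to_csv lab.gnmap > worksheet.csv
set -eu

# Constructed sample of one host's -oG output (not a real scan). Fields on a
# Host: line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG lab.gnmap 10.10.10.5\n'
    printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\tIgnored State: filtered (996)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 5.12 seconds\n'
}

# gnmap_to_csv [FILE...] -> CSV rows: host,port,proto,state,service,version
# Reads stdin when no file is given. Only open ports are emitted, so closed
# and filtered noise stays out of the worksheet.
gnmap_to_csv() {
    awk -F'\t' '
        BEGIN { print "host,port,proto,state,service,version" }
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                # "/" is the in-entry separator Nmap reserves, so split on it and
                # walk the tokens seven at a time; the ", " that separates entries
                # is left stuck to the next port number and stripped there. This
                # survives banners that contain ", "; if a banner ever contained a
                # slash the row count would shift, and -oX would be the safer input.
                n = split($i, t, "/")
                for (k = 1; k + 6 <= n; k += 7) {
                    port = t[k]; sub(/^, /, "", port)
                    state = t[k+1]; proto = t[k+2]; service = t[k+4]; version = t[k+6]
                    if (state != "open") continue
                    gsub(/"/, "\"\"", version)   # CSV-escape quotes inside the banner
                    printf "%s,%s,%s,%s,%s,\"%s\"\n", host, port, proto, state, service, version
                }
            }
        }
    ' "$@"
}

# Demonstration on the constructed sample:
#   sample_gnmap | gnmap_to_csv
```

Run the scan with -oG, feed the file to gnmap_to_csv, and keep the CSV with the rest of your engagement notes; every port the worksheet lists is something you can now tie back to a specific scan command and timestamp.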

Day 1 Summary

  • Ethical hacking requires written authorization and defined scope
  • Passive recon collects data without touching the target
  • OSINT tools: theHarvester, Maltego, Recon-ng, Shodan
  • Active recon maps ports and services with Nmap
  • Documentation is non-negotiable at every phase
Challenge

Find 3 subdomains of a target listed in a public bug-bounty program's scope using only passive OSINT (certificate transparency logs, search engines, passive DNS datasets; no brute-forcing and no scanning). Record your methodology and which tool found each subdomain.
