Reconnaissance

Remote Reconnaissance

Information gathering performed without physically visiting the target.

OSINT (Passive)

• Social media
• Company websites
• Job postings
• Public records
• Map services
• IP address databases
• Shodan

Active Recon

• Direct contact with target personnel to learn routines, when key personnel are present, and which vendors or contractors are expected.
• Port scanning, service fingerprinting, and infrastructure mapping when approved within scope.

Physical Reconnaissance

On-site observation of the target environment, typically without direct engagement.

• Access control system in use
• Reader brand and technology, including what can be identified with tools such as a field detector or Flipper Zero
• Whether readers require a PIN in addition to a badge
• Locks and locking mechanisms
• How long doors stay open when people enter or leave
• What can be seen through windows

Phase Output

• Interesting employees: Targets, roles, routines, and behaviors.
• Layout of the premises: External layout and internal layout where it can be determined.
• Entry points: Doors, gates, windows, and other practical access points.
• Third parties: Vendors and contractors that influence plausibility and access.
• Visual identity: Clothing style, lanyards, ID card design, and how credentials are actually used.
• Routines: Opening, lunch, and closing patterns.
• Security presence: Guards, patrol patterns, and procedures.
• Access control technology: Reader type, badge workflow, and whether any related systems appear to be exposed to the internet.

Transition

Reconnaissance ends when the team has enough intelligence to plan a realistic access path and realistic contingencies. The next phase is Planning.