# Week 4: Passive OSINT

**Hacking in Five Steps** - This lesson will introduce the five key components of hacking: reconnaissance, enumeration, exploitation, maintaining access, and covering tracks. These five key concepts will be built upon as we progress, with at least one part dedicated to each component.\
**The Art of Reconnaissance** - This lesson will discuss reconnaissance in depth and cover common tools used in the process. Some of the tools that will be covered are the OSINT Framework, SET, theHarvester, Bluto, Google Dorks, and Shodan. More tools will likely be added as the lesson is written.

## Five Stages of Hacking

| 01             | 02                       | 03             | 04                 | 05              |
| -------------- | ------------------------ | -------------- | ------------------ | --------------- |
| Reconnaissance | Scanning and Enumeration | Gaining Access | Maintaining Access | Covering Tracks |

### **Passive Recon - Physical / Social**

#### Location Information

• Satellite images\
• Drone recon\
• Building layout (badge readers, break areas, security, fencing)

#### Job Information

• Employees (name, job title, phone number, manager, etc.)\
• Pictures (badge photos, desk photos, computer photos, etc.)

### **Passive Recon - Web / Host**

#### Target Validation

• WHOIS, nslookup, dnsrecon

#### Finding Subdomains

• Google-fu, dig, Nmap, Sublist3r, Bluto, crt.sh, etc.

#### Fingerprinting

• Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat

#### Data Breaches

• HaveIBeenPwned and similar lists


