Penetration testing

Red Team Assessment Phases: Reconnaissance

Howard Poston
December 10, 2018 by
Howard Poston

The second phase of a red team assessment is reconnaissance. In this phase, the red team attempts to collect information relevant to the assessment while keeping as low of a profile as possible. In order to successfully perform effective, largely passive reconnaissance, the red team members need to access a variety of data sources and have a means for organizing the collected information to maximize its usability for the assessment.

Scoping the Phase

Every organization and red team assessment is different, and this is reflected in the way that a red team does reconnaissance. Under some circumstances, a red team assignment may even be considered a white-box or gray-box assessment, mirroring the level of preparedness and information an adversary may have. In a white-box red team assessment, the red team is provided all relevant information about the network and can use this information to guide their reconnaissance efforts. In a gray or black-box assessment, the red team may be searching a bit more blindly for relevant information about the organization.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

The goals and methodologies of the reconnaissance phase of a red team assessment are shaped by the goals of the assessment. The vast quantity of data available about an organization, its employees, and its business partners mean that it’s often impossible to collect and analyze all available data.

To be effective, a red team performing reconnaissance must determine what questions that they have and look for data that may help to answer these questions. For example, in an assessment that disallows social engineering, it is probably unnecessary to build a complete profile on the CEO and their personal habits. However, knowing that the CEO is a proponent of cloud services may be useful for finding AWS S3 buckets that may be accessible and contain sensitive information.

Achieving Phase Goals

The goal of the reconnaissance phase of a red team assessment is setting up the red team members for success by providing them with access to the information that they will need to plan their attack. The main goals of this stage in the assessment are collecting the necessary information and managing it in a way that ensures that all necessary information has been collected and is available when needed.

Data Collection

The main goal of reconnaissance is collecting data about the target of the red team assessment. Since the red team wishes to remain undetected, this is mainly performed using “passive” methods, i.e., nothing that involves interacting with the target in a way different from the average customer. Sources for useful data for reconnaissance include (but are not limited to) open-source intelligence, digital and physical monitoring and social engineering.

Open-Source Intelligence (OSINT)

An extremely powerful and often undervalued source of information for a red team assessment is open-source intelligence or OSINT. OSINT includes anything that is publicly available and can be accessed without drawing excessive attention to the red team. Examples of commonly-used sources of OSINT include:

  • The company website
    • Product information (useful for social engineering and identifying valuable data)
    • Organizational information (useful for identifying potential targets)
    • Contact information (can provide an access point for social engineering or a starting point for finding “secret” contact information)

  • Social media
    • Employee relationships (useful for social engineering)
    • Product information (useful for social engineering and identifying valuable data)

  • Job postings
    • Information about the company infrastructure (based on desired skill sets)
    • Job vacancies (basis for social engineering and identification of security holes like lacking a CISO)

  • Public databases
    • The Wayback Machine: Historical information from the company website
    • Information about specific people
    • ICANN: Information about IP addresses, domain registration and so on

A vast amount of information about an organization can be found using OSINT and applied to planning a red team assessment. Combining skill sets described in job posts and IP and DNS registration information can allow a red team to identify with a reasonable level of certainty the exact types of services running on a particular machine (and their potential vulnerabilities) without revealing any signs of their interest to the target organization.

Digital and Physical Monitoring

While active monitoring may be more efficient in gathering information about a target, it has the downside of being much more visible and likely to be detected and acted upon. Passive monitoring, whether of digital or physical attributes, can provide a great deal of information about an organization while being much more difficult to detect.

Passive digital monitoring of an organization’s network requires the ability to observe the network traffic without taking any unusual actions or initiating connections. If the organization has an open Wi-Fi network, joining it with a NIC set in promiscuous mode can provide a great deal of information about the number, types and even software details of machines on the network. Even if a Wi-Fi network is protected, learning of its existence is useful for network mapping and provides a clear target for future information gathering.

The physical side of security is just as important as the digital and often overlooked in cybersecurity planning. Physical access to an organization’s assets can lead to compromise of computers, planting of malicious devices and more. By monitoring the standard employee habits and physical security measures of an organization (security guards, cameras, smartcard-controlled access and so on), a red team can identify potential vulnerabilities that could lead to a way to bypass the site’s cybersecurity measures. While monitoring a site, the red team may even have to opportunity to collect or steal crucial information in the form of discarded or unguarded electronic or physical media.

Social Engineering

If permitted as part of the assessment, social engineering can be a powerful tool in a red team’s toolkit. Social engineering attacks take advantages of vulnerabilities in how humans think and act in order to bypass physical or digital defenses. Social engineering can help throughout the assessment process, but one of its main benefits is as a source of information that is otherwise not publicly accessible.

People are willing to give away all kinds of information without realizing its importance. Want to know when someone will be out of the office? Try to schedule a meeting with them. Want to get detailed information about a company’s operations and maybe an on-site tour? Apply for a job post and hopefully land an interview. Social engineering is a powerful tool for a red team, taking advantage of how people undervalue certain information or levels of access.

Data Management

There are three main ways to mess up reconnaissance: fail to collect the data that you need, collect too much data, and collect the right data but not be able to find it when it’s needed. If the reconnaissance phase of the red team assessment is appropriately scoped, the first two issues shouldn’t be a problem. A strong data management policy ensures that a red team won’t fall prey to the third.

Before beginning a red team assessment, the red team needs to decide on a system for storing the data collected throughout the assessment. This is valuable in every phase of the assessment, since the team may need to be able to access a fact at a moment’s notice and needs to be able to provide comprehensive records in the event of a mistake or when reporting to their customer.

During the reconnaissance phase, all members of the team should follow the data management policy. This ensures that all of the necessary questions are answered (if possible), removes duplication of effort and sets the team up for success in later stages.

Setting the Stage

Reconnaissance is the second phase in a red team assessment. The goal of this phase is to collect the information that the team will need in order to successfully perform the rest of the assessment. A reconnaissance phase is successfully completed when the red team has collected and organized any available and pertinent information about the target in a way that maximizes its utility for future phases.

Want to read more? Check out some of our other articles, such as:

Red Team Assessment Phases: Overview

Red Team Assessment Phases: Target Identification

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Everything You Need To Know About Red Teaming in 2018


  1. 10 social engineering exploits your users should be aware of, TechRepublic
Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at