EPISODE · Nov 17, 2025 · 11 MIN
Course 8 - Penetration Testing OSINT Gathering with Recon-ng | Episode 3: Harvesting Data, Optimizing Contacts, Geolocation
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about: Conducting a Multi‑Stage OSINT Campaign Using Recon‑ng

1. Initial Data Harvesting & Database Population

The OSINT campaign begins by creating a dedicated workspace and planning the stages of information gathering. The first objective is to populate the core database tables: contacts and hosts.

Contact Gathering
- The whois_pocs module collects domain registration information, extracting email addresses and owner details.
- PGP search modules identify additional contacts by searching for PGP keys associated with the target domain.

Host Discovery
- The bing_domain_web module scans the domain to enumerate subdomains and hostnames.
- The brute_hosts module brute‑forces common hostnames to uncover additional active hosts not found through search engines.

File Analysis
Once the hosts table is filled, the interesting_files module scans discovered hosts for publicly accessible files such as:
- sitemap.xml
- phpinfo.php
- Test files
These files may contain operational details useful for further analysis.

2. Contact Optimization & Breach Assessment

This phase enhances collected contact data and checks whether employees or organizational accounts have been compromised.

Email Construction Using Mangle
- The mangle module builds complete email addresses using partial names and organizational naming patterns.
- It combines first/last names with the domain to produce likely valid addresses.

Breach Monitoring Using HIBP
- The hibp_breach module checks if collected or constructed emails were exposed in known credential leaks.
- The hibp_paste module searches paste sites for leaked emails or credentials.
- Any hits are stored in the credentials table for responsible reporting and remediation.

3. Geolocation of Target Servers

This stage identifies the physical locations of the target’s online infrastructure.

IP Resolution
- The resolve module converts hostnames into IP addresses and updates host entries.

Geolocation
- The free_geoip module geolocates IPs, revealing the server’s approximate city, region, and country.
- Location details are appended to the host’s database record.

Shodan Integration (Optional)
When a Shodan API key is available:
- Latitude/longitude data is used by the shodan module to gather additional OSINT such as services, banners, and exposed ports.

4. Comprehensive Software Stack Profiling

The final stage performs a deep analysis of the technologies behind the target website.

BuiltWith Technology Scan
The BuiltWith module identifies:
- Web technologies (e.g., Apache, Nginx, Ubuntu)
- Infrastructure providers (e.g., AWS)
- Associated tools (jQuery, New Relic, Analytics services)
For large domains, the scan may return hundreds of data points, greatly enriching the OSINT profile.

Additional Discoveries
- Administrative contacts
- Social media integrations
- CDN details
- Heat‑mapping and analytics tools (e.g., Mouseflow)
- Optimization platforms (e.g., Optimizely)

Summary

By the end of this lesson, students understand how to conduct a complete OSINT workflow using Recon‑ng:
- Populate key database tables
- Form accurate contact and host profiles
- Identify data breaches ethically
- Geolocate infrastructure
- Profile the full technology stack of a target domain

This staged approach reflects real-world ethical OSINT methodology and supports responsible security research.

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy