Last Wednesday I gave a seminar on the Reconnaissance step of a penetration test. During the presentation the importance of this step was emphasized, and the well known information gathering tools were demonstrated.
As far as I know, the widely accepted categorization of a penetration test contains five (5) major steps; the Penetration Testing Execution Standard (PTES) divides the same work into seven (7) phases. The output of every step feeds the next one as its input. This is the list of categories:

Penetration Test Steps

  • Reconnaissance
  • Scanning
  • Exploitation
  • Post Exploitation
  • Report

Reconnaissance can be defined as the information gathering effort. It also has two different approaches, depending on whether the tester connects to the target system: the passive approach and the active approach.
Passive Approach: while collecting information, the penetration tester (the officially permitted team or person) does not connect to the target directly. Information is gathered with the help of search engines, public registries and tools written for this kind of digging.
Active Approach: with this type of information collecting a direct connection to the target is made. Put simply, whatever the purpose, if you send packets to the target system those packets can be logged by the target, and the activity may be noticed.
There are various tools and web sites designed for Reconnaissance, and the list could be made much longer; I only want to give some examples. Some of them are listed below.

Reconnaissance Tools

  • Archive.org
  • mail-archive.com
  • theharvester
  • foundstone sitedigger
  • searchdiggity
  • whois
  • nslookup
  • shodan
  • pipl
  • dmitry

There is an interesting point to add, especially about command line tools. Some parameters of the same tool perform passive gathering while other parameters act on the active side. For example, the -w parameter of dmitry tells the tool to look the domain up on a whois server, which is considered a passive search; the -p parameter tells it to scan for open TCP ports on the given host, which is active and will show up in the target's logs.
While writing about Reconnaissance, "the father of information indexing", Google, and its search directives (operators such as site:, filetype:, inurl: and intitle:) must be mentioned. There are many useful search directives for narrowing the results; in our daily searches almost none of us uses them. Once you begin to learn them, you will see the power of filtering. The directives are documented in detail on the Google Guide pages.
The last point that deserves specific focus is social networks. Almost every individual and establishment connected to the Internet has social network accounts. Penetration testers should search these networks for any piece of information that could be used against the target's information systems, because a real attacker will do the same.
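To show the difference between the two sides of dmitry in working code, here is an added example that is not from the original post and not dmitry's own code. A tiny TCP "target" listens on localhost and records every connection it receives, standing in for a real host's firewall or service log; the whois record it parses is a constructed string, not a live lookup, and example.com is just the sample domain. The passive step never touches the target, so the target's log stays empty; the active step is a single TCP connect probe, the same kind of packet a -p port scan sends, and it is logged.

```python
"""Added example: why the active side leaves a trace and the passive side does not.

Not code from the original post or from dmitry. A localhost TCP "target" logs
every connection (standing in for a real host's logs); the passive step parses
a constructed whois-style record, the active step is a TCP connect probe.
"""
import socket
import threading
import time

# Constructed stand-in for a whois response (a real passive lookup asks a whois
# server, not the target host itself).
FAKE_WHOIS_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: RESERVED-Internet Assigned Numbers Authority
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
"""


def passive_whois_lookup(record: str) -> dict:
    """Parse 'Key: value' lines into a dict; repeated keys collect into a list."""
    info = {}
    for line in record.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")) or ":" not in line:
            continue  # blank lines and whois comment lines carry no data
        key, value = (part.strip() for part in line.split(":", 1))
        info.setdefault(key, []).append(value)
    return info


class LoggingTarget:
    """Localhost TCP service that logs the peer address of every connection."""

    def __init__(self):
        self.connections = []  # what the target's own log would contain
        self._server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._server.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self._server.listen(5)
        self.port = self._server.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._server.accept()
            except OSError:
                return  # listener shut down
            self.connections.append(peer)
            conn.close()

    def wait_for_entries(self, count: int, timeout: float = 1.0) -> int:
        """accept() runs in another thread; poll until the log has `count` entries."""
        deadline = time.monotonic() + timeout
        while len(self.connections) < count and time.monotonic() < deadline:
            time.sleep(0.01)
        return len(self.connections)

    def close(self):
        try:
            self._server.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self._server.close()


def active_port_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect scan of a single port (what dmitry -p does for each port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def demo() -> dict:
    """Run both approaches against the local target and report what it logged."""
    target = LoggingTarget()
    try:
        info = passive_whois_lookup(FAKE_WHOIS_RECORD)
        logged_after_passive = target.wait_for_entries(1, timeout=0.1)

        port_open = active_port_probe("127.0.0.1", target.port)
        logged_after_active = target.wait_for_entries(1)
    finally:
        target.close()
    return {
        "name_servers": info.get("Name Server", []),
        "logged_after_passive": logged_after_passive,
        "port_open": port_open,
        "logged_after_active": logged_after_active,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the name servers recovered from the record with zero entries in the target's log, then one logged connection from 127.0.0.1 as soon as the port probe runs. On a real engagement that single entry is what a blue team's firewall or IDS would pick up, which is why the passive parameters are used first and the active ones only once the scope allows it.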