Information Gathering is the first and most critical phase of any penetration testing or offensive security engagement.
The objective is to collect as much relevant information as possible about a target environment while maintaining accuracy, context, and efficiency.
This section consolidates theoretical foundations and practical techniques used during the reconnaissance phase, combining structured study with real-world command usage. The focus is not on tools alone, but on understanding what information matters, why it matters, and how it guides later attack decisions.
This section contains distilled notes from my Hack The Box – Pentesting Path study.
Full repository (expanded notes, diagrams, screenshots):
https://github.com/lameiro0x/pentesting-path-htb
Intro
Enumeration blends passive discovery with active validation. OSINT stays passive and should be treated as a separate activity. The objective is a clean map of the target's exposure, not access.
Enumeration Principles
We ask why something is visible and what it implies about the target, then compare that with what is missing or hidden, so that decisions are driven by evidence rather than assumptions.
Multiple viewpoints reduce blind spots by forcing you to compare independent signals before deciding what to probe. Visible facts outweigh assumptions because they can be verified and repeated under the same conditions. More context improves accuracy and keeps the test focused on the most relevant assets and interfaces.
Enumeration Methodology
We use six layers to structure external work. The layers move from the target's public presence down to its OS setup, which keeps testing organized.
...
Intro
Web reconnaissance is the foundation of a strong security test. It maps assets and technology choices before deeper testing begins and reduces blind spots.
Types of Recon
Recon uses two approaches: active and passive. Active recon touches the target's systems directly, while passive recon relies on public sources and sends nothing to the target.
Active Recon
Active recon interacts with the target to gather accurate data. It is effective but increases detection risk: the requests land in web server and security-tool logs, where the source address, timing and request pattern can be attributed to the tester.
...
Introduction to Web Fuzzing
Web fuzzing is used when a site does not link to hidden pages or does not expose anything useful through normal navigation. The technique sends many controlled inputs to an interface and inspects how the server responds to each one. Some Spanish-language notes render fuzzing as borrar (to delete), which is a mistranslation: the goal is discovery, not removal. Done correctly, it reveals directories, pages, subdomains and parameters that are not linked anywhere.
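The following is an added example written for these notes, not code from the HTB path or the linked repository. It implements a minimal directory fuzzer of the kind described above and runs it against a constructed in-process HTTP server that stands in for a real site; the hidden paths (/admin, /backup, /api), their status codes and the wordlist are all invented for the demo. The stand-in server also records every request it receives, which makes the detection point from the Active Recon section concrete: the fuzz run leaves one log entry per guess. Two design choices matter in practice and are both shown here: redirects are not followed (a 301 on a guessed path is itself a finding), and the fuzzer first probes a random path to learn the server's "miss" response instead of assuming a 404, because some servers answer 200 to everything.

```python
"""Added example: a minimal directory fuzzer against a constructed local target."""
import threading
import uuid
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed target: paths that are not linked anywhere and are only reachable
# by guessing. Status codes are invented for the demo.
HIDDEN_PATHS = {"/admin": 200, "/backup": 403, "/api": 301}

# Constructed wordlist; real engagements use lists such as SecLists' directory lists.
WORDLIST = ["images", "admin", "login", "backup", "static", "api", "old"]


class TargetHandler(BaseHTTPRequestHandler):
    """Stand-in web server. Every request is appended to server.access_log."""

    def do_GET(self):
        # This is the trail active recon leaves: source address plus requested path.
        self.server.access_log.append((self.client_address[0], self.path))
        status = HIDDEN_PATHS.get(self.path.rstrip("/") or "/", 404)
        body = f"HTTP {status}\n".encode()  # constant body per status, like a static error page
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep stderr quiet; access_log is our record


def start_target():
    """Start the constructed target on a free loopback port; return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), TargetHandler)
    srv.access_log = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 301/302 on a guessed path is itself a finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url):
    """GET one URL and return (status, body_length) without raising on 3xx/4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "fuzz-example"})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def miss_signature(base_url):
    """Learn how the server answers a path that certainly does not exist.

    Filtering on a hard-coded 404 breaks on servers that answer 200 to every path;
    comparing against the response to a random path works on both kinds.
    """
    return probe(f"{base_url}/{uuid.uuid4().hex}")


def fuzz_directories(base_url, wordlist):
    """Request base_url/<word> for each word and return {word: status} for every
    response that differs (status or size) from the server's miss signature."""
    miss = miss_signature(base_url)
    found = {}
    for word in wordlist:
        status, size = probe(f"{base_url}/{word}")
        if (status, size) != miss:
            found[word] = status
    return found


def run_demo():
    """Start the target, fuzz it, and return (findings, number_of_requests_logged)."""
    srv, base_url = start_target()
    try:
        findings = fuzz_directories(base_url, WORDLIST)
        seen = len(srv.access_log)  # one entry per guess plus the miss-signature probe
    finally:
        srv.shutdown()
        srv.server_close()
    return findings, seen


if __name__ == "__main__":
    findings, seen = run_demo()
    print("found:", findings)
    print("requests the target logged:", seen)
```

Against the constructed target the run reports admin (200), backup (403) and api (301) and nothing else, while the target's log holds eight entries: seven guesses plus the miss-signature probe. On a real engagement the same trail shows up in the web server's access log and in any WAF or IDS in front of it, which is why the notes treat active recon as a detection risk.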
...