Penetration Testing: Passive Recon - eliminmax/cncs-journal GitHub Wiki

Penetration Testing: Passive Recon

The following tools and resources can be valuable for passive recon:

  • Internet registration records, such as whois data, DNS records, TLS/SSL certificates, etc.
  • Archival websites (e.g. archive.org's Wayback Machine), search engine previews and cached content, etc.
  • Social media presence - particularly LinkedIn, as that tends to be all about the who's who of a target. This is useful for social engineering, and if they have an SQL database admin on their payroll, they're probably using SQL.
  • Job listings, particularly for management, C-Suite, and IT roles - if they list Microsoft Office as a required skill, want people with experience with Active Directory, and so on, they just might be a Microsoft shop.