How Pentesters Map a Target Without Sending a Single Packet

Passive reconnaissance is where every professional pentest should start. Before you touch the target, you gather everything the internet already knows about them. In this lecture, I walk through three of the most valuable passive recon techniques: WHOIS lookups, Shodan searches, and Google dorking. Done right, these methods surface domains, exposed services, leaked credentials, and misconfigurations without sending a single packet to the target. I'm Thomas Wilhelm. 30 years in offensive security, former practice director, Army cryptanalyst, and author of "Professional Penetration Testing" and "Basics of Hacking and Penetration Testing." On this channel, I teach the methodology, scoping, and execution side of pentesting that most tutorials skip. TECHNIQUES AND TOOLS COVERED WHOIS lookups Domain registration and ownership data Registrar, nameservers, and historical records Pivoting from WHOIS to related infrastructure Shodan.io Searching by IP, organization, and product Filters for ports, services, and vulnerabilities Identifying exposed industrial systems and devices Google dorks Operators: site:, filetype:, inurl:, intitle:, intext: Finding exposed documents, configs, and credentials The Google Hacking Database (GHDB) as a starting point RESOURCES: Join this channel to get access to perks →    / @pentest_tv   Get my newsletter → https://tinyurl.com/pentest-mailing-list Visit the website → https://Pentest.TV Join the Pentest.TV Discord →   / discord   #PassiveReconnaissance #PenetrationTesting #EthicalHacking #Shodan #GoogleDorks #WHOIS #OSINT #CyberSecurity #InfoSec #PentestTutorial #ReconTechniques #RedTeam #HackingTutorial #CyberSecurityTraining #Pentesting