Before starting an intrusive test in our client is necessary to perform some reconnaissance about the network to identify all information possible about the system. Some information can be collected without sending any probes to the target system this is called passive recon.
nmap -sS poplabsec.com --reason
nmap -sS -A poplabsec.com
DNS brute force