Active Vs Passive Reconnaissance |

Penetration Testing Concepts 1

Active Vs Passive Reconnaissance

CompTIA Sec+ Section 1.4

Active Reconnaissance

Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities. This may be through automated scanning or manual testing using various tools like ping, traceroute, netcat etc. This type of recon requires that attacker interact with the target. This recon is faster and more accurate, however it also makes much more noise. Since the attacker have to interact with the target to gain information, there’s an increased chance that the recon will get caught by a firewall or one of the network security devices. (Intrusion Detection Systems, network firewalls, etc.)

Tools and Techniques Used

In order to gather information from the target host, attacker normally use port scanning techniques.

Nmap is probably the most well-known tool for active network reconnaissance. Nmap is a network scanner designed to determine details about a system and the programs running on it. This is accomplished through the use of a suite of different scan types that take advantage of the details of how a system or service operates. By launching scans against a system or a range of IP addresses under a target’s control, a hacker can learn a significant amount of information about the target network.

Metasploit is primarily designed as an exploitation toolkit. It contains a variety of different modules that have prepackaged exploits for a number of vulnerabilities. With Metasploit, even a novice hacker has the potential to break into a wide range of vulnerable machines.

Although it was designed as an exploit toolkit, Metasploit can also be effectively used for reconnaissance. At the minimum, using the autopwn option on Metasploit allows a hacker to try to exploit a target using any means necessary. More targeted analysis can allow a hacker to perform reconnaissance using Metasploit with more subtlety.

Port Scanning

Port Scanning is a systematically scanning computer ports as whole information is going in and out is through portand port scanning identifies open ports to a computer.Through port scanning attacker infer which services are visible and where attack is possible. Basic principal of port scanning is that to retrieve data from the opened port and analyze it.

Passive Reconnaissance

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. It is a gathering the information without alerting victim. If the victim host alerted then it drastically increases security against the attack.

Tools and Techniques Used

Wireshark is best known as a network traffic analysis tool, but it can also be invaluable for passive network reconnaissance. If an attacker can gain access to an organization’s Wi-Fi network or otherwise eavesdrop on the network traffic of an employee (e.g., by eavesdropping on traffic in a coffee shop), analyzing it in Wireshark can provide a great deal of useful intelligence about the target network.

Shodan is a search engine for internet-connected devices. As the Internet of Things grows, individuals and organizations increasingly are connecting insecure devices to the internet.

Using Shodan, a hacker may be able to find devices within the IP address range belonging to a company, indicating that they have the device deployed on their network. Since many IoT devices are vulnerable by default, identifying one or more on the network may give a hacker a good starting point for a future attack.

OS Fingerprinting

OS Fingerprinting is a method for determining which operating system does the remote computer runs.OS Fingerprinting is mostly used for cyber reconnaissance as most exploitable vulnerabilities are operating system specific.


There is a remarkable research work done to detect cyber attack at reconnaissance phase. Reconnaissance is a primary and starting phase of any cyber attack so if any solution for detecting cyber reconnaissance can be a good achievement in the course development of effective early warning system.Cyber attack is sequence of reconnaissance, infiltration and conclusion phase. A layered protection is always best but defense strategies for different network will be different. Stateful firewall, Intrusion Detection System, Intrusion Prevention System and NAT are preferable solutions. Firewall should be configured to allow only necessary traffic and also configured to log multiple connections from the same IP address. This implementation assures block scans such as FIN, NULL, XMAS and detect SYN scan as firewall is stateful. Snort like tool should be used which work as IDS that monitors traffic and detect anomalous activity. Snort should be configured to detect multiple connection from the same IP address. Using NAT is a good practice as it will put only single IP visible and block OS fingerprinting attempts. Apply all latest patches to block vulnerable points.

Are you looking to break into the exciting field of Cybersecurity? Join our 5-day CompTIA Security+ Bootcamp and build your cybersecurity knowledge and skills.


Become a certified ethical hacker! Our 5-day CEH Bootcamp is unlike other strictly theoretical training, you will be immersed in interactive sessions with hands-on labs after each topic. You can explore your newly gained knowledge right away in your classroom by pentesting, hacking and securing your own systems. Learn more