What is Active Reconnaissance?
Active reconnaissance is a phase of the hacking lifecycle where the attacker (or ethical hacker) interacts directly with the target system to gather detailed information about services, open ports, technologies in use, and more. Unlike passive recon, these actions can be logged or detected by defensive systems.
🔧 Key Techniques in Active Recon
Port Scanning
Identify which ports are open and what services are running. Essential for attack surface mapping.
nmap -sS -Pn -T4 target.com
Service Enumeration
Detect the version and details of a service. Used to match known vulnerabilities.
nmap -sV target.com
Banner Grabbing
Manually or automatically retrieve banners to identify services, versions, and misconfigurations.
nc target.com 80
Directory Bruteforcing
Discover hidden files and directories using wordlists and automation tools.
gobuster dir -u https://target.com -w wordlist.txt
📌 Step-by-Step Process
Step 1: Scan for Live Hosts
Use ping sweeps or ARP scans to detect online systems (ARP scans only work when you are on the same local network segment as the targets).
nmap -sn 192.168.1.0/24
Step 2: Scan for Open Ports
Identify common and uncommon ports:
nmap -sS -p- target.com
Step 3: Identify Services and Versions
Determine what software is running and its version:
nmap -sV -sC target.com
Step 4: Web Directory Discovery
Find admin panels, login pages, or misconfigured endpoints:
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
🌐 Real-World Example
Target: insecure-website.local
# Step 1: Port scan
nmap -T4 -sS -p- insecure-website.local
# Step 2: Service and version detection
nmap -sV -sC -p 22,80,443 insecure-website.local
# Step 3: Directory brute-force
gobuster dir -u http://insecure-website.local -w common.txt -x php,html
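Every command above sends traffic to the target, which is why active recon can be logged and detected. As an added example (not part of the original page), this Python script shows the defender's side: it reads iptables-style kernel log lines and flags any source that touches many distinct destination ports within a short window, the footprint that a SYN scan such as `nmap -sS -p-` leaves. The log lines, hostnames and IP addresses are constructed; the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style kernel log lines; every host and address is hypothetical.
# 10.0.0.5 sends SYNs to 12 different ports on 10.0.0.20 within two seconds (the
# footprint of "nmap -sS -p-"), while 10.0.0.9 only ever connects to 443 (normal use).
FIREWALL_LOG = "\n".join(
    [f"Jan 10 12:00:0{i % 2} gw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 "
     f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080])]
    + [f"Jan 10 12:00:{s:02d} gw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.20 "
       f"PROTO=TCP SPT={50000 + s} DPT=443 SYN" for s in range(5)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_events(log, year=2024):
    """Yield (timestamp, source_ip, destination_port) for every parseable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"])

def detect_port_scans(log, min_ports=10, window_s=60):
    """Return {source_ip: distinct_ports} for every source that touched at least
    min_ports distinct destination ports inside some window_s-second window."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_events(log):
        by_src[src].append((ts, dpt))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # slide the window start forward until it spans at most window_s seconds
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = {port for _, port in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts
```

Running `detect_port_scans(FIREWALL_LOG)` on the constructed log reports only 10.0.0.5; lowering `window_s` to a few seconds catches fast scans while a slower `-T3` or `-T2` scan needs a longer window.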
💡 Practical Tips
- Use -T4 in Nmap for faster scanning, but try -T3 if rate limiting is present.
- Never run active recon on systems without authorization.
- Use VPNs or isolated labs to avoid exposing your real IP.
- Correlate Nmap results with vulnerability databases (e.g., CVE, Exploit-DB).