SY110: Passive and Active Reconnaissance



Learning Outcomes

After completing these activities you should be able to:


Cyber Operation Overview


In previous discussions, we've covered individual security-related concepts like password policies, encryption, and malware. However, these elements are often parts of larger offensive operations aimed at achieving specific objectives, such as stealing data, disrupting services, or compromising devices—actions that violate the CIA triad. In military terms, these objectives are often referred to as effects, such as denying, degrading, disrupting, destroying, or manipulating an adversary’s capabilities. A singular technical component - such as cracking a password hash - is relatively insignificant on its own, but can play an important role in an overall operation.

Successful operations typically involve multiple steps. An attacker might start with a phishing attack to gain initial access, then use a different exploit to escalate privileges, and finally achieve their goal, such as altering system information. The specifics of each operation vary, but the general approach is consistent across different scenarios. The graphics below (one from the DoD, one from Mandiant, a private firm) provide high-level overviews of this concept:

DoD's Cyber Kill Chain

Mandiant's Targeted Attack Life Cycle

Reconnaissance Overview

Cyber reconnaissance (recon) involves passive and active techniques that gather organizational and technical information on a target in order to support follow-on actions that increase the likelihood of successful initial access. Passive recon techniques leverage public information and databases that contain information on the desired target, while active techniques probe the target's infrastructure through direct interaction. The level of interaction with the target - direct for active recon, indirect for passive recon - is generally considered the distinguishing factor, although some activities straddle the line between the two. Something an attacker must keep in mind is the risk of attribution, which generally increases with direct interaction.

The list below contains some examples of information that would be useful for an adversary to conduct successful cyber attacks against a target:

Passive Recon

There are many online tools available to conduct passive recon against a target, but understanding why each one is used is essential to planning a successful Computer Network Attack (CNA). Collectively, these tools and resources are used to conduct technical and operational analysis. This includes searching publicly accessible, open-source network databases, using closed-source information, and fine-tuning searches in Google (known as Dorking), which narrows the search parameters and greatly enhances the power of web crawling.

Open-source databases, like WHOIS and DNS, are available to the public and can be queried anytime. There is a significant amount of information that can be derived from the analysis of these databases, requiring little active recon to verify the information already made available. Below are the main sources of data for WHOIS and DNS:

WHOIS Databases
  American Registry for Internet Numbers (ARIN) - https://search.arin.net/rdap/
  Asia Pacific Network Information Centre (APNIC) - https://wq.apnic.net//static/search.html
  Réseaux IP Européens (RIPE) - https://apps.db.ripe.net/db-web-ui/query

DNS Databases
  Internet Corporation for Assigned Names and Numbers (ICANN) - https://lookup.icann.org/en/lookup
  MX Toolbox DNS Lookup - https://mxtoolbox.com/DNSLookup.aspx

Closed-source data aggregations are made available behind paywalls (and sometimes on the dark web) as private sources of information. Sites like Have I Been Pwned (HIBP) also provide useful information; HIBP attempts to protect the integrity of compromised user information by publishing only anonymized breach data (which may contain emails, phone numbers, usernames, passwords, birth dates, and more), but many other sites sell similar collections from millions of data breaches for the purpose of illegal and illicit activities. This passive data aggregation allows for the verification of corporate data, geolocation information, and the internal workings of user-to-account relationships.


Google Dorking

The Google search engine can be a very powerful tool when properly utilized. For example, searching for usna cyber will return over 35,000 results, but the dork usna cyber site:linkedin.com filetype:pdf will return only a few dozen results. Understanding the power of information that is published online is vital to your role as a leader and to your ability to control your own digital footprint!

Below are some other examples of Dorking in action. NOTE: Do NOT click on any of the links, as navigating sites without authorized access can constitute trespassing.

  1. Perform a Google search for intitle:"index of" inurl:ftp to see potentially exposed File Transfer Protocol (FTP) servers.
  2. Next, search for the following: site:instagram.com usna
     Note the number of search results returned (under the Tools dropdown).
  3. Refine the search by changing search parameter to: site:instagram.com intitle:usna company
     Note the change in the number of search results returned.
  4. Search for inurl:_cpanel/forgotpwd to look for password reset pages
  5. Search for allintext:username filetype:log to look up usernames in log files


Internet Device Search Engines: Shodan and Censys

Some tools, such as Shodan.io and Censys.io, perform active scanning of internet-connected devices around the world and then provide a search-engine-like interface to query their results. This can identify vulnerable and/or publicly facing, internet-connected devices, such as webcams or workstations with open remote desktop sessions. While these sites actively scan devices to gather this information, querying them does not initiate a connection to the device itself, so an attacker can use them in a passive manner.



Vulnerability and Exploit Databases

If an attacker identifies the service or software on a target, they may query publicly available vulnerability databases (CVE Details, NIST Vulnerability Database, CVE.org, etc.) to identify known security issues with target systems. Additionally, they may query exploit databases, especially ones that integrate with common hacking tools (such as Metasploit and the accompanying Rapid7 exploit database), to find existing code for attacking these vulnerabilities. Not only does this save an attacker significant time, but using an existing exploit on a known vulnerability can make attribution harder, as it becomes more difficult to identify tradecraft or tools uniquely associated with a particular attacker.

OPSEC and Non-Technical Reconnaissance

Not all the information attackers care about is technical in nature. Information such as work schedules, corporate hierarchies and dynamics, and even clothing can be valuable to an attacker. An attacker may want to attack when staffing is minimal (company picnic, etc.), then exfiltrate data when it can more easily blend in with daily network traffic. A savvy social engineer may use information gained about a company's culture, uniform, or terminology to appear like a legitimate worker. This information may itself be gleaned from technical sources (e.g., social media) and non-technical sources (e.g., physical observation).

Protecting against all forms of passive reconnaissance may be impossible - some details, such as the IP address of an external website, must be public for internet traffic to reach it. Similarly, in the military context, some information is unclassified, and travels along the same internet backbone as regular traffic. As a result, organizations may try to enforce Operations Security (OPSEC) policies to identify and protect critical information; some simple examples from the Fleet are restrictions on discussing ship movements or posting detailed photos of Common Access Cards.

Active Recon

Critical Infrastructure: A Major Target
Scanning a target for vulnerabilities is often not much of a concern, unless that target is the US Power Grid, and the people scanning are responsible for some of the most destructive cyberattacks in history. The Triton hacker group has probed the US Power Grid at least 20 times since 2018. The article THE HIGHLY DANGEROUS 'TRITON' HACKERS HAVE PROBED THE US GRID, from Wired Magazine, describes in some detail the potential repercussions of such actions.

Locard's Exchange Principle postulates that every time you make contact with another person, place, or thing, it results in an exchange of physical materials. This principle can also be applied across the board for all digital interactions, which increases the risk of attributing an adversary to activities conducted as a result of active recon. Visiting a website, scanning networks, and using network-based tools have the potential to uncover the origin of an attack before it happens.

When a client connects to a website, it sends an HTTP GET request, and the server's response returns the website data and images to the requesting client. The act of making that HTTP GET request reveals the adversary's IP address unless they are using a VPN or other methods to obfuscate their origin and identity. (Some browsers supported a dorking technique such as cache:westpoint.edu, which loads a cached copy of the website saved by the search engine instead of making an HTTP GET request to the site itself. Google no longer supports this feature.)

Banner Grabbing. Using the curl command to grab the HTTP banner of a website can reveal the server version and other information that could lead to uncovering a vulnerability to use in an attack. The Apache Web Server 2.4.49 vulnerability (CVE-2021-41773) was a 0-day that resulted in Remote Code Execution (RCE), allowing attackers to traverse the system's file path and run binaries remotely. While not associated with the Apache Web Server, the Apache Struts and Log4j vulnerabilities were exploited with the help of banner grabbing because it revealed outdated software versions when the network was enumerated, or scanned.

Banner grabbing the server below shows its current version (Apache 2.4.58), which is not vulnerable to the CVE-2021-41773 RCE attack.

m9999@ubuntu:~$ curl -s -I 
HTTP/1.1 302 Found
Date: Thu, 31 Jul 2025 15:21:48 GMT
Server: Apache/2.4.58 (Ubuntu)
Location: https://courses.cyber.usna.edu
Content-Type: text/html; charset=UTF-8

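The header block above can be checked programmatically. The following Python is an added example, not code from the course page: it parses a raw HTTP head as `curl -s -I` prints it, pulls the product and version out of the Server header, and reports whether a full version is disclosed and whether it matches the version the page names as affected by CVE-2021-41773 (Apache 2.4.49). The sample responses are constructed from the output above; the minimized banner (`Server: Apache`, which is what Apache's ServerTokens Prod setting produces) is an assumption included for comparison.

```python
"""Parse an HTTP response head (as printed by `curl -s -I`) and classify what the
Server banner discloses. Added example; sample responses are constructed."""
import re

# Constructed sample: the header block shown on the page, as curl -I prints it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Thu, 31 Jul 2025 15:21:48 GMT\r\n"
    "Server: Apache/2.4.58 (Ubuntu)\r\n"
    "Location: https://courses.cyber.usna.edu\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample of a server whose banner has been minimized (assumption:
# what Apache's `ServerTokens Prod` setting produces).
SAMPLE_MINIMAL = "HTTP/1.1 302 Found\r\nServer: Apache\r\n\r\n"

# Versions the page names as affected by CVE-2021-41773 (only the one it cites).
AFFECTED = {"Apache": ["2.4.49"]}


def parse_headers(raw):
    """Split a raw HTTP/1.1 head into (status_line, {name: value}).
    Header names are lower-cased because they are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; skip defensively
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_server_banner(banner):
    """Return (product, version_or_None, comment_or_None) from a Server header
    value such as 'Apache/2.4.58 (Ubuntu)' or just 'Apache'."""
    m = re.match(r"^\s*([A-Za-z][\w.-]*)(?:/([\w.]+))?\s*(?:\((.*)\))?", banner)
    if not m:
        return None, None, None
    return m.group(1), m.group(2), m.group(3)


def version_tuple(v):
    """'2.4.58' -> (2, 4, 58) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def assess(raw):
    """Classify the disclosure: 'none' (no Server header), 'product-only', or
    'version' (full version disclosed); flag a version listed in AFFECTED."""
    _, headers = parse_headers(raw)
    banner = headers.get("server")
    if banner is None:
        return {"disclosure": "none", "product": None, "version": None,
                "known_affected": False, "os_hint": None}
    product, version, comment = parse_server_banner(banner)
    if version is None:
        return {"disclosure": "product-only", "product": product, "version": None,
                "known_affected": False, "os_hint": comment}
    affected = any(version_tuple(version) == version_tuple(a)
                   for a in AFFECTED.get(product, []))
    return {"disclosure": "version", "product": product, "version": version,
            "known_affected": affected, "os_hint": comment}


if __name__ == "__main__":
    for label, sample in (("page sample", SAMPLE_RESPONSE), ("minimized", SAMPLE_MINIMAL)):
        print(label, assess(sample))
```

Run against your own hosts, a result of "version" is the cue to minimize the banner; a minimized banner patches nothing, it only reduces what this kind of recon reveals, so the version check still has to happen on the host itself.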

Network Mapper (NMAP). nmap is a very powerful network scanner used to discover hosts on a target network; it can use ICMP to determine which hosts are online and then probe those systems for open ports. As we discussed during our TCP/IP Stack lectures, certain ports are often associated with certain services, giving an attacker insight into the nature of a device (e.g., whether it is acting as a web server, DNS server, etc.). You will use nmap in your final labs as part of active reconnaissance operations.
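From the defender's side, a port scan of the kind nmap performs shows up in firewall or host logs as one source touching many distinct ports within a short time. The Python below is an added example, not from the course page or from nmap itself: it runs sliding-window detection logic over constructed firewall log lines (RFC 5737 documentation addresses; the key=value line format is an assumption, not any particular product's), reporting each source that reached at least a threshold number of distinct destination/port pairs inside the window.

```python
"""Sliding-window port-scan detection over firewall log lines. Added example;
the log lines and their format are constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sweeps 11 ports on one host in 4 seconds,
# another source makes ordinary web connections a minute apart.
SAMPLE_LOG = """\
2025-07-31T15:20:01Z src=203.0.113.5 dst=198.51.100.10 dport=22 proto=tcp action=DENY
2025-07-31T15:20:01Z src=203.0.113.5 dst=198.51.100.10 dport=23 proto=tcp action=DENY
2025-07-31T15:20:02Z src=203.0.113.5 dst=198.51.100.10 dport=25 proto=tcp action=DENY
2025-07-31T15:20:02Z src=203.0.113.5 dst=198.51.100.10 dport=53 proto=tcp action=DENY
2025-07-31T15:20:02Z src=203.0.113.5 dst=198.51.100.10 dport=80 proto=tcp action=ALLOW
2025-07-31T15:20:03Z src=203.0.113.5 dst=198.51.100.10 dport=110 proto=tcp action=DENY
2025-07-31T15:20:03Z src=203.0.113.5 dst=198.51.100.10 dport=143 proto=tcp action=DENY
2025-07-31T15:20:03Z src=203.0.113.5 dst=198.51.100.10 dport=443 proto=tcp action=ALLOW
2025-07-31T15:20:04Z src=203.0.113.5 dst=198.51.100.10 dport=445 proto=tcp action=DENY
2025-07-31T15:20:04Z src=203.0.113.5 dst=198.51.100.10 dport=3389 proto=tcp action=DENY
2025-07-31T15:20:05Z src=203.0.113.5 dst=198.51.100.10 dport=8080 proto=tcp action=DENY
2025-07-31T15:20:10Z src=192.0.2.77 dst=198.51.100.10 dport=443 proto=tcp action=ALLOW
2025-07-31T15:21:10Z src=192.0.2.77 dst=198.51.100.10 dport=443 proto=tcp action=ALLOW
2025-07-31T15:22:10Z src=192.0.2.77 dst=198.51.100.10 dport=80 proto=tcp action=ALLOW
"""


def parse_line(line):
    """'<ISO timestamp> key=value ...' -> event dict (assumed format)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def detect_scans(log_text, window_seconds=60, min_ports=10):
    """Return {src: {"distinct_targets", "window_start", "window_end"}} for every
    source that touched at least min_ports distinct (dst, dport) pairs within some
    window_seconds-long window. Keyed on (dst, dport) so both a vertical scan
    (many ports, one host) and a horizontal sweep (one port, many hosts) count."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        in_window = Counter()  # (dst, dport) -> hits currently inside the window
        start = 0
        for end, e in enumerate(evs):
            in_window[(e["dst"], e["dport"])] += 1
            # Slide the window start forward past events that are now too old.
            while e["ts"] - evs[start]["ts"] > window:
                old = (evs[start]["dst"], evs[start]["dport"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            n = len(in_window)
            if n >= min_ports and (src not in alerts or n > alerts[src]["distinct_targets"]):
                alerts[src] = {"distinct_targets": n,
                               "window_start": evs[start]["ts"], "window_end": e["ts"]}
    return alerts


if __name__ == "__main__":
    for src, a in detect_scans(SAMPLE_LOG).items():
        print(f"scan-like: {src} hit {a['distinct_targets']} targets "
              f"between {a['window_start']} and {a['window_end']}")
```

The threshold and window are the tuning knobs: a 60-second window with ten distinct ports catches a fast sweep like the constructed one, while a slow scan spread over hours needs a longer window (and a correspondingly higher tolerance for false positives from legitimate multi-port clients such as monitoring systems).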

Common Networking Tools. The common networking tools used during the TCP/IP Stack classes can also be leveraged to discover information about networks and their hosts (though improved security and Content Delivery Networks (CDNs) make it harder to recon internal network infrastructure). In the tracert output to google.com below, the route reaches Google's networks immediately after leaving the local network, and then a series of hops drop the ICMP packets (shown as timeouts) until the final destination responds.

PS C:\Users\m9999> tracert google.com

Tracing route to google.com [142.251.179.100]
over a maximum of 30 hops:

  1    18 ms    31 ms    21 ms  maryland-r2-gi0_0_0s2001.net.usna.edu [136.160.88.12]
  2    22 ms    19 ms    13 ms  ten2-4.usna-core.net.ums.edu [136.160.255.57]
  3    15 ms    25 ms    33 ms  ten2-3.annap-gw.net.ums.edu [136.160.254.145]
  4    29 ms    21 ms    18 ms  hun2-1.ashburn-core.net.ums.edu [131.118.255.250]
  5    20 ms    18 ms    20 ms  google1.net.ums.edu [131.118.255.178]
  6    18 ms    20 ms    20 ms  108.170.246.67        ==========+
  7    21 ms     *        *     142.251.49.19                   |
  8    29 ms    21 ms    18 ms  216.239.63.53                   |=> Google Networks
  9    83 ms    19 ms    18 ms  72.14.236.149                   |    (Likely CDN)
 10    19 ms    20 ms    21 ms  142.251.249.243       ==========+
 11     *        *        *     Request timed out.    ==========+
 12     *        *        *     Request timed out.              |
 13     *        *        *     Request timed out.              |
 14     *        *        *     Request timed out.              |
 15     *        *        *     Request timed out.              |
 16     *        *        *     Request timed out.              |=> ICMP Dropped
 17     *        *        *     Request timed out.              |
 18     *        *        *     Request timed out.              |
 19     *        *        *     Request timed out.              |
 20     *        *        *     Request timed out.              |
 21     *        *        *     Request timed out.    ==========+
 22    19 ms    26 ms    19 ms  pd-in-f100.1e100.net [142.251.179.100]

Trace complete.
C:\Users\m999>
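To draw the same observations from tracert output programmatically, here is an added Python example (not part of the course page): a parser for the Windows tracert format shown above that reports whether the trace reached the target, which hops lost some of their probes, and where a run of fully silent hops (ICMP dropped) lies. The sample is the trace above with the annotation column removed.

```python
"""Parse Windows `tracert` output and summarize the path. Added example; the
sample is the trace shown on the page with the side annotations removed."""
import re

SAMPLE_TRACERT = """\
Tracing route to google.com [142.251.179.100]
over a maximum of 30 hops:

  1    18 ms    31 ms    21 ms  maryland-r2-gi0_0_0s2001.net.usna.edu [136.160.88.12]
  2    22 ms    19 ms    13 ms  ten2-4.usna-core.net.ums.edu [136.160.255.57]
  3    15 ms    25 ms    33 ms  ten2-3.annap-gw.net.ums.edu [136.160.254.145]
  4    29 ms    21 ms    18 ms  hun2-1.ashburn-core.net.ums.edu [131.118.255.250]
  5    20 ms    18 ms    20 ms  google1.net.ums.edu [131.118.255.178]
  6    18 ms    20 ms    20 ms  108.170.246.67
  7    21 ms     *        *     142.251.49.19
  8    29 ms    21 ms    18 ms  216.239.63.53
  9    83 ms    19 ms    18 ms  72.14.236.149
 10    19 ms    20 ms    21 ms  142.251.249.243
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22    19 ms    26 ms    19 ms  pd-in-f100.1e100.net [142.251.179.100]

Trace complete.
"""

TARGET_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
# hop number, exactly three probe results ("NN ms", "<1 ms" or "*"), then the host part
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.+?)\s*$")
NAMED_RE = re.compile(r"^(\S+)\s+\[([\d.]+)\]$")  # "name [ip]" when reverse DNS resolved


def parse_rtt(token):
    """'21 ms' -> 21, '<1 ms' -> 1, '*' -> None (probe timed out)."""
    return None if token == "*" else int(re.sub(r"\D", "", token))


def parse_tracert(text):
    """Return (target, hops). target = {"name", "ip"}; each hop =
    {"hop", "rtts": [int|None]*3, "name": str|None, "ip": str|None}."""
    target, hops = None, []
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            target = {"name": m.group(1), "ip": m.group(2)}
            continue
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank, or "Trace complete." line
        rtts = [parse_rtt(t) for t in re.findall(r"<?\d+\s*ms|\*", m.group(2))]
        host_part, name, ip = m.group(3), None, None
        if host_part != "Request timed out.":
            mm = NAMED_RE.match(host_part)
            if mm:
                name, ip = mm.group(1), mm.group(2)
            else:
                ip = host_part  # no reverse DNS: tracert prints the bare address
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "name": name, "ip": ip})
    return target, hops


def reached_target(target, hops):
    """True when the last hop answered from the target's address."""
    return bool(hops) and target is not None and hops[-1]["ip"] == target["ip"]


def partial_loss_hops(hops):
    """Hop numbers where some, but not all, of the three probes timed out."""
    return [h["hop"] for h in hops
            if any(r is None for r in h["rtts"]) and not all(r is None for r in h["rtts"])]


def silent_runs(hops, min_len=2):
    """(first, last) hop-number ranges where every probe timed out, i.e. a stretch
    of devices that drop ICMP in transit while still forwarding the packets."""
    runs, start = [], None
    for h in hops:
        silent = all(r is None for r in h["rtts"])
        if silent and start is None:
            start = h["hop"]
        elif not silent and start is not None:
            if h["hop"] - start >= min_len:
                runs.append((start, h["hop"] - 1))
            start = None
    if start is not None and hops[-1]["hop"] - start + 1 >= min_len:
        runs.append((start, hops[-1]["hop"]))
    return runs


if __name__ == "__main__":
    target, hops = parse_tracert(SAMPLE_TRACERT)
    print("reached:", reached_target(target, hops), "hops:", len(hops))
    print("partial loss at:", partial_loss_hops(hops), "silent runs:", silent_runs(hops))
```

A long silent run followed by a responding destination, as here, means the intermediate devices forward traffic but do not send ICMP Time Exceeded messages; it reveals that the path exists but hides its internal structure, which is exactly the effect a defender wants from filtering ICMP at the edge.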

Supplemental Media:

Security+: Active vs. Passive Reconnaissance


Review Questions:

  1. What are the primary types of information an attacker aims to gather during cyber reconnaissance?
  2. Explain why understanding an organization's digital footprint is crucial during the reconnaissance phase. What kind of information contributes to this footprint?
  3. Describe the significance of identifying publicly available information about an organization's employees during cyber reconnaissance. What risks can this information pose?
  4. Give some examples of information about a target's technology infrastructure that an attacker might seek during reconnaissance.
  5. What is the key distinction between passive and active cyber reconnaissance techniques?
  6. Provide two examples of passive reconnaissance methods and explain why they are considered "passive."
  7. Provide two examples of active reconnaissance methods and explain why they are considered "active."
  8. Discuss the relative risks associated with passive versus active reconnaissance for the attacker.
  9. Under what circumstances might an attacker prefer to use primarily passive reconnaissance? When might they opt for active reconnaissance?
  10. What is the main goal of conducting network reconnaissance as part of a cyber attack?
  11. How does information gathered during network reconnaissance help an attacker plan and execute subsequent stages of an attack?
  12. Explain the importance of identifying network topology and connected devices during network reconnaissance.
  13. Why would an attacker be interested in identifying open ports and running services on a target network?
  14. Describe how network reconnaissance can help an attacker identify potential vulnerabilities in a target system or network.
  15. List at least three commonly used command-line tools for basic network reconnaissance. For each tool you listed, briefly describe its primary function in network reconnaissance.
  16. What type of information can tools like ping and traceroute reveal during network reconnaissance?


References

  1. The Navy's Cybersecurity Focus - https://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=9606 October 2017
  2. What is Defense in Depth? - https://www.forcepoint.com/cyber-edu/defense-depth July 2019
  3. Metasploit - https://www.metasploit.com/ July 2019
  4. THE HIGHLY DANGEROUS 'TRITON' HACKERS HAVE PROBED THE US GRID - https://www.wired.com/story/triton-hackers-scan-us-power-grid/ June 2019