Reconnaissance: Active & Passive Scanning
Overview
Reconnaissance is a critical phase in network security and penetration testing, where attackers or security professionals gather information about a target to identify potential vulnerabilities. This post covers passive and active reconnaissance techniques, including tools, commands, and methodologies to collect data such as IP addresses, DNS information, subdomains, web technologies, and more.
Passive Reconnaissance
Passive reconnaissance involves gathering information without directly interacting with the target, reducing the risk of detection. The goal is to collect data like IP addresses, DNS records, directories, names, email addresses, phone numbers, physical addresses, web technologies, and subdomains.
What are we looking for?
IP addresses & DNS information
Directories & file locations
Names, email addresses, phone numbers, physical addresses
Web technologies & infrastructure
Subdomains & associated services
Website Recon & Footprinting
- Resolve Domain to IP: Retrieves the IP address associated with a domain (these tools take a bare hostname, not a URL).
```bash
host <domain>
nslookup <domain>
```
- Identify Web Technologies: Determines the technologies (e.g., CMS, frameworks, servers) used by a website. Tools like Wappalyzer and BuiltWith (browser extensions) can assist, or use command-line tools.
```bash
whatweb <url>        # Standard scan
whatweb -a 1 <url>   # Stealthy mode (aggression level 1, the default)
whatweb -a 3 <url>   # Aggressive mode (sends extra requests to confirm matches)
webtech -u <url>     # Alternative tool
```
- Check Robots.txt: Retrieves the robots.txt file, which may reveal restricted directories or sensitive paths.
```bash
curl http://<url>/robots.txt
```
- Check Sitemap: Retrieves the sitemap.xml file, which lists accessible pages and resources.
```bash
curl http://<url>/sitemap.xml
```
- WHOIS Lookup: Provides domain registration details, such as owner, registrar, and contact information.
```bash
whois <domain>
whois -h <whois-server> <domain>   # query a specific WHOIS server instead of the default
```
- DNS Reconnaissance: Collects DNS-related information, such as A, MX, NS, and TXT records.
```bash
dnsrecon -d <domain>
```
- Subdomain Enumeration: Identifies subdomains associated with a target domain.
```bash
sublist3r -d <domain>   # Fast subdomain enumeration from public sources
amass enum -d <domain>  # In-depth attack surface mapping
dnscan -d <domain>      # Python-based subdomain scanner
```
- Firewall Detection: Identifies if a web application firewall (WAF) is protecting the target.
```bash
wafw00f <url> -a   # -a tests for all known WAFs instead of stopping at the first match
```
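robots.txt and sitemap.xml are public by design, so a site owner should read them the way the passive steps above do. As an added example (not from the original post), this Python parser handles both formats on constructed sample content and cross-references them to find paths that robots.txt marks Disallow while the sitemap still advertises them; the sample files and example.com URLs are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample inputs standing in for `curl http://<url>/robots.txt` and /sitemap.xml.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Sitemap: https://example.com/sitemap.xml
User-agent: Googlebot
Disallow: /staging/
"""
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/admin/login</loc></url>
</urlset>
"""

def parse_robots(text):
    """Return ({user-agent: [disallowed path prefixes]}, [sitemap URLs])."""
    groups, sitemaps, agents, seen_rule = {}, [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if ":" not in line:
            continue                           # blank or malformed line
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                      # rules already seen: a new group starts
                agents, seen_rule = [], False
            agents.append(value)
            groups.setdefault(value, [])
        elif field in ("disallow", "allow"):
            seen_rule = True
            if field == "disallow" and value:  # an empty "Disallow:" allows everything
                for agent in agents:
                    groups[agent].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps

def parse_sitemap(xml_text):
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}   # every <loc> in the sitemap
    return [loc.text.strip() for loc in ET.fromstring(xml_text).findall("sm:url/sm:loc", ns)]

def exposed_paths(robots_text, sitemap_text):
    """Sitemap URLs under a Disallow prefix: robots.txt 'hides' them, the sitemap advertises them."""
    disallowed = {p for paths in parse_robots(robots_text)[0].values() for p in paths}
    return sorted(u for u in parse_sitemap(sitemap_text)
                  if any(urlparse(u).path.startswith(p) for p in disallowed))
```

Point the two parsers at the output of the curl commands above to audit your own site; a Disallow line is a hint to crawlers, not an access control, so anything it names needs real authentication.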
Website technology fingerprinting
Wappalyzer (Browser extension)
BuiltWith (Browser extension & website)
What is that site running?
Google Dorks (Google Hacking)
Google can be used to discover hidden resources, files, and sensitive data.
```text
intitle:admin                      # Admin pages
site:example.com inurl:admin       # Admin pages in example.com
site:*.example.com                 # Find subdomains
filetype:pdf                       # Search for PDFs
inurl:uploads                      # Look for uploads directories
intitle:"index of" htpassword      # Search for index listing
```
Finding older versions of a website
Google Hacking Database (GHDB)
Leaked Password Databases
- Have I Been Pwned - Check if an email has been compromised.
Active Reconnaissance
Active reconnaissance involves direct interaction with the target, such as scanning ports, enumerating DNS records, or probing services. This approach provides more detailed information but increases the risk of detection.
Nmap SYN Scan
Performs a TCP SYN (half-open) scan across all 65535 ports with the fastest timing template. Raw SYN scanning needs root, and -T5 trades accuracy for speed: it is the noisiest option and can miss ports on slow or rate-limited hosts, so -T4 is the usual compromise:
```bash
sudo nmap -sS -T5 -p- <ip>
```
Masscan
A high-speed TCP port scanner that sends SYN packets:
```bash
masscan <ip> -p1-65535   # run as root; --rate <pps> controls how many packets/second it sends
```
Rustscan
A modern, fast port scanner written in Rust:
```bash
rustscan -a <ip>
```
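From the target's side, all three scanners above look alike: one source sends SYNs to many distinct ports in a short time. As an added example (not part of the original post), this Python detector runs that check over constructed iptables-style LOG lines; the log format, addresses and thresholds are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style LOG lines (not captured traffic): 10.0.0.5 hits 40 ports
# on 10.0.0.10 within 40 seconds (what `nmap -sS -p-` or masscan look like from the
# target side); 10.0.0.7 makes two ordinary connections.
SAMPLE_LOG = [
    f"2024-05-01T12:00:{i:02d} kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.10 "
    f"PROTO=TCP SPT={44000 + i} DPT={port} SYN"
    for i, port in enumerate(range(20, 60))
] + [
    "2024-05-01T12:00:05 kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=443 SYN",
    "2024-05-01T12:00:30 kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.10 PROTO=TCP SPT=51001 DPT=22 SYN",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)\b.*\bSYN\b"
)

def parse_syn(line):
    """Extract (timestamp, src, dst, dport) from a TCP SYN log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=20):
    """Flag (src, dst) pairs where one source SYNs >= min_ports distinct ports within `window`."""
    events = defaultdict(list)                     # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        ev = parse_syn(line)
        if ev:
            ts, src, dst, dport = ev
            events[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):                # sliding window over time-ordered SYNs
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best})
    return alerts
```

Tune `window` and `min_ports` to your environment: a slow nmap timing template spreads the same SYNs over a much longer window, so a second, wider window with a higher threshold catches it without flagging ordinary clients.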
Visual Website Inspection
Tools like Aquatone or EyeWitness capture screenshots of websites across multiple hosts for visual analysis:
```bash
aquatone <url>
eyewitness --web -f <url-list>
```
DNS Enumeration
Collects the standard records and brute-forces subdomains from a wordlist (the brt type is what uses the -D wordlist; std alone does not brute-force), writing results to XML:
```bash
dnsrecon -d <domain> -D /usr/share/wordlists/dnsmap.txt -t std,brt --xml output.xml
```
DNS Records
Retrieves DNS records (A, MX, TXT, NS). Many resolvers now answer ANY with a minimal response (RFC 8482), so query record types individually when the output looks truncated:
```bash
dig any <domain>
dig <domain> mx   # ask for one record type when ANY is refused
dnsenum <domain>
```
DNS Zone Transfer
Attempts to copy the DNS zone from an authoritative nameserver, which only succeeds if that server is misconfigured to allow transfers to anyone. Query the authoritative server directly (from the NS records); a recursive resolver will not serve a zone:
```bash
dig axfr <domain> @<nameserver>
fierce --domain <domain>   # the older Perl fierce used: fierce -dns <domain>
```
Website Download
Downloads an entire website for offline analysis:
```bash
httrack <url>
```
Host Discovery
Identifies active hosts in a network or subnet:
```bash
sudo netdiscover -i eth0 -r <subnet>   # ARP-based, so it needs raw socket privileges
```
Ping Sweep
Checks for live hosts across a subnet using ICMP:
```bash
fping -a -g <subnet> 2>/dev/null
```
Map IP to Domain Locally
Maps an IP to a domain in the local /etc/hosts file:
```bash
sudo nano /etc/hosts
# Add a line of the form:
<ip> <domain>
```
DNS Zone Transfers
DNS zone transfers allow administrators to replicate DNS records between servers. If misconfigured, attackers can exploit this to retrieve a complete list of DNS records. Use Case: Identify subdomains, mail servers, or other infrastructure details:
```bash
dig axfr example.com @<nameserver>   # an authoritative server for the zone, as listed by: dig ns example.com
```
DNS Interrogation
Active DNS interrogation involves querying DNS servers directly to enumerate records. Unlike passive methods, active interrogation may yield more detailed records (e.g., A, MX, NS, TXT):
```bash
dig any example.com   # if ANY is refused (RFC 8482), query A, MX, NS and TXT separately
```
Final Thoughts
Passive vs. Active: Passive reconnaissance minimizes detection risk but may yield less data. Active reconnaissance provides deeper insights at the cost of potential detection by firewalls or IDS.
Ethical Use: Always obtain permission before performing active reconnaissance on a target network or system.