Active Reconnaissance / Active Recon

Active recon is the phase of reconnaissance in which the tester interacts directly with the target system or network, either from their own machine or from a Virtual Private Server (VPS) they control. It relies on automated scanning and manual probing with tools such as nmap, traceroute and others discussed below, so it is faster and yields more concrete, actionable results than passive recon. The trade-off is that every probe reaches the target, so active recon is visible in the target's logs and to intrusion detection systems.

What Happens During Active Recon?

During the active recon phase we communicate directly with the target to obtain information that will be useful later in the attack. Specifically, we are looking for a vulnerability or weakness that can be leveraged in the next stage of the kill chain. The active methodology is built on tools that send various types of queries to the machine, in order to gather information about that device and about other devices connected to the same network. Active recon can uncover open, closed and filtered ports, a machine's OS, running services and their versions (banner grabbing), new hosts, and vulnerable applications on a host.

Major Techniques Used For Active Recon

Port Scanning

Before moving on to port scanning, let us first cover what a port is and what it is used for. A port is a 16-bit number that identifies a particular process or service on a host, so that many programs on the same machine can exchange data with other hosts over a single IP address. Ports are used by the two main transport protocols: the Transmission Control Protocol (TCP), a connection-oriented standard that lets applications exchange messages reliably and in order, and the User Datagram Protocol (UDP), a connectionless protocol designed for time-sensitive applications such as gaming, video streaming and DNS lookups, because it does not spend time establishing a connection before sending data.

Port Numbers

Port numbers range from 0 through 65535 and are divided into three ranges administered by IANA:
0 – 1023 : Well-Known or System Ports (assigned to widely used services, e.g. 22 SSH, 53 DNS, 80 HTTP, 443 HTTPS)
1024 – 49151 : Registered Ports (assigned to specific applications on request)
49152 – 65535 : Dynamic or Private (Ephemeral) Ports (never assigned; used for the client side of connections)

Port Scan

By probing different ports on a host (a device connected to the network), or the same port on several hosts, port scanning discovers which services are exposed and potentially vulnerable. A port scan sends a network request to a specified TCP or UDP port and records which of three responses comes back:
Open: the port is listening; the request is accepted and a legitimate response (for TCP, a SYN-ACK) comes back.
Closed: nothing is listening; the host answers with an error (a TCP RST, or an ICMP port-unreachable message for UDP).
Filtered: the probe is dropped or blocked by a firewall or IPS (Intrusion Prevention System), so either no response comes back at all or only an ICMP administratively-prohibited error.

Port scanning Techniques

Various approaches are used to send packets to destination ports during a port scan. Among them are the following:
Ping Scans
The simplest type of scan, also called host discovery. It sends ICMP (Internet Control Message Protocol) echo requests to the targeted hosts to learn whether they are alive before any ports are probed. Because many networks block ICMP, scanners such as nmap also fall back on TCP SYN/ACK and ICMP timestamp probes for the same purpose.
TCP Half-Open
The most common and popular scanning technique, also referred to as a SYN scan. It is quick and relatively stealthy and looks for open ports on the target. It never completes the full TCP three-way handshake: the scanner sends a SYN, records whether the reply is a SYN-ACK (open) or a RST (closed), and then sends a RST of its own to tear the half-open connection down instead of the final ACK, so no full connection is ever handed to the application that could log it. Crafting these packets requires raw-socket access, i.e. root or administrator privileges.

Special note: How a Connection is Established

When you start a TCP connection, you send a packet to the destination with the SYN (synchronize) flag set. The destination responds with a packet with the SYN-ACK (synchronize-acknowledge) flag set, acknowledging the synchronized request. Finally, by sending the destination a packet with the ACK flag set, the sender acknowledges that it received the SYN-ACK response packet. A connection has now been established.

TCP Connect
This is the most basic scanning method and needs no special privileges, because it simply asks the operating system to connect() to each port. Unlike the half-open scan, the scanner completes the three-way handshake by sending the final ACK instead of tearing the connection down early. It is slower and noisier: there are more packets per port, and because a full connection is established the service itself sees it, so the scan is more likely to show up in application logs and to alert firewalls and IPS.
UDP Scans
UDP scans work by sending a packet that is typically empty, although for well-known ports the scanner can send a protocol-specific payload (for example a DNS query to port 53) to coax a reply. They are mostly used to find services such as DNS, SNMP and DHCP, and they are slow and less reliable than TCP scans because UDP has no handshake to confirm that a packet arrived. If the target answers with an ICMP port unreachable error (type 3, code 3), the port is closed. If it answers with an ICMP unreachable message carrying another code (1, 2, 9, 10 or 13), the port is filtered. If a UDP reply comes back, the port is open. If nothing comes back at all, the port is recorded as open|filtered, since silence can mean either a service that ignored the probe or a firewall that dropped it.
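The three port states described above, the TCP connect scan and the UDP probe, as an added example in Python (this is not code from the original article). It uses only the standard library; the "targets" are listeners the script itself constructs on 127.0.0.1 (a fake SSH-style banner service, a UDP echo service, a bound-but-silent UDP socket and a port nobody listens on), so it runs offline and needs no privileges. The banner text and the b"probe" payload are constructed for the demo:

```python
"""Added example (not from the original article): TCP connect and UDP probes, classified
the way a port scanner classifies them. Every target is a listener constructed inside
this script on 127.0.0.1, so it runs offline and needs no special privileges."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_probe(host, port, timeout=1.0):
    """connect() makes the kernel run the full SYN / SYN-ACK / ACK handshake.
    Returns (state, banner): open, closed (RST came back) or filtered (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:          # the SYN was answered with RST
            return "closed", b""
        except OSError:                         # timeout or ICMP unreachable: dropped somewhere
            return "filtered", b""
        try:
            banner = s.recv(256)                # SSH, FTP and SMTP servers speak first
        except OSError:
            banner = b""
        return "open", banner

def udp_probe(host, port, payload=b"probe", timeout=1.0):
    """UDP has no handshake, so the only hard evidence is a reply or an ICMP error. A
    'connected' UDP socket makes the kernel report ICMP port unreachable (type 3, code 3)
    as ECONNREFUSED on the next send or recv."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            return "open", s.recv(512)          # any UDP reply proves the port is open
        except ConnectionRefusedError:
            return "closed", b""                # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered", b""         # silence: ignored payload or firewall drop
        except OSError:
            return "filtered", b""              # other ICMP unreachable codes (1, 2, 9, 10, 13)

def scan(host, tcp_ports=(), udp_ports=(), timeout=1.0, workers=16):
    """Probe all ports concurrently; returns {(proto, port): (state, data)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {("tcp", p): pool.submit(tcp_connect_probe, host, p, timeout) for p in tcp_ports}
        futures.update({("udp", p): pool.submit(udp_probe, host, p, b"probe", timeout) for p in udp_ports})
        return {key: f.result() for key, f in futures.items()}

# Constructed targets so the demo has something to scan.
def _tcp_banner_service(banner):
    """Accepts connections and sends a fake service banner, as sshd would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def _udp_echo_service():
    """Answers every datagram, like a chatty UDP service."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def loop():
        while True:
            try:
                data, peer = sock.recvfrom(512)
                sock.sendto(b"echo:" + data, peer)
            except OSError:
                return

    threading.Thread(target=loop, daemon=True).start()
    return sock, sock.getsockname()[1]

def _unused_port(kind):
    """Bind to port 0, read the number, release it: nothing listens there now."""
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo(timeout=0.5):
    tcp_srv, tcp_open = _tcp_banner_service(b"SSH-2.0-OpenSSH_9.6 constructed-banner\r\n")
    udp_srv, udp_open = _udp_echo_service()
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # bound but never answers
    silent.bind(("127.0.0.1", 0))
    ports = {"tcp_open": tcp_open, "tcp_closed": _unused_port(socket.SOCK_STREAM),
             "udp_open": udp_open, "udp_silent": silent.getsockname()[1],
             "udp_closed": _unused_port(socket.SOCK_DGRAM)}
    try:
        results = scan("127.0.0.1", (ports["tcp_open"], ports["tcp_closed"]),
                       (ports["udp_open"], ports["udp_silent"], ports["udp_closed"]), timeout)
    finally:
        for s in (tcp_srv, udp_srv, silent):
            s.close()
    return results, ports
```

Running demo() shows the asymmetry the text describes: the TCP side gives a definite open/closed answer for every port (and grabs the banner from the open one), while the silent UDP port can only be reported as open|filtered. Point scan() at a real host with a realistic timeout and you have a minimal, unprivileged equivalent of nmap -sT and -sU.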
Stealth Scanning – NULL, FIN and X-MAS
Stealth scanning is named for the fact that the scanner sets the TCP flags in such a way as to provoke a response from the target without going through the handshake or establishing a connection.

Side Note

In these scans a RST packet means the port is closed; no reply means the port is either open or filtered (nmap reports it as open|filtered); and an ICMP unreachable error means it is filtered.
NULL Scan
It sends a TCP packet without setting any flags and fires it at the target.
FIN Scan
It sends a TCP packet with the FIN Flag set without first establishing connection with the target.
X-MAS Scan
It sends a TCP packet with the URG, PSH and FIN flags set, lighting the header up "like a Christmas tree", and fires it at the target.
The advantage of these scans is that they are unlikely to appear in application logs, because no connection is ever established, and they can slip past some stateless firewalls. The drawback is that they rely on RFC 793 behaviour (a closed port answers with RST, an open port stays silent). Microsoft Windows, many Cisco devices and some other TCP/IP stacks do not follow this and answer every such probe with a RST, so against those targets every port appears closed.
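The three-way handshake (special note above), the SYN scan and the NULL/FIN/Xmas scans, as an added example in Python that is not from the original article: it builds the 20-byte TCP header each scan type would send, with a correct checksum over the IPv4 pseudo-header, and interprets replies into nmap's port states. Nothing is transmitted (sending hand-built segments needs a raw socket and root, which this deliberately leaves out). The addresses 192.0.2.x are documentation addresses used only to compute checksums; the scan-type names and the response labels are this example's own:

```python
"""Added example (not from the original article): build the TCP segment each scan type
sends and interpret the answers the way Nmap does. Nothing is transmitted; putting these
bytes on the wire needs a raw socket and root, which this example leaves out."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination per scan type: half-open is just SYN; Xmas lights up URG, PSH and FIN.
SCAN_FLAGS = {"syn": SYN, "null": 0, "fin": FIN, "xmas": FIN | PSH | URG, "ack": ACK}


def internet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: src, dst, zero, protocol (6), TCP length. Ties the checksum to
    the addresses, so a segment replayed to another host fails verification."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip, dst_ip, src_port, dst_port, flags, seq=0, window=1024):
    """20-byte TCP header, no options, no payload, checksum filled in."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)  # data offset = 5 words, reserved bits 0
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_and_flags, window, 0, 0)
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp_header(segment):
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": off_flags & 0x1FF,
            "window": window, "checksum": csum, "urgent": urg}


def checksum_ok(src_ip, dst_ip, segment):
    """Summing everything including the checksum field yields 0 when the segment is intact."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flag_names(flags):
    names = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]
    return "|".join(name for bit, name in names if flags & bit) or "NONE"


def interpret(scan_type, response):
    """response is 'syn-ack', 'rst', 'icmp-unreachable' or None (silence).
    Mirrors Nmap's port states. For NULL/FIN/Xmas, silence is ambiguous (open|filtered), and
    a stack that answers every probe with RST (Windows, many Cisco devices) makes every port
    look closed, which is the caveat in the text above."""
    if response == "icmp-unreachable":
        return "filtered"
    if scan_type == "syn":
        return {"syn-ack": "open", "rst": "closed", None: "filtered"}.get(response, "unexpected")
    if scan_type in ("null", "fin", "xmas"):
        return {"rst": "closed", None: "open|filtered"}.get(response, "unexpected")
    if scan_type == "ack":                          # ACK scan maps firewall rules, not open ports
        return {"rst": "unfiltered", None: "filtered"}.get(response, "unexpected")
    raise ValueError(f"unknown scan type {scan_type!r}")


if __name__ == "__main__":
    for name, flags in SCAN_FLAGS.items():
        seg = build_tcp_segment("192.0.2.1", "192.0.2.10", 40000, 80, flags, seq=1)
        print(f"{name:<5} {flag_names(flags):<12} {seg.hex()}  "
              f"checksum_ok={checksum_ok('192.0.2.1', '192.0.2.10', seg)}")
```

The checksum detail matters in practice: a scanner (or an IDS replaying captured probes) that gets the pseudo-header wrong produces segments the target's stack silently discards, which looks exactly like a filtered port.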

Most Common Tools Used in Port Scanning

NMAP

Nmap (Network Mapper) is a free open source security auditing and network scanning program. When performing network penetration testing, Nmap comes in handy. It not only provides network information but also aids in the discovery of system security concerns.

The most commonly used Nmap options are listed below:

Syntax

nmap <FLAG> <TARGET IP>

FLAG   DESCRIPTION
-sn    Host discovery only (ping scan, no port scan; the older spelling -sP still works)
-sS    TCP SYN (half-open) port scan, requires root
-sT    TCP connect port scan
-sU    UDP port scan
-sA    TCP ACK port scan (maps firewall rules rather than open ports)
-p-    Scan all 65535 ports instead of the default top 1000
-O     OS detection
-Pn    Skip host discovery (treat every host as up)
-sV    Service version detection
-sC    Scan with the default NSE scripts (same as --script=default)

[Figure: Nmap scan example]
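Reading Nmap's results programmatically, as an added example not from the original article: Nmap writes machine-readable XML with -oX (use -oX - to send it to stdout), and this parses that format into plain Python data. The XML below is a constructed sample in Nmap's format for the documentation address 192.0.2.10, not the output of a real scan; the service versions and OS match in it are made up:

```python
"""Added example (not from the original article): parse Nmap XML output (nmap ... -oX -)
into plain Python data. SAMPLE_NMAP_XML is a constructed sample in Nmap's format for the
documentation address 192.0.2.10, not output from a real scan."""
import sys
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 192.0.2.10" version="7.94">
<host>
  <status state="up" reason="syn-ack"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="target.example" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
      <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
      <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/>
      <service name="https" method="table" conf="3"/></port>
    <port protocol="tcp" portid="3306"><state state="closed" reason="reset" reason_ttl="64"/>
      <service name="mysql" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
</nmaprun>
"""


def _attr(elem, name):
    """Attribute of an element that may be absent."""
    return elem.get(name) if elem is not None else None


def parse_nmap_xml(xml_text):
    """One dict per <host>, with its ports and the reason Nmap recorded for each state."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        ports = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            version = " ".join(v for v in (_attr(svc, "product"), _attr(svc, "version")) if v)
            ports.append({
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),          # syn-ack, reset, no-response, ...
                "service": _attr(svc, "name"),
                "version": version,
                # method="probed": -sV actually talked to the service and identified it;
                # method="table": only a guess from the nmap-services port list.
                "fingerprinted": _attr(svc, "method") == "probed",
            })
        osmatch = host.find("os/osmatch")
        hosts.append({
            "address": _attr(host.find("address[@addrtype='ipv4']"), "addr"),
            "hostname": _attr(host.find("hostnames/hostname"), "name"),
            "up": _attr(host.find("status"), "state") == "up",
            "os": _attr(osmatch, "name"),
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
            "ports": ports,
        })
    return hosts


def open_ports(host):
    return [p["port"] for p in host["ports"] if p["state"] == "open"]


def state_counts(host):
    counts = {}
    for p in host["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    # Pipe real output in:  nmap -sS -sV -oX - <target> | python3 parse_nmap.py
    xml_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NMAP_XML
    for h in parse_nmap_xml(xml_text):
        print(f"{h['address']} ({h['hostname']}) up={h['up']} os={h['os']} {state_counts(h)}")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['protocol']:<3} {p['state']:<9} {p['service'] or '?':<8} {p['version']}")
```

The reason attribute is worth keeping: "reset" versus "no-response" tells you whether a closed-looking port really answered or whether something in between dropped the probe, and "fingerprinted" separates versions Nmap actually confirmed with -sV from guesses based on the port number alone.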
ZENMAP

Zenmap is a user interface for the Nmap security scanner (Graphical User Interface). It is a free and open source multi-platform program with a user-friendly interface.

Key Features

  • Supports the same scan types and options as Nmap.
  • Save Scan Result in Database.
  • Can compare current scan results with past scans.
  • For regularly used port discovery methods, save port scan profiles.

Some Other alternatives tools that can be used for Port scanning are listed below:

  • Angry IP Scanner
  • Netcat
  • Advanced IP Scanner
  • Unicornscan

Web Vulnerability Scanning

Before moving to our main topic let us first discuss, what is vulnerability, vulnerability scanner, types of vulnerability scans and many more.

Vulnerabilities

Vulnerabilities are defects in software or misconfigurations in systems that an attacker can exploit to gain unauthorised access to, or elevated privileges on, a system or network.

Vulnerability Scanner

A vulnerability scanner is an assessment tool that looks for misconfigurations or coding defects that could put your systems at risk. To recognise known vulnerabilities, scanners match what they observe (software versions, banners, configuration) against databases such as CVE (Common Vulnerabilities and Exposures) or the NVD (National Vulnerability Database); to find issues that have no CVE, they probe for common defect classes such as injection, default credentials or missing access controls.

Types of Vulnerability Scans

A corporation can run a variety of vulnerability scans, each with its own strengths and limitations. Here the focus is on external and internal scans and on how each helps an organisation stay secure.

External Scans

External vulnerability scans are conducted from outside the network being tested in order to locate, identify and help close potential entry points for unwanted intrusion. An external scan is run without access to the network, from the perspective of an outsider. In recent years infrastructure has increasingly moved to the cloud, and external scanning matters even more there, because misconfigured, publicly exposed cloud deployments of databases, storage and other services have been widespread. External vulnerability scans typically look at firewalls, routers, DNS servers and web services.

Key Features of External Scans
  • Identify internet-exposed devices and services that could present a threat or vulnerability to the company.
  • Identify the most critical threats and risks at the company's network perimeter.
  • Help determine the security posture of the services that are exposed to the public.
  • Demonstrate known flaws in the network topology that could lead to a security breach.
Internal Scans

Internal vulnerability scans search for vulnerabilities in the network's internal components. A common misconception is that breaches only come from outside an organisation, but trouble can start inside as well. Internal scans thoroughly check the company's IT infrastructure for vulnerabilities, and for gaps in internal firewalling, that leave it susceptible to an attack or breach from the inside. They take an insider's perspective: someone who already has access to the company's network and systems, for example a disgruntled employee, or an outside attacker who has compromised one employee's machine. The scan is therefore run from inside the network, with ordinary network access.

Key Features of Internal Scans
  • Simulate the actions of someone with standard privileges to uncover vulnerabilities that could degrade business-critical systems, functions and operations.
  • Validate insider access rights and privileges, identify at-risk systems and prioritise remediation.
  • Provide the information needed for patch management and security management.
  • Help demonstrate compliance with regulatory requirements or security standards such as HIPAA, PCI DSS or ISO 27001/27002.

A web application vulnerability scanner is an automated security tool that crawls web servers, proxy servers and web application servers looking for vulnerabilities, misconfigurations, malware and logical problems in online applications. These scanners perform black-box tests: they do not need access to the source code and instead send crafted requests from the outside, as an attacker would, to test for security issues.

These scanners test for known vulnerability classes such as those catalogued by OWASP (Open Web Application Security Project) in the OWASP Top 10 and in vendor-specific checks. They exercise the same injection and evasion techniques attackers use to hijack web applications and websites, including SQL injection, command injection, directory traversal and cross-site scripting (XSS), in order to show where data could be exfiltrated or the application disrupted.
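What one of those black-box checks looks like in practice, as an added example in Python that is not from the original article: a minimal reflected-XSS probe of the kind a web vulnerability scanner runs, exercised against a constructed local web app (standard library http.server) with a vulnerable endpoint, /search, that echoes the q parameter raw, and a hardened one, /search_safe, that HTML-encodes it. The endpoint paths, parameter name and canary format are this example's own:

```python
"""Added example (not from the original article): the black-box probe a web vulnerability
scanner sends for reflected cross-site scripting, run against a constructed local app with
one vulnerable endpoint (/search) and one output-encoded endpoint (/search_safe)."""
import html
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoApp(BaseHTTPRequestHandler):
    """Constructed target: /search echoes ?q= into the page unchanged (vulnerable);
    /search_safe HTML-encodes it for the element context (hardened)."""

    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/search":
            body = f"<h1>Results for {q}</h1>"                        # raw user input in HTML
        elif url.path == "/search_safe":
            body = f"<h1>Results for {html.escape(q, quote=True)}</h1>"
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):                                     # keep the demo quiet
        pass


def start_app():
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def check_reflected_xss(base_url, path, param, timeout=5.0):
    """Inject a unique canary inside markup that would close an attribute and open a new
    element. An unencoded echo means the parameter is injectable; an entity-encoded echo
    shows the output encoding that stopped it. The canary is a marker, not a working exploit."""
    canary = "c" + secrets.token_hex(4)              # fresh per request: no hits on static page text
    payload = f'"><svg onload={canary}>'
    query = urllib.parse.urlencode({param: payload})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))   # never via a proxy
    with opener.open(f"{base_url}{path}?{query}", timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return {"path": path, "param": param,
            "vulnerable": payload in body,
            "encoded": html.escape(payload, quote=True) in body}


def scan_targets(base_url, paths, param="q"):
    return {path: check_reflected_xss(base_url, path, param) for path in paths}


def demo():
    srv, base = start_app()
    try:
        return scan_targets(base, ["/search", "/search_safe"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, finding in demo().items():
        print(f"{path:<13} q= {'REFLECTED UNENCODED' if finding['vulnerable'] else 'encoded'}")
```

A real scanner repeats this for every parameter it discovers while crawling, with payloads for each output context (HTML body, attribute, JavaScript string, URL), and does the same for the other injection classes mentioned above; the detection principle is the same: send a marker, see how it comes back.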

Web Application Vulnerability Management

A practical vulnerability management strategy for web applications is to shift left: adopt DevSecOps practices that catch common bugs and security issues before release, and deploy scanners throughout the Software Development Life Cycle (SDLC). Static Application Security Testing (SAST) tools analyse source code (or bytecode) without running it, while Dynamic Application Security Testing (DAST) tools test the running application from the outside, in every environment from development to production.

Key Features of Web Vulnerability Scanner

  • They crawl a large number of web pages and other web assets. Many are hosted services run from the vendor's cloud, so nothing has to be installed alongside the application itself.
  • They identify known classes of security vulnerability such as injection, directory traversal, cross-site scripting, cross-site request forgery and broken authentication, on a daily or on-demand schedule.
  • Business logic flaws are largely beyond automated detection, but some scanners let you add application context and custom rules so that logic checks specific to your application are not missed.
  • They can be integrated into the SDLC to detect errors, vulnerabilities and misconfigurations early in development, so developers do not have to wait for a testing stage to remediate them.
  • Some products also monitor for defacement and vandalism and alert IT security teams in real time so they can act immediately.
  • It offers detailed reporting and extensive documentation along with remediation guides.

Most Common Tools Used in Website Vulnerability Scanning

Burp Suite

Burp Suite is a Java-based graphical platform for web application security testing. It supports the whole testing process, from initial mapping and analysis of an application's attack surface through finding and exploiting security vulnerabilities. It consists of several tools: the Proxy (an intercepting proxy that lets the user inspect and modify the traffic between the browser and the web server), Spider (now the crawler inside Burp Scanner; enumerates and maps a site's pages and parameters), Intruder (automated, customisable attacks such as fuzzing and brute forcing), Repeater (manually modify and resend individual requests to the server) and more.

[Figure: Burp Suite Repeater]
Nikto

Nikto is a Perl-based open source web server scanner that checks a web server for weaknesses that could be exploited to attack it.
It runs comprehensive checks for thousands of potentially dangerous files and CGIs, outdated server software, version-specific problems and insecure server configuration, and it can fingerprint servers using their favicon.ico.

[Figure: Nikto command-line scan]
WPSCAN

WPScan is an open source scanner that examines only WordPress-powered websites. It checks WordPress core, plugin and theme versions against the WPScan vulnerability database (formerly at wpvulndb.com, now at wpscan.com).
It runs several enumeration scans to detect core, plugin and theme versions and user names, can brute-force weak passwords, and also checks for publicly accessible wp-config.php backups and other database exports.

[Figure: WPScan command-line scan]

There are other tools for web application scanning such as:

  • ZAP (Zed Attack Proxy)
  • SQLMap
  • Netsparker
  • Wfuzz
  • w3af
  • GoBuster
  • Wapiti
  • Acunetix

Network Vulnerability Scanning

The practice of discovering holes on a computer, network, or other IT asset that could be exploited by threat actors is known as network vulnerability scanning. They are used to detect network security concerns by conducting a thorough study of the network in order to find security flaws.

Network vulnerability scanners use a database of known vulnerabilities, i.e. CVE, to find and report vulnerabilities.

CVE (Common Vulnerabilities and Exposures)

MITRE, a nonprofit that operates federally funded research and development centers for the US government, launched the Common Vulnerabilities and Exposures (CVE) program to identify and catalogue publicly known vulnerabilities in software and firmware in a free "dictionary" that organisations can use as a common reference to improve their security.

In simple terms, the CVE program defines a process for identifying and cataloguing security flaws and exposures. It starts when a vulnerability or exposure is discovered and reported. A CVE Numbering Authority (CNA), such as a software vendor or a research organisation, assigns it a CVE identifier of the form CVE-YYYY-NNNNN (the year followed by a sequence number of four or more digits). The CNA then writes a short description with references. Finally, the entry is published on the CVE website and added to the CVE List.

Each entry provides a single, unique identifier for one specific vulnerability or exposure, with only a brief description: no technical details, impact rating or remediation advice. That information lives in other databases, such as the NVD or CERT/CC advisories.

NVD (National Vulnerability Database)

The National Vulnerability Database (NVD) is a US government repository, maintained by NIST, that takes every CVE entry and enriches it with standards-based data for automated vulnerability management and compliance work: a CVSS severity score and vector, affected-product identifiers (CPE), weakness categories (CWE) and links to advisories and patches. Scanners and compliance tools consume this data through the NVD data feeds and API.

Key Features of Network Vulnerability Scanner

  • It aids in the discovery of open ports and exposed services such as FTP, SSH, Telnet, or any other database servers. These can lead to large data breaches, especially when used in conjunction with weak passwords.

  • A network vulnerability scanner can also assist you find out whether your network devices, web servers, or operating systems are missing security fixes.

  • It helps in detecting and fixing software flaws, missing patches, malware, and misconfiguration issues in a wide range of operating systems, devices, and applications.

  • It helps in finding the vulnerabilities in a system’s security that could allow unauthorized access to or control of sensitive data. 

  • Users can perform security audits and the internal network scans required by PCI DSS.

  • It offers detailed reporting and extensive documentation along with remediation guides.

Most Common Tools Used in Network Vulnerability Scanning

Nessus

Nessus, developed by Tenable, Inc, is a proprietary network vulnerability scanner (it was open source until 2005). It tags its findings with CVE identifiers so that results can be cross-referenced with other security tools. It aids in detecting, assessing, remediating and reporting security vulnerabilities in systems and software, and it helps businesses prioritise risk and reduce their "attack surface".

The Nessus scanner is flexible and efficient and supports a wide range of targets: network devices (firewalls, Cisco, Juniper), virtual machines, operating systems (Linux, Windows, BSD, Solaris, IBM), databases (Oracle, MS-SQL, DB2, MySQL) and web applications (web servers, web services and the OWASP Top 10).

OpenVAS 

The Open Vulnerability Assessment System (OpenVAS) is a vulnerability scanner maintained and distributed by Greenbone Networks; it began as a fork of Nessus when Nessus went closed source. It checks networks, systems and applications for security flaws. Like other vulnerability management scanners, it locates and categorises potential weak points in your infrastructure, estimates the risk and suggests mitigations. By focusing on known, exploitable weaknesses it helps keep the attack surface small.

It tests systems using a continuously updated feed of tens of thousands of Network Vulnerability Tests (NVTs), each mapped to the CVEs it detects.

Other tools often listed alongside network vulnerability scanners are below (note that some of them, such as Amass and Aircrack-ng, are attack-surface enumeration and wireless-auditing tools rather than vulnerability scanners, and MBSA has been discontinued):

  • Rapid7 Nexpose
  • QualysGuard
  • Amass
  • Aircrack-ng
  • SAINT
  • Microsoft Baseline Security Analyzer (MBSA)
  • Intruder
  • TripWire IP360
  • BeyondTrust Retina Network Security Scanner
  • SolarWinds Network Configuration Manager
