
Reconnaissance & Scanning in Cybersecurity
What Is Reconnaissance?
Reconnaissance (Recon) is the first phase of ethical hacking. It involves gathering information about a target system, organization, or individual before launching any attack. Think of it as cyber “spying”—but for ethical or educational purposes.
Objectives of Reconnaissance
- Identify Target Systems and Networks
Goal: Discover which hosts, domains, IP addresses, and networks belong to the target.
Example: Finding out that hacklivly.com runs on a server with IP 192.168.1.1.
- Collect Organizational Details
Goal: Understand the target’s internal structure and technologies used.
Details Collected:
Company employees and email addresses
Subdomains and hosting providers
Software versions, CMS platforms
Example: Finding that the target uses WordPress and has staff emails like admin@target.com.
- Enumerate Services and Ports
Goal: Detect open ports and services running on the target.
Tools Used: Nmap, Masscan
Example: Discovering that port 22 (SSH) and 80 (HTTP) are open.
- Assess Human Targets
Goal: Profile employees for social engineering or phishing.
Sources: LinkedIn, Facebook, job portals
Example: Learning that an IT admin posted about using outdated software on social media.
- Detect Vulnerabilities (Passive Only)
Goal: Spot weaknesses based on public data (e.g., old WordPress plugins, exposed directories).
Note: Full vulnerability scanning is part of the Scanning phase, but basic exposure info may surface here.
- Map the Attack Surface
Goal: Determine how wide and deep the organization’s digital footprint is.
Includes:
Cloud assets
APIs
Forgotten subdomains
Example: Finding an old dev environment on dev.target.com.
- Avoid Detection
Goal: Perform information gathering silently to avoid alerting the target.
Types:
Passive Recon (through public sources)
Active Recon (direct probing, may trigger alarms)
Example: Using WHOIS, Shodan, and Google dorking without touching the target server.
Types of Reconnaissance
1. Passive Reconnaissance
No direct interaction with the target. It’s stealthy and difficult to detect.
Examples:
Searching Google for emails (site:example.com)
Using social media or LinkedIn for employee details
Looking up WHOIS records
Reading press releases or blogs
Checking public GitHub repos
Tools & Techniques:
Google Dorking
WHOIS lookup
Nslookup / dig
Shodan
Maltego (OSINT tool)
Censys
Recon-ng
2. Active Reconnaissance
Involves direct interaction with the target. Higher risk of detection but gathers more detailed information.
Examples:
Port scanning
OS fingerprinting
Banner grabbing
Tools & Techniques:
Nmap
Netcat
Nikto (for web scanning)
WhatWeb
Wappalyzer
theHarvester
Scanning
Scanning digs deeper into the information obtained from reconnaissance. It involves actively probing systems for live hosts, open ports, and vulnerabilities.
Types of Scanning
1. Port Scanning
Detect open ports on target systems.
Tools:
Nmap
Masscan
Zenmap (GUI for Nmap)
Examples:
nmap -sS 192.168.1.1
nmap -p 1-65535 -T4 192.168.1.10
2. Network Scanning
Identifies active devices and IP addresses on the network.
Examples:
Ping sweep
ARP scan
NetDiscover
Angry IP Scanner
3. Vulnerability Scanning
Scans systems for known security flaws.
Tools:
Nessus
OpenVAS
Nexpose
Nikto (Web app vulnerabilities)
WPScan (for WordPress sites)
4. OS Detection & Fingerprinting
Identifies the operating systems running on target hosts.
Command:
nmap -O 192.168.1.1
5. Banner Grabbing
Captures banner information from services to determine their software versions.
nc target.com 80
HEAD / HTTP/1.0
Press Enter on an empty line after the request to send it; the Server header in the reply is the banner.
6. Service Enumeration
Identifies running services and versions on open ports.
Example:
nmap -sV 192.168.1.1
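Banner grabbing (step 5) and service enumeration (step 6) only reveal what a service volunteers in its banner. The following Python script is an added example, not code from the original article: it parses a raw HTTP response like the one a HEAD / HTTP/1.0 request returns and lists every header that discloses a product and version, so an administrator can check what their own servers leak before anyone else grabs the banner. The header list, the regex and both sample responses are constructed assumptions for the demo.

```python
"""Added example (not from the original article): find product/version
disclosures in an HTTP banner. Both responses below are constructed."""
import re

# Headers that commonly carry software/version strings (assumed list; extend as needed)
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# "Product/1.2.3" tokens, e.g. "Apache/2.4.29", "PHP/7.2.24", "OpenSSL/1.1.1"
VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)*)")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in raw else raw.split("\n\n", 1)[0]
    lines = head.splitlines()
    status_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def find_version_disclosures(raw):
    """Return [(header, product, version), ...] for every version string in a disclosure header."""
    _, headers = parse_response(raw)
    found = []
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSION_RE.findall(value):
            found.append((name, product, version))
    return found


# Constructed response from a server that leaks versions in two headers
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 10:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed response from the same server after hardening
# (e.g. Apache "ServerTokens Prod" and PHP "expose_php = Off")
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 May 2024 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("leaky:", find_version_disclosures(LEAKY_RESPONSE))
    print("hardened:", find_version_disclosures(HARDENED_RESPONSE))
```

The hardened response returns an empty list: suppressing the version string (Apache's ServerTokens Prod directive, PHP's expose_php = Off) does not remove the vulnerability, but it denies the version-to-CVE lookup that a banner grab and nmap -sV feed on, so patching remains the real fix.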
Ethical Implications
Recon and scanning can both be used and misused:
✅ For ethical hacking and security audits
❌ Illegal without permission (can be treated as cybercrime)
Always have proper authorization before scanning any network.
Real-World Case Studies
Case Study 1: Equifax Data Breach (2017)
What Happened?
Attackers exploited a known vulnerability in Apache Struts, a web application framework.
Before the breach, hackers conducted extensive reconnaissance to identify companies using the vulnerable version.
⚙ Recon Techniques Used:
Passive scanning to detect open web servers.
Banner grabbing to detect Apache Struts.
Monitoring developer forums and GitHub to track companies using specific tech.
Impact:
147 million people’s personal data exposed.
Cost over $700 million in settlements.
Lesson:
Reconnaissance can expose software vulnerabilities, even before an exploit is developed.
Case Study 2: Target Corporation Attack (2013)
What Happened?
Attackers gained entry through a third-party HVAC vendor.
Initial access obtained using phishing and credential harvesting.
Used network scanning tools to move laterally within Target’s internal network.
⚙ Recon Techniques Used:
Internal scanning using stolen credentials.
Identification of Point-of-Sale (POS) systems.
Exfiltration servers were carefully placed and disguised.
Impact:
Data of 40 million credit cards and 70 million customers stolen.
Estimated cost: $200 million.
Lesson:
Even small-scale recon (like phishing one employee) can lead to massive breaches if networks are poorly segmented.
Case Study 3: SolarWinds Orion Supply Chain Attack (2020)
What Happened?
Nation-state attackers compromised SolarWinds software updates.
Once the trojanized updates were installed by clients (including government agencies), attackers began recon.
⚙ Recon Techniques Used:
Internal network mapping of victim environments (e.g., Microsoft, U.S. Treasury).
Privilege escalation and Active Directory enumeration.
Stealthy scanning using legitimate admin tools.
Impact:
Breach of U.S. federal agencies, Microsoft, FireEye.
Global exposure affecting over 18,000 organizations.
Lesson:
Recon can happen after access is gained too—especially in Advanced Persistent Threats (APTs).
Case Study 4: Capital One Breach (2019)
What Happened?
A former AWS employee exploited a server misconfiguration.
Used server-side request forgery (SSRF) to reach the AWS metadata service.
⚙ Recon Techniques Used:
Scanned cloud resources for IAM credentials.
Enumerated S3 buckets and downloaded 106 million user records.
Impact:
$80 million fine.
100 million U.S. and 6 million Canadian records exposed.
Lesson:
Cloud misconfigurations are a goldmine during recon. Tools like ScoutSuite and Pacu are commonly used.
Case Study 5: WannaCry Ransomware (2017)
What Happened?
Exploited the EternalBlue SMB vulnerability.
Once inside one system, malware scanned entire networks to propagate.
⚙ Recon Techniques Used:
Port scanning for SMB (port 445).
Internal host detection and self-spreading worm tactics.
Impact:
Affected 200,000+ computers across 150 countries.
Crippled UK’s NHS, FedEx, and more.
Lesson:
Even automated worms use scanning to locate and infect new victims.
Defender’s Angle: Early Recon Can Prevent Breaches
Organizations like Facebook, Google, and Cloudflare invest heavily in early detection systems that flag:
Suspicious scanning activities
Recon tools like theHarvester, Nmap, or Shodan lookups
DNS zone transfer attempts or WHOIS queries
Example:
Google tracks unauthorized API access patterns through behavioral analytics.
If an attacker’s recon activity looks like enumeration, their IP is flagged immediately.
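The detection systems described in this section, and the port-445 sweep in the WannaCry case study, both come down to counting how many distinct ports or hosts one source touches in a short time. The following Python scan detector is an added example, not code from the original article or from any of the companies named above. It reads firewall-style connection log lines and raises two kinds of alert: a vertical port scan (one source probing many ports on one host, what nmap -p 1-65535 looks like from the defender's side) and a horizontal sweep (one source probing the same port on many hosts, the worm pattern). The log format, the thresholds and every sample line are constructed assumptions.

```python
"""Added example (not from the original article): a sliding-window scan detector
over constructed firewall-style log lines. Format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}


def _record(alerts, kind, src, target, count, ts):
    """Keep one alert per (kind, src, target) and track the largest count observed."""
    key = (kind, src, target)
    a = alerts.setdefault(key, {"type": kind, "src": src, "target": target,
                                "count": 0, "first_seen": ts})
    a["count"] = max(a["count"], count)
    a["last_seen"] = ts


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Return alerts for sources whose activity inside a sliding window exceeds a threshold."""
    window = timedelta(seconds=window_seconds)
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:  # drop events older than the window
                start += 1
            ports_per_dst, dsts_per_port = defaultdict(set), defaultdict(set)
            for w in evs[start:i + 1]:
                ports_per_dst[w["dst"]].add(w["dport"])
                dsts_per_port[w["dport"]].add(w["dst"])
            for dst, ports in ports_per_dst.items():          # vertical: many ports, one host
                if len(ports) >= port_threshold:
                    _record(alerts, "vertical_port_scan", src, dst, len(ports), e["ts"])
            for port, dsts in dsts_per_port.items():          # horizontal: one port, many hosts
                if len(dsts) >= host_threshold:
                    _record(alerts, "horizontal_sweep", src, f"port {port}", len(dsts), e["ts"])
    return list(alerts.values())


# --- Constructed sample log (documentation/private addresses only) ---
def _line(ts, src, dst, port, action="DROP"):
    return f"{ts.isoformat()} src={src} dst={dst} dport={port} action={action}"


T0 = datetime(2024, 5, 1, 10, 0, 0)
PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = (
    # vertical scan: 12 ports on one host within 12 seconds
    [_line(T0 + timedelta(seconds=i), "203.0.113.5", "192.168.1.10", p) for i, p in enumerate(PORTS)]
    # horizontal sweep: port 445 on six hosts within 6 seconds
    + [_line(T0 + timedelta(seconds=i), "10.0.0.7", f"10.0.0.{11 + i}", 445) for i in range(6)]
    # benign: a few HTTPS connections to one host
    + [_line(T0 + timedelta(seconds=5 * i), "198.51.100.9", "192.168.1.10", 443, "ACCEPT") for i in range(3)]
    # slow scan: the same 12 ports ten minutes apart, so no 60 s window ever holds them all
    + [_line(T0 + timedelta(minutes=10 * i), "192.0.2.1", "192.168.1.20", p) for i, p in enumerate(PORTS)]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

With the default 60-second window the detector raises exactly two alerts and ignores both the benign source and the slow scanner; widening the window (window_seconds=7200) also catches the slow scan. That is the trade-off behind the "rate limit your scans" advice seen from the other side: a fixed short window is easy to evade, so production systems pair it with a long-lived per-source counter of distinct ports and hosts.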
Practices in Recon & Scanning
Always start with passive recon to stay undetected.
Use multiple tools to cross-verify results.
Document everything in a report format.
Don’t forget to analyze subdomains, metadata, and robots.txt.
Be stealthy in active scanning—rate limit your scans.
Tools List (Categorized)
1. Passive Recon Tools:
Google Dorking
Shodan
Censys
theHarvester
Maltego
2. Active Recon Tools:
Nmap
Netcat
Wappalyzer
WhatWeb
DNSenum
3. Scanning Tools:
Nmap
Nessus
OpenVAS
Masscan
Nikto
Workflow of Recon & Scanning
- Start with passive recon – Gather data anonymously
- Enumerate domains, subdomains, emails
- Use active scanning tools – Identify open ports and services
- Scan for vulnerabilities
- Document and prioritize vulnerabilities for further testing