What Is Active Reconnaissance

Active reconnaissance involves directly interacting with the target's systems to discover information about their infrastructure. Unlike passive techniques, active recon sends packets to the target -- probing ports, querying services, and fingerprinting operating systems. This produces more detailed and current results than passive methods, but it is detectable by the target's security monitoring systems.

Active reconnaissance is the natural next step after passive recon. The intelligence gathered during the passive phase informs which systems to scan, what IP ranges to focus on, and what services to expect. Active scanning then fills in the technical details needed for vulnerability analysis and exploitation planning.

⚠️
Only scan targets you are authorized to test.

Active reconnaissance sends traffic directly to the target's systems. Port scanning, service probing, and vulnerability scanning without explicit written authorization is illegal in most jurisdictions. It may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), or equivalent laws in your country. Always have a signed Rules of Engagement document before performing any active scanning. For practice, use your own lab environment, intentionally vulnerable machines (HackTheBox, TryHackMe, VulnHub), or scanme.nmap.org.

Port Scanning with Nmap

Nmap (Network Mapper) is the industry-standard tool for network discovery and port scanning. It can determine which hosts are online, what ports are open, what services are running, and what operating systems are in use. Every ethical hacker needs to be proficient with Nmap.

Common Scan Types

# SYN scan (default with root) -- half-open: the handshake is never completed,
# so it is fast and often absent from application-level logs
sudo nmap -sS 10.10.10.100

# TCP connect scan (default without root) -- full TCP handshake
nmap -sT 10.10.10.100

# UDP scan -- detects UDP services (DNS, SNMP, DHCP)
sudo nmap -sU --top-ports 50 10.10.10.100

# Combined TCP and UDP scan
sudo nmap -sS -sU --top-ports 100 10.10.10.100

Port Selection and Speed

# Scan specific ports
nmap -p 22,80,443,8080,8443 10.10.10.100

# Scan a port range
nmap -p 1-1024 10.10.10.100

# Scan all 65535 TCP ports
nmap -p- 10.10.10.100

# Top 1000 ports (default behavior)
nmap 10.10.10.100

# Adjust timing template (T0=paranoid, T3=normal, T5=insane)
nmap -T4 -p- 10.10.10.100

# Limit scan rate for stealth
nmap --max-rate 100 -p- 10.10.10.100
💡
Understanding Nmap timing templates

Timing templates control how aggressively Nmap scans. -T0 and -T1 are extremely slow (-T0 waits five minutes between probes, -T1 fifteen seconds) and exist to stay under threshold-based IDS rules; they make a scan harder to correlate, not invisible. -T3 is the default balance of speed and reliability. -T4 is commonly used on reliable networks for faster results. -T5 sacrifices accuracy for speed and may miss open ports or trigger rate limiting. For penetration tests, -T4 is the most common choice.

Understanding Port States

  • open -- a service is actively accepting connections on this port
  • closed -- the port is reachable but no service is listening; responds with RST
  • filtered -- a firewall or filter is blocking the probe; Nmap cannot determine if the port is open
  • open|filtered -- Nmap cannot determine whether the port is open or filtered (common with UDP)
  • closed|filtered -- Nmap cannot determine whether the port is closed or filtered
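The port states above are inferred from how the target's TCP stack answers. A connect scan (what nmap -sT does, and the only option without raw-socket privileges) sees this through the kernel's socket API: a completed handshake, a refused connection, or silence. The following Python script is an added example, not part of the original tutorial or of Nmap, that implements that mapping plus --max-rate style pacing, and tests it against a constructed lab on the loopback interface (one listening socket for "open", one just-released port for "closed"); "filtered" only appears against a host that drops probes, which a loopback lab cannot reproduce.

```python
import errno
import socket
import time

# Added example: a minimal TCP connect scanner (the equivalent of nmap -sT)
# that maps what the kernel reports to Nmap's port-state names.


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # full handshake completed: a service is listening
        except ConnectionRefusedError:
            return "closed"          # host replied with RST: reachable, nothing listening
        except (socket.timeout, TimeoutError):
            return "filtered"        # silence: the SYN was dropped, or the host is slow
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"    # ICMP unreachable is also reported as filtered by Nmap
            raise


def scan_ports(host, ports, timeout=1.0, max_rate=100):
    """Scan several ports sequentially, pacing probes the way --max-rate does."""
    interval = 1.0 / max_rate
    results = {}
    for port in ports:
        started = time.monotonic()
        results[port] = scan_port(host, port, timeout)
        # sleep off whatever is left of this probe's time slot
        time.sleep(max(0.0, interval - (time.monotonic() - started)))
    return results


def demo():
    """Constructed lab on loopback: one listening socket and one port that
    was just released, so the kernel answers the second with RST."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                      # nothing listens here any more

    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port], max_rate=50)
        return states[open_port], states[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The important design point is the third branch: a timeout is deliberately reported as "filtered" rather than "closed", because from the scanner's side a dropped SYN and a silent firewall look identical. That is also why a filtered result deserves a retry with a longer timeout before it is written down as a finding.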

Service Enumeration

Once you know which ports are open, the next step is to determine exactly what software is running on each port and its version number. This is called service enumeration, and it is critical for identifying vulnerable software.

Nmap Service Detection

# Version detection on all open ports
nmap -sV 10.10.10.100

# Increase version detection intensity (0-9, default 7)
nmap -sV --version-intensity 9 10.10.10.100

# Version detection + default scripts
nmap -sV -sC 10.10.10.100

# The -A flag enables OS detection, version detection,
# script scanning, and traceroute in one command
sudo nmap -A 10.10.10.100

Example output from service enumeration:

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp   open  http        Apache httpd 2.4.52
443/tcp  open  ssl/http    Apache httpd 2.4.52
3306/tcp open  mysql       MySQL 5.7.42-0ubuntu0.18.04.1
8080/tcp open  http-proxy  Squid http proxy 5.7

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine extends Nmap's capabilities with hundreds of scripts for service enumeration, vulnerability detection, and information gathering. Scripts are categorized by purpose: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

# Run default scripts against a target
nmap -sC 10.10.10.100

# Run a specific script
nmap --script http-title 10.10.10.100

# Run all scripts in a category
nmap --script vuln 10.10.10.100

# Run multiple specific scripts
nmap --script "http-enum,http-headers,http-methods" 10.10.10.100

# List available scripts matching a pattern
ls /usr/share/nmap/scripts/ | grep http
⚠️
Some NSE scripts are intrusive.

Scripts in the "intrusive," "exploit," "dos," and "brute" categories can crash services, lock accounts, or cause denial of service. Never run --script all against a production target. Stick to "safe" and "default" categories unless you specifically understand what each script does and your Rules of Engagement allow it.

OS Fingerprinting

Operating system fingerprinting determines what OS a target host is running by analyzing how its TCP/IP stack responds to specially crafted probes. Different operating systems implement the TCP/IP specification with subtle variations that Nmap can detect.

# OS detection (requires root privileges)
sudo nmap -O 10.10.10.100

# OS detection with increased guessing
sudo nmap -O --osscan-guess 10.10.10.100

# Combined: OS + service + scripts
sudo nmap -O -sV -sC 10.10.10.100

Example OS detection output:

OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4 - 5.15
Network Distance: 2 hops

OS CPE: cpe:/o:microsoft:windows_server_2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop

Limitations of OS Fingerprinting

  • Firewalls -- packet filtering can alter or block the probes Nmap uses, leading to inaccurate results
  • Load balancers -- traffic may be answered by different hosts, confusing fingerprinting
  • Virtual machines -- VMs sometimes present a fingerprint that differs from the actual guest OS
  • Custom TCP stacks -- some security appliances and IoT devices have non-standard implementations
  • Requires open and closed ports -- OS detection is most accurate when Nmap can observe responses from both an open and a closed port

Vulnerability Scanning Basics

Once services and their versions have been identified, the next step is to determine whether any of them have known vulnerabilities. This can be done through Nmap's vulnerability scripts, dedicated vulnerability scanners, or manual research.

Nmap Vulnerability Scripts

# Run all vulnerability detection scripts
nmap --script vuln 10.10.10.100

# Check for specific vulnerabilities
nmap --script smb-vuln-ms17-010 10.10.10.100   # EternalBlue
nmap --script ssl-heartbleed 10.10.10.100       # Heartbleed
nmap --script http-shellshock 10.10.10.100      # Shellshock

# Check for default credentials
nmap --script http-default-accounts 10.10.10.100

Manual Vulnerability Research

When you know the exact software and version running on a port, search for known vulnerabilities in public databases:

  • CVE Database (cve.mitre.org, now cve.org) -- the canonical reference for Common Vulnerabilities and Exposures
  • National Vulnerability Database (nvd.nist.gov) -- enriched CVE data with CVSS scores, affected versions, and references
  • Exploit-DB (exploit-db.com) -- public exploits and proof-of-concept code indexed by CVE
  • searchsploit -- command-line tool that searches a local copy of Exploit-DB

# Search for known exploits using searchsploit (terms are matched against
# exploit titles, so search the major.minor version rather than the full string)
searchsploit apache 2.4
searchsploit openssh 8.9
searchsploit mysql 5.7

Web Application Scanning

When the target runs web applications, specialized web scanners complement network-level scanning by testing for web-specific vulnerabilities like SQL injection, cross-site scripting, directory traversal, and misconfigurations.

Nikto -- Web Server Scanner

# Install Nikto
sudo apt install nikto

# Basic scan of a web server
nikto -h http://10.10.10.100

# Scan a specific port
nikto -h http://10.10.10.100:8080

# Scan with SSL
nikto -h https://10.10.10.100

# Save output to a file
nikto -h http://10.10.10.100 -o nikto-results.html -Format htm

Directory and File Enumeration

# Gobuster -- fast directory brute-forcing
gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirb/common.txt

# With specific file extensions
gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirb/common.txt \
  -x php,html,txt,bak,conf

# feroxbuster -- recursive directory discovery
feroxbuster -u http://10.10.10.100 -w /usr/share/wordlists/dirb/common.txt

# dirsearch -- Python-based directory scanner
dirsearch -u http://10.10.10.100 -e php,html,js,txt
💡
Wordlist selection matters

The quality of directory and file enumeration depends heavily on the wordlist you use. /usr/share/wordlists/dirb/common.txt is a good starting point (~4,600 entries). For more thorough enumeration, use SecLists from Daniel Miessler's GitHub repository, which contains specialized wordlists for different technologies, languages, and purposes. Larger wordlists take longer but discover more hidden content.
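Gobuster, feroxbuster and dirsearch all do the same thing underneath: request every wordlist entry with every requested extension and keep whatever is not a 404. The script below is an added example written for this page (not code from any of those tools) that implements that loop in Python using HEAD requests, and runs it against a constructed loopback site so it works offline; the site layout, wordlist and the 127.0.0.1 target are all assumptions of the example.

```python
import http.client
import http.server
import os
import tempfile
import threading
from functools import partial

# Added example: a small gobuster-style enumerator. Each wordlist entry is
# tried with every extension, and anything that is not a 404 is recorded.
EXTENSIONS = ["", ".html", ".php", ".txt", ".bak"]
INTERESTING = {200, 204, 301, 302, 307, 401, 403}   # 403 and 301 still reveal content


def check_path(host, port, path, timeout=2.0):
    """HEAD one path and return the status code (a fresh connection per
    request keeps this correct against servers that close after each reply)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status
    finally:
        conn.close()


def enumerate_paths(host, port, words, extensions=EXTENSIONS):
    """Return {path: status} for every word x extension that is not a 404."""
    found = {}
    for word in words:
        for ext in extensions:
            path = f"/{word}{ext}"
            status = check_path(host, port, path)
            if status in INTERESTING:
                found[path] = status
    return found


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass                         # keep the demo's output clean


def start_fake_site():
    """Constructed lab site on loopback: an /admin directory (answered with a
    301 to /admin/, which is exactly how a hidden directory shows up in a real
    scan), a robots.txt, an index page and a forgotten config backup."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "admin"))
    for name in ("index.html", "robots.txt", "config.bak"):
        with open(os.path.join(root, name), "w") as f:
            f.write("placeholder\n")
    handler = partial(QuietHandler, directory=root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Enumerate the constructed site with a five-word wordlist."""
    srv = start_fake_site()
    try:
        host, port = srv.server_address
        return enumerate_paths(host, port, ["admin", "backup", "config", "index", "robots"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status}  {path}")
```

Two behaviours worth noticing when reading the results: the directory is found as a 301, not a 200, because the server redirects /admin to /admin/, and the backup file is only found because .bak is in the extension list. Real scanners add a 404-baseline check on top of this, since many applications return 200 with a custom "not found" page.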

Banner Grabbing

Banner grabbing is the technique of connecting to a service and reading the initial response (the "banner") that the service sends. Many services announce their software name and version in this banner, providing quick identification without needing Nmap's version detection probes.

Using Netcat for Banner Grabbing

# Grab the banner from an HTTP server
nc -v 10.10.10.100 80
# Then type: HEAD / HTTP/1.0 and press Enter twice

# Grab the SSH banner
nc -v 10.10.10.100 22
# Output: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6

# Grab the SMTP banner
nc -v 10.10.10.100 25
# Output: 220 mail.example.com ESMTP Postfix

# Grab the FTP banner
nc -v 10.10.10.100 21
# Output: 220 (vsFTPd 3.0.5)

Using Nmap for Banner Grabbing

# Banner grabbing with Nmap
nmap --script banner -p 21,22,25,80,110,143,443 10.10.10.100

# HTTP-specific banner information
nmap --script http-headers -p 80,443 10.10.10.100

Using curl for HTTP Headers

# View HTTP response headers
curl -I http://10.10.10.100

# Example output:
# HTTP/1.1 200 OK
# Server: Apache/2.4.52 (Ubuntu)
# X-Powered-By: PHP/8.1.2
# Content-Type: text/html; charset=UTF-8

# Follow redirects and show only the identifying headers
curl -sIL http://10.10.10.100 | grep -i "server\|x-powered-by\|x-aspnet"
🎉
Banner removal is a defense

Security-conscious administrators often remove or modify service banners to reveal less information. If you find a target with blank or generic banners, this is a sign of security hardening. Nmap's -sV version detection sends protocol-specific probes and matches the full responses against its signature database, so it often still identifies the software when only the banner string has been changed; a service whose version is genuinely hidden has to be identified from its behaviour instead.
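The netcat and curl commands above do two slightly different things: SSH, FTP and SMTP servers speak first, so you only need to connect and read, while an HTTP server says nothing until it gets a request. The Python script below is an added example (not part of the original page and not how Nmap's banner script is implemented) that handles both cases and pulls product and version out of the banner with a few patterns. To run offline it starts its own throwaway loopback services that reply with constructed banners matching the examples on this page; those services, the regexes and the 127.0.0.1 target are assumptions of the example.

```python
import re
import socket
import threading

# Added example: a banner grabber in the spirit of `nc -v host port`.
# Services such as SSH, FTP and SMTP speak first; HTTP answers only
# after a request, so the grabber can send a probe.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"

VERSION_PATTERNS = [
    # SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
    re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_ ](?P<version>[\w.]+)"),
    # Server: Apache/2.4.52 (Ubuntu)
    re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.M),
    # 220 (vsFTPd 3.0.5)   /   220 mail.example.com ESMTP Postfix
    re.compile(r"^220 .*?(?P<product>vsFTPd|Postfix|Exim|Sendmail)\s*(?P<version>[\d.]*)", re.M),
]


def grab_banner(host, port, probe=None, timeout=2.0, max_bytes=1024):
    """Connect, optionally send a probe, and return what the service sends first."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = s.recv(max_bytes)
                if not data:
                    break            # service closed the connection
                chunks.append(data)
        except socket.timeout:
            pass                     # greeting sent, then the service waits for us
    return b"".join(chunks).decode("utf-8", "replace").strip()


def parse_banner(banner):
    """Return (product, version) if the banner names its software, else None."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(banner)
        if m:
            return m.group("product"), (m.group("version") or None)
    return None


def serve_once(greeting, waits_for_request=False):
    """Constructed fixture: a loopback service that answers one connection
    with the given banner and exits. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if waits_for_request:
                conn.settimeout(2.0)
                conn.recv(1024)      # an HTTP server says nothing until asked
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab and parse banners from three constructed services."""
    targets = {
        "ssh": (serve_once(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"), None),
        "ftp": (serve_once(b"220 (vsFTPd 3.0.5)\r\n"), None),
        "http": (serve_once(b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n"
                            b"Content-Type: text/html\r\n\r\n", True), HTTP_PROBE),
    }
    results = {}
    for name, (port, probe) in targets.items():
        banner = grab_banner("127.0.0.1", port, probe)
        results[name] = (banner, parse_banner(banner))
    return results


if __name__ == "__main__":
    for name, (banner, parsed) in demo().items():
        print(f"{name:5} {parsed}  <- {banner.splitlines()[0]}")
```

A banner that matches none of the patterns comes back as None, which is exactly the "generic banner" case described in the note above: treat it as "unknown, probe harder", not as "no version".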

Documentation and Reporting

Active reconnaissance generates significant amounts of data. Proper documentation ensures findings are preserved, reproducible, and presentable to stakeholders. Every scan should be recorded with sufficient detail to reproduce the results.

Saving Nmap Output

# Save in all three formats simultaneously
sudo nmap -sV -sC -O -p- 10.10.10.100 -oA scan-full

# This creates:
# scan-full.nmap    -- human-readable output
# scan-full.xml     -- XML (for tools like Metasploit, searchsploit)
# scan-full.gnmap   -- grepable format (for quick command-line analysis)

# Convert XML to HTML report (xsltproc follows the stylesheet reference inside
# the XML, so the referenced nmap.xsl must exist locally; scan with --webxml
# to reference the copy hosted at nmap.org instead)
xsltproc scan-full.xml -o scan-full.html

What to Document for Each Host

  • IP address and hostname -- every host with its resolved name
  • Open ports and protocols -- TCP and UDP, with port states
  • Service names and versions -- exact software and version strings
  • Operating system -- detected OS with confidence level
  • Potential vulnerabilities -- CVEs associated with identified versions
  • Interesting findings -- default credentials, misconfigurations, exposed management interfaces
  • Scan parameters -- exact command used, timing, date and time of scan
⚠️
Secure your scan data.

Active reconnaissance results contain sensitive information about the target's infrastructure -- open ports, software versions, and potential vulnerabilities. This data must be encrypted at rest and transmitted securely. Follow your organization's data handling policies and the requirements specified in your Rules of Engagement. Destroy scan data according to the agreed timeline after the engagement concludes.
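The XML written by -oX/-oA is the format every downstream tool consumes, and it carries everything the documentation checklist above asks for: addresses, hostnames, port states, product and version strings, the OS match with its accuracy, and the exact command line and time of the scan. As an added example that is not part of the original tutorial, the Python script below parses a constructed sample in the shape of Nmap's XML output (not a real scan) into one record per host and derives searchsploit search terms from the detected versions; the sample document, the field names chosen for the record and the "major.minor" query convention are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -O -oX` output (not a real
# scan result), trimmed to the elements this parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -O -p- 10.10.10.100 -oA scan-full" startstr="Mon Jan  1 12:00:00 2024">
  <host>
    <status state="up"/>
    <address addr="10.10.10.100" addrtype="ipv4"/>
    <hostnames><hostname name="target.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.6" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" conf="10"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.42-0ubuntu0.18.04.1" conf="10"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/>
        <service name="http-proxy" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.4 - 5.15" accuracy="94"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per host: address, hostname, OS guess, open services,
    and the scan parameters needed to reproduce the result."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")          # first match is Nmap's best guess
        record = {
            "ip": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": (osmatch.get("name"), int(osmatch.get("accuracy"))) if osmatch is not None else None,
            "scan_args": root.get("args"),
            "scanned_at": root.get("startstr"),
            "services": [],
        }
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue                            # closed/filtered ports are noise here
            svc = port.find("service")
            record["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(record)
    return hosts


def searchsploit_queries(record):
    """Build 'product major.minor' terms; searchsploit matches exploit titles,
    so the full version string ("8.9p1 Ubuntu 3ubuntu0.6") rarely matches anything."""
    queries = []
    for svc in record["services"]:
        if not svc["product"] or not svc["version"]:
            continue
        m = re.match(r"(\d+\.\d+)", svc["version"])
        queries.append(f"{svc['product']} {m.group(1) if m else svc['version']}")
    return queries


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(host["ip"], host["hostname"], host["os"], host["scanned_at"])
        for svc in host["services"]:
            print(f"  {svc['port']}/{svc['proto']} {svc['name']} {svc['product']} {svc['version']}")
        print("  searchsploit:", searchsploit_queries(host))
```

Keeping "scan_args" and "scanned_at" in the record is what makes a finding reproducible weeks later; the same parsing approach works on the real file, and searchsploit can also take the XML directly with --nmap.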

Summary

In this tutorial, you learned the core active reconnaissance techniques used in ethical hacking:

  • Active vs. passive -- active recon directly probes the target's systems, producing detailed results but leaving traces in logs and IDS
  • Port scanning -- Nmap SYN, TCP connect, and UDP scans reveal open ports across the target's attack surface
  • Service enumeration -- version detection (-sV) and NSE scripts identify the exact software running on each open port
  • OS fingerprinting -- TCP/IP stack analysis with -O determines the target's operating system
  • Vulnerability scanning -- NSE vuln scripts and manual CVE research identify known weaknesses in detected services
  • Web application scanning -- Nikto, Gobuster, and directory enumeration uncover web-specific attack vectors
  • Banner grabbing -- netcat, curl, and Nmap extract service identification banners from open ports
  • Documentation -- saving all output in multiple formats with complete scan parameters for reproducibility
🎉
Strong foundation built!

You now have the skills to systematically discover and map a target's infrastructure. Combined with the passive reconnaissance techniques from the previous tutorial, you can build a comprehensive picture of any authorized target's attack surface before moving into the vulnerability assessment and exploitation phases.