What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike

It's difficult to work within the technology industry and not be aware of the series of high-profile security breaches which are costing corporations millions and keeping CIOs up at night. 

The development of active and passive reconnaissance as a cyber attack method has equipped hackers with a tool that allows the status of a company's information, held both on-premise and in the cloud, to be gleaned, sometimes without detection. This means that even if no cyber attack has actually occurred, a scouting foray may have already discovered that your cyber defences are susceptible to attack, and as a result, one may be in the post.

What's more, it isn't just large enterprises that are vulnerable. As digital innovation sweeps across the globe, SMBs continue their digital transformations. Poorly prepared transitions paired with the improper or incomplete use of security tools can be debilitating, leaving applications unfortified and the data they contain vulnerable. Combined with the advancement of bots which endlessly scour business applications in search of such vulnerabilities, everyone is a target.

As cyber attacks have increased, the practice of ethical testing has developed alongside them. Here, the very methods hackers employ to scout potential targets are used by professional penetration testers, hired by the organisation to highlight chinks in its armour. In theory, this allows the organisation to subsequently solve any weaknesses before they are actively exploited by malicious hackers, though unorthodoxies have been recorded.

How they work

Reconnaissance stems from the military term describing an information-gathering mission into hostile territory. Its purpose is simply to obtain information, rather than to actively exploit the target. As such, discretion is key. After successful reconnaissance, and depending on the information gathered, an active attempt to exploit the target may follow.

It's clear to see how this parallels IT. From the organisation's perspective, though, active and passive reconnaissance work more along the principle of a vaccine, as they help the host shore up its defences against future attacks.

Simply put, active reconnaissance is the process of examining a computer system in order to scope technical weaknesses that can be used to access it. System information is used to gain unauthorised access to protected materials, infiltrating any firewalls or routers. The hacker then actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once they have been found, a port scan is conducted to reveal any potential vulnerabilities. Security barriers have therefore been engaged, with information on any resistance found relayed back to the hacker.

On the other hand, performing passive reconnaissance doesn't necessitate contact with any infrastructure, allowing hackers to bypass potential obstacles. The reconnaissance determines the target company, partner and employee details, technology in use, IP information, and so on, then retreats with the information collated.

Usually no trace is left, as sites are browsed as a typical user would browse them. The only evidence of a hacker's presence would be in analytical data; with no red flags raised, however, they shouldn't appear in security logs. Using tools such as Wget, hackers can browse a website offline, analysing content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, war driving, sifting through information stored on discarded devices, and impersonating users.

Differences and common use cases

The fundamental difference in method is that while active reconnaissance involves being present on a target network or server, leaving a trail in the hacker's wake, passive reconnaissance is concerned with being as untraceable as possible. Computers and networks are still targeted, but crucially without actively engaging with the systems or infrastructure. Consequently, few clues are left which lead back to an IP address.
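The trail that active reconnaissance leaves can be surfaced from connection logs. The following is an added example, not part of the original article: it flags any source that touches many distinct ports on one host within a short sliding window. The log format, thresholds, function names and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: time src dst dst_port action).
SAMPLE_LOG = """\
2020-03-30T10:00:00 203.0.113.5 192.0.2.10 443 ALLOW
2020-03-30T10:00:01 198.51.100.7 192.0.2.10 21 DENY
2020-03-30T10:00:01 198.51.100.7 192.0.2.10 22 DENY
2020-03-30T10:00:02 198.51.100.7 192.0.2.10 23 DENY
2020-03-30T10:00:02 198.51.100.7 192.0.2.10 25 DENY
2020-03-30T10:00:03 198.51.100.7 192.0.2.10 80 ALLOW
2020-03-30T10:00:04 198.51.100.7 192.0.2.10 110 DENY
2020-03-30T10:00:04 198.51.100.7 192.0.2.10 443 ALLOW
2020-03-30T10:00:05 198.51.100.7 192.0.2.10 3389 DENY
2020-03-30T10:05:00 203.0.113.9 192.0.2.10 80 ALLOW
2020-03-30T10:05:30 203.0.113.9 192.0.2.10 443 ALLOW
not a log line
"""

def parse(line):
    """Return (time, src, dst, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], int(parts[3])

def find_scanners(log_text, min_ports=6, window=timedelta(seconds=60)):
    """Map (src, dst) -> sorted ports for every src that hit at least
    min_ports distinct ports on dst inside one sliding time window."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, port)
    flagged = {}
    events = sorted(filter(None, map(parse, log_text.splitlines())))
    for ts, src, dst, port in events:
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged.setdefault((src, dst), set()).update(ports)
    return {k: sorted(v) for k, v in flagged.items()}

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

Both allowed and denied connections are counted, since a scan that finds open ports is still a scan; ordinary clients that return to one or two ports stay below the threshold.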

Differences in method unsurprisingly yield different results. Active reconnaissance is riskier (from the malicious hacker's perspective), but generally more useful information is gathered. Passive reconnaissance carries less risk, but it is slightly more unreliable, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, passive reconnaissance is the method of choice for many hackers, as they are much less likely to be detected. If it is completed successfully, the hacker can't be incriminated and the organisation is not alerted, leaving any vulnerabilities wide open for a subsequent cyber attack. Scrupulous preparation is necessary for active reconnaissance because the traces it leaves can likely be used as evidence against the hacker in a digital investigation. Undertaking passive reconnaissance is therefore viewed as the simpler option, despite it being quite time-consuming.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation will then set out to remedy them. Taking into account information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible to adapt to an organisation's needs, and secure to protect applications both in the cloud and on-premise.
