What's the difference between active and passive reconnaissance?

Exploring essential tools of both ethical and malicious hackers alike


Being a part of the tech sector, one can’t avoid the onslaught of headline-grabbing security breaches, each one costing organisations large sums of money and presenting security teams with a waking nightmare.

Reconnaissance plays a big role in the orchestration of almost any attack, and it has become a crucial first step for hackers looking to conduct a successful infiltration.


Both active and passive in nature, reconnaissance gives attackers the chance to glean vital information about a company, both in terms of its on-prem infrastructure and its cloud configuration, often without being detected. Although no cyber attack may actually be launched, a scouting venture leaves attackers primed with information about your company's strengths and weaknesses to feed into any future plans.

Not only are the largest organisations vulnerable, but small and medium-sized businesses too, with more and more digital transformation projects underway at all levels. Projects that haven't been rigorously assessed for gaps in security, or that rely on improper or inadequate use of security tools, are a boon for hackers looking to infiltrate your network. The risks include applications left unhardened and the data they process exposed to third parties. Every business should consider this threat alive and well, given how far criminals' processes have advanced, particularly the use of bots to systematically scour networks and applications for holes.


Meanwhile, the rise in cyber attacks and the increasingly sophisticated methods deployed has been matched by a rise in ethical testing. This usually involves professional penetration testers deploying the same methods hackers adopt in order to locate the holes in an organisation's defences, so that the business can resolve these weaknesses as and when they're found, before they're exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.

How they work

The term 'reconnaissance' originates from the military and references an intelligence-gathering exercise in hostile territory. Simply put, the aim is to obtain information about the target rather than conduct any harmful activity. Avoiding detection is crucial to its success, therefore, in order for the perpetrator to conduct a more effective and successful attack against their target when the time is right.

It's clear to see how this parallels IT. From the organisation's perspective, though, active and passive reconnaissance work more along the principle of a vaccine: carried out by an authorised tester, they help the host shore up its defences against future attacks.


Simply put, active reconnaissance is the process of probing a computer system directly in order to find technical weaknesses that could be used to access it. The attacker first maps the network, for example resolving names with a tool such as NSLookup to identify hosts and their addresses, and then port-scans the hosts found to learn which services are listening and, where banners are returned, which software versions they run. Each of these probes is traffic that actually reaches the target, so its firewalls, routers and intrusion detection systems see it and may log it; the responses, and the absence of responses where traffic is filtered, are what tell the attacker where the security barriers sit and what lies behind them.
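To make the "it touches the target" point concrete, here is a small TCP connect scan written for this article (it is an added example, not code from the original piece or from any named tool). It scans a throwaway listener on 127.0.0.1 so that it runs offline, and the listener keeps its own log of every connection, which stands in for the firewall or IDS record a real target would have. The hostnames, ports and log format are constructed for the demo.

```python
"""Added example (not from the original article): a minimal TCP connect
scan run against a throwaway listener on 127.0.0.1, so it works offline.
The listener records every connection it receives, which is the point of
the passage: active reconnaissance touches the target and leaves a trace
on the target's side. Hostnames, ports and log lines here are constructed."""
import socket
import threading
import time
from typing import Dict, List


class LoggingListener:
    """Stand-in 'target' service: accepts TCP connections and logs each
    client address, much as a real daemon, firewall or IDS would."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))                 # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.port: int = self.sock.getsockname()[1]
        self.log: List[str] = []                  # the target's 'access log'
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:                       # socket closed: stop serving
                return
            self.log.append(f"connection from {addr[0]}:{addr[1]}")
            conn.close()

    def close(self) -> None:
        self.sock.close()


def connect_scan(host: str, ports: List[int], timeout: float = 0.3) -> Dict[int, str]:
    """TCP connect scan: attempt a full three-way handshake to each port.
    'open' if connect() succeeds, 'closed' on refusal (RST), 'filtered' if
    nothing comes back before the timeout (typically a dropping firewall).
    Every attempt, whatever the result, is visible to the target host."""
    results: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                results[port] = "closed"
    return results


def demo() -> Dict[str, object]:
    """Scan the listener's port plus its two neighbours, then return both
    the scanner's view and the target's log of what it saw."""
    target = LoggingListener()
    try:
        ports = [target.port - 1, target.port, target.port + 1]
        results = connect_scan("127.0.0.1", ports)
        # The handshake completes in the kernel before accept() runs, so give
        # the listener thread a moment to record the hit.
        deadline = time.monotonic() + 2.0
        while not target.log and time.monotonic() < deadline:
            time.sleep(0.01)
        return {"port": target.port, "results": results, "target_log": list(target.log)}
    finally:
        target.close()


if __name__ == "__main__":
    view = demo()
    for port, state in sorted(view["results"].items()):
        print(f"scanner sees {port}/tcp {state}")
    for line in view["target_log"]:
        print(f"target logged: {line}")
```

The scanner learns which of the three ports is open, but the listener's log shows the same event from the other side: the source address of every probe, open port or not. That entry is exactly the trail the article describes, and a real target would have it in firewall, IDS or service logs.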

On the other hand, passive reconnaissance doesn't necessitate contact with the target's infrastructure, which lets hackers bypass the detection that active probing risks. It gathers details about the target company, its partners and employees, the technology in use, IP address ranges and so on from sources that already hold that information, and then retreats with what has been collated.


Little trace is left, as public sites are browsed much as a typical user would browse them. The requests appear in ordinary web server and analytics logs like any other visit, but with no red flags raised they are unlikely to stand out to a security team. Using tools such as Wget, hackers can mirror a website and analyse it offline, searching the content for clues about hardware, operating systems, software versions and contact information. Other common methods of passive reconnaissance include advanced Google searches, war driving, sifting through information stored on discarded devices, and impersonating users. Definitions vary, however: some practitioners count any request that reaches a target-owned server as active, which would put a Wget mirror in the active column, and a full mirror fetched at speed is noisy enough to be noticed.
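The offline analysis step is where most of the value of a mirror comes from, so here is an added example (written for this article, not taken from it or from Wget) of what can be pulled from files already on disk without sending another request. The response headers and HTML below are constructed for the demo and point at reserved .test names, not a real site; the header layout assumes the mirror was saved with the response headers kept alongside the page.

```python
"""Added example (not from the original article): offline analysis of a
page saved by a mirroring tool such as Wget. The headers and HTML below are
constructed for this demo and name no real site; the point is what an
attacker can learn from files already on disk, without touching the target
again."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed sample: the kind of response header block a mirror can keep
# beside the page (with Wget that is the --save-headers option).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample page: generator tag, a careless developer comment,
# contact addresses and a link to an internal host.
SAMPLE_HTML = """\
<!DOCTYPE html>
<html>
<head>
  <meta name="generator" content="WordPress 5.4.2">
  <!-- theme build 2020-06-01, staging copy at https://staging.example.test -->
  <title>Example Corp</title>
</head>
<body>
  <p>Press enquiries: press@example.test or call the desk.</p>
  <a href="mailto:it-helpdesk@example.test">IT helpdesk</a>
  <a href="https://intranet.example.test/login">Staff login</a>
  <img src="/uploads/IMG_2048.jpg" alt="Our office">
</body>
</html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class FingerprintParser(HTMLParser):
    """Collect technology hints, developer comments and linked hosts."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: List[str] = []
        self.comments: List[str] = []
        self.hosts: Set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator.append(a.get("content") or "")
        for key in ("href", "src"):
            if a.get(key):
                self.hosts.update(HOST_RE.findall(a[key]))

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())
        self.hosts.update(HOST_RE.findall(data))


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a saved header block into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw_headers: str, html: str) -> Dict[str, object]:
    """Summarise what a mirrored page reveals: server software, CMS,
    contact addresses and hostnames that hint at internal infrastructure."""
    headers = parse_headers(raw_headers)
    parser = FingerprintParser()
    parser.feed(html)
    return {
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "generator": parser.generator,
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "hosts": sorted(parser.hosts),
        "comments": parser.comments,
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Run over a whole mirror directory, the same routine turns a pile of saved pages into a list of software versions to check against known issues, an address book for phishing, and hostnames such as staging or intranet systems to look at next. None of that requires a further request to the target, which is why the article treats the analysis as passive even where the mirror itself was not.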

Differences and common use cases

The fundamental difference in method is that active reconnaissance involves sending traffic to a target network or server, leaving a trail in the hacker's wake, while passive reconnaissance is concerned with being as untraceable as possible. Computers and networks are still targeted, but crucially without actively engaging with the systems or infrastructure. As a result, few clues are left that lead back to the attacker's IP address.


Differences in method unsurprisingly yield different results. Active reconnaissance is riskier (from the malicious hacker's perspective), but the information gathered is generally more useful and more current. Passive reconnaissance carries less risk, but it is less reliable, since third-party sources can be stale or wrong, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, for many hackers passive reconnaissance is the method of choice, as they are much less likely to be detected. If completed successfully, there is little to incriminate the hacker and the organisation is not alerted, leaving any vulnerabilities wide open for a subsequent cyber attack. Active reconnaissance calls for scrupulous preparation, because the traces it leaves can be used as evidence in a digital investigation. Passive reconnaissance is therefore viewed as the simpler option, despite being quite time-consuming.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation then sets out to remedy them. One control that can be tuned with the information gathered is a web application firewall (WAF), which filters requests to exposed applications; it is one layer of defence rather than a complete one, and a good WAF should be flexible enough to adapt to an organisation's needs and able to protect applications both in the cloud and on-premise.
