If passive reconnaissance is watching someone from across the street, active reconnaissance is walking up and knocking on their door. You're directly interacting with target systems, and they can see you coming.
Active recon generates logs, can trigger security alerts, and leaves your IP address in their records. But it also reveals information you can't get passively: live hosts, open ports, running services, and version numbers.
Authorization Required
Active reconnaissance without authorization is illegal in most jurisdictions. Always have written permission before scanning any systems you don't own. Even "harmless" pings can be considered unauthorized access.
Host Discovery
Before scanning ports, you need to know which hosts are actually alive. Think of it like checking which houses on a street have lights on before deciding which doors to knock.
ICMP Ping Sweeps
```bash
# Basic ping sweep with fping (-a: print only alive hosts, -g: generate targets from the CIDR)
fping -a -g 192.168.1.0/24 2>/dev/null

# Nmap ping sweep (-sn: host discovery only, no port scan)
nmap -sn 192.168.1.0/24

# Specific ICMP types (keep -sn, otherwise nmap port-scans every host it finds)
nmap -sn -PE 192.168.1.0/24   # Echo request
nmap -sn -PP 192.168.1.0/24   # Timestamp request
nmap -sn -PM 192.168.1.0/24   # Address mask request
```
ICMP Often Blocked
Many firewalls block ICMP. A host not responding to ping doesn't mean it's down - it might just be silently ignoring you. Use multiple discovery techniques.
TCP/UDP Discovery
```bash
# TCP SYN discovery (common ports): a SYN/ACK or a RST both prove the host is up
nmap -sn -PS22,80,443,445 192.168.1.0/24

# TCP ACK discovery (can bypass some stateless firewalls, which let ACKs through)
nmap -sn -PA22,80,443 192.168.1.0/24

# UDP discovery (a closed UDP port usually answers with ICMP port unreachable)
nmap -sn -PU53,161 192.168.1.0/24
```
ARP Discovery
On a local network segment, ARP discovery is king. Any host that wants to exchange IP packets on the segment has to answer ARP requests for its own address, and host firewalls filter at the IP layer and above, so they don't hide it. Nmap switches to ARP requests automatically when it runs as root against targets on the local Ethernet segment, so `nmap -sn` on a local range is already an ARP sweep. The limitation is the flip side of the advantage: ARP never crosses a router, so it tells you nothing about hosts on other segments.
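The point of the last three subsections is that no single probe proves a host is down, and that a refused connection is as good a sign of life as an accepted one. The following Python script, added here as an example and not part of the original page, does unprivileged host discovery with plain TCP connect() against the same probe ports as the nmap -PS line above: an accepted connection means the port is open, an immediate RST (ConnectionRefusedError) means the host is alive with the port closed, and only a timeout or unreachable error leaves you with no evidence. The target range in the usage comment is a placeholder.

```python
"""TCP connect() host discovery: no raw sockets, no root needed.
An accepted connection (open) and an immediate RST (closed) both prove the
host is alive; a timeout or unreachable error proves nothing either way."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Same probe ports as the nmap -PS example above
DEFAULT_PORTS = (22, 80, 443, 445)


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' (RST came back) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"  # the host's TCP stack answered: it is alive
    except OSError:
        # timeout, host/network unreachable: no evidence of life
        return "filtered"
    finally:
        s.close()


def discover(hosts, ports=DEFAULT_PORTS, timeout=1.0, workers=64):
    """Probe every host/port pair concurrently.  Returns {host: {port: state}}
    containing only hosts that gave some sign of life."""
    pairs = [(h, p) for h in hosts for p in ports]
    alive = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs)
        for (host, port), state in zip(pairs, states):
            if state != "filtered":
                alive.setdefault(host, {})[port] = state
    return alive


def expand_cidr(cidr):
    """'192.168.1.0/30' -> ['192.168.1.1', '192.168.1.2'] (network/broadcast excluded)."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


if __name__ == "__main__":
    # usage: python3 discover.py 192.168.1.0/24  (placeholder range; only scan what you are authorized to)
    targets = expand_cidr(sys.argv[1]) if len(sys.argv) > 1 else ["127.0.0.1"]
    for host, ports in sorted(discover(targets).items()):
        print(host, " ".join(f"{p}/{s}" for p, s in sorted(ports.items())))
```

A host that shows up only as "closed" on every probe port is still a host, and that is exactly the evidence an ICMP-only sweep throws away. The trade-off is noise: every connect() completes a handshake, so this is the loudest discovery technique on the page.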
DNS Enumeration
DNS is chatty by design. With the right queries, it'll tell you about mail servers, subdomains, and sometimes the entire zone.
Zone Transfers
A zone transfer (AXFR) is the DNS mechanism by which secondary name servers copy the entire zone from the primary. A server that doesn't restrict AXFR to its own secondaries will hand the whole zone, every hostname and record in it, to anyone who asks. Most servers refuse it today, but it's cheap to try against every authoritative name server for the domain rather than just the first one, because they are often configured independently and one straggler is all it takes.
Banner Grabbing
Services often announce themselves with banners, like a store putting its name on the window. Banners reveal software names, versions, and sometimes OS information, and they are the cheapest input to a vulnerability lookup you'll get.
```bash
# Netcat banner grab (-n: no DNS lookups, -v: verbose); SSH, FTP and SMTP speak first
nc -nv 192.168.1.10 22
nc -nv 192.168.1.10 21
nc -nv 192.168.1.10 25

# Telnet for HTTP: the server stays silent until you send a request,
# so type the request and finish it with an empty line
telnet 192.168.1.10 80
GET / HTTP/1.0
Host: 192.168.1.10

# Nmap service and version detection
nmap -sV 192.168.1.10

# Grab specific service banners with the NSE banner script
nmap --script banner 192.168.1.10
```
Manual vs Automated
While Nmap automates banner grabbing, manual netcat connections let you interact with services and sometimes extract more information through conversation.
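The manual netcat and telnet sessions above differ in one important way: SSH, FTP and SMTP talk first, while HTTP says nothing until the client sends a request. The Python grabber below, added here as an example rather than taken from the original page, handles both cases (wait briefly, and only then send a prompt) and pulls a software string out of the banner with a small signature table. The HTTP HEAD probe, the port-to-prompt map and the regexes are this example's own assumptions, not nmap's; the host in the usage comment is a placeholder.

```python
"""Banner grabbing over a plain TCP socket.  Some services speak first
(SSH, FTP, SMTP); others stay silent until the client sends something
(HTTP), so the grabber waits briefly and only then sends a prompt."""
import re
import socket
import sys

# Prompt for client-speaks-first services; {host} is filled in at run time.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n"
PROMPTS = {80: HTTP_PROBE, 8000: HTTP_PROBE, 8080: HTTP_PROBE}

# Minimal signature table: (service label, regex whose group(1) is the software string)
SIGNATURES = (
    ("ssh", re.compile(r"^SSH-\d\.\d-(\S+)")),
    ("http", re.compile(r"^Server:\s*(.+?)\s*$", re.M | re.I)),
    ("smtp/ftp", re.compile(r"^220[ -](.+?)\s*$", re.M)),
)


def grab_banner(host, port, timeout=3.0, prompt=None):
    """Connect, wait up to `timeout` seconds for the server to talk first; if it
    stays silent and a prompt is known, send the prompt and read the reply.
    Returns the decoded banner, '' if the service never said anything."""
    if prompt is None:
        prompt = PROMPTS.get(port)
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""  # silent service: needs prompting
        if not data and prompt:
            s.sendall(prompt.replace(b"{host}", host.encode()))
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
    return data.decode("utf-8", errors="replace")


def fingerprint(banner):
    """Pull a service label and software/version string out of a raw banner."""
    for service, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            return {"service": service, "software": m.group(1)}
    return {"service": "unknown", "software": ""}


if __name__ == "__main__":
    # usage: python3 banner.py 192.168.1.10 22 80 443   (placeholder host)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in [int(p) for p in sys.argv[2:]] or [22, 80]:
        try:
            banner = grab_banner(host, port)
        except OSError as exc:
            print(f"{port}: {exc}")
            continue
        print(port, fingerprint(banner), repr(banner[:80]))
```

The wait-then-prompt order matters: sending an HTTP request to an SSH port before reading gets you a protocol error instead of the version string, which is exactly the kind of thing an automated scanner papers over and a manual session lets you notice.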
OS Fingerprinting
Different operating systems implement TCP/IP slightly differently: initial TTL, window size, option ordering, how they answer oddly-flagged packets. By comparing response packets against a signature database, we can usually identify the OS family and often narrow it down to a version range; an exact version is a bonus, not the norm.
```bash
# Nmap OS detection (needs raw sockets, so run as root)
nmap -O 192.168.1.10
nmap -O --osscan-guess 192.168.1.10   # report the closest match even when it isn't exact

# Using TTL values: the reply TTL is the sender's initial TTL minus the hops it crossed
# Linux/Unix: 64
# Windows:    128
# Cisco:      255
ping -c 1 192.168.1.10 | grep ttl

# p0f passive fingerprinting (listens on the interface, sends nothing)
p0f -i eth0
```
Fingerprinting Needs Ports
OS detection requires at least one open and one closed port for accurate results. Run a port scan first.
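The TTL trick in the ping example works because the reply TTL is the sender's initial TTL minus the number of routers crossed, so rounding up to the next default gives both an OS guess and a hop count. Here it is as a Python script, added here as an example and not from the original page; the default-TTL table is the one from the block above, and the two ping transcripts are constructed samples, not captures from real hosts.

```python
"""OS guess from the TTL in a ping reply.  A reply TTL is the sender's initial
TTL minus the number of routers crossed, so rounding up to the next default
initial TTL gives both an OS family guess and a hop count."""
import re
import sys

# Default initial TTLs of common stacks (same table as the ping example above)
INITIAL_TTLS = {64: "Linux/Unix/macOS", 128: "Windows", 255: "Cisco/Solaris/network gear"}

# Matches Linux/BSD 'ttl=64' and Windows 'TTL=128'
TTL_RE = re.compile(r"\bttl[=:](\d+)", re.I)

# Constructed sample ping output (not captured from real hosts)
SAMPLE_LINUX = """PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=54 time=12.3 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=54 time=11.9 ms"""
SAMPLE_WINDOWS = """Pinging 192.168.1.20 with 32 bytes of data:
Reply from 192.168.1.20: bytes=32 time=3ms TTL=126
Reply from 192.168.1.20: bytes=32 time=2ms TTL=126"""


def infer_os(observed_ttl):
    """Return (initial_ttl, hops, os_guess) for one observed TTL.
    Caveat: admins can change the default (net.ipv4.ip_default_ttl on Linux),
    and a Windows host more than 64 hops away would be misread as a Cisco box."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]


def parse_ttls(ping_output):
    """All TTL values in a ping transcript, in order."""
    return [int(t) for t in TTL_RE.findall(ping_output)]


def fingerprint_from_ping(ping_output):
    """Most common reply TTL -> OS guess; None if no reply carried a TTL."""
    ttls = parse_ttls(ping_output)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)  # ignore a stray reply that took another path
    initial, hops, guess = infer_os(ttl)
    return {"observed_ttl": ttl, "initial_ttl": initial, "hops": hops, "os_guess": guess}


if __name__ == "__main__":
    # pipe real output in:  ping -c 3 192.168.1.10 | python3 ttl_guess.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LINUX
    print(fingerprint_from_ping(data))
```

Treat the result as a hint to prioritise, not a finding: a TTL of 54 says "64 minus 10 hops, probably Unix-like", and a traceroute that also shows 10 hops is what turns that into something worth writing down.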
SMB & NetBIOS
Windows networks leak information through SMB and NetBIOS like a gossipy neighbor. Usernames, shares, groups - it's all there for the asking.
SNMP Enumeration
SNMP (Simple Network Management Protocol) was designed for monitoring but often reveals far too much: running processes, installed software, network interfaces, routing tables, and sometimes credentials embedded in device configuration. With versions 1 and 2c, the only "authentication" is a community string sent in cleartext in every packet.
```bash
# SNMP walk with the default community strings
snmpwalk -v2c -c public 192.168.1.10
snmpwalk -v2c -c private 192.168.1.10

# Using onesixtyone to try a wordlist of community strings against a host
# (-c: community string wordlist; community.txt is a placeholder file name)
onesixtyone -c community.txt 192.168.1.10
```
An old industry joke is that SNMP stands for "Security Not My Problem." Many devices still use the default community strings "public" (read-only) and "private" (read-write), and a working read-write string is not just information disclosure, it lets you change the device's configuration. Always check.
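To see what snmpwalk is actually putting on the wire when it tries a community string, here is an SNMPv2c GetRequest for sysDescr.0 built by hand with BER encoding, and a decoder for the GetResponse. This is an added example, not code from the original page or from the Net-SNMP tools; the GetResponse bytes at the bottom are a constructed sample (a made-up "Linux router" answer), not a capture from a real device, and the host and community strings in the usage comment are placeholders.

```python
"""Hand-built SNMPv2c GetRequest for sysDescr.0 plus a GetResponse decoder.
Note what is visible on the wire: the community string, in cleartext, in every packet."""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def _length(n):
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def encode_int(v):
    n = (v.bit_length() + 8) // 8  # minimal two's complement, room for the sign bit
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on every byte but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """Message{version=1 (v2c), community, GetRequest-PDU (tag 0xA0) with one varbind}."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")  # name + NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def parse_response(data):
    """Decode a GetResponse (PDU tag 0xA2) into community, error status and bindings."""
    _, msg, _ = _read_tlv(data, 0)
    _, _version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError(f"unexpected PDU tag {pdu_tag:#x}")
    _, _req_id, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _err_idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    bindings, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        if vtag == 0x04:  # OCTET STRING
            value = val.decode("utf-8", errors="replace")
        elif vtag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big", signed=(vtag == 0x02))
        else:  # NULL, noSuchObject (0x80) and friends are left as hex
            value = val.hex()
        bindings.append((decode_oid(oid), value))
    return {"community": community.decode(), "error_status": int.from_bytes(err, "big", signed=True), "bindings": bindings}


def query(host, community, oid=SYS_DESCR, timeout=2.0):
    """One GetRequest over UDP/161.  None on timeout: a wrong community string is silently dropped."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed GetResponse (not from a real device): sysDescr.0 = "Linux router 5.10.0", community "public"
SAMPLE_RESPONSE = bytes.fromhex(
    "3039020101" "04067075626c6963" "a22c020101020100020100"
    "3021301f06082b06010201010100" "04134c696e757820726f7574657220352e31302e30")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 snmp_get.py 192.168.1.10 public private   (placeholders)
        for community in sys.argv[2:] or ["public", "private"]:
            print(community, query(sys.argv[1], community))
    else:
        print(parse_response(SAMPLE_RESPONSE))
```

Two things worth noticing from the bytes: the community string is the only secret and it sits right after the version field unencrypted, and a wrong string produces no reply at all, which is why community-string guessing is a timeout-driven exercise and why tools like onesixtyone send in bulk instead of waiting for each answer.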
SMTP Enumeration
Mail servers can confirm valid usernames through the VRFY and EXPN commands, or by observing the reply to RCPT TO inside a MAIL FROM transaction. Read the reply codes carefully: 250 or 251 confirms the user, 550 denies it, but many servers now answer VRFY with 252 ("cannot verify, will try to deliver"), which is inconclusive rather than a hit, and a server that rejects the verb outright with 502 can't be enumerated that way at all.
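The exchange described above, as a Python client added here as an example (not part of the original page): it reads the banner, sends HELO, then probes each user with VRFY, EXPN or RCPT TO and classifies the reply so that 252 comes back as "unknown" and a 502 stops the run instead of reporting every user as invalid. The HELO name "recon.local", the domain "example.com" and the host in the usage comment are placeholders.

```python
"""SMTP user enumeration over VRFY, EXPN or RCPT TO, with reply codes
classified so that a 252 ('cannot verify, will try to deliver') is reported
as inconclusive rather than as a hit."""
import socket
import sys


def _reply(f):
    """Read one (possibly multi-line) SMTP reply; returns (code, full text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:  # server closed the connection
            return 0, "\n".join(lines)
        line = raw.decode("utf-8", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # '250-' continues, '250 ' ends the reply
            break
    try:
        return int(lines[-1][:3]), "\n".join(lines)
    except ValueError:
        return 0, "\n".join(lines)


def _cmd(f, line):
    f.write((line + "\r\n").encode())
    f.flush()
    return _reply(f)


def classify(method, code):
    """Map a reply code to valid / invalid / unknown / disabled for the given probe."""
    if code in (250, 251):
        return "valid"
    if code in (550, 551, 553):
        return "invalid"
    if method in ("VRFY", "EXPN") and code in (500, 502):
        return "disabled"  # verb rejected outright: every user would look the same
    return "unknown"  # 252 (cannot VRFY), 450/451 greylisting, anything odd


def enumerate_over(sock, users, method="VRFY", domain="example.com"):
    """Drive an already-connected socket; returns (banner, {user: verdict})."""
    f = sock.makefile("rwb")
    code, banner = _reply(f)
    if code != 220:
        raise RuntimeError(f"no SMTP banner: {banner!r}")
    _cmd(f, "HELO recon.local")  # placeholder client name
    if method == "RCPT":  # RCPT TO is only accepted inside a mail transaction
        _cmd(f, f"MAIL FROM:<probe@{domain}>")
    results = {}
    for user in users:
        if method == "RCPT":
            code, _ = _cmd(f, f"RCPT TO:<{user}@{domain}>")
        else:
            code, _ = _cmd(f, f"{method} {user}")
        results[user] = classify(method, code)
        if results[user] == "disabled":
            break  # no point hammering a verb the server refuses
    _cmd(f, "QUIT")
    return banner, results


def smtp_enum(host, users, port=25, method="VRFY", domain="example.com", timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        return enumerate_over(s, users, method, domain)


if __name__ == "__main__":
    # usage: python3 smtp_enum.py mail.example.com VRFY root admin alice   (placeholder host)
    host, method, users = sys.argv[1], sys.argv[2].upper(), sys.argv[3:]
    banner, verdicts = smtp_enum(host, users, method=method)
    print(banner)
    for user, verdict in verdicts.items():
        print(f"{user:20} {verdict}")
```

RCPT TO is the fallback when VRFY and EXPN are disabled, but it is also the noisiest: each probe is a half-started mail transaction, which most mail logs record in full, including the probing address you chose.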