What's the difference between active and passive reconnaissance?

A shield with a keyhole on a radar system denoting cyber security
(Image credit: Shutterstock)

Hacking is a profession that requires lots of preparation. It isn't a case of selecting a target and hitting them with whatever malware you've got - it's far more nuanced. Pentesters and malicious attackers need to know how best to hit an organisation, including how to gain access to their networks without being caught, and when the right time to strike is. This information will only be gleaned from thorough reconnaissance.

With the sheer volume of systems and cloud environments on offer to businesses, a blueprint of the target helps to strengthen the attack. Does the target use an on-premise infrastructure, or does it use a cloud service from a third-party provider? How many employees does it have, and which ones are authorised to access the systems you want to hit? Do employees have their own devices at work? - this can all be critical information.

Regardless of your route in, the key to successful reconnaissance is stealth. Going undetected will keep your eventual attack a surprise (though most businesses should expect to be regularly attacked these days).

Active vs passive reconnaissance

"Reconnaissance', which is often shortened to 'recon' is a military term for observing a region to locate the enemy or find information to design an attack strategy. Within IT, the term is normally classified as either 'active' or 'passive' with each referring to different methods.

Active reconnaissance

Active reconnaissance is a more direct approach. Hackers will use this method to probe a system for weaknesses, often risking early detection. Of the two, this is the fastest method of recon, actively searching for vulnerabilities or entre points.


Best practices for protecting remote work

Staying safe and secure while working from home


System information is used to gain unauthorised access to protected materials, infiltrating any firewalls or routers. The hacker then actively maps the network infrastructure, using tools such as NSLookup to identify hosts. Once they have been found, a port scan is conducted to reveal any potential vulnerabilities.

The Nmap open source tool is perhaps the most well-known exploit kit used for active reconnaissance, which uses a range of different scan types to find hosts and services connected to a network.

Given this approach requires interaction with a system, it’s far more likely that a scan will be caught by a system’s firewall or an attached security suite.

Passive reconnaissance

Passive reconnaissance does not rely on direct interactions with a target system, and is therefore far easier to hide. This technique involves simply eavesdropping on a network in order to gain intelligence, with hackers being able to analyse the target company for partner and employee details, technology in use, and IP information.

If the attack is conducted successfully, the only evidence of a hacker's presence would be in analytical data, and with no red flags raised, they shouldn't appear in security logs.

Using tools such as Wget, hackers can browse a website offline, analysing content to reveal hardware, operating systems and contact information. Other common methods of passive reconnaissance include advanced Google searches, sifting through information stored on discarded devices, and impersonating users.

Use cases for active and passive reconnaissance

Differences in method, unsurprisingly, yield different results. Active reconnaissance is riskier (from the hacker's perspective) but generally more useful information is gathered. Passive reconnaissance carries less risk, but is slightly more unreliable, can be time-consuming, and is usually far less revealing.

Despite these drawbacks, passive reconnaissance is the preferred tactic for many hackers, chiefly because of the reduced risk of detection. It also allows hackers to avoid the risk of incrimination, and the information gathered is still incredibly useful for supporting future cyber attacks. Conversely, active reconnaissance normally requires scrupulous preparation in order to avoid detection, and hackers always run the risk that a trace of their attack may be left behind.

All organisations are susceptible to these types of attacks, not just high profile networks. Small and medium-sized businesses should be particularly wary of reconnaissance, especially if they have digital transformation projects underway. Ventures that haven’t been properly checked for potential security breaches, or that have misconfigured security tools, can be especially helpful to hackers trying to infiltrate your network.

Other risks worth considering include unfortified applications containing data which could be vulnerable to being accessed by third-parties. Every organisation should be one step ahead of potential hackers and consider all the processes that a criminal could deploy in order to gain access to confidential information.

It’s also important to remember that reconnaissance is equally useful for ethical hacking. This process usually involves professional penetration tests deploying the methods hackers normally adopt in order to locate the holes in an organisation's defences. This would allow the business to resolve any of these weaknesses as and when they're found before they're exploited by hackers in a live setting. The method isn't always free from fuss, however, and pen-testers have occasionally been mistaken for actual criminals.

Penetration testers would likely cover both methods in order to provide a comprehensive overview of an organisation's cyber defences. Vulnerabilities are reported, and the organisation will then set out to remedy them. Taking into account information gathered, organisations can augment a web application firewall (WAF), the most holistic defence against cyber attacks. A strong WAF should be flexible to adapt to an organisation's needs, and secure to protect applications both in the cloud and on-premise.