When an attacker performs active reconnaissance, they send traffic directly to the target computer or network in order to gather information about it. This is typically the second preparatory step of a cyber-attack, following passive reconnaissance, and its purpose is to expose ways the attacker could gain access to a system.
Cyber-attacks typically begin with two data collection stages, known as passive reconnaissance and active reconnaissance. In these stages, potential attackers collect information about the network or system they are trying to break into. This can include IP addresses, software versions, device information, available open ports, WiFi information, or anything that could give them an edge when trying to break in.
Passive and Active Reconnaissance
Any attempt to gather information about a computer or a network is considered reconnaissance. The big difference between passive and active reconnaissance is whether or not the attacker directly engages with the system they’re planning to attack.
Passive reconnaissance occurs when information is gathered about the targeted system without sending any traffic to it, for example from DNS records, public registries, search engines and leaked documents. It is usually the first step of an attack because it lets the attacker collect information with no risk of alerting the victim. You can learn more in our complete guide to passive reconnaissance.
Active reconnaissance occurs when the attacker engages directly with the targeted system to acquire information about it. This form of reconnaissance is faster and generally yields more actionable information than its counterpart, but it is inherently riskier: every probe is traffic the target can see, and defenses such as firewalls, endpoint security software and intrusion detection systems are built to notice it.
These security measures alert the owners about suspicious activity on their network or system, and it is much more difficult for an attacker to break in once the owner is aware of the potential danger. This is why passive reconnaissance is performed before active reconnaissance – the element of surprise is crucial to the success of a cyber-attack.
Common Active Reconnaissance Techniques
During the active reconnaissance phase of a cyber-attack, the intruder probes the target for weaknesses that would allow them to actually break in. The most basic technique is port scanning: sending packets to a range of TCP or UDP ports on a host to learn which ones accept connections, and therefore which network services are listening. An open port is not a vulnerability in itself, but the service behind it, especially an outdated or misconfigured one, is where the attacker looks next. There are a variety of free tools that can be used to perform these scans.
The most widely used port scanner is Nmap. Nmap is free and is run from the command line (Zenmap is its graphical front end). A single run can perform host discovery (which addresses in a range are alive), port scanning (which TCP and UDP ports are open, closed, or filtered by a firewall), service and version detection (what software is answering on each open port, for example the version string in an SSH or HTTP banner) and operating-system fingerprinting, and its scripting engine can run further checks against the services it finds. The result is a map of the target's exposed services that the attacker can later match against known weaknesses.
Other tools cover parts of the same ground: Unicornscan is a high-speed port scanner, Netcat can test single ports and grab banners by hand, Zenmap wraps Nmap in a GUI, Metasploit ships auxiliary scanner modules, and Nessus is a vulnerability scanner that goes a step further and tests the discovered services for known flaws. These tools use different probing techniques, such as a full TCP connect, the TCP SYN (half-open) scan that never completes the handshake, UDP probes, and ICMP pings for host discovery, and each has trade-offs in speed, accuracy and how much noise it generates against a given network configuration.
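To make the mechanics concrete, here is an added example written for this article, not code from Nmap or any of the tools above: a minimal TCP connect scan in Python with banner grabbing. It starts its own stand-in listeners on 127.0.0.1 (constructed, with made-up SSH and SMTP banners) so it runs offline; the same socket calls aimed at a remote address are what a connect scan does.

```python
"""Added example (written for this article, not Nmap's code): a minimal TCP
connect scan with banner grabbing, run against constructed local listeners so
it works offline. The banner read is the simplest form of version detection."""
import socket
import threading
from typing import Dict, Iterable, Tuple

HOST = "127.0.0.1"  # everything stays on the loopback interface


def _serve_one(srv: socket.socket, banner: bytes) -> None:
    """Accept a single client, send it the banner, then shut the listener."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(banner)
    srv.close()


def start_fake_services(banners: Iterable[bytes]) -> Dict[int, bytes]:
    """Constructed stand-in services: one listener per banner on an ephemeral
    port. Returns {port: banner} so the caller knows what to expect."""
    services = {}
    for banner in banners:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((HOST, 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        threading.Thread(target=_serve_one, args=(srv, banner), daemon=True).start()
        services[port] = banner
    return services


def find_closed_port() -> int:
    """Bind and immediately release a port so we have one that is known closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_port(host: str, port: int, timeout: float = 0.5) -> Tuple[str, bytes]:
    """Full TCP handshake against one port (a connect scan).

    Returns (state, banner). An RST means "closed"; no answer before the
    timeout means "filtered" (something dropped the SYN). Other errors such as
    host-unreachable are lumped into "filtered" here for brevity; Nmap reports
    them separately."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "filtered", b""
    with conn:
        conn.settimeout(timeout)
        try:
            banner = conn.recv(256)  # many services speak first (SSH, SMTP, FTP)
        except socket.timeout:
            banner = b""  # open, but the service waits for the client to talk
    return "open", banner


def connect_scan(host: str, ports: Iterable[int]) -> Dict[int, Tuple[str, bytes]]:
    """Probe each port in turn; returns {port: (state, banner)}."""
    return {port: probe_port(host, port) for port in ports}


def demo() -> Tuple[Dict[int, bytes], int, Dict[int, Tuple[str, bytes]]]:
    """Spin up two constructed services, then scan them plus one closed port."""
    services = start_fake_services([b"SSH-2.0-OpenSSH_9.6\r\n",
                                    b"220 mail.example.test ESMTP ready\r\n"])
    closed = find_closed_port()
    results = connect_scan(HOST, sorted(services) + [closed])
    return services, closed, results


if __name__ == "__main__":
    _, _, results = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d}/tcp {state:8s} {banner.strip().decode(errors='replace')}")
```

A full handshake like this is the noisiest scan there is: every probe appears as a completed connection in the target's logs, which is exactly why Nmap's default SYN scan stops after the SYN/ACK. The open, closed and filtered states correspond to the same three outcomes Nmap reports.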
How to Detect Active Reconnaissance
Detecting active reconnaissance is much easier than detecting passive reconnaissance, because active techniques send packets to the target and packets can be logged. At a minimum, network owners should run a firewall that denies everything not explicitly required and an intrusion detection system (IDS) with current signatures. The firewall shrinks what a scan can find and logs the probes it drops; the IDS alerts on the patterns scans produce, such as one source contacting many ports on a host, or one port across many hosts, in a short time. Neither prevents scanning as such, since any host reachable from the Internet will be scanned, but together they limit what is learned and make the attempt visible.
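As an added illustration of what an IDS looks for (example code written for this article, not a real product's detection logic), the following Python flags the two classic scan shapes in a stream of firewall log lines: many distinct ports on one host from a single source (a vertical scan) and one port across many hosts (a horizontal sweep). The log format, the addresses and every event in the sample are constructed; the 60-second window and threshold of 10 are illustrative tuning values.

```python
"""Added example (written for this article, not taken from any IDS): flagging
port scans in firewall connection logs with a sliding time window per source.
The log format and every line in the sample are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def _line(ts: datetime, action: str, src: str, dst: str, dport: int) -> str:
    return f"{ts.isoformat()} {action} src={src} dst={dst} dport={dport} proto=tcp"


def build_sample_log() -> List[str]:
    """Constructed log: benign traffic, a fast vertical scan, a horizontal
    sweep, and a slow scan that stays under the window threshold."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    probe_ports = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
    lines = []
    for i in range(20):  # a workstation talking to the web server: benign
        lines.append(_line(t0 + timedelta(seconds=3 * i), "ALLOW", "10.0.0.50", "10.0.0.7", 443))
    for i, p in enumerate(probe_ports):  # 12 ports on one host within 22 seconds
        lines.append(_line(t0 + timedelta(seconds=2 * i), "DENY", "203.0.113.5", "10.0.0.7", p))
    for i in range(10):  # SMB across ten hosts within nine seconds
        lines.append(_line(t0 + timedelta(seconds=60 + i), "DENY", "198.51.100.9", f"10.0.0.{10 + i}", 445))
    for i, p in enumerate(probe_ports):  # same ports, but one probe every five minutes
        lines.append(_line(t0 + timedelta(minutes=5 * i), "DENY", "192.0.2.77", "10.0.0.7", p))
    return sorted(lines)  # fixed-width ISO timestamps sort lexicographically


def detect_scans(lines: List[str], window: timedelta = timedelta(seconds=60),
                 threshold: int = 10) -> List[Dict]:
    """Return one alert per (source, target) pair whose distinct ports, or per
    (source, port) pair whose distinct hosts, reach `threshold` within `window`."""
    vertical: Dict[Tuple[str, str], Deque] = defaultdict(deque)    # (src, dst) -> (ts, dport)
    horizontal: Dict[Tuple[str, int], Deque] = defaultdict(deque)  # (src, dport) -> (ts, dst)
    alerts: List[Dict] = []
    alerted = set()

    def check(table, key, ts, value, kind, field):
        q = table[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window:
            q.popleft()  # forget events older than the window
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and (kind, key) not in alerted:
            alerted.add((kind, key))  # alert once per pair, not on every further probe
            alerts.append({"type": kind, "src": key[0], field: key[1],
                           "distinct": len(distinct), "first": q[0][0], "last": ts})

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these too
        ts = datetime.fromisoformat(m["ts"])
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        check(vertical, (src, dst), ts, dport, "vertical_scan", "dst")
        check(horizontal, (src, dport), ts, dst, "horizontal_sweep", "dport")
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample_log()):
        print(alert)
```

The slow scanner in the sample, one probe every five minutes, never trips the alert. Spacing probes out is the standard evasion against window-based detection, and catching it requires keeping longer per-source baselines rather than simply lowering the threshold, which would drown the analyst in false positives from ordinary traffic.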
Network address translation (NAT) is often cited as a defense here. It hides internal addressing and presents a single public address, so an outside scan sees only that address and whatever ports are forwarded through it. That does reduce what an external scanner can enumerate directly, but NAT is a reachability mechanism rather than a security control: the public address and every forwarded service remain fully scannable, and it does nothing against reconnaissance from inside the network. Treat it as a side benefit, not a substitute for a firewall and an IDS.
How to Protect Against Active Reconnaissance
To reiterate, the simplest ways to protect against active reconnaissance are to implement strong security measures like well-configured firewalls and to keep those measures up to date. It is also recommended to train employees about social engineering: an attacker can learn a great deal about a network simply by talking to the people who use it, and no scanner shows up in the logs when they do.
Beyond that, the goal is to shrink what there is to discover. Expose as few services to the Internet as possible, put administrative interfaces behind a virtual private network (VPN) so they are not directly reachable, and revoke network access promptly when people no longer need it. NAT and similar address-masquerading techniques can hide the internal layout, and some owners rotate their public addresses, but this only inconveniences an attacker: anything that remains reachable will be found again, so reducing exposure matters more than obscuring it.
Testing Your Own Network
Once the defenses are in place, the network owner should run the same active reconnaissance against their own network that an attacker would, using tools like Nmap and Unicornscan from outside the perimeter. Although this is sometimes loosely called a stress test, it is an exposure check, not a load test. The point is to see exactly what an outsider sees: which hosts answer, which ports are open, and which version strings are given away. Every open port should be compared against the list of services that are supposed to be exposed, anything unexpected closed or firewalled, and the exercise repeated after changes so that the firewall and IDS are confirmed to be configured as intended rather than assumed to be.
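One way to turn that self-scan into a repeatable check, as an added example that is not from this page or from Nmap: parse Nmap's grepable output (-oG) in Python and compare it against the services each host is approved to expose. The scan output and the baseline below are constructed; the parser assumes the grepable format's seven slash-separated fields per port entry (port/state/protocol/owner/service/rpc info/version).

```python
"""Added example (written for this article; the only Nmap-specific part is the
grepable output layout): parse an nmap -oG result and diff it against the
services each host is supposed to expose. Scan text and baseline are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed -oG output, in the layout "nmap -sV -oG scan.gnmap 10.0.0.0/28" produces.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated Wed May  1 10:00:00 2024 as: nmap -sV -oG scan.gnmap 10.0.0.0/28",
    "Host: 10.0.0.7 ()\tStatus: Up",
    "Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: closed (997)",
    "Host: 10.0.0.8 ()\tStatus: Down",
    "Host: 10.0.0.12 ()\tStatus: Up",
    "Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "135/filtered/tcp//msrpc///\tIgnored State: closed (998)",
    "# Nmap done at Wed May  1 10:00:41 2024 -- 16 IP addresses (2 hosts up) scanned in 41.07 seconds",
])

# Constructed baseline: what each host is *supposed* to expose.
BASELINE: Dict[str, Set[int]] = {
    "10.0.0.7": {22, 80},
    "10.0.0.8": {443},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> List[OpenPort]:
    """Return every open port in grepable output. Ports listed as closed or
    filtered are skipped; ports folded into 'Ignored State' never appear
    individually, so they cannot be recovered from this format."""
    found: List[OpenPort] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        host, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # Status:, Ignored State:, OS: etc.
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    found.append(OpenPort(host, int(port), proto, service, version))
    return found


def compare_to_baseline(found: List[OpenPort], baseline: Dict[str, Set[int]]) -> List[str]:
    """UNEXPECTED: open but not approved (close it, or approve it deliberately).
    MISSING: approved but not seen (an outage, or the scan itself was blocked)."""
    findings: List[str] = []
    seen = set()
    for op in found:
        seen.add((op.host, op.port))
        if op.port not in baseline.get(op.host, set()):
            findings.append(f"UNEXPECTED {op.host}:{op.port}/{op.proto} {op.service} {op.version}".rstrip())
    for host, ports in sorted(baseline.items()):
        for port in sorted(ports):
            if (host, port) not in seen:
                findings.append(f"MISSING {host}:{port} expected open, not reported")
    return findings


def audit(text: str = SAMPLE_GNMAP, baseline: Dict[str, Set[int]] = BASELINE) -> List[str]:
    return compare_to_baseline(parse_gnmap(text), baseline)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run the scan from outside the perimeter, diff the result against the baseline after every change, and treat a MISSING entry as seriously as an UNEXPECTED one: a service that should answer and does not may mean the scanner itself is being blocked, which would also hide anything else on that host. The version strings the parser surfaces are the same ones an attacker would collect, so an unexpected entry carrying an old version is doubly worth attention.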
For further assurance, network owners are encouraged to hire penetration testers to try to break in under agreed rules of engagement. If the testers succeed, the owner fixes the weakness that was exploited and has them retest to confirm the fix; the cycle repeats until the testers come up empty. Even then the result is a snapshot: networks change, so the exercise should be repeated periodically rather than treated as a one-off.
Cyber-attacks, and the information gathering such as active reconnaissance that precedes them, are becoming increasingly common, but understanding how attackers gather that information and building preventative measures into your network will help safeguard against these types of attacks.