Active Reconnaissance
Introduction
Active Reconnaissance (Active Recon) is the process of directly interacting with systems that are explicitly authorized for testing to gather technical information about the target environment. Unlike passive reconnaissance, which relies on publicly available information, active reconnaissance sends network requests to the target. These interactions may be recorded in server logs, intrusion detection systems (IDS), web application firewalls (WAFs), or other monitoring solutions.
The primary goal of active reconnaissance is to verify discovered assets, identify running services, and collect detailed technical information that supports later phases such as enumeration, vulnerability assessment, and manual security testing.
Important: Active reconnaissance must only be performed after obtaining written authorization and must remain within the approved scope defined in the Rules of Engagement (RoE).
Objectives of Active Reconnaissance
The objectives of active reconnaissance are to:
Verify discovered assets.
Identify live hosts.
Discover open network services.
Detect web applications and APIs.
Identify technologies and software.
Build a complete inventory of reachable systems.
Expand and validate the attack surface map.
Gather technical information for later testing phases.
Characteristics of Active Reconnaissance
Unlike passive reconnaissance, active reconnaissance:
Sends network traffic to the target.
May appear in security logs.
Interacts directly with servers.
Provides more accurate and up-to-date information.
Requires authorization before execution.
Information Collected During Active Reconnaissance
1. Live Host Discovery
The first step is determining which systems are currently online and responding.
Information Collected
Active servers
Reachable IP addresses
Internet-facing hosts
Cloud instances
Example
203.0.113.10
↓
www.example.com
Status: Live
HTTPS: Enabled
Benefits
Removes inactive assets.
Confirms reachable systems.
Creates an accurate host inventory.
2. Service Identification
Once live systems are identified, determine which network services are available.
Examples of common services include:
HTTP
HTTPS
SSH
SMTP
DNS
FTP
IMAP
POP3
RDP
VPN
Example
Host:
portal.example.com
Services
HTTPS
SSH
SMTP
Benefits
Understands system functionality.
Identifies exposed network services.
Supports later enumeration.
3. Port Identification
Every network service communicates through one or more ports.
Common Ports
Port Service
80 HTTP
443 HTTPS
22 SSH
25 SMTP
53 DNS
3389 Remote Desktop Protocol (RDP)
Open ports indicate which services are available on a system.
4. Service Fingerprinting
After identifying services, determine the technologies behind them.
Examples include:
Web server software
Reverse proxy
Database platform
Programming framework
Content Management System (CMS)
Example
Server
↓
Nginx
↓
Node.js
↓
PostgreSQL
Benefits
Identifies software components.
Supports technology inventory.
Improves assessment planning.
5. Web Application Discovery
Organizations frequently host multiple web applications.
Examples:
Customer Portal
Admin Dashboard
Support Portal
Documentation Portal
Developer Portal
Example
www.example.com
↓
Customer Portal
admin.example.com
↓
Administration Portal
support.example.com
↓
Support Center
6. Directory and Resource Discovery
Applications contain many directories and resources.
Examples:
/login
/dashboard
/profile
/api
/docs
/uploads
/images
Discovering these resources helps build an inventory of application functionality.
7. API Discovery
Modern applications commonly expose APIs.
Common API types include:
REST
GraphQL
SOAP
gRPC
Example
https://api.example.com/v1/
https://api.example.com/graphql
Information Collected
API versions
Authentication methods
Available endpoints
Response formats
8. JavaScript Analysis
Client-side JavaScript often references application functionality.
Examples of information found:
API URLs
Hidden routes
Configuration values
Feature flags
Third-party integrations
Example
const API_URL = "https://api.example.com";
const LOGIN = "/login";
This helps identify additional application components.
9. Virtual Host Discovery
A single server may host multiple websites.
Example
203.0.113.15
↓
www.example.com
↓
admin.example.com
↓
api.example.com
Each virtual host may provide different functionality.
10. Authentication Entry Points
Identify where users authenticate.
Examples:
Login pages
OAuth providers
SSO portals
Multi-Factor Authentication pages
Password reset functionality
Example
/login
↓
OAuth
↓
Dashboard
Understanding authentication flows supports later testing of authentication and authorization controls.
11. Cloud Resource Discovery
Many organizations use cloud infrastructure.
Examples include:
Virtual Machines
Object Storage
Load Balancers
Serverless Functions
CDN Endpoints
Understanding cloud resources helps document the deployment environment.
12. Security Headers
HTTP responses often include security-related headers.
Examples:
Content-Security-Policy (CSP)
Strict-Transport-Security (HSTS)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Reviewing these headers helps understand the application's security configuration.
Active Reconnaissance Workflow
Authorization
↓
Live Host Discovery
↓
Service Identification
↓
Port Identification
↓
Technology Fingerprinting
↓
Web Application Discovery
↓
API Discovery
↓
Directory Discovery
↓
JavaScript Analysis
↓
Authentication Discovery
↓
Cloud Resource Identification
↓
Attack Surface Update
Deliverables
At the end of active reconnaissance, the security team should have:
Verified list of live hosts.
Network service inventory.
Web application inventory.
API inventory.
Technology stack documentation.
Authentication entry points.
Cloud infrastructure overview.
Updated attack surface map.
Best Practices
Perform only activities authorized in the Rules of Engagement.
Stay strictly within the defined scope.
Minimize unnecessary network traffic.
Record every discovered asset and observation.
Verify findings using multiple sources when possible.
Update documentation continuously throughout the assessment.
Importance of Active Reconnaissance
Active reconnaissance transforms the information gathered during passive reconnaissance into a verified and accurate view of the target environment. It confirms which assets are currently active, identifies available services and technologies, and provides the technical details required for deeper security testing. A thorough active reconnaissance phase enables ethical hackers to conduct efficient, focused, and comprehensive assessments while remaining within the boundaries of authorized testing.
Summary
Active Reconnaissance is the process of directly interacting with authorized target systems to identify live hosts, discover network services, detect web applications and APIs, fingerprint technologies, and validate the organization's attack surface. Because it generates network traffic and may be visible to monitoring systems, it must always be conducted with explicit authorization and in accordance with the engagement's Rules of Engagement. The information gathered during this phase forms the technical foundation for enumeration, vulnerability assessment, and manual security testing.