Reconnaissance in Cybersecurity – The 1st Stage of Cyber Kill Chain

Written By Sambita Panigrahy  
Anuraag Singh
Approved By Anuraag Singh 
Published On April 25th, 2023

Earlier we discussed the Cyber Kill Chain model, in which reconnaissance is the very first stage. Here, we’ll dive deeper and understand what reconnaissance in cybersecurity is.

The term reconnaissance is derived from military language, where it refers to a mission whose goal is to obtain information about enemy territory before engaging it. In IT security the word means much the same: learning as much as possible about a target’s systems, people and exposure before any test or attack begins. Security professionals do this deliberately, as the first phase of a penetration test. Unfortunately, sophisticated attackers use the very same process to gather information (network ranges, host and service inventories, employee names and e-mail addresses, administrative details) that they can use against the victim/target organization.

Reconnaissance in Cybersecurity – Understand Its Meaning From Different Standpoints

It’s never certain in advance which way an attacker will try to get into an organization’s systems. Reconnaissance, or simply recon, is how security professionals find out what an attacker would see: it is the first phase of a penetration test, an authorized attempt to identify (and, with permission, exploit) the present vulnerabilities in an organization’s IT infrastructure. Everything that follows in the test is built on what recon turns up.

During the reconnaissance phase, penetration testers typically work through seven steps to gather information about the target company. The first touches only public sources; the rest send traffic to the target and are therefore detectable by it (the active/passive distinction is covered below).

  1. Collect initial information about the organization (domains, people, public records)
  2. Determine the company’s network range (the IP blocks it owns or uses)
  3. Identify the active/running machines within that range
  4. Discover accessible entry points and open ports on each machine
  5. Identify the services listening on those ports, and their versions
  6. Identify the operating system each machine is running
  7. Create a network map that ties all of the above together
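Steps 4 and 5 in working code, as an added example that is not part of the original article: a TCP connect() port scan followed by banner grabbing and a tiny banner-to-service table. So that it runs offline, the block starts a constructed stand-in service on 127.0.0.1 (the OpenSSH-style banner it sends is invented); the signature table is a hypothetical minimum, not a real tool’s fingerprint database.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_fake_service(banner: bytes):
    """Constructed stand-in for a real network service, so the scan can run
    offline against 127.0.0.1. It sends `banner` to every client and closes.
    Returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:         # scanner hung up before reading; ignore
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def tcp_connect_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Step 4 (ports): a full TCP connect() probe. A completed three-way
    handshake means something is listening; RST or timeout means closed or
    filtered. This is the noisy kind of recon: every probe lands in the
    target's logs and can trip an IDS."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list:
    """Probe many ports in parallel; return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_connect_probe(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Step 5 (services): read whatever the service volunteers on connect.
    SSH, SMTP and FTP announce themselves; HTTP would need a request first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("utf-8", errors="replace").strip()
    except OSError:
        return ""


# Hypothetical minimal banner-prefix signature table, for illustration only.
SIGNATURES = (("SSH-", "ssh"), ("220 ", "smtp/ftp"), ("HTTP/", "http"), ("+OK", "pop3"))


def fingerprint_service(banner: str) -> str:
    for prefix, name in SIGNATURES:
        if banner.startswith(prefix):
            return name
    return "unknown"


def recon_host(host: str, ports) -> dict:
    """Steps 4 and 5 combined: open ports, each with its banner and guessed service."""
    report = {}
    for p in scan_ports(host, ports):
        banner = grab_banner(host, p)
        report[p] = {"banner": banner, "service": fingerprint_service(banner)}
    return report


if __name__ == "__main__":
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner
    try:
        for p, info in recon_host("127.0.0.1", range(port - 5, port + 6)).items():
            print(f"{p}/tcp open  {info['service']:8} {info['banner']}")
    finally:
        srv.close()
```

A connect() scan completes the handshake, so the service itself logs the connection; a SYN scan (what Nmap does by default when it has raw-socket privileges) stops one packet earlier and is quieter, but still visible to any sensor watching for half-open connections.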

Though reconnaissance is very useful to defenders, let’s not forget that high-profile cybercriminals use the same recon techniques to collect sensitive information about a target. So it is equally important to think from the attacker’s point of view: what kind of information would they try to gather during reconnaissance? Knowing that makes it easier for security teams to watch the right places.

Mostly, attackers seek information about:

  • File and share permissions
  • Operating system platforms and versions
  • Administrative data (account names, roles, contact details)
  • Running network services and their versions
  • Cloud and on-premise servers, and how they are exposed

So, continuously monitoring these entry points, and the traffic that probes them, helps detect recon early and mitigate a probable cyber attack.

Now, let’s understand the different reconnaissance techniques.

Two Types of Reconnaissance in Cybersecurity 

As MITRE ATT&CK puts it, reconnaissance consists of techniques that adversaries use to actively or passively gather information that can be used to support targeting. That gives us the two reconnaissance types.


Technique – 1: Active Reconnaissance

Active reconnaissance scans are executed to gather information that can be used during exploitation. In active scanning, the attacker probes the victim’s infrastructure by sending traffic directly to it: ping sweeps, port scans, service and version probes, vulnerability scans.

Depending on what type of information the adversary seeks, different forms of active scanning are performed.

In active recon, the goal is to send different types of requests to a computer and gather information about that device and other connected devices on the same network. It is used to find out information such as open ports, OS platforms, running services and their versions. The trade-off is visibility: because the requests reach the target, they appear in its logs and can be picked up by intrusion detection systems, so active recon is both the most informative and the most detectable kind.

Technique – 2: Passive Reconnaissance

Passive recon is a process where adversaries gather information about a target without directly interacting with it. They send no requests to the target’s systems. The target therefore sees no traffic from the attacker and has little or no way of knowing that information about it is being collected.

Generally, in this type of reconnaissance the adversaries gather information from public resources that already hold information about the target, a practice called Open Source Intelligence (OSINT). Through OSINT they collect information such as IP addresses, domain names, email addresses, employee names, hostnames, DNS records, and even the software that is running on a website (disclosed by response headers, page markup, certificate transparency logs and similar public sources).
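The collation side of passive recon, as an added example that is not part of the original article: it extracts in-scope hostnames, e-mail addresses and disclosed software from three kinds of public artefact. The inputs are constructed stand-ins (a crt.sh-style certificate transparency export, a fetched page, and its HTTP response headers for an invented example.com), nothing is fetched from the network, and the scope check deliberately rejects look-alike domains that a naive suffix match would accept.

```python
import json
import re

# Constructed sample inputs (not real data): a crt.sh-style JSON export for
# example.com, the HTML of its public site, and the HTTP response headers.
CT_LOG_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},   # suffix trap: not ours
])
PAGE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2">
<script src="/wp-content/themes/corp/app.js"></script>
</head><body>
<a href="mailto:it-helpdesk@example.com">Support</a>
<p>Contact jane.doe@example.com or press@example.com.</p>
<!-- TODO remove old host: staging.example.com -->
</body></html>"""
RESPONSE_HEADERS = {"Server": "Apache/2.4.57 (Ubuntu)", "X-Powered-By": "PHP/8.1.2"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex or a real subdomain. A plain endswith(domain)
    check would also accept look-alikes such as example.com.evil-lookalike.net
    or evil-example.com."""
    return name == domain or name.endswith("." + domain)


def ct_log_hosts(ct_json: str, domain: str) -> set:
    """Hostnames disclosed by issued certificates; one entry may list several
    names, newline-separated, and wildcards reveal the zone they cover."""
    hosts = set()
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if in_scope(name, domain):
                hosts.add(name)
    return hosts


def hostnames_in(text: str, domain: str) -> set:
    """Subdomains mentioned in page text, HTML comments, script paths and so on.
    The lookbehind stops the local part of an e-mail address from matching."""
    pattern = re.compile(
        r"(?<![\w@.-])((?:[a-z0-9-]+\.)+" + re.escape(domain) + r")(?![\w-])", re.I)
    return {m.lower() for m in pattern.findall(text)}


def emails_in(text: str, domain: str) -> set:
    return {m.lower() for m in EMAIL_RE.findall(text) if m.lower().endswith("@" + domain)}


def technology_from(headers: dict, html: str) -> list:
    """Software the server volunteers to any ordinary visitor: version strings
    in response headers, a generator meta tag, tell-tale paths."""
    found = [f"{h}: {headers[h]}" for h in ("Server", "X-Powered-By", "X-Generator") if h in headers]
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', html, re.I)
    if m:
        found.append(f"generator: {m.group(1)}")
    if "/wp-content/" in html:
        found.append("WordPress (wp-content path)")
    return found


def passive_profile(domain: str, ct_json: str, html: str, headers: dict) -> dict:
    return {
        "hosts": sorted(ct_log_hosts(ct_json, domain) | hostnames_in(html, domain)),
        "emails": sorted(emails_in(html, domain)),
        "technology": technology_from(headers, html),
    }


if __name__ == "__main__":
    print(json.dumps(passive_profile("example.com", CT_LOG_JSON, PAGE_HTML, RESPONSE_HEADERS), indent=2))
```

Every input here is something a target publishes anyway (certificates, its own web pages, the headers its server sends to every client), which is what makes this kind of collection invisible to the target. The defensive lesson is the mirror image: review what your certificates, pages and headers disclose.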

Common Reconnaissance Tools Used by Adversaries 

In both active and passive reconnaissance, adversaries use some standard information-gathering tools. Let’s have a look at them.

1. Tools Used in Active Reconnaissance

Here are some of the standard tools:

Nmap: Nmap is a free and open-source network mapper and port scanner. It can run ping sweeps to discover live hosts, scan known hosts to find which ports are open, identify the services and versions listening on those ports (-sV), guess the operating system of each machine (-O), and, through its scripting engine (NSE) with the right scripts, report known CVEs associated with the service versions it finds.
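Turning Nmap’s output into the network map of step 7, as an added example that is not part of the original article or of Nmap: Nmap’s -oX option writes the scan as XML, and this block parses that format into one record per live host and then lists what a reader of the map would look at first. The scan document is constructed for illustration (hosts, ports and OS matches are invented; 192.0.2.0/24 is a reserved documentation range), and the set of “remote administration” ports is a hypothetical shortlist.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's -oX output; everything in it is invented.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29" version="7.94">
<host><status state="up" reason="echo-reply"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <hostnames><hostname name="web.example.com" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" version="1.18.0"/></port>
    <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  </ports>
  <os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.0.2.11" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
      <service name="ms-wbt-server"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="192.0.2.12" addrtype="ipv4"/>
</host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> list:
    """Network map: one record per live host with its IP, reverse name, OS
    guess and open services. Down hosts and closed/filtered ports are dropped."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        ip = next(a.get("addr") for a in h.findall("address")
                  if a.get("addrtype") in ("ipv4", "ipv6"))
        name = h.find("hostnames/hostname")
        osm = h.find("os/osmatch")          # nmap lists the best match first
        services = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")         # absent when -sV could not identify it
            services.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({
            "ip": ip,
            "hostname": name.get("name") if name is not None else None,
            "os": osm.get("name") if osm is not None else None,
            "os_accuracy": int(osm.get("accuracy")) if osm is not None else None,
            "services": sorted(services, key=lambda s: s["port"]),
        })
    return hosts


# Hypothetical shortlist of remote-administration ports worth flagging first.
REMOTE_ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 5985: "winrm"}


def exposure_findings(network_map: list) -> list:
    """What attacker and defender alike read off the map first: exposed
    remote-administration services, and versioned products to check against
    vulnerability advisories."""
    findings = []
    for host in network_map:
        for s in host["services"]:
            if s["port"] in REMOTE_ADMIN_PORTS:
                findings.append(f"{host['ip']}: {REMOTE_ADMIN_PORTS[s['port']]} exposed on {s['port']}/{s['proto']}")
            if s["product"] and s["version"]:
                findings.append(f"{host['ip']}: {s['product']} {s['version']} on {s['port']}/{s['proto']} (check advisories)")
    return findings


if __name__ == "__main__":
    net = parse_nmap_xml(NMAP_XML)
    for host in net:
        print(host["ip"], host["hostname"] or "-", host["os"] or "?")
        for s in host["services"]:
            print(f"   {s['port']}/{s['proto']} {s['name']} {s['product'] or ''} {s['version'] or ''}".rstrip())
    print("\n".join(exposure_findings(net)))
```

The same parser serves the defender: run it over your own scheduled scans, diff the map against the last run, and a new open port or a new host is a finding before any attacker gets to it.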

Nessus: Nessus is a commercial vulnerability scanner. It analyses hosts and compiles an orderly report of every vulnerable program it finds. Although, unlike Nmap, it is not free, it is widely used in the industry and offers extremely detailed reports.

Nikto: Nikto is a free command-line tool that scans web servers for known problems: potentially dangerous files and CGIs, out-of-date server software, and other common misconfigurations.

Metasploit: The main purpose of Metasploit is as an exploitation framework. Its exploit modules carry ready-made exploits for a large number of vulnerabilities, which gives even inexperienced attackers a gateway into a variety of susceptible machines.

Despite being built as an exploitation framework, Metasploit can also be used for reconnaissance. Its auxiliary scanner modules (port scanners and SMB, SSH, HTTP and other version probes) let an attacker enumerate hosts and services, and scan results can be imported into its database so that matching exploit modules are easy to pick out. The old db_autopwn feature, which threw every matching exploit at a target automatically, is no longer shipped with the framework and was the opposite of covert; with more focused use of the scanner modules, an attacker can keep reconnaissance much quieter.

2. Tools Used in Passive Reconnaissance

Here are some common tools,

Wireshark: Although Wireshark is best known as a network traffic analyser, it is also useful for passive network surveillance. Once an adversary has gained access to a company’s Wi-Fi network, or can otherwise eavesdrop on employee network traffic, Wireshark lets them read that traffic and learn hosts, protocols, credentials sent in clear text and other important details about the network without sending a single packet. Note that the sniffing itself is passive, but getting into a position to sniff usually is not.

Shodan: Shodan is a very popular search engine for internet-facing devices, IoT devices included. Because Shodan does the scanning and the attacker only queries its index, consulting it is passive from the target’s point of view. It provides details such as open ports, service banners, hostnames, ISPs, countries, SSL/TLS certificate details and cipher suites, and possible vulnerabilities.

OS fingerprinting: OS fingerprinting identifies a remote computer’s operating system. It comes in an active form (Nmap’s -O sends crafted probes and compares the responses against a signature database) and a passive form (tools such as p0f infer the OS from the TCP/IP characteristics of traffic the host sends anyway). OS fingerprinting is a staple of cyber reconnaissance because the majority of exploitable vulnerabilities are operating-system specific.

Google: In Google, Bing and other search engines, carefully chosen search operators (site:, filetype:, intitle:, inurl:) can turn up data such as usernames, passwords, hidden web pages, exposed files, document metadata and more. People frequently use the Google Hacking Database (GHDB), a free, community-maintained collection of search queries hosted by Exploit-DB, that are known to surface such information.


Reconnaissance in cybersecurity plays an important role in gathering information about an intended target, and what it finds determines what happens in every later stage of the kill chain. Although attackers use it to find what to exploit, security teams can use the same methods, through penetration testing, to find their own security gaps first, and can watch for recon traffic to catch an attack before it gets past its first stage.
