project: unknownMission Request
← Back to Insights
Insights7 min read

Active Information Gathering (Reconnaissance)

Introduction

Active Information Gathering, also known as Active Reconnaissance, is the phase of a penetration test where we directly interact with the target system to collect information. Unlike passive reconnaissance, which relies on third-party data and open-source intelligence, active reconnaissance involves sending traffic directly to the target infrastructure.

At this stage, the tester should already have a general idea of the target’s technology stack. From passive reconnaissance or initial discovery, you may already suspect:

  • A web framework (Apache, Nginx, IIS)
  • A backend language (PHP, ASP.NET, Java)
  • An operating system family (Linux, Windows)
  • The presence of common services (SMB, SSH, FTP)

Active reconnaissance is where those assumptions are confirmed, refined, and expanded. The goal is no longer to guess the framework, but to enumerate exact versions, configurations, and exposed functionality, allowing you to later identify specific, real-world exploits.

Because active reconnaissance directly touches the target, it is detectable, logged, and often filtered by security controls. Despite this, it is a mandatory phase, as exploitation decisions depend entirely on the accuracy of this information.

Why Active Reconnaissance Matters

Active reconnaissance transforms high-level assumptions into actionable intelligence.

During this phase, we aim to:

  • Confirm technologies identified earlier
  • Enumerate precise software versions
  • Identify enabled modules and features
  • Detect misconfigurations
  • Identify security controls such as WAFs and IDS
  • Map services to known vulnerabilities and exploits

A critical concept to understand is:

Enumeration is service-dependent. The port you discover determines the enumeration approach, and the enumeration results determine the exploit path.

Host Discovery

Before deep enumeration, we verify which hosts are reachable.

bashping -c 5 target

If ICMP is blocked:

bashnmap -Pn -PS80,443 target
basharp-scan 10.11.1.0/24

Host discovery also provides early insight into firewall and filtering behavior, which affects later scanning techniques.

Network Mapping and Route Analysis

Traceroute

bashtraceroute target
bashtraceroute -T -p 80 target

Traceroute helps identify:

  • Network boundaries
  • Perimeter filtering
  • Load balancers and CDNs
  • Possible WAF or proxy placement

DNS Enumeration

DNS enumeration often validates assumptions made earlier.

bashhost target.com
bashhost -t mx target.com
bashhost -t txt target.com
bashdig target.com ANY
bashdig target.com NS

Zone transfers:

bashdig @ns1.target.com target.com AXFR

Active subdomain enumeration:

bashdnsrecon -d target.com -t brt
bashamass enum -active -d target.com

Port Scanning

Port scanning defines the exposed attack surface.

bashnmap -sS -p- --open -T4 target
bashnmap -sU -p- -T3 target

At this stage, recognizable patterns emerge:

  • Web services
  • File sharing services
  • Remote administration services
  • Databases

These patterns determine how enumeration proceeds next.

Fragmented Packets and IDS/WAF Detection

Fragmented packets can be used to:

  • Test firewall and IDS behavior
  • Bypass poorly configured security devices
  • Identify packet inspection limitations
bashnmap -f target
bashnmap --mtu 24 target

Observing differences between fragmented and non-fragmented scans can reveal:

  • Deep packet inspection
  • Inline security devices
  • IDS/IPS normalization behavior

This technique is not about stealth alone — it is about understanding defensive controls in place.

WAF Detection

Before aggressive web enumeration, it is important to identify whether a Web Application Firewall is present.

bashwafw00f http://target

Indicators of a WAF include:

  • Modified HTTP responses
  • Block pages
  • CAPTCHA challenges
  • Inconsistent status codes

Identifying a WAF early influences:

  • Payload design
  • Fuzzing strategy
  • Exploit reliability

Service Enumeration: Port Dictates Approach

Once open ports are identified, enumeration becomes highly targeted.

The same enumeration techniques do not apply across different services. Each port requires its own methodology.

Active reconnaissance is where you move from “this looks like Apache” to “this is Apache 2.4.49 with mod_cgi enabled.”

Web Services Enumeration (80, 443, 8080, 8000)

By this stage, you should already have a rough idea of the web stack. The focus now is version enumeration and application behavior.

Header and Technology Identification

bashcurl -I http://target
bashwhatweb http://target

Wappalyzer

Wappalyzer helps identify:

  • Frontend frameworks
  • JavaScript libraries
  • Analytics platforms
  • CMS platforms

This information often narrows exploit research significantly.

Directory and File Enumeration

bashgobuster dir -u http://target -w common.txt
bashffuf -u http://target/FUZZ -w wordlist.txt

Virtual Host Enumeration

bashgobuster vhost -u http://target -w subdomains.txt

Burp Suite: Inspecting Requests and Responses

Burp Suite is essential during active reconnaissance for manual inspection.

Using Burp, you can analyze:

  • HTTP request and response headers
  • Cookies and session tokens
  • Server response patterns
  • Redirect logic

Common information leaks include:

  • Server version headers
  • Framework identifiers
  • Debug parameters
  • Internal paths

JavaScript Enumeration

JavaScript files often leak:

  • API endpoints
  • Hardcoded URLs
  • Framework versions
  • Feature flags

Using Burp or browser dev tools, enumerate:

  • Loaded JS files
  • Inline scripts
  • Source maps (.map files)

This information frequently leads to hidden functionality or attack paths.

Metadata Analysis (Exiftool)

Web application assets like images, documents (PDFs), and other media files often contain hidden metadata (EXIF data). This metadata can leak sensitive information that is not visible on the surface.

Using a tool like Exiftool, an investigator can inspect these files to find:

  • Software versions used to create the files (e.g., Adobe Photoshop, Microsoft Word)
  • Usernames or author names
  • Internal network paths
  • Geolocation data (GPS coordinates) from photos
  • Email addresses
bashexiftool example-image.jpg

Scraping and analyzing all downloadable assets from a target website can reveal technology stacks, employee names, and other intelligence useful for social engineering or identifying further vulnerabilities.

SMB Enumeration (445)

bashsmbclient -L //target -N
bashenum4linux target
bashnmap --script smb-os-discovery target

SMB enumeration confirms:

  • OS version
  • Domain details
  • Share permissions

FTP Enumeration (21)

bashnmap --script ftp-anon target
bashftp target

SSH Enumeration (22)

bashnmap --script ssh2-enum-algos target
bashnmap --script ssh-hostkey target

SNMP Enumeration (161 UDP)

bashsnmpwalk -v2c -c public target
bashnmap --script snmp-info target

Banner Grabbing

Manual banner grabbing often reveals details missed by automation.

bashnc target 80
bashnc target 21
bashtelnet target 25
bashopenssl s_client -connect target:443

Nmap Scripting Engine (NSE)

Scripts should be selected based on service context.

bashnmap -sC -sV target
bashnmap --script vuln target

From Enumeration to Exploitation

Active reconnaissance ends when you can confidently answer:

  • What service is running?
  • What exact version is it?
  • What protections are in place?
  • What exploits realistically apply?

This is where framework identification becomes exploit research.

Key Takeaways

  • Active reconnaissance assumes initial technology awareness
  • Enumeration focuses on versions and configurations
  • Each port requires a different enumeration strategy
  • WAFs and IDS must be identified early
  • Web inspection and JavaScript analysis are critical
  • Enumeration results directly dictate exploit selection

Conclusion

Active Information Gathering Reconnaissance is where penetration testing becomes precise and intentional. By confirming technologies, enumerating exact versions, detecting defensive controls, and analyzing application behavior, testers eliminate guesswork and build reliable attack paths.

Effective exploitation starts with high-quality enumeration, and high-quality enumeration begins with disciplined active reconnaissance.

Remember, there are many more methods and tools for active reconnaissance; this post serves as a foundational baseline.