Active Information Gathering (Reconnaissance)
Introduction
Active Information Gathering, also known as Active Reconnaissance, is the phase of a penetration test where we directly interact with the target system to collect information. Unlike passive reconnaissance, which relies on third-party data and open-source intelligence, active reconnaissance involves sending traffic directly to the target infrastructure.
At this stage, the tester should already have a general idea of the target’s technology stack. From passive reconnaissance or initial discovery, you may already suspect:
- A web framework (Apache, Nginx, IIS)
- A backend language (PHP, ASP.NET, Java)
- An operating system family (Linux, Windows)
- The presence of common services (SMB, SSH, FTP)
Active reconnaissance is where those assumptions are confirmed, refined, and expanded. The goal is no longer to guess the framework, but to enumerate exact versions, configurations, and exposed functionality, allowing you to later identify specific, real-world exploits.
Because active reconnaissance directly touches the target, it is detectable, logged, and often filtered by security controls. Despite this, it is a mandatory phase, as exploitation decisions depend entirely on the accuracy of this information.
Why Active Reconnaissance Matters
Active reconnaissance transforms high-level assumptions into actionable intelligence.
During this phase, we aim to:
- Confirm technologies identified earlier
- Enumerate precise software versions
- Identify enabled modules and features
- Detect misconfigurations
- Identify security controls such as WAFs and IDS
- Map services to known vulnerabilities and exploits
A critical concept to understand is:
Enumeration is service-dependent. The port you discover determines the enumeration approach, and the enumeration results determine the exploit path.
Host Discovery
Before deep enumeration, we verify which hosts are reachable.
ping -c 5 target
If ICMP is blocked:
nmap -Pn -PS80,443 target
arp-scan 10.11.1.0/24
Host discovery also provides early insight into firewall and filtering behavior, which affects later scanning techniques.
Network Mapping and Route Analysis
Traceroute
traceroute target
traceroute -T -p 80 target
Traceroute helps identify:
- Network boundaries
- Perimeter filtering
- Load balancers and CDNs
- Possible WAF or proxy placement
DNS Enumeration
DNS enumeration often validates assumptions made earlier.
host target.com
host -t mx target.com
host -t txt target.com
dig target.com ANY
dig target.com NS
Zone transfers:
dig @ns1.target.com target.com AXFR
Active subdomain enumeration:
dnsrecon -d target.com -t brt
amass enum -active -d target.com
Port Scanning
Port scanning defines the exposed attack surface.
nmap -sS -p- --open -T4 target
nmap -sU -p- -T3 target
At this stage, recognizable patterns emerge:
- Web services
- File sharing services
- Remote administration services
- Databases
These patterns determine how enumeration proceeds next.
Fragmented Packets and IDS/WAF Detection
Fragmented packets can be used to:
- Test firewall and IDS behavior
- Bypass poorly configured security devices
- Identify packet inspection limitations
nmap -f target
nmap --mtu 24 target
Observing differences between fragmented and non-fragmented scans can reveal:
- Deep packet inspection
- Inline security devices
- IDS/IPS normalization behavior
This technique is not about stealth alone — it is about understanding defensive controls in place.
WAF Detection
Before aggressive web enumeration, it is important to identify whether a Web Application Firewall is present.
wafw00f http://target
Indicators of a WAF include:
- Modified HTTP responses
- Block pages
- CAPTCHA challenges
- Inconsistent status codes
Identifying a WAF early influences:
- Payload design
- Fuzzing strategy
- Exploit reliability
Service Enumeration: Port Dictates Approach
Once open ports are identified, enumeration becomes highly targeted.
The same enumeration techniques do not apply across different services. Each port requires its own methodology.
Active reconnaissance is where you move from “this looks like Apache” to “this is Apache 2.4.49 with mod_cgi enabled.”
Web Services Enumeration (80, 443, 8080, 8000)
By this stage, you should already have a rough idea of the web stack. The focus now is version enumeration and application behavior.
Header and Technology Identification
curl -I http://target
whatweb http://target
Wappalyzer
Wappalyzer helps identify:
- Frontend frameworks
- JavaScript libraries
- Analytics platforms
- CMS platforms
This information often narrows exploit research significantly.
Directory and File Enumeration
gobuster dir -u http://target -w common.txt
ffuf -u http://target/FUZZ -w wordlist.txt
Virtual Host Enumeration
gobuster vhost -u http://target -w subdomains.txt
Burp Suite: Inspecting Requests and Responses
Burp Suite is essential during active reconnaissance for manual inspection.
Using Burp, you can analyze:
- HTTP request and response headers
- Cookies and session tokens
- Server response patterns
- Redirect logic
Common information leaks include:
- Server version headers
- Framework identifiers
- Debug parameters
- Internal paths
JavaScript Enumeration
JavaScript files often leak:
- API endpoints
- Hardcoded URLs
- Framework versions
- Feature flags
Using Burp or browser dev tools, enumerate:
- Loaded JS files
- Inline scripts
- Source maps (.map files)
This information frequently leads to hidden functionality or attack paths.
Metadata Analysis (Exiftool)
Web application assets like images, documents (PDFs), and other media files often contain hidden metadata (EXIF data). This metadata can leak sensitive information that is not visible on the surface.
Using a tool like Exiftool, an investigator can inspect these files to find:
- Software versions used to create the files (e.g., Adobe Photoshop, Microsoft Word)
- Usernames or author names
- Internal network paths
- Geolocation data (GPS coordinates) from photos
- Email addresses
exiftool example-image.jpg
Scraping and analyzing all downloadable assets from a target website can reveal technology stacks, employee names, and other intelligence useful for social engineering or identifying further vulnerabilities.
SMB Enumeration (445)
smbclient -L //target -N
enum4linux target
nmap --script smb-os-discovery target
SMB enumeration confirms:
- OS version
- Domain details
- Share permissions
FTP Enumeration (21)
nmap --script ftp-anon target
ftp target
SSH Enumeration (22)
nmap --script ssh2-enum-algos target
nmap --script ssh-hostkey target
SNMP Enumeration (161 UDP)
snmpwalk -v2c -c public target
nmap --script snmp-info target
Banner Grabbing
Manual banner grabbing often reveals details missed by automation.
nc target 80
nc target 21
telnet target 25
openssl s_client -connect target:443
Nmap Scripting Engine (NSE)
Scripts should be selected based on service context.
nmap -sC -sV target
nmap --script vuln target
From Enumeration to Exploitation
Active reconnaissance ends when you can confidently answer:
- What service is running?
- What exact version is it?
- What protections are in place?
- What exploits realistically apply?
This is where framework identification becomes exploit research.
Key Takeaways
- Active reconnaissance assumes initial technology awareness
- Enumeration focuses on versions and configurations
- Each port requires a different enumeration strategy
- WAFs and IDS must be identified early
- Web inspection and JavaScript analysis are critical
- Enumeration results directly dictate exploit selection
Conclusion
Active Information Gathering Reconnaissance is where penetration testing becomes precise and intentional. By confirming technologies, enumerating exact versions, detecting defensive controls, and analyzing application behavior, testers eliminate guesswork and build reliable attack paths.
Effective exploitation starts with high-quality enumeration, and high-quality enumeration begins with disciplined active reconnaissance.
Remember, there are many more methods and tools for active reconnaissance; this post serves as a foundational baseline.