This chapter covers reconnaissance attack types, a critical topic for CompTIA Network+ N10-009 exam objective 4.1 (Security Threats). Reconnaissance is the first phase of any cyberattack, where attackers gather information to identify vulnerabilities. Expect 5–10% of exam questions to touch on reconnaissance methods, including passive vs. active techniques, footprinting, scanning, enumeration, and the tools used. Understanding these helps you detect and prevent attacks before they escalate.
Jump to a section
Reconnaissance attacks are like burglars casing a neighborhood before a break-in. First, the burglar drives through the area (passive reconnaissance) to note which houses have security cameras, dogs, or lights on timers—without touching anything. They might look up public property records (whois, DNS) to find the owner's name and phone number. Then, they do active reconnaissance: they walk up to a house and check if the door is unlocked (port scan), peer through windows (service enumeration), or try a key from a previous job (vulnerability scan). Each action risks alerting the homeowner (IDS/IPS). If they find an open window, they note it for later. A smart burglar never leaves fingerprints—they use tools that minimize noise (stealth scans) and cover their tracks (log clearing). The goal is a complete map of the house's weaknesses before attempting entry. In networking, the attacker maps open ports, running services, OS types, and potential vulnerabilities to plan the actual exploit. Like a burglar, they want to know: what's here, what's vulnerable, and how to get in without being detected.
What is Reconnaissance?
Reconnaissance (recon) is the information-gathering phase of an attack. Attackers collect data about target networks, systems, and services to plan further actions. The N10-009 exam distinguishes between passive and active reconnaissance.
Passive reconnaissance: Gathering info without directly interacting with the target. Examples: whois lookups, DNS queries, social media scanning, Google dorking. These are hard to detect.
Active reconnaissance: Interacting with the target, e.g., port scans, ping sweeps, vulnerability scans. These can be logged and detected by IDS/IPS.
Why Reconnaissance Matters for N10-009
The exam tests your ability to identify recon techniques and recommend mitigations. You must know common tools like Nmap, Netcat, and Wireshark. Key objective: 4.1 – Given a scenario, apply network security features, defense, and countermeasures.
Footprinting
Footprinting is the initial passive recon. Attackers collect:
Domain names (whois)
IP address ranges (ARIN lookups)
DNS records (nslookup, dig)
Employee info (LinkedIn, company website)
Technology stack (Wappalyzer, BuiltWith)
Example whois command:
whois example.comThis reveals registrar, name servers, and contact info. Attackers use this to find organizational structure and potential social engineering targets.
Scanning
Scanning is active recon to discover live hosts, open ports, and services. Tools: Nmap, Masscan, Unicornscan.
Nmap common scans: - TCP SYN scan (-sS): Half-open scan, stealthy. Sends SYN, waits for SYN-ACK, then RST. Default scan type. - TCP connect scan (-sT): Full three-way handshake. Noisy but works without raw socket privileges. - UDP scan (-sU): Slow, sends UDP packets to ports. Open ports may not respond; closed ports send ICMP Port Unreachable. - Ping sweep (-sn): ICMP echo requests to find live hosts.
Example Nmap command:
nmap -sS -p 1-1024 192.168.1.0/24This performs a SYN scan of the first 1024 ports on all hosts in the subnet.
Enumeration
After finding open ports, attackers enumerate services to extract details like version, OS, and user accounts.
- Banner grabbing: Using Netcat or telnet to connect to a service and read its banner.
nc -v 192.168.1.10 80
GET / HTTP/1.0- Service version detection: Nmap -sV flag.
nmap -sV -p 80 192.168.1.10- OS fingerprinting: Nmap -O flag uses TCP/IP stack behavior to guess OS.
nmap -O 192.168.1.10Vulnerability Scanning
Automated tools like Nessus, OpenVAS, or Qualys scan for known vulnerabilities. They compare service versions against CVE databases. N10-009 expects you to know that vulnerability scans are active recon and can disrupt services.
Social Engineering Recon
Attackers gather info via phishing calls, pretexting, or dumpster diving. Exam scenario: An attacker calls the help desk pretending to be an employee to reset a password.
Tools and Commands for N10-009
Memorize these commands and their functions: - nslookup: DNS lookup tool.
nslookup example.com- dig: Advanced DNS interrogation.
dig example.com ANY- traceroute / tracert: Maps network path.
traceroute 8.8.8.8- hping3: Custom packet crafting for stealth scans.
hping3 -S -p 80 192.168.1.10- netstat: Shows listening ports on local machine (useful for defense).
netstat -anDetection and Mitigation
IDS/IPS: Snort, Suricata can detect port scans (e.g., many SYN packets from same IP).
Firewall rules: Limit ICMP, block unused ports.
Port knocking: Hide services until correct sequence of connection attempts.
Honeypots: Decoy systems to lure attackers.
Log monitoring: Review logs for repeated failed connections.
Exam Tips
Active recon is detectable; passive is not.
Nmap SYN scan (-sS) is default and stealthy.
UDP scans are unreliable because services may not respond.
Vulnerability scans are active and can cause crashes.
Social engineering is often overlooked but tested.
Step-by-Step Reconnaissance Process
Footprinting (Passive): Gather public info via whois, DNS, social media.
Scanning (Active): Identify live hosts, open ports using ping sweeps and port scans.
Enumeration (Active): Extract service banners, OS, user lists.
Vulnerability Mapping: Match services to known vulnerabilities.
Exploitation Planning: Choose attack vector based on gathered data.
Footprinting – Passive Info Gathering
The attacker collects publicly available information without touching the target's network. They query WHOIS databases for domain registration details, perform DNS zone transfers (if misconfigured) to get all hostnames, and use search engines like Google dorking (e.g., 'site:example.com filetype:pdf'). They also scrape social media and job postings for employee names and tech stacks. At this stage, no packets are sent to the target's infrastructure, so no logs are generated. The attacker builds a profile of the organization's digital footprint.
Scanning – Discovering Live Hosts and Open Ports
The attacker sends packets to the target network to identify live hosts and open ports. Common techniques: ICMP ping sweep (e.g., 'ping 192.168.1.1-254') to find responsive hosts, then TCP SYN scan on each live host. A SYN scan sends a SYN packet; if a SYN-ACK returns, the port is open. The attacker then sends an RST to tear down the connection, leaving no complete handshake in logs. Tools like Nmap automate this. The attacker notes open ports (e.g., 80, 443, 22) for further enumeration. This activity can be detected by IDS if thresholds are exceeded (e.g., 100 SYN packets in 5 seconds).
Service Enumeration – Extracting Version Info
Once open ports are identified, the attacker probes them to determine the running service and version. Using Nmap's -sV flag or manual banner grabbing with Netcat, they connect to the port and read the banner (e.g., 'Apache/2.4.41 (Ubuntu)'). They also perform OS fingerprinting using TCP/IP stack quirks (e.g., TTL, window size). This information helps the attacker find known vulnerabilities for that specific version. For example, Apache 2.4.41 has a known path traversal vulnerability (CVE-2021-41773). Enumeration is noisier and more likely to be logged.
Vulnerability Scanning – Automated Checks
The attacker runs automated vulnerability scanners like Nessus or OpenVAS against the target. These tools cross-reference service versions with a database of known vulnerabilities (CVE/NVD). They may also attempt safe exploit checks (e.g., sending a malformed HTTP request to test for SQL injection). Vulnerability scans can be aggressive and may cause services to crash if the scanner sends unexpected payloads. The output is a list of vulnerabilities with severity ratings. The attacker prioritizes critical and high-severity issues for exploitation.
Exploitation Planning – Choosing the Attack Vector
Based on gathered data, the attacker selects the most promising vulnerability to exploit. They consider factors: ease of exploitation, impact, and likelihood of detection. For example, an unpatched Apache server with a remote code execution vulnerability is a prime target. The attacker prepares exploit code, sets up a listener, and chooses timing (e.g., during off-peak hours). They may also use the gathered social engineering info to craft a phishing email that delivers the exploit. This step transitions from reconnaissance to actual attack.
Enterprise Scenario 1: Reconnaissance Leading to Data Breach
A financial institution's external IP range was scanned by an attacker using Nmap. The attacker found an open SSH port (22) on a jump server. Enumeration revealed OpenSSH 7.2, which had a known vulnerability (CVE-2016-6210) that allowed user enumeration. The attacker brute-forced credentials for a valid user and gained shell access. From there, they pivoted to internal databases. Mitigation: The company should have blocked SSH from the internet, used a VPN, and applied patches. Post-incident, they implemented an IDS with custom rules to detect port scans (e.g., more than 50 SYN packets from a single IP in 10 seconds).
Enterprise Scenario 2: Social Engineering Recon in a Healthcare Network
Attackers called the help desk pretending to be a new IT employee, asking for the VPN server address and a temporary password. The help desk provided it without verification. The attacker used the VPN to access internal systems and performed active recon (nmap scan of internal subnet). They found a legacy Windows 7 machine with EternalBlue vulnerability (MS17-010). They deployed ransomware, encrypting patient records. Mitigation: Implement strict identity verification for password resets, disable legacy protocols, and segment networks so VPN access is limited.
Enterprise Scenario 3: Cloud Environment Recon
A company moved to AWS but left an S3 bucket misconfigured (public read). An attacker used Google dorking ('site:s3.amazonaws.com companyname') to find the bucket. They listed objects and downloaded a config file with database credentials. They then scanned the public IP of the RDS instance (found via DNS) and exploited a weak password. Mitigation: Use S3 bucket policies to block public access, enable CloudTrail logging, and use AWS Config rules to detect misconfigurations. Reconnaissance in the cloud often targets misconfigured storage and exposed APIs.
Performance Considerations
Scanning large subnets (e.g., /16) with full port scans can take hours. Attackers use tools like Masscan that can scan the entire internet in minutes by sending packets in parallel. Defenders must monitor for sudden spikes in connection attempts. Rate limiting and blacklisting IPs after threshold can slow attackers.
What N10-009 Tests
Objective 4.1: 'Given a scenario, apply network security features, defense, and countermeasures.' Reconnaissance attack types are a subset. Expect scenario-based questions where you identify the recon phase (e.g., 'An attacker queries WHOIS and uses nslookup. What phase?'), tools, and mitigations.
Common Wrong Answers
'Ping sweep is passive recon' – Wrong. Ping sweep sends ICMP echo requests, which is active. Passive recon includes WHOIS, DNS lookups (non-recursive), and social media.
'Nmap SYN scan completes the three-way handshake' – Wrong. SYN scan sends SYN, receives SYN-ACK, then sends RST. It never completes the handshake. Only TCP connect scan (-sT) completes it.
'Vulnerability scanning is passive' – Wrong. Vulnerability scans send probes to services, making them active. They may even crash services.
'Reconnaissance is always detectable' – Wrong. Passive recon leaves no trace. Active recon is detectable but can be stealthy (slow scans, decoy IPs).
Specific Numbers and Values
Default Nmap scan: SYN scan (-sS)
Port range: 1-1024 (well-known ports)
ICMP types: Echo (type 8) and Echo Reply (type 0)
WHOIS query: port 43 TCP
DNS query: port 53 UDP/TCP
Netcat banner grab: 'nc -v <IP> <port>'
Edge Cases
UDP scanning: Services like DNS may not respond to empty UDP probes, so open ports may appear closed. Attackers use service-specific probes.
Firewalled hosts: A host may respond to pings but have all ports filtered. Nmap shows 'filtered' for ports that don't respond.
Stealth scans: Using fragmented packets, decoy IPs, or timing options (e.g., Nmap -T paranoid) to evade detection.
How to Eliminate Wrong Answers
If the scenario mentions 'no packets sent to target', it's passive.
If the scenario includes 'SYN, SYN-ACK, RST', it's active SYN scan.
If the scenario says 'help desk call', it's social engineering recon.
Always match the tool to the phase: whois = footprinting, nmap = scanning, nessus = vulnerability scanning.
Reconnaissance is the first phase of an attack, divided into passive (undetectable) and active (detectable) methods.
Passive recon includes WHOIS, DNS lookups, social media scraping; no packets sent to target.
Active recon includes ping sweeps, port scans (Nmap SYN scan default), service enumeration, and vulnerability scans.
Nmap SYN scan (-sS) sends SYN, receives SYN-ACK, then RST; never completes handshake.
UDP scanning is unreliable because open services may not respond; ICMP Port Unreachable indicates closed ports.
Vulnerability scanners (Nessus, OpenVAS) are active and can crash services.
Mitigations: firewalls block unused ports, IDS/IPS detect scan patterns, rate limiting, and port knocking.
Social engineering (e.g., calling help desk) is a common recon tactic tested on the exam.
These come up on the exam all the time. Here's how to tell them apart.
Passive Reconnaissance
No packets sent to target; uses public sources
Undetectable by target systems
Examples: whois, DNS queries, Google dorking
Legal grey area (public info)
Gathers basic footprint: domain, IP range, employees
Active Reconnaissance
Sends packets directly to target
Detectable by IDS/IPS and logs
Examples: ping sweep, port scan, vulnerability scan
Often illegal without permission
Gathers detailed info: open ports, services, OS
Mistake
Reconnaissance is only about port scanning.
Correct
Reconnaissance includes passive techniques like WHOIS, DNS lookups, and social engineering. Port scanning is just one active technique.
Mistake
A ping sweep (ICMP echo) is a passive recon method.
Correct
Ping sweep sends ICMP packets to the target, making it active. Passive recon does not send any data to the target.
Mistake
Nmap's default scan completes the full TCP handshake.
Correct
Nmap's default SYN scan (-sS) sends SYN, receives SYN-ACK, then sends RST. It does not complete the handshake. Only -sT (connect scan) completes it.
Mistake
Vulnerability scanning is always safe and never disrupts services.
Correct
Vulnerability scanners send aggressive probes that can crash services, especially if they trigger buffer overflows or resource exhaustion.
Mistake
UDP scans are as reliable as TCP scans.
Correct
UDP is connectionless; open ports may not respond to empty probes, while closed ports send ICMP Port Unreachable. This makes UDP scanning slow and unreliable.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Passive reconnaissance gathers information without directly interacting with the target, using public sources like WHOIS, DNS, and social media. It is undetectable. Active reconnaissance sends packets to the target (e.g., ping, port scan) and can be detected by IDS/IPS or firewalls. For the exam, remember: passive = no touch, active = direct interaction.
The default Nmap scan is SYN scan (-sS). It is stealthy because it never completes the TCP three-way handshake: it sends SYN, receives SYN-ACK (indicating open port), then sends RST to tear down. This avoids the full connection log that some services record. Many applications only log completed connections, so SYN scans may evade detection.
Use an IDS/IPS (e.g., Snort) with rules that detect port scans (e.g., many SYN packets from one IP in a short time). Monitor firewall logs for repeated connection attempts to closed ports. Implement rate limiting to slow down scanners. Honeypots can lure attackers and alert administrators. Also, disable unnecessary services and block ICMP echo requests to reduce visibility.
Banner grabbing identifies the exact version of a service running on an open port (e.g., 'Apache/2.4.41'). Attackers use this to find known vulnerabilities for that version. Tools like Netcat or Nmap -sV perform banner grabbing. Defenders should disable or obfuscate banners to make reconnaissance harder.
No. Vulnerability scans send probes to services to check for vulnerabilities, which is active reconnaissance. They can cause service disruption. Passive reconnaissance never sends data to the target. The exam expects you to classify vulnerability scanning as active.
Social engineering recon involves manipulating people to reveal information. Examples: calling the help desk pretending to be an employee to get a password reset, or phishing for credentials. It is a passive technique from the network perspective (no packets), but it involves human interaction. The exam may present scenarios where an attacker gathers info via phone calls or emails.
Key commands: 'nslookup' and 'dig' for DNS queries; 'whois' for domain info; 'ping' for host discovery; 'traceroute' for path mapping; 'nmap' for port scanning; 'netstat' for checking local open ports; 'nc' (Netcat) for banner grabbing. Know the syntax and what each tool reveals.
You've just covered Reconnaissance Attack Types — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?