
passive reconnaissance

What is passive reconnaissance?

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. In active reconnaissance, in contrast, the attacker engages with the target system, typically conducting a port scan to find any open ports.

The term reconnaissance comes from its military use to describe an information-gathering mission. In computing and networking, both passive and active reconnaissance are sometimes referred to as passive attacks because the purpose is simply to obtain information, rather than to actively exploit the target. However, reconnaissance is commonly used when preparing for an attack against a target system.

Graphic showing 10 common attack vectors
With passive reconnaissance, cybercriminals attempt to gain information about targeted computers and networks without actively engaging those systems.

Why do cybercriminals do passive reconnaissance?

The main idea behind passive reconnaissance is to discover as much relevant information as possible about the target organization and its infrastructure without being detected. Cybercriminals attempt to achieve this in several ways:

  • Open source intelligence (OSINT). Would-be attackers gather information from publicly available sources, typically via the internet. Collected data can come from a wide range of sources and include specific details about the target organization and its employees, including email addresses, phone numbers, IP addresses, domain names, suppliers, deployed technologies, geographic locations and social networking accounts. Cybercriminals can find most of this data by using search engines such as Google or Bing, as well as tools such as theHarvester, a command-line utility that uses popular search engines to more easily retrieve OSINT data. In some cases, the information that hackers discover is highly sensitive, making their jobs much easier.
  • Environmental assessments. In conjunction with their OSINT searches, cybercriminals will look specifically for details about the target organization's operating environment. For example, they might try to discover what type of computers are being used, what operating systems are running, which software has been installed, an application's programming language and similar details about the organization's infrastructure and its configuration. To find this information, the cybercriminals often use a variety of tools. For example, they might use Wget to download files from a web server and then search those files for information about the environment, or they might use Netcraft, an internet security tool, to find specific details about a website such as IP addresses, domains or security certificate information. Hackers might also masquerade as authorized users to gain access to systems to learn more about the environment.
  • Network examination. Cybercriminals will also learn whatever they can about an organization's network and its internet connections. For example, they'll often search for Domain Name System (DNS) information such as IP delegation, domain ownership or DNS record content. A tool such as Netcraft can also be useful for this type of research, as can tools such as nslookup or whois. Cybercriminals might also eavesdrop on an organization's network traffic using Wireshark or another packet sniffer. This is sometimes done in conjunction with war driving, the process of locating and possibly exploiting connections to wireless local area networks. In addition, cybercriminals might use a tool such as Shodan to identify vulnerable devices connected to the internet whose IP addresses belong to the target organization.
  • Physical searches. Would-be hackers are not above performing physical searches to get at sensitive information. This might include digging through trash or looking for data stored on discarded computers or other devices. Any discarded item represents a potential inroad.

Both active and passive reconnaissance are also used by ethical hackers to carry out authorized attacks against a system to determine its vulnerabilities. These can then be addressed before the system falls prey to a real attack. Ethical reconnaissance is typically part of a larger penetration testing strategy that also incorporates steps such as network scanning and vulnerability assessment.

Graphic showing six steps in penetration testing
Penetration testing at a glance.

Cybercriminals use passive reconnaissance because they want to go unnoticed, and because it generates little or no traffic toward the target, it can be very difficult for the target organization to detect. The organization's best defense is to implement a layered protection strategy that includes comprehensive firewall protection and an intrusion prevention system (IPS). The firewall should permit only essential traffic and limit port exposure. The IPS should detect port scans in progress (the active phase that usually follows passive reconnaissance) and shut them down before hackers can gain a full map of the network. The organization should also conduct regular penetration testing and employ other security measures that protect against data leakage, since the less information that is publicly exposed, the less passive reconnaissance can collect.
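The paragraph above says an IPS should spot a port scan in progress. The script below is an added example of that detection logic, not code from the original article or from any IPS product: it parses constructed firewall log lines (the field names and sample addresses are assumptions, and the traffic is made up) and flags any source that touches an unusually large number of distinct destination ports on one host within a short sliding window.

```python
"""Port-scan detection over firewall log lines (added example).

Assumed (not from the article): a syslog-style firewall log whose lines carry
"action=", "src=", "dst=" and "dport=" fields. A source that reaches many
distinct destination ports on a single host inside a short time window is
reported as a probable port scan.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not real traffic).
# 203.0.113.5 sweeps ten ports in five seconds; 192.0.2.44 is normal use.
SAMPLE_LOG = """\
2023-02-10T09:00:01 action=deny src=203.0.113.5 dst=198.51.100.10 dport=21
2023-02-10T09:00:01 action=deny src=203.0.113.5 dst=198.51.100.10 dport=22
2023-02-10T09:00:02 action=deny src=203.0.113.5 dst=198.51.100.10 dport=23
2023-02-10T09:00:02 action=deny src=203.0.113.5 dst=198.51.100.10 dport=25
2023-02-10T09:00:03 action=allow src=203.0.113.5 dst=198.51.100.10 dport=80
2023-02-10T09:00:03 action=deny src=203.0.113.5 dst=198.51.100.10 dport=110
2023-02-10T09:00:04 action=deny src=203.0.113.5 dst=198.51.100.10 dport=143
2023-02-10T09:00:04 action=allow src=203.0.113.5 dst=198.51.100.10 dport=443
2023-02-10T09:00:05 action=deny src=203.0.113.5 dst=198.51.100.10 dport=3389
2023-02-10T09:00:05 action=deny src=203.0.113.5 dst=198.51.100.10 dport=8080
2023-02-10T09:00:06 action=allow src=192.0.2.44 dst=198.51.100.10 dport=443
2023-02-10T09:00:07 action=allow src=192.0.2.44 dst=198.51.100.10 dport=443
2023-02-10T09:05:00 action=deny src=192.0.2.44 dst=198.51.100.10 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {(src, dst): [ports]} for every source/destination pair where the
    source touched at least `threshold` distinct ports within any `window`.

    Both allowed and denied hits are counted: a scan of open ports shows up as
    a burst of allows, and only counting denies would miss it.
    """
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        port_counts = defaultdict(int)  # ports currently inside the window
        left = 0
        for ts, port in evs:
            port_counts[port] += 1
            # Slide the window: drop events older than ts - window.
            while evs[left][0] < ts - window:
                old_port = evs[left][1]
                port_counts[old_port] -= 1
                if port_counts[old_port] == 0:
                    del port_counts[old_port]
                left += 1
            if len(port_counts) >= threshold:
                findings.setdefault(key, set()).update(port_counts)
    return {key: sorted(ports) for key, ports in findings.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"probable port scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The window and threshold are tuning knobs: a slow scan spread over hours stays under a 60-second window, so a production detector would keep a longer-lived per-source state or correlate across firewall, IPS and flow records rather than relying on one short window.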


This was last updated in February 2023
