
Reconnaissance


(also recon)

Reconnaissance definition

Reconnaissance in cybersecurity refers to gathering information about a target network or system before planning and executing a cyberattack. This data may include the system’s architecture, software versions, security measures, and information about the system or network users. Reconnaissance is typically the first step in a cyberattack because it allows an attacker to detect vulnerabilities they can target.

See also: active attack

How reconnaissance works

  1. The attacker identifies a target (e.g., a specific organization, network, or system).
  2. The attacker begins to collect information about the target. This step may involve scanning for open ports, searching online resources, and analyzing network traffic.
  3. The attacker uses the information they gathered to identify security vulnerabilities. This stage may involve looking for outdated software versions or weak passwords.
  4. The information gathered helps the attacker plan the attack and choose the most suitable methods to exploit the detected vulnerabilities.
  5. The attacker executes the attack, attempting to access the target’s systems or steal sensitive data.

Common reconnaissance techniques

  • Port scanning. The attacker searches a network for open ports that could be used to gain access to systems. To prevent port scanning, organizations can use firewalls to block incoming traffic on unused ports and only allow traffic on the ports necessary for the organization's operations.
  • Network mapping. The attacker creates a map of a target network (e.g., the IP addresses, network topology, and connected devices). Organizations can prevent network mapping with tools that detect and block scans of their networks and systems.
  • DNS enumeration. The attacker gathers information about a target's domain name system (DNS) to identify subdomains, email servers, and other information that can be used in an attack. Organizations can implement DNS security measures (e.g., rate-limiting and encryption) to prevent DNS enumeration.
  • OS fingerprinting. The attacker analyzes network traffic to determine the target’s operating system (OS), which can be used to identify potential vulnerabilities. To prevent OS fingerprinting, companies can use tools that obfuscate their OS information or return false information when a fingerprinting attempt is made.
  • Social engineering. The attackers manipulate people (e.g., network users) into providing sensitive information that can be used in a cyberattack. Organizations can prevent social engineering by providing employee training on how to recognize and respond to phishing attacks.
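The port-scanning and network-mapping entries above say that organizations can use tools that detect scans of their networks. The following script is an added example of the simplest such detector, written for this page and not taken from any product: it reads firewall log lines and flags a source that touches many distinct destination ports on one host within a short time window, which is how a scanner behaves and how a normal client does not. The log format (`src=... dst=... dport=... action=...`), the sample addresses, the threshold and the window length are all constructed assumptions for the example.

```python
"""Detect port-scan reconnaissance in firewall logs (added example, not from the glossary).

Heuristic: a single source that touches many distinct destination ports on one
host within a short window is behaving like a port scanner, not like a client.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "key=value" firewall format.
# 203.0.113.7 sweeps 12 ports in about 20 s (fast scan); 192.0.2.15 is a normal
# web client; 198.51.100.77 probes one port every 90 s (slow scan).
SAMPLE_LOGS = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=198.51.100.10 dport=21 action=deny
2024-05-01T10:00:02 src=203.0.113.7 dst=198.51.100.10 dport=22 action=allow
2024-05-01T10:00:04 src=203.0.113.7 dst=198.51.100.10 dport=23 action=deny
2024-05-01T10:00:06 src=203.0.113.7 dst=198.51.100.10 dport=25 action=deny
2024-05-01T10:00:08 src=203.0.113.7 dst=198.51.100.10 dport=53 action=deny
2024-05-01T10:00:10 src=203.0.113.7 dst=198.51.100.10 dport=80 action=allow
2024-05-01T10:00:12 src=203.0.113.7 dst=198.51.100.10 dport=110 action=deny
2024-05-01T10:00:14 src=203.0.113.7 dst=198.51.100.10 dport=135 action=deny
2024-05-01T10:00:16 src=203.0.113.7 dst=198.51.100.10 dport=139 action=deny
2024-05-01T10:00:18 src=203.0.113.7 dst=198.51.100.10 dport=143 action=deny
2024-05-01T10:00:20 src=203.0.113.7 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:22 src=203.0.113.7 dst=198.51.100.10 dport=445 action=deny
2024-05-01T10:00:05 src=192.0.2.15 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:09 src=192.0.2.15 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:15 src=192.0.2.15 dst=198.51.100.10 dport=80 action=allow
2024-05-01T10:10:00 src=198.51.100.77 dst=198.51.100.10 dport=21 action=deny
2024-05-01T10:11:30 src=198.51.100.77 dst=198.51.100.10 dport=22 action=allow
2024-05-01T10:13:00 src=198.51.100.77 dst=198.51.100.10 dport=23 action=deny
2024-05-01T10:14:30 src=198.51.100.77 dst=198.51.100.10 dport=25 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Return one alert per (src, dst) pair whose peak count of distinct
    destination ports inside any window_seconds interval reaches threshold."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = []
    span = timedelta(seconds=window_seconds)
    for (src, dst), evs in sorted(events.items()):
        evs.sort()
        window = []  # events inside the current sliding window
        peak = 0
        for ts, port in evs:
            window.append((ts, port))
            while ts - window[0][0] > span:  # drop events older than the window
                window.pop(0)
            peak = max(peak, len({p for _, p in window}))
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "distinct_ports": peak,
                           "first_seen": evs[0][0], "last_seen": evs[-1][0]})
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOGS.splitlines()):
        print(f"possible port scan: {a['src']} -> {a['dst']} ({a['distinct_ports']} ports)")
```

With the defaults (10 ports in 60 seconds) only the fast sweep from 203.0.113.7 is reported; the web client is ignored because it only ever reaches two ports. The slow source that probes one port every 90 seconds stays under the radar until the window is widened (for instance 4 ports in 600 seconds), which is the usual trade-off for this kind of rule: a short window keeps false positives low, a long window catches low-and-slow scans at the cost of more state and more noise. In practice the threshold and window are tuned per network segment, and denied connections can be weighted more heavily than allowed ones.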