Ethical Hacking Lesson 7 – Passive vs Active Recon | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
Foundations & Hacking Mindset · Lesson 7

Passive vs Active Reconnaissance

Lesson 6 introduced the distinction between passive and active reconnaissance. This lesson goes deeper — looking at the specific tools and techniques used in each phase, the point at which switching from passive to active changes your legal standing, and how experienced pen testers manage the transition between the two.

The core difference — contact with the target

The single most important distinction between passive and active reconnaissance is whether your activity reaches the target's systems. That is the line — not the tool you are using, not the information you are after, but whether packets are sent to infrastructure the target controls.

A WHOIS lookup queries a public registry server — not the target. A DNS lookup against a public resolver — not the target. Reading a LinkedIn profile — not the target. These are all passive. The moment you send a packet to an IP address the target owns, you have crossed into active reconnaissance — and that requires authorisation.

This matters practically because the same tool can be used in both passive and active modes. A DNS lookup run against a public resolver is passive. The same lookup run directly against the target's DNS server is active. The tool is identical. The legal and operational implications are completely different.

Side-by-side — passive and active techniques compared

Here is a direct comparison of the techniques used in each phase. Notice that many goals — discovering subdomains, identifying technologies, mapping the network — can be achieved through both passive and active means. The passive version takes longer and finds less. The active version is faster and more comprehensive, but it leaves a footprint on the target's systems.

PASSIVE vs ACTIVE — TECHNIQUE COMPARISON
Goal Passive approach Active approach
Find subdomains Query certificate transparency logs (crt.sh), search engines, DNS dumpster DNS brute-force enumeration against the target's name server
Identify technology Read HTTP headers from cached pages, check job postings, use BuiltWith Send requests directly to the web server, analyse live response headers and cookies
Map open ports Check Shodan — a search engine that indexes internet-facing devices and their open ports Run a port scanner directly against the target's IP addresses
Find email addresses Search LinkedIn, company website, and tools like theHarvester using search engine queries Send test emails to verify which addresses exist and bounce, query mail server directly
Discover services Check Shodan for previously indexed service banners on the target's IPs Connect directly to open ports and read the live service banner
Check breach exposure Query Have I Been Pwned or similar public breach databases Attempt credential stuffing against the target's login pages (requires explicit permission)

Shodan appears in the passive column for a reason worth understanding. Shodan is a search engine that continuously scans the internet and indexes what it finds — open ports, running services, banners, TLS certificates. When you query Shodan, you are reading that index, not contacting the target directly. The scan that Shodan ran previously is what makes direct contact. Your query is passive.

The transition point — when passive becomes active

The transition from passive to active reconnaissance is not something that happens gradually. It is a hard line — and crossing it without authorisation turns an information-gathering exercise into an unauthorised computer access offence.

In a professional engagement, this transition is agreed in advance. The Rules of Engagement document will typically specify when active testing can begin — often defined by a date and time, a specific IP range, and a contact number to call if anything breaks. You do not move to active recon until all of that is confirmed in writing.

TRANSITION CHECKLIST — Passive to Active

Written Rules of Engagement signed by the client and reviewed by your team

Scope confirmed — IP ranges, domains, and any explicitly out-of-scope systems listed and understood

Testing window agreed — start date, end date, permitted hours, and any blackout periods defined

Emergency contact confirmed — a named person at the client who can be reached immediately if something unexpected happens

Get-out-of-jail letter printed and with the tester — ready to produce if law enforcement gets involved

Every item on that checklist needs to be confirmed before your first active scan runs. Missing even one of them means you are either operating without full authorisation or without the safety net that protects you if something goes wrong mid-engagement.

Active reconnaissance in practice — the first scan

Once the active phase begins, the first thing most pen testers do is confirm that the passive recon picture is accurate and complete. Passive sources can be outdated — Shodan's last scan of a target might be weeks old. The live environment may have changed. The first active probes are often just confirmations of what the passive phase suggested.

The scenario: Your passive recon phase is complete. The client's IT team has whitelisted your IP address and confirmed the testing window is open. It is 9 AM on day two. You are beginning active reconnaissance against the logistics company's network. Your first task is to confirm which of the subdomains you found yesterday are actually live and responding.

# This script checks which subdomains from our passive recon are actually live
# It sends a real DNS query for each one — this is ACTIVE recon
# Only run this after your IP has been whitelisted and the testing window is open

# Loop through each subdomain name one at a time
for sub in www mail vpn portal staging; do

    # Build the full subdomain and ask DNS what IP address it points to
    # 2>/dev/null hides any error messages so the output stays clean
    # grep "has address" filters out everything except the IP address line
    result=$(host $sub.targetlogistics.com 2>/dev/null | grep "has address")

    # -n "$result" checks if a result came back — if yes, the subdomain is live
    if [ -n "$result" ]; then
        echo "[LIVE] $sub.targetlogistics.com — $result"  # print the subdomain and its IP

    # If nothing came back, the subdomain did not resolve — it is down or does not exist
    else
        echo "[DOWN] $sub.targetlogistics.com"
    fi

done  # end of the loop — move to the next subdomain in the list

Breaking it down:

The for loop
Iterates through each subdomain from your passive recon list. In a real engagement you would have a much larger list — sometimes hundreds of subdomains to check. The loop handles all of them automatically without retyping the command each time.
staging resolves to 192.168.10.45
Any IP starting with 192.168 is a private internal address — not reachable directly from the internet. The staging server sits on the internal network but its subdomain resolves publicly. Whether it can actually be accessed needs confirming in the next phase.
vpn.targetlogistics.com — 89.44.12.201
A live VPN gateway on a public IP is a high-value target. The next step is identifying the VPN software and its version number — done in the scanning phase — to check whether it is running a known vulnerable build. VPN software has been one of the most exploited categories in real-world attacks over the past five years.

Stealth vs speed — a real trade-off in active recon

Once you are in the active phase, you face a trade-off that every pen tester has to think about: speed versus stealth. Running aggressive, fast scans gives you more information quickly — but it also generates a lot of noise. Intrusion detection systems will flag it. Security analysts will notice. If your client has told you to test without notifying their security team, a noisy scan gives the game away.

On the other hand, a very slow and stealthy scan looks exactly like how a real attacker would operate — patient, methodical, designed not to trigger alerts. This is a better simulation but takes considerably longer to complete.

Aggressive scan

Fast, loud, comprehensive. Sends thousands of packets quickly. Completes in minutes. Almost certain to trigger IDS alerts and appear in security logs.

Best for: White box engagements where the security team is already informed, or when speed matters more than stealth.

Slow and stealthy scan

Spreads probes over hours or days with randomised timing and decoy traffic. Designed to look like normal background internet noise. Much harder to detect.

Best for: Black box or red team engagements where simulating a realistic attacker matters and the security team should not be tipped off.

Documenting everything from the first moment

One discipline that separates professional pen testers from amateurs is documentation. From the first passive search to the last active probe, everything gets recorded — what command was run, at what time, against which target, and what it returned. This serves three purposes.

It builds the report

Everything in your final report needs evidence. Screenshots, command output, timestamps. If you did not document it during the engagement, reconstructing it afterwards is either impossible or time-consuming. Notes taken in real-time are always more accurate than memory.

It protects you legally

If a client later claims you tested systems outside your scope or caused damage, your timestamped logs show exactly what you touched and when. Without documentation, it is your word against theirs.

It enables the retest

After the client patches the vulnerabilities you found, they often request a retest to verify the fixes. Without detailed notes on exactly what you did to trigger each finding, running the same test again is much harder than it should be.

A simple documentation log for the recon phase

Every command run during an engagement gets logged in a table like this — recording the exact time, what tool or source was used, which target it was run against, and what it returned. This is the actual working document a pen tester keeps open throughout the day. The last row below shows why this matters: Shodan revealed a critical CVE on the VPN server at 10:31 — found passively, before any active scan had touched that host.

Timestamp Tool / Source Target Finding
09:04 WHOIS (passive) targetlogistics.com Domain registered 2008. Cloudflare nameservers. DNSSEC unsigned.
09:18 crt.sh (passive) targetlogistics.com 7 subdomains found including staging and vpn.
10:02 host cmd (active) All subdomains 5 of 7 subdomains live. staging resolves to internal IP 192.168.10.45.
10:31 Shodan (passive) 89.44.12.201 (vpn) Fortinet SSL-VPN 6.4.2 — known CVE-2022-40684 — critical.

Teacher's Note: The best pen testers are meticulous note-takers. Get into the habit of documenting every command and its output from the very first engagement — it will save you hours of reconstruction work later and make your reports significantly stronger.

Practice questions

Scenario:

A pen tester with written authorisation runs a script that sends DNS queries directly to the target company's name server, asking it to resolve a list of 500 potential subdomains. Each query reaches the company's own DNS infrastructure and some of the queries appear in the server's query logs. The tester is doing this to discover subdomains that certificate transparency logs missed. What type of reconnaissance is this?


Scenario:

Before an engagement starts, a pen tester searches Shodan for the target company's IP address range and finds that Shodan has previously indexed an open port 8080 running an outdated Jenkins instance on one of their servers. The tester did not send any packets to the company's infrastructure — they only searched Shodan's existing index of internet-facing devices. What type of reconnaissance is this?


Scenario:

A client commissions a red team engagement and tells your team: "Our security operations centre should not know this test is happening. We want to see if they detect you." Your team needs to run port scans and service enumeration during the active phase. To avoid triggering the SOC's IDS alerts, what kind of scanning approach should you use?


Quiz

Scenario:

A junior pen tester on your team argues: "Searching Shodan for the target's IP address must be active reconnaissance because we are getting real information about their live servers." You need to correct them. Is querying Shodan passive or active recon, and why?

Scenario:

During active recon, your DNS resolution script reveals that staging.targetclient.com resolves to 192.168.5.100 — a private IP address that is not directly reachable from the internet. You are currently in the active reconnaissance phase, not yet in the scanning phase. The client has authorised you to test all in-scope systems including the staging environment. What is the correct next step?

Scenario:

A pen tester completes a two-week engagement and delivers a strong technical report. Three weeks later, the client contacts them claiming that a production database was corrupted during the testing period and suggesting the pen tester was responsible. The tester produces timestamped logs showing every command run, every target contacted, and the exact time windows — none of which include the production database. What is the most important function that detailed recon and testing documentation served here?

Up Next · Lesson 8

Information Gathering Tools

The specific tools professionals use to gather intelligence — theHarvester, Maltego, Shodan, and more — with hands-on examples for each.

← Previous Course Index Next →