In contrast to passive-recce, active reconnaissance requires you to make some kind of contact with your target, e.g.:
- a phone call
- visit the target company under some pretext
- direct connection to the target system
- visiting their website
- checking if their firewall has an SSH port open
- connecting to their servers (HTTP, FTP etc.)
- inspecting their windows and door locks
> [!danger] Mind the SOW
> It is essential to remember not to engage in active reconnaissance work before getting signed legal authorization from the client.
## Tools
- recce-with-browser
    - the browser can be armed to become an efficient recon framework
- ping
- traceroute
- telnet
- netcat
## Traces
Any connection may leave entries in the target's logs showing the client IP address, the time and duration of the connection, and so on. Not every connection looks suspicious: reconnaissance can be made to resemble regular client activity (e.g. web browsing).
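From the defender's side, the traces described above are exactly what a log review looks for. The following added example (not part of the original note) parses a few constructed lines in the common Apache/Nginx "combined" access-log format, summarises each client IP, and applies an assumed heuristic for scripted probing: a short burst of requests, mostly answered with 404 and sent without a Referer header, which is unlike a browser following links. The second client in the sample browses normally and is not flagged; the thresholds are illustrative assumptions, not values from the note.

```python
"""Added example: spotting connection traces in a web-server access log.

Hypothetical detection logic, not from the original note. The log lines
below are constructed; the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/Nginx "combined" log format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 3100 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /contact HTTP/1.1" 200 2900 "http://example.test/about" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.1"
198.51.100.23 - - [10/Oct/2023:14:02:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.1"
198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/8.1"
198.51.100.23 - - [10/Oct/2023:14:02:02 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "curl/8.1"
198.51.100.23 - - [10/Oct/2023:14:02:03 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/8.1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def summarize_by_ip(entries):
    """Per client IP: request count, distinct paths, 404 count, time span, Referer use."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        times = [e["ts"] for e in evs]
        summary[ip] = {
            "requests": len(evs),
            "distinct_paths": len({e["path"] for e in evs}),
            "not_found": sum(1 for e in evs if e["status"] == 404),
            "span": max(times) - min(times),
            "with_referer": sum(1 for e in evs if e["referer"] != "-"),
            "user_agents": sorted({e["ua"] for e in evs}),
        }
    return summary


def flag_probing(summary, window=timedelta(seconds=10), min_requests=4, min_404_ratio=0.5):
    """Return IPs whose traffic looks like scripted probing rather than browsing.

    Assumed heuristic: at least `min_requests` requests inside `window`, a
    404 ratio of `min_404_ratio` or more, and no Referer on any request.
    """
    flagged = []
    for ip, s in summary.items():
        ratio_404 = s["not_found"] / s["requests"]
        if (s["requests"] >= min_requests and s["span"] <= window
                and ratio_404 >= min_404_ratio and s["with_referer"] == 0):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_by_ip(parse_log(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, s)
    print("flagged:", flag_probing(stats))
```

Run it on a real access log by replacing `SAMPLE_LOG` with the file contents; the heuristic is deliberately simple, and the note's second point applies to it as well: reconnaissance that is paced like browsing, requests existing pages, and sends a Referer will fall below these thresholds, which is why per-IP summaries are usually reviewed alongside the flags rather than relied on alone.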