Network Reconnaissance
Network reconnaissance is the discovery phase of an attack or security assessment, where the actor enumerates live hosts, open ports, running services, and topology to build a map of the target environment before attempting any exploitation.
Reconnaissance precedes exploitation. Whether the operator is a penetration tester, a red teamer, or a real attacker, the first task is the same: turn an undefined target into a structured inventory of reachable systems and the services they expose. Nothing else in the engagement works without this step — a vulnerability cannot be exploited if its existence has not been observed.
Network reconnaissance splits into passive and active approaches. Passive recon avoids touching the target: querying public DNS, certificate transparency logs, search engines, GitHub commits, and OSINT sources to infer hosts, subdomains, and technologies in use. Active recon directly probes the target — ping sweeps to find live hosts, port scans (SYN, full-connect, UDP), banner grabbing to fingerprint software versions, and protocol-specific probes (SMB, SNMP, RDP) for richer detail. Tools like Nmap, Masscan, RustScan, and ZMap dominate the active phase; Amass, Shodan, and the Censys APIs dominate the passive phase.
For defenders, network reconnaissance is the first credible signal that an engagement is underway. Egress logs, NetFlow/IPFIX records, IDS signatures for scan patterns, and honeypots all light up during this phase. Mature SOCs treat unusual scan activity from external sources as a threat-hunting trigger — not because the scan itself is dangerous, but because it indicates someone is preparing the next step. Internal reconnaissance from a compromised host (a workstation suddenly enumerating internal subnets it has never touched before) is one of the strongest indicators that lateral movement is in progress and should be a top-tier alert.
The defensive playbook is well understood: minimise the externally-reachable footprint, ensure internal segmentation makes lateral discovery noisy, deploy deception (honey-tokens, honey-services) that look attractive to a scanner, and tune detections specifically for reconnaissance behaviour rather than relying on exploit-only signatures. The earlier you catch recon, the more time you have before the attacker reaches an objective.
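The recon-specific detection the last two paragraphs call for, as an added example that is not part of the original text: a sliding-window fan-out check over constructed NetFlow-style records that flags a source touching many distinct internal hosts (a subnet sweep) or many distinct ports on one host (a vertical port scan). The record layout, thresholds and IP addresses are assumptions for illustration; the low-and-slow source is included to show the fixed-window blind spot a practitioner has to tune around.

```python
from collections import defaultdict, deque

# Constructed NetFlow-style records, not real traffic:
# (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # ordinary workstation traffic: a couple of destinations, nothing unusual
    (0, "10.0.1.20", "10.0.5.10", 443),
    (5, "10.0.1.20", "10.0.5.11", 445),
    # horizontal sweep: one workstation walking a subnet it never used before
    *[(10 + i, "10.0.1.77", f"10.0.9.{i}", 445) for i in range(1, 13)],
    # vertical scan: one host probing many service ports on a single server
    *[(100 + i, "10.0.1.88", "10.0.5.10", p) for i, p in enumerate(
        [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389, 5900, 8080, 8443, 9000])],
    # low-and-slow scan: one port every 30 s, never enough inside a 60 s window
    *[(1000 + 30 * i, "10.0.1.99", "10.0.5.10", 1000 + i) for i in range(20)],
]


def detect_recon(flows, window=60, host_threshold=10, port_threshold=15):
    """Return {src_ip: [(kind, distinct_count, timestamp)]} for every source whose
    distinct destination fan-out within `window` seconds crosses a threshold.
    Each (source, kind) pair is reported once, at the moment it first trips."""
    recent = defaultdict(deque)      # src_ip -> flows still inside the window
    findings = defaultdict(list)
    reported = set()
    for ts, src, dst, port in sorted(flows):
        q = recent[src]
        q.append((ts, dst, port))
        while q and q[0][0] < ts - window:   # expire flows older than the window
            q.popleft()
        hosts = {d for _, d, _ in q}
        ports = {p for _, _, p in q}
        if len(hosts) >= host_threshold and (src, "horizontal_sweep") not in reported:
            reported.add((src, "horizontal_sweep"))
            findings[src].append(("horizontal_sweep", len(hosts), ts))
        if len(ports) >= port_threshold and (src, "vertical_scan") not in reported:
            reported.add((src, "vertical_scan"))
            findings[src].append(("vertical_scan", len(ports), ts))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in detect_recon(SAMPLE_FLOWS).items():
        for kind, count, ts in hits:
            print(f"{src}: {kind} ({count} distinct) at t={ts}s")
```

The slow scanner (10.0.1.99) never appears in the output, which is the point: a fixed window catches noisy tools at default speed, so a second detector keyed on long-term distinct-destination counts per source is needed to cover throttled scans.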