Explain the difference between passive and active reconnaissance, with examples of each.
Short answer
Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.
Reconnaissance is the first technical phase of an engagement, and how you do it shapes everything that follows. The key distinction is whether you are interacting with the target's infrastructure or staying entirely off it.
Passive reconnaissance
Passive recon collects information without sending traffic that the target would log as coming from you. You are reading public or third-party sources. Examples:
- OSINT — company website, job postings (which reveal the tech stack), LinkedIn for usernames and naming conventions.
- DNS and WHOIS records, and certificate transparency logs, which leak subdomains and internal hostnames embedded in TLS certificates.
- Search engine and breach data, leaked credentials, code in public repositories.
Because you never touch the target, passive recon is essentially undetectable and carries the lowest legal and operational risk. Its weakness is depth: you only learn what's exposed elsewhere.
Active reconnaissance
Active recon interacts directly with the target: port scanning with Nmap, banner grabbing, DNS zone transfer attempts, service enumeration, or hitting web endpoints. This is far richer — you learn exactly which ports are open, which service versions are running, and how the application behaves.
The cost is detectability. Every probe can show up in the target's logs, IDS, or WAF, and aggressive scanning can crash fragile services. Good testers throttle and scope active recon carefully, and confirm it is permitted by the rules of engagement.
The practical workflow
Start passive to build a picture cheaply and quietly, then go active to confirm and deepen it. On a stealth or red-team engagement, the passive/active line is a real operational constraint, not academic trivia.
What interviewers look for
A clear, example-backed definition and an understanding of the stealth-versus-detail trade-off — plus awareness that active recon needs authorization and care.
Likely follow-ups
- Name three passive recon sources you'd check first.
- Why might active recon get you caught, and how would you reduce that risk?
- How does certificate transparency help map an organization's attack surface?