Passive Recon · OSINT Tools · Nmap · Service Enumeration · Vulnerability Scanning
Study with Practice Tests →Reconnaissance is Stage 1 of every attack kill chain. Defenders who understand what attackers see — and how they see it — can detect and disrupt intrusions earlier. This topic covers the full recon spectrum from passive OSINT through active scanning and vulnerability assessment.
Passive recon gathers information without any direct contact with target systems — undetectable by the target. Active recon involves direct interaction (packets sent to target) and leaves traces in logs. Knowing which is which is a classic exam trap.
WHOIS (domain ownership), Shodan (internet-exposed devices), theHarvester (emails/subdomains from search engines), Maltego (relationship mapping), Recon-ng (modular framework), crt.sh (certificate transparency for passive subdomain discovery). All passive — no target packets sent.
Record types: A (IPv4), AAAA (IPv6), MX (mail), NS (nameserver), TXT (SPF/DKIM), PTR (reverse), CNAME (alias). Zone transfer (AXFR) reveals ALL records if misconfigured — restrict AXFR to authorized secondaries.
-sS (SYN stealth, default), -sT (TCP connect, no root), -sU (UDP), -sV (version/banner), -O (OS detection), -sC (NSE scripts), -A (aggressive). Timing T0–T5: paranoid to insane.
Banner grabbing with netcat, curl, telnet. Protocol-specific enum: SMB (enum4linux), SNMP (snmpwalk — default "public" string), SMTP (VRFY/EXPN), LDAP (ldapsearch). Each reveals service version, configuration, and potential attack surface.
Nessus (credentialed/uncredentialed, plugin-based), OpenVAS/GVM (open-source), Nikto (web server). CVSS v3.1 severity: Critical 9.0–10.0 · High 7.0–8.9 · Medium 4.0–6.9 · Low 0.1–3.9. Base metrics: AV, AC, PR, UI, Scope, CIA Impact.
| Topic | Key Concepts |
|---|---|
| 1. Incident Handling Process | PICERL, chain of custody, IR team roles, MITRE ATT&CK, IOCs, threat intelligence |
| 2. Reconnaissance & Scanning | OSINT, Nmap, vulnerability scanning, passive vs active recon |
| 3. Exploitation & Web Attacks | Password attacks, buffer overflows, social engineering, SQLi, XSS, CSRF |
| 4. Network Attacks & IDS | ARP poisoning, DoS/DDoS, packet analysis, IDS/IPS evasion, NetFlow |
| 5. Malware & Lateral Movement | Malware types, C2, persistence, Pass-the-Hash, YARA, memory forensics |
The GCIH exam frequently presents scenarios and asks if the activity is detectable. Remember: passive recon (OSINT, WHOIS, Shodan, crt.sh) never touches the target — fully undetectable. Active scanning (Nmap, banner grabbing, zone transfer attempts) generates traffic the target can log.
Memorize: Critical starts at 9.0 (not 8.0), High starts at 7.0, Medium at 4.0. Critical is a common distractor — exam may offer "8.0–10.0" as a wrong choice. The correct Critical range is 9.0–10.0.
SYN scan (-sS) requires root/admin privileges because it uses raw sockets. TCP Connect (-sT) uses the OS socket API — no root needed. This distinction appears frequently in scenario questions about what a non-privileged user can run.
Passive reconnaissance collects intelligence about a target without sending a single packet to their systems. From the defender's perspective, passive recon is invisible — no logs, no alerts, no evidence. Understanding these techniques is essential for both offensive awareness and defensive strategy.
No direct target contact. Queries public data sources, third-party services, cached databases. Target has zero visibility into activity. Fully undetectable. Examples: WHOIS lookups, Shodan queries, Google dorks, crt.sh, theHarvester, DNS lookups via public resolvers.
Direct interaction with target systems. Packets are sent to and received from the target. Activity appears in target firewall logs, IDS alerts, web server logs. Examples: Nmap port scans, banner grabbing via netcat, DNS zone transfer (AXFR) directly to target's nameserver, subdomain brute-force with live queries.
Queries domain registration databases for ownership information. Reveals: registrant name/org/email, registration/expiry dates, registrar, and often name servers. Organizations using privacy protection mask personal details. Passive — queries public WHOIS servers.
Search engine that continuously crawls and indexes internet-connected devices. Finds: exposed webcams, industrial control systems (ICS/SCADA), unpatched services, default credentials, open databases. Query by IP, hostname, port, product, or OS. Fully passive for the researcher.
Harvests email addresses, employee names, subdomains, IPs, and URLs from public sources including Google, Bing, LinkedIn, and PGP key servers. Command: theHarvester -d target.com -b google. Excellent for building phishing target lists. Passive.
Visual link analysis tool for mapping relationships between OSINT entities — domains, IPs, email addresses, people, organizations, social profiles. Uses "transforms" (API calls to data sources). Identifies organizational structure, infrastructure, and personnel relationships. Powerful for APT attribution research.
Modular framework (similar to Metasploit) for web-based open-source reconnaissance. Modules for WHOIS, DNS, breach data, social media, port scanning, and more. Workspaces keep engagements organized. Some modules are passive; others active. API keys required for most data sources.
Certificate Transparency logs record every TLS certificate issued by trusted CAs. crt.sh queries these public logs — enter a domain and retrieve all subdomains that have ever had certificates issued. 100% passive — queries CT log databases, not the target. Reveals internal subdomain naming conventions.
| Operator | Example | Finds |
|---|---|---|
site: | site:target.com | All pages indexed for domain, reveals subdomain structure |
filetype: | filetype:pdf site:target.com | Exposed file types (PDF, XLS, DOC, SQL, BAK) |
intitle:"index of" | intitle:"index of" site:target.com | Open directory listings — exposes file trees |
inurl:admin | inurl:admin site:target.com | Admin login pages and admin interfaces |
intext: | intext:"username" filetype:log | Credentials or sensitive strings in indexed files |
cache: | cache:target.com | Google's cached version — useful if page is taken down |
A — IPv4 address mapping
AAAA — IPv6 address mapping
MX — Mail server, with priority value
NS — Authoritative nameservers
TXT — SPF, DKIM, DMARC, verification tokens
PTR — Reverse DNS (IP → hostname)
CNAME — Canonical name alias
SOA — Start of Authority (zone serial, TTL, contact)
DNS zone transfers replicate all records from primary to secondary nameservers. If misconfigured, any host can request a full zone dump with: dig axfr @ns1.target.com target.com. A successful AXFR dumps every hostname, IP, MX, TXT record — a complete internal map. Defend: restrict AXFR to authorized secondary IPs only via ACL on nameserver config.
Brute-force subdomain discovery using wordlists (active — queries live DNS):
gobuster dns -d target.com -w wordlist.txt
dnsrecon -d target.com -t brt
dnsx -d target.com -w common.txt
Passive alternative: crt.sh — no DNS queries to target.
AXFR attempts appear in DNS server logs — even failed attempts are visible. Monitor for zone transfer requests from unauthorized IPs. Repeated NXDOMAIN responses (failed lookups) indicate subdomain brute-forcing.
Bursts of 404 errors in rapid succession indicate directory/file brute-forcing. Unusual or scripted User-Agent strings (Python-requests, nikto, gobuster) flag automated recon tools. Low-and-slow scanning may still leave log traces over time.
Fake credentials, documents, or DNS records planted specifically to detect recon. If a honeytoken is accessed, an attacker has discovered and used it — immediate alert. DNS canary tokens: a fake subdomain that fires an alert when resolved.
Active reconnaissance involves direct interaction with target systems. Packets are sent, responses analyzed, and the activity is logged. Mastering Nmap scan types, timing, and output formats is essential GCIH knowledge — these appear heavily in exam scenarios.
| Scan Type | Flag | Mechanism | Notes |
|---|---|---|---|
| TCP SYN (Stealth) | -sS | SYN → SYN-ACK → RST; half-open, never completes handshake | Default scan; stealthier; requires root/admin |
| TCP Connect | -sT | Full 3-way handshake (SYN → SYN-ACK → ACK) | More detectable (full connection in logs); no root needed |
| UDP | -sU | Sends UDP probes; open=response, closed=ICMP port unreachable | Slow; targets DNS (53), SNMP (161), TFTP (69) |
| OS Detection | -O | Analyzes TCP/IP stack behavior to fingerprint OS | Requires at least one open and one closed port; root needed |
| Version Detection | -sV | Sends service-specific probes; reads banners | Banner grabbing at scale; reveals service name + version |
| Script Scan | -sC | Runs default Nmap Scripting Engine (NSE) scripts | Quick enumeration of open services; many scripts available |
| Aggressive | -A | Combines -O -sV -sC + traceroute | Noisy but comprehensive; triggers most IDS signatures |
| Ping Sweep | -sn | Host discovery only — ICMP echo + TCP 80/443 probes | Maps live hosts without port scanning; fast network recon |
| Template | Flag | Use Case | Speed |
|---|---|---|---|
| Paranoid | -T0 | IDS evasion — serialized, very long delays between probes | Extremely slow |
| Sneaky | -T1 | Slow IDS evasion with slightly better speed | Very slow |
| Polite | -T2 | Reduces bandwidth use; less likely to crash services | Slow |
| Normal | -T3 | Default — balanced speed and accuracy | Default |
| Aggressive | -T4 | Fast scanning on reliable LAN connections | Fast |
| Insane | -T5 | Maximum speed; may miss ports on slow/congested networks | Very fast |
-oN filename — Normal (human-readable)
-oX filename — XML (for tool import/parsing)
-oG filename — Grepable (one host per line, grep-friendly)
-oA basename — All three formats at once
Best practice: always save output with -oA for engagement documentation.
nmap -sS -sV -O -T4 target — Stealth SYN + version + OS, fast
nmap -sU -sS -T3 target — Combined TCP+UDP
nmap -p- target — All 65535 ports
nmap -sn 192.168.1.0/24 — Ping sweep entire subnet
nmap -A -T4 -oA results target — Aggressive, save all formats
| Tool | Command | Use Case |
|---|---|---|
| netcat | nc -v target.com 80 then HEAD / HTTP/1.0 | Manual banner grab, any port |
| curl | curl -I https://target.com | HTTP headers including Server: field |
| telnet | telnet target.com 25 | SMTP/FTP banners (legacy) |
| Nmap -sV | nmap -sV -p 80,443,22 target | Automated banner grabbing at scale |
enum4linux -a target — Enumerate shares, users, groups, OS, password policy
smbclient -L //target -N — List shares anonymously
Key findings: share names, null session access, guest access, OS version, domain membership.
snmpwalk -v2c -c public target — Walk MIB tree with default community string
Default community string "public" = read access, "private" = write access. If not changed: exposes running processes, interfaces, routing tables, installed software, user accounts.
VRFY username — Verify if user exists (if enabled)
EXPN listname — Expand mailing list members
User enumeration: 252 = user exists, 550 = no such user. Modern configs disable VRFY/EXPN — but older mail servers expose full user lists.
ldapsearch -x -H ldap://target -b "dc=target,dc=com" — Anonymous bind query
If anonymous bind allowed: retrieves AD users, groups, OUs, computer accounts, password policies. Critical misconfiguration in Active Directory environments — reveals entire org structure.
-T3 is easily detected by tuned IDS rules.
Look for one source IP connecting to sequential destination ports in rapid succession. Blocked connection attempts to many ports = port scan. Many SYN packets with no ACK completion = SYN scan.
Deploy fake services on ports that should never receive connections (e.g., TCP 31337, or ports 1–1024 unused by production). Any connection attempt = immediate alert of scanning activity. Zero false positives.
Correlate: source IP hits 50+ ports in 60 seconds = port scan rule. Cross-reference with threat intel feeds for known scanner IPs. Alert on version probes from external IPs — -sV generates distinctive service probes.
Vulnerability scanning systematically tests systems for known weaknesses, misconfigurations, and outdated software. Understanding scanner types, their outputs, and CVSS severity scoring is critical for GCIH — both for finding attacker activity and for conducting authorized assessments.
| Scanner | Type | Best For | Key Feature |
|---|---|---|---|
| Nessus | Commercial (free for personal use) | Comprehensive host & network vuln assessment | Most widely used; credentialed + uncredentialed; plugin-based; CVSS scores; compliance checks |
| OpenVAS / GVM | Open-source | Budget-conscious enterprise scanning | Greenbone Vulnerability Manager; large plugin feed; on-premise deployment; community-supported |
| Nikto | Open-source web scanner | Web server misconfiguration assessment | Finds outdated software, dangerous files, default pages, insecure headers; not stealthy |
Uses valid credentials (local admin, SSH key, domain user) to log into the target system. Provides deep host assessment: patch levels, installed software, registry settings, local user accounts, service configurations, file permissions. More accurate — finds vulnerabilities an attacker with valid creds would find. More "noise" — creates authentication events in logs.
Attacker perspective — sees only what is exposed to the network. Tests network-facing services, identifies open ports, checks banner versions, tests for common unauthenticated exploits. Faster and simpler to set up. Misses locally configured vulnerabilities, patch state, and internal misconfigurations. Better for external attack surface assessment.
| Metric | Abbreviation | What It Measures | Values |
|---|---|---|---|
| Attack Vector | AV | How far away the attacker must be | Network (N), Adjacent (A), Local (L), Physical (P) |
| Attack Complexity | AC | Conditions beyond attacker's control | Low (L), High (H) |
| Privileges Required | PR | Level of access needed before attack | None (N), Low (L), High (H) |
| User Interaction | UI | Is victim participation required? | None (N), Required (R) |
| Scope | S | Does vuln affect resources beyond component? | Unchanged (U), Changed (C) |
| Confidentiality Impact | C | Impact on data secrecy | None (N), Low (L), High (H) |
| Integrity Impact | I | Impact on data accuracy/trustworthiness | None (N), Low (L), High (H) |
| Availability Impact | A | Impact on service/resource access | None (N), Low (L), High (H) |
Vulnerability scanners generate distinctive traffic: sequential port hits, service-specific probes, HTTP requests to known vulnerability paths. Nessus and Nikto have well-known signatures in Snort/Suricata rulesets.
Large volumes of connection attempts to many ports and services from one source. Nikto generates hundreds of HTTP requests to known vulnerable paths — easily spotted in web server access logs as bursts of 404/403 responses.
Scanners probe every port — including ports with no legitimate services. Deploy honeypot listeners on unused port ranges. Any connection to a honeypot port = active scanning in progress. Zero legitimate traffic should ever reach these ports.
10 questions covering passive vs active recon, OSINT tools, Nmap, DNS zone transfers, CVSS scoring, and vulnerability scanning. Select your answers and click Submit to see your score.
dig axfr @ns1.target.com target.com attempts to:-sV do?High-retention mnemonics for rapid recall during the GCIH exam. Each hook encodes the key distinction in a memorable phrase.
Click any flashcard to reveal the answer. Use the Study Advisor below to get topic-specific guidance.
Click a card to flip it · Click again to flip back
Select a topic for targeted exam guidance: