Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Network Reconnaissance

Training Camp • Cybersecurity Glossary

What is Network Reconnaissance?

The attacker's first phase: scanning and probing a target to map hosts, services, and vulnerabilities before exploitation.

Glossary > Threats, Malware & Attacks > Network Reconnaissance

Understanding Network Reconnaissance

Network reconnaissance is the information-gathering phase in which an attacker probes a target network to discover its hosts, services, topology, and vulnerabilities. As the first stage of most intrusions, it builds the map an adversary uses to identify entry points and plan exploitation. Defenders perform the same techniques during authorized penetration tests.

Reconnaissance is divided into passive and active methods. Passive recon collects information without touching the target directly, using WHOIS records, DNS data, public certificates, and OSINT, leaving no trace. Active recon interacts with the network: ping sweeps to find live hosts, port scanning with tools like Nmap to enumerate open ports and services, banner grabbing to fingerprint software versions, and enumeration of shares, users, and protocols. The output is a detailed inventory of attackable surface.

Reconnaissance matters because it is the foundation on which targeted attacks are built, mapping to the Reconnaissance stage of the Cyber Kill Chain and the Discovery tactic in MITRE ATT&CK. Detecting it early, through IDS signatures for scans, port-scan thresholds, and honeypots, gives defenders an opportunity to respond before exploitation begins. Conversely, exposed services and verbose banners hand attackers a roadmap, so reducing the discoverable attack surface is a key defensive goal.

For example, before attacking, an adversary runs an Nmap scan such as nmap -sV against the target's public range, discovering an open port 22 running an outdated OpenSSH version and port 445 exposing SMB. Cross-referencing the SSH version against a CVE database reveals a known vulnerability, giving the attacker a concrete, prioritized target for the next, exploitation phase.

Learn More About Network Reconnaissance:

Ready to Get Certified?

Network Reconnaissance is one of the topics you'll master in the CEH Boot Camp.

CEH Boot Camp →