I have just started studying for the CEH v8 exam and I am trying to get the core of the so-called hacking phases.

I could not totally understand the practical difference between the first two phases. In recon a pentester should get all available info from the target. As far as I can see, he would be expected to use tools like nmap in order to do that. For example, he could use nmap to discover how many machines are in the network.

On the other hand, if he is using nmap to understand the network, wouldn't he be scanning it?

I know it is a silly question and it is just a matter of definition, but I really want to have a systematic understanding of pen testing.

By the way, I am using "CEH all-in-one" by Matt Walker as a main resource.

Marcos Valle

    are you sure the first step is "Active recon" and not "Passive recon"? Scanning/enum is a form of active recon. – schroeder Oct 21 '14 at 19:02

4 Answers

  1. Active Recon -- doesn't matter if touching or not touching any infrastructure -- the important part is the recon comes first in order to determine the target(s), which normally consist of company and partner names, employee names, identification of technology vendors in use, identification of public IP ranges, primary top-level domain names, email address structure, et al. (think mindmaps or scratch pads)
  2. Enumeration -- this is the second stage that produces a narrowed-down list of specific IP addresses, port numbers, hostnames, bulk lists of email addresses, etc. to be used in later stages (think structured ASCII lists or relational databases)
  3. Scanning -- the last stage automates against the enumerations to get further information. It is typically a client-server request-response paradigm using tools such as nmap, curl, SET, msfconsole, et al., where the responses include the desired information (think robots that do your dirty work for you)
atdre

To make it a bit clearer, I'm going to tweak the terms a bit.

Active Information Gathering involves doing something on a target network/server that could be directly traced back to you. For example, you run a web app scan, port scan, vuln scan, etc. You may enter known bad characters in places of input, such as ' < >, to produce a crash/error.

Here you may be breaking the law/Terms of Service of your target network/server. You may show up in a log or security alert somewhere. You may be blocked by Intrusion Prevention Systems (IPS)/Firewalls.

Passive Information Gathering involves finding information via means that would not be directly tied back to you/your IP address. You might be browsing a site as a typical user. You might find information from whois/robtex/maltego/other public means.

Here you are not breaking the law/Terms of Service. You may show up in analytics data but not necessarily in security event logs/alerts.

KDEx
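KDEx's point that active gathering "may show up in a log or security alert" is exactly what a defender's scan detector keys on. The following is an added example, not code from this thread: it parses constructed iptables LOG-target lines (the log format, host name and addresses are assumptions) and flags any source that touches many distinct ports within a short window, which is how a port scan looks from the target's side, while a browser-like client reusing a couple of ports is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed iptables LOG-target lines (no real host); 203.0.113.10 walks eight
# ports in two seconds, 192.0.2.7 looks like a browser, 8080 comes much later.
SAMPLE_LOGS = """\
Oct 21 19:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Oct 21 19:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=22
Oct 21 19:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=23
Oct 21 19:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=25
Oct 21 19:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=80
Oct 21 19:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=443
Oct 21 19:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=445
Oct 21 19:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=3389
Oct 21 19:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=443
Oct 21 19:00:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=443
Oct 21 19:00:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=80
Oct 21 19:05:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=8080
"""
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (timestamp, source IP, destination port), or None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])

def find_scanners(log_text, window=timedelta(seconds=10), min_ports=6):
    """Map each source hitting >= min_ports distinct ports inside `window` to its
    largest such count; a burst of distinct ports is the trace active recon leaves."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged
```

Passive gathering (whois, robtex, LinkedIn) produces no such line at all, which is why only the active side is detectable from the target's own logs.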
Using a dictionary can sometimes help :-) To me, reconnaissance is more passive: one 'mines and maps' available data resources by using secondary sources, not triggering illegal connections. By scanning/enumeration one does just that, 'scans and maps' based on known and new techniques to retrieve targetable areas etc.

I'll throw my 2 cents in here. The keyword that I zero in on is active. To me, this means that you are performing actions that will cause packets to touch the target's infrastructure. In that sense, I would not consider there to be a big difference between saying active reconnaissance and scanning/enumeration. I would be doing port scans, DNS enumeration, etc. if I were to say I was doing active reconnaissance or scanning/enumeration.

Passive reconnaissance is something that I would consider to be actions that don't require touching the target's infrastructure. This might be something such as looking up the target's whois information or searching for employees that work at the target company on LinkedIn, for example.

I'm not sure CEH gives the best definitions...

Dave