Detecting Reconnaissance

Detecting reconnaissance is a key part of network forensics and intrusion detection. Reconnaissance is the phase where attackers gather information about a target system or network before launching the actual attack. This stage often leaves subtle but detectable traces in logs, PCAPs, and network monitoring tools. Identifying reconnaissance early allows defenders to stop intrusions before exploitation, privilege escalation, or lateral movement begins.

This chapter explains the types of reconnaissance, their network-level indicators, and how to detect hostile probing activities.


What Is Reconnaissance?

Reconnaissance (recon) is the information-gathering phase of an attack.
Its purpose is to:

  • Identify open ports and services

  • Discover operating systems and versions

  • Detect vulnerabilities

  • Enumerate users, shares, and directories

  • Map network structure

  • Test firewall rules

  • Gather intelligence for exploitation

Reconnaissance is almost always the attacker’s first technical step.


Types of Reconnaissance


1. External Reconnaissance (Public-Facing)

Performed from outside the network.

Includes:

  • Port scans

  • Banner grabbing

  • OS fingerprinting

  • Web scanning

  • DNS enumeration

  • Email harvesting

Tools:

  • Nmap

  • Masscan

  • Shodan

  • Nikto

  • WhatWeb

  • DNSRecon


2. Internal Reconnaissance (Post-Compromise)

Performed after gaining initial access.

Includes:

  • Host discovery

  • ARP scanning

  • SMB enumeration

  • LDAP/user enumeration

  • Scanner scripts run from a compromised machine

Tools:

  • Nmap

  • CrackMapExec

  • BloodHound

  • PowerView

  • Net commands


Network Indicators of Reconnaissance

Recon activities create noticeable patterns in traffic.


1. High Volume of Port Scanning

Signs:

  • Connection attempts to many ports on one host

  • Repeated SYN packets without corresponding ACK

  • Frequent RST responses

  • Rapid-fire connections

Wireshark filter (shows handshake attempts, i.e. SYN set without ACK):

tcp.flags.syn == 1 && tcp.flags.ack == 0

Typical behavior:

  • Thousands of SYN packets within seconds

  • Sequential port probing

  • Randomized port probing (stealth scan)


2. Horizontal Scanning

Attacker checks the same port across multiple hosts.

Example:

  • Scanning TCP 445 across all 10.0.0.X machines

Indicators:

  • Repeated connection attempts to the same port

  • Traffic consistent with worm-like scanning


3. Vertical Scanning

Attacker checks many ports on one host.

Indicators:

  • SYN sweep across 1–65535 ports

  • Dozens of closed/filtered responses


4. OS Fingerprinting

Attackers analyze responses to determine OS/version.

Indicators:

  • Packets with unusual flags (ECN, FIN-only)

  • Crafted TTL and window size probes

  • Unusual ICMP types

Tools like Nmap use these techniques heavily.


5. Banner Grabbing

Attackers attempt to capture service banners.

Indicators:

  • Connections followed by empty payloads

  • Simple text requests like:

    • HEAD / HTTP/1.0

    • QUIT (FTP)

    • EHLO (SMTP)


6. DNS Enumeration

Signs:

  • High volume of DNS queries

  • Brute-forcing subdomains

  • AXFR zone transfer attempts

Wireshark filter:

dns
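
An added example (not part of the original chapter) that turns the signs above into detection logic: it flags a client that queries many distinct names under one zone with mostly NXDOMAIN answers (subdomain brute forcing) and any AXFR request. The records are constructed in the shape Zeek's dns.log carries (client, query, qtype, rcode); the thresholds and the two-label zone assumption are mine.

```python
"""Added example: flag subdomain brute forcing and AXFR attempts in DNS query logs."""
from collections import defaultdict

# Constructed sample: (client, query name, qtype, rcode) as Zeek dns.log would carry them.
SAMPLE_DNS = [("10.0.0.5", f"sub{i}.example.com", "A", "NXDOMAIN") for i in range(1, 41)]
SAMPLE_DNS += [("10.0.0.5", "www.example.com", "A", "NOERROR"),
               ("10.0.0.5", "mail.example.com", "A", "NOERROR")]    # the two real hosts
SAMPLE_DNS += [("10.0.0.9", "example.com", "AXFR", "REFUSED")]      # zone transfer attempt
SAMPLE_DNS += [("10.0.0.7", "www.example.com", "A", "NOERROR")] * 20  # benign repeats

def base_domain(name):
    """Assumption: the last two labels are the zone (no public-suffix list handling)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def detect_dns_enum(records, min_names=25, min_nx_ratio=0.8):
    """Return {'bruteforce': [(src, zone, distinct_names, nx_ratio)], 'axfr': [(src, zone)]}.

    Brute forcing shows as one client asking for many distinct names under one zone,
    most of which do not exist; a benign client repeats a few names that resolve.
    """
    names = defaultdict(set)      # (src, zone) -> distinct names queried
    nxdomain = defaultdict(int)   # (src, zone) -> NXDOMAIN answers
    total = defaultdict(int)      # (src, zone) -> all non-AXFR queries
    axfr = []
    for src, query, qtype, rcode in records:
        key = (src, base_domain(query))
        if qtype == "AXFR":
            axfr.append(key)      # any zone transfer request is a recon indicator
            continue
        names[key].add(query.lower())
        total[key] += 1
        nxdomain[key] += rcode == "NXDOMAIN"
    hits = []
    for key, seen in names.items():
        ratio = nxdomain[key] / total[key]
        if len(seen) >= min_names and ratio >= min_nx_ratio:
            hits.append((key[0], key[1], len(seen), round(ratio, 2)))
    return {"bruteforce": hits, "axfr": axfr}

if __name__ == "__main__":
    print(detect_dns_enum(SAMPLE_DNS))
```

The repeated lookups from 10.0.0.7 are high volume too, but they hit one existing name, which is why distinct-name count and NXDOMAIN ratio are combined rather than raw query count alone.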

7. SMB / LDAP / RDP Probing

Internal recon indicators include:

  • SMB queries to many hosts

  • LDAP user lookup attempts

  • Multiple failed RDP connections

This often occurs after initial compromise.


8. ICMP Sweeps (Ping Sweeps)

Used to discover live hosts.

Indicators:

  • Many ICMP echo requests

  • Sequential scanning of IP ranges

  • No legitimate reason for the source to be probing those hosts

Wireshark filter:

icmp.type == 8

9. ARP Scanning

Used in internal networks to map devices.

Indicators:

  • ARP requests for entire subnets

  • ARP bursts

Wireshark filter:

arp

Detecting Reconnaissance With Tools


Wireshark

Useful filters:

tcp.flags.syn == 1
icmp
arp
dns
tcp.port == 445

Look for:

  • Sequential IP probes

  • Scatter of SYN packets

  • DNS brute-force patterns


Zeek (Bro)

Relevant logs:

  • conn.log

  • weird.log

  • notice.log

Detection examples:

  • Excessive connection attempts

  • Port scanning signature

  • Unusual service probing
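
An added example (not part of the original chapter) that implements the port-scanning, horizontal-scanning and vertical-scanning indicators from the "Network Indicators" section over Zeek conn.log records, the log named above: a vertical scan is one source touching many ports on one host, a horizontal scan is one source touching one port on many hosts, and only connections that never completed a handshake are counted. The conn.log field names and conn_state values (S0: SYN seen, no reply; REJ: SYN answered with RST) are Zeek's; the sample rows and the thresholds are constructed.

```python
"""Added example: flag vertical and horizontal TCP scans in Zeek conn.log."""
from collections import defaultdict

# Constructed sample in Zeek conn.log TSV layout (subset of the real columns).
# conn_state S0 = SYN seen, no reply; REJ = SYN answered with RST.
HEADER = "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"
ROWS = [f"1700000000.{i}\t10.0.0.5\t{40000+i}\t10.0.0.20\t{i}\ttcp\t{'REJ' if i % 5 else 'S0'}"
        for i in range(1, 31)]                      # vertical: 30 ports on one host
ROWS += [f"1700000100.{i}\t10.0.0.9\t{50000+i}\t10.0.0.{i}\t445\ttcp\tS0"
         for i in range(1, 26)]                     # horizontal: TCP 445 across the subnet
ROWS += [f"1700000200.{i}\t10.0.0.7\t{51000+i}\t10.0.0.20\t443\ttcp\tSF"
         for i in range(1, 6)]                      # benign completed sessions
SAMPLE_CONN_LOG = "\n".join([HEADER] + ROWS) + "\n"

FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}     # handshake never completed

def parse_conn_log(text):
    """Yield dict records from Zeek TSV, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def detect_scans(text, vertical_min=20, horizontal_min=15):
    """Return {'vertical': [(src, dst, n_ports)], 'horizontal': [(src, port, n_hosts)]}."""
    ports_per_pair = defaultdict(set)   # (src, dst)  -> distinct failed dst ports
    hosts_per_port = defaultdict(set)   # (src, port) -> distinct failed dst hosts
    for r in parse_conn_log(text):
        if r["proto"] != "tcp" or r["conn_state"] not in FAILED_STATES:
            continue                    # only unanswered or rejected SYNs count
        src, dst, port = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        ports_per_pair[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    return {
        "vertical": [(s, d, len(p)) for (s, d), p in ports_per_pair.items()
                     if len(p) >= vertical_min],
        "horizontal": [(s, pt, len(h)) for (s, pt), h in hosts_per_port.items()
                       if len(h) >= horizontal_min],
    }

if __name__ == "__main__":
    for kind, hits in detect_scans(SAMPLE_CONN_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On a real deployment, feed it a time-bounded slice of conn.log (for example the last few minutes) so the thresholds express a rate, as the "thousands of SYN packets within seconds" indicator implies.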


Suricata / Snort

IDS signatures detect:

  • Nmap scans

  • XMAS/NULL/FIN scans

  • UDP probes

  • DNS zone transfer attempts


Firewall & Router Logs

Look for:

  • Repeated blocked connections

  • Unrecognized incoming requests

  • Rapid port sweeps


Reconnaissance by Common Tools (Behavior Patterns)

Nmap

  • SYN/ACK/RST patterns

  • ICMP timestamp probes

  • Service banner grabs

Masscan

  • Extremely fast, high packets-per-second (PPS) rate

  • Large number of SYN attempts

Nikto

  • HTTP directory enumeration

  • Security.txt probing

Dirsearch/Gobuster

  • Web brute-force paths

Recognizing tool fingerprints helps identify attacker methods.


Red Flags for Reconnaissance (Checklist)

  • High rate of SYN packets with no completion

  • Many connection resets

  • Repeated probing of specific services

  • DNS enumeration attempts

  • ICMP sweeps across subnets

  • ARP storms on internal network

  • Scans originating from unusual hosts

  • Unauthorized SMB, LDAP, or RDP attempts

  • Short bursts of high-speed port scans

  • Use of known scanning tools, patterns, or payloads


Intel Dump

  • Reconnaissance is attacker information gathering and usually the first technical step of a cyberattack.

  • Indicators include port scanning (horizontal/vertical), DNS enumeration, OS fingerprinting, ARP/ICMP sweeps, SMB/LDAP probing, and banner grabbing.

  • Network forensics tools like Wireshark, Zeek, Suricata, Snort, and firewall logs reveal recon behaviors through packet patterns and scan fingerprints.

  • Common signs: repeated SYN packets, sequential IP probes, random subdomain queries, unusual ICMP requests, and bursts of traffic across many ports.

  • Early detection of recon can prevent exploitation and lateral movement, making it vital for incident response.
