Active Reconnaissance

Overview

Active reconnaissance begins when you directly interact with the target. This room focuses on low-level but highly useful recon tools: the web browser and its developer tools, ping, traceroute, telnet, and netcat.

Core idea: active recon can leave logs on the target or along the network path, so it should only be done with proper authorization and with a clear reason for every connection you make.

1) Active vs Passive Recon

Unlike passive recon, active recon requires some form of direct contact with the target.

Important: even normal-looking browser activity is still active reconnaissance because you are connecting to the target system.

2) Web Browser Recon

A browser is one of the easiest active recon tools because it naturally blends in with normal user traffic while still giving you direct interaction with the target.

Shortcut: open Developer Tools with Ctrl + Shift + I on Linux/Windows or Option + Command + I on macOS.

3) Browser Extensions for Recon

Some browser add-ons make active recon more efficient without changing the core workflow.

Value: these tools let you inspect technology stacks, route traffic through testing tools, and alter how the site perceives your client.

4) ping

ping sends ICMP Echo requests to check whether a host is reachable and responding. The -c flag sets how many requests to send; without it, ping on Linux keeps running until interrupted.

ping -c 5 MACHINE_IP
ping -c 10 MACHINE_IP

No reply does not necessarily mean the host is down: it may be offline, but a firewall on the host or somewhere in the path may simply be dropping ICMP. Windows hosts often block ping by default.

5) traceroute

traceroute shows the path packets take to the target by sending probes with increasing TTL values and recording the ICMP Time Exceeded responses returned by each router along the way.

traceroute MACHINE_IP

Reading output: each numbered line is a hop. Asterisks usually mean the expected ICMP reply was not received for that probe within the timeout, typically because a router rate-limits or drops ICMP.

6) telnet for Banner Grabbing

Although Telnet is insecure for administration, the client is still useful as a simple TCP connector for interacting with services manually and grabbing banners.

telnet MACHINE_IP 80

Example HTTP request after connecting (HTTP/1.1 requires a Host header, and the request is only complete once an empty line follows the headers, so press Enter twice after the last header):

GET / HTTP/1.1
host: telnet

This can reveal server details such as:

Server: nginx/1.6.2

Why it matters: if a service talks over plain TCP and does not require encryption immediately, Telnet can help you speak enough of the protocol to identify versions and behavior.

7) netcat

netcat (nc) is a more flexible TCP/UDP Swiss Army knife: it can act as a client or as a server.

Client mode

nc MACHINE_IP 80

Example HTTP request (terminated by an empty line, exactly as with telnet):

GET / HTTP/1.1
host: netcat

Server mode

nc -vnlp 1234

Flags: -l listen for an incoming connection, -v verbose output, -n skip DNS resolution, -p 1234 the port number to use. The order of the flags does not matter.

Use case: banner grabbing, manual protocol interaction, ad-hoc TCP listeners, and quick connectivity testing.
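The manual telnet and nc banner grabs from the two sections above, scripted as an added example (this is not code from the original notes): it builds a correctly terminated HTTP/1.1 request, sends it with nc, and extracts the Server header from the reply while ignoring any look-alike text in the body. MACHINE_IP, the port and the sample response are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): the telnet/nc banner grab
# scripted so the request is well formed and the Server header is pulled
# out of the reply. The host, port and the sample response below are
# constructed placeholders.

# Build a minimal HTTP/1.1 request. Header lines end in CRLF and the
# header block ends with an empty line; without that empty line the
# server keeps waiting, which is the usual reason a manual grab "hangs".
http_request() {
    printf 'GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Print the value of the Server header from a raw HTTP response.
# Header names are case-insensitive, and only the header block is
# searched so that a "Server:" string in the body is not mistaken for it.
parse_server_header() {
    printf '%s\n' "$1" | awk '
        /^\r?$/ { exit }                  # empty line: end of headers
        tolower($1) == "server:" {
            sub(/^[^:]*:[ \t]*/, "")      # strip the header name
            sub(/\r$/, "")                # strip the CR of CRLF
            print
            exit
        }'
}

# Send the request with netcat; -w 3 gives up after 3 s of silence so a
# service that never answers does not block the check.
grab_banner() {
    http_request "$1" | nc -w 3 "$1" "$2"
}

# Constructed sample reply, used so the parser can be exercised offline.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\nContent-Type: text/html\r\n\r\n<p>Server: decoy</p>\r\n')

# Usage: sh banner.sh MACHINE_IP 80   (MACHINE_IP is a placeholder)
if [ "$#" -eq 2 ]; then
    printf 'Server: %s\n' "$(parse_server_header "$(grab_banner "$1" "$2")")"
fi
```

Run with no arguments the script only defines the functions, so it can be sourced and the parser tried against SAMPLE_RESPONSE before pointing it at a live host.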

8) Putting the Tools Together

The room’s real point is that these simple tools combine into a practical recon workflow before you ever touch heavier scanners like Nmap.

  1. Use the browser and DevTools to inspect the web app like a normal user.
  2. Use ping to check reachability.
  3. Use traceroute to understand the network path.
  4. Use telnet or nc to check open TCP services and collect banners.

PT1 mindset: these are primitive compared with Nmap and Burp, but they are installed almost everywhere and are excellent for quick checks or quiet manual verification.

Active Recon Cheat Sheet

ping -c 10 MACHINE_IP
traceroute MACHINE_IP
telnet MACHINE_IP PORT_NUMBER
nc MACHINE_IP PORT_NUMBER
nc -lvnp PORT_NUMBER

Exam Notes (PT1)