1. What Is Active Information Gathering?

Active Information Gathering is a reconnaissance technique where the tester directly interacts with the target system to collect information.

This means the tester sends:

  • Network packets
  • Requests to ports
  • HTTP requests to web servers

Because of this interaction, the target system can detect the activity: security systems (firewall, IDS, IPS) may trigger alerts, and logs may be created.

Active information gathering is usually done after passive reconnaissance, when the tester already knows the target’s IP address or domain name.

Active Information Gathering usually follows these steps:

  1. Identify the target IP address or domain
  2. Send probes or requests to the target
  3. Observe how the target responds
  4. Analyze the response to find:
     • Open ports
     • Running services
     • Software versions
     • Security weaknesses

Main Characteristics

Active Information Gathering has the following characteristics:

  • Direct Interaction: the tester communicates directly with the target system.
  • Detectable: activities can appear in logs and monitoring systems.
  • Detailed Results: it provides deeper technical information than passive recon.
  • Higher Risk: it should only be done with permission (ethical hacking).

2. Tools Used in Active Information Gathering

1. Nmap (Network Mapper)

Nmap is the most popular tool for active reconnaissance.

It is used to scan networks, detect open ports, services, and vulnerabilities.

  • Scan Common Ports and Detect Services

sudo nmap -sV -p 21,22,25,53,80,443,3389 domain/ipaddress

-sV is used to detect service versions

-p is used to select the ports to scan

21 : FTP
22 : SSH
25 : SMTP
53 : DNS
80 : HTTP
443 : HTTPS
3389 : RDP

We can also use -p- instead of -p to scan all 65,535 ports

  • Nmap Vulnerability Scripts

Runs the Nmap Scripting Engine (NSE) scripts in the "vuln" category to check the target for known vulnerabilities

sudo nmap --script vuln domain/ipaddress

  • Aggressive Scan

Aggressive scan is a type of Nmap scan that collects as much information as possible about a target system in one scan.

sudo nmap -A domain/ipaddress

The -A option enables:

  • OS detection
  • Service detection
  • Script scanning
  • Traceroute

This method is very noisy and is easily detected. Use it only with permission.
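The text above stresses that every Nmap probe is visible on the target side. The following is an added example (not part of the original page and not Nmap's own code) of the kind of sliding-window heuristic an IDS or firewall log monitor uses to spot that activity: one source touching many distinct ports on one host within a short window. The log format, the IP addresses and the sample lines are constructed for the example; both accepted and dropped connections count, because a port scan hits closed ports too.

```python
"""Detect port-scan-like behaviour in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <action>"
# 10.0.0.5 is a normal client; 203.0.113.7 probes seven ports in three seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 192.0.2.10:22 ACCEPT
2024-05-01T10:00:01 10.0.0.5 -> 192.0.2.10:80 ACCEPT
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:21 DROP
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:22 ACCEPT
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:25 DROP
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:53 DROP
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:80 ACCEPT
2024-05-01T10:00:03 203.0.113.7 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:03 203.0.113.7 -> 192.0.2.10:3389 DROP
2024-05-01T10:05:00 10.0.0.5 -> 192.0.2.10:443 ACCEPT
"""


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, port, action) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        dst_ip, port = parts[3].rsplit(":", 1)
        return ts, parts[1], dst_ip, int(port), parts[4]
    except ValueError:
        return None


def detect_port_scans(log_text, window_seconds=10, port_threshold=5):
    """Flag (src, dst) pairs where the source touches at least
    port_threshold distinct ports within any window_seconds span.

    Returns {(src, dst): {"ports": [...], "first": ts, "last": ts}} with
    the largest qualifying window found for each pair.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, port, _action = rec  # DROP and ACCEPT both count
            events[(src, dst)].append((ts, port))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        best = None
        lo = 0
        for hi in range(len(evs)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            ports = {p for _, p in evs[lo:hi + 1]}
            if len(ports) >= port_threshold and (best is None or len(ports) > len(best["ports"])):
                best = {"ports": sorted(ports), "first": evs[lo][0], "last": evs[hi][0]}
        if best:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src} against {dst}: ports {info['ports']} "
              f"between {info['first']} and {info['last']}")
```

The thresholds are deliberately small so the constructed log triggers; in production the window and port count are tuned against the normal traffic of the network, and a full -p- scan would trip any reasonable setting within seconds.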

2. wafw00f (Web Application Firewall Detection)

wafw00f identifies whether a website is protected by a Web Application Firewall and, if so, which WAF product is in front of it.

wafw00f domain/ipaddress

If wafw00f reports a WAF such as Cloudflare, the real server IP may be hidden behind it.

3. Nikto (Web Server Scanner)

Nikto is an open-source web server vulnerability scanner used in cybersecurity to find security issues on web servers. It works by sending multiple HTTP requests to a target website, analyzing the server’s responses, and then reporting any potential security issues it finds.

nikto -h domain/ipaddress

Nikto checks for:

  • Outdated web server versions (Apache, Nginx, IIS)
  • Default or sensitive files
  • Insecure server settings
  • Known vulnerabilities from public databases

Nikto is also very noisy and is easily detected. Use it only with permission.
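Because Nikto sends many HTTP requests for files that usually do not exist, a run leaves a distinctive trace in the web server's access log. The following is an added example (not part of the original page and not Nikto's code) of two checks a defender can run over such a log: a self-identifying scanner User-Agent (Nikto's default User-Agent contains the string "Nikto"), and a burst of requests from one client for many distinct paths that mostly return 404, which also catches a scanner that has changed its User-Agent. The log lines are constructed in the Apache/Nginx combined format; the IP addresses, paths and Nikto test identifiers are sample values.

```python
"""Flag web-scanner activity in access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format).
# 192.0.2.44: normal browsing; 203.0.113.9: Nikto with its default User-Agent;
# 198.51.100.3: a scanner with a generic User-Agent probing non-existent paths.
SAMPLE_ACCESS_LOG = """\
192.0.2.44 - - [01/May/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.44 - - [01/May/2024:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.9 - - [01/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:Port Check)"
203.0.113.9 - - [01/May/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.9 - - [01/May/2024:10:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.3 - - [01/May/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [01/May/2024:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.3 - - [01/May/2024:10:02:01 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.3 - - [01/May/2024:10:02:01 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.3 - - [01/May/2024:10:02:02 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.3 - - [01/May/2024:10:02:02 +0000] "GET /config/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA_MARKERS = ("nikto",)  # substrings that identify a scanner's default User-Agent


def detect_web_scanners(log_text, distinct_path_threshold=5, not_found_ratio=0.6):
    """Return {client_ip: {"reasons": [...], "requests": n, "not_found": m, "paths": k}}
    for clients that either announce themselves via User-Agent or request at
    least distinct_path_threshold different paths with >= not_found_ratio of
    them answered 404.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "ua_hit": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        stats = per_ip[m["ip"]]
        stats["requests"] += 1
        stats["paths"].add(m["path"])
        if m["status"] == "404":
            stats["not_found"] += 1
        if any(marker in m["ua"].lower() for marker in SCANNER_UA_MARKERS):
            stats["ua_hit"] = True

    alerts = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["ua_hit"]:
            reasons.append("scanner user-agent")
        if len(s["paths"]) >= distinct_path_threshold and s["not_found"] / s["requests"] >= not_found_ratio:
            reasons.append("probing burst (many distinct paths, mostly 404)")
        if reasons:
            alerts[ip] = {"reasons": reasons, "requests": s["requests"],
                          "not_found": s["not_found"], "paths": len(s["paths"])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_web_scanners(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {', '.join(info['reasons'])} "
              f"({info['requests']} requests, {info['not_found']} x 404, {info['paths']} paths)")
```

The 404 ratio is what separates a scanner from a client repeatedly following one broken link: the latter produces many 404s but few distinct paths. On a real server the same logic would be run over a time window rather than the whole file.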

3. Active Information Gathering Methods

Online Active Information Gathering

Done through the internet by directly interacting with a target system. It includes activities such as port scanning with Nmap, web server scanning with Nikto, and detecting Web Application Firewalls (WAFs). These actions send requests to the target, making them detectable and usually logged by security systems.

Offline Active Information Gathering

Requires physical access or close proximity to the target. It involves interacting directly with internal networks or people, such as connecting to a local network and scanning internal IP ranges, observing users while they enter credentials, searching discarded documents, or asking employees directly.