Open Source Intelligence

The package “open source intelligence” refers to a passive or active scan of a target domain. Both scans enable a first evaluation of the public attack surface of a company or domain. The cascading usage of tools – centralized and automated in the mgm tool “recon me” – identifies accessible services, used software, available data and more. The entirety of the findings allow an experienced security expert to draw conclusions regarding the technical IT security of the target.

Passive scan

A passive scan searches publicly accessible directory services to obtain information about the target. Those services usually generate their information by using their own active scanners, which means they analyse big parts of the internet automatically. The collected information are saved and offered as a service to clients.

The advantage for the clients lies in the fact, that they never directly interact with the target and thus aren’t identifiable by it. That’s why the scanned is considered passive. The disadvantage of this method is, that the actuality or availability of the requested information about the target can’t be guaranteed.

Some of the obtainable information by a passive scan are the owner information of the target (whois), different servers like DNS and E-mail, E-mail addresses, subdomains of the target (e.g.,, …), the location of the server (in most cases), the operator (especially with external operators such as Amazon or Akamai) and the available standard services (e.g. http/https/ssh). If a special web presence is used, the used technology is also identified in most cases.

The result is a report, that contains all findings and the resulting issues.

Active scan

The active scan differs from the passive scan primarily in the differnt usage of tools, that directly and actively analyse the target. For this purpose, direct communication connections between the analysis system and the target are established.

The requests create a certain load, that is being kept as small as possible and shouldn’t affect the reaction time of the target. In addition to that, no attacks are executed. Nontheless, performing an active scan requires the consent of the target due to the current legal situation in Germany (see also § 202c StGB).

The quality as well as the extent of the generated data by an active scan can differ significantly from data generated by a passive scan. The differences can exists in the completeness of the data (i.a. server, subdomains, services, used technologies) as well as in the type. This way, an active scan can also identify unintentionally publicly accessible data.

The result is (similar to the passive scan) a corresponding report with the findings and resulting issues.

We assist you:

  • active  and/or passive analysis of a target domain with the help of the mgm tool “recon me
  • public attack surface assessment
  • structured processing of the results with concrete suggestions
  • extensive consulting regarding additional measures


Open Source Intelligence

Your Contact:

Thomas Schönrich

Contact us via email.
Or call us or use our special contact form.