What tools do threat actors use for reconnaissance attacks?
Internet tools such as nslookup, whois, and ping to map the target's IP space and find active hosts.
Reconnaissance is the homework an attacker does before striking — discovering and mapping a target's systems and services so the real attack can be aimed precisely. What makes it dangerous is that it relies on perfectly ordinary, legitimate internet tools, so the early stages look like normal lookups:
* whois and nslookup reveal the target's IP space; a ping sweep then shows which hosts are alive to attack. *
- nslookup - Queries DNS servers to translate names into IP addresses and reveal domain details.
- whois - Looks up public registration records to learn which IP address ranges and domains belong to the target.
- ping - Sends a probe to test whether a given IP address is active and reachable.
The pieces combine into a simple workflow: use whois and nslookup to find the IP address space assigned to the target, then ping those addresses to see which hosts are alive, and use that map to plan where to attack next. Recognising this pattern early — e.g. a burst of pings across your address range — can be the first warning of a coming attack.
Go deeper:
Footprinting — Wikipedia — the reconnaissance phase and the tools (nslookup, whois, ping, nmap) used to map a target.