## 🗂️ Methodology Checklist
- Passive OSINT first: WHOIS, crt.sh, Shodan, Google dorks, LinkedIn
- DNS: zone transfer attempts against all NS servers
- Nmap: host discovery → full port scan → service/version detection
- UDP scan: SNMP (161), IPMI (623), TFTP (69)
- Protocol-specific enum for each open service
- Web: subdomain brute-force + VHost fuzzing
- Credential check: anonymous/null auth on every service
- Compile all versions → CVE research (searchsploit + NVD)
## 🎯 Operational Context
Use when: starting any engagement. This is the master reference for recon-phase tools and commands, organized by phase (passive → active → service enumeration). Think Dumber First: always go passive (WHOIS, CT logs, Shodan, Google dorks) before active, and write down what you find before moving on. Active scanning in the wrong order wastes time and creates alert noise. Skip when: N/A; this is a master reference document.
## ⚡ Tactical Cheatsheet
### Host Discovery & Port Scanning
| Command | Tactical Outcome |
|---|---|
| `nmap -sn [CIDR]` | Ping sweep → live host discovery (pass the full prefix, e.g. 10.10.10.0/24) |
| `nmap -p- --min-rate 5000 -sV -sC -oA scan [TARGET_IP]` | Full TCP scan with service/script detection |
| `sudo nmap -sU --top-ports 100 [TARGET_IP]` | UDP top-100 scan (raw sockets, needs root) |
| `sudo nmap -O [TARGET_IP]` | OS fingerprint |
| `nmap --script [CATEGORY] [TARGET_IP]` | Run an NSE script category (vuln, auth, brute) |
| `nmap -p 445 --script "smb-vuln-*" [TARGET_IP]` | SMB vulnerability scripts (quote the glob so the shell does not expand it) |
### DNS & Subdomain Enumeration
| Command | Tactical Outcome |
|---|---|
| `dig NS [DOMAIN]` | Find all authoritative NS records |
| `dig axfr [DOMAIN] @[NS_IP]` | Zone transfer attempt (repeat against every NS; one misconfigured secondary is enough) |
| `dig ANY [DOMAIN] @[NS_IP]` | All record types (many servers now answer ANY with a minimal HINFO reply per RFC 8482; query A/AAAA/MX/TXT individually if this comes back empty) |
| `gobuster dns -d [DOMAIN] -w [WORDLIST] -t 50` | Subdomain brute-force |
| `dnsx -d [DOMAIN] -w [WORDLIST] -resp` | Resolver-based subdomain enum |
| `ffuf -u http://[TARGET_IP] -H "Host: FUZZ.[DOMAIN]" -w [WORDLIST] -fs [SIZE]` | VHost fuzzing (set -fs to the size of the default vhost response so only different responses show) |
### Service-Specific Enumeration
| Command | Tactical Outcome |
|---|---|
| `ftp [TARGET_IP]` | FTP → try anonymous login |
| `smbclient -N -L //[TARGET_IP]` | SMB → NULL session share list |
| `enum4linux-ng [TARGET_IP]` | Full SMB/RPC enumeration |
| `snmpwalk -v2c -c [COMMUNITY] [TARGET_IP]` | SNMP walk for config/credentials |
| `onesixtyone -c snmp.txt [TARGET_IP]` | SNMP community string brute-force (snmp.txt is your community wordlist) |
| `showmount -e [TARGET_IP]` | List NFS exports |
| `ipmitool -I lanplus -C 0 -H [TARGET_IP] -U admin -P "" user list` | IPMI cipher suite 0 auth bypass (the password is ignored if the BMC accepts suite 0; the username must still exist) |
| `mysql -u root -h [TARGET_IP]` | MySQL → test blank root password |
| `mssqlclient.py [USER]@[TARGET_IP] -port 1433` | MSSQL connect (Impacket; the option is `-port`, add `-windows-auth` for domain accounts) |
| `nc [TARGET_IP] 25`, then `VRFY [USER]` | SMTP user enumeration |
### Web Reconnaissance
| Command | Tactical Outcome |
|---|---|
| `curl -I http://[TARGET_IP]` | Banner grab → Server, X-Powered-By headers |
| `whatweb http://[TARGET_IP]` | Technology fingerprinting |
| `nikto -h [TARGET_IP]` | Web server vulnerability scan |
| `ffuf -u http://[TARGET]/FUZZ -w [WORDLIST] -mc 200,301,302` | Directory brute-force |
| `ffuf -u http://[TARGET]/FUZZ -w [WORDLIST] -e .php,.txt,.bak` | File extension fuzzing |
| `curl -s "https://crt.sh/?q=[DOMAIN]&output=json" \| jq .` | Certificate Transparency lookup |
| `whois [DOMAIN]` | Registrar, NS, contact info |
| `waybackurls [DOMAIN] \| sort -u` | Historical URL enumeration |
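Raw crt.sh output is noisy: one `name_value` per certificate, wildcards, mixed case, duplicates, and occasionally a lookalike domain that merely contains the target string. The script below is an added example, not part of the original cheatsheet, showing the clean-up step between the CT lookup and the VHost fuzzing / `/etc/hosts` entries used later on this page. The domain, IP and CT names are constructed for the example; nothing is fetched when it runs.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): normalise Certificate
# Transparency names before they go into a vhost wordlist or /etc/hosts.
# Input is constructed to look like `jq -r '.[].name_value'` output from
# crt.sh; the domain and IP are assumed values and nothing is fetched.
set -eu

DOMAIN=example.com      # assumed scope domain
TARGET_IP=10.10.10.5    # assumed web server the vhosts resolve to

# Constructed CT output: wildcards, mixed case, duplicates (one per cert),
# an apex entry and a lookalike that merely contains the target domain.
CT_RAW='www.example.com
*.example.com
Mail.Example.com
dev.example.com
www.example.com
vpn.example.com
dev.example.com.evil-phish.net
example.com'

# Lowercase, strip wildcard labels, keep only the apex and names ending in
# ".$DOMAIN", dedupe. The lookalike is dropped: CT searches match on the
# string, not on ownership, and a typo-squat must never land in /etc/hosts.
normalize_ct_names() {
  tr 'A-Z' 'a-z' | sed 's/^\*\.//' | awk -v d="$DOMAIN" '
    NF && ($0 == d || substr($0, length($0) - length(d)) == "." d) && !seen[$0]++
  ' | sort
}

# Leftmost labels for ffuf (Host: FUZZ.$DOMAIN); the apex contributes nothing.
vhost_candidates() {
  awk -v d="$DOMAIN" '$0 != d { print substr($0, 1, length($0) - length(d) - 1) }' | sort -u
}

# One /etc/hosts line carrying every in-scope name.
hosts_line() {
  awk -v ip="$TARGET_IP" '{ line = line " " $0 } END { print ip line }'
}

NAMES=$(printf '%s\n' "$CT_RAW" | normalize_ct_names)
printf '%s\n' "$NAMES" | vhost_candidates   # save to a file and pass to ffuf with -w
printf '%s\n' "$NAMES" | hosts_line         # append with: ... | sudo tee -a /etc/hosts
```

The in-scope filter is the part worth keeping: it compares the suffix as a string rather than with a regex, so a dot in the domain cannot be matched as "any character", and the lookalike `dev.example.com.evil-phish.net` is rejected instead of being mapped to the target IP.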
### OSINT
| Command | Tactical Outcome |
|---|---|
| `theHarvester -d [DOMAIN] -b all` | Email/host/subdomain OSINT |
| `site:[DOMAIN] (filetype:pdf OR filetype:xls OR filetype:docx)` | Google dork → document search (each alternative needs its own filetype: operator, otherwise "xls" is a plain keyword) |
| `site:[DOMAIN] (inurl:login OR inurl:admin)` | Google dork → admin pages |
| `shodan search "org:[ORG] port:22"` | Shodan → exposed SSH hosts |
## 🔬 Deep Dive & Workflow
### Nmap Scanning Strategy
```bash
# Phase 1: Quick host sweep (pass the full prefix, e.g. 10.10.10.0/24)
nmap -sn [CIDR] -oG - | grep Up | awk '{print $2}' > live_hosts.txt
# Phase 2: Full TCP + version (from host list)
nmap -p- --min-rate 5000 -sV -sC -iL live_hosts.txt -oA full_scan
# Phase 3: UDP key ports (raw sockets, needs root)
sudo nmap -sU -p 53,67,68,69,123,161,162,514,623,1900 -iL live_hosts.txt -oA udp_scan
# Phase 4: Targeted scripts on discovered services
nmap --script smb-enum-shares,smb-enum-users -p 445 [TARGET_IP]
nmap --script ftp-anon,ftp-bounce -p 21 [TARGET_IP]
nmap --script ms-sql-info,ms-sql-empty-password -p 1433 [TARGET_IP]
```
### Subdomain & VHost Discovery Flow
```bash
# Passive (no traffic to target); one name_value may hold several SANs on
# separate lines, which is why the output is piped through sort -u
curl -s "https://crt.sh/?q=%25.[DOMAIN]&output=json" | jq -r '.[].name_value' | sort -u
# Active brute-force
gobuster dns -d [DOMAIN] -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50
# VHost fuzzing (find unlisted virtual hosts); take the baseline size from a
# request with a Host header that certainly does not exist
ffuf -u http://[TARGET_IP] -H "Host: FUZZ.[DOMAIN]" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs [BASELINE_RESPONSE_SIZE] -o vhosts.json
# Add all discovered to /etc/hosts (the redirection needs root, so use tee)
echo "[TARGET_IP] [VHOST1] [VHOST2]" | sudo tee -a /etc/hosts
```
### Anonymous Auth Check Matrix
| Protocol | Null/Anon test |
|---|---|
| FTP | `ftp [IP]` → user: anonymous, pass: (blank) |
| SMB | `smbclient -N -L //[IP]` |
| LDAP | `ldapsearch -x -H ldap://[IP] -b "DC=..."` (anonymous simple bind) |
| SMTP | `nc [IP] 25`, then `VRFY [USER]` |
| SNMP | `snmpwalk -v1 -c public [IP]` |
| NFS | `showmount -e [IP]`, then `mount` the export |
| MySQL | `mysql -u root -h [IP]` (no -p) |
| MSSQL | `mssqlclient.py sa@[IP]` (press Enter at the password prompt for a blank password) |
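Phase 4 of the Nmap strategy and the anonymous-auth matrix both start from the same input: the list of open ports and version strings that the phase-2 scan wrote with `-oA`. The script below is an added example, not part of the original cheatsheet, that parses the grepable (`.gnmap`) file and emits, per open port, the targeted NSE run, the null/anonymous check from the matrix, and a searchsploit query built from the version string (the last checklist item). The scan output, hosts and versions are constructed; the script only prints commands and scans nothing.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): turn `nmap -oG` output into
# a per-service follow-up plan: phase-4 NSE scripts, the null/anonymous
# auth check from the matrix above, and a searchsploit query per version.
# The scan output below is constructed; nothing is scanned when this runs.
set -eu

# Constructed grepable output, shaped like `nmap -sV -oG full_scan.gnmap`.
# Fields are tab-separated; each port is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP=$(
  printf '%s\n' '# Nmap 7.94 scan initiated'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf '%s\t%s\t%s\n' 'Host: 10.10.10.5 ()' \
    'Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/, 3306/open/tcp//mysql//MySQL 5.7.40/' \
    'Ignored State: closed (997)'
  printf '%s\t%s\t%s\n' 'Host: 10.10.10.6 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, 80/open/tcp//http//Apache httpd 2.4.49/, 135/filtered/tcp//msrpc///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019 15.00.2000/' \
    'Ignored State: filtered (996)'
  printf '%s\n' '# Nmap done'
)

# Parse "Ports:" records into TSV (host, port, service, version), open ports only.
parse_gnmap() {
  awk -F '\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); host = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] != "open") continue
        svc = (f[5] == "") ? "unknown" : f[5]
        printf "%s\t%s\t%s\t%s\n", host, f[1], svc, f[7]
      }
    }'
}

# Phase-4 NSE scripts keyed by the service name nmap reports (extend as needed).
nse_for_service() {
  case "$1" in
    ftp)                      echo "ftp-anon,ftp-bounce" ;;
    ssh)                      echo "ssh2-enum-algos,ssh-auth-methods" ;;
    microsoft-ds|netbios-ssn) echo "smb-enum-shares,smb-enum-users,smb-vuln-*" ;;
    mysql)                    echo "mysql-info,mysql-empty-password" ;;
    ms-sql-s)                 echo "ms-sql-info,ms-sql-empty-password" ;;
    http|https)               echo "http-title,http-headers" ;;
    *)                        echo "banner" ;;
  esac
}

# Null/anonymous auth probe from the matrix, for the services it covers.
null_auth_check() {  # $1 host, $2 port, $3 service
  case "$3" in
    ftp)                      echo "curl -s --user anonymous: ftp://$1:$2/" ;;
    microsoft-ds|netbios-ssn) echo "smbclient -N -L //$1" ;;
    mysql)                    echo "mysql -u root -h $1 -P $2" ;;
    ms-sql-s)                 echo "mssqlclient.py sa:@$1 -port $2 -no-pass" ;;
    http|https)               echo "curl -sI $3://$1:$2/" ;;
    *)                        echo "# $3: no null-auth test in the matrix; banner: nc -nv $1 $2" ;;
  esac
}

# Product tokens up to and including the first token with a digit, so distro
# suffixes such as "Ubuntu 4ubuntu0.5" do not pollute the searchsploit query.
searchsploit_query() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) { q = q " " $i; if ($i ~ /[0-9]/) break }
    sub(/^ /, "", q); print q
  }'
}

# Emit the follow-up commands for every open port in the gnmap on stdin.
plan_from_gnmap() {
  tab=$(printf '\t')
  parse_gnmap | while IFS="$tab" read -r host port svc ver; do
    echo "# $host:$port $svc ($ver)"
    echo "nmap -p $port --script \"$(nse_for_service "$svc")\" $host"
    null_auth_check "$host" "$port" "$svc"
    if [ -n "$ver" ]; then
      echo "searchsploit $(searchsploit_query "$ver")"
    fi
  done
}

printf '%s\n' "$SAMPLE_GNMAP" | plan_from_gnmap
```

Run it against a real file with `plan_from_gnmap < full_scan.gnmap` and review the plan before executing it; the filtered port is skipped on purpose, and searchsploit ANDs every term, so trim a query by hand if a specific version returns nothing.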
## 🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Passive recon returns nothing | Target has minimal online presence | Switch to active earlier; passive recon scales with the target's internet footprint |
| Nmap scan taking too long | Default timing too slow | Adjust: -T4 for faster; --min-rate 1000 for even faster; balance speed vs detection |
| Results missing from scan | Port range too narrow | Default nmap scans the top 1000 ports; add -p- for all ports on interesting hosts |
| Scan detected by IDS | Aggressive timing triggered alerts | Reduce: -T2 timing; add --scan-delay 500ms; fragment with -f (needs root) |
| Service version detection wrong | Default probe intensity too low | Increase intensity: --version-intensity 9; or -A for OS + version + scripts (both are noisier) |
## Reporting Trigger
- Finding Title: Complete Reconnaissance Phase: Attack Surface Mapped
- Impact: Systematic recon from passive to active enumeration maps the complete external attack surface, including all exposed services, versions, subdomains and technologies, providing the foundation for targeted exploitation without wasted effort on inapplicable techniques.
- Root Cause: N/A (operational methodology documentation).
- Recommendation: Organizations should conduct regular external attack surface assessments using the same methodology, and implement continuous external attack surface management (EASM) to detect new exposure before attackers do.