Chapter 3.1 - Reconnaissance, Scanning and Enumeration
Module 3: Offensive Security and Exploitation
Prerequisites: Module 2 complete - you understand what defenders see; now learn what attackers generate.
Table of Contents
- Reconnaissance Taxonomy - Passive vs Active
- Passive OSINT - DNS, WHOIS, Certificate Transparency and Shodan
- Active Scanning - Nmap Internals, Timing and Detection Footprint
- Service Enumeration - Banners, Versions and Protocol Fingerprinting
- Web Application Reconnaissance - Directory Brute-Force and Tech Detection
- DNS Enumeration and Zone Transfer Attacks
- SMTP, SMB and LDAP Enumeration
- Network Topology Mapping - Traceroute, TTL Analysis and AS Path
- Defensive Detections and Hardening
- MITRE ATT&CK Mapping
1. Reconnaissance Taxonomy - Passive vs Active
Reconnaissance is the first phase of every engagement - and the phase where defenders have the most asymmetric disadvantage. Done correctly, passive recon leaves zero footprint on the target's infrastructure. Active scanning generates packets that reach the target, creating log entries, triggering IDS rules, and potentially alerting defenders.
| Dimension | Passive Recon | Active Recon |
|---|---|---|
| Defender visibility | Zero (queries hit third-party infrastructure) | Partial to full (packets hit target) |
| Data freshness | Hours to weeks old | Real-time |
| Breadth | Infrastructure-wide, historical | Limited to live hosts |
| Speed | Slow (API rate limits) | Fast (parallel scan) |
| Detection risk | None | Medium to high |
| Legal boundary | Generally safe | Requires authorization |
Reconnaissance maps directly to MITRE ATT&CK Tactic: Reconnaissance (TA0043).
2. Passive OSINT - DNS, WHOIS, Certificate Transparency and Shodan
WHOIS and RDAP
```bash
# Classic WHOIS
whois target-corp.com
# RDAP structured JSON output
curl -s "https://rdap.verisign.com/com/v1/domain/target-corp.com" | jq .
# ASN lookup - find all IP ranges owned by the target
whois -h whois.radb.net -- '-i origin AS12345'
# Get all prefixes announced by an ASN
curl -s "https://api.bgpview.io/asn/12345/prefixes" | \
  jq '.data.ipv4_prefixes[].prefix'
```
DNS Passive Reconnaissance
```bash
# Basic DNS record enumeration
for record_type in A AAAA MX NS TXT SOA CNAME; do
  echo "=== $record_type ==="
  dig +noall +answer target-corp.com $record_type
done
# SPF record - reveals mail infrastructure
dig +short TXT target-corp.com | grep "v=spf1"
# DMARC record - shows email security maturity
dig +short TXT _dmarc.target-corp.com
# SecurityTrails passive DNS
curl -s "https://api.securitytrails.com/v1/domain/target-corp.com/subdomains" \
  -H "APIKEY: YOUR_KEY" | jq '.subdomains[]'
```
Certificate Transparency
```bash
# Find all subdomains via CT logs
curl -s "https://crt.sh/?q=%.target-corp.com&output=json" | \
  jq -r '.[].name_value' | \
  sed 's/\*\.//g' | \
  sort -u | \
  grep -v '^$'
# Resolve each subdomain to find live hosts
curl -s "https://crt.sh/?q=%.target-corp.com&output=json" | \
  jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > subdomains.txt
while read subdomain; do
  ip=$(dig +short A "$subdomain" 2>/dev/null | head -1)
  if [ -n "$ip" ]; then echo "$ip $subdomain"; fi
done < subdomains.txt
```
Shodan and Censys
```bash
shodan init YOUR_API_KEY
# Find all hosts for a company by ASN
shodan search "asn:AS12345" --fields ip_str,port,org,product,version
# Find hosts by network range
shodan search "net:203.0.113.0/24" --fields ip_str,port,product,version,os
# Find vulnerable Apache 2.4.49 (CVE-2021-41773)
shodan search "org:\"Target Corporation\" product:\"Apache httpd\" version:\"2.4.49\""
# Censys equivalent (the CLI selects the index with --index-type)
censys search "autonomous_system.name:\"Target Corporation\"" --index-type hosts \
  --fields ip,services.port,services.service_name,services.software
```
GitHub and Code Repository OSINT
```bash
# truffleHog - scan GitHub org for leaked secrets
trufflehog github --org=target-corporation \
  --only-verified \
  --json | jq '{file:.SourceMetadata.Data.Github.file, detector:.DetectorName}'
# gitleaks - scan a specific repo
gitleaks detect --source /path/to/cloned/repo \
  --report-format json --report-path /tmp/leaks.json
```
3. Active Scanning - Nmap Internals, Timing and Detection Footprint
How Nmap SYN Scanning Works
| Response | Nmap State | Meaning |
|---|---|---|
| SYN-ACK | open | Port is listening |
| RST | closed | Port reachable, no service |
| No response (timeout) | filtered | Firewall dropping packets |
| ICMP unreachable type 3 | filtered | Firewall rejecting |
SYN scanning never completes the three-way handshake - Nmap sends RST after receiving SYN-ACK, preventing application-layer logging.
Nmap Scan Types
```bash
# SYN scan (default, stealthy, requires root)
nmap -sS 192.168.1.0/24
# TCP connect scan (no root needed, fully logged)
nmap -sT 192.168.1.100
# UDP scan (essential for DNS/SNMP/TFTP)
nmap -sU --top-ports 100 192.168.1.100
# ACK scan - determine firewall rules
nmap -sA 192.168.1.0/24
```
Host Discovery
```bash
nmap -sn 10.0.0.0/24                # Ping sweep (as root: ICMP echo, TCP SYN 443, TCP ACK 80, ICMP timestamp)
nmap -sn -PR 192.168.1.0/24         # ARP ping (LAN; Nmap uses ARP automatically on a local Ethernet segment)
nmap -sn -PS22,80,443 10.0.0.0/24   # TCP SYN ping
nmap -sn -PA80,443 10.0.0.0/24      # TCP ACK ping
arp-scan --localnet                 # Direct ARP scan
```
Timing Templates
| Template | Name | Min probe delay | IDS Risk |
|---|---|---|---|
| -T0 | Paranoid | 5 min/probe | Near-zero |
| -T1 | Sneaky | 15s/probe | Very low |
| -T2 | Polite | 400ms | Low |
| -T3 | Normal | 100ms | Medium |
| -T4 | Aggressive | 10ms | High |
| -T5 | Insane | 5ms | Very high |
```bash
# Evasive scan - below IDS threshold
nmap -sS -T1 -n \
  --randomize-hosts \
  --data-length 25 \
  --source-port 53 \
  -p 22,80,443,3389,445,8080 \
  10.0.0.0/16 \
  -oG /tmp/scan_results.gnmap
# Decoy scan - obscure real source IP
nmap -sS -D 10.0.0.1,10.0.0.2,ME,10.0.0.3 192.168.1.100
```
Full Targeted Scan Workflow
```bash
# Phase 1: Discover all open ports
nmap -sS -p- -T4 --min-rate 1000 -n --open \
  -oG /tmp/all_ports.gnmap 192.168.1.100
# Extract open ports (gnmap "Ports:" entries look like 22/open/tcp//ssh///,
# so match "<port>/open" and keep the number before the slash)
ports=$(grep -oE '[0-9]+/open' /tmp/all_ports.gnmap | cut -d/ -f1 | \
  sort -nu | paste -s -d , -)
# Phase 2: Deep scan on open ports only
nmap -sS -sV -sC -O -p "$ports" --version-intensity 7 \
  -oA /tmp/deep_scan 192.168.1.100
```
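The two-phase workflow depends on reading Nmap's greppable (`-oG`) format correctly, and a one-line grep is easy to get wrong. Below is an added example (not part of the original chapter, and not Nmap's own code) of a small POSIX shell parser for that format: it walks every tab-separated field of each `Host:` line, splits the `Ports:` list into `port/state/proto/owner/service/...` records, keeps only `open` entries, and builds the comma-separated port list that `nmap -p` expects. The `sample_gnmap` output is constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Constructed sample of Nmap -oG output (not a real scan). Fields are tab-separated.
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sS -p- --open -oG - 192.168.1.0/24\n'
  printf 'Host: 192.168.1.100 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65532)\n'
  printf 'Host: 192.168.1.101 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n'
  printf '# Nmap done\n'
}

# gnmap_open_ports: read gnmap text on stdin, print "host port proto service"
# for every port whose state is "open" (filtered/closed entries are dropped).
gnmap_open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, p, ", ")
          for (j = 1; j <= n; j++) {
            split(p[j], f, "/")        # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open") print host, f[1], f[3], f[5]
          }
        }
      }
    }'
}

# csv_ports HOST: comma-separated, numerically sorted open ports for one host,
# in the form "nmap -p" accepts (e.g. 22,80,443).
csv_ports() {
  gnmap_open_ports | awk -v want="$1" '$1 == want { print $2 }' | \
    sort -nu | paste -s -d , -
}

# Usage: list everything, then build the phase-2 port list for one host.
sample_gnmap | gnmap_open_ports
sample_gnmap | csv_ports 192.168.1.100
```

Because the parser splits on the record separators rather than on a lookbehind, it also works when a service name is empty or when a host has a single port, both of which break simpler regex pipelines.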
4. Service Enumeration - Banners, Versions and Protocol Fingerprinting
Banner Grabbing
```bash
nc -nv 192.168.1.100 22   # SSH banner
nc -nv 192.168.1.100 21   # FTP banner
echo "" | nc -w 3 192.168.1.100 80 | head -5
# HTTP headers
curl -si http://192.168.1.100/ | head -20
# SSL/TLS version details (</dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect 192.168.1.100:443 </dev/null 2>/dev/null | \
  grep -E "Protocol|Cipher|subject|issuer"
```
Nmap NSE Scripts
```bash
# SSH algorithm enumeration
nmap -p 22 --script ssh-hostkey,ssh2-enum-algos 192.168.1.100
# HTTP enumeration
nmap -p 80,443,8080 \
  --script http-server-header,http-methods,http-title 192.168.1.100
# SMB protocols check
nmap -p 445 --script smb-protocols,smb-security-mode 192.168.1.100
# smb-protocols shows if SMBv1 is enabled - EternalBlue candidate
# SNMP community brute-force
nmap -sU -p 161 --script snmp-brute 192.168.1.100
snmpwalk -v2c -c public 192.168.1.100
```
5. Web Application Reconnaissance - Directory Brute-Force and Tech Detection
```bash
# Technology stack fingerprint
whatweb -a 3 http://target.example.com
# Manual header inspection
curl -si http://target.example.com | grep -iE \
  "server:|x-powered-by:|x-generator:|set-cookie:"
# Directory discovery with ffuf
ffuf -u http://target.example.com/FUZZ \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -mc 200,204,301,302,307,401,403 -t 50 \
  -o /tmp/ffuf_dirs.json -of json
# File extension brute-force
ffuf -u http://target.example.com/FUZZ \
  -w /usr/share/wordlists/common.txt \
  -e .php,.bak,.txt,.conf,.old,.sql,.zip -mc 200,204 -fs 0
# gobuster alternative
gobuster dir -u http://target.example.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -x php,html,txt,bak -t 30 -o /tmp/gobuster.txt
```
6. DNS Enumeration and Zone Transfer Attacks
Subdomain Enumeration
```bash
# amass comprehensive enumeration
amass enum -passive -d target-corp.com
amass enum -active -d target-corp.com \
  -brute -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
# subfinder passive discovery
subfinder -d target-corp.com -all -o /tmp/subdomains.txt
# dnsx fast resolver
dnsx -d target-corp.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  -a -resp -o /tmp/dns_results.txt
```
Zone Transfer (AXFR)
When misconfigured to allow transfers from any source, a zone transfer hands an attacker a complete map of every hostname and IP in the zone.
```bash
domain="target-corp.com"
nameservers=$(dig +short NS $domain)
for ns in $nameservers; do
  echo "=== Attempting AXFR from $ns ==="
  dig axfr @$ns $domain
done
# Using host command
host -l target-corp.com ns1.target-corp.com
# Defensive check - test your own zone (should return REFUSED)
dig axfr @your-primary-ns yourdomain.com
```
7. SMTP, SMB and LDAP Enumeration
SMTP User Enumeration
```bash
# Manual: connect and use VRFY/EXPN/RCPT TO
nc -nv 192.168.1.100 25
# Automated enumeration
smtp-user-enum -M RCPT \
  -U /usr/share/wordlists/users.txt \
  -D target-corp.com -t 192.168.1.100
nmap -p 25 --script smtp-enum-users \
  --script-args smtp-enum-users.methods=VRFY,RCPT,EXPN 192.168.1.100
```
SMB Enumeration
```bash
smbclient -N -L //192.168.1.100                      # Null session
enum4linux-ng -A 192.168.1.100 -oJ /tmp/enum.json    # Full enum
# crackmapexec sweep
cme smb 192.168.1.0/24
cme smb 192.168.1.100 -u user -p pass --shares
cme smb 192.168.1.100 -u user -p pass --users
nmap -p 445 \
  --script smb-enum-shares,smb-enum-users,smb-os-discovery \
  192.168.1.100
```
LDAP Enumeration
```bash
# Anonymous bind test (-H ldap://host replaces the deprecated -h option)
ldapsearch -x -H ldap://192.168.1.10 \
  -b "DC=target,DC=corp" -s sub "(objectclass=*)" | head -50
# Find AS-REP Roasting candidates (no Kerberos pre-auth: UAC bit 0x400000 = 4194304)
ldapsearch -x -H ldap://192.168.1.10 \
  -D "user@target.corp" -w 'Password' \
  -b "DC=target,DC=corp" \
  "(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
  sAMAccountName
# Find SPNs (Kerberoasting candidates)
ldapsearch -x -H ldap://192.168.1.10 \
  -D "user@target.corp" -w 'Password' \
  -b "DC=target,DC=corp" \
  "(&(objectclass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName
# ldapdomaindump - HTML reports (single backslash inside single quotes)
ldapdomaindump -u 'target.corp\user' -p 'Password' 192.168.1.10 \
  -o /tmp/ldap_dump/
```
8. Network Topology Mapping - Traceroute, TTL Analysis and AS Path
```bash
# Standard traceroute variants
traceroute target.example.com
traceroute -T -p 80 target.example.com    # TCP on port 80
traceroute -I target.example.com          # ICMP
# MTR continuous stats
mtr --report --report-cycles 10 --tcp -P 443 target.example.com
# AS path and BGP analysis
curl -s "https://api.bgpview.io/ip/203.0.113.1" | \
  jq '.data.prefixes[0] | {prefix:.prefix, asn:.asn.asn, name:.asn.name}'
# Identify load balancers (multiple IPs = CDN or round-robin)
for i in {1..10}; do dig +short A target.example.com; done | sort | uniq -c
```
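The section title promises TTL analysis, so here is an added example (not from the original chapter) showing the usual heuristic in POSIX shell: operating systems start packets with an initial TTL of 64 (Linux/Unix), 128 (Windows) or 255 (many network devices, Solaris), so the observed TTL in a reply reveals the likely initial value, and the difference is the hop count between you and the responder. The `sample_ping` output is constructed; the function names and the family labels are the example's own assumptions, and the result is only a hint: a CDN edge or load balancer answers with its own TTL, not the origin's, so a TTL that disagrees with the banner-derived OS is itself useful evidence of an intermediary.

```shell
#!/bin/sh
# ttl_guess TTL: print "initial_ttl hops family" for an observed reply TTL.
# Picks the smallest common initial TTL (64/128/255) that is >= the observed value.
ttl_guess() {
  ttl=$1
  if [ "$ttl" -le 64 ]; then
    initial=64;  family="Linux/Unix"
  elif [ "$ttl" -le 128 ]; then
    initial=128; family="Windows"
  else
    initial=255; family="NetworkDevice/Solaris"
  fi
  echo "$initial $((initial - ttl)) $family"
}

# ttl_from_ping: extract the ttl= value from the first echo reply on stdin.
ttl_from_ping() {
  sed -n 's/.*ttl=\([0-9]*\).*/\1/p' | head -1
}

# Constructed ping output (not a real reply) so the example runs offline.
sample_ping() {
  printf 'PING target.example.com (203.0.113.1): 56 data bytes\n'
  printf '64 bytes from 203.0.113.1: icmp_seq=0 ttl=54 time=12.3 ms\n'
  printf '64 bytes from 203.0.113.1: icmp_seq=1 ttl=54 time=11.9 ms\n'
}

# ttl_report: full pipeline, ping output on stdin -> "initial hops family".
ttl_report() {
  ttl_guess "$(ttl_from_ping)"
}

# Usage (constructed input): expect "64 10 Linux/Unix".
sample_ping | ttl_report
```

With live data you would feed `ping -c 3 host | ttl_report` and compare the hop estimate against `traceroute`; a large mismatch usually means the reply came from a different box than the one traceroute ends at.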
9. Defensive Detections and Hardening
Detecting Reconnaissance Activity
```bash
# Snort portscan preprocessor (snort.conf)
# preprocessor sfportscan: proto { all } sense_level { low }
# Suricata XMAS scan rule
# alert tcp any any -> $HOME_NET any (
#   msg:"Nmap XMAS scan"; flags:FPU;
#   classtype:network-scan; sid:9003001; rev:1;
# )
# psad - Port Scan Attack Detector
iptables -A INPUT -j LOG --log-prefix "IPTABLES_DROP: " --log-level 4
psad --Status
```
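psad works from exactly the kernel log lines the `iptables ... -j LOG` rule above produces. To make the detection logic concrete, here is an added example (not from the original chapter, and not psad's own code) of the core heuristic in POSIX shell and awk: for each source address, count the distinct destination ports and distinct destination hosts it touched, and report sources that exceed a port threshold. The log lines in `sample_fw_log` are constructed; the function names and the default threshold of 10 are the example's own choices.

```shell
#!/bin/sh
# Constructed iptables LOG lines (not real traffic). 203.0.113.5 probes twelve
# ports on one host; 198.51.100.7 retries 443 twice, which is normal traffic.
sample_fw_log() {
  i=0
  for port in 21 22 23 25 80 110 135 139 443 445 3389 8080; do
    i=$((i + 1))
    printf 'Mar 10 12:00:%02d fw kernel: IPTABLES_DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.100 LEN=44 TTL=54 PROTO=TCP SPT=%d DPT=%d WINDOW=1024 SYN URGP=0\n' \
      "$i" $((40000 + i)) "$port"
  done
  printf 'Mar 10 12:00:20 fw kernel: IPTABLES_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.100 LEN=52 TTL=118 PROTO=TCP SPT=51234 DPT=443 WINDOW=8192 SYN URGP=0\n'
  printf 'Mar 10 12:00:21 fw kernel: IPTABLES_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.100 LEN=52 TTL=118 PROTO=TCP SPT=51235 DPT=443 WINDOW=8192 SYN URGP=0\n'
}

# scan_sources [THRESHOLD]: read LOG lines on stdin; print "src ports hosts"
# for every source that hit at least THRESHOLD distinct destination ports
# (default 10). Lines without SRC= and DPT= (e.g. ICMP) are ignored.
scan_sources() {
  awk -v threshold="${1:-10}" '
    {
      src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      # Count each (src,port) and (src,host) pair once so retries do not inflate the score.
      if (!((src, dpt) in seen_port)) { seen_port[src, dpt] = 1; ports[src]++ }
      if (!((src, dst) in seen_host)) { seen_host[src, dst] = 1; hosts[src]++ }
    }
    END {
      for (s in ports) if (ports[s] >= threshold) print s, ports[s], hosts[s]
    }'
}

# Usage: expect one line, "203.0.113.5 12 1"; the retrying client stays silent.
sample_fw_log | scan_sources 10
```

The distinct-host column distinguishes a vertical scan (many ports, one host) from a horizontal sweep (one port, many hosts); a production rule would also bound the counts by a time window, which the example omits to keep the logic visible. A `-T1` scan that spaces probes 15 seconds apart will pass a short window but still accumulates in a per-day count, which is why the threshold should be applied over a long window as well.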
Hardening
```
# Disable SMBv1 (Windows PowerShell)
Set-SmbServerConfiguration -EnableSMB1Protocol $false
# Postfix - disable VRFY (/etc/postfix/main.cf); Postfix does not implement EXPN at all
# disable_vrfy_command = yes
# BIND zone transfer restriction (/etc/named.conf)
# zone "target-corp.com" { allow-transfer { 192.168.1.2; }; };
# Apache - hide version info ("Header" requires mod_headers)
# ServerTokens Prod
# ServerSignature Off
# Header unset X-Powered-By
```
10. MITRE ATT&CK Mapping
| Technique | ID | Tool/Method | Defense |
|---|---|---|---|
| Active Scanning: Port Scanning | T1595.001 | Nmap, masscan | psad, Snort portscan preprocessor |
| Active Scanning: Vulnerability Scanning | T1595.002 | Nmap NSE vuln, Nessus | WAF, rate limiting |
| Gather Victim Network Information: DNS | T1590.002 | dig, amass, dnsx | Restrict zone transfers |
| Gather Victim Network Information: Topology | T1590.004 | traceroute, mtr | ICMP rate-limiting |
| Gather Victim Org Info: Employee Names | T1591.004 | LinkedIn, OSINT | Limit public org info |
| Search Open Technical Databases | T1596 | Shodan, Censys, crt.sh | Minimize internet exposure |
| Search Open Websites/Social Media | T1593.001 | LinkedIn, GitHub | Developer security training |
| Phishing for Information | T1598 | SMTP enumeration | SPF/DKIM/DMARC enforcement |
| Search Victim-Owned Websites | T1594 | ffuf, gobuster, whatweb | WAF, robots.txt discipline |
| Gather Victim Host Info: Software | T1592.002 | Nmap -sV, banner grab | Remove version headers |