Internal Reconnaissance
Internal reconnaissance focuses on understanding the network topology, identifying Active Directory structure, and discovering high-value targets before active exploitation begins. Balance stealth with thoroughness.
Information
Start with passive techniques to minimize detection, then escalate to active scanning as needed. Document all discovered systems for later phases.
```mermaid
flowchart TD
A[Reconnaissance] --> B[Passive Recon]
A --> C[Active Discovery]
A --> D[AD Enumeration]
A --> E[User Hunting]
B --> B1[Traffic Analysis / ARP / DHCP]
C --> C1[Nmap / Service Scans]
D --> D1[LDAP / BloodHound / PowerView]
E --> E1[Admin Hunting / Sessions]
style A fill:#3b82f6,stroke:#000,color:#fff
style B fill:#06b6d4,stroke:#000,color:#000
style C fill:#06b6d4,stroke:#000,color:#000
style D fill:#06b6d4,stroke:#000,color:#000
style E fill:#06b6d4,stroke:#000,color:#000
```
Reconnaissance Phases
Passive Reconnaissance
Network traffic analysis, ARP discovery, DHCP/mDNS monitoring, and stealthy enumeration.
Tags: tcpdump, Wireshark, ARP, LLMNR
Active Discovery
Nmap scanning, host discovery, service enumeration, and OS fingerprinting techniques.
Tags: Nmap, Masscan, Ping Sweeps, Service Enum
AD Enumeration
Domain discovery, LDAP queries, BloodHound analysis, and trust relationship mapping.
Tags: BloodHound, PowerView, LDAP, Trusts
User Hunting
Admin identification, session tracking, high-value target discovery, and logged-on user enumeration.
Tags: Admin Hunting, Sessions, NetSessionEnum, HVT
Reconnaissance Workflow
| Phase | Techniques | Detection Risk | Key Outputs |
|---|---|---|---|
| Passive | Traffic capture, ARP table, broadcast listening | Low | Network layout, active hosts, naming conventions |
| Active | Port scanning, service detection, OS fingerprint | Medium | Open ports, services, vulnerabilities |
| AD Enum | LDAP queries, BloodHound, GPO analysis | Medium | Domain structure, attack paths, privileges |
| User Hunting | Session enumeration, admin locating | Medium-High | Target systems, admin sessions |
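The table rates the Active phase as Medium detection risk because host discovery and service scans leave a distinctive footprint in connection logs. As an added example (not part of the original page), the script below runs that detection logic over a constructed connection log: one source touching many distinct hosts inside a short window is flagged as a host sweep, and one source touching many distinct ports on a single host as a port scan. The log format, thresholds and window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), one event per line: "timestamp src dst dport proto".
# 10.0.0.10 behaves normally; 10.0.0.50 pings 25 hosts, then probes 15 ports on 10.0.0.20.
SAMPLE_LOG = "\n".join(
    ["2024-05-01T10:00:00 10.0.0.10 10.0.0.20 445 tcp",
     "2024-05-01T10:00:05 10.0.0.10 10.0.0.21 389 tcp"]
    + [f"2024-05-01T10:01:{i:02d} 10.0.0.50 10.0.0.{100 + i} 0 icmp" for i in range(25)]
    + [f"2024-05-01T10:03:{i:02d} 10.0.0.50 10.0.0.20 {20 + i} tcp" for i in range(15)]
)

WINDOW = timedelta(seconds=60)  # assumed sliding window
SWEEP_HOSTS = 20                # distinct destination hosts from one source within WINDOW
SCAN_PORTS = 10                 # distinct TCP ports on one host from one source within WINDOW

def parse(log_text):
    """Parse the log into (time, src, dst, dport, proto) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(events)

def detect(events, window=WINDOW, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return {(kind, src, target): peak_count} for every source that crosses a threshold."""
    alerts = {}
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    for src, evs in by_src.items():
        for i, (t0, *_) in enumerate(evs):          # each event opens a window
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            hosts = {e[2] for e in in_window}
            if len(hosts) >= sweep_hosts:
                key = ("host_sweep", src, "*")
                alerts[key] = max(alerts.get(key, 0), len(hosts))
            ports = defaultdict(set)
            for e in in_window:
                if e[4] == "tcp":
                    ports[e[2]].add(e[3])
            for dst, ps in ports.items():
                if len(ps) >= scan_ports:
                    key = ("port_scan", src, dst)
                    alerts[key] = max(alerts.get(key, 0), len(ps))
    return alerts

if __name__ == "__main__":
    for (kind, src, target), count in sorted(detect(parse(SAMPLE_LOG)).items()):
        print(f"{kind}: {src} -> {target} ({count})")
```

Tune the window and thresholds against your own baseline; a backup server or monitoring poller will legitimately touch many hosts and should be allow-listed rather than lowering the bar for everyone.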
Quick Reference
Essential Commands
- nmap -sn 10.0.0.0/24
- bloodhound-python -c All
- Get-DomainUser -AdminCount 1
Key Tools
- Nmap / Masscan
- BloodHound
- PowerView / SharpView
Priority Targets
- Domain Controllers
- Admin workstations
- Service accounts