Last reviewed

Internal Reconnaissance

Internal reconnaissance focuses on understanding the network topology, identifying Active Directory structure, and discovering high-value targets before active exploitation begins. Balance stealth with thoroughness.

Information

Start with passive techniques to minimize detection, then escalate to active scanning as needed. Document all discovered systems for later phases.
flowchart TD A[Reconnaissance] --> B[Passive Recon] A --> C[Active Discovery] A --> D[AD Enumeration] A --> E[User Hunting] B --> B1[Traffic Analysis / ARP / DHCP] C --> C1[Nmap / Service Scans] D --> D1[LDAP / BloodHound / PowerView] E --> E1[Admin Hunting / Sessions] style A fill:#3b82f6,stroke:#000,color:#fff style B fill:#06b6d4,stroke:#000,color:#000 style C fill:#06b6d4,stroke:#000,color:#000 style D fill:#06b6d4,stroke:#000,color:#000 style E fill:#06b6d4,stroke:#000,color:#000

Reconnaissance Phases

Passive Reconnaissance

Network traffic analysis, ARP discovery, DHCP/mDNS monitoring, and stealthy enumeration.

tcpdump Wireshark ARP LLMNR

Active Discovery

Nmap scanning, host discovery, service enumeration, and OS fingerprinting techniques.

Nmap Masscan Ping Sweeps Service Enum

AD Enumeration

Domain discovery, LDAP queries, BloodHound analysis, and trust relationship mapping.

BloodHound PowerView LDAP Trusts

User Hunting

Admin identification, session tracking, high-value target discovery, and logged-on user enumeration.

Admin Hunting Sessions NetSessionEnum HVT

Reconnaissance Workflow

Phase Techniques Detection Risk Key Outputs
Passive Traffic capture, ARP table, broadcast listening Low Network layout, active hosts, naming conventions
Active Port scanning, service detection, OS fingerprint Medium Open ports, services, vulnerabilities
AD Enum LDAP queries, BloodHound, GPO analysis Medium Domain structure, attack paths, privileges
User Hunting Session enumeration, admin locating Medium-High Target systems, admin sessions

Quick Reference

Essential Commands

  • nmap -sn 10.0.0.0/24
  • bloodhound-python -c All
  • Get-DomainUser -AdminCount 1

Key Tools

  • • Nmap / Masscan
  • • BloodHound
  • • PowerView / SharpView

Priority Targets

  • • Domain Controllers
  • • Admin workstations
  • • Service accounts

Related Topics

Passive Reconnaissance

Active Discovery

AD Enumeration

User Hunting

BloodHound Cheatsheet

Related Tools

Use the interactive toolset as a nearby operator companion while working through this guide.

Interactive Tool

Nmap Builder

Generate internal discovery and service-enumeration scans that map cleanly to the scanning and enumeration phases.
Interactive Tool

Reverse Shell Generator

Keep payload generation close to the exploitation workflow when you need a fast fallback shell during lateral movement.
Interactive Tool

Port Reference

Cross-check exposed services and odd internal ports while triaging hosts, shares, and management interfaces.
Interactive Tool

Findings Library

Translate credential, AD, relay, and privilege-escalation chains into report-ready language for internal engagements.