Passive Reconnaissance
Passive techniques gather information without directly interacting with target systems, minimizing detection risk while building network awareness. Not every command below is strictly passive, though: DHCP requests, DNS lookups and zone-transfer attempts do put packets on the wire and can be logged by the servers they reach.
Network Traffic Analysis
Capturing Broadcast Traffic
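# Capture all broadcast traffic
# The bare `broadcast` primitive means Ethernet broadcast only, so multicast
# protocols (mDNS, LLMNR) are not included — the filters below cover those.
sudo tcpdump -i eth0 -w capture.pcap broadcast
# Listen for NetBIOS/LLMNR broadcasts (credential opportunities)
# 137 = NBT-NS, 138 = NetBIOS datagram, 5355 = LLMNR. Any hits mean name
# resolution on this segment falls back to the LAN; the defender's fix is to
# disable LLMNR/NBT-NS by policy rather than rely on nobody answering.
sudo tcpdump -i eth0 'udp port 137 or udp port 138 or udp port 5355'
# Capture DHCP traffic to identify network configuration
# Purely passive: this only observes other clients' leases, unlike dhclient.
sudo tcpdump -i eth0 'udp port 67 or udp port 68' -w dhcp.pcap
# Capture mDNS (Multicast DNS)
sudo tcpdump -i eth0 'udp port 5353'
# Capture all traffic for later analysis
# -s 0 forces a full snaplen; tcpdump 4.0+ already defaults to full packets,
# so it only matters on older builds. The resulting file holds NTLM exchanges
# and other auth material — keep it owner-only.
# On some distributions tcpdump drops privileges after opening the interface
# and cannot write into a root-only directory ("Permission denied"); write to
# a path that user can reach, or use -Z root.
sudo tcpdump -i eth0 -w full_capture.pcap -s 0
# Capture all broadcast traffic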
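# Capture all broadcast traffic
# The bare `broadcast` primitive means Ethernet broadcast only, so multicast
# protocols (mDNS, LLMNR) are not included — the filters below cover those.
sudo tcpdump -i eth0 -w capture.pcap broadcast
# Listen for NetBIOS/LLMNR broadcasts (credential opportunities)
# 137 = NBT-NS, 138 = NetBIOS datagram, 5355 = LLMNR. Any hits mean name
# resolution on this segment falls back to the LAN; the defender's fix is to
# disable LLMNR/NBT-NS by policy rather than rely on nobody answering.
sudo tcpdump -i eth0 'udp port 137 or udp port 138 or udp port 5355'
# Capture DHCP traffic to identify network configuration
# Purely passive: this only observes other clients' leases, unlike dhclient.
sudo tcpdump -i eth0 'udp port 67 or udp port 68' -w dhcp.pcap
# Capture mDNS (Multicast DNS)
sudo tcpdump -i eth0 'udp port 5353'
# Capture all traffic for later analysis
# -s 0 forces a full snaplen; tcpdump 4.0+ already defaults to full packets,
# so it only matters on older builds. The resulting file holds NTLM exchanges
# and other auth material — keep it owner-only.
# On some distributions tcpdump drops privileges after opening the interface
# and cannot write into a root-only directory ("Permission denied"); write to
# a path that user can reach, or use -Z root.
sudo tcpdump -i eth0 -w full_capture.pcap -s 0

Wireshark Filters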
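# Each non-comment line is a separate Wireshark display filter; apply one at a time.
# AD-related traffic
kerberos || ldap || smb || smb2 || dcerpc
# Find domain controllers
# Whatever answers bind requests / AS-REQs is a DC (or a KDC proxy).
ldap.bindRequest || kerberos.as_req
# Credential-related broadcasts
# Any match shows hosts whose name resolution falls back to the LAN.
llmnr || nbns || mdns
# DHCP (network config)
# NOTE(review): recent Wireshark releases name this protocol `dhcp`; `bootp`
# may only work as a legacy alias — verify on your build.
bootp
# Identify Windows hosts
# 0x72 is SMB_COM_NEGOTIATE, i.e. SMB1 — hosts still negotiating SMB1 are a
# finding in themselves.
browser || smb.cmd == 0x72
# HTTP traffic (internal web apps)
http.request
# Find printers (often less secured)
snmp || jetdirect
# AD-related traffic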
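# Each non-comment line is a separate Wireshark display filter; apply one at a time.
# AD-related traffic
kerberos || ldap || smb || smb2 || dcerpc
# Find domain controllers
# Whatever answers bind requests / AS-REQs is a DC (or a KDC proxy).
ldap.bindRequest || kerberos.as_req
# Credential-related broadcasts
# Any match shows hosts whose name resolution falls back to the LAN.
llmnr || nbns || mdns
# DHCP (network config)
# NOTE(review): recent Wireshark releases name this protocol `dhcp`; `bootp`
# may only work as a legacy alias — verify on your build.
bootp
# Identify Windows hosts
# 0x72 is SMB_COM_NEGOTIATE, i.e. SMB1 — hosts still negotiating SMB1 are a
# finding in themselves.
browser || smb.cmd == 0x72
# HTTP traffic (internal web apps)
http.request
# Find printers (often less secured)
snmp || jetdirect

Extract Information from Captures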
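# Extract hostnames from NetBIOS traffic
# -Y nbns keeps only NBNS packets; without it every packet in the file prints
# a line with an empty name column.
tshark -r capture.pcap -Y "nbns" -T fields -e ip.src -e nbns.name | sort -u
# Extract domain information from Kerberos
tshark -r capture.pcap -Y "kerberos" -T fields -e kerberos.realm | sort -u
# Find SMB shares being accessed
# smb2.cmd == 3 is SMB2 TREE_CONNECT; ip.dst is the file server, smb2.tree the share path.
tshark -r capture.pcap -Y "smb2.cmd == 3" -T fields -e ip.dst -e smb2.tree
# Extract HTTP hostnames
tshark -r capture.pcap -Y "http.host" -T fields -e http.host | sort -u
# Find usernames in traffic
# NTLMSSP carries the account name in the clear even though the password is
# not; each hit is an account authenticating over a protocol without TLS.
tshark -r capture.pcap -Y "ntlmssp.auth.username" -T fields -e ntlmssp.auth.username | sort -u
# Extract hostnames from NetBIOS traffic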
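# Extract hostnames from NetBIOS traffic
# -Y nbns keeps only NBNS packets; without it every packet in the file prints
# a line with an empty name column.
tshark -r capture.pcap -Y "nbns" -T fields -e ip.src -e nbns.name | sort -u
# Extract domain information from Kerberos
tshark -r capture.pcap -Y "kerberos" -T fields -e kerberos.realm | sort -u
# Find SMB shares being accessed
# smb2.cmd == 3 is SMB2 TREE_CONNECT; ip.dst is the file server, smb2.tree the share path.
tshark -r capture.pcap -Y "smb2.cmd == 3" -T fields -e ip.dst -e smb2.tree
# Extract HTTP hostnames
tshark -r capture.pcap -Y "http.host" -T fields -e http.host | sort -u
# Find usernames in traffic
# NTLMSSP carries the account name in the clear even though the password is
# not; each hit is an account authenticating over a protocol without TLS.
tshark -r capture.pcap -Y "ntlmssp.auth.username" -T fields -e ntlmssp.auth.username | sort -u

ARP Discovery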
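# All of these only see hosts that actually transmit on the segment you are
# attached to; silent hosts and other VLANs do not show up.
# View current ARP cache
# arp(8) is part of net-tools and is missing on many current distributions;
# ip(8) below is the replacement.
arp -a
# Linux ARP cache
ip neigh show
# Passive ARP monitoring (watch for new hosts)
# arpwatch keeps an IP/MAC database and reports changes (by mail on most
# packagings). The same "flip flop" alert is how a defender spots ARP
# spoofing on the segment.
sudo arpwatch -i eth0
# Netdiscover passive mode (listens without sending)
sudo netdiscover -p -i eth0
# Bettercap passive mode
sudo bettercap -iface eth0 -eval "net.recon on"
# View current ARP cache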
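# All of these only see hosts that actually transmit on the segment you are
# attached to; silent hosts and other VLANs do not show up.
# View current ARP cache
# arp(8) is part of net-tools and is missing on many current distributions;
# ip(8) below is the replacement.
arp -a
# Linux ARP cache
ip neigh show
# Passive ARP monitoring (watch for new hosts)
# arpwatch keeps an IP/MAC database and reports changes (by mail on most
# packagings). The same "flip flop" alert is how a defender spots ARP
# spoofing on the segment.
sudo arpwatch -i eth0
# Netdiscover passive mode (listens without sending)
sudo netdiscover -p -i eth0
# Bettercap passive mode
sudo bettercap -iface eth0 -eval "net.recon on"

Responder in Analyze Mode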
# Run Responder in analyze mode (passive - no responses)
# -A = analyze: Responder only listens and logs; it never answers a query, so
# nothing is poisoned and no hashes are captured.
sudo responder -I eth0 -A
# Output shows:
# - LLMNR queries (hostname resolution attempts)
# - NBT-NS queries
# - MDNS queries
# - Browser elections
# - WPAD requests
# Look for:
# - Frequently queried hostnames (typos, old servers)
# - Systems making WPAD requests (proxy config)
# - LLMNR enabled (credential capture possible)
#   Defender's fix: disable LLMNR and NBT-NS by policy and publish WPAD
#   explicitly (or turn off proxy auto-detection) so these queries stop.
# Run Responder in analyze mode (passive - no responses)
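# Run Responder in analyze mode (passive - no responses)
# -A = analyze: Responder only listens and logs; it never answers a query, so
# nothing is poisoned and no hashes are captured.
sudo responder -I eth0 -A
# Output shows:
# - LLMNR queries (hostname resolution attempts)
# - NBT-NS queries
# - MDNS queries
# - Browser elections
# - WPAD requests
# Look for:
# - Frequently queried hostnames (typos, old servers)
# - Systems making WPAD requests (proxy config)
# - LLMNR enabled (credential capture possible)
#   Defender's fix: disable LLMNR and NBT-NS by policy and publish WPAD
#   explicitly (or turn off proxy auto-detection) so these queries stop.

DHCP Information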
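# Request DHCP information
# Not passive: dhclient sends DHCPDISCOVER/REQUEST on the wire and, if a lease
# is offered, reconfigures eth0 with it. The DHCP server logs the request.
# When you must stay silent, read the existing lease file (below) or the DHCP
# capture from the tcpdump section instead.
dhclient -v eth0
# Or use nmap
# Also active (it broadcasts a DHCPDISCOVER), but it only prints the offer and
# does not apply the lease to the interface.
sudo nmap --script broadcast-dhcp-discover
# Information gathered:
# - IP range and subnet mask
# - Default gateway
# - DNS servers (often domain controllers)
# - Domain name
# - DHCP server IP
# Check lease file for details
# Path is for ISC dhclient; hosts using NetworkManager, systemd-networkd or
# dhcpcd keep leases elsewhere (or not at all).
cat /var/lib/dhcp/dhclient.leases
# Request DHCP information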
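# Request DHCP information
# Not passive: dhclient sends DHCPDISCOVER/REQUEST on the wire and, if a lease
# is offered, reconfigures eth0 with it. The DHCP server logs the request.
# When you must stay silent, read the existing lease file (below) or the DHCP
# capture from the tcpdump section instead.
dhclient -v eth0
# Or use nmap
# Also active (it broadcasts a DHCPDISCOVER), but it only prints the offer and
# does not apply the lease to the interface.
sudo nmap --script broadcast-dhcp-discover
# Information gathered:
# - IP range and subnet mask
# - Default gateway
# - DNS servers (often domain controllers)
# - Domain name
# - DHCP server IP
# Check lease file for details
# Path is for ISC dhclient; hosts using NetworkManager, systemd-networkd or
# dhcpcd keep leases elsewhere (or not at all).
cat /var/lib/dhcp/dhclient.leases

DNS Enumeration (Passive)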
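# Check DNS configuration
# The search/domain entry is usually the AD domain; on a domain-joined network
# the nameserver entries are commonly the DCs.
cat /etc/resolv.conf
# Identify domain from DHCP-assigned DNS
# NOTE(review): querying "." returns the root zone's SOA, not the local
# domain; the search domain in resolv.conf above is the reliable source.
nslookup -type=SOA .
# Reverse DNS lookups on discovered IPs
# These are live queries to the resolver (and are logged there). Read the file
# line by line so odd entries cannot be word-split or glob-expanded, and skip
# blank lines.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  host "$ip" 2>/dev/null | grep "domain name pointer"
done < discovered_ips.txt
# Check for DNS zone transfer (often allowed internally)
# An AXFR attempt is noisy: servers that refuse it usually log it, so expect
# it to be noticed. Replace DNS_SERVER / DOMAIN.COM with the real values.
dig axfr @DNS_SERVER DOMAIN.COM
# Find domain controllers via DNS
# Append the domain: a name ending in "." is absolute, so the resolver does
# not add the search suffix and the bare "_ldap._tcp.dc._msdcs." form
# resolves nothing.
nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.COM
nslookup -type=SRV _kerberos._tcp.DOMAIN.COM
# Check DNS configuration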
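# Check DNS configuration
# The search/domain entry is usually the AD domain; on a domain-joined network
# the nameserver entries are commonly the DCs.
cat /etc/resolv.conf
# Identify domain from DHCP-assigned DNS
# NOTE(review): querying "." returns the root zone's SOA, not the local
# domain; the search domain in resolv.conf above is the reliable source.
nslookup -type=SOA .
# Reverse DNS lookups on discovered IPs
# These are live queries to the resolver (and are logged there). Read the file
# line by line so odd entries cannot be word-split or glob-expanded, and skip
# blank lines.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  host "$ip" 2>/dev/null | grep "domain name pointer"
done < discovered_ips.txt
# Check for DNS zone transfer (often allowed internally)
# An AXFR attempt is noisy: servers that refuse it usually log it, so expect
# it to be noticed. Replace DNS_SERVER / DOMAIN.COM with the real values.
dig axfr @DNS_SERVER DOMAIN.COM
# Find domain controllers via DNS
# Append the domain: a name ending in "." is absolute, so the resolver does
# not add the search suffix and the bare "_ldap._tcp.dc._msdcs." form
# resolves nothing.
nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.COM
nslookup -type=SRV _kerberos._tcp.DOMAIN.COM

Network Topology Discovery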
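# Identify network segments from traffic
# Look for different subnets in captured traffic
# -Y ip restricts the output to IPv4: cutting on "." assumes dotted quads and
# a /24 boundary. Adjust -f for other prefix lengths; IPv6 needs a different
# approach.
tshark -r capture.pcap -Y "ip" -T fields -e ip.src -e ip.dst | \
  awk '{print $1"\n"$2}' | sort -u | \
  cut -d'.' -f1-3 | sort -u
# Identify routers/gateways
# Look for TTL values indicating routing
# Hosts start at a fixed TTL (commonly 64, 128 or 255); a value below one of
# those arrived through a router, and the gap is the hop count.
tshark -r capture.pcap -Y "ip" -T fields -e ip.src -e ip.ttl | sort -u
# Identify VLANs (if 802.1Q tagged)
# Only works if the tag reached the capture; many NICs/drivers strip 802.1Q
# headers before libpcap sees them, so an empty result is not proof of no VLANs.
tshark -r capture.pcap -Y "vlan" -T fields -e vlan.id | sort -u
# Identify network segments from traffic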
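# Identify network segments from traffic
# Look for different subnets in captured traffic
# -Y ip restricts the output to IPv4: cutting on "." assumes dotted quads and
# a /24 boundary. Adjust -f for other prefix lengths; IPv6 needs a different
# approach.
tshark -r capture.pcap -Y "ip" -T fields -e ip.src -e ip.dst | \
  awk '{print $1"\n"$2}' | sort -u | \
  cut -d'.' -f1-3 | sort -u
# Identify routers/gateways
# Look for TTL values indicating routing
# Hosts start at a fixed TTL (commonly 64, 128 or 255); a value below one of
# those arrived through a router, and the gap is the hop count.
tshark -r capture.pcap -Y "ip" -T fields -e ip.src -e ip.ttl | sort -u
# Identify VLANs (if 802.1Q tagged)
# Only works if the tag reached the capture; many NICs/drivers strip 802.1Q
# headers before libpcap sees them, so an empty result is not proof of no VLANs.
tshark -r capture.pcap -Y "vlan" -T fields -e vlan.id | sort -u

Windows Event Analysis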
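# Host-side view from a Windows box you already have a session on. Everything
# here is local except `net view`, which queries the network.
# View network connections
netstat -ano
# View DNS cache
# Names this host resolved recently — a quick map of the servers it talks to.
ipconfig /displaydns
# View recent connections
# PowerShell only; the other commands run from cmd or PowerShell.
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
# View cached credentials
# Lists stored credential entries (target and user name), not the secrets.
cmdkey /list
# View mapped drives
net use
# View network shares
# Sends browser/SMB queries to other hosts, so it is not silent.
net view
# View domain information
# %VAR% expansion is cmd syntax; in PowerShell use $env:USERDOMAIN and
# $env:LOGONSERVER instead.
echo %USERDOMAIN%
echo %LOGONSERVER%
nltest /dclist:%USERDOMAIN%
# View network connections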
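# Host-side view from a Windows box you already have a session on. Everything
# here is local except `net view`, which queries the network.
# View network connections
netstat -ano
# View DNS cache
# Names this host resolved recently — a quick map of the servers it talks to.
ipconfig /displaydns
# View recent connections
# PowerShell only; the other commands run from cmd or PowerShell.
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
# View cached credentials
# Lists stored credential entries (target and user name), not the secrets.
cmdkey /list
# View mapped drives
net use
# View network shares
# Sends browser/SMB queries to other hosts, so it is not silent.
net view
# View domain information
# %VAR% expansion is cmd syntax; in PowerShell use $env:USERDOMAIN and
# $env:LOGONSERVER instead.
echo %USERDOMAIN%
echo %LOGONSERVER%
nltest /dclist:%USERDOMAIN%

Quick Reference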
| Technique | Tool | Information Gathered |
|---|---|---|
| Traffic Capture | tcpdump, Wireshark | Hosts, domains, usernames, shares |
| ARP Monitoring | arpwatch, netdiscover | Live hosts, MAC addresses |
| Broadcast Analysis | Responder -A | LLMNR/NBT-NS usage, WPAD |
| DHCP | dhclient, nmap | Network config, DNS servers |
| DNS | nslookup, dig | Domain controllers, zone transfers |