Reconnaissance

Active Discovery

Active discovery involves directly probing systems to identify live hosts, open ports, and running services. This generates network traffic that may be detected.

Warning

Active scanning generates logs and may trigger security alerts. Coordinate with the client on acceptable scanning windows and intensity levels.
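The alerts the warning refers to are usually host-sweep and port-scan detections on the defender's side. As an added example, not code from the original page, a minimal detector over constructed, simplified Zeek-style conn.log lines; the column layout, the thresholds and the set of half-open or refused connection states are assumptions.

```python
from collections import defaultdict

# Constructed Zeek-style conn.log sample, simplified to six columns:
# ts orig_h resp_h resp_p proto conn_state
SAMPLE_LOG = """\
1700000000.0 10.0.0.50 10.0.0.1 445 tcp S0
1700000000.1 10.0.0.50 10.0.0.2 445 tcp S0
1700000000.2 10.0.0.50 10.0.0.3 445 tcp REJ
1700000000.3 10.0.0.50 10.0.0.4 445 tcp S0
1700000000.4 10.0.0.50 10.0.0.5 445 tcp RSTO
1700000002.0 10.0.0.77 10.0.0.10 21 tcp REJ
1700000002.1 10.0.0.77 10.0.0.10 22 tcp RSTO
1700000002.2 10.0.0.77 10.0.0.10 23 tcp REJ
1700000002.3 10.0.0.77 10.0.0.10 80 tcp RSTO
1700000002.4 10.0.0.77 10.0.0.10 3389 tcp REJ
1700000005.0 10.0.0.20 10.0.0.10 443 tcp SF
1700000006.0 10.0.0.20 10.0.0.11 443 tcp SF
"""

# Assumed set of half-open / refused states a SYN scan leaves behind;
# completed sessions (SF) are ignored to cut false positives.
SCAN_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "OTH"}

def parse(log_text):
    """Yield (ts, orig_h, resp_h, resp_p, conn_state) per well-formed line."""
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 6:
            continue
        yield float(f[0]), f[1], f[2], int(f[3]), f[5]

def detect(log_text, window=60.0, host_thresh=5, port_thresh=5):
    """Return ('sweep', src, n_hosts) and ('portscan', src, dst, n_ports) findings."""
    hosts = defaultdict(set)  # (src, time bucket) -> distinct destination hosts
    ports = defaultdict(set)  # (src, dst, time bucket) -> distinct destination ports
    for ts, src, dst, dport, state in parse(log_text):
        if state not in SCAN_STATES:
            continue
        bucket = int(ts // window)
        hosts[(src, bucket)].add(dst)
        ports[(src, dst, bucket)].add(dport)
    findings = []
    for (src, _), seen in hosts.items():
        if len(seen) >= host_thresh:
            findings.append(("sweep", src, len(seen)))
    for (src, dst, _), seen in ports.items():
        if len(seen) >= port_thresh:
            findings.append(("portscan", src, dst, len(seen)))
    return sorted(findings)
```

Fixed time buckets are deliberately simple; a sliding window catches scans that straddle a bucket boundary at the cost of more bookkeeping.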

Host Discovery

ARP Scanning (Layer 2)

```bash
# ARP scan - fastest for local subnet (Layer 2)
sudo arp-scan -l -I eth0

# Specify range
sudo arp-scan -I eth0 10.0.0.0/24

# Multiple subnets
sudo arp-scan -I eth0 10.0.0.0/24 10.0.1.0/24

# Netdiscover active mode
sudo netdiscover -i eth0 -r 10.0.0.0/24
```

ICMP Discovery

```bash
# Ping sweep with nmap
nmap -sn 10.0.0.0/24

# Faster ping sweep (no DNS resolution)
nmap -sn -n 10.0.0.0/24

# Using fping (faster for large ranges)
fping -a -g 10.0.0.0/24 2>/dev/null

# With timestamps
fping -a -g 10.0.0.0/24 2>/dev/null | while read ip; do
  echo "$(date +%H:%M:%S) - $ip"
done
```

TCP/UDP Discovery

```bash
# TCP SYN discovery (when ICMP blocked)
nmap -sn -PS22,80,443,445 10.0.0.0/24

# TCP ACK discovery
nmap -sn -PA80,443 10.0.0.0/24

# UDP discovery
nmap -sn -PU53,161 10.0.0.0/24

# Combined discovery
nmap -sn -PS22,80,443,445 -PA80,443 -PU53,161 10.0.0.0/24

# Using masscan for speed
sudo masscan 10.0.0.0/24 -p22,80,443,445 --rate=1000
```

Port Scanning

```mermaid
flowchart TD
    A[Host Discovery] --> B[Quick Scan]
    B --> C[Full Port Scan]
    C --> D[Service Detection]
    D --> E[Vulnerability Scan]
    B --> B1[Top 100 ports]
    C --> C1[All 65535 ports]
    D --> D1[Version detection]
    E --> E1[NSE scripts]
    style A fill:#00ff00,stroke:#000,color:#000
    style E fill:#ff6b6b,stroke:#000,color:#000
```

Quick Scans

```bash
# Quick TCP scan (top 1000 ports)
nmap -sS -T4 10.0.0.0/24 -oA quick_scan

# Top 100 ports
nmap -sS -T4 --top-ports 100 10.0.0.0/24

# Common internal ports
nmap -sS -T4 -p 21,22,23,25,53,80,88,110,111,135,139,143,389,443,445,636,993,995,1433,1521,3306,3389,5432,5900,8080 10.0.0.0/24
```

Full Port Scans

```bash
# Full TCP port scan
nmap -sS -p- -T4 10.0.0.1 -oA full_tcp

# Full scan with version detection
nmap -sS -sV -p- -T4 10.0.0.1 -oA full_version

# UDP scan (slow but important)
nmap -sU --top-ports 100 10.0.0.1

# Combined TCP and UDP
nmap -sS -sU -p T:1-65535,U:53,67,68,69,111,123,137,138,139,161,162,500,514,520,1900 10.0.0.1
```

Service Detection

```bash
# Version detection
nmap -sV -sC -p 22,80,443,445 10.0.0.1

# Aggressive scan (version + OS + scripts)
nmap -A -p 22,80,443,445 10.0.0.1

# Script scan categories
nmap --script=default,safe -p 445 10.0.0.1
nmap --script=vuln -p 445 10.0.0.1
nmap --script=discovery -p 445 10.0.0.1
```

SMB Discovery

```bash
# Identify SMB hosts
nmap -p 445 --open 10.0.0.0/24

# CrackMapExec SMB scan
crackmapexec smb 10.0.0.0/24

# NetExec (CME successor)
nxc smb 10.0.0.0/24

# Identify domain controllers
crackmapexec smb 10.0.0.0/24 | grep -i "domain"

# Generate relay target list (SMB signing disabled)
crackmapexec smb 10.0.0.0/24 --gen-relay-list relay_targets.txt

# Enumerate shares (null session: --shares needs a login, so pass empty credentials)
crackmapexec smb 10.0.0.0/24 -u '' -p '' --shares
```

Domain Controller Discovery

```bash
# DNS-based DC discovery
nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.COM
nslookup -type=SRV _kerberos._tcp.DOMAIN.COM
nslookup -type=SRV _gc._tcp.DOMAIN.COM

# Find PDC
nslookup -type=SRV _ldap._tcp.pdc._msdcs.DOMAIN.COM

# Port-based DC identification
nmap -p 88,389,636,3268,3269 --open 10.0.0.0/24

# LDAP banner grab
nmap -p 389 --script ldap-rootdse 10.0.0.1

# Nmap scripts for DC
nmap -p 389 --script ldap-search 10.0.0.1
```

Service-Specific Discovery

Database Servers

```bash
# Find MSSQL
nmap -p 1433 --open 10.0.0.0/24
nmap -p 1433 --script ms-sql-info 10.0.0.1

# Find MySQL
nmap -p 3306 --open 10.0.0.0/24
nmap -p 3306 --script mysql-info 10.0.0.1

# Find PostgreSQL
nmap -p 5432 --open 10.0.0.0/24

# Find Oracle
nmap -p 1521 --open 10.0.0.0/24
nmap -p 1521 --script oracle-tns-version 10.0.0.1
```

Web Servers

```bash
# Find HTTP/HTTPS
nmap -p 80,443,8080,8443 --open 10.0.0.0/24

# HTTP title grab
nmap -p 80,443 --script http-title 10.0.0.0/24

# Eyewitness for screenshots
eyewitness --web -f urls.txt -d eyewitness_output

# Aquatone
cat urls.txt | aquatone -ports 80,443,8080,8443
```

Remote Access

```bash
# Find RDP
nmap -p 3389 --open 10.0.0.0/24
nmap -p 3389 --script rdp-enum-encryption 10.0.0.1

# Find SSH
nmap -p 22 --open 10.0.0.0/24
nmap -p 22 --script ssh-auth-methods 10.0.0.1

# Find WinRM
nmap -p 5985,5986 --open 10.0.0.0/24

# Find VNC
nmap -p 5900-5910 --open 10.0.0.0/24
```

Network Device Discovery

```bash
# SNMP discovery
nmap -sU -p 161 --open 10.0.0.0/24
nmap -sU -p 161 --script snmp-info 10.0.0.1

# SNMP walk with community string
snmpwalk -v2c -c public 10.0.0.1

# Find printers
nmap -p 9100,515,631 --open 10.0.0.0/24

# Find network management
nmap -p 23,22,443,161 --open 10.0.0.0/24
```

Scan Optimization

```bash
# Masscan for speed (then nmap for accuracy)
# Phase 1: Fast discovery
sudo masscan 10.0.0.0/16 -p 21,22,23,25,53,80,88,110,135,139,143,389,443,445,636,1433,3306,3389,5432,8080 --rate=10000 -oG masscan_results.txt

# Phase 2: Parse masscan output
# Find the "Host:" and "Ports:" labels by name rather than by fixed field position:
# masscan's grepable lines may carry a "Timestamp:" prefix and an empty "()" hostname,
# so $2 and $4 do not reliably land on the address and the port.
awk '/Ports:/ {for (i = 1; i <= NF; i++) if ($i == "Host:") print $(i+1)}' masscan_results.txt | sort -u > hosts.txt
awk '/Ports:/ {for (i = 1; i <= NF; i++) if ($i == "Ports:") {split($(i+1), p, "/"); print p[1]}}' masscan_results.txt | sort -u > ports.txt

# Phase 3: Detailed nmap scan (paste joins the ports with commas and no trailing comma)
nmap -sV -sC -iL hosts.txt -p "$(paste -sd, ports.txt)" -oA detailed_scan
```

Quick Reference

| Target | Ports | Tool/Command |
|---|---|---|
| Domain Controllers | 88, 389, 636, 3268 | nmap, crackmapexec |
| File Servers | 445, 139, 2049 | smbclient, nxc |
| Databases | 1433, 3306, 5432, 1521 | nmap scripts |
| Web Servers | 80, 443, 8080, 8443 | eyewitness, aquatone |
| Remote Access | 22, 3389, 5985, 5900 | nmap, nxc |