Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection.
This knowledge base covers information gathering about targets without performing exploitation: discovering services, versions, technologies, and potential attack vectors.
Tools:
- nmap - Port and service discovery
- masscan - Fast port scanning (if speed needed)
- nc (netcat) - Banner grabbing
- gobuster - Directory/file brute forcing
- dirb - Alternative directory scanner
- nikto - Web vulnerability scanner
- whatweb - Technology identification
- curl
- wget
- enum4linux - SMB/Samba enumeration
- smbclient - SMB interaction
- showmount - NFS enumeration
- snmpwalk - SNMP enumeration
- dig - DNS queries
- host - DNS lookups
- nslookup - DNS information

Core Principle: Every reconnaissance task has 3 layers - escalate when the previous layer yields insufficient results.
Layer 1 (Quick & Broad):
- Fast tools with default parameters
- Goal: Get initial foothold information
- Time: 1-5 minutes
- Example: nmap top 1000 ports, gobuster with small wordlist
Layer 2 (Deep & Intensive):
- Same tools with aggressive parameters
- Goal: Extract maximum information from known services
- Time: 5-30 minutes
- Example: nmap all ports + version detection, gobuster with large wordlist
Layer 3 (Alternative & Creative):
- Different tools or manual techniques
- Goal: Find information that standard tools miss
- Time: Variable
- Example: Manual banner grabbing, alternative scanners, custom scripts
Escalation Triggers:
Goal: Find all open ports
# Quick scan (nmap's default: top 1000 TCP ports; -p- would already be the full scan)
nmap --min-rate=1000 -T4 TARGET -oN ports-quick.txt
# Comprehensive scan (all 65535 TCP ports)
nmap -p- -T4 TARGET -oN ports.txt
Output Format:
{
"ports": [
{"port": 22, "state": "open", "protocol": "tcp"},
{"port": 80, "state": "open", "protocol": "tcp"}
]
}
Goal: Identify services and versions
# Service version detection (-A implies -sV, -sC, -O and --traceroute, so they need not be repeated)
nmap -p22,80,443 -A TARGET -oN services.txt
# Deeper scan with the vuln script category (slower and noisier; keep it inside the engagement's scope)
nmap -p22,80 -sV --script=default,vuln TARGET -oN vuln.txt
Output Format:
{
"services": [
{
"port": 22,
"service": "ssh",
"version": "OpenSSH 7.6p1",
"os": "Ubuntu Linux"
},
{
"port": 80,
"service": "http",
"version": "Apache httpd 2.4.29",
"technologies": ["PHP/7.2"]
}
]
}
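As an added example (not part of the original knowledge base), the following Python script converts nmap's XML output (-oX) into the "ports" / "services" structure shown above, so the JSON comes from a parser rather than from hand-typing. The XML embedded in it is a constructed sample, not a real scan; the element and attribute names (port, state, service, product, version, extrainfo, ostype, cpe, script, method) are nmap's own -oX schema, while the function name parse_nmap_xml and the "fingerprinted" key are my additions.

```python
import json
import sys
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX -` output (not a real scan); the IP and
# versions are illustrative. Element/attribute names are nmap's real XML schema.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -p22,80,443 -oX - 10.10.10.1" start="1736899200">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="10.10.10.1" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22">
      <state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="7.6p1" extrainfo="Ubuntu 4ubuntu0.3; protocol 2.0" ostype="Linux" method="probed" conf="10">
        <cpe>cpe:/a:openbsd:openssh:7.6p1</cpe>
        <cpe>cpe:/o:linux:linux_kernel</cpe>
      </service>
    </port>
    <port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack"/>
      <service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" method="probed" conf="10">
        <cpe>cpe:/a:apache:http_server:2.4.29</cpe>
      </service>
      <script id="http-server-header" output="Apache/2.4.29 (Ubuntu)"/>
    </port>
    <port protocol="tcp" portid="443">
      <state state="closed" reason="reset"/>
      <service name="https" method="table" conf="3"/>
    </port>
  </ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Convert nmap -oX output into the "ports" / "services" structure used on this page."""
    root = ET.fromstring(xml_text)
    result = {"target": None, "ports": [], "services": []}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is not None:
            result["target"] = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            entry = {"port": int(port.get("portid")), "state": state, "protocol": port.get("protocol")}
            result["ports"].append(entry)
            if state != "open":
                continue  # closed/filtered ports stay in "ports" but never become a service
            svc = port.find("service")
            service = {"port": entry["port"], "service": svc.get("name") if svc is not None else None}
            if svc is not None:
                # product + version is what nmap prints in its VERSION column
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                if version:
                    service["version"] = version
                if svc.get("extrainfo"):
                    service["extrainfo"] = svc.get("extrainfo")
                if svc.get("ostype"):
                    service["os"] = svc.get("ostype")
                cpes = [c.text for c in svc.findall("cpe")]
                if cpes:
                    service["cpe"] = cpes
                # method="table" is a guess from nmap-services; "probed" means a real banner matched
                service["fingerprinted"] = svc.get("method") == "probed"
            scripts = {s.get("id"): s.get("output") for s in port.findall("script")}
            if scripts:
                service["scripts"] = scripts
            result["services"].append(service)
    return result


if __name__ == "__main__":
    # Usage: python nmap_to_json.py services.xml  (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print(json.dumps(parse_nmap_xml(text), indent=2))
```

Run the scan with `-oX services.xml` alongside `-oN` and feed the XML to this script; the "fingerprinted" flag tells you whether a version string came from a matched probe or is only nmap's port-number guess, which is worth knowing before you search for exploits against it.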
Goal: Discover hidden files, directories, and web technologies
Layered Web Scanning:
# Layer 1: Quick directory scan
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50
# If Layer 1 finds little/nothing, escalate to Layer 2:
# Layer 2: Deep directory scan with larger wordlist
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak -t 100
# If still insufficient, try Layer 3:
# Layer 3: Alternative tools or techniques
# Option A: Different tool
feroxbuster -u http://TARGET -w /usr/share/wordlists/dirb/common.txt
# Option B: Vulnerability scanner
nikto -h http://TARGET
# Option C: Technology detection
whatweb http://TARGET
Output Format:
{
"web": {
"url": "http://10.10.10.1",
"technologies": ["Apache/2.4.29", "PHP/7.2", "WordPress 5.0"],
"directories": [
"/admin (Status: 403)",
"/uploads (Status: 301)",
"/backup (Status: 200)"
],
"files": [
"/config.php (Status: 200)",
"/README.txt (Status: 200)"
],
"vulnerabilities": [
"Outdated WordPress version",
"Directory listing enabled on /uploads"
]
}
}
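Added example, not from the original page: a parser that turns gobuster's text output into the "directories" / "files" lists of the structure above, together with the escalation trigger from the three-layer principle (Layer 1 finds little, so run Layer 2; still little, so run Layer 3) written as a function. The gobuster output is constructed for illustration; LAYERS mirrors the three commands listed above; parse_gobuster, next_layer, INTERESTING_RE and the threshold of three hits are my assumptions, not anything gobuster or the page defines.

```python
import re

# Constructed gobuster "dir" output for illustration (not from a real target);
# the hit line format "/path  (Status: NNN) [Size: N] [--> url]" is gobuster v3's.
SAMPLE_GOBUSTER = """\
===============================================================
Gobuster v3.6
===============================================================
[+] Url:            http://10.10.10.1
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Extensions:     php,html,txt
===============================================================
/admin                (Status: 403) [Size: 277]
/backup               (Status: 200) [Size: 1024]
/config.php           (Status: 200) [Size: 0]
/index.html           (Status: 200) [Size: 10918]
/README.txt           (Status: 200) [Size: 512]
/uploads              (Status: 301) [Size: 313] [--> http://10.10.10.1/uploads/]
Progress: 18460 / 18460 (100.00%)
===============================================================
"""

HIT_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>\S+)\])?"
)
# Names worth a manual look whatever the status code (my choice of patterns)
INTERESTING_RE = re.compile(r"backup|config|admin|upload|\.(bak|old|zip|sql)$", re.I)

# The three layers from the section above, as command templates
LAYERS = {
    1: "gobuster dir -u {url} -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50",
    2: "gobuster dir -u {url} -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak -t 100",
    3: "feroxbuster -u {url} -w /usr/share/wordlists/dirb/common.txt",
}


def parse_gobuster(output):
    """Split gobuster hits into the "directories" / "files" lists used on this page."""
    web = {"directories": [], "files": [], "interesting": []}
    for line in output.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # banner, progress and separator lines
        path, status, redirect = m["path"], int(m["status"]), m["redirect"]
        # A directory either redirects to itself with a trailing slash (301) or has no extension
        is_dir = (redirect is not None and redirect.endswith("/")) or "." not in path.rsplit("/", 1)[-1]
        web["directories" if is_dir else "files"].append("%s (Status: %d)" % (path, status))
        if INTERESTING_RE.search(path):
            web["interesting"].append(path)
    return web


def next_layer(current, hits, url, min_hits=3):
    """Escalation trigger: the next layer's command when this layer found fewer than min_hits paths, else None."""
    if hits >= min_hits or current >= max(LAYERS):
        return None
    return LAYERS[current + 1].format(url=url)


if __name__ == "__main__":
    web = parse_gobuster(SAMPLE_GOBUSTER)
    print(web)
    found = len(web["directories"]) + len(web["files"])
    print("next:", next_layer(1, found, "http://10.10.10.1"))
```

Pipe `gobuster dir ... -o layer1.txt` through parse_gobuster, count the hits, and let next_layer decide whether the larger wordlist is worth the extra time and noise; a 403 on /admin still counts as a hit, since it confirms the path exists.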
# Basic enumeration
enum4linux -a TARGET
# List shares
smbclient -L //TARGET -N
# Check for anonymous access
smbmap -H TARGET
# Check for anonymous login
ftp TARGET
# Try: anonymous / anonymous
# Banner grab
nc TARGET 21
# Get SSH version and algorithms
ssh -v TARGET
# List the authentication methods the server accepts: "Permission denied (publickey,password)." means password auth is enabled (a failed login like this does not by itself tell you whether the user exists)
ssh -o PreferredAuthentications=none -o PubkeyAuthentication=no user@TARGET 2>&1 | grep -i "permission denied"
# Banner grab
nc TARGET 3306
# Test default credentials
mysql -h TARGET -u root -p
# Try common passwords: root, admin, password, ''
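Added example for the banner-grabbing steps above (nc TARGET 21, ssh -v, nc TARGET 3306); it is not from the original page. It decodes what each server volunteers on connect, including MySQL's binary initial handshake, which is where the version, the auth plugin and whether TLS is offered actually live (nc only shows you a mangled string). All banners and packets are constructed inline; grab, parse_banner and the other function names are hypothetical. The MySQL field layout and the capability bits CLIENT_SSL (0x0800), CLIENT_SECURE_CONNECTION (0x8000) and CLIENT_PLUGIN_AUTH (0x80000) follow the documented client/server protocol.

```python
import socket
import struct

# MySQL capability flag bits (values from the documented client/server protocol)
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x80000

def grab(host, port, timeout=5.0):
    """What `nc HOST PORT` shows you: connect and read whatever the server volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)

def mysql_packet(payload, seq=0):
    """Prefix a payload with the 4-byte MySQL packet header (3-byte LE length, sequence id)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def mysql_greeting(server_version, caps):
    """Build a protocol-10 initial handshake with the given capability flags (constructed test data)."""
    return mysql_packet(
        b"\x0a" + server_version + b"\x00"     # protocol version, NUL-terminated version string
        + struct.pack("<I", 42)                  # connection id
        + b"A" * 8 + b"\x00"                     # auth-plugin-data part 1, filler
        + struct.pack("<H", caps & 0xFFFF)       # capability flags, lower 16 bits
        + b"\x21"                                # character set
        + struct.pack("<H", 0x0002)              # status flags
        + struct.pack("<H", caps >> 16)          # capability flags, upper 16 bits
        + b"\x15"                                # total auth-plugin-data length (21)
        + b"\x00" * 10                           # reserved
        + b"B" * 12 + b"\x00"                    # auth-plugin-data part 2
        + b"mysql_native_password\x00"           # auth plugin name
    )

# Constructed samples, not captured from a real host
SSH_BANNER = b"SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n"
FTP_BANNER = b"220 (vsFTPd 3.0.3)\r\n"
MYSQL_WITH_TLS = mysql_greeting(b"5.7.33-0ubuntu0.18.04.1", 0x00FFFFFF)
MYSQL_NO_TLS = mysql_greeting(b"5.7.33-0ubuntu0.18.04.1", 0x00FFFFFF & ~CLIENT_SSL)
# ERR packet (1130) when your IP is not allowed: no version leaks, but it is still a MySQL server
MYSQL_REFUSED = mysql_packet(b"\xff" + struct.pack("<H", 1130)
                             + b"Host '10.10.14.5' is not allowed to connect to this MySQL server")

def parse_ssh(data):
    """RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident, _, comment = line.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {"service": "ssh", "protocol": proto, "software": software, "comment": comment or None}

def parse_ftp(data):
    """First line of the FTP greeting: 3-digit code, then ' ' (last line) or '-' (more lines follow)."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    code, sep, text = line[:3], line[3:4], line[4:]
    if not code.isdigit():
        raise ValueError("not an FTP reply: %r" % line)
    return {"service": "ftp", "code": int(code), "banner": text, "multiline": sep == "-"}

def parse_mysql(data):
    """Decode the initial handshake (or ERR packet) a MySQL server sends before any client input."""
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated MySQL packet")
    if payload[0] == 0xFF:  # ERR packet: refused before any handshake, code then message
        code = struct.unpack_from("<H", payload, 1)[0]
        return {"service": "mysql", "error_code": code, "error": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 10:
        raise ValueError("unsupported handshake protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1  # connection id, auth-plugin-data part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2  # lower capabilities, charset, status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    caps = cap_lower | (cap_upper << 16)
    auth_len = payload[pos]
    pos += 1 + 10  # auth-plugin-data length, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)  # auth-plugin-data part 2
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {"service": "mysql", "version": version, "connection_id": conn_id,
            "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin}

def parse_banner(port, data):
    """Dispatch on port the way you would after `nc TARGET PORT`; unknown ports return the raw text."""
    if port == 21:
        return parse_ftp(data)
    if port == 22:
        return parse_ssh(data)
    if port == 3306:
        return parse_mysql(data)
    return {"service": "unknown", "banner": data.decode("ascii", "replace").strip()}
```

In use, `parse_banner(3306, grab(TARGET, 3306))` replaces `nc TARGET 3306`; "tls_offered" being False is itself a finding, and a 1130 ERR packet tells you the server is reachable but filters by source IP, so further MySQL testing belongs on an allowed host (often the web server from the same scan).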
Always format discoveries in JSON for easy parsing:
# Example: Parse nmap grepable output to JSON (each port entry is "port/state/proto/owner/service/rpcinfo/version/", comma-separated)
nmap -p- TARGET -oG - | awk -F'Ports: ' '/Ports:/{print $2}' | tr ',' '\n' | sed 's/^ *//' \
  | awk -F/ '$2=="open"{print $1, $3, $5}' \
  | jq -R -s 'split("\n") | map(select(length > 0) | split(" ") | {port: (.[0]|tonumber), protocol: .[1], service: .[2]})'
Timing: fast when noise is acceptable (-T4, --min-rate=1000), slower when it is not (-T2)
# Always save raw output
nmap ... -oN nmap-full.txt -oX nmap-full.xml
# Save discoveries to state file (merge the objects; appending with >> would leave two JSON documents in one file)
[ -s .pentest-state.json ] || echo '{}' > .pentest-state.json
jq -s '.[0] * .[1]' .pentest-state.json discovered.json > .pentest-state.json.tmp && mv .pentest-state.json.tmp .pentest-state.json
Don't miss:
# UDP services (nmap scans TCP only by default)
nmap -sU --top-ports 100 TARGET
# All 65535 TCP ports, not just the default top 1000
nmap -p- TARGET
# Small (fast)
/usr/share/wordlists/dirb/common.txt
# Medium (balanced)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Large (comprehensive)
/usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
# Specific to web apps
/usr/share/wordlists/wfuzz/general/common.txt
After completing reconnaissance, provide summary in this format:
{
"target": "10.10.10.1",
"scan_date": "2025-01-15",
"discovered": {
"ports": [
{"port": 22, "service": "ssh", "version": "OpenSSH 7.6p1"},
{"port": 80, "service": "http", "version": "Apache 2.4.29"}
],
"web": {
"technologies": ["Apache", "PHP", "WordPress"],
"interesting_paths": ["/admin", "/uploads", "/wp-admin"],
"vulnerabilities": ["Outdated WordPress", "Directory listing"]
},
"potential_vectors": [
"File upload via /uploads",
"WordPress plugin vulnerabilities",
"SSH password authentication enabled"
]
},
"recommended_actions": [
"Test file upload functionality on /uploads",
"Search for WordPress exploits for version detected",
"Enumerate WordPress users with wpscan"
]
}
When reconnaissance is complete, provide:
- .pentest-state.json

After reconnaissance is sufficient, proceed to the exploitation phase using exploitation knowledge.