Week 5: Reconnaissance
MITRE ATT&CK: Tactic — TA0043 (Reconnaissance), Techniques — T1590 (Gather Victim Network Information), T1595 (Active Scanning), T1592 (Gather Victim Host Information)
Real-World Attack Scenario: The Yahoo Reconnaissance Campaign
In 2013-2014, state-sponsored attackers conducted reconnaissance against Yahoo using multiple OSINT techniques:
Passive Recon (OSINT):
- WHOIS lookup revealed admin contacts and name servers
- DNS enumeration discovered mail.yahoo.com, auth.yahoo.com subdomains
- LinkedIn searches found IT administrators
- Leaked credentials from other breaches were tested
Active Recon:
- Nmap scans found exposed SSH (port 22) and potentially vulnerable services
- subdomain enumeration revealed developer testing environments
- SSL certificate analysis exposed internal hostnames in certs
Information Correlation:
- Combined data from multiple sources to build complete network map
- Identified weakest link (possibly a development server with weak creds)
Final Access:
- SQL injection in feed generator interface
- Command execution via unvalidated file upload
Why this week matters: The Yahoo breach wasn't caused by a sophisticated zero-day — it was thorough reconnaissance that found the entry point. Attackers spend 60-80% of their time on recon. The more you know about your attack surface, the better you can defend it.
Objectives
- Master passive and active reconnaissance techniques
- Learn OSINT methodology and tooling
- Understand scanning, enumeration, and information gathering
- Map attack surface for penetration testing
Reconnaissance Framework
Phase 1: Passive (OSINT) No direct interaction with target
├── WHOIS records
├── DNS enumeration
├── Subdomain discovery
├── Public code (GitHub, GitLab)
├── Leaked credentials
└── Social media / people search
Phase 2: Active (Direct probes) Traffic sent to target
├── Nmap scanning
├── Service fingerprinting
├── Directory enumeration
├── Vulnerability scanning
└── Technology detection
Golden rule: Spend 60-70% of your time in recon. More information = better attack plan.
Passive Recon (OSINT)
WHOIS Lookup
```bash
# Basic WHOIS
whois example.com
# Extract registrant info
whois example.com | grep -E "Registrant|Name Server|Creation"
# Reverse WHOIS (find other domains by email/org)
whois -h whois.verisign-grs.com "domain example.com" # Query the .com registry server directly (reverse WHOIS by email/org needs a service such as DomainTools)
# Use: https://whois.domaintools.com/
```
DNS Enumeration
```bash
# Record types
dig example.com A # IPv4
dig example.com AAAA # IPv6
dig example.com MX # Mail servers
dig example.com NS # Nameservers
dig example.com TXT # SPF, DKIM, verification
dig example.com SOA # Start of authority
dig AXFR example.com @ns1.example.com # Zone transfer attempt (ask an authoritative NS directly; a correctly configured server refuses)
# All record types
dig any example.com
# Reverse DNS
dig +short -x 93.184.216.34
# Passive DNS (RiskIQ, VirusTotal)
# Use online tools for passive intel
# Tools
dnsenum example.com
dnsenum -f /usr/share/dnsenum/dns.txt example.com
fierce -dns example.com
dnsrecon -d example.com
dnsrecon -d example.com -t axfr # Zone transfer
```
Subdomain Enumeration
```bash
# Amass (OWASP, best overall)
amass enum -passive -d example.com
amass enum -active -d example.com -brute
amass enum -dir /tmp/amass -d example.com
# Subfinder (fast, passive)
subfinder -d example.com
subfinder -d example.com -o subdomains.txt
subfinder -d example.com -recursive
# Assetfinder (uses certspotter, facebook, etc.)
assetfinder example.com
# Findomain (certspotter, virustotal, sublist3r)
findomain -t example.com
# Virtual host enumeration
ffuf -w /usr/share/wordlists/subdomains.txt -u http://example.com -H "Host: FUZZ.example.com"
# Permutations
# Permutations (dnsgen reads known subdomains, e.g. the subfinder -o output, and mutates them; -w adds your own word list)
dnsgen -w wordlist.txt subdomains.txt | head -20
```
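Each of the tools above prints hostnames a little differently (mixed case, trailing dots, wildcard entries, full URLs), and the "Information Correlation" step from the Yahoo scenario starts with merging them into one list. The following Python script is an added example, not part of the course material: it normalizes constructed outputs from several tools, keeps only in-scope names (an exact suffix match, so `www.example.com.evil.test` is rejected), and sets wildcard labels aside because brute-force hits under a wildcard need separate validation. The sample outputs are constructed, not real scan results.

```python
"""Merge subdomain lists from several tools into one deduplicated, in-scope inventory."""
import re
from urllib.parse import urlsplit

# Constructed outputs in the shapes the tools above tend to print (not real results).
AMASS_OUT = """www.example.com
Mail.Example.com
dev.example.com.
"""
SUBFINDER_OUT = """api.example.com
*.staging.example.com
www.example.com
example.com
"""
ASSETFINDER_OUT = """https://blog.example.com/
cdn.example.net
www.example.com.evil.test
"""

# Hostname syntax check (optional "*." wildcard prefix, DNS labels, alphabetic TLD).
HOST_RE = re.compile(r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize(entry):
    """Turn a raw line into a bare lowercase hostname, or None if it is not a hostname."""
    entry = entry.strip().lower()
    if not entry:
        return None
    if "://" in entry:                      # tools sometimes emit URLs
        entry = urlsplit(entry).hostname or ""
    entry = entry.rstrip(".")               # drop trailing dot from FQDN-style output
    return entry if HOST_RE.match(entry) else None


def in_scope(host, root):
    """Exact suffix match: 'example.com.evil.test' must NOT count as in scope."""
    return host == root or host.endswith("." + root)


def merge_subdomains(root, *outputs):
    """Return (hosts, wildcards): sorted in-scope hostnames and the wildcard labels seen."""
    hosts, wildcards = set(), set()
    for text in outputs:
        for line in text.splitlines():
            host = normalize(line)
            if host is None:
                continue
            if host.startswith("*."):
                wildcards.add(host[2:])     # keep wildcard zones apart from real hosts
                continue
            if in_scope(host, root):
                hosts.add(host)
    return sorted(hosts), sorted(w for w in wildcards if in_scope(w, root))


if __name__ == "__main__":
    hosts, wildcards = merge_subdomains("example.com", AMASS_OUT, SUBFINDER_OUT, ASSETFINDER_OUT)
    print("in-scope hosts:", hosts)
    print("wildcard zones:", wildcards)
```

Feed it the real files (`amass -o`, `subfinder -o`, `assetfinder > file`) by reading them into strings; the in-scope check is the part worth keeping even if you replace the rest with `sort -u`.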
GitHub/OSINT Recon
```bash
# GitHub recon
gitrob user/org # Find sensitive files in org repos
trufflehog github --org=<org> # Search for secrets in commits
shhgit -threads 10 -q 100 # Real-time GitHub search
# Search for domain in pastes
# https://haveibeenpwned.com/
# https://dehashed.com/
# Google dorking
site:example.com filetype:pdf
site:example.com "internal"
site:example.com intitle:"admin"
site:example.com inurl:login
site:example.com filetype:log
```
People Search
```bash
# Names, emails, positions
# https://hunter.io/ - Email hunter
# https://phonebook.cz/ - Contacts
# https://rocketreach.com/ - Professional info
# https://linkedin.com/ - Company/employee research
```
Active Reconnaissance
Nmap Deep Dive
```bash
# Ping sweep (host discovery)
nmap -sn 10.0.0.0/24 # Disable port scan
nmap -sn -PS22,80,443 10.0.0.0/24 # SYN ping
nmap -sn -PA22,80,443 10.0.0.0/24 # ACK ping
nmap -sn -PU53,161,123 10.0.0.0/24 # UDP ping
# Port scanning techniques
nmap -sT 10.0.0.5 # TCP connect (full handshake, logged)
nmap -sS 10.0.0.5 # SYN scan (half-open, stealthier)
nmap -sU 10.0.0.5 # UDP scan (slow, combine with TCP)
nmap -sN 10.0.0.5 # Null scan (no flags)
nmap -sF 10.0.0.5 # FIN scan
nmap -sX 10.0.0.5 # Xmas scan (FIN+URG+PSH)
# Version detection
nmap -sV 10.0.0.5 # Version + port
nmap -sV --script=banner 10.0.0.5 # Explicit banner grab
# OS detection
nmap -O 10.0.0.5 # OS fingerprinting
nmap -A 10.0.0.5 # All: OS, version, scripts, traceroute
# Script scanning (NSE - Nmap Scripting Engine)
nmap -sC 10.0.0.5 # Default scripts
nmap --script=vuln 10.0.0.5 # Vulnerability scripts
nmap --script=http-enum 10.0.0.5 # Directory enumeration
nmap --script=dns-zone-transfer 10.0.0.5 # Zone xfer
nmap --script=ssl-enum-ciphers 10.0.0.5 # SSL analysis
# Performance
nmap -T0 10.0.0.5 # Paranoid (IDS evasion)
nmap -T1 10.0.0.5 # Sneaky
nmap -T2 10.0.0.5 # Polite
nmap -T3 10.0.0.5 # Normal (default)
nmap -T4 10.0.0.5 # Aggressive
nmap -T5 10.0.0.5 # Insane
# Specific port ranges
nmap -p 22 10.0.0.5 # Single port
nmap -p 22,80,443 10.0.0.5 # Multiple ports
nmap -p 1-1000 10.0.0.5 # Range
nmap -p- 10.0.0.5 # All 65535 ports
nmap --top-ports 100 10.0.0.5 # Top 100 most common
# Output formats
nmap -oA scan 10.0.0.5 # All formats (.nmap, .xml, .gnmap)
nmap -oN scan.nmap 10.0.0.5 # Normal
nmap -oX scan.xml 10.0.0.5 # XML (for parsing)
nmap -oG scan.grep 10.0.0.5 # Grepable
```
Masscan (Fast Internet Scanner)
```bash
# Install
sudo apt install masscan
# Usage (needs sudo)
masscan 10.0.0.0/24 -p80,443,22 --rate=10000
masscan 0.0.0.0/0 -p80,443 --rate=1000 # Internet-wide
masscan 10.0.0.0/24 -p1-1000 --rate=10000
# Parse results
masscan --open 10.0.0.0/24 -p22,80,443 --rate=10000 -oJ scan.json
```
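Scans at masscan rates are just as visible in the target's own logs, which is what a blue team keys on. The following Python script is an added example, not part of the course: it runs a simple detection rule over constructed connection-log lines (a synthetic `src= dst= dport=` format) in fixed time windows, flagging a source that touches many ports on one host as a vertical scan and one that touches one port on many hosts as a horizontal sweep. The log format, window size and thresholds are assumptions; tune them to your own traffic.

```python
"""Detect vertical and horizontal port scans (ATT&CK T1595) in connection logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def _build_sample_log():
    """Constructed log: benign traffic, one vertical scan, one horizontal sweep."""
    lines = []
    base = datetime(2024, 3, 1, 12, 0, 0)
    for i in range(10):                     # workstation talking to the web server
        t = base + timedelta(seconds=i * 7)
        lines.append(f"{t.isoformat()} src=10.0.0.21 dst=10.0.0.5 dport=443 proto=tcp")
    for p in range(1, 41):                  # one source sweeping 40 ports on one host in 2 s
        t = base + timedelta(milliseconds=p * 50)
        lines.append(f"{t.isoformat()} src=203.0.113.7 dst=10.0.0.5 dport={p} proto=tcp")
    for h in range(1, 31):                  # one source probing port 22 on 30 hosts
        t = base + timedelta(seconds=30, milliseconds=h * 20)
        lines.append(f"{t.isoformat()} src=198.51.100.9 dst=10.0.0.{h} dport=22 proto=tcp")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scans(lines, window_seconds=60, port_threshold=20, host_threshold=20):
    """Bucket events into fixed windows per source. A source hitting >= port_threshold distinct
    ports on one host in a window is a vertical scan; >= host_threshold distinct hosts on one
    port is a horizontal sweep. Returns sorted (kind, src, target, count) tuples."""
    buckets = defaultdict(list)             # (src, window index) -> [(dst, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # unparseable lines are skipped, not fatal
        ts, src, dst, dport = parsed
        buckets[(src, int(ts.timestamp()) // window_seconds)].append((dst, dport))
    alerts = []
    for (src, _idx), pairs in buckets.items():
        ports_by_dst, hosts_by_port = defaultdict(set), defaultdict(set)
        for dst, dport in pairs:
            ports_by_dst[dst].add(dport)
            hosts_by_port[dport].add(dst)
        for dst, ports in ports_by_dst.items():
            if len(ports) >= port_threshold:
                alerts.append(("vertical", src, dst, len(ports)))
        for dport, hosts in hosts_by_port.items():
            if len(hosts) >= host_threshold:
                alerts.append(("horizontal", src, dport, len(hosts)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

A slow `-T0`/`-T1` scan spreads its probes over many windows and slides under a per-window threshold; counting distinct ports per source over a longer horizon (hours) is the usual second rule for that case.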
Service Enumeration
FTP (21)
```bash
# Connect
ftp 10.0.0.5
# anonymous/anonymous or test/test
# Commands
ls
get file.txt
put file.txt
bye
# Nmap scripts
nmap --script=ftp-anon,ftp-bounce,ftp-proftpd-backdoor 10.0.0.5
```
SSH (22)
```bash
# Banner grab
nc -nv 10.0.0.5 22
ssh -v 10.0.0.5
# Enum supported algorithms and auth methods (SSH exposes no user list; enum4linux is an SMB tool, see below)
nmap --script=ssh2-enum-algos 10.0.0.5
nmap --script=ssh-auth-methods 10.0.0.5
# Key exchange
nmap -p 22 --script=ssh-hostkey 10.0.0.5
# Try brute force (with authorization)
hydra -l root -P wordlist.txt ssh://10.0.0.5
```
SMB (445/139)
```bash
# Null session
smbclient -L //10.0.0.5 -N
rpcclient -U "" -N 10.0.0.5
# Enum with enum4linux
enum4linux -a 10.0.0.5
enum4linux -u administrator -p password -a 10.0.0.5
# Nmap scripts
nmap --script=smb-enum-shares,smb-enum-users 10.0.0.5
nmap --script=smb-vuln* 10.0.0.5 # Vulnerability scan (careful!)
# Impacket
python3 GetNPUsers.py -usersfile users.txt -dc-ip 10.0.0.5 DOMAIN/
python3 secretsdump.py user:pass@10.0.0.5
```
HTTP (80/443/8080)
```bash
# Whatweb (identify technologies)
whatweb 10.0.0.5
whatweb --log-xml=whatweb.xml 10.0.0.5
# Wappalyzer (browser extension also works)
# https://www.wappalyzer.com/
# Nikto (vulnerability scanner)
nikto -h http://10.0.0.5
nikto -h https://10.0.0.5 -ssl -useproxy http://127.0.0.1:8080
# Directory enumeration
gobuster dir -u http://10.0.0.5 -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://10.0.0.5 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
# ffuf (fast fuzzer)
ffuf -w /usr/share/wordlists/raft-small-directories.txt -u http://10.0.0.5/FUZZ
ffuf -w /usr/share/wordlists/subdomains.txt -u http://example.com -H "Host: FUZZ.example.com"
ffuf -w params.txt -u http://10.0.0.5/api?param=FUZZ
```
Web Technology Detection
```bash
# Wappalyzer / whatweb
whatweb -a 3 http://10.0.0.5
# BuiltWith
# https://builtwith.com/
# SSL/TLS analysis
nmap -p 443 --script=ssl-cert,ssl-enum-ciphers 10.0.0.5
testssl.sh --fast 10.0.0.5 # If installed
# Headers
curl -I http://10.0.0.5
# CMS detection
# WordPress: wpscan --url http://10.0.0.5
# Drupal: droopescan scan drupal -u http://10.0.0.5
```
Automated Recon Frameworks
Sn1per
```bash
# Community edition
sniper -t example.com -m stealth
sniper -t 10.0.0.5 -m port
sniper -t example.com -m web
```
AutoRecon
```bash
# Install
pip3 install autorecon
# Usage
autorecon 10.0.0.5
autorecon 10.0.0.0/24
```
Nmap Automation Script
```bash
#!/bin/bash
# Quick comprehensive scan: top-100 discovery, service/script scan of what is open, then full TCP and top UDP
TARGET="$1"
[ -z "$TARGET" ] && { echo "Usage: $0 <target>"; exit 1; }
echo "[*] Starting recon on $TARGET"
# Quick scan - top 100 ports
# Grepable output lists ports as "22/open/tcp//ssh///, 80/open/tcp//http///", so pull out the "<port>/open" entries
echo "[*] Top 100 port scan..."
OPEN_PORTS=$(nmap --top-ports 100 -oG - "$TARGET" | grep -oE '[0-9]+/open' | cut -d/ -f1 | paste -sd, -)
if [ -n "$OPEN_PORTS" ]; then
    nmap -sV -sC -p "$OPEN_PORTS" -oA nmap_top100 "$TARGET"
else
    echo "[!] No open ports among the top 100"
fi
# Full port scan if needed
echo "[*] Full port scan..."
nmap -sV -sC -p- -oA nmap_full "$TARGET"
# UDP scan top ports
echo "[*] UDP scan..."
nmap -sU -sV --top-ports 20 -oA nmap_udp "$TARGET"
echo "[*] Recon complete. Review nmap_*.{nmap,xml,gnmap} files"
```
Practice Labs
Lab 1: Full Recon on Metasploitable
```bash
# Boot Metasploitable, find IP
nmap -sn 10.0.0.0/24
# Run comprehensive scan
nmap -sV -sC -A -p- 10.0.0.5 -oA metasploitable_full
# Analyze with grep
grep "22/tcp" metasploitable_full.nmap
grep "open" metasploitable_full.nmap | head -30
```
Lab 2: Subdomain Brute Force
```bash
# Create wordlist of potential subdomains
echo -e "www\nmail\nftp\nadmin\nblog\napi\ndev\ntest\nstaging" > subdomains.txt
# Run ffuf
ffuf -w subdomains.txt -u http://example.com -H "Host: FUZZ.example.com"
# Compare with subfinder (passive)
subfinder -d example.com
```
Lab 3: GitHub OSINT
```bash
# Clone a public repo and search for secrets
git clone https://github.com/user/repo.git
grep -r "password" --include="*.py" --include="*.js" --include="*.json" .
grep -r "api_key" --include="*.py" .
grep -rn "-----BEGIN.*PRIVATE KEY-----" .
```
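The grep commands in Lab 3 catch the obvious strings. The same idea from the defender's side, as an added Python example that is not part of the course, is a small pre-commit style secret scanner: it runs pattern rules over constructed file contents and applies a Shannon-entropy filter so placeholders such as "changeme" do not trigger while a real-looking random key does. The rule set, threshold and sample files are assumptions constructed for this example; the AWS access key id shown is Amazon's documentation example value, not a live credential.

```python
"""Scan file contents for committed secrets (pre-commit style check)."""
import math
import re
from collections import Counter

# Rule name -> compiled regex. A named group "value" (where present) feeds the entropy filter.
RULES = {
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-secret-assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*["'](?P<value>[^"'\s]{8,})["']"""),
}
ENTROPY_THRESHOLD = 3.0   # bits per character; "changeme" scores about 2.75, random keys well above 4

# Constructed sample repository contents (path -> text).
SAMPLE_FILES = {
    "config.py": 'DB_PASSWORD = "changeme"\nAPI_KEY = "Qm9vGz7pL2xKd8sTf4wN1rYe"\n',
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",   # AWS docs example key
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nnot-real-key-material\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return [(path, line number, rule name)] for every rule hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.groupdict().get("value")
            if value is not None and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue                    # low-entropy value: almost certainly a placeholder
            findings.append((path, lineno, rule))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping; wire os.walk() + open() in front of this for a real tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("SECRET?", finding)
```

Entropy filtering cuts noise but also misses weak real passwords; treat the two rule types differently in review (format rules like the AWS pattern are high confidence, the generic assignment rule is a prompt to look).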
Key Takeaways
- Recon is 60-70% of the work — don't skip it
- Passive first — OSINT before touching target
- Subdomain enumeration — find hidden assets
- Nmap mastery — every flag, timing, output format
- Automation — script repetitive tasks
- Document everything — note IPs, services, versions, potential vulns
Next Week Preview
Week 6 dives into Web Application Testing — you'll learn OWASP Top 10, Burp Suite, SQL injection, XSS, SSRF, and more. Web apps are the most common entry point.