From Shadows to Contact
In Part 2, we gathered intelligence without touching the target. Now we cross the line—Active Reconnaissance involves directly probing the target’s systems. You will leave footprints. Firewalls will log your IP. IDS systems may alert.
This is where the Rules of Engagement become critical. You must have explicit written permission for every IP range you scan.
Port Scanning: Mapping the Attack Surface
Every network service listens on a port. Finding open ports reveals what services are running and where.
- Port 22: SSH
- Port 80/443: HTTP/HTTPS
- Port 3306: MySQL
- Port 3389: RDP
- Port 445: SMB
Nmap: The Network Mapper
Nmap is the industry standard. It’s not just a port scanner—it’s a complete network reconnaissance framework.
Basic Scans
```bash
# Simple TCP scan
nmap 192.168.1.1
# Scan specific ports
nmap -p 22,80,443 192.168.1.1
# Scan all 65535 ports
nmap -p- 192.168.1.1
# Scan a range
nmap 192.168.1.1-254
# Scan from file
nmap -iL targets.txt
```
Scan Types
| Flag | Type | Description |
|---|---|---|
| -sS | SYN Scan | Stealthy, doesn’t complete handshake (default with root) |
| -sT | Connect Scan | Full TCP connection, more detectable |
| -sU | UDP Scan | Slow but finds DNS, SNMP, TFTP |
| -sV | Version Detection | Identifies service versions |
| -sC | Script Scan | Runs default NSE scripts |
| -O | OS Detection | Fingerprints operating system |
| -A | Aggressive | Combines -sV -sC -O --traceroute |
Stealth Techniques
```bash
# Slow scan to avoid detection
nmap -T1 -sS 192.168.1.1
# Fragment packets
nmap -f 192.168.1.1
# Decoy scan (spoofed source IPs)
nmap -D RND:10 192.168.1.1
# Idle scan (zombie host)
nmap -sI zombie_host target
```
My Go-To Command
```bash
nmap -sC -sV -oA scan_results 192.168.1.1
```
- -sC: Default scripts for additional info
- -sV: Version detection
- -oA: Output in all formats (for documentation)
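The -oA switch also writes a grepable .gnmap file, which is the easiest format to turn into the service inventory you will later file under active/nmap/ and summarize in findings.md. The parser below is an added example, not code from the original post; the scan data in it is constructed to match the .gnmap layout, and the hosts and versions are made up.

```python
"""Parse Nmap grepable output (.gnmap, written by -oA) into a service inventory.
Added example, not from the original post; SAMPLE_GNMAP is a constructed .gnmap file
in the shape `nmap -sC -sV -oA scan_results` writes, with made-up hosts and versions."""
from collections import defaultdict

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sC -sV -oA scan_results 192.168.1.1-2\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.38/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.2 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tPorts: 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (999)\n"
    "# Nmap done at Mon Jan  1 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds\n"
)

def parse_port_field(field):
    """Split one grepable port entry: port/state/protocol/owner/service/rpc info/version/"""
    parts = field.strip().split("/")
    port, state, proto, _owner, service, _rpc = parts[:6]
    version = "/".join(parts[6:]).rstrip("/")  # rejoin in case the version text had a slash
    return {"port": int(port), "proto": proto, "state": state,
            "service": service, "version": version}

def parse_gnmap(text):
    """Return {ip: [port records]} keeping only the ports Nmap reported as open."""
    inventory = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." header and footer lines carry no port data
        fields = line.split("\t")  # "Host: ip (name)", "Ports: ...", "Ignored State: ..."
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    rec = parse_port_field(entry)
                    if rec["state"] == "open":
                        inventory[ip].append(rec)
    return dict(inventory)

def to_markdown(inventory):
    """Render the inventory as a table ready to paste into findings.md."""
    rows = ["| Host | Port | Service | Version |", "|---|---|---|---|"]
    for ip in sorted(inventory):
        for rec in inventory[ip]:
            rows.append(f"| {ip} | {rec['port']}/{rec['proto']} | {rec['service']} | {rec['version']} |")
    return "\n".join(rows)

if __name__ == "__main__":
    print(to_markdown(parse_gnmap(SAMPLE_GNMAP)))
```

Filtered and closed ports are dropped on purpose: the table is meant to list what needs enumeration next, not everything the scanner touched.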
Service Enumeration
Open ports are just the beginning. We need to understand what is running and what version.
Banner Grabbing
```bash
# Manual banner grab
nc -v 192.168.1.1 22
# Output: SSH-2.0-OpenSSH_7.9p1 Debian-10
# With Nmap
nmap -sV --version-intensity 5 192.168.1.1
```
HTTP Enumeration
Web servers require special attention.
```bash
# Nikto web scanner
nikto -h http://192.168.1.1
# Directory brute force
gobuster dir -u http://192.168.1.1 -w /usr/share/wordlists/dirb/common.txt
# Technology fingerprinting
whatweb 192.168.1.1
```
SMB Enumeration (Port 445)
SMB is often misconfigured and extremely valuable.
```bash
# Enumerate shares
smbclient -L //192.168.1.1 -N
# List users
enum4linux -a 192.168.1.1
# Check for EternalBlue
nmap --script smb-vuln-ms17-010 192.168.1.1
```
DNS Enumeration (Port 53)
```bash
# Zone transfer (if misconfigured)
dig axfr @192.168.1.1 target.com
# Reverse DNS lookup
nmap -sL 192.168.1.0/24
```
SNMP Enumeration (Port 161 UDP)
SNMP with default community strings leaks massive information.
```bash
# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1
# Enumerate with community string
snmpwalk -v2c -c public 192.168.1.1
```
Vulnerability Scanning
Now we map our discovered services to known vulnerabilities.
Nmap Scripting Engine (NSE)
Nmap includes hundreds of vulnerability scripts.
```bash
# Find all vuln scripts
ls /usr/share/nmap/scripts/ | grep vuln
# Run vulnerability scripts
nmap --script vuln 192.168.1.1
# Specific vulnerability check
nmap --script http-vuln-cve2017-5638 192.168.1.1
```
Nessus
Industry-standard vulnerability scanner. Commercial but essential for enterprise assessments.
OpenVAS
Open-source alternative to Nessus. Comprehensive vulnerability database.
Nuclei
Fast, template-based scanner with community-contributed checks.
```bash
nuclei -u http://192.168.1.1 -t cves/
```
Web Application Scanning
Web apps have their own attack surface.
Burp Suite
The essential web proxy. Intercepts, modifies, and replays HTTP requests. Professional version includes automated scanning.
OWASP ZAP
Free alternative to Burp with active scanning capabilities.
WPScan (WordPress)
```bash
wpscan --url http://target.com --enumerate u,vp,vt
```
SQLMap
```bash
sqlmap -u "http://target.com/page?id=1" --dbs
```
Organizing Your Findings
Active recon generates massive amounts of data. Organization is critical.
Directory Structure
```text
/engagement
├── scope.txt
├── passive/
│   ├── subdomains.txt
│   └── emails.txt
├── active/
│   ├── nmap/
│   │   ├── initial_scan.nmap
│   │   ├── full_port_scan.nmap
│   │   └── service_scan.nmap
│   ├── web/
│   │   ├── gobuster.txt
│   │   └── nikto.txt
│   └── vulnerabilities/
│       └── findings.md
└── exploitation/
```
Note-Taking Tools
- Cherry Tree: Hierarchical notes with rich text.
- Obsidian: Markdown-based with linking.
- Notion: Cloud-based collaboration.
Avoiding Detection
Even authorized testers should practice stealth—it’s good training.
Timing
- Scan during business hours (blends with normal traffic).
- Use slow scan speeds (-T2 or -T1).
Source Obfuscation
- Rotate source IPs if authorized.
- Use VPN exit nodes.
Traffic Blending
- Keep request rates reasonable.
- Avoid obvious scanner user-agents.
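The timing advice above (and the -T1 stealth scan earlier) is worth seeing from the other side of the firewall. Most simple port-scan detectors count distinct destination ports per source inside a sliding time window, so a burst scan trips them immediately while a slow scan only shows up once the window is long enough to cover it. The detector below is an added example, not code from the original post; the log lines are constructed in a generic key=value format, the source addresses are documentation ranges, and the thresholds are illustrative.

```python
"""Threshold-based port-scan detection over firewall connection logs.
Added example, not from the original post. Log lines are constructed in a generic
key=value format; window and port-count thresholds are illustrative, not a product default."""
from collections import defaultdict, deque
from datetime import datetime, timezone

def parse_line(line):
    """'2024-01-01T10:00:00Z DENY src=... dst=... dport=22 proto=tcp' -> (time, src, dport)"""
    ts, _action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, fields["src"], int(fields["dport"])

def detect_scans(lines, window_s, min_ports):
    """Return {src: time of first alert} for every source that touched at least
    min_ports distinct destination ports inside any window_s-second sliding window."""
    recent = defaultdict(deque)  # src -> (time, dport) events, oldest first
    alerts = {}
    for t, src, dport in sorted(map(parse_line, lines)):
        q = recent[src]
        q.append((t, dport))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        if src not in alerts and len({p for _, p in q}) >= min_ports:
            alerts[src] = t
    return alerts

def make_log():
    """Constructed sample: 203.0.113.5 probes 10 ports within 2 s, 203.0.113.9 probes the
    same 10 ports one every 5 minutes, and 192.168.1.50 is a user reaching 443 three times."""
    ports = [21, 22, 23, 25, 80, 443, 445, 3306, 3389, 8080]
    lines = []
    for i, p in enumerate(ports):
        lines.append(f"2024-01-01T10:00:{i // 5:02d}Z DENY src=203.0.113.5 dst=192.168.1.1 dport={p} proto=tcp")
        lines.append(f"2024-01-01T10:{i * 5:02d}:00Z DENY src=203.0.113.9 dst=192.168.1.1 dport={p} proto=tcp")
    for m in (2, 17, 41):
        lines.append(f"2024-01-01T10:{m:02d}:30Z ALLOW src=192.168.1.50 dst=192.168.1.1 dport=443 proto=tcp")
    return lines

if __name__ == "__main__":
    log = make_log()
    print(detect_scans(log, window_s=60, min_ports=5))    # only the burst scanner
    print(detect_scans(log, window_s=3600, min_ports=5))  # both scanners
```

The repeated connections from 192.168.1.50 never alert because only distinct ports are counted, which is why the detector tolerates normal users while still catching a slow scan once the window is widened.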
From Recon to Attack
After active reconnaissance, you should know:
- Open Ports: Complete map of network services.
- Service Versions: Exact software and versions.
- Potential Vulnerabilities: CVEs, misconfigurations.
- Web Endpoints: Hidden directories, APIs, admin panels.
- User Information: Usernames, email formats.
This intelligence feeds directly into the Exploitation phase—where we validate vulnerabilities and gain access.
Next Part: Exploitation—turning vulnerabilities into access using Metasploit, manual techniques, and real-world attack chains.