# Chapter 1: External Recon & Target Mapping
Tags: #recon #osint #nmap #dns #whois #fingerprinting #subdomain-enum
## Overview
Recon is the widest part of your funnel. You start blind and progressively narrow to a set of confirmed, prioritized attack surfaces. This chapter moves from fully passive (zero contact with the target) through active scanning, ending with a triage decision that routes you into Chapter 2 (web) or Chapter 3 (services). Never skip recon to "save time" — the vector you miss here is the one that would have gotten you in cleanest.
## Recon Decision Tree

```text
START: You have a domain name and/or IP range in scope
│
├── STEP 1: Passive OSINT (zero target contact)
│   │
│   ├── Run WHOIS → note registrar, contacts, name servers         §1
│   ├── Query crt.sh → harvest subdomains from TLS certs           §2
│   ├── Query Shodan/Censys → pre-indexed port/banner data         §3
│   ├── DNS enumeration → A, MX, TXT, NS, AXFR attempts            §4
│   └── Web archive check → historical tech stack / old paths      §5
│   │
│   └── Compile: domains, IPs, subdomains, tech hints
│
├── STEP 2: Active Host Discovery (light touch)
│   │
│   ├── Ping sweep / host discovery → which IPs are alive?         §6
│   └── Did ICMP get blocked?
│       ├── YES → use TCP/SYN sweep on common ports
│       └── NO  → proceed with live host list
│
├── STEP 3: Port Scanning
│   │
│   ├── Fast scan first (top 1000) → any quick wins?               §7
│   ├── Full port scan in background (-p-)                         §8
│   └── UDP scan on top 20 UDP ports                               §9
│
├── STEP 4: Service & Version Fingerprinting                       §10
│   │
│   └── -sV + -sC on all open ports → banner grab everything
│
├── STEP 5: Web Fingerprinting (if HTTP/S found)                   §11
│   │
│   ├── whatweb / curl headers → tech stack, CMS, frameworks
│   ├── aquatone → screenshot all web surfaces at once
│   └── Vhost enumeration → hidden subdomains on same IP
│
└── STEP 6: Triage — Where do you go next?                         §12
    │
    ├── Web surface found (80/443/8080/8443/alt-HTTP)?
    │   └── → Chapter 2: Web Attack Surface
    │
    ├── Non-web services found (21/22/25/445/3306/3389/etc)?
    │   └── → Chapter 3: Service & Protocol Exploitation
    │
    └── Both found?
        └── → Prioritize web first (broader attack surface,
                less noise). Run Chapter 3 in parallel if time allows.
```
## 1. WHOIS Lookup
Info
Passive. Zero network contact with the target. Run this before anything else. Name servers, registrar, and admin contacts all feed into later attack phases (phishing, DNS zone transfer attempts, vhost guessing).
1. Query WHOIS
Look for: registrar, creation date, name servers, admin/tech contact emails, and whether privacy protection is hiding registrant info.
2. Extract name servers for later DNS work
## 2. Certificate Transparency — Subdomain Harvesting
Info
TLS certificates are public record. crt.sh indexes every certificate ever issued for a domain, revealing subdomains the target never intended to expose publicly.
1. Query crt.sh for all subdomains
2. Filter wildcard and duplicate entries
```bash
curl -s "https://crt.sh/?q=<TARGET_DOMAIN>&output=json" \
  | jq -r '.[].name_value' \
  | sed 's/\*\.//g' \
  | sort -u > recon/dns/crt_subdomains.txt
```
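The jq/sed one-liner is the quick version. As an added example (not from the original page), the Python below builds the same inventory from crt.sh-shaped JSON, constructed here rather than fetched, and also splits multi-SAN `name_value` entries, discards look-alike identities that merely contain the domain, and flags names whose certificates have all expired, which is what a defender monitoring Certificate Transparency for their own domain wants to see (stale names are dangling-DNS candidates).

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output, trimmed to the
# fields this parser reads (real entries also carry id, issuer_name, etc.).
SAMPLE_CRT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_after": "2099-01-01T00:00:00"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nstaging.example.com",
     "not_after": "2023-04-01T00:00:00"},
    {"common_name": "legacy-vpn.example.com",
     "name_value": "Legacy-VPN.example.com",
     "not_after": "2022-12-31T23:59:59"},
    {"common_name": "example.com.lookalike.invalid",
     "name_value": "example.com.lookalike.invalid",
     "not_after": "2099-01-01T00:00:00"},
])


def parse_crtsh(raw_json, domain, now=None):
    """Return {name: covered_by_unexpired_cert} for every name under domain."""
    now = now or datetime.now()
    domain = domain.lower()
    inventory = {}
    for entry in json.loads(raw_json):
        unexpired = datetime.fromisoformat(entry["not_after"]) > now
        # crt.sh joins a certificate's SANs with newlines inside name_value,
        # so one entry can yield several names.
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard proves only the name it hangs off
            if name != domain and not name.endswith("." + domain):
                continue  # identity merely contains the domain: skip it
            inventory[name] = inventory.get(name, False) or unexpired
    return inventory


def stale_names(inventory):
    """Names whose every certificate has expired: review for dangling DNS."""
    return sorted(n for n, ok in inventory.items() if not ok)


if __name__ == "__main__":
    inv = parse_crtsh(SAMPLE_CRT_JSON, "example.com")
    print(sorted(inv))
    print(stale_names(inv))
```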
## 3. Shodan / Censys Pre-Indexed Recon
Info
Shodan and Censys have already scanned the entire internet. Query them before you touch the target — you get port/banner data for free with zero detection risk.
1. Shodan CLI query
2. Shodan search by organization / domain
Look for: exposed ports, software versions, TLS cert details, banners. Cross-reference with your crt.sh subdomain list.
3. Google Dork for exposed assets
```text
# In browser:
site:<TARGET_DOMAIN> -www
intitle:"index of" site:<TARGET_DOMAIN>
inurl:"/admin" site:<TARGET_DOMAIN>
filetype:pdf site:<TARGET_DOMAIN>
```
## 4. DNS Enumeration
Warning
DNS zone transfers (AXFR) are uncommon but when they work, they hand you the entire internal DNS map. Always attempt before moving on.
1. Basic DNS record query
```bash
dig <TARGET_DOMAIN> ANY +noall +answer
dig <TARGET_DOMAIN> A +short
dig <TARGET_DOMAIN> MX +short
dig <TARGET_DOMAIN> TXT +short
dig <TARGET_DOMAIN> NS +short
```
2. Attempt zone transfer against each name server
```bash
# Replace <NS_SERVER> with each name server found in WHOIS/dig
dig axfr <TARGET_DOMAIN> @<NS_SERVER>
```
3. Automated subdomain brute-force
```bash
dnsenum --dnsserver <NS_SERVER> --enum -p 0 -s 0 -o recon/dns/dnsenum.txt \
  -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
  <TARGET_DOMAIN>
```
4. Reverse DNS on discovered IPs
## 5. Web Archive Analysis
Info
Historical snapshots can reveal: old admin panels, decommissioned endpoints, previously exposed credentials in source code, and tech stack changes that hint at legacy vulnerabilities.
1. Check Wayback Machine for snapshots
```bash
curl -s "http://web.archive.org/cdx/search/cdx?url=<TARGET_DOMAIN>/*&output=text&fl=original&collapse=urlkey" \
  | sort -u | head -100
```
Look for: /admin, /backup, .bak, .zip, .sql, old login pages, API endpoints.
## 6. Active Host Discovery
Warning
This is your first active contact with the target. ICMP is often blocked externally. If the ping sweep returns nothing on an IP range you know is active, switch to TCP-based discovery immediately.
1. ICMP ping sweep (internal networks)
2. Did ICMP get blocked? → TCP-SYN host discovery
```bash
# Checks if common ports respond, without a full port scan
sudo nmap -sn -PS21,22,25,80,443,445,3389,8080 <TARGET_RANGE> \
  -oA recon/nmap/host_discovery_tcp
```
3. From host list file
```bash
sudo nmap -sn -iL scope/targets.txt -oA recon/nmap/host_discovery
# Extract live IPs; tr strips the parentheses nmap adds when it resolves a hostname
grep "Nmap scan report" recon/nmap/host_discovery.nmap | awk '{print $NF}' | tr -d '()'
```
## 7. Fast Port Scan (Quick Wins)
Info
Run this first. Top-1000 scan takes seconds and often reveals all the ports you need. Start service-specific work on these results while the full scan runs in the background.
1. SYN scan of top 1000 ports
2. Aggressive scan on discovered web ports
The `-A` flag combines `-sV` (version detection), `-sC` (default scripts), `-O` (OS detection), and `--traceroute`. Ideal for quick web port profiling.
## 8. Full Port Scan (Run in Background)
Warning
Non-standard ports (8080, 8443, 9090, 9200, 27017, etc.) are where lazy administrators hide services. Never skip the full scan.
1. Full TCP scan — all 65535 ports
2. Parse open ports from results
3. Targeted version + script scan on ALL open ports
```bash
# Use the comma-separated port list from above
sudo nmap -sV -sC -Pn -p <PORT_LIST> <TARGET_IP> \
  -oA recon/nmap/targeted_services
```
## 9. UDP Scan (Top 20)
Info
UDP is slow and often skipped — which means administrators also skip filtering it. SNMP (161), TFTP (69), DNS (53), NTP (123), and NetBIOS (137) are common wins.
1. Top 20 UDP ports
2. Follow up on interesting UDP ports
```bash
# SNMP community string check
sudo nmap -sU -p 161 --script snmp-info,snmp-sysdescr <TARGET_IP>
# SNMP walk (if community string 'public' works)
snmpwalk -v2c -c public <TARGET_IP>
```
A readable `public` community string can leak hostnames, running processes, network interfaces, and installed software.
## 10. Service & Version Fingerprinting
1. Banner grab with netcat (manual verification)
Nmap sometimes misidentifies services. Always manually verify interesting ports.
2. NSE — targeted script scan by category
```bash
# Safe + discovery scripts on all open ports
sudo nmap -sV --script="safe,discovery" -p <PORT_LIST> <TARGET_IP>
# Vulnerability scripts (noisier — use deliberately)
sudo nmap -sV --script vuln -p <PORT_LIST> <TARGET_IP> \
  -oA recon/nmap/vuln_scan
```
3. NSE — service-specific scripts
```bash
# SMB enumeration
sudo nmap --script smb-enum-shares,smb-enum-users,smb-os-discovery -p 445 <TARGET_IP>
# HTTP enumeration
sudo nmap --script http-enum,http-headers,http-methods -p 80,443 <TARGET_IP>
# SMTP user enumeration
sudo nmap --script smtp-commands,smtp-enum-users -p 25 <TARGET_IP>
```
## 11. Web Surface Fingerprinting
Info
Run this on every HTTP/S port discovered. Tech stack identification determines which attacks to attempt and which CMS-specific tools to use in Chapter 2.
1. whatweb — automated tech stack detection
`-a 3` is aggressive mode. Look for: CMS (WordPress, Drupal, Joomla), server (Apache, nginx, IIS), frameworks (Laravel, Django), and version numbers.
2. curl headers — quick manual check
Look for: `Server:`, `X-Powered-By:`, `Set-Cookie:` (session cookie names often reveal frameworks), `X-Generator:`.
3. aquatone — screenshot all discovered web surfaces
```bash
# Feed all discovered HTTP hosts at once
cat recon/dns/crt_subdomains.txt | aquatone -out recon/web/aquatone/ -ports 80,443,8080,8443
```
Review `aquatone_report.html`. Triage all web surfaces visually before attacking any of them. Prioritize by: interesting tech, login pages, exposed admin panels.
4. Virtual host (vhost) enumeration
```bash
# Fuzz for vhosts on the discovered IP
ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt \
  -u http://<TARGET_IP> \
  -H "Host: FUZZ.<TARGET_DOMAIN>" \
  -fs <DEFAULT_RESPONSE_SIZE> \
  -o recon/web/vhost_enum.json
```
Filter by the response size (`-fs`) of the default "invalid host" response. Everything that comes back with a different size is a live vhost.
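Seen from the server side, this technique has a distinctive shape: one client, one request path, many Host values, and the same default response for almost all of them. The detector below is an added example (not from the original page) that runs over constructed access-log lines in an assumed format that includes the Host request header (Apache's `%{Host}i`); it mirrors the `-fs` logic by finding the dominant (status, size) pair per client and reporting the Host values that answered differently, which are the real vhosts the scan would have surfaced and the defender should review.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (not real traffic). Assumed format: client IP,
# timestamp, request line, status, bytes, and the Host request header, which
# this example assumes the server was configured to log (Apache: %{Host}i).
SAMPLE_LOG = """\
203.0.113.7 [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "www.example.com"
198.51.100.9 [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "dev.example.com"
198.51.100.9 [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "mail.example.com"
198.51.100.9 [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "ftp.example.com"
198.51.100.9 [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 4731 "staging.example.com"
198.51.100.9 [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 612 "test.example.com"
198.51.100.9 [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 612 "vpn.example.com"
198.51.100.9 [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 401 318 "admin.example.com"
203.0.113.7 [01/Jan/2024:10:00:05 +0000] "GET /login HTTP/1.1" 200 2210 "www.example.com"
"""
LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "[^"]*" (\d{3}) (\d+) "([^"]*)"$')


def detect_vhost_fuzzing(log_text, min_hosts=5, default_share=0.6):
    """Flag clients that probed many Host values and mostly hit one response.

    A vhost brute-force sends the same request with a different Host header
    each time; every unknown name falls through to the default vhost and gets
    an identical (status, size) reply, exactly what `ffuf -fs` filters out.
    Returns {client_ip: {"hosts": n, "default": (status, size), "hits": [...]}}
    where "hits" are the Host values that answered differently, i.e. the real
    vhosts the scanner found and the defender should now review.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, status, size, host = m.groups()
            per_client[ip].append((host.lower(), (int(status), int(size))))
    findings = {}
    for ip, reqs in per_client.items():
        hosts = {h for h, _ in reqs}
        if len(hosts) < min_hosts:
            continue  # normal browsing rarely touches many names from one IP
        (default_resp, count), = Counter(r for _, r in reqs).most_common(1)
        if count / len(reqs) < default_share:
            continue  # no dominant default response, not the fuzzing pattern
        hits = sorted({h for h, r in reqs if r != default_resp})
        findings[ip] = {"hosts": len(hosts), "default": default_resp, "hits": hits}
    return findings
```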
## 12. Target Triage Matrix
Use this table after completing §1–11. Map every open port to its next step.
| Discovered Port(s) | Service | Priority | Next Step |
|---|---|---|---|
| 80, 443, 8080, 8443 | HTTP/HTTPS | HIGH — always first | → Chapter 2, §1 (Web Fingerprinting) |
| 80/443 + CMS detected | WordPress / Drupal / Joomla | HIGH | → Chapter 2, §9 (CMS Attacks) |
| 8080 / 8443 + Java | Tomcat / Jenkins / JBoss | HIGH | → Chapter 2, §9b (Tomcat/Jenkins) |
| 445 | SMB | HIGH | → Chapter 3, §3 (SMB) |
| 22 | SSH | MEDIUM | → Chapter 3, §2 (SSH) |
| 21 | FTP | MEDIUM | → Chapter 3, §1 (FTP) |
| 3389 | RDP | MEDIUM | → Chapter 3, §5 (RDP) |
| 25 / 587 / 465 | SMTP | MEDIUM | → Chapter 3, §4 (SMTP) |
| 1433 | MSSQL | HIGH | → Chapter 3, §7 (MSSQL) |
| 3306 | MySQL | HIGH | → Chapter 3, §7 (MySQL) |
| 5985 / 5986 | WinRM | HIGH (if creds found) | → Chapter 3, §6 (WinRM/evil-winrm) |
| 161 / UDP | SNMP | HIGH | → Chapter 3, §8 (SNMP) |
| 2049 | NFS | HIGH | → Chapter 3, §9 (NFS) |
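To apply the matrix without hand-copying ports, the added example below (not from the original page) parses nmap's grepable `.gnmap` output, constructed here rather than taken from a real scan, keeps only ports in state `open`, produces the comma-separated `<PORT_LIST>` that §8 step 3 expects, and ranks every open port by the priority column above; it also covers the "parse open ports from results" step of §8.

```python
import re

# Constructed .gnmap lines in nmap's grepable format (what -oA writes to .gnmap); not real output.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oA recon/nmap/full_tcp 10.0.0.0/29
Host: 10.0.0.5 (web.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 443/open/tcp//https//nginx 1.24/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.0.0.6 (dc01.example.internal)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 5985/open/tcp//wsman///\tIgnored State: filtered (65532)
Host: 10.0.0.7 ()\tPorts: 2049/open/tcp//nfs///, 111/filtered/tcp//rpcbind///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65532)
"""

# The §12 triage matrix, keyed by port: (service, priority, next step).
TRIAGE = {
    80: ("HTTP", "HIGH", "Chapter 2, §1"), 443: ("HTTPS", "HIGH", "Chapter 2, §1"),
    8080: ("HTTP", "HIGH", "Chapter 2, §1"), 8443: ("HTTPS", "HIGH", "Chapter 2, §1"),
    445: ("SMB", "HIGH", "Chapter 3, §3"), 22: ("SSH", "MEDIUM", "Chapter 3, §2"),
    21: ("FTP", "MEDIUM", "Chapter 3, §1"), 3389: ("RDP", "MEDIUM", "Chapter 3, §5"),
    25: ("SMTP", "MEDIUM", "Chapter 3, §4"), 587: ("SMTP", "MEDIUM", "Chapter 3, §4"),
    465: ("SMTP", "MEDIUM", "Chapter 3, §4"), 1433: ("MSSQL", "HIGH", "Chapter 3, §7"),
    3306: ("MySQL", "HIGH", "Chapter 3, §7"), 5985: ("WinRM", "HIGH", "Chapter 3, §6"),
    5986: ("WinRM", "HIGH", "Chapter 3, §6"), 161: ("SNMP", "HIGH", "Chapter 3, §8"),
    2049: ("NFS", "HIGH", "Chapter 3, §9"),
}
# gnmap port entry: port/state/proto/owner/service/rpcinfo/version/ (owner and rpcinfo skipped)
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} for state 'open' only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue  # comment, Status-only and summary lines carry no ports
        ip = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":  # drop closed, filtered and open|filtered
                hosts.setdefault(ip, []).append((int(port), proto, service, version))
    return hosts


def port_list(hosts, ip):
    """Comma-separated open ports for one host, in the form -p <PORT_LIST> takes."""
    return ",".join(str(p) for p, *_ in sorted(hosts.get(ip, [])))


def triage(hosts):
    """Rank every open port by the matrix; ports it lacks get LOW / manual review."""
    rows = []
    for ip, ports in hosts.items():
        for port, proto, service, _ in ports:
            svc, prio, step = TRIAGE.get(port, (service or "unknown", "LOW", "manual review"))
            rows.append((ip, f"{port}/{proto}", svc, prio, step))
    return sorted(rows, key=lambda r: (("HIGH", "MEDIUM", "LOW").index(r[3]), r[0], int(r[1].split("/")[0])))
```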
## Decision: Web or Service First?
```text
Both web AND services found?
│
├── Web has a login page, CMS, or app → hit web first
│   Reason: web exploits often give you direct RCE or creds
│   that then unlock the service-side attacks anyway
│
├── Only services found (no HTTP) → Chapter 3 directly
│
└── Neither is obviously exploitable yet?
    → Don't brute-force blindly. Go back to passive recon.
      Check Shodan for known CVEs on the detected versions.
      Search: "<service> <version> exploit site:exploit-db.com"
```
## Recommended Scan Order (Time-Optimized)
Run these in parallel across two terminal panes:
Pane 1 — immediate results:
```bash
# Fast scan + web fingerprint
sudo nmap -sS --top-ports 1000 -T4 -Pn <TARGET_IP> -oA recon/nmap/fast_scan && \
whatweb -a 3 http://<TARGET_IP> && \
curl -s "https://crt.sh/?q=<TARGET_DOMAIN>&output=json" | jq -r '.[].name_value' | sort -u
```
Pane 2 — background full scan: