Penetration Testing - Reconnaissance & Enumeration Guide
Category: Penetration Testing - Phase 1
Tags: oscp, htb, reconnaissance, enumeration, nmap, discovery, information-gathering
Reconnaissance & Enumeration Methodology
What this phase covers: Systematic information gathering and service enumeration to identify attack surface, running services, potential vulnerabilities, and entry points into target systems.
Why reconnaissance is critical: "The more you know about your target, the more likely you are to find a way in." Poor enumeration is the #1 reason penetration tests fail. 80% of successful attacks come from thorough reconnaissance.
OSCP/HTB Methodology: Follow a systematic approach - Network Discovery → Port Scanning → Service Enumeration → Vulnerability Identification → Attack Vector Planning.
Network Discovery & Host Identification
nmap - The Swiss Army Knife of Network Scanning
What it does: Network scanner that discovers live hosts, open ports, running services, operating system details, and potential vulnerabilities. The foundation tool for any penetration test.
Why nmap is essential: Provides the roadmap for your entire penetration test. Identifies what services are running, their versions, and potential attack vectors. Without proper nmap enumeration, you'll miss critical services and vulnerabilities.
When to use nmap: First tool in any penetration test, continuous enumeration throughout engagement, confirming firewall rules, validating exploits worked.
# Phase 1: Network Discovery (Find live hosts)
nmap -sn 192.168.1.0/24 # Ping sweep - ICMP echo requests
nmap -sn -PE -PP -PM 192.168.1.0/24 # Multiple ping types (ICMP echo, timestamp, netmask)
nmap -sn -PS80,443,22 192.168.1.0/24 # TCP SYN ping to common ports
nmap -sn -PA80,443,22 192.168.1.0/24 # TCP ACK ping (can pass stateless packet filters that block SYN)
nmap -sn -PU53,161,137 192.168.1.0/24 # UDP ping to DNS, SNMP, NetBIOS
# Why use different ping types:
# - ICMP might be blocked by firewalls
# - SYN ping works when ICMP is blocked
# - ACK ping bypasses stateless firewalls
# - UDP ping finds hosts that only respond to UDP
# Phase 2: Port Discovery (Find open services)
nmap -sS target.com # SYN scan (stealth, doesn't complete handshake)
nmap -sT target.com # TCP connect scan (completes handshake, more reliable)
nmap -sU target.com # UDP scan (finds DNS, SNMP, DHCP services)
nmap -sA target.com # ACK scan (firewall rule mapping)
nmap -sW target.com # Window scan (ACK scan variant: uses the TCP window of RST replies to tell open from closed ports on some systems)
# Why different scan types matter:
# - SYN scan is stealthy (doesn't appear in connection logs)
# - TCP connect scan is reliable (works through proxies)
# - UDP scan finds critical services often missed
# - ACK scan maps firewall rules and filtered ports
# - Window scan can separate open from closed ports on some systems where an ACK scan only reports filtered/unfiltered
# Phase 3: Comprehensive Port Scanning
nmap -p- target.com # All 65535 ports (thorough but slow)
nmap --top-ports 1000 target.com # Most common 1000 ports (balanced)
nmap -p1-100,443,993,995 target.com # Custom port ranges
nmap -F target.com # Fast scan (top 100 ports)
# Port range strategies:
# - Full port scan for critical targets (takes hours)
# - Top ports for quick assessment (minutes)
# - Custom ranges for specific services
# - Fast scan for initial triage
# Phase 4: Service and Version Detection
nmap -sV target.com # Version detection (service banners)
nmap -sV --version-intensity 9 target.com # Maximum version detection intensity (scale 0-9, default is 7)
nmap -sV --version-light target.com # Light version detection (faster)
nmap -A target.com # Aggressive scan (-sV -sC -O --traceroute)
# Why version detection is crucial:
# - Specific service versions have known vulnerabilities
# - Banner information reveals configuration details
# - Helps identify default credentials
# - Required for accurate exploit selection
# Phase 5: Operating System Detection
nmap -O target.com # OS fingerprinting
nmap -O --osscan-guess target.com # Aggressive OS guessing
nmap --script smb-os-discovery target.com # SMB-based OS detection
# OS detection importance:
# - Different exploits work on different OS versions
# - Helps plan privilege escalation strategies
# - Identifies patch levels and security posture
# - Required for payload selection
# Phase 6: Script Scanning (NSE - Nmap Scripting Engine)
nmap -sC target.com # Default scripts (safe, informative)
nmap --script vuln target.com # Vulnerability detection scripts
nmap --script "safe or intrusive" target.com # Script categories
nmap --script "not dos" target.com # All scripts except DoS
# Essential NSE script categories:
nmap --script auth target.com # Authentication bypass scripts
nmap --script brute target.com # Brute force scripts
nmap --script discovery target.com # Information disclosure scripts
nmap --script exploit target.com # Exploitation scripts
nmap --script fuzzer target.com # Fuzzing scripts
nmap --script malware target.com # Malware detection scripts
# Why NSE scripts are powerful:
# - Automate common enumeration tasks
# - Test for specific vulnerabilities
# - Extract detailed service information
# - Consistent methodology across engagements
Advanced nmap Techniques:
# Stealth and Evasion Techniques
nmap -sS -T1 -f target.com # Slow timing, fragmented packets
nmap -D 192.168.1.5,192.168.1.6,ME target.com # Decoy scanning
nmap --source-port 53 target.com # Spoof source port (DNS)
nmap --data-length 25 target.com # Add random data to packets
nmap -g 80 target.com # Spoof source port 80
# Why use evasion:
# - Bypass IDS/IPS detection
# - Appear as legitimate traffic
# - Blend with normal network activity
# - Avoid rate limiting and blocking
# Timing and Performance Optimization
nmap -T0 target.com # Paranoid timing (very slow)
nmap -T1 target.com # Sneaky timing (slow)
nmap -T2 target.com # Polite timing (slower than default, lighter on the network)
nmap -T3 target.com # Normal timing (default)
nmap -T4 target.com # Aggressive timing (fast)
nmap -T5 target.com # Insane timing (very fast)
# Custom timing control:
nmap --min-rate 1000 target.com # Minimum packet rate
nmap --max-rate 5000 target.com # Maximum packet rate
nmap --max-retries 3 target.com # Retry failed probes
nmap --host-timeout 300s target.com # Per-host timeout
# Output and Reporting
nmap -oN scan.txt target.com # Normal output format
nmap -oX scan.xml target.com # XML output format
nmap -oG scan.gnmap target.com # Greppable output format
nmap -oA scan target.com # All output formats
nmap --open target.com # Show only open ports
# Why different output formats:
# - Normal for human reading
# - XML for tool integration
# - Greppable for bash processing
# - All formats for comprehensive reporting
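As an added example of the "XML for tool integration" point above (not code from this guide or from nmap), the following Python parses a constructed nmap -oX result into a findings table and groups hosts by product version, so one version lookup covers every host running the same software. The XML sample follows nmap's output schema but is made up for this example.

```python
"""Turn nmap -oX output into a findings table and group hosts by product version.
Added example for this guide, not part of nmap; the XML below is a constructed
sample in nmap's output schema, not a real scan result."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 10.10.10.0/24">
<host><status state="up"/><address addr="10.10.10.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.lab.local" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/>
<service name="microsoft-ds" method="table" conf="3"/></port></ports></host>
<host><status state="up"/><address addr="10.10.10.7" addrtype="ipv4"/><hostnames/><ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.52" conf="10"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp" method="table" conf="3"/></port></ports></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """One dict per scanned port (host, hostname, proto, port, state, service,
    product, version); hosts not reported 'up' are skipped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            svc = port.find("service")
            attr = svc.get if svc is not None else (lambda k, d="": d)
            rows.append({
                "host": addr,
                "hostname": hn.get("name") if hn is not None else "",
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": attr("name", ""),
                "product": attr("product", ""),
                "version": attr("version", ""),
            })
    return rows

def open_ports(rows, include_unconfirmed=False):
    """Confirmed open ports only; 'open|filtered' (the usual UDP verdict when
    nothing answers) is included only on request."""
    ok = {"open", "open|filtered"} if include_unconfirmed else {"open"}
    return [r for r in rows if r["state"] in ok]

def hosts_by_product(rows):
    """(product, version) -> sorted hosts, so one version lookup covers every
    host running the same software (e.g. all Apache httpd 2.4.52 instances)."""
    groups = defaultdict(set)
    for r in open_ports(rows):
        if r["product"]:
            groups[(r["product"], r["version"])].add(r["host"])
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in open_ports(rows, include_unconfirmed=True):
        print(r["host"], f"{r['port']}/{r['proto']}", r["state"], r["product"], r["version"])
    for (product, version), hosts in hosts_by_product(rows).items():
        print(f"{product} {version}: {', '.join(hosts)}")
```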
Real-world nmap Scenarios:
# Scenario 1: Initial Network Assessment
# Goal: Map entire network and identify all services
nmap -sn -n 10.10.10.0/24 | awk '/^Nmap scan report/{print $5}' > live_hosts.txt # -n skips reverse DNS so field 5 is always the IP
for host in $(cat live_hosts.txt); do
nmap -sS -sV -O -oA "scan_$host" "$host" &
done
wait # Wait for all background scans to complete
# Why this approach:
# - Parallel scanning saves time
# - Comprehensive coverage of network
# - Separate files for each host
# - Systematic documentation
# Scenario 2: Web Application Discovery
nmap -p80,443,8080,8443,8000,8888 --script http-enum,http-title,http-headers target.com
# Discovers web applications and basic information
# http-enum finds common directories
# http-title reveals application names
# http-headers shows server information
# Scenario 3: Database Service Enumeration
nmap -p1433,3306,5432,1521,27017 --script "*sql*" target.com
# Targets common database ports
# SQL-related scripts test for vulnerabilities
# Identifies database types and versions
# Scenario 4: Active Directory Environment
nmap -p88,135,139,389,445,636,3268,3269 --script "smb-enum-*,ldap-rootdse" target.com # quoted so the shell does not expand the wildcard
# Targets AD-related ports (Kerberos, SMB, LDAP)
# SMB enumeration scripts gather domain information
# LDAP scripts reveal directory structure
# Scenario 5: Vulnerability Assessment Focus
nmap --script "vuln and not dos" --script-args=unsafe=1 target.com
# Runs all vulnerability scripts except DoS
# unsafe=1 enables potentially harmful checks
# Comprehensive vulnerability detection
masscan - High-Speed Port Scanner
What it does: Extremely fast port scanner capable of scanning the entire internet in under 5 minutes. Uses asynchronous transmission for maximum speed.
Why use masscan: When you need to scan large networks quickly or when nmap is too slow. Perfect for initial reconnaissance of large IP ranges.
When to use masscan: Large network assessments, internet-wide scanning, when speed is more important than stealth, initial port discovery before detailed nmap scanning.
# Basic masscan usage
masscan -p1-65535 192.168.1.0/24 --rate=1000
# Scans all ports on /24 network at 1000 packets/second
# Much faster than nmap for large ranges
# Targeted service discovery
masscan -p80,443,22,21,25,53,110,143,993,995 10.10.0.0/16 --rate=10000
# Scans common ports across large network
# High rate for maximum speed
# Output formatting
masscan -p1-1000 192.168.1.0/24 --rate=1000 -oG masscan.gnmap
masscan -p1-1000 192.168.1.0/24 --rate=1000 -oX masscan.xml
masscan -p1-1000 192.168.1.0/24 --rate=1000 -oJ masscan.json
# Why different formats:
# - Greppable for bash processing
# - XML for tool integration
# - JSON for modern applications
# Advanced masscan techniques
masscan --top-ports 100 0.0.0.0/0 --rate=100000 --excludefile exclude.txt
# Scans top 100 ports on entire internet
# Excludes addresses from file
# Maximum practical scanning rate
# Integration with nmap
masscan -p1-65535 192.168.1.0/24 --rate=1000 | grep "Discovered open port" | awk '{print $6, $4}' | sort -V > open_ports.txt
# masscan prints "Discovered open port 80/tcp on 192.168.1.10": field 6 is the host, field 4 the port/protocol
# Use masscan for port discovery
# Process results for nmap input
# Follow up with detailed nmap scanning
# Why this workflow is effective:
# - Masscan quickly identifies open ports
# - Nmap provides detailed service information
# - Best of both tools' strengths
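The handoff described above, as an added example (not code from this guide, masscan or nmap): parse masscan's "Discovered open port" lines, de-duplicate and group them per host, and emit one targeted nmap -sV command per host. The masscan output is constructed for the example.

```python
"""Group masscan 'Discovered open port' lines per host and build the nmap
follow-up commands.  Added example for this guide, not part of masscan or
nmap; the sample output is constructed, not a real scan."""
import ipaddress
import re
from collections import defaultdict

# Format of the lines masscan prints to stdout for each open port it finds
MASSCAN_LINE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>[\d.]+)$"
)

# Constructed sample of masscan stdout: banner, progress and discovery lines,
# including one duplicate discovery (masscan retransmits and may report twice)
SAMPLE_OUTPUT = """\
Starting masscan 1.3.2 at 2024-01-01 00:00:00 GMT
Initiating SYN Stealth Scan
Scanning 256 hosts [65535 ports/host]
Discovered open port 443/tcp on 192.168.1.10
Discovered open port 22/tcp on 192.168.1.10
Discovered open port 80/tcp on 192.168.1.10
Discovered open port 53/udp on 192.168.1.1
Discovered open port 445/tcp on 192.168.1.20
Discovered open port 22/tcp on 192.168.1.10
"""

def parse_masscan(text):
    """Return {host: {"tcp": [ports], "udp": [ports]}} with ports sorted and
    de-duplicated; non-discovery lines are ignored."""
    found = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = MASSCAN_LINE.match(line.strip())
        if m:
            found[m["host"]][m["proto"]].add(int(m["port"]))
    return {h: {p: sorted(s) for p, s in v.items()} for h, v in found.items()}

def nmap_port_spec(ports):
    """Build an nmap -p value such as 'T:22,80,443,U:53' from parsed ports."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(map(str, ports["tcp"])))
    if ports["udp"]:
        parts.append("U:" + ",".join(map(str, ports["udp"])))
    return ",".join(parts)

def nmap_commands(text, prefix="scan"):
    """One nmap -sV command per host, restricted to the ports masscan found;
    -sU is added only for hosts with UDP findings (nmap needs it for U: ports)."""
    cmds = []
    hosts = sorted(parse_masscan(text).items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for host, ports in hosts:
        flags = "-sS -sU" if ports["udp"] else "-sS"
        cmds.append(f"nmap {flags} -sV -p {nmap_port_spec(ports)} -oA {prefix}_{host} {host}")
    return cmds

if __name__ == "__main__":
    print("\n".join(nmap_commands(SAMPLE_OUTPUT)))
```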
rustscan - Modern Port Scanner
What it does: Modern port scanner written in Rust that combines speed with nmap integration. Automatically runs nmap scripts on discovered ports.
Why rustscan is useful: Bridges the gap between masscan's speed and nmap's functionality. Automatically follows up port discovery with detailed enumeration.
# Basic rustscan with nmap integration
rustscan -a 192.168.1.10 -- -sC -sV
# Discovers open ports quickly
# Automatically runs nmap scripts on found ports
# Combines speed with detailed enumeration
# Batch scanning multiple hosts
rustscan -a 192.168.1.10,192.168.1.11,192.168.1.12 -- -A
# Scans multiple hosts efficiently
# Runs aggressive nmap scan on results
# Custom port ranges and timing
rustscan -a 192.168.1.10 -p 1-10000 --ulimit 5000 -- -sV
# Custom port range
# Adjusted ulimit for performance
# Version detection on found ports
Service-Specific Enumeration
HTTP/HTTPS Web Service Enumeration
Why web enumeration is critical: Web applications are the most common attack vector in modern penetration tests. Hidden directories, files, and functionality often contain vulnerabilities or sensitive information.
gobuster - Directory and File Brute-forcing
What it does: Fast directory/file brute-forcer written in Go. Uses wordlists to discover hidden web content through systematic enumeration.
Why gobuster over alternatives: Faster than dirb/dirbuster, supports multiple protocols, active development, handles large wordlists efficiently.
# Basic directory brute-forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
# Uses common directory names
# Discovers hidden admin panels, backup directories
# Advanced directory enumeration
gobuster dir -u http://target.com -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt,bak,old,zip
# Larger wordlist for thorough coverage
# Multiple file extensions to find various content types
# Discovers backup files, configuration files, archives
# Why file extensions matter:
# - .php files may contain source code or configs
# - .bak files often contain backup versions with vulnerabilities
# - .txt files may contain sensitive information
# - .zip files may contain source code or backups
# Status code filtering and customization
gobuster dir -u http://target.com -w wordlist.txt -s 200,301,302,403 -b "" # -b "" clears the default 404 blacklist, which cannot be combined with -s
# Only show specific status codes
# 200: Found, 301/302: Redirects (may indicate protected areas)
# 403: Forbidden (exists but access denied)
gobuster dir -u http://target.com -w wordlist.txt -b 404,400
# Hide specific status codes
# Reduces noise from not found responses
# Authentication and headers
gobuster dir -u http://target.com -w wordlist.txt -H "Authorization: Bearer token123"
# Include authentication headers
# Access authenticated areas of application
gobuster dir -u http://target.com -w wordlist.txt -c "session=abc123"
# Include session cookies
# Maintain authenticated session during enumeration
# Redirect following
gobuster dir -u http://target.com -w wordlist.txt -r
# Follow redirects automatically (-r is --followredirect)
# gobuster does not recurse; re-run it against each discovered directory to go deeper
# Advanced filtering and output
gobuster dir -u http://target.com -w wordlist.txt -l -k -t 50
# -l: Include response length (helps identify interesting responses)
# -k: Skip SSL certificate verification
# -t 50: Use 50 threads for faster scanning
# Virtual host enumeration
gobuster vhost -u target.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Discovers virtual hosts and subdomains
# Finds applications hosted on same IP
# May reveal development or staging environments
# Why vhost enumeration is important:
# - Different virtual hosts may have different security
# - Development sites often have weaker security
# - May reveal internal network information
ffuf - Fast Web Fuzzer
What it does: Fast web fuzzer that can fuzz directories, files, parameters, headers, and more. More flexible than gobuster for complex fuzzing scenarios.
Why ffuf is powerful: Supports fuzzing multiple positions simultaneously, advanced filtering options, and can fuzz any part of HTTP requests.
# Directory fuzzing (similar to gobuster)
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://target.com/FUZZ
# FUZZ keyword is replaced with wordlist entries
# Discovers hidden directories and files
# File extension fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://target.com/FUZZ -e .php,.html,.txt,.bak
# Automatically appends extensions
# Finds files with different extensions
# Parameter fuzzing (GET parameters)
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "http://target.com/search.php?FUZZ=test" # quoted because ? is a shell glob character
# Fuzzes GET parameter names
# Discovers hidden parameters that may be vulnerable
# POST parameter fuzzing
ffuf -w params.txt -X POST -d "FUZZ=test" -u http://target.com/login.php
# Fuzzes POST parameter names
# Tests for hidden form parameters
# Header fuzzing
ffuf -w headers.txt -H "FUZZ: test" -u http://target.com/
# Fuzzes HTTP headers
# Tests for header-based vulnerabilities
# Advanced filtering
ffuf -w wordlist.txt -u http://target.com/FUZZ -fs 4242
# Filter out responses with specific size
# Reduces noise from error pages
ffuf -w wordlist.txt -u http://target.com/FUZZ -fc 404,403
# Filter out specific status codes
# Focus on interesting responses
ffuf -w wordlist.txt -u http://target.com/FUZZ -fr "Not Found"
# Filter out responses containing specific text
# Customize filtering for target application
# Multi-position fuzzing
ffuf -w users.txt:USER -w passwords.txt:PASS -X POST -d "username=USER&password=PASS" -u http://target.com/login
# Fuzz multiple positions simultaneously
# Useful for credential brute-forcing
# Subdomain enumeration
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://FUZZ.target.com/
# Each candidate is resolved over DNS, so this finds subdomains that have their own records
# For virtual hosts sharing one IP, keep -u http://target.com/ and fuzz the Host header instead: -H "Host: FUZZ.target.com"
nikto - Web Vulnerability Scanner
What it does: Web vulnerability scanner that tests for over 6700 potentially dangerous files/programs, outdated versions, and security issues.
Why nikto is valuable: Automated vulnerability detection, comprehensive database of known issues, good for initial web application assessment.
# Basic vulnerability scan
nikto -h http://target.com
# Comprehensive vulnerability assessment
# Tests for common web application issues
# Advanced scanning options
nikto -h http://target.com -p 80,443,8080 -Format htm -output nikto_results.html
# Multiple ports
# HTML output format for reporting
# Authentication scanning
nikto -h http://target.com -id admin:password
# Scan authenticated areas
# May reveal additional vulnerabilities
# Tuning and customization
nikto -h http://target.com -T 1,2,3,4,5,6,7,8,9,0
# Specific test categories:
# 1: Interesting files, 2: Misconfiguration
# 3: Information disclosure, 4: Injection
# 5: Remote file retrieval (inside web root), 6: Denial of service
# 7: Remote file retrieval (server-wide), 8: Command execution
# 9: SQL injection, 0: File upload
# Integration with other tools
nikto -h http://target.com -output nikto.xml -Format xml
# XML output for tool integration
# Can be imported into vulnerability management systems
SMB/NetBIOS Enumeration
Why SMB enumeration is critical: SMB shares often contain sensitive files, and SMB services have many historical vulnerabilities. Common in Windows environments and often misconfigured.
smbclient - SMB Share Access
What it does: Command-line SMB client that can list shares, access files, and interact with SMB services.
# List SMB shares
smbclient -L //target.com -N
# -L lists shares, -N uses null authentication
# Discovers available shares without credentials
# Access SMB shares
smbclient //target.com/sharename -N
# Access specific share anonymously
# Navigate and download files
# Authenticated access
smbclient //target.com/C$ -U username%password
# Access with credentials
# C$ is admin share (full system access)
# Download files recursively
smbclient //target.com/share -N -c "recurse ON; prompt OFF; mget *"
# Download entire share contents
# Useful for offline analysis
enum4linux - SMB/LDAP Enumeration
What it does: Comprehensive SMB and LDAP enumeration tool that gathers detailed information about Windows systems.
# Comprehensive SMB enumeration
enum4linux -a target.com
# All enumeration options
# Users, groups, shares, policies, etc.
# Specific enumeration types
enum4linux -U target.com # User enumeration
enum4linux -G target.com # Group enumeration
enum4linux -S target.com # Share enumeration
enum4linux -P target.com # Password policy enumeration
# Why each enumeration type matters:
# - Users: Potential targets for attacks
# - Groups: Understanding privilege structure
# - Shares: File access and sensitive data
# - Policies: Account lockout and password rules
DNS Enumeration
Why DNS enumeration matters: DNS reveals network topology, subdomains, internal systems, and may allow zone transfers that expose entire network structure.
dnsrecon - DNS Reconnaissance
What it does: Comprehensive DNS enumeration tool that performs various DNS reconnaissance techniques.
# Basic DNS enumeration
dnsrecon -d target.com
# Standard DNS record enumeration
# A, AAAA, MX, NS, SOA records
# Zone transfer attempt
dnsrecon -d target.com -t axfr
# Attempts DNS zone transfer
# May reveal entire DNS zone contents
# Subdomain brute-forcing
dnsrecon -d target.com -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t brt
# Brute-force subdomains using wordlist
# Discovers additional subdomains and services
# Reverse DNS lookup
dnsrecon -r 192.168.1.0/24
# Reverse DNS on IP range
# Discovers hostnames for IP addresses
dnsenum - DNS Enumeration Alternative
What it does: Another comprehensive DNS enumeration tool with different capabilities and wordlists.
# Comprehensive DNS enumeration
dnsenum target.com
# Automatic enumeration with built-in wordlists
# Attempts zone transfers and subdomain enumeration
# Custom wordlist
dnsenum --dnsserver 8.8.8.8 -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt target.com
# Use specific DNS server
# Custom subdomain wordlist
Automated Reconnaissance Frameworks
AutoRecon - Automated Multi-Service Reconnaissance
What it does: Comprehensive automated reconnaissance tool that runs appropriate enumeration tools based on discovered services.
Why AutoRecon is powerful: Systematic approach, runs multiple tools simultaneously, service-specific enumeration, generates organized reports.
# Basic AutoRecon scan
autorecon target.com
# Automatic service detection and enumeration
# Runs appropriate tools for each discovered service
# Multiple targets
autorecon target1.com target2.com 192.168.1.10
# Parallel scanning of multiple targets
# Efficient resource utilization
# Custom port ranges
autorecon --ports="1-10000" target.com
# Custom port range for initial discovery
# Balances thoroughness with speed
# Output directory layout
autorecon --only-scans-dir target.com
# Create only the "scans" results directory per target
# Skips the other per-target directories AutoRecon otherwise creates
nmapAutomator - Automated nmap Workflows
What it does: Bash script that automates common nmap scanning workflows with different modes for different scenarios.
# Different scanning modes
./nmapAutomator.sh target.com All
# Comprehensive scanning (Network, Port, Script, Full)
./nmapAutomator.sh target.com Basic
# Basic scanning (Network, Port)
./nmapAutomator.sh target.com Web
# Web-focused scanning (HTTP enumeration)
./nmapAutomator.sh target.com Vulns
# Vulnerability-focused scanning
Manual Service Enumeration Techniques
Banner Grabbing and Service Interaction
Why manual enumeration matters: Automated tools miss context-specific information and may not test all functionality. Manual enumeration provides deeper understanding.
# Netcat banner grabbing
nc -nv target.com 80 # HTTP service
nc -nv target.com 21 # FTP service
nc -nv target.com 25 # SMTP service
nc -nv target.com 110 # POP3 service
# Why banner grabbing is important:
# - Reveals exact service versions
# - May show custom error messages
# - Identifies service behavior
# - Helps plan specific attacks
# Telnet service interaction
telnet target.com 80
GET / HTTP/1.1
Host: target.com
# Press Enter on an empty line to end the request and receive the response
# Manual HTTP requests reveal:
# - Server headers and versions
# - Supported HTTP methods
# - Error page information
# - Application framework details
# OpenSSL for SSL/TLS services
openssl s_client -connect target.com:443
# SSL/TLS service information
# Certificate details and chain
# Supported cipher suites
# Protocol versions
# SSH service enumeration
ssh -v target.com
# SSH version and supported methods
# Host key fingerprints
# Available authentication methods
Reconnaissance Methodology Summary
Systematic Approach for HTB/OSCP:
- Network Discovery
  - Use nmap ping sweep to find live hosts
  - Document all discovered systems
  - Identify network topology and subnets
- Port Scanning
  - Start with top ports for quick overview
  - Follow with comprehensive port scans
  - Use different scan types for evasion
- Service Enumeration
  - Version detection on all open ports
  - Service-specific enumeration tools
  - Manual interaction and banner grabbing
- Vulnerability Assessment
  - Run vulnerability scanners (nmap scripts, nikto)
  - Research discovered service versions
  - Identify potential attack vectors
- Documentation and Analysis
  - Organize all findings systematically
  - Prioritize services by attack potential
  - Plan exploitation phase based on findings
Key Success Factors:
- Thoroughness over speed - Don't rush enumeration
- Multiple tools - Different tools find different things
- Service-specific approach - Each service needs different enumeration
- Documentation - Keep detailed notes of all findings
- Iteration - Re-enumerate after gaining access
This reconnaissance methodology forms the foundation for successful penetration testing. Thorough enumeration directly correlates with successful exploitation in HTB challenges and OSCP exam scenarios.