This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Active Reconnaissance

Methodology Framework

Follow an OWASP/NIST-style workflow for network reconnaissance and initial assessment.

Flow: Target validation → Host discovery → Port scanning → Service enumeration → Vulnerability assessment → Documentation & reporting

Rules

  • Obtain explicit written authorization before any active testing.

  • Coordinate scan windows and acceptable noise with the client / SOC.

  • Specify scan flags explicitly for auditability.

  • Preserve raw output (-oA) for traceability.


1. Target validation

Confirm ownership, reachability, and boundaries before active testing.

Representative commands:

dig target.com A AAAA
whois target.com
traceroute target.com

Purpose: demonstrate authorization, identify boundary devices and network paths, confirm in-scope assets.

2. Host discovery

Produce a reliable list of live hosts.

Representative commands:

# ICMP sweep (fast)
nmap -sn 192.168.1.0/24

# TCP ping (if ICMP is filtered)
nmap -sn -PS80,443 target.com

Note: choose the discovery method based on permitted noise and client guidance. Save live-host lists (-oG, --open) for the next phase.

3. Port scanning

Find open services and prioritize hosts for enumeration.

Representative commands:

# Quick overview (top ports) + service detection
nmap --top-ports 100 --open -sV <targets>

# Common-services scan (explicit ports) + service detection
nmap -p21,22,80,443,3389 -sV <host>

Output: export machine-readable scans (-oA) and feed results into enumeration tasks.

4. Service enumeration

Gather service details, versions, banners, and reachable admin interfaces.

Representative commands:

# Service/version + default scripts (lightweight)
nmap -sV -sC <host>

# Web enumeration (titles, server headers)
nmap -p80,443 -sV --script=http-title,http-server-header <host>
gobuster dir -u http://<host> -w /usr/share/wordlists/dirb/common.txt

# SMB enumeration
nmap -p445 -sV --script=smb-os-discovery,smb-security-mode <host>
smbclient -L //<host> -N
enum4linux -a <host>

# LDAP / DC checks (only when DCs are in-scope)
ldapsearch -x -H ldap://<host> -s base namingcontexts
nmap -p88 -sV --script=krb5-enum-users <host>

Action: record versions, reachable management consoles, exposed directories, and any low-hanging misconfigurations.

5. Vulnerability assessment

Validate and prioritize exploitable issues. Automated checks must be validated manually and only run with authorization.

Representative commands:

# Authorized automated vulnerability scripts (use cautiously)
nmap --script vuln -sV <host>

# Targeted check example (SMB MS17-010)
nmap -p445 --script=smb-vuln-ms17-010 -sV <host>

Process: reproduce proofs-of-concept for critical items, assess business impact, and avoid destructive actions unless explicitly allowed.

6. Documentation

Collect evidence, produce deliverables, and hand off remediation guidance.

Representative commands / steps:

# Save structured outputs
nmap -sV 192.168.1.0/24 -oA network_scan

# Convert to HTML (example)
xsltproc network_scan.xml -o scan_report.html

Deliverables: executive summary, detailed technical report with PoCs, remediation guidance, raw exports (XML/gnmap), and a short SOC findings brief.
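As an added example (not part of this guide), the script below turns the network_scan.xml written by -oA into the two artefacts the phases above pass around: the live-host list fed back in with -iL, and flat service rows for the technical report. The XML embedded in it is a constructed sample in nmap's XML layout, not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format (not real scan data); stands in for network_scan.xml.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV 192.168.1.0/24 -oA network_scan" version="7.94">
<host><status state="up" reason="syn-ack"/><address addr="192.168.1.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port></ports></host>
<host><status state="down" reason="no-response"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
<host><status state="up" reason="echo-reply"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port></ports></host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """Return {addr: {"hostname", "services": [(port, proto, name, product, version)]}} for up hosts; only open ports kept."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue  # down hosts never enter the next phase
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        hn = h.find("hostnames/hostname")
        services = []
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise for the report
            svc = p.find("service")
            services.append((int(p.get("portid")), p.get("protocol"), svc.get("name", ""),
                             svc.get("product", ""), svc.get("version", "")))
        hosts[addr] = {"hostname": hn.get("name") if hn is not None else "", "services": services}
    return hosts

def live_host_list(hosts):
    """One address per line: the live-host file fed to nmap -iL in the port-scanning phase."""
    return "\n".join(sorted(hosts))

def report_rows(hosts):
    """Flat (addr, hostname, port, proto/service, product version) rows for the technical report."""
    return [(addr, info["hostname"], port, f"{proto}/{name}", f"{product} {version}".strip())
            for addr, info in sorted(hosts.items())
            for port, proto, name, product, version in info["services"]]

if __name__ == "__main__":
    for row in report_rows(parse_nmap_xml(SAMPLE_XML)):
        print("\t".join(str(c) for c in row))
```

Point it at a real network_scan.xml by replacing SAMPLE_XML with the file's contents; the same parser works for any -oA run because the element names are nmap's own.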


Scenario presets (copyable)

# External assessment (authorized)
nmap -T3 --top-ports 100 --open -sV target.com

# Internal baseline (LAN)
nmap -sn 192.168.1.0/24
nmap --top-ports 1000 -iL live_hosts.txt -sV

# Web application focus
nmap -p80,443 -sV --script=http-enum,http-title target.com
gobuster dir -u http://target.com -w common.txt
