This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com.

Active Reconnaissance

Methodology Framework

This methodology follows the OWASP Testing Guide and NIST SP 800-115 frameworks for systematic network reconnaissance, applicable to any target environment.

Reconnaissance Flow

Target Validation → Network Discovery → Port Scanning → Service Enumeration → Protocol Analysis → Infrastructure Mapping → Vulnerability Assessment → Evidence Processing

Core Principles

  • Systematic Progression: Each phase builds upon previous discoveries

  • Comprehensive Coverage: All network protocols and services

  • Evidence-Based: All findings documented and verifiable

  • Methodology Agnostic: Works across different network architectures


Phase 1: Target Validation

1.1 Scope Verification

Objective: Validate target ranges and ensure testing authorization

# Step 1.1.1: DNS Resolution Validation
dig target.com A
dig target.com AAAA
dig target.com MX
dig target.com NS

# Step 1.1.2: WHOIS Information Gathering
whois target.com
whois NETBLOCK

# Step 1.1.3: ASN and Network Range Discovery
whois -h whois.radb.net "!gAS15169"
curl -s "https://stat.ripe.net/data/announced-prefixes/data.json?resource=AS15169"

# Step 1.1.4: Reverse DNS Enumeration
dig -x TARGET_IP
# +short prints nothing for NXDOMAIN, so test for an empty answer and keep the IP next to the name
for i in {1..254}; do name=$(dig -x 192.168.1.$i +short); [ -n "$name" ] && echo "192.168.1.$i $name"; done
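Before a scanner consumes a host list, the list should be checked against the authorised ranges: an address that a reverse-DNS sweep or a WHOIS lookup turned up outside the signed scope is a data problem to investigate, not a target. The Python below is an added example, not code from the original guide; the AUTHORIZED_SCOPE and EXCLUSIONS lists are constructed placeholders, and live_hosts_candidates.txt / live_hosts.txt are assumed file names.

```python
import ipaddress

# Constructed placeholder scope: replace with the ranges from the signed authorisation.
AUTHORIZED_SCOPE = ["192.168.1.0/24", "10.10.0.0/16", "2001:db8::/32"]
# Constructed placeholder exclusions: hosts or subnets carved out of the engagement.
EXCLUSIONS = ["192.168.1.1", "10.10.5.0/24"]


def to_networks(cidrs):
    """Parse CIDR strings (or single addresses) into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify_hosts(hosts, scope=AUTHORIZED_SCOPE, exclusions=EXCLUSIONS):
    """Split host strings into (in_scope, out_of_scope).

    A host is in scope only if it parses as an IP address, falls inside at least
    one authorised network and inside none of the exclusions. Anything that does
    not parse is treated as out of scope so it never reaches a scanner.
    """
    allowed = to_networks(scope)
    excluded = to_networks(exclusions)
    in_scope, out_of_scope = [], []
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            out_of_scope.append(host)
            continue
        # 'in' is False across IP versions, so mixed v4/v6 lists are handled correctly
        if any(ip in net for net in excluded) or not any(ip in net for net in allowed):
            out_of_scope.append(host)
        else:
            in_scope.append(host)
    return in_scope, out_of_scope


def filter_target_file(src, dst, scope=AUTHORIZED_SCOPE, exclusions=EXCLUSIONS):
    """Read one host per line from src and write only the in-scope hosts to dst.

    Returns the rejected entries so they can be logged and investigated: an
    unexpected address in a discovery result usually means the range or the
    DNS data was wrong, not that it should be scanned.
    """
    with open(src) as f:
        hosts = [line.strip() for line in f if line.strip() and not line.startswith("#")]
    in_scope, out_of_scope = classify_hosts(hosts, scope, exclusions)
    with open(dst, "w") as f:
        f.writelines(h + "\n" for h in in_scope)
    return out_of_scope


if __name__ == "__main__":
    # Assumed file names, following the live_hosts.txt convention used later in the guide.
    rejected = filter_target_file("live_hosts_candidates.txt", "live_hosts.txt")
    for host in rejected:
        print(f"[!] out of scope, not scanned: {host}")
```

Run it once over every candidate list before the -iL scans in later phases; keeping the rejected entries in the evidence directory documents why a discovered address was deliberately left alone.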

1.2 Initial Network Boundaries

Objective: Define network perimeter and identify entry points

# Step 1.2.1: Traceroute Analysis
traceroute target.com
mtr --report target.com

# Step 1.2.2: Network Topology Discovery
nmap --traceroute target_range -oA phase1_topology

# Step 1.2.3: Gateway and Router Identification
nmap -sS -O target_range | grep -A5 "Network Distance"

Phase 2: Network Discovery

2.1 Host Discovery Techniques

Objective: Identify all live hosts within target ranges

# Step 2.1.1: Layer 2 Discovery (Local Networks)
arp-scan -l --interface=eth0
netdiscover -r 192.168.1.0/24 -i eth0

# Step 2.1.2: ICMP Discovery
nmap -sn target_range --min-rate 1000 -oA phase2_icmp
fping -a -g target_range > live_hosts_icmp.txt 2>/dev/null

# Step 2.1.3: TCP Discovery (Firewall Bypass)
nmap -sn -PS21,22,25,53,80,135,139,443,445,993,995,3389,5900 target_range -oA phase2_tcp

# Step 2.1.4: UDP Discovery
nmap -sn -PU53,67,68,137,161,500,514,1434 target_range -oA phase2_udp

# Step 2.1.5: Protocol-Specific Discovery
masscan -p1-65535 target_range --rate=1000 --open -oG masscan_discovery.txt

# Step 2.1.6: Consolidate Live Hosts (live_hosts.txt is the -iL input for every later phase)
{ grep -h "Status: Up" phase2_*.gnmap; grep -h "^Host:" masscan_discovery.txt; } | cut -d' ' -f2 | sort -u > live_hosts.txt

2.2 Host Enumeration and Classification

Objective: Categorize discovered hosts by function and operating system

# Step 2.2.1: Operating System Detection
nmap -O --osscan-guess -iL live_hosts.txt -oA phase2_os_detection

# Step 2.2.2: Device Type Classification
nmap --script smb-os-discovery,ssh-hostkey,http-server-header -iL live_hosts.txt

# Step 2.2.3: Network Device Identification
nmap -sU -p161 --script snmp-sysdescr -iL live_hosts.txt

2.3 Network Segmentation Analysis

Objective: Understand network architecture and segmentation

# Step 2.3.1: Subnet Analysis
for subnet in $(seq 0 255); do
    ping -c 1 192.168.$subnet.1 >/dev/null 2>&1 && echo "192.168.$subnet.0/24 is reachable"
done

# Step 2.3.2: VLAN Discovery
yersinia -I -i eth0  # interactive mode on eth0; CDP/DTP/VTP traffic reveals VLAN and trunk configuration
nmap -sU -p161 --script snmp-interfaces -iL target_switches.txt

# Step 2.3.3: IPv6 Link-Local Neighbour Discovery (multicast echo from the local interface; no target list needed)
nmap -6 -sn --script targets-ipv6-multicast-echo --script-args 'newtargets,interface=eth0'

Phase 3: Port Scanning

3.1 Progressive Port Discovery

Objective: Identify open ports using layered scanning methodology

# Step 3.1.1: Fast Common Port Scan
nmap -sS --top-ports 1000 -T4 --open -iL live_hosts.txt -oA phase3_fast_scan

# Step 3.1.2: Comprehensive TCP Scan (Critical Hosts)
grep -E "80/open|443/open|22/open|23/open|21/open|25/open|53/open|110/open|143/open|993/open|995/open|135/open|139/open|445/open|1433/open|3306/open|5432/open|3389/open|5900/open" phase3_fast_scan.gnmap | cut -d' ' -f2 | sort -u > critical_hosts.txt

nmap -sS -p- --min-rate 5000 -iL critical_hosts.txt -oA phase3_comprehensive_tcp

# Step 3.1.3: UDP Service Discovery
nmap -sU --top-ports 1000 --open -T4 -iL live_hosts.txt -oA phase3_udp_scan

# Step 3.1.4: Unusual Port Discovery
nmap -sS -p1-1023,1024-5000,5001-10000,10001-65535 --open -iL live_hosts.txt -oA phase3_full_range

3.2 Port State Analysis

Objective: Analyze port states and filtering behavior

# Step 3.2.1: Firewall Rule Detection
nmap -sA -T4 -iL live_hosts.txt -oA phase3_ack_scan

# Step 3.2.2: Stealth Scan Techniques
nmap -sF -T2 -iL live_hosts.txt -oA phase3_fin_scan
nmap -sX -T2 -iL live_hosts.txt -oA phase3_xmas_scan
nmap -sN -T2 -iL live_hosts.txt -oA phase3_null_scan

# Step 3.2.3: Fragmentation Testing
nmap -sS -f -iL live_hosts.txt -oA phase3_fragment_scan

3.3 Service Categorization

Objective: Group discovered services for targeted enumeration

# Step 3.3.1: Extract Services by Protocol
# Greppable output lists each port as "port/state/proto//service//version/" after "Ports: ",
# separated by ", ", so match " <port>/open/<proto>" (the leading space stops 2222 matching 22)
grep -hE " 22/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > ssh_targets.txt
grep -hE " 21/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > ftp_targets.txt
grep -hE " 23/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > telnet_targets.txt
grep -hE " (25|587|465)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > smtp_targets.txt
grep -hE " 53/open/(tcp|udp)" phase3_*.gnmap | cut -d' ' -f2 | sort -u > dns_targets.txt
grep -hE " (80|443|8080|8443)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > web_targets.txt
grep -hE " (110|995)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > pop3_targets.txt
grep -hE " (143|993)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > imap_targets.txt
grep -hE " (135|139|445)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > smb_targets.txt
grep -hE " (1433|3306|5432|1521|27017)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > database_targets.txt
grep -hE " 3389/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > rdp_targets.txt
grep -hE " (5900|5901)/open/tcp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > vnc_targets.txt
grep -hE " (161|162)/open(\|filtered)?/udp" phase3_*.gnmap | cut -d' ' -f2 | sort -u > snmp_targets.txt

# Step 3.3.2: Generate Service Distribution Summary
echo "=== Phase 3 Service Distribution ===" > phase3_summary.txt
echo "SSH Services: $(wc -l < ssh_targets.txt)" >> phase3_summary.txt
echo "FTP Services: $(wc -l < ftp_targets.txt)" >> phase3_summary.txt
echo "Telnet Services: $(wc -l < telnet_targets.txt)" >> phase3_summary.txt
echo "SMTP Services: $(wc -l < smtp_targets.txt)" >> phase3_summary.txt
echo "DNS Services: $(wc -l < dns_targets.txt)" >> phase3_summary.txt
echo "Web Services: $(wc -l < web_targets.txt)" >> phase3_summary.txt
echo "POP3 Services: $(wc -l < pop3_targets.txt)" >> phase3_summary.txt
echo "IMAP Services: $(wc -l < imap_targets.txt)" >> phase3_summary.txt
echo "SMB Services: $(wc -l < smb_targets.txt)" >> phase3_summary.txt
echo "Database Services: $(wc -l < database_targets.txt)" >> phase3_summary.txt
echo "RDP Services: $(wc -l < rdp_targets.txt)" >> phase3_summary.txt
echo "VNC Services: $(wc -l < vnc_targets.txt)" >> phase3_summary.txt
echo "SNMP Services: $(wc -l < snmp_targets.txt)" >> phase3_summary.txt
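The greppable (-oG) format these greps read keeps every port of a host on one tab-separated line, as port/state/protocol/owner/service/rpcinfo/version entries after "Ports:", so the reliable way to categorise is to split that field rather than match on "port/tcp". The Python below is an added example, not part of the original guide: it parses a constructed .gnmap sample (labelled as such in the code), builds the same <group>_targets.txt files this step produces and returns the per-group counts used in the distribution summary. The group table and the include_open_filtered switch are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of nmap greppable (-oG) output; not a real scan. Each host line
# carries all of its ports in one tab-separated "Ports:" field, and each entry is
# port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 (web01)\tStatus: Up
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy///, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 2222/open/tcp//ssh///\tIgnored State: closed (997)
Host: 192.168.1.30 ()\tPorts: 161/open|filtered/udp//snmp///, 53/open/udp//domain///
# Nmap done (constructed sample)
"""

# Port groups keyed by (port, protocol); an assumption mirroring the guide's categories.
SERVICE_GROUPS = {
    "ssh": {("22", "tcp")},
    "ftp": {("21", "tcp")},
    "telnet": {("23", "tcp")},
    "smtp": {("25", "tcp"), ("465", "tcp"), ("587", "tcp")},
    "dns": {("53", "tcp"), ("53", "udp")},
    "web": {("80", "tcp"), ("443", "tcp"), ("8080", "tcp"), ("8443", "tcp")},
    "pop3": {("110", "tcp"), ("995", "tcp")},
    "imap": {("143", "tcp"), ("993", "tcp")},
    "smb": {("135", "tcp"), ("139", "tcp"), ("445", "tcp")},
    "database": {("1433", "tcp"), ("3306", "tcp"), ("5432", "tcp"), ("1521", "tcp"), ("27017", "tcp")},
    "rdp": {("3389", "tcp")},
    "vnc": {("5900", "tcp"), ("5901", "tcp")},
    "snmp": {("161", "udp"), ("162", "udp")},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return one dict per port entry found in greppable output."""
    records = []
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match or "\tPorts: " not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        ip, hostname = match.groups()
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields["Ports"].split(", "):
            # split at most 6 times so a version string containing "/" stays intact
            parts = entry.split("/", 6)
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts
            records.append({"ip": ip, "hostname": hostname, "port": port, "proto": proto,
                            "state": state, "service": service, "version": version.rstrip("/")})
    return records


def categorize(records, groups=SERVICE_GROUPS, include_open_filtered=False):
    """Map group name -> sorted hosts that expose a port from that group.

    Only confirmed "open" ports count by default; UDP probes frequently report
    "open|filtered", which is a candidate for follow-up rather than a confirmed service.
    """
    accepted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    targets = defaultdict(set)
    for rec in records:
        if rec["state"] not in accepted:
            continue
        for name, ports in groups.items():
            if (rec["port"], rec["proto"]) in ports:
                targets[name].add(rec["ip"])
    return {name: sorted(hosts) for name, hosts in sorted(targets.items())}


def write_target_files(targets, outdir="."):
    """Write <group>_targets.txt files in the layout later phases expect; return the counts."""
    counts = {}
    for name, hosts in targets.items():
        with open(f"{outdir}/{name}_targets.txt", "w") as f:
            f.writelines(h + "\n" for h in hosts)
        counts[name] = len(hosts)
    return counts


if __name__ == "__main__":
    import glob
    # Assumed file pattern; falls back to the constructed sample when no scan output exists.
    text = "".join(open(p).read() for p in glob.glob("phase3_*.gnmap")) or SAMPLE_GNMAP
    for name, count in write_target_files(categorize(parse_gnmap(text))).items():
        print(f"{name.upper()} services: {count}")
```

The filtered 3306 entry and the 2222/tcp SSH instance in the sample show why state and exact port both matter: the first is not a reachable database, and the second would be missed by any grep for "22/".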

Phase 4: Service Enumeration

4.1 Version Detection and Banner Grabbing

Objective: Identify exact service versions and configurations

# Step 4.1.1: Comprehensive Version Detection
nmap -sV --version-intensity 9 -iL live_hosts.txt -oA phase4_versions

# Step 4.1.2: Banner Grabbing
nmap -sS --script banner -iL live_hosts.txt -oA phase4_banners
nc -nv target_ip port

# Step 4.1.3: Application Layer Discovery
nmap -sS --script default,discovery,safe -iL live_hosts.txt -oA phase4_scripts

4.2 Protocol-Specific Enumeration

4.2.1 FTP Service Enumeration

# Anonymous FTP Access
nmap -p21 --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor -iL ftp_targets.txt

# FTP Brute Force
nmap -p21 --script ftp-brute --script-args userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -iL ftp_targets.txt

# Manual FTP Testing
for target in $(cat ftp_targets.txt); do
    echo "Testing FTP on $target"
    echo "quit" | nc $target 21
done

4.2.2 SSH Service Enumeration

# SSH Configuration Analysis
nmap -p22 --script ssh-hostkey,ssh2-enum-algos,ssh-auth-methods -iL ssh_targets.txt

# SSH Brute Force (Limited)
nmap -p22 --script ssh-brute --script-args userdb=/usr/share/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -iL ssh_targets.txt

# SSH Version Enumeration
for target in $(cat ssh_targets.txt); do
    echo "SSH version on $target:"
    # close stdin and set a timeout so nc exits after printing the server's identification line
    nc -w 3 $target 22 </dev/null | head -1
done

4.2.3 Web Service Enumeration

# Web Technology Detection
for target in $(cat web_targets.txt); do
    echo "=== Analyzing $target ===" >> web_enum_results.txt
    whatweb --aggression 3 http://$target >> web_enum_results.txt 2>/dev/null
    whatweb --aggression 3 https://$target >> web_enum_results.txt 2>/dev/null
done

# HTTP Methods and Headers
nmap -p80,443,8080,8443 --script http-methods,http-headers,http-title,http-server-header -iL web_targets.txt

# Directory Discovery
gobuster dir -u http://target -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,asp,aspx,jsp,html,txt

# Virtual Host Discovery
gobuster vhost -u http://target -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

# SSL/TLS Analysis
nmap -p443 --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,ssl-dh-params -iL web_targets.txt

4.2.4 Database Service Enumeration

# MySQL Enumeration
nmap -p3306 --script mysql-info,mysql-databases,mysql-variables,mysql-brute -iL database_targets.txt

# MSSQL Enumeration
nmap -p1433 --script ms-sql-info,ms-sql-config,ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-brute -iL database_targets.txt

# PostgreSQL Enumeration
nmap -p5432 --script pgsql-brute -iL database_targets.txt

# Oracle Enumeration
nmap -p1521 --script oracle-sid-brute,oracle-brute,oracle-enum-users -iL database_targets.txt

# MongoDB Enumeration
nmap -p27017 --script mongodb-info,mongodb-databases -iL database_targets.txt

4.2.5 Email Service Enumeration

# SMTP Enumeration
nmap -p25,465,587 --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -iL smtp_targets.txt

# POP3 Enumeration
nmap -p110,995 --script pop3-capabilities,pop3-brute -iL pop3_targets.txt

# IMAP Enumeration
nmap -p143,993 --script imap-capabilities,imap-brute -iL imap_targets.txt

4.2.6 DNS Service Enumeration

# DNS Server Information
nmap -p53 --script dns-nsid,dns-recursion -iL dns_targets.txt

# Zone Transfer Attempts
for target in $(cat dns_targets.txt); do
    dig @$target domain.com AXFR
    fierce --domain domain.com --dns-servers $target
done

# DNS Cache Snooping (quote the argument: an unquoted {a,b,c} is brace-expanded by the shell)
nmap -p53 --script dns-cache-snoop --script-args 'dns-cache-snoop.domains={google.com,facebook.com,youtube.com}' -iL dns_targets.txt

4.2.7 SMB/NetBIOS Enumeration

# SMB Protocol Analysis
nmap -p445 --script smb-protocols,smb-security-mode,smb-os-discovery -iL smb_targets.txt

# Share Enumeration
for target in $(cat smb_targets.txt); do
    echo "=== SMB Shares on $target ===" >> smb_enum_results.txt
    smbclient -L //$target -N >> smb_enum_results.txt 2>/dev/null
    smbmap -H $target -u null -p "" >> smb_enum_results.txt 2>/dev/null
done

# Comprehensive SMB Enumeration (enum4linux takes one host per invocation)
for target in $(head -5 smb_targets.txt); do
    enum4linux -a $target > enum4linux_$target.txt
done

# NetBIOS Information (-f reads targets from a file; -r only changes the local source port)
nbtscan -f smb_targets.txt

4.2.8 SNMP Enumeration

# SNMP Community String Testing (onesixtyone reads its target list with -i)
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -i snmp_targets.txt

# SNMP Walk
for target in $(cat snmp_targets.txt); do
    snmpwalk -c public -v1 $target 2>/dev/null | head -20
done

# SNMP System Information
nmap -sU -p161 --script snmp-sysdescr,snmp-info,snmp-netstat,snmp-processes -iL snmp_targets.txt

Phase 5: Protocol Analysis

5.1 Network Protocol Identification

Objective: Analyze network protocols and communication patterns

# Step 5.1.1: Protocol Distribution Analysis
nmap -sO target_range -oA phase5_protocol_scan

# Step 5.1.2: Custom Protocol Detection
hping3 --scan 1-1000 -S target_ip  # --scan takes a port range; -p ++N only increments by one per packet
nmap --script unusual-port target_range
nmap --script unusual-port target_range

# Step 5.1.3: IPv6 Protocol Analysis
nmap -6 target_ipv6_range -oA phase5_ipv6_scan

5.2 Application Layer Protocol Analysis

Objective: Deep dive into application protocols and their implementations

# Step 5.2.1: HTTP/HTTPS Protocol Analysis
nmap --script http-methods,http-trace,http-options target_range
curl -I http://target
openssl s_client -connect target:443

# Step 5.2.2: Database Protocol Analysis
nmap --script mysql-info,ms-sql-info,oracle-tns-version target_range

# Step 5.2.3: Proprietary Protocol Detection
nmap --script banner,unusual-port target_range

5.3 Encryption and Security Protocol Assessment

Objective: Evaluate cryptographic implementations and security protocols

# Step 5.3.1: SSL/TLS Security Assessment
nmap --script ssl-cert,ssl-enum-ciphers,ssl-dh-params target_range
sslscan target:443
testssl.sh target:443

# Step 5.3.2: SSH Cryptographic Analysis
nmap --script ssh2-enum-algos,ssh-hostkey target_range

# Step 5.3.3: VPN Protocol Detection
nmap -sU -p500,4500 --script ike-version target_range
ike-scan target_range
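The ssh2-enum-algos output collected in step 5.3.2 (and again in 7.2.2) only becomes a finding once the offered algorithms are checked against a policy. The Python below is an added example, not guide or nmap code: it parses a constructed sample of that script's output, labelled as such, and flags algorithms that match an assumed weak-algorithm policy (WEAK_PATTERNS), which an assessor should align with their own baseline.

```python
import re

# Constructed sample of "nmap --script ssh2-enum-algos" normal output for one host.
SAMPLE_SSH_ALGOS = """\
Nmap scan report for 192.168.1.10
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       curve25519-sha256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-ed25519
|       ssh-rsa
|   encryption_algorithms: (4)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-cbc
|       3des-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256
|       hmac-sha1
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Assessment policy used by this example (an assumption, not an nmap or guide setting):
# SHA-1 and 1024-bit group1 key exchange, DSA host keys, CBC/RC4/3DES/Blowfish/CAST
# ciphers and SHA-1/MD5/64-bit MACs are reported as weak.
WEAK_PATTERNS = {
    "kex_algorithms": [r"-sha1$", r"group1-"],
    "server_host_key_algorithms": [r"^ssh-dss$"],
    "encryption_algorithms": [r"-cbc$", r"^arcfour", r"^3des", r"^blowfish", r"^cast128"],
    "mac_algorithms": [r"^hmac-sha1", r"^hmac-md5", r"^umac-64"],
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SECTION_RE = re.compile(r"^\|\s+(\w+_algorithms): \(\d+\)")
ITEM_RE = re.compile(r"^\|_?\s+(\S+)\s*$")


def parse_ssh_algos(text):
    """Return {host: {section: [algorithm, ...]}} from ssh2-enum-algos output."""
    hosts, host, section = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, section = m.group(1), None
            hosts[host] = {}
            continue
        m = SECTION_RE.match(line)
        if m and host:
            section = m.group(1)
            hosts[host][section] = []
            continue
        m = ITEM_RE.match(line)
        if m and host and section:
            hosts[host][section].append(m.group(1))
    return hosts


def find_weak_algorithms(algos_by_section, policy=WEAK_PATTERNS):
    """Return {section: [weak algorithms]} for one host, preserving the server's order."""
    findings = {}
    for section, patterns in policy.items():
        weak = [a for a in algos_by_section.get(section, [])
                if any(re.search(p, a) for p in patterns)]
        if weak:
            findings[section] = weak
    return findings


if __name__ == "__main__":
    for host, sections in parse_ssh_algos(SAMPLE_SSH_ALGOS).items():
        for section, weak in find_weak_algorithms(sections).items():
            print(f"{host} {section}: {', '.join(weak)}")
```

Because the server's own preference order is preserved, the output also shows whether a weak algorithm is merely offered as a fallback or is what a client negotiating by default would actually get.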

Phase 6: Infrastructure Mapping

6.1 Network Architecture Discovery

Objective: Map complete network infrastructure and dependencies

# Step 6.1.1: Network Device Discovery
nmap --script snmp-sysdescr,snmp-info target_range
cdp-neighbors target_range

# Step 6.1.2: Load Balancer Detection
hping3 -S -p 80 -c 10 target_ip
nmap --script http-trace target_range

# Step 6.1.3: Firewall and IPS Detection
nmap -sA target_range
hping3 -S -p 80 --traceroute target_ip  # -t takes a single TTL; --traceroute increments it per hop

6.2 Service Dependency Mapping

Objective: Understand service relationships and dependencies

# Step 6.2.1: Database Connection Analysis
nmap --script mysql-databases,ms-sql-tables target_range

# Step 6.2.2: Web Application Backend Analysis
nmap --script http-trace,http-methods target_range
curl -X TRACE http://target

# Step 6.2.3: Authentication Service Discovery
nmap -p88,389,636 target_range
ldapsearch -x -H ldap://target -s base -b "" namingContexts

6.3 Network Topology Visualization

Objective: Create comprehensive network maps and diagrams

# Step 6.3.1: Generate Network Graph Data
# Greppable output keeps all ports of a host on one tab-separated line, so split the
# "Ports:" field instead of relying on whitespace columns ($4 is the literal "Ports:")
awk -F'\t' '/Ports:/ { split($1, h, " "); sub(/^Ports: /, "", $2); n = split($2, p, ", ");
    for (i = 1; i <= n; i++) { split(p[i], q, "/"); if (q[2] == "open") print h[2], q[1] "/" q[3] "/" q[5] } }' \
    phase3_*.gnmap | sort -u > service_relationships.txt

# Step 6.3.2: Create Topology Map
python3 << 'EOF'
import networkx as nx
import matplotlib.pyplot as plt
import json

# Create network graph
G = nx.Graph()

# Add nodes and edges from service data
with open('service_relationships.txt', 'r') as f:
    for line in f:
        parts = line.strip().split()
        if len(parts) >= 2:
            host = parts[0]
            service = parts[1]
            G.add_edge(host, service)

# Generate layout
pos = nx.spring_layout(G, k=1, iterations=50)

# Create visualization
plt.figure(figsize=(20, 15))
nx.draw(G, pos, with_labels=True, node_color='lightblue', 
        node_size=1000, font_size=8, font_weight='bold')
plt.title("Network Service Topology")
plt.savefig('network_topology.png', dpi=300, bbox_inches='tight')

# Export data for other tools
topology_data = {
    'nodes': list(G.nodes()),
    'edges': list(G.edges()),
    'node_count': G.number_of_nodes(),
    'edge_count': G.number_of_edges()
}

with open('topology_data.json', 'w') as f:
    json.dump(topology_data, f, indent=2)
EOF

# Step 6.3.3: Generate Network Documentation
cat << 'EOF' > network_infrastructure_summary.md
# Network Infrastructure Summary

## Network Segments Discovered
[Auto-generated from traceroute data]

## Critical Infrastructure Components
[Auto-generated from service categorization]

## Service Distribution
[Auto-generated from port scan results]

## Security Boundaries
[Auto-generated from firewall detection]
EOF

Phase 7: Vulnerability Assessment

7.1 Automated Vulnerability Detection

Objective: Identify known vulnerabilities across all discovered services

# Step 7.1.1: Comprehensive Vulnerability Scan
nmap --script vuln -iL live_hosts.txt -oA phase7_vulnerabilities

# Step 7.1.2: Service-Specific Vulnerability Scans (quote the wildcards so the shell does not expand them)
nmap -p80,443 --script 'http-vuln*' -iL web_targets.txt -oA phase7_web_vulns
nmap -p445 --script 'smb-vuln*' -iL smb_targets.txt -oA phase7_smb_vulns
nmap -p22 --script 'ssh-vuln*' -iL ssh_targets.txt -oA phase7_ssh_vulns
nmap -p21 --script 'ftp-vuln*' -iL ftp_targets.txt -oA phase7_ftp_vulns

# Step 7.1.3: Database Vulnerability Assessment
nmap -p1433 --script 'ms-sql-vuln*' -iL database_targets.txt -oA phase7_mssql_vulns
nmap -p3306 --script 'mysql-vuln*' -iL database_targets.txt -oA phase7_mysql_vulns

7.2 Configuration Security Assessment

Objective: Identify security misconfigurations and weak settings

# Step 7.2.1: Default Credential Testing
nmap --script auth -iL live_hosts.txt -oA phase7_default_creds

# Step 7.2.2: Weak Cryptography Detection
nmap --script ssl-enum-ciphers,ssh2-enum-algos -iL live_hosts.txt -oA phase7_crypto_analysis

# Step 7.2.3: Information Disclosure Assessment ("version" is a script category and needs -sV)
nmap -sV --script banner,version -iL live_hosts.txt -oA phase7_info_disclosure

7.3 Network Security Controls Assessment

Objective: Evaluate network security controls and filtering

# Step 7.3.1: Firewall Rule Analysis
nmap -sA -p1-1000 target_range -oA phase7_firewall_analysis

# Step 7.3.2: IDS/IPS Detection (nmap timing templates are -T0 to -T5; there is no -t option)
nmap -f -T0 target_range -oA phase7_ids_detection
hping3 -S -p 80 --flood target_ip

# Step 7.3.3: Network Segmentation Assessment
nmap --traceroute target_range -oA phase7_segmentation_analysis

Phase 8: Evidence Processing

8.1 Data Consolidation

Objective: Process and organize all reconnaissance data

# Step 8.1.1: Create Evidence Structure
mkdir -p evidence/{network_discovery,port_scanning,service_enumeration,protocol_analysis,infrastructure_mapping,vulnerability_assessment}

# Step 8.1.2: Organize Scan Results by Phase
cp phase1_* evidence/network_discovery/
cp phase2_* phase3_* evidence/port_scanning/
cp phase4_* evidence/service_enumeration/
cp phase5_* evidence/protocol_analysis/
cp phase6_* evidence/infrastructure_mapping/
cp phase7_* evidence/vulnerability_assessment/

# Step 8.1.3: Generate Comprehensive Service Inventory
# Split the "Ports:" field of greppable output (port/state/proto/owner/service/rpc/version)
# into one CSV row per open port; rows from the -sV results (phase4) carry the version column
echo "IP_Address,Port_Protocol,State,Service,Version" > final_service_inventory.csv
awk -F'\t' '/Ports:/ { split($1, h, " "); sub(/^Ports: /, "", $2); n = split($2, p, ", ");
    for (i = 1; i <= n; i++) { split(p[i], q, "/"); if (q[2] == "open") print h[2] "," q[1] "/" q[3] "," q[2] "," q[5] "," q[7] } }' \
    phase3_*.gnmap phase4_*.gnmap | \
sort -t, -k1,1 -k2,2 -k5,5r | sort -t, -k1,1 -k2,2 -s -u > comprehensive_service_inventory.csv  # keep one row per host/port, preferring the versioned one
cat comprehensive_service_inventory.csv >> final_service_inventory.csv

8.2 Vulnerability Analysis

Objective: Analyze and prioritize discovered vulnerabilities

# Step 8.2.1: Extract CVE Information (-o prints only the matched IDs, so uniq -c counts each CVE)
grep -ohE "CVE-[0-9]{4}-[0-9]+" evidence/vulnerability_assessment/*.nmap | \
sort | uniq -c | sort -nr > cve_summary.txt

# Step 8.2.2: Categorize Vulnerabilities by Severity
# NSE vuln scripts print "State: VULNERABLE" and "Risk factor: ..." on separate lines, and the
# risk capitalisation varies by script, so look for the risk line in the block that follows a
# vulnerable state rather than on the same line ("State: NOT VULNERABLE" is not matched)
grep -h -A 12 -E "State: (LIKELY )?VULNERABLE" evidence/vulnerability_assessment/*.nmap | \
grep -iE "Risk factor: *(High|Critical)" > high_severity_vulnerabilities.txt

grep -h -A 12 -E "State: (LIKELY )?VULNERABLE" evidence/vulnerability_assessment/*.nmap | \
grep -iE "Risk factor: *Medium" > medium_severity_vulnerabilities.txt

grep -h -A 12 -E "State: (LIKELY )?VULNERABLE" evidence/vulnerability_assessment/*.nmap | \
grep -iE "Risk factor: *Low" > low_severity_vulnerabilities.txt

# Step 8.2.3: Generate Vulnerability Statistics
echo "=== Vulnerability Assessment Summary ===" > vulnerability_summary.txt
echo "Total CVEs Identified: $(wc -l < cve_summary.txt)" >> vulnerability_summary.txt
echo "High/Critical Vulnerabilities: $(wc -l < high_severity_vulnerabilities.txt)" >> vulnerability_summary.txt
echo "Medium Vulnerabilities: $(wc -l < medium_severity_vulnerabilities.txt)" >> vulnerability_summary.txt
echo "Low Vulnerabilities: $(wc -l < low_severity_vulnerabilities.txt)" >> vulnerability_summary.txt
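NSE vuln scripts write the "State:", "IDs:" and "Risk factor:" lines of one finding on separate lines, with capitalisation that differs between scripts, and a plain grep for VULNERABLE also matches "NOT VULNERABLE". The Python below is an added example, not part of the original guide: it parses a constructed sample of that output (the CVE identifiers are placeholders, not real advisories), keeps only confirmed or likely findings and orders them by severity for the summary. SEVERITY_RANK and the host-level sort are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample of nmap normal output from NSE vuln scripts. The script names are
# real, but the findings are invented and the CVE identifiers (CVE-0000-...) are
# placeholders. The layout matches real output: "State:" and "Risk factor:" are on
# separate lines inside each script block.
SAMPLE_VULN_OUTPUT = """\
Nmap scan report for 192.168.1.20
PORT    STATE SERVICE
445/tcp open  microsoft-ds
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Constructed finding title for an SMB weakness
|     State: VULNERABLE
|     IDs:  CVE:CVE-0000-0001
|     Risk factor: HIGH
|       Constructed description text.
|     References:
|_      https://example.invalid/placeholder-reference

Nmap scan report for 192.168.1.10
PORT    STATE SERVICE
443/tcp open  https
| ssl-heartbleed:
|   VULNERABLE:
|   Constructed finding title for a TLS weakness
|     State: NOT VULNERABLE
|     Risk factor: High
|_    References: https://example.invalid/placeholder-reference
| ssl-poodle:
|   Constructed finding title for a TLS downgrade weakness
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-0000-0002  BID:00000
|     Risk factor: Medium
|_    References: https://example.invalid/placeholder-reference
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*$")   # "| script-name:" opens a block
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unknown": 4}


def parse_vuln_output(text):
    """Return one finding dict per NSE vuln script block, across all hosts and ports."""
    findings, current, host, port = [], None, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port = m.group(1), None
            continue
        if m := PORT_RE.match(line):
            port = m.group(1)
            continue
        if m := SCRIPT_RE.match(line):
            current = {"host": host, "port": port, "script": m.group(1),
                       "state": "", "severity": "unknown", "cves": []}
            findings.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue
        body = line.lstrip("|_ ").strip()
        if body.startswith("State:"):
            current["state"] = body.split(":", 1)[1].strip()
        elif body.startswith("Risk factor:"):
            current["severity"] = body.split(":", 1)[1].strip().lower()
        elif body.startswith("IDs:"):
            current["cves"].extend(CVE_RE.findall(body))
    return findings


def prioritize(findings):
    """Keep confirmed or likely vulnerable findings, most severe and most certain first.

    The state is compared exactly because a substring match for "VULNERABLE"
    would also accept "NOT VULNERABLE".
    """
    actionable = [f for f in findings if f["state"] in ("VULNERABLE", "LIKELY VULNERABLE")]
    return sorted(actionable, key=lambda f: (SEVERITY_RANK.get(f["severity"], 4),
                                              f["state"] != "VULNERABLE", f["host"]))


def severity_counts(findings):
    """Counts per normalised severity, for the summary lines."""
    return dict(Counter(f["severity"] for f in findings))


def cve_counts(findings):
    """Counts per CVE identifier, the same view as cve_summary.txt."""
    return dict(Counter(cve for f in findings for cve in f["cves"]))


if __name__ == "__main__":
    ranked = prioritize(parse_vuln_output(SAMPLE_VULN_OUTPUT))
    for f in ranked:
        print(f'{f["severity"]:8} {f["host"]}:{f["port"]} {f["script"]} {f["state"]} {",".join(f["cves"])}')
    print("by severity:", severity_counts(ranked))
    print("by CVE:", cve_counts(ranked))
```

The NOT VULNERABLE heartbleed block in the sample is exactly the kind of line-based false positive that inflates a vulnerability count; parsing per block keeps the totals in the summary honest.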

8.3 Attack Surface Documentation

Objective: Document complete attack surface and potential attack paths

# Step 8.3.1: Generate Attack Surface Report
# Unquoted delimiter so the $(...) counts are expanded when the report is written
cat << EOF > attack_surface_report.md
# Attack Surface Analysis Report

## Executive Summary
- Total hosts discovered: $(wc -l < live_hosts.txt)
- Total services identified: $(grep -c "open" final_service_inventory.csv)
- Critical vulnerabilities: $(wc -l < high_severity_vulnerabilities.txt)

## Network Infrastructure
### Live Hosts by Network Segment
[Auto-generated from network discovery]

### Service Distribution
#### Web Services
- HTTP: $(grep -c ",80/tcp," final_service_inventory.csv)
- HTTPS: $(grep -c ",443/tcp," final_service_inventory.csv)

#### Remote Access Services
- SSH: $(grep -c ",22/tcp," final_service_inventory.csv)
- RDP: $(grep -c ",3389/tcp," final_service_inventory.csv)
- VNC: $(grep -c ",5900/tcp," final_service_inventory.csv)

#### Database Services
- MySQL: $(grep -c ",3306/tcp," final_service_inventory.csv)
- MSSQL: $(grep -c ",1433/tcp," final_service_inventory.csv)
- PostgreSQL: $(grep -c ",5432/tcp," final_service_inventory.csv)

## Security Findings
### Critical Vulnerabilities
[Auto-generated from vulnerability assessment]

### Configuration Issues
[Auto-generated from configuration assessment]

### Recommended Attack Paths
[Generated based on service analysis and vulnerabilities]

## Recommendations
[Generated based on findings]
EOF

# Step 8.3.2: Create Service Matrix
python3 << 'EOF'
import csv
from collections import defaultdict

# Read service inventory
services = defaultdict(list)
with open('final_service_inventory.csv', 'r') as f:
    reader = csv.DictReader(f)
    for row in reader:
        if 'IP_Address' in row and 'Port_Protocol' in row:
            services[row['IP_Address']].append(row['Port_Protocol'])

# Generate service matrix
with open('service_matrix.txt', 'w') as f:
    f.write("Host Service Matrix\n")
    f.write("=" * 50 + "\n")
    for host, ports in sorted(services.items()):
        f.write(f"\n{host}:\n")
        for port in sorted(ports):
            f.write(f"  - {port}\n")
EOF

8.4 Reporting and Documentation

Objective: Generate comprehensive reports for different audiences

# Step 8.4.1: Technical Report Generation
# Unquoted delimiter so the $(...) counts are expanded
cat << EOF > technical_reconnaissance_report.md
# Technical Reconnaissance Report

## Methodology
This assessment followed the systematic active reconnaissance methodology covering:
- Network discovery and host enumeration
- Comprehensive port scanning
- Service version detection and enumeration
- Protocol analysis and security assessment
- Infrastructure mapping and topology analysis
- Vulnerability identification and assessment

## Scope
**Target Networks:** [Insert target ranges]
**Assessment Period:** [Insert dates]
**Tools Used:** nmap, masscan, gobuster, enum4linux, custom scripts

## Findings Summary

### Network Infrastructure
**Total Hosts Discovered:** $(wc -l < live_hosts.txt)
**Network Segments:** [Auto-populated from discovery]
**Operating Systems:** [Auto-populated from OS detection]

### Service Distribution
**Web Services:** $(wc -l < web_targets.txt)
**Database Services:** $(wc -l < database_targets.txt)
**Remote Access Services:** $(wc -l < ssh_targets.txt) SSH, $(wc -l < rdp_targets.txt) RDP
**File Sharing Services:** $(wc -l < smb_targets.txt) SMB, $(wc -l < ftp_targets.txt) FTP
**Email Services:** $(wc -l < smtp_targets.txt) SMTP, $(wc -l < imap_targets.txt) IMAP

### Security Assessment
**Critical Vulnerabilities:** $(wc -l < high_severity_vulnerabilities.txt)
**Medium Risk Issues:** $(wc -l < medium_severity_vulnerabilities.txt)
**Configuration Issues:** [Auto-populated from analysis]

## Detailed Findings
[Service-specific findings and technical details]

## Recommendations
[Technical recommendations for remediation]
EOF

# Step 8.4.2: Executive Summary Generation
# Unquoted delimiter so the $(...) counts are expanded
cat << EOF > executive_summary.md
# Executive Summary - Network Reconnaissance Assessment

## Assessment Overview
A systematic network reconnaissance assessment was conducted to identify the external attack surface and potential security exposures.

## Key Findings
- **Network Scope:** $(wc -l < live_hosts.txt) active systems identified
- **Critical Services:** $(wc -l < web_targets.txt) web applications, $(wc -l < database_targets.txt) database servers
- **Security Exposure:** $(wc -l < high_severity_vulnerabilities.txt) critical vulnerabilities requiring immediate attention

## Risk Summary
### High Risk
- [Auto-populated critical findings]

### Medium Risk  
- [Auto-populated medium findings]

### Low Risk
- [Auto-populated low findings]

## Business Impact
[Impact assessment based on services discovered]

## Immediate Actions Required
1. [Prioritized recommendations]
2. [Security improvements]
3. [Monitoring enhancements]

## Long-term Recommendations
[Strategic security improvements]
EOF

# Step 8.4.3: Remediation Tracking Template
cat << 'EOF' > remediation_tracking.csv
"Finding ID","Severity","Service","Host","Description","Recommendation","Status","Assigned To","Due Date","Completed Date"
EOF

# Auto-populate critical findings
grep -n "VULNERABLE" evidence/vulnerability_assessment/*.nmap | head -20 | \
while IFS=':' read -r file line content; do
    echo "\"VUL-$(printf "%03d" $line)\",\"High\",\"Unknown\",\"Unknown\",\"$content\",\"See technical report\",\"Open\",\"\",\"\",\"\"" >> remediation_tracking.csv
done

Methodology Validation and Quality Assurance

9.1 Phase Completion Checklist

Network Discovery Validation:

  • All target network ranges scanned

  • Host discovery techniques applied (ARP, ICMP, TCP, UDP)

  • Network topology documented

  • Operating system fingerprinting completed

  • Live host inventory generated

Port Scanning Validation:

  • Progressive scanning methodology followed

  • TCP comprehensive scan on critical hosts

  • UDP service discovery completed

  • Service categorization performed

  • Port state analysis documented

Service Enumeration Validation:

  • Version detection performed on all services

  • Protocol-specific enumeration completed

  • Banner grabbing and fingerprinting done

  • Default credentials tested

  • Service configuration assessed

Infrastructure Mapping Validation:

  • Network architecture documented

  • Service dependencies identified

  • Security boundaries mapped

  • Topology visualization created

  • Infrastructure documentation generated

Vulnerability Assessment Validation:

  • Automated vulnerability scanning completed

  • Configuration security assessment done

  • Network security controls evaluated

  • Vulnerability prioritization performed

  • CVE identification and cataloging complete

Evidence Processing Validation:

  • All scan data organized and preserved

  • Service inventory comprehensive and accurate

  • Vulnerability analysis completed

  • Attack surface documentation generated

  • Reports created for appropriate audiences

9.2 Data Quality Verification

# Step 9.2.1: Scan Completeness Check
echo "=== Scan Completeness Verification ===" > quality_assurance_report.txt
echo "Phase 1 Files: $(ls phase1_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 2 Files: $(ls phase2_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 3 Files: $(ls phase3_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 4 Files: $(ls phase4_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 5 Files: $(ls phase5_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 6 Files: $(ls phase6_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt
echo "Phase 7 Files: $(ls phase7_*.* 2>/dev/null | wc -l)" >> quality_assurance_report.txt

# Step 9.2.2: Data Consistency Check
echo -e "\n=== Data Consistency Check ===" >> quality_assurance_report.txt
echo "Live hosts in discovery: $(wc -l < live_hosts.txt)" >> quality_assurance_report.txt
echo "Hosts with open ports: $(cat phase3_*.gnmap | grep 'open' | cut -d' ' -f2 | sort -u | wc -l)" >> quality_assurance_report.txt
echo "Hosts with services: $(cat phase4_*.gnmap | grep 'open' | cut -d' ' -f2 | sort -u | wc -l)" >> quality_assurance_report.txt

# Step 9.2.3: Coverage Analysis
echo -e "\n=== Coverage Analysis ===" >> quality_assurance_report.txt
total_hosts=$(wc -l < live_hosts.txt)
scanned_hosts=$(grep -h "^Host:" phase3_*.gnmap | cut -d' ' -f2 | sort -u | wc -l)  # skip the "# Nmap ..." comment lines
coverage_percent=$(echo "scale=2; $scanned_hosts * 100 / $total_hosts" | bc 2>/dev/null || echo "N/A")
echo "Scan coverage: $scanned_hosts/$total_hosts hosts ($coverage_percent%)" >> quality_assurance_report.txt

9.3 Methodology Adherence Verification

# Step 9.3.1: Required Tool Usage Verification
echo -e "\n=== Tool Usage Verification ===" >> quality_assurance_report.txt
tools_used=""
[ -f "phase2_icmp.nmap" ] && tools_used="$tools_used nmap-icmp"
[ -f "masscan_discovery.txt" ] && tools_used="$tools_used masscan"
[ -f "web_enum_results.txt" ] && tools_used="$tools_used whatweb"
[ -f "smb_enum_results.txt" ] && tools_used="$tools_used smbclient/smbmap"
ls enum4linux_*.txt >/dev/null 2>&1 && tools_used="$tools_used enum4linux"
echo "Tools utilized: $tools_used" >> quality_assurance_report.txt

# Step 9.3.2: Phase Dependency Check
echo -e "\n=== Phase Dependency Verification ===" >> quality_assurance_report.txt
[ -f "live_hosts.txt" ] && echo "✓ Phase 2 output (live_hosts.txt) available for Phase 3" >> quality_assurance_report.txt
[ -f "critical_hosts.txt" ] && echo "✓ Phase 3 fast-scan output (critical_hosts.txt) available for the comprehensive TCP scan" >> quality_assurance_report.txt
[ -f "ssh_targets.txt" ] && echo "✓ Phase 3 categorization output (ssh_targets.txt) available for Phase 4" >> quality_assurance_report.txt

Advanced Techniques and Extensions

10.1 IPv6 Network Discovery

# Step 10.1.1: IPv6 Address Discovery
nmap -6 target_ipv6_range -sn -oA ipv6_discovery

# Step 10.1.2: IPv6 Multicast Discovery
ping6 -c 4 ff02::1%interface

# Step 10.1.3: IPv6 Service Enumeration
nmap -6 -sS -sV target_ipv6_range -oA ipv6_services

10.2 Cloud Infrastructure Assessment

# Step 10.2.1: Cloud Provider Detection
nmap --script http-title,ssl-cert target_range | grep -E "(AWS|Azure|Google|CloudFlare)"

# Step 10.2.2: CDN and Load Balancer Detection
curl -I http://target | grep -E "(Server|X-Cache|CF-RAY)"
dig target A | grep -E "(amazonaws|azure|cloudflare)"

# Step 10.2.3: Cloud Storage Discovery
nmap --script http-enum target_range | grep -E "(s3|blob|storage)"

10.3 IoT and Embedded Device Discovery

# Step 10.3.1: IoT Protocol Detection
nmap -sU -p161,1900,5353 --script snmp-info,upnp-info target_range

# Step 10.3.2: Industrial Protocol Scanning
nmap -p502,44818,2404,20000 --script modbus-discover,enip-info target_range

# Step 10.3.3: Embedded Web Interface Discovery
nmap -p80,443,8080,8443 --script http-title target_range | grep -iE "(router|switch|camera|printer)"

Automation and Scripting

11.1 Automated Reconnaissance Pipeline

#!/bin/bash
# automated_recon.sh - Complete reconnaissance automation

set -e

# Configuration
TARGET_RANGE="$1"
OUTPUT_DIR="recon_$(date +%Y%m%d_%H%M%S)"
THREADS=100

# Validate input
if [ -z "$TARGET_RANGE" ]; then
    echo "Usage: $0 <target_range>"
    echo "Example: $0 192.168.1.0/24"
    exit 1
fi

# Create output directory structure
mkdir -p "$OUTPUT_DIR"/{discovery,scanning,enumeration,vulnerabilities,reports}
cd "$OUTPUT_DIR"

echo "[+] Starting automated reconnaissance of $TARGET_RANGE"
echo "[+] Output directory: $OUTPUT_DIR"

# Phase 1: Network Discovery
echo "[+] Phase 1: Network Discovery"
nmap -sn "$TARGET_RANGE" --min-rate 1000 -oA discovery/network_sweep
grep "Up" discovery/network_sweep.gnmap | cut -d' ' -f2 > live_hosts.txt
echo "[+] Discovered $(wc -l < live_hosts.txt) live hosts"

# Phase 2: Port Scanning
echo "[+] Phase 2: Port Scanning"
nmap -sS --top-ports 1000 -T4 --open -iL live_hosts.txt -oA scanning/fast_scan
nmap -sS -p- --min-rate 5000 -iL live_hosts.txt -oA scanning/comprehensive_scan &
nmap -sU --top-ports 100 -iL live_hosts.txt -oA scanning/udp_scan &
wait

# Phase 3: Service Enumeration
echo "[+] Phase 3: Service Enumeration"
nmap -sV -sC -iL live_hosts.txt -oA enumeration/service_detection

# Service categorization
# .gnmap reports ports as port/state/proto/owner/service/rpc/version/ (e.g. "22/open/tcp//ssh///"),
# not as "22/tcp open" (that is the normal .nmap format), so match the greppable form.
grep -hE "[ ,]22/open/tcp" scanning/*.gnmap | awk '{print $2}' | sort -u > ssh_targets.txt
grep -hE "[ ,](80|443)/open/tcp" scanning/*.gnmap | awk '{print $2}' | sort -u > web_targets.txt
grep -hE "[ ,]445/open/tcp" scanning/*.gnmap | awk '{print $2}' | sort -u > smb_targets.txt

# Phase 4: Vulnerability Assessment
echo "[+] Phase 4: Vulnerability Assessment"
nmap --script vuln -iL live_hosts.txt -oA vulnerabilities/vuln_scan &
# Quote the script wildcards so the shell does not expand them against files in the working directory
nmap -p80,443 --script 'http-vuln*' -iL web_targets.txt -oA vulnerabilities/web_vulns &
nmap -p445 --script 'smb-vuln*' -iL smb_targets.txt -oA vulnerabilities/smb_vulns &
wait

# Phase 5: Report Generation
echo "[+] Phase 5: Report Generation"
total_hosts=$(wc -l < live_hosts.txt)
# Count unique host/port pairs; the fast and full scans overlap, so a plain line count would double-count
total_services=$(grep -h "Ports:" scanning/*.gnmap | awk '{for (i=3; i<=NF; i++) if ($i ~ /\/open\//) {sub(/,$/, "", $i); print $2, $i}}' | sort -u | wc -l)
critical_vulns=$(grep -h "VULNERABLE" vulnerabilities/*.nmap | wc -l)

cat << EOF > reports/executive_summary.txt
Automated Reconnaissance Summary
===============================
Target Range: $TARGET_RANGE
Scan Date: $(date)

Results:
- Live Hosts: $total_hosts
- Open Services: $total_services
- Potential Vulnerabilities: $critical_vulns

Detailed results available in subdirectories.
EOF

echo "[+] Reconnaissance complete. Results saved in $OUTPUT_DIR"
echo "[+] Executive summary: $OUTPUT_DIR/reports/executive_summary.txt"

11.2 Continuous Monitoring Integration

#!/bin/bash
# continuous_recon.sh - Continuous reconnaissance monitoring
# Runs automated_recon.sh and diffs the result against a stored baseline.

set -e

TARGET_RANGE="$1"
BASELINE_DIR="baseline"                        # fixed name so runs on later days can still find it
CURRENT_DIR="current_$(date +%Y%m%d_%H%M%S)"   # timestamped so two runs on one day do not collide

if [ -z "$TARGET_RANGE" ]; then
    echo "Usage: $0 <target_range>"
    exit 1
fi

# Perform current scan; automated_recon.sh writes into recon_<timestamp>/
./automated_recon.sh "$TARGET_RANGE"
LATEST_RUN=$(ls -dt recon_*/ | head -n1)   # glob must be unquoted to expand; pick the newest run
mv "${LATEST_RUN%/}" "$CURRENT_DIR"

# Compare with baseline if available
if [ -d "$BASELINE_DIR" ]; then
    echo "[+] Comparing with baseline..."
    diff "$BASELINE_DIR/live_hosts.txt" "$CURRENT_DIR/live_hosts.txt" > host_changes.txt || true
    # Drop the "# Nmap ... initiated/done" comment lines, which carry timestamps and always differ
    diff <(grep -v '^#' "$BASELINE_DIR/scanning/fast_scan.gnmap") \
         <(grep -v '^#' "$CURRENT_DIR/scanning/fast_scan.gnmap") > service_changes.txt || true

    if [ -s host_changes.txt ] || [ -s service_changes.txt ]; then
        echo "[!] Changes detected - review host_changes.txt and service_changes.txt"
    else
        echo "[+] No significant changes detected"
    fi
else
    echo "[+] Creating baseline for future comparisons"
    cp -r "$CURRENT_DIR" "$BASELINE_DIR"
fi
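The two scripts above lean on grep and diff to pull target lists out of nmap's greppable output and to spot changes between runs. Both jobs are easier to get right with a small parser that understands the .gnmap field layout (port/state/proto/owner/service/rpc/version/), because a raw text diff also fires on reordered ports and timestamp comments. The following is an added example written for this guide, not code from the original page: it parses constructed sample .gnmap lines (the addresses, dates and services are made up), builds the same ssh/web/smb target sets that section 11.1 writes to ssh_targets.txt, web_targets.txt and smb_targets.txt, and reports per-host service changes between a baseline and a current scan as section 11.2 intends.

```python
"""Parse nmap greppable output (.gnmap), categorize targets by service,
and diff a baseline scan against a current one.

Added example for this guide; it is not part of the original page.
The .gnmap text below is a constructed sample in nmap's greppable format.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample: shape of scanning/fast_scan.gnmap from the baseline run.
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS --top-ports 1000 -oA scanning/fast_scan -iL live_hosts.txt
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# Constructed sample: the same range scanned later. One host is gone, one is new,
# and 192.168.1.10 has swapped plain HTTP for HTTPS.
CURRENT_GNMAP = """\
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.30 ()\tStatus: Up
Host: 192.168.1.30 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

# Each entry in the "Ports:" field is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

Service = Tuple[int, str, str]  # (port, proto, service name)


def parse_gnmap(text: str) -> Dict[str, Set[Service]]:
    """Return {host: {(port, proto, service), ...}} for ports reported open.

    Hosts that are up but show nothing open keep an empty set, so "host vanished"
    stays distinguishable from "host has no open ports".
    """
    hosts: Dict[str, Set[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip "# Nmap ..." header and footer comments
        fields = line.split("\t")
        host = fields[0].split()[1]  # "Host: 192.168.1.10 ()" -> address
        hosts.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, proto, service in PORT_RE.findall(field):
                if state == "open":
                    hosts[host].add((int(port), proto, service))
    return hosts


def categorize(hosts: Dict[str, Set[Service]]) -> Dict[str, Set[str]]:
    """Build the per-service target sets the pipeline script writes to
    ssh_targets.txt, web_targets.txt and smb_targets.txt."""
    wanted = {"ssh": {22}, "web": {80, 443}, "smb": {445}}
    out: Dict[str, Set[str]] = {name: set() for name in wanted}
    for host, services in hosts.items():
        open_tcp = {port for port, proto, _ in services if proto == "tcp"}
        for name, ports in wanted.items():
            if open_tcp & ports:
                out[name].add(host)
    return out


def diff_scans(baseline: Dict[str, Set[Service]],
               current: Dict[str, Set[Service]]) -> Dict[str, object]:
    """Report hosts that appeared or disappeared and, for hosts present in
    both scans, services that opened or closed. Port order and nmap's
    timestamp comments do not affect the result, unlike a raw text diff."""
    new_services: Dict[str, list] = {}
    closed_services: Dict[str, list] = {}
    for host in set(baseline) & set(current):
        added = current[host] - baseline[host]
        removed = baseline[host] - current[host]
        if added:
            new_services[host] = sorted(added)
        if removed:
            closed_services[host] = sorted(removed)
    return {
        "new_hosts": sorted(set(current) - set(baseline)),
        "gone_hosts": sorted(set(baseline) - set(current)),
        "new_services": new_services,
        "closed_services": closed_services,
    }


if __name__ == "__main__":
    base = parse_gnmap(BASELINE_GNMAP)
    cur = parse_gnmap(CURRENT_GNMAP)
    for name, targets in categorize(cur).items():
        print(f"{name}_targets: {sorted(targets)}")
    for key, value in diff_scans(base, cur).items():
        print(f"{key}: {value}")
```

Feeding the real files in (open each scanning/*.gnmap and pass its contents to parse_gnmap, then write each set from categorize to the matching targets file) replaces the grep/cut pipeline, and diff_scans on the baseline and current parses gives the change list that continuous_recon.sh derives from diff.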

Troubleshooting and Common Issues

12.1 Network Connectivity Issues

# Test basic connectivity
ping -c 3 target_ip
traceroute target_ip

# Test specific ports
nc -zv target_ip port
hping3 -S -p port -c 1 target_ip

# Bypass filtering
nmap -sA target_ip  # ACK scan to test firewall rules
nmap -f target_ip   # Fragment packets
nmap --source-port 53 target_ip  # Source port spoofing

12.2 Performance Optimization

# Increase scanning speed
nmap --min-rate 1000 target_range
nmap -T4 target_range
masscan -p1-65535 target_range --rate=10000

# Reduce resource usage
nmap -T1 target_range  # Slow scan
nmap --max-retries 1 target_range
nmap --host-timeout 30s target_range

12.3 Common Error Resolution

DNS Resolution Issues:

# Use direct IP addresses
nmap -n target_range

# Specify custom DNS servers
nmap --dns-servers 8.8.8.8,1.1.1.1 target_range

Permission Issues:

# Run with appropriate privileges
sudo nmap -sS target_range

# Use unprivileged scans
nmap -sT target_range  # TCP connect scan

Rate Limiting Detection:

# Slow down scanning
nmap -T0 target_range
nmap --scan-delay 1s target_range

# Use decoy scanning
nmap -D decoy1,decoy2,ME target_range

Conclusion

This comprehensive active reconnaissance methodology provides a systematic approach to network discovery and service enumeration suitable for any target environment. The methodology emphasizes:

  • Systematic Progression: Each phase builds upon previous discoveries

  • Comprehensive Coverage: All major protocols and services

  • Quality Assurance: Built-in validation and verification steps

  • Professional Documentation: Structured reporting and evidence collection

  • Automation Support: Scriptable processes for consistency and efficiency

By following this methodology, penetration testers and security professionals can ensure complete coverage of the target attack surface while maintaining professional standards for documentation and reporting.
