This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

My Preferred Reconnaissance Tools

This is not an exhaustive list; most of these tools also accept --help, which prints their full usage guide.

NMAP

Switch
Description
Example

-sV

Service version detection

nmap -sV 192.168.1.10

-O

OS fingerprinting

nmap -O 192.168.1.10

-p

Specify ports

nmap -p22,80,443 192.168.1.10

-p-

Scan all ports

nmap -p- 192.168.1.10

--top-ports

Scan most common ports

nmap --top-ports 100 192.168.1.10

-sC

Run default scripts

nmap -sC 192.168.1.10

--script

Run specific scripts

nmap --script vuln 192.168.1.10

-A

Aggressive scan (OS, version, scripts)

nmap -A 192.168.1.10

-T4

Fast timing

nmap -T4 192.168.1.10

-oA

Output all formats

nmap -oA scan 192.168.1.10

-f

Fragment packets

nmap -f 192.168.1.10

--min-rate

Minimum packet rate

nmap --min-rate 1000 192.168.1.10

Masscan

Switch
Description
Example

-p

Specify ports

masscan -p80,443 192.168.1.0/24

--rate

Packets per second

masscan -p80 192.168.1.0/24 --rate=1000

--open-only

Show only open ports

masscan -p1-1000 192.168.1.0/24 --open-only

-oG

Output grepable format

masscan -p80 192.168.1.0/24 -oG scan.txt

-oX

Output XML format

masscan -p80 192.168.1.0/24 -oX scan.xml

--top-ports

Scan most common ports

masscan --top-ports 100 192.168.1.0/24

--banners

Grab service banners

masscan -p80,443 192.168.1.0/24 --banners

--source-port

Use specific source port

masscan -p80 192.168.1.0/24 --source-port 53

--wait

Wait time after scan

masscan -p80 192.168.1.0/24 --wait 10

--exclude

Exclude IP ranges

masscan -p80 192.168.0.0/16 --exclude 192.168.1.0/24

--ping

Ping sweep mode

masscan --ping 192.168.1.0/24

Gobuster

Switch
Description
Example

dir

Directory brute force mode

gobuster dir -u http://192.168.1.10 -w wordlist.txt

-u

Target URL

gobuster dir -u http://192.168.1.10 -w wordlist.txt

-w

Wordlist file

gobuster dir -u http://192.168.1.10 -w /usr/share/wordlists/dirb/common.txt

-x

File extensions

gobuster dir -u http://192.168.1.10 -w wordlist.txt -x php,html,txt

-t

Number of threads

gobuster dir -u http://192.168.1.10 -w wordlist.txt -t 50

-s

Status codes to include

gobuster dir -u http://192.168.1.10 -w wordlist.txt -s 200,204,301,302

-b

Status codes to exclude

gobuster dir -u http://192.168.1.10 -w wordlist.txt -b 404,403

-o

Output file

gobuster dir -u http://192.168.1.10 -w wordlist.txt -o results.txt

-q

Quiet mode

gobuster dir -u http://192.168.1.10 -w wordlist.txt -q

-k

Skip SSL verification

gobuster dir -u https://192.168.1.10 -w wordlist.txt -k

-a

User agent string

gobuster dir -u http://192.168.1.10 -w wordlist.txt -a "Custom-Agent"

-H

HTTP headers

gobuster dir -u http://192.168.1.10 -w wordlist.txt -H "Authorization: Bearer token"

--timeout

HTTP timeout

gobuster dir -u http://192.168.1.10 -w wordlist.txt --timeout 10s

vhost

Virtual host brute force

gobuster vhost -u http://192.168.1.10 -w wordlist.txt

dns

DNS subdomain brute force

gobuster dns -d example.com -w wordlist.txt

Enum4linux

Switch
Description
Example

-a

All enumeration (do everything)

enum4linux -a 192.168.1.10

-d

Be detailed (verbose)

enum4linux -d -U 192.168.1.10

-u

Specify username

enum4linux -u administrator -U 192.168.1.10

-p

Specify password

enum4linux -u admin -p password123 -U 192.168.1.10

-A

Aggressive (all simple enumeration)

enum4linux -A 192.168.1.10

-s

Brute force guessing for share names

enum4linux -s /usr/share/enum4linux/share-list.txt 192.168.1.10

Hydra

Switch
Description
Example

-l

Single username

hydra -l admin -P passwords.txt ssh://192.168.1.10

-L

Username list

hydra -L users.txt -P passwords.txt ssh://192.168.1.10

-p

Single password

hydra -L users.txt -p password123 ssh://192.168.1.10

-P

Password list

hydra -L users.txt -P passwords.txt ssh://192.168.1.10

-C

Colon-separated username:password list

hydra -C defaults.txt ssh://192.168.1.10

-t

Threads

hydra -l admin -P passwords.txt -t 16 ssh://192.168.1.10

-s

Custom port

hydra -l admin -P passwords.txt -s 2222 ssh://192.168.1.10

-f

Stop after first valid login

hydra -l admin -P passwords.txt -f ssh://192.168.1.10

-V

Verbose (show login attempts)

hydra -l admin -P passwords.txt -V ssh://192.168.1.10

-o

Output file

hydra -l admin -P passwords.txt -o results.txt ssh://192.168.1.10

-x

Password generation

hydra -l admin -x 4:6:aA1 ssh://192.168.1.10

-e

Try empty/login as password

hydra -L users.txt -e nsr ssh://192.168.1.10

-u

Loop users first

hydra -L users.txt -P passwords.txt -u ssh://192.168.1.10

-M

Multiple targets

hydra -L users.txt -P passwords.txt -M targets.txt ssh

-w

Response timeout

hydra -l admin -P passwords.txt -w 30 ssh://192.168.1.10

SMBClient

Switch
Description
Example

-L

List shares on server

smbclient -L //192.168.1.10 -N

-N

No password (null session)

smbclient -L //192.168.1.10 -N

-U

Username

smbclient -L //192.168.1.10 -U administrator

-p

Port number

smbclient -L //192.168.1.10 -p 445 -N

-c

Execute command

smbclient //192.168.1.10/share -N -c "ls"

-m

SMB protocol version

smbclient -L //192.168.1.10 -N -m SMB2

-W

Workgroup/domain

smbclient -L //192.168.1.10 -U user -W DOMAIN

-A

Authentication file

smbclient -L //192.168.1.10 -A auth.txt

-k

Use Kerberos authentication

smbclient -L //192.168.1.10 -k

-e

Encrypt connection

smbclient -L //192.168.1.10 -U user -e

-T

Tar backup/restore

smbclient //192.168.1.10/share -U user -T c backup.tar

-D

Initial directory

smbclient //192.168.1.10/share -U user -D subfolder

-b

Buffer size

smbclient //192.168.1.10/share -U user -b 1024

-t

Timeout

smbclient -L //192.168.1.10 -N -t 30

-g

Grepable output

smbclient -L //192.168.1.10 -N -g

arp-scan

Switch
Description
Example

-l

Scan local network

arp-scan -l

-I

Specify network interface

arp-scan -I wlan0 192.168.1.0/24

-t

Timeout per host

arp-scan -t 500 192.168.1.0/24

-r

Number of retries

arp-scan -r 3 192.168.1.0/24

-g

Generate target list only

arp-scan -g 192.168.1.0/24

-q

Quiet mode (minimal output)

arp-scan -q 192.168.1.0/24

-x

XML output format

arp-scan -x 192.168.1.0/24

-N

Don't lookup hostnames

arp-scan -N 192.168.1.0/24

-a

Send gratuitous ARP

arp-scan -a 192.168.1.0/24

-v

Verbose mode

arp-scan -v 192.168.1.0/24

-B

Bandwidth limit

arp-scan -B 1000 192.168.1.0/24

Netcat

Switch
Description
Example

-n

No DNS resolution

nc -n 192.168.1.10 80

-v

Verbose output

nc -v 192.168.1.10 80

-w

Connection timeout

nc -w 5 192.168.1.10 80

-l

Listen mode

nc -l -p 4444

-p

Specify port

nc -l -p 8080

-u

UDP mode

nc -u 192.168.1.10 53

-e

Execute command

nc -l -p 4444 -e /bin/bash

-c

Execute command (some versions)

nc -l -p 4444 -c /bin/bash

-s

Source address

nc -s 192.168.1.5 192.168.1.10 80

-o

Output hex dump

nc -o dump.txt 192.168.1.10 80

-x

Hex dump to stderr

nc -x 192.168.1.10 80

-k

Keep listening

nc -k -l -p 8080

-6

IPv6 mode

nc -6 ::1 80

-t

Telnet negotiation

nc -t 192.168.1.10 23
