Recon & Enum


Host discovery and port scanning on a Linux target. Service-specific enum lives in 02 Service Enum.

Set the target once so every block reuses it:

T=10.10.11.50
RANGE=10.10.11.0/24

i. Host discovery on the LAN

ARP sweep, only works on your own L2 segment, but it is the most reliable:

nmap -n -sn -PR -oG - "$RANGE" | grep Up

ICMP sweep with parallel ping when ARP is not an option:

seq 1 254 | xargs -P50 -I{} ping -c1 -W1 10.10.11.{} 2>/dev/null | grep 'bytes from' | awk '{print $4}' | tr -d :

Pure bash TCP knock, no tools needed on the host:

for i in {1..254}; do (timeout 1 bash -c "</dev/tcp/10.10.11.$i/22" 2>/dev/null && echo "10.10.11.$i:22 open") & done; wait

ii. Port scan, fast then deep

Two-phase scan, find all open ports fast, then deep-scan only those:

# Phase 1, find every open TCP port
nmap -p- --min-rate 10000 -T4 -Pn -n -oG fast.gnmap "$T"
PORTS=$(grep -oP '\d+/open' fast.gnmap | cut -d/ -f1 | paste -sd,)
# Phase 2, scripts + version on the hits only
nmap -p"$PORTS" -sCV -Pn -n -oA full "$T"

Top-1000 with scripts, the lazy first move when time is short:

nmap -sCV -T4 --open -Pn -n -oA quick "$T"

UDP top-100, slow, run it in parallel to the TCP scan:

sudo nmap -sU --top-ports 100 -Pn -n -oA udp "$T"

Masscan first when scanning a large range, then nmap the survivors:

sudo masscan -p1-65535 --rate 10000 -oG mass.txt 10.10.0.0/16
# Host: and Ports: may sit on one line or on separate lines, so carry the IP and scan every field for /open/
awk '/^Host:/{ip=$2} /\/open\//{for(i=1;i<=NF;i++) if($i ~ /\/open\//) print ip" "$i}' mass.txt | sort -u

Defender boxes

--min-rate 10000 will trigger IDS on real engagements. Drop to --min-rate 100 and use -T2. On HTB and labs, crank it.

iii. Quick banner pull

One port, raw:

nc -nv "$T" 22 </dev/null

TLS cert for hostnames, vhosts, internal CN leaks:

echo | openssl s_client -connect "$T":443 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:'

HTTP headers, server fingerprint:

curl -sIk "https://$T" | head -20

iv. Parse nmap output fast

Grep the gnmap for what is open:

grep -oE '[0-9]+/open/[a-z]+//[a-z0-9-]+' full.gnmap | sort -u

Extract every IP with a given port open from a /16 scan (-w so 80 does not also match 8080 or 180):

grep -w '80/open' mass.txt | awk '{print $2}' | sort -u
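An added example, not part of these notes: a small Python parser for the grepable (-oG) Host lines that nmap and masscan write, covering both the phase-1 port list and the "which hosts have port X open" question above in one place. The sample output below is constructed, not a real scan.

```python
import re
from dataclasses import dataclass

# Constructed sample in grepable (-oG) format; one Status line, two Ports lines.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p- --min-rate 10000 -T4 -Pn -n -oG fast.gnmap 10.10.11.50
Host: 10.10.11.50 ()\tStatus: Up
Host: 10.10.11.50 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 8080/open/tcp//http-proxy///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65531)
Host: 10.10.11.51 ()\tPorts: 443/open/tcp////
# Nmap done
"""

@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str

# port/state/proto/owner/service/rpc/version ; version keeps everything up to the trailing slash
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)$")

def parse_gnmap(text):
    """Return an OpenPort for every open port on every Host: line (nmap or masscan -oG)."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, Status, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]          # "10.10.11.50 ()" -> "10.10.11.50"
        for entry in fields.get("Ports", "").split(","):
            m = PORT_RE.match(entry.strip())
            if not m or m.group(2) != "open":     # drop filtered/closed entries
                continue
            results.append(OpenPort(host, int(m.group(1)), m.group(3),
                                    m.group(5), m.group(7).rstrip("/").strip()))
    return results

def port_list(results, host):
    """Comma-joined open ports for one host, the value the phase-2 nmap -p takes."""
    return ",".join(map(str, sorted({r.port for r in results if r.host == host})))

def hosts_with_port(results, port):
    """Every host in the scan with the given port open, the masscan /16 question."""
    return sorted({r.host for r in results if r.port == port})
```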

v. Vuln scripts when you want a hint

NSE vulners, version-based CVE matching, noisy but useful:

nmap -sV --script vulners --script-args mincvss=7 -p"$PORTS" "$T"

Next steps

For each open port, jump to the right section in 02 Service Enum. Web (80, 443, 8080, 8443) goes to 00 Linux MOC. Take notes on every banner, version string, and hostname you see; half of the moments you get stuck are because you forgot something already on screen.

Save the scan

Always use -oA name so you get nmap, gnmap, and XML. The gnmap is what you grep. The XML is what feeds tools like searchsploit and EyeWitness.