Reconnaissance and scanning
OSINT, host discovery and the nmap command patterns that map a target's attack surface.
~4 min read
Information is the first weapon
You can't attack what you don't understand. Recon builds the picture of the target before (and during) an engagement, and thorough recon is what makes everything afterwards possible. It splits into two kinds, and the distinction matters legally as well as practically.
- Passive reconnaissance: gathering information without interacting with the target's systems, using public sources. It's quiet and, on public data, generally lawful, since you're not touching their infrastructure.
- Active reconnaissance: directly interacting with the target (scanning ports, probing services). Noisy, detectable, and only legitimate within an authorised scope.
OSINT
OSINT (Open-Source Intelligence) is passive recon from publicly available information, and it's striking how much an organisation exposes without realising:
- WHOIS and DNS: domain registration details, name servers, mail servers; dig, nslookup and whois reveal infrastructure. Subdomain enumeration (tools like dnsenum, amass, or certificate-transparency logs) often uncovers forgotten dev/staging servers.
- Search engine dorking: crafted search queries (site:, filetype:, intitle:) surface exposed documents, login pages and config files. "Google dorking" is a whole skill.
- Public records and social media: employee names, roles, email formats and tech stacks (from job ads and LinkedIn) feed both technical attacks and social engineering.
- Breach data: checking whether company credentials appear in known breaches (e.g. Have I Been Pwned).
- Shodan: a search engine for internet-connected devices; it indexes exposed services, so you can find an organisation's internet-facing systems, open ports and banners without ever scanning them yourself (effectively passive from the target's view). Its index is a snapshot, though, so treat it as a lead and confirm anything that matters in your authorised active scan.
- Metadata: documents published online often carry metadata (authors, software versions, internal paths) that leaks internal detail.
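Certificate-transparency logs are the cheapest of the subdomain sources above, but the raw results need cleaning before they are useful: crt.sh packs several names into one "name_value" string separated by an escaped newline, mixes in wildcard entries and inconsistent casing, and a query for %.example.com can also match look-alike domains. The POSIX shell function below is an added example, not part of the original notes; the JSON it runs on is constructed to look like crt.sh's `output=json` format, and `ct_subdomains` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: reduce a crt.sh-style JSON result to the unique, in-scope
# hostnames it reveals. Works offline on the constructed sample below.

# Usage: ct_subdomains <apex-domain>   (crt.sh-style JSON array on stdin)
ct_subdomains() {
  # Escape dots so the scope check is a literal suffix match, not a regex wildcard.
  dom=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -o '"name_value":"[^"]*"' \
  | sed 's/^"name_value":"//; s/"$//' \
  | awk '{ gsub(/\\n/, "\n"); print }' \
  | tr 'A-Z' 'a-z' \
  | sed 's/^\*\.//' \
  | grep -E "(^|\.)${dom}\$" \
  | sort -u
}

# Constructed sample in the shape of https://crt.sh/?q=%25.example.com&output=json
# (not a real query result).
CT_SAMPLE=$(cat <<'EOF'
[{"issuer_ca_id":1,"common_name":"www.example.com","name_value":"www.example.com\ndev.example.com","not_before":"2024-01-01T00:00:00"},
 {"issuer_ca_id":1,"common_name":"*.staging.example.com","name_value":"*.staging.example.com\nstaging.example.com"},
 {"issuer_ca_id":2,"common_name":"EXAMPLE.COM","name_value":"EXAMPLE.COM\nWWW.EXAMPLE.COM"},
 {"issuer_ca_id":3,"common_name":"example.com.evil-lookalike.net","name_value":"example.com.evil-lookalike.net"}]
EOF
)

# Demo run on the constructed sample.
printf '%s\n' "$CT_SAMPLE" | ct_subdomains example.com
```

The wildcard entry becomes its base name (`*.staging.example.com` to `staging.example.com`) because that is the host you can actually resolve, and the look-alike domain is dropped by the anchored scope check. Each surviving name is still only a candidate: resolve it before treating it as live attack surface.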
The defensive lesson is the mirror image: organisations should know and minimise their own OSINT footprint, because attackers start here.
Host discovery and port scanning
Once active recon is authorised, the goal is to map what's reachable: which hosts are up, which ports are open, and what's listening behind them. A port's state tells you where the doors are. Every open port is a potential way in, or a piece of intelligence about the system's role.
Recall from networking that ports map to services (port 22 → SSH, 80/443 → web, 445 → SMB). Scanning ties the abstract port list to concrete attack surface.
nmap: the standard scanner
Nmap is the standard scanner for discovery, port scanning and service/version detection. The flags worth memorising:
nmap 10.10.10.5 # default: top 1000 TCP ports
nmap -p- 10.10.10.5 # all 65535 TCP ports (thorough, do this)
nmap -p 22,80,443 10.10.10.5 # specific ports
nmap -sV 10.10.10.5 # service/version detection
nmap -sC 10.10.10.5 # run default NSE scripts
nmap -O 10.10.10.5 # OS detection
nmap -A 10.10.10.5 # aggressive: -sV, -sC, -O, traceroute
nmap -sU 10.10.10.5 # UDP scan (slow; don't forget UDP services)
nmap -sn 10.10.10.0/24 # ping sweep, host discovery only, no port scan
nmap -oN out.txt 10.10.10.5 # save normal output (always save your scans)
A very common CTF opening is nmap -p- -sV -sC (or -A) against the box, then enumerate each service it reveals. Scan all ports: services hiding on high non-standard ports are a frequent reason people get stuck. In practice it is worth doing this in two stages, a plain -p- sweep first so you can start working on the open ports straight away, then -sV -sC against only those ports.
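The two-stage pattern, as an added POSIX shell example that is not part of the original notes: sweep all ports with grepable output, pull the open TCP ports out of it, and build the targeted -sV -sC command. The grepable output it parses is constructed to match nmap's -oG "Ports:" line (nmap separates the fields with tabs; spaces are used here for readability, and the parser does not care), and the helper names and the svc_<host>.txt output name are assumptions.

```shell
#!/bin/sh
# Added example: full-port sweep (-oG) -> extract open ports -> targeted -sV -sC.
# Runs offline on the constructed -oG sample below; the real nmap calls are shown
# in comments.

# Extract open TCP ports from nmap grepable (-oG) output on stdin.
# Prints a comma-separated, numerically sorted, de-duplicated list.
open_tcp_ports() {
  grep '^Host:' \
  | grep -o '[0-9]\{1,5\}/open/tcp' \
  | cut -d/ -f1 \
  | sort -n -u \
  | paste -sd, -
}

# Build the stage-two command: version/script scan of only the open ports,
# saved to svc_<host>.txt (file name is this example's convention).
stage_two_cmd() {
  host=$1; ports=$2
  printf 'nmap -p %s -sV -sC -oN svc_%s.txt %s\n' "$ports" "$host" "$host"
}

# Constructed -oG output in the shape `nmap -p- -oG - 10.10.10.5` produces.
# Note the closed port is listed too; only /open/ entries are kept.
SAMPLE_OG=$(cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -oG - 10.10.10.5
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8443/open/tcp//https-alt///, 31337/open/tcp//Elite///  Ignored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
)

host=10.10.10.5
# Stage one, real run (not executed here):  nmap -p- -oG - "$host" | open_tcp_ports
ports=$(printf '%s\n' "$SAMPLE_OG" | open_tcp_ports)
echo "open TCP ports on $host: $ports"
# Stage two: print the follow-up command (pipe it to sh to run it for real).
stage_two_cmd "$host" "$ports"
```

Using `-oG -` sends grepable output to stdout so it can be piped, while a separate -oN file still records the scan for the report. Run the same pattern with -sU for the UDP side; the port list that comes back is a different set and is easy to forget.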
Scan types worth knowing:
- TCP connect scan (-sT): completes the full three-way handshake. Reliable but logged, because the connection reaches the listening application. It is what nmap falls back to when it cannot send raw packets (i.e. not running as root).
- SYN / half-open scan (-sS): sends SYN, gets SYN-ACK, then resets without completing. Faster and quieter against application logs (the connection never completes), and the default when run as root. Any firewall or IDS in the path still sees the SYNs, so "stealthy" is relative.
- UDP scan (-sU): slow and tricky (no handshake to confirm state, so nmap often reports open|filtered when nothing answers) but necessary to catch DNS, SNMP, etc.
Nmap also runs the NSE (Nmap Scripting Engine), which can do vulnerability checks, brute-forcing and deeper enumeration (--script vuln). Many of the vuln and brute scripts are classed intrusive and are noisy, so they belong inside an authorised active scope, not in recon you want to keep quiet.
Service enumeration
After scanning, enumerate each open service. This is where engagements are won. A few standard moves:
- Web (80/443): directory/file brute-forcing with gobuster, ffuf or dirb; inspect source, headers, robots.txt; identify the tech with whatweb/Wappalyzer.
- SMB (445): list shares and try anonymous access with smbclient or enum4linux.
- DNS (53): attempt a zone transfer (dig axfr <domain> @<nameserver>), which can dump every record if misconfigured.
- Any service: grab the banner (it often reveals the exact version), then search for known vulnerabilities and default credentials for that product/version.
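Turning the version scan into a per-service checklist is the step people skip, and then they forget a port. The POSIX shell function below is an added example (not from the original notes): it parses the port table of an nmap -oN file and prints, for each open port, the service and version string to search on and the first enumeration commands from the list above. The -oN text it parses is constructed (version strings included); `enum_plan` is a hypothetical helper name, and WORDLIST and DOMAIN are placeholders to fill in.

```shell
#!/bin/sh
# Added example: nmap -sV normal output (-oN) -> per-service enumeration plan.
# Runs offline on the constructed sample below.

# Usage: enum_plan <host>   (nmap -oN text on stdin)
# Prints "port/proto service version" for each open port, followed by the
# enumeration commands to start with. Unknown services get a banner grab.
enum_plan() {
  awk -v host="$1" '
    # Port-table rows look like: 80/tcp   open   http   Apache httpd 2.4.41 ((Ubuntu))
    /^[0-9]+\/(tcp|udp)[ \t]+open/ {
      split($1, pp, "/"); port = pp[1]; proto = pp[2]; svc = $3
      ver = ""
      for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
      if (ver == "") ver = "(no version: grab the banner by hand)"
      printf "%s/%s %s %s\n", port, proto, svc, ver
      if (svc ~ /http/) {
        scheme = (svc ~ /ssl|https/ || port == 443) ? "https" : "http"
        printf "  gobuster dir -u %s://%s:%s/ -w WORDLIST\n", scheme, host, port
        printf "  whatweb %s://%s:%s/\n", scheme, host, port
      } else if (port == 445 || port == 139) {
        printf "  smbclient -N -L //%s/\n", host
        printf "  enum4linux -a %s\n", host
      } else if (port == 53 && proto == "tcp") {
        printf "  dig axfr DOMAIN @%s\n", host
      } else {
        printf "  nc -nv %s %s   # banner grab, then search the product/version\n", host, port
      }
    }'
}

# Constructed -oN output (versions invented for the example), in the shape
# `nmap -p 22,53,80,443,445,8443,31337 -sV -oN svc_10.10.10.5.txt 10.10.10.5` writes.
SAMPLE_ON=$(cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p 22,53,80,443,445,8443,31337 -sV -oN svc_10.10.10.5.txt 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.012s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain      ISC BIND 9.16.1 (Ubuntu Linux)
80/tcp    open   http        Apache httpd 2.4.41 ((Ubuntu))
443/tcp   closed https
445/tcp   open   netbios-ssn Samba smbd 4.6.2
8443/tcp  open   ssl/http    Apache httpd 2.4.41
31337/tcp open   Elite?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
EOF
)

printf '%s\n' "$SAMPLE_ON" | enum_plan 10.10.10.5
```

The closed 443 row is skipped, the ssl/http service on 8443 is enumerated over https, and the unidentified high port (31337, no version) gets a manual banner grab, which is exactly the case where a scanner alone leaves you stuck. Treat the printed commands as a starting checklist, not a substitute for reading the banners yourself.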
Vulnerability scanning vs penetration testing: an automated vulnerability scanner (Nessus, OpenVAS, Qualys) checks a target against a database of known issues and produces a list. It's broad but throws false positives and does no actual exploitation. A penetration test uses human judgement to exploit and chains findings together. Scanners are a starting input to a test, not a replacement for one, and that's a recurring exam distinction.
Quick recall
- Recon is passive (public sources, no interaction; OSINT) or active (direct interaction via scanning, needs authorisation).
- OSINT sources: WHOIS/DNS and subdomains, search dorking, social media, breach data, Shodan (indexes exposed devices), document metadata. Minimise your own footprint.
- nmap essentials: -p- (all ports), -sV (versions), -sC (default scripts), -A (aggressive), -sU (UDP), -sn (host discovery), -oN (save). -sS is the stealthy default-as-root scan; -sT is the full-connect scan.
- Always scan all ports and save output; then deeply enumerate each service (gobuster/ffuf for web, enum4linux for SMB, banners + default creds everywhere).
- Vulnerability scanning (automated, lists known issues) ≠ penetration testing (human, exploits and chains).