
Reconnaissance

Before you can attack a target, you need to understand it properly. Gather as much information as possible to give yourself the best chance of attacking it successfully.

Port Scanning

The go-to first technique is usually a port scan with Nmap, the popular CLI tool. Nmap is the best choice for a port scan because it ships with a large library of scripts and has a huge number of flags that let you customise its behaviour to your needs.

A basic nmap scan would look like:

nmap TARGET_IP

This scans the most common TCP ports on the target IP and reports which of them are open and which services appear to be running on them.

As mentioned above, Nmap has many flags to help you build the scan you need.

-p Specify a single port to scan (e.g., 80) or a range (e.g., 80-180)

-p- Scan all 65535 ports

-sU Scan UDP ports as well (recommended)

-A Aggressive scan: OS detection, version detection, script scanning and traceroute (noisier, so more likely to be detected, but picks up far more)

-sS SYN ("stealth") scan: half-open scan that never completes the TCP handshake (reduces risk of detection and is very fast)

DNS Enumeration

If you have some information about a target, you may be able to enumerate its DNS records or subdomains to discover additional services.

Scan a subnet for DNS servers (port 53):

nmap -sC -sV -p53 192.168.x.0/24
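The following is an added example, not part of these notes: it parses Nmap's grepable output (-oG) from scans like the ones above and flags any open port that is not on an agreed baseline, so a scan of your own network (including UDP and the port 53 results from the DNS sweep) turns into an exposure report rather than a raw port list. The SAMPLE_OG text, host names and BASELINE allow-list are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample of nmap grepable (-oG) output; not real scan results.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 (web01.lab)\tStatus: Up
Host: 10.0.0.5 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (997)
Host: 10.0.0.9 (ns01.lab)\tPorts: 53/open/udp//domain//ISC BIND 9.18/, 53/open/tcp//domain//ISC BIND 9.18/, 21/open/tcp//ftp//vsftpd 3.0/
# Nmap done (constructed sample)
"""

@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str
    version: str

def parse_grepable(text):
    """Return one OpenPort per open port in -oG output. Each port entry has
    the fixed layout port/state/protocol/owner/service/rpc info/version/."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        # drop any trailing tab-separated field such as "Ignored State: ..."
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":  # "open|filtered" (common for UDP) is skipped
                found.append(OpenPort(host, int(port), proto, service, version))
    return found

def unexpected_exposure(found, baseline):
    """Return open ports absent from baseline, a host -> {(port, proto)} allow-list."""
    return [p for p in found if (p.port, p.proto) not in baseline.get(p.host, set())]

# Constructed allow-list: what each host is supposed to expose.
BASELINE = {"10.0.0.5": {(22, "tcp"), (80, "tcp")},
            "10.0.0.9": {(53, "tcp"), (53, "udp")}}

if __name__ == "__main__":
    for p in unexpected_exposure(parse_grepable(SAMPLE_OG), BASELINE):
        print(f"UNEXPECTED {p.host} {p.port}/{p.proto} {p.service} {p.version}")
```

Run it against real output produced with `nmap -oG scan.gnmap ...` by reading the file into parse_grepable; the two constructed findings it reports are the MySQL and FTP services that the baseline does not allow.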

For subdomain discovery, see the Certificate Transparency Checking page.