Before a penetration test begins, the tester should gather as much information as possible about the target. The more you know upfront, the smoother and more effective the test will be.
Since good information increases the chances of success, this phase deserves plenty of time and attention. This information-gathering process is known as reconnaissance and enumeration.
<aside>
Mission Objectives
- Perform Recon with Nmap
- Perform Enumeration with Nmap
- DNS Enumeration and Reconnaissance
- Perform a Decoy Scan
</aside>
1. Information Gathering Techniques
Before touching the target's network, we use OSINT (Open Source Intelligence) to gather data from public records.
- Passive Reconnaissance: Gathering data without direct interaction.
- WHOIS & DNS: Finding registered owners and subdomains (using Sublist3r or theHarvester).
- Shodan: Searching for internet-connected devices and known vulnerabilities.
- Social Media & Metadata: Scraping LinkedIn for employee names or extracting metadata from public PDFs to find internal naming conventions.
- Active Reconnaissance: Interacting directly with the target infrastructure (e.g., pinging a server).
2. Host and Service Discovery Techniques
Once we move to active scanning, the goal is to map the "Digital Footprint."
- ICMP & ARP Scanning: Identifying live hosts on the network.
- Nmap Mastery: Using different scan types to bypass firewalls.
  - `nmap -sS` (TCP Stealth/SYN Scan)
  - `nmap -sU` (UDP Scan for services like DNS/DHCP)
  - `nmap -sV` (Version detection to find specific software versions)
- Banner Grabbing: Connecting to a port (via Netcat or Telnet) to see what information the service leaks about its version and OS.
3. Enumeration for Attack Planning
Raw data is useless without analysis. This phase involves connecting the dots so you can decide which exploit to attempt.
- Attack Surface Analysis: Identifying which services are most vulnerable (e.g., an outdated web server versus a hardened SSH service).
- Vulnerability Mapping: Matching discovered service versions against known CVEs (Common Vulnerabilities and Exposures).
- Network Topology Mapping: Visualizing how the target's internal network is structured.
4. Enumeration for Specific Assets
- DNS Enumeration: Attempting zone transfers (`dig axfr`) to see the entire internal record list.