Reconnaissance Knowledge Base

Purpose

This knowledge base provides comprehensive reconnaissance methodologies and techniques. It covers information gathering about targets without performing exploitation, including discovering services, versions, technologies, and potential attack vectors.

Tools Available

Network Scanning

• nmap - Port and service discovery
• masscan - Fast port scanning (if speed needed)
• nc (netcat) - Banner grabbing

Web Enumeration

• gobuster - Directory/file brute forcing
• dirb - Alternative directory scanner
• nikto - Web vulnerability scanner
• whatweb - Technology identification
• curl/wget - Manual HTTP interaction

Service Enumeration

• enum4linux - SMB/Samba enumeration
• smbclient - SMB interaction
• showmount - NFS enumeration
• snmpwalk - SNMP enumeration

DNS/Subdomain

• dig - DNS queries
• host - DNS lookups
• nslookup - DNS information

Layered Reconnaissance Strategy

Core Principle: Every reconnaissance task has 3 layers - escalate when previous layer yields insufficient results.

Layer Framework for Each Task:

Layer 1 (Quick & Broad):
  - Fast tools with default parameters
  - Goal: Get initial foothold information
  - Time: 1-5 minutes
  - Example: nmap top 1000 ports, gobuster with small wordlist

Layer 2 (Deep & Intensive):
  - Same tools with aggressive parameters
  - Goal: Extract maximum information from known services
  - Time: 5-30 minutes
  - Example: nmap all ports + version detection, gobuster with large wordlist

Layer 3 (Alternative & Creative):
  - Different tools or manual techniques
  - Goal: Find information that standard tools miss
  - Time: Variable
  - Example: Manual banner grabbing, alternative scanners, custom scripts

Escalation Triggers:

• Layer 1 returns nothing → Escalate to Layer 2
• Layer 2 returns minimal info → Escalate to Layer 3
• Layer 3 still insufficient → Re-evaluate entire approach

Reconnaissance Phases

Phase 1: Port Discovery

Goal: Find all open ports

# Quick scan (top 1000 ports)
nmap -p- --min-rate=1000 -T4 TARGET

# Comprehensive scan (all ports)
nmap -p- -T4 TARGET -oN ports.txt

Output Format:

{
  "ports": [
    {"port": 22, "state": "open", "protocol": "tcp"},
    {"port": 80, "state": "open", "protocol": "tcp"}
  ]
}

Phase 2: Service Detection

Goal: Identify services and versions

# Service version detection
nmap -p22,80,443 -sV -sC -A TARGET -oN services.txt

# Aggressive scan with scripts
nmap -p22,80 -sC -sV --script=default,vuln TARGET

Output Format:

{
  "services": [
    {
      "port": 22,
      "service": "ssh",
      "version": "OpenSSH 7.6p1",
      "os": "Ubuntu Linux"
    },
    {
      "port": 80,
      "service": "http",
      "version": "Apache httpd 2.4.29",
      "technologies": ["PHP/7.2"]
    }
  ]
}

Phase 3: Web Enumeration (if HTTP/HTTPS found)

Goal: Discover hidden files, directories, and web technologies

Layered Web Scanning:

# Layer 1: Quick directory scan
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50

# If Layer 1 finds little/nothing, escalate to Layer 2:
# Layer 2: Deep directory scan with larger wordlist
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak -t 100

# If still insufficient, try Layer 3:
# Layer 3: Alternative tools or techniques
# Option A: Different tool
feroxbuster -u http://TARGET -w /usr/share/wordlists/dirb/common.txt

# Option B: Vulnerability scanner
nikto -h http://TARGET

# Option C: Technology detection
whatweb http://TARGET

# Alternative with larger wordlist
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

# Technology detection
whatweb http://TARGET

# Vulnerability scan
nikto -h http://TARGET

Output Format:

{
  "web": {
    "url": "http://10.10.10.1",
    "technologies": ["Apache/2.4.29", "PHP/7.2", "WordPress 5.0"],
    "directories": [
      "/admin (Status: 403)",
      "/uploads (Status: 301)",
      "/backup (Status: 200)"
    ],
    "files": [
      "/config.php (Status: 200)",
      "/README.txt (Status: 200)"
    ],
    "vulnerabilities": [
      "Outdated WordPress version",
      "Directory listing enabled on /uploads"
    ]
  }
}

Phase 4: Specific Service Enumeration

SMB (Port 139/445)

# Basic enumeration
enum4linux -a TARGET

# List shares
smbclient -L //TARGET -N

# Check for anonymous access
smbmap -H TARGET

FTP (Port 21)

# Check for anonymous login
ftp TARGET
# Try: anonymous / anonymous

# Banner grab
nc TARGET 21

SSH (Port 22)

# Get SSH version and algorithms
ssh -v TARGET

# Check for user enumeration
ssh user@TARGET 2>&1 | grep -i "invalid\|denied"

MySQL/MSSQL (Port 3306/1433)

# Banner grab
nc TARGET 3306

# Test default credentials
mysql -h TARGET -u root -p
# Try common passwords: root, admin, password, ''

Best Practices

1. Structured Output

Always format discoveries in JSON for easy parsing:

# Example: Parse nmap output to JSON
nmap -p- TARGET -oG - | grep "Ports:" | awk '{print $2, $4}' | sed 's/\/open//' | jq -R -s 'split("\n") | map(select(length > 0) | split(" ") | {port: .[1], service: .[0]})'

2. Stealth vs Speed

• For playground environments: Use aggressive scans (-T4, --min-rate=1000)
• For real environments: Use slower, stealthy scans (-T2)

3. Save All Output

# Always save raw output
nmap ... -oN nmap-full.txt -oX nmap-full.xml

# Save discoveries to state file
cat discovered.json >> .pentest-state.json

4. Comprehensive Coverage

Don't miss:

• UDP ports (slower but important): nmap -sU --top-ports 100 TARGET
• All TCP ports: nmap -p- TARGET
• Web directories with multiple wordlists
• Default credentials for all services found

5. Time Management

• Quick initial scan: 5 minutes max
• Comprehensive scan: 15-20 minutes max
• This is a playground, not real-world - speed matters

Common Wordlists

# Small (fast)
/usr/share/wordlists/dirb/common.txt

# Medium (balanced)
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# Large (comprehensive)
/usr/share/wordlists/dirbuster/directory-list-2.3-big.txt

# Specific to web apps
/usr/share/wordlists/wfuzz/general/common.txt

Output Template

After completing reconnaissance, provide summary in this format:

{
  "target": "10.10.10.1",
  "scan_date": "2025-01-15",
  "discovered": {
    "ports": [
      {"port": 22, "service": "ssh", "version": "OpenSSH 7.6p1"},
      {"port": 80, "service": "http", "version": "Apache 2.4.29"}
    ],
    "web": {
      "technologies": ["Apache", "PHP", "WordPress"],
      "interesting_paths": ["/admin", "/uploads", "/wp-admin"],
      "vulnerabilities": ["Outdated WordPress", "Directory listing"]
    },
    "potential_vectors": [
      "File upload via /uploads",
      "WordPress plugin vulnerabilities",
      "SSH password authentication enabled"
    ]
  },
  "recommended_actions": [
    "Test file upload functionality on /uploads",
    "Search for WordPress exploits for version detected",
    "Enumerate WordPress users with wpscan"
  ]
}

Key Principles

1. Thoroughness: Don't miss services or directories
2. Structure: Always output JSON for coordinator to parse
3. Speed: Balance between comprehensive and efficient
4. Context: Provide next-step recommendations
5. No Exploitation: Stay in recon phase, don't test exploits

Handoff to Next Phase

When reconnaissance is complete, provide:

1. Complete service inventory
2. Identified vulnerabilities
3. Recommended exploitation approaches
4. Any discovered credentials/default logins
5. Updated .pentest-state.json

After reconnaissance is sufficient, proceed to the exploitation phase using exploitation knowledge.