Security · Topic 14 of 23 · Part III — Pentesting in depth

Reconnaissance & enumeration in practice

The phase that turns "engagement starts now" into "here is the candidate attack surface" — breadth first, then depth.

Syllabus: PTES §2 (Intelligence Gathering) and §4 (Vulnerability Analysis), as exercised inside a pentest engagement.

Most engagements are won or lost here

By the end of this topic you can:
  • Distinguish passive recon, active recon, and enumeration — and operate within the legal line between them.
  • Build an external attack surface map from OSINT and active discovery.
  • Conduct service enumeration using current tooling.
  • Translate raw enumeration output into a prioritized list of attack candidates.
  • Document recon and enumeration evidence to report standard.

The recon → enumeration spectrum

  1. Passive recon. No packets to the target. OSINT, Shodan, certificate transparency, DNS history, archive.org. No authorization needed beyond normal internet access.
  2. Active recon. First packets to the target. Discovery sweeps, DNS resolution against target servers, banner grabs. Authorization by scope is required.
  3. Enumeration. Deeper probing of identified hosts: service versions, supported protocols, accessible resources, configurations. Still pre-exploitation.

Active recon discovers what is there; enumeration extracts details from each thing that is there. The line is fuzzy in practice; the distinction that matters is authorization.

Building the target picture

External engagement

  • Domains and subdomains owned by the target
  • IP addresses and ranges that host the target
  • Open ports on each host
  • Services and versions behind each port
  • Web content: hostnames, directories, parameters, technologies
  • Identity surfaces: login pages, SSO endpoints, email patterns
  • Third-party dependencies: CDN, WAF, SaaS

Internal / assumed breach

  • Internal subnets reachable
  • File shares, databases, AD, internal web apps
  • Identity environment: users, groups, computers, trusts
  • Config weaknesses: missing patches, default credentials, shared local-admin passwords
Living document: This catalogue evolves throughout testing; the report's methodology section draws directly from it.

Domain & subdomain enumeration

  • Certificate transparency logs. crt.sh, censys.io — near-complete coverage of subdomains that have valid certificates (post-2018 enforcement).
  • Passive DNS aggregators. SecurityTrails, RiskIQ, DNSDB — historical and current records from third-party observers.
  • Brute-force DNS. Candidate names tried against target resolvers: amass, subfinder, dnsrecon with SecLists wordlists.
  • Reverse DNS / ASN lookup. From IPs, identify the owning AS and other IPs the same org owns.
  • Cloud asset discovery. AWS/Azure/GCP hosting patterns — storage bucket names, default DNS entries.
Core toolset: amass (broad, multi-source) · subfinder (fast, source-driven) · dnsrecon (general DNS) · httpx (probe live HTTP services) · dnsx (high-throughput resolution)
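As an added example (not course material and not code from any of the tools above), the scope filter that belongs between a CT-log query and the target catalogue: it takes the JSON shape crt.sh returns, splits the SAN list each record carries, and keeps only names under the in-scope domain. The records, names and dates are constructed; a live run would replace CRTSH_SAMPLE with the body of a crt.sh query.

```python
import json
import re

# Constructed sample of the JSON crt.sh returns for a query such as
# https://crt.sh/?q=%25.example.com&output=json (fields trimmed to those used,
# values made up). example.com is the in-scope domain.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2024-09-01T00:00:00"},
    {"name_value": "*.example.com\nVPN.Example.COM", "not_after": "2025-01-15T00:00:00"},
    {"name_value": "dev.example.com\nstaging.example.com\nexample.com.evil-lookalike.net",
     "not_after": "2023-02-01T00:00:00"},
    {"name_value": "shared.host.example\npartner-example.com", "not_after": "2024-12-01T00:00:00"},
])

HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")

def in_scope(name: str, scope_domain: str) -> bool:
    """True only for the apex or a genuine subdomain of scope_domain. A substring test
    would accept example.com.evil-lookalike.net and partner-example.com; this rejects both."""
    return name == scope_domain or name.endswith("." + scope_domain)

def ct_subdomains(crtsh_json: str, scope_domain: str) -> dict:
    """Collapse crt.sh records into {hostname: latest not_after} plus a wildcard list.
    Wildcards mark a zone to brute-force (amass/dnsrecon), not a host that resolves."""
    hosts: dict = {}
    wildcards = set()
    for record in json.loads(crtsh_json):
        # name_value carries every SAN of the certificate, newline-separated
        for raw in record["name_value"].split("\n"):
            name = raw.strip().lower()        # DNS names are case-insensitive
            if not HOSTNAME_RE.match(name) or not in_scope(name, scope_domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)
                continue
            # keep the latest expiry so names seen only on expired certs can be deprioritised
            hosts[name] = max(hosts.get(name, ""), record["not_after"])
    return {"hosts": hosts, "wildcards": sorted(wildcards)}

if __name__ == "__main__":
    result = ct_subdomains(CRTSH_SAMPLE, "example.com")
    for host, expiry in sorted(result["hosts"].items()):
        print(f"{host:<24} cert valid until {expiry[:10]}")
    print("wildcard zones:", result["wildcards"])
```

The two rejected names are the ones a lazy `"example.com" in name` check would have pulled into scope.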

Network-level discovery & port scanning

Nmap: the standard tester progression.

  1. Host discovery (-sn)
  2. Quick scan (-F)
  3. Full TCP (all 65535 ports)
  4. UDP (DNS, SNMP, NTP…)
  5. Service/version (-sV)
  6. OS detection (-O)
  7. NSE scripts (--script)
Alternatives RustScan (fast discovery, feeds Nmap) · masscan (extreme-speed, large ranges) · naabu · AutoRecon (orchestrates Nmap + per-service scripts)
Rate on production: Aggressive scans can crash fragile/embedded services. Use -T2/-T3 on production; reserve -T4/-T5 for labs. Real attackers don't skip unusual ports — most lazy scans do.

Service enumeration — web & file sharing

HTTP / HTTPS

  • Identify technology. Wappalyzer, httpx -tech-detect, browser dev tools. "Drupal 7" vs. "Spring Boot" reshapes every subsequent step.
  • Content brute-force. ffuf, feroxbuster, gobuster with SecLists. Target: admin interfaces, .bak/.git directories, .env/web.config, Swagger/GraphQL docs.
  • Headers & responses. Server, X-Powered-By, Set-Cookie, CORS settings, error messages, redirects.
  • TLS. testssl.sh, sslyze — supported versions, cipher suites, certificate chain.

SMB / NetBIOS (internal)

  • Enumerate shares. smbclient -L, crackmapexec smb, enum4linux-ng.
  • Null sessions. Whether the server allows unauthenticated SMB queries.
  • SMB signing posture. Relevant to relay attacks.
  • Accessible files. Open shares with sensitive data appear with depressing regularity.

Service enumeration — other protocols

Service (ports) — what to check:

  • Databases (3306, 5432, 1433, 27017, 6379, 9200). Unauthenticated access (Redis/MongoDB/ES defaults), default/weak creds, version for CVEs.
  • SSH (22). Version, config leaks at protocol level; brute-force only if scope explicitly permits.
  • FTP (21). Anonymous access, banner/version — old versions with known issues.
  • SMTP / POP3 / IMAP (25, 465, 587). User enum via VRFY/EXPN, TLS config, open relay if in scope.
  • SNMP (161/UDP). Default community strings (public, private); onesixtyone, snmp-check yield rich system inventory.
  • RDP / VNC (3389, 5900). Internet exposure is itself a finding; NLA posture; version (BlueKeep-era CVEs).
  • Industrial / IoT (502, 47808, 102). Extreme care — standard scans often crash these devices.

Pattern for every service: identify → version → configuration → accessible resources → default-credential check → known weakness.

Network-level inspection — passive sniffing

  • tcpdump / tshark. Universal CLI packet capture; essential for understanding what is on the wire — unencrypted credentials, traffic patterns, service discovery via protocol fingerprints.
  • Wireshark. GUI analysis — deep-dive protocol work, following TCP streams, filtering across large captures.
  • Zeek (formerly Bro). Extracts structured metadata — DNS queries, HTTP headers, TLS certificates — from pcap at scale.

What passive sniffing reveals

  • Plaintext credentials — FTP, HTTP-Basic-Auth, SMTP AUTH, LDAP binds, telnet
  • Service fingerprinting from DHCP, mDNS, SSDP, NTP broadcast traffic
  • API keys and session tokens in unencrypted service-to-service traffic
  • Kerberos / SMB signing patterns revealing domain trust relationships
Scope note: Passive sniffing on a span port or assumed-breach host is standard for internal engagements. Capturing traffic you do not control externally crosses into active injection territory.

Network-level inspection — active spoofing & MitM

Explicit scope authorization required: Injecting packets to redirect traffic is active reconnaissance. Unauthorized ARP spoofing on a production LAN is not a pentest technique — it is sabotage. Rules of Engagement must name the technique, the network segment, and any time constraints.

Techniques

  • ARP spoofing. Gratuitous ARP replies claiming to be the gateway — enables local MitM. Tools: arpspoof, Bettercap, scapy.
  • DNS spoofing. Forged DNS responses to redirect lookups. Tools: dnsspoof, Bettercap.
  • Rogue DHCP. Exhaust DHCP pools or host a rogue server to become the default gateway.

What MitM reveals

  • Plaintext traffic between clients and services
  • Session tokens and credentials in transit
  • TLS cipher weaknesses via SSL stripping
  • Service misconfigurations visible only during modified authentication

Bettercap — modern orchestrator for ARP/DNS spoofing, SSL stripping, and sniffing. mitmproxy — HTTP(S) modification and inspection.

Active Directory enumeration (internal)

On a Windows network, AD is typically the highest-value surface. The targets of enumeration are stable even as tools evolve.

What to look for

  • Misconfigured ACLs on AD objects
  • Unconstrained delegation
  • Kerberoastable accounts (SPNs set on user accounts)
  • Password policies and GPO contents
  • ADCS misconfigurations (certificate template abuse)
  • Trust relationships and attack paths to high-value targets
Key tools: BloodHound + SharpHound / BloodHound.py — graphs trusts, group memberships, sessions and ACLs, and finds attack paths. ldapsearch / ldap3 for raw queries. Impacket (GetUserSPNs, samrdump). adidnsdump, PowerView (legacy).

BloodHound is the "first thing to run" — attack paths are not visible from individual objects; the graph reveals them.

Cloud enumeration & triage

Cloud-specific targets

  • Public storage buckets. S3, Azure Blob, GCS misconfigurations remain frequent.
  • API gateways with overly permissive configuration.
  • OIDC / OAuth misconfigurations — open redirect, weak grant types.
  • Cloud metadata services when accessible from compromised compute.

Tools: ScoutSuite, Prowler, CloudSploit, CloudMapper; Pacu for offensive AWS work.

Translating output → attack candidates

  • Direct. Known exploit, unauthenticated access, default creds
  • Likely. Version near vulnerable; configuration questionable — needs verification
  • Queue. Minor signals; revisit if time remains
  • Defensive. Exposure worth reporting even without exploitation (e.g. RDP to internet)
Discipline: Finish enumeration before exploiting the first attractive finding — a higher-impact path may be one host away.
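An added example, not course material: turning a preserved Nmap XML file into catalogue rows sorted by the four buckets above. The XML, hosts, versions and NSE results are constructed, and the bucketing rules are this example's own reading of the service table (ftp-anon confirmed → Direct, database ports → Likely, RDP/VNC → Defensive, everything else → Queue).

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML in the shape `nmap -sV -sC -oX` writes, trimmed to the elements used
# here; hosts, versions and script results are made up (203.0.113.0/24 is TEST-NET-3).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 203.0.113.0/28">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
 <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
 <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/>
  <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
 <port protocol="tcp" portid="6379"><state state="open"/><service name="redis" product="Redis key-value store" version="6.2.6"/></port>
 <port protocol="tcp" portid="8080"><state state="filtered"/></port>
</ports></host>
</nmaprun>"""

DATABASE_PORTS = {3306, 5432, 1433, 27017, 6379, 9200}
REMOTE_DESKTOP_PORTS = {3389, 5900}
BUCKET_ORDER = {"Direct": 0, "Likely": 1, "Defensive": 2, "Queue": 3}

def triage(port: int, scripts: dict) -> str:
    """Place one open service in the page's four buckets (the rules are this example's)."""
    if "allowed" in scripts.get("ftp-anon", "").lower():
        return "Direct"      # NSE already confirmed unauthenticated access
    if port in REMOTE_DESKTOP_PORTS:
        return "Defensive"   # internet exposure is a finding even if never exploited
    if port in DATABASE_PORTS:
        return "Likely"      # default/unauthenticated access still has to be verified
    return "Queue"

def catalogue(nmap_xml: str) -> list:
    """Flatten open ports into one row per (host, port), most promising bucket first."""
    rows = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue     # filtered/closed ports are noise for triage
            info = getattr(port.find("service"), "attrib", {})   # {} when -sV found nothing
            scripts = {s.get("id"): s.get("output", "") for s in port.iter("script")}
            portid = int(port.get("portid"))
            rows.append({"host": addr, "port": f"{portid}/{port.get('protocol')}",
                         "service": info.get("name", "?"),
                         "version": " ".join(v for v in (info.get("product"), info.get("version")) if v),
                         "bucket": triage(portid, scripts)})
    return sorted(rows, key=lambda r: (BUCKET_ORDER[r["bucket"]], r["host"], r["port"]))
```

Each row is one line of the target catalogue; the bucket field is what decides where exploitation time goes first.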

Documentation discipline

  • Command, target, timestamp, result — captured via script, asciinema, tmux logging, or deliberate real-time notes.
  • Tool outputs preserved. Nmap XML, scanner reports, web crawl results — not just screenshots.
  • Screenshots of key findings at the moment of observation: login pages, admin interfaces, exposed data.
  • Working hypotheses in a live document. What you are verifying, next step if it works, next step if it does not.
Why this matters: This evidence trail is what the report (Topic 22) and legal defence (Topic 05) stand on. Start at minute one — reconstructing at engagement end is unreliable and may not hold up under scrutiny.
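One way to keep the command / target / timestamp / result trail tamper-evident, added here as an example rather than as course-prescribed tooling: a hash-chained log in which every entry commits to the previous entry and to the SHA-256 of the raw tool output. The commands and outputs below are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Append-only, hash-chained evidence log (this example's design, not a named tool).
# Every entry commits to the previous entry's digest, so editing or dropping an
# earlier entry breaks each digest after it; verify() reports where the chain broke.
GENESIS = "0" * 64

def _digest(entry: dict) -> str:
    # canonical JSON (sorted keys) so an entry always hashes the same way
    body = json.dumps({k: v for k, v in entry.items() if k != "digest"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def record(log: list, command: str, target: str, output: bytes, note: str = "", when: str = "") -> dict:
    """Append one command/target/timestamp/result entry. Raw tool output (Nmap XML,
    asciinema cast) is stored by SHA-256 only; keep the file beside the log under that hash."""
    entry = {
        "seq": len(log),
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "command": command,
        "target": target,
        "output_sha256": hashlib.sha256(output).hexdigest(),
        "note": note,
        "prev": log[-1]["digest"] if log else GENESIS,
    }
    entry["digest"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log: list) -> int:
    """Return the seq of the first altered or unlinked entry, or -1 if intact. Truncating
    the tail is not caught by the chain alone: pin the latest digest in the day's notes."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _digest(entry) != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1

if __name__ == "__main__":
    log = []
    record(log, "nmap -sV -oX scan.xml 203.0.113.10", "203.0.113.10", b"<nmaprun/>", "constructed output")
    record(log, "smbclient -L //203.0.113.20 -N", "203.0.113.20", b"Sharename  Type", "constructed output")
    print("intact:", verify(log) == -1)
    log[0]["target"] = "203.0.113.99"           # tamper with an earlier entry
    print("first broken entry:", verify(log))   # -> 0
```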

Check — attack surface from scratch

Scenario

You are given scope: domain example.com only. Walk through the steps to build an external attack surface picture — tools, order, and stopping criteria.

Answer

(1) Passive: crt.sh / amass / subfinder for subdomains; Shodan / Censys for exposed services; archive.org for historical surface. (2) Resolve: httpx / dnsx to find live HTTP hosts and resolve IPs. (3) Active: Nmap against in-scope hosts — host discovery → quick scan → full TCP → service/version → NSE. (4) Per-service: ffuf for web content, smbclient / netexec for SMB, etc. Stop when the next step would touch out-of-scope assets or the recon time-box is reached.

What you take home

  • Passive recon touches no target infrastructure; active recon and enumeration require scope authorization.
  • The target catalogue — subdomains, IPs, ports, services, technologies — is the working document of the engagement.
  • CT logs, passive DNS, Shodan, and ASN lookups give near-complete external passive coverage before the first packet.
  • Nmap's seven-step progression and NSE scripts cover the majority of service enumeration needs.
  • Passive sniffing reveals what port scans cannot; active ARP/DNS spoofing requires explicit scope and RoE language.
  • On AD engagements, BloodHound's graph is the first deliverable; attack paths require the full graph, not individual object queries.
  • Document from minute one — evidence quality determines report quality and legal defensibility.

Next: Topic 15 — Exploitation. Enumeration ends where exploitation begins — the candidate list becomes the strike list.


Breadth first. Then depth.

Build the full picture before you exploit anything.