Port Scanning
nmap techniques: full TCP, UDP, service detection, NSE scripts, and rate tuning
Web Enumeration
Directory and file brute force with ffuf/gobuster, extension sweeps, and API path discovery
Subdomain & DNS
Subdomain enumeration, DNS zone transfer, vhost fuzzing, and reverse DNS
OSINT
Passive recon: search engine dorks, certificate transparency, email harvesting, and LinkedIn
Order of Operations
Run these phases roughly in sequence, but loop back as you find new hosts or services:Never assume the scope is just one IP. Subdomain and port enumeration regularly surfaces additional attack surface not in the original brief.