> ## Documentation Index
> Fetch the complete documentation index at: https://notes.chaelsoo.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Recon & Enumeration

Recon is the foundation of every engagement. The quality of your enumeration directly determines the quality of your attack surface: missed open ports, forgotten vhosts, and unscanned directories are where flags and footholds hide.

<CardGroup cols={2}>
  <Card title="Port Scanning" icon="crosshairs" href="./port-scanning">
    nmap techniques: full TCP, UDP, service detection, NSE scripts, and rate tuning
  </Card>

  <Card title="Web Enumeration" icon="globe" href="./web-enum">
    Directory and file brute force with ffuf/gobuster, extension sweeps, and API path discovery
  </Card>

  <Card title="Subdomain & DNS" icon="magnifying-glass" href="./subdomain-dns">
    Subdomain enumeration, DNS zone transfer, vhost fuzzing, and reverse DNS
  </Card>

  <Card title="OSINT" icon="eye" href="./osint">
    Passive recon: search engine dorks, certificate transparency, email harvesting, and LinkedIn
  </Card>
</CardGroup>

## Order of Operations

Run these phases roughly in sequence, but loop back as you find new hosts or services:

<Steps>
  <Step title="Port scan all TCP (full range)">
    ```bash wrap theme={"theme":{"light":"night-owl","dark":"night-owl"}}
    nmap -p- --min-rate 5000 -T4 <IP> -oN nmap/full.txt
    ```
  </Step>

  <Step title="Service and version detection on open ports">
    ```bash wrap theme={"theme":{"light":"night-owl","dark":"night-owl"}}
    nmap -sV -sC -p <ports> <IP> -oN nmap/targeted.txt
    ```
  </Step>

  <Step title="Web enumeration on every HTTP/HTTPS port">
    ```bash wrap theme={"theme":{"light":"night-owl","dark":"night-owl"}}
    ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
    ```
  </Step>

  <Step title="Subdomain and vhost discovery for web targets">
    ```bash wrap theme={"theme":{"light":"night-owl","dark":"night-owl"}}
    ffuf -u http://<IP> -H "Host: FUZZ.<domain>" \
      -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
      -fs <default_size>
    ```
  </Step>

  <Step title="OSINT for credential leads and exposed infrastructure">
    Check certificate transparency logs, search engine dorks, and LinkedIn before active scanning completes.
  </Step>
</Steps>

<Note>
  Never assume the scope is just one IP. Subdomain and port enumeration regularly surfaces additional attack surface not in the original brief.
</Note>
