Recon is the foundation of every engagement. The quality of your enumeration directly determines the quality of your attack surface: missed open ports, forgotten vhosts, and unscanned directories are where flags and footholds hide.

Port Scanning

nmap techniques: full TCP, UDP, service detection, NSE scripts, and rate tuning

Web Enumeration

Directory and file brute force with ffuf/gobuster, extension sweeps, and API path discovery

Subdomain & DNS

Subdomain enumeration, DNS zone transfer, vhost fuzzing, and reverse DNS

OSINT

Passive recon: search engine dorks, certificate transparency, email harvesting, and LinkedIn

Order of Operations

Run these phases roughly in sequence, but loop back as you find new hosts or services:

1. Port scan all TCP (full range)

   nmap -p- --min-rate 5000 -T4 <IP> -oN nmap/full.txt

2. Service and version detection on open ports

   nmap -sV -sC -p <ports> <IP> -oN nmap/targeted.txt

   <ports> is the comma-separated list of open ports taken from nmap/full.txt.

3. Web enumeration on every HTTP/HTTPS port

   ffuf -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

4. Subdomain and vhost discovery for web targets

   ffuf -u http://<IP> -H "Host: FUZZ.<domain>" \
     -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -fs <default_size>

   <default_size> is the response size the server returns for an unknown Host header; -fs filters those catch-all responses so only vhosts that answer differently are shown.

5. OSINT for credential leads and exposed infrastructure

   Check certificate transparency logs, search engine dorks, and LinkedIn before active scanning completes.

Never assume the scope is just one IP. Subdomain and port enumeration regularly surfaces additional attack surface not in the original brief.
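Steps 1 to 3 above hand results from one tool to the next by hand: the open ports from nmap/full.txt become the -p list for the targeted scan, and the HTTP-ish ones become ffuf targets. The following added example (not part of the original page) parses nmap's -oN normal output to produce both lists; the scan text is a constructed sample, not a real scan, and the host IPs in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -p- -oN nmap/full.txt` normal output (not a real scan).
SAMPLE_NMAP_ON = """\
# Nmap 7.94 scan initiated as: nmap -p- --min-rate 5000 -T4 -oN nmap/full.txt 10.10.10.5 10.10.10.6
Nmap scan report for 10.10.10.5
Host is up (0.045s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   open     https
3306/tcp  open     mysql
8080/tcp  open     http-proxy
8443/tcp  filtered https-alt

Nmap scan report for 10.10.10.6
Host is up (0.031s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
8000/tcp open  http-alt
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# Service labels nmap assigns that mark a port for web enumeration (step 3).
WEB_HINTS = {"http", "https", "http-proxy", "http-alt", "https-alt"}

def parse_nmap_on(text):
    """Return {host: [(port, proto, state, service), ...]} from -oN output."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)  # a new "scan report" block starts a new host
            continue
        m = PORT_RE.match(line)
        if m and current:  # header/"Not shown" lines do not match the port pattern
            hosts[current].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return dict(hosts)

def open_ports(text, host):
    """Comma-separated open ports, ready for `nmap -sV -sC -p <ports>` (step 2)."""
    return ",".join(str(p) for p, _, state, _ in parse_nmap_on(text).get(host, []) if state == "open")

def web_ports(text, host):
    """Open ports nmap labelled as HTTP-like: the ffuf targets for step 3."""
    return [p for p, _, state, svc in parse_nmap_on(text).get(host, []) if state == "open" and svc in WEB_HINTS]

if __name__ == "__main__":
    for host in parse_nmap_on(SAMPLE_NMAP_ON):
        print(host, "open:", open_ports(SAMPLE_NMAP_ON, host), "web:", web_ports(SAMPLE_NMAP_ON, host))
```

Filtered ports (8443 above) are deliberately left out of both lists; they still belong in the attack-surface notes but are not worth a service scan until a route to them is found.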