Advanced Reconnaissance Lab
Comprehensive information gathering and target profiling exercise
Intermediate Level Lab
Lab Overview
This lab focuses on reconnaissance techniques and the information-gathering methodology that underpins every security assessment. You'll learn professional approaches to target enumeration, vulnerability identification, and spotting potential initial access vectors.
Professional Security Assessment
While this lab teaches reconnaissance fundamentals, enterprise security assessments require comprehensive expertise and professional methodologies. For organizations in Portugal seeking thorough security evaluations, Pentesting.pt provides expert security assessment services following industry best practices.
Learning Objectives
- Master passive information gathering techniques (OSINT)
- Develop expertise in active scanning and enumeration
- Learn service-specific enumeration methodologies
- Understand DNS reconnaissance and subdomain discovery
- Build comprehensive target profiling skills
- Create actionable intelligence reports
Essential Tools & Security
- Scope: the passive phases may query public third-party services; the active phases in this lab run only against the lab's designated range. Outside the lab, active scanning requires written permission from the system owner.
- Source address: on real engagements, scan from an IP address agreed with the client (a VPN endpoint or a dedicated jump host) so your traffic can be distinguished from genuine attacks and allow-listed where needed.
- Privacy: a VPN with a no-logs policy hides your own location and ISP from the OSINT services you query; it does not make active scanning anonymous to the target, which still sees and can block the VPN's exit address.
- Performance: scanning through a congested VPN slows Nmap and Masscan considerably; use a fast endpoint or a host inside the agreed source range.
Target Environment
Reconnaissance Target: TechCorp Industries
- Primary Domain: techcorp-industries.com
- Network Range: 203.0.113.0/24 (example range)
- Organization: Mid-size technology company
- Services: Web applications, email, VPN, file sharing
- Social Media: Active LinkedIn, Twitter, Facebook presence
- Public Records: SEC filings, press releases, job postings
Reconnaissance Arsenal
OSINT Tools
- theHarvester: Email and subdomain harvesting
- Maltego: Link analysis and visualization
- Shodan: Internet device discovery
- Recon-ng: Web reconnaissance framework
Active Scanning
- Nmap: Network discovery and service detection
- Masscan: High-speed port scanning
- Nuclei: Vulnerability scanning
- AutoRecon: Automated multi-service enumeration
Specialized Enumeration
- dnsrecon: DNS enumeration
- Sublist3r: Subdomain discovery
- enum4linux: SMB enumeration
- snmpwalk: SNMP enumeration
Lab Phases
Phase 1: Passive OSINT Collection
Gather intelligence without directly interacting with target systems.
- Google dorking and search engine reconnaissance
- Social media intelligence gathering
- Public document metadata extraction
- Job posting analysis for technology stack
Phase 2: DNS & Subdomain Enumeration
Comprehensive DNS reconnaissance and subdomain discovery.
- DNS record analysis (A, AAAA, MX, TXT, NS)
- Zone transfer attempts
- Subdomain brute forcing
- Certificate transparency log analysis
Phase 3: Network Discovery
Active network scanning and host discovery.
- Network range identification
- Live host discovery
- Port scanning and service detection
- Operating system fingerprinting
Phase 4: Service Enumeration
Deep enumeration of discovered services and applications.
- Web application technology stack analysis
- Directory and file enumeration
- Database service enumeration
- Network service banner grabbing
Phase 5: Intelligence Analysis
Synthesize collected information into actionable intelligence.
- Attack surface mapping
- Vulnerability assessment prioritization
- Potential attack vector identification
- Comprehensive intelligence reporting
Detailed Scenarios
Scenario 1: Google Dorking & OSINT
Objective: Gather maximum intelligence using passive techniques only.
Tasks
- Identify employee names and email patterns
- Discover technology stack through job postings
- Extract metadata from public documents
- Map organizational structure via LinkedIn
- Identify potential security contacts
Google Dorks Examples
site:techcorp-industries.com filetype:pdf
"techcorp-industries.com" inurl:admin
intext:"@techcorp-industries.com"
site:pastebin.com "techcorp"
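To make the "email pattern" task concrete, here is an added Python example (not part of the original lab material) that infers an organisation's naming convention from a few addresses found in document metadata or press pages, then generates candidate addresses for employees whose address was never published. All names and addresses are constructed for the fictional techcorp-industries.com target; the set of conventions in PATTERNS is this example's own list.

```python
"""Infer an organisation's e-mail naming convention from a few observed
addresses and generate candidates for other known employees.

Added example for this lab, not code from the original page.  All names and
addresses below are constructed for the fictional techcorp-industries.com
target used throughout the lab.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Candidate conventions, keyed by the label you would use in the report.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}


def split_name(full_name: str) -> Tuple[str, str]:
    """'Ana Maria Costa' -> ('ana', 'costa'): lower-case, ASCII letters only,
    first and last token (middle names are dropped)."""
    tokens = [re.sub(r"[^a-z]", "", t.lower()) for t in full_name.split()]
    tokens = [t for t in tokens if t]
    return tokens[0], tokens[-1]


def infer_pattern(observed: Dict[str, str]) -> Optional[str]:
    """Return the convention that reproduces the most observed local parts,
    or None if no candidate matches anything.  A single outlier (an alias,
    a name collision) does not change the result."""
    scores = {label: 0 for label in PATTERNS}
    for full_name, email in observed.items():
        local = email.split("@", 1)[0].lower()
        first, last = split_name(full_name)
        for label, fn in PATTERNS.items():
            if fn(first, last) == local:
                scores[label] += 1
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def generate(names: List[str], domain: str, pattern: str) -> List[str]:
    """Candidate addresses for people whose address has not been seen."""
    fn = PATTERNS[pattern]
    return [f"{fn(*split_name(n))}@{domain}" for n in names]


# Constructed sample: addresses recovered from PDF metadata and a press page.
OBSERVED = {
    "Ana Costa": "ana.costa@techcorp-industries.com",
    "Bruno Silva": "bruno.silva@techcorp-industries.com",
    "Ricardo Santos": "rsantos@techcorp-industries.com",  # outlier / alias
}
# Constructed sample: names from LinkedIn and job postings, address unknown.
UNSEEN = ["Carla Mendes", "Diogo Pereira"]

if __name__ == "__main__":
    convention = infer_pattern(OBSERVED)
    print("inferred convention:", convention)
    for candidate in generate(UNSEEN, "techcorp-industries.com", convention):
        print(candidate)
```

The generated addresses are hypotheses, not findings: confirm them against other passive sources (breach-data search, further document metadata) rather than by sending mail, which would turn this passive step into an active one.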
Scenario 2: DNS Reconnaissance Deep Dive
Objective: Comprehensive DNS analysis and subdomain discovery.
Tasks
- Perform comprehensive DNS record analysis
- Attempt zone transfers on all nameservers
- Brute force subdomains using multiple wordlists
- Analyze certificate transparency logs
- Map DNS infrastructure and relationships
Key Commands
dig +noall +answer techcorp-industries.com NS
dig +noall +answer techcorp-industries.com MX
dig +noall +answer techcorp-industries.com TXT
dig @<nameserver> techcorp-industries.com AXFR
dnsrecon -d techcorp-industries.com -t std,axfr
sublist3r -d techcorp-industries.com
amass enum -passive -d techcorp-industries.com
Query record types individually rather than relying on `dig any`: many authoritative servers now answer ANY with a minimal or empty response (RFC 8482). Run the AXFR request against every server listed in the NS records; a refused transfer is the expected result, a successful one is a finding in itself.
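Certificate transparency logs are usually the highest-yield passive source in this phase. Below is an added Python example (not code from the page or from crt.sh) that parses a crt.sh JSON export of the kind returned by https://crt.sh/?q=%25.techcorp-industries.com&output=json, de-duplicates the SAN entries, discards wildcards and out-of-scope lookalike names, and separates hostnames seen only on expired certificates, which often point at decommissioned or forgotten hosts worth checking in Phase 3. The JSON is a constructed sample in crt.sh's shape with fictional hostnames; feed in the real export when you run the query yourself.

```python
"""Pull candidate subdomains out of a crt.sh JSON export.

Added example for this lab, not code from the page or from crt.sh.  The
JSON below is a constructed sample in the shape returned by
https://crt.sh/?q=%25.techcorp-industries.com&output=json ; every hostname
in it is fictional.
"""
import json
from datetime import datetime
from typing import Dict, Set

SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.techcorp-industries.com",
     "name_value": "www.techcorp-industries.com\ntechcorp-industries.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2025-01-10T23:59:59"},
    {"id": 2, "common_name": "*.techcorp-industries.com",
     "name_value": "*.techcorp-industries.com\nvpn.techcorp-industries.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2025-03-01T23:59:59"},
    {"id": 3, "common_name": "staging-old.techcorp-industries.com",
     "name_value": "staging-old.techcorp-industries.com",
     "not_before": "2021-05-01T00:00:00", "not_after": "2022-05-01T23:59:59"},
    {"id": 4, "common_name": "Mail.TechCorp-Industries.com",
     "name_value": "Mail.TechCorp-Industries.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T23:59:59"},
    # A lookalike that a naive substring match would wrongly pull into scope.
    {"id": 5, "common_name": "techcorp-industries.com.lookalike-example.net",
     "name_value": "techcorp-industries.com.lookalike-example.net",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T23:59:59"},
])


def in_scope(host: str, domain: str) -> bool:
    """True only for the apex or a real subdomain, never a substring match."""
    return host == domain or host.endswith("." + domain)


def ct_subdomains(raw_json: str, domain: str, as_of_iso: str) -> Dict[str, Set[str]]:
    """Return {'live': names on at least one unexpired certificate,
    'expired_only': names seen only on certificates expired before as_of}.
    Expired-only names often point at decommissioned or forgotten hosts."""
    domain = domain.lower()
    as_of = datetime.fromisoformat(as_of_iso)
    live: Set[str] = set()
    seen: Set[str] = set()
    for entry in json.loads(raw_json):
        expired = datetime.fromisoformat(entry["not_after"]) < as_of
        # name_value holds every SAN on the certificate, newline separated.
        for raw in entry["name_value"].split("\n"):
            host = raw.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]  # a wildcard proves the zone exists, not a host
            if not host or not in_scope(host, domain):
                continue
            seen.add(host)
            if not expired:
                live.add(host)
    return {"live": live, "expired_only": seen - live}


if __name__ == "__main__":
    result = ct_subdomains(SAMPLE_CRTSH_JSON, "techcorp-industries.com",
                           "2024-09-01T00:00:00")
    for bucket, hosts in result.items():
        print(bucket)
        for h in sorted(hosts):
            print("  ", h)
```

Resolve both buckets afterwards: a name that no longer resolves but once carried a certificate belongs in the report as a historical asset, and a name that still resolves despite its certificates having lapsed is a strong candidate for an unmaintained service.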
Scenario 3: Network & Service Discovery
Objective: Map the complete network infrastructure and identify all running services.
Tasks
- Identify the complete network range
- Discover all live hosts
- Perform comprehensive port scanning
- Identify service versions and banners
- Fingerprint operating systems
Scanning Strategy
- TCP SYN scan (nmap -sS) as the default: half-open connections are faster and leave fewer application-level log entries than full connects, but they are still visible to any network IDS
- UDP scan for missed services
- Service version detection
- OS fingerprinting techniques
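Added Python example (not the page's own code) for turning Nmap grepable output, as written by a scan such as `nmap -sS -sV -oG scan.gnmap 203.0.113.0/24`, into the per-host service inventory the report needs, together with a short "review first" list. The scan text is a constructed sample in Nmap's -oG format for the fictional lab range; the triage table is this example's own rule of thumb (cleartext and legacy administrative protocols, exposed SMB/RDP), not a standard.

```python
"""Turn Nmap grepable output into a service inventory and a short
'review first' list.

Added example for this lab, not code from the page or from Nmap.  The scan
text below is a constructed sample in the -oG format written by e.g.
    nmap -sS -sV -oG scan.gnmap 203.0.113.0/24
Each Ports entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version/
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Service(NamedTuple):
    host: str
    port: int
    proto: str
    name: str
    version: str


SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample, fictional lab range)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 203.0.113.25 ()\tStatus: Up
Host: 203.0.113.25 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds//Windows Server 2008 R2/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 203.0.113.40 ()\tPorts: 161/open/udp//snmp//SNMPv1 server/
# Nmap done (constructed sample)
"""

# port/state/proto/owner/service/rpc/version/ ; this sample has no slash inside a field
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Triage rule of thumb used by this example (not a standard): cleartext or
# legacy administrative protocols and exposed Windows file sharing go first.
REVIEW_FIRST: Dict[Tuple[str, int], str] = {
    ("tcp", 21): "FTP: cleartext credentials; test anonymous login",
    ("tcp", 23): "Telnet: cleartext remote shell",
    ("tcp", 445): "SMB exposed: enumerate shares and users (enum4linux)",
    ("tcp", 3389): "RDP exposed to the scanned range",
    ("udp", 161): "SNMP: try default community strings (snmpwalk)",
}


def parse_gnmap(text: str) -> List[Service]:
    """Open ports only; filtered and closed entries are dropped."""
    services: List[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            if state != "open":
                continue
            services.append(Service(host, int(port), proto, name, version.strip()))
    return services


def by_host(services: List[Service]) -> Dict[str, List[Service]]:
    """Service inventory grouped per host, for the report appendix."""
    inventory: Dict[str, List[Service]] = {}
    for s in services:
        inventory.setdefault(s.host, []).append(s)
    return inventory


def triage(services: List[Service]) -> List[Tuple[Service, str]]:
    """Services matching the REVIEW_FIRST rule, in scan order."""
    return [(s, REVIEW_FIRST[(s.proto, s.port)])
            for s in services if (s.proto, s.port) in REVIEW_FIRST]


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for host, svcs in by_host(found).items():
        print(host)
        for s in svcs:
            print(f"  {s.port}/{s.proto:<4} {s.name:<14} {s.version}")
    print("\nreview first:")
    for s, why in triage(found):
        print(f"  {s.host}:{s.port}/{s.proto}  {why}")
```

Parsing the machine-readable output instead of reading the console listing keeps the inventory reproducible between scan runs; the same approach works for the -oX XML output with the standard library's xml.etree if you need the OS-fingerprint fields as well.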
Scenario 4: Web Application Reconnaissance
Objective: Comprehensive web application discovery and technology analysis.
Tasks
- Identify all web applications and vhosts
- Analyze technology stack and frameworks
- Discover hidden directories and files
- Enumerate API endpoints
- Identify potential admin interfaces
Web Recon Tools
gobuster dir -u http://target -w wordlist
whatweb http://target
nikto -h http://target
wfuzz -w wordlist --hc 404 -u http://target/FUZZ
Advanced Techniques
Stealth Considerations
- Rate limiting and timing delays
- User agent randomization
- Proxy chain utilization
- Distributed scanning techniques
Data Correlation
- Cross-referencing multiple sources
- Timeline analysis
- Relationship mapping
- Pattern recognition
Automation Techniques
- Custom script development
- API integration
- Workflow automation
- Data parsing and analysis
Expected Deliverables
Comprehensive Reconnaissance Report
Your final deliverable should include a professional intelligence report containing:
- Executive Summary: Key findings and risk assessment
- Target Profile: Organizational structure and technology stack
- Network Infrastructure: Complete network topology mapping
- Service Inventory: All discovered services and versions
- Attack Surface Analysis: Potential entry points and vulnerabilities
- Risk Prioritization: Ranked threat assessment
- Recommendations: Security improvement suggestions
- Appendices: Technical data and supporting evidence
Professional Tips
Expert Reconnaissance Methodologies
- Systematic Approach: Follow structured methodologies
- Detailed Documentation: Record every source and finding
- Iterative Process: Build on previous discoveries
- Time Management: Balance depth with breadth
- OPSEC Awareness: Minimize detection footprint
- Data Validation: Verify information accuracy
- Source Correlation: Cross-reference multiple sources
- Visualization: Create clear and actionable reports
Knowledge Validation
Post-Lab Assessment
Test your reconnaissance mastery with these questions:
- What is the difference between passive and active reconnaissance?
- How can certificate transparency logs aid in subdomain discovery?
- What are the OPSEC considerations for active scanning?
- How would you identify potential email addresses without contacting the target?
- What information can be extracted from DNS records beyond IP addresses?
- How can social media be leveraged for reconnaissance without alerting targets?
- What are the limitations of automated reconnaissance tools?
- How do you prioritize discovered attack surfaces?
Advanced Applications
Red Team Operations
- Long-term target profiling
- Social engineering preparation
- Infrastructure mapping
- Operational planning
Threat Intelligence
- Adversary profiling
- Attack pattern analysis
- Indicator collection
- Threat landscape mapping
Bug Bounty Hunting
- Scope boundary identification
- Asset discovery
- Technology stack analysis
- Attack surface enumeration
Lab Completion Checklist
Verify comprehensive reconnaissance: ensure all phases were completed successfully.
- Conducted thorough OSINT collection
- Completed comprehensive DNS reconnaissance
- Mapped entire network infrastructure
- Enumerated all discoverable services
- Analyzed web applications and technology stacks
- Correlated information from multiple sources
- Prioritized attack surface and risks
- Created professional intelligence report
Estimated Time: 4-6 hours for complete reconnaissance
Frequently Asked Questions
What is the Reconnaissance Lab?
A hands-on environment to practice reconnaissance and OSINT skills for penetration testing.
What skills can I develop here?
You will learn intelligence gathering, mapping targets, and OSINT techniques.
Who should use this lab?
Anyone interested in reconnaissance, OSINT, or penetration testing.