Reconnaissance & Enumeration
Information gathering and target analysis - The cornerstone of successful penetration testing
Intermediate Level
Overview
Reconnaissance and enumeration form the foundation of any successful penetration test. This phase involves gathering as much information as possible about the target through both passive and active techniques. Mastering these skills will significantly improve your success rate in later exploitation phases.
Learning Objectives
- Master passive information gathering techniques
- Develop expertise in active scanning and enumeration
- Learn service-specific enumeration methodologies
- Understand DNS reconnaissance and subdomain discovery
- Build comprehensive target profiling skills
- Develop OSINT and social media intelligence capabilities
Passive Information Gathering
OSINT Fundamentals
Open Source Intelligence (OSINT) gathering uses publicly available information without interacting directly with the target.
- Google dorking and advanced search operators
- Social media intelligence (SOCMINT)
- Public records and data breach databases
- Threat intelligence platforms
DNS Reconnaissance
Passive DNS analysis and subdomain discovery without triggering security alerts.
- DNS record analysis (A, AAAA, MX, TXT)
- Subdomain enumeration with passive sources
- Certificate transparency logs
- Historical DNS data analysis
Website Analysis
Analyzing target websites and web infrastructure without active scanning.
- Technology stack identification
- Web archive analysis (Wayback Machine)
- JavaScript and source code review
- Metadata extraction from documents
Active Scanning
Nmap Mastery
Advanced Nmap techniques for port scanning and service detection.
- TCP SYN, Connect, and UDP scanning
- Stealth scanning techniques
- NSE script categories and custom scripts
- Timing and performance optimization
Masscan & Fast Scanning
High-speed port scanning for large networks and internet-wide scanning.
- Masscan configuration and optimization
- Rate limiting and stealth considerations
- Integration with other tools
- Large-scale network discovery
Custom Scanner Development
Building custom scanners for specific scenarios and protocols.
- Python socket programming
- Multi-threaded scanning techniques
- Protocol-specific scanners
- Banner grabbing and fingerprinting
Service Enumeration
Web Service Enumeration
Comprehensive web application and service discovery.
- Directory and file discovery (dirb, gobuster)
- Virtual host discovery
- Technology fingerprinting
- API endpoint discovery
SMB/NetBIOS Enumeration
Windows network service enumeration and null session attacks.
- SMB version detection and vulnerabilities
- Share enumeration and access testing
- User and group enumeration
- Registry and RPC enumeration
SNMP Enumeration
Simple Network Management Protocol reconnaissance and exploitation.
- Community string bruteforcing
- MIB tree traversal
- Network device information gathering
- SNMP v1/v2c/v3 differences
Database Enumeration
SQL Database Discovery
Identifying and enumerating SQL database services.
- MySQL, PostgreSQL, MSSQL detection
- Default credential testing
- Version enumeration and vulnerability assessment
- Database-specific enumeration techniques
NoSQL Database Enumeration
Modern NoSQL database discovery and assessment.
- MongoDB, Redis, Elasticsearch detection
- Authentication bypass techniques
- Data structure analysis
- NoSQL injection testing
Cloud Database Services
Cloud-hosted database identification and security assessment.
- AWS RDS, Azure SQL, GCP Cloud SQL
- Misconfiguration identification
- IAM and access control analysis
- Database backup and snapshot analysis
Hands-on Lab: Complete Reconnaissance Challenge
Objective: Perform comprehensive reconnaissance on a target network using both passive and active techniques.
Duration: 4-6 hours
Skills Practiced: OSINT, Nmap scanning, service enumeration, reporting
Essential Tools
Passive Reconnaissance Tools
- theHarvester: Email and subdomain gathering
- Shodan: Internet-connected device discovery
- Censys: Internet scanning and analysis
- Maltego: Link analysis and visualization
- Recon-ng: Web reconnaissance framework
Active Scanning Tools
- Nmap: Network discovery and security auditing
- Masscan: High-speed port scanner
- ZMap: Internet-wide network scanner
- RustScan: Modern port scanner
- Nuclei: Vulnerability scanner
Enumeration Frameworks
- enum4linux: SMB enumeration tool
- gobuster: Directory/file/DNS bruteforcer
- ffuf: Fast web fuzzer
- dnsenum: DNS enumeration tool
- AutoRecon: Automated reconnaissance
Recommended Resources
- OSINT Techniques by Michael Bazzell - Comprehensive OSINT methodology
- Nmap Network Scanning - Official Nmap guide by Gordon Lyon
- The Web Application Hacker's Handbook - Web enumeration techniques
- Penetration Testing: A Hands-On Introduction to Hacking - Practical reconnaissance
- Shodan Search Engine Guide - Internet device discovery
Certification Alignment
eJPT & eCPPTv2 Requirements
This reconnaissance module covers essential certification topics:
- Information Gathering and Vulnerability Assessment
- Network Security and Protocol Analysis
- Web Application Penetration Testing
- Reporting and Documentation
Frequently Asked Questions
What is reconnaissance in cybersecurity?
Reconnaissance is the process of gathering information about a target system or organization to identify potential attack vectors.
What skills are covered in this roadmap?
You will learn OSINT, DNS enumeration, passive and active information gathering, and more.
Who should use this roadmap?
Anyone interested in penetration testing, red teaming, or cybersecurity research.