📡 Recon & Scanning
Initial reconnaissance and port scanning methodology. Run these first on every target.
NETWORK SCANNING
Quick TCP scan (top 1000)
Start here. Default scripts (-sC) plus version detection (-sV) on nmap's 1000 most common TCP ports; the nmap/ output directory has to exist — Find open ports quickly
mkdir -p nmap && nmap -sC -sV -oN nmap/initial $IP
Example Output
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1
80/tcp open http Apache 2.4.29
443/tcp open ssl/http Apache 2.4.29
Full TCP port scan
Run in the background while you enumerate the quick-scan results; -sV and -sC only fire on open ports, so the cost is the 65535-port sweep itself — Don't miss high ports
nmap -p- -sC -sV -oN nmap/full $IP
Example Output
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8443/tcp open https-alt
10000/tcp open webmin
UDP scan (top 20)
UDP is slow and needs raw sockets (run as root). Top 20 catches SNMP, TFTP, DNS. Expect open|filtered where nothing answers; only a reply or an ICMP port-unreachable settles the state — SNMP and TFTP are common wins
sudo nmap -sU --top-ports 20 -oN nmap/udp $IP
Example Output
PORT STATE SERVICE
53/udp open domain
69/udp open tftp
161/udp open snmp
Aggressive scan on specific ports
After finding ports, dig deeper — OS detection (-O, needs root or it is silently skipped), version detection, default scripts, traceroute
sudo nmap -A -p 80,443,8080 -oN nmap/targeted $IP
Example Output
nmap -A -p 80,443 10.10.10.5
PORT STATE SERVICE VERSION
80/tcp open http Apache 2.4.29
|_http-title: My Website
OS: Linux 4.15
Traceroute: 1 hop
Vulnerability scan
Run against interesting services. NSE vuln scripts cover a fixed set of known issues, some are intrusive, and a VULNERABLE result still needs manual confirmation — Quick CVE check
nmap --script vuln -p <ports> $IP
Example Output
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution
| State: VULNERABLE
| Risk factor: HIGH
Rustscan (fast alternative)
Scans all 65535 ports fast, then hands the open ones to nmap with whatever follows --. Very high rates can drop ports on slow or rate-limited links; lower the batch size (-b) or re-check with a plain nmap -p- if the list looks thin — Faster than nmap full scan
rustscan -a $IP -- -sC -sV
Example Output
rustscan -a 10.10.10.5 -- -sC -sV
Open 10.10.10.5:22
Open 10.10.10.5:80
Open 10.10.10.5:8443
(All 65535 ports scanned in 3 seconds)
SERVICE VERSION RESEARCH
Google each service + version
Include version numbers — Known CVEs are free wins
Search: "Apache 2.4.49 exploit"
Example Output
Search result: 'Apache 2.4.49 - Path Traversal & RCE (CVE-2021-41773)'
Exploit-DB: https://www.exploit-db.com/exploits/50383
SearchSploit
Check for public exploits — Local copy of Exploit-DB; searchsploit -x <id> reads an entry, searchsploit -m <id> copies it into the working directory
searchsploit apache 2.4.49
Example Output
Apache 2.4.49 - Path Traversal | exploits/multiple/webapps/50383.sh
(A separate search, searchsploit vsftpd 2.3.4, returns the classic backdoor entry: vsftpd 2.3.4 - Backdoor | exploits/unix/remote/49757.py)
Check exploit-db.com
More detail than searchsploit — Proof of concepts available
Browse exploit-db for service version
Example Output
https://www.exploit-db.com/exploits/50383
Apache 2.4.49 - Path Traversal
Verified: Yes | Author: n/a
Type: webapps | Platform: Multiple
(Download exploit, read the code first)
Check CVE databases
Official CVE details — Severity scores, affected versions
Google: site:nvd.nist.gov <service> <version>
Example Output
NVD: CVE-2021-41773
CVSS Score: 7.5 (HIGH)
Affected: Apache 2.4.49 only (the 2.4.50 fix was incomplete and is tracked separately as CVE-2021-42013)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (network, low complexity, no privileges or user interaction)
(Confirms severity and affected versions)
Check GitHub for PoCs
Maintained PoCs with usage instructions are common here, but anyone can publish a repo and fake or backdoored PoCs exist; read the code before you run it — Working PoCs with instructions
Search: "<CVE-XXXX-XXXX> exploit github"
Example Output
github.com search: CVE-2021-41773
Result: 47 repositories
Top: nuclei-templates/cves/2021/CVE-2021-41773.yaml
(A nuclei detection template rather than a standalone exploit: nuclei -u http://$IP -t <that template> confirms the bug; pick a PoC repo for exploitation and read it first)
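Putting the two sections together: the two-stage TCP workflow from NETWORK SCANNING (full port sweep first, -sC -sV only on the ports that are open) feeding straight into the SearchSploit lookup from SERVICE VERSION RESEARCH. This is an added example, not part of the original cheat sheet. It assumes nmap and searchsploit are on PATH for a live run; the grepable-output line it parses is constructed for the demo, not a real scan result, and the file names under nmap/ are my choice.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): a two-stage TCP workflow that
# parses nmap's grepable output (-oG) so the slow -sC -sV pass only touches open
# ports, then feeds each service/version string to searchsploit.
# Assumes nmap and searchsploit are installed when scan_target runs live; the
# parsing functions are exercised below on a constructed sample line.
set -eu

# Constructed sample of one "Host:" line as nmap -sV -oG writes it (not a real scan).
# Per-port field layout: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 443/open/tcp//ssl|http//Apache httpd 2.4.29 ((Ubuntu))/, 8443/filtered/tcp//https-alt///\tIgnored State: closed (996)')

# open_ports: read grepable output on stdin, print the open ports as "22,80,443".
# Filtered and closed ports are dropped, which is exactly what the targeted scan wants.
open_ports() {
  grep -o '[0-9][0-9]*/open/[a-z]*' | cut -d/ -f1 | sort -un | paste -s -d, -
}

# service_versions: one "port service version" line per open port. The
# parenthesised extra info nmap appends (OS hint, protocol) is stripped so the
# remaining words make a usable searchsploit query. Caveat: a version string that
# itself contains a comma or a slash would be split wrongly by this simple parser.
service_versions() {
  sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' \
  | tr ',' '\n' \
  | grep '/open/' \
  | awk -F'/' '{
      sub(/^[ \t]+/, "", $1)        # leading space left after the comma separator
      sub(/ *\(.*\)/, "", $7)       # drop "(Ubuntu Linux; protocol 2.0)" and the like
      printf "%s %s %s\n", $1, $5, $7
    }'
}

# scan_target IP: stage 1 finds every open TCP port without scripts, stage 2 runs
# -sC -sV only on those ports, then each version string is looked up in the local
# exploit database. Output lands under nmap/ like the rest of the cheat sheet.
# --min-rate 1000 speeds up the sweep; drop it on fragile links if ports go missing.
scan_target() {
  ip=$1
  mkdir -p nmap
  nmap -p- --min-rate 1000 -oG nmap/allports.gnmap -oN nmap/allports "$ip" >/dev/null
  ports=$(open_ports < nmap/allports.gnmap)
  [ -n "$ports" ] || { echo "no open TCP ports on $ip" >&2; return 1; }
  nmap -sC -sV -p "$ports" -oG nmap/targeted.gnmap -oN nmap/targeted "$ip" >/dev/null
  service_versions < nmap/targeted.gnmap | while read -r port svc ver; do
    echo "== $port ($svc): $ver"
    # shellcheck disable=SC2086  # unquoted on purpose: each word is a search term
    searchsploit $ver || true
  done
}

# Scan a real target only when an IP is given; otherwise demonstrate the parsers
# on the constructed sample.
if [ "$#" -gt 0 ]; then
  scan_target "$1"
else
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports          # 22,80,443
  printf '%s\n' "$SAMPLE_GNMAP" | service_versions
fi
```

Run it as `./recon.sh 10.10.10.5` for a live target; with no argument it only parses the sample. Keeping the port list in grepable output rather than eyeballing the normal output is what lets the second stage (and the searchsploit loop) run unattended.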