📡 Recon & Scanning

Initial reconnaissance and port scanning methodology. Run these first on every target.


NETWORK SCANNING

Quick TCP scan (top 1000)

Start here. Fast results. Without -p this covers nmap's default top 1000 TCP ports, with default scripts and version probes; create the nmap/ output directory first or -oN fails — Find open ports quickly

nmap -sC -sV -oN nmap/initial $IP
Example Output
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1
80/tcp  open  http     Apache httpd 2.4.29
443/tcp open  ssl/http Apache httpd 2.4.29

Full TCP port scan

Run in background while enumerating initial results. Scripts and version probes against all 65535 ports are slow; a discovery-only -p- scan followed by -sC -sV on just the open ports finishes far sooner — Don't miss high ports

nmap -p- -sC -sV -oN nmap/full $IP
Example Output
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8443/tcp  open  https-alt
10000/tcp open  webmin

UDP scan (top 20)

UDP is slow and needs root. Top 20 catches SNMP, TFTP, DNS. A port that never answers shows as open|filtered, which is not confirmed open; confirm with -sV or a service-specific query — SNMP and TFTP are common wins

nmap -sU --top-ports 20 -oN nmap/udp $IP
Example Output
PORT    STATE         SERVICE
53/udp  open          domain
69/udp  open|filtered tftp
161/udp open          snmp

Aggressive scan on specific ports

After finding ports, dig deeper. -A bundles -O, -sV, -sC and --traceroute; OS detection needs root — OS detection, scripts, traceroute

nmap -A -p 80,443,8080 -oN nmap/targeted $IP
Example Output
PORT    STATE SERVICE VERSION
80/tcp  open  http    Apache httpd 2.4.29
|_http-title: My Website
OS details: Linux 4.15
TRACEROUTE: 1 hop

Vulnerability scan

Run against interesting services, together with -sV so version-dependent scripts have data to work with. The vuln category includes intrusive checks, so expect noise on the target side and some false positives; confirm every hit by hand — Quick CVE check

nmap --script vuln -p <ports> $IP
Example Output
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution
|   State: VULNERABLE
|   Risk factor: HIGH

Rustscan (fast alternative)

Scans all 65535 ports fast and hands the open ones to nmap; everything after -- is passed to nmap unchanged. It is very noisy and the default batch size can overwhelm fragile hosts or trip rate limiting, so lower it with -b if results look incomplete — Faster than nmap full scan

rustscan -a $IP -- -sC -sV
Example Output
Open 10.10.10.5:22
Open 10.10.10.5:80
Open 10.10.10.5:8443
(All 65535 ports scanned in 3 seconds)
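
The scanning steps above, combined into one script as an added example (not code from the original sheet). It runs a discovery-only full TCP sweep, parses the open ports out of nmap's greppable output, and only then runs scripts and version probes on those ports plus the UDP top 20. It assumes nmap and sudo are available; the nmap/ directory, the --min-rate value and the output file names are choices made here, not from the page.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): the scanning steps as one script.
# Order matters: discover ports first WITHOUT -sC/-sV (fast), then run scripts and
# version probes only on the ports that are actually open.

# Extract open TCP ports from an nmap greppable (-oG) file as "22,80,8443".
# Only "/open/" counts; "open|filtered" (no reply, typical of UDP) is deliberately excluded.
open_ports_from_gnmap() {
    grep -oE '[0-9]+/open/' "$1" | cut -d/ -f1 | sort -n -u | paste -sd, -
}

recon() {
    local ip="$1"
    mkdir -p nmap
    # 1. Full TCP range, no scripts, raised packet rate (assumed value): minutes, not hours.
    #    -oA writes .nmap/.gnmap/.xml so the greppable file exists for parsing.
    sudo nmap -p- --min-rate 1000 -oA "nmap/full-$ip" "$ip"
    local ports
    ports=$(open_ports_from_gnmap "nmap/full-$ip.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $ip" >&2
        return 1
    fi
    echo "open TCP ports: $ports"
    # 2. Default scripts + version detection only on the discovered ports.
    sudo nmap -sC -sV -p "$ports" -oA "nmap/targeted-$ip" "$ip"
    # 3. UDP top 20 (raw sockets, hence root). Treat open|filtered as unconfirmed.
    sudo nmap -sU --top-ports 20 -oA "nmap/udp-$ip" "$ip"
}

# Run only when a target is given on the command line, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    recon "$1"
fi
```

Usage: `./recon.sh 10.10.10.5`. The greppable parser is what makes the hand-off work: it ignores `open|filtered` entries, so nothing unconfirmed is fed into the slower scripted scan.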

SERVICE VERSION RESEARCH

Google each service + version

Include version numbers. Banners can mislead: distributions backport fixes without bumping the version, so an Apache 2.4.29 on Ubuntu may already carry the patch for a CVE fixed upstream in a later release; check the distro changelog before relying on a CVE — Known CVEs are free wins

Search: "Apache 2.4.49 exploit"
Example Output
Search result: 'Apache 2.4.49 - Path Traversal & RCE (CVE-2021-41773)'
Exploit-DB: https://www.exploit-db.com/exploits/50383

SearchSploit

Check for public exploits. Every term must match the entry title, so search the product word plus version and widen to "apache 2.4" if nothing hits; -x reads an entry, -m copies it to the current directory — Local exploit database

searchsploit apache 2.4.49
Example Output
 Exploit Title                                                           |  Path
------------------------------------------------------------------------- ------------------------------
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | multiple/webapps/50383.sh

Check exploit-db.com

More detail than searchsploit — Proof of concepts available

Browse exploit-db for service version
Example Output
https://www.exploit-db.com/exploits/50383
Apache 2.4.49 - Path Traversal
Verified: Yes | Author: n/a
Type: webapps | Platform: Multiple
(Download the exploit and read every line before running it: check what it connects to, what it writes, and whether any payload is obfuscated)

Check CVE databases

Official CVE details — Severity scores, affected versions

Google: site:nvd.nist.gov <service> <version>
Example Output
NVD: CVE-2021-41773
CVSS v3.1: 7.5 (HIGH)
Affected: Apache 2.4.49 (the 2.4.50 fix was incomplete; see CVE-2021-42013)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(Confirms severity and affected versions)

Check GitHub for PoCs

Often has newer PoCs than exploit-db, but nothing is vetted: fake PoC repositories that carry malware are common, so read the code before running it and prefer maintained projects — Working PoCs with instructions

Search: "<CVE-XXXX-XXXX> exploit github"
Example Output
github.com search: CVE-2021-41773
Result: 47 repositories
Top: nuclei-templates/cves/2021/CVE-2021-41773.yaml
(A nuclei template only detects the issue; scan the other results for a working PoC with usage instructions)
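
The version research steps above, as an added example (not code from the original sheet): read the saved nmap -oN report, pull out each open service's banner, and turn it into the queries the steps describe. It assumes searchsploit is installed; the query-string form of the NVD search URL is an assumption, and the banner-to-search-term reduction is a heuristic chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): turn a saved nmap -sV report (-oN)
# into version-research queries, one per open service that reported a banner.

# Print "<port> <banner>" for each open port whose line carries a version string.
# Nmap -oN lines look like:   80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
# Parenthesised trailers such as "(Ubuntu Linux; protocol 2.0)" are dropped.
service_versions_from_nmap() {
    awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && NF >= 4 {
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            sub(/ *\(.*$/, "", ver)
            if (ver != "") print $1, ver
        }' "$1"
}

# Reduce "Apache httpd 2.4.29" to "apache 2.4.29". searchsploit requires every term to
# match the title, so the banner word "httpd" would hide "Apache HTTP Server 2.4.x"
# entries; keep the first word and the first version-looking token (7.6p1, 2.4.29).
# Returns 1 when the banner carries no version at all.
searchsploit_term() {
    local banner="$1" product version
    product=$(printf '%s\n' "$banner" | awk '{print tolower($1)}')
    version=$(printf '%s\n' "$banner" | grep -oE '[0-9]+(\.[0-9]+)+[0-9a-z]*' | head -n 1)
    [ -n "$version" ] || return 1
    printf '%s %s\n' "$product" "$version"
}

# Usage: research nmap/initial   (an -oN file written by the scans in this sheet)
research() {
    service_versions_from_nmap "$1" | while read -r port banner; do
        echo "== $port: $banner"
        term=$(searchsploit_term "$banner") || { echo "   no version in banner, skipping"; continue; }
        # Local database; -w prints exploit-db.com URLs instead of local paths.
        # $term is intentionally unquoted so "apache 2.4.29" becomes two search terms.
        searchsploit -w $term
        # NVD keyword search (assumption: the query-string form of NVD's basic search).
        echo "   NVD: https://nvd.nist.gov/vuln/search/results?query=$(printf '%s' "$term" | tr ' ' '+')"
    done
}

if [ "$#" -ge 1 ]; then
    research "$1"
fi
```

The banner is printed in full before the reduced term on purpose: the distro suffix that the search term drops (`Ubuntu 4ubuntu0.3`) is exactly what you need when checking whether a CVE was backported.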