| name | reconnaissance-knowledge |
| description | Comprehensive knowledge about network reconnaissance and service enumeration. Provides methodologies for port scanning, service fingerprinting, web directory discovery, and vulnerability identification. Includes best practices for structured data collection. |
Reconnaissance Knowledge Base
Purpose
This knowledge base provides comprehensive reconnaissance methodologies and techniques. It covers information gathering about targets without performing exploitation, including discovering services, versions, technologies, and potential attack vectors.
Tools Available
Network Scanning
nmap - Port and service discovery
masscan - Fast port scanning (if speed needed)
nc (netcat) - Banner grabbing
Web Enumeration
gobuster - Directory/file brute forcing
dirb - Alternative directory scanner
nikto - Web vulnerability scanner
whatweb - Technology identification
curl/wget - Manual HTTP interaction
Service Enumeration
enum4linux - SMB/Samba enumeration
smbclient - SMB interaction
showmount - NFS enumeration
snmpwalk - SNMP enumeration
DNS/Subdomain
dig - DNS queries
host - DNS lookups
nslookup - DNS information
Layered Reconnaissance Strategy
Core Principle: Every reconnaissance task has 3 layers - escalate when previous layer yields insufficient results.
Layer Framework for Each Task:
Layer 1 (Quick & Broad):
- Fast tools with default parameters
- Goal: Get initial foothold information
- Time: 1-5 minutes
- Example: nmap top 1000 ports, gobuster with small wordlist
Layer 2 (Deep & Intensive):
- Same tools with aggressive parameters
- Goal: Extract maximum information from known services
- Time: 5-30 minutes
- Example: nmap all ports + version detection, gobuster with large wordlist
Layer 3 (Alternative & Creative):
- Different tools or manual techniques
- Goal: Find information that standard tools miss
- Time: Variable
- Example: Manual banner grabbing, alternative scanners, custom scripts
Escalation Triggers:
- Layer 1 returns nothing → Escalate to Layer 2
- Layer 2 returns minimal info → Escalate to Layer 3
- Layer 3 still insufficient → Re-evaluate entire approach
Reconnaissance Phases
Phase 1: Port Discovery
Goal: Find all open ports
nmap -p- --min-rate=1000 -T4 TARGET
nmap -p- -T4 TARGET -oN ports.txt
Output Format:
{
"ports": [
{"port": 22, "state": "open", "protocol": "tcp"},
{"port": 80, "state": "open", "protocol": "tcp"}
]
}
Phase 2: Service Detection
Goal: Identify services and versions
nmap -p22,80,443 -sV -sC -A TARGET -oN services.txt
nmap -p22,80 -sC -sV --script=default,vuln TARGET
Output Format:
{
"services": [
{
"port": 22,
"service": "ssh",
"version": "OpenSSH 7.6p1",
"os": "Ubuntu Linux"
},
{
"port": 80,
"service": "http",
"version": "Apache httpd 2.4.29",
"technologies": ["PHP/7.2"]
}
]
}
Phase 3: Web Enumeration (if HTTP/HTTPS found)
Goal: Discover hidden files, directories, and web technologies
Layered Web Scanning:
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -t 50
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak -t 100
feroxbuster -u http://TARGET -w /usr/share/wordlists/dirb/common.txt
nikto -h http://TARGET
whatweb http://TARGET
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
whatweb http://TARGET
nikto -h http://TARGET
Output Format:
{
"web": {
"url": "http://10.10.10.1",
"technologies": ["Apache/2.4.29", "PHP/7.2", "WordPress 5.0"],
"directories": [
"/admin (Status: 403)",
"/uploads (Status: 301)",
"/backup (Status: 200)"
],
"files": [
"/config.php (Status: 200)",
"/README.txt (Status: 200)"
],
"vulnerabilities": [
"Outdated WordPress version",
"Directory listing enabled on /uploads"
]
}
}
Phase 4: Specific Service Enumeration
SMB (Port 139/445)
enum4linux -a TARGET
smbclient -L //TARGET -N
smbmap -H TARGET
FTP (Port 21)
ftp TARGET
nc TARGET 21
SSH (Port 22)
ssh -v TARGET
ssh user@TARGET 2>&1 | grep -i "invalid\|denied"
MySQL/MSSQL (Port 3306/1433)
nc TARGET 3306
mysql -h TARGET -u root -p
Best Practices
1. Structured Output
Always format discoveries in JSON for easy parsing:
nmap -p- TARGET -oG - | grep "Ports:" | awk '{print $2, $4}' | sed 's/\/open//' | jq -R -s 'split("\n") | map(select(length > 0) | split(" ") | {port: .[1], service: .[0]})'
2. Stealth vs Speed
- For playground environments: Use aggressive scans (
-T4, --min-rate=1000)
- For real environments: Use slower, stealthy scans (
-T2)
3. Save All Output
nmap ... -oN nmap-full.txt -oX nmap-full.xml
cat discovered.json >> .pentest-state.json
4. Comprehensive Coverage
Don't miss:
- UDP ports (slower but important):
nmap -sU --top-ports 100 TARGET
- All TCP ports:
nmap -p- TARGET
- Web directories with multiple wordlists
- Default credentials for all services found
5. Time Management
- Quick initial scan: 5 minutes max
- Comprehensive scan: 15-20 minutes max
- This is a playground, not real-world - speed matters
Common Wordlists
/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
/usr/share/wordlists/wfuzz/general/common.txt
Output Template
After completing reconnaissance, provide summary in this format:
{
"target": "10.10.10.1",
"scan_date": "2025-01-15",
"discovered": {
"ports": [
{"port": 22, "service": "ssh", "version": "OpenSSH 7.6p1"},
{"port": 80, "service": "http", "version": "Apache 2.4.29"}
],
"web": {
"technologies": ["Apache", "PHP", "WordPress"],
"interesting_paths": ["/admin", "/uploads", "/wp-admin"],
"vulnerabilities": ["Outdated WordPress", "Directory listing"]
},
"potential_vectors": [
"File upload via /uploads",
"WordPress plugin vulnerabilities",
"SSH password authentication enabled"
]
},
"recommended_actions": [
"Test file upload functionality on /uploads",
"Search for WordPress exploits for version detected",
"Enumerate WordPress users with wpscan"
]
}
Key Principles
- Thoroughness: Don't miss services or directories
- Structure: Always output JSON for coordinator to parse
- Speed: Balance between comprehensive and efficient
- Context: Provide next-step recommendations
- No Exploitation: Stay in recon phase, don't test exploits
Handoff to Next Phase
When reconnaissance is complete, provide:
- Complete service inventory
- Identified vulnerabilities
- Recommended exploitation approaches
- Any discovered credentials/default logins
- Updated
.pentest-state.json
After reconnaissance is sufficient, proceed to the exploitation phase using exploitation knowledge.