| name | pentest-recon |
| description | Reconnaissance and information gathering tool reference. Covers nmap (port scanning, service detection, NSE scripts), whatweb, enum4linux, nbtscan, whois, dig, and on-demand tools (masscan, recon-ng, theHarvester, fierce, dnsenum, amass, subfinder). Use for any recon phase of a penetration test.
|
| version | 2.0.0 |
| triggers | ["recon","reconnaissance","nmap","port scan","host discovery","service detection","whatweb","enum4linux","whois","dig","masscan","subdomain","enumeration"] |
Reconnaissance — Tool Reference
Nmap — Network Mapper
Host Discovery
nmap -sn <target>/24
nmap -PR -sn <target>/24
nmap -PS22,80,443 -PA80,443 -sn <target>/24
Port Scanning
nmap -sV <target>
nmap -sV -sC -O -p- <target>
nmap -sS -Pn <target>
nmap -A -T4 <target>
nmap -sV -p 21,22,80,443,445,3306,8080 <target>
nmap -sU --top-ports 100 <target>
nmap -Pn -F <target>
nmap -sS -T2 -p- --max-retries 1 --min-rate 100 <target>
NSE Vulnerability Scripts
nmap --script vuln -p <ports> <target>
nmap --script http-enum,http-headers,http-methods,http-title -p 80,443 <target>
nmap --script ssl-enum-ciphers,ssl-cert -p 443 <target>
nmap --script smb-vuln*,smb-os-discovery,smb-enum-shares -p 445 <target>
nmap --script ssh-auth-methods,ssh2-enum-algos -p 22 <target>
nmap --script dns-zone-transfer -p 53 --script-args dns-zone-transfer.domain=<domain> <target>
nmap --script ftp-anon -p 21 <target>
nmap --script mysql-info,mysql-enum,mysql-empty-password -p 3306 <target>
nmap -sC -sV -p <ports> <target>
Output Formats
nmap -sV -sC -oA /tmp/scan <target>
nmap -sV -oX /tmp/scan.xml <target>
nmap -sV -oG /tmp/scan.gnmap <target>
Firewall Evasion
nmap -sS -f <target>
nmap -sS --mtu 24 <target>
nmap -sS -D RND:10 <target>
nmap -sS --spoof-mac 0 <target>
nmap -sS -f --mtu 24 --data-length 100 -D RND:10 --spoof-mac 0 <target>
Whatweb — Web Fingerprinting
whatweb <target>
whatweb -a 3 <target>
whatweb -v <target>
whatweb -i targets.txt
whatweb --log-json=/tmp/whatweb.json <target>
Enum4linux — SMB/Samba Enumeration
enum4linux -a <target>
enum4linux -U <target>
enum4linux -S <target>
enum4linux -P <target>
enum4linux -o <target>
enum4linux -u <user> -p <pass> -a <target>
Nbtscan — NetBIOS Scanner
nbtscan <target>/24
nbtscan -v <target>/24
nbtscan -h <target>/24
WHOIS / DNS
whois <domain>
whois <ip>
dig +short <domain> A
dig +short <domain> MX
dig +short <domain> NS
dig +short <domain> TXT
dig +short <domain> ANY
dig +short -x <ip>
dig axfr @<nameserver> <domain>
dig <domain> ANY +noall +answer
On-Demand Recon Tools
Install when needed: apt-get update && apt-get install -y <package>
Masscan — High-Speed Port Scanner
masscan -p1-65535 <target>/24 --rate=1000
masscan -p80,443 <target>/24 --banners -oJ /tmp/masscan.json
Recon-ng — OSINT Framework
recon-ng
theHarvester — Email/Subdomain Harvester
theHarvester -d <domain> -b google,bing,linkedin -l 500
theHarvester -d <domain> -b all -f /tmp/harvest.html
Fierce — DNS Reconnaissance
fierce --domain <domain>
fierce --domain <domain> --subdomains www,mail,ftp,admin
Dnsenum — DNS Enumeration
dnsenum <domain>
dnsenum --enum <domain> -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Tool Selection Guide
| Situation | Best Tool |
|---|
| Don't know what's running | nmap -sV --top-ports 1000 <target> |
| Need all ports fast | masscan -p1-65535 <target> --rate=1000 |
| Web server fingerprint | whatweb -a 3 <target> |
| Windows/SMB target | enum4linux -a <target> |
| DNS/subdomain recon | fierce --domain <domain> or dnsenum |
| Email/people OSINT | theHarvester -d <domain> -b all |
| Full OSINT framework | recon-ng |
| NetBIOS names on subnet | nbtscan <range>/24 |