Network Reconnaissance and Host Discovery
Passive vs. Active Reconnaissance Methodologies
Network reconnaissance begins with a critical decision: how visible do you want to be? Passive reconnaissance collects intelligence without ever touching the target's infrastructure. You mine public records, DNS registries, certificate transparency logs, and social media. This phase leaves zero footprints in target logs and is ideal when stealth is paramount—red team engagements, competitive intelligence, or pre-engagement scoping.
Active reconnaissance directly interacts with target systems: probing ports, sending crafted packets, and measuring responses. It yields precise, real-time data but generates detectable noise. Firewall logs, IDS alerts, and SOC playbooks are designed to catch these probes.
| Scenario | Preferred Approach | Rationale |
|---|---|---|
| External red team, assumed breach unknown | Passive first, then active | Build target list without early detection |
| Internal network audit, authorized access | Active, full throttle | Time-boxed, permission granted, maximize coverage |
| Bug bounty, production environment | Passive-heavy, selective active | Minimize disruption to live services |
| Incident response, threat actor infrastructure | Active, aggressive | Speed outweighs stealth; adversary already aware |
The mature operator treats these as complementary phases. Passive intelligence narrows the active scope; active results validate and enrich passive findings.
The Nmap Scripting Engine: Precision Service Enumeration
Nmap transcends basic port scanning through its Scripting Engine (NSE). With 600+ scripts in the default distribution, NSE transforms Nmap from a port scanner into an application-aware reconnaissance platform. Scripts execute during the scan phase, probing discovered services for version accuracy, vulnerability indicators, and configuration drift.
Timing templates control the trade-off between speed and detectability:
| Template | Flag | Behavior | Use Case |
|---|---|---|---|
| Paranoid | -T0 | Serial scan, 5-minute timeout between probes | IDS-evasion, single target, extreme stealth |
| Sneaky | -T1 | 15-second intervals | Slow, evasive scans |
| Polite | -T2 | 400ms delays, lowers bandwidth | Avoid disrupting fragile targets |
| Normal | -T3 | Default, balanced | Standard engagements |
| Aggressive | -T4 | 1-second timeouts, parallel probes | Fast networks, reliable infrastructure |
| Insane | -T5 | 500ms timeouts, maximum parallelism | Local networks, bandwidth tolerance |
Evasion techniques become necessary when standard scans trigger defenses:
```bash
# Fragmented packets to evade simple pattern matching. --mtu already implies
# fragmentation (do not combine it with -f); the value must be a multiple of 8.
sudo nmap --mtu 24 target.example.com
# Decoy scan: appear to originate from multiple IPs
sudo nmap -D RND:10,ME,8.8.8.8 target.example.com
# Spoof source port (leverage trust in DNS responses)
sudo nmap --source-port 53 target.example.com
# Combine with NSE for deep service probing. vulners needs -sV version data,
# and its CVSS floor is set with the vulners.mincvss script argument.
sudo nmap -sS -sV -T2 -f -D RND:5,ME --script=banner,vulners \
    --script-args vulners.mincvss=7.0 \
    -p- -oA target_full_scan target.example.com
```
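The detection-side view of the three evasion tricks above, as an added example that is not from the page or from the Nmap project: the log lines are constructed in an iptables-style key=value layout, and the thresholds (five distinct ports, three sources) are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (iptables-style SRC/DST/SPT/DPT/FLAGS fields).
SAMPLE_LOGS = """\
SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=53 DPT=22 FLAGS=SYN
SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=53 DPT=80 FLAGS=SYN
SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=53 DPT=443 FLAGS=SYN
SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=53 DPT=8080 FLAGS=SYN
SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=53 DPT=8443 FLAGS=SYN
SRC=198.51.100.21 DST=203.0.113.9 PROTO=TCP SPT=41000 DPT=22 FLAGS=SYN
SRC=198.51.100.21 DST=203.0.113.9 PROTO=TCP SPT=41001 DPT=443 FLAGS=SYN
SRC=198.51.100.22 DST=203.0.113.9 PROTO=TCP SPT=52000 DPT=22 FLAGS=SYN
SRC=198.51.100.22 DST=203.0.113.9 PROTO=TCP SPT=52001 DPT=443 FLAGS=SYN
SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=33000 DPT=22 FLAGS=SYN
SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=33001 DPT=443 FLAGS=SYN
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+) FLAGS=(\S+)")

def parse_logs(text):
    """Return (src, dst, proto, spt, dpt, flags) tuples; unparseable lines are skipped."""
    return [(m[1], m[2], m[3], int(m[4]), int(m[5]), m[6])
            for m in (LOG_RE.search(line) for line in text.splitlines()) if m]

def detect_sweeps(events, min_ports=5):
    """Sources that SYN-probed at least `min_ports` distinct ports on one destination."""
    seen = defaultdict(set)
    for src, dst, proto, _spt, dpt, flags in events:
        if proto == "TCP" and flags == "SYN":
            seen[(src, dst)].add(dpt)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

def detect_trusted_source_ports(events, ports=(53,)):
    """TCP SYNs *from* a DNS port: a DNS reply never opens a TCP connection, so this is --source-port abuse."""
    return sorted({src for src, _dst, proto, spt, _dpt, flags in events
                   if proto == "TCP" and flags == "SYN" and spt in ports})

def detect_decoy_groups(events, min_sources=3):
    """Several sources probing the identical port set on one host is the decoy-scan pattern; report the group."""
    ports_by = defaultdict(set)
    for src, dst, proto, _spt, dpt, flags in events:
        if proto == "TCP" and flags == "SYN":
            ports_by[(dst, src)].add(dpt)
    groups = defaultdict(list)
    for (dst, src), ports in ports_by.items():
        groups[(dst, tuple(sorted(ports)))].append(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}
```

Because the decoy group shares timing and port set, the analyst triages the group as one event and uses the sweep and source-port findings to pick out the host that also misbehaves elsewhere.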
Output formats for tool chaining matter enormously in multi-tool workflows:
- `-oN` (Normal): Human-readable, grep-friendly
- `-oX` (XML): Parsed by Metasploit, Dradis, custom pipelines
- `-oG` (Grepable): Line-per-host, ideal for `awk` extraction
- `-oA` (All): Generates all three formats simultaneously
Convert XML to actionable JSON for downstream automation:
```bash
nmap-parse-output nmap-scan.xml host-ports-protocol > targets.json
```
Masscan: Internet-Scale Port Scanning
When the scope spans entire ASNs or country-level IP ranges, Masscan replaces Nmap. Its asynchronous architecture sends probes at the kernel's maximum rate without waiting for responses. A single Masscan instance can saturate a 10Gbps link, scanning the entire IPv4 space for a single port in under five minutes.
The architectural insight: Masscan reimplements its own TCP/IP stack in user space. It bypasses the kernel's connection tracking, eliminating bottlenecks. This same feature requires careful interface configuration:
```bash
# Scan the 192.0.2.0/24 range across all ports at 100,000 packets/second.
# Because Masscan runs its own TCP stack, the interface/source-IP setup noted
# above is needed so the kernel does not reset the connections --banners opens.
sudo masscan 192.0.2.0/24 -p0-65535 \
    --max-rate 100000 \
    --randomize-hosts \
    --banners \
    -oL masscan-results.txt
```
Critical: avoiding ISP abuse alerts. Masscan's speed triggers automated abuse detection. Mitigation strategies:
- Rate enforcement: `--max-rate` below your provider's threshold (typically 10,000 pps for commercial circuits)
- Exclusion files: Maintain `--excludefile` with known honeypots, law enforcement ranges, and critical infrastructure
- Timestamp spreading: Use `--shard` and `--seed` for distributed scanning across multiple sources and time windows
- Banners cautiously: `--banners` requires stateful TCP; enable only after initial port discovery narrows scope
For responsible large-scale reconnaissance, prefer sharding over speed:
```bash
# Split scan across 10 instances, each handling one shard
sudo masscan 192.0.2.0/24 -p443 --shard 1/10 --seed 2024
sudo masscan 192.0.2.0/24 -p443 --shard 2/10 --seed 2024
# ... etc
```
OSINT Integration: theHarvester, Shodan, and Maltego
Modern reconnaissance splices automated OSINT gathering with technical scanning.
theHarvester aggregates email addresses, subdomains, hosts, and employee names from search engines, certificate databases, and social platforms:
```bash
theHarvester -d subsidiary.example.com -b all -f harvester_output
# Sources: Bing, Google, DuckDuckGo, Baidu, LinkedIn, CRT.sh, Shodan
```
Shodan provides historical and current Internet-wide service fingerprints. Its query language (apache city:"Singapore" ssl:"Example Corp") identifies exposed assets without direct scanning. The Shodan CLI integrates into automation:
```bash
shodan search --fields ip_str,port,org,ssl.cert.subject.cn \
    "org:'Example Subsidiary LLC' apache"
```
Maltego visualizes these relationships. Transform hubs connect DNS records to netblocks, WHOIS registrars to associated domains, and email addresses to breach data. The value is emergent: a single domain pivot reveals infrastructure patterns—hosting providers, CDN usage, certificate authorities—that predict target architecture.
Effective OSINT workflow: theHarvester discovers subdomains; Shodan confirms live services with vulnerable versions; Maltego maps organizational relationships to prioritize which subsidiary or acquisition presents the weakest entry point.
Diagramming Attack Surface and Prioritizing Targets
Raw scan output demands synthesis. Attack surface diagramming transforms IP lists into strategic intelligence.
Progressive discovery methodology builds understanding layer by layer:
- Organizational boundary: WHOIS, business registries, SEC filings
- Network allocation: RIPE/ARIN queries map ASN to IP ranges
- Infrastructure fingerprint: CDN, cloud provider, hosting geography
- Live host confirmation: ICMP, TCP SYN, application-layer probes
- Service depth: Version enumeration, default credential testing, configuration analysis
Worked Example: Reconnaissance Against Subsidiary Corp
Target: subsidiary.example.com, recently acquired division of Example Corp, rumored to have integrated new cloud infrastructure without a security review.
Phase 1: Passive foundation
```bash
# WHOIS reveals registrant and name servers
whois subsidiary.example.com | grep -E "Registrant|Name Server|Creation Date"
# ASN mapping traces upstream: an inverse origin lookup returns route objects,
# whereas the !g query form prints bare prefixes with nothing for grep to match
whois -h whois.radb.net -- '-i origin AS64500' | grep -E '^route6?:'
# Certificate Transparency logs expose pre-production hosts (the wildcard
# must be sent as %25 so it survives URL decoding)
curl -s "https://crt.sh/?q=%25.subsidiary.example.com&output=json" | \
    jq -r '.[].name_value' | sort -u
```
Output: 47 unique subdomains, including dev.subsidiary.example.com, mail.subsidiary.example.com, and legacy-vpn.subsidiary.example.com.
Phase 2: Active confirmation with stealth
```bash
# Nmap with paranoid timing against high-value discovery
sudo nmap -sS -T1 -Pn -p22,80,443,8080,8443 \
    -f --source-port 53 \
    --script=ssl-cert,http-title,ssh-hostkey \
    -iL live-hosts.txt -oA phase2_stealth
```
Phase 3: Internet-scale confirmation with Masscan
```bash
# Masscan the announced /22 at conservative rate
sudo masscan 203.0.113.0/22 -p0-65535 \
    --max-rate 5000 \
    --banners \
    --excludefile exclude-reserved.txt \
    -oL masscan_phase3.txt
```
Masscan identifies 312 live hosts, 14 with non-standard SSH ports, 3 with Telnet exposed.
Phase 4: OSINT correlation
```bash
# Shodan historical data for the ASN
shodan stats --facets port,product,os "net:203.0.113.0/22"
# Maltego transform: domain -> netblock -> related organizations
# Reveals shared hosting with unrelated healthcare entity
```
Phase 5: Prioritization matrix
| Target | Services | Risk Indicators | Priority |
|---|---|---|---|
| dev.subsidiary.example.com | 80,443,3306,6379 | MySQL and Redis exposed, no WAF | P1 |
| legacy-vpn.subsidiary.example.com | 443,22 | End-of-life OpenSSL version | P1 |
| mail.subsidiary.example.com | 25,587,993 | Standard config, recent patches | P3 |
| Shared hosting neighbor | 80,443 | Healthcare data, compliance risk | P2 (lateral) |
The dev environment's database exposure and the VPN's outdated TLS stack become initial access candidates. The shared hosting neighbor, discovered through ASN pivoting, presents a compliance-amplified lateral movement path if direct compromise proves difficult.
This structured progression—from passive intelligence through controlled active confirmation to prioritized target selection—ensures each subsequent penetration testing phase operates against validated, understood infrastructure rather than assumptions.