Night’s lights flicker behind the glass and steel of the server farms. Hum hum hum, the routers breathe, packets pulse in veins of copper and fibre. Somewhere, a proxy snarls alive, VPNs arc like electric veins under flickering neon. In this cathedral of code and metal, you are both pilgrim and predator, breathing in the ozone scent of routers warmed by power supplies, staring at blinking LEDs like distant constellations.

You slip inside, heart hammering as you tail the shadows of traffic. TCP SYNs crack open doors; DNS whispers secrets. Firewalls hiss like guardians, routers roll by like roadblocks. You are Recon , reconnaissance in the digital underground , seizing glimpses of the target’s midnight spine. This is where maps are drawn in packets, and vulnerability is carved in the seams of misconfigurations and open ports. You want to know what lies beneath that corporate shell, the soft spots hidden in log files, in protocols misused, in VPNs poorly anchored. So you learn, you probe, you watch, and you survive.

1. Reconnaissance: The Mindset

Before keystrokes and port scans there is mindset. Recon is as much art as science. You assume nothing. You observe. You sketch mental maps of networks and paths. You think like the defender, but act like the trespasser, only with ethics and legality in your tools.

• Be curious. Invisible network segments, odd exposed services, legacy systems, you want to know them all.
• Be patient. Recon is often noise reduction: filtering out what’s irrelevant, spotting anomalies.
• Be methodical. Every scan, every packet, must serve a purpose: footprinting, mapping, identifying trust boundaries.

2. Types of Recon and When to Use Them

3. Ethical & Legal Pre-flight Checklist

Before you fire off that first scan, make sure:

• You have explicit, written permission.
• Your scope is defined (hosts, networks, time windows).
• You understand laws: local and international.
• You know the impact: scans can break fragile systems; beware IDS/IPS triggers.
• You have secure communication and logging; audit everything in case it backfires.

4. Passive Recon in Practice

Workflow

1. Domain & Subdomain Enumeration
   Use search engines, certificates, open directories, SSL/TLS records to find subdomains.

2. DNS Records & WHOIS
   Check SOA, NS, MX, TXT, CNAME records for misconfigurations. Extract domain owner, registrar info.

3. OSINT for Infrastructure Data
   Leverage tools like Shodan, Censys, GitHub-leaked creds, public IP space mapping.

4. Web Footprint
   Analyse site content, Technologies (CMS, JS libs), error pages, robots.txt, sitemap.xml.

Tools & Commands

bash
# Example: enumerate subdomains via cert transparency
# WARNING: Use only in authorised, legal environments.
curl -s "https://crt.sh/?q=%25.example.com&output=json" \
  | jq -r '.[].name_value' \
  | sort -u

bash
# WHOIS + dig
whois example.com
dig example.com ANY
dig example.com MX
dig example.com TXT

Mini-Lab

• Pick a domain you own or have permission to test.
• Enumerate subdomains via crt.sh and common wordlists.
• Use dig to query NS, MX, TXT records.
• Identify any misconfigurations (e.g. missing SPF record, wildcard subdomains).

Takeaways

• Public data often reveals internal structure.
• Certificates and DNS are treasure-troves.
• Even passive recon can trigger alerting in some organisations, caution matters.

5. Active Recon: Hands-On Mapping & Port Scanning

Workflow

1. Ping & Host Discovery
   Use ICMP, TCP SYN probes to identify live hosts.

2. Port Scanning & Service Enumeration
   Scan common & unusual ports. Grab banners. Identify versions.

3. OS & Fingerprint Detection
   Once services are found, attempt OS detection via TCP/IP stack quirks.

4. VPNs, Firewalls, IDS Interaction
   Understand how the network blocks or allows traffic. Try scanning from different angles (internal, external).

Tools & Code

bash
# WARNING: Use only in authorised, legal environments.
# Quick nmap scan of a subnet
nmap -sS -sV -O -p 1-65535 192.168.1.0/24

python
# WARNING: Use only in authorised, legal environments.
# Simple banner grabbing via Python
import socket
target = '192.168.1.50'
port = 22
s = socket.socket()
s.settimeout(5)
s.connect((target, port))
banner = s.recv(1024)
print(f"Banner on {target}:{port} -> {banner}")
s.close()

Edge Cases & Tips

• Stealth scanning: latency-based detection by IDS can flag high-frequency scans. Slow them or randomise port order.
• Firewall behaviour: some firewalls respond with TCP RST from closed ports; others simply drop, affects detectability.
• VPN internals: clients might have split-tunnelling; internal resources reachable even from remote connections.

Mini-Lab

• On a lab network, run nmap scans from both an internal and external vantage.
• Detect differences in open ports, exposed services.
• Try OS fingerprinting (using -O) and observe how accurate it is.
• Identify firewall rules by sending traffic to blocked ports.

Takeaways

• Active recon is powerful but noisy.
• Different vantage points expose different surfaces.
• Banner grabbing + version detection opens the door to exploits.

6. Internal Recon & Pivoting

Once inside: the network is yours to map from the inside.

Workflow

1. Network Layout & Segmentation
   Run ip a, route, check ARP tables. Discover VLANs, subnets.

2. Privilege & Trust Relationships
   Find trusts in AD, firewall rules, service accounts. Look for weak segmentation.

3. Internal Services
   DNS servers, SMB shares, database servers. Explore shares, RPC endpoints.

4. Lateral Movement Paths
   Look for misconfigured permissions, reuse of credentials, exposed RDP or SSH clients.

Tools & Code

powershell
# WARNING: Use only in authorised, legal environments.
# Enumerate local machine AD trusts
Get-ADTrust -Filter * | Format-Table Name,TrustType,Direction

bash
# WARNING: Use only in authorised, legal environments.
# Scan for SMB shares internally
nmap --script smb-list-shares.nse -p445 10.0.0.0/24

Deal With Edge Cases

• Segmented networks: you may have jump hosts or bastion hosts. Inspect their roles heavily.
• Shadow credentials: config files, old backups, or forgotten scripts often contain passwords.
• DNS spoofing/misconfiguration: internal DNS may resolve aliases you didn’t expect.

Mini-Lab

• In a controlled lab, create at least two VLANs or segments separated by firewall rules.
• Gain access in one segment. Try to access hosts in another. Document what fails and why.
• Explore service account credentials in accessible files.

Takeaways

• Internal is different: what you can see and move through may surprise you.
• Every trust or open share is a potential bridge.
• Credentials and misconfigurations are often more powerful than raw exploits.

7. Recon Practicals: Scripts and Workflow Templates

Here are structured workflows you can adapt when entering a new recon engagement:

Workflow Template

1. Initial Information Gathering (Passive)
   - WHOIS, DNS, SSL certs, OSINT.

2. Vantage-point Analysis
   - External vs internal scanning.

3. Port & Service Enumeration
   - Use nmap, masscan, banner grabbers.

4. OS / Software Version Identification

5. Vulnerability Mapping
   - Based on versions and services, cross-reference with CVEs.

6. Trust & Segmentation Analysis

7. Pivot Potential & Lateral Movement

8. Documentation & Reporting

Practical Bash Script Skeleton

bash
# WARNING: Use only in authorised, legal environments.
#!/usr/bin/env bash

TARGET="$1"
if [ -z "$TARGET" ]; then
  echo "Usage: $0 <target>"
  exit 1
fi

# Step 1: Ping sweep
nmap -sn "${TARGET}/24" -oG ping_sweep.txt

# Step 2: Port scan on live hosts
awk '/Up$/{print $2}' ping_sweep.txt | while read host; do
  nmap -sS -sV -O -p1-1000 "${host}" -oN scan_${host}.txt
done

Checklist Before a Recon Task

• [ ] Confirm permissions and scope.
• [ ] Backup critical configurations if needed.
• [ ] Ensure time windows are safe (low traffic, maintenance windows).
• [ ] Choose your tools and ensure latest versions.
• [ ] Prepare logging and secure workspace.

Beginners Guide to Recon

Aim

To introduce foundational reconnaissance techniques for cybersecurity beginners, showing practical methods to gather information about a target for vulnerability assessment.

Learning Outcomes

By the end of this guide you will be able to:
- Use network scanning tools to discover active hosts and open ports
- Perform WHOIS and DNS enumeration to reveal domain registration and configuration details
- Extract banners and service information from hosts to identify potential weaknesses
- Automate simple reconnaissance tasks using Bash or Python scripts

Prerequisites

• Basic knowledge of networking (IP addresses, TCP/UDP, DNS)
• Access to a Unix-based environment (Linux, macOS or WSL)
• Tools installed: nmap, whois, dig, curl, openssl, Python 3
• Permission to perform reconnaissance on the target (own machine, lab environment or authorised scope)

Step-by-Step Guide to Recon

1. Identify active hosts and open ports

Use nmap to scan a target IP range or domain.

bash
# Scan common ports on a single host
nmap -sS -sV -T4 example.com

# Scan a range of IP addresses
nmap -sS 192.168.1.0/24

Options explained:
- -sS for a SYN (stealth) scan
- -sV to detect service versions
- -T4 for faster execution

2. DNS and domain enumeration

Fetch domain registration and configuration using whois and dig.

bash
# Get domain registration details
whois example.com

# Fetch DNS records (A, MX, NS, TXT)
dig example.com any +noall +answer

Review WHOIS output for registrar, creation date, nameservers. Check DNS records to see where email, subdomains or SPF/TXT data exists.

3. Banner grabbing

Determine services running on open ports by pulling banners.

bash
# Using netcat to grab a banner
nc -v example.com 80

# Using openssl to get TLS certificate information
openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -text

Analyse banners for software versions, protocols, TLS cipher suites or any misconfigurations.

4. Subdomain discovery

Reveal potential subdomains that may expose additional attack surface.

bash
# Using a wordlist with bash loop
for sub in $(cat subdomains.txt); do
  host $sub.example.com | grep "has address"
done

Alternatively use Python with requests to check HTTP response codes:

python
import requests

with open('subdomains.txt') as f:
    subs = [line.strip() for line in f]

for sub in subs:
    url = f"http://{sub}.example.com"
    try:
        r = requests.get(url, timeout=3)
        print(f"{url} → {r.status_code}")
    except requests.RequestException:
        pass

5. Automation and report generation

Combine steps into a simple script to automate scans and aggregate results.

bash
#!/bin/bash

target=$1
nmap -sS -sV -oN scan_ports.txt $target
whois $target > whois_info.txt
dig $target any +noall +answer > dns_records.txt

echo "Recon complete for $target"
echo "Results: scan_ports.txt, whois_info.txt, dns_records.txt"

Save this as recon.sh, make executable (chmod +x recon.sh) and run:

bash
./recon.sh example.com

Practical Insights

• Always respect legal and ethical boundaries; scanning beyond authorisation can be illegal
• Use verbose or debugging flags (-v or -d) to gain more context during scans
• Cross-validate results with multiple tools; discrepancies often reveal deeper clues
• Keep tools and vulnerability databases up to date to identify recent exploits

You now have a structured, hands-on method to gather key information about a target, set up for further vulnerability analysis or security assessments.

When the router hums and the network’s crust is thin, when you strip back ports with nmap, peel off banners in Python, map internal ARP tables, you are touching the labyrinth’s bones. Every result, every dropped packet, every misconfigured DNS record is a thread in a living tapestry. You saw the VPN’s split tunnelling, the firewall’s blind spots, the shares laid bare. You drew that map, you held it. Use it well, respect its dangers. Because once Recon begins, once you are inside, the city never sleeps.