WARMUP 5 min

What is Reconnaissance?

Reconnaissance (recon) is the first phase of any security assessment. It involves gathering information about a target network before launching any actual attack. Think of it as a digital stakeout — you map out the terrain, discover live hosts, open ports, running services, and potential entry points.

  • ACTIVE RECON: direct interaction with the target (pings, scans)
  • PASSIVE RECON: OSINT, Shodan, whois lookups
  • FOOTPRINTING: building a profile of the target's network

CORE 45 min

Nmap — The Network Mapper

Nmap is the industry-standard tool for network discovery. It sends raw packets and analyses responses to discover hosts and services.

nmap -sn 192.168.1.0/24 # Ping sweep — find live hosts
nmap -sS 192.168.1.5 # Stealth SYN scan
nmap -sV 192.168.1.5 # Service version detection
nmap -A 192.168.1.5 # Aggressive scan (OS, version, scripts)

The -sS flag sends SYN packets without completing the TCP handshake, so no full connection is ever established and the application layer never sees it; this makes it harder to detect than a full-connect scan, although firewalls and IDS still see the SYN probes.

Port Scanning Techniques

Every open port is a potential entry point. Understanding port states is critical:

  • Open — Service is actively listening
  • Closed — No service; port is reachable but nothing responds
  • Filtered — Firewall or filter is blocking probes
  • Unfiltered — Reachable but state unknown

nmap -p 1-1000 192.168.1.5 # Scan first 1000 ports
nmap -p- 192.168.1.5 # Scan all 65535 ports
nmap -sU 192.168.1.5 # UDP scan (slower)

OS Fingerprinting

Nmap analyses TCP/IP stack behaviour to guess the operating system. Different OSes handle packets differently — TTL values, window sizes, and TCP options give them away.

nmap -O 192.168.1.5 # OS detection
nmap -A 192.168.1.5 # Aggressive: OS + version + scripts

Example output: "Aggressive OS guesses: Linux 5.4 (96%), Linux 5.10 (91%)"

MINI CHALLENGE 10 min

Interpret an Nmap Scan

Read the scan output below and answer:

Nmap scan report for 192.168.1.105
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache 2.4.41
443/tcp open https Apache 2.4.41
3306/tcp filtered mysql
MAC Address: 00:1A:2B:3C:4D:5E (Intel)
Device type: general purpose
Running: Linux 4.X|5.X

How many services are running? Which port is filtered? What OS is likely running?
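Added example (not part of the lesson, and not Nmap's own code): a small Python parser for the normal-output format shown above. It turns a host block into a service inventory and answers the three challenge questions programmatically, which is the same step a defender takes when baselining their own network from a scan. The only input is the report text copied from the challenge; the `PortEntry`, `parse_report` and `summarise` names are this example's own.

```python
import re
from collections import namedtuple

# Nmap normal-output block copied from the mini challenge above (constructed
# sample text for the parser, not live scan data).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.105
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Apache 2.4.41
443/tcp open https Apache 2.4.41
3306/tcp filtered mysql
MAC Address: 00:1A:2B:3C:4D:5E (Intel)
Device type: general purpose
Running: Linux 4.X|5.X
"""

# state is open/closed/filtered/unfiltered as defined above; version is "" when Nmap printed none
PortEntry = namedtuple("PortEntry", "port proto state service version")

# One port line: "<port>/<proto> <state> <service> [version text]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_report(text):
    """Return (target, ports, os_guess) from one Nmap host block."""
    target, os_guess, ports = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for "):
            target = line.split("for ", 1)[1]
        elif line.startswith("Running: "):          # -O / -A fingerprint result
            os_guess = line[len("Running: "):]
        elif m := PORT_LINE.match(line):
            port, proto, state, service, version = m.groups()
            ports.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return target, ports, os_guess

def summarise(text):
    """Answer the challenge questions: running services, filtered ports, likely OS."""
    target, ports, os_guess = parse_report(text)
    return {
        "target": target,
        "running_services": [f"{p.port}/{p.proto} {p.service} {p.version}".strip()
                             for p in ports if p.state == "open"],
        "filtered_ports": [p.port for p in ports if p.state == "filtered"],
        "likely_os": os_guess,
    }

CHALLENGE_ANSWERS = summarise(SAMPLE_REPORT)
```

Only "open" entries count as running services; the filtered 3306/tcp line is kept in the inventory with an empty version so the blocked port is not silently dropped.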

MAIN PROJECT 4 hours

Plan a Reconnaissance Methodology

Design a step-by-step recon methodology suitable for a penetration test. Your plan should cover all three phases:

1. Passive Recon
   OSINT, DNS enumeration, whois, Shodan — no direct contact with target.

2. Active Recon
   Ping sweeps, port scans, service versioning, OS detection.

3. Documentation
   Map the network topology, list all discovered services, prioritise targets.

Write your methodology below — be specific about which tools and flags you would use at each stage.

QUIZ 10 min

Network Reconnaissance Quiz

1. What does the -sS flag in Nmap do?

Performs a ping sweep
Performs a SYN stealth scan
Enables OS detection

2. Which port state indicates a firewall is blocking probes?

Open
Closed
Filtered

3. What is the main difference between active and passive recon?

Active directly interacts with target; passive gathers data without touching it
Passive is faster but less accurate
There is no difference