Script House, Recon track, CLH-011 of 015

Network Reconnaissance

Map the network. Find open ports. Identify services. Know your target.

Authorization Required

Only scan networks you own or have explicit written permission to test. Unauthorized scanning is illegal and unethical.

The Recon Methodology

Network reconnaissance is the first phase of any security assessment. Before you can test a system, you need to understand what's there.

1. Host Discovery: find live systems on the network. What's actually online?

2. Port Scanning: which ports are open? What services are listening?

3. Service Enumeration: what versions are running? Are they vulnerable?

Nmap - The Network Mapper

Nmap is the industry standard for network discovery and security auditing.

Command                      Purpose
nmap 192.168.1.1             Basic scan (top 1000 TCP ports; SYN scan as root, TCP connect scan otherwise)
nmap -sn 192.168.1.0/24      Ping sweep - find live hosts, no port scan (ARP on the local segment, ICMP/TCP probes elsewhere)
nmap -p 1-65535 target       Scan ALL ports (same as -p-)
nmap -sV target              Version detection
nmap -O target               OS detection (needs root for raw packets)
nmap -A target               Aggressive scan (enables -O, -sV, -sC default scripts and --traceroute)

A host that drops the discovery probes is reported as down and skipped; -Pn turns discovery off and scans it anyway.

    # Find live hosts on a subnet
    nmap -sn 192.168.1.0/24
    Nmap scan report for 192.168.1.1
    Host is up (0.0015s latency).
    Nmap scan report for 192.168.1.50
    Host is up (0.0023s latency).
    Nmap scan report for 192.168.1.100
    Host is up (0.0031s latency).

    # Scan specific target with version detection
    nmap -sV -p 22,80,443 192.168.1.100
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    80/tcp  open  http     Apache httpd 2.4.41 ((Ubuntu))
    443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))

On 443 nmap reports the service behind TLS (ssl/http and the web server), not the TLS library.
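The three phases of the methodology (discover, port-scan, enumerate versions) chained into one script. This is an added example written for this page, not code from the Script House lesson. It assumes nmap is installed, that it runs as root (for the SYN scan), and that the range you pass is one you are authorized to scan; the output directory name "recon" and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the Script House page: the three recon
# phases chained in one script. Assumes nmap is installed, the script runs
# as root (SYN scan), and the range passed in is one you are authorized to
# scan. The output directory name "recon" is an arbitrary choice.
set -eu

# Phase 1 parser: turn `nmap -sn` normal output into one IP per line.
# Handles both "Nmap scan report for 10.0.0.10" and the reverse-DNS form
# "Nmap scan report for gw.lan (10.0.0.1)". A report line is only counted
# when the following line confirms "Host is up".
live_hosts_from_sn() {
  awk '
    /^Nmap scan report for / { ip = $NF; gsub(/[()]/, "", ip); pending = ip; next }
    /^Host is up/ && pending != "" { print pending; pending = "" }
  '
}

# Phases 1-3: sweep the range, then port-scan and version-scan only the
# hosts that answered, saving every output format (-oA) for later parsing.
recon_sweep() {
  range=$1
  out=${2:-recon}
  command -v nmap >/dev/null 2>&1 || { echo "nmap is not installed" >&2; return 1; }
  mkdir -p "$out"

  # Phase 1: host discovery (ARP on the local segment, ICMP/TCP probes elsewhere).
  nmap -sn "$range" -oN "$out/sweep.nmap" >/dev/null
  live_hosts_from_sn < "$out/sweep.nmap" > "$out/live.txt"
  n=$(awk 'END { print NR }' "$out/live.txt")
  echo "$n live host(s) in $range" >&2
  [ "$n" -gt 0 ] || return 0

  # Phases 2+3: every TCP port, version detection, only open ports reported.
  # -p- is thorough but slow; use --top-ports 1000 for a first pass.
  nmap -sS -p- -sV --open -T4 -iL "$out/live.txt" -oA "$out/services" >/dev/null
  echo "results in $out/services.{nmap,xml,gnmap}" >&2
}

# Run the live scan only when a range is given: ./recon.sh 10.0.0.0/24
if [ -n "${1:-}" ]; then
  recon_sweep "$1" "${2:-recon}"
fi
```

Feeding the sweep results into the port scan with -iL is what keeps phase 2 cheap: a /24 with five live hosts becomes five full port scans instead of 256, and the .txt, .nmap, .xml and .gnmap files left behind are the evidence for the report.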

Netcat - The Swiss Army Knife

Netcat (nc) reads and writes data across network connections. Essential for testing connectivity and grabbing banners.

    # Check if a port is open
    nc -zv 192.168.1.100 22
    Connection to 192.168.1.100 22 port [tcp/ssh] succeeded!

    # Grab a service banner (SSH announces itself as soon as you connect)
    nc 192.168.1.100 22
    SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

    # Scan a range of ports
    nc -zv 192.168.1.100 20-25 2>&1 | grep succeeded

    # Listen on a port (for testing)
    nc -lvp 4444

Only services that speak first (SSH, FTP, SMTP) hand you a banner on a bare connection; HTTP stays silent until it receives a request, and a TLS port needs openssl s_client rather than plain nc. The "succeeded!" wording comes from the OpenBSD netcat; traditional netcat prints "open" instead, so the grep above matches nothing there. Upstream OpenBSD nc also rejects -p together with -l, in which case use nc -lv 4444.

Common Ports to Know

Port     Service      Security Note
21       FTP          Often allows anonymous login (user "anonymous")
22       SSH          Check for weak credentials and outdated versions
23       Telnet       Cleartext - should be disabled
25       SMTP         Email server, check for open relay
80/443   HTTP/HTTPS   Web apps, many attack vectors
445      SMB          File sharing; SMBv1 was the target of EternalBlue (MS17-010)
3306     MySQL        Database, check whether remote access is allowed
3389     RDP          Remote desktop, common brute-force target

Documenting Your Recon

    # Save nmap output in all formats
    nmap -sV -oA scan_results 192.168.1.0/24
    # Creates:
    #   scan_results.nmap   (normal output)
    #   scan_results.xml    (XML for tools)
    #   scan_results.gnmap  (greppable, one host per line)

    # Quick grep for open ports
    grep "open" scan_results.nmap

    # Parse XML with grep (rough: this lists every <port> element nmap wrote,
    # open or not; use the .gnmap file or a real XML parser when state matters)
    grep -oP 'portid="\K[^"]+' scan_results.xml
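A parser for the greppable .gnmap file that -oA produces, followed by the netcat banner-grab from the previous section applied to every open port it finds. This is an added example written for this page, not code from the Script House lesson. sample_gnmap() is a constructed stand-in for a real scan_results.gnmap (the layout matches nmap's; the hosts and versions are made up), and grab_banners with its 3-second timeout is this example's own design, not an nmap or netcat feature.

```shell
#!/usr/bin/env bash
# Added example, not code from the Script House page: parse the greppable
# .gnmap file that -oA writes, then banner-grab each open TCP port with
# netcat. sample_gnmap() is a constructed stand-in for a real scan_results.gnmap;
# grab_banners and its 3-second timeout are this example's own choices.

# Constructed sample in the real gnmap layout: tab-separated fields, and a
# "Ports:" field whose entries are port/state/proto/owner/service/rpc/version/
sample_gnmap() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -oA scan_results 192.168.1.0/24\n'
  printf 'Host: 192.168.1.1 (gateway.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (gateway.lan)\tPorts: 53/open/tcp//domain//dnsmasq 2.80/, 80/open/tcp//http//lighttpd 1.4.53/\tIgnored State: closed (998)\n'
  printf 'Host: 192.168.1.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 443/open/tcp//ssl|http//Apache httpd 2.4.41 ((Ubuntu))/, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n'
  printf '# Nmap done at Mon Jan  1 00:00:00 2024 -- 256 IP addresses (2 hosts up) scanned in 90.12 seconds\n'
}

# Emit one tab-separated "ip port proto service version" line per OPEN port.
# Filtered and closed entries are skipped, which a bare grep over the XML
# cannot do. nmap writes "/" inside version strings as "|", so splitting
# each entry on "/" is safe.
open_ports_from_gnmap() {
  awk -F'\t' '
    /^Host: / && /Ports: / {
      split($1, h, " "); ip = h[2]
      ports = ""
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        svc = (f[5] == "") ? "unknown" : f[5]
        if (f[2] == "open") printf "%s\t%s\t%s\t%s\t%s\n", ip, f[1], f[3], svc, f[7]
      }
    }
  '
}

# Banner-grab each open TCP port from open_ports_from_gnmap's output.
# ssh/ftp/smtp speak first, so an empty stdin is enough; http says nothing
# until it gets a request; TLS ports need openssl s_client, not plain nc.
grab_banners() {
  command -v nc >/dev/null 2>&1 || { echo "nc is not installed" >&2; return 1; }
  tab=$(printf '\t')
  while IFS="$tab" read -r ip port proto svc ver; do
    [ "$proto" = tcp ] || continue
    printf '== %s:%s %s (%s)\n' "$ip" "$port" "$svc" "$ver"
    case $svc in
      http)  printf 'HEAD / HTTP/1.0\r\n\r\n' | nc -w 3 "$ip" "$port" 2>/dev/null | head -n 3 ;;
      ssl*)  echo "   TLS service: openssl s_client -connect $ip:$port" ;;
      *)     nc -w 3 "$ip" "$port" </dev/null 2>/dev/null | head -n 1 ;;
    esac
  done
}

# Usage against a real scan: ./banners.sh scan_results.gnmap
if [ -n "${1:-}" ]; then
  open_ports_from_gnmap < "$1" | grab_banners
fi
```

Run on the constructed sample, open_ports_from_gnmap returns five lines (two for the gateway, three for 192.168.1.100) and drops the filtered 3306 entry; the tab-separated output is easy to sort, uniq -c, or paste straight into the findings table.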

LAB: Network Recon Simulator

You have permission to scan the 10.0.0.0/24 network. Find live hosts, discover open ports, and identify running services.

Perform a ping sweep to find live hosts
Scan a target for open ports
Identify service versions with -sV
Use netcat to grab a banner
    Network Reconnaissance Lab
    Target Network: 10.0.0.0/24 (authorized)
    Try:
      nmap -sn 10.0.0.0/24
      nmap -sV 10.0.0.10
      nc -v 10.0.0.10 22

Completing CLH-010 to CLH-012 earns: CLI Engineer