Network Reconnaissance
Probe infrastructure. Resolve targets. Download intel.
CLASSIFIED SCENARIO
NSA SIGINT has identified a hostile nation's research facility at codename IRON FORTRESS. Your mission: resolve the facility's network infrastructure, probe their web services, download leaked research documents, and establish a listening post for future operations. Standard tools only - no malware deployment.
Why Network Recon Matters
Before any operation, you must understand the target's network landscape. Network reconnaissance reveals:
- DNS infrastructure - Domain names, mail servers, subdomains
- Web services - Headers, technologies, vulnerabilities
- Network topology - IP ranges, hosting providers, CDNs
- Data retrieval - Download files, APIs, leaked documents
- Connectivity testing - Port scanning, service identification
What Network Data Reveals
- DNS records - Hidden subdomains, mail servers, TXT records (SPF, DKIM and domain-verification tokens that name the third-party services a target relies on)
- HTTP headers - Server software, versions, security configurations
- WHOIS data - Registration details, admin contacts, nameservers
- Open ports - Running services, potential entry points
- TLS certificates - Organization info, Subject Alternative Names listing extra hostnames, certificate transparency logs (ctlogs keep every cert ever issued for a domain, including ones for hosts no longer in DNS)
Core Network Commands
curl
Transfer data from URLs. Fetch pages, APIs, download files. Swiss army knife of HTTP.
wget
Download files and mirror sites. Recursive downloads, resume support.
nc (netcat)
TCP/UDP network tool. Port scanning, banner grabbing, data transfer.
dig / host / nslookup
DNS queries. Resolve domains, find mail servers, enumerate records.
Command Deep Dive
dig - DNS Intelligence
$ dig ironfortress.hostile.gov ANY +short
# +short prints rdata only; the record-type labels below are annotations.
# Many servers answer ANY with a single HINFO record (RFC 8482 minimal
# responses). If that happens, query each type separately, e.g.
# dig ironfortress.hostile.gov MX +short, then NS, TXT, AAAA.
# A record (IPv4)
203.0.113.50
# MX record (mail)
10 mail.ironfortress.hostile.gov.
# NS records (nameservers)
ns1.hostile.gov.
ns2.hostile.gov.
# TXT record
"v=spf1 include:_spf.hostile.gov ~all"
[INTEL] Primary IP: 203.0.113.50
[INTEL] Mail server identified - potential phishing target
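Because ANY is unreliable, a practitioner enumerates record types one at a time and then probes a few common subdomain labels. The shell functions below are an added example, not part of the original page: they wrap the real `dig` binary, the domain and resolver in the usage line are placeholders, and the wildcard check exists because a wildcard DNS entry makes every label "resolve" and would otherwise turn the subdomain probe into noise.

```sh
#!/bin/sh
# Added example (not from the original page): per-type DNS enumeration plus a
# short subdomain probe. Assumes `dig` is installed; names are illustrative.

# dns_enum <domain> [resolver]
# Prints "domain TYPE rdata", one line per record found.
dns_enum() {
    domain=$1
    server=""
    [ -n "$2" ] && server="@$2"

    for type in A AAAA MX NS TXT SOA CAA; do
        # +short prints only the rdata; +time/+tries stop a dead resolver from
        # stalling the loop. $server is deliberately unquoted so an empty value
        # disappears instead of becoming an empty argument.
        answer=$(dig +short +time=3 +tries=1 $server "$domain" "$type" 2>/dev/null)
        [ -z "$answer" ] && continue
        printf '%s\n' "$answer" | while IFS= read -r rdata; do
            printf '%s %s %s\n' "$domain" "$type" "$rdata"
        done
    done
    return 0
}

# subdomain_probe <domain>
# Resolves a handful of common labels. Checks for wildcard DNS first, because
# a wildcard makes every label exist and the hits would mean nothing.
subdomain_probe() {
    domain=$1
    probe=$(dig +short +time=3 +tries=1 "wildcard-check-$$.$domain" A 2>/dev/null | head -n 1)
    if [ -n "$probe" ]; then
        echo "# wildcard DNS: *.$domain -> $probe; subdomain hits below are unreliable" >&2
    fi
    for sub in www mail vpn dev staging api; do
        ip=$(dig +short +time=3 +tries=1 "$sub.$domain" A 2>/dev/null | head -n 1)
        [ -n "$ip" ] && printf '%s.%s %s\n' "$sub" "$domain" "$ip"
    done
    return 0
}

# Live usage (needs network; example.com and 1.1.1.1 are placeholders):
#   dns_enum example.com 1.1.1.1
#   subdomain_probe example.com
```

The per-type loop is the honest replacement for `ANY`; the `+time`/`+tries` options matter in practice, since a resolver that silently drops queries would otherwise make each of the seven lookups wait for dig's default retries.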
curl - HTTP Probing
$ curl -I https://ironfortress.hostile.gov
# -I sends a HEAD request. Some servers answer HEAD differently from GET
# (or not at all); to see the headers of a real GET without the body use:
# curl -s -D - -o /dev/null https://ironfortress.hostile.gov
HTTP/2 200
server: nginx/1.18.0
content-type: text/html; charset=utf-8
x-powered-by: PHP/7.4.3
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN
[VULN] nginx 1.18.0 - version disclosed (an April 2020 release); a version string is a lead, not a confirmed vulnerability, so check the vendor advisories for that exact build
[VULN] PHP 7.4.3 - the 7.4 branch is end-of-life (no security fixes since November 2022), so any later PHP advisory is unpatched here
[INTEL] Server stack identified: nginx + PHP
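Reading headers by eye does not scale past a few hosts, so the check is worth scripting. The function below is an added example, not code from the original page: it reads a raw header block on stdin (from `curl -sI` or a saved capture), reports version strings in `server` / `x-powered-by`, flags missing hardening headers, and inspects the HSTS policy. The sample headers are constructed to match the curl output above.

```sh
#!/bin/sh
# Added example (not from the original page): audit HTTP response headers.
# Usage:  curl -sI https://target/ | header_audit
#         header_audit < saved_headers.txt

# hdr <name>: value of a (lower-cased) header from the normalised block.
hdr() { printf '%s\n' "$headers" | grep "^$1: " | cut -d' ' -f2-; }

header_audit() {
    findings=0
    # Normalise: drop CRs and the status line, lower-case header names,
    # trim leading whitespace from values.
    headers=$(tr -d '\r' | awk '
        /^[A-Za-z0-9-]+:/ {
            i = index($0, ":")
            name = tolower(substr($0, 1, i - 1))
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            print name ": " value
        }')

    # 1. Version disclosure: server / x-powered-by carrying "digit.digit".
    for h in server x-powered-by; do
        v=$(hdr "$h")
        case "$v" in
            *[0-9].[0-9]*)
                echo "INFO  $h discloses a version: $v (check advisories and end-of-life status)"
                findings=$((findings + 1)) ;;
        esac
    done

    # 2. Hardening headers expected on an HTTPS site (presence only; values
    #    such as a CSP still need a manual read).
    for h in strict-transport-security content-security-policy \
             x-content-type-options x-frame-options referrer-policy; do
        if [ -z "$(hdr "$h")" ]; then
            echo "WARN  missing $h"
            findings=$((findings + 1))
        fi
    done

    # 3. HSTS details: under one year, or not covering subdomains.
    hsts=$(hdr strict-transport-security | tr 'A-Z' 'a-z')
    if [ -n "$hsts" ]; then
        age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ "${age:-0}" -lt 31536000 ]; then
            echo "WARN  strict-transport-security max-age=${age:-0} is under one year"
            findings=$((findings + 1))
        fi
        case "$hsts" in
            *includesubdomains*) ;;
            *) echo "INFO  strict-transport-security lacks includeSubDomains"
               findings=$((findings + 1)) ;;
        esac
    fi
    echo "FINDINGS: $findings"
    return 0
}

# Constructed sample, matching the headers shown for the fictional target.
SAMPLE_HEADERS='HTTP/2 200
server: nginx/1.18.0
content-type: text/html; charset=utf-8
x-powered-by: PHP/7.4.3
strict-transport-security: max-age=31536000
x-frame-options: SAMEORIGIN'

printf '%s\n' "$SAMPLE_HEADERS" | header_audit
```

On the sample this reports two version disclosures, three missing headers (CSP, X-Content-Type-Options, Referrer-Policy) and an HSTS policy that does not cover subdomains. The version check is deliberately dumb (any `digit.digit`): it exists to pull leads out of a pile of headers, and the CVE lookup is still a manual step.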
wget - File Retrieval
$ wget -q https://ironfortress.hostile.gov/docs/research.pdf
$ ls -lah research.pdf
-rw-r--r-- 1 operator operator 2.4M Jan 15 04:30 research.pdf
[DOWNLOADED] research.pdf (2.4MB)
[INTEL] Document secured for analysis
netcat - Port Probing
$ nc -zv ironfortress.hostile.gov 22 80 443 3389
# nc prints these results on stderr (redirect with 2>&1 to capture them).
# Add -w 3 (connect timeout in seconds) so a filtered port times out quickly
# instead of hanging the scan.
ironfortress.hostile.gov [203.0.113.50] 22 (ssh) open
ironfortress.hostile.gov [203.0.113.50] 80 (http) open
ironfortress.hostile.gov [203.0.113.50] 443 (https) open
ironfortress.hostile.gov [203.0.113.50] 3389 (ms-wbt-server) : Connection refused
[OPEN] SSH (22), HTTP (80), HTTPS (443)
[CLOSED] RDP (3389) - "Connection refused" means the host answered with a RST: nothing is listening on that port. A timeout instead would mean filtered (a firewall dropping the packets), which is a different finding.
[INTEL] SSH access possible if credentials obtained; the SSH + nginx/PHP stack points to a Linux host, so expect no Windows services here
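The open / refused / timed-out distinction is easy to lose when nc output scrolls past, and the two common nc dialects (netcat-traditional and OpenBSD nc) phrase it differently. The functions below are an added example, not code from the original page: `probe_ports` runs the real `nc` with a connect timeout and feeds its stderr into `classify_scan`, which turns each line into `port state` and a per-state tally. The sample output is constructed, with lines in both dialects.

```sh
#!/bin/sh
# Added example (not from the original page): timed nc scan plus a classifier
# that separates open, closed (RST received) and filtered (timed out) ports.
# Hostname and ports are illustrative.

# classify_scan: reads nc -zv output on stdin. Recognised forms:
#   traditional: host [ip] 22 (ssh) open
#                host [ip] 3389 (ms-wbt-server) : Connection refused
#   OpenBSD:     Connection to host 22 port [tcp/ssh] succeeded!
#                nc: connect to host port 3389 (tcp) failed: Connection refused
classify_scan() {
    awk '
        {
            port = ""
            if (match($0, /\] [0-9]+ \(/))        port = substr($0, RSTART + 2, RLENGTH - 4)
            else if (match($0, / [0-9]+ port /))  port = substr($0, RSTART + 1, RLENGTH - 7)
            else if (match($0, / port [0-9]+ /))  port = substr($0, RSTART + 6, RLENGTH - 7)
            if (port == "") next
            # Order matters: "refused" and "timed out" lines never say open,
            # but a service name could, so test the failure words first.
            if ($0 ~ /refused/)                          state = "closed"
            else if ($0 ~ /timed out|timeout|No route/)  state = "filtered"
            else if ($0 ~ /open|succeeded/)              state = "open"
            else                                         state = "unknown"
            print port, state
            count[state]++
        }
        END {
            for (s in count) printf "# %s: %d\n", s, count[s]
        }'
}

# probe_ports <host> <port>...   (live; needs nc and network)
probe_ports() {
    host=$1
    shift
    # -w 3: three-second connect timeout so filtered ports do not hang.
    # nc reports on stderr, hence 2>&1.
    nc -zv -w 3 "$host" "$@" 2>&1 | classify_scan
}

# Constructed sample output mixing both nc dialects.
SAMPLE_NC_OUTPUT='ironfortress.hostile.gov [203.0.113.50] 22 (ssh) open
ironfortress.hostile.gov [203.0.113.50] 80 (http) open
ironfortress.hostile.gov [203.0.113.50] 443 (https) open
ironfortress.hostile.gov [203.0.113.50] 3389 (ms-wbt-server) : Connection refused
ironfortress.hostile.gov [203.0.113.50] 8080 (http-alt) : Connection timed out
Connection to 203.0.113.50 8443 port [tcp/pcsync-https] succeeded!
nc: connect to 203.0.113.50 port 445 (tcp) failed: Connection refused'

printf '%s\n' "$SAMPLE_NC_OUTPUT" | classify_scan
```

A "filtered" result is worth recording separately from "closed": it tells you a firewall sits in front of the host and which ports it cares about, which shapes what to try next. For anything beyond a handful of ports a purpose-built scanner is the right tool; this wrapper is for the quick check the page describes.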
Quick Reference
| Command | Purpose | Key Flags |
|---|---|---|
| dig domain TYPE | DNS records of one type (ANY is often answered minimally) | +short, @server |
| host domain | Quick DNS lookup | -t (record type) |
| nslookup domain | Interactive DNS | Legacy but useful |
| curl -I url | HTTP headers only (HEAD request) | -v (verbose), -o (output), -D - (dump headers of a GET) |
| wget url | Download file | -r (recursive), -q (quiet), -c (resume) |
| nc -zv host port | Port scan | -z (scan), -v (verbose), -w (timeout in seconds) |
Recon Workflow
# === NETWORK RECONNAISSANCE CHECKLIST ===
$ dig target.com A +short # 1. DNS enumeration (repeat for AAAA, NS, TXT; ANY is unreliable)
$ host -t MX target.com # 2. Find mail servers
$ curl -sI https://target.com # 3. HTTP fingerprinting
$ nc -zv -w 3 target.com 22 80 443 # 4. Port scanning (-w: connect timeout)
$ wget -q https://target.com/file.pdf # 5. Download intel
# Always: document findings (command, timestamp, raw output), check disclosed versions against advisories, report to handler
Ready to Probe the Fortress?
Test your network recon skills, then infiltrate IRON FORTRESS.