
Peripheral network reconnaissance OSINT

Network Recon

Intro to Reconnaissance

Learning about a network from afar, whether actively or passively, is always one of the first things you do when deciding to penetrate a computer system. There are a variety of tools we can use to help us along in this process, some of which I will cover here. While some of this seems like common sense, that is exactly why it is often overlooked, and overlooking it can mean the difference between getting in and calling it a bust.

What are we looking for? OSINT. Anything that gives us insider information about the network. That means usernames, passwords (whether in plain text or hashed), databases that we can download, information about the network topology such as how many machines there are, what type of networking hardware is in use, what OS is on each machine, the versions of the software these machines are running, any information on what subnet(s) the machines sit on and how many networks are at play, whether there is a VPN in the picture, and whether there is an intrusion prevention/detection system, firewall, or WAF inline (and what they may let slip through), etc. We also want to collect any information on employees, users, and administrators we can, such as their names, addresses, phone numbers, etc. We can collect this information in many ways.

Domain Enumeration

When feeling out a network, one thing you’re going to need to do is see how far the network umbrella reaches, and an easy way to do that is to enumerate all the different primary domains you’ll be attacking (check scope!), as well as their respective subdomains.

The primary domains should either be listed in scope, or can be found via a google search or two, but the subdomains sometimes aren’t quite as public. Hence, I usually use a subdomain enumeration tool… a personal favorite for this is Sublist3r.

usage: sublist3r.py [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]

  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain name to enumerate it's subdomains
  -b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
                        Enable the subbrute bruteforce module
  -p PORTS, --ports PORTS
                        Scan the found subdomains against specified tcp ports
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable Verbosity and display results in realtime
  -t THREADS, --threads THREADS
                        Number of threads to use for subbrute bruteforce
  -e ENGINES, --engines ENGINES
                        Specify a comma-separated list of search engines
  -o OUTPUT, --output OUTPUT
                        Save the results to text file
  -n, --no-color        Output without color

Example: python ./sublist3r.py -d google.com

I recommend doing this before firing off a long-running nmap scan (slow, so its accuracy is best), because then you can add each address the subdomain enumerator finds to the list of hosts for nmap to scan!

I would run: python3 sublist3r.py -d example.com -t 2 -o example.com.subdomains.

Port Scanning

First I usually start with port scanning, because the results will tell me where to go next. For this I recommend Nmap, a tool with a huge number of options and configurations for mapping out a network’s weak points: it finds open ports, identifies services and their software versions from how they respond to probes, detects operating system versions, and runs scripts to enumerate things like Samba shares and web server configuration.

While I could do an entire write-up on just nmap alone, I’m going to stick to the basics here. Here is the help output, and as always, you can find more detailed information about nmap and most other commands by using the man command, and in the documentation.

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
  nmap -v -A scanme.nmap.org
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

As you can see, there is a plethora of options for different scan types, types of networks, output formats, timing, OS and service detection, and even evasion techniques. My favorite command to run, just to get started, is:

sudo nmap -p 0-65535 -sV -sS -oN example.com.nmap -T2 -iL example.com.subdomains -O --osscan-limit -R -sC

This of course can and should be adapted to your specific use case. For example, if you know that a machine is running a UDP service, use -sU in place of or in addition to -sS.
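The nmap command above writes its results in normal (-oN) format. As an added example, not code from the original post, here is a short Python parser for that format that compares the open ports on each host against an allowlist of what should be exposed, which is the check a defender wants after scanning their own ranges. The sample output, hostnames, addresses and the EXPECTED allowlist are constructed for the example (the UDP line assumes the -sU variant mentioned above).

```python
import re
from collections import defaultdict

# Constructed excerpt in nmap -oN format (not real scan data); hosts and
# addresses are documentation examples, not anything from the original post.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p 0-65535 -sV -sS -sU -oN example.com.nmap -iL example.com.subdomains
Nmap scan report for vpn.example.com (203.0.113.10)
Host is up (0.012s latency).
Not shown: 65534 closed ports
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
1194/udp open  openvpn

Nmap scan report for blog.example.com (203.0.113.20)
Host is up (0.020s latency).
Not shown: 65531 closed ports
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http     Apache httpd 2.4.41
443/tcp   open     ssl/http Apache httpd 2.4.41
9000/tcp  open     http     Graylog web interface
27017/tcp filtered mongod
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done at Mon Jan  1 01:00:00 2024 -- 2 IP addresses (2 hosts up) scanned in 3600.00 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Map each scanned host to its port lines: (port, proto, state, service, version)."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)           # hostname when resolved, else the bare IP
            hosts.setdefault(current, [])  # keep hosts that have no port lines too
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)


# Allowlist of (port, proto) each host is supposed to expose (constructed).
EXPECTED = {
    "vpn.example.com": {(443, "tcp"), (1194, "udp")},
    "blog.example.com": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
}


def unexpected_open(hosts, expected):
    """Open ports that are not on the allowlist: (host, port, proto, service)."""
    findings = []
    for host, ports in hosts.items():
        allowed = expected.get(host, set())  # unknown host: everything open is unexpected
        for port, proto, state, service, _version in ports:
            if state == "open" and (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings


def version_banners(hosts):
    """Open services whose banner let -sV name a version: (host, port, proto, version)."""
    return [(host, port, proto, version)
            for host, ports in hosts.items()
            for port, proto, state, _service, version in ports
            if state == "open" and version]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    scanned = parse_nmap_normal(text)
    for host, port, proto, service in unexpected_open(scanned, EXPECTED):
        print(f"[!] {host} {port}/{proto} ({service}) is open but not in the allowlist")
    for host, port, proto, version in version_banners(scanned):
        print(f"[i] {host} {port}/{proto} discloses: {version}")
```

Pass the path of a real -oN file as the first argument to run it against your own scan instead of the sample.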

Google Dorking

Around this time I start doing what you may have heard of as Google dorking, where you use Google or another search engine that supports extended attributes in searches to find sensitive files, such as logs, programs, backups, domains, and vulnerable code. I would normally put site:oxasploits.com at the beginning of the Google dork, and then apply the actual dork after that, so that we only get listings related to the domain in our scope. So for example, site:oxasploits.com filetype:log will search for files with the extension .log under the oxasploits domain. An extensive searchable Google dorking database can be found at exploit-db. I would recommend looking through the database to get a feel for how Google dorks are assembled. Then, if you are feeling clever, or need to find something specific for whatever reason, you can look through the following list of advanced search operators that may help you build a query.

Operator       Explanation
" "            Words in a specific order
OR             Results will be related to A or B
|              Same as above
AND            Results will be related to both A and B
-              Results do not mention this
*              Wildcard for a phrase
( )            Search grouping
define:        Search for a definition
cache:         Search for the most recent cache
filetype:      File ends in this extension
ext:           Same as filetype
site:          Website which results will come up for
related:       Websites related to a domain
intitle:       Search for a document that has this in its title
allintitle:    Search for a document that has all these words in its title
inurl:         Words are in the URL
allinurl:      All these words are in the URL
weather:       Weather at a location
stocks:        Information about a ticker symbol
map:           Search Google Maps for this location
movie:         Search info about a movie
in             Convert units
source:        Search from a specific Google News source
before:        Results before this date
after:         Results after this date
#..#           Search within a number range
anchor:        Search for pages whose backlinks contain this anchor text
allinanchor:   Search for pages whose backlinks contain all these words in the anchor text
AROUND(X)      Search for pages with two words within X words of each other
loc:           Search results from a specific location
location:      Find news from this location
daterange:     Search results from within this date range

Vulnerability Scanners

We can employ vulnerability scanners to check which services we might successfully attack in a later phase of the hack. There are tons of these, but one that I like is Nikto, a web server scanner that enumerates HTTP servers running server-side website scripts (PHP, Perl…) whose software versions could have known security bugs. Nikto will scan for footholds that allow you to leverage RCE via LFI, RFI, Perl open() read bugs, and more.

       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               msf+  Log to Metasploit
                               nbe   Nessus NBE format
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -IgnoreCode        Ignore Codes--treat as negative responses
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
                + requires a value

An example command would look something like: nikto -Cgidirs all -Format txt -host www.example.com -mutate 3 -output www.example.com.nikto -port 443 -ssl -Tuning x, and as always, feel free to experiment and change these options at your discretion… see what works for this specific server!

Another remote vulnerability scanner I use frequently is WPScan, which is geared towards finding vulnerable WordPress installations. One inconvenience with this tool is that you will need to go to WPScan’s website and generate an API key (passed with --api-token) to use it.

         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22

       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                                    Display the simple help and exit
        --hh                                      Display the full help and exit
        --version                                 Display the version and exit
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua                Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --force                                   Do not check if the target is running WordPress or returns a 403
        --[no-]update                             Whether or not to update the Database
        --api-token TOKEN                         The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
        --wp-content-dir DIR                      The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR                      The plugins directory if custom or not detected, such as "wp-content/plugins"
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Popular plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Popular themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Note: Permalink setting must be set to "Plain" for those to be detected
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-detection MODE          Use the supplied mode to check plugins' versions.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --exclude-usernames REGEXP_OR_STRING      Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --login-uri URI                           The URI of the login page if different from /wp-login.php
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

[!] To see full list of options use --hh.

So a WordPress website could be scanned for attack vectors like: wpscan --url https://blog.example.com/ -v -o blog.example.com.wpscan -t 4 --api-token [token goes here] -e ap,at,cb,dbe,u --plugins-detection mixed. Of course, feel free to include anything else you already know about the server, such as usernames. If you know there is a WAF involved, I recommend dropping --plugins-detection mixed and adding the --stealthy option.

Screenshots can host gobs of information about a target; that is OSINT too. You can find anything from locations (by googling the surroundings), names (from social media profiles visible in the shot), the length of a password (by counting the stars), or, if the screenshot is of something technical, information on what services are running or the network topology… I am guilty of this as well: I frequently snap screenshots to show my hacker buddies, and often neglect to black out or otherwise censor the sensitive information. Behold, one of my screenshots (try to resist rooting me, please)!

From this screenshot, try to pick out every piece of information about my network that you can, before checking below. You’ll be amazed once you start noticing things.

  • Running an Xorg server
  • Window manager is Fluxbox
  • The time and date the shot was taken
  • My username on the machine and my hostname
  • My kernel version
  • OS/Distribution is Kali Linux
  • My user's uid, my primary group is 'users', and I am in the 'sudo' group
  • Port 9000 is open on another machine on my network
  • I'm running Graylog on another host, which suggests I am probably also running Opensearch or ElasticSearch, and Mongodb
  • The Graylog instance is not encrypted
  • I have bookmarks that indicate I have a job, may have a media server on the network, and embarrassingly, enjoy porn
  • I have an active Google account
  • A picture of me
  • I'm connected to a wireless network
  • My computer is a laptop because you can see the battery icon
  • I'm torrenting something
  • My browser is Google Chrome
  • I like to watch video in pip while I'm working (icon for the pip shortcut plugin)
  • I use the command line to download things frequently (curl/wget plugin)
  • I use awesome screenshot to take pictures of only what is in the browser window
  • My Google Chrome version/User Agent
  • My Graylog NodeID
  • That it only took 0.01 seconds for Graylog to respond after searching lots of data over 7 days, fast server
  • I run OpenSSH servers on my network, and the low number of hits to it suggests firewalling
  • I have a user on one server on the network called 'webmaster'
  • I run an Apache2 server with SSL
  • I run ntopng for network analysis
  • The network is protected by an IPS
  • My torrent client has DHT enabled
  • My firewall is netfilter/iptables
  • Four hostnames on my network are likon.dev.oxasploits.com, zerkon.dev.oxasploits.com, oxasploits.com, and vpn.oxasploits.com
  • Part of my monitoring suite uses Prometheus
  • A program recently crashed and dumped core
  • My screen resolution

It’s a pretty lengthy process to do network reconnaissance, and the larger the network, the longer it takes to do a thorough job. There are a couple of things I left out of this tutorial for brevity, and I will list them here just so you can keep them in mind. You can use curl to grab HTTP/HTTPS headers and learn plenty about a web server simply by sifting through those details; curl --head fetches just the headers. Once you have enumerated some users on a system or two, you should probably also use a tool such as DirBuster to map out which directories on the HTTP server are exposed to the internet serving pages users have put up. These user-designed pages are not normally the most secure of the bunch. If you are stalling while gathering information about users, try an OSINT tool such as Maltego; it can help tie users to their respective company positions and find their phone numbers, full names, dates of birth, addresses, even social security numbers, which can be extremely useful in a later stage of the hack… password cracking.
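As an added example, not from the original post: a Python version of the curl --head check above that parses a HEAD response and reports the version banners a recon pass would harvest, the hardening headers that are missing, and session cookies set without Secure/HttpOnly, which is what the owner of the server wants to know before someone else reads the headers. SAMPLE_RESPONSE is a constructed response, not a capture from any real server, and the header lists are this example's own choices.

```python
import re
import ssl
from http.client import HTTPSConnection

# Constructed HEAD response, not captured from any real server.
SAMPLE_RESPONSE = b"""HTTP/1.1 200 OK\r
Date: Mon, 01 Jan 2024 00:00:00 GMT\r
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f PHP/7.4.3\r
X-Powered-By: PHP/7.4.3\r
Content-Type: text/html; charset=UTF-8\r
Set-Cookie: PHPSESSID=constructedvalue; path=/\r
\r
"""

# Headers whose values commonly carry product and version strings (example's choice).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator", "via")
VERSION_RE = re.compile(r"\d+\.\d+")

# Hardening headers this check expects on a public HTTPS site (example's choice).
HARDENING_HEADERS = {
    "strict-transport-security": "HSTS missing: clients may still be sent over plain HTTP",
    "content-security-policy": "CSP missing: no script-source restrictions",
    "x-content-type-options": "nosniff missing: MIME sniffing allowed",
    "x-frame-options": "framing protection missing (or set CSP frame-ancestors)",
}


def parse_head_response(raw):
    """Split a raw HEAD response into its status line and a lower-cased header map."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def find_banner_leaks(headers):
    """Banner headers whose value includes a version number: (header, value)."""
    return [(name, value)
            for name in BANNER_HEADERS
            for value in headers.get(name, [])
            if VERSION_RE.search(value)]


def find_missing_hardening(headers):
    """Names of the hardening headers that the response did not send."""
    return [name for name in HARDENING_HEADERS if name not in headers]


def find_insecure_cookies(headers):
    """Set-Cookie values lacking Secure and/or HttpOnly: (cookie name, missing flags)."""
    bad = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            bad.append((name, missing))
    return bad


def fetch_head(host, path="/"):
    """Live equivalent of curl --head over TLS; returns the same (status, headers) shape."""
    conn = HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return f"HTTP/{resp.version // 10}.{resp.version % 10} {resp.status} {resp.reason}", headers


def report(status, headers):
    """Human-readable summary of the three checks."""
    lines = [status]
    lines += [f"[leak] {n}: {v}" for n, v in find_banner_leaks(headers)]
    lines += [f"[missing] {n}: {HARDENING_HEADERS[n]}" for n in find_missing_hardening(headers)]
    lines += [f"[cookie] {n} lacks {', '.join(m)}" for n, m in find_insecure_cookies(headers)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*parse_head_response(SAMPLE_RESPONSE)))
```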

This is only the first step, many to come!

If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!

Thank you so much and happy hacking!
This post is licensed under CC BY 4.0 by the author.