Intro

active recon- risk

• port scanning — nmap, masscan, direct , may trigger ids
• vuln scan- known vulns like old sw, nessus, sqli , xss checking, openVAS, nikto . automated scanners high risky
• net mapping- traceroute , net traffic must not be excess
• banner grabbing - nc , curl , less risky,
• os fingerprinting- nmap, xprobe2, passive
• service enum- version detection, -sV , less risky
• Web spidering- crawl target page for pages, files and dirs. Burp Spider, Zap. crawler should mimic legitimate traffic

passive recon

• search engine
• Whois lookup for domain info
• DNS records for subdomains, mail servers and txts - dig, nslookup
• Web Archive- checking snapshots for website changes, Wayback machine
• Social Media- employee, roles, osint
• Code repos- for creds or vulns