Cybersecurity · Active Reconnaissance

Active Reconnaissance

Host discovery, port scanning, service/version detection, and script-based fingerprinting with Nmap.

View this project on GitHub

Table of Contents

Introduction

This document covers active reconnaissance using Nmap and companion tools inside a contained, virtualized lab with three VMs. We perform host discovery (arp-scan, fping, and Nmap ping scan), then move into TCP/UDP scanning and service fingerprinting. Finally, we use NSE scripts to enumerate common services on a Metasploitable2 host.

Host Discovery

Run ARP, ping sweeps, and Nmap discovery to identify live hosts on the local network.

ARP scan + Nmap ping scan output
arp-scan + Nmap -sn output.
fping sweep of local subnet
fping sweep results.

Port Scanning & Host Fingerprinting

SYN scan with service version detection
SYN scan with -sV service detection.
Full port scan
Full port sweep against the target.
SYN + service detection + UDP scan
Combining TCP and UDP reconnaissance.
Scan of ports 1–10000 with service detection
Focused low-port scan (1–10000) with -sV.

Fingerprinting with Nmap Scripts

Leverage Nmap Scripting Engine to enumerate service details and potential misconfigurations.

FTP Enumeration

Nmap FTP anonymous login script result
Anonymous FTP checks.
Nmap FTP SYST response
FTP SYST / banner.
Nmap FTP vulnerability scripts output
FTP vuln script output.

SSH Enumeration

Nmap SSH auth methods
SSH auth methods.
Nmap SSH host key fingerprints
Host key fingerprints.
Nmap SSH algorithms enumeration
Cipher/KEX algos.

SMB Enumeration

Nmap SMB OS discovery
OS discovery via SMB.
Nmap SMB security mode
SMB security mode.

Web Server Enumeration

Nmap HTTP title enumeration
http-title results.
Nmap HTTP methods enumeration
http-methods check.
Nmap HTTP headers inspection
http-headers output.

Back to Home