
Week 3: Active Reconnaissance (Nmap, Masscan, Service Enumeration)

Active recon sends packets to the target and reads what comes back. You learn what is running, what version it is, and what the attack surface looks like from the network. This week you build the host inventory that the vulnerability analysis in Week 5 will work from.


Reading (~1.5 hr)

Required:

  • Weidman, Penetration Testing, Chapter 5 ("Information Gathering"), the port scanning subsections (Nmap: SYN scan, version scan, UDP scan, specific ports). ~20 pages. The book uses older Nmap syntax; all commands run correctly on current Kali.
  • Nmap Network Scanning reference chapters (nmap.org/book/; free online). Read the "Port Scanning Overview" and "Nmap Output" sections. Nmap's official documentation is better than any third-party summary.

Supplementary:

  • Weidman, Penetration Testing, Chapter 5, the service-banner and Nmap Scripting Engine (NSE) subsections.
  • PTES, Intelligence Gathering, Active Reconnaissance subsection (pentest-standard.org/Intelligence_Gathering#Active).

Lecture outline (~1 hr)

Part 1: The scan taxonomy (20 min)

Active recon covers a range of intrusiveness. Every scan in this taxonomy sends packets to the target; the question is how many, how fast, and what kind.

By scan type (Nmap flag, what it does, noise level):

  • TCP SYN (half-open), -sS: Sends SYN; if SYN-ACK received, immediately RSTs. Noise: Low (no completed connection; many firewalls log it anyway).
  • TCP Connect, -sT: Full 3-way handshake. Noise: High (logged by the target service).
  • UDP, -sU: Sends UDP packets; ICMP Port Unreachable = closed. Noise: Slow; many services do not respond.
  • Version detection, -sV: Probes open ports for service banners + version strings. Noise: Medium (service sees connection + probe).
  • OS fingerprint, -O: Analyzes TCP/IP stack behavior to guess OS. Noise: Low (no new connections; needs one open + one closed port).
  • Script scan, --script=default or -sC: Runs Nmap's built-in NSE scripts against open ports. Noise: Medium-High (scripts vary; some are intrusive).
  • Aggressive, -A: Combines -sV -O -sC --traceroute. Noise: High.

By speed/timing:

Nmap's timing templates (-T0 through -T5) control how aggressive the scan is. -T3 is default; -T4 is faster but noisier; -T1 and -T2 are paranoid-slow (useful when detection avoidance matters).

Masscan: Masscan (github.com/robertdavidgraham/masscan) is the fastest Internet-scale port scanner, capable of scanning all 65535 TCP ports on a /16 range in minutes. Used in PEN-101 for initial broad discovery of the lab network; Nmap is then used for targeted service enumeration on discovered hosts.

# masscan: initial broad discovery
sudo masscan -p1-65535 192.168.100.0/24 --rate=1000 -oG masscan-results.txt
# then feed discovered hosts to nmap:
nmap -sV -sC -p<ports> <hosts-from-masscan>

Part 2: The enumeration workflow (25 min)

Active recon produces a host inventory. The inventory is the structured output the vulnerability analysis phase consumes. A good inventory for a small business LAN looks like this:

Host: 192.168.100.10
  OS: Windows Server 2019 (confidence 95%)
  Open ports:
    80/tcp   open  http   Microsoft IIS httpd 10.0
    443/tcp  open  https  Microsoft IIS httpd 10.0
    3389/tcp open  rdp    Microsoft Terminal Services
    445/tcp  open  smb    Windows Server SMB
    5985/tcp open  wsman  Microsoft HTTPAPI httpd 2.0
  Notes: IIS default page visible; RDP exposed publicly; SMBv1 enabled per Nmap script output

Host: 192.168.100.20
  OS: Ubuntu 20.04 (confidence 90%)
  Open ports:
    22/tcp   open  ssh    OpenSSH 7.4
    8080/tcp open  http   Apache Tomcat 8.5.73
    3306/tcp open  mysql  MySQL 5.7.39

Each entry in the host inventory is a combination of the port scan output, the version detection output, and any relevant NSE script results.
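An added example, not part of the course materials, of turning Nmap's grepable output (-oG, the .gnmap file that -oA also writes) into the inventory layout above; the scan lines are constructed sample data. Filtered and open|filtered ports are deliberately dropped so only confirmed-open services reach the inventory.

```python
import ipaddress
import re

# Constructed sample of Nmap grepable (-oG) output for two lab hosts; not real scan data.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.100.10 ()\tStatus: Up
Host: 192.168.100.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 10.0/, 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)\tOS: Windows Server 2019
Host: 192.168.100.20 ()\tStatus: Up
Host: 192.168.100.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 8080/open/tcp//http//Apache Tomcat 8.5.73/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done at (constructed sample)
"""


def parse_grepable(text):
    """Map each host to {"os": guess-or-None, "ports": [(port, proto, service, version)]}.
    Only ports in state "open" are kept; "filtered" and "open|filtered" are dropped."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        entry = inventory.setdefault(host, {"os": None, "ports": []})
        os_match = re.search(r"\tOS: ([^\t]+)", line)   # present only when -O was used
        if os_match:
            entry["os"] = os_match.group(1)
        ports_match = re.search(r"\tPorts: ([^\t]+)", line)
        if not ports_match:
            continue
        for item in ports_match.group(1).split(", "):
            # grepable port entry: port/state/proto/owner/service/rpcinfo/version/
            fields = item.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            entry["ports"].append((int(fields[0]), fields[2], fields[4], fields[6]))
    return inventory


def render_inventory(inventory):
    """Render hosts in the lecture's inventory layout: OS line, then one row per open port."""
    lines = []
    for host in sorted(inventory, key=ipaddress.ip_address):
        entry = inventory[host]
        lines.append(f"Host: {host}")
        lines.append(f"  OS: {entry['os'] or 'unknown (no -O data)'}")
        lines.append("  Open ports:")
        for port, proto, service, version in sorted(entry["ports"]):
            lines.append(f"    {port}/{proto:<4}open  {service:<14} {version}")
        lines.append("")
    return "\n".join(lines).rstrip()
```

The "Notes:" line of each entry (SMBv1 enabled, RDP exposed, and so on) still comes from reading the NSE output by hand; the parser only supplies the mechanical part.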

Service-specific enumeration: For each open port, there are tool families designed to extract more information:

  • SMB (445): enum4linux, smbmap, crackmapexec smb -- share enumeration, null session tests, user enumeration
  • HTTP/HTTPS (80, 443, 8080): Web recon is Week 4; note the web port as a target for that phase
  • SSH (22): Banner grab; check for weak algorithms (ssh-audit)
  • FTP (21): Anonymous login test (ftp <ip>, user anonymous)
  • DNS (53): Zone transfer (Week 2 revisited from the active side)
  • RDP (3389): Banner grab; check for NLA (Network Level Authentication)
  • MySQL / MSSQL / PostgreSQL: Attempt anonymous or default-credential login

# Full Nmap run with version detection and default scripts:
nmap -sV -sC -p- -oA nmap-full 192.168.100.0/24

# SMB enumeration:
enum4linux -a 192.168.100.10
smbmap -H 192.168.100.10

# SSH audit:
ssh-audit 192.168.100.20

Part 3: Nmap Scripting Engine (NSE) (15 min)

NSE scripts extend Nmap with service-specific probes. They are organized into categories:

  • safe -- no impact on stability; almost always appropriate
  • default -- the set run by -sC; curated for reasonable output
  • intrusive -- may crash sensitive systems or trigger alerts; use only with explicit client authorization
  • vuln -- active vulnerability checks; treats the target as a test subject; intrusive

For this course, use --script=default as the standard option. The vuln category is reserved for targets where you have exploitation authorization (Weeks 5-7).

Useful individual scripts:

nmap --script=smb-vuln-ms17-010 192.168.100.10  # EternalBlue check
nmap --script=http-title -p 80,443,8080 192.168.100.0/24  # grab page titles
nmap --script=ftp-anon -p 21 192.168.100.0/24   # anonymous FTP check
nmap --script=ssh-auth-methods -p 22 192.168.100.0/24  # SSH auth methods

Lab 3: Full Network Scan and Service Enumeration (~4 hr, graded)

See labs/lab-3-active-recon.md for the full lab.

Target: The authorized lab network (an instructor-assigned RFC 1918 range; at minimum, the Kali and Metasploitable 2 hosts are on this range).

Authorization note: Scan the authorized IP range only. Scans outside the lab network are not authorized for this course.

Phase 1: Discovery scan (Masscan)

Run a Masscan discovery scan across all 65535 TCP ports. Record which hosts respond and on which ports.

sudo masscan -p1-65535 <lab-range> --rate=500 -oL masscan-output.txt

Phase 2: Service enumeration (Nmap)

For each live host discovered, run a targeted Nmap version + script scan.

nmap -sV -sC -p<ports-from-masscan> <host> -oA nmap-<host>

Phase 3: Service-specific enumeration

For each open port in the categories covered in lecture (SMB, SSH, FTP, HTTP, MySQL), run the service-specific tool. Document findings.
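An added example, not from the course, covering the lecture's masscan-then-nmap pipeline and Lab Phases 1 and 2 together: it reads masscan's list output (-oL), groups open ports per host, and emits one targeted Nmap command per host, refusing any host outside the authorized range. The -oL lines are constructed sample data; the authorized range 192.168.100.0/24 is taken from the lecture's example command.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in masscan list-output (-oL) format: "<state> <proto> <port> <ip> <timestamp>".
# The 10.10.10.5 line is planted to show the scope check; masscan would only emit it if the
# scan range itself had been entered wrongly.
SAMPLE_OL = """\
#masscan
open tcp 445 192.168.100.10 1700000000
open tcp 80 192.168.100.10 1700000001
open tcp 22 192.168.100.20 1700000002
open tcp 3389 192.168.100.10 1700000003
open tcp 8080 192.168.100.20 1700000004
open tcp 80 192.168.100.10 1700000005
open tcp 22 10.10.10.5 1700000006
# end
"""


def ports_by_host(text):
    """Group open TCP ports per host; a port masscan reports twice collapses to one entry."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] != "open" or fields[1] != "tcp":
            continue
        hosts[fields[3]].add(int(fields[2]))
    return {host: sorted(ports) for host, ports in hosts.items()}


def nmap_commands(hosts, authorized, out_prefix="nmap"):
    """Build one 'nmap -sV -sC -p<ports> <host> -oA <prefix>-<host>' per in-scope host.
    Hosts outside the authorized network are returned separately, never scanned."""
    net = ipaddress.ip_network(authorized)
    cmds, out_of_scope = [], []
    for host in sorted(hosts, key=ipaddress.ip_address):
        if ipaddress.ip_address(host) not in net:
            out_of_scope.append(host)
            continue
        plist = ",".join(str(p) for p in hosts[host])
        cmds.append(f"nmap -sV -sC -p{plist} {host} -oA {out_prefix}-{host}")
    return cmds, out_of_scope


if __name__ == "__main__":
    discovered = ports_by_host(SAMPLE_OL)
    commands, rejected = nmap_commands(discovered, "192.168.100.0/24")
    print("\n".join(commands))
    if rejected:
        print("refused (outside authorized range):", ", ".join(rejected))
```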

Deliverable: A structured host inventory (Markdown table or formatted text file) covering each live host, its OS guess, its open services with versions, and a one-sentence note per service about what is interesting or notable. Submit the raw Masscan and Nmap output files alongside the host inventory.


Independent practice (~3 hr)

  • Nmap mastery (1.5 hr): Run Nmap against Metasploitable 2 with the following flag combinations and note how the output differs: -sS -p80,445,21,22,23,3306, then -sV -sC -p80,445,21,22,23,3306, then -A -p80,445,21,22,23,3306. Why would you choose one over another on a real engagement?
  • enum4linux exploration (0.5 hr): Run enum4linux -a <metasploitable2-ip>. What does it find? What does null-session SMB enumeration tell an attacker before authentication?
  • Reflection (1 hr): Write responses to the reflection prompts below.

Reflection prompts

  1. The Nmap version detection flag (-sV) sends additional probes to open ports to identify service banners and versions. On a real client engagement, what is the risk of running -sV against every port on every host? How does the ROE constrain this? What would you ask the client if you wanted to run an aggressive scan but were uncertain if it was authorized?

  2. You scan the lab network and find port 23 (Telnet) open on a host. Telnet sends credentials in plaintext. What information does this immediately give you about the host's security posture without running a single exploit? How would you document this as a finding in the vulnerability analysis phase?

  3. An Nmap script scan (--script=default) returns the following output for a Windows host: smb-security-mode: account_used: guest | authentication_level: user | challenge_response: supported | message_signing: disabled. Interpret this output. What does "message_signing: disabled" mean for SMB, and why might this matter in Week 10's lateral movement phase?


Toolchain Diary: Week 3 additions

  • Nmap -- The practitioner's canonical port scanner. Deepened from NET-101 (where it introduced the concept of port scanning) into engagement-methodology use (scan type selection, NSE, host inventory production). Version: nmap --version.
  • Masscan -- Fast broad discovery scanner; complements Nmap's depth with raw speed across large IP ranges.
  • enum4linux -- SMB/Samba null-session enumeration; wraps smbclient, rpcclient, net, and nmblookup.
  • smbmap -- SMB share enumeration with access-level indication (read/write per share).
  • ssh-audit -- Checks SSH server configuration for weak ciphers, MACs, and key exchange algorithms.

What's next

Week 4 narrows the scope from the whole network to the web application attack surface. Burp Suite goes inline as the HTTP proxy. You map the web application's structure, enumerate directories, and fingerprint the technology stack. Every web service you flagged in Lab 3's host inventory becomes a Week 4 target.