After this lesson, you will be able to: Run passive and active recon: OSINT, Nmap, DNS enumeration.
Recon is the longest phase of a real engagement. The more you know about the target, the more efficient exploitation is. This lesson differentiates passive (no contact) from active (touching the target) and gets you using Nmap.
Passive. Google dorking, LinkedIn employee enumeration, Shodan, Wayback Machine. The target sees nothing. Active. DNS lookups, port scans, banner grabbing. The target may log your IP.
Against a target you OWN or a TryHackMe lab IP:
# Default scan (top 1000 ports, TCP)nmap 10.10.10.10# Service/version detectionnmap -sV 10.10.10.10# OS fingerprint + scripts (aggressive)nmap -A 10.10.10.10# All ports (slower)nmap -p- 10.10.10.10
`dig targetcompany.com any`, shows all records. Subdomain enumeration with `subfinder`, `amass`, `dnsenum`, finds dev/staging/admin subdomains often left exposed.
Pick.
Sign in and purchase access to unlock this lesson.