Internal Active Recon

This guide is intended for internal corporate usage in controlled environments and is noisy on the network. The code snippets below are examples that demonstrate the methodology while keeping every stage's output organized under one working directory.

Prerequisites

  • Obtain explicit written authorization before scanning any external or internal assets.

  • Define scope: which domains, IP ranges, and network segments to include or exclude.

  • Understand and document business criticality of assets.

  • Ensure VPN or internal network access as needed.

  • Prepare and organize target lists (domains, IPs) in text files.

  • Set up a dedicated scanning host with appropriate privileges and resources.

  • Install necessary tools:

    • Subdomain enumerators: findomain, sublist3r, amass (with API keys for VirusTotal, Shodan if needed)

    • Scanners: masscan, nmap

    • Vulnerability scanners: nuclei, openvas, nessus

    • HTTP validation and fingerprinting: httpx, dismap, eyewitness

    • Internal domain enumeration and attack path mapping: bloodhound, crackmapexec


Directory & Workspace Setup

  1. Create a structured workspace on your scanning host before starting scans:

mkdir -p ~/attack-surface-assessment/{outputs,subdomains,nmap,masscan,vulnerabilities,screenshots,bloodhound}
cd ~/attack-surface-assessment

  • outputs/: General aggregated outputs and reports.

  • subdomains/: Raw and processed subdomain enumeration results.

  • nmap/: Detailed service scans.

  • masscan/: Large-scale port scan files.

  • vulnerabilities/: Vulnerability scan reports.

  • screenshots/: Browser screenshots captured during reconnaissance.

  • bloodhound/: Internal domain enumeration and attack path data.

Documentation: This setup supports organized storage of outputs for easy auditing and retrieval.


Attack Surface Assessment Workflow

1. Subdomain & Asset Enumeration

findomain -t example.com -u subdomains/findomain.txt   # -u: write results to the given file
sublist3r -d example.com -o subdomains/sublist3r.txt  # -o writes a clean list; stdout also carries banner text
amass enum -d example.com -o subdomains/amass.txt
# merge the per-tool files into one unique list
cat subdomains/findomain.txt subdomains/sublist3r.txt subdomains/amass.txt | sort -u > subdomains/all_subs.txt

Aggregate subdomains from multiple sources into a single unique list.

2. Validate & Resolve Assets

httpx -l subdomains/all_subs.txt -o outputs/live_hosts.txt

Confirm which hosts resolve in DNS and answer over HTTP/S; httpx writes one URL per line.

3. Port & Service Discovery

# masscan takes IP addresses, not the URLs httpx writes: strip scheme/port, resolve, keep IPv4 answers
sed -E 's#^https?://##; s#[:/].*##' outputs/live_hosts.txt | sort -u | while read -r h; do dig +short "$h" A; done | grep -E '^[0-9.]+$' | sort -u > masscan/targets.txt
masscan -p1-65535 -iL masscan/targets.txt --rate=10000 -oG masscan/masscan_results.gnmap
# masscan's grepable output has no "Status: Up" lines; pull the address out of each "Host:" field instead
grep -oE 'Host: [0-9.]+' masscan/masscan_results.gnmap | awk '{print $2}' | sort -u > nmap/scan_targets.txt
nmap -sS -sV -A -iL nmap/scan_targets.txt -oN nmap/nmap_services.txt

Quick port scan with Masscan and detailed service enumeration with Nmap.

4. Vulnerability Assessment

nuclei -l outputs/live_hosts.txt -o vulnerabilities/nuclei_web_results.txt
openvas-cli --target-file nmap/scan_targets.txt --output vulnerabilities/openvas_report.html
nessus -q -x -i nmap/scan_targets.txt -o vulnerabilities/nessus_report.nessus

Run fast template-based and deep vulnerability scans.

5. Internal Network Mapping (if authorized)

nmap -sn 10.0.0.0/8 -oG nmap/internal_discovery.gnmap
awk '/Status: Up/{print $2}' nmap/internal_discovery.gnmap > nmap/internal_live_hosts.txt
nmap -sS -sV -A -iL nmap/internal_live_hosts.txt -oN nmap/internal_services.txt
# bloodhound-python writes its JSON into the current directory, so run it from bloodhound/ (-ns: DNS server to query, --zip: bundle the output)
(cd bloodhound && bloodhound-python -u admin -p 'Password123!' -d domain.local -ns 10.0.0.1 -c all --zip)
crackmapexec smb 10.0.0.0/24 -u username -p password

Internal host discovery and service enumeration, plus AD attack path analysis.

6. Web Technology & Screenshotting

dismap -i outputs/live_hosts.txt -o outputs/dismap_results.txt
eyewitness --web -f outputs/live_hosts.txt -d screenshots/

Fingerprint web tech stacks and gather screenshots.
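Steps 3 and 5 both hand grepable (-oG) scan output to the next stage with a one-line awk. The Python script below is an added example, not code from this guide or from any of the tools it lists; it parses both masscan's and nmap's grepable records (masscan writes a Timestamp/Host/Ports line per open port and no Status line, nmap writes a Status line per host and a comma-separated Ports field), builds a per-host inventory, and writes the deduplicated next-stage target list in the form nmap -iL expects. The sample records and the function names are constructed for the example.

```python
"""Parse grepable (-oG) output from masscan or nmap into a host inventory and
derive the next stage's target list. Added example, not part of the original
guide; the sample records below are constructed."""
import ipaddress
import re

# Constructed sample mixing masscan records (Timestamp/Host/Ports, no Status line)
# with nmap records (a Status line per host, comma-separated Ports field).
SAMPLE_GNMAP = """\
# Masscan 1.3.2 scan initiated Mon Jan  1 10:00:00 2024
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Timestamp: 1704103200\tHost: 10.0.0.5 ()\tPorts: 443/open/tcp//https//
Timestamp: 1704103201\tHost: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//
Timestamp: 1704103202\tHost: 10.0.0.9 ()\tPorts: 80/open/tcp//http//
# Nmap 7.94 scan initiated Mon Jan  1 11:00:00 2024 as: nmap -sS -sV -oG - 10.0.0.7-8
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/filtered/tcp//ms-wbt-server//\tIgnored State: closed (998)
Host: 10.0.0.8 ()\tStatus: Down
"""

HOST_RE = re.compile(r"Host: (\S+) \(")      # address sits before the "(hostname)" field
STATUS_RE = re.compile(r"Status: (\w+)")
PORTS_RE = re.compile(r"Ports: ([^\t]*)")     # the Ports field ends at the next tab


def parse_gnmap(text):
    """Return {ip: {"status": "Up"/"Down"/None, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:                      # comment lines and blank lines
            continue
        rec = hosts.setdefault(m.group(1), {"status": None, "ports": []})
        s = STATUS_RE.search(line)
        if s:
            rec["status"] = s.group(1)
        p = PORTS_RE.search(line)
        if p:
            for entry in p.group(1).split(","):
                f = entry.strip().split("/")
                # entry layout: port/state/proto/owner/service/rpc/version/
                if len(f) < 5 or not f[0].isdigit():
                    continue
                rec["ports"].append((int(f[0]), f[1], f[2], f[4]))
    return hosts


def open_services(hosts):
    """Flat, sorted list of (ip, port, proto, service) for open ports only."""
    rows = [(ip, port, proto, svc)
            for ip, rec in hosts.items()
            for port, state, proto, svc in rec["ports"] if state == "open"]
    return sorted(rows, key=lambda r: (ipaddress.ip_address(r[0]), r[1]))


def next_stage_targets(hosts):
    """IPs worth a detailed nmap pass: reported Up by nmap, or with any open port
    (masscan never writes a Status line, so open ports are its only signal)."""
    keep = {ip for ip, rec in hosts.items()
            if rec["status"] == "Up" or any(st == "open" for _, st, _, _ in rec["ports"])}
    return sorted(keep, key=ipaddress.ip_address)


def write_targets(hosts, path):
    """Write the next-stage list one IP per line, as nmap -iL expects; returns the count."""
    targets = next_stage_targets(hosts)
    with open(path, "w") as fh:
        fh.write("\n".join(targets) + "\n")
    return len(targets)


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for row in open_services(inv):
        print("%-12s %5d/%s %s" % row)
    print("next stage:", next_stage_targets(inv))
```

To run it on real output, read masscan/masscan_results.gnmap or nmap/internal_discovery.gnmap into parse_gnmap and call write_targets with the next stage's list path; the same parser serves both because it keys on the Host field wherever it sits in the line.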


Post-Assessment: File Structure & Organization

Example directory structure and contents after assessment:

~/attack-surface-assessment/
├── outputs/
│   ├── live_hosts.txt
│   ├── dismap_results.txt
│   └── aggregated_report.pdf
├── subdomains/
│   ├── all_subs.txt
│   ├── findomain.txt
│   ├── sublist3r.txt
│   └── amass.txt
├── nmap/
│   ├── internal_services.txt
│   ├── nmap_services.txt
│   ├── internal_live_hosts.txt
│   └── scan_targets.txt
├── masscan/
│   └── masscan_results.gnmap
├── vulnerabilities/
│   ├── nuclei_web_results.txt
│   ├── openvas_report.html
│   └── nessus_report.nessus
├── screenshots/
│   └── (image files)
└── bloodhound/
    └── bloodhound_data.json

Notes and Best Practices

  • Chain outputs between stages for automation and maximum coverage.

  • Use sort -u often to avoid duplicate targets and repeated scans.

  • Keep directory structure consistent and filenames clear.

  • Only scan within authorized scope.

  • Schedule scans to minimize disruption.
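The scope and de-duplication notes above are easiest to honor if every target list passes through a gate before it reaches a scanner. The script below is an added example, not code from this guide or from any listed tool; its scope values (AUTHORIZED_NETWORKS, AUTHORIZED_DOMAINS, EXCLUDED) and the sample target list are constructed. It accepts the forms the workflow produces (plain IPs, CIDRs, hostnames, and the URLs httpx writes), drops duplicates, and rejects anything that is not wholly inside the authorized ranges or that touches an exclusion, so a CIDR that contains an excluded address is rejected as a whole rather than scanned around.

```python
"""Gate every target list against the written authorization before it reaches
a scanner. Added example, not part of the original guide; the scope values and
target list below are constructed."""
import ipaddress

# Constructed scope, as it would be transcribed from the authorization letter.
AUTHORIZED_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24"]
AUTHORIZED_DOMAINS = ["example.com"]
# Explicit exclusions: e.g. a gateway, a business-critical segment, a fragile host.
EXCLUDED = ["10.0.0.1", "10.5.0.0/16", "legacy.example.com"]


def normalize(target):
    """Reduce an IP, CIDR, hostname or httpx-style URL to an ip_network
    (single IPs become /32) or a lowercase hostname."""
    t = target.strip().lower()
    if "://" in t:                                    # URL: keep only the host part
        t = t.split("://", 1)[1].split("/", 1)[0]
        if t.count(":") == 1:                         # drop :port (IPv4/hostnames only)
            t = t.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_network(t, strict=False)
    except ValueError:
        return t.rstrip(".")


def _under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def in_scope(target, nets=AUTHORIZED_NETWORKS, domains=AUTHORIZED_DOMAINS, excluded=EXCLUDED):
    """In scope only if wholly inside an authorized network (or under an authorized
    domain) and touching nothing on the exclusion list."""
    t = normalize(target)
    ex = [normalize(e) for e in excluded]
    if isinstance(t, str):                            # hostname
        return (any(_under(t, d.lower()) for d in domains)
                and not any(_under(t, e) for e in ex if isinstance(e, str)))
    allowed = [ipaddress.ip_network(n) for n in nets]
    inside = any(n.version == t.version and t.subnet_of(n) for n in allowed)
    touches_excluded = any(not isinstance(e, str) and e.version == t.version and t.overlaps(e)
                           for e in ex)
    return inside and not touches_excluded


def filter_targets(targets, nets=AUTHORIZED_NETWORKS, domains=AUTHORIZED_DOMAINS, excluded=EXCLUDED):
    """Drop blanks, comments and duplicates, then split into (allowed, rejected)."""
    allowed, rejected, seen = [], [], set()
    for raw in targets:
        raw = raw.strip()
        if not raw or raw.startswith("#") or raw in seen:
            continue
        seen.add(raw)
        (allowed if in_scope(raw, nets, domains, excluded) else rejected).append(raw)
    return allowed, rejected


# Constructed target list of the kind subdomains/all_subs.txt or outputs/live_hosts.txt would hold.
SAMPLE_TARGETS = [
    "https://app.example.com",         # under an authorized domain
    "https://app.example.com",         # duplicate, dropped silently
    "http://legacy.example.com:8080",  # excluded host
    "10.0.3.7",                        # inside 10.0.0.0/8
    "10.0.0.1",                        # excluded address
    "10.5.12.9",                       # inside the excluded /16
    "10.0.0.0/24",                     # authorized range, but it contains the excluded 10.0.0.1
    "192.168.10.0/24",                 # authorized range
    "172.16.0.4",                      # not authorized
    "example.org",                     # not an authorized domain
]

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE_TARGETS)
    print("allowed:", ok)
    print("rejected (do not scan):", bad)
```

Feed the allowed list to the scanners and keep the rejected list with the engagement notes; a non-empty rejected list is worth a look before scanning, since it usually means the target list was built from a wider source than the authorization covers.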
