Internal Active Recon

This guide is intended for internal corporate usage in controlled environments and is noisy on the network. The below code snippets are examples to demonstrate the methodology and remaining organized with the same working directory.

Prerequisites

Obtain explicit written authorization before scanning any external or internal assets.
Define scope: which domains, IP ranges, and network segments to include or exclude.
Understand and document business criticality of assets.
Ensure VPN or internal network access as needed.
Prepare and organize target lists (domains, IPs) in text files.
Set up a dedicated scanning host with appropriate privileges and resources.
Install necessary tools:
- Subdomain enumerators: findomain, sublist3r, amass (with API keys for VirusTotal, Shodan if needed)
- Scanners: masscan, nmap
- Vulnerability scanners: nuclei, openvas, nessus
- HTTP validation and fingerprinting: httpx, dismap, eyewitness
- Internal domain enumeration and attack path mapping: bloodhound, crackmapexec

Directory & Workspace Setup

Create a structured workspace on your scanning host before starting scans:

mkdir -p ~/attack-surface-assessment/{outputs,subdomains,nmap,masscan,vulnerabilities,screenshots,bloodhound}
cd ~/attack-surface-assessment

outputs/: General aggregated outputs and reports.
subdomains/: Raw and processed subdomain enumeration results.
nmap/: Detailed service scans.
masscan/: Large-scale port scan files.
vulnerabilities/: Vulnerability scan reports.
screenshots/: Browser screenshots captured during reconnaissance.
bloodhound/: Internal domain enumeration and attack path data.

Documentation: This setup supports organized storage of outputs for easy auditing and retrieval.

Attack Surface Assessment Workflow

1. Subdomain & Asset Enumeration

findomain -t example.com -o subdomains/findomain.txt && cat subdomains/findomain.txt > subdomains/all_subs.txt
sublist3r -d example.com -o - | tee -a subdomains/all_subs.txt
amass enum -d example.com -o - | tee -a subdomains/all_subs.txt
sort -u subdomains/all_subs.txt -o subdomains/all_subs.txt

Aggregate subdomains from multiple sources into a single unique list.

2. Validate & Resolve Assets

httpx -l subdomains/all_subs.txt -o outputs/live_hosts.txt

Validate HTTP/S live hosts and DNS resolution.

Httpx GitHub

3. Port & Service Discovery

masscan -p1-65535 -iL outputs/live_hosts.txt --rate=10000 -oG masscan/masscan_results.gnmap
awk '/Up$/{print $2}' masscan/masscan_results.gnmap > nmap/scan_targets.txt
nmap -sS -sV -A -iL nmap/scan_targets.txt -oN nmap/nmap_services.txt

Quick port scan with Masscan and detailed service enumeration with Nmap.

4. Vulnerability Assessment

nuclei -l outputs/live_hosts.txt -o vulnerabilities/nuclei_web_results.txt
openvas-cli --target-file nmap/scan_targets.txt --output vulnerabilities/openvas_report.html
nessus -q -x -i nmap/scan_targets.txt -o vulnerabilities/nessus_report.nessus

Run fast template-based and deep vulnerability scans.

5. Internal Network Mapping (if authorized)

nmap -sn 10.0.0.0/8 -oG nmap/internal_discovery.gnmap
awk '/Up$/{print $2}' nmap/internal_discovery.gnmap > nmap/internal_live_hosts.txt
nmap -sS -sV -A -iL nmap/internal_live_hosts.txt -oN nmap/internal_services.txt
bloodhound-python -u admin -p 'Password123!' -d domain.local -gc-ip 10.0.0.1 -c all --json bloodhound/bloodhound_data.json
crackmapexec smb 10.0.0.0/24 -u username -p password

Internal host discovery and service enumeration, plus AD attack path analysis.

6. Web Technology & Screenshotting

dismap -i outputs/live_hosts.txt -o outputs/dismap_results.txt
eyewitness --web -f outputs/live_hosts.txt -d screenshots/

Fingerprint web tech stacks and gather screenshots.

Post-Assessment: File Structure & Organization

Example directory structure and contents after assessment:

~/attack-surface-assessment/
├── outputs/
│   ├── live_hosts.txt
│   ├── dismap_results.txt
│   └── aggregated_report.pdf
├── subdomains/
│   ├── all_subs.txt
│   ├── findomain.txt
│   ├── sublist3r.txt
│   └── amass.txt
├── nmap/
│   ├── internal_services.txt
│   ├── nmap_services.txt
│   ├── internal_live_hosts.txt
│   └── scan_targets.txt
├── masscan/
│   └── masscan_results.gnmap
├── vulnerabilities/
│   ├── nuclei_web_results.txt
│   ├── openvas_report.html
│   └── nessus_report.nessus
├── screenshots/
│   └── (image files)
└── bloodhound/
    └── bloodhound_data.json

Notes and Best Practices

Chain outputs between stages for automation and maximum coverage.
Use sort -u often to avoid duplications.
Keep directory structure consistent and filenames clear.
Only scan within authorized scope.
Schedule scans to minimize disruption.

PreviousRecon + OSINT NextOffensive

Last updated 5 months ago

hashtagThis guide is intended for internal corporate usage in controlled environments and is noisy on the network. The below code snippets are examples to demonstrate the methodology and remaining organized with the same working directory.

hashtagPrerequisites

hashtagDirectory & Workspace Setup

hashtagAttack Surface Assessment Workflow

hashtag1. Subdomain & Asset Enumeration

hashtag2. Validate & Resolve Assets

hashtag3. Port & Service Discovery

hashtag4. Vulnerability Assessment

hashtag5. Internal Network Mapping (if authorized)

hashtag6. Web Technology & Screenshotting

hashtagPost-Assessment: File Structure & Organization

hashtagNotes and Best Practices

This guide is intended for internal corporate usage in controlled environments and is noisy on the network. The below code snippets are examples to demonstrate the methodology and remaining organized with the same working directory.

Prerequisites

Directory & Workspace Setup

Attack Surface Assessment Workflow

1. Subdomain & Asset Enumeration

2. Validate & Resolve Assets

3. Port & Service Discovery

4. Vulnerability Assessment

5. Internal Network Mapping (if authorized)

6. Web Technology & Screenshotting

Post-Assessment: File Structure & Organization

Notes and Best Practices