# Internal Active Recon

{% hint style="danger" %}

### This guide is intended for internal corporate use in controlled environments, and every step in it is noisy on the network. The code snippets below illustrate the methodology and keep all output organized under one working directory.

{% endhint %}

### Prerequisites

* Obtain explicit written authorization before scanning any external or internal assets.
* Define scope: which domains, IP ranges, and network segments to include or exclude.
* Understand and document business criticality of assets.
* Ensure VPN or internal network access as needed.
* Prepare and organize target lists (domains, IPs) in text files.
* Set up a dedicated scanning host with appropriate privileges and resources.
* Install necessary tools:
  * Subdomain enumerators: `findomain`, `sublist3r`, `amass` (with API keys for VirusTotal, Shodan if needed)
  * Scanners: `masscan`, `nmap`
  * Vulnerability scanners: `nuclei`, `openvas`, `nessus`
  * HTTP validation and fingerprinting: `httpx`, `dismap`, `eyewitness`
  * Internal domain enumeration and attack path mapping: `bloodhound`, `crackmapexec`

***

### Directory & Workspace Setup

1. Create a structured workspace on your scanning host before starting scans:

```bash
mkdir -p ~/attack-surface-assessment/{outputs,subdomains,nmap,masscan,vulnerabilities,screenshots,bloodhound}
cd ~/attack-surface-assessment
```

* `outputs/`: General aggregated outputs and reports.
* `subdomains/`: Raw and processed subdomain enumeration results.
* `nmap/`: Detailed service scans.
* `masscan/`: Large-scale port scan files.
* `vulnerabilities/`: Vulnerability scan reports.
* `screenshots/`: Browser screenshots captured during reconnaissance.
* `bloodhound/`: Internal domain enumeration and attack path data.

**Documentation:** This setup supports organized storage of outputs for easy auditing and retrieval.

***

### Attack Surface Assessment Workflow

### 1. Subdomain & Asset Enumeration

```bash
findomain -t example.com -u subdomains/findomain.txt
sublist3r -d example.com -o subdomains/sublist3r.txt
amass enum -d example.com -o subdomains/amass.txt
cat subdomains/findomain.txt subdomains/sublist3r.txt subdomains/amass.txt | sort -u > subdomains/all_subs.txt
```

*Each enumerator writes its own file, so a name can later be traced back to the source that found it; the files are then merged into a single de-duplicated list. (`findomain -u` writes all results for the target to the named file; its `-o` flag writes to a file named after the target instead.)*

* [Findomain GitHub & Blog](https://github.com/Findomain/Findomain), <https://findomain.app/the-real-power-of-findomain/>
* [Sublist3r GitHub](https://github.com/aboul3la/Sublist3r)
* [Amass GitHub](https://github.com/OWASP/Amass)
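The merge above assumes the raw files are already clean. In practice they mix upper and lower case, contain wildcard entries such as `*.dev.example.com`, carry trailing dots, and include names from other domains picked up through certificate transparency or shared hosting, none of which should reach a scanner. The helper below is an added example, not code from the original page or from any of the three tools: it normalises concatenated enumerator output into one in-scope list. The scope domain argument, the function names and the sample input are assumptions made for the example.

```bash
#!/bin/sh
# Added example: merge raw subdomain enumerator output into one clean, in-scope list.
# The scope domain is the only argument; raw names arrive on stdin.

# normalize_subs SCOPE_DOMAIN  < raw names  > clean names
#   - lowercase everything (DNS is case-insensitive, tools disagree on case)
#   - strip surrounding whitespace, a leading "*." or ".", and a trailing "."
#   - drop blank lines and anything that is not the scope domain itself or a
#     name ending in ".<scope domain>" (example.community is not example.com,
#     and example.com.attacker.net is not either)
normalize_subs() {
    scope=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/^\.//' -e 's/\.$//' \
      | awk -v d="$scope" \
            'NF && ($0 == d || substr($0, length($0) - length(d)) == "." d)' \
      | sort -u
}

# Constructed sample standing in for subdomains/{findomain,sublist3r,amass}.txt
# concatenated together: mixed case, a wildcard, a trailing dot, a duplicate,
# a blank line, a look-alike TLD and a name that merely contains the scope domain.
sample_raw_subs() {
    cat <<'EOF'
WWW.Example.com
*.dev.example.com
mail.example.com.
example.com

www.example.com
evil.example.com.attacker.net
example.community
EOF
}

# demo_merge: the sample run through the filter; prints the clean list.
demo_merge() {
    sample_raw_subs | normalize_subs example.com
}

# Real use (assumed file names from this page):
#   cat subdomains/findomain.txt subdomains/sublist3r.txt subdomains/amass.txt \
#     | normalize_subs example.com > subdomains/all_subs.txt
demo_merge
```

The suffix test compares against `.example.com` with the dot included, which is what keeps `example.community` and `example.com.attacker.net` out; a plain `grep example.com` would let both through.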

### 2. Validate & Resolve Assets

```bash
httpx -l subdomains/all_subs.txt -silent -o outputs/live_hosts.txt
```

*Probe every name over HTTP and HTTPS. `live_hosts.txt` holds the reachable URLs (`scheme://host[:port]`), so it feeds the web-oriented stages (nuclei, dismap, EyeWitness); it is not a list of IP addresses.*

* [Httpx GitHub](https://github.com/projectdiscovery/httpx)

### 3. Port & Service Discovery

```bash
# masscan scans IP addresses only (it does not resolve names), so resolve the list first and check the result against scope: a name may point at a CDN or a third-party host
xargs -I{} dig +short A {} < subdomains/all_subs.txt | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u > masscan/target_ips.txt
sudo masscan -p1-65535 -iL masscan/target_ips.txt --rate=10000 -oG masscan/masscan_results.gnmap
awk '/^Host:/{print $2}' masscan/masscan_results.gnmap | sort -u > nmap/scan_targets.txt   # one "Host:" line per open port
sudo nmap -sS -A -iL nmap/scan_targets.txt -oN nmap/nmap_services.txt
```

*Masscan finds open ports quickly across the whole range; Nmap then fingerprints the services (`-A` already includes `-sV`). Both need root for raw SYN scanning. Note that `nmap` without `-p` scans only its default top 1000 ports, so an open port masscan found outside that set is not re-examined unless it is passed explicitly.*

* [Masscan GitHub](https://github.com/robertdavidgraham/masscan)
* [Nmap Official](https://nmap.org/book/man-briefoptions.html)
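Because nmap's default port set is the top 1000, a service masscan found on, say, 8443 is silently skipped by the command above. The script below is an added example (not from the original page or from either tool): it parses masscan's grepable output into one line per host with its open TCP ports and emits an nmap command per host that scans exactly those ports. The sample masscan output is constructed, and the `nmap/<ip>.txt` naming is an assumption.

```bash
#!/bin/sh
# Added example: turn masscan -oG output into per-host nmap service scans that
# cover exactly the ports masscan found, instead of nmap's default top-1000 set.

# masscan_hosts_ports FILE
#   Reads masscan grepable output (one "Host: <ip> () Ports: <port>/open/tcp////"
#   line per open port, possibly repeated) and prints "ip port1,port2,..." per host,
#   ports de-duplicated and in numeric order.
masscan_hosts_ports() {
    awk '/^Host:/ {
            ip = $2
            for (i = 4; i <= NF; i++) {             # fields after "Ports:"
                n = split($i, entry, ",")           # nmap-style lists are comma separated
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")         # port/state/proto/...
                    if (f[1] ~ /^[0-9]+$/ && f[2] == "open" && f[3] == "tcp")
                        print ip, f[1]
                }
            }
        }' "$1" \
      | sort -u | sort -k1,1 -k2,2n \
      | awk '$1 != cur { if (cur != "") print cur, ports; cur = $1; ports = $2; next }
             { ports = ports "," $2 }
             END { if (cur != "") print cur, ports }'
}

# nmap_commands FILE
#   Prints one nmap command per host. Pipe into "sudo sh" to execute (-sS needs root).
nmap_commands() {
    masscan_hosts_ports "$1" | while read -r ip ports; do
        printf 'nmap -sS -sV -sC -p %s -oN nmap/%s.txt %s\n' "$ports" "$ip" "$ip"
    done
}

# Constructed sample of masscan -oG output (assumption: masscan 1.x line format,
# with a duplicate finding and a non-default port mixed in).
sample_masscan_gnmap() {
    cat <<'EOF'
# Masscan 1.3.2 scan initiated Mon Jan  1 00:00:00 2024
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.1.5 ()	Ports: 443/open/tcp////
Host: 10.0.1.7 ()	Ports: 8443/open/tcp////
Host: 10.0.1.5 ()	Ports: 22/open/tcp////
Host: 10.0.1.5 ()	Ports: 443/open/tcp////
Host: 10.0.1.7 ()	Ports: 80/open/tcp//http//
# Masscan done at Mon Jan  1 00:05:00 2024
EOF
}

# Dry run on the sample. Real use: nmap_commands masscan/masscan_results.gnmap | sudo sh
tmp=$(mktemp)
sample_masscan_gnmap > "$tmp"
nmap_commands "$tmp"
rm -f "$tmp"
```

The dry run prints the commands rather than executing them, so the list can be reviewed against scope before anything is sent; the per-host output files also keep one host's results from being lost if a later scan in the batch is interrupted.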

### 4. Vulnerability Assessment

```bash
nuclei -l outputs/live_hosts.txt -o vulnerabilities/nuclei_web_results.txt
# OpenVAS/GVM and Nessus are driven from their web UI or API rather than a one-line scan command:
# create a scan with nmap/scan_targets.txt as the target list, then export the finished report into vulnerabilities/.
```

*Run fast template-based scans with nuclei first, then the slower, deeper scanners against the hosts nmap confirmed; export their reports (`openvas_report.html`, `nessus_report.nessus`) into `vulnerabilities/` so everything sits in the same tree.*

* [Nuclei Docs](https://nuclei.projectdiscovery.io/templating-guide/)
* [Greenbone Community Edition (OpenVAS)](https://www.greenbone.net/en/community-edition/)
* [Nessus Docs](https://docs.tenable.com/nessus/)
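Nuclei writes one finding per line, and a full run against a live host list produces far more `info` lines than anything worth a report entry. The script below is an added example (not from the original page or from projectdiscovery) that triages a results file by severity: a count per severity level and the unique targets with at least one finding at or above a chosen level, ready for manual verification. It assumes nuclei's default text line format, `[template-id] [protocol] [severity] target`, and the findings in the sample are constructed.

```bash
#!/bin/sh
# Added example: triage a nuclei results file by severity.
# Assumes nuclei's default text output, one finding per line:
#   [template-id] [protocol] [severity] target [extracted-values]

# severity_rank NAME -> number, so levels can be compared (unknown -> 0)
severity_rank() {
    case "$1" in
        critical) echo 5 ;; high) echo 4 ;; medium) echo 3 ;;
        low)      echo 2 ;; info) echo 1 ;; *)      echo 0 ;;
    esac
}

# nuclei_summary FILE: number of findings per severity, most severe first
nuclei_summary() {
    awk '$1 ~ /^\[/ && $2 ~ /^\[/ && $3 ~ /^\[.*\]$/ {
            sev = substr($3, 2, length($3) - 2)      # strip the brackets
            count[sev]++
         }
         END {
            n = split("critical high medium low info", order, " ")
            for (i = 1; i <= n; i++)
                if (order[i] in count) print order[i], count[order[i]]
         }' "$1"
}

# nuclei_targets_at_least SEVERITY FILE: unique targets with a finding at or above SEVERITY
nuclei_targets_at_least() {
    min=$(severity_rank "$1")
    while read -r tpl proto sev target rest; do
        case "$tpl" in \[*\]) ;; *) continue ;; esac    # skip non-finding lines
        case "$sev" in \[*\]) ;; *) continue ;; esac
        s=$(printf '%s' "$sev" | tr -d '[]')
        if [ "$(severity_rank "$s")" -ge "$min" ]; then
            printf '%s\n' "$target"
        fi
    done < "$2" | sort -u
}

# Constructed sample of nuclei output (the findings are invented for the example).
sample_nuclei_output() {
    cat <<'EOF'
[ssl-issuer] [ssl] [info] app.example.com:443
[http-missing-security-headers:x-frame-options] [http] [info] https://app.example.com
[CVE-2021-44228] [http] [critical] https://app.example.com
[spring-actuator-exposed] [http] [medium] https://app.example.com/actuator
[CVE-2021-44228] [http] [critical] https://api.example.com
[git-config] [http] [medium] https://api.example.com/.git/config
EOF
}

# Demo on the sample. Real use: nuclei_summary vulnerabilities/nuclei_web_results.txt
tmp=$(mktemp)
sample_nuclei_output > "$tmp"
nuclei_summary "$tmp"
echo "--- targets with high or critical findings ---"
nuclei_targets_at_least high "$tmp"
rm -f "$tmp"
```

Lines that do not start with three bracketed fields (progress or error output that ended up in the file) are ignored rather than miscounted, and unknown severity strings rank below `info`, so a malformed line can never be promoted into the high-priority list.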

### 5. Internal Network Mapping (if authorized)

```bash
# sweep one in-scope segment at a time; a /8 is 16 million addresses
nmap -sn 10.0.0.0/24 -oG nmap/internal_discovery.gnmap
awk '/Up$/{print $2}' nmap/internal_discovery.gnmap > nmap/internal_live_hosts.txt
sudo nmap -sS -A -iL nmap/internal_live_hosts.txt -oN nmap/internal_services.txt
# bloodhound-python writes its JSON files to the current directory; -dc names a domain controller and -ns points DNS at one
(cd bloodhound && bloodhound-python -u "$AD_USER" -p "$AD_PASS" -d domain.local -dc dc01.domain.local -ns 10.0.0.1 -c all --zip)
crackmapexec smb 10.0.0.0/24 -d domain.local -u "$AD_USER" -p "$AD_PASS"
```

*Internal host discovery and service enumeration, then AD collection with BloodHound and SMB enumeration with CrackMapExec. `AD_USER` and `AD_PASS` stand for a low-privilege domain account held in the shell environment rather than typed literally on the command line, where it would land in shell history and process listings.*

* [BloodHound Docs](https://bloodhound.readthedocs.io/en/latest/)
* [CrackMapExec GitHub](https://github.com/byt3bl33d3r/CrackMapExec)

### 6. Web Technology & Screenshotting

```bash
dismap -f outputs/live_hosts.txt -o outputs/dismap_results.txt
eyewitness --web -f outputs/live_hosts.txt -d screenshots/ --no-prompt
```

*Fingerprint web tech stacks and gather screenshots of every live URL; `--no-prompt` keeps EyeWitness from stopping to ask about an existing output directory.*

* [Dismap GitHub](https://github.com/zhzyker/dismap)
* [Eyewitness GitHub](https://github.com/FortyNorthSecurity/EyeWitness)

***

### Post-Assessment: File Structure & Organization

Example directory structure and contents after assessment:

```
~/attack-surface-assessment/
├── outputs/
│   ├── live_hosts.txt
│   ├── dismap_results.txt
│   └── aggregated_report.pdf
├── subdomains/
│   ├── all_subs.txt
│   ├── findomain.txt
│   ├── sublist3r.txt
│   └── amass.txt
├── nmap/
│   ├── internal_services.txt
│   ├── nmap_services.txt
│   ├── internal_live_hosts.txt
│   └── scan_targets.txt
├── masscan/
│   ├── target_ips.txt
│   └── masscan_results.gnmap
├── vulnerabilities/
│   ├── nuclei_web_results.txt
│   ├── openvas_report.html
│   └── nessus_report.nessus
├── screenshots/
│   └── (image files)
└── bloodhound/
    └── (timestamped *_bloodhound.zip collections)
```

***

### Notes and Best Practices

* Chain outputs between stages so each stage consumes the previous stage's file; re-run only the stage whose input changed.
* Use `sort -u` often to avoid duplicates.
* Keep the directory structure consistent and filenames clear.
* Only scan within authorized scope, and check resolved addresses against it too: a name can point at a CDN or a third-party host.
* Schedule scans to minimize disruption, and lower masscan's `--rate` on internal segments, where a full-rate SYN flood can overwhelm older network equipment.
* Never put domain credentials literally on the command line; they end up in shell history and process listings.

