Infrastructure Reconnaissance: Your First Steps in Network Pentesting

Table of contents

👋 Introduction

Hey everyone!

Funny how this works. I’ve spent months covering complex offensive security topics. Web3 signature exploitation, Active Directory attacks, Kubernetes escapes, deserialization chains. But somehow I never wrote about the absolute basics.

nmap. nuclei. Subdomain enumeration. The tools you literally use on day one of every infrastructure assessment or bug bounty program.

This is pentesting 101. The foundation everything else builds on. Whether you just landed your first infrastructure pentest, want to get into bug bounty, or need to refresh the fundamentals, this is where you start. You can’t exploit an Active Directory environment if you can’t enumerate the network. You can’t find Web3 API vulnerabilities if you don’t know how to discover endpoints.

And while the methodology hasn’t changed, the tooling has evolved massively. Modern reconnaissance frameworks automate workflows that used to take days. Nuclei runs 10,000+ vulnerability templates in minutes. Subdomain enumeration now leverages certificate transparency and passive DNS datasets at scale.

This week we’re covering the complete infrastructure reconnaissance workflow from zero. Port scanning with nmap, masscan, and rustscan. Vulnerability detection with nuclei. Subdomain enumeration strategies. SSL/TLS analysis. And how to chain everything into a systematic methodology you can use on your next engagement.

Let’s build that attack surface map 👇

🎯 The Methodology

Infrastructure recon isn’t about randomly running tools. You’re building a complete picture of the attack surface, layer by layer.

Phase 1: Network Discovery - Find live hosts and open ports. This gives you the initial surface.

Phase 2: Service Enumeration - Extract versions, configurations, protocols. This reveals specific attack vectors.

Phase 3: Vulnerability Scanning - Map known CVEs to enumerated services.

Phase 4: Subdomain Enumeration - Expand the surface. Dev servers and staging environments are often less secured.

Phase 5: SSL/TLS Analysis - Test crypto configs. Weak ciphers and cert issues lead to MITM or info disclosure.

Each phase informs the next. Ports reveal services. Services reveal versions. Versions map to CVEs.

🔍 Port Scanning with nmap

nmap is the standard. You’re testing infrastructure? You’re using nmap.

Basic scans:

# Top 1000 ports
nmap 10.0.0.1

# Specific ports
nmap -p 80,443,8080 10.0.0.1

# All ports
nmap -p- 10.0.0.1

SYN scan (faster, stealthier):

# Default for privileged users
sudo nmap -sS 10.0.0.1

# Skip ping (useful if ICMP blocked)
sudo nmap -Pn -sS 10.0.0.1

SYN scans don’t complete the TCP handshake. Faster and less likely to trigger application logs.

Service detection:

# Detect versions
nmap -sV 10.0.0.1

# Aggressive detection
nmap -sV --version-intensity 9 10.0.0.1

# OS + version
sudo nmap -A 10.0.0.1

You need exact versions to map CVEs. OpenSSH 7.2p2 has different vulns than 8.0p1.

Timing (speed vs stealth):

# Slow and stealthy (IDS evasion)
nmap -T1 10.0.0.1

# Normal (default)
nmap -T3 10.0.0.1

# Aggressive (faster)
nmap -T4 10.0.0.1

Bug bounty and authorized tests? Use -T4. Red team where stealth matters? -T1 or -T2.

NSE scripts (the real power):

nmap includes 600+ NSE scripts for vulnerability detection and advanced enumeration:

# Default scripts + version detection
nmap -sC -sV 10.0.0.1

# Specific script
nmap --script http-title 10.0.0.1

# All HTTP scripts
nmap --script "http-*" -p 80,443 10.0.0.1

# Vulnerability scripts
nmap --script vuln 10.0.0.1

# SMB enumeration
nmap --script smb-os-discovery,smb-enum-shares -p 445 10.0.0.1

NSE automates recon that would otherwise need manual testing. http-title grabs page titles. smb-enum-shares lists shares. ssl-cert extracts certificate SANs (great for subdomain discovery).

Web server enumeration:

# Comprehensive web enum
sudo nmap -Pn -sS -sV -p 80,443,8000-8443 \
  --script http-title,http-headers,ssl-cert \
  10.0.0.1

Always save outputs:

# All formats
nmap -oA scan 10.0.0.1

⚡ Speed Scanning

nmap is thorough but slow on large networks. masscan trades thoroughness for raw speed.

# Scan all ports (very fast)
sudo masscan 10.0.0.1 -p0-65535 --rate 10000

# Common web ports across /24
sudo masscan 10.0.0.0/24 -p80,443,8080,8443 --rate 5000

masscan is stateless and asynchronous. Blazing fast but less accurate.

Best workflow: masscan + nmap

# Step 1: masscan finds ports
sudo masscan 10.0.0.0/24 -p0-65535 --rate 10000 -oL masscan.txt

# Step 2: nmap enumerates those specific ports
# Parse masscan output and feed to nmap

Combine masscan’s speed with nmap’s accuracy.

rustscan alternative:

rustscan is modern, fast, and pipes directly to nmap:

# Automatically pipes to nmap
rustscan -a 10.0.0.1

# All ports, aggressive
rustscan -a 10.0.0.1 -r 1-65535 -- -A -T4

🎯 Vulnerability Scanning with nuclei

nuclei by ProjectDiscovery is the standard for automated vulnerability detection in bug bounty. Template-based, fast, and community-driven.

Over 10,000+ templates covering CVEs, misconfigurations, exposed panels, and more.

Note: I cover nuclei in depth in my Web Pentesting Fundamentals series, including custom template creation and advanced workflows. This section gives you the essentials to get started.

Setup:

# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Update templates (do this regularly)
nuclei -ut

Basic usage:

# Scan single target
nuclei -u https://example.com

# Scan multiple targets
nuclei -l targets.txt

# Critical and high severity only
nuclei -u https://example.com -severity critical,high

# Specific tech (WordPress, Laravel, etc)
nuclei -u https://example.com -tags wordpress

# Specific CVE
nuclei -u https://example.com -tags cve2024

Filtering:

# CVE templates only
nuclei -u https://example.com -t cves/

# Misconfiguration templates
nuclei -u https://example.com -t misconfiguration/

# Exclude DOS/fuzzing
nuclei -u https://example.com -etags dos,fuzz

Rate limiting:

# Limit requests per second
nuclei -u https://example.com -rate-limit 50

# Custom headers (auth, WAF bypass)
nuclei -u https://example.com -H "Authorization: Bearer token"

Writing custom templates:

This is where nuclei shines. Custom templates for specific targets:

id: custom-admin-panel

info:
  name: Custom Admin Panel Detection
  author: yourname
  severity: info
  tags: panel,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin-secret"
      - "{{BaseURL}}/secret-panel"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "Admin Login"
          - "Dashboard"
        condition: or

Save as custom.yaml:

nuclei -u https://example.com -t custom.yaml

CVE template example:

id: CVE-2024-example

info:
  name: Example Product RCE
  author: yourname
  severity: critical
  classification:
    cve-id: CVE-2024-example

http:
  - raw:
      - |
        POST /api/upload HTTP/1.1
        Host: {{Hostname}}

        {"file":"test.php","exec":"true"}

    matchers:
      - type: word
        words:
          - "upload successful"
        condition: or

Check the template guide for full syntax.

Bug bounty workflow:

# Discover subdomains
subfinder -d example.com -o subs.txt

# Find live hosts
cat subs.txt | httpx -silent -o live.txt

# Scan for vulns
nuclei -l live.txt -severity critical,high

This pipeline discovers subdomains, identifies live hosts, and scans for vulnerabilities in minutes.

🌐 Subdomain Enumeration

Subdomain enum expands your attack surface. Forgotten staging servers and dev environments are often less secured than production.

Certificate Transparency:

crt.sh logs every issued SSL certificate publicly. Perfect for subdomain discovery.

# Query crt.sh API
curl -s "https://crt.sh/?q=%25.example.com&output=json" | \
  jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u

subfinder (passive):

subfinder aggregates 30+ sources (crt.sh, VirusTotal, Shodan):

# Install
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Basic
subfinder -d example.com

# All sources
subfinder -d example.com -all -o subs.txt

amass (passive + active):

OWASP Amass is more aggressive. Active DNS brute-forcing:

# Passive only
amass enum -passive -d example.com

# Active with brute-force
amass enum -active -brute -d example.com -o amass.txt

assetfinder (fast and simple):

assetfinder by Tom Hudson:

# Install
go install github.com/tomnomnom/assetfinder@latest

# Basic usage
assetfinder --subs-only example.com

DNS brute-forcing with puredns:

# Install
go install github.com/d3mondev/puredns/v2@latest

# Brute-force
puredns bruteforce wordlist.txt example.com

Use SecLists DNS wordlist.

httpx (probe live hosts):

# Install
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

# Probe discovered subdomains
cat subs.txt | httpx -silent -o live.txt

Complete workflow:

# Passive enum
subfinder -d example.com > subs1.txt
assetfinder --subs-only example.com > subs2.txt

# Combine
cat subs1.txt subs2.txt | sort -u > all_subs.txt

# DNS brute-force (optional)
puredns bruteforce wordlist.txt example.com >> all_subs.txt

# Probe live
cat all_subs.txt | httpx -silent -o live.txt

# Scan
nuclei -l live.txt -severity critical,high

🔐 SSL/TLS Analysis

SSL/TLS misconfigs lead to MITM, info disclosure, and compliance violations.

testssl.sh:

testssl.sh tests protocols, ciphers, cert validity, and known vulns:

# Clone
git clone --depth 1 https://github.com/drwetter/testssl.sh.git

# Basic scan
./testssl.sh https://example.com

# Check vulnerabilities
./testssl.sh --vulnerable https://example.com

# JSON output
./testssl.sh --json --jsonfile results.json https://example.com

Checks for weak protocols (SSLv2, SSLv3, TLS 1.0), weak ciphers, cert issues, and vulns (POODLE, Heartbleed, DROWN).

Extract SANs for subdomain discovery:

# Extract SANs from cert
echo -n | openssl s_client -connect example.com:443 2>/dev/null | \
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
  openssl x509 -text -noout | \
  grep -A1 "Subject Alternative Name" | \
  grep DNS: | sed 's/DNS://g' | tr ',' '\n'

Or with nmap:

nmap --script ssl-cert -p 443 example.com

🛠️ Automation Frameworks

reconftw automates the entire workflow:

# Clone and install
git clone https://github.com/six2dez/reconftw
cd reconftw && ./install.sh

# Full recon
./reconftw.sh -d example.com -r

reconftw chains subfinder, amass, httpx, nuclei, and more into one workflow.

recon-ng is modular like Metasploit:

pip3 install recon-ng
recon-ng

# Create workspace
workspaces create example_recon

# Load module
modules load recon/domains-hosts/certificate_transparency
options set SOURCE example.com
run

🎯 Key Takeaways

Infrastructure recon is the foundation. You can’t exploit what you can’t find. Master port scanning, service enumeration, and subdomain discovery before moving to exploitation.

nmap is still the gold standard. NSE scripts automate vulnerability checks and advanced recon. Combine masscan or rustscan for speed, then nmap for accuracy.

nuclei automates vulnerability detection at scale. Over 10,000 templates covering CVEs and misconfigs. Write custom templates for specific targets.

Subdomain enumeration expands attack surface exponentially. Use subfinder and amass for passive discovery, puredns for brute-forcing, httpx for probing. Staging servers are prime targets.

Certificate Transparency logs are gold mines. Every SSL cert is logged publicly. Extract SANs for subdomain discovery.

Automation is essential. reconftw chains subdomain enum, port scanning, and vulnerability scanning into single workflows.

---

That’s it for this week.

This is foundational stuff. Every infrastructure assessment starts here. Master nmap syntax. Learn nuclei templates. Build subdomain enum workflows. Practice on bug bounty programs and HTB.

The attack surface is out there. Go find it.

Thanks for reading, and happy hunting!

— Ruben

Other Issues

WiFi Hacking 101: Breaking Into Wireless Networks (Part 1)

Previous Issue