Ethical Hacking Lesson 20 – Recon Best Practices | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
Reconnaissance & Scanning · Lesson 20

Recon Best Practices

Section II is nearly done. Ten lessons of reconnaissance and scanning — DNS, WHOIS, Google dorking, Nmap, service enumeration, vulnerability scanning, banner grabbing. This lesson ties it together into a workflow that holds up under real engagement conditions.

The mistakes that cost engagements

After running a recon phase, most people make one of two errors. Either they rush through it — ticking boxes rather than actually reading what the tools return — or they go so deep into one area that they run out of time for the rest. Both are avoidable. The first is a discipline problem. The second is a planning problem.

A tight recon workflow fixes both. It tells you what to do, in what order, for roughly how long — and when to move on even if a particular area feels like it might have more to give. Knowing when to stop digging in one place and move to the next is one of the less-discussed skills in pen testing, and it is genuinely important.

The recon workflow — phases in order

Every engagement is different but the underlying structure of a professional recon phase stays consistent. This is the order that works — each phase feeds into the next, and skipping one creates gaps that show up later.

RECON WORKFLOW — phases and outputs
1
Passive recon
WHOIS, DNS records, Google dorking, Shodan, theHarvester, certificate transparency. Zero contact with the target. Build the initial picture before anything active begins. Output: domain profile, subdomain list, email addresses, IP ranges, known CVEs on discovered IPs.
2
Scope confirmation
Cross-reference what passive recon found against the scope document. Flag anything that looks in-scope but was not listed — IP blocks from WHOIS, subdomains from cert logs. Confirm with the client before touching anything outside the explicit list.
3
Host discovery
Nmap -sn sweep across confirmed IP ranges. Find live hosts before committing to port scanning. Output: confirmed list of live addresses — the only ones worth scanning further.
4
Port scanning
SYN scan across all 65,535 ports on confirmed live hosts. Follow with UDP scan on high-value ports. Save all output with -oN or -oX. Output: complete open port list per host.
5
Service enumeration
Nmap -sV against open ports. Manual banner grabbing on interesting services. HTTP headers, SMTP VRFY, SMB null sessions. Output: service inventory with confirmed versions.
6
Vulnerability scanning
Nmap NSE vuln scripts first, then OpenVAS or Nessus for full coverage. Authenticated if credentials are available. Output: prioritised findings list with CVSS scores and detection method.
7
Manual validation
Confirm every significant finding manually before it enters the report. Document what you tested, how you tested it, and what the result was. Escalate criticals immediately — do not wait for the report.

Seven phases. The first two are passive and can run before the engagement formally opens. Phases three through seven are active and require an open testing window. If you have a two-week engagement, passive recon should already be complete before day one begins.

Documentation — the habit that separates professionals

Every command you run in a pen test should be logged. The timestamp, the exact command, the output, and a one-line note about what it revealed. This sounds tedious — it is not, once it becomes habit — and it matters for three very concrete reasons.

Reason 1 — You will need it for the report

Three days after running a scan, you will not remember whether a particular finding came from Nmap or OpenVAS or a manual banner grab. The log tells you. Without it, you either guess — which is unprofessional — or you re-run the command, which wastes time you do not have.

Reason 2 — Legal protection

If something goes wrong during an engagement — a service goes down, a client disputes what you tested — your logs are your evidence. Timestamped command history showing exactly what ran, when, and against which IP is the difference between a clean exit and a legal problem.

Reason 3 — Team coordination

On multi-person engagements, your logs let teammates pick up where you left off without duplicating work. A scan that was already run does not need to be run again. A finding that was already validated does not need re-validating. Good documentation multiplies team capacity.

Logging commands automatically during a session

The scenario: You are starting day two of a two-week engagement. Before running a single command, you set up a session log that will automatically capture everything you type — commands, outputs, and timestamps — into a structured file you can reference throughout the engagement and pull from when writing the report.

# Create an organised directory structure for the engagement
# Good folder structure means findings are easy to locate under time pressure

# mkdir -p creates all folders in the path at once, including parent directories
# Replace "clientname" with the actual client or engagement name
mkdir -p ~/engagements/clientname/{recon,scans,exploits,loot,report}

# Navigate into the engagement directory
cd ~/engagements/clientname

# Start a session log using the script command
# script captures everything printed to the terminal — commands and their output
# -t writes a timing file alongside the transcript (useful for replaying the session)
# The log file is named with today's date so multiple day logs do not overwrite each other
# tee -a appends to the log file rather than overwriting if you run this again today
script -t 2>recon/timing-$(date +%Y%m%d).log recon/session-$(date +%Y%m%d).log

# From this point every command and output is captured automatically
# When the session is done, type "exit" to stop the logging

# Also save Nmap output directly to files during scanning
# -oN saves human-readable output  -oX saves XML for tool import
nmap -sS -p- -T4 -oN scans/nmap-syn-full.txt -oX scans/nmap-syn-full.xml 192.168.56.101

Breaking it down:

The folder structure
Five folders — recon, scans, exploits, loot, report — mirror the phases of a pen test. Every file you create during the engagement goes into the appropriate folder. At report-writing time, everything you need is already organised. This sounds trivial until you are three days from deadline and searching for a specific Nmap output file.
script command
The script command records everything that appears on your terminal into a text file — including commands you type and the output they produce. The date-stamped filename means running it on multiple days creates separate logs rather than overwriting. It is the simplest possible session logging tool and it requires nothing to install.
-oN and -oX together
Saving Nmap output in both formats simultaneously costs nothing and gives you two useful files. The .txt file is readable by humans. The .xml file is importable into Metasploit with db_import — the same command covered in Lesson 18. Running both output flags on every scan is a habit that pays dividends during the exploitation phase.

Noise management — staying under the radar when it matters

Not every engagement is black box with the SOC unaware. But some are — and even on engagements where the security team knows testing is happening, good recon practice involves not generating unnecessary noise. Sloppy scanning habits that work fine in the lab become problems in production.

Three habits make a significant difference to scan visibility:

Timing

Use -T2 or -T3 on production systems. -T4 is fine for the lab. On real targets over real networks, aggressive timing generates bursts of traffic that IDS signatures are tuned to catch. Slow down slightly and you become significantly less visible.

Sequencing

Do not scan everything at once. Host discovery first, then targeted port scans on confirmed live hosts, then service enumeration on confirmed open ports. Each step narrows the scope of the next. Random, simultaneous scanning across all targets is the pattern that triggers alerts.

Passive first

Everything passive before anything active. Shodan, certificate logs, WHOIS, Google — none of it touches the target. Build as complete a picture as possible from public sources, then move to active scanning with a targeted list rather than a broad sweep.

The recon mindset — what to carry into Section III

Section III is system and network attacks — exploitation. Everything from here uses what the recon phase produced. The quality of your recon determines the quality of your exploitation phase. A weak recon means guessing what to attack. A strong recon means walking in with a prioritised list and knowing which door to try first.

Three things to carry forward:

Never act on unvalidated scanner output

A scanner finding is a hypothesis. Manual validation is the experiment. Do not write "vulnerable" in a report until you have confirmed it is actually vulnerable — not just version-string-possibly-vulnerable.

Critical findings get escalated immediately

A confirmed unauthenticated RCE or an exposed database backup does not wait for the final report. Phone call to the engagement contact — not an email — the same day it is found.

Stay inside the scope

Every tool, every technique, every packet — directed only at what is explicitly authorised. When WHOIS reveals an IP block larger than what the client listed, you confirm scope before you scan. When a subdomain surfaces that was not in the original list, you confirm before you touch it. Always.

Teacher's Note: The best recon produces a target list short enough to fit on one page, with each entry annotated with the confirmed version, the specific CVE it is susceptible to, and whether that CVE has a public exploit available. When you can hand that page to your team lead and they can plan the exploitation phase from it — that is what good recon looks like.

Practice questions

Scenario:

A pen tester's engagement formally opens on Monday. On Saturday they spend two hours running WHOIS lookups, searching certificate transparency logs, running theHarvester against the target domain, and checking Shodan for the discovered IP addresses. When the engagement kickoff call happens Monday morning, the tester already has a subdomain list, email addresses, and two Shodan-flagged CVEs documented. Which phase of the recon workflow covers the work the tester did on Saturday?


Scenario:

A pen tester wants to automatically capture every command they type and every line of output produced during their terminal session — without having to manually copy and paste anything. They want the log saved to a date-stamped file in their engagement directory. No additional tools need to be installed because this utility ships with Linux by default. Which command starts this automatic session logging?


Scenario:

A pen tester's scope document lists twelve specific IP addresses belonging to a retail company. A WHOIS lookup on one of those IPs reveals the company owns the full /24 block — 256 addresses — under the same organisation name. DNS enumeration surfaces three more subdomains that resolve to IPs in that same block but outside the twelve listed. The tester believes those additional IPs are almost certainly company-owned and therefore fair game. What must happen before they scan anything outside the twelve explicitly listed addresses?


Quiz

Scenario:

A pen tester has a two-week engagement starting Monday. They want to make the most of the active testing window and not waste the first day doing work that could have been done beforehand. Their team lead suggests a specific type of work that can be completed before the engagement formally opens without violating any authorisation boundaries. What work can legitimately run before day one?

Scenario:

A pen tester is running a black box engagement where the client's SOC has not been notified — the goal is to test whether the security team detects the activity. The tester is about to start port scanning and has been using -T4 throughout their lab work. Their team lead flags that -T4 generates traffic bursts that are specifically detected by common IDS signatures. What timing adjustment should the tester make for this engagement?

Scenario:

A pen tester completes their recon phase and hands their team lead a document with forty discovered hosts, a list of open ports on each, and a note that "several of these look interesting." The team lead sends them back to redo the document before the exploitation phase begins. The tester is confused — they found forty hosts, which seems thorough. What went wrong with how they approached the recon phase?

Up Next · Section III — Lesson 21

System Hacking — Overview

Section III begins. The recon phase is documented, the target list is ready, and the exploitation phase opens. Everything changes from here.

← Previous Course Index Next →