# Recon & Enumeration

## Nmap

```bash
# Fast scan (-F): the 100 most common ports instead of the default 1000
nmap -T4 -F <target>

# Full TCP scan (all 65535 ports) with service/version detection and default scripts
nmap -sV -sC -p- -T4 <target>

# UDP scan (top 100 ports)
nmap -sU --top-ports 100 <target>

# Output to all formats (.nmap, .gnmap and .xml with the given basename)
nmap -oA scan_results <target>
```

## Netdiscover / ARP

```bash
# Passive ARP discovery (-p: only sniff, send no probes)
netdiscover -r 192.168.1.0/24 -p
```

## Gobuster / Directory Busting

```bash
# Directory brute-force
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt -t 50

# DNS subdomain enumeration
gobuster dns -d <domain> -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

## OSINT

```bash
# theHarvester — emails, subdomains, hosts
theHarvester -d <domain> -b all

# whois
whois <domain>

# DNS records (many resolvers now answer ANY with a minimal reply; query A, MX, TXT, NS separately if so)
dig <domain> ANY +noall +answer
nslookup -type=any <domain>
```
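The `-oA` run above leaves a `scan_results.xml` file behind; turning that into a reviewable inventory is where the scan becomes useful for the asset owner. The following is an added example, not part of the original cheat sheet: a short Python script that parses nmap's XML output into `(host, protocol, port, state, service)` records and flags open ports that are not on an expected-exposure allowlist. The sample XML, the `10.0.0.5` address, the hostname and the allowlist are all constructed for the example; the element and attribute names follow nmap's real XML schema.

```python
"""Parse nmap XML (-oX / the .xml written by -oA) into a service inventory
and flag open ports missing from an expected-exposure allowlist.

Added example; the sample data below is constructed, not real scan output.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oA scan_results 10.0.0.5` might write.
# Address, hostname and versions are made up for the example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oA scan_results 10.0.0.5" version="7.94">
<host>
<status state="up" reason="echo-reply"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
  <service name="mysql" product="MySQL" version="8.0.33"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
  <service name="http-proxy"/></port>
</ports>
</host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    proto: str
    port: int
    state: str
    name: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list[Service]:
    """Walk every <host>/<ports>/<port> element and build Service records.

    For XML from an untrusted source, parse with defusedxml instead of
    the stdlib parser; the structure walked here is the same.
    """
    root = ET.fromstring(xml_text)
    services: list[Service] = []
    for host in root.iter("host"):
        # Prefer the IPv4 address element; nmap may also emit mac/ipv6 entries.
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            services.append(Service(
                host=addr,
                proto=port.get("protocol", ""),
                port=int(port.get("portid", "0")),
                state=state.get("state", "unknown") if state is not None else "unknown",
                name=svc.get("name", "") if svc is not None else "",
                product=svc.get("product", "") if svc is not None else "",
                version=svc.get("version", "") if svc is not None else "",
            ))
    return services


# Constructed allowlist: the (host, proto, port) tuples the owner expects to be reachable.
EXPECTED_EXPOSURE = {
    ("10.0.0.5", "tcp", 22),
    ("10.0.0.5", "tcp", 80),
    ("10.0.0.5", "tcp", 443),
}


def unexpected_open_ports(services: list[Service],
                          expected: set[tuple[str, str, int]]) -> list[Service]:
    """Return open services that are not on the allowlist (closed/filtered ports are ignored)."""
    return [s for s in services
            if s.state == "open" and (s.host, s.proto, s.port) not in expected]


def format_report(services: list[Service]) -> str:
    """One line per flagged service, suitable for a ticket or a diff against the last run."""
    return "\n".join(f"{s.host} {s.proto}/{s.port} {s.name} {s.product} {s.version}".rstrip()
                     for s in services)


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    print(f"{len(inventory)} ports parsed, "
          f"{sum(s.state == 'open' for s in inventory)} open")
    flagged = unexpected_open_ports(inventory, EXPECTED_EXPOSURE)
    print("Unexpected exposure:\n" + format_report(flagged))
```

To run it against a real file, replace `SAMPLE_XML` with `open("scan_results.xml").read()`; keeping the allowlist in version control and diffing `format_report()` output between scheduled scans turns the one-off recon command into a drift check for newly exposed services.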