Vulnarex | Elite Cybersecurity Learning Platform

#Bringing It All Together#link

Throughout this course, we have progressed through the complete active reconnaissance workflow — from understanding the legal framework, to DNS enumeration, port scanning, service fingerprinting, web directory discovery, and SMB/NFS share enumeration. In this final lesson, we will synthesize everything into a cohesive methodology and learn how to document your findings professionally.

The Complete Active Recon Workflow

Active reconnaissance is not a collection of isolated tools — it is a systematic process where each phase feeds intelligence into the next. Here is the complete workflow we have learned, applied to our target 192.168.1.10.

Phase	Tool(s)	Key Findings
DNS Enumeration	dig, dnsenum	Discovered subdomains: dev, staging, api, admin, vpn, internal. Successful zone transfer exposed internal infrastructure.
Port Scanning	nmap -sS	Found 7 open ports: 21 (FTP), 22 (SSH), 80 (HTTP), 139 (NetBIOS), 445 (SMB), 3306 (MySQL), 8080 (HTTP-Proxy).
Service Fingerprinting	nmap -sV -O -A	Identified: vsftpd 2.3.4, OpenSSH 7.9p1, Apache 2.4.49, Samba 4.11.6, MySQL 5.7.38, Apache Tomcat 9.0.31. OS: Linux 5.4.
Web Enumeration	gobuster, curl	Discovered: /admin, /backup, /phpinfo.php, config.php.bak (exposed DB credentials), backup.zip, database.sql.
SMB Enumeration	smbclient, enum4linux	Found shares: public, confidential, admin (all accessible via null session). Users: john, sarah, admin. Weak password policy.
NFS Enumeration	showmount, mount, nmap NSE	Exports: /home/john (contains SSH private key), /var/backups (contains DB backup), /tmp (world-writable).

Building the Attack Surface Map

The real value of active reconnaissance is not individual findings — it is the composite attack surface map that emerges when you combine all the intelligence. Let us trace the attack paths our recon revealed.

▪Path 1 — Web Application Attack: Apache 2.4.49 is vulnerable to CVE-2021-41773 (path traversal/RCE). The exposed config.php.bak gives us database credentials to connect to MySQL on port 3306.
▪Path 2 — FTP Backdoor: vsftpd 2.3.4 has a known backdoor (CVE-2011-2523) that opens a shell on port 6200 when a username ending in ':' is used.
▪Path 3 — SMB Credential Harvesting: Null session access to the 'confidential' share exposed passwords_backup.txt. Combined with the user list from enum4linux, we have valid credentials.
▪Path 4 — NFS to SSH Privilege Escalation: The NFS-exported /home/john directory contains john's private SSH key, enabling authentication as john on any server.
▪Path 5 — Database Access: MySQL 5.7.38 is accessible with credentials from config.php.bak, potentially exposing the entire application database.

callout

Notice how each reconnaissance phase contributed to multiple attack paths. DNS enumeration found the host, port scanning found the services, fingerprinting identified vulnerable versions, web enumeration exposed credentials, and SMB/NFS enumeration provided lateral movement opportunities. This is why thorough reconnaissance is the foundation of every successful penetration test.

Documenting Your Findings

Professional penetration testing requires thorough documentation. Every finding should include a clear description, evidence, risk rating, and remediation recommendation. Here is a template for documenting an active reconnaissance finding.

json

{
  "finding": "Anonymous SMB Share Access — Confidential Documents Exposed",
  "severity": "Critical",
  "cvss_score": 9.1,
  "target": "192.168.1.10",
  "description": "The SMB server on 192.168.1.10 allows null session authentication and exposes a share named 'confidential' containing sensitive files including employee_data.xlsx and passwords_backup.txt. Any user on the network can access these files without credentials.",
  "evidence": "smbclient -L //192.168.1.10 -N confirmed null session access. smbclient //192.168.1.10/confidential -N allowed listing and downloading of files.",
  "impact": "Unauthorized access to confidential employee data and password backups. Could lead to credential compromise and further network penetration.",
  "remediation": "1. Disable null session access in Samba configuration (restrict anonymous = yes). 2. Implement proper share-level authentication. 3. Remove sensitive files from network shares. 4. Audit all SMB shares for appropriate access controls."
}

Severity Classification

Consistent severity classification is essential for professional reporting. Use the CVSS framework or a simple four-tier system.

Severity	CVSS Range	Examples from Our Recon
Critical	9.0 – 10.0	vsftpd 2.3.4 backdoor, Apache 2.4.49 RCE, exposed database credentials in config.php.bak
High	7.0 – 8.9	Anonymous SMB access to confidential share, NFS-exported SSH private key, null session SMB access
Medium	4.0 – 6.9	DNS zone transfer enabled, phpinfo.php exposed, weak password policy (no lockout)
Low	0.1 – 3.9	Server version disclosure in HTTP headers, TRACE method enabled, robots.txt reveals internal paths

Reconnaissance Checklist

Use this checklist to ensure you have covered all active reconnaissance bases during your next engagement.

▪DNS Enumeration: A, AAAA, MX, NS, TXT, SOA records queried for all target domains
▪DNS Enumeration: Zone transfer attempted against all discovered name servers
▪DNS Enumeration: Subdomain brute-forcing performed with at least two wordlists
▪Port Scanning: Full TCP port range scanned (or top 1000 minimum)
▪Port Scanning: UDP scan performed for common services (53, 67, 68, 69, 123, 161, 500, 514, 520, 1900)
▪Service Fingerprinting: Version detection (-sV) run against all open ports
▪Service Fingerprinting: OS detection (-O) attempted
▪Service Fingerprinting: NSE scripts run (at minimum -sC and --script vuln)
▪Web Enumeration: robots.txt and sitemap.xml checked
▪Web Enumeration: Directory brute-forcing performed with common wordlist and file extensions
▪Web Enumeration: Virtual host enumeration attempted
▪SMB Enumeration: Share listing attempted with null session
▪SMB Enumeration: enum4linux full scan completed
▪SMB Enumeration: User enumeration and password policy extraction
▪NFS Enumeration: showmount -e run against all targets
▪NFS Exports: All discovered exports mounted and browsed
▪Documentation: All findings saved with screenshots and command output
▪Documentation: Results saved in multiple formats (nmap -oA, tool-specific exports)

What Comes Next

Active reconnaissance is the foundation, but it is only the beginning. The intelligence you have gathered feeds directly into the next phases of a penetration test.

▪Vulnerability Assessment: Use the service versions and OS information to search for known CVEs using tools like searchsploit, Nessus, or OpenVAS.
▪Exploitation: Attempt to exploit discovered vulnerabilities using Metasploit, manual techniques, or custom exploits — always within authorized scope.
▪Post-Exploitation: Use compromised credentials and access to move laterally through the network, escalate privileges, and access sensitive data.
▪Reporting: Compile all findings into a professional penetration test report with executive summary, technical findings, and remediation roadmap.

info

💡 The Vulnarex curriculum continues with courses on Vulnerability Assessment, Network Exploitation, Web Application Hacking, and Post-Exploitation. Each course builds directly on the reconnaissance skills you have learned here.

Final Challenge

challenge BLOCK (★ 100 XP)

Full Active Recon Simulation

Select your proof vectors above

Active Reconnaissance Synthesis and Reporting