This article was also published on razcodes.dev
Since I have been learning more about pentesting lately and playing on sites like tryhackme.com, I find myself usually starting with the same tools, so I decided to write this short post about the process.
Sometimes you know the IP of the machine you will be working on and sometimes you don't. Sometimes there is more than one machine on the network you want to look into; in those cases, you start with a basic IP (host discovery) scan.
nmap -sn -n 192.168.0.0/24 -oN discovery.nmap
-sn: ping scan (host discovery only, no port scan)
-n: no DNS resolution
-oN: write the scan output in normal format to the given file
Besides nmap, you can also use netdiscover to see all the machines on the current network by specifying the interface.
netdiscover -i tap0
Here I use tap0 as the interface because I am connected to a VPN; if I am just looking at machines on my internal network, I would use eth0.
netdiscover -i eth0
Once nmap is done running, I take that file and strip everything from it except the IPs (with -n, the "Nmap scan report for ..." lines contain just the IP as the fifth field).
cat discovery.nmap | grep for | cut -d " " -f 5 > ips.txt
I also make sure my own IP is not in the list so I don't scan myself.
Now that I have a list of IPs, I can run a longer scan.
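The filtering step above (keep only the live hosts, drop my own address) as a small POSIX shell function. This is an added example, not a command from the original post: the sample discovery.nmap content is constructed, and the function goes slightly beyond the one-liner in that it also handles the "hostname (IP)" form nmap prints when -n is not used, so the IP is extracted either way.

```shell
#!/bin/sh
# Added example (not from the original post). Extracts live host IPs from an
# "nmap -sn ... -oN" normal-output file and drops our own IP so the follow-up
# port scan does not include ourselves.

# write_sample_discovery PATH: writes a constructed nmap -sn normal-output
# file to PATH (sample data, not a real scan) so the example runs offline.
write_sample_discovery() {
    cat > "$1" <<'EOF'
# Nmap 7.93 scan initiated Sat Jan  1 12:00:00 2023 as: nmap -sn -n 192.168.0.0/24 -oN discovery.nmap
Nmap scan report for 192.168.0.1
Host is up (0.0012s latency).
Nmap scan report for 192.168.0.10
Host is up (0.0031s latency).
Nmap scan report for gateway.lan (192.168.0.254)
Host is up (0.0020s latency).
# Nmap done at Sat Jan  1 12:00:05 2023 -- 256 IP addresses (3 hosts up) scanned in 5.12 seconds
EOF
}

# extract_live_ips NMAP_FILE SELF_IP: prints one IP per line, sorted and
# de-duplicated, excluding SELF_IP. The last field of a "Nmap scan report for"
# line is either the bare IP (with -n) or "(IP)" after a resolved hostname;
# stripping the parentheses handles both.
extract_live_ips() {
    nmap_file="$1"
    self_ip="$2"
    awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); print ip }' "$nmap_file" \
        | grep -vxF -- "$self_ip" \
        | sort -u
}

# Demo on the constructed sample: pretend our own address is 192.168.0.10.
sample="$(mktemp)"
write_sample_discovery "$sample"
extract_live_ips "$sample" 192.168.0.10      # prints 192.168.0.1 and 192.168.0.254
rm -f "$sample"
```

In practice you would run it as `extract_live_ips discovery.nmap <your-ip> > ips.txt` and then feed ips.txt to the longer scan with -iL; the sort -u also removes duplicates if the same discovery file is appended to more than once.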
nmap -sV -p- -n -v -Pn -T4 -iL ips.txt -A --open
-sV: service version detection
-p-: scan all ports
-n: no DNS resolution
-v: verbose
-Pn: treat every host as online (skip host discovery)
-T4: aggressive timing template
-iL: read targets from the file and scan only the IPs in it
-A: OS detection, version detection, script scanning and traceroute
--open: only show open (or possibly open) ports
Of course these options might not be right for every engagement, and you should read more about nmap scanning strategies before using them, but for my needs so far they have worked well.
If the scans above show some HTTP ports open (80, 8080, etc.), I then run dirbuster to look for any folders that might be hidden.
After the usual scans above, I take a different road depending on the scenario I encounter, now that I have the data I need from the scan.