Discovery told you what exists. Recon tells you what’s running on it. For each live host you build a profile: open ports, service versions, web apps, screenshots, and discovered content. This is the raw material the hunting phase mines for vulnerabilities.
Recon output is per-host. The convention (Arsenic's hosts/ layout) keeps each host's data isolated, so you can hand a teammate one host folder and they have everything:

hosts/
└── 203.0.113.10/
    └── recon/
        ├── nmap-quick-tcp.{nmap,gnmap,xml}   # full TCP port sweep
        ├── nmap-tcp.{nmap,gnmap,xml}         # version/script scan of open ports
        ├── nmap-udp.{nmap,gnmap,xml}
        ├── httpx.txt                         # live web services
        ├── ffuf.*.json                       # content discovery
        └── hostnames.txt                     # vhosts pointing at this IP
For each live host, work through the four steps listed at the end of this page, in order.
A single IP frequently hosts many domains (name-based virtual hosting). Port scan the IP so you don't scan the same box ten times — but carry the list of hostnames forward, because the web server may serve completely different apps depending on the Host: header. The HTTP probing step is where vhosts matter most.
Recon is the loudest phase so far — full port scans and fuzzing are unmistakable. Respect the rate limits from your rules of engagement: tune nmap -T, ffuf -rate, and run during permitted windows. When in doubt, go slower. A knocked-over production service is a bad look and a worse phone call.
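The per-host layout and the fast-then-thorough scan described above, as an added example (not Arsenic's own tooling). It assumes the discovery phase already produced "hostname ip" pairs, takes the nmap -T value from the engagement's rate limits via TIMING, and writes into the hosts/<ip>/recon/ layout:

```bash
#!/usr/bin/env bash
# Added example, not Arsenic's code: scan each IP once, keep the
# hosts/<ip>/recon/ layout, and run the quick sweep before the version scan.
set -eu

ROOT="${ROOT:-.}"        # directory that holds hosts/
TIMING="${TIMING:-3}"    # nmap -T value, set from the rules of engagement

# Read "hostname ip" pairs on stdin, collapse them to unique IPs, and record
# every hostname in hosts/<ip>/recon/hostnames.txt so the HTTP probing step
# can try each vhost against the one box. Prints the unique IPs.
layout_hosts() {
    while read -r name ip; do
        [ -n "${ip:-}" ] || continue
        mkdir -p "$ROOT/hosts/$ip/recon"
        printf '%s\n' "$name" >> "$ROOT/hosts/$ip/recon/hostnames.txt"
        sort -u -o "$ROOT/hosts/$ip/recon/hostnames.txt" \
                   "$ROOT/hosts/$ip/recon/hostnames.txt"
        printf '%s\n' "$ip"
    done | sort -u
}

# Pull the open TCP ports out of a .gnmap file (stage-1 output) as the
# comma-separated list stage 2 passes to -p, e.g. "22,80,443".
open_ports_from_gnmap() {
    awk -F'\t' '/\tPorts: / {
        for (i = 1; i <= NF; i++) if (sub(/^Ports: /, "", $i)) {
            n = split($i, entry, /, */)
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")           # port/state/proto/...
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }
    }' "$@" | sort -un | paste -sd, -
}

# Stage 1: fast full TCP sweep. Stage 2: version/script scan of only the
# ports stage 1 found open, so the slow scan never touches closed ports.
scan_host() {
    local ip="$1" out ports
    out="$ROOT/hosts/$ip/recon"
    nmap -Pn -p- --open -T"$TIMING" -oA "$out/nmap-quick-tcp" "$ip" </dev/null >/dev/null
    ports="$(open_ports_from_gnmap "$out/nmap-quick-tcp.gnmap")"
    [ -n "$ports" ] || { echo "$ip: no open TCP ports"; return 0; }
    nmap -Pn -sV -sC -p "$ports" -T"$TIMING" -oA "$out/nmap-tcp" "$ip" </dev/null >/dev/null
    echo "$ip: open tcp $ports"
}

# Usage: ./recon-tcp.sh pairs.txt   (pairs.txt holds "hostname ip" lines)
if [ $# -gt 0 ]; then
    layout_hosts < "$1" | while read -r ip; do scan_host "$ip"; done
fi
```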
Start with Port Scanning.

1. Port scanning: Find every open port on each live host — fast, then thorough — without scanning the same box twice.
2. Version scanning: Identify the exact software and version behind every open port — the input every later step depends on.
3. HTTP probing: Find every live web service across all hosts and ports, then screenshot them to triage the web surface at a glance.
4. Content discovery: Fuzz web roots for hidden directories, files, and endpoints the app doesn't link to.