Recon

Map every live host’s services, web surface, and content into a per-host picture you can attack.

Discovery told you what exists. Recon tells you what’s running on it. For each live host you build a profile: open ports, service versions, web apps, screenshots, and discovered content. This is the raw material the hunting phase mines for vulnerabilities.

Organize per host

Recon output is per-host. The convention (Arsenic’s hosts/ layout) keeps each host’s data isolated, so you can hand a teammate one host folder and they have everything:

hosts/
└── 203.0.113.10/
    └── recon/
        ├── nmap-quick-tcp.{nmap,gnmap,xml}   # full TCP port sweep
        ├── nmap-tcp.{nmap,gnmap,xml}         # version/script scan of open ports
        ├── nmap-udp.{nmap,gnmap,xml}
        ├── httpx.txt                          # live web services
        ├── ffuf.*.json                        # content discovery
        └── hostnames.txt                      # vhosts pointing at this IP

The recon pipeline

For each live host, in order:

  1. Port scanning — find every open TCP (and key UDP) port.
  2. Service enumeration — version + default-script scan the open ports to identify what’s listening.
  3. HTTP probing & screenshots — find web services across all hosts/ports and eyeball them fast.
  4. Content discovery — fuzz web roots for hidden paths, files, and endpoints.

Scan once per IP, remember every name

A single IP frequently hosts many domains (name-based virtual hosting). Port scan the IP so you don’t scan the same box ten times — but carry the list of hostnames forward, because the web server may serve completely different apps depending on the Host: header. The HTTP probing step is where vhosts matter most.
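The four stages above and the scan-once-per-IP rule, as one per-host driver script. This is an added example, not Arsenic's tooling or any script from this page: it assumes nmap, httpx and ffuf are on PATH, the hosts/<ip>/recon/ layout above, and a hostnames.txt already populated by discovery. The wordlist path, the nmap --max-rate and ffuf -rate values, and the httpx-targets.txt and ffuf file-name tagging are placeholders chosen for the example. It chains the stages the way the pipeline describes: the open ports from the quick sweep feed the version scan, and every hostname for the IP is crossed with every open port so httpx probes each vhost with its own Host: header.

```shell
#!/usr/bin/env bash
# Added example (not Arsenic's code): per-host recon driver for the pipeline.
# Assumptions: nmap/httpx/ffuf installed, hosts/<ip>/recon/ layout, and
# hostnames.txt from discovery already in the host folder. Set the rates and
# wordlist from your rules of engagement; the defaults here are placeholders.
set -eu

WORDLIST="${WORDLIST:-/usr/share/wordlists/dirb/common.txt}"  # placeholder
NMAP_RATE="${NMAP_RATE:-200}"   # nmap --max-rate, packets/s (placeholder)
FFUF_RATE="${FFUF_RATE:-50}"    # ffuf -rate, requests/s (placeholder)

# Print the command (DRY_RUN=1) or run it, so the whole plan for a host can be
# reviewed before anything loud is sent.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Open ports from a .gnmap file as "22,80,443" (the form nmap -p expects).
# Only the "<port>/open/<proto>" tokens are matched, so commas inside service
# version strings on the Ports: line cannot break the parse.
open_ports_from_gnmap() {
    # $1 = .gnmap file, $2 = tcp|udp (default tcp)
    { grep -oE '[0-9]+/open/'"${2:-tcp}" "$1" || true; } \
        | cut -d/ -f1 | sort -n -u | paste -sd, -
}

# One "host:port" line per name that resolves to this IP, per open port, so
# httpx sends a Host: header for every vhost and not only for the bare IP.
httpx_targets() {
    # $1 = ip, $2 = comma-separated ports, $3 = hostnames.txt (may be absent)
    local ip="$1" ports="$2" names="$3" name port
    { printf '%s\n' "$ip"; if [ -r "$names" ]; then cat "$names"; fi; } \
      | sort -u | while IFS= read -r name; do
            [ -n "$name" ] || continue
            printf '%s\n' "$ports" | tr ',' '\n' \
              | while IFS= read -r port; do printf '%s:%s\n' "$name" "$port"; done
        done
}

# The pipeline for one IP; results land in hosts/<ip>/recon/ as in the layout.
recon_host() {
    local ip="$1" dir="hosts/$1/recon" ports url tag
    mkdir -p "$dir"
    # 1. Port scanning: every TCP port, no probes yet; key UDP ports need root.
    run nmap -Pn -n -p- --max-rate "$NMAP_RATE" -oA "$dir/nmap-quick-tcp" "$ip"
    if [ "$(id -u)" -eq 0 ]; then
        run nmap -Pn -n -sU --top-ports 100 -oA "$dir/nmap-udp" "$ip"
    fi
    ports="$(open_ports_from_gnmap "$dir/nmap-quick-tcp.gnmap")"
    if [ -z "$ports" ]; then echo "$ip: no open TCP ports" >&2; return 0; fi
    # 2. Service enumeration: version + default scripts, on the open ports only.
    run nmap -Pn -n -sV -sC -p "$ports" -oA "$dir/nmap-tcp" "$ip"
    # 3. HTTP probing: every name for this IP x every open port; -silent -o
    #    writes one live URL per line, -screenshot saves page screenshots.
    httpx_targets "$ip" "$ports" "$dir/hostnames.txt" > "$dir/httpx-targets.txt"
    run httpx -l "$dir/httpx-targets.txt" -silent -screenshot -o "$dir/httpx.txt"
    # 4. Content discovery per live URL, rate-limited, one JSON file per URL.
    [ -r "$dir/httpx.txt" ] || return 0
    while IFS= read -r url; do
        tag="$(printf '%s' "$url" | tr -c 'A-Za-z0-9.' '_')"
        run ffuf -u "$url/FUZZ" -w "$WORDLIST" -rate "$FFUF_RATE" -ac -s \
            -of json -o "$dir/ffuf.$tag.json"
    done < "$dir/httpx.txt"
}

case "${1:-}" in
  --demo)  # constructed sample data, no packets sent: prints the plan
    cd "$(mktemp -d)"; mkdir -p hosts/203.0.113.10/recon
    printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\n' \
        > hosts/203.0.113.10/recon/nmap-quick-tcp.gnmap
    printf 'app.example.com\n' > hosts/203.0.113.10/recon/hostnames.txt
    printf 'https://app.example.com:443\n' > hosts/203.0.113.10/recon/httpx.txt
    export DRY_RUN=1; recon_host 203.0.113.10 ;;
  "") ;;                     # sourced or run without arguments: define only
  *)  recon_host "$1" ;;     # real run: ./recon.sh 203.0.113.10
esac
```

Run it with --demo first to read the exact commands it would send, then against one IP at a time; the DRY_RUN switch exists precisely so the rates and windows can be checked against the engagement rules before the first packet leaves.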

A note on pacing

Recon is the loudest phase so far: a full port scan and a content-discovery fuzz are unmistakable in any IDS or web server log. Respect the rate limits in your rules of engagement: cap nmap with -T or --max-rate, cap ffuf with -rate and -t, and run only during the permitted windows. When in doubt, go slower. A knocked-over production service is a bad look and a worse phone call.

Start with Port Scanning.


Port Scanning

Find every open port on each live host — fast, then thorough — without scanning the same box twice.

Service Enumeration

Identify the exact software and version behind every open port — the input every later step depends on.

HTTP Probing & Screenshots

Find every live web service across all hosts and ports, then screenshot them to triage the web surface at a glance.

Content Discovery

Fuzz web roots for hidden directories, files, and endpoints the app doesn’t link to.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)