Open to opportunities · Jun 2026

Karim Abdelaziz

Introduction to information gathering

Information Gathering (Reconnaissance) Reconnaissance is the first phase of a penetration testing engagement: collecting information about our target (an organization, an individual, a system, a website, and so on) that is either publicly available (passive reconnaissance) or not publicly available (active reconnaissance). Types of Reconnaissance Passive information gathering → collecting publicly available information without engaging the target directly (IP and DNS information, domain names, web technologies, subdomains, and so on). Active information gathering → collecting information that is not publicly available by engaging the target directly, which requires authorization from the target (port scanning, information about the internal network infrastructure, enumeration of the gathered information). Target Scoping (In-Scope / Out-of-Scope) Target scoping is the process of defining which systems, applications and networks we are allowed to test and which we are not; it is the rules of engagement (what am I allowed to collect information about?). During reconnaissance the target is defined in one of the following ways: ...

May 1, 2026 · 4 min · Karim Abdelaziz
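As an added example that is not part of the original post: a scope check in Python that answers the scoping question above ("what am I allowed to collect information about?") before any active step runs. The CIDR ranges and domain names in it are constructed for illustration; a real engagement's rules of engagement supply them.

```python
"""Scope check for reconnaissance targets (added example, not from the original post).

The in-scope and out-of-scope entries are constructed for illustration; in practice
they come from the rules of engagement document.
"""
import ipaddress

# Constructed rules of engagement: address ranges and domain suffixes.
IN_SCOPE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]
OUT_OF_SCOPE_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]   # e.g. an excluded production segment
IN_SCOPE_DOMAINS = ["example.com"]
OUT_OF_SCOPE_DOMAINS = ["legal.example.com"]


def _host_in_domain(host: str, domain: str) -> bool:
    """True when host equals domain or is a subdomain of it. The comparison is
    label-aware, so 'notexample.com' does not match 'example.com'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_in_scope(target: str) -> bool:
    """Decide whether an IP address or hostname may be touched during recon.

    Exclusions win over inclusions: an address inside an in-scope range that also
    falls inside an out-of-scope range is off limits.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None                                   # not an IP literal, treat as a hostname

    if addr is not None:
        if any(addr in net for net in OUT_OF_SCOPE_NETWORKS):
            return False
        return any(addr in net for net in IN_SCOPE_NETWORKS)

    if any(_host_in_domain(target, d) for d in OUT_OF_SCOPE_DOMAINS):
        return False
    return any(_host_in_domain(target, d) for d in IN_SCOPE_DOMAINS)


def filter_targets(targets):
    """Split a candidate list into (allowed, rejected) before any active probing."""
    allowed = [t for t in targets if is_in_scope(t)]
    rejected = [t for t in targets if not is_in_scope(t)]
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["10.10.1.7", "10.10.5.20", "192.0.2.44", "198.51.100.9",
                  "www.example.com", "legal.example.com", "notexample.com"]
    ok, bad = filter_targets(candidates)
    print("in scope:    ", ok)
    print("out of scope:", bad)
```

Run the check on every hostname or address that passive recon turns up (subdomains, IPs from DNS records) before feeding it to an active tool; a subdomain that resolves into an out-of-scope range is the usual way a test drifts past its authorization.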

Active Reconnaissance

Active Reconnaissance We have already discussed passive reconnaissance; now we turn to active reconnaissance. Active recon means gathering information by engaging the target directly, unlike passive recon, which only gathers public information: sending packets to the target and observing what comes back, for example requesting a DNS zone transfer or scanning ports with Nmap. 1. DNS Zone Reconnaissance In the passive reconnaissance post we discussed DNS and how it works in detail: it is the protocol used mainly to resolve hostnames to their corresponding IP addresses, and a zone contains several record types, each of which carries a specific kind of information: ...

May 8, 2026 · 15 min · Karim Abdelaziz

Passive Reconnaissance

Passive Reconnaissance As we know, passive recon is collecting information without interacting directly with the target. In the passive phase we try to learn the target well, understand our boundaries, and gather the data that will make the later steps of the penetration test more efficient. 1. Host Tool — IP Lookup The first thing we can do is obtain the IP address of the website using the host tool. host → DNS lookup utility, used to resolve names to IP addresses and vice versa ...

May 1, 2026 · 25 min · Karim Abdelaziz
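As an added example that is not part of either post: the wire-format DNS messages behind the two lookups described in the Passive Reconnaissance and Active Reconnaissance entries. build_query() produces the A query that host sends to resolve a name to an address and the AXFR query that requests a zone transfer over TCP, and parse_response() reads the reply. The response is a constructed sample using documentation values (example.com, 192.0.2.10, ns1.example.com), not a capture from a real server; a real AXFR reply begins and ends with the zone's SOA record, which the sample omits.

```python
"""DNS wire-format builder and parser (added example, not code from the posts).

build_query() produces the message that `host` sends for an A record and the AXFR
request used for a zone transfer; parse_response() reads the reply. The reply used
here is constructed (documentation names/addresses), not captured from a server.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "AXFR": 252}
TYPE_NAME = {v: k for k, v in QTYPE.items()}
HEADER = "!HHHHHH"          # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234, tcp: bool = False) -> bytes:
    """Header plus one question. A normal lookup sets RD (recursion desired); AXFR does
    not, and must go over TCP, where every message carries a 2-byte length prefix."""
    flags = 0x0000 if qtype == "AXFR" else 0x0100
    msg = struct.pack(HEADER, txid, flags, 1, 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)   # class IN
    return (struct.pack("!H", len(msg)) + msg) if tcp else msg


def decode_name(msg: bytes, offset: int):
    """Decode a name that may use compression pointers (0xC0xx). Returns
    (name, offset just past the name as it appeared at the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> list:
    """Answer section as (name, type, ttl, value). A and NS/CNAME rdata are decoded;
    anything else is returned as hex."""
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER, msg[:12])
    if flags & 0x000F:                                  # RCODE != 0, e.g. 5 = REFUSED for a denied AXFR
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["A"] and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"]):
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        records.append((name, TYPE_NAME.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return records


def build_sample_response() -> bytes:
    """Constructed reply to 'example.com' with an A and an NS record. Both owner names
    and the NS target's suffix are compression pointers back to offset 12, where the
    question name starts. A real AXFR answer would also start and end with the SOA."""
    header = struct.pack(HEADER, 0x1234, 0x8180, 1, 2, 0, 0)   # QR=1, RD, RA, RCODE 0
    question = encode_name("example.com") + struct.pack("!HH", QTYPE["A"], 1)
    ptr = struct.pack("!H", 0xC000 | 12)
    a_rr = ptr + struct.pack("!HHIH", QTYPE["A"], 1, 300, 4) + bytes([192, 0, 2, 10])
    ns_rdata = b"\x03ns1" + ptr                                 # ns1 + pointer -> ns1.example.com
    ns_rr = ptr + struct.pack("!HHIH", QTYPE["NS"], 1, 300, len(ns_rdata)) + ns_rdata
    return header + question + a_rr + ns_rr


if __name__ == "__main__":
    print("A query   :", build_query("example.com", "A").hex())
    print("AXFR query:", build_query("example.com", "AXFR", tcp=True).hex())
    for rec in parse_response(build_sample_response()):
        print("%-12s %-5s %5d %s" % rec)
```

The RCODE check matters for the active case: a correctly configured authoritative server answers an AXFR from an unauthorized address with REFUSED (RCODE 5), which is itself a finding about the target's DNS hardening, while a server that returns the full zone has just handed over its entire host inventory.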

Network Primer

Session Goals What do you want to be able to DO by the end of this session? Network Fundamentals ✅ 2026-05-14 Network Layer and how it works ✅ 2026-05-14 TCP Layer and how it works ✅ 2026-05-14 Concepts Learned Concept 1: [Protocol] What it is: a protocol is a set of rules that hosts use to connect and communicate with each other; each protocol corresponds to a specific service and is written down as that set of rules. Why it matters in a pentest: understanding protocols is essential because they are the building blocks of every communication between hosts ...

May 14, 2026 · 8 min · Karim Abdelaziz

Host Discovery

Session Goals What do you want to be able to DO by the end of this session? Network Mapping ✅ 2026-05-30 Ping Sweeps ✅ 2026-05-30 Host Discovery ✅ 2026-05-30 Concepts Learned The concepts I learned in this session Concept 1: [Network Mapping] What it is: network mapping covers the active recon techniques used to draw a blueprint of the live hosts and devices on a network; it is the process of discovering live hosts in order to map the network architecture by identifying its different elements ...

May 30, 2026 · 7 min · Karim Abdelaziz
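As an added example (not code from the post): the two building blocks of the ping sweep mentioned in the session goals, enumerating the host addresses of a range and building and validating ICMP echo packets with the RFC 1071 checksum. Sending the packets needs a raw socket (root), so the block stops at the packet boundary; the replies handed to live_hosts() are constructed inside the block, and 192.0.2.0/30 is a documentation range.

```python
"""Ping-sweep building blocks (added example, not from the post).

Enumerates the candidate hosts of a range and builds/validates ICMP echo packets.
Sending them needs a raw socket (root), so this stops at the packet boundary; the
replies handed to live_hosts() are constructed here, and 192.0.2.0/30 is a
documentation range.
"""
import ipaddress
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                          # odd length is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"recon") -> bytes:
    """What one probe of the sweep puts on the wire (after the IP header)."""
    return _build_icmp(ECHO_REQUEST, ident, seq, payload)


def build_echo_reply(ident: int, seq: int, payload: bytes = b"recon") -> bytes:
    """Constructed reply, used only to exercise the parser offline."""
    return _build_icmp(ECHO_REPLY, ident, seq, payload)


def parse_echo_reply(packet: bytes):
    """Return (ident, seq) for a well-formed echo reply, None for anything else.
    The checksum of a valid packet, computed over the whole message, is 0."""
    if len(packet) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ECHO_REPLY or code != 0 or icmp_checksum(packet) != 0:
        return None
    return ident, seq


def sweep_targets(cidr: str) -> list:
    """Host addresses to probe; the network and broadcast addresses are excluded."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def live_hosts(cidr: str, replies: dict, ident: int) -> list:
    """replies: address -> raw ICMP bytes received, or None when nothing came back.
    A host counts as live only if its reply parses and echoes our identifier."""
    live = []
    for addr in sweep_targets(cidr):
        parsed = parse_echo_reply(replies.get(addr) or b"")
        if parsed and parsed[0] == ident:
            live.append(addr)
    return live


if __name__ == "__main__":
    ident = 0x1234
    # Constructed responses: .1 answers, .2 is silent (down, or a firewall drops ICMP).
    replies = {"192.0.2.1": build_echo_reply(ident, 1), "192.0.2.2": None}
    print("targets:", sweep_targets("192.0.2.0/30"))
    print("live:   ", live_hosts("192.0.2.0/30", replies, ident))
```

A silent address is not proof that the host is down; a firewall that drops ICMP echo requests produces the same result, which is why Nmap's host discovery falls back to TCP and ARP probes rather than trusting ping alone.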

Port Scanning

Session Goals What do you want to be able to DO by the end of this session? Port Scanning ✅ 2026-06-03 Services versions and Operating Systems detection ✅ 2026-06-03 Nmap Scripting Engine (NSE) ✅ 2026-06-03 Concepts Learned The concepts I learned in this session Concept 1: [Port Scanning] What it is: in port scanning we try to discover which TCP or UDP ports on the target system are open, closed or filtered, and each state tells us something about what the target is doing: ...

June 4, 2026 · 7 min · Karim Abdelaziz

Scanning Optimization

Session Goals In this session we discuss how to optimize our scans and how to use different techniques to evade IDS and detect firewalls. Concepts Learned The concepts I learned in this session Concept 1: [Firewall Detection] What it is: a firewall is a filter placed in front of a server. If we want to filter ping requests (ICMP echo requests), we create a rule in the firewall, and based on that rule the firewall decides whether to pass the packet or drop (filter) it. So we want to detect whether there is a firewall in front of the target. To do this we use the ACK scan option (-sA), which sends probes with only the ACK flag set and classifies each port as filtered or unfiltered based on the response: an unfiltered port answers with RST whether it is open or closed, while a filtered port gives no reply or an ICMP unreachable error. In the previous image the output reports 100 unfiltered ports, so either there is no firewall or the firewall does not filter the ports we scanned, which are the 100 most common ports selected with the -F option. Capturing the scan in Wireshark, as in the following image, confirms that Nmap sends packets with the ACK flag set to test whether they are being filtered ...

June 13, 2026 · 5 min · Karim Abdelaziz
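As an added example serving both the Port Scanning and the Firewall Detection entries (not code from the posts): how the SYN scan (-sS) and the ACK scan (-sA) map a probe's response onto the states open, closed, filtered and unfiltered, and the firewall verdict drawn from an ACK scan across the scanned ports. The TCP headers and ICMP errors are constructed inside the block; the response-to-state rules follow the Nmap reference guide.

```python
"""Response-to-state rules for Nmap SYN and ACK scans (added example, not from the posts).

Each probe gets one of: no reply, a TCP segment, or an ICMP error. The mapping
below follows the Nmap reference guide; every packet here is constructed.
"""
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10
# ICMP type 3 codes Nmap reports as "filtered": net/host/proto unreachable, admin prohibited
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def make_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header; only the flags byte matters for classification."""
    data_offset = 5 << 4                      # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


def tcp_flags(segment: bytes) -> int:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F                 # low six bits: URG ACK PSH RST SYN FIN


def classify(scan: str, response) -> str:
    """scan: 'syn' or 'ack'. response: None, ('tcp', header_bytes) or ('icmp', type, code)."""
    if scan not in ("syn", "ack"):
        raise ValueError("scan must be 'syn' or 'ack'")
    if response is None:                      # probe or reply dropped on the way
        return "filtered"
    if response[0] == "icmp":
        _, itype, icode = response
        return "filtered" if itype == 3 and icode in FILTERED_UNREACH_CODES else "unexpected"
    flags = tcp_flags(response[1])
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"                     # a listener answered step 2 of the handshake
        if flags & RST:
            return "closed"                   # reachable, nothing listening
    else:
        if flags & RST:
            return "unfiltered"               # open or closed, but the probe got through
    return "unexpected"


def scan_summary(scan: str, responses: dict) -> Counter:
    """responses: port -> response. Returns counts per state, like Nmap's 'Not shown:' line."""
    return Counter(classify(scan, r) for r in responses.values())


def firewall_verdict(ack_states: Counter) -> str:
    """Interpretation of an ACK scan over the scanned ports."""
    total = sum(ack_states.values())
    if total == 0:
        return "no ports scanned"
    if ack_states["unfiltered"] == total:
        return "no firewall detected, or it does not filter the scanned ports"
    if ack_states["filtered"] == total:
        return "all scanned ports filtered: a firewall is dropping the probes"
    return "partially filtered: a firewall filters some of the scanned ports"


if __name__ == "__main__":
    syn_results = {
        22: ("tcp", make_tcp(22, 40000, SYN | ACK)),   # open
        23: ("tcp", make_tcp(23, 40000, RST | ACK)),   # closed
        25: None,                                      # filtered (silently dropped)
        80: ("icmp", 3, 13),                           # filtered (admin prohibited)
    }
    print("SYN scan:", dict(scan_summary("syn", syn_results)))
    ack_results = {p: ("tcp", make_tcp(p, 40000, RST)) for p in (22, 23, 25, 80)}
    states = scan_summary("ack", ack_results)
    print("ACK scan:", dict(states), "->", firewall_verdict(states))
```

The verdict is deliberately hedged: an ACK scan cannot tell open from closed, and "100 unfiltered" on the -F port list only says that a stateless filter is not blocking those ports. A stateful firewall that drops unsolicited ACKs shows up as "filtered", and one that only filters ports outside the default 100 is invisible to this scan.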