Network Recon with Netcat, Nmap & Built-in Tools

⚠️ Safety & Ethics

Everything here is lab-only. Use these commands and workflows only on systems and networks you own or have explicit permission to test. Reckless scanning on live networks can break services and get you in legal trouble.

🧠 Recon goals — what we want to achieve

A good recon session answers:

  • Which hosts are alive?

  • Which ports/services are open?

  • What software/version is running?

  • Are there interesting banners or weak configs?

  • Which findings deserve deeper, manual inspection?

We’ll move from light discovery → focused enumeration → evidence collection.

🛠️ Tools & quick reminders

  • nmap — host discovery, port scanning, version detection and NSE scripts (many options)

  • nc / netcat — banner grabbing, simple listeners, file transfers, ad-hoc port forwards

  • ss -tulwn — listening TCP/UDP/raw sockets on the box you are on; add -p (ss -tulpn, usually as root) to see which process owns each

  • lsof -i :PORT — another way to find the process behind a port

  • curl, wget — interact with HTTP services

  • nikto, whatweb, wpscan (lab-only extra tools)

  • timeout, parallel, jq — helpers for automation

Step 1: Light discovery (safe defaults)

Purpose: find live hosts and quick open ports without being noisy.

A. Ping sweep (local lab subnet)

# use with care; prefer an ARP scan on local networks (hosts that drop ICMP look dead here)
for ip in $(seq 1 254); do ping -c 1 -W 1 "192.168.56.$ip" >/dev/null 2>&1 && echo "192.168.56.$ip alive"; done

B. ARP-based discovery (safer on LAN)

sudo arp-scan -l  # requires arp-scan and root (raw sockets); only sees hosts on the local segment

C. Quick nmap host & top ports scan

nmap -sn 192.168.56.0/24                                           # host discovery (ARP on a local subnet), no port scan
sudo nmap -sS --top-ports 100 -T3 10.0.2.15 -oN quick_top100.txt   # SYN scan needs root; without sudo nmap falls back to a full connect scan (-sT)

Why: -sn skips the port scan entirely; --top-ports 100 covers the most common services quickly. -T3 is nmap's default "normal" timing, not a stealth setting; use -T2 (polite) when you need to cut load and noise further, at the cost of much longer scans.

Step 2: Service enumeration (targeted, non-aggressive)

Once you have a live host, enumerate services carefully.

A. Nmap service/version + default scripts

nmap -sC -sV -p 22,80,443,3306 -oN svc_enum.txt 10.0.2.15

  • -sC runs the "default" NSE script set: chosen to be quick and low-risk, but it does talk to each service (fetches pages, queries MySQL, SSH and so on), so it is not silent

  • -sV sends version probes and fingerprints whatever answers

B. Full port discovery (lab-only explicit)

nmap -p- -T4 10.0.2.15 -oN all_ports.txt

Note: -p- scans all 65535 TCP ports — gated to lab environments only. -T4 speeds this up but is easy for an IDS to spot. UDP (-sU) is a separate and much slower scan; run it only against the handful of UDP ports you actually care about.

Step 3: Banner grabbing & manual checks with Netcat

Netcat is simple and invaluable for interactively probing services.

A. Grab SSH banner

nc -v -w 2 10.0.2.15 22        # SSH speaks first, so the banner appears right after the "succeeded" line
# or
echo | nc -w 2 10.0.2.15 22    # the newline makes sshd answer and close, so nc exits on its own

B. Grab HTTP banner / basic request

printf "GET / HTTP/1.1\r\nHost: 10.0.2.15\r\nConnection: close\r\n\r\n" | nc -w 3 10.0.2.15 80

C. Test raw TCP (telnet-like)

# Redis sends nothing on connect, so an idle nc shows a blank screen; send an inline command instead
printf "PING\r\n" | nc -w 2 10.0.2.15 6379   # "+PONG" = no AUTH required, "-NOAUTH ..." = a password is set

Why: Netcat shows the raw bytes a service sends, which is where misconfigurations stand out: plaintext protocols, verbose version strings, services that answer without authentication, or prompts that accept default credentials.
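Banner grabbing by hand works for a handful of ports, but the rule of "who speaks first" differs per protocol, and a service that never closes the connection will hang a loop. The script below is an added example, not code from the original post: it picks a probe per port, bounds every connection with timeout, and reduces each banner to the one line worth recording. The host and ports are whatever you pass on the command line; the banner strings used in the tests are constructed, not captured from a real system, and the port-to-probe table is an assumption you should extend as you meet new services in the lab.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): protocol-aware banner grabbing.
# Target hosts/ports are whatever you pass on the command line; nothing here
# is tied to a real system.

# Services differ in who speaks first. SSH, SMTP, FTP and MySQL send a banner
# as soon as you connect; HTTP, Redis and memcached stay silent until asked.
# Return the bytes to send for a given port (empty = just listen).
probe_for_port() {
    case "$1" in
        80|8000|8080|8888) printf 'HEAD / HTTP/1.0\r\n\r\n' ;;
        6379)              printf 'PING\r\n' ;;        # Redis inline command
        11211)             printf 'version\r\n' ;;     # memcached
        *)                 printf '' ;;                # let the server talk first
    esac
}

# Connect, send the probe, and collect at most 512 bytes of reply.
# timeout guards against services that accept the connection but never close
# it; nc's -w bounds the connect/idle time. TLS ports (443 etc.) need
# `openssl s_client` instead of raw nc.
grab_banner() {
    host=$1; port=$2; wait=${3:-3}
    probe_for_port "$port" \
        | timeout "$wait" nc -w "$wait" "$host" "$port" 2>/dev/null \
        | tr -d '\r' | head -c 512
}

# Turn a raw banner into the one line worth recording: product/version, or a
# sign that the service is unauthenticated. Extend the case list as you meet
# new protocols in the lab.
classify_banner() {
    banner=$1
    case "$banner" in
        SSH-*)    echo "ssh version=$(printf '%s' "$banner" | head -n1 | cut -d' ' -f1)" ;;
        +PONG*)   echo "redis UNAUTHENTICATED (PING answered without AUTH)" ;;
        -NOAUTH*) echo "redis auth-required" ;;
        HTTP/*)   srv=$(printf '%s\n' "$banner" | sed -n 's/^[Ss]erver: *//p' | head -n1)
                  echo "http server=${srv:-unknown}" ;;
        220*)     echo "smtp/ftp greeting: $(printf '%s' "$banner" | head -n1)" ;;
        *)        echo "unrecognized (${#banner} bytes)" ;;
    esac
}

# usage: ./banners.sh 10.0.2.15 22 80 6379
main() {
    host=$1; shift
    for port in "$@"; do
        banner=$(grab_banner "$host" "$port")
        printf '%s/%s: %s\n' "$host" "$port" "$(classify_banner "$banner")"
    done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with a lab host and the ports you found open; every line it prints is something to paste into the evidence directory. Unrecognized banners are the interesting ones: open them by hand with the nc commands above.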

Step 4: Web services — quick manual inspection

A. Fetch and inspect

curl -I http://10.0.2.15             # headers only
curl -L http://10.0.2.15/index.php   # follow redirects

B. Probe robots and hidden files

curl -s http://10.0.2.15/robots.txt
# use Gobuster/ffuf for wordlists in lab
gobuster dir -u http://10.0.2.15 -w /usr/share/wordlists/dirb/common.txt -o gobuster.txt

Why: Web apps often leak paths, config files, or misconfigured directories that lead to escalation in labs/CTFs.
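The curl -I output above is worth more than a glance: missing hardening headers, a Server or X-Powered-By value with a version number, and cookies without HttpOnly/Secure are the findings that usually end up in a lab report. The script below is an added example, not code from the original post: it reads one raw HTTP response on stdin and prints a finding per line. The sample responses in its tests are constructed, not captures from a real server, and the header list it checks is a reasonable baseline rather than anything the post prescribes.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage the response headers that
# `curl -I` returns. The sample responses used to test this are constructed,
# not captured from a real server.

# Read one raw HTTP response on stdin and print one finding per line.
# The checks encode common lab findings: missing hardening headers, a Server
# or X-Powered-By value that reveals a version, and cookies that lack the
# HttpOnly/Secure attributes.
check_headers() {
    hdrs=$(tr -d '\r')     # normalise CRLF line endings so the greps stay simple
    for h in Strict-Transport-Security Content-Security-Policy \
             X-Frame-Options X-Content-Type-Options; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || echo "missing: $h"
    done
    # a version string in Server/X-Powered-By tells an attacker the exact patch level
    printf '%s\n' "$hdrs" | grep -iE '^(Server|X-Powered-By):' \
        | grep -E '[0-9]+\.[0-9]+' | sed 's/^/version disclosure: /'
    # each Set-Cookie line is checked separately so every cookie gets named
    printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' | while read -r line; do
        name=$(printf '%s' "$line" | sed 's/^[Ss]et-[Cc]ookie: *\([^=;]*\)=.*/\1/')
        printf '%s' "$line" | grep -qi 'HttpOnly' || echo "cookie without HttpOnly: $name"
        printf '%s' "$line" | grep -qiw 'Secure'  || echo "cookie without Secure: $name"
    done
    return 0
}

# usage: ./headers.sh http://10.0.2.15/
# (a plain-HTTP target will always be flagged for HSTS; note it and move on)
inspect_url() {
    curl -sI --max-time 10 "$1" | check_headers
}
if [ "$#" -gt 0 ]; then inspect_url "$1"; fi
```

Pipe any saved response into check_headers (for example curl -sI http://10.0.2.15/ > headers.txt; check_headers < headers.txt) so the finding list sits next to the raw evidence it was derived from.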

Step 5: Automated nmap scripts for safe enumeration

Nmap NSE scripts are powerful. Use default and safe scripts first.

A. Default script scan

nmap -sC -sV 10.0.2.15 -oN nmap_default.txt

B. Use targeted NSE categories (discovery, safe)

nmap --script "default,discovery" -sV 10.0.2.15 -oN nmap_disc.txt   # "discovery" includes scripts in the "external" category (whois, ASN lookups) that contact third-party services

In an isolated lab that is harmless; against anything else it leaks your target to outside servers. The category "safe" is the conservative choice, and nmap's expression syntax (for example --script "default or (discovery and not external)") lets you drop the external ones.

C. Vulnerability scripts (lab-only and explicit)

nmap --script vuln 10.0.2.15 -oN nmap_vuln.txt   # lab-only; noisy, and several vuln scripts send exploit-style payloads

Tip: Always read what an NSE script does (nmap --script-help NAME) before running it; scripts in the "intrusive" category can crash, slow down, or lock accounts on the target.

Step 6: Combining tools into a pipeline (example workflow)

Collect evidence → quick scan → targeted enumeration → save outputs.

Example pipeline (lab-only):

TARGET=10.0.2.15
OUT=./recon_${TARGET}_$(date +%F_%H%M)
mkdir -p "$OUT"
nmap -sC -sV -oN "$OUT/nmap_default.txt" "$TARGET"
# keep only port lines whose state is exactly "open" (skips "open|filtered", NSE output and the header)
awk '$1 ~ /^[0-9]+\// && $2 == "open"' "$OUT/nmap_default.txt" > "$OUT/open_ports.txt"
# banner grab each open port; timeout stops a service that never closes the connection from hanging the loop
cut -d/ -f1 "$OUT/open_ports.txt" | while read -r p; do
  echo "==== PORT $p ====" >> "$OUT/banners.txt"
  echo | timeout 3 nc -w 2 "$TARGET" "$p" >> "$OUT/banners.txt" 2>&1 || true
done

This creates neat artifacts you can review or feed into later scripts. Services that wait for the client to speak (HTTP, Redis) will leave an empty section in banners.txt; probe those by hand with the protocol-specific requests from Step 3.

Advanced Netcat usages (lab-only helpers)

  • Simple listener (catch a reverse shell in lab):

nc -lvnp 4444   # -l listen, -v verbose, -n skip DNS, -p port (OpenBSD nc also accepts "nc -lvn 4444")

  • File transfer (quick local transfers inside lab)

# sender (listens and serves the file); -N (OpenBSD nc) or -q 1 (Debian netcat-traditional) closes the socket at EOF, otherwise both ends hang
nc -N -l 1234 < file.bin
# receiver
nc -w 3 target 1234 > file.bin

Compare sha256sum output on both sides before trusting the copy; nc does no integrity checking of its own.

  • Port forwarding / proxying

# forward local 8888 to remote 10.0.2.15:80 (lab); the fifo carries replies back to the client
# handles one client at a time and exits when it disconnects, so re-run it for the next connection
mkfifo /tmp/f; nc -l 8888 0</tmp/f | nc 10.0.2.15 80 1>/tmp/f

Warning: Listeners and file transfers can be abused. Use them only in controlled labs.

Evidence collection & reporting (good habit)

  • Save all outputs (-oN, -oX, -oG for nmap).

  • Use -oX to produce XML and convert to other formats (xsltproc, xmlstarlet, or nmap2json).

  • Timestamp and document commands used for every scan.

Example:

nmap -sC -sV -oA "$OUT/nmap_default" "$TARGET"   # produces .nmap, .xml, .gnmap
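The .gnmap file that -oA (or -oG) produces is the one later scripts should read: one line per host, fixed field order, no NSE noise. That covers the "which hosts are alive" question from Step 1 (a -sn sweep also writes -oG) and replaces the grep-on-.nmap step of the Step 6 pipeline with something that understands the format. The parser below is an added example, not code from the original post; SAMPLE_GNMAP is constructed to mirror the -oG layout (real files separate the fields with tabs; the parser accepts tabs or spaces) and is not output from a real scan. The file name lab.gnmap in the usage comments is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): parse nmap's grepable output
# (-oG / the .gnmap file from -oA) into host and port lists that later steps
# can consume. SAMPLE_GNMAP is constructed to mirror the -oG layout; it is not
# output from a real scan. Real files separate the fields with tabs; the
# parser accepts tabs or spaces.

SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG lab.gnmap 10.0.2.0/24
Host: 10.0.2.15 ()  Status: Up
Host: 10.0.2.15 ()  Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///  Ignored State: closed (996)
Host: 10.0.2.16 ()  Status: Up
Host: 10.0.2.16 ()  Ports: 6379/open/tcp//redis//Redis key-value store 6.0.16/  Ignored State: closed (999)
Host: 10.0.2.17 ()  Status: Down
# Nmap done at Mon Jan  1 10:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds'

# Hosts reported up (works for -sn sweeps too, which only have Status lines).
live_hosts() {
    awk '/^Host:/ && /Status: Up/ {print $2}' | sort -u
}

# One line per open port: host port proto service version
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/ and
# entries are separated by ", " (a version string containing a comma would
# confuse this split, so check odd output against the .nmap file).
open_ports() {
    grep '^Host:.*Ports:' | while read -r line; do
        host=$(printf '%s\n' "$line" | awk '{print $2}')
        ports=$(printf '%s\n' "$line" \
            | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//')
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' \
            | awk -F/ -v h="$host" '$2 == "open" {printf "%s %s %s %s %s\n", h, $1, $3, $5, $7}'
    done
    return 0
}

# Comma-separated open ports for one host, ready for a targeted rescan:
#   nmap -sC -sV -p "$(ports_csv 10.0.2.15 < lab.gnmap)" 10.0.2.15
ports_csv() {
    open_ports | awk -v h="$1" '$1 == h {print $2}' | tr '\n' ',' | sed 's/,$//'
}

# usage: ./gnmap-parse.sh lab.gnmap   (prints the open-port table)
if [ "$#" -gt 0 ]; then open_ports < "$1"; fi
```

Feed it the .gnmap from the discovery scan, then use ports_csv to build the -p list for the targeted -sC -sV run in Step 2; that keeps the noisy full-port scan to one pass and the script scan to the ports that actually answered.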

Quick reconnaissance checklist (safe defaults)

  • Start with -sn or --top-ports to avoid being noisy.

  • -T3 is nmap's default timing; use -T2 (polite) when you need to cut load and noise. Move to -T4/-T5 only in aggressive lab scans.

  • Always document what you ran (command + timestamp).

  • Read NSE script documentation before using --script.

  • Use timeouts for banner grabbing (avoid hanging).

  • Respect rate limits in shared environments.

🧪 Lab Exercises (snapshot VMs first)

  1. Full workflow on localhost

    • Run discovery → nmap default → banner grab pipeline above. Review outputs.

  2. Web app deep-dive (lab)

    • Use curl, gobuster, and nmap -sV to enumerate. Save artifacts.

  3. Netcat practice

    • Set up a listener and send a test message from another VM. Practice safe file transfer.

  4. NSE exploration

    • Run nmap --script-help http-enum to read what a script does; run it against a lab web server.

  5. Reporting

    • Bundle results into a single directory, create a short markdown report summarizing findings and suggested defensive actions (no exploit instructions).

🔁 How this ties into the series

Network recon is the bridge between knowing Linux tools and using them to find lab vulnerabilities. In Part 11: Building a Local Linux Lab for Practice, we’ll diagram lab topologies and show how to safely apply these recon techniques across isolated VMs and networks.

🎯 Coming Up Next

Part 11: Building a Local Linux Lab for Practice — step-by-step VM setups, networking tips, snapshots, and ready-made vulnerable boxes to practice the recon workflows above.

💬 Got Questions?

Drop them in the comments or join our community on Discord for exclusive hacking tips and resources.


Don’t worry — mastery comes with practice.
Just open your terminal and hack your brain into CLI mode daily.

Let’s keep building. 💻⚔️
