Active

Scanning or active enumeration is the phase where the attacker begins to “touch” the systems and possibly leaving some traces behind. however there is no way to do this without leaving any footprints behind.

The active recon chain is somehow pretty obvious, you find the target ( might have done this in the passive recon phase), trace the route to target IP or network and try to map the network as best as you can, search for open ports and services, if its a web app try using it and viewing the source code or use browser extensions that can give you some info about the technologies and apps behind it, finally move on to the next phase ( threat modeling or vulnerability assessment ).

Useful Resources

• Recon Everything

• payload all the things

• Hacking Tricks

• Nmap.org

• Nmap Cookbook

Vulnerability Scanners

Although using vulnerability scanners is not usual in advanced pentesting or red team engagements, its useful to know about different vulnscanners out there

• Nessus ( Commertial/Free Trial )

• Nexpose ( Commertial/Free Trial )

• OpenVAS (Free)

• Nmap NSE scripts (Free)

• Nikto (Free)

• BurpSuite Scanner ( Free and commertial )

• OWASP Zaproxy scanner (Free)

• Acunetix ( Commertial/Free Trial )

• Netsparker ( Commertial/Free Trial )