Second step - Discovery


Discovery 🏝️, a.k.a. active recon (reconnaissance), is the second step of a pentester's activities.

It involves gathering information about the target by probing its network or systems 🛶️ to find exploitable vulnerabilities.

  • 🎯 Host discovery (OS, version...)
  • πŸ•ΈοΈ Network discovery (architecture...)
  • 🧭 Systems, services and application discovery (FTP, APIs...)
  • ...

Unlike passive discovery, since you are directly interacting with the target, you are likely to be detected, and maybe caught 🚓.

Common activities are:

  • 🚪 Find entry points
    • running services and open ports
    • web applications or APIs
    • wireless network
    • physical devices
    • backdoors
    • ...
  • 🔥 Find versions, as there may be known vulnerabilities
  • 🔑 Find usernames, backups, exposed data
  • 🥅 Find the network architecture (firewall/IDS...)
  • 💃 Find any social engineering indicators (contact employees...)
  • 🌿 Investigate if a third-party/supplier is vulnerable

Arsenal 🌱

  • Spoof User-Agent

You can install an extension to make the target website believe that you are using another browser. Look for User-Agent Switcher extensions on Google. You can check the result on whatismybrowser.

  • Use a proxy

You may use a proxy as an intermediary for your requests. If you do, you can use the FoxyProxy browser extension to easily swap between no proxy and your proxy configurations.

  • Devtools: by-pass HTML/JS verifications, hide/remove tags...
  • Disable scripts

You may do that to bypass JavaScript verifications. You can use plugins such as NoScript, or uBlock by clicking on the following icon


  • HTTP clients

We usually don't rely only on our web browser to recon/exploit websites, as browsers are unreliable for this purpose. You can use Postman, curl, or tools such as Burp Suite...

Tools and methods 🗺️

Network mapping

  • ping 🥅: check if a host responds to pings
  • Packet tracing 🥅: map a network
  • The TTL of the replies can be used to roughly guess the OS

Scanning and enumeration

Vulnerabilities scanners

  • Nessus: port scanning, find vulnerabilities, quite noisy/slow
  • OpenVAS: port scanning, find vulnerabilities, quite noisy/slow
  • Nikto: website vulnerability scanner

➡️ You should check for signs of well-known vulnerabilities.

Additional Notes

Remediation 🛡️

  • 🔒 Display generic error messages, disable detailed error messages, and do not give away much information (ex: on invalid login, display the message 'credentials invalid' instead of 'username invalid' or 'password invalid')

  • 🚧 Test your endpoints with invalid values: 0, -1, characters, symbols... Test your pages with/without the expected parameters, especially since a hacker may try to access pages in an unexpected order.

  • 🔫 Do not trust anything coming from the user, their browser, or even your database. In a nutshell, do not trust anyone.
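The first remediation point, as an added example that is not part of the original notes: a leaky login handler whose error text tells a probing client whether the username exists, next to a hardened one that returns a single generic message. The hardened version also runs the password hash for unknown usernames, so response time does not leak what the message no longer does (an addition beyond the note above). The user store and passwords are constructed sample data.

```python
"""Added example (not from the original notes): generic login errors.

login_leaky() reveals whether a username exists through its error text.
login_hardened() returns one generic message and does the same amount of
work for unknown and known usernames.
"""
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid credentials"
PBKDF2_ROUNDS = 100_000  # illustrative; tune for your deployment


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user store: username -> (salt, password hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy credentials used for unknown usernames so the hardened path
# always computes a hash. The salt used for the hash is thrown away,
# so no password can ever match this entry.
_DUMMY = (os.urandom(16), _hash_password("placeholder", os.urandom(16)))


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Leaky version: the error message differs by failure cause,
    which lets a client enumerate valid usernames."""
    if username not in USERS:
        return (False, "username invalid")
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "password invalid")
    return (True, "ok")


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Hardened version: one generic message for every failure, and the
    password hash is computed even when the username does not exist."""
    salt, stored = USERS.get(username, _DUMMY)
    # compare_digest avoids an early-exit comparison on the hash bytes.
    password_ok = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = password_ok and username in USERS
    return (ok, "ok" if ok else GENERIC_ERROR)


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, fn("alice", "wrong"), fn("bob", "wrong"))
```

Log the real cause (unknown user vs. bad password) server-side for your own detection, never in the response body.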

OWASP Foundation


OWASP (The Open Source Foundation for Application Security Project) is a foundation that is very well-known for its resources to improve website security. Every few years, they release the Top 10 list of vulnerabilities.

Pentest Considerations ⚠️

Automated scans can impact the network.

During an assignment, ensure you know which hosts can be automatically scanned (e.g., using Nessus) and which hosts should be excluded and manually tested.

When discovering something, it's important to ask why it is there, e.g. why is this service present/enabled.

Depending on the kind of business, we may be able to guess its needs, and thus guess which services should be present.

👻 To-do 👻

Things I found, but never read/used yet.

  • sudo arp-scan -l -I eth0
  • clFrex
  • find S3 Buckets awscli (, contentdiscovery)
  • S3 buckets (AWS), blobs (Azure), cloud storage (GCP): may be accessible without auth grayhatwarfare