Chapter 8 Exercises: Active Reconnaissance

Exercise 1: DNS Record Deep Dive

Difficulty: Beginner | Estimated Time: 30 minutes

Using dig or nslookup, query all common DNS record types (A, AAAA, MX, NS, TXT, SOA, CNAME, CAA) for an authorized target domain. For each record type that returns results, explain what the records reveal about the organization's infrastructure. Specifically identify: the email provider (from MX records), DNS hosting provider (from NS records), any cloud services (from TXT verification tokens), and the domain administrator's email (from SOA records). Document your findings in a structured table.

Exercise 2: Zone Transfer Testing

Difficulty: Beginner | Estimated Time: 30 minutes

Write a bash script (or Python script) that takes a domain as input, discovers all authoritative name servers, and attempts a zone transfer (AXFR) against each one. The script should clearly report whether each attempt succeeded or failed. Test it against intentionally vulnerable DNS servers in your lab (set up BIND with zone transfers enabled) and against authorized real-world targets. What percentage of name servers permit zone transfers?
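A starting point for this exercise, written here as an added example rather than the chapter's own solution. It takes the Python option: `dig` (from the BIND utilities) is assumed to be on PATH and is used both to discover the NS records and to request the transfer; dig's output is then classified (open, refused, timeout, error) rather than fully parsed, so the same classifier also works on saved dig output. The three sample outputs at the bottom are constructed, not captured from any real server.

```python
"""Zone transfer (AXFR) check for a domain you are authorized to test.

Added example for Exercise 2; it is not the chapter's own solution. It shells
out to `dig` (BIND utilities), which is assumed to be on PATH, and classifies
dig's output instead of parsing every record, so the same classifier also
works on saved dig output. The sample outputs at the bottom are constructed.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class AxfrResult:
    nameserver: str
    status: str   # "open", "refused", "timeout" or "error"
    records: int  # resource records received when the transfer is open


def classify_axfr_output(nameserver: str, output: str) -> AxfrResult:
    """Map dig's AXFR output to a status (dig prints '; Transfer failed.' on refusal)."""
    lowered = output.lower()
    if "transfer failed" in lowered:
        return AxfrResult(nameserver, "refused", 0)
    if "timed out" in lowered or "no servers could be reached" in lowered:
        return AxfrResult(nameserver, "timeout", 0)
    # Record lines are the non-empty lines that are not dig comments (';').
    records = [ln for ln in output.splitlines() if ln.strip() and not ln.startswith(";")]
    if records:
        return AxfrResult(nameserver, "open", len(records))
    return AxfrResult(nameserver, "error", 0)


def authoritative_nameservers(domain: str) -> List[str]:
    """Return the domain's NS targets, without trailing dots, via `dig +short NS`."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, timeout=15).stdout
    return sorted(ns.rstrip(".") for ns in out.split())


def attempt_axfr(domain: str, nameserver: str) -> AxfrResult:
    """Ask one name server for a full zone transfer and classify the answer."""
    try:
        out = subprocess.run(["dig", f"@{nameserver}", domain, "AXFR", "+time=5", "+tries=1"],
                             capture_output=True, text=True, timeout=30).stdout
    except subprocess.TimeoutExpired:
        return AxfrResult(nameserver, "timeout", 0)
    return classify_axfr_output(nameserver, out)


def summarize(results: List[AxfrResult]) -> dict:
    """Count open transfers and give the percentage the exercise asks for."""
    total = len(results)
    open_count = sum(1 for r in results if r.status == "open")
    percent = round(100.0 * open_count / total, 1) if total else 0.0
    return {"total": total, "open": open_count, "percent_open": percent}


def check_domain(domain: str) -> dict:
    """Discover name servers, try AXFR on each, and report per-server status."""
    results = [attempt_axfr(domain, ns) for ns in authoritative_nameservers(domain)]
    for r in results:
        print(f"{r.nameserver:40} {r.status:8} {r.records} records")
    return summarize(results)


# Constructed dig outputs (not captured from any real server) for offline checks.
OPEN_SAMPLE = """; <<>> DiG 9.18.0 <<>> @ns1.lab.test lab.test AXFR
;; global options: +cmd
lab.test.     3600 IN SOA ns1.lab.test. hostmaster.lab.test. 2024010101 3600 900 604800 86400
lab.test.     3600 IN NS  ns1.lab.test.
www.lab.test. 3600 IN A   10.0.0.10
lab.test.     3600 IN SOA ns1.lab.test. hostmaster.lab.test. 2024010101 3600 900 604800 86400
;; Query time: 2 msec
;; XFR size: 4 records (messages 1, bytes 190)
"""
REFUSED_SAMPLE = """; <<>> DiG 9.18.0 <<>> @ns2.lab.test lab.test AXFR
;; global options: +cmd
; Transfer failed.
"""
TIMEOUT_SAMPLE = """; <<>> DiG 9.18.0 <<>> @ns3.lab.test lab.test AXFR
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

if __name__ == "__main__":
    print(check_domain(sys.argv[1] if len(sys.argv) > 1 else "lab.test"))
```

Run it as `python3 axfr_check.py lab.test` against the BIND instance in your lab; on a successful transfer dig prints the zone's SOA record twice (opening and closing the transfer), which is why the constructed open sample counts four records for a three-record zone. Name servers that answer with `NOTAUTH` or an empty answer fall into `error`, which is worth listing separately from `refused` in your write-up.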

Exercise 3: Subdomain Brute Force Comparison

Difficulty: Intermediate | Estimated Time: 1.5 hours

Using the same authorized target, run subdomain brute forcing with three different tools: gobuster (DNS mode), Amass (active enumeration), and dnsrecon. Use the same wordlist for each tool (SecLists top-5000-subdomains). Compare the results: How many subdomains did each tool find? Were there subdomains unique to specific tools? Which tool was fastest? Which produced the fewest false positives? Document your findings in a comparison matrix.

Exercise 4: Subdomain Takeover Assessment

Difficulty: Intermediate | Estimated Time: 1 hour

Given a list of subdomains (from Exercise 3 or provided by your instructor), write a script that checks each subdomain for potential takeover vulnerabilities. Your script should: (1) resolve each subdomain's CNAME record, (2) check if the CNAME target points to a known vulnerable service (GitHub Pages, Heroku, AWS S3, etc.), (3) attempt to access the subdomain via HTTP/HTTPS and check for known error messages indicating an unclaimed service. Test against deliberately vulnerable lab environments.
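The three steps above, implemented as an added example (not the chapter's own code) so that the assessment logic can be checked offline on constructed records before it is pointed at a lab. Resolution uses `dig`, assumed to be on PATH, and fetching uses only the standard library. The `SERVICES` table is illustrative: the CNAME suffixes and "unclaimed resource" messages listed for GitHub Pages, Heroku and S3 are the commonly cited ones, but providers change their error pages and add regional endpoints, so the table must be kept current from each provider's actual responses. The hostnames and page bodies in `SAMPLE_RECORDS` are made up.

```python
"""Dangling-CNAME (subdomain takeover) candidate check.

Added example for Exercise 4, not the chapter's own code. The exercise's
three steps are split into resolve -> fetch -> assess so that assess() can be
run offline on the constructed records below. `dig` is assumed to be on PATH
for live resolution. SERVICES is illustrative and must be kept current.
"""
import subprocess
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CNAME suffix -> (service name, text the service shows for an unclaimed resource)
SERVICES = {
    "github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    "herokuapp.com": ("Heroku", "No such app"),
    "s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    service: str
    verdict: str  # "no-cname", "not-third-party", "claimed" or "dangling-candidate"


def match_service(cname: str) -> Optional[str]:
    """Return the SERVICES key whose suffix the CNAME target matches, if any."""
    host = cname.rstrip(".").lower()
    for suffix in SERVICES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def assess(subdomain: str, cname: str, body: str) -> Finding:
    """Steps 2 and 3 of the exercise applied to already-collected data."""
    if not cname:
        return Finding(subdomain, "", "", "no-cname")
    suffix = match_service(cname)
    if suffix is None:
        return Finding(subdomain, cname, "", "not-third-party")
    name, fingerprint = SERVICES[suffix]
    unclaimed = fingerprint.lower() in (body or "").lower()
    return Finding(subdomain, cname, name, "dangling-candidate" if unclaimed else "claimed")


def resolve_cname(host: str) -> str:
    """Step 1: the CNAME target from `dig +short CNAME`, or '' when there is none."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, timeout=15).stdout
    return out.strip().split("\n")[0] if out.strip() else ""


def fetch_body(host: str, timeout: int = 10) -> str:
    """Fetch the page over HTTPS, then HTTP; 4xx error pages are returned too,
    because that is where the 'unclaimed' message appears."""
    for scheme in ("https", "http"):
        req = urllib.request.Request(f"{scheme}://{host}/",
                                     headers={"User-Agent": "dangling-cname-check/0.1"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
    return ""


def audit(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Assess (subdomain, cname, body) triples and keep only takeover candidates."""
    return [f for f in (assess(*r) for r in records) if f.verdict == "dangling-candidate"]


def audit_live(subdomains: List[str]) -> List[Finding]:
    """Same as audit(), but collects the CNAME and page body from the network first."""
    records = []
    for sub in subdomains:
        cname = resolve_cname(sub)
        body = fetch_body(sub) if match_service(cname) else ""
        records.append((sub, cname, body))
    return audit(records)


# Constructed records for an offline run; the hosts and bodies are made up.
UNCLAIMED_PAGE = "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"
SAMPLE_RECORDS = [
    ("docs.lab.test", "orphaned-docs.github.io.", UNCLAIMED_PAGE),
    ("app.lab.test", "live-app.herokuapp.com.", "<html><body>Welcome</body></html>"),
    ("www.lab.test", "edge.cdn-provider.example.", "<html>ok</html>"),
    ("mail.lab.test", "", ""),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"{f.subdomain} -> {f.cname} ({f.service}): {f.verdict}")
```

A `dangling-candidate` verdict is only a lead: confirm it in the lab by checking whether the referenced resource really is unregistered, and record the CNAME chain, because some providers sit behind a second CNAME (a CDN hostname in front of the bucket, for example) that this single-hop `dig +short` lookup will not follow.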

Exercise 5: Web Technology Fingerprinting

Difficulty: Intermediate | Estimated Time: 1 hour

Fingerprint five web applications from an authorized target using at least three different methods: (1) HTTP header analysis using curl, (2) automated fingerprinting with WhatWeb, and (3) manual HTML source code analysis. For each application, identify: the web server, the programming language, any frameworks or CMS platforms, JavaScript libraries, and security headers present. Create a comprehensive technology inventory table.

Exercise 6: Security Header Audit

Difficulty: Intermediate | Estimated Time: 45 minutes

Write a Python script that audits a website's HTTP security headers. Your script should check for the presence and correct configuration of: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Assign a numeric score based on which headers are present and correctly configured. Grade the site (A through F). Test your auditor against 10 different websites and rank them by security header implementation.
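An auditor of this shape, added here as an example and not the chapter's reference solution. The scoring policy is an assumption chosen for the example: each of the six headers carries a weight summing to 100, a header earns its full weight when it passes the configuration check, half when it is present but weak, and nothing when absent; the "correct" conditions (HSTS `max-age` of at least one year, a CSP without `'unsafe-inline'`/`'unsafe-eval'`, `nosniff`, `DENY`/`SAMEORIGIN`, a non-leaking referrer policy, any non-empty Permissions-Policy) are a deliberately simple baseline you should refine. `fetch_headers` uses only the standard library; the two header sets at the bottom are constructed.

```python
"""HTTP security header auditor with a numeric score and letter grade.

Added example for Exercise 6, not the chapter's own solution. The weights and
the per-header 'correctly configured' rules are this example's assumptions.
The two header sets at the bottom are constructed, not fetched from any site.
"""
import http.client
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for a full-credit HSTS


def _hsts_ok(value: str) -> bool:
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip()) >= MIN_HSTS_MAX_AGE
            except ValueError:
                return False
    return False


def _csp_ok(value: str) -> bool:
    low = value.lower()
    has_base = "default-src" in low or "script-src" in low
    return has_base and "'unsafe-inline'" not in low and "'unsafe-eval'" not in low


def _nosniff_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def _xfo_ok(value: str) -> bool:
    return value.strip().upper() in {"DENY", "SAMEORIGIN"}


def _referrer_ok(value: str) -> bool:
    return value.strip().lower() in {"no-referrer", "same-origin", "strict-origin",
                                     "strict-origin-when-cross-origin"}


def _permissions_ok(value: str) -> bool:
    return bool(value.strip())


# (header name in lower case, weight, validator); weights sum to 100
CHECKS = [
    ("strict-transport-security", 25, _hsts_ok),
    ("content-security-policy", 25, _csp_ok),
    ("x-content-type-options", 10, _nosniff_ok),
    ("x-frame-options", 10, _xfo_ok),
    ("referrer-policy", 15, _referrer_ok),
    ("permissions-policy", 15, _permissions_ok),
]


def grade(score: int) -> str:
    """Letter grade on a conventional 90/80/70/60 scale."""
    for threshold, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


def audit_headers(headers: dict) -> dict:
    """Score a response header map; keys are matched case-insensitively."""
    norm = {k.lower(): v for k, v in headers.items()}
    score, details = 0, {}
    for name, weight, ok in CHECKS:
        if name not in norm:
            details[name] = "missing"
        elif ok(norm[name]):
            details[name] = "ok"
            score += weight
        else:
            details[name] = "weak"   # present but fails the configuration check
            score += weight // 2
    return {"score": score, "grade": grade(score), "details": details}


def fetch_headers(url: str, timeout: int = 10) -> dict:
    """GET the URL (HEAD is often blocked) and return its response headers."""
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.netloc, timeout=timeout)
    conn.request("GET", parsed.path or "/", headers={"User-Agent": "header-audit/0.1"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return headers


def audit_url(url: str) -> dict:
    return audit_headers(fetch_headers(url))


# Constructed header sets for an offline run.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "x-content-type-options": "nosniff",
    "referrer-policy": "unsafe-url",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(hdrs))
```

To rank ten sites, call `audit_url` for each and sort by `score`. Two caveats worth carrying into your report: a site may legitimately omit `X-Frame-Options` because its CSP carries `frame-ancestors`, which this simple checker does not credit, and a single `GET /` can miss headers that are only set on authenticated or application pages.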

Exercise 7: WAF Detection and Identification

Difficulty: Intermediate | Estimated Time: 45 minutes

Using wafw00f and manual analysis techniques, identify the Web Application Firewalls protecting five different websites. For each detected WAF, research: (1) the common bypass techniques, (2) the WAF's known limitations, (3) how the WAF's presence affects your testing approach. Create a decision tree that shows how different WAF detections should influence the subsequent penetration testing strategy.

Exercise 8: Content Discovery Campaign

Difficulty: Intermediate | Estimated Time: 1.5 hours

Run content discovery (directory/file brute forcing) against an authorized web application using feroxbuster or gobuster. Use at least two different wordlists (e.g., dirb/common.txt and dirbuster medium). For each interesting finding (200, 301, 302, 401, 403 responses), categorize the discovery: administrative interfaces, API endpoints, backup files, configuration files, development resources, or documentation. Which wordlist produced more unique findings? Did any findings represent security vulnerabilities?

Exercise 9: API Discovery and Documentation

Difficulty: Advanced | Estimated Time: 1.5 hours

For an authorized web application, discover and document its API surface. Check for: (1) exposed Swagger/OpenAPI documentation, (2) GraphQL introspection endpoints, (3) API endpoints referenced in JavaScript files (using LinkFinder or manual analysis), (4) API endpoints discovered through content discovery. Create a complete API map documenting each discovered endpoint, its HTTP method, expected parameters, and authentication requirements.

Exercise 10: Active Recon Methodology Lab

Difficulty: Advanced | Estimated Time: 3-4 hours

Conduct a complete active reconnaissance assessment of an authorized target (or HackTheBox/TryHackMe machine) following the methodology in Section 8.7. Your assessment must include: DNS enumeration (including zone transfer attempts), subdomain discovery (combining passive CT data with active brute forcing), web application fingerprinting, content discovery, and API enumeration. Document your findings in a professional reconnaissance report with an attack surface summary table (Section 8.9.1).

Exercise 11: Exposed Git Repository Exploitation

Difficulty: Advanced | Estimated Time: 1 hour

Set up a web server in your lab that exposes a .git directory (deliberately vulnerable configuration). Then: (1) detect the exposed git directory using content discovery, (2) use git-dumper to download the repository, (3) reconstruct the source code from the downloaded git objects, (4) analyze the commit history for any secrets that were committed and later removed. Document each step and explain the security implications.

Exercise 12: Virtual Host Discovery

Difficulty: Intermediate | Estimated Time: 45 minutes

Using gobuster (vhost mode) or ffuf, discover virtual hosts on a target web server. Set up a lab environment with an Nginx or Apache server hosting three virtual hosts: one public site, one administrative interface, and one development environment. Practice discovering the hidden virtual hosts by fuzzing the Host header. Document the technique, the wordlist used, and how you filtered false positives from the results.

Exercise 13: SSL/TLS Configuration Assessment

Difficulty: Intermediate | Estimated Time: 45 minutes

Using testssl.sh, sslscan, or nmap's ssl-enum-ciphers script, assess the SSL/TLS configuration of five different authorized web servers. For each server, document: (1) supported TLS protocol versions, (2) cipher suites offered (and which are considered weak), (3) certificate details (issuer, validity, SANs), (4) vulnerability to known attacks (BEAST, POODLE, Heartbleed, ROBOT). Rank the servers from most to least secure and provide remediation recommendations.

Exercise 14: Stealth vs. Speed Trade-offs

Difficulty: Advanced | Estimated Time: 1 hour

Against a target in your lab with an IDS (Snort or Suricata), run the same active reconnaissance workflow at three different speed settings: fast (50 threads, no delays), moderate (10 threads, small delays), and stealthy (1 thread, random delays). Compare: (1) How many IDS alerts did each approach generate? (2) How long did each approach take? (3) Did the slow approaches miss any findings? Write a recommendation for when each speed setting is appropriate.

Exercise 15: Building an Automated Recon Pipeline

Difficulty: Advanced | Estimated Time: 2-3 hours

Create a bash script that automates the active reconnaissance workflow from Section 8.7. Your pipeline should: (1) take a domain as input, (2) perform DNS enumeration, (3) discover subdomains, (4) check for live hosts using httpx, (5) fingerprint web technologies, (6) check for subdomain takeovers, (7) perform content discovery on key targets, and (8) generate a summary report. Include error handling, rate limiting, and progress indicators. Test your pipeline against a lab environment.