1. Theory
A. Why Reconnaissance Matters
Reconnaissance is the first active step in a web penetration test. Before launching attacks, you need to map the application and identify its components:
- What server software is running? (Apache, Nginx, IIS)
- What programming languages/frameworks are in use? (PHP, Python, Java, etc.)
- What directories, files, and hidden endpoints exist?
- What user input is possible?
The more information you gather, the more precise and effective your attacks will be.
B. Types of Reconnaissance
- Passive Reconnaissance (OSINT):
- Gathering info without directly interacting with the target.
- Examples: WHOIS lookups, Google dorking, analyzing metadata.
- Active Reconnaissance:
- Interacting with the target system directly.
- Examples: Nmap scanning, directory brute forcing, banner grabbing.
C. Key Techniques & Tools
- Port Scanning & Service Enumeration:
nmapfor discovering open ports and services.
- Banner Grabbing:
- Extracting information from services to identify versions.
- Example:
curl -I http://<target>
- Directory & File Enumeration:
- Tools:
dirb,gobuster,feroxbuster. - Goal: Find hidden files (e.g.,
/admin/,/backup.zip).
- Tools:
- Technology Fingerprinting:
- Identify frameworks, CMS, or scripting languages.
- Tools:
whatweb,wappalyzer.
2. Hands-On Exercise
Objective: Map a target web application (your Metasploitable web services).
Step 1: Identify Running Services (Nmap)
Using Nmap, we can run a scan against our target machine to determine what services and ports are running on the server. From the output below you can see Apache Version 2.2.8 on Ubuntu Operating system.
──(ehis㉿ehis)-[~]
└─$ nmap -sV -p 80,443 192.168.71.128
Starting Nmap 7.93 ( https://nmap.org ) at 2025-09-02 09:49 EDT
Nmap scan report for 192.168.71.128
Host is up (0.0071s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.13 seconds
-sV→ Detects service versions.-p-→ Scans all 65535 ports.- Look for ports 80/443 (HTTP/HTTPS) and note the server version.
Step 2: Grab Server Banners
Similar to Nmap scan above, “Grab Server Banners” refers to the process of retrieving and analyzing the server’s response headers, specifically the “banner” information that the server discloses. These banners typically include details about the web server software (e.g., Apache, Nginx, IIS), its version, and sometimes other components or technologies used.
Purpose
- Identify Server Software and Version: Knowing the exact server software and version helps a pentester determine if there are known vulnerabilities associated with that version.
- Fingerprinting: Helps in mapping the technology stack and environment.
- Attack Surface Reduction: By understanding the server, the tester can tailor attacks or verify if the server is exposing unnecessary information.
How to Grab Server Banners using the Curl tool
From your Kali terminal, type the following command
curl -I http://192.168.71.128/dvwa┌──(ehis㉿ehis)-[~]
└─$ curl -I http://192.168.71.128/dvwa
HTTP/1.1 301 Moved Permanently
Date: Tue, 02 Sep 2025 12:27:19 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Location: http://192.168.71.128/dvwa/
Content-Type: text/html; charset=iso-8859-1
-I→ Fetches HTTP headers only.- Look for
Server:header (e.g., Apache/2.2.8).
Step 3: Enumerate Directories and Files
Using dirb (pre-installed in Kali):
dirb http://<target-ip>/ /usr/share/wordlists/dirb/common.txtOutput
┌──(ehis㉿ehis)-[~]
└─$ dirb http://192.168.71.128/ /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Sep 2 12:52:20 2025
URL_BASE: http://192.168.71.128/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.71.128/ ----
==> DIRECTORY: http://192.168.71.128/.config/
.....
---- Entering directory: http://192.168.71.128/.config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
.....
---- Entering directory: http://192.168.71.128/phpMyAdmin/setup/ ----
+ http://192.168.71.128/phpMyAdmin/setup/config (CODE:303|SIZE:1370)
...
---- Entering directory: http://192.168.71.128/twiki/bin/ ----
+ http://192.168.71.128/twiki/bin/attach (CODE:200|SIZE:4360)
....
---- Entering directory: http://192.168.71.128/phpMyAdmin/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.71.128/twiki/pub/Main/ ----
-----------------
END_TIME: Tue Sep 2 12:53:22 2025
DOWNLOADED: 32284 - FOUND: 56
- Identify hidden directories like
/admin/,/uploads/,/phpmyadmin/.
Step 4: Fingerprint Web Technologies
To fingerprint web technologies using WhatWeb, you use it to scan a target website and identify the underlying technologies like web servers, CMS, frameworks, programming languages, analytics tools, and more.
WhatWeb Basics
- Installation: On Kali Linux or Debian-based:
sudo apt install whatweb
- Already installed in Kal
Basic Usage:
whatweb http://targetsite.comThis command outputs detected technologies, versions, and server info. Example output: Apache[2.2.8], PHP[5.2.4], MySQL
Example Output
┌──(ehis㉿ehis)-[~]
└─$ whatweb http://192.168.71.128
http://192.168.71.128 [200 OK] Apache[2.2.8], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) DAV/2], IP[192.168.71.128], PHP[5.2.4-2ubuntu5.10], Title[Metasploitable2 - Linux], WebDAV[2], X-Powered-By[PHP/5.2.4-2ubuntu5.10]How it works
WhatWeb uses pattern matching on:
- HTTP headers
- HTML source code
- URL paths
- Cookies
- JavaScript files
- Response behaviors
Use case in pentesting
- Identify CMS, plugins, server software, frameworks, analytics tools.
- Check for outdated versions or vulnerable components.
- Assist in crafting targeted exploits or payloads.
Step 5: Document Findings
Create a small Recon Table for each web app:
| Service | URL | Technology | Notes |
|---|---|---|---|
| HTTP | http://<target>/dvwa | Apache 2.2.8, PHP 5.2.4 | DVWA login page |
| HTTP | http://<target>/mutillidae | Apache 2.2.8, PHP 5.2.4 | Multiple test forms |
✅ Lesson Outcome:
By the end of Lesson 2, you should be able to:
- Identify what services and technologies a target is running.
- Enumerate hidden directories and files.
- Gather enough reconnaissance data to plan targeted attacks (like SQLi or XSS).
I’m Emmanuel Okaiwele, a Secure Web Developer, Offensive Security Engineer, Member Cybersecurity Experts Association of Nigeria – CSEAN, and the founder of Nebitex Africa — a platform dedicated to making cybersecurity simple, practical, and accessible for Africans.
