This module translates OSINT and reconnaissance into a prioritized, risk-aware scanning plan that finds real issues without causing harm or legal exposure. It covers rules of engagement, target prioritization, discovery techniques, timing, evasion trade-offs, a checklist/pseudocode strategy, a cautious nmap example, and an ethical closing challenge.
Scanning Strategy and Target Selection — The Tactical Art of Not Getting Arrested (or Fired)

You already did the homework: OSINT, registries, social engineering pretexting, and a Python-powered conveyor belt of intel. Now we turn that mountain of juicy metadata into a focused, ethical scanning pla...
Why this matters (and why your recon spreadsheet is now a battle map)

You learned to collect facts about targets in previous modules. Now the problem is: you cannot scan everything, everywhere, at once. Targets must be chosen and scanned with intent and care. The goal here is efficient discovery ...
Big rules before we even start

Do not scan without explicit authorization. Always verify the scope, time window, and rules of engagement. This is not optional. It is ethical hacking 101. Document everything. What you ran, when, from where, and why. If something breaks, the log saves lives (and ...
1) Build a prioritized target list (the tactical shortlist)

You should not treat all hosts equally. Use OSINT and business context to rank targets by impact, accessibility, and likelihood of vulnerability. Steps to prioritize: Map business function: which hosts support critical services (auth...
2) Choose discovery techniques — speed vs stealth vs coverage table

Technique | Coverage | Speed | Detectability / IDS footprint | Best when...
ARP sweep (LAN) | High for local subnet | Very fast | Low on LAN, not visible beyond switch | You are on the same VLAN
ICMP ping sweep | Moderate ...
3) Scanning cadence and windows (the gentle art of timing)

Schedule scans in agreed maintenance windows when possible. Use gradual ramp-up: start with low rate and increase if harmless. Use off-peak hours for broader sweeps, but coordinate with on-call teams. Consider short, focused bursts ...
4) Evasion techniques — plan, don’t weaponize

Evasion is not about being sneaky for creeper reasons. It’s about reducing false positives and avoiding accidental denial-of-service on fragile services. Always get approval. Common techniques and trade-offs: Low-and-slow scanning (-T0/-T1 styles)...
5) A simple scanning strategy template (use this as a checklist)

Confirm authorization, scope, and R.o.E. (Rules of Engagement). Who owns the IP ranges? Time windows? Build prioritized target list from OSINT and asset inventory. Select discovery methods per target (ARP for LAN; SYN for public s...
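The shortlist logic from section 1 and the checklist steps above, worked through as an added Python example (not part of the module's own material): it drops any host outside the agreed scope before anything else, scores the rest by impact, accessibility and OSINT-derived likelihood, and picks a discovery method and timing per target. The scope ranges, role weights and sample assets are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed scope, standing in for the ranges named in a real RoE document.
AUTHORIZED_SCOPE = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("10.10.0.0/16")]

# Impact weight per business function (assumption: tune per engagement).
ROLE_IMPACT = {"auth": 5, "payments": 5, "vpn": 4, "web": 3, "printer": 1}

@dataclass
class Asset:
    ip: str
    role: str          # business function from the asset inventory
    exposure: str      # "internet" or "lan"
    osint_hits: int    # recon findings (exposed versions, leaked creds, ...)

def in_scope(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCOPE)

def score(a: Asset) -> int:
    # impact > accessibility > likelihood, so critical hosts lead the list
    impact = ROLE_IMPACT.get(a.role, 2)
    accessibility = 3 if a.exposure == "internet" else 1
    likelihood = min(a.osint_hits, 5)
    return impact * 3 + accessibility * 2 + likelihood

def discovery_method(a: Asset) -> dict:
    # Per the module's table: ARP on the local VLAN, slow SYN probes elsewhere.
    if a.exposure == "lan":
        return {"method": "arp", "timing": "-T3"}
    return {"method": "syn", "timing": "-T2", "max_rate": 50}

def build_plan(assets: list[Asset]) -> tuple[list[dict], list[str]]:
    plan, rejected = [], []
    for a in assets:
        if not in_scope(a.ip):
            rejected.append(a.ip)   # logged and skipped, never scanned
            continue
        plan.append({"ip": a.ip, "score": score(a), **discovery_method(a)})
    plan.sort(key=lambda e: e["score"], reverse=True)
    return plan, rejected

# Constructed asset inventory; the last entry is deliberately out of scope.
SAMPLE_ASSETS = [Asset("203.0.113.10", "web", "internet", 1),
                 Asset("203.0.113.20", "auth", "internet", 3),
                 Asset("10.10.5.7", "printer", "lan", 0),
                 Asset("10.10.5.8", "payments", "lan", 2),
                 Asset("198.51.100.5", "vpn", "internet", 4)]
```

Running build_plan(SAMPLE_ASSETS) puts the internet-facing auth host first and reports 198.51.100.5 as rejected, which is the line item you want in the engagement log.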
6) Example sanitized nmap command (for learning, with permission)

# Example: cautious SYN discovery with reduced speed and logging
nmap -sS -Pn -p 1-1024 --min-rate 50 -T2 -oA cautious_scan example[.]com

-sS: SYN probe (stealthy relative to full connect)
-Pn: skip host discovery if you know h...