# Your First Steps

Setup done? Good. Now do something with it.

This section walks you through running your first commands against targets you own or have explicit permission to test. If you run these against random IPs you found on Shodan, don't come crying when your ISP calls.
## Your First nmap Scan

nmap is the Swiss Army knife of security testing. Learn it, love it, memorize the flags.

```bash
# Simple port scan against your own machine
nmap localhost

# More detailed — version detection + default scripts
nmap -sV -sC localhost

# Service and OS detection
nmap -sV -O localhost
```

What you're looking at:

* PORT — the open port number and protocol
* STATE — open/filtered/closed
* SERVICE — what nmap guesses is running
* VERSION — actual version if you used -sV
```bash
# Scan a range — use with CAUTION, only on your own infrastructure
nmap -sS -sV -p- -T4 192.168.1.0/24
```

That -p- scans all 65535 ports. Expect it to take a while.
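Once you can read the PORT/STATE/SERVICE/VERSION columns, the next thing you want is to compare a scan of your own box against what you expect to be listening. The script below is an added example, not part of this guide: it parses nmap's XML output (`-oX`, the machine-readable form of the same table) and reports any open port that is missing from a baseline you declare. The XML embedded in it is a constructed sample that follows nmap's real `-oX` layout; produce a real one with `nmap -sV -oX scan.xml localhost`.

```python
"""Turn nmap XML output (-oX) into the PORT/STATE/SERVICE/VERSION view
and diff the open ports against an expected baseline.

Added example; not part of the original guide. SAMPLE_XML is a
constructed document in nmap's -oX layout (nmaprun > host > ports > port).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: what `nmap -sV -oX scan.xml localhost` might write
# on a box running SSH and nginx, with 443 filtered by a local firewall.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml localhost">
  <host>
    <status state="up"/>
    <address addr="127.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    protocol: str
    state: str
    service: str
    version: str


def parse_nmap_xml(xml_text: str) -> list[PortRecord]:
    """One record per <port> element, mirroring the columns of nmap's text table."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            state = state_el.get("state", "unknown") if state_el is not None else "unknown"
            service = svc_el.get("name", "") if svc_el is not None else ""
            # The VERSION column is only filled in when -sV ran: product + version.
            parts = (svc_el.get("product", ""), svc_el.get("version", "")) if svc_el is not None else ()
            version = " ".join(p for p in parts if p)
            records.append(PortRecord(addr, int(port.get("portid")),
                                      port.get("protocol", "tcp"), state, service, version))
    return records


def open_ports(records: list[PortRecord]) -> list[int]:
    return sorted(r.port for r in records if r.state == "open")


def unexpected_open(records: list[PortRecord], baseline: set[int]) -> list[int]:
    """Open ports that the documented baseline does not account for."""
    return [p for p in open_ports(records) if p not in baseline]


def format_table(records: list[PortRecord]) -> str:
    lines = [f"{'PORT':<10}{'STATE':<10}{'SERVICE':<10}VERSION"]
    for r in records:
        lines.append(f"{str(r.port) + '/' + r.protocol:<10}{r.state:<10}{r.service:<10}{r.version}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    print(format_table(recs))
    # Baseline says only SSH should be reachable; port 80 is the surprise.
    print("open but not in baseline {22}:", unexpected_open(recs, {22}))
```

Swap `SAMPLE_XML` for `open("scan.xml").read()` and put your real expected ports in the baseline set; anything the function returns is a service you did not know was listening.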
## Your First Directory Bust

Web servers have hidden paths — config files, admin panels, backup directories — that aren't linked anywhere but still accessible.

```bash
# Basic directory busting with ffuf
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# With file extension filtering
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt \
     -e .php,.asp,.txt,.bak

# Filter out false positives by status code
ffuf -u https://example.com/FUZZ -w /usr/share/wordlists/dirb/common.txt \
     -fc 403,404
```

Understanding the output:

* Status 200 — file exists and is accessible
* Status 301/302 — redirect (could still be useful)
* Status 403 — exists but forbidden (note this for later)
* Status 404 — doesn't exist (or the server lies — some do)
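The "server lies" case is the one that burns beginners: a catch-all handler answers 200 for every path, so filtering by status code alone leaves you with hundreds of "hits". The script below is an added example (not from this guide or the ffuf project) that reads ffuf's JSON output, sorts results into the buckets listed above, and detects a catch-all by noticing that most 200s share one response length. The JSON inside it is constructed in the shape ffuf writes with `-o results.json -of json`.

```python
"""Triage ffuf JSON output by status bucket and catch wildcard (catch-all)
responses that make every wordlist entry look like a real file.

Added example; not from the guide or from ffuf. SAMPLE_JSON is constructed
in the shape of `ffuf ... -o results.json -of json`: a top-level "results"
list whose entries carry "url", "status", "length" and "redirectlocation".
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one real hit (/admin), one forbidden path, one redirect,
# and six wordlist entries that all got the same 512-byte catch-all page.
SAMPLE_JSON = json.dumps({"results": [
    {"url": "https://example.com/admin", "status": 200, "length": 3000, "redirectlocation": ""},
    {"url": "https://example.com/backup", "status": 403, "length": 162, "redirectlocation": ""},
    {"url": "https://example.com/login", "status": 301, "length": 0, "redirectlocation": "/auth/"},
    *[{"url": f"https://example.com/{w}", "status": 200, "length": 512, "redirectlocation": ""}
      for w in ("images", "js", "css", "old", "tmp", "static")],
]})

STATUS_BUCKET = {200: "exists", 301: "redirect", 302: "redirect", 403: "forbidden", 404: "missing"}


def bucket(status: int) -> str:
    if status in STATUS_BUCKET:
        return STATUS_BUCKET[status]
    return "redirect" if 300 <= status < 400 else "other"


def triage(json_text: str) -> dict[str, list[str]]:
    """Group result URLs by the bucket names used in the section above."""
    groups = defaultdict(list)
    for r in json.loads(json_text)["results"]:
        groups[bucket(r["status"])].append(r["url"])
    return dict(groups)


def wildcard_length(json_text: str, min_share: float = 0.75, min_hits: int = 5):
    """Response length shared by the bulk of the 200s, or None.

    Unrelated wordlist entries all answering 200 with an identical body size
    is the signature of a catch-all page, not of many real files.
    """
    sizes = [r["length"] for r in json.loads(json_text)["results"] if r["status"] == 200]
    if len(sizes) < min_hits:
        return None
    length, count = Counter(sizes).most_common(1)[0]
    return length if count / len(sizes) >= min_share else None


def real_hits(json_text: str) -> list[str]:
    """200 responses with the catch-all-sized ones removed."""
    noise = wildcard_length(json_text)
    return [r["url"] for r in json.loads(json_text)["results"]
            if r["status"] == 200 and r["length"] != noise]


if __name__ == "__main__":
    for name, urls in triage(SAMPLE_JSON).items():
        print(f"{name:<10} {len(urls)} result(s)")
    print("catch-all length:", wildcard_length(SAMPLE_JSON))
    print("worth a look:", real_hits(SAMPLE_JSON))
```

When the script reports a catch-all length, rerun ffuf with its size filter (`-fs <length>`) so the noise never reaches the output in the first place.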
## Your First Subdomain Enumeration

Subdomains reveal attack surface that the main domain hides. Companies often secure example.com while their dev.example.com runs a test instance with default credentials.

```bash
# Passive — no direct contact with target
subfinder -d example.com -o subdomains.txt

# Active — uses DNS brute forcing
dnsrecon -d example.com -D /usr/share/wordlists/dns/subdomains-top1million.txt -t brt

# Combined approach
assetfinder --subs-only example.com
```
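Three tools means three lists with different casing, trailing dots and wildcard entries, and passive sources in particular will hand you names that merely contain your domain (`example.com.attacker.net`) or belong to a lookalike you are not authorised to touch. The script below is an added example, not part of this guide or of any of those projects: it merges the lists, normalises each name, validates it as a hostname and keeps only names that are truly under the authorised root. The three inline lists are constructed; real subfinder and assetfinder output is one hostname per line, and treating dnsrecon's output the same way is an assumption for the sake of the example.

```python
"""Merge subdomain lists from several tools into one deduplicated,
in-scope list ready for the HTTP probing step.

Added example; not from the guide or from subfinder/dnsrecon/assetfinder.
The three *_OUT strings are constructed sample output, one name per line.
"""
import re

# Labels of letters/digits/hyphens joined by dots, ending in an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

SUBFINDER_OUT = """dev.example.com
Dev.example.com
api.example.com.
"""
ASSETFINDER_OUT = """api.example.com
www.example.com
*.example.com
cdn.example-assets.net
examplecompany.com
"""
DNSRECON_OUT = """mail.example.com
evil.example.com.attacker.net
"""


def normalise(raw: str) -> str:
    """Lower-case, drop trailing dot, drop a leading wildcard label."""
    name = raw.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, root: str) -> bool:
    """Suffix check anchored on a dot: example.com.attacker.net must not pass."""
    return name == root or name.endswith("." + root)


def merge_scoped(outputs: list[str], root: str) -> tuple[list[str], list[str]]:
    """Return (kept, dropped): kept names are valid hostnames under root."""
    kept, dropped = set(), set()
    for text in outputs:
        for line in text.splitlines():
            name = normalise(line)
            if not name:
                continue
            if HOSTNAME_RE.match(name) and in_scope(name, root):
                kept.add(name)
            else:
                dropped.add(name)
    return sorted(kept), sorted(dropped)


if __name__ == "__main__":
    kept, dropped = merge_scoped([SUBFINDER_OUT, ASSETFINDER_OUT, DNSRECON_OUT], "example.com")
    print("in scope:", *kept, sep="\n  ")
    print("dropped (review before touching any of these):", *dropped, sep="\n  ")
    # Write the clean list for the httpx step; uncomment when running for real.
    # open("subdomains.txt", "w").write("\n".join(kept) + "\n")
```

Keep the dropped list too: a lookalike domain registered by someone else is exactly the kind of thing you report, not scan.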
## Your First HTTP Probing

Not all subdomains respond — figure out which ones are alive.

```bash
# Check which subdomains respond to HTTP/HTTPS
cat subdomains.txt | httpx -o alive.txt

# With status code and title
cat subdomains.txt | httpx -status-code -title -o detailed.txt

# Screenshot alive hosts
cat subdomains.txt | httpx -screenshot -o screenshots/
```
## Common Problems and Fixes

* Problem: `nmap: command not found`. Fix: `sudo apt install nmap`
* Problem: `ffuf: command not found`. Fix: `go install github.com/ffuf/ffuf/v2@latest`
* Problem: `Permission denied`. Fix: you need root for SYN scans (`sudo nmap -sS`); regular users can use connect scans (`nmap -sT`).
## What Success Looks Like

When you run these commands, you should see:

* Ports listed with STATE "open"
* Directory busting returns some 200 status codes
* Subdomain enumeration finds at least a few subdomains

If everything returned "0 results" or "closed" — either your target is well-hardened or you're doing something wrong, probably the latter if you're just starting.