ctf-recon

CTF Reconnaissance & Enumeration

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "ctf-recon" with this command: npx skills add ramzxy/ctf/ramzxy-ctf-ctf-recon


Web Reconnaissance

Initial Checks

Fetch and inspect

curl -v http://target/
curl -s http://target/ | head -100

Check common paths

for path in robots.txt sitemap.xml .env .git/HEAD .well-known/ admin api debug; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
  [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

Response headers

curl -sI http://target/ | grep -iE "(server|x-|powered|content-type|set-cookie)"

View page source for comments, JS, hidden forms

curl -s http://target/ | grep -iE "(<!--|flag|secret|admin|api|token|password)"

Technology Fingerprinting

Server identification

curl -sI http://target/ | grep -i "server:"

X-Powered-By, X-Framework, etc.

Common framework indicators

curl -s http://target/ | grep -ioE "(react|angular|vue|next|nuxt|flask|django|express|laravel|rails)"

JavaScript bundles

curl -s http://target/ | grep -oE 'src="[^"]*\.js"' | head -20

Check for source maps

curl -s http://target/main.js.map -o /dev/null -w "%{http_code}"

Directory/File Discovery

Common wordlist paths

/usr/share/wordlists/dirb/common.txt

/usr/share/seclists/Discovery/Web-Content/common.txt

ffuf for fuzzing

ffuf -u http://target/FUZZ -w wordlist.txt -mc 200,301,302,403
ffuf -u http://target/FUZZ -w wordlist.txt -e .php,.txt,.html,.js,.bak

gobuster alternative

gobuster dir -u http://target/ -w wordlist.txt

API Enumeration

Check common API paths

for path in api api/v1 api/v2 graphql api/docs swagger.json openapi.json; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/$path")
  [ "$code" != "404" ] && echo "[+] /$path -> $code"
done

Extract API endpoints from JS bundles

curl -s http://target/static/js/main.js | grep -oE '"/api/[^"]*"' | sort -u

GraphQL introspection

curl -s http://target/graphql -H "Content-Type: application/json" \
  -d '{"query":"{__schema{types{name fields{name}}}}"}'

Network Reconnaissance

Port Scanning

Quick TCP scan

nmap -sV -sC -T4 target

All ports

nmap -p- -T4 target

UDP scan (slow but important)

nmap -sU --top-ports 20 target

Service version detection

nmap -sV -p PORT target

Service Interaction

Banner grabbing

nc -v target port
echo "" | nc -w3 target port

SSL/TLS info

openssl s_client -connect target:443 </dev/null 2>/dev/null | openssl x509 -noout -text

DNS

dig target ANY
dig -t txt target
dig axfr @ns.target target   # Zone transfer attempt

Source Code Reconnaissance

Git Exposure

Check for exposed .git

curl -s http://target/.git/HEAD
curl -s http://target/.git/config

Dump with git-dumper

git-dumper http://target/.git/ ./dumped-repo

Extract from downloaded .git

cd dumped-repo && git log --all --oneline
git diff HEAD~5..HEAD                          # Changes in the last 5 commits (adjust the offset)
git log --all --diff-filter=D --name-only      # Deleted files
git show HEAD~3:secret.txt                     # Recover a deleted file from an earlier commit

Backup File Discovery

Common backup extensions

for ext in .bak .old .orig .save .swp '~'; do   # quote ~ so the shell does not expand it to $HOME
  code=$(curl -s -o /dev/null -w "%{http_code}" "http://target/index.php${ext}")
  echo "index.php${ext} -> $code"
done

Editor backups

curl -s http://target/.index.php.swp   # vim swap file
curl -s http://target/index.php~       # emacs backup
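Seen from the server side, the common-path, API-path, .git and backup checks above leave a recognisable trail in the access log. The following is an added example, not part of the upstream skill: it classifies requests against those same path patterns and flags a client that either probes several of them or receives a 2xx for a sensitive one. It assumes a combined (Apache/nginx-style) log format; the log lines and the threshold of 3 probes are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php.bak HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php~ HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /swagger.json HTTP/1.1" 404 0 "-" "curl/8.4.0"
192.0.2.7 - - [01/Jan/2024:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Jan/2024:10:00:07 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Captures client IP, method, request path and status from a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Path classes mirror the checks on this page: common paths, API paths, backup names.
PROBE_PATTERNS = [
    ("exposed-config", re.compile(r"^/(\.env|\.git/(HEAD|config))$")),
    ("backup-file", re.compile(r"(\.(bak|old|orig|save|swp)|~)$")),
    ("api-discovery", re.compile(r"^/(api(/v\d+)?|api/docs|swagger\.json|openapi\.json|graphql)$")),
    ("discovery-file", re.compile(r"^/(robots\.txt|sitemap\.xml|\.well-known)/?$")),
]

def classify(path):
    """Return the probe class for a request path, or None for ordinary traffic."""
    for label, rx in PROBE_PATTERNS:
        if rx.search(path):
            return label
    return None

def summarize(log_text, threshold=3):
    """Per IP: probe counts by class, sensitive 2xx paths, and a flag at `threshold` probes or any sensitive hit."""
    report = defaultdict(lambda: {"probes": defaultdict(int), "hits": [], "flag": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.group(1), m.group(3), int(m.group(4))
        label = classify(path.split("?", 1)[0])
        if label is None:
            continue
        entry = report[ip]
        entry["probes"][label] += 1
        if 200 <= status < 300 and label in ("exposed-config", "backup-file"):
            entry["hits"].append(path)
    for entry in report.values():
        entry["flag"] = sum(entry["probes"].values()) >= threshold or bool(entry["hits"])
    return dict(report)
```

Feed `summarize()` a real access log to see which clients walked these paths; a 2xx on an exposed-config or backup path is the finding to act on, since it means the file is actually being served.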

CTF-Specific Patterns

  • Challenge description is ALWAYS a hint — read every word

  • Challenge title often reveals the technique (e.g., "Inject" = injection, "Token" = JWT)

  • Points/difficulty indicate expected complexity

  • If a port is unusual, try connecting with nc first to see the banner

  • Multiple open ports often mean chaining vulnerabilities across services

  • Always check for custom HTTP headers in responses (X-Flag, X-Hint, etc.)

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
