I wanted to talk through some of the phases of a security engagement, so today I decided to speak on the discovery and intel gathering phase of an engagement, because where better to start than with the start. I will use the Nmap testing site(http://scanme.nmap.org/) as an example so I don't need to redact as much information.
Of course this is considering you have already decided who, or what your target is, whether that's through a scope of work or engagement letter, or wherever you gain your targets from,. I like to start with a search of crt.sh which is a a certificate search index, I have used in the past for other projects(e.g. I built a tool called Cipher-parse & crt-scanner that uses the results of crt.sh).
the results contain a list of all verified certificates for a given domain, this is one way to gain a list of available targets during your discovery phase if the target has domain names(another great tool is Sublist3r by aboul3la).
I often take that list of domains and create a TXT document in order to track for later.
only engage in Active scanning on targets you have explicit permission to engage with.
There are a wide range of tools you can use to get information about services used, ports open, and vulnerabilities available I often start with a NMAP, and Nikto scan for almost EVERYTHING, some things have stuck with me from early 90's hacker tutorials and their just stuck.
Nmap is the OG network mapping tool that many pentesters and hackers still use today, many tools over the years have attempted to replace NMAP and have done some things better and some things worse, NMAP is still here. since NMAP has a entire book dedicated to using NMAP I won't go into the details for them(they know it better than me), but I recommend looking into it.
You will get data on all ports available based the options you choose. I like version detection when it makes sense because.... basic version data.
Nikto is one of my favorite web vulnerability scanners, not because it catches everything, or anything useful like that, its simple, command line, open source and the things Nikto does it does well. and the creator Chris Sullo has been maintaining it since 2001, and I've been using it since.
Whenever you run Nikto you get nice easy to read output.
Although I included "vulnerability" scanners I would still consider all of this informational things just keep in mind, any active scanning should only be performed on targets you have explicit approval(i.e. in writing somewhere). with the information we have gathered so far a decent foot hold onto a targets landscape can be determined, whether you take the current target list and continue with further vulnerability scanning with something like greenbone or Nessus, or you take the domains into your Burp or Zap proxy and start enumerating site-maps is up to you.