An attack starts at that point, where you are scanning the server, you are testing the wlan, plug in the RasPi in the network jack …….
Sorry, that’s wrong.
An effective attack starts earlier, it starts with the information gathering, collecting enough and reliable informations.
Is there only one hardened webserver or are there other (vulnerable) servers, which yo can take for an attack? Is there only one domain or are ther domains with an other not recognized TLD or subdomains with other IPs? Is there a possibility for social engineering?
Yes, information gathering is time-consuming, but starting a full-scan with nmap or nessus without good informations can stop your attack before it starts. Enough and reliable informations are important for an effective attack.
On the other side an IT-Security-Officer should take a look on the informations, which are readable in the internet. Are there unnecessary ports, which you dont need to open, are mail-addresses machine-readable inside your website? Do you have personal addresses with full names (nice for social engineering) or mails per function like office, accounting, human-ressources?
These topics will be processed in this area.