Information Gathering
Whois
Whois is a protocol used for querying databases that store an Internet resource’s registered users or assignees. You can provide:
- Domain -> info about it such as name server, registrar, etc.
- IP -> info about who is hosting the IP address
whois example.com
# whois by specifying a whois server
whois example.com -h 192.168.5.5
# Perform a reverse lookup
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.5.5
Netcraft
Netcraft is an ISP that offers a free web portal for information gathering (technologies, subdomains, etc.).
Open-Source Code
Gather information through GitHub, GitLab, etc.
- Manual
- Automatic
Google Dorks
Example
# Restrict the search to example.com and subdomains
site:example.com
# Restrict the search to example.com and subdomains and exclude HTML pages
site:example.com -filetype:html
# Search for pages with 'index of' in the title and 'parent directory' in the content
intitle:"index of" "parent directory"
Shodan
Shodan is a search engine for internet-connected devices, including servers, routers, and IoT devices.
DNS Enumeration
Manual
host example.com # List of ipv4 & ipv6 address
host -t mx example.com # List of email servers
host -t txt example.com # List of TXT records
dig +short a zonetransfer.me # List of ipv4 address
dig +short mx zonetransfer.me # List of email servers
dig +short -x 192.246.126.3 # Reverse lookups
dig +short ns zonetransfer.me # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server. (zone transfer attack)
nslookup example.com # Works on Windows
Automatic
There are several tools…
- dnsrecon
dnsrecon -d example.com -t std # Standard enumeration
dnsrecon -d example.com -t brt -D list.txt # Brute force subdomain enum
- sublist3r enumerates subdomains using search engines such as Google and sources such as DNSdumpster. It also supports brute force.
sublist3r -d example.com
All in one
- amass: network mapping and external asset discovery using open source information gathering and active reconnaissance techniques
- theHarvester: gathers names, emails, IPs, subdomains, and URLs by using multiple public resources
theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo
Port Scanning
Netcat
# Scan TCP
nc -nvv -w 1 -z 192.168.5.5 100-102
# Scan UDP (highly unreliable: firewalls/routers may drop ICMP packets,
# leading to false positives)
nc -nv -u -z -w 1 192.168.5.5 120-123
Nmap
# [TCP] Stealth scan (default if you're root)
# It will not appear in application logs, but modern firewalls log it
sudo nmap -sS 192.168.5.5
# TCP Connect Scanning (default if you're not root)
nmap -sT 192.168.5.5
# UDP Scan
nmap -sU 192.168.5.5
# Scan all TCP ports
nmap -p- 192.168.5.5
# Scan a single port
nmap -p 5 192.168.5.5
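The comment on the stealth scan above notes that modern firewalls still log it. As an added example that is not part of the original cheat-sheet, the following Python detector reads netfilter-style firewall log lines (a constructed sample; the hosts, timestamps and the "5 distinct ports within 60 seconds" threshold are assumptions) and reports sources that probed many distinct ports in a short window, which is the footprint an nmap -sS or nc -z sweep leaves in such logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter/iptables LOG lines (not real traffic): 192.168.5.77
# sweeps several ports within seconds, 192.168.5.20 only opens 443 and 80.
SAMPLE_LOG = """\
Mar 12 10:15:01 fw kernel: [DROP] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41000 DPT=100 SYN
Mar 12 10:15:01 fw kernel: [DROP] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41001 DPT=101 SYN
Mar 12 10:15:02 fw kernel: [DROP] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41002 DPT=102 SYN
Mar 12 10:15:03 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.168.5.20 DST=192.168.5.5 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
Mar 12 10:15:09 fw sshd[812]: Accepted publickey for ops from 192.168.5.20 port 52010
Mar 12 10:15:20 fw kernel: [DROP] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41003 DPT=22 SYN
Mar 12 10:15:21 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41004 DPT=80 SYN
Mar 12 10:15:22 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.168.5.77 DST=192.168.5.5 LEN=44 PROTO=TCP SPT=41005 DPT=443 SYN
Mar 12 10:16:40 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.168.5.20 DST=192.168.5.5 LEN=60 PROTO=TCP SPT=52011 DPT=80 SYN
"""

# The bracketed --log-prefix after "kernel:" varies per ruleset, so it is skipped lazily.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, src, dst, proto, dst_port), or None for non-firewall lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_scans(log_text, min_ports=5, window_s=60):
    """Map each source that probed at least min_ports distinct destination ports
    inside some window_s-second window to the sorted list of those ports."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, _dst, _proto, dpt = parsed
            events[src].append((ts, dpt))
    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _port) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if (ts - start).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

Running detect_scans(SAMPLE_LOG) flags only 192.168.5.77; the sshd line is ignored by the parser and the second host never reaches the threshold.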
Host Discovery (nmap)
-sn option
The default host discovery done with -sn consists of an ICMP echo request. But when a privileged user scans targets on a local ethernet network, ARP requests are used instead.
nmap -sn 192.168.1.0/24
-PS option
nmap -sn -PS 192.168.1.5
This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.
Note: you should also use other ports to better detect hosts.
nmap -sn -PS22-25 192.168.1.5
Other options
-PA (ACK flag is set instead of the SYN flag). Default port: 80
-PU (sends a UDP packet). Default port: 40125
-PY (sends an SCTP packet). Default port: 80
Port Scanning (nmap)
Use nmap documentation to understand the differences between port scans
nmap -p- 192.168.1.5 # Scan all TCP ports
nmap -sU --top-ports 25 <ip> # Suggestion for udp scan
Script engine: For more info read nmap documentation
--script <filename>|<category>|<directory>|<expression>
-sC
Runs a script scan using the default script set. It is the equivalent of --script=default
nmap --script "default or safe" <ip> # Load all scripts that are in the default, safe, or both categories.
Website Recon
- Web App Technology Fingerprinting
- wappalyzer (extension)
- builtwith (extension)
whatweb example.com
- Look for hidden directory/files:
http://example.com/robots.txt
http://example.com/sitemap.xml
- WAF Detection
wafw00f http://example.com -a
- Download website source
- httrack
- waybackmachine