- Basic familiarity with Linux
- Basic familiarity with web technologies
- Differences between active and passive information gathering
- Perform passive and active information gathering with various tools and resources
🗒️ Information gathering (Reconnaissance) is the initial stage of any penetration test and one of the most important phase.
- It involves finding out as much information as possible about a targeted individual, website, company or system.
- The more information a pentester has on a target, the more successful and easier the latter stages of a pentest will be. It depends on the scope of the penetration test too.
E.g.1- Pentest on a Website: web technology, vulnerabilities, IP address of the hosting server.E.g.2- Pentest on a public facing assets and some internal systems, there can be more attack vectors:- gain access to the internal network through the public facing web server (one access vector)
- during the info-gathering phase, learn more about the company employees (names, email addresses, credentials), getting this important information (useful for exploitation or initial access) by using phishing attacks, malicious attachments via email (another access vector)
🗒️ Passive information gathering involves obtaining as much data as possible without actively interacting with the target.
- The pentester uses what's available on the Internet.
E.g.- Website: utilizing publicly accessible information and resources of that particular website, through the browser, public IP address of the webserver hosting that website, etc.
- IP addresses, DNS, domain names and domain ownership
- Email addresses, social media profiles
- Web technologies, subdomains
🗒️ Active information gathering involves obtaining as much information as possible by actively engaging with the target.
❗An authorization is required to conduct active information gathering.
- The target will be aware of the attacker's engagement.
E.g.- Website: perform a port scan of the webserver IP address (found with passive info gathering) usingnmaptool to identify the open ports and running services. Identify exploitable vulnerabilities on those services and consequently access the web server.
- Open ports, internal network/organization infrastructure
- Enumeration target info
📌 From the The Pentester's Code of Conduct - by Sherri Davidoff
- Know your scope.
- Do not exceed your scope.
- Take responsibility.
- Only hack when under signed contract.
- Verify your targets well in advance of the start of an engagement, and have the list in writing.
- Do a thorough and complete job.
- Take careful notes.
- Upload your evidence to a central repository as soon as you can.
- Know your client.
- Communicate with your teammates, your client, and your project managers.
- Know your limitations and do not exceed them.
- Treat all others with respect.
- Own your mistakes.
- Include your best suggestions for a solution when reporting a problem.
- Google first, then ask questions.
- Share your knowledge.
- Above all, exercise common sense.
🚩🔬 zonetransfer.me domain will be utilized for training purposes and examples.
🗒️ Footprinting is like reconnaissance, with more important information about a particular target.
| What to look for in a Website? |
|---|
| IP addresses of the web server |
| Hidden directories |
| Names, Email addresses |
| Phone numbers |
| Physical Addresses |
| Web technologies |
E.g. - Passive Reconnaissance on hackersploit.org:
hostcommand
host hackersploit.org
hackersploit.org has address 188.114.97.7
hackersploit.org has address 188.114.96.7
hackersploit.org has IPv6 address 2a06:98c1:3121::7
hackersploit.org has IPv6 address 2a06:98c1:3120::7
hackersploit.org mail is handled by 0 _dc-mx.2c2a3526b376.hackersploit.org.- 2 IP addresses found - the website is behind Cloudflare proxy.
- Check the DNSLytics Report too.
- Social Links at the bottom of the main page:
robots.txtfile - https://hackersploit.org/robots.txt
- Avoid having the site indexed by search engines by using the "Disallow" feature, which lets the site owner designate which file or folder not to index.
/wp-contentindicates that the website is running Wordpress
sitemap.xmlfile - https://hackersploit.org/sitemap.xml
- Used to provide search engines with an organized way of indexing the website.
- List of site pages, categories, author, etc
Broswer add-ons for Web Technology footprinting:
- Wappalyzer - find out the technology stack of the website
whatwebcommand
Download the entire website, for analyzing the source code for example:
sudo apt install httrack
# Open from start menu "WebHTTrack Website Copier", opening up the web instance
Whois lookups are used to identify information regarding a particular domain.
- Date of registration, Owner, Registrar, Owner Email address, etc
WHOISis a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. - Whois - Wikipedia
whoiscommand
- who.is site
- domaintools.com site
Netcraft provides internet security services for a large number of use cases, including cybercrime detection and disruption, application testing and PCI scanning.
- It collates previous information identified with other tools and outputs an easy to read format.
E.g. - Netcraft - Hackersploit.org - check the information needed for the pentest:
- Background
- Network: domain IP address, Nameserver, Domain registrar, IP delegation
- SSL/TLS Certificate: Issuer, Validity, Transparency, vulnerabilities
- Hosting History
- Web Trackers
- Site Technology: Server-Side, Client-Side, Frameworks, etc
🗒️ DNS Recon is used to identify DNS records associated to a domain, like A record, IP address, mail server IP.
dnsrecontool - a Python script that provides the ability to perform NS/DNS Records Enumeration, records lookup, subdomain brute force, etc.
dnsrecon -d hackersploit.org
# It responds with the NameServer addresses (NS)
# A record - IPv4 address of the website
# AAAA record - IPv6 addresses
# MX record - mail server address
# TXT record - domain/site verification or other values (SPF ...)
dnsdumpster.com site
- discover hosts related to a domain
- map the domain in a graph
.pngimage or.xlsxfile.
Web Application Firewall (
WAF) detection withwafw00f.
It does the following:
- Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions.
- If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is.
- If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks.
wafw00f -l
# List all WAFs that it is able to detect
# -a option
wafw00f hackertube.net -a
wafw00f zonetransfer.me -a
- This would be definitely tested within the active information gathering phase with a port scan on the webserver IP address.
To identify the subdomains of a specific domain in a passive way, publicly available resources and databases can be utilized.
sublist3rtool - a Python tool that enumerate subdomains of websites using OSINT (Open-Source Inteligence).
- this example is NOT active enumeration - is is passive (using public available resources)
- it enumerates subdomains using search engines (Google, Yaoo, Bing ...) and other tools (Netcraft, Virustotal, DNSdumpster, ReverseDNS, ThreatCrowd).
sudo apt install sublist3r
sublist3r -d hackersploit.com
sublist3r -d hackersploit.com -e google,yahoo
sublist3r -d hackersploit.com -o hs_sub_enum.txt
# Find hackersploit.com subdomains and save the results to a text file
🗒️ Google Dorking/Hacking can be utilized to identify public information pertinent to a target.
- Search filters for specific subdomains, files, etc using google.com.
- First try to directly search for the specific domain and look for useful information.
site:
- limit all results to the particular domain/site
- shows subdomains for that particular domain
inurl:
- look for specific results within the website title/URL
e.g.-inurl:admin, etc.
site:*.site.com
- show subdomains (indexed by Google) for a particular domain
- usually they are exposed subdomains
- sometimes unintended exposed subdomains
intitle:
- limit the results to subdomains with a specific word in the site title
filetype:
- limit the results to a file type in the URL
- make the search query a bit more specific
intitle:index of
- look for sites with directory listing enabled, searching for index of
- common web servers vulnerability/misconfiguration (against security)
- directory listing allows users to see the content of the directory
cache:
- shows the cached website
- Other Google dorking examples:
inurl:auth_user_file.txtinurl:passwd.txtinurl:wp-config.bak
Google Hacking Database - exploit-db.com
- use it to search for Dorks by Category to find potentially unsecured files
- a digital archive by the Internet Archive
- captures/snapshots web pages over time
- check earlier version of websites
- on older versions of the websites there can be useful sensitive information leaked
theHarvestertool - an open-source Python tool that performs OSINT gathering to help determine a domain's external threat landscape.
- used to enumerate the emails (names, IPs, URLs, subdomains) belonging to a domain target, using publicly available resources and databases.
- check the GitHub repository for more information on the Passive and Active information gathering and Installation.
- In this case the tool is used for Email Harvesting.
# Pre-installed on Kali Linux.
theHarvester -d hackersploit.org
theHarvester -d hackersploit.org -b dnsdumpster,duckduckgo,crtsh
# It finds some subdomains
theHarvester -d zonetransfer.me -b all
- Emails could be used to send phishing email with malicious attachments during an attack.
Email or account passwords can be potentially found and used for a password spray attack = use the discovered passwords and test them for authentication on many other services (not part of Passive info gathering).
- Leaked online password databases can be utilized, usually coming from a site data breach containing the users credentials.
haveibeenpwned.com site by Troy Hunt
- safe, reliable, no signup
- insert the found target email in the site to check for data breaches
- for older emails there is a greater chance of finding data breaches!
🗒️ Check my basic DNS theory notes here.
📌 More in depth explanations about DNS can be found at the Cloudflare Learning Center.
🔬 Training list: Check some PentesterAcademy/INE DNS Network Pentesting Labs (
subscription required)
- Most common types of DNS:
| Record Type | Description |
|---|---|
| A | Holds/Resolves the IPv4 address of a domain/hostname |
| AAAA | Holds/Resolves the IPv6 address of a domain/hostname |
| CNAME | Used for domain aliases, forwards one domain/subdomain to another domain |
| MX | Resolves a domain to a mail server |
| TXT | Used for admin text notes, often used for email security |
| NS | Reference to the domains name server |
| SOA | Stores admin information about a domain (domain authority) |
| HINFO | Host information |
| SRV | Specific services records |
| PTR | Resolves an IP address to a hostname - reverse lookups |
🗒️ Enumerating DNS records for a particular domain is done through a procedure known as DNS Interrogation.
- Probe a DNS server to provide additional records and information (domain IP address, subdomains, mail server addresses, etc)
To obtain more records from a DNS server with regards to a particular domain, DNS Zone Transfers may be useful:
- A zone transfer occurs when a system admin may want to copy or transfer zone files (containing domain records) from one DNS server to another.
- This functionality can be abused by attackers when left misconfigured, to copy the zone file from the primary DNS to another DNS server.
- It can give penetration testers a complete picture of the network architecture of an organization and internal network addresses may be found.
An IP address can be mapped to a local (or external) specific domain name using the /etc/hosts file:
# Before DNS, the O.S. would use the host file for DNS resolution:
sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# IP ADDRESS # Domain NamesE.g.-ZoneTransfer.mecan be utilized for educational purposes
Passive reconnaissance here - using dnsdumpster.com, dnsrecon
[-] DNSSEC is not configured for zonetransfer.me
[*] SOA nsztm1.digi.ninja 81.4.108.41
[*] NS nsztm1.digi.ninja 81.4.108.41
[*] Bind Version for 81.4.108.41 secret"
[*] NS nsztm2.digi.ninja 34.225.33.2
[*] Bind Version for 34.225.33.2 you"
[*] MX ASPMX4.GOOGLEMAIL.COM 142.251.8.27
[*] MX ASPMX5.GOOGLEMAIL.COM 173.194.202.26
[*] MX ALT2.ASPMX.L.GOOGLE.COM 74.125.200.27
[*] MX ASPMX3.GOOGLEMAIL.COM 74.125.200.26
[*] MX ALT1.ASPMX.L.GOOGLE.COM 142.250.150.26
[*] MX ASPMX2.GOOGLEMAIL.COM 142.250.150.27
[*] MX ASPMX.L.GOOGLE.COM 108.177.119.27
[*] MX ASPMX4.GOOGLEMAIL.COM 2404:6800:4008:c15::1b
[*] MX ASPMX5.GOOGLEMAIL.COM 2607:f8b0:400e:c00::1b
[*] MX ALT2.ASPMX.L.GOOGLE.COM 2404:6800:4003:c00::1b
[*] MX ASPMX3.GOOGLEMAIL.COM 2404:6800:4003:c00::1a
[*] MX ALT1.ASPMX.L.GOOGLE.COM 2a00:1450:4010:c1c::1a
[*] MX ASPMX2.GOOGLEMAIL.COM 2a00:1450:4010:c1c::1b
[*] MX ASPMX.L.GOOGLE.COM 2a00:1450:4013:c07::1a
[*] A zonetransfer.me 5.196.105.14
[*] TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[+] SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 5.196.105.14 5060Active reconnaissance
dnsenumtool - a multithread Perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks
- enumerate public DNS records
- perform automatic DNS zone transfer
- perform DNS brute force on subdomains
- The two name server of ZoneTransfer.me are
nsztm1.digi.ninjaandnsztm2.digi.ninja- DNS Zone transfer functionality must be ON on the Name Servers.
- Identify subdomains and internal IP addresses from the Zone Transfer results.
Check comments below
dnsenum zonetransfer.me
dnsenum VERSION:1.2.6
----- zonetransfer.me -----
# PASSIVE RECON
Host s addresses:
__________________
zonetransfer.me. 5 IN A 5.196.105.14
# ^^ Web server IP address ^^
Name Servers:
______________
nsztm2.digi.ninja. 5 IN A 34.225.33.2
nsztm1.digi.ninja. 5 IN A 81.4.108.41
Mail (MX) Servers:
___________________
ALT2.ASPMX.L.GOOGLE.COM. 5 IN A 74.125.200.27
ASPMX4.GOOGLEMAIL.COM. 5 IN A 142.251.8.26
ASPMX.L.GOOGLE.COM. 5 IN A 108.177.119.27
ASPMX2.GOOGLEMAIL.COM. 5 IN A 142.250.150.27
ALT1.ASPMX.L.GOOGLE.COM. 5 IN A 142.250.150.26
ASPMX3.GOOGLEMAIL.COM. 5 IN A 74.125.200.27
ASPMX5.GOOGLEMAIL.COM. 5 IN A 173.194.202.26
# ACTIVE RECON
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for zonetransfer.me on nsztm1.digi.ninja ...
# Provides all the records stored on the NS nsztm1.digi.ninja
# Try to access the interesting ones
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP"
zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI"
_sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me.
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
# Some subdomains (found actively):
asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me.
# If not external, the IP could be an internal DNS Record = Security issue
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT "; ls"
contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes"
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m
DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG"
email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me.
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class"
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - [email protected]. See http://digi.ninja/projects/zonetransferme.php for more information."
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
# ^^ Pay ATTENTION to internal pointing addresses ^^
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT "Robin Wood"
rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me.
sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:[email protected]!" .
sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --"
sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked"
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
# ^^ Try this redirection on a browser. If it fails maybe it is an internal record.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT "'>alert('Boo')"
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
Trying Zone Transfer for zonetransfer.me on nsztm2.digi.ninja ...
[...]
Brute forcing with /usr/share/dnsenum/dns.txt:
# Used primarily to find subdomains
_______________________________________________
office.zonetransfer.me. 5 IN A 4.23.39.254
owa.zonetransfer.me. 5 IN A 207.46.197.32
staging.zonetransfer.me. 5 IN CNAME www.sydneyoperahouse.com.
www.sydneyoperahouse.com. 5 IN CNAME d3gdbrxsb9xhmf.cloudfront.net.
d3gdbrxsb9xhmf.cloudfront.net. 5 IN A 13.224.103.62
d3gdbrxsb9xhmf.cloudfront.net. 5 IN A 13.224.103.26
d3gdbrxsb9xhmf.cloudfront.net. 5 IN A 13.224.103.84
d3gdbrxsb9xhmf.cloudfront.net. 5 IN A 13.224.103.17
vpn.zonetransfer.me. 5 IN A 174.36.59.154
www.zonetransfer.me. 5 IN A 5.196.105.14
zonetransfer.me class C netranges:
___________________________________
4.23.39.0/24
5.196.105.0/24
174.36.59.0/24
207.46.197.0/24
Performing reverse lookup on 1024 ip addresses:
________________________________________________
0 results out of 1024 IP addresses.
zonetransfer.me ip blocks:
___________________________
done.dnsenumcan fail if zone transfer is disabled (e.g. Cloudflare NS)
digtool - query DNS name servers
- AXFR zone transfers are the full DNS zone transfers of all DNS data. The Primary DNS server sends the whole zone file that contains all the DNS records to the Secondary DNS servers. This assures that the secondary DNS server is well synced. It will have all the latest changes that were made to the Master DNS zone.
dig axfr @nsztm1.digi.ninja zonetransfer.me
# axfr is the zone transfer switch
fiercetool - a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains, using DNS primarily
fierce --domain zonetransfer.me
NS: nsztm2.digi.ninja. nsztm1.digi.ninja.
SOA: nsztm1.digi.ninja. (81.4.108.41)
Zone: failure
Wildcard: failure
Found: email.zonetransfer.me. (74.125.206.26)
Nearby:
{'74.125.206.21': 'wk-in-f21.1e100.net.',
[...]
'74.125.206.31': 'wk-in-f31.1e100.net.'}
Found: home.zonetransfer.me. (127.0.0.1)
Found: office.zonetransfer.me. (4.23.39.254)
Found: owa.zonetransfer.me. (207.46.197.32)✍️ "Zone transfers are rare these days, but they give us the keys to the DNS castle." fierce - Geeksforgeeks
nmap- open source security tool for network exploration, security scanning and auditing.
nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS''s DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don''t randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLESE.g.- Discover all the devices on a target network using a ping sweep (ping scan) with Nmap.-snoption - Ping Scan (ping sweep), disable port scan. It finds the responding hosts. -sn consist of:- an ICMP echo request
- a TCP SYN to port 443
- a TCP ACK to port 80
- an ICMP default timestamp
-snmust be run assudo
# Check your network IP subnet
ip -br -c a
lo UNKNOWN 127.0.0.1/8 ::1/128
eth0 DOWN
eth1 UP 192.168.31.128/24 fe80::20c:29ff:fe3a:6a12/64
# Current local subnet network is 192.168.31.0/24
sudo nmap -sn 192.168.31.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-20 15:46 CET
Nmap scan report for 192.168.31.2 # Default Gateway IP
Host is up (0.00021s latency).
MAC Address: 00:50:56:F3:CD:3F (VMware) # MAC Address of the manufacturer
Nmap scan report for 192.168.31.133 # Ubuntu VM IP
Host is up (0.00013s latency).
MAC Address: 00:0C:29:C9:89:DE (VMware)
Nmap scan report for 192.168.31.254 # Vmware DHCP server IP
Host is up (0.00013s latency).
MAC Address: 00:50:56:E7:B4:64 (VMware)
Nmap scan report for 192.168.31.128 # current Kali VM IP
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
# Only 4 devices are up- Copy the found IPs for future references and move on to the port scan phase on each of them.
192.168.31.2
192.168.31.128
192.168.31.133
192.168.31.254
netdiscover- an active/passive ARP discovering tool
- it utilizes ARP requests
netdiscover -h
Netdiscover 0.10 [Active/passive ARP reconnaissance tool]
Written by: Jaime Penalba <[email protected]>
Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-m file: scan a list of known MACs and host names
-F filter: customize pcap filter expression (default: "arp")
-s time: time to sleep between each ARP request (milliseconds)
-c count: number of times to send each ARP request (for nets with packet loss)
-n node: last source IP octet used for scanning (from 2 to 253)
-d ignore home config files for autoscan and fast mode
-f enable fastmode scan, saves a lot of time, recommended for auto
-P print results in a format suitable for parsing by another program and stop after active scan
-L similar to -P but continue listening after the active scan is completed
-N Do not print header. Only valid when -P or -L is enabled.
-S enable sleep time suppression between each request (hardcore mode)
If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.
🔬 Training list: PentesterAcademy Windows Recon - Host Discovery (
subscription required)
Use nmap to identify open ports and the respective running services on a target system.
- Enumerate as much information as possible
E.g.- perform post scanning on TCP and UDP ports, using a few techniques
# Default nmap scan on 1000 most commonly used TCP ports
nmap <TARGET_IP>- Windows systems will typically block ICMP ping probes, resulting in a "host down" response from the
nmapcommand.
-Pnoption - skip host discovery (skipping)
nmap -Pn <TARGET_IP># Nmap scan report:
Not shown: 993 filtered ports
PORT STATE SERVICE
80/tcp open http # Webserver
135/tcp open msrpc
139/tcp open netbios-ssn # SMB
445/tcp open microsoft-ds # SMB
3389/tcp open ms-wbt-server # RDP
# ^^ Windows O.S. recognizable ports/services
49154/tcp open unknown
49155/tcp open unknown
- Try to access the webserver with a browser:
-p-- Scan the entire range of TCP ports (65535 ports)
- the scan will take longer
nmap -Pn -p- <TARGET_IP>
-p <PORTS_LIST>- Scan a specific or more TCP ports:
- if a port state is filtered it means the port is blocked by a firewall or closed
# Port 80 only scan
nmap -Pn -p 80 <TARGET_IP>
# Custom list of ports scan
nmap -Pn -p 80,445,3389 <TARGET_IP>
# Custom ports range scan
nmap -Pn -p1-2000 <TARGET_IP>
# Filtered/blocked/closed port
nmap -Pn -p 8080 <TARGET_IP>
PORT STATE SERVICE
8080/tcp filtered http-proxy
-F- fast mode, scan 100 of the most commonly used ports-v- increase verbosity, see background scanning info
nmap -Pn -F <TARGET_IP> -v# Nmap fast scan verbose report:
Starting Nmap 7.70 ( https://nmap.org ) at 2023-01-20 22:44 IST
Initiating Parallel DNS resolution of 1 host. at 22:44
Completed Parallel DNS resolution of 1 host. at 22:44, 0.00s elapsed
Initiating SYN Stealth Scan at 22:44
Scanning 10.4.24.170 [100 ports]
Discovered open port 139/tcp on 10.4.24.170
Discovered open port 445/tcp on 10.4.24.170
Discovered open port 135/tcp on 10.4.24.170
Discovered open port 80/tcp on 10.4.24.170
Discovered open port 3389/tcp on 10.4.24.170
Discovered open port 49155/tcp on 10.4.24.170
Discovered open port 49154/tcp on 10.4.24.170
Completed SYN Stealth Scan at 22:44, 1.69s elapsed (100 total ports)
Nmap scan report for 10.4.24.170
Host is up (0.0090s latency).
Not shown: 93 filtered ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49154/tcp open unknown
49155/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds
Raw packets sent: 193 (8.492KB) | Rcvd: 7 (308B)
-sU- UDP scan
- always try to do a UDP port scan (DNS service, etc). Default
nmapscan performs only TCP scans.
nmap -Pn -sU <TARGET_IP>
-sV- probe open ports to determine service/version info
nmap -Pn -F -sV <TARGET_IP># Nmap fast and services scan report:
Not shown: 93 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
-O- Operating System detection, based on the open ports and running services
- sometimes is not accurate
- a penetration tester can start to identify specific O.S. version vulnerabilities and exploits
sudo nmap -Pn -F -sV -O <TARGET_IP>Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows Server 2012
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
-sC- defaultnmapscript scan
- under each service,
nmapwill run a series of scripts based on the service
nmap -Pn -F -sV -O -sC <TARGET_IP>PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
# Webserver scripts
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=http-server
| Issuer: commonName=http-server
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-19T16:57:55
| Not valid after: 2023-07-21T16:57:55
| MD5: cbb9 8b92 dda3 30f7 bd3d 1ac3 56c4 dc23
|_SHA-1: 2d00 389f 6f30 e78a fdd1 010c b94e 7f85 92b3 4802
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows Server 2012
Uptime guess: 0.022 days (since Fri Jan 20 22:27:42 2023)
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
# SMB scripts
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-01-20 22:58:03
|_ start_date: 2023-01-20 22:27:50
NSE: Script Post-scanning.
Initiating NSE at 22:58
Completed NSE at 22:58, 0.00s elapsed
Initiating NSE at 22:58
Completed NSE at 22:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.19 seconds
Raw packets sent: 236 (12.952KB) | Rcvd: 14 (716B)
-A- Aggressive scan: OS detection, version detection, script scanning (-sV+-O+-sC)
nmap -Pn -F -A <TARGET_IP>
-T#-nmapTiming templates - optimize and speed up scanning (higher is faster)
-T0- paranoid (possible IDS evasion, slow)-T1- sneaky (possible IDS evasion, slow)-T2- polite (less bandwidth and target machine resources, slow)-T3- normal (default scan)-T4- aggressive (reasonably fast, modern and reliable network)-T5- insane (extraordinarily fast network)- the lower the number the slower the scan
nmap -Pn -F -T5 -sV -O -sC <TARGET_IP> -v
-oN- output the report into three main formats
# Output the scan results, as displayed into the terminal, into a file
nmap -Pn -F <TARGET_IP> -oN outputfile.txt# Output the scan results into an XML file
nmap -Pn -F <TARGET_IP> -oX outputfile.xml