Skip to content

Latest commit

 

History

History
123 lines (86 loc) · 3.52 KB

information-gathering.md

File metadata and controls

123 lines (86 loc) · 3.52 KB
Raw

Information Gathering

Whois

It is a protocol used for querying databases that store an Internet resource's registered users or assignees

whois example.com

DNS Enumeration

Manual

dig +short a zonetransfer.me      # List of ipv4 address
dig +short mx zonetransfer.me     # List of email servers
dig +short -x 192.246.126.3       # Reverse lookups
dig +short ns zonetransfer.me     # List of DNS servers for the domain
dig axfr zonetransfer.me @nsztm1.digi.ninja. # Get a copy of the zone from the primary server. (zone transfer attack)

{% hint style="info" %} Note: AXFR offers no authentication, so any client can ask a DNS server for a copy of the entire zone. {% endhint %}

Automatic

  • dnsdumpster.com
  • dnsrecon (tool)

Subdomain enumeration

sublist3r: enumerates subdomains using search engines such as Google and using DNSdumpster etc. It support also bruteforce

sublist3r -d example.com

All in one

  • amass: network mapping and external asset discovery using open source information gathering and active reconnaissance techniques
  • sitereport.netcraft.com: gives a lot of information about a domain
  • theHarvester: gathers names, emails, IPs, subdomains, and URLs by using multiple public resources
theHarvester -d example.com -b google,linkedin,dnsdumpster,duckduckgo

Host Discovery (nmap)

-sn option

The default host discovery done with -sn consists of an ICMP echo request. But when a privileged user tries to scan targets on a local ethernet network, ARP requests are used.

nmap -sn 192.168.1.0/24

-PS option

nmap -sn -PS 192.168.1.5

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80.

{% hint style="info" %} Note: you should also use other ports to better detect hosts.

nmap -sn -PS22-25 192.168.1.5 {% endhint %}

Other options

  • -PA (ACK flag is set instead of the SYN flag). Default port: 80
  • -PU (sends a UDP packet). Default port: 40125
  • -PY (sends an SCTP packet). Default port: 80

Port Scanning (nmap)

Use nmap documentation to understand the differences between port scans

nmap -p- 192.168.1.5          # Scan all TCP ports
nmap -sU --top-ports 25 <ip>  # Suggestion for udp scan

Script engine: For more info read nmap documentation

  • --script <filename>|<category>|<directory>|<expression>
  • -sC Runs a script scan using the default script set. It is the equivalent of --script=default
nmap --script "default or safe" # Load all scripts that are in the default, safe, or both categories.

{% hint style="info" %} Note: there are many categories. Some of the scripts in this category are considered intrusive and may not run on a network target without permissions. {% endhint %}

Website Recon

  • Web App Technology Fingerprinting
    • wappalyzer (extension)
    • builtwith (extension)
    • whatweb example.com
  • Look for hidden directory/files:
    • http://example.com/robots.txt
    • http://example.com/sitemap.xml
  • WAF Detection
    • wafw00f http://example.com -a
  • Download website source
    • httrack
  • Google Dorks
    • site,filetype,inurl,intitle,cache
    • exploit-db.com/google-hacking-database
  • waybackmachine
    • web.archive.org