LFFInformationGathering.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <script type="text/javascript">

      var _gaq = _gaq || [];
      _gaq.push(['_setAccount', 'UA-92365403-1']);
      _gaq.push(['_trackPageview']);

      (function() {
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
      })();
    </script>
    <title>Learning from the field : Reconnaissance - Information Gathering &#8212; tech.bitvijays.com</title>
    
    <link rel="stylesheet" href="_static/sphinxdoc.css" type="text/css" />
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    './',
        VERSION:     '0.1',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="_static/jquery.js"></script>
    <script type="text/javascript" src="_static/underscore.js"></script>
    <script type="text/javascript" src="_static/doctools.js"></script>
    <link rel="search" title="Search" href="search.html" />
    <link rel="top" title="tech.bitvijays.com" href="index.html" />
    <link rel="next" title="Learning from the field : Wireless Pentesting" href="LFFWirelessPentesting.html" />
    <link rel="prev" title="Learning from the field : Enumeration - Basic Network Hygiene" href="LFFBasicNetworkHygiene.html" /> 
  </head>
  <body role="document">
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="LFFWirelessPentesting.html" title="Learning from the field : Wireless Pentesting"
             accesskey="N">next</a></li>
        <li class="right" >
          <a href="LFFBasicNetworkHygiene.html" title="Learning from the field : Enumeration - Basic Network Hygiene"
             accesskey="P">previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> &#187;</li> 
      </ul>
    </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Learning from the field : Reconnaissance - Information Gathering</a><ul>
<li><a class="reference internal" href="#passive-fingerprinting">Passive Fingerprinting:</a><ul>
<li><a class="reference internal" href="#whois">Whois</a></li>
<li><a class="reference internal" href="#asn-number">ASN Number</a></li>
<li><a class="reference internal" href="#enumeration-with-domain-name-e-g-example-com-using-external-websites">Enumeration with Domain Name (e.g example.com) using external websites</a><ul>
<li><a class="reference internal" href="#dns-dumpster-api">DNS Dumpster API</a></li>
<li><a class="reference internal" href="#recon-ng">Recon-ng</a></li>
<li><a class="reference internal" href="#the-harvester">The Harvester</a></li>
<li><a class="reference internal" href="#google-search-operators">Google search operators</a></li>
<li><a class="reference internal" href="#publicly-available-scans-of-ip-addresses">Publicly available scans of IP Addresses</a></li>
</ul>
</li>
<li><a class="reference internal" href="#reverse-dns-lookup-using-external-websites">Reverse DNS Lookup using External Websites</a></li>
</ul>
</li>
<li><a class="reference internal" href="#active-fingerprinting">Active Fingerprinting</a><ul>
<li><a class="reference internal" href="#finding-dns-mx-aaaa-a-using">Finding DNS, MX, AAAA, A using</a><ul>
<li><a class="reference internal" href="#host">host</a></li>
<li><a class="reference internal" href="#nslookup">nslookup</a></li>
</ul>
</li>
<li><a class="reference internal" href="#dns-zone-transfer-using">DNS Zone Transfer: Using</a><ul>
<li><a class="reference internal" href="#id1">host</a></li>
<li><a class="reference internal" href="#dig">Dig</a></li>
<li><a class="reference internal" href="#dnsrecon">dnsrecon</a></li>
<li><a class="reference internal" href="#dnsenum">DNSEnum</a></li>
<li><a class="reference internal" href="#srv-records">SRV Records</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference internal" href="#internal-infrastructure-mapping">Internal Infrastructure Mapping</a><ul>
<li><a class="reference internal" href="#internal-range-identification">Internal range identification</a><ul>
<li><a class="reference internal" href="#dns-enumeration">DNS Enumeration</a></li>
<li><a class="reference internal" href="#internal-portal-links">Internal Portal Links</a></li>
<li><a class="reference internal" href="#reverse-dns-lookup">Reverse DNS Lookup</a></li>
</ul>
</li>
<li><a class="reference internal" href="#identifying-alive-ip-addresses">Identifying Alive IP Addresses</a></li>
<li><a class="reference internal" href="#port-scanning">Port Scanning</a><ul>
<li><a class="reference internal" href="#identifying-service-versions">Identifying service versions</a></li>
<li><a class="reference internal" href="#performance">Performance</a></li>
<li><a class="reference internal" href="#nmap-scripts">Nmap Scripts</a></li>
<li><a class="reference internal" href="#output-options">Output Options</a></li>
</ul>
</li>
<li><a class="reference internal" href="#exploring-the-network-further">Exploring the Network Further</a><ul>
<li><a class="reference internal" href="#gathering-screenshots-for-http-services">Gathering Screenshots for http* services</a></li>
<li><a class="reference internal" href="#information-gathering-for-http-services">Information Gathering for http* Services</a></li>
<li><a class="reference internal" href="#netbios-service">NetBIOS Service</a></li>
<li><a class="reference internal" href="#nbtscan">NBTSCAN</a></li>
<li><a class="reference internal" href="#enum4linux">enum4linux</a></li>
<li><a class="reference internal" href="#snmp-enumeration">SNMP Enumeration</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="LFFBasicNetworkHygiene.html"
                        title="previous chapter">Learning from the field : Enumeration - Basic Network Hygiene</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="LFFWirelessPentesting.html"
                        title="next chapter">Learning from the field : Wireless Pentesting</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="_sources/LFFInformationGathering.txt"
           rel="nofollow">Show Source</a></li>
    <li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/blob/master/docs/LFFInformationGathering.rst"
           rel="nofollow">Show on GitHub</a></li>
    <li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/edit/master/docs/LFFInformationGathering.rst"
           rel="nofollow">Edit on GitHub</a></li>
  </ul>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <form class="search" action="search.html" method="get">
      <div><input type="text" name="q" /></div>
      <div><input type="submit" value="Go" /></div>
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="learning-from-the-field-reconnaissance-information-gathering">
<h1>Learning from the field : Reconnaissance - Information Gathering<a class="headerlink" href="#learning-from-the-field-reconnaissance-information-gathering" title="Permalink to this headline">¶</a></h1>
<p>This post (always Work in Progress) would list the technical steps which might be important while doing the information gathering of an organization and we only know the company name or it’s domain name such as example.com.</p>
<p><strong>Thanks to Vulnhub-ctf team, bonsaiviking, recrudesce, Rajesh and Tanoy</strong></p>
<p>Suppose, we have to do a external/ internal pentest of a big organization with DMZ, Data centers, Telecom network etc. We can either do <strong>Passive fingerprinting</strong> (method to learn more about the enemy, without them knowing it ) or <strong>Active fingerprinting</strong> ( process of transmitting packets to a remote host and analysing corresponding replies ). <strong>Passive fingerprinting</strong> and <strong>Active fingerprinting</strong> can be done by using various methods such as</p>
<table border="1" class="docutils">
<colgroup>
<col width="62%" />
<col width="38%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Passive Fingerprinting</th>
<th class="head">Active Fingerprintering</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td><ul class="first last simple">
<li>whois</li>
</ul>
</td>
<td><ul class="first last simple">
<li>Finding DNS, MX, AAAA, A</li>
</ul>
</td>
</tr>
<tr class="row-odd"><td><ul class="first last simple">
<li>ASN Number</li>
</ul>
</td>
<td><ul class="first last simple">
<li>DNS Zone Transfer</li>
</ul>
</td>
</tr>
<tr class="row-even"><td><ul class="first last simple">
<li>Enumeration with Domain Name</li>
</ul>
</td>
<td><ul class="first last simple">
<li>SRV Records</li>
</ul>
</td>
</tr>
<tr class="row-odd"><td><ul class="first last simple">
<li>Publicly available scans of IP Addresses</li>
</ul>
</td>
<td><ul class="first last simple">
<li>Port Scanning</li>
</ul>
</td>
</tr>
<tr class="row-even"><td><ul class="first last simple">
<li>Reverse DNS Lookup using External Websites</li>
</ul>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
<div class="section" id="passive-fingerprinting">
<h2>Passive Fingerprinting:<a class="headerlink" href="#passive-fingerprinting" title="Permalink to this headline">¶</a></h2>
<div class="section" id="whois">
<h3>Whois<a class="headerlink" href="#whois" title="Permalink to this headline">¶</a></h3>
<p>Whois provide information about the registered users or assignees of an Internet resource, such as Domain name, an IP address block, or an autonomous system.</p>
<p>whois command acts differently for ip address and domain name.</p>
<ul class="simple">
<li>In Domain name it just provides registrar name etc.</li>
<li>In IP address it provides the net-block ASN Number etc.</li>
</ul>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">whois</span> <span class="o">&lt;</span><span class="n">Domain</span> <span class="n">Name</span><span class="o">/</span> <span class="n">IP</span> <span class="n">Address</span><span class="o">&gt;</span>
<span class="o">-</span><span class="n">H</span> <span class="n">Do</span> <span class="ow">not</span> <span class="n">display</span> <span class="n">the</span> <span class="n">legal</span> <span class="n">disclaimers</span> <span class="n">some</span> <span class="n">registries</span> <span class="n">like</span> <span class="n">to</span> <span class="n">show</span> <span class="n">you</span><span class="o">.</span>
</pre></div>
</div>
<p>Googling for</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="s2">&quot;Registrant Organization&quot;</span> <span class="n">inurl</span><span class="p">:</span> <span class="n">domaintools</span>
</pre></div>
</div>
<p>also helps for to search for new domains registered by the same organization. &#8220;Registrant Organization&#8221; is present in the output of whois. This technique was used by person who compromised FinFisher in the <a class="reference external" href="http://pastebin.com/raw/cRYvK4jb">writeup</a>.</p>
</div>
<div class="section" id="asn-number">
<h3>ASN Number<a class="headerlink" href="#asn-number" title="Permalink to this headline">¶</a></h3>
<p>We could find AS Number that participates in Border Gateway Protocol (BGP) used by particular organization which could further inform about the IP address ranges used by the organization.ASN Number and information could be found by using Team CMRU whois service</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">whois</span> <span class="o">-</span><span class="n">h</span> <span class="n">whois</span><span class="o">.</span><span class="n">cymru</span><span class="o">.</span><span class="n">com</span> <span class="s2">&quot; -v 216.90.108.31&quot;</span>                         <span class="o">|</span>
</pre></div>
</div>
<p>If you want to do bulk queries refer &#64;`IP-ASN-Mapping-Team-CYMRU &lt;<a class="reference external" href="http://www.team-cymru.org/IP-ASN-mapping.html">http://www.team-cymru.org/IP-ASN-mapping.html</a>&gt;`__</p>
<p>Hurricane Electric Internet Services also provide a website <a class="reference external" href="http://bgp.he.net">BGPToolkit</a> which provides your IP Address ASN or search function by Name, IP address etc. It also provides AS Peers which might help in gathering more information about the company in terms of it&#8217;s neighbors.</p>
<div class="admonition-todo admonition" id="index-0">
<p class="first admonition-title">Todo</p>
<p class="last">Commandline checking of subnet and making whois query efficient.</p>
</div>
</div>
<div class="section" id="enumeration-with-domain-name-e-g-example-com-using-external-websites">
<h3>Enumeration with Domain Name (e.g example.com) using external websites<a class="headerlink" href="#enumeration-with-domain-name-e-g-example-com-using-external-websites" title="Permalink to this headline">¶</a></h3>
<p>If you have domain name you could use</p>
<div class="section" id="dns-dumpster-api">
<h4>DNS Dumpster API<a class="headerlink" href="#dns-dumpster-api" title="Permalink to this headline">¶</a></h4>
<p>We can utilize DNS Dumpster API to know the various sub-domain related to that domain.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>#Script connects to the API and convert the required output to a CSV ready format.
#!/bin/bash
#$1 is the first argument to script
curl -s http://api.hackertarget.com/hostsearch/?q=$1 &gt; hostsearch
cat hostsearch | awk -F , &#39;{print &quot;\&quot;&quot;$1&quot;\&quot;&quot;&quot;,&quot;&quot;\&quot;&quot;$2&quot;\&quot;&quot;}&#39; &gt; temp.csv
</pre></div>
</div>
<p>and the various dns queries by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span>#Script connects to the API and greps only the Name Servers.
#!/bin/bash
#$1 is the first argument to the script
curl -s http://api.hackertarget.com/dnslookup/?q=$1 &gt; dnslookup
cat dnslookup | grep -v RRSIG | grep -v DNSKEY | grep -v SOA | grep NS &gt; temp
cat -T temp &gt; temp2
cat temp2 | cut -d &quot;I&quot; -f7 | rev | cut -c 2- | rev
#rm temp temp2
</pre></div>
</div>
</div>
<div class="section" id="recon-ng">
<h4>Recon-ng<a class="headerlink" href="#recon-ng" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li>use recon/domains-hosts/bing_domain_web : Harvests hosts from Bing.com by using the site search operator.</li>
<li>use recon/domains-hosts/google_site_web : Harvests hosts from google.com by using the site search operator.</li>
<li>use recon/domains-hosts/brute_hosts : Brute forces host names using DNS.</li>
<li>use recon/hosts-hosts/resolve : Resolves the IP address for a host.</li>
<li>use reporting/csv : Creates a CSV file containing the specified harvested data.</li>
</ul>
<p>Jason Haddix has created a dynamic resource script for sub-domain discovery which is available <a class="reference external" href="https://github.com/jhaddix/domain">here</a>. Simply put the domain name and it runs the necessary modules, creates a new workspace and save the report.</p>
<div class="admonition-todo admonition" id="index-1">
<p class="first admonition-title">Todo</p>
<p class="last">Check API option too, why google_site_web is failing, add a module to add ASN Info and Location Info too.</p>
</div>
</div>
<div class="section" id="the-harvester">
<h4>The Harvester<a class="headerlink" href="#the-harvester" title="Permalink to this headline">¶</a></h4>
<p>The harvester provides a email address, virtual hosts, different domains, shodan results for the domain. Provides really good results, especially if you combine with shodan results as it may provide server versions and what&#8217;s OS is running on the IP address.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Usage</span><span class="p">:</span> <span class="n">theharvester</span> <span class="n">options</span>
   <span class="o">-</span><span class="n">d</span><span class="p">:</span> <span class="n">Domain</span> <span class="n">to</span> <span class="n">search</span> <span class="ow">or</span> <span class="n">company</span> <span class="n">name</span>
   <span class="o">-</span><span class="n">b</span><span class="p">:</span> <span class="n">data</span> <span class="n">source</span><span class="p">:</span> <span class="n">google</span><span class="p">,</span> <span class="n">googleCSE</span><span class="p">,</span> <span class="n">bing</span><span class="p">,</span> <span class="n">bingapi</span><span class="p">,</span> <span class="n">pgp</span>
                    <span class="n">linkedin</span><span class="p">,</span> <span class="n">google</span><span class="o">-</span><span class="n">profiles</span><span class="p">,</span> <span class="n">people123</span><span class="p">,</span> <span class="n">jigsaw</span><span class="p">,</span>
                    <span class="n">twitter</span><span class="p">,</span> <span class="n">googleplus</span><span class="p">,</span> <span class="nb">all</span>
   <span class="o">-</span><span class="n">v</span><span class="p">:</span> <span class="n">Verify</span> <span class="n">host</span> <span class="n">name</span> <span class="n">via</span> <span class="n">dns</span> <span class="n">resolution</span> <span class="ow">and</span> <span class="n">search</span> <span class="k">for</span> <span class="n">virtual</span> <span class="n">hosts</span>                              <span class="o">|</span>
   <span class="o">-</span><span class="n">f</span><span class="p">:</span> <span class="n">Save</span> <span class="n">the</span> <span class="n">results</span> <span class="n">into</span> <span class="n">an</span> <span class="n">HTML</span> <span class="ow">and</span> <span class="n">XML</span> <span class="n">file</span>
   <span class="o">-</span><span class="n">c</span><span class="p">:</span> <span class="n">Perform</span> <span class="n">a</span> <span class="n">DNS</span> <span class="n">brute</span> <span class="n">force</span> <span class="k">for</span> <span class="n">the</span> <span class="n">domain</span> <span class="n">name</span>
   <span class="o">-</span><span class="n">t</span><span class="p">:</span> <span class="n">Perform</span> <span class="n">a</span> <span class="n">DNS</span> <span class="n">TLD</span> <span class="n">expansion</span> <span class="n">discovery</span>
   <span class="o">-</span><span class="n">e</span><span class="p">:</span> <span class="n">Use</span> <span class="n">this</span> <span class="n">DNS</span> <span class="n">server</span>
   <span class="o">-</span><span class="n">h</span><span class="p">:</span> <span class="n">use</span> <span class="n">SHODAN</span> <span class="n">database</span> <span class="n">to</span> <span class="n">query</span> <span class="n">discovered</span> <span class="n">hosts</span>             <span class="o">|</span>
</pre></div>
</div>
<div class="admonition-todo admonition" id="index-2">
<p class="first admonition-title">Todo</p>
<p class="last">Combine these results with recon-ng and DNS Dumpsters and create one csv with all results.</p>
</div>
</div>
<div class="section" id="google-search-operators">
<h4>Google search operators<a class="headerlink" href="#google-search-operators" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li><strong>site</strong>: Get results from certain sites or domains.</li>
<li><strong>filetype:suffix</strong>: Limits results to pages whose names end in suffix. The suffix is anything following the last period in the file name of the web page. For example: filetype:pdf</li>
<li><strong>allinurl/inurl</strong>: Restricts results to those containing all the query terms you specify in the URL. For example, [ allinurl: google faq ] will return only documents that contain the words “google” and “faq” in the URL, such as “www.google.com/help/faq.html”.</li>
<li><strong>allintitle/intitle</strong>:Restricts results to those containing all the query terms you specify in the title.</li>
</ul>
<p>Three good places to refer are <a class="reference external" href="https://support.google.com/websearch/answer/2466433">Search Operators</a>, <a class="reference external" href="https://sites.google.com/site/gwebsearcheducation/advanced-operators">Advanced Operators</a> and <a class="reference external" href="https://www.exploit-db.com/google-hacking-database/">Google Hacking Database</a>.</p>
<p>Another two important tools are</p>
<ul class="simple">
<li><a class="reference external" href="http://www.mcafee.com/in/downloads/free-tools/sitedigger.aspx">Mcafee Site Digger</a> which searches Google’s cache to look for vulnerabilities, errors, configuration issues,proprietary information, and interesting security nuggets on web sites.</li>
<li><a class="reference external" href="http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/">SearchDiggityv3</a> It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing, LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.</li>
</ul>
</div>
<div class="section" id="publicly-available-scans-of-ip-addresses">
<h4>Publicly available scans of IP Addresses<a class="headerlink" href="#publicly-available-scans-of-ip-addresses" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li><a class="reference external" href="https://exfiltrated.com/">Exfiltrated</a>  It provides the scans from the 2012 Internet Census. It would provide the IP address and the port number running at the time of scan in the year 2012.</li>
<li><a class="reference external" href="https://www.shodan.io/">Shodan</a>: Shodan provides the same results may be with recent scans. You need to be logined. Shodan CLI is available at <a class="reference external" href="https://cli.shodan.io/">Shodan Command-Line Interface</a></li>
</ul>
<p>Shodan Queries</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">title</span>   <span class="p">:</span> <span class="n">Search</span> <span class="n">the</span> <span class="n">content</span> <span class="n">scraped</span> <span class="kn">from</span> <span class="nn">the</span> <span class="n">HTML</span> <span class="n">tag</span>
<span class="n">html</span>    <span class="p">:</span> <span class="n">Search</span> <span class="n">the</span> <span class="n">full</span> <span class="n">HTML</span> <span class="n">content</span> <span class="n">of</span> <span class="n">the</span> <span class="n">returned</span> <span class="n">page</span>
<span class="n">product</span> <span class="p">:</span> <span class="n">Search</span> <span class="n">the</span> <span class="n">name</span> <span class="n">of</span> <span class="n">the</span> <span class="n">software</span> <span class="ow">or</span> <span class="n">product</span> <span class="n">identified</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">banner</span>
<span class="n">net</span>     <span class="p">:</span> <span class="n">Search</span> <span class="n">a</span> <span class="n">given</span> <span class="n">netblock</span> <span class="p">(</span><span class="n">example</span><span class="p">:</span> <span class="mf">204.51</span><span class="o">.</span><span class="mf">94.79</span><span class="o">/</span><span class="mi">18</span><span class="p">)</span>
<span class="n">version</span> <span class="p">:</span> <span class="n">Search</span> <span class="n">the</span> <span class="n">version</span> <span class="n">of</span> <span class="n">the</span> <span class="n">product</span>
<span class="n">port</span>    <span class="p">:</span> <span class="n">Search</span> <span class="k">for</span> <span class="n">a</span> <span class="n">specific</span> <span class="n">port</span> <span class="ow">or</span> <span class="n">ports</span>
<span class="n">os</span>      <span class="p">:</span> <span class="n">Search</span> <span class="k">for</span> <span class="n">a</span> <span class="n">specific</span> <span class="n">operating</span> <span class="n">system</span> <span class="n">name</span>
<span class="n">country</span> <span class="p">:</span> <span class="n">Search</span> <span class="k">for</span> <span class="n">results</span> <span class="ow">in</span> <span class="n">a</span> <span class="n">given</span> <span class="n">country</span> <span class="p">(</span><span class="mi">2</span><span class="o">-</span><span class="n">letter</span> <span class="n">code</span><span class="p">)</span>
<span class="n">city</span>    <span class="p">:</span> <span class="n">Search</span> <span class="k">for</span> <span class="n">results</span> <span class="ow">in</span> <span class="n">a</span> <span class="n">given</span> <span class="n">city</span>
</pre></div>
</div>
<div class="admonition-todo admonition" id="index-3">
<p class="first admonition-title">Todo</p>
<p class="last">Learn how to access Shodan with API</p>
</div>
<ul class="simple">
<li><a class="reference external" href="http://www.netmux.com/">Netmux</a>: NETMUX is the all-source information hub about every IP address, device, IOT, or domain on the internet. All with a single query.</li>
<li><a class="reference external" href="https://censys.io/">Censys</a>: Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet.Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed. A good feature is the Query metadata which tells the number of Http,https and other protocols found in the IP network range.</li>
</ul>
<p>Censys.io queries</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">ip</span><span class="p">:</span><span class="mf">192.168</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">24</span> <span class="o">--</span> <span class="n">CIDR</span> <span class="n">notation</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="reverse-dns-lookup-using-external-websites">
<h3>Reverse DNS Lookup using External Websites<a class="headerlink" href="#reverse-dns-lookup-using-external-websites" title="Permalink to this headline">¶</a></h3>
<p>Even after doing the above, sometimes we miss few of the domain name. Example: Recently, In  one of our engagement, the domain name was example.com and the asn netblock was 192.168.0.0/24. We did recon-ng, theharvester, DNS reverse-lookup via nmap. Still, we missed few of the websites hosted on same netblock but with different domain such as exam.in. We can find such entries by using ReverseIP lookup by</p>
<ul class="simple">
<li><a class="reference external" href="http://reverseip.domaintools.com">Reverse IP Lookup by Domaintools</a>: Domain name search tool that allows a wildcard search, monitoring of WHOIS record changes and history caching, as well as Reverse IP queries.</li>
<li><a class="reference external" href="https://www.passivetotal.org/">Passive Total</a> : A threat-analysis platform created for analysts, by analysts.</li>
<li><a class="reference external" href="http://serversniff.net.ipaddress.com/">Server Sniff</a> : A website providing IP Lookup,Reverse IP services.</li>
<li><a class="reference external" href="https://www.robtex.com/">Robtex</a> : Robtex is one of the world&#8217;s largest network tools. At robtex.com, you will find everything you need to know about domains, DNS, IP, Routes, Autonomous Systems, etc. There&#8217;s a nmap nse <a class="reference external" href="https://nmap.org/nsedoc/scripts/http-robtex-reverse-ip.html">http-robtex-reverse-ip</a> which can be used to find the domain/website hosted on that ip.</li>
</ul>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">--</span><span class="n">script</span> <span class="n">http</span><span class="o">-</span><span class="n">robtex</span><span class="o">-</span><span class="n">reverse</span><span class="o">-</span><span class="n">ip</span> <span class="o">--</span><span class="n">script</span><span class="o">-</span><span class="n">args</span> <span class="n">http</span><span class="o">-</span><span class="n">robtex</span><span class="o">-</span><span class="n">reverse</span><span class="o">-</span><span class="n">ip</span><span class="o">.</span><span class="n">host</span><span class="o">=</span><span class="s1">&#39;XX.XX.78.214&#39;</span>
<span class="n">Starting</span> <span class="n">Nmap</span> <span class="mf">7.01</span> <span class="p">(</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">nmap</span><span class="o">.</span><span class="n">org</span> <span class="p">)</span> <span class="n">at</span> <span class="mi">2016</span><span class="o">-</span><span class="mi">04</span><span class="o">-</span><span class="mi">20</span> <span class="mi">21</span><span class="p">:</span><span class="mi">39</span> <span class="n">IST</span>
<span class="n">Pre</span><span class="o">-</span><span class="n">scan</span> <span class="n">script</span> <span class="n">results</span><span class="p">:</span>
<span class="o">|</span> <span class="n">http</span><span class="o">-</span><span class="n">robtex</span><span class="o">-</span><span class="n">reverse</span><span class="o">-</span><span class="n">ip</span><span class="p">:</span>
<span class="o">|</span>   <span class="n">xxxxxxindian</span><span class="o">.</span><span class="n">com</span>
<span class="o">|</span><span class="n">_</span>  <span class="n">www</span><span class="o">.</span><span class="n">xxxxxindian</span><span class="o">.</span><span class="n">com</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="active-fingerprinting">
<h2>Active Fingerprinting<a class="headerlink" href="#active-fingerprinting" title="Permalink to this headline">¶</a></h2>
<p>Most probably by now we have gathered all the public available information without interacting with client infrastructure. Next, we can use <strong>DNS enumeration</strong> to  gather more information about the client. The below information could gather externally as well as internally. However, amount of information gathered from internal network would definitely be more than when done externally.</p>
<div class="section" id="finding-dns-mx-aaaa-a-using">
<h3>Finding DNS, MX, AAAA, A using<a class="headerlink" href="#finding-dns-mx-aaaa-a-using" title="Permalink to this headline">¶</a></h3>
<div class="section" id="host">
<h4>host<a class="headerlink" href="#host" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">host</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">optional_name_server</span><span class="o">&gt;</span>
<span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">ns</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>           <span class="o">--</span> <span class="n">Name</span> <span class="n">Servers</span>
<span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">a</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>            <span class="o">--</span> <span class="n">Address</span>
<span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">aaaa</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>         <span class="o">--</span> <span class="n">AAAA</span> <span class="n">record</span> <span class="n">points</span> <span class="n">a</span> <span class="n">domain</span> <span class="ow">or</span> <span class="n">subdomain</span> <span class="n">to</span> <span class="n">an</span> <span class="n">IPv6</span> <span class="n">address</span>
<span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">mx</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>           <span class="o">--</span> <span class="n">Mail</span> <span class="n">Servers</span>
<span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">soa</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>          <span class="o">--</span> <span class="n">Start</span> <span class="n">of</span> <span class="n">Authority</span>
<span class="n">host</span> <span class="o">&lt;</span><span class="n">IP</span><span class="o">&gt;</span>                     <span class="o">--</span> <span class="n">Reverse</span> <span class="n">Lookup</span>
</pre></div>
</div>
<p>Example:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">host</span> <span class="o">-</span><span class="n">t</span> <span class="n">ns</span> <span class="n">zonetransfer</span><span class="o">.</span><span class="n">me</span>
<span class="n">zonetransfer</span><span class="o">.</span><span class="n">me</span> <span class="n">name</span> <span class="n">server</span> <span class="n">nsztm1</span><span class="o">.</span><span class="n">digi</span><span class="o">.</span><span class="n">ninja</span><span class="o">.</span>
<span class="n">zonetransfer</span><span class="o">.</span><span class="n">me</span> <span class="n">name</span> <span class="n">server</span> <span class="n">nsztm2</span><span class="o">.</span><span class="n">digi</span><span class="o">.</span><span class="n">ninja</span><span class="o">.</span>
</pre></div>
</div>
</div>
<div class="section" id="nslookup">
<h4>nslookup<a class="headerlink" href="#nslookup" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nslookup</span> <span class="o">-</span> <span class="o">&lt;</span><span class="n">optional_name_server</span><span class="o">&gt;</span>
<span class="nb">set</span> <span class="nb">type</span><span class="o">=</span><span class="n">mx</span>
<span class="nb">set</span> <span class="nb">type</span><span class="o">=</span><span class="n">ns</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="dns-zone-transfer-using">
<h3>DNS Zone Transfer: Using<a class="headerlink" href="#dns-zone-transfer-using" title="Permalink to this headline">¶</a></h3>
<div class="section" id="id1">
<h4>host<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">host</span> <span class="o">-</span><span class="n">l</span> <span class="o">&lt;</span><span class="n">Domain</span> <span class="n">Name</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">DNS</span> <span class="n">Server</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>Try zonetransfer using host for zonetransfer.me using their name servers.</p>
</div>
<div class="section" id="dig">
<h4>Dig<a class="headerlink" href="#dig" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">dig</span> <span class="n">axfr</span> <span class="o">&lt;</span><span class="n">domain_name</span><span class="o">&gt;</span> <span class="nd">@nameserver</span>
</pre></div>
</div>
<p>Try zonetransfer using dig for zonetransfer.me using their name servers.</p>
</div>
<div class="section" id="dnsrecon">
<h4>dnsrecon<a class="headerlink" href="#dnsrecon" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">dnsrecon</span> <span class="o">-</span><span class="n">d</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span> <span class="o">-</span><span class="n">t</span> <span class="n">axfr</span>
</pre></div>
</div>
<p>dnsrecon could also be used for other purposes such as finding nameservers, mailserver, forward reverse lookup</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">d</span><span class="p">,</span> <span class="o">--</span><span class="n">domain</span>      <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>          <span class="n">Domain</span> <span class="n">to</span> <span class="n">Target</span> <span class="k">for</span> <span class="n">enumeration</span><span class="o">.</span>
<span class="o">-</span><span class="n">r</span><span class="p">,</span> <span class="o">--</span><span class="nb">range</span>       <span class="o">&lt;</span><span class="nb">range</span><span class="o">&gt;</span>           <span class="n">IP</span> <span class="n">Range</span> <span class="k">for</span> <span class="n">reverse</span> <span class="n">look</span><span class="o">-</span><span class="n">up</span> <span class="n">brute</span> <span class="n">force</span> <span class="ow">in</span> <span class="n">formats</span> <span class="p">(</span><span class="n">first</span><span class="o">-</span><span class="n">last</span><span class="p">)</span> <span class="ow">or</span> <span class="ow">in</span> <span class="p">(</span><span class="nb">range</span><span class="o">/</span><span class="n">bitmask</span><span class="p">)</span><span class="o">.</span>
<span class="o">-</span><span class="n">n</span><span class="p">,</span> <span class="o">--</span><span class="n">name_server</span> <span class="o">&lt;</span><span class="n">name</span><span class="o">&gt;</span>            <span class="n">Domain</span> <span class="n">server</span> <span class="n">to</span> <span class="n">use</span><span class="p">,</span> <span class="k">if</span> <span class="n">none</span> <span class="ow">is</span> <span class="n">given</span> <span class="n">the</span> <span class="n">SOA</span> <span class="n">of</span> <span class="n">the</span> <span class="n">target</span> <span class="n">will</span> <span class="n">be</span> <span class="n">used</span>
</pre></div>
</div>
</div>
<div class="section" id="dnsenum">
<h4>DNSEnum<a class="headerlink" href="#dnsenum" title="Permalink to this headline">¶</a></h4>
<p>DNS Enumeration tool</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">dnsenum</span> <span class="o">&lt;</span><span class="n">domain</span><span class="o">&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="srv-records">
<h4>SRV Records<a class="headerlink" href="#srv-records" title="Permalink to this headline">¶</a></h4>
<p>Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. An SRV record has the form:</p>
<ul class="simple">
<li><strong>Retrieving an SRV record:</strong></li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>$ dig _sip._tls.example.com SRV

$ host -t SRV _sip._tls.example.com

$ nslookup -querytype=srv _sip._tls.example.com

$ nslookup
 &gt; set querytype=srv
 &gt; _sip._tls.example.com
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li><strong>Usage:</strong></li>
</ul>
<blockquote>
<div><p>SRV records are used by the below standardized communication protocols.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Teamspeak</span> <span class="mi">3</span> <span class="p">(</span><span class="n">since</span> <span class="n">version</span> <span class="mf">3.0</span><span class="o">.</span><span class="mi">8</span> <span class="o">-</span> <span class="n">Neither</span> <span class="n">priority</span> <span class="n">nor</span> <span class="n">weight</span> <span class="ow">is</span> <span class="n">taken</span> <span class="n">into</span> <span class="n">consideration</span><span class="o">.</span><span class="n">The</span> <span class="n">client</span> <span class="n">appears</span> <span class="n">to</span> <span class="n">choose</span> <span class="n">an</span> <span class="n">SRV</span> <span class="n">record</span> <span class="n">at</span> <span class="n">random</span> <span class="k">for</span> <span class="n">a</span> <span class="n">connection</span> <span class="n">attempt</span><span class="o">.</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
<span class="n">Minecraft</span> <span class="p">(</span><span class="n">since</span> <span class="n">version</span> <span class="mf">1.3</span><span class="o">.</span><span class="mi">1</span><span class="p">,</span> <span class="n">_minecraft</span><span class="o">.</span><span class="n">_tcp</span><span class="p">)</span>
<span class="n">CalDAV</span> <span class="ow">and</span> <span class="n">CardDAV</span>
<span class="n">Client</span> <span class="n">SMTP</span> <span class="n">Authorization</span>
<span class="n">DNS</span> <span class="n">Service</span> <span class="n">Discovery</span> <span class="p">(</span><span class="n">DNS</span><span class="o">-</span><span class="n">SD</span><span class="p">)</span>
<span class="n">IMPS</span>
<span class="n">Kerberos</span>
<span class="n">LDAP</span>
<span class="n">Puppet</span>
<span class="n">SIP</span>
<span class="n">XMPP</span>
<span class="n">Mail</span> <span class="n">submission</span><span class="p">,</span> <span class="n">Post</span> <span class="n">Office</span> <span class="n">Protocol</span><span class="p">,</span> <span class="ow">and</span> <span class="n">Internet</span> <span class="n">Message</span> <span class="n">Access</span> <span class="n">Protocol</span>
<span class="n">Libravatar</span> <span class="n">uses</span> <span class="n">SRV</span> <span class="n">records</span> <span class="n">to</span> <span class="n">locate</span> <span class="n">avatar</span> <span class="n">image</span> <span class="n">servers</span>
<span class="n">Microsoft</span> <span class="n">Lync</span>
<span class="n">Citrix</span> <span class="n">Receiver</span>
</pre></div>
</div>
<p>Checkout the brute_srv function in the dnsrecon tool script to get familar with the different SRV names and services.</p>
</div></blockquote>
</div>
</div>
</div>
<div class="section" id="internal-infrastructure-mapping">
<h2>Internal Infrastructure Mapping<a class="headerlink" href="#internal-infrastructure-mapping" title="Permalink to this headline">¶</a></h2>
<p>All the steps in 2.a which are DNS related recon could also be performed in the internal penetration testing provided we have the access to the internal DNS Server. After, we have gathered all the information from DNS enumeration, still we haven&#8217;t enumerated internal infrastructure. We apply the below methods to enumerate further.</p>
<div class="section" id="internal-range-identification">
<h3>Internal range identification<a class="headerlink" href="#internal-range-identification" title="Permalink to this headline">¶</a></h3>
<p>In many instances, we are provided or expected to find vulnerabilities in a 10.0.0.0/8 network which would contain around 16 million IP Addresses. Scanning 16 million IP address in a considerable time is difficult. In which case, we need faster and targeted result. So, how do we find out the ranges?</p>
<div class="section" id="dns-enumeration">
<h4>DNS Enumeration<a class="headerlink" href="#dns-enumeration" title="Permalink to this headline">¶</a></h4>
<p>If you are connected to a internal dns server, you may query it with</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">dig</span> <span class="o">-</span><span class="n">t</span> <span class="nb">any</span> <span class="o">&lt;</span><span class="n">domainname</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>which should result in outputting different name servers, mail servers, A, AAAA, SOA records which would possibly give you a inner scenario how the network has been designed as there can be different nameservers, domain controllers for different locations, internal departments etc.</p>
<div class="admonition-todo admonition" id="index-4">
<p class="first admonition-title">Todo</p>
<p class="last">Convert dig output directly into hostname, ip address format.</p>
</div>
</div>
<div class="section" id="internal-portal-links">
<h4>Internal Portal Links<a class="headerlink" href="#internal-portal-links" title="Permalink to this headline">¶</a></h4>
<p>Most of the organization have one internal portals which serves has a one-stop links to every possible portal link. This could also result in some internal range exposure.</p>
<div class="admonition-todo admonition" id="index-5">
<p class="first admonition-title">Todo</p>
<p class="last">Write the script for grep and printing host and IP address and combine it with DNS Enumeration.</p>
</div>
</div>
<div class="section" id="reverse-dns-lookup">
<h4>Reverse DNS Lookup<a class="headerlink" href="#reverse-dns-lookup" title="Permalink to this headline">¶</a></h4>
<p>Nmap provides a List scan option which does the reverse lookup. It provides the hostnames of the IP Address</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">-</span><span class="n">sL</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.0</span><span class="o">/</span><span class="mi">8</span>
</pre></div>
</div>
<p>It can also be used with the below options:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">--</span><span class="n">randomize</span><span class="o">-</span><span class="n">hosts</span>  <span class="p">:</span> <span class="n">make</span> <span class="n">the</span> <span class="n">scans</span> <span class="n">less</span> <span class="n">obvious</span> <span class="n">to</span> <span class="n">various</span> <span class="n">network</span> <span class="n">monitoring</span> <span class="n">systems</span>
<span class="o">--</span><span class="n">dns</span><span class="o">-</span><span class="n">servers</span> <span class="n">server1</span><span class="p">,</span><span class="n">server2</span> <span class="p">:</span> <span class="n">By</span> <span class="n">default</span><span class="p">,</span> <span class="n">it</span> <span class="n">would</span> <span class="n">use</span> <span class="n">the</span> <span class="n">dns</span> <span class="n">servers</span> <span class="n">which</span> <span class="n">are</span> <span class="n">listed</span> <span class="ow">in</span> <span class="n">resolve</span><span class="o">.</span><span class="n">conf</span> <span class="p">(</span><span class="k">if</span> <span class="n">you</span> <span class="n">haven</span><span class="s1">&#39;t used --system-dns option). We can also list              custom servers using these options.</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="identifying-alive-ip-addresses">
<h3>Identifying Alive IP Addresses<a class="headerlink" href="#identifying-alive-ip-addresses" title="Permalink to this headline">¶</a></h3>
<p>Nmap by default provides a -sn Ping scan option. The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. This works as if ICMP echo request is blocked, nmap would know if a host is alive if it receives any response from port 443 or 80 or timestamp reply.</p>
<p>Let&#8217;s see what the nmap does when do a ping scan.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">-</span><span class="n">sn</span> <span class="o">-</span><span class="n">n</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span>
<span class="c1">#My IP is 10.0.0.1</span>
</pre></div>
</div>
<p>It is very important to mention that -n option (No DNS resolution) should be used going forward as we have already did DNS resolution while using List scan. Since DNS can be slow even with Nmap&#8217;s built-in parallel stub resolver, this option can slash scanning times. TCP Dump output is presented here. As both the IP address are in the same subnet, nmap would use ARP Ping scan to find the alive IP Address.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mi">22</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mf">27.292054</span> <span class="n">ARP</span><span class="p">,</span> <span class="n">Request</span> <span class="n">who</span><span class="o">-</span><span class="n">has</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="p">(</span><span class="n">Broadcast</span><span class="p">)</span> <span class="n">tell</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">,</span> <span class="n">length</span> <span class="mi">28</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">11</span><span class="p">:</span><span class="mf">27.361100</span> <span class="n">ARP</span><span class="p">,</span> <span class="n">Reply</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="ow">is</span><span class="o">-</span><span class="n">at</span> <span class="mi">8</span><span class="n">c</span><span class="p">:</span><span class="mi">64</span><span class="p">:</span><span class="mi">22</span><span class="p">:</span><span class="mi">3</span><span class="n">b</span><span class="p">:</span><span class="mi">2</span><span class="n">b</span><span class="p">:</span><span class="mi">2</span><span class="n">d</span> <span class="p">(</span><span class="n">oui</span> <span class="n">Unknown</span><span class="p">),</span> <span class="n">length</span> <span class="mi">28</span>
</pre></div>
</div>
<p>However, this behavior can be changed using &#8211;disable-arp-ping</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">-</span><span class="n">sn</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="o">--</span><span class="n">disable</span><span class="o">-</span><span class="n">arp</span><span class="o">-</span><span class="n">ping</span>
</pre></div>
</div>
<p>TCPdump output is as below One ICMP Echo Request, SYN to Port 443, ACK to Port 80 and a time stamp request.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.742180</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">echo</span> <span class="n">request</span><span class="p">,</span> <span class="nb">id</span> <span class="mi">45066</span><span class="p">,</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">8</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.742222</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">.</span><span class="mi">59246</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="o">.</span><span class="n">https</span><span class="p">:</span> <span class="n">Flags</span> <span class="p">[</span><span class="n">S</span><span class="p">],</span> <span class="n">seq</span> <span class="mi">3994420539</span><span class="p">,</span> <span class="n">win</span> <span class="mi">1024</span><span class="p">,</span> <span class="n">options</span> <span class="p">[</span><span class="n">mss</span> <span class="mi">1460</span><span class="p">],</span> <span class="n">length</span> <span class="mi">0</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.742234</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">.</span><span class="mi">59246</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="o">.</span><span class="n">http</span><span class="p">:</span> <span class="n">Flags</span> <span class="p">[</span><span class="o">.</span><span class="p">],</span> <span class="n">ack</span> <span class="mi">3994420539</span><span class="p">,</span> <span class="n">win</span> <span class="mi">1024</span><span class="p">,</span> <span class="n">length</span> <span class="mi">0</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.742241</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">time</span> <span class="n">stamp</span> <span class="n">query</span> <span class="nb">id</span> <span class="mi">38635</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">20</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.801243</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">echo</span> <span class="n">reply</span><span class="p">,</span> <span class="nb">id</span> <span class="mi">45066</span><span class="p">,</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">8</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.801930</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="o">.</span><span class="n">https</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">.</span><span class="mi">59246</span><span class="p">:</span> <span class="n">Flags</span> <span class="p">[</span><span class="n">R</span><span class="o">.</span><span class="p">],</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">ack</span> <span class="mi">3994420540</span><span class="p">,</span> <span class="n">win</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">0</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.805083</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="o">.</span><span class="n">http</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="o">.</span><span class="mi">59246</span><span class="p">:</span> <span class="n">Flags</span> <span class="p">[</span><span class="n">R</span><span class="p">],</span> <span class="n">seq</span> <span class="mi">3994420539</span><span class="p">,</span> <span class="n">win</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">0</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">14</span><span class="p">:</span><span class="mf">02.805930</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">time</span> <span class="n">stamp</span> <span class="n">reply</span> <span class="nb">id</span> <span class="mi">38635</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">:</span> <span class="n">org</span> <span class="mi">00</span><span class="p">:</span><span class="mi">00</span><span class="p">:</span><span class="mf">00.000</span><span class="p">,</span> <span class="n">recv</span> <span class="mi">16</span><span class="p">:</span><span class="mi">40</span><span class="p">:</span><span class="mf">52.731</span><span class="p">,</span> <span class="n">xmit</span> <span class="mi">16</span><span class="p">:</span><span class="mi">40</span><span class="p">:</span><span class="mf">52.731</span><span class="p">,</span> <span class="n">length</span> <span class="mi">20</span>
</pre></div>
</div>
<p>If you use &#8211;reason option, nmap would tell why it thinks the host is alive. In the below case (received echo-reply).</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">Nmap</span> <span class="n">scan</span> <span class="n">report</span> <span class="k">for</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span>
<span class="n">Host</span> <span class="ow">is</span> <span class="n">up</span><span class="p">,</span> <span class="n">received</span> <span class="n">echo</span><span class="o">-</span><span class="n">reply</span> <span class="p">(</span><span class="mf">0.073</span><span class="n">s</span> <span class="n">latency</span><span class="p">)</span><span class="o">.</span>
</pre></div>
</div>
<p>If we only want to send ICMP Ping query ( as if the host replies to it, the other three packets (SYN 443, ACK 80 and Timestamp )are extra burden. ( I may be wrong here). We can use</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">-</span><span class="n">n</span> <span class="o">-</span><span class="n">sn</span> <span class="o">-</span><span class="n">PE</span> <span class="o">--</span><span class="n">disable</span><span class="o">-</span><span class="n">arp</span><span class="o">-</span><span class="n">ping</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span>
</pre></div>
</div>
<p>TCP Dump output:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="mi">22</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mf">20.768525</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">echo</span> <span class="n">request</span><span class="p">,</span> <span class="nb">id</span> <span class="mi">39366</span><span class="p">,</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">8</span>
<span class="mi">22</span><span class="p">:</span><span class="mi">30</span><span class="p">:</span><span class="mf">20.826098</span> <span class="n">IP</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.230</span> <span class="o">&gt;</span> <span class="mf">10.0</span><span class="o">.</span><span class="mf">0.1</span><span class="p">:</span> <span class="n">ICMP</span> <span class="n">echo</span> <span class="n">reply</span><span class="p">,</span> <span class="nb">id</span> <span class="mi">39366</span><span class="p">,</span> <span class="n">seq</span> <span class="mi">0</span><span class="p">,</span> <span class="n">length</span> <span class="mi">8</span>
</pre></div>
</div>
<p>Please note, this ICMP scan would miss all the host which are alive but the firewall is dropping the ICMP echo request packet. However, if you want to find more hosts, it would be advisable to separate the list of IPs which responded to ICMP from the IP address scan range and run the scan again may be with SYN to 443 and ACK to 80 using PA, PS options.</p>
<p>Please also note Nmap&#8217;s ICMP ping, by default, sends zero data as part of the ping. Nmap typically pings the host via icmp if the user has root privileges, and uses a tcp-ping otherwise. This is easily detected by the Snort IDS Rule 1-469 <a class="reference external" href="https://www.snort.org/rule_docs/1-469">SID 1-469</a>.</p>
<p>This could be evaded by using</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">--</span><span class="n">data</span> <span class="o">&lt;</span><span class="nb">hex</span> <span class="n">string</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">Append</span> <span class="n">custom</span> <span class="n">binary</span> <span class="n">data</span> <span class="n">to</span> <span class="n">sent</span> <span class="n">packets</span><span class="p">)</span>
<span class="o">--</span><span class="n">data</span><span class="o">-</span><span class="n">string</span> <span class="o">&lt;</span><span class="n">string</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">Append</span> <span class="n">custom</span> <span class="n">string</span> <span class="n">to</span> <span class="n">sent</span> <span class="n">packets</span><span class="p">)</span>
<span class="o">--</span><span class="n">data</span><span class="o">-</span><span class="n">length</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;</span> <span class="p">(</span><span class="n">Append</span> <span class="n">random</span> <span class="n">data</span> <span class="n">to</span> <span class="n">sent</span> <span class="n">packets</span><span class="p">)</span>
</pre></div>
</div>
<p>Please note that you should use this options only on ICMP Echo Request for IDS Evasion as the data gets appended to every packet (ex. port scan packets). Designing the ideal combinations of probes as suggested in the Nmap Book is</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">PE</span> <span class="o">-</span><span class="n">PA</span> <span class="o">-</span><span class="n">PS</span> <span class="mi">21</span><span class="p">,</span><span class="mi">22</span><span class="p">,</span><span class="mi">23</span><span class="p">,</span><span class="mi">25</span><span class="p">,</span><span class="mi">80</span><span class="p">,</span><span class="mi">113</span><span class="p">,</span><span class="mi">31339</span> <span class="o">-</span><span class="n">PA</span> <span class="mi">80</span><span class="p">,</span><span class="mi">113</span><span class="p">,</span><span class="mi">443</span><span class="p">,</span><span class="mi">10042</span>
 <span class="n">Adding</span> <span class="o">--</span><span class="n">source</span><span class="o">-</span><span class="n">port</span> <span class="mi">53</span> <span class="n">might</span> <span class="n">also</span> <span class="n">help</span>
</pre></div>
</div>
<p>The above combination would find more hosts than just the ping scan, however it also gonna cost a decent amount of time. NormalTime vs Accuracy trade off.</p>
</div>
<div class="section" id="port-scanning">
<h3>Port Scanning<a class="headerlink" href="#port-scanning" title="Permalink to this headline">¶</a></h3>
<p>Once you have the list of IP Addresses which are alive, we can do port scan on them. Nmap provides multiple options such as</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">sS</span> <span class="n">TCP</span> <span class="n">SYN</span> <span class="n">Stealth</span> <span class="p">:</span> <span class="n">Half</span> <span class="n">Open</span> <span class="n">SYN</span> <span class="n">Scan</span> <span class="p">:</span> <span class="n">Nmap</span> <span class="n">sends</span> <span class="n">the</span> <span class="n">SYN</span> <span class="n">packet</span><span class="p">,</span> <span class="n">Server</span> <span class="n">would</span> <span class="n">send</span> <span class="n">SYN</span><span class="o">/</span><span class="n">ACK</span><span class="p">,</span> <span class="n">System</span> <span class="n">would</span> <span class="n">send</span> <span class="n">RST</span><span class="o">.</span>
<span class="o">-</span><span class="n">sT</span> <span class="n">TCP</span> <span class="n">Connect</span> <span class="n">Scan</span> <span class="p">:</span> <span class="n">Nmap</span> <span class="n">uses</span> <span class="n">system</span> <span class="n">to</span> <span class="n">send</span> <span class="n">the</span> <span class="n">SYN</span> <span class="n">scan</span> <span class="p">:</span> <span class="n">Connect</span> <span class="n">full</span> <span class="n">TCP</span> <span class="n">Handshake</span>
<span class="o">-</span><span class="n">sU</span> <span class="n">UDP</span> <span class="n">Scan</span>
<span class="o">-</span><span class="n">sA</span> <span class="n">ACK</span> <span class="n">Scan</span> <span class="p">:</span> <span class="n">Ack</span> <span class="n">scan</span> <span class="ow">is</span> <span class="n">generally</span> <span class="n">used</span> <span class="n">to</span> <span class="nb">map</span> <span class="n">out</span> <span class="n">firewall</span> <span class="n">rulesets</span><span class="o">.</span> <span class="n">Whether</span> <span class="n">firewall</span> <span class="ow">is</span> <span class="n">stateful</span> <span class="ow">or</span> <span class="ow">not</span><span class="o">.</span>
</pre></div>
</div>
<p>Please note p0f recognizes Nmap&#8217;s SYN scan because of the TCP Options such as TCP window size a multiple of 1024, and only the MSS option supported with a value of 1460 (Check the tcpdump output of Ping scan above, SYN Packet). Recently, a IRC user was getting filtered port while using SYN Scan whereas was getting OPN ports which using telnet or TCP Connect Scan. Also, A patch to allow a user to override the TCP Window size in SYN scan was just posted to the <a class="reference external" href="http://seclists.org/nmap-dev/2015/q3/52">Nmap DevelopmentList</a>.</p>
<p>By default, nmap scans the 1000 most popular ports of eachprotocol ( gathered by scanning million of IP address ). Scanning 1000 ports in an unknown environment with 16 million IP Address could be challenging. Nmap also provides -F Fast scan option which scans the 100 most common ports in each protocol. Otherwise it also provides &#8211;top-ports to specify an arbitrary number of ports. So, How do we know what are the ports scanned with &#8211;top-portsoption. This could be found by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">-</span><span class="n">sT</span> <span class="o">-</span><span class="n">oG</span> <span class="o">-</span> <span class="o">-</span><span class="n">v</span> <span class="o">|</span> <span class="n">grep</span> <span class="s1">&#39;^# Ports&#39;</span>
</pre></div>
</div>
<p>or</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="n">localhost</span> <span class="o">-</span><span class="n">F</span> <span class="o">-</span><span class="n">oX</span> <span class="o">-</span> <span class="o">|</span> <span class="n">grep</span> <span class="s1">&#39;^&lt;scaninfo&#39;</span>
</pre></div>
</div>
<p>Nmap needs an nmap-services file with frequency information in order to know which ports are the most common. See the sectioncalled <a class="reference external" href="http://seclists.org/nmap-dev/2015/q3/52">Well Known Port List: nmap-services</a> : for more information about port frequencies. We could provide ports to nmap by using -p option also, for example</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">p</span> <span class="mi">22</span> <span class="p">:</span> <span class="n">Scan</span> <span class="n">single</span> <span class="n">port</span>
<span class="o">-</span><span class="n">p</span> <span class="mi">22</span><span class="p">,</span><span class="mi">25</span><span class="p">,</span><span class="mi">80</span> <span class="p">:</span> <span class="n">Scan</span> <span class="n">multiple</span> <span class="n">ports</span> <span class="k">with</span> <span class="n">comma</span> <span class="n">separated</span> <span class="n">values</span><span class="o">.</span> <span class="n">If</span> <span class="o">-</span><span class="n">sS</span> <span class="ow">is</span> <span class="n">specified</span> <span class="n">TCP</span> <span class="n">ports</span> <span class="n">would</span> <span class="n">be</span> <span class="n">scanned</span><span class="o">.</span> <span class="n">If</span> <span class="o">-</span><span class="n">sU</span> <span class="n">UDP</span> <span class="n">Scan</span> <span class="ow">is</span> <span class="n">specified</span><span class="p">,</span> <span class="n">UDP</span> <span class="n">Ports</span> <span class="n">would</span> <span class="n">be</span> <span class="n">scanned</span><span class="o">.</span>
<span class="o">-</span><span class="n">p80</span><span class="o">-</span><span class="mi">85</span><span class="p">,</span> <span class="mi">443</span><span class="p">,</span> <span class="mi">8000</span><span class="o">-</span><span class="mi">8005</span> <span class="p">:</span> <span class="n">Scan</span> <span class="n">port</span> <span class="k">with</span> <span class="n">ranges</span><span class="o">.</span>
<span class="o">-</span><span class="n">p</span><span class="o">-</span> <span class="p">:</span> <span class="n">Scan</span> <span class="nb">all</span> <span class="n">the</span> <span class="n">ports</span> <span class="n">excluding</span> <span class="mf">0.</span>
<span class="o">-</span><span class="n">pT</span><span class="p">:</span><span class="mi">21</span><span class="p">,</span><span class="mi">22</span><span class="p">,</span><span class="mi">25</span><span class="p">,</span><span class="n">U</span><span class="p">:</span><span class="mi">53</span><span class="p">,</span><span class="mi">111</span><span class="p">,</span><span class="mi">161</span> <span class="p">:</span> <span class="n">Scan</span> <span class="n">TCP</span> <span class="mi">21</span><span class="p">,</span><span class="mi">22</span><span class="p">,</span><span class="mi">25</span> <span class="ow">and</span> <span class="n">UDP</span> <span class="n">Ports</span> <span class="mi">53</span><span class="p">,</span><span class="mi">111</span><span class="p">,</span><span class="mf">161.</span> <span class="o">-</span><span class="n">sU</span> <span class="n">must</span> <span class="n">also</span> <span class="n">be</span> <span class="n">specified</span><span class="o">.</span>
<span class="o">-</span><span class="n">p</span> <span class="n">http</span><span class="o">*</span> <span class="p">:</span> <span class="n">wild</span> <span class="n">cards</span> <span class="n">may</span> <span class="n">be</span> <span class="n">used</span> <span class="k">for</span> <span class="n">ports</span> <span class="k">with</span> <span class="n">similar</span> <span class="n">names</span><span class="o">.</span> <span class="n">This</span> <span class="n">would</span> <span class="n">match</span> <span class="n">nine</span> <span class="n">ports</span> <span class="n">including</span> <span class="mi">80</span><span class="p">,</span><span class="mi">280</span><span class="p">,</span><span class="mi">443</span><span class="p">,</span><span class="mi">591</span><span class="p">,</span><span class="mi">593</span><span class="p">,</span><span class="mi">8000</span><span class="p">,</span><span class="mi">8008</span><span class="p">,</span><span class="mi">8080</span><span class="p">,</span><span class="mf">8443.</span>
</pre></div>
</div>
<p>Port scanning via <strong>netcat</strong>: Netcat might not be the best tool to use for port scanning, but can be used quickly. netcat scans TCP ports by default, but we can perform UDP scans as well.</p>
<p>For a TCP scan, the format is</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nc</span> <span class="o">-</span><span class="n">vvn</span> <span class="o">-</span><span class="n">z</span> <span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span> <span class="n">startport</span><span class="o">-</span><span class="n">endport</span>
   <span class="o">-</span><span class="n">z</span> <span class="n">flag</span> <span class="ow">is</span> <span class="n">Zero</span><span class="o">-</span><span class="n">I</span><span class="o">/</span><span class="n">O</span> <span class="n">mode</span> <span class="p">(</span> <span class="n">used</span> <span class="k">for</span> <span class="n">scannng</span> <span class="p">)</span>
   <span class="o">-</span><span class="n">vv</span> <span class="n">will</span> <span class="n">provide</span> <span class="n">verbose</span> <span class="n">information</span> <span class="n">about</span> <span class="n">the</span> <span class="n">results</span>
   <span class="o">-</span><span class="n">n</span> <span class="n">flag</span> <span class="n">allows</span> <span class="n">to</span> <span class="n">skip</span> <span class="n">the</span> <span class="n">DNS</span> <span class="n">lookup</span>
</pre></div>
</div>
<p>For a UDP Port Scan, we need to add -u flag which makes the format</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nc</span> <span class="o">-</span><span class="n">vvn</span> <span class="o">-</span><span class="n">u</span> <span class="o">-</span><span class="n">z</span> <span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span><span class="o">.</span><span class="n">xxx</span> <span class="n">startport</span><span class="o">-</span><span class="n">endport</span>
</pre></div>
</div>
<div class="section" id="identifying-service-versions">
<h4>Identifying service versions<a class="headerlink" href="#identifying-service-versions" title="Permalink to this headline">¶</a></h4>
<p>Ideally, we can use -sV to probe the ports to find the version running. When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a rarity value correctly identified. However, high intensity scans takelonger. The intensity must be between 0 and 9. The default is 7.</p>
<p>Ideally, to avoid the IDS Detection, we should avoid using -sV option. However, we can keep the noise less by using &#8211;version intensity by which we can control the number of probes sent to determine the service. Setting this option to 0 will send only the Null probe (connect and wait for banner) and any probes that have been specifically listed as pertaining to the scanned port in nmap-service-probes. The other options available are below:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="n">light</span> <span class="p">(</span><span class="n">Enable</span> <span class="n">light</span> <span class="n">mode</span><span class="p">)</span> <span class="p">:</span> <span class="n">Alias</span> <span class="k">for</span> <span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="n">intensity</span> <span class="mf">2.</span>
<span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="nb">all</span> <span class="p">(</span><span class="n">Try</span> <span class="n">every</span> <span class="n">single</span> <span class="n">probe</span><span class="p">)</span> <span class="p">:</span> <span class="n">An</span> <span class="n">alias</span> <span class="k">for</span> <span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="n">intensity</span> <span class="mi">9</span>
<span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="n">trace</span> <span class="p">(</span><span class="n">Trace</span> <span class="n">version</span> <span class="n">scan</span> <span class="n">activity</span><span class="p">)</span> <span class="p">:</span> <span class="n">Print</span> <span class="n">debugging</span> <span class="n">information</span><span class="o">.</span>
</pre></div>
</div>
<p>Also, when -sV is specified apart from the probes, all the scripts in the <a class="reference external" href="https://nmap.org/nsedoc/categories/version.html">Version</a> category are executed. These scripts could be prevented from running by removing them from the script.db catalog or by building Nmap without NSE support (./configure &#8211;without-liblua). However,if &#8211;version-intensity option is less than 7, those scripts won&#8217;t be executed ( I might be a little wrong here).</p>
<p>So our scan would become approx</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nmap</span> <span class="o">&lt;</span><span class="n">IP_Address_Range</span><span class="o">&gt;</span> <span class="o">-</span><span class="n">n</span> <span class="o">--</span><span class="n">top</span><span class="o">-</span><span class="n">ports</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;/-</span><span class="n">p</span> <span class="o">&lt;</span><span class="n">Custom</span> <span class="n">Port</span> <span class="n">List</span><span class="o">&gt;</span> <span class="o">-</span><span class="n">sV</span> <span class="o">--</span><span class="n">version</span><span class="o">-</span><span class="n">intensity</span> <span class="mi">0</span><span class="o">/</span> <span class="p">(</span><span class="n">No</span> <span class="o">-</span><span class="n">sV</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="performance">
<h4>Performance<a class="headerlink" href="#performance" title="Permalink to this headline">¶</a></h4>
<p>So, How can we improve the performance of our nmap scan, so that result could be  achieved faster. However, as always we will have Time Vs Accuracy Trade off.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">T</span><span class="o">&lt;</span><span class="mi">0</span><span class="o">-</span><span class="mi">5</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Set</span> <span class="n">timing</span> <span class="n">template</span> <span class="p">(</span><span class="n">higher</span> <span class="ow">is</span> <span class="n">faster</span><span class="p">)</span>
<span class="o">--</span><span class="nb">min</span><span class="o">-</span><span class="n">rtt</span><span class="o">-</span><span class="n">timeout</span><span class="o">/</span><span class="nb">max</span><span class="o">-</span><span class="n">rtt</span><span class="o">-</span><span class="n">timeout</span><span class="o">/</span><span class="n">initial</span><span class="o">-</span><span class="n">rtt</span><span class="o">-</span><span class="n">timeout</span> <span class="o">&lt;</span><span class="n">time</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Specifies</span> <span class="n">probe</span> <span class="nb">round</span> <span class="n">trip</span> <span class="n">time</span><span class="o">.</span>
<span class="o">--</span><span class="nb">max</span><span class="o">-</span><span class="n">retries</span> <span class="o">&lt;</span><span class="n">tries</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Caps</span> <span class="n">number</span> <span class="n">of</span> <span class="n">port</span> <span class="n">scan</span> <span class="n">probe</span> <span class="n">retransmissions</span><span class="o">.</span>
<span class="o">--</span><span class="n">host</span><span class="o">-</span><span class="n">timeout</span> <span class="o">&lt;</span><span class="n">time</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Give</span> <span class="n">up</span> <span class="n">on</span> <span class="n">target</span> <span class="n">after</span> <span class="n">this</span> <span class="n">long</span>
<span class="o">--</span><span class="n">scan</span><span class="o">-</span><span class="n">delay</span><span class="o">/--</span><span class="nb">max</span><span class="o">-</span><span class="n">scan</span><span class="o">-</span><span class="n">delay</span> <span class="o">&lt;</span><span class="n">time</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Adjust</span> <span class="n">delay</span> <span class="n">between</span> <span class="n">probes</span>
<span class="o">--</span><span class="nb">min</span><span class="o">-</span><span class="n">rate</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Send</span> <span class="n">packets</span> <span class="n">no</span> <span class="n">slower</span> <span class="n">than</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;</span> <span class="n">per</span> <span class="n">second</span>
<span class="o">--</span><span class="nb">max</span><span class="o">-</span><span class="n">rate</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Send</span> <span class="n">packets</span> <span class="n">no</span> <span class="n">faster</span> <span class="n">than</span> <span class="o">&lt;</span><span class="n">number</span><span class="o">&gt;</span> <span class="n">per</span> <span class="n">second</span>
</pre></div>
</div>
<p>T0,T1,T2 is specifically for IDS Evasion. T3 is the default. We can set max-retries to a lower value such as 2. Currently it&#8217;s 10 for T0,T1,T2,T3; 6 for T4 and 2 for T5.</p>
</div>
<div class="section" id="nmap-scripts">
<h4>Nmap Scripts<a class="headerlink" href="#nmap-scripts" title="Permalink to this headline">¶</a></h4>
<p>As bonsaiviking says <a class="reference external" href="http://blog.bonsaiviking.com/2015/07/they-see-me-scannin-part-2.html">Here</a>: If you are wild enough to try NSE scripts against an IDS-protected target, you should know how to read Lua, since the script sources are the final authority on what data is sent. But if you&#8217;re just looking to get a little better at blending in, these tips should help:</p>
<ul class="simple">
<li>Use &#8211;script-args-file to pass script arguments to Nmap from a file. This will keep your command line clean and make it harder to accidentally miss one of the options you choose</li>
<li>Obviously avoid dos, intrusive, and exploit category scripts.</li>
<li>Use scripts by name instead of by category, so that you know exactly what will be run.</li>
<li>Thoroughly read the documentation for each script you intend to use. Set http.useragent to something believable that blends in. Currently, The HTTP scripts all use a User-Agent header that identifies as &#8220;Nmap Scripting Engine.&#8221;</li>
</ul>
</div>
<div class="section" id="output-options">
<h4>Output Options<a class="headerlink" href="#output-options" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span><span class="n">oN</span><span class="o">/-</span><span class="n">oX</span><span class="o">/-</span><span class="n">oS</span><span class="o">/-</span><span class="n">oG</span> <span class="o">&lt;</span><span class="n">file</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Output</span> <span class="n">scan</span> <span class="ow">in</span> <span class="n">normal</span><span class="p">,</span> <span class="n">XML</span><span class="p">,</span> <span class="n">s</span><span class="o">|&lt;</span><span class="n">rIpt</span> <span class="n">kIddi3</span><span class="p">,</span> <span class="ow">and</span> <span class="n">Grepable</span> <span class="nb">format</span><span class="p">,</span> <span class="n">respectively</span><span class="p">,</span> <span class="n">to</span> <span class="n">t</span><span class="o">.</span>
<span class="o">-</span><span class="n">oA</span> <span class="o">&lt;</span><span class="n">basename</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Output</span> <span class="ow">in</span> <span class="n">the</span> <span class="n">three</span> <span class="n">major</span> <span class="n">formats</span> <span class="n">at</span> <span class="n">once</span>
<span class="o">--</span><span class="n">reason</span><span class="p">:</span> <span class="n">Display</span> <span class="n">the</span> <span class="n">reason</span> <span class="n">a</span> <span class="n">port</span> <span class="ow">is</span> <span class="ow">in</span> <span class="n">a</span> <span class="n">particular</span> <span class="n">state</span>
<span class="o">--</span><span class="nb">open</span><span class="p">:</span> <span class="n">Only</span> <span class="n">show</span> <span class="nb">open</span> <span class="p">(</span><span class="ow">or</span> <span class="n">possibly</span> <span class="nb">open</span><span class="p">)</span> <span class="n">ports</span>
<span class="o">--</span><span class="n">packet</span><span class="o">-</span><span class="n">trace</span><span class="p">:</span> <span class="n">Show</span> <span class="nb">all</span> <span class="n">packets</span> <span class="n">sent</span> <span class="ow">and</span> <span class="n">received</span>
<span class="o">--</span><span class="n">resume</span> <span class="o">&lt;</span><span class="n">filename</span><span class="o">&gt;</span><span class="p">:</span> <span class="n">Resume</span> <span class="n">an</span> <span class="n">aborted</span> <span class="n">scan</span> <span class="p">:</span> <span class="n">Filename</span> <span class="n">should</span> <span class="n">be</span> <span class="o">.</span><span class="n">nmap</span> <span class="ow">or</span> <span class="o">.</span><span class="n">gnmap</span>
</pre></div>
</div>
<p>At this point, it&#8217;s good to find what are the most common ports open in the scan we just performed by</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">grep</span> <span class="s2">&quot;^[0-9]\+&quot;</span> <span class="o">&lt;</span><span class="n">nmap</span> <span class="n">file</span> <span class="o">.</span><span class="n">nmap</span> <span class="n">extension</span><span class="o">&gt;</span> <span class="o">|</span> <span class="n">grep</span> <span class="s2">&quot;\ open\ &quot;</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">|</span> <span class="n">uniq</span> <span class="o">-</span><span class="n">c</span> <span class="o">|</span> <span class="n">sort</span> <span class="o">-</span><span class="n">rn</span> <span class="o">|</span> <span class="n">awk</span> <span class="s1">&#39;{print &quot;</span><span class="se">\&quot;</span><span class="s1">&quot;$1&quot;</span><span class="se">\&quot;</span><span class="s1">,</span><span class="se">\&quot;</span><span class="s1">&quot;$2&quot;</span><span class="se">\&quot;</span><span class="s1">,</span><span class="se">\&quot;</span><span class="s1">&quot;$3&quot;</span><span class="se">\&quot;</span><span class="s1">,</span><span class="se">\&quot;</span><span class="s1">&quot;$4&quot;</span><span class="se">\&quot;</span><span class="s1">,</span><span class="se">\&quot;</span><span class="s1">&quot;$5&quot; &quot;$6&quot; &quot;$7&quot; &quot;$8&quot; &quot;$9&quot; &quot;$10&quot; &quot;$11&quot; &quot;$12&quot; &quot;$13&quot;</span><span class="se">\&quot;</span><span class="s1">&quot;}&#39;</span> <span class="o">&gt;</span> <span class="n">test</span><span class="o">.</span><span class="n">csv</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="exploring-the-network-further">
<h3>Exploring the Network Further<a class="headerlink" href="#exploring-the-network-further" title="Permalink to this headline">¶</a></h3>
<p>By now, we would have information about what ports are open and possibly what services are running on them. Further, we need to explore the various options by which we can get more information.</p>
<div class="section" id="gathering-screenshots-for-http-services">
<h4>Gathering Screenshots for http* services<a class="headerlink" href="#gathering-screenshots-for-http-services" title="Permalink to this headline">¶</a></h4>
<p>There are four ways (in my knowledge to do this)</p>
<ul class="simple">
<li><strong>http-screenshot NSE</strong>: Nmap has a NSE script <a class="reference external" href="https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse">http-screenshot</a> This could be executed while running nmap. It uses wkhtml2image tool in the script. Sometimes, you may find that running this script takes a long time. It might be a good idea to gather the http* running IP, Port and provide this information to wkhtml2image directly via scripting. You do have to install wkhtml2image and test with disable javascript and other options available.</li>
<li><strong>httpscreenshot</strong> from breenmachine: <a class="reference external" href="https://github.com/breenmachine/httpscreenshot">httpscreenshot</a> is a tool for grabbing screenshots and HTML of large numbers of websites. The goal is for it to be both thorough and fast which can sometimes oppose each other.</li>
<li><strong>Eyewitness</strong> from Chris Truncer: <a class="reference external" href="https://github.com/ChrisTruncer/EyeWitness">EyeWitness</a> is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.</li>
<li>Another method is to use <a class="reference external" href="https://code.google.com/p/java-html2image/">html2image</a> which is a simple Java library converts plain HTML markup to image and provides client-side image-map using html element.</li>
<li><strong>RAWR: Rapid Assesment of Web Resourses</strong>: <a class="reference external" href="https://bitbucket.org/al14s/rawr/wiki/Home">RAWR</a> provides with a customizable CSV containing ordered information gathered for each host, with a field for making notes/etc.; An elegant, searchable, JQuery-driven HTML report that shows screenshots, diagrams, and other information. A report on relevent security headers. In short, it provides a landscape of your  webapplications. It takes input from multiple formats such as Nmap, Nessus, OpenVAS etc.</li>
</ul>
</div>
<div class="section" id="information-gathering-for-http-services">
<h4>Information Gathering for http* Services<a class="headerlink" href="#information-gathering-for-http-services" title="Permalink to this headline">¶</a></h4>
<ul class="simple">
<li><a class="reference external" href="http://www.morningstarsecurity.com/research/whatweb">WhatWeb</a> recognises web technologies including content managementsystems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded device. <a class="reference external" href="https://www.aldeid.com/wiki/Tellmeweb">Tellmeweb</a> is a ruby script to read Nmap Gnmap file and run whatweb on all of them. A <a class="reference external" href="https://github.com/stevecoward/whatweb-parser">WhatWeb Result Parser</a> also has been written which converts the results to CSV format. More information about advance usage can be found <a class="reference external" href="https://github.com/urbanadventurer/WhatWeb/wiki/Advanced-Usage">here</a>.</li>
<li>Wapplyzer &lt;<a class="reference external" href="http://wappalyzer.com">http://wappalyzer.com</a>&gt;`__ is a Firefox plug-in. There are four ways (in my knowledge to do this)be loaded on browser. It works completely at the browser level and gives results in the form of icons.</li>
<li><a class="reference external" href="http://w3techs.com/">W3Tech</a> is another Chrome plug-in which provides information about the usage of various types technologies on the web. It tells the web technologies based on the crawling it has done. So example.com, x1.example.com, x2.example.com will show the same technologies as the domain is same (which is not correct).</li>
<li><a class="reference external" href="https://github.com/justjavac/ChromeSnifferPlus">ChromeSnifferPlus</a> is another chrome extension to sniff about the different web-technologies used by the website.</li>
<li><a class="reference external" href="http://builtwith.com/">BuiltWith</a> is another website which provides a good amount of information about the different technologies used by website.</li>
</ul>
</div>
<div class="section" id="netbios-service">
<h4>NetBIOS Service<a class="headerlink" href="#netbios-service" title="Permalink to this headline">¶</a></h4>
<p>Netbios listens on TCP Port 139, 445 and UDP Port 137. How do we machines on which these three ports or a combination are open and feed that IP information to nbtscan and enum4linux. We can do this by using grep such as</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">&quot;^Host.*[ ]137/open/udp&quot;</span> <span class="o">&lt;</span><span class="n">Nmap</span> <span class="o">.</span><span class="n">gnmap</span> <span class="n">file</span><span class="o">&gt;</span>     <span class="p">:</span> <span class="n">Grep</span> <span class="mi">137</span> <span class="n">UDP</span> <span class="n">Ports</span> <span class="n">to</span> <span class="n">run</span> <span class="n">nbtscan</span>
<span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">&quot;^Host.*[ ]139/open/tcp&quot;</span> <span class="o">&lt;</span><span class="n">Nmap</span> <span class="o">.</span><span class="n">gnmap</span> <span class="n">file</span><span class="o">&gt;</span>
<span class="c1">#If we want that tcp port 139 and 445 both must be open</span>
<span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">&quot;^Host.*[ ]139/open/tcp&quot;</span> <span class="o">&lt;</span><span class="n">Nmap</span> <span class="o">.</span><span class="n">gnmap</span> <span class="n">file</span><span class="o">&gt;</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">&quot;^Host.*[ ]445/open/tcp&quot;</span>                 <span class="o">&lt;</span><span class="n">Nmap</span> <span class="o">.</span><span class="n">gnmap</span> <span class="n">file</span><span class="o">&gt;</span> <span class="p">:</span> <span class="n">Grep</span> <span class="n">TCP</span> <span class="mi">135</span> <span class="ow">and</span> <span class="mi">445</span> <span class="n">port</span> <span class="n">to</span> <span class="n">run</span> <span class="n">enum4linux</span>
<span class="c1">#If we want that tcp port 139 or 445 must be open</span>
<span class="n">grep</span> <span class="o">-</span><span class="n">E</span> <span class="s2">&quot;^Host.*[ ]139/open/tcp|[ ]443/open/tcp&quot;</span> <span class="o">&lt;</span><span class="n">Nmap</span> <span class="o">.</span><span class="n">gnmap</span> <span class="n">file</span><span class="o">&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="nbtscan">
<h4>NBTSCAN<a class="headerlink" href="#nbtscan" title="Permalink to this headline">¶</a></h4>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">nbtscan</span>
    <span class="o">-</span><span class="n">v</span>        <span class="n">Verbose</span> <span class="n">output</span><span class="o">.</span> <span class="n">Print</span> <span class="nb">all</span> <span class="n">names</span> <span class="n">received</span> <span class="kn">from</span> <span class="nn">each</span> <span class="n">host</span><span class="o">.</span>
    <span class="o">-</span><span class="n">f</span> <span class="n">filename</span>     <span class="n">Take</span> <span class="n">IP</span> <span class="n">addresses</span> <span class="n">to</span> <span class="n">scan</span> <span class="kn">from</span> <span class="nn">file</span> <span class="s2">&quot;filename&quot;</span>
</pre></div>
</div>
</div>
<div class="section" id="enum4linux">
<h4>enum4linux<a class="headerlink" href="#enum4linux" title="Permalink to this headline">¶</a></h4>
<p>A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. It is is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.A very good usage guide is`here &lt;<a class="reference external" href="https://labs.portcullis.co.uk/tools/enum4linux/">https://labs.portcullis.co.uk/tools/enum4linux/</a>&gt;`__</p>
</div>
<div class="section" id="snmp-enumeration">
<h4>SNMP Enumeration<a class="headerlink" href="#snmp-enumeration" title="Permalink to this headline">¶</a></h4>
<p>For SNMP Enumeration, UDP Port 161 should be open. If the port 161 is open we can use</p>
<ul class="simple">
<li><strong>snmpcheck:</strong></li>
</ul>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">snmpcheck</span> <span class="o">-</span><span class="n">t</span> <span class="o">&lt;</span><span class="n">IP</span> <span class="n">address</span><span class="o">&gt;</span>
     <span class="o">-</span><span class="n">c</span> <span class="p">:</span> <span class="n">SNMP</span> <span class="n">community</span><span class="p">;</span> <span class="n">default</span> <span class="ow">is</span> <span class="n">public</span>
     <span class="o">-</span><span class="n">v</span> <span class="p">:</span> <span class="n">SNMP</span> <span class="n">version</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">);</span> <span class="n">default</span> <span class="ow">is</span> <span class="mi">1</span>
     <span class="o">-</span><span class="n">w</span> <span class="p">:</span> <span class="n">detect</span> <span class="n">write</span> <span class="n">access</span> <span class="p">(</span><span class="n">separate</span> <span class="n">action</span> <span class="n">by</span> <span class="n">enumeration</span><span class="p">)</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li><strong>snmpwalk:</strong></li>
</ul>
<p>It also allows us to interact with the SNMP version 3. It also allows to extract particular nodes of a MIB tree.</p>
<blockquote>
<div><div class="highlight-default"><div class="highlight"><pre><span></span>snmpwalk -­c public ­‐v1 &lt;IP Address&gt;  : Enumerating  the  Entire  MIB  Tree
snmpwalk -­c public ­‐v1 &lt;IP Address&gt;  &lt;MIB Tree Number&gt; : Enumerate particular node
    -v 1|2c|3     specifies SNMP version to use
    -c COMMUNITY      set the community string
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li><strong>OneSixtyOne:</strong></li>
</ul>
<p>onesixtyone allows you to brute force the community strings, you could onesixty one tool</p>
</div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="LFFWirelessPentesting.html" title="Learning from the field : Wireless Pentesting"
             >next</a></li>
        <li class="right" >
          <a href="LFFBasicNetworkHygiene.html" title="Learning from the field : Enumeration - Basic Network Hygiene"
             >previous</a> |</li>
        <li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> &#187;</li> 
      </ul>
    </div>
    <div class="footer" role="contentinfo">
        &#169; Copyright 2017, Vijay Kumar.
    </div>
  </body>
</html>