Active

Directly interacts with a target system to obtain information.

Automated

• AutoRecon

• reconftw

• nmapAutomator

• FinalRecon

• magicRecon

---

Infrastructure

Technology Stack

Tools

Tool	Details
whatweb	whatweb -v <DOMAIN> whatweb -v -a <LEVEL_AGGRESSIVE> <DOMAIN>

Website

Website	Details
Wappalyzer	Option to intall it as a browser extension.

WAF

Tool	Details
wafw00f	Allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website. wafw00f -v -a <DOMAIN>

Subdomain & Vhost

Tool	Details
subfinder	Subdomain passively via online sources. subfinder -d <DOMAIN>
gobuster dns	gobuster dns [-r <SERVER_DNS>] -d <DOMAIN> -w <WORDLIST>
subbrute	Create the list with own NameServers/Domain (ex., myResolver.txt) subbrute.py -r myResolver.txt <DOMAIN> [-s <WORDLIST>]
ffuf	ffuf -c -w <WORDLIST>:X -u http://X.<DOMAIN>/ ffuf -c -w <WORDLIST>:X -u http://<IP:PORT or DOMAIN>/ -H 'Host: X.<DOMAIN>'

Zone Transfer

Zone Transfer is how a secondary (slave) DNS server receives information from the primary (master) DNS server and updates it. The primary DNS server may not be configured correctly. If we can successfully perform a zone transfer for a domain, we will get all the information available for that domain.

1. Need to find all possible Subdomains and Name Servers.

2. Need to perform Asynchronous Full Transfer Zone (AXFR) queries on each element found at 1.

Tools

Tool	Details
host	host -l <DOMAIN> <SERVER_DNS>
nslookup	nslookup -type=any -query=AXFR <DOMAIN> <SERVER_DNS>
dig	dig axfr @<SERVER_DNS> <DOMAIN>

Website

Website	Details
HackerTarget	Online Test for open Zone Transfer.

Port & Host scanning

Finding the active host and ports for then proceeding with services enumeration.

Host

nmap

Command	Description
nmap -sn <NETWORK>	ARP scan.
nmap -sn -PE/-PS/-PA/-PU <NETWORK>	ICMP/TCP-SYN/TCP-ACK/UDP scan.
--disable-arp-ping	Disable ARP.
--packet-trace, --reason	For investigating.

---

Tool	Details
masscan	Internet-scale port scanner, for very large networks sudo masscan <NETWORK>
fping	ICMP scan fping -a -q -g <NETWORK>
arp-scan	ARP scan arp-scan -g -S <SOURCE_MAC> -i <INTERFACE> <NETWORK>
RustScan	The Modern Port Scanner rustscan -a <IP> [<NMAP OPTIONS>]
netcat	for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445;done

Port

nmap

Command	Description
nmap -Pn -n <IP>	NO host scan and NO DNS resolution.
sudo nmap -sS <IP>	SYN scan (default with sudo).
nmap -sT <IP>	CONNECT scan (default without sudo).
sudo nmap -sA <IP>	ACK scan.
sudo nmap -sU [--open] <IP>	UDP scan.
-v	Show open ports as soon as it reveals them.
-T<1-5> -sV -sC -O	Speed, Version, Default Script, OS
-A	sV + sC + O
--source-port	Possibile bypass firewall (ex. 53)
/usr/share/nmap/scripts/ nmap --script-updatedb nmap --script--help <SCRIPT> nmap --script "<SCRIPT or TYPE>" <IP>	Scripts for enumeration and attack of services. (LINK)
nmap -oN <NAME> <IP> nmap -oX <NAME> <IP> nmap -oG <NAME> <IP> nmap -oA <NAME> <IP>	TXT format, .nmap XML format, .xml Grepable format, .gnmap All format.
xsltproc <FILE.xml> -o <NEW_NAME.html>	Create an html page from xml nmap scan.

---

Tool	Details
netcat	nc -nzvv -w 1 <IP> <PORT-RANGE> (CONNECT scan) nc -nzv -u -w 1 <IP> <PORT-RANGE> (UDP scan, !false-positive!)

Ping Sweep

Do this at least twice to be sure.

Terminal	Details
Linux	for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done
CMD	for /L %i in (1 1 254) do ping X.X.X.%i -n 1 -w 100 | find "Reply"
PowerShell	1..254 | % {"172.15.5.$($): $(Test-Connection -count 1 -comp 172.15.5.$($) -quiet)"}

Note

Windows Defender blocks ICMP, traditional ping.