Active

Directly interacts with a target system to obtain information.

Last updated 2 months ago

Was this helpful?

Active

Directly interacts with a target system to obtain information.

Tools

Details

Designed to take screenshots of websites provide some server header info, and identify default credentials if known. eyewitness --web -x <nmap_scan>.xml -d <output_name> eyewitness --web -x <nessus_scan>.xml -d <output_name> eyewitness -f <subdomains> -d <output_name>

Tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. cat <nmap_scan>.xml | ./aquatone -nmap

Automated

Infrastructure

Technology Stack

Tool

Details

whatweb -v <DOMAIN> whatweb -v -a <LEVEL_AGGRESSIVE> <DOMAIN>

WAF

Tool

Details

Allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website. wafw00f -v -a <DOMAIN>

Subdomain & Vhost

Tool

Details

Subdomain passively via online sources. subfinder -d <DOMAIN>

gobuster dns [-r <SERVER_DNS>] -d <DOMAIN> -w <WORDLIST>

Create the list with own NameServers/Domain (ex., myResolver.txt) subbrute.py -r myResolver.txt <DOMAIN> [-s <WORDLIST>]

ffuf -c -w <WORDLIST>:X -u http://X.<DOMAIN>/ ffuf -c -w <WORDLIST>:X -u http://<IP:PORT or DOMAIN>/ -H 'Host: X.<DOMAIN>'

Zone Transfer

Zone Transfer is how a secondary (slave) DNS server receives information from the primary (master) DNS server and updates it. The primary DNS server may not be configured correctly. If we can successfully perform a zone transfer for a domain, we will get all the information available for that domain.

Need to find all possible Subdomains and Name Servers.
Need to perform Asynchronous Full Transfer Zone (AXFR) queries on each element found at 1.

Tool

Details

host

host -l <DOMAIN> <SERVER_DNS>

nslookup

nslookup -type=any -query=AXFR <DOMAIN> <SERVER_DNS>

dig

dig axfr @<SERVER_DNS> <DOMAIN>

Port & Host scanning

Finding the active host and ports for then proceeding with services enumeration.

Command

Description

nmap -sn <NETWORK>

ARP scan.

nmap -iL <FILE>

Input from list of hosts/networks

nmap -sn -PE/-PS/-PA/-PU <NETWORK>

ICMP/TCP-SYN/TCP-ACK/UDP scan.

--disable-arp-ping

Disable ARP.

--packet-trace, --reason

For investigating.

Tool

Details

Internet-scale port scanner, for very large networks sudo masscan <NETWORK>

ICMP scan fping -a -q -g <NETWORK>

ARP scan arp-scan -g -S <SOURCE_MAC> -i <INTERFACE> <NETWORK>

The Modern Port Scanner rustscan -a <IP> [<NMAP OPTIONS>]

netcat

for i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445;done

Command

Description

nmap -Pn -n <IP>

NO host scan and NO DNS resolution.

sudo nmap -sS <IP>

SYN scan (default with sudo).

nmap -sT <IP>

CONNECT scan (default without sudo).

sudo nmap -sA <IP>

ACK scan.

sudo nmap -sU [--open] <IP>

UDP scan.

-v

Show open ports as soon as it reveals them.

-T<1-5> -sV -sC -O

Speed, Version, Default Script, OS

-A

sV + sC + O

--source-port

Possibile bypass firewall (ex. 53)

/usr/share/nmap/scripts/ nmap --script-updatedb nmap --script--help <SCRIPT> nmap --script "<SCRIPT or TYPE>" <IP>

nmap -oN <NAME> <IP> nmap -oX <NAME> <IP> nmap -oG <NAME> <IP> nmap -oA <NAME> <IP>

TXT format, .nmap XML format, .xml Grepable format, .gnmap All format.

xsltproc <FILE.xml> -o <NEW_NAME.html>

Create an html page from xml nmap scan.

Tool

Details

netcat

nc -nzvv -w 1 <IP> <PORT-RANGE> (CONNECT scan) nc -nzv -u -w 1 <IP> <PORT-RANGE> (UDP scan, !false-positive!)

Do this at least twice to be sure.

Terminal

Details

Linux

for i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done

CMD

for /L %i in (1 1 254) do ping X.X.X.%i -n 1 -w 100 | find "Reply"

PowerShell

1..254 | % {"172.15.5.$($): $(Test-Connection -count 1 -comp 172.15.5.$($) -quiet)"}

Last updated 2 months ago

Was this helpful?