# Active
ToolsDetails
EyeWitnessDesigned to take screenshots of websites provide some server header info, and identify default credentials if known.
eyewitness --web -x <nmap_scan>.xml -d <output_name>
eyewitness --web -x <nessus_scan>.xml -d <output_name>
eyewitness -f <subdomains> -d <output_name>
Aquatone (new)Tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
cat <nmap_scan>.xml | ./aquatone -nmap
## Automated * [AutoRecon](https://github.com/Tib3rius/AutoRecon) * [reconftw](https://github.com/six2dez/reconftw) * [nmapAutomator](https://github.com/21y4d/nmapAutomator) * [FinalRecon](https://github.com/thewhiteh4t/FinalRecon) * [magicRecon](https://github.com/robotshell/magicRecon) *** ## Infrastructure ### Technology Stack {% tabs %} {% tab title="Tools" %}
ToolDetails
whatwebwhatweb -v <DOMAIN>
whatweb -v -a <LEVEL_AGGRESSIVE> <DOMAIN>
{% endtab %} {% tab title="Website" %}
WebsiteDetails
WappalyzerOption to intall it as a browser extension.
{% endtab %} {% endtabs %} ### WAF
ToolDetails
wafw00fAllows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
wafw00f -v -a <DOMAIN>
## DNS Subdomain & Vhost
ToolDetails
dnsreconScript for DNS info and specific scans
dnsrecon -d <DOMAIN> [-n <SERVER_DNS>]
dnsrecon -d <DOMAIN> -D <WORDLIST> -t brt (bruteforce)
dnsrecon -d <DOMAIN> -r <RANGE> (reverse lookup)
dnsenumScript that autoenumerates DNS subdomain
dnsenum <DOMAIN> [--dnsserver <SERVER_DNS>]
gobuster dnsBruteforce subdomain
gobuster dns [--resolver <SERVER_DNS>] -do <DOMAIN> -w <WORDLIST> -ne
ffufTry to find Vhost
ffuf -c -w <WORDLIST>:X -u http://X.<DOMAIN>/
ffuf -c -w <WORDLIST>:X -u http://<IP:PORT or DOMAIN>/ -H 'Host: X.<DOMAIN>'
subbruteCreate the list with own NameServers/Domain (ex., myResolver.txt)
subbrute.py -r myResolver.txt <DOMAIN> [-s <WORDLIST>]
### Zone Transfer Zone Transfer is how a secondary (slave) DNS server receives information from the primary (master) DNS server and updates it. The primary DNS server may not be configured correctly. If we can successfully perform a zone transfer for a domain, we will get all the information available for that domain. 1. Need to find all possible Subdomains and Name Servers. 2. Need to perform Asynchronous Full Transfer Zone (**AXFR**) queries on each element found at 1. {% tabs %} {% tab title="Tools" %} Other tools such as [dnsrecon](https://github.com/darkoperator/dnsrecon) and [dnsenum](https://github.com/SparrowOchon/dnsenum2) already perform zone transfer checks.
ToolDetails
hosthost -l <DOMAIN> <SERVER_DNS>
nslookupnslookup -type=any -query=AXFR <DOMAIN> <SERVER_DNS>
digdig axfr @<SERVER_DNS> <DOMAIN>
{% endtab %} {% tab title="Website" %}
WebsiteDetails
HackerTargetOnline Test for open Zone Transfer.
{% endtab %} {% endtabs %} ## Port & Host scanning Finding the active host and ports for then proceeding with **services enumeration**. {% tabs %} {% tab title="Host" %} ### [nmap](https://nmap.org/docs.html) `ARP` on the same subnet, otherwise `ICMP`
CommandDescription
nmap -sn <NETWORK>Host discovery, no port scan.
nmap -iL <FILE>Input from list of hosts/networks
nmap -sn -PE/-PS/-PA/-PU <NETWORK>ICMP/TCP-SYN/TCP-ACK/UDP scan.
--disable-arp-pingDisable ARP.
--packet-trace, --reasonFor investigating.
#### Ping Sweep Do this at least twice to be sure.
TerminalDetails
Linuxfor i in {1..254} ;do (ping -c 1 X.X.X.$i | grep "bytes from" &) ;done
CMDfor /L %i in (1 1 254) do ping X.X.X.%i -n 1 -w 100 | find "Reply"
PowerShell1..254 | % {"172.15.5.$($): $(Test-Connection -count 1 -comp 172.15.5.$($) -quiet)"}
{% endtab %} {% tab title="Port" %} ### [nmap](https://nmap.org/docs.html)
CommandDescription
nmap -Pn -n <IP>NO host scan and NO DNS resolution.
sudo nmap -sS <IP>SYN scan (default with sudo).
nmap -sT <IP>CONNECT scan (default without sudo).
sudo nmap -sA <IP>ACK scan.
sudo nmap -sU [--open] <IP>UDP scan.
-vShow open ports as soon as it reveals them.
-T<1-5> -sV -sC -OSpeed, Version, Default Script, OS
-AsV + sC + O
--source-portPossibile bypass firewall (ex. 53)
/usr/share/nmap/scripts/
nmap --script-updatedb
nmap --script--help <SCRIPT>
nmap --script "<SCRIPT or TYPE>" <IP>		Scripts for enumeration and attack of services. (LINK)
nmap -oN <NAME> <IP>
nmap -oX <NAME> <IP>
nmap -oG <NAME> <IP>
nmap -oA <NAME> <IP>		TXT format, .nmap
XML format, .xml
Grepable format, .gnmap
All format.
xsltproc <FILE.xml> -o <NEW_NAME.html>Create an html page from xml nmap scan.
***
ToolDetails
netcatnc -nzvv -w 1 <IP> <PORT-RANGE> (CONNECT scan)
nc -nzv -u -w 1 <IP> <PORT-RANGE> (UDP scan, !false-positive!)
Powershell1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"} 2>$null
{% endtab %} {% tab title="Other" %}
ToolDetails
masscanInternet-scale port scanner, for very large networks
sudo masscan <NETWORK>
fpingICMP scan
fping -a -q -g <NETWORK>
arp-scanARP scan
arp-scan -g -S <SOURCE_MAC> -i <INTERFACE> <NETWORK>
RustScanThe Modern Port Scanner
rustscan -a <IP> [<NMAP OPTIONS>]
netcatfor i in $(seq 1 254); do nc -zv -w 1 X.X.X.$i 445;done
{% code title="netscan.py" overflow="wrap" %} ```python import socket import ipaddress import sys def port_scan(ip_range, ports): for ip in ip_range: print(f"Scanning {ip}") for port in ports: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(.2) result = sock.connect_ex((str(ip), port)) if result == 0: print(f"Port {port} is open on {ip}") sock.close() ip_range = ipaddress.IPv4Network(sys.argv[1], strict=False) ports = [80, 443, 8080] # List of ports to scan port_scan(ip_range, ports) ``` {% endcode %} {% endtab %} {% tab title="Note" %} Windows Defender blocks ICMP, traditional ping. {% endtab %} {% endtabs %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ivalexev.gitbook.io/rednote/pentesting-process/information-gathering/active.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.