Title: Recon & Enumeration techniques used and required in Penetration TestingAuthor: unknowndevice64
It is imperative that a scout should know the history, tradition, religion, social customs, and superstitions of whatever country or people he is called on to work in or among. This is almost as necessary as to know the physical character of the country, its climate and products. Certain people will do certain things almost without fail. Certain other things, perfectly feasible, they will not do. There is no danger of knowing too much of the mental habits of an enemy. One should neither underestimate the enemy nor credit him with superhuman powers. Fear and courage are latent in every human being, though roused into activity by very diverse means.

**— **Frederick Russell Burnham

This is what I refer to as first-pass enumeration, or enumeration from the outside. We take the time to identify all running services and open ports and identify what they are, what they do and how we can communicate with them
Information Gathering
Resources

Recon-ng Tutorial
Basic Information

Kali> whois domain.com
Kali> dig {a|txt|ns|mx} domain.com
Kali> dig {a|txt|ns|mx} domain.com @ns1.domain.com

Email

Kali> simplyemail.py -all -e domain.com

Initial Discovery
Resources

NMAP: A Practical Guide

NMAP: Scanning the Internet

Massively Scaling your Scans
Finger Printing

Banner Grabbing

Kali> nc -v $TARGET 80
Kali> telnet $TARGET 80
Kali> amap -bqv1 1-65535 $TARGET

TTL Fingerprinting

Operating System TTL
Windows 128
Solaris 225
Cisco 225
Probing Neighbors

# IPV4/IPV6
Kali> netdiscover -i eth0

# IPV6
Kali> ping6 ff02::1%eth0

Network Scan

Kali> nmap -sn 192.168.1.0/24
Kali> nmap -sP 192.168.1.0/2
Kali> for ip in $(cat targets.txt);do nmap -A -T4 -oN scans/nmap.$ip.txt $ip;done

UDP Scan

UDP-Protocol-Scanner

# Port Scan
udp-protocol-scanner.pl -f ips.txt

# Protocol specific scan
udp-protocol-scanner -p ntp -f ips.txt

Netcat

# UDP (ICMP Error -> Port Closed)
Kali> nc -nv -u -z -w 1 host 160-162

NMAP

Kali> sudo nmap -sU -A -T3 --top-ports 100 10.10.10.24

TCP Scan

Netcat

Kali> nc -nvv -w 1 -z host 1000-2000

NMAP

Kali> nmap -p 1-65535 -sV -sS -T4 $TARGET
Kali> nmap -v -sS -A -T4 $TARGET
Kali> nmap -v -sV -O -sS -T4 $TARGET

Masscan

A Masscan Tutorial and Primer
Enumeration
HTTP

Stop what you're doing and go check the source code, yes all of it.

CMSHunter

CMS-Hunter - GitHub

Directory Fuzzing

Kali> dirb http://$TARGET /usr/share/wordlists/dirb/big.txt -o dirb.txt
Kali> gobuster -u http://$TARGET -w /usr/share/wordlists/dirb/big.txt -t 100

# A little for loop so you can go do other stuff
Kali> for wordlist in $(ls);do gobuster -u http://$TARGET -w $wordlist -t 100;done

# dirsearch is fairly good
Kali> dirsearch -u http://$TARGET -e php

cURL

# Robots can give us a clue as to where to look next you may have to send a user agent
Kali> curl -s http://$TARGET/robots.txt

# Check all the methods
Kali> curl -vX OPTIONS $TARGET

Nikto

Kali> nikto -h http://$TARGET

BurpSuite

I don't care who you are or what you're doing but it's time to go poke the website with burp. Play with all the things, get params, post params, cookies, user agents, referrers in fact all the headers, change get requests to posts, take note of all error codes, fuzz parameter values, and names, etc.

SSL

Kali> ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $TARGET

DNS

Zone Transfer

Kali> host -l megacorpon.com ns1.megacorpone.com
Kali> dnsrecon -d domain.com -t axfr @ns1.domain.com
Kali> dnsenum domain.com
Kali> nslookup -> set type=any -> ls -d domain.com

Enumerate Subdomains

Kali> for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
Kali> dnsrecon -d $TARGET -D wordlist.txt -t std --xml output.xml

DATABASES

MSSQL

Kali> nmap -sU --script=ms-sql-info $TARGET

LDAP

Resources

Understanding the LDAP
RPC

Examples

Kali> Rpcinfo -p $TARGET

RDP

Kali> rdesktop -u admin -p password $TARGET

NETBIOS

Resources

NBTScan Cheatsheet

TechNet NBTStat Reference

Examples

# Sometimes shows logged in users/addresses
Kali> nbtscan $TARGET -R 54

SAMBA

Resources

Plundering Windows accounts through authenticated SMB sessions

Hacking windows shares through Samba with Linux

Examples

# Fingerprint version
Kali> smbclient -L //$TARGET

# TODO
Kali> nmblookup -A $TARGET

# null Session
Kali> rpcclient -v "" $TARGET
Kali> smbclient -L //$TARGET

# Minimal Scan
Kali> enum4linux $TARGET

# Scan Everything
Kali> enum4linux -a $TARGET

# discover windows/samba on subnet find macs and netbios name/domain
Kali> nbtscan 192.168.1.0/24

# Find open shares
Kali> nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Kali> Showmount -e $TARGET/<port>

# Investigate share
Kali> smblookup -A $TARGET smbclient //MOUNT/share -I $TARGET -N

# Enumerate users
Kali> nmap -sU -sS --script=smb-enum-users -p U:137,T:139 192.168.11.0/24
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py $TARGET

# RID Cycling (500 = admin, 501 = Guest)
Kali> ridenum.py $TARGET 500 50000 /path/to/wordlist.txt

# NBTScan-Unixwiz
Kali> nbtscan-unixwiz -f $TARGET

# Mount Linux/Windows
Kali> mount $TARGET:/vol/share /mnt/nfs
Kali> Mount -t cifs //<server ip>/<share> <local dir> -o username=”guest”,password=””
C:\>net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no

SMTP

VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (verifies if username is valid – enumeration of accounts)

SNMP

Resources

What is SNMP?

How to get IPv6 Address through SNMP

SNMPv3Enum

SNMP Enumeration

Examples

# Overview
Default Community Names:
public, private, cisco, manager

Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

# Enmerate users from SNMP
Kali> snmpwalk public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d” “ -f4
Kali> python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $TARGET

# Search SNMP with nmap
Kali> nmap -sT -p 161 192.168.1.0/24 -oG snmp_results.txt

# Examples
Kali> snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
Kali> onesixtyone -c community -I $TARGET
Kali> snmpcheck -t $TARGET
Kali> snmpenum -t $TARGET

# Version3
Kali> nmap -sV -p 161 --script=snmp-info 192.168.1.0/24

# Wordlists
/usr/share/metasploit-framework/data/wordlists/snmp_

default_pass.txt


Submitted On: 2019-05-18 13:27:00