# Network information gathering
## Passive information gathering
### Google hacking

```
site:google.com
intitle:"index of"
intitle:"one phrase" "second phrase"
inurl:"passwords.xls"
```

Ready-made dorks are collected in the Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
### Email harvesting

- SimplyEmail

```shell
git clone https://github.com/killswitch-GUI/SimplyEmail.git
cd SimplyEmail/
./setup/setup.sh
# restart the console (or open a new bash) so the setup changes are picked up
./SimplyEmail.py -all -e TARGET-DOMAIN
```
### whois

```shell
whois DOMAIN-or-IP
```
### recon-ng

```shell
./recon-ng
# inside the recon-ng console:
show modules
help
```

recon-ng 5.x renamed the module commands: use `marketplace search` / `marketplace install` to find and fetch modules and `modules search` / `modules load` to use them.
## Active information gathering
### Subnet table

Usable hosts are the addresses in the block minus the network and broadcast addresses.

| CIDR prefix | Addresses | Usable hosts | Netmask |
|---|---|---|---|
| /30 | 4 | 2 | 255.255.255.252 |
| /29 | 8 | 6 | 255.255.255.248 |
| /28 | 16 | 14 | 255.255.255.240 |
| /27 | 32 | 30 | 255.255.255.224 |
| /26 | 64 | 62 | 255.255.255.192 |
| /25 | 128 | 126 | 255.255.255.128 |
| /24 | 256 | 254 | 255.255.255.0 |
| /23 | 512 | 510 | 255.255.254.0 |
| /22 | 1024 | 1022 | 255.255.252.0 |
| /21 | 2048 | 2046 | 255.255.248.0 |
| /20 | 4096 | 4094 | 255.255.240.0 |
| /19 | 8192 | 8190 | 255.255.224.0 |
| /18 | 16384 | 16382 | 255.255.192.0 |
| /17 | 32768 | 32766 | 255.255.128.0 |
| /16 | 65536 | 65534 | 255.255.0.0 |
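The table is what you need to size a scan, but the more important use of CIDR arithmetic on an engagement is making sure every host you touch is inside the authorized ranges. The following added example (not part of the original page) regenerates the table rows from a prefix length with the standard library's `ipaddress` module and filters a list of discovered hosts against a constructed, hypothetical scope list and exclusion list:

```python
import ipaddress

# Constructed example scope for illustration; substitute the engagement's authorized ranges.
AUTHORIZED_SCOPE = [
    "10.10.0.0/24",
    "192.168.50.0/27",
]
# Hosts the client explicitly excluded; these must never be scanned even though they sit in scope.
EXCLUDED = ["10.10.0.1"]


def subnet_row(prefix: int):
    """Return (addresses, usable_hosts, netmask) for an IPv4 prefix length, as in the table above."""
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses
    # /31 and /32 have no separate network/broadcast address (RFC 3021); the table above stops at /30.
    usable = addresses - 2 if prefix <= 30 else addresses
    return addresses, usable, str(net.netmask)


def in_scope(target: str, scope=AUTHORIZED_SCOPE, excluded=EXCLUDED) -> bool:
    """True only if target lies inside an authorized network and is not on the exclusion list."""
    ip = ipaddress.ip_address(target)
    if any(ip == ipaddress.ip_address(x) for x in excluded):
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in scope)


def filter_targets(candidates, scope=AUTHORIZED_SCOPE, excluded=EXCLUDED):
    """Split a candidate list (e.g. hosts found by netdiscover) into in-scope and out-of-scope."""
    ok, dropped = [], []
    for c in candidates:
        (ok if in_scope(c, scope, excluded) else dropped).append(c)
    return ok, dropped


if __name__ == "__main__":
    for p in range(30, 15, -1):
        a, h, m = subnet_row(p)
        print(f"/{p:<3} {a:>6} {h:>6} {m}")
    # Constructed list of discovered hosts.
    found = ["10.10.0.1", "10.10.0.37", "10.10.1.5", "192.168.50.40", "192.168.50.12"]
    ok, dropped = filter_targets(found)
    print("in scope:", ok)
    print("dropped:", dropped)
```

`filter_targets` is the piece worth keeping: pipe the output of your discovery sweep through it before handing anything to nmap, and keep the exclusion list in version control with the rules of engagement.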
### Network scanning
#### ARP

- netdiscover (ARP sweep; only finds hosts on the local layer-2 segment)

```shell
netdiscover -r IP/CIDR      # e.g. -r 10.0.0.0/24
```
#### nmap

- basic scan

```shell
nmap -A -p- -sS -T4 -oA output IP
```

- full scan (TCP and UDP)

```shell
nmap -A -p- -sS -sU -T4 -oA output IP
```

- quick scan

```shell
nmap -F -T4 IP
```

- traceroute

```shell
nmap -sn --traceroute IP
```

- boost service detection

```shell
nmap -sV --version-all --all-ports -p PORT IP
nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p PORT IP
```

`-sS` and `-sU` need root. `-A` turns on `-sV`, `-O`, `-sC` and `--traceroute`, and `-oA output` writes `output.nmap`, `output.gnmap` and `output.xml`. A full UDP sweep (`-sU -p-`) is very slow because most hosts rate-limit ICMP port-unreachable replies, so start with `-sU --top-ports 100` and widen later.
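The reason to always pass `-oA` is that the greppable `.gnmap` file is easy to feed into the next step. The added example below (not from the original page) parses a constructed `output.gnmap` fragment into per-host port lists and builds the targeted "boost service detection" commands from the ports already found open:

```python
import re
from collections import defaultdict

# Constructed sample of nmap's greppable output (output.gnmap from -oA output); not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -A -p- -sS -T4 -oA output 10.10.0.0/24
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)
Host: 10.10.0.7 ()\tStatus: Up
Host: 10.10.0.7 ()\tPorts: 161/open|filtered/udp//snmp///, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/\tIgnored State: closed (65534)
# Nmap done at Mon Jan  1 10:30:00 2024 -- 256 IP addresses (2 hosts up) scanned in 1800.00 seconds
"""

# One port entry is port/state/protocol/owner/service/rpc-info/version/ (owner and rpc-info are usually empty).
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)//([^/]*)/")


def parse_gnmap(text: str):
    """Map each host to a list of (port, proto, state, service, version) tuples from a .gnmap file."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue  # 'Status: Up' lines carry no ports
        for port, state, proto, service, version in PORT_RE.findall(m.group(1)):
            hosts[host].append((int(port), proto, state, service, version.strip()))
    return dict(hosts)


def open_ports(text: str, proto: str = "tcp", include_ambiguous: bool = False):
    """Return {host: [ports]} for ports reported open on the given protocol.
    UDP results are mostly 'open|filtered'; include_ambiguous=True keeps those too."""
    wanted = {"open"} | ({"open|filtered"} if include_ambiguous else set())
    result = {}
    for host, entries in parse_gnmap(text).items():
        ports = sorted(p for p, pr, st, _, _ in entries if pr == proto and st in wanted)
        if ports:
            result[host] = ports
    return result


def targeted_scan_cmds(text: str):
    """Build one follow-up nmap command per host, limited to the TCP ports already found open."""
    return [
        f"nmap -sV --version-all -p {','.join(map(str, ports))} {host}"
        for host, ports in open_ports(text).items()
    ]


if __name__ == "__main__":
    for cmd in targeted_scan_cmds(SAMPLE_GNMAP):
        print(cmd)
```

Filtered ports are deliberately left out of the follow-up commands; re-scan those separately with `--reason` to see whether a firewall or a rate limit produced the result.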
### Enumeration
#### DNS

- dig query (many servers answer `ANY` with a minimal response per RFC 8482, so also ask for `A`, `NS`, `MX` and `TXT` explicitly)

```shell
dig domain.com @dns-server any
```

- dig zone transfer

```shell
dig axfr domain.com @dns-server
```

- dnsrecon standard enumeration (the `-D` wordlist is only used when brute forcing with `-t brt`)

```shell
dnsrecon -d domain.com -D /usr/share/wordlists/dnsmap.txt -t std -asgbkw
```

- dnsenum

```shell
dnsenum domain.com
```

- fierce (fierce 1.x Perl syntax; the Python rewrite takes `--domain` instead)

```shell
fierce -dns domain.com -threads 20 -wordlist /usr/share/wordlists/dnsmap.txt
```
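A zone transfer has to be tried against every authoritative server, not just the one `dig` happens to pick, because misconfiguration is usually per-server. The added example below (not part of the original page) wraps `dig` to do that and parses its AXFR output; the sample outputs are constructed and the domain `example.test` is a placeholder:

```python
import shutil
import subprocess
import sys

# Constructed dig output for a successful AXFR; not from a real zone.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tMX\t10 mail.example.test.
mail.example.test.\t3600\tIN\tA\t10.10.0.25
vpn.example.test.\t3600\tIN\tA\t10.10.0.30
dev-jenkins.example.test.\t300\tIN\tA\t10.10.0.44
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 300
;; Query time: 3 msec
;; SERVER: 10.10.0.2#53(ns1.example.test) (TCP)
;; XFR size: 7 records (messages 1, bytes 250)
"""

# Constructed dig output when the server refuses the transfer.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns2.example.test
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(text: str):
    """Parse dig's AXFR output into (name, ttl, class, type, rdata) tuples.
    Comment lines start with ';' (including '; Transfer failed.'), so a refusal yields []."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        name, ttl, rclass, rtype = parts[:4]
        rdata = parts[4] if len(parts) == 5 else ""
        records.append((name, int(ttl), rclass, rtype, rdata))
    return records


def hosts_from_records(records):
    """Collect the A/AAAA records: the hostnames and IPs a successful transfer hands over."""
    return sorted({(r[0].rstrip("."), r[4]) for r in records if r[3] in ("A", "AAAA")})


def run_dig(args):
    if shutil.which("dig") is None:
        raise RuntimeError("dig not installed (bind9-dnsutils / bind-utils)")
    return subprocess.run(["dig"] + args, capture_output=True, text=True, timeout=30).stdout


def try_zone_transfer(domain: str):
    """Look up the domain's NS records and attempt AXFR against each one; return {ns: records}."""
    results = {}
    nameservers = [ns.rstrip(".") for ns in run_dig(["+short", "NS", domain]).split()]
    for ns in nameservers:
        results[ns] = parse_axfr(run_dig(["axfr", domain, f"@{ns}"]))
    return results


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    for ns, recs in try_zone_transfer(domain).items():
        print(f"{ns}: {len(recs)} records" if recs else f"{ns}: refused/failed")
        for host, ip in hosts_from_records(recs):
            print(f"  {host} -> {ip}")
```

The SOA record appears twice in a real transfer (it opens and closes the zone), so a record count of 7 here means 6 distinct records; `hosts_from_records` is what you feed into the host list for the active-scanning phase.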
#### RPC

- rpcclient (null session)

```shell
rpcclient --user="" --command=enumprivs -N IP
```
#### SMB

- connect to share

```shell
smbclient //MOUNT/share -I IP -N
```

- nmap authenticated scripts (`unsafe=1` enables scripts that can crash the target; only use it when that is acceptable under the rules of engagement)

```shell
nmap -p 445 --script='smb*' --script-args='smbuser=<username>,smbpass=<password>,unsafe=1' IP
```

- enum4linux

```shell
enum4linux -a IP
```

- RID cycling

```shell
ridenum.py IP 500 50000 dict.txt
```
#### SMTP

#### POP3
#### SNMP

- more MIB recognition (so snmpwalk prints OID names instead of numbers)

```shell
apt install snmp-mibs-downloader
download-mibs
echo "mibs +ALL" > /etc/snmp/snmp.conf
```

Vendor MIBs go in `~/.snmp/mibs`; Cisco MIBs: ftp://ftp.cisco.com/pub/mibs/v2/*.my

Verification:

```shell
snmptranslate -Tp
```

- GUI browser

```shell
qtmib
```

- snmpwalk (`-v2c` walks with GETBULK and is much faster than `-v1` when the agent supports it)

```shell
snmpwalk -c public -v1 IP
```

- find SNMP services (`-c` takes a file of community strings, one per line; to try a single string pass it positionally: `onesixtyone -i hosts public`)

```shell
onesixtyone -c community.txt -i hosts
```

- SNMP default credentials wordlist (usable as the `-c` file above)

```
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
```
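A blind `snmpwalk` of the whole tree produces thousands of lines; the value is in a handful of subtrees (running processes, process paths, installed software, storage, listening TCP ports, Windows user accounts). The added example below (not part of the original page) walks those OIDs with `snmpwalk -On`, parses the output and flags process command lines that look like they carry credentials. The sample walk output is constructed:

```python
import re
import shutil
import subprocess
import sys

# OIDs commonly walked during SNMP enumeration (HOST-RESOURCES-MIB, TCP-MIB, LanManager MIB).
INTERESTING_OIDS = {
    "running processes":   "1.3.6.1.2.1.25.4.2.1.2",   # hrSWRunName
    "process paths":       "1.3.6.1.2.1.25.4.2.1.4",   # hrSWRunPath
    "installed software":  "1.3.6.1.2.1.25.6.3.1.2",   # hrSWInstalledName
    "storage units":       "1.3.6.1.2.1.25.2.3.1.3",   # hrStorageDescr
    "tcp local ports":     "1.3.6.1.2.1.6.13.1.3",     # tcpConnLocalPort
    "user accounts (win)": "1.3.6.1.4.1.77.1.2.25",    # LanMgr user table
}

# Constructed snmpwalk -On output for the 'running processes' OID; not from a real host.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "init"
.1.3.6.1.2.1.25.4.2.1.2.412 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.930 = STRING: "mysqld"
.1.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "backup_to_nas.sh --password Summer2024!"
.1.3.6.1.2.1.25.4.2.1.2.2048 = ""
"""

# 'oid = TYPE: value'; the TYPE part is absent for empty values.
LINE_RE = re.compile(r"^(\S+)\s*=\s*(?:([A-Za-z-]+):\s*)?(.*)$")


def parse_walk(text: str):
    """Parse snmpwalk lines into (oid, type, value); quotes around STRING values are removed."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, vtype, value = m.groups()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        out.append((oid, vtype or "", value))
    return out


SECRET_HINTS = re.compile(r"(pass(word|wd)?|pwd|secret|token|key)\s*[=: ]", re.I)


def flag_secrets(entries):
    """Return values that look like credentials passed on a command line (a classic SNMP finding)."""
    return [v for _, _, v in entries if SECRET_HINTS.search(v)]


def snmpwalk(target: str, oid: str, community: str = "public", version: str = "2c"):
    """Run snmpwalk for one OID and return the parsed entries."""
    if shutil.which("snmpwalk") is None:
        raise RuntimeError("snmpwalk not installed (snmp package)")
    proc = subprocess.run(
        ["snmpwalk", "-On", "-v", version, "-c", community, target, oid],
        capture_output=True, text=True, timeout=120,
    )
    return parse_walk(proc.stdout)


def enumerate_host(target: str, community: str = "public"):
    """Walk every interesting OID and collect the values per category."""
    return {name: [v for _, _, v in snmpwalk(target, oid, community)]
            for name, oid in INTERESTING_OIDS.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, values in enumerate_host(sys.argv[1]).items():
            print(f"== {name} ({len(values)})")
            for v in values[:20]:
                print("  ", v)
    else:
        # Offline demonstration on the constructed sample.
        entries = parse_walk(SAMPLE_WALK)
        print([v for _, _, v in entries])
        print("possible secrets:", flag_secrets(entries))
```

Run it as `python3 snmp_enum.py IP` once `onesixtyone` has confirmed a community string; combine "running processes" with "process paths" (same table index) when you need the full path of a suspicious process.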
#### MSSQL

- nmap

```shell
nmap -p 1433 --script 'ms-sql*' --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER IP
```