GeorgeBanu
  • About me
  • Pentesting CheatSheets
    • Information Gathering
    • Ports Enumeration
      • FTP-21
      • SSH-22
      • Telnet-23
      • SMTP - 25,465,587
      • DNS-53
      • NetBIOS, SMB - 139,445
      • SNMP-161
      • MySQL-3306
      • RDP-3389
      • WinRM-5985
    • Web Cheat Sheet
    • Privilege Escalation
      • Linux Enumeration
      • Linux Privesc Techniques
    • Tricks
    • Template
  • TryHackMe Writeups
    • Starter
    • Dreaming
    • ColddBox: Easy
    • Ollie
    • Blog
    • KoTH Hackers
    • Brooklyn Nine Nine
    • Chill Hack
    • Undiscovered
    • Archangel
    • Jason
    • GLITCH
    • VulnNet: Node
    • Road
    • VulnNet:Internal
    • W1seGuy
  • CyberEDU Writeups
    • flag-is-hidden
    • file-crawler
    • reccon
    • this-file-hides-something
    • wifiland
    • old-tickets
    • inodat
    • pattern
    • ultra-crawl
  • eJPT
Powered by GitBook
On this page
  • What information are we looking for?
  • Pasive Information Gathering
  • Active Information Gathering
  1. Pentesting CheatSheets

Information Gathering

The more you know about the target, the more successful you will be in the next stages of penetration test

What information are we looking for?

Passive Information Gathering
Active Information Gathering

Pasive Information Gathering

Get an IP address

host $IP

Check for hidden files

robots.txt
sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/

Extensions

  • Builtwith

  • Wappalyzer

Version/Tech

whatweb -a 1 $URL
whatweb -a 3 $URL
whatweb -a 4 $URL

Analyze the source code

Domain enumeration without engage the target

  • enumeration

whois $domain
# DNS records
dig $domain +short # A records
dig $domain -t mx +short # MAIL records
dig $domain -t ns +short # NS, CNAME

  • subdomains

dig avfr $domain @10.10.10.10
dig -t axfr $domain @$IP
sublist3r -d $domain

Active Information Gathering

Host Discovery

  • netdiscover

sudo netdiscover -i $interface -r 10.10.10.0/24

  • fping

fping -a -g 10.10.20.0/24 2>/dev/null

  • nmap

namp -sn 10.10.0.0/24 --send-ip
### Examples ###
# 10.10.10.1-20 --> scan a range 
# 10.10.10.2.1 10.10.2.2 --> scan 2 hosts same time
# 10.10.10.0/24 --> scan a network

  • No man's land

 for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

DNS Zone Transfer

  • dig

dig axfr @$nameserver $domain

  • host

host -l $domain $nameserver

  • nslookup

nslookup
> server domain.com
> ls -d domain.com

  • DNS Records

A --> Resolve a hostname or domain to an IPv4
AAAA --> Resolve a hostname or domain to an IPv6
NS --> reference to the domains nameserver 
MX --> Resolves a domain to a mail server
CNAME --> Used for domain aliases
TXT --> Text record
HINFO --> Host information
SOA --> Domain authority 
SRV --> Service records
PTR --> Resolves an IP address to a hostname

Port Scanning

It is recomanded to save the scans in a file. I usualy save this files in recon directory

  • TCP Scan

sudo nmap -O -Pn -p- -T4 --max-retries 4 $IP -oN recon/nmap_tcp

  • UDP Scan

nmap -sU -sV -sC -n -F -T4 $IP -oN recon/nmap_udp

  • VULN Scan

nmap --script vulners -Pn -sV -A -T4 -p- --max-retries 5 --open $IP -oN recon/nmap.vuln

  • Firewall/IDS Evasion

sudo nmap -PN -sS -sV -T4 --max-retries 3 --min-rate 450 --max-rtt-timeout 500ms --min-rtt-timeout 50ms -p- -f --source-port 53 --spoof-mac aa:bb:cc:dd:ee:ff $IP

  • rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Banner Grabbing

# NetCat
nc $IP $port
# Telnet
telnet $IP $port
# Curl
curl -vX $IP
PreviousPentesting CheatSheetsNextPorts Enumeration

Last updated 11 months ago