⌘Ctrlk

Information Gathering

The more you know about the target, the more successful you will be in the next stages of penetration test

What information are we looking for?

Passive Information Gathering

Active Information Gathering

Discovering open ports on target system
Learning about the entire infrastructure of a target (all network/organization)
Enumerating information from target system

Pasive Information Gathering

Get an IP address

host $IP

Check for hidden files

robots.txt
sitemap.xml
/crossdomain.xml
/clientaccesspolicy.xml
/.well-known/

Extensions

Builtwith
Wappalyzer

Version/Tech

whatweb -a 1 $URL
whatweb -a 3 $URL
whatweb -a 4 $URL

Analyze the source code

Domain enumeration without engage the target

enumeration

whois $domain
# DNS records
dig $domain +short # A records
dig $domain -t mx +short # MAIL records
dig $domain -t ns +short # NS, CNAME

subdomains

dig avfr $domain @10.10.10.10
dig -t axfr $domain @$IP
sublist3r -d $domain

Active Information Gathering

Host Discovery

netdiscover

sudo netdiscover -i $interface -r 10.10.10.0/24

fping

fping -a -g 10.10.20.0/24 2>/dev/null

nmap

namp -sn 10.10.0.0/24 --send-ip
### Examples ###
# 10.10.10.1-20 --> scan a range 
# 10.10.10.2.1 10.10.2.2 --> scan 2 hosts same time
# 10.10.10.0/24 --> scan a network

No man's land

 for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

DNS Zone Transfer

dig axfr @$nameserver $domain

host

host -l $domain $nameserver

nslookup

nslookup
> server domain.com
> ls -d domain.com

DNS Records

A --> Resolve a hostname or domain to an IPv4
AAAA --> Resolve a hostname or domain to an IPv6
NS --> reference to the domains nameserver 
MX --> Resolves a domain to a mail server
CNAME --> Used for domain aliases
TXT --> Text record
HINFO --> Host information
SOA --> Domain authority 
SRV --> Service records
PTR --> Resolves an IP address to a hostname

Port Scanning

It is recomanded to save the scans in a file. I usualy save this files in recon directory

TCP Scan

sudo nmap -O -Pn -p- -T4 --max-retries 4 $IP -oN recon/nmap_tcp

UDP Scan

nmap -sU -sV -sC -n -F -T4 $IP -oN recon/nmap_udp

VULN Scan

nmap --script vulners -Pn -sV -A -T4 -p- --max-retries 5 --open $IP -oN recon/nmap.vuln

Firewall/IDS Evasion

sudo nmap -PN -sS -sV -T4 --max-retries 3 --min-rate 450 --max-rtt-timeout 500ms --min-rtt-timeout 50ms -p- -f --source-port 53 --spoof-mac aa:bb:cc:dd:ee:ff $IP

rustscan

rustscan -a $IP --ulimit 5000 -- -sC -sV -v -oN recon/rustscan.init

Banner Grabbing

# NetCat
nc $IP $port
# Telnet
telnet $IP $port
# Curl
curl -vX $IP

PreviousPentesting CheatSheets NextPorts Enumeration

Last updated 1 year ago

hashtagWhat information are we looking for?

hashtagPasive Information Gathering

hashtagGet an IP address

hashtagCheck for hidden files

hashtagExtensions

hashtagVersion/Tech

hashtagAnalyze the source code

hashtagDomain enumeration without engage the target

hashtagActive Information Gathering

hashtagHost Discovery

hashtagDNS Zone Transfer

hashtagPort Scanning

hashtagBanner Grabbing

What information are we looking for?

Pasive Information Gathering

Get an IP address

Check for hidden files

Extensions

Version/Tech

Analyze the source code

Domain enumeration without engage the target

Active Information Gathering

Host Discovery

DNS Zone Transfer

Port Scanning

Banner Grabbing