{"id":1760,"date":"2020-12-14T21:59:35","date_gmt":"2020-12-14T20:59:35","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1760"},"modified":"2024-07-25T14:02:45","modified_gmt":"2024-07-25T12:02:45","slug":"osint-open-source-intelligence","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1760","title":{"rendered":"Active enumeration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">The usual&nbsp;order<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Net\u00adwork sweep (detect\u00ading the systems)<\/li>\n\n\n\n<li>Net\u00adwork trac\u00ading (detect\u00ading the rela\u00adtions between the systems)<\/li>\n\n\n\n<li>Port scan<\/li>\n\n\n\n<li><span class=\"caps\">OS<\/span> fin\u00adger\u00adprint\u00ading<\/li>\n\n\n\n<li>Ver\u00adsion scanning<\/li>\n\n\n\n<li>Vul\u00adner\u00ada\u00adbil\u00adi\u00adty scanning<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Network scan<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect hosts for a domain (<a href=\"https:\/\/github.com\/danielmiessler\/SecLists\/tree\/master\/Discovery\/DNS\">use Seclist<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for ip in $(cat common-subdomains.txt); do\n  host $ip.megacorpone.com;\ndone<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Reverse lookup: Find domains for addresses:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">for ip in $(seq 155 190); do\n host 50.7.67.$ip;\ndone | grep -v \"not found\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Zonefile enumeration<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Grab zone\u00adfile from a ran\u00addom tar\u00adget domain:<\/p>\n\n\n\n<pre id=\"block-471b7bf7-97eb-4674-95a3-ab575ff1c86f\" class=\"wp-block-preformatted\">host -a -l fraunhofer.de ns3.fraunhofer.de<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get autho\u00adr\u00ada\u00adtive <span class=\"caps\">DNS<\/span> servers for a domain:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>host -t ns $target_domain<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Try now zone trans\u00adfer with all of these servers.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Tools<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dnsre\u00adcon<br><code>dnsrecon -d $target_doman -t axfr<\/code><\/li>\n\n\n\n<li>dnsenum<br><code>dnsenum $target_domain<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Port scan<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scan as root. <\/strong>Nmap won\u2019t use <span class=\"caps\">ICMP<\/span> pack\u00adets and <span class=\"caps\">NO<\/span> <span class=\"caps\">ACK<\/span> pack\u00adets if <span class=\"caps\">UID<\/span> !=&nbsp;0.<\/li>\n\n\n\n<li><strong>Con\u00adsid\u00ader to use the \u2011sT scan in a more sen\u00adsi\u00adtive envi\u00adron\u00adment<\/strong>. Because incom\u00adplete con\u00adnec\u00adtions like from stealth scans are unusu\u00adal, there are a big red flag for red teams \/ <span class=\"caps\">IDS<\/span> \/&nbsp;<span class=\"caps\">IPS<\/span>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">First quick&nbsp;scan:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sS $target | tee nmap-short.txt\nnmap -sS -oA nmap-short $target\nproxychains4 -q nmap -Pn -sT $target | tee nmap-short.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Sec\u00adond&nbsp;scan:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sC -sV $target | tee nmap-standard.txt\nnmap -sC -sV -oA nmap-standard $target\nproxychains -q nmap -sC -sV -sT -Pn $target | tee nmap-standard.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Third scan for vulnerabilities:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sV -T5 -F $target --script vuln | tee nmap-vuln.txt\nnmap -sV -oA nmap-vuln -T5 -F $target --script vuln\nproxychains -q nmap -sV -T5 -sT -Pn -F $target --script vuln | tee nmap-vuln.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Fourth com\u00adplete <span class=\"caps\">TCP<\/span>&nbsp;scan<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -sS -p- $target | tee nmap-tcp-full.txt\nnmap -sS -oA nmap-tcp-full -p- $target\nproxychains -q nmap -sT -Pn -p- $target | tee nmap-tcp-full.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">UDP<\/span> scan<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">masscan -e tun0 -p U:1-65535 --rate 2000 $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Tip: To get a nice list of detect\u00aded ver\u00adsions, take the port from the first scan and list details only for these&nbsp;ports:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted bbcode_code\">nmap $target -p 22,25,80,110,111,119,2049,4555 -sV --reason<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Bonus: Make nmap vulscan if you need&nbsp;more.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Quick nc&nbsp;scan:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -nvv -w 1 -z 10.2.2.23 1-65535\n# Copy output in file\ncat TEMPFILE.txt | grep -v \"Connection refused\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>If it should be faster, try some\u00adthing like <span class=\"author-a-z89z6z69zsz66zqz80zz74zpefz83zz77z1z72z9\"> \u2013min-rate=10000<\/span><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=32\">Dmit\u00adry<\/a>: Active Infor\u00adma\u00adtion Gath\u00ader\u00ading&nbsp;Tool<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=35\" data-type=\"post\" data-id=\"35\">Dnmap<\/a>: Dis\u00adtrib\u00aduted Port Scanning<\/li>\n\n\n\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=572\" data-type=\"post\" data-id=\"572\">Var\u00adi\u00adous <span class=\"caps\">OS<\/span> detec\u00adtion&nbsp;tools<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/canarytokens.org\/nest\/\">https:\/\/canarytokens.org\/nest\/<\/a> <\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Other ideas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bring users from the tar\u00adget net\u00adwork to click a link to a legit\u00adi\u00admate page (or a page which dis\u00adplays an error, serv\u00ader fail\u00adi\u00adure, \u2026) which col\u00adlects as many as pos\u00adsi\u00adble infor\u00adma\u00adtion which are send via the brows\u00ader (maybe also by invok\u00ading a <span class=\"caps\">JS<\/span> which col\u00adlects more infor\u00adma\u00adtion about the environment).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The usu\u00adal&nbsp;order Net\u00adwork scan Detect hosts for a domain (use Seclist): for ip in $(cat common-subdomains.txt); do host $ip.megacorpone.com; done Reverse lookup: Find domains for address\u00ades: for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep \u2011v \u201cnot found\u201d Zone\u00adfile enu\u00admer\u00ada\u00adtion Grab zone\u00adfile from a ran\u00addom tar\u00adget domain: host \u2011a \u2011l fraunhofer.de ns3.fraunhofer.de [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470],"tags":[50,212],"class_list":["post-1760","post","type-post","status-publish","format-standard","hentry","category-active-enum","tag-enumeration","tag-osint"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1760"}],"version-history":[{"count":8,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1760\/revisions"}],"predecessor-version":[{"id":3980,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1760\/revisions\/3980"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}