Information Gathering

Passive Information Gathering

##Whois Enumeration
whois megacorpone.com 
whois megacorpone.com -h 192.168.50.251    #Here -h parameter is the whois server database which can provide details
#we can do reverse lookups as well
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.50.251 

##Google Hacking
site:megacorpone.com
site:megacorpone.com filetype:txt
site:megacorpone.com -filetype:html
intitle:“index of” “parent directory”
#This website has lot of docks as well: https://www.exploit-db.com/google-hacking-database

##Netcraft
#We can use netcraft website as well for information gathering: https://searchdns.netcraft.com/

##Open-Source Code
#git hub is great source to find open-source code
#some usefull searches in github: https://github.com/megacorpone
filename:users
user:megacorpone filename:users
#We can use automated tools like Gitrob and Gitleaks as well

##Shodan
hostname:megacorpone.com
hostname:megacorpone.com port:"22"

##Security Headers and SSL/TLS
#https://securityheaders.com/
#https://www.ssllabs.com/ssltest/

Active Information Gathering

##DNS Enumeration
host www.megacorpone.com
host -t mx megacorpone.com
host -t txt megacorpone.com
host www.megacorpone.com 
host idontexist.megacorpone.com
#the list.txt contains below subdoamins
#www
#ftp
#mail
#owa
#proxy
#router
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
#with dnsrecon
dnsrecon -d megacorpone.com -t std
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
dnsenum megacorpone.com
#with nslookup
nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151

##SMB Enumeration
nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
sudo nbtscan -r 192.168.50.0/24
ls -1 /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
net view \\dc01 /all

##SMTP Enumeration
nc -nv 192.168.50.8 25
#smtp.py
#------script start-----
#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 3:
 print("Usage: vrfy.py <username> <target_ip>")
 sys.exit(0)
# Create a Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the Server
ip = sys.argv[2]
connect = s.connect((ip,25))
# Receive the banner
banner = s.recv(1024)
print(banner)
# VRFY a user
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)
print(result)
# Close the socket
s.close()
#---------script ends-------
python3 smtp.py root 192.168.50.8
python3 smtp.py johndoe 192.168.50.8
Test-NetConnection -Port 25 192.168.50.8
#installing telnet in windows
dism /online /Enable-Feature /FeatureName:TelnetClient
telnet 192.168.50.8 25

##SNMP Enumeration
#MIB values correspond to specific Microsoft Windows SNMP parameters and contain much more than network-based information
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips
snmpwalk -c public -v1 -t 10 192.168.50.151
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3

##Port Scanning with Nmap
nmap 192.168.50.149
sudo nmap -sS 192.168.50.149 #synk attack
nmap -sT 192.168.50.149 #connect scan
sudo nmap -sU 192.168.50.149 #UDP scan
sudo nmap -sU -sS 192.168.50.149 #combined UDP and SYN scan
nmap -sn 192.168.50.1-253 #network sweep
nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt #save output
grep Up ping-sweep.txt | cut -d " " -f 2 # grep to find live hosts
nmap -p 80 192.168.50.1-253 -oG web-sweep.txt 
grep open web-sweep.txt | cut -d" " -f2
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
cat /usr/share/nmap/nmap-services
sudo nmap -O 192.168.50.14 --osscan-guess
nmap -sT -A 192.168.50.14
nmap --script http-headers 192.168.50.6