Information Gathering

Passive Information Gathering

##Whois Enumeration
whois megacorpone.com 
whois megacorpone.com -h 192.168.50.251    #Here -h parameter is the whois server database which can provide details
#we can do reverse lookups as well
whois 38.100.193.70
whois 38.100.193.70 -h 192.168.50.251 

##Google Hacking
site:megacorpone.com
site:megacorpone.com filetype:txt
site:megacorpone.com -filetype:html
intitle:“index of” “parent directory”
#This website has lot of docks as well: https://www.exploit-db.com/google-hacking-database

##Netcraft
#We can use netcraft website as well for information gathering: https://searchdns.netcraft.com/

##Open-Source Code
#git hub is great source to find open-source code
#some usefull searches in github: https://github.com/megacorpone
filename:users
user:megacorpone filename:users
#We can use automated tools like Gitrob and Gitleaks as well

##Shodan
hostname:megacorpone.com
hostname:megacorpone.com port:"22"

##Security Headers and SSL/TLS
#https://securityheaders.com/
#https://www.ssllabs.com/ssltest/

Active Information Gathering

##DNS Enumeration
host www.megacorpone.com
host -t mx megacorpone.com
host -t txt megacorpone.com
host www.megacorpone.com 
host idontexist.megacorpone.com
#the list.txt contains below subdoamins
#www
#ftp
#mail
#owa
#proxy
#router
for ip in $(cat list.txt); do host $ip.megacorpone.com; done
for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
#with dnsrecon
dnsrecon -d megacorpone.com -t std
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
dnsenum megacorpone.com
#with nslookup
nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151

##SMB Enumeration
nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
sudo nbtscan -r 192.168.50.0/24
ls -1 /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
net view \\dc01 /all

##SMTP Enumeration
nc -nv 192.168.50.8 25
#smtp.py
#------script start-----
#!/usr/bin/python
import socket
import sys
if len(sys.argv) != 3:
 print("Usage: vrfy.py <username> <target_ip>")
 sys.exit(0)
# Create a Socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the Server
ip = sys.argv[2]
connect = s.connect((ip,25))
# Receive the banner
banner = s.recv(1024)
print(banner)
# VRFY a user
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)
print(result)
# Close the socket
s.close()
#---------script ends-------
python3 smtp.py root 192.168.50.8
python3 smtp.py johndoe 192.168.50.8
Test-NetConnection -Port 25 192.168.50.8
#installing telnet in windows
dism /online /Enable-Feature /FeatureName:TelnetClient
telnet 192.168.50.8 25

##SNMP Enumeration
#MIB values correspond to specific Microsoft Windows SNMP parameters and contain much more than network-based information
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips
snmpwalk -c public -v1 -t 10 192.168.50.151
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3

##Port Scanning with Nmap
nmap 192.168.50.149
sudo nmap -sS 192.168.50.149 #synk attack
nmap -sT 192.168.50.149 #connect scan
sudo nmap -sU 192.168.50.149 #UDP scan
sudo nmap -sU -sS 192.168.50.149 #combined UDP and SYN scan
nmap -sn 192.168.50.1-253 #network sweep
nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt #save output
grep Up ping-sweep.txt | cut -d " " -f 2 # grep to find live hosts
nmap -p 80 192.168.50.1-253 -oG web-sweep.txt 
grep open web-sweep.txt | cut -d" " -f2
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
cat /usr/share/nmap/nmap-services
sudo nmap -O 192.168.50.14 --osscan-guess
nmap -sT -A 192.168.50.14
nmap --script http-headers 192.168.50.6

PreviousNetwork basics NextPrivilege Escalation

Last updated 6 months ago

##Whois Enumeration whois megacorpone.com whois megacorpone.com -h 192.168.50.251 #Here -h parameter is the whois server database which can provide details #we can do reverse lookups as well whois 38.100.193.70 whois 38.100.193.70 -h 192.168.50.251 ##Google Hacking site:megacorpone.com site:megacorpone.com filetype:txt site:megacorpone.com -filetype:html intitle:“index of” “parent directory” #This website has lot of docks as well: https://www.exploit-db.com/google-hacking-database ##Netcraft #We can use netcraft website as well for information gathering: https://searchdns.netcraft.com/ ##Open-Source Code #git hub is great source to find open-source code #some usefull searches in github: https://github.com/megacorpone filename:users user:megacorpone filename:users #We can use automated tools like Gitrob and Gitleaks as well ##Shodan hostname:megacorpone.com hostname:megacorpone.com port:"22" ##Security Headers and SSL/TLS #https://securityheaders.com/ #https://www.ssllabs.com/ssltest/

##DNS Enumeration host www.megacorpone.com host -t mx megacorpone.com host -t txt megacorpone.com host www.megacorpone.com host idontexist.megacorpone.com #the list.txt contains below subdoamins #www #ftp #mail #owa #proxy #router for ip in $(cat list.txt); do host $ip.megacorpone.com; done for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" #with dnsrecon dnsrecon -d megacorpone.com -t std dnsrecon -d megacorpone.com -D ~/list.txt -t brt dnsenum megacorpone.com #with nslookup nslookup mail.megacorptwo.com nslookup -type=TXT info.megacorptwo.com 192.168.50.151 ##SMB Enumeration nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254 sudo nbtscan -r 192.168.50.0/24 ls -1 /usr/share/nmap/scripts/smb* nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152 net view \\dc01 /all ##SMTP Enumeration nc -nv 192.168.50.8 25 #smtp.py #------script start----- #!/usr/bin/python import socket import sys if len(sys.argv) != 3: print("Usage: vrfy.py <username> <target_ip>") sys.exit(0) # Create a Socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Connect to the Server ip = sys.argv[2] connect = s.connect((ip,25)) # Receive the banner banner = s.recv(1024) print(banner) # VRFY a user user = (sys.argv[1]).encode() s.send(b'VRFY ' + user + b'\r\n') result = s.recv(1024) print(result) # Close the socket s.close() #---------script ends------- python3 smtp.py root 192.168.50.8 python3 smtp.py johndoe 192.168.50.8 Test-NetConnection -Port 25 192.168.50.8 #installing telnet in windows dism /online /Enable-Feature /FeatureName:TelnetClient telnet 192.168.50.8 25 ##SNMP Enumeration #MIB values correspond to specific Microsoft Windows SNMP parameters and contain much more than network-based information 1.3.6.1.2.1.25.1.6.0 System Processes 1.3.6.1.2.1.25.4.2.1.2 Running Programs 1.3.6.1.2.1.25.4.2.1.4 Processes Path 1.3.6.1.2.1.25.2.3.1.4 Storage Units 1.3.6.1.2.1.25.6.3.1.2 Software Name 1.3.6.1.4.1.77.1.2.25 User Accounts 1.3.6.1.2.1.6.13.1.3 TCP Local Ports sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips onesixtyone -c community -i ips snmpwalk -c public -v1 -t 10 192.168.50.151 snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25 snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2 snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2 snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3 ##Port Scanning with Nmap nmap 192.168.50.149 sudo nmap -sS 192.168.50.149 #synk attack nmap -sT 192.168.50.149 #connect scan sudo nmap -sU 192.168.50.149 #UDP scan sudo nmap -sU -sS 192.168.50.149 #combined UDP and SYN scan nmap -sn 192.168.50.1-253 #network sweep nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt #save output grep Up ping-sweep.txt | cut -d " " -f 2 # grep to find live hosts nmap -p 80 192.168.50.1-253 -oG web-sweep.txt grep open web-sweep.txt | cut -d" " -f2 nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt cat /usr/share/nmap/nmap-services sudo nmap -O 192.168.50.14 --osscan-guess nmap -sT -A 192.168.50.14 nmap --script http-headers 192.168.50.6