Reconnaissance
Open-source intelligence
Chris Thomas
Systems Specialist
Leon Teale
Penetration Tester
http://secheads.co.uk
http://batserver.co.uk
https://www.linkedin.com/in/leonteale
https://www.facebook.com/leonteale
Reconnaissance / OSINT
Reconnaissance is the process of learning as much as possible about the target
using the tools and services we have available.
The information we wish to gather includes:
Servers: Hostnames / IPs / OSes / geo-location / hosting environment
Services: What is running on the servers / version numbers
Metadata: Usernames / Full names / passwords / software versions / internal file path disclosure
Misc: Email harvesting / DNS bruteforcing
All starts with a name
Starting with a domain name such as google.com allows us to start enumerating
hosts and building our picture of the company's infrastructure.
DNS and Email Reconnaissance
DNS Enumeration Tools
➢ DNSRecon - A powerful DNS enumeration script
➢ DNSenum - A good DNS enum tool with wildcard filtering
➢ Fierce - A semi-lightweight enumeration scanner
➢ TheHarvester - Commonly used for email enum but has a DNS enum built-in
➢ Nmap - Yes it's a port scanner, but it can bruteforce subdomains too (check nmap scripts)
➢ Google Dorks - Using search engines to list their pre-crawled results (passive)
➢ Dig - For simple DNS requests against the name server. Also good for AXFR checks
➢ Subbrute - A DNS meta-query spider that enumerates DNS records and subdomains
➢ dnscan - A Python wordlist-based DNS subdomain scanner
➢ Recon-Ng - The recon-ng framework has a brute_hosts module for brute-forcing subdomains
➢ Gobuster - Alternative directory and file busting tool written in Go
➢ AltDNS - Offers brute-forcing based on permutations of already-found subdomains
➢ Dnsdumpster.com - Not a Kali tool but good for DNS enumeration
➢ Website scraping - Using various tools you can scrape a target domain for email addresses
dnsrecon
dnsrecon -t brt,std,axfr -D wordlist.txt -d batserver.co.uk
DNS recon using a subdomain wordlist for brute-forcing (brt), the standard
checks such as SOA and NS lookups (std), and a zone-transfer check (axfr).
dnsrecon -r 46.235.225.0/24
DNS recon using reverse lookups against an IP address range, in this
instance a /24, looking for associated domain names. Assumes reverse DNS
is set up.
dnsenum
dnsenum batserver.co.uk
dnsenum will perform the standard DNS lookups such as NS, MX and AXFR, and
will query the BIND version.
dnsenum -f wordlist.txt batserver.co.uk
DNS recon using a brute-force attack with a specified subdomain list.
If a wildcard record is identified, dnsenum filters the results down to the
unique IP entries to try to bypass the wildcard results.
theHarvester
(DNS)
theharvester -l 500 -b all -d google.com
theHarvester is typically used for email enumeration but can also be used
for passive DNS enumeration, taking hostnames from search engines, plus
rDNS recursive checks.
Dig
dig axfr domain.com @ns.domain.com
dig can be used to make zone-transfer requests. A misconfigured and
vulnerable nameserver will list all zone records to unauthorised hosts.
Apparently some companies swear this is not a security issue. *sigh*
dig @ns.123-reg.co.uk batserver.co.uk MX
Dig can also be used for specific requests such as querying the MX
records from the nameserver for a specific domain.
Fierce
fierce -dns domain.com
Fierce is similar to most other DNS bruting tools; it's more a matter of
preference, but it seems to be amongst the top three commonly used by
day-to-day security professionals, and most importantly it is a Kali
default tool.
Still trying to work out how they CAN'T see this is a
security problem...
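The tooling on the previous slides leaves a clear trail on the authoritative server: a wordlist run is one client asking for dozens of names under the zone and getting NXDOMAIN for nearly all of them, and an AXFR from anything other than your secondaries is the misconfiguration dig just checked for, happening in real time. The detector below is an added example, not from the slides; it assumes a simplified, constructed log format (timestamp, client, qname, qtype, rcode per line) and constructed sample lines for batserver.co.uk.

```python
"""Spot wordlist-style subdomain brute-forcing and zone-transfer attempts
in authoritative DNS query logs.

Added example, not from the slides. It assumes a simplified, constructed
log format with one query per line:

    <ISO timestamp> <client ip> <qname> <qtype> <rcode>

Real servers differ (BIND, for instance, logs queries and transfers in
separate categories); only parse_line() would need adapting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ZONE = "batserver.co.uk"
# Hosts allowed to pull the zone (constructed). In BIND this is the set you
# would put in `allow-transfer { ... };` - anyone else asking for AXFR is
# either a misconfiguration test or a reconnaissance attempt.
KNOWN_SECONDARIES = {"198.51.100.53"}

# Constructed sample log: a normal client, one client walking a wordlist
# (mostly NXDOMAIN), a stranger trying AXFR, and a legitimate secondary.
_WORDLIST = ["www", "mail", "ftp", "dev", "staging", "vpn", "test",
             "admin", "portal", "intranet", "backup", "git"]
_BRUTE = [
    f"2016-06-01T10:00:{3 + i // 4:02d} 203.0.113.5 {w}.{ZONE} A "
    + ("NOERROR" if w in ("www", "mail") else "NXDOMAIN")
    for i, w in enumerate(_WORDLIST)
]
SAMPLE_LOG = "\n".join([
    f"2016-06-01T10:00:01 198.51.100.7 www.{ZONE} A NOERROR",
    f"2016-06-01T10:00:02 198.51.100.7 mail.{ZONE} MX NOERROR",
    *_BRUTE,
    f"2016-06-01T10:00:09 203.0.113.9 {ZONE} AXFR REFUSED",
    f"2016-06-01T10:00:10 198.51.100.53 {ZONE} AXFR NOERROR",
])


def parse_line(line):
    """Tokenise one constructed-format log line."""
    ts, client, qname, qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype, rcode


def detect(log_text, zone=ZONE, secondaries=KNOWN_SECONDARIES,
           window=timedelta(seconds=60), min_names=10, nx_ratio=0.7):
    """Return [(client, reason), ...] for AXFR attempts and brute-force bursts.

    A burst is flagged when one client asks for at least `min_names`
    distinct names under the zone inside `window` and at least `nx_ratio`
    of those answers were NXDOMAIN - the signature of a wordlist run.
    """
    per_client = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = parse_line(line)
        if qname != zone and not qname.endswith("." + zone):
            continue  # not our zone
        if qtype == "AXFR":
            if client not in secondaries:
                findings.append((client, f"zone transfer attempt ({rcode})"))
            continue
        per_client[client].append((ts, qname, rcode))

    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            names = {q for _, q, _ in win}
            if len(names) < min_names:
                continue
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN")
            if nx / len(win) >= nx_ratio:
                findings.append((client, f"subdomain brute-force: {len(names)} names, "
                                         f"{nx}/{len(win)} NXDOMAIN within "
                                         f"{int(window.total_seconds())}s"))
                break  # one finding per client is enough
    return findings


if __name__ == "__main__":
    for client, reason in detect(SAMPLE_LOG):
        print(f"{client:15} {reason}")
```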
theHarvester
(email)
theharvester -l 500 -b all -d domain.com
theHarvester queries search engines to scrape email addresses. You can
define the search engine and the number of results to return. Absolutely
the first tool to start with when doing email enumeration.
Metadata Reconnaissance
Metadata Enumeration Tools
➢ FOCA - Windows based GUI for scraping, downloading and analysing files for metadata
➢ Metagoofil - Linux based tool for scraping, downloading and analysing files for metadata
➢ Exiftool - Simple tool for extracting metadata, typically from images; good for usernames and GPS
Foca
site:site.com filetype:pdf
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used
mainly to find metadata and hidden information in the documents it scans.
These documents may be on web pages and can be downloaded and analysed
with FOCA.
It is capable of analyzing a wide variety of documents, with
the most common being Microsoft Office, Open Office, or
PDF files, although it also analyzes Adobe InDesign or
SVG files, for instance.
Metagoofil
metagoofil -d domain.com -t pdf -l 100 -n 25 -o folder -f file.html
Metagoofil is an information gathering tool designed for extracting
metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx)
belonging to a target company.
Metagoofil performs a Google search to identify and download the documents
to local disk, then extracts the metadata with libraries such as Hachoir,
PdfMiner and others.
From the results it generates a report of usernames, software versions and
server or machine names that will help penetration testers in the
information gathering phase.
Exiftool
exiftool file.ext
ExifTool is a customisable set of Perl modules plus a full-featured
application for reading and writing meta information in a wide variety of
files.
Exiftool is useful for extracting information such as GPS co-ordinates and
author names, as well as the save location of the original image and the
software that produced it.
This gives us an insight into the architecture of the internal systems
as well as versioning.
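The defensive counterpart to the three metadata slides is to audit and strip these fields before a document leaves the organisation. The script below is an added example, not from the slides or from any of the tools named; it handles the OOXML formats (.docx/.pptx/.xlsx), whose docProps/core.xml and docProps/app.xml carry exactly the author, last-modified-by, company, template path and software version that FOCA and Metagoofil report, and builds a constructed sample document to run against.

```python
"""Audit and strip the document metadata that FOCA, Metagoofil and
exiftool harvest, before a file is published.

Added example, not from the slides. It handles the OOXML formats
(.docx/.pptx/.xlsx): zip archives whose docProps/core.xml and
docProps/app.xml carry author, last-modified-by, company, template path
and software version. PDF and legacy .doc use other containers and are
out of scope. The sample document built below is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _p, _uri in NS.items():
    ET.register_namespace(_p, _uri)  # keep readable prefixes when re-serialising

# (part, element) pairs that leak usernames, company names, internal paths
# and software versions - exactly what the metadata slides go looking for.
SENSITIVE = [
    ("docProps/core.xml", "dc:creator"),
    ("docProps/core.xml", "cp:lastModifiedBy"),
    ("docProps/app.xml", "ep:Application"),
    ("docProps/app.xml", "ep:AppVersion"),
    ("docProps/app.xml", "ep:Company"),
    ("docProps/app.xml", "ep:Template"),
]


def _find(root, tag):
    prefix, local = tag.split(":")
    return root.find(f"{{{NS[prefix]}}}{local}")


def audit(data):
    """Return {tag: value} for every sensitive field that is populated."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        roots = {p: ET.fromstring(zf.read(p)) for p, _ in SENSITIVE if p in names}
    for part, tag in SENSITIVE:
        el = _find(roots[part], tag) if part in roots else None
        if el is not None and el.text and el.text.strip():
            found[tag] = el.text.strip()
    return found


def scrub(data):
    """Return a copy of the archive with every sensitive field blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            tags = [t for p, t in SENSITIVE if p == item.filename]
            if tags:
                root = ET.fromstring(payload)
                for tag in tags:
                    el = _find(root, tag)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, payload)
    return out.getvalue()


def build_sample_docx():
    """Constructed minimal .docx-style archive with typical leaky metadata."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:title>Q3 Network Diagram</dc:title>"
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\a.jones</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion>"
        "<Company>Example Corp</Company>"
        "<Template>\\\\fileserver01\\templates\\corp.dotm</Template>"
        "</Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", audit(doc))
    print("after: ", audit(scrub(doc)))
```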
Server / Services Reconnaissance
Server Enumeration Tools
➢ NMAP - The most powerful port scanning tool with many additional scripts and functions
➢ WHOIS - For querying databases that store the registered users or assignees of an Internet resource
➢ Host - A simple utility for performing DNS lookups. Normally used to convert names to IPs and vice versa
➢ Application errors - Causing web service applications to error can inadvertently give away system information
➢ Shodan - An online databank of internet connected devices that have been pre-scanned
➢ Netcat - Useful for making TCP and UDP connections to open ports and services
➢ Telnet - A tool for logging into a remote computer and connecting to running services
NMAP
nmap -sV -O domain.com
NMAP is not just a port scanner; it is a feature-rich application capable
of port scans, OS identification, version checks and running NSE scripts.
You could practically do a full penetration test using only NMAP!
-sV = service version detection
-O = guess the operating system
This is one of the most basic scans but it clearly shows sufficient
information about the target host.
The more complex your scan, the longer it takes, but the more information
is obtained.
WHOIS
whois domain.com
WHOIS is a query and response protocol that is widely used for
querying databases that store the registered users or assignees of
an Internet resource, such as a domain name, an IP address block,
or an autonomous system, but is also used for a wider range of
other information.
With this information you can identify:
● Registrant address
● Registry dates
● Registrar
● Nameservers
● IP addresses
Application Errors
http://domain.com/index.php?type=%%%%%%
Providing a web server with an invalid request or URL can
sometimes trigger an application error if the webserver is not
configured correctly.
This specific response provides the internal file path disclosure
“Source File” and the software versions.
This allows us to target attacks specifically for this server and use
direct exploits if the software is out of date.
Shodan
shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
Shodan is typically a web-based search engine; it can be used to filter
for specific targets or for a wide internet search. It also offers a CLI,
which requires an API key.
The shodan CLI's search command lets you search Shodan and view the
results in a terminal-friendly way. By default it displays the IP, port,
hostnames and data; the --fields parameter prints whichever banner fields
you're interested in.
Basically, if it's online, it's been scanned, saved, filed and attacked.
Netcat
nc -v -n <ip> <port>
Netcat allows you to connect to open ports and send TCP or UDP requests to
the service.
If the service is a web server you can send it standard HTTP requests.
As with application errors, if you make the service return a 400 (Bad
Request) response you can often obtain system or service information,
such as the web server version.
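The application-error and netcat slides both come down to one question a defender can answer for their own hosts: does an error response carry a versioned Server header, a platform header, an internal file path or a stack-trace fragment? The analyser below is an added example, not from the slides; the two raw responses are constructed (one as a mis-configured server would answer, one after hardening), and fetch() is a netcat-style helper for checking a server you administer.

```python
"""Check whether an HTTP error response leaks what the application-error
and netcat slides go looking for: a versioned Server header, platform
headers, internal file paths or stack-trace fragments.

Added example, not from the slides. analyse() works on a raw response
exactly as netcat shows it; fetch() is a netcat-style helper for checking
a server you administer. Both sample responses below are constructed.
"""
import re
import socket

# Constructed: a 400 from a server still advertising versions and paths.
LEAKY = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: Invalid argument in <b>/var/www/html/index.php</b> on line <b>42</b><br>\n"
    "Source File: /var/www/html/lib/db.inc.php\n"
)
# Constructed: the same error after hardening (generic Server header,
# platform headers removed, custom error page).
HARDENED = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Bad request.</body></html>\n"
)

VERSIONED = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)+")  # product/1.2.3 tokens
PATHS = re.compile(r"[A-Za-z]:\\[^\s<>]+|/(?:var|etc|home|usr|srv|opt|inetpub)/[^\s<>]+")
ERROR_MARKERS = ("Source File", "Stack Trace", "Traceback (most recent call last)",
                 "on line", "at System.", "Exception in thread")
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def analyse(raw):
    """Return {'status': ..., 'findings': [...]} for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()

    findings = []
    server = headers.get("server", "")
    if VERSIONED.search(server):
        findings.append(f"server version disclosed: {server}")
    for name in PLATFORM_HEADERS:
        if name in headers:
            findings.append(f"platform header {name}: {headers[name]}")
    for path in PATHS.findall(body):
        findings.append(f"internal path disclosed: {path}")
    for marker in ERROR_MARKERS:
        if marker in body:
            findings.append(f"error detail in body: {marker!r}")
    return {"status": lines[0], "findings": findings}


def fetch(host, port=80, path="/", timeout=5.0):
    """Send one plain HTTP/1.1 request the way `nc -v -n <ip> <port>` would
    and return the raw response text (HTTP only; wrap in TLS for 443)."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        result = analyse(resp)
        print(label, result["status"], result["findings"] or "no findings")
```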
3rd Party Reconnaissance
Password Leaks
cat adobe_leak.txt | grep "domain.com"
Using password leaks from hacked third parties, it is possible to identify
usernames, emails and often passwords for companies whose staff used their
company credentials to authenticate to those third parties.
Latest Security Breaches 2016
IRS - Feb 29th
Snapchat - March 3rd
Verizon Enterprise Solutions - March 25th
Multiple Major Email Providers - May 5th
LinkedIn - May 17th
Oracle - August 12th
Dropbox - September 2nd
Yahoo - September 22nd
Data Dumps
Pastebin, Tinypaste, Hastebin, Chop, Snipt and support forums
An interesting source for reconnaissance is the common sites that allow
users to dump data, either for personal/private access or as a temporary
sharing method.
It is not uncommon for people or admins to use discussion boards and
support forums to post and receive help with technical issues.
This can leave stored, or even just cached, details about their systems,
infrastructure, setup, etc.
Conclusion
Practice good Operational Security!
You might have secured your own system, but it is not only your own
system that attackers target.
Good recon can take a long time. The more information you gather, the
larger the attack surface and the more intel you have for precisely
executing an attack.
This isn't db_autopwn; be smart, hack smart.

Magic exist by Marta Loveguard - presentation.pptx
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 

Reconnaissance - For pentesting and user awareness

2. Chris Thomas, Systems Specialist
Leon Teale, Penetration Tester
http://secheads.co.uk
http://batserver.co.uk
https://www.linkedin.com/in/leonteale
https://www.facebook.com/leonteale

3. Reconnaissance / OSINT
Reconnaissance is the process of learning as much as possible about the target using the tools and services we have available.
Information we wish to gather is:
Servers: Hostnames / IPs / OSes / geo-location / hosting environment
Services: What is running on the servers / version numbers
Metadata: Usernames / Full names / passwords / software versions / internal file path disclosure
Misc: Email harvesting / DNS bruteforcing

4. All starts with a name
Starting with a domain name such as google.com allows us to start enumerating hosts and building our picture of the company's infrastructure.

5. DNS and Email Reconnaissance

6. DNS Enumeration Tools
➢ DNSRecon - A powerful DNS enumeration script
➢ DNSenum - A good DNS enum tool with wildcard filtering
➢ Fierce - A semi-lightweight enumeration scanner
➢ TheHarvester - Commonly used for email enum but has a DNS enum built in
➢ Nmap - Yes it's a port scanner, but it can bruteforce subdomains too (check the nmap scripts)
➢ Google Dorks - Using search engines to list their pre-crawled results (passive)
➢ Dig - For simple DNS requests against the name server. Also good for AXFR checks
➢ Subbrute - A DNS meta-query spider that enumerates DNS records and subdomains
➢ dnscan - A Python wordlist-based DNS subdomain scanner
➢ Recon-Ng - The recon-ng framework has a brute_hosts module that lets you bruteforce subdomains
➢ Gobuster - Alternative directory and file busting tool written in Go
➢ AltDNS - Offers bruteforcing based on permutations of already found domains
➢ Dnsdumpster.com - Not a Kali tool but good for DNS enumeration
➢ Website scraping - Using various tools you can scrape a target domain for email addresses
7. dnsrecon
dnsrecon -t brt,std,axfr -D wordlist.txt -d batserver.co.uk
DNS recon using a subdomain list for bruteforcing, standard checks such as SOA and NS lookups, and a zone-transfer vulnerability check.
dnsrecon -r 46.235.225.0/24
DNS recon using a reverse lookup against an IP address range, in this instance a /24, looking for associated domain names. This assumes reverse DNS is set up.

8. dnsenum
dnsenum batserver.co.uk
dnsenum will perform standard DNS lookups such as NS, MX, AXFR and BIND version.
dnsenum -f wordlist.txt batserver.co.uk
DNS recon using a bruteforce attack with a specified subdomain list. If a wildcard is identified, dnsenum will filter out the unique IP entries to try to bypass the wildcard results.

9. theHarvester (DNS)
theharvester -l 500 -b all -d google.com
theHarvester is typically used for email enumeration but can also be used for passive DNS enumeration taken from search engines, plus rDNS recursive checks.

10. Dig
dig axfr domain.com @ns.domain.com
dig can be used to make zone-transfer requests. A misconfigured and vulnerable nameserver will list all zone records to unauthorised hosts. Apparently, some companies swear this is not a security issue. *sigh*
dig @ns.123-reg.co.uk batserver.co.uk MX
dig can also be used for specific requests, such as querying a domain's MX records from its nameserver.
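The open zone transfer that dig tests for above is fixed on the authoritative server itself. As an added illustration that is not part of the original deck, here is a BIND named.conf zone stanza with the open setting beside the restricted one; the zone name, the secondary's address (taken from the 192.0.2.0/24 documentation range) and the TSIG key name are placeholders.

```conf
// Weak: any host that can reach port 53 may pull the whole zone with AXFR
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { any; };
};

// Hardened: only the named secondary, authenticated with a TSIG key, may transfer.
// 192.0.2.2 and xfer-key are placeholders; generate the secret with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.2; };
};
```

After reloading, the same dig axfr query from an unlisted host should end with "; Transfer failed." rather than the zone's records; run it from outside your own network, since a check from the secondary itself will always succeed.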
11. Fierce
fierce -dns domain.com
Fierce is similar to most other DNS bruting tools; it's more a matter of preference. But it seems to be amongst the top three commonly used by day-to-day security professionals and, most importantly, is a Kali default tool.
Still trying to work out how they CAN'T see this is a security problem...

12. theHarvester (email)
theharvester -l 500 -b all -d domain.com
theHarvester queries search engines to scrape email addresses. You can define the search engine and the number of results to return. Absolutely the first tool to start with when doing email enumeration.

14. Metadata Enumeration Tools
➢ FOCA - Windows-based GUI for scraping, downloading and analysing files for metadata
➢ Metagoofil - Linux-based tool for scraping, downloading and analysing files for metadata
➢ Exiftool - Simple tool for extracting metadata, typically from images; good for usernames and GPS

15. FOCA
site:site.com filetype:pdf
FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be on web pages and can be downloaded and analysed with FOCA. It is capable of analysing a wide variety of documents, the most common being Microsoft Office, OpenOffice or PDF files, although it also analyses Adobe InDesign or SVG files, for instance.

16. Metagoofil
metagoofil -d domain.com -t pdf -l 100 -n 25 -o folder -f file.html
Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil will perform a Google search to identify and download the documents to local disk and then extract the metadata with libraries such as Hachoir and PdfMiner. From the results it generates a report of usernames, software versions and server or machine names that helps penetration testers in the information gathering phase.

17. Exiftool
exiftool file.ext
ExifTool is a customisable set of Perl modules plus a full-featured application for reading and writing meta information in a wide variety of files. Exiftool is useful for extracting information such as GPS co-ordinates and author names, as well as the save location of the original file and software information. This gives us an insight into the architecture of the internal systems as well as versioning.
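Slides 15 to 17 all turn on the same weakness: documents published on the web carry Author, Creator and Producer fields that name the user and the software version that produced them. The added example below, which is not from the deck or from any of the tools it lists, shows in plain Python (standard library only) how those fields are read from a PDF's Info dictionary and how a pre-publication step can blank them without breaking the file. The sample PDF, its user name and product strings are constructed for the example. It is deliberately minimal: real PDFs may keep metadata in hex strings, compressed object streams or an XMP stream, so for real files run exiftool or a PDF library; the scrubbing idea (overwrite in place, same length) carries over.

```python
import re

# Constructed sample: a minimal PDF whose Info dictionary carries the kind of
# values document tools fill in automatically (hypothetical user and products).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 report) /Author (jsmith) /Creator (Microsoft Word 2013) /Producer (Acrobat Distiller 9.0) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# The trailer names the Info object; its /Key (value) pairs hold the metadata.
INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
PAIR_RE = re.compile(rb"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)")

# Keys whose values usually carry a username, a product name or a version.
SENSITIVE_KEYS = {"Author", "Creator", "Producer"}


def _info_object(data: bytes):
    """Locate the Info dictionary object referenced from the trailer."""
    ref = INFO_REF_RE.search(data)
    if ref is None:
        return None
    num, gen = ref.group(1), ref.group(2)
    obj_re = re.compile(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", re.S)
    return obj_re.search(data)


def extract_pdf_info(data: bytes) -> dict:
    """Return the Info dictionary's string entries as {key: value}."""
    obj = _info_object(data)
    if obj is None:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in PAIR_RE.findall(obj.group(1))}


def sensitive_fields(info: dict) -> list:
    """Names of populated fields that would reveal who wrote the file and with what."""
    return sorted(k for k, v in info.items() if k in SENSITIVE_KEYS and v.strip())


def scrub_pdf_info(data: bytes) -> bytes:
    """Blank the sensitive values in place, keeping every byte offset unchanged.

    Values are overwritten with spaces of equal length so the PDF's xref table
    (which records absolute offsets) stays valid without rewriting the file.
    """
    obj = _info_object(data)
    if obj is None:
        return data

    def blank(m):
        if m.group(1).decode() not in SENSITIVE_KEYS:
            return m.group(0)
        prefix = m.group(0)[: m.start(2) - m.start(0)]  # "/Author (" exactly as written
        return prefix + b" " * len(m.group(2)) + b")"

    start, end = obj.span(1)
    return data[:start] + PAIR_RE.sub(blank, obj.group(1)) + data[end:]


if __name__ == "__main__":
    info = extract_pdf_info(SAMPLE_PDF)
    print("metadata:", info)
    print("would be leaked:", sensitive_fields(info))
    print("after scrub:", extract_pdf_info(scrub_pdf_info(SAMPLE_PDF)))
```

Run the scrub over everything that lands in a public document folder, and keep the Title: it is content, not an internal detail, and blanking it only makes the files harder to find for the people who should read them.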
18. Server / Services Reconnaissance

19. Server Enumeration Tools
➢ NMAP - The most powerful port scanning tool, with many additional scripts and functions
➢ WHOIS - For querying databases that store the registered users or assignees of an Internet resource
➢ Host - A simple utility for performing DNS lookups. Normally used to convert names to IPs and vice versa
➢ Application errors - Causing web service applications to error can inadvertently give away system information
➢ Shodan - An online databank of internet-connected devices that have been pre-scanned
➢ Netcat - Useful for making TCP and UDP connections to open ports and services
➢ Telnet - A tool for logging into a remote computer and connecting to running services

20. NMAP
nmap -sV -O domain.com
NMAP is not just a port scanner; it is a feature-rich application capable of port scans, OS identification, version checks and running NSE scripts. You could practically do a full penetration test using only NMAP!
-sV = get versions
-O = guess operating system
This is one of the most basic scans but clearly shows sufficient information about the target host. The more complex your scan, the longer it takes, but the more information you obtain.

21. WHOIS
whois domain.com
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but it is also used for a wider range of other information. With this information you can identify:
● Registrant address
● Registry dates
● Registrar
● Nameservers
● IP addresses

22. Application Errors
http://domain.com/index.php?type=%%%%%%
Providing a web server with an invalid request or URL can sometimes trigger an application error if the web server is not configured correctly. This specific response provides the internal file path disclosure ("Source File") and the software versions. This allows us to target attacks specifically for this server and use direct exploits if the software is out of date.

23. Shodan
shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0
Shodan is typically a web-based search engine; it can be used to filter for specific targets or for a wide internet search. It also has a CLI version, which requires an API key. The shodan CLI's search command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the --fields parameter to print whichever banner fields you're interested in. Basically, if it's online, it's been scanned, saved, filed and attacked.

24. Netcat
nc -v -n <ip> <port>
Netcat allows you to connect to open ports and send TCP or UDP requests to the service. If the service is a web server you can send standard HTTP requests. As with application errors, if you make the service return a 400 response (bad request) you can possibly get system or service information, such as the web server version.
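Slides 22 and 24 describe the same leak from two directions: an error page that prints an internal file path and version headers that a raw 400 response hands back. The added Python example below (not from the deck) is the check a server owner would run over their own responses, for instance in a deployment test: it parses a raw response as netcat would show it and lists every version header, absolute path and verbose error marker it contains. Both responses, their version strings and the path are constructed for the example; the second shows what the same bad request returns once Apache has ServerTokens Prod and PHP has expose_php = Off and display_errors = Off.

```python
import re

# Constructed sample: what a raw client such as netcat sees from a server that
# still has verbose errors and version banners enabled (hypothetical versions).
VERBOSE_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache/2.4.6 (CentOS)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<b>Warning</b>: Invalid argument supplied in "
    b"<b>/var/www/html/index.php</b> on line <b>42</b>\n"
)

# Constructed sample of the same request against a hardened server
# (ServerTokens Prod, expose_php = Off, display_errors = Off).
HARDENED_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<h1>Bad Request</h1>\n"
)

# Headers that commonly carry a product version.
VERSIONED_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")
# Absolute filesystem paths (Unix and Windows) as they appear in warnings and stack traces.
PATH_RE = re.compile(r"/(?:var|usr|home|etc|opt|srv)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+")
# Fragments that only a debug-level error page contains.
ERROR_MARKERS = ("<b>warning</b>", "<b>fatal error</b>", "stack trace",
                 "traceback (most recent call last)")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def disclosure_findings(raw: bytes) -> list:
    """List each piece of information the response gives away that it need not."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in VERSIONED_HEADERS:
        if name in headers and VERSION_RE.search(headers[name]):
            findings.append(f"header {name} reveals a version: {headers[name]}")
    for path in sorted(set(PATH_RE.findall(body))):
        findings.append(f"body reveals an internal path: {path}")
    lowered = body.lower()
    if any(marker in lowered for marker in ERROR_MARKERS):
        findings.append("body contains a verbose application error")
    return findings


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {disclosure_findings(raw) or ['nothing disclosed']}")
```

Feed it the output of the same malformed requests the slides use (a bare `GET / HTTP/1.1` with no Host header over netcat, a parameter full of `%` signs) against a staging copy of your site; an empty findings list for every response is the target state, and a path finding is the one to fix first, since it tells an attacker where the code lives before they even know what it is.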
26. Password Leaks
cat adobe_leak.txt | grep "domain.com"
Using password leaks from hacked third parties, it is possible to identify usernames, emails and often passwords for companies whose staff use their company credentials as authentication.
Latest Security Breaches 2016
IRS - Feb 29th
Snapchat - March 3rd
Verizon Enterprise Solutions - March 25th
Multiple Major Email Providers - May 5th
Linked-in - May 17th
Oracle - August 12th
Dropbox - September 2nd
Yahoo - September 22nd

27. Data Dumps
Pastebin, Tinypaste, Hastebin, Chop, Snipt and support forums
An interesting method of reconnaissance is the common sites that allow users to dump data, either for personal/private access or as a temporary sharing method. It is not uncommon for people or admins to use discussion boards and support forums to post and receive help with technical issues. This can leave stored, or even just cached, details about their systems, infrastructure, setup etc.

29. Conclusion
Practice good operational security! You might have secured your own system, but it's not just your own that is a target to attackers.
Good recon can take a long time. The more information you gather, the larger the attack surface and the more intel you have for precisely executing an attack. This isn't db_autopwn; be smart, hack smart.
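The grep on slide 26 is the attacker's view; the defender runs the same search over a dump to find which of their own accounts need a forced reset. The added Python example below (not from the deck) does that more carefully than a substring grep: it parses the usual email:password and email;password line shapes, matches the mail domain exactly (so notdomain.com and domain.com.attacker.net are not pulled in), optionally includes subdomains, and reports password reuse between in-scope accounts by SHA-1 of the password so the plaintext never appears in the report. The dump, addresses and passwords are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample dump in the common "email:password" / "email;password" shapes,
# with the noise real dumps contain (mixed case, a malformed line, look-alike
# domains, a repeated record). All addresses and passwords are made up.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@mail.example.com;hunter2
carol@notexample.com:password1
Dave@EXAMPLE.COM:Summer2016!
this line has no separator
erin@example.com.attacker.net:qwerty
alice@example.com:Summer2016!
"""

RECORD_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(.*?)\s*$")


def parse_dump(text: str) -> list:
    """Return (email, password) pairs; lines that are not credential records are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2)))
    return records


def accounts_for_domain(records: list, domain: str, include_subdomains: bool = True) -> list:
    """Unique addresses whose mail domain is exactly `domain` (or a subdomain of it).

    Unlike grep "domain.com", this does not match notdomain.com or
    domain.com.attacker.net, so the reset list contains only real accounts.
    """
    domain = domain.lower()
    hits = set()
    for email, _ in records:
        mail_domain = email.rsplit("@", 1)[1]
        if mail_domain == domain or (include_subdomains and mail_domain.endswith("." + domain)):
            hits.add(email)
    return sorted(hits)


def shared_passwords(records: list, accounts: list) -> dict:
    """Map SHA-1(password) -> accounts sharing it, for the in-scope accounts only.

    The plaintext never leaves this function, so the report can go to a helpdesk
    queue without copying the leaked secrets around.
    """
    in_scope = set(accounts)
    groups = defaultdict(set)
    for email, password in records:
        if email in in_scope:
            groups[hashlib.sha1(password.encode()).hexdigest()].add(email)
    return {digest: sorted(users) for digest, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    hits = accounts_for_domain(recs, "example.com")
    print("accounts to reset:", hits)
    print("accounts sharing a leaked password:", shared_passwords(recs, hits))
```

Two accounts sharing one leaked password is usually a shared team mailbox or a default set by IT, which is why the reuse report is worth more than the raw hit list: it points at the process that produced the weak credential, not just the users who typed it.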