Reconnaissance
tags: Security Recon
Reference
Workflow
Tools
- OWASP Amass: DNS scraping, certificates, APIs, web archives
Passive Information Gathering
Search Engine
Google hacking
Asset identification
Email Harvesting
theHarvester: gathers emails, names, subdomains, IPs, and URLs

```bash
theharvester -d cisco.com -b google
```
Tools
Active Information Gathering
- Reference: ⭐ scanning cheat sheet | Hakluke's Ultimate OSCP Guide
DNS enumeration
- brute force reverse zone, example:

```bash
dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db olympus.db
dnsrecon -n 10.10.10.83 -r 172.16.0.0/12 --db olympus.db
dnsrecon -n 10.10.10.83 -r 192.168.0.0/16 --db olympus.db
```

- brute force subdomain
- reverse lookup brute force (resolve IP ranges back to hostnames)
- A zone transfer can be requested by specifying a query type of AXFR:

```bash
dig axfr @10.10.10.83 olympus.htb
```
DNS Zone Transfer - pose as a slave (secondary) DNS server

```bash
# get the list of DNS servers for the domain
host -t ns megacorpone.com | cut -d " " -f 4
# request the DNS zone from a server
host -l {{domain name}} {{dns server address}}
host -l megacorpone.com ns2.megacorpone.com
```
```bash
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone transfer script"
    echo "[*] Usage : $0 <domain name> "
    exit 0
fi
# if argument was given, identify the DNS servers for the domain
for server in $(host -t ns "$1" | cut -d " " -f 4); do
    # For each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
done
```
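As an added example (not from the original notes), a small Python helper that parses `dig axfr` output like the command above into records and flags the internal hostnames an open transfer leaks; the zone, nameservers and addresses are constructed placeholders.

```python
import ipaddress
import re

# RFC 1918 ranges, the same ranges the dnsrecon reverse brute force commands above sweep.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One resource record as dig prints it: name  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_axfr(output):
    # Returns (transferred, records). A complete AXFR is bracketed by two SOA
    # records; a refused transfer yields no records and dig prints the comment
    # line "; Transfer failed." instead, which is skipped like any other comment.
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    soa_count = sum(1 for r in records if r["type"] == "SOA")
    return soa_count >= 2, records


def internal_hosts(records):
    # Defender's check: A records pointing into RFC 1918 space. These are the
    # internal hostnames an open zone transfer hands to anyone who asks.
    leaked = []
    for r in records:
        if r["type"] == "A":
            addr = ipaddress.ip_address(r["rdata"])
            if any(addr in net for net in RFC1918):
                leaked.append((r["name"], r["rdata"]))
    return leaked


# Constructed sample output (placeholder zone and addresses, not a real capture).
SAMPLE_OPEN = """\
; <<>> DiG 9.16.1 <<>> axfr @ns1.example.test example.test
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.10
intranet.example.test.\t3600\tIN\tA\t10.0.0.5
vpn.example.test.\t3600\tIN\tA\t172.16.5.20
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 1 3600 900 604800 300
"""
SAMPLE_REFUSED = "; <<>> DiG 9.16.1 <<>> axfr @ns2.example.test example.test\n; Transfer failed.\n"
```

Feed it the real output of `dig axfr @<server> <domain>` for each nameserver to see which ones still answer transfers to arbitrary clients.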
Port Scanning
- TCP: an open port replies with a SYN-ACK packet
- UDP: send an empty UDP packet
  - open: no reply
  - closed: replies with ICMP port unreachable
- SNMP - onesixtyone
- Tools
  - nmap
  - Masscan

Scan for UDP

```bash
nmap -sU 10.11.1.X
unicornscan -mU -v -I 10.11.1.X
```
Fingerprint Scanning
- lbd - Load balancer detector
- Netcraft [website]
Vulnerability Scanning
- Nmap
- OpenVAS (Nessus)
AWS S3 buckets
Enumerate bucket names
- S3Scanner
- grayhatwarfare: Public buckets by grayhatwarfare