Scanning and Reconnaissance

Online Scanning and Reconnaissance Tools

• ICANN registration data lookup tool — WHOIS search tool
• Autonomous System Lookup (AS/ASN/IP)
• Website to IP Lookup

More Scanning and Reconnaissance Tools

• Dirbuster —
• wfuzz
• cewl (creating wordlist from webpage)
• smtp-user-enum — Username guessing tool primarily for use against the default SMTP service.
  • Linux username wordlist
• wget
• Zenmap — A graphical user interface for Nmap.

Dirb

Dirb is a tool to perform a dictionary based attack against web server; scan web server for directories using a dictionary file.

• Use option -f for fine-tune scan.

Nikto

nikto is a web server scanner, tests for dangerous files and programs, security vulnerabilities.

• Basic usage: Scan a single port of an IP address:

  perl nikto.pl -h <ip address> -p <TCP port number>
  

  note that if no port is specified, TCP port 80 is assumed.

WFuzz

WFuzz is a web application security fuzzer tool and Python library. A HackTricks article on using WFuzz is found here.

Nslookup

• Interactive or non-interactive modes.

Syntax:

nslookup [options] [website or IP address]

Running without options should return the IP address associated with a website (or website associated with IP address).

Nslookup options:

• -domain=[domain name] option to change the default DNS name.
• -debug option to show debugging information.
• -timeout=[seconds] option to specify the time allowed for the server to respond.
• -port=[port number] option to specify the port for queries. Default port number is 53.
• -type=a to view information about the DNS A address records.
• -type=any to view all available records.
• -type=hinfo to view hardware-related information about the host.
• -type=mx to view Mail Exchange (MX) server information.
• -type=ns to view Name Server (NS) records.
• -type=ptr to view Pointer records. Used in reverse DNS lookups.
• -type=soa to view Start of Authority records.

How to use nslookup:

• View NS records for a domain:

  nslookup -type=ns [domain name]
  

• View MX (Mail Exchange server data) records for a domain:

  nslookup -type=mx [domain name]
  

• Perform a reverse DNS lookup (find domain name associated with IP address):

  nslookup [domain name]
  

• View all available logs:

  nslookup -type=any [domain name]
  

Dig

Dig documentation found here. Dig (domain information groper) is a flexible tool for interrogating DNS name servers. Basic usage looks like the following:

dig @server name type

where server is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. name is the name of the resource record that is to be looked up. type indicates what type of query is required. Valid query types include: A, AAAA, MX, SIG, SOA, TXT, etc.

Nmap

Nmap — “Network Mapper”, a network scanning tool.

• Ping scan:

  nmap -sp 192.168.1.1/24
  

• No ping (skip host discovery stage)

  nmap -Pn 192.168.1.1/24
  

• Scan a single host:

  nmap scanme.nmap.org
  

• Stealth scan (TCP SYN scan):

  nmap -sS scanme.nmap.org
  

• UDP scan:

  nmap -sU scanme.nmap.org
  

• Version scan:

  nmap -sV scanme.nmap.org
  

• OS scanning:

  nmap -sV scanme.nmap.org
  

• Aggressive scan:

  nmap -A scanme.nmap.org
  

• Scanning multiple hosts (several approaches)
• Port scanning:

  nmap -p 973 192.164.0.1
  

• Port scanning for information about a particular type of connection (here, TCP connection):

  nmap -p T:7777, 973 192.164.0.1
  

• More options:
  • -S to spoof an IP address
  • -6 to conduct an IPv6 scan

OpenSSL

• OpenSSL Documentation
• Check SSL certificate expiration date

  cat cert.cer | openssl x509 -noout -enddate
  

The Heartbleed Bug

The Heartbleed Bug is a vulnerability in the OpenSSL cryptographic software library.

Investigate if an https page is vulnerable to heartbleed:

sudo sslscan <ip address>:443

Or with an nmap script:

nmap -sV --script=ssl-heartbleed <ip address>

Exploit Heartbleed vulnerability:

• Module in burp suite.
• Metasploit module.

  use auxiliary/scanner/ssl/openssl_heartbleed
  set RHOSTS <ip address>
  set verbose true
  run
  

HTTP response status codes

• Informational response (100-199)
• Successful response (200-299)
• Redirection message (300-399)
• Client error response (400-499)
  • 403 Forbidden: The client doesn’t have rights to access the content; it’s unauthorized, so the server is refusing to give the requested resource. Unlike 401 Unauthorized, the client’s identity is known to the server.
• Server error response (500-599)

DNS Record Types

• A records resolve to IPv4 addresses.
• AAAA records resolve to IPv6 addresses.
• CNAME records resolve to another domain name (like a subdomain).
• MX records resolve to the address of the servers that handle the email for the domain you are querying.
• TXT records are free text fields where any text-based data can be stored.

SSH Key Pairs

SSH employs public key cryptography (a.k.a. asymmetric cryptography), which requires two separate keys: one private key, and one public key. Together, the public and private key compose a key pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is the host (server) key; one is the user (client) key. This article details how to generate an SSH Key Pair.

Acronyms and Definitions

• ASN: Autonomous System Number
• AS: Autonomous System
• DNS: Domain Name System
• IP: Internet Protocol
• RIR: Regional Internet Registry
• SOA: Start of Authority. DNS SOA record used to designate the primary name server and administrator responsible for a zone.
• SSL: Secure Sockets Layer
  • CN: SSL Certificate Common Name (a.k.a. Fully Qualified Domain Name (FQDN))
• TLD: Top-Level Domain
• TTL: Time to live (also known as “hop limit”) - specifies how long a DNS record should be cached for.