<Introduction>
Penetration testing, or pentesting, is a critical practice in cybersecurity, involving simulated cyberattacks to uncover vulnerabilities in an organization’s systems before malicious actors can exploit them. One key phase in pentesting is active reconnaissance, where the tester interacts directly with the target system to gather vital information. This comprehensive cheat sheet covers the essential tools, techniques, and commands for effective active reconnaissance during a penetration test.
<Understanding Active Reconnaissance>
Active reconnaissance involves direct interaction with the target system to uncover its structure, services, and vulnerabilities. Unlike passive reconnaissance, which avoids engaging the target and remains undetectable, active reconnaissance is more intrusive and can trigger alerts. Despite the risks, this approach provides deeper insights into the target's defenses, making it indispensable in penetration testing.
<Network Scanning>
The first step in active reconnaissance is network scanning, which identifies live hosts, open ports, and services running on the target network.
Nmap Basics
Nmap (Network Mapper) is the most popular network scanning tool. Here are some fundamental Nmap commands:
- Scan a single IP address:
nmap <target IP>
- Scan a range of IP addresses:
nmap <start IP>-<end IP>
- Scan multiple IP addresses:
nmap <IP1> <IP2> <IP3>
Advanced Nmap Scans
- Detect OS and Services:
nmap -A <target IP>
- Aggressive scan for detailed information:
nmap -T4 -A -v <target IP>
- Scan all 65,535 ports:
nmap -p- <target IP>
Masscan
Masscan is renowned for its speed and ability to scan the entire internet in minutes.
- Basic scan:
masscan -p80 <target IP range>
- Scan with custom rate:
masscan -p80 <target IP range> --rate=10000
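Because active scanning is noisy (see the note above that it can trigger alerts), it is worth seeing what a defender's detection for it looks like. The following is an added example written for this page, not code from the original post or from Nmap/Masscan. It assumes UFW/iptables-style firewall log lines (the sample lines below are constructed, not real traffic) and flags any source that touches many distinct destination ports within a short sliding window; the window and port thresholds are illustrative, not a standard.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed UFW/iptables-style log lines (no real traffic). One source walks
# twelve common ports in six seconds; two others are ordinary single-port clients.
def _line(ts, src, dpt):
    return (f"{ts} fw kernel: [UFW BLOCK] IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 SYN")

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = (
    [_line(f"Jan 10 12:00:0{1 + i // 2}", "198.51.100.7", p) for i, p in enumerate(SCAN_PORTS)]
    + [_line("Jan 10 12:00:10", "203.0.113.5", 443),
       _line("Jan 10 12:00:40", "203.0.113.5", 443),
       _line("Jan 10 12:01:10", "203.0.113.5", 443),
       _line("Jan 10 12:03:00", "203.0.113.9", 22),
       _line("Jan 10 12:09:00", "203.0.113.9", 80)]
)

# Syslog timestamp, then the SRC / PROTO / DPT fields iptables logging emits.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Return {src_ip: peak_distinct_ports} for sources that hit at least
    `min_ports` distinct TCP ports inside any `window_seconds` window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue
        # Syslog lines carry no year; relative differences are all we need.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, int(m.group("dpt"))))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # port -> hits currently inside the window
        left = 0
        peak = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until the window fits.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {ports} distinct ports within 60s")
```

A slow scan (Nmap's `-T0`/`-T1` timing, or Masscan with a very low `--rate`) spreads probes out so that a 60-second window never fills; widening the window and lowering the port threshold, as the second assertion in the usage below does, trades false positives for catching that case.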
<Service Enumeration>
Service enumeration identifies the services and applications running on the target and their versions, which is crucial for spotting potential vulnerabilities.
Banner Grabbing
Banner grabbing is a technique used to determine the software version running on a service. Useful tools include:
- Using Nmap:
nmap -sV <target IP>
- Using Netcat:
nc -v <target IP> <port>
- Using Telnet:
telnet <target IP> <port>
- Using OpenSSL:
openssl s_client -connect <target IP>:<port>
- Using cURL:
curl -I http://<target IP>
- Using Netcat for HTTP banner (after typing the HEAD line, press Enter twice so the blank line that terminates the request is sent):
nc <target IP> 80
HEAD / HTTP/1.0
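The manual HEAD request above returns a block of response headers; what a banner grab actually yields, and what a defender should look for in their own servers' responses, is the product and version strings in them. The following added example (written for this page, not taken from the post or from any of the tools listed) builds the same request Netcat sends and parses a response into its headers, listing those that disclose a version. The two responses are constructed samples: one from a verbose server and one where the version has been suppressed.

```python
import re

# Constructed HTTP responses (not captured from any real host).
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)

# Headers that commonly carry product/version details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")  # matches 2.4.41, 7.4.3, ...


def build_head_request(host: str, path: str = "/") -> bytes:
    """The same request the Netcat recipe types by hand, with the blank line that ends it."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_banner(raw: bytes) -> dict:
    """Split a raw HTTP response into status line and headers and list version disclosures."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    version_disclosures = [
        (name, headers[name])
        for name in DISCLOSING_HEADERS
        if name in headers and VERSION_RE.search(headers[name])
    ]
    return {
        "status": status_line,
        "headers": headers,
        "version_disclosures": version_disclosures,
    }


if __name__ == "__main__":
    print(build_head_request("192.0.2.10").decode())
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = parse_banner(raw)
        print(label, result["status"], result["version_disclosures"])
```

The hardened sample still names the product ("Apache") but no version, which is what a server-side setting such as Apache's `ServerTokens Prod` produces; the parser reports a disclosure only when a version number is present, so the two cases are easy to tell apart in bulk.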
Service Version Detection
- Version detection with Nmap:
nmap -sV --version-intensity 5 <target IP>
- Service enumeration with AMAP:
amap <target IP> <port>
- Using Smbclient for SMB:
smbclient -L //<target IP>
- Using Metasploit for service enumeration (choose a module under auxiliary/scanner, for example auxiliary/scanner/smb/smb_version as shown in the SMB section):
use auxiliary/scanner/<service>/<module>
- Using SSLyze for SSL/TLS services:
sslyze --regular <target IP>:<port>
<Vulnerability Scanning>
Once services have been identified, it’s crucial to check for known vulnerabilities.
Nikto
Nikto is a web server scanner that checks for over 6,700 potentially dangerous files/programs, outdated versions, and other issues.
- Scan a website:
nikto -h <target IP>
OpenVAS
OpenVAS (Open Vulnerability Assessment System) is a comprehensive vulnerability scanner.
- Basic command:
openvas-start
Use the web interface to initiate and manage scans.
Additional Tools
- Nessus:
nessuscli agent link --key=<key> --host=<server>
- QualysGuard:
Use the web interface to configure and run scans.
- Wapiti:
wapiti http://<target URL>
- Nexpose:
Use the GUI to configure scans and generate detailed reports.
- Acunetix:
Initiate scans through the Acunetix dashboard.
<Operating System Fingerprinting>
Identifying the target’s operating system helps in tailoring further exploitation efforts.
Xprobe2
Xprobe2 is known for its accuracy in OS fingerprinting.
- Basic usage:
xprobe2 <target IP>
Nmap
- OS detection:
nmap -O <target IP>
Additional Tools
p0f
p0f -i <interface>
SinFP
sinfp.pl -d <target IP>
HTTPrint
httprint -h <target IP> -s signatures.txt
Wireshark
Passive OS fingerprinting: analyze captured packets to determine OS types based on TCP/IP stack behavior.
Recon-ng
recon-ng
<Web Application Reconnaissance>
Web applications often present rich targets in penetration tests. Effective reconnaissance can reveal potential entry points, hidden directories, and vulnerabilities.
Dirbuster/Dirb
These tools brute-force directories to discover hidden files and directories not publicly listed.
Dirbuster
dirbuster -u <target URL> -w <wordlist>
Dirb
dirb <target URL>
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is an open-source tool for detecting vulnerabilities in web applications.
- Launch the ZAP GUI to begin testing.
Burp Suite
Burp Suite is a comprehensive tool for web application security testing.
- Proxy setup for intercepting requests:
Configure your browser to use Burp’s proxy.
- Automated scan for vulnerabilities:
Use the Burp Scanner module.
Wfuzz
Wfuzz is a flexible tool for brute-forcing web applications, helping discover hidden resources and parameters.
- Brute-force directories:
wfuzz -c -z file,/path/to/wordlist -u http://<target URL>/FUZZ
- Brute-force parameters:
wfuzz -c -z file,/path/to/wordlist -d "param=FUZZ" -u http://<target URL>
SQLMap
SQLMap automates the detection and exploitation of SQL injection vulnerabilities.
- Basic SQL injection test:
sqlmap -u "http://<target URL>?id=1"
- Database enumeration:
sqlmap -u "http://<target URL>?id=1" --dbs
WhatWeb
WhatWeb identifies technologies used by a website, such as web servers and CMS.
- Scan a website:
whatweb <target URL>
Arachni
Arachni is a modular web application scanner designed to find security issues within web applications.
- Start a scan:
arachni <target URL>
Sublist3r
Sublist3r is used for subdomain enumeration, revealing additional attack surfaces.
- Enumerate subdomains:
sublist3r -d <domain>
Aquatone
Aquatone is a tool for domain flyovers, useful for gathering screenshots of websites and obtaining a visual overview of accessed hosts.
- Basic usage:
cat hosts.txt | aquatone
<DNS Enumeration>
DNS enumeration reveals valuable information about a domain’s structure and potential entry points.
DNSenum
DNSenum is a tool for discovering information about DNS zones.
- Basic usage:
dnsenum <domain>
Fierce
Fierce is used to locate non-contiguous IP space and hostnames within specified domains.
- Basic usage:
fierce --domain <domain>
<SMB Enumeration>
SMB (Server Message Block) enumeration is crucial for gathering information about shares, users, and services on a Windows network.
SMBclient
SMBclient allows interaction with SMB shares.
- List available shares:
smbclient -L //<target IP>
Enum4linux
Enum4linux is a Linux tool for SMB enumeration.
- Basic usage:
enum4linux -a <target IP>
Additional Tools
Nmap
SMB Enumeration:
nmap --script smb-enum-shares -p 445 <target IP>
Smbmap
smbmap -H <target IP>
CrackMapExec
crackmapexec smb <target IP>
Metasploit
SMB Modules:
use auxiliary/scanner/smb/smb_version
<Common Active Reconnaissance Tools>
Some frequently used tools for active reconnaissance include:
- Nmap: Network scanning and service enumeration.
- Masscan: High-speed network scanning.
- Nikto: Web server vulnerability scanning.
- Xprobe2: OS fingerprinting.
- Dirbuster/Dirb: Directory brute-forcing.
- OWASP ZAP: Web application vulnerability detection.
- Burp Suite: Comprehensive web security testing.
- Wfuzz: Web application brute-forcing.
- SQLMap: SQL injection testing.
- WhatWeb: Technology fingerprinting.
- Arachni: Modular web application scanner.
- Sublist3r: Subdomain enumeration.
- Aquatone: Domain flyover and screenshots.
- DNSenum: DNS enumeration.
- Enum4linux: SMB enumeration.
- AMAP: Service version detection.
- Nessus: Vulnerability scanning.
- p0f: Passive OS fingerprinting.
- Smbmap: SMB enumeration.
<Conclusion>
This cheat sheet offers a guide to the essential tools and commands used in active reconnaissance during penetration testing. Mastering these techniques allows you to efficiently gather the necessary information to identify and exploit vulnerabilities.
Thank you for reading my post on "DevOps Essentials: Getting Started with Pipeline Automation". If you find this content informative and you are interested in cybersecurity, please regularly check back on the Cyb3r-S3c website. For more free content, please like and subscribe to the Cyb3r-0verwatch channel. Until next time keep learning, the only way to improve is to keep learning.
/Signing Off,
Pragmat1c_0n3