
Peripheral network reconnaissance OSINT
Intro to Reconnaissance
Learning about a network from afar, whether actively or passively, is always one of the first things you do when deciding to penetrate a computer system. There are a variety of tools that can help along the way, some of which I will cover here. While much of this seems like common sense, that also means it is often overlooked, which can mean the difference between getting in and calling it a bust.

What are we looking for? OSINT: anything that gives us insider information about the network. That means usernames, passwords (whether in plain text or hashed), databases that we can download, information about the network topology such as how many machines there are, what type of networking hardware is in use, which OS each machine runs, the versions of the software those machines are running, any information on what subnet(s) the machines sit on and how many networks are at play, whether there is a VPN in the picture, and whether there is an intrusion prevention/detection system, firewall, or WAF inline (and what they may let slip through). We also want to collect any information we can on employees, users, and administrators, such as their names, addresses, and phone numbers. We can collect this information in many ways.
Domain Enumeration
When feeling out a network, one thing you are going to need to do is see how far the network umbrella reaches. An easy way to do that is to enumerate all the primary domains you will be attacking (check scope!), as well as their respective subdomains.

The primary domains should either be listed in scope or can be found via a Google search or two, but the subdomains sometimes aren't quite as public. Hence, I usually use a subdomain enumeration tool; a personal favorite for this is Sublist3r.
```text
usage: sublist3r.py [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]] [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]

OPTIONS:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain name to enumerate it's subdomains
  -b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
                        Enable the subbrute bruteforce module
  -p PORTS, --ports PORTS
                        Scan the found subdomains against specified tcp ports
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable Verbosity and display results in realtime
  -t THREADS, --threads THREADS
                        Number of threads to use for subbrute bruteforce
  -e ENGINES, --engines ENGINES
                        Specify a comma-separated list of search engines
  -o OUTPUT, --output OUTPUT
                        Save the results to text file
  -n, --no-color        Output without color

Example: python ./sublist3r.py -d google.com
```
I recommend doing this before firing off a long-running (slow, so its accuracy is best) nmap scan, because then you can add each address the subdomain enumerator finds to the list of hosts for nmap to scan!

I would run:

```shell
python3 sublist3r.py -d example.com -t 2 -o example.com.subdomains
```
Port Scanning
I usually start with port scanning, because its results tell me where to go next. For this I recommend Nmap, a tool with a huge number of options and configurations for mapping out a network's weak points: it finds open ports, fingerprints services and their software versions from their responses, guesses operating system versions, and runs scripts (NSE) to enumerate things like Samba shares and web server configuration.

While I could do an entire write-up on nmap alone, I'm going to stick to the basics here. Here is the help output, and as always, you can find more detailed information about nmap and most other commands with the `man` command and in the documentation.
```text
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
```
As you can see, there is a plethora of options for different scan types, types of networks, output formats, timing, OS and service detection, and even evasion techniques. My favorite command to run, just to get started, is:

```shell
sudo nmap -p 0-65535 -sV -sS -oN example.com.nmap -T2 -iL example.com.subdomains -O --osscan-limit -R -sC
```

This of course can and should be adapted to your specific use case. For example, if you know that a machine is running a UDP service, use `-sU` in place of, or in addition to, `-sS`.
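The scan above writes normal output (`-oN`); if you also ask for grepable output (`-oG`, or `-oA` for all three formats), the result can be turned into a host/port inventory and compared against what you expect to be exposed. The following is an added example, not code from the original post: a small Python parser for `-oG` output run over a constructed sample (the hosts, ports and versions in it are made up), plus an allowlist check a defender can use to spot unexpected exposure.

```python
"""Parse nmap grepable (-oG) output into a per-host inventory and compare it
against the services that are supposed to be reachable."""
import re
from typing import Dict, List

# Constructed sample of nmap -oG output (not a real scan). Fields on a host line
# are tab-separated; the "# Nmap" comment lines are part of the format.
SAMPLE_OG = """# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - -iL hosts.txt
Host: 203.0.113.10 (www.example.com)\tStatus: Up
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 443/open/tcp//ssl|http//Apache httpd 2.4.38 ((Debian))/, 9000/filtered/tcp//cslistener///\tIgnored State: closed (997)
Host: 203.0.113.11 (vpn.example.com)\tPorts: 1194/open|filtered/udp//openvpn///, 22/open/tcp//ssh//OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)/\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname": str, "ports": [...]}} from -oG text.

    Each entry in the Ports field is port/state/protocol/owner/service/rpcinfo/version/ ;
    the version field may itself contain '/', so everything after the sixth slash
    is re-joined. Entries are separated by ", ".
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment / metadata line
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports_field = fields.get("Ports")
        if not ports_field:
            continue                      # e.g. a "Status: Up" line without ports
        for raw in ports_field.split(", "):
            parts = raw.split("/")
            if len(parts) < 7:
                continue                  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:]).rstrip("/")
            entry["ports"].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version})
    return hosts


def open_services(hosts: Dict[str, dict]) -> List[tuple]:
    """Flatten to (ip, port, proto, service, version) for ports reported open."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"]


def unexpected_exposure(hosts: Dict[str, dict], allowed: Dict[str, set]) -> List[tuple]:
    """Defender's check: open or open|filtered ports missing from the per-host allowlist.

    allowed maps ip -> set of "port/proto" strings that are meant to be reachable.
    """
    findings = []
    for ip, h in hosts.items():
        for p in h["ports"]:
            if not p["state"].startswith("open"):
                continue
            key = "%d/%s" % (p["port"], p["proto"])
            if key not in allowed.get(ip, set()):
                findings.append((ip, key, p["service"]))
    return findings


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    for row in open_services(inventory):
        print("%-14s %5d/%s %-8s %s" % row)
    allow = {"203.0.113.10": {"80/tcp", "443/tcp"}, "203.0.113.11": {"1194/udp"}}
    for ip, key, svc in unexpected_exposure(inventory, allow):
        print("[!] %s exposes %s (%s) not in allowlist" % (ip, key, svc))
```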
Google Dorking
Around this time I start doing what you may have heard of as Google dorking, where you use Google or another search engine that supports extended search operators to find sensitive files, such as logs, programs, backups, domains, and vulnerable code. I would normally put `site:oxasploits.com` at the beginning of the dork and then apply the actual dork after that, so that we only get listings related to the domain in our scope. For example, `site:oxasploits.com filetype:log` will search for files with the extension .log under the oxasploits domain. An extensive searchable Google dorking database can be found at Exploit-DB. I would recommend looking through the database to get a feel for how Google dorks are assembled. Then, if you are feeling clever, or need to find something specific for whatever reason, you can look through the following list of advanced search operators that may help you build a query.
| Operator | Explanation |
|---|---|
| " " | Words in a specific order |
| OR | Results will be related to A or B |
| \| | Same as above |
| AND | Results will be related to both A and B |
| - | Results do not mention this |
| * | Wildcard for a phrase |
| ( ) | Search grouping |
| define: | Search for a definition |
| cache: | Search for the most recent cache |
| filetype: | File ends in this extension |
| ext: | Same as filetype |
| site: | Website which results will come up for |
| related: | Websites related to a domain |
| intitle: | Search for a document that has this in its title |
| allintitle: | Search for a document that has all these words in its title |
| inurl: | Words are in the URL |
| allinurl: | Word string is in the URL |
| weather: | Weather at a location |
| stocks: | Information about a ticker symbol |
| map: | Search Google Maps for this location |
| movie: | Search info about a movie |
| in | Convert units |
| source: | Search from a specific Google News source |
| before: | Results before this date |
| after: | Results after this date |
| #..# | Search within a number range |
| anchor: | Search for pages with backlinks containing this anchor text |
| allinanchor: | Search for pages with backlinks containing all these words in anchor text |
| AROUND(X): | Search for pages with two words within X words of each other |
| loc: | Search results from a specific location |
| location: | Find news from this location |
| daterange: | Search results from within this date range |
Vulnerability Scanners
We can employ vulnerability scanners to check which services we might successfully attack in a later phase of the hack. There are tons of these, but one that I like is Nikto, a CGI scanner with which you can enumerate HTTP servers running server-side website scripts (PHP, Perl, ...) that could have security bugs in their software versions. Nikto will scan for footholds that allow you to leverage RCE via LFI, RFI, Perl open/read bugs, and more.
```text
Options:
  -ask+               Whether to ask about submitting updates
                        yes   Ask about each (default)
                        no    Don't ask, don't send
                        auto  Don't ask, just send
  -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
  -config+            Use this config file
  -Display+           Turn on/off display outputs:
                        1     Show redirects
                        2     Show cookies received
                        3     Show all 200/OK responses
                        4     Show URLs which require authentication
                        D     Debug output
                        E     Display all HTTP errors
                        P     Print progress to STDOUT
                        S     Scrub output of IPs and hostnames
                        V     Verbose output
  -dbcheck            Check database and other key files for syntax errors
  -evasion+           Encoding technique:
                        1     Random URI encoding (non-UTF8)
                        2     Directory self-reference (/./)
                        3     Premature URL ending
                        4     Prepend long random string
                        5     Fake parameter
                        6     TAB as request spacer
                        7     Change the case of the URL
                        8     Use Windows directory separator (\)
                        A     Use a carriage return (0x0d) as a request spacer
                        B     Use binary value 0x0b as a request spacer
  -Format+            Save file (-o) format:
                        csv   Comma-separated-value
                        htm   HTML Format
                        msf+  Log to Metasploit
                        nbe   Nessus NBE format
                        txt   Plain text
                        xml   XML Format
                        (if not specified the format will be taken from the file extension passed to -output)
  -Help               Extended help information
  -host+              Target host
  -IgnoreCode         Ignore Codes--treat as negative responses
  -id+                Host authentication to use, format is id:pass or id:pass:realm
  -key+               Client certificate key file
  -list-plugins       List all available plugins, perform no testing
  -maxtime+           Maximum testing time per host
  -mutate+            Guess additional file names:
                        1     Test all files with all root directories
                        2     Guess for password file names
                        3     Enumerate user names via Apache (/~user type requests)
                        4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                        5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                        6     Attempt to guess directory names from the supplied dictionary file
  -mutate-options     Provide information for mutates
  -nointeractive      Disables interactive features
  -nolookup           Disables DNS lookups
  -nossl              Disables the use of SSL
  -no404              Disables nikto attempting to guess a 404 page
  -output+            Write output to this file ('.' for auto-name)
  -Pause+             Pause between tests (seconds, integer or float)
  -Plugins+           List of plugins to run (default: ALL)
  -port+              Port to use (default 80)
  -RSAcert+           Client certificate file
  -root+              Prepend root value to all requests, format is /directory
  -Save               Save positive responses to this directory ('.' for auto-name)
  -ssl                Force ssl mode on port
  -Tuning+            Scan tuning:
                        1     Interesting File / Seen in logs
                        2     Misconfiguration / Default File
                        3     Information Disclosure
                        4     Injection (XSS/Script/HTML)
                        5     Remote File Retrieval - Inside Web Root
                        6     Denial of Service
                        7     Remote File Retrieval - Server Wide
                        8     Command Execution / Remote Shell
                        9     SQL Injection
                        0     File Upload
                        a     Authentication Bypass
                        b     Software Identification
                        c     Remote Source Inclusion
                        x     Reverse Tuning Options (i.e., include all except specified)
  -timeout+           Timeout for requests (default 10 seconds)
  -Userdbs            Load only user databases, not the standard databases
                        all   Disable standard dbs and load only user dbs
                        tests Disable only db_tests and load udb_tests
  -until              Run until the specified time or duration
  -update             Update databases and plugins from CIRT.net
  -useproxy           Use the proxy defined in nikto.conf
  -Version            Print plugin and database versions
  -vhost+             Virtual host (for Host header)
    + requires a value
```
An example Nikto command would look something like:

```shell
nikto -Cgidirs all -Format txt -host www.example.com -mutate 3 -output www.example.com.nikto -port 443 -ssl -Tuning x
```

and as always, feel free to experiment and change these options at your discretion... see what works for this specific server!

Another remote vulnerability scanner I use frequently is WPScan, which is geared towards finding vulnerable WordPress installations. Unfortunately, to use this tool you will need to go to WPScan's website and generate an API key.
```text
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

Usage: wpscan [options]
        --url URL                                 The URL of the blog to scan
                                                  Allowed Protocols: http, https
                                                  Default Protocol if none provided: http
                                                  This option is mandatory unless update or help or hh or version is/are supplied
    -h, --help                                    Display the simple help and exit
        --hh                                      Display the full help and exit
        --version                                 Display the version and exit
    -v, --verbose                                 Verbose mode
        --[no-]banner                             Whether or not to display the banner
                                                  Default: true
    -o, --output FILE                             Output to FILE
    -f, --format FORMAT                           Output results in the format supplied
                                                  Available choices: cli-no-colour, cli-no-color, json, cli
        --detection-mode MODE                     Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --user-agent, --ua VALUE
        --random-user-agent, --rua                Use a random user-agent for each scan
        --http-auth login:password
    -t, --max-threads VALUE                       The max threads to use
                                                  Default: 5
        --throttle MilliSeconds                   Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
        --request-timeout SECONDS                 The request timeout in seconds
                                                  Default: 60
        --connect-timeout SECONDS                 The connection timeout in seconds
                                                  Default: 30
        --disable-tls-checks                      Disables SSL/TLS certificate verification, and downgrade to TLS1.0+ (requires cURL 7.66 for the latter)
        --proxy protocol://IP:port                Supported protocols depend on the cURL installed
        --proxy-auth login:password
        --cookie-string COOKIE                    Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
        --cookie-jar FILE-PATH                    File to read and write cookies
                                                  Default: /tmp/wpscan/cookie_jar.txt
        --force                                   Do not check if the target is running WordPress or returns a 403
        --[no-]update                             Whether or not to update the Database
        --api-token TOKEN                         The WPScan API Token to display vulnerability data, available at https://wpscan.com/profile
        --wp-content-dir DIR                      The wp-content directory if custom or not detected, such as "wp-content"
        --wp-plugins-dir DIR                      The plugins directory if custom or not detected, such as "wp-content/plugins"
    -e, --enumerate [OPTS]                        Enumeration Process
                                                  Available Choices:
                                                   vp   Vulnerable plugins
                                                   ap   All plugins
                                                   p    Popular plugins
                                                   vt   Vulnerable themes
                                                   at   All themes
                                                   t    Popular themes
                                                   tt   Timthumbs
                                                   cb   Config backups
                                                   dbe  Db exports
                                                   u    User IDs range. e.g: u1-5
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-10
                                                   m    Media IDs range. e.g m1-15
                                                        Note: Permalink setting must be set to "Plain" for those to be detected
                                                        Range separator to use: '-'
                                                        Value if no argument supplied: 1-100
                                                  Separator to use between the values: ','
                                                  Default: All Plugins, Config Backups
                                                  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
                                                  Incompatible choices (only one of each group/s can be used):
                                                   - vp, ap, p
                                                   - vt, at, t
        --exclude-content-based REGEXP_OR_STRING  Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration.
                                                  Both the headers and body are checked. Regexp delimiters are not required.
        --plugins-detection MODE                  Use the supplied mode to enumerate Plugins.
                                                  Default: passive
                                                  Available choices: mixed, passive, aggressive
        --plugins-version-detection MODE          Use the supplied mode to check plugins' versions.
                                                  Default: mixed
                                                  Available choices: mixed, passive, aggressive
        --exclude-usernames REGEXP_OR_STRING      Exclude usernames matching the Regexp/string (case insensitive). Regexp delimiters are not required.
    -P, --passwords FILE-PATH                     List of passwords to use during the password attack.
                                                  If no --username/s option supplied, user enumeration will be run.
    -U, --usernames LIST                          List of usernames to use during the password attack.
                                                  Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
        --multicall-max-passwords MAX_PWD         Maximum number of passwords to send by request with XMLRPC multicall
                                                  Default: 500
        --password-attack ATTACK                  Force the supplied attack to be used rather than automatically determining one.
                                                  Available choices: wp-login, xmlrpc, xmlrpc-multicall
        --login-uri URI                           The URI of the login page if different from /wp-login.php
        --stealthy                                Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive

[!] To see full list of options use --hh.
```
So a WordPress website could be scanned for attack vectors like:

```shell
wpscan --url https://blog.example.com/ -v -o blog.example.com.wpscan -t 4 --api-token [token goes here] -e ap,at,cb,dbe,u --plugins-detection mixed
```

Of course, feel free to include anything else you already know about the server, such as usernames. If you know there is a WAF involved, I recommend dropping `mixed` from the last option and adding the `--stealthy` option.
Screenshots
Screenshots can hold gobs of information about a target, otherwise known as OSINT. You can find anything from locations (by googling the surroundings), names (by looking at social media profiles in the shot), the length of a password (by counting the stars), or, if the screenshot is of something technical, information on what services are running or the network topology... I am guilty of this as well: I frequently snap screenshots to show my hacker buddies, and often neglect to black out or otherwise censor the sensitive information. Behold, one of my screenshots (try to resist rooting me, please)!

From this screenshot, try to pick out every piece of information about my network that you can before checking below. You'll be amazed once you start noticing things.
- Running an Xorg server
- Window manager is Fluxbox
- The time and date the shot was taken
- My username on the machine and my hostname
- My kernel version
- OS/Distribution is Kali Linux
- My user's uid, my primary group is 'users', and I am in the 'sudo' group
- Port 9000 is open on another machine on my network
- I'm running Graylog on another host, which suggests I am probably also running OpenSearch or Elasticsearch, and MongoDB
- The Graylog instance is not encrypted
- I have bookmarks that indicate I have a job, may have a media server on the network, and embarrassingly, enjoy porn
- I have an active Google account
- A picture of me
- I'm connected to a wireless network
- My computer is a laptop because you can see the battery icon
- I'm torrenting something
- My browser is Google Chrome
- I like to watch video in pip while I'm working (icon for the pip shortcut plugin)
- I use the command line to download things frequently (curl/wget plugin)
- I use awesome screenshot to take pictures of only what is in the browser window
- My Google Chrome version/User Agent
- My Graylog NodeID
- That it only took 0.01 seconds for Graylog to respond after searching lots of data over 7 days, fast server
- I run OpenSSH servers on my network, and the low number of hits to it suggests firewalling
- I have a user on one server on the network called 'webmaster'
- I run an Apache2 server with SSL
- I run ntopng for network analysis
- The 10.0.2.0/24 network is protected by an IPS
- My torrent client has DHT enabled
- My firewall is netfilter/iptables
- Four hostnames on my network are likon.dev.oxasploits.com, zerkon.dev.oxasploits.com, oxasploits.com, and vpn.oxasploits.com
- Part of my monitoring suite uses Prometheus
- A program recently crashed and dumped core
- My screen resolution
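The same leakage happens in pasted terminal output, and text is easier to scrub than pixels. As an added example that is not part of the original post, the Python scrubber below replaces usernames, hostnames under a domain you name, IPv4 addresses and kernel versions with stable placeholders, so a reader can still tell "the same host" across lines without learning what it is. The domain `example.com` and the sample session are constructed; the assumption that a short hostname identifies the host (so `likon` and `likon.dev.example.com` get one label) is marked in the code.

```python
"""Scrub identifying details from terminal output or log text before it is
shared: the text-side counterpart of blacking out a screenshot."""
import re
from typing import Dict, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# user@host in a prompt or an ssh target, e.g. "alice@likon:~$" or "ssh root@vpn.dev.example.com"
PROMPT_RE = re.compile(r"\b([a-z_][a-z0-9_-]*)@([A-Za-z0-9.-]+)")
KERNEL_RE = re.compile(r"\b\d+\.\d+\.\d+-[A-Za-z0-9.-]+\b")  # e.g. 5.10.0-23-amd64

# Constructed sample session (not real output) containing the kinds of details
# the screenshot list above calls out: user, host, kernel, uid/groups, internal IPs.
SAMPLE = """alice@likon:~$ uname -r
5.10.0-23-amd64
alice@likon:~$ id
uid=1000(alice) gid=100(users) groups=100(users),27(sudo)
alice@likon:~$ ssh root@vpn.dev.example.com
root@vpn:~# ss -tn | head -2
ESTAB 0 0 10.0.2.15:22 10.0.2.7:51234
$ curl -sI http://likon.dev.example.com:9000/ | head -1
"""


class Scrubber:
    """Replace users, hosts, IPv4 addresses and kernel versions with stable
    pseudonyms (<user1>, <host2>, <ip1>, <kernel>) that stay consistent
    across the whole text."""

    def __init__(self, domains: Tuple[str, ...]):
        self.ips: Dict[str, str] = {}
        self.hosts: Dict[str, str] = {}
        self.users: Dict[str, str] = {}
        suffix = "|".join(re.escape(d) for d in domains)
        # any label chain ending in one of our domains, e.g. likon.dev.example.com
        self.fqdn_re = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+(?:%s)\b" % suffix)

    @staticmethod
    def _label(table: Dict[str, str], value: str, prefix: str) -> str:
        if value not in table:
            table[value] = "<%s%d>" % (prefix, len(table) + 1)
        return table[value]

    def _host(self, name: str) -> str:
        if IPV4_RE.fullmatch(name):
            return self._label(self.ips, name, "ip")
        # Assumption: the short name identifies the host, so "likon" and
        # "likon.dev.example.com" map to the same placeholder.
        return self._label(self.hosts, name.split(".")[0], "host")

    def scrub(self, text: str) -> str:
        text = PROMPT_RE.sub(lambda m: self._label(self.users, m.group(1), "user")
                             + "@" + self._host(m.group(2)), text)
        text = self.fqdn_re.sub(lambda m: self._host(m.group(0)), text)
        text = IPV4_RE.sub(lambda m: self._label(self.ips, m.group(0), "ip"), text)
        text = KERNEL_RE.sub("<kernel>", text)
        # Usernames also leak outside prompts (id output, /home/<user> paths),
        # so replace every whole-word occurrence of a name seen in a prompt.
        for user, label in self.users.items():
            text = re.sub(r"\b%s\b" % re.escape(user), label, text)
        return text


if __name__ == "__main__":
    print(Scrubber(("example.com",)).scrub(SAMPLE))
```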
Conclusion
It's a pretty lengthy process to do network reconnaissance, and the larger the network, the longer it takes to do a thorough job. There are a couple of things I left out of this tutorial for brevity, and I will list them here just so you can keep them in mind. You can use curl to grab HTTP/HTTPS headers and learn plenty about a web server simply by sifting through those details; you can see only the headers with `curl --head`. Once you have enumerated some users on a system or two, you should probably also use a tool such as Dirbuster to map out which directories on the HTTP server are exposed to the internet serving pages users have put up; these user-designed pages are not normally the most secure of the bunch. If you are stalling while gathering information about users, try using an OSINT tool such as Maltego; it can help tie various users to their respective company positions and find their phone numbers, full names, dates of birth, addresses, even social security numbers, which can be extremely useful in a later stage of the hack... password cracking.
This is only the first step, many to come!
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qq7vvwfe7760s3dm8uq28seck465h3tqp3fjq4l
Thank you so much and happy hacking!