Active Information Gathering Flashcards
What is DNS?
The Domain Name System (DNS) is one of the most critical systems on the Internet and is a distributed database responsible for translating user-friendly domain names into IP addresses.
Example of TLD?
.com
How to control how long a server or client caches a DNS record?
Via TTL field of DNS record.
What is NS?
NS - Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
What is A?
A - Also known as a host record, the “a record” contains the IP address of a hostname (such as www.megacorpone.com).
What is MX?
MX - Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
What is PTR?
PTR - Pointer Records are used in reverse lookup zones and are used to find the records associated with an IP address.
What is CNAME?
CNAME - Canonical Name Records are used to create aliases for other host records.
What is TXT?
TXT - Text records can contain any arbitrary data and can be used for various purposes, such as domain ownership verification.
How to to find the A host record for www.megacorpone.com?
host www.megacorpone.com
How to find the MX records for megacorpone.com?
host -t mx megacorpone.com
How to find the TXT records for megacorpone.com?
host -t txt megacorpone.com
How to look up a valid host for megacorpone.com?
host www.megacorpone.com
How to use host to look up an invalid host?
host idontexist.megacorpone.com
What NXDOMAIN means?
Public DNS record does not exist for that hostname.
How to use bash to brute force forward DNS name lookups for megacorpone.com? You have a wordlist called “list.txt”.
kali@kali:~$ for ip in $(cat list.txt); do host $ip.megacorpone.com; done
How to use bash to bruteforce reverse DNS names? Let’s use a loop to scan IP addresses 38.100.193.50 through 38.100.193.100. We will filter out invalid results by showing only entries that do not contain “not found” (with grep -v).
for ip in $(seq 50 100); do host 38.100.193.$ip; done | grep -v “not found”
What “grep -v” do?
Select non-matching lines.
What is DNS zone transfer?
A zone transfer is basically a database replication between related DNS servers in which the zone file is copied from a master DNS server to a slave server. The zone file contains a list of all the DNS names configured for that zone. Zone transfers should only be allowed to authorized slave DNS servers but many administrators misconfigure their DNS servers, and in these cases, anyone asking for a copy of the DNS server zone will usually receive one.
How to use host to perform a DNS zone transfer?
host -l domain_name dns_server_address
How to attempt zone transfer on “megacorpone.com” and on ns1 subdomain?
kali@kali:~$ host -l megacorpone.com ns1.megacorpone.com
How to use host to do a DNS zone transfer on www.megacorpone.com and ns2 subdomain?
kali@kali:~$ host -l megacorpone.com ns2.megacorpone.com
How to use host to obtain DNS servers for a given domain name?
host -t ns megacorpone.com | cut -d “ “ -f 4
What ‘-t’ do in host command?
-t specifies the query type
What is DNSRecon?
DNSRecon is an advanced, modern DNS enumeration script written in Python.
What is ‘-d’ for in dnsrecon?
To specify a domain name.
What is ‘-t’ for in dnsrecon?
To specify the type of enumeration to perform.
How to use dnsrecon to perform a zone transfer on megacorpone.com?
kali@kali:~$ dnsrecon -d megacorpone.com -t axfr
What is ‘-D’ for in dnsrecon?
To specify a file name containing potential subdomain strings.
What is ‘-t’ for in dnsrecon?
To specify the type of enumeration to perform.
How to brute force hostnames using dnsrecon and list.txt?
kali@kali:~$ dnsrecon -d megacorpone.com -D ~/list.txt -t brt
What is DNSenum?
DNSEnum is another popular DNS enumeration tool.
How to find a website’s DNS address?
host -t ns domain-name-com-here
How to attempt a Zone transfer using dnsrecon on megacorpone.com?
dnsrecon -d megacorpone.com
What is port scanning?
Port scanning is the process of inspecting TCP or UDP ports on a remote machine with the intention of detecting what services are running on the target and what potential attack vectors may exist.
How to use netcat to perform a TCP port scan on ports 3388-3390? On address IP 10.11.1.220.
nc -nvv -w 1 -z 10.11.1.220 3388-3390
What ‘-w’ option do in netcat?
Specifies connection timeout in seconds.
What ‘-z’ option do in netcat?
Is used to specify zero-I/O mode, which will send no data.
How to use netcat to perform a UDP port scan on ports 160-162, destination IP 10.11.1.115?
kali@kali:~$ nc -nv -u -z -w 1 10.11.1.115 160-162
What ‘-u’ option do in netcat?
Indicate UDP port scan.
What is nmap?
Is one of the most popular, versatile, and robust port scanners available.
What is ‘-I’ option for in iptables?
To insert a new rule into a given chain which in this case includes both the INPUT (Inbound) and OUTPUT (Outbound) chains followed by the rule number.
What is ‘-s’ option for in iptables?
Specify a source IP address.
What is ‘-d’ option for in iptables?
Specify a destination IP address.
What is ‘-j’ option for in iptables?
ACCEPT the traffic.
What is ‘-z’ option for in iptables?
Zero the packet and byte counters in all chains.
How to configure iptables rules for the scan on IP 10.11.1.220?
kali@kali:~$ sudo iptables -I INPUT 1 -s 10.11.1.220 -j ACCEPT
kali@kali:~$ sudo iptables -I OUTPUT 1 -d 10.11.1.220 -j ACCEPT
kali@kali:~$ sudo iptables -Z
How to scan an IP 10.11.1.220 for the 1000 most popular TCP ports?
nmap 10.11.1.220
What ‘-v’ option in iptables do?
Add some verbosity.
What ‘-n’ option in iptables do?
Enable numeric output.
What ‘-L’ option in iptables do?
List the rules present in all chains.
How to to monitor nmap traffic for a top 1000 port scan?
sudo iptables -vn -L
How to perform a SYN scan on ip 10.11.1.220?
kali@kali:~$ sudo nmap -sS 10.11.1.220
How to perform a TCP connect scan on ip address 10.11.1.220?
nmap -sT 10.11.1.220
How to perform a UDP scan on ip 10.11.1.115?
kali@kali:~$ sudo nmap -sU 10.11.1.115
How to to perform a combined UDP and SYN scan?
sudo nmap -sS -sU 10.11.1.115
How to perform a network sweep?
kali@kali:~$ nmap -sn 10.11.1.1-254
How to perform a network sweep and then using grep to find live hosts?
nmap -v -sn 10.11.1.1-254 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d “ “ -f 2
How to scan for web servers using port 80?
kali@kali:~$ nmap -p 80 10.11.1.1-254 -oG web-sweep.txt
kali@kali:~$ grep open web-sweep.txt | cut -d” “ -f2
How to perform a top twenty port scan, saving the output in greppable format?
nmap -sT -A –top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt
What ‘-O’ option do in nmap?
OS fingerprinting. This feature attempts to guess the target’s operating system by inspecting returned packets. This
is possible because operating systems often have slightly different implementations of the
TCP/IP stack (such as varying default TTL values and TCP window sizes) and these slight
variances create a fingerprint that Nmap can often identify.
How to use nmap for OS fingerprinting on ip 10.11.1.220?
kali@kali:~$ sudo nmap -O 10.11.1.220
How to use nmap for banner grabbing and/or service enumeration, destination ip address is 10.11.1.220?
kali@kali:~$ nmap -sV -sT -A 10.11.1.220
What is NSE for?
To launch user-created scripts in order to automate various scanning tasks. These scripts perform a broad range of functions including DNS enumeration, brute force attacks, and even vulnerability identification.
Where are NSE scripts?
NSE scripts are located in the /usr/share/nmap/scripts directory.
How to use nmap’s scripting engine (NSE) for OS fingerprinting? Destination IP address is 10.11.1.220, and SMB is turned on.
kali@kali:~$ nmap 10.11.1.220 –script=smb-os-discovery
How to use nmap to perform a DNS zone transfer on ns2.megacorpone.com, port 53.
nmap –script=dns-zone-transfer -p 53 ns2.megacorpone.com
What service is on port 53?
DNS
How to view more information about a script?
–script-help
which displays a description of the script and a URL where we can find more in-depth information, such as the script arguments and usage examples.
How to use –script-help option to view more information about script?
kali@kali:~$ nmap –script-help dns-zone-transfer
How to conduct a ping sweep 10.11.1.* addresses and save the output to a file “ping_sweep.txt”, and use grep to show only machines that are online?
nmap -sP 10.11.1.1-255 | grep “10.11.1.” | cut -d “ “ -f 5 > ping_sweep.txt
How to scan the IP addresses from “ping_sweep.txt” for open webserver ports. Use Nmap to find the webserver and operating system versions.
sudo nmap -iL ping_sweep.txt -p 80 -O
How to use NSE scripts to scan the machines in the labs that are running the SMB service?
sudo nmap –script smb-os-discovery.nse -iL ping_sweep.txt -p 445
How to check IP address 10.11.1.5 and port 80 using netcat?
nc -zv 10.11.1.5 80
How to perform nmap UDP scan on IP 10.11.1.5?
sudo nmap -sU 10.11.1.5
What is Masscan?
Masscan is arguably the fastest port scanner; it can scan the entire Internet in about 6 minutes, transmitting an astounding 10 million packets per second! While it was originally designed to scan the entire Internet, it can easily handle a class A or B subnet, which is a more suitable target range during a penetration test.
How to install Masscan on Linux?
sudo apt install masscan
How to use masscan to look for all web servers within a class A subnet?
kali@kali:~$ sudo masscan -p80 10.0.0.0/8
What is ‘–rate’ for in masscan?
To specify the desired rate of packet transmission.
What is ‘-e’ for in masscan?
To specify the raw network interface to use.
What is ‘–router-ip’ for in masscan?
Specify the IP address for the appropriate gateway.
How to use masscan on port 80
kali@kali:~$ sudo masscan -p80 10.11.1.0/24 –rate=1000 -e tap0 –router-ip 10.11.0.1
What is SMB?
Server Message Block
On which port NetBIOS service listen?
139
SMB port?
445
What is NetBIOS?
NetBIOS is an independent session layer protocol and service that allows computers on a local network to communicate with each other.
How to use nmap to scan for the NetBIOS service?
kali@kali:~$ nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
How to use nbtscan to collect additional NetBIOS information on IP 10.11.1.*?
kali@kali:~$ sudo nbtscan -r 10.11.1.0/24
Where are Nmap SMB NSE Scripts?
/usr/share/nmap/scripts
How to find various nmap SMB NSE scripts?
ls -1 /usr/share/nmap/scripts/smb*
What is NetBIOS?
Network Basic Input/Output System
How to use NSE to perform OS discovery?
kali@kali:~$ nmap -v -p 139, 445 –script=smb-os-discovery 10.11.1.227
How to pass argument to NSE script?
–script-args
How to pass “smb-vuln-ms08-067” argument to NSE script? Destination IP is 10.11.1.5 and destination ports are 139 and 445.
nmap -v -p 139,445 –script=smb-vuln-ms08-067 –script-args=unsafe=1 10.11.1.5
What is NFS?
Network File System is a distributed file system protocol originally developed by Sun Microsystems in 1984. It allows a user on a client computer to access files over a computer network as if they were on locally-mounted storage.
What is UDP?
User Datagram Protocol
How to use nmap to identify hosts that have portmapper/rpcbind running?
kali@kali:~$ nmap -v -p 111 10.11.1.1-254
How to query rpcbind in order to get registered services?
nmap -sV -p 111 –script=rpcinfo 10.11.1.1-254
How to locate various NSE scripts for NFS?
kali@kali:~$ ls -1 /usr/share/nmap/scripts/nfs*
How to run all NSE scripts for NFS on IP address 10.11.1.72?
nmap -p 111 –script nfs* 10.11.1.72
How to use nmap to make a list of machines running NFS in the labs?
nmap –script=nfs-ls 10.11.1.1-255 -p 111
What is SMTP and what it support?
The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN.
What VRFY do in SMTP?
A VRFY request asks the server to verify an email address.
What EXPN do in SMTP?
EXPN asks the server for the membership of a mailing list.
How to validate nc to validate SMTP users on ip address 10.11.1.217?
nc -nv 10.11.1.217 25
VRFY root
VRFY idontexist
What is SNMP?
Simple Network Protocol
SNMP is based on what?
UDP
What is UDP?
Simple, stateless protocol, which is susceptible to IP spoofing and replay attacks.
What is the SNMP MIB?
The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, where branches represent different organizations or network functions. The leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user. The IBM
Knowledge Center contains a wealth of information about the MIB tree.
How to scan for open SNMP ports, which command would you use?
nmap
Which option would you use to perform UDP scanning in nmap?
-sU
Which option is used to limit the output to only display open ports in nmap?
–open
How to use nmap to perform a SNMP scan on 10.11.1.*?
sudo nmap -sU –open -p 161 10.11.1.1-254 -oG open-snmp.txt
What is onesixtyone?
Tool that will attempt a brute force attack against a list of IP addresses.
How to use onesixtyone to brute force community strings?
onesixtyone -c community -i ips
How to enumerate the entire MIB tree on IP address 10.11.1.14?
snmpwalk -c public -vl -t 10 10.11.1.14
How to enumerate Windows Users using snmpwalk on address IP 10.11.1.14?
snmpwalk -c public -vl 10.11.1.14 1.3.6.1.4.1.77.1.2.25
How to enumerate Windows processes using snmpwalk on address IP 10.11.1.73?
snmpwalk -c public -vl 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
How to enumerate open TCP ports using snmpwalk on address IP 10.11.1.14?
snmpwalk -c public -vl 10.11.1.14 1.3.6.1.2.1.6.13.1.3
How to enumerate installed software using snmpwalk on IP address 10.11.1.50?
snmpwalk -c public -vl 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
How to scan network 10.11.1.0 to identify a SNMP servers?
sudo nmap -sU -p 161 10.11.1.0/24
How to find SNMP Servers on network 148.32.42.*?
nmap -sU -p 161 148.32.42.0/24
What is SNMP?
SNMP fullform is Simple Network Management Protocol and that is used for interchanging or exchanging management information between different network devices. SNMP allows an administrator to gather information about the host on which SNMP service is running. It is also possible to modify the information.
What is an SNMP Community String?
The “SNMP Community string” is like user id and password that allows router’s to access other router’s statistics data. IPCheck Server Monitor sends the community string along with all SNMP requests. If the community string data is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Important: SNMP Community strings are used only by those devices which support SNMP v1 and SNMP v2c protocol. The SNMP v3 uses the username and password authentication, along with an encryption key. Most SNMP v1 and v2c devices are set to default from the factory with a read-only community string set to “public“.
What is an SNMP Community String?
The “SNMP Community string” is like user id and password that allows router’s to access other router’s statistics data. IPCheck Server Monitor sends the community string along with all SNMP requests. If the community string data is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
Important: SNMP Community strings are used only by those devices which support SNMP v1 and SNMP v2c protocol. The SNMP v3 uses the username and password authentication, along with an encryption key. Most SNMP v1 and v2c devices are set to default from the factory with a read-only community string set to “public“.
How to Find SNMP Community String?
One can find the SNMP Community String using a tool called Onesixtyone. Onesixtyone will use a word list provided by the user and brute force the SNMP service.
