Active Information Gathering
Once we have exhausted the possible ways to passively collect information about our target, we will turn to an active collection. These tools and methods are more powerful and can provide us with more information, but at the same time, they may expose you to detection. Let’s have a look at some common techniques.
Wireshark is a protocol analyzer (aka packet analyzer) and the best tool available for analyzing network traffic, and it is highly recommended that everyone become very familiar with its usage. Technically Wireshark takes packet data and gives you many ways to examine and analyze it. You are going to encounter Wireshark very often as a cyber professional, so it’s to your benefit to dive in and make yourself an expert.
Nmap is a network mapper primarily used to identify the existence of network hosts or devices, ports, services and vulnerabilities. It is the tool of choice for network enumeration and will most likely be the first tool to get detected by network defense devices. While there are ways to do this graphically, learning Nmap from the command line will really help you to better appreciate its capabilities and at the same time help you feel more accustomed to working with a command-line interface (CLI).
An ideal enumeration process is:
- Host Identification
- Port Identification
- Service Identification
- Vulnerability Identification
Yes, you can perform these tasks separately or with one command. The point is to keep your attack surface low while being accountable for your traffic. Some commands to perform these tasks are:
nmap -sn 10.0.6.200-254
nmap -v -T4 -sS -Pn --top-ports 10 10.0.6.200-254 --open
nmap -v -T4 -sT -Pn --top-ports 10 10.0.6.200-254 --open
nmap -v -T4 -sV -Pn --top-ports 25 10.0.6.200-254 --open
nmap -v -T4 -sV -sC -Pn -F 10.0.6.200-254 --open
nmap -v -T4 -A -p- 10.0.6.200-254 --open --randomize-hosts
nmap -v -T4 -p 445 --script=smb-vuln-ms10-061 10.0.6.200-254 –open
nmap -v -T4 -sU -sT -sV -p U:53,11,137,161,T:22,139,445 10.0.6.200-254 --open
Scanning with Metasploit
Although scanning with Nmap is very popular, you can also use Metasploit auxiliary modules to perform scans. Below are some examples:
- 21 auxiliary/scanner/ftp/anonymous
- 21 auxiliary/scanner/ftp/ftp_version
- 22 auxiliary/scanner/ssh/ssh_version
- 23 auxiliary/scanner/telnet/telnet_version
- 25 auxiliary/scanner/smtp/smtp_version
- 69 auxiliary/scanner/tftp/tftpbrute
- 79 auxiliary/scanner/finger/finger_users
- 80 auxiliary/scanner/http/http_version
- 110 auxiliary/scanner/pop3/pop3_version
- 111 auxiliary/scanner/misc/sunrpc_portmapper
- 123 auxiliary/scanner/ntp/ntp_monlist
- 143 auxiliary/scanner/imap/imap_version
- 512 auxiliary/scanner/rservices/rexec_login
- 513 auxiliary/scanner/rservices/rlogin_login
- 514 auxiliary/scanner/rservices/rsh_login
- 1521 auxiliary/scanner/oracle/sid_enum
- 3306 auxiliary/scanner/mysql/mysql_version
- 5432 auxiliary/scanner/postgres/postgres_version
- 5900 auxiliary/scanner/vnc/vnc_none_auth
- 6000 auxiliary/scanner/x11/open_x11
- 9100 auxiliary/scanner/printer/printer_version_info
- 50000 auxiliary/scanner/db2/db2_version
This is a command-line scan tool, running on Windows or Linux, which displays NetBIOS information. It may even display logged in users and device purpose. This is helpful when building your initial hosts and users list.
# nbtscan 10.0.6.200-254
# nbtscan -v 10.0.6.200-254
C:> nbtscan 10.0.6.0/24
# smbtree -b
# smbtree -D
# smbtree -S
enum4linux gives a multitude of information from a target machine. This can include usernames, password policies, user and group information, etc. It also shows what commands were used to get that information. This does not work all the time. A basic example of this would be:
# enum4linux 10.0.6.218
The host command can be used in many ways to identify information for a particular host or website. This is a good way to begin DNS and/or network infrastructure enumeration. For example:
# host www.facebook.com
facebook.com has address 188.8.131.52
facebook.com has IPv6 address 2a03:2880:2110:df07:face:b00c:0:1
facebook.com mail is handled by 10 msgin.t.facebook.com.
An example of a successful search for ipv6.google.com is the following:
# host ipv6.google.com
ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has the IPv6 address: 2607:f8b0:4004:801::1004
To identify mail servers using the host command:
# host -mx cover6solutions.com
# host -t ns cover6solutions.com
Dnsrecon is one of many tools you can use to perform a zone transfer in hopes of enumerating a domain’s DNS enumeration.
# dnsrecon -d megacorpone.com -t axfr
Probably the easiest way to perform a zone transfer in Kali is to use the dnsenum tool. Keep in mind that most sites should not allow zone transfers!
# dnsenum megacorpone.com
Probably the easiest way to perform a zone transfer in Kali is to use the fierce command. Remember most sites should not allow zone transfers!! The zone file will contain a list of all the DNS names configured in that zone. Basically, it gives you the corporate network layout.
# fierce –dns cover6solutions.com
IPv6 has been out for over 21 years. It is a protocol or method of communication just like IPv4 but with over 340 undecillion more available IP addresses. How many is that? An undecillion is so large it is a 1 followed by 36 zeros! Think of it as if for every road, highway, or path that exists there is another one directly under it that not many people know about. Now add over 340 undecillion more!
Alive6 is a tool you can use to identify IPv6 hosts on the local network segment:
# atk6-alive6 -l eth0