
Active Recon Cheat Sheet by fred

Tags: linux, security, nmap

Stealth Scanning Strategies

Risk = discovery by the target.
Camouflage tool signatures to avoid detection.
Hide the attack in legitimate traffic.
Modify the attack to hide its source and the type of traffic.
Make the attack invisible using non-standard traffic types and encryption.

Adjust Source IP Stack & Tool ID - STEALTH 1

Disable unnecessary services:
Disable DHCP: chkconfig dhcpd off
Disable IPv6: nano /etc/sysctl.conf and add:
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Tools often tag packets with an ID sequence that can trigger an IDS. Test tools against VMs and review the system logs for the tool's name. Use Wireshark to capture traffic, then search the pcaps for keywords attributed to the testing tool.

Set the Metasploit UserAgent to the Google indexing spider (user-agent strings: www.useragentstring.com):
use auxiliary/fuzzers/http/http_form_field
set UserAgent
set UserAgent Googlebot/2.1 (+http://www.google.com/bot.html)
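Defender-side counterpart to the Googlebot user-agent trick above, added here and not part of the original cheat sheet: a User-Agent claim costs nothing, so web servers verify crawlers the way Google documents it, a reverse lookup of the source IP to a googlebot.com or google.com name followed by a forward lookup back to the same IP. The log lines and the DNS answers are constructed so the example runs offline; the real_ptr and real_a helpers use the socket module when you want live lookups.

```python
import re
import socket

# Constructed web-server log lines (combined log format, invented hosts).
SAMPLE_LOG = """\
66.249.66.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/115.0"
"""

# Constructed stand-in for DNS so the example runs offline: PTR (reverse) and
# A (forward) answers.  Only the first address resolves like a real crawler.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|OPTIONS) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"$')

def claims_googlebot(user_agent: str) -> bool:
    return "googlebot" in user_agent.lower()

def verify_crawler(ip, ptr_lookup, a_lookup):
    """Google's documented check: reverse-resolve the IP, require a googlebot.com
    or google.com name, then forward-resolve that name back to the same IP."""
    host = ptr_lookup(ip)
    if not host or not (host.endswith(".googlebot.com") or host.endswith(".google.com")):
        return False
    return a_lookup(host) == ip

def real_ptr(ip):  # live reverse lookup; socket errors are subclasses of OSError
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def real_a(host):  # live forward lookup
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def flag_spoofed_crawlers(log_text, ptr_lookup=FAKE_PTR.get, a_lookup=FAKE_A.get):
    """Return source IPs whose requests claim to be Googlebot but fail verification."""
    spoofed = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ua = m.group(1), m.group(2)
        if claims_googlebot(ua) and not verify_crawler(ip, ptr_lookup, a_lookup):
            spoofed.append(ip)
    return spoofed
```

Pass real_ptr and real_a as the lookup functions to run the same check against live DNS.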

Modify Packet Parameters - STEALTH 2

Identify the goal before scanning and send the minimum number of packets.
Avoid scans that connect with the target system and leak data.
Do not ping the target or use synchronize (SYN) and nonconventional packet scans, such as acknowledge (ACK), finished (FIN), and reset (RST) packets.
Randomize or spoof packet settings: source IP, port address, MAC address.
Adjust timing to slow the arrival of packets at the target.
Change packet size by fragmenting packets or appending random data to confuse packet inspection devices.

nmap must be run as root for these options.
nmap firewall/IDS evasion reference: http://nmap.org/book/man-bypass-firewalls-ids.html

Anonymity (Tor & Privoxy) - STEALTH 3

Onion routing enables online anonymity by encrypting user traffic and then transmitting it through a series of onion routers. At each router, one layer of encryption is removed to obtain the routing information, and the message is then transmitted to the next node.
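The layered encryption described above, as an added illustration that is not part of the original cheat sheet: the client wraps the message once per router, each router peels only its own layer and learns just the next hop, and the exit node ends up holding the plaintext (the sniffing risk listed in the Tor note below). The cipher, router names and keys are constructed stand-ins for illustration, not Tor's protocol.

```python
import hashlib

# Toy stream cipher for illustration only (SHA-256 keystream XORed over the data);
# Tor's real circuit crypto is AES-CTR under keys negotiated with each router.
def keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

HOP_FIELD = 16  # fixed-width "next hop" header each router reads after peeling its layer

def build_onion(path, keys, message):
    """Client side: wrap the message once per router, innermost layer for the exit.
    path is the ordered list of router names, keys maps name -> shared key."""
    payload, next_hop = message, b"EXIT"
    for name in reversed(path):
        payload = keystream_xor(keys[name], next_hop.ljust(HOP_FIELD, b"\0") + payload)
        next_hop = name.encode()
    return payload

def peel_layer(key, onion):
    """Router side: strip exactly one layer, learning only the next hop and an opaque blob."""
    plain = keystream_xor(key, onion)
    return plain[:HOP_FIELD].rstrip(b"\0").decode("ascii", "replace"), plain[HOP_FIELD:]

def route(path, keys, onion):
    """Simulate the circuit: each router peels and forwards until the exit sees EXIT."""
    current, hops = path[0], []
    while True:
        next_hop, onion = peel_layer(keys[current], onion)
        hops.append((current, next_hop))
        if next_hop == "EXIT":
            return hops, onion  # the exit node now holds the plaintext it could sniff
        current = next_hop

# Constructed demo circuit with deterministic per-router keys (not a Tor handshake).
DEMO_PATH = ["guard", "middle", "exit"]
DEMO_KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in DEMO_PATH}

def demo(message=b"GET / HTTP/1.1"):
    onion = build_onion(DEMO_PATH, DEMO_KEYS, message)
    hops, delivered = route(DEMO_PATH, DEMO_KEYS, onion)
    # What the middle router gets if it applies its own key to the outer onion: noise.
    _, middle_view = peel_layer(DEMO_KEYS["middle"], onion)
    return {"onion": onion, "hops": hops, "delivered": delivered, "middle_view": middle_view}
```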

Install Tor: apt-get install tor
Configure Proxychains: nano /etc/proxychains.conf
Disable strict_chain. Enable dynamic_chain.
Edit [ProxyList] and ensure the line socks5 127.0.0.1 9050 exists.
Start Tor: service tor start
Verify Tor: service tor status
Verify source IP: iceweasel www.whatismyip.com
Invoke Tor routing with Proxychains: proxychains iceweasel www.whatismyip.com
Whois lookup the IP to confirm Tor is active.
Tor verify: https://check.torproject.org
DNS leak test: www.dnsleaktest.com

Note
Owners of exit nodes can sniff traffic and may be able to access credentials.
Vulnerabilities in the Tor Browser Bundle can be used by law enforcement to exploit systems.
ProxyChains does not handle UDP.
Some applications will not run through it (Metasploit, Nmap, ...). A stealth SYN scan breaks out of proxychains and can leak information to the target.
Browser applications can leak your IP (ActiveX, PDF, Flash, Java, RealPlayer, QuickTime).
Clear and block cookies before browsing.

Tor-Buddy
Allows you to control how frequently the Tor IP is refreshed: http://sourceforge.net/projects/linuxscripts/files/Tor-Buddy/

Zenmap - STEP 1

Zenmap
http://nmap.org/zenmap/
The official Nmap Security Scanner GUI.
Use this as an entry point and then use nmap scans to gather additional data.

Maltego

Maltego (www.paterva.com) is an open source intelligence and forensics application for visualizing relationships among data, using data mining and link analysis.

Identifying Network Infrastructure

traceroute provides basic information on packet filtering abilities.
lbd uses two DNS- and HTTP-based techniques to detect load balancers.
miranda.py identifies universal plug-and-play (UPnP) devices.
nmap detects devices and determines the operating systems and their version:
nmap -sSV -A -p- -T5 192.168.56.101

Shodan search engine identifies devices connected to the Internet, including those with default passwords, known misconfigurations, and vulnerabilities.

Live Host Discovery

Run ping sweeps against a target address space and look for responses that indicate a particular target is live. (TCP, UDP, ICMP, ARP)

alive6, detect-new-ip6: IPv6 host detection. detect-new-ip6 runs on a scripted basis and identifies new IPv6 devices when they are added.

dnmap, nmap: nmap is the standard network enumeration tool. dnmap is a distributed client-server implementation of the nmap scanner. PBNJ stores nmap results in a database and then conducts historical analyses to identify new hosts.

fping, hping2, hping3, nping: packet crafters that probe targets in various ways to identify live hosts.

Port Scanning

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Nmap port discovery is very noisy and will be logged by network security devices.
Only test necessary ports.
Port scanning can impact a network, and old equipment might lock up.
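Because the port discovery above is logged, the usual detection on the defending side is a per-source count of distinct destination ports within a short window. This added example (not from the cheat sheet) runs that logic over constructed iptables-style log lines; the addresses, the host name gw, the year and the 10-ports-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (invented addresses): 203.0.113.7 probes
# twelve ports in twelve seconds, while 198.51.100.9 opens two ordinary connections.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SAMPLE_LOG = "\n".join(
    f"Oct 10 13:55:{i:02d} gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 "
    f"PROTO=TCP SPT={40000 + i} DPT={port} SYN"
    for i, port in enumerate(SCAN_PORTS)
) + """
Oct 10 13:55:05 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Oct 10 13:56:30 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def parse_events(log_text, year=2023):
    """Return (timestamp, src, dst, dport) per TCP line; syslog has no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Flag sources hitting >= threshold distinct ports on one host inside `window`;
    returns {src: largest number of distinct ports seen in any such window}."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse_events(log_text):
        hits[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, _dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

def distinct_ports_per_source(log_text):
    """Time-unbounded count, for scans slowed down to stay under the windowed threshold."""
    ports = defaultdict(set)
    for _ts, src, _dst, dport in parse_events(log_text):
        ports[src].add(dport)
    return {src: len(p) for src, p in ports.items()}
```

Slowing packet timing (the adjustment listed under STEALTH 2) is aimed at exactly this window, which is why distinct_ports_per_source keeps a count with no time bound as well.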

Determ­ining Active Services

Identify default ports and services.

Banner grabbing: netcat, nmap, telnet

Review default web pages: some applications install with default administration, error, or other pages.

Review source code: poorly configured web-based applications may respond to certain HTTP requests, such as HEAD or OPTIONS, with a response that includes the web server software version and possibly the base operating system or the scripting environment in use.

Fingerprinting the OS

Active: the attacker sends normal and malformed packets to the target and records its response pattern (fingerprint), which is compared against a database to determine the OS.
Passive: the attacker sniffs, or records and analyses, the packet stream to determine the characteristics of the packets.

xprobe2 uses different TCP, UDP, and ICMP packets to bypass firewalls and avoid detection by IDS/IPS systems.

Nmap Scripting Engine (NSE)

http://nmap.org/nsedoc/
Scripts are written in Lua.

Recon of IPv4 and IPv6 DNS data
Identify web application firewalls, IDS, IPS
Test firewall rulesets (via firewalk) and attempt to bypass the firewall
Harvesting user names from the target and online sites
Brute-force guessing of passwords
Crawling the target network to identify network shares
Extract EXIF metadata from images on a defined website
Geographical localization of IPs
Network attacks such as IPv6 packet flooding
Fuzzing and SQL injection testing

Screenshot web services (wkhtmltoimage): http://wkhtmltopdf.googlecode.com
Screenshot NSE script: https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse

Recon-ng

recon-ng
Modules are written in Python.
show: shows available modules.
search: searches available modules.
info: information on how the module works.
show options: options that can be set.
set: sets the options.
run: executes the module.

Harvest contacts (whois, jigsaw, linkedin, twitter); use the mangle module to extract and present e-mail data.
Identify hosts.
Identify geographical locations of hosts and individuals using hostop, ipinfodb, maxmind, uniapple, wigle.
Identify host information using netcraft and related modules.
Identify account and password information that has previously been compromised and leaked onto the Internet (the pwnedlist modules, wascompanyhacked, xssed, and punkspider).

Vulner­ability Scanning

Loud and easily detected.
Usually signature based and can only detect known vulnerabilities with recognition signatures.
False positive results with a rate as high as 70%.
Network scanning watch list for devices known to fail when scanned: www.digininja.org

Scanning may breach laws in some countries

In Kali, found in the Vulnerability Analysis submenu and the Web Vulnerability Scanners menu.

OpenVAS: Open Vulnerability Assessment System
Nexpose: www.rapid7.com
Nessus: www.nessus.org


Comments

kybia kybia, 19:19 22 Sep 18

Excellent work!
