
Active Recon Cheat Sheet by fred

linux     security     nmap

Stealth Scanning Strategies

Risk = Discovery By The Target.
Camouflage tool signatures to avoid detection.
Hide attack in legitimate traffic.
Modify the attack to hide its source and the type of traffic.
Make the attack invisible using non-standard traffic types and encryption.

Adjust Source IP Stack & Tool ID - STEALTH 1

Disable Unnecessary Services:
Disable DHCP: chkconfig dhcpd off
Disable IPv6: nano /etc/sysctl.conf and add
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Tools often tag packets with an identifying sequence or string that can trigger an IDS signature. Test each tool against a VM and review the VM's system logs for the tool's name. Use Wireshark to capture the traffic, then search the pcaps for keywords attributed to the testing tool.

Set the Metasploit UserAgent to Google's indexing spider (user-agent strings: www.useragentstring.com):
use auxiliary/fuzzers/http/http_form_field
set UserAgent Googlebot/2.1 (+http://www.google.com/bot.html)
A spoofed Googlebot UA only defeats naive signature matching: a target can unmask it by checking that reverse DNS of the source IP resolves under googlebot.com and that the name forward-resolves back to the same IP.
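As an added example that is not part of the original cheat sheet, the log review described above done in Python: it parses constructed Apache combined-log lines, flags User-Agents that carry a scanning tool's signature, and shows why the Googlebot User-Agent set above slips past that check. The Nmap Scripting Engine string is Nmap's documented default User-Agent; the other signatures, the IP addresses and the requests are made up. verify_googlebot needs DNS access and is the check a defender uses to unmask a spoofed Googlebot.

```python
# Added example, not from the cheat sheet: flag scanner User-Agents in web logs
# and show why a Googlebot UA passes the UA check but not reverse-DNS verification.
import re
import socket
from typing import List, Optional, Tuple

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures keyed by tool. The Nmap Scripting Engine string is Nmap's
# documented default User-Agent; the rest are illustrative substrings.
TOOL_SIGNATURES = {
    "nmap-nse": re.compile(r"Nmap Scripting Engine", re.I),
    "nikto": re.compile(r"\bNikto\b", re.I),
    "sqlmap": re.compile(r"\bsqlmap\b", re.I),
    "masscan": re.compile(r"\bmasscan\b", re.I),
}


def classify_user_agent(ua: str) -> Optional[str]:
    """Return the tool whose signature matches, 'empty-ua' if none was sent, else None."""
    if not ua or ua == "-":
        return "empty-ua"
    for tool, pattern in TOOL_SIGNATURES.items():
        if pattern.search(ua):
            return tool
    return None


def flag_scanner_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse combined-log lines; return (source ip, tool) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue               # not a combined-log line; skip rather than guess
        tool = classify_user_agent(m.group("ua"))
        if tool:
            hits.append((m.group("ip"), tool))
    return hits


def claims_googlebot(ua: str) -> bool:
    return "Googlebot" in (ua or "")


def verify_googlebot(ip: str) -> bool:
    """Google's published check: reverse DNS of the IP must end in googlebot.com
    or google.com, and the forward lookup of that name must contain the IP.
    Needs DNS access; a spoofed UA from an arbitrary source IP fails here."""
    try:
        host = socket.gethostbyaddr(ip)[0]
        if not host.endswith((".googlebot.com", ".google.com")):
            return False
        return ip in socket.gethostbyname_ex(host)[2]
    except OSError:
        return False


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2018:19:19:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '10.0.0.6 - - [22/Sep/2018:19:19:02 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" '
    '"Googlebot/2.1 (+http://www.google.com/bot.html)"',
    '10.0.0.7 - - [22/Sep/2018:19:19:03 +0000] "GET /admin HTTP/1.1" 404 210 "-" "-"',
    '10.0.0.8 - - [22/Sep/2018:19:19:04 +0000] "GET /index.php?id=1 HTTP/1.1" 200 900 "-" '
    '"sqlmap/1.2 (http://sqlmap.org)"',
]

if __name__ == "__main__":
    for ip, tool in flag_scanner_requests(SAMPLE_LOG):
        print(f"{ip}: {tool}")
```

The Nmap and sqlmap lines and the empty User-Agent are flagged; the Googlebot line is not, which is exactly the gap the spoofed UA exploits and the reverse-DNS check closes.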

Modify Packet Parameters - STEALTH 2

Identify the goal before scanning and send the minimum number of packets.
Avoid scans that connect to the target system and leak data.
Do not ping the target or use synchronize (SYN) and nonconventional packet scans, such as acknowledge (ACK), finished (FIN), and reset (RST) packets.
Randomize or spoof packet settings: source IP, source port, MAC address.
Adjust timing to slow the arrival of packets at the target.
Change the packet size by fragmenting packets or appending random data to confuse packet inspection devices.

nmap must be run as root for its raw-packet features (SYN, ACK, FIN and other non-connect scans, OS detection, fragmentation, decoys, spoofed source IP or MAC).
nmap firewall/IDS evasion options: http://nmap.org/book/man-bypass-firewalls-ids.html
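An added example (not from the cheat sheet or from nmap itself) that maps the bullets above to nmap's own options and checks the root requirement before running. Target, ports, decoy count and delay are made up; the combinations it refuses (decoys, fragmentation and source tricks together with a connect scan) are the ones nmap's documentation describes as raw-packet-only.

```python
# Added example, not from the cheat sheet: build a low-and-slow nmap command
# line from the stealth bullets above and enforce nmap's privilege rules.
import os
import subprocess
from typing import List, Optional

# nmap options that write raw packets and therefore need root (CAP_NET_RAW).
RAW_PACKET_OPTS = {"-sS", "-sA", "-sF", "-sN", "-sX", "-O", "-f",
                   "-D", "-S", "--spoof-mac", "-g", "--source-port"}


def stealth_scan_argv(target: str, ports: str, *, connect_scan: bool = False,
                      decoys: int = 5, fragment: bool = True,
                      spoof_mac: Optional[str] = None,
                      scan_delay: str = "1s") -> List[str]:
    """Build an nmap argv that follows the bullets above: no ping, no DNS,
    slow timing, only the ports you need, and obscured packet parameters."""
    argv = ["nmap",
            "-Pn",                              # skip host-discovery pings
            "-n",                               # no reverse DNS lookups
            "-T2", "--scan-delay", scan_delay,  # slow the arrival of packets
            "--randomize-hosts",
            "-p", ports]                        # minimum necessary ports
    if connect_scan:
        # -sT completes the TCP handshake; it works unprivileged and through
        # proxychains, but nmap documents decoys, fragmentation and source
        # address/port tricks as raw-packet features that do not apply to it.
        if decoys or fragment or spoof_mac:
            raise ValueError("decoys, -f and --spoof-mac need a raw-packet scan, not -sT")
        argv.append("-sT")
    else:
        argv.append("-sS")                      # half-open SYN scan, handshake never completed
        if fragment:
            argv += ["-f", "--data-length", "24"]   # split headers, pad with random bytes
        if decoys:
            argv += ["-D", f"RND:{decoys}"]         # hide the real source among random decoys
        if spoof_mac:
            argv += ["--spoof-mac", spoof_mac]       # only matters on the local segment
    argv.append(target)
    return argv


def needs_root(argv: List[str]) -> bool:
    return any(opt in RAW_PACKET_OPTS for opt in argv)


def run_scan(argv: List[str]) -> str:
    """Run nmap only if the privilege requirement is satisfied."""
    if needs_root(argv) and os.geteuid() != 0:
        raise PermissionError("raw-packet options present: run nmap as root")
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Target, ports and decoy count are made up for the example.
    print(" ".join(stealth_scan_argv("192.168.56.101", "22,80,443")))
```

The SYN profile needs root; the connect-scan profile does not, which is why it is the one that works through proxychains (see the Tor notes below).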

Anonymity (Tor & Privoxy) - STEALTH 3

Onion routing enables online anonymity by encrypting user traffic and then transmitting it through a series of onion routers. At each router, a layer of encryption is removed to obtain routing information, and the message is then transmitted to the next node.

Install Tor: apt-get install tor
nano /etc/proxychains.conf
Disable strict_chain. Enable dynamic_chain.
Edit [ProxyList] and ensure socks5 127.0.0.1 9050 exists.
Start Tor: service tor start
Verify Tor: service tor status
Verify Source IP: iceweasel www.whatismyip.com
Invoke Tor Routing with Proxychains: proxychains iceweasel www.whatismyip.com
Whois lookup the IP to confirm Tor is active.
Tor Verify: https://check.torproject.org
DNS Leak Test: www.dnsleaktest.com
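An added example, not part of the original cheat sheet, that checks a proxychains.conf against the steps above and rewrites it when it does not match. It also keeps proxy_dns on, the setting that sends name resolution through the chain so the DNS leak test above comes back clean. The sample config is constructed to resemble a stock file (strict_chain on, a socks4 entry for Tor) and is not copied from any distribution.

```python
# Added example, not from the cheat sheet: audit and repair proxychains.conf
# (strict_chain off, dynamic_chain on, proxy_dns on, socks5 entry for Tor).
import re
from typing import Dict, List, Set, Tuple

TOR_ENTRY = ("socks5", "127.0.0.1", "9050")


def _parse(text: str) -> Tuple[Set[str], List[Tuple[str, ...]]]:
    """Return (active option names, [ProxyList] entries as (type, host, port))."""
    options: Set[str] = set()
    proxies: List[Tuple[str, ...]] = []
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        if line.lower() == "[proxylist]":
            in_list = True
        elif in_list:
            fields = line.split()
            if len(fields) >= 3:
                proxies.append(tuple(fields[:3]))
        else:
            options.add(line.split()[0].lower())
    return options, proxies


def audit_proxychains(text: str) -> Dict[str, bool]:
    """One boolean per requirement from the steps above (plus proxy_dns)."""
    options, proxies = _parse(text)
    return {
        "strict_chain_disabled": "strict_chain" not in options,
        "dynamic_chain_enabled": "dynamic_chain" in options,
        "proxy_dns_enabled": "proxy_dns" in options,   # resolve names via the proxy
        "tor_socks5_present": TOR_ENTRY in proxies,
    }


def fix_proxychains(text: str) -> str:
    """Rewrite the config so every audit check passes, keeping comments."""
    out: List[str] = []
    have_dynamic = have_dns = have_tor = in_list = False
    for raw in text.splitlines():
        stripped = raw.strip()
        code = stripped.split("#", 1)[0].strip()
        if code.lower() == "[proxylist]":
            if not have_dynamic:                  # add missing options before the list
                out.append("dynamic_chain"); have_dynamic = True
            if not have_dns:
                out.append("proxy_dns"); have_dns = True
            in_list = True
        elif not in_list:
            if code.startswith(("strict_chain", "random_chain")):
                out.append("#" + raw.lstrip("#")); continue            # comment out
            if re.match(r"#?\s*dynamic_chain\b", stripped):
                out.append("dynamic_chain"); have_dynamic = True; continue
            if re.match(r"#?\s*proxy_dns\b", stripped):
                out.append("proxy_dns"); have_dns = True; continue
        elif code:
            fields = code.split()
            if len(fields) >= 3 and tuple(fields[1:3]) == TOR_ENTRY[1:]:
                # Upgrade an existing Tor entry (e.g. socks4) to socks5 in place
                # rather than appending a second hop through the same daemon.
                out.append(" ".join(TOR_ENTRY)); have_tor = True; continue
        out.append(raw)
    if not in_list:
        out.append("[ProxyList]")
    if not have_tor:
        out.append(" ".join(TOR_ENTRY))
    return "\n".join(out) + "\n"


# Constructed sample resembling a stock file: strict chaining, socks4 entry.
SAMPLE_CONF = """\
# proxychains.conf  VER 3.1 (constructed sample)
#dynamic_chain
strict_chain
#random_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
socks4 127.0.0.1 9050
"""

if __name__ == "__main__":
    print(audit_proxychains(SAMPLE_CONF))
    print(fix_proxychains(SAMPLE_CONF), end="")
```

Run the audit before and after editing the real file; proxy_dns is what keeps a proxied browser from resolving names through your own resolver, which is the leak dnsleaktest.com reports.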

Note
Owners of exit nodes can sniff traffic and may be able to capture credentials.
Vulnerabilities in the Tor Browser Bundle can be used by law enforcement to exploit systems.
ProxyChains does not handle UDP.
Some applications will not run (Metasploit, Nmap...). ProxyChains hooks libc socket calls via LD_PRELOAD; a stealth SYN scan (nmap -sS) writes raw packets that never pass through those hooks, so it escapes proxychains and leaks your real IP to the target. Use a connect scan (-sT) if you must scan through it.
Browser plugins can leak your IP (ActiveX, PDF, Flash, Java, RealPlayer, QuickTime).
Clear and block cookies before browsing.

Tor-Buddy
Allows you to control how frequently the Tor IP is refreshed: http://sourceforge.net/projects/linuxscripts/files/Tor-Buddy/
 

Zenmap - STEP 1

Zenmap
http://nmap.org/zenmap/
The official Nmap Security Scanner GUI.
Use this as an entry point, then use nmap scans to gather additional data.

Maltego

Maltego (www.paterva.com) is an open source intelligence and forensics application for visualizing relationships among data, using data mining and link analysis.

Identi­fying Network Infras­tru­cture

traceroute provides basic information on packet filtering abilities.
lbd uses two DNS- and HTTP-based techniques to detect load balancers.
miranda.py identifies Universal Plug and Play (UPnP) devices.
nmap detects devices and determines the operating systems and their versions.
nmap -sSV -A -p- -T5 192.168.56.101 (-T5 is nmap's fastest and noisiest timing template; it sacrifices accuracy and stealth for speed, so expect it to be logged)
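An added example (not part of the original cheat sheet) that parses nmap XML output, as produced by adding -oX to a scan like the one above, into open ports, probed service versions and the best OS match, so results can be filtered or stored instead of read off the screen. The XML is a constructed sample; the host, MAC, services and versions in it are made up.

```python
# Added example, not from the cheat sheet: turn nmap -oX output into records
# of open ports, -sV service versions and the highest-accuracy OS match.
import xml.etree.ElementTree as ET
from typing import Dict, List


def parse_nmap_xml(text: str) -> List[Dict]:
    """Return one record per host that is up, with open ports and OS match."""
    hosts = []
    for host in ET.fromstring(text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        rec = {"ip": addr.get("addr") if addr is not None else None,
               "hostnames": [h.get("name") for h in host.iter("hostname")],
               "open_ports": [],
               "os": None}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not services
            svc = port.find("service")
            # product/version/extrainfo only appear after -sV probing;
            # a name alone comes from the port table (method="table").
            version = ""
            conf = 0
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version"),
                                                 svc.get("extrainfo")]))
                conf = int(svc.get("conf", 0))
            rec["open_ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "version": version,
                "conf": conf,
            })
        best = max(host.iter("osmatch"),
                   key=lambda m: int(m.get("accuracy", 0)), default=None)
        if best is not None:
            rec["os"] = (best.get("name"), int(best.get("accuracy")))
        hosts.append(rec)
    return hosts


def service_summary(hosts: List[Dict]) -> List[str]:
    """Flatten to 'ip:port/proto service version' lines, one per open port."""
    return [f"{h['ip']}:{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip()
            for h in hosts for p in h["open_ports"]]


# Constructed sample of nmap XML output (values are made up).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sSV -A -p- -oX - 192.168.56.101" version="7.80">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.101" addrtype="ipv4"/>
<address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
<hostnames><hostname name="lab-target" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.7p1" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.8" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="95"/><osmatch name="Linux 2.6.18" accuracy="90"/></os>
</host>
<host><status state="down" reason="no-response"/><address addr="192.168.56.102" addrtype="ipv4"/></host>
</nmaprun>
"""

if __name__ == "__main__":
    for line in service_summary(parse_nmap_xml(SAMPLE_XML)):
        print(line)
```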

Shodan: a search engine that identifies devices connected to the Internet, including those with default passwords, known misconfigurations, and vulnerabilities.

Live Host Discovery

Run ping sweeps against a target address space and look for responses that indicate a particular target is live. (TCP, UDP, ICMP, ARP)

alive6, detect-new-ip6 - IPv6 host detection. detect-new-ip6 runs on a scripted basis and identifies new IPv6 devices as they are added.

dnmap, nmap - nmap is the standard network enumeration tool. dnmap is a distributed client-server implementation of the nmap scanner. PBNJ stores nmap results in a database, then conducts historical analyses to identify new hosts.

fping, hping2, hping3, nping - Packet crafters that probe targets in various ways to identify live hosts.

Port Scanning

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Nmap port discovery is very noisy and will be logged by network security devices.
Only test necessary ports.
Port scanning can impact a network, and old equipment might lock up.

Determ­ining Active Services

Identify default ports and services.

Banner Grabbing
netcat, nmap, telnet

Review Default Web Pages: Some applications install with default administration, error, or other pages.

Review Source Code: Poorly configured web-based applications may respond to certain HTTP requests such as HEAD or OPTIONS with a response that includes the web server software version and, possibly, the base operating system or the scripting environment in use.
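An added example, not from the original cheat sheet, of banner grabbing in Python: connect, optionally send an HTTP HEAD or OPTIONS request, and keep only the headers that disclose software versions. The network functions need a reachable host; SAMPLE_RESPONSE is a constructed reply, and the Server and X-Powered-By values in it are made up.

```python
# Added example, not from the cheat sheet: raw-socket banner grab plus
# HEAD/OPTIONS probing, keeping only the headers that leak versions.
import socket
from typing import Dict

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator", "via", "allow")


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> bytes:
    """Connect, optionally send a probe, and return what the service says first.
    SSH, SMTP and FTP announce themselves unprompted; HTTP needs a request."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while sum(len(c) for c in chunks) < 4096:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, TimeoutError):
            pass                              # quiet service: return what we have
    return b"".join(chunks)


def http_probe(host: str, method: str = "HEAD", path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request. Host is mandatory; Connection: close makes the
    server end the exchange so recv() does not sit out the whole timeout."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n").encode()


def fingerprint_http(raw: bytes) -> Dict[str, str]:
    """Parse the status line and headers; keep those that disclose software."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    result = {"status": lines[0] if lines else ""}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in VERSION_HEADERS:
            result[name.strip().lower()] = value.strip()
    return result


def fingerprint_target(host: str, port: int = 80, method: str = "HEAD") -> Dict[str, str]:
    """Network wrapper: send the probe to a live host and fingerprint the reply."""
    return fingerprint_http(grab_banner(host, port, http_probe(host, method)))


# Constructed sample reply (not from a real server) showing what a poorly
# configured stack gives away to an OPTIONS request.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Sat, 22 Sep 2018 19:19:01 GMT\r\n"
                   b"Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10\r\n"
                   b"X-Powered-By: PHP/5.2.4-2ubuntu5.10\r\n"
                   b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(fingerprint_http(SAMPLE_RESPONSE))
```

Allow listing TRACE is itself a finding worth noting alongside the version strings.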
 

Finger­pri­nting the OS

Active: The attacker sends normal and malformed packets to the target and records its response pattern (fingerprint), which is compared against a database to determine the OS.
Passive: The attacker sniffs, or records and analyses, the packet stream to determine the characteristics of the packets.

xprobe2 uses different TCP, UDP and ICMP packets in an attempt to pass firewalls and avoid detection by IDS/IPS systems.

Nmap Scripting Engine (NSE)

http://nmap.org/nsedoc/
Scripts are written in Lua.

Recon of IPv4 & IPv6 DNS data
Identify web application firewalls, IDS, IPS
Test firewall rulesets (via firewalk) and attempt to bypass the firewall
Harvesting user names from the target and online sites
Brute-force guessing of passwords
Crawling the target network to identify network shares
Extract EXIF metadata from images on a defined website
Geographical localization of IPs
Network attacks such as IPv6 packet flooding
Fuzzing and SQL injection testing

Screenshot Web Services (wkhtmltoimage): http://wkhtmltopdf.googlecode.com
Screenshot NSE Script: https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse

Recon-ng

recon-ng
Modules are written in Python.
show: list available modules.
search: search available modules.
info: information on how the module works.
show options: options that can be set.
set: sets an option.
run: executes the module.

Harvest contacts (whois, jigsaw, linkedin, twitter); use the mangle module to extract and present e-mail data
Identify hosts
Identify geographical locations of hosts and individuals using hostop, ipinfodb, maxmind, uniapple, wigle
Identify host information using netcraft and related modules
Identify account and password information that has previously been compromised and leaked onto the Internet (the pwnedlist modules, wascompanyhacked, xssed, and punkspider)

Vulner­ability Scanning

Loud and easily detected.
Usually signature based, so they can only detect known vulnerabilities that have recognition signatures.
False-positive rates can be as high as 70%.
Network Scanning Watch List for devices known to fail when scanned: www.digininja.org

Scanning may breach laws in some countries

In Kali, found in Vulner­ability Analysis submenu and Web Vulner­ability Scanners menu.

OpenVAS Open Vulnerability Assessment System
Nexpose www.rapid7.com
Nessus www.nessus.org


Comments

kybia, 19:19 22 Sep 18

Excellent work!
