If the engagement is not an assumed breach, initial access has to be gained through external research (reconnaissance).
There are two main facets of recon - organisational and technical.
During “organisational” recon, you’re focused on collecting information about the organisation. This can include the people who work there (names, jobs and skills), the organisational structure, site locations and business relationships.
During “technical” recon, you’re looking for systems such as public-facing websites, mail servers, remote access solutions, and any vendors or products in use, particularly defensive ones - web proxies, email gateways, firewalls, antivirus etc.
Information can be gathered in two ways: actively and passively.
Passive Information Gathering
Dig
dig $domain
dig +tcp @192.168.20.10 adfs.0x0security.local
Resolve the domain against the DNS server at 192.168.20.10 (+tcp forces the query over TCP instead of UDP).
Spoof check
spoofy -d $domain -o stdout
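The check spoofy performs comes down to reading the target domain's SPF and DMARC records together. The following is an added example, not part of the original notes and not spoofy's code: it takes SPF and DMARC record strings that were already fetched (for example with dig TXT domain.com and dig TXT _dmarc.domain.com) and classifies the domain's exposure to header-From spoofing. All records in it are constructed samples; no real domain's data is used.

```python
"""
Added example (not part of the original notes): a small SPF/DMARC posture check
of the kind spoofy automates. It works on record strings you have already
fetched (dig TXT <domain> / dig TXT _dmarc.<domain>), so it runs offline.
The records below are constructed samples, not any real domain's data.
"""
import re
from typing import Optional


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Qualifier of the terminal 'all' mechanism: '-', '~', '?' or '+'.

    None means there is no SPF record. A record with no 'all' mechanism
    yields 'neutral' for unlisted senders, which we report as '?'.
    """
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return "?"


def dmarc_tags(dmarc: Optional[str]) -> dict:
    """Parse 'tag=value; tag=value' into a lower-cased dict (empty if no record)."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def assess_spoofability(spf: Optional[str], dmarc: Optional[str]) -> str:
    """Classify exposure to direct header-From spoofing of the domain itself.

    DMARC is what ties the visible From: domain to an aligned SPF or DKIM pass.
    Without an enforcing DMARC policy, receivers are not told to act on a
    failure; with one, a forged message is only accepted if SPF lets any
    sender pass (+all), since the forger cannot produce a valid DKIM signature.
    """
    qualifier = spf_all_qualifier(spf)
    tags = dmarc_tags(dmarc)
    policy = tags.get("p")
    pct = int(tags.get("pct") or 100)

    if policy is None:
        return "spoofable: no DMARC record"
    if policy == "none":
        return "spoofable: DMARC p=none (monitor only)"
    if qualifier == "+":
        return "spoofable: SPF ends in +all, so any sender passes aligned SPF"
    if pct < 100:
        return f"partially enforced: DMARC p={policy} applies to {pct}% of failing mail"
    if qualifier is None:
        return f"protected by DMARC p={policy} (no SPF record; forged mail fails on missing DKIM)"
    return f"protected: SPF {qualifier}all with DMARC p={policy}"


if __name__ == "__main__":
    # Constructed record pairs covering the common postures.
    samples = [
        ("v=spf1 include:_spf.example.net -all", None),
        ("v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
        ("v=spf1 +all", "v=DMARC1; p=reject"),
        ("v=spf1 ~all", "v=DMARC1; p=quarantine; pct=50"),
        ("v=spf1 ip4:203.0.113.0/24 -all", "v=DMARC1; p=reject"),
    ]
    for spf, dmarc in samples:
        print(f"{spf!r:45} {dmarc!r:50} -> {assess_spoofability(spf, dmarc)}")
```

The verdicts only cover the domain itself; subdomain policy (sp=) and third parties authorised through include: are separate questions that a full assessment, spoofy's included, also has to answer.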
Whois
whois $IP
searchdns.netcraft.com
If the whois output shows Cloudflare in front of the domain, the origin web server could be hosted either on premises or in the cloud.
If it is in the cloud, obtain proper permission from the cloud service provider before testing.
Also explore Recon-ng, GitHub, Pastebin and Maltego.
theHarvester
theharvester -d domain.com -b google
Active Information Gathering
DNS
- Find the IP address:
host www.domain.com
- The -t flag requests a specific record type (MX, TXT, SRV, ...).
- SRV Record (Service Record)
  - Purpose: used to locate services (SIP, Kerberos, LDAP) within a domain; the record carries priority, weight, port and target.
  - Example: _ldap._tcp.example.com → dc1.example.com:389
Zone Transfer
- A DNS zone file holds every record for the zone, i.e. the infrastructure listing we are after. A server that allows zone transfers (AXFR) to arbitrary clients hands it over in one request.
host -l domain.com dns_server_address
dnsrecon -d domainname.com -t axfr
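From the defender's side, the same AXFR requests shown above are easy to spot in the authoritative server's query log. The following is an added example, not part of the original notes: it scans BIND 9 style query-log lines for AXFR/IXFR requests from any client that is not an authorised secondary. The log excerpt and the secondary's address are constructed and assumed values.

```python
"""
Added example (not part of the original notes): flag zone-transfer requests in
BIND query logs that come from anything other than the authorised secondaries.
The log lines are constructed samples in BIND 9's default query-log layout;
the secondary address is an assumed value.
"""
import re
from typing import Iterable, List, Tuple

# Constructed query-log excerpt. Field layout follows BIND 9 'querylog':
#   <timestamp> client [@ptr] <ip>#<port> (<qname>): query: <qname> IN <qtype> <flags> (<server ip>)
SAMPLE_LOG = """\
12-Mar-2024 10:15:01.123 client @0x7f3a4c00 10.0.0.53#43211 (example.com): query: example.com IN AXFR -E(0) (10.0.0.5)
12-Mar-2024 10:15:02.456 client @0x7f3a4c00 198.51.100.77#51234 (example.com): query: example.com IN AXFR -E(0) (10.0.0.5)
12-Mar-2024 10:15:03.789 client @0x7f3a4c00 198.51.100.77#51235 (www.example.com): query: www.example.com IN A -E(0) (10.0.0.5)
12-Mar-2024 10:15:04.012 client @0x7f3a4c00 203.0.113.9#40001 (example.com): query: example.com IN IXFR -E(0) (10.0.0.5)
"""

# Assumed: the only host that is supposed to pull the zone.
AUTHORISED_SECONDARIES = {"10.0.0.53"}

XFR_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<zone>[^)]+)\): query: \S+ IN (?P<qtype>AXFR|IXFR)"
)


def unauthorised_transfers(lines: Iterable[str],
                           allowed=AUTHORISED_SECONDARIES) -> List[Tuple[str, str, str]]:
    """Return (client_ip, zone, qtype) for every transfer query from a non-secondary.

    Ordinary A/MX/... lookups never match XFR_RE, so they are ignored.
    """
    hits = []
    for line in lines:
        m = XFR_RE.search(line)
        if m and m.group("ip") not in allowed:
            hits.append((m.group("ip"), m.group("zone"), m.group("qtype")))
    return hits


if __name__ == "__main__":
    for ip, zone, qtype in unauthorised_transfers(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {qtype} of {zone} requested by {ip}")
```

A hit here means the server at least saw the request; whether it answered depends on its allow-transfer configuration (in BIND, the allow-transfer option), which should list only the secondaries.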
Subdomains
./dnscan.py -d partech.com -w subdomains-1000.txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://ghost.htb:8008/ -H 'Host: FUZZ.ghost.htb' -fl 185
RustScan & Nmap
rustscan -a 192.168.181.140 192.168.181.141 192.168.181.142 --ulimit 5000 -- -Pn -sC -sV -oA challenge2
sudo nmap -sC -sV -T4 -oA 172.16.20.50 172.16.20.50 -Pn
- Nmap ping scan
nmap -sn 10.10.110.0/24
On the wire, -sn sends:
- ARP requests (on the local LAN)
- ICMP Echo Requests (on all networks)
- Marks a host as up if a response is received
Nikto
nikto -host $IP
SearchSploit
searchsploit drupal 8
Feroxbuster
feroxbuster -k -u http://$ip:$port --force-recursion -C 404,405 -m GET,POST -e -x html,js,php
WPScan
wpscan --url http://blogger.thm/assets/fonts/blog --plugins-detection aggressive
Droopescan
droopescan scan drupal -u $ip:$port -t 32
NFS
showmount -e 10.10.201.38
sudo mount -t nfs -o vers=3,nolock 10.10.201.38:/opt/share ./shared
sudo mount -t nfs -o vers=2,nolock 10.10.201.38:/opt/share ./shared
- If we can mount a share but cannot read a file because it belongs to a different uid, create a local user and give it the same uid as the file owner (1014 in this example); the NFS server trusts the uid the client presents, so the file becomes readable as that user.
sudo adduser pwn
sudo sed -i -e 's/1001/1014/g' /etc/passwd
(1001 is the uid adduser assigned to pwn; note that the global replace rewrites every occurrence of 1001 in /etc/passwd, not just that one field.)
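The uid trick above works because an export without squashing trusts whatever uid the client presents, and an export open to any host lets any client present any uid. As an added example, not part of the original notes, the following audits /etc/exports style lines for exactly those conditions (wildcard client lists, missing all_squash on world-accessible exports, no_root_squash). The exports file is a constructed sample.

```python
"""
Added example (not part of the original notes): the defender-side counterpart
to the uid trick. It reads /etc/exports-style lines and flags exports whose
client list or squash options let an arbitrary host choose its own uid.
The exports below are constructed samples.
"""
import re
from typing import List, Tuple

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/opt/share      *(rw,sync,no_subtree_check)
/srv/backup     10.10.201.0/24(rw,sync,no_root_squash)
/srv/public     *(ro,sync,all_squash,anonuid=65534,anongid=65534)
/home/team      10.10.201.5(rw,sync,root_squash)
"""

Finding = Tuple[str, str, str]  # (export path, client spec, issue)

SPEC_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def audit_exports(text: str) -> List[Finding]:
    """Return one finding per risky property of each client spec."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            host = m.group(1)
            opts = {o for o in (m.group(2) or "").split(",") if o}
            any_host = host in ("", "*")      # exportfs treats both as "everyone"
            if any_host:
                findings.append((path, spec, "exported to any host"))
                if "all_squash" not in opts:
                    # Without all_squash every client uid is honoured as-is,
                    # so any host can map itself onto the file owners' uids.
                    findings.append((path, spec, "any client uid is trusted (no all_squash)"))
            if "no_root_squash" in opts:
                findings.append((path, spec, "no_root_squash: remote root keeps uid 0"))
    return findings


if __name__ == "__main__":
    for path, spec, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {spec:55} {issue}")
```

Restricting the client list to known hosts is what makes uid trust tolerable; where a share must be world-readable, all_squash with an anonymous uid removes the mapping trick entirely.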
SMTP
nc $IP $port
EHLO example.com
VRFY user (a username or a full address; many servers disable VRFY or answer every query with 252, so a non-committal response does not confirm the account)
SNMP
- Simple Network Management Protocol.
- It works on UDP port 161.
The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, where branches represent different organizations or network functions. The leaves of the tree (final endpoints) correspond to specific variable values that can then be accessed, and probed, by an external user.
sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
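Both the -sn ping sweep above and this UDP sweep end up as nmap output that has to be turned into a host list. The following is an added example, not part of the original notes and not nmap's own tooling: it parses nmap's greppable (-oG) format, such as the open-snmp.txt written by the command above, into a per-host inventory of status and open ports. The scan text is constructed, not a real result.

```python
"""
Added example (not part of the original notes): parse nmap greppable (-oG)
output, such as the open-snmp.txt produced by the SNMP sweep, into a host
inventory. The sample text is constructed, not a real scan.
"""
from typing import Dict, List, Tuple

# Constructed -oG output. Fields are tab-separated; the Ports field lists
# port/state/protocol/owner/service/rpc/version entries separated by ", ".
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Mar 12 10:00:00 2024 as: nmap -sU --open -p 161 -oG open-snmp.txt 10.11.1.1-254
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 161/open/udp//snmp///
Host: 10.11.1.7 ()\tStatus: Up
Host: 10.11.1.7 ()\tPorts: 161/open|filtered/udp//snmp///
Host: 10.11.1.9 (printer.lab)\tStatus: Up
Host: 10.11.1.9 (printer.lab)\tPorts: 161/open/udp//snmp///, 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
# Nmap done at Tue Mar 12 10:01:00 2024 -- 254 IP addresses (3 hosts up) scanned in 60.00 seconds
"""

Port = Tuple[int, str, str, str]  # (port, protocol, state, service)


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each IP to {'hostname': str, 'status': str, 'ports': [Port, ...]}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # skip the '# Nmap ...' banner lines
        fields = line.split("\t")
        _, ip, hostname = fields[0].split(" ", 2)
        entry = hosts.setdefault(ip, {"hostname": hostname.strip("()"), "status": "", "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    # parts: port, state, protocol, owner, service, rpc, version
                    entry["ports"].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def hosts_up(hosts: Dict[str, dict]) -> List[str]:
    """IPs the -sn or port scan marked as Up (responded to a probe)."""
    return sorted(ip for ip, h in hosts.items() if h["status"] == "Up")


def hosts_with_open_port(hosts: Dict[str, dict], port: int, proto: str) -> List[str]:
    """IPs where the given port/protocol is definitively 'open' (not 'open|filtered')."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p == port and pr == proto and st == "open" for p, pr, st, _ in h["ports"]))


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print("up:", hosts_up(inventory))
    print("snmp open:", hosts_with_open_port(inventory, 161, "udp"))
```

The distinction between open and open|filtered matters for UDP: a host that never answered a probe shows as open|filtered, so only confirmed responders make the SNMP list.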
FTP
ftp anonymous@$IP
Responder
sudo ./Responder.py -I tun0
Coercer
coercer coerce -d essos.local -t meereen.essos.local -l 192.168.56.1