Differences

This shows you the differences between two versions of the page.

--- method_2_recon [2022/11/26 16:36] – [[1] OSInt] gman
+++ method_2_recon [2022/12/31 22:10] (current) – [SMTP] gman
@@ Line 46: / Line 46: @@
 ====== [1] OSInt ======
-**WhoIs:** ''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.
+===== WhoIs =====
-**NSLookUp:** ''nslookup'' is similar to whois but a bit more flexible and focused.
+''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.
+**Problem:** A major problem with whois lookups today is that the amount of visible data has been greatly reduced in an effort to provide better privacy and protection.
+**Work-Around:** There are services that provide historical whois lookups (kind of like a WayBack Machine for DNS/WhoIs stuff). Examples:
+  * DomainHistory.net (but it appears dead)
+  * WhoIsMind.com (but it appears out of service)
+  * What the heck...?
+===== NSLookUp =====
+''nslookup'' is similar to whois but a bit more flexible and focused.
 <code>
-# Basic: Find IP of domain...
+# Basic:
+whois google.com
 nslookup google.com
 # Reverse:
+whois 172.250.191.174
 nslookup 172.250.191.174
 </code>
+===== FOCA =====
+**FOCA: Fingerprinting Organizations with Collected Archives**
+  * [[https://github.com/ElevenPaths/FOCA | GitHub ReadMe]]. This is a Windows-only program.
+  * You first need to install the Express version of MicroSoft's SQL server.Go [[https://www.microsoft.com/en-us/sql-server/sql-server-downloads | here]], scroll down to "Or, download a free specialized edition" and click on the Express version Download Now button.
+  * Download and unzip the [[https://github.com/ElevenPaths/FOCA/releases | current release]] of FOCA.It is self-contained so you'll run FOCA.exe from the folder you get when you unzip the download.
+  * Run FOCA.exe
+  * When FOCA opens up, click on "Project Name" and set the Project Name, Domain website, and Folder where to save documents. Click "Create."
+  * In the next window click on settings
+    * Deselect all but FOCA in the Module filter
+    * Check (select) all options in the Search engines and Extensions option lists.
+  * Click on "Search All" and let it do its thing.
+  * Once it's finished, you need to "Download All" the discovered files (highlight, right click).
+  * Then, highlight all the files, right click, and choose "Extract All Metadata."
+  * This will dump all the metadata into Metadata Summary and Document Analysis
+  * Have fun!
+===== Routing Info =====
+Routing information is network information, and you can find it in public BGP((Border Gateway Protocol)) route information servers called BGP Looking Glasses.
+  * You can find a list of them here: [[https://www.bgp4.as/looking-glasses | bgp4]]
 ----
@@ Line 187: / Line 220: @@
 [[https://www.googleguide.com/advanced_operators_reference.html | The Google Guide ]]
   * For Google tips, tricks, & how Google works...
+Four of the most useful Google queries:
+  - **inurl:[string]:** Restricts results to documents containing your string in the URL.
+    * Example: ''inurl:101labs''
+  - **intitle:[string]:** Restricts results to documents containing your string in the web page's title.
+    * Example: ''intitle:apple''
+  - **site[site | domain]:** Restrics results to the site or domain specified.
+    * Example: ''site:.gov''
+    * Example: ''site:theology101.net''
+  - **filetype:[filetype suffix]:** Restrics results to documents with the suffix specified.
+    * Example: ''filetype:pdf''
 ----
@@ Line 192: / Line 236: @@
 ====== [3] Active Recon ======
-[place holder]
+Much of active recon involves scanning. So... for right now, see "[[method_3_scanning | Scanning]]."
+===== URL Enum =====
+URL enumeration makes a list of URLs in a domain, often showing hidden files and directories.
+  * This is especially important in web application pentesting.
+  * NOTE: This is an aggressive process.
+  * Tool: [[https://www.kali.org/tools/ffuf/ | FFUF]] (Fuzz Faster U Fool)
+===== DNS Enum =====
+DNS enumeration is like an aggressive DNS lookup (think whois on steroids).
+  * This is active recon and it will take a long time.
+  * It barfs out a butt-ton of information.
+  * Tool: [[https://www.kali.org/tools/dnsenum/ | dnsenum]]
+Example syntax: ''dnsenum --enum google.com''
+===== SMTP =====
+**Simple Mail Transfer Protocol (SMTP):** A vintage email sending protocol.
+  * No much built in security.
+  * Runs on port 25.
+You can gather info on SMTP by telnetting to the service port (25) and grabbing the banner information and then using [[https://cr.yp.to/smtp/vrfy.html |VRFY and/or EXPN]] to gather more info. Example sytax:
+<code>
+telnet example.server.com 25
+# once connected, type:
+VRFY [username]
+# or
+EXPN [user_alias]
+</code>
+**Exploits:** SMTP exploits are usually associated with a vulnerable version.
+  * Connect (by telnet). Grab banner info (VRFY, EXPN).
+  * This should give you a clue as to the SMTP version on your target.
+===== SNMP =====
+You can use SNMP to gather information on a system //**if**// you have access to the system //**and**// you know the "read" community string (which is often: ''public'').
+**Tools:**
+  - [[https://www.kali.org/tools/snmpenum/ | snmpenum]]
+  - [[http://www.net-snmp.org/wiki/index.php/Snmpwalk | snmpwalk]]
+<code>
+# Example syntax for snmpwalk, assuming 'public' as the community string
+snmpwalk -c public -v1 192.168.1.1
+</code>
 ----