The gMan nixWiki

Because the mind is made of Teflon...

User Tools

Site Tools

You are here: start » method_2_recon
method_2_recon

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
method_2_recon [2022/11/26 17:12] – [[1] OSInt] gmanmethod_2_recon [2022/12/31 22:10] (current) – [SMTP] gman
Line 46: Line 46:
 ====== [1] OSInt ====== ====== [1] OSInt ======
  
-**WhoIs:** ''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address.+===== WhoIs =====
  
-**NSLookUp:** ''nslookup'' is similar to whois but a bit more flexible and focused.+''whois'' provides information such as email addresses, phone numbers, and possibly even physical addresses associated with a domain name or IP address. 
 + 
 +**Problem:** A major problem with whois lookups today is that the amount of visible data has been greatly reduced in an effort to provide better privacy and protection. 
 + 
 +**Work-Around:** There are services that provide historical whois lookups (kind of like a WayBack Machine for DNS/WhoIs stuff). Examples: 
 +  * DomainHistory.net (but it appears dead) 
 +  * WhoIsMind.com (but it appears out of service) 
 +  * What the heck...? 
 + 
 +===== NSLookUp ===== 
 + 
 +''nslookup'' is similar to whois but a bit more flexible and focused.
  
 <code> <code>
Line 59: Line 70:
 nslookup 172.250.191.174 nslookup 172.250.191.174
 </code> </code>
 +
 +===== FOCA =====
  
 **FOCA: Fingerprinting Organizations with Collected Archives** **FOCA: Fingerprinting Organizations with Collected Archives**
Line 74: Line 87:
   * This will dump all the metadata into Metadata Summary and Document Analysis   * This will dump all the metadata into Metadata Summary and Document Analysis
   * Have fun!   * Have fun!
 +
 +===== Routing Info =====
 +
 +Routing information is network information, and you can find it in public BGP((Border Gateway Protocol)) route information servers called BGP Looking Glasses.
 +  * You can find a list of them here: [[https://www.bgp4.as/looking-glasses | bgp4]]
  
 ---- ----
Line 202: Line 220:
 [[https://www.googleguide.com/advanced_operators_reference.html | The Google Guide ]] [[https://www.googleguide.com/advanced_operators_reference.html | The Google Guide ]]
   * For Google tips, tricks, & how Google works...   * For Google tips, tricks, & how Google works...
 +
 +Four of the most useful Google queries: 
 +  - **inurl:[string]:** Restricts results to documents containing your string in the URL.
 +    * Example: ''inurl:101labs''
 +  - **intitle:[string]:** Restricts results to documents containing your string in the web page's title.
 +    * Example: ''intitle:apple''
 +  - **site[site | domain]:** Restrics results to the site or domain specified.
 +    * Example: ''site:.gov''
 +    * Example: ''site:theology101.net'' 
 +  - **filetype:[filetype suffix]:** Restrics results to documents with the suffix specified.
 +    * Example: ''filetype:pdf'' 
  
 ---- ----
Line 207: Line 236:
 ====== [3] Active Recon ====== ====== [3] Active Recon ======
  
-[place holder]+Much of active recon involves scanning. So... for right now, see "[[method_3_scanning | Scanning]]." 
 + 
 +===== URL Enum ===== 
 + 
 +URL enumeration makes a list of URLs in a domain, often showing hidden files and directories. 
 +  * This is especially important in web application pentesting. 
 +  * NOTE: This is an aggressive process. 
 +  * Tool: [[https://www.kali.org/tools/ffuf/ | FFUF]] (Fuzz Faster U Fool) 
 + 
 +===== DNS Enum ===== 
 + 
 +DNS enumeration is like an aggressive DNS lookup (think whois on steroids). 
 +  * This is active recon and it will take a long time. 
 +  * It barfs out a butt-ton of information. 
 +  * Tool: [[https://www.kali.org/tools/dnsenum/ | dnsenum]] 
 + 
 +Example syntax: ''dnsenum --enum google.com'' 
 + 
 +===== SMTP ===== 
 + 
 +**Simple Mail Transfer Protocol (SMTP):** A vintage email sending protocol. 
 +  * No much built in security. 
 +  * Runs on port 25. 
 + 
 +You can gather info on SMTP by telnetting to the service port (25) and grabbing the banner information and then using [[https://cr.yp.to/smtp/vrfy.html |VRFY and/or EXPN]] to gather more info. Example sytax: 
 + 
 +<code> 
 +telnet example.server.com 25 
 + 
 +# once connected, type: 
 +VRFY [username] 
 +# or 
 +EXPN [user_alias] 
 +</code> 
 + 
 +**Exploits:** SMTP exploits are usually associated with a vulnerable version. 
 +  * Connect (by telnet). Grab banner info (VRFY, EXPN). 
 +  * This should give you a clue as to the SMTP version on your target. 
 +===== SNMP ===== 
 + 
 +You can use SNMP to gather information on a system //**if**// you have access to the system //**and**// you know the "read" community string (which is often: ''public''). 
 + 
 +**Tools:** 
 +  - [[https://www.kali.org/tools/snmpenum/ | snmpenum]] 
 +  - [[http://www.net-snmp.org/wiki/index.php/Snmpwalk | snmpwalk]] 
 + 
 +<code> 
 +# Example syntax for snmpwalk, assuming 'public' as the community string 
 +snmpwalk -c public -v1 192.168.1.1 
 +</code> 
  
 ---- ----
method_2_recon.1669482741.txt.gz · Last modified: by gman