Scribd Logo
Upload

Welcome to Scribd!

  • Active Recon Cheat Sheet

    Uploaded by

    lbb1987
    52 views3 pages

    Original Title

    active-recon-cheat-sheet

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    52 views3 pages

    Active Recon Cheat Sheet

    Uploaded by

    lbb1987

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Active Recon Cheat Sheet

    by fred via cheatography.com/22666/cs/4695/

    Stealth Scanning Strategies Modify Packet Parameters - STEALTH 2 Anonymity (Tor & Privoxy) - STEALTH 3
    (cont) (cont)
    Risk = Discovery By The Target.
    Camouflage tool signatures to avoid Do not ping the target or use synchr​onize DNS Leak Test www.dn​sle​akt​est.com
    detection. (SYN) and noncon​ven​tional packet scans, Note
    Hide attack in legitimate traffic. such as acknow​ledge (ACK), finished (FIN), Owners of exit nodes can sniff traffic and
    Modify attack to hide source, type of traffic. and reset (RST) packets. may be able to access creden​tials.
    Make attack invisible using non-st​andard Randomize / spoof packet settings source Vulner​abi​lities in Tor Browser Bundle can
    traffic types & encryp​tion. IP, port address, MAC address. be used by law enforc​ement to exploit
    Adjust timing to slow the arrival of packets systems
    Adjust Source IP Stack & Tool ID - at the target. ProxyC​hains does not handle UDP
    STEALTH 1 Change packet size by fragme​nting packets Some applic​ations will not run - Metasp​loit,
    or appending random data to confuse Nmap... Stealth SYN scan breaks out of
    Disable Unnece​ssary Services:
    packet inspection devices. proxyc​hains and can leak inform​ation to the
    Disable DHCP chkconfig dhcpd off
     nmap must be run as root target.
    Disable IPv6 nano /etc/s​ysc​‐
     nmap stealth http:/​/nm​ap.o​rg​/bo​ok/​man​- Browser applic​ations can leak your IP
    tl.conf
    by​pas​s-f​ire​wal​ls-​ids.html (ActiveX, PDF, Flash, Java, RealPlay,
    #disable ipv6
    QuickT​ime).
    net.ip​v6.c​on​f.a​ll.d​is​abl​‐
    Anonymity (Tor & Privoxy) - STEALTH 3 Clear & block cookies before browsing.
    e_ipv6 = 1
     Tor-Buddy
    Onion routing enables online anonymity by
    net.ip​v6.c​on​f.d​efa​ult.di​‐
    Allows you to control how frequently the Tor
    encrypting user traffic and then transm​itting
    sab​le_ipv6 = 1 IP is refreshed: http:/​/so​urc​efo​rge.ne​t/p​roj​‐
    it through a series of onion routers. At each
    net.ip​v6.c​on​f.l​o.d​isable = ect​s/l​inu​xsc​rip​ts/​fil​es/​Tor​-Buddy/
    router, a layer of encryption is removed to
    1
    obtain routing inform​ation, and the
    Tools often tag packets with an id sequence Zenmap - STEP 1
    message is then transm​itted to the next
    that can trigger IDS. Test tools against VM's
    node.  Zenmap
    and review system logs for the tool's name.
     Install Tor http:/​/nm​ap.o​rg​/ze​nmap/
    Use Wireshark to capture traffic then search
    apt-get install tor The Official Nmap Security Scanner GUI.
    pcaps for keywords attributed to the testing
    nano /etc/P​rox​ych​ain​s.conf Use this an entry point and then use nmap
    tool.
    Disable strict​_chains
    . Enable scans to gather additional data.
    Set Metasploit UserAgent to Google
    dynami​c_c​hains
    Indexing Spider: www.us​era​gen​tst​rin​g.com
    Edit [Proxy​List]and ensure socks 5 Maltego
    use auxili​ary​/fu​zze​rs/​htt​‐
    127.0.0.1 9050 exists. Maltego  www.pa​ter​va.com is an open
    p/h​ttp​_fo​rm_​field
    Start Tor service tor start source intell​igence and forensics applic​‐
    set UserAgent
    Verify Tor service tor status ation for visual​izing relati​onships among
    set UserAgent Google​bot/2.1
    Verify Source IP iceweasel www.wh​‐ data that use data mining and link analysis.
    (+http​://​www.go​ogl​e.c​om/​‐
    ati​smy​ip.com
    bot.html)
    Invoke Tor Routing with Proxyc​hains
    proxyc​hains iceweasel www.wh​‐
    Modify Packet Parameters - STEALTH 2
    ati​smy​ip.com
    Identify the goal before scanning and send
    Whois lookup the IP to confirm Tor is active.
    the minimum number of packets.
    Tor Verify ttps:/​/ch​eck.to​rpr​oje​ct.org
    Avoid scans that connect with target system
    and leak data.

    By fred Published 30th July, 2015. Sponsored by Readable.com


    cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability!
    Page 1 of 3. https://readable.com
    Active Recon Cheat Sheet
    by fred via cheatography.com/22666/cs/4695/

    Identi​fying Network Infras​tru​cture Port Scanning Nmap Scripting Engine (NSE)

     traceroute provides basic inform​ation on http:/​/ww​w.i​ana.or​g/a​ssi​gnm​ent​s/s​erv​ice​-na​‐ http:/​/nm​ap.o​rg​/ns​edoc/


    packet filtering abilities. mes​-po​rt-​num​ber​s/s​erv​ice​-na​mes​-po​rt-​num​‐ Scripts are written in LUA
     lbd Uses two DNS- and HTTP-based ber​s.xhtml Recon of IPv4 & IPv6 DNS data
    techniques to detect load balancers Nmap port discovery is very noisy and will Identify web applic​ation firewalls, IDS, IPS
     miranda.py Identifies universal plug-a​nd- be logged by network security devices. Test firewall rulesets (via firewalk) and
    play and UPNP devices Only test necessary ports. attempting to bypass the firewall
     nmap Detects devices and determines Port scanning can impact a network and old Harvesting user names from target and
    the operating systems and their version equipment might lock. online sites
    nmap -sSV -A -p- -T5 192.16​‐ Brute-​force guessing of passwords
    8.5​6.101 Determ​ining Active Services Crawling the target network to identify
    Shodan search engine identifies devices network shares
    Identify default ports and services.
    connected to the Internet, including those Extract EXIF metadata from images in a
    Banner Grabbing
    with default passwords, known miscon​fig​‐ defined website
     netcat  nmap  telnet
    ura​tions, and vulner​abi​lities Geogra​phical locali​zation of IP's
    Review Default Web Pages: Some applic​‐
    Network attacks such as IPv6 packet
    ations install with default admini​str​ation,
    Live Host Discovery flooding
    error, or other pages.
    Fuzzing and SQL injection testing
    Run ping sweeps against a target address Review Source Code: Poorly configured
     Screenshot Web Services (wkhtm​lto​‐
    space and look for responses that indicate a web-based applic​ations may respond to
    image) http:/​/wk​htm​lto​pdf.go​ogl​eco​de.com
    particular target is live. (TCP, UDP, ICMP, certain HTTP requests such as HEAD or
     Screenshot NSE Script https:​//g​ith​ub.c​‐
    ARP) OPTIONS with a response that includes the
    om​/Sp​ide​rLa​bs/​Nma​p-T​ool​s/b​lob​/ma​ste​‐
     alive6  detect​-ne​w-ip6 - IPv6 host web server software version, and possibly,
    r/N​SE/​htt​p-s​cre​ens​hot.nse
    detection. detect​-ne​w-ip6 runs on a scripted the base operating system or the scripting
    basis and identifies new IPv6 devices when enviro​nment in use.
    Recon-ng
    added.
     dnmap  nmap - nmap is the standard Finger​pri​nting the OS  recon-ng
    network enumer​ation tool. dnmap is a distri​‐ Modules are written in python.
    Active: The attacker sends normal and
    buted client​-server implem​ent​ation of the show available modules.
    malformed packets to the target and
    nmap scanner. PBNJ stores nmap results in records its response pattern (finge​rprint) search available modules.
    a database, and then conducts historical which is compared to the database to info inform​ation on how the module works.
    analyses to identify new hosts. determine the OS show options options that can be set.
     fping  hping2  hping3  nping - Passive: The attacker sniffs, or records and set sets the options.
    Packet crafters that respond to targets in analyses the packet stream to determine run to execute.
    various ways to identify live hosts the charac​ter​istics of the packets. Harvest contacts (whois, jigsaw, linkedin,
     xprobe2 uses different TCP, UDP, ICMP twitte​r)(use the mangle module to extract
    packets to bypass firewalls and avoid and present e-mail data)
    detection by IDS / IPS systems. Identify hosts

    By fred Published 30th July, 2015. Sponsored by Readable.com


    cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability!
    Page 2 of 3. https://readable.com
    Active Recon Cheat Sheet
    by fred via cheatography.com/22666/cs/4695/

    Recon-ng (cont)

    Identify geogra​phical locations of hosts and


    indivi​duals using hostop, ipinfodb, maxmind,
    uniapple, wigle
    Identify host inform​ation using netcraft and
    related modules
    Identify account and password inform​ation
    that has previously been compro​mised and
    leaked onto the Internet (the pwnedlist
    modules, wascom​pan​yha​cked, xssed, and
    punksp​ider)

    Vulner​ability Scanning

    Loud and easily detected


    Usually signature based and can only detect
    known vulner​abi​lities with recogn​ition
    signat​ures.
    Falsep​ositive results with a rate as high as
    70%
    Network Scanning Watch List for devices
    known to fail when scanned www.di​gin​inj​‐
    a.org
     Scanning may breach laws in some
    countries
    In Kali, found in Vulner​ability Analysis
    submenu and Web Vulner​ability Scanners
    menu.
    OpenVAS Open Vulner​ability Assessment
    System
    Nexpose www.ra​pid​7.com
    Nessus www.ne​ssu​s.org

    By fred Published 30th July, 2015. Sponsored by Readable.com


    cheatography.com/fred/ Last updated 9th September, 2016. Measure your website readability!
    Page 3 of 3. https://readable.com

    You might also like