
Session 2 handout

Types of reconnaissance:
1- Passive
● Search engines (Google, Bing, Yahoo, etc.)

● Archive (e.g. the Wayback Machine)

● Netcraft

● Dorks (Google Dorks, Google Hacking Database, Shodan, Git, etc.)

● Data extractors (Web Data Extractor, HTTrack)

2- Active
● Any method that interacts with the target directly, such as scanning

Tools for Reconnaissance (company/websites):

online:
● Nslookup
● Whois

on Kali:
● Maltego

CMD commands (inside the interactive nslookup prompt)
• set type=NS 🡪 switch the query to name server (NS) records of the domain

• set type=MX 🡪 switch the query to mail exchanger (MX) records, i.e. the mail servers of the domain


Parts of a URL

1. Scheme (protocol):
The scheme (protocol) part of the URL indicates the set of rules that govern the
transmission and exchange of data.
HTTPS -> HyperText Transfer Protocol Secure

HTTP -> HyperText Transfer Protocol

FTP -> File Transfer Protocol, which is used for transferring files between
client and server

SMTP -> Simple Mail Transfer Protocol, which is used for sending emails
2. Subdomain:
The subdomain is used to separate different sections of the website, as it
specifies the type of resource to be delivered to the client. The commonly used subdomain
‘www’ is a general symbol for any resource on the web. Subdomains like ‘blog’ direct to
a blog page, and ‘audio’ indicates that the resource type is audio.

3. Domain Name:
The domain name specifies the organization or entity that the URL belongs to. For
example, in www.facebook.com the domain name ‘facebook’ indicates the organization that owns
the site.

4. Top-level Domain:
The TLD (top-level domain) indicates the type of organization the website is
registered to. For example, the .com in www.facebook.com indicates a commercial entity.
Similarly, .org indicates an organization and .co.uk a commercial entity in the UK.

.com -> Commercial

.org -> Organization

.edu -> Education

.gov -> government

.mil -> U.S. military

.int -> international

.net -> network


5. Port Number:
A port number specifies the type of service that is requested by the client, since
servers often deliver multiple services. Some default port numbers include 80 for HTTP
and 443 for HTTPS servers.

6. Path:
The path specifies the exact location of the web page, file, or any other resource that the
user wants to access. For example, the path of a blog URL points to a specific article on the blog.

7. Query String Separator:
The query string, which contains the specific parameters of the request, is preceded by
a question mark (?). The question mark tells the browser that a specific query is being
performed.

8. Query String:
The query string specifies the parameters of the data that is being queried from
a website’s database. Each query string is made up of a parameter and a value joined by
the equals (=) sign. In the case of multiple parameters, the pairs are joined using the
ampersand (&) sign. The value can be a number, a string, an encrypted value, or any
other form of data in the database.

9. Fragment:
The fragment identifier of a URL is optional, usually appears at the end, and
begins with a hash (#). It indicates a specific location within a page, such as the ‘id’ or
‘name’ attribute of an HTML element.
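The nine parts listed above, split out of a URL by a small Python script. This is an added example, not part of the handout; the example URL, the default-port map and the short list of two-label TLDs (to handle .co.uk, which the handout mentions) are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Port implied by the scheme when the URL does not state one (assumed, partial map).
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# Two-label TLDs such as .co.uk from the handout; a constructed, partial list.
MULTI_PART_TLDS = {"co.uk", "org.uk", "ac.uk"}


def split_host(host):
    """Split a hostname into (subdomain, domain, tld) as the handout defines them."""
    labels = host.lower().split(".")
    tld_len = 2 if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS else 1
    if len(labels) < tld_len + 1:          # e.g. "localhost": no TLD to split off
        return "", host, ""
    tld = ".".join(labels[-tld_len:])
    domain = labels[-tld_len - 1]
    subdomain = ".".join(labels[: -tld_len - 1])   # may be empty, e.g. example.com
    return subdomain, domain, tld


def url_parts(url):
    """Return the nine URL parts from the handout as a dict."""
    s = urlsplit(url)
    subdomain, domain, tld = split_host(s.hostname or "")
    return {
        "scheme": s.scheme,
        "subdomain": subdomain,
        "domain": domain,
        "tld": tld,
        "port": s.port if s.port is not None else DEFAULT_PORTS.get(s.scheme),
        "path": s.path,
        "query_separator": "?" if s.query else "",
        "query": dict(parse_qsl(s.query, keep_blank_values=True)),
        "fragment": s.fragment,
    }


if __name__ == "__main__":
    # Constructed example URL (not from the handout).
    sample = "https://blog.example.co.uk:8443/articles/42?id=7&lang=en#comments"
    for name, value in url_parts(sample).items():
        print(f"{name:16} {value}")
```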
Tools for Reconnaissance (sub-domain):

online tools:
• Sublist3r
• theHarvester
on Kali:
Subfinder 🡪 subfinder -d domain

Tools for Reconnaissance (person):

online tools:
• PeopleFinder
• Pipl

TCP vs UDP (Transmission Control Protocol vs User Datagram Protocol)

Basis: Type of Service
  TCP: TCP is a connection-oriented protocol. Connection orientation means that the
  communicating devices should establish a connection before transmitting data and should
  close the connection after transmitting the data.
  UDP: UDP is a datagram-oriented protocol. There is no overhead for opening a connection,
  maintaining a connection, or terminating a connection. UDP is efficient for broadcast and
  multicast types of network transmission.

Basis: Reliability
  TCP: TCP is reliable, as it guarantees the delivery of data to the destination router.
  UDP: The delivery of data to the destination cannot be guaranteed in UDP.

Basis: Error checking
  TCP: TCP provides extensive error-checking mechanisms, because it provides flow control
  and acknowledgment of data.
  UDP: UDP has only a basic error-checking mechanism using checksums.

Basis: Acknowledgment
  TCP: An acknowledgment segment is present.
  UDP: No acknowledgment segment.

Basis: Sequence
  TCP: Sequencing of data is a feature of TCP. This means that packets arrive in order at
  the receiver.
  UDP: There is no sequencing of data in UDP. If ordering is required, it has to be managed
  by the application layer.

Basis: Speed
  TCP: TCP is comparatively slower than UDP.
  UDP: UDP is faster, simpler, and more efficient than TCP.

Basis: Retransmission
  TCP: Retransmission of lost packets is possible in TCP.
  UDP: There is no retransmission of lost packets in UDP.

Basis: Header Length
  TCP: TCP has a variable-length header of 20-60 bytes.
  UDP: UDP has a fixed-length header of 8 bytes.

Basis: Weight
  TCP: TCP is heavy-weight.
  UDP: UDP is lightweight.

Basis: Handshaking Techniques
  TCP: Uses handshakes such as SYN, ACK, SYN-ACK.
  UDP: It is a connectionless protocol, i.e. no handshake.

Basis: Broadcasting
  TCP: TCP doesn’t support broadcasting.
  UDP: UDP supports broadcasting.

Basis: Protocols
  TCP: TCP is used by HTTP, HTTPS, FTP, SMTP and Telnet.
  UDP: UDP is used by DNS, DHCP, TFTP, SNMP, RIP, and VoIP.

Basis: Stream Type
  TCP: A TCP connection is a byte stream.
  UDP: UDP traffic is a message stream.

Basis: Overhead
  TCP: Low, but higher than UDP.
  UDP: Very low.

Basis: Applications
  TCP: This protocol is primarily used in situations where a safe and trustworthy
  communication procedure is necessary, such as email, web surfing, and military services.
  UDP: This protocol is used in situations where quick communication is necessary but
  dependability is not a concern, such as VoIP, game streaming, video and music
  streaming, etc.
Scanning (Nmap)
• Full TCP (connect) scan
  ○ nmap -sT domain

• Stealth (SYN) scan
  ○ nmap -sS domain

• FIN scan
  ○ nmap -sF (IP) -p (port number)

• UDP scan
  ○ nmap -sU (IP) -p (port number)

• XMAS scan
  ○ nmap -sX (IP) -p (port)
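The scan types above differ only in which TCP flag bits the probe sets, and the table above states that the TCP header is 20-60 bytes with the flags in its fixed part. The following Python script, added here and not part of the handout, decodes a raw TCP header (header length from the data offset, the six classic flags, any options) and names the probe pattern a defender would see in a capture; the sample headers are constructed with a small builder, and the MSS option bytes and port numbers are assumed test values.

```python
import struct

# The six classic TCP flag bits in the low byte of the data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

# Flag combinations that match the handout's scan types (used for log/IDS triage).
PROBE_PATTERNS = {
    frozenset({"SYN"}): "SYN-only: stealth scan (-sS) or first step of a full connect (-sT)",
    frozenset({"SYN", "ACK"}): "SYN-ACK: handshake reply",
    frozenset({"FIN"}): "FIN-only: FIN scan (-sF) probe",
    frozenset({"FIN", "PSH", "URG"}): "XMAS: XMAS scan (-sX) probe",
    frozenset(): "NULL: no flags set",
}


def parse_tcp_header(raw):
    """Decode a TCP header from bytes; validates the 20-60 byte header length."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    header_len = (off_flags >> 12) * 4   # data offset is counted in 32-bit words
    if not 20 <= header_len <= 60 or header_len > len(raw):
        raise ValueError(f"bad data offset: header length {header_len}")
    flags = off_flags & 0x3F             # mask to the six flag bits above
    return {"src_port": src, "dst_port": dst, "header_len": header_len,
            "flags": [n for b, n in FLAG_NAMES.items() if flags & b],
            "options": raw[20:header_len]}


def classify_probe(flags):
    """Return the handout scan type matching a flag list, else 'ordinary traffic'."""
    return PROBE_PATTERNS.get(frozenset(flags), "ordinary traffic")


def build_tcp_header(src, dst, flags, options=b""):
    """Build a minimal TCP header for constructed test data (checksum left as 0)."""
    opts = options + b"\x00" * (-len(options) % 4)   # options padded to 32-bit words
    offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", src, dst, 0, 0, (offset << 12) | flags, 1024, 0, 0) + opts


if __name__ == "__main__":
    mss = b"\x02\x04\x05\xb4"            # assumed MSS option (kind 2, len 4, 1460)
    for probe in (build_tcp_header(40000, 80, SYN, mss),
                  build_tcp_header(40001, 80, FIN | PSH | URG),
                  build_tcp_header(40002, 80, ACK | PSH)):
        hdr = parse_tcp_header(probe)
        print(hdr["header_len"], hdr["flags"], "->", classify_probe(hdr["flags"]))
```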

● Banner grabbing using Telnet

telnet (Website/IP) (port number)

● Banner grabbing using netcat

nc -vv (Website/IP) (port number)

● Banner grabbing using ID Serve (GUI tool)
What is a vulnerability assessment:

A vulnerability assessment is a systematic review of security weaknesses in an
information system. It evaluates whether the system is susceptible to any known vulnerabilities,
assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if
and whenever needed.

Nessus Download

https://www.tenable.com/products/nessus/nessus-essentials

Victim Machine

https://docs.rapid7.com/metasploit/metasploitable-2/

Day 2 Labs:

● LAB #1
● LAB #2

Day 2 Demo:

● vulnerability scanning (Nmap)
○ Demo
● vulnerability scanning (Nessus)
○ Demo
