Active Recon Cheat Sheet by fred

Stealth Scanning Strategies

Risk = Discovery By The Target.
Camouflage tool signatures to avoid detection.
Hide attack in legitimate traffic.
Modify attack to hide source, type of traffic.
Make attack invisible using non-standard traffic types & encryption.

Adjust Source IP Stack & Tool ID - STEALTH 1

Disable Unnecessary Services:
Disable DHCP
chkconfig dhcpd off

Disable IPv6
nano /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Tools often tag packets with an ID sequence that can trigger an IDS. Test tools against VMs and review the system logs for the tool's name. Use Wireshark to capture traffic, then search the pcaps for keywords attributed to the testing tool.

Set Metasploit UserAgent to Google Indexing Spider:
use auxiliary/fuzzers/http/http_form_field

set UserAgent Googlebot/2.1 (+http://www.google.com/bot.html)
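Added example (not part of the cheat sheet): the defender's side of the two points above, showing why tool signatures and a borrowed user agent are still detectable. It scans constructed access-log lines for well-known scanner user-agent strings and flags any "Googlebot" claim whose source address does not reverse-resolve into googlebot.com or google.com (Google's published verification method). The RDNS table, the function names and the sample lines are all constructed for the example; a real deployment would replace the table with PTR lookups plus a forward-confirmation step.

```python
import re

# Constructed combined-log-format lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 12 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
66.249.66.1 - - [01/Jan/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
"""

# Constructed reverse-DNS table standing in for real PTR lookups
# (assumption: production code calls socket.gethostbyaddr and then
# forward-resolves the returned name to confirm it maps back to the IP).
RDNS = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.11": "vps-203-0-113-11.example-hosting.net",
}

# Default user-agent fragments of common scanners (matched case-insensitively).
TOOL_SIGNATURES = ("Nmap Scripting Engine", "sqlmap", "Nikto", "masscan", "Metasploit")

# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def is_genuine_googlebot(ip, rdns=RDNS):
    """True only if the source reverse-resolves into Google's crawler domains."""
    host = rdns.get(ip, "")
    return host.endswith(".googlebot.com") or host.endswith(".google.com")


def classify_request(line, rdns=RDNS):
    """Return {'ip', 'ua', 'findings'} for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _request, _status, ua = m.groups()
    findings = []
    for sig in TOOL_SIGNATURES:
        if sig.lower() in ua.lower():
            findings.append(f"tool-signature:{sig}")
    # A crawler claim is only trusted when reverse DNS backs it up.
    if "Googlebot" in ua and not is_genuine_googlebot(ip, rdns):
        findings.append("spoofed-googlebot")
    return {"ip": ip, "ua": ua, "findings": findings}


def scan_log(text, rdns=RDNS):
    """Return the classified entries that produced at least one finding."""
    results = []
    for line in text.splitlines():
        entry = classify_request(line, rdns)
        if entry and entry["findings"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["findings"])
```

The signature list is the detection a plain WAF rule would give you; the reverse-DNS check is what actually separates a spoofed crawler from a real one, since the user-agent string is free to set but the source address is not.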

Modify Packet Parameters - STEALTH 2

Identify the goal before scanning and send the minimum number of packets.
Avoid scans that connect with the target system and leak data.
Do not ping the target or use synchronize (SYN) and nonconventional packet scans, such as acknowledge (ACK), finished (FIN), and reset (RST) packets.
Randomize or spoof packet settings: source IP, port address, MAC address.
Adjust timing to slow the arrival of packets at the target.
Change packet size by fragmenting packets or appending random data to confuse packet inspection devices.

nmap must be run as root for these scan types.
nmap stealth options: http://nmap.org/book/man-bypass-firewalls-ids.html

Anonymity (Tor & Privoxy) - STEALTH 3

Onion routing enables online anonymity by encrypting user traffic and then transmitting it through a series of onion routers. At each router, a layer of encryption is removed to obtain routing information, and the message is then transmitted to the next node.
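Added example (not part of the cheat sheet, and not Tor's own code): a toy model of the layered encryption just described, so the "each router removes one layer" mechanism can be run end to end. The client wraps the message once per relay, innermost layer first; each relay strips its layer and learns only the next hop; only the exit sees the destination and the payload. The cipher is a throwaway SHA-256 keystream XOR with preshared per-relay keys, chosen only to keep the example in the standard library; it has no integrity protection and no key agreement, both of which a real onion-routing protocol provides.

```python
import hashlib
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Assumption: illustrative only, not a real onion-routing cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Add one layer: encrypt 'next_hop|payload' under this relay's key."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, next_hop.encode() + b"|" + payload)


def peel_layer(key: bytes, blob: bytes):
    """Remove one layer; returns (next_hop, inner_blob). Hop names contain no '|'."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    next_hop, _, inner = plain.partition(b"|")
    return next_hop.decode(), inner


def build_onion(route, destination: str, message: bytes):
    """Client side. route = [(relay_name, key), ...] from entry to exit.
    Returns (entry_relay, onion). Layers are applied exit-first so the
    entry relay's layer is outermost."""
    blob = message
    next_hop = destination
    for name, key in reversed(route):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return next_hop, blob


def relay(route_keys: dict, entry: str, onion: bytes):
    """Network side. Each relay peels its own layer and forwards to the next hop.
    Returns ([(relay, next_hop), ...], payload_seen_by_destination)."""
    hops = []
    node, blob = entry, onion
    while node in route_keys:
        next_hop, blob = peel_layer(route_keys[node], blob)
        hops.append((node, next_hop))
        node = next_hop
    return hops, blob


if __name__ == "__main__":
    # Constructed relay set and keys (sample values, not a real circuit).
    route = [("guard", b"guard-key"), ("middle", b"middle-key"), ("exit", b"exit-key")]
    entry, onion = build_onion(route, "www.example.org", b"GET / HTTP/1.1")
    hops, payload = relay(dict(route), entry, onion)
    for node, nxt in hops:
        print(f"{node} forwards to {nxt}")
    print("exit delivers:", payload)
```

Peeling only the guard's layer yields "middle" plus an opaque blob, which is the whole point: the relay closest to you knows your address but not your destination, and the exit knows the destination but not you. It is also why the exit-node caveat below matters: whatever leaves the last layer in the clear is readable by whoever runs that relay.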

Install Tor
apt-get install tor

Configure Proxychains
nano /etc/proxychains.conf
Enable the Tor proxy entry and ensure it reads:
socks5 127.0.0.1 9050

Start Tor
service tor start

Verify Tor
service tor status

Verify Source IP
iceweasel www.whatismy

Invoke Tor Routing with Proxychains
proxychains iceweasel www.whatismy

Whois lookup the IP to confirm Tor is active.
Tor Verify ttps://chrproje
DNS Leak Test www.dnsleakt

Owners of exit nodes can sniff traffic and may be able to access credentials.
Vulnerabilities in the Tor Browser Bundle can be used by law enforcement to exploit systems.
ProxyChains does not handle UDP.
Some applications will not run through it (Metasploit, Nmap, ...). A stealth SYN scan breaks out of proxychains and can leak information to the target.
Browser applications can leak your IP (ActiveX, PDF, Flash, Java, RealPlayer, QuickTime).
Clear and block cookies before browsing.

Tor-Buddy allows you to control how frequently the Tor IP is refreshed: http://sourcefot/projects/linuxscripts/files/Tor-Buddy/

Zenmap - STEP 1

The official Nmap Security Scanner GUI.
Use this as an entry point and then use nmap scans to gather additional data.


Maltego is an open source intelligence and forensics application for visualizing relationships among data, using data mining and link analysis.

Identifying Network Infrastructure

traceroute - Provides basic information on packet filtering abilities.
lbd - Uses two DNS- and HTTP-based techniques to detect load balancers.
Identifies universal plug-and-play (UPnP) devices.
nmap - Detects devices and determines the operating systems and their versions:
nmap -sSV -A -p- -T5 192.168.56.101

Shodan - Search engine that identifies devices connected to the Internet, including those with default passwords, known misconfigurations, and vulnerabilities.

Live Host Discovery

Run ping sweeps against a target address space and look for responses that indicate a particular target is live (TCP, UDP, ICMP, ARP).

alive6, detect-new-ip6 - IPv6 host detection. detect-new-ip6 runs on a scripted basis and identifies new IPv6 devices as they are added.

dnmap, nmap - nmap is the standard network enumeration tool. dnmap is a distributed client-server implementation of the nmap scanner. PBNJ stores nmap results in a database and then conducts historical analyses to identify new hosts.

fping, hping2, hping3, nping - Packet crafters that elicit responses from targets in various ways to identify live hosts.

Port Scanning

Nmap port discovery is very noisy and will be logged by network security devices.
Only test necessary ports.
Port scanning can impact a network, and old equipment might lock up.
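Added example (not part of the cheat sheet): what "will be logged by network security devices" looks like from the other side, covering both this section and the STEALTH 2 notes on SYN, FIN, ACK and other unconventional probes. The script parses constructed iptables LOG-style lines and raises two kinds of alert: per-packet flag anomalies that no normal TCP stack emits (no flags at all, FIN/PSH/URG together, a lone FIN, SYN with FIN) and a port sweep, meaning one source touching five or more distinct destination ports within ten seconds. The sample lines, the function names and the thresholds are all constructed for the example; the timestamp handling assumes all lines fall in one month, as syslog timestamps carry no year.

```python
import re
from collections import defaultdict

# Constructed iptables LOG-style lines (sample data, not captured traffic).
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Jan  1 10:00:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Jan  1 10:05:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
TS_RE = re.compile(r"^\w{3}\s+(\d+) (\d\d):(\d\d):(\d\d)")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return {'t', 'src', 'dst', 'dpt', 'flags'} for a TCP log line, else None."""
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not ts or fields.get("PROTO") != "TCP" or "DPT" not in fields:
        return None
    day, h, m, s = (int(x) for x in ts.groups())
    return {
        "t": day * 86400 + h * 3600 + m * 60 + s,  # assumption: single-month log
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dpt": int(fields["DPT"]),
        # iptables LOG prints set flags as bare tokens; URGP=0 is not one of them.
        "flags": FLAG_TOKENS & set(line.split()),
    }


def flag_anomaly(flags):
    """Name the probe type for flag combinations a normal TCP stack never sends."""
    if not flags:
        return "null-scan"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if flags == {"FIN"}:
        return "fin-scan"
    if {"SYN", "FIN"} <= flags:
        return "syn-fin"
    return None


def detect_scans(text, window=10, threshold=5):
    """Return alerts as (source, kind, detail) tuples."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    alerts = []
    for e in events:
        kind = flag_anomaly(e["flags"])
        if kind:
            alerts.append((e["src"], kind, e["dpt"]))
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        for i, e in enumerate(evs):
            # Distinct destination ports this source touched in the trailing window.
            recent = {x["dpt"] for x in evs[: i + 1] if e["t"] - x["t"] <= window}
            if len(recent) >= threshold:
                alerts.append((src, "port-sweep", len(recent)))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The flag checks fire on a single packet, which is why the "nonconventional" scan types in STEALTH 2 are, in practice, louder than a plain connect: they are anomalous on their own, whereas a slow SYN sweep only stands out in aggregate, and lengthening the window (or the timing on the scanning side) is the tuning knob on both sides.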

Determ­ining Active Services

Identify default ports and services.

Banner Grabbing
netcat, nmap, telnet

Review Default Web Pages: Some applications install with default administration, error, or other pages.

Review Source Code: Poorly configured web-based applications may respond to certain HTTP requests, such as HEAD or OPTIONS, with a response that includes the web server software version and possibly the base operating system or the scripting environment in use.
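Added example (not part of the cheat sheet): a hardening check for the disclosure described above, written for the server owner rather than the scanner. Given the raw bytes of a HEAD or OPTIONS response, it reports every product/version pair found in the headers that commonly carry them and every risky method announced in Allow, and it runs the same check over a hardened response to show what "clean" looks like. Both responses, the header list and the function names are constructed for the example; in Apache terms the hardened variant corresponds to ServerTokens Prod plus ServerSignature Off and a PHP configuration with expose_php disabled.

```python
import re

# Constructed responses (sample data, not captured from any real server).
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache/2.4.41 (Ubuntu) PHP/7.4.3\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Headers that routinely carry software names and versions.
DISCLOSURE_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version",
    "x-aspnetmvc-version", "x-generator", "via",
)
# Methods that should not be advertised on a public site without a reason.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
# product/version, e.g. "Apache/2.4.41" or "PHP/7.4.3"
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, {header_name_lower: [values]})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def find_disclosures(raw: bytes):
    """Return (header, product, version) for each version leak and
    ('allow', METHOD, '') for each risky method advertised."""
    _status, headers = parse_response(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        for value in headers.get(name, []):
            for product, version in VERSION_RE.findall(value):
                findings.append((name, product, version))
    for value in headers.get("allow", []):
        methods = {m.strip().upper() for m in value.split(",")}
        for method in sorted(methods & RISKY_METHODS):
            findings.append(("allow", method, ""))
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_disclosures(resp) or "no disclosures")
```

Feeding it the output of a real HEAD request is a one-liner with a socket or an HTTP client; the value of the check is that it can run in CI against a staging host, so a version string that reappears after an upgrade is caught before a scanner finds it.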

Fingerprinting the OS

Active: The attacker sends normal and malformed packets to the target and records its response pattern (fingerprint), which is compared to a database to determine the OS.
Passive: The attacker sniffs, or records and analyses, the packet stream to determine the characteristics of the packets.

xprobe2 uses different TCP, UDP, and ICMP packets to bypass firewalls and avoid detection by IDS/IPS systems.

Nmap Scripting Engine (NSE)

Scripts are written in Lua.

Recon of IPv4 & IPv6 DNS data
Identify web application firewalls, IDS, IPS
Test firewall rulesets (via firewalk) and attempt to bypass the firewall
Harvest user names from the target and online sites
Brute-force guessing of passwords
Crawl the target network to identify network shares
Extract EXIF metadata from images in a defined website
Geographical localization of IPs
Network attacks such as IPv6 packet flooding
Fuzzing and SQL injection testing

Screenshot Web Services (wkhtmltoimage) http://wkhtmltopdf.googleco
Screenshot NSE Script https://github.com/SpiderLabs/Nmap-Tools/blob/master/NSE/http-screenshot.nse


Modules are written in Python.
Lists available modules.
Shows information on how the module works.
show options
Shows the options that can be set.
Sets the options.
Executes the module.

Harvest contacts (whois, jigsaw, linkedin, twitter) (use the mangle module to extract and present e-mail data)
Identify hosts
Identify geographical locations of hosts and individuals using hostop, ipinfodb, maxmind, uniapple, wigle
Identify host information using netcraft and related modules
Identify account and password information that has previously been compromised and leaked onto the Internet (the pwnedlist modules, wascompanyhacked, xssed, and punkspider)

Vulnerability Scanning

Loud and easily detected.
Usually signature based and can only detect known vulnerabilities with recognition signatures.
False-positive results at a rate as high as 70%.
Network Scanning Watch List for devices known to fail when scanned: www.digininj

Scanning may breach laws in some countries.

In Kali, found in the Vulnerability Analysis submenu and the Web Vulnerability Scanners menu.

OpenVAS - Open Vulnerability Assessment System
Nexpose - www.rapid

