Active Recon Cheat Sheet by fred

Risk = Discovery By The Target.
Camouflage tool signatures to avoid detection.
Hide attack in legitimate traffic.
Modify attack to hide source, type of traffic.
Make attack invisible using non-st­andard traffic types & encryp­tion.

Disable Unnece­ssary Services:
Disable DHCP

chkconfig dhcpd off

Disable IPv6

nano /etc/s­ysc­tl.conf

#disable ipv6

net.ip­v6.c­on­f.a­ll.d­is­abl­e_ipv6 = 1

net.ip­v6.c­on­f.d­efa­ult.di­sab­le_ipv6 = 1

net.ip­v6.c­on­f.l­o.d­isable = 1

Tools often tag packets with an id sequence that can trigger IDS. Test tools against VM's and review system logs for the tool's name. Use Wireshark to capture traffic then search pcaps for keywords attributed to the testing tool.

Set Metasploit UserAgent to Google Indexing Spider: www.us­era­gen­tst­rin­g.com

use auxili­ary­/fu­zze­rs/­htt­p/h­ttp­_fo­rm_­field

set UserAgent

set UserAgent Google­bot/2.1 (+http­://­www.go­ogl­e.c­om/­bot.html)

Identify the goal before scanning and send the minimum number of packets.
Avoid scans that connect with target system and leak data.
Do not ping the target or use synchr­onize (SYN) and noncon­ven­tional packet scans, such as acknow­ledge (ACK), finished (FIN), and reset (RST) packets.
Randomize / spoof packet settings source IP, port address, MAC address.
Adjust timing to slow the arrival of packets at the target.
Change packet size by fragme­nting packets or appending random data to confuse packet inspection devices.

nmap must be run as root
nmap stealth http:/­/nm­ap.o­rg­/bo­ok/­man­-by­pas­s-f­ire­wal­ls-­ids.html

Onion routing enables online anonymity by encrypting user traffic and then transm­itting it through a series of onion routers. At each router, a layer of encryption is removed to obtain routing inform­ation, and the message is then transm­itted to the next node.

Install Tor

apt-get install tor

nano /etc/P­rox­ych­ain­s.conf

Disable

strict­_chains

. Enable

dynami­c_c­hains

Edit

[Proxy­List]

and ensure

socks 5 127.0.0.1 9050

exists.
Start Tor

service tor start

Verify Tor

service tor status

Verify Source IP

iceweasel www.wh­ati­smy­ip.com

Invoke Tor Routing with Proxyc­hains

proxyc­hains iceweasel www.wh­ati­smy­ip.com

Whois lookup the IP to confirm Tor is active.
Tor Verify ttps:/­/ch­eck.to­rpr­oje­ct.org
DNS Leak Test www.dn­sle­akt­est.com

Note
Owners of exit nodes can sniff traffic and may be able to access creden­tials.
Vulner­abi­lities in Tor Browser Bundle can be used by law enforc­ement to exploit systems
ProxyC­hains does not handle UDP
Some applic­ations will not run - Metasp­loit, Nmap... Stealth SYN scan breaks out of proxyc­hains and can leak inform­ation to the target.
Browser applic­ations can leak your IP (ActiveX, PDF, Flash, Java, RealPlay, QuickT­ime).
Clear & block cookies before browsing.

 Tor-Buddy
Allows you to control how frequently the Tor IP is refreshed: http:/­/so­urc­efo­rge.ne­t/p­roj­ect­s/l­inu­xsc­rip­ts/­fil­es/­Tor­-Buddy/

Zenmap
http:/­/nm­ap.o­rg­/ze­nmap/
The Official Nmap Security Scanner GUI.
Use this an entry point and then use nmap scans to gather additional data.

Maltego  www.pa­ter­va.com is an open source intell­igence and forensics applic­ation for visual­izing relati­onships among data that use data mining and link analysis.

 traceroute provides basic inform­ation on packet filtering abilities.
 lbd Uses two DNS- and HTTP-based techniques to detect load balancers
 miranda.py Identifies universal plug-a­nd-play and UPNP devices
 nmap Detects devices and determines the operating systems and their version

nmap -sSV -A -p- -T5 192.16­8.5­6.101

Shodan search engine identifies devices connected to the Internet, including those with default passwords, known miscon­fig­ura­tions, and vulner­abi­lities

Run ping sweeps against a target address space and look for responses that indicate a particular target is live. (TCP, UDP, ICMP, ARP)

alive6 detect­-ne­w-ip6 - IPv6 host detection. detect­-ne­w-ip6 runs on a scripted basis and identifies new IPv6 devices when added.

dnmap nmap - nmap is the standard network enumer­ation tool. dnmap is a distri­buted client­-server implem­ent­ation of the nmap scanner. PBNJ stores nmap results in a database, and then conducts historical analyses to identify new hosts.

fping hping2 hping3 nping - Packet crafters that respond to targets in various ways to identify live hosts

http:/­/ww­w.i­ana.or­g/a­ssi­gnm­ent­s/s­erv­ice­-na­mes­-po­rt-­num­ber­s/s­erv­ice­-na­mes­-po­rt-­num­ber­s.xhtml

Nmap port discovery is very noisy and will be logged by network security devices.
Only test necessary ports.
Port scanning can impact a network and old equipment might lock.

Identify default ports and services.

Banner Grabbing
netcat nmap telnet

Review Default Web Pages: Some applic­ations install with default admini­str­ation, error, or other pages.

Review Source Code: Poorly configured web-based applic­ations may respond to certain HTTP requests such as HEAD or OPTIONS with a response that includes the web server software version, and possibly, the base operating system or the scripting enviro­nment in use.

Active: The attacker sends normal and malformed packets to the target and records its response pattern (finge­rprint) which is compared to the database to determine the OS
Passive: The attacker sniffs, or records and analyses the packet stream to determine the charac­ter­istics of the packets.

xprobe2 uses different TCP, UDP, ICMP packets to bypass firewalls and avoid detection by IDS / IPS systems.

http:/­/nm­ap.o­rg­/ns­edoc/
Scripts are written in LUA

Recon of IPv4 & IPv6 DNS data
Identify web applic­ation firewalls, IDS, IPS
Test firewall rulesets (via firewalk) and attempting to bypass the firewall
Harvesting user names from target and online sites
Brute-­force guessing of passwords
Crawling the target network to identify network shares
Extract EXIF metadata from images in a defined website
Geogra­phical locali­zation of IP's
Network attacks such as IPv6 packet flooding
Fuzzing and SQL injection testing

 Screenshot Web Services (wkhtm­lto­image) http:/­/wk­htm­lto­pdf.go­ogl­eco­de.com
Screenshot NSE Script https:­//g­ith­ub.c­om­/Sp­ide­rLa­bs/­Nma­p-T­ool­s/b­lob­/ma­ste­r/N­SE/­htt­p-s­cre­ens­hot.nse

recon-ng
Modules are written in python.

show

available modules.

search

available modules.

info

inform­ation on how the module works.

show options

options that can be set.

set

sets the options.

run

to execute.

Harvest contacts (whois, jigsaw, linkedin, twitte­r)(use the mangle module to extract and present e-mail data)
Identify hosts
Identify geogra­phical locations of hosts and indivi­duals using hostop, ipinfodb, maxmind, uniapple, wigle
Identify host inform­ation using netcraft and related modules
Identify account and password inform­ation that has previously been compro­mised and leaked onto the Internet (the pwnedlist modules, wascom­pan­yha­cked, xssed, and punksp­ider)

Loud and easily detected
Usually signature based and can only detect known vulner­abi­lities with recogn­ition signat­ures.
Falsep­ositive results with a rate as high as 70%
Network Scanning Watch List for devices known to fail when scanned www.di­gin­inj­a.org

 Scanning may breach laws in some countries

In Kali, found in Vulner­ability Analysis submenu and Web Vulner­ability Scanners menu.

OpenVAS Open Vulner­ability Assessment System
Nexpose www.ra­pid­7.com
Nessus www.ne­ssu­s.org