# Reconnaissance and Initial Access

## Passive Enum

### whois

`whois $domain -h $whois_server` (`-h` points it at a specific whois server instead of the default)

### Google Dorking

`site`, `intext`, `inurl`, `intitle`, `filetype`

[google hacking database](https://www.exploit-db.com/google-hacking-database)

### Shodan

[Filter Reference](https://www.shodan.io/search/filters)

[API Reference](https://developer.shodan.io/api) (python module sucks last I used it, use requests)

`http.favicon.hash` - murmur3 (mmh3) hash of the base64 encoding of the favicon (very fun!). Note that Shodan hashes the base64 *text* as produced by Python's legacy encoder (`codecs.encode(data, 'base64')`), which inserts a newline every 76 characters, so a plain `b64encode()` gives you a different number. [Here](https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv) are some pre-hashed ones for your enjoyment.

```python
import base64
import mmh3  # pip install mmh3 (the module is mmh3, not mm3h)

with open('favicon.ico', 'rb') as f:
    # Shodan hashes the base64 text *with* the line breaks that Python's
    # legacy encoder inserts every 76 chars; b64encode() has none and
    # would give a different (useless) hash. encodebytes() matches Shodan.
    h = mmh3.hash(base64.encodebytes(f.read()))

print(f'http.favicon.hash:{h}')
```

### Greynoise

Not really Enum, to be moved

[Search Cheatsheet](https://viz.greynoise.io/cheat-sheet)

### Misc Passive and Semi-passive tools

[securityheaders.com](https://securityheaders.com/) and [ssltest](https://www.ssllabs.com/ssltest) for header and TLS configuration grading

[urlscan.io](https://urlscan.io)

[crt.sh](https://crt.sh/) - certificate transparency search, good for subdomains

## Active Enum

### ARP scanning

`sudo arp-scan --interface=XXX 192.168.0.0/24` to scan that `/24` on interface XXX (usually `eth0`); you can also just use `--localnet` instead to generate the address range from the interface's own address and netmask. ARP only works on the local segment, which is also why it can't be firewalled away.

`sudo netdiscover -r 192.168.0.0/24` to scan that `/24`, has a fancy interface vs arp-scan (the binary is `netdiscover`, no hyphen)

### SSH

Just try to `ssh` into it; `ssh -v` prints the server's version banner and the algorithm negotiation. If it's real old or something you can manually add a kex, cipher or host key algorithm with `-oKexAlgorithms=+{kex}`, `-c {cipher}`, and `-oHostKeyAlgorithms=+{host_key}` respectively (the `+` appends to the client's defaults rather than replacing them). You might get a banner or something, not usually very useful for now.

### DNS

`host` goes from domain name to IP; specify the record type with `-t` (default is A), e.g. `host -t MX $domain`

`dnsrecon` is a python script, `-d` for domain and `-t` for recon type from the following

```
std:      SOA, NS, A, AAAA, MX and SRV.
rvl:      Reverse lookup of a given CIDR or IP range.
brt:      Brute force domains and hosts using a given dictionary.
srv:      SRV records.
axfr:     Test all NS servers for a zone transfer.
bing:     Perform Bing search for subdomains and hosts.
yand:     Perform Yandex search for subdomains and hosts.
crt:      Perform crt.sh search for subdomains and hosts.
snoop:    Perform cache snooping against all NS servers for a given domain, testing
          all with file containing the domains, file given with -D option.

tld:      Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk: Perform a DNSSEC zone walk using NSEC records.
```

DNS brute force `dnsrecon -d $domain -D $list -t brt`

`dnsenum` is better though, just pass it the domain like `dnsenum $domain`

In :b:indows we can use `nslookup` to do the same as `host`; use `-type={TXT,MX,etc}` for other record types and put a DNS server after the domain to query that one specifically, e.g. `nslookup -type=MX $domain $dns_server`

### Port Scanning

`nc` is awesome, as we all know, and you can actually do a port scan with it&#x20;

`nc -nvv -w 1 -z $ip $port_lower-$port_upper`

`-w` is the connect timeout in seconds, `-z` is zero-I/O mode (connect, send nothing), `-n` skips DNS, `-vv` is extra verbosity. `-u` switches to UDP, `-i` sets a delay between ports.

Important UDP scanning detail: the only thing that proves a UDP port is *closed* is an ICMP port-unreachable coming back, so if a firewall filters ICMP, every closed port will be reported as open.

For :b:indows, `Test-NetConnection -Port $port $ip` checks a single port; for a range, cop this ps oneliner, which is faster because it just fires `TcpClient` connects and throws away the exceptions from closed ports:

```powershell
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
```
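What `nc -z` and the one-liner above are doing, plus the SSH banner grab and the UDP open-vs-closed problem from the notes above, written out as an added example (not code from the original notes). Everything is standard library; the loopback listener and the "silent" UDP socket are constructed targets so it runs offline, and the `SSH-2.0-OpenSSH_9.6` greeting is just a made-up banner.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=1.0, workers=64):
    """Full three-way-handshake scan, i.e. what `nc -z` and `nmap -sT` do.
    Returns {port: banner} for every port that accepted the connection.
    The banner is whatever the service said first within `timeout`
    (SSH, SMTP and FTP talk first; HTTP waits for us, so it stays b'')."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:   # RST (closed) or timeout (filtered)
                return port, None
            try:
                return port, s.recv(256)
            except OSError:                       # nothing volunteered before timeout
                return port, b""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {p: b for p, b in pool.map(probe, ports) if b is not None}


def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """Classify one UDP port the way `nc -u -z` / `nmap -sU` must.
    The only definite 'closed' signal is an ICMP port-unreachable, which the
    kernel hands a *connected* UDP socket back as ECONNREFUSED. Silence is
    ambiguous (the service swallowed the payload, or a firewall ate the ICMP),
    which is why filtered ICMP makes every closed UDP port look open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def start_tcp_listener(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Constructed target: a loopback listener that greets like sshd.
    Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def start_silent_udp_service():
    """Constructed target: a bound UDP socket that never answers (-> open|filtered)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s.getsockname()[1], s.close


def free_udp_port():
    """A loopback UDP port with nothing bound (-> ICMP unreachable -> closed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_tcp_listener()
    print(tcp_connect_scan("127.0.0.1", range(port - 2, port + 3), timeout=0.5))
    stop()
    print(udp_probe("127.0.0.1", free_udp_port()))
```

Point it at a real host by swapping `127.0.0.1` for the target and a real port range for the loopback one; the UDP verdicts are the same three nmap gives (`open`, `closed`, `open|filtered`), and the third is the one that turns into a false "open" when ICMP is filtered.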

### nmap

nmap gets its own section because it's so important.

`-sS` SYN ("stealth") scan: sends a SYN and never completes the handshake, so the target application never sees a connection and nothing lands in its logs; the kernel, IDS and firewall still see every packet, so it's not even remotely stealthy anymore. Needs root, and is the default when you have it.

`-sT` full three-way-handshake connect scan; the default without root, and what you get through SOCKS proxies (proxychains etc.), since those can only relay completed connections.

`-sU` UDP scan; besides watching for ICMP port-unreachable it sends protocol-specific payloads to well-known ports (an SNMP request to 161, a DNS query to 53, ...), so an answer proves open; no answer at all is reported as `open|filtered`. Can be combined with a TCP scan type, e.g. `-sS -sU`.

`-sC` Default scripts

`-sn` host discovery only (no port scan). As root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request; unprivileged it falls back to TCP connects to 80 and 443.

Outputs: `-oN`, `-oX`, `-oS`, `-oG` write normal, XML, s|<rIpt kIddi3 and grepable format respectively to the given filename; `-oA basename` writes normal, XML and grepable at once.

`-A: Enable OS detection, version detection, script scanning, and traceroute`

`--osscan-guess` can be used to force nmap to give you OS guesses even if it's not sure

`--top-ports X` scans the X most common ports, ranked by the frequency column in **/usr/share/nmap/nmap-services**

`-p` specifies ports: `-p-` is shorthand for `-p 1-65535`, you can list them like `-p 22,23,80`, and `-p U:161,T:22` mixes UDP and TCP ports (needs `-sU` plus a TCP scan type)

`--open` only open ports

NSE scripts live in **/usr/share/nmap/scripts** and are run with `--script` (see help with `--script-help=$script`)

To add a new script, drop it into the aforementioned dir and run `sudo nmap --script-updatedb`

### NetBIOS and SMB (139 and 445)

`nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254` initial enum
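Pulling targets back out of that `-oG smb.txt` file, as an added example that is not from the original notes: a small parser for nmap's greppable format (tab-separated `Host:` / `Ports:` fields, port entries as `port/state/proto/owner/service/rpc/version/`). The `SAMPLE_OG` text is constructed to look like that scan's output; it is not a real scan.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254`
# output (made-up hosts, not a real scan).
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
Host: 192.168.50.21 ()\tStatus: Up
Host: 192.168.50.21 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.168.50.22 (files.corp.local)\tStatus: Up
Host: 192.168.50.22 (files.corp.local)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.50.23 ()\tStatus: Up
Host: 192.168.50.23 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done at Mon Jan  1 10:00:09 2024 -- 254 IP addresses (3 hosts up) scanned in 9.12 seconds
"""

# "Host: <ip> (<hostname>)\tPorts: <entries>" with optional further tab-separated fields
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_greppable(text):
    """Return {ip: {port: (state, proto, service)}} from nmap -oG output.
    Comment lines and 'Status: Up' lines carry no port data and are skipped."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, ports_field = m.groups()
        for entry in ports_field.split(", "):
            fields = entry.split("/")     # port, state, proto, owner, service, rpc, version
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            hosts[ip][port] = (state, proto, service)
    return dict(hosts)


def hosts_with_open(parsed, port):
    """IPs where `port` was reported open, in a stable order for feeding the next tool."""
    return sorted(ip for ip, ports in parsed.items()
                  if ports.get(port, ("",))[0] == "open")


if __name__ == "__main__":
    parsed = parse_greppable(SAMPLE_OG)
    for ip in hosts_with_open(parsed, 445):
        print(ip)          # pipe this into enum4linux / smbclient loops
```

Swap `SAMPLE_OG` for `open("smb.txt").read()` and the `print` loop gives you exactly the list to feed `enum4linux -a` in the next step.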

`enum4linux -a $ip` enumerate SMB, can enum less than `-a` like just userlist (`-U`)&#x20;

`sudo nbtscan -r 192.168.50.0/24` for netbios scanning; `-r` sends from UDP 137 as the source port (hence the sudo), which some older Windows boxes insist on; a trailing `/` may be required after the CIDR block (?)

nmap has a bunch of SMB scripts `ls -1 /usr/share/nmap/scripts/smb*`

`net view \\HOST /all` to view all SMB shares at `\\HOST` that are listable

`smbclient -L \\\\{IP}` to connect and list shares (`-N` for a null session, no password prompt); add the sharename, `smbclient \\\\{IP}\\{share}`, to connect to it

### SMTP (25)

`nc -nv $ip 25` to connect

on :b:indows use `Test-NetConnection -Port 25 $IP` as you expect to check that you can connect

also on :b:indows, use `dism /online /Enable-Feature:TelnetClient` to get a telnet client on the box, which you can then use to interact with SMTP and anything else you want to telnet into

`VRFY $user` to check if a mailbox exists on the server (probably obvious, don't include domain name): 250/251 means it exists, 550 means it doesn't, and 252 means the server refuses to say, in which case fall back to `RCPT TO`.

`EXPN $list` expands a mailing list or alias to its members.

### SNMP (161)

`onesixtyone -c $communities -i $ips` where `$communities` and `$ips` are files listing community strings and IPs to try. It's a UDP spray: a wrong community just gets no reply, so it's fast.

`snmpwalk -c $community -v{1,2c} -t 10 $ip` to query for interesting OIDs; `-c` is the community, `-v` is the SNMP version, `-t` the timeout in seconds (v3 doesn't use `-c`, it takes `-u`/`-l`/`-a`/`-A` for user auth instead). Put an OID after that to walk just that subtree.

typical usage: `snmpwalk -c public -v1 -Oa $ip` (`-Oa` prints strings as ASCII) warning this will vomit out a ton of data, again put an OID after to get less data lol

#### Windows MIBs

These are OIDs in the HOST-RESOURCES (`.25`), TCP (`.6`) and LanManager (`.4.1.77`) MIBs; give one to `snmpwalk` to pull just that subtree.

| OID                    | What it returns        |
| ---------------------- | ---------------------- |
| 1.3.6.1.2.1.25.1.6.0   | System Processes       |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs       |
| 1.3.6.1.2.1.25.4.2.1.4 | Processes Path         |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units          |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name          |
| 1.3.6.1.4.1.77.1.2.25  | User Accounts          |
| 1.3.6.1.2.1.6.13.1.3   | TCP Local Ports :fire: |
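What `snmpwalk`/`onesixtyone` put on the wire for those OIDs, as an added example that is not from the original notes: a hand-rolled SNMPv1 GetRequest (BER encoding included, so you can see there is no auth beyond the community string) and a decoder for the GetResponse. Everything is standard library. `SAMPLE_RESPONSE` is a hand-assembled packet, not a capture from a real agent; `snmp_get` is the only part that touches the network and assumes the agent is on UDP 161.

```python
import socket

# --- minimal BER, just enough for SNMPv1 ----------------------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _integer(v):                       # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):                      # OBJECT IDENTIFIER: 40*a+b, then base-128 sub-ids
    ids = [int(x) for x in dotted.strip(".").split(".")]
    out = [40 * ids[0] + ids[1]]
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _decode_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))

def _parse(buf, pos=0):
    """One TLV at pos -> (tag, value, end). Constructed tags give a list of (tag, value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:                     # SEQUENCE / PDU
        items = []
        while pos < end:
            t, v, pos = _parse(buf, pos)
            items.append((t, v))
        return tag, items, end
    return tag, buf[pos:end], end

# --- SNMPv1 GetRequest / GetResponse --------------------------------------
def build_get(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    GetRequest-PDU [0xA0] { request-id, error-status, error-index, varbinds } }.
    The community string is the *entire* authentication, in cleartext."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")            # { OID, NULL }
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)

def parse_response(packet):
    """-> (community, [(oid, value)]) from a GetResponse-PDU [0xA2]."""
    _, msg, _ = _parse(packet)
    (_, _version), (_, community), (pdu_tag, pdu) = msg
    if pdu_tag != 0xA2:
        raise ValueError(f"not a GetResponse (tag {pdu_tag:#x})")
    if int.from_bytes(pdu[1][1], "big", signed=True):       # error-status
        raise ValueError(f"agent returned error-status {pdu[1][1].hex()}")
    out = []
    for _, (oid_tlv, (t, v)) in pdu[3][1]:
        if t == 0x04:                                          # OCTET STRING
            value = v.decode(errors="replace")
        elif t in (0x02, 0x41, 0x42, 0x43):                    # INTEGER/Counter32/Gauge32/TimeTicks
            value = int.from_bytes(v, "big", signed=(t == 0x02))
        elif t == 0x06:
            value = _decode_oid(v)
        else:
            value = v
        out.append((_decode_oid(oid_tlv[1]), value))
    return community.decode(), out

def snmp_get(host, community, oid, timeout=2.0):
    """One request, one reply. A timeout usually means the community is wrong:
    v1/v2c agents silently drop bad communities, which is what makes
    onesixtyone-style spraying so cheap (one UDP packet per guess)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_response(data)

# Constructed GetResponse (hand-assembled, not from a real agent): community
# "public", sysDescr.0 = "Linux", sysUpTime.0 = 12345 ticks.
SAMPLE_RESPONSE = bytes.fromhex(
    "303b02010004067075626c6963a22e020101020100020100302330110608"
    "2b0601020101010004054c696e7578300e06082b0601020101030043023039")

if __name__ == "__main__":
    print(build_get("public", "1.3.6.1.2.1.1.1.0").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

`snmp_get($ip, "public", "1.3.6.1.2.1.25.4.2.1.2")` against a real host returns only the first row of that table; walking it is a GetNext loop (tag `0xA1`, feed each returned OID back in until it leaves the subtree), which is exactly what `snmpwalk` does on top of this.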
