# Reconnaissance and Initial Access

## Passive Enum

### whois

`whois $domain -h $ip` (`-h` selects the whois server to query)

### Google Dorking

`site`, `intext`, `inurl`, `intitle`, `filetype`

[google hacking database](https://www.exploit-db.com/google-hacking-database)

### Shodan

[Filter Reference](https://www.shodan.io/search/filters)

[API Reference](https://developer.shodan.io/api) (python module sucks last I used it, use requests)

`http.favicon.hash` - mm3 (MurmurHash3) hash of the base64 encoding of the favicon (very fun!). [Here](https://github.com/sansatart/scrapts/blob/master/shodan-favicon-hashes.csv) are some pre-hashed ones for your enjoyment.

```python
import codecs
import mmh3  # pip install mmh3

with open('favicon.ico', 'rb') as f:
    # Shodan hashes the newline-wrapped (76-char line) base64 that codecs
    # produces, not the single-line output of base64.b64encode
    h = mmh3.hash(codecs.encode(f.read(), 'base64'))
print(h)
```
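If you want to check what that number actually is without the `mmh3` module, here is a pure-Python MurmurHash3 (x86, 32-bit) plus the exact base64 framing Shodan hashes. This is an added example, not code from the page; the point it demonstrates is that the hash runs over codecs-style base64 (76-character lines, each newline-terminated), which is why `base64.b64encode` gives a different value.

```python
import codecs

MASK = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the 'mm3' Shodan uses, as an unsigned 32-bit int."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl((k * c1) & MASK, 15)
        h ^= (k * c2) & MASK
        h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    tail = data[4 * nblocks:]
    if tail:  # 1-3 leftover bytes, little-endian, zero padded
        k = int.from_bytes(tail, "little")
        k = _rotl((k * c1) & MASK, 15)
        h ^= (k * c2) & MASK
    h ^= len(data)  # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


def to_signed32(x: int) -> int:
    """mmh3.hash() returns a signed 32-bit int, which is what Shodan displays."""
    return x - (1 << 32) if x & 0x80000000 else x


def shodan_base64(favicon: bytes) -> bytes:
    # Shodan hashes MIME-style base64: 76-char lines, each ending in "\n",
    # i.e. codecs.encode(..., "base64"), not base64.b64encode's single line.
    return codecs.encode(favicon, "base64")


def shodan_favicon_hash(favicon: bytes) -> int:
    """Same value as mmh3.hash(codecs.encode(favicon, 'base64'))."""
    return to_signed32(murmur3_32(shodan_base64(favicon)))
```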

### Greynoise

Not really Enum, to be moved

[Search Cheatsheet](https://viz.greynoise.io/cheat-sheet)

### Misc Passive and Semi-passive tools

[securityheaders.com](https://securityheaders.com/) and [ssltest](https://www.ssllabs.com/ssltest)

[urlscan.io](https://urlscan.io)

[crt.sh](https://crt.sh/) - certificate (CT log) search

## Active Enum

### ARP scanning

`sudo arp-scan --interface=XXX 192.168.0.0/24` scans that `/24` on interface XXX (usually `eth0`); you can also use `--localnet` instead to generate the address range from your interface configuration.

`sudo netdiscover -r 192.168.0.0/24` scans the same `/24`; it has a fancier interface than arp-scan.

### SSH

Just try to `ssh` into it; if it's really old or something you can manually specify the kex, cipher, and host key algorithm with `-oKexAlgorithms=+{kex}`, `-c {cipher}`, and `-oHostKeyAlgorithms=+{host_key}` respectively. You might get a banner or something, not usually very useful for now.

### DNS

`host` goes from domain name to IP; specify the record type with `-t` (default is A)

`dnsrecon` is a python script; `-d` gives the domain and `-t` the recon type, one of the following:

```
std:      SOA, NS, A, AAAA, MX and SRV.
rvl:      Reverse lookup of a given CIDR or IP range.
brt:      Brute force domains and hosts using a given dictionary.
srv:      SRV records.
axfr:     Test all NS servers for a zone transfer.
bing:     Perform Bing search for subdomains and hosts.
yand:     Perform Yandex search for subdomains and hosts.
crt:      Perform crt.sh search for subdomains and hosts.
snoop:    Perform cache snooping against all NS servers for a given domain, testing
          all with file containing the domains, file given with -D option.

tld:      Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk: Perform a DNSSEC zone walk using NSEC records.
```

DNS brute force: `dnsrecon -d $domain -D $list -t brt`

`dnsenum` is better though; just pass it the domain like `dnsenum $domain`

In :b:indows we can use `nslookup` to do the same as `host`; use `-type={TXT,MX,etc}` for other record types and put the DNS server after the domain to use a specific one, e.g. `nslookup -type=MX $domain $dns_server`

### Port Scanning

`nc` is awesome, as we all know, and you can actually do a port scan with it:

`nc -nvv -w 1 -z $ip $port_lower-$port_upper`

`-w` is the timeout, `-z` specifies zero I/O (connect but send nothing), and `-nvv` is numeric IPs plus extra verbosity. `-u` can also be used for UDP, and `-i` is the delay interval between ports.

Important UDP scanning detail: ICMP port unreachable messages are what tells you a port is closed, so if a firewall filters them, closed ports will be reported as open.

For :b:indows we can use `Test-NetConnection` for port scanning, or cop this PowerShell one-liner:

```powershell
# % is ForEach-Object. Connect() throws on closed/filtered ports and 2>$null hides
# those errors, so the "open" line is only printed when the TCP connect succeeds.
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
```

### nmap

nmap gets its own section because it's so important.

`-sS` "stealth" SYN scan, not even remotely stealthy anymore but used to be because connections wouldn't be logged if they weren't fully established or something.&#x20;

`-sT` full 3-way handshake connect scan, useful with "some proxies"; also the default when nmap isn't run with root privileges.

`-sU` UDP scan; besides the ICMP method it sends protocol-specific probes on a per-port basis (e.g. an SNMP request for 161). Can be combined with other scan types.

`-sC` Default scripts

`-sn` network sweep (host discovery only): ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request

Output options: `-oN`, `-oX`, `-oS`, `-oG` write the scan in normal, XML, s|<rIpt kIddi3, and grepable format respectively to the given filename; `-oA` writes all of them.

`-A: Enable OS detection, version detection, script scanning, and traceroute`

`--osscan-guess` can be used to force nmap to give you OS guesses even if it's not sure

`--top-ports=X` for X most common TCP ports, which can be found in **/usr/share/nmap/nmap-services**

`-p` is used to specify ports, `-p-` is shorthand for `-p 1-65535` (all of them), and you can also list ports like `-p 22,23,80`

`--open` only open ports

NSE scripts live in **/usr/share/nmap/scripts** and are run with `--script` (see help with `--script-help`)

To add a new script, drop it into the aforementioned dir and run `sudo nmap --script-updatedb`

### NetBIOS and SMB (139 and 445)

`nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254` for initial enum
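To turn `smb.txt` from that `-oG` command into a host list you can actually act on, here is an added parser for nmap's grepable format (example code, not from the page). The sample output is constructed, not a real scan, and follows the `Host:` / `Ports:` / `Ignored State:` tab-separated layout nmap writes with `-v`.

```python
import re

# Constructed sample of what nmap -v -p 139,445 -oG smb.txt writes (not a real scan).
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
Host: 192.168.50.21 ()\tStatus: Up
Host: 192.168.50.21 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
Host: 192.168.50.22 ()\tStatus: Up
Host: 192.168.50.22 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done -- 254 IP addresses (2 hosts up) scanned
"""

# port/state/protocol/owner/service/rpc info/version/  (owner is usually empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_grepable(text):
    """Return {ip: [(port, state, service), ...]} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' header and trailer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "192.168.50.21 ()" -> "192.168.50.21"
        hosts.setdefault(ip, [])
        for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
            hosts[ip].append((int(port), state, service))
    return hosts


def open_ports(hosts, port):
    """Sorted list of hosts that reported 'open' for the given port."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(p == port and s == "open" for p, s, _ in ports))
```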

`enum4linux -a $ip` enumerates SMB; you can enum less than `-a`, like just the user list (`-U`)

`sudo nbtscan -r 192.168.50.0/24` for NetBIOS scanning; `-r` uses 137 as the origin port, and a trailing `/` may be required after the CIDR block (?)

nmap has a bunch of SMB scripts: `ls -1 /usr/share/nmap/scripts/smb*`

`net view \\HOST /all` to view all listable SMB shares on `\\HOST`

`smbclient -L \\\\{IP}` to connect and list shares; append the share name to connect to it

### SMTP (25)

`nc -nv $ip 25` to connect

on :b:indows use `Test-NetConnection -Port 25 $IP`, as you'd expect, to check that you can connect

also on :b:indows, use `dism /online /Enable-Feature:TelnetClient` to get a telnet client on the box, which you can then use to interact with SMTP and anything else you want to telnet into

`VRFY $email` checks whether a user is registered with the server (probably obvious: don't include the domain name)

`EXPN` can be used to check mailing list membership

### SNMP (161)

`onesixtyone -c $community -i $ips` where `$community` and `$ips` are files listing community strings and IPs

`snmpwalk -c $community -v{1,2c,3} -t 10 $ip` to query for interesting MIBs; `-c` is the community string, `-v` the SNMP version, `-t` the timeout. Put a MIB (OID) after that to query just it.

typical usage: `snmpwalk -c public -v1 -Oa $ip`. Warning: this will vomit out a ton of data; again, put a MIB after it to get less data lol

#### Windows MIBs

| MIB (OID)              | What it returns        |
| ---------------------- | ---------------------- |
| 1.3.6.1.2.1.25.1.6.0   | System Processes       |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs       |
| 1.3.6.1.2.1.25.4.2.1.4 | Processes Path         |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units          |
| 1.3.6.1.2.1.25.6.3.1.2 | Software Name          |
| 1.3.6.1.4.1.77.1.2.25  | User Accounts          |
| 1.3.6.1.2.1.6.13.1.3   | TCP Local Ports :fire: |
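Walk output is noisy, so here is an added helper (example code, not from the page) that maps the OIDs in the table above onto their labels and decodes the `1.3.6.1.2.1.6.13.1.3` rows: in RFC 1213's tcpConnTable the index after that OID is `localAddr(4 octets).localPort.remoteAddr(4 octets).remotePort`, which is what makes that row a listening-port list. The sample walk lines are constructed (hostname, PIDs and counts are made up) and use the numeric `iso.3.6...` form snmpwalk prints when no MIB files are loaded; the same parse is how you'd audit what a public community string exposes on your own hosts.

```python
import re

# OID prefixes from the Windows MIB table above; anything after them is a row index.
WINDOWS_MIBS = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# Constructed snmpwalk lines (numeric form printed when no MIB files are loaded).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "WIN-EXAMPLE"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 57
iso.3.6.1.2.1.25.4.2.1.2.620 = STRING: "lsass.exe"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.192.168.50.151.445.0.0.0.0.0 = INTEGER: 445
"""

LINE_RE = re.compile(r"^(?:iso|\.?1)\.(\S+) = (\w+): (.*)$")


def classify(line):
    """(label, index suffix, value) for a line whose OID is in the table, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid, value = "1." + m.group(1), m.group(3).strip('"')
    for prefix, label in WINDOWS_MIBS.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return label, oid[len(prefix):].lstrip("."), value
    return None


def decode_tcp_index(suffix):
    """tcpConnTable index (RFC 1213): localAddr.localPort.remAddr.remPort."""
    p = suffix.split(".")
    return ".".join(p[0:4]), int(p[4]), ".".join(p[5:9]), int(p[9])


def listening_ports(text):
    """Local (ip, port) pairs revealed by the TCP Local Ports rows of a walk."""
    found = []
    for line in text.splitlines():
        hit = classify(line)
        if hit and hit[0] == "TCP Local Ports":
            local_ip, local_port, _, _ = decode_tcp_index(hit[1])
            found.append((local_ip, local_port))
    return found
```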
