2.2.1 Information gathering & Vulnerability scanning: active reconnaissance/ scanning & recon Flashcards
What is active reconnaissance?
Engaging with the targeted systems or networks to gather information about their vulnerabilities
Scanning & enumeration: name the type of scan that can be done (3):
- Discovery scan: ping scan that identifies what host are online and port scan that identifies whether the ports on those hosts are open/closed
- Enumeration: it digs deep into target systems and links identified components into known vuln
- Nmap/Zenmap: nmap require exact syntax and zenmap provides dropdown menu, there is also other scan like ping scan, quick scan and intense scan
Scanning & enumeration: what is scanning?
Actively connecting to a system and getting a response to identify hosts, open ports, service, users, domain names and URLs used by a given organization
Scanning & enumeration: what is fingerprinting ?
The identification of an OS, service or specific software version that is use by a host, system or network
Scanning & enumeration: what is banner grabbing refers to?
Using a program like Netcat, wget or telnet to connect to a given port that is running a service
Scanning & enumeration: what’s the difference between scanning, enumeration and fingerprinting ?
- Scanning: more generic
- Enumeration: more in depth
- Fingerprinting: most detailed
Scanning & enumeration: what is host enumeration?
Enumeration of any server, workstation, client, which can also include mobile devices, tablets, and IoT devices, or even a networking device like a switch, router, or access point
Scanning & enumeration: how to proceed to a host enumeration?
We can enumerate the hosts using command line-based Windows tools or BASH command line tools for Linux hosts or servers to learn more about the target network
Scanning & enumeration: list and explain the most common commands line tools for enumeration on Windows
- net: A suite of tools that can be used to perform operations on groups, users, account policies, network shares, and more
- arp: Used when enumerating a Windows host. Address Resolution Protocol (ARP) Cache
provides a list of all the other machine’s MAC addresses that have recently communicated with the host you are currently on - ipconfig: Determines the IP address of the machine you are currently on
- ipconfig /displaydns: Displays any DNS names that have recently been resolved
Scanning & enumeration: list and explain the most common commands line tools for enumeration on Linux
- finger: Used to view a user’s home directory, their login, and their current idle time
- uname -a: Shows the OS’s name, version, and other relevant details displayed to the terminal
- env: Gives a list of all of the environment variables on a Linux system
Scanning & enumeration: can service be enumerated and why?
Yes, they can be enumerated to provide us with additional details about a given host
Scanning & enumeration: how service can be enumerated?
By conducting an intensive scan using Nmap, it returns information about the services running on a host’s open ports
Scanning & enumeration: what is Active Directory (AD)?
A database that stores, organizes, and enables access to other objects under its control
Scanning & enumeration: in AD, what is Organizational Unit (OU)?
Used within a domain to group similar objects (i.e., computers, groups, or even users) together
Scanning & enumeration: in AD, what is a user?
Used to represent a person or process that will access a given resource in the domain
Scanning & enumeration: in AD, what is a group?
A collection of users
Scanning & enumeration: why do you need to know domain enumeration?
Because many Windows attacks rely on trying to bypass the Kerberos authentication in a domain environment.
The first domain is always considered the root domain. Domains or subdomains underneath the root domain are considered children
Scanning & enumeration: how to enumerate a domain?
- Powershell: with Get-NetDomain (Lists the current logged in user’s domain) or Get-NetLoggedon (Lists of all the users who are logged into a given computer)
- Nmap, Metasploit
Scanning & enumeration: how to enumerate users on a Windows machine?
- Get-NetGroupMember: Lists the domain members belonging to a given group
- net user: Lists all the users on the machine
- net groups: Lists the groups on the machine
Website reconnaissance: what information do you need to determine when you are conducting a website reconnaissance?
▪ Software
▪ Operating system
▪ Hosting
▪ Resources
▪ Hidden information
Website reconnaissance: what is a website builder?
A platform that a creator or developer uses to create a website from the ground up. It typically offers templates to select from that give sites different looks, features, capabilities, and further opportunities for customization as well.
Website reconnaissance: why should you conduct a website reconnaissance?
To identify vulnerabilities.
Find every page that exists on the website, because any page can hold a vulnerability
Website reconnaissance: how to conduct a website reconnaissance (2 techniques)?
2 ways:
- Website Crawling (Forced Browsing): The process of systematically attempting to find every page on a given website
- Web Scraping/Harvesting/Data Extraction: A technique used for extracting data from websites performed using automation or through manual processes
Website reconnaissance: what are the 2 ways to conduct Website Crawling?
- Prevention: by checking the robots.txt file
- Using DirBuster
