# Recon **#common vulnerable ports to scan** ``` UDP Ports: 53,69,111,161,500,623,2049 TCP Ports: 21,22,23,25,53,80,81,88,110,111,123,137-139,161,389,443,445,500,512,513,548,623-624,1099,1241,1433-1434,1521,2049,2483-2484,3268,3269,3306,3389,4333,4786,4848,5432,5800,5900,5901,6000,6001,7001,8000,8080,8181,8443,10000,16992-16993,27017,32764 ``` **#masscan against targets** ``` masscan -p --open --banners -oG output.txt -iL targets.txt ``` **#Nmap on:** 1. TCP + UDP 2. Common ports first --> then ALL ports 3. Enumerate versions 4. Enumerate OSs 5. Vuln scan 6. NSE scans 7. Run nmapAutomator in the background with "all" flag **#Enumerate HTTP-HTTPS with nmap and Aquatone** ``` cat scans/nmap-tcp.xml | aquatone -nmap -ports xlarge -out aquatone ``` **#wafw00f | check if WebApp is behind a firewall** ``` wafw00f countrygarden.com.cn ``` **#host,whois,dig,nslookup....** **#Sn1p3r** ``` #run on background and check output after you are done with manual enum sniper -t example.com -m stealth -o -re ``` **#Nuclei** ``` #Run nuclei against webapp, run vanilla then try custom modules sudo nuclei -u https://example.com sudo nuclei -u https://example.com -t vulnerabilities/wordpress ``` **#OWASP ZAP** ``` #Good all round scan against webapp, takes a while to complete so start and let run on background ``` **#TCPDump save packet capture** ``` tcpdump -i -s0 -w pcapfile.pcap #Ctrl-C to stop after about 5 minutes. Replay capture and look for interesting protocols: tcpdump -r pcapfile.pcap not and not arp ``` **#DNS enum** ``` #NMAP sudo nmap --script dns-nsid 10.10.10.10 #DIG dig ANY @ #Any information #nslookup nslookup > SERVER #Select dns server > 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe... > #Reverse lookup of a machine, maybe... #Metasploit auxiliary/gather/enum_dns #Perform enumeration actions #DNSRecon Subdomains reverse brute Force dnsrecon -r 127.0.0.0/24 -n #DNS reverse of all of the addresses dnsrecon -r 127.0.1.0/24 -n #DNS reverse of all of the addresses dnsrecon -r /24 -n #DNS reverse of all of the addresses #subdomains bruteforce dnsrecon -D subdomains-1000.txt -d -n dnscan -d -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan #Active Directory Servers DNS enum dig -t _gc._tcp.target.domain.com dig -t _ldap._tcp.target.domain.com dig -t _kerberos._tcp.target.domain.com dig -t _kpasswd._tcp.target.domain.com nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'" #Fierce fierce -d target.com #Amass amass -ip -active -d target.com ``` **#Responder LLMNR / NBTNS** ``` ./Responder.py -I -A sudo responder 192.168.12.139 -I eth0 -wd ``` **#Enumerate AD naming context** ``` ldapsearch -x -s base namingcontexts -H ldap:// ``` **#Locate AD domain controllers** ``` First you'll need the domain name. You should be able to find that in the tcpdump output. Next, run: nslookup -type=srv _ldap._tcp. | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g' > domaincontrollers.out ``` **#Null session enum** ``` ldapsearch -h -x -b "DC=example,DC=local" ############################################################################# If you get usernames, run Impacket GetNPUsers.py on them and crack any hashes that you get. This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking. ``` **#ASREPRoasting** ``` GetNPUsers.py [Domain Name]/ -dc-ip [DC IP address] -request ``` **#Kerberoasting** ``` GetUserSPNs.py -request -save -dc-ip domain/user ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://davidtancredi.gitbook.io/pentesting-notes/r3dcl1ff/pentesting-checklist-s/internal-pentest-checklist/recon.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.