Information gathering tools

Below is a list of information gathering tools, each with a short description and an example of basic usage. For more information on each tool, refer to its man page:

 * arp-scan
   Useful to detect computers connected to a network.
     arp-scan --interface=eth0 --localnet
 * cadaver
   Very useful when there are WebDAV vulnerabilities, or when we can connect to it, in order to upload or download files to the server. If we type the following we get an interactive console:
     cadaver http://10.11.1.202/webdav
   Typing help we will see the available commands. If the WebDAV server is not on the standard port 80, we first connect to the non-standard port (-p option):
     cadaver -p 192.168.96.128:8180
   and then we open the WebDAV directory from the cadaver prompt:
     dav:!> open http://192.168.96.128:8180/webdav
 * cewl
   Tool to extract words from a website with the idea of producing a wordlist of words relevant to that website, which can then be mutated to produce a dictionary for attempting password attacks. The following creates a file (-w option) on our local computer containing the words of at least 6 characters (-m option) found on the specified website:
     cewl www.test.com -m 6 -w /root/test.txt
   The wordlist can then be mutated into a new file with:
     john --wordlist=test.txt --rules --stdout > mutated.txt
   The mutation rules are specified in /etc/john/john.conf.
 * crackmapexec
   For testing which machines a set of credentials have access to. Useful after dumping creds from a box, to see where those creds have access.
     crackmapexec -u -p 192.168.1.1/24
 * curl
   A file can be uploaded to a webserver with curl:
     curl -X PUT http://test.com --upload-file file.txt
   The output of this command is HTML, usually with an error explaining why the upload was not possible. To read that output more easily, paste it into an online HTML viewer rather than saving a file and opening it in a browser every time. We may also try to upload a remote command executing program with a one-line command:
     curl -v -X PUT -d '' http://172.16.92.137/test/shell.php

 * davtest
   Tool to check if we can abuse WebDAV to upload files and which file formats can be executed on the server. We can intercept the requests with Burp to see how davtest uses PUT requests to try to upload files.
     davtest -url http://192.168.1.100
 * dig
   Tool to perform DNS zone transfers:
     dig axfr @10.10.10.29
 * dirb
   Directory bruteforcing tool to discover hidden files and folders in a website:
     dirb http://192.168.1.100 /usr/share/dirb/wordlists/common.txt
   dirb also works through proxychains:
     proxychains dirb http://192.168.1.100 /usr/share/dirb/wordlists/common.txt
 * dirsearch
   Python alternative to dirb; it must be downloaded first (it's not a Kali Linux tool). We can choose not to use recursive search (not looking inside found subfolders):
     python3 dirsearch.py -w /path/list.txt -e php -f -t 20 -u http://192.168.1.100
   -f forces the use of file extensions, -w is the dictionary we use, -e is the file extension type, -u the URL and -t the number of parallel threads.

 * dnsrecon
   Tool to attempt host discovery in the range specified with -r by querying the DNS server specified with -n:
     dnsrecon -r 127.0.0.1/24 -n 10.10.10.29
 * droopescan
   Tool used to scan websites made with Drupal.

 * enum4linux
   Tool to enumerate SMB and Samba (the Linux implementation of the SMB protocol):
     enum4linux 192.168.1.100
 * gobuster
   Alternative to dirb and dirsearch to bruteforce directories in websites:
     gobuster -u 10.1.1.236/ -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 50
   -u specifies the URL, -w the dictionary wordlist and -t the number of threads. gobuster works with proxychains and with HTTPS (for that, write the URL as https://x.x.x.x:443/). If it complains, we may need to pass the option -k to include the SSL certificate.

 * host
   Linux command line tool to display internal DNS lookups, as stored in /etc/resolv.conf.
     host 192.168.1.100
   retrieves the associated URL, and
     host www.test.com
   retrieves the associated IP.

 * keimpx
   Program to test some credentials against a set of IPs stored in a file (/root/smbopen.txt in the example):
     keimpx -l /root/smbopen.txt -U victim -P s3cr3t -v 1 -b
 * nikto
   Program to test a lot of known vulnerabilities in the specified website (-host option), with the possibility to specify an uncommon HTTP or HTTPS port (-port):
     nikto -host 10.11.1.44 -port 8000
 * nmap
   The most popular port scanner. Check the page dedicated to nmap for more details. To scan ports 139 and 445 of an IP and apply the SMB enumeration scripts:
     nmap 192.168.1.100 -p 139,445 --script=smb-enum*

 * nslookup
   It can be used to read information stored as text (TXT record) in DNS servers (for example, "Game of Thrones" from Vulnhub, or "Cronos" from Hack the Box). This command can be complementary to dig, but one must be very strict with the syntax of these commands, or we may miss information that is there...
     nslookup -q=TXT TimeF0rconqu3rs.7kingdoms.ctf 192.168.1.155
     dig axfr @10.10.10.13 cronos.htb
   Here we already knew that cronos.htb is a domain name, and with the zone transfer we find subdomains that might be invisible otherwise. Several domain names can be added in /etc/resolv.conf on the same line, associated to a single IP, by separating the domain names with white spaces. We would do this if we know virtual hosting is being used, so that a single IP of a physical server serves different URLs of logically separated websites.
 * onesixtyone
   Tool to enumerate the SNMP protocol (port 161). It brute forces community strings to discover which are active on an IP. To check public, private and manager, create a text file called community containing these three words, one per line, and a file called ips containing the IPs to scan, one per line, and run:
     onesixtyone -c community -i ips
 * onetwopunch
   Tool to scan ports, but it uses unicornscan for UDP ports, which is much faster than nmap (ip is a text file containing IPs):
     onetwopunch.sh -p udp -t ip
 * rpcinfo
   Tool to enumerate the RPC protocol:
     rpcinfo -p 192.168.1.100

 * smbclient
   If there is a share we are trying to connect to and we want to try a null session, when prompted for a password we just hit enter. If for example we know from enum4linux that there is a share called wwwroot, we will get an SMB shell in that location with:
     smbclient \\\\192.168.1.100\\wwwroot -U ""
   and when asked for a password we just hit enter. If null sessions are allowed, we will be in. If we just want to list the directories, we use -L:
     smbclient -L //192.168.1.143
   For Windows hosts we precede the IP with \\\\ and the directories are separated by \\, while for Linux hosts we precede the IP with // and the directories are separated by /. With the metasploit module
     use auxiliary/admin/smb/samba_symlink_traversal
   we may navigate the filesystem. The command help in the smb:> shell is useful to know what commands are available, and help followed by a command name tells us what that command does.
 * snmpenum
 * snmpcheck

 * snmpget
   To read the values of SNMP communities. Useful in Vulnhub's "Necromancer", where a custom community hides a message:
     snmpget -v 2c -c death2allrw 192.168.0.101 iso.3.6.1.2.1.1.6.0
 * snmpset
   To give values to community strings, again like in "Necromancer":
     snmpset -v 2c -c death2allrw 192.168.0.101 iso.3.6.1.2.1.1.6.0 s Unlocked
 * snmpwalk
   Tool for enumerating community strings. The output can be huge if we just do the following, to check public strings:
     snmpwalk -c public -v1 192.168.1.100
   It can be more useful to look at specific branches of the tree, which have known names:
     Windows Users: snmpwalk -c public -v1 192.168.1.100 1.3.6.1.4.1.77.1.2.25
     Running Windows Processes: snmpwalk -c public -v1 192.168.1.100 1.3.6.1.2.1.25.4.2.1.2
     Open TCP Ports: snmpwalk -c public -v1 192.168.1.100 1.3.6.1.2.1.6.13.1.3
     Installed Software: snmpwalk -c public -v1 192.168.1.100 1.3.6.1.2.1.25.6.3.1.2
 * SPARTA
   SPARTA is a great tool that automates many of the scanning programs on this page. It may be too noisy, since it launches so many programs together, but it gives very complete information and has an intuitive GUI: just add the IPs you want to scan.
 * tcpdump
   Command line alternative to Wireshark. It can be useful if we have a remote shell on a target inside a network, to listen for packets moving across that network. This website contains a good description of the commands: https://www.rationallyparanoid.com/articles/tcpdump.html
     tcpdump src 10.11.1.8 -i tap0
   -i is the interface, and src filters the source of the packets.
 * unicornscan
   Tool to perform fast UDP scans, compared to nmap:
     unicornscan -m U 192.168.1.100
   -m indicates the mode of the scan, in this case UDP, but we can leave it blank for the default.
 * xprobe2
   A remote active operating system fingerprinting tool:
     xprobe2 -v -p tcp:80:open 10.11.1.133
 * wpscan
   Tool to scan websites made with WordPress for vulnerabilities:
     wpscan --url 192.168.1.100 --enumerate u
   That tries to enumerate users. If for example we have found that there is a user "admin", we can try to brute force it:
     wpscan --url 192.168.1.100 --wordlist /usr/share/wordlists/top10000.txt --username admin --threads 20
   If the page created with WordPress is not in the root folder of the web server, we need to say where it is (usually brute forcing directories finds this, with dirb, dirbuster, etc.), for example the folder "wp":
     wpscan --url 192.168.1.100/wp --enumerate u
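As an added example (not part of the original notes), the following Python parses the text that snmpwalk prints and groups the values under the four OID branches listed above, so a defender can see at a glance what an agent answering to a default community string gives away. The sample walk output is constructed, not a real capture.

```python
import re

# OID branches quoted in the notes above, mapped to a label.
BRANCHES = {
    "1.3.6.1.4.1.77.1.2.25": "windows_users",
    "1.3.6.1.2.1.25.4.2.1.2": "running_processes",
    "1.3.6.1.2.1.6.13.1.3": "open_tcp_ports",
    "1.3.6.1.2.1.25.6.3.1.2": "installed_software",
}

# One snmpwalk output line, e.g.  iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
LINE_RE = re.compile(r'^(?:iso|\.?1)\.([\d.]+)\s*=\s*([\w-]+):\s*(.*)$')

# Constructed sample output (not a real capture) of a walk over the whole tree.
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 - Software: Windows"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110 = STRING: "Administrator"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.620 = STRING: "svchost.exe"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2015 Redistributable"
"""

def _clean(vtype, raw):
    """Turn the printed value into a Python value."""
    if vtype == "INTEGER":
        return int(raw.split()[0])      # "135" or "135 (label)"
    return raw.strip().strip('"')

def parse_snmpwalk(text):
    """Group every value that sits under a known branch by that branch's label."""
    found = {label: [] for label in BRANCHES.values()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # blank, continuation or banner line
        oid = "1." + m.group(1)         # "iso" is arc 1 of the OID
        for prefix, label in BRANCHES.items():
            if oid.startswith(prefix + "."):
                found[label].append(_clean(m.group(2), m.group(3)))
                break
    return found

if __name__ == "__main__":
    for label, vals in parse_snmpwalk(SAMPLE).items():
        print(f"{label:20s} {vals}")
```

To audit a real host, pipe the output of the snmpwalk command above into parse_snmpwalk instead of SAMPLE; anything that lands in a bucket is information the community string exposes to the network.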

     wpscan --url 192.168.1.100/wp --wordlist /usr/share/wordlists/top10000.txt --username admin --threads 10
   Or, if the WordPress installation folder does not have the default name, we also need to indicate what it is:
     wpscan --url 192.168.1.100/wp --enumerate u --force --wp-content-dir wp-content
   The option -e vt,tt,u,ap enumerates several things simultaneously. Don't only look at enumerating users: pay attention to the vulnerabilities found, and look for tutorials on Google on how to exploit them; there is plenty of information.
 * ZAP
   The Zed Attack Proxy can be used for many things, but it has an interesting option for information gathering: spidering the directories of a website. Sometimes nikto or directory brute forcing programs give a MASSIVE list of found directories, and this output is not to be paid attention to: every directory is a false positive and it is impossible to analyze them all. In that case, spidering the website can be the only possibility to find hidden directories in a reasonable time. Capture an HTTP request to the page we want to spider, right click on the folder icon containing that IP in the left panel of the ZAP interface, and click Spider.