Introduction to Reconnaissance Techniques

This document provides an overview of reconnaissance techniques in ethical hacking. It defines reconnaissance as the process of gathering information about a target system without interacting with it directly. The document outlines two main types of reconnaissance - active reconnaissance, which involves direct interaction with the target, and passive reconnaissance, which does not. It also defines some common reconnaissance techniques like port scanning, OS fingerprinting, and discusses nmap, an open-source tool used for port scanning and discovery.

NEXUS EDUCATION SERVICES

📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@[Link] 🌐 [Link]

This is intellectual property of Nexus Education Services. Reproduction and distribution without consent will be prosecuted in a court of law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other
Purposes] otherwise known as the Intellectual Property Code of the Philippines

Information Gathering (Reconnaissance)

Information gathering, that is, getting to know the target systems, is the first process in ethical hacking.
Reconnaissance is a set of processes and techniques (footprinting, scanning and enumeration) used to covertly
discover and collect information about a target system.

Introduction to Reconnaissance:

Reconnaissance is key to any successful hack. On average, approximately three-fourths of any hack should be
spent performing accurate and precise recon. Reconnaissance is the act of gaining information about our target,
such as open ports, the operating system, what services those ports are running, and any vulnerable applications
installed. All of this information is vital to choosing an attack. How are we supposed to hack if we don’t know
what we’re getting into?

There are two base types of recon, active and passive. Both have their pros and cons, so let’s cover these types of
recon briefly:

Active Recon:
This type of recon requires that we interact with the target. This recon is faster and more accurate, but it also
makes much more noise. Since we have to interact with the target to gain information, there’s an increased
chance that we’ll get caught by a firewall or one of the network security devices. (Intrusion Detection Systems,
network firewalls, etc.)

Passive Recon:
This type of recon doesn’t require any interaction with the target, so it is far less likely to be detected. The trade-off
is that the information gained is not as accurate, and it’s much slower than its active counterpart. Passive recon
is the act of watching the target. Instead of interacting with them, we can watch their traffic and gain information
without so much as pinging them.
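The "noise" that makes active recon detectable is, from the defender's side, a burst of connection attempts to many different ports from one source in a short time. The Python script below is an added example and not part of the original handout: it runs a sliding-window port-sweep detector over a few constructed firewall log lines. The log line format, the IP addresses, the 60-second window and the 10-port threshold are all assumptions made for this example, not the output or defaults of any particular firewall or IDS.

```python
"""Flag port sweeps (the footprint of an active port scan) in firewall logs.

Added example for this page. The log format, sample lines, window and
threshold below are constructed assumptions, not a real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <ACCEPT|DROP> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample: 203.0.113.7 touches 12 different ports on one host within
# five seconds; 198.51.100.5 is a normal client using only 80 and 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP 203.0.113.7 -> 192.0.2.10:21
2024-05-01T10:00:00 DROP 203.0.113.7 -> 192.0.2.10:22
2024-05-01T10:00:01 DROP 203.0.113.7 -> 192.0.2.10:23
2024-05-01T10:00:01 DROP 203.0.113.7 -> 192.0.2.10:25
2024-05-01T10:00:02 DROP 203.0.113.7 -> 192.0.2.10:53
2024-05-01T10:00:02 ACCEPT 203.0.113.7 -> 192.0.2.10:80
2024-05-01T10:00:03 DROP 203.0.113.7 -> 192.0.2.10:110
2024-05-01T10:00:03 DROP 203.0.113.7 -> 192.0.2.10:135
2024-05-01T10:00:04 DROP 203.0.113.7 -> 192.0.2.10:139
2024-05-01T10:00:04 DROP 203.0.113.7 -> 192.0.2.10:143
2024-05-01T10:00:05 ACCEPT 203.0.113.7 -> 192.0.2.10:443
2024-05-01T10:00:05 DROP 203.0.113.7 -> 192.0.2.10:445
2024-05-01T10:00:07 ACCEPT 198.51.100.5 -> 192.0.2.10:443
2024-05-01T10:00:09 ACCEPT 198.51.100.5 -> 192.0.2.10:443
2024-05-01T10:00:12 ACCEPT 198.51.100.5 -> 192.0.2.10:80
2024-05-01T10:00:15 ACCEPT 198.51.100.5 -> 192.0.2.10:443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
    }


def detect_port_sweeps(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {(src, dst): max_distinct_ports} for every source/destination pair
    that touched at least `threshold` distinct ports within any `window`.

    Both accepted and dropped attempts count: a scanner reaching an open port
    is still part of the sweep.
    """
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)  # port -> number of attempts inside the window
        for ts, port in evs:
            in_window[port] += 1
            # Slide the window start forward past events older than `window`.
            while ts - evs[start][0] > window:
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The detector keys on distinct destination ports rather than packet count, so a busy legitimate client that hammers one port does not trip it; the trade-off is that a slow scan spread over longer than the window (the kind a `--scan-delay` or a low `-T` template produces) stays below the threshold, which is exactly why the handout's remark about slower recon being harder to detect holds.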
Now that we’ve covered the two base types of recon, let’s go over some of the recon terms that we’ll hear
commonly:

Discovery:
This is the act of discovering possible victims. Discovery is essential to reconnaissance as it tells us who our
potential victims are.

Port Scanning:
As the name implies, this is the act of scanning a range of ports on a victim. A port is used to make connections and
manage communications for networkable services or applications. Any open port is a possible avenue of attack.
There are multiple kinds of port scans, but those go beyond the scope of this introductory article.

OS Fingerprinting:
OS fingerprinting is the act of attempting to determine a victim’s operating system. Knowing the victim’s OS is
crucial to choosing an attack that will work. Attempting a Windows-based attack on a Linux victim doesn’t make
much sense.

Now that we know these terms and methods, allow me to introduce one of the most used and best active recon
tools, nmap. Nmap stands for network mapper.


What is NMAP

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to
rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in
use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and
network administrators find it useful for routine tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the
options used. Key among that information is the “interesting ports table”. That table lists the port number and
protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an
application on the target machine is listening for connections/packets on that port. Filtered means that a firewall,
filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed
ports have no application listening on them, though they could open up at any time. Ports are classified as
unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or
closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of
the two states describe a port. The port table may also include software version details when version detection has
been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP
protocols rather than listening ports.
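The port table described above is also what Nmap writes to disk when the XML output option (-oX, listed under OUTPUT below) is used, one port element per row with its state, reason and any version details. The Python script below is an added example, not part of Nmap or of this handout: it parses a constructed XML document laid out the way Nmap writes it (nmaprun/host/ports/port/state/service), counts the port states, builds an inventory of open services, and separates out the combined open|filtered and closed|filtered states that need a second look. The host address, hostname, products and versions in the sample are made up.

```python
"""Summarise an Nmap XML (-oX) port table by state.

Added example for this page, not code from Nmap. The XML below is a
constructed sample in Nmap's element layout; its values are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX - 192.0.2.10" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-host.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of host dicts, each with its address, hostname,
    the extraports summary, and one dict per listed port."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        entry = {
            "address": addr.get("addr") if addr is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            # Nmap folds ports sharing one state into <extraports state=... count=...>
            "extraports": {ep.get("state"): int(ep.get("count"))
                           for ep in host.findall("ports/extraports")},
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else None,
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(entry)
    return hosts


def state_summary(hosts):
    """Count listed ports per Nmap state (open, closed, filtered, open|filtered, ...)."""
    return Counter(p["state"] for h in hosts for p in h["ports"])


def exposed_services(hosts):
    """Inventory lines for open ports with detected version: the rows a defender
    compares against the expected service baseline for each host."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                detail = " ".join(x for x in (p["service"], p["product"], p["version"]) if x)
                rows.append(f"{h['address']} {p['protocol']}/{p['port']} {detail}")
    return rows


def ambiguous_ports(hosts):
    """Ports in a combined state: Nmap could not decide between the two, so they
    need follow-up (e.g. --reason, -sV, or a check on the host itself)."""
    return [f"{h['address']} {p['protocol']}/{p['port']} {p['state']} ({p['reason']})"
            for h in hosts for p in h["ports"] if p["state"] and "|" in p["state"]]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(dict(state_summary(found)))
    print("\n".join(exposed_services(found)))
    print("\n".join(ambiguous_ports(found)))
```

Reading the XML rather than the human-readable normal output is the robust choice for any automation, because the normal format is not a stable interface; note that the extraports element carries the hundreds of closed (or filtered) ports that never appear as individual rows, so an inventory that ignores it undercounts what was actually probed.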

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS
names, operating system guesses, device types, and MAC addresses.

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.
Ex: [Link], [Link]/24, [Link]; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.

OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes

--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from [Link] for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.

EXAMPLES:
nmap -v -A [Link]
nmap -v -sn [Link]/16 [Link]/8
nmap -v -iR 10000 -Pn -p 80


What is Dmitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C.
DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather
possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.

The following is a list of the current features:

▪ An Open Source Project.
▪ Perform an Internet Number whois lookup.
▪ Retrieve possible uptime data, system and server data.
▪ Perform a SubDomain search on a target host.
▪ Perform an E-Mail address search on a target host.
▪ Perform a TCP Portscan on the host target.
▪ A Modular program allowing user specified modules
▪ Source: [Link]
▪ DMitry Homepage | Kali DMitry Repo

Author: James Greig
License: GPLv3
Tools included in the dmitry package
dmitry – Deepmagic Information Gathering Tool

How to use it
root@kali:~# dmitry -h
Deepmagic Information Gathering Tool
"There be some deep magic going on"

dmitry: invalid option -- 'h'

Usage: dmitry [-winsepfb] [-t 0-9] [-o %[Link]] host

-o Save output to %[Link] or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve [Link] information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed


WHOIS KALI LINUX COMMAND

The whois command in Kali Linux is a utility for listing and finding detailed domain information; it is available on
all Linux-based operating systems. Used properly, it can even identify unknown and distant hosts and their
network administrators.

Some of the attributes in domain details, are:

▪ Registrar
▪ Admin
▪ Tech
▪ Name Server
▪ Geographical Location
▪ IP history

Getting Started with installation first

In order to install the whois command on Mint, Ubuntu, Debian and Kali, type the following command without quotes:

” sudo apt install whois “

Note: Latest versions of Kali Linux come pre-loaded with the whois client.

To install the whois command on Fedora, RHEL and CentOS, type the following command without quotes:

” sudo yum install whois “

Syntax to use the whois command in Kali Linux

whois < name of the website with extension / IP address >
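A whois record comes back as free text, so pulling out the attributes listed above (registrar, admin and tech contacts, name servers) and the dates is the first thing any tooling around the command has to do. The Python script below is an added example and not part of the whois client or of this handout: it parses a constructed "Key: Value" record in the layout most registrar whois servers use, accumulates repeated keys such as Name Server, skips the ">>>" and "%" comment lines, and computes how long the registration has left, which is the defender's usual use of the same data (an expired domain is a takeover waiting to happen). The domain, registrar, name servers and dates are made up; the exact key names vary between registries and are an assumption here.

```python
"""Parse a whois record into its attributes and check registration expiry.

Added example for this page, not part of the whois client. The key names
and the sample record are constructed assumptions; registries differ.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample record in the common "Key: Value" registrar layout.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-LAB.TEST
   Registrar: Example Registrar, Inc.
   Registrar WHOIS Server: whois.example-registrar.test
   Updated Date: 2024-01-15T08:30:00Z
   Creation Date: 2015-03-10T12:00:00Z
   Registry Expiry Date: 2025-03-10T12:00:00Z
   Admin Organization: Example Lab Admin
   Tech Organization: Example Lab Tech
   Name Server: NS1.EXAMPLE-LAB.TEST
   Name Server: NS2.EXAMPLE-LAB.TEST
   DNSSEC: unsigned
>>> Last update of whois database: 2024-05-01T10:00:00Z <<<
% Terms of use apply (constructed sample record)
"""


def parse_whois(text):
    """Return {key: [value, ...]}; repeated keys (Name Server) accumulate,
    comment and footer lines are ignored."""
    record = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue
        # Split on the first colon only: timestamps contain colons too.
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        record[key.strip()].append(value.strip())
    return dict(record)


def name_servers(record):
    """Authoritative name servers, lower-cased and sorted for comparison."""
    return sorted(ns.lower() for ns in record.get("Name Server", []))


def days_until_expiry(record, today_iso):
    """Days from today (YYYY-MM-DD) to the registry expiry date; negative if expired."""
    raw = record["Registry Expiry Date"][0]
    expiry = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").date()
    return (expiry - date.fromisoformat(today_iso)).days


def expiry_warning(record, today_iso, threshold_days=90):
    """True when the registration expires within threshold_days (or already has)."""
    return days_until_expiry(record, today_iso) <= threshold_days


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("registrar:", rec["Registrar"][0])
    print("name servers:", name_servers(rec))
    print("days until expiry:", days_until_expiry(rec, "2024-05-01"))
```

Splitting on the first colon only matters because the timestamp values carry colons of their own; a naive `split(":")` would truncate them. The ">>>"/"%" skip list covers the footer lines that .com-style and many ccTLD servers append, but other registries use different comment markers, so that list is something to extend per registry.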

What is Recon-ng
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent
modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-
ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly
and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the
framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is
designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit
Framework. If you want to social engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance,
use Recon-ng! See the Usage Guide for more information.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to
contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter
equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output,
interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been
done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more
information.

Source: [Link]
Recon-ng Homepage | Kali Recon-ng Repo

Author: Tim Tomes
License: GPLv3

Tools included in the recon-ng package

recon-ng – Web Reconnaissance framework written in Python

root@kali:~# recon-ng --help

usage: recon-ng [-h] [-v] [-w workspace] [-r filename] [--no-check]
                [--no-analytics]

recon-ng - Tim Tomes (@LaNMaSteR53) tjt1980[at][Link]

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-w workspace load/create a workspace
-r filename load commands from a resource file
--no-check disable version check
--no-analytics disable analytics reporting

recon-ng Usage Example

Search for results on [Link] (use recon/domains-vulnerabilities/xssed) for the target domain (set SOURCE
[Link]):

root@kali:~# recon-ng

(recon-ng ASCII-art banner, "Sponsored by... BLACK HILLS", omitted)

[recon-ng v4.9.4, Tim Tomes (@LaNMaSteR53)]

[76] Recon modules
[8] Reporting modules
[2] Import modules
[2] Exploitation modules
[2] Discovery modules

[recon-ng][default] > use recon/domains-vulnerabilities/xssed
[recon-ng][default][xssed] > set SOURCE [Link]
SOURCE => [Link]
[recon-ng][default][xssed] > run

---------
[Link]
---------
[*] Category: Redirect
[*] Example: [Link]
[*] Host: [Link]
[*] Publish_Date: 2012-02-16 [Link]
[*] Reference: [Link]
[*] Status: unfixed
[*] --------------------------------------------------
[*] Category: XSS
[*] Example: [Link]_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&p_r_p_185834411_nodeId=803209&p_r_p_185834411_title=%22%3E%3Ch1%3ECross-Site%20Scripting%20@matiaslonigro%3C/h1%3E%3Cscript%3Ealert%28/xss/%29%3C/script%3E
[*] Host: [Link]
[*] Publish_Date: 2012-02-13 [Link]
[*] Reference: [Link]
[*] Status: unfixed
...

As a responsible ethical hacker, security engineer or penetration tester, you should be familiar with the tools used
to perform information gathering.

HANDS-ON LAB: Reconnaissance

Lab Objectives:

Lab Duration:
▪ Time: 45 minutes

Lab Environment
▪ You need internet connection

Lab Tasks
▪ To gather information about the victim’s environment


Tools
▪ Nmap
▪ Dmitry
▪ Whois
▪ Reconng

Step-by-Step Instructions

INFORMATION GATHERING #1 Nmap

Port scanning using nmap

Step 1. Open a new terminal in NEXUS-KALI, then type nmap -T5 -PN -v -A -oA nmapResult [Link]

The options used in this and related scans mean the following:

-T5: timing template; 1 is slowest and 5 fastest (see -T<0-5> above)

-v: verbose mode

-PN (written -Pn in current Nmap): skip host discovery and treat every target as online

-A: enable OS detection, version detection, script scanning and traceroute

-n: no DNS resolution

-sS: TCP SYN scan

--top-ports 100: scan only the 100 most common ports

--max (option name truncated in the original): limits the number of outstanding probes

-oA nmapResult: write the results in normal, XML and grepable format at once, using nmapResult as the base filename

Step 2. Review the output or open the file nmapResult

INFORMATION GATHERING #2 Dmitry

Step 1. Open a new terminal and type dmitry -winsepfbo [Link]

INFORMATION GATHERING #3 Whois

Step 1. Open a new terminal and type whois [Link]

INFORMATION GATHERING #4 the harvester

Step 1. Open a new terminal and type theharvester -d [Link]

To check all the options type theharvester options


INFORMATION GATHERING #5 Recon-ng

Step 1. Open a new terminal and type recon-ng

Step 2. To load the database type, load infodb

Step 3. To go back, type back

Step 4. You must create a workspace so type, workspaces add mysite

Step 5. Run the brute_hosts module:

load bing domain_web
run
load brute_hosts
run

Step 6. Display all the available hosts by typing query select * from hosts

Step 7. To resolve the hostnames, type load hosts-hosts/resolve then type run

Step 8. Now let’s check that the table has been populated with IP addresses: type show hosts

Step 9. Let’s do a reverse resolve to display the info by typing load hosts-hosts/reverse_resolve then run

Step 10. Fill in the geographic locations: type load ipinfodb then type run

Step 11. Then let’s examine the contents of our table by typing show hosts

Result of Information Gathering: by now you should know how to gather information and the tools needed to
display the information you want to use for penetration testing.

Question: As a Nexus Ethical Hacker enumerate all the tools that you used and explain the advantage and
disadvantage of each tool
