# Scanning ## AutoRecon ```bash autorecon -ct 2 -cs 2 -vv -o outputdir 192.168.1.100 192.168.1.1/30 localhost autorecon 10.200.97.200 autorecon -t targets.txt --only-scans-dir # With vhost enumeration for known hostname autorecon TARGET_IP --vhost-enum.hostname TARGET.htb -v # Specify directory busting tool autorecon TARGET_IP --dirbuster.tool feroxbuster -v # Combined example autorecon 10.129.237.241 --vhost-enum.hostname planning.htb --dirbuster.tool feroxbuster -v ``` **Common Flags:** | Flag | Description | | ----------------------- | -------------------------------------------------------- | | `-ct` | Concurrent targets | | `-cs` | Concurrent scans per target | | `-o` | Custom output directory | | `-v` / `-vv` | Verbose output | | `--vhost-enum.hostname` | Hostname for vhost enumeration | | `--dirbuster.tool` | Tool for directory busting (gobuster, feroxbuster, ffuf) | | `--only-scans-dir` | Only output scans directory | AutoRecon will create and store results in the `/results` directory. ## General Enumeration Figure out the Hosts and Services Running ### NetDiscover * Netdiscover is an active/passive reconnaissance tool that uses ARP to find live hosts on a local network. * Netdiscover actively searches for live hosts on the network by broadcasting ARP requests like a router. * By default netdiscover operates in active mode, however you can use it in passive mode with `-p`. With passive move it will not broadcast anything. * Note: ARP is unable to cross network boundaries or over any VPN connection ``` netdiscover -r 10.11.1.0/24 ``` ### Nmap * I have no time to read, just give me the nmap scanning meta. ``` nmap -sS x.x.x.x -p- --min-rate 10000 nmap -A -T5 x.x.x.x -p- -vv nmap --script=scriptname.nse x.x.x.x -vv ``` #### Ping Scan -sn Option * -sn tells nmap to perform host discovery only without any additional port scanning and prints out details of any hosts that responded. ``` nmap -sn 10.11.1.0/24 ``` * nmap also has the -Pn option which will disable the host discovery stage altogether on a scan. The -Pn option is best used in combination with other scans. #### TCP Connect Scan * The TCP connect scan in Nmap is the alternative TCP scan to use when a SYN scan is not an option. * TCP connect scan should be used when nmap does not have raw packet privileges which is required for a SYN scan. ``` nmap -sT [target host] ``` #### TCP SYN Scan * Does not complete the 3 way handshake ``` nmap -sS [target host] ``` #### UDP Port Scanning * Always check for UDP ports will pick up DNS, NTP, SNMP ``` nmap -sU [target host] nmap -sU -F [target host] ``` #### Fingerprint Services * To figure out what services are running on target ports we use: ``` nmap -sV [target ip address] ``` * The following command will use nmap port scan to detect the service and OS: ``` nmap -sV -O [target ip address] ``` * Can also use the -A option in Nmap. The A stands for aggressive scan options and enables OS detection, script scanning and traceroute. ``` nmap -A [target ip address] ``` #### Scanning port ranges with Nmap * By default nmap will only scan the most 1000 common ports. To override the default use the -p ``` nmap -p 1-100 [target host] nmap -p 137-139,445 [target host] ``` ### NSE * Web Application Vulnerability scan: ``` nmap --script=http-vuln* 10.10.10.10 ``` * Location of scripts ``` /usr/share/nmap/scripts ``` * Scripts are sorted by protocol, can sort by service ``` ls -l /usr/share/nmap/scripts/ftp* ``` * Nmap script help ``` nmap --script-help ftp-anon ``` * Nmap script execution ``` nmap --script=[script name] [target host] ``` * The following command executes a script names http-robots.txt on port 80: ``` nmap --script=http-robots.txt.nse [target host] ``` ### Detecting Linux Version from nmap SSH output * If ssh is running on the target, and it can fingerprint the service you have a good chance of detecting the operating system version: ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA) | 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA) |_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519) ``` * Take a look at the part `4ubuntu0.5` * If you google that and select the `launchpad.net` link it will tell you the OS version *
### Nmap Output Parsing Extract open ports and services from greppable output: ```bash nmap -A -T4 TARGET -oA nmap_output # Extract open TCP services from .gnmap output egrep -v "^#|Status: Up" nmap_output.gnmap | cut -d' ' -f2,4- | \ sed -n -e 's/Ignored.*//p' | \ awk '{print "Host: " $1 " Ports: " NF-1; for(i=2;i<=NF;i++){print "\t"$i}}' | \ sed -e 's/\/open\//\t/g' -e 's/\/\///g' -e 's/|/\t/g' ``` This extracts a clean list of hosts with their open ports, services, and versions from the `.gnmap` file. *** ## Vulnerability Scanning * Good nmap command ``` nmap -T4 -n -sC -sV -p- -oN nmap-versions --script='*vuln*' [ip] ``` ``` nmap -p 80 --script=all $ip - Scan a target using all NSE scripts. May take an hour to complete. nmap -p 80 --script=*vuln* $ip - Scan a target using all NSE vuln scripts. nmap -p 80 --script=http*vuln* $ip - Scan a target using all HTTP vulns NSE scripts. nmap -p 21 --script=ftp-anon $ip/24 - Scan entire network for FTP servers that allow anonymous access. nmap -p 80 --script=http-vuln-cve2010-2861 $ip/24 - Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash. ```