Introduction to External Recon
What is recon?
In the realm of ethical hacking, one of the earliest and most pivotal phases of the attack life cycle is reconnaissance, which can make or break an engagement. This phase covers the passive and active enumeration of every target within the scope of the engagement.
Passive reconnaissance is a non-intrusive method of gathering information, which can include, but is not limited to, using Google-fu, OSINT (Open Source Intelligence), reviewing public source code, and inspecting web applications.
On the contrary, active enumeration involves intrusive methods of information gathering, which can include scanning, fuzzing, and spoofing.
Before we delve further, I wanted to share a small idea that has been passed down to me and which I have found to be true: "Hacking is 80% Enumeration and 20% Exploitation." This statement rings particularly true when considering external reconnaissance. Logically speaking, if I were to provide you with every single detail about a target, you could potentially achieve full takeover in a very short amount of time. Therefore, it's crucial to emphasize the importance of this phase when starting a penetration test, engagement, or Capture The Flag (CTF) competition.
Ready, Set, Scan!!!
Before attacking ports and services, we need to determine which ports and services are present so that we can focus our efforts effectively. This can be achieved using scanning tools and vulnerability scanners.
Two of the most commonly used scans in my toolkit are nmap and rustscan.
Nmap is a powerful tool included in most penetration testing distributions and is highly dependable for completing various tasks. Nowadays, I primarily use nmap for conducting UDP scans.
My primary scanning option is the Docker version of rustscan, as it allows for swift and thorough scans in a reasonable amount of time.
I am opting to leave out vulnerability scanners as I do not wish to mix the nature of penetration testing with vulnerability scanning. However, I will still provide a link to Nessus below so you may research at your own discretion.
Target Acquired:
Now that we see what is open on the target, let's begin targeted enumeration. To keep this article concise, we will cover some of these ports to help build the methodology.
Service - Port
FTP - 21
- The main goals of FTP enumeration are:
  - Determining if anonymous or credentialed access is possible.
  - Enumerating current data and downloading as necessary.
  - Noting whether upload capabilities exist, which can be useful for transferring tools later.
##Do we have anonymous access?##
ftp x.x.x.x
User: anonymous
Password: anonymous
------
##What is the current status and contents?##
ftp> status
#Displays overall status of the server
ftp> ls -R
#Recursive listing of the contents
-----
##Can we upload and download?##
ftp> get <filename>
#Download a file
ftp> put <filename>
#Upload a file
SSH - 22
- 99% of the time, if we find this port open, I make a note to return with credentials.
- At most, we can check for default credentials or initiate a brute-force attack.
##Quick Check##
ssh root@x.x.x.x
Passwords:
root
toor
Password
SMTP - 25/587
- Some goals of SMTP enumeration include:
  - Checking for an open relay, which can be leveraged for internal phishing.
  - Enumerating usernames.
##NMAP##
sudo nmap x.x.x.x -sC -sV -p25
#Standard SMTP enumeration (default scripts plus version detection)
sudo nmap x.x.x.x -p25 --script smtp-open-relay -v
#Open relay check
----------------------------------------
##Username Enumeration##
smtp-user-enum -M <method> -U /user/file/path -t x.x.x.x (-w $time)
#Enumerate users on the server (method = VRFY, EXPN or RCPT; -w = seconds to wait for a response before validating)
smtp-user-enum -M <method> -U /user/file/path -D <domain> -t x.x.x.x
#Enumerate domain users on the server (same methods; -D appends the domain to each username)
DNS - 53
- DNS is often overlooked; my main focus is on identifying subdomains.
##Digging##
dig <domain.com>
#Simple A record look up of domain
dig ns <domain.com> @x.x.x.x
#NS Query
dig CH TXT version.bind @x.x.x.x
#Version query (the server must be given with @, as in the other queries)
dig any <domain.com> @x.x.x.x
#ANY Query
dig axfr <domain.com> @x.x.x.x
#AXFR Zone Transfer
dig axfr internal.<domain.com> @x.x.x.x
#AXFR Zone Transfer - Internal
-----------------------
##Subdomain enumeration##
dnsenum --dnsserver x.x.x.x --enum -p 0 -s 0 -o subdomains.txt -f /path/to/list <domain.com>
#Targeted dnsenum
gobuster dns -d $Domain -w $path/to/wordlist
#Gobuster
ffuf -w $path/to/wordlist -u https://FUZZ.$Domain/
#ffuf
subfinder -d $Domain -v
#Subfinder
HTTP(S) - 80/443
- Web enumeration is a complex concept, so I'll focus on providing some quick fuzzing techniques.
##FFUF##
ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/FUZZ
#Directory Fuzzing
ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/<DIR>/<knownitem>.FUZZ
#Extension fuzzing
ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/<DIR>/FUZZ.<ext>
#Page fuzzing (may require knowing the extension first)
ffuf -w <Path/to/wordlist>:FUZZ -u http://FUZZ.<domain.com>/
#Sub-domain fuzzing
ffuf -w <Path/to/wordlist>:FUZZ -u http://<domain.com>:<Port>/ -H 'Host: FUZZ.<domain.com>'
#Vhost fuzzing
--------
##Feroxbuster##
feroxbuster -u http://<IP or Domain.com>/ -w </path/to/wordlist>
SMB - 137,139,445
- The main goals of SMB enumeration are similar to FTP:
  - Determining if anonymous or credentialed access is possible.
  - Enumerating current data and downloading as necessary.
  - Noting whether upload capabilities exist, which can be useful for transferring tools later.
##SMBCLIENT##
smbclient -L \\\\x.x.x.x\\ [-U $user -W Domain]
#Discovers what shares are available (with or without creds)
smbclient \\\\x.x.x.x\\$SHARENAME [-U $user -W Domain]
#Connect to share
--------
##Upload/Download##
smb: \> get <filename>
#Download file
smb: \> put <filename>
#Upload File
----
##Automation##
enum4linux-ng x.x.x.x -A
RDP - 3389
- Similar to SSH, this is a port I keep in mind for when I have credentials.
xfreerdp /u:$user /p:$password /v:x.x.x.x
#RDP with credentials
WinRM - 5985/5986
- Similar to RDP and SSH, I keep this in mind for when I have credentials.
evil-winrm -i x.x.x.x -u $user -p $password (-H <Ha...sh>)
#Connect to WinRM with a password, or with -H and a hash instead of -p
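To tie the scanning phase to the per-port methodology above, here is an added Python helper (not part of the original article) that turns nmap greppable (-oG) output, or rustscan's "Open ip:port" lines, into a triage checklist of the enumeration goals listed in each service section, so nothing from the scan is silently dropped. The rustscan line format is assumed, and the sample scan lines are constructed, not real scan data.

```python
"""Turn nmap -oG or rustscan output into the per-port enumeration checklist used above."""
import re
from collections import defaultdict

# Enumeration goals per port, condensed from the service sections of this article.
_FUZZ = "directory, extension, page and vhost fuzzing (ffuf/feroxbuster)"
_SMB = "list shares anonymously/with creds, download data, note upload ability"
_SMTP = "open-relay check, username enumeration (VRFY/EXPN/RCPT)"
_CREDS = "note for return once credentials are in hand"
GOALS = {
    21: ("FTP", "anonymous/credentialed login, ls -R, download data, note upload ability"),
    22: ("SSH", _CREDS + "; default-credential check at most"),
    25: ("SMTP", _SMTP), 587: ("SMTP", _SMTP),
    53: ("DNS", "zone transfer attempt (axfr), subdomain enumeration"),
    80: ("HTTP", _FUZZ), 443: ("HTTPS", _FUZZ),
    137: ("SMB", _SMB), 139: ("SMB", _SMB), 445: ("SMB", _SMB),
    3389: ("RDP", _CREDS),
    5985: ("WinRM", _CREDS + " or an NTLM hash"), 5986: ("WinRM", _CREDS + " or an NTLM hash"),
}

NMAP_PORTS_LINE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+([^\t]*)")  # greppable (-oG) record
NMAP_OPEN_TCP = re.compile(r"(\d+)/open/tcp")                          # only open TCP entries
RUSTSCAN_OPEN = re.compile(r"^Open\s+(\S+):(\d+)$")                    # assumed rustscan line format

def parse_open_ports(text):
    """Return {host: sorted open TCP ports}; closed/filtered entries and status lines are ignored."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if (m := NMAP_PORTS_LINE.match(line)):
            hosts[m.group(1)].update(int(p) for p in NMAP_OPEN_TCP.findall(m.group(2)))
        elif (m := RUSTSCAN_OPEN.match(line)):
            hosts[m.group(1)].add(int(m.group(2)))
    return {h: sorted(p) for h, p in hosts.items()}

def checklist(text):
    """Map each open port to (port, service, goal); ports this article does not cover are flagged."""
    return {
        host: [(p, *GOALS.get(p, ("unknown", "identify the service with nmap -sV first"))) for p in ports]
        for host, ports in parse_open_ports(text).items()
    }

# Constructed sample: one nmap -oG host record (status line plus ports line) and two rustscan lines.
SAMPLE = (
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2/, "
    "23/closed/tcp//telnet///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)\n"
    "Open 10.10.10.6:53\nOpen 10.10.10.6:8080\n"
)
```

Calling checklist(SAMPLE) gives FTP, SSH and SMB entries for the first host and a DNS entry plus an "unknown, fingerprint first" entry for 8080 on the second; feed it the real -oG file or rustscan output instead of SAMPLE.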
Lessons Learned:
I want to emphasize that this is just an introduction to external reconnaissance. The information provided here is not exhaustive. The scanning techniques and port enumeration covered are just the tip of the enumeration iceberg.
The key points I hope you take away from this article are:
- Understanding Reconnaissance.
- Differences between Passive and Active Reconnaissance.
- Simple scanning techniques.
- Basic methodologies for open port enumeration.