Introduction to External Recon


What is recon?

In the realm of ethical hacking, one of the initial phases that is pivotal within the attack life cycle is the reconnaissance phase, which can make or break an engagement. This phase includes the passive and active enumeration of targets within the scope of the engagement.

Passive reconnaissance is a non-intrusive method of gathering information, which can include, but is not limited to, using Google-fu, OSINT (Open Source Intelligence), reviewing public source code, and inspecting web applications.

In contrast, active enumeration involves intrusive methods of information gathering, which can include scanning, fuzzing, and spoofing.

We will exclude in-depth Open Source Intelligence (OSINT) from this article, as that topic deserves an article of its own.

Before we delve further, I wanted to share a small idea that has been passed down to me and which I have found to be true: "Hacking is 80% Enumeration and 20% Exploitation." This statement rings particularly true when considering external reconnaissance. Logically speaking, if I were to provide you with every single detail about a target, you could potentially achieve full takeover in a very short amount of time. Therefore, it's crucial to emphasize the importance of this phase when starting a penetration test, engagement, or Capture The Flag (CTF) competition.


Ready, Set, Scan!!!

Before attacking ports and services, we need to determine which ports and services are present so that we can focus our efforts effectively. This can be achieved using scanning tools and vulnerability scanners.

Two of the most commonly used scans in my toolkit are nmap and rustscan.

Nmap is a powerful tool included in most penetration testing distributions and is highly dependable for completing various tasks. Nowadays, I primarily use nmap for conducting UDP scans.

##Command##
sudo nmap x.x.x.x -F -sU
---------------------------------------
x.x.x.x 	Scans the specified target.
-F 	        Scans top 100 ports.
-sU 	        Performs a UDP scan.

Nmap UDP scan

My primary scanning option is the Docker version of rustscan, as it allows for swift and thorough scans in a reasonable amount of time.

##ZSHRC alias##
alias rustscan='sudo docker run -it --rm --name rustscan rustscan/rustscan:latest'
---------------------------------------------------------
##Command##
rustscan -a $IP -n --ulimit 70000 -t 5000 -- -A -Pn
---------------------------------------------------------
##Flags##
-a address
-n ignore config file
--ulimit increase ulimit of scan
-t timeout in ms before a port is considered closed
-- Nmap script flags to run on the open ports

My standard rustscan

I am opting to leave out vulnerability scanners as I do not wish to mix the nature of penetration testing with vulnerability scanning. However, I will still provide a link to Nessus below so you may research at your own discretion.

Download Tenable Nessus

Target Acquired:

Now that we see what is open on the target, let's begin targeted enumeration. To keep this article concise, we will cover some of these ports to help build the methodology.

This list is not exhaustive, and I have omitted many ports and specific tactics.

Service - Port

FTP - 21

  • The main goals of FTP enumeration are:
    • Determining if anonymous or credentialed access is possible.
    • Enumerating current data and downloading as necessary.
    • Noting whether upload capabilities exist, which can be useful for transferring tools later.
##Do we have anonymous access?##
ftp x.x.x.x
  User: anonymous
  Password: anonymous
------
##What is the current status and contents?##
ftp> status
#Displays overall status of the server

ftp> ls -R
#Recursive listing of the contents
-----
##Can we upload and download?##
ftp> get <filename>
#Download a file

ftp> put <filename>
#Upload a file

SSH - 22

  • 99% of the time, if we find this port open, I make a note to return with credentials.
    • At most, we can check for default credentials or initiate a brute-force attack.
##Quick Check##
ssh root@x.x.x.x
  Passwords:
    root
    toor
    Password

SMTP - 25/587

  • Some goals of SMTP enumeration include:
    • Checking for open-relay, which can be leveraged for internal phishing.
    • Enumerating usernames.
##NMAP##
sudo nmap x.x.x.x -sC -sV -p25
#Standard SMTP enum

sudo nmap x.x.x.x -p25 --script smtp-open-relay -v
#Open relay check
----------------------------------------
##Username Enumeration##
smtp-user-enum -M <method> -U /user/file/path -t x.x.x.x (-w $time)
#Enumerate users on the server (method = VRFY, EXPN or RCPT; -w = wait time to validate)

smtp-user-enum -M <method> -U /user/file/path -D <domain> -t x.x.x.x
#Enumerate domain users on the server (method = VRFY, EXPN or RCPT)

DNS - 53

  • DNS is often overlooked; my main focus is on identifying subdomains.
##Digging##
dig <domain.com>
#Simple A record look up of domain

dig ns <domain.com> @x.x.x.x
#NS Query 

dig CH TXT version.bind @x.x.x.x
#Version Query 

dig any <domain.com> @x.x.x.x
#ANY Query 

dig axfr <domain.com> @x.x.x.x
#AXFR Zone Transfer

dig axfr internal.<domain.com> @x.x.x.x
#AXFR Zone Transfer - Internal
-----------------------
##Subdomain enumeration##
dnsenum --dnsserver x.x.x.x --enum -p 0 -s 0 -o subdomains.txt -f /path/to/list <domain.com>
#Targeted dnsenum

gobuster dns -d $Domain -w $path/to/wordlist
#Gobuster

ffuf -w $path/to/wordlist -u https://FUZZ.$Domain/ 
#ffuf

subfinder -d $Domain -v
#Subfinder

HTTP(S) - 80/443

  • Web enumeration is a complex concept, so I'll focus on providing some quick fuzzing techniques.
##FFUF##
ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/FUZZ
#Directory Fuzzing 

ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/<DIR>/<knownitem>.FUZZ
#Extension fuzzing

ffuf -w <Path/to/wordlist>:FUZZ -u http://<Target_IP>:<PORT>/<DIR>/FUZZ.<ext>
#Page Fuzzing (may require knowing the extension)

ffuf -w <Path/to/wordlist>:FUZZ -u http://FUZZ.<domain.com>/
#Sub-domain fuzzing

ffuf -w <Path/to/wordlist>:FUZZ -u http://<domain.com>:<Port>/ -H 'Host: FUZZ.<domain.com>'
#Vhost fuzzing
--------
##Feroxbuster##
feroxbuster -u http://<IP or Domain.com>/ -w </path/to/wordlist>

SMB - 137,139,445

  • The main goal of SMB enumeration is similar to FTP:
    • Determining if anonymous or credentialed access is possible.
    • Enumerating current data and downloading as necessary.
    • Noting whether upload capabilities exist, which can be useful for transferring tools later.
##SMBCLIENT##
smbclient -L \\\\x.x.x.x\\ [-U $user -W Domain]
#discovers what shares are available (with or without creds)

smbclient \\\\x.x.x.x\\$SHARENAME [-U $user -W Domain]
#Connect to share
--------
##Upload/Download##
smb: \> get <filename>
#Download file

smb: \> put <filename>
#Upload File
----
##Automation##
enum4linux-ng x.x.x.x -A

RDP - 3389

  • Similar to SSH, this is a port I keep in mind for when I have credentials.
xfreerdp /u:$user /p:$password /v:x.x.x.x
#RDP with credentials

WinRM - 5985/5986

  • Similar to RDP and SSH, I keep this in mind for when I have credentials.
evil-winrm -i x.x.x.x -u $user -p $password (-H <Ha...sh>)
#Connect to winrm via pass or hash
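To tie the scan step to the per-port goals above, here is an added example (not from the original article) that parses nmap's grepable (-oG) output and attaches each open port to the checklist this article walks through. The scan result is a constructed sample and the port-to-goal table is a summary of the sections above, not the article's own code.

```python
"""Turn nmap grepable (-oG) output into the per-port enumeration plan from this
article. SAMPLE_OG is a constructed scan result, not output from a real host."""
import re

SERVICES = [  # (ports, label, first goals) summarising this article's per-port sections
    ((21,), "FTP", "anonymous login? recursive listing; note upload rights"),
    ((22,), "SSH", "note it; return with credentials"),
    ((25, 587), "SMTP", "open-relay check; user enumeration (VRFY/EXPN/RCPT)"),
    ((53,), "DNS", "version.bind, ANY, AXFR, subdomain enumeration"),
    ((80, 443), "HTTP(S)", "directory/extension/page/vhost fuzzing"),
    ((137, 139, 445), "SMB", "list shares, null session, read/write check"),
    ((3389,), "RDP", "note it; return with credentials"),
    ((5985, 5986), "WinRM", "note it; return with credentials"),
]
CHECKLIST = {p: (label, goal) for ports, label, goal in SERVICES for p in ports}

SAMPLE_OG = """# Nmap grepable output (constructed sample for this example)
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1/, 23/filtered/tcp//telnet///, 53/open/udp//domain///, 445/open/tcp//microsoft-ds///, 8443/open/tcp//https-alt///\tIgnored State: closed (65529)
"""

def parse_grepable(text):
    """Return {host: [(port, proto, service, version)]} for OPEN ports only."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?\tPorts:\s+(.*?)(?:\t|$)", line)
        if not m:            # comment lines and the 'Status: Up' line carry no ports
            continue
        host, ports_field = m.groups()
        for entry in ports_field.split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpcinfo/version
            if len(f) < 7 or f[1] != "open":   # skip malformed, closed, filtered
                continue
            hosts.setdefault(host, []).append((int(f[0]), f[2], f[4], f[6]))
    return hosts

def build_plan(hosts):
    """Attach the article's goals to each open port; unlisted ports are flagged."""
    plan = {}
    for host, ports in hosts.items():
        for port, proto, service, version in sorted(ports):
            label, goal = CHECKLIST.get(port, (service or "?", "not in checklist: review manually"))
            plan.setdefault(host, []).append(
                {"port": port, "proto": proto, "label": label, "version": version, "goal": goal})
    return plan

if __name__ == "__main__":
    for host, items in build_plan(parse_grepable(SAMPLE_OG)).items():
        print(host, *(f"\n  {i['port']}/{i['proto']} {i['label']}: {i['goal']}" for i in items))
```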

Lessons Learned:

I want to emphasize that this is just an introduction to external reconnaissance. The information provided here is not exhaustive. The scanning techniques and port enumeration covered are just the tip of the enumeration iceberg.

The key points I hope you take away from this article are:

  • Understanding Reconnaissance.
  • Differences between Passive and Active Reconnaissance.
  • Simple scanning techniques.
  • Basic methodologies for open port enumeration.
The information within this article is intended solely for educational purposes. It is crucial that the techniques and methodologies discussed should only be used for educational and ethical purposes. They should never be leveraged in a manner that could cause unlawful harm or infringe upon the rights, security, or privacy of others. It is essential for anyone engaging with this content to approach it with a mindset of learning and understanding, ensuring that knowledge gained is used responsibly and ethically.