Active Information Gathering

DNS Enumeration

host www.megacorpone.com: Searches for the A record of the host
host -t txt megacorpone.com: Searches for the TXT record
- -t specifies the type of the record

for ip in $(cat wordlist.txt); do host $ip.megacorpone.com; done | grep -v "not found"

If misconfigured, DNS servers can hand out the entire zone file to anyone asking for it: host -l <domain name> <dns server address>

dnsrecon -d megacorpone.com -t axfr
- -d: Specify the domain name
- -t: Specify the type of enumeration
dnsrecon -d megacropone.com -D ~/wordlist.txt -t brt
- -D: Specify the fine containing potential subdomains
- -t: Specify brute force enumeration
dnsenum zonetransfer.me

TCP basic port scanner: nc -nvv -w 1 -z 10.11.1.220 3388-3390
- -w: Specify the connection timeout in seconds
- -z: Specify Zero IO mode (sends no data and is used for scanning)
UDP basic port scanner: nc -nv -u -z -w 1 10.11.1.115 160-162
- -u: Specifies a UDP scan
- Can be very unreliable

Stealth/SYN scanning: sudo nmap -sS 10.11.1.220 (fast)
TCP Connect scanning: sudo nmap -sT 10.11.1.220 (slow)
UDP scanning: sudo nmap -sU 10.11.1.220
Network sweeping: nmap -sn 10.11.1.1-254 (reduce traffic)
-v: Increase verbosity
-oG <file name>.txt to make the output grepable
-p: Specify a port(s)
--top-ports=20: Only scan the top ports (determined by /usr/share/nmap-services)
-A: Enable OS version detection, script scanning and traceroute
-O: Enable OS Fingerprinting (best guess attempt)
-sV: Enable Service and version detection
--open: Only display open ports
NSE scripts: /usr/share/nmap/scripts
- nmap 10.11.1.220 --script=smb-os-discovery
- nmap --script=dns-zone-transfer -p 53 ns3.megacorpone.com
- For more info about a script: nmap --script-help dns-zone-transfer
- To list all scripts: tree /usr/share/nmap/scripts/

Also possible with: nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
More suitable: sudo nbtscan -r 10.11.1.0/24
- -r: Specify the originating the UDP port as 137

ls -al /usr/share/nmap/scripts/smb*
- nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227
ls -al /usr/share/nmap/scripts/smb-vuln-*
- nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 10.11.1.227
  - unsafe=1 WILL CRASH THE TARGET!

Get additional information
To run all (/usr/share/nmap/scripts/nfs*) nfs scripts: nmap -p 111 --script nfs* 10.11.1.72
To mount a exposed folder: mkdir new-mounted-folder && sudo mount -o nolock 10.11.1.72:/home ./new-mounted-folder/ && cd new-mounted-folder && ls al
- -o nolock: Disable file locking (needed for older NFS servers)
- If we get a permission denied error we can create a new local user with the id which has sufficient right to view the bypass the permission error
  - sudo adduser pwn
  - sudo sed -i -e 's/<current id of the new user>/<user id which sufficient privileges>/g' /etc/password
  - grep pwn /etc/passwd
  - su pwn
  - id
  - Access the file/folder
  - exit

Only works if you know the community read-only SNMP string (usually public)
Enumerate the SNMP MIB tree: snmpwalk -c public -v1 -t 10 10.11.1.14
- -c: Specify the community string
- -v1: Specify SNMP version number
- -t: Specify the timeout (in seconds)
Enumerate Windows Users: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
Enumerate Running Windows Processes: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.25.4.2.1.2
Enumerate Open TCP Ports: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
Enumerate Installed Software: snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.25.6.3.1.2