# Source: Cybrary "Advanced Penetration Test"

Reconnaissance: find as much information as possible about the target before touching it.

* What domains do they own? What job ads are they posting (the ads reveal the technology stack)? What is their email address structure? What technologies are they running on publicly facing systems?

(1) Google Dorks

Database of useful Google dorks: http://www.exploit-db.com/google-dorks/

Example: `xamppdirpasswd.txt filetype:txt` finds XAMPP password files that have been exposed on the web.

(2) Shodan (has a Python API)

A search engine built from service banners grabbed across the whole Internet, so you can find a target's exposed services without scanning them yourself.

(3) Whois

Domain registration records (registrant, contacts, nameservers):

```
root@kali:~# whois ________.com
```

(4) DNS Recon

Basic lookups (A, NS and MX records):

```
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com
```

* DNS zone transfer (AXFR): first list the authoritative nameservers, then ask one of them for the whole zone. A transfer only succeeds if that server is misconfigured to allow it, so try every nameserver returned, not just the first. zoneedit.com is used in the course as a domain that allows it:

```
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com
```

* DNS brute force (guesses hostnames from a wordlist when transfers are refused):

```
root@kali:~# fierce -dns ________.com
```

(5) Netcraft

http://searchdns.netcraft.com/ (hosting history, server software and IP ranges per domain)

(6) theHarvester

Automatically searches public sources for email addresses, hostnames and subdomains. `-l 500` caps the number of results, `-b all` queries every supported data source:

```
root@kali:~# theharvester -d ________.com -l 500 -b all
```

(7) Maltego

Graphical information gathering and correlation tool:

```
root@kali:~# maltego
```

(8) Recon-ng

Reconnaissance framework with a Metasploit-like workflow (module names vary between recon-ng versions):

```
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN ________.com
DOMAIN => ________.com
recon-ng [xssed] > run
```

(9) Port Scanning

Nmap: a TCP SYN scan (needs root) and a UDP scan of a small range, with `-oA` writing all three output formats (normal, grepable, XML) under the given basename:

```
root@kali:~# nmap -sS 192.168.20.9-11 -oA synscan
root@kali:~# nmap -sU 192.168.20.9-11 -oA udpscan
```

Metasploit port scanners:

```
search portscan                          (lists the portscan modules)
use auxiliary/scanner/portscan/tcp       (TCP connect scan)
```

Auxiliary modules are driven like exploits: `use` the module, `set` its options (e.g. RHOSTS, PORTS), then `run` (or `exploit`).
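The zone-transfer step in (4) above only shows one nameserver being asked. As an added example (not part of the course notes), the script below wraps the same `host` commands so that every authoritative nameserver for a domain is tried and a refused transfer (`host` prints "; Transfer failed.") is reported rather than silently parsed as an empty zone. The `host` output in `CANNED_OUTPUT` is constructed for the offline demo; `example.com`, the nameserver names and the 203.0.113.x addresses are assumed values, not real data.

```python
"""Try a DNS zone transfer (AXFR) against every authoritative nameserver.

Added example wrapping the `host -t ns` / `host -l` commands from the notes;
not code from the Cybrary course. Requires the `host` CLI for live use.
"""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# `host -t ns example.com` prints one line per nameserver, e.g.
#   example.com name server ns1.example.com.
NS_RE = re.compile(r"^(\S+) name server (\S+?)\.?$")

# `host -l example.com ns1.example.com` prints one line per record, e.g.
#   www.example.com has address 203.0.113.10
#   example.com mail is handled by 10 mail.example.com.
RECORD_RE = re.compile(
    r"^(\S+) (has address|has IPv6 address|mail is handled by|is an alias for|name server) (.+?)\.?$"
)

Record = Tuple[str, str, str]


def parse_nameservers(host_ns_output: str) -> List[str]:
    """Return nameserver hostnames from `host -t ns` output, trailing dots stripped."""
    servers = []
    for line in host_ns_output.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            servers.append(m.group(2))
    return servers


def parse_zone(host_l_output: str) -> Tuple[bool, List[Record]]:
    """Parse `host -l` output into (transfer_succeeded, records).

    A server that refuses AXFR makes `host` print "; Transfer failed."; the
    "Using domain server:" preamble of a successful run does not match RECORD_RE
    and is skipped.
    """
    if "Transfer failed" in host_l_output:
        return False, []
    records: List[Record] = []
    for line in host_l_output.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return True, records


def run_host(*args: str) -> str:
    """Run the real `host` CLI (network and the `host` binary required)."""
    proc = subprocess.run(["host", *args], capture_output=True, text=True, timeout=30)
    return proc.stdout


def zone_transfer_all(domain: str,
                      runner: Callable[..., str] = run_host) -> Dict[str, Tuple[bool, List[Record]]]:
    """Attempt AXFR against every authoritative nameserver of `domain`.

    `runner` is injectable so the logic can be exercised offline with canned output.
    """
    results = {}
    for ns in parse_nameservers(runner("-t", "ns", domain)):
        results[ns] = parse_zone(runner("-l", domain, ns))
    return results


# Constructed `host` output for an offline demo: ns1 refuses AXFR, ns2 allows it.
CANNED_OUTPUT = {
    ("-t", "ns", "example.com"):
        "example.com name server ns1.example.com.\n"
        "example.com name server ns2.example.com.\n",
    ("-l", "example.com", "ns1.example.com"):
        "; Transfer failed.\n",
    ("-l", "example.com", "ns2.example.com"):
        "Using domain server:\nName: ns2.example.com\nAddress: 203.0.113.53#53\nAliases: \n\n"
        "example.com name server ns1.example.com.\n"
        "example.com name server ns2.example.com.\n"
        "example.com has address 203.0.113.10\n"
        "www.example.com is an alias for example.com.\n"
        "example.com mail is handled by 10 mail.example.com.\n"
        "mail.example.com has address 203.0.113.25\n",
}


def demo() -> Dict[str, Tuple[bool, List[Record]]]:
    """Run the procedure against the canned output instead of the network."""
    return zone_transfer_all("example.com", runner=lambda *a: CANNED_OUTPUT[a])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = zone_transfer_all(target) if target else demo()
    for ns, (ok, recs) in results.items():
        print(f"{ns}: {'AXFR allowed, %d records' % len(recs) if ok else 'transfer refused'}")
```

Run it with a domain name to query real nameservers, or with no argument to see the canned run: the point to take away is that the authority check is per server, so a zone that one nameserver refuses may still leak from a secondary.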
Author: Vitali Kremez
July 2016