This section covers the very first phase of a penetration test: passive reconnaissance. This is where you use all the tools and resources at your disposal to gather as much information as you can about your target without interacting with the target in any way (no scanning).
For more tools and resources on intelligence gathering outside of the below frameworks, please see the OSINT section under Cyber Intelligence.
After the passive reconnaissance phase, the next step is active scanning of your target. This usually involves port scanning and scanning for any vulnerabilities the target might have, preferably without them noticing. Active scanning involves direct interaction with your target and runs the risk of being detected. There are ways to scan a target subtly and not draw too much attention, such as slowing the rate of your scanning or using probes that do not complete a full connection request and so do not trigger defensive alerts.
For ease of collection, there are many Recon Frameworks available that can gather intel from multiple sources and leverage multiple tools. They are a great way to save time on your Recon tasks.
Note: Many Recon Frameworks have both passive and active reconnaissance capabilities.
Attack Surface Mapping is the process of discovering, identifying, and analyzing all potential attack vectors on an organization’s IT infrastructure. This helps to identify vulnerabilities and threats to the system, as well as helping to decide how best to protect the system from malicious attack and exploitation. Attack surface mapping involves analyzing the assets and services available on a network, determining the boundaries of the system, and looking for potential attack vectors and vulnerabilities.
The first step in attack surface mapping is asset discovery. This involves gathering information about the system, including the hardware, software, and services that are running on the network. This includes both internal and external assets, such as web applications, databases, and other services. This information can be gathered manually, or with the help of automated tools.
The next step is to identify the attack vectors. Attack vectors are the various methods and techniques attackers can use to gain access to the network and its services. These include physical access, remote access, phishing attacks, malware, and social engineering. Once the attack vectors have been identified, the security team can then analyze them to determine the potential for exploitation.
The third step is to analyze the attack vectors and identify any vulnerabilities. This involves looking for any weaknesses in the system that could be exploited by an attacker. This can include weak passwords, unpatched software, and insecure configurations. Once the vulnerabilities have been identified, the security team can then decide on the best course of action to protect the system from potential attacks.
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
The API key file is located at $HOME/.config/subfinder/provider-config.yaml, and the GitHub repository has an example.
naabu - A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests.
httpx - httpx is a fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to maintain result reliability as the number of threads increases.
proxify - Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.
dnsx - dnsx is a fast and multi-purpose DNS toolkit that lets you run multiple DNS queries of your choice against a list of user-supplied resolvers.
URL: https://www.runzero.com/ About: runZero is a network discovery and asset inventory platform that uncovers every network in use and identifies every connected device, without credentials. ** Free Trial is available. **
https://www.reconness.com/ About: ReconNess helps you run and keep all your recon in the same place, allowing you to focus only on the potentially vulnerable targets without distraction and without requiring a lot of bash or general programming skill.
https://github.com/yogeshojha/rengine About: reNgine is a web application reconnaissance suite with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation, continuous monitoring, recon data backed by a database, and a simple yet intuitive User Interface. With features such as sub-scans, deeper correlation, report generation, etc., reNgine aims to fix the gaps in traditional recon tools and is probably a better alternative to existing commercial tools.
reNgine makes it easy for penetration testers and security auditors to gather reconnaissance data with bare minimal configuration.
https://github.com/slithery0/eReKon About: Web reconnaissance tool, only available in dark mode. Provides subdomain scanning, port scanning, version fingerprinting and screenshots of web applications.
** While it appears there is some development being done, the overall application appears to be under development still and should be used with caution. **
https://github.com/archerysec/archerysec About: ArcherySec allows you to interact with continuous integration/continuous delivery (CI/CD) toolchains to specify testing, and to control the release of a given build based on results. It includes prioritization functions, enabling you to focus on the most critical vulnerabilities. ArcherySec uses popular open-source tools to perform comprehensive scanning of web applications and networks. Developers can also use the tool when implementing their DevOps CI/CD environment.
https://github.com/microsoft/AttackSurfaceAnalyzer About: Attack Surface Analyzer is a Microsoft developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.
https://github.com/vmware-labs/attack-surface-framework About: ASF aims to protect organizations by acting as an attack surface watchdog. Given an "Object", which might be a domain, IP address or CIDR (internal or external), ASF will discover assets/subdomains, enumerate their ports and services, track deltas, and serve as a continuous and flexible attacking and alerting framework, leveraging an additional layer of support against 0-day vulnerabilities with publicly available POCs.
https://github.com/superhedgy/AttackSurfaceMapper About: AttackSurfaceMapper (ASM) is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets. It enumerates subdomains with bruteforcing and passive lookups, other IPs of the same network block owner, IPs that have multiple domain names pointing to them, and so on.
Once the target list is fully expanded it performs passive reconnaissance on them, taking screenshots of websites, generating visual maps, looking up credentials in public breaches, passive port scanning with Shodan/Censys and scraping employees from LinkedIn.
https://github.com/pry0cc/axiom About: Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, and to build and deploy repeatable infrastructure focused on offensive and defensive security.
Axiom works by pre-installing your tools of choice onto a 'base image', and then using that image to deploy fresh instances. From there, you can connect and instantly gain access to many tools useful for both bug hunters and pentesters. With the power of immutable infrastructure, most of which is done for you, you can just spin up 15 boxes, perform a distributed nmap/ffuf/screenshotting scan, and then shut them down.
Axiom supports several cloud providers; eventually, Axiom should be completely cloud agnostic, allowing unified control of a wide variety of cloud environments with ease. Currently, DigitalOcean, IBM Cloud, Linode, Azure and AWS are officially supported providers. GCP isn't supported but is partially implemented and on the roadmap.
https://github.com/riskprofiler/CloudFrontier About: Monitor the internet attack surface of various public cloud environments. Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.
** It should be noted that this project has not been updated in some time and there are open issues. **
https://github.com/Findomain/Findomain About: The complete solution for domain recognition. Supports screenshotting, port scanning, HTTP checks, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API keys per source and much more.
https://core.intrigue.io/ About: Intrigue Core is a framework for discovering attack surface. It discovers security-relevant assets and exposures within the context of projects and can be used with a human-in-the-loop running individual tasks, and/or automated through the use of workflows. With a flexible entity model and an incredibly deep enrichment system, it is the most full-featured attack surface discovery framework of its kind.
** A slack channel is available for support. Also, as of October 1, 2021, this component of the Intrigue project is no longer actively maintained on Github, and the code in Github has been re-licensed under the terms of the Mandiant Limited Open Source License Agreement. **
https://ivre.rocks/ - IVRE is an open-source framework for network recon. It relies on open-source well-known tools (Nmap, Masscan, ZGrab2, ZDNS and Zeek (Bro)) to gather data (network intelligence), stores it in a database (MongoDB is the recommended backend), and provides tools to analyze it.
Odin - ODIN is a Python tool for automating intelligence gathering, asset discovery, and reporting.
Asnip - Asnip retrieves all IPs of a target organization—used for attack surface mapping in reconnaissance phases.
https://github.com/ayoubfathi/leaky-paths - A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs, etc. It can be used as part of web content discovery, to scan passively for high-quality endpoints and quick wins.
https://www.riskiq.com/ - RiskIQ Digital Footprint gives complete visibility beyond the firewall. Unlike scanners and IP-dependent data vendors, RiskIQ Digital Footprint is the only solution with composite intelligence, code-level discovery and automated threat detection and exposure monitoring—security intelligence mapped to your attack surface.
https://securitytrails.com/ - Powerful tools for third-party risk, attack surface management, and total intel
Goby - Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise.
Once on or a part of a target network, we can perform a more detailed round of enumeration and discovery. By directly interacting with local network applications, host discovery can be used to identify vulnerable systems, services, and the network topology.
Once the active devices on the network have been identified, the penetration tester can move on to the next steps in the penetration test process, such as vulnerability analysis and exploitation.
Host discovery can be performed with a few handy tools, as well as with commands that enumerate hosts via various services.
fierce - Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.
hosthunter - This package contains a tool to efficiently discover and extract hostnames given a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses to virtual hostnames.
nmap --script broadcast-dhcp-discover
AD-DS (Active Directory Domain Services) rely on DNS SRV RR (service location resource records). Those records can be queried to find the location of some servers: the global catalog, LDAP servers, the Kerberos KDC and so on.
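The SRV lookup described above, as an added example that is not part of the original page: it builds the well-known SRV owner names AD-DS publishes for LDAP, Kerberos, the global catalog and kpasswd, and orders SRV answers the way a client does under RFC 2782 (lowest priority first, weighted selection within a priority). The answers are constructed sample data, not live DNS results.

```python
"""Added example: AD-DS SRV locator names and RFC 2782 answer ordering."""
import random
from dataclasses import dataclass

# Well-known AD-DS service locator prefixes; the owner name is <prefix>.<domain>.
AD_SRV_PREFIXES = {
    "ldap": "_ldap._tcp.dc._msdcs",          # domain controllers (LDAP)
    "kerberos": "_kerberos._tcp.dc._msdcs",  # Kerberos KDCs
    "gc": "_gc._tcp",                        # global catalog servers
    "kpasswd": "_kpasswd._tcp",              # Kerberos password-change service
}

# Constructed sample answers for _ldap._tcp.dc._msdcs.corp.example (not real)
SAMPLE_LDAP_ANSWERS = [
    "0 100 389 dc1.corp.example.",
    "0 100 389 dc2.corp.example.",
    "10 0 389 dc-backup.corp.example.",   # higher priority value = fallback only
]


def ad_srv_names(domain):
    """Return {service: SRV owner name} for an AD domain such as 'corp.example'."""
    domain = domain.strip().rstrip(".").lower()
    if not domain:
        raise ValueError("domain must not be empty")
    return {svc: f"{prefix}.{domain}." for svc, prefix in AD_SRV_PREFIXES.items()}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(rdata):
    """Parse presentation-format SRV rdata: 'priority weight port target'."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"malformed SRV rdata: {rdata!r}")
    prio, weight, port, target = parts
    rec = SrvRecord(int(prio), int(weight), int(port), target.rstrip(".").lower())
    if not (0 <= rec.priority <= 65535 and 0 <= rec.weight <= 65535
            and 0 < rec.port <= 65535):
        raise ValueError(f"SRV field out of range: {rdata!r}")
    return rec


def order_srv(records, rand=None):
    """Order answers as an RFC 2782 client would: lowest priority first; within a
    priority, weighted random selection with weight-0 records placed first so
    they are rarely chosen. `rand(total)` returns an int in [0, total]."""
    rand = rand or (lambda total: random.randint(0, total))
    by_prio = {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_prio):
        # stable sort: weight-0 entries move to the front of this priority level
        pool = sorted(by_prio[prio], key=lambda r: r.weight == 0, reverse=True)
        while pool:
            total = sum(r.weight for r in pool)
            x = rand(total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= x:
                    break
            ordered.append(r)
            pool.remove(r)
    return ordered


if __name__ == "__main__":
    for svc, name in ad_srv_names("corp.example").items():
        print(f"{svc:9s} {name}")
    for rec in order_srv([parse_srv(a) for a in SAMPLE_LDAP_ANSWERS]):
        print(rec)
```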
Wake On LAN is used to turn on computers through a network message. The magic packet used to turn on the computer is simply a packet in which a destination MAC is provided and then repeated 16 times inside the same packet. These packets are usually sent in an Ethernet frame of type 0x0842 or in a UDP packet to port 9. If no [MAC] is provided, the packet is sent to the Ethernet broadcast address (and the broadcast MAC will be the one being repeated).
# WOL (without a MAC, ff:ff:ff:ff:ff:ff is used)
wol.eth [MAC] # Send a WOL as a raw Ethernet packet of type 0x0842
wol.udp [MAC] # Send a WOL as an IPv4 broadcast packet to UDP port 9
## Bettercap2 can also be used for this purpose
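The magic packet format described above, as an added example that is not part of the original page or of Bettercap: it builds a packet (6 bytes of 0xFF followed by the MAC repeated 16 times), wraps it in an Ethernet frame of type 0x0842, and recognises a valid magic packet inside a captured UDP/Ethernet payload so the frames can be spotted in traffic captures. MAC addresses and payloads are constructed sample values.

```python
"""Added example: build and recognise Wake-on-LAN magic packets."""
import re
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
WOL_ETHERTYPE = 0x0842          # EtherType used for raw-Ethernet WOL frames
WOL_UDP_PORT = 9                # UDP port used when WOL rides over IPv4
SYNC_STREAM = b"\xff" * 6       # every magic packet starts with six 0xFF bytes


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 raw bytes."""
    digits = re.sub(r"[:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac=None):
    """Sync stream + the target MAC repeated 16 times (102 bytes).
    No MAC means the broadcast MAC is repeated, as the text above describes."""
    raw = parse_mac(mac or BROADCAST_MAC)
    return SYNC_STREAM + raw * 16


def ethernet_frame(dst_mac, src_mac, payload):
    """Wrap a payload in an Ethernet II header carrying the WOL EtherType."""
    header = struct.pack("!6s6sH", parse_mac(dst_mac), parse_mac(src_mac), WOL_ETHERTYPE)
    return header + payload


def find_magic_packet(payload):
    """Return the MAC a payload would wake, or None if it holds no valid magic packet.
    The sync stream may sit anywhere in the payload, so search rather than assume offset 0."""
    start = payload.find(SYNC_STREAM)
    while start != -1:
        body = payload[start + 6:start + 6 + 16 * 6]
        if len(body) == 96:
            mac = body[:6]
            if body == mac * 16:        # all sixteen repetitions must match
                return format_mac(mac)
        start = payload.find(SYNC_STREAM, start + 1)
    return None


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")      # constructed sample MAC
    frame = ethernet_frame(BROADCAST_MAC, "02:00:00:00:00:01", pkt)
    print(len(pkt), len(frame), find_magic_packet(frame[14:]))
```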
Responder is a great tool for spoofing various network protocols, but it can also be used in its "analyze" modes.
BROWSER mode: inspect Browse Service messages and map IP addresses with NetBIOS names
LANMAN mode: passively map domain controllers, servers and workstations joined to a domain with the Browser protocol
LLMNR, NBTNS, MDNS modes: inspect broadcast and multicast name resolution requests
Enabling the analyze modes gives interesting information such as:
Domain Controller, SQL servers, workstations
Fully Qualified Domain Name (FQDN)
Windows versions in use
The "enabled" or "disabled" state of protocols like LLMNR, NBTNS, MDNS, LANMAN, BROWSER
net.probe on/off # Activate all service discovery and ARP probing
net.probe.mdns # Search local mDNS services (Discover local)
net.probe.nbns # Ask for NetBIOS names (Discover local)
net.probe.upnp # Search UPnP services (Discover local)
net.probe.wsd # Search Web Services Discovery (Discover local)
net.probe.throttle 10 # 10ms between requests sent (Discover local)
Port scanning is a penetration-testing technique that uses software to identify open ports on a network and the services running on those ports. It is an important part of a security assessment because it can uncover security vulnerabilities that may otherwise be overlooked.
During a port scan, the software sends packets to each port on the target system and listens for a response. Depending on the response, the software can determine whether a port is open or closed. If a port is open, the software can also determine the service running on it. This information can help the tester identify any vulnerable services that can be exploited.
Port Scanning can help determine if there are any unauthorized access points, such as open ports or services running without authentication. It can also help determine if any services are running outdated versions of software that could be vulnerable to exploits.
Port status and other details can be gathered via manual requests, or through port scanning tools.
Nmap has long been the standard for port scanning and is an essential tool for all security testers to know.
This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.
Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It is intended to provide a researcher a superior interface for introducing a stimulus into and measuring a response from a TCP/IP enabled device or network.
Scantron - Scantron is a distributed nmap and Masscan scanner comprised of two components. The first is a console node that consists of a web front end used for scheduling scans and storing scan targets and results. The second component is an engine that pulls scan jobs from the console and conducts the actual scanning.
Scanless - This is a Python 3 command-line utility and library for using websites that can perform port scans on your behalf.
naabu - A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests.
RustScan - The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
knocker - Knocker is a new, simple, and easy to use TCP security port scanner written in C, using threads. It is able to analyze hosts and the network services which are running on them.
unimap - Scan only once by IP address and reduce scan times with Nmap for large amounts of data.
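Port scanners produce their results as files, and the practical follow-up to a scan is comparing it with the last one. As an added example that is not part of the original page or of Nmap, this parser reads Nmap's grepable (-oG) format into a per-host inventory and diffs two scans to surface ports that became exposed; both scan texts are constructed sample output, not real scans.

```python
"""Added example: parse Nmap -oG output and diff two scans for newly open ports."""

# Constructed sample output in Nmap grepable format (port/state/proto/owner/service/rpc/version/)
SAMPLE_BASELINE = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.10.10.10 (web.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.10.10.11 ()\tStatus: Up
"""
SAMPLE_CURRENT = """\
Host: 10.10.10.10 (web.lab.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 5.7.40/\tIgnored State: closed (997)
Host: 10.10.10.11 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
"""


def parse_port_entry(entry):
    """'22/open/tcp//ssh//OpenSSH 8.2p1/' -> dict. Nmap writes '/' inside a field as '|',
    so splitting on '/' is safe; the owner and rpc fields are skipped here."""
    fields = entry.strip().split("/")
    if len(fields) < 5:
        raise ValueError(f"malformed port entry: {entry!r}")
    return {
        "port": int(fields[0]),
        "state": fields[1],
        "proto": fields[2],
        "service": fields[4],
        "version": fields[6] if len(fields) > 6 else "",
    }


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [entry, ...]}} for every 'Host:' line.
    Hosts seen only with 'Status: Up' (ping scans) get an empty port list."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # comments and blank lines
        cols = line.split("\t")
        ip, _, rest = cols[0][len("Host:"):].strip().partition(" ")
        rec = hosts.setdefault(ip, {"hostname": rest.strip("() "), "ports": []})
        for col in cols[1:]:
            if col.startswith("Ports:"):
                entries = col[len("Ports:"):].split(",")
                rec["ports"].extend(parse_port_entry(e) for e in entries if e.strip())
    return hosts


def open_ports(hosts):
    """Flatten an inventory to the set of (ip, proto, port) triples in state 'open'."""
    return {(ip, p["proto"], p["port"])
            for ip, rec in hosts.items() for p in rec["ports"] if p["state"] == "open"}


def newly_exposed(baseline_text, current_text):
    """Open ports present in the current scan but absent from the baseline, sorted."""
    before = open_ports(parse_grepable(baseline_text))
    after = open_ports(parse_grepable(current_text))
    return sorted(after - before)


if __name__ == "__main__":
    for ip, proto, port in newly_exposed(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(f"new open port: {ip} {port}/{proto}")
```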
Manual Port Checks
Netcat banner grab
nc -v 10.10.10.10 port
Telnet banner grab
telnet 10.10.10.10 port
Probe Response CheatSheet
Open port: SYN --> SYN/ACK --> RST
Closed port: SYN --> RST/ACK
Filtered port: SYN --> [NO RESPONSE]
Filtered port: SYN --> ICMP message
For more detailed identification of running applications, even if they are running on a non-standard port, we can use application detection tools to enumerate them.
AMAP - Attempts to identify applications even if they are running on a different port than normal.
$ amap -d $ip <port>
DNS Recon
DNS reconnaissance is the process of gathering information about a domain by querying various DNS records. DNS reconnaissance is often used to identify hosts, subdomains, and services associated with a domain. It can also provide insight into the network infrastructure, such as the type of DNS servers being used and the type of records they are responding with.
DNS Enumeration tools can give detail not just on DNS services related to your target, but also be used to identify other assets such as related domains and IP addresses.
DNS Enumeration Tools
dnsdumpster - A tool to perform DNS reconnaissance on target networks. The DNS information gathered includes subdomains, MX records, web application firewall detection, and more fingerprinting and lookups.
dnscan - dnscan is a Python wordlist-based DNS subdomain scanner.
dnsenum - Dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
dnsmap - dnsmap scans a domain for common subdomains using a built-in or an external wordlist
dnstracer - determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.
Lepus - A tool for enumerating subdomains, checking for subdomain takeovers and perform port scans - and boy, is it fast!
Knock - Knockpy is a python3 tool designed to enumerate subdomains on a target domain through dictionary attack.
HostileSubBruteForcer - Aggressive SubDomain brute forcing tool written by Nahamsec.
altdns - a DNS recon tool that allows for the discovery of subdomains that conform to patterns.
assetfinder - A tool to find domains and subdomains potentially related to a given domain.
fierce - Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.
cansina - a Web Content Discovery Application. Help you making requests and filtering and inspecting the responses to tell apart if it is an existing resource or just an annoying or disguised 404.
Sublist3r - Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. This tool can do both scraping and bruteforcing, which makes it a nice combined tool. The downside, however, is that the wordlist cannot be specified.
shuffledns - MassDNS wrapper written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support.
SubDomainizer - A tool to find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github.
shosubgo - Small tool to Grab subdomains using Shodan api.
aiodnsbrute - A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously. This is a bruteforcer with insane speed, and a very large number of built in wordlists. Use a list of resolvers with it
Altdns: Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging), as well as a list of known subdomains.
Findomain: Findomain offers a dedicated monitoring service hosted in Amazon (only the local version is free), that allows you to monitor your target domains and send alerts to Discord and Slack webhooks or Telegram chats when new subdomains are found.
Dome - Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.
Sub-domains are subsections of larger domains used to create separate sections of a website or to organize content into different categories. Each subdomain can provide a wealth of new attack vectors and vulnerabilities to map.
Discovering Sub-Domains can involve dynamic crawling of a website, brute forcing of common sub-domain names, and then visually parsing and flying through subdomains looking for anything fun and interesting. This process is called Sub-Domain Fly-Over.
Aquatone - Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible
Meg: Meg is a tool for fetching lots of URLs without taking a toll on the servers. It can be used to fetch many paths for many hosts, or fetching a single path for all hosts before moving on to the next path and repeating.
Vulnerability Scanning
Vulnerability scanning is a process of identifying, detecting, and assessing security vulnerabilities in a computer system. It is designed to find known and unknown security risks in a network or computer system. Vulnerability scanning helps organizations identify and address any weaknesses in their systems before they can be exploited by attackers.
A vulnerability scan usually involves using automated tools to scan a system for known vulnerabilities. The scan looks for known weaknesses, such as incorrect settings, outdated software, missing patches, or other security flaws that could be exploited by attackers. After the scan is complete, a report is generated outlining the weaknesses found and providing recommendations on how to address them.
Vulnerability scanning is an important part of a comprehensive security program, and helps organizations identify and address weaknesses before attackers can exploit them. Conversely, vulnerability scanners are often used by offensive security testers to identify weak targets for exploitation.
After setup and update, check listening ports to see if OpenVAS is active
# ss -lnt4
Navigate to the WebUI
https://127.0.0.1:939
NSE Nmap Scripts - NSE scripts can perform various scanning techniques for enumerating services and scanning targets for specific vulnerabilities.
Show all available scripts and their details
# nmap --script-help default
Show all vuln/exploit scripts
# cat script.db | grep '"vuln"\|"exploit"'
Run all scripts in the "vuln" category
# sudo nmap --script vuln [ip]
Other Scanning Tools
ReconMap - Reconmap is a vulnerability assessment and penetration testing (VAPT) platform. It helps software engineers and infosec pros collaborate on security projects, from planning, to implementation and documentation. The tool's aim is to go from recon to report in the least possible time.
Vuls - Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go.
Tsunami Scanner - Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Flan Scan - Flan Scan is a lightweight network vulnerability scanner. With Flan Scan you can easily find open ports on your network, identify services and their version, and get a list of relevant CVEs affecting your network.
Web Application Security Testing is a type of security testing that is used to identify and address security vulnerabilities in web applications. It is a process that involves testing the security of web applications for weaknesses that could potentially be exploited by attackers. The goal of this type of testing is to identify and fix any security issues that could lead to the unauthorized access, manipulation, or destruction of data, or any other malicious activity.
Dynamic application security testing (DAST) is a process used to assess the security of a web application while it is running. This type of testing can be used to identify application-level vulnerabilities, such as cross-site scripting (XSS) and SQL injection.
For testing various web applications there are a multitude of testing tools for both individual vulnerabilities, as well as comprehensive suites. The foremost of these is Burp Suite.
Photon - Incredibly fast crawler designed for OSINT.
URLgrab - A golang utility to spider through a website searching for additional links.
hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application. Also built by the Legendary Hakluke
gospider - This package contains a Fast web spider written in Go.
filebuster - Filebuster is a HTTP fuzzer / content discovery script with loads of features and built to be easy to use and fast! It uses one of the fastest HTTP classes in the world (of PERL) - Furl::HTTP. Also the thread modelling is optimized to run as fast as possible.
feroxbuster - feroxbuster is a tool designed to perform Forced Browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.
Misc Web App Testing Tools
https://www.webgap.io/ - WEBGAP remote browser isolation physically isolates you from the risks of using the internet by isolating your web browsing activity away from your local device.
https://requestbin.com/ - A modern request bin to collect, inspect and debug HTTP requests and webhooks
Race-the-web - Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.
DVCS-Ripper - Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, etc.
tls_prober - TLS Prober is a tool for identifying the implementation in use by SSL/TLS servers. It analyses the behaviour of a server by sending a range of probes then comparing the responses with a database of known signatures.
testssl.sh - A free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
changeme - This package contains a default credential scanner. changeme supports the http/https, MSSQL, MySQL, Postgres, ssh and ssh w/key protocols.
SharpShare - Enumerate all network shares in the current domain. It can also resolve names to IP addresses.
Phishious - An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.
firewalk - Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.
ftester - The Firewall Tester (FTester) is a tool designed for testing firewall filtering policies and Intrusion Detection System (IDS) capabilities.