Owlglass

Pentest - Active Information Gathering

Active Information Gathering

DNS

DNS - Basics

DNS Enumeration - Basics

DNS forward lookup brute-forcing to determine additional IPs belonging to a domain:

for name in $(cat list.txt); do host "$name.domain.com"; done

Comprehensive wordlists are available at SecLists. Based on the IPs determined from the above, we can perform reverse lookups by scanning an associated range (the grep drops the addresses with no PTR record):

for ip in $(seq 200 254); do host xxx.xxx.xxx.$ip; done | grep -v "not found"
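The two-step procedure above (forward brute-force, then a reverse sweep of the ranges the answers fall in) as a small Python script. This is an added example, not code from the page; it uses the standard socket resolver by default, and the resolver functions are parameters so the logic can be exercised offline with stub resolvers. The domain, wordlist and addresses used in comments are constructed placeholders.

```python
"""Two-step DNS host discovery for a domain you are assessing:
1. forward brute-force: resolve <word>.<domain> for every word in a list,
2. reverse sweep: group the answers by /24 and ask for PTR records across
   each block, which is what the seq/host loop on the page does by hand.

Resolver functions are injectable (defaults: socket.gethostbyname and
socket.gethostbyaddr) so the grouping/sweep logic can be tested offline.
"""
import ipaddress
import socket
from collections import defaultdict


def forward_bruteforce(domain, wordlist, resolve=socket.gethostbyname):
    """Return {fqdn: ip} for every word in wordlist that resolves under domain."""
    found = {}
    for word in wordlist:
        word = word.strip()
        if not word:
            continue  # skip blank lines in the wordlist
        fqdn = f"{word}.{domain}"
        try:
            found[fqdn] = resolve(fqdn)
        except OSError:  # gaierror/herror: NXDOMAIN or no A record
            continue
    return found


def candidate_ranges(ips):
    """Group discovered IPs by their /24 so each block is swept only once."""
    blocks = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        blocks[str(net)].append(ip)
    return dict(blocks)


def reverse_sweep(network, rev=socket.gethostbyaddr, lo=1, hi=254):
    """Return {ip: ptr_name} for hosts in network whose last octet is in [lo, hi].

    Addresses without a PTR record (the "not found" lines the page greps
    away) are simply omitted.
    """
    net = ipaddress.ip_network(network)
    names = {}
    for host in net.hosts():
        if not lo <= int(host) - int(net.network_address) <= hi:
            continue
        try:
            names[str(host)] = rev(str(host))[0]  # (name, aliases, addrs)
        except OSError:
            continue
    return names


if __name__ == "__main__":
    import sys
    # usage: python dns_sweep.py example.com wordlist.txt  (constructed example)
    domain, wordlist_path = sys.argv[1], sys.argv[2]
    with open(wordlist_path) as fh:
        words = fh.read().split()
    hosts = forward_bruteforce(domain, words)
    for fqdn, ip in sorted(hosts.items()):
        print(f"{fqdn} -> {ip}")
    for block in candidate_ranges(hosts.values()):
        for ip, ptr in sorted(reverse_sweep(block).items()):
            print(f"{ip} -> {ptr}")
```

Grouping by /24 before sweeping keeps the reverse phase proportional to the number of distinct blocks rather than the number of forward hits, and limiting `lo`/`hi` reproduces the `seq 200 254` slice from the page.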

dnsrecon

dnsenum2

nslookup

TCP/UDP Port Scanning

Simple port scan with Netcat:

nc -nvv -w 1 -z 192.168.1.2 3000-4000

where -n skips DNS resolution, -vv is verbose output, -w is the timeout in seconds and -z specifies zero-I/O (scan-only) mode. TCP scans use the 3-way handshake to detect open ports. UDP is stateless, so open port detection involves a different mechanism. Using Netcat:

nc -nv -u -z -w 1 192.168.1.2 120-123

Here, if the destination UDP port is closed, the target should respond with an ICMP port unreachable; no reply at all is what an open port looks like. UDP scanning is therefore often unreliable, as firewalls and routers may drop ICMP packets. This leads to false positives: ports showing as open when they are, in fact, closed.
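To make the TCP-versus-UDP difference concrete, here is an added Python example (not from the page) that probes ports on loopback: a TCP listener, a closed TCP port, a UDP port that nothing listens on, a UDP listener that never answers, and a UDP listener that echoes. The closed UDP case surfaces the ICMP port unreachable as ECONNREFUSED on a connected UDP socket, while the silent-listener case is indistinguishable from a filtered port, so the probe reports it as "open|filtered" rather than "open". The port numbers are ephemeral ones assigned by the OS; the behaviour described relies on the kernel reporting ICMP errors on connected UDP sockets, which Linux does.

```python
"""TCP vs UDP port-state detection, demonstrated against local listeners.

TCP: connect() completing the three-way handshake means open; an RST shows
up as ConnectionRefusedError (closed); silence is filtered.
UDP: no handshake. A closed port triggers ICMP port unreachable, which a
connected UDP socket reports as ConnectionRefusedError. No answer means
either an open-but-quiet service or a filter dropping the ICMP, so the
honest verdict is "open|filtered" - the false-positive trap from the text.
"""
import socket
import threading

LOOPBACK = "127.0.0.1"


def tcp_probe(host, port, timeout=1.0):
    """Classify a TCP port as open / closed / filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def udp_probe(host, port, timeout=1.0):
    """Classify a UDP port as open / closed / open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors get reported
        try:
            s.send(b"\x00")      # constructed one-byte probe datagram
            s.recv(1024)
            return "open"          # any reply proves a listener
        except ConnectionRefusedError:
            return "closed"        # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"  # silence: quiet service or dropped ICMP


def run_demo():
    """Probe five locally constructed situations and return the verdicts."""
    results = {}

    # TCP listener: the kernel completes the handshake from the backlog.
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind((LOOPBACK, 0))
    tcp.listen(1)
    tcp_port = tcp.getsockname()[1]
    results["tcp_open"] = tcp_probe(LOOPBACK, tcp_port)
    tcp.close()
    results["tcp_closed"] = tcp_probe(LOOPBACK, tcp_port)  # now answers RST

    # UDP listener that never replies: looks exactly like a filtered port.
    quiet = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    quiet.bind((LOOPBACK, 0))
    udp_port = quiet.getsockname()[1]
    results["udp_open_quiet"] = udp_probe(LOOPBACK, udp_port, timeout=0.5)
    quiet.close()
    results["udp_closed"] = udp_probe(LOOPBACK, udp_port)  # ICMP unreachable

    # UDP echo service: the reply is the only positive proof for UDP.
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind((LOOPBACK, 0))

    def respond():
        data, peer = echo.recvfrom(1024)
        echo.sendto(data, peer)

    worker = threading.Thread(target=respond, daemon=True)
    worker.start()
    results["udp_open_chatty"] = udp_probe(LOOPBACK, echo.getsockname()[1])
    worker.join(1.0)
    echo.close()
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:16s} {verdict}")
```

The quiet-listener and dropped-ICMP cases produce the same observation, which is why serious UDP scanners label silence "open|filtered" and only upgrade to "open" after a protocol-specific payload draws a reply.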
