Reconnaissance

Passive External Network Reconnaissance

Active External Network Reconnaissance

NMAP

  • NSE scripts: 14 categories
    • auth
    • broadcast
    • brute
    • default
    • discovery
    • dos (not recommended)
    • exploit
    • external
    • fuzzer
    • intrusive
    • malware
    • safe
    • version
    • vuln

Scanning a /24 range with both a UDP and a TCP scan, running the smb2-security-mode NSE script against the listed UDP and TCP ports (-sU requires root):

nmap -sU -sT -p U:137,139,T:22,21,80,443,139,445 --script=smb2-security-mode.nse 192.168.0.10/24

Recon-NG

User account enumeration

On web app portal

Exposed services - Protocols

HTTP/HTTPS

SMTP

DKIM / DMARC / SPF misconfiguration

  • https://github.com/BishopFox/spoofcheck.git
  • https://github.com/Mr-Un1k0d3r/SPFAbuse
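The misconfigurations these tools look for can be checked from the raw TXT records. The following is an added example, not code from these notes or from spoofcheck/SPFAbuse: it parses an SPF record and a DMARC record and reports the settings that leave a domain spoofable (a permissive or missing `all` qualifier, too many DNS lookups, `p=none`, partial `pct`, no reporting address). The record strings in the test are constructed; in practice they come from the TXT record at the domain and at `_dmarc.<domain>`.

```python
"""Assess SPF and DMARC TXT records for spoofing-relevant weaknesses.

Added example; not part of the original notes nor of spoofcheck / SPFAbuse.
Input records are the raw TXT strings fetched from DNS (constructed in the
accompanying test).
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return {'mechanisms': [(qualifier, term), ...], 'all': qualifier} or None."""
    if not txt.startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        qualifier = "+"  # implicit qualifier when none is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt):
    """Return the DMARC tags as a dict (keys lower-cased), or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_txt, dmarc_txt):
    """Return a list of findings explaining why mail from the domain may be spoofable."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record")
    else:
        if spf["all"] is None:
            findings.append("SPF has no 'all' mechanism (defaults to neutral)")
        elif spf["all"] == "+":
            findings.append("SPF ends in +all: any sender passes")
        elif spf["all"] == "?":
            findings.append("SPF ends in ?all: neutral result, no protection")
        elif spf["all"] == "~":
            findings.append("SPF ends in ~all (softfail): relies on DMARC to reject")
        lookups = sum(
            1 for _, m in spf["mechanisms"]
            if re.split(r"[:=/]", m)[0].lower() in LOOKUP_TERMS
        )
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (>10 gives permerror)")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "")
        if policy not in ("reject", "quarantine"):
            findings.append(f"DMARC policy p={policy or 'missing'}: spoofed mail is delivered")
        if dmarc.get("sp") == "none":
            findings.append("DMARC sp=none: subdomains unprotected")
        pct = dmarc.get("pct")
        if pct is not None and pct != "100":
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua: no aggregate reporting")
    return findings


if __name__ == "__main__":
    # constructed sample records
    for f in assess("v=spf1 ip4:192.0.2.0/24 ~all", "v=DMARC1; p=none; pct=100"):
        print(f)
```

A domain with `~all` and `p=none` passes neither check: the softfail only advises receivers, and without `p=quarantine`/`p=reject` the advice is not enforced.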

SNMP

  • snmpget
  • onesixtyone

Loop over the onesixtyone wordlist as SNMPv3 user names (replace [IPv6] with the target address and MIB_TO_FETCH with the OID to query):

for i in $(cat onesixtyone/dict.txt); do echo -n "$i : "; snmpget -v 3 -u "$i" "udp6:[IPv6]" MIB_TO_FETCH; done

FTP

SSH

Databases (MySQL, MSSQL, Oracle, DB2, PostgreSQL, MongoDB...)

Exposed storage

  • AWS S3 buckets
  • Azure blob storage
  • GCP storage

Scanning external target

Exploitation

RCE

RCE-as-a-feature (Jenkins, Serv-U, etc.).

Exposed source code or credentials

  • .git folder

Access keys, tokens and secrets committed to GitHub, GitLab, Mercurial or other code-hosting solutions. Git / repo secret scanners:

  • gitleaks (https://github.com/zricethezav/gitleaks)
  • trufflehog (https://github.com/trufflesecurity/truffleHog)
  • git-secrets (https://github.com/awslabs/git-secrets)
  • shhgit (https://github.com/eth0izzle/shhgit)
  • gitrob (https://github.com/michenriksen/gitrob)
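These scanners combine two techniques: regex rules for known credential formats and a Shannon-entropy check on string literals to catch random-looking secrets that no rule names. The following is an added example written for these notes, not the code of gitleaks, trufflehog or any tool listed above; the rule set, the 3.5 bits/char threshold and the sample file contents are all constructed, and the key formats (AKIA-prefixed AWS access key IDs, PEM private key headers) are public formats with made-up values.

```python
"""Minimal secret scanner: pattern rules plus an entropy check.

Added example, not the code of gitleaks / trufflehog / git-secrets / shhgit /
gitrob. Runs over text in memory; point scan_text() at file contents or at
`git show` output to scan a repository's history.
"""
import math
import re

# Rule set (constructed). The generic rule captures the assigned value so the
# entropy check can discard low-entropy placeholders such as "changeme".
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic-assignment": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off, tune per repo)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return findings as (path, line_no, rule_name, matched_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # generic assignments are only reported when the value looks random
                if name == "generic-assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append((path, line_no, name, value))
    return findings


# Constructed sample file; none of these values is a real credential.
SAMPLE = """# constructed sample config
aws_access_key_id = AKIAABCDEFGHIJKLMNOP
db_password = "changeme"
api_key = "kQ7vZp2nR9xL4mT8wB3cH6jF1sD5gY0a"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, rule, value in scan_text(SAMPLE, "config.env"):
        print(f"{path}:{line_no}: {rule}: {value}")
```

The `db_password = "changeme"` line is deliberately not reported: it matches the generic rule but its entropy is far below the threshold, which is the same trade-off the real tools make between noise and coverage.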

SAP

Lync

IIS specific checks

Web vulnerabilities

  • serialization/deserialization

Default Credentials in use

Open SMTP Relay

DNS Zone Transfer

VPN - IKE Aggressive Mode

Password spray

(O365, Azure, Citrix, RDP, VPN, OWA, etc.)

General tool

The following plugins are currently supported:

  • OWA - Outlook Web Access
  • EWS - Exchange Web Services
  • O365 - Office365
  • O365Enum - Office365 User Enum (No Authentication Request)
  • MSOL - Microsoft Online
  • Okta - Okta Authentication Portal
  • FortinetVPN - Fortinet VPN Client
  • HTTPBrute - Generic HTTP Brute Methods (Basic/Digest/NTLM)
  • ADFS - Active Directory Federation Services
  • AzureSSO - Azure AD Seamless SSO Endpoint
  • GmailEnum - Gmail User Enumeration (No Authentication Request)

CheckPoint SSL VPN

O365

./trevorspray.py -e emails.txt --passwords "Winter2021!" --delay 15 --no-current-ip --ssh ubuntu@<IP> ubuntu2@<IP2> -k privkey.pem

OWA

Metasploit module: scanner/http/owa_login

Azure

IP rotation

During password spraying or brute-force attacks, the attacker will sometimes need to rotate source IP and geolocation to avoid being blocked.
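On the defending side, IP rotation defeats per-source lockouts but not the spray's own signature: many distinct accounts failing a few times each inside a short window. The following is an added example for these notes, not a tool from the page: a detector that slides a window over failed logins and alerts when the distinct-account count crosses a threshold, evaluated both across all sources (which catches rotated IPs) and per source. The log format, thresholds and log lines are constructed.

```python
"""Password-spray detection over authentication logs.

Added example, not part of the original notes. Log lines are a constructed
sample in the form "<ISO timestamp> <FAIL|OK> <user> <source ip>"; adapt
parse_line() to the real log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed detection window
MIN_DISTINCT_USERS = 5           # assumed threshold of failing accounts per window


def parse_line(line):
    """Parse one log line into (timestamp, status, user, ip); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), parts[3]


def detect_spray(lines):
    """Return one alert per group ('*' = all sources, else the source IP) whose
    sliding window contains failures for MIN_DISTINCT_USERS or more accounts."""
    events = [e for e in map(parse_line, lines) if e and e[1] == "FAIL"]
    events.sort()
    # '*' aggregates every source so a spray spread over rotated IPs still adds up
    groups = {"*": events}
    for e in events:
        groups.setdefault(e[3], []).append(e)
    alerts = []
    for ip, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, _, user, _ in evs[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= MIN_DISTINCT_USERS:
                alerts.append({
                    "ip": ip,
                    "window_start": evs[start][0],
                    "users": len(per_user),
                    "max_per_user": max(per_user.values()),
                })
                break  # first hit per group is enough for an alert
    return alerts


# Constructed sample: seven accounts sprayed once each from three rotating
# IPs within four minutes, plus one account brute-forced later from a fourth IP.
LOG = """2024-03-01T09:00:00 FAIL alice 203.0.113.5
2024-03-01T09:00:30 FAIL bob 203.0.113.5
2024-03-01T09:01:00 FAIL carol 198.51.100.7
2024-03-01T09:01:30 FAIL dave 198.51.100.7
2024-03-01T09:02:00 OK erin 192.0.2.10
2024-03-01T09:02:10 FAIL frank 192.0.2.44
2024-03-01T09:02:40 FAIL grace 192.0.2.44
2024-03-01T09:03:00 FAIL heidi 192.0.2.44
2024-03-01T09:30:00 FAIL ivan 192.0.2.99
2024-03-01T09:30:05 FAIL ivan 192.0.2.99
2024-03-01T09:30:10 FAIL ivan 192.0.2.99
2024-03-01T09:30:15 FAIL ivan 192.0.2.99
""".splitlines()

if __name__ == "__main__":
    for a in detect_spray(LOG):
        print(a)
```

In the sample, no single source IP reaches the threshold (two or three accounts each), so a per-IP rule stays silent; only the aggregate view fires. The four failures against one account are a brute-force pattern and are left to a separate per-account rule.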

2FA/MFA implementation issues

  • MFASweep: detect MFA for various Microsoft servers
  • CredSniper
  • Re-using valid credentials on alternate services
  • MailSniper

SSL/TLS

  • Heartbleed
  • Shellshock

https://www.foregenix.com/blog/know-your-attack-surfaces