From 467ba5c35c2d83ed22517d23a2482a2b55c758fd Mon Sep 17 00:00:00 2001 From: Sunillad08 Date: Sat, 22 Jun 2024 23:06:57 +0530 Subject: [PATCH] Modified and resampled notes --- .../Network_mapping.md | 46 ------ eJPT/Footprinting_and_Scanning/index.md | 93 +++++++++++- .../Active_information_gathering.md | 47 ------ .../Passive_information_gathering.md | 84 ----------- eJPT/Information_Gathering/index.md | 138 +++++++++++++++++- eJPT/index.md | 3 +- 6 files changed, 225 insertions(+), 186 deletions(-) delete mode 100644 eJPT/Footprinting_and_Scanning/Network_mapping.md delete mode 100644 eJPT/Information_Gathering/Active_information_gathering.md delete mode 100644 eJPT/Information_Gathering/Passive_information_gathering.md diff --git a/eJPT/Footprinting_and_Scanning/Network_mapping.md b/eJPT/Footprinting_and_Scanning/Network_mapping.md deleted file mode 100644 index b6eac1a..0000000 --- a/eJPT/Footprinting_and_Scanning/Network_mapping.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# Network Mapping -[Back](./index.md) - --- - - -Prerequisite: [IP](../../Networking/Protocols/IP.md), [ICMP](../../Networking/Protocols/ICMP.md), [IPv4](../../Networking/Protocols/IPv4.md), [IPv6](../../Networking/Protocols/IPv6.md), [TCP](../../Networking/Protocols/TCP.md), [UDP](../../Networking/Protocols/UDP.md), [TCP_IP_3_way_handshake](../../Networking/TCP_IP_3_way_handshake.md) - -## Objective -- Discovery of live hosts -- Identify open ports and services -- Network topology mapping -- OS fingerprinting -- service version detection -- identify filtering and security measures - -> [nmap](../../Cyber_Security/Tools/nmap.md) is predominantly used for network mapping and diagnostics. - - -## Command to check all open TCP connections -```bash -Linux> Netstat -antp -``` - -```powershell -Windows> Netstat -ano -``` - - -## Host discovery technique -- ping sweeps / ICMP Ping - - Firewall may block ICMP packets -- Arp scanning -- TCP SYN scan - - Firewall/Security measures may block -- UDP ping -- TCP ACK -- SYN ACK - - -### Read [nmap](../../Cyber_Security/Tools/nmap.md) to learn about host discovery using ICMP sweep, ARP sweep and multiple other ways. - - - - - - diff --git a/eJPT/Footprinting_and_Scanning/index.md b/eJPT/Footprinting_and_Scanning/index.md index 2ca2f96..6f55fe7 100644 --- a/eJPT/Footprinting_and_Scanning/index.md +++ b/eJPT/Footprinting_and_Scanning/index.md 
@@ -1,10 +1,99 @@ # Footprinting & Scanning + [Back](../index.md) -- - -## [Network_mapping](Network_mapping.md) +# Network Mapping + +Prerequisite: [IP](../../Networking/Protocols/IP.md), [ICMP](../../Networking/Protocols/ICMP.md), [IPv4](../../Networking/Protocols/IPv4.md), [IPv6](../../Networking/Protocols/IPv6.md), [TCP](../../Networking/Protocols/TCP.md), [UDP](../../Networking/Protocols/UDP.md), [TCP_IP_3_way_handshake](../../Networking/TCP_IP_3_way_handshake.md) + +## Objective +- Discovery of live hosts +- Identify open ports and services +- Network topology mapping +- OS fingerprinting +- service version detection +- identify filtering and security measures + +> [nmap](../../Cyber_Security/Tools/nmap.md) is predominantly used for network mapping and diagnostics. + + +## Command to check all open TCP connections +```bash +Linux> Netstat -antp +``` + +```powershell +Windows> Netstat -ano +``` + + +## Host discovery technique +- ping sweeps / ICMP Ping + - Firewall may block ICMP packets +- Arp scanning +- TCP SYN scan + - Firewall/Security measures may block +- UDP ping +- TCP ACK +- SYN ACK + + +### Read [nmap](../../Cyber_Security/Tools/nmap.md) to learn about host discovery using ICMP sweep, ARP sweep and multiple other ways. -- - -## Also read [Footprinting_and_scanning](../../Cyber_Security/Footprinting_and_scanning.md) \ No newline at end of file +# Port Scanning + +## Port Scanning + +Port scanning using [nmap](../../Cyber_Security/Tools/nmap.md). + +Use Stealth scan to avoid getting detected. Use TCP scan in verification. + +Use -Pn to avoid sending ping to system and clarify nmap not to verify if host is up or not. + +Use -p- to scan all possible port range. + +Use timing templates to adjust scan duration and avoid detection. + +Once all open ports are identified, we can move on to service version and OS detection. 
+ +## Service Version & OS Detection + +Use [nmap](../../Cyber_Security/Tools/nmap.md) to gather information regarding service versions and OS of machine. After detecting active machines, its better to perform OS detection before port detection so you target specific ports. After detecting open ports , perform service version detection on found open port. + +Use -sV for version detection on open ports. +Provide open ports number to perform scan faster. + +Use -O for detection of host operating system. +Use '--osscan-guess' to get more info if nmap is not giving proper output. + +Use -sC for running nmap scripts for further enumeration + +-- - + +# Evasion : Firewall , IDS & other security measures + +Read [nmap](../../Cyber_Security/Tools/nmap.md) and [Nmap Documentation](https://nmap.org/book/man-bypass-firewalls-ids.html). + +If pings are blocked or scans are getting timeout, that indicates presence of firewall , IDS or other security measures. To avoid getting detected we can apply few methods. + +### Packet fragmentation +Using `-f` and `--mtu` option in nmap to sent fragmented packets and set custom MTU ( Maximum Transmission Unit ). + +### Decoy IP +We can set decoy IPs to avoid repeating or revealing our own IP address. We need to have either network logs or access to decoy machines to fetch response. We can use `-D` flag in nmap to set multiple decoy IPs. + +### Port Number +We can also spoof port number from our end to evade firewall blocking request from repeative port number. We can use `-g` option in nmap to spoof port number. + +### Spoof IP +In some circumstances, Nmap may not be able to determine your source address. In this situation, use `-S` with the IP address of the interface you wish to send packets through. This is replace spoofed IP in place of actual. + +## Optimising nmap + +Optimizing Nmap scan is also important as getting result in short time while creating less traceable traffic is necessary. 
We should use timing template to red + +We can use `--host-timeout 5s` to reduce timeout value. We can also delay scan to avoid flooding systems with `--scan-delay`. diff --git a/eJPT/Information_Gathering/Active_information_gathering.md b/eJPT/Information_Gathering/Active_information_gathering.md deleted file mode 100644 index 7f55cab..0000000 --- a/eJPT/Information_Gathering/Active_information_gathering.md +++ /dev/null @@ -1,47 +0,0 @@ -# Active Information Gathering - -[Back](./index.md) - --- - - -Read [DNS](../../Networking/Protocols/DNS.md) - --- - - -## DNS Zone Transfer - -DNS Zone Transfer : Process of copy or transfer of zone files from one DNS server to another. - -![DNS Zone Transfer](https://images.ctfassets.net/aoyx73g9h2pg/1PGX1tDUWI2LvZaMfcuLLD/f98d47c3d88a0756e6d13884fec69628/What-are-DNS-zone-transfers-Diagram.jpg) - -- [DNS Zone Transfer Hackersploit](https://youtu.be/kdYnSfzb3UA?si=lxAt7FEex7ZcDcKv) -- [DNS Zone Transfer Hindi](https://youtu.be/4-vKfKVyjHA?si=HmQssVkYpXaDXsOS) - --- - - -## dig -DNS Zone Transfer using dig -``` -dig axfr @"nameserver" "site" -``` - - -## dnsenum -Enumeration of publically available information, zone transfer and bruteforce subdomains. -``` -dnsenum "site" -``` - - -## fierce - -``` -fierce –dns domain_name -``` - - -## Nmap - -Read [nmap](../../Cyber_Security/Tools/nmap.md) , [hping3](../../Cyber_Security/Tools/hping3.md) - -To enumerate active machines using ping scan to gather active machines IP. diff --git a/eJPT/Information_Gathering/Passive_information_gathering.md b/eJPT/Information_Gathering/Passive_information_gathering.md deleted file mode 100644 index b985ef9..0000000 --- a/eJPT/Information_Gathering/Passive_information_gathering.md +++ /dev/null 
@@ -1,84 +0,0 @@ -# Passive Information Gathering -[Back](./index.md) - --- - - -## Web Recon and Footprinting - -Web reconnaissance and footprinting focusses on gathering information about website. - -- Whatis \ -- robots.txt -- sitemap.xml or sitemaps.xml -- Builtwith and wappalyzer : To identify web technologies used -- Whatweb : Command line utility to gather technology information -- HTTrack (app) webhttrack (cmd) : To download and replicate website in local environment - -## Domain Information gathering - -Read [DNS](../../Networking/Protocols/DNS.md) - -### Whois -Command line tool to gather DNS information about host -``` -Whois hostname -``` -- Who.is : Web version of Whois - -### Netcraft -- Sitereport.netcraft.com to gather DNS , Web technologies and Firewall information. - -### DNSRecon -To find information regarding domain - -``` -DNSRecon -d domain_name -``` - -- dnsdumpster.com (Website) - -### CRT.sh : -Gather information about subdomains on basis of certificates. - -### Sublist3r -To identify subdomains of given domain -``` -Sublist3r domain_name -``` - -## Web Application Firewall(WAF) detection -To detect web application firewall being used. - -``` -waffw00f domain -``` - -## Google Dork - -Read [Google_Dorking](../../Cyber_Security/Tools/Google_Dorking.md) - -examples : -Site: -Intitle : index of -Cache: site_name - - -### Google Hacking Database (GHDB) -Interesting google dorks stored in database. - -## Wayback machine -To check previous versions of websites and find information from it. - - -## Email Harvesting - -### theHarvester -- Helps in OSINT. -- Command line tool -- help to find emails , subdomains and IPs - - -## Leaked password - -### haveibeenpwned.com -To find leaked passwords in breaches, gather information about possible breaches occured. \ No newline at end of file diff --git a/eJPT/Information_Gathering/index.md b/eJPT/Information_Gathering/index.md index 1335bf5..27b53d3 100644 --- a/eJPT/Information_Gathering/index.md 
+++ b/eJPT/Information_Gathering/index.md @@ -1,13 +1,11 @@ -## Information Gathering +# Information Gathering [Back](../index.md) -- - -## [Passive_information_gathering](Passive_information_gathering.md) - -## [Active_information_gathering](Active_information_gathering.md) - - +Quick Access: +- [Passive Information Gathering](#Passive%20Information%20Gathering) +- [Active Information Gathering](#Active%20Information%20Gathering) ## Information Gathering 
@@ -21,3 +19,131 @@ Information gathering refers to gathering or collecting information about person - Passive : IP address, DNS details, Email address, Web technology, subdomains, etc. - Active : Open ports, internal infrastructure of target, information about target systems. + +-- - +# Passive Information Gathering + +## Web Recon and Footprinting + +Web reconnaissance and footprinting focusses on gathering information about website. + +- Whatis \ +- robots.txt +- sitemap.xml or sitemaps.xml +- Builtwith and wappalyzer : To identify web technologies used +- Whatweb : Command line utility to gather technology information +- HTTrack (app) webhttrack (cmd) : To download and replicate website in local environment + +## Domain Information gathering + +Read [DNS](../../Networking/Protocols/DNS.md) + +### Whois +Command line tool to gather DNS information about host +``` +Whois hostname +``` +- Who.is : Web version of Whois + +### Netcraft +- Sitereport.netcraft.com to gather DNS , Web technologies and Firewall information. + +### DNSRecon +To find information regarding domain + +``` +DNSRecon -d domain_name +``` + +- dnsdumpster.com (Website) + +### CRT.sh : +Gather information about subdomains on basis of certificates. + +### Sublist3r +To identify subdomains of given domain +``` +Sublist3r domain_name +``` + +## Web Application Firewall(WAF) detection +To detect web application firewall being used. + +``` +waffw00f domain +``` + +## Google Dork + +Read [Google_Dorking](../../Cyber_Security/Tools/Google_Dorking.md) + +examples : +Site: +Intitle : index of +Cache: site_name + + +### Google Hacking Database (GHDB) +Interesting google dorks stored in database. + +## Wayback machine +To check previous versions of websites and find information from it. + + +## Email Harvesting + +### theHarvester +- Helps in OSINT. 
+- Command line tool +- help to find emails , subdomains and IPs + + +## Leaked password + +### haveibeenpwned.com +To find leaked passwords in breaches, gather information about possible breaches occured. + + +-- - + +# Active Information Gathering + +Read [DNS](../../Networking/Protocols/DNS.md) + +## DNS Zone Transfer + +DNS Zone Transfer : Process of copy or transfer of zone files from one DNS server to another. + +![DNS Zone Transfer](https://images.ctfassets.net/aoyx73g9h2pg/1PGX1tDUWI2LvZaMfcuLLD/f98d47c3d88a0756e6d13884fec69628/What-are-DNS-zone-transfers-Diagram.jpg) + +- [DNS Zone Transfer Hackersploit](https://youtu.be/kdYnSfzb3UA?si=lxAt7FEex7ZcDcKv) +- [DNS Zone Transfer Hindi](https://youtu.be/4-vKfKVyjHA?si=HmQssVkYpXaDXsOS) + +-- - + +## dig +DNS Zone Transfer using dig +``` +dig axfr @"nameserver" "site" +``` + + +## dnsenum +Enumeration of publically available information, zone transfer and bruteforce subdomains. +``` +dnsenum "site" +``` + + +## fierce + +``` +fierce –dns domain_name +``` + + +## Nmap + +Read [nmap](../../Cyber_Security/Tools/nmap.md) , [hping3](../../Cyber_Security/Tools/hping3.md) + +To enumerate active machines using ping scan to gather active machines IP. \ No newline at end of file diff --git a/eJPT/index.md b/eJPT/index.md index 99e15ae..a8052f4 100644 --- a/eJPT/index.md +++ b/eJPT/index.md @@ -4,4 +4,5 @@ -- - ## [Information Gathering](Information_Gathering/index.md) -## [Footprinting and Scanning](Footprinting_and_Scanning/index.md) \ No newline at end of file +## [Footprinting and Scanning](Footprinting_and_Scanning/index.md) +## [Service Enumeration](Service_Enumeration/index.md) \ No newline at end of file
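Review bot: the three `deleted file mode` hunks (`Footprinting_and_Scanning/Network_mapping.md`, `Information_Gathering/Active_information_gathering.md`, `Information_Gathering/Passive_information_gathering.md`) remove pages that other notes may link to by path; only the two section index pages are updated in this patch, so the remaining tree should be checked for links to those three filenames before merging.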
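Review bot: the `Optimising nmap` paragraph in the `eJPT/Footprinting_and_Scanning/index.md` hunk ends mid-sentence (`We should use timing template to red`); finish or drop that line. In the same hunk the moved netstat block puts `Linux> Netstat -antp` inside a bash fence, but the Linux binary is lowercase `netstat` and the `Linux>` prompt prefix is not part of the command (the PowerShell `Netstat -ano` is fine, Windows being case-insensitive). `# Port Scanning` is immediately followed by `## Port Scanning`; one of the two headings should go. The `Decoy IP` text says you need `network logs or access to decoy machines to fetch response`, which is not how `-D` works: nmap still sends from, and receives replies at, the scanner's real address, the decoys only add cover traffic, so that sentence should be replaced. Wording: `clarify nmap not to verify if host is up or not` should read `tell nmap to skip host discovery and treat the host as up`; `This is replace spoofed IP in place of actual` is ungrammatical; `repeative port number` under `Port Number` is unclear, and it would help to state that `-g` is the source-port option (alias of `--source-port`). The rewrite also drops the previous `Also read Footprinting_and_scanning` cross-link without replacement; confirm that was intended.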
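Review bot: in the first `eJPT/Information_Gathering/index.md` hunk the `Quick Access` anchors `#Passive%20Information%20Gathering` and `#Active%20Information%20Gathering` will not resolve in GitHub-rendered markdown, where heading slugs are lowercased and spaces become hyphens; use `#passive-information-gathering` and `#active-information-gathering`.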
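Review bot: in the second `eJPT/Information_Gathering/index.md` hunk several moved command examples will fail as typed on a case-sensitive system: `Whois hostname`, `DNSRecon -d domain_name` and `Sublist3r domain_name` should be `whois`, `dnsrecon` and `sublist3r`; `waffw00f domain` is a typo for `wafw00f`; and `fierce –dns domain_name` carries an en dash where `--` is needed. There is a stray `\` after `Whatis`, typos `focusses`, `publically` and `occured`, the closing `Nmap` paragraph (`To enumerate active machines using ping scan to gather active machines IP.`) is a sentence fragment, and the file is written without a trailing newline.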
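Review bot: the `eJPT/index.md` hunk adds a link to `Service_Enumeration/index.md`, but none of the six files in this patch is under `Service_Enumeration`, so the link is dead unless that page already exists in the tree; either add the page in this patch or defer the link. The file also still ends with `\ No newline at end of file`.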