Active Information Gathering

Active Information Gathering / Enumeration / Recon

  • Active Information Gathering is the process of collecting information about a target, generally by directly interacting with that target.

  • When "Living off the Land", we can leverage several pre-installed and trusted Windows binaries to perform post-compromise analysis. These binaries are shortened as LOLBins or, more recently, LOLBAS to include Binaries, Scripts and Libraries.

DNS Information Gathering Tools

  • Due to the wealth of information contained within DNS, it is often a lucrative target for active information gathering.

  • host <Domain Name> - Finds the A record (IPv4 address) for a domain.

  • host -t <Option> <Domain Name> - The -t option specifies the record type to query (e.g. mx or txt).

  • host -a <Domain Name> - The a option is used to display all the records.

  • for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" - A one-line bash loop that performs a reverse lookup for every address in a range and keeps only the addresses that have a PTR record, i.e. the hosts the DNS server knows about.

  • dnsrecon -d <Domain Name> -t <Scan Type> - A tool that's installed by default on Kali Linux and can perform DNS enumeration.

  • dnsenum <Domain Name> - Another tool that performs automatic DNS enumeration.

  • nslookup <Domain Name> - Finds the IP address for the provided domain name (Works in Windows)
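The reverse-lookup loop above, rewritten as an added Python example (not part of the original notes) that generalises it: the target may be a CIDR block or the last-octet range the notes use, every address is PTR-resolved, and only addresses with a reverse record are returned. The resolver is pluggable, so the script runs offline against a constructed PTR table (the `example.test` names below are made up) and online through the system resolver by default.

```python
"""Reverse-DNS sweep over an address range (added example, not from the notes).

Generalises the one-line bash loop: the target can be a CIDR block or the
last-octet range the notes use, each address is PTR-resolved, and only
addresses that have a reverse record are kept, which is what piping the
output of `host` through `grep -v "not found"` achieves.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps an IP string to a hostname, or None when there is no PTR
# record. Keeping it pluggable lets the sweep run offline against the
# constructed table below and online against the system resolver.
Resolver = Callable[[str], Optional[str]]


def expand_targets(spec: str) -> List[str]:
    """Accept "192.0.2.0/24" (host addresses only) or "192.0.2.200-254"."""
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False).hosts()]
    prefix, _, octets = spec.rpartition(".")
    lo, _, hi = octets.partition("-")
    return [f"{prefix}.{i}" for i in range(int(lo), int(hi or lo) + 1)]


def system_ptr_lookup(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; its own timeout/retry settings apply."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None          # NXDOMAIN, SERVFAIL or timeout: treat as "not found"


def reverse_sweep(spec: str, resolver: Resolver = system_ptr_lookup) -> Dict[str, str]:
    """Return {ip: hostname} for every address in `spec` that has a PTR record."""
    found: Dict[str, str] = {}
    for ip in expand_targets(spec):
        name = resolver(ip)
        if name:
            found[ip] = name.rstrip(".")
    return found


# Constructed PTR table standing in for a DNS zone: only three addresses in
# the /28 have reverse records, everything else would be "not found".
SAMPLE_PTR_TABLE = {
    "192.0.2.17": "www.example.test.",
    "192.0.2.18": "mail.example.test.",
    "192.0.2.30": "vpn.example.test.",
}


def table_resolver(ip: str) -> Optional[str]:
    return SAMPLE_PTR_TABLE.get(ip)


if __name__ == "__main__":
    # Offline run against the constructed table; leave the resolver at its
    # default (system_ptr_lookup) to sweep a real range such as "51.222.169.200-254".
    for ip, name in reverse_sweep("192.0.2.16/28", table_resolver).items():
        print(f"{ip}\t{name}")
```

Because `gethostbyaddr` goes through the libc resolver, the per-query timeout is whatever `/etc/resolv.conf` sets; for a large sweep, running the lookups in a thread pool is the usual way to keep the wall-clock time close to what the bash loop achieves.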

Port Scanning

  • Port scanning is the process of inspecting TCP or UDP ports on a remote machine with the intention of detecting what services are running on the target and what potential attack vectors may exist.

  • nc -nvv -w 1 -z <IP Address> <Start Port>-<End Port> - Uses Netcat, which is installed by default on most systems, to scan for ports. (-w is used to set the timeout in seconds, -z is to specify zero input/output which is used when scanning for an open port and not sending data.)

  • nc -nvv -u -w 1 -z <IP Address> <Start Port>-<End Port> - Same as the above command but to scan for UDP.

Most UDP scanners tend to use the standard "ICMP port unreachable" message to infer the status of a target port. However, this method can be completely unreliable when the target port is filtered by a firewall.

  • Nmap can be used to automate the port scanning process but the footprint that automated port scanning tools leave should be taken into consideration.

  • If we are conducting initial network enumeration from a Windows laptop with no internet access, we are prevented from installing any extra tools that might help us, like the Windows Nmap version. In such a limited scenario, we are forced to pursue the 'living off the land' strategy we discussed earlier.

  • Test-NetConnection -Port <Port Number> <IP Address> - The Test-NetConnection cmdlet checks whether the IP responds to ICMP and whether the specified TCP port on the target host is open.

  • 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP Address>", $_)) "TCP port $_ is open"} 2>$null - A PowerShell one-liner that attempts a TCP connection to each of ports 1 through 1024 and prints the ones that accept (connection errors are discarded via 2>$null).
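An added Python example (not from the original notes) that does what the Netcat and PowerShell scans above do, with the same per-port timeout idea as `nc -w 1 -z`, and adds a UDP probe that keeps the distinction the "ICMP port unreachable" note describes: a UDP port is only reported closed when the ICMP error actually comes back, and silence is reported as "open|filtered" because a dropped probe and a quiet service look the same. The listeners it scans are started in-process on 127.0.0.1 so the script runs offline; they are constructed targets, not real services.

```python
"""TCP connect scan and UDP probe with a per-port timeout (added example, not from the notes).

The TCP probe does what `nc -nvv -w 1 -z` does: complete the handshake and
close without sending data. The UDP probe shows why `nc -u` results need care:
only an ICMP port-unreachable proves a port closed, and a firewall that drops
the probe is indistinguishable from a service that simply does not answer.
"""
import socket
import threading
from typing import Dict, List


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:              # ECONNREFUSED, timeout, unreachable, ...
        return False


def tcp_connect_scan(host: str, first: int, last: int, timeout: float = 1.0) -> List[int]:
    """Open TCP ports in the inclusive range first-last, like nc's <start>-<end>."""
    return [p for p in range(first, last + 1) if tcp_port_open(host, p, timeout)]


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a UDP port as 'open', 'closed' or 'open|filtered'.

    'closed' is only reported when an ICMP port-unreachable comes back (the
    kernel surfaces it as ECONNREFUSED on a connected UDP socket); silence
    means either a listener that ignored our byte or a firewall drop.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"\x00")
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


# --- constructed local targets so the probes can be exercised offline -----
def _accept_and_close(listener: socket.socket) -> None:
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        conn.close()


def _udp_echo(sock: socket.socket) -> None:
    while True:
        try:
            data, peer = sock.recvfrom(1024)
        except OSError:
            return
        sock.sendto(data, peer)


def demo() -> Dict[str, object]:
    """Scan three in-process listeners: a TCP service, a UDP echo, a silent UDP bind."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    udp_echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_echo.bind(("127.0.0.1", 0))
    udp_silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_silent.bind(("127.0.0.1", 0))
    threading.Thread(target=_accept_and_close, args=(tcp,), daemon=True).start()
    threading.Thread(target=_udp_echo, args=(udp_echo,), daemon=True).start()
    tcp_port = tcp.getsockname()[1]
    result = {
        "tcp_port": tcp_port,
        "tcp_open": tcp_connect_scan("127.0.0.1", tcp_port - 2, tcp_port, 0.5),
        "udp_echo": udp_probe("127.0.0.1", udp_echo.getsockname()[1], 0.5),
        "udp_silent": udp_probe("127.0.0.1", udp_silent.getsockname()[1], 0.5),
    }
    for s in (tcp, udp_echo, udp_silent):
        s.close()
    return result


if __name__ == "__main__":
    print(demo())
```

The "open|filtered" result for the silent UDP bind is the point: a scanner that treats "no reply" as "closed" will miss every UDP service that does not answer an empty datagram, and a firewall that drops the probe produces exactly the same observation.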

Server Message Block (SMB)

  • The security track record of the Server Message Block (SMB) protocol has been poor for many years due to its complex implementation and open nature.

  • The NetBIOS service listens on TCP port 139, as well as several UDP ports. It should be noted that SMB (TCP port 445) and NetBIOS are two separate protocols. NetBIOS is an independent session layer protocol and service that allows computers on a local network to communicate with each other. While modern implementations of SMB can work without NetBIOS, NetBIOS over TCP (NBT) is required for backward compatibility and these are often enabled together. This also means the enumeration of these two services often goes hand-in-hand.

  • Tools like nmap can be used to scan for both SMB and NetBIOS. However, there are more specialized tools like nbtscan.

  • Nmap also provides many useful scripts specifically for SMB.

Any Nmap service and OS enumeration output should be taken with a grain of salt, as none of the fingerprinting algorithms are perfect.

  • One useful tool for enumerating SMB shares within Windows environments is net view. It lists domains, resources, and computers belonging to a given host.

  • net view \\<Host Name> /all - Lists the shares on the given host; with the /all switch the administrative shares ending in a dollar sign are included too.

Simple Mail Transport Protocol (SMTP)

  • We can also gather information about a host or network from vulnerable mail servers.

  • The Simple Mail Transport Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.

With Test-NetConnection we are prevented from fully interacting with the SMTP service.

  • Nevertheless, if it is not already enabled, we can install the Microsoft Telnet client with the following command, which requires administrative privileges: dism /online /Enable-Feature /FeatureName:TelnetClient. A workaround without admin rights is to locate the TelnetClient binary on one of our other machines and transfer it to the machine we are testing.

  • Once telnet is available, we can interact with the SMTP server with the following command: telnet <IP Address> 25
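An added Python example (not from the original notes) of the VRFY dialogue you would otherwise type over telnet, shown from both sides. The client reads the banner, sends HELO, one VRFY per candidate user and QUIT. The server is a constructed in-process stand-in with two modes: permissive, where 250 versus 550 reveals which accounts exist, and hardened, where every VRFY/EXPN is answered with 252, which is the behaviour Postfix gives with `disable_vrfy_command = yes`. The host name `mail.example.test` and the account list are made up.

```python
"""SMTP VRFY user probe against a local test server (added example, not from the notes).

The client sends exactly what you would type over `telnet <host> 25`: read the
banner, HELO, one VRFY per candidate, QUIT. The in-process server is
constructed for the demo and has two modes: permissive, where 250 vs 550
reveals which users exist, and hardened, where every VRFY/EXPN gets 252, the
reply a Postfix server gives with disable_vrfy_command = yes.
"""
import socket
import socketserver
import threading
from typing import Dict, Iterable, Tuple

KNOWN_USERS = {"root", "postmaster"}   # constructed account list of the fake server


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    def reply(self, line: str) -> None:
        self.wfile.write((line + "\r\n").encode())

    def handle(self) -> None:
        self.reply("220 mail.example.test ESMTP (constructed test server)")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb in ("VRFY", "EXPN"):
                if self.server.hardened:
                    self.reply("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery")
                elif arg in KNOWN_USERS:
                    self.reply(f"250 2.1.5 {arg} <{arg}@example.test>")
                else:
                    self.reply(f"550 5.1.1 {arg}... User unknown")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


def _read_reply(rd) -> Tuple[int, str]:
    """Read one SMTP reply, including multi-line '250-' continuations."""
    lines = []
    while True:
        line = rd.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            return 0, "\n".join(lines)       # connection closed early
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def probe_users(host: str, port: int, users: Iterable[str], timeout: float = 3.0) -> Dict[str, int]:
    """Return {user: reply code} from VRFY; 250 = exists, 550 = unknown, 252 = not told."""
    codes: Dict[str, int] = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        _read_reply(rd)                                 # 220 banner
        sock.sendall(b"HELO scanner.example.test\r\n")
        _read_reply(rd)
        for user in users:
            sock.sendall(f"VRFY {user}\r\n".encode())
            codes[user], _ = _read_reply(rd)
        sock.sendall(b"QUIT\r\n")
        _read_reply(rd)
    return codes


def start_server(hardened: bool) -> Tuple[socketserver.ThreadingTCPServer, int]:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    srv.daemon_threads = True
    srv.hardened = hardened                             # read by the handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo(hardened: bool) -> Dict[str, int]:
    srv, port = start_server(hardened)
    try:
        return probe_users("127.0.0.1", port, ["root", "postmaster", "alice"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("permissive:", demo(False))
    print("hardened:  ", demo(True))
```

Pointing `probe_users` at a real host and port 25 gives the same dialogue telnet would; the hardened mode is what to look for when checking your own mail servers, since a uniform 252 tells the client nothing about which addresses exist.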

Simple Network Management Protocol (SNMP)

  • Over the years, we have often found that the Simple Network Management Protocol (SNMP) is not well-understood by many network administrators. This often results in SNMP misconfigurations, which can result in significant information leaks.

  • SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing and replay attacks.

  • Additionally, the commonly used SNMP versions 1, 2 and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network.

  • Traditional SNMP protocols also have weak authentication schemes and are commonly left configured with default public and private community strings.

  • Until recently, SNMPv3, which provides authentication and encryption, shipped with support only for DES-56, a weak encryption scheme that can be easily brute-forced.

  • A more recent SNMPv3 implementation supports the AES-256 encryption scheme.

  • The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, with branches that represent different organizations or network functions. The leaves of the tree (or final endpoints) correspond to specific variable values that can then be accessed and probed by an external user.

  • sudo nmap -sU --open -p 161 <IP Address Range> -oG <Output Name> - Can be used to scan for SNMP.

  • onesixtyone is a tool that can be used to scan SNMP.

  • snmpwalk is another tool that can be used to scan SNMP.
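An added Python example (not from the original notes) showing what onesixtyone and snmpwalk put on the wire: an SNMPv1 GetRequest is plain BER with version 0 and the community string as a clear-text OCTET STRING, which is why v1/v2c traffic on a LAN leaks the credential, and the OID in the request is a path through the MIB tree (sysDescr.0 = 1.3.6.1.2.1.1.1.0 here). The decoder walks the GetResponse back to (OID, value) pairs. The sample response is constructed in the script; `snmp_get` performs the real UDP exchange and needs a reachable agent.

```python
"""SNMPv1 GetRequest encoder and GetResponse decoder (added example, not from the notes).

This is the wire format that tools such as onesixtyone and snmpwalk produce:
plain BER, version 0 (= SNMPv1), and the community string as a clear-text
OCTET STRING, which is why v1/v2c traffic on a LAN leaks the credential. The
OID is a path through the MIB tree; sysDescr.0 = 1.3.6.1.2.1.1.1.0 is used here.
"""
import socket
from typing import List, Tuple

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2            # context-specific PDU tags


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def encode_int(v: int) -> bytes:
    """Two's-complement INTEGER, minimal length for non-negative values."""
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]                     # first two arcs share one byte
    for arc in arcs[2:]:                               # base-128, high bit = more to come
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(payload: bytes) -> str:
    arcs, val = [payload[0] // 40, payload[0] % 40], 0   # adequate for the 1.x tree
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbind))                # request-id, error-status, error-index
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def decode_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, payload, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg: bytes) -> Tuple[str, List[Tuple[str, object]]]:
    """Return (community, [(oid, value), ...]); raises on a non-zero error-status."""
    _, body, _ = decode_tlv(msg)
    _, _version, p = decode_tlv(body)
    _, community, p = decode_tlv(body, p)
    pdu_tag, pdu, _ = decode_tlv(body, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"unexpected PDU tag {pdu_tag:#x}")
    _, _rid, p = decode_tlv(pdu)
    _, err, p = decode_tlv(pdu, p)
    _, _idx, p = decode_tlv(pdu, p)
    status = int.from_bytes(err, "big", signed=True)
    if status:
        raise ValueError(f"agent returned error-status {status}")
    _, varbinds, _ = decode_tlv(pdu, p)
    out, p = [], 0
    while p < len(varbinds):
        _, vb, p = decode_tlv(varbinds, p)
        _, oid_raw, q = decode_tlv(vb)
        vtag, val, _ = decode_tlv(vb, q)
        if vtag == OCTET_STRING:
            value: object = val.decode(errors="replace")
        elif vtag == INTEGER:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag == OID:
            value = decode_oid(val)
        else:
            value = val                                # Counter/Gauge/TimeTicks left raw
        out.append((decode_oid(oid_raw), value))
    return community.decode(errors="replace"), out


def snmp_get(host: str, community: str, oid: str, timeout: float = 2.0):
    """One GetRequest/GetResponse exchange over UDP 161 (needs a reachable agent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        return parse_get_response(s.recv(4096))


# Constructed GetResponse, as an agent with community "public" would answer.
SAMPLE_RESPONSE = tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, b"public") + tlv(
    GET_RESPONSE, encode_int(1) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, tlv(
        SEQUENCE, encode_oid("1.3.6.1.2.1.1.1.0") + tlv(OCTET_STRING, b"Linux agent (constructed)")))))

if __name__ == "__main__":
    print(build_get_request("public", "1.3.6.1.2.1.1.1.0").hex())
    print(parse_get_response(SAMPLE_RESPONSE))
```

Reading the request hex makes the weakness concrete: the bytes `04 06 70 75 62 6c 69 63` are the community string "public" in the clear, so anyone capturing the segment has the credential, which is the reason to prefer SNMPv3 with authentication and AES privacy and to change the default community strings.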
