Footprinting (Continue Here)
Enumeration is the most critical phase of any penetration test. It is also dynamic: there is no static step-by-step guide to follow. The diagram below, however, gives a general idea of the enumeration process.
One common starting point is examining the SSL certificate of the company's main website, which may reveal useful information. Tools such as crt.sh can help uncover subdomains.
Google Dorking is another useful technique for discovering valuable information such as files, subdomains, and cloud resources.
Two tools that can help automate the process are https://domain.glass/ and https://grayhatwarfare.com/.
Finally, identifying company employees can offer insights into the company's infrastructure. For example, analyzing job postings may reveal the technologies in use. Reconnaissance can also be carried out on the employees themselves, which can open another attack vector.
This module examines the popular protocols that are most likely to be encountered during a penetration test.
File Transfer Protocol (FTP) is used to transfer files; it operates on TCP ports 21 (control) and 20 (data). FTP is a clear-text protocol, meaning its traffic can be sniffed, and it defines its own set of commands and status codes.
Trivial File Transfer Protocol (TFTP) is a simpler version of FTP; it uses UDP and does not provide user authentication.
Many FTP servers are available; one of the most common on Linux-based distributions is vsFTPd. Its configuration file is located at /etc/vsftpd.conf.
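A defender-side check for the vsftpd.conf just mentioned, added here as an example (it is not code from these notes or from the vsFTPd project): it parses the file and flags settings that leave the service anonymous or, as noted above, clear-text. Both configs inside it are constructed samples; the option names are real vsftpd options, while the built-in defaults assumed for options absent from the file are an assumption of this example.

```python
# Audit a vsftpd.conf for settings that leave FTP anonymous or clear-text.
# Added example, not from the original notes; both configs are constructed samples.

WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
#ssl_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
"""
# option -> (value that counts as a finding, explanation)
CHECKS = {
    "anonymous_enable": ("YES", "anonymous login permitted"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "ssl_enable": ("NO", "TLS off: credentials and data cross the wire in clear text"),
    "force_local_logins_ssl": ("NO", "local users may log in without TLS"),
}
# Assumed built-in vsftpd defaults, applied when an option is absent from the file.
DEFAULTS = {"anonymous_enable": "YES", "anon_upload_enable": "NO", "ssl_enable": "NO"}

def parse_vsftpd_conf(text):
    """Return {option: value} for active key=value lines; '#' lines are inactive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                opts[key.strip()] = value.strip()
    return opts

def as_bool(value):
    """Normalise the boolean spellings vsftpd accepts (yes/true/1, no/false/0)."""
    return "YES" if value.upper() in ("YES", "TRUE", "1") else "NO"

def audit_vsftpd_conf(text):
    """Return [(option, effective_value, message)] for each weak setting found."""
    opts = parse_vsftpd_conf(text)
    findings = []
    for option, (bad_value, message) in CHECKS.items():
        value = opts.get(option, DEFAULTS.get(option))  # explicit value, else default
        if value is not None and as_bool(value) == bad_value:
            findings.append((option, value, message))
    return findings
```

Run against WEAK_CONF the commented-out ssl_enable line is treated as absent, so the TLS finding fires alongside the anonymous-login one; HARDENED_CONF produces no findings.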
Nmap can be used to footprint FTP using many of its available scripts.