OSINT
OSINT (Open Source Intelligence) is crucial for any penetration test because it provides a foundation of publicly available information that helps testers understand the target environment. It can help identify potential attack vectors, vulnerabilities, and entry points without alerting the target or causing disruption. We can find domain names, IP addresses, technology stacks, exposed services, user accounts, and more.
Nmap
Start with Nmap scans to find common ports and common alternative ports, then move on to further enumeration such as identifying services, versions, etc.
Full Scan:
sudo nmap -sS -Pn -sV --open -iL targets.txt -p- -vv --min-hostgroup 255 --initial-rtt-timeout 150ms --max-rtt-timeout 300ms --max-scan-delay 0 -oA FULL
UDP:
sudo nmap -Pn -sU -iL targets.txt -p 1-1024,5353,1900 -vvv -oG - | grep "/open" | awk '{ print $2 }' > UDP.txt
LDAP:
sudo nmap --open -p 389 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 389.txt
HTTP:
sudo nmap --open -p 80 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 80.txt
HTTPS:
sudo nmap --open -p 443 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 443.txt
Alt HTTP:
sudo nmap --open -p 8080 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 8080.txt
Alt HTTPS:
sudo nmap --open -p 8443 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 8443.txt
FTP:
sudo nmap --open -p 21 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 21.txt
SSH:
sudo nmap --open -p 22 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 22.txt
RDP:
sudo nmap --open -p 3389 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 3389.txt
All-in-One Scan - This takes longer
sudo nmap --open -p 389 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 389.txt && sudo nmap --open -p 80 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 80.txt && sudo nmap --open -p 8080 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 8080.txt && sudo nmap --open -p 443 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 443.txt && sudo nmap --open -p 8443 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 8443.txt && sudo nmap --open -p 21 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 21.txt && sudo nmap --open -p 22 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 22.txt && sudo nmap --open -p 3389 -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > 3389.txt && sudo nmap -Pn -sU -iL targets.txt -p 1-1024,5353,1900 -vvv -oG - | grep "/open" | awk '{ print $2 }' > UDP.txt
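As an added example that is not part of these notes: the full scan above already writes grepable output to FULL.gnmap via -oA, so the per-port lists can be produced by parsing that one file locally instead of rescanning every host once per port. The sample gnmap lines below are constructed; note that Nmap reports unanswered UDP probes as open|filtered, which the grep "/open" pipelines above also match.

```python
import re
from collections import defaultdict
from pathlib import Path

SAMPLE_GNMAP = (  # constructed sample of Nmap grepable output; fields are tab-separated
    "# Nmap 7.94 scan initiated\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, "
    "80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.7 ()\tPorts: 53/open|filtered/udp//domain///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (1020)\n"
    "# Nmap done\n"
)

# One port entry looks like: port/state/protocol/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/(tcp|udp)/")

def parse_gnmap(text, states=("open",)):
    """Return {(port, proto): [host, ...]} for entries whose state is in `states`."""
    # Unanswered UDP probes come back as 'open|filtered'; a plain grep for
    # "/open" matches those too, so here the caller has to opt in to them.
    hosts_by_port = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = fields.get("Ports")
        if not ports:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split(" ", 1)[0]
        for entry in ports.split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m and m.group(2) in states:
                key = (int(m.group(1)), m.group(3))
                if host not in hosts_by_port[key]:
                    hosts_by_port[key].append(host)
    return dict(hosts_by_port)

def port_filename(port, proto):
    """Name per-port lists like the notes do: 22.txt for TCP, UDP-53.txt for UDP."""
    return f"{port}.txt" if proto == "tcp" else f"UDP-{port}.txt"

def write_port_files(hosts_by_port, outdir="."):
    """Write one host list per (port, proto) and return the paths written."""
    paths = []
    for (port, proto), hosts in sorted(hosts_by_port.items()):
        path = Path(outdir) / port_filename(port, proto)
        path.write_text("\n".join(hosts) + "\n")
        paths.append(str(path))
    return paths
```

Run it against the real file with write_port_files(parse_gnmap(open("FULL.gnmap").read())) to get the same 22.txt, 80.txt, 3389.txt style lists from a single scan.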
Plugin
Identifying the technologies a website uses matters because their versions are what we then search against for known vulnerabilities and exploits. For this I use:
Websites
Using multiple websites also helps us find other open ports and running services; be sure to note down:
A Records - Map the network and identify potential targets for scanning or exploitation.
AAAA Records (if IPv6 infrastructure is being used)
MX Records - Mail servers can be attack vectors.
NS Records - Knowing authoritative DNS servers helps in DNS enumeration and potential DNS attacks.
TXT Records.
Subdomains - Often host different services or environments (dev, staging, etc.)
User Enumeration
Get the tenant name from AADInternals.
We will need a user list, such as Statistically Likely Usernames.
sudo ./onedrive_enum.py -t tenant-name -d domain -U user-list
This will need an active subscription AND API credits on Dehashed.
dehashapitool -d DOMAIN -o Outfile.csv
Enumeration
sudo ./FGDS.sh domain
sudo ffuf -recursion -mc all -ac -c -u https://domain/FUZZ -w wordlist.txt
sudo ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w wordlist.txt -u https://domain/FUZZ -fc 400,401,403,404,406,500,502 > domain.txt
sudo python3 sublist3r.py -d domain
sudo nikto -h URL
sudo amass enum -d domain
sudo subfinder -d domain -v
WordPress Enumeration
If a site is running WordPress, we can look at:
[site]/wp-admin
[site]/wp-login.php
[site]/wp-json
[site]/wp-json/wp/v2/users
[site]/author/[user]
We can also use WPScan; this does require an API token.
sudo wpscan --url URL --api-token TOKEN --enumerate vp,vt,u,tt --random-user-agent -o domain.txt
OWA Enumeration
If they are using OWA, we can find some more information with curl:
curl -v -I --http1.0 https://[ip]/owa -k -H 'Location:'
curl -v -I --http1.0 https://[ip]/owa -k -H 'HEADER:'