<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Recon on defektive</title><link>https://defektive.github.io/docs/pentest-handbook/recon/</link><description>Recent content in Recon on defektive</description><generator>Hugo</generator><language>en</language><atom:link href="https://defektive.github.io/docs/pentest-handbook/recon/index.xml" rel="self" type="application/rss+xml"/><item><title>Port Scanning</title><link>https://defektive.github.io/docs/pentest-handbook/recon/port-scanning/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/recon/port-scanning/</guid><description>&lt;p&gt;The goal is the complete set of open ports on each host. The pattern that
balances speed and completeness is &lt;strong&gt;two passes&lt;/strong&gt;: a fast full-range sweep to
find &lt;em&gt;which&lt;/em&gt; ports are open, then a detailed scan of &lt;em&gt;only&lt;/em&gt; those ports (covered
in &lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/service-enumeration/"&gt;Service Enumeration&lt;/a&gt;).&lt;/p&gt;

&lt;h2 id="pass-1-fast-full-range-tcp-sweep"&gt;Pass 1: fast full-range TCP sweep&lt;a class="td-heading-self-link" href="#pass-1-fast-full-range-tcp-sweep" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Scan all 65,535 TCP ports quickly to find what&amp;rsquo;s open. I reach for one of two
tools here.&lt;/p&gt;

&lt;h3 id="nmap-the-classic"&gt;nmap (the classic)&lt;a class="td-heading-self-link" href="#nmap-the-classic" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nv"&gt;host&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;203.0.113.10
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;mkdir -p &lt;span class="s2"&gt;&amp;#34;hosts/&lt;/span&gt;&lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="s2"&gt;/recon&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;sudo nmap -p- --open -Pn -n &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="se"&gt;&lt;/span&gt; --min-rate &lt;span class="m"&gt;1500&lt;/span&gt; --max-retries &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="se"&gt;&lt;/span&gt; -T4 &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="se"&gt;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt; &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="se"&gt;&lt;/span&gt; -oA &lt;span class="s2"&gt;&amp;#34;hosts/&lt;/span&gt;&lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="s2"&gt;/recon/nmap-quick-tcp&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Pull the open ports into a comma list for pass 2 (read from the .nmap output, one port per line)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nv"&gt;ports&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;awk -F/ &lt;span class="s1"&gt;&amp;#39;/^[0-9]+\/tcp[[:space:]]+open/{print $1}&amp;#39;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;hosts/&lt;/span&gt;&lt;span class="nv"&gt;$host&lt;/span&gt;&lt;span class="s2"&gt;/recon/nmap-quick-tcp.nmap&amp;#34;&lt;/span&gt; &lt;span class="se"&gt;\
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="se"&gt;&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; tr &lt;span class="s1"&gt;&amp;#39;\n&amp;#39;&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;,&amp;#39;&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; sed &lt;span class="s1"&gt;&amp;#39;s/,$//&amp;#39;&lt;/span&gt;&lt;span class="k"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;-p-&lt;/code&gt; — all 65,535 ports.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;--open&lt;/code&gt; — only report open ports.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;-Pn&lt;/code&gt; — skip host discovery (you already know it&amp;rsquo;s up).&lt;/li&gt;
&lt;li&gt;&lt;code&gt;-n&lt;/code&gt; — no DNS resolution (faster, quieter).&lt;/li&gt;
&lt;li&gt;&lt;code&gt;--min-rate&lt;/code&gt; / &lt;code&gt;--max-retries&lt;/code&gt; — speed knobs; raise min-rate on robust
networks, lower it on fragile ones.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3 id="naabu-faster-for-many-hosts"&gt;naabu (faster for many hosts)&lt;a class="td-heading-self-link" href="#naabu-faster-for-many-hosts" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;a href="https://github.com/projectdiscovery/naabu"&gt;&lt;code&gt;naabu&lt;/code&gt;&lt;/a&gt; uses a SYN scan and is
noticeably quicker across large host lists. Pipe its results straight into nmap
for versioning:&lt;/p&gt;</description></item><item><title>Service Enumeration</title><link>https://defektive.github.io/docs/pentest-handbook/recon/service-enumeration/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/recon/service-enumeration/</guid><description>&lt;p&gt;Knowing port 8080 is open tells you little. Knowing it&amp;rsquo;s &lt;em&gt;Apache Tomcat 9.0.30&lt;/em&gt;
tells you what default paths to check, what CVEs apply, and what credentials to
try. Service enumeration turns open ports into identified, versioned services.&lt;/p&gt;

&lt;h2 id="version--default-script-scan"&gt;Version + default-script scan&lt;a class="td-heading-self-link" href="#version--default-script-scan" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Run nmap against &lt;strong&gt;only the ports you found open&lt;/strong&gt; in &lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/port-scanning/"&gt;port
scanning&lt;/a&gt;, with version detection and the default safe scripts.
This is the deep, accurate scan, so let it take its time:&lt;/p&gt;</description></item><item><title>HTTP Probing &amp; Screenshots</title><link>https://defektive.github.io/docs/pentest-handbook/recon/http-probing-and-screenshots/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/recon/http-probing-and-screenshots/</guid><description>&lt;p&gt;Web is where most findings live. After port scanning you have a pile of open
ports that &lt;em&gt;might&lt;/em&gt; be HTTP; this step confirms which ones actually serve web
content — on which scheme and port, with what title and technology — then
screenshots them so you can eyeball hundreds of apps in minutes.&lt;/p&gt;

&lt;h2 id="probe-with-httpx"&gt;Probe with httpx&lt;a class="td-heading-self-link" href="#probe-with-httpx" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;I use &lt;a href="https://github.com/projectdiscovery/httpx"&gt;&lt;code&gt;httpx&lt;/code&gt;&lt;/a&gt; (ProjectDiscovery)
for this. Feed it every host and every web-ish port; it works out http vs https,
follows redirects, and reports a bunch of metadata.&lt;/p&gt;</description></item><item><title>Content Discovery</title><link>https://defektive.github.io/docs/pentest-handbook/recon/content-discovery/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://defektive.github.io/docs/pentest-handbook/recon/content-discovery/</guid><description>&lt;p&gt;Apps expose far more than their navigation shows: &lt;code&gt;/admin&lt;/code&gt;, &lt;code&gt;/.git/&lt;/code&gt;,
&lt;code&gt;/backup.zip&lt;/code&gt;, &lt;code&gt;/api/v1&lt;/code&gt;, &lt;code&gt;/.env&lt;/code&gt;, old &lt;code&gt;/test.php&lt;/code&gt; files. Content discovery
brute-forces paths against a wordlist to find them. Run it against every live web
service from &lt;a href="https://defektive.github.io/docs/pentest-handbook/recon/http-probing-and-screenshots/"&gt;HTTP probing&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id="pick-a-fuzzer"&gt;Pick a fuzzer&lt;a class="td-heading-self-link" href="#pick-a-fuzzer" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Arsenic supports &lt;code&gt;gobuster&lt;/code&gt;, &lt;code&gt;dirb&lt;/code&gt;, and &lt;code&gt;ffuf&lt;/code&gt;, defaulting to &lt;strong&gt;ffuf&lt;/strong&gt;. The two
I actually use:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://github.com/ffuf/ffuf"&gt;ffuf&lt;/a&gt;&lt;/strong&gt; — fast, flexible, good filtering; my
default.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="https://github.com/epi052/feroxbuster"&gt;feroxbuster&lt;/a&gt;&lt;/strong&gt; — recursive by
default, nice for deep trees.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2 id="wordlists"&gt;Wordlists&lt;a class="td-heading-self-link" href="#wordlists" aria-label="Heading self-link"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;a href="https://github.com/danielmiessler/SecLists"&gt;SecLists&lt;/a&gt; is where I pull wordlists
from. A solid general-purpose stack (this mirrors Arsenic&amp;rsquo;s default &lt;code&gt;web-content&lt;/code&gt;
set):&lt;/p&gt;</description></item></channel></rss>