Neko

Infrastructure Recon

These are usually the first things I do in black-box tests that involve a large scope.

Last updated: May 4th, 2023

Netblocks

Finding Live Hosts

If you're given an IP block or netblock such as 255.255.255.0/24, generally the first thing you want to do is find which of those hosts are alive. To do this you can use nmap, fping, hping or Metasploit. Some of the commands are below.

fping -a -g x.x.x.x/xx 2>/dev/null #print only the hosts that answer
nmap -sn x.x.x.x/xx #ping sweep, no port scan
nmap -n -sn x.x.x.x/xx #same, but skip reverse DNS resolution (faster, quieter towards the resolver)
nmap -sL --dns-servers dnsIP x.x.x.x/xx #Host identification: reverse-DNS every address in the block without sending any probes, via the resolver given
for i in {1..254}; do dig +noall +answer @x.x.x.x -x x.x.x.$i; done #manual reverse lookups against a chosen name server

#metasploit
#arp_sweep only works against hosts on the same layer-2 segment as you
msf > use auxiliary/scanner/discovery/arp_sweep
set SHOST 192.168.1.101
set SMAC d6:46:a7:38:15:65
set RHOSTS 192.168.1.200-254
run

Finding Domains

Once you have live hosts, you can run a reverse DNS lookup against them to discover domains:

nslookup -type=PTR x.x.x.x
dig -x x.x.x.x #dig builds the in-addr.arpa name for you

Domains

If you're given a domain, you can pull information from DNS such as the IPs it resolves to and its various records. Most of these checks also work when all you have is an IP.

#nslookup
nslookup target.com #basic DNS query
nslookup -type=MX target.com #mail exchange query
nslookup -type=NS target.com #name server query
#zone transfer below: a server misconfig that hands the whole zone (every record) to anyone who asks
nslookup
> server ns1.target.com #one of the name servers returned by the NS query above
> ls -d target.com

#dig equivalents to the above nslookup commands
dig target.com
dig target.com A #Only present in forward zones
dig target.com TXT #Text records
dig target.com MX
dig target.com NS
dig @x.x.x.x target.com AXFR #zone transfer, x.x.x.x being one of the domain's name servers

#other tools
dnsrecon -d target.com -a -n x.x.x.x #-a attempts a zone transfer against the name server given with -n
nmap -sU -p53 x.x.x.x/xx #find DNS servers in the block
dnsmap target.com #subdomain brute force
dnsenum --dnsserver x.x.x.x -f /usr/share/seclists/Discovery/DNS/namelist.txt target.com
#Google and Bing
ip:x.x.x.x

Ports

Once you've isolated a specific host and want to find which ports are open and which services are running on them, you can do so with nmap and hping.

nmap -sS x.x.x.x #TCP SYN scan
nmap -sU x.x.x.x #UDP
#Scan all ports quickly (very loud), then run version and script scans only against the ports found
ports=$(nmap -p- --min-rate=1000 -T4 x.x.x.x | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//')
nmap -sV -sC -p "$ports" x.x.x.x
#Zombie (idle) scan, better for stealth: needs an idle zombie host with an incremental IP ID sequence
nmap -O -v zombieIP #look for "IP ID Sequence Generation: Incremental" in the output
nmap -Pn -sI zombieIP:xx targetIP -p "$ports" -v
#zombie with hping3
hping3 -S --scan known x.x.x.x #identify ports
hping3 -S -r -p 80 zombieIP #identify zombie: -r prints the IP ID delta, which should be +1 per reply on a truly idle host
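Added example, not part of these notes: the $ports pipeline above turned into a reusable bash function, run here on a constructed nmap output sample so it works offline (a real run would feed it nmap -oN output). Unlike the one-liner it keeps only ports nmap reports as exactly "open" (filtered and open|filtered are dropped) and refuses to build the follow-up -sV -sC command when nothing is open.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Constructed nmap -oN output for one host;
# a real run would come from: nmap -p- --min-rate=1000 -T4 -oN sweep.txt x.x.x.x
SAMPLE_SCAN='# Nmap scan initiated (constructed sample)
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
443/tcp   open          https
8080/tcp  filtered      http-proxy
53/udp    open|filtered domain
# Nmap done (constructed sample)'

# open_ports: read nmap normal output on stdin, print the ports whose STATE is exactly
# "open" as a comma-separated list (e.g. 22,80,443). The space required after "open" in
# the pattern is what excludes "open|filtered", so unanswered UDP probes are not rescanned.
open_ports() {
  grep -E '^[0-9]+/(tcp|udp) +open +' | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//'
}

# targeted_scan_cmd TARGET: build the follow-up version/script scan command from the
# sweep output on stdin. Fails (exit 1, nothing printed) when no port is open, so the
# caller never ends up running "nmap -sV -sC -p  target" with an empty port list.
targeted_scan_cmd() {
  local ports
  ports=$(open_ports)
  if [ -z "$ports" ]; then
    echo "no open ports in sweep output for $1" >&2
    return 1
  fi
  printf 'nmap -sV -sC -p %s %s\n' "$ports" "$1"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | targeted_scan_cmd 10.0.0.5
```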