
Active Recon Resources


Active Reconnaissance

To gather intelligence by actively engaging the target.

In the active recon phase, we are planning the later phases, such as exploitation, by actively collecting information on the target.
A few examples:
~ Which targets were found and which ports are open?
~ What software, versions, and configurations are we up against?
~ Was any sensitive data or service found through fuzzing or crawling?
~ Are any hosts or services vulnerable to known exploits?
~ Continue mapping the likely network topology.

This is a list of tools that use active reconnaissance techniques (e.g., scanning, fingerprinting, etc.) to gather information on the target.

⚠️ Active reconnaissance directly interacts with the target, AND some active reconnaissance tools are capable of executing exploits! ⚠️


Regarding my notes:

  • The brackets () after each tool indicate whether the tool is:
    1. (built-in) = available in Kali’s repo. Simply sudo apt update && sudo apt install *tool*
    2. (external) = outside Kali’s repo. It needs to be downloaded and then installed.
    3. (website) = part of a website.
    4. There are others, but they’re self-explanatory.
  • I’ll also try to specify any restrictions I know of:
    1. API access needed.
    2. Paywalls.
    3. etc.

Darkweb

  1. OnionScan - (external)
    • “OnionScan is a free and open source tool for investigating the Dark Web.”
    • Scan details at “What is scanned for”.

Domains

Probe automation

  1. httprobe (external)
    • “Take a list of domains and probe for working http and https servers.”
    • Great for automating subdomain discovery prior to gowitness.

Subdomains

  1. Amass by OWASP (built-in)
    • Open-source for enumerating and discovering subdomains.
    • Active scanning, enabled with the -active option, will attempt to gather TLS certificates, perform web crawling, DNS zone transfers, and NSEC (zone) walking.

Fuzzing

AIO Fuzzing

  1. ffuf (built-in)

    • Fuzzer written in Go.
    • Supports directory, file, virtual-host (V-Host), and GET/POST parameter fuzzing, among others.
  2. GoBuster (built-in)

    • Fuzzing tool written in Go.
    • Used for Directory/File, DNS, V-Host, open S3 and cloud buckets, and TFTP servers.
  3. Wfuzz (built-in)

    • General-purpose web application fuzzer, e.g., for RCE, VHost discovery, etc.
    • Replaces the FUZZ keyword with the specified payload.

Web Path Fuzzing

  1. DirBuster (built-in)

    • Multithreaded GUI/CLI Java app for fuzzing web app files and directories.
  2. dirsearch (built-in)

    • An advanced web path brute-forcer for fuzzing directories and files.
  3. FeroxBuster (built-in)

    • “Forced Browsing” tool written in Rust, used for enumerating directories and files.

Web Object Fuzzing

  1. DIRB (built-in)
    • Web-Object fuzzer.

Scanners

Network Scanners

  1. Nmap (built-in)
    • The go-to network and port scanner, with many capabilities beyond scanning, e.g., built-in scripts (NSE) for vulnerability testing.

CMS Scanners

  1. CMSmap (external)

    • CMSmap is an open-source CMS scanner written in Python that automates detecting security flaws in the most popular CMSs.
  2. WPScan (built-in)

    • WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
  3. joomscan by OWASP (built-in)

    • OWASP Joomla Vulnerability Scanner Project.

Web Scanners

  1. Nessus (external) - Account creation required. Free for home use but limited to 15 hosts.

    • Proprietary vulnerability scanner by Tenable.
    • Has many additional scanning options like specialized scans, web app scans, etc.
  2. nikto (built-in)

    • Web server vulnerability scanner written in Perl.
  3. OpenVAS (built-in) - Account creation required.

    • Commercial and Community Edition (CE) versions available.
    • Component of the Greenbone Vulnerability Management suite.
  4. Sn1per (external) - Exploitation features tied to premium. API integration available!

    • Open source recon and penetration testing framework.
    • Premium and CE versions available.

SNMP Scanners

  1. onesixtyone (built-in)
    • SNMP scanner which logs the software running on a device.

Specialized Scanners

  1. log4j-scan (external)

    • A fully automated, accurate, and extensive scanner for finding the log4j RCE, CVE-2021-44228.
    • Supports lists of URLs, 60+ HTTP headers, WAF (Web Application Firewall) bypass payloads, etc.
  2. ItWasAllADream (external)

    • CVE-2021-34527 (PrintNightmare) RCE scanner written in Python.
    • Scans entire subnets for the PrintNightmare RCE (remote code execution) variant and exports a CSV report.
    • Does NOT apply to the LPE (local privilege escalation) variant! Only RCE!

Web *

Web App Firewall

  1. WAFW00F (built-in)
    • Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Web App Proxy

  1. BurpSuite (built-in) - Free version has rate limited brute-forcing. Paid version has many features.

    • AIO web app security testing.
    • Free community extensions can help improve the free version.
  2. Zed Attack Proxy (ZAP) (built-in)

    • Free and open-source web app scanner.
    • No limit on brute-force attempts.
  3. Foxy Proxy (browser extension)

    • Browser proxy used with ZAP and Burp.

Web TechStack

  1. Wappalyzer - (Browser Extension)

    • Actively interacts with a website as you browse to it, identifying the website’s tech stack in real time.
  2. WhatWeb (built-in)

    • The default scan uses HTTP requests to identify the website’s tech stack.
    • Aggression level is adjustable.

Website Screenshots

  1. gowitness (external) - Requires chromium to be installed.
    • “gowitness - a golang, web screenshot utility using Chrome Headless.”
    • Great for automating external pentests by removing the manual process of visiting each found website.

Wireless

  1. aircrack-ng - (built-in)
    • AIO wireless security suite.
    • Contains both passive and active recon tools, along with many exploitation tools.

Written by Matt Raupfer, Cyber Nerd