# Table of Contents - [The Red-Book | Infiltr8: The Red-Book](#the-red-book-infiltr8-the-red-book) - [Reconnaissance | Infiltr8: The Red-Book](#reconnaissance-infiltr8-the-red-book) - [DNS Enumeration | Infiltr8: The Red-Book](#dns-enumeration-infiltr8-the-red-book) - [Host Discovery | Infiltr8: The Red-Book](#host-discovery-infiltr8-the-red-book) - [Execution | Infiltr8: The Red-Book](#execution-infiltr8-the-red-book) - [Subdomains enumeration | Infiltr8: The Red-Book](#subdomains-enumeration-infiltr8-the-red-book) - [Maltego | Infiltr8: The Red-Book](#maltego-infiltr8-the-red-book) - [Specialized Search Engines | Infiltr8: The Red-Book](#specialized-search-engines-infiltr8-the-red-book) - [Google Dorks | Infiltr8: The Red-Book](#google-dorks-infiltr8-the-red-book) - [Email Harvesting | Infiltr8: The Red-Book](#email-harvesting-infiltr8-the-red-book) - [Files Metadata | Infiltr8: The Red-Book](#files-metadata-infiltr8-the-red-book) - [Vulnerability Scanning | Infiltr8: The Red-Book](#vulnerability-scanning-infiltr8-the-red-book) - [TCP/UDP Service Scanning | Infiltr8: The Red-Book](#tcp-udp-service-scanning-infiltr8-the-red-book) - [GitHub Recon | Infiltr8: The Red-Book](#github-recon-infiltr8-the-red-book) - [Email Protection | Cloudflare](#email-protection-cloudflare) --- # The Red-Book | Infiltr8: The Red-Book ![](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2F329872044-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FMdUKdzuqIuObdvCB3mUR%252Fuploads%252F85svW8dJpDkkRnIwaJ0B%252Flogo-blanc-rouge.png%3Falt%3Dmedia%26token%3Db881e451-225e-4e60-83e0-0f949543ce08&width=768&dpr=4&quality=100&sign=fad97b97&sv=2) **The Red-Book** by **infiltr8** is offering a collection of **technical notes** and **cheat sheets**. Our goal is to provide you with practical knowledge rooted in real-world experience. All the information you find within these pages has been meticulously sourced from a diverse range of valuable resources on the internet. We have scoured numerous reputable sources, including research papers, industry blogs, documentation, and expert opinions, to bring you the most relevant and up-to-date content. The techniques, methodologies, and concepts presented in **The Red-Book** have been carefully vetted and tested (we still human, it's possible there's some mistakes). Whether you are a cybersecurity enthusiast, an aspiring ethical hacker, or a concerned individual seeking to fortify your digital defenses, **The Red-Book** will serve as your indispensable resource. We cover a wide range of topics, including penetration testing, vulnerability assessments, social engineering, red teaming, network security, web application security, and much more. As you embark on this journey with us, keep in mind that offensive cybersecurity **is not about malicious intent**. It is about understanding the tactics employed by potential adversaries and using that knowledge to protect yourself and others. Together, let's take a proactive stance and defend against the ever-evolving digital threats that surround us. Remember, **knowledge is power, and with power comes responsibility**. šŸŽ‰Please feel free to contribute, give feedback/suggestions or reach out to me on Discord (**v4resk#0430**). Around 90%, of the content relating to "Active Directory" comes from [The Hacker Recipes](https://www.thehacker.recipes/) website. Many thanks to [Charlie Bromberg](https://twitter.com/_nwodtuhs) for his valuable work. Fell free to contribute with donation in cryptocurrency ETH/BSC: 0x6F8274f1BEF5ca774769A73AB520C5461fB22219 **Disclaimer: Use of Information and Tools on infiltr8.io** The information provided on infiltr8.io is intended for educational and informational purposes only. The website offers resources related to penetration testing (pentest) and red teaming, with the goal of enhancing cybersecurity awareness and knowledge. **1\. No Unlawful Activities:** Users are strictly prohibited from using any information, tools, or resources provided on this website for any unlawful activities. Engaging in unauthorized access, malicious hacking, or any activities that violate applicable laws and regulations is strictly against our principles. **2\. Ethical Use:** All content on infiltr8.io is meant to be used ethically and responsibly. Users are encouraged to adhere to ethical guidelines and legal standards when applying the information, tools, or methodologies discussed on the website. **3\. User Responsibility:** Users are solely responsible for their actions and the consequences that may arise from using the information presented on the website. infiltr8.io and its contributors will not be held liable for any misuse or illegal activities carried out by individuals using the provided content. **4\. No Guarantees:** While we strive to provide accurate and up-to-date information, infiltr8.io makes no guarantees regarding the completeness, accuracy, or reliability of the content. Users are encouraged to verify information independently and use it at their own discretion. **5\. External Links:** The website may contain links to external resources, tools, or websites. infiltr8.io is not responsible for the content, security, or privacy practices of these external links. Users should exercise caution and review the policies of external sites. **6\. Changes to Disclaimer:** infiltr8.io reserves the right to modify or update this disclaimer at any time without prior notice. It is the user's responsibility to review the disclaimer periodically for any changes. **7\. No Endorsement:** Any mention of specific tools, products, or services on infiltr8.io does not constitute an endorsement. Users are encouraged to conduct their own research and make informed decisions. By accessing and using infiltr8.io, users acknowledge and agree to comply with the terms of this disclaimer. If you do not agree with these terms, please refrain from using the website. Last updated 2 months ago Was this helpful? This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://infiltr8.io/privacy-policy/) . AcceptReject --- # Reconnaissance | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon#theory) Theory ------------------------------------------------------------ Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. ![](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2F329872044-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FMdUKdzuqIuObdvCB3mUR%252Fuploads%252FducIfl8WIIHgsQ1TuXTH%252Fkillchain-in.png%3Falt%3Dmedia%26token%3D44c6a47a-ff54-4159-9f45-61bf27e2dbc6&width=768&dpr=4&quality=100&sign=2eab3571&sv=2) The Unified Kill Chain - in phase [](https://red.infiltr8.io/redteam/recon#resources) Resources ------------------------------------------------------------------ [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fattack.mitre.org%2Ftheme%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=c87b0706&sv=2)Reconnaissance, Tactic TA0043 - Enterprise | MITRE ATT&CKĀ®attack.mitre.org](https://attack.mitre.org/tactics/TA0043/) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fwww.unifiedkillchain.com%2Fassets%2Ffavicons%2Fandroid-icon-192x192.png&width=20&dpr=4&quality=100&sign=7d1bba5a&sv=2)Unified Kill Chain: Raising Resilience Against Cyber Attackspaulpols](https://www.unifiedkillchain.com/#thescience) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Ftryhackme.com%2Fapple-touch-icon.png&width=20&dpr=4&quality=100&sign=ea369212&sv=2)TryHackMe | Cyber Security TrainingTryHackMe](https://tryhackme.com/room/recon) Last updated 1 year ago Was this helpful? --- # DNS Enumeration | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/dns-enum#theory) Theory --------------------------------------------------------------------- Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk. Each domain can use different types of DNS records. Some of the most common types of DNS records include: * **NS**: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain. * **A**: Also known as a host record, the "_a record_" contains the IPv4 address of a hostname (such as www.megacorpone.com). * **AAAA**: Also known as a quad A host record, the "_aaaa record_" contains the IPv6 address of a hostname (such as www.megacorpone.com). * **MX**: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records. * **PTR**: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address. * **CNAME**: Canonical Name Records are used to create aliases for other host records. * **TXT**: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification. [](https://red.infiltr8.io/redteam/recon/dns-enum#practice) Practice ------------------------------------------------------------------------- Dig Host Nslookup DNSRecon DNSMap DNSEnum dnsdumpster The dig (domain information groper) command is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the queried name server(s). Copy # Simple DNS resolution dig domain.com #Enum records dig MX domain.com dig NS domain.com dig A domain.com dig txt domain.com dig AAAA domain.com #If supported by the DNS server, we can use the ANY query and dump all records dig any domain.com #Zone transfert dig axfr domain.com @ns.domain.com Using the host command, we may perform DNS and revers DNS enumeration Copy # Simple DNS resolution host domain.com # Enum records host -t MX www.domain.com host -t NS domain.com host -t A domain.com host -t txt domain.com host -t AAAA domain.com # Reverse DNS # Works if the DNS is configured with a PTR record host 149.56.244.87 # Bash script reverse DNS lookup an IP addresses range for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" Nslookup is a native **Windows & Linux** command that may be used as a [LOLBAS](https://red.infiltr8.io/redteam/evasion/living-off-the-land/lolbas) to perform DNS enumeration Copy # Simple DNS resolution nslookup domain.com # Enum records, you may use set=all nslookup > set type=ns > domain.com # Specify a DNS server nslookup > server 10.10.10.8 > domain.com # One-liner: request TXT records for info.domain.com on 10.10.10.8 DNS server nslookup -type=TXT info.domain.com 10.10.10.8 # Reverse DNS # Works if the DNS is configured with a PTR record nslookup 149.56.244.87 [DNSRecon](https://github.com/darkoperator/dnsrecon) is a Python script that provides the ability to perform DNS enumeration. Copy #Basic enum dnsrecon -d domain.com # -t std for standar scan dnsrecon -d domain.com -t std #Brute force domains and hosts dnsrecon -t brt -d domain.com -D /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt #Bing (-b) and yandex (-y) search enum dnsrecon -by -d domain.com #Zone transfert dnsrecon -a -d domain.com #DNSSEC zone walk dnsrecon -z -d domain.com [DNSMap](https://github.com/makefu/dnsmap) scans a domain for common subdomains using a built-in or an external wordlist (if specified using -w option). The internal wordlist has around 1000 words Copy #Brute force domains and hosts dnsmap domain.com -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt [DNSEnum](https://github.com/fwaeytens/dnsenum) Dnsenum is a multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks. The main purpose of Dnsenum is to gather as much information as possible about a domain. Copy dnsenum domain.com [dnsdumpster](https://dnsdumpster.com/) is a usefull website to perform DNS enumeration. [](https://red.infiltr8.io/redteam/recon/dns-enum#ressource) Ressource --------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fattack.mitre.org%2Ftheme%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=c87b0706&sv=2)Gather Victim Network Information: DNS, Sub-technique T1590.002 - Enterprise | MITRE ATT&CKĀ®attack.mitre.org](https://attack.mitre.org/techniques/T1590/002/) Last updated 1 year ago Was this helpful? --- # Host Discovery | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/host-discovery#theory) Theory --------------------------------------------------------------------------- One of the very first steps in network recon is to reduce a set (sometimes huge) of IP ranges to a list of active or interesting hosts. Scanning all the ports of each IP is slow and often pointless. Nmap offers a wide variety of host discovery techniques beyond the standard ICMP echo request. [](https://red.infiltr8.io/redteam/recon/host-discovery#practice) Practice ------------------------------------------------------------------------------- Nmap #### [](https://red.infiltr8.io/redteam/recon/host-discovery#network-sweep) Network Sweep When performing a network sweep with Nmap using the `-sn` option, the host discovery process consists of more than just sending an ICMP echo request. Nmap also sends a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request to verify whether a host is available. By default, on an ethernet LAN, nmap will perform an [ARP scan](https://red.infiltr8.io/redteam/recon/host-discovery#arp-scan) . Copy # Network sweep for IP Range nmap -sn 192.168.50.1-200 # Network sweep for IP Range using CIDR nmap -sn 192.168.50.0/24 #### [](https://red.infiltr8.io/redteam/recon/host-discovery#tcp-syn-ping) TCP SYN Ping The `-PS` option sends an empty TCP packet with the SYN flag set. The default destination port is 80. Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive. Copy # TCP SYN Ping nmap -sn -PS 192.168.50.0/24 # TCP SYN Ping with custom ports nmap -sn -PS22-25,80,113,1050,35000 192.168.50.0/24 #### [](https://red.infiltr8.io/redteam/recon/host-discovery#tcp-ack-ping) TCP ACK Ping The TCP ACK ping is quite similar to the SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process. Copy # TCP ACK Ping nmap -sn -PA 192.168.50.0/24 # TCP ACK Ping with custom ports nmap -sn -PA22-25,80,113,1050,35000 192.168.50.0/24 #### [](https://red.infiltr8.io/redteam/recon/host-discovery#udp-ping) UDP Ping Another host discovery option is the UDP ping, which sends a UDP packet to the given ports. The port list takes the same format as with the previously discussed `-PS` and `-PA` options. If no ports are specified, the default is 40,125. For most ports, the packet will be empty, though for a few common ports like 53 and 161, a protocol-specific payload will be sent that is more likely to get a response. The `--data-length` option sends a fixed-length random payload for all ports. Copy # TCP ACK Ping nmap -sn -PU 192.168.50.0/24 # TCP ACK Ping with custom ports and data-length specification nmap -sn -PU53 --data-length 32 192.168.50.0/24 #### [](https://red.infiltr8.io/redteam/recon/host-discovery#icmp-ping-types) ICMP Ping Types Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Copy # -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes nmap -sn -PE 192.168.50.0/24 #### [](https://red.infiltr8.io/redteam/recon/host-discovery#arp-scan) ARP Scan One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, Hosts frequently block IP-based ping packets, but they generally cannot block ARP requests or responses. **ARP is the default scan type when scanning ethernet hosts**. The `--send-ip` option tells Nmap to send IP level packets (rather than raw ethernet) even though it is a local network. Copy # ARP Scan (useless as default) nmap -sn -PR 192.168.50.0/24 # Raw IP ping scan (don't send raw ethernet frames) nmap -n -sn --send-ip 192.168.50.0/24 [](https://red.infiltr8.io/redteam/recon/host-discovery#ressources) Ressources ----------------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fnmap.org%2Fshared%2Fimages%2Ftiny-eyeicon.png&width=20&dpr=4&quality=100&sign=f9a07fa9&sv=2)Host Discovery Techniques | Nmap Network Scanningnmap.org](https://nmap.org/book/host-discovery-techniques.html) Last updated 1 year ago Was this helpful? --- # Execution | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/weapon#theory) Theory ------------------------------------------------------------- Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. ![](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2F329872044-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FMdUKdzuqIuObdvCB3mUR%252Fuploads%252FZen9fPGc7hxG6JB7huI0%252Fkillchain-trough.png%3Falt%3Dmedia%26token%3D5c025039-4cd4-4911-83be-1bb0202dee1c&width=768&dpr=4&quality=100&sign=ec26aedd&sv=2) [](https://red.infiltr8.io/redteam/weapon#resources) Resources ------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fwww.lockheedmartin.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=49949661&sv=2)Cyber Kill ChainĀ®Lockheed Martin](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fwww.unifiedkillchain.com%2Fassets%2Ffavicons%2Fandroid-icon-192x192.png&width=20&dpr=4&quality=100&sign=7d1bba5a&sv=2)Unified Kill Chain: Raising Resilience Against Cyber Attackspaulpols](https://www.unifiedkillchain.com/) [![Logo](https://www.ired.team/~gitbook/image?url=https%3A%2F%2F386337598-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fspaces%252F-LFEMnER3fywgFHoroYn%252Favatar.png%3Fgeneration%3D1536436814766237%26alt%3Dmedia&width=48&height=48&sign=29a0b597&sv=2)What is ired.team notes? | Red Team Noteswww.ired.team](https://www.ired.team/) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Ftryhackme.com%2Fapple-touch-icon.png&width=20&dpr=4&quality=100&sign=ea369212&sv=2)WeaponizationTryHackMe](https://tryhackme.com/room/weaponization) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=4&quality=100&sign=390ef44a&sv=2)GitHub - infosecn1nja/Red-Teaming-Toolkit: This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.GitHub](https://github.com/infosecn1nja/Red-Teaming-Toolkit#Initial-Access) Last updated 1 year ago Was this helpful? --- # Subdomains enumeration | Infiltr8: The Red-Book When conducting penetration tests on a website, or on a `*.domain.com` scope, finding subdomains of the target can help widen the attack surface. There are many different techniques to find subdomains that can be divided in two main categories. [Subdomains enumeration](https://red.infiltr8.io/web-pentesting/recon/subdomain-enum) Last updated 1 year ago Was this helpful? --- # Maltego | Infiltr8: The Red-Book Last updated 2 years ago Was this helpful? --- # Specialized Search Engines | Infiltr8: The Red-Book [https://www.shodan.io/www.shodan.io](https://www.shodan.io/) [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fyastatic.net%2Fs3%2Fhome-static%2F_%2Fnova%2FJSRBlH1m.png&width=20&dpr=4&quality=100&sign=e6697c78&sv=2)YandexYandex](https://yandex.com/) Last updated 2 years ago Was this helpful? --- # Google Dorks | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/google-dorks#theory) Theory ------------------------------------------------------------------------- Google dorking is a technique of using the Google search engine to search for vulnerabilities or to retrieve sensitive data. This technique relies on the results of the exploration and indexation of websites by the Googlebot. We can perform advanced search queries using various operators that allow us to reach our goal. ![](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2F329872044-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FMdUKdzuqIuObdvCB3mUR%252Fuploads%252F7d65jPUpzjRs1tn6ywih%252Fimage.png%3Falt%3Dmedia%26token%3D1f139698-27da-4548-90ec-c06727d14436&width=768&dpr=4&quality=100&sign=ff43fb98&sv=2) [](https://red.infiltr8.io/redteam/recon/google-dorks#practice) Practice ----------------------------------------------------------------------------- Here are some operators that might be useful Copy # Specify the filetype "pdf" and search the term "email address". filetype:pdf "email address" # Search all URLs containing the word "edu" and search the term "login" in the urls. inurl:edu "login" # Searches keywords contained in the page title. intitle:pentesting # Search the term "DB_USER" contained in the given site "github.com". site:github.com "DB_USER" site:github.com "DB_PASSWORD" # Views cached content cache:example.com ### [](https://red.infiltr8.io/redteam/recon/google-dorks#google-hacking-database-ghdb) Google Hacking Database (GHDB) [The Google Hacking Database(GHDB)](https://www.exploit-db.com/google-hacking-database) is a database of search queries (dorks) used to find sensitive publicly available information or vulnerabilities. This is hosted by [exploit-db](https://www.exploit-db.com/) ### [](https://red.infiltr8.io/redteam/recon/google-dorks#useful-dorks) Useful dorks Subdomains Directory Listing You can use this google dorks to enum subdomains of a website Copy #Search for subdomains site:*.domain.com #Search for subdomains with 'admin' in title site:*.domain.com intitle:admin You can use this google dorks to enum websites with directory listing enabled Copy intitle:"Directory Listing For" intitle:"index of" [](https://red.infiltr8.io/redteam/recon/google-dorks#ressource) Ressource ------------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fwww.exploit-db.com%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=ea030137&sv=2)OffSec’s Exploit Database Archivewww.exploit-db.com](https://www.exploit-db.com/google-hacking-database) [https://exploit-notes.hdks.org/exploit/reconnaissance/google-dorks/exploit-notes.hdks.org](https://exploit-notes.hdks.org/exploit/reconnaissance/google-dorks/) Last updated 1 year ago Was this helpful? --- # Email Harvesting | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/email-harvesting#theory) Theory ----------------------------------------------------------------------------- We may attempt to obtain a list of email addresses and accounts from a domain or website. This is part of passive reconnaissance. It can provide us with useful information and help us gain initial access. [](https://red.infiltr8.io/redteam/recon/email-harvesting#practice) Practice --------------------------------------------------------------------------------- Bash theHarvester Whois We can recursively crawl a website and pipe it over a regex to extract emails. Copy # Recursively get emails on a website with wget wget -r -O crawl.txt https://target.url grep -haio "\b[a-z0-9.-]\+@[a-z0-9.-]\+\.[a-z]\{2,4\}\+\b" crawl.txt # Get emails one a specific page with curl curl -kfsSL https://target.url | grep -hio "\b[a-z0-9.-]\+@[a-z0-9.-]\+\.[a-z]\{2,4\}\+\b" [theHarvester](https://github.com/laramies/theHarvester) is used to gather open source intelligence (OSINT) on a company or domain. The tool gathers names, emails, IPs, subdomains, and URLs by using multiple public resources. Copy #Search using bing theHarvester -d target.url -b bing Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them. We may find emails and other valuable information. Copy whois target.url Last updated 1 year ago Was this helpful? --- # Files Metadata | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/files-metadata#theory) Theory --------------------------------------------------------------------------- To identify potential target users and gather information about their operating systems and installed application software, we might review the metadata of publicly accessible documents linked to the target organization. [](https://red.infiltr8.io/redteam/recon/files-metadata#practice) Practice ------------------------------------------------------------------------------- Exiftool We may find and download target organization's publicly accessible documents by using [google dorks](https://red.infiltr8.io/redteam/recon/google-dorks) such as `site:example.com filetype:pdf` or by directly downloading files from the organization's website. Then, exfitool can be used to inspect metadata tags Copy # -u : Display unknown tags # -a : Display duplicated tags exiftool -u -a corpo-image.png Last updated 2 years ago Was this helpful? --- # Vulnerability Scanning | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/vulnerability-scanning#theory) Theory ----------------------------------------------------------------------------------- We may scan victims for vulnerabilities that can be used for exploitation. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit that we may seek to use. [](https://red.infiltr8.io/redteam/recon/vulnerability-scanning#practice) Practice --------------------------------------------------------------------------------------- Nmap - NSE Nesus We may use the [Nmap Scripting Engine (NSE)](https://nmap.org/book/man-nse.html) to perform automated vulnerability scans. NSE scripts expand upon Nmap's core capabilities to perform a wide range of network related functions. These functions are organized into categories that revolve around specific use cases, [listed here](https://nmap.org/book/nse-usage.html#nse-categories) . You can list all scripts under following directory: Copy ls /usr/share/nmap/scripts/*.nse For vulnerability scanning, we are mainly interested in the `**vuln**` category. Note that each script may have several categories such as `vuln`, `safe` or `intrusive`. The **script.db** file serves as a comprehensive catalog of all accessible NSE scripts, enabling us to obtain the list of scripts falling within the vulnerability (vuln) category. Copy cat /usr/share/nmap/scripts/script.db | grep "\"vuln\"" We maye use the Nmap Scripting Engine (NSE) as follow for vulnerability scanning Copy # Vulnerability scanning using all scripts nmap -sS -sV --script "vuln" # Vulnerability scanning only using safe scripts nmap -sS -sV --script "vuln and safe" # Vulnerability scanning using a custom script wget https://raw.githubusercontent.com/RootUp/PersonalStuff/master/http-vuln-cve-2021-41773.nse mv http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/ nmap --script-updatedb nmap -sS -sV --script="http-vuln-cve-2021-41773" [Nessus](https://www.tenable.com/downloads/nessus?loginAttempted=true) is a powerfull vulnerability scanner that can perform multiple type of scan, Its available as Nessus Essentials wich is free and allow scanning 16 different IP addresses and Nessus Professional. It can perform: * [Host Discovery](https://red.infiltr8.io/redteam/recon/host-discovery) scans * Compliance scans (available with Nessus Pro) * Vulnerability Scans Vulnerability scans may be: * **Authenticated:** scans for missing operating system patches and outdated applications. * **Unauthenticated**: Mainly network scans that identify commonly known, exploitable vulnerabilities. [](https://red.infiltr8.io/redteam/recon/vulnerability-scanning#resources) Resources ----------------------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fattack.mitre.org%2Ftheme%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=c87b0706&sv=2)Active Scanning: Vulnerability Scanning, Sub-technique T1595.002 - Enterprise | MITRE ATT&CKĀ®attack.mitre.org](https://attack.mitre.org/techniques/T1595/002/) Last updated 8 months ago Was this helpful? --- # TCP/UDP Service Scanning | Infiltr8: The Red-Book [](https://red.infiltr8.io/redteam/recon/tcp-udp-service-scanning#theory) Theory ------------------------------------------------------------------------------------- We may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. Blindly conducting port scans can lead to detrimental consequences for both the target systems and the client network. This is primarily due to the potentially high volume of traffic generated by these scans, coupled with their intrusive nature. Such consequences may include server and network link overloads, as well as the triggering of intrusion detection and prevention systems (IDS/IPS). TCP and UDP or protocols of the TCP/IP transport layer. They exchange data receipt acknowledgments and retransmit missing packets to ensure that packets arrive in order and without error. End-to-end communication is referred to as such. * **TCP:** Applications can interact with one another using [TCP](https://www.geeksforgeeks.org/what-is-transmission-control-protocol-tcp/) as though they were physically connected by a circuit. TCP transmits data in a way that resembles character-by-character transmission rather than separate packets. A starting point that establishes the connection, the whole transmission in byte order, and an ending point that closes the connection make up this transmission. * **UDP:** The datagram delivery service is provided by [UDP](https://www.geeksforgeeks.org/user-datagram-protocol-udp/) , the other transport layer protocol. Connections between receiving and sending hosts are not verified by UDP. Applications that transport little amounts of data use UDP rather than TCP because it eliminates the processes of establishing and validating connections. [](https://red.infiltr8.io/redteam/recon/tcp-udp-service-scanning#practice) Practice ----------------------------------------------------------------------------------------- UNIX-Like Windows [Nmap](https://nmap.org/download) is one of the most popular, versatile, and robust port scanners available. Copy # Nmap TCP CONNECT scan ## -sT: TCP Connect scan ## -p3388-3390: port range nmap -sT -p3388-3390 # Nmap SYN TCP scan (stealthy) nmap -sS # Nmap UDP scan nmap -sU # Nmap Full scan ## -sV: Version scan ## -sC: Script scan ## -O: OS Scan ## --osscan-guess: Guess OS more aggressively ## -oN: Output to file (normal format) ## -p-: Scan all ports nmap -sS -sV -sC -O --osscan-guess -oN nmap.txt -p- [Netcat](https://nmap.org/download) also may be used to scan tragets for open ports Copy # netact TCP CONNECT scan ## ## -n: numeric‐only IP addresses, no DNS ## -vv: verbose level ## -w: request timeout (in second) ## -z: zero‐I/O mode (scan mode) ## 3388-3390: port range to scan nc -nvv -w 1 -z 3388-3390 # netact UDP scan ## -u: UDP mode ## 120-123: port range to scan ## If no "ICMP port unreachable" message sent back, port is likely open/filtred nc -nv -u -z -w 1 120-123 The [Test-NetConnection](https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps) powershell cmdlet checks if an IP responds to ICMP and whether a specified TCP port on the target host is open. Copy # Scan for one port Test-NetConnection -Port However `Test-NetConnection` send additional traffic that is non needed for our purposes Using the Net.Sockets.TcpClient object, we can script a service scan Copy # Loop to scan the first 1024 ports 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("TARGET_IP", $_)) "TCP port $_ is open"} 2>$null [](https://red.infiltr8.io/redteam/recon/tcp-udp-service-scanning#ressources) Ressources --------------------------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fattack.mitre.org%2Ftheme%2Ffavicon.ico&width=20&dpr=4&quality=100&sign=c87b0706&sv=2)Network Service Discovery, Technique T1046 - Enterprise | MITRE ATT&CKĀ®attack.mitre.org](https://attack.mitre.org/techniques/T1046/) Last updated 1 year ago Was this helpful? --- # GitHub Recon | Infiltr8: The Red-Book Theory Online repositories of code hold a window into an organization's technology stack, revealing the programming languages and frameworks they employ. In some rare instances, developers have unintentionally exposed sensitive information, including critical data and credentials, within public repositories. These inadvertent revelations may present a unique opportunity us. [](https://red.infiltr8.io/redteam/recon/open-source-code#practice) Practice --------------------------------------------------------------------------------- ### [](https://red.infiltr8.io/redteam/recon/open-source-code#github-dorks-and-sensitive-data-exposure) Github Dorks & Sensitive Data Exposure To automate the process of searching sensitives files and hardcoded credentials in **Git repositories**, we may use following tools Github Dorks GitHound Noseyparker GitHunt Gitleaks Gitrob [Github-dorks](https://github.com/techgaun/github-dorks) is a python tools used to search leaked secrets via github search. Its collection of Github dorks can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. Copy # search a single repo github-dork.py -r techgaun/github-dorks # search all repos of a user github-dork.py -u techgaun # search all repos of an organization github-dork.py -u dev-nepal Alternatively, we can manualy search for specific dorks, without using [Github-dorks](https://github.com/techgaun/github-dorks) : ![](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2F329872044-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FMdUKdzuqIuObdvCB3mUR%252Fuploads%252Frdw94K7pGEHMpzNc6dO4%252FCapture%2520d%25E2%2580%2599%25C3%25A9cran_2024-08-22_00-29-55.png%3Falt%3Dmedia%26token%3D9a41fc86-04f6-426d-b87c-09204452c9be&width=768&dpr=4&quality=100&sign=dea901c3&sv=2) Examples of Github Dorks are : Dork Description filename:.npmrc \_auth npm registry authentication data filename:.dockercfg auth docker registry authentication data extension:pem private private keys extension:ppk private puttygen private keys filename:id\_rsa or filename:id\_dsa private ssh keys filename:wp-config.php wordpress config files filename:.env MAIL\_HOST=smtp.gmail.com gmail smtp configuration (try different smtp services too) shodan\_api\_key language:python Shodan API keys (try other languages too) /"sk-\[a-zA-Z0-9\]{20,50}"/ language:Shell Open AI API Keys "api\_hash" "api\_id" Telegram API token [GitHound](https://github.com/tillson/git-hound) hunts down exposed API keys and other sensitive information on GitHub using GitHub code search, pattern matching, and commit history searching. Copy # Basic Usage git-hound --subdomain-file subdomains.txt echo "\"example.com\"" | git-hound # Searching for exposed API keys echo "api.halcorp.biz" | githound --dig-files --dig-commits --many-results --rules halcorp-api-regexes.txt --results-only | python halapitester.py # Bug Bounty Hunters: Searching for leaked employee API tokens echo "\"uberinternal.com\"" | githound --dig-files --dig-commits --many-results --languages common-languages.txt --threads 100 [Noseyparker](https://github.com/praetorian-inc/noseyparker) is a command-line program that finds secrets and sensitive information in textual data and Git history. Copy # Scan a repo noseyparker scan --datastore np.myDataStore --git-url # Scan all repo of an user noseyparker scan --datastore np.myDataStore --github-user # Scan all repo of an organization noseyparker scan --datastore np.myDataStore --github-organization # Show result of a scan noseyparker report -d np.myDataStore [GitHunt](https://github.com/v4resk/GitHunt) is a (Python) tool for detecting sensitive data exposure in GitHub repositories, leveraging GitHub's search functionality. Copy # See available hunting modules python GitHunt.py hunt -h # Hunt for OpenAI API Keys python GitHunt.py hunt -m OpenAI # Export all valid OpenAI API keys found in a json python GitHunt.py db -m OpenAI -f json -o ~/export.json [Gitleaks](https://github.com/gitleaks/gitleaks) (Go) is a SAST tool for **detecting** and **preventing** hardcoded secrets like passwords, api keys, and tokens in git repos. Copy ./gitleaks detect -v -r= [Gitrob](https://github.com/michenriksen/gitrob) (Go) is a tool to help find potentially sensitive files pushed to public repositories on Github. It will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. Gitrob will need a Github access token in order to interact with the Github API. See [Create a personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/) . Copy # Run it ! # With an organization/user profile (i.e v4resk) gitrob -github-access-token [](https://red.infiltr8.io/redteam/recon/open-source-code#resources) Resources ----------------------------------------------------------------------------------- [![Logo](https://red.infiltr8.io/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=4&quality=100&sign=390ef44a&sv=2)GitHub - techgaun/github-dorks: Find leaked secrets via github searchGitHub](https://github.com/techgaun/github-dorks) Last updated 10 months ago Was this helpful? --- # Email Protection | Cloudflare Please enable cookies. Email Protection ================ You are unable to access this email address red.infiltr8.io ----------------------------------------------------------- The website from which you got to this page is protected by Cloudflare. Email addresses on that page have been hidden in order to keep them from being accessed by malicious bots. **You must enable Javascript in your browser in order to decode the e-mail address**. If you have a website and are interested in protecting it in a similar way, you can [sign up for Cloudflare](https://www.cloudflare.com/sign-up?utm_source=email_protection) . * [How does Cloudflare protect email addresses on website from spammers?](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/) * [Can I sign up for Cloudflare?](https://developers.cloudflare.com/fundamentals/setup/account/create-account/) Cloudflare Ray ID: **9a1471087d242010** • Your IP: Click to reveal 54.237.218.47 • Performance & security by [Cloudflare](https://www.cloudflare.com/5xx-error-landing) ---