Complete Red Team Recon Fundamentals.

Sagar Shewale
12 min read · Dec 10, 2023

Hello my dear friends, welcome back to my new article. This is your friend Sagar. I hope you are all well, safe and secure at home, in your country, wherever you are.

Today I’m back with another new and interesting hot topic about ethical hacking and pentesting, because this is going to be an important topic that you should not miss out on at any cost !!!

From the title you can guess that today we will cover the complete red team reconnaissance fundamentals from start to end.
In this session we will see the tools, tactics, techniques and some bonus points at the end of the topic.

Before starting the blog, I have a small request for all of you: I always write articles on cyber security, ethical hacking and penetration testing, so if you don’t follow me yet, follow me first and clap on this article, because that gives me motivation to write something new !!

If you don’t follow me on my socials yet, here they are.

My-Twitter
My-Linkedin
My-GitHub

Thank you !!!
Let’s Start !!!

✦ Introduction Of Red Teaming ✦

What Is Red Teaming ?
Red teaming is basically the practice, carried out by a group of security professionals, of finding vulnerabilities and bugs in systems and exploiting them. Red teaming is distinguished from traditional security assessments (like penetration testing) by its broader and more adversarial approach: it goes beyond finding technical vulnerabilities and considers the entire attack surface, including social engineering, physical security and organizational processes.

What Is Recon ?
Recon, or reconnaissance, is the process of gathering as much information as possible about the target, both passively and actively.

There are mainly 2 types of recon, which we are going to see in this article.

  1. Passive Recon
  2. Active Recon

Let’s see each recon type in depth !!!

⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚

▶ Passive Recon :

Passive recon is a method of information gathering and footprinting without interacting with the target server or system. We gather the information from public sources: whois databases, DNS records, OSINT, news, magazines, websites, leaked databases and search engines. The target sees no traffic from you, which is exactly why it comes first.

Let’s discuss some passive recon methods as follows !!! 👇

1. Google Dorks :

Google dorks are basically Google search keywords (operators) used to filter the results.
Google Dorking, also known as Google hacking or Google-fu, refers to the use of advanced search operators such as site:, inurl:, intitle: and filetype: to refine and narrow down search results, for example to find exposed documents, login pages or directory listings on a target’s domain.

I have already written an article on Google dorks. 👇

2. Hacker’s Search Engine :

Search engines are among the most important and powerful resources for getting information about any target. In this case most of the information is public, such as email addresses, usernames, servers, IoT devices, vulnerabilities and much more.

Here you can get the top 20+ hacker search engines !!! 👇

✵ Top 24 Hackers Search Engine You have to Know. ✵
✵ All Hackers Search Engine You have to Know. ✵

3. OSINT :

OSINT, which means “Open Source INTelligence”, is the collection and analysis of data gathered from openly available sources, including social media, websites, images, organizations, people, networks and many more.
We try to gather as much publicly available information as possible.
In this case, we gather the information from the following things:

News, Magazine, Ads, Journal, Conference of Organization, Annual Reports, Websites Footprinting, Forums, Social Media OSINT, Archive Information, Default Password, Organization Background, Company Directory, Location Details, Companies Phone Numbers, Leaked Information & Database From Hackers Forum Sites.

I have written an article on this before, which you must check out !! 👇
You will get everything I mentioned above, plus a huge number of tools which will help you perform better and better !!!

Here you can get the Social Media OSINT guidance !! 👇
Using social media OSINT you can get information such as employees’ phone numbers, email addresses, personal websites, job information, dates of birth, usernames and many more things !!!

I’m not going to list tools here; as I mentioned, the articles above already contain lots of them !!!

4. Passive Network & Web Information Gathering Tools :

Passive network & web recon gives you lots of information such as whois records, IP addresses, domains, subdomains, name servers, mail servers and many more. A DNS zone transfer (AXFR) is often listed here too, but it means sending a request to the target’s own authoritative name server, so strictly it is an active technique.

There are a few tools for passive recon. In this article you’ll get all about website footprinting in depth, with tons of tools. 👇

Here are some passive network recon tools to gather information about a network. In this list, some tools (Traceroute, DnsEnum, DnsRecon, Amass, Recon-NG) are used for active as well as passive recon !! 👇

☛ Nslookup
☛ Dig
☛ Host
☛ Whois

Traceroute
DnsDumpster
DnsEnum
DnsRecon
Netcraft
WhatWeb
Httrack
Metasploit
Recon-NG
Amass
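As an added example (not part of the original article), the following Python script shows what you actually do with the output of tools like dig: it parses a constructed `dig +noall +answer` answer section for a fictional domain, example.test, and pulls out the name servers, mail exchangers, SPF senders, DMARC policy and the third-party providers the target relies on. The domain, the records and the two-label “registered domain” shortcut are assumptions made for illustration; real tooling should use the Public Suffix List.

```python
"""Passive DNS footprinting: parse the answer section that `dig +noall +answer`
prints and pull out what a recon analyst looks for (name servers, mail exchangers,
SPF senders, DMARC policy, third-party providers). Sample data is constructed."""
import re

# Constructed sample output for a fictional target; not a real capture.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18.1 <<>> example.test NS MX TXT
example.test.           3600    IN      NS      ns1.example.test.
example.test.           3600    IN      NS      ns2.hosting-provider.test.
example.test.           300     IN      MX      10 mail.example.test.
example.test.           300     IN      MX      20 backup-mx.mailvendor.test.
example.test.           300     IN      TXT     "v=spf1 include:_spf.mailvendor.test ip4:203.0.113.0/24 ~all"
example.test.           300     IN      TXT     "google-site-verification=abc123"
_dmarc.example.test.    300     IN      TXT     "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
"""

# name  ttl  class  type  rdata  (the layout dig uses in its answer section)
RECORD_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$')


def parse_dig(output):
    """Return (name, ttl, rtype, rdata) tuples; comment (';') and blank lines are skipped."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip('.'), int(ttl), rtype, rdata.strip()))
    return records


def txt_value(rdata):
    """Join the quoted chunks of a TXT rdata (long TXT records are split into several strings)."""
    return ''.join(re.findall(r'"([^"]*)"', rdata))


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels. Real tooling should use the
    Public Suffix List (co.uk etc.); this simplification is an assumption of the example."""
    return '.'.join(host.rstrip('.').split('.')[-2:])


def footprint(records):
    """Summarise the records the way an analyst reads them."""
    fp = {'ns': [], 'mx': [], 'spf_includes': [], 'spf_ip4': [], 'dmarc_policy': None}
    for _name, _ttl, rtype, rdata in records:
        if rtype == 'NS':
            fp['ns'].append(rdata.rstrip('.'))
        elif rtype == 'MX':
            prio, host = rdata.split()
            fp['mx'].append((int(prio), host.rstrip('.')))
        elif rtype == 'TXT':
            value = txt_value(rdata)
            if value.startswith('v=spf1'):
                for token in value.split():
                    if token.startswith('include:'):
                        fp['spf_includes'].append(token[len('include:'):])
                    elif token.startswith('ip4:'):
                        fp['spf_ip4'].append(token[len('ip4:'):])
            elif value.startswith('v=DMARC1'):
                tags = dict(t.strip().split('=', 1) for t in value.split(';') if '=' in t)
                fp['dmarc_policy'] = tags.get('p')
    fp['mx'].sort()  # the lowest preference value is the primary mail exchanger
    return fp


def third_party_domains(fp, target):
    """Providers the target depends on: any NS/MX/SPF host outside the target's own domain."""
    hosts = fp['ns'] + [h for _p, h in fp['mx']] + fp['spf_includes']
    return {registered_domain(h) for h in hosts} - {registered_domain(target)}


def findings(fp, target):
    """Turn the footprint into the notes that go into the recon report."""
    notes = []
    if fp['dmarc_policy'] in (None, 'none'):
        notes.append('DMARC policy is %s: spoofed mail from %s is unlikely to be rejected'
                     % (fp['dmarc_policy'] or 'missing', target))
    for dom in sorted(third_party_domains(fp, target)):
        notes.append('third-party provider in use: ' + dom)
    for net in fp['spf_ip4']:
        notes.append('SPF-authorised sending range (likely target-owned IP space): ' + net)
    return notes


if __name__ == '__main__':
    for line in findings(footprint(parse_dig(SAMPLE_DIG_OUTPUT)), 'example.test'):
        print(line)
```

The interesting output is not the records themselves but what they imply: the second name server and the SPF include point at outside providers (hosting and mail vendors that are part of the attack surface), the ip4: range is probably the target’s own address space, and a DMARC policy of p=none means phishing mail spoofing the domain will mostly get through. None of this required a single packet to the target.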

You can also set up a target monitoring alert system, so you are notified when the target’s website, DNS or availability changes during the engagement.

Here are some “Web Monitoring Alert System” sites that you can use !! 👇
Google-Alerts
ChangeTower
VisualPing
Distill
UPTimeRobot
Pingdom
Site24x7

Hope you got it, all about passive recon. Now we will move towards active recon !!!

⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚

▶ Active Recon :

Active recon is information gathering that interacts directly with the target: you send packets, requests or probes to its systems (port scans, banner grabs, DNS brute forcing, web crawling) and analyze the responses. It gives far more detail than passive recon, but the traffic can be logged, flagged by IDS/IPS and attributed to you, so it must stay within the agreed rules of engagement.
This is the point where the red team starts emulating the tactics, techniques and procedures (TTPs) of real attackers against the organization, in a proactive and controlled manner, to identify vulnerabilities, weaknesses and potential points of exploitation.

Let’s discuss some active recon methods as follows !!! 👇

1) Network Scanning, Fingerprinting & Enumeration :

Network scanning is a crucial phase in cybersecurity and network management, as it allows individuals or organizations to gather information about the target network’s structure, devices, and vulnerabilities.

Fingerprinting involves analyzing the responses from network devices to identify their operating systems, software versions, and configurations, aiding in understanding potential weaknesses and attack vectors.

Let’s deep dive into network scanning & fingerprinting !!!! 👇

1. Host Scanning :
Identifies live hosts on a network by sending packets to potential target IP addresses and analyzing responses, helping assess the scope of a network.

2. OS Scanning :
Determines the operating system of a target system by analyzing its responses to various network probes, aiding in understanding the environment for potential vulnerabilities.

3. Trace Routing :
Maps the route that packets take to reach a destination, revealing network infrastructure and potential points of interest for further analysis or exploitation.

4. Banner Grabbing :
Extracts information from service banners, such as those of web servers or FTP services, to gather details about the software version and configuration, aiding in the identification of potential vulnerabilities.

5. Port Scanning :
Port scanning involves probing a target’s network ports to discover open services, facilitating the identification of potential entry points.

[Table: Service and Default Port Number with Scanning Tools]

6. Service Scanning :
Identifies active services running on open ports, providing insights into the specific applications and protocols in use on a target system.

7. Version Scanning :
Analyzes service responses to determine software versions, enabling the identification of known vulnerabilities associated with specific versions for targeted exploitation.
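The items above (host, port, banner, service and version scanning) are what a scanner does in sequence. The following Python script, added here as an example and not taken from the article or from any tool it mentions, runs a TCP connect scan, grabs banners from the open ports and parses product/version strings out of them. To stay offline it starts two throw-away listeners on 127.0.0.1 with constructed SSH and nginx banners; on a real engagement `host` would be the in-scope target and the signature list would come from something like Nmap’s probe database.

```python
"""TCP connect scan, banner grabbing and version parsing in one pass.
To stay offline it starts two throw-away listeners on 127.0.0.1 that answer with
constructed banners; on a real engagement `host` would be the in-scope target."""
import re
import socket
import threading

# Constructed banners (an assumption of this example); real daemons answer similarly.
SSH_BANNER = b'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n'
HTTP_REPLY = b'HTTP/1.0 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n'

def start_fake_service(reply, talks_first):
    """Listen on an ephemeral port. talks_first mimics SSH/FTP, which greet the client
    at once; otherwise the service stays silent until it receives a request (HTTP)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: end the thread
                return
            with conn:
                try:
                    if not talks_first:
                        conn.recv(1024)   # wait for the client's request
                    conn.sendall(reply)
                except OSError:      # client hung up (a bare connect scan does that)
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def free_port():
    """A port that is (almost certainly) closed, used as the negative control."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]

def connect_scan(host, ports, timeout=0.3):
    """Full three-way-handshake scan (like nmap -sT): a port is open if connect() succeeds."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports

def grab_banner(host, port, timeout=0.5):
    """Read the greeting if the service sends one; if it stays silent, poke it with HTTP HEAD."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b''
        if not data:
            s.sendall(b'HEAD / HTTP/1.0\r\nHost: ' + host.encode() + b'\r\n\r\n')
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b''
    return data.decode('latin-1')

# Minimal signatures; nmap's nmap-service-probes file holds thousands of these.
BANNER_PATTERNS = [
    ('ssh', re.compile(r'^SSH-[\d.]+-(?P<product>\S+)')),
    ('http', re.compile(r'^Server:\s*(?P<product>.+?)\s*$', re.MULTILINE)),
    ('ftp', re.compile(r'^220[ -](?P<product>.+?)\s*$', re.MULTILINE)),
]

def fingerprint(banner):
    """Map a raw banner to (service, product/version string), or ('unknown', '')."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return service, m.group('product')
    return 'unknown', ''

def scan_and_fingerprint(host, ports):
    """Scan, then banner-grab every open port: {port: (service, product)}."""
    return {p: fingerprint(grab_banner(host, p)) for p in connect_scan(host, ports)}

def demo():
    """Stand up the fake services, scan them plus a closed control port, tear down."""
    ssh_srv, ssh_port = start_fake_service(SSH_BANNER, talks_first=True)
    http_srv, http_port = start_fake_service(HTTP_REPLY, talks_first=False)
    closed = free_port()
    try:
        results = scan_and_fingerprint('127.0.0.1', [ssh_port, http_port, closed])
    finally:
        ssh_srv.close()
        http_srv.close()
    return results, ssh_port, http_port, closed
```

Two details matter in practice. A connect scan completes the handshake, so every probe lands in the target’s logs (Nmap’s default SYN scan avoids that but needs raw sockets). And some services talk first (SSH, FTP, SMTP) while others wait for you (HTTP), so a banner grabber has to handle both, which is why `grab_banner` waits briefly and then sends a HEAD request if it has heard nothing.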

8. Script Scanning :
Searches for vulnerabilities using automated scripts (for example Nmap NSE scripts run with -sC or --script) that interact with target systems, helping to uncover potential weaknesses in configurations or application logic.

9. IDS/IPS Scanning :
Probes for weaknesses in Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to assess their ability to detect and respond to malicious activities.

10. Mail Server Scanning (SMTP) :
Evaluates the security of the Simple Mail Transfer Protocol (SMTP) on mail servers, seeking vulnerabilities that could be exploited to compromise email communication.

11. Application Scanning :
Assesses the security of web applications or software by analyzing their structure, functionality, and inputs to uncover potential vulnerabilities, ensuring a robust security posture.

12. VPN Points :
VPN (Virtual Private Network) points are the entry or exit locations for encrypted network connections that give remote users access to a private network over the internet. During recon, note every exposed VPN endpoint and, where a banner or login page reveals it, the vendor and version, because these appliances are a common way into the internal network.

13. Default Password :
Default passwords are pre-set, often generic, login credentials assigned to devices or applications. Failure to change default passwords poses a significant security risk, making systems susceptible to unauthorized access.

14. Misconfiguration :
Misconfiguration refers to errors in system setup or settings that can lead to security vulnerabilities. Inadequate configurations may expose sensitive data or create unintended access points, compromising the overall security posture.

15. Authentication Mechanisms :
Authentication mechanisms are processes that verify the identity of users or systems attempting access. Robust authentication methods, such as multi-factor authentication, enhance security by ensuring only authorized entities gain entry.

16. Active IP Addresses :
Active IP addresses are currently in use on a network, indicating live devices. Monitoring and managing active IP addresses are crucial for security, as unauthorized or rogue devices may pose threats if undetected on the network.

17. Network IP Information :
Network IP Information comprises the following elements:

  • IP Address: A unique numeric label assigned to each device on a network, facilitating communication and identification.
  • Subnet Mask: Determines the network and host portions of an IP address, aiding in efficient addressing by defining the boundary between network and device.
  • IP Range: The set of consecutive IP addresses within a network, determined by the combination of the IP address and subnet mask, defining the scope of addresses available for devices on that network.

18. Network Topology & Routing Tables :
Mapping network topology means representing the layout and interconnections of devices within a network, using symbols and lines to depict relationships and data flow. Tools like traceroute can reveal information about the network infrastructure.
A tool you can use to identify network topology is SolarWinds Network Topology Mapper.

19. DNS Scanning :
DNS scanning is the systematic querying of Domain Name System (DNS) servers to gather information about domain names and associated IP addresses, identifying potential targets, services and misconfigurations.
It enables reconnaissance by revealing valuable details like subdomains, mail servers and network structure, helping testers understand the attack surface for further analysis. Brute-forcing subdomains or attempting a zone transfer (AXFR) sends queries to the target’s (or its provider’s) name servers, so it counts as active recon.

20. VoIP Scanning :
VoIP scanning in pentesting involves identifying vulnerabilities in Voice over Internet Protocol systems. It assesses the security of communication networks, helping to uncover potential weaknesses that could be exploited. You can gather the information about VoIP Using OSINT.

21. Fuzzing & Content Discovery :
Fuzzing involves sending random or malformed data to identify vulnerabilities in software. Content discovery involves scanning a target for hidden or unlinked web pages, directories and resources, and enumerating subdomains, helping to identify potential attack vectors or sensitive information during a penetration test.
Here are some tools for fuzzing and content discovery.
Dirb
Dirbuster
Gobuster
Dirsearch
Wfuzz
FFUF
Feroxbuster
Kiterunner
☛ BurpSuite Intruder

Here are some tools for subdomain enumeration.
Knockpy
Sublist3r
Turbolist3r
Subfinder
Assetfinder
Amass
Findomain
Subbrute

You can use other tools as per your comfort !!
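Added example (not code from the article or from the tools listed): a minimal content-discovery loop in Python that does what dirb, gobuster and ffuf do, with the one check beginners forget, calibrating against the server’s “not found” response so soft-404 pages (a 200 for every unknown path) do not flood the results. The target is a throw-away local HTTP server with constructed routes, so it runs offline; the wordlist, extensions and routes are made up for the demonstration.

```python
"""Content discovery (what dirb, gobuster and ffuf do): request wordlist-derived
paths and keep the responses that differ from the server's "not found" signature.
Runs against a throw-away local HTTP server with constructed routes, so it works offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target (an assumption of this example). Note the catch-all: unknown paths
# get a 200 with a fixed decoy page (a "soft 404"), which defeats naive status filtering.
ROUTES = {
    '/': (200, b'<html>home</html>'),
    '/admin/': (403, b'forbidden'),
    '/backup.zip': (200, b'PK\x03\x04' + b'\x00' * 60),
    '/robots.txt': (200, b'User-agent: *\nDisallow: /old/\n'),
}
SOFT_404 = (200, b'<html>nothing here, but the status is still 200</html>')


class TargetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = ROUTES.get(self.path, SOFT_404)
        self.send_response(status)
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo's output quiet


def start_target():
    srv = HTTPServer(('127.0.0.1', 0), TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


# Tiny wordlist and extension set; real runs use SecLists-sized lists.
WORDLIST = ['admin', 'backup', 'robots', 'old', 'login', 'uploads', 'config']
EXTENSIONS = ['', '/', '.txt', '.zip', '.php', '.bak']


def probe(host, port, path):
    """One request; the (status, body length) pair is the response signature we compare."""
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        conn.request('GET', path)
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def calibrate(host, port):
    """Request a path that cannot exist to learn the not-found signature (like ffuf -ac)."""
    return probe(host, port, '/zz-does-not-exist-9f1c')


def discover(host, port, words=WORDLIST, exts=EXTENSIONS):
    """Brute-force word+extension combinations; keep anything that is not the not-found signature."""
    baseline = calibrate(host, port)
    hits = {}
    for word in words:
        for ext in exts:
            path = f'/{word}{ext}'
            signature = probe(host, port, path)
            if signature != baseline:
                hits[path] = signature
    return hits


def demo():
    """Start the constructed target, run discovery against it, shut it down."""
    srv, port = start_target()
    try:
        return discover('127.0.0.1', port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == '__main__':
    for path, (status, size) in sorted(demo().items()):
        print(f'{status} {size:>6}  {path}')
```

Without the calibration step every one of the 42 requests would come back 200 and look like a hit; with it, only the three real paths survive, including the 403 on /admin/, which is still worth reporting because it proves the directory exists. On a real target also add a delay or thread limit and a distinctive User-Agent agreed with the client, since this traffic is noisy and will show up in web logs and WAF alerts.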

2) Organization System Information :

Organization system information is, typically, information about working user and group names, system banners, SNMP information, system architecture and many more !!!

This type of information you can get using either active or passive recon techniques !!!

Let’s discuss the following information types !!!

1. User and Groups Names :
Extract user and group information through techniques like OSINT, network reconnaissance or Active Directory enumeration to understand the user landscape within the target organization. You also need information about the system administrators, since their accounts are the most valuable targets.

2. System Banners :
Analyze system banners obtained from services like HTTP, FTP, or SSH to identify software versions and potential vulnerabilities. This helps in tailoring attacks to specific system weaknesses.

3. SNMP Information :
Leverage Simple Network Management Protocol (SNMP) to gather information about network devices, such as routers and switches, and potentially extract configuration details or other sensitive information.

4. System Architecture :
Investigate the overall system architecture, including the arrangement of servers, network devices, and security measures, to identify potential weak points and attack vectors.

5. Remote System Type :
Utilize tools like Nmap or banner grabbing to identify the remote system types and their associated vulnerabilities, aiding in the selection of appropriate exploitation techniques.

6. System User Names :
Enumerate system user names through techniques like testing candidate usernames against services that respond differently for valid and invalid accounts, password spraying, or querying Active Directory services, to gather a list of valid usernames for further exploitation.

7. Passwords :
Employ password cracking techniques, such as password dictionaries or rainbow tables, to identify weak or easily guessable passwords associated with user accounts within the organization. Cracking and spraying go beyond recon into credential access, so make sure the rules of engagement explicitly permit them and respect account lockout thresholds.

Gathering this information provides a comprehensive view of the target environment, allowing penetration testers to craft targeted and effective attack strategies while also assisting organizations in strengthening their security posture.

3) Active Recon Tools :

Here are some tools that are mostly used in active recon !!!

Traceroute
Telnet
Netcat
Ncat
Nmap
Netdiscover
Netstat
SMBclient
Enum4Linux
MassScan
RustScan
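Added example, not from the article: once Nmap (or MassScan/RustScan feeding Nmap) has run, the useful artefact is its XML output (-oX), which is what recon pipelines store and diff between runs. This Python script parses a constructed report for a fictional 192.0.2.0/30 range into a host/port inventory, indexes it by service and diffs two inventories to spot ports that appeared or disappeared. The element and attribute names are the ones Nmap emits; the hosts, ports and versions are made up.

```python
"""Parse Nmap XML (-oX) into a host/port inventory, index it by service and diff two
runs. The report below is constructed for this example (fictional 192.0.2.0/30 range)."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX - 192.0.2.0/30" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" ostype="Linux" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.42" method="probed" conf="10"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One dict per <host>: address, hostnames, up/down state, OS guess and port list."""
    hosts = []
    for h in ET.fromstring(xml_text.encode('utf-8')).findall('host'):
        addr = h.find("address[@addrtype='ipv4']")
        osmatch = h.find('os/osmatch')        # first (best) match; absent without -O
        host = {
            'addr': addr.get('addr') if addr is not None else None,
            'state': h.find('status').get('state'),
            'hostnames': [hn.get('name') for hn in h.findall('hostnames/hostname')],
            'os': osmatch.get('name') if osmatch is not None else None,
            'ports': [],
        }
        for p in h.findall('ports/port'):
            svc = p.find('service')
            name, product = None, ''
            if svc is not None:
                name = svc.get('name')
                product = ' '.join(x for x in (svc.get('product'), svc.get('version')) if x)
            host['ports'].append({
                'port': int(p.get('portid')),
                'proto': p.get('protocol'),
                'state': p.find('state').get('state'),
                'service': name,
                'product': product,
            })
        hosts.append(host)
    return hosts


def open_services(hosts):
    """(addr, port, proto, service, product) for every open port on a live host."""
    return [(h['addr'], p['port'], p['proto'], p['service'], p['product'])
            for h in hosts if h['state'] == 'up'
            for p in h['ports'] if p['state'] == 'open']


def by_service(hosts):
    """service name -> sorted 'addr:port' list, the view used when picking targets."""
    idx = {}
    for addr, port, _proto, service, _product in open_services(hosts):
        idx.setdefault(service, []).append(f'{addr}:{port}')
    return {k: sorted(v) for k, v in idx.items()}


def diff_open(old_hosts, new_hosts):
    """Compare two runs: (ports that appeared, ports that disappeared) as (addr, port, proto)."""
    old = {(a, p, pr) for a, p, pr, _s, _v in open_services(old_hosts)}
    new = {(a, p, pr) for a, p, pr, _s, _v in open_services(new_hosts)}
    return new - old, old - new


if __name__ == '__main__':
    for addr, port, proto, service, product in open_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f'{addr}:{port}/{proto}  {service:<8} {product}')
```

Keep every XML report with a timestamp and diff consecutive runs: a port that appears between two scans is often a change the client did not know about, and one that disappears may mean you have been detected and blocked. Parse reports you did not generate yourself with defusedxml rather than the standard-library parser, since an XML file from an untrusted source can carry entity-expansion payloads.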

Here are some tools used while performing Active Directory recon in a red team operation. Several of them (Mimikatz, LaZagne, Rubeus, SharpDump) are credential-access and post-exploitation tools rather than pure recon, but they live in the same toolkit. 👇

BloodHound
SharpHound
SharpHound3
PowerSploit
Seatbelt
PowerTools
SharpGPOAbuse
SharpDump
LaZagne
Mimikatz
Rubeus
ADRecon
PowerUpSQL
Invoke-ACLPwn
CrackMapExec
Misc-Powershell-Scripts
Pingcastle
DeathStar

Here are some more Linux networking commands you need to know !!!

4) Vulnerability Scanning :

Vulnerability scanning is a proactive security measure involving automated tools that systematically identify and assess weaknesses in computer systems, networks, or applications.

The goal is to provide organizations with insights into potential security risks, allowing them to address and patch vulnerabilities before they can be exploited by malicious actors, thereby enhancing overall cybersecurity.

Here are some tools and software used for vulnerability scanning of systems and networks !!

Acunetix
Nessus
Invicti
Nexpose
AppScan
Qualys
Burpsuite
Nikto
Nmap
Skipfish
Uniscan
Unicornscan
Openvas
Metasploit-Framework

Of the tools I have listed, some are paid and some are free; use them as per your comfort !!

That’s it !!!

⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚⮘⮚

✯ Bonus Points ✯

  1. Don’t forget to follow the proper rules of engagement while doing recon, and while pentesting as well !!
  2. Try to find out as much information as you can, because recon is the first and most important phase in pentesting. The more you recon, the bigger the attack surface and the more attack vectors you will find !!
  3. You can also use some social engineering techniques to get information about the target, if the rules of engagement allow it !!
  4. Store all the historical data that you find from different sources, including your recon data, all subdomains, your exploits, payloads and everything else you gather.
  5. Keep learning new things and don’t forget to update and grow your knowledge.
  6. Make a cheatsheet of whatever information you find !!

I hope you guys love this blog.
If you like it, then don’t forget to follow, subscribe and claps.
I’ll see you with next article.


Sagar Shewale

Penetration Testing | Linux | CTF | Hacking | OSINT | Bug Bounty Hunting