# Reconnaissance

### Nmap
1. Check hosts with ping scan
    - `nmap -sn 192.168.254.0/24`
    - `-sn` skips port scanning and only does host discovery
    - `-sS` (the SYN scan, nmap's default when run as root) only half-opens each connection, so it is less likely to be logged than a full `-sT` connect scan
2. After finding the correct target check open ports:
    - A default nmap scan with no flags does a `-sS` SYN (stealth) scan when run as root; without root privileges it falls back to a `-sT` connect scan
    - `nmap 192.168.254.128`
3. Check the versions of services running (-sV) and guess OS based on that (-O)
    - `nmap -sV -O 192.168.254.128`
    - Take note of the service versions reported here; they narrow down which known vulnerabilities and misconfigurations apply
    
### Evading Detection - IDS, IPS, WAF
- Check for an IDS, IPS or WAF before running anything noisy, so you know what will be logged or blocked and can avoid getting your address banned

**Nmap**
- Nmap NSE scripts can test for the presence of a WAF
    - They send requests containing known attack patterns and compare the responses against the signatures of known WAF products
1. `nmap -p 80,443 --script=http-waf-detect 192.168.254.128`
    - Tests ports 80 and 443 for a WAF using the `http-waf-detect` script
    - If an IDS/IPS/WAF is detected you will see the port and an alert in the output
2. `nmap -p 80,443 --script=http-waf-fingerprint www.example.com`
    - Tests ports 80 and 443 with the `http-waf-fingerprint` script
    - This script tries to determine the type of device (IDS/IPS/WAF) and its product name more precisely

### Checking Source Code with OWASP Mantra
- You can look at a web application's HTML code by right-clicking and selecting **View Page Source** or by pressing **F12** and switching to the source view
    - Some examples of things to look for:
        1. Libraries
        2. External files being called
        3. Subdomains being used
        4. Input fields and the type/size of data expected
- When checking with the **firebug** tool:
    1. Console: This tab will show errors, warnings, and messages generated when loading a page
    2. HTML: The default tab, showing the same HTML as **View Page Source** but as a live, expandable tree
    3. CSS: View and modify the CSS Stylings used to format the page
    4. Script: View the page's JavaScript, set breakpoints to pause execution as the page loads, and inspect variable values while scripts run
    5. DOM: Document Object Model, shows objects, values, and hierarchy
    6. Net: Displays server requests and responses, types, size, response time, and timeline order
    7. Cookies: Displays cookies set by the server, values, and parameters
    
### Editing Cookies with OWASP Mantra
- Open Cookie Manager: Click on wasp icon | Tools | Application Auditing | Cookies Manager+ | Find cookie and click "edit"
- When editing, check whether session cookies carry the **HttpOnly** flag: without it, page scripts can read the cookie through `document.cookie`, which is how an injected script turns into session hijacking, so setting it on your own application's cookies is a cheap mitigation
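As an added example (not code from the original notes or from OWASP Mantra), the following script parses the `Set-Cookie` headers of an HTTP response and reports cookies missing the flags discussed above; the response and the cookie names in it are constructed, not captured from a real server.

```python
# Added example (not from the original notes): parse the Set-Cookie headers of
# an HTTP response and report cookies that lack HttpOnly, Secure or SameSite.
# HttpOnly keeps the value out of document.cookie, so an XSS bug cannot read it;
# Secure keeps it off plaintext HTTP. The response below is constructed.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Set-Cookie: b_id=42; Path=/bodgeit/; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")

def parse_set_cookies(response):
    """Return [(cookie_name, {attribute_lower: value or True})] per Set-Cookie."""
    head = response.split("\r\n\r\n", 1)[0]      # headers only, drop the body
    cookies = []
    for header in head.split("\r\n")[1:]:        # skip the status line
        field, _, value = header.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() or True   # flag-only attrs -> True
        cookies.append((name, attrs))
    return cookies

def audit_cookies(response, required=REQUIRED_FLAGS):
    """Return {cookie_name: [missing flags]}; cookies with every flag are omitted."""
    findings = {}
    for name, attrs in parse_set_cookies(response):
        missing = [flag for flag in required if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Not every cookie needs all three flags (a display preference like `prefs` is harmless), but anything that identifies a session should have them.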

### Robots.txt
- The robots exclusion standard aka **robots.txt** is a standard used by websites to communicate with web crawlers, informing them about areas that should not be processed or scanned
- Try accessing the directories listed in robots.txt for information hidden from the public; a `Disallow` entry only asks crawlers to stay away, it does not restrict access
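As an added example (not from the original notes), this parser reads a robots.txt file, groups the rules by user-agent, and flags `Disallow` paths whose names match the admin/dev keywords listed further down these notes, so a site owner can see what the file itself gives away; the sample file is constructed, and it also serves the "Hidden/Disallowed Directories" item at the end of the page.

```python
# Added example (not from the original notes): parse robots.txt and list the
# paths each crawler is told to avoid, so a site owner can see whether the file
# itself discloses admin or development areas. Sample file is constructed here.
from collections import OrderedDict
SAMPLE_ROBOTS = """\
# constructed sample, not fetched from a real host
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /dev/
Crawl-delay: 10
"""

# keywords taken from the file/directory keyword list in these notes
SENSITIVE_KEYWORDS = ("admin", "config", "manager", "root", "dev", "test", "temp", "build")

def parse_robots(text):
    """Return {user_agent: {'disallow': [...], 'allow': [...]}} in file order."""
    groups = OrderedDict()
    agents = []             # user-agents of the record currently being read
    reading_rules = False   # True once a rule line followed the User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if ":" not in line:
            continue                           # blank or malformed line
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if reading_rules:                  # a new record begins
                agents, reading_rules = [], False
            agents.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif agents:
            reading_rules = True
            if field in ("disallow", "allow") and value:   # empty Disallow allows all
                for agent in agents:
                    groups[agent][field].append(value)
    return groups

def flag_sensitive(groups, keywords=SENSITIVE_KEYWORDS):
    """Return sorted Disallow paths whose names hint at admin or dev areas."""
    hits = set()
    for rules in groups.values():
        for path in rules["disallow"]:
            if any(key in path.lower() for key in keywords):
                hits.add(path)
    return sorted(hits)
```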

### Finding Files, Folders, and Directories
- dirbuster
    - Combined web crawler and brute-forcer: checks directories and subdirectories for hidden files and folders using a dictionary
    - Open the gui with `dirbuster`
- OWASP ZAP (Zed Attack Proxy)
    1. Open the gui with `owasp-zap`
    2. Configure proxy settings on browser to be manual `127.0.0.1 port 8080`
        - Found in **Preferences | Advanced | Network | Connection | Settings** for firefox
    3. Find list of owasp tools in **Tools | Options**
        - Attack a URL, or view the directories on the left pane and right click to select a tool to use for the attack

### Password Profiling with CeWL
- Default dictionaries pre-installed in Kali can be found in `/usr/share/wordlists/`
- The cewl tool crawls a web application's pages, extracts the words it finds and saves them to a text file, which can later be used as a dictionary
- `cewl -w cewl_WebsiteName.txt -c -m 5 http://192.168.254.128/WebsiteName/`
    - This command opens cewl, writes (-w) to a file named cewl_WebsiteName.txt, counts (-c) the words it finds, with a minimum (-m) length of 5, from http://192.168.254.128/WebsiteName/
    
### Using John the Ripper for dictionary generation
- Can apply mangling rules to dictionary words before a brute-force attack, producing the variants people commonly use
    - Can use the dictionary created with CeWL
    - `john --stdout --wordlist=cewl_WebsiteName.txt --rules > WebsiteNameDictionary.txt`
        - This command will modify words in the list by switching cases, adding suffixes/prefixes, and replacing letters with numbers and symbols
        - Saves the output to WebsiteNameDictionary.txt
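As an added example (not from the original notes and not John the Ripper's own rule engine), a small rule set in the spirit of the `--rules` step above, used here on the defending side as a registration check that rejects passwords derived from words scraped off the site; `SITE_WORDS` is a constructed stand-in for a cewl word list.

```python
# Added example (not from the original notes): a small rule set in the spirit of
# the john --rules step (case flips, common suffixes, leet swaps), used here on
# the defending side as a registration check that rejects passwords derived from
# words scraped off the site. SITE_WORDS stands in for a cewl word list.
import itertools

SITE_WORDS = ["bodgeit", "basket", "widget"]      # constructed stand-in for cewl output
SUFFIXES = ["", "1", "123", "!", "2024"]          # a few of the suffixes rules append
LEET = str.maketrans("aeios", "43105")            # letter -> digit substitutions

def mangle(word):
    """Yield every variant the rules produce for one dictionary word."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {base.translate(LEET) for base in list(bases)}   # leet-speak copies
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix

def build_dictionary(words):
    """Expand each site word through the rules, like the --rules > file step above."""
    return {variant for word in words for variant in mangle(word)}

def is_derived_from_site(password, words=SITE_WORDS):
    """True when the password equals a mangled site word and should be rejected."""
    return password in build_dictionary(words)
```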
        
### Downloading Webpages with Wget
1. Create a directory to store the files in:
    - `mkdir websitename_pages`
2. Recursively (-r) download files to directory (-P) from a website
    - `wget -r -P bodgeit_pages/ http://192.168.254.128/bodgeit/`

**Useful flags to consider with wget**
- `-l` : Level flag, limits the recursion depth wget will follow when traversing a website
    - e.g. `-l 5` will go at most 5 directories deep in a website
- `-k` : Converts links in the downloaded pages to point to the local copies, so the site can be browsed offline in a browser
- `-p` : Page requisites, downloads everything needed to render each page (images, stylesheets, scripts), even if hosted on other sites
- `-w` : Wait flag, makes wget pause the given number of seconds between downloads, useful for staying under rate limits on servers that look for automated browsers

### Using WebScarab to spider a website
1. Use Proxy server 127.0.0.1:8008 (WebScarab's default proxy port)
2. Open WebScarab and browse to website
    - e.g. `http://192.168.254.128/bodgeit/` and it will appear in the Summary tab of WebScarab
    - Find the tree you want to spider, right-click, select "Spider Website"
    - You can see possible vulnerabilities for each found URL
    - You can adjust spider settings or stop the spider in the spider tab

### Identify Useful Keywords for Files and Directories

**Login/Registration Pages for guessing usernames and passwords**
- Account, Auth, Login, Logon, Registration, Register, Signup, Signin

**Username and Password recovery vulnerabilities**
- Change, Forgot, Lost-Password, Password, Recover, Reset, Lost

**Admin application sections, functions, high-privileged tasks**
- Admin, Config, Manager, Root

**Content Management Systems (CMS) for database/server admin**
- Admin-console, Adminer, Administrator, Couch, Manager, Mylittleadmin, PhpMyAdmin, SqlWebAdmin, Wp-admin

**Finding weak testing or developmental versions**
- Alpha, Beta, Dev, Development, QA, Test, Temp, Build

**Web Server Information and Config files**
- config.xml, info, phpinfo, server-status, web.config

**Hidden/Disallowed Directories**
- Check `robots.txt` file for any files marked with `Disallow`