Footprinting - Enumeration and Information Gathering Notes

Overview

Enumeration is a systematic approach to gathering information about target systems through both active (scanning) and passive (third-party sources) means. Unlike OSINT, which relies exclusively on passive collection, enumeration can involve direct interaction with the target infrastructure.

Core Principles

  1. Look beyond the obvious - there's always more than meets the eye

  2. Distinguish between visible and hidden information

  3. Continuously seek additional information for complete understanding

  4. Plan strategically before taking action

  5. Avoid common pitfalls like rushing into brute-force attempts

Methodology Layers

1. Internet Presence

  • Focus: External infrastructure visible on the internet

  • Key elements: Domains, subdomains, vHosts, ASN, netblocks, IP addresses, cloud instances

  • Goal: Map complete external attack surface

2. Gateway

  • Focus: Security measures and protective infrastructure

  • Elements: Firewalls, DMZ, IPS/IDS, EDR, proxies, NAC, network segmentation

  • Goal: Understand security posture and defensive layers

3. Accessible Services

  • Focus: Available services and interfaces

  • Elements: Service types, functionality, configurations, ports, versions

  • Goal: Identify potential entry points and vulnerabilities

4. Processes

  • Focus: Internal processes and relationships

  • Elements: PIDs, processed data, tasks, source/destination relationships

  • Goal: Understand system interactions and dependencies

5. Privileges

  • Focus: Access controls and permissions

  • Elements: Groups, users, permissions, restrictions

  • Goal: Identify potential privilege escalation paths

6. OS Setup

  • Focus: Operating system configuration

  • Elements: OS type, patch level, network config, sensitive files

  • Goal: Understand internal security posture

Key Areas of Investigation

Domain Information

  • Initial website analysis

  • SSL certificate examination

  • Subdomain enumeration

  • Company-hosted server identification

  • DNS record analysis

Cloud Resources

  • Focus on AWS, GCP, and Azure resources

  • Watch for misconfigured storage access

  • Check DNS records for cloud resources

  • Monitor for exposed SSH keys

Staff Information

  • LinkedIn profiles and job posts

  • Social media presence

  • GitHub repositories

  • Team structure and roles

Command Reference

SSL Certificate Enumeration

# Get JSON output of SSL certificates
curl -s "https://crt.sh/?q=domain.com&output=json" | jq .

# List unique subdomains from certificates (pulls both common_name and the newline-separated name_value SANs;
# the grep -v "CN=" drops the issuer_name lines, and the awk unfolds the literal \n between SAN entries)
curl -s "https://crt.sh/?q=domain.com&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
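The grep/cut/awk pipeline above is fragile: it splits on the literal `\n` inside `name_value`, keeps wildcard entries, and accepts any name crt.sh returns, including out-of-scope lookalikes. The following added example (not from the original notes) parses the same crt.sh JSON format properly and keeps only in-scope hostnames, which matches the "keep track of scope boundaries" practice further down; the JSON sample embedded below is constructed and does not describe real certificates.

```python
import json
import re

# Constructed sample in the shape crt.sh returns for ?q=domain.com&output=json.
# The values are made up; "domain.com.example.net" is an out-of-scope lookalike.
SAMPLE_CRTSH_JSON = """[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "domain.com",
   "name_value": "domain.com\\nwww.domain.com", "not_after": "2025-01-01T00:00:00"},
  {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
   "common_name": "*.domain.com", "name_value": "*.domain.com\\ndomain.com",
   "not_after": "2024-06-30T23:59:59"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.domain.com",
   "name_value": "MAIL.domain.com\\nautodiscover.domain.com", "not_after": "2025-03-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "domain.com.example.net",
   "name_value": "domain.com.example.net", "not_after": "2025-03-01T00:00:00"}
]"""

# Syntactically valid DNS hostname (labels of 1-63 chars, no leading/trailing hyphen).
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")


def in_scope(name: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it (label boundary respected)."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Return sorted, unique, in-scope hostnames from crt.sh JSON output."""
    names = set()
    for entry in json.loads(raw_json):
        # common_name is one name; name_value lists every SAN on the cert, newline-separated.
        candidates = [entry.get("common_name", "")] + entry.get("name_value", "").split("\n")
        for name in candidates:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: the base name is what we can actually resolve
            if name and in_scope(name, domain) and HOSTNAME_RE.match(name):
                names.add(name)
    return sorted(names)


if __name__ == "__main__":
    # Usage: curl -s "https://crt.sh/?q=domain.com&output=json" | python3 crtsh_names.py domain.com
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRTSH_JSON
    target = sys.argv[1] if len(sys.argv) > 1 else "domain.com"
    print("\n".join(subdomains_from_crtsh(raw, target)))
```

The output can be fed straight into the subdomain-to-IP loop in the next section as the `subdomainlist` file.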

DNS and Host Resolution

# Resolve subdomains to IP addresses
for i in $(cat subdomainlist); do host $i | grep "has address" | grep domain.com | cut -d" " -f1,4; done

# Get all DNS records (many authoritative servers and resolvers answer ANY with a minimal
# response per RFC 8482, so fall back to querying A, AAAA, MX, NS, TXT, SOA individually)
dig any domain.com

Shodan Reconnaissance

# Get information about multiple IP addresses
for i in $(cat ip-addresses.txt); do shodan host $i; done

Best Practices

  1. Document all findings systematically

  2. Verify information from multiple sources

  3. Keep track of scope boundaries

  4. Note unusual patterns or anomalies

  5. Maintain stealth when required by using passive techniques

Red Team Tips

  • Always consider the broader context of discovered information

  • Look for interconnections between different pieces of data

  • Document potential attack vectors for later testing

  • Keep track of access points that might be useful in later phases

  • Note default configurations and common misconfigurations for discovered services
