When performing a black-box test, the client may not give us all of the subdomains of their organization. In this recipe, we will cover one of the few techniques that can be used to get a list of the subdomains of an organization.

DNSdumpster: It is a free project by HackerTarget that lets us look up subdomains. It relies on https://scans.io/ for its results. It is pretty simple to use.

1. We type the domain name we want and it will show us the results of all the subdomains it could find:

In the following screenshot, we can see the subdomains of the domain packtpub.com:

In the following recipe, we will look at Shodan, which is the most useful source for knowing about what devices...

Shodan is the world's first search engine that was used to search for devices that are connected on the internet. It was launched in 2009 by John Matherly. Shodan can be used to look up webcams, databases, industrial systems, video games, and so on. Shodan mostly collects data on the most popular web services that are running, such as HTTP, HTTPS, MongoDB, FTP, and many more.

To use Shodan, we will need to create an account on Shodan.

1. Open your browser and visit https://www.shodan.io. You will see the...

Shodan Honeyscore is another great project that was built in Python. It helps us figure out whether an IP address we have found is a honeypot or a real system.

1. To use Shodan Honeyscore, visit https://honeyscore.shodan.io/, as shown:

2. Then, enter the IP address you want to check, which in this case is 8.8.8.8:

That's it! Now, let's look at the plugins for Shodan.

To make our life even easier, Shodan has plugins for Chrome and Firefox that can be used to check open ports for websites we visit on the go!

1. Download and install the plugin from https://www.shodan.io/.
2. Browse to any website. You will find that by clicking on the plugin, you can see the open ports:

In the following recipe, we will discover, monitor, and analyze devices with Censys.

Censys was created in 2017 by the developers of ZMAP. It helps users to discover, monitor, and analyze publicly available devices. Censys regularly explores every IP and popular domain names using ZMAP scans and collects this data to make it available through APIs or web interfaces. In this recipe, we will look at some of the ways to use Censys for recon.

1. Visit https://censys.io/ in your browser, as shown in the following screenshot:

2. We must be a logged-in user to perform detailed searches, which we will cover later in this recipe.

3. If we want to look for a particular IP, we can simply paste the IP in the search bar. As we can see in the following screenshot, it will give us basic information about...

Nmap or Network Mapper is a security scanner that was written by Gordon Lyon in September 1997. It is used to find hosts and services in a network. Nmap has various features and scripts that are designed to perform various tests, such as finding the OS, service version, and brute-force default logins.

The following are some of the most common types of scan:

• TCP connect() scan
• SYN stealth scan
• UDP scan
• Ping scan
• Idle scan

Let's perform the following steps:

1. Nmap is already installed in Kali Linux. We can type the following command to start it and see all the options that are available:

       nmap -h

The following screenshot shows the output of the preceding command:

2. To...

Most of the time, during a pentest, we will come across systems that are protected by firewalls or intrusion detection systems (IDS). Nmap provides different ways of bypassing these IDS firewalls to perform a port scan on a network.

In this recipe, we will learn about some of the ways of bypassing firewalls.

Let's learn how to use the ACK, TCP Window, and Idle scans.

The ACK scan is used to show unfiltered and filtered ports instead of open and closed ports:

1. The command for an ACK scan is as follows...

In the previous recipe, we discussed how to find open ports on a network IP or domain name. Once we have open ports, we often see ports running web servers on different ports. Sometimes, developers leave open directories misconfigured, which may contain juicy information for us. Here, we will look at the GoBuster. It is a tool that was built in the Go language, which can be used for brute forcing directories as well as brute forcing subdomains.

Since GoBuster is built on Go, we first need to install Go on Kali:

1. Do this by using the following command:

apt install golang

2. First, we clone the Git repository from the following URL: https://github.com/OJ/gobuster....

Most web applications today use SSL to communicate with the server. SSLscan is a great tool to check SSL for flaws or misconfigurations.

In this recipe, we will learn how to use SSLScan to perform an analysis of SSL configured on the website.

Let's perform the following steps:

1. We will look at the help manual to see the various options the tool has:

sslscan -h

The following screenshot shows the output of the preceding command:

2. To run the tool against a host, we type the following:

sslscan host.com:port

The following screenshot shows the output of the preceding command and we can see various types of information on the SSL protocol implemented on google.com:

As we can see from...

BruteSpray is another open source tool which is built on Python. It takes the input from an Nmap scan and automatically brute forces the services running with default credentials using Medusa.

Let's perform the following steps:

1. Run the following command to install brutespray on Kali:

apt install brutespray 

The following screenshot shows the output of the preceding command:

2. Once it is installed, we can run the tool with the -h flag to view the list of all features.
3. To run a default brute force on all of the services that were discovered by a previously run Nmap scan, we can use the following command:

brutespray --file scan.xml --threads 5

The following screenshot...

TheHarvester is a great tool for penetration testing as it helps us find a lot of information about a company. It can be used to find email accounts, subdomains, and so on. In this recipe, we will learn how to use it to discover data.

1. The command to the TheHarvester is pretty simple:

theharvester -d domain_name -l 20 -b all  

We can see in the following screenshot that the tool has launched and it will give us the results of anything it will find once finished:

In the preceding recipe, -d is for the domain...

There is no point starting a pentest against a web application without knowing what the actual technology is behind it. For example, it would be absolutely useless to run dirs3arch to look for files with the extension PHP when the technology is actually Asp. So, in this recipe, we will learn how to use a simple tool, WhatWeb, to reveal the technology behind a webapp. It comes by default in Kali.

1. The WhatWeb tool can be launched by using the following command:

whatweb

The following screenshot shows the output of the preceding command:

2. The domain name can be...

Masscan is an amazing tool. It is the fastest port scan tool available, and it has been claimed that it can scan the entire internet when it transmits at the speed of 10 million packets per second.

It is similar to Nmap, but it does not support and default to the port scan – all ports must be specified using -p.

In this recipe, we will learn about the usage of Masscan.

1. Masscan is simple to use. We can begin a scan of a network by using the following command:

masscan 192.168.1.0/24 -p 80,443,23  

We can also specify the packet rate by using -max-rate. By default, the rate is 100 packets per second.

CloudBunny is a tool that uses search engines such as Censys, Shodan, and Zoomeye to find the origin IP of the server. It is typically used when a company only uses a Web Application Firewall (WAF) for its main domain and leaves the subdomains unprotected. CloudBunny uses the same concept to find origin IPs of the domains. In this recipe, we will look at the usage of CloudBunny to find misconfigured Cloudflare domains.

1. Download/clone the repository from GitHub: https://github.com/Warflop/CloudBunny:

2. Next, install the Python dependencies by using the pip install -r requirements.txt command.
3. Since the tool is dependent on Shodan, Censys, and Zoomeye, we need to provide...

Kismet is a layer two wireless network detector. It comes in handy because while performing a pentest in a corporate environment, we may need to look for wireless networks as well. Kismet can sniff 802.11a/b/g/n traffic. It works with any wireless card that supports raw monitoring mode.

In this recipe, we will learn how to use Kismet to monitor Wi-Fi networks.

1. Use the following command to launch Kismet:

kismet 

The following screenshot shows the output of the preceding command:

2. Once the GUI is up, it will ask us to start the server. Choose Yes.
3. Next, we need to specify a source interface. In our case, it is wlan0, so we type that in. Make sure that the interface is in monitor...

Firewalk is a network security reconnaissance tool that helps us figure out whether our routers are actually doing the job they are supposed to do. Firewalk attempts to find which protocols a router or firewall will allow and which it will block.

This tool is incredibly useful during pentesting, and can help you verify and validate firewall policies in a corporate environment. In this recipe, we will learn about using Firewalk.

1. If firewalk is not installed, we can install it by typing the following:

apt install firewalk

The following screenshot shows the output of the preceding command:

2. We can use the following command to run firewalk:

firewalk -S 1-23 -i eth0 192.168.1.1...