Lab Exercise - Learning Active and Passive Reconnaissance Using Kali Linux

The document outlines a lab exercise focused on learning active and passive reconnaissance techniques using Kali Linux. It details the objectives, required resources, and provides a list of tools for both passive and active reconnaissance, along with commands for their usage. The exercise aims to equip participants with practical skills in gathering information about targets without direct contact and through direct engagement.
Lab Exercise 3 – Learning Active and Passive Reconnaissance using Kali Linux

Objectives

▪ Part 1: Passive Reconnaissance using Kali

▪ Part 2: Active Reconnaissance using Kali

Required Resources

▪ Computer with a minimum of 8 GB of RAM and 50 GB of free disk space


▪ Kali Linux installed in VirtualBox

Part 1: Passive Reconnaissance using Kali Linux

Passive reconnaissance is a technique where the attacker gathers information on the target
without having any direct contact with the target.

In this part of the lab exercise, we will take a look at some of the tools used for passive reconnaissance.

Sr.  Tool name     Description
1.   whois         Used to find out the IP address of the domain name, domain owner, domain
                   name registry and expiry date, name servers, location etc.
2.   host          Used for name and IP address lookup. Also used for DNS related queries.
3.   nslookup      Used for querying DNS for several kinds of DNS related information.
4.   dnsrecon      Gathers information on the name servers.
5.   theHarvester  Gathers information on employees, email addresses, phone numbers etc.
6.   wafw00f       Verifies whether the site is behind a WAF or not.
7.   whatweb       Provides information on the technologies used (similar to BuiltWith).
8.   Maltego       OSINT (Open Source Intelligence) tool to gather information on an object
                   from various trustworthy sources.
9.   Websites      Provide various bits of handy information.
     (BuiltWith / Wappalyzer / shodan.io / VirusTotal / archive.org)

CECR 1003 – Cybersecurity by Design


1. Whois command

# whois hackthissite.org
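The whois step asks you to read the registrar, expiry date and name servers out of the raw output. The script below is an added example (not part of the lab handout) that pulls those fields out of whois text; the record it parses is constructed, and the label names follow the common gTLD "Key: value" layout.

```python
"""Extract the fields the lab's whois step looks for (registrar, expiry date, name
servers, registrant) from raw whois output. Added example, not part of the lab handout.
SAMPLE_WHOIS is constructed in the common gTLD "Key: value" layout; it is not a real record.
Usage: whois hackthissite.org | python3 whois_fields.py   (no stdin: parses the sample)
"""
import re
import sys
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LAB.ORG
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2026-06-01T04:00:00Z
Registrant Organization: Example Lab Org
Registrant Country: US
Name Server: NS1.EXAMPLE-LAB.ORG
Name Server: NS2.EXAMPLE-LAB.ORG
DNSSEC: unsigned
"""

# whois label -> key in the result; the first occurrence of a label wins, because the
# registry's record normally precedes the registrar's copy in the output.
FIELDS = {"Domain Name": "domain", "Registrar": "registrar",
          "Registrant Organization": "registrant_org", "Registry Expiry Date": "expires"}

def parse_whois(text):
    """Return a dict with the FIELDS keys plus a lower-cased name_servers list."""
    rec = {"name_servers": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label.lower() == "name server":
            rec["name_servers"].append(value.lower())
        elif label in FIELDS and FIELDS[label] not in rec:
            rec[FIELDS[label]] = value
    return rec

def days_until_expiry(rec, today_iso):
    """Days left on the registration as of today_iso (YYYY-MM-DD); negative means lapsed."""
    expiry = datetime.strptime(rec["expires"], "%Y-%m-%dT%H:%M:%SZ")
    return (expiry - datetime.strptime(today_iso, "%Y-%m-%d")).days

if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS if sys.stdin.isatty() else sys.stdin.read())
    print(rec)
    today = datetime.now(timezone.utc).strftime("%Y-%m-%d")
    print("days until expiry:", days_until_expiry(rec, today))
```

Registries differ in label spelling, so check the raw output once and extend FIELDS if a record uses other labels.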

2. host command

# host hackthissite.org

3. nslookup command

# nslookup hackthissite.org


4. dnsrecon command

# dnsrecon -d hackthissite.org

5. theHarvester

# theHarvester -d zonetransfer.me -b all


6. wafw00f

# wafw00f hackthissite.org

7. whatweb

# whatweb testphp.vulnweb.com

8. Maltego
Note: Usage of Maltego requires creating a free account at https://www.maltego.com/ce-registration/
Launch the tool using the command ‘maltego’

# maltego


▪ Click on "create a new graph" in the upper left hand corner
▪ Once the graph is opened, search for "domain" in the search bar. Select the domain option and
drag it into the graph workspace.
▪ Double click and change the domain name to hackthissite.org
▪ Right click on the domain and select "run all" under "all transforms".
▪ Export the results to a PDF and analyze them


Part 2: Active Reconnaissance using Kali Linux
Active reconnaissance is a technique where the attacker makes direct contact with the target
in order to gather more pertinent and accurate information.
In this part of the lab exercise, we will take a look at some of the tools used for active
reconnaissance.

Sr.  Tool name    Description
1.   netdiscover  Used to discover all the hosts and provide a map of the network
2.   nikto        Used for scanning web vulnerabilities
3.   Recon-ng     Reconnaissance tool used for both active as well as passive scans
4.   nmap         Used for network mapping and identification of live hosts, IPs and their
                  corresponding ports and OS

1. Netdiscover

# netdiscover

2. nikto

# nikto -h scanme.nmap.org


3. nmap

# nmap hackthiswebsite.org

NMAP Cheatsheet: https://www.stationx.net/nmap-cheat-sheet/


SWITCH               EXAMPLE                              DESCRIPTION
-sS                  nmap 192.168.1.1 -sS                 TCP SYN port scan (default)
-sT                  nmap 192.168.1.1 -sT                 TCP connect port scan (default without
                                                          root privilege)
-sU                  nmap 192.168.1.1 -sU                 UDP port scan
-sA                  nmap 192.168.1.1 -sA                 TCP ACK port scan
-sW                  nmap 192.168.1.1 -sW                 TCP Window port scan
-sM                  nmap 192.168.1.1 -sM                 TCP Maimon port scan
-p                   nmap 192.168.1.1 -p x                Port scan for port x
-sV                  nmap 192.168.1.1 -sV                 Attempts to determine the version of the
                                                          service running on the port
-sV --version-light  nmap 192.168.1.1 -sV --version-light Enable light mode. Lower possibility of
                                                          correctness. Faster
-A                   nmap 192.168.1.1 -A                  Enables OS detection, version detection,
                                                          script scanning, and traceroute
-O                   nmap 192.168.1.1 -O                  Remote OS detection using TCP/IP stack
                                                          fingerprinting
-D                   nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
                                                          Send scans from spoofed IPs
-oN                  nmap 192.168.1.1 -oN normal.file     Normal output to the file normal.file
-v                   nmap 192.168.1.1 -v                  Increase the verbosity level (use -vv or
                                                          more for greater effect)
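The -oN switch in the cheat sheet writes nmap's normal output to a file. The script below is an added example (not part of the lab or of nmap itself) that parses that format into a per-host inventory of ports and flags open cleartext services, which is how a defender turns a scan of their own network into an action list; the scan text, addresses, versions and watchlist are all constructed.

```python
"""Parse nmap normal output (-oN, see the cheat sheet) into a per-host port inventory
and flag open cleartext services. Added example, not part of the lab or of nmap itself.
SAMPLE_NORMAL is constructed to match the -oN layout; addresses and versions are made up.
Usage: python3 nmap_inventory.py normal.file   (no argument: parses the sample)
"""
import re
import sys

SAMPLE_NORMAL = """\
# Nmap 7.94 scan initiated Tue Mar  5 10:00:00 2024 as: nmap -sV -oN normal.file 192.168.1.0/24
Nmap scan report for 192.168.1.1
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    Apache httpd 2.4.52 ((Ubuntu))
443/tcp  filtered https

Nmap scan report for 192.168.1.23
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")  # "name (ip)" when nmap resolves names
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Cleartext services a defender would not expect to find open; constructed watchlist.
WATCHLIST = {"telnet", "ftp", "rsh", "rlogin"}

def parse_normal_output(text):
    """Map each host to a list of (port, proto, state, service, version) tuples."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(1)
            hosts[current] = []
            continue
        p = PORT_RE.match(line)
        if p and current:
            port, proto, state, service, version = p.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return hosts

def flag_cleartext(hosts):
    """Return (host, port, service) for every open port whose service is watchlisted."""
    return [(h, port, svc) for h, rows in hosts.items()
            for port, _, state, svc, _ in rows if state == "open" and svc in WATCHLIST]

if __name__ == "__main__":
    inv = parse_normal_output(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NORMAL)
    print({h: [p for p, _, s, _, _ in rows if s == "open"] for h, rows in inv.items()})
    print("cleartext services:", flag_cleartext(inv))
```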


4. Recon-ng

# recon-ng
[recon-ng][default] > marketplace install all
[recon-ng][default] > modules load hackertarget
[recon-ng][default][hackertarget] > options set SOURCE hackthissite.org
[recon-ng][default][hackertarget] > run
[recon-ng][default][hackertarget] > show hosts
