This Cyber Security Project report presents a detailed analysis of vulnerabilities identified following a comprehensive scan conducted on the target system/network. Leveraging advanced scanning tools and methodologies, our assessment aims to uncover potential weaknesses and security gaps that could pose risks to the integrity and confidentiality of your digital assets. From critical vulnerabilities requiring immediate attention to low-risk findings warranting further monitoring, this report provides actionable insights to enhance your cybersecurity posture. Explore the breakdown of vulnerabilities, prioritized recommendations for remediation, and proactive measures to mitigate future threats. Empower your organization with the knowledge and strategies needed to strengthen defenses and safeguard against potential exploits with our Cyber Security projects. Discover more at https://bostoninstituteofanalytics.org/cyber-security-and-ethical-hacking/
2. Title – Generating a report for analyzing vulnerability after scan
Subtitle – Describe the Tools & Methods used for Reconnaissance
Name – Aditi Vasaikar
3. Introduction - Reconnaissance
• Reconnaissance is the initial phase of gathering information about a target
network or system, typically as a precursor to a cyber attack.
• Reconnaissance involves direct probing and scanning of the target network or
system to gather information beyond what is publicly available.
• Reconnaissance may involve sending probes, pings, port scans, and other
network reconnaissance techniques to learn the target's network topology, open
ports, running services, and potential vulnerabilities.
• Reconnaissance may also involve interacting with the target system in a way
that can be detected, although the goal is still to remain as stealthy as
possible to avoid detection.
4. Recon – in context of cybersecurity
1. Network Reconnaissance: This involves actively scanning and probing a
target network to identify vulnerabilities, open ports, network topology, and
other valuable information that can be exploited during an attack.
2. Host Reconnaissance: This involves gathering information about specific
hosts within a network, including operating systems, running services,
software versions, and configurations.
3. Application Reconnaissance: This involves analyzing specific applications
or services running on a network to identify potential weaknesses or
vulnerabilities that could be exploited.
5. Difference between Footprinting
and Reconnaissance
• Footprinting is the initial phase of reconnaissance, focused on passive
information gathering from publicly available sources, while reconnaissance
involves a broader range of active and passive techniques to gather
intelligence about a target's systems, networks, and personnel.
• Footprinting typically involves collecting basic information about a target
organization from public sources, while reconnaissance extends this by
actively probing the target's systems and networks to gather more detailed and
potentially sensitive information.
6. Objective of reconnaissance
• Gathering information
• Understanding Target
• Identifying Weaknesses
• Planning Attacks
• Avoiding Detection
7. Reconnaissance methods-
Reconnaissance can be conducted through various methods and
techniques, both passive and active. Here are some common ways
reconnaissance can be done:
1. Passive Reconnaissance: Involves gathering information from
publicly available sources without directly interacting with the target.
This includes techniques like open-source intelligence (OSINT), social
media monitoring, and browsing public websites.
2. Active Reconnaissance: Entails actively probing the target's systems
and networks to gather additional information. This includes
techniques such as network scanning, port scanning, service
enumeration, and vulnerability scanning.
8. 3. Physical Reconnaissance: Involves physically observing the target's
premises, infrastructure, and personnel to gather information. This could
include site visits, dumpster diving, tailgating, or other on-site
observation.
4. Wireless Reconnaissance: Focuses on identifying and analysing
wireless networks and devices. Techniques may include wireless
scanning, Wi-Fi sniffing, and wardriving.
5. Web Reconnaissance: Involves gathering information from websites,
web applications, and web servers. Techniques may include spidering,
directory brute-forcing, analysing HTTP headers, and extracting
metadata from web pages.
9. Website Information
I am performing Reconnaissance on a college website. It's basically a
polytechnic college in my area (Raigad District).
It's a dynamic website with college details, educational stuff, etc.
Website URL – www.gvacharyapolytechnic.org
IP Address – 103.21.58.93
For finding its IP address I have used the nslookup command in Kali Linux
and the ping command in Windows 10.
10. For Kali Linux
Step 1 –
Open the Kali Linux terminal and execute the command
Command : nslookup <website>
11. For Windows 10
Step 1 –
Open Command Prompt in Windows and execute the command
Command : ping <website>
12. Reconnaissance Tools
• Search engines – Google, Shodan, Yahoo, etc.
• Nmap
• Masscan
• Recon-ng
• Metasploit
• Sublist3r
• WhoisLookup
• Zenmap
• Spiderfoot
• Dirbuster
• Burpsuite
• Web scraping
• Google Hacking Database (GHDB)
• Maltego
• Aquatone
• Wappalyzer
• Nessus and many more
13. 1. WhoisLookup
WHOIS is a protocol and database used for querying information about
domain registrations, including details such as domain owner, registrar,
registration and expiration dates, contact information, and name servers.
• Uses:
1) Retrieving registration information for domain names.
2) Identifying domain ownership and contact details.
3) Verifying domain registration status and expiration dates.
4) Discovering name server information for domains.
5) Investigating domain history and registrar information.
14. • Functionalities:
1) Querying WHOIS databases for domain registration data.
2) Parsing and extracting registration details, such as owner name,
organization, and contact information.
3) Displaying domain registration status, including creation and
expiration dates.
4) Providing name server information and registrar details for domains.
5) Offering command-line and web-based interfaces for WHOIS queries.
• Outcomes:
1) Obtain comprehensive information about domain ownership and
registration.
2) Verify the legitimacy and status of domain registrations.
3) Identify potential contact points for domain administrators and owners.
4) Investigate domain history, including previous ownership and
registration changes.
5) Assess domain registration data for security and compliance purposes.
17. Step 3 –
Enter the website URL into the search bar of the Whoislookup tool.
18. Step 4 –
Review the results for the website URL, including domain
Information, registrant contact details, administrative contact details,
technical contact details, and raw WHOIS data.
22. 2. Nmap
Nmap is a versatile network scanning tool used for discovering hosts and
services on a network.
• Uses
1) Network scanning and reconnaissance.
2) Host enumeration and discovery.
3) Port scanning and service detection.
4) Operating system detection.
5) Vulnerability scanning and assessment.
6) Network mapping and topology visualization.
7) Security auditing and assessment.
23. • Functionalities:
1) Live host detection using ICMP and TCP probes.
2) Port scanning using various scan techniques (TCP, UDP, ACK, etc.).
3) Service detection to identify running applications and versions.
4) Operating system detection based on network fingerprinting.
5) Scripting engine (NSE) for custom scripts and vulnerability checks.
6) Network mapping to visualize network structure and layout.
7) Security assessment to identify vulnerabilities and misconfigurations.
• Outcomes:
1) Identification of live hosts and active IP addresses.
2) Discovery of open, closed, and filtered ports on target hosts.
3) Determination of running services and associated applications.
4) Inference of the operating system running on target hosts.
5) Detection of known vulnerabilities and security weaknesses.
6) Visualization of network topology and architecture.
7) Evaluation of the security posture and risk exposure of target networks.
24. Steps/POC - Nmap
Open the Kali Linux terminal and execute the following nmap commands. Raw-packet
scans such as -sS, -sU and -O need root privileges, so run them with sudo.
Command 1 : nmap <website>
This command performs a basic default scan of the specified website.
25. Command 2 : nmap -sS <website>
This command initiates a TCP SYN (half-open) scan, a stealthy scanning
technique used to determine which ports are open on the target system.
26. Command 3 : nmap -sV <website>
This command attempts to determine the versions of the services running on
the open ports of the target system.
27. Command 4 : nmap -O <website>
This command attempts to determine the operating system of the target system
based on various network characteristics and responses.
28. Command 5 : nmap -sU <website>
This command initiates a UDP scan, which is used to identify open UDP ports
on the target system.
29. Command 6 : nmap --script vulners <website>
This command searches for known vulnerabilities in the target system. The
vulners script matches on detected service versions, so it is normally
combined with -sV.
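To turn the scans above into the report the title of this project describes, here is an added example (not part of the original presentation) that parses nmap's XML output (`nmap ... -oX scan.xml`) into a findings list and marks any open port outside an assumed web-server baseline of 80/443 for review. The host, address, products and versions in the embedded XML are constructed sample data, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for a fictional host (not real scan data).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml example.invalid">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""

# Assumed baseline: ports a public web server is expected to expose. Any other
# open port is reported as a finding that needs review.
WEB_BASELINE = {80, 443}

def parse_nmap_xml(xml_text):
    """Return one dict per <port> element: host, port, proto, state, service, product."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # product and version are optional attributes; join whichever exist
            product = " ".join(
                x for x in (svc.get("product"), svc.get("version")) if x
            ) if svc is not None else ""
            findings.append({"host": addr, "port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "state": port.find("state").get("state"),
                             "service": name, "product": product})
    return findings

def classify(findings, baseline=WEB_BASELINE):
    """Split open ports into expected (in baseline) and unexpected exposures."""
    open_ports = [f for f in findings if f["state"] == "open"]
    expected = [f for f in open_ports if f["port"] in baseline]
    unexpected = [f for f in open_ports if f["port"] not in baseline]
    return expected, unexpected

def report(findings, baseline=WEB_BASELINE):
    """Render a plain-text findings section, unexpected exposures first."""
    expected, unexpected = classify(findings, baseline)
    lines = [f"Hosts scanned: {len({f['host'] for f in findings})}",
             f"Open ports: {len(expected) + len(unexpected)}"]
    for tag, group in (("[REVIEW]", unexpected), ("[OK]", expected)):
        for f in group:
            desc = " ".join(x for x in (f["service"], f["product"]) if x)
            lines.append(f"{tag} {f['host']}:{f['port']}/{f['proto']} {desc}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Filtered ports are parsed but not counted as exposures, so the report only lists what a remote client can actually reach.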
30. 3. Recon-ng
Recon-ng is an open-source reconnaissance framework that provides a
powerful set of tools for gathering information from various sources,
including search engines, social media platforms, and public databases.
• Uses:
1. Reconnaissance framework for gathering OSINT (Open Source Intelligence)
data.
2. Automating the process of information gathering and reconnaissance.
3. Performing various reconnaissance tasks, including DNS enumeration,
subdomain discovery, and social media profiling.
4. Integrating with other tools and platforms to enhance reconnaissance
capabilities.
31. • Functionalities:
1) Modules for conducting OSINT tasks, such as DNS enumeration,
subdomain discovery, and email harvesting.
2) Automated reconnaissance workflows for streamlining information
gathering processes.
3) Integration with third-party APIs and data sources for accessing
additional information.
4) Customizable and extensible framework with support for developing
custom modules and scripts.
• Outcomes:
1) Comprehensive intelligence gathering from various sources, including
DNS records, social media platforms, and public databases.
2) Identification of subdomains, email addresses, and other relevant
information about target domains.
3) Profiling of individuals and organizations based on online presence
and activity.
4) Enhanced reconnaissance capabilities through integration with external
tools and services.
32. POC/Steps – Recon-ng
Step 1 –
Open the Kali Linux terminal & execute the following commands.
Step 2 –
Start the framework
Command – recon-ng
Step 3 –
Install all modules for the further steps
Command – marketplace install all
Step 4 –
Search the available modules using the following command
Command – modules search
36. Step 5 –
Create a workspace (demo) using the following commands
Command – workspaces
Command – workspaces create demo
Step 6 –
List all available workspaces
Command – workspaces list
Step 7 –
Add the domain to the workspace
Command – db insert domains
Step 8 –
List the domains available in the demo workspace
Command – show domains
39. Step 9 –
List the hosts available in the domain (demo workspace)
Command – show hosts
Step 10 –
Load the reporting module to put all collected data into a report
Command – modules load report
41. Step 11 –
Try a different module
Command – modules load recon/domains-hosts/hackertarget
Step 12 –
Run the module with the following command
Command – run
Step 13 –
Load the reporting module to put all collected data into a report
Command – modules load report
Step 14 –
Check the HTML file
You will get the complete report from recon-ng.
45. 4. Metasploit
Metasploit is a popular penetration testing framework that includes modules
for reconnaissance, exploitation, post-exploitation, and reporting.
Metasploit can be used for scanning, fingerprinting, and exploiting
vulnerabilities in target systems.
• Uses:
1) Penetration testing and vulnerability assessment.
2) Exploiting security vulnerabilities to gain unauthorized access.
3) Post-exploitation activities, including privilege escalation and lateral
movement.
4) Developing and testing custom exploits and payloads.
46. • Functionalities:
1) Exploit development and execution for known vulnerabilities.
2) Payload generation for delivering malicious code to target systems.
3) Post-exploitation modules for performing various actions on
compromised systems.
4) Auxiliary modules for reconnaissance, information gathering, and
network scanning.
• Outcomes:
1) Identification and exploitation of security vulnerabilities in target
systems.
2) Unauthorized access to target systems for assessing security posture.
3) Execution of post-exploitation actions, such as privilege escalation or
data exfiltration.
4) Development and testing of custom exploits and payloads for targeted
attacks.
47. POC/Steps - Metasploit
Step 1 –
Open the Kali Linux terminal.
Step 2 –
Type msfconsole to start the Metasploit console.
Step 3 –
Search module - HTTP Server Fingerprinting
Command –
search http_version
use auxiliary/scanner/http/http_version
set RHOSTS <IP address (103.21.58.93)>
run
This module attempts to fingerprint the web server software and version.
49. Step 4 –
Search module - Directory Scanner
Command –
search dir_scanner
use auxiliary/scanner/http/dir_scanner
set RHOSTS <IP address (103.21.58.93)>
run
This module scans for directories and files on the target web server.
Step 5 –
Search module - HTTP Directory Listing Checker
Command –
search dir_listing
use auxiliary/scanner/http/dir_listing
set RHOSTS <IP address (103.21.58.93)>
run
This module checks whether directory listing is enabled on the target web server.
52. Step 6 –
Search module – Port Scanning
Command –
search portscan
use auxiliary/scanner/portscan/syn
set RHOSTS <IP address (103.21.58.93)>
run
This module scans for open ports on the target server.
Step 7 –
Search module – Server Message Block scanning
Command –
use auxiliary/scanner/smb/smb_version
set RHOSTS <IP address (103.21.58.93)>
run
This module identifies the SMB implementation and Microsoft Windows version on the target server.
54. Step 8 –
Search module – Gathering MSSQL server information
Command –
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <IP address (103.21.58.93)>
set THREADS 255
run
This module gathers MSSQL server information.
Step 9 –
Search module – Gathering SSH server information
Command –
use auxiliary/scanner/ssh/ssh_version
set RHOSTS <IP address (103.21.58.93)>
run
This module gathers the SSH server version banner.
56. Step 10 –
Search module – Scanning FTP version
Command –
use auxiliary/scanner/ftp/ftp_version
set RHOSTS <IP address (103.21.58.93)>
run
This module reports the FTP server version.
57. Step 11 –
Search module – SSL Certificate Analysis
Command –
use auxiliary/scanner/http/cert
set RHOSTS <IP address (103.21.58.93)>
run
This module is used to analyze the SSL certificate presented by the server.
Step 12 –
Search module – Login Page Identification
Command –
use auxiliary/scanner/http/http_login
set RHOSTS <IP address (103.21.58.93)>
run
This module is used to identify login pages on a web server.
59. Step 13 –
Search module – Nmap
Command –
db_nmap -sS -A <IP address (103.21.58.93)>
This command runs an aggressive scan (-A) with a TCP SYN scan (-sS) and
imports the results into the Metasploit database.
61. 5. Masscan
A high-speed TCP port scanner designed to scan large networks quickly.
Masscan is known for its speed and efficiency in scanning large IP ranges.
• Uses:
1) Network scanning and reconnaissance.
2) Rapid scanning of large network ranges.
3) Identifying open ports and services on target systems.
4) Assessing network security posture and identifying potential attack
vectors.
62. • Functionalities:
1) High-speed asynchronous port scanning using custom TCP and
UDP packets.
2) Support for scanning large IPv4 and IPv6 address ranges.
3) Customizable scan parameters, including scan rate, timeout, and packet
size.
4) Integration with Nmap and other tools for further analysis and
exploitation.
• Outcomes:
1) Quick identification of live hosts and active IP addresses.
2) Detection of open ports and services on target systems.
3) Assessment of network security vulnerabilities and misconfigurations.
4) Enhanced reconnaissance capabilities through rapid and efficient
network scanning.
63. Steps/POC - Masscan
Step 1 –
Open kali Linux Terminal
Step 2 –
Execute the following command
Command :
masscan -p0-65535 <IP address of targeted system>
This command scans all ports (from 0 to 65535) on the specified IP address
using the Masscan tool.
65. 6. Sublist3r
A tool for enumerating subdomains of a given domain. Sublist3r utilizes
various search engines and DNS data sources to discover subdomains,
which can be useful for expanding the scope of reconnaissance.
• Uses:
1) Subdomain enumeration and discovery.
2) Expanding the scope of reconnaissance.
3) Identifying additional entry points for penetration testing and
vulnerability assessment.
4) Assessing the attack surface of target domains.
66. • Functionalities:
1) Querying multiple search engines and DNS databases for
subdomain information.
2) Brute-forcing subdomains using wordlists and permutation techniques.
3) Verifying the existence of discovered subdomains through DNS
resolution.
4) Generating lists of subdomains for further analysis or exploitation.
• Outcomes:
1) Discovery of subdomains associated with target domains.
2) Expansion of reconnaissance scope by identifying additional targets.
3) Identification of potential entry points for cyber attacks or security
assessments.
4) Enhanced understanding of the attack surface and potential
vulnerabilities of target domains.
67. Steps/POC – Sublist3r
Step 1 – Open the Kali Linux Terminal and execute the following commands
Step 2 –
Change directory to Desktop
Command : cd Desktop
Step 3 –
Change directory to Sublist3r
Command : cd sublist3r
Step 4 –
Check the contents using the ‘ls’ command
Command : ls
Step 5 –
Review the subdomain results with the following command:
Command : sublist3r -d <website>
This command uses Sublist3r to search for subdomains associated with the
specified website.
69. 7. Spiderfoot
SpiderFoot is a versatile tool that offers a wide range of functionalities for
information gathering, threat intelligence, and security analysis, ultimately
leading to improved security posture and risk management.
Uses:
1) Information Gathering
2) Threat Intelligence
3) Footprinting
Functionalities:
1) Automated Data Collection
2) Integration with Various Data Sources
3) Analysis and Correlation
4) Reporting and Visualization
70. Outcomes:
1) Identification of Vulnerabilities
2) Risk Assessment
3) Enhanced Situational Awareness
4) Support for Investigations
71. Steps/POC – Spiderfoot
Step 1 –
Open the Kali Linux Terminal and execute the following commands
Step 2 –
Review the results by executing the following command:
Command : spiderfoot -s <IPAddress>
This command instructs SpiderFoot to perform a scan on the specified IP
address and gather information about it from various sources.
80. Note –
In PPT, only 10-15% of the scan results generated by the SpiderFoot tool are displayed in the
uploaded snapshots.
81. Preventions of Reconnaissance
Preventing reconnaissance is challenging since it often involves gathering
information that is publicly available or difficult to control. However, there
are several techniques and measures that organizations can implement to
reduce the effectiveness of reconnaissance activities and minimize the risk
of potential attacks:
1) Implement Network Segmentation
2) Use Intrusion Detection and Prevention Systems (IDPS)
3) Employ Network Monitoring and Logging
4) Enforce Strong Authentication Mechanisms
5) Educate Employees About Security Awareness
82. 6) Implement Web Application Firewalls (WAF)
7) Regularly Update and Patch Systems
8) Monitor External Exposure
9) Conduct Regular Security Assessments
By implementing these prevention techniques, organizations can mitigate
the risk of reconnaissance activities and enhance their overall security
posture against potential cyber threats. However, it's important to note that
no single solution can provide complete protection, and a layered approach
to security is necessary to effectively defend against reconnaissance and
other types of cyber attacks.
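Items 2 and 3 above (IDPS and network monitoring) come down to rules like the one below. This is an added example, not part of the original presentation: it reads netfilter-style firewall log lines and flags a source that touches many distinct destination ports on one host within a short window, which is what the SYN and UDP scans described earlier look like from the defender's side. The log lines, addresses, thresholds and function names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tuning knobs: how many distinct ports on one host, within how many seconds,
# count as a scan. Real deployments tune these per environment.
PORT_THRESHOLD = 10
WINDOW_SECONDS = 5

# Constructed netfilter-style LOG lines (not from any real system): one source
# sweeps 12 ports in four seconds, a second source behaves like a browser.
SAMPLE_LOG = [
    f"Mar 10 12:00:0{i % 4} fw kernel: IN=eth0 OUT= SRC=198.51.100.7 "
    f"DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={p} WINDOW=1024 SYN"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080])
] + [
    "Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 SYN",
    "Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 SYN",
    "Mar 10 12:00:03 fw sshd[123]: Accepted publickey for ops from 203.0.113.5",
]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) or None for non-firewall lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])

def detect_port_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Map (src, dst) -> sorted distinct ports for pairs that look like a scan.

    A pair is flagged when some sliding window of `window` seconds contains
    at least `threshold` distinct destination ports from the same source."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    per_pair = defaultdict(list)
    for ts, src, dst, _proto, dport in events:
        per_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in per_pair.items():
        lo = 0
        for hi in range(len(hits)):
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window:
                lo += 1  # drop hits that fell out of the window
            if len({p for _, p in hits[lo:hi + 1]}) >= threshold:
                alerts[pair] = sorted({p for _, p in hits})
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALERT port scan {src} -> {dst}: {len(ports)} ports {ports}")
```

The same per-source, per-window counting is what IDS port-scan signatures encode; the window matters, because the same twelve ports spread over an hour would not trip this rule.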
83. Conclusion
Reconnaissance serves as the foundation of cybersecurity, providing
crucial insights into the adversary's intentions and capabilities.
Through meticulous information gathering and analysis, reconnaissance
enables proactive threat detection and response.
By understanding the importance of reconnaissance and implementing
robust defense measures, organizations can effectively mitigate risks and
safeguard their digital assets.
Continuous reconnaissance efforts are essential in today's evolving threat
landscape, ensuring organizations stay one step ahead of cyber
adversaries and maintain a resilient security posture.
84. Proof of performance
• Video Drive link –
BIA Capstone Project_Recon_tools_videos
Drive link includes screen recording of recon tools like nmap, sublist3r,
masscan, whoislookup, nslookup, ping(cmd), Metasploit, recon-ng,
spiderfoot.