Presentation Slides
Scanning & Reconnaissance Basics
For CTF Competitions
What is Scanning & Reconnaissance?
Scanning
- Probing systems to identify what data they are sending out
Reconnaissance
- Gathering information about a target
What is a port?
- 65536 ports
- Data Transport
- TCP/UDP
- Where servers “listen” for incoming connections
Common Services/Ports
Port | Service | Acronym |
---|---|---|
21 | File Transfer Protocol | FTP |
22 | Secure Shell | SSH |
25 | Simple Mail Transfer Protocol | SMTP |
53 | Domain Name System | DNS |
80 | Hypertext Transfer Protocol | HTTP |
110 | Post Office Protocol | POP3 |
123 | Network Time Protocol | NTP |
143 | Internet Message Access Protocol | IMAP |
389 | Lightweight Directory Access Protocol | LDAP |
443 | Hypertext Transfer Protocol Secure | HTTPS |
631 | Common Unix Printing System | CUPS |
Scanning Computers
- Scans for open ports
- To scan TCP (all 65535 ports):
nmap -p- <target>
- To scan UDP:
nmap -sU <target>
- UDP scans are often unreliable (a port that never answers may be open or filtered)
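The flip side of a full port sweep like the one above is that it is very noisy: one source touching many distinct ports on one host in a short window is the classic signature a defender looks for in firewall or flow logs. The following is an added example (not code from the slides) that runs that detection over a constructed, simplified firewall log format; the log layout, the addresses and the thresholds are assumptions chosen for the demonstration.

```python
"""Detect port-scan-like behaviour in connection logs (added example).

The log format is hypothetical:  <iso-timestamp> <src> -> <dst>:<port> <proto> <action>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<proto>tcp|udp) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
        "action": m["action"],
    }


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=20):
    """Return {(src, dst): distinct_ports} for every source/destination pair
    that touched at least `min_ports` distinct ports inside any `window`.

    Both accepted and dropped connections count: a scanner probes closed
    ports too, and the DROP lines are often the strongest signal.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()                      # chronological order
        in_window = Counter()           # port -> occurrences inside the sliding window
        left = 0
        best = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            alerts[pair] = best
    return alerts


def build_sample_log():
    """Constructed sample (not real traffic): one source sweeps ports 1-40 in
    10 seconds, another source makes three ordinary connections over 7 minutes."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate(range(1, 41)):
        ts = base + timedelta(milliseconds=250 * i)
        action = "ACCEPT" if port in (22, 80) else "DROP"
        lines.append(f"{ts.isoformat()} 198.51.100.7 -> 192.0.2.10:{port} tcp {action}")
    for minute, port in ((0, 443), (3, 443), (7, 22)):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} 203.0.113.5 -> 192.0.2.10:{port} tcp ACCEPT")
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan: {src} touched {n} distinct ports on {dst} within 60s")
```

The sliding window matters: a slow scan spread over hours stays under the threshold, which is exactly why scanner timing options exist and why a real deployment also keeps longer-horizon counters per source.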
nmap Scripting Engine (NSE)
- ftp-brute
- http-brute
- imap-brute
- smtp-enum-users
nmap --script <script> -p <port> <target>
netcat/nc/ncat
- Network
- TCP/UDP
nc <IP> <PORT>
nc google.com 80
nc -u 1.1.1.1 53
echo "GET /" | nc google.com 80
Scanning Websites
- dirbuster/feroxbuster
- Uses a wordlist to enumerate existing directories and files on a web server
feroxbuster -u <target> -w <wordlist>
- bbot
- Subdomain enumeration, Web Crawler
bbot -t <target> -p subdomain-enum
- Special Website Files
- <domain>.<tld>/robots.txt
- <domain>.<tld>/sitemap.xml
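A wordlist-driven tool like feroxbuster leaves an equally distinctive trace on the server side: one client requesting many distinct paths that do not exist, in a burst, with a 404 for nearly every one. The following is an added example (not from the slides or from the feroxbuster project) that flags that pattern in Apache/nginx combined-format access logs; the sample lines, addresses and the candidate path names are constructed for the demonstration and the thresholds are assumptions.

```python
"""Detect directory/file brute-forcing in web access logs (added example).

Input is combined log format, e.g.
  203.0.113.5 - - [01/May/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_dir_bruteforce(lines, window=timedelta(seconds=30), min_404=15):
    """Return {ip: distinct_404_paths} for clients that requested at least
    `min_404` distinct not-found paths inside any `window`.

    Counting distinct paths (not raw 404s) avoids alerting on a browser that
    retries one missing favicon, while still catching a wordlist sweep.
    """
    misses = defaultdict(list)
    for line in lines:
        ev = parse_access_line(line)
        if ev and ev["status"] == 404:
            misses[ev["ip"]].append((ev["ts"], ev["path"]))

    alerts = {}
    for ip, evs in misses.items():
        evs.sort()
        left, seen, best = 0, {}, 0     # seen: path -> occurrences inside the window
        for ts, path in evs:
            seen[path] = seen.get(path, 0) + 1
            while ts - evs[left][0] > window:
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= min_404:
            alerts[ip] = best
    return alerts


def build_sample_access_log():
    """Constructed sample (not real traffic): an ordinary visitor with one
    harmless 404, and a scanner trying 30 candidate paths in 6 seconds of
    which only two exist."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ts):
        return ts.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = []
    for sec, path, status in ((0, "/", 200), (2, "/robots.txt", 200),
                              (5, "/about", 200), (9, "/favicon.ico", 404)):
        ts = base + timedelta(seconds=sec)
        lines.append(f'203.0.113.5 - - [{fmt(ts)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    for i in range(30):
        ts = base + timedelta(milliseconds=200 * i)
        status = 200 if i in (3, 17) else 404      # two guesses hit real resources
        lines.append(f'198.51.100.7 - - [{fmt(ts)}] "GET /candidate{i:02d} HTTP/1.1" {status} 0 "-" "scanner/1.0"')
    return lines


if __name__ == "__main__":
    for ip, n in detect_dir_bruteforce(build_sample_access_log()).items():
        print(f"possible directory brute force: {ip} requested {n} distinct missing paths within 30s")
```

Note that the ordinary visitor's request for /robots.txt returns 200 and is not counted; fetching robots.txt or sitemap.xml is normal crawler behaviour, so those files are better treated as a hint of reconnaissance only when they appear together with a burst like the one above.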
Shodan
- Search engine for Internet-exposed hosts and the services they run