Scanning & Reconnaissance Basics

For CTF Competitions

What is Scanning & Reconnaissance?

Scanning

  • Probing systems to identify what data they are sending out

Reconnaissance

  • Gathering information about a target

What is a port?

  • 65536 ports
  • Data Transport
    • TCP/UDP
  • Where servers "listen" for incoming connections

Common Services/Ports

Port   Service                               Acronym
21     File Transfer Protocol                FTP
22     Secure Shell                          SSH
25     Simple Mail Transfer Protocol         SMTP
53     Domain Name System                    DNS
80     Hypertext Transfer Protocol           HTTP
110    Post Office Protocol                  POP3
123    Network Time Protocol                 NTP
143    Internet Message Access Protocol      IMAP
389    Lightweight Directory Access Protocol LDAP
443    Secure Hypertext Transfer Protocol    HTTPS
631    Common Unix Printing System           CUPS

Scanning Computers

nmap

  • Scans for open ports
  • nmap -p- <target> to scan all TCP ports
  • nmap -sU <target> to scan UDP ports
    • UDP scans are often unreliable
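As an added example (not from the original slides), the following Python script performs the same kind of TCP connect check that nmap does, against a list of ports, and labels each hit with the acronym from the Port/Service table above. It also distinguishes a closed port (immediate RST) from a filtered one (no reply before the timeout), which is the difference you see when a firewall sits in front of the target. The host 127.0.0.1 is an assumed lab target.

```python
"""Minimal TCP connect scanner with service labels (added example, not the slides' own code)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Port -> acronym, taken from the Common Services/Ports table.
COMMON_SERVICES = {
    21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3",
    123: "NTP", 143: "IMAP", 389: "LDAP", 443: "HTTPS", 631: "CUPS",
}


def check_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'error' for one TCP port.

    A completed handshake means open; an immediate RST (connection refused)
    means closed; no answer before the timeout usually means a firewall
    silently dropped the SYN, which nmap reports as filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"  # e.g. no route to host


def scan_ports(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """Scan several ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: check_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def label(port: int) -> str:
    """Service acronym from the table above, or 'unknown'."""
    return COMMON_SERVICES.get(port, "unknown")


if __name__ == "__main__":
    # Assumed lab target: loopback. Replace with the CTF box's address.
    results = scan_ports("127.0.0.1", COMMON_SERVICES)
    for port, state in sorted(results.items()):
        print(f"{port:>5}/tcp  {state:<9} {label(port)}")
```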

nmap Scripting Engine

netcat/nc/ncat

  • General-purpose networking tool for raw connections
  • TCP/UDP
  • nc <IP> <PORT>
  • nc google.com 80
  • nc -u 1.1.1.1 53
  • echo "GET /" | nc google.com 80

Scanning Websites

  • dirbuster/feroxbuster
    • Uses a wordlist to enumerate existing folders
    • feroxbuster -u <target> -w <wordlist>
  • bbot
    • Subdomain enumeration, Web Crawler
    • bbot -t <target> -p subdomain-enum
  • Special Website Files
    • <domain>.<tld>/robots.txt
    • <domain>.<tld>/sitemap.xml

Shodan

  • Search engine for Internet-exposed IPs and the services they run

Wordlists for Scanning

Common Names

FTP Default User:Pass

Directory List (*buster)