CPENT v2 Labs Manuals and Training: Cybersecurity & Ethical Hacking

Module 03: Open Source Intelligence (OSINT) and Attack Surface Mapping

Scenario

Penetration testing is much more than running exploits against vulnerable systems. A penetration test begins before the testers have touched the target's systems at all. Rather than blindly throwing exploits at a host and hoping one returns a shell, a penetration tester studies the environment for potential weaknesses and their mitigating factors, so that by the time an exploit is run, he or she is nearly certain it will succeed. A failed exploit can crash or damage the target, or at the very least leave it un-exploitable for the rest of the engagement, so testers who point an automated exploit tool at a network with no preparation get weaker results and deliver a thinner report to their clients.

The importance of open-source intelligence (OSINT) in penetration testing lies in its ability to uncover publicly available information that attackers might exploit. By leveraging OSINT techniques, penetration testers can gather critical insights about an organization’s infrastructure, employees, and potential vulnerabilities without direct engagement. This process aids in identifying security gaps, such as exposed credentials, misconfigured assets, or sensitive data leaks, that may otherwise go unnoticed. Furthermore, the use of OSINT ensures a comprehensive reconnaissance phase, enabling testers to simulate real-world attack scenarios while adhering to ethical and legal boundaries. This proactive approach helps organizations fortify their defenses and mitigate risks effectively.

A penetration tester collects information about a company such as internal and external links on the company's website, people working for the company, geographical location, DNS information, competitive intelligence, network ranges, and so on. This information is used to find vulnerabilities, plan exploitation, and identify valuable data. To become an expert penetration tester and security auditor, you must know the various techniques for gathering a company's information.

Objective

The objective of this lab is to help students learn different techniques to gather information about a company; you will learn how to:

  • Collect Open-source Intelligence (OSINT) on Target’s Domain Name
  • Collect OSINT about Target on the Web
  • Collect OSINT on Target’s Employees
  • Perform Open Source Intelligence (OSINT) using Automation Tools
  • Identify and Map Attack Surface

Exercise 1: Collecting Open-source Intelligence (OSINT) on Target’s Domain Name

Scenario

This lab focuses on collecting OSINT related to the target’s domain name using publicly available information. It enables penetration testers to gather details such as subdomains, DNS records, WHOIS data, IP addresses, and publicly accessible services, providing insights into the target’s infrastructure and potential attack vectors.

Objective

  • Perform Whois Lookups
  • Find the DNS Records for the Domain
  • Find the Domain and Sub-domains of the Target
  • Using Scripts and AI Tools to Combine and Automate OSINT

Task 1: Performing Whois Lookups

Whois Lookup provides domain registration details, including the domain owner, registration and expiration dates, contact information, and name servers. Whois information helps in mapping the target’s network infrastructure, uncovering potential vulnerabilities, and extracting administrative and technical contact details.

In this lab, we will perform Whois lookup using various tools.

Lab Tasks

  1. Click Parrot Security to switch to the Parrot Security machine. Type toor in the Password field and press Enter.
  2. Launch a terminal and acquire root privileges by executing sudo su command. (When prompted for a password, type toor).
  3. In the terminal window, run whois certifiedhacker.com to gather the whois information of certifiedhacker.com.

4. Now, we will perform the Whois lookup using Nmap. In the terminal, run nmap -sn --script "whois-*" www.certifiedhacker.com. Quoting the script pattern stops the shell from expanding the asterisk against files in the current directory; the pattern selects both the whois-domain and whois-ip scripts.


5. We will now perform the whois lookup using whois.com. Open a browser, type https://www.whois.com/whois/ in the address bar, and press Enter. In the Whois Domain Lookup page, search for certifiedhacker.com.


6. whois.com displays the whois information of the certifiedhacker.com website.
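The raw whois output from the steps above is free text, and most of its value is in a handful of fields: registrar, creation and expiry dates, name servers, lock statuses, and whether the contacts are redacted or exposed. The Python script below is an added example and is not part of the lab or of the whois tool; it parses a constructed WHOIS record (the domain, registrar, name servers and dates in it are made up) and returns those fields, including the days until expiry and which contacts are hidden behind privacy protection.

```python
"""Parse raw whois output into the fields a tester actually uses."""
import json
import re
from datetime import datetime, timezone

# Constructed sample in the layout most registrars emit; the domain, registrar and
# name servers are made up and do not correspond to a real WHOIS record.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-TARGET.COM
   Registry Domain ID: 123456789_DOMAIN_COM-VRSN
   Registrar: Example Registrar, LLC
   Updated Date: 2024-01-15T08:12:00Z
   Creation Date: 2009-06-01T17:44:00Z
   Registry Expiry Date: 2025-06-01T17:44:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Admin Email: admin@example-target.com
   Name Server: NS1.HOSTING-PROVIDER.NET
   Name Server: NS2.HOSTING-PROVIDER.NET
   DNSSEC: unsigned
>>> Last update of whois database: 2024-03-01T00:00:00Z <<<
"""
SAMPLE_TODAY = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Phrases registrars use in place of a contact that privacy protection has hidden.
REDACTION_MARKERS = ("redacted", "please query", "not disclosed", "data protected")

def parse_whois(text):
    """Return {field: [values]} from 'Key: value' lines, skipping banners and comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")  # first colon only; timestamps contain more
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def _first_date(fields, *keys):
    """Find the first YYYY-MM-DD under any of the given keys (registrars label dates differently)."""
    for key in keys:
        for value in fields.get(key, []):
            m = re.match(r"(\d{4}-\d{2}-\d{2})", value)
            if m:
                return datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return None

def summarize(text, today=None):
    """Registrar, name servers, lock statuses, age/expiry, and which contacts are hidden or exposed."""
    fields = parse_whois(text)
    today = today or datetime.now(timezone.utc)
    expiry = _first_date(fields, "registry expiry date", "registrar registration expiration date", "expiry date")
    created = _first_date(fields, "creation date", "created")
    contacts = {k: v[0] for k, v in fields.items() if k.endswith((" email", " organization"))}
    return {
        "domain": fields.get("domain name", [""])[0].lower(),
        "registrar": fields.get("registrar", [""])[0],
        "name_servers": sorted({ns.lower() for ns in fields.get("name server", [])}),
        "statuses": sorted(s.split()[0] for s in fields.get("domain status", [])),
        "days_to_expiry": (expiry - today).days if expiry else None,
        "age_days": (today - created).days if created else None,
        "redacted": sorted(k for k, v in contacts.items()
                           if any(marker in v.lower() for marker in REDACTION_MARKERS)),
        "exposed_contacts": {k: v for k, v in contacts.items() if "@" in v},
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_WHOIS, today=SAMPLE_TODAY), indent=2))
```

To use it on a live record, pipe the tool's output in (for example whois certifiedhacker.com | python3 -c 'import sys, whois_fields; print(whois_fields.summarize(sys.stdin.read()))', assuming the file is saved as whois_fields.py). A short days_to_expiry, a missing clientTransferProhibited status, or an unredacted admin address are the findings worth carrying into the report.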


Task 2: Finding DNS Records for the Domain

DNS records reveal the names and addresses a domain depends on: A and AAAA records map hostnames to IP addresses, NS records name the authoritative servers, MX records name the mail servers, SOA records carry the zone's serial number and administrative contact, and TXT records often expose third-party services (SPF, DKIM, site-verification tokens).

Lab Tasks

1. In the Parrot Security machine, open a new terminal with sudo privileges and type dnsrecon -d certifiedhacker.com to view the DNS records of certifiedhacker.com.


2. To perform a reverse lookup across the target's netblock, run dnsrecon -r 162.241.216.0-162.241.216.255. Hosts returned by a reverse sweep may belong to other customers of the same hosting provider; confirm they are in scope before testing them.


3. In the terminal window, run dig certifiedhacker.com to gather the DNS information of certifiedhacker.com.


4. To perform a reverse DNS lookup with dig, run dig -x 162.241.216.11.


5. This concludes the demonstration of gathering DNS information from a target domain.


Task 3: Finding Domain and Sub-domains of the Target

In this lab, you will learn to identify and analyze the domain and subdomains of a target website using multiple tools and techniques. By leveraging tools like Subbrute, Nmap, Sublist3r, Netcraft, and DNSDumpster, you will gather valuable information for further exploitation and analysis of the target’s online presence.

Lab Tasks

1. In Parrot Security machine, open a new terminal with sudo privileges, and type cd subbrute to navigate to the subbrute directory.

2. In the subbrute directory run ./subbrute.py certifiedhacker.com command. It will take some time for the output to appear.


3. The sub-domains of certifiedhacker.com are listed; each one is an additional host to enumerate.

4. Now, we will use Nmap to enumerate sub-domains of certifiedhacker.com. In the terminal, run cd .. to return to /home/pentester.

5. Run nmap --script dns-brute www.certifiedhacker.com to view the sub-domains of certifiedhacker.com.


6. We will now scan for sub-domains using the sublist3r tool, in the terminal window, type cd Sublist3r to navigate to the sublist3r directory.

7. Run python3 sublist3r.py -d certifiedhacker.com -p 80 command to view the list of sub-domains.

If you receive any errors while running the command ignore them.


8. We will now list the sub-domains of certifiedhacker.com using Netcraft.

9. Open a browser and in the address bar type https://sitereport.netcraft.com/ and press Enter.

If a pop-up appears, click on ACCEPT COOKIES.

10. In the netcraft web page, under What’s that site running? section type https://certifiedhacker.com and click LOOK UP.


11. Site report for https://certifiedhacker.com page appears, displaying the Background, Network, IP delegation, IP Geolocation etc.


12. Analyze the information and click on certifiedhacker.com hyperlink beside Domain under Network section.


13. This will list all the sub-domains of the certifiedhacker.com website.


14. Next, we will perform DNS Recon & Research using https://dnsdumpster.com.

15. In your browser, go to https://dnsdumpster.com and search for eccouncil.org.


16. Scroll down and look at the host section.


17. Take a few minutes and explore the data results.

18. We have accomplished what we wanted to in this lab and will conclude the lab here.
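The brute-force tools used above (subbrute, Nmap's dns-brute, Sublist3r) all resolve wordlist candidates, and a zone with a wildcard record answers every one of them, so the results need a wildcard check before they are trusted. The Python script below is an added example, not code from any of those tools: brute_force() resolves a wordlist in parallel and discards answers that match the wildcard, and reverse_sweep() performs the PTR sweep from Task 2 (CIDR or dnsrecon-style first-last range) and separates hosts under the target domain from other tenants of the netblock. The fake resolvers, the target.example zone and the 203.0.113.0/27 block are constructed so the example runs offline; pass the system_* functions for real lookups.

```python
"""Forward brute force with a wildcard check, and a reverse (PTR) sweep of a netblock."""
import ipaddress
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor

def system_forward(name):
    """Resolve a hostname to its IPv4 addresses; empty set when it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def system_reverse(ip):
    """PTR lookup for one address; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def detect_wildcard(domain, forward=system_forward, probes=2):
    """Resolve random labels that cannot exist; whatever they return is the wildcard answer."""
    answers = set()
    for _ in range(probes):
        answers |= forward(f"{secrets.token_hex(8)}.{domain}")
    return answers

def brute_force(domain, words, forward=system_forward, workers=16):
    """Return {fqdn: [ips]} for wordlist hits, dropping answers that are only the wildcard's."""
    wildcard_ips = detect_wildcard(domain, forward)
    candidates = [f"{w.strip().lower()}.{domain}" for w in words if w.strip()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(forward, candidates))
    found = {}
    for fqdn, ips in zip(candidates, results):
        real = ips - wildcard_ips
        if real:
            found[fqdn] = sorted(real)
    return found

def reverse_sweep(network, reverse=system_reverse, workers=16):
    """PTR-resolve every address in a CIDR block or first-last range; returns {ip: hostname}."""
    if "-" in network:  # dnsrecon-style first-last range, inclusive
        first, last = (ipaddress.ip_address(p.strip()) for p in network.split("-", 1))
        hosts = [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)]
    else:
        hosts = [str(ip) for ip in ipaddress.ip_network(network, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(reverse, hosts))
    return {ip: name for ip, name in zip(hosts, names) if name}

def split_scope(ptr_results, domain):
    """Separate reverse-sweep hits under the target domain from other tenants sharing the block."""
    suffix = "." + domain.lower()
    ours = {ip: n for ip, n in ptr_results.items()
            if n.lower() == domain.lower() or n.lower().endswith(suffix)}
    others = {ip: n for ip, n in ptr_results.items() if ip not in ours}
    return ours, others

# Constructed zone and PTR data so the functions run offline; real lookups use the system_* functions.
FAKE_ZONE = {
    "www.target.example": {"203.0.113.10"},
    "mail.target.example": {"203.0.113.20"},
    "dev.target.example": {"203.0.113.30"},
}
WILDCARD_IP = {"203.0.113.99"}  # *.target.example answers with this address

def fake_forward(name):
    return set(FAKE_ZONE.get(name, WILDCARD_IP))  # any unknown label hits the wildcard

FAKE_PTR = {
    "203.0.113.10": "www.target.example",
    "203.0.113.20": "mail.target.example",
    "203.0.113.21": "shop.other-tenant.example",
}

def fake_reverse(ip):
    return FAKE_PTR.get(ip)

if __name__ == "__main__":
    print(brute_force("target.example", ["www", "mail", "dev", "vpn", "ftp"], forward=fake_forward))
    print(split_scope(reverse_sweep("203.0.113.0-203.0.113.31", reverse=fake_reverse), "target.example"))
```

The wildcard filter compares addresses only, so a real host that happens to share the wildcard's IP would be dropped; when that matters, compare the full answer (CNAME target as well as address) instead. Keep the worker count modest against a resolver you do not control.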


Task 4: Using Scripts and AI Tools to Combine and Automate OSINT

In this lab, you will use an AI tool to generate a script for automating OSINT tasks on a target domain. The script will extract subdomains, parallel domains, WHOIS data, and DNS records, and check for zone transfers, providing organized results in labeled sections and saving them to a text file.

Lab Tasks

1. Click Parrot Security to switch to the Parrot Security machine, open the browser, and go to any AI tool, here we are using ChatGPT(https://chatgpt.com/).


2. Enter the following sample prompt to generate a script with commands for combining and automating OSINT tasks.

Generate a shell script to perform enumeration on the target domain (e.g., microsoft.com) to extract subdomains using the dnsmap tool, parallel domains using the urlcrazy -p command, WHOIS lookup data using the whois command, DNS records using the dnsrecon tool, and check for zone transfers using the dig command. The command should organize and display the results in clearly labeled sections for each type of information.
The output may vary slightly each time you use this prompt.

3. Save the generated script in a file named Domain_OSINT.sh. (You can use the Domain_OSINT.sh file located in /home/pentester/Scripts/Module 3/).

You can run the sample shell script that is already saved as Domain_OSINT.sh in /home/pentester/Scripts/Module 3. To do this, first convert it to Unix line endings by running dos2unix Domain_OSINT.sh, then run the script.
Edit the target domain name in the script before running it.

4. Launch a terminal and acquire root privileges by executing sudo su command. (When prompted for a password, type toor).


5. In the terminal window, run dos2unix Domain_OSINT.sh to convert the file to Unix line endings, run chmod +x Domain_OSINT.sh to make it executable, and then run ./Domain_OSINT.sh. Read the generated script before running it as root and confirm every command it executes; AI-generated scripts may include commands or flags you did not ask for, or that do not exist on the system.

Make sure all the necessary tools (dnsmap, urlcrazy, whois, dnsrecon, and dig) are installed.

6. This script automates the domain's OSINT extraction. Execution may take some time and generates output organized as follows.

  • Organized results in labeled sections
    • Subdomains
    • Parallel Domains
    • WHOIS Lookup
    • DNS Records
    • Zone Transfer Check

7. This script also saves the output in a text file with the name domain_info.txt.


8. This concludes the demonstration of using Scripts and AI Tools to automate OSINT.

9. Close all open windows.
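A generated script is worth reading for two things before it runs as root: whether it interpolates the target name straight into a shell command line, and whether it reports a missing tool or a refused zone transfer clearly rather than printing an error and moving on. The Python program below is an added example, not the Domain_OSINT.sh the lab provides and not produced by ChatGPT: it runs the same five checks, validates the domain before it reaches any tool, never uses a shell, records a missing tool instead of failing, and classifies each name server's AXFR response. The two dig transcripts embedded in it are constructed samples for offline use; dnsmap, urlcrazy, whois, dnsrecon and dig are invoked with the arguments the task's prompt lists.

```python
"""Collect domain OSINT with the tools from this task: validated input, no shell, labeled sections."""
import re
import shutil
import subprocess
import sys
from datetime import datetime, timezone

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def validate_domain(domain):
    """Accept only a bare hostname, so the target can never be read as a tool option or shell syntax."""
    domain = domain.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return domain

def build_commands(domain):
    """Argument lists for the first four sections; the flags are the ones the task's prompt names."""
    return {
        "Subdomains (dnsmap)": ["dnsmap", domain],
        "Parallel Domains (urlcrazy)": ["urlcrazy", "-p", domain],
        "WHOIS Lookup": ["whois", domain],
        "DNS Records (dnsrecon)": ["dnsrecon", "-d", domain],
    }

def run(cmd, timeout=300):
    """Run one tool without a shell; return its output, or a note if it is missing or hangs."""
    if shutil.which(cmd[0]) is None:
        return f"[!] {cmd[0]} is not installed; section skipped\n"
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return f"[!] {' '.join(cmd)} timed out after {timeout}s\n"
    return proc.stdout + proc.stderr

def classify_axfr(output):
    """Judge a `dig @ns domain AXFR` transcript: ('open', record_count), ('refused', 0) or ('error', 0)."""
    records = []
    for line in output.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN":
            records.append(parts)  # owner, ttl, class, type, rdata...
    if records:
        return "open", len(records)
    if "transfer failed" in output.lower():
        return "refused", 0
    return "error", 0

def zone_transfer_section(domain):
    """Ask each authoritative server for the whole zone and report which ones hand it over."""
    ns_out = run(["dig", "+short", domain, "NS"])
    servers = [l.strip().rstrip(".") for l in ns_out.splitlines() if l.strip() and not l.startswith("[!]")]
    lines = [f"Name servers: {', '.join(servers) or 'none found'}"]
    for ns in servers:
        out = run(["dig", f"@{ns}", domain, "AXFR", "+time=5", "+tries=1"])
        verdict, count = classify_axfr(out)
        lines.append(f"{ns}: {verdict}" + (f" ({count} records disclosed)" if verdict == "open" else ""))
        if verdict == "open":
            lines.append(out)
    return "\n".join(lines) + "\n"

def report(domain, outfile="domain_info.txt"):
    """Write every section to outfile (the same name the lab's script uses) and return the path."""
    domain = validate_domain(domain)
    sections = {name: run(cmd) for name, cmd in build_commands(domain).items()}
    sections["Zone Transfer Check"] = zone_transfer_section(domain)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(outfile, "w") as fh:
        fh.write(f"# Domain OSINT for {domain} ({stamp})\n\n")
        for name, body in sections.items():
            fh.write(f"===== {name} =====\n{body}\n")
    return outfile

# Constructed dig transcripts (not real servers) so classify_axfr() can be tried offline.
OPEN_AXFR = """; <<>> DiG 9.18.24 <<>> @ns1.target.example target.example AXFR
;; global options: +cmd
target.example.\t3600\tIN\tSOA\tns1.target.example. hostmaster.target.example. 2024030101 7200 3600 1209600 3600
target.example.\t3600\tIN\tNS\tns1.target.example.
www.target.example.\t300\tIN\tA\t203.0.113.10
intranet.target.example.\t300\tIN\tA\t10.0.5.17
target.example.\t3600\tIN\tSOA\tns1.target.example. hostmaster.target.example. 2024030101 7200 3600 1209600 3600
;; Query time: 12 msec
"""
REFUSED_AXFR = """; <<>> DiG 9.18.24 <<>> @ns2.target.example target.example AXFR
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("written:", report(sys.argv[1]))
    else:
        print("open sample:", classify_axfr(OPEN_AXFR), "refused sample:", classify_axfr(REFUSED_AXFR))
```

Run it as python3 domain_osint.py certifiedhacker.com (assumed file name) to produce domain_info.txt; with no argument it only classifies the two embedded transcripts. An open AXFR is a finding on its own: the constructed sample shows why, since the zone hands over an internal RFC 1918 address for intranet.target.example that no forward brute force would have found.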


Exercise 2: Collecting OSINT about Target on the Web

Scenario

This lab focuses on collecting OSINT about the target organization from publicly accessible web sources. It helps penetration testers to gather specific information regarding the target.

Objective

  • Search for Target’s Information using Advanced Search Operators
  • Search for Public Cloud Buckets, blobs, files, and spaces using https://buckets.grayhatwarfare.com

Task 1: Searching for Target’s Information using Advanced Search Operators

Overview of the Lab:

In this lab, we will use Google's advanced search operators and the Google Hacking Database (GHDB) to refine searches and build queries that pull specific, often sensitive, content out of Google's index.

The following table lists the search operators that work with each Google search service. Google has since retired some of them (link: and cache: among others), so expect those to return ordinary results.

Search Service     | Search Operators
-------------------|----------------------------------------------------------------------------------------------------------------------------
Web Search         | allinanchor:, allintext:, allintitle:, allinurl:, cache:, define:, filetype:, id:, inanchor:, info:, intext:, intitle:, inurl:, link:, related:, site:
Image Search       | allintitle:, allinurl:, filetype:, inurl:, intitle:, site:
Groups Search      | allintext:, allintitle:, author:, group:, insubject:, intext:, intitle:
Directory Search   | allintext:, allintitle:, allinurl:, ext:, filetype:, intext:, intitle:, inurl:
News Search        | allintext:, allintitle:, allinurl:, intext:, intitle:, inurl:, location:, source:
Product Search     | allintext:, allintitle:

Lab Tasks

1. Open a web browser and in the address bar type site:certifiedhacker.com -site:www.certifiedhacker.com and press Enter to find all the pages related to the subdomains of certifiedhacker.com.


2. Now, in the address bar type site:certifiedhacker.com inurl:Support to retrieve all the web pages containing “support” in the URL of the pages in the domain specified by the site operator.

The output might differ when you perform this lab.

3. In the address bar, type site:certifiedhacker.com allintitle:login to retrieve all the web pages containing login in the title.


4. Now, we will use dorks available in the Google Hacking Database (GHDB) to perform advanced searches. Open a new tab and in the address bar type https://www.exploit-db.com/google-hacking-database and press Enter to navigate to Google Hacking Database website.

5. In the Google Hacking Database you can see the various Google dorks that can be used for advanced searches.


6. You can click on any Dork to view its details.


7. Click on the Google Search hyperlink to perform a search using the Google dork.


8. This concludes the demonstration of performing web searches using advanced operators.

9. Close all open windows.


Task 2: Searching for Public Cloud Buckets, Blobs, Files, and Spaces using https://buckets.grayhatwarfare.com

Many organizations store data in public cloud storage, and misconfigured buckets are a common source of leaks, so it is worth knowing how to search for them. Web-based indexes of exposed storage help here.

Lab Tasks

1. Open the following URL:

  • https://buckets.grayhatwarfare.com/
  • An example of the website is shown in the screenshot.

2. Take a few minutes to explore the site; it indexes virtually all of the cloud storage services we need to be concerned with. Click AWS to see a listing of buckets and a filter for your query. Filtering requires registration, which is worth doing if you need to run many searches for data.


Exercise 3: Collecting OSINT on Target’s Employees

Scenario

This lab focuses on gathering OSINT about the target organization’s employees from publicly accessible sources. It helps penetration testers identify employee roles, email addresses, social media profiles, job titles, professional networks, personal information, and contact details, which can be leveraged for social engineering attacks and further reconnaissance.

Objective

  • Collect OSINT on Target’s Employees from Social Media Accounts using Sherlock
  • Perform Social Media Content Analysis and OSINT Investigations using Maigret
  • Search for People information using https://cylect.io/

Task 1: Collecting OSINT on Target’s Employees from Social Media Accounts using Sherlock

Sherlock is a Python-based tool that is used to gather information about a target person over various social networking sites. Sherlock searches a vast number of social networking sites for a given target user, locates the person, and displays the results along with the complete URL related to the target person.

Here, we will use Sherlock to gather personal information about the target from the social networking sites.

Here, we are gathering information about Elon Musk. However, you can select a target of your choice.

Lab Tasks

1. Click Parrot Security to switch to Parrot Security machine, open a Terminal window, and execute sudo su to run the programs as a root user (When prompted, enter the password toor).

The password that you type will not be visible.

2. Run sherlock “Elon Musk” command and you will get all the URLs related to Elon Musk, as shown in the screenshot. Scroll down to view all the results.

The results might differ when you perform this task. If you receive any error messages in between, ignore them. Sherlock matches usernames rather than display names, so searching for the target's handle (for example elonmusk) gives more reliable results than a name containing a space.

3. You can use the gathered URLs to obtain sensitive information about the target such as DOB, employment status, and information about the organization that they are working for, including the business strategy, potential clients, and upcoming project plans.

4. This concludes the demonstration of collecting OSINT on target employees from Social Media accounts using Sherlock.

5. You can also use tools such as Social Searcher (https://www.social-searcher.com), UserRecon (https://github.com), etc. to collect additional information related to the target company and its employees from social networking sites.

6. Close all open windows and document all the collected information.


Task 2: Performing Social Media Content Analysis and OSINT Investigations using Maigret

Maigret is an open-source OSINT tool that performs social media content analysis and investigates online profiles by username. It checks for accounts on over 3,000 websites and collects the publicly available information into a profile of the target.

Here, we will use Maigret to perform Social Media content analysis.

Lab Tasks

1. Click Parrot Security to switch to Parrot Security machine, open a Terminal window, and execute sudo su to run the programs as a root user (When prompted, enter the password toor). (Skip this step if you are in the Parrot security machine)


2. Run maigret "Elon Musk" --html and you will get all the online profiles related to Elon Musk, as shown in the screenshot. Scroll down to view all the results.


3. After the analysis is completed, the report is generated in the HTML format and saved in the location /home/pentester/reports/report_Elon Musk_plain.html as shown in the screenshot below.


4. Open the report in the browser.


5. Close all open windows.
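Sherlock and Maigret, used in the two tasks above, work the same way: take a username, substitute it into each site's profile URL, fetch it, and decide whether the profile exists using a per-site rule, because many sites answer 200 with a "no such user" page or redirect to a login page instead of returning 404. The Python script below is an added example, not code from either tool; it implements those three detection rules over a constructed three-site catalogue (hub.example, social.example and forum.example are invented) with a pluggable fetcher, and the canned responses let it run offline. Pass http_fetch for live checks. It refuses display names containing spaces, which is also why a handle works better than "Elon Musk" in the commands above.

```python
"""Check one username across sites the way Sherlock and Maigret do, with a pluggable fetcher."""
import re
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed site catalogue: the URL pattern and how each site signals "no such user".
# Real tools ship thousands of entries; these three are illustrative, not the tools' own data.
SITES = {
    "ExampleHub": {"url": "https://hub.example/{u}", "detect": "status"},
    "ExampleSocial": {"url": "https://social.example/@{u}", "detect": "message",
                      "absent": "This account doesn't exist"},
    "ExampleForum": {"url": "https://forum.example/u/{u}", "detect": "redirect",
                     "absent_url": "https://forum.example/login"},
}

def http_fetch(url, timeout=10):
    """Live fetcher: (status, final_url_after_redirects, body); status None on network failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (OSINT lab)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, url, ""
    except (urllib.error.URLError, TimeoutError, ValueError):
        return None, url, ""

def classify(site, status, final_url, body):
    """Apply the site's rule: 'found', 'absent' or 'unknown' (an unknown is a lead to verify, not a hit)."""
    if status is None:
        return "unknown"
    method = site["detect"]
    if method == "status":      # site returns a real 404 for missing users
        return "found" if status == 200 else "absent" if status == 404 else "unknown"
    if method == "message":     # site returns 200 with an error string in the page
        return "absent" if site["absent"] in body else "found" if status == 200 else "unknown"
    if method == "redirect":    # site bounces missing users to a login or search page
        return "absent" if final_url.startswith(site["absent_url"]) else "found" if status == 200 else "unknown"
    return "unknown"

USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def enumerate_username(username, sites=SITES, fetch=http_fetch, workers=8):
    """Return {site_name: (verdict, url)}; rejects display names, since sites key on handles."""
    if not USERNAME_RE.match(username):
        raise ValueError(f"{username!r} is not a username (no spaces; use the handle, e.g. elonmusk)")
    items = [(name, site, site["url"].format(u=username)) for name, site in sites.items()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        responses = list(pool.map(lambda it: fetch(it[2]), items))
    return {name: (classify(site, *resp), url) for (name, site, url), resp in zip(items, responses)}

# Constructed canned responses so the logic runs offline (no real sites are contacted).
CANNED = {
    "https://hub.example/elonmusk": (200, "https://hub.example/elonmusk", "<h1>elonmusk</h1>"),
    "https://hub.example/nobody-here-42": (404, "https://hub.example/nobody-here-42", "Not found"),
    "https://social.example/@elonmusk": (200, "https://social.example/@elonmusk", "<div>Posts</div>"),
    "https://social.example/@nobody-here-42": (200, "https://social.example/@nobody-here-42",
                                               "This account doesn't exist"),
    "https://forum.example/u/elonmusk": (200, "https://forum.example/u/elonmusk", "<title>Profile</title>"),
    "https://forum.example/u/nobody-here-42": (200, "https://forum.example/login?next=/u/nobody-here-42",
                                               "Sign in"),
}

def canned_fetch(url):
    return CANNED.get(url, (None, url, ""))

if __name__ == "__main__":
    for u in ("elonmusk", "nobody-here-42"):
        print(u, enumerate_username(u, fetch=canned_fetch))
```

The detection rule is the part that decays: sites change their not-found page and a stale "message" string turns every miss into a false "found", which is why both tools carry an error-type per site and why their results need a manual look before they go into a report.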


Task 3: Searching for People Information using https://cylect.io/.

In this lab, you will use Cylect.io, an AI-powered OSINT tool, to search for and analyze publicly available information about individuals. By exploring tools like WebMii and Spokeo, you will learn to gather and review detailed personal data efficiently.

Lab Tasks

1. Click Parrot Security to switch to the Parrot Security machine, open the browser, and visit https://cylect.io/.


2. Scroll down and enter the target person’s name in the search box. Then, select the People option from the list.


3. You will see a list of tools that provide information about people. From the list, select WebMii.


4. A new tab opens with the WebMii website displaying the search results. Take some time to review all the available details.


5. Navigate back to the Cylect.io webpage and click on Spokeo.


6. A new tab opens with the Spokeo website displaying the search results. Review the results and explore the available information.


7. This concludes the demonstration of searching for people information using https://cylect.io/web.

8. Close all open windows.


Exercise 4: Collecting OSINT using Automation Tools

Scenario

This lab covers gathering OSINT using automation tools to streamline data collection and analysis. It allows penetration testers to efficiently extract information such as domain details, IP addresses, employee profiles, technologies in use, and exposed services, enabling faster identification of potential vulnerabilities and attack surfaces.

Objective

  • Gather Open Source Intelligence on a Target using Maltego
  • Gather Open Source Intelligence on a Target using SpiderFoot
  • Perform Web Reconnaissance using reNgine

Task 1: Gathering Open Source Intelligence on a Target using Maltego

Maltego is a footprinting tool used to gather as much information as possible for ethical hacking, computer forensics, and pentesting. It provides a library of transforms that discover data from open sources and visualizes the results as a graph suited to link analysis and data mining. The graphical interface makes relationships between entities immediately visible, including connections that would otherwise stay hidden.

Here, we will gather a variety of information about the target organization using Maltego.

The screenshots will differ while performing the lab tasks.

Lab Tasks

1. Click Parrot Security machine. Type toor in the Password field and press Enter.

2. Launch a terminal and acquire root privileges by executing sudo su command. (When prompted for the password, type toor). Run maltego to launch Maltego.


3. Welcome to Maltego window appears, select Maltego ID under the ACTIVATION OPTIONS section and click Next.

If the Memory Settings Optimized pop-up appears, click Restart Now.

4. In the next window select Online Activation radio button and click Next.


5. As the Configure Maltego window appears along with a LICENSE AGREEMENT form, check the Accept checkbox and click Next.


6. You will be redirected to the Login Link Options section; as shown in the screenshot.


7. Click the copy button to copy the link. Now, open a browser, paste the copied link in the address bar, and press Enter. The Sign In to Maltego page appears; click CREATE ID. The Create Maltego ID page appears; enter your details and click CONTINUE.

If cookie notification appears in the lower section of the browser, click Accept.

8. In the next page, enter your details and click Continue. In the next page, create a new password and click CONTINUE.


9. In the Verify Email window enter the code that is sent to the email and click Verify.


10. Sign In to Maltego window appears, enter the password, and sign in.


11. In the Complete Your Profile window enter the details and click Continue.


12. Authentication Complete window appears. Minimize the web browser, go back to the setup wizard, and click Next in the Login section.


13. In the Maltego ID Activation window, click Next.


14. The Select Data Sources section appears; check the checkbox before Utilities and click Next.


15. In the Download Data Sources window click Next.

If any connection issue error appears, change the system proxy to No Proxy and try again.

16. In the Data Sources T&C section, check the checkbox to accept the terms and conditions and click Next.


17. The Install Data Sources section appears, which will download items from the chosen transform server; click Next.


18. The Help Improve Maltego section appears. Leave the options set to default and click Next.


19. In Web Browser Options, click Next. The Privacy Mode Options section appears; leave the options at their defaults and click Finish.


20. The Maltego Community Edition GUI appears, and the New Graph (1) window will be automatically launched, as shown in the screenshot.

If the New Graph (1)window does not open automatically, click the Create a new graph icon located at the top-left corner of the GUI (in the toolbar) to start a new graph.
If Privacy Notice pop-up displayed, click on the Acknowledge and then I Understand.
If the Previous Configuration Found pop-up appears, click No.

21. In the left pane of the Maltego GUI, you can find the Entity Palette, which lists the built-in entity types. Under the Infrastructure node, observe entities such as AS, DNS Name, Domain, IPv4 Address, URL, Website, etc.

22. Drag the Website entity onto the New Graph (1) window.

23. The entity appears on the new graph, with the www.maltego.com URL selected by default.

If you are not able to view the entity as shown in the screenshot, click in the New Graph (1) window and scroll up, which will increase the size of the entity.

24. Double-click the name www.maltego.com, change it to www.certifiedhacker.com, and press Enter.


25. Right-click the www.certifiedhacker.com entity and select All Transforms.


26. Now, click on the To Domains [DNS].


27. The domain corresponding to the website displays, as shown in the following screenshot.


28. Right-click the certifiedhacker.com entity from the results and select To DNS Name [Using Name Schema dictionary].


29. Observe the status in the progress bar. This transform will attempt to test various name schemas against a domain and try to identify a specific name schema for the domain, as shown in the following screenshot.


30. Once the naming scheme is known, an attacker can target the hosts it predicts. For example, an attacker may run a brute-force or dictionary attack against ftp.certifiedhacker.com to gain access to confidential information.

31. Select only the DNS name entities returned by the transform and delete them.

32. Right-click the certifiedhacker.com entity and select All Transforms –> To DNS Name – SOA (Start of Authority).


33. This returns the primary name server and the email of the domain administrator, as shown in the following screenshot.


34. SOA information identifies the primary name server and the zone's administrative contact; attackers use the former to look for vulnerabilities in the DNS service and the latter as a target for social engineering.

35. Select both the name server and the email and delete them.

36. Right-click the certifiedhacker.com entity and select All Transforms –> To DNS Name – MX (mail server).


37. This transform returns the mail server associated with the certifiedhacker.com domain, as shown in the following screenshot.


38. By identifying the mail exchanger server, attackers attempt to exploit the vulnerabilities in the server and, thereby, use it to perform malicious activities such as sending spam e-mails.

39. Select only the mail server and delete it.


40. Right-click the certifiedhacker.com entity and select All Transforms –> To DNS Name – NS (name server).

41. This returns the name servers associated with the domain, as shown in the following screenshot.


42. By identifying the primary name server, an attacker can implement various techniques to exploit the server and thereby perform malicious activities such as DNS Hijacking and URL redirection.

43. Select the name server entities and delete them, then delete the certifiedhacker.com domain entity, leaving the www.certifiedhacker.com website entity on the graph.


44. Right-click the www.certifiedhacker.com entity and select All Transforms –> To IP Address [DNS].


45. This displays the IP address of the website, as shown in the following screenshot.


46. By obtaining the IP address of the website, an attacker can simulate various scanning techniques to find open ports and vulnerabilities and, thereby, attempt to intrude into the network and exploit them.

47. Right-click the IP address entity and select All Transforms –> To Location [city, country].


48. This transform identifies the geographical location of the IP address, as shown in the following screenshot.


49. By obtaining the information related to geographical location, attackers can perform social engineering attacks by making voice calls (vishing) to an individual in an attempt to leverage sensitive information.

50. Now, right-click the www.certifiedhacker.com website entity and select All Transforms –> To Domains [DNS]. The domains corresponding to the website will be displayed as shown in the screenshot below.


51. Right-click the domain entity (certifiedhacker.com) and select All Transforms –> To Entities from WHOIS [IBM Watson].


52. This transform returns the entities pertaining to the owner of the domain, as shown in the following screenshot.


53. With this information, an attacker can target the servers displayed in the result, or attempt a brute-force or other attack against the administrative mail account and use it to send phishing emails to that account's contacts.

54. Apart from the aforementioned methods, you can perform footprinting on the critical employee from the target organization to gather additional personal information such as email addresses, phone numbers, personal information, images, aliases, phrases, etc.

55. In the left pane of the Maltego GUI, click the Personal node under Entity Palette to observe a list of entities such as Email Address, Phone Numbers, Image, Alias, Phrase, etc.


56. Apart from the transformations mentioned above, other transforms can track the accounts and conversations of individuals who are registered on social networking sites such as Twitter. Extract all possible information.

57. By extracting all this information, you can simulate actions such as enumeration, web application hacking, social engineering, etc., which may allow you access to a system or network, gain credentials, etc.

58. This concludes the demonstration of footprinting a target using Maltego.

59. Close all open windows and document all the acquired information.


Task 2: Gathering Open Source Intelligence on a Target using SpiderFoot

SpiderFoot is an open-source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilizes a range of methods for data analysis, making that data easy to navigate. SpiderFoot has an embedded web server for providing a clean and intuitive web-based interface but can also be used completely via the command line. It’s written in Python 3 and MIT-licensed.

Source: https://github.com/smicallef/spiderfoot

Lab Tasks

1. Let us now take a look at SpiderFoot. There are some challenges in getting it set up, but again we want to show different ways of doing things; being a penetration tester is about working the process and finding the tools that assist it. The first thing we need to do is clone the repository. Enter the following commands:

  • cd ~
  • git clone https://github.com/smicallef/spiderfoot.git
  • cd spiderfoot
  • pip install -r requirements.txt
You will get some error messages, but the tool will still be operational.

2. Now we want to run the tool, enter python3 sf.py -l 127.0.0.1:5001


3. The next thing you want to do is open the browser and enter http://127.0.0.1:5001.


4. We want to run a scan, click on New Scan


5. Take a few minutes and review the different settings of the interface. There are a lot of things that you can extract here, and you are encouraged to explore. We will look at a few of them here. Select Footprint, enter a scan name of ECC, and then enter the target of eccouncil.org and click Run Scan Now.


6. You can follow the scan's progress in the terminal window or in the GUI.


7. Take a few minutes and review the data. For example, you can view the following as shown in the screenshot.


8. If you have time, enter some domains that are of interest to you. As with many of these tools, the data is public, but some sources are only queried after you enter an API key.

9. This tool has a lot of features for you to explore and is recommended for OSINT.


Task 3: Performing Web Reconnaissance using reNgine

In this lab, you will learn to perform Web Reconnaissance using reNgine on a target domain. You will configure the tool, initiate scans, analyze subdomains, identify potential vulnerabilities, and document findings through an interactive dashboard.

Lab Tasks

1. Click Parrot Security to switch to the Parrot Security machine.

2. Open a browser and enter the link http://127.0.0.1. You will be redirected to the login page. Enter the username and password, then click on Login. (Here, the username is root and the password is toor.)

If a Warning window appears, click on Advanced.. and click on Accept the risk and continue.

3. In the Welcome to reNgine window, enter a Project name, scroll down, and click on Complete Setup.

4. In the dashboard, click on Targets from the top menu, and then click on Add Targets to add a target domain address.


5. In the Add or Import Targets window, type the target domain name under Add Targets. Then scroll down and click on Add 1 Targets.


6. You will see the Target window with the added target domain. Click on Initiate Scan.


7. In the next tab, Initiating scan for certifiedhacker.com, under 1 Choose Scan Engine, select a scan engine according to your requirement (here, we are selecting reNgine Recommended). Then click on Next.

8. In the next tab, 2 Import/Ignore Subdomains, scroll down and click Next.


9. In the next tab, 3 URL Scope and Exclusions, scroll down and click Start Scan.


10. You can view the scan status in the Quick Scan History tab. Click on View Results after the scan is completed.


11. The scan results will be displayed in the Scan Findings window as shown in the screenshot:


12. Explore all other options in the Scan Findings tab and analyze the data.

13. Close all tabs after documenting the findings.


Exercise 5: Identifying and Mapping Attack Surface

Scenario

Attack surface mapping is a critical step in penetration testing, combining insights gained from OSINT with detailed scanning and analysis to identify and evaluate potential entry points and vulnerabilities within a target’s infrastructure. This process provides a comprehensive understanding of publicly visible and exploitable components, enabling penetration testers to plan further testing phases effectively. By thoroughly mapping and scanning the attack surface, penetration testers can prioritize vulnerabilities, develop targeted exploitation strategies, and recommend effective defenses. Attack surface mapping ensures that penetration tests are both effective and aligned with the organization’s specific security challenges.

Objective

  • Discover Network Devices with Netdiscover and Nmap
  • Scan with the Tool DMitry
  • Scanning and Scripting with hping3
  • Automate Penetration Testing Tasks Using Bash Scripting
  • Using Workspaces and db_nmap
  • Scanning and Building a Target Database
  • OS Fingerprinting with Nmap
  • Use AI to Perform Network Scanning

Task 1: Discovering Network Devices with Netdiscover and Nmap

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the Netdiscover and Nmap tools. Netdiscover is a network address discovery tool, developed mainly for wireless networks without a DHCP server, although it also works on hub/switched networks. It is based on ARP packets: it sends ARP requests and sniffs for replies.

Lab Tasks

1. Click Parrot Security. By default, pentester is selected as the user. Type toor in the Password field and press Enter.

2. Open a terminal window and enter netdiscover -h. This will display the netdiscover commands as shown in the screenshot:


3. This tool allows the user to discover live systems. In the terminal window, enter sudo netdiscover -i eth0 -p. If you are asked to enter a password, enter toor.


4. With the passive option (-p), targets appear slowly, because netdiscover only listens for ARP traffic instead of sending requests, so it takes a long time to display results. To save time, you can create your own traffic by doing a ping sweep with nmap, which is demonstrated in the next step.

5. In a new terminal window, enter the nmap ping sweep command to generate traffic. To do a ping sweep, type nmap -sn 192.168.0.0/24 and press Enter.


6. Switch back to the netdiscover window to view the output.

7. At times, some machines may not be discovered due to reasons such as the existence of a firewall or some other filter. In such a situation, you may use a Transmission Control Protocol (TCP) scan to confirm the existence of the new machine. To perform a TCP scan, enter the command nmap -sT 192.168.0.0/24.


8. Note that you have not scanned all 65,536 ports, which is preferable. Depending on the target machines’ settings, access to and data obtained from this machine may be limited. Upon scan completion, switch back to the netdiscover window to view the output. In this lab, the netdiscover output remains the same, as no new machines were discovered during the nmap scan.


9. If stealth is not part of the scope of the test and a passive scan is unnecessary, an active scan is the best choice. To discover targets, use Netdiscover as a scanner. To search the network for targets, exit the current netdiscover scan, type sudo netdiscover -i eth0 -r 192.168.0.0/24 in the terminal window, and press Enter. If you are asked to enter a password, enter toor.

10. The targets will be displayed on the screen after some time, as shown in the screenshot. (To speed up the process, you can run a nmap ping sweep scan.)


11. This new method validates your live and target machines. This concludes the lab exercise.


Task 2: Performing Network Scanning using the DMitry Tool

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the DMitry tool. The following activities are included in this lab:

  • Start the DMitry tool
  • Set up the network environment
  • Scan and review the data from the DMitry tool

Lab Tasks

1. Obtain the list of targets using the following scanning methodology:

  • Live Systems
  • Ports
  • Services
  • Enumeration
  • Identify vulnerabilities
  • Exploitation

2. Open a new terminal, enter sudo nmap -sn 192.168.0.0/24. Type toor if you are asked to enter the password. An example of a partial output from the command is shown in the screenshot.


3. The scan reveals a selection of targets; record information about them and decide which ones to target. Since you have already used the Nmap tool, switch to another tool. Note that this module requires proficiency in at least two to three tools for each step of the process.

4. Open a terminal window and enter dmitry -pf 192.168.0.7, as shown in the screenshot.


5. Here DMitry is used as a port scanner and reports the port information for the target (for more information about the tool, please see its man page).

6. In the terminal window, enter dmitry -pb 192.168.0.7, as shown in the screenshot.


7. You are now viewing a banner grab as well as a port scan, as shown in the above screenshot.

8. If there is time, continue using the tool and explore more options.

9. This concludes the lab.


Task 3: Scanning and Scripting with hping3

To begin the lab, a proficient tester may use any tool depending on his or her personal preference. The objective of this lab is to help students use the hping3 tool.

In this lab, you will:

  • Start the hping3 tool
  • Conduct a query with hping3
  • Check hping3 capabilities
  • Execute a simple script within the hping3 command environment
  • Capture packets with hping3
  • Conduct a hping3 scan
  • Review the data from the scan
  • Send files using ICMP

Lab Tasks

1. Click Parrot Security. The Parrot lock screen appears.

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

3. Hping3 is a powerful tool. It is a TCL scripting engine contained within a shell. For the first attempt, practice with a few commands.

4. To begin the lab, launch hping3 by issuing the command sudo hping3 in a command line terminal. If you are asked to enter a password, type toor and press Enter.

5. The first command will send a simple Internet Control Message Protocol (ICMP) echo request to a target. Select one of the available targets you have discovered and enter the following command, replacing the IP address with that of the machine you are targeting. In this lab, we are targeting 172.19.19.7. So, type hping send {ip(daddr=172.19.19.7)+icmp(type=8,code=0)}. Press Enter. This command will send an ICMP type 8 code 0 echo request to a target, as shown in the screenshot.


6. If the ICMP echo request is not visible, verify it by opening a new terminal window; type sudo tcpdump -i eth1 and press Enter. If you are asked to enter a password, type toor and press Enter. This will capture the network traffic. Run the command again and watch the output of the tcpdump command.

Here, we will get a reply from www.goodshopping.com, as it is hosted on the 172.19.19.7 machine.

7. Start a query using the scripting capability of the TCL language. The basic syntax is easy to use. In the hping3 terminal window, type the following command (all on one line) and press Enter:

foreach i [list 5 6 7 8 9 10] {hping send "ip(daddr=172.19.19.7,ttl=$i)+icmp(type=8,code=0)"}

This command sets the time-to-live (TTL) to 5 and increments it by 1 for each subsequent ICMP echo request, up to 10. The output will take time to appear; you may run tcpdump and capture it by entering sudo tcpdump -i eth1 -x -vv | grep ICMP, as shown in the screenshot.

8. Next, identify the capability of hping3 to receive packets. Enter a simple loop to receive packets. In the hping3 terminal window, enter the following command:

while 1 {
    set p [lindex [hping recv eth1] 0]
    puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}

9. The command shown above will help loop and receive packets until you press Ctrl+C to stop the loop.

Enter the commands exactly as shown above to keep the code valid. To scroll through the packet view, open a new terminal window and ping a target by typing ping 172.19.19.7, as shown in the screenshot.

10. Using your chosen text editor, type “You are under attack!” and save the file as attack.sig in Home folder.


11. The hping3 tool allows users to send messages. Accordingly, send the message as a string. Open a new terminal window, type sudo hping3 -2 -p 500 172.19.19.7 -d 139 -E attack.sig, and press Enter. Type toor in the password field and press Enter. This will send the packet to port 139 from port 500.


12. Use Wireshark to view the packet information. In a new terminal window, type sudo wireshark and press Enter. If you are asked to enter the password, enter toor.


13. The Wireshark GUI appears; select the eth1 interface.

14. The window shows the Internet Security Association and Key Management Protocol (ISAKMP) traffic, as you are using User Datagram Protocol (UDP) port 500. The lower window also shows that the message you specified is carried within the packet.


15. The message in the packet can also be displayed using tcpdump: type sudo tcpdump -i eth1 -nX in the terminal window. If you are asked to enter the password, enter toor.

16. Scan a target using hping3. Open a new terminal window and enter sudo hping3 --scan known 172.19.19.7 -S. This command displays the list of open ports/services running on the target.

17. Hping3 is a powerful scanning tool; the previous example used only the known option, which covers the ports listed in /etc/services. Next, specify a range to scan. In the terminal window, enter sudo hping3 --scan '0-3000' 172.19.19.7 -S, as shown in the screenshot.

18. Finally, send files using ICMP. Open two terminal windows and position them side by side.

19. In the first terminal window, enter sudo hping3 127.0.0.1 --listen signature --safe --icmp. Enter toor as the password if asked.

20. Create an ICMP packet to send as a file to the listening hping3 window. This could be accomplished across the machines by simply changing the IP addresses. For this exercise, a loopback address will be used instead.

21. In the second terminal window, type sudo hping3 127.0.0.1 --icmp -d 100 --sign signature --file /etc/passwd. Enter toor as the password if asked.

22. The file contents begin to appear in the first terminal as shown in the following screenshot:


23. The file has been transmitted successfully. Note that this could be any ASCII file and the process can be used for several different actions. This concludes the lab exercise.
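The file transfer in steps 18 to 23 rides on ICMP echo packets whose payload is far larger than that of a normal ping, which is what a defender can look for. As an added example, not part of the lab manual or of hping3, the shell function below reads the text output of sudo tcpdump -nn -i eth1 icmp and reports every echo request whose ICMP length is not the 64 bytes (8-byte header plus 56-byte payload) that a default Linux ping sends. The capture lines are constructed; the 108-byte request on loopback corresponds to the -d 100 transfer above.

```shell
#!/bin/sh
# Added example, not from the lab manual: flag ICMP echo requests whose ICMP
# length differs from the 64 bytes (8-byte header + 56-byte payload) that a
# default Linux ping sends. hping3 --icmp -d 100 --sign ... --file ... produces
# 108-byte requests, so a file transfer over ICMP stands out in this view.
# Input: text output of "sudo tcpdump -nn -i eth1 icmp" (assumed line format).

# Constructed sample capture: one normal ping exchange, one hping3 transfer
# packet on loopback (seq 0, length 108), then another normal request.
SAMPLE_ICMP_LOG='12:00:01.000001 IP 172.19.19.5 > 172.19.19.7: ICMP echo request, id 1234, seq 1, length 64
12:00:01.000120 IP 172.19.19.7 > 172.19.19.5: ICMP echo reply, id 1234, seq 1, length 64
12:00:02.000001 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 4321, seq 0, length 108
12:00:02.000002 IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 4321, seq 0, length 108
12:00:03.000001 IP 172.19.19.5 > 172.19.19.7: ICMP echo request, id 1234, seq 2, length 64'

# odd_icmp_requests [EXPECTED]: read tcpdump lines on stdin and print
# "src dst length" for every echo request whose length is not EXPECTED (64).
odd_icmp_requests() {
    want="${1:-64}"
    awk -v want="$want" '
        /ICMP echo request/ {
            src = $3                       # field 3 is the source address
            dst = $5; sub(/:$/, "", dst)   # field 5 is "dst:", strip the colon
            len = $NF                      # the line ends with the ICMP length
            if (len + 0 != want + 0) print src, dst, len
        }'
}

# count_odd LOGTEXT [EXPECTED]: number of flagged requests in LOGTEXT.
count_odd() {
    printf '%s\n' "$1" | odd_icmp_requests "$2" | wc -l | tr -d ' '
}

# Run on the constructed sample. On a live box, pipe tcpdump into the function:
#   sudo tcpdump -nn -l -i eth1 icmp | odd_icmp_requests
printf '%s\n' "$SAMPLE_ICMP_LOG" | odd_icmp_requests
```

The expected length is a parameter because other ping implementations use other defaults (Windows ping sends 32 data bytes, for instance); pass the value that is normal on the network being watched.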


Task 4: Automating Penetration Testing Tasks Using Bash Scripting

Bash is a command processor that typically runs in a text window, where the user types commands that cause actions. Bash can also read commands from a file, called a script. Like all Unix shells, it supports filename globbing (wildcard matching), piping, here documents, command substitution, variables, and control structures for condition-testing and iteration. The keywords, syntax, and other basic features of the language were all copied from sh.
Bash scripting aids pentesters during the penetration testing process, as they can perform multiple tasks, such as running Nmap commands and FTP commands, in one go, thereby avoiding the need to run each command individually.

Lab Tasks

1. Click Parrot Security. Parrot lock screen appears.

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

3. Navigate to Places and click Home Folder. The Home Folder directory window appears, double-click on the pentest.sh file to open and view the bash script.


4. This bash script is used to perform:

  • Automated reconnaissance on a specified network range for live machines with FTP port open
  • Dictionary attack on selected IP Address and reveal user credentials
  • Login to the FTP server using the attained credentials

5. The first line of the bash script is #!/bin/bash, meaning that the script should always be run with bash, rather than another shell.


6. The tput clear command in the second line clears the screen and puts you at the top of the terminal screen.


7. The echo command is used to display a line of text/string on a standard output or a file. So, whatever you type in between double quotes will be printed on the screen. In this lab, we are performing a Nmap scan for live host and FTP open port identification. So, you can observe the text written in the echo command as shown in the screenshot:


8. Minimize the pentest.sh file window. Now, let us run the bash script. Launch a command line terminal, type bash pentest.sh, and press Enter.


9. Minimize the command line terminal and maximize the Leafpad window. The read command allows you to read a line from standard input. It accepts the input from the keyboard and assigns it to a variable. In this lab, we are using the read command to enter the IP Address range on which we will be performing a Nmap scan for live host detection. In this lab, the variable used for addressing the IP Address range is ip_range.


10. Minimize the Leafpad window and maximize the command line terminal. As described in the earlier steps, the tput clear command clears the screen and places the cursor at the top of the terminal, and the echo command then prints its prompt. Type 172.19.19.7-50 and press Enter. We selected the range 7-50 to ease the process and save time.

11. Minimize the command line terminal and maximize the text editor window. nmap -sP $ip_range -oG out.txt: -sP is used to identify live hosts in the entered IP Address range. $ip_range grabs the value (IP Address range) you entered in the read command. -oG represents greppable output. It is a simple format that lists each host on one line and can be trivially searched and parsed with standard Unix tools such as grep. Once the Nmap scan is completed, its output is stored in the out.txt file. So, by entering nmap -sP $ip_range -oG out.txt, nmap is going to perform live host detection and send the greppable output to out.txt file. You can view the out.txt file created in the root folder for a better understanding.


12. The cat (short for “concatenate”) command allows you to view the contents of one or more files, create files, concatenate files, and redirect the output to the terminal or to files. The pipe | passes the output of cat out.txt to the grep command. The grep command searches the given file (out.txt) for lines containing a match for the given string (Up). So, the script line cat out.txt | grep Up > out1.txt searches out.txt for all the lines in which the status of the IP address is Up and saves those lines to out1.txt. You can view the out1.txt file created in the root folder for a better understanding.

13. The cut command selects a portion of text from each line of a file. You can use it to select fields or columns from a line by specifying a delimiter. In the script line cat out1.txt | cut -d " " -f2 > open.txt, the content of out1.txt is passed to the cut command with " " (space) as the delimiter, so field 2 of each line of out1.txt (the text between the first and second spaces, which is the IP address) is selected and the output is saved to the open.txt file. For a better understanding, you may view the open.txt file created in the root folder.

14. In the script line nmap -p 21 `cat open.txt` -oG final.txt, the backticks substitute the contents of open.txt into the command, so Nmap scans port 21 on the IP addresses listed in the open.txt file and saves the greppable output to the final.txt file. You may view the final.txt file created in the root folder for a better understanding.

15. So far, Nmap has performed live host and FTP open port identification. The script cat final.txt | grep open > ftp.txt is used to view the output stored in final.txt, find the lines containing the string “open” and save those lines to a file named ftp.txt. You may view the ftp.txt file created in the root folder for a better understanding.


16. So far, we have obtained machines that are up and have the FTP port open. Now, we shall echo the IP Addresses of these machines on the screen. The echo “” represents an empty line. In the next line, we are writing something stating that the scan has been performed. This will be returned on the screen as we are using the echo command.


17. Note that our aim is to view only the IP addresses in the file ftp.txt. To view only the IP address, we use the script line cat ftp.txt | cut -d " " -f2. Here, field 2 (the text between the first and second spaces) is selected from each line of the ftp.txt file, so only the IP address is displayed on the screen.

18. Now, minimize the text editor window and maximize the command line terminal. Nmap has performed live host identification on the given IP Address range. Once the live hosts are identified, the script is written in such a way, that a new nmap scan is initiated to find the machines (among the identified live hosts) that have the FTP port open. The live machines with the FTP port open are displayed as shown in the screenshot.

Screenshots may differ while performing the lab.
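The reconnaissance half of pentest.sh (steps 9 to 18) is a pipeline over nmap's greppable output. As an added example, not the lab's own script, it is rebuilt here as functions whose parsing can be exercised on constructed -oG output without running nmap; recon() shows the same steps wired to real nmap calls, using $(cat open.txt) in place of the backticks in step 14. The file names follow the lab's script; the sample output lines are constructed.

```shell
#!/bin/bash
# Added example, not the lab's pentest.sh: the reconnaissance half of the
# script (live-host sweep, then FTP port check) rebuilt as functions that
# parse nmap greppable (-oG) output, so the parsing can be exercised on
# constructed output without a network. File names follow the lab's script.

# Constructed -oG output of "nmap -sP 172.19.19.7-50 -oG out.txt".
# nmap separates the fields of a host line with a tab, hence printf '\t'.
SAMPLE_SWEEP="$(
  printf '# Nmap scan initiated as: nmap -sP 172.19.19.7-50 -oG out.txt\n'
  printf 'Host: 172.19.19.7 ()\tStatus: Up\n'
  printf 'Host: 172.19.19.9 ()\tStatus: Up\n'
  printf '# Nmap done -- 44 IP addresses (2 hosts up) scanned\n'
)"

# Constructed -oG output of "nmap -p 21 172.19.19.7 172.19.19.9 -oG final.txt".
SAMPLE_FTP="$(
  printf 'Host: 172.19.19.7 ()\tPorts: 21/closed/tcp//ftp///\n'
  printf 'Host: 172.19.19.9 ()\tPorts: 21/open/tcp//ftp///\n'
)"

# live_hosts: steps 12-13 of the lab. Keep lines whose status is Up and cut
# the second space-separated field, which is the address. Anchoring on
# "Status: Up" rather than the bare word Up avoids matching comment lines.
live_hosts() {
    grep 'Status: Up' | cut -d ' ' -f2
}

# ftp_hosts: steps 15-17. Keep hosts where 21/tcp is reported open.
ftp_hosts() {
    grep '21/open/tcp' | cut -d ' ' -f2
}

# recon IP_RANGE: the same steps wired to real nmap runs (not exercised here).
# $(cat open.txt) replaces the manual's backticks; "nmap -iL open.txt" is
# nmap's built-in way to read targets from a file and would do the same job.
recon() {
    ip_range="$1"
    nmap -sP "$ip_range" -oG out.txt > /dev/null
    live_hosts < out.txt > open.txt
    nmap -p 21 $(cat open.txt) -oG final.txt > /dev/null
    ftp_hosts < final.txt > ftp.txt
    echo ""
    echo "Live hosts with the FTP port open:"
    cat ftp.txt
}

# Exercise the parsers on the constructed samples:
printf '%s\n' "$SAMPLE_SWEEP" | live_hosts
printf '%s\n' "$SAMPLE_FTP" | ftp_hosts
```

Keeping the parsing in functions that read standard input is what makes the script testable: the same functions run on a saved scan file or on constructed lines, and only recon() needs the network.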

19. Minimize the command line terminal and maximize the text editor window. So far, the above-explained scripts are used to perform live host and FTP port identification. Now, we shall use a machine obtained from the Nmap scanning; and perform a dictionary attack to crack user credentials that have weakly implemented passwords. Before that, we shall use the echo command to write some content related to the dictionary attack, for better understanding.


20. As discussed before regarding the read command, we use it here to enter the target machine’s IP address. In this lab, the variable that holds the target IP address is ip_addr.

21. Minimize the text editor window and maximize the command line terminal. Since we have obtained the machines whose FTP ports are open, enter the IP address of the machine on which you would like to perform a dictionary attack to obtain FTP credentials. In this lab, we are going to attack the FTP server whose IP address is 172.19.19.9. So, type the IP address 172.19.19.9 and press Enter.

This performs a Dictionary attack on the machine's user accounts using Hydra.

22. Minimize the command line terminal and maximize the text editor window. hydra -L /home/pentester/Wordlists/Usernames.txt -P /home/pentester/Wordlists/Passwords.txt ftp://$ip_addr: We use Hydra to perform a dictionary attack on the FTP server. The -L switch specifies the username list, provided at /home/pentester/Wordlists/Usernames.txt. The -P switch specifies the password list, provided at /home/pentester/Wordlists/Passwords.txt. In ftp://$ip_addr, $ip_addr holds the IP address you entered at the read command. So, Hydra performs a dictionary attack on the IP address you entered in the previous step.

23. Minimize the text editor window and maximize the command line terminal. On issuing the IP address, Hydra begins to perform a dictionary attack on the machine and starts displaying the user credentials, as shown in the screenshot.

It takes around 3 minutes for Hydra to crack all the credentials.

24. Minimize the command line terminal and maximize the text editor window. By now, you will have obtained the user credentials to log in to the FTP server, so your next task is to log in to the server. Before that, we use the echo command to print a prompt for the FTP login, as shown in the screenshot:

25. Now, we use the read command to enter the target machine’s IP address. In this lab, the variable that holds this IP address is ftp_ip.

26. Minimize the text editor window and maximize the command line terminal. Once the credentials are obtained, you will be asked to enter the IP Address of the machine to log in to the FTP server. Type 172.19.19.9 and press Enter.


27. Minimize the command line terminal and maximize the text editor window. Upon entering the IP Address, the command ftp $ftp_ip is given to log in to the IP Address of the target machine.


28. Minimize the Leafpad window and maximize the command line terminal. You will be asked to enter a username. In this lab, we are logging in to jason user’s account. So type jason and press Enter.

You may issue any one of the account's usernames in the Name field.

29. You will be asked to enter the password for the user account. Since we are going to log in to jason’s user account, type green (the password for jason’s user account) and press Enter.

The Password field remains blank while you are typing the password.

30. On issuing the user credentials, you will be logged in to the FTP Server, as shown in the screenshot.


31. In the same way, you may run this script to crack user credentials and access an FTP server hosted on other networks. Close all the opened windows.

In this lab, you have successfully performed a subnet scan, found machines having FTP ports open, performed a dictionary attack to attain credentials, and successfully logged in to the server using the obtained credentials.


Task 5: Using Workspaces and db_nmap

In this lab, you will:

  • Conduct the task of creating workspaces
  • Use db_nmap contained within the Metasploit Framework
  • Store and retrieve the scan results from the tool
  • Import the results into a Metasploit module

Lab Tasks

1. Open a new terminal window and start the SQL server. In the terminal window, type sudo service postgresql start and press Enter. Enter the password toor if you are required to. This command starts the PostgreSQL database service.

2. After the database is launched, type sudo msfdb init, and press Enter. Enter the password toor if you are required to. The msfdb init command initializes and creates the PostgreSQL database for Metasploit.

3. If a database appears to be already configured, a message to skip initialization appears; ignore the message.

4. Once the databases are created and initialized, we can quickly fire up Metasploit using the command sudo msfconsole. Enter the password toor if you are required to.

5. To find out the status of the database, type db_status in the terminal window, as shown in the screenshot.


6. The Metasploit tool has different workspaces; type workspace -h to see the different commands available for the workspace. Once you have reviewed them, continue.


7. Create a workspace for your data by typing workspace -a LPT. You now have a workspace set up and are ready to use the built-in Nmap database within Metasploit.

8. Next, use the tool to conduct the scanning methodology. Enter db_nmap -sP 192.168.0.0/24 as shown in the screenshot.


9. Once the scan is complete, move to the next step; type db_nmap -sS 192.168.0.2-70.

10. Once the scan is complete, move to the next step; type db_nmap -sV 192.168.0.2-70.

11. Once the scan is complete, move to the next step; type db_nmap -A 192.168.0.2-70.

12. You have now conducted the bulk of the scanning methodology. Sufficient data have been stored in the workspace. To examine the database information, type services and press Enter, as shown in the screenshot.


13. The results show all services from the scans; this is the start of the target database and works well for penetration testing.

14. Next, examine the database list of hosts; type hosts as shown in the screenshot.


15. Because of the virtual environment, you may not receive the most accurate data. Additional analysis is needed to better clarify the targets.

16. Enter hosts -h to see the available options. Use the hosts command with the -c switch to display only the IP address and OS type.

17. Type hosts -c address,os_flavor and press Enter, as shown in the screenshot.


18. Note that you can also search all entries for a specific target. If you wish to find only Linux-based machines from the scan, use the “-S” option. This option can be combined with our previous example to fine-tune the results. Type hosts -c address,os_flavor -S Linux.


19. Next, import the results of the scans into a Metasploit module. Type use auxiliary/scanner/portscan/tcp and press Enter.

20. Input the data into the scanner by using the -R option; type hosts -c address,os_flavor -S Linux -R and press Enter, as shown in the screenshot.

21. The above command will import the results in the host table into RHOSTS; you can view this by entering show options. Note that there might be extra hosts in the database.


22. Once you are ready, type run and press Enter. The scan will be conducted against the target added to the database, as shown in the screenshot.


23. You have diverse search options; for this, type services -c name,info -S http and press Enter. This will search the hosts for services with HTTP in the name.

24. There are many combinations for searching. You can use specific ports or port ranges, or the full or partial service name when using the “-s” or “-S” switches, as well as for all hosts or a select few. However, you may need to experiment with these features to obtain the desired results.

25. As you have seen in this exercise, we have many options to work with when using the database capability within Metasploit; therefore, you are encouraged to research on your own.

26. This concludes the lab.


Task 6: Scanning and Building a Target Database

Once the tools are used, a target database must be created to prioritize targets. This is a critical step in producing the final report. The objective of this lab is to help students analyze the output of a tool and check if they can start to populate the target database used to produce the report.

In this lab, you will

  • Scan for targets
  • Conduct the scanning methodology
  • Review the data from the scans
  • Analyze the scan output
  • Build an initial target database

Lab Tasks

1. Click Parrot Security. Parrot lock screen appears.

2. By default pentester is selected as the user. Type toor in the Password field and press Enter.

3. Launch a command-line terminal. In a terminal window, type nmap and press Enter. This exercise requires a good understanding of the scanning methodology. A quick review of the commands is listed here, without the screenshots.

4. Enter the following:

  • Live Systems: -sP
  • Ports: -sS
  • Services: -sV
  • Enumerate: -A

5. The output can be written in XML format by adding X to the output option (-oX). The XML then has to be converted to HTML for viewing: older browsers could render the XML directly, but this is no longer reliable, since most browsers no longer allow such rendering owing to security settings.

6. Convert the file to HTML using the xsltproc command. Enter xsltproc -o ~/scanresults.html /usr/share/nmap/nmap.xsl scan.xml.

Run an nmap command to create a scan.xml file.

7. An example of the XML-formatted output is shown in the screenshot.


8. The XML format is a good choice for preparing and creating the database.

9. Next, populate the target database. For this, the following database information is required:

  • Host/IP
  • OS
  • Ports
  • Services
  • Vulnerabilities
  • Exploit
  • Notes
  • Priority

10. The database table key is as follows:

  • Host/IP: Include both items if available or only the IP
  • OS: Include all information available to provide specific service packs, so that the target selection is easier
  • Ports: If too many ports exist, only include those relevant
  • Services: The service and the version to the best of knowledge
  • Vulnerabilities: The vulnerabilities discovered either with a scanner, manually, or through personal research
  • Exploit: Any exploit that can be linked to a vulnerability for the targets; if successful, write it in red
  • Notes: Any additional information discovered about the target

11. An example of the above is shown in the screenshot.


12. From this point forward, create a target database for every opportunity, range, or environment.

13. This concludes the lab exercise.
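The lab takes the XML route (-oX, then xsltproc) to get a readable report. As an added example that is not part of the lab manual, the script below builds the first four columns of the target database described in step 9 (Host/IP, OS, Ports, Services) from the greppable -oG output of an nmap -sV -O scan, leaving Vulnerabilities, Exploit, Notes and Priority empty for the tester to fill in. The two host lines are constructed sample output; the field layout (tab-separated fields, port entries written as port/state/proto/owner/service/rpc/version/) is nmap's greppable format.

```shell
#!/bin/sh
# Added example, not from the lab manual: build the first columns of the
# target database (Host/IP, OS, Ports, Services) from the greppable output
# of "nmap -sV -O <targets> -oG scan.gnmap". The Vulnerabilities, Exploit,
# Notes and Priority columns are left empty for the tester to fill in.

# Constructed sample: two host lines as nmap -oG writes them. Fields are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_OG="$(
  printf 'Host: 192.168.0.7 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/\tIgnored State: closed (997)\tOS: Linux 4.15 - 5.6\n'
  printf 'Host: 192.168.0.12 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (998)\tOS: Windows Server 2016\n'
)"

# og_to_targetdb: read -oG lines on stdin and write one CSV row per host with
# only its open ports (the lab's "only include those relevant") and the
# service/version pairs found for them.
og_to_targetdb() {
    printf 'Host/IP,OS,Ports,Services,Vulnerabilities,Exploit,Notes,Priority\n'
    awk -F'\t' '
        /^Host: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            os = ""; ports = ""; svcs = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^OS: /) { os = substr($i, 5) }
                else if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), entry, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                        if (f[2] != "open") continue
                        ports = ports (ports == "" ? "" : ";") f[1] "/" f[3]
                        svc = f[5]; if (f[7] != "") svc = svc " " f[7]
                        svcs = svcs (svcs == "" ? "" : ";") svc
                    }
                }
            }
            printf "%s,\"%s\",\"%s\",\"%s\",,,,\n", ip, os, ports, svcs
        }'
}

# row_for IP: the CSV row for one host from the constructed sample.
row_for() {
    printf '%s\n' "$SAMPLE_OG" | og_to_targetdb | grep "^$1,"
}

# Write the table for the sample; on a real scan: og_to_targetdb < scan.gnmap
printf '%s\n' "$SAMPLE_OG" | og_to_targetdb
```

The CSV opens directly in a spreadsheet, so the Vulnerabilities, Exploit, Notes and Priority columns can be completed by hand as the later phases produce their findings, and the OS column can be corrected after the -O results of Task 7 have been validated with a second tool.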


Task 7: OS Fingerprinting with Nmap

A penetration tester must use a tool to fingerprint the OS. The choice of tool here is the most popular tool on the market that is free and open source: Nmap. The objective of this lab is to help students use the Nmap tool and focus on the tool’s OS capability.

In this lab, you will

  • Fingerprint the OS
  • Compare different scan options
  • Analyze the tool output

Lab Tasks

1. There is a specific option for attempting to enumerate the OS with Nmap: the -O option (the letter O, not zero).

2. Using your target database, use the -O option to fingerprint the OS.

3. Start capturing on Wireshark.

4. In a terminal window, type sudo nmap -O 192.168.0.X, replacing the X with the required IP address number from your target database, as shown in the screenshot.

If you are asked for a password, type toor and press Enter.

5. Carefully review the results and transfer the required data to the target database.

6. As required, re-scan and enter the required IP addresses for the other machines to finish populating your target database.

7. Note that Nmap is noisy and uses many packets to detect the OS; if stealth is a requirement, this may not be the best tool.

8. It is imperative to use multiple tools, at least two, to validate and verify the information that any one tool discovers.

9. Once you fully understand the process, you may continue to review and evaluate the tools that you need to be a professional security tester.

10. This concludes the lab exercise.
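The target database built in the previous task and the -O fingerprint from this one both come from the same Nmap run once it is saved as XML (step 8 of the previous task). The following is an added example, not part of the lab manual or the Nmap project, that turns such XML into one row per live host with the manual's columns. The XML is a constructed sample shaped like what nmap -O -sV -oX writes, and the Priority rule is an assumption, since the manual leaves that scheme to the tester.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (as nmap -O -sV -oX writes it),
# trimmed to the elements this parser reads; not captured from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/>
  <address addr="192.168.0.10" addrtype="ipv4"/>
  <hostnames><hostname name="fileserver.lab.local"/></hostnames>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="7.4"/></port>
   <port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2012 R2" accuracy="96"/></os>
 </host>
 <host><status state="down"/><address addr="192.168.0.11" addrtype="ipv4"/></host>
</nmaprun>"""

# Columns of the lab's target database, in the order the manual lists them.
FIELDS = ["Host/IP", "OS", "Ports", "Services", "Vulnerabilities", "Exploit", "Notes", "Priority"]

def parse_nmap_xml(xml_text):
    """Return one target-database row (a dict keyed by FIELDS) per live host."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # only live hosts belong in the target database
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        # Host/IP: both items when the hostname is known, otherwise the IP only
        host_ip = f"{hn.get('name')} / {ip}" if hn is not None else ip
        ports, services = [], []
        for p in host.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            ports.append(f"{p.get('portid')}/{p.get('protocol')}")
            svc = p.find("service")
            ver = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            services.append(f"{p.get('portid')}:{svc.get('name')} {ver}".strip())
        # OS: best match plus Nmap's accuracy, so the guess can be weighed before a second tool confirms it
        om = host.find("os/osmatch")
        os_str = f"{om.get('name')} ({om.get('accuracy')}%)" if om is not None else "unknown"
        # Priority: constructed rule (more open ports = more surface); Vulnerabilities, Exploit and Notes stay empty for manual entry
        prio = "High" if len(ports) >= 3 else "Medium" if ports else "Low"
        rows.append(dict(zip(FIELDS, [host_ip, os_str, ", ".join(ports),
                                      ", ".join(services), "", "", "", prio])))
    return rows
```

Hosts reported down are dropped, and a host with no osmatch element is recorded as "unknown" rather than guessed, which keeps the OS column honest until a second tool has been run.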


Task 8: Automating Network Scanning using AI-Powered Tools

A penetration tester can use AI tools such as Microsoft Copilot to perform attack surface mapping. The objective of this lab is to allow students to use the AI tool and:

  • Discover Live Hosts
  • Scan different ports
  • OS Banner Grabbing and Service Version Discovery

Lab Tasks

1. Click Parrot Security to switch to the Parrot Security machine, open Mozilla Firefox, and go to any AI tool (here, we are using Copilot, https://copilot.microsoft.com).


2. In the Message Copilot text box, enter the sample prompt below to generate a Python script that performs attack surface mapping of the target IP or network.

Generate a Python script to analyze the attack surfaces of a target website. The script should prompt for the input URL and perform the following tasks sequentially: 1. Host Discovery: Perform ICMP Ping scan, ARP Ping scan, UDP Ping scan, and TCP Ping scan to identify live hosts. 2. Port Scanning: Conduct TCP connect/full open scan, UDP scan, half-open scan, Xmas scan, and SCTP INIT scan to detect open ports. 3. Service Version Discovery: Retrieve information about the target's operating system, running services, and their versions from the identified live hosts. Ensure the script saves all gathered information in a text file.
The output you obtain when performing this lab may differ.

3. Save the obtained Script in a text file named Attack_Surface_Mapping.py.

4. Launch a command-line terminal. In the terminal window, type sudo su and press Enter. Type toor as the password.


5. You can run the sample Python script that is already saved and available in the /home/pentester/Scripts/Module 3 location.

6. Go to that location in the terminal, type python3 Attack_Surface_Mapping.py, and press Enter. Once running, the script asks for the target URL or IP address to be scanned.


7. Type 192.168.0.0/24 and press Enter.

Wait for the scan results; the script performs multiple scans sequentially, so this takes some time.

8. After the execution is completed, open the scan results file to analyze the output obtained as shown in the given screenshots.


9. This concludes the lab task.

Mehmood Ali

I am a Cybersecurity Consultant with over 8 years of experience as a SOC analyst and in digital forensics, cloud security, network security, and incident response. With 20+ international certifications, I have successfully designed secure systems, led vulnerability assessments, and delivered key security projects. I am skilled at improving incident response times, mitigating threats, and ensuring compliance with ISO 27001 standards.
