D2
Administrator
- Joined: 19 Feb 2025
- Messages: 4,380
- Reactions: 0
Nmap is very powerful if used correctly, especially for mapping a network.
Beginning my workflow, I start with passive DNS recon, usually with dnsdumpster.com and other online tools. Once the list is compiled, two groups are made: sites and hosts. The initial goal is to get a high-level view of the network for better understanding. This is accomplished with an OS detection scan on all the hosts using the arguments: -iL hosts.txt, -O, --traceroute. Next, an aggressive port scan is done with: -sC, -sV, -p-, --open, -T5, -oA, --traceroute. The topology tab in Zenmap is translated to my notes with Obsidian's graph view. The --traceroute option really helps find unscanned hosts, along with grepping commonName and Alternative Name. To be thorough, Nmap's output is reviewed for any new subdomains and IPs by searching for lines containing the root domain, "commonName", "Alternative Name". Finally, newly found hosts are scanned and the initial DNS recon is done. This is a very basic approach to active DNS recon, but with the help of Obsidian's link and branch feature, Nmap's topology can be replicated, technologies and versions can be grouped, and it really helps visually.
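As an added example (not part of D2's post), this Python script does the "search for the root domain, commonName and Alternative Name" step against the XML file that -oA writes, and lists in-scope names that were not in the original hosts.txt; it is the same check an asset-inventory review uses to spot hosts missing from a known-systems list. The XML sample, the example.com scope and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (-oA writes the .xml): one host
# with an ssl-cert script result and a traceroute. Not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <service name="https"/>
      <script id="ssl-cert" output="Subject: commonName=www.example.com/organizationName=Example&#xa;Subject Alternative Name: DNS:www.example.com, DNS:api.example.com, DNS:*.cdn.example.net&#xa;Issuer: commonName=Example CA"/>
    </port></ports>
    <trace><hop ttl="1" ipaddr="192.0.2.1" rtt="0.9" host="edge-rtr.example.com"/>
           <hop ttl="2" ipaddr="192.0.2.10" rtt="1.2" host="www.example.com"/></trace>
  </host>
</nmaprun>"""

CN_RE = re.compile(r"commonName=([^/\s,]+)")   # Subject/Issuer CN fields
SAN_RE = re.compile(r"DNS:([^,\s]+)")          # Subject Alternative Name entries

def names_from_nmap_xml(xml_text, root_domain):
    """Map every hostname Nmap recorded (PTR, cert CN/SAN, traceroute hop
    names) that belongs to root_domain to the IPs it was seen on."""
    seen = {}
    def add(name, ip):
        name = name.lower().lstrip("*.")  # wildcard SAN -> its base name
        if name == root_domain or name.endswith("." + root_domain):
            seen.setdefault(name, set()).add(ip)
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for hn in host.iter("hostname"):
            add(hn.get("name"), addr)
        for script in host.iter("script"):
            if script.get("id") == "ssl-cert":
                out = script.get("output", "")
                for name in CN_RE.findall(out) + SAN_RE.findall(out):
                    add(name, addr)
        for hop in host.iter("hop"):          # --traceroute hop names
            if hop.get("host"):
                add(hop.get("host"), hop.get("ipaddr"))
    return seen

def unscanned_hosts(xml_text, root_domain, scanned):
    """In-scope names that were not in the original hosts.txt list."""
    found = names_from_nmap_xml(xml_text, root_domain)
    return sorted(n for n in found if n not in scanned)

if __name__ == "__main__":
    print(unscanned_hosts(SAMPLE_XML, "example.com", {"www.example.com"}))
```

Out-of-scope names such as the cdn.example.net wildcard are dropped by the root-domain filter, so only names under the agreed scope are fed back into the next scan list.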