Red teaming reconnaissance and information gathering techniques

recon_methods.sh

# define your target
export TARGET = brannon.online

# perform a whois lookup
whois $TARGET

# do a dns lookup
nslookup $TARGET
# here we find that 34.201.87.194 is the
# true IP address of the $TARGET

export TARGET_IP=34.201.87.194

# perform another whois lookup to determin
# the owner of the IP block the IP address
# belongs to
whois $TARGET

# perform an nmap scan to determin OS version 
# and open ports and services
#   -Pn: Treat hosts as online and don't ping scan, as this is blocked by many firewals
#   -sS: TCP SYN scan (or stealth scan). Requires root access, exclude this flag if you don't have it.
#   -A: Enables OS detection, version detection, script scanning, and traceroute
#
# nmap references and cheatsheets:
#   - https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide
sudo nmap -Pn -sS -A $TARGET_IP

# optionally, perform a vulnerabilities scan against the versions
# of services found to be running on the machine from the nmap scan
# using a nmap scritp (.nse). Must have nmap-vulners.nse installed:
#   $ locate *.nse # use this to find where nmap scripts are stored
#                  # likely /usr/share/nmap/scripts on linux
#   $ cd /usr/share/nmap/scripts
#   $ git clone https://github.com/vulnersCom/nmap-vulners
nmap -sV --script=nmap-vulners $TARGET_IP

# perform a geolocation traceroute to determin where in the world
# your target server lives, and what hops it might need to get there
#   - replace -p with the port you would like to target if not http server
sudo nmap --traceroute --script traceroute-geolocation -p 80 $TARGET_IP

# perform a bruteforce dns subdomain guess attack enumerating common subdomains
#   -sn: Don't port scan
#   -Pn: Don't ping scan
nmap -sn -Pn --script dns-brute $TARGET_IP