# External Information Gathering

## Overview

External Information Gathering is the critical first phase of enterprise network attacks. This process involves systematic reconnaissance to map the attack surface, identify services, discover subdomains, and gather intelligence for targeted exploitation against external-facing infrastructure.

## Initial Network Reconnaissance

### Quick Port Discovery

```bash
# Initial top 1000 ports scan
sudo nmap --open -oA target_tcp_1k -iL scope

# Key findings analysis:
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
993/tcp  open  imaps
995/tcp  open  pop3s
8080/tcp open  http-proxy
```

Service categories identified:

- Web services (80, 8080)
- Email services (25, 110, 143, 993, 995)
- File transfer (21)
- Remote access (22)
- DNS services (53)

### Comprehensive Service Enumeration

```bash
# Full port aggressive scan
sudo nmap --open -p- -A -oA target_tcp_all_svc -iL scope

# Key service discoveries:
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
25/tcp   open  smtp    Postfix smtpd
53/tcp   open  domain  (unknown banner: 1337_HTB_DNS)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

# Anonymous FTP access discovered:
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              38 May 30 17:16 flag.txt
```

### Service Analysis with Nmap Grep

```bash
# Extract service information efficiently from the greppable (.gnmap) output
grep -Ev "^#|Status: Up" target_tcp_all_svc.gnmap | cut -d ' ' -f4- | tr ',' '\n' | \
sed -e 's/^[ \t]*//' | awk -F '/' '{print $7}' | grep -v "^$" | sort | uniq -c | sort -k 1 -nr

# Results:
      2 Dovecot pop3d
      2 Dovecot imapd (Ubuntu)
      2 Apache httpd 2.4.41 ((Ubuntu))
      1 vsftpd 3.0.3
      1 Postfix smtpd
      1 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
      1 2-4 (RPC #100000)
```
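As an added example (not code from the HTB Academy module), here is the same tabulation in Python, parsing the .gnmap port-entry layout by field name rather than by counting `/` separators, so it also keeps host, port, state and service for later filtering. The sample .gnmap text is constructed to mirror the lab findings.

```python
import re
from collections import Counter

# Constructed .gnmap output mirroring the lab's findings (not a real capture).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap --open -p- -A -oA target_tcp_all_svc -iL scope
Host: 10.129.211.225 ()\tStatus: Up
Host: 10.129.211.225 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, 53/open/tcp//domain//(unknown banner: 1337_HTB_DNS)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 8080/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# One gnmap port entry has seven '/'-separated fields and a trailing '/':
# port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")


def parse_gnmap(text):
    """Return one dict per port entry found on 'Host: ... Ports: ...' lines."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' banner lines carry no port data
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = next((f[len("Ports: "):] for f in fields if f.startswith("Ports: ")), None)
        if ports is None:
            continue  # a host's 'Status: Up' line has no Ports: field
        for item in ports.split(", "):
            m = PORT_RE.match(item.strip())
            if not m:
                continue  # malformed entry: skip rather than miscount
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entries.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service, "version": version})
    return entries


def version_counts(entries):
    """Count open-port service versions, like the pipeline's 'uniq -c | sort -nr'."""
    return Counter(e["version"] for e in entries if e["state"] == "open" and e["version"])


if __name__ == "__main__":
    for version, n in version_counts(parse_gnmap(SAMPLE_GNMAP)).most_common():
        print(f"{n:>4} {version}")
```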
## DNS Enumeration

### DNS Zone Transfer Attack

```bash
# Attempt zone transfer for subdomain discovery
dig axfr inlanefreight.local @TARGET_IP

# Successful zone transfer results:
inlanefreight.local.          86400 IN SOA ns1.inlanfreight.local. dnsadmin.inlanefreight.local.
blog.inlanefreight.local.     86400 IN A   127.0.0.1
careers.inlanefreight.local.  86400 IN A   127.0.0.1
dev.inlanefreight.local.      86400 IN A   127.0.0.1
flag.inlanefreight.local.     86400 IN TXT "HTB{..."
gitlab.inlanefreight.local.   86400 IN A   127.0.0.1
ir.inlanefreight.local.       86400 IN A   127.0.0.1
status.inlanefreight.local.   86400 IN A   127.0.0.1
support.inlanefreight.local.  86400 IN A   127.0.0.1
tracking.inlanefreight.local. 86400 IN A   127.0.0.1
vpn.inlanefreight.local.      86400 IN A   127.0.0.1

# Discovery: 9 additional subdomains + flag in TXT record
```

### Alternative DNS Enumeration

If the zone transfer fails, fall back to passive methods:

- DNSDumpster.com
- Certificate transparency logs
- Search engine dorking
- Subdomain brute forcing

```bash
# Active subdomain enumeration:
ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.inlanefreight.local
```

## Virtual Host Discovery

### VHost Enumeration Process

```bash
# Step 1: Determine the response size for an invalid vhost
curl -s -I http://TARGET_IP -H "HOST: defnotvalid.inlanefreight.local" | grep "Content-Length:"
# Result: Content-Length: 15157

# Step 2: Fuzz vhosts, filtering out responses of that size
ffuf -w /opt/useful/seclists/Discovery/DNS/namelist.txt:FUZZ -u http://TARGET_IP/ -H 'Host: FUZZ.inlanefreight.local' -fs 15157

# Results discovered:
blog       [Status: 200, Size: 8708]
careers    [Status: 200, Size: 51810]
dev        [Status: 200, Size: 2048]
gitlab     [Status: 302, Size: 113]
ir         [Status: 200, Size: 28545]
monitoring [Status: 200, Size: 56]     # <- additional vhost not present in the zone transfer
status     [Status: 200, Size: 917]
support    [Status: 200, Size: 26635]
tracking   [Status: 200, Size: 35185]
vpn        [Status: 200, Size: 1578]
```

### Alternative VHost Tools

```bash
# Gobuster vhost enumeration
gobuster vhost -u http://TARGET_IP -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt --domain inlanefreight.local

# Wfuzz vhost discovery (--hh hides responses with the invalid-vhost character count)
wfuzz -c -f sub-fighter -w /opt/useful/seclists/Discovery/DNS/namelist.txt -u "http://TARGET_IP" -H "Host: FUZZ.inlanefreight.local" --hh 15157
```

## Host File Configuration

### Adding Discovered Hosts

```bash
# Add all discovered subdomains to /etc/hosts
sudo tee -a /etc/hosts > /dev/null <<EOT
## inlanefreight hosts
TARGET_IP inlanefreight.local blog.inlanefreight.local careers.inlanefreight.local dev.inlanefreight.local gitlab.inlanefreight.local ir.inlanefreight.local status.inlanefreight.local support.inlanefreight.local tracking.inlanefreight.local vpn.inlanefreight.local monitoring.inlanefreight.local
EOT

# Verify configuration
grep inlanefreight /etc/hosts
```
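The following is an added example, not the module's own code: it parses `dig axfr` output like the zone transfer shown earlier into records, summarises which owner names and record types the zone exposes (zone transfers should be limited to secondary name servers, so the same summary shows a defender what an unrestricted AXFR hands out), and builds the single /etc/hosts line used in this section. The zone text is constructed from the lab output with a placeholder in place of the flag value.

```python
from collections import defaultdict

# Constructed dig axfr output mirroring the lab zone (flag text is a placeholder).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.0 <<>> axfr inlanefreight.local @TARGET_IP
inlanefreight.local.\t86400\tIN\tSOA\tns1.inlanefreight.local. dnsadmin.inlanefreight.local. 21 604800 86400 2419200 86400
blog.inlanefreight.local.\t86400\tIN\tA\t127.0.0.1
careers.inlanefreight.local.\t86400\tIN\tA\t127.0.0.1
flag.inlanefreight.local.\t86400\tIN\tTXT\t"HTB{placeholder}"
vpn.inlanefreight.local.\t86400\tIN\tA\t127.0.0.1
inlanefreight.local.\t86400\tIN\tSOA\tns1.inlanefreight.local. dnsadmin.inlanefreight.local. 21 604800 86400 2419200 86400
;; Query time: 1 msec
"""


def parse_axfr(text):
    """Return (name, ttl, rtype, rdata) tuples; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # name ttl class type rdata (rdata keeps its spaces)
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a resource record line
        name, ttl, _cls, rtype, rdata = parts
        records.append((name.rstrip("."), int(ttl), rtype, rdata))
    return records


def summarise(records):
    """Owner names grouped by record type: what the zone hands to anyone allowed to AXFR."""
    by_type = defaultdict(set)  # a set, because dig prints the SOA twice
    for name, _ttl, rtype, _rdata in records:
        by_type[rtype].add(name)
    return {rtype: sorted(names) for rtype, names in by_type.items()}


def hosts_line(ip, zone, records):
    """One /etc/hosts line: zone apex first, then every A-record hostname once."""
    subs = sorted({n for n, _ttl, rtype, _rdata in records if rtype == "A" and n != zone})
    return " ".join([ip, zone] + subs)


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    for rtype, names in summarise(recs).items():
        print(f"{rtype}: {', '.join(names)}")
    print(hosts_line("TARGET_IP", "inlanefreight.local", recs))
```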
## HTB Academy Lab Solutions

### Lab Environment

```bash
# Target: 10.129.211.225 (ACADEMY-AEN-DMZ01)
# Add to /etc/hosts:
sudo sh -c 'echo "TARGET_IP inlanefreight.local" >> /etc/hosts'
```

### Question 1: Banner Grab Non-Standard Service

```bash
# Service enumeration with version detection
sudo nmap -sC -sV inlanefreight.local

# Key finding in DNS service:
53/tcp open  domain  (unknown banner: 1337_HTB_DNS)
| dns-nsid:
|_  bind.version: 1337_HTB_DNS

# Answer: 1337_HTB_DNS
```

### Question 2: DNS Zone Transfer Flag

```bash
# Perform zone transfer
dig AXFR inlanefreight.local @TARGET_IP

# Flag discovered in TXT record:
flag.inlanefreight.local. 86400 IN TXT "HTB{..."

# Answer: HTB{DNs_ZOn3_Tr@nsf3r}
```

### Question 3: Flag Subdomain FQDN

```bash
# From zone transfer output:
flag.inlanefreight.local. 86400 IN TXT "HTB{..."

# Answer: flag.inlanefreight.local
```

### Question 4: Additional VHost Discovery

```bash
# Determine invalid response size
curl -sI http://TARGET_IP/ -H "Host: defnotvalid.inlanefreight.local" | grep "Content-Length:"
# Result: Content-Length: 15157

# Fuzz for additional vhosts
ffuf -s -w /opt/useful/SecLists/Discovery/DNS/namelist.txt:FUZZ -u http://TARGET_IP/ -H 'Host: FUZZ.inlanefreight.local' -fs 15157

# Additional vhost found:
monitoring [Status: 200, Size: 56]

# Answer: monitoring
```

## Information Gathering Workflow

### Systematic Approach

```bash
# 1. Initial port discovery
sudo nmap --open -oA quick_scan -iL scope

# 2. Service enumeration
sudo nmap --open -p- -A -oA full_scan -iL scope

# 3. DNS zone transfer attempt
dig axfr DOMAIN @TARGET_IP

# 4. Subdomain/vhost discovery
ffuf -w wordlist -u http://TARGET/ -H 'Host: FUZZ.domain' -fs INVALID_SIZE

# 5. Host file configuration
sudo tee -a /etc/hosts <<< "TARGET_IP domain subdomain1.domain subdomain2.domain"

# 6. Service-specific enumeration
# Continue with FTP, HTTP, SMTP, etc. detailed analysis
```

### Attack Surface Mapping

Service categorization:

- Web Services: 80, 443, 8080, 8443
- Email Services: 25, 110, 143, 587, 993, 995
- File Transfer: 21, 22, 69, 873
- Database: 1433, 3306, 5432, 1521
- Management: 161, 623, 8080, 9090
- Remote Access: 22, 23, 3389, 5985, 5986

Priority targets:

1. Web applications (immediate attack surface)
2. Anonymous/weak authentication services
3. Known vulnerable service versions
4. Management interfaces
5. Email services for user enumeration

## Reconnaissance Best Practices

### Stealth Considerations

```bash
# Timing controls for stealth
nmap -T2 --scan-delay 5s TARGET_IP

# Fragmented packets
nmap -f TARGET_IP

# Source port spoofing
nmap --source-port 53 TARGET_IP

# Decoy scanning
nmap -D RND:10 TARGET_IP
```

### Documentation Standards

Essential documentation:

- All scan outputs saved with timestamps
- Service version information recorded
- Subdomain/vhost discovery results
- Anonymous access findings
- Potential attack vectors identified
- Evidence screenshots for findings

## Key Takeaways

- Systematic enumeration reveals the complete attack surface
- DNS zone transfers provide valuable subdomain intelligence
- VHost discovery uncovers hidden applications
- Service versioning enables vulnerability research
- Anonymous access often provides immediate foothold opportunities
- Comprehensive documentation is essential for attack planning
- Multiple enumeration methods ensure complete coverage

External information gathering establishes the foundation for enterprise network attacks by mapping the complete external attack surface and identifying high-value targets for exploitation.