
adulau / active-scanning-techniques

Licence: other
A compilation of network scanning strategies to find vulnerable devices

Projects that are alternatives of or similar to active-scanning-techniques

SaltwaterTaffy
An nmap wrapper library for .NET
Stars: ✭ 44 (-27.87%)
Mutual labels:  nmap, network-security
Octopus
Octopus - Network Scan/Infos & Web Scan
Stars: ✭ 25 (-59.02%)
Mutual labels:  nmap, network-scanning
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (+22.95%)
Mutual labels:  netsec, network-security
showme
Rapid diagnostic system status tool (performance monitoring, network scanning, mysql performance monitoring, kubectl status)
Stars: ✭ 24 (-60.66%)
Mutual labels:  nmap, network-scanning
Nmap
Idiomatic nmap library for go developers
Stars: ✭ 391 (+540.98%)
Mutual labels:  nmap, netsec
Ivre
Network recon framework, published by @cea-sec & @ANSSI-FR. Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!
Stars: ✭ 2,331 (+3721.31%)
Mutual labels:  nmap, network-security
avain
A Modular Framework for the Automated Vulnerability Analysis in IP-based Networks
Stars: ✭ 56 (-8.2%)
Mutual labels:  netsec, network-security
searchscan
Search Nmap and Metasploit scanning scripts.
Stars: ✭ 51 (-16.39%)
Mutual labels:  nmap, network-scanning
Badkarma
network reconnaissance toolkit
Stars: ✭ 353 (+478.69%)
Mutual labels:  nmap, network-security
Gorsair
Gorsair hacks its way into remote docker containers that expose their APIs
Stars: ✭ 678 (+1011.48%)
Mutual labels:  nmap, netsec
ivre
Network recon framework. Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!
Stars: ✭ 2,712 (+4345.9%)
Mutual labels:  nmap, network-security
sharingan
Offensive Security recon tool
Stars: ✭ 88 (+44.26%)
Mutual labels:  nmap
flydns
Related subdomains finder
Stars: ✭ 29 (-52.46%)
Mutual labels:  network-security
Mis-Comandos-Linux
📋 Described list of my 💯 favorite commands ⭐ on GNU/Linux 💻
Stars: ✭ 28 (-54.1%)
Mutual labels:  nmap
NIST-to-Tech
An open-source listing of cybersecurity technology mapped to the NIST Cybersecurity Framework (CSF)
Stars: ✭ 61 (+0%)
Mutual labels:  netsec
sgCheckup
sgCheckup generates nmap output based on scanning your AWS Security Groups for unexpected open ports.
Stars: ✭ 77 (+26.23%)
Mutual labels:  nmap
Forerunner
Fast and extensible network scanning library featuring multithreading, ping probing, and scan fetchers.
Stars: ✭ 39 (-36.07%)
Mutual labels:  network-scanning
pwk scripts
Automation scripts in preparation for PWK/OSCP labs
Stars: ✭ 16 (-73.77%)
Mutual labels:  network-security
Jxnet
Jxnet is a Java library for capturing and sending custom network packet buffers with no copies. Jxnet wraps a native packet capture library (libpcap/winpcap/npcap) via JNI (Java Native Interface).
Stars: ✭ 26 (-57.38%)
Mutual labels:  network-security
community-id-spec
An open standard for hashing network flows into identifiers, a.k.a "Community IDs".
Stars: ✭ 137 (+124.59%)
Mutual labels:  network-security

Active Scanning Techniques

This repository is a collection of techniques for finding specific hosts to scan. The goal is to document the available techniques and improve scanning for defenders.

Why this collection?

  • Finding vulnerable devices can be challenging for CSIRTs (waiting for the next scan in Shodan, Censys).
  • Finding the scope of the scan (regional versus global, wrong IRR allocation).
  • Discovering newly exposed devices without scanning the whole IPv4 space.
  • Discovering name-based services (many services are selected by name, such as HTTP virtual hosts or TLS SNI).
  • Discovering newly exposed devices or services using IPv6 addresses.

Overview

Slides

Techniques

(TAS.1) Certificate Transparency

(TAS.1.1) Extract subjectAltName

  • Resolving AAAA

    • Adding most common hostname (short dictionary list)

    • DNS brute-forcing

      • SDBF
      • fierce
      • dnsenum
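The TAS.1 chain above (take the subjectAltName entries from a CT log entry, add a short dictionary of common hostnames, resolve AAAA) as an added, runnable example; this is not code from the active-scanning-techniques repository. It assumes SAN values in the OpenSSL text form ("DNS:host, DNS:*.host") and takes the resolver as a parameter, so the expansion logic can be checked offline against a constructed answer table; the dictionary of labels is a constructed sample.

```python
"""Turn Certificate Transparency subjectAltName entries into hostnames to check over IPv6.

Added example, not part of the adulau/active-scanning-techniques repository.
Assumptions: SAN text in OpenSSL form ("DNS:www.example.org, DNS:*.example.org"),
an injectable resolver (default: getaddrinfo restricted to AF_INET6).
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed short dictionary of common labels to prepend to each SAN domain (TAS.1.1).
COMMON_LABELS = ["www", "mail", "vpn", "api", "dev", "staging", "ipv6"]


def parse_san(san_text: str) -> Set[str]:
    """Extract DNS names from an OpenSSL-style subjectAltName line.

    Wildcard entries ("*.example.org") are reduced to their base domain so they
    can seed the dictionary expansion; IP Address:, email: and URI: entries are ignored.
    """
    names = set()
    for entry in san_text.split(","):
        entry = entry.strip()
        if not entry.lower().startswith("dns:"):
            continue
        host = entry[4:].strip().lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]
        if host:
            names.add(host)
    return names


def expand_candidates(seeds: Iterable[str], labels: Iterable[str] = COMMON_LABELS) -> Set[str]:
    """Return the seed names plus <label>.<seed> for every dictionary label."""
    seeds = set(seeds)
    out = set(seeds)
    for seed in seeds:
        for label in labels:
            out.add(f"{label}.{seed}")
    return out


def resolve_aaaa(host: str) -> List[str]:
    """Default resolver: AAAA lookup via getaddrinfo restricted to IPv6 (needs network)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def find_ipv6_hosts(san_text: str,
                    resolver: Callable[[str], List[str]] = resolve_aaaa) -> Dict[str, List[str]]:
    """Map every candidate hostname that has AAAA records to its IPv6 addresses."""
    candidates = expand_candidates(parse_san(san_text))
    found: Dict[str, List[str]] = {}
    for host in sorted(candidates):
        addrs = resolver(host)
        if addrs:
            found[host] = addrs
    return found


if __name__ == "__main__":
    # Constructed SAN line, as printed by `openssl x509 -noout -ext subjectAltName`,
    # and a constructed AAAA answer table so the demo runs offline.
    SAMPLE_SAN = "DNS:*.example.org, DNS:example.org, DNS:mail.example.org, IP Address:192.0.2.1"
    FAKE_AAAA = {"example.org": ["2001:db8::2"], "ipv6.example.org": ["2001:db8::1"]}
    for host, addrs in find_ipv6_hosts(SAMPLE_SAN, resolver=lambda h: FAKE_AAAA.get(h, [])).items():
        print(host, ", ".join(addrs))
```

Replacing the fake resolver with the default `resolve_aaaa` turns this into the live check; the SDBF/fierce/dnsenum step listed above is the same loop with a far larger label list.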

(TAS.2) Newly registered domains

(TAS.3) Passive DNS feed

(TAS.3.1) Extract CNAME, RRNAME

(TAS.3.2) Extract AAAA

(TAS.4) BGP Monitoring

(TAS.5) Discovering an active IPv6 subnet from an IPv6 address

(TAS.5.1) Finding the CIDR from RIR whois

(TAS.5.2) Active monitoring of public service logs (HTTP servers, public NTP servers)

(TAS.6) Blackhole network monitoring

(TAS.6.1) Extracting IPv6 addresses from GRE packets

(TAS.6.2) All-protocols extraction of IPv6 addresses from a capture file:

    tshark -n -r $FILENAME -E separator="/n" -E occurrence=a -T fields -e ipv6.src -e ipv6.dst | sort -u | gzip -f
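The TAS.6.1 step (pulling the inner IPv6 source and destination out of GRE-encapsulated packets that land on a blackhole sensor) as an added example; it is not code from the active-scanning-techniques repository. It assumes raw Ethernet frames as read from a pcap, handles the optional GRE checksum, key and sequence fields from RFC 2784/2890, and the test frame is constructed in the block rather than captured.

```python
"""Extract inner IPv6 addresses from Ethernet/IPv4/GRE/IPv6 frames seen on a blackhole sensor.

Added example, not part of the adulau/active-scanning-techniques repository.
Assumes raw Ethernet frames (e.g. from a pcap); the sample frame is constructed below.
"""
import ipaddress
import struct
from typing import Iterable, Optional, Set, Tuple

ETH_P_IP = 0x0800        # EtherType for IPv4
IPPROTO_GRE = 47         # IPv4 protocol number for GRE
GRE_PROTO_IPV6 = 0x86DD  # GRE "Protocol Type" field for an IPv6 payload


def parse_gre_ipv6(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) of the inner IPv6 packet if the frame is IPv4/GRE/IPv6, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length incl. options
    if ihl < 20 or len(ip) < ihl + 4 or ip[9] != IPPROTO_GRE:
        return None
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_IPV6:
        return None
    # Optional 4-byte GRE fields (RFC 2784 / RFC 2890): C=checksum+reserved1, K=key, S=sequence.
    hdr_len = 4
    if flags & 0x8000:
        hdr_len += 4
    if flags & 0x2000:
        hdr_len += 4
    if flags & 0x1000:
        hdr_len += 4
    inner = gre[hdr_len:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40]))


def unique_ipv6(frames: Iterable[bytes]) -> Set[str]:
    """Collect every inner IPv6 address (src and dst) from a sequence of frames, deduplicated."""
    out: Set[str] = set()
    for frame in frames:
        pair = parse_gre_ipv6(frame)
        if pair:
            out.update(pair)
    return out


def build_sample_frame(src6: str, dst6: str) -> bytes:
    """Construct an Ethernet/IPv4/GRE(key)/IPv6 frame for offline testing (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    # IPv6 header: version 6, payload length 0, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    inner += ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
    gre = struct.pack("!HH", 0x2000, GRE_PROTO_IPV6) + struct.pack("!I", 0x1234)  # K bit + key
    total_len = 20 + len(gre) + len(inner)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_GRE, 0,
                       ipaddress.IPv4Address("198.51.100.7").packed,
                       ipaddress.IPv4Address("192.0.2.1").packed)
    return eth + ipv4 + gre + inner


if __name__ == "__main__":
    sample = build_sample_frame("2001:db8:1::10", "2001:db8:2::20")  # constructed, not captured
    print(sorted(unique_ipv6([sample, sample])))
```

Feeding real frames from a pcap reader into `unique_ipv6` gives the same deduplicated address set that the tshark pipeline in TAS.6.2 produces for GRE-encapsulated traffic.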

(TAS.7) BitTorrent GET_PEERS N6 request

(TAS.8) Guessing IPv6 addresses using the most common manual IPv6 allocations within an IPv6 subnet

(TAS.8.1) Enumerating easy-to-remember hex blocks (CAFE, DEAD, BEEF, ABBA, FFFF, ...)

(TAS.8.2) Enumerating TCP/UDP service ports as the last part

(TAS.9) DomainClassifier extraction (brute-force extraction of potential hostnames)

(TAS.9.1) GitHub commit streams

(TAS.9.2) Active crawling from CT logs

(TAS.9.3) Other sources such as social networks, paste sites, ...

(TAS.10) Extracting potential hostnames from IPv4 reverse PTR records

(TAS.10.1) Enumerating IPv4/PTR
