
Thread: Tutorial : Internet Enumeration

  1. #1
    williamc (Good friend of the forums), Join Date: Feb 2010, Chico CA

    Tutorial : Internet Enumeration

    This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post.


    There are various methods of enumerating the net blocks of your target. But to start, perform the following:

    whois -h > file.txt
    If a specific IP does not have an ASN number associated with it, then that IP address is not routable.
     whois -h
    4565||EPOCH-INTERNET - Epoch Network
    To perform bulk queries, create a text file in this format:


    Feed the text file to whois by using netcat.
     ./netcat 43 <ip_list.txt |sort -n > ip_list_asn.txt
    Look through the results for ASN numbers to determine if the netblocks are routable.

    You can also login to a BGP router connected to the internet and display the route:
    Username: rviews> show ip bgp regexp _31830$
    BGP table version is 2197815, local router ID is
    Status codes: s suppressed, d damped, h history, * valid, > best, i -internal, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Network          Next Hop            Metric LocPrf Weight Path
    *           119             0 6461 701 31830 i
    *                                      0 3333 3356 701 31830 i
    *                                    0 8075 701 31830 i
    *                  4103             0 4513 13789 701 31830 i
    Learn more here:

    Once you have netblocks for your target, check bind versions and perform zone transfers against the name servers:
     dig version.bind txt chaos
    dig axfr
     perl -dns
    If the zone transfers are successful, you now have a list of target IPs. Clean up your list so only the IP addresses remain. The easiest method is to open the IP list in Excel and apply a filter. Now feed the IP list to nmap:
     nmap -sS -P0 -iL ip_ranges.txt -p 21,22,23,25,53,79,80,81,88,110,111,113,135,139,143,254,264,265,443,445,1026,1027,1433,1434,1494,1521,1723,2049,2001,2301,2381,3389,4001,4662,5631,6000,6001,8080,10000 --max_rtt_timeout 2000 -oA formatted_list
    You can now take the output files and run them through the nmap report generator:

    At this point, you should have a list of IP addresses with open ports. Let's target a few of the ports.

    21 - FTP - If you see port 21 open, attempt to connect. Record the login banner and try "anonymous" as the username. If that is not successful, you may want to try running medusa against it to brute force.
     medusa -h host -U logins.txt -P passwords.txt -O results.txt -M ftp
    25 - SMTP - Connect to the SMTP server and attempt to enumerate valid users. You can use this to target specific employees within the company through phishing or brute force attacks at login pages.
     nc 25
    expn root
    expn test
    80 - HTTP - Look for methods that are not necessary. Namely PUT. If you find this, then you may be able to upload your own files to the server. Use to transfer cmd.asp to the server. Both files should be on BT3.

     curl -I -X OPTIONS
    That should get you started. Follow up with a Nessus scan:

    Some additional tools I use that are not based on Backtrack are:
    Acunetix Web Vulnerability Scanner
    N-Stalker Free Edition

    If you have anything to add, please do!
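A defender-side use of the route-view output shown in this post, added here as an example and not part of the original post: parse the column-aligned `show ip bgp` table and check that every path for your own prefixes ends at your ASN via one of your contracted upstreams (a foreign origin suggests a hijack, a foreign upstream a leak). The sample rows only mimic the table layout (without the `_31830$` filter, so a foreign-origin row can appear); the prefixes, next hops and ASN 64496 are constructed, while ASN 31830 comes from the post.

```python
import re

# Constructed sample in the column layout of the post's "show ip bgp" table. Prefixes and
# next hops are RFC 5737 documentation addresses, 64496 is an RFC 5398 documentation ASN.
def _row(status, net, hop, metric, locprf, weight, path):
    # Render one row aligned to the router's fixed columns (Path starts at column 61).
    return f"{status:<3}{net:<15}  {hop:<12}{metric:>14}{locprf:>7}{weight:>7} {path}"

SAMPLE = "\n".join([
    "BGP table version is 2197815, local router ID is 192.0.2.1",
    "Origin codes: i - IGP, e - EGP, ? - incomplete",
    _row("", "Network", "Next Hop", "Metric", "LocPrf", "Weight", "Path"),
    _row("*", "198.51.100.0/24", "203.0.113.11", "119", "", "0", "6461 701 31830 i"),
    _row("*", "", "203.0.113.12", "", "", "0", "3333 3356 701 31830 i"),
    _row("*>", "", "203.0.113.13", "", "", "0", "8075 701 31830 i"),
    _row("*", "", "203.0.113.14", "4103", "", "0", "4513 13789 701 31830 i"),
    _row("*", "198.51.100.0/25", "203.0.113.15", "", "", "0", "6461 64496 i"),
])

def parse_bgp_table(text):
    """Return (prefix, as_path, origin_code) per row of a Cisco-style BGP table. Columns are
    located from the header line, so rows must be aligned with it as the router prints them."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.lstrip().startswith("Network"))
    net_col, hop_col = lines[hdr].index("Network"), lines[hdr].index("Next Hop")
    path_col = lines[hdr].index("Path")
    routes, prefix = [], None
    for line in lines[hdr + 1:]:
        tail = line[path_col:].split()
        if not tail:
            continue
        # A blank Network column means "same prefix as the row above".
        prefix = line[net_col:hop_col].strip() or prefix
        # AS-set braces such as {64496 64497} are flattened; the origin code is the last token.
        as_path = [int(a) for a in re.findall(r"\d+", " ".join(tail[:-1]))]
        routes.append((prefix, as_path, tail[-1]))
    return routes

def audit_origins(text, my_asn, my_upstreams):
    """Flag routes whose origin AS is not ours (possible hijack) or whose upstream, the AS
    just before the origin, is not a contracted provider (possible route leak)."""
    findings = []
    for prefix, as_path, _ in parse_bgp_table(text):
        if as_path and as_path[-1] != my_asn:
            findings.append((prefix, "unexpected origin", as_path[-1]))
        elif len(as_path) > 1 and as_path[-2] not in my_upstreams:
            findings.append((prefix, "unexpected upstream", as_path[-2]))
    return findings
```

Running `audit_origins(SAMPLE, 31830, {701})` reports the more-specific /25 originated by 64496; the four /24 paths pass because they all end in 701 31830.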


  2. #2
    ShadowKill (Senior Member), Join Date: Dec 2007


    Quote Originally Posted by williamc:
    This tutorial will demonstrate how to perform reconnaissance against internet targets. If you have anything to add, please post....
    .... ....

    ....If you have anything to add, please do!

    Yet another great tutorial bud. Just a "here's how I do it" kinda thing, when I'm listing ports via Nmap I usually simplify/organize the list by utilizing the U: and T: delimiter for UDP/TCP distinction and 21-23 etc to shorten the string a bit. This just makes it a bit easier, at least for me, to remember what, exactly, I'm scanning for.

    "The goal of every man should be to continue living even after he can no longer draw breath."


  3. #3
    Good friend of the forums, Join Date: Feb 2010


    myipneighbors > google search for param to help find exploitable scripts
