My scanning methodology

Information gathering phase

It's important to perform information gathering properly, noting down every interesting host. At this point we are still in the information gathering phase, and every missed detail could break the rest of the assessment. We should not get careless and begin attacking hosts right away.

1. Initialize Metasploit

  • Start the Metasploit database: Ensure the database is running.

  • Check database status: Use the command db_status to verify connectivity.

2. Prepare Target and Exclusion Lists

  • Create a Target File: List all targeted IPs in a file (e.g., target.txt).

  • Create an Exclusion File: Specify any IPs to exclude in a separate file (e.g., exclude.txt).

3. Conduct Network Scans

  • Scan for Live Hosts (-sP is the legacy spelling of Nmap's -sn host-discovery scan; -oA discovery writes discovery.nmap, discovery.gnmap and discovery.xml):

    db_nmap -sP -iL target.txt --excludefile exclude.txt -oA discovery

  • Service Detection and Script Scanning:

    db_nmap -sS -sV -sC -T4 -iL target2.txt

  • Use Additional Vulnerability Scripts:

    db_nmap -Pn -sS -sV -sC -T4 -A --script=vuln* -iL target2.txt

4. Identify and Document Live Hosts

  • Create a Documentation File: Record the live hosts identified during the scan in a separate file (e.g., live_hosts.txt).

5. Use a screenshot capturing tool to automatically capture screenshots of the hosts in the list of identified live hosts

  1. EyeWitness

EyeWitness can take the XML output from both Nmap and Nessus and create a report with screenshots of each web application present on the various ports using Selenium. It will also take things a step further and categorize the applications where possible, fingerprint them, and suggest default credentials based on the application. It can also be given a list of IP addresses and URLs and be told to prepend http:// and https:// to the front of each. It will perform DNS resolution for IPs and can be given a specific set of ports to attempt to connect to and screenshot.

We can install EyeWitness via apt:

 sudo apt install eyewitness

Run it:

 eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness

  2. Aquatone

Aquatone is similar to EyeWitness and also accepts Nmap XML as input:

 # Download
 wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip

 # Unzip
 unzip aquatone_linux_amd64_1.7.0.zip

 # Run against the Nmap XML output
 cat web_discovery.xml | ./aquatone -nmap
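As an added example that is not part of this page, Nmap or Metasploit, the following Python script builds the live_hosts.txt of step 4 from the discovery.xml that -oA writes in step 3; the script name and the embedded sample XML are constructed for illustration, and the script assumes Nmap's standard XML layout (a <host> element with a <status> and one or more <address> children).

```python
"""Build live_hosts.txt (step 4) from the Nmap XML written by `-oA discovery`
in step 3. Added example for this page, not part of Nmap or Metasploit;
assumes Nmap's standard XML layout: <host><status state="up"/><address .../>."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML format: two hosts up, one down.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sP -iL target.txt">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.10.10.5" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.6" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.7" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/></host>
</nmaprun>"""


def live_hosts(xml_text):
    """Return the IP addresses of hosts Nmap reported as up, deduplicated,
    in scan order. MAC addresses are skipped; down hosts are ignored."""
    root = ET.fromstring(xml_text)
    seen, hosts = set(), []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            ip = addr.get("addr")
            if addr.get("addrtype") in ("ipv4", "ipv6") and ip not in seen:
                seen.add(ip)
                hosts.append(ip)
    return hosts


def write_live_hosts(xml_text, out_path="live_hosts.txt"):
    """Write one address per line (the format -iL expects); return the count."""
    hosts = live_hosts(xml_text)
    with open(out_path, "w") as fh:
        fh.write("\n".join(hosts) + ("\n" if hosts else ""))
    return len(hosts)


if __name__ == "__main__":
    # Usage: python3 live_hosts.py discovery.xml  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    n = write_live_hosts(text)
    print(f"{n} live host(s) written to live_hosts.txt")
```

The resulting file can be passed as the -iL target list for the service scans in step 3 and as the host list for the screenshot tools in step 5.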
