Full Active Intel Gathering
This use case applies to internal and external penetration tests. Among other things, the use cases are:

- Check services for default credentials using `hydra` or `changeme`
- Check access to file sharing services (e.g., NFS and SMB) using `smbclient` or `showmount`
- Check security of web applications using tools like `gobuster`, `nikto`, `davtest`, `aquatone` or Burp Suite Professional
- Obtain TLS information using `sslscan`, `sslyze` and `nmap`
- Perform vhost enumerations
The collection is performed on previously executed Nmap scans and a list of in-scope IPv4/IPv6 networks/addresses.
Before we start:

- We re-initialize the KIS database
- We specify a workspace `$ws` (e.g., `ws=pentest`)
- We specify the list of networks `$networks` to be investigated (e.g., `networks=192.168.0.0/24`, `networks=192.168.1.0/24 192.168.1.0/24`, `networks=192.168.0.1`, or `networks=192.168.0.1 192.168.0.2`). Refer to the wiki page Scoping in KIS for more information.
- We import Nmap scan results
- We might also import Nessus scan results
```bash
# initialize new database
docker exec -t kaliintelsuite kismanage database --drop --init
# create a new workspace $ws
docker exec -it kaliintelsuite kismanage workspace --add $ws
# add the networks $networks to workspace $ws and set the scope to all (default)
docker exec -it kaliintelsuite kismanage network -w $ws --add $networks
# import nmap scan results into KIS
docker exec -it kaliintelsuite kismanage scan -w $ws --nmap $nmap_paths
# add new host names to workspace $ws. thereby, all sub-level domains of $domains become automatically
# in scope due to the second-level domains' scope type all
docker exec -it kaliintelsuite kismanage hostname -w $ws --add $domains $hostnames
```
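The `$networks` value above is what every collector later acts on, so a typo or a forgotten exclusion at this step becomes an out-of-scope scan. The following helper is an added example, not part of KIS: it validates the `$networks` string, flags entries that overlap with ranges the client excluded, carves those ranges out, and renders the result as the argument for `kismanage network --add`. `SAMPLE_NETWORKS` and `SAMPLE_EXCLUSIONS` are constructed test values.

```python
import ipaddress

# Constructed sample in the same form as the wiki's $networks variable, including
# the duplicated entry the page itself shows ("192.168.1.0/24 192.168.1.0/24").
SAMPLE_NETWORKS = "192.168.0.0/24 192.168.1.0/24 192.168.1.0/24 192.168.0.1 2001:db8::/64"
# Constructed, hypothetical ranges the client asked us to leave alone.
SAMPLE_EXCLUSIONS = ["192.168.1.128/25"]

def parse_scope(networks):
    """Split the $networks string into deduplicated, sorted ip_network objects.
    A malformed token raises ValueError instead of being dropped silently,
    so a typo cannot quietly shift or widen the scope."""
    nets = {ipaddress.ip_network(tok, strict=False) for tok in networks.split()}
    return sorted(nets, key=lambda n: (n.version, n))

def find_exclusion_conflicts(nets, exclusions):
    """(network, exclusion) pairs where an in-scope entry overlaps an excluded
    range; each one needs a decision before the scope goes into KIS."""
    excl = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    return [(n, e) for n in nets for e in excl
            if n.version == e.version and n.overlaps(e)]

def apply_exclusions(nets, exclusions):
    """Carve every excluded range out of the scope. CIDR blocks are either
    nested or disjoint, so each piece is dropped, split, or kept unchanged."""
    excl = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    result = []
    for net in nets:
        pieces = [net]
        for e in (x for x in excl if x.version == net.version):
            kept = []
            for p in pieces:
                if p.subnet_of(e):
                    continue                            # entirely excluded
                if e.subnet_of(p):
                    kept.extend(p.address_exclude(e))   # split around it
                else:
                    kept.append(p)                      # disjoint
            pieces = kept
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, n))

def format_for_kismanage(nets):
    """Render the scope as the argument for 'kismanage network --add', writing
    single hosts as bare addresses the way the wiki does."""
    return " ".join(str(n.network_address) if n.prefixlen == n.max_prefixlen
                    else str(n) for n in nets)
```

Run `find_exclusion_conflicts` first and resolve every hit with the client before passing `format_for_kismanage(apply_exclusions(...))` to `kismanage`.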
Note: If we also want to incorporate second-level domains and their sub-domains into the penetration test, we should start with the use case Semi-passive hostname gathering.
Now, we perform the actual active intelligence collection. For more information about the selected collectors, refer to the wiki page KIS Collectors.
```bash
docker exec -it kaliintelsuite kiscollect -w $ws --debug --strict -t5 --anyservicenmap --certnmap \
--dnsaxfrdomain --dnsaxfrservice --dnsnmap --finger --ftpfilelist --ftphydra --ftpnmap --httpchangeme \
--httpdavtest --httpgobuster --httpgobustersmart --httphydra --httpkiterunner --httpmsfrobotstxt --httpnikto \
--httpnmap --httpntlmnmap --httpwhatweb --ikescan --imapnmap --ipmi --ldapnmap --ldapsearch --msrpcenum --mssqlhydra \
--mssqlnmap --mysqlhydra --mysqlnmap --nbtscan --nfsnmap --ntpq --onesixtyone --oraclesidguess --pgsqlhydra \
--pop3nmap --rdpnmap --rpcclient --rpcinfo --rpcnmap --showmount --smbclient --smbcme --smbfilelist --smbmap \
--smbnmap --smtpnmap --snmpcheck --snmphydra --snmpnmap --snmpwalk --sshchangeme --sshnmap --sslscan --sslyze \
--tlsnmap --telnetnmap --tftpnmap --vncnmap --x11nmap --httpburpsuitepro --autostart
```
After the collection, we review the collected domain information (obtained via certificate scraping by the collectors `certnmap`, `sslyze` and `sslscan`) and, if applicable, add it in scope:
```bash
# perform a review of the collected data using kisreport
docker exec -it kaliintelsuite bash
(.venv) kis_shell> ws=
(.venv) kis_shell> kisreport domain -w $ws --csv --scope outside | csvcut -c "Second-Level Domain (SLD)","Scope (SLD)","Companies (SLD)" | \
csvsort -c "Second-Level Domain (SLD)" | csvlook
[...]
(.venv) kis_shell> exit
# add newly identified second-level domains and their sub-level domains in scope
domains=
docker exec -it kaliintelsuite kismanage domain -w $ws -s {all,strict} $domains
hostnames=
docker exec -it kaliintelsuite kismanage hostname -w $ws --add $domains $hostnames
```
Based on the newly added in-scope information, we might also collect intelligence from vhosts using `kiscollect`'s `--vhost` argument:
```bash
docker exec -it kaliintelsuite kiscollect -w $ws --debug --strict -t5 --anyservicenmap --certnmap \
--certopenssl --dnsaxfrdomain --dnsaxfrservice --dnsnmap --finger --ftpfilelist --ftphydra --ftpnmap --httpchangeme \
--httpdavtest --httpgobuster --httpgobustersmart --httphydra --httpkiterunner --httpmsfrobotstxt --httpnikto \
--httpnmap --httpntlmnmap --httpwhatweb --ikescan --imapnmap --ipmi --ldapnmap --ldapsearch --msrpcenum --mssqlhydra \
--mssqlnmap --mysqlhydra --mysqlnmap --nbtscan --nfsnmap --ntpq --onesixtyone --oraclesidguess --pgsqlhydra \
--pop3nmap --rdpnmap --rpcclient --rpcinfo --rpcnmap --showmount --smbclient --smbcme --smbfilelist --smbmap \
--smbnmap --smtpnmap --snmpcheck --snmphydra --snmpnmap --snmpwalk --sshchangeme --sshnmap --sslscan --sslyze \
--tlsnmap --telnetnmap --tftpnmap --vncnmap --x11nmap --httpburpsuitepro --vhost domain --tld --autostart
```
We might also want to create screenshots using `aquatone`:
```bash
docker exec -it kaliintelsuite bash
(.venv) kis_shell> ws=
(.venv) kis_shell> kisreport path -w $ws --scope within --type http --csv | csvcut -c "Full Path" | grep -v "Full Path" | aquatone -out /kis/aquatone
[...]
(.venv) kis_shell> exit
```
After Aquatone is complete, we copy the newly created screenshots from the docker volume:

```bash
mv /var/lib/docker/volumes/kaliintelsuite_kis_data/_data/aquatone .
```
If we are working on Microsoft Windows, then we have to replace the above path by:

```
\\wsl$\docker-desktop-data\version-pack-data\community\docker\volumes\docker_kis_data\_data\aquatone
```