BloodHound ACL queries

Custom query showing ACLs on OUs from groups · Issue #283

More BloodHound Cypher queries 04 Oct 2020. Hello, In this blog post i will share my Cypher queries which i'm using in my daily engagements. I aim to be complementary to the cheatsheets you can found out there and to the default queries you will find in BloodHound.. I will also comment these ones if needed to provide further information bloodhound custom queries. GitHub Gist: instantly share code, notes, and snippets After uploading these files, take advantage of the pre-built queries within BloodHound. These queries are a great way to start obtaining important information about your environment. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user. Navigating the interface to the queries tab will show a list of pre-compiled built-in queries that BloodHound provides: An example query of the shortest path to domain administrator is shown below: If you have never used BloodHound this will look like a lot going on and it is, but lets break this down Most of the base cypher queries within the Computer, Group, and User tabs have been re-written for significantly increased speed and accuracy. Almost all queries should now complete almost instantly. The derivative admin to query remains relatively slow until a good solution is found to speed that query up without losing accuracy. In general, any unnecessary use of shortestPath or.

Useful Cypher queries for BloodHound. GitHub Gist: instantly share code, notes, and snippets Example query to display all direct ACL from user to user: User Specter has GenericAll rights on user RYEUNG. have been presented here but it is possible to do much more and customize the queries when diving into the Cypher query language. BloodHound has already been heavily discussed by many sources, good references on the topic are:.

Intro Active Directory is a vast, complicated landscape comprised of users, computers, and groups, and the complex, intertwining permissions and privileges that connect them. The initial release of BloodHound focused on the concept of derivative local admin, then BloodHound 1.3 introduced ACL-based attack paths. Now, with the release of BloodHound 1.5, pentesters and red-teamer BloodHound includes several powerful baked-in analytical queries. A notable query here is shortest path to Domain Admins. The example below displays the query Find Top 10 users with the Most Admins. BloodHound also includes custom node selection where a specified source, and target node are selected for attack path mapping Edges ¶. Edges. Edges are part of the graph construct, and are represented as links that connect one node to another. For example, this shows the user node for David McGuire connected to two groups, Domain Admins and Domain Users, via the MemberOf edge, indicating this user belongs to both of those groups: The direction of. fox-it.com • Direct integration with BloodHound and the Neo4j graph database • Supports any reversible ACL based attack chain • Advanced pathfinding to find the most efficient paths • Support for exploitation with NTLM hashes (pass-the-hash) • Saves restore state, easy rollback of changes • Can be run via a SOCKS tunnel • Written.

Make the most out of BloodHound - Compass Security Blo

Active Directory ACL Enumeration; Local Group Membership Enumeration; StealthDEFEND which can detect multiple reconnaissance scenarios and queries out of the box including but not limited to BloodHound, queries for all SPN's and queries for all accounts with password never expires Nodes in BloodHound represent Active Directory objects: Users, Groups, Computer, Ous, GPOs, and Domains. Each Active Directory object is described by a node label and will look something like this (:User) Queries are performed against node labels using the MATCH clause. Node labels can be assigned to variables and later referenced in your query. Nodes¶. Nodes represent principals and other objects in Active Directory. BloodHound stores certain information about each node on the node itself in the neo4j database, and the GUI automatically performs several queries to gather insights about the node, such as how privileged the node is, or which GPOs apply to the node, etc. Simply click the node in the BloodHound GUI, and the Node Info.

D.2 - Common BloodHound Queries 46 D.2.1 - Querying Nodes 46 D.2.2 - Querying Edges 48 D.2.3 - Querying Paths 49 The ACL Attack Path Update (v1.3) by @_Wald0 Evolution of the BloodHound Ingestor by @CptJesus The Object Properties Update (v1.4) by @CptJesus. BloodHound is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours PS C:\htb> Import-Module .\SharpHound.ps1 PS C:\htb> Invoke-BloodHound -CollectionMethod all -ZipFileName ilfreight_bloodhound Initializing BloodHound at 1:57 AM on 8/23/2020 Resolved Collection Methods to Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM Starting Enumeration for INLANEFREIGHT.LOCAL Status: 1161 objects.

Bloodhound -Active Directory Trust Relationships Analysis. Bloodhound is a network tool that maps the possible privilege escalation attack paths in an active directory domain. The tool performs the task by exploiting the Active directory protocol. Active directory is a Windows utility that manages permissions and resources in the network BloodHound. BloodHound is a tool developed by @wald0, @Harmj0y and @CptJesus. The idea of this tool is to analyze an Active Directory environment by enumerating its various objects, and by linking them with some relationships. For example, if the user support-account is a member of a group called support, the user will be linked with the. Bloodhound is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C sharp flavours Query Optimizations and New Queries. Several of the prebuilt queries in BloodHound have been reworked or optimized to greatly increase performance. In particular, the DCSync queries have seen a massive performance increase. We've also added some new queries on different tabs, which should give you more information when viewing nodes BloodHound runs a shortestPath query and shows us that glen.young has the ForceChangePassword ACL edge privilege over the user pamela.brown (node b), who is a member of the group Help Desk (node c). Members of this group have the GenericWrite ACL edge privilege over the Security Operations group (node d) and add a user to this group

This will allow you to explore new attack paths, including modification of GPOs to affect objects further down the tree. The 1.5 Release of SharpHound brings two new collection methods. The first, and biggest new addition to the project, is the Container collection method. The second is the All collection method The different abusable ACL permissions are described in a small help page inside zBang and explained further in one of the popular BloodHound blog posts on The ACL Attack Path - link by @_wald0. Here is also a good place to say thanks to @harmj0y for his PowerView project that ACLight relies on for its ACL query functionality BloodHound v2.0 released: Active Directory Toolkit. BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment Attackers are known to use LDAP queries to visually map the domain environment using publicly available tools, such as PowerView and BloodHound to implement queries. These tools help get all users, groups, computer accounts and account access control lists (ACL) in the environment Enumeration is key in these kind of scenarios. Often overlooked are the Access Control Lists (ACL) in AD.An ACL is a set of rules that define which entities have which permissions on a specific AD object. These objects can be user accounts, groups, computer accounts, the domain itself and many more. Bloodhound can make an export of all ACLs.

BloodHound 1.3 - The ACL Attack Path Update - wald0.co

Since then, BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments. Now, I am very proud to announce the release of BloodHound 4.0: The Azure Update. This release is authored by myself ( Andy Robbins ), Rohan Vazarkar, and Ryan Hausknecht, with special thanks to. System Access Control List (SACL) The interface for delegating control (creating ACE) in AD is not very clear. Delegation of control is usually performed by right-clicking on a OU and the click on Delegate Control , and then follow the wizard and add users/group/computer and specify which type of permission/control that securable object should. [Queries] > [Pre-Built Analytics Queries] > [Shortest Paths to High Value Targets]クエリを選択した場合の画面。 Ingestors によるデータ収集. ここまで、BloodHoundとneo4jのインストールと設定が完了しました Edit the Access Control List (ACL) of the script object or the directory where the file is located. Then remove any write permission given to the group. Introduced in: Points: 15 points per discovery. Documentation: [FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2 Sometimes, it's just flat out wrong. This is one of those times. The 2.1 release of BloodHound has a large focus on bug fixes, and a couple new features including a new attack primitive. This post is going to cover changes we've made since the release of BloodHound 2.0, including some of the incremental changes in between

Blocking BloodHound attacks. BloodHound is a popular open-source tool for enumerating and visualizing the domain Active Directory and is used by red teams and attackers as a post-exploitation tool. The enumeration allows a graph of domain devices, users actively signed into devices, and resources along with all their permissions LDAP Reconnaissance Activities. A common tool adversaries are using is BloodHound, which uses SharpHound to collect various of data. SharpHound uses LDAP queries to collect information within Active Directory. Once we ran this data collector, we can see that Microsoft Defender for Endpoint has captured all the LDAP queries that have been ran Once data is loaded into BloodHound and is queryable, type cypher into any current beacon session. Ensure that only active sessions are left on the screen. Go to the event log and copy the non-ACL path to domain admins that is ready for ANGRYPUPPY (with LIMIT 1) at end. Paste this query into the raw query section of BloodHound 6. Start Visualising Active Directory. Find the attack path to Domain Admin with Bloodhound Released on-stage at DEF CON 24 as part of the Six Degrees of Domain Admin presentation by @_wald0 @CptJesus @harmj0y Bloodhound is a tool the blue team can't afford not to use. If you have ever administered Active Directory you know how complicated and misconfigured it can get if not in the right hands

Bloodhound in Docker in a Browser. Oh My Create a Fully Loaded, Free Active Directory Lab in 15 Minutes Invoke-Badblood.ps1 New Features and Speed Increase Escalation Defenses AD guardrails every company should deploy A SIDHistory Attack - Marching onto a DC AD Privilege Escalation Exploit The Overlooked ACL Detected: Bulk DNS queries, nslookup, zone transfers. 51 IBM Security As of the last BloodHound 1.4 (SharpHound) release earlier this month: Not Detected: Escalation via Selective AD ACL Abuse Selectively targeting Active Directory object Access Control Entrie In the [Queries] tab in the left corner, you can see the display with some prepared analytic queries. [Queries] > [Pre-Built Analytics Queries] > [Shortest Paths to High Value Targets] Screen when a query is selected. Data collection with Ingestors. So far, BloodHound and neo4j have been installed and configured So set tom as the owner of claire object. PS C:\Users\tom\Desktop\AD Audit\BloodHound> Set-DomainObjectOwner -Identity claire -OwnerIdentity tom. Step 2. Now that tom is the owner of the claire object, tom can add entries to the ACL. Add an entry giving tom the right to change the password of the claire object PS C:\Users\tom > Invoke-BloodHound-CollectionMethod All Initializing BloodHound at 3:20 AM on 8/19/2019 Resolved Collection Methods to Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM Starting Enumeration for HTB.LOCAL Status: 84 objects enumerated (+ 84 Infinity/s---Using 101 MB RAM) Finished enumeration for HTB

More BloodHound Cypher queries phackt

bloodhound custom queries · GitHu

Hidden Administrative Accounts: BloodHound to the Rescu

  1. utes to complete. Powershell -exec bypass. Import-module SharpHound.ps1. Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -CompressData -SkipPing. Wait 20
  2. Scanning for Active Directory Privileges & Privileged Accounts. By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security. Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization
  3. g • Password analysis & wordlist generatio
  4. - BloodHound at DEF CON 24. The deck used during DEF CON 24. Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.. This is a very well known quote by John Lambert, General Manager at Microsoft's Threat Intelligence Center. This quote and the blog post it serves as a.
  5. Last update: July 10th, 2021 Updated June 5th, 2021: I have made some more changes to this post based on (among others) techniques discussed in ZeroPointSecurity's 'Red Team Ops' course (for the CRTO certification). I've re-written and improved many sections. New sections have been added on DPAPI and GPO abuse. Notable changes have been made to the the sections on LAPS, AppLocker & CLM.

Bloodhound walkthrough

  1. ACE to RCE. tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to run arbitrary executables. During a recent assessment I found a new way to abuse Access Control Entries in a misconfigured Active Directory instance. Before jumping into the juicy bits, I'd first like to explain.
  2. The Query tab displays the query pane, results pane, and status bar. The query tab is selected in the above screenshot example. The query pane is where you build or type a query to run on clients in the collection. CMPivot uses a subset of the Kusto Query Language (KQL). Cut, copy, or paste content in the query pane
  3. HTB: Forest. This is a writeup about a retired HacktheBox machine: Forest published by egre55 and mrb3n on October the 12th 2019. This box is a Windows machine classified as easy. The server is a Domain Controller with 24 open ports. We will use Winrm, bloodhound and impacket to get both the user flag and the root flag
  4. s. If you want to restrict collection, specify the --collectionmethod parameter, which supports the following options (similar to SharpHound)
Hack The Box - Reel | Nikhil's Cybersec Blog

HTB: Sauna. Sauna was a neat chance to play with Windows Active Directory concepts packaged into an easy difficulty box. I'll start by using a Kerberoast brute force on usernames to identify a handful of users, and then find that one of them has the flag set to allow me to grab their hash without authenticating to the domain. I'll AS-REP. BloodHound.py requires impacket, ldap3 and dnspython to function. Lines 3 and 4 are like the Mono project, where we copy the source files into the /app folder on the container. To view the graphed network open the menu and select queries this will give you a list of pre-compiled queries to choose from RTF vuln. 上面的readme中提示了email rtf格式文件,相关漏洞: bhdresh/CVE-2017-0199: Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE

Base cypher queries rewrite by andyrobbins · Pull Request

  1. BloodHound. Bloodhound is a GUI tool which uses neo4j as its database management. Basically an ingestor gathers a lot of information about the domain, stores them in numerous json files, which BloodHound processes for you. This writeup is not about how to run BloodHound. I first collect information about the domain using SharpHound
  2. Group AD groups enumeration onlyCollection Scoping Options 452 Collection from CSC MISC at Rock Ridge High Scoo
  3. A dishonest service provider instantiates both a valid enclave running on real hardware, as well as the same enclave running in a software simulator in parallel, is always able to respond correctly to Remote Attestation queries, all the while running the enclave inside a software simulator with full access to enclave's internal state

One of the recent advancements in Bloodhound is the discovery of access control list (ACL) attack paths, where permissions can be exploited to allow privileged access to your Active Directory. 1- Harden Privileged AD Groups Active Directory red team tools, like Bloodhound, look for memberships in interesting A 3.2.1. Bloodhound Nodes In BloodHound, there are 6 types of nodes [labels]: Each type of node has its own set of properties. Note: Bloodhound 3 nodes all have a unique objectid property. 3.2.2. BloodHound Edges In its original release, Bloodhound only had 3 types of relationships, but the little puppy grew quickly, and version 3 now counts 23. BloodHound supports the pre-build find shortest paths to domain admins query which is used by most attackers. Let's assume the output of this query is the following: SVC_SIEMENS is an interesting attack target because the user has the permissions to add new members to the domain admins group The Bloodhound tool written by Andy Robbins, Rohan Vazarkar, and Will can identify attack paths involving Exchange permissions configured in Active Directory. Microsoft recently published an article (https:.

Useful Cypher queries for BloodHound · GitHu

  1. 2) Then we upload the data into the Bloodhound front-end GUI where we can visualize relations between objects. The Bloodhound query language then allows us find paths like in this example: When we are looking for these rights and trust misconfigurations, we would typically start with the pre-built queries such as
  2. The LAPS relationships are 100% in the json, and i compiled bloodhound from source with dirkjans push of the LAPS acl fix but still no luck, is anyone able to test for me or identify why this query isnt working
  3. Thus, forgetting that machine accounts can move laterally, Kerberoast, or be used by tools like BloodHound. This leads machine accounts to be overlooked by both red and blue teams. For all of these reasons, we should not ignore the use of machine account hashes. In Active Directory (AD) there are two main objects, users and computers
  4. Active, as the name hints is an Active Directory box. If you're unfamiliar with it, you'll find it very difficult or impossible to do. Otherwise it isn't too difficult and will help to build your AD methodology. Lessons learned Developing an AD enumeration methodologyImpacket's AD enumeration scriptsBloodhound for mapping AD relationships Enumeration Many ports ar
  5. -Verbose. Find computers where a domain ad

Finding Active Directory attack paths using BloodHound

First, is since we do have network access, is simply check what subnet we're on via ifconfig or ipconfig. Once you have your IP, do a ping sweep in nmap to see if other devices are accessible. nmap -sn If devices come back, then you're in business Along with Bloodhound make sure to use other enumeration tools covered in the course such as Powerview and the active directory module. Make a well-structured note consisting of all the commands as it would be very easy to copy and paste commands and it would also save you a lot of time An attack through an ACL ACL in a domain context is a set of rules that determine the access rights of objects in AD. The ACL can be. triple for both a single object (for example, a user account), and for an organizational unit, for example, OU. When you configure the ACL on the OU, all objects within the OU will inherit the ACL • Bloodhound - Visualizing Attack Paths • Domain Privilege Escalation • Day 2 - Lab RPC, COM Objects • ACL and GPO Abuse • Trust Abuse in domain environment • Constraint and Unconstrained delegation • Mission Completion and Data Exfiltration • OPSEC Considerations For any queries, contact paranoidninja@0xdarkvortex.dev Drop loot.zip on to the Bloodhound web page to import: Question 3.1. Choose Queries then Find All Domain Admins: Hover over graph to see the name of the service: Question 3.2. Now we need to find the kerberoastable users, using this query: Looking at the graph we can see them: Task 4 - Mimikat

MS Just Gave the Blue Team Tactical Nukes (And How Red

Get Domain Policy. A domain policy defines some constraints about the domain. The Kerberos policy is the most interesting, in order to create tickets (with normal value) in the current context an attacker needs to know these limits.. With PowerView to check single a policy for the current Domain: `(Get-DomainPolicyData).systemaccess` . Tip: When an attacker would abuse an ACL like. Lateral movement is defined by MITRE as: Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting. After starting neo4j which is the DBMS used by BloodHound to handle graph databases open BloodHound itself and import the archive with the Import Data button and go to Queries > Shortest paths to high value target to have an overview of important user groups and users on the system and how they can be linked to each other in possible attack paths Add ½ cup of turmeric powder and one cup of water to a pan and stir gently over low flame to form a paste. This can take around 7-10 minutes. Add more water if required. Add 1 ½ teaspoons freshly ground pepper and 70 ml coconut or olive oil. It can be stored in the refrigerator for 2 weeks

Defending Against Adversaries Using FireEye's Stolen Red Team Tools. Written by: Venu Vissamsetty, Founding Engineer at Attivo Networks - FireEye recently published a report about a cyber attack that resulted in attackers stealing their Red Team tools. FireEye has also released countermeasures (IOCs, YARA rules) to detect the use of these. Forest. Adopt the pace of nature! Forest is an easy difficulty machine running Windows. It tests your knowledge in Basic enumeration and privelege escalation using common commands as well as using tools such as Bloodhound.. Be sure to checkout the Basic Setup section before you get started.. Enumeration. Like always, enumeration is our first port of call Reel was an awesome box because it presents challenges rarely seen in CTF environments, phishing and Active Directory. Rather than initial access coming through a web exploit, to gain an initial foothold on Reel, I'll use some documents collected from FTP to craft a malicious rtf file and phishing email that will exploit the host and avoid the protections put into place. Then I'll pivot.

to collect data and afterwards import it into our Bloodhound database to run the query Find Shortest Path to Domain Admins and the graph is too big for visualisation, we know, that the Domain Administrators are used for service accounts or daily operations, which is pretty bad. Many other AD groups can also be abused to get the highest privileges. So securing theese groups should somehow have. Bloodhound. One of the most important tools that is used in almost all internal penetration testing. The project is actively developing and supplemented by new features. Information collected by bloodhound. The information collectors are SharpHound.exe (installed .NET v3.5 is required) and the script SharpHound.ps1 written in powershell Original Price $18.00. (20% off) Metropolitan Grey Linen Table Cloth - Washable Linen - Neutral Tablecloth - Market Linen - 72 x 54 - Made in Atlanta. $92.99. Leather blanket strap carrier for a picnic blanket, Custom blanket strap in brown, blanket roll. Perfect for walking, camping, trip. Sale Price $31.50. $31.50 Many red teamers use Bloodhound to determine attack paths from a controlled asset on the breached network to their objective. The specific arguments in the example command instruct Bloodhound to use the following collection methods: ACL - Collect ACL (Access Control List) data; ObjectProps - Collects node property information for users and.

A Red Teamer's Guide to GPOs and OUs - wald0

Root required using bloodhound to visualize the AD environment and find a path to the domain admin, which included abusing ACL's to get DCSync rights. 1. Recon As usual we will start with an nmap scan of the target machine. nmap -sC -sV -oA nmap/scan The ports of note here are: 445 - SMB; 88 - Kerberos; 135 - RP Enumerating AD infrastructure with BloodHound. explore the profound relationship (intended and unintended) in an Active Directory environment, across users\machines\ACL's\Domain group memberships\Active sessions. queries can be executed to identify the relationships

Lay of the Land with Bloodhound - Threat Blo

The Bloodhound query language then allows us find paths like in this example: When we are looking for these rights and trust misconfigurations, we would typically start with the pre-built queries such as: Find Top 10 Users with Most Local Admin Rights Find Shortest Paths to Domain Admins , Map Domain Trusts etc aclpwn.py - Active Directory ACL exploitation with BloodHound CrackMapExec - A swiss army knife for pentesting networks ADACLScanner - A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Director Maximizing BloodHound. Description New Release: dpat - The BloodHound Domain Password Audit Tool (DPAT) A simple suite of tools: get-info - Pull lists of information from the Neo4j database mark-owned - Mark a list of objects as Owned mark-hvt - Mark a list of objects as High Value Targets query - Run a raw Cypher Read Mor Overview This post provides a walkthrough of the Forest system on Hack The Box. This walktrough, in entirety, is a spoiler. I create these walkthroughs as documentation for myself while working through a system; excuse any brevity or lack of formality. I've uploaded this walkthrough to help those that may be stuck. Service Enumeration To kick things off, we start with some service discovery.

Edges — BloodHound 3

Read writing from Rohan Vazarkar on Medium. Penetration Tester and BloodHound Developer. Every day, Rohan Vazarkar and thousands of other voices read, write, and share important stories on Medium An AWS request occurred to either create a new public bucket or to add a bucket access control list (ACL) to an existing bucket to make it public. While there are some use cases for AWS S3 public buckets, most are generally private. The security operations center should have a strong understanding of which buckets are allowed to be public The Explanation. First, we use PowerView's Get-DomainObjectACL to enumerate the ACEs for all group policy objects in a foreign domain. The -Domain 'dev.testlab.local' flag signals the query to run in the foreign domain, and the LDAP filter -LDAPFilter '(objectCategory=groupPolicyContainer)' indicates to only return group policy objects. The -ResolveGUIDs flag indicates that any.

Active Directory Pretesting is designed to provide security professionals to understand, analyze and practice threats and attacks in a modern Active Directory environment. The course is beginner friendly and comes with a walkthrough videos course and all documents with all the commands executed in the videos mitm6. Start up the server, specify hostname we want to target and domain. mitm6 -hw ws02 -d lab.local --ignore-nofqnd. ntlmrelayx. Start ntlmrelayx, specify domain controller, delegation attack, disable the SMB server and set the name for a malicious WPAD file that will be generated and served to the target A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems Bloodhound. I decided to go through with bloodhound in order to indentify targets and map the AD. It was the first time using it. Populating Bloodhound. Bloodhound needs data to trace all relations between AD objects so we need to gather it for him. I read in the documentation that an user is to required but I didn't find a way to do it without dorkbot is a modular command-line tool for Google dorking, which is performing vulnerability scans against a set of web pages returned by Google search queries in a given Google Custom Search Engine. How dorkbot works It is broken up into two sets of modules: Indexers - modules that issue a search query and return the results as targets Scanners - modules that perform a vulnerability scan.