hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
If you are not running as root you will need sudo. On Backtrack, drop sudo since you are already running as root.
sudo hping3 -c 1 -V -I tap0 -p 445 -S 192.168.0.100
using tap0, addr: 192.168.0.1, MTU: 1500
HPING 192.168.0.100 (tap0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=1315 tos=0 iplen=44
sport=445 flags=SA seq=0 win=64240 rtt=0.6 ms
seq=2232013429 ack=25004686 sum=9f2f urp=0
--- 192.168.0.100 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
For use with a wired NIC:
sudo hping3 -c 1 -V -I eth0 -p 445 -S 192.168.0.100
-c = count
-V = verbose
-I = network interface to use
-1 = ICMP packet
-p = port to use
Testing firewall rules with Hping3 – examples
Mon, 05 Jul 2010
1. Testing ICMP: In this example hping3 behaves like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies.
hping3 -1 0daysecurity.com
2. Traceroute using ICMP: This example is similar to familiar utilities like tracert (Windows) or traceroute (Linux), which send ICMP packets while increasing the TTL value by 1 each time.
hping3 --traceroute -V -1 0daysecurity.com
3. Checking a port: Here hping3 sends a SYN packet to a specified port (80 in our example). We can also control the local source port the scan starts from (5050).
hping3 -V -S -p 80 -s 5050 0daysecurity.com
4. Traceroute to a specific port: A nice feature of hping3 is that you can do a traceroute to a specified port and watch where your packet is blocked. It is done by simply adding --traceroute to the last command.
hping3 --traceroute -V -S -p 80 -s 5050 0daysecurity.com
5. Other types of ICMP: This example sends an ICMP address mask request (type 17).
hping3 -c 1 -V -1 -C 17 0daysecurity.com
6. Other types of port scanning: The first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send an RST+ACK packet back to signal that the port is closed.
hping3 -c 1 -V -p 80 -s 5050 -F 0daysecurity.com
7. Ack Scan: This scan can be used to see if a host is alive (when Ping is blocked for example). This should send a RST response back if the port is open.
hping3 -c 1 -V -p 80 -s 5050 -A 0daysecurity.com
8. Xmas scan: This scan sets the sequence number to zero and sets the URG + PSH + FIN flags in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP Xmas scan, sending no reply.
hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF 0daysecurity.com
9. Null scan: This scan sets the sequence number to zero and has no flags set in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.
hping3 -c 1 -V -p 80 -s 5050 -Y 0daysecurity.com
10. Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
11. DOS Land Attack:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP
* --flood: send packets as fast as possible. Don't show replies.
* --rand-dest: random destination address mode. See the man page.
* -V: verbose
* -c --count: packet count
* -d --data: data size
* -S --syn: set SYN flag
* -w --win: window size (default 64)
* -p --destport [+][+]<port>: destination port (default 0); ctrl+z increments/decrements
* -s --baseport: base source port (default random)
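The probes in examples 6 to 9 and the random-source flood in example 11 leave distinctive traces on the receiving side. The Python script below is an added example, not part of the original page or of hping: it parses constructed Linux netfilter LOG lines (the format an iptables LOG rule writes to the kernel log; the sample records are made up and use documentation address ranges) and reports FIN, Xmas and NULL probes, ACK probes, LAND-style packets whose source equals the destination, and bursts of SYN packets arriving from many distinct sources at one destination port, which is what --rand-source produces. The source-count threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (the iptables "-j LOG" format), made up for
# this example. Addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul  5 10:00:01 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TTL=64 ID=1 PROTO=TCP SPT=5050 DPT=80 WINDOW=512 RES=0x00 FIN URGP=0
Jul  5 10:00:02 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TTL=64 ID=2 PROTO=TCP SPT=5050 DPT=80 WINDOW=512 RES=0x00 URG PSH FIN URGP=0
Jul  5 10:00:03 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=5050 DPT=80 WINDOW=512 RES=0x00 URGP=0
Jul  5 10:00:04 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=40 TTL=64 ID=4 PROTO=TCP SPT=5050 DPT=80 WINDOW=512 RES=0x00 ACK URGP=0
Jul  5 10:00:05 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TTL=64 ID=5 PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  5 10:00:06 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.5 LEN=160 TTL=64 ID=6 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:07 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.31 DST=192.0.2.5 LEN=160 TTL=64 ID=7 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:07 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.92 DST=192.0.2.5 LEN=160 TTL=64 ID=8 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:07 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.200 DST=192.0.2.5 LEN=160 TTL=64 ID=9 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:07 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.14 DST=192.0.2.5 LEN=160 TTL=64 ID=10 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:07 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.5 LEN=160 TTL=64 ID=11 PROTO=TCP SPT=445 DPT=445 WINDOW=64 RES=0x00 SYN URGP=0
Jul  5 10:00:08 gw kernel: FW: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=52 TTL=64 ID=12 PROTO=UDP SPT=5353 DPT=53 LEN=32
"""

FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the key=value fields of a TCP LOG line plus a 'flags' set,
    or None for non-TCP records. Flags appear as bare tokens (SYN, ACK, ...)
    after RES=, so they are matched as whole words, not substrings."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    fields["flags"] = frozenset(t for t in line.split() if t in FLAG_NAMES)
    return fields


def classify_flags(flags):
    """Map a TCP flag set to the probe types from the hping3 examples above."""
    if not flags:
        return "NULL scan"          # no flags at all (hping3 -Y style)
    if flags == {"FIN"}:
        return "FIN scan"           # lone FIN outside any connection
    if flags == {"URG", "PSH", "FIN"}:
        return "Xmas scan"          # URG+PSH+FIN lit up together
    if flags == {"ACK"}:
        return "ACK probe"          # lone ACK, used to test for a live host
    if flags == {"SYN"}:
        return "SYN"                # ordinary connection attempt; only volume matters
    return None


def analyse(log_text, syn_threshold=5):
    """Walk the log and collect findings as (kind, source, dst:port) tuples.
    syn_threshold (assumed value) is the number of distinct sources sending
    SYN-only packets to one dst:port before a random-source flood is reported."""
    findings = []
    syn_sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        src, target = rec.get("SRC", ""), f'{rec.get("DST", "")}:{rec.get("DPT", "")}'
        # Classic LAND packet: source address and port equal the destination's.
        if src == rec.get("DST") and rec.get("SPT") == rec.get("DPT"):
            findings.append(("LAND packet", src, target))
            continue
        kind = classify_flags(rec["flags"])
        if kind == "SYN":
            syn_sources[target].add(src)
        elif kind is not None:
            findings.append((kind, src, target))
    for target, sources in syn_sources.items():
        if len(sources) >= syn_threshold:
            findings.append(("SYN flood (many sources)", f"{len(sources)} sources", target))
    return findings


if __name__ == "__main__":
    for kind, src, target in analyse(SAMPLE_LOG):
        print(f"{kind:28s} {src:20s} -> {target}")
```

A single odd flag combination is a scan signal on its own, whereas a SYN is only suspicious in aggregate, so the script counts distinct sources per destination port rather than flagging individual SYNs. Run it against a real kernel log by reading the file instead of SAMPLE_LOG; the threshold should be tuned to the normal connection rate of the service.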
information gathering – dnswalk
dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.
Backtrack 5R1
/pentest/enumeration/dns/dnswalk
Options
-r = Recursively descend sub-domains of the specified domain. Use with care.
-a = Turn on warning of duplicate A records. (see below)
-d = Print debugging and ‘status’ information to stderr. (Use only if redirecting stdout) See DIAGNOSTICS section.
-m = Perform checks only if the zone has been modified since the previous run.
-F = perform “forced” checking. When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches.
-i = Suppress check for invalid characters in a domain name. (see below)
-l = Perform “lame delegation” checking. For every NS record, check to see that the listed host is indeed returning authoritative answers for this domain.
root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk -r -d url-to-show-how.com.
Checking example.com.
Getting zone transfer of url-to-show-how.com. from a.iana-servers.net…failed
FAIL: Zone transfer of url-to-show-how.com. from a.iana-servers.net failed: Response code from server: REFUSED
!Getting zone transfer of url-to-show-how.com. from b.iana-servers.net…failed
FAIL: Zone transfer of url-to-show-how.com. from b.iana-servers.net failed: Response code from server: REFUSED
!BAD: All zone transfer attempts of url-to-show-how.com. failed!
!2 failures, 0 warnings, 1 errors.
information gathering – fping
fping is a ping(1)-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping differs from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping sends out a ping packet and moves on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it is considered unreachable.
Unlike ping, fping is meant to be used in scripts and its output is easy to parse.
OPTIONS
-a Show systems that are alive.
-d Use DNS to look up the address of each returned ping packet. This lets you give fping a list of IP addresses as input and print hostnames in the output.
-e Show elapsed (round-trip) time of packets.
-f Read the list of systems from a file. This option can only be used by the root user. Regular users should pipe in the file via stdin: fping < targets_file
-g Generate a target list from a supplied IP netmask, or a starting and ending IP. Specify the netmask or start/end in the targets portion of the command line. For example, to ping the class C 192.168.1.x, the command line could look like either:
fping -g 192.168.1.0/24
or
fping -g 192.168.1.0 192.168.1.255
-i n The minimum amount of time (in milliseconds) between sending a ping packet to any host (default is 10).
-q Quiet. Don't show per-host results, just set the final exit status.
-r n Retry limit (default 3). This is the number of times an attempt at pinging a host will be made, not including the first try.
-s Dump final statistics.
-t n Individual host timeout in milliseconds (default 2500). This is the minimum number of milliseconds between ping packets directed towards a given host.
-u Show systems that are unreachable.
fping -g 192.168.1.1 192.168.1.16
fping sends an ICMP echo request to each address in the range to see which hosts are alive.
root@bt:~# fping -g 192.168.1.1 192.168.1.16
192.168.1.1 is alive
192.168.1.2 is alive
192.168.1.3 is alive
192.168.1.4 is alive
192.168.1.5 is alive
192.168.1.16 is alive
192.168.1.6 is unreachable
192.168.1.7 is unreachable
192.168.1.8 is unreachable
192.168.1.9 is unreachable
192.168.1.10 is unreachable
192.168.1.11 is unreachable
192.168.1.12 is unreachable
192.168.1.13 is unreachable
192.168.1.14 is unreachable
192.168.1.15 is unreachable
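The point above that fping output is easy to parse can be shown with a short script. The Python below is an added example, not from the original page or from fping: it turns constructed fping output (made-up lines in the same "is alive" / "is unreachable" form as the run above, plus one diagnostic line the parser must skip) into lists sorted by numeric address, and compares the live hosts with a known inventory, which is the defender's use of a sweep: spotting a device answering on the segment that should not be there. The inventory set is an assumed value.

```python
import ipaddress
import re

# Constructed fping output in the same form as the run above; not a real capture.
# The last line imitates the ICMP error messages fping can emit and is not a result line.
SAMPLE_FPING = """\
192.168.1.1 is alive
192.168.1.2 is alive
192.168.1.16 is alive
192.168.1.6 is unreachable
192.168.1.7 is unreachable
ICMP Host Unreachable from 192.168.1.1 for ICMP Echo sent to 192.168.1.9
"""

# Assumed inventory of hosts expected to answer in this range.
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4", "192.168.1.5"}

# One result per line: "<target> is alive" or "<target> is unreachable".
RESULT_RE = re.compile(r"^(\S+)\s+is\s+(alive|unreachable)\b")


def _sort_key(host):
    """Order numerically by address; hostnames (as printed with -d) sort after addresses."""
    try:
        return (0, int(ipaddress.ip_address(host)))
    except ValueError:
        return (1, host)


def parse_fping(output):
    """Split fping output into sorted 'alive' and 'unreachable' target lists,
    ignoring any line that is not a per-target result."""
    result = {"alive": [], "unreachable": []}
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            result[m.group(2)].append(m.group(1))
    for state in result:
        result[state].sort(key=_sort_key)
    return result


def unexpected_hosts(parsed, inventory):
    """Live targets missing from the inventory: candidates for a rogue-device check."""
    return [h for h in parsed["alive"] if h not in inventory]


if __name__ == "__main__":
    parsed = parse_fping(SAMPLE_FPING)
    for state, hosts in parsed.items():
        print(f"{state}: {', '.join(hosts)}")
    print("alive but not in inventory:", unexpected_hosts(parsed, KNOWN_HOSTS))
```

fping prints results in the order replies arrive (note 192.168.1.16 appearing before .6 in the run above), so the parser sorts by integer address rather than by string, which would put 192.168.1.16 before 192.168.1.2. To use it on a real run, pipe fping's output into the script instead of SAMPLE_FPING.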
information gathering – metagoofil
Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites.
It generates an HTML page with the results of the extracted metadata, plus a list of potential usernames, very useful for preparing a bruteforce attack on open services like ftp, pop3, web applications, vpn, etc. It also extracts a list of paths disclosed in the metadata; with this information you can guess the OS, network names, shared resources, etc.
How does it work? MetaGooFil basically searches Google for interesting documents on the target site, for example: site:victim.com filetype:pdf
backtrack 5r1
location:
pentest/enumeration/google/metagoofil#
use:
root@bt:/pentest/enumeration/google/metagoofil# ./metagoofil.py -d (site URL minus the www., i.e. microsoft.com) -t doc,pdf -l 200 -n 50 -o /root/Desktop/metagoofil-folder/ -f /root/Desktop/results.html
Create a folder on your desktop called metagoofil-folder, as all files found will be placed there.
metagoofil options
-d: domain to search
-t: filetype to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)
-l: limit of results to search (default 200)
-h: work with documents in directory (use “yes” for local analysis)
-n: limit of files to download
-o: working directory
-f: output file
Examples:
metagoofil.py -d microsoft.com -t doc,pdf -l 200 -n 50 -o microsoftfiles -f results.html
metagoofil.py -h yes -o microsoftfiles -f results.html (local dir analysis)
information gathering – nessus
1. http://www.tenable.com/products/nessus/select-your-operating-system
2. Nessus-5.0.1-debian6_i386.deb
3. Save to root.
4. root@bt:~# dpkg -i Nessus-5.0.1-debian6_i386.deb
(Reading database … 241215 files and directories currently installed.)
Preparing to replace nessus 4.4.1 (using Nessus-5.0.1-debian6_i386.deb) …
Shutting down Nessus : .
Unpacking replacement nessus …
Setting up nessus (5.0.1) …
Fetching the newest plugins from nessus.org…
Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute
nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.
Processing the Nessus plugins…
[##################################################]
All plugins loaded
- You can start nessusd by typing /etc/init.d/nessusd start
- Then go to https://bt:8834/ to configure your scanner
5. http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code
6. root@bt:~#cd /opt/nessus/bin/
7. root@bt:/opt/nessus/bin# nessus-fetch --register xxxx-xxxx-xxxx-xxxx
Your Activation Code has been registered properly – thank you.
Now fetching the newest plugin set from plugins.nessus.org…
Your Nessus installation is now up-to-date.
If auto_update is set to ‘yes’ in nessusd.conf, Nessus will
update the plugins by itself.
8. root@bt:/opt/nessus/bin#cd /opt/nessus/sbin/
9. root@bt:/opt/nessus/sbin# nessus-adduser
10. root@bt:/opt/nessus/sbin#cd /etc/init.d/
11. root@bt:/etc/init.d# nessusd start
nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.
Processing the Nessus plugins…
[##################################################]
All plugins loaded
12. web browse to https://localhost:8834/
——————————————————–
Update Nessus manually
1. update nessus
root@bt:~# cd /opt/nessus/sbin/
root@bt:/opt/nessus/sbin# nessus-update-plugins
Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute
2. Manually start processing if nothing happens after update.
root@bt:/opt/nessus/sbin# /opt/nessus/sbin/nessusd -R
nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.
Processing the Nessus plugins…
[##### ]
————————————————————-
ENABLING WINDOWS SERVER 2008 LOGINS FOR NESSUS LOCAL AND REMOTE AUDITS
1. Under Windows Firewall -> Windows Firewall Settings, “File and Printer Sharing” must be enabled.
2. Create a new account with Admin level rights. The username can be anything you wish.
3. Enable Remote Registry. Under Services.
4. Disable UAC by unticking it. This will require a reboot.
If, while scanning with Nessus, you see the message below listed under Info, check that the Remote Registry service is started, UAC is turned off and the user account has Admin privileges.
Nessus Windows Scan Not Performed with Admin Privileges
information gathering – netdiscover
Netdiscover is an active/passive address reconnaissance tool, mainly developed for wireless networks without a DHCP server, when you are wardriving. It can also be used on hub/switched networks.
root@bt:~# netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 120
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
—————————————————————————–
192.168.1.129 15:44:a1:c5:a0:80 01 050 Unknown vendor
192.168.1.130 15:44:a1:c5:a0:81 01 050 Unknown vendor
192.168.1.131 15:44:a1:c5:a0:ab 01 050 Unknown vendor
Netdiscover 0.3-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>
Usage: netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-C]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-F filter: Customize pcap filter expression (default: “arp”)
-s time: time to sleep between each arp request (miliseconds)
-n node: last ip octet used for scanning (from 2 to 253)
-c count: number of times to send each arp reques (for nets with packet loss)
-f enable fastmode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time supression betwen each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-L in parsable output mode (-P), continue listening after the active scan is completed
If -r, -l or -p are not enabled, netdiscover will scan for common lan addresses
information gathering – nbtscan
NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
root@bt:~# nbtscan 192.168.1.1-254
Doing NBT name scan for addresses from 192.168.1.1-254
IP address NetBIOS Name Server User MAC address
——————————————————————————
192.168.1.1 test-1 <server> <unknown> 00-01-8a-ab-91-d4
192.168.1.2 test-2 <server> <unknown> 00-01-8a-ab-92-d5
To list the services on a host use the -hv options
root@bt:~# nbtscan -hv 192.168.1.1
Doing NBT name scan for addresses from 192.168.1.100
NetBIOS Name Table for Host 192.168.1.1:
Incomplete packet, 155 bytes long.
Name Service Type
—————————————-
test-1 Workstation Service
testdomain Domain Name
test-1 File Server Service
Adapter address: 00-01-8a-ab-91-d4
information gathering – theharvester
theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.
This tool is intended to help penetration testers in the early stages of a project. It's a really simple tool, but very effective.
/pentest/enumeration/theharvester
root@bt:/# cd /pentest/enumeration/theharvester
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d test-site.com -l 100 -b all
Note: drop the www. from the URL you are interested in, e.g. http://www.test-site.com becomes test-site.com
Usage: theharvester options
-d: Domain to search or company name
-b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,exalead,all)
-s: Start in result number X (default 0)
-v: Verify host name via dns resolution and search for virtual hosts
-f: Save the results into an HTML and XML file
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this DNS server
-l: Limit the number of results to work with (bing goes from 50 to 50 results, google 100 to 100, and pgp doesn't use this option)
-h: use SHODAN database to query discovered hosts
Examples: ./theHarvester.py -d site-you-want-info-on.com -l 500 -b google
./theHarvester.py -d site-you-want-info-on.com -b pgp
./theHarvester.py -d site-you-want-info-on.com -l 200 -b linkedin