information gathering – hping


hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

If you are not running as root you will need sudo in front of every hping3 command, because it builds raw packets. On BackTrack you are already root, so drop the sudo.

sudo hping3 -c 1 -V -I tap0 -p 445 -S 192.168.0.100
using tap0, addr: 192.168.0.1, MTU: 1500
HPING 192.168.0.100 (tap0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=1315 tos=0 iplen=44
sport=445 flags=SA seq=0 win=64240 rtt=0.6 ms
seq=2232013429 ack=25004686 sum=9f2f urp=0

--- 192.168.0.100 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms

To use a physical NIC instead of the tap interface:

sudo hping3 -c 1 -V -I eth0 -p 445 -S 192.168.0.100

-c = packet count
-V = verbose
-I = network interface to use
-S = set the SYN flag
-p = destination port
-1 = ICMP mode (not used above; see the ICMP examples below)

In the reply, flags=SA (SYN/ACK) means port 445 is open. A closed port answers with flags=RA (RST/ACK), and no reply at all usually means a firewall dropped the probe or the host is down.

Testing firewall rules with Hping3 – examples
Mon, 05 Jul 2010

1. Testing ICMP: In this example hping3 behaves like a normal ping utility, sending an ICMP echo request and receiving the ICMP echo reply.
hping3 -1 0daysecurity.com

2. Traceroute using ICMP: This example is similar to the familiar tracert (Windows) and traceroute (Linux) utilities, which send ICMP packets while increasing the TTL by one each time.
hping3 --traceroute -V -1 0daysecurity.com

3. Checking a port: Here hping3 sends a SYN packet to the specified port (80 in our example). We can also control the local source port from which the scan starts (5050).
hping3 -V -S -p 80 -s 5050 0daysecurity.com

4. Traceroute to a specific port: A nice feature of hping3 is that you can run a traceroute towards a specific TCP port and watch where your packet is blocked, which a plain ICMP traceroute cannot show when a firewall treats ICMP and TCP differently. Just add --traceroute to the previous command.
hping3 --traceroute -V -S -p 80 -s 5050 0daysecurity.com

5. Other types of ICMP: This example sends an ICMP address mask request (type 17).
hping3 -c 1 -V -1 -C 17 0daysecurity.com

6. Other types of port scanning: The first we will try is the FIN scan. In a TCP connection the FIN flag starts the connection-closing handshake, so a bare FIN to a port with no established connection is unexpected. A closed port replies with RST (hping3 shows flags=RA); an open port silently drops the segment, so no reply means open or filtered. Some stacks (Windows among them) send RST regardless of port state, which makes every port look closed to this scan.
hping3 -c 1 -V -p 80 -s 5050 -F 0daysecurity.com

7. ACK scan: This scan can be used to see if a host is alive (when ping is blocked, for example) and to map firewall rules. An unfiltered port, open or closed, answers an unsolicited ACK with RST; no reply means a stateful firewall is dropping packets that do not belong to an existing connection. The ACK scan does not tell you whether the port is open.
hping3 -c 1 -V -p 80 -s 5050 -A 0daysecurity.com

8. Xmas scan: This scan sets the sequence number to zero (-M 0) and sets the URG + PSH + FIN flags in the packet. If the target's TCP port is closed, the target sends a TCP RST in reply. If the port is open, the target discards the Xmas segment and sends no reply.
hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF 0daysecurity.com

9. Null scan: This scan sets the sequence number to zero and has no flags set in the packet. If the target's TCP port is closed, the target sends a TCP RST in reply. If the port is open, the target discards the NULL segment and sends no reply. Note that -Y actually sets the unused 0x80 flag bit (-Y --ymas in the man page); hping3 sends TCP segments with no flags by default, so leave out every flag option for a true null probe.
hping3 -c 1 -V -p 80 -s 5050 -Y 0daysecurity.com

10. Smurf attack: This is a type of denial-of-service attack that floods a target by sending ICMP echo requests with the victim's spoofed source address to a network broadcast address, so every host that answers replies to the victim. Routers have dropped directed broadcasts by default since RFC 2644, so this rarely amplifies beyond the local segment today.
hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS

11. DoS Land attack:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP

As written this is a SYN flood with random spoofed sources and 120 bytes of payload rather than a classic LAND packet, which carries the victim's own address as the source (-a VICTIM_IP) together with matching source and destination ports.

* --flood: send packets as fast as possible. Don't show replies.
* --rand-source: random source address mode. See the man page.
* -V: verbose
* -c --count: packet count
* -d --data: data size
* -S --syn: set SYN flag
* -w --win: window size (default 64)
* -p --destport [+][+]<port>: destination port (default 0); ctrl+z to inc/dec
* -s --baseport: base source port (default random)
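Reading the flags= field by hand gets tedious across many ports and scan types. The script below is an added example, not part of the original page or of hping3 itself: classify_reply turns one hping3 run's output into a verdict for SYN, FIN/Xmas/Null and ACK probes (the rules from the first section and from examples 3, 6, 7, 8 and 9 above), and probe_ports wraps hping3 over a list of ports. The host 192.168.0.100, the port list and the three sample replies are constructed for the demonstration, not real captures; probe_ports needs root and a working hping3, classify_reply does not.

```shell
#!/usr/bin/env bash
# Added example: classify hping3 TCP probe replies and drive hping3 over a port list.
# Not from the original page or from the hping3 project.

# classify_reply TYPE: read one hping3 run's output on stdin and print a verdict.
#   TYPE=syn  SYN/ACK (flags=SA) -> open, RST (flags=R or RA) -> closed, silence -> filtered
#   TYPE=ack  RST -> unfiltered (no stateful firewall in the path), silence -> filtered
#   TYPE=fin  (also xmas/null) RST -> closed, silence -> open|filtered
classify_reply() {
    awk -v type="${1:-syn}" '
        /flags=SA/ { got = "synack" }
        /flags=R/  { got = "rst" }          # matches both flags=R and flags=RA
        END {
            if (type == "syn") {
                if (got == "synack") state = "open"
                else if (got == "rst") state = "closed"
                else state = "filtered"
            } else if (type == "ack") {
                state = (got == "rst") ? "unfiltered" : "filtered"
            } else {
                state = (got == "rst") ? "closed" : "open|filtered"
            }
            print state
        }'
}

# probe_ports TYPE HOST PORT...: one probe per port (-c 1), one verdict line per port.
# hping3 needs raw sockets, so run this as root or via sudo.
probe_ports() {
    local type=$1 host=$2 port flag verdict
    shift 2
    case $type in
        syn) flag=-S ;;
        ack) flag=-A ;;
        fin) flag=-F ;;
        *)   echo "unknown probe type: $type" >&2; return 1 ;;
    esac
    for port in "$@"; do
        # the interface banner goes to stderr; reply lines come on stdout
        verdict=$(hping3 -c 1 "$flag" -p "$port" "$host" 2>/dev/null | classify_reply "$type")
        printf '%s\t%s\t%s\t%s\n' "$host" "$port" "$type" "$verdict"
    done
}

# Constructed sample outputs (not real captures) so the classifier runs offline.
SAMPLE_OPEN='HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=1315 tos=0 iplen=44
sport=445 flags=SA seq=0 win=64240 rtt=0.6 ms'
SAMPLE_CLOSED='HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=1316 tos=0 iplen=40
sport=139 flags=RA seq=0 win=0 rtt=0.5 ms'
SAMPLE_SILENT='HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes

--- 192.168.0.100 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

# Stand-alone demo on the samples. Against a live host: probe_ports syn 192.168.0.100 22 80 445
printf '%s\n' "$SAMPLE_OPEN"   | classify_reply syn   # open
printf '%s\n' "$SAMPLE_CLOSED" | classify_reply syn   # closed
printf '%s\n' "$SAMPLE_SILENT" | classify_reply syn   # filtered
printf '%s\n' "$SAMPLE_CLOSED" | classify_reply ack   # unfiltered
printf '%s\n' "$SAMPLE_SILENT" | classify_reply fin   # open|filtered
```

The verdicts are only as good as the single packet behind them: a dropped probe on a lossy link also reads as "filtered", so repeat doubtful ports with -c 3 before writing them up.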

 

information gathering – dnswalk

dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.

Backtrack 5R1

/pentest/enumeration/dns/dnswalk

Options

-r = Recursively descend sub-domains of the specified domain. Use with care.
-a = Turn on warning of duplicate A records. (see below)
-d = Print debugging and ‘status’ information to stderr. (Use only if redirecting stdout) See DIAGNOSTICS section.
-m = Perform checks only if the zone has been modified since the previous run.
-F = perform “forced” checking. When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches.
-i = Suppress check for invalid characters in a domain name. (see below)
-l = Perform “lame delegation” checking. For every NS record, check to see that the listed host is indeed returning authoritative answers for this domain.

root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk -r -d url-to-show-how.com.
Checking url-to-show-how.com.
Getting zone transfer of url-to-show-how.com. from a.iana-servers.net…failed
FAIL: Zone transfer of url-to-show-how.com. from a.iana-servers.net failed: Response code from server: REFUSED
!Getting zone transfer of url-to-show-how.com. from b.iana-servers.net…failed
FAIL: Zone transfer of url-to-show-how.com. from b.iana-servers.net failed: Response code from server: REFUSED
!BAD: All zone transfer attempts of url-to-show-how.com. failed!
!2 failures, 0 warnings, 1 errors.
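dnswalk only reports whether a transfer succeeded, and when every server answers REFUSED (as above) that is the correct configuration, not a bug; the finding is a server that does hand the zone over. The script below is an added example, not from the page or from dnswalk: it asks each authoritative name server separately for an AXFR with dig, because secondaries are often left open even when the primary refuses, and axfr_status reduces dig's output to a one-line verdict. The zone name example.com and the two dig transcripts are constructed for the demonstration; try_axfr needs network access and dig (bind9-dnsutils), axfr_status needs neither.

```shell
#!/usr/bin/env bash
# Added example: test every authoritative NS of a zone for an open AXFR.
# Not from the original page or from dnswalk.

# axfr_status: read the output of `dig @ns zone axfr` on stdin and print either
# "refused" or "transferred N records". dig prints "; Transfer failed." when the
# server answers REFUSED (or times out); record lines start with the owner name,
# while dig's own comment lines start with ';'.
axfr_status() {
    awk '
        /Transfer failed/ { failed = 1 }
        /^[^;]/ && NF >= 4 { records++ }       # owner TTL class type rdata...
        END {
            if (failed || records == 0) print "refused"
            else print "transferred " records " records"
        }'
}

# try_axfr ZONE: look up the NS set and attempt a transfer from each server in turn.
# A single "transferred" line is the finding; "refused" everywhere is what you want to see.
try_axfr() {
    local zone=$1 ns
    for ns in $(dig +short NS "$zone"); do
        printf '%s\t%s\t%s\n' "$zone" "$ns" \
            "$(dig @"$ns" "$zone" axfr +time=5 +tries=1 2>/dev/null | axfr_status)"
    done
}

# Constructed dig transcripts (not real captures) so axfr_status runs offline.
SAMPLE_REFUSED='; <<>> DiG 9.16.1 <<>> @a.iana-servers.net example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.'
SAMPLE_OPEN='; <<>> DiG 9.16.1 <<>> @ns2.example.com example.com axfr
; (1 server found)
;; global options: +cmd
example.com.        3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600  IN  NS   ns1.example.com.
example.com.        3600  IN  NS   ns2.example.com.
www.example.com.    300   IN  A    192.0.2.10
example.com.        3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 5 records (messages 1, bytes 213)'

printf '%s\n' "$SAMPLE_REFUSED" | axfr_status    # refused
printf '%s\n' "$SAMPLE_OPEN"    | axfr_status    # transferred 5 records
# Live use: try_axfr example.com
```

The record count includes the SOA twice (a transfer opens and closes with it), so a zone that really contains N records reports N+1.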

 

information gathering – fping


 

fping is a ping(1) like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. Instead of trying one host until it times out or replies, fping will send out a ping packet and move on to the next host in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit it will be considered unreachable.

Unlike ping, fping is meant to be used in scripts and its output is easy to parse.

OPTIONS

-a      Show systems that are alive.

-d      Use DNS to look up the address of the returned ping packet. This allows you to
        give fping a list of IP addresses as input and print hostnames in the output.

-e      Show elapsed (round-trip) time of packets.

-f      Read the list of systems from a file. This option can only be used by
        the root user. Regular users should pipe the file in via stdin:
        fping < targets_file

-g      Generate a target list from a supplied IP netmask, or a starting
        and ending IP. Specify the netmask or start/end in the targets
        portion of the command line.

        ex. To ping the class C 192.168.1.x, the command line could look like either:

        fping -g 192.168.1.0/24

        or

        fping -g 192.168.1.0 192.168.1.255

-i n    The minimum amount of time (in milliseconds) between sending a ping
        packet to any host (default is 10).

-q      Quiet. Don't show per-host results, just set the final exit status.

-r n    Retry limit (default 3). This is the number of times an attempt at
        pinging a host will be made, not including the first try.

-s      Dump final statistics.

-t n    Individual host timeout in milliseconds (default 2500).

-u      Show systems that are unreachable.

fping -g 192.168.1.1 192.168.1.16

fping sends an ICMP echo request to every address in the range and reports which ones answer. Results are printed in the order the replies arrive, not in address order (note 192.168.1.16 appearing before the unreachable hosts below), so sort the output if you feed it to another tool. fping -a -q -g prints only the alive addresses, one per line, which is the form most scripts want.

root@bt:~# fping -g 192.168.1.1 192.168.1.16
192.168.1.1 is alive
192.168.1.2 is alive
192.168.1.3 is alive
192.168.1.4 is alive
192.168.1.5 is alive
192.168.1.16 is alive
192.168.1.6 is unreachable
192.168.1.7 is unreachable
192.168.1.8 is unreachable
192.168.1.9 is unreachable
192.168.1.10 is unreachable
192.168.1.11 is unreachable
192.168.1.12 is unreachable
192.168.1.13 is unreachable
192.168.1.14 is unreachable
192.168.1.15 is unreachable

 

information gathering – metagoofil


Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites.
It will generate an HTML page with the results of the metadata extracted, plus a list of potential usernames, very useful for preparing a brute-force attack on exposed services like FTP, POP3, web applications, VPN, etc. It will also extract a list of paths disclosed in the metadata; from that information you can guess the OS, network names, shared resources, etc.

How does it work? Metagoofil basically searches Google for interesting documents on the target site (example query: site:victim.com filetype:pdf), downloads them and parses the metadata locally.

backtrack 5r1

location:

/pentest/enumeration/google/metagoofil

use:

root@bt:/pentest/enumeration/google/metagoofil# ./metagoofil.py -d (site URL minus the www., i.e. microsoft.com) -t doc,pdf -l 200 -n 50 -o /root/Desktop/metagoofil-folder/ -f /root/Desktop/results.html

Create a folder on your desktop called metagoofil-folder first, as every document found is downloaded there.

metagoofil options

-d: domain to search
-t: filetype to download (pdf,doc,xls,ppt,odp,ods,docx,xlsx,pptx)
-l: limit of results to search (default 200)
-h: work with documents in directory (use “yes” for local analysis)
-n: limit of files to download
-o: working directory
-f: output file

Examples:
metagoofil.py -d microsoft.com -t doc,pdf -l 200 -n 50 -o microsoftfiles -f results.html
metagoofil.py -h yes -o microsoftfiles -f results.html (local dir analysis)
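The username list metagoofil produces is just the author names from the document metadata folded into the login formats organisations commonly use. The script below is an added example, not metagoofil's own code and not from this page: it takes "First Last" author names (the constructed sample lines stand in for extracted metadata) and emits the usual candidate logins, deduplicated, ready for a password-spraying or brute-force wordlist. The seven name forms it generates are an assumption about the target's convention; confirm the real format from one known address (a mail header or a theHarvester hit) before relying on it.

```shell
#!/usr/bin/env bash
# Added example: author names from document metadata -> candidate usernames.
# Not from the original page or from metagoofil.

# username_candidates FIRST LAST: print the common corporate login forms for one
# name, all lower-case, one per line. The set of forms is an assumption.
username_candidates() {
    local first last fi li
    first=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    last=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    fi=$(printf '%s' "$first" | cut -c1)     # first initial
    li=$(printf '%s' "$last" | cut -c1)      # last initial
    printf '%s\n' "$first.$last" "$first$last" "$fi$last" "$first$li" \
                  "$last.$first" "$last$fi" "$first"
}

# names_to_usernames: read "First Last" lines on stdin (one author per line), skip
# anything that is not exactly two words (generic accounts like "Administrator",
# or three-part names you should handle by hand), and print the deduplicated set.
names_to_usernames() {
    while read -r first last extra; do
        [ -n "$first" ] && [ -n "$last" ] && [ -z "$extra" ] || continue
        username_candidates "$first" "$last"
    done | sort -u
}

# Constructed author metadata (not from any real document set).
SAMPLE_AUTHORS='John Smith
Jane Doe
Administrator
John Smith'

printf '%s\n' "$SAMPLE_AUTHORS" | names_to_usernames
```

Feed real input with something like `grep -h '^Author:' metagoofil-folder/*.txt | cut -d: -f2- | names_to_usernames` once you have the metadata dumped as text; the exact field name depends on the document type.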

 

information gathering – nessus


1. Go to http://www.tenable.com/products/nessus/select-your-operating-system

2. Download Nessus-5.0.1-debian6_i386.deb

3. Save it to /root.

4. root@bt:~# dpkg -i Nessus-5.0.1-debian6_i386.deb

(Reading database … 241215 files and directories currently installed.)
Preparing to replace nessus 4.4.1 (using Nessus-5.0.1-debian6_i386.deb) …
Shutting down Nessus : .
Unpacking replacement nessus …
Setting up nessus (5.0.1) …
Fetching the newest plugins from nessus.org…
Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute
nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.

Processing the Nessus plugins…
[##################################################]

All plugins loaded

– You can start nessusd by typing /etc/init.d/nessusd start
– Then go to https://bt:8834/ to configure your scanner

5. http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code

6. root@bt:~# cd /opt/nessus/bin/

7. root@bt:/opt/nessus/bin# nessus-fetch --register xxxx-xxxx-xxxx-xxxx

Your Activation Code has been registered properly – thank you.
Now fetching the newest plugin set from plugins.nessus.org…
Your Nessus installation is now up-to-date.
If auto_update is set to ‘yes’ in nessusd.conf, Nessus will
update the plugins by itself.

8. root@bt:/opt/nessus/bin# cd /opt/nessus/sbin/

9. root@bt:/opt/nessus/sbin# nessus-adduser

10. root@bt:/opt/nessus/sbin# cd /etc/init.d/

11. root@bt:/etc/init.d# nessusd start

nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.

Processing the Nessus plugins…
[##################################################]

All plugins loaded

12. Browse to https://localhost:8834/ and log in with the user created in step 9.
——————————————————–

Update Nessus manually

1. update nessus
root@bt:~# cd /opt/nessus/sbin/
root@bt:/opt/nessus/sbin# nessus-update-plugins

Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute

2. Manually start processing if nothing happens after update.

root@bt:/opt/nessus/sbin# /opt/nessus/sbin/nessusd -R

nessusd (Nessus) 5.0.1 [build R23111] for Linux
(C) 1998 – 2012 Tenable Network Security, Inc.

Processing the Nessus plugins…
[#####                                             ]

————————————————————-

ENABLING WINDOWS SERVER 2008 LOGINS FOR NESSUS LOCAL AND REMOTE AUDITS

1. Under Windows Firewall -> Windows Firewall Settings, "File and Printer Sharing" must be enabled (the scanner needs SMB, TCP 445, to reach the host).

2. Create a new account with administrator rights. The username can be anything you wish.

3. Start the Remote Registry service under Services (Nessus reads the registry over SMB for its local checks).

4. Disable UAC (untick the option in the User Account Control settings). This requires a reboot. If you would rather not turn UAC off on a production host, the standard alternative is to set the LocalAccountTokenFilterPolicy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to DWORD 1, which lets a local administrator account keep its full token over the network; domain administrator accounts are not subject to UAC remote token filtering in the first place.

If, while scanning with Nessus, you see the plugin output below listed under Info, check that the Remote Registry service is started, UAC is turned off (or the policy above is set) and the account used for the credentialed scan has administrator privileges:

Nessus Windows Scan Not Performed with Admin Privileges

information gathering – netdiscover


Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks.

root@bt:~# netdiscover -i eth0 -r 192.168.1.0/24

Currently scanning: Finished!   |   Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 120
_____________________________________________________________________________
IP            At MAC Address      Count  Len   MAC Vendor
—————————————————————————–
192.168.1.129  15:44:a1:c5:a0:80    01    050   Unknown vendor
192.168.1.130  15:44:a1:c5:a0:81    01    050   Unknown vendor
192.168.1.131  15:44:a1:c5:a0:ab    01    050   Unknown vendor

Netdiscover 0.3-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>

Usage: netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-C]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained in the given file
-p passive mode: do not send anything, only sniff
-F filter: customize pcap filter expression (default: "arp")
-s time: time to sleep between each ARP request (milliseconds)
-n node: last IP octet used for scanning (from 2 to 253)
-c count: number of times to send each ARP request (for nets with packet loss)
-f enable fast mode scan, saves a lot of time, recommended for auto
-d ignore home config files for autoscan and fast mode
-S enable sleep time suppression between each request (hardcore mode)
-P print results in a format suitable for parsing by another program
-L in parsable output mode (-P), continue listening after the active scan is completed

If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses

 

information gathering – nbtscan


NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

root@bt:~# nbtscan 192.168.1.1-254
Doing NBT name scan for addresses from 192.168.1.1-254

IP address       NetBIOS Name     Server    User             MAC address
——————————————————————————
192.168.1.1    test-1         <server>  <unknown>        00-01-8a-ab-91-d4
192.168.1.2    test-2         <server>  <unknown>        00-01-8a-ab-92-d5

To list the services a host registers (its NetBIOS name table), use -h (human-readable service names) together with -v (verbose):

root@bt:~# nbtscan -hv 192.168.1.1
Doing NBT name scan for addresses from 192.168.1.1

NetBIOS Name Table for Host 192.168.1.1:

Incomplete packet, 155 bytes long.
Name             Service          Type
----------------------------------------
test-1           Workstation Service
testdomain       Domain Name
test-1           File Server Service

Adapter address: 00-01-8a-ab-91-d4
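fping and nbtscan fit together: fping finds which addresses answer, and nbtscan then asks only those for their NetBIOS name table instead of waiting on every dead address in the range. The script below is an added example, not from either tool's project or from this page. alive_from_fping turns fping's reply-ordered output (the shape of the fping transcript earlier on this page) into a sorted address list and runs offline on a constructed sample; sweep_and_name runs the real pipeline and needs both tools installed, plus root for raw ICMP. The 192.168.1.x addresses are the page's own; the only other assumption is nbtscan's -f - option, which reads the target list from stdin.

```shell
#!/usr/bin/env bash
# Added example: ICMP sweep with fping feeding nbtscan. Not from the page or from
# the fping/nbtscan projects.

# alive_from_fping: read plain fping output ("<ip> is alive" / "<ip> is unreachable")
# on stdin and print only the alive addresses, sorted numerically octet by octet.
# fping prints results as replies arrive, so the raw order is not address order.
alive_from_fping() {
    awk '$2 == "is" && $3 == "alive" { print $1 }' \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# sweep_and_name START END: ping every address from START to END, then query the
# NetBIOS name table of each host that answered. -a -q makes fping emit bare alive
# addresses only; nbtscan -f - takes its target list from stdin. Needs root.
sweep_and_name() {
    local start=$1 end=$2
    fping -a -q -g "$start" "$end" 2>/dev/null \
        | sort -t . -k4,4n \
        | nbtscan -f -
}

# Constructed sample in the shape of the fping transcript above (not a real capture).
SAMPLE_FPING='192.168.1.1 is alive
192.168.1.2 is alive
192.168.1.3 is alive
192.168.1.4 is alive
192.168.1.5 is alive
192.168.1.16 is alive
192.168.1.6 is unreachable
192.168.1.7 is unreachable
192.168.1.15 is unreachable'

printf '%s\n' "$SAMPLE_FPING" | alive_from_fping   # .1 .2 .3 .4 .5 .16, in that order
# Live use: sweep_and_name 192.168.1.1 192.168.1.16
```

Hosts that block ICMP echo never reach nbtscan this way; if the Windows estate filters ping, run nbtscan over the whole range instead (the NetBIOS status query is UDP 137 and does not depend on ICMP).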

information gathering – theharvester


theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources such as search engines and PGP key servers.
This tool is intended to help penetration testers in the early stages of a project. It is a really simple tool, but very effective.

/pentest/enumeration/theharvester

root@bt:/# cd /pentest/enumeration/theharvester
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d test-site.com -l 100 -b all

Note: drop the www. from the URL you are interested in; for example http://www.test-site.com becomes test-site.com.

Usage: theharvester options

-d: Domain to search or company name
-b: Data source (google,bing,bingapi,pgp,linkedin,google-profiles,exalead,all)
-s: Start in result number X (default 0)
-v: Verify host name via DNS resolution and search for virtual hosts
-f: Save the results into an HTML and XML file
-n: Perform a DNS reverse query on all ranges discovered
-c: Perform a DNS brute force for the domain name
-t: Perform a DNS TLD expansion discovery
-e: Use this DNS server
-l: Limit the number of results to work with (bing goes from 50 to 50 results, google 100 to 100, and pgp doesn't use this option)
-h: Use SHODAN database to query discovered hosts

Examples:
./theHarvester.py -d site-you-want-info-on.com -l 500 -b google
./theHarvester.py -d site-you-want-info-on.com -b pgp
./theHarvester.py -d site-you-want-info-on.com -l 200 -b linkedin

 

 

 
