In Information gathering,white hat hackers use different data collection tools to gather information about attack.There are lot's of ways and methods for gathering information.white hat hackers try different data gathering method to gather information about attack.
If you want to gather information about a target’s DNS, you should probably use a tool like dnsdict6 to help you to enumerate many of the details which are not easily apparent for your average user or websurfer.
With dnsdict6 you find information such as:
· Subdomain info
· Enumerate all ipv4 and ipv6 addresses.
· You can also enumerate details of srv records.
· Also you can enumerate details of Name Server and Mail Exchanger records.
So, now we will jump into dnsdict6 on Kali Linux, your best option for a penetration testing distribution.
HOW TO OPEN DNSDICT6 ON KALI LINUX
To open dnsdict6 goto > Kali Linux > Information Gathering > DNS Analysis > dnsdict6
Once you opened dnsdict6, you will find various options on your screen.
A good Pen Tester will always read and understand all options at his disposal.
So lets see what kind of options we have, and some examples:
-4 : dump ipv4 addresses : Try this example on your terminal > Example > dnsdict6 -4 [url]
-t [#] : specify the number of threads. Remember default is set to 8 and max threads you can use is 32. Ex : dnsdict6 -d -t 18 [url]
-d : it displays ipv6 info on NS, MX DNS domain information. Example : dnsdict6 -d [url]
-S : perform SRV service records. Example : dnsdict6 -S -t 21 [url]
-[smlx] : This options is for choose size of the inbuilt dictionary -s : small, -m medium, -l : large, -x: xtreme
ENUMERATION WITH DEFAULT SETTINGS
This example shows the DNS entries of a given url.
dnsdict6 facebook.comWhen you run this command with options it automatically takes the default no of threads i.e 8 and dictionary size -m(eduim=796).
And in this command, it takes 1 – 2 minutes to complete this process.
EXAMPLE: ENUMERATING DNS RECORDS
In this example, you will find the nameserver (NS) and Mail exchange (MX) records.
To see the NS & MX records, you have to use “-d ” option. As we have used in our example.
After running the command, it shows the dns records of google.com with ipv4 addresses.
Why Ipv4 addresses? Because we used the -4 option with the command which dump all the ipv4 addresses.
Remember: If we dont specified any threads and dictionary size, it takes it default threads(8) and dictionary size (medium).
ENUMERATE IPV4 IPV6, NAME SERVER, MAIL SERVER WITH OPTIONS
This example is same as above in case of enumerating NS and MX records but the mail difference is we are going to set the number of threads and dictionary size manually.
Command is :
dnsdict6 -d46 -t 32 -z google.comThis command will display the NS and MX records with their ipv4 and ipv6 addresses and the number of threads we use is 32 and dictionary file size we used is xtreme.
So try this example and you will be able to gather as much information as you can
dnsenum script is based on perl programming language.It is used to obtain dns information of domain name.It also used to discover non-contiguous ip blocks.
It is open source tool and available on github https://github.com/fwaeytens/dnsenum
Don’t do a reverse lookup (–noreverse) and save the output to a file (-o mydomain.xml) for the domain example.com:
dnsenum --noreverse -o mydomain.xml example.com
dnsmapdnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …
Scan example.com using a wordlist (-w /usr/share/wordlists/dnsmap.txt):
dnsmap example.com -w /usr/share/wordlists/dnsmap.txt
Create a file containing domain names to scan (domains.txt) and pass it to dnsmap-bulk.sh:
root@kali:~# echo "example.com" >> domains.txtroot@kali:~# echo "example.org" >> domains.txtroot@kali:~# dnsmap-bulk.sh domains.txt
dnsreconDNSRecon provides the ability to perform Check a DNS Server Cached records for A, AAAA and CNAME Records and many more list of host records in a text file to check
Scan a domain (-d example.com), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt), do a standard scan (-t std), and save the output to a file (–xml dnsrecon.xml)
root@kali:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
dnstracerdnstracer determines where a given Domain Name Server ( DNS) gets its information from, and follows the chain of DNS servers back to the servers knows the data. The tool works by sending the specified name-server a non-recursive request for the name. If the name server does returns an authoritative answer for the name, the next server is queried.
Scan a domain (example.com), retry up to 3 times (-r 3), and display verbose output (-v):
root@kali:~# dnstracer -r 3 -v example.com
dnswalkdnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.
root@kali:~# dnswalk example.com
fierceFierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.
It is meant specifically to locate likely targets both inside and outside a corporate network.
Run a default scan against the target domain (-dns example.com):
root@kali:~# fierce -dns example.com
MaltegoMaltego, is an open source intelligence and forensics application. This is a GUI tool so looks different. Maltego is an information gathering tool that allows you to visually see relationships.
Maltego allows you to enumerate network and domain information like:
· Domain Names
· Whois Information
· DNS Names
· IP Addresses etc
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime
Scan in verbose mode (-v), enable OS detection, version detection, script scanning, and traceroute (-A), with version detection (-sV) against the target IP (192.168.1.1):
root@kali:~# nmap -v -A -sV 192.168.1.1
urlcrazyGenerate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
Search for URLs using the dvorak layout (-k dvorak) and do no resolve hostnames (-r) for the given domain (example.com):
urlcrazy -k dvorak -r example.com
zenmapZenmap is the gui version of nmap tool.
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998.
It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour.
This tool was written in good faith to aid in the testing of network intrusion detection systems, firewalls, and basic TCP/IP stack behaviour
root@kali:~# fragroute 192.168.1.123
FragrouterFragrouter is a network intrusion detection evasion toolkit. It implements most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998.
This program was written in the hopes that a more precise testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.
Conceptually, fragrouter is just a one-way fragmenting router – IP packets get sent from the attacker to the fragrouter, which transforms them into a fragmented data stream to forward to the victim.
Using interface eth0 (-i eth0), send ordered 8-byte IP fragments (-F1):
root@kali:~# fragrouter -i eth0 -F1
LBDlbd (load balancing detector) detects if a given domain uses DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers).
Test to see if the target domain (example.com) is using a load balancer:
root@kali:~# lbd example.com
CDPSnarf is a network sniffer exclusively written to extract information from CDP packets.
Sniff on interface eth0 (-i) and write the capture to a file named cdpsnarf.pcap (-w):
root@kali:~# cdpsnarf -i eth0 -w cdpsnarf.pcap
DMitryDMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.
Run a domain whois lookup (w), an IP whois lookup (i), retrieve Netcraft info (n), search for subdomains (s), search for email addresses (e), do a TCP port scan (p), and save the output to example.txt (o) for the domain example.com:
root@kali:~# dmitry -winsepo example.txt example.com
hPing3hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
Use traceroute mode (–traceroute), be verbose (-V) in ICMP mode (-1) against the target (www.example.com):
root@kali:~# hping3 --traceroute -V -1 www.example.com
MirandaMiranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities.
Start on interface eth0 (-i eth0) in verbose mode (-v), then start discovery mode (msearch):
root@kali:~# miranda -i eth0 -v
THC-iPV6A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library.
Convert an IPv6 address to a MAC address and vice-versa:
root@kali:~# address6 fe80::76d4:35ff:fe4e:39c874:d4:35:4e:39:c8
root@kali:~# address6 74:d4:35:4e:39:c8fe80::76d4:35ff:fe4e:39c8
WOL-E is a suite of tools for the Wake on LAN feature of network attached computers, this is now enabled by default on many Apple computers. These tools include:
Bruteforcing the MAC address to wake up clients
Sniffing WOL attempts on the network and saving them to disk
Sniffing WOL passwords on the network and saving them to disk
Waking up single clients (post sniffing attack)
Scanning for Apple devices on the network for WOL enabling
Sending bulk WOL requests to all detected Apple clients
Detect Apple devices on the network (-f):
root@kali:~# wol-e -f
dnmap Server/ClientThis can be little be complicated but read carefully. I am sure you will get what and how I am trying to explain here.
What is dnmap- dnmap is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and send those commands to each client connected to it.
The framework use a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client.
Usually you would want this if you have to scan a large group of hosts and you have several different internet connections.
For performingthis tutorial we need at least a Attacker machine ( Kali Linux – 192.168.71.129) and Target machine (192.168.71.128).
Features of dnmap server
- If the server gets down, clients continue trying to connect until the server gets back online.
- If the server gets down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
- You can add new commands to the original file without having to stop the server. The server will read them automatically.
- If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
- It will store every detail of the operations in a log file.
- It shows real time statistics about the operation of each client, including:
- Number of commands executed
- Last time seen
- Version of the client
- If the client is being run as root or not.
- It calculates the amount of commands executed per minute
- The historic average of the amount of commands executed per minute
- The status of the client (Online, Offline, Executing or Storing)
- You can choose which port to use. Defaults to 46001
- Only the Online clients are shown in the running stats.
Features of dnmap client
- If the server gets down, it keeps connecting to it until it gets up again.
- Strip strange characters from the command sent by the server. Tries to avoid command injection vulns.
- It only executes the nmap command. It deletes the command send by the server and changes it by the known and trusted nmap binary on the system.
- You can select an alias for your user.
- You can change which port the client connects to.
- If the command sent by the server does not have a -oA option, the client add it anyway to the command, so it will always have a local copy of the output.
- If the server sends a min-rate parameter, it is striped out.
- You can control the nmap scanning rate regarthless of servers sent parameters.
- Tell the server if you are root or not, so it can change the nmap commands accordingly.
First of all start dnmap server
1. How to open dnmap server
A. GUI Method
Application →Kali Linux → Information gathering → Live Host Identification → dnmap-server
B. Open Terminal type dnmap_server and hit enter
2. As you can see, the server requires a file containing our Nmap commands to run.
3. Using Gvim create a file named commands.txt –
a. how to open Gvim GUI method
Application →Accessories → GVim
b. now write some simple nmap command and save it as named commands.txt
To show the ability to schedule multiple jobs, we add multiple Nmap commands to our file. Since weonly have one target host, we are simply going to split up the port ranges between jobs. If we had more than one client in our cluster, these jobs would be distributed among the hosts, and it would be difficult for the target host administrator to tell that one attacker was behind the port scan.
4. Now run dnmap_server command with nmap command file
Ex – /usr/bin/ dnmap_server -f commands.txt
After running this command our server started up and waiting for clients.
5. Now time to start dnmap_client
A. How to open dnmap_client
a. GUI Method
Application →Kali Linux → Information gathering → Live Host Identification → dnmap-client
b. open terminal type dnmap_client and hit enter
6. Here simple we need to provide server address for our client to connect to the server, and start running commands.
7. we have done now just back on the server
Scanning Target Hosts with unicorn scan
Scanning a hosts most of the time multiple hosts for open ports and services discovery is one of first thing most of the penetration testers do , so in this post I am going to show you how to use unicorn scan and how to perform scan against single and multiple targets .
PLEASE NOTE : For demonstration purpose , I’ll be using kali Linux as my primary os and ubuntu and windows virtual machines as target hosts with running several service .
Asynchronous stateless TCP scanning with all variations of TCP Flags.
Asynchronous stateless TCP banner grabbing
Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
Active and Passive remote OS, application, and component identification by analyzing responses.
PCAP file logging and filtering
Relational database output
Custom module support
Customized data-set views
Lets see how to perform simple scan , Basic TCP SYN scan
root@kali:~# unicornscan 172.16.215.132Unicorn Scan
root@kali:~# unicornscan -mU -r200 -I 192.168.100.1:53Where
-mU : is mode UDP
-I : Display Immediately
192.168.100.1 : target IP
:53 : port number
-r200 : 200 Packets per second
root@kali:~# unicornscan -r500 -mT 192.168.100.1/24:80,443,445,339Where
-mT : is mode TCP
192.168.100.1/24 : target network range ( block )
:80,443,445 : ports
-r500 : 500 Packets per second
Many Other options you can pass , for example for ACK use -mTsA
SYN : -mT
ACK scan : -mTsA
Fin scan : -mTsF
Null scan : -mTs
Xmas scan : -mTsFPU
Connect Scan : -msf -Iv
scan with all options : -mTFSRPAUEC
Syn + osdetect : -eosdetect -Iv (-mT)
scan ports 1 through 5 : (-mT) host:1-5
Practical Use Case
scanning for mysql with http and https ports
root@kali:~# unicornscan -r200 -Iv -eosdetect -mT 172.16.215.1:3306,80,443
NetdiscoverNetdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks.This tool will allow us to quickly gather IP address on a given network and as stated above work great in wireless networks that have no DHCP server.
1. How to open netdiscover
A. GUI Method
Application →Kali Linux → Information gathering → Network Scanner→ netdiscover
B. Open terminal type netdiscover –h this command will open netdiscover with help option
2. This command is used to auto scan. As result it detect online hosts, IP address, MAC address and other details. If you want to stop this scan you need to press Ctrl + C.
Syntax – netdiscover
3. This command is used to scan given range of IP. As result it detect online hosts, IP address, MAC address and other details.
Syntax – netdiscover –I interface –r IP range
netdiscover –I eth0 –r 192.168.71.0/24
CaseFileCaseFile is the little brother to Maltego. It targets a unique market of ‘offline’ analysts whose primary sources of information are not gained from the open-source intelligence side or can be programmatically queried. We see these people as investigators and analysts who are working ‘on the ground’, getting intelligence from other people in the team and building up an information map of their investigation.
CaseFile gives you the ability to quickly add, link and analyze data having the same graphing flexibility and performance as Maltego without the use of transforms. CaseFile is roughly a third of the price of Maltego.
What does CaseFile do?
CaseFile is a visual intelligence application that can be used to determine the relationships and real world links between hundreds of different types of information.
It gives you the ability to quickly view second, third and n-th order relationships and find links otherwise undiscoverable with other types of intelligence tools.
CaseFile comes bundled with many different types of entities that are commonly used in investigations allowing you to act quickly and efficiently. CaseFile also has the ability to add custom entity types allowing you to extend the product to your own data sets.
What can CaseFile do for me?
CaseFile can be used for the information gathering, analytics and intelligence phases of almost all types of investigates, from IT Security, Law enforcement and any data driven work. It will save you time and will allow you to work more accurately and smarter.
CaseFile has the ability to visualise datasets stored in CSV, XLS and XLSX spreadsheet formats.
We are not marketing people. Sorry.
CaseFile aids you in your thinking process by visually demonstrating interconnected links between searched items.
If access to “hidden” information determines your success, CaseFile can help you discover it.
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.
Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.
The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
This is a complete rewrite of the tool with new features like:
Time delays between request
All sources search
Virtual host verifier
Active enumeration (DNS enumeration, Reverse lookups, TLD expansion)
Integration with SHODAN computer database, to get the open ports and banners
Save to XML and HTML
Basic graph with stats
Search from email addresses from a domain (-d kali.org), limiting the results to 500 (-l 500), using Google (-b google):
root@kali:~# theharvester -d kali.org -l 500 -b google
twofiWhen attempting to crack passwords custom word lists are very useful additions to standard dictionaries. An interesting idea originally released on the “7 Habits of Highly Effective Hackers” blog was to use Twitter to help generate those lists based on searches for keywords related to the list that is being cracked. This idea has been expanded into twofi which will take multiple search terms and return a word list sorted by most common first.
Otraceotrace is an object-oriented debugger for nonlinear tracing of asynchronous or multithreaded interactive python programs. It addresses some of the limitations of sequential debugging techniques which do not work well with server programs, where multiple requests are handled in parallel. For example, instrumenting web servers with print/logging statements can often result in voluminous log output with interleaved streams of messages.
otrace takes a different approach to debugging that relies less on sequential operations. Its features including taking "snapshots" of variables for tracing, "tagging" objects for tracking across different method invocations, and modifying live code ("monkey patching") to insert print statements etc.
otrace maps all the objects in the running program, as well as the "snapshot" objects, to a virtual filesystem mounted under /osh. It provides a shell-like interface, oshell, with commands like cd, ls etc. that can be used to browse classes, methods, and instance variables in the virtual filesystem. Tab completion and simple wildcarding are supported.
otrace may be used as:
a tracing tool for debugging web servers and interactive programs
a console or dashboard for monitoring production servers
a teaching tool for exploring the innards of a program
a code patching tool for unit testing
otrace is best suited for use with "long-running" programs like GUI applications or servers that interact with users. Typically, these programs have an event loop that runs until the program is shutdown. otrace runs in its own thread, and enables debugging of the running program.
otrace takes control of the terminal, and would not work very well with programs that read user input directly from the terminal (or standard input). However, otrace has a browser-based graphical front-end, GraphTerm, that can be used with programs that do read from the terminal.
otrace does not consume any resources until some tracing action is initiated. So it can be included in production code without any performance penalty. It also works well with detached server processes (daemons) via the GNU screen terminal emulator, or using the GraphTerm front-tend.
IPv6 pentesting 7. - trace6
trace6 is a traceroute utility for IPv6. It can do TCP and ICMPv6 based trace, and we can also set the source address.
trace6 interface destination-ip [port]
If we set the port number it will do a TCP trace, otherwise an ICMPv6.
trace6 eth0 3003::1 80Performs some IPv6 implementation checks, can be used to test some firewall features too. Takes approx. 2 minutes to complete.
implementation6dIdentifies test packets by the implementation6 tool, useful to check what packets passed a firewall
Ncat or netcat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project and is the culmination of the currently splintered family of Netcat incarnations. It is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses. Ncat is also known as : THE SWISS ARMY KNIFE. we can write ncat or nc while running the command options. So dont be confuse if i will use different name of ncat. simply we can understand What netcat does it opens the connection between two machines and give back two streams.
IN this tutorial we need two machine here I am using kali linux as server and backtrack as client machine.
1. How to open ncat
A. GUI Method
Application →Kali Linux → Information gathering → Live Host Identification → ncat
B. Open terminal type ncat –h this command will open ncat with help options
2. Listening on any TCP/UDP port - We will learn to act as any server with ncat. Let me clear you some command option which we are going to use here
-l option will help it work in listen mode.
-p option will mention which port to listen.
-v option will make it interactive.
On kali linux (server)
Syntax – ncat –lvvp port
Ex – ncat –lvvp 25
On Backtrack (client )
Syntax – telnet serverIP port
Ex- telnet 192.168.71.129 25
Run this command on Kali linux (server). It will show you that you are established
Syntax – netstat –antp |grep port (run this syntax in a new terminal)
Ex - netstat –antp |grep 25
These are proof we have successfully done our job
3. Transfer file by using ncat - we will learn transferring file with ncat between server or client.
ncat –lvvp 3333 > receive.txt will make your pc to listen on tcp port 3333 and write everything from the client to the receive.txt file.
nc serverIp address 3333 < send.txt command on the client will establish session to server and starts uploading the send.txt to server. Lets learn this theory with some practical example but before this I want to explain commands once again in syntax mode.
Kali Linux (server)
Syntax - ncat –lvvp port > filename.txt
Ex – ncat –lvvp 3333 > receive.txt
Syntax – echo “write whatever you want to send” > filename2.txt
ncat serverIP port < filename2.txt
Ex – echo “hello I am a client PC and My name is backtrack” > send.txt
Ncat 192.168.71.129 3333 < send.txt
we have successful on our task.
4. Ncat as a simple UDP Port scanner.
nc -vzu 192.168.71.128 1-2555. Create a instant chat session by ncat – we are going to create a chat session between sever or client.
Kali linux (server)
Syntax – nc –l –p port
Ex – nc –l –p 3333
Here –l option will help it works in listener mode
-poption for port number
Syntax – nc serverIP port
Ex – nc 192.168.71.129 3333
If everything is fine we will get msg on both PC server or client which they are sending to each other.
SSLScan is a fast SSL port scanner. SSLScan connects to SSL ports and determines what ciphers are supported, which are the servers preferred ciphers, which SSL protocols are supported and returns the SSL certificate. Client certificates / private key can be configured and output is to text / XML.
A. Scan by IP
B. Scan by Domain
SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.
Key features include:
Multi-processed and multi-threaded scanning (it’s fast)
SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
Performance testing: session resumption and TLS tickets support
Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more
Server certificate validation and revocation checking through OCSP stapling
Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP
Support for client certificates when scanning servers that perform mutual authentication
XML output to further process the scan results
Launch a regular scan type (–regular) against the target host (www.example.com):
sslyze --regular www.example.com
tlssledTLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
Check SSL/TLS on the host (192.168.1.1) and port (443):
root@kali:~# tlssled 192.168.1.1 443
Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been chosen, and tries a combination of usernames and passwords in the hope to identify the password to a given account via a dictionary password guessing attack.
nbtscannbtscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).
1. How to open
A. GUI Method
Application → Kali linux→ Information Gathering → SMB Analysis → nbtscan
B. open Terminal type nbtscan and hit enter
2. This command is used to scan alive host information on same network.
Syntax – nbtscan –r IP range
nbtscan –r 192.168.71.0/243. This command is used to see the output in script friendly.
Syntax – nbtscan –v –s : IP range
nbtscan –v –s : 192.168.71.0/24Here –v for verbose mode. And –s for script friendly output
4. This command is used to print human readable name for service.
Syntax – nbtscan –v –h IP range
nbtscan –v –h 192.168.71.0/24Here –h for print human readable name for service and –hcan only be used with –v.
5. This is our target PC which we got from nbtscan. Here I am showing you Host name, Mac address and IP address same we got in our kali linux after nbtscan. So this is as proof we have done this scan successfully.
Smtp-user-enumsmtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands. It could be adapted to work against other vulnerable SMTP daemons, but this hasn’t been done as of v1.0.
Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25
swaksSwiss Army Knife SMTP, the all-purpose smtp transaction tester
swaks’ primary design goal is to be a flexible, scriptable, transaction-oriented SMTP test tool. It handles SMTP features and extensions such as TLS, authentication, and pipelining; multiple version of the SMTP protocol including SMTP, ESMTP, and LMTP; and multiple transport methods including unix-domain sockets, internet- domain sockets, and pipes to spawned processes. Options can be specified in environment variables, configuration files, and the command line allowing maximum configurability and ease of use for operators and scripters.
braaBraa is a mass snmp scanner. The intended usage of such a tool is of course making SNMP queries – but unlike snmpget or snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.
Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp. The implementation is very dirty, supports only several data types, and in any case cannot be stated ‘standard-conforming’! It was designed to be fast, and it is fast. For this reason (well, and also because of my laziness ;), there is no ASN.1 parser in braa – you HAVE to know the numerical values of OID’s (for instance .18.104.22.168.22.214.171.124.0 instead of system.sysName.0).
Cisco auditing tools
Perl script which scans cisco routers for common vulnerabilities.
Scan the host (-h 192.168.99.230) on port 23 (-p 23), using a password dictionary file (-a /usr/share/wordlists/nmap.lst):
root@kali:~# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lstcisco-torch
Cisco Torch mass scanning, fingerprinting, and exploitation tool was written while working on the next edition of the “Hacking Exposed Cisco Networks”, since the tools available on the market could not meet our needs.
The main feature that makes Cisco-torch different from similar tools is the extensive use of forking to launch multiple scanning processes on the background for maximum scanning efficiency. Also, it uses several methods of application layer fingerprinting simultaneously, if needed. We wanted something fast to discover remote Cisco hosts running Telnet, SSH, Web, NTP and SNMP services and launch dictionary attacks against the services discovered.
Run all available scan types (-A) against the target IP address (192.168.99.202):
root@kali:~# cisco-torch -A 192.168.99.202
Copy router configCopies configuration files from Cisco devices running SNMP.
Copy the config from the router (192.168.1.1) to the TFTP server (192.168.1.15), authenticating with the community string (private):
root@kali:~# copy-router-config.pl 192.168.1.1 192.168.1.15 private
Merge router configMerge the config with the router (192.168.1.1), copying from the TFTP server (192.168.1.15), using the community string (private):
root@kali:~# merge-router-config.pl 192.168.1.1 192.168.1.15 private
Onesixtyone is an SNMP analysis tool that is named for the UDP port upon which SNMP operates. It is a very simple SNMP scanner that only requests the system description value for any specified IP address(es).
simple SNMP scanner which sends requests for the sys‐Descr value asynchronously with user-adjustable sending times.
Like to snmpwalk, snmpcheck allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. It could be useful for penetration testing or systems monitoring. Distributed under GPL license and based on “Athena-2k” script by jshaw.
Scan the target host (-t 192.168.1.2) using the public SNMP community string (-c public):
root@kali:~# snmpcheck -t 192.168.1.2 -c public
SSLCAuditThe goal of sslcaudit project is to develop a utility to automate testing SSL/TLS clients for resistance against MITM attacks. It might be useful for testing a thick client, a mobile application, an appliance, pretty much anything communicating over SSL/TLS over TCP.
ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic.When it identifies SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
1. How to open
A. GUI Method
Application →Kali Linux → Information gathering → SSL Analysis → ssldump
B. open terminal type ssldump –h this command will open ssldump with help option
2. This command will show the traffic.
Syntax – ssldump –i interface port portno
ssldump –i eth0 port 803. This command display the application data traffic. This usually means decrypting it, but when -d is used ssldump will also decode application data traffic before the SSL session initiates. This allows you to see HTTPS CONNECT behavior as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP connection, this allows you to use ssldump to sniff any TCP connection.
ssldump will automatically detect ASCII data and display it directly to the screen.non-ASCII data is displayed as hex dumps.
4. Print absolute timestamps instead of relative timestamps.
5. The full SSL packet header. ssldump may print record-specific data on the rest of the line. For Handshake records, it prints the handshake message. Thus, this record is a Certificate message. ssldump chooses certain record types for further decoding. These are the ones that have proven to be most useful for debugging:
ClientHello - version, offered cipher suites, session id
ServerHello - version, session_id, chosen cipher suite, compression method
sslh accepts connections in HTTP, HTTPS, SSH, OpenVPN, tinc, XMPP, or any other protocol that can be tested using a regular expression, on the same port. This makes it possible to connect to any of these servers on port 443 while still serving HTTPS on that port.
What it does for you?
Basically you can access your remote server/system via HTTP, HTTPS, SSH, OpenVPN and some other protocols. But the only problem is some internet service providers or your company firewalls don’t allow you to connect to remote servers/systems via these ports except some specific ports such as HTTP (80), HTTPS (443). So what if you want to access the servers via SSH when all the other ports are blocked?
The only solution is that you can use the same port HTTPS (443), for SSH protocol. This is where a tiny tool called sshlh will help you to acheive this goal. It simply allows you to connect to the servers via SSH on port 443, while the web server is using the same port.
$ sudo apt-get install sslh
SSL SniffThis tool was originally written to demonstrate and exploit IE’s vulnerability to a specific “basicConstraints” man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.
It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.
The three steps to get this running are:
Download and run sslsniff-0.7.tar.gz
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way. SSLsplit removes HPKP response headers in order to prevent public key pinning.
Run in debug mode (-D), log the connections (-l connections.log), set the chroot jail (-j /tmp/sslsplit/), save files to disk (-S /tmp/), specify the key (-k ca.key), specify the cert (-c ca.crt), specify ssl (ssl), and configure the proxy (0.0.0.0 8443 tcp 0.0.0.0 8080):
root@kali:~# sslsplit -D -l connections.log -j /tmp/sslsplit/ -S /tmp/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
sslstrip is a tool that transparently hijacks HTTP traffic on a network, watch for HTTPS links and redirects, and then map those links into look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
Write the results to a file (-w sslstrip.log), listening on port 8080 (-l 8080):
root@kali:~# sslstrip -w sslstrip.log -l 8080
SSLyzeSSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.
Launch a regular scan type (–regular) against the target host (www.example.com):
root@kali:~# sslyze --regular www.example.com
StunnelThe stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels.
TLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.
Check SSL/TLS on the host (192.168.1.1) and port (443):
root@kali:~# tlssled 192.168.1.1 443
AceACE (Automated Corporate Enumerator) is a simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order to download the name and extension entries that a given phone can display on its screen interface. In the same way that the “corporate directory” feature of VoIP hardphones enables users to easily dial by name via their VoIP handsets, ACE was developed as a research idea born from “VoIP Hopper” to automate VoIP attacks that can be targeted against names in an enterprise Directory. The concept is that in the future, attacks will be carried out against users based on their name, rather than targeting VoIP traffic against random RTP audio streams or IP addresses. ACE works by using DHCP, TFTP, and HTTP in order to download the VoIP corporate directory. It then outputs the directory to a text file, which can be used as input to other VoIP assessment tools.
FTester is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.
irpas-assAutonomous System Scanner
This program is for sending CDP (Cisco router Discovery Protocol) messages to the wire.
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Some of p0f’s capabilities include:
Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.
Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.
The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.
Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics.
Use interface eth0 (-i eth0) in promiscuous mode (-p), saving the results to a file (-o /tmp/p0f.log):
root@kali:~# p0f -i eth0 -p -o /tmp/p0f.logTcpflow
Tcpflow is a TCP/IP Demultiplexer. Tcpflow is used to record traffic mainly between 2 hosts although it can be used to monitor thousands of connections. Tcpflow differs from other tools by actually capturing the real data and dumping it to a file we specify. It can be then further used for other analysis purposes. One more advantage of tcpflow is it effectively reconstructs broken packets. Also tcpflow has a veriety of filter options. We can filter out the capture in a lot of different ways and that too very easily.
Normally most of the sniffing attacks include arp-poisioning as the first stage. However tcpflow captures almost all data without actively poisoning the subnet or network.
This lab demonstrates basic console-logging of data to and from the target. Here our target IP is 192.168.0.100. Also domain/hostnames are acceptable.
command tcpflow -ce host 192.168.0.100<your target here>
Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.
root@kali:~# tshark -f "tcp port 80" -i eth0
VPN AnalysisiKE Scan
In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It's possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.
This attack only works in IKE aggressive mode because in IKE Main Mode the hash is already encrypted. Based on such facts IKE aggressive mode is not very secure.
There hasnt been much in the way of updates on breaking into VPN servers that have aggressive mode enabled.
ike-scan is probably still your best bet.