Kali Linux Tutorials: InformationGathering - Live Host Identification
- alive6
- arping
- cdpsnarf
- detect-new-ip-6
- detect-sniffer6
- dmitry
- dnmap-client
- dnmap-server
- fping
- hping3
- inverse_lookup6
- miranda
- ncat
- netdiscover
- nmap
- passive_discovery6
- thcping6
- wol-e
- xprobe2
alive6
DESCRIPTION -thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help
and show the command-line options.
alive6 shows alive addresses in the segment. If you specify a remote router, the packets are sent with a routing
header prefixed by fragmentation.
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make
rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.
therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore
very easy to detect). If you don't want this, change the code.
USAGE alive6 [-dlmrS] [-W TIME] [-i FILE] [-o FILE] [-s NUMBER] interface [unicast-or-multicast-address [remoterouter]]
EXAMPLE alive6 eth1
arping
DESCRIPTION - arping pings a destination by sending ARP REQUEST packets to a neighbour host, using a given
source address.
USAGE arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
EXAMPLE arping -f -c 1 -I wlan0 192.168.100.1 (Host 192.168.100.1 is alive -> Received 1 response(s))
EXAMPLE arping -f -c 1 -I eth0 192.168.100.2 (Host 192.168.100.2 isn't alive -> Received 0 response(s))
cdpsnarf
DESCRIPTION - CDPSnarf is a network sniffer exclusively written to extract information from CDP packets. It
provides all the information a “show cdp neighbors detail” command would return on a Cisco router and even more.
Features: Time intervals between CDP advertisements, Source MAC address, CDP Version, TTL, Checksum, Device ID,
Software version, Platform, Addresses, Port ID, Capabilities, Duplex, Save packets in PCAP dump file format, Read packets
from PCAP dump files, Debugging information (using the "-d" flag), Tested with IPv4 and IPv6
USAGE cdpsnarf -i <device>
OPTIONS cdpsnarf -h
EXAMPLE ./cdpsnarf eth2
detect-new-ip-6
DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help
and show the command-line options.
This tool detects new IPv6 addresses joining the local network. If the script is supplied, it is executed with the
detected IPv6 address as an option.
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make
rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.
therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore
very easy to detect). If you don't want this, change the code.
USAGE detect-new-ip6 <interface> [script]
EXAMPLE detect-new-ip6 eth0
detect-sniffer6
DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help
and show the command-line options.
detect-sniffer6 - tests if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X, and *BSD. If
no target is given, the link-local-all-nodes address is used, which however rarely works.
USAGE detect-sniffer6 interface [target6]
EXAMPLE n/a
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make
rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.
therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore
very easy to detect). If you don't want this, change the code.
DMitry
DESCRIPTION - DMitry has the ability to gather as much information as possible about a host. Base functionality is
able to gather possible subdomains, email addresses, uptime information, TCP port scan, whois lookups, and
more. The information is gathered with the following methods:
- Perform an Internet Number whois lookup.
- Retrieve possible uptime data, system, and server data.
- Perform a SubDomain search on a target host.
- Perform an E-Mail address search on a target host.
- Perform a TCP Portscan on the host target.
- A Modular program allowing user specified modules
USAGE dmitry [options] <file> <url>
EXAMPLE dmitry –help (DMitry help)
EXAMPLE man dmitry (DMitry complete documentation)
EXAMPLE dmitry -iwns -o example.out google.com
dnmap
DESCRIPTION - dnmap is a framework to distribute Nmap scans among several clients. It reads an already created
file with Nmap commands and send those commands to each client connected to it.
The framework uses a client/server architecture. The server knows what to do and the clients do it. All the logic
and statistics are managed in the server. Nmap output is stored on both server and client.
Usually, you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).
Clients can be run on any computer on the Internet. Do not have to be on a local cluster or anything.
- It uses the TLS protocol for encryption.
BASIC USAGE
1. Put some nmap commands on a file like commands.txt
2. ./dnmap_server -f commands.txt (Start the dnmap_server)
3. ./dnmap_client -s <server-ip> -a <alias> (Start any number of clients)
dnmap-client
DESCRIPTION
- If the server gets down, it keeps connecting to it until it gets up again.
- Strip strange characters from the command sent by the server. Tries to avoid command injection vulns.
- It only executes the nmap command. It deletes the command send by the server and changes it by the known and trusted nmap binary on the system.
- You can select an alias for your user.
- You can change which port the client connects to.
- If the command sent by the server does not have a -oA option, the client adds it anyway to the command, so it will always have a local copy of the output.
USAGE ./dnmap_client -s <server-ip> -a <alias> (start any number of clients)
EXAMPLE (see dnmap)
dnmap-server
DESCRIPTION
- If the server gets down, clients continue trying to connect until the server gets back online.
- If the server gets down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was.
- You can add new commands to the original file without having to stop the server. The server will read them automatically.
- If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
- It will store every detail of the operations in a log file.
- It shows real-time statistics about the operation of each client
You can choose which port to use. Defaults to 46001. Only Online clients are shown in the running stats.
USAGE ./dnmap_server -f commands.txt (start dnmap server)
EXAMPLE (see dnmap)
fping
DESCRIPTION - fping is a program like a ping that uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding.
Fping differs from ping in that you can specify any number of targets on the command line, or specify a file
containing the lists of targets to ping. Instead of sending to one target until it times out or replies, fping will send
out a ping packet and move on to the next target in a round-robin fashion.
In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does
not respond within a certain time limit and/or retry limit it is designated as unreachable. Fping also supports
sending a specified number of pings to a target or looping indefinitely (as in ping).
Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.
USAGE fping [options] [targets...]
EXAMPLE fping 192.168.100.1 (Responding host -> 192.168.100.1 is alive )
EXAMPLE fping 192.168.100.13 (Non-responding host -> 192.168.100.13 is unreachable)
hping3
DESCRIPTION - hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like
ping do with ICMP replies. Hping3 handles fragmentation, arbitrary packet body, and size and can be used in order to transfer files under supported protocols.
Hping3 can be used, among other things too: Test firewall rules, [spoofed] port scanning, test net performance
using different protocols, packet size, TOS (a type of service) and fragmentation, path MTU discovery, files
transferring even between really fascist firewall rules, traceroute like under different protocols, firewalk like usage,
remote OS fingerprint, TCP/IP stack auditing
USAGE hping3 <host> [options]
EXAMPLE hping3 192.168.100.1 -c 1 -I wlan0 -S -p 22 (Following command checks the status of port 22/tcp with a TCP SYN scan)
EXAMPLE hping3 192.168.100.1 -c 1 -I wlan0 -S -p 81 (Following command sends a TCP SYN packet to port 81/tcp on host 192.168.100.1)
EXAMPLE hping3 192.168.100.1 -I wlan0 -S --scan 20,21,22,80,8080 -V (Scan mode)
inverse_lookup6
DESCRIPTION thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help
and show the command-line options.
inverse_lookup6 - performs an inverse address query, to get the IPv6 addresses that are assigned to a MAC
address. Note that only a few systems support this yet.
USAGE inverse_lookup6 interface mac-address
EXAMPLE n/a
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make
rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.
Miranda
DESCRIPTION - Miranda is a tool that uses the UPnP(universal plug and play) protocol to enumerate the target
modem (if you found some routers and firewalls running the UPnP IGD protocol are vulnerable to attack).
Before working with Miranda you should have moderate knowledge of UPnP.
BASIC USAGE
- root@root:/pentest/enumeration/miranda#
- # ./miranda.py
- upnp> msearch (search for that device with the UPnP port open)
- upnp> host info 0 (this command will tell you various information about your target – name, protocol, server type, UPnP server)
- upnp> host get 0 (enumerates targets if possible)
- upnp> host summary 0 (get full details of your target after you have enumerated it)
- upnp> host info 0 devicelist WANConnectionDevice services WANPPPConnection actions (this command will tell you about the services that are running on the TARGET)
- upnp> host send 0 WANConnectionDevice WANPPPConnection ForceTermination (terminate the internet all oevr the network)
- upnp> host send 0 WANConnectionDevice WANPPPConnection RequestConnection (re-enable internet)
ncat
DESCRIPTION - ncat is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a
network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks.
Ncat can:
- Act as a simple TCP/UDP/SCTP/SSL client for interacting with web/telnet/mail/TCP/IP servers and services
- Act as a simple TCP/UDP/SCTP/SSL server for offering services to clients, or simply to understand what existing clients are up to by capturing every byte they send.
- Redirector proxy TCP/UDP/SCTP traffic to other ports or hosts.
- Encrypt communication with SSL and transport it over IPv4 or IPv6.
- Act as a network gateway for the execution of system commands, with I/O, redirected to the network.
- Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server.
USAGE ncat [options] <url>
EXAMPLE ncat -C mail.example.com 25 (sending email to an SMTP server. Read manual for further steps)
EXAMPLE ncat -l localhost 143 --sh-exec "ncat --ssl imap.example.com 993“ (connecting to an IMPA server that requires SSL . Read manual for further steps)
netdiscover
DESCRIPTION - Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless
networks without DHCP server when you are wardriving. It can be also used on the hub/switched networks.
Built on top of libnet and libpcap, it can passively detect online hosts, or search for them, by actively sending arp
requests, it can also be used to inspect your network arp traffic, or find network addresses using the auto-scan mode, which will scan for common local networks.
USAGE netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]
EXAMPLE netdiscover -i wlan0 -r 192.168.1.0/24 (Scan a class C network, to see which hosts are up)
EXAMPLE netdiscover -i wlan0 -r 192.168.0.0/16 (Scanning /16 network, trying to find online boexes)
EXAMPLE netdiscover -i wlan0 -r 10.0.0.0/8 (Scan a class A network, trying to find network addresses)
EXAMPLE netdiscover -i wlan0 (Auto scan common networks)
EXAMPLE netdiscover -i wlan0 -p (Don’t send arp requests, listen-only)
TIP
(If you want to change your mac address for the scan)
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:11:22:33:44
nmap
DESCRIPTION - nmap is certainly THE scanner to know. Thanks to its numerous parameters, it is a Swiss army knife to all situations where network identification is needed. It enables among other things to list network hosts and
scan their ports.
USAGE ./nmap [Scan Type(s)] [Options] {target specification}
EXAMPLE ./nmap -sP 192.168.100.0/24 (Lists hosts on a network)
EXAMPLE ./nmap -sS -sV 192.168.100.18 (Scans a host. This example uses a TCP/SYN scan and tries to identify installed services)
passive_discovery6
DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.
passive_discovery6 - passively sniffs the network and dump all client's IPv6 addresses detected. Note that in a
switched environment you get better results when additionally\nstarting parasite6, however, this will impact the
network. If a script name is specified after the interface, it is called with the\ndetected ipv6 address as first and the interface as the second option.
USAGE passive_discovery6 [-Ds] [-m maxhop] [-R prefix] interface [script]
OPTIONS
-D do also dump destination addresses (does not work with -m)
-s do only print the addresses, no other output
-m maxhop the maximum number of hops a target which is dumped may be away.
0 means local only, the maximum amount to make sense is usually 5
-R prefix exchange the defined prefix with the link-local prefix
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.
thcping6
DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.
With thcping6 we can craft a custom ICMPv6 packet, with being able to configure almost any field in the header,
at least the most important ones. You can put an "x" into src6, srcmac, and dstmac for an automatic value.
USAGE thcping6 <interface> <source-ipv6> <destination-ipv6>
USAGE [-af] [-H o:s:v] [-D o:s:v] [-F dst] [-t ttl] [-c class] [-l label] [-d size] [-S port|-U port] interface src6 dst6
[srcmac [dstmac [data]]]
OPTIONS https://github.com/mmoya/thc-ipv6/blob/master/thcping6.c
EXAMPLE thcping6 eth0 2002:5cf9:8214:e472:a00:27ff:fe37:b032 2002:5cf9:8214:e472:290:a9ff:feb0:cac6
TIP DETECTION
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make
rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (e.g.
therefore also answering to icmp6 neighbour solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.
wol-e
DESCRIPTION WOL-E is a suite of tools for the Wake on LAN feature of network-attached computers, this is now
enabled by default on many Apple computers. These tools include brute-forcing the MAC address to wake up
clients, sniffing WOL attempts and passwords, scanning for Apple devices, and more.
If you do not specify a broadcast address or port, wol-e will set the following as defaults for you:
- Port: 9
- Broadcast: 255.255.255.255
If a password is required use the -k 00:12:34:56:78:90 at the end of the above command.
USAGE python wol-e.py -f
EXAMPLE ./wol-e.py -m 00:12:34:56:78:90 -b 192.168.1.255 -p 9 (To wake up a single computer)
EXAMPLE ./wol-e.py -s -i eth0 (To sniff the network for WOL traffic)
EXAMPLE ./wol-e.py –a (To bruteforce the network)
EXAMPLE ./wol-e.py –f (If you want to scan the network for Apple devices on your subnet)
EXAMPLE wol-e.py –fa (If you want to attempt to wake all targets found from using -f)
xprobe2
DESCRIPTION - xprobe2 is a remote active operating system fingerprinting tool. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.
USAGE xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o logfile ] [ -p port ] [ -t receive_timeout ] [ -m
numberofmatches ] [ -D modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T port spec ] [ -U port spec ] host
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will launch an OS fingerprinting attempt targeting 192.168.1.10. Modules 1 and 2, which are reachability tests, will be disabled, so probes will be sent even if target is down. Output will be verbose.)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will launch an OS fingerprint attempt targeting 192.168.1.20. The UDP destination port is set to 53, and the output will be verbose.)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will only enable TCP handshake module (number 11) to probe the target, very useful when all ICMP traffic is filtered.)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will cause TCP handshake module to try blindly guess open port on the target by sequentially sending TCP packets to the most likely open ports (80, 443, 23, 21, 25, 22, 139, 445 and 6000).)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will enable port scanning module, which will scan TCP ports starting from 1 to 1024 on 127.0.0.1)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (If the remote target has TCP port 139 open, the command line above will enable application-level SMB module (if the remote target has TCP port 445 open, substitute 139 in the command line with 445).)
EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will enable SNMPv2c application-level module, which will try to retrieve sysDescr.0 OID using community strings taken from xprobe2.conf file.)
This article content is really unique and amazing.This article really helpful and explained very well.So i am really thankful to you for sharing keep it up..
ReplyDelete