LightBlog

Monday, 12 April 2021

Kali Linux Tutorials: InformationGathering - Live Host Identification


Kali Linux Tutorials: InformationGathering - Live Host Identification

  • alive6
  • arping
  • cdpsnarf
  • detect-new-ip-6
  • detect-sniffer6
  • dmitry
  • dnmap-client
  • dnmap-server
  • fping
  • hping3
  • inverse_lookup6
  • miranda
  • ncat
  • netdiscover
  • nmap
  • passive_discovery6
  • thcping6
  • wol-e
  • xprobe2

alive6

DESCRIPTION -thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help

and show the command-line options.

alive6 shows alive addresses in the segment. If you specify a remote router, the packets are sent with a routing

header prefixed by fragmentation.

TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make

rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.

therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore

very easy to detect). If you don't want this, change the code.

USAGE alive6 [-dlmrS] [-W TIME] [-i FILE] [-o FILE] [-s NUMBER] interface [unicast-or-multicast-address [remoterouter]]

EXAMPLE alive6 eth1


arping

DESCRIPTION - arping pings a destination by sending ARP REQUEST packets to a neighbour host, using a given

source address.

USAGE arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination

EXAMPLE arping -f -c 1 -I wlan0 192.168.100.1 (Host 192.168.100.1 is alive -> Received 1 response(s))

EXAMPLE arping -f -c 1 -I eth0 192.168.100.2 (Host 192.168.100.2 isn't alive -> Received 0 response(s))


cdpsnarf

DESCRIPTION - CDPSnarf is a network sniffer exclusively written to extract information from CDP packets. It

provides all the information a “show cdp neighbors detail” command would return on a Cisco router and even more.

Features: Time intervals between CDP advertisements, Source MAC address, CDP Version, TTL, Checksum, Device ID,

Software version, Platform, Addresses, Port ID, Capabilities, Duplex, Save packets in PCAP dump file format, Read packets

from PCAP dump files, Debugging information (using the "-d" flag), Tested with IPv4 and IPv6

USAGE cdpsnarf -i <device>

OPTIONS cdpsnarf -h

EXAMPLE ./cdpsnarf eth2


detect-new-ip-6


DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help

and show the command-line options.

This tool detects new IPv6 addresses joining the local network. If the script is supplied, it is executed with the

detected IPv6 address as an option.

TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make

rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.

therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore

very easy to detect). If you don't want this, change the code.

USAGE detect-new-ip6 <interface> [script]

EXAMPLE detect-new-ip6 eth0


detect-sniffer6

DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help

and show the command-line options.

detect-sniffer6 - tests if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X, and *BSD. If

no target is given, the link-local-all-nodes address is used, which however rarely works.

USAGE detect-sniffer6 interface [target6]

EXAMPLE n/a

TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make

rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g.

therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore

very easy to detect). If you don't want this, change the code.


DMitry

DESCRIPTION - DMitry has the ability to gather as much information as possible about a host. Base functionality is

able to gather possible subdomains, email addresses, uptime information, TCP port scan, whois lookups, and

more. The information is gathered with the following methods:

  • Perform an Internet Number whois lookup.
  • Retrieve possible uptime data, system, and server data.
  • Perform a SubDomain search on a target host.
  • Perform an E-Mail address search on a target host.
  • Perform a TCP Portscan on the host target.
  • A Modular program allowing user specified modules

USAGE dmitry [options] <file> <url>

EXAMPLE dmitry –help (DMitry help)

EXAMPLE man dmitry (DMitry complete documentation)

EXAMPLE dmitry -iwns -o example.out google.com


dnmap

DESCRIPTION - dnmap is a framework to distribute Nmap scans among several clients. It reads an already created

file with Nmap commands and send those commands to each client connected to it.

The framework uses a client/server architecture. The server knows what to do and the clients do it. All the logic

and statistics are managed in the server. Nmap output is stored on both server and client.

Usually, you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).

Clients can be run on any computer on the Internet. Do not have to be on a local cluster or anything.

  • It uses the TLS protocol for encryption.                                          

BASIC USAGE

1. Put some nmap commands on a file like commands.txt

2. ./dnmap_server -f commands.txt (Start the dnmap_server)

3. ./dnmap_client -s <server-ip> -a <alias> (Start any number of clients)


dnmap-client

DESCRIPTION

  • If the server gets down, it keeps connecting to it until it gets up again.
  • Strip strange characters from the command sent by the server. Tries to avoid command injection vulns.
  • It only executes the nmap command. It deletes the command send by the server and changes it by the known and trusted nmap binary on the system. 
  • You can select an alias for your user.
  • You can change which port the client connects to.
  • If the command sent by the server does not have a -oA option, the client adds it anyway to the command, so it will always have a local copy of the output.

USAGE ./dnmap_client -s <server-ip> -a <alias> (start any number of clients)

EXAMPLE (see dnmap)


dnmap-server

DESCRIPTION

  • If the server gets down, clients continue trying to connect until the server gets back online.
  • If the server gets down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was. 
  • You can add new commands to the original file without having to stop the server. The server will read them automatically.
  • If some client goes down, the server will remember which command it was executing and it will re-schedule it for later.
  • It will store every detail of the operations in a log file.
  • It shows real-time statistics about the operation of each client

You can choose which port to use. Defaults to 46001. Only Online clients are shown in the running stats.

USAGE ./dnmap_server -f commands.txt (start dnmap server)

EXAMPLE (see dnmap)


fping

DESCRIPTION -  fping is a program like a ping that uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding.

Fping differs from ping in that you can specify any number of targets on the command line, or specify a file

containing the lists of targets to ping. Instead of sending to one target until it times out or replies, fping will send

out a ping packet and move on to the next target in a round-robin fashion.

In the default mode, if a target replies, it is noted and removed from the list of targets to check; if a target does

not respond within a certain time limit and/or retry limit it is designated as unreachable. Fping also supports

sending a specified number of pings to a target or looping indefinitely (as in ping).

Unlike ping, fping is meant to be used in scripts, so its output is designed to be easy to parse.

USAGE fping [options] [targets...]

EXAMPLE fping 192.168.100.1 (Responding host -> 192.168.100.1 is alive )

EXAMPLE fping 192.168.100.13 (Non-responding host -> 192.168.100.13 is unreachable)


hping3

DESCRIPTION - hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like

ping do with ICMP replies. Hping3 handles fragmentation, arbitrary packet body, and size and can be used in order to transfer files under supported protocols.

Hping3 can be used, among other things too: Test firewall rules, [spoofed] port scanning, test net performance

using different protocols, packet size, TOS (a type of service) and fragmentation, path MTU discovery, files

transferring even between really fascist firewall rules, traceroute like under different protocols, firewalk like usage,

remote OS fingerprint, TCP/IP stack auditing

USAGE hping3 <host> [options]

EXAMPLE hping3 192.168.100.1 -c 1 -I wlan0 -S -p 22 (Following command checks the status of port 22/tcp with a TCP SYN scan)

EXAMPLE hping3 192.168.100.1 -c 1 -I wlan0 -S -p 81 (Following command sends a TCP SYN packet to port 81/tcp on host 192.168.100.1)

EXAMPLE hping3 192.168.100.1 -I wlan0 -S --scan 20,21,22,80,8080 -V (Scan mode)


inverse_lookup6

DESCRIPTION thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help

and show the command-line options.

inverse_lookup6 - performs an inverse address query, to get the IPv6 addresses that are assigned to a MAC

address. Note that only a few systems support this yet.

USAGE inverse_lookup6 interface mac-address

EXAMPLE n/a

TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make

rogue usage detection easier. The tools either specify a fixed packet signature or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.


Miranda

DESCRIPTION - Miranda is a tool that uses the UPnP(universal plug and play) protocol to enumerate the target

modem (if you found some routers and firewalls running the UPnP IGD protocol are vulnerable to attack).

Before working with Miranda you should have moderate knowledge of UPnP.

BASIC USAGE

  1. root@root:/pentest/enumeration/miranda#
  2. # ./miranda.py
  3. upnp> msearch (search for that device with the UPnP port open)
  4. upnp> host info 0 (this command will tell you various information about your target – name, protocol, server type, UPnP server)
  5. upnp> host get 0 (enumerates targets if possible)
  6. upnp> host summary 0 (get full details of your target after you have enumerated it)
  7. upnp> host info 0 devicelist WANConnectionDevice services WANPPPConnection actions (this command will tell you about the services that are running on the TARGET)
  8. upnp> host send 0 WANConnectionDevice WANPPPConnection ForceTermination (terminate the internet all oevr the network) 
  9. upnp> host send 0 WANConnectionDevice WANPPPConnection RequestConnection (re-enable internet)


ncat

DESCRIPTION - ncat is a general-purpose command-line tool for reading, writing, redirecting, and encrypting data across a

network. It aims to be your network Swiss Army knife, handling a wide variety of security testing and administration tasks.

Ncat can:

  • Act as a simple TCP/UDP/SCTP/SSL client for interacting with web/telnet/mail/TCP/IP servers and services
  • Act as a simple TCP/UDP/SCTP/SSL server for offering services to clients, or simply to understand what existing clients are up to by capturing every byte they send.
  • Redirector proxy TCP/UDP/SCTP traffic to other ports or hosts.
  • Encrypt communication with SSL and transport it over IPv4 or IPv6.
  • Act as a network gateway for the execution of system commands, with I/O, redirected to the network.
  • Act as a connection broker, allowing two (or far more) clients to connect to each other through a third (brokering) server.

USAGE ncat [options] <url>

EXAMPLE ncat -C mail.example.com 25 (sending email to an SMTP server. Read manual for further steps)

EXAMPLE ncat -l localhost 143 --sh-exec "ncat --ssl imap.example.com 993“ (connecting to an IMPA server that requires SSL . Read manual for further steps)


netdiscover

DESCRIPTION - Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless

networks without DHCP server when you are wardriving. It can be also used on the hub/switched networks.

Built on top of libnet and libpcap, it can passively detect online hosts, or search for them, by actively sending arp

requests, it can also be used to inspect your network arp traffic, or find network addresses using the auto-scan mode, which will scan for common local networks.

USAGE netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]

EXAMPLE netdiscover -i wlan0 -r 192.168.1.0/24 (Scan a class C network, to see which hosts are up)

EXAMPLE netdiscover -i wlan0 -r 192.168.0.0/16 (Scanning /16 network, trying to find online boexes)

EXAMPLE netdiscover -i wlan0 -r 10.0.0.0/8 (Scan a class A network, trying to find network addresses)

EXAMPLE netdiscover -i wlan0 (Auto scan common networks)

EXAMPLE netdiscover -i wlan0 -p (Don’t send arp requests, listen-only)

TIP

(If you want to change your mac address for the scan)

# ifconfig wlan0 down

# ifconfig wlan0 hw ether 00:11:22:33:44


nmap

DESCRIPTION - nmap is certainly THE scanner to know. Thanks to its numerous parameters, it is a Swiss army knife to all situations where network identification is needed. It enables among other things to list network hosts and

scan their ports.

USAGE ./nmap [Scan Type(s)] [Options] {target specification}

EXAMPLE ./nmap -sP 192.168.100.0/24 (Lists hosts on a network)

EXAMPLE ./nmap -sS -sV 192.168.100.18 (Scans a host. This example uses a TCP/SYN scan and tries to identify installed services)


passive_discovery6

DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.

passive_discovery6 - passively sniffs the network and dump all client's IPv6 addresses detected. Note that in a

switched environment you get better results when additionally\nstarting parasite6, however, this will impact the

network. If a script name is specified after the interface, it is called with the\ndetected ipv6 address as first and the interface as the second option.

USAGE passive_discovery6 [-Ds] [-m maxhop] [-R prefix] interface [script]

OPTIONS

-D do also dump destination addresses (does not work with -m)

-s do only print the addresses, no other output

-m maxhop the maximum number of hops a target which is dumped may be away.

0 means local only, the maximum amount to make sense is usually 5

-R prefix exchange the defined prefix with the link-local prefix


TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.


thcping6

DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.

With thcping6 we can craft a custom ICMPv6 packet, with being able to configure almost any field in the header,

at least the most important ones. You can put an "x" into src6, srcmac, and dstmac for an automatic value.

USAGE thcping6 <interface> <source-ipv6> <destination-ipv6>

USAGE [-af] [-H o:s:v] [-D o:s:v] [-F dst] [-t ttl] [-c class] [-l label] [-d size] [-S port|-U port] interface src6 dst6

[srcmac [dstmac [data]]]

OPTIONS https://github.com/mmoya/thc-ipv6/blob/master/thcping6.c

EXAMPLE thcping6 eth0 2002:5cf9:8214:e472:a00:27ff:fe37:b032 2002:5cf9:8214:e472:290:a9ff:feb0:cac6


TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make

rogue usage detection easier. The tools either specify a fixed packet signature, or generically sniff for packets (e.g.

therefore also answering to icmp6 neighbour solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.


wol-e

DESCRIPTION WOL-E is a suite of tools for the Wake on LAN feature of network-attached computers, this is now

enabled by default on many Apple computers. These tools include brute-forcing the MAC address to wake up

clients, sniffing WOL attempts and passwords, scanning for Apple devices, and more.

If you do not specify a broadcast address or port, wol-e will set the following as defaults for you:

  • Port: 9
  • Broadcast: 255.255.255.255

If a password is required use the -k 00:12:34:56:78:90 at the end of the above command.

USAGE python wol-e.py -f

EXAMPLE ./wol-e.py -m 00:12:34:56:78:90 -b 192.168.1.255 -p 9 (To wake up a single computer)

EXAMPLE ./wol-e.py -s -i eth0 (To sniff the network for WOL traffic)

EXAMPLE ./wol-e.py –a (To bruteforce the network)

EXAMPLE ./wol-e.py –f (If you want to scan the network for Apple devices on your subnet)

EXAMPLE wol-e.py –fa (If you want to attempt to wake all targets found from using -f)


xprobe2

DESCRIPTION - xprobe2 is a remote active operating system fingerprinting tool. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.

USAGE xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o logfile ] [ -p port ] [ -t receive_timeout ] [ -m

numberofmatches ] [ -D modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T port spec ] [ -U port spec ] host

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will launch an OS fingerprinting attempt targeting 192.168.1.10. Modules 1 and 2, which are reachability tests, will be disabled, so probes will be sent even if target is down. Output will be verbose.)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will launch an OS fingerprint attempt targeting 192.168.1.20. The UDP destination port is set to 53, and the output will be verbose.)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will only enable TCP handshake module (number 11) to probe the target, very useful when all ICMP traffic is filtered.)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will cause TCP handshake module to try blindly guess open port on the target by sequentially sending TCP packets to the most likely open ports (80, 443, 23, 21, 25, 22, 139, 445 and 6000).)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will enable port scanning module, which will scan TCP ports starting from 1 to 1024 on 127.0.0.1)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (If the remote target has TCP port 139 open, the command line above will enable application-level SMB module (if the remote target has TCP port 445 open, substitute 139 in the command line with 445).)

EXAMPLE xprobe2 -v -D 1 -D 2 192.168.1.10 (Will enable SNMPv2c application-level module, which will try to retrieve sysDescr.0 OID using community strings taken from xprobe2.conf file.)



1 comment:

  1. This article content is really unique and amazing.This article really helpful and explained very well.So i am really thankful to you for sharing keep it up..

    ReplyDelete