Saturday, April 30, 2011


Network Mapping -> Identify Live Hosts -> hping3

hping3 can do everything hping2 can, and in addition it can run TCL scripts.

As I'm not familiar with TCL scripts, other than knowing that Cisco routers are also capable of running them, here are two simple examples:

root@bt:~# hping3
hping3> hping resolve
hping3> hping exec foo.htcl

More useful information:

Friday, April 29, 2011


Network Mapping -> Identify Live Hosts -> hping2

The hping utility is good for many things: port scanning, firewall verification, fragmentation discovery, MTU discovery, OS fingerprinting, etc. As the help output shows, we can fine-tune most of the fields in the IP and TCP/UDP headers.

There are a couple of examples below. By default it sends TCP packets (a TCP ping).

root@bt:~# hping -h
usage: hping host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S
-9 --listen listen mode
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set dont fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)

root@bt:~# hping
HPING (eth0 NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.7 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.4 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=2 win=0 rtt=0.4 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=4 win=0 rtt=0.5 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=5 win=0 rtt=0.4 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=6 win=0 rtt=0.5 ms
len=46 ip= ttl=64 DF id=0 sport=0 flags=RA seq=7 win=0 rtt=0.5 ms
--- hping statistic ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.7 ms
root@bt:~# hping -1 -c 2
HPING (eth0 icmp mode set, 28 headers + 0 data bytes
len=46 ip= ttl=64 id=952 icmp_seq=0 rtt=0.7 ms
len=46 ip= ttl=64 id=953 icmp_seq=1 rtt=0.6 ms

--- hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.7 ms
root@bt:~# hping -8 1-100 -c 2
Scanning (, port 1-100
100 ports to scan, use -V to see all the replies
|port| serv name | flags |ttl| id | win |
All replies received. Done.
Not responding ports:
root@bt:~# hping -8 1-1000 -c 2
Scanning (, port 1-1000
1000 ports to scan, use -V to see all the replies
|port| serv name | flags |ttl| id | win |
All replies received. Done.
Not responding ports: (111 sunrpc)

root@bt:~# hping -y --icmp -d 1472
HPING (eth0 icmp mode set, 28 headers + 1472 data bytes
len=92 ip= ttl=54 id=41258 icmp_seq=0 rtt=24.8 ms
len=92 ip= ttl=54 id=41259 icmp_seq=1 rtt=24.2 ms
len=92 ip= ttl=54 id=41260 icmp_seq=2 rtt=24.0 ms
--- hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 24.0/24.3/24.8 ms
root@bt:~# hping -y --icmp -d 1473
HPING (eth0 icmp mode set, 28 headers + 1473 data bytes
--- hping statistic ---
4 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
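The last two runs above are a manual path MTU test: 1472 data bytes with the DF bit set are answered, 1473 are silently dropped, so the path MTU is 1472 + 28 = 1500 bytes (20 bytes IP header plus 8 bytes ICMP header, hping's "28 headers"). The script below is an added example, not hping's or the post author's code; it turns that manual test into a binary search. The real probe wraps hping (the invocation and the success test on its statistics line are assumptions, and the target address is a placeholder), while simulated_probe lets the search run offline against a pretend 1500-byte path.

```shell
#!/bin/sh
# Path MTU discovery as a binary search over ICMP payload sizes sent with
# the DF bit set. Added example for this post, not hping's code.

HDR_BYTES=28                      # IP (20) + ICMP echo (8) header bytes
TARGET=${TARGET:-192.0.2.1}       # placeholder target (RFC 5737 range)

# Real probe (not run in the offline demo): one ICMP echo, DF set, $1 data
# bytes. It succeeds when hping's statistics report no packet loss; the
# leading space keeps "100% packet loss" from matching.
hping_df_probe() {
    hping -y --icmp -c 1 -d "$1" "$TARGET" 2>&1 | grep -q ' 0% packet loss'
}

# Simulated probe for running offline: behaves like the path on the page,
# i.e. a 1500-byte MTU, so any payload above 1472 bytes is lost.
simulated_probe() {
    [ "$1" -le 1472 ]
}

# Largest payload that still gets a reply, between $2 (expected to pass)
# and $3, using probe function $1. Prints nothing and fails if even $2
# is lost, so the caller knows the lower bound was wrong.
find_max_payload() {
    probe=$1; lo=$2; hi=$3
    "$probe" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so lo always advances
        if "$probe" "$mid"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    echo "$lo"
}

# Path MTU = largest passing payload + headers.
path_mtu() {
    payload=$(find_max_payload "$1" "$2" "$3") || return 1
    echo $((payload + HDR_BYTES))
}

# Offline demonstration; for a live run use: path_mtu hping_df_probe 0 9000
echo "Simulated path MTU: $(path_mtu simulated_probe 0 9000) bytes"
```

Each probe sends a single packet, so a lossy path can make a passing size look like a failure; on a real link raise -c or repeat a failed probe before trusting the boundary.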

Official website:

Thursday, April 28, 2011


Network Mapping -> Identify Live Hosts -> genlist

genlist pings all hosts in a given subnet and prints the IPs that responded; later we can scan these with nmap. Here are a couple of examples:

Input Type:
-s --scan <target> Ping Target Range ex: 10.0.0.\*

Scan Options:
-n --nmap <path> Path to Nmap executable
--inter <interface> Perform Nmap Scan using non default interface

General Options:
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( )

root@bt:~# genlist -s
root@bt:~# genlist -s 192.168.1.\*
root@bt:~# genlist -v
genlist version 2.04 by Joshua D. Abraham


Network Mapping -> Identify Live Hosts -> fping

fping can ping multiple hosts at the same time (ICMP ECHO). We can give it a list, a range, a file, etc.; ping properties such as the timeout and the number of retries are also configurable.

Here are a few examples:

Usage: fping [options] [targets...]
-a show targets that are alive
-A show targets by address
-b n amount of ping data to send, in bytes (default 56)
-B f set exponential backoff factor to f
-c n count of pings to send to each target (default 1)
-C n same as -c, report results in verbose format
-e show elapsed time on return packets
-f file read list of targets from a file ( - means stdin) (only if no -g specified)
-g generate target list (only if no -f specified)
(specify the start and end IP in the target list, or supply a IP netmask)
(ex. fping -g or fping -g
-i n interval between sending ping packets (in millisec) (default 25)
-l loop sending pings forever
-m ping multiple interfaces on target host
-n show targets by name (-d is equivalent)
-p n interval between ping packets to one target (in millisec)
(in looping and counting modes, default 1000)
-q quiet (don't show per-target/per-ping results)
-Q n same as -q, but show summary every n seconds
-r n number of retries (default 3)
-s print final stats
-S addr set source address
-t n individual target initial timeout (in millisec) (default 500)
-u show targets that are unreachable
-v show version
targets list of targets to check (if no -f specified)

root@bt:~# fping is alive is alive
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to
ICMP Host Unreachable from for ICMP Echo sent to is unreachable
root@bt:~# fping -r 1 -g is alive is alive is alive is unreachable is unreachable is unreachable is unreachable is unreachable is unreachable is unreachable
10 targets
3 alive
7 unreachable
0 unknown addresses

14 timeouts (waiting for response)
17 ICMP Echos sent
3 ICMP Echo Replies received
0 other ICMP received

0.09 ms (min round trip time)
72.5 ms (avg round trip time)
216 ms (max round trip time)
1.591 sec (elapsed real time)

Official website:

Wednesday, April 27, 2011

Angry IP Scanner

Network Mapping -> Identify Live Hosts ->Angry IP Scanner

This is a network scanner utility with a graphical interface. It can scan an IP range with ICMP, run TCP/UDP port scans, resolve IPs, search for NetBIOS names, etc. Almost all settings can be fine-tuned. The tool is multithreaded, so scanning is faster. The old 2.x version supported plugins; the newer 3.x is still in beta and doesn't support this feature yet.

Official website:

Tuesday, April 26, 2011


Network Mapping -> Identify Live Hosts -> arping

I'm changing topic, and with this I'm also trying to bring in a new design, but it might change later.

The first tool is arping. It essentially sends ARP requests to a given host. Obviously this works only on LANs, as ARP is a Layer 2 protocol.

Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use (eth0)
-s source : source ip address
destination : ask for what ip address

More help is available; use hping -h to see all parameters.

root@bt:~# arping -c 3
ARPING from eth0
Unicast reply from [00:26:37:xx:xx:xx] 111.205ms
Unicast reply from [00:26:37:xx:xx:xx] 141.059ms
Unicast reply from [00:26:37:xx:xx:xx] 158.921ms
Sent 3 probes (1 broadcast(s))
Received 3 response(s)

Book: BackTrack 4: Assuring Security by Penetration Testing

I won't write such topics frequently :-) but an interesting book has been released recently at PacktPub:

BackTrack 4: Assuring Security by Penetration Testing

Based on the table of contents it goes through many of the tools found in BackTrack, and there is a chapter about the pentesting methodology. There aren't many other books like this, in my opinion.

You can order it here, and the 2nd chapter is available for free:

It can be downloaded either in PDF or ePUB.

Monday, April 25, 2011


Information Gathering > DNS > dnsenum

This will be the last tool in the information gathering topic. I won't deal with Dradis and Paterva Maltego for now. This is an all-in-one tool, capable of the following:

1) Retrieve the IP address of the host (A record)
2) Get NS records
3) Get MX records
4) Zone transfer
5) Search for subdomains with Google
6) Search for subdomains based on a list
7) Class C IP calculation and whois query
8) Reverse lookup of IP address ranges

An example:


Information Gathering > DNS > fierce

This is a very useful tool with a pretty good algorithm. In short, this is how it works:

After querying our own DNS server, it switches to the target domain's name server and continues querying that one. Thus, private IP address ranges can also be detected if the target uses the same server for internal and external name resolution. Then it retrieves the SOA record and tries a zone transfer (this is usually not successful). Then it looks for subdomains based on a list, but you can specify your own. If it finds a name that resolves to an IP, it will try to resolve the surrounding IP addresses as well (the range is adjustable).

In addition, there are plenty of options. Here is an example (the result is not shown till the end, because it's rather long):

Official website:

Backtrack basics: 7. Starting SSH service

If we want to log in remotely to our machine, we can use SSH. We will also need this service for SSH tunnels. First we need to generate the public and private key pair used by the service:


If this is done, we can start the SSH service:

/etc/init.d/ssh start

Then we can log in and verify that it is running:

netstat -antp

Sunday, April 24, 2011


Information Gathering > DNS > dnsrecon

This is an all-in-one tool; we can do lots of DNS-related tasks with it:
  1. Reverse lookup query for an IP range
  2. Top-level domain search for a given domain
  3. Subdomain search based on a list
  4. Query MX, SOA, NS records
  5. Zone transfer for the given NS records
  6. SRV record enumeration

An example:

Saturday, April 23, 2011


Information Gathering > DNS > dnstracer

The tool is for finding which DNS server resolves a specific domain. It sends a non-recursive query to the DNS server, and based on the answer it makes additional queries. Here is a very good article about the process:

In summary, the client sends a DNS query to its own server; if that server doesn't know the answer, it returns a list of servers that might be able to resolve the request. Then the tool queries those servers, and so on until it gets the answer; it may even reach the root servers. The run finishes when all DNS servers have been queried.

If we use the "-v" option it will print the DNS packets as well.

Here is an example:

Official website:

Sunday, April 17, 2011


Information Gathering > DNS > dnsmap-bulk

This is a small script which runs dnsmap against multiple domains at the same time.

If you get the following message: "./ line 17: dnsmap: command not found", then open the script and change "dnsmap" to "./dnsmap".

Friday, April 15, 2011


Information Gathering > DNS > dnsmap

This is basically a brute-force program, which performs DNS lookups on the domain based on the provided wordlist. Thus, we can find non-public domain names (with their IPs, of course), dynamic entries, or anything else; it really depends on how good our wordlist is. We can use the tool's built-in list or our own. The result can be saved to a plain TXT or CSV file.

Official website:

Monday, April 11, 2011


I decided that before moving on with the DNS tools, I will read a bit more about the protocol. Till then I'll check a few of the miscellaneous tools. There is a utility called ipcalc, which is really a subnet calculator, as the name suggests. We give it an IP and a mask, and it prints out all the useful information, like the number of hosts, the broadcast IP, etc. If you have spent a few years in networking you probably won't need this :-)

If we give a second mask, it will either split the subnet or create a supernet. Here is an example:

ipcalc /8

The result is really colorful :-) I like it, but you can turn it off if you want.
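As an added example (not ipcalc's own code), here is the same calculation done in plain shell arithmetic, so it is clear what the tool derives from an address and a mask: netmask, network, broadcast, usable host range and host count. The /26 block at the end is a constructed input, and the script needs a shell with 64-bit arithmetic (bash or dash).

```shell
#!/bin/sh
# Subnet calculator in shell arithmetic, doing what ipcalc does with an
# address and a prefix length. Added example for this post, not ipcalc's code.

# Dotted quad <-> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask integer for a prefix length 0..32 (a shift by 32 is undefined
# in C-style arithmetic, so /0 is special-cased).
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# "a.b.c.d/n" -> "address-int mask-int prefix"
cidr_parts() {
    ip=${1%/*}; prefix=${1#*/}
    echo "$(ip_to_int "$ip") $(prefix_to_mask "$prefix") $prefix"
}

netmask_of()   { set -- $(cidr_parts "$1"); int_to_ip "$2"; }
network_of()   { set -- $(cidr_parts "$1"); int_to_ip $(( $1 & $2 )); }
broadcast_of() { set -- $(cidr_parts "$1"); int_to_ip $(( ($1 & $2) | (~$2 & 0xFFFFFFFF) )); }

# Usable hosts. /31 (RFC 3021 point-to-point) and /32 reserve no addresses;
# every larger block loses the network and broadcast addresses.
host_count() {
    set -- $(cidr_parts "$1")
    if [ "$3" -ge 31 ]; then echo $(( 1 << (32 - $3) ))
    else echo $(( (1 << (32 - $3)) - 2 )); fi
}

# ipcalc-style summary for one CIDR block.
subnet_info() {
    set -- $(cidr_parts "$1") "$1"
    net=$(( $1 & $2 )); bcast=$(( net | (~$2 & 0xFFFFFFFF) ))
    if [ "$3" -ge 31 ]; then first=$net; last=$bcast
    else first=$((net + 1)); last=$((bcast - 1)); fi
    printf 'Address:   %s\nNetmask:   %s = %s\nNetwork:   %s/%s\nBroadcast: %s\nHostMin:   %s\nHostMax:   %s\nHosts/Net: %s\n' \
        "$4" "$(int_to_ip "$2")" "$3" "$(int_to_ip "$net")" "$3" "$(int_to_ip "$bcast")" \
        "$(int_to_ip "$first")" "$(int_to_ip "$last")" "$(host_count "$4")"
}

subnet_info 192.168.1.130/26
```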

Official website:

Friday, April 8, 2011


Information Gathering > DNS > dnswalk

Before I jump in, I have to admit that I'm not an expert in DNS. This tool can do DNS zone transfers, which means we can request and download the whole DNS database of a domain to our machine. Of course this doesn't work in most cases, because it's usually not permitted on the server; however, it's really a legitimate DNS function. Other than that, it also runs a couple of consistency checks.

Usage: dnswalk domain
domain MUST end with a '.'
root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk --help
./dnswalk version [unknown] calling Getopt::Std::getopts (version 1.05 [paranoid]),
running under Perl version 5.10.0.

Usage: dnswalk [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]

The following single-character options are accepted:
        With arguments: -D
        Boolean (without arguments): -r -f -i -a -d -m -F -l

Options may be merged together.  -- stops processing of options.
Space is not required between options and their arguments.
  [Now continuing due to backward compatibility and excessive paranoia.
   See ``perldoc Getopt::Std'' about $Getopt::Std::STANDARD_HELP_VERSION.]
Usage: dnswalk domain
domain MUST end with a '.'

Its help is not too informative regarding the options, but we can find a pretty good article about them here:
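Zone transfers come up in the dnsenum, dnsrecon and dnswalk posts; the flip side for an administrator is to confirm that their own name servers refuse them. The script below is an added example for this post, not part of any of those tools. It asks a server for an AXFR with dig and classifies the answer from dig's output text; it assumes BIND's dig, which prints the records followed by ";; XFR size: N records ..." when the transfer is allowed and "; Transfer failed." when it is refused. The two sample outputs are constructed (example.com names, RFC 5737 addresses) so the classifier can be exercised offline.

```shell
#!/bin/sh
# Zone-transfer self-check built on dig. Added example for this post.

# Classify captured dig output: prints ALLOWED, REFUSED or UNKNOWN
# (UNKNOWN covers timeouts and unreachable servers).
classify_axfr() {
    case "$1" in
        *"XFR size:"*)       echo ALLOWED ;;
        *"Transfer failed"*) echo REFUSED ;;
        *)                   echo UNKNOWN ;;
    esac
}

# Number of records in an allowed transfer, taken from the XFR size line.
axfr_record_count() {
    echo "$1" | sed -n 's/^;; XFR size: \([0-9]*\) records.*/\1/p'
}

# Live check (needs network): $1 = name server, $2 = zone. Exits non-zero
# when the transfer is allowed, so it can gate a cron job or a CI step.
axfr_check() {
    out=$(dig "@$1" "$2" AXFR +time=5 +tries=1 2>&1)
    verdict=$(classify_axfr "$out")
    echo "$1 $2: $verdict"
    [ "$verdict" != ALLOWED ]
}

# Constructed samples of the two dig outcomes, used for the offline demo.
SAMPLE_REFUSED='; <<>> DiG 9.7.0 <<>> @ns1.example.com example.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.'
SAMPLE_ALLOWED='; <<>> DiG 9.7.0 <<>> @ns1.example.com example.com AXFR
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2011040801 7200 900 1209600 3600
example.com.      3600  IN  NS   ns1.example.com.
www.example.com.  3600  IN  A    192.0.2.80
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2011040801 7200 900 1209600 3600
;; Query time: 12 msec
;; XFR size: 4 records (messages 1, bytes 211)'

echo "refused sample: $(classify_axfr "$SAMPLE_REFUSED")"
echo "allowed sample: $(classify_axfr "$SAMPLE_ALLOWED"), $(axfr_record_count "$SAMPLE_ALLOWED") records"
# Live use against your own authoritative server: axfr_check ns1.example.com example.com
```

Run it against every authoritative server of the zone, not just the primary: a secondary with a looser allow-transfer list leaks the same data.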

Wednesday, April 6, 2011


Information Gathering > DNS > lbd

This is a very simple utility. It checks whether a domain uses a load balancer or not.

lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (
                                    Proof-of-concept! Might give false positives.
usage: ./ [domain]


Here is an example; as we can see, it tries several different methods to detect load balancers.

root@bt:/pentest/enumeration/lbd# ./

lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing.
                                    Written by Stefan Behte (
                                    Proof-of-concept! Might give false positives.

Checking for DNS-Loadbalancing: NOT FOUND
Checking for HTTP-Loadbalancing [Server]:
 Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g

Checking for HTTP-Loadbalancing [Date]: 05:35:59, 05:35:59, 05:35:59, 05:35:59, 05:36:00, 05:35:59, FOUND

Checking for HTTP-Loadbalancing [Diff]: NOT FOUND

 does Load-balancing. Found via Methods: HTTP[Date]
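The HTTP[Date] verdict above rests on one observation: the sampled Date headers run 05:36:00 and then 05:35:59, and a single clock cannot go backwards, so more than one backend is probably answering. The script below is an added illustration of that heuristic, not lbd's own code, and it does not claim to reproduce lbd's exact checks; it compares only the HH:MM:SS part of the header. sample_dates assumes curl is available and is not run offline.

```shell
#!/bin/sh
# Date-header load-balancer heuristic in the spirit of lbd's HTTP[Date]
# method. Added example for this post, not lbd's code.

# HH:MM:SS -> seconds since midnight. Leading zeros are stripped so "08"
# and "09" are not read as (invalid) octal numbers by the shell.
hms_to_seconds() {
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    h=${1#0}; m=${2#0}; s=${3#0}
    echo $(( h * 3600 + m * 60 + s ))
}

# $@ = sampled times in the order they were received.
# Prints FOUND when a later sample is earlier than a previous one.
# A drop of more than twelve hours is treated as the midnight rollover
# rather than as a second server, to avoid that false positive.
date_check() {
    prev=-1
    for t in "$@"; do
        cur=$(hms_to_seconds "$t")
        if [ "$cur" -lt "$prev" ] && [ $((prev - cur)) -le 43200 ]; then
            echo FOUND; return 0
        fi
        prev=$cur
    done
    echo "NOT FOUND"
}

# Live sampling (needs network): fetch the Date header of URL $1 $2 times
# and print the time-of-day fields, space separated.
sample_dates() {
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -sI "$1" | sed -n 's/^[Dd]ate:.* \([0-9][0-9]:[0-9][0-9]:[0-9][0-9]\) .*/\1/p'
        i=$((i + 1))
    done | tr '\n' ' '
}

# Offline demonstration with the sequence from the lbd output above.
echo "HTTP[Date]: $(date_check 05:35:59 05:35:59 05:35:59 05:35:59 05:36:00 05:35:59)"
# Live use: date_check $(sample_dates http://www.example.com/ 6)
```

Backends with synchronised clocks will never trip this check, which is why lbd combines it with the DNS, Server-header and response-diff methods; treat a single FOUND as a hint, not proof.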

Official website:

Tuesday, April 5, 2011


It is basically the same as tctrace. We can trace with TCP SYN packets, which is useful if a firewall lets some ports through. The options are a little bit different.

tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <>
Updates are available from

Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
       [-l <packet length>] [-q <number of queries>] [-t <tos>]
       [-m <max ttl>] [-pP] <source port>] [-s <source address>]
       [-w <wait time>] <host> [destination port] [packet length]