Thursday, May 12, 2011

zenmap

Information Gathering -> Network Analysis -> Identify Live Hosts -> zenmap

zenmap is a GUI front-end for nmap. We have several options:

1. We can select from predefined profiles (a profile is a given set of parameter settings for nmap)
2. We can create our own profile
3. We can enter the nmap command itself

The output and the summary will be shown in the main window, and on the left side we will see the hosts and services which were found.


Official website: http://nmap.org/zenmap/



Wednesday, May 11, 2011

reverseraider

Information Gathering -> Network Analysis -> DNS Analysis -> reverseraider

This is another DNS domain search tool, which uses a brute force method. We can also search based on IPv4 and IPv6 ranges instead of domains. It ships with 3 wordlists of different lengths, or we can use our own. We can choose to use TCP queries instead of UDP.

Official website: http://complemento.sourceforge.net/

dnsdict6

Information Gathering -> Network Analysis -> DNS Analysis -> dnsdict6

This program looks for DNS domain names and attempts to resolve their IPv6 addresses with a brute force method. You can create your own wordlist or use the built-in one, which currently contains 3,001 words. It can run a maximum of 32 threads to perform the queries.

The utility is part of a complete IPv6 testing toolset, which can be found here:
http://www.thc.org/thc-ipv6/

Backtrack 5 has been released

Backtrack 5 has been released!!!


New features:
  • 32 & 64 bit version
  • Kernel 2.6.38
  • KDE (4.6) and Gnome (2.6) desktops
  • Base ARM BackTrack image, which can be installed on Android devices
  • New tools
  • New design
BackTrack 4 is no longer available or supported, nor are the previous editions. From now on I am going to write about tools found on the new one, and won't update the old posts; the tools work the same way in the new edition and hopefully everyone will find them :-)

The articles about basic usage also apply to the new version.

Downloadable from here:

http://www.backtrack-linux.org/

Monday, May 9, 2011

nmap

Network Mapping -> Identify Live Hosts -> Nmap

"Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X."

I couldn't have written it better (source: nmap.org) :-) The tool has tons of options; it's worth playing around with it. This is the de facto standard port scanning utility. That's all about it; there are lots of examples and a usage guide on their webpage, even in Hungarian. Here are two examples:

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
--adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection, Script scanning and Traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

root@bt:~# nmap -sP 192.168.183.0/24

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-09 14:36 EDT
Nmap scan report for 192.168.183.1
Host is up (0.00049s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.183.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:FB:42:C6 (VMware)
Nmap scan report for 192.168.183.130
Host is up (0.00028s latency).
MAC Address: 00:0C:29:11:69:AF (VMware)
Nmap scan report for 192.168.183.131
Host is up.
Nmap scan report for 192.168.183.132
Host is up (0.00020s latency).
MAC Address: 00:0C:29:EF:E7:29 (VMware)
Nmap scan report for 192.168.183.254
Host is up (0.00026s latency).
MAC Address: 00:50:56:E0:08:18 (VMware)
Nmap done: 256 IP addresses (6 hosts up) scanned in 9.31 seconds

root@bt:~# nmap -sS -O 192.168.183.0/24

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-09 14:42 EDT
Nmap scan report for 192.168.183.1
Host is up (0.00037s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
2869/tcp open icslap
5357/tcp open unknown
MAC Address: 00:50:56:C0:00:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista|2008|7
OS details: Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7
Network Distance: 1 hop

Nmap scan report for 192.168.183.2
Host is up (0.057s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
445/tcp open microsoft-ds
514/tcp filtered shell
554/tcp open rtsp
912/tcp open unknown
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1054/tcp open unknown
2869/tcp open icslap
5357/tcp open unknown
6059/tcp open X11:59
10000/tcp open snet-sensor-mgmt
10243/tcp open unknown
MAC Address: 00:50:56:FB:42:C6 (VMware)
Device type: general purpose|webcam|storage-misc|printer
Running (JUST GUESSING) : Apple Mac OS X 10.5.X (94%), DVTel embedded (88%), BlueArc embedded (88%), Brother embedded (85%)
Aggressive OS guesses: Apple Mac OS X 10.5.5 (Leopard) (94%), DVTel DVT-9540DW network camera (88%), BlueArc Titan 2100 NAS device (88%), Brother HL-5170DN printer (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

Nmap scan report for 192.168.183.130
Host is up (0.0027s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:11:69:AF (VMware)
Device type: general purpose
Running: Microsoft Windows 2003|XP
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows XP SP2 or Server 2003 SP1 or SP2
Network Distance: 1 hop

Nmap scan report for 192.168.183.131
Host is up (0.000056s latency).
All 1000 scanned ports on 192.168.183.131 are closed
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

Nmap scan report for 192.168.183.132
Host is up (0.00053s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp closed icslap
MAC Address: 00:0C:29:EF:E7:29 (VMware)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP3
Network Distance: 1 hop

Nmap scan report for 192.168.183.254
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.183.254 are filtered
MAC Address: 00:50:56:E0:08:18 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 358.56 seconds
root@bt:~# nmap -sn 192.168.183.0/24

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-09 14:57 EDT
Nmap scan report for 192.168.183.1
Host is up (0.00018s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.183.2
Host is up (0.00014s latency).
MAC Address: 00:50:56:FB:42:C6 (VMware)
Nmap scan report for 192.168.183.130
Host is up (0.00028s latency).
MAC Address: 00:0C:29:11:69:AF (VMware)
Nmap scan report for 192.168.183.131
Host is up.
Nmap scan report for 192.168.183.132
Host is up (0.00034s latency).
MAC Address: 00:0C:29:EF:E7:29 (VMware)
Nmap scan report for 192.168.183.254
Host is up (0.00046s latency).
MAC Address: 00:50:56:E0:08:18 (VMware)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.09 seconds
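
As an added example (not from the original post or the nmap project), a small Python script that parses nmap's normal output, such as the -sS -O run above, into a per-host list of open ports and compares it with an inventory baseline, which is the defensive use the quoted description mentions. The sample output is an excerpt of the scan above and the baseline is a constructed assumption.

```python
import re

# Constructed sample: an excerpt of the "nmap -sS -O 192.168.183.0/24" output
# shown above (two of the six hosts), used as offline input for the parser.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.183.130
Host is up (0.0027s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:11:69:AF (VMware)
OS details: Microsoft Windows Server 2003 SP1 or SP2, Microsoft Windows XP SP2 or Server 2003 SP1 or SP2

Nmap scan report for 192.168.183.132
Host is up (0.00053s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2869/tcp closed icslap
MAC Address: 00:0C:29:EF:E7:29 (VMware)
OS details: Microsoft Windows XP SP3
Nmap done: 256 IP addresses (6 hosts up) scanned in 358.56 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_normal_output(text):
    """Parse nmap normal (console / -oN) output into {host: {"open": {...}, "os": str}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"open": {}, "os": None}
            hosts[m.group(1)] = current
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            if state == "open":  # closed/filtered rows are not exposed services
                current["open"][(int(port), proto)] = service
        elif line.startswith("OS details:"):
            current["os"] = line.split(":", 1)[1].strip()
    return hosts


def find_deviations(hosts, baseline):
    """Compare a parsed scan with an inventory baseline {host: {(port, proto), ...}}.
    Returns {host: {"unknown_host": bool, "unexpected": set of (port, proto)}}."""
    findings = {}
    for host, info in hosts.items():
        allowed = baseline.get(host)
        if allowed is None:
            findings[host] = {"unknown_host": True, "unexpected": set(info["open"])}
            continue
        unexpected = set(info["open"]) - allowed
        if unexpected:
            findings[host] = {"unknown_host": False, "unexpected": unexpected}
    return findings


# Constructed baseline (assumption): .130 is a known Windows file server; .132 is not inventoried.
BASELINE = {"192.168.183.130": {(135, "tcp"), (139, "tcp"), (445, "tcp")}}

if __name__ == "__main__":
    for host, f in sorted(find_deviations(parse_normal_output(SAMPLE_SCAN), BASELINE).items()):
        ports = ", ".join(f"{p}/{proto}" for p, proto in sorted(f["unexpected"]))
        print(f"{'NEW HOST' if f['unknown_host'] else 'UNEXPECTED':<10} {host:<16} {ports}")
```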

Official website: http://nmap.org/

Sunday, May 8, 2011

SCTPscan

Network Mapping -> Identify Live Hosts -> SCTPscan

SCTPscan was written by Philippe Langlois for scanning SCTP endpoints. The SCTP protocol is used for transmitting SS7 signaling over TCP/IP, and it is part of the SIGTRAN protocol family. The protocol is built into most OSs, like TCP is (Linux kernel 2.6, Solaris 10, FreeBSD 7, Mac OS X...).

It usually doesn't work from behind NAT, as routers and firewalls don't know the protocol and can't NAT it properly.

Options:
-p, --port <port> (default: 10000)
port specifies the remote port number
-P, --loc_port <port> (default: 10000)
port specifies the local port number
-l, --loc_host <loc_host> (default: 127.0.0.1)
loc_host specifies the local (bind) host for the SCTP
stream with optional local port number
-r, --rem_host <rem_host> (default: 127.0.0.2)
rem_host specifies the remote (sendto) address for the SCTP
stream with optional remote port number
-s --scan -r aaa[.bbb[.ccc]]
scan all machines within network
-m --map
map all SCTP ports from 0 to 65535 (portscan)
-F --Frequent
Portscans the frequently used SCTP ports
Frequent SCTP ports: 1, 100, 128, 260, 250, 1167, 1812, 2097, 2225, 2427, 2477, 2577, 2904, 2905, 2944, 2945, 3097, 3565, 3863, 3864, 3868, 4739, 5000, 5001, 5060, 5061, 5090, 5091, 5675, 6000, 6790, 6789, 7000, 7102, 7103, 7105, 7551, 7626, 7701, 7800, 8001, 8787, 9006, 9899, 9911, 9900, 9901, 9902, 10000, 10001, 11997, 11998, 11999, 14001, 30000, 32931, 32768
-a --autoportscan
Portscans automatically any host with SCTP aware TCP/IP stack
-i --linein
Receive IP to scan from stdin
-f --fuzz
Fuzz test all the remote protocol stack
-B --bothpackets
Send packets with INIT chunk for one, and SHUTDOWN_ACK for the other
-b --both_checksum
Send both checksum: new crc32 and old legacy-driven adler32
-C --crc32
Calculate checksums with the new crc32
-A --adler32
Calculate checksums with the old adler32
-Z --zombie
Does not collaborate to the SCTP Collaboration platform. No reporting.
-d --dummyserver
Starts a dummy SCTP server on port 10000. You can then try to scan it from
another machine.
-E --exec <script_name>
Executes <script_name> each time an open SCTP port is found.
Execution arguments: <script_name> host_ip sctp_port

Scan port 9999 on 192.168.1.24
./sctpscan -l 192.168.1.2 -r 192.168.1.24 -p 9999

Scans for availability of SCTP on 172.17.8.* and portscan any host with SCTP stack
./sctpscan -s -l 172.22.1.96 -r 172.17.8

Scans frequently used ports on 172.17.8.*
./sctpscan -s -F -l 172.22.1.96 -r 172.17.8

Scans all class-B network for frequent port
./sctpscan -s -F -r 172.22 -l `ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | cut -d ' ' -f 1 `

Simple verification end to end on the local machine:
./sctpscan -d &
./sctpscan -s -l 192.168.1.24 -r 192.168.1 -p 10000

This tool does NOT work behind most NAT.
That means that most of the routers / firewall don't know how to NAT SCTP packets.
You _need_ to use this tool from a computer having a public IP address (i.e. non-RFC1918)

root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -F
Portscanning with Crc32 checksumed packet
Portscanning Frequent Ports on 192.168.1.11
End of portscan on 192.168.1.11
Sending Crc32 checksumed packet
End of scan: duration=4 seconds packet_sent=2 packet_rcvd=2 (SCTP=0, ICMP=2)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -a
Sending Crc32 checksumed packet
End of scan: duration=5 seconds packet_sent=1 packet_rcvd=1 (SCTP=0, ICMP=1)
root@bt:/pentest/scanners/sctpscan# ./sctpscan -r 192.168.1.11 -m
Portscanning with Crc32 checksumed packet
Portscanning 65535 ports on 192.168.1.11
End of portscan on 192.168.1.11
End of scan: duration=116 seconds packet_sent=65536 packet_rcvd=22227 (SCTP=0, ICMP=22227)

Additional details: http://www.blackhat.com/presentations/bh-europe-07/Langlois/Whitepaper/bh-eu-07-langlois-WP.pdf

Friday, May 6, 2011

Netifera

Network Mapping -> Identify Live Hosts -> Netifera

This program is actually a port scanner. You can specify an IP address range, domain names or e-mail addresses, and then it executes the scan on the target. It is also capable of passive monitoring, so more information can be gathered that way. The user interface is quite straightforward.


Official website: http://netifera.com/

Thursday, May 5, 2011

5nmp

Network Mapping -> Identify Live Hosts -> 5nmp

This is an SNMP scanner tool with a graphical interface. It can scan through an IP range searching for community strings. We can give it a wordlist. It ran through a list with 70,000 entries in 2 minutes on a virtual machine, so it's quite fast.

I used this Hungarian wordlist: http://sourceforge.net/projects/wordlist-hu/

Wednesday, May 4, 2011

onesixtyone

Network Mapping -> Identify Live Hosts -> onesixtyone

onesixtyone is an SNMP scanner which tries to find community strings with a brute force method. It sends requests as fast as it can, by default one every 10 ms.

We can give it a wordlist as input, but if the list contains a word longer than 16 characters, we get a "Community string too long" error. However, it accepts longer strings if the community string is given directly on the command line.

onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information

-w n wait n milliseconds (1/1000 of a second) between sending 
packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100

root@bt:~# onesixtyone 192.168.1.10
Scanning 1 hosts, 2 communities
192.168.1.10 [public] Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 13-Mar-08 07:50 by prod_rel_team
192.168.1.10 [private] Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 13-Mar-08 07:50 by prod_rel_team
root@bt:~# onesixtyone -c /root/mylist 192.168.1.10
 
192.168.1.10 [public] Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 13-Mar-08 07:50 by prod_rel_team
192.168.1.10 [private] Cisco IOS Software, 3700 Software (C3745-ADVENTERPRISEK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 13-Mar-08 07:50 by prod_rel_team

Official website: http://www.phreedom.org/solar/onesixtyone/

Tuesday, May 3, 2011

sslscan

Network Mapping -> Identify Live Hosts -> sslscan

SSLScan is a fast SSL port scanner. The tool connects to an SSL port, determines which ciphers the device supports and which one it prefers, and prints the certificate.


___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.6
http://www.titania.co.uk
Copyright (C) 2007-2008 Ian Ventura-Whiting

SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers prefered ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.

Command:
sslscan [Options] [host:port | host]

Options:
--targets=<file> A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk=<file> A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass=<password> The password for the private key or
PKCS#12 file.
--certs=<file> A file containing PEM/ASN1 formatted
client certificates.
--xml=<file> Output results to an XML file.
--version Display the program version.
--help Display the help text you are now
reading.
Example:
sslscan 127.0.0.1

root@bt:~# sslscan --no-failed www.google.com
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.6
http://www.titania.co.uk
Copyright (C) 2007-2008 Ian Ventura-Whiting

Testing SSL server www.google.com on port 443

Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
SSLv3 128 bits RC4-SHA
TLSv1 128 bits RC4-SHA

SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
Not valid before: Dec 18 00:00:00 2009 GMT
Not valid after: Dec 18 23:59:59 2011 GMT
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e8:f9:86:0f:90:fa:86:d7:df:bd:72:26:b6:d7:
44:02:83:78:73:d9:02:28:ef:88:45:39:fb:10:e8:
7c:ae:a9:38:d5:75:c6:38:eb:0a:15:07:9b:83:e8:
cd:82:d5:e3:f7:15:68:45:a1:0b:19:85:bc:e2:ef:
84:e7:dd:f2:d7:b8:98:c2:a1:bb:b5:c1:51:df:d4:
83:02:a7:3d:06:42:5b:e1:22:c3:de:6b:85:5f:1c:
d6:da:4e:8b:d3:9b:ee:b9:67:22:2a:1d:11:ef:79:
a4:b3:37:8a:f4:fe:18:fd:bc:f9:46:23:50:97:f3:
ac:fc:24:46:2b:5c:3b:b7:45
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.thawte.com/ThawteSGCCA.crl

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

Verify Certificate:
unable to get local issuer certificate
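
As an added example (not from the original post or the sslscan project), a Python check that reads sslscan output like the run above and reports findings against a present-day policy: SSLv2/SSLv3, RC4, DES and MD5 based suites, RSA keys under 2048 bits, SHA-1 signatures and expired certificates. The sample is an abbreviated copy of the scan above; the policy thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: an abbreviated copy of the "sslscan --no-failed www.google.com"
# output shown above (2011), used as offline input.
SAMPLE_SSLSCAN = """\
Testing SSL server www.google.com on port 443

Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA

Prefered Server Cipher(s):
SSLv3 128 bits RC4-SHA
TLSv1 128 bits RC4-SHA

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
Not valid before: Dec 18 00:00:00 2009 GMT
Not valid after: Dec 18 23:59:59 2011 GMT
RSA Public Key: (1024 bit)
"""

# Matches both "Accepted SSLv3 128 bits RC4-SHA" and the preferred-cipher rows,
# which have no leading "Accepted"; Rejected/Failed rows never match.
CIPHER_RE = re.compile(r"^\s*(?:Accepted\s+)?(SSLv\d|TLSv[\d.]+)\s+(\d+) bits\s+(\S+)")
KEYSIZE_RE = re.compile(r"RSA Public Key: \((\d+) bit\)")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings that mark a suite as weak under the assumed policy (RC4, single/triple DES,
# MD5 MACs, NULL encryption, export-grade suites).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def weak_cipher(name, bits):
    return bits < 128 or any(marker in name for marker in WEAK_CIPHER_MARKERS)


def audit_sslscan(text, today):
    """Return a sorted list of finding strings for sslscan output, judged as of
    `today` (an ISO date string such as "2011-05-03")."""
    as_of = datetime.strptime(today, "%Y-%m-%d")
    findings, section = set(), None
    for line in text.splitlines():
        if line.endswith("Cipher(s):"):
            # sslscan 1.6 spells the heading "Prefered"; keep the tool's spelling.
            section = "preferred" if line.startswith("Prefered") else "accepted"
            continue
        if line.startswith("SSL Certificate:"):
            section = "cert"
            continue
        if section in ("accepted", "preferred"):
            m = CIPHER_RE.match(line)
            if not m:
                continue
            proto, bits, cipher = m.group(1), int(m.group(2)), m.group(3)
            if proto in WEAK_PROTOCOLS:
                findings.add(f"weak protocol offered: {proto}")
            if weak_cipher(cipher, bits):
                findings.add(f"weak cipher {section}: {proto} {cipher}")
        elif section == "cert":
            m = KEYSIZE_RE.search(line)
            if m and int(m.group(1)) < 2048:
                findings.add(f"RSA key too small: {m.group(1)} bit")
            elif line.startswith("Not valid after:"):
                expiry = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")
                if expiry < as_of:
                    findings.add(f"certificate expired on {expiry.date()}")
            elif line.startswith("Signature Algorithm:") and "sha1" in line.lower():
                findings.add("certificate signed with SHA-1")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_sslscan(SAMPLE_SSLSCAN, "2011-05-03"):
        print(finding)
```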

Monday, May 2, 2011

nbtscan

Network Mapping -> Identify Live Hosts -> nbtscan

nbtscan is capable of scanning IP ranges for NetBIOS names. It sends a NetBIOS status query to every IP in the range and lists the results.

nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator]
[-m retransmits] (-f filename)|(<scan_range>)
-v verbose output. Print all names received
from each host
-d dump packets. Print whole packet contents.
-e Format output in /etc/hosts format.
-l Format output in lmhosts format.
Cannot be used with -v, -s or -h options.
-t timeout wait timeout milliseconds for response.
Default 1000.
-b bandwidth Output throttling. Slow down output
so that it uses no more that bandwidth bps.
Useful on slow links, so that ougoing queries
don't get dropped.
-r use local port 137 for scans. Win95 boxes
respond to this only.
You need to be root to use this option on Unix.
-q Suppress banners and error messages,
-s separator Script-friendly output. Don't print
column and record headers, separate fields with separator.
-h Print human-readable names for services.
Can only be used with -v option.
-m retransmits Number of retransmits. Default 0.
-f filename Take IP addresses to scan from file filename.
-f - makes nbtscan take IP addresses from stdin.
<scan_range> what to scan. Can either be single IP
like 192.168.1.1 or
range of addresses in one of two forms:
xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
nbtscan -r 192.168.1.0/24
Scans the whole C-class network.
nbtscan 192.168.1.25-137
Scans a range from 192.168.1.25 to 192.168.1.137
nbtscan -v -s : 192.168.1.0/24
Scans C-class network. Prints results in script-friendly
format using colon as field separator.
Produces output like that:
192.168.0.1:NT_SERVER:00U
192.168.0.1:MY_DOMAIN:00G
192.168.0.1:ADMINISTRATOR:03U
192.168.0.2:OTHER_BOX:00U
...
nbtscan -f iplist
Scans IP addresses specified in file iplist.

root@bt:~# nbtscan 192.168.1.0/24
Doing NBT name scan for addresses from 192.168.1.0/24

IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.1.0 Sendto failed: Permission denied
192.168.1.1 NETGEARUSB <server> NETGEARUSB 00:00:00:00:00:00
192.168.1.5 OTTHON-BEA <server> BEA 00:50:8d:xx:xx:xx
192.168.1.11 HOME-CSABI <unknown> 00:1c:25:xx:xx:xx
192.168.1.255 Sendto failed: Permission denied
root@bt:~#
root@bt:~# nbtscan -s : 192.168.1.0/24
192.168.1.0 Sendto failed: Permission denied
192.168.1.5:OTTHON-BEA :<server>:BEA :00:50:8d:xx:xx:xx
192.168.1.1:NETGEARUSB :<server>:NETGEARUSB :00:00:00:00:00:00
192.168.1.11:HOME-CSABI ::<unknown>:00:1c:25:xx:xx:xx
192.168.1.255 Sendto failed: Permission denied
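
As an added example (not from the original post or nbtscan itself), a Python parser for the script-friendly -s : output above. The detail it handles is that the MAC address contains the separator, so a naive split breaks, and that the "Sendto failed" lines for the network and broadcast addresses must be kept apart from real records; a small helper then lists the hosts whose status reply disclosed a logged-on user name. The sample is the scan output above.

```python
# Constructed sample: the "nbtscan -s : 192.168.1.0/24" output shown above.
SAMPLE_NBTSCAN = """\
192.168.1.0 Sendto failed: Permission denied
192.168.1.5:OTTHON-BEA :<server>:BEA :00:50:8d:xx:xx:xx
192.168.1.1:NETGEARUSB :<server>:NETGEARUSB :00:00:00:00:00:00
192.168.1.11:HOME-CSABI ::<unknown>:00:1c:25:xx:xx:xx
192.168.1.255 Sendto failed: Permission denied
"""


def parse_nbtscan_script_output(text, separator=":"):
    """Parse 'nbtscan -s <separator>' output into (records, errors).

    Record layout: ip, NetBIOS name, server flag, logged-on user, MAC address.
    With ':' as separator the MAC address itself contains the separator, so each
    line is split into at most five fields and the remainder is kept as the MAC.
    """
    records, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Network and broadcast addresses yield "Sendto failed" lines, not records.
        if "Sendto failed" in line:
            errors.append(line.strip())
            continue
        parts = line.split(separator, 4)
        if len(parts) != 5:
            errors.append(line.strip())
            continue
        ip, name, server, user, mac = (p.strip() for p in parts)
        records.append({
            "ip": ip,
            "name": name,
            "is_server": server == "<server>",
            # An empty user field or "<unknown>" means no logged-on user was reported.
            "user": user if user and user != "<unknown>" else None,
            "mac": mac,
        })
    return records, errors


def exposed_users(records):
    """Map host IP -> user name for hosts whose NetBIOS status reply disclosed a user."""
    return {r["ip"]: r["user"] for r in records if r["user"]}


if __name__ == "__main__":
    recs, errs = parse_nbtscan_script_output(SAMPLE_NBTSCAN)
    for r in recs:
        print(r)
    print("hosts disclosing a logged-on user:", exposed_users(recs))
    print("skipped lines:", errs)
```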
 

Official website: http://www.unixwiz.net/tools/nbtscan.html

Sunday, May 1, 2011

Autoscan Network

Network Mapping -> Identify Live Hosts -> Autoscan

autoscan is an automated network discovery tool with a GUI. It searches for devices on the network and performs port scanning, OS detection, etc. on them, on multiple threads simultaneously. It contains telnet and VNC clients and can run various applications with configurable parameters; by default, ping and an nmap script are built in. The OS fingerprints can be extended with our own. It contains an intrusion detector which, if turned on, basically means that any newly appearing device is reported as an intruder. The results can be saved to an XML file.


Official website: http://autoscan-network.com/