protos

No, I won't write about Starcraft, although it's an amazing game. :-) This is an IP protocol scanner. It discovers which protocols are supported by the host, with using ICMP and waiting for "Protocol unreachable" answer, which theoretically should arrive if the target doesn't support the given protocol.

protos: invalid option -- 'h'
Usage: ./protos -i eth0 -d 10.1.2.3 -v
-v             verbose
-V             show which protocols are not supported
-u             don't ping targets first
-s             make the scan slow (for very remote devices)
-L             show the long protocol name and it's reference (RFC)
-p x           number of probes (default=5)
-S x           sleeptime is x (default=1)
-a x           continue scan afterwards for x seconds (default=3)
-d dest        destination (IP or IP/MASK)
-i interface   the eth0 stuff
-W             don't scan, just print the protocol list
root@bt:~#

Let's see, what it can find on on my Android phone.

root@bt:~# protos -i eth0 -d 192.168.1.9 -v -L
192.168.1.9 is alive
TARGET  192.168.1.9
Running in verbose mode
        Afterscan delay is 3
        running in fast scan - pause every 1 probes
        continuing scan afterwards for 3 secs
        supported protocols will be reported
        you supplied the target(s) 192.168.1.9

Scanning 192.168.1.9
Port unreachable - therefore protocol IPenc is running
Port unreachable - therefore protocol IPv6 is running
>>>>>>>>> RESULTS >>>>>>>>>>

192.168.1.9 may be running (did not negate):
ICMP            Internet Control Message [RFC792]
GGP             Gateway-to-Gateway [RFC823]
IPenc           IP in IP (encapsulation) [RFC2003]
ST              Stream [RFC1190,IEN119]
TCP             Transmission Control [RFC793]
IGP             any private interior gateway [IANA]
NVP-II          Network Voice Protocol [RFC741,SC3]
ARGUS           ARGUS [RWS4]
XNET            Cross Net Debugger [IEN158,JFH2]
UDP             User Datagram [RFC768,JBP]
DCN-MEAS        DCN Measurement Subsystems [DLM1]
PRM             Packet Radio Measurement [ZSU]
TRUNK-1         Trunk-1 [BWB6]
LEAF-1          Leaf-1 [BWB6]
RDP             Reliable Data Protocol [RFC908,RH6]
ISO-TP4         ISO Transport Protocol Class 4 [RFC905,RC77]
MFE-NSP         MFE Network Services Protocol [MFENET,BCH2]
SEP             Sequential Exchange Protocol [JC120]
IDPR            Inter-Domain Policy Routing Protocol [MXS1]
DDP             Datagram Delivery Protocol [WXC]
IL              IL Transport Protocol [Presotto]
IPv6            Ipv6 [Deering]
SDRP            Source Demand Routing Protocol [DXE1]
IPv6-Frag       Fragment Header for IPv6 [Deering]
RSVP            Reservation Protocol [Bob Braden]
MHRP            Mobile Host Routing Protocol[David Johnson]
ESP             Encap Security Payload for IPv6 [RFC1827]
I-NLSP          Integrated Net Layer Security TUBA [GLENN]
NARP            NBMA Address Resolution Protocol [RFC1735]
TLSP            Transport Layer Security Protocol [Oberg]
IPv6-ICMP       ICMP for IPv6 [RFC1883]
IPv6-Opts       Destination Options for IPv6 [RFC1883]
CFTP            CFTP [CFTP,HCF2]
SAT-EXPAK       SATNET and Backroom EXPAK [SHB]
RVD             MIT Remote Virtual Disk Protocol [MBG]
68              any distributed file system [IANA]
VISA            VISA Protocol [GXT1]
CPNX            Computer Protocol Network Executive [DXM2]
WSN             Wang Span Network [VXD]
BR-SAT-MON      Backroom SATNET Monitoring [SHB]
WB-MON          WIDEBAND Monitoring [SHB]
ISO-IP          ISO Internet Protocol [MTR]
SECURE-VMTP     SECURE-VMTP [DRC3]
TTP             TTP [JXS]
DGP             Dissimilar Gateway Protocol [DGP,ML109]
EIGRP           EIGRP [CISCO,GXS]
Sprite-RPC      Sprite RPC Protocol [SPRITE,BXW]
MTP             Multicast Transport Protocol [SXA]
IPIP            IP-within-IP Encapsulation Protocol [JI6]
SCC-SP          Semaphore Communications Sec. Pro. [HXH]
ENCAP           Encapsulation Header [RFC1241,RXB3]
IFMP            Ipsilon Flow Management Protocol [Hinden]
PIM             Protocol Independent Multicast [Farinacci]
SCPS            SCPS [Durst]
A/N             Active Networks [Braden]
SNP             Sitara Networks Protocol [Sridhar]
IPX-in-IP       IPX in IP [Lee]
L2TP            Layer Two Tunneling Protocol [Aboba]
IATP            Interactive Agent Transfer Protocol [Murphy]
SRP             SpectraLink Radio Protocol [Hamilton]
SMP             Simple Message Protocol [Ekblad]
PTP             Performance Transparency Protocol [Welzl]
FIRE            [Partridge]
CRUDP           Combat Radio User Datagram [Sautter]
IPLT            [Hollbach]
PIPE            Private IP Encapsulation within IP [Petri]
FC              Fibre Channel [Rajagopal]
135             [IANA]
137             [IANA]
138             [IANA]
141             [IANA]
143             [IANA]
145             [IANA]
147             [IANA]
149             [IANA]
151             [IANA]
153             [IANA]
155             [IANA]
157             [IANA]
159             [IANA]
161             [IANA]
163             [IANA]
165             [IANA]
167             [IANA]
169             [IANA]
171             [IANA]
173             [IANA]
175             [IANA]
177             [IANA]
179             [IANA]
182             [IANA]
184             [IANA]
186             [IANA]
188             [IANA]
190             [IANA]
192             [IANA]
194             [IANA]
196             [IANA]
198             [IANA]
200             [IANA]
202             [IANA]
204             [IANA]
206             [IANA]
208             [IANA]
210             [IANA]
212             [IANA]
214             [IANA]
216             [IANA]
218             [IANA]
220             [IANA]
222             [IANA]
224             [IANA]
226             [IANA]
228             [IANA]
230             [IANA]
232             [IANA]
234             [IANA]
236             [IANA]
238             [IANA]
240             [IANA]
242             [IANA]
244             [IANA]
246             [IANA]
248             [IANA]
250             [IANA]
252             [IANA]
254             [IANA]

root@bt:~#

Dmitry

Dmitry (Deepmagic Information Gathering Tool) is an all-in-one tool, which gathers some basic information, like whois serach, netcraft.com data, subdomain serach, email search and TCP port scan for a given domain or host.

Deepmagic Information Gathering Tool
"There be some deep magic going on"

Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
  -o     Save output to %host.txt or to file specified by -o file
  -i     Perform a whois lookup on the IP address of a host
  -w     Perform a whois lookup on the domain name of a host
  -n     Retrieve Netcraft.com information on a host
  -s     Perform a search for possible subdomains
  -e     Perform a search for possible email addresses
  -p     Perform a TCP port scan on a host
* -f     Perform a TCP port scan on a host showing output reporting filtered ports
* -b     Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
root@bt:/usr/local/bin#

One example:

root@bt:/usr/local/bin# dmitry -iwnse bme.hu  

All of the searches happens in a public database.

If we choose the TCP portscan and output file options at the same time, we get "Segmentation fault" error, but the file is still made.

netmask

This is also a very simple tool. It sends an ICMP Netmask (ICMP type 17) request to the target, and in the answer (ICMP type 18) we should find the subnet mask of the target. This way we can get more information about the IP addressing structure at the target. Usually most of the firewalls are filtering these messages, but even if they don't the hosts replies many times with /32.

We can print the result in many different ways, most of the options are related to the representation. Here are a couple of examples:

netmask 192.168.1.1 -b - bit view

netmask 192.168.1.1 -c - CIDR view

netmask 192.168.1.1 -s - standard view

netmask 192.168.1.1 -r - range view

root@bt:~# netmask 192.168.1.1 -b
11000000 10101000 00000001 00000001 / 11111111 11111111 11111111 11111111

root@bt:~#netmask 192.168.1.1 -c
    192.168.1.1/32

root@bt:~# netmask 192.168.1.1 -s
    192.168.1.1/255.255.255.255

root@bt:~# netmask 192.168.1.1 -r
    192.168.1.1-192.168.1.1     (1)

Látszik, hogy a routerem is /32-t ad vissza annak ellenére hogy /24 a subnet mask.

lanmap

lanmap.

A very simple little tool that is able to make a drawing about what it sees on the LAN. The program does not generate any traffic, just passively listening on the configured NIC. This implies that it is relatively time consuming to find devices (it's running and listening continuously). To speed up the process, I used netenum, which I wrote about previously. I got this:

Backtrack basics: 6. Setting static IP address

We can set the IP, default gateway and DNS server with the following 3 commands:

ifconfig eth0 192.168.1.55/24
route add default gw 192.168.1.1
echo nameserver 192.168.1.1 > /etc/resolv.conf

netenum

netenum is a simple ping utility. We supply a subnet and a timeout and it will ping all hosts in the given subnet. If we don't set a timeout, then it will just show all the IPs in the subnet.

Running it on my LAN, it found my two PCs, my phone and the router.

0trace

This one is an interesting traceroute utility. It requires an established TCP connection, and using that will do the trace. This is good, cause firewalls allows established TCP connections through, and thus won't filter the trace. Usage of this a bit more complicated then the others.

1. Open a TCP connection - telnet [IP address] 80
2. Start 0trace - ./0trace.sh eth0 [IP address] 80  
3. Generate some network traffic (TCP activity) - GET / HTTP/1.0

It won't work, if:

• The FW at the target drops outgoing ICMP packets
• The FW at the target rewrites the TTL field
• There is an application layer proxy / loadbalancer in the traffic way
• No L3 infrastructure behind the FW

And as the tool, has a recognizable TCP fingerprint, IDS and IPS systems can detect it.

Official website: http://lcamtuf.coredump.cx/

itrace

itrace. Almost the same as the previous tool, but this one uses ICMP ECHO packets to perform a traceroute.

Similar options, as in the previous, not much to add. By the way Windows uses ICMP packets for doing traceroute.

tctrace

Finally a new folder :) Information gathering -> Route

tctrace is a traceroute tool, which uses TCP SYN packets for doing it. This can be good if we know that the firewall is allowing some TCP ports.

By default it uses port 80, but we can set anything.

You can see an example above. X is a variable in the options.

It doesn't work in all cases, cause many providers can detect and filter trace like this.

WhatWeb

Is not entirely clear why this tool is between the search engines, but whatever. This is the last in the list.

WhatWeb examines the fingerprint of web servers. When you open a web page, you can obtain a lot of information from the server, webapplications, content management systems (CMS), etc. ... the list is quite long.

The program has about 250 plugin, which can identify all kinds of content. If there is something, which you can't find, you can write your own. It has quite a few options, but by default, the run is pretty simple:

root@bt:/pentest/enumeration/www/whatweb# ./whatweb csabyblog.blogspot.com

From this example, we can reveal that this page is running on a GSE web server.

Official website: http://www.morningstarsecurity.com/research/whatweb

Backtrack basics: 5. Changing desktop

In Backtrack 4 we can choose between two desktops: kde és fluxbox. Two switch between the two we can use the dragon utility:

The command to change to fluxbox::

dragon >> desktop fluxbox

After being set we can start the GUI as usually. Personally I like the kde more.

Backtrack basics: 4. Turning OFF

If we would like to properly terminate our Backtrack, we can do that with the "poweroff" command:

gooscan

Another a Google search tool. If we write good enough query, we can discover many vulnerabilities. We must specify where we are searching (URL) and the query itself. We have a couple of other options, such as domain, proxies, output files, etc..

The program comes with a little extra, there are pre-built queries, stored in a files, which can be found in the directory below (.gs files):

/pentest/enumeration/google/gooscan/data_files

If we want to use them, you can do that with the "-i" option (in their example, it is mistakenly written with -f). Of course, we can write our own. We need to pay attention to that all our queries within the file will run, which can take a while.

In the author web-site we can find lot of additional queries, which we can try, either with this program, either directly on Google.

http://johnny.ihackstuff.com/ghdb/

Backtrack basics: 3. GUI

Starting the GUI:

startx

That's it.

The Harvester

I will continue my exploration of the search apps. Only two remained after this. The following is "The Harvester". This program is essentially searches for email addresses and subdomains. The options are shown below. As usual, you can set the domain, the search engine (except Google all of them are new to me, because none of them have been seen in previous programs), how many hits to process and whether to resolve domain names to IP addresses.

An example for the search:

For me it seems much more effective for finding email addresses compared to the previous tool.

Backtrack basics: 2. Dynamic IP address

By default Backtrack starts with no networking enables. We have two options to set IP: dynamic or static. Dynamic can be set with (starting a DHCP client):

dhclient eth0
eth0 is the network card.

goorecon

Well, this program is pretty much knows the same as the others. Google-based search.

It can search for email addresses and subdomains. First we specify what, and then the where (main domain):

It prints the results to the stdout, as opposed to goohost, which wrote it to a file. We get the IP addresses beside the hostnames as well. The effectiveness of each tool is different, so when we collect information, you may want to try all of them.

goohost

Goohost. Another Google based search. Let's see:

Basically we can search subdomains, ip addresses and email addresses belonging to a given domain. We can specify how many result pages to download from Google. An example:

 

I don't think that it's too difficult to use, so that's it for this time.

Backtrack basics: 1. Logging in

Beside the tools I will write sometimes about some basic usage as well. The first is the login.

username: root

password: toor

Changing password: "passwd" command.

goog-mail

Moving to the "searchengine" folder, we find 8 apps, which uses search engines for information gathering. I already checked two (typically the tools can be found in multiple directories, based on their function). The next one is goog-mail.

It's very simple. It takes email addresses from Google search, and it has one argument, which is a domain. Command:

I didn't found it very successful, but it's up to you to decide.

SEAT (Search Engine Assessment Tool)

The second tool is the SEAT (Search Engine Assessment Tool). This is an information-gathering tool that can search data with more than one search engine, on multiple threads and various conditions. Thus, this is also built on existing search engines' databases. So let's see. Launch:

The complete documentation, and some great videos about the usage can be found here:

http://midnightresearch.com/projects/search-engine-assessment-tool/

Not much I would write about it because I have learned the usage from the above video, which is quite simple. The program is essentially divided into three panels. On the first we set the search criteria, on the second page the search engine settings and on the third we can analyze the results.

For some reason I never throw a hit, if anyone knows why please post it on a comment.

Beginning

So. I decided to look through all of the BackTrack 4 pre-installed applications and get to know them. I will document them here, partly for myself, but maybe somebody else find it handy. I have only limited knowledge of network security / security, so probably it will not be perfect, but you can correct me if I write something stupid. :-)

The first is the Metagoofil tool, which can be found here:

Briefly is designed to search files in a given domain, it will download and extract the metadata (who, when edited the last time, etc ...), and it will generate a report, so that tells you what user names exist in a given domain. The program is completely based on a Google search, and since they have recently changed the listing of results, we need to edit the python code to produce results. The solution can be found here:

http://www.cedarlug.org/mediawiki/index.php/Things_Google_Won%27t_%28or_didn%27t%29_Find_For_Me

An example for running:

It does not handle very well special foreign characters, but otherwise it's very handy. In short, that's it, it's worth to experiment it.