IV Needle: May 2009

Saturday, May 30, 2009

Metasploit Quick Tutorial

>: /pentest/exploits/framework3
>: ./msfconsole
msf > use exploit/...
msf > set PAYLOAD ...
msf > set RHOST ...
msf > set RPORT ...
msf > set LHOST ...
msf > set LPORT ...
msf > exploit

BAM

Thursday, May 28, 2009

Trying out the new "Email-to-Post" blog feature

In theory, thanks to Google magic... this email will be posted on the blog.

Tuesday, May 26, 2009

Glass Firefox Extension

Sexy...

http://www.neowin.net/forum/index.php?showtopic=746714

Saturday, May 16, 2009

Nmap OS Fingerprinting

Active OS Fingerprinting (Gen1) - Nmap versions <>TCP Sequence Prediction

SYN packet to open port

NULL packet to open port

SYN|FIN|URG|PSH packet to open port

ACK packet to open port

SYN packet to closed port

ACK packet to closed port

FIN|PSH|URG packet to closed port

UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)

TCP ISN greatest common denominator (GCD)
TCP ISN counter rate (ISR)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence boolean (SS)
TCP timestamp option algorithm (TS)
TCP initial window size (W, W1 - W6)
IP don’t fragment bit (DF)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)

Nmap Top Port Scan Performance Options

--host-timeout: (Asks Nmap to give up on hosts that take more than the given amount of time to scan)
--max-retries: (Specifies the maximum number of port scan probe retransmissions to a single port)
--min_rtt_timeout:, --max_rtt_timeout:, --initial_rtt_timeout: (Amount of time that Nmap will wait for a port scan probe response)
--min-rate, --max-rate (The min and max number of probe packets Nmap sends per second
--min_parallelism:, --max_parallelism: (Number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding)
--scan_delay:, --max-scan-delay: (Amount of time between sending probes to any individual host (the scan delay can grow as Nmap detects packet loss, so a maximum may be specified)

Nmap Version Scanning (-sV)

When Nmap identifies an open port, it displays the default service commonly associated with that port (Based on list of about 2,200 services in nmap-services file)
What about services not on the list?
What about services on unexpected ports?(i.e. HTTP on T:90 or sshd on T:3322)
--version-trace (option shows probe details in real time)

Nmap Version Scanning Technique

NULL probe
- If port is TCP, Nmap connects to it and listens for roughly 5 seconds for initial welcome banner
- If data is received, it is compared to signatures in nmap-services-probes
Probable Port probes (share connection from 1.)
- All UDP ports and TCP ports that failed (or soft-matched) NULL probing
- Every probe has a list of probable port numbers
- Probes that match the port send a probe string to the port
- Responses are compared to regular expressions
Sequential Probes
- New connection for each probe (to avoid corrupting next probe)
- Uses ‘rarity’ metric to avoid trying probes that are extremely unlikely
SSL probes
- If Sequential Probes determine the target port is running SSL and if OpenSSL is available, Nmap connects back via SSL and restarts scan
Nmap RPC Grinder
- If generic probe identifies RPC-based service, Grinder brute-forces the RPC program number/name and supported version numbers

Nmap UDP Scans (-sU)

Scans generally slower and more difficult than TCP
Sends empty (no data) UDP header to target ports
ICMP response rate-limiting detection
- Closed ports typically respond ICMP Port Unreachable
- OS limits ICMP responses (Linux limits to 1/sec)
- Nmap slows down to avoid wasting packets
- 65,536-ports @ 1/sec > 18 hours for one host

Nmap Runtime Interaction

p = turn on packet tracing
v = increase verbosity
d = increase debugging level
Shift + [p,v,d] inverts
AnyOtherKey = print status message
- Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
- % done, ETA remaining

Nmap Timing Options (-T)

Paranoid (0) - scan serially, wait 5min between packets
Sneaky (1) - scan serially, wait 15 seconds between packets
Polite (2) - scan serially, wait .4 seconds between packets
Normal (3) [def] - parallel scan, multiple packets to multiple ports at once
Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-ou

TCP Idle Scan

1998…Security researcher Antirez (who also wrote hping2) posted to the Bugtraq mailing list
One way to determine whether a TCP port is open is to send a SYN packet to the port. The target machine will respond with a SYN/ACK packet if the port is open, and RST if the port is closed.
A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
Every IP packet on the Internet has a fragment identification number (IPID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
Three cases ‘open’, ‘closed’, and ‘filtered’ port
The actors:
- The Attacker

- The Zombie

- The Target

Case 1: Open Port

Case 2: Closed Port

Case 3: Filtered Port

Nmap Idle Scans (-sI)

Find a suitable Zombie
- We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
Execute the scan
- Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.

FTP Bounce Scan

RFC 959 October 1985 - File Transfer Protocol
DATA PORT (PORT)
“The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation).
The fields are separated by commas.
A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap

-b [][:]@[:]
Most modern FTP servers have fixed this vulnerability, but many modern printers that support FTP have forwarding capabilities turned on by default

Nmap FTP Bounce Scans

Most common results of FTP bounce scan attempts

# nmap -PN -b ftp.microsoft.com google.com

Starting Nmap ( http://nmap.org )
Your FTP bounce server doesn’t allow privileged ports, skipping them.
Your FTP bounce servers sucks, it won’t let us feed bogs ports!

Successful FTP bounce scan

# nmap -p 22,25,135 -PN -v -b XXX.YY.111.2 scanme.nmap.org

Starting Nmap ( http://nmap.org )
Attempting connection to ftp://anonymous:-wwwuser@@XXX.YY.111.2:21
Connected:220 JD FTP Server Ready
Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against scanme.nmap.org (64.13.134.52)
Adding open port 22/tcp
Adding open port 25/tcp
Scanned 3 ports in 12 seconds via the Bounce scan.
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc

Nmap done: 1 IP address (1 host up) scanned in 21.79 seconds

Port Scanning with Nmap

-sT: Connect TCP scan (aka “polite”)
-sS: SYN scan (aka “half-open”)
- Harder to detect
- Much quicker
-sF, -sN, -sX: FIN, NULL, and Xmas scans
- RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66 - regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
- Compliant systems respond to packets not containing SYN,RST, or ACK bits with RST if closed and no response if port is open
--scanflags: Custom Scan Types
- Any combination of URG, ACK, PSH, RST, SYN, and FIN
- Non-delimited list (URGACKPSHRSTSYNFIN)
-sA: TCP ACK scan
- Does not determine port state
- Useful to map firewall rulesets and whether they are stateful or not
- ‘open’ and ‘closed’ reachable ports reply RST = ‘unfiltered’
- ‘filtered’ ports don’t respond or send ICMP errors
-sW: Window TCP scan
- Same as ACK scan, however examines TCP Window value of RST
-sM: Maimon scan (FIN/ACK)
- Uriel Maimon (Phrack Magazine, Nov. 1996)

Port Selection Examples (-p | -F)

-p 22 (Scan a single port)
-p ssh (Specify port names rather than numbers)
-p 22,25,80 (Multiple ports seperated with commas (protocol determined by scan))
-p 80-85,443,8000-8005,8080-8085 (Ranges specified by [-] multiple ranges separated by [,])
-p -100,60000- (Can omit beginning or ending of range to imply ports 1 & T:65535 | U:255)
-p- (Omit beginning and end numbers to scan the entire range (excluding 0))
-pT:21,23,110,U:53,111,137,161 (For scans which include UDP and TCP types, port lists can specify ports for each protocol)
-p http* (Wildcards may be used to match ports with similar names (may need to shell-escape))
-p 1-1023,[1024-] (Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)

Traceroute with Nmap

--traceroute
Determines what sort of probe will be most effective based on scan results
- ICMP | TCP specific port | UDP specific port
Sends probes in parallel
“goes backwards” for efficiency
Sends probe with high TTL based on guess derived from scan results so far and determines exact number of hops
- If response from end host, lowers TTL
- If ICMP Time Exceeded message, raises TTL

Sweeping with nmap

# nmap [options]
By default Nmap will ping targets before scanning them and only scan ‘up’
Sweep types:
-sP: Ping Scan (only)
-PN: Disable Ping
-PS: TCP SYN Ping (comma sep list)
-PA: TCP ACK Ping (requires priv)
-PU: UDP Ping
-PE,-PP,-PM: ICMP Ping Types [Echo (8/0), Timestamp (13/14), Address Mask (17/18)]
-PO: IP Protocol Ping [def ICMP+IGMP+IP-in-IP]
-PR: ARP Scan
Defaults:
Privileged Users: -PA+-PE | Local=-PR
Unprivileged: -PS

Scanning with nmap

Nmap Security Scanner

Developed by Fyodor, Nmap (“Network Mapper”) is free / open-source utility for network exploration or security auditing.
Linux Journal’s Editor’s Choice Award for Best Security Tool
LinuxQuestions.Org Security App of the Year award
- 1. Nmap (56.45%), 2. Snort (15.5%), 3. Nessus (14.9%)
Info World’s Best Information Security Product award
Codetalker Digest Security Product of the Year award

Sweeping with nmap

# nmap [options]
By default Nmap will ping targets before scanning them and only scan ‘up’
Sweep types:
-sP: Ping Scan (only)
-PN: Disable Ping
-PS: TCP SYN Ping (comma sep list)
-PA: TCP ACK Ping (requires priv)
-PU: UDP Ping
-PE,-PP,-PM: ICMP Ping Types [Echo (8/0), Timestamp (13/14), Address Mask (17/18)]
-PO: IP Protocol Ping [def ICMP+IGMP+IP-in-IP]
-PR: ARP Scan
Defaults:
Privileged Users: -PA+-PE | Local=-PR
Unprivileged: -PS

Traceroute with Nmap

--traceroute
Determines what sort of probe will be most effective based on scan results
- ICMP | TCP specific port | UDP specific port
Sends probes in parallel
“goes backwards” for efficiency
Sends probe with high TTL based on guess derived from scan results so far and determines exact number of hops
- If response from end host, lowers TTL
- If ICMP Time Exceeded message, raises TTL

Port Selection Examples (-p | -F)

-p 22 (Scan a single port)
-p ssh (Specify port names rather than numbers)
-p 22,25,80 (Multiple ports seperated with commas (protocol determined by scan))
-p 80-85,443,8000-8005,8080-8085 (Ranges specified by [-] multiple ranges separated by [,])
-p -100,60000- (Can omit beginning or ending of range to imply ports 1 & T:65535 | U:255)
-p- (Omit beginning and end numbers to scan the entire range (excluding 0))
-pT:21,23,110,U:53,111,137,161 (For scans which include UDP and TCP types, port lists can specify ports for each protocol)
-p http* (Wildcards may be used to match ports with similar names (may need to shell-escape))
-p 1-1023,[1024-] (Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)

TCP Header (RFC 793 + 3168)

Port Scanning with Nmap

-sT: Connect TCP scan (aka “polite”)
-sS: SYN scan (aka “half-open”)
- Harder to detect
- Much quicker
-sF, -sN, -sX: FIN, NULL, and Xmas scans
- RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66 - regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
- Compliant systems respond to packets not containing SYN,RST, or ACK bits with RST if closed and no response if port is open
--scanflags: Custom Scan Types
- Any combination of URG, ACK, PSH, RST, SYN, and FIN
- Non-delimited list (URGACKPSHRSTSYNFIN)
-sA: TCP ACK scan
- Does not determine port state
- Useful to map firewall rulesets and whether they are stateful or not
- ‘open’ and ‘closed’ reachable ports reply RST = ‘unfiltered’
- ‘filtered’ ports don’t respond or send ICMP errors
-sW: Window TCP scan
- Same as ACK scan, however examines TCP Window value of RST
-sM: Maimon scan (FIN/ACK)
- Uriel Maimon (Phrack Magazine, Nov. 1996)

FTP Bounce Scan

RFC 959 October 1985 - File Transfer Protocol
DATA PORT (PORT)
“The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation).
The fields are separated by commas.
A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap

-b [][:]@[:]
Most modern FTP servers have fixed this vulnerability, but many modern printers that support FTP have forwarding capabilities turned on by default

Nmap FTP Bounce Scans

Most common results of FTP bounce scan attempts

Successful FTP bounce scan

Find a suitable Zombie
- We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
Execute the scan
- Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.
Example: # nmap -PN -p -sI [:src-port]

# nmap -PN -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
1030/tcp open iad1
2306/tcp open unknown
5631/tcp open pcanywheredata
7937/tcp open unknown
7938/tcp open unknown
36890/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

Nmap UDP Scans (-sU)

Scans generally slower and more difficult than TCP
Sends empty (no data) UDP header to target ports
ICMP response rate-limiting detection
- Closed ports typically respond ICMP Port Unreachable
- OS limits ICMP responses (Linux limits to 1/sec)
- Nmap slows down to avoid wasting packets
- 65,536-ports @ 1/sec > 18 hours for one host

Nmap Runtime Interaction

p = turn on packet tracing
v = increase verbosity
d = increase debugging level
Shift + [p,v,d] inverts
AnyOtherKey = print status message
- Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
- % done, ETA remaining

Nmap Timing Options (-T)

Paranoid (0) - scan serially, wait 5min between packets
Sneaky (1) - scan serially, wait 15 seconds between packets
Polite (2) - scan serially, wait .4 seconds between packets
Normal (3) [def] - parallel scan, multiple packets to multiple ports at once
Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-out

Nmap Top Port Scan Performance Options

--host-timeout: (Asks Nmap to give up on hosts that take more than the given amount of time to scan)
--max-retries: (Specifies the maximum number of port scan probe retransmissions to a single port)
--min_rtt_timeout:, --max_rtt_timeout:, --initial_rtt_timeout: (Amount of time that Nmap will wait for a port scan probe response)
--min-rate, --max-rate (The min and max number of probe packets Nmap sends per second
--min_parallelism:, --max_parallelism: (Number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding)
--scan_delay:, --max-scan-delay: (Amount of time between sending probes to any individual host (the scan delay can grow as Nmap detects packet loss, so a maximum may be specified)

Nmap Version Scanning (-sV)

When Nmap identifies an open port, it displays the default service commonly associated with that port (Based on list of about 2,200 services in nmap-services file)
What about services not on the list?
What about services on unexpected ports?(i.e. HTTP on T:90 or sshd on T:3322)
--version-trace (option shows probe details in real time)

Nmap Version Scanning Technique

NULL probe
- If port is TCP, Nmap connects to it and listens for roughly 5 seconds for initial welcome banner
- If data is received, it is compared to signatures in nmap-services-probes
Probable Port probes (share connection from 1.)
- All UDP ports and TCP ports that failed (or soft-matched) NULL probing
- Every probe has a list of probable port numbers
- Probes that match the port send a probe string to the port
- Responses are compared to regular expressions
Sequential Probes
- New connection for each probe (to avoid corrupting next probe)
- Uses ‘rarity’ metric to avoid trying probes that are extremely unlikely
SSL probes
- If Sequential Probes determine the target port is running SSL and if OpenSSL is available, Nmap connects back via SSL and restarts scan
Nmap RPC Grinder
- If generic probe identifies RPC-based service, Grinder brute-forces the RPC program number/name and supported version numbers

Active OS Fingerprinting (Gen1) - Nmap versions < 4.51 include first-generation (-01)

TCP Sequence Prediction
SYN packet to open port
NULL packet to open port
SYN|FIN|URG|PSH packet to open port
ACK packet to open port
SYN packet to closed port
ACK packet to closed port
FIN|PSH|URG packet to closed port
UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)

TCP ISN greatest common denominator (GCD)
TCP ISN counter rate (ISR)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence boolean (SS)
TCP timestamp option algorithm (TS)
TCP initial window size (W, W1 - W6)
IP don’t fragment bit (DF)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)

Outputing in terminal while writing to file...

After the write to file command, add ' & tail -f '

For example:

nmap -PS 192.192.0.0/16 > output.txt & tail -f output.txt

This will display the contents of your output file to the terminal as it is written.

Network Mapping / Tracing

Windows - tracert

Sends ICMP Echo Request
Small TTLs ++
C:\> tracert
-d: Don’t resolve names
-h [N]: Max hops (def 30)
-j [hostlist]: Loose source routing, sp-seperated
-w [N]: millisec * timeout (def 4000)

Linux/Unix - traceroute

UDP packets 33434++
Each hop measured 3x
# traceroute
-f [N]: TTL for first packet
-g [hostlist]: Loose source routing (8 hops max)
-I: use ICMP Echo Request
-m [N]: Max hops
-n: Don’t resolve names (use numbers)
-p [port]: Base UDP port
-w [N]: seconds * timeout (def 5)

Layer Four Traceroute (LFT) (v3.1 May 2008)

Linux / MacOS free
Windows GUI paid (Path Analyzer Pro)
Traverses many IDS/IPS
TCP/UDP/ICMP probes
$ lft [options] address
-d [port]: destination port (set to port FW allows)
-s [port]: source port
-E/e: Enable Adaptive engine (tries several TCP states to improve chances of success)
-A: displays ASNs (uses various whois servers)

TCP Initialization Sequence

TCP Connection Scenarios

TCP Connection Scenarios “filtered”

UDP Traffic Scenarios

UDP Traffic Scenarios "open|filtered"

Port inaccessible
Possible Reasons:
- Port is closed
- Firewall is blocking inbound UDP packet
- Firewall is blocking outbound response
- Port is open, but would only respond to specific data in the UDP payload
Ultimately…no way to know

Thursday, May 14, 2009

Visual Trace Tools... Sweetness

Visual traceroute using Google maps...

Network Tools by YouGetSignal.com

Kismet Options

This is a great resource for understanding Kismet's interface...

Kismet Main Page

Wednesday, May 13, 2009

Network Sweeping

ICMP-type8 Echo Requests ‘Pings’

Frequently blocked
Noisy + frequently monitored / signature

TCP packets to likely open ports

3-way initialization
Various possibilities
May traverse IDS/IPS

UDP packets to likely closed ports

ICMP Port Unreachable messages
Non-reliable

Angry IP Scanner (v2.21 Apr 04 / v3.0-beta4 Mar 09) [Some AV software may have signature]

v2.x - Windows-XP
- Standalone binary
v3.x - Cross-platform
- Requires Java
- Windows 2000/XP/Vista | MacOS X Intel/PPC | Linux
Threaded for each scanned IP
ICMP Echo Request sweep
TCP port scan
Gets MAC addresses
Gathers NetBIOS names and Workgroups

ICMPQuery (v1.0.3 2000) [Dave Andersen cs.ut.edu -> cs.cmu.edu]

CLI Linux/Unix
ICMP Timestamp (t13) and Address Mask Request (t17)

Tuesday, May 12, 2009

War Driving

2001... Peter Shipley
-Drove around Silicon Valley
-Discovered hundreds of APs
War Walking
War Flying
War Biking
War Chalking
All = War Driving (AKA 'stumbling')
http://www.wardriving.com/

Active Scanning

Sending probe packets
802.11 packets with ESSID of 'Any'
Response from WLAN access points

NetStumbler v0.4.0 (Apr 2004)

802.11a/b/g
MAC addresses
ESSID
Wireless channels
Signal strength
[IP addresses]
Wireless Security

Passive Listening

Wireless promiscuous mode
rfmon mode
vistarfmon (Josh Wright http://inguardians.com/tools/)
All wireless packets incl. mgmt frames

Wellenreiter (v1.9 Aug 2003) [Ger: wave runner / surfer]

Stealth ESSID broadcasts
Channel
MAC Addresses
Security
DHCP / ARP
-list of IPs
tcpdump compatible

Wellenreiter II (handhelds)

Kismet (v2008-05-R1 May 08)

802.11a/b/g + GPS mapping
tcpdump compatibility
Hidden SSID decloaking
Graphical network mapping
Mfgr/Model APs and clients
Known defaults detection

War Dialing

Numbers
Range: random, sequential, list
Nudging
Jamming
THC-Scan v2.1 (Oct 2005)

Scanning

War Dialing
War Driving
Sweeping
Mapping (tracing)
Port Scanning
OS Fingerprinting
Version Scanning
Vulnerability Scanning

Sunday, May 10, 2009

BT3 - USB Wireless HCL

Below is the list of wireless usb dongles and their compatibility with BackTrack3 from a VMware machine...

HCL:Wireless - Offensive-security.com

Friday, May 8, 2009

More Recon Tools

Sam Spade (by Steve Atkins)

Network query tool for Windows
Ping, DNS Lookup, Whois, DNS Zone Transfer, Traceroute, Finger, SMTP Verify, Mirror Website, Check Time, Keep-alive, etc.

Spiderfoot (by Steve Micallef)

Input domain name(s)
Crawls website(s) for links and subdomains
Reverse DNS lookups for IPs of findings + given block(s)
Whois lookups {www,mail}.domains.{com,us,etc}
Google searches with SOAP API

BiLE Suite

BiLE-weigh.pl ($ ./BiLE-weigh.pl [site_of_interest] [BiLE_output.mine]) - Comples weighting algorithm to determine 'related' score
tld-expand.pl - Over 250 TLDs and does DNS lookup
vet-IPrange.pl + vet-mx.pl - Are results of previous tools in defined range - (ex. What are the mail-servers for each domain?)
qtrace.pl - Uses hping to traceroute all target IPs - Outputs hop-by-hop paths to target

BiLE Recon Assembly-Line

BiLE -> Bile-weigh -> tld-expand -> vet-IPrange + vet-mx -> qtrace

BiLE DNS Tools

Jarf-rev - Input target network range - Output reverse DNS lookups for each address
Jarf-dnsbrute - Input domain + dictionary - Output DNS lookup for every sub-domain

Metadata

Info in Metadata

Includes MAC address, user names, edits, GPS info (depending on file format)

JPG
- EXIF (Exchangeable image file format)
- IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Etc

Metadata Tools

Recon Automation

Automating Google Recon

SiteDigger (v2.0 Released Jan 2005) [Win]
Wikto (v2.1 Released Dec 2008) [Win]
Gooscan (~2006) [Lin] ... can be found in BackTrack
Goolag (v1.0.0.41 Mar 2008) [cDc/Win]

Google Proxies

Dec 2006... Google stops giving out SOAP API keys (deprecated)
Mar 2009 AJAX API 'graduates' from Google Code
Aug 2009... Google will disable the SOAP API

Google Proxy Tools

AURA (API Usable / Re-usable Again)
EvilAPI (defunct?)

Thursday, May 7, 2009

Google Hacking

“Google, properly leveraged, has more intrusion potential than any hacking tool.” - Adrian Lamo (Grey Hat Hacker, hacked NY Times, Yahoo, etc.)

See this book: Google Hacking For Penetration Testers - Johnny Long

Google Searching Basics

Preferences and Advanced

Preferences
Language Tools
Advanced Search

Advanced Directives

site: (Searches only within a given domain)
[all]intext: (Shows pages with all terms in page text)
[all]inurl: (Shows pages whose URL matches)
[all]intitle: (Shows pages whose title matches)
filetype: (ext:) vs. searchterm
phonebook: (General)
bphonebook: (Business)
rphonebook: (Residential)
link: (Shows all sites linked to a given site)
related: (Shows similar pages [hit/miss])
cache: (Google cache)
info: (Cached + link: + related: ... Not very useful)
daterange: (Indexed by Google during dates within range) -Must always be a range - Must be in Julian Date form (Number of days since Jan 1, 4713 B.C.)
vs &as_qdr={h.d.w.m.y}[2..x]

Operators

""
(|) / (OR v. or)
(-) (+)
(.) (*)
(..) / numrange
(~)

Google Hacking Database

Available remote desktop systems
Default web material
Indexable directories
UserIDs and passwords
Shell history
GHDB of "GoogleDorks" (http://johnny.ihackstuff.com)

Inventory

Target

Name
IP Address(es)
OS
Open Ports
Known Vulnerabilities
Administrative Accounts / Passwords
Other Accounts / Passwords

How Discovered?

Findings

Objectives
Exploitation Attempts
Results
Obtained Flag (Pwnd?)

Web-based Recon

Target's own websites:

Press releases
White Papers
Design Documents
Sample deliverables
Open positions
Key people
Contacts

Related Sites:

Business partners, ISP, suppliers
Competitors, review sites

Public Databases:

SEC's Edgar database (Public Companies... http://www.sec.gov/edgar/quickedgar.htm)
Job Sites (monster.com, hotjobs.com, etc.)
Blogs
Social Networking Sites
Newsgroups
Wayback Machine

On/Off-line

Newspapers
Magazines
Etc.

DNS Interrogation

DNS Record Types (http://en.wikipedia.org/wiki/List_of_DNS_record_types)

A: IPv4 Address record
CNAME: Canonical Name (alias)
MX: Mail Exchange record (mail servers for domain)
NS: Name Server record (authoritative name server)
PTR: Pointer for inverse lookups record (reverse record)
SOA: Start of Authority record (server authoritative for zone)
TXT: Text record (arbitrary text string - often used vs. spam)
HINFO: Host Information record (formerly system type) - rarely used
RP: Responsible Person record (info of human) - rarely used
SRV: Service Locator record (host/port info - used for newer protocols instead of creating proto-specific records like MX) - rarely used

nslookup (+interactive mode)

server
set
- type=any
- [no]recurse
ls -d [> filename]
view

DNS Cache Snooping - Luis Grangia (http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf)

dig [@global-server [domain] [type]

dig @ -t AXFR (All zone transfer)
dig @ -t IXFR= (Incremental zone transfer, retrieving records since SOA serial number was N)
+[no]recursive (recursive searches default)
Dig for Windows (http://www.nscan.org/dig.html)

DNSstuff.com & DNS Query Websites

http://member.dnsstuff.com/pages/tools.php
DNS Report (Improved, lots of info – but only trial free now)
Whois/IPWhois Lookup
IP Information (City, Country, etc.)
URL Deobfuscator
Traceroute

Whois Lookups

InterNIC -> Individual Registrar (sometimes more detail)

Web-based whois searches:

CLI 'whois':

Direct vs. Automatically Redirected
whois [-h HOST] OBJECT

IP Address Assignments:

ARIN (http://www.arin.net): North America

Max 256 results
Query-by-record-type:
- n: network address space
- a: automation system
- p: point of contact
- o: organization
- c: end-user customers
Query-by-attribute:
- @: match domain portion of an email address
- ! : match handle or id
- . : match by name
Display flags:
- + : FULL output (details for each match)
- - : LIST output (summary only)

RIPE NCC (http://www.ripe.net): Europe, Middle East, Central Asia
APNIC (http://www.apnic.net): Asia and Pacific Region
AUNIC (http://www.aunic.net): Australia
LACNIC (http://www.lacnic.net): Latin America and Caribbean
AfriNIC (http://www.afrinic.net): Africa

Reconnaissance

The following are reconnaissance techniques:

Hacking Techniques

As outlined in my Ethical Hacking Class:

Reconnaissance
Scanning
Exploitation
Maintaining Access (Malware)
Evading Detection

Wednesday, May 6, 2009

Firefox Add-on List

These are my favorite Firefox Add-ons:

Google Reader Watcher - Adds a notification on status bar that tells me how many unreader feeds I have waiting.
Hide Menubar - Hides the Menubar (a la IE7) to give yourself more screen to view.
OpenDownload - Gives you an option to open a downloaded file instead of just saving it locally.
Xmarks - Best bookmark/password manager I have found.
DownThemAll! - Awesome Download utility.
Office 2007 Black - Black theme if you are into that.
CHM Reader - Allows you to read Windows Help files in the browser.

Sunday, May 3, 2009

Windows Command Prompt Resources

Sites that give good information on Windows Command Prompt commands: