Eden of Ire - NEW New Dev

Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

OAT sh opwg.sh -s ip_address OR c:\opwg -s ip_address

Oscanner sh oscanner.sh -s ip_address OR c:\oscanner -s ip_address

Run Oracle Security Check (needs credentials)

Run LSNrCheck

Run NGS Squirrel for Oracle

Use DBVisualisor

Sql scripts from pentest.co.uk

Manual sql input of previously reported vulnerabilties

Oracle default password list

OAT sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID

NFS Port 2049 open

showmount -e hostname/ip_address

mount -t nfs ip_address:/directory_found_exported /local_mount_point

Interact with NFS share and try to add/delete

RDesktop port 3389 open

Remote Desktop Connection

TSGrinder

Sybase Port 5000+ open

sybase-version ip_address from NGS

Use DBVisualiser

Sybase Security checksheet

Copy output into excel spreadsheet

Evaluate mis-configured parameters

Manual sql input of previously reported vulnerabilties

Network Backbone

Wireshark (Formerly Ethereal)

ip.src == ip_address

ip.dst == ip_address

tcp.dstport == port_no.

! ip.addr == ip_address

(ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

Cisco-Torch

./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

NTP-Fingerprint

perl ntp-fingerprint.pl -t [ip_address]

cge

Manual Check (Credentials required)

Yersinia

p0f

./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

PIXDos

perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=M AC] [--destmac=MAC] [--port=n]

Password cracking

John the Ripper

./unshadow passwd shadow > file_to_crack

./john -single file_to_crack

./john -w=location_of_dictionary_file -rules file_to_crack

./john -show file_to_crack

./john --incremental:All file_to_crack

L0phtcrack

Domain credentials

Sniffing

pwdump import

sam import

Rainbow crack

ophcrack

rainbow tables

rcrack c:\rainbowcrack\*.rt -f pwfile.txt

pwdump

pwdump [-h][-o][-u][-p] machineName

Pre-Inspection Visit

Introduction

Authority to test

Who we are

What we do

Accreditation Status

Interim

Re-accreditation

Full

Scope of Test

Stage of Lifecyle

Interim Operating Capability

Final Operating Capability

Major upgrade

Known waivers/exemptions

Known to Accreditor

Risk Assessments completed

Exemptions from test

Development builds

Joint-owned equipment

Laptops

Trial Applications

Unstable Hosts

Contractural constraints

Service Level Agreement in place

Waiver letter required for test

Local equipment requirement

CAT5 taps and speed

Fibre taps/converter requirement

Local Internet access

Filtered

Unfiltered

Downloads/exports allowed

Office space

Power available

Refreshments

Local manpower requirement

Application administrators

Database administrators

Network administrators

Operating System administrators

Points of Contact

Accreditor

Database Administrator

Local Security Officer

System Administrator

Networking Administrator

Reporting Timescales

Normal timescale

Local requested timescale

Privacy/Commercial Protective Marking required

Distribution List

Previous tests & reports

Penetration Tests

Reason for test

Who carried out

When carried out

Vulnerability Assessments

Reason for test

Who carried out

When carried out

Release timescale

Start of test

During test

End of test

Physical inspection

Major work areas

Network equipment room

Server room

Network Reconnaisance

Whois

Google

General Information

Financial

Phone book

Google Hacking Database

Social Engineering

Dumpster Diving

Web Site copy

htttrack

teleport pro

Zone Transfer

nslookup

nslookup [ -option ... ] [ host-to-find | - [ server ]]

dig

dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

host

host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ]

Cheops-ng

Enumeration
Enumeration can serve two distinct purposes in Vulnerability Assessment:

OS Fingerprinting
Remote applications being served.

OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (nmap) or passively (scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent.

Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.

Enumerating the target host can give you an idea straight away where to concentrate your vulnerability assessment on. The best tool for this by far is of course NMAP! For further version enumerating there's AMAP and if you want a quick a easy port scanner, Dan Kaminsky's scanrand (part of the paketto suite), is furiously fast against your target host. You could also try hping which as well as being an excellent tool for testing network performance can also be used for TCP/IP stack auditing, to uncover firewall policy, to scan TCP port in a lot of different modes, to transfer files across a firewall and many other stuff. One other useful tool used to enumerate NetBios information is nbtscan. One other tool that has a few nice add-ons is Unicornscan which can be used for basic enumeration, but also for introducing specific stimuli into the target network and measuring and recording the responses gained.

Of course if all hosts are behind a firewall you need to really assess what the firewall allow and deny rules are for the network. A way to find out this information is by firewalking utilising firewalk.

Obviously a returned result from nmap will give you a bunch of open ports and the quick and easy way to enumerate services that are running and gather version and OS details is to utilise the trusty in built applications within your OS:
Enumerating with Telnet:

Port 21 - File Transfer Protocol open
telnet 192.168.0.1 21
220 remote_hostname FTP server (Version 1.1.214.8 Fri Apr 25 08:57:22 GMT 2003) ready.
User (remote_hostname:(none))
Enumerates that there is a remote ftp server running on the host and gives the version number, a simple check of google could spring up possible exploits that may effect this version. You could also try logging in as anonymous and supplying a bogus email address as the password if requested and anonymous access is allowed.

Port 23 - Telnet port open
telnet 192.168.0.1
Sun 5.6

Login
Enumerates that telnet is running on a Sun Solaris 5.6 host.

Port 25 - Simple Mail Transport Protocol open
telnet 192.168.0.1 25 220 uk03.cak.uk ESMTP Sendmail 8.9.3; Wed, 9 Nov 2005 15:29:50 GMT EXPN ROOT 250 <root@uk03.nu.cak.uk> 250 <smith.j@uk03.nu.cak.uk> EXPN BIN 250 <bin@uk03.nu.cak.uk> VRFY NOBODY 250 <nobody@uk03.nu.cak.uk> EXPN NOBODY 250 /dev/null@uk03.nu.cak.uk> VRFY ORACLE 550 ORACLE... User unknown QUIT
Enumerates that there are a number of valid accounts on this host, notably root and smith.j. From this information you could then try and brute-force the password having the username already or if you were a spammer, would have some valid accounts to send mail to.

Port 80 - Hypertext Transport Protocol open
telnet 192.168.0.1 80 -->HEAD / HTTP/1.0 --> --> HTTP/1.1 200 OK Content-Length:1433 Content-Type: test/html Content-Location: http://192.168.0.1/iistart.htm Last-Modified: Wed, 2 Nov 2005 11:21:52 GMT Accept-Ranges: bytes ETag: "98gf66c25abv54:254" Server: Microsoft-IIS/6.0 Date: Wed, 9 Nov 2005 15:29:50 GMT Connection: close
Enumerates that there is an IIS 6 web server running on the remote host and most probably running on a Windows 2k3 host. You would then tailor your vulnerability search to this version of IIS and of course the most likely OS.

Enumerating with Finger:
A bonus when enumerating is finding port 79 open, notably used by the finger service. It may be possible to enumerate a number of valid user accounts and also the OS type by passing the following command against the remote host:
finger 'a b c d e f g h'@target

Sample output:
Login Name TTY Idle When Where root Super-User console <Dec 30 08:47> :0 daemon ??? < . . . . > bin ??? < . . . . > sys ??? < . . . . > adm Admin < . . . . > lp Line Printer Admin < . . . . > smtp Mail Daemon User console <Dec 30 08:47> :0 uucp uucp Admin < . . . . > nobody Nobody < . . . . > noaccess No Access User < . . . . > smith.j Dr J Smith - Directorate 7764 <Aug 15, 2005> 192.168.0.1 andrews.f Mr F Andrews - Accounts - < . . . . > james.t Mr T James Personnel - pts/1 <Oct 15, 2005> 192.168.0.43 apache Apache Web Server < . . . . >
The output above would tell you the remote host is unix based, is probably running a web server, (apache) and there are 5 accounts you might want to try a dictionary or brute force attack against, (root, smith.j, andrews.f, james.t and apache)

Enumerating with Net View:
C:\Documents and Settings\administrator>net view \\192.168.0.1 Shared resources at \\192.168.0.1 HOME Share name Type Used as Comment -------------------------------------------------------- dd Disk SharedDocs Disk The command completed successfully.
Passing the net view command to a windows host will return a list of shares that are available, (albeit possibly tied down to an access control list) for the remote host.

NMAP

Nmap is typically utilised for network mapping, enumeration and security auditing. It can scan large networks extremely quickly and reliably and scales well from a single host to a class A network, (that may take a while though!). Nmap enumerates what hosts are alive on a network, their open ports and consequently the services/applications they are running. From this information nmap can also attempt to fingerprint the OS in use on the remote host. Another use is gleaning information on firewall rulesets which may help you further in a VA/Penetration Test type scenario.
Available from insecure.org

Installation:
Requires Winpcap 3.1 beta 4 or above
Just extract the nmap-VERSION-win32.zip file into an appropriate directory, tar -zxvf the appropriate nmap tarball or for simplicity and upgrade use the rpm facility.

Execution:
Usage: nmap [Scan Type(s)] [Options] {target specification}
Target Specification:
Can pass hostnames, IP addresses, networks, i.e. example.website.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254     -iL <inputfilename>: Input from list of hosts/networks     -iR <num hosts>: Choose random targets     --exclude <host1[,host2][,host3],...>: Exclude hosts/networks     --excludefile <exclude_file>: Exclude list from file
Host Discovery:
    -sL: List Scan - simply list targets to scan     -sP: Ping Scan - go no further than determining if host is online     -P0: Treat all hosts as online -- skip host discovery     -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports     -PE/PP/PM: ICMP echo, timestamp, netmask request discovery probes     -n/R: Never do DNS resolution/Always resolve [default: sometimes]     --dns-servers <serv1[,serv2],...>: Specify custom DNS servers     --system-dns: Use OS's DNS resolver
Scan Techniques:
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans     -sN/sF/sX: TCP Null, FIN, and Xmas scans     --scanflags <flags>: Customize TCP scan flags     -sI <zombie host[:probeport]>: Idlescan     -sO: IP protocol scan     -b <ftp relay host>: FTP bounce scan
Port Specification and Scan order:
    -p <port ranges>: Only scan specified ports;     i.e. -p22; -p1-65535; -p U:53,111,137, T:21-25,80,139,8080     -F: Fast - Scan only the ports listed in the nmap-services file)     -r: Scan ports consecutively - don't randomize
Service/Version Detection:
    -sV: Probe open ports to determine service/version info     --version-intensity <level>: 0 (light) to 9 (try all probes)     --version-light: Limit to most likely probes (intensity 2)     --version-all: Try every single probe (intensity 9)     --version-trace: Detailed version scan activity (for debugging)
OS Detection:
    -O: Enable OS detection     --osscan-limit: Limit OS detection to promising targets     --osscan-guess: Guess OS more aggressively
Timing & Performance:
    -T[0-5]: Set timing template (higher is faster)     --min-hostgroup/max-hostgroup <size>: Parallel scan group sizes     --min-parallelism/max-parallelism <msec>: Probe parallelization     --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies probe round trip time.     --max-retries <tries>: Caps # of port scan probe retransmissions.     --host-timeout <msec>: Give up on target after this long     --scan-delay/--max-scan-delay <msec>: Adjust delay between probes
Firewall/IDS Evasion & Spoofing
    -f --mtu <val>: fragment packets (optionally w/given MTU)     -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys     -S <IP_Address>: Spoof source address     -e <iface>: Use specified interface     -g/--source-port <portnum>: Use given port number     --data-length <num>: Append random data to sent packets     --ttl <val>: Set IP time-to-live field     --spoof-mac <mac address/prefix/vendor name>: Spoof MAC address     --badsum: Send packets with a bogus TCP/UDP checksum
Output:
    -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format to the given filename.     -oA <basename>: Output in the three major formats at once     -v: Increase verbosity level (use twice for more effect)     -d[level]: Set/increase debugging level (Up to 9 is meaningful)     --packet-trace: Show all packets sent and received     --iflist: Print host interfaces and routes (for debugging)     --append-output: Append rather than clobber output files     --resume <filename>: Resume an aborted scan     --stylesheet <path/URL>: XSL stylesheet to transform     XML output to HTML     --webxml: Reference stylesheet from Insecure.Org     for more portable XML     --no-stylesheet: Prevent associating of XSL stylesheet     w/XML output
Miscellaneous:
    -6: Enable IPv6 scanning     -A: Enables OS detection and Version detection     --datadir <dirname>: Specify custom Nmap data file location     --send-eth/--send-ip: Send using raw ethernet frames/IP packets     --privileged: Assume that the user is fully privileged     -V: Print version number     -h: Print this help summary page
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
Expected Output:
Syn Stealth Scan
C:\nmap>nmap -sS -O -p- 200.100.100.234 Starting nmap 4.01( http://www.insecure.org/nmap ) at 2006-01-17 21:37 GMT Standard Time Interesting ports on 200.100.100.234: (The 65530 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1241/tcp open nessus MAC Address: 00:0C:29:2A:CF:F9 (VMware) Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux 2.4.0 - 2.5.20 Nmap finished: 1 IP address (1 host up) scanned in 11.436 seconds

Version Scan
C:\nmap>nmap -sV -O -p- 200.100.100.234 Starting nmap 4.01( http://www.insecure.org/nmap ) at 2006-01-17 21:37 GMT Standard Time Interesting ports on 200.100.100.234: (The 65530 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.6.1p2 (protocol 1.99) 111/tcp open rpcbind 2 (rpc #100000) 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 1241/tcp open ssl Nessus security scanner MAC Address: 00:0C:29:2A:CF:F9 (VMware) Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux 2.4.0 - 2.5.20 Nmap finished: 1 IP address (1 host up) scanned in 21.611 seconds

AMAP

Amap has been designed to correlate the applications that are running on a specific port or ports residing on a host. Amap does this by connecting to the port(s) and sending packets that will hopefully trigger an automatic response in reply. These packets typically encompass a standard attempt by an application to carry out a handshake between both hosts. A lot of network daemons only respond to when a connection is attempted utilising an appropriate handshake (i.e. SSL). Amap then correlates this response with its in-built library and verbosely prints to screen.
Available from thc.org

Execution:
amap v5.1 (c) 2005 by van Hauser <amap-dev@thc.org> www.thc.org/thc-amap
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

Modes:
-A Map applications: send triggers, analyse responses (default) -B Just grab banners, do not send triggers -P No banner or application stuff - be a port scanner -W Web Update - online update the application fingerprint database!

Options:
-1 Only send triggers to a port until 1st identification. Speeeeed! -6 Use IPv6 instead of IPv4 -b Print ascii banner of responses -i FILE Nmap machine readable outputfile to read ports from -u Ports specified on commandline are UDP (default is TCP) -R / -S Do NOT identify RPC / SSL services -H Do NOT send application triggers marked as potentially harmful -U Do NOT dump unrecognised responses (better for scripting) -d Dump all responses -v Verbose mode, use twice+ for debug (not recommended :-) -q Doesn't report closed ports, do not print them as unidentified -o FILE [-m] Write output to file FILE, -m creates machine readable output -c CONS Amount of parallel connections default 32, max 256) -C RETRIES Number of reconnects on connect timeouts default 3) -T SEC Connect timeout in seconds (default 5) -t SEC Response wait timeout in seconds (default 5) -p PROTO Only send triggers for this protocol (e.g. ftp)

TARGET PORT The target address and port(s) to scan (additional to -i) amap is a tool to identify application protocols on target ports.
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.

Scanrand

Scanrand is extremely quick and effective port scanner. It works by forking two distinct processes:

One to send the initial queries,
One to receive responses and reconcile them from the above.

Installation:
Scanrand comes as part of the paketto suite of tools and is available from Dan Kaminsky's site.
Note:- Install the provided libnet,libtomcrypt and libpcap tarballs first
Installation is by means of the usual ./configure, make and make install process, however I found that with installing on both Fedora Core 1 (within VMWare) and Fedora Core 4 that errors were encountered. These were fixed as follows:

Fedora Core 1:
paketto.h the following lines cause an error as only the first has been commented, either comment them all or issue the command 4dd in the vi editor to delete them all

#error "We couldn't find the system macro _IOW on your machine...if you run find /usr/include | xargs grep _IOW and find some file other than sys/sockio.h containing the macro, emaildan@doxpara.com and I'll get it in the next build."e;

Fedora Core 4 & 5:
Strangely a different error? A number of files report errors on the configure process including paketto.c, lc.c, minewt.c and scanutil.c.

paketto.c:112: error: invalid lvalue in assignment
paketto.c:121: error: invalid lvalue in assignment
paketto.c:136: error: invalid lvalue in assignment
paketto.c:137: error: invalid lvalue in assignment
paketto.c:167: error: invalid lvalue in assignment
paketto.c:173: error: invalid lvalue in assignment
paketto.c:179: error: invalid lvalue in assignment 
paketto.c:320: error: invalid lvalue in assignment
paketto.c:337: error: invalid lvalue in assignment


      minewt.c:602: error: invalid lvalue in assignment

scanutil.c: In function bake_syncookie:
scanutil.c:13: error: invalid lvalue in assignment
scanutil.c:14: error: invalid lvalue in assignment
scanutil.c: In function munch_syncookie:
scanutil.c:42: error: invalid lvalue in assignment
scanutil.c:43: error: invalid lvalue in assignment
scanutil.c: In function build_generic_syn:
scanutil.c:255: warning: assignment from incompatible pointer type
scanutil.c:264: error: invalid lvalue in assignment
scanutil.c:279: error: invalid lvalue in assignment

lc.c: In function main:
lc.c:193: error: invalid lvalue in assignment
lc.c:226: error: invalid lvalue in assignment
lc.c:247: error: invalid lvalue in assignment

The problem lies in the fact that the(char *) ((void *) in lc.c) variable has been declared both sides and the first such reference to this needs to be removed i.e.
(char *)x->eth = (char *)packet; needs to be edited to:
x->eth = (char *)packet; and
(char *)x->arp = (char *)x->eth + LIBNET_ETH_H; needs to be edited to:
x->arp = (char *)x->eth + LIBNET_ETH_H; etc.

There are quite a few of these changes to be made but once done should then compile straightforwardly. Look for the error messages lvalue and assignment and record the line numbers outputted. It is on these lines that you must remove the duplicate variables.
Execution:
OPTIONS
Scanrand implements numerous options; reasonable defaults are selected when no specific guidance is received from the user. The only thing mandated is a target destination, which may be specified using either a FQDN(Fully Qualified Domain Name) or a numeric specification. These numerics may employ any number of dashes, commas, or combination thereof at the same time. For example, scanrand 10.0.1-255.1-10,20:80,137-139 works fine. More ports will be scanned by default when scanning a single host than when scanning a network. Scanrand is able to estimate remote hopcount by examining incoming TTLs.

-S Only send requests, do not listen for their responses.
-L Only listen for responses, do not actually send the matching requests. There's nothing that forces the sender and receiver to be the same host -- in fact, split operation is explicitly supported.
-e Show responses from hosts that are up but aren't accepting connections to the requested port.
-E *ONLY* show responses from hosts that are up but aren't accepting connections to the requested port -- do not display ports that are up.
-t [number of seconds] = Set maximum number of seconds that may pass before listening process gives up on receiving any more responses. This timer is reset with every good response, whether the port is up or down.
-b [bandwidth] [b][k][m][g] = Limit the amount of bandwidth that scanrand may use for its outgoing requests. -b 100k would limit said bandwidth to 100kbyte/s. Note, since outgoing SYN frames constitute only 64 bytes on the wire, very little bandwidth can go very, very far. The bandwidth value of 0 -- set by default -- corresponds to no bandwidth limitation.
-N Use Reverse-DNS to determine a DNS host name that matches the source of a detected packet.
-NN Use Reverse-DNS to determine a DNS host name that matches the intended destination of a given packet.
-v Verbosity Level 1: Mark the sending of packets.
-vv Verbosity Level 2: Output all interpreted TCP and IP headers. ADDRESSING
-d <interface> = Use this Layer 2 Device for all traffic.
-i <IP Address> = Use this Layer 3 Source IP address for all traffic.
-p <Port> = Use this Layer 4 TCP Source Port for all direct traffic. TCP Traceroute will use this port as a basis for its activity, but will vary its actual selected port by up to 255.
-s <Seed> = Use this value as a cryptographic seed for authenticating incoming packets. This value is normally generated automatically, but needs to be manually specified and synchronized when splitting the sender and receiver processes across invocations, hosts, and possibly entire networks. It is highly advised not to repeat the same seed for two separate scans; spoofing responses becomes much easier given that circumstance.
-f <file> = Read list of targets from a file. Syntax follows whatever is accepted on the command line.
-l <from-to> = Stateless TCP Tracerouting -- instead of just iterating across ports and hosts, we're iterating across network hops and reconstructing the network based on the ICMP errors (with original copies of our IP and first 8 bytes of TCP. May function in tandem with standard host/port lists. Specify minimum and maximum hop-distance you want to map, as in scanrand -l1-20 www.foobar.com
-c Verify Inverse SYN Cookies in returned ICMP errors. Not enabled by default.
-D Actively discover distance to target host. This is done by sending it an invalid ACK, which immediately forces a TCP RST. It turns out that lots of systems (including Minewt, oops) attempting to return replies as fast as possible will use the incoming packet as a prototype for the response, flipping only those fields that absolutely need to be. This doesn't include TTL...so what happens is, we send out our ACK probe with a TTL of around 180. No normal host will ever have a TTL in that range, and no normal network will hop down from the 255's into there. Now, we can look at returned RST's, see the TTL in the impossible range, and know that we caused it. Divide by two to get the average distance (between getting there and getting back, usually identical but not always due to asymmetric routing). "Distco mode" is flexible enough to handle when TTL's *are* handled correctly, and in at least one case, will determine hopcounts through firewalls that otherwise try to scrub the TTL back up to 64. On the flip side, at least one PIX likes to respond to an ACK with a locally produced RST|ACK, for some unimaginable reason. Great way to find out if you're behind a PIX, but it kills Distco dead (sort of like the 80's). PORT SELECTION Instead of using a comma/dash notated port range, like "80,20-25", several default port ranges have been precompiled into scanrand. They are:
quick = Quick scanning hits the top one or two dozen TCP service ports that are often enabled on a given server. This translates directly to: 80,443,445,53,20-23,25,135,139,8080, 110,111,143,1025,5000,465,993,31337, 79,8010,8000,6667,2049,3306 This is the default scan mode when scanning a single host. When multiple hosts are scanned, scanrand automatically defaults to scan only port 80 (HTTP).
squick = Super-Quick scanning hits the top five or six TCP service ports that are very often enabled on a given server. This translates directly to: 80,443,139,21,22,23
known = Known Port Scanning uses IANA's list of TCP port numbers, as well as any other port numbers observed by Fyodor of the nmap project, to select 1150 ports from the 65K possible to scan. This is equivalent to the nmap "fast scan" option.
all = Scans all ports -- 0(which is a valid port!) to 65535.

Simple Sample Output:

root@host ~]# scanrand 192.168.0.1:all
UP: 192.168.0.1:135 [01] 0.112s
UP: 192.168.0.1:139 [01] 0.112s
UP: 192.168.0.1:389 [01] 0.151s
UP: 192.168.0.1:445 [01] 0.155s
UP: 192.168.0.1:1025 [01] 0.898s
UP: 192.168.0.1:1026 [01] 0.899s
UP: 192.168.0.1:1720 [01] 0.955s
UP: 192.168.0.1:3002 [01] 1.026s
UP: 192.168.0.1:47624 [01] 14.983s

These open ports can then be mapped to various services, obviously from the ports open we are looking at a Microsoft Windows host with 135,139 and 445 open. From a pen testers perspective now, the services running on the other ports may be of interest.

Hping

Hping is a software to do TCP/IP stack auditing, to uncover firewall policy, to scan TCP port in a lot of different modes, to transfer files across a firewall and many other stuff. Using hping you are able to do even a lot of not security-regarding stuff i.e.

Test firewall rules
Advanced port scanning
Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
Path MTU discovery
Transferring files between hosts where stringent firewall rules are being applied.
Traceroute-like under different protocols.
Firewalk-like usage.
Remote OS fingerprinting.
TCP/IP stack auditing.

Installation
The usual ./configure & make && make install routine works fine, however, it is best to install the latest libpcap package.
Basic Execution

root@FC4]# hping3 192.168.0.1
HPING 192.168.0.1 (eth0 192.168.0.1): NO FLAGS are set, 40 headers + 0 data bytes
mslen=46 ip=192.168.0.1 ttl=128 id=2258 sport=0 flags=RA seq=0 win=0 rtt=0.7
mslen=46 ip=192.168.0.1 ttl=128 id=2259 sport=0 flags=RA seq=1 win=0 rtt=0.8
mslen=46 ip=192.168.0.1 ttl=128 id=2260 sport=0 flags=RA seq=2 win=0 rtt=0.7
mslen=46 ip=192.168.0.1 ttl=128 id=2261 sport=0 flags=RA seq=3 win=0 rtt=0.3
mslen=46 ip=192.168.0.1 ttl=128 id=2262 sport=0 flags=RA seq=4 win=0 rtt=0.8
mslen=46 ip=192.168.0.1 ttl=128 id=2263 sport=0 flags=RA seq=5 win=0 rtt=0.2
mslen=46 ip=192.168.0.1 ttl=128 id=2264 sport=0 flags=RA seq=6 win=0 rtt=0.7
mslen=46 ip=192.168.0.1 ttl=128 id=2265 sport=0 flags=RA seq=7 win=0 rtt=0.3 ms
--- 192.168.0.1 hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss

(ms)len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.
ip is the source ip address.
id is the IP ID field.
flags are the TCP flags,

    R for RESET,
    S for SYN,
    A for ACK,
    F for FIN,
    P for PUSH,
    U for URGENT

seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
win is the window size.
rtt is the round trip time. i.e. time taken to return from the initial ping.

Nbtscan

NBTscan scans IP networks for Microsoft Windows NetBIOS name information. It sends NetBIOS status queries to all hosts specified in the range to check and outputs the information directly to screen. The results list:

IP address,
NetBIOS computer name,
logged-in user name,
MAC address.

Installation: ./configure & make && make install (as you would expect)
Usage:

nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>) 
     -v verbose output. Print all names received from each host
    -d dump packets. Print whole packet contents.
    -e Format output in /etc/hosts format.
    -l Format output in lmhosts format. Cannot be used with -v, -s or -h options.
    -t timeout wait timeout in milliseconds for response. Default 1.
    -b bandwidth Output throttling. Slows down output uses no more that bandwidth.
    (Useful on slow links, so outgoing queries don't get dropped.)
    -r use local port 137 for scans. Win95 boxes respond to this only. 
    -q Suppress banners and error messages,
    -s Script-friendly output. Don't print column/record headers
    -h Print human-readable names for services. Can only be used with -v option.
    -m retransmits Number of retransmits. Default 0.
    -f filename Take IP addresses to scan from file filename
    -f - makes nbtscan take IP addresses from stdin.
    <scan_range> what to scan. Either single IP i.e. 192.168.1.1 or range of addresses
    in one of two forms: 
    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.

Examples:
nbtscan -r 192.168.0.0/24
Scans the whole C-class network.

Doing NBT name scan for addresses from 192.168.0.0/24

NetBIOS Name Table for Host 192.168.0.1:

Name Service Type 
----------------------------------------
WORK1 <00> UNIQUE
WORK1 <20> UNIQUE
WORKGROUP <00> GROUP

Adapter address: 00-02-b3-a7-6a-50
----------------------------------------

NetBIOS Name Table for Host 192.168.0.99:

Name Service Type 
----------------------------------------
2003-SVR <00> UNIQUE
2003-SVR <20> UNIQUE
ConfigServer <1c> GROUP
WORKGROUP <00> GROUP
2003-svr <2d> UNIQUE
WORKGROUP <1e> GROUP
WORKGROUP <1d> UNIQUE
__MSBROWSE__ <01> GROUP

nbtscan 192.168.1.25-137
Scans a range from 192.168.1.25 to 192.168.1.137
nbtscan -v -s : 192.168.0.0/24
Scans C-class network. Prints results in script-friendly format using colon as field separator. Produces output like that:

192.168.0.1:NT_SERVER:00U
192.168.0.1:MY_DOMAIN:00G
192.168.0.1:ADMINISTRATOR:03U
192.168.0.2:OTHER_BOX:00U

nbtscan -f iplist

Scans IP addresses specified in file iplist.

Unicornscan

Unicornscan is designed as a compact enumerator for gathering network and OS information. It provides the user with the facility to introduce a stimuli against a specific host or network and measure the returned response. It currently has a number of features, including:

Asynchronous stateless TCP scanning with all variations of TCP Flags.
Asynchronous stateless TCP banner grabbing
Asynchronous protocol specific UDP Scanning (sending enough of a signature to elicit a response).
Active and Passive remote OS, application, and component identification by analyzing responses.
PCAP file logging and filtering
Relational database output
Custom module support
Customized data-set views

Installation:
Unicornscan is available from here
rpm -ivh unicornscan-0.4.2-0.i386.rpm

Execution:
Usage:

unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ]
IP_ADDRESS/CIDR_SUBNET_MASK:S-E

Options:


          -b, --broken-crc *[Set broken crc sums on [T]ransport layer, [N]etwork layer, or both[TN]]

          -B, --source-port *[Set source port? or whatever the scan module expects as a number]

          -d, --delay-type *[Set delay type] Numeric value, valid options are:

              1:tsc

              2:gtod

              3:sleep

          -D, --no-defpayload [No default Payload, probe known protocols]

          -e, --enable-module *[enable modules listed as arguments (output and report currently)]

          -E, --show-errors [for tracking icmp errors and rst packets]

          -h, --help [help]

          -i, --interface *[interface name, i.e. eth0, not normally required]

          -m, --mode *[scan mode] Options include:

              tcp (syn) scan is default,

              U for udp

              T for tcp

              `sf' for tcp connect scan and

              A for arp

          -M, --module-dir *[default:/usr/local/libexec/unicornscan/modules)]

          -p, --no-patience [No patience, display things as we find them]

          -P, --pcap-filter *[Extra pcap filter string for reciever]

          -q, --covertness *[Covertness value from 0 to 255]

          -r, --pps *[pkts/s (total, not per host, as you go higher it gets less accurate)]

          -R, --repeats *[Repeat packet scan N times]

          -s, --source-addr *[Source address for packets `r' for random]

          -S, --no-shuffle [DON'T shuffle ports]

          -t, --ip-ttl *[Set TTL on sent packets]

          -T, --ip-tos *[set TOS on sent packets]

          -w, --safefile *[Write pcap file of recieved packets]

          -W, --fingerprint *[OS fingerprint] Options are:

              0=cisco(def)

              1=openbsd

              2=WindowsXP

              3=p0fsendsyn

              4=FreeBSD

              5=nmap

              6=linux

              7:Crazy lint tcp header (use with p0f hopefully)

          -v, --verbose [verbose (each time more verbose so -vvvvv is really verbose!!!!!)]

          -V, --version [Display version]

          -Z, --drone-type *[L or S]


      Note:- Using the flags -mT you can also specify tcp flags following the T like -mTsFpU for example that would send tcp syn packets with (NO Syn|FIN|NO Push|URG)


      *: Options with `*' require an argument following them

      Address ranges are 1.2.3.4/8 for all of 1.?.?.? (if you omit the CIDR mask then the subnet mask of /32 is implied)

      Port ranges to be used come in the format 1-4096, for a range, 80 for a single port and "a" for all 65535 TCP ports and "p" for the default port range of 1-1024


      Example: unicornscan -i eth1 208.47.125.0/24:1-4000 -pr 160 -E

      Basic Example Output:
[root@host ~]# unicornscan 192.168.0.1
Open epmap[ 135] From 192.168.0.1 ttl 128
Open netbios-ssn[ 139] From 192.168.0.1 ttl 128
Open ldap[ 389] From 192.168.0.1 ttl 128
Open microsoft-ds[ 445] From 192.168.0.1 ttl 128
Open blackjack[ 1025] From 192.168.0.1 ttl 128
Open h323hostcall[ 1720] From 192.168.0.1 ttl 128

    


    
      
Firewalk
      Firewalk is an active reconnaissance network security tool for enumerating firewalls. It attempts to determine what layer 4 protocols a firewall within its current configuration will allow to pass through to internal hosts. Firewalk sends out TCP or UDP packets with a TTL one greater than the targeted gateway/firewall. If the gateway/firewall allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.


      Installation:

      Currently available from here or I have an rpm that does work on Fedora Core 4/5.

      ./configure
make
make install


      Execution:

      firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]


      Options:

      -d 1-65535 Specify initial dest port to use during the ramping phase.
-h         Program help.
-i         Interface_name Specify interface to use.
-n         Don't resolve IP's to hostnames.
-P 1-2000  Set a network writing pause, to keep firealk from flooding the network.
-p TCP,UDP Type of scan to perform.
-r         Strict RFC 793 compliance.
-S 1-65535,... (1-130,139,1025) Specify ports to scan. Specified in ranges, delimited by dashes, multiple ranges may be specified, delimited by commas. Omitting the terminating port number is shorthand for 65535.
-s 1-65535 (53)Specify the source port for the scan (both phases).
-T 1-2000 (2)Network packet reading timeout.
-t 1-25 (1)Sets initial IP TTL value (target gateway is known to be n hops from the source host, the TTL can be preloaded to facilitate a faster scan.
-v         Dump program version and exit.
-x         Expire vector (1)The expire vector is the number of hops that the scanning probes will expire,past the gateway host. The binding hopcount is the hopcount of the gateway + the expire vector.


      Sample Output:

      root@fc4>firewalk -n -p tcp -s 80 -d 80 192.168.0.1 192.168.1.1

Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 80, destination port: 80
Hotfoot through 192.168.0.1 using 192.168.1.1 as a metric.
Ramping Phase:
expired [192.168.0.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase: 
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]


      In this example, traffic is allowed through ports 25 and 80, in essence Sendmail, (SMTP) and Hypertext Transfer Protocol (HTTP). An attacker trying to get inside your network could then quite possibly use tools such as nmap to scan internal subnets for all hosts with these distinct ports open. Having found some targets, they may try and bypass your firewall by tunnelling traffic through these ports.

    


    
      
Network Time Protocol Enumeration
      NTP is a protocol designed to synchronise clocks of networked computers. From a Vulnerability Analysis/Penetration testing aspect, the data available when querying the ntp server can prove quite valuable and is usually available without any formal authentication being required.


      The following commands can be used against an NTP server:
      
        ntpdate
        ntptrace
        ntpdc
        ntpq
      
      Ntpdate - ntpdate can collect a number of time samples from a number of time sources (i.e., multiple NTP servers)

      ntpdate [-bBdoqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout]  [server/IP_address]

      # ntpdate 192.168.0.1
27 Dec 11:50:49 ntpdate[627]: adjust time server 192.168.0.1 offset -0.005030 sec


      Options

      -a key Enable the authentication function/specify the key identifier to be used for authentication.

      -B    Force the time to always be slewed.

      -b    Force the time to be stepped.

      -d    Enable debugging mode.

      -e authdelay  Specify the processing delay.

      -k keyfile   Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys.

      -o version    Specify NTP version for outgoing packets as the integer version, can be 1 or 2. Default is 3.

      -p samples   Specify # of samples to be acquired from each server, with values from 1-8. Default is 4.

      -q       Query only - don't set the clock.

      -s       Divert logging output from the standard output (default) to the system syslog facility.

      -t timeout Specify the maximum time waiting for a server response. Default is 1 second.

      -u       Use an unprivileged port or outgoing packets.

      -v       Be verbose.


      Ntptrace - ntptrace determines where a NTP server gets its time from, and follows the chain of NTP servers back to its primary i.e. master, time source. If you supply no argument ntptrace will start with the localhost, if a server is specified, the localhost will appear last.

      ntptrace [-vdn] [-r retries ] [-t timeout] [servername/IP_address]
# ntptrace localhost: stratum 4, offset 0.0019529, synch distance 0.143235 192.168.0.1: stratum 2, offset 0.0114273, synch distance 0.115554 192.168.1.1: stratum 1, offset 0.0017698, synch distance 0.011193
Options

      -d     Display debugging output.

      -n     Does not print host names only IP addresses are shown. May be useful if a nameserver is down.

      -r retries Sets the number of retransmission attempts for each host (default = 5).

      -t timeout Sets the retransmission timeout (in seconds) (default = 2).

      -v     Prints verbose information about the NTP servers.


      Ntpdc - ntpdc is used to query the ntpd daemon about its current state and to request changes in that state. The program may be run either in interactive mode or controlled using command line arguments.

      ntpdc [-ilnps] [-c command] [hostname/IP_address]

      root@attacker]# ntpdc -c sysinfo 192.168.0.1
***Warning changing to older implementation
***Warning changing the request packet size from 160 to 48
system peer: 192.168.1.100
system peer mode: client
leap indicator: 00
stratum: 5
precision: -15
root distance: 0.00107 s
root dispersion: 0.02306 s
reference ID: [192.168.1.100]
reference time: f66s4f45.f633e130 Wed, Jun 28 2006 11:06:11.631
system flags: monitor ntp stats calibrate
jitter: 0.000000 s
stability: 4.256 ppm
broadcastdelay: 0.003875 s
authdelay: 0.000107 s


      root@attacker]# ntpdc -c monlist 192.168.0.1
***Warning changing to older implementation
***Warning changing the request packet size from 160 to 48
remote address port local address count m ver code avgint lstint
===============================================================================
192.168.0.222 32786 192.168.0.1       5 7 2      0 0       188
192.168.1.100 123   192.168.0.1    4299 3 2      0 22      1022110
192.168.2.133 32766 192.168.0.1      10 4 2      0 559     1110
192.168.2.133 123   192.168.0.1       6 3 6      0 1101    1502
attacker      32812 127.0.0.1         1 5 3      0 1022142 1022142
 

      Options

      -c command Following argument interpreted as an interactive format command. Multiple -c options may be given.

      -i       Force ntpdc to operate in interactive mode.

      -l       Obtain a list of peers which are known to the server(s). This switch is equivalent to -c listpeers

      -n       Output all host addresses in dotted-quad numeric format rather than host names.

      -p       Print a list of the peers as well as a summary of their state. This is equivalent to -c peers.

      -s       Print a list of the peers as well as a summary of their state.  This is equivalent to -c dmpeers.


      Available commands (abridged):

      listpeers     Obtains and prints a brief list of the peers.

      peers             Obtains a list of peers for which the server is maintaining state.

      sysinfo         Print a variety of system state variables.

      reslist         Obtain and print the server's restriction list.

      monlist [version] Obtain and print traffic counts collected and maintained by the monitor facility.


      Ntpq - is used to monitor NTP daemon ntpd operations and determine performance.

      ntpq [-inp] [-c command] [host/IP_address]

      root@attacker]# ntpq 192.168.01
ntpq> lpeers
remote              refid st t when poll reach delay offset jitter
*192.168.1.100 LOCAL(0)    4 u   18   58   344 0.655 -0.039  0.029
 


      ntpq> version
ntpq 4.2.0a@1.1196-r Mon May 07 14:14:14 EDT 2006 (1)


      ntpq> host
current host is 192.168.0.1


      ntpq> readlist
assID=0 status=0674 leap_none, sync_ntp, 7 events, event_peer/strat_chg,
system="SunOS", leap=00, stratum=5, rootdelay=0.655,
rootdispersion=20.080, peer=40852, refid=192.168.1.100,
reftime=c66b4f07.d732d455 Sat, Jul 01 2006 17:28:11.773, poll=6,
clock=0xc66b4f3b.595ed455, phase=-0.040, freq=80337.65, error=0.01


      Options

      -c        Following argument is interpreted as an interactive format command. Multiple -c options may be given.

      -d        Debugging mode.

      -i       Force ntpq to operate in interactive mode.

      -n       Output all host addresses in dotted-quad numeric format rather than host na