Backtrack Manual Part3


Project Report

on

Project by - Nutan Kumar Panda

Technology Evangelist, ISEH

R&D - ATL Guwahati

INSTALLED FEATURES

DNStracer determines where a given Domain Name Server (DNS) gets its information from and follows the chain of DNS servers back to the servers which know the data

Project By Nutan Kumar Panda

SYNOPSIS: dnstracer [options] name

DESCRIPTION: dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

Options are:

-c Disable local caching

-C Enable negative caching

-o Enable overview of received answers at the end

-q <queryclass> Change the query class; default is A. You can either specify a number of the type (if you're brave) or one of the following strings: a, aaaa, a6, soa, cname, hinfo, mx, ns, txt and ptr.

-r <retries> Number of retries for DNS requests; default 3.

-s <server> DNS server to use for the initial request; default is acquired from the system. If a dot is specified (.), A.ROOT-SERVERS.NET will be used.

-v Be verbose on what is sent or received.

-4 Use only IPv4 servers, don't query IPv6 servers (only available when IPv6 support hasn't been disabled).

-S <sourceaddress> Use this as source address for the outgoing packets.

HOW IT WORKS: It sends the specified name server a non-recursive request for the name.

Non-recursive means: if the name server knows it, it will return the data requested. If the name server doesn't know it, it will return pointers to name servers that are authoritative for the domain part in the name, or it will return the addresses of the root name servers.

If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried.

The program stops once all name servers have been queried.

Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you.

It detects so-called lame servers, which are name servers that have been told to have information about a certain domain but don't have this information.
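The delegation-following logic just described, as an added example that is not part of this manual or of dnstracer itself: a simulation run over a constructed, in-memory set of name servers (every server name and address below is hypothetical, and nothing is sent on the network). It shows the referral chain, the authoritative answer, and how a lame server shows up.

```python
# Added example, not part of the manual or of dnstracer itself: a simulation of
# the delegation-following logic over a constructed, in-memory set of name
# servers (all names and addresses are hypothetical; no packets are sent).
from typing import Dict, List, Tuple

# Constructed non-recursive responses per server, per name:
#   ("answer", rdata)      authoritative answer
#   ("referral", [ns...])  pointers to the servers in the authority records
#   ("lame", None)         delegated to, but holds no data for the zone
SERVERS: Dict[str, Dict[str, Tuple[str, object]]] = {
    "a.root.example": {"www.mavetju.example": ("referral", ["ns.tld.example"])},
    "ns.tld.example": {"www.mavetju.example": ("referral", ["ns1.mavetju.example",
                                                            "ns2.mavetju.example"])},
    "ns1.mavetju.example": {"www.mavetju.example": ("answer", "192.0.2.10")},
    "ns2.mavetju.example": {"www.mavetju.example": ("lame", None)},
}


def trace(name: str, server: str, depth: int = 0,
          seen=None, events=None) -> List[Tuple[int, str, str]]:
    """Query `server` non-recursively for `name` and follow referrals.

    Returns the queries in the order made as (depth, server, outcome).
    A server is queried at most once, so a referral loop cannot recurse forever.
    """
    seen = set() if seen is None else seen
    events = [] if events is None else events
    if server in seen:
        return events
    seen.add(server)
    kind, value = SERVERS.get(server, {}).get(name, ("noanswer", None))
    if kind == "answer":
        events.append((depth, server, f"Got authoritative answer: {value}"))
    elif kind == "referral":
        # non-authoritative answer: query each server named in the authority records
        events.append((depth, server, "referral to " + ", ".join(value)))
        for ns in value:
            trace(name, ns, depth + 1, seen, events)
    elif kind == "lame":
        events.append((depth, server, "lame server: delegated for the zone but has no data"))
    else:
        events.append((depth, server, "no response"))
    return events


def lame_servers(events) -> List[str]:
    """Servers flagged as lame, the condition dnstracer warns about."""
    return [srv for _, srv, outcome in events if outcome.startswith("lame")]


def render(events) -> str:
    """Indent each query by its depth, in the style of dnstracer's output."""
    return "\n".join(f"{'  ' * d}{srv}: {outcome}" for d, srv, outcome in events)


if __name__ == "__main__":
    ev = trace("www.mavetju.example", "a.root.example")
    print(render(ev))
    print("lame:", lame_servers(ev))
```

The one thing the simulation cannot model is the caveat in the text: a server that silently forwards to another resolver returns an answer that looks authoritative, so the trace stops there and the real chain stays hidden.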

EXAMPLES: Search for the A record of www.mavetju.org on your local nameserver:

dnstracer www.mavetju.org

Search for the MX record of mavetju.org on the root nameservers:

dnstracer -s . -q mx mavetju.org

Search for the PTR record (hostname) of 212.204.230.141:

dnstracer -q ptr 141.230.204.212.in-addr.arpa

And for IPv6 addresses:

dnstracer -q ptr -s . -o 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.4.0.2.0.0.0.0.8.b.0.e.f.f.3.ip6.int


tcptraceroute: a traceroute implementation using TCP packets. The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination. The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute(8) sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.

It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host. If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed. If the host instead responds with a SYN|ACK, the port is known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing the three-way handshake. This is the same half-open scanning technique that nmap(1) uses when passed the -sS flag.

To trace the path to a web server listening for connections on port 80:

tcptraceroute webserver

To trace the path to a mail server listening for connections on port 25:

tcptraceroute mailserver 25


Nmap (Network Mapper) is a utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Command: nmap -v -A targethost

Nmap features include:

Host Discovery - Identifying hosts on a network, for example listing the hosts which respond to pings or which have a particular port open.

Port Scanning - Enumerating the open ports on one or more target hosts.

Version Detection - Interrogating network services listening on remote devices to determine the application name and version number.

OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.

Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made.

Typical uses of Nmap:

Auditing the security of a device by identifying the network connections which can be made to it.

Identifying open ports on a target host in preparation for auditing.

Network inventory, network mapping, maintenance and asset management.

Auditing the security of a network by identifying unexpected new servers.

Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

By default, Nmap performs a SYN scan, which works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states.

To perform a SYN scan on the host www.yourorg.com, use the command: nmap www.yourorg.com
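Both the tcptraceroute passage above and the SYN scan described here leave the same half-open footprint on the wire: SYNs that are never followed by an ACK from the sender. The added example below is not part of this manual or of either tool; it is detection logic written from the defender's side, run over constructed packet summaries (source, destination, port, TCP flags, IP TTL). The addresses, ports and thresholds are assumptions chosen for the sample data. It separates the two shapes: many half-open ports from one source (a SYN scan), versus repeated SYNs to one port with TTL 1, 2, 3, ... (a TCP traceroute).

```python
# Added example, not part of the manual or of nmap/tcptraceroute: detection
# logic for the two half-open SYN patterns described in the text, run over
# constructed packet summaries (src, dst, dport, tcp_flags, ip_ttl).
# Thresholds and addresses are assumptions chosen for the sample data.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Packet = Tuple[str, str, int, str, int]

# Constructed sample traffic as seen by a sensor on the 10.0.0.0/24 segment.
PACKETS: List[Packet] = (
    # 10.0.0.5 sends a bare SYN to ten ports and never completes a handshake: SYN-scan shape
    [("10.0.0.5", "10.0.0.20", p, "S", 64) for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)]
    # 10.0.0.7 sends SYNs to one port with TTL 1, 2, 3, 4: TCP-traceroute shape
    + [("10.0.0.7", "10.0.0.20", 80, "S", ttl) for ttl in (1, 2, 3, 4)]
    # 10.0.0.9 is an ordinary client: SYN, then the ACK that completes the handshake
    + [("10.0.0.9", "10.0.0.20", 443, "S", 64), ("10.0.0.9", "10.0.0.20", 443, "A", 64)]
)

SYN_SCAN_MIN_PORTS = 8   # distinct half-open ports from one source before we call it a scan
TRACE_MIN_HOPS = 3       # consecutive TTLs starting at 1 to one port before we call it a trace


def classify(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Return (source, pattern, detail) findings, sorted, for the given packets.

    A SYN scan leaves many ports with a SYN but no follow-up ACK from the same
    source. A TCP traceroute re-sends a SYN to one port with TTL 1, 2, 3, ...;
    that series is visible only to a sensor near the source, because probes
    with a small TTL expire before they reach the destination.
    """
    syn_ports: Dict[str, Set[int]] = defaultdict(set)   # src -> ports that got a bare SYN
    acked: Dict[str, Set[int]] = defaultdict(set)       # src -> ports where src later sent ACK
    ttls: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)  # (src, dst, dport) -> SYN TTLs
    for src, dst, dport, flags, ttl in packets:
        if flags == "S":
            syn_ports[src].add(dport)
            ttls[(src, dst, dport)].add(ttl)
        elif flags == "A":
            acked[src].add(dport)

    findings: List[Tuple[str, str, int]] = []
    for src, ports in syn_ports.items():
        half_open = ports - acked[src]
        if len(half_open) >= SYN_SCAN_MIN_PORTS:
            findings.append((src, "syn-scan", len(half_open)))
    for (src, _dst, dport), seen in ttls.items():
        run = sorted(seen)
        if len(run) >= TRACE_MIN_HOPS and run == list(range(1, len(run) + 1)):
            findings.append((src, "tcp-traceroute", dport))
    return sorted(findings)


if __name__ == "__main__":
    for src, pattern, detail in classify(PACKETS):
        print(f"{src}: {pattern} ({detail})")
```

The thresholds are the tunable part: a slow scan spread over hours needs a longer window than the single batch used here, and a legitimate client that retries a SYN keeps a single port, so it never reaches the port threshold.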

Syntax

nmap [Scan Type(s)] [Options] target specification

TARGET SPECIFICATION


-iL: Input from list of hosts/networks

-iR: Choose random targets

--exclude <host1[,host2][,host3]>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY

-sL: List Scan - simply list targets to scan

-sP: Ping Scan - go no further than determining if host is online

-P0: Treat all hosts as online -- skip host discovery

-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2]>: Specify custom DNS servers

--system-dns: Use OS's DNS resolver

SCAN TECHNIQUES

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idlescan

-sO: IP protocol scan

-b <ftp relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

-p <port ranges>: Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

-F: Fast - Scan only the ports listed in the nmap-services file

-r: Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION

-O Enable OS detection

--osscan-limit Limit OS detection to promising targets

--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

-T[0-5]: Set timing template (higher is faster)

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

--min-parallelism/max-parallelism <time>: Probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time

--max-retries <tries>: Caps number of port scan probe retransmissions

--host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes

FIREWALLIDS EVASION AND SPOOFING

-f; --mtu <val>: fragment packets (optionally w/given MTU)

-D <decoy1,decoy2[,ME]>: Cloak a scan with decoys

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

--data-length <num>: Append random data to sent packets

--ttl <val>: Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

--badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use twice for more effect)

-d[level]: Set or increase debugging level (Up to 9 is meaningful)

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file

--append-output: Append to rather than clobber specified output files

--resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

--webxml: Reference stylesheet from Insecure.Org for more portable XML

--no-stylesheet: Prevent associating of XSL stylesheet w/XML output


MISC

-6: Enable IPv6 scanning

-A: Enables OS detection and Version detection

--datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets

--privileged: Assume that the user is fully privileged

-V: Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
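Output in this layout is what an inventory or "unexpected new servers" check consumes. The following is an added example, not part of this manual or of nmap: a parser for the normal-output host block above, plus a comparison of the open ports against an allow-list. The sample text mirrors the output quoted on the page; the allow-list (only 80/tcp and 443/tcp expected) is constructed for the example.

```python
# Added example, not part of the manual or of nmap: a parser for the normal
# (-oN) output layout shown above, plus a check of the open ports against an
# allow-list. The sample text and the allow-list are constructed for this
# example; the host name and address are the ones quoted on the page.
import re
from typing import Dict, List

SAMPLE = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
NOT_SHOWN_RE = re.compile(r"(\d+) (filtered|closed) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text: str) -> Dict:
    """Turn one host block of nmap normal output into a dict."""
    report: Dict = {"host": None, "addr": None, "not_shown": {}, "ports": []}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"], report["addr"] = m.groups()
            continue
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                report["not_shown"][state] = int(count)
            continue
        m = PORT_RE.match(line)
        if m:  # the "PORT STATE SERVICE" header does not match: no digits before "/"
            port, proto, state, service = m.groups()
            report["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service})
    return report


# Constructed allow-list: the services this host is expected to expose.
EXPECTED_OPEN = {"80/tcp", "443/tcp"}


def unexpected_open(report: Dict, expected=EXPECTED_OPEN) -> List[str]:
    """Open ports not on the allow-list, i.e. the 'unexpected new servers' case."""
    return [f"{p['port']}/{p['proto']}" for p in report["ports"]
            if p["state"] == "open" and f"{p['port']}/{p['proto']}" not in expected]


if __name__ == "__main__":
    r = parse_nmap_normal(SAMPLE)
    print(r["host"], r["addr"], r["not_shown"])
    print("unexpected open ports:", unexpected_open(r))
```

For anything beyond a one-off check, the -oX or -oG output listed under OUTPUT is the better input, since its format is fixed; the normal format is meant for people and its wording has changed between releases.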


Lanmap

Lanmap listens to all available traffic on the interface of your choice, and figures out who's talking to whom, how much, and using which protocols. This information is then put into a nice human-readable 2D image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax:

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example:

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.


You can see the same screen here

lanmap available options:

-o directory - The directory in which to save the generated images. Default is the current directory.

-e program - The program to use to generate images. Default is twopi.

-T png|gif|svg - Output image format. Default is png.

-f filter - Traffic filter, in libpcap syntax.

-D all|raw - Debug mode; lots of output, use with caution. Payload bytes to dump (default 0).

-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.

-i wildcard|iface - Interface to use. "list" lists all devices and exits; "3Com" uses the first NIC with "3Com" in its name.

-V - Version info.

-v - Verbose mode, up to 3 levels (-vv, -vvv).

-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contain both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":


s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block, and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big-endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block, and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs, such as the strings "4141", "\x41", "0x41" and "41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example, two blocks are defined: somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
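To make the automatic size update concrete, here is an added example that is not SPIKE's own code and not from this manual: a small Python model of the block-based buffer, with method names mirroring the SPIKE calls used in the two scripts above. It builds the nested somepacketdata/innerdata layout, renders it with the default variable values, and then renders it again with a substituted (constructed) string value to show both the inner halfword and the outer word size fields recomputed. The mutation value and the `render()`/`build_nested_example()` names are assumptions of this example, not SPIKE API.

```python
# Added example, not SPIKE's own code and not from the manual: a Python model
# of the block-based buffer described in the text, to show how nested size
# fields are recomputed when a variable is mutated. Method names mirror the
# SPIKE calls used in the text; the mutation value is constructed.
import re
import struct
from typing import Dict, List, Optional, Tuple, Union

Part = Union[bytes, Tuple[str, str, str], Tuple[str, bytes]]


class Spike:
    """A FIFO of parts: raw bytes, ("size", block, fmt) placeholders, ("var", default) slots."""

    def __init__(self) -> None:
        self.parts: List[Part] = []
        self._open: Dict[str, int] = {}              # block name -> index where it starts
        self.spans: Dict[str, Tuple[int, int]] = {}  # block name -> (start, end) part indices

    # --- data -------------------------------------------------------------
    def s_binary(self, text: str) -> None:
        """Accepts "4141", "\\x41", "0x41" or "41 00 41 00" style input."""
        self.parts.append(bytes.fromhex(re.sub(r"\\x|0x|\s", "", text)))

    def s_string(self, text: str) -> None:
        self.parts.append(text.encode())

    def s_binary_bigendian_word_variable(self, value: int) -> None:
        self.parts.append(("var", struct.pack(">I", value)))

    def s_string_variable(self, text: str) -> None:
        self.parts.append(("var", text.encode()))

    # --- blocks and size fields ------------------------------------------
    def s_block_size_binary_bigendian_word(self, name: str) -> None:
        self.parts.append(("size", name, ">I"))

    def s_blocksize_halfword_bigendian(self, name: str) -> None:
        self.parts.append(("size", name, ">H"))

    def s_block_start(self, name: str) -> None:
        self._open[name] = len(self.parts)

    def s_block_end(self, name: str) -> None:
        self.spans[name] = (self._open.pop(name), len(self.parts))

    # --- rendering -------------------------------------------------------
    def render(self, mutations: Optional[Dict[int, bytes]] = None) -> bytes:
        """Serialize; `mutations` maps the n-th variable to a replacement value.

        Size fields have a fixed width, so once the variables are fixed every
        block length is known, even with size fields of inner blocks nested
        inside outer blocks.
        """
        mutations = mutations or {}
        fixed: List[Part] = []
        var_index = 0
        for part in self.parts:
            if isinstance(part, tuple) and part[0] == "var":
                fixed.append(mutations.get(var_index, part[1]))
                var_index += 1
            else:
                fixed.append(part)

        def length(part: Part) -> int:
            return struct.calcsize(part[2]) if isinstance(part, tuple) else len(part)

        def block_len(name: str) -> int:
            start, end = self.spans[name]
            return sum(length(p) for p in fixed[start:end])

        return b"".join(struct.pack(p[2], block_len(p[1])) if isinstance(p, tuple) else p
                        for p in fixed)


def build_nested_example() -> Spike:
    """The two-block layout from the text: somepacketdata wrapping innerdata."""
    sp = Spike()
    sp.s_block_size_binary_bigendian_word("somepacketdata")
    sp.s_block_start("somepacketdata")
    sp.s_binary("01020304")
    sp.s_blocksize_halfword_bigendian("innerdata")
    sp.s_block_start("innerdata")
    sp.s_binary("00 01")
    sp.s_binary_bigendian_word_variable(0x02)
    sp.s_string_variable("SELECT")
    sp.s_block_end("innerdata")
    sp.s_block_end("somepacketdata")
    return sp


if __name__ == "__main__":
    sp = build_nested_example()
    print(sp.render().hex())
    # replace the string variable with a longer value: both size fields change
    print(sp.render({1: b"A" * 100})[:10].hex())
```

With the defaults the inner block is 12 bytes (0x0001, 0x00000002, SELECT) and the outer block 18, so the buffer starts 00000012 01020304 000c. Substituting a 100-byte string makes those fields 0x70 and 0x6a with no other change to the script, which is the property the text calls the true power of the framework.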

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples:


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Testing old vulnerabilities on new programs

Making it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(), s_block_end(), s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database. (Source: Httprint)

To get the CLI, use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint


Now, first things first: you should probably go ahead and update your signature file. It will usually be in:

/pentest/enumeration/www/httprint_301/linux

Look for signatures.txt. To update, just go to the signatures page and do a "save as"; make sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

inputs for httprint can be:
 - individual IP addresses (default port 80)
 - http://servername[:port]
 - https://servername[:port]
 - IP range xx.xx.xx.xx-yy.yy.yy.yy
http://www.apache DOT org

dsniff - password sniffer. The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email, and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options:

-c Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d Enable debugging mode.

-m Enable automatic protocol detection.

-n Do not resolve IP addresses to hostnames.

-i interface Specify the interface to listen on.

-p pcapfile Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services Load triggers from a services file.

-t trigger[,...] Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile Read sniffed sessions from a savefile created with the -w option.

-w file Write sniffed sessions to savefile, rather than parsing and printing them out.

expression Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services Default trigger table

/etc/dsniff/dsniff.magic Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail into open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically).
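The two switch-level tricks named above (arpredirect's forged ARP replies and macof's MAC flooding) both leave a footprint a sensor on the segment can see. The following is an added example, not part of this manual or of the dsniff suite: detection logic run over constructed frame summaries. The gateway address, the MAC addresses and the flood threshold are assumptions chosen for the sample data. A contested IP (one address answered for by two MACs) is the arpredirect signature; a burst of distinct, never-before-seen source MACs within one second is the macof signature.

```python
# Added example, not part of the manual or of the dsniff suite: detection
# logic for forged ARP replies and MAC-address flooding, run over constructed
# frame summaries. Addresses and thresholds are assumptions for the sample data.
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (timestamp_s, source_mac, kind, arp_ip, arp_mac): kind is "arp-reply"
# ("arp_ip is-at arp_mac") or "data" for any other frame.
Frame = Tuple[float, str, str, Optional[str], Optional[str]]

GATEWAY_IP = "10.0.0.1"
REAL_GW_MAC = "00:11:22:33:44:01"
FORGED_MAC = "de:ad:be:ef:00:99"

FRAMES: List[Frame] = [
    (0.0, REAL_GW_MAC, "arp-reply", GATEWAY_IP, REAL_GW_MAC),
    (1.0, REAL_GW_MAC, "arp-reply", GATEWAY_IP, REAL_GW_MAC),
    # a second station now claims the gateway's IP: the arpredirect pattern
    (2.0, FORGED_MAC, "arp-reply", GATEWAY_IP, FORGED_MAC),
    (2.1, FORGED_MAC, "arp-reply", GATEWAY_IP, FORGED_MAC),
] + [
    # 500 never-before-seen source MACs inside one second: the macof pattern
    (3.0 + i * 0.001, f"02:00:00:{i >> 8:02x}:{i & 0xff:02x}:01", "data", None, None)
    for i in range(500)
]

MAC_FLOOD_PER_SECOND = 100   # distinct source MACs in one second on an access segment


def detect(frames: List[Frame]) -> List[Tuple]:
    """Return ("arp-spoof", ip, [macs]) and ("mac-flood", second, count) findings."""
    findings: List[Tuple] = []

    # an IP that is answered for by more than one MAC is being contested
    claims: Dict[str, Set[str]] = defaultdict(set)
    for _t, _src, kind, ip, mac in frames:
        if kind == "arp-reply":
            claims[ip].add(mac)
    for ip, macs in sorted(claims.items()):
        if len(macs) > 1:
            findings.append(("arp-spoof", ip, sorted(macs)))

    # a burst of distinct source MACs is the CAM-table exhaustion attempt
    per_second: Dict[int, Set[str]] = defaultdict(set)
    for t, src, _kind, _ip, _mac in frames:
        per_second[int(t)].add(src)
    for second, macs in sorted(per_second.items()):
        if len(macs) >= MAC_FLOOD_PER_SECOND:
            findings.append(("mac-flood", second, len(macs)))
    return findings


if __name__ == "__main__":
    for finding in detect(FRAMES):
        print(finding)
```

The contested-IP rule also fires on a legitimate gateway failover (VRRP takeover), so it should be joined with the known gateway MAC before alerting; on the switch side, port security limits on learned MACs and dynamic ARP inspection stop both patterns before a sensor has to see them.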

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C  ACL MTU: 192:8  SCO MTU: 64:8
        UP RUNNING PSCAN 
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0
root@slax:~#
root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application-level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr, but 3proxy is not a kind of wrapper or superserver for these daemons. It just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP- or TCP-based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages, and even accept incoming connections behind the proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, to syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file Name of config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file, and in the current directory). Under Unix, if no config file is specified, 3proxy reads the configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line of 3proxy.cfg.

--install (Windows NT family only) install 3proxy as a system service

--remove (Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM cleanup connections and exit

SIGPAUSE stop accepting new connections; on a second signal, start and re-read the configuration

SIGCONT start accepting new connections

SIGUSR1 reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg) 3proxy configuration file

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

And as a powerful back-end tool, it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data-sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile

Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat. Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised). Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports]

cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a tcp or udp client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1)

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ``metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc

Project By Nutan Kumar Panda

  • Synopsis
  • Description
  • options
  • Files
  • OPTIONS
  • SIGNALS
  • FILES
  • Name
  • Options
  • Bugs
Page 3: Backtrack Manual Part3

If the name server does returns an authoritative answer for the namethe next server is queried If it returns an non-authoritative answer for the name the name servers in the authority records will bequeried

The program stops if all name-servers are queried

Make sure the server youre querying doesnt do forwarding towards other servers as dnstracer is not able to detect this for you

It detects so called lame servers which are name-servers which has been told to have information about a certain domain but donthave this information

EXAMPLES Search for the A record of wwwmavetjuorg on your local nameserver

dnstracer wwwmavetjuorg

Search for the MX record of mavetjuorg on the root-nameservers

dnstracer -s -q mx mavetjuorg

Search for the PTR record (hostname) of 212204230141

dnstracer -q ptr 141230204212in-addrarpa

And for IPv6 addresses

dnstracer -q ptr -s -o 20000000000000000640200008b0eff3ip6int

Project By Nutan Kumar Panda

tcptraceroute A traceroute implementation using TCP packets The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one and increments the TTL until the destination has been reached By printing the gateways that generate ICMP time exceeded messages along the way it is able to determine the path packets are taking to reach the destination The problem is that with the widespread use of firewalls on the modern Internet many of the packets that traceroute(8) sends out end up being filtered making it impossible to completely trace the path to the destination However in many cases these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on By sending out TCP SYN packets instead of UDP or ICMP ECHO packets tcptraceroute is able to bypass the most common firewall filters

It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host If the host is not listening for incoming connections it will respond with an RST indicating that the port is closed If the host instead responds with a SYN|ACK the port is known to be open and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing three-way handshake This is the same half-open scanning technique that nmap(1) uses when passed the -sS flag

To trace the path to a web server listening for connections on port 80

tcptraceroute webserver

To trace the path to a mail server listening for connections on port 25

tcptraceroute mailserver 25

Project By Nutan Kumar Panda

Nmap (Network Mapper) is a utility for network exploration or security auditing Many systems and network administrators also find it useful for tasks such as network inventory managing service upgrade schedules and monitoring host or service uptime Nmap uses raw IP packets in novel ways to determine what hosts are available on the network what services (application name and version) those hosts are offering what operating systems (and OS versions) they are running what type of packet filtersfirewalls are in use and dozens of other characteristics It was designed to rapidly scan large networks but works fine against single hosts Nmap runs on all major computer operating systems and official binary packages are avalable for Linux Windows and Mac OS X

Command: > nmap -v -A targethost

Nmap features include:

Host Discovery - Identifying hosts on a network, for example listing the hosts which respond to pings or which have a particular port open.

Port Scanning - Enumerating the open ports on one or more target hosts.

Version Detection - Interrogating listening network services on remote devices to determine the application name and version number.


OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.

Scriptable interaction with the target - Using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made.

Typical uses of Nmap:

Auditing the security of a device by identifying the network connections which can be made to it.

Identifying open ports on a target host in preparation for auditing.

Network inventory, network mapping, maintenance and asset management.

Auditing the security of a network by identifying unexpected new servers.

Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

By default, Nmap performs a SYN scan, which works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states.

To perform a SYN scan on the host www.yourorg.com, use the command:

nmap www.yourorg.com

Syntax

nmap [Scan Type(s)] [Options] target specification

TARGET SPECIFICATION


-iL: Input from list of hosts/networks

-iR: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY

-sL: List Scan - simply list targets to scan

-sP: Ping Scan - go no further than determining if host is online

-P0: Treat all hosts as online -- skip host discovery

-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2],...>: Specify custom DNS servers

--system-dns: Use OS's DNS resolver

SCAN TECHNIQUES

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idlescan

-sO: IP protocol scan

-b <ftp relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

-p <port ranges>: Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

-F: Fast - Scan only the ports listed in the nmap-services file


-r: Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION

-O Enable OS detection

--osscan-limit Limit OS detection to promising targets

--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

-T[0-5]: Set timing template (higher is faster)

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

--min-parallelism/max-parallelism <time>: Probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time

--max-retries <tries>: Caps number of port scan probe retransmissions

--host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING

-f; --mtu <val>: Fragment packets (optionally w/given MTU)

-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

--data-length <num>: Append random data to sent packets

--ttl <val>: Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

--badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use twice for more effect)

-d[level]: Set or increase debugging level (up to 9 is meaningful)

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file

--append-output: Append to rather than clobber specified output files

--resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

--webxml: Reference stylesheet from Insecure.Org for more portable XML

--no-stylesheet: Prevent associating of XSL stylesheet w/XML output


MISC

-6 Enable IPv6 scanning

-A: Enables OS detection and version detection

--datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets

--privileged Assume that the user is fully privileged

-V Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
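One of the typical uses listed above, identifying unexpected new servers, comes down to comparing scan results over time. The following Python is an added example, not part of the manual or of Nmap: it parses Nmap's grepable (-oG) output for a baseline scan and a later scan (both constructed inline, with made-up addresses) and reports hosts and open ports that were not present in the baseline. The function names are this example's own.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for a baseline scan.
# Addresses and hostnames are made up. Fields in a "Host:" line are
# tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
BASELINE_OG = """\
# Nmap scan initiated as: nmap -sS -oG baseline.gnmap 192.168.1.0/29
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1678)
Host: 192.168.1.11 (mail01)\tPorts: 25/open/tcp//smtp///, 443/closed/tcp//https///\tIgnored State: filtered (1678)
# Nmap done
"""

# Constructed sample of a later scan of the same subnet: one host gained a
# port, one port changed from closed to open, and a new host appeared.
CURRENT_OG = """\
# Nmap scan initiated as: nmap -sS -oG current.gnmap 192.168.1.0/29
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: closed (1677)
Host: 192.168.1.11 (mail01)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (1678)
Host: 192.168.1.12 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (1679)
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_gnmap(text):
    """Return {ip: {(port, proto), ...}} holding only ports reported as 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skips the "# Nmap ..." comment lines
        ip = HOST_RE.match(line).group(1)
        open_ports = hosts.setdefault(ip, set())  # register host even if nothing is open
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue  # malformed entry, ignore rather than crash
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open":
                    open_ports.add((int(port), proto))
    return hosts


def diff_scans(baseline, current):
    """Return (new_hosts, new_ports): hosts absent from the baseline, and
    (ip, port, proto) tuples that are open now but were not open before."""
    new_hosts = sorted(set(current) - set(baseline))
    new_ports = []
    for ip, ports in current.items():
        for port, proto in ports - baseline.get(ip, set()):
            new_ports.append((ip, port, proto))
    return new_hosts, sorted(new_ports)


if __name__ == "__main__":
    new_hosts, new_ports = diff_scans(parse_gnmap(BASELINE_OG), parse_gnmap(CURRENT_OG))
    for ip in new_hosts:
        print(f"new host since baseline: {ip}")
    for ip, port, proto in new_ports:
        print(f"new open port since baseline: {ip} {port}/{proto}")
```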


Lanmap

Lanmap listens to all available traffic on the interface of your choice, figures out who's talking to who, how much, and using which protocols. This information is then put into a nice human-readable 2D image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example:

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.


You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D all|raw - Debug mode (lots of output, use with caution); payload bytes to dump (default 0).
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use. "list": list all devices and exit. "3Com": use the first NIC with "3Com" in its name.
-V - Version info.
-v - Verbose mode, up to 3 levels (-v, -vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contain both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":


s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01 02 03 04");
s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs such as the strings "4141", "\x41", "0x41", "41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01 02 03 04");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example, two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
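The size-field bookkeeping described above is the part worth seeing in code. The following Python is an added example, not SPIKE's code: BlockBuilder is a hypothetical stand-in for the s_* API that reserves a size field before its block and patches it when the block closes, so that encoding the somepacketdata/innerdata layout with a longer string variable updates both size fields automatically.

```python
import struct


class BlockBuilder:
    """Hypothetical model of SPIKE's block/size-field mechanism (not SPIKE's API).
    Bytes are appended in order; a size field emitted before its block is
    filled in with the block's length once block_end() is called."""

    def __init__(self):
        self.buf = bytearray()
        self.open_blocks = {}     # block name -> offset where its data begins
        self.pending_sizes = {}   # block name -> [(offset, struct format), ...]

    def size_field(self, name, fmt):
        """Reserve a size field for block `name`. fmt is a struct format such as
        '>I' (big-endian word) or '>H' (big-endian halfword)."""
        self.pending_sizes.setdefault(name, []).append((len(self.buf), fmt))
        self.buf += b"\x00" * struct.calcsize(fmt)   # placeholder, patched later

    def block_start(self, name):
        self.open_blocks[name] = len(self.buf)

    def block_end(self, name):
        start = self.open_blocks.pop(name)
        length = len(self.buf) - start                 # size covers the block body only
        for offset, fmt in self.pending_sizes.pop(name, []):
            struct.pack_into(fmt, self.buf, offset, length)

    def binary(self, text):
        """Accept loosely formatted hex such as '01 02 03 04', '0x41' or '\\x41'."""
        cleaned = text.replace("0x", "").replace("\\x", "").replace(" ", "")
        self.buf += bytes.fromhex(cleaned)

    def word_be(self, value):
        self.buf += struct.pack(">I", value)

    def string(self, text):
        self.buf += text.encode()

    def build(self):
        return bytes(self.buf)


def nested_example(select="SELECT", word=0x02):
    """Encode the manual's nested example; the defaults are the ones in the text,
    and any other values stand in for one mutation of the two variables."""
    b = BlockBuilder()
    b.size_field("somepacketdata", ">I")   # s_block_size_binary_bigendian_word
    b.block_start("somepacketdata")
    b.binary("01 02 03 04")
    b.size_field("innerdata", ">H")        # s_blocksize_halfword_bigendian
    b.block_start("innerdata")
    b.binary("00 01")
    b.word_be(word)                        # s_binary_bigendian_word_variable
    b.string(select)                       # s_string_variable
    b.block_end("innerdata")
    b.block_end("somepacketdata")
    return b.build()


if __name__ == "__main__":
    print(nested_example().hex(" "))
    print(nested_example("SELECT" * 10)[:10].hex(" "), "...")
```

With the defaults the inner block is 2 + 4 + 6 = 12 bytes and the outer block 4 + 2 + 12 = 18, so the packet starts 00 00 00 12 01 02 03 04 00 0c.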

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Testing old vulnerabilities on new programs

Making it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(), s_block_end(), s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database. Source: Httprint. To get the CLI, use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint


Now, first things first: you should probably go ahead and update your signature file. It will usually be in:

/pentest/enumeration/www/httprint_301/linux

Look for signatures.txt. OK, now to update, just go to the signatures page and do a "save as"; make sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. OK, you should see something like:

inputs for httprint can be:
- individual IP addresses (default port 80)
- http://servername[:port]
- https://servername[:port]
- IP range x.x.x.x-y.y.y.y
http://www.apache DOT org


dsniff - password sniffer. The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.


It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interface
Specify the interface to listen on.

-p pcapfile
Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen
Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services
Load triggers from a services file.

-t trigger[,...]
Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile
Read sniffed sessions from a savefile created with the -w option.

-w file
Write sniffed sessions to savefile rather than parsing and printing them out.

expression
Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services - Default trigger table

/etc/dsniff/dsniff.magic - Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail in open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C  ACL MTU: 192:8  SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0


root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr. But 3proxy is not a kind of wrapper or superserver for these daemons; it just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages, and even accept incoming connections behind the proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied, or redirected to another host, to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file


Name of the config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads its configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install
(Windows NT family only) install 3proxy as a system service

--remove
(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM
cleanup connections and exit

SIGPAUSE
stop accepting new connections; on a second signal, start and re-read configuration

SIGCONT
start accepting new connections

SIGUSR1
reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
3proxy configuration file.

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

And as a powerful back-end tool, it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat. Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised). Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...
cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ''metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes ('-'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc


  • Synopsis
  • Description
  • options
  • Files
  • OPTIONS
  • SIGNALS
  • FILES
  • Name
  • Options
  • Bugs
Page 4: Backtrack Manual Part3

tcptraceroute A traceroute implementation using TCP packets The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one and increments the TTL until the destination has been reached By printing the gateways that generate ICMP time exceeded messages along the way it is able to determine the path packets are taking to reach the destination The problem is that with the widespread use of firewalls on the modern Internet many of the packets that traceroute(8) sends out end up being filtered making it impossible to completely trace the path to the destination However in many cases these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on By sending out TCP SYN packets instead of UDP or ICMP ECHO packets tcptraceroute is able to bypass the most common firewall filters

It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host If the host is not listening for incoming connections it will respond with an RST indicating that the port is closed If the host instead responds with a SYN|ACK the port is known to be open and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing three-way handshake This is the same half-open scanning technique that nmap(1) uses when passed the -sS flag

To trace the path to a web server listening for connections on port 80

tcptraceroute webserver

To trace the path to a mail server listening for connections on port 25

tcptraceroute mailserver 25

Project By Nutan Kumar Panda

Nmap (Network Mapper) is a utility for network exploration or security auditing Many systems and network administrators also find it useful for tasks such as network inventory managing service upgrade schedules and monitoring host or service uptime Nmap uses raw IP packets in novel ways to determine what hosts are available on the network what services (application name and version) those hosts are offering what operating systems (and OS versions) they are running what type of packet filtersfirewalls are in use and dozens of other characteristics It was designed to rapidly scan large networks but works fine against single hosts Nmap runs on all major computer operating systems and official binary packages are avalable for Linux Windows and Mac OS X

Command gtnmap -v -A targethost

Nmap features include

Host Discovery - Identifying hosts on a network for example listing the hosts which

respond to pings or which have a particular port open

Port Scanning - Enumerating the open ports on one or more target hosts

Version Detection - Interrogating listening network services listening on remote

devices to determine the application name and version number

Project By Nutan Kumar Panda

OS Detection - Remotely determining the operating system and some hardware

characteristics of network devices

Scriptable interaction with the target - using Nmap Scripting Engine (NSE)

and Lua programming language customized queries can be made Nmap Scripting

Engine

Typical uses of Nmap

Auditing the security of a device by identifying the network connections which can be

made to it

Identifying open ports on a target host in preparation for auditing

Network inventory Network mapping maintenance and asset management Auditing the security of a network by identifying unexpected new servers

Nmap is used to discover computers and services on a computer network thus creating a

ldquomaprdquo of the network Just like many simple port scanners Nmap is capable of discovering

passive services on a network despite the fact that such services arenrsquot advertising

themselves with a service discovery protocol In addition Nmap may be able to determine

various details about the remote computers These include operating system device type

uptime software product used to run a service exact version number of that product

presence of some firewall techniques and on a local area network even vendor of the

remote network card

By default Nmap performs a SYN Scan which works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms It can be used to quickly scan thousands of ports and it allows clear reliable differentiation between ports in open closed and filtered states

To perform a SYN scan on the host wwwyourorgcom

use the commandnmap wwwyourorgcom

Syntax

nmap [Scan Type(s)] [Options] target specification

TARGET SPECIFICATION

Project By Nutan Kumar Panda

-iL Input from list of hostsnetworks

-iR Choose random targets

--exclude lthost1[host2][host3]gt

Exclude hostsnetworks

--excludefile ltexclude_filegt

Exclude list from file

HOST DISCOVERY

-sL List Scan - simply list targets to scan

-sP Ping Scan - go no further than determining if host is online

-P0 Treat all hosts as online -- skip host discovery

-PSPAPU [portlist] TCP SYNACK or UDP discovery to given ports

-PEPPPM ICMP echo timestamp and netmask request discovery probes

-n-R Never do DNS resolutionAlways resolve [default sometimes]

--dns-servers ltserv1[serv2]gt

Specify custom DNS servers

--system-dns Use OSs DNS resolver

SCAN TECHNIQUES

-sSsTsAsWsM TCP SYNConnect()ACKWindowMaimon scans

-sNsFsX TCP Null FIN and Xmas scans

--scanflags ltflagsgt Customize TCP scan flags

-sI ltzombie host[probeport]gt

Idlescan

-sO IP protocol scan

-b ltftp relay hostgt FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

-p ltport rangesgt Only scan specified portsEx -p22 -p1-65535 -p U53111137T21-25801398080

-F Fast - Scan only the ports listed in the nmap-services file)

Project By Nutan Kumar Panda

-r Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION
-sV Probe open ports to determine service/version info
--version-intensity <level> Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)

OS DETECTION
-O Enable OS detection
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5] Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size> Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes> Probe parallelization (a probe count, not a time, despite what older help text says)
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> Specifies probe round trip time
--max-retries <tries> Caps number of port scan probe retransmissions
--host-timeout <time> Give up on target after this long
--scan-delay/--max-scan-delay <time> Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING
-f; --mtu <val> Fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...> Cloak a scan with decoys
-S <IP_Address> Spoof source address
-e <iface> Use specified interface
-g/--source-port <portnum> Use given port number
--data-length <num> Append random data to sent packets
--ttl <val> Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name> Spoof your MAC address
--badsum Send packets with a bogus TCP/UDP checksum

OUTPUT
-oN/-oX/-oS/-oG <file> Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
-oA <basename> Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume <filename> Resume an aborted scan
--stylesheet <path/URL> XSL stylesheet to transform XML output to HTML
--webxml Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output

MISC
-6 Enable IPv6 scanning
-A Enables OS detection and Version detection
--datadir <dirname> Specify custom Nmap data file location
--send-eth/--send-ip Send using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O. Current Nmap releases spell this option -Pn; -P0 is still accepted as a deprecated alias. Skipping host discovery means every listed address is port-scanned even if it never answers, so expect slow scans against large ranges of dead hosts.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https


Lanmap

Lanmap listens to all available traffic on the interface of your choice, figures out who's talking to whom, how much, and using which protocols. This information is then put into a human-readable 2D image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D all|raw - Debug mode; lots of output, use with caution. payload: bytes to dump (default 0).
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use. "list": list all devices and exit; "3Com": use the first NIC with "3Com" in its name.
-V - Version info.
-v - Verbose mode, up to 3 levels (-v, -vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contain both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":

    s_block_size_binary_bigendian_word("somepacketdata");
    s_block_start("somepacketdata");
    s_binary("01020304");
    s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block, and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big-endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs, such as the string "4141 \x41 0x41 41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

    s_block_size_binary_bigendian_word("somepacketdata");
    s_block_start("somepacketdata");
    s_binary("01020304");
    s_blocksize_halfword_bigendian("innerdata");
    s_block_start("innerdata");
    s_binary("00 01");
    s_binary_bigendian_word_variable(0x02);
    s_string_variable("SELECT");
    s_block_end("innerdata");
    s_block_end("somepacketdata");

In this example, two blocks are defined: somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made, so a length-checked parser still accepts the mutated packet and the oversized or malformed field reaches the code that handles it. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist. Refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples:

    s_string("HOST ");
    s_string_variable("10.20.30.40");
    s_string("\r\n");
    s_string_variable("USER");
    s_string(" v");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("PASS ");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("SITE ");
    s_string_variable("SEDV");
    s_string("\r\n");
    s_string("ACCT ");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("CWD ");
    s_string_variable(".");
    s_string("\r\n");
    s_string("SMNT ");
    s_string_variable(".");
    s_string("\r\n");
    s_string("PORT ");
    s_string_variable("1");
    s_string(",");
    s_string_variable("2");
    s_string(",");
    s_string_variable("3");
    s_string(",");
    s_string_variable("4");
    s_string(",");
    s_string_variable("5");
    s_string(",");
    s_string_variable("6");
    s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:
    Making it easy to quickly reproduce a complex binary protocol
    Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols
    Testing old vulnerabilities on new programs
    Making it easy to manually mess with protocols

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:
    s_block_start(), s_block_end(), s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:
    s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:
    s_string("Host: "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class".

A SPIKE can automatically fill in "length fields" (the block name must match between s_size_string(), s_block_start() and s_block_end()):
    s_size_string("post", 5);
    s_block_start("post");
    s_string_variable("user=bob");
    s_block_end("post");
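The size back-patching described above (a size field reserved in front of a block and rewritten on every mutation) is easy to reproduce outside the framework. The C program below is an added illustration written for this page, not SPIKE's own code: a tiny block builder whose sp_block_size_be()/sp_block_start()/sp_block_end() mimic the s_block_size_*/s_block_start()/s_block_end() calls, used to rebuild the nested somepacketdata/innerdata packet for a few constructed string heuristics (stand-ins for the list in spike.c, not taken from it), so both length prefixes can be seen tracking the payload.

```c
/* Added illustration of SPIKE-style block sizing; not SPIKE's own code.
 * A size field is emitted (zeroed) before a block and back-patched when the
 * block ends, so every mutation of a variable yields correct length prefixes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PKT    1024
#define MAX_BLOCKS 8

typedef struct {
    const char *name;
    size_t      size_off;   /* offset of the reserved size field, (size_t)-1 if none */
    int         width;      /* 2 = halfword, 4 = word; stored big-endian */
    size_t      start;      /* offset where the block content begins */
} block_t;

typedef struct {
    uint8_t buf[MAX_PKT];
    size_t  len;
    block_t blocks[MAX_BLOCKS];
    int     nblocks;
} spike_t;

static void sp_init(spike_t *s) { memset(s, 0, sizeof *s); }

static void sp_bytes(spike_t *s, const void *p, size_t n) {
    if (s->len + n > MAX_PKT) { fprintf(stderr, "packet too large\n"); exit(1); }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
}

static void sp_string(spike_t *s, const char *str) { sp_bytes(s, str, strlen(str)); }

/* Look a block up by name, creating it on first use. */
static block_t *sp_block(spike_t *s, const char *name) {
    for (int i = 0; i < s->nblocks; i++)
        if (strcmp(s->blocks[i].name, name) == 0) return &s->blocks[i];
    if (s->nblocks == MAX_BLOCKS) { fprintf(stderr, "too many blocks\n"); exit(1); }
    block_t *b = &s->blocks[s->nblocks++];
    b->name = name; b->size_off = (size_t)-1; b->width = 0; b->start = 0;
    return b;
}

/* Analogue of s_block_size_binary_bigendian_word()/s_blocksize_halfword_bigendian(). */
static void sp_block_size_be(spike_t *s, const char *name, int width) {
    static const uint8_t zero[4] = {0, 0, 0, 0};
    block_t *b = sp_block(s, name);
    b->size_off = s->len;
    b->width = width;
    sp_bytes(s, zero, (size_t)width);
}

static void sp_block_start(spike_t *s, const char *name) { sp_block(s, name)->start = s->len; }

/* Analogue of s_block_end(): length = bytes emitted since the block started
 * (nested size fields included), written back big-endian into the reserved field. */
static void sp_block_end(spike_t *s, const char *name) {
    block_t *b = sp_block(s, name);
    uint32_t size = (uint32_t)(s->len - b->start);
    if (b->size_off == (size_t)-1) return;          /* block has no size prefix */
    for (int i = 0; i < b->width; i++)
        s->buf[b->size_off + i] = (uint8_t)(size >> (8 * (b->width - 1 - i)));
}

/* The nested somepacketdata/innerdata packet from the text, with the string
 * variable supplied by the caller; returns the packet length (0 on overflow). */
static size_t build_packet(const char *string_var, uint8_t *out, size_t outlen) {
    spike_t s;
    sp_init(&s);
    sp_block_size_be(&s, "somepacketdata", 4);
    sp_block_start(&s, "somepacketdata");
    sp_bytes(&s, "\x01\x02\x03\x04", 4);
    sp_block_size_be(&s, "innerdata", 2);
    sp_block_start(&s, "innerdata");
    sp_bytes(&s, "\x00\x01", 2);
    sp_bytes(&s, "\x00\x00\x00\x02", 4);   /* word variable at its default 0x02, not mutated here */
    sp_string(&s, string_var);              /* string variable, default "SELECT" */
    sp_block_end(&s, "innerdata");
    sp_block_end(&s, "somepacketdata");
    if (s.len > outlen) return 0;
    memcpy(out, s.buf, s.len);
    return s.len;
}

static uint32_t be_read(const uint8_t *p, int width) {
    uint32_t v = 0;
    for (int i = 0; i < width; i++) v = (v << 8) | p[i];
    return v;
}

/* Build with one string value and report: 0 = total length,
 * 1 = patched outer size (offset 0, 4 bytes), 2 = patched inner size (offset 8, 2 bytes). */
static uint32_t build_and_read(const char *string_var, int which) {
    uint8_t pkt[MAX_PKT];
    size_t n = build_packet(string_var, pkt, sizeof pkt);
    if (n == 0) return 0;
    if (which == 0) return (uint32_t)n;
    return which == 1 ? be_read(pkt, 4) : be_read(pkt + 8, 2);
}

int main(void) {
    /* Constructed stand-ins for the heuristics in spike.c, not the real list. */
    const char *heuristics[] = { "SELECT", "%n%n%n%n%n%n", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof heuristics / sizeof heuristics[0]; i++)
        printf("%-34s outer=%u inner=%u total=%u\n", heuristics[i],
               (unsigned)build_and_read(heuristics[i], 1), (unsigned)build_and_read(heuristics[i], 2),
               (unsigned)build_and_read(heuristics[i], 0));
    return 0;
}
```

With the default "SELECT" the outer prefix reads 18 and the inner 12: the inner count covers only the bytes between its own start and end, while the outer count also includes the two-byte inner size field, which is exactly how SPIKE's nested blocks come out on the wire. Swapping in a 32-byte heuristic moves both prefixes without any change to the script, which is the property the text calls the framework's "true power".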

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. Httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. (Source: Httprint)

To get the CLI, use:

    cd /pentest/enumeration/www/httprint_301/linux
    ./httprint

Now, first things first, you should probably go ahead and update your signature file. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt. To update, just go to the signatures download page and do a "save as" (make sure you use a .txt extension), overwriting the one we found earlier. An out-of-date signature file is the usual reason httprint reports a confident but wrong server, so refresh it before trusting a fingerprint.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

    # inputs for httprint can be:
    # - individual IP addresses (default port 80)
    # - http://servername[:port]
    # - https://servername[:port]
    # - IP ranges xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
    http://www.apache.org

dsniff - password sniffer

The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level, to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.

It also includes programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols (sshmitm and webmitm), which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions. Note that sshmitm only works against SSH protocol version 1, and webmitm relies on the victim accepting a certificate that does not validate.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options

-c  Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).
-d  Enable debugging mode.
-m  Enable automatic protocol detection.
-n  Do not resolve IP addresses to hostnames.
-i interface  Specify the interface to listen on.
-p pcapfile  Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.
-s snaplen  Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.
-f services  Load triggers from a services file.
-t trigger[,...]  Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).
-r savefile  Read sniffed sessions from a savefile created with the -w option.
-w file  Write sniffed sessions to savefile, rather than parsing and printing them out.
expression  Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services  Default trigger table
/etc/dsniff/dsniff.magic  Network protocol magic

Dsniff contains several powerful network tools written for use in penetration testing. arpredirect (renamed arpspoof in the current dsniff releases) is a very effective way of sniffing traffic on a switch, by forging ARP replies. findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. macof floods the network with random MAC addresses, causing some switches to fail open into repeating (hub) mode, facilitating sniffing. dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

    root@slax:~# hciconfig hci0 up
    root@slax:~# hciconfig
    hci0:   Type: USB
            BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
            UP RUNNING PSCAN ISCAN
            RX bytes:148 acl:0 sco:0 events:17 errors:0
            TX bytes:65 acl:0 sco:0 commands:17 errors:0
    root@slax:~# hcitool scan
    Scanning ...
            00:02:72:CA:14:6D       TestTop
    root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application-level gateway, with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr, but 3proxy is not a kind of wrapper or superserver for these daemons. It just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client application designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind the proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACLs), like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it is very like ident authentication; like ident, the NetBIOS name is supplied by the client and is trivially forged, so do not rely on it for security decisions). Depending on the ACL action, a request can be allowed, denied, or redirected to another host, to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to log files, to syslog(3) (only under Unix), or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file
    Name of config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads the configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line of 3proxy.cfg.

--install
    (Windows NT family only) install 3proxy as a system service.

--remove
    (Windows NT family only) remove 3proxy from system services.

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM   cleanup connections and exit
SIGPAUSE  stop accepting new connections; on a second signal, start and re-read configuration
SIGCONT   start accepting new connections
SIGUSR1   reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
    3proxy configuration file

How to open ports: socks -p28800
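The ACL behaviour described above (rules matched top-down on user, source and destination network, port and HTTP operation, with a matching request optionally handed to a parent proxy) is easiest to see in a configuration file. The 3proxy.cfg below is a constructed example added for this page, not one shipped with 3proxy; the resolver address, networks, upstream proxy, user names and passwords are placeholders.

```text
# Constructed 3proxy.cfg example, added for this page (not shipped with 3proxy).
# Resolver, networks, upstream proxy, user names and passwords are placeholders.
nserver 192.0.2.53
nscache 65536
log /var/log/3proxy/3proxy.log D
auth strong
users alice:CL:Str0ngPassw0rd
users bob:CL:An0therPassw0rd

# ACL rules are evaluated top-down; the first matching rule decides.
# alice: from the LAN only, to ports 80/443 only, plain HTTP GET/POST or CONNECT
allow alice 192.0.2.0/24 * 80,443 GET,POST,CONNECT
# bob: never the management network, otherwise any TCP destination from the LAN
deny bob * 10.0.0.0/8 *
allow bob 192.0.2.0/24 * *
# requests matched by the allow rule just above are forwarded to an upstream proxy
parent 1000 http 198.51.100.10 3128
# anything not matched above is refused
deny *
proxy -p3128

# flush discards the rules above so the SOCKS gateway gets its own ACL
flush
allow bob 192.0.2.0/24 * *
deny *
socks -p1080
```

The explicit deny * at the end of each rule set is the point to check in a review: without it a request that matches no rule falls through, and with auth strong in place every rule is keyed to an authenticated user name rather than to whatever the client claims.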

Cryptcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

As a powerful back-end tool it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data-sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit-card numbers have been stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited capabilities. On the one hand it can provide security and protect your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with Twofish encryption.

    Machine A: cryptcat -l -p 1234 < testfile
    Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing; however, in this case the data transferred is encrypted. Both sides here use the built-in default key (see the -k option below), so anyone who knows that default can decrypt the capture.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat. Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised). Encryption greatly reduces the risk of data contamination or injection, though cryptcat adds no integrity check, so tampered ciphertext is garbled rather than detected.

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...
cryptcat -k secret -l -p port [-options] [hostname] [port]

Description

Cryptcat can act as a TCP or UDP client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ``metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes (`--'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc


Nmap (Network Mapper) is a utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Command: nmap -v -A targethost

Nmap features include:

Host Discovery - Identifying hosts on a network, for example listing the hosts which respond to pings, or which have a particular port open.
Port Scanning - Enumerating the open ports on one or more target hosts.
Version Detection - Interrogating listening network services on remote devices to determine the application name and version number.
OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.
Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made.

Typical uses of Nmap:

Auditing the security of a device by identifying the network connections which can be made to it.
Identifying open ports on a target host in preparation for auditing.
Network inventory, network mapping, maintenance and asset management.
Auditing the security of a network by identifying unexpected new servers.

Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

By default, Nmap performs a SYN scan, which works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states. The SYN scan needs raw-socket privileges (root on BackTrack); run as an unprivileged user, Nmap silently falls back to a full connect() scan, which completes the handshake and is far more visible in the target's logs.

To perform a SYN scan on the host www.yourorg.com, use the command:

nmap www.yourorg.com

Syntax

nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION

-iL <inputfilename> Input from list of hosts/networks

-iR Choose random targets

--exclude lthost1[host2][host3]gt

Exclude hostsnetworks

--excludefile ltexclude_filegt

Exclude list from file

HOST DISCOVERY

-sL List Scan - simply list targets to scan

-sP Ping Scan - go no further than determining if host is online

-P0 Treat all hosts as online -- skip host discovery

-PSPAPU [portlist] TCP SYNACK or UDP discovery to given ports

-PEPPPM ICMP echo timestamp and netmask request discovery probes

-n-R Never do DNS resolutionAlways resolve [default sometimes]

--dns-servers ltserv1[serv2]gt

Specify custom DNS servers

--system-dns Use OSs DNS resolver

SCAN TECHNIQUES

-sSsTsAsWsM TCP SYNConnect()ACKWindowMaimon scans

-sNsFsX TCP Null FIN and Xmas scans

--scanflags ltflagsgt Customize TCP scan flags

-sI ltzombie host[probeport]gt

Idlescan

-sO IP protocol scan

-b ltftp relay hostgt FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

-p ltport rangesgt Only scan specified portsEx -p22 -p1-65535 -p U53111137T21-25801398080

-F Fast - Scan only the ports listed in the nmap-services file)

Project By Nutan Kumar Panda

-r Scan ports consecutively - dont randomize

SERVICEVERSION DETECTION

-sV Probe open ports to determine serviceversion info

--version-intensity ltlevelgt

Set from 0 (light) to 9 (try all probes)

--version-light Limit to most likely probes (intensity 2)

--version-all Try every single probe (intensity 9)

--version-trace Show detailed version scan activity (for debugging)

OS DETECTION

-O Enable OS detection

--osscan-limit Limit OS detection to promising targets

--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE

Options which take lttimegt are in milliseconds unless you append s (seconds) m (minutes) or h (hours) to the value (eg 30m)

-T[0-5] Set timing template (higher is faster)

--min-hostgroupmax-hostgroup ltsizegt

Parallel host scan group sizes

--min-parallelismmax-parallelism lttimegt

Probe parallelization

--min-rtt-timeoutmax-rtt-timeoutinitial-rtt-timeout lttimegt

Specifies probe round trip time

--max-retries lttriesgt Caps number of port scan probe retransmissions

--host-timeout lttimegt

Give up on target after this long

--scan-delay--max- Adjust delay between probes

Project By Nutan Kumar Panda

scan-delay lttimegt

FIREWALLIDS EVASION AND SPOOFING

-f --mtu ltvalgt fragment packets (optionally wgiven MTU)

-D ltdecoy1decoy2[ME]gt

Cloak a scan with decoys

-S ltIP_Addressgt Spoof source address

-e ltifacegt Use specified interface

-g--source-port ltportnumgt

Use given port number

--data-length ltnumgt Append random data to sent packets

--ttl ltvalgt Set IP time-to-live field

--spoof-mac ltmac addressprefixvendor namegt

Spoof your MAC address

--badsum Send packets with a bogus TCPUDP checksum

OUTPUT

-oN-oX-oS-oG ltfilegt

Output scan in normal XML s|ltrIpt kIddi3 and Grepable format respectively to the given filename

-oA ltbasenamegt Output in the three major formats at once

-v Increase verbosity level (use twice for more effect)

-d[level] Set or increase debugging level (Up to 9 is meaningful)

--packet-trace Show all packets sent and received

--iflist Print host interfaces and routes (for debugging)

--log-errors Log errorswarnings to the normal-format output file

--append-output Append to rather than clobber specified output files

--resume ltfilenamegt Resume an aborted scan

--stylesheet ltpathURLgt

XSL stylesheet to transform XML output to HTML

--webxml Reference stylesheet from InsecureOrg for more portable XML

--no-stylesheet Prevent associating of XSL stylesheet wXML output

Project By Nutan Kumar Panda

MISC

-6 Enable IPv6 scanning

-A Enables OS detection and Version detection

--datadir ltdirnamegt Specify custom Nmap data file location

--send-eth--send-ip Send using raw ethernet frames or IP packets

--privileged Assume that the user is fully privileged

-V Print version number

nmap -P0 2042281503

Running the above port scan on the Computer Hope IP address would give information similar to the below example Keep in mind that with the above command its -Pltzerogt not the letter O

Interesting ports on wwwcomputerhopecom (2042281503)Not shown 1019 filtered ports 657 closed portsPORT STATE SERVICE21tcp open ftp80tcp open http113tcp open auth443tcp open https

Project By Nutan Kumar Panda

Lanmap

Lanmap Listens to all available traffic on the interface of your choice figures out whorsquos talking to who how much using which protocols This information is then put into a nice human-readable 2d image (various formats are available) which can be used to understand a networkrsquos topologysudo aptitude install lanmapThis will complete the installation

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T pnggifsvg] [-f filtetr] [-D allraw] [-r seconds][-i wildcardiface] [-h] [-v] [-V]

lanmap examplelanmap -i eth0 -r 30 -T png -o tmpThis will create a lanmappng file under tmp folder

Project By Nutan Kumar Panda

You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images Default is the current directory-e program - The program to use to generate images Default is twopi-T pnggifsvg - Output image format Default is png-f filter - Traffic filter in libpcap syntax-D allraw - Debug mode lots of output use with caution payload bytes to dump (default 0)-r seconds - Set the time interval between 2 consecutive graph generations Default is 60 seconds-i wildcardiface - Interface to use list all devices and exit 3Com use the first NIC withldquo3Comrdquo in it-V - Version info-vv - Verbose mode up to 3 levels (-vv -vv0921 29112007v)-h - Help message

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols Protocol data structures are broken down and represented as blocks also referred to as a SPIKE which contains both binary data and the block size Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations To better understand the block-based concept consider the following simple example from the whitepaper The Advantages of Block-Based Protocol Analysis for Security Testing8

Project By Nutan Kumar Panda

s_block_size_binary_bigendian_word(somepacketdata) s_block_start(somepacketdata) s_binary(01020304) s_block_end(somepacketdata)

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata pushes the four bytes 0x01020304 into the block and prefixes the block with the block length In this case the block length would be calculated as 4 and stored as a big endian word Note that most of the SPIKE API is prefixed with either s_ orspike_ The s_binary() API is used to add binary data to a block and is quite liberal with its argument format allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00 Although simple this example demonstrates the basics and overall approach of constructing a SPIKE As SPIKE allows blocks to be embedded within other blocks arbitrarily complex protocols can be easily broken down into their smallest atoms Expanding on the previous example

s_block_size_binary_bigendian_word(somepacketdata)s_block_start(somepacketdata)s_binary(01020304)s_blocksize_halfword_bigendian(innerdata)s_block_start(innerdata)s_binary(00 01)s_binary_bigendian_word_variable(0x02)s_string_variable(SELECT)s_block_end(innerdata)s_block_end(somepacketdata)

In this example two blocks are defined somepacketdata and innerdata The latter block is contained within the former block and each individual block is prefixed with a size value The newly defined innerdata block begins with a static two-byte value (0x0001) followed by a four-byte variable integer with a default value of 0x02 and finally a string variable with a default value of SELECT Thes_binary_bigendian_word_variable()and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics) respectively that have been known in the past to uncover security vulnerabilities SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made To examine or expand the current list of fuzz variables look at SPIKEsrcspikecVersion 29 of the framework contains a list of almost 700 error-inducing heuristics

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Testing old vulnerabilities on new programs

Making it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(); s_block_end(); s_blocksize_halfword_bigendian();

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string();

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host: "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class"

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. (Source: Httprint)

To get the CLI, use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint


Now, first things first: you should probably go ahead and update your signature file. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt.

To update, just go to the signatures download and do a "save as", making sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

inputs for httprint can be:
- individual IP addresses (default port 80)
- http://servername[:port]
- https://servername[:port]
- IP range xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
http://www.apache.org

dsniff - password sniffer. The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer, but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.


It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

options

-c: Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d: Enable debugging mode.

-m: Enable automatic protocol detection.

-n: Do not resolve IP addresses to hostnames.

-i interface: Specify the interface to listen on.

-p pcapfile: Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen: Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services: Load triggers from a services file.

-t trigger[,...]: Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile: Read sniffed sessions from a savefile created with the -w option.

-w file: Write sniffed sessions to savefile rather than parsing and printing them out.

expression: Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services: Default trigger table

/etc/dsniff/dsniff.magic: Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail in open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application-level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways: HTTP and HTTPS proxy (with FTP over HTTP support), SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr. But 3proxy is not a kind of wrapper or superserver for these daemons; it just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client application designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind a proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied, or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, to syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file: Name of config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads its configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install (Windows NT family only): install 3proxy as a system service

--remove (Windows NT family only): remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM: clean up connections and exit.

SIGPAUSE: stop accepting new connections; on a second signal, start and re-read the configuration.

SIGCONT: start accepting new connections.

SIGUSR1: reload configuration.

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg): 3proxy configuration file.

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

And as a powerful back-end tool it also lets a user hide their IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit-card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with Twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat.

Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised).

Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...
cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server, connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ``metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc


OS Detection - Remotely determining the operating system and some hardware characteristics of network devices

Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made

Typical uses of Nmap

Auditing the security of a device by identifying the network connections which can be made to it

Identifying open ports on a target host in preparation for auditing

Network inventory, network mapping, maintenance and asset management

Auditing the security of a network by identifying unexpected new servers

Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network, despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

By default Nmap performs a SYN scan, which works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states.

To perform a SYN scan on the host www.yourorg.com, use the command: nmap www.yourorg.com

Syntax

nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION

-iL: Input from list of hosts/networks

-iR: Choose random targets

--exclude <host1[,host2][,host3],...>: Exclude hosts/networks

--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY

-sL: List Scan - simply list targets to scan

-sP: Ping Scan - go no further than determining if host is online

-P0: Treat all hosts as online -- skip host discovery

-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers <serv1[,serv2],...>: Specify custom DNS servers

--system-dns: Use OS's DNS resolver

SCAN TECHNIQUES

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

-sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags <flags>: Customize TCP scan flags

-sI <zombie host[:probeport]>: Idlescan

-sO: IP protocol scan

-b <ftp relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

-p <port ranges>: Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

-F: Fast - Scan only the ports listed in the nmap-services file

-r: Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION

-O: Enable OS detection

--osscan-limit: Limit OS detection to promising targets

--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

-T[0-5]: Set timing template (higher is faster)

--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

--min-parallelism/max-parallelism <time>: Probe parallelization

--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time

--max-retries <tries>: Caps number of port scan probe retransmissions

--host-timeout <time>: Give up on target after this long

--scan-delay/--max-scan-delay <time>: Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING

-f; --mtu <val>: fragment packets (optionally w/given MTU)

-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

-S <IP_Address>: Spoof source address

-e <iface>: Use specified interface

-g/--source-port <portnum>: Use given port number

--data-length <num>: Append random data to sent packets

--ttl <val>: Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

--badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename

-oA <basename>: Output in the three major formats at once

-v: Increase verbosity level (use twice for more effect)

-d[level]: Set or increase debugging level (up to 9 is meaningful)

--packet-trace: Show all packets sent and received

--iflist: Print host interfaces and routes (for debugging)

--log-errors: Log errors/warnings to the normal-format output file

--append-output: Append to rather than clobber specified output files

--resume <filename>: Resume an aborted scan

--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

--webxml: Reference stylesheet from Insecure.Org for more portable XML

--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC

-6: Enable IPv6 scanning

-A: Enables OS detection and Version detection

--datadir <dirname>: Specify custom Nmap data file location

--send-eth/--send-ip: Send using raw ethernet frames or IP packets

--privileged: Assume that the user is fully privileged

-V: Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
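As an added example (not from the report or from Nmap itself) of the "unexpected new servers" audit listed above: a Python parser for the normal-format output shown above that compares each host's open ports against an approved baseline. The sample scan text, the host and the baseline are constructed placeholders.

```python
import re

# Constructed sample modelled on the normal-format output shown above; the host
# name and the RFC 5737 address are placeholders, not a real scan target.
SAMPLE_SCAN = """\
Interesting ports on host.example (192.0.2.10):
Not shown: 1019 filtered ports, 657 closed ports
PORT     STATE         SERVICE
21/tcp   open          ftp
80/tcp   open          http
113/tcp  open          auth
443/tcp  open          https
3389/tcp open          ms-term-serv
53/udp   open|filtered domain
"""

# Approved exposure per host (constructed); any other open port is a finding.
BASELINE = {"192.0.2.10": {"80/tcp", "443/tcp"}}

# Nmap 4.x prints "Interesting ports on"; Nmap 5 and later print "Nmap scan report for".
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?"
)
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp|sctp))\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return {ip: {"port/proto": service}} for ports whose state is exactly "open".

    "open|filtered" (typical for UDP) is ambiguous and deliberately not counted.
    """
    scan, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            scan.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(2) == "open":
            scan[current][m.group(1)] = m.group(3)
    return scan


def unexpected_services(scan, baseline):
    """Open ports per host that the baseline does not approve."""
    findings = {}
    for ip, ports in scan.items():
        allowed = baseline.get(ip, set())
        extra = {port: svc for port, svc in ports.items() if port not in allowed}
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_services(parse_open_ports(SAMPLE_SCAN), BASELINE).items():
        for port, svc in sorted(extra.items(), key=lambda kv: int(kv[0].split("/")[0])):
            print(f"{ip}: unexpected {svc} on {port}")
```

Running it against the constructed sample flags ftp, auth and ms-term-serv as unapproved while the ambiguous 53/udp line is ignored; in practice the same logic would be run over a scheduled -oN output file and the baseline kept under change control.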


Lanmap

Lanmap listens to all available traffic on the interface of your choice, figures out who's talking to who, how much, and using which protocols. This information is then put into a nice human-readable 2D image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D all|raw - Debug mode; lots of output, use with caution; payload bytes to dump (default 0).
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use; "list" lists all devices and exits; "3Com" uses the first NIC with "3Com" in it.
-V - Version info.
-v - Verbose mode, up to 3 levels (-vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols Protocol data structures are broken down and represented as blocks also referred to as a SPIKE which contains both binary data and the block size Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations To better understand the block-based concept consider the following simple example from the whitepaper The Advantages of Block-Based Protocol Analysis for Security Testing8

Project By Nutan Kumar Panda

s_block_size_binary_bigendian_word(somepacketdata) s_block_start(somepacketdata) s_binary(01020304) s_block_end(somepacketdata)

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata pushes the four bytes 0x01020304 into the block and prefixes the block with the block length In this case the block length would be calculated as 4 and stored as a big endian word Note that most of the SPIKE API is prefixed with either s_ orspike_ The s_binary() API is used to add binary data to a block and is quite liberal with its argument format allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00 Although simple this example demonstrates the basics and overall approach of constructing a SPIKE As SPIKE allows blocks to be embedded within other blocks arbitrarily complex protocols can be easily broken down into their smallest atoms Expanding on the previous example

s_block_size_binary_bigendian_word(somepacketdata)s_block_start(somepacketdata)s_binary(01020304)s_blocksize_halfword_bigendian(innerdata)s_block_start(innerdata)s_binary(00 01)s_binary_bigendian_word_variable(0x02)s_string_variable(SELECT)s_block_end(innerdata)s_block_end(somepacketdata)

In this example two blocks are defined somepacketdata and innerdata The latter block is contained within the former block and each individual block is prefixed with a size value The newly defined innerdata block begins with a static two-byte value (0x0001) followed by a four-byte variable integer with a default value of 0x02 and finally a string variable with a default value of SELECT Thes_binary_bigendian_word_variable()and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics) respectively that have been known in the past to uncover security vulnerabilities SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made To examine or expand the current list of fuzz variables look at SPIKEsrcspikecVersion 29 of the framework contains a list of almost 700 error-inducing heuristics

Using the basic concepts demonstrated in the previous example you can begin to see how arbitrarily complex protocols can be modeled in this framework A number of additional APIs and examples exist Refer to the SPIKE documentation for further information Sticking to the running example the following code excerpt is from an FTP fuzzer distributed with SPIKE This is not the best showcase of SPIKEs capabilities as no blocks are actually defined but it helps to compare apples with apples

Project By Nutan Kumar Panda

s_string(HOST )s_string_variable(10203040)s_string(rn)s_string_variable(USER)s_string( v)s_string_variable(bob)s_string(rn)s_string(PASS )s_string_variable(bob)s_string(rn)s_string(SITE )s_string_variable(SEDV)s_string(rn)s_string(ACCT )s_string_variable(bob)s_string(rn)s_string(CWD )s_string_variable()s_string(rn)s_string(SMNT )s_string_variable()s_string(rn)s_string(PORT )s_string_variable(1)s_string()s_string_variable(2)s_string()s_string_variable(3)s_string()s_string_variable(4)s_string()s_string_variable(5)s_string()s_string_variable(6)s_string(rn)

The Goals of SPIKE

Find new vulnerabilities by

Making it easy to quickly reproduce a complex binary protocol

Develop a base of knowledge within SPIKE about different kinds of

bugclasses affecting similar protocols

Test old vulnerabilities on new programs

Make it easy to manually mess with protocols

Project By Nutan Kumar Panda

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks

s_block_start() s_block_end() s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data network code and common

marshalling routines easy

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots

s_string(ldquoHost ldquo) s_string_variable(ldquolocalhostrdquo)

A SPIKE is a kind of First In First Out Queue or ldquoBuffer Classrdquo

A SPIKE can automatically fill in ldquolength fieldsrdquo

s_size_string(ldquopostrdquo5)

s_block_start(ldquoPostrdquo)

s_string_variable(ldquouser=bobrdquo)

s_block_end(ldquopostrdquo)

Httprint is a web server fingerprinting tool It relies on web server characteristics to accurately identify web servers despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask Httprint can also be used to detect web enabled devices which do not have a server banner string such as wireless access points routers switches cable modems etc httprint uses text signature strings and it is very easy to add signatures to the signature databaseSource HttprintTo get the CLI useCodecd pentestenumerationwwwhttprint_301linux httprint

Project By Nutan Kumar Panda

Now first things first you should probably go ahead and update your Signature FileSo it will usually be inCodepentestenumerationwwwhttprint_301linux

look for signaturestxtok now to update just go to signatures and do a save as make sure you use a txt extension Overwriting the one we found earlier

Next letrsquos get the inputtxt file and set it up (its located in the same place as before)This is the second file that we want to work with so and open it up using your favorite text editorOk you should see something likeCode inputs for httprint can be - individual IP addresses (default port 80) - httpservername [port] - httpsservername[port] - IP range xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

inputs for httprint can be - individual IP addresses (default port 80) - httpservername[port] - httpsservername[port] - IP ranges xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

dsniff - password sniffer The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted Dsniff as the name implies is a network sniffer - but designed for testing of a different sort dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information such as usernames and passwords web pages being visited contents of email and more Additionally it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible not just traffic involving the host dsniff is running on

Project By Nutan Kumar Panda

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[]]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interfaceSpecify the interface to listen on

-p pcapfileRather than processing the contents of packets observed upon the network process the given PCAP capture file

-s snaplenAnalyze at most the first snaplen bytes of each TCP connection rather than the default of 1024

-f servicesLoad triggers from a services file

-t trigger[]Load triggers from a comma-separated list specified as portproto=service (eg 80tcp=http)

-r savefile

Project By Nutan Kumar Panda

Read sniffed sessions from a savefile created with the -w option-w file

Write sniffed sessions to savefile rather than parsing and printing them outexpression

Specify a tcpdump(8) filter expression to select traffic to sniffOn a hangup signal dsniff will dump its current trigger table to dsniffservices

Files

etcdsniffdsniffservices

Default trigger tableetcdsniffdsniffmagic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies Findgw determines the local gateway of an unknown network via passive sniffing which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch Macof floods the network with random MAC addresses causing some switches to fail in open repeating mode facilitating sniffing Dsniff is a simple password sniffer which parses passwords from many protocols only saving the interesting bits Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986 urlsnarf outputs all requested URLs from HTTP traffic webspy sends URLs sniffed from a client to your local Netscape browser for display updated in real-time (as the target surfs your browser surfs along with them automagically)

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is universal proxy server. It can be used to provide internal users with fully controllable access to external resources or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend functionality of existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as application level gateway with configuration like hardware router has for network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from configuration file like independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr, but 3proxy is not a kind of wrapper or superserver for these daemons. It just has same code compiled in, but provides much more functionality. SOCKSv5 implementation allows to use 3proxy with any UDP or TCP based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind proxy server.

dnspr does not exist as independent service. It is DNS caching proxy (it requires nscache and nserver to be set in configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter request on username basis, user must be authenticated somehow. There are few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on ACL action, request can be allowed, denied or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, syslog(3) (only under Unix) or to ODBC database. Logging format is tunable to provide compatibility with existing log file parsers. It makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file
Name of config file. See 3proxy.cfg(3) for configuration file format. Under Windows, if config_file is not specified, 3proxy looks for file named 3proxy.cfg in the default location (in same directory with executable file and in current directory). Under Unix, if no config file is specified, 3proxy reads configuration from stdin. It makes it possible to use 3proxy.cfg file as executable script just by setting +x mode and adding #!/usr/local/3proxy/3proxy as a first line in 3proxy.cfg.

--install
(Windows NT family only) install 3proxy as a system service.

--remove
(Windows NT family only) remove 3proxy from system services.

SIGNALS

Under Unix there are few signals 3proxy catches. See kill(1).

SIGTERM
cleanup connections and exit

SIGPAUSE
stop to accept new connections; on second signal - start and re-read configuration

SIGCONT
start to accept new connections

SIGUSR1
reload configuration

Under Windows, if 3proxy is installed as service, you can use standard service management to start, stop, pause and continue 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

Web admin service can also be used to reload configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
3proxy configuration file

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

And as a powerful back-end tool, it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find out that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit-card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed. And not only for security purposes.

Cryptcat is the standard netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat.
Encrypted data transfer.
Encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised).
Encryption nearly eliminates risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports]
cryptcat -k secret -l -p port [-options] [hostname] [port]

Description

Cryptcat can act as a tcp or udp client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ‘‘metallica’’. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes (‘-’). A summary of the options specific to cryptcat is included below.

-h
Show summary of options.

-k secret password
Change the shared secret password to be used to establish a connection.

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc.

Page 7: Backtrack Manual Part3

-iL: Input from list of hosts/networks
-iR: Choose random targets
--exclude <host1[,host2][,host3]>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-P0: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2]>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver

SCAN TECHNIQUES
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER
-p <port ranges>: Only scan specified ports
  Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast - Scan only the ports listed in the nmap-services file


-r: Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

OS DETECTION
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <time>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time
--max-retries <tries>: Caps number of port scan probe retransmissions
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME]>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output


MISC
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
-V: Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the below example. Keep in mind that with the above command it's -P<zero>, not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https


Lanmap

Lanmap listens to all available traffic on the interface of your choice, figures out who's talking to who, how much, using which protocols. This information is then put into a nice human-readable 2d image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.

You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D all|raw - Debug mode; lots of output, use with caution. Payload bytes to dump (default 0).
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use; list all devices and exit. "3Com": use the first NIC with "3Com" in it.
-V - Version info.
-v - Verbose mode, up to 3 levels (-vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contains both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs such as the string "4141 \x41 0x41 41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
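To make the size bookkeeping concrete, here is an added example in C (not SPIKE's own code; spk_block_size, build_packet, packet_field and the other names are hypothetical stand-ins) that builds the nested somepacketdata/innerdata layout above, reserves each size field when it is declared, patches it when the block closes, and then swaps the string variable to show both enclosing sizes tracking the change.

```c
/* Added example, not SPIKE's own code: a minimal block-based buffer in the
 * spirit of s_block_size_* / s_block_start / s_block_end. A size field is
 * reserved when declared and patched when its block closes, so mutating a
 * variable inside a block updates every enclosing size field automatically. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPK_BUF_MAX 4096
#define SPK_BLOCK_MAX 16

typedef struct {
    char   name[32];
    size_t size_off;   /* offset of the reserved size field in buf */
    int    size_width; /* 2 = halfword, 4 = word, both big endian */
    size_t start;      /* offset where the block's content begins */
} spk_block;

typedef struct {
    uint8_t   buf[SPK_BUF_MAX];
    size_t    len;
    spk_block blocks[SPK_BLOCK_MAX];
    int       nblocks;
} spike;

static int spk_push(spike *s, const void *p, size_t n) {
    if (s->len + n > SPK_BUF_MAX) return -1;
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    return 0;
}

static spk_block *spk_find(spike *s, const char *name) {
    for (int i = 0; i < s->nblocks; i++)
        if (strcmp(s->blocks[i].name, name) == 0) return &s->blocks[i];
    return NULL;
}

/* Reserve a zeroed big-endian size field (width 2 or 4) for the named block. */
static int spk_block_size(spike *s, const char *name, int width) {
    static const uint8_t zero[4] = {0, 0, 0, 0};
    if (s->nblocks >= SPK_BLOCK_MAX || (width != 2 && width != 4)) return -1;
    spk_block *b = &s->blocks[s->nblocks++];
    snprintf(b->name, sizeof b->name, "%s", name);
    b->size_off = s->len; b->size_width = width;
    return spk_push(s, zero, (size_t)width);
}

static int spk_block_start(spike *s, const char *name) {
    spk_block *b = spk_find(s, name);
    if (!b) return -1;
    b->start = s->len; return 0;
}

/* Close the block: patch its size field with the byte count since start. */
static int spk_block_end(spike *s, const char *name) {
    spk_block *b = spk_find(s, name);
    if (!b) return -1;
    uint32_t n = (uint32_t)(s->len - b->start);
    for (int i = 0; i < b->size_width; i++)
        s->buf[b->size_off + i] = (uint8_t)(n >> (8 * (b->size_width - 1 - i)));
    return 0;
}

static uint32_t spk_read_be(const spike *s, size_t off, int width) {
    uint32_t v = 0;
    for (int i = 0; i < width; i++) v = (v << 8) | s->buf[off + i];
    return v;
}

/* The page's nested layout: somepacketdata{ 01020304, innerdata{ 0001, word, string } }.
 * wordvar and strvar are the two "variables" a fuzzer would iterate over. */
static int build_packet(spike *s, uint32_t wordvar, const char *strvar) {
    static const uint8_t outer_static[4] = {0x01, 0x02, 0x03, 0x04};
    static const uint8_t inner_static[2] = {0x00, 0x01};
    uint8_t w[4] = { (uint8_t)(wordvar >> 24), (uint8_t)(wordvar >> 16),
                     (uint8_t)(wordvar >> 8), (uint8_t)wordvar };
    memset(s, 0, sizeof *s);
    if (spk_block_size(s, "somepacketdata", 4) || spk_block_start(s, "somepacketdata") ||
        spk_push(s, outer_static, 4) ||
        spk_block_size(s, "innerdata", 2) || spk_block_start(s, "innerdata") ||
        spk_push(s, inner_static, 2) || spk_push(s, w, 4) ||
        spk_push(s, strvar, strlen(strvar)) ||
        spk_block_end(s, "innerdata") || spk_block_end(s, "somepacketdata"))
        return -1;
    return 0;
}

/* which: 0 = total bytes, 1 = outer size field, 2 = inner size field; -1 on error. */
static long packet_field(const char *strvar, int which) {
    spike s;
    if (build_packet(&s, 0x02, strvar) < 0) return -1;
    if (which == 0) return (long)s.len;
    return (long)(which == 1 ? spk_read_be(&s, 0, 4) : spk_read_be(&s, 8, 2));
}

int main(void) {
    const char *strs[] = { "SELECT", "", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" }; /* constructed stand-in for SPIKE's heuristics */
    for (size_t i = 0; i < 3; i++)
        printf("len %2zu: outer %ld inner %ld total %ld\n", strlen(strs[i]),
               packet_field(strs[i], 1), packet_field(strs[i], 2), packet_field(strs[i], 0));
    return 0;
}
```

With the default "SELECT" the inner size field reads 12 and the outer 18, for 22 bytes in total; every other string length moves both fields by the same amount.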

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist. Refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.

s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable();
s_string("\r\n");
s_string("SMNT ");
s_string_variable();
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:
Making it easy to quickly reproduce a complex binary protocol
Develop a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols
Test old vulnerabilities on new programs
Make it easy to manually mess with protocols

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:
s_block_start(), s_block_end(), s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:
s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:
s_string("Host "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.

Source: Httprint

To get the CLI use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint

Now first things first, you should probably go ahead and update your Signature File. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt. OK, now to update, just go to signatures and do a "save as", making sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. OK, you should see something like:

# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername[:port]/
# - https://servername[:port]/
# - IP range x.x.x.x-y.y.y.y
http://www.apache DOT org/

dsniff - password sniffer

The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options

-c
Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d
Enable debugging mode.

-m
Enable automatic protocol detection.

-n
Do not resolve IP addresses to hostnames.

-i interface
Specify the interface to listen on.

Page 8: Backtrack Manual Part3

-r Scan ports consecutively - dont randomize

SERVICEVERSION DETECTION

-sV Probe open ports to determine serviceversion info

--version-intensity ltlevelgt

Set from 0 (light) to 9 (try all probes)

--version-light Limit to most likely probes (intensity 2)

--version-all Try every single probe (intensity 9)

--version-trace Show detailed version scan activity (for debugging)

OS DETECTION

-O Enable OS detection

--osscan-limit Limit OS detection to promising targets

--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE

Options which take lttimegt are in milliseconds unless you append s (seconds) m (minutes) or h (hours) to the value (eg 30m)

-T[0-5] Set timing template (higher is faster)

--min-hostgroupmax-hostgroup ltsizegt

Parallel host scan group sizes

--min-parallelismmax-parallelism lttimegt

Probe parallelization

--min-rtt-timeoutmax-rtt-timeoutinitial-rtt-timeout lttimegt

Specifies probe round trip time

--max-retries lttriesgt Caps number of port scan probe retransmissions

--host-timeout lttimegt

Give up on target after this long

--scan-delay--max- Adjust delay between probes

Project By Nutan Kumar Panda

scan-delay lttimegt

FIREWALL/IDS EVASION AND SPOOFING

-f; --mtu <val> fragment packets (optionally w/given MTU)

-D <decoy1,decoy2[,ME]> Cloak a scan with decoys

-S <IP_Address> Spoof source address

-e <iface> Use specified interface

-g/--source-port <portnum> Use given port number

--data-length <num> Append random data to sent packets

--ttl <val> Set IP time-to-live field

--spoof-mac <mac address/prefix/vendor name> Spoof your MAC address

--badsum Send packets with a bogus TCP/UDP checksum

OUTPUT

-oN/-oX/-oS/-oG <file> Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename

-oA <basename> Output in the three major formats at once

-v Increase verbosity level (use twice for more effect)

-d[level] Set or increase debugging level (Up to 9 is meaningful)

--packet-trace Show all packets sent and received

--iflist Print host interfaces and routes (for debugging)

--log-errors Log errors/warnings to the normal-format output file

--append-output Append to rather than clobber specified output files

--resume <filename> Resume an aborted scan

--stylesheet <path/URL> XSL stylesheet to transform XML output to HTML

--webxml Reference stylesheet from Insecure.Org for more portable XML

--no-stylesheet Prevent associating of XSL stylesheet w/XML output

MISC

-6 Enable IPv6 scanning

-A Enables OS detection and Version detection

--datadir <dirname> Specify custom Nmap data file location

--send-eth/--send-ip Send using raw ethernet frames or IP packets

--privileged Assume that the user is fully privileged

-V Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https

Project By Nutan Kumar Panda

Lanmap

Lanmap listens to all available traffic on the interface of your choice, figures out who's talking to who, how much, and using which protocols. This information is then put into a nice human-readable 2D image (various formats are available) which can be used to understand a network's topology.

sudo aptitude install lanmap

This will complete the installation.

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder.

You can see the same screen here.

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D all|raw - Debug mode; lots of output, use with caution. Payload bytes to dump (default 0).
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use. 'list' - list all devices and exit; '3Com' - use the first NIC with "3Com" in it.
-V - Version info.
-v - Verbose mode, up to 3 levels (-vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contains both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs, such as the string "4141 \x41 0x41 41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example, two blocks are defined: somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples:

s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Testing old vulnerabilities on new programs

Making it easy to manually mess with protocols

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(); s_block_end(); s_blocksize_halfword_bigendian();

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string();

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue, or "Buffer Class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");
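The size-field mechanics that the nested somepacketdata/innerdata script and the s_size_string() slide above both rely on, modelled in Python as an added example (this is not SPIKE's own code; SPIKE is a C library, and the heuristic lists here are a small constructed stand-in for the hundreds in src/spike.c):

```python
"""Toy model of a SPIKE block template (added example; not SPIKE's own code)."""
import struct

# Constructed stand-ins for the heuristic lists in SPIKE's src/spike.c; the real
# lists hold hundreds of entries, a handful is enough to show the mechanism.
WORD_HEURISTICS = [0x00000000, 0xFFFFFFFF, 0x7FFFFFFF, 0x80000000]
STRING_HEURISTICS = ["A" * 64, "A" * 1024, "%s%s%s%s%s", ""]


def parse_binary(text):
    """Tolerant s_binary() argument parser: accepts '4141', '\\x41', '0x41', '41 00'."""
    return bytes.fromhex(text.replace("\\x", "").replace("0x", "").replace(" ", ""))


class Spike:
    """Elements in push order (a SPIKE is FIFO) plus the variables to iterate."""

    def __init__(self):
        self.elements = []   # tuples: (kind, *args)
        self.variables = []  # (element index, heuristic list)

    def s_binary(self, text):
        self.elements.append(("static", parse_binary(text)))

    def s_string(self, text):
        self.elements.append(("static", text.encode()))

    def s_binary_bigendian_word_variable(self, default):
        self.variables.append((len(self.elements), WORD_HEURISTICS))
        self.elements.append(("word", default))

    def s_string_variable(self, default):
        self.variables.append((len(self.elements), STRING_HEURISTICS))
        self.elements.append(("string", default))

    def s_block_size_binary_bigendian_word(self, name):
        self.elements.append(("size", name, ">I"))

    def s_blocksize_halfword_bigendian(self, name):
        self.elements.append(("size", name, ">H"))

    def s_block_start(self, name):
        self.elements.append(("block_start", name))

    def s_block_end(self, name):
        self.elements.append(("block_end", name))

    def render(self, overrides=None):
        """Serialise the template; overrides maps element index -> fuzz value.
        Size fields are reserved as zeros and patched when their block closes."""
        overrides = overrides or {}
        out, starts, sizes, pending = bytearray(), {}, {}, []
        for idx, (kind, *args) in enumerate(self.elements):
            if kind == "static":
                out += args[0]
            elif kind == "word":
                out += struct.pack(">I", overrides.get(idx, args[0]))
            elif kind == "string":
                out += overrides.get(idx, args[0]).encode()
            elif kind == "size":
                pending.append((len(out), args[0], args[1]))
                out += b"\0" * struct.calcsize(args[1])
            elif kind == "block_start":
                starts[args[0]] = len(out)
            elif kind == "block_end":
                sizes[args[0]] = len(out) - starts.pop(args[0])
        for offset, name, fmt in pending:
            struct.pack_into(fmt, out, offset, sizes[name])
        return bytes(out)

    def mutations(self):
        """Yield (element index, value, message) per single-variable mutation, word variable first."""
        for idx, heuristics in self.variables:
            for value in heuristics:
                yield idx, value, self.render({idx: value})


def build_example():
    """The page's nested somepacketdata/innerdata script, in the toy API."""
    s = Spike()
    s.s_block_size_binary_bigendian_word("somepacketdata")
    s.s_block_start("somepacketdata")
    s.s_binary("01020304")
    s.s_blocksize_halfword_bigendian("innerdata")
    s.s_block_start("innerdata")
    s.s_binary("00 01")
    s.s_binary_bigendian_word_variable(0x02)
    s.s_string_variable("SELECT")
    s.s_block_end("innerdata")
    s.s_block_end("somepacketdata")
    return s


if __name__ == "__main__":
    spike = build_example()
    print("default :", spike.render().hex(" "))   # outer size 0x12, inner 0x0c
    for idx, value, msg in spike.mutations():
        print(f"element {idx} <- {value!r:.16} outer={msg[:4].hex()} inner={msg[8:10].hex()}")
```

With the default values the message is 22 bytes (outer size 18, inner size 12); swapping the string for 1024 'A's makes both size fields follow without any change to the template.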

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. (Source: Httprint)

To get the CLI use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint

Now first things first, you should probably go ahead and update your Signature File. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt. OK, now to update just go to signatures and do a save as; make sure you use a .txt extension, overwriting the one we found earlier.

Next let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

inputs for httprint can be:
- individual IP addresses (default port 80)
- http://servername[:port]
- https://servername[:port]
- IP range xx.xx.xx.xx-yy.yy.yy.yy
http://www.apache DOT org

dsniff - password sniffer

The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on. It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options

-c Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d Enable debugging mode.

-m Enable automatic protocol detection.

-n Do not resolve IP addresses to hostnames.

-i interface Specify the interface to listen on.

-p pcapfile Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services Load triggers from a services file.

-t trigger[,...] Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile Read sniffed sessions from a savefile created with the -w option.

-w file Write sniffed sessions to savefile rather than parsing and printing them out.

expression Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services Default trigger table

/etc/dsniff/dsniff.magic Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail in open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically).
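A defender-side counterpart to the arpredirect and macof behaviour described above, as an added Python example that is not part of the dsniff package: it runs constructed ARP-reply and frame records through two detections, an IP whose claimed MAC changes, and a burst of distinct source MACs within one second. The sample records, MAC addresses and thresholds are constructed for illustration.

```python
"""Detection logic for the ARP-layer tricks described above (added example; not dsniff code)."""
from collections import deque

# Constructed ARP replies seen by a passive monitor: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # gateway answering normally
    (1.0, "192.168.1.10", "00:11:22:33:44:0a"),
    (2.5, "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP now claimed by another MAC
    (3.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    (4.0, "192.168.1.20", "00:11:22:33:44:14"),
]

# Constructed frame log (seconds, source MAC): one quiet host, then 150 distinct
# source MACs inside one second, the footprint a MAC flood leaves on a segment.
SAMPLE_FRAMES = [(0.1 * i, "00:11:22:33:44:0a") for i in range(20)] + [
    (10.0 + i / 150, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(150)
]


def detect_arp_spoof(replies, known_bindings=None):
    """Flag replies whose IP->MAC claim contradicts the first (or a pre-seeded) binding.

    Returns a list of (seconds, ip, expected_mac, claimed_mac). Seeding known_bindings
    with the gateway's real MAC catches a forged reply even if it arrives first."""
    bindings = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = bindings.setdefault(ip, mac)   # first claim wins unless pre-seeded
        if expected != mac:
            alerts.append((ts, ip, expected, mac))
    return alerts


def detect_mac_flood(frames, window=1.0, threshold=100):
    """Return (window_start, peak_distinct_macs) for each window exceeding threshold.

    frames must be ordered by time. A switch whose CAM table overflows falls back to
    repeating frames on every port, so a spike in distinct source MACs is the signal."""
    alerts, recent, counts = [], deque(), {}
    for ts, mac in frames:
        recent.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        while recent and recent[0][0] < ts - window:      # expire old frames
            _, old = recent.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > threshold:
            start = recent[0][0]
            if alerts and alerts[-1][0] == start:          # same window: keep the peak
                alerts[-1] = (start, max(alerts[-1][1], len(counts)))
            else:
                alerts.append((start, len(counts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print("ARP conflict:", alert)
    for alert in detect_mac_flood(SAMPLE_FRAMES):
        print("MAC flood   :", alert)
```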

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0
root@slax:~#
root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think of it as an application level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways: HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr. But 3proxy is not a kind of wrapper or superserver for these daemons; it just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind a proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, to syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file Name of config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads its configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install (Windows NT family only) install 3proxy as a system service

--remove (Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM cleanup connections and exit
SIGPAUSE stop accepting new connections; on a second signal, start and re-read configuration
SIGCONT start accepting new connections
SIGUSR1 reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg) 3proxy configuration file

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

And as a powerful back-end tool it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit-card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when -e command argument is used

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat. Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised). Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports]
cryptcat -k secret -l -p port [-options] [hostname] [port]

Description

Cryptcat can act as a tcp or udp client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ``metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of the options specific to cryptcat is included below.

-h Show summary of options.

-k secret password Change the shared secret password to be used to establish a connection.

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc.

Project By Nutan Kumar Panda

  • Synopsis
  • Description
  • options
  • Files
  • OPTIONS
  • SIGNALS
  • FILES
  • Name
  • Options
  • Bugs
Page 9: Backtrack Manual Part3

scan-delay lttimegt

FIREWALLIDS EVASION AND SPOOFING

-f --mtu ltvalgt fragment packets (optionally wgiven MTU)

-D ltdecoy1decoy2[ME]gt

Cloak a scan with decoys

-S ltIP_Addressgt Spoof source address

-e ltifacegt Use specified interface

-g--source-port ltportnumgt

Use given port number

--data-length ltnumgt Append random data to sent packets

--ttl ltvalgt Set IP time-to-live field

--spoof-mac ltmac addressprefixvendor namegt

Spoof your MAC address

--badsum Send packets with a bogus TCPUDP checksum

OUTPUT

-oN-oX-oS-oG ltfilegt

Output scan in normal XML s|ltrIpt kIddi3 and Grepable format respectively to the given filename

-oA ltbasenamegt Output in the three major formats at once

-v Increase verbosity level (use twice for more effect)

-d[level] Set or increase debugging level (Up to 9 is meaningful)

--packet-trace Show all packets sent and received

--iflist Print host interfaces and routes (for debugging)

--log-errors Log errorswarnings to the normal-format output file

--append-output Append to rather than clobber specified output files

--resume ltfilenamegt Resume an aborted scan

--stylesheet ltpathURLgt

XSL stylesheet to transform XML output to HTML

--webxml Reference stylesheet from InsecureOrg for more portable XML

--no-stylesheet Prevent associating of XSL stylesheet wXML output

Project By Nutan Kumar Panda

MISC

-6 Enable IPv6 scanning

-A Enables OS detection and Version detection

--datadir ltdirnamegt Specify custom Nmap data file location

--send-eth--send-ip Send using raw ethernet frames or IP packets

--privileged Assume that the user is fully privileged

-V Print version number

nmap -P0 2042281503

Running the above port scan on the Computer Hope IP address would give information similar to the below example Keep in mind that with the above command its -Pltzerogt not the letter O

Interesting ports on wwwcomputerhopecom (2042281503)Not shown 1019 filtered ports 657 closed portsPORT STATE SERVICE21tcp open ftp80tcp open http113tcp open auth443tcp open https

Project By Nutan Kumar Panda

Lanmap

Lanmap Listens to all available traffic on the interface of your choice figures out whorsquos talking to who how much using which protocols This information is then put into a nice human-readable 2d image (various formats are available) which can be used to understand a networkrsquos topologysudo aptitude install lanmapThis will complete the installation

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T pnggifsvg] [-f filtetr] [-D allraw] [-r seconds][-i wildcardiface] [-h] [-v] [-V]

lanmap examplelanmap -i eth0 -r 30 -T png -o tmpThis will create a lanmappng file under tmp folder

Project By Nutan Kumar Panda

You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images Default is the current directory-e program - The program to use to generate images Default is twopi-T pnggifsvg - Output image format Default is png-f filter - Traffic filter in libpcap syntax-D allraw - Debug mode lots of output use with caution payload bytes to dump (default 0)-r seconds - Set the time interval between 2 consecutive graph generations Default is 60 seconds-i wildcardiface - Interface to use list all devices and exit 3Com use the first NIC withldquo3Comrdquo in it-V - Version info-vv - Verbose mode up to 3 levels (-vv -vv0921 29112007v)-h - Help message

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols Protocol data structures are broken down and represented as blocks also referred to as a SPIKE which contains both binary data and the block size Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations To better understand the block-based concept consider the following simple example from the whitepaper The Advantages of Block-Based Protocol Analysis for Security Testing8

Project By Nutan Kumar Panda

s_block_size_binary_bigendian_word(somepacketdata) s_block_start(somepacketdata) s_binary(01020304) s_block_end(somepacketdata)

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata pushes the four bytes 0x01020304 into the block and prefixes the block with the block length In this case the block length would be calculated as 4 and stored as a big endian word Note that most of the SPIKE API is prefixed with either s_ orspike_ The s_binary() API is used to add binary data to a block and is quite liberal with its argument format allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00 Although simple this example demonstrates the basics and overall approach of constructing a SPIKE As SPIKE allows blocks to be embedded within other blocks arbitrarily complex protocols can be easily broken down into their smallest atoms Expanding on the previous example

s_block_size_binary_bigendian_word(somepacketdata)s_block_start(somepacketdata)s_binary(01020304)s_blocksize_halfword_bigendian(innerdata)s_block_start(innerdata)s_binary(00 01)s_binary_bigendian_word_variable(0x02)s_string_variable(SELECT)s_block_end(innerdata)s_block_end(somepacketdata)

In this example two blocks are defined somepacketdata and innerdata The latter block is contained within the former block and each individual block is prefixed with a size value The newly defined innerdata block begins with a static two-byte value (0x0001) followed by a four-byte variable integer with a default value of 0x02 and finally a string variable with a default value of SELECT Thes_binary_bigendian_word_variable()and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics) respectively that have been known in the past to uncover security vulnerabilities SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made To examine or expand the current list of fuzz variables look at SPIKEsrcspikecVersion 29 of the framework contains a list of almost 700 error-inducing heuristics

Using the basic concepts demonstrated in the previous example you can begin to see how arbitrarily complex protocols can be modeled in this framework A number of additional APIs and examples exist Refer to the SPIKE documentation for further information Sticking to the running example the following code excerpt is from an FTP fuzzer distributed with SPIKE This is not the best showcase of SPIKEs capabilities as no blocks are actually defined but it helps to compare apples with apples

Project By Nutan Kumar Panda

s_string(HOST )s_string_variable(10203040)s_string(rn)s_string_variable(USER)s_string( v)s_string_variable(bob)s_string(rn)s_string(PASS )s_string_variable(bob)s_string(rn)s_string(SITE )s_string_variable(SEDV)s_string(rn)s_string(ACCT )s_string_variable(bob)s_string(rn)s_string(CWD )s_string_variable()s_string(rn)s_string(SMNT )s_string_variable()s_string(rn)s_string(PORT )s_string_variable(1)s_string()s_string_variable(2)s_string()s_string_variable(3)s_string()s_string_variable(4)s_string()s_string_variable(5)s_string()s_string_variable(6)s_string(rn)

The Goals of SPIKE

Find new vulnerabilities by

Making it easy to quickly reproduce a complex binary protocol

Develop a base of knowledge within SPIKE about different kinds of

bugclasses affecting similar protocols

Test old vulnerabilities on new programs

Make it easy to manually mess with protocols

Project By Nutan Kumar Panda

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks

s_block_start() s_block_end() s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data network code and common

marshalling routines easy

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots

s_string(ldquoHost ldquo) s_string_variable(ldquolocalhostrdquo)

A SPIKE is a kind of First In First Out Queue or ldquoBuffer Classrdquo

A SPIKE can automatically fill in ldquolength fieldsrdquo

s_size_string(ldquopostrdquo5)

s_block_start(ldquoPostrdquo)

s_string_variable(ldquouser=bobrdquo)

s_block_end(ldquopostrdquo)

Httprint is a web server fingerprinting tool It relies on web server characteristics to accurately identify web servers despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask Httprint can also be used to detect web enabled devices which do not have a server banner string such as wireless access points routers switches cable modems etc httprint uses text signature strings and it is very easy to add signatures to the signature databaseSource HttprintTo get the CLI useCodecd pentestenumerationwwwhttprint_301linux httprint

Project By Nutan Kumar Panda

Now first things first you should probably go ahead and update your Signature FileSo it will usually be inCodepentestenumerationwwwhttprint_301linux

look for signaturestxtok now to update just go to signatures and do a save as make sure you use a txt extension Overwriting the one we found earlier

Next letrsquos get the inputtxt file and set it up (its located in the same place as before)This is the second file that we want to work with so and open it up using your favorite text editorOk you should see something likeCode inputs for httprint can be - individual IP addresses (default port 80) - httpservername [port] - httpsservername[port] - IP range xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

inputs for httprint can be - individual IP addresses (default port 80) - httpservername[port] - httpsservername[port] - IP ranges xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

dsniff - password sniffer The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted Dsniff as the name implies is a network sniffer - but designed for testing of a different sort dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information such as usernames and passwords web pages being visited contents of email and more Additionally it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible not just traffic involving the host dsniff is running on

Project By Nutan Kumar Panda

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options

-c
Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d
Enable debugging mode.

-m
Enable automatic protocol detection.

-n
Do not resolve IP addresses to hostnames.

-i interface
Specify the interface to listen on.

-p pcapfile
Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen
Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services
Load triggers from a services file.

-t trigger[,...]
Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile
Read sniffed sessions from a savefile created with the -w option.

-w file
Write sniffed sessions to savefile rather than parsing and printing them out.

expression
Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal (SIGHUP) dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services
Default trigger table

/etc/dsniff/dsniff.magic
Network protocol magic

dsniff contains several powerful network tools written for use in penetration testing. arpredirect (renamed arpspoof in dsniff 2.x) is a very effective way of sniffing traffic on a switch by forging ARP replies. findgw determines the local gateway of an unknown network via passive sniffing, and can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. macof floods the network with random MAC addresses, causing some switches to fail open into repeating (hub) mode, which facilitates sniffing. dsniff itself is a simple password sniffer which parses passwords from many protocols, saving only the interesting bits. mailsnarf is, in its author's words, a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them).
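arpredirect/arpspoof succeed because hosts accept unsolicited ARP replies without verification. From the defender's side the attack is visible on the wire as exactly that: an IP address that was bound to one MAC suddenly claiming another, often with one MAC answering for both the gateway and a victim. The following added example (not part of dsniff or of this manual) implements that check over constructed ARP reply records; the ArpMonitor class, its field names and the sample addresses are the example's own.

```python
"""Detect ARP-cache poisoning of the kind arpredirect/arpspoof performs.

Added example, not part of dsniff or of this manual. It watches the
observable side effect of the attack: ARP replies in which an IP address
already bound to one MAC suddenly claims a different MAC, and a single MAC
claiming several IP addresses (arpspoof impersonating both the gateway and
the victim). The reply records are constructed sample data; a real monitor
would fill them from a libpcap capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds (constructed)
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address


class ArpMonitor:
    """Remembers the first IP->MAC binding seen and reports later changes."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}                     # ip -> first MAC seen
        self.ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> None:
        self.ips_per_mac[r.sender_mac].add(r.sender_ip)
        known = self.bindings.get(r.sender_ip)
        if known is None:
            self.bindings[r.sender_ip] = r.sender_mac     # learn, as a host's cache would
        elif known != r.sender_mac:
            # The original binding is kept on purpose, so every re-sent forgery
            # alerts again. Legitimate causes exist (DHCP reassignment, a
            # replaced NIC), so an alert is a lead to investigate, not proof.
            self.alerts.append(f"t={r.ts:.1f} {r.sender_ip} moved {known} -> {r.sender_mac}")

    def multi_ip_macs(self, threshold: int = 2) -> Dict[str, Set[str]]:
        """MACs claiming at least `threshold` distinct IPs, e.g. gateway plus victim."""
        return {m: ips for m, ips in self.ips_per_mac.items() if len(ips) >= threshold}


def analyze(replies: List[ArpReply]) -> Tuple[List[str], Dict[str, Set[str]]]:
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.multi_ip_macs()


# Constructed capture: the gateway and two hosts answer normally, then a third
# MAC (the attacker) answers for both the gateway and one host, which is what
# arpspoof does when run once against the victim and once against the gateway.
GATEWAY, VICTIM, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:0a", "00:de:ad:be:ef:00"
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", GATEWAY),
    ArpReply(0.5, "192.168.1.10", VICTIM),
    ArpReply(1.0, "192.168.1.20", "00:11:22:33:44:14"),
    ArpReply(5.0, "192.168.1.1", ATTACKER),    # forged: gateway now "at" attacker
    ArpReply(5.0, "192.168.1.10", ATTACKER),   # forged: victim now "at" attacker
    ArpReply(7.0, "192.168.1.1", ATTACKER),    # arpspoof keeps re-sending
]

if __name__ == "__main__":
    alerts, suspects = analyze(SAMPLE_REPLIES)
    for a in alerts:
        print("ALERT  ", a)
    for mac, ips in suspects.items():
        print("SUSPECT", mac, "claims", sorted(ips))
```

Real captures also contain gratuitous ARP and DHCP renumbering, so treat an alert as a trigger for checking the gateway's real MAC (or pin it with a static entry via arp -s) rather than as proof of an attacker; on managed switches, dynamic ARP inspection does the same check in hardware.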

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfils, while Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics ship with Bluetooth capability so they can communicate. On BackTrack the BlueZ tools are used to drive the adapter: hciconfig brings the local device up and shows its state, and hcitool scan performs an inquiry and lists the devices in range that are discoverable (those with inquiry scan enabled, shown as ISCAN on the local adapter in the output below).

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers; think of it as an application-level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways: HTTP and HTTPS proxy with FTP-over-HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, and UDP and TCP port mappers. Each gateway is started from the configuration file like an independent service (proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr), but 3proxy is not a kind of wrapper or superserver for these daemons: it has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP- or TCP-based client application designed without proxy support (with SocksCap, FreeCap or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages, and even accept incoming connections from behind the proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works well for SOHO networks.

3proxy supports access control lists (ACLs) like a network router. Source and destination networks and the destination port can be specified; in addition, usernames and the gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (very like ident authentication, and like ident it trusts what the client reports, so it is not suitable for security-relevant access control). Depending on the ACL action, a request can be allowed, denied, or redirected to another host, to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to log files, to syslog(3) (only under Unix), or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers, which makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file
Name of the config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default locations (the same directory as the executable file, and the current directory). Under Unix, if no config file is specified, 3proxy reads its configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting the +x mode and adding #!/usr/local/3proxy/3proxy as the first line of 3proxy.cfg.

--install
(Windows NT family only) install 3proxy as a system service

--remove
(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM
cleanup connections and exit

SIGPAUSE
stop accepting new connections; on a second signal, start again and re-read the configuration

SIGCONT
start accepting new connections

SIGUSR1
reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration; use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
3proxy configuration file

How to open ports: each gateway line in the configuration file opens its own listening port, for example

socks -p28800

starts a SOCKS gateway listening on port 28800.
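To make the ACL behaviour described above concrete, here is an added example that models it in Python. It is not 3proxy's code and does not parse 3proxy.cfg; it assumes the semantics the text gives (rules checked in order, first match decides, implicit deny when nothing matches) and uses constructed rule sets, addresses and a hypothetical upstream proxy name to show that rule order decides whether the internal range is actually protected.

```python
"""First-match ACL evaluation modelled on the behaviour described for 3proxy.

Added example: not 3proxy's code and not a parser for 3proxy.cfg. A rule may
restrict by username, source network, destination network and destination
port; rules are checked in order and the first match decides; when an ACL is
present, a request matching no rule is denied. The rule sets and requests are
constructed to show how rule order changes the outcome.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow", "deny" or "redirect"
    users: Optional[FrozenSet[str]] = None   # None: any user, authenticated or not
    src: Optional[str] = None                # source CIDR, None: any
    dst: Optional[str] = None                # destination CIDR, None: any
    ports: Optional[FrozenSet[int]] = None   # destination ports, None: any
    target: Optional[str] = None             # redirect destination "host:port"


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # None when the client did not authenticate
    src_ip: str
    dst_ip: str
    dst_port: int


def in_net(ip: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def matches(rule: Rule, req: Request) -> bool:
    if rule.users is not None and req.user not in rule.users:
        return False
    if rule.ports is not None and req.dst_port not in rule.ports:
        return False
    return in_net(req.src_ip, rule.src) and in_net(req.dst_ip, rule.dst)


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """Return (action, redirect_target); anything unmatched is denied."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.target
    return "deny", None


WEB = frozenset({80, 443})
STAFF = frozenset({"alice", "bob"})
OFFICE = "192.168.1.0/24"      # constructed office LAN
INTERNAL = "10.0.0.0/8"        # constructed protected range

# Intended policy: authenticated staff on the office LAN may browse the web;
# nothing may reach the internal range through the proxy; all else is denied.
# The deny for the protected range is listed first, so it is consulted first.
RULES_GOOD = [
    Rule("deny", dst=INTERNAL),
    Rule("allow", users=STAFF, src=OFFICE, ports=WEB),
]

# The same two rules in the wrong order: the allow matches a staff request to
# an internal web server before the deny is ever reached.
RULES_BAD = [
    Rule("allow", users=STAFF, src=OFFICE, ports=WEB),
    Rule("deny", dst=INTERNAL),
]

# Redirect action: staff HTTP goes through an upstream proxy (hypothetical host).
RULES_CHAIN = [
    Rule("deny", dst=INTERNAL),
    Rule("redirect", users=STAFF, src=OFFICE, ports=frozenset({80}), target="upstream.example:3128"),
    Rule("allow", users=STAFF, src=OFFICE, ports=WEB),
]

if __name__ == "__main__":
    probe = Request("alice", "192.168.1.5", "10.0.0.7", 443)
    print("good order:", evaluate(RULES_GOOD, probe))
    print("bad order: ", evaluate(RULES_BAD, probe))
```

The same ordering discipline applies when writing the real 3proxy.cfg: put the deny lines for networks the proxy must never reach before any broad allow, and verify with a request that should be refused, not only with one that should succeed.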

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

As a back-end tool it also lets an attacker establish a connection to a machine that its owner would not notice, and run commands on that machine through the connection. Looking through the features of cryptcat again, it can listen on an arbitrary port (-p) and throttle the rate at which data is sent (-i), so a compromise may go unnoticed until passwords, account information or credit card numbers turn up stolen.

To sum up, cryptcat is a powerful networking tool. On the one hand it can protect your information in transit; on the other, any experienced attacker has it installed, and not only for defensive purposes.

Cryptcat is the standard netcat enhanced with Twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

These are identical to the normal netcat options for doing exactly the same thing; in this case, however, the data transferred is encrypted. Note that neither command passes -k, so both ends fall back to the built-in default password described below; for any real use give the same -k secret on both sides.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used. Data relayed to and from a program spawned with -e travels in the clear, so the encryption only holds for stdin/stdout transfers such as the file copy above.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat, with encrypted data transfer. Encrypting the stream means that an attacker's sniffer cannot read your information (unless your passphrase is compromised). Encryption alone does not authenticate the data, however, so it does not by itself detect contamination or injection of the stream.

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...
cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server, connecting to or listening on a socket, while otherwise working like the standard Unix command cat(1).

cryptcat takes a password and derives from it the key used to encrypt the data sent over the connection. Without a specified password, cryptcat will default to the hardcoded password 'metallica'. Needless to say, failing to specify a different password makes the connection as good as unencrypted, since anyone with a copy of cryptcat can decrypt it.

Options

This program does not follow the usual GNU command line syntax with long options starting with two dashes ('--'). A summary of the options specific to cryptcat is included below; the remaining options are those of netcat.

-h
Show summary of options.

-k secret
Change the shared secret password used to encrypt the connection.

Bugs

This version of cryptcat does not support the -e command command-line option available in some versions of nc. (Builds that do support it are subject to VU#165099 above: traffic passed through the spawned command is not encrypted.)

Page 10: Backtrack Manual Part3

MISC

-6 Enable IPv6 scanning

-A Enable OS detection and version detection

--datadir <dirname> Specify custom Nmap data file location

--send-eth/--send-ip Send using raw ethernet frames or IP packets

--privileged Assume that the user is fully privileged

-V Print version number

nmap -P0 204.228.150.3

Running the above port scan against the Computer Hope IP address would give information similar to the example below. Keep in mind that in the above command it is -P<zero>, not the letter O: -P0 tells Nmap to skip host discovery (ping) and scan the target even if it does not answer pings. Newer Nmap versions spell this option -Pn; -P0 is kept as an alias.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
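Scan output like the above often has to be consumed by other tooling. The following added example (not Nmap's code) parses this human-readable format into records; the sample input is the scan output quoted above. Nmap's -oX (XML) and -oG (grepable) outputs are the stable formats for automation; this parser is for the case where only normal output was saved.

```python
"""Parse Nmap's human-readable ("normal") port table into records.

Added example, not part of Nmap. It handles the output shape shown above:
the "Interesting ports on host (ip):" header, the "Not shown:" summary and
the PORT/STATE/SERVICE table, for one or more hosts. For anything beyond a
quick script prefer Nmap's machine-readable -oX or -oG output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

HOST_RE = re.compile(r"^Interesting ports on (\S+)(?: \(([\d.]+)\))?:")
NOT_SHOWN_RE = re.compile(r"(\d+) (\w+) ports?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str


@dataclass
class HostResult:
    name: str
    ip: str
    not_shown: Dict[str, int] = field(default_factory=dict)   # state -> count
    ports: List[PortRecord] = field(default_factory=list)

    def open_ports(self) -> List[int]:
        return [p.port for p in self.ports if p.state == "open"]

    def total_scanned(self) -> int:
        """Listed ports plus the 'Not shown' counts: a sanity check on the parse."""
        return sum(self.not_shown.values()) + len(self.ports)


def parse_nmap_normal(text: str) -> List[HostResult]:
    hosts: List[HostResult] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            cur = HostResult(name=m.group(1), ip=m.group(2) or m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue                       # text before the first host header
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                cur.not_shown[state] = int(count)
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append(PortRecord(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


# The scan output quoted in the text above, reproduced here as the sample input.
SAMPLE_OUTPUT = """\
Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
"""

if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE_OUTPUT):
        print(h.name, h.ip, "open:", h.open_ports(), "not shown:", h.not_shown,
              "scanned:", h.total_scanned())
```

The total_scanned() check is worth keeping: for this output it comes to 1680, the default number of ports scanned by the Nmap 4.x releases that produced this format, so a parse that loses rows is caught immediately.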


Lanmap

lanmap listens to all available traffic on the interface of your choice and figures out who is talking to whom, how much, and using which protocols. This information is then put into a human-readable 2D image (various formats are available) which can be used to understand a network's topology. On a Debian-based system it is installed with

sudo aptitude install lanmap

which completes the installation.

Using lanmap

lanmap syntax:

lanmap [-o directory] [-e program] [-T png|gif|svg] [-f filter] [-D all|raw] [-r seconds] [-i wildcard|iface] [-h] [-v] [-V]

lanmap example:

lanmap -i eth0 -r 30 -T png -o /tmp

This will create a lanmap.png file under the /tmp folder, regenerated every 30 seconds.


You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current directory.
-e program - The program to use to generate images. Default is twopi.
-T png|gif|svg - Output image format. Default is png.
-f filter - Traffic filter in libpcap syntax.
-D all|raw - Debug mode: lots of output, use with caution; selects how many payload bytes to dump (default 0).
-r seconds - Set the time interval between two consecutive graph generations. Default is 60 seconds.
-i wildcard|iface - Interface to use. "list" lists all devices and exits; a wildcard such as "3Com" uses the first NIC with "3Com" in its name.
-V - Version info.
-v - Verbose mode, up to 3 levels (-v, -vv, -vvv).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE uses a novel technique for representing, and thereafter fuzzing, network protocols: protocol data structures are broken down and represented as blocks (also referred to as a SPIKE), each of which contains both binary data and the block size. Block-based protocol representation allows the abstracted construction of the various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from Dave Aitel's whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing".


s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block, and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big-endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied-and-pasted inputs such as the string "4141 \x41 0x41 41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be broken down into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of "SELECT". The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE automatically updates the values of each of the size fields as the various mutations are made, so a 5,000-byte string inserted into innerdata is reflected in both the innerdata and the somepacketdata length prefixes. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Testing old vulnerabilities on new programs

Making it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(); s_block_end(); s_blocksize_halfword_bigendian();

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string();

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host: "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out queue, or "buffer class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("post");
s_string_variable("user=bob");
s_block_end("post");
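The size-recalculation behaviour is easiest to see by running it. The following added example is a Python model of the subset of the API used above; it is not SPIKE's code (SPIKE is written in C and its internals differ), and its heuristic lists are a constructed handful rather than SPIKE's ~700 entries. Building the somepacketdata/innerdata SPIKE from the text and replacing the string variable with 5,000 bytes shows both the inner halfword and the outer word prefix updating.

```python
"""A small Python model of SPIKE's block-based protocol representation.

Added example, not SPIKE's code (SPIKE is written in C and its internals
differ). It reproduces the behaviour described above: a SPIKE is a FIFO of
items, blocks may nest, size fields are filled in automatically, and each
variable is mutated in turn against a heuristic list while every size field
is recomputed. The heuristic lists are a constructed handful; SPIKE 2.9 ships
almost 700.
"""
import struct
from typing import Iterator, List, Optional, Tuple

INT_HEURISTICS = [0, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]
STRING_HEURISTICS = [b"A" * 5000, b"%n%n%n%n%n", b"../../../../etc/passwd", b"\x00" * 8]


def parse_hex(text: str) -> bytes:
    """s_binary()-style liberal hex input: '01020304', '00 01', '0x41', '\\x41'."""
    return bytes.fromhex(text.replace("\\x", "").replace("0x", "").replace(" ", ""))


class Spike:
    """Items are (kind, payload): bytes | intvar | strvar | size | start | end."""

    def __init__(self) -> None:
        self.items: List[Tuple[str, object]] = []

    def s_binary(self, hexstr: str) -> None:
        self.items.append(("bytes", parse_hex(hexstr)))

    def s_string(self, s: str) -> None:
        self.items.append(("bytes", s.encode()))

    def s_binary_bigendian_word_variable(self, default: int) -> None:
        self.items.append(("intvar", struct.pack(">I", default)))

    def s_string_variable(self, default: str) -> None:
        self.items.append(("strvar", default.encode()))

    def s_block_start(self, name: str) -> None:
        self.items.append(("start", name))

    def s_block_end(self, name: str) -> None:
        self.items.append(("end", name))

    def s_block_size_binary_bigendian_word(self, name: str) -> None:
        self.items.append(("size", (name, ">I")))   # 4-byte big-endian prefix

    def s_blocksize_halfword_bigendian(self, name: str) -> None:
        self.items.append(("size", (name, ">H")))   # 2-byte big-endian prefix

    def render(self, override: Optional[Tuple[int, bytes]] = None) -> bytes:
        """Serialize; override=(item_index, value) swaps in one mutated variable."""
        values: List[bytes] = []
        for idx, (kind, payload) in enumerate(self.items):
            if override is not None and idx == override[0]:
                values.append(override[1])
            elif kind in ("bytes", "intvar", "strvar"):
                values.append(payload)     # type: ignore[arg-type]
            else:
                values.append(b"")         # markers and size fields carry no data here
        # Pass 1: measure each block. Size fields have a fixed width, so nested
        # blocks can be measured before any size value is known.
        lengths = {}
        for idx, (kind, payload) in enumerate(self.items):
            if kind != "start":
                continue
            total = 0
            for j in range(idx + 1, len(self.items)):
                k, p = self.items[j]
                if k == "end" and p == payload:
                    break
                total += struct.calcsize(p[1]) if k == "size" else len(values[j])
            lengths[payload] = total
        # Pass 2: emit, filling every size field from the measured block length.
        out = bytearray()
        for idx, (kind, payload) in enumerate(self.items):
            if kind == "size":
                name, fmt = payload
                out += struct.pack(fmt, lengths[name])
            else:
                out += values[idx]
        return bytes(out)

    def fuzz(self) -> Iterator[Tuple[int, bytes, bytes]]:
        """Yield (variable index, mutated value, rendered packet), one variable at a time."""
        for idx, (kind, _) in enumerate(self.items):
            if kind == "intvar":
                for v in INT_HEURISTICS:
                    value = struct.pack(">I", v)
                    yield idx, value, self.render((idx, value))
            elif kind == "strvar":
                for value in STRING_HEURISTICS:
                    yield idx, value, self.render((idx, value))


def build_example() -> Spike:
    """The nested somepacketdata/innerdata SPIKE from the text above."""
    sp = Spike()
    sp.s_block_size_binary_bigendian_word("somepacketdata")
    sp.s_block_start("somepacketdata")
    sp.s_binary("01020304")
    sp.s_blocksize_halfword_bigendian("innerdata")
    sp.s_block_start("innerdata")
    sp.s_binary("00 01")
    sp.s_binary_bigendian_word_variable(0x02)
    sp.s_string_variable("SELECT")
    sp.s_block_end("innerdata")
    sp.s_block_end("somepacketdata")
    return sp


if __name__ == "__main__":
    sp = build_example()
    print("default:", sp.render().hex())
    for idx, value, pkt in sp.fuzz():
        print(f"item {idx}: value len {len(value):5d}  outer {pkt[:4].hex()}  inner {pkt[8:10].hex()}")
```

With the default values the packet is 22 bytes: a word of 0x12 (18) for somepacketdata, which includes the 2-byte inner size field, then 0x000c (12) for innerdata. The halfword prefix also shows a limit worth remembering when fuzzing: struct.pack raises once a mutation pushes innerdata past 65535 bytes, which is the point at which a real target's length field would wrap.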

httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database. (Source: httprint.)

To get the CLI, use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint

Now, first things first, you should probably go ahead and update your signature file. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt. To update, go to the signatures page, do a "save as", make sure you use a .txt extension, and overwrite the one we found earlier.

Next, let's get the input.txt file and set it up (it is located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername[:port]
# - https://servername[:port]
# - IP ranges xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
http://www.apache.org
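To show what "relies on web server characteristics" means in practice, here is an added example (not httprint's code and not its signature format) that fingerprints from the status codes and header ordering a server returns to a few probes, ignoring the Server header value entirely. The probes, responses and signature table are constructed sample data; the target is an Apache-like server whose banner claims to be IIS.

```python
"""Banner-independent web server fingerprinting in the spirit of httprint.

Added example, not httprint's code or its signature format. httprint's
observation is that how a server reacts to unusual requests (an unknown
method, an unsupported protocol version) and the order in which it emits
response headers identify it even when the Server banner has been rewritten.
The probe set, the responses and the signature table below are constructed
sample data; the signature names are the example's own.
"""
from typing import Dict, List, Tuple

PROBES = ["GET /", "HEAD /", "JUNK /", "GET / HTTP/3.0"]   # constructed probe set
Shape = Tuple[str, Tuple[str, ...]]                         # (status code, header order)


def response_shape(raw: str) -> Shape:
    """Reduce a raw response to its status code and ordered header names.

    Header values are deliberately discarded: that is where a rewritten
    Server banner lives, so it must not influence the fingerprint.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    status = parts[1] if len(parts) > 1 else "???"
    names = tuple(line.split(":", 1)[0].strip().lower() for line in lines[1:] if ":" in line)
    return status, names


def identify(responses: Dict[str, str], signatures: Dict[str, Dict[str, Shape]]) -> List[Tuple[str, float]]:
    """Score every signature by the fraction of probes whose shape matches, best first."""
    observed = {probe: response_shape(raw) for probe, raw in responses.items()}
    scored = []
    for name, sig in signatures.items():
        hits = sum(1 for p in PROBES if p in observed and observed[p] == sig.get(p))
        scored.append((name, hits / len(PROBES)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def make_response(status: str, headers: List[Tuple[str, str]]) -> str:
    """Assemble raw response text (used only to build the constructed samples)."""
    return f"HTTP/1.1 {status} X\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"


# Constructed signature table keyed on behaviour, never on the banner text.
A_OK = ("date", "server", "last-modified", "etag", "accept-ranges", "content-length", "content-type")
I_OK = ("content-length", "content-type", "last-modified", "accept-ranges", "etag", "server", "date")
SIGNATURES: Dict[str, Dict[str, Shape]] = {
    "apache-like (constructed)": {
        "GET /": ("200", A_OK),
        "HEAD /": ("200", A_OK),
        "JUNK /": ("501", ("date", "server", "content-length", "content-type")),
        "GET / HTTP/3.0": ("400", ("date", "server", "content-length", "connection", "content-type")),
    },
    "iis-like (constructed)": {
        "GET /": ("200", I_OK),
        "HEAD /": ("200", I_OK),
        "JUNK /": ("405", ("allow", "content-length", "content-type", "server", "date")),
        "GET / HTTP/3.0": ("505", ("content-length", "content-type", "server", "date")),
    },
}

# Constructed target: Apache-like behaviour, but a plug-in rewrote the banner.
BANNER = "Microsoft-IIS/6.0"
A_HDRS = [("Date", "d"), ("Server", BANNER), ("Last-Modified", "m"), ("ETag", "e"),
          ("Accept-Ranges", "bytes"), ("Content-Length", "0"), ("Content-Type", "text/html")]
OBFUSCATED_APACHE = {
    "GET /": make_response("200", A_HDRS),
    "HEAD /": make_response("200", A_HDRS),
    "JUNK /": make_response("501", [("Date", "d"), ("Server", BANNER),
                                    ("Content-Length", "0"), ("Content-Type", "text/html")]),
    "GET / HTTP/3.0": make_response("400", [("Date", "d"), ("Server", BANNER), ("Content-Length", "0"),
                                            ("Connection", "close"), ("Content-Type", "text/html")]),
}

if __name__ == "__main__":
    for name, score in identify(OBFUSCATED_APACHE, SIGNATURES):
        print(f"{score:4.2f}  {name}")
```

The banner lie has no effect on the score because the Server value never enters the fingerprint; only a plug-in that also reorders headers and changes error behaviour would defeat this kind of check, which is why httprint reports a confidence rather than a single answer.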

Page 11: Backtrack Manual Part3

Lanmap

Lanmap Listens to all available traffic on the interface of your choice figures out whorsquos talking to who how much using which protocols This information is then put into a nice human-readable 2d image (various formats are available) which can be used to understand a networkrsquos topologysudo aptitude install lanmapThis will complete the installation

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T pnggifsvg] [-f filtetr] [-D allraw] [-r seconds][-i wildcardiface] [-h] [-v] [-V]

lanmap examplelanmap -i eth0 -r 30 -T png -o tmpThis will create a lanmappng file under tmp folder

Project By Nutan Kumar Panda

You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images Default is the current directory-e program - The program to use to generate images Default is twopi-T pnggifsvg - Output image format Default is png-f filter - Traffic filter in libpcap syntax-D allraw - Debug mode lots of output use with caution payload bytes to dump (default 0)-r seconds - Set the time interval between 2 consecutive graph generations Default is 60 seconds-i wildcardiface - Interface to use list all devices and exit 3Com use the first NIC withldquo3Comrdquo in it-V - Version info-vv - Verbose mode up to 3 levels (-vv -vv0921 29112007v)-h - Help message

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols Protocol data structures are broken down and represented as blocks also referred to as a SPIKE which contains both binary data and the block size Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations To better understand the block-based concept consider the following simple example from the whitepaper The Advantages of Block-Based Protocol Analysis for Security Testing8

Project By Nutan Kumar Panda

s_block_size_binary_bigendian_word(somepacketdata) s_block_start(somepacketdata) s_binary(01020304) s_block_end(somepacketdata)

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata pushes the four bytes 0x01020304 into the block and prefixes the block with the block length In this case the block length would be calculated as 4 and stored as a big endian word Note that most of the SPIKE API is prefixed with either s_ orspike_ The s_binary() API is used to add binary data to a block and is quite liberal with its argument format allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00 Although simple this example demonstrates the basics and overall approach of constructing a SPIKE As SPIKE allows blocks to be embedded within other blocks arbitrarily complex protocols can be easily broken down into their smallest atoms Expanding on the previous example

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata");
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
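As an added illustration of the block and size-field mechanism in the two scripts above (this program is constructed for this page and is not SPIKE's own code; the names spk, spk_push, spk_size_field, build_packet, packet_len, packet_field and hex_len are this example's, while the s_* names mirror the SPIKE calls in the text), the following C program reserves each size field as zero bytes when it is declared and back-patches it when the block closes, so changing the string variable changes both the outer word and the inner halfword without touching the script:

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy block builder modelled on the SPIKE idea described above (an added illustration, not
 * SPIKE's code): a size field is reserved as zeros and back-patched when its block closes. */
#define SPK_MAX 4096
#define SPK_MAX_BLK 16
typedef struct {
    unsigned char buf[SPK_MAX]; size_t len;
    struct { size_t off; int width; char name[32]; } sz[SPK_MAX_BLK]; int nsz; /* size fields */
    struct { size_t start; int open; char name[32]; } bl[SPK_MAX_BLK]; int nbl; /* blocks */
} spk;

static void spk_push(spk *s, const void *p, size_t n) {          /* toy: drop what does not fit */
    if (s->len + n <= SPK_MAX) { memcpy(s->buf + s->len, p, n); s->len += n; }
}
/* Reserve a big-endian size field of `width` bytes that will measure block `name`. */
static void spk_size_field(spk *s, const char *name, int width) {
    static const unsigned char zero[4] = {0};
    if (s->nsz >= SPK_MAX_BLK) return;
    s->sz[s->nsz].off = s->len; s->sz[s->nsz].width = width;
    strncpy(s->sz[s->nsz++].name, name, 31);
    spk_push(s, zero, (size_t)width);
}
static void s_block_size_binary_bigendian_word(spk *s, const char *n) { spk_size_field(s, n, 4); }
static void s_blocksize_halfword_bigendian(spk *s, const char *n) { spk_size_field(s, n, 2); }
static void s_block_start(spk *s, const char *name) {
    if (s->nbl >= SPK_MAX_BLK) return;
    s->bl[s->nbl].start = s->len; s->bl[s->nbl].open = 1;
    strncpy(s->bl[s->nbl++].name, name, 31);
}

/* Close the innermost open block `name` and back-patch every size field declared for it:
 * this is the automatic size calculation the text refers to. */
static void s_block_end(spk *s, const char *name) {
    for (int i = s->nbl - 1; i >= 0; i--) {
        if (!s->bl[i].open || strcmp(s->bl[i].name, name)) continue;
        size_t blen = s->len - s->bl[i].start;
        s->bl[i].open = 0;
        for (int j = 0; j < s->nsz; j++) {
            if (strcmp(s->sz[j].name, name)) continue;
            for (int k = 0; k < s->sz[j].width; k++)  /* most significant byte first */
                s->buf[s->sz[j].off + k] = (unsigned char)(blen >> (8 * (s->sz[j].width - 1 - k)));
        }
        return;
    }
}
/* Liberal hex input in the spirit of s_binary(): "01020304", "41 41", "\x41", "0x41" and
 * "41 00 41 00" all work; separators are skipped, "\x"/"0x" prefixes dropped, digits paired. */
static void s_binary(spk *s, const char *hex) {
    const char *digits = "0123456789abcdef";
    int hi = -1;
    for (const char *p = hex; *p; p++) {
        if ((*p == '\\' || (hi < 0 && *p == '0')) && tolower((unsigned char)p[1]) == 'x') { p++; continue; }
        const char *d = strchr(digits, tolower((unsigned char)*p));
        if (!d || !*d) continue;                      /* separator: space, comma, ... */
        if (hi < 0) { hi = (int)(d - digits); continue; }
        unsigned char b = (unsigned char)((hi << 4) | (int)(d - digits));
        spk_push(s, &b, 1);
        hi = -1;
    }
}
static void s_string_variable(spk *s, const char *str) { spk_push(s, str, strlen(str)); }
static void s_binary_bigendian_word_variable(spk *s, uint32_t v) {
    unsigned char b[4] = { (unsigned char)(v >> 24), (unsigned char)(v >> 16), (unsigned char)(v >> 8), (unsigned char)v };
    spk_push(s, b, 4);
}
/* The nested example from the text, with the string variable as a parameter so the effect of
 * one mutation on both size fields is visible (a real fuzzer iterates its heuristic list). */
static size_t build_packet(spk *s, const char *strvar) {
    memset(s, 0, sizeof *s);
    s_block_size_binary_bigendian_word(s, "somepacketdata");
    s_block_start(s, "somepacketdata");
    s_binary(s, "01020304");
    s_blocksize_halfword_bigendian(s, "innerdata");
    s_block_start(s, "innerdata");
    s_binary(s, "00 01");
    s_binary_bigendian_word_variable(s, 0x02);
    s_string_variable(s, strvar);
    s_block_end(s, "innerdata");
    s_block_end(s, "somepacketdata");
    return s->len;
}
/* Inspection helpers: total length, one size field read back big-endian, s_binary() byte count. */
static size_t packet_len(const char *strvar) { spk s; return build_packet(&s, strvar); }
static uint32_t packet_field(const char *strvar, size_t off, int width) {
    spk s; uint32_t v = 0; build_packet(&s, strvar);
    for (int k = 0; k < width; k++) v = (v << 8) | s.buf[off + k];
    return v;
}
static size_t hex_len(const char *hex) { spk s = {0}; s_binary(&s, hex); return s.len; }

int main(void) {
    const char *v = "SELECT * FROM users";                 /* constructed sample mutation */
    printf("total=%zu outer=%u inner=%u\n", packet_len(v), packet_field(v, 0, 4), packet_field(v, 8, 2));
    return 0;
}
```

With the default SELECT the buffer is laid out as a 4-byte outer size, 01 02 03 04, a 2-byte inner size, 00 01, 00 00 00 02 and the string, so the outer size reads 18 and the inner size 12; a 19-character replacement moves them to 31 and 25 with no change to the script, which is the property that makes length-prefixed protocols fuzzable with this approach.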

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" v");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

- Making it easy to quickly reproduce a complex binary protocol
- Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols
- Testing old vulnerabilities on new programs
- Making it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start(); s_block_end(); s_blocksize_halfword_bigendian();

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string();

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue or "Buffer Class".

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5);
s_block_start("Post");
s_string_variable("user=bob");
s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. (Source: Httprint.) To get the CLI, use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint


Now, first things first, you should probably go ahead and update your signature file. It will usually be in:

/pentest/enumeration/www/httprint_301/linux

Look for signatures.txt. To update, just go to the signatures page and do a "save as", making sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it is located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

inputs for httprint can be:
- individual IP addresses (default port 80)
- http://servername[:port]
- https://servername[:port]
- IP ranges xx.xx.xx.xx-yy.yy.yy.yy
http://www.apache DOT org

dsniff - password sniffer. The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer, but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.


It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

Options

-c
Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d
Enable debugging mode.

-m
Enable automatic protocol detection.

-n
Do not resolve IP addresses to hostnames.

-i interface
Specify the interface to listen on.

-p pcapfile
Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen
Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services
Load triggers from a services file.

-t trigger[,...]
Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).

-r savefile
Read sniffed sessions from a savefile created with the -w option.

-w file
Write sniffed sessions to savefile, rather than parsing and printing them out.

expression
Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services
Default trigger table.

/etc/dsniff/dsniff.magic
Network protocol magic.

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail in open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application-level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr, but 3proxy is not a kind of wrapper or superserver for these daemons. It just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind a proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it is very like ident authentication). Depending on the ACL action, a request can be allowed, denied, or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file
Name of the config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads the configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting the +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install
(Windows NT family only) Install 3proxy as a system service.

--remove
(Windows NT family only) Remove 3proxy from system services.

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM
Clean up connections and exit.

SIGPAUSE
Stop accepting new connections; on a second signal, start and re-read the configuration.

SIGCONT
Start accepting new connections.

SIGUSR1
Reload the configuration.

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
3proxy configuration file.

How to open ports:

socks -p28800
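An added 3proxy.cfg fragment, written for this page rather than taken from the 3proxy manual, that places the bare "open a SOCKS port" line from the FILES section beside a version using the ACL, authentication and logging features described above. The directive names (nserver, nscache, log, users, auth, allow, deny, flush, proxy, socks) are the ones documented by the 3proxy project; the 192.0.2.x addresses, the user name alice and the password are constructed placeholders.

```conf
# Weak: an anonymous SOCKS gateway that anyone who can reach the port may use
auth none
socks -p28800

# Hardened: resolver for the dnspr/nscache hack, a rotating log, then ACLs
# that are evaluated before each service line (first match wins, deny * last)
nserver 192.0.2.53
nscache 65536
log /var/log/3proxy/3proxy.log D

# users <name>:CL:<cleartext password>  (constructed placeholder credential)
users alice:CL:changeme
auth strong

# HTTP proxy: only alice, only from the constructed 192.0.2.0/24 LAN,
# only to ports 80 and 443, only GET and POST
allow alice 192.0.2.0/24 * 80,443 HTTP_GET,HTTP_POST
deny *
proxy -p3128

# flush clears the ACL list so the SOCKS service gets its own rules
flush
auth strong
allow alice 192.0.2.0/24
deny *
socks -p28800
```

The important difference is that in the second form every request carries a username that the log line and the ACL can refer to, so the "filter requests on a username basis" and "allowed, denied or redirected" behaviour from the description actually applies; with auth none the ACL can only match on addresses and ports.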

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol, while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

As a powerful back-end tool it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with Twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

- Cryptcat has the same syntax and functions as netcat.
- Encrypted data transfer.
- Encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised).
- Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports]
cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server, connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password "metallica". Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes ("--"). A summary of the options specific to cryptcat is included below.

-h
Show summary of options.

-k secret password
Change the shared secret password to be used to establish a connection.

Bugs

This version of cryptcat does not support the -e command command-line option available in some versions of nc.


  • Synopsis
  • Description
  • options
  • Files
  • OPTIONS
  • SIGNALS
  • FILES
  • Name
  • Options
  • Bugs
Page 12: Backtrack Manual Part3

You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images Default is the current directory-e program - The program to use to generate images Default is twopi-T pnggifsvg - Output image format Default is png-f filter - Traffic filter in libpcap syntax-D allraw - Debug mode lots of output use with caution payload bytes to dump (default 0)-r seconds - Set the time interval between 2 consecutive graph generations Default is 60 seconds-i wildcardiface - Interface to use list all devices and exit 3Com use the first NIC withldquo3Comrdquo in it-V - Version info-vv - Verbose mode up to 3 levels (-vv -vv0921 29112007v)-h - Help message

SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols Protocol data structures are broken down and represented as blocks also referred to as a SPIKE which contains both binary data and the block size Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations To better understand the block-based concept consider the following simple example from the whitepaper The Advantages of Block-Based Protocol Analysis for Security Testing8

Project By Nutan Kumar Panda

s_block_size_binary_bigendian_word(somepacketdata) s_block_start(somepacketdata) s_binary(01020304) s_block_end(somepacketdata)

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata pushes the four bytes 0x01020304 into the block and prefixes the block with the block length In this case the block length would be calculated as 4 and stored as a big endian word Note that most of the SPIKE API is prefixed with either s_ orspike_ The s_binary() API is used to add binary data to a block and is quite liberal with its argument format allowing it to handle a wide variety of copied and pasted inputs such as the string 4141 x41 0x41 41 00 41 00 Although simple this example demonstrates the basics and overall approach of constructing a SPIKE As SPIKE allows blocks to be embedded within other blocks arbitrarily complex protocols can be easily broken down into their smallest atoms Expanding on the previous example

s_block_size_binary_bigendian_word(somepacketdata)s_block_start(somepacketdata)s_binary(01020304)s_blocksize_halfword_bigendian(innerdata)s_block_start(innerdata)s_binary(00 01)s_binary_bigendian_word_variable(0x02)s_string_variable(SELECT)s_block_end(innerdata)s_block_end(somepacketdata)

In this example two blocks are defined somepacketdata and innerdata The latter block is contained within the former block and each individual block is prefixed with a size value The newly defined innerdata block begins with a static two-byte value (0x0001) followed by a four-byte variable integer with a default value of 0x02 and finally a string variable with a default value of SELECT Thes_binary_bigendian_word_variable()and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics) respectively that have been known in the past to uncover security vulnerabilities SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made To examine or expand the current list of fuzz variables look at SPIKEsrcspikecVersion 29 of the framework contains a list of almost 700 error-inducing heuristics

Using the basic concepts demonstrated in the previous example you can begin to see how arbitrarily complex protocols can be modeled in this framework A number of additional APIs and examples exist Refer to the SPIKE documentation for further information Sticking to the running example the following code excerpt is from an FTP fuzzer distributed with SPIKE This is not the best showcase of SPIKEs capabilities as no blocks are actually defined but it helps to compare apples with apples

Project By Nutan Kumar Panda

s_string(HOST )s_string_variable(10203040)s_string(rn)s_string_variable(USER)s_string( v)s_string_variable(bob)s_string(rn)s_string(PASS )s_string_variable(bob)s_string(rn)s_string(SITE )s_string_variable(SEDV)s_string(rn)s_string(ACCT )s_string_variable(bob)s_string(rn)s_string(CWD )s_string_variable()s_string(rn)s_string(SMNT )s_string_variable()s_string(rn)s_string(PORT )s_string_variable(1)s_string()s_string_variable(2)s_string()s_string_variable(3)s_string()s_string_variable(4)s_string()s_string_variable(5)s_string()s_string_variable(6)s_string(rn)

The Goals of SPIKE

Find new vulnerabilities by

Making it easy to quickly reproduce a complex binary protocol

Develop a base of knowledge within SPIKE about different kinds of

bugclasses affecting similar protocols

Test old vulnerabilities on new programs

Make it easy to manually mess with protocols

Project By Nutan Kumar Panda

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks

s_block_start() s_block_end() s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data network code and common

marshalling routines easy

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots

s_string(ldquoHost ldquo) s_string_variable(ldquolocalhostrdquo)

A SPIKE is a kind of First In First Out Queue or ldquoBuffer Classrdquo

A SPIKE can automatically fill in ldquolength fieldsrdquo

s_size_string(ldquopostrdquo5)

s_block_start(ldquoPostrdquo)

s_string_variable(ldquouser=bobrdquo)

s_block_end(ldquopostrdquo)

Httprint is a web server fingerprinting tool It relies on web server characteristics to accurately identify web servers despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask Httprint can also be used to detect web enabled devices which do not have a server banner string such as wireless access points routers switches cable modems etc httprint uses text signature strings and it is very easy to add signatures to the signature databaseSource HttprintTo get the CLI useCodecd pentestenumerationwwwhttprint_301linux httprint

Project By Nutan Kumar Panda

Now first things first you should probably go ahead and update your Signature FileSo it will usually be inCodepentestenumerationwwwhttprint_301linux

look for signaturestxtok now to update just go to signatures and do a save as make sure you use a txt extension Overwriting the one we found earlier

Next letrsquos get the inputtxt file and set it up (its located in the same place as before)This is the second file that we want to work with so and open it up using your favorite text editorOk you should see something likeCode inputs for httprint can be - individual IP addresses (default port 80) - httpservername [port] - httpsservername[port] - IP range xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

inputs for httprint can be - individual IP addresses (default port 80) - httpservername[port] - httpsservername[port] - IP ranges xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

dsniff - password sniffer The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted Dsniff as the name implies is a network sniffer - but designed for testing of a different sort dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information such as usernames and passwords web pages being visited contents of email and more Additionally it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible not just traffic involving the host dsniff is running on

Project By Nutan Kumar Panda

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[]]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interfaceSpecify the interface to listen on

-p pcapfileRather than processing the contents of packets observed upon the network process the given PCAP capture file

-s snaplenAnalyze at most the first snaplen bytes of each TCP connection rather than the default of 1024

-f servicesLoad triggers from a services file

-t trigger[]Load triggers from a comma-separated list specified as portproto=service (eg 80tcp=http)

-r savefile

Project By Nutan Kumar Panda

Read sniffed sessions from a savefile created with the -w option-w file

Write sniffed sessions to savefile rather than parsing and printing them outexpression

Specify a tcpdump(8) filter expression to select traffic to sniffOn a hangup signal dsniff will dump its current trigger table to dsniffservices

Files

etcdsniffdsniffservices

Default trigger tableetcdsniffdsniffmagic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies Findgw determines the local gateway of an unknown network via passive sniffing which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch Macof floods the network with random MAC addresses causing some switches to fail in open repeating mode facilitating sniffing Dsniff is a simple password sniffer which parses passwords from many protocols only saving the interesting bits Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986 urlsnarf outputs all requested URLs from HTTP traffic webspy sends URLs sniffed from a client to your local Netscape browser for display updated in real-time (as the target surfs your browser surfs along with them automagically)

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills and Wi-Fi is more of a wireless replacement for Ethernet Many high-end phones laptops PDAs car stereos and other electronics are being shipped with Bluetooth capability so they can communicate

rootslax~ hciconfig hci0 uprootslax~ hciconfigjhci0 Type USBBD Address 000A3A52698C ACL MTU 1928 SCO MTU 648UP RUNNING PSCAN ISCANRX bytes148 acl0 sco0 events17 errors0TX bytes65 acl0 sco0 commands17 errors0

Project By Nutan Kumar Panda

rootslax~rootslax~ hcitool scanScanning 000272CA146D TestToprootslax~

3proxy is universal proxy server It can be used to provide internal users wuth fully controllable access to external resources or to provide external users with access to internal resources 3proxy is not developed to replace squid(8) but it can extend functionality of existing cashing proxy It can be used to route requests between different types of clients and proxy servers Think about it as application level gateway with configuration like hardware router has for network layer It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support SOCKS v4 v45 and v5 POP3 proxy UDP and TCP portmappers Each gateway is started from configuration file like independant service proxy(8) socks(8) pop3p(8)tcppm(8) udppm(8) ftppr(8) dnspr but 3proxy is not a kind of wrapper or superserver for this daemons It just has same code compiled in but provides much more functionality SOCKSv5 implementatation allows to use 3proxy with any UDP or TCP based client applications designed without proxy support (with SocksCAP FreeCAP or another client-side redirector under Windows of with socksification library under Unix) So you can play your favourite games listen music exchange files and messages and even accept incoming connections behind proxy server

dnspr does not exist as independant service It DNS caching proxy (it requires nscache and nserver to be set in configuration Only A-records are cached Please note the this caching is mostly a hack and has nothing to do with real DNS server but it works perfectly for SOHO networks

3proxy supports access control lists (ACL) like network router Source and destination networks and destination port can be specified In addition usernames and gateway action (for example GET or POST) can be used in ACLs In order to filter request on username basis user must be authenticated somehow There are few authentication types including password authentication and authentication by NetBIOS name for Windows clients (its very like ident authentication) Depending on ACL action request can be allowed denied or redirected to another host or to another proxy server or even to a chain of proxy servers

It supports different types of logging to logfiles syslog(3) (only under Unix) or to ODBC database Logging format is turnable to provide compatibility with existing log file parsers It makes it possible to use 3proxy with IIS ISA Apache or Squid log parsers

OPTIONSconfig_file

Project By Nutan Kumar Panda

Name of config file See 3proxycfg(3) for configuration file format Under Windows if config_file is not specified 3proxy looks for file named 3proxycfg in the default location (in same directory with executable file and in current directory) Under Unix if no config file is specified 3proxy reads configuration from stdin It makes it possible to use 3proxycfg file as executable script just by setting +x mode and adding usrlocal3proxy3proxy as a first line in 3proxycfg

--install(Windows NT family only) install 3proxy as a system service

--remove(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are few signals 3proxy catches See kill(1)SIGTERM

cleanup connections and exitSIGPAUSE

stop to accept new connections on second signal - start and re-read configurationSIGCONT

start to accept new conenctionsSIGUSR1

reload configuration

Under Windows if 3proxy is installed as service you can standard service management to start stop pause and continue 3proxy service for example net start 3proxy net stop 3proxy net pause 3proxy net continue 3proxy

Web admin service can also be used to reload configuration Use wget to automate this task

FILESusrlocal3proxy3proxycfg (3proxycfg)

3proxy configuration file How to open portssocks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using TCP or UDP protocol while encrypting the data being transmitted It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts At the same time it is a feature-rich network debugging and

Project By Nutan Kumar Panda

exploration tool since it can create almost any kind of connection you would need and has several interesting built-in capabilities

And as a powerful back-end tool it also lets user to hide his IP and establish connection a victim would not know about A hacker would also be able to run commands on your computer through the connection If you look through the features of Crypcat listed in this article again you will find out that it can easily switch ports and slow down the data sending process so that you will never get an idea of being hacked until you find out that perhaps your passwords accounts information and credit-cards numbers are stolen

To sum up Cryptcat is a powerful networking tool with almost unlimited performance capabilities On the one hand it can provide security and save your information but on the other hand any experienced hacker has it installed And not only for security purposes

Cryptcat is the standard netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile

Machine B: cryptcat <machine A IP> 1234

This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat.

Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised).

Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...

cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server, connecting to or listening on a socket, while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password 'metallica'. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes ('-'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command-line option available in some versions of nc.

Page 13: Backtrack Manual Part3

    s_block_size_binary_bigendian_word("somepacketdata");
    s_block_start("somepacketdata");
    s_binary("01020304");
    s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs such as the strings "4141", "\x41", "0x41" and "41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

    s_block_size_binary_bigendian_word("somepacketdata");
    s_block_start("somepacketdata");
    s_binary("01020304");
    s_blocksize_halfword_bigendian("innerdata");
    s_block_start("innerdata");
    s_binary("00 01");
    s_binary_bigendian_word_variable(0x02);
    s_string_variable("SELECT");
    s_block_end("innerdata");
    s_block_end("somepacketdata");

In this example two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block, and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02 and finally a string variable with a default value of "SELECT". The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities. SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
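The block, size-field and variable mechanism described above (and summarised again in the "How the SPIKE API works" slide later on), as an added illustration written for this page rather than SPIKE's own code: a small Python model that keeps the s_* names, parses the loose hex spellings s_binary() accepts, and runs the nested somepacketdata/innerdata script through the mutation loop so the back-patched size fields can be checked. The two fuzz lists are constructed stand-ins, not the heuristics from src/spike.c.

```python
"""Model of SPIKE's block / length-field mechanism, written for this page as an
illustration: not SPIKE's own code; s_* names mirror the SPIKE API, and the two
fuzz lists are constructed stand-ins for the ~700 heuristics in src/spike.c."""
import re

WORD_FUZZ = [0x02, 0x00, 0x7FFFFFFF, 0xFFFFFFFF]          # constructed sample
STRING_FUZZ = ["SELECT", "A" * 64, "%n%n%n%n", "../../../../etc/passwd"]


def parse_binary(text):
    """Accept the loose spellings s_binary() takes: '4141', '\\x41', '0x41', '41 00 41 00'."""
    digits = re.sub(r"\\x|0x|\s", "", text)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError("not a hex byte string: %r" % text)
    return bytes.fromhex(digits)


class Spike:
    """A FIFO byte buffer plus bookkeeping for blocks, size fields and variables."""

    def __init__(self, mutation=None):
        self.buf = bytearray()
        self.open_blocks = {}     # name -> offset where the block's contents start
        self.block_ranges = {}    # name -> (start, end), set by s_block_end()
        self.size_fields = []     # (offset, block name, width, byte order)
        self.var_lists = []       # heuristic list of each variable, in call order
        self.mutation = mutation  # (variable index, replacement value) or None

    def s_string(self, text):
        self.buf += text.encode()

    def s_binary(self, text):
        self.buf += parse_binary(text)

    def s_block_start(self, name):
        self.open_blocks[name] = len(self.buf)

    def s_block_end(self, name):
        self.block_ranges[name] = (self.open_blocks.pop(name), len(self.buf))

    def _size_field(self, name, width, order):
        # Reserve the bytes now; render() back-patches them once the block is closed.
        self.size_fields.append((len(self.buf), name, width, order))
        self.buf += b"\0" * width

    def s_block_size_binary_bigendian_word(self, name):
        self._size_field(name, 4, "big")

    def s_blocksize_halfword_bigendian(self, name):
        self._size_field(name, 2, "big")

    def _variable(self, default, fuzz_list, encode):
        # Each *_variable() call gets an index; only the mutated one leaves its default.
        index = len(self.var_lists)
        self.var_lists.append(fuzz_list)
        value = default
        if self.mutation is not None and self.mutation[0] == index:
            value = self.mutation[1]
        self.buf += encode(value)

    def s_binary_bigendian_word_variable(self, default):
        self._variable(default, WORD_FUZZ, lambda v: v.to_bytes(4, "big"))

    def s_string_variable(self, default):
        self._variable(default, STRING_FUZZ, lambda v: v.encode())

    def render(self):
        """Return the packet with every size field patched to its block's final length."""
        if self.open_blocks:
            raise ValueError("unclosed blocks: %s" % sorted(self.open_blocks))
        out = bytearray(self.buf)
        for offset, name, width, order in self.size_fields:
            start, end = self.block_ranges[name]
            out[offset:offset + width] = (end - start).to_bytes(width, order)
        return bytes(out)


def build(script):
    """Render a script (a callable issuing s_* calls) with every variable at its default."""
    spike = Spike()
    script(spike)
    return spike.render()


def fuzz_cases(script):
    """Yield ((variable index, value), packet) in SPIKE's order: all heuristics for
    the first variable, then all for the second, with sizes recomputed each time."""
    base = Spike()
    script(base)
    for index, fuzz_list in enumerate(base.var_lists):
        for value in fuzz_list:
            spike = Spike(mutation=(index, value))
            script(spike)
            yield (index, value), spike.render()


def nested_script(s):
    """The nested somepacketdata / innerdata example from the text, as a script."""
    s.s_block_size_binary_bigendian_word("somepacketdata")
    s.s_block_start("somepacketdata")
    s.s_binary("01020304")
    s.s_blocksize_halfword_bigendian("innerdata")
    s.s_block_start("innerdata")
    s.s_binary("00 01")
    s.s_binary_bigendian_word_variable(0x02)
    s.s_string_variable("SELECT")
    s.s_block_end("innerdata")
    s.s_block_end("somepacketdata")
```

With every variable at its default, build(nested_script) yields an outer size of 18 and an inner size of 12; when the string variable is swapped for the 64-byte heuristic, both sizes grow accordingly without the script changing.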

Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist; refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.


    s_string("HOST ");
    s_string_variable("10.20.30.40");
    s_string("\r\n");
    s_string_variable("USER");
    s_string(" v");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("PASS ");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("SITE ");
    s_string_variable("SEDV");
    s_string("\r\n");
    s_string("ACCT ");
    s_string_variable("bob");
    s_string("\r\n");
    s_string("CWD ");
    s_string_variable(".");
    s_string("\r\n");
    s_string("SMNT ");
    s_string_variable(".");
    s_string("\r\n");
    s_string("PORT ");
    s_string_variable("1");
    s_string(",");
    s_string_variable("2");
    s_string(",");
    s_string_variable("3");
    s_string(",");
    s_string_variable("4");
    s_string(",");
    s_string_variable("5");
    s_string(",");
    s_string_variable("6");
    s_string("\r\n");

The Goals of SPIKE

Find new vulnerabilities by:

Making it easy to quickly reproduce a complex binary protocol

Develop a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols

Test old vulnerabilities on new programs

Make it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

    s_block_start(), s_block_end(), s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

    s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:

    s_string("Host: "); s_string_variable("localhost");

A SPIKE is a kind of First In First Out Queue, or "Buffer Class".

A SPIKE can automatically fill in "length fields":

    s_size_string("post", 5);
    s_block_start("Post");
    s_string_variable("user=bob");
    s_block_end("post");

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. (Source: Httprint)

To get the CLI, use:

    cd /pentest/enumeration/www/httprint_301/linux
    ./httprint


Now, first things first, you should probably go ahead and update your signature file. It will usually be in /pentest/enumeration/www/httprint_301/linux; look for signatures.txt. To update, just go to the signatures page and do a "save as", making sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:

    # inputs for httprint can be:
    # - individual IP addresses (default port 80)
    # - http://servername[:port]
    # - https://servername[:port]
    # - IP range xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
    http://www.apache.org

dsniff - password sniffer. The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer, but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.


It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interface

Specify the interface to listen on.

-p pcapfile

Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.

-s snaplen

Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.

-f services

Load triggers from a services file.

-t trigger[,...]

Load triggers from a comma-separated list specified as port/proto=service (e.g. 80/tcp=http).

-r savefile

Read sniffed sessions from a savefile created with the -w option.

-w savefile

Write sniffed sessions to savefile rather than parsing and printing them out.

expression

Specify a tcpdump(8) filter expression to select traffic to sniff.

On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services

Default trigger table.

/etc/dsniff/dsniff.magic

Network protocol magic.

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail in open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

    root@slax:~# hciconfig hci0 up
    root@slax:~# hciconfig
    hci0:   Type: USB
            BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
            UP RUNNING PSCAN ISCAN
            RX bytes:148 acl:0 sco:0 events:17 errors:0
            TX bytes:65 acl:0 sco:0 commands:17 errors:0
    root@slax:~#
    root@slax:~# hcitool scan
    Scanning ...
            00:02:72:CA:14:6D       TestTop
    root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application level gateway, with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy (with FTP over HTTP support), SOCKS v4, v4.5 and v5, POP3 proxy, and UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr. But 3proxy is not a kind of wrapper or superserver for these daemons; it just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client applications designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind the proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied, or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, to syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file

Name of the config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads the configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install (Windows NT family only): install 3proxy as a system service.

--remove (Windows NT family only): remove 3proxy from system services.

Page 14: Backtrack Manual Part3

s_string(HOST )s_string_variable(10203040)s_string(rn)s_string_variable(USER)s_string( v)s_string_variable(bob)s_string(rn)s_string(PASS )s_string_variable(bob)s_string(rn)s_string(SITE )s_string_variable(SEDV)s_string(rn)s_string(ACCT )s_string_variable(bob)s_string(rn)s_string(CWD )s_string_variable()s_string(rn)s_string(SMNT )s_string_variable()s_string(rn)s_string(PORT )s_string_variable(1)s_string()s_string_variable(2)s_string()s_string_variable(3)s_string()s_string_variable(4)s_string()s_string_variable(5)s_string()s_string_variable(6)s_string(rn)

The Goals of SPIKE

Find new vulnerabilities by

Making it easy to quickly reproduce a complex binary protocol

Develop a base of knowledge within SPIKE about different kinds of

bugclasses affecting similar protocols

Test old vulnerabilities on new programs

Make it easy to manually mess with protocols

Project By Nutan Kumar Panda

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks

s_block_start() s_block_end() s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data network code and common

marshalling routines easy

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots

s_string(ldquoHost ldquo) s_string_variable(ldquolocalhostrdquo)

A SPIKE is a kind of First In First Out Queue or ldquoBuffer Classrdquo

A SPIKE can automatically fill in ldquolength fieldsrdquo

s_size_string(ldquopostrdquo5)

s_block_start(ldquoPostrdquo)

s_string_variable(ldquouser=bobrdquo)

s_block_end(ldquopostrdquo)

Httprint is a web server fingerprinting tool It relies on web server characteristics to accurately identify web servers despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask Httprint can also be used to detect web enabled devices which do not have a server banner string such as wireless access points routers switches cable modems etc httprint uses text signature strings and it is very easy to add signatures to the signature databaseSource HttprintTo get the CLI useCodecd pentestenumerationwwwhttprint_301linux httprint

Project By Nutan Kumar Panda

Now first things first you should probably go ahead and update your Signature FileSo it will usually be inCodepentestenumerationwwwhttprint_301linux

look for signaturestxtok now to update just go to signatures and do a save as make sure you use a txt extension Overwriting the one we found earlier

Next letrsquos get the inputtxt file and set it up (its located in the same place as before)This is the second file that we want to work with so and open it up using your favorite text editorOk you should see something likeCode inputs for httprint can be - individual IP addresses (default port 80) - httpservername [port] - httpsservername[port] - IP range xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

inputs for httprint can be - individual IP addresses (default port 80) - httpservername[port] - httpsservername[port] - IP ranges xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

dsniff - password sniffer The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted Dsniff as the name implies is a network sniffer - but designed for testing of a different sort dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information such as usernames and passwords web pages being visited contents of email and more Additionally it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible not just traffic involving the host dsniff is running on

Project By Nutan Kumar Panda

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[]]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interfaceSpecify the interface to listen on

-p pcapfileRather than processing the contents of packets observed upon the network process the given PCAP capture file

-s snaplenAnalyze at most the first snaplen bytes of each TCP connection rather than the default of 1024

-f servicesLoad triggers from a services file

-t trigger[]Load triggers from a comma-separated list specified as portproto=service (eg 80tcp=http)

-r savefile

Project By Nutan Kumar Panda

Read sniffed sessions from a savefile created with the -w option-w file

Write sniffed sessions to savefile rather than parsing and printing them outexpression

Specify a tcpdump(8) filter expression to select traffic to sniffOn a hangup signal dsniff will dump its current trigger table to dsniffservices

Files

etcdsniffdsniffservices

Default trigger tableetcdsniffdsniffmagic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies Findgw determines the local gateway of an unknown network via passive sniffing which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch Macof floods the network with random MAC addresses causing some switches to fail in open repeating mode facilitating sniffing Dsniff is a simple password sniffer which parses passwords from many protocols only saving the interesting bits Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986 urlsnarf outputs all requested URLs from HTTP traffic webspy sends URLs sniffed from a client to your local Netscape browser for display updated in real-time (as the target surfs your browser surfs along with them automagically)

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills and Wi-Fi is more of a wireless replacement for Ethernet Many high-end phones laptops PDAs car stereos and other electronics are being shipped with Bluetooth capability so they can communicate

rootslax~ hciconfig hci0 uprootslax~ hciconfigjhci0 Type USBBD Address 000A3A52698C ACL MTU 1928 SCO MTU 648UP RUNNING PSCAN ISCANRX bytes148 acl0 sco0 events17 errors0TX bytes65 acl0 sco0 commands17 errors0

Project By Nutan Kumar Panda

rootslax~rootslax~ hcitool scanScanning 000272CA146D TestToprootslax~

3proxy is universal proxy server It can be used to provide internal users wuth fully controllable access to external resources or to provide external users with access to internal resources 3proxy is not developed to replace squid(8) but it can extend functionality of existing cashing proxy It can be used to route requests between different types of clients and proxy servers Think about it as application level gateway with configuration like hardware router has for network layer It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support SOCKS v4 v45 and v5 POP3 proxy UDP and TCP portmappers Each gateway is started from configuration file like independant service proxy(8) socks(8) pop3p(8)tcppm(8) udppm(8) ftppr(8) dnspr but 3proxy is not a kind of wrapper or superserver for this daemons It just has same code compiled in but provides much more functionality SOCKSv5 implementatation allows to use 3proxy with any UDP or TCP based client applications designed without proxy support (with SocksCAP FreeCAP or another client-side redirector under Windows of with socksification library under Unix) So you can play your favourite games listen music exchange files and messages and even accept incoming connections behind proxy server

dnspr does not exist as independant service It DNS caching proxy (it requires nscache and nserver to be set in configuration Only A-records are cached Please note the this caching is mostly a hack and has nothing to do with real DNS server but it works perfectly for SOHO networks

3proxy supports access control lists (ACL) like network router Source and destination networks and destination port can be specified In addition usernames and gateway action (for example GET or POST) can be used in ACLs In order to filter request on username basis user must be authenticated somehow There are few authentication types including password authentication and authentication by NetBIOS name for Windows clients (its very like ident authentication) Depending on ACL action request can be allowed denied or redirected to another host or to another proxy server or even to a chain of proxy servers

It supports different types of logging to logfiles syslog(3) (only under Unix) or to ODBC database Logging format is turnable to provide compatibility with existing log file parsers It makes it possible to use 3proxy with IIS ISA Apache or Squid log parsers

OPTIONSconfig_file

Project By Nutan Kumar Panda

Name of config file See 3proxycfg(3) for configuration file format Under Windows if config_file is not specified 3proxy looks for file named 3proxycfg in the default location (in same directory with executable file and in current directory) Under Unix if no config file is specified 3proxy reads configuration from stdin It makes it possible to use 3proxycfg file as executable script just by setting +x mode and adding usrlocal3proxy3proxy as a first line in 3proxycfg

--install(Windows NT family only) install 3proxy as a system service

--remove(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are few signals 3proxy catches See kill(1)SIGTERM

cleanup connections and exitSIGPAUSE

stop to accept new connections on second signal - start and re-read configurationSIGCONT

start to accept new conenctionsSIGUSR1

reload configuration

Under Windows if 3proxy is installed as service you can standard service management to start stop pause and continue 3proxy service for example net start 3proxy net stop 3proxy net pause 3proxy net continue 3proxy

Web admin service can also be used to reload configuration Use wget to automate this task

FILESusrlocal3proxy3proxycfg (3proxycfg)

3proxy configuration file How to open portssocks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using TCP or UDP protocol while encrypting the data being transmitted It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts At the same time it is a feature-rich network debugging and

Project By Nutan Kumar Panda

exploration tool since it can create almost any kind of connection you would need and has several interesting built-in capabilities

And as a powerful back-end tool it also lets user to hide his IP and establish connection a victim would not know about A hacker would also be able to run commands on your computer through the connection If you look through the features of Crypcat listed in this article again you will find out that it can easily switch ports and slow down the data sending process so that you will never get an idea of being hacked until you find out that perhaps your passwords accounts information and credit-cards numbers are stolen

To sum up Cryptcat is a powerful networking tool with almost unlimited performance capabilities On the one hand it can provide security and save your information but on the other hand any experienced hacker has it installed And not only for security purposes

Cryptcat is the standard netcat enhanced with twofish encryption Cryptcat is the standard netcat enhanced with twofish encryption

Machine A cryptcat -l -p 1234 lt testfile Machine B cryptcat ltmachine A IPgt 1234

This is identical to the normal netcat options for doing exactly the same thing However in this case the data transferred is encrypted

Vulnerability Note VU165099 - cryptcat does not encrypt data communications when -e command argument is used

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functionsas netcatEncrypted data transferEncrypting files means that Attackerrsquos sniffer cannot compromise yourinformation (Unless your passphrase iscompromised) Encryption nearly eliminates risk of datacontamination or injection

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] cryptcat -k secret -l -p port [-options] [hostname] [port]

Project By Nutan Kumar Panda

Description

Cryptcat can act as a tcp or udp client or server, connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password 'metallica'. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes ('-'). A summary of the options specific to cryptcat is included below.

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc.
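An added audit script (not from the page and not part of cryptcat) that flags, for one cryptcat command line, the two weaknesses noted above: no -k (or -k set to the hardcoded default), and -e per VU#165099. The option table, the finding codes and the sample command lines are my own constructed assumptions:

```python
# Added example: audit a cryptcat command line for weak-encryption usage.
# Not cryptcat's own code; the option table below is an assumed subset of
# netcat-style options that take a value.
import shlex

DEFAULT_KEY = "metallica"      # cryptcat's hardcoded default password (man page)
ARG_OPTS = set("kpesiwo")      # assumed: options that consume a following value


def parse_cryptcat(argv):
    """Minimal getopt-style parse. Returns ({opt: value or True}, positional)."""
    opts, positional, i = {}, [], 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            positional.extend(argv[i + 1:])
            break
        if tok.startswith("-") and len(tok) > 1:
            j = 1
            while j < len(tok):            # clusters such as "-lp 1234"
                c = tok[j]
                if c in ARG_OPTS:
                    val = tok[j + 1:]      # value may be glued: "-p1234"
                    if not val:
                        i += 1
                        val = argv[i] if i < len(argv) else None
                    opts[c] = val
                    break
                opts[c] = True
                j += 1
        else:
            positional.append(tok)
        i += 1
    return opts, positional


def audit_cryptcat(argv):
    """Return a list of (code, explanation) findings for one invocation."""
    findings = []
    if not argv or argv[0].rsplit("/", 1)[-1] != "cryptcat":
        return findings                    # not a cryptcat invocation
    opts, _ = parse_cryptcat(argv)
    key = opts.get("k")
    if key is None:
        findings.append(("no-key",
                         "no -k: hardcoded default password in use; treat as cleartext"))
    elif key == DEFAULT_KEY:
        findings.append(("default-key",
                         "-k uses the well-known default password; treat as cleartext"))
    if "e" in opts:
        findings.append(("exec-unencrypted",
                         "-e in use: data is not encrypted (VU#165099)"))
    return findings


def audit_command_line(line):
    """Convenience wrapper for a raw shell command line."""
    return audit_cryptcat(shlex.split(line))


# Constructed sample command lines (not captured from any real system).
SAMPLES = [
    "cryptcat -l -p 1234",                                   # no -k at all
    "/usr/bin/cryptcat -k s3cret -l -p 1234",                # fine
    "cryptcat -k metallica 10.0.0.5 1234",                   # default key
    "cryptcat -k s3cret -lp 1234 -e /usr/bin/handler",       # -e: VU#165099
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", [code for code, _ in audit_command_line(line)])
```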

Page 15: Backtrack Manual Part3

How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks:

s_block_start() s_block_end() s_blocksize_halfword_bigendian()

SPIKE utility routines make dealing with binary data, network code and common marshalling routines easy:

s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots:

s_string("Host: ") s_string_variable("localhost")

A SPIKE is a kind of First In First Out Queue or "Buffer Class"

A SPIKE can automatically fill in "length fields":

s_size_string("post", 5)
s_block_start("post")
s_string_variable("user=bob")
s_block_end("post")
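A small Python model of the buffer-class and length-field mechanism described above, added here as an illustration. It is not SPIKE's own code: the class, the method names mirroring the s_* calls on the slide, and the patching rules (ASCII size right-justified in a fixed-width field, or a 2-byte big-endian size) are my simplification:

```python
# Added example: a toy model of SPIKE's FIFO buffer with named blocks and
# back-patched length fields. Not SPIKE's real implementation.
import struct


class Spike:
    """FIFO byte buffer; size fields are reserved first and patched when the
    named block they describe is closed."""

    def __init__(self):
        self.buf = bytearray()
        self.open_blocks = {}   # block name -> offset where its data starts
        self.pending = {}       # block name -> [(offset, kind, width), ...]
        self.variables = []     # (offset, length) of fuzzable strings

    def s_string(self, s):
        self.buf += s.encode()

    def s_string_variable(self, s):
        # Record the span so a fuzzer could substitute this value later.
        start = len(self.buf)
        self.buf += s.encode()
        self.variables.append((start, len(s)))

    def s_size_string(self, block, width):
        # Reserve `width` ASCII characters for the size of `block`.
        self._reserve(block, "ascii", width)

    def s_blocksize_halfword_bigendian(self, block):
        # Reserve a 2-byte big-endian size field for `block`.
        self._reserve(block, "be16", 2)

    def _reserve(self, block, kind, width):
        self.pending.setdefault(block, []).append((len(self.buf), kind, width))
        self.buf += b"\x00" * width

    def s_block_start(self, block):
        if block in self.open_blocks:
            raise ValueError("block %r already open" % block)
        self.open_blocks[block] = len(self.buf)

    def s_block_end(self, block):
        start = self.open_blocks.pop(block)      # KeyError if never opened
        size = len(self.buf) - start
        for off, kind, width in self.pending.pop(block, []):
            if kind == "ascii":
                field = str(size).rjust(width).encode()
                if len(field) != width:
                    raise ValueError("size %d does not fit in %d chars" % (size, width))
            else:
                field = struct.pack(">H", size)
            self.buf[off:off + width] = field    # back-patch the length field

    def to_bytes(self):
        if self.open_blocks:
            raise ValueError("unclosed blocks: " + ", ".join(self.open_blocks))
        return bytes(self.buf)


def build_post_example():
    """The slide's 'post' example: a 5-char size field patched with the
    length of the block that follows it."""
    sp = Spike()
    sp.s_size_string("post", 5)
    sp.s_block_start("post")
    sp.s_string_variable("user=bob")
    sp.s_block_end("post")
    return sp.to_bytes()


def build_binary_example():
    """Same idea with s_blocksize_halfword_bigendian over a Host header."""
    sp = Spike()
    sp.s_blocksize_halfword_bigendian("hdr")
    sp.s_block_start("hdr")
    sp.s_string("Host: ")
    sp.s_string_variable("localhost")
    sp.s_block_end("hdr")
    return sp.to_bytes()


if __name__ == "__main__":
    print(build_post_example())     # b'    8user=bob'
    print(build_binary_example())   # b'\x00\x0fHost: localhost'
```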

Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems etc. httprint uses text signature strings and it is very easy to add signatures to the signature database. Source: Httprint

To get the CLI use:

cd /pentest/enumeration/www/httprint_301/linux
./httprint

Now, first things first: you should probably go ahead and update your signature file. It will usually be in:

/pentest/enumeration/www/httprint_301/linux

Look for signatures.txt. OK, now to update, just go to signatures and do a "save as"; make sure you use a .txt extension, overwriting the one we found earlier.

Next, let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. OK, you should see something like:

inputs for httprint can be:
- individual IP addresses (default port 80)
- http://servername[:port]
- https://servername[:port]
- IP ranges xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy
http://www.apache.org

dsniff - password sniffer

The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer, but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interface

Specify the interface to listen on

-p pcapfile

Rather than processing the contents of packets observed upon the network, process the given PCAP capture file

-s snaplen

Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024

-f services

Load triggers from a services file

-t trigger[,...]

Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http)

-r savefile

Read sniffed sessions from a savefile created with the -w option

-w file

Write sniffed sessions to savefile, rather than parsing and printing them out

expression

Specify a tcpdump(8) filter expression to select traffic to sniff

On a hangup signal, dsniff will dump its current trigger table to dsniff.services

Files

/etc/dsniff/dsniff.services

Default trigger table

/etc/dsniff/dsniff.magic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail into open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0

root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#

3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources, or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application-level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like an independent service: proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr. But 3proxy is not a kind of wrapper or superserver for these daemons; it just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP- or TCP-based client application designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind a proxy server.

dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow. There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied or redirected to another host or to another proxy server, or even to a chain of proxy servers.

It supports different types of logging: to logfiles, to syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. This makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS

config_file

Name of the config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads its configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script, just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.

--install

(Windows NT family only) install 3proxy as a system service

--remove

(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM

cleanup connections and exit

SIGPAUSE

stop accepting new connections; on a second signal, start and re-read configuration

SIGCONT

start accepting new connections

SIGUSR1

reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)

3proxy configuration file

How to open ports: socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Page 16: Backtrack Manual Part3

Now first things first you should probably go ahead and update your Signature FileSo it will usually be inCodepentestenumerationwwwhttprint_301linux

look for signaturestxtok now to update just go to signatures and do a save as make sure you use a txt extension Overwriting the one we found earlier

Next letrsquos get the inputtxt file and set it up (its located in the same place as before)This is the second file that we want to work with so and open it up using your favorite text editorOk you should see something likeCode inputs for httprint can be - individual IP addresses (default port 80) - httpservername [port] - httpsservername[port] - IP range xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

inputs for httprint can be - individual IP addresses (default port 80) - httpservername[port] - httpsservername[port] - IP ranges xxxxxxxx-yyyyyyyyhttpwwwapache DOT org

dsniff - password sniffer The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted Dsniff as the name implies is a network sniffer - but designed for testing of a different sort dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information such as usernames and passwords web pages being visited contents of email and more Additionally it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible not just traffic involving the host dsniff is running on

Project By Nutan Kumar Panda

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[]]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interfaceSpecify the interface to listen on

-p pcapfileRather than processing the contents of packets observed upon the network process the given PCAP capture file

-s snaplenAnalyze at most the first snaplen bytes of each TCP connection rather than the default of 1024

-f servicesLoad triggers from a services file

-t trigger[]Load triggers from a comma-separated list specified as portproto=service (eg 80tcp=http)

-r savefile

Project By Nutan Kumar Panda

Read sniffed sessions from a savefile created with the -w option-w file

Write sniffed sessions to savefile rather than parsing and printing them outexpression

Specify a tcpdump(8) filter expression to select traffic to sniffOn a hangup signal dsniff will dump its current trigger table to dsniffservices

Files

etcdsniffdsniffservices

Default trigger tableetcdsniffdsniffmagic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies Findgw determines the local gateway of an unknown network via passive sniffing which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch Macof floods the network with random MAC addresses causing some switches to fail in open repeating mode facilitating sniffing Dsniff is a simple password sniffer which parses passwords from many protocols only saving the interesting bits Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986 urlsnarf outputs all requested URLs from HTTP traffic webspy sends URLs sniffed from a client to your local Netscape browser for display updated in real-time (as the target surfs your browser surfs along with them automagically)

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills and Wi-Fi is more of a wireless replacement for Ethernet Many high-end phones laptops PDAs car stereos and other electronics are being shipped with Bluetooth capability so they can communicate

rootslax~ hciconfig hci0 uprootslax~ hciconfigjhci0 Type USBBD Address 000A3A52698C ACL MTU 1928 SCO MTU 648UP RUNNING PSCAN ISCANRX bytes148 acl0 sco0 events17 errors0TX bytes65 acl0 sco0 commands17 errors0

Project By Nutan Kumar Panda

rootslax~rootslax~ hcitool scanScanning 000272CA146D TestToprootslax~

3proxy is universal proxy server It can be used to provide internal users wuth fully controllable access to external resources or to provide external users with access to internal resources 3proxy is not developed to replace squid(8) but it can extend functionality of existing cashing proxy It can be used to route requests between different types of clients and proxy servers Think about it as application level gateway with configuration like hardware router has for network layer It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support SOCKS v4 v45 and v5 POP3 proxy UDP and TCP portmappers Each gateway is started from configuration file like independant service proxy(8) socks(8) pop3p(8)tcppm(8) udppm(8) ftppr(8) dnspr but 3proxy is not a kind of wrapper or superserver for this daemons It just has same code compiled in but provides much more functionality SOCKSv5 implementatation allows to use 3proxy with any UDP or TCP based client applications designed without proxy support (with SocksCAP FreeCAP or another client-side redirector under Windows of with socksification library under Unix) So you can play your favourite games listen music exchange files and messages and even accept incoming connections behind proxy server

dnspr does not exist as independant service It DNS caching proxy (it requires nscache and nserver to be set in configuration Only A-records are cached Please note the this caching is mostly a hack and has nothing to do with real DNS server but it works perfectly for SOHO networks

3proxy supports access control lists (ACL) like network router Source and destination networks and destination port can be specified In addition usernames and gateway action (for example GET or POST) can be used in ACLs In order to filter request on username basis user must be authenticated somehow There are few authentication types including password authentication and authentication by NetBIOS name for Windows clients (its very like ident authentication) Depending on ACL action request can be allowed denied or redirected to another host or to another proxy server or even to a chain of proxy servers

It supports different types of logging to logfiles syslog(3) (only under Unix) or to ODBC database Logging format is turnable to provide compatibility with existing log file parsers It makes it possible to use 3proxy with IIS ISA Apache or Squid log parsers

OPTIONSconfig_file

Project By Nutan Kumar Panda

Name of config file See 3proxycfg(3) for configuration file format Under Windows if config_file is not specified 3proxy looks for file named 3proxycfg in the default location (in same directory with executable file and in current directory) Under Unix if no config file is specified 3proxy reads configuration from stdin It makes it possible to use 3proxycfg file as executable script just by setting +x mode and adding usrlocal3proxy3proxy as a first line in 3proxycfg

--install(Windows NT family only) install 3proxy as a system service

--remove(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are few signals 3proxy catches See kill(1)SIGTERM

cleanup connections and exitSIGPAUSE

stop to accept new connections on second signal - start and re-read configurationSIGCONT

start to accept new conenctionsSIGUSR1

reload configuration

Under Windows if 3proxy is installed as service you can standard service management to start stop pause and continue 3proxy service for example net start 3proxy net stop 3proxy net pause 3proxy net continue 3proxy

Web admin service can also be used to reload configuration Use wget to automate this task

FILESusrlocal3proxy3proxycfg (3proxycfg)

3proxy configuration file How to open portssocks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network connections using TCP or UDP protocol while encrypting the data being transmitted It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts At the same time it is a feature-rich network debugging and

Project By Nutan Kumar Panda

exploration tool since it can create almost any kind of connection you would need and has several interesting built-in capabilities

And as a powerful back-end tool it also lets user to hide his IP and establish connection a victim would not know about A hacker would also be able to run commands on your computer through the connection If you look through the features of Crypcat listed in this article again you will find out that it can easily switch ports and slow down the data sending process so that you will never get an idea of being hacked until you find out that perhaps your passwords accounts information and credit-cards numbers are stolen

To sum up Cryptcat is a powerful networking tool with almost unlimited performance capabilities On the one hand it can provide security and save your information but on the other hand any experienced hacker has it installed And not only for security purposes

Cryptcat is the standard netcat enhanced with twofish encryption Cryptcat is the standard netcat enhanced with twofish encryption

Machine A cryptcat -l -p 1234 lt testfile Machine B cryptcat ltmachine A IPgt 1234

This is identical to the normal netcat options for doing exactly the same thing However in this case the data transferred is encrypted

Vulnerability Note VU165099 - cryptcat does not encrypt data communications when -e command argument is used

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functionsas netcatEncrypted data transferEncrypting files means that Attackerrsquos sniffer cannot compromise yourinformation (Unless your passphrase iscompromised) Encryption nearly eliminates risk of datacontamination or injection

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] cryptcat -k secret -l -p port [-options] [hostname] [port]

Project By Nutan Kumar Panda

Description

Cryptcat can act as a tcp or udp client or server - connecting to or listening on a socket while otherwise working as the standard Unix command cat(1)

cryptcat takes a password as a salt to encrypt the data being sent over the connection Without a specified password cryptcatmetallicarsquorsquo Needless to say failure to specify a different password makes the connection as good as unencrypted will default to the hardcoded password lsquolsquo

Options

This programs does not follow the usual GNU command line syntax with long options starting with two dashes (lsquo-rsquo) A summary of the options specific to cryptcat is included below

-h

Show summary of options

-k secret password

Change the shared secret password to be used to establish a connection

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc

Project By Nutan Kumar Panda

  • Synopsis
  • Description
  • options
  • Files
  • OPTIONS
  • SIGNALS
  • FILES
  • Name
  • Options
  • Bugs
Page 17: Backtrack Manual Part3

It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols which would allow viewing of the traffic unencrypted and even the possibility of taking over interactive SSH sessions

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[]]] [-r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway)

-d

Enable debugging mode

-m

Enable automatic protocol detection

-n

Do not resolve IP addresses to hostnames

-i interfaceSpecify the interface to listen on

-p pcapfileRather than processing the contents of packets observed upon the network process the given PCAP capture file

-s snaplenAnalyze at most the first snaplen bytes of each TCP connection rather than the default of 1024

-f servicesLoad triggers from a services file

-t trigger[]Load triggers from a comma-separated list specified as portproto=service (eg 80tcp=http)

-r savefile

Project By Nutan Kumar Panda

Read sniffed sessions from a savefile created with the -w option-w file

Write sniffed sessions to savefile rather than parsing and printing them outexpression

Specify a tcpdump(8) filter expression to select traffic to sniffOn a hangup signal dsniff will dump its current trigger table to dsniffservices

Files

etcdsniffdsniffservices

Default trigger tableetcdsniffdsniffmagic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies Findgw determines the local gateway of an unknown network via passive sniffing which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch Macof floods the network with random MAC addresses causing some switches to fail in open repeating mode facilitating sniffing Dsniff is a simple password sniffer which parses passwords from many protocols only saving the interesting bits Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986 urlsnarf outputs all requested URLs from HTTP traffic webspy sends URLs sniffed from a client to your local Netscape browser for display updated in real-time (as the target surfs your browser surfs along with them automagically)

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills and Wi-Fi is more of a wireless replacement for Ethernet Many high-end phones laptops PDAs car stereos and other electronics are being shipped with Bluetooth capability so they can communicate

rootslax~ hciconfig hci0 uprootslax~ hciconfigjhci0 Type USBBD Address 000A3A52698C ACL MTU 1928 SCO MTU 648UP RUNNING PSCAN ISCANRX bytes148 acl0 sco0 events17 errors0TX bytes65 acl0 sco0 commands17 errors0

Project By Nutan Kumar Panda

rootslax~rootslax~ hcitool scanScanning 000272CA146D TestToprootslax~

3proxy is universal proxy server It can be used to provide internal users wuth fully controllable access to external resources or to provide external users with access to internal resources 3proxy is not developed to replace squid(8) but it can extend functionality of existing cashing proxy It can be used to route requests between different types of clients and proxy servers Think about it as application level gateway with configuration like hardware router has for network layer It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support SOCKS v4 v45 and v5 POP3 proxy UDP and TCP portmappers Each gateway is started from configuration file like independant service proxy(8) socks(8) pop3p(8)tcppm(8) udppm(8) ftppr(8) dnspr but 3proxy is not a kind of wrapper or superserver for this daemons It just has same code compiled in but provides much more functionality SOCKSv5 implementatation allows to use 3proxy with any UDP or TCP based client applications designed without proxy support (with SocksCAP FreeCAP or another client-side redirector under Windows of with socksification library under Unix) So you can play your favourite games listen music exchange files and messages and even accept incoming connections behind proxy server

dnspr does not exist as independant service It DNS caching proxy (it requires nscache and nserver to be set in configuration Only A-records are cached Please note the this caching is mostly a hack and has nothing to do with real DNS server but it works perfectly for SOHO networks

3proxy supports access control lists (ACL) like network router Source and destination networks and destination port can be specified In addition usernames and gateway action (for example GET or POST) can be used in ACLs In order to filter request on username basis user must be authenticated somehow There are few authentication types including password authentication and authentication by NetBIOS name for Windows clients (its very like ident authentication) Depending on ACL action request can be allowed denied or redirected to another host or to another proxy server or even to a chain of proxy servers

It supports different types of logging to logfiles syslog(3) (only under Unix) or to ODBC database Logging format is turnable to provide compatibility with existing log file parsers It makes it possible to use 3proxy with IIS ISA Apache or Squid log parsers

OPTIONSconfig_file

Project By Nutan Kumar Panda

Name of config file See 3proxycfg(3) for configuration file format Under Windows if config_file is not specified 3proxy looks for file named 3proxycfg in the default location (in same directory with executable file and in current directory) Under Unix if no config file is specified 3proxy reads configuration from stdin It makes it possible to use 3proxycfg file as executable script just by setting +x mode and adding usrlocal3proxy3proxy as a first line in 3proxycfg

--install(Windows NT family only) install 3proxy as a system service

--remove(Windows NT family only) remove 3proxy from system services

SIGNALS

Under Unix there are a few signals 3proxy catches. See kill(1).

SIGTERM

clean up connections and exit

SIGPAUSE

stop accepting new connections; on a second signal, start again and re-read the configuration

SIGCONT

start accepting new connections

SIGUSR1

reload configuration

Under Windows, if 3proxy is installed as a service, you can use standard service management to start, stop, pause and continue the 3proxy service, for example: net start 3proxy, net stop 3proxy, net pause 3proxy, net continue 3proxy.

The web admin service can also be used to reload the configuration. Use wget to automate this task.

FILES

/usr/local/3proxy/3proxy.cfg (3proxy.cfg)

3proxy configuration file

How to open ports (example configuration line): socks -p28800
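The ACL behaviour described above (source and destination networks, ports, usernames and operations, first matching rule deciding) is easy to get wrong when rules are ordered carelessly. The following added example is not 3proxy's own code; it is a simplified Python model of how such allow/deny lines are evaluated, with assumed rule syntax, and it shows a constructed configuration where a deny for the internal network is placed below broad allow rules and therefore never fires, next to the corrected ordering.

```python
"""Simplified model of 3proxy-style ACL evaluation.

Added example, not 3proxy's own code. It assumes (these are assumptions, not
statements from the manual) that a rule line reads
    allow|deny <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
with comma-separated lists, '*' as a wildcard, CIDR networks, port ranges
such as 1024-65535, rules tested in file order with the first match deciding,
and a request that matches no rule being denied.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration: the deny for the internal network sits
# BELOW broad allow rules, so it never fires for alice or bob.
CFG_WRONG_ORDER = """\
auth strong
users alice:CL:secret1 bob:CL:secret2
allow alice * * 80,443 GET,POST
allow bob 10.0.0.0/24 * 80,443 *
deny * * 10.0.0.0/8 * *
allow * 10.0.0.0/24 * 22 *
socks -p28800
"""

# Same rules with the deny moved to the top, so internal targets are blocked
# for everybody before any allow is considered.
CFG_FIXED = """\
auth strong
users alice:CL:secret1 bob:CL:secret2
deny * * 10.0.0.0/8 * *
allow alice * * 80,443 GET,POST
allow bob 10.0.0.0/24 * 80,443 *
allow * 10.0.0.0/24 * 22 *
socks -p28800
"""


@dataclass(frozen=True)
class Request:
    user: str   # authenticated user name
    src: str    # client IP address
    dst: str    # destination IP address
    port: int   # destination port
    op: str     # gateway operation, e.g. GET, POST, CONNECT


def _match_net(addr, item):
    """CIDR or single-host match; a non-network item is compared literally."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        return addr == item


def _match_port(port, item):
    lo, _, hi = item.partition("-")       # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)


def _match_list(value, field, matcher):
    return field == "*" or any(matcher(value, item) for item in field.split(","))


def parse_rules(cfg_text):
    """Extract (action, [user, src, dst, port, op]) tuples in file order."""
    rules = []
    for raw in cfg_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] in ("allow", "deny"):
            fields = (parts[1:] + ["*"] * 5)[:5]   # missing trailing fields act as '*'
            rules.append((parts[0], fields))
    return rules


def decide(rules, req):
    """First matching rule wins; no match means deny."""
    for action, (users, srcs, dsts, ports, ops) in rules:
        if (_match_list(req.user, users, lambda v, i: v == i)
                and _match_list(req.src, srcs, _match_net)
                and _match_list(req.dst, dsts, _match_net)
                and _match_list(req.port, ports, _match_port)
                and _match_list(req.op, ops, lambda v, i: v == i)):
            return action
    return "deny"


if __name__ == "__main__":
    internal = Request("alice", "192.168.1.5", "10.0.0.5", 443, "GET")
    print("wrong order:", decide(parse_rules(CFG_WRONG_ORDER), internal))  # allow
    print("fixed order:", decide(parse_rules(CFG_FIXED), internal))        # deny
```

Run the file to see the two outcomes for the same request. The lesson carries over to the real configuration: put the narrowest deny rules first, and check that a request matching no rule at all ends up denied rather than allowed.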

Cryptcat is a simple Unix utility which reads and writes data across network connections using the TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

As a powerful back-end tool it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked until you find out that perhaps your passwords, account information and credit-card numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand it can provide security and save your information, but on the other hand any experienced hacker has it installed, and not only for security purposes.

Cryptcat is the standard netcat enhanced with Twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile

Machine B: cryptcat <machine A IP> 1234

These are identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions as netcat.

Encrypted data transfer: encrypting files means that an attacker's sniffer cannot compromise your information (unless your passphrase is compromised).

Encryption nearly eliminates the risk of data contamination or injection.

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] ...

cryptcat -k secret -l -p port [-options] [hostname] [port]


Description

Cryptcat can act as a TCP or UDP client or server, connecting to or listening on a socket while otherwise working as the standard Unix command cat(1).

cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password, cryptcat will default to the hardcoded password ``metallica''. Needless to say, failure to specify a different password makes the connection as good as unencrypted.

Options

This program does not follow the usual GNU command line syntax, with long options starting with two dashes ('-'). A summary of the options specific to cryptcat is included below.

-h

Show a summary of options.

-k secret password

Change the shared secret password used to establish a connection.

Bugs

This version of cryptcat does not support the -e command command line option available in some versions of nc.
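The two caveats in this section, the hardcoded default password when -k is omitted and the unencrypted traffic of -e (VU#165099), are things a defender can check for on a host. The following added Python example is not from the manual or from cryptcat; it scans a constructed process listing (assumed to be in the column layout of ps -eo pid,args) and flags cryptcat processes whose command line makes the encryption ineffective.

```python
"""Flag cryptcat processes that are effectively unencrypted.

Added example, not part of the manual or of cryptcat. It applies the two
caveats from the text: without -k the hardcoded default password is used, and
with -e (VU#165099) the command's traffic is not encrypted. The process
listing below is constructed for the example; the column layout assumed is
that of 'ps -eo pid,args'.
"""
import os
import shlex

SAMPLE_PS = """\
  PID COMMAND
 1201 cryptcat -l -p 1234
 1202 cryptcat -k s3cr3t -l -p 4444
 1203 cryptcat -k s3cr3t -l -p 5555 -e /bin/sh
 1204 /usr/bin/cryptcat 10.0.0.5 1234
 1205 nc -l -p 8080
"""


def _has_option(argv, letter):
    """getopt style: '-k secret' and the glued form '-ksecret' both count."""
    flag = "-" + letter
    return any(a == flag or (a.startswith(flag) and len(a) > 2) for a in argv[1:])


def audit_cryptcat_argv(argv):
    """Return the list of findings for one cryptcat argv (empty == nothing to flag)."""
    findings = []
    if not _has_option(argv, "k"):
        findings.append("no -k: hardcoded default password, as good as unencrypted")
    if _has_option(argv, "e"):
        findings.append("-e used: command I/O is sent unencrypted (VU#165099)")
    return findings


def scan_process_list(ps_text):
    """Map PID -> findings for every cryptcat process that has something to flag."""
    flagged = {}
    for line in ps_text.splitlines()[1:]:          # skip the header row
        pid, _, cmdline = line.strip().partition(" ")
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            continue                                # unbalanced quotes: cannot parse this line
        if not argv or os.path.basename(argv[0]) != "cryptcat":
            continue
        findings = audit_cryptcat_argv(argv)
        if findings:
            flagged[int(pid)] = findings
    return flagged


if __name__ == "__main__":
    for pid, findings in sorted(scan_process_list(SAMPLE_PS).items()):
        print(pid, "; ".join(findings))
```

On a live host, feed the output of ps -eo pid,args into scan_process_list instead of the constructed sample; the audit function can equally be applied to argv lists taken from shell history or audit logs.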

Page 18: Backtrack Manual Part3

-r file

Read sniffed sessions from a savefile created with the -w option

-w file

Write sniffed sessions to a savefile rather than parsing and printing them out

expression

Specify a tcpdump(8) filter expression to select traffic to sniff

On a hangup signal dsniff will dump its current trigger table to dsniff.services

Files

/etc/dsniff/dsniff.services

Default trigger table

/etc/dsniff/dsniff.magic

Network protocol magic

Dsniff contains several powerful new network tools written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail into open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the interesting bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. Urlsnarf outputs all requested URLs from HTTP traffic. Webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real time (as the target surfs, your browser surfs along with them automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate.

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0


root@slax:~# hcitool scan
Scanning ...
        00:02:72:CA:14:6D       TestTop
root@slax:~#
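The hciconfig and hcitool scan output above is what an inventory or audit script has to read. The following added Python example, which is not part of the manual or of BlueZ, parses both outputs into structured data and reports which local adapters are up and discoverable; the sample strings reproduce the session shown above, and the flag meanings (PSCAN = accepts connections, ISCAN = answers inquiries, i.e. visible to any scanner) are assumed from BlueZ's conventions.

```python
"""Parse hciconfig and hcitool scan output into structured inventory data.

Added example, not from the manual or BlueZ. The sample text is the session
shown above re-typed as strings; the flag meanings assumed are BlueZ's:
PSCAN = page scan (adapter accepts connections), ISCAN = inquiry scan
(adapter answers discovery, i.e. it is visible to anyone scanning).
"""
import re

SAMPLE_HCICONFIG = """\
hci0:   Type: USB
        BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
        UP RUNNING PSCAN ISCAN
        RX bytes:148 acl:0 sco:0 events:17 errors:0
        TX bytes:65 acl:0 sco:0 commands:17 errors:0
"""

SAMPLE_SCAN = """\
Scanning ...
        00:02:72:CA:14:6D       TestTop
"""

_BDADDR = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"


def parse_hciconfig(text):
    """Return {adapter: {"type", "bdaddr", "flags", "connectable", "discoverable"}}."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(hci\d+):\s+Type:\s+(\S+)", line)
        if m:
            current = m.group(1)
            adapters[current] = {"type": m.group(2), "bdaddr": None, "flags": []}
            continue
        if current is None:
            continue
        m = re.search(r"BD Address:\s+" + _BDADDR, line)
        if m:
            adapters[current]["bdaddr"] = m.group(1).upper()
            continue
        stripped = line.strip()
        # the state line is a run of upper-case flag words and nothing else
        if stripped and re.fullmatch(r"[A-Z]+( [A-Z]+)*", stripped):
            adapters[current]["flags"] = stripped.split()
    for info in adapters.values():
        info["connectable"] = "PSCAN" in info["flags"]
        info["discoverable"] = "ISCAN" in info["flags"]
    return adapters


def parse_hcitool_scan(text):
    """Return [(bdaddr, name)] pairs from 'hcitool scan' output."""
    found = []
    for line in text.splitlines():
        m = re.match(r"^\s*" + _BDADDR + r"\s+(.*\S)\s*$", line)
        if m:
            found.append((m.group(1).upper(), m.group(2)))
    return found


def discoverable_adapters(text):
    """Names of local adapters that are up and answer inquiries (a common audit check)."""
    return [name for name, info in parse_hciconfig(text).items()
            if "UP" in info["flags"] and info["discoverable"]]


if __name__ == "__main__":
    print(parse_hciconfig(SAMPLE_HCICONFIG))
    print(parse_hcitool_scan(SAMPLE_SCAN))
    print("discoverable:", discoverable_adapters(SAMPLE_HCICONFIG))
```

For a real audit, replace the sample strings with the captured output of hciconfig and hcitool scan; an adapter that shows up in discoverable_adapters is one that any nearby device can enumerate, which is usually not what you want on a laptop outside a lab.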
