Name : Divya Dipak Mali
Class : BE - computer
Roll No : 58
Subject : Cyber - Security Lab
Aim: Study of Information Gathering Tools in Kali Linux
1. Live host identification: Hping3
hping3 is a command-line TCP/IP packet assembler/analyzer. Its interface is modelled on the ping(8) Unix command, but hping3 is not limited to ICMP echo requests: it can build arbitrary TCP, UDP, ICMP and raw-IP packets, which lets it reach hosts whose firewalls drop plain ICMP echo (for example by sending a TCP SYN to a port the firewall has to let through), and it has a traceroute mode. Sending raw packets requires root privileges.
hping3 172.16.0.7 (default mode: TCP packets with no flags set, sent to port 0; a live host answers with RST/ACK even if every port is closed, which is what makes this a live-host check)
hping3 --scan 1-30,70-90 -S sscoetjalgaon.ac.in (scan mode: one SYN to each port in the ranges 1-30 and 70-90; ports that answer SYN/ACK are listed as open)
While hping was mainly used as a security tool in the past, it can also be used by people who are not security-focused to test networks and hosts. Some of the things you can do with hping:
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
Firewall testing
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
References:
1. https://www.jigsawacademy.com/blogs/cyber-security/nmap-commands/
2. Network and Port Scanner: NMAP
Nmap, which stands for "Network Mapper," is an open source tool that lets you perform scans on local and remote networks. Nmap is very powerful when it comes to discovering network protocols, scanning open ports, detecting operating systems running on remote machines, etc. The tool is used by network administrators to inventory network devices, monitor remote host status, save the scan results for later use, and so on.
Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and so on.
Step 1 − To open, go to Applications → 01-Information Gathering → nmap or zenmap.
Step 2 − The next step is to detect the OS type/version of the target host. In Nmap's help, OS detection is the -O option; it needs root privileges (it sends raw packets) and works best when the target has at least one open and one closed TCP port for Nmap to compare responses against.
nmap -O 172.16.0.7
nmap -O sscoetjalgaon.ac.in
Step 3 − Next, scan the TCP ports. To scan all 65535 TCP ports with Nmap, use the following command:
nmap -p 1-65535 -T4 172.16.0.7
Here -p gives the port range to scan (1-65535 is every TCP port; -p- is the shorthand for the same range) and -T4 selects the "aggressive" timing template, which is fast on a reliable LAN but can miss ports on a slow or heavily filtered link. This command does not touch UDP at all; add -sU (much slower) to scan UDP ports.
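The two steps above combined into a script that I added for this report (it is not Nmap's own code and was not part of the lab sheet): a full TCP sweep saved with -oA, a parser for Nmap's grepable output, and a second, narrower pass that runs version and OS detection only on the ports found open. The grepable sample embedded in the script is constructed, not a real scan result; the file names are my choice, and both -sS and -O need root.

```sh
#!/bin/sh
# Two-phase Nmap workflow for the lab target (added example, not from the lab
# sheet or from Nmap): sweep every TCP port once, save all output formats, then
# run version and OS detection only on the ports that are open.
# -sS and -O need raw-packet privileges: run as root (sudo sh nmap_phases.sh 172.16.0.7).

# open_ports_from_gnmap GNMAP_TEXT -> one "port/proto" line per open port.
# Grepable output (-oG, or the .gnmap file from -oA) lists each port as
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
open_ports_from_gnmap() {
  printf '%s\n' "$1" \
    | grep 'Ports:' \
    | sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" { print $1 "/" $3 }'
}

# open_port_list GNMAP_TEXT -> "22,80", the form nmap -p expects
open_port_list() {
  open_ports_from_gnmap "$1" | cut -d/ -f1 \
    | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# scan_host HOST: phase 1 is the lab's "-p 1-65535 -T4" sweep (-p- is the
# shorthand) as a SYN scan; phase 2 fingerprints services and OS on the open
# ports only, which is faster and less noisy than -O/-sV against all 65535.
scan_host() {
  host=$1
  out="nmap_$host"               # produces $out.nmap, $out.xml and $out.gnmap
  nmap -sS -p- -T4 -oA "$out" "$host" || return 1
  ports=$(open_port_list "$(cat "$out.gnmap")")
  if [ -z "$ports" ]; then
    echo "no open TCP ports on $host"
    return 0
  fi
  nmap -sV -O -p "$ports" -oA "${out}_detail" "$host"
}

# Constructed sample in the -oG format (not real scan output) for offline use.
SAMPLE_GNMAP='Host: 172.16.0.7 ()   Status: Up
Host: 172.16.0.7 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///   Ignored State: filtered (65531)'

echo "open ports in sample: $(open_port_list "$SAMPLE_GNMAP")"   # 22,80
# The live scan only runs when a host is given on the command line and nmap exists.
if [ $# -ge 1 ] && command -v nmap >/dev/null 2>&1; then
  scan_host "$1"
fi
```

The parser keys on the state field of each port entry, so running phase 1 with --open or without it gives the same list; the version field is ignored, which avoids trouble with the occasional comma inside a version string.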
3. NMAP Stealth Scan
SYN scan is the default and most popular scan option for good reason. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do, and it allows clear, reliable differentiation between open, closed, and filtered states. It is the default only when Nmap has raw-packet privileges (root); otherwise Nmap falls back to a full TCP connect scan (-sT), which completes the handshake and is therefore visible to the application that accepted the connection.
The SYN scan is also known as a half-open scan because it never completes the TCP three-way handshake. The scanner sends a SYN packet to the target port. If a SYN/ACK comes back, the target would have completed the connection, so the port is listening (open); instead of the final ACK the scanner answers with an RST, so no connection is ever established. If an RST comes back, the port is closed. If nothing comes back after retransmission, or an ICMP unreachable error arrives instead, the port is reported as filtered.
nmap -sS 172.16.0.
nmap -sS -T4 sscoetjalgaon.ac.in
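A worked half-open probe that I added for this report (it is not from the lab sheet, hping3 or Nmap): it sends exactly one SYN per port with hping3, the tool from section 1, and classifies the reply the way a SYN scan does, including the case where nothing comes back at all. The reply lines used for the offline demonstration are constructed in hping3's output format; hping3 needs root to send raw packets.

```sh
#!/bin/sh
# Half-open (SYN) probe of individual ports with hping3 (added example, not from
# the lab sheet or from hping3/Nmap). Each port gets exactly one SYN and the
# reply is classified the way a SYN scan does. Sample replies are constructed;
# hping3 needs root to send raw packets.

# reply_flags HPING_OUTPUT -> TCP flags of the first reply line (SA, RA, ...),
# or an empty string when no TCP reply was received
reply_flags() {
  printf '%s\n' "$1" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1
}

# classify_reply FLAGS -> open | closed | filtered
classify_reply() {
  case "$1" in
    *S*A*) echo open ;;       # SYN/ACK: a listener would complete the handshake
    *R*)   echo closed ;;     # RST (hping3 shows RA): host reachable, nothing listening
    "")    echo filtered ;;   # no TCP reply (silent drop or ICMP unreachable): filtered
    *)     echo unknown ;;
  esac
}

# probe_port HOST PORT: one SYN (-S) to PORT (-p), one packet (-c 1), then classify.
# The kernel, not hping3, answers a SYN/ACK with an RST, so no connection is made.
probe_port() {
  raw=$(hping3 -S -p "$2" -c 1 "$1" 2>&1)
  echo "$1:$2 $(classify_reply "$(reply_flags "$raw")")"
}

# Constructed reply lines in hping3's output format (not captured from a real host).
SAMPLE_OPEN='HPING 172.16.0.7 (eth0 172.16.0.7): S set, 40 headers + 0 data bytes
len=46 ip=172.16.0.7 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms'
SAMPLE_CLOSED='len=46 ip=172.16.0.7 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms'
SAMPLE_NONE='HPING 172.16.0.7 (eth0 172.16.0.7): S set, 40 headers + 0 data bytes
--- 172.16.0.7 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

for s in "$SAMPLE_OPEN" "$SAMPLE_CLOSED" "$SAMPLE_NONE"; do
  echo "sample reply -> $(classify_reply "$(reply_flags "$s")")"   # open, closed, filtered
done

# Live use: sudo sh syn_probe.sh 172.16.0.7 22 80 443
if [ $# -ge 2 ] && command -v hping3 >/dev/null 2>&1; then
  host=$1; shift
  for p in "$@"; do probe_port "$host" "$p"; done
fi
```

hping3's own --scan mode (section 1) runs this loop internally and only prints the ports that answered SYN/ACK; nmap -sS adds retransmissions and ICMP error handling, which is why its filtered verdict is more reliable than a single unanswered SYN.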
4. DNS Analysis: dnsenum
Dnsenum is a tool for DNS enumeration, the process of locating all DNS servers and DNS entries for an organization. DNS enumeration lets us gather information about the organization such as host names, IP addresses, mail and name servers and, if a name server is misconfigured to allow zone transfers, the complete zone.
Dnsenum fetches the A, NS and MX records of a domain, attempts a zone transfer (AXFR) against each name server it finds, and can brute-force additional subdomains from a wordlist.
dnsenum sscoetjalgaon.ac.in
5. SSL Analysis: tlssled
TLSSLed is a Linux shell script that evaluates the security of a target SSL/TLS (HTTPS) web server implementation. Its purpose is to simplify the output of a couple of commonly used tools (sslscan and openssl s_client) and highlight the most relevant security findings. The current tests include whether the target supports the SSLv2 protocol, accepts the NULL cipher, accepts weak ciphers (40- or 56-bit keys), offers strong ciphers (such as AES), whether the certificate is MD5-signed, and the server's SSL/TLS renegotiation behaviour. To start testing, open a terminal and type tlssled <host> <port>, where the port is 443 for HTTPS:
tlssled sscoetjalgaon.ac.in 443
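The individual checks that TLSSLed bundles, reproduced directly with openssl s_client so that the raw evidence behind each finding is visible. This is an example I added for this report, not TLSSLed's own code. It goes slightly beyond the text by treating SHA-1 certificate signatures as weak alongside MD5, and it skips the SSLv2 probe because current OpenSSL builds cannot speak SSLv2 at all, so s_client would fail on the client side rather than tell us anything about the server. The s_client and x509 output fragments used for the offline demonstration are constructed.

```sh
#!/bin/sh
# The individual checks TLSSLed automates, done directly with openssl s_client
# (added example, not TLSSLed's code or from the lab sheet). Sample outputs are
# constructed. The SSLv2 probe is omitted: current OpenSSL builds cannot speak
# SSLv2, so s_client would fail on the client side rather than test the server.

# negotiated_cipher S_CLIENT_OUTPUT -> cipher name, or empty if no handshake.
# s_client prints "New, TLSv1.2, Cipher is <name>" on success and
# "New, (NONE), Cipher is (NONE)" when the server refused every offered cipher.
negotiated_cipher() {
  printf '%s\n' "$1" \
    | awk '/^New, .*, Cipher is / { sub(/.*Cipher is /, ""); if ($0 != "(NONE)") print; exit }'
}

# renegotiation S_CLIENT_OUTPUT -> secure | insecure | unknown (RFC 5746 support)
renegotiation() {
  case "$1" in
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    *)                                         echo unknown ;;
  esac
}

# cert_sig_alg X509_TEXT -> first "Signature Algorithm:" value from openssl x509 -text
cert_sig_alg() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# sig_alg_strength ALG -> weak for MD5 (the lab's check) and SHA-1 (also
# unsafe for signatures), ok otherwise
sig_alg_strength() {
  case "$1" in
    md5*|sha1*) echo weak ;;
    *)          echo ok ;;
  esac
}

# probe HOST PORT CIPHERLIST LABEL: offer only CIPHERLIST and see whether the
# server accepts it. -no_tls1_3 matters: -cipher does not affect TLS 1.3 suites,
# so without it a TLS 1.3 server would "accept" the NULL probe with an AEAD suite.
probe() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" -no_tls1_3 -cipher "$3" </dev/null 2>&1)
  cipher=$(negotiated_cipher "$out")
  if [ -n "$cipher" ]; then
    echo "$4: ACCEPTED ($cipher)"
  elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo "$4: rejected by server"
  else
    echo "$4: probe failed on the client side (cipher list unavailable in this OpenSSL?)"
  fi
}

tls_checks() {
  host=$1; port=${2:-443}
  probe "$host" "$port" 'NULL'       'NULL cipher (no encryption)'
  probe "$host" "$port" 'EXPORT:LOW' '40/56-bit ciphers'
  probe "$host" "$port" 'HIGH'       'strong ciphers'
  full=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
  echo "secure renegotiation: $(renegotiation "$full")"
  alg=$(cert_sig_alg "$(printf '%s\n' "$full" | openssl x509 -noout -text 2>/dev/null)")
  echo "certificate signature: ${alg:-unknown} ($(sig_alg_strength "$alg"))"
}

# Constructed s_client / x509 -text fragments for the offline demonstration.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported'
SAMPLE_REJECT='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'
SAMPLE_CERT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption'

echo "sample: cipher=$(negotiated_cipher "$SAMPLE_OK") reneg=$(renegotiation "$SAMPLE_OK")"
echo "sample: signature=$(cert_sig_alg "$SAMPLE_CERT") -> $(sig_alg_strength "$(cert_sig_alg "$SAMPLE_CERT")")"
# Live use: sh tls_checks.sh sscoetjalgaon.ac.in 443
if [ $# -ge 1 ] && command -v openssl >/dev/null 2>&1; then
  tls_checks "$1" "${2:-443}"
fi
```

The three probe outcomes are kept apart on purpose: "rejected by server" is the finding you want, while "probe failed on the client side" means the local OpenSSL refused to build the cipher list (EXPORT and NULL suites are disabled in many current builds), which says nothing about the server and is exactly the kind of false negative a wrapper script can hide.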
6. Dmitry
DMitry (Deepmagic Information Gathering Tool) is a UNIX/Linux command-line application written in C that gathers as much information as possible about a host. Its base functionality can collect possible subdomains, e-mail addresses, uptime information, a TCP port scan, whois lookups, and more.
The -w option performs a whois lookup on the domain name of a host (-i does the same for an IP address). Searching for possible subdomains is a separate option, -s, and is not done by -w on its own.
dmitry -w sscoetjalgaon.ac.in
The following is a list of the current features:
Retrieve possible uptime data, system and server data.
Perform an E-Mail address search on a target host.
Perform a TCP Portscan on the host target.
7. p0f:
p0f is a tool that uses an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the parties behind any incidental TCP/IP communication without interfering in any way. Because it only listens and never sends probes, it can identify the operating system of a host simply by examining captured packets, even when that host sits behind a packet firewall that would drop an active scan. Type the command p0f -i eth0 -p -o filename, where -i is the interface to listen on (as shown above), -p puts that interface into promiscuous mode so that traffic not addressed to this machine is captured as well, and -o writes the results to the named log file. Then open a web page at http://172.16.0.7 from this machine. In the results you can see p0f's guess for the web server software (Apache and its version, taken from the HTTP response) and for the operating system (taken from the TCP SYN/ACK).
p0f -i eth0 -p -o abc
References:
1. https://tools.kali.org/information-gathering/p0f
2. https://www.tutorialspoint.com/kali_linux/index.html