Name:- Patil Bhumi Sanjay
Class:- B.E. (A)
Subject:- Cyber Security Lab
Roll No:- 75
Aim: Study of Information Gathering Tools in Kali Linux
Live host identification: Hping3
Hping3 is a command-line packet crafter that works like ping but is far more flexible: it can send TCP, UDP, ICMP and raw-IP packets with any flags, ports, source address and payload, so it can still draw a reply from a host whose firewall silently drops plain ICMP echo requests. It also has a traceroute mode (-T).
hping3 172.16.0.7                                  (default mode: TCP to port 0 with no flags set; a live host answers with RST)
hping3 --scan 1-30,70-90 -S sscoetjalgaon.ac.in    (SYN scan of the listed port ranges)
hping3 -1 10.0.0.25                                (ICMP echo mode)
hping3 -A 10.0.0.25 -p 80                          (ACK probe to port 80)
hping3 -2 10.0.0.25 -p 80                          (UDP mode to port 80)
hping3 192.168.1.103 -Q -p 139 -s                  (print the TCP sequence numbers seen in the replies)
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp       (SYN with the TCP timestamp option, for uptime guessing)
hping3 -8 50-60 -S 10.0.0.25 -V                    (scan mode over ports 50-60, SYN flag, verbose output)
hping3 -F -P -U 10.0.0.25 -p 80                    (FIN+PSH+URG set, an Xmas-style probe)
hping3 -1 10.0.1.x --rand-dest -I eth0             (ICMP echo to random hosts in 10.0.1.0/24 via eth0)
hping3 -9 HTTP -I eth0                             (listen mode: dump packets on eth0 that contain the string "HTTP")
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood   (SYN flood from a spoofed source; this is a denial-of-service test, not reconnaissance)
hping3 -c 3 10.10.10.10                            (stop after 3 packets)
--rand-source                                      (use a different random source address for every packet)
--data <size>                                      (set the data payload size in bytes)
Spoof the source address with -a or its long form --spoof. Replies go to the spoofed address, so the sender will not see them unless it can sniff that traffic:
hping3 -S <IP address attacked> -a <spoofed IP address>
or
hping3 -S <IP address attacked> --spoof <spoofed IP address>
hping3 <Target IP> -Q -p 139 -s
With -Q (--seqnum), hping3 prints the TCP sequence numbers in the target's replies, which shows how predictable its initial sequence numbers are.
hping3 -A <Target IP> -p 80
An ACK probe checks whether a host is alive. A host that receives an unsolicited ACK replies with RST whether the port is open or closed, so an RST means the host is up and the port is not filtered, while no reply means a stateful firewall dropped the probe. It says nothing about whether the port is open.
hping3 -S <Target IP> -p 80 --tcp-timestamp
With --tcp-timestamp, hping3 sets the TCP timestamp option in its SYNs, reads the timestamps in the replies, and from their update rate estimates the target's uptime.
hping3 -F -P -U 10.0.0.25 -p 80
This sends a probe with FIN, PSH and URG set (an Xmas-style scan) to port 80. An RFC-compliant stack answers RST for a closed port and stays silent for an open one; Windows replies RST either way, so the technique does not work against it.
hping3 --scan 1-3000 -S 10.10.10.10
Here --scan gives the port range to scan and -S sets the SYN flag, so this is a SYN scan of ports 1-3000.
hping3 10.10.10.10 --udp --rand-source --data 500
UDP packet crafting: each packet is UDP with a 500-byte payload to the default port 0, sent from a fresh random source address.
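As an added example (not from the original page and not hping3's own code), the following Python builds the raw IPv4/TCP/UDP packets that the hping3 options above describe, so the flag bits, spoofed source and payload are visible rather than hidden behind the tool. The source address 10.0.0.5 and source port 40000 are placeholders, and send_raw() is only there to show the raw-socket hand-off: it needs root, exactly like hping3, and is not called by default.

```python
"""Build the raw IPv4/TCP/UDP packets behind hping3 -S / -A / -F -P -U / -2 / -a / --rand-source / --data."""
import random
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (used by IPv4, TCP and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP prepend when checksumming."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, proto, length)


def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0, window=512, payload=b""):
    """TCP header without options, plus payload; flags is an OR of FIN/SYN/RST/PSH/ACK/URG."""
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src, dst, socket.IPPROTO_TCP, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_udp(src, dst, sport, dport, payload=b""):
    """UDP header plus payload (what hping3 -2/--udp sends); a computed checksum of 0 is sent as 0xFFFF."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(pseudo_header(src, dst, socket.IPPROTO_UDP, length) + hdr + payload)
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload


def build_ipv4(src, dst, transport, proto, ttl=64, ident=0x1234):
    """IPv4 header in front of a transport segment. src is whatever we write here,
    which is all that -a/--spoof and --rand-source do."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + transport


def random_source() -> str:
    """--rand-source: a fresh random IPv4 source for every packet."""
    return "%d.%d.%d.%d" % tuple(random.randrange(1, 255) for _ in range(4))


def craft(dst, dport, flags=None, src="10.0.0.5", sport=40000, data=0, udp=False):
    """Mirror of: hping3 <dst> -p <dport> [-S|-A|-F -P -U|-2] [-a <src>] [--data <n>].
    flags=None with udp=False gives hping3's default: a TCP packet with no flags set.
    src/sport defaults are placeholders for this demo."""
    payload = b"X" * data  # --data only fixes the size; the bytes themselves are arbitrary
    if udp:
        seg, proto = build_udp(src, dst, sport, dport, payload), socket.IPPROTO_UDP
    else:
        seg, proto = build_tcp(src, dst, sport, dport, flags or 0, payload=payload), socket.IPPROTO_TCP
    return build_ipv4(src, dst, seg, proto)


def verify(pkt: bytes):
    """Decode a crafted packet: (ip checksum ok, transport checksum ok, tcp flags or None, source address)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, seg = pkt[9], pkt[ihl:]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    ip_ok = checksum(pkt[:ihl]) == 0                      # a valid header sums to zero
    seg_ok = checksum(pseudo_header(src, dst, proto, len(seg)) + seg) == 0
    flags = seg[13] if proto == socket.IPPROTO_TCP else None
    return ip_ok, seg_ok, flags, src


def send_raw(pkt: bytes, dst: str) -> None:
    """Hand the finished packet to the kernel untouched; needs root, exactly like hping3."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    examples = {
        "hping3 -S 10.0.0.25 -p 80": craft("10.0.0.25", 80, SYN),
        "hping3 -A 10.0.0.25 -p 80": craft("10.0.0.25", 80, ACK),
        "hping3 -F -P -U 10.0.0.25 -p 80": craft("10.0.0.25", 80, FIN | PSH | URG),
        "hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22": craft("192.168.1.1", 22, SYN, src="192.168.1.254"),
        "hping3 10.10.10.10 --udp --rand-source --data 500": craft("10.10.10.10", 0, src=random_source(), data=500, udp=True),
    }
    for cmd, pkt in examples.items():
        print("%-52s %4d bytes  %s" % (cmd, len(pkt), verify(pkt)))
```

The verify() step is the check worth keeping: a packet whose IP or TCP checksum is wrong is dropped silently by the target, which looks exactly like a filtered port, so confirming the checksums before blaming a firewall saves a lot of confusion.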
Network and Port Scanner: NMAP
NMAP uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, etc.
Step 1 − To open, go to Applications → 01-Information Gathering → nmap (or zenmap, its GUI), or simply type nmap in a terminal.
Step 2 − Detect the OS type/version of the target host. As the help output shows, OS detection is enabled with the -O option. It needs root, because it relies on raw-packet probes, and it gives a reliable guess only when the target has at least one open and one closed TCP port.
nmap -O 172.16.0.7
nmap -O sscoetjalgaon.ac.in
Step 3 − Scan the TCP ports. To scan all 65535 TCP ports, use the following command −
nmap -p 1-65535 -T4 172.16.0.7
Here -p gives the port range to scan (1-65535 is every TCP port; -p- is the shorthand) and -T4 selects the "aggressive" timing template, which is faster but noisier and more likely to trip rate-based detection. UDP ports are not covered by this command; they need a separate -sU scan, which is much slower.
NMAP Stealth Scan
The SYN scan (-sS) is called a stealth or half-open scan because it never completes the TCP three-way handshake. Nmap sends a SYN to each port: a SYN/ACK back means the port is listening (open), and nmap answers with RST instead of ACK so the application never sees a completed connection; an RST back means the port is closed; no reply, or an ICMP unreachable, means a firewall is filtering it. It needs root for raw sockets, and "stealth" only means the service does not log a connection; the SYNs are still plainly visible to an IDS.
nmap -sS 172.16.0.7
nmap -sS -T4 sscoetjalgaon.ac.in
DNS Analysis: dnsenum
Dnsenum enumerates a domain's DNS: it collects the A, NS and MX records, attempts a zone transfer (AXFR) against each name server, and can brute-force subdomains from a wordlist.
dnsenum sscoetjalgaon.ac.in
SSL Analysis: tlssled
TLSSLed is a Linux shell script, built on sslscan and openssl, used to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. Its tests include checking whether the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), whether the digital certificate is MD5-signed, and the current SSL/TLS renegotiation behaviour.
To start testing, open a terminal and type tlssled <host> <port>. It will test the certificate and cipher suites of the server; for HTTPS the port is 443.
tlssled sscoetjalgaon.ac.in 443
Dmitry:
Dmitry (Deepmagic Information Gathering Tool) collects whois, Netcraft, subdomain and e-mail information about a host. The -w option performs a whois lookup on the domain name; -i does the same for the IP address, and -s searches for possible subdomains.
dmitry -w sscoetjalgaon.ac.in
p0f:
p0f is a passive OS fingerprinting tool: it identifies the operating system of a host by examining captured packets (chiefly the TTL, window size and TCP options of SYN and SYN/ACK segments) without sending anything to it, so it also works on hosts behind a packet-filtering firewall that would drop nmap's active probes.
Type the command: p0f -i eth0 -p -o filename
Here -i names the interface to listen on, -p puts that interface in promiscuous mode, and -o writes the results to a file as well as the screen.
Then generate some traffic to fingerprint, for example by opening http://172.16.0.7 in a browser.
From the results, you can observe the OS guess for the web server and, from its HTTP reply, the server software (for example, the Apache version).
p0f -i eth0 -p -o abc