3. STUDY OF INFORMATION GATHERING TOOLS IN KALI LINUX

Live host identification: Hping3

hping is a command-line oriented TCP/IP packet assembler/analyzer. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. A subset of the stuff you can do using hping:

• Firewall testing

• Advanced port scanning

• Network testing, using different protocols, TOS, fragmentation

• Manual path MTU discovery

• Advanced traceroute, under all the supported protocols

• Remote OS fingerprinting

• Remote uptime guessing

• TCP/IP stacks auditing

• hping can also be useful to students that are learning TCP/IP.

usage: hping3 host [options]

  -h  --help      show this help

  -v  --version   show version

  -c  --count     packet count

  -i  --interval  wait (uX for X microseconds, for example -i u1000)

      --fast      alias for -i u10000 (10 packets for second)

      --faster    alias for -i u1000 (100 packets for second)

      --flood      sent packets as fast as possible. Don't show replies.

  -n  --numeric   numeric output

  -q  --quiet     quiet

  -I  --interface interface name (otherwise default routing interface)

  -V  --verbose   verbose mode

  -D  --debug     debugging info

  -z  --bind      bind ctrl+z to ttl           (default to dst port)

  -Z  --unbind    unbind ctrl+z

      --beep      beep for every matching packet received

Mode

  default mode     TCP

  -0  --rawip      RAW IP mode

  -1  --icmp       ICMP mode

  -2  --udp        UDP mode

  -8  --scan       SCAN mode.

                   Example: hping --scan 1-30,70-90 -S www.target.host

  -9  --listen     listen mode

IP

  -a  --spoof      spoof source address

  --rand-dest      random destionation address mode. see the man.

  --rand-source    random source address mode. see the man.

  -t  --ttl        ttl (default 64)

  -N  --id         id (default random)

  -W  --winid      use win* id byte ordering

  -r  --rel        relativize id field          (to estimate host traffic)

  -f  --frag       split packets in more frag.  (may pass weak acl)

  -x  --morefrag   set more fragments flag

  -y  --dontfrag   set don't fragment flag

  -g  --fragoff    set the fragment offset

  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu

  -o  --tos        type of service (default 0x00), try --tos help

  -G  --rroute     includes RECORD_ROUTE option and display the route buffer

  --lsrr           loose source routing and record route

  --ssrr           strict source routing and record route

  -H  --ipproto    set the IP protocol field, only in RAW IP mode

ICMP

  -C  --icmptype   icmp type (default echo request)

  -K  --icmpcode   icmp code (default 0)

      --force-icmp send all icmp types (default send only supported types)

      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)

      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)

      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)

      --icmp-help  display help for others icmp options

UDP/TCP

  -s  --baseport   base source port             (default random)

  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec

  -k  --keep       keep still source port

  -w  --win        winsize (default 64)

  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)

  -Q  --seqnum     shows only tcp sequence number

  -b  --badcksum   (try to) send packets with a bad IP checksum

                   many systems will fix the IP checksum sending the packet

                   so you'll get bad UDP/TCP checksum instead.

  -M  --setseq     set TCP sequence number

  -L  --setack     set TCP ack

  -F  --fin        set FIN flag

  -S  --syn        set SYN flag

  -R  --rst        set RST flag

  -P  --push       set PUSH flag

  -A  --ack        set ACK flag

  -U  --urg        set URG flag

  -X  --xmas       set X unused flag (0x40)

  -Y  --ymas       set Y unused flag (0x80)

  --tcpexitcode    use last tcp->th_flags as exit code

  --tcp-mss        enable the TCP MSS option with the given value

  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime

Common

  -d  --data       data size                    (default is 0)

  -E  --file       data from file

  -e  --sign       add 'signature'

  -j  --dump       dump packets in hex

  -J  --print      dump printable characters

  -B  --safe       enable 'safe' protocol

  -u  --end        tell you when --file reached EOF and prevent rewind

  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)

  --tr-stop        Exit when receive the first not ICMP in traceroute mode

  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop

  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode

ARS packet description (new, unstable)

  --apd-send       Send the packet described with APD (see docs/APD.txt)

Outputs:

$ hping3 sscoetjalgaon.ac.in

$ hping3 --scan 1-30,70-90 -S sscoetjalgaon.ac.in 

Network and Port Scanner: NMAP

Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

  -iL : Input from list of hosts/networks

  -iR : Choose random targets

  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  --excludefile : Exclude list from file

HOST DISCOVERY:

  -sL: List Scan - simply list targets to scan

  -sn: Ping Scan - disable port scan

  -Pn: Treat all hosts as online -- skip host discovery

  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  -PO[protocol list]: IP Protocol Ping

  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

  --system-dns: Use OS's DNS resolver

  --traceroute: Trace hop path to each host

SCAN TECHNIQUES:

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  -sU: UDP Scan

  -sN/sF/sX: TCP Null, FIN, and Xmas scans

  --scanflags : Customize TCP scan flags

  -sI : Idle scan

  -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  -sO: IP protocol scan

  -b : FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

  -p : Only scan specified ports

    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

  --exclude-ports : Exclude the specified ports from scanning

  -F: Fast mode - Scan fewer ports than the default scan

  -r: Scan ports consecutively - don't randomize

  --top-ports : Scan  most common ports

  --port-ratio : Scan ports more common than 

SERVICE/VERSION DETECTION:

  -sV: Probe open ports to determine service/version info

  --version-intensity : Set from 0 (light) to 9 (try all probes)

  --version-light: Limit to most likely probes (intensity 2)

  --version-all: Try every single probe (intensity 9)

  --version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

  -sC: equivalent to --script=default

  --script=:  is a comma separated list of

           directories, script-files or script-categories

  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

  --script-args-file=filename: provide NSE script args in a file

  --script-trace: Show all data sent and received

  --script-updatedb: Update the script database.

  --script-help=: Show help about scripts.

            is a comma-separated list of script-files or

           script-categories.

OS DETECTION:

  -O: Enable OS detection

  --osscan-limit: Limit OS detection to promising targets

  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

  Options which take are in seconds, or append 'ms' (milliseconds),

  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

  -T<0-5>: Set timing template (higher is faster)

  --min-hostgroup/max-hostgroup : Parallel host scan group sizes

  --min-parallelism/max-parallelism : Probe parallelization

  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies

      probe round trip time.

  --max-retries : Caps number of port scan probe retransmissions.

  --host-timeout : Give up on target after this long

  --scan-delay/--max-scan-delay : Adjust delay between probes

  --min-rate : Send packets no slower than  per second

  --max-rate : Send packets no faster than  per second

FIREWALL/IDS EVASION AND SPOOFING:

  -f; --mtu : fragment packets (optionally w/given MTU)

  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

  -S : Spoof source address

  -e : Use specified interface

  -g/--source-port : Use given port number

  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies

  --data : Append a custom payload to sent packets

  --data-string : Append a custom ASCII string to sent packets

  --data-length : Append random data to sent packets

  --ip-options: Send packets with specified ip options

  --ttl : Set IP time-to-live field

  --spoof-mac : Spoof your MAC address

  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

  -oN/-oX/-oS/-oG : Output scan in normal, XML, s|     and Grepable format, respectively, to the given filename.

  -oA : Output in the three major formats at once

  -v: Increase verbosity level (use -vv or more for greater effect)

  -d: Increase debugging level (use -dd or more for greater effect)

  --reason: Display the reason a port is in a particular state

  --open: Only show open (or possibly open) ports

  --packet-trace: Show all packets sent and received

  --iflist: Print host interfaces and routes (for debugging)

  --append-output: Append to rather than clobber specified output files

  --resume : Resume an aborted scan

  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

  --webxml: Reference stylesheet from Nmap.Org for more portable XML

  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

  -6: Enable IPv6 scanning

  -A: Enable OS detection, version detection, script scanning, and traceroute

  --datadir : Specify custom Nmap data file location

  --send-eth/--send-ip: Send using raw ethernet frames or IP packets

  --privileged: Assume that the user is fully privileged

  --unprivileged: Assume the user lacks raw socket privileges

  -V: Print version number

  -h: Print this help summary page.

EXAMPLES:

  nmap -v -A scanme.nmap.org

  nmap -v -sn 192.168.0.0/16 10.0.0.0/8

  nmap -v -iR 10000 -Pn -p 80

Outputs:

$ nmap -O sscoetjalgaon.ac.in

$ nmap -p 1-500 -T 4 sscoetjalgaon.ac.in

NMAP Stealth Scan

    Stealth scan or SYN is also known as half-open scan, as it doesn’t complete the TCP three way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it’s assumed the target would complete the connect and the port is listening. If an RST is received back from the target, then it is assumed the port isn’t active or is closed.

Output:

$ nmap -sS -T 4 sscoetjalgaon.ac.in

DNS Analysis: dnsenum

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

OPERATIONS:

• Get the host’s addresse (A record).

• Get the namservers (threaded).

• Get the MX record (threaded).

• Perform axfr queries on nameservers and get BIND VERSION (threaded).

• Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).

• Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).

• Calculate C class domain network ranges and perform whois queries on them (threaded).

• Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).

• Write to domain_ips.txt file ip-blocks.

Usage: dnsenum [Options]

[Options]:

Note: the brute force -f switch is obligatory.

GENERAL OPTIONS:

  --dnsserver  

            Use this DNS server for A, NS and MX queries.

  --enum        Shortcut option equivalent to --threads 5 -s 15 -w.

  -h, --help        Print this help message.

  --noreverse       Skip the reverse lookup operations.

  --nocolor     Disable ANSIColor output.

  --private     Show and save private ips at the end of the file domain_ips.txt.

  --subfile   Write all valid subdomains to this file.

  -t, --timeout  The tcp and udp timeout values in seconds (default: 10s).

  --threads  The number of threads that will perform different queries.

  -v, --verbose     Be verbose: show all the progress and all the error messages.

GOOGLE SCRAPING OPTIONS:

  -p, --pages    The number of google search pages to process when scraping names,

            the default is 5 pages, the -s switch must be specified.

  -s, --scrap    The maximum number of subdomains that will be scraped from Google (default 15).

BRUTE FORCE OPTIONS:

  -f, --file  Read subdomains from this file to perform brute force.

  -u, --update  <a|g|r|z>

            Update the file specified with the -f switch with valid subdomains.

    a (all)     Update using all results.

    g       Update using only google scraping results.

    r       Update using only reverse lookup results.

    z       Update using only zonetransfer results.

  -r, --recursion   Recursion on subdomains, brute force all discovred subdomains that have an NS record.

WHOIS NETRANGE OPTIONS:

  -d, --delay    The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.

  -w, --whois       Perform the whois queries on c class network ranges.

             **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.

REVERSE LOOKUP OPTIONS:

  -e, --exclude

            Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.

OUTPUT OPTIONS:

  -o --output     Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Output:

$ dnsenum sscoetjalgaon.ac.in

SSL Analysis: tlssled

TLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.

root@kali:~# tlssled

------------------------------------------------------

 TLSSLed - (1.3) based on sslscan and openssl

                 by Raul Siles (www.taddong.com)

------------------------------------------------------

    openssl version: OpenSSL 1.0.1e 11 Feb 2013

    sslscan version 1.8.2

------------------------------------------------------

    Date: 20140520-110731

------------------------------------------------------

[!] Usage: /usr/bin/tlssled

To start testing, open a terminal and type “tlss le d URL port“. It will start to test the
certificate to find data, where the port is 443.

Output:

$ tlssled sscoetjalgaon.ac.in 443

Dmitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.

The following is a list of the current features:

• An Open Source Project.

• Perform an Internet Number whois lookup.

• Retrieve possible uptime data, system and server data.

• Perform a SubDomain search on a target host.

• Perform an E-Mail address search on a target host.

• Perform a TCP Portscan on the host target.

• A Modular program allowing user specified modules

Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host

-o Save output to %host.txt or to file specified by -o file

-i Perform a whois lookup on the IP address of a host

-w Perform a whois lookup on the domain name of a host

-n Retrieve Netcraft.com information on a host

-s Perform a search for possible subdomains

-e Perform a search for possible email addresses

-p Perform a TCP port scan on a host

* -f Perform a TCP port scan on a host showing output reporting filtered ports

* -b Read in the banner received from the scanned port

* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )

*Requires the -p flagged to be passed

Output:

$ dmitry -w sscoetjalgaon.ac.in

P0f Package Description

P0f Package Description is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Some of p0f’s capabilities include:

• Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.

• Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.

• Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

• Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface  – listen on the specified network interface
  -r file   – read offline pcap data from a given file
  -p        – put the listening interface in promiscuous mode
  -L        – list all available interfaces

Operating mode and output settings:

  -f file   – read fingerprint database from ‘file’ (/etc/p0f/p0f.fp)
  -o file   – write information to the specified log file
  -s name   – answer to API queries at a named unix socket
  -u user   – switch to the specified unprivileged account and chroot
  -d        – fork into background (requires -o or -s)

Performance-related options:

  -S limit  – limit number of parallel API connections (20)
  -t c,h    – set connection / host cache age limits (30s,120m)
  -m c,h    – cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command
line to prevent p0f from looking at incidental network traffic.

Output:

Where the parameter “-i” is the interface name as shown above. “-p” means it is in
promiscuous mode. “-o” means the output will be saved in a file.
Open a webpage with the address “google.com“
From the results, you can observe that the Webserver is using apache version and the OS.

$ p0f –i eth0 –p -o output