Practical 3

Name : Premsagar Manoj Pawar

Subject : Cyber Security Lab

Class : BE Computer

Section : B

Roll No : 30

Aim: Study of Information Gathering Tools in Kali Linux

Live host identification:

Hping3

hping3 is a command-line packet crafter that resembles ping but is far more flexible: it builds TCP, UDP, ICMP and raw-IP packets with whatever flags, ports and payloads you choose. Because it is not limited to ICMP echo, it can probe hosts that a firewall hides from plain ping, for example with TCP SYN or ACK packets. It also has a traceroute mode. It needs raw sockets, so run it as root (or with sudo). Examples:

hping3 172.16.0.7

hping3 --scan 1-30,70-90 -S sscoetjalgaon.ac.in

hping commands for scanning methods

ICMP ping

hping3 -1 10.0.0.25

Hping performs an ICMP ping when given the argument -1 (or --icmp) on the command line. The command above sends an ICMP echo request to 10.0.0.25 and expects an ICMP echo reply, the same exchange a ping utility performs. A host that filters ICMP gives no reply even though it is up, which is why the TCP-based probes below exist.

ACK scan on port 80

hping3 -A 10.0.0.25 -p 80

The argument -A sets the ACK flag in the probe packets. You use an ACK scan when a host does not respond to a ping request. A host that is up and not behind a filter answers an unsolicited ACK with an RST whether port 80 is open or closed, so a reply proves that the host is alive and the port is unfiltered, but says nothing about whether the port is open. No reply means the packet was dropped, typically by a stateful firewall that only admits packets belonging to an established connection.

UDP scan on port 80

hping3 -2 10.0.0.25 -p 80

Hping uses TCP as its default protocol. The argument -2 (or --udp) puts Hping in UDP mode. The command above sends UDP datagrams to port 80 on the host 10.0.0.25. A closed port answers with an ICMP port unreachable message; silence means the port is either open or filtered, because an open UDP service is not obliged to answer an empty datagram and a firewall may simply drop the probe.

Collecting Initial Sequence Number

hping3 192.168.1.103 -Q -p 139 -s

The argument -Q (--seqnum) makes Hping print the TCP sequence number carried by each reply from the target host (192.168.1.103), so that you can judge how predictable its initial sequence numbers (ISNs) are; predictable ISNs make blind spoofing and session hijacking easier. Note that without a flag option the probe carries no TCP flags and an open port will not answer it, so add -S to receive SYN/ACK replies that contain the target's freshly generated ISN.

Firewalls and Time Stamps

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Many firewalls drop TCP packets that do not carry the TCP timestamp option. Adding --tcp-timestamp makes Hping include that option in its probes; from the timestamp values in the replies it estimates the timestamp update frequency and, from that, the uptime of the target host (72.14.207.99). The -S flag is what makes the host reply at all.

SYN scan on port 50-60

hping3 -8 50-60 -S 10.0.0.25 -V

The argument -8 (or --scan) puts Hping in scan mode, which probes a range of ports on the target host. Adding -S sets the SYN flag, so the command above performs a SYN scan on ports 50-60 of 10.0.0.25; -V prints verbose output. Ports that answer SYN/ACK are reported as open, ports that answer RST as closed, and ports that do not answer are reported as not responding.

FIN, PUSH and URG scan on port 80

hping3 -F -P -U 10.0.0.25 -p 80

The arguments -F, -P and -U set the FIN, PUSH and URG flags in the probe packets, so the command performs a FIN/PUSH/URG (Xmas-style) scan of port 80 on the target host (10.0.0.25). On a TCP stack that follows RFC 793, an open port stays silent and a closed port answers with an RST; a port that stays silent may therefore be either open or filtered. Windows and several other stacks send an RST for every port regardless of state, so against those targets this scan reveals nothing about port state.

Scan entire subnet for live host

hping3 -1 10.0.1.x --rand-dest -I eth0

With this command Hping performs an ICMP ping sweep of the subnet 10.0.1.0/24: --rand-dest replaces the x in the address with a random octet for every probe, so echo requests go out through interface eth0 to random hosts in the range 10.0.1.0 to 10.0.1.255. Hosts that are up and not filtering ICMP answer with an echo reply. Because the destinations are random rather than sequential, add -c with a count well above 256 if you want every address to have been probed. ICMP has no notion of ports, so the -p option plays no role here.
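The scan types above differ mainly in how a reply, or its absence, must be read. The shell script below is added here as an illustration and is not part of the lab page: it builds the matching hping3 command for each scan type and maps a single reply line, or no reply, to a port state according to the rules described above. The reply lines quoted in the comments and in the usage are constructed in hping3's output format, and the target address 10.0.0.25 is the page's example host. The script only invokes hping3 when the tool is installed and the script runs as root; otherwise it prints the command it would have run.

```shell
#!/bin/sh
# Added example (not from the lab page): build hping3 probes per scan type and
# interpret the reply line hping3 prints.
# hping3 prints one line per reply, for example (constructed sample):
#   len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
# and for a UDP probe to a closed port (constructed sample):
#   ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN
# No line within the timeout means no reply; pass an empty string for that case.

# Print the hping3 command for scan type syn|ack|fin|udp, one probe (-c 1).
hping_cmd() {
  scan=$1; host=$2; port=$3
  case "$scan" in
    syn) echo "hping3 -S -p $port -c 1 $host" ;;
    ack) echo "hping3 -A -p $port -c 1 $host" ;;
    fin) echo "hping3 -F -P -U -p $port -c 1 $host" ;;
    udp) echo "hping3 -2 -p $port -c 1 $host" ;;
    *)   echo "unknown scan type: $scan" >&2; return 1 ;;
  esac
}

# Map one reply line (or "" for no reply) to a port state for the given scan type.
interpret() {
  scan=$1; line=$2
  flags=$(printf '%s\n' "$line" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p')
  case "$scan" in
    syn)
      case "$flags" in
        *S*A*) echo open ;;          # SYN/ACK: a listener accepted the SYN
        *R*)   echo closed ;;        # RST: host up, nothing listening
        *)     echo filtered ;;      # silence: dropped by a filter
      esac ;;
    ack)
      # An unsolicited ACK draws an RST from open and closed ports alike, so the
      # only thing an ACK scan proves is that the host is up and the port unfiltered.
      case "$flags" in
        *R*) echo unfiltered ;;
        *)   echo filtered ;;
      esac ;;
    fin)
      case "$flags" in
        *R*) echo closed ;;
        *)   echo "open|filtered" ;; # RFC 793 stacks stay silent on open ports
      esac ;;
    udp)
      case "$line" in
        *"ICMP Port Unreachable"*) echo closed ;;
        *ICMP*)                    echo filtered ;;       # other unreachable codes
        *)                         echo "open|filtered" ;; # no reply is ambiguous
      esac ;;
    *) echo "unknown scan type: $scan" >&2; return 1 ;;
  esac
}

# Run a probe for real only when hping3 is installed and we are root; otherwise
# just show the command. The reply is the first line containing "flags=" or "ICMP".
probe() {
  cmd=$(hping_cmd "$1" "$2" "$3") || return 1
  if command -v hping3 >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    reply=$($cmd 2>/dev/null | grep -m1 -E 'flags=|ICMP' || true)
    interpret "$1" "$reply"
  else
    echo "would run: $cmd"
  fi
}

# Usage: probe ack 10.0.0.25 80
```

Calling interpret directly with a captured line is the useful part when reviewing someone else's hping3 output: for example, interpret ack with a flags=R line yields "unfiltered", not "open", which is the distinction the ACK-scan description above glosses over.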

Intercept all traffic containing HTTP signature

hping3 -9 HTTP -I eth0

The argument -9 (--listen) puts Hping in listen mode: it sniffs packets on interface eth0 and, for every packet whose payload contains the given signature (here the string HTTP), prints the data from the end of the signature to the end of the packet. For example, if Hping reads a packet containing 234-09sdflkjs45-HTTPhello_world, it displays hello_world. No port is involved; the match is on packet contents, which is what makes this mode usable as a crude covert channel receiver.

SYN flooding a victim

hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

This is a TCP SYN flood: --flood sends SYN packets to port 22 of 192.168.1.1 as fast as possible without waiting for replies, and -a forges the source address 192.168.1.254. Each SYN leaves a half-open connection in the victim's backlog while the SYN/ACKs go to the spoofed address, which is how the denial of service works; because the source is spoofed, the attacker never sees any reply.

Determine number of pings

hping3 -c 3 10.10.10.10

Here, -c 3 means that only three packets are sent to the target machine; without -c, Hping keeps sending until interrupted.

Use random source address

hping3 --rand-source <Target IP>

Set data size

hping3 --data <size> <Target IP>

--data <size> sets the payload size in bytes.

Spoof source address

hping3 -S <IP address attacked> -a <spoofed IP address>

or

hping3 -S <IP address attacked> --spoof <spoofed IP address>

Examples

hping3 <Target IP> -Q -p 139 -s

With -Q, Hping prints the TCP sequence number of every reply from the target host, which lets you assess how predictable its ISNs are (add -S so that the target replies with SYN/ACK).

hping3 -A <Target IP> -p 80

This command checks whether a host is alive: a live host that is not behind a filter answers the unsolicited ACK with an RST whether port 80 is open or closed, so a reply proves the host is up and the port unfiltered, not that the port is open.

hping3 -S <Target IP> -p 80 --tcp-timestamp

Adding --tcp-timestamp makes Hping include the TCP timestamp option in its probes and use the replies to estimate the timestamp update frequency and uptime of the target host.

hping3 -F -P -U 10.0.0.25 -p 80

With this command an attacker performs a FIN/PUSH/URG scan of port 80 on the target host: on an RFC 793 stack an RST means the port is closed and silence means open or filtered.

hping3 --scan 1-3000 -S 10.10.10.10

Here --scan gives the port range to scan and -S sets the SYN flag, so this is a SYN scan of ports 1-3000 on 10.10.10.10.

hping3 10.10.10.10 --udp --rand-source --data 500

Crafts UDP datagrams to 10.10.10.10 with a different random, forged source address on each packet and a 500-byte payload. Any replies go to the spoofed sources, so this is a traffic-generation example, not a scan.

Network and Port Scanner:

Nmap

Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and so on.

Step 1 − To open, go to Applications → 01-Information Gathering → nmap or zenmap.

Step 2 − Detect the OS type/version of the target host. As Nmap's help shows, the option for OS detection is -O; it needs root privileges because it sends raw probes.

nmap -O 172.16.0.7

nmap -O sscoetjalgaon.ac.in

Step 3 − Scan the TCP and UDP ports. To scan all TCP ports with Nmap, use the following command:

nmap -p 1-65535 -T4 172.16.0.7

Here -p gives the port range to scan (1-65535, that is every TCP port; -p- is the shorthand) and -T4 selects the "aggressive" timing template, which speeds up the scan on fast, reliable networks. UDP ports need a separate scan with -sU, which is much slower because closed UDP ports are recognised only by ICMP unreachable messages that most hosts rate-limit.

References:

1. https://www.jigsawacademy.com/blogs/cyber-security/nmap-commands/

2. https://www.youtube.com/watch?v=5Q1wFDS3iOo

3. https://www.tutorialspoint.com/kali_linux/index.html

NMAP Stealth Scan

A stealth scan or SYN scan is also known as a half-open scan because it never completes the TCP three-way handshake. The scanner sends a SYN packet to the target. If a SYN/ACK comes back, the port is listening (open), and Nmap answers it with an RST instead of the final ACK, so no full connection is ever established and the service never sees a session. If an RST comes back, the port is closed. If nothing comes back, or an ICMP unreachable error arrives, the port is reported as filtered. The scan needs raw socket privileges, so run it as root; it is Nmap's default scan type when run as root.

nmap -sS 172.16.0.7

nmap -sS -T4 sscoetjalgaon.ac.in
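Both the full port scan in Step 3 above and the SYN scans above are easiest to post-process in Nmap's grepable output format (-oG). The shell functions below are an added example, not part of the lab page or of Nmap itself: they parse one -oG host line into per-port records and count the open ports, which is enough to filter a scan in a pipeline or diff it against an earlier baseline. SAMPLE is a line constructed in nmap's -oG format; the host, the port states and the service banners in it are invented for this example.

```shell
#!/bin/sh
# Added example (not from the lab page): turn nmap's grepable output (-oG) into
# one "port/proto state service version" line per port, so a scan such as
#   nmap -sS -sV -p 1-65535 -T4 -oG - 172.16.0.7
# can be filtered in a pipeline or diffed against an earlier baseline.
# SAMPLE is a constructed -oG host line (fields are tab-separated); the host,
# states and service banners are made up for this example.
SAMPLE=$(printf 'Host: 172.16.0.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, 80/open/tcp//http//Apache httpd 2.4.38/, 443/closed/tcp//https///\tIgnored State: filtered (65532)')

# parse_greppable "<-oG text>" [state]: print "port/proto state service version"
# for every port entry; the optional second argument keeps only that state.
parse_greppable() {
  printf '%s\n' "$1" | awk -F'\t' -v want="${2:-}" '
    /^Host:/ {
      ports = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
      n = split(ports, entry, /, /)
      for (i = 1; i <= n; i++) {
        # each entry is port/state/proto/owner/service/rpcinfo/version/
        split(entry[i], f, "/")
        if (want == "" || f[2] == want)
          printf "%s/%s %s %s %s\n", f[1], f[3], f[2], f[5], f[7]
      }
    }' | sed 's/ *$//'
}

# Number of open ports in the output: a cheap check for unexpected exposure.
count_open() { parse_greppable "$1" open | wc -l | tr -d ' '; }

# Usage with a live scan (needs nmap and, for -sS, root):
#   parse_greppable "$(nmap -sS -sV -p 1-65535 -T4 -oG - 172.16.0.7)" open
```

The "Ignored State" field is worth keeping an eye on: when it says filtered with a count near 65535, the host is behind a firewall that drops unsolicited SYNs, and the handful of ports listed are the only ones it chose to answer.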

References:

1. https://nmap.org/book/synscan.html

2. https://www.tutorialspoint.com/kali_linux/index.html

DNS Analysis:

dnsenum

Dnsenum retrieves the A, NS and MX records of a domain and other information connected to it (name server zone transfers where they are permitted, and subdomains found by brute force or search engines).

dnsenum sscoetjalgaon.ac.in

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.


Source: https://github.com/fwaeytens/dnsenum

References:

1. https://tools.kali.org/information-gathering/dnsenum

2. https://www.youtube.com/watch?v=mCbz92LdEfY

3. https://www.tutorialspoint.com/kali_linux/index.html

SSL Analysis: tlssled

TLSSLed is a Linux shell script used to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.

To start testing, open a terminal and type tlssled <host> <port>; for an HTTPS server the port is 443. The script drives sslscan and openssl s_client against the target, examines the certificate and the offered protocols and ciphers, and saves its logs in the current directory.

tlssled sscoetjalgaon.ac.in 443

References:

1. https://tools.kali.org/information-gathering/tlssled

2. https://www.youtube.com/watch?v=D6PuHT6sVQI

3. https://www.tutorialspoint.com/kali_linux/index.html

Dmitry:

With -w, DMitry performs a whois lookup on the domain name of a host (-i does the same for an IP address). Other options cover the rest of its functions: -s searches for possible subdomains, -e for e-mail addresses, -n queries Netcraft, and -p runs a TCP port scan. The options can be combined, for example dmitry -winsep <target>.

dmitry -w sscoetjalgaon.ac.in

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line program coded purely in C with the ability to gather as much information as possible about a host.

DMitry has a base functionality with the ability to add new functions. Basic functionality of DMitry allows for information to be gathered about a target host from a simple whois lookup on the target to uptime reports and TCP port scans.

The application is considered a tool to assist in information gathering when information is required quickly, by removing the need to enter multiple commands and the time-consuming process of searching through data from multiple sources.

To get straight into DMitry without reading the manual, you can simply type dmitry <target>; this performs the majority of its functions on the target.

References:

1. https://github.com/jaygreig86/dmitry

2. https://www.youtube.com/watch?v=z2EUhV11QB4

3. https://www.tutorialspoint.com/kali_linux/index.html

p0f:

p0f is a tool that can identify the operating system of a target host simply by examining captured packets even when the device in question is behind a packet firewall.

Type the command:

p0f -i eth0 -p -o filename

Here -i names the interface to listen on, -p puts it into promiscuous mode so that it also sees traffic not addressed to this machine, and -o writes the fingerprints to a file in addition to the screen. p0f is passive: it sends nothing, so some traffic to or from the target must cross the interface while it runs.

With p0f running, open a web page at http://172.16.0.7 from the same network. From the resulting entries you can observe the operating system inferred from the TCP SYN and SYN/ACK signatures and, from the HTTP response headers, the web server software (here Apache) and its version.

p0f -i eth0 -p -o abc


Output screenshots (not reproduced here): Dmitry, hping3, Nmap, dnsenum, NMAP Stealth Scan, p0f, SSL Analysis.