Friday, June 27, 2008

There have been some new tools released over the past few days and I would like to put up some basic info on some of them. Here are a few new or newer voip testing tools.

VoIPER0.06
VoIPER is a VoIP security testing toolkit incorporating several VoIP fuzzers and auxilliary tools to assist the auditor. It can currently generate over 200,000 SIP tests and H.323/IAX modules are in development.

SipBomber0.8
SipBomber is sip-protocol testing tool for Linux originally developed by Metalink in 2003 for internal use and released later as GPL open source product.


Sip Rogue
You can find more info about Sip Rogue in the Book Hacking VoIP Exposed.


These tools can be found in the newest version of Back|Track.

Thursday, June 19, 2008

A new security podcast is available announcing the new release of Back|Track 3 on PaulDotCom The podcast entitled PaulDotCom Security Weekly Episode 112 -June 19, 2006 is available here
This episode features members of the Back|Track development team.
To get the latest version of Back|Track follow the link here.

Monday, May 26, 2008

Multipart PortScanning Tutorial Part 7

Multipart PortScanning Tutorial Part 7

In this edition we will be looking at the results of some Xmas Tree scans.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!

[b]
OK so first things first If you are not up to speed here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]
[url="http://forums.remote-exploit.org/showthread.php?t=14195]Part6[/url]

OK so let's look at what a Xmas Tree scan is.
[quote]Xmas scan (-sX)

Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
[b]From the nmap online documentation. [/b] [/quote]

So what does this mean?
Well for starters we know about the three-way handshake with TCP/IP. So what we are doing is sending packets out that have the "FIN", "PSH" and "URG" flags set.
So let's look at these flags. The first one "FIN" tells the target that we are finished with our connection. And normally it would send back and "ACK" Packet.
The second is the "PSH" or push packet. TCP designates data being sent to an application by using the "PSH" flag. To ensure that data sent from a node has been received TCP uses an "ACK" flag that specifies which "PSH" packets have been received. "ACK"s are sent in response to "PSH" data grams in two different scenarios:
1. When data has been received by a node.
2. When the "ACK" delay has been reached.
The third flag is the "URG" flag. The "URG" flag is used to tell a node that information needing immediate attention is present within a packet.
A "URG" also tells a receiving node that the sender requests all buffered data to be passed to the application. Normally TCP holds data in a memory buffer until enough is collected then it is passed to the application needing said data. With the "URG" flag TCP sends the data immediately. Ok so now might be a good idea to take a break!

Now that we know what the packets mean let's take a look at why this can be important to the pen-tester.

First when we do a Xmas tree scan and the target sends us a "RST" or reset packet then we know that a target port is closed. But if the target port is open then there will be silence. This is the same thing when doing a "FIN" scan. All of this takes place due to RFC 793 Transmission Control Protocol.
During a Xmas tree scan nmap categorizes the response as either closed or open|filtered. The open|filtered result is combined because firewalls often drop these packets. Because it's impossible to determine if a missing response was due to an open port or a filtered network connection, there's no way to tell the difference between an open or filtered port. Different implementations of the TCP/IP stack will handle these scans in different ways. Windows for example will reply with a "RST" regardless of the status of the port. If an open|filtered port is picked up then the node is not windows based. Special attention must be given when the results show all ports as closed as this may not be true.
Ok so now if you are still with me let's take a look at some scans.
First in the default mode with a look at the flags.
[code]
#nmap -sX -v -v 192.168.1.5 [/code]
-sX xmas tree scan
-v verbosity
[b] And our results. [/b]
[code]

Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-01 13:30 EDT
Initiating ARP Ping Scan at 13:30
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:30, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:30
Completed Parallel DNS resolution of 1 host. at 13:30, 0.05s elapsed
Initiating XMAS Scan at 13:30
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 21 out of 70 dropped probes since last increase.
Completed XMAS Scan at 13:30, 16.56s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are closed
MAC Address: 00:12:34:56:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.024 seconds
Raw packets sent: 1821 (72.842KB) | Rcvd: 1718 (79.024KB)
[/code]
As you can see we really didn't learn much about our target. The only thing that we learned is that the ports all appear to be closed.
But this is not really the case. I know that there are open ports because the target is actually a print server.

[b]This time lets look more in depth at our target.[/b]
[code]
#nmap -sV -v -v -F -sX -O 192.168.1.5
[/code]
-sV service version
-O Operating system
-F Only scan ports listed on services.

[b] Now the relevant results[/b]
[code] Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely removed [/code]
This time we can see that nmap returned us a print server. The device type is still incorrect. This can mean the difference between accessing the network and being shut out.
This print server like most usually have TCP ports 515, 631 open. There is usually one or two more like http or telnet open as well.

So we see that even though the two scans are not 100% accurate we did gain some valuable information about our target. Again a lot of devices will not respond to this type of scanning but there are some that will. Using the Xmas tree scan we can also help mask our intentions from a IDS. But remember most system administrators worth their weight in salt will ensure that there IDS's pick up this type of scan. There are ways around this as well.
Try playing with this type of scan and see what kind of results you get.

Drop a line if this has helped or hindered you.

Sunday, May 25, 2008

Multipart PortScanning Tutorial Part 6

Because there has been some interest I will try to do a couple more tutorials on [URL="http://nmap.org/"]nmap[/URL]. I am using the latest version available.

[B]In this edition we will be looking at the results of some "ACK" Scans[/B].

Disclaimer: This information is for educational purposes only and not to commit a crime! If you do something that causes you to hose your box don't cry to me. All IP Address' MAC Address' etc. have been munged!
[B]
OK so first things first If you are not up to speed here are the other tutorials I have done on nmap.[/B]
[url="http://forums.remote-exploit.org/showthread.php?t=11001"]Part1[/url]
[URL="http://forums.remote-exploit.org/showthread.php?t=11003"]Part2[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11010"]Part3[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=11025"]Part4[/URL]
[url="http://forums.remote-exploit.org/showthread.php?t=11216"]Part5[/url]

[B]Next lets talk a minute about what a "ACK" scan is.[/B]
[quote]-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
[URL="http://nmap.org/docs.html"]From the nmap online documentation[/URL]. [/quote]

So what does this mean to us. First when dealing with TCP/IP we all know how the connections work, so when a connection is finished one would normally see an ACK or Acknowledgment. Meaning that the connection was made and a transfer of some sort took place. So when we scan for hosts by sending out ACK packets what we are doing is telling the target machine that we have "received the transmission". But since this is our first real communication with said target. It will not no how to respond. This is turn will generate RST or reset packets. Now if we look above we see that nmap will label them as unfiltered, and in turn they are reachable. This second part is really the only part we care about. By sending out ACK packets we can then determine if a host is alive and possibly not set of IDS alarms. Now there is a caveat to this. If there are a lot of ACK packets hitting a target then an IDS will most likely see this and of course set off the alarm.
There are several ways we can mitigate this with nmap. Which I will show more of in a later tutorial.
[b]So our first default scan should look something like this.[/b]
[code]#nmap -v -v -sA 192.168.1.5 [/code]
Now I included the -v -v for verbosity level two just to get all of the information out of this basic scan that we can.
[b]Now lets look at the results. [/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 12:26 EDT
Initiating ARP Ping Scan at 12:26
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 12:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.05s elapsed
Initiating ACK Scan at 12:26
Scanning 192.168.1.5 [1715 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 40 out of 133 dropped probes since last increase.
Completed ACK Scan at 12:26, 15.39s elapsed (1715 total ports)
Host 192.168.1.5 appears to be up ... good.
All 1715 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF (Cisco-Linksys)
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 15.828 seconds
Raw packets sent: 1836 (73.442KB) | Rcvd: 1716 (78.932KB)[/code]

Now the only thing that we learned is that the target is there, which we should already have known before we started scanning it. Blindly scanning a target is how we set off alarms!
Ok now lets look at it again only this time we will be trying to find out some info on the OS and what services are running.
But remember we do not want to trip the alarm so we are going to be a little sneaky with our throttling. Note this may or may not hide us, That is not the real point here.
[code]
#nmap -sV -v -v -F -T Paranoid -sA -O -PN 192.168.1.5
[/code]
This time we have several flags set.
-sV for service versions.
-v -v again verbosity level 2
-F to only scan the ports listed on the service version scan. No sense scanning all possible ports as this could trigger alarms.
-T Paranoid again to help mask what we are doing.
-sA is for the ACK scan itself.
-O for OS detection
-PN so that we do not ping the target before scanning. Again to mask what we are doing from the target itself.
[b]And of course the output[/b]
[code]
Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-00 13:04 EDT
Initiating ARP Ping Scan at 13:04
Scanning 192.168.1.5 [1 port]
Completed ARP Ping Scan at 13:04, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:04
Completed Parallel DNS resolution of 1 host. at 13:04, 0.05s elapsed
Initiating ACK Scan at 13:04
Scanning 192.168.1.5 [1276 ports]
Increasing send delay for 192.168.1.5 from 0 to 5 due to 45 out of 150 dropped probes since last increase.
Completed ACK Scan at 13:04, 11.45s elapsed (1276 total ports)
Initiating Service scan at 13:04
Initiating OS detection (try #1) against 192.168.1.5
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.5 appears to be up ... good.
All 1276 scanned ports on 192.168.1.5 are unfiltered
MAC Address: 00:12:34:45:AA:FF(Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|printer
Running: Hotway embedded, IBM embedded, Packard Bell embedded
OS details: Hotway HDC-U2LA NAS device, IBM 6400 Printer (software version 7.0.9.6), Packard Bell NetStore 3500
OS Fingerprint:
Purposely Removed
Network Distance: 1 hop
Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.866 seconds
Raw packets sent: 1343 (55.504KB) | Rcvd: 1283 (59.160KB) [/code]

So this time we picked up a bit more detail. I will say that what was reported by the scan's OS details is incorrect but they device type is. Also note that the mac address is listed as Cisco-Linksys. This along with the device type is the most relevant info we have gained. In order for us to actually penetrate the target we need more information. Which I will leave up to you to learn about.

So again we have covered using an ACK scan with nmap. There are more options, reasons, and ways of using this type of scan. I have showed you only the basics.
When I get the chance I will be showing more options for IDS spoofing and evasion techniques. I have purposely left this info out of this tutorial!

If this has helped or hindered you say something. :)

Sunday, April 6, 2008

How to Setup a Trixbox image using Vmware player

How to Setup a Trixbox image using Vmware player.

This guide will show you how to setup a target PBX machine in your own pentesting lab.
This will allow you to use several tools that are available in BT in order to learn about VOIP.

So this guide will assume a few things.
1. You have at least two computers on some sort of network
2. One of them is capable of running BT
3. The other is running windows xp.

Now if you need help with any of that then see
google

Now in order to get our machine setup we need to download a few things.
1. the player
2. the trixbox image

You need to download the Vmware image titled: trixbox CE 2.6.0.7
There are md5sums for it as well.

Ok now setup the vmware player as per the documentation
Next you will need to unzip the trixbox image.
Once this is done you will need to start the player. Once it opens chose from the commands "open" and navigate to the folder where your recently unzipped folder.
Then find the file that is labeled "trixbox-ce-2.6.0.2" This is the needed image.
Now select open and the OS should start too boot inside of the player. It takes a few minutes to get to the log on prompt.
If there are any errors that prevent you from getting a root log in prompt then you will need to work those out first.
You can post in this thread but I can only offer limited help for this. Best go to the trixbox website.

Now that our OS is booted we can leave it alone.
If you have the desire you can log onto it using
logon:root
password: trixbox

But there is really nothing to see there.
You will do all configuration from the web gui interface.
You should also see on the player the IP address to access this web interface.
If not find the IP of your machine and this will be it.
Ok so on another machine open a browser and navigate to the IP address.

Then once you have the page the next few steps are real easy.
Upper right hand corner find the user mode and switch to maint.
you will need to supply the user and password

User: maint
Password: password

Now it will reload the page. Next find on the left side toward the top "Asterix" and then in the drop down "FreePBX"
Click on it and it reloads. This is the page where we can add our extensions. This is basically the user and there associated phone number.
Just like when you call some business or whatever and the prompt asks for an extension.
Choose in the middle the drop down box that should say "SIP" device.
Then you will need to fill out the following.
The extension number
You should give a name but it is not necessary.
Then down the list you will see "secret" this is the password field put something in there or leave it blank.

Next go to the very bottom and hit the submit button and back up to the top of the page is an orange button for adding the new extension to the database and turning it on.
At this point you are done. If you want to mess with the other features by all means go for it. For our testing purposes we are finished with the web interface.
You can the just navigate to another website or close the browser.


Now in order for us to make use of the SipVicious tools you will need to navigate to the SipVicious directory and add a word list.
The default is "dictionary.txt" At this point you can either add some words or whatever but you need to ensure that your secrets from above are in there.
Save the file and exit.

So to see the video that shows how to set up our trixbox please follow this link it will take you to blip.tv


For more info on using the SipVicious tools see my other tutorial here.

Hope you enjoy it and please leave some feed back!
There is also a thread over at remote-exploits forums for using the SipVicious tool set.

Join the conversation.

I should have the other video and thread (on setting up a target machine in your own private network) up later today.

Friday, April 4, 2008

Abusing VOIP Networks with SipVicious

As promised here is the video uploaded to blip.tv
You can get it here from blip.tv
It is also available from here on media fire for download
It is saved in the ".mpeg" format so you may need some sort of codec to make it work for you.
Hope you enjoy it !

Tuesday, April 1, 2008

SipVicious Hacking

I did a small video on using the SipVicious tools under Back|Track
I will post more info later at the remote exploits forums.
I will also post a small video on setting up our target machine.
There are two formats for the video a .html and a .swf

The files have been pulled temporarily will repost them later on tonight.

Monday, March 24, 2008

Here are a few VOIP Info tutorials I have picked up in the last few days
they are hosted on mediafire.com There are 3 .PDF files in one folder


I am currently finishing up a thread that I will post with lots of info about VOIP on the Back|Track Forums.

Saturday, March 22, 2008

Sipvicious

There is mention of my tutorial over on the Sipvicious website.
Nothing special just mentions the tutorial and the fix for the tool in Back|Track 3 beta on the
Back|Track Wiki

Special thanks to Sandro Gauci for making this tool and sharing it with the community.

Thursday, March 20, 2008

Small SipVicious Guide

Small SipVicious Guide

This is a small guide on getting the SipVicious tool pack

SIPVicious suite is a set of tools that can be used to audit SIP based systems. It currently consists of four tools:

* svmap - this is a sip scanner. Lists SIP devices found on an IP range
* svwar - identifies active extensions on a PBX
* svcrack - an online password cracker for SIP PBX
* svreport - manages sessions and exports reports to various formats


The home page is located here: Blog

The code is here: Code

SipVicious requires python 2.4 or greater. For BT2 and 3 beta you have this so no need to worry.

There is a video tutorial that will help you out on setting it up and a small walk through using the tools located here:
Video
This video uses the tools found on the Getting Started page below.

There is also a page with info on setting up a VMware player and Trixbox image to use SipVicious against located here:
GettingStarted

The whole thing is pretty straightforward and easy to use.

Have fun with your SIP auditing!

Special thanks to Sandro Gauci for making the tools and video!

Saturday, March 15, 2008

How to for List-Urls

How to for List-Urls

Disclaimer this is for education purposes only and not to commit a crime, you are on your own!!
All address have been changed!!


This is a quick guide to using the python script for List-Urls
This is a tool that I believe was written by Muts however I am not 100% sure of this.
To access this tool use the K menu Backtrack|Vulnerabilty Identification|Web Analysis|List-Urls

This opens a shell that looks like the following

Code:
+++++++++++++++++++++++++++++++++++++++++++++++++++++
Extract links form webpage - v.0.1
+++++++++++++++++++++++++++++++++++++++++++++++++++++

Usage : ./list-urls.py
Eg: ./list-urls.py http://www.whoppix.net

+++++++++++++++++++++++++++++++++++++++++++++++++++++
bt list-urls #
Now in order for us to use this we need a target website I will be using http://www.victimluser.com
Now lets execute this script against our target
at the prompt type ./list-urls.py http://www.victimluser.com
It should look like the following.
Code:
bt list-urls # ./list-urls.py http://www.victimluser.com
##########################################################
# #
# Extract URLS from a web page #
# email removed for spam control #
# #
##########################################################

index.html
news.html
lusers.html
victims.html
disclaimer.html
http://www.victimluser.com
bt list-urls #
Ok now we have seen what success looks like.
The next one shows what our target actually looks like since this is not a real target but a fake one.
Code:
bt list-urls # ./list-urls.py http://www.victimluser.com

##########################################################
# #
# Extract URLS from a web page #
# email removed for spam control #
# #
##########################################################

Could not reach http://www.victimluser.com !
Did you remember to put an http:// before the domain name?
bt list-urls #

DNSMap Tutorial

DNSMap Tutorial

This tutorial will show you how to use DNSMap


Disclaimer
: This is for educational purposes only not for committing a crime you are on your own!
All IP's have been changed.

Background: Dnsmap is a small C based tool that perform brute-forcing of domains. The tool can use an internal wordlist, or work with an external dictionary file.
Info: http://ikwt.dyndns.org/ This site seems to be down.
(Source http://backtrack.offensive-security....p/Tools#dnsmap )

Ok now to acccess the tool go to K Menu | Backtrack | Information Gathering | DNS| DNSMap


Ok it will open a shell and show you
Code:
dnsmap - DNS Network Mapper by pagvac
(http://ikwt.com, http://foro.elhacker.net)
Usage: dnsmap [dictionary-file]
Examples:
dnsmap yourtarget.com
dnsmap yourtarget.com yourwordlist.txt

bt dnsmap #
Once you have it open you can check the readme by doing a nano README This will provide lots more info.
Be sure to read it there are some limitations when using this tool.

Next we need to give dnsmap a target to search again we will use http://www.victimluser.com
so
Code:
bt dnsmap # victimluser.com
This will return us with:
Code:
dnsmap - DNS Network Mapper by pagvac
(http://ikwt.com, http://foro.elhacker.net)
Searching subhosts on domain victimluser.com

forum.victimluser.com
IP Address #1:192.168.1.1

mail.victimluser.com
IP Address #1:192.168.1.2

ftp.victimluser.com
IP Address #1:192.168.1.3

pop.victimluser.org
IP Address #1:192.168.1.4
Also you can create a wordlist.txt that you can supply at the command line like this
Code:
 bt dnsmap # dnsmap targetdomain.com wordlist.txt
This will force dnsmap to use a supplied wordlist to bruteforce subdomains if you do not supply a wordlist then dnsmap
will use the built in one by default.

The readme also give links to a few wordlist you can download.

Monday, February 18, 2008

Voiphopper How To

This is a small howto on installing voiphopper version 0.9.7

"VoIP Hopper is the answer to all voip solution providers who make people believe that VLANS is all you need to secure VoIP" - Sachin Joglekar, Sipera VIPER Lab

"VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific Ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in both Cisco and Avaya IP Phone environments."

(SOURCE = Voiphopper readme.txt )

This tool was released at shmoocon this past weekend.

voiphopper

Download and save( I saved mine to "/root") Then use:
Code:
bt ~# tar xvfz voiphopper-0.9.7.tar.gz
This will "untar" and "ungzip" the package.
Code:
bt ~ # tar xvfz voiphopper-0.9.7.tar.gz
voiphopper-0.9.7/
voiphopper-0.9.7/Makefile
voiphopper-0.9.7/arp.c
voiphopper-0.9.7/buildmsg.c
voiphopper-0.9.7/cache.c
voiphopper-0.9.7/client.c
voiphopper-0.9.7/dhcpconfig.c
voiphopper-0.9.7/mac.c
voiphopper-0.9.7/netinfo.c
voiphopper-0.9.7/peekfd.c
voiphopper-0.9.7/signals.c
voiphopper-0.9.7/udpipgen.c
voiphopper-0.9.7/voiphopper.c
voiphopper-0.9.7/buildmsg.h
voiphopper-0.9.7/client.h
voiphopper-0.9.7/dhcpcd.h
voiphopper-0.9.7/kversion.h
voiphopper-0.9.7/mac.h
voiphopper-0.9.7/maclist.h
voiphopper-0.9.7/netinfo.h
voiphopper-0.9.7/pathnames.h
voiphopper-0.9.7/signals.h
voiphopper-0.9.7/udpipgen.h
voiphopper-0.9.7/LICENSE
voiphopper-0.9.7/README
Next "cd" to the directory where you saved it
Code:
bt ~# cd/root/voiphopper-0.9.7 #
and then use "make" to install it
Code:
 bt ~# cd/root/voiphopper-0.9.7 # make
You should see the following as the output
Code:
INSTALLATION
bt voiphopper-0.9.7 # make
gcc -c voiphopper.c
gcc -c dhcpconfig.c
gcc -c buildmsg.c
gcc -c cache.c
gcc -c udpipgen.c
gcc -c peekfd.c
gcc -c client.c
gcc -c arp.c
gcc -c signals.c
gcc -c mac.c
gcc -c netinfo.c
gcc voiphopper.o dhcpconfig.o buildmsg.o cache.o udpipgen.o peekfd.o client.o arp.o signals.o mac.o netinfo.o -lpcap -o voiphopper
bt voiphopper-0.9.7 #
Usage looks like the following:

1. To sniff for CDP and run a VLAN Hop into the Voice VLAN, simply run VoIP Hopper on the Ethernet interface, in the following way:
Code:
voiphopper -i eth1
2. VoIP Hopper also allows one to VLAN Hop to an arbitrary VLAN, without sniffing for CDP. If you already know the Voice VLAN ID, or would like to VLAN Hop into another VLAN (without sniffing for CDP), you can run it in the following way:
Code:
voiphopper -i eth1 -v 200
3. To Discover the Voice VLAN in an Avaya IP Phone environment:
Code:
voiphopper -i eth1 -a
4. To spoof the MAC Address of an IP Phone by sniffing for CDP (this changes the MAC address of default interface and new interface):
Code:
voiphopper -i eth1 -m AA:AA:AA:AA:AA:AA
5. To spoof the MAC Address of an IP Phone using an Avaya DHCP request (this changes the MAC address of default interface and new interface) :
Code:
voiphopper -i eth1 -a -m AA:AA:AA:AA:AA:AA
6. To spoof the MAC Address of an IP Phone by VLAN Hopping without CDP or DHCP (this changes the MAC address of default interface and new interface):
Code:
voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA
7. To spoof the MAC Address of an IP Phone without changing the MAC Address of the default ethernet interface (only spoof the new voice interface's MAC Address):
Code:
voiphopper -i eth1 -v 200 -m AA:AA:AA:AA:AA:AA -D
(SOURCE = Voiphopper readme.txt )

Well I hope that helps you get started
Have fun and play nice
This tutorial is not all of my own work credits to:
AUTHOR
Jason Ostrom
And the other Developers.

Wednesday, February 13, 2008

How to Using MTR

How to Using MTR

Background:

MTR combines the functionality of the traceroute and ping programs in a single net-work diagnostic tool.
As mtr starts, it investigates the network connection between the host mtr runs on
and HOSTNAME. by sending packets with purposely low TTLs. It continues to send packets
with low TTL, noting the response time of the intervening routers. This allows
mtr to print the response percentage and response times of the Internet route to
HOSTNAME. A sudden increase in packet-loss or response time is often an indication of
a bad (or simply overloaded) link.

(SOURCE MTR man pages)

Disclaimer: This information is for educational purposes only and not to commit a crime.
I stress the first part because this may get you into trouble with your ISP or Network Admins.
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP and MAC address' have been munged!


First off I did this using BT2 Final but the process is the exact same using BT3 the only change is now there is graphical front-end using GTK+
I am going to show a couple of examples of this tool and leave the rest up to you for now. I may add more later on.

The purpose of this tool is to provide a ping and traceroute utility in one package.
This is good for 1 allowing us to determine if a target is alive and 2 what hops our packets take in order to get to said target.
When Pentesting once we have identified a target on a network we try to learn about other networks that interact with it and this is one of the ways.
This will also help us what else may stand in our way.

To use mtr we need to open a terminal and type at the prompt
Code:
 bt ~ # mtr --help
usage: mtr [-hvrctglspni46] [--help] [--version] [--report]
[--report-cycles=COUNT] [--curses] [--gtk]
[--raw] [--split] [--no-dns] [--address interface]
[--psize=bytes/-s bytes]
[--interval=SECONDS] HOSTNAME [PACKETSIZE]
bt ~ #
This shows us the usage flags and options.
So in order to know more about the different flags we will take a look at them now:

OPTIONS
-h help
Print the summary of command line argument options.

-v --version
Print the installed version of mtr.

-r --report
This option puts mtr into report mode. When in this mode, mtr will run for
the number of cycles specified by the -c option, and then print statistics and
exit.
This mode is useful for generating statistics about network quality. Note
that each running instance of mtr generates a significant amount of network
traffic. Using mtr to measure the quality of your network may result in
decreased network performance.

-c COUNT --report-cycles COUNT
Use this option to set the number of pings sent to determine both the machines
on the network and the reliability of those machines. Each cycle lasts one
second.

-s BYTES --psize BYTES

PACKETSIZE
These options or a trailing PACKETSIZE on the commandline sets the packet size
used for probing. It is in bytes inclusive IP and ICMP headers

If set to a negative number, every iteration will use a different, random
packetsize upto that number.

-t --curses
Use this option to force mtr to use the curses based terminal interface (if available).

-n --no-dns
Use this option to force mtr to display numeric IP numbers and not try to
resolve the host names.

-g --gtk
Use this option to force mtr to use the GTK+ based X11 window interface (if
available). GTK+ must have been available on the system when mtr was built
for this to work. See the GTK+ web page at
www DOT gimp DOTorg/gtk/for more information about GTK+.

-p --split
Use this option to set mtr to spit out a format that is suitable for a split-
user interface.


-l --raw
Use this option to tell mtr to use the raw output format. This format is better
suited for archival of the measurement results. It could be parsed to be
presented into any of the other display methods.

-a IP.ADD.RE.SS

--address IP.ADD.RE.SS
Use this option to bind outgoing packets' socket to specific interface, so
that any packet will be sent through this interface. NOTE that this option
doesn't apply to DNS requests (which could be and could not be what you want).

-i SECONDS

--interval SECONDS
Use this option to specify the positive number of seconds between ICMP ECHO
requests. The default value for this parameter is one second.

-4
Use IPv4 only.

-6
Use IPv6 only.

Ok now we see that we have lots of options to play with here.

Ok back to the terminal we are going to look at a target computer with the -r (report mode) and -c (count) set to 1 packet

Code:
bt ~ # mtr -r -c 1 www.yourexampletarget.com
To see the output of this command click on the picture here:
output

NOTE: I had to use this picture in order to get the formatting to show up like it would in a shell.


NOTE: we can use both domain names like above or we can use IP address the result is the same.

Ok now let's see what we got back, we only care about the first two columns. The first is the name of the nodes along the route,and the second is the percent of packets that were lost. If we lose packets then the traceroute must find a new way to get to the destination. Sometimes nodes along our route will drop these packets.
So we see that in number 3 above it would seem we lost a packet however the node just dropped it.
But our trace continues until it gets to 13 and the same thing happens. Also this could be the result of a node not advertising itself blindly. Could be good or bad.
And last we arrive at 14 our target network. Remember just like any traceroute the first node returned is the closest to your box and the last is farthest away.
If we are Pentesting we can use a whois command and lookup the network node names above and may learn more about the route our packets take to our target.
This may help us determine if our target is sitting on the edge of the network or not.
Also when doing this if you do not specify the number of packets with the -c flag this process will continue to run until you stop it!
This can be bad depending on the TOS from your ISP or other networks along the route. Generally speaking most admins will not want you repeatedly pinging their networks. Sometimes one or two ping attempts may be ok. At a minimum it is plain rude to needlessly ping a node!


This tutorial should give you enough information to work with MTR.

Saturday, January 19, 2008

How to Using Vinetto

How to Using Vinetto 0.06 (r56)
This is part of the Digital Forensics section of BT2 and 3
Note: If using BT3 and this tool doesn't work then please see the thread here: Possible bug

Some Background: Vinetto is a forensics tool to examine Thumbs.db files.
It is a command line python script that works on Linux, Mac OS X and Cygwin(win32).
Source: Vinetto

Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums!

OK you may be asking your self "why would I need this tool?" This tool and the whole "forensics section" of BT is one that the average person is not going to use. Now on the other hand if you conduct forensics investigation as either some type of "police official" or as a pen tester, then this tool can come in very handy for you.
Now there are other tools that can do the same basic thing however if you need it it's included.

NOTE: When doing any type of forensic work it is imperative that we do not damage the target computer in any way. Having said that we should boot our BT disk over our target computer using the "bt nohd" boot option. If you don't know what this means then stop here and go read about it here: Cheats

Ok in order to get this to work we need to go to the command line or alternatively through K>Backtrack>Digital Forensics>All>Vinetto
Now lets have a look at the options that are presented when we do a --help
Code:
 bt ~ # vinetto --help
usage: vinetto [OPTIONS] [-o DIR] file

options:
--version show program's version number and exit
-h, --help show this help message and exit
-o DIR write thumbnails to DIR
-H write html report to DIR
Now the output shows us only two useful switches -o will write our thumbnail to a given directory and the -H creates a html report to a directory
and these two can be combined like so -Ho this will give us both the thumbs and and report in html format. This is useful if we have a lot of thumbs to go through.
So far so good right? OK now for my example usage.

I booted BT over my laptop that has Windblows XP next I opened a shell and did a:
Code:
# find / -name Thumbs.db
/mnt/hda1/Program Files/Windows NT/Thumbs.db
/mnt/hda1/RECYCLER/Thumbs.db
/mnt/hda1/WINDOWS/Thumbs.db
/mnt/hda1/Program Files/Microsoft Office Old/Office/Bitmaps/Dbwiz/Thumbs.db
bt ~ #
The above is a truncated version of the output, yours will be different. Our target file will be the last one, the "/Dbwiz/Thumbs.db"
So now you need to setup a storage device of some sort I used a usb stick seems to be the easiest. now go ahead and mount it and make a directory in it.
I used "thumbs" for mine. Ok now we have both a target directory and a "save location" we can go ahead and extract our thumbs to it.
so in a shell again give:
Code:
# vinetto -Ho  /mnt/sda1_removable/thumbs "/mnt/hda1/Program Files/Microsoft Office Old/Office/Bitmaps/Dbwiz/Thumbs.db"

** Warning: Cannot find "Image" module.
Vinetto will only extract Type 2 thumbnails.


Root Entry modify timestamp : Tue Apr 4 02:15:03 2006

------------------------------------------------------

0001 Mon Mar 22 01:00:00 1999 ORDPROC.GIF
0002 Mon Mar 22 01:00:00 1999 ASSETS.GIF
0003 Mon Mar 22 01:00:00 1999 CONTACTS.GIF
0004 Mon Mar 22 01:00:00 1999 EVTMGMT.GIF
0005 Mon Mar 22 01:00:00 1999 EXPENSES.GIF
0006 Mon Mar 22 01:00:00 1999 INVENTRY.GIF
0007 Mon Mar 22 01:00:00 1999 LEDGER.GIF

------------------------------------------------------

7 Type 2 thumbnails extracted to /mnt/sda1_removable/thumbs/
hit enter and you should see the same basic output as above.
This shows us the thumbs that we have recovered and the time they were created on our target and as well as their respective names.
Now we can go to our "save location" to verify our files are there. Also check out the .html output file as this is easier to manage then all of the other files.
I have posted some photos of the output if you need look at them VinettoOutput

And that's it, a simple program that can help if you need it.
Please leave some feedback if this helped or hindered you, Thanks

NOTE: Credit to the author of this tool and to the authors of THE BOOK
This is where I got most of the information from as well as the vinetto website.
I did find in my experiments that you need to use the flags as "-Ho" and not "-oH" doing so I got a "vinetto: error: incorrect number of arguments" error each time.

How To get a Monitor Working in BT3 beta

This is the first tutorial I did for Back|Track this one is using xorgconfig to get a monitor working.

http://forums.remote-exploit.org/showthread.php?t=10407

How to using NetDiscover.

How to using NetDiscover.

Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks. (Source NetDiscover )

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!


This tool will allow us to quickly gather IP address on a given network and as stated above work great in wireless networks that have no DHCP server.
I am using this tool in BT2 Final. However in BT3 the process is the same.
Ok so to gain access to this tool open a shell and type:
Code:
bt ~ # netdiscover -help
This will show us what flags we can use.

Code:
Netdiscover 0.3-beta6 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba

Usage: netdiscover [-i device] [-r range | -p] [-s time] [-n node] [-c count] [-f] [-S]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-p passive mode do not send anything, only sniff
-s time: time to sleep between each arp request (miliseconds)
-c count: number of times to send each arp reques (for nets with packet loss)
-n node: last ip octet used for scanning (from 2 to 253)
-S enable sleep time supression betwen each request (hardcore mode)
-f enable fastmode scan, saves a lot of time, recommended for auto

If -p or -r aren't enabled, netdiscover will scan for common lan addresses
Ok so let's look at the flags so that we know what we are dealing with.
"-i" simply put is the network card
"-r" the range to scan that you will insert on the command later
"-p" send no packets out on the network
"-s" time to sleep between the arp requests simply means how long netdiscover should wait.
"-c" count is the number or arp requests to send each time
"-n" node again this is a number you will insert on the command latter.
"-S" this will prevent netdiscover from "sleeping" between arp requests"
"-f" fast as stated above

Ok now in order for netdiscover to work it needs to send out "arp requests" this is the Address Resolution Protocol request. Simply put we are asking the network for a host's address.
For more info about ARP go here
ARPWIKI

So now if you understand the above we can move on.
What we are doing is asking a host some basic info about the network.
"Who has 192.168.0.1? Tell 192.168.0.67"
This keeps going until all the nodes or ranges we specify have answered.
When using I used wireshark to help visualize the process however this is not needed.The pictures are located here:
Netdiscover


Now we are going to look at an example of netdiscover in action
with no flags set. This will cause ND to scan for common LAN address'
Code:
bt ~ # netdiscover
Hit enter and watch
Code:
 Currently scanning: 192.168.4.0/16   |   Our Mac is: 00:11:22:AA:BB:CC - 0

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 120
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.1 00:11:22:AA:BB:CC 01 060 Cisco-Linksys
192.168.1.2 00:11:22:AA:BB:CC 01 060 Cisco-Linksys
In order to stop the scan you can hit control + c .

We see above that we have found 2 hosts and the IP and MAC address's as well as the Vendor of said MAC's

Ok now we will look at some sample commands
Code:
bt ~ # netdiscover -i ath0 -r 192.168.1.0/24
The above is Set to scan a class "C" network to see what hosts are alive
Code:
bt ~ # netdiscover -i eth0
The above is Set to scan "common networks"
Code:
 bt ~ # netdiscover -i ath1 -p
The above is Set to scan passively

This means that it will not send ARP packets out but will wait for them to come from another source.
This is useful when we don't want to make noise and set off the alarms! This will happen on any good network with a decent IDS/IPS in place
because we are sending multiple ARP packets.
Ok so I have provided a few pictures of the tool in action and wireshark showing what is going on.

Netdiscover

Sunday, January 13, 2008

How To Using DNS-Ptr

How To Using DNS-Ptr

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!



DNS-PTR Is a tool that allows you to learn DNS names of IP address' This is like doing a reverse DNS lookup.
You have the IP address but want to know if there is a domain name associated with it.
Using this tool will allow us to do mass lookups rather quickly.
This is a very simple tool to use.

To access this tool K>Backtrack>InformationGathering>All>DNS-Ptr

OK opening this will give the following
Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr #
OK so for some background for those that don't know. DNS the Domain Name System translates Domain Names like www.yourexampleofadomain.com into 192.168.1.100
Of course this address is for "internal or private use only".
Now we can use lots of tools to gain this info I will leave that alone.
If you have maybe the IP address and want to find a domain name that may be associated with the IP we can use DNS-Ptr
Using the IP to find an associated Domain name is called a Reverse DNS lookup.

To use the tool on the command line type the IP address that you want to lookup.

Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr # dns-ptr 192.168.1.1

The output will show us.


Code:
Beginning DNS lookups
192.1.168.1.1
Ending DNS lookups.
bt dns-ptr #
If we want to see if other IP address' close to our start IP are associated then we can set the End IP and run it again.

In this example I used 5 (remember leave a space)

Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr # dns-ptr 192.168.1.1 5
Code:
Beginning DNS lookups
192.1.168.1.1 : fac34-7-yourexampleofadomain.com
192.1.168.1.2 : fac34-7-yourexampleofadomain.com
192.1.168.1.3 : fac34-7-yourexampleofadomain.com
192.1.168.1.4 : fac34-7-yourexampleofadomain.com
192.1.168.1.5 : someotherexampleofadomain.com
Ending DNS lookups.
bt dns-ptr #
As you can see the first 4 IPs belong to www.yourexampleofadomain.com, but the 5th one belongs to someone else.
Again this is a simple tool to use.

Multipart PortScanning Tutorial Part 5

Multipart PortScanning Tutorial Part 5

In this edition we will be looking at the results of NULL Scans.
We are using Nmap

The other parts are located here:
Part1
Part2
Part3
Part4

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!


Ok first off a NULL Scan is a scan in which there are no TCP Flags set. This is normally something that doesn't happen or shouldn't happen in the "real world". If the scanned ports are closed then we should get a RST (Reset) packet back from our target.

The basic scan uses the -sN flag.

So it will look like the following on a windows box with a firewall in place.

Code:
 bt ~# nmap -sN -vv 192.168.1.4
As always we are using the -vv (very verbose) flags.
And the following is our typical output:

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 11:35
Scanning 192.168.1.4 [1 port]
Completed ARP Ping Scan at 11:35, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:35
Completed Parallel DNS resolution of 1 host. at 11:35, 0.05s elapsed
Initiating NULL Scan at 11:35
Scanning 192.168.1.4 [1697 ports]
Completed NULL Scan at 11:36, 36.33s elapsed (1697 total ports)
Host 192.168.1.4 appears to be up ... good.
All 1697 scanned ports on 192.168.1.4 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 37.093 seconds
Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
And now the same scan without the firewall in place.

Code:
 bt ~# nmap -sN -vv 192.168.1.4

This time I will show only the info that is relevant.


Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
All 1697 scanned ports on 192.168.1.4 are closed
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Notice the difference? The only thing is that now the ports are showing up as closed! This is a huge bit of information.
We also learned in both that the host is "up" as well as the network interface's MAC address.
But most importantly we probably didn't set off any alarms on the target network.
Because I did this on my network I know that it didn't.

Now lets look at one more scan, only this time we will do it against a *nix box.

Code:
 bt ~# nmap -sN -vv 192.168.1.101
Again the output shows only what is relevant.
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008

Host 192.168.1.101 appears to be up ... good.
All 1697 scanned ports on 192.168.1.101 are open|filtered
MAC Address: 11:00:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 36.094 seconds
Raw packets sent: 3395 (135.802KB) | Rcvd: 1 (42B)
This time we see that the *nix box showed the ports as being in a open or filtered state.

The advantage of doing a NULL Scan are no TCP sessions are created for this scan, it is normally quiet from the perspective of the remote device's applications. Therefore, none of these scans should appear in any of the application logs. This is a huge advantage when scanning a firewall or router that is facing the internet on a target network. These scans are also some of the most minimal port-level scans that nmap can do. For a closed port, only two packets are transferred. This is all that is needed to find an open port!

The Disadvantages of doing this type of scan are, Some implementations of the TCP stack will render this scan useless. For instance with Microsoft this scan will show all ports as closed regardless of their actual state. But even this can work to your advantage, since any device showing open ports must not be a Windows-based device!
There is another caveat to the above, Software based firewalls can override this rule, as shown in the first scan.

So now that we know what a NULL Scan can do for us or against us we should be able to better protect our networks.
Ideally and in my opinion we want our box to respond as being open | filtered as shown above. This makes it harder for an intruder to guess what the target is.

Sunday, January 6, 2008

How to Using Vinetto

How to Using Vinetto 0.06 (r56)
This is part of the Digital Forensics section of BT2 and 3
Note: If using BT3 and this tool doesn't work then please see the thread here: [url=http://forums.remote-exploit.org/showthread.php?t=10744]Possible bug[/url]

Some Background: Vinetto is a forensics tool to examine Thumbs.db files.It is a command line python script that works on Linux, Mac OS X and Cygwin(win32).
Source: [url=http://vinetto.sourceforge.net/]Vinetto[/url]

Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums!

OK you may be asking your self "why would I need this tool?" This tool and the whole "forensics section" of BT is one that the average person is not going to use. Now on the other hand if you conduct forensics investigation as either some type of "police official" or as a pen tester, then this tool can come in very handy for you.
Now there are other tools that can do the same basic thing however if you need it it's included.

NOTE: When doing any type of forensic work it is imperative that we do not damage the target computer in any way. Having said that we should boot our BT disk over our target computer using the "bt nohd" boot option. If you don't know what this means then stop here and go read about it here: [url=http://backtrack.offensive-security.com/index.php/Cheats]Cheats[/url]

Ok in order to get this to work we need to go to the command line or alternatively through K>Backtrack>Digital Forensics>All>Vinetto
Now lets have a look at the options that are presented when we do a --help
[code] bt ~ # vinetto --help
usage: vinetto [OPTIONS] [-o DIR] file

options:
--version show program's version number and exit
-h, --help show this help message and exit
-o DIR write thumbnails to DIR
-H write html report to DIR [/code]

Now the output shows us only two useful switches -o will write our thumbnail to a given directory and the -H creates a html report to a directory
and these two can be combined like so -Ho this will give us both the thumbs and and report in html format. This is useful if we have a lot of thumbs to go through.
So far so good right? OK now for my example usage.

I booted BT over my laptop that has Windblows XP next I opened a shell and did a:
[code]# find / -name Thumbs.db
/mnt/hda1/Program Files/Windows NT/Thumbs.db
/mnt/hda1/RECYCLER/Thumbs.db
/mnt/hda1/WINDOWS/Thumbs.db
/mnt/hda1/Program Files/Microsoft Office Old/Office/Bitmaps/Dbwiz/Thumbs.db
bt ~ #
[/code]
The above is a truncated version of the output, yours will be different. Our target file will be the last one, the "/Dbwiz/Thumbs.db"
So now you need to setup a storage device of some sort I used a usb stick seems to be the easiest. now go ahead and mount it and make a directory in it.
I used "thumbs" for mine. Ok now we have both a target directory and a "save location" we can go ahead and extract our thumbs to it.
so in a shell again give:
[code vinetto -Ho /mnt/sda1_removable/thumbs "/mnt/hda1/Program Files/Microsoft Office Old/Office/Bitmaps/Dbwiz/Thumbs.db"

** Warning: Cannot find "Image" module.
Vinetto will only extract Type 2 thumbnails.


Root Entry modify timestamp : Tue Apr 4 02:15:03 2006

------------------------------------------------------

0001 Mon Mar 22 01:00:00 1999 ORDPROC.GIF
0002 Mon Mar 22 01:00:00 1999 ASSETS.GIF
0003 Mon Mar 22 01:00:00 1999 CONTACTS.GIF
0004 Mon Mar 22 01:00:00 1999 EVTMGMT.GIF
0005 Mon Mar 22 01:00:00 1999 EXPENSES.GIF
0006 Mon Mar 22 01:00:00 1999 INVENTRY.GIF
0007 Mon Mar 22 01:00:00 1999 LEDGER.GIF

------------------------------------------------------

7 Type 2 thumbnails extracted to /mnt/sda1_removable/thumbs/
[/code] hit enter and you should see the same basic output as above.
This show use the thumbs that we have recovered and the time they were created on our target and as well as their respective names.
Now we can go to our "save location" to verify our files are there. Also check out the .html output file as this is easier to manage then all of the other files.
I have posted some photos of the output if you need look at them [url=http://picasaweb.google.com/Archangel.Amael/VinettoTutorial]VinettoOutput[/url]

And that's it, a simple program that can help if you need it.
Please leave some feedback if this helped or hindered you, Thanks :)

NOTE: Credit to the author of this tool and to the authors of the [url=http://www.amazon.com/Penetration-Testers-Open-Source-Toolkit/dp/1597492132/ref=sr_1_1?ie=UTF8&s=books&qid=1198971560&sr=1-1]THE BOOK[/url]
This is where I got most of the information from as well as the vinetto website.
I did find in my experiments that you need to use the flags as "-Ho" and not "-oH" doing so I got a "vinetto: error: incorrect number of arguments" error each time.

HOW TO using HTTPrint

HOW TO using HTTPrint Version .301 in BT

Ok this tutorial is about using httprint to gather info from a webserver. We are going to use the GUI version; there is also a command line version that does the same thing.

Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums.

Background: httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.
Source: [url=http://www.net-square.com/httprint/.com/]Httprint[/url]
To get the CLI use:
[CODE]
#cd /pentest/enumeration/www/httprint_301/linux
# httprint [/CODE]


Now first things first you should probably go ahead and update your "Signature File"
So it will usually be in: [CODE] /pentest/enumeration/www/httprint_301/linux [/CODE] look for signatures.txt
ok now to update just go to [url=http://www.net-square.com/httprint/signatures.txt]signatures[/url] and do a save as make sure you use a .txt extension. Overwriting the one we found earlier.

Next let’s get the input.txt file and set it up (its located in the same place as before)
This is the second file that we want to work with so and open it up using your favorite text editor.
Ok you should see something like:
[CODE]
# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername:[port]/
# - https://servername:[port]/
# - IP ranges xx.xx.xx.xx-yy.yy.yy.yy
#
http://www.apache DOT org/ [/CODE]

We are going to be looking at the webserver over at http://yourexampleofawebserver.com/ so replace apache DOT org with it.
Note: You can insert as shown several URLS, IP Address or Domain names, we are only using one right now.
Once that is done go ahead do a save and exit.

Ok now let's start using the tool: K>BT>Networkmapping>All>Httprint Gui
Now at the top of the gui we should see our "Input File" and "Signature File" If they are not the ones we just worked with then go ahead and fix them now.
Now let's look at the option for "Input File". Notice that we have the ability to use Text files or an Nmap version which is a simple .xml file that you created using Nmap.
Note: using Nmap is outside the scope of this tutorial however it is fairly simple to do.
Next let's look at the middle of our GUI, We should see the following, Host/Port/Banner Reported/Banner Deduced/Confidence/
First up is the Host field, This gives us yourexampleofawebserver.com, next we have a port (the default is 80) and the last is 0.00% for a confidence rating.
This means nothing to us yet, so looking at the GUI you should see a green play button go ahead and hit it. This will start the process of info gathering for us.
Note: If you load multiple targets into your input.txt it may take awhile, and If you need to you can hit the stop button.

Once complete you should see our fields from before populate and a popup window should report that it is complete. Now we have some useful data about our target. You should see info about what the banner reported. (This may or may not be true; our server may be running MS IIS) For our example we see that our server is running Apache and it gives us some version numbers. Next is the Banner Deduced field. (This is what the server is actually running based on our signatures. We see that the program reports with 84.34% confidence that it is correct based on our signature file from earlier. It also gives us a symbol or icon as well.
Now You will also see some text data and hex, this is what got reported back from our server that allows for the deductions to be made. Further down on the left side we can see a listing of the different signatures that might correspond with the reported data. On the left side if it was present would be info about SSL analysis.
We don't have SSL running on our server so we see a blank instead.

Ok now let's move onto our Report File at the bottom. Right now it just shows where it will be saved at once we hit the floppy to the right to save. Also notice that it gives options for saving. I chose the .html format you can use what you want.
Now let's go look at this file. I opened the httprintoutput.html and It shows us information again about our server. This time the output is a little more eye friendly.

So now with this information we should know allot more about our target.
Httprint can be run with multiple targets, and ports to see what all is running on your target server. It's not just for webservers either, see above for more ideas.
Again this is just the basics to show you how to get the program up and running so that you can do your own fingerprinting.
I have added the link to some pictures of the output to look at as well but you don't really need them if you just use the program instead.

Using Dmitry in Backtrack

This is a small tutorial on using DMITRY in Backtrack.
Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums.

First off a little background info. DMITRY aka Deep Magic Information Gathering Tool is a GNU/Linux command line application that's coded in C.
It has the ability to give as much info as possible about a host. It is open source, can be used to perform Internet Number whois lookups, Possible to retrieve up time system and server data. The ability to perform SubDomain searches on a target. Perform Email search on a target, and TCP port scanning as well.
(Source http://www.moh-pah.net/index.php?file=projects/dmitry)
Ok now on to the tool.
There are two ways to access the tool either through the menus K>Backtrack>Information Gathering>All>Dmitry or from the command line, either way works the same,
[code]
#dmitry [/code]
OK now we need to be able to use the program so let's first look at the switches presented
-o allows us to specify with a given name our output the default is host.txt you could name it anything you want.
-i allows us to perform a whois lookup of the IP address of a host, this tells us that if we only no the name that dmitry will find the IP for us.
-w will perform a whois lookup on the domain name of a host.
-n will give us Netcraft.com information on a host (if you don't know about netcraft.com then go have a look you won't be disappointed).
-s performs a search for possible subdomains (www.yournetwork.com being a top level domain and www.yoursite.yournetwork.com being a subdomain.)
-e will perform a search for possible email addresses. (youremail@yournetwork.com)
-p will perform a TCP port scan on a host
*-f will perform a TCP port scan on a host showing output reporting filtered ports (useful if there is a firewall in place)
*-b will report to you a banner received from a scanned port (Note this will only work if the port sends us a banner when scanned).
(This may reveal some type of software running on a given port.)
*-t 0-9 is used to set the TTL in seconds when scanning the default is 2
The * means that the -p flag must also be set in order to work.

So now that we know what the flags mean let look at an example usage of the command.
[code]
#dmitry -winsepffb -o hosts.txt www.yournetwork.com[/code]

Ok so we see that we are going to use all of the flags available to us to gather as much information about our target as possible and write the info to a file called
hosts.txt The next part is the domain name of our target.

Now for the good part the first thing we will see is that dmitry is writing the output to our file.
Next we should see:
[code]
HostIP:192.168.1.1
HostName:www.yournetwork.com [/code]
Next we will see :[code]
Gathered Inet-whois information for 192.168.1.1 [/code]
You will be provided lots of whois info about the IP address
I will not print it all here for you but rather, whois should give you the Organization's name and address info. As well as info about the network itself
You should see the net ranges for example the netnames and their registration date.
Next you should see: [code]
Gathered Inic-whois information for www.yournetwork.com
---------------------------------
Domain Name: YOURNETWORK.COM
Registrar: The Registrars info here
Whois Server: whois.example.com
Referral URL: http://www.example.com
Name Server: NS1.YOURNETWORK.COM
Name Server: NS2.YOURNETWORK.COM
Name Server: NS3.YOURNETWORK.COM
Name Server: NS4.YOURNETWORK.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-apr-2006
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011
>>> Last update of whois database: Sun, 23 Dec 2007 06:42:27 UTC [/code]
Again this provides more information about our target network. Now we have the names servers as well and the name of the registrar.
All of this is useful when we are "reconning" our target.
Next up netcraft with: [code]
Gathered Netcraft information for www.yournetwork.com
---------------------------------
Retrieving Netcraft.com information for www.yournetwork.com
Operating System: winblows server edition2007
WebServer: winblowswebserver v1.0
No uptime reports available for host: www.yournetwork.com
Netcraft.com Information gathered
[/code]
Now if our target network was using something other than the poorly coded Winblows Server Edition 2007
Then it might not get presented here for us. Same thing with the webserver info.
And because it’s so poorly coded we see that there is not uptime because it’s only on for about an hour before a reboot is needed.
[code]
Gathered Subdomain information for yournetwork.com
---------------------------------
Searching Google.com:80...
HostName:images.yournetwork.com
HostIP:192.168.1.2
HostName:maps.yournetwork.com
HostIP:192.168.1.3
HostName:news.yournetwork.com
HostIP:192.168.1.100
HostName:www.yournetwork.com
HostIP:192.168.1.1
HostName:mail.yournetwork.com
HostIP:192.168.1.5
Found 5 possible subdomain(s) for host yournetwork.com, Searched 1 pages containing 1 result. [/code]
And on and on until it has searched through all the subdomains that it finds.
Next we will see: [code]
Gathered E-Mail information for yournetwork.com
admin AT yournetwork DOT com
joeuser AT yournetwork DOT com
[/code]
And finally the output from our TCP scan [code]
Gathered TCP Port information for 192.168.1.1
---------------------------------
Port State
20 Open
21 Open
80 Open
[/code]
Etc, Etc, Etc, because www.yournetwork.com is running winblows server edition 2007 and left all the common ports open by default!
So I hope that this tutorial gets you going and you can start using dmitry to do some "reconning".
BTW All names and IP address have been changed to protect me!
If you feed in private block numbers like 192..... Then the data for whois will tell you that it is for internal network use only.
The only useful part of the entire scan will be port scanning!

Multipart PortScanning Tutorial Part 4

In part four of our "scanning journey" we are looking at FIN scans against our target box.
I am going to show you various combinations of the FIN scan and the resulting output.
If you have not done so you may need to brush up on the other lessons.

Part1
Part2
Part3

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP Address' MAC Address' etc. have been munged!



This is our standard FIN Scan. Again this is a TCP SCAN NOT UDP. I am using the Insane scan because it is a local network with the firewall and IDS turned off! So no need to worry about that.
Remember if you are doing this on a network that is not yours outside of the legality issues remember the faster you go the more likely you will be discovered by IDS/IPS (Intrusion Detection Systems/ Intrusion Prevention Systems). If a firewall was turned on then we probably won't get much in the way of information. However we will see that a little later on in this lesson.


OK on a FIN scan we are only sending FIN or "Finished packets" to our target. This tells the target who we prior to our scan did not actually "talk" to so in essence we are "finishing a conversation" or connection that never took place. This will normally net us some weird results. Sometimes the target can get confused and tell us more than it should! Sometimes it will not say anything and that it what a good hardened target box should do!

These probes are only using the default port list not the entire range of ports. All Scans listed are with the "-vv" very verbose and
"-T5" Insane speed level.

Code:
bt~# nmap -sV -T5 -vv 192.168.102
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 36.649 seconds
We didn't get much in the way of info with just the basic scan so we are moving on. This time using the version probe and the OS detection
Our command looks like this:
Code:
nmap -sF -sV -O -T5 -vv 192.168.1.102
And our output is as follows.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 11:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.05s elapsed
Initiating FIN Scan at 11:43
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 11:44, 2.31s elapsed (1697 total ports)
Initiating Service scan at 11:44
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address:00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1 (firewall disabled)
OS Fingerprint:
OS:SCAN THIS PART WAS INTENTIONALLY REMOVED BY ME!!

Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.880 seconds
Raw packets sent: 1839 (74.156KB) | Rcvd: 1704 (78.744KB)

An now the same scan with a firewall in place.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 12:05
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 12:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:05
Completed Parallel DNS resolution of 1 host. at 12:05, 0.05s elapsed
Initiating FIN Scan at 12:05
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 12:05, 18.93s elapsed (1697 total ports)
Initiating Service scan at 12:05
Scanning 1689 services on 192.168.1.102
Service scan Timing: About 6.42% done; ETC: 12:13 (0:07:17 remaining)
Completed Service scan at 12:12, 425.24s elapsed (1697 services on 1 host)
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint by osscan system #2:
SCAN(P=i686-pc-linux-gnu)
U1(R=N)
IE(R=N)
Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 445.304 seconds
Raw packets sent: 3419 (139.138KB) | Rcvd: 1 (42B)
Notice this time in the first scan we went from a possible Windows 2003 Server type box to a possible Linux box. The only difference was the addition of a firewall that was thrown in the mix. This can make a HUGE difference when we are looking for attack vectors!

This lesson shows you what FIN Scans look like. Remember that you can change some of the other options in Nmap to help evade and spoof IDS/IPS etc.
However right now we are only concerned with the basics.
In the next lesson we will be looking at a FIN|ACK scan.

Saturday, January 5, 2008

Multipart PortScanning Tutorial Part 3

We will now continue with our "scanning journey". In this installment we are going to look at another TCP scan using
BT2 as our target machine. I am also using the latest version of Nmap on a windows box.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!


On our third installment we are going to look at out BT2 box. This is a fresh install of BT2 on a HDD. This will show exactly what it is others may see if you are running BT2 on your network. Now keep in mind things may be different for each individual setup possibility.

I used the latest version of Nmap it comes complete with a nice GUI if you are so inclined. I was since its on a windows box anyway! And yes you can get this for yourBT2 or 3 Box.
The only reason I did it that way is because I only have one BT Box setup right now and it was the easiest option for me. However If you have the option then go for it and post your results here as well!

So we used the same basic commands as before and it looks like:
Code:
 # nmap -A -v 192.168.1.102
Again this is still a TCP SYN Scan.
The output shows us the following:

Code:
 Starting Nmap 4.52 ( http://insecure.org ) at 2008-01-05 22:42
Initiating ARP Ping Scan at 22:42
Scanning 192.168.1.100 [1 port]
Completed ARP Ping Scan at 22:42, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:42
Completed Parallel DNS resolution of 1 host. at 22:42, 0.05s elapsed
Initiating SYN Stealth Scan at 22:42
Scanning 192.168.1.100 [1714 ports]
Discovered open port 6000/tcp on 192.168.1.102
Discovered open port 631/tcp on 192.168.1.102
Completed SYN Stealth Scan at 22:42, 0.19s elapsed (1714 total ports)
Initiating Service scan at 22:42
Scanning 2 services on 192.168.1.102
Completed Service scan at 22:43, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.102
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.102 appears to be up ... good.
Interesting ports on 192.168.1.102:
Not shown: 1712 closed ports
PORT STATE SERVICE VERSION
631/tcp open ipp CUPS 1.1
6000/tcp open X11 (access denied)
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23, Linux 2.6.20-15-server (Ubuntu 7.04 server, x86)
Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)
Network Distance: 12 hops
TCP Sequence Prediction: Difficulty=188 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

Read data files from: G:\Nmap
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.822 seconds
Raw packets sent: 1737 (78.040KB) | Rcvd: 1729 (79.864KB)
Now notice the output looks a little different, however all of the information is there. Since we used the "-A"
we get our services information in the output. This is some of the critical info that malicious users need in order to compromise a system.

Notice that we have TCP port 631 ipp open, with CUPS1.1 running.
Now for those that don't know this is the service for printing under *nixes.
This would allow users to print from the machine or remote users connect and print as well. Printing (with explicit permission) over a networked computer can be fun and malicious! A malicious user could connect to a networked printer and print out anything they wanted to.

We also see that we have TCP port 6000 open with X11 running but notice is say (access denied). This is the X Window System that allows out BT box to have a desktop.
This is a service because on *nix boxes we can have multiple users from multiple locations logged onto the box itself. And those other users can have a desktop and it can be customized to their liking. Also notice that our scan tells us what kernel we are running in this case 2.6.X

The OS details is for the Distro that we are running and this can and will be different. This data is not correct however because the "signatures that Nmap is using is not correct. At the end of the report we have an option to submit incorrect results to Nmap.

We also see the Uptime of 0.050 days, with a date. This can be very useful information for us. If we scan a box over several days or weeks we may learn that A. our computer is not very stable. B. It gets turned off at night or C. The computer is malfunctioning and needs to reboot.

This can be very useful when doing our pen testing.
A computer that is constantly rebooting may be having problems that we can take advantage of!

This scan gives you a chance to see what your BT box looks like on the net. This is how others may "see" you.

Stay tuned for more scanning in our next part we will look at a FIN Scan.

If this tutorial is helping you or hindering you let me know!

The other parts are located here if you need them: