Friday, April 30, 2010

Install WhatWeb 0.4.2 in BT4

Quick guide to get Whatweb going in BT4
WhatWeb is a "Next generation web scanner. Identify what websites are running."

First and foremost grab some shell in BT, and get the tar.gz:

root@dorkbox:/pentest/enumeration# wget

Next unpack the archive:

root@dorkbox:/pentest/enumeration# tar xvf whatweb*

Remove the archive, and change into the new directory:

root@dorkbox:/pentest/enumeration# rm -f whatweb-0.4.2.tar.gz
root@dorkbox:/pentest/enumeration# cd whatweb*

Next read the Install file.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat INSTALL | less

As you can see, the INSTALL file mentions using Ruby 1.9.
Well, BT4 comes with Ruby 1.8.7. I am not sure if this will make a difference, since there is no mention in the documentation or on the website of any dependencies. So far, during my experiments with WhatWeb, I have not seen any problems. YMMV. There is also mention of a couple of other packages, but these are already included in BT4, so no problems there.

As for using the program, see also the README, which contains a good bit of info on using WhatWeb.

root@dorkbox:/pentest/enumeration/whatweb-0.4.2# cat README | less

But as an example of some generic output:

root@bt:/pentest/enumeration/whatweb# ./whatweb
[301] title[301 Moved Permanently], server-header[Apache], redirect-location[], md5[0670664f17b872398a96c6a58e812c2d], header-hash[0671564f07b972398a96c6a58e812c2d]
[200] Google-Analytics-GA[791888], Joomla[1.4], server-header[Apache], meta-generator[Joomla! 1.4 - Open Source Content Management], title[Example Websites Design], md5[fcb3ec0df12e54dfdef2e991a24f1c1], footer-hash[a19d726fa5771113aceaec0c61b1bf8ea7], div-span-structure[e56dd07d6f482ee11342e4ea99a9e6a8], header-hash[4379923363b07114470bde23484214e3f]

As a side note the above is not a real website.

Thanks to and Andrew Horton aka urbanadventurer
Have fun, and remember: don't mess with networks that you don't have permission for.

TCPDump Flags

I was trying to capture some data the other day and was using TCPDump. This is really for my own needs but I like to share when I can.
Here are a few filters to use when trying to capture packets with particular TCP flags set.
There are more, and you can read up online if needed.

Sniff all SYN flagged packets:

root@bt:~# tcpdump 'tcp[13] & 2 != 0'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

(The ^C is where I stopped the capture with ctrl+c; the lines above are the resulting output.)

Sniff all PSH flagged packets:
root@bt:~# tcpdump 'tcp[13] & 8 != 0'

Sniff all URG flagged packets:
root@bt:~# tcpdump 'tcp[13] & 32 != 0'

Sniff all RST flagged packets:
root@bt:~# tcpdump 'tcp[13] & 4 != 0'

Sniff all ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] & 16 != 0'

Sniff all FIN flagged packets:
root@bt:~# tcpdump 'tcp[13] & 1 != 0'

Sniff all SYN-ACK flagged packets:
root@bt:~# tcpdump 'tcp[13] = 18'
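As an added example (not part of the original post), the snippet below decodes the TCP flags byte that these filters index as tcp[13] and evaluates the same bitmask tests over a few constructed TCP headers, so you can see offline why `tcp[13] & 2 != 0` matches any SYN while `tcp[13] = 18` only matches a SYN-ACK with no other bits (such as ECE) set. The headers and port numbers are constructed samples, not captured traffic.

```python
# Added example (not from the original post): decode tcp[13] and apply the
# post's tcpdump bitmask filters to constructed TCP headers.
import struct

# Bit values of the TCP flags byte (RFC 793 flags plus the RFC 3168 ECN bits).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# The filters from the post, expressed over the flags byte f (== tcp[13]).
# Python's & binds tighter than != and ==, matching the BPF filter semantics.
FILTERS = {
    "SYN": lambda f: f & 2 != 0,
    "PSH": lambda f: f & 8 != 0,
    "URG": lambda f: f & 32 != 0,
    "RST": lambda f: f & 4 != 0,
    "ACK": lambda f: f & 16 != 0,
    "FIN": lambda f: f & 1 != 0,
    "SYN-ACK": lambda f: f == 18,                   # exact match, as in the post
    "SYN-ACK (any extra bits)": lambda f: f & 18 == 18,  # tolerant variant
}

def build_tcp_header(sport, dport, flags):
    """Return a minimal 20-byte TCP header (constructed sample, no options)."""
    data_offset = 5 << 4          # header length 5 words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)

def flags_byte(tcp_header):
    """tcp[13]: byte 13 of the TCP header carries the control flags."""
    return tcp_header[13]

def decode_flags(byte):
    """Names of the flags set in the byte, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in FLAGS.items() if byte & bit]

def matching_filters(tcp_header):
    """Which of the post's filters would pass this header."""
    f = flags_byte(tcp_header)
    return [name for name, test in FILTERS.items() if test(f)]

if __name__ == "__main__":
    samples = {  # constructed sample headers
        "plain SYN": build_tcp_header(40000, 80, 0x02),
        "SYN-ACK": build_tcp_header(80, 40000, 0x12),
        "SYN-ACK with ECE set": build_tcp_header(80, 40000, 0x52),
        "PSH-ACK data segment": build_tcp_header(40000, 80, 0x18),
    }
    for label, hdr in samples.items():
        f = flags_byte(hdr)
        print(f"{label:22} tcp[13]=0x{f:02x} {decode_flags(f)} -> {matching_filters(hdr)}")
```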