Thread: new tool

  1. #1
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    new tool

    I'm not sure why this tool isn't in BackTrack. I really thought it was. It's a simple ARP & discovery tool. I went to use it today and realized it was not there. DUH

    Here is an example of a generic scan of a whole local subnet.


    Pureh@te ~ # arp-scan --interface=ath0 --localnet
    Interface: ath0, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
    192.168.1.1 00:1a:70:48:fb:19 Cisco-Linksys, LLC
    192.168.1.10 00:c0:9f:11:27:11 QUANTA COMPUTER, INC.
    192.168.1.45 00:0d:56:53:45:82 Dell PCBA Test
    192.168.1.23 00:11:50:96:08:3e Belkin Corporation
    192.168.1.33 00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.
    192.168.1.199 00:01:02:c2:06:1b 3COM CORPORATION
    192.168.1.210 00:13:02:85:1e:a5 Intel Corporate
    192.168.1.31 00:0e:9b:c3:cd:aa Ambit Microsystems Corporation
    192.168.1.13 00:03:94:04:9d:8b Connect One
    192.168.1.34 00:13:ce:91:30:0d Intel Corporate

    20 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 10 responded

    It can also be used in this manner:

    Pureh@te ~ # arp-fingerprint -o "--interface=ath0" 192.168.1.1
    192.168.1.1 11110000000 Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7

    Since I'm doing some work I'm posting the outputs for a sort of lesson. Here is how to use amap with an nmap file.

    Pureh@te ~ # nmap -sV -P0 -oM test.nmap 192.168.1.1

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-01 11:22 GMT
    Interesting ports on 192.168.1.1:
    Not shown: 1693 filtered ports
    PORT STATE SERVICE VERSION
    20/tcp closed ftp-data
    21/tcp closed ftp
    23/tcp closed telnet
    80/tcp open http Intoto httpd 1.0
    MAC Address: 00:1A:70:48:FB:19 (Unknown)

    Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap finished: 1 IP address (1 host up) scanned in 26.989 seconds
    Pureh@te ~ # amap -i test.nmap -o test.amap -m
    amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:26:38 - MAPPING mode

    Protocol on 192.168.1.1:80/tcp matches http
    Protocol on 192.168.1.1:80/tcp matches webmin

    Unidentified ports: none.

    amap v5.2 finished at 2007-08-01 11:26:49

    The reason this tool is helpful is that if you're crafty (like me) you will run your services on non-standard ports to avoid easy detection. amap can get around this issue for you.

    Or without the file:

    Pureh@te ~ # amap 192.168.1.1 80
    amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:31:11 - MAPPING mode

    Protocol on 192.168.1.1:80/tcp matches http
    Protocol on 192.168.1.1:80/tcp matches webmin

    Unidentified ports: none.

    amap v5.2 finished at 2007-08-01 11:31:22

    amap is also updatable:

    Pureh@te ~ # amap -W
    Running Online Update for fingerprints, connecting to www.thc.org/thc-amap
    No new updates for file /usr/local/etc/appdefs.resp available
    No new updates for file /usr/local/etc/appdefs.trig available
    No new updates for file /usr/local/etc/appdefs.rpc available
    Done with Online Update.

    And finally here is the beginning of a complete port scan with switches. I'm not going to list it all as there are 65535 ports, but you will get the idea.

    Pureh@te ~ # amap -1bqv 192.168.1.1 1-65535
    Using trigger file /usr/local/etc/appdefs.trig ... loaded 35 triggers
    Using response file /usr/local/etc/appdefs.resp ... loaded 390 responses
    Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers

    amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:34:53 - MAPPING mode

    Total amount of tasks to perform in plain connect mode: 1834980
    ETC.............................. I'm feeling pure nice today

    The next tool I'll be featuring is nikto. Here is an example of a nikto scan. I have changed the IP to protect the innocent.

    pureh@te nikto # nikto.pl -h 69.2.223.101 -p 21,80,443,8000,8080 -g -e 167
    ---------------------------------------------------------------------------
    - Nikto 1.36/1.37 - www.cirt.net
    + Target IP: 69.2.223.101
    + Target Hostname: 69.2.223.101
    + Target Port: 80
    + Using IDS Evasion: Random URI encoding (non-UTF8)
    + Using IDS Evasion: TAB as request spacer
    + Using IDS Evasion: Random case sensitivity
    + Start Time: Wed Aug 1 11:56:39 2007
    ---------------------------------------------------------------------------
    + Server: Microsoft-IIS/5.0
    - Server did not understand HTTP 1.1, switching to HTTP 1.0
    + Server does not respond with '404' for error messages (uses '400').
    + This may increase false-positives.
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + Microsoft-IIS/5.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
    + %2fmSadc/..%2%355C%2e.%2f%2e.%%325%35c%2e.%2f%2e%2e%%325%35 c%2e./WiNn%74/sY%53t%65%4d32/%63%6d%64%2e%45X%65?/C%2bDi%52%2bc:%5c - May be able to issue arbitrary commands to host. (GET)
    + 2741 items checked - 1 item(s) found on remote host(s)
    + End Time: Wed Aug 1 12:02:10 2007 (331 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested


    -h = target
    -p = ports
    -g = force scan (no trust server)
    -e = evasion techniques
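
The arp-scan listing above (IP, MAC, vendor per responding host) is exactly the input a defender wants to diff against an asset inventory: a MAC nobody recognises, a known MAC that moved to another address, an inventoried device that stopped answering, or two MACs answering for the same IP (an ARP conflict, or the classic sign of ARP spoofing). The script below is an added example, not part of the original post or of arp-scan itself; the sample scan text, the KNOWN_ASSETS inventory and the hosts in it are constructed for the example.

```python
import re

# Constructed sample in the layout arp-scan prints (IP, MAC, vendor separated by
# whitespace); these hosts are made up for the example, not taken from the post.
SAMPLE_ARP_SCAN = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1\t00:1a:70:48:fb:19\tCisco-Linksys, LLC
192.168.1.10\t00:c0:9f:11:27:11\tQUANTA COMPUTER, INC.
192.168.1.45\t00:0d:56:53:45:82\tDell PCBA Test
192.168.1.77\t00:11:50:96:08:3e\tBelkin Corporation
192.168.1.1\t00:aa:bb:cc:dd:ee\t(Unknown)

20 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 5 responded
"""

# Hypothetical asset inventory: MAC -> (expected IP, description).
KNOWN_ASSETS = {
    "00:1a:70:48:fb:19": ("192.168.1.1", "gateway"),
    "00:c0:9f:11:27:11": ("192.168.1.10", "file server"),
    "00:0d:56:53:45:82": ("192.168.1.46", "print server"),
}

# One host line: dotted-quad IP, colon-separated MAC, then the vendor text.
HOST_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*)$", re.I
)


def parse_arp_scan(text):
    """Return a list of {'ip', 'mac', 'vendor'} dicts, skipping banner/summary lines."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append({"ip": m.group(1), "mac": m.group(2).lower(), "vendor": m.group(3).strip()})
    return hosts


def audit(hosts, inventory):
    """Compare scan results with the inventory; return (kind, ip, mac, detail) findings."""
    findings = []
    seen = set()
    for h in hosts:
        seen.add(h["mac"])
        if h["mac"] not in inventory:
            findings.append(("unknown-device", h["ip"], h["mac"], h["vendor"]))
        else:
            expected_ip, desc = inventory[h["mac"]]
            if h["ip"] != expected_ip:
                findings.append(("ip-changed", h["ip"], h["mac"], f"{desc}: expected {expected_ip}"))
    # Inventoried devices that did not answer at all.
    for mac, (ip, desc) in inventory.items():
        if mac not in seen:
            findings.append(("missing-device", ip, mac, desc))
    # Two or more MACs answering for one IP: ARP conflict or spoofing.
    by_ip = {}
    for h in hosts:
        by_ip.setdefault(h["ip"], set()).add(h["mac"])
    for ip, macs in sorted(by_ip.items()):
        if len(macs) > 1:
            findings.append(("duplicate-ip", ip, ",".join(sorted(macs)), "more than one MAC answered"))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, detail in audit(parse_arp_scan(SAMPLE_ARP_SCAN), KNOWN_ASSETS):
        print(f"{kind:15} {ip:15} {mac:35} {detail}")
```

Run it against real output by piping `arp-scan --localnet` into the parser; the vendor column comes from arp-scan's OUI lookup, so a device whose vendor string changes between scans while keeping its IP is worth the same look as an unknown MAC.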

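The nikto run above lists the IDS-evasion options it used (random URI encoding, TAB as request spacer, random case), and the single finding it reports is a percent-encoded traversal to cmd.exe. On the detection side the fix is the same for all three: normalise the request line before matching signatures. The following is an added example, not from the post or from nikto, showing a normaliser that decodes nested percent-encoding, spots encoding of characters that never need it, TAB spacers and case-scrambled path segments, and checks the decoded path for traversal; the SAMPLE_REQUESTS lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed request lines, as a proxy or IDS might record them (not from the post).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.0",
    "GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET\t/%73cRiPtS/%2e%2e%255c%2e%2e%255cWiNnT/sYsTeM32/%63%6d%64.exe HTTP/1.0",
]

# Characters that never need percent-encoding in a path; encoding them is obfuscation.
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def decode_fully(path, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def case_changes(segment):
    """Count upper/lower transitions between adjacent letters (random-case heuristic)."""
    letters = [c for c in segment if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def analyze(request_line):
    """Return (normalised_path, [indicator, ...]) for one request line."""
    indicators = []
    if "\t" in request_line:
        indicators.append("tab-spacer")
    parts = request_line.split()  # split() treats TAB like a space
    path = parts[1] if len(parts) > 1 else request_line
    if any(chr(int(m.group(1), 16)) in UNRESERVED for m in re.finditer(r"%([0-9a-fA-F]{2})", path)):
        indicators.append("needless-encoding")
    decoded, rounds = decode_fully(path)
    if rounds > 1:
        indicators.append("double-encoding")
    if "../" in decoded or "..\\" in decoded:
        indicators.append("traversal")
    # Three or more case flips inside one segment is rare in real paths (camelCase
    # names can trip it, so treat this as a weak indicator on its own).
    if any(case_changes(seg) >= 3 for seg in decoded.split("/")):
        indicators.append("random-case")
    return decoded, indicators


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        decoded, indicators = analyze(line)
        print(f"{decoded:50} {indicators}")
```

The point of decoding to a fixed point rather than once is the `%255c` case: a single decode yields `%5c`, which matches no traversal signature, while the web server that receives it may decode again. Match signatures on the fully decoded form, and alert on the indicators themselves; a legitimate client has no reason to send `%74` for `t` or a TAB between method and path.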
  2. #2
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031


    I could be a complete idiot, but it reminds me of Net-discover in BT2
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  3. #3
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Quote Originally Posted by spankdidly:
    I could be a complete idiot, but it reminds me of Net-discover in BT2
    Yep, pretty much.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  4. #4
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031


    Yep, I'm an idiot, or yep it reminds you of Net-discover? I'm thinking both.
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!
