I'm not sure why this tool isn't in Backtrack. I really thought it was. It's a simple ARP & discovery tool. I went to use it today and realized it was not there. DUH

Here is an example of a generic scan of a whole local subnet.


Pureh@te ~ # arp-scan --interface=ath0 --localnet
Interface: ath0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 00:1a:70:48:fb:19 Cisco-Linksys, LLC
192.168.1.10 00:c0:9f:11:27:11 QUANTA COMPUTER, INC.
192.168.1.45 00:0d:56:53:45:82 Dell PCBA Test
192.168.1.23 00:11:50:96:08:3e Belkin Corporation
192.168.1.33 00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.
192.168.1.199 00:01:02:c2:06:1b 3COM CORPORATION
192.168.1.210 00:13:02:85:1e:a5 Intel Corporate
192.168.1.31 00:0e:9b:c3:cd:aa Ambit Microsystems Corporation
192.168.1.13 00:03:94:04:9d:8b Connect One
192.168.1.34 00:13:ce:91:30:0d Intel Corporate

20 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 10 responded
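As an added example (not part of the original post, and not arp-scan's own code), the following parses the arp-scan output above into an inventory check: it flags replies whose MAC is not on a constructed allow-list, and reports IPs answered by more than one MAC or one MAC answering for several IPs, which is what a defender watches for on a flat LAN. The allow-list and the final reply line (a second MAC answering for 192.168.1.45) are constructed to exercise those checks.

```python
import re
from collections import defaultdict

# Sample input: the host lines from the arp-scan run above, plus one constructed extra
# reply (the last host line) in which a second MAC answers for 192.168.1.45.
ARP_SCAN_OUTPUT = """\
Interface: ath0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 00:1a:70:48:fb:19 Cisco-Linksys, LLC
192.168.1.10 00:c0:9f:11:27:11 QUANTA COMPUTER, INC.
192.168.1.45 00:0d:56:53:45:82 Dell PCBA Test
192.168.1.23 00:11:50:96:08:3e Belkin Corporation
192.168.1.33 00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.
192.168.1.199 00:01:02:c2:06:1b 3COM CORPORATION
192.168.1.210 00:13:02:85:1e:a5 Intel Corporate
192.168.1.31 00:0e:9b:c3:cd:aa Ambit Microsystems Corporation
192.168.1.13 00:03:94:04:9d:8b Connect One
192.168.1.34 00:13:ce:91:30:0d Intel Corporate
192.168.1.45 00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.

20 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 10 responded
"""

# Constructed allow-list: the MACs the network owner has inventoried (gateway, laptop, Dell).
KNOWN_MACS = {"00:1a:70:48:fb:19", "00:c0:9f:11:27:11", "00:0d:56:53:45:82"}

# One reply line: IP, MAC, then the vendor text arp-scan looked up from the OUI prefix.
HOST_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*(?P<vendor>.*)$"
)


def parse_arp_scan(text):
    """Return [(ip, mac, vendor)] for every reply line; header and summary lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append((m["ip"], m["mac"].lower(), m["vendor"].strip()))
    return hosts


def unknown_hosts(hosts, known_macs):
    """Replies whose MAC is not in the inventory: candidates for a rogue or forgotten device."""
    known = {mac.lower() for mac in known_macs}
    return [host for host in hosts if host[1] not in known]


def ip_conflicts(hosts):
    """IPs claimed by more than one MAC: an address conflict, or something answering ARP for a host."""
    macs_by_ip = defaultdict(set)
    for ip, mac, _ in hosts:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def mac_conflicts(hosts):
    """MACs answering for more than one IP: proxy ARP, a multi-homed box, or a spoofer."""
    ips_by_mac = defaultdict(set)
    for ip, mac, _ in hosts:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    hosts = parse_arp_scan(ARP_SCAN_OUTPUT)
    print(f"{len(hosts)} replies parsed")
    for ip, mac, vendor in unknown_hosts(hosts, KNOWN_MACS):
        print(f"not in inventory: {ip} {mac} ({vendor})")
    for ip, macs in ip_conflicts(hosts).items():
        print(f"IP {ip} answered by several MACs: {', '.join(macs)}")
    for mac, ips in mac_conflicts(hosts).items():
        print(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
```

Run it on a saved `arp-scan --localnet` capture; repeated runs diffed against a known inventory turn the one-off scan into a cheap rogue-device check.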

It can also be used in this manner:

Pureh@te ~ # arp-fingerprint -o "--interface=ath0" 192.168.1.1
192.168.1.1 11110000000 Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7

Since I'm doing some work, I'm posting the outputs as a sort of lesson. Here is how to use amap with an nmap file:

Pureh@te ~ # nmap -sV -P0 -oM test.nmap 192.168.1.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-01 11:22 GMT
Interesting ports on 192.168.1.1:
Not shown: 1693 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
MAC Address: 00:1A:70:48:FB:19 (Unknown)

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 26.989 seconds
Pureh@te ~ # amap -i test.nmap -o test.amap -m
amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:26:38 - MAPPING mode

Protocol on 192.168.1.1:80/tcp matches http
Protocol on 192.168.1.1:80/tcp matches webmin

Unidentified ports: none.

amap v5.2 finished at 2007-08-01 11:26:49

The reason this tool is helpful is that if you're crafty (like me) you will run your services on non-standard ports to avoid easy detection. amap can get around this issue for you.

Or without the file:

Pureh@te ~ # amap 192.168.1.1 80
amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:31:11 - MAPPING mode

Protocol on 192.168.1.1:80/tcp matches http
Protocol on 192.168.1.1:80/tcp matches webmin

Unidentified ports: none.

amap v5.2 finished at 2007-08-01 11:31:22
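The two amap runs above (from an nmap file, and against a host:port directly) and the remark about services on non-standard ports come down to one idea: the port number is only a hint, the protocol is decided by what the service answers to a trigger. The following is an added example, not amap's or nmap's own code: step 1 pulls the open ports out of nmap's machine-readable output (the file `amap -i` reads), step 2 classifies a response by matching it against a signature table. The grepable sample, the trigger, the signature table and the sample reply are all constructed; the real `appdefs.trig`/`appdefs.resp` formats are not reproduced here.

```python
import re
import socket

# --- Step 1: open ports from nmap's machine-readable (-oM / -oG) output ---
# Constructed sample mirroring the nmap run above. Each Ports entry is
# port/state/proto/owner/service/rpcinfo/version, entries separated by ", ",
# fields on the Host line separated by tabs.
NMAP_GREPABLE = """\
# Nmap 4.20 scan initiated Wed Aug  1 11:22:00 2007 as: nmap -sV -P0 -oM test.nmap 192.168.1.1
Host: 192.168.1.1 ()\tPorts: 20/closed/tcp//ftp-data///, 21/closed/tcp//ftp///, 23/closed/tcp//telnet///, 80/open/tcp//http//Intoto httpd 1.0/\tIgnored State: filtered (1693)
# Nmap finished at Wed Aug  1 11:22:27 2007 -- 1 IP address (1 host up) scanned in 26.989 seconds
"""


def open_ports_from_grepable(text):
    """Return [(ip, port, proto, nmap_service, nmap_version)] for every open port."""
    targets = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 6:
                continue
            port, state, proto, _owner, service, _rpc = parts[:6]
            version = "/".join(parts[6:]).rstrip("/")   # version text may itself be empty
            if state == "open":
                targets.append((ip, int(port), proto, service, version))
    return targets


# --- Step 2: identify the protocol from the response, whatever the port ---
TRIGGER = b"GET / HTTP/1.0\r\n\r\n"   # constructed; amap ships many triggers, one per protocol family

# Constructed signature table (name, regex over the raw reply). Several may match one reply,
# and amap likewise reports every match (http and webmin above).
RESPONSES = [
    ("http",   re.compile(rb"^HTTP/1\.[01] \d{3}")),
    ("webmin", re.compile(rb"^Server: MiniServ", re.M)),
    ("ssh",    re.compile(rb"^SSH-\d\.\d-")),
]


def identify(response):
    """Names of every signature the reply matches, in table order; [] if nothing matched."""
    return [name for name, rx in RESPONSES if rx.search(response)]


def probe(host, port, timeout=3.0):
    """Send TRIGGER to host:port, read up to 4 KiB, classify it (needs network access)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(TRIGGER)
        try:
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return identify(data)


# Constructed reply of the kind a Webmin-fronted host returns to the trigger above.
SAMPLE_RESPONSE = b"HTTP/1.0 200 OK\r\nServer: MiniServ/1.290\r\nContent-type: text/html\r\n\r\n"

if __name__ == "__main__":
    for ip, port, proto, service, version in open_ports_from_grepable(NMAP_GREPABLE):
        print(f"{ip}:{port}/{proto}  nmap: {service} {version}")
    print("signature match on sample reply:", identify(SAMPLE_RESPONSE))
```

Note that `identify()` never looks at the port number, which is exactly why a service moved to an odd port still gets named; the version string nmap produced is kept alongside so the two opinions can be compared, as in the http/webmin result above.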

amap is also updatable:

Pureh@te ~ # amap -W
Running Online Update for fingerprints, connecting to www.thc.org/thc-amap
No new updates for file /usr/local/etc/appdefs.resp available
No new updates for file /usr/local/etc/appdefs.trig available
No new updates for file /usr/local/etc/appdefs.rpc available
Done with Online Update.

And finally, here is the beginning of a complete port scan with switches. I'm not going to list it all, as there are 65535 ports, but you will get the idea.

Pureh@te ~ # amap -1bqv 192.168.1.1 1-65535
Using trigger file /usr/local/etc/appdefs.trig ... loaded 35 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 390 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers

amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:34:53 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 1834980
ETC.............................. I'm feeling pure nice today

The next tool I'll be featuring is nikto. Here is an example of a nikto scan. I have changed the IP to protect the innocent.

pureh@te nikto # nikto.pl -h 69.2.223.101 -p 21,80,443,8000,8080 -g -e 167
---------------------------------------------------------------------------
- Nikto 1.36/1.37 - www.cirt.net
+ Target IP: 69.2.223.101
+ Target Hostname: 69.2.223.101
+ Target Port: 80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Using IDS Evasion: TAB as request spacer
+ Using IDS Evasion: Random case sensitivity
+ Start Time: Wed Aug 1 11:56:39 2007
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.0
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Microsoft-IIS/5.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ %2fmSadc/..%2%355C%2e.%2f%2e.%%325%35c%2e.%2f%2e%2e%%325%35 c%2e./WiNn%74/sY%53t%65%4d32/%63%6d%64%2e%45X%65?/C%2bDi%52%2bc:%5c - May be able to issue arbitrary commands to host. (GET)
+ 2741 items checked - 1 item(s) found on remote host(s)
+ End Time: Wed Aug 1 12:02:10 2007 (331 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


-h = target
-p = ports
-g = force a full (generic) scan rather than trusting the server's banner
-e = evasion techniques (the digits of 167 select the three IDS evasion methods listed at the top of the output)
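The three IDS evasion lines in the nikto output above (random URI encoding, TAB as request spacer, random case) are exactly what a log-based detection has to undo before it can match anything. The following is an added example, not nikto's code or anything from the original post: it normalizes request URIs from constructed web-server log lines (bounded repeated percent-decoding, case folding, backslash to slash) and flags path-traversal attempts that a naive search of the raw log would either miss or false-positive on. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access log (not real traffic). The second entry carries a
# double-encoded traversal of the kind nikto sends, the third mixes case and encoding,
# the fourth is benign but contains ".." inside a name, which a raw substring match would flag.
ACCESS_LOG = """\
10.0.0.5 - - [01/Aug/2007:11:56:40 +0000] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [01/Aug/2007:11:56:41 +0000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 87
10.0.0.9 - - [01/Aug/2007:11:56:42 +0000] "GET /iMaGes/%2E%2E/%2e%2E/config HTTP/1.0" 404 120
10.0.0.7 - - [01/Aug/2007:11:56:43 +0000] "GET /files/a..b/x?name=report..pdf HTTP/1.0" 200 50
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def normalize_uri(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then fold case and map
    backslashes to slashes. Returns (normalized, number_of_decode_rounds_that_changed_it)."""
    current, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.lower().replace("\\", "/"), rounds


def has_traversal(raw):
    """True if the path, or any query value, contains a '..' segment after normalization.
    Segment-wise comparison keeps names such as 'a..b' or 'report..pdf' from matching."""
    normalized, _ = normalize_uri(raw)
    path, _, query = normalized.partition("?")
    candidates = [path]
    for pair in query.split("&"):
        candidates.append(pair.partition("=")[2])
    return any(".." in candidate.split("/") for candidate in candidates)


def scan_log(text):
    """One finding per suspicious request: client, raw URI, normalized URI, decode rounds.
    decode_rounds >= 2 means the request was double-encoded, itself worth an alert."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = m["uri"]
        normalized, rounds = normalize_uri(raw)
        if has_traversal(raw):
            findings.append({"client": m["client"], "uri": raw,
                             "normalized": normalized, "decode_rounds": rounds})
    return findings


if __name__ == "__main__":
    for f in scan_log(ACCESS_LOG):
        print(f"{f['client']}  rounds={f['decode_rounds']}  {f['uri']}  ->  {f['normalized']}")
```

The decode loop is bounded on purpose: an attacker-controlled string can be encoded many times over, and an unbounded loop would let the log itself dictate how much work the detector does.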