I'm not sure why this tool isn't in Backtrack. I really thought it was. It's a simple ARP & discovery tool. I went to use it today and realized it was not there. DUH
Here is an example of a generic scan of a whole local subnet.
Pureh@te ~ # arp-scan --interface=ath0 --localnet
Interface: ath0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 00:1a:70:48:fb:19 Cisco-Linksys, LLC
192.168.1.10 00:c0:9f:11:27:11 QUANTA COMPUTER, INC.
192.168.1.45 00:0d:56:53:45:82 Dell PCBA Test
192.168.1.23 00:11:50:96:08:3e Belkin Corporation
192.168.1.33 00:1b:fc:9a:be:f3 ASUSTek COMPUTER INC.
192.168.1.199 00:01:02:c2:06:1b 3COM CORPORATION
192.168.1.210 00:13:02:85:1e:a5 Intel Corporate
192.168.1.31 00:0e:9b:c3:cd:aa Ambit Microsystems Corporation
192.168.1.13 00:03:94:04:9d:8b Connect One
192.168.1.34 00:13:ce:91:30:0d Intel Corporate
20 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 10 responded
It can also be used in this manner:
Pureh@te ~ # arp-fingerprint -o "--interface=ath0" 192.168.1.1
192.168.1.1 11110000000 Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7
Since I'm doing some work I'm posting the outputs as a sort of lesson. Here is how to use amap with an nmap file.
Pureh@te ~ # nmap -sV -P0 -oM test.nmap 192.168.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-01 11:22 GMT
Interesting ports on 192.168.1.1:
Not shown: 1693 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp closed ftp
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
MAC Address: 00:1A:70:48:FB:19 (Unknown)
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 26.989 seconds
Pureh@te ~ # amap -i test.nmap -o test.amap -m
amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:26:38 - MAPPING mode
Protocol on 192.168.1.1:80/tcp matches http
Protocol on 192.168.1.1:80/tcp matches webmin
Unidentified ports: none.
amap v5.2 finished at 2007-08-01 11:26:49
The reason this tool is helpful is that if you're crafty (like me) you will run your services on non-standard ports to avoid easy detection. amap can get around this issue for you.
Or without the file:
Pureh@te ~ # amap 192.168.1.1 80
amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:31:11 - MAPPING mode
Protocol on 192.168.1.1:80/tcp matches http
Protocol on 192.168.1.1:80/tcp matches webmin
Unidentified ports: none.
amap v5.2 finished at 2007-08-01 11:31:22
amap is also updatable:
Pureh@te ~ # amap -W
Running Online Update for fingerprints, connecting to www.thc.org/thc-amap
No new updates for file /usr/local/etc/appdefs.resp available
No new updates for file /usr/local/etc/appdefs.trig available
No new updates for file /usr/local/etc/appdefs.rpc available
Done with Online Update.
And finally here is the beginning of a complete port scan with switches. I'm not going to list it all as there are 65535 ports, but you will get the idea.
Pureh@te ~ # amap -1bqv 192.168.1.1 1-65535
Using trigger file /usr/local/etc/appdefs.trig ... loaded 35 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 390 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers
amap v5.2 (www.thc.org/thc-amap) started at 2007-08-01 11:34:53 - MAPPING mode
Total amount of tasks to perform in plain connect mode: 1834980
ETC.............................. I'm feeling pure nice today.
The next tool I'll be featuring is nikto. Here is an example of a nikto scan. I have changed the IP to protect the innocent.
pureh@te nikto # nikto.pl -h 69.2.223.101 -p 21,80,443,8000,8080 -g -e 167
---------------------------------------------------------------------------
- Nikto 1.36/1.37 - www.cirt.net
+ Target IP: 69.2.223.101
+ Target Hostname: 69.2.223.101
+ Target Port: 80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Using IDS Evasion: TAB as request spacer
+ Using IDS Evasion: Random case sensitivity
+ Start Time: Wed Aug 1 11:56:39 2007
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.0
- Server did not understand HTTP 1.1, switching to HTTP 1.0
+ Server does not respond with '404' for error messages (uses '400').
+ This may increase false-positives.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Microsoft-IIS/5.0 appears to be outdated (4.0 for NT 4, 5.0 for Win2k)
+ %2fmSadc/..%2%355C%2e.%2f%2e.%%325%35c%2e.%2f%2e%2e%%325%35c%2e./WiNn%74/sY%53t%65%4d32/%63%6d%64%2e%45X%65?/C%2bDi%52%2bc:%5c - May be able to issue arbitrary commands to host. (GET)
+ 2741 items checked - 1 item(s) found on remote host(s)
+ End Time: Wed Aug 1 12:02:10 2007 (331 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
-h = target
-p = ports
-g = force scan (no trust server)
-e = evasion techniques
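The arp-scan run at the top of the post is the raw material for a LAN inventory check: a defender wants to know which MACs answered that were never seen before, which known MACs moved to another IP, which baseline hosts went silent, and whether two MACs claimed the same IP. The following is an added example and not code from the post or from the arp-scan project; the scan text and the KNOWN_HOSTS baseline are constructed to mirror the arp-scan 1.6 output format shown above (some MACs are the post's, the rest are made up).

```python
"""Parse arp-scan --localnet output and diff it against a known-host baseline.

Added example, not from the forum post. SAMPLE_SCAN is constructed to match the
arp-scan 1.6 line format (IP, MAC, vendor separated by tabs); KNOWN_HOSTS is a
made-up {mac: ip} baseline you would normally load from a file or CMDB.
"""
import re
from dataclasses import dataclass

# Matches one host line such as "192.168.1.1<TAB>00:1a:70:48:fb:19<TAB>Cisco-Linksys, LLC";
# banner and summary lines do not start with an IP followed by a MAC, so they are skipped.
HOST_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*"
    r"(?P<vendor>.*)$",
    re.IGNORECASE,
)

SAMPLE_SCAN = """\
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1\t00:1a:70:48:fb:19\tCisco-Linksys, LLC
192.168.1.11\t00:c0:9f:11:27:11\tQUANTA COMPUTER, INC.
192.168.1.45\t00:0d:56:53:45:82\tDell PCBA Test
192.168.1.45\t00:aa:bb:cc:dd:ee\t(Unknown)
192.168.1.77\t00:11:22:33:44:55\t(Unknown)

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.426 seconds (179.52 hosts/sec). 5 responded
"""

# Constructed baseline: what we expect to be on the wire, keyed by MAC.
KNOWN_HOSTS = {
    "00:1a:70:48:fb:19": "192.168.1.1",
    "00:c0:9f:11:27:11": "192.168.1.10",
    "00:0d:56:53:45:82": "192.168.1.45",
    "00:1b:fc:9a:be:f3": "192.168.1.33",
}


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    vendor: str


def parse_arp_scan(text):
    """Return Host records for every host line in arp-scan output."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append(Host(m["ip"], m["mac"].lower(), m["vendor"].strip()))
    return hosts


def diff_inventory(hosts, known):
    """Compare scan results with a {mac: ip} baseline.

    new       MACs that answered but are not in the baseline (unknown device)
    moved     known MACs now answering from a different IP (DHCP churn, or spoofing)
    missing   baseline MACs that did not answer (powered off, or ignoring ARP)
    conflicts IPs claimed by more than one MAC (duplicate address or ARP poisoning)
    """
    seen = {h.mac: h.ip for h in hosts}
    by_ip = {}
    for h in hosts:
        by_ip.setdefault(h.ip, set()).add(h.mac)
    return {
        "new": sorted(mac for mac in seen if mac not in known),
        "moved": sorted(mac for mac in seen if mac in known and known[mac] != seen[mac]),
        "missing": sorted(mac for mac in known if mac not in seen),
        "conflicts": {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1},
    }


if __name__ == "__main__":
    report = diff_inventory(parse_arp_scan(SAMPLE_SCAN), KNOWN_HOSTS)
    for key, value in report.items():
        print(f"{key:9s} {value}")
```

Run it periodically from a box on the segment and alert on anything in "new" or "conflicts"; "moved" is normal on DHCP networks unless the MAC is a server or gateway, in which case it deserves the same attention.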
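The nikto run above uses -e evasions (random URI encoding, TAB as the request spacer, random case), and the point for the blue team is that a signature matched against raw wire bytes will miss the same request a plain scan would have caught. The following added example, not part of the post and not nikto's code, shows the normalisation step an IDS or WAF needs before matching: any-whitespace splitting, repeated percent-decoding until stable, case folding and backslash-to-slash canonicalisation. The two request lines and the toy SIGNATURES table are constructed; a real rule set would be much larger.

```python
"""Normalise an HTTP request line before signature matching so that nikto-style
evasions (random URI encoding, TAB spacer, random case) cannot hide a known pattern.

Added example, not from the forum post. PLAIN_REQUEST and EVADED_REQUEST are
constructed request lines; SIGNATURES is a toy stand-in for an IDS rule set.
"""
import posixpath
from urllib.parse import unquote

# Constructed: the same request, once plain and once with evasions applied
# (TAB instead of space, mixed case, single and double percent-encoding).
PLAIN_REQUEST = "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
EVADED_REQUEST = (
    "GET\t/sCr%49pts/..%2%355c../wi%4eNT/sy%53tem32/c%6dd.e%58e?/C+dir\tHTTP/1.0"
)

# Toy signature table: every fragment must appear in the (normalised) path.
SIGNATURES = {
    "iis-traversal-cmd": ("../", "cmd.exe"),
}


def percent_decode_fully(s, max_passes=5):
    """Percent-decode until the string stops changing.

    Double encoding needs several passes: %%325%35c -> %255c -> %5c -> backslash.
    The pass limit keeps a pathological input from looping forever.
    """
    for _ in range(max_passes):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def normalize_request_line(line):
    """Return method, decoded path, collapsed path and query in canonical form,
    or None when the line does not look like a request line."""
    parts = line.split()  # splits on any whitespace run, so TAB spacers are harmless
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    raw_path, _, raw_query = target.partition("?")
    path = percent_decode_fully(raw_path).replace("\\", "/").lower()
    return {
        "method": method,
        "path": path,                            # decoded, traversal still visible
        "canonical": posixpath.normpath(path),   # where the path actually lands
        "query": percent_decode_fully(raw_query).lower(),
    }


def match_raw(line):
    """What a bytes-only signature engine sees: case-sensitive, undecoded."""
    return [name for name, frags in SIGNATURES.items() if all(f in line for f in frags)]


def match_normalized(line):
    """Signature matching on the decoded, case-folded path."""
    norm = normalize_request_line(line)
    if norm is None:
        return []
    return [name for name, frags in SIGNATURES.items()
            if all(f in norm["path"] for f in frags)]


if __name__ == "__main__":
    for label, req in (("plain", PLAIN_REQUEST), ("evaded", EVADED_REQUEST)):
        print(f"{label:7s} raw={match_raw(req)} normalised={match_normalized(req)}")
```

The decode loop is the part most engines get wrong: a single unquote() pass turns the evaded path into "..%255c..", which still does not contain "cmd.exe" in plain form; only after the string is stable does the case fold make both requests identical. Logging the "canonical" value alongside the raw line also tells an analyst which file the traversal would really have reached.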
I could be a complete idiot, but it reminds me of Net-discover in BT2
I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!
Yep, I'm an Idiot, or Yep it reminds you of Net-discover? I'm thinking both.