Using Backtrack 4: Information Gathering: Route: 0trace

Information Gathering: Route: 0trace Opening Instructions: Usage: /usr/local/sbin/0trace.sh iface target_ip [ target_port ] Purpose: This tool is designed to circumvent routers that block regular ICMP packets (pings and traceroutes, among others) by enumerating hosts (servers and routers). When you can’t use traceroute because ICMP is blocked, you can get similar functionality with 0trace, with the …

Stuxnet infects Iranian power system; FBI wants keys to everyone’s encryption

Ron T. writes me: You probably caught this little tidbit, but it was interesting. http://www.bbc.co.uk/news/mobile/world-middle-east-11414483 and this one as well… http://www.pcworld.com/businesscenter/article/205420/siemens_stuxnet_worm_hit_industrial_systems.html Yes, I saw the Stuxnet news, and my surprise is (surprise!) microscopic. The topic I find really interesting: Hmm, just exactly who would have the expertise and resources to worm into the Iranian power …

Using Backtrack 4: Information Gathering: DNS: lbd

lbd Opening Instructions: lbd – load balancing detector 0.1 – Checks if a given domain uses load-balancing. Written by Stefan Behte (http://ge.mine.nu) Proof-of-concept! Might give false positives. usage: ./lbd.sh [domain] Purpose: Determining if a domain uses a load-balancing scheme. Knowing this might suggest an exploit against, for instance, Apache’s load-balancing and sticky-session operations, or a head …

Using BackTrack 4: Information Gathering: DNS: Fierce

fierce Opening Instructions: Usage: perl fierce.pl [-dns example.com] [OPTIONS] Overview: Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This …

Using BackTrack 4: Information Gathering: DNS: dnsrecon

dnsrecon Opening Instructions: This is a simple tool written for target enumeration during authorized penetration test engagements. This tool provides different methods for enumerating targets through DNS service. USAGE: ruby dnsrecon.rb <type> <arguments> <Optional:nameserver to use> TYPES: *** Reverse Lookup for Range *** ruby dnsrecon.rb -r <start ip> <end ip> <Optional:nameserver to use> *** Top Level Domain Expansion *** ruby dnsrecon.rb …

Using BackTrack 4: Information Gathering: DNS

Information Gathering: The DNS Menu Why do I want DNS information? Denial of Service: find your target’s DNS server and bring it down, or corrupt DNS records to make a site unavailable. Service Enumeration: find your target’s web, database, email etc. servers so you can target *them*. Find Internal DNS Information: explore organizations’ internal network …

(In)Security in Practice: What the New School Is Likely to Look Like

In my last post I discussed what I called an “old school” security tool, WinArpAttacker. It’s a nifty MAC-layer tool for enumerating hosts, performing man-in-the-middle attacks, spoofing MAC or IP addresses – or detecting these exploits. But this is network security at the level of the oil-change mechanic. This kind of tool is still necessary, …

(In)Security Tool: WinArpAttacker

My security students often are a little mystified about the true nature of security as a practice. Here’s a good example of “old school” security: what I’ll label a “LAN tool,” WinArpAttacker. There’s a review at TechKranti.com (http://www.techkranti.com/2010/09/scan-attack-detect-protect-on-lan.html), with points for completeness but marked with some language problems. I call this a LAN tool because …

Using Backtrack 4: Information Gathering: DNS: dnsmap-bulk

dnsmap-bulk Description: This script lets you do “bulk” mapping of multiple domains using dnsmap. Purpose: Mapping domains and subdomains, finding remote access or unpatched servers, and finding embedded devices like IP cameras. Stage: Information Gathering Opening Instructions: usage: dnsmap-bulk.sh <domains-file> [results-path] e.g.: dnsmap-bulk.sh domains.txt; dnsmap-bulk.sh domains.txt /tmp/