Using Backtrack: Network Mapping: Identify Live Hosts: hping

[Registered users of my site can access a whole series of articles and tutorials on security and networking tools, including BackTrack. Here’s a taste.
– Glenn]

hping, hping2 and hping3

Purpose:

hping2 is a command-line tool; hping3 keeps the command line and adds a Tcl scripting interface. All of them craft packets at the very lowest level: you choose the protocol (TCP, UDP, ICMP or raw IP), set individual header fields and flags, spoof your source address, flood a target, pop a shell and transfer files.

Discussion:

This is a phenomenally powerful tool, one that can do simple, brute-force DoS floods or subtle, targeted probes; take your pick. There are a whole lot of good tutorials and how-tos on the Internet, so I’m linking you to some of these.

Stage:

Information gathering

Home Page:

http://www.hping.org/

Wiki:

http://wiki.hping.org/

Tutorials:

Read this one first at The Ethical Hacker Network: http://ethicalhacker.net/content/view/72/24

Some good examples at Linux-Magazine.com: http://www.linux-magazine.com/Issues/2009/99/Hping/(offset)/6

Very short examples: http://rationallyparanoid.com/articles/hping.html

One lengthy procedure: http://www.compuhowto.com/linux/hping3-examples/

A 5-part tutorial at TheTazZone.com: http://www.thetazzone.com/tutorial-hping-basic-host-and-port-probing-tut-1-of-5/

Using Backtrack: Network Mapping: Identify Live Hosts: PBNJ

PBNJ: ScanPBNJ and OutputPBNJ

Purpose:

The PBNJ tools are Perl scripts that call nmap to scan your network, store each scan’s results in a database, and report what changed since the last run: hosts that appeared or vanished, and services that opened or closed.

Discussion:

From the website:

PBNJ is a suite of tools written in Perl. PBNJ calls Nmap to perform a scan and then PBNJ correlates the information about the targets using Nmap’s result and the PBNJ database.

Stage:

Information gathering

Online at:

http://www.spl0it.org/files/PBNJ-sysadmin-article-feb07.html

Using Backtrack: Network Mapping: Identify Live Hosts: onesixtyone

onesixtyone

Purpose:

onesixtyone sweeps a range of hosts for SNMP agents, trying a list of community strings against each one and logging which strings each device accepts. Simple Network Management Protocol, after all, does indeed offer management: a valid read community string hands you the device’s configuration, and a write string lets you change it. Defaults like “public” and “private” are still depressingly common.

Discussion:

From the website:

onesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps. By default onesixtyone waits for 10 milliseconds between sending packets, which is adequate for 100Mbs switched networks. The user can adjust this value via the -w command line option. If set to 0, the scanner will send packets as fast as the kernel would accept them, which may lead to packet drop.
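To make the “send everything, then collect responses” approach concrete, here is an added example (not onesixtyone’s own code) that builds the SNMPv1 GetRequest for sysDescr.0 that such a sweep sends to UDP/161 for each (host, community string) pair, and decodes the GetResponse an agent returns. An agent configured with a different community string simply stays silent, so any parseable reply is a hit. The reply bytes below are constructed in the script itself so it runs offline; the bookkeeping by request-id is this example’s own, not a feature of the tool.

```python
"""Build an SNMPv1 GetRequest and decode a GetResponse, the exchange behind
an SNMP community-string sweep.  Added example for this page, not
onesixtyone's code.  The agent reply below is constructed, not captured."""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: the OID onesixtyone asks for

def ber_len(n):
    """BER length: one byte below 128, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    # ASN.1 INTEGER: minimal two's-complement encoding
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community, request_id, oid=SYS_DESCR):
    """SNMPv1 message: version 0, community, GetRequest-PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                 # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def build_get_response(community, request_id, value, oid=SYS_DESCR):
    """Constructed agent reply (GetResponse-PDU, tag 0xA2) so the parser can run offline."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(packet):
    """(community, request_id, error_status, value) for an SNMPv1 GetResponse, else None."""
    try:
        tag, msg, _ = read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = read_tlv(msg, 0)
        if tag != 0x02 or int.from_bytes(ver, "big", signed=True) != 0:
            return None
        _, community, pos = read_tlv(msg, pos)
        tag, pdu, _ = read_tlv(msg, pos)
        if tag != 0xA2:
            return None
        _, rid, pos = read_tlv(pdu, 0)
        _, err, pos = read_tlv(pdu, pos)
        _, _, pos = read_tlv(pdu, pos)              # error-index, unused here
        _, vbl, _ = read_tlv(pdu, pos)
        _, vb, _ = read_tlv(vbl, 0)
        _, _, pos = read_tlv(vb, 0)                  # the echoed OID
        tag, val, _ = read_tlv(vb, pos)
        value = val.decode(errors="replace") if tag == 0x04 else val
        return (community.decode(), int.from_bytes(rid, "big", signed=True),
                int.from_bytes(err, "big", signed=True), value)
    except (IndexError, ValueError):
        return None

def match_response(outstanding, host, packet):
    """outstanding maps (host, request_id) -> community sent.  A reply that
    echoes the community we sent for that id is a valid community string."""
    parsed = parse_response(packet)
    if parsed is None:
        return None
    community, rid, err, value = parsed
    if outstanding.get((host, rid)) != community or err != 0:
        return None
    return community, value

if __name__ == "__main__":
    outstanding = {}
    for rid, community in enumerate(["public", "private", "cisco"], start=1):
        outstanding[("10.0.0.1", rid)] = community          # made-up target
        packet = build_get_request(community, rid)          # would go to 10.0.0.1:161/udp
    reply = build_get_response("public", 1, "Linux router 2.6.32")   # constructed hit
    print(match_response(outstanding, "10.0.0.1", reply))
```

The whole request for community “public” is 41 bytes, which is why the tool can fire them as fast as the kernel accepts: there is no handshake, no state, and a wrong guess costs nothing but a dropped datagram.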

Stage:

Information gathering

Home Page:

http://www.phreedom.org/solar/onesixtyone/

Using Backtrack: Network Mapping: Identify Live Hosts: nsat

nsat – the Network Security Analysis Tool

Discussion:

From the README:

NSAT is a fast, stable bulk security scanner designed to audit remote network services and check for versions, security problems, gather information about the servers and the machine and much more. Unlike many other auditing tools, it can collect information about services independently of vulnerabilities, which makes it “timeless”, meaning it doesn’t depend on frequent updates as new vulnerabilities are found.

A manpage providing extensive information on NSAT has been included in the distribution. It is available after a ‘make install’, or just by typing ‘man doc/nsat.8’ from this dir. It is suggested that you inform yourself at least about the -v (scan verbosity) option and edit the configuration file. To learn about changes in this version, please consult doc/CHANGES.

New to this version is support for distributed scanning. The manpage describes how to do a distributed scan. Note that distributed scanning in this version is just a preliminary, proof-of-concept, implementation with no guarantees for its security, reliability, or performance.

Stage:

Information gathering

Home Page:

http://nsat.sourceforge.net/

Using Backtrack: Network Mapping: Identify Live Hosts: Netifera

Netifera

Purpose:

Network enumeration and packet sniffing.

Discussion:

Like Autoscan-Network, Netifera provides a nice GUI for scanning networks, with customizable workspaces and sub-spaces. It’s pretty, simple, and pretty simple to use. I did find that if I added hosts to an existing scan, Netifera didn’t detect them on the re-scan, or at least didn’t report them.

One potentially highly useful feature pair: you can discover hosts (as with nmap), then sniff their traffic and save the capture from the same workspace.

Stage:

Network Mapping: Identifying Live Hosts

Home Page:

http://netifera.com

Getting Started:

http://netifera.com/doc/netifera_getting_started_guide/

Using Backtrack: Network Mapping: Identify Live Hosts: nmap

nmap

Purpose:

Network scanning

Discussion:

nmap is so central to hacking and cracking that it’s as easy to overlook as the air. But you do need to understand how TCP works, and how nmap exploits it, in order to do the job. nmap lets you scan using TCP connect scans ( -sT ), SYN scans ( -sS ), UDP scans ( -sU ), ping sweeps ( -sP , spelled -sn in newer releases) and so forth. Do be clear about the difference between the first two: a connect scan completes the three-way handshake, so the listening application sees a real connection and may log it; a SYN scan (the so-called stealth scan) sends only the SYN and answers the SYN/ACK with a RST, so nothing ever reaches the application’s logs. That is all “stealth” means here: a firewall or IDS watching for half-open connections sees a SYN scan just as clearly, and because SYN scans need raw sockets you must run them as root.

A simple scan is as easy as listing an IP address or subnet:

nmap 192.168.2.14
or
nmap 192.168.2.0/24

Use an option to refine the scan type:

nmap -sS 192.168.1.0/24

Study the first tutorial listed below. Understand exactly what it is talking about. Go.
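What “exploiting TCP” looks like below the socket API, for both the hping section above and nmap’s SYN scan: the added example below (mine, not hping’s or nmap’s code) builds an IPv4/TCP segment byte for byte, with whatever flags and source address you choose, and computes both checksums the way the RFCs specify. That is exactly what lets hping spoof a source and what lets nmap send a lone SYN without the kernel finishing the handshake. Putting it on the wire needs a raw socket and root; this script only builds and verifies the packet, and the addresses are made up.

```python
"""Craft an IPv4/TCP segment with chosen flags and source address, the
primitive behind hping and nmap -sS.  Added example for this page, not the
tools' own code.  Builds and checks packets only; sending needs a raw socket."""
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, then complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, proto=socket.IPPROTO_TCP, ttl=64, ident=0x1234):
    """20-byte IPv4 header; src is whatever you say it is (that is the spoof)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + payload

def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header, no options; checksum covers the pseudo-header too."""
    flag_bits = 0
    for f in flags:
        flag_bits |= TCP_FLAGS[f]
    hdr = struct.pack("!HHLLBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]

def syn_probe(src, dst, sport, dport):
    """The half-open probe: SYN alone.  SYN/ACK back means open, RST means
    closed; the scanner replies RST and never completes the handshake."""
    return build_ipv4(src, dst, build_tcp(src, dst, sport, dport, ("SYN",)))

def parse_tcp_flags(packet):
    """Names of the flags set in the TCP header of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    bits = packet[ihl + 13]
    return tuple(name for name, bit in TCP_FLAGS.items() if bits & bit)

def verify_checksums(packet):
    """True when both the IP header and TCP checksums verify (sum folds to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = checksum(packet[:ihl]) == 0
    seg = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, packet[9], len(seg))
    return ip_ok and checksum(pseudo + seg) == 0

if __name__ == "__main__":
    # Made-up addresses: probe port 80 on 10.0.0.1, claiming to be 10.0.0.5
    pkt = syn_probe("10.0.0.5", "10.0.0.1", 40000, 80)
    print(len(pkt), parse_tcp_flags(pkt), verify_checksums(pkt), pkt.hex())
    # Sending would be: s = socket.socket(AF_INET, SOCK_RAW, IPPROTO_RAW); s.sendto(pkt, (dst, 0))
```

Two things worth noticing. Nothing in the packet ties the source address to the host that sent it, which is why spoofed floods work and why a SYN scan from a spoofed source gets you no answers. And because the kernel never saw a connect(), it will reply to the SYN/ACK with a RST on its own, which is what keeps the scan half-open.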

Stage:

Network Mapping: Identifying Live Hosts

Home Page:

http://nmap.org

Tutorials:

Highly detailed: http://nmap.org/bennieston-tutorial/ – see Section 16

Simpler, and less complete: http://www.go2linux.org/nmap-command-graph-front-end-port-scan

Really brief examples: http://www.cyberciti.biz/tips/linux-scanning-network-for-open-ports.html

Using Backtrack: Network Mapping: Identify Live Hosts: NBTScan

nbtscan

Purpose:

Given an IP address range or subnet, nbtscan specifically returns NetBIOS names mapped to responding IP addresses. Verbose output ( -v ) returns the full NetBIOS name table each responding machine has registered (machine and server names, workgroup or domain, the logged-on user from the <03> messenger name) along with its MAC address, which is a great way to map deeper into a network.

Note that this is a NetBIOS-only scanner. Not that it runs only on Windows (it runs there as well as on *nixes); but it only maps NetBIOS names, so it finds Windows machines and Samba servers that answer on UDP/137, not DNS hostnames, and a host with that port filtered is invisible to it.
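What nbtscan actually sends is a NetBIOS node-status (NBSTAT) query for the wildcard name “*” to UDP/137, and the name table it prints is the answer’s RDATA (RFC 1002). The added example below (mine, not nbtscan’s code) builds that query and decodes a reply; the reply is constructed in the script to look like a Windows file server’s answer, with a made-up host name, workgroup and MAC address, so it runs offline.

```python
"""NetBIOS node-status query and name-table parser (RFC 1001/1002), the
exchange behind nbtscan -v.  Added example for this page, not nbtscan's own
code; the reply is constructed, not captured."""
import struct

WILDCARD = b"*" + b"\x00" * 15          # the "*" name asks for the whole table
SUFFIX = {0x00: "Workstation/Workgroup", 0x03: "Messenger (user name)",
          0x20: "File Server", 0x1B: "Domain Master Browser",
          0x1C: "Domain Controllers", 0x1D: "Master Browser", 0x1E: "Browser Elections"}

def encode_name(name16):
    """First-level encoding: each nibble of the 16-byte name becomes a letter A-P."""
    enc = bytearray()
    for b in name16:
        enc += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes([len(enc)]) + bytes(enc) + b"\x00"

def build_nbstat_query(txn_id):
    """Header: id, flags 0, QDCOUNT 1; question: encoded '*', type NBSTAT, class IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack("!HH", 0x0021, 0x0001)

def build_nbstat_response(txn_id, names, mac):
    """Constructed answer: names is [(name, suffix, is_group, is_active)]."""
    rdata = bytes([len(names)])
    for name, suffix, group, active in names:
        nflags = (0x8000 if group else 0) | (0x0400 if active else 0)
        rdata += name.encode().ljust(15) + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 40   # STATISTICS: UNIT_ID first
    header = struct.pack("!HHHHHH", txn_id, 0x8400, 0, 1, 0, 0)     # response, authoritative
    rr = encode_name(WILDCARD) + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata

def skip_name(packet, pos):
    if packet[pos] & 0xC0 == 0xC0:        # DNS-style compression pointer
        return pos + 2
    while packet[pos]:
        pos += 1 + packet[pos]
    return pos + 1

def parse_nbstat_response(packet):
    """(txn_id, [(name, suffix, 'GROUP'|'UNIQUE', active)], mac) or None."""
    try:
        txn_id, flags, qd, an = struct.unpack("!HHHH", packet[:8])
        if not flags & 0x8000 or an < 1:          # not a response, or nothing answered
            return None
        pos = 12
        for _ in range(qd):                       # question section, normally absent
            pos = skip_name(packet, pos) + 4
        pos = skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype != 0x0021:
            return None
        rdata = packet[pos:pos + rdlen]
        count, names = rdata[0], []
        for i in range(count):
            entry = rdata[1 + 18 * i:19 + 18 * i]
            nflags = struct.unpack("!H", entry[16:18])[0]
            names.append((entry[:15].decode("ascii", "replace").rstrip(), entry[15],
                          "GROUP" if nflags & 0x8000 else "UNIQUE", bool(nflags & 0x0400)))
        stats = rdata[1 + 18 * count:]
        mac = ":".join("%02x" % b for b in stats[:6])
        return txn_id, names, mac
    except (struct.error, IndexError):
        return None

if __name__ == "__main__":
    query = build_nbstat_query(0xBEEF)                 # would go to <target>:137/udp
    table = [("FILESRV", 0x00, False, True), ("WORKGROUP", 0x00, True, True),
             ("FILESRV", 0x20, False, True), ("ALICE", 0x03, False, True)]
    reply = build_nbstat_response(0xBEEF, table, "00:0c:29:ab:cd:ef")   # made-up host
    _, names, mac = parse_nbstat_response(reply)
    for name, suffix, kind, active in names:
        print("%-15s <%02x> %-6s %s" % (name, suffix, kind, SUFFIX.get(suffix, "?")))
    print("MAC", mac)
```

The <03> entry is why nbtscan’s output has a User column: the messenger service registers the logged-on user’s name, so one datagram per host tells you who is sitting at it.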

Home Page and Tutorial:

http://www.inetcat.net/software/nbtscan.html

Using Backtrack: Network Mapping: Identify Live Hosts: fping

fping

Purpose:

Fping does a “fast ping” of a list of hosts. It’s set up as a scripting-friendly tool, with output that’s easy to parse. Supply a list of target IPs at the command line, or use an input file. fping then sends an ICMP echo request to each target in turn without waiting for the previous one to answer, cycling through the list round-robin instead of finishing one host before starting the next as ping does. A host that answers is reported “is alive” and is up and ready for the next stage; one reported “is unreachable” merely didn’t answer ICMP echo within the timeout, which is not the same as being down.

Take note of the very nice Perl script example on the man page.
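Since fping is built to be scripted around, and since the point of PBNJ (above) is to turn repeated sweeps into a change report, here is an added example (mine, not fping’s or PBNJ’s code, and in Python rather than Perl) that parses fping’s “is alive” lines and nmap’s grepable output ( -oG ) into a snapshot of live hosts and open ports, then diffs two snapshots. The sample output is constructed inline with made-up addresses so the script runs offline.

```python
"""Parse fping and nmap -oG output into {ip: open_ports} snapshots and
report what changed between two sweeps, the audit PBNJ automates.  Added
example for this page, not PBNJ's or fping's code.  Sample output is
constructed; the addresses are made up."""
import re

FPING_RE = re.compile(r"^(\S+) is alive\b")
NMAP_HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

def parse_fping(text):
    """Addresses fping reported alive.  Silence proves nothing: a host that
    drops ICMP echo is absent here yet may be up."""
    alive = set()
    for line in text.splitlines():
        m = FPING_RE.match(line)
        if m:
            alive.add(m.group(1))
    return alive

def parse_nmap_grepable(text):
    """{ip: set of 'port/proto'} for hosts nmap -oG lists as Up or with ports."""
    hosts = {}
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if not m:
            continue                      # '# Nmap ...' comment lines and the like
        ip, fields = m.group(1), m.group(3)
        ports = set()
        for field in fields.split("\t"):
            if field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    port, state, proto = entry.split("/")[:3]
                    if state == "open":
                        ports.add("%s/%s" % (port, proto))
            elif field.startswith("Status: ") and field != "Status: Up":
                break                     # a Down host is not recorded
        else:
            hosts.setdefault(ip, set()).update(ports)
    return hosts

def diff_sweeps(old, new):
    """Change report between two {ip: ports} snapshots."""
    report = {"new_hosts": sorted(set(new) - set(old)),
              "gone_hosts": sorted(set(old) - set(new)),
              "new_ports": {}, "closed_ports": {}}
    for ip in set(old) & set(new):
        opened, closed = new[ip] - old[ip], old[ip] - new[ip]
        if opened:
            report["new_ports"][ip] = sorted(opened)
        if closed:
            report["closed_ports"][ip] = sorted(closed)
    return report

# Constructed sample output (made-up addresses) standing in for real runs.
FPING_RUN1 = """\
192.168.2.1 is alive
192.168.2.14 is alive
192.168.2.20 is unreachable
"""
NMAP_RUN1 = """\
# Nmap scan initiated as: nmap -sS -oG - 192.168.2.0/24
Host: 192.168.2.1 (gw.lan)\tStatus: Up
Host: 192.168.2.1 (gw.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.2.14 ()\tStatus: Up
Host: 192.168.2.14 ()\tPorts: 445/open/tcp//microsoft-ds///
"""
NMAP_RUN2 = """\
# Nmap scan initiated as: nmap -sS -oG - 192.168.2.0/24
Host: 192.168.2.1 (gw.lan)\tStatus: Up
Host: 192.168.2.1 (gw.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///
Host: 192.168.2.20 ()\tStatus: Up
Host: 192.168.2.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///
Host: 192.168.2.30 ()\tStatus: Down
"""

if __name__ == "__main__":
    print("fping says alive:", sorted(parse_fping(FPING_RUN1)))
    first, second = parse_nmap_grepable(NMAP_RUN1), parse_nmap_grepable(NMAP_RUN2)
    print(diff_sweeps(first, second))
```

Run the sweeps from cron, keep the snapshots, and the diff is your change notification: a host that appears with 3389/tcp open, or a router that sprouts an 8080/tcp listener, is exactly what PBNJ’s OutputPBNJ is there to flag.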

Stage:

Network Mapping: Identifying Live Hosts

Home Page:

http://fping.sourceforge.net/

Man Page:

http://fping.sourceforge.net/man/