The
type and scope of the penetration test will determine the need for being
stealthy during a penetration test. The reasons to avoid detection
while testing are varied; one of the benefits would include testing the
equipment that is supposedly protecting the network, another could be
that your client would like to know just how long it would take the
Information Technology team to respond to a targeted attack on the
environment.
Not only will you need to be wary of
the administrators and other observers on the target network, you will
also need to understand the automated methods of detection such as web
application, network, and host-based intrusion detection systems that
are in place to avoid triggering alerts.
NOTE:-When
presented with the most opportune target, take the time to validate
that it is not some sort of honeypot that has been set up to trigger
alerts when abnormal traffic or activity is detected! No
sense in
walking into a trap set by a clever administrator. Note that if you do
find a system like this it is still very important to ensure it is set
up properly and not inadvertently allowing access to critical
internal assets due to a configuration error!
Lab preparation:-
BackTrack, pfSense, and Metasploitable virtual machines should be configured in the following manner:
Kali Linux guest machine:-
This machine will need to be
connected to the 192.168.10.0/24 subnet. In the Oracle VM VirtualBox
Manager console highlight the Kali Linux instance and select the Settings option from the top navigation bar. Ensure that only one network adapter is enabled. The adapter should use the Vlan1 internal network option.
Now power on your Kali machine and configure IP address manually as follow:
#ifconfig eth0 
192.168.10.10 netmask 255.255.255.0
As the pfSense machine will need to
be our router as well, we need to set it up as the default gateway. This
can be accomplished as follows:
# route add default gw 192.168.10.1
Metasploitable guest machine:-
The Metasploitable machine will be
used as the target. It needs to be configured to connect to VLAN2, which
is a new internal network we have not used before.To create an internal
network you will need to manually type VLAN2 into the network
configuration screen in the Oracle VM VirtualBox Manager. Your settings
should be similar to the following:
pfSense network setup:-
Configuring
our firewall is a bit more work. It needs to be able to route
restrictive traffic from the VLAN1 network to the VLAN2 subnet. There
are several configuration changes we will need to make to ensure this
works properly.
Our firewall guest machine will use
two network adapters. One will be used for the VLAN1 segment and the
other for the VLAN2 segment. VLAN1 will be treated as an untrusted wide
area network for the examples within this chapter. Network Adapter 1
should resemble the following screenshot:
Network Adapter 2 should be similar to the following:
Pfsense WAN IP configuration:-
The remaining networking setup will need to be performed from within the guest machine.
1.
Boot up your pfSense virtual instance. There may be an additional delay
as pfSense attempts to configure the WAN adapter. Allow it to fully
load until you see the following menu:
2. The WAN and LAN interfaces will need to be configured properly.Select option 2) Set interface(s) IP address.
3. Select option 1 – WAN.
4. When asked to configure the WAN interface via DHCP type n for no.
5. The IP for the WAN adapter should be 192.168.10.1.
6. Subnet bit count should be set to 24. Type 24 and press Enter.
7. Next is set default gateway in our case 192.168.10.1.
8.Next will ask about IPv6 in our type n and press enter.
9. Finally you got bellow screen:
10. Press Enter again to return to the configuration menu.
Your LAN and WAN IP ranges should match the following:
Pfsense LAN IP configuration:-
We
can set up the LAN IP information from the configuration menu as well.
One benefit of configuring the LAN here is that we can have a DHCP
server configured for VLAN2 at the same time.
1. Select option 2 from the configuration menu to start the LAN IP Configuration module.
2. Choose the LAN interface (Option 2).
3. When prompted to enter the IP address type 192.168.20.1.
4. The bit count should be set to 24.
5. Next is set default gateway in our case 192.168.20.1.
6. When asked if you would like a DHCP server to be enabled on LAN choose y for yes.
7. DHCP Client IP range start will be 192.168.20.10.
8. DHCP Client IP range stop will be 192.168.20.50.
9. Press Enter again to return to the configuration menu.Your LAN and WAN IP ranges should match the following:
Firewall configuration:-
pfSense
can be configured using its intuitive web interface. Boot up the Kali
Linux machine with VLAN2, open a terminal and perform a sudo dhclient to
pick up an address from the pfSense DHCP server on VLAN2
(192.168.20.0/24).
In a web browser on the Ubuntu machine type http://192.168.20.1/
to access the configuration panel. If you have reset to factory
defaults you will need to step through the wizard to get to the standard
console.
Note:-The default username and password combination for pfSense is: admin/pfsense.
To view the current firewall rules choose Firewall | Rules
and review the current configuration. By default the WAN interface
should be blocked from connecting internally as there are not
preestablished rules that allow any traffic through.
For testing purpose, we will enable ports 80, 443, 21, and allow ICMP. Add the rules as follows:
1. Click on the add a new rule button displayed in the preceding screenshot.
2. Use the following rule settings to enable ICMP pass-through:
- Action: Pass
- Interface: WAN
- Protocol: ICMP
- All others: Defaults
3. Click on the Save button at the bottom of the screen.
4. Click on the Apply Changes button at the top of the screen.
5. Use the Interface | WAN
navigation menu to enter the WAN interface configuration menu and
uncheck Block private networks. Apply the changes and return to
Firewall | Rules.
6. Click on the add new rule button.
7. Use the following rule settings to enable HTTP pass-through.
- Action: Pass
- Interface: WAN
- Protocol: TCP
- Destination port range: HTTP
8. Continue adding ports until the configuration matches the following:
At
this point any machine connected to VLAN1 can communicate through the
open ports as well as ping machines on the VLAN2 segment as can be seen
in the following screenshot
Finding out if the firewall is blocking certain ports:-
There
is a firewall; now what? The next step is to determine which ports are
being blocked by the firewall, or more importantly which are open.
Hping:-
Hping2 and Hping3 are included as part of the Kali Linux distribution. It can be accessed via the GUI navigation bar Applications | Kali Linux | Information Gathering | Live Host Identify Live Hosts | Hping3.
It can also be invoked at the command line by simply typing: hping2.
Hping2 is a powerful tool that can be used for various security testing
tasks. The following syntax can be used to find open ports while
remaining fully in control of your scan:
# hping3 -S 192.168.20.11 -c 80 -p ++1
This command allowed us to perform a SYN scan starting at port 1 and incrementing for 80 steps.
Depending
on the firewall configuration it may also be possible to send spoofed
packets. During a test it is beneficial to ensure that the configuration
does not allow for this behavior to occur. Hping is perfectly suited
for this task. The following is an example of how you may test if the
firewall allows this traffic to pass:
#hping3 -c 10 -S --spoof 192.168.20.11 -p 80 192.168.20.100
This command will spoof 10 packets from 192.168.20.11 to port 80 on 192.168.20.100. This is the basis for an idle scan and if successful would allow you to hping the 192.168.20.11
machine to look for an increase in the IP sequence number. In this case
we could enable monitoring on the pfSense machine to emulate what this
traffic looks like to a network administrator reviewing the logs.
Challenge
yourself to create and monitor different packets and uses of Hping so
that you can gain a good understanding of the traffic flow. The best
means of remaining undetected while testing is to fully understand the
technology that is being used. Take a look at the logs generated from a
successful scan and keep in mind that due to the amount of traffic
involved even secured networks will sometimes only log and trigger
events based on denied traffic.
Note:-Logging
per rule will need to be enabled on the firewall to see allowed
traffic. Not logging permitted traffic is fairly standard practice as it
reduces the firewall log size. Educate your clients that proactively
monitoring allowed traffic can also be beneficial when attempting to
truly secure a network.
Nmap firewalk script:-
One
of the easiest methods to test open ports on a firewall is to simply
use the firewalking script for Nmap. To test the open firewall ports you
will need a host behind the firewall as the target:
#nmap --script=firewalk --traceroute 192.168.20.11
The
command sequence is straightforward and familiar: we invoke nmap, use
the script option, and choose the firewalk script. We then provide the
input that firewalk needs by performing a traceroute to 192.168.20.11 which we know is behind our target firewall.
Although
we were able to determine which ports on the firewall were open (21,
80, and 443), if you take a look at the firewall denies it quickly
becomes apparent that this is not a quiet test and should only be used
when stealth is not needed. What this boils down to is that stealth
requires patience and a well made plan of action. It may be easier to
manually verify if there are any common ports open on the firewall and
then try to scan using one of the well-known ports.
Avoiding IDS:-
In
a secured environment you can count on running into IDS and IPS.
Properly configured and used as part of a true defense in depth model
increases their effectiveness tremendously. This means that the IDS will
need to be properly updated, monitored, and used in the proper
locations. A penetration tester will be expected to verify that the
IDS's are working properly in conjunction with all other security
controls to properly protect the environment.
The
primary method of bypassing any IDS is to avoid signatures that are
created to look for specific patterns. These signatures must be
fine-tuned to find only positively malicious behavior and should not be
so restrictive that alerts are triggered for normal traffic patterns.
Over the years, the maturity level of these signatures has increased
significantly, but a penetration tester or knowledgeable attacker will
be able to use various means to bypass even the most carefully crafted
signatures. In this section, we review some of the methods that have
been used by attackers in the wild.
Canonicalization Technique:-
Canonicalization
refers to the act of substituting various inputs for the canonical name
of a file or path. This practice can be as simple as substituting
hexadecimal representations ASCII text values. Here is an example of an
equivalent string:
• String A in Hex: "54:68:69:73:20:69:73:20:61:20:73:74:72:69:6e:67"
• String A in text: "This is a string"
• String A in ASCII: "084 104 105 115 032 105 115 032 097 032 115 116 114 105 110 103"
By
taking advantage of the fact there are sometimes literally thousands of
combinations possible for a single URL. To put this into perspective,
let's take a look at the address we can use to get from our browser to
our local Apache server:
#htpp://3232240651/
Luckily, this address confuses our Apache server and we receive the following message:
The
previous request attempted to load the local page at 127.0.0.1. Let's
see what occurs when we try to load the remote pfSense administration
console in the same manner:
#http://2130706433/
Here we are warned by the web server hosting the pfSense administrative console that a potential DNS Rebind attack occurred:
Let's try something else that actually works properly:
In the console, ping one of the addresses we listed above:
#ping 3232240651
As we can see, the IP address
resolved properly and we receive our replies as expected. This very same
concept is key when trying to bypass an IDS rule. If the type of IDS
can be determined, then it should be possible to get the signatures.
When reviewing these signatures you would look for opportunities to
obscure the URLs, filenames, or other path information enough that it is
able to bypass the existing ruleset.
Hacking - Operating System Fingerprinting using Different Tools & Techniques
After we know that the target machine is a live, we can then find out
the operating system used by the target machine. This method is commonly
known as Operating System (OS) fingerprinting.
There are two methods of doing OS fingerprinting:
In the active method, the tool sends network packets to the target
machine and then determines the operating system of the target machine
based on the analysis done on the response it has received. The
advantage of this method is that the fingerprinting process is fast.
However, the disadvantage is that the target machine may notice our
attempt to get its operating system's information.
To overcome the active method's disadvantage, there exists a passive
method of OS fingerprinting. This method was pioneered by Michal
Zalewsky when he released a tool called p0f. The disadvantage of the
passive method is that the process will be slower than the active
method.
In this section, we will describe a couple of tools that can be used for OS fingerprinting.
p0f:-
The p0f tool is used to fingerprint an
operating system passively. It can be used to identify an operating
system on the following machines:
• Machines that connect to your box (SYN mode; this is the default mode)
• Machines you connect to (SYN+ACK mode)
• Machines you cannot connect to (RST+ mode)
• Machines whose communications you can observe
The p0f tool works by analyzing the TCP packets sent during the network
activities. Then, it gathers the statistics of special packets that are
not standardized by default by any corporations.
An example is that the Linux kernel uses a 64-byte ping datagram,
whereas the Windows operating system uses a 32-byte ping datagram; or
the Time To Live (TTL ) value. For Windows, the TTL value is 128, while
for Linux this TTL value varies between the Linux distributions. These
information are then used by p0f to determine the remote machine's
operating system.
To use new version of p0f, just download the file from http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.07b.tgz
Download and extract that file and relocate that folder Now Let's use
p0f to identify the operating system used in a remote machine we are
connecting to. Just type the following command in your console:
#p0f -f p0f.fp -o log.log
This will read the fingerprint database from the /root/p0f-3.07b/p0f.fp
file and save the log information to the log.log file. It will then
display the following information:
Next, you need to generate network activities involving a TCP
connection, such as browsing to the remote machine or letting the remote
machine to connect to your machine.
I use Netcat in another terminal for do that
#nc 192.168.198.131 80
If p0f has successfully fingerprinted the operating system, you will see
information of the remote machine's operating system in the console and
in the log file.
Based on the preceding result, we know that the target is a Linux 2.6.x machine.
The following screenshot shows the information from the target machine:
By comparing this information, we know that p0f got the OS information
correctly. The remote machine is using Linux Version 2.6.You can stop
p0f by pressing the Ctrl + C key combination.
Nmap:-
Nmap is a very popular and capable port
scanner. Besides this, it can also be used to fingerprint a remote
machine's operating system. It is an active fingerprinting tool. To use
this feature, you can give the -O option to the nmap command.
For example, if we want to fingerprint the operating system used on the 192.168.198.131 machine, we use the following command:
#nmap –O 192.168.198.131
Nmap was able to get the correct operating system information after fingerprinting the operating system of a remote machine.
Identifying the Target Machine using Different Tools & Technique
The tools included in this category are
used to identify the target machines that can be accessed by a
penetration tester. Before we start the identification process, we need
to know our client's terms and agreements. If the agreements require us
to hide pen-testing activities, we need to conceal our penetration
testing activities. Stealth technique may also be applied for testing
the Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) functionality. If there are no such requirements, we may not need to conceal our penetration testing activities.
ping:-
The ping tool is the most famous tool
that is used to check whether a particular host is available. The ping
tool works by sending an Internet Control Message Protocol (ICMP)
echo request packet to the target host. If the target host is available
and the firewall is not blocking the ICMP echo request packet, it will
reply with the ICMP echo reply packet.
Note:-The ICMP echo request and ICMP echo reply are two of the available ICMP control messages.
Although you can't find ping in the Kali Linux menu, you can open the console and type the ping command with its options.
To use ping, you can just type ping and the destination address as shown in the following screenshot:
#Ping 192.168.126.130
In Kali Linux, by default, ping will run continuously until you press Ctrl + C.
The ping tool has a lot of options, but the following are a few options that are often used:
• The -c count: This is the number of echo request packets to be sent.
• The -I interface address: This is the network interface of the source address. The argument may
be a numeric IP address (such as 192.168.56.102) or the name of the
device (such as eth0). This option is required if you want to ping the
IPv6 link-local address.
• The -s packet size: This specifies the number of data bytes to be sent. The default is 56 bytes,
which translates into 64 ICMP data bytes when combined with the 8 bytes of
the ICMP header data.
Let's use the preceding information in practice.
Suppose you are starting with
internal penetration testing work. The customer gave you access to their
network using a LAN cable. And, they also gave you the list of target
servers' IP addresses.
The first thing you would want to do
before launching a full penetration testing arsenal is to check whether
these servers are accessible from your machine. You can use ping for
this task.
The target server is located at
192.168.126.130, while your machine has an IP address of
192.168.126.129. To check the target server availability, you can give
the following command:
#ping -c 1 192.168.126.130
The following screenshot is the result of the preceding ping command:
Note:-ping also accepts hostnames as the destination.
From the preceding screenshot, we know that there is one ICMP echo
request packet sent to the destination (IP address: 192.168.126.130).
Also, the sending host (IP address: 192.168.126.129) received one ICMP
echo reply packet. The round-trip time required is 1.326 ms, and there
is no packet loss during the process.
Let's see the network packets that are transmitted and received by our
machine. We are going to use Wireshark, a network protocol analyzer, on
our machine to capture these packets, as shown in the following
screenshot:
From the preceding screenshot, we can see that our host
(192.168.126.130) sent one ICMP echo request packet to the destination
host (192.168.126.129). Since the destination is alive and allows the
ICMP echo request packet, it will send the ICMP echo reply packet back
to our machine.
If your target is using an IPv6 address, such as fe80::20c:29ff:fee1:96df, you can use the ping6 tool to check its availability. You need to give the -I option for the command to work against the link-local address:
The following screenshot shows the packets sent to complete the ping6 request:
From the preceding screenshot, we know that ping6 is using the ICMPv6 request and reply.
Security Tip:-To block
the ping request, the firewall can be configured to only allow the ICMP
echo request packet from a specific host and drop the packets sent from
other hosts.
arping:-
The arping tool is used to ping a host in the Local Area Network (LAN) using the Address Resolution Protocol (ARP) request. You can use arping to ping a target machine using its IP, host, or Media Access Control (MAC) address.
The arping tool operates on Open System Interconnection (OSI) layer 2 (network layer), and it can only be used in a local network. Moreover, ARP cannot be routed across routers or gateways.
To start arping, you can use the console to execute the following command:
# arping
This will display brief usage information on arping.
You can use arping to get the target host's MAC address:
# arping 192.168.126.130 -c 1
From the previous command output, we can see that the target machine has a MAC address of 00:0c:29:e1:96:df.
Let's observe the network packets captured by Wireshark on our machine during the arping process:
From the preceding screenshot, we can see that our network card (MAC
address: Vmware_e1:96:df) sends an ARP request to a broadcast MAC
address (Vmware_46:15:dc), looking for the IP address 192.168.126.130.
If the IP address 192.168.126.130 exists, it will send an ARP reply
mentioning its MAC address (Vmware_46:15:dc), as can be seen from packet
number 2.
However, if the IP address is not available, there will be no ARP
replies, informing the MAC address of the 192.168.126.129 IP address, as
can be seen from the following screenshot:
Another common use of arping is to detect duplicate IP addresses in a
local network. For example, your machine is usually connected to a local
network using an IP address of 192.168.126.40; one day, you would like
to change the IP address. Before you can use the new IP address, you
need to check whether that particular IP address has already been used.
You can use the following arping command to help you detect whether the IP address of 192.168.126.140 has been used:
# arping -d -i eth0 192.168.126.140 -c 2
# echo $?
If the code returns 0, it means that the IP address is
available.Whereas, if the code returns 1, it means that the IP address
of 192.168.126.140 has been used by more than one machine.
fping:-
The difference between ping and fping is that the fping tool can be used to send a ping (ICMP echo)
request to several hosts at once. You can specify several targets on
the command line, or you can use a file containing the hosts to be
pinged.
In the default mode, fping works by monitoring the reply from the target
host. If the target host sends a reply, it will be noted and removed
from the target list. If the host doesn't respond for a certain time
limit, it will be marked as unreachable.
By default, fping will try to send three ICMP echo request packets to each target.
To access fping, you can use the console to execute the following command:
# fping -h
This will display the description of usage and options available in fping.
The following scenarios will give you an idea of the fping usage:
• If we want to know the alive hosts of 192.168.126.129, 192.168.126.130 and 192.168.126.2 at once, we can use the following command:
#fping 192.168.126.129 192.168.126.130 192.168.126.2
The following is the result of the preceding command:
• We can also generate the host list automatically without
defining the IP addresses one by one and identifying the alive hosts.
Let's suppose we want to know the alive hosts in the 192.168.56.0
network; we can use the -g option and define the network to check, using
the following command:
# fping -g 192.168.126.0/24
The result for the preceding command is as follows:
• If we want to change the number of ping attempts made to the
target, we can use the -r option (retry limit) as shown in the following
command line. By default, the number of ping attempts is three.
#fping -r 1 -g 192.168.126.130 192.168.126.2
The result of the command is as follows:
• Displaying the cumulative statistics can be done by giving the -s option (print cumulative statistics) as follows:
#fping -s www.yahoo.com www.google.com www.msn.com
The following is the result of the preceding command line:
hping3:-
The hping3 tool is a command-line
network packet generator and analyzer tool. The capability to create
custom network packets allows hping3 to be used for TCP/IP and security
testing, such as port scanning, firewall rule testing, and network
performance testing.
• Test firewall rules
• Test Intrusion Detection System (IDS)
• Exploit known vulnerabilities in the TCP/IP stack
To access hping3, go to the console and type hping3. You can give
commands to hping3 in several ways, via the command line, interactive
shell, or script.
Without any given command-line options, hping3 will send a null TCP packet to port 0.
In order to change to a different protocol, you can use the following options in the command line to define the protocol:
When using the TCP protocol, we can use the TCP packet without any flags
(this is the default behavior) or we can give one of the following flag
options:
Let's use hping3 for several cases as follows:
• Send one ICMP echo request packet to a 192.168.126.130 machine.
The options used are -1 (for the ICMP protocol) and -c 1 (to set the
count to one packet):
#hping3 -1 192.168.126.130 -c 1
The following is the output of the command:
From the preceding output, we can note that the target machine is alive
because it has replied to our ICMP echo request. To verify this, we
captured the traffic using tcpdump and the following screenshot shows
the packets:
We can see that the target has responded with an ICMP echo reply packet.
• Besides giving the options in the command line, you can also
use hping3 interactively. Open the console and type hping3. You will
then see a prompt where you can type your Tcl commands.
For the preceding example, the following is the corresponding Tcl script:
hping send {ip(daddr=192.168.56.101)+icmp(type=8,code=0)}
Open a command-line window and give the following command to get a response from the target server:
#hping recv eth0
After that, open another command-line window to input the sending request.
The following screenshot shows the response received:
• You can also use hping3 to check for a firewall rule. Let's suppose you have the following firewall rules:
° Accept any TCP packets directed to port 22 (SSH)
° Accept any TCP packets related with an established connection
° Drop any other packets
To check these rules, you can give the following command in hping3 in order to send an ICMP echo request packet:
#hping3 -1 192.168.126.130 -c 1
The following code is the result:
We can see that the target machine has responded to our ping probe.
nping:-
The nping
tool is a tool that allows users to generate network packets of a wide
range of protocols (TCP, UDP, ICMP, and ARP). You can also customize the
fields in the protocol headers, such as the source and destination port
for TCP and UDP. The difference between nping and other similar tools
such as ping is that nping supports multiple target hosts and port
specification.
It can be used to send an ICMP echo
request just like in the ping command. nping can also be used for
network stress testing, Address Resolution Protocol (ARP) poisoning, and
the denial of service attacks.
In Kali Linux, nping is included with the Nmap package.The following are several probe modes supported by nping:
You need to open a console and type nping. This will display the usage and options' description.
In order to use nping to send an ICMP echo request to the target
machines 192.168.198.129, 192.168.198.130, and 192.168.198.131, you can
give the following command:
#nping -c 1 192.168.198.129-131
The following screenshot shows the command output:
From the preceding screenshot, we know that only the 192.168.198.131 machine is sending back the ICMP echo reply packet.
If the machine is not responding to the ICMP echo request packet ,you
can still find out whether it is alive by sending a TCP SYN packet to an
open port in that machine.For example, to send one (-c 1) TCP packet
(--tcp) to the IP address 192.168.198.131 port 22 (-p 22), you can give
the following command:
#nping --tcp -c 1 -p 22 192.168.198.131
Of course, you need to guess the ports which are open. We suggest that
you try with the common ports, such as 21, 22, 23, 25, 80, 443, 8080,
and 8443.
The following screenshot shows the result of the mentioned example:
From the preceding result, we can see that the remote machine
(192.168.198.131) is alive because when we sent the TCP packet to port
22, the target machine responded.
alive6:-
If you want to discover which machines are alive in an IPv6 environment,
you can't just ask the tool to scan the whole network. This is because
the address space is very huge. You may find that the machines have a
64-bit network range. Trying to discover the machines sequentially in
this network will require at least 264 packets. Of course, this is not a
feasible task in the real world.
Fortunately, there is a protocol called ICMPv6 Neighbor Discovery. This
protocol allows an IPv6 host to discover the link-local and
autoconfigured addresses of all other IPv6 systems on the local network.
In short, you can use this protocol to find a live host on the local
network subnet.
To help you do this, there is a tool called alive6, which can send an
ICMPv6 probe and is able to listen to the responses. This tool is part
of the THC-IPv6 Attack Toolkit developed by van Hauser from The Hackers
Choice group.
Suppose you want to find the active IPv6 systems on your local IPv6
network, the following command can be given with the assumption that the
eth0 interface is connected to the LAN:
#alive6 -p eth0
detect-new-ip6:-
This tool can be used if you want to detect the new IPv6 address joining
a local network. This tool is part of the THC-IPv6 Attack Toolkit
developed by van Hauser from The Hackers Choice group.
To access detect-new-ipv6, go to the console and type detect-new-ipv6. This will display the usage information.
Following is a simple usage of this tool; we want to find the new IPv6 address that joined the local network:
#detect-new-ip6 eth0
passive_discovery6:-
This tool can be used if you want to
sniff out the local network to look for the IPv6 address. This tool is
part of the THC-IPv6 Attack Toolkit developed by van Hauser from The
Hackers Choice group. Getting the IPv6 address without being detected by
an IDS can be useful.
To access passive_discovery6, go to
the console and type passive_discovery6. This will display the usage
information on the screen.The following command is an example of running
this tool:
#passive_discovery6 eth0
This tool simply waits for the ARP request/reply by monitoring the
network, and then it maps the answering hosts. The following are the
IPv6 addresses that can be discovered by this tool on the network:
• fe80::539:3035:77a4:dc68
• fe80::20c:29ff:fee1:96df
nbtscan:-
If you are doing an internal penetration
testing on a Windows environment, the first thing you want to do is get
the NetBIOS information. One of the tools that can be used to do this
is nbtscan.
The nbtscan tool will produce a report that contains the IP address,
NetBIOS computer name, services available, logged in username, and MAC
address of the corresponding machines. The NetBIOS name is useful if you
want to access the service provided by the machine using the NetBIOS
protocol that is connected to an open share. Be careful as using this
tool will generate a lot of traffic and it may be logged by the target
machines.
To access nbtscan, you can open the console and type nbtscan. As an
example, I want to find out the NetBIOS name of the computers located in
my network (192.168.198.0/24). The following is the command to be used:
#nbtscan 192.168.198.1-254
From the preceding result, we are able to find three NetBIOS names, METASPLOITABLE.
Let's find the service provided by these machines by giving the following command:
#nbtscan -hv 192.168.198.1-254
Option -h will print the service in a human-readable name. While, option -v will give more verbose output information.
From the preceding result, we can see that there are many services
available on METASPLOITABLE: Workstation,Messanger,File Server etc.
In our experience, this information is very useful because we know
which machine has a file sharing service. Next, we can continue to check
whether the file sharing services are open so that we can access the
files stored on those file sharing services.
URL: http://kungfuhacking.blogspot.in
