Core dump overflow

Core dump in progress...

Kali tools catalog - Information Gathering

| Comments

Kali is an awesome distribution for pentesting. But with so many choices, one may find it daunting to find a specific tool for a task without having used it before. Or maybe you’re wondering about some tools but don’t feel like testing every single one. So I decided to briefly go over the tools provided by Kali and provide a quick description. Where available, I will use the ones presented on their respective websites / manpages etc.

So, let’s begin!

DNS Analysis

dnsdict6

Enumerates a domain for DNS entries, it uses a dictionary file if supplied or a built-in list otherwise. This tool is based on dnsmap by gnucitizen.org.

dnsdict6

dnsenum

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

dnsenum

dnsmap

dnsmap is mainly meant to be used by pentesters during the informatio ngathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).

dnsmap

dnsrecon

DNS Enumueration and Scanning Tool

The script will perform the following:

Standard Record Enumeration for a given domain (A, NS, SOA and MX).

Top Leven Domain Expansion for a given domain.

Zone Transfer against all NS records of a given domain.

Reverse Lookup against a given IP Range given a start and end IP.

SRV Record enumeration

Brute force hostnames and subdomains of a given target domain using a wordlist.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Version: 0.8.8
Usage: dnsrecon.py <options>

Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.

                               rvl      To Reverse Look Up a given CIDR IP range.

                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.

                               srv      To Enumerate common SRV Records for a given 

                                        domain.

                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.

                               goo      Perform Google search for sub-domains and hosts.

                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.

                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA

                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is 
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.

dnsrevenum6

Performs a fast reverse DNS enumeration and is able to cope with slow servers.

dnsrevenum6

dnstracer

Determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

dnstracer

dnswalk

DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as for correctness according to accepted practices with the Domain Name System.

fierce

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That’s especially useful in targeted malware.

urlcrazy

Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.

urlcrazy

IDS/IPS Identification

fragroute

intercept, modify, and rewrite egress traffic

fragroute

fragrouter

network intrusion detection evasion toolkit

fragrouter

ftest

FTester is a tool designed for testing firewalls filtering policies and Intrusion Detection System (IDS) capabilities.

ftest

lbd

load balancing detector – Checks if a given domain uses load-balancing

wafw00f

Web Application Firewall Detection Tool

wafw00f

Live Host Identification

alive6

an effective alive scanner, which will detect all systems listening to this address

alive6

arping

sends ARP and/or ICMP requests to the specified host and displays the replies.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
ARPing 2.11, by Thomas Habets <thomas@habets.se>
usage: arping [ -0aAbdDeFpqrRuv ] [ -w <us> ] [ -S <host/ip> ]
              [ -T <host/ip ] [ -s <MAC> ] [ -t <MAC> ] [ -c <count> ]
              [ -i <interface> ] <host/ip/MAC | -B>

Options:

    -0     Use this option to ping with source IP address 0.0.0.0. Use this
           when you haven't configured your interface yet.  Note that  this
           may  get  the  MAC-ping  unanswered.   This  is  an alias for -S
           0.0.0.0.
    -a     Audiable ping.
    -A     Only count addresses matching  requested  address  (This  *WILL*
           break  most things you do. Only useful if you are arpinging many
           hosts at once. See arping-scan-net.sh for an example).
    -b     Like -0 but source broadcast source  address  (255.255.255.255).
           Note that this may get the arping unanswered since it's not nor-
           mal behavior for a host.
    -B     Use instead of host if you want to address 255.255.255.255.
    -c count
           Only send count requests.
    -d     Find duplicate replies. Exit with 1 if there are answers from
           two different MAC addresses.
    -D     Display answers as exclamation points and missing packets as dots.
    -e     Like -a but beep when there is no reply.
    -F     Don't try to be smart about the interface name.  (even  if  this
           switch is not given, -i overrides smartness)
    -h     Displays a help message and exits.
    -i interface
           Use the specified interface.
    -q     Does not display messages, except error messages.
    -r     Raw output: only the MAC/IP address is displayed for each reply.
    -R     Raw output: Like -r but shows "the other one", can  be  combined
           with -r.
    -s MAC Set source MAC address. You may need to use -p with this.
    -S IP  Like  -b and -0 but with set source address.  Note that this may
             get the arping unanswered if the target does not have routing to
           the  IP.  If you don't own the IP you are using, you may need to
           turn on promiscious mode on the interface (with -p).  With  this
           switch  you can find out what IP-address a host has without tak-
           ing an IP-address yourself.
    -t MAC Set target MAC address to use when pinging IP address.
    -T IP  Use -T as target address when pinging MACs that won't respond to
           a broadcast ping but perhaps to a directed broadcast.
           Example:
           To check the address of MAC-A, use knowledge of MAC-B and  IP-B.
           $ arping -S <IP-B> -s <MAC-B> -p <MAC-A>
    -p     Turn  on  promiscious  mode  on interface, use this if you don't
           "own" the MAC address you are using.
    -u     Show index=received/sent instead  of  just  index=received  when
           pinging MACs.
    -v     Verbose output. Use twice for more messages.
    -w     Time to wait between pings, in microseconds.
Report bugs to: thomas@habets.se
Arping home page: <http://www.habets.pp.se/synscan/>
Development repo: http://github.com/ThomasHabets/arping

cdpsnarf

Cisco Discovery Protocol Sniffer

CDPSnarf is a network sniffer exclusively written to extract information from CDP packets. It provides all the information a “show cdp neighbors detail” command would return on a Cisco router and even more.

cdpsnarf

detect-new-ip6

This tool detects new IPv6 addresses joining the local network.

detect-new-ip6

detect_sniffer6

Tests if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X and *BSD If no target is given, the link-local-all-nodes address is used, which however not always works.

dmitry

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux command line application with the ability to gather as much information as possible about a host.

Basic functionality of DMitry allows for information to be gathered about a target host from a simple whois lookup on the target to uptime reports and TCP portscans.

The application is considered a tool to assist in information gathering when information is required quickly by removing the need to enter multiple commands and the timely process of searching through data from multiple sources.

dmitry

dnmap-client & dnmap-server

dnmap is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and send those commands to each client connected to it. The framework use a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client. Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you)

1
2
3
4
5
6
7
usage: /usr/bin/dnmap_client <options>
options:
  -s, --server-ip        IP address of dnmap server.
  -p, --server-port      Port of dnmap server. Dnmap port defaults to 46001
  -a, --alias      Your name alias so we can give credit to you for your help. Optional
  -d, --debug      Debuging.
  -m, --max-rate      Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.
1
2
3
4
5
6
7
8
9
10
11
12
13
usage: /usr/bin/dnmap_server <options>
options:
  -f, --nmap-commands        Nmap commands file
  -p, --port        TCP port where we listen for connections.
  -L, --log-file        Log file. Defaults to /var/log/dnmap_server.conf.
  -l, --log-level       Log level. Defaults to info.
  -v, --verbose_level         Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
  -t, --client-timeout         How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
  -s, --sort          Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
  -P, --pem-file         pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.

dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
just delete the '<nmap-commands-file-name>.dnmaptrace' file

fping

send ICMP ECHO_REQUEST packets to network hosts

fping

hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform at least the following stuff:

  • Test firewall rules
  • Advanced port scanning
  • Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
  • Path MTU discovery
  • Transferring files between even really fascist firewall rules.
  • Traceroute-like under different protocols.
  • Firewalk-like usage.
  • Remote OS fingerprinting.
  • TCP/IP stack auditing.
  • A lot of others.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood    sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt     Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)

inverse_lookup6

Performs an inverse address query, to get the IPv6 addresses that are assigned to a MAC address. Note that only few systems support this yet.

miranda

Miranda can discover UPnP hosts either passively or actively, and all of a host’s reported devices types, services, actions and variables can be enumerated with a single command.

miranda

ncat

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project and is the culmination of the currently splintered family of Netcat incarnations. It is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.

Among Ncat’s vast number of features there is the ability to chain Ncats together; redirection of TCP, UDP, and SCTP ports to other sites; SSL support; and proxy connections via SOCKS4 or HTTP proxies (with optional proxy authentication as well).

ncat

netdiscover

an active/passive arp reconnaissance tool.

netdiscover

passive_discovery6

Passivly sniffs the network and dump all client’s IPv6 addresses detected.

passive_discovery6

thcping6

Craft a ICMPv6/TCP/UDP packet with special IPv6 or EH header options.

thcping6

wol-e

WOL-E is a suite of tools for the Wake on LAN feature of network attached computers, this is now enabled by default on many Apple computers. These tools include:

Bruteforcing the MAC address to wake up clients Sniffing WOL attempts on the network and saving them to disk Sniffing WOL passwords on the network and saving them to disk Waking up single clients (post sniffing attack) Scanning for Apple devices on the network for WOL enabling Sending bulk WOL requests to all detected Apple clients.

wol-e

xprobe2

xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.

xprobe2

Network Scanners

nmap

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
Nmap 6.47 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of 
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

unicornscan

asynchronous network stimulus delivery/response recoring tool.

unicornscan

zenmap

Zenmap is a multi-platform graphical Nmap frontend and results viewer. Zenmap aims to make Nmap easy for beginners to use while giving experienced Nmap users advanced features. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

zenmap

OS Fingerprinting

Covered in the above

OSINT Analysis

casefile

CaseFile is the little brother to Maltego. It targets a unique market of ‘offline’ analysts whose primary sources of information are not gained from the open-source intelligence side or can be programmatically queried. We see these people as investigators and analysts who are working ‘on the ground’, getting intelligence from other people in the team and building up an information map of their investigation.

CaseFile gives you the ability to quickly add, link and analyze data having the same graphing flexibility and performance as Maltego without the use of transforms.

casefile

creepy

creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

creepy

jigsaw

Email harvesting, can search on jigsaw.com

maltego

Maltego is a program that can be used to determine the relationships and real world links between:

People

Groups of people (social networks)

Companies

Organizations

Web sites

Internet infrastructure such as:

Domains

DNS names

Netblocks

IP addresses

Phrases

Affiliations

Documents and files

These entities are linked using open source intelligence.

maltego

metagoofil

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.

Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.

metagoofil

recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

recon-ng

theharvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.

theharvester

twofi

Twitter Words Of Interest

Build a custom wordlist based on Twitter keywords

twofi

Route analysis

0trace

Trace route to target

intrace

InTrace is a traceroute-like application that enables users to enumerate IP hops exploiting existing TCP connections, both initiated from local network (local system) or from remote hosts.

netmask

This program accepts and produces a variety of common network address and netmask formats. Not only can it convert address and netmask notations, but it will optimize the masks to generate the smallest list of rules. This is very handy if you’ve ever configured a firewall or router and some nasty network administrator before you decided that base 10 numbers were good places to start and end groups of machines.

netmask

trace6

A basic but very fast traceroute6 program. If no port is specified, ICMP6 Ping requests are used, otherwise TCP SYN packets to the specified port.

trace6

Service Fingerprinting

implementation6

Performs some IPv6 implementation checks, can be used to test some firewall features too. Takes approx. 2 minutes to complete.

implementation6

implementation6d

Identifies test packets by the implementation6 tool, useful to check what packets passed a firewall

sslscan

SSLScan is a fast SSL port scanner. SSLScan connects to SSL ports and determines what ciphers are supported, which are the servers preferred ciphers, which SSL protocols are supported and returns the SSL certificate. Client certificates / private key can be configured and output is to text / XML.

sslscan

sslyze

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify misconfigurations affecting their SSL servers.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
Usage: sslyze [options] target1.com target2.com:443 etc...

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --xml_out=XML_FILE    Writes the scan results as an XML document to the file
                        XML_FILE.
  --targets_in=TARGETS_IN
                        Reads the list of targets to scan from the file
                        TARGETS_IN. It should contain one host:port per line.
  --timeout=TIMEOUT     Sets the timeout value in seconds used for every
                        socket connection made to the target server(s).
                        Default is 5s.
  --https_tunnel=HTTPS_TUNNEL
                        Sets an HTTP CONNECT proxy to tunnel SSL traffic to
                        the target server(s). HTTP_TUNNEL should be
                        'host:port'. Requires Python 2.7
  --starttls=STARTTLS   Identifies the target server(s) as a SMTP or an XMPP
                        server(s) and scans the server(s) using STARTTLS.
                        STARTTLS should be 'smtp' or 'xmpp'.
  --xmpp_to=XMPP_TO     Optional setting for STARTTLS XMPP.  XMPP_TO should be
                        the hostname to be put in the 'to' attribute of the
                        XMPP stream. Default is the server's hostname.
  --regular             Regular HTTPS scan; shortcut for --sslv2 --sslv3
                        --tlsv1 --reneg --resum --certinfo --http_get
                        --hide_rejected_ciphers --compression --tlsv1_1
                        --tlsv1_2

  Client certificate support:
    --cert=CERT         Client certificate filename.
    --certform=CERTFORM
                        Client certificate format. DER or PEM (default).
    --key=KEY           Client private key filename.
    --keyform=KEYFORM   Client private key format. DER or PEM (default).
    --pass=KEYPASS      Client private key passphrase.

  PluginOpenSSLCipherSuites:
    Scans the target server for supported OpenSSL cipher suites.

    --sslv2             Lists the SSL 2.0 OpenSSL cipher suites supported by
                        the server.
    --sslv3             Lists the SSL 3.0 OpenSSL cipher suites supported by
                        the server.
    --tlsv1             Lists the TLS 1.0 OpenSSL cipher suites supported by
                        the server.
    --tlsv1_1           Lists the TLS 1.1 OpenSSL cipher suites supported by
                        the server.
    --tlsv1_2           Lists the TLS 1.2 OpenSSL cipher suites supported by
                        the server.
    --http_get          Option - For each cipher suite, sends an HTTP GET
                        request after completing the SSL handshake and returns
                        the HTTP status code.
    --hide_rejected_ciphers
                        Option - Hides the (usually long) list of cipher
                        suites that were rejected by the server.

  PluginCertInfo:
    --certinfo=CERTINFO
                        Verifies the target server's certificate validity
                        against Mozilla's trusted root store, and prints
                        relevant fields of the certificate. CERTINFO should be
                        'basic' or 'full'.

  PluginSessionRenegotiation:
    --reneg             Tests the target server's support for client-initiated
                        renegotiations and secure renegotiations.

  PluginCompression:
    --compression       Tests the server for Zlib compression support.

  PluginSessionResumption:
    Analyzes the target server's SSL session resumption capabilities.

    --resum             Tests the server for session ressumption support,
                        using session IDs and TLS session tickets (RFC 5077).
    --resum_rate        Performs 100 session resumptions with the target
                        server, in order to estimate the session resumption
                        rate.

tlssled

ssl tls scanner

SMB Analysis

acccheck

Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been chosen, and tries a combination of usernames and passwords in the hope to identify the password to a given account via a dictionary password guessing attack.

acccheck

nbtscan

nbtscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address (such as Ethernet).

nbtscan

SMTP Analysis

smtp-user-enum

Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO

smtp-user-enum

swaks

Swiss Army Knife SMTP, the all-purpose smtp transaction tester

swaks’ primary design goal is to be a flexible, scriptable, transaction-oriented SMTP test tool. It handles SMTP features and extensions such as TLS, authentication, and pipelining; multiple version of the SMTP protocol including SMTP, ESMTP, and LMTP; and multiple transport methods including unix-domain sockets, internet- domain sockets, and pipes to spawned processes. Options can be specified in environment variables, configuration files, and the command line allowing maximum configurability and ease of use for operators and scripters.

SNMP Analysis

braa

Braa is a tool for making SNMP queries. It is able to query hundreds or thousands of hosts simultaneously, while being completely single-threaded. It does not need any SNMP libraries, as it is equipped with its own SNMP engine

braa

cisco-auditing-tool

Perl script which scans cisco routers for common vulnerabilities. Checks for default passwords, easily guessable community names, and the IOS history bug. Includes support for plugins and scanning multiple hosts.

cisco-auditing-tool

cisco-torch

mass scanning, application layer fingerprinting, and exploitation tool to discover and attack remote Cisco hosts running Telnet, SSH, Web, TFTP, NTP and SNMP services. Useful in auditing large networks for misconfigured/un-updated Ciscos.

cisco-torch

copy-router-config

copy an entire router configuration file from a Cisco device

copy-router-config

merge-router-config

make changes to a Cisco router configuration file and merge those changes to a Cisco router

onesixtyone

simple SNMP scanner which sends requests for the sys‐Descr value asynchronously with user-adjustable sending times.

onesixtyone

snmpcheck

SNMP device enumerator

snmpcheck

SSL Analysis

sslcaudit

This tool is designed to automate testing SSL/TLS clients for resistance against MITM attacks

sslcaudit

ssldump

ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

sslh

ssl/ssh multiplexer

sslh

sslsniff

sslsniff is designed to create man-in-the-middle (MITM) attacks for SSL/TLS connections, and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that is provided. sslsniff also supports other attacks like null-prefix or OCSP attacks to achieve silent interceptions of connections when possible.

sslsniff

sslsplit

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

sslsplit

sslstrip

SSL/TLS man-in-the-middle attack tool

sslstrip

stunnel

The stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels.

stunnel

Telephony Analysis

ace

Automated Corporate (Data) Enumerator

ace

Traffic Analysis

irpas-ass

Autonomous System Scanner

irpass-cdp

This program is for sending CDP (Cisco router Discovery Protocol) messages to the wire.

irpass-cdp

p0f

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

Some of its capabilities include:

  • Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms,

  • Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), and so on.

  • Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

  • Detection of dishonest clients / servers that forge declarative statements such as X-Mailer or User-Agent.

p0f

tcpflow

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging.

tcpflow

wireshark

Wireshark is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file.

wireshark

VoIP Analysis

enumiax

enumIAX is an Inter Asterisk Exchange version 2 (IAX2) protocol username brute-force enumerator.

enumiax

VPN Analysis

ike-scan

Discover and fingerprint IKE hosts (IPsec VPN servers)

1
2
3
4
5
6
7
8
9
10
Target hosts must be specified on the command line unless the --file option is
given, in which case the targets are read from the specified file instead.

The target hosts can be specified as IP addresses or hostnames.  You can also
specify IPnetwork/bits (e.g. 192.168.1.0/24) to specify all hosts in the given
network (network and broadcast addresses included), and IPstart-IPend
(e.g. 192.168.1.3-192.168.1.27) to specify all hosts in the inclusive range.

These different options for specifying target hosts may be used both on the
command line, and also in the file specified with the --file option.

Ok, that took forever. I will make posts with the other categories as well.

The only way to keep your health is to eat what you don’t want, drink what you don’t like, and do what you’d rather not.

— Mark Twain

Comments