임시

This program was written in the hopes that a more precise testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.

Conceptually, fragrouter is just a one-way fragmenting router – IP packets get sent from the attacker to the fragrouter, which transforms them into a fragmented data stream to forward to the victim.

ettercap: http://kkn1220.tistory.com/63 참고

dsniff: http://kkn1220.tistory.com/72 참고 

fragrouter 부분 또한 http://kkn1220.tistory.com/72 에서 dnsspoof 부분을 참고

실제 웹페이지 패스워드 도청: http://kkn1220.tistory.com/32 참고

First what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole Internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.

syntax: #fierce -dns example.com

-delay    The number of seconds to wait between lookups.

-dns     The domain you would like scanned.

-dnsfile   Use DNS servers provided by a file (one per line) for reverse lookups (brute force).

-dnsserver Use a particular DNS server for reverse lookups 

-file A file you would like to output to be logged to.

-help This screen.

-range Scan an internal IP range (must be combined with -dnsserver).  

Usage: #fierce-range 111.222.333.0-255 -dnsserver ns1.example.co

-search  Search list.  When fierce attempts to traverse up and

down ipspace it may encounter other servers within other

domains that may belong to the same company.  If you supply a 

comma delimited list to fierce it will report anything found.

This is especially useful if the corporate servers are named

different from the public facing website.  

Usage: #fierce -dns examplecompany.com -search corpcompany,blahcompany 

Note that using search could also greatly expand the number of

hosts found, as it will continue to traverse once it locates

servers that you specified in your search list.  The more the

better.

-traverse Specify a number of IPs above and below whatever IP you

have found to look for nearby IPs.  Default is 5 above and 

below.  Traverse will not move into other C blocks.

-wordlist Use a seperate wordlist (one word per line).  

Usage: #fierce -dns examplecompany.com -wordlist dictionary.txt

output("Okay, trying the good old fashioned way... brute force"); 

$wordlist = $wordlist || 'hosts.txt'; 

if (-e $wordlist) { 

# user provided or default 

open (WORDLIST, '<', $wordlist) or 

open (WORDLIST, '<', 'hosts.txt') or 

quit_early("Can't open $wordlist or the default wordlist");

Searchable archive from The Exploit Database.

A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.

Overview:

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.

The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.

Key features:

RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)

User listing (When RestrictAnonymous is set to 0 on Windows 2000)

Listing of group membership information

Share enumeration

Detecting if host is in a workgroup or a domain

Identifying the remote operating system

Password policy retrieval (using polenum)

#enum4linux -v target-ip

자세히 모드

#enum4linux -a target-ip

target에 대해 모든 옵션 실행(apart from dictionary based share name guessing)

#enum4linux -U target-ip

username list 출력

#enum4linux -u administrator -p password -U target-ip

username, password 명시

#enum4linux -r target-ip

RID 사이클을 통해 user 나열

#enum4linux -R 500-550 target-ip

RID범위를 지정하여 실행

#enum4linux -G target-ip

그룹과 멤버리스트 출력

#enum4linux -S target-ip

sharelist 출력

#enum4linux -s <share_file> target-ip

share_file을 가지고 무차별 대입 실시

#enum4linux -o target-ip

os정보 출력

등등

It’s a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.

It’s written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version:

HTTP

HTTP URL

FTP

TFTP

Payload (Protocol independent)

STDOUT

./dotdotpwn.pl -m http -h 192.168.1.1 -x 8080 -f /etc/hosts -k "localhost" -d 8 -t 200 -s

-m(mode), -h(hostname), -x(port), -f(file), -k(text pattern), -d(depth of traversals), -t(request time), -s(service)

./dotdotpwn.pl -m http-url -u http://192.168.1.1:10000/unauthenticated/TRAVERSAL -O -k "root:" -r webmin.txt

-m(mode), -u(specified URL), -O(os), -k(text pattern), -r(report file name)

./dotdotpwn.pl -m ftp -h 192.168.1.1 -s -U nitr0us -P n1tr0u5pwnzj00 -o windows -q -r ftp_server.txt

-m(mode), -h(hostname), -s(sevice), -U(specified Username), -P(password), -o(known os), -q(quiet mode)

./dotdotpwn.pl -m tftp -h 192.168.1.1 -b -t 1 -f windows/system32/drivers/etc/hosts

-m(mode), -h(hostname), -b(취약점 발견시 종료), -t(request time), -f(file)

./dotdotpwn.pl -m payload -h 192.168.1.1 -x 10000 -p payload_sample_1.txt -k "root:" -f /etc/passwd

./dotdotpwn.pl -m stdout -d 5

The Traversal Engine will create fuzz pattern strings with 8 levels of deepness and DotDotPwn will 

print the results to STDOUT, so you can use it as you wish, by example, passing the traversal 

patterns as a parameter to another application, pipe, socket, etc.

dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.

OPTIONS

-r     Recursively descend sub-domains of the specified domain.  Use with care.

-a     Turn on warning of duplicate A records.  (see below)

-d     Print debugging and 'status' information to stderr.  (Use only if redirecting stdout)  See

       DIAGNOSTICS section.

-m     Perform checks only if the zone has been modified since the previous run.

-F     perform  "fascist"  checking.  When checking an A record, compare the PTR name for each IP

       address with the forward name and report mismatches.  (see below)   I  recommend  you  try

       this option at least once to see what sorts of errors pop up - you might be surprised!.

-i     Suppress check for invalid characters in a domain name.  (see below)

-l     Perform  "lame  delegation"  checking.   For every NS record, check to see that the listed

      host is indeed returning authoritative answers for this domain.

X A Y: no PTR record

              X  has an IP address Y, but there is no PTR record to map the IP address Y back to a host‐

              name (usually X). Many Internet servers (such as anonymous FTP servers) will not  talk  to

              addresses that don't have PTR records.

dnstracer determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.

Non-recursive means: if the name-server knows it, it will return the data requested.
If the name-server doesn't know it, it will return pointers to name-servers that are authoritive for the domain part in

the name or it will return the addresses of the root name-servers.

DNSRecon provides the ability to perform:

• Check all NS Records for Zone Transfers
• Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
• Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
• Check for Wildcard Resolution
• Brute Force subdomain and host A and AAAA records given a domain and a wordlist
• Perform a PTR Record lookup for a given IP Range or CIDR
• Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
• Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google

Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. 

dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

OPERATIONS:

• Get the host’s addresse (A record).
• Get the namservers (threaded).
• Get the MX record (threaded).
• Perform axfr queries on nameservers and get BIND VERSION (threaded).
• Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).
• Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
• Calculate C class domain network ranges and perform whois queries on them (threaded).
• Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).
• Write to domain_ips.txt file ip-blocks.