임시

Re-building은 build-firmware.sh [-nopad] [-min]

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. A subset of the stuff you can do using hping:

-Firewall testing

-Advanced port scanning

-Network testing, using different protocols, TOS, fragmentation

-Manual path MTU discovery

-Advanced traceroute, under all the supported protocols

-Remote OS fingerprinting

-Remote uptime guessing

-TCP/IP stacks auditing

-hping can also be useful to students that are learning TCP/IP.

Base

-c, --count: 지정한 패킷만 전송 후 종료

-i, --interval: 간격 정하기

 --fast      alias for -i u10000 (10 packets for second)

      --faster    alias for -i u1000 (100 packets for second)

      --flood    sent packets as fast as possible. Don't show replies.

-V, --verbose: 자세히 보기

IP Related

-a, --spoof: 출발지 ip 변조 (상당히 강력)

--rand-source: 출발지 ip를 랜덤값으로 바꿈(MAC 주소는 안바뀐다고 들었는데 확인 필요)

TCP/UDP Related

-p, --destport: 목적지 port

TCP Flags

-F --fin,  -S --syn, -R --rst, -A --ack

MODE

-1: icmp

-2: udp

-8: scan

Use this tool to search for a specific file type in a given domain.

GoLismero is an open source framework for security testing. It’s currently geared towards web security, but it can easily be expanded to other kinds of scans.

The most interesting features of the framework are:

Real platform independence. Tested on Windows, Linux, *BSD and OS X.

No native library dependencies. All of the framework has been written in pure Python.

Good performance when compared with other frameworks written in Python and other scripting languages.

Very easy to use.

Plugin development is extremely simple.

The framework also collects and unifies the results of well known tools: sqlmap, xsser, openvas, dnsrecon, theharvester

Integration with standards: CWE, CVE and OWASP.

Designed for cluster deployment in mind (not available yet).

$su

# apt-get install python2.7 python2.7-dev python-pip python-docutils git perl nmap sslscan

#cd /opt

#git clone https://github.com/golismero/golismero.git

#cd golismero

#pip install -r requirements.txt

#pip install -r requirements_unix.txt

#ln -s /opt/golismero/golismero.py /usr/bin/golismero

#exit

$sudo -s

#easy_install-2.7 -U distribute

#easy_install install pip

#port install nmap sslscan

#cd /opt

#git clone https://github.com/golismero/golismero.git

#cd golismero

#pip install -r requirements.txt

#pip install -r requirements_unix.txt

#ln -s /opt/golismero/golismero.py /usr/bin/golismero

#exit

cd %HOME%

git clone https://github.com/golismero/golismero.git

cd golismero

pip install -r requirements.txt

Plugin list

-------------

-= Import plugins =-

csv_nikto:

    Import the results of a Nikto scan in CSV format.

csv_spiderfoot:

    Import the results of a SpiderFoot scan in CSV format.

xml_nmap:

    Import the results of an Nmap scan in XML format.

xml_openvas:

    Import the results of an OpenVAS scan in XML format.

xml_sslscan:

    Import the results of an SSLScan run in XML format.

-= Recon plugins =-

dns:

    DNS resolver plugin.

    Without it, GoLismero can't resolve domain names to IP addresses.

dns_malware:

    Detect if a domain has been potentially spoofed, hijacked.

exploitdb:

    Integration with Exploit-DB (http://www.exploit-db.com/)

    This plugin requires a working Internet connection to run.

fingerprint_web:

    Fingerprinter of web servers.

geoip:

    Geolocates IP addresses using online services.

    This plugin requires a working Internet connection to run.

punkspider:

    Integration with PunkSPIDER (http://punkspider.hyperiongray.com/)

    This plugin requires a working Internet connection to run.

robots:

    Analyzes robots.txt files and extracts their links.

shodan:

    Integration with Shodan: http://www.shodanhq.com/

    This plugin requires a working Internet connection to run.

spider:

    Web spider plugin.

    Without it, GoLismero can't crawl web sites.

spiderfoot:

    Integration with SpiderFoot: http://www.spiderfoot.net/

theharvester:

    Integration with theHarvester: https://github.com/MarioVilas/theHarvester/

-= Scan plugins =-

brute_directories:

    Tries to discover hidden folders by brute force:

    www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...

brute_dns:

    Tries to find hidden subdomains by brute force.

brute_url_extensions:

    Tries to discover hidden files by brute force:

    www.site.com/index.php -> www.site.com/index.php.old

brute_url_permutations:

    Tries to discover hidden files by bruteforcing the extension:

    www.site.com/index.php -> www.site.com/index.php2

brute_url_predictables:

    Tries to discover hidden files at predictable locations.

    For example: (Apache) www.site.com/error_log

brute_url_prefixes:

    Tries to discover hidden files by bruteforcing prefixes:

    www.site.com/index.php -> www.site.com/~index.php

brute_url_suffixes:

    Tries to discover hidden files by bruteforcing suffixes:

    www.site.com/index.php -> www.site.com/index2.php

nikto:

    Integration with Nikto: https://www.cirt.net/nikto2

nmap:

    Integration with Nmap: http://nmap.org/

openvas:

    Integration with OpenVAS: http://www.openvas.org/

plecost:

    WordPress vulnerabilities analyzer, completely rewritten for GoLismero,

    based on the original idea of Plecost (https://code.google.com/p/plecost/)

    and their team: @ffranz and @ggdaniel

sslscan:

    Integration with SSLScan: http://sourceforge.net/projects/sslscan/

zone_transfer:

    Detects and exploits DNS zone transfer vulnerabilities.

-= Attack plugins =-

heartbleed:

    Test for the CVE-2014-0160 vulnerability (aka "heartbleed attack").

sqlmap:

    SQL Injection plugin, using SQLMap.

    Only retrieves the DB banner, does not exploit any vulnerabilities.

xsser:

    Integration with XSSer: http://xsser.sourceforge.net/

-= Report plugins =-

bson:

    BSON (Binary JSON) output for programmatic access.

csv:

    Writes reports in Comma Separated Values format.

html:

    Writes reports as offline web pages.

json:

    JSON output for programmatic access.

latex:

    Writes reports in LaTeX document format (.tex).

log:

    Extracts only the logs.

ltsv:

    Extracts only the logs, in labeled tab-separated values format.

msgpack:

    MessagePack output for programmatic access.

    See: http://msgpack.org/

odt:

    Writes reports in OpenOffice document format (.odt).

rst:

    Writes reports in reStructured Text format.

text:

    Writes plain text reports to a file or on screen.

xml:

    XML output for programmatic access.

yaml:

    YAML output for programmatic access.

-= UI plugins =-

console:

    Console user interface. This is the default.

disabled:

    Empty user interface. Used by some unit tests.

[openvas]

host = localhost

[testing/scan/openvas]

user = admin

password = <your password>

[shodan:Configuration]

apikey = <your shodan key>

http://goo.gl/im2FLe for detailed instructions on setting up OpenVAS

http://www.shodanhq.com/account/register for a shodan API key

결론

1) linux deploy 다운로드

2) Distribution -> kali linux로 변경

3) Component -> X server, Kali components 추가

4) 우선 설치해보자(사용자 단말에 따라 image size 허용이 다를 수 있기 때문에)

5) 에러메시지 확인(에러 없으면 땡큐~)

The selected extractor cannot be found: ar

-> busybox meefik's 로 다시 설치

linux deploy making new disk image (512mb) fail

-> image size 7128로 변경

This program was written in the hopes that a more precise testing methodology might be applied to the area of network intrusion detection, which is still a black art at best.

Conceptually, fragrouter is just a one-way fragmenting router – IP packets get sent from the attacker to the fragrouter, which transforms them into a fragmented data stream to forward to the victim.

ettercap: http://kkn1220.tistory.com/63 참고

dsniff: http://kkn1220.tistory.com/72 참고 

fragrouter 부분 또한 http://kkn1220.tistory.com/72 에서 dnsspoof 부분을 참고

실제 웹페이지 패스워드 도청: http://kkn1220.tistory.com/32 참고

First what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole Internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.

syntax: #fierce -dns example.com

-delay    The number of seconds to wait between lookups.

-dns     The domain you would like scanned.

-dnsfile   Use DNS servers provided by a file (one per line) for reverse lookups (brute force).

-dnsserver Use a particular DNS server for reverse lookups 

-file A file you would like to output to be logged to.

-help This screen.

-range Scan an internal IP range (must be combined with -dnsserver).  

Usage: #fierce-range 111.222.333.0-255 -dnsserver ns1.example.co

-search  Search list.  When fierce attempts to traverse up and

down ipspace it may encounter other servers within other

domains that may belong to the same company.  If you supply a 

comma delimited list to fierce it will report anything found.

This is especially useful if the corporate servers are named

different from the public facing website.  

Usage: #fierce -dns examplecompany.com -search corpcompany,blahcompany 

Note that using search could also greatly expand the number of

hosts found, as it will continue to traverse once it locates

servers that you specified in your search list.  The more the

better.

-traverse Specify a number of IPs above and below whatever IP you

have found to look for nearby IPs.  Default is 5 above and 

below.  Traverse will not move into other C blocks.

-wordlist Use a seperate wordlist (one word per line).  

Usage: #fierce -dns examplecompany.com -wordlist dictionary.txt

output("Okay, trying the good old fashioned way... brute force"); 

$wordlist = $wordlist || 'hosts.txt'; 

if (-e $wordlist) { 

# user provided or default 

open (WORDLIST, '<', $wordlist) or 

open (WORDLIST, '<', 'hosts.txt') or 

quit_early("Can't open $wordlist or the default wordlist");

Searchable archive from The Exploit Database.

A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.

Overview:

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.

The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.

Key features:

RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)

User listing (When RestrictAnonymous is set to 0 on Windows 2000)

Listing of group membership information

Share enumeration

Detecting if host is in a workgroup or a domain

Identifying the remote operating system

Password policy retrieval (using polenum)

#enum4linux -v target-ip

자세히 모드

#enum4linux -a target-ip

target에 대해 모든 옵션 실행(apart from dictionary based share name guessing)

#enum4linux -U target-ip

username list 출력

#enum4linux -u administrator -p password -U target-ip

username, password 명시

#enum4linux -r target-ip

RID 사이클을 통해 user 나열

#enum4linux -R 500-550 target-ip

RID범위를 지정하여 실행

#enum4linux -G target-ip

그룹과 멤버리스트 출력

#enum4linux -S target-ip

sharelist 출력

#enum4linux -s <share_file> target-ip

share_file을 가지고 무차별 대입 실시

#enum4linux -o target-ip

os정보 출력

등등

It’s a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.

It’s written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version:

HTTP

HTTP URL

FTP

TFTP

Payload (Protocol independent)

STDOUT

./dotdotpwn.pl -m http -h 192.168.1.1 -x 8080 -f /etc/hosts -k "localhost" -d 8 -t 200 -s

-m(mode), -h(hostname), -x(port), -f(file), -k(text pattern), -d(depth of traversals), -t(request time), -s(service)

./dotdotpwn.pl -m http-url -u http://192.168.1.1:10000/unauthenticated/TRAVERSAL -O -k "root:" -r webmin.txt

-m(mode), -u(specified URL), -O(os), -k(text pattern), -r(report file name)

./dotdotpwn.pl -m ftp -h 192.168.1.1 -s -U nitr0us -P n1tr0u5pwnzj00 -o windows -q -r ftp_server.txt

-m(mode), -h(hostname), -s(sevice), -U(specified Username), -P(password), -o(known os), -q(quiet mode)

./dotdotpwn.pl -m tftp -h 192.168.1.1 -b -t 1 -f windows/system32/drivers/etc/hosts

-m(mode), -h(hostname), -b(취약점 발견시 종료), -t(request time), -f(file)

./dotdotpwn.pl -m payload -h 192.168.1.1 -x 10000 -p payload_sample_1.txt -k "root:" -f /etc/passwd

./dotdotpwn.pl -m stdout -d 5

The Traversal Engine will create fuzz pattern strings with 8 levels of deepness and DotDotPwn will 

print the results to STDOUT, so you can use it as you wish, by example, passing the traversal 

patterns as a parameter to another application, pipe, socket, etc.