임시

Searchable archive from The Exploit Database.

A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.

Overview:

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.

The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.

Key features:

RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)

User listing (When RestrictAnonymous is set to 0 on Windows 2000)

Listing of group membership information

Share enumeration

Detecting if host is in a workgroup or a domain

Identifying the remote operating system

Password policy retrieval (using polenum)

#enum4linux -v target-ip

자세히 모드

#enum4linux -a target-ip

target에 대해 모든 옵션 실행(apart from dictionary based share name guessing)

#enum4linux -U target-ip

username list 출력

#enum4linux -u administrator -p password -U target-ip

username, password 명시

#enum4linux -r target-ip

RID 사이클을 통해 user 나열

#enum4linux -R 500-550 target-ip

RID범위를 지정하여 실행

#enum4linux -G target-ip

그룹과 멤버리스트 출력

#enum4linux -S target-ip

sharelist 출력

#enum4linux -s <share_file> target-ip

share_file을 가지고 무차별 대입 실시

#enum4linux -o target-ip

os정보 출력

등등

It’s a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.

It’s written in perl programming language and can be run either under *NIX or Windows platforms. It’s the first Mexican tool included in BackTrack Linux (BT4 R2).

Fuzzing modules supported in this version:

HTTP

HTTP URL

FTP

TFTP

Payload (Protocol independent)

STDOUT

./dotdotpwn.pl -m http -h 192.168.1.1 -x 8080 -f /etc/hosts -k "localhost" -d 8 -t 200 -s

-m(mode), -h(hostname), -x(port), -f(file), -k(text pattern), -d(depth of traversals), -t(request time), -s(service)

./dotdotpwn.pl -m http-url -u http://192.168.1.1:10000/unauthenticated/TRAVERSAL -O -k "root:" -r webmin.txt

-m(mode), -u(specified URL), -O(os), -k(text pattern), -r(report file name)

./dotdotpwn.pl -m ftp -h 192.168.1.1 -s -U nitr0us -P n1tr0u5pwnzj00 -o windows -q -r ftp_server.txt

-m(mode), -h(hostname), -s(sevice), -U(specified Username), -P(password), -o(known os), -q(quiet mode)

./dotdotpwn.pl -m tftp -h 192.168.1.1 -b -t 1 -f windows/system32/drivers/etc/hosts

-m(mode), -h(hostname), -b(취약점 발견시 종료), -t(request time), -f(file)

./dotdotpwn.pl -m payload -h 192.168.1.1 -x 10000 -p payload_sample_1.txt -k "root:" -f /etc/passwd

./dotdotpwn.pl -m stdout -d 5

The Traversal Engine will create fuzz pattern strings with 8 levels of deepness and DotDotPwn will 

print the results to STDOUT, so you can use it as you wish, by example, passing the traversal 

patterns as a parameter to another application, pipe, socket, etc.

dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy.

OPTIONS

-r     Recursively descend sub-domains of the specified domain.  Use with care.

-a     Turn on warning of duplicate A records.  (see below)

-d     Print debugging and 'status' information to stderr.  (Use only if redirecting stdout)  See

       DIAGNOSTICS section.

-m     Perform checks only if the zone has been modified since the previous run.

-F     perform  "fascist"  checking.  When checking an A record, compare the PTR name for each IP

       address with the forward name and report mismatches.  (see below)   I  recommend  you  try

       this option at least once to see what sorts of errors pop up - you might be surprised!.

-i     Suppress check for invalid characters in a domain name.  (see below)

-l     Perform  "lame  delegation"  checking.   For every NS record, check to see that the listed

      host is indeed returning authoritative answers for this domain.

X A Y: no PTR record

              X  has an IP address Y, but there is no PTR record to map the IP address Y back to a host‐

              name (usually X). Many Internet servers (such as anonymous FTP servers) will not  talk  to

              addresses that don't have PTR records.

dnstracer determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.

Non-recursive means: if the name-server knows it, it will return the data requested.
If the name-server doesn't know it, it will return pointers to name-servers that are authoritive for the domain part in

the name or it will return the addresses of the root name-servers.

DNSRecon provides the ability to perform:

• Check all NS Records for Zone Transfers
• Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
• Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
• Check for Wildcard Resolution
• Brute Force subdomain and host A and AAAA records given a domain and a wordlist
• Perform a PTR Record lookup for a given IP Range or CIDR
• Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
• Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google

Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. 

dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

OPERATIONS:

• Get the host’s addresse (A record).
• Get the namservers (threaded).
• Get the MX record (threaded).
• Perform axfr queries on nameservers and get BIND VERSION (threaded).
• Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).
• Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
• Calculate C class domain network ranges and perform whois queries on them (threaded).
• Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).
• Write to domain_ips.txt file ip-blocks.

dnmap is a framework to distribute nmap scans among several clients. It reads an already created file with nmap commands and send those commands to each client connected to it.

The framework use a client/server architecture. The server knows what to do and the clients do it. All the logic and statistics are managed in the server. Nmap output is stored on both server and client.

Usually you would want this if you have to scan a large group of hosts and you have several different internet connections (or friends that want to help you).

• If the server gets down, it keeps connecting to it until it gets up again.

- 서버 다운시, 다시 실행될 때까지 연결 유지

• Strip strange characters from the command sent by the server. Tries to avoid command injection vulns.

- 전송 명령에서 이상한 문자 존재 시 명령 회피 시도

• It only executes the nmap command. It deletes the command send by the server and changes it by the

known and trusted nmap binary on the system.

- nmap 명령어로만 실행.

• You can select an alias for your user.

- 별칭 선택 가능

• You can change which port the client connects to.

- 클라이언트가 서버 연결할 때 포트 변경 가능

• If the command sent by the server does not have a -oA option, the client add it anyway to the command, so

it will always have a local copy of the output.

- 서버에서 보낸 명령 중 -oA 옵션이 없더라도 클라이언트는 명령 내용을 항상 로컬에 복사

USAGE ./dnmap_client -s <server-ip> -a <alias> (start any number of clients)

• If the server gets down, clients continue trying to connect until the server gets back online. 

- 서버 다운시, 클라이언트는 서버가 켜질 때까지 계속해서 연결 시도

• If the server gets down, when you put it up again it will send commands starting from the last command given before the shutdown. You do not need to remember where it was. 

- 서버 다운시, 마지막 명령에서부터 다시 전송 가능

• You can add new commands to the original file without having to stop the server. The server will read them automatically. 

- 새로운 명령어를 original파일에 추가시키고 싶을 때 서버를 멈추지 않아도 추가 가능. 서버는 자동적으로 읽음

• If some client goes down, the server will remember which command it was executing and it will re-schedule it for later. 

- 몇몇 클라이언트 다운시, 서버는 명령어를 기억하고 클라이언트 실행 시 재 전송 시작

• It will store every detail of the operations in a log file. 

- 로그파일 모든 상세 내용 저장

• It shows real time statistics about the operation of each client You can choose which port to use. Defaults to 46001. Only the Online clients are shown in the running stats. 

- 각각의 클라이언트 동작에 관한 실시간 통계 출력. 사용된 포트 선택 가능(기본값: 46001)

USAGE ./dnmap_server -f commands.txt (start dnmap server)

환경구성

server:192.168.100.14(kali)

client:192.168.100.14(kali)    -같은 pc로 그냥 진행함

target: 192.168.100.5(ubuntu)

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C.
DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.