Thursday, 13 February 2014

DNSMap Tutorial

DNSMap Tutorial

DNSMap Tutorial

This tutorial will show you how to use DNSMap




Background: Dnsmap is a small C based tool that perform brute-forcing of domains. The tool can use an internal wordlist, or work with an external dictionary file.
Info: http://ikwt.dyndns.org/ This site seems to be down.
(Source http://backtrack.offensive-security....p/Tools#dnsmap )

Ok now to acccess the tool go to K Menu | Backtrack | Information Gathering | DNS| DNSMap




Ok it will open a shell and show you

===========================
Code:
dnsmap - DNS Network Mapper by pagvac
(http://ikwt.com, http://foro.elhacker.net)
Usage: dnsmap <target-domain> [dictionary-file]
Examples:
dnsmap yourtarget.com
dnsmap yourtarget.com yourwordlist.txt

bt dnsmap #
==================================================



Once you have it open you can check the readme by doing a nano README This will provide lots more info.
Be sure to read it there are some limitations when using this tool.

Next we need to give dnsmap a target to search again we will use http://www.victimluser.com
so
Code:
=====================
bt dnsmap # victimluser.com

=========================================


This will return us with:


Code:
==========================
dnsmap - DNS Network Mapper by pagvac
(http://ikwt.com, http://foro.elhacker.net)
Searching subhosts on domain victimluser.com

forum.victimluser.com
IP Address #1:192.168.1.1

mail.victimluser.com
IP Address #1:192.168.1.2

ftp.victimluser.com
IP Address #1:192.168.1.3

pop.victimluser.org
IP Address #1:192.168.1.4


==========================

Also you can create a wordlist.txt that you can supply at the command line like this
Code:
================================
 bt dnsmap # dnsmap targetdomain.com wordlist.txt

=============================================================

This will force dnsmap to use a supplied wordlist to bruteforce subdomains if you do not supply a wordlist then dnsmap
will use the built in one by default.

The readme also give links to a few wordlist you can download.

Have fun using this tool!




Friday, 7 February 2014

nmap tutorial


Beginner's Guide to Nmap

hi,readers

Getting Nmap and Basic Use

You'll find Nmap packaged for most major Linux distros. [backtrack]
The basic syntax for Nmap is Nmap Scan Type Options target. Let's say you want to scan a host to see what operating system it is running. To do this, run the following:
nmap -O target.host.com
Note that Nmap requires root privileges to run this type of scan. The scan might take a minute or so to run, so be patient. When it finishes, you'll see something like this:
Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-27 23:52 EST
Nmap scan report for 10.0.0.1
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
5009/tcp  open  airport-admin
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:11:24:6B:43:E2 (Apple Computer)
Device type: WAP|printer
Running: Apple embedded, Canon embedded, Kyocera embedded, Xerox embedded
OS details: VxWorks: Apple AirPort Extreme v5.7 or AirPort Express v6.3; Canon imageRUNNER printer (5055, C3045, C3380, or C5185); Kyocera FS-4020DN printer; or Xerox Phaser 8860MFP printer
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
As you can see, Nmap provides a lot of data. Here it takes a guess at the operating system that might be running on the system. I ran this particular scan against an Apple Airport Extreme router. As an added bonus, Nmap tells me that the device is one hop away, the MAC address of the device and manufacturer of the NIC, the open ports, and how long the scan took.
Here's the result of another scan, against a desktop machine running Ubuntu 9.10:
Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 00:00 EST
Nmap scan report for 10.0.0.6
Host is up (0.0039s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:17:08:2A:D6:F0 (Hewlett Packard)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
Here we see that the system has an HP NIC (it's an HP workstation), running the Linux kernel somewhere between Linux 2.6.19 and 2.6.31. You may not be able to get an explicit identification of the operating system down to the version of Linux.

Practice Hosts

In the examples above, I chose a local router and one of my workstations in part because I have the permission to scan them. You can use Nmap to scan virtually any host. However, it's a bad idea to run many scans against hosts you're not in control of or don't have permission to scan. The Nmap folks have a test host at scanme.nmap.org that can be used for testing, so long as you're not running any tests of exploits or Denial of Service (DoS) attacks.
Some admins don't appreciate unexpected scans, so use best judgment and restrict scans to hosts that are on your own network or that you have permission to scan. It may also be against your ISP's terms of service to use some of Nmap's more aggressive scan features, so be careful out there!

Multiple Hosts

You can scan more than one host at a time using nmap. If you're using IP addresses, you can specify a range like 10.0.0.1-6 or a range like 10.0.0.0/24. The 10.0.0.1-6 would scan hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 through 10.0.0.6. Using the /24 notation would scan the whole range of hosts from 10.0.0.0 to 10.0.0.255. For example, to scan 10.0.0.1 through 10.0.0.42 to learn what OS they might be running I'd use nmap -O 10.0.0.1-42.
If you have hostnames instead of IP addresses, you can separate them with a space on the command line, like so:
nmap -O host1.target.com host2.target.com

Checking Open Ports

If you give Nmap no options at all and just point it at a given host it will scan for open ports and report back those that are open, and what service is running on them. For instance, running nmaptarget.hostname.com might yield something like this:
Interesting ports on target.hostname.com (10.0.0.88):
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.228 seconds
Here you can see that there are three ports open: 22, 80, and 3306 which run SSH, HTTP, and MySQL respectively. Nmap recognizes six states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered. These are mostly self-explanatory. See the Nmap docs for more on these states. If Nmap can tell what service is running, it will report it under the SERVICE column.
If you'd like a little more information, crank it up a notch by adding one or two -v options to the command. For example, using nmap -vv host.target.com would produce something like this:
Initiating Ping Scan at 11:44
Scanning 10.0.0.28 [1 port]
Completed Ping Scan at 11:44, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:44
Completed Parallel DNS resolution of 1 host. at 11:44, 0.00s elapsed
Initiating Connect Scan at 11:44
Scanning host.target.com (10.0.0.28) [1714 ports]
Discovered open port 22/tcp on 10.0.0.28
Discovered open port 80/tcp on 10.0.0.28
Discovered open port 3306/tcp on 10.0.0.28
Completed Connect Scan at 11:44, 0.08s elapsed (1714 total ports)
Host host.target.com (10.0.0.28) appears to be up ... good.
Interesting ports on host.target.com (10.0.0.28):
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.104 seconds
Nmap provides a lot more information when using the verbose (-v) option.

Service Scans

If you're really curious about what services a host might be running, try the -sV options. This will do a more aggressive scan to try to figure out what versions of services are running on a given host, and also might help determine more specifically what OS a host is running. For instance, I ran nmap -sV against a test server and got this in response:
Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-28 00:15 EST
Nmap scan report for test.host.net (XX.XXX.XXX.XX)
Host is up (0.090s latency).
Not shown: 965 closed ports, 33 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds
As you can see, Nmap can "fingerprint" the packets and identify the versions of the software running on the SSH and HTTP ports. Here you can see that the system being pinged is a Ubuntu box with Apache 2.2.8 and OpenSSH 4.7p1. This can be useful for a number of reasons. A quick Nmap scan can identify systems that are running unpatched systems and therefore ones that might be vulnerable to known exploits.

What's on My Network?

Not quite sure what might be running on your network? Try using nmap -sP, which will run a ping scan on the specified network. For instance, nmap -sP 10.0.0.0/24 will scan the 256 hosts from 10.0.0.0 through 10.0.0.255 to see if they're available, and report back. You can also use a range, such as nmap -sP 10.0.0.1-15.

Zenmap

Finally, if all this command line fun is not your bag, Nmap has a GUI that you can use to build and execute commands. Called Zenmap, the GUI will let you specify targets, run scans, display the results and even save and compare them against one another.
When you open Zenmap, you can give it a target to scan and select one of the profile scans to get started. It includes your basic ping scan, quick scans, some more intense scans that include UDP services, and so forth. The Zenmap GUI is a good way to get acquainted with Nmap, but it's also a good idea to know how to use Nmap from the command line if you're going to be working with it often.
In a future tutorial we'll take a more in-depth look at Nmap and specific tasks you might want to do with Nmap. I hope this overview gave a good sense what Nmap can do and helps you get started working with Nmap.

Saturday, 1 February 2014

Metasploit Tutorial: Introduction backtrack tutorial

Metasploit Tutorial: Introduction

  1. Metasploit Terms
  2. MSFconsole
  3. MSFcli
  4. Armitage
  5. MSFpayload
  6. MSFencode
Metasploit is a valuable tool in pen testing a network. However, it can be very confusing for a beginner. These metaspolit tutorials will help you get up and running with metasploit. Most of our hacking will be targeted to windows machines. As a reminder and site disclaimer: I am not responsible for your actions! This is for education only!



Metasploit Terms

Exploit – to take advantage of a security flaw within a system, network, or application.
Payload - is code that our victim computer to execute by the metasploit framework.
Module - a small piece of code that can be added to the metasploit framework to execute an attack.
Shellcode – a small piece of code used as a payload.

MSFconsole

Msfconsole is an all-in-one interface to most of the features in metasploit. Msfconsole can be used to launch attacks, creating listeners, and much, much more. We will be using Msfconsole throughout these tutorials, but mastering it will allow you to keep up with metaspolits rapidly changing framework. Metasploit comes installed by default on backtrack 5.


To access msfconsole, open your console and type:
root@bt: ~# cd /opt/framework3/msf3/
root@bt: ~#/opt/framework3/msf3# msfconsole
After sometime, the msfconsole will boot.

BackTrack Tutorials msfConsole

To view the help files, simply type help followed by the command you want to know more about. In our case, we want to learn about the connect command. The connect command allows us to communicate with a host.
msf > help connect

MSFcli

Msfcli is another way to access the metasploit framework but focuses more on scripting and interpretability with other console-based tools.

 To view the msfcli help type:
root@bt:~# cd /opt/framework3/msf3
root@bt:~# msfcli -h


backtrack tutorials msfcli help

Now we are going to do a little test run of msfcli. It’s important to note whenever you’re learning metasploit and you get stuck, you can see the options in a module by adding the letter O to the end of the line.

For example:
root@bt:~# msfcli windows/smb/ms08_067_netapt o
backtrack tutorials cli o


This module requires three options: RHOST, RPORT, and SMPIPE. Adding P to the end allows us to see what payloads we can use.
root@bt~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 P


we can run our exploit by selecting a payload, fill out the options, and run it by passing the letter E to the ned of the msfcli argument string.


root@bt~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 PAYLOAD=windows/shell/bind_tcp E
MSF Example 1

Note: the IP address assigned to RHOST is a windows XP machine that I have on a virtaul machine. It will act as our victim machine for testing. You will have to do the same with another computer or a virtual machine. For practice, do not update your victim machine or install anti-virus. We want to be able to use our exploits without them being patched over with windows updates. We will go over this more in-depth later on.


The armitage component is a fully interactive graphical user interface.

Running Armitage

  1. Run the command armitage.
  2. Select Start MSF.
armitage_gui

MSFpayload

The msfpayload component of metasploit that generates shellcode, and executables. Shellcoe can bew generated in many formats including C, Ruby, JavaScript and even Visuabl Basic. Each output will be useful in various situations.
For msfpayload help type: root@bt~# msfpayload -h
Just like msfcli, if you need to find out the required options, append the letter O on the command line.
root@bt:~# msfpayload windows/shell_reverse_tcp O

MSFencode

The shellcode generated by msfpayload is functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion.
In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit’s developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters.
Enter msfencode -h to see a list of msfencode options.
Metasploit contains a number of different encoders for different situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general purpose encoders that do well in every situation. A very popular and well known encoder is the: x86/shikata_ga_nai encoder.
To see the list of encoders available, append -l to msfencode as shown next. The payloads are ranked in order of reliability.


root@bt:~# msfencode -l
backtrack tutorials metasploit encoder list

Scanning backtrack tutorials

Scanning

The scanning process can be divided into three steps:
  1. Determining if a system is active.
  2. Port scanning the system.
  3. Scanning the system for vulnerabilities.



Step 1 is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2 and 3 regardless of the outcome of this test.

Regardless, it is still important to conduct this step and make note of any machines that respond as alive.
Ports provide a way or location for software and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software, or devices.

Common Ports and their Service

Port      Number Service
20        FTP data transfer
21        FTP control
22        SSH
23        Telnet
25        SMTP (e-mail)
53        DNS
80        HTTP
443      HTTPS

Pings and Ping Sweeps

A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond back to the originating machine with an Echo Reply packet. Aside from telling us that a host is alive and accepting traffic, pings provide other valuable information including the total time it took for the packet to travel to the target and return.
Pings also report traffic loss that can be used to gauge the reliability of a network
connection.


backtrack tutorials ping example
Ping google.com with the count argument -c 4 to ping 4 times.

Port Scanning

There are a total of 65,536 (0–65,535) ports on every computer. Ports can be
either TCP or UDP depending on the service using the port. We scan computers to see what ports are in use or “open”. This gives us a better picture of the purpose of the machine, which gives us a better idea about how to attack the box.

TCP 3-Way Handshake

Before we go on, we first have to know how computers on a network communicate with each other. When two computers want to communicate, they go through a processes known as the 3-way handshake. The first computer A will send a synchronize packet to the other computer B. Then, if computer B is listening (has its port open), it will respond back to A with a synchronize-acknowledgement packet. Finally, computer A will send an acknowledgement packet to computer B, and the two computers will communicate as usual.

Using Nmap

Nmap was written by Gordon Lyon and is available for free from www.insecure.org and is built into today’s Backtrack Linux 5.
Recommended Reading: Nmap Network Scanning
It is the official guide to using the nmap scanner. What more can I say? This book will cover nmap much more in depth than this site.
When we conduct a port scan, Nmap will create a packet and send it to each designated port on the computer just like the 3-way handshake. The goal is to determine what kind of a response we get from the target ports.


To use Nmap, open up the terminal and type:
nmap -p- 192.168.56.101
Backtrack Tutorials: Nmap Scran
Here I scan a Windows XP machine on my network.
The “-p-” tells nmap to scan all ports on a target machine. The 10.0.2.15 is the local ip of the target machine.