What information can you gather without informing the target that you are gathering information? What information can others gather about you?
- Untangling the Web (NSA declassified document)
- Hurricane Electric’s BGP Toolkit can find the address ranges of an organization: http://bgp.he.net/search?search%5Bsearch%5D=amazon
- Google Hacking Diggity Project
- Google Hacking Database (GHDB), GoogleDorks
- Google Docs:
site:docs.google.com inurl:docid intext:(jpmorgan|barclays|citibank|santander|hsbc|rbs)
site:dl.dropbox.com (ext:txt | ext:pdf | ext:doc | ext:xls) site:dropbox.com/gallery
site:live.com “skydrive” ext:dmp
- Amazon S3 Storage (this will reveal “buckets”, many of which yield “access denied” but some of which are open):
- push2check and analyseurl reveal web information and consolidate web statistics
- GXFR, a search engine-based domain transfer tool
- WebSitez database
- DomTools (axfr)
- Sam Spade
- Enumerate host names and email addresses from public sources using free tools at Infosec Island
- PlotIP, WebBoar would be more for statistics
- Spokeo, Yasni for people
- nslookup with ls -d example.tld to simulate a zone transfer
- dnsenum.pl to enumerate DNS information
- Chaosmap is an information gathering tool and DNS / whois / web server scanner written in Python. It can be used to look up DNS names from a dictionary, with or without a salt.
- sl and SuperScan: Windows utilities for ping sweeps and port scanning
- Fping for ping sweeps
- Fing is a tool for network discovery and scanning
- nc, portqry for port scanning
- nmap for ping sweeps, port scanning, OS mapping and more. Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. [video] Fyodor – Advanced Network Reconnaissance with Nmap, ShmooCon 2006; Nmap 5 cheatsheet [pdf]; PaulDotCom Episode 207 and PaulDotCom Episode 242, too. A stealth inventory, which requires nmap 5.51 or later:
nmap -P0 --script=broadcast
- Frustrate port scanners using portspoof.
The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition to any firewall system or security infrastructure.
The general goal of the program is to make port scanning software (Nmap/Unicornscan/etc.) slow and its output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.
- amap (THC-amap) for application mapping (banner grabbing, penetration test) [video]
- p0f is an advanced passive OS/network fingerprinting utility. [video]
- Firewalk for port scanning
- Hping is a command-line oriented TCP/IP packet assembler/analyzer (ICMP TCP UDP). [video]
- Gobbler for spoofed source OS mapping, port scanning and Dynamic Host Configuration Protocol (DHCP)
- Dsniff is a collection of tools for network auditing and penetration testing. [video]
- SSLdump is an SSLv3/TLS network protocol analyzer. [video]
- Tcpreplay is a suite of BSD licensed tools written by Aaron Turner for UNIX (and Win32 under Cygwin) operating systems which gives you the ability to use previously captured traffic in libpcap format to test a variety of network devices. [video]
- Metoscan is a tiny tool for scanning the HTTP methods supported by a web server. [video]
- DNSmap is a passive DNS network mapper and subdomains bruteforcer. [video]
- SING is a tool that sends ICMP packets fully customized from command line. [video]
- SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools:
  - svmap – a SIP scanner; lists SIP devices found on an IP range
  - svwar – identifies active extensions on a PBX
  - svcrack – an online password cracker for SIP PBX
  - svreport – manages sessions and exports reports to various formats
  - svcrash – attempts to stop unauthorized svwar and svcrack scans
- IP Phone Scanning Made Easy (ISME) scans a VoIP environment, adapts to enterprise VoIP, and exploits the possibilities of being connected directly to an IP phone VLAN. It seeks to get the phone’s configuration file directly from a TFTP server, enable SIP/SIPS (TCP/UDP), communicate with an embedded web server and read its banner, identify the vendor by MAC address, and identify potential default login/password combinations which should be changed.
- DHCPdump parses DHCP packets from tcpdump. [video]
- TCPdump is a common packet analyzer that runs under the command line. [video]
- Yersinia for reconnaissance of layer 2 protocols:
  - Spanning Tree Protocol (STP)
  - Cisco Discovery Protocol (CDP)
  - Dynamic Trunking Protocol (DTP)
  - Dynamic Host Configuration Protocol (DHCP)
  - Hot Standby Router Protocol (HSRP)
  - IEEE 802.1Q
  - IEEE 802.1X
  - Inter-Switch Link Protocol (ISL)
  - VLAN Trunking Protocol (VTP)
- CHScanner is an ARP, IPv4 and IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information and Windows shares, SNMP information, and WMI (WBEM) information. CHScanner can turn on a remote Windows host (using Wake-On-LAN) or shut it down or reboot it. CHScanner has an automatic (scriptable) working mode, a hunt mode, a passive mode, and the normal scanning mode.
- SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which types of resources are shared on the network (including system and hidden).
- Arp-scan: fingerprinting with ARP scans
- ike-scan: fingerprint VPN devices; to learn IPsec, see Steve Friedl’s Unixwiz.net Tech Tips, An Illustrated Guide to IPsec
- WS_Ping ProPack
- Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.
Send an ICMP packet with a time-to-live (TTL) of 1. When the packet reaches the first device on the path, its TTL drops to zero and that device replies with an ICMP time-exceeded message, so you learn that something is there.
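Decoding the reply that such a TTL=1 probe draws is what a traceroute does hop by hop, and it is also what a defender sees when such probes land on the network edge. The following is an added example, not code from the original page: it constructs an ICMP Time Exceeded reply in memory (the hop and probe addresses below are made-up documentation ranges), then parses it back to recover the responding hop, the original probe's source and destination, and the quoted TTL. Nothing is sent on the wire.

```python
"""Build and decode an ICMP Time Exceeded reply such as a probe sent with
TTL=1 draws from the first hop. Added example, not from the original page;
every packet here is constructed locally, nothing is transmitted."""
import struct


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl, ident=0x1234):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_message(mtype, code, rest, payload):
    """ICMP message: type, code, checksum, 4 'rest of header' bytes, payload."""
    body = struct.pack("!BBH4s", mtype, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_time_exceeded(hop, probe_src, probe_dst):
    """Constructed reply from `hop` to an echo request that arrived with TTL 1."""
    # The original probe: ICMP echo request (type 8, id 1, seq 1), TTL 1.
    inner_icmp = icmp_message(8, 0, struct.pack("!HH", 1, 1), b"")
    inner_ip = ipv4_header(probe_src, probe_dst, 1, len(inner_icmp), ttl=1)
    # Time Exceeded (type 11, code 0) quotes the expired IP header plus the
    # first 8 bytes of its datagram, which is how the sender matches the reply.
    quoted = inner_ip + inner_icmp[:8]
    outer_icmp = icmp_message(11, 0, b"\x00\x00\x00\x00", quoted)
    outer_ip = ipv4_header(hop, probe_src, 1, len(outer_icmp), ttl=64)
    return outer_ip + outer_icmp


def parse_ttl_probe_reply(packet):
    """Decode an IPv4/ICMP Time Exceeded packet; None if it is not one or is corrupt."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        return None  # outer IP header checksum failed
    hop = ".".join(str(b) for b in packet[12:16])  # who answered: the device found
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None  # ICMP checksum failed
    if icmp[0] != 11:
        return None  # not Time Exceeded
    quoted = icmp[8:]
    if len(quoted) < 20:
        return None  # reply does not quote a full IP header
    return {
        "hop": hop,
        "code": icmp[1],  # 0 = TTL exceeded in transit, 1 = reassembly timeout
        "probe_src": ".".join(str(b) for b in quoted[12:16]),
        "probe_dst": ".".join(str(b) for b in quoted[16:20]),
        "probe_ttl": quoted[8],
        "probe_proto": quoted[9],
    }


if __name__ == "__main__":
    pkt = build_time_exceeded("192.0.2.1", "198.51.100.7", "203.0.113.9")
    print(parse_ttl_probe_reply(pkt))
```

The parser verifies both checksums before trusting any field; a capture tool that skips that step will happily decode line noise as a hop. The `hop` field is the point of the page's sentence: the reply's outer source address is the device that was discovered.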
- IANA Port Numbers: the Well Known Ports (0 through 1023), the Registered Ports (1024 through 49151), and the Dynamic and/or Private Ports (49152 through 65535).
- Neohapsis Ports List: consolidated list of standard and exploited ports.
- SANS Trojan Ports: port numbers of well known Trojans.
- ISS Exploit Ports
What does the server or application say it is?
- Generic form: telnet example.com 80, then send HEAD / HTTP/1.0
- What PHP version is running? http://example.com/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 and http://example.com/index.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42. Note that “page not found” indicates PHP is used.
- Telnet: telnet host port
- nc: nc -v host port
- Web: nc -v host 80, then send HEAD / HTTP/1.0
- sl: sl -b host(s)
- NMAP: nmap -O host(s)
- NMAP: nmap -O -p port host(s)
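What the HEAD request above returns is only useful once it is read. The following added example, not code from the original page, parses the headers a web server answers with and flags the ones that commonly disclose software name and version (Server, X-Powered-By and similar), so an administrator can check their own hosts for the banner an outsider would see. The sample response is constructed; `grab_head` reproduces the telnet/nc exchange over a socket for a host you administer and is not exercised by the offline part.

```python
"""Parse a server's reply to `HEAD / HTTP/1.0` and flag version disclosure.
Added example, not from the original page; SAMPLE_RESPONSE is constructed."""
import re
import socket

# Constructed sample of what a web server might answer to "HEAD / HTTP/1.0".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Headers that typically carry the product name and version of the stack.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_head_response(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def banner_findings(raw):
    """Return [(header, value, version or None)] for each disclosing header present."""
    _, headers = parse_head_response(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            match = VERSION_RE.search(headers[name])
            findings.append((name, headers[name], match.group(0) if match else None))
    return findings


def grab_head(host, port=80, timeout=5):
    """Live equivalent of `telnet host 80` followed by `HEAD / HTTP/1.0`."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    for header, value, version in banner_findings(SAMPLE_RESPONSE):
        label = "version %s" % version if version else "no version string"
        print("%s: %s (%s)" % (header, value, label))
```

On the constructed sample this reports the Apache and PHP versions; on a hardened host the Server header is reduced to a product name or removed and X-Powered-By is absent, so the function returns fewer findings or none, which makes it a quick regression check after changing ServerTokens or expose_php settings.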