IV Needle Injecting Tech into the Vein

Kismet Options

This is a great resource for understanding Kismet's interface...

Kismet Main Page

Network Sweeping

ICMP-type8 Echo Requests ‘Pings’

• Frequently blocked
• Noisy + frequently monitored / signature

TCP packets to likely open ports

• 3-way initialization
• Various possibilities
• May traverse IDS/IPS

UDP packets to likely closed ports

• ICMP Port Unreachable messages
• Non-reliable

Angry IP Scanner (v2.21 Apr 04 / v3.0-beta4 Mar 09) [Some AV software may have signature]

• v2.x - Windows-XP
• - Standalone binary
• v3.x - Cross-platform
• - Requires Java
• - Windows 2000/XP/Vista | MacOS X Intel/PPC | Linux
• Threaded for each scanned IP
• ICMP Echo Request sweep
• TCP port scan
• Gets MAC addresses
• Gathers NetBIOS names and Workgroups

ICMPQuery (v1.0.3 2000) [Dave Andersen cs.ut.edu -> cs.cmu.edu]

• CLI Linux/Unix
• ICMP Timestamp (t13) and Address Mask Request (t17)

War Driving

• 2001... Peter Shipley
• -Drove around Silicon Valley
• -Discovered hundreds of APs
• War Walking
• War Flying
• War Biking
• War Chalking
• All = War Driving (AKA 'stumbling')
• http://www.wardriving.com/

Active Scanning

• Sending probe packets
• 802.11 packets with ESSID of 'Any'
• Response from WLAN access points

NetStumbler v0.4.0 (Apr 2004)

• 802.11a/b/g
• MAC addresses
• ESSID
• Wireless channels
• Signal strength
• [IP addresses]
• Wireless Security

Passive Listening

• Wireless promiscuous mode
• rfmon mode
• vistarfmon (Josh Wright http://inguardians.com/tools/)
• All wireless packets incl. mgmt frames

Wellenreiter (v1.9 Aug 2003) [Ger: wave runner / surfer]

• Stealth ESSID broadcasts
• Channel
• MAC Addresses
• Security
• DHCP / ARP
• -list of IPs
• tcpdump compatible

Wellenreiter II (handhelds)

Kismet (v2008-05-R1 May 08)

• 802.11a/b/g + GPS mapping
• tcpdump compatibility
• Hidden SSID decloaking
• Graphical network mapping
• Mfgr/Model APs and clients
• Known defaults detection

War Dialing

• Numbers
• Range: random, sequential, list
• Nudging
• Jamming
• THC-Scan v2.1 (Oct 2005)

Scanning

• War Dialing
• War Driving
• Sweeping
• Mapping (tracing)
• Port Scanning
• OS Fingerprinting
• Version Scanning
• Vulnerability Scanning

BT3 – USB Wireless HCL

Below is the list of wireless usb dongles and their compatibility with BackTrack3 from a VMware machine...

HCL:Wireless - Offensive-security.com

More Recon Tools

Sam Spade (by Steve Atkins)

• Network query tool for Windows
• Ping, DNS Lookup, Whois, DNS Zone Transfer, Traceroute, Finger, SMTP Verify, Mirror Website, Check Time, Keep-alive, etc.

Spiderfoot (by Steve Micallef)

• Input domain name(s)
• Crawls website(s) for links and subdomains
• Reverse DNS lookups for IPs of findings + given block(s)
• Whois lookups {www,mail}.domains.{com,us,etc}
• Google searches with SOAP API

BiLE Suite

• BiLE-weigh.pl ($ ./BiLE-weigh.pl [site_of_interest] [BiLE_output.mine]) - Comples weighting algorithm to determine 'related' score
• tld-expand.pl - Over 250 TLDs and does DNS lookup
• vet-IPrange.pl + vet-mx.pl - Are results of previous tools in defined range - (ex. What are the mail-servers for each domain?)
• qtrace.pl - Uses hping to traceroute all target IPs - Outputs hop-by-hop paths to target

BiLE Recon Assembly-Line

BiLE -> Bile-weigh -> tld-expand -> vet-IPrange + vet-mx -> qtrace

BiLE DNS Tools

• Jarf-rev - Input target network range - Output reverse DNS lookups for each address
• Jarf-dnsbrute - Input domain + dictionary - Output DNS lookup for every sub-domain

Metadata

Info in Metadata

Includes MAC address, user names, edits, GPS info (depending on file format)

• JPG
• - EXIF (Exchangeable image file format)
• - IPTC (International Press Telecommunications Council)
• PDF
• DOC
• DOCX
• EXE
• XLS
• XLSX
• PNG
• Etc

Metadata Tools

• Strings
• Metagoofil
• EXIF Tool
• EXIF Viewer Plugin
• Jeffrey's Exif Viewer
• EXIF Reader
• Flickramio
• Pauldotcom

Recon Automation

Automating Google Recon

• SiteDigger (v2.0 Released Jan 2005) [Win]
• Wikto (v2.1 Released Dec 2008) [Win]
• Gooscan (~2006) [Lin] ... can be found in BackTrack
• Goolag (v1.0.0.41 Mar 2008) [cDc/Win]

Google Proxies

• Dec 2006... Google stops giving out SOAP API keys (deprecated)
• Mar 2009 AJAX API 'graduates' from Google Code
• Aug 2009... Google will disable the SOAP API

Google Proxy Tools

• AURA (API Usable / Re-usable Again)
• EvilAPI (defunct?)

Google Hacking

“Google, properly leveraged, has more intrusion potential than any hacking tool.” - Adrian Lamo (Grey Hat Hacker, hacked NY Times, Yahoo, etc.)

See this book: Google Hacking For Penetration Testers - Johnny Long

Google Searching Basics

• Web
• Images
• Groups
• Shopping
• Books
• Scholor
• Finance
• Blogs
• More

Preferences and Advanced

• Preferences
• Language Tools
• Advanced Search

Advanced Directives

• site: (Searches only within a given domain)
• [all]intext: (Shows pages with all terms in page text)
• [all]inurl: (Shows pages whose URL matches)
• [all]intitle: (Shows pages whose title matches)
• filetype: (ext:) vs. searchterm
• phonebook: (General)
• bphonebook: (Business)
• rphonebook: (Residential)
• link: (Shows all sites linked to a given site)
• related: (Shows similar pages [hit/miss])
• cache: (Google cache)
• info: (Cached + link: + related: ... Not very useful)
• daterange: (Indexed by Google during dates within range) -Must always be a range - Must be in Julian Date form (Number of days since Jan 1, 4713 B.C.)
• vs &as_qdr={h.d.w.m.y}[2..x]

Operators

• ""
• (|) / (OR v. or)
• (-) (+)
• (.) (*)
• (..) / numrange
• (~)

Google Hacking Database

• Available remote desktop systems
• Default web material
• Indexable directories
• UserIDs and passwords
• Shell history
• GHDB of "GoogleDorks" (http://johnny.ihackstuff.com)