Information Gathering


acccheck

February 15, 2014 ports Information Gathering Password Attacks

acccheck Package Description

The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the ‘smbclient’ binary, and as a result is dependent on it for its execution.

Source:https://labs.portcullis.co.uk/tools/acccheck/
acccheck Homepage | Kali acccheck Repo

  • Author: Faisal Dean
  • License: GPLv2

Tools included in the acccheck package

acccheck – Password dictionary attack tool for SMB
root@kali:~# acccheck

acccheck v0.2.1 - By Faiz

Description:
Attempts to connect to the IPC$ and ADMIN$ shares depending on which flags have been chosen, and tries a combination of usernames and passwords in the hope to identify the password to a given account via a dictionary password guessing attack.


Usage = ./acccheck [optional]

-t [single host IP address] # single IP
OR
-T [file containing target ip address(es)] # multiple IPs

Optional:
-p [single password] # single password
-P [file containing passwords] # multiple passwords
-u [single user] # single username
-U [file containing usernames] # multiple usernames
-v [verbose mode] # verbose mode

Examples
Attempt the 'Administrator' account with a [BLANK] password. # default
acccheck -t 10.10.10.1
Attempt all passwords in 'password.txt' against the 'Administrator' account. # multiple passwords
acccheck -t 10.10.10.1 -P password.txt
Attempt all passwords in 'password.txt' against all users in 'users.txt'. # multiple users and multiple passwords
acccheck -t 10.10.10.1 -U users.txt -P password.txt
Attempt a single password against a single user. # single password, single user
acccheck -t 10.10.10.1 -u administrator -p password
acccheck Usage Example

Scan the IP addresses contained in smb-ips.txt (-T) and use verbose output (-v):

root@kali:~# acccheck.pl -T smb-ips.txt -v # scan the IP addresses in smb-ips.txt (-T) with verbose mode on (-v)
Host:192.168.1.201, Username:Administrator, Password:BLANK
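On the receiving side, a dictionary attack of the kind acccheck runs shows up as a burst of failed SMB logons from one client against several usernames, often followed by a success once a guess lands. The following detector is an added example (not part of acccheck or the Kali page): it parses a handful of constructed, syslog-style Samba authentication lines (the field layout is an assumption, not a real Samba log format) and flags clients that exceed a failure and distinct-user threshold inside a sliding time window.

```python
"""Flag SMB password-guessing bursts in authentication logs.

Added example, not part of the acccheck package. The log format and the
sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data); one client guesses many accounts
# against IPC$/ADMIN$ within seconds, a second client just mistypes twice.
SAMPLE_LOG = """\
2014-02-15T10:00:01 smbd: auth failure user=Administrator share=IPC$ client=192.168.1.50
2014-02-15T10:00:01 smbd: auth failure user=Administrator share=IPC$ client=192.168.1.50
2014-02-15T10:00:02 smbd: auth failure user=backup share=ADMIN$ client=192.168.1.50
2014-02-15T10:00:02 smbd: auth failure user=guest share=IPC$ client=192.168.1.50
2014-02-15T10:00:03 smbd: auth failure user=svc_sql share=IPC$ client=192.168.1.50
2014-02-15T10:00:04 smbd: auth success user=Administrator share=IPC$ client=192.168.1.50
2014-02-15T10:00:30 smbd: auth failure user=alice share=IPC$ client=192.168.1.77
2014-02-15T10:05:00 smbd: auth failure user=alice share=IPC$ client=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smbd: auth (?P<result>failure|success) "
    r"user=(?P<user>\S+) share=(?P<share>\S+) client=(?P<client>\S+)$"
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_spray_sources(lines, window=timedelta(seconds=60),
                       min_failures=4, min_users=2):
    """Return {client: summary} for clients whose failed logons inside any
    `window` reach `min_failures` and touch at least `min_users` accounts.
    The summary records the largest qualifying burst and whether a successful
    logon from the same client followed it (a likely compromised account)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failure"]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                if best is None or len(burst) > best[0]:
                    best = (len(burst), users, failures[end]["ts"])
        if best:
            count, users, last_fail = best
            success_after = any(e["result"] == "success" and e["ts"] >= last_fail
                                for e in evs)
            alerts[client] = {"failures": count, "users": sorted(users),
                              "success_after": success_after}
    return alerts


if __name__ == "__main__":
    for client, info in find_spray_sources(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

Thresholds are deliberately low so the constructed sample trips them; on real logs tune `window`, `min_failures` and `min_users` to the environment's baseline, and treat `success_after` as the signal that needs immediate follow-up.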

Tags: infogathering passwords smb


ace-voip

February 15, 2014 ports Information Gathering

ace-voip Package Description

ACE (Automated Corporate Enumerator) is a simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order to download the name and extension entries that a given phone can display on its screen interface.
In the same way that the “corporate directory” feature of VoIP hardphones enables users to easily dial by name via their VoIP handsets, ACE was developed as a research idea born from “VoIP Hopper” to automate VoIP attacks that can be targeted against names in an enterprise Directory.
The concept is that in the future, attacks will be carried out against users based on their name, rather than targeting VoIP traffic against random RTP audio streams or IP addresses.
ACE works by using DHCP, TFTP, and HTTP in order to download the VoIP corporate directory.
It then outputs the directory to a text file, which can be used as input to other VoIP assessment tools.
Translator's note: should “Corporate” be rendered as 公司 (company) or 企业 (enterprise)?

Source:http://ucsniff.sourceforge.net/ace.html
ace-voip Homepage | Kali ace-voip Repo

  • Author: Sipera VIPER Lab
  • License: GPLv3

Tools included in the ace-voip package

ace – A simple VoIP corporate directory enumeration tool
root@kali:~# ace
ACE v1.10: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ]

-i <interface> (Mandatory) Interface for sniffing/sending packets # interface used to sniff or send packets (mandatory)
-m <mac address> (Mandatory) MAC address of the victim IP phone # MAC address of the target IP phone (mandatory)
-t <tftp server ip> (Optional) tftp server ip address # TFTP server address
-c <cdp mode 0|1 > (Optional) 0 CDP sniff mode, 1 CDP spoof mode # 0 sniff mode, 1 spoof mode
-v <voice vlan id> (Optional) Enter the voice vlan ID # voice VLAN ID
-r <vlan interface> (Optional) Removes the VLAN interface # remove the VLAN interface
-d          (Optional) Verbose | debug mode # verbose or debug mode

Example Usages:
Usage requires MAC Address of IP Phone supplied with -m option
Usage:  ace -t <TFTP-Server-IP> -m <MAC-Address>

Mode to automatically discover TFTP Server IP via DHCP Option 150 (-m)
Example:  ace -i eth0 -m 00:1E:F7:28:9C:8e

Mode to specify IP Address of TFTP Server
Example:  ace -i eth0 -t 192.168.10.150 -m 00:1E:F7:28:9C:8e

Mode to specify the Voice VLAN ID
Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E

Verbose mode
Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E -d

Mode to remove vlan interface
Example: ace -r eth0.96

Mode to auto-discover voice vlan ID in the listening mode for CDP
Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E

Mode to auto-discover voice vlan ID in the spoofing mode for CDP
Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E
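The auto-discovery mode above relies on the phone's DHCP lease carrying option 150, the Cisco-style list of TFTP server addresses from which the phone fetches its configuration. Knowing exactly what that option looks like on the wire lets a defender audit DHCP server configuration or a packet capture for unexpected TFTP servers pointed at phones. The parser below is an added example, not code from ace-voip: it walks the TLV-encoded DHCP options field and extracts the option 150 addresses from a constructed DHCPOFFER sample.

```python
"""Extract DHCP option 150 (TFTP server addresses) from a DHCP options field.

Added example, not part of ace-voip. SAMPLE_OPTIONS is a constructed
options field (the bytes after the 0x63825363 magic cookie), not a capture.
"""
from ipaddress import IPv4Address

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK = 1
OPT_MESSAGE_TYPE = 53
OPT_TFTP_SERVERS = 150  # list of IPv4 addresses, 4 bytes each


def parse_dhcp_options(data):
    """Parse TLV options into {code: value_bytes}.

    PAD (0) has no length byte and is skipped; END (255) stops parsing.
    Truncated options raise ValueError rather than returning partial data,
    since a malformed field is itself worth flagging."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def tftp_servers(options):
    """Return the option 150 addresses as dotted strings (empty if absent)."""
    raw = options.get(OPT_TFTP_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 150 length %d is not a multiple of 4" % len(raw))
    return [str(IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


# Constructed DHCPOFFER options: message type, subnet mask, two TFTP servers, END.
SAMPLE_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 2])                      # DHCPOFFER
    + bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])      # 255.255.255.0
    + bytes([OPT_TFTP_SERVERS, 8, 192, 168, 10, 150, 192, 168, 10, 151])
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(tftp_servers(parse_dhcp_options(SAMPLE_OPTIONS)))
```

Run over captured offers, any address in the option 150 list that is not the organisation's known call-manager TFTP service is a lead worth chasing, since the phone will load whatever configuration that server hands it.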
ace-voip Usage Example
root@kali:~# coming soon

Tags: cdp enumeration sniffing voip


Amap

February 15, 2014 ports Information Gathering

Amap Package Description

Amap was the first next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal.
It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.
Translator's note: should “next-generation” be translated as 下一代?

Source:https://www.thc.org/thc-amap/
amap Homepage | Kali amap Repo

  • Author: van Hauser and DJ RevMoon
  • License: Other

Tools included in the amap package

amapcrap – sends random data to a UDP, TCP or SSL’ed port to elicit a response
root@kali:~# amapcrap
amapcrap v5.4 (c) 2011 by van Hauser/THC <vh@thc.org>

Syntax: amapcrap [-S] [-u] [-m 0ab] [-M min,max] [-n connects] [-N delay] [-w delay] [-e] [-v] TARGET PORT

Options:
    -S           use SSL after TCP connect (not usable with -u)
    -u           use UDP protocol (default: TCP) (not usable with -c)
    -n connects  maximum number of connects (default: unlimited)
    -N delay     delay between connects in ms (default: 0)
    -w delay     delay before closing the port (default: 250)
    -e           do NOT stop when a response was made by the server
    -v           verbose mode
    -m 0ab       send as random crap:0-nullbytes, a-letters+spaces, b-binary
    -M min,max   minimum and maximum length of random crap
    TARGET PORT  target (ip or dns) and port to send random crap

This tool sends random data to a silent port to elicit a response, which can
then be used within amap for future detection. It outputs proper amap
appdefs definitions. Note: by default all modes are activated (0:10%, a:40%,
b:50%). Mode 'a' always sends one line with letters and spaces which end with
\r\n. Visit our homepage at http://www.thc.org
amap – Application MAPper: next-generation scanning tool for pentesters
root@kali:~# amap
amap v5.4 (c) 2011 by van Hauser <vh@thc.org> www.thc.org/thc-amap
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
Modes:
  -A         Map applications: send triggers and analyse responses (default)
  -B         Just grab banners, do not send triggers
  -P         No banner or application stuff - be a (full connect) port scanner
Options:
  -1         Only send triggers to a port until 1st identification. Speeeeed!
  -6         Use IPv6 instead of IPv4
  -b         Print ascii banner of responses
  -i FILE    Nmap machine readable outputfile to read ports from
  -u         Ports specified on commandline are UDP (default is TCP)
  -R         Do NOT identify RPC service
  -H         Do NOT send application triggers marked as potentially harmful
  -U         Do NOT dump unrecognised responses (better for scripting)
  -d         Dump all responses
  -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
  -q         Do not report closed ports, and do not print them as unidentified
  -o FILE [-m] Write output to file FILE, -m creates machine readable output
  -c CONS    Amount of parallel connections to make (default 32, max 256)
  -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
  -T SEC     Connect timeout on connection attempts in seconds (default 5)
  -t SEC     Response wait timeout in seconds (default 5)
  -p PROTO   Only send triggers for this protocol (e.g. ftp)
  TARGET PORT   The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.
amap Usage Example

Scan port 80 on 192.168.1.15. Display the received banners (b), do not display closed ports (q), and use verbose output (v):

root@kali:~# amap -bqv 192.168.1.15 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2014-05-13 19:07:16 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http - banner: \n\n501 Method Not Implemented\n\n<h1>Method Not Implemented</h1>\n to /index.html not supported.\n\n<hr />\n<address>Apache/2.2.22 (Debian) Server at 12
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http-apache-2 - banner: \n\n501 Method Not Implemented\n\n<h1>Method Not Implemented</h1>\n to /index.html not supported.\n\n<hr />\n<address>Apache/2.2.22 (Debian) Server at 12
Waiting for timeout on 19 connections ...
amap v5.4 finished at 2014-05-13 19:07:22
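The output above shows the mechanism the package description refers to: amap sent a trigger (here the one tagged ssl), got a 501 page back, and looked that response up against its response-string list, reporting every definition that matched (both the generic http entry and the version-specific http-apache-2). The block below is an added example, not amap's code and not its appdefs file format: it models the response list as (name, regex) pairs, which is a simplification and an assumption, and runs the page's own banner through it. The same logic is useful defensively, for instance to check which of your own services still leak a version string in error pages.

```python
"""Match a captured service response against a list of response signatures,
in the spirit of amap's appdefs.resp lookup.

Added example, not part of amap. The signature layout (name, regex) is an
assumption; amap's real response definitions have their own field format.
"""
import re

# Constructed signature list. Version-specific entries come first so the
# report reads most-specific to least-specific; all matches are returned,
# which is why amap's sample output lists both http and http-apache-2.
SIGNATURES = [
    ("http-apache-2", re.compile(rb"Apache/2\.\d")),
    ("http",          re.compile(rb"^HTTP/|<h1>.*</h1>|Method Not Implemented")),
    ("ssh",           re.compile(rb"^SSH-\d\.\d-")),
    ("smtp",          re.compile(rb"^220 .*(SMTP|ESMTP)")),
]


def identify(response):
    """Return the names of every signature whose regex matches `response`.

    An empty list means the response is unrecognised; amap would dump such
    responses (unless -U) so they can be turned into new definitions."""
    return [name for name, rx in SIGNATURES if rx.search(response)]


def version_strings(response):
    """Pull out product/version tokens such as Apache/2.2.22 so a defender
    can see exactly what an error page discloses."""
    return [m.decode() for m in re.findall(rb"[A-Za-z][A-Za-z_-]*/\d+(?:\.\d+)+", response)]


# The banner exactly as the usage example above prints it (truncated by amap).
BANNER_FROM_PAGE = (
    b"\n\n501 Method Not Implemented\n\n<h1>Method Not Implemented</h1>\n"
    b"to /index.html not supported.\n\n<hr />\n"
    b"<address>Apache/2.2.22 (Debian) Server at 12"
)

if __name__ == "__main__":
    print(identify(BANNER_FROM_PAGE), version_strings(BANNER_FROM_PAGE))
```

Because every signature is tried, ordering only affects how the result reads; if a scanner stopped at the first hit (as amap's -1 option does for speed), the order would decide which single name is reported.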

Tags: enumeration infogathering portscanning