diff --git a/infogathering/index.md b/infogathering/index.md
index e37a7fc..1855999 100644
--- a/infogathering/index.md
+++ b/infogathering/index.md
@@ -13,6 +13,8 @@ DNS Analysis
 * [fierce](../tools/fierce.md)
 * [maltego](../tools/maltego.md)
 * [nmap](../tools/nmap.md)
+ * [urlcrazy](../tools/urlcrazy.md)
+ * [zenmap](../tools/zenmap.md)
 IDS / IPS Identification
 ------------
@@ -45,20 +47,26 @@ Live Host Identification
 * [thcping6](../tools/tchping6.md)
 * [wol-e](../tools/wol-e.md)
 * [xprobe2](../tools/xprobe2.md)
+ * [zenmap](../tools/zenmap.md)
 Network Scanners
 ------------
- * [first]()
- * [second]()
- * [third]()
+ * [dmitry](../tools/dmitry.md)
+ * [dnmap-client](../tools/dnmap-client.md)
+ * [dnmap-server](../tools/dnmap-server.md)
+ * [netdiscover](../tools/netdiscover.md)
+ * [nmap](../tools/nmap.md)
+ * [zenmap](../tools/zenmap.md)
 OS Fingerprinting
 ------------
- * [first]()
- * [second]()
- * [third]()
+ * [dnmap-client](../tools/dnmap-client.md)
+ * [dnmap-server](../tools/dnmap-server.md)
+ * [miranda](../tools/miranda.md)
+ * [nmap](../tools/nmap.md)
+ * [zenmap](../tools/zenmap.md)
 OSINT Analysis
 ------------
@@ -136,281 +144,3 @@ VPN Analysis
 * [first]()
 * [second]()
 * [third]()
-
-
-### dnsenum
-
-### dnsmap
-
-### dnsrecon
-
-### dnsrevenum6
-
-### dnstracer
-
-### dnswalk
-
-### fierce
-
-### maltego
-
-### nmap
-[include](infogathering/nmap.md)
-
-### urlcrazy
-
-### zenmap
-
-IDS/IPS Identification
-
-
-### fragroute
-
-### fragrouter
-
-### ftest
-
-### lbd
-
-### wafw00f
-
-Live Host Identification
-
-
-### alive6
-
-### arping
-
-### cdpsnarf
-
-### detect-new-ip6
-
-### detect_sniffer6
-
-### dmitry
-
-### dnmap-client
-
-### dnmap-server
-
-### fping
-
-### hping3
-
-### inverse_lookup6
-
-### miranda
-
-### ncat
-
-### netdiscover
-
-### nmap
-[include](infogathering/nmap.md)
-
-### passive_discovery6
-
-### thcping6
-
-### wol-e
-
-### xprobe2
-
-### zenmap
-
-Network Scanners
-
-
-### dmitry
-
-### dnmap-client
-
-### dnmap-server
-
-### netdiscover
-
-### nmap
-[include](infogathering/nmap.md)
-
-### zenmap
-
-OS Fingerprinting
-
-
-### dnmap-client
-
-### dnmap-server
-
-### miranda
-
-### nmap
-[include](infogathering/nmap.md)
-
-### zenmap
-
-OSINT Analysis
-
-
-### casefile
-
-### creepy
-
-### jigsaw
-
-### maltego
-
-### metagoofil
-
-### theharvester
-
-### twofi
-
-### urlcrazy
-
-Route Analysis
-
-
-### 0trace
-
-### dnmap-client
-
-### dnmap-server
-
-### intrace
-
-### netmask
-
-### trace6
-
-Service Fingerprinting
-
-
-### dnmap-client
-
-### dnmap-server
-
-### implementation6
-
-### implementation6d
-
-### ncat
-
-### nmap
-[include](infogathering/nmap.md)
-
-### sslscan
-
-### sslyze
-
-### tlssled
-
-### zenmap
-
-SMB Analysis
-
-
-### acccheck
-
-### nbtscan
-
-### nmap
-[include](infogathering/nmap.md)
-
-### zenmap
-
-SMTP Analysis
-
-
-### nmap
-[include](infogathering/nmap.md)
-
-### smtp-user-enum
-
-### swaks
-
-### zenmap
-
-SNMP Analysis
-
-
-### braa
-
-### cisco-auditing-tool
-
-### cisco-torch
-
-### copy-router-config
-
-### merge-router-config
-
-### nmap
-[include](infogathering/nmap.md)
-
-### onesixtyone
-
-###snmpcheck
-
-### zenmap
-
-SSL Analysis
-
-
-### sslcaudit
-
-### ssldump
-
-### sslh
-
-### sslscan
-
-### sslsniff
-
-### sslsniff
-
-### sslsplit
-
-### sslstrip
-
-### sslyze
-
-### stunnel4
-
-### tlssled
-
-Telephony Analysis
-
-
-### ace
-
-Traffic Analysis
-
-
-### 0trace
-
-### cdpsnarf
-
-### ftest
-
-### intrace
-
-### irpas-ass
-
-### irpass-cdp
-
-### p0f
-
-### tcpflow
-
-### wireshark
-
-VoIP Analysis
-
-
-### ace
-
-### enumiax
-
-VPN Analysis
-
-
-### ike-scan
diff --git a/tools/alive6.md b/tools/alive6.md
new file mode 100644
index 0000000..012c983
--- /dev/null
+++ b/tools/alive6.md
@@ -0,0 +1,41 @@
+# alive6
+
+Notes
+-------
+
+Help Text
+-------
+```
+alive6 v2.3 (c) 2013 by van Hauser / THC www.thc.org
+
+Syntax: alive6 [-I srcip6] [-i file] [-o file] [-DM] [-p] [-F] [-e opt] [-s port,..] [-a port,..] [-u port,..] [-W TIME] [-dlrvS] interface [unicast-or-multicast-address [remote-router]]
+
+Shows alive addresses in the segment. If you specify a remote router, the
+packets are sent with a routing header prefixed by fragmentation
+Options:
+ -i file check systems from input file
+ -o file write results to output file
+ -M enumerate hardware addresses (MAC) from input addresses (slow!)
+ -D enumerate DHCP address space from input addresses
+ -p send a ping packet for alive check (default)
+ -e dst,hop send an errornous packets: destination (default), hop-by-hop
+ -s port,port,.. TCP-SYN packet to ports for alive check
+ -a port,port,.. TCP-ACK packet to ports for alive check
+ -u port,port,.. UDP packet to ports for alive check
+ -d DNS resolve alive ipv6 addresses
+ -n number how often to send each packet (default: local 1, remote 2)
+ -W time time in ms to wait after sending a packet (default: 1)
+ -S slow mode, get best router for each remote target or when proxy-NA
+ -I srcip6 use the specified IPv6 address as source
+ -l use link-local address instead of global address
+ -v verbose (twice: detailed information, thrice: dumping all packets)
+Target address on command line or in input file can include ranges in the form
+of 2001:db8::1-fff or 2001:db8::1-2:0-ffff:0:0-ffff, etc.
+Returns -1 on errors, 0 if a system was found alive or 1 if nothing was found.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/arping.md b/tools/arping.md
new file mode 100644
index 0000000..7718ddf
--- /dev/null
+++ b/tools/arping.md
@@ -0,0 +1,20 @@
+# arping
+
+Notes
+-------
+
+Help Text
+-------
+```
+ARPing 2.11, by Thomas Habets
+usage: arping [ -0aAbdDeFpqrRuv ] [ -w ] [ -S ]
+ [ -T ] [ -t ] [ -c ]
+ [ -i ]
+For complete usage info, use --help or check the manpage.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/cdpsnarf.md b/tools/cdpsnarf.md
new file mode 100644
index 0000000..60e2f04
--- /dev/null
+++ b/tools/cdpsnarf.md
@@ -0,0 +1,28 @@
+# cdpsnarf
+
+Notes
+-------
+
+Help Text
+-------
+```
+CDPSnarf v0.1.6 [$Rev: 797 $] initiated.
+ Author: Tasos "Zapotek" Laskos
+
+
+ Website: http://github.com/Zapotek/cdpsnarf
+
+cdpsnarf -i [-h] [-w savefile] [-r dumpfile] [-d]
+
+ -i define the interface to sniff on
+ -w write packets to PCAP dump file
+ -r read packets from PCAP dump file
+ -d show debugging information
+ -h show help message and exit
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/detect-new-ipv6.md b/tools/detect-new-ipv6.md
new file mode 100644
index 0000000..86e4f9c
--- /dev/null
+++ b/tools/detect-new-ipv6.md
@@ -0,0 +1,22 @@
+# detect-new-ipv6
+
+Notes
+-------
+
+Help Text
+-------
+```
+detect-new-ip6 v2.3 (c) 2013 by van Hauser / THC www.thc.org
+
+Syntax: detect-new-ip6 interface [script]
+
+This tools detects new ipv6 addresses joining the local network.
+If script is supplied, it is executed with the detected IPv6 address as first
+and the interface as second command line option.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/detect_sniffer6.md b/tools/detect_sniffer6.md
new file mode 100644
index 0000000..79c4684
--- /dev/null
+++ b/tools/detect_sniffer6.md
@@ -0,0 +1,23 @@
+# detect_sniffer6
+
+Notes
+-------
+
+Help Text
+-------
+```
+detect_sniffer6 v2.3 (c) 2013 by van Hauser / THC www.thc.org
+
+Syntax: detect_sniffer6 interface [target6]
+
+Tests if systems on the local LAN are sniffing.
+Works against Windows, Linux, OS/X and *BSD
+If no target is given, the link-local-all-nodes address is used, which
+however rarely works.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/dmitry.md b/tools/dmitry.md
new file mode 100644
index 0000000..488f2d9
--- /dev/null
+++ b/tools/dmitry.md
@@ -0,0 +1,30 @@
+# dmitry
+
+Notes
+-------
+
+Help Text
+-------
+```
+Deepmagic Information Gathering Tool
+"There be some deep magic going on"
+
+Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
+ -o Save output to %host.txt or to file specified by -o file
+ -i Perform a whois lookup on the IP address of a host
+ -w Perform a whois lookup on the domain name of a host
+ -n Retrieve Netcraft.com information on a host
+ -s Perform a search for possible subdomains
+ -e Perform a search for possible email addresses
+ -p Perform a TCP port scan on a host
+* -f Perform a TCP port scan on a host showing output reporting filtered ports
+* -b Read in the banner received from the scanned port
+* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
+*Requires the -p flagged to be passed
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/dnmap_client.md b/tools/dnmap_client.md
new file mode 100644
index 0000000..6d6b52b
--- /dev/null
+++ b/tools/dnmap_client.md
@@ -0,0 +1,33 @@
+# dnmap_client
+
+Notes
+-------
+
+Help Text
+-------
+```
++----------------------------------------------------------------------+
+| dnmap Client Version 0.6 |
+| This program is free software; you can redistribute it and/or modify |
+| it under the terms of the GNU General Public License as published by |
+| the Free Software Foundation; either version 2 of the License, or |
+| (at your option) any later version. |
+| |
+| Author: Garcia Sebastian, eldraco@gmail.com |
+| www.mateslab.com.ar |
++----------------------------------------------------------------------+
+
+usage: /usr/bin/dnmap_client
+options:
+ -s, --server-ip IP address of dnmap server.
+ -p, --server-port Port of dnmap server. Dnmap port defaults to 46001
+ -a, --alias Your name alias so we can give credit to you for your help. Optional
+ -d, --debug Debuging.
+ -m, --max-rate Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/dnmap_server.md b/tools/dnmap_server.md
new file mode 100644
index 0000000..8346f56
--- /dev/null
+++ b/tools/dnmap_server.md
@@ -0,0 +1,39 @@
+# dnmap_server
+
+Notes
+-------
+
+Help Text
+-------
+```
++----------------------------------------------------------------------+
+| dnmap_server Version 0.6 |
+| This program is free software; you can redistribute it and/or modify |
+| it under the terms of the GNU General Public License as published by |
+| the Free Software Foundation; either version 2 of the License, or |
+| (at your option) any later version. |
+| |
+| Author: Garcia Sebastian, eldraco@gmail.com |
+| www.mateslab.com.ar |
++----------------------------------------------------------------------+
+
+usage: /usr/bin/dnmap_server
+options:
+ -f, --nmap-commands Nmap commands file
+ -p, --port TCP port where we listen for connections.
+ -L, --log-file Log file. Defaults to /var/log/dnmap_server.conf.
+ -l, --log-level Log level. Defaults to info.
+ -v, --verbose_level Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
+ -t, --client-timeout How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
+ -s, --sort Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
+ -P, --pem-file pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.
+
+dnmap_server uses a '.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
+just delete the '.dnmaptrace' file
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/fping.md b/tools/fping.md
new file mode 100644
index 0000000..cd2ee79
--- /dev/null
+++ b/tools/fping.md
@@ -0,0 +1,46 @@
+# fping
+
+Notes
+-------
+
+Help Text
+-------
+```
+Usage: fping [options] [targets...]
+ -a show targets that are alive
+ -A show targets by address
+ -b n amount of ping data to send, in bytes (default 68)
+ -B f set exponential backoff factor to f
+ -c n count of pings to send to each target (default 1)
+ -C n same as -c, report results in verbose format
+ -e show elapsed time on return packets
+ -f file read list of targets from a file ( - means stdin) (only if no -g specified)
+ -g generate target list (only if no -f specified)
+ (specify the start and end IP in the target list, or supply a IP netmask)
+ (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
+ -H n Set the IP TTL value (Time To Live hops)
+ -i n interval between sending ping packets (in millisec) (default 25)
+ -l loop sending pings forever
+ -m ping multiple interfaces on target host
+ -n show targets by name (-d is equivalent)
+ -p n interval between ping packets to one target (in millisec)
+ (in looping and counting modes, default 1000)
+ -q quiet (don't show per-target/per-ping results)
+ -Q n same as -q, but show summary every n seconds
+ -r n number of retries (default 3)
+ -s print final stats
+ -I if bind to a particular interface
+ -S addr set source address
+ -t n individual target initial timeout (in millisec) (default 500)
+ -T n ignored (for compatibility with fping 2.4)
+ -u show targets that are unreachable
+ -O n set the type of service (tos) flag on the ICMP packets
+ -v show version
+ targets list of targets to check (if no -f specified)
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/fragroute.md b/tools/fragroute.md
new file mode 100644
index 0000000..8d5c1ca
--- /dev/null
+++ b/tools/fragroute.md
@@ -0,0 +1,31 @@
+# fragroute
+
+Notes
+-------
+
+Help Text
+-------
+```
+Usage: fragroute [-f file] dst
+Rules:
+ delay first|last|random
+ drop first|last|random
+ dup first|last|random
+ echo ...
+ ip_chaff dup|opt|
+ ip_frag [old|new]
+ ip_opt lsrr|ssrr ...
+ ip_ttl
+ ip_tos
+ order random|reverse
+ print
+ tcp_chaff cksum|null|paws|rexmit|seq|syn|
+ tcp_opt mss|wscale
+ tcp_seg [old|new]
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/fragrouter.md b/tools/fragrouter.md
new file mode 100644
index 0000000..0a15ab1
--- /dev/null
+++ b/tools/fragrouter.md
@@ -0,0 +1,42 @@
+# fragrouter
+
+Notes
+-------
+
+Help Text
+-------
+```
+Version 1.6
+Usage: fragrouter [-i interface] [-p] [-g hop] [-G hopcount] ATTACK
+
+ where ATTACK is one of the following:
+
+ -B1: base-1: normal IP forwarding
+ -F1: frag-1: ordered 8-byte IP fragments
+ -F2: frag-2: ordered 24-byte IP fragments
+ -F3: frag-3: ordered 8-byte IP fragments, one out of order
+ -F4: frag-4: ordered 8-byte IP fragments, one duplicate
+ -F5: frag-5: out of order 8-byte fragments, one duplicate
+ -F6: frag-6: ordered 8-byte fragments, marked last frag first
+ -F7: frag-7: ordered 16-byte fragments, fwd-overwriting
+ -T1: tcp-1: 3-whs, bad TCP checksum FIN/RST, ordered 1-byte segments
+ -T3: tcp-3: 3-whs, ordered 1-byte segments, one duplicate
+ -T4: tcp-4: 3-whs, ordered 1-byte segments, one overwriting
+ -T5: tcp-5: 3-whs, ordered 2-byte segments, fwd-overwriting
+ -T7: tcp-7: 3-whs, ordered 1-byte segments, interleaved null segments
+ -T8: tcp-8: 3-whs, ordered 1-byte segments, one out of order
+ -T9: tcp-9: 3-whs, out of order 1-byte segments
+ -C2: tcbc-2: 3-whs, ordered 1-byte segments, interleaved SYNs
+ -C3: tcbc-3: ordered 1-byte null segments, 3-whs, ordered 1-byte segments
+ -R1: tcbt-1: 3-whs, RST, 3-whs, ordered 1-byte segments
+ -I2: ins-2: 3-whs, ordered 1-byte segments, bad TCP checksums
+ -I3: ins-3: 3-whs, ordered 1-byte segments, no ACK set
+ -M1: misc-1: Windows NT 4 SP2 - http://www.dataprotect.com/ntfrag/
+ -M2: misc-2: Linux IP chains - http://www.dataprotect.com/ipchains/
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/ftest.md b/tools/ftest.md
new file mode 100644
index 0000000..4daa380
--- /dev/null
+++ b/tools/ftest.md
@@ -0,0 +1,38 @@
+# ftest
+
+Notes
+-------
+
+Help Text
+-------
+```
+FTester client v1.0
+Copyright (C) 2001-2006 Andrea Barisani
+
+Configuration options:
+ -f
+ -c ::::::
+ -v
+
+Timing options:
+ -d
+ -s
+
+Evasion options:
+ -e
+ -t
+
+Connection options:
+ -r
+ -F
+ -g
+ -p
+ -k
+ -m
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/hping3.md b/tools/hping3.md
new file mode 100644
index 0000000..4cebbd5
--- /dev/null
+++ b/tools/hping3.md
@@ -0,0 +1,102 @@
+# hping3
+
+Notes
+-------
+
+Help Text
+-------
+```
+usage: hping3 host [options]
+ -h --help show this help
+ -v --version show version
+ -c --count packet count
+ -i --interval wait (uX for X microseconds, for example -i u1000)
+ --fast alias for -i u10000 (10 packets for second)
+ --faster alias for -i u1000 (100 packets for second)
+ --flood sent packets as fast as possible. Don't show replies.
+ -n --numeric numeric output
+ -q --quiet quiet
+ -I --interface interface name (otherwise default routing interface)
+ -V --verbose verbose mode
+ -D --debug debugging info
+ -z --bind bind ctrl+z to ttl (default to dst port)
+ -Z --unbind unbind ctrl+z
+ --beep beep for every matching packet received
+Mode
+ default mode TCP
+ -0 --rawip RAW IP mode
+ -1 --icmp ICMP mode
+ -2 --udp UDP mode
+ -8 --scan SCAN mode.
+ Example: hping --scan 1-30,70-90 -S www.target.host
+ -9 --listen listen mode
+IP
+ -a --spoof spoof source address
+ --rand-dest random destionation address mode. see the man.
+ --rand-source random source address mode. see the man.
+ -t --ttl ttl (default 64)
+ -N --id id (default random)
+ -W --winid use win* id byte ordering
+ -r --rel relativize id field (to estimate host traffic)
+ -f --frag split packets in more frag. (may pass weak acl)
+ -x --morefrag set more fragments flag
+ -y --dontfrag set don't fragment flag
+ -g --fragoff set the fragment offset
+ -m --mtu set virtual mtu, implies --frag if packet size > mtu
+ -o --tos type of service (default 0x00), try --tos help
+ -G --rroute includes RECORD_ROUTE option and display the route buffer
+ --lsrr loose source routing and record route
+ --ssrr strict source routing and record route
+ -H --ipproto set the IP protocol field, only in RAW IP mode
+ICMP
+ -C --icmptype icmp type (default echo request)
+ -K --icmpcode icmp code (default 0)
+ --force-icmp send all icmp types (default send only supported types)
+ --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
+ --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
+ --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
+ --icmp-help display help for others icmp options
+UDP/TCP
+ -s --baseport base source port (default random)
+ -p --destport [+][+] destination port(default 0) ctrl+z inc/dec
+ -k --keep keep still source port
+ -w --win winsize (default 64)
+ -O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
+ -Q --seqnum shows only tcp sequence number
+ -b --badcksum (try to) send packets with a bad IP checksum
+ many systems will fix the IP checksum sending the packet
+ so you'll get bad UDP/TCP checksum instead.
+ -M --setseq set TCP sequence number
+ -L --setack set TCP ack
+ -F --fin set FIN flag
+ -S --syn set SYN flag
+ -R --rst set RST flag
+ -P --push set PUSH flag
+ -A --ack set ACK flag
+ -U --urg set URG flag
+ -X --xmas set X unused flag (0x40)
+ -Y --ymas set Y unused flag (0x80)
+ --tcpexitcode use last tcp->th_flags as exit code
+ --tcp-mss enable the TCP MSS option with the given value
+ --tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
+Common
+ -d --data data size (default is 0)
+ -E --file data from file
+ -e --sign add 'signature'
+ -j --dump dump packets in hex
+ -J --print dump printable characters
+ -B --safe enable 'safe' protocol
+ -u --end tell you when --file reached EOF and prevent rewind
+ -T --traceroute traceroute mode (implies --bind and --ttl 1)
+ --tr-stop Exit when receive the first not ICMP in traceroute mode
+ --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
+ --tr-no-rtt Don't calculate/show RTT information in traceroute mode
+ARS packet description (new, unstable)
+ --apd-send Send the packet described with APD (see docs/APD.txt)
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/inverse_lookup6.md b/tools/inverse_lookup6.md
new file mode 100644
index 0000000..1b9a085
--- /dev/null
+++ b/tools/inverse_lookup6.md
@@ -0,0 +1,21 @@
+# inverse_lookup6
+
+Notes
+-------
+
+Help Text
+-------
+```
+inverse_lookup6 v2.3 (c) 2013 by van Hauser / THC www.thc.org
+
+Syntax: inverse_lookup6 interface mac-address
+
+Performs an inverse address query, to get the IPv6 addresses that are assigned
+to a MAC address. Note that only few systems support this yet.
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/lbd.md b/tools/lbd.md
new file mode 100644
index 0000000..e03b90b
--- /dev/null
+++ b/tools/lbd.md
@@ -0,0 +1,19 @@
+# lbd
+
+Notes
+-------
+
+Help Text
+-------
+```
+lbd - load balancing detector 0.1 - Checks if a given domain uses load-balancing.
+ Written by Stefan Behte (http://ge.mine.nu)
+ Proof-of-concept! Might give false positives.
+usage: /usr/bin/lbd [domain]
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/miranda.md b/tools/miranda.md
new file mode 100644
index 0000000..d0da3b9
--- /dev/null
+++ b/tools/miranda.md
@@ -0,0 +1,24 @@
+# miranda.md
+
+Notes
+-------
+
+Help Text
+-------
+```
+Command line usage: /usr/bin/miranda [OPTIONS]
+
+ -s Load previous host data from struct file
+ -l Log user-supplied commands to log file
+ -i Specify the name of the interface to use (Linux only, requires root)
+ -u Disable show-uniq-hosts-only option
+ -d Enable debug mode
+ -v Enable verbose mode
+ -h Show help
+```
+
+Example Usage
+-------
+
+Links
+-------
diff --git a/tools/ncat.md b/tools/ncat.md
new file mode 100644
index 0000000..30eef29
--- /dev/null
+++ b/tools/ncat.md
@@ -0,0 +1,65 @@
+# ncat
+
+Notes
+-------
+
+Help Text
+-------
+```
+Ncat 6.40 ( http://nmap.org/ncat )
+Usage: ncat [options] [hostname] [port]
+
+Options taking a time assume seconds. Append 'ms' for milliseconds,
+'s' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
+ -4 Use IPv4 only
+ -6 Use IPv6 only
+ -U, --unixsock Use Unix domain sockets only
+ -C, --crlf Use CRLF for EOL sequence
+ -c, --sh-exec Executes the given command via /bin/sh
+ -e, --exec Executes the given command
+ --lua-exec Executes the given Lua script
+ -g hop1[,hop2,...] Loose source routing hop points (8 max)
+ -G Loose source routing hop pointer (4, 8, 12, ...)
+ -m, --max-conns Maximum simultaneous connections
+ -h, --help Display this help screen
+ -d, --delay