Merge pull request #42 from Eid010n/master

filling in information gathering menu and tools
Will Pennell 2014-03-30 14:52:32 -04:00
commit db039406eb
21 changed files with 1857 additions and 12 deletions

@ -116,30 +116,40 @@ SMB Analysis
SMTP Analysis
------------
* [first]()
* [second]()
* [third]()
* [nmap](../tools/nmap.md)
* [smtp-user-enum](../tools/smtp-user-enum.md)
* [swaks](../tools/swaks.md)
SNMP Analysis
------------
* [first]()
* [second]()
* [third]()
* [braa](../tools/braa.md)
* [cisco-auditing-tool](../tools/CAT.md)
* [cisco-torch](../tools/cisco-torch.pl.md)
* [cisco-router-config](../tools/cisco-router-config.pl.md)
* [merge-router-config](../tools/merge-router-config.pl.md)
* [nmap](../tools/nmap.md)
* [onesixtyone](../tools/onesixtyone.md)
* [snmp-check](../tools/snmpcheck.md)
SSL Analysis
------------
* [first]()
* [second]()
* [third]()
* [sslcaudit](../tools/sslcaudit.md)
* [ssldump](../tools/ssldump.md)
* [sslh](../tools/sslh.md)
* [sslscan](../tools/sslscan.md)
* [sslsniff](../tools/sslsniff.md)
* [sslstrip](../tools/sslstrip.md)
* [sslyze](../tools/sslyze.md)
* [stunnel4](../tools/stunnel4.md)
* [TLSSLed](../tools/tlssled.md)
Telephony Analysis
------------
* [first]()
* [second]()
* [third]()
* [ace](../tools/ace.md)
Traffic Analysis
------------
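
Review bot: the link `[cisco-router-config](../tools/cisco-router-config.pl.md)` does not match the page this PR adds for that tool, whose heading is `# copy-router-config.pl` and whose banner reads `Copy Cisco Router config - Using SNMP`; rename the label and path to `copy-router-config` or the menu entry will dangle. Two smaller naming mismatches in the same hunk: `[snmp-check](../tools/snmpcheck.md)` versus the page heading `# snmpcheck`, and `[cisco-auditing-tool](../tools/CAT.md)` versus `# CAT (Cisco Auditing Tool)`; pick one spelling per tool so label, file name and heading agree. Replacing the `[first]()`/`[second]()`/`[third]()` placeholders with real links is right, but `Traffic Analysis` closes the hunk with its entries out of view; confirm its placeholders were filled as well.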

27
tools/CAT.md Normal file

@ -0,0 +1,27 @@
# CAT (Cisco Auditing Tool)
Notes
-------
Help Text
-------
```
Cisco Auditing Tool - g0ne [null0]
Usage:
-h hostname (for scanning single hosts)
-f hostfile (for scanning multiple hosts)
-p port # (default port is 23)
-w wordlist (wordlist for community name guessing)
-a passlist (wordlist for password guessing)
-i [ioshist] (Check for IOS History bug)
-l logfile (file to log to, default screen)
-q quiet mode (no screen output)
```
Example Usage
-------
Links
-------
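
Review bot: `Notes`, `Example Usage` and `Links` are all empty headings, so the page adds nothing beyond the raw help. Give at least one invocation built from the documented switches, e.g. `CAT -h 192.0.2.1 -w communities.txt -a passwords.txt`, and say in `Notes` that `-w` guesses SNMP community names while `-a` guesses passwords against the default port 23 (Telnet), so both are noisy, active checks rather than passive enumeration; `-f hostfile` and `-l logfile` are what a tester needs for a range, and are worth a line too.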

@ -5,9 +5,13 @@ Notes
Help Text
-------
```
Text output goes here
```
Example Usage
-------
Links
-------
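
Review bot: the `Help Text` fence in this file still holds the template placeholder `Text output goes here`, and `Notes`, `Example Usage` and `Links` are bare headings; the hunk grows the file from 9 to 13 lines, yet every visible line is template. Either paste the tool's real help output or keep the file out of the menu until it has content, since a reader following the new link will land on a stub.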

52
tools/ace.md Normal file

@ -0,0 +1,52 @@
# ace Automated Corporate (Data) Enumerator
Notes
-------
Help Text
-------
```
ACE v1.10: Automated Corporate (Data) Enumerator
Usage: ace [-i interface] [ -m mac address ] [ -t tftp server ip address | -c cdp mode | -v voice vlan id | -r vlan interface | -d verbose mode ]
-i <interface> (Mandatory) Interface for sniffing/sending packets
-m <mac address> (Mandatory) MAC address of the victim IP phone
-t <tftp server ip> (Optional) tftp server ip address
-c <cdp mode 0|1 > (Optional) 0 CDP sniff mode, 1 CDP spoof mode
-v <voice vlan id> (Optional) Enter the voice vlan ID
-r <vlan interface> (Optional) Removes the VLAN interface
-d (Optional) Verbose | debug mode
Example Usages:
Usage requires MAC Address of IP Phone supplied with -m option
Usage: ace -t <TFTP-Server-IP> -m <MAC-Address>
Mode to automatically discover TFTP Server IP via DHCP Option 150 (-m)
Example: ace -i eth0 -m 00:1E:F7:28:9C:8e
Mode to specify IP Address of TFTP Server
Example: ace -i eth0 -t 192.168.10.150 -m 00:1E:F7:28:9C:8e
Mode to specify the Voice VLAN ID
Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E
Verbose mode
Example: ace -i eth0 -v 96 -m 00:1E:F7:28:9C:8E -d
Mode to remove vlan interface
Example: ace -r eth0.96
Mode to auto-discover voice vlan ID in the listening mode for CDP
Example: ace -i eth0 -c 0 -m 00:1E:F7:28:9C:8E
Mode to auto-discover voice vlan ID in the spoofing mode for CDP
Example: ace -i eth0 -c 1 -m 00:1E:F7:28:9C:8E
```
Example Usage
-------
Links
-------
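
Review bot: `Example Usage` is empty although the pasted help already carries several worked invocations; lift one into the section, but not `Usage: ace -t <TFTP-Server-IP> -m <MAC-Address>`, because the option list marks `-i <interface>` as mandatory and every concrete example in the text includes it (`ace -i eth0 -t 192.168.10.150 -m 00:1E:F7:28:9C:8e`). `Notes` should also say that `-c 1` spoofs CDP on the wire and `-c 0` only sniffs it, and that the VLAN sub-interface the tool creates is left behind until `ace -r eth0.96` is run, so a test should end with that cleanup.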

51
tools/braa.md Normal file

@ -0,0 +1,51 @@
# Braa
Notes
-------
Help Text
-------
```
braa 0.81 - Mateusz 'mteg' Golicz <mtg@elsat.net.pl>, 2003 - 2006
usage: braa [options] [query1] [query2] ...
-h Show this help.
-2 Claim to be a SNMP2C agent.
-v Show short summary after doing all queries.
-x Hexdump octet-strings
-t <s> Wait <s> seconds for responses.
-d <s> Wait <s> microseconds after sending each packet.
-p <s> Wait <s> miliseconds between subsequent passes.
-f <file> Load queries from file <file> (one by line).
-a <time> Quit after <time> seconds, independent on what happens.
-r <rc> Retry count (default: 3).
Query format:
GET: [community@]iprange[:port]:oid[/id]
WALK: [community@]iprange[:port]:oid.*[/id]
SET: [community@]iprange[:port]:oid=value[/id]
Examples:
public@10.253.101.1:161:.1.3.6.*
10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme
10.253.101.1:.1.3.6.1.2.1.1.1.0/description
It is also possible to specify multiple queries at once:
10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme,.1.3.6.*
(Will set .1.3.6.1.2.1.1.4.0 to 'me' and do a walk starting from .1.3.6)
Values for SET queries have to be prepended with a character specifying the value type:
i is INTEGER
a is IPADDRESS
s is OCTET STRING
o is OBJECT IDENTIFIER
If the type specifier is missing, the value type is auto-detected
```
Example Usage
-------
Links
-------
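
Review bot: the pasted examples include SET queries, and the help's own gloss says `10.253.101.1-10.253.101.255:.1.3.6.1.2.1.1.4.0=sme,.1.3.6.*` sets `.1.3.6.1.2.1.1.4.0` (sysContact) on every host in the range; `Notes` must warn that any query of the form `oid=value` writes to the device and that these examples are not safe to copy as-is. The same section should record that braa is a range scanner (`iprange`, `-d` per-packet delay, `-p` delay between passes, `-a` hard time limit), which is what separates it from snmpcheck on the same menu. The heading `# Braa` is the only capitalised one among the new pages; make it `# braa`.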

45
tools/cisco-torch.pl.md Normal file

@ -0,0 +1,45 @@
# cisco-torch.pl
Notes
-------
Help Text
-------
```
Using config file torch.conf...
Loading include and plugin ...
version
usage: ./cisco-torch.pl <options> <IP,hostname,network>
or: ./cisco-torch.pl <options> -F <hostlist>
Available options:
-O <output file>
-A All fingerprint scan types combined
-t Cisco Telnetd scan
-s Cisco SSHd scan
-u Cisco SNMP scan
-g Cisco config or tftp file download
-n NTP fingerprinting scan
-j TFTP fingerprinting scan
-l <type> loglevel
c critical (default)
v verbose
d debug
-w Cisco Webserver scan
-z Cisco IOS HTTP Authorization Vulnerability Scan
-c Cisco Webserver with SSL support scan
-b Password dictionary attack (use with -s, -u, -c, -w , -j or -t only)
-V Print tool version and exit
examples: ./cisco-torch.pl -A 10.10.0.0/16
./cisco-torch.pl -s -b -F sshtocheck.txt
./cisco-torch.pl -w -z 10.10.0.0/16
./cisco-torch.pl -j -b -g -F tftptocheck.txt
```
Example Usage
-------
Links
-------
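
Review bot: the first three lines of the `Help Text` block (`Using config file torch.conf...`, `Loading include and plugin ...`, `version`) are startup chatter and a word echoed from the invocation, not usage text; start the fence at `usage:`. `Notes` should flag `-b` as a password dictionary attack (the help limits it to `-s`, `-u`, `-c`, `-w`, `-j` or `-t`) and `-z` as a vulnerability scan, since both are intrusive next to the fingerprint-only `-A`, and `-g` downloads configs over TFTP, so a run with `-j -b -g` is far from the passive enumeration the menu heading suggests.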

@ -0,0 +1,25 @@
# copy-router-config.pl
Notes
-------
Help Text
-------
```
######################################################
# Copy Cisco Router config - Using SNMP
# Hacked up by muts - muts@offensive-security.com
#######################################################
Usage : ./copy-copy-config.pl <router-ip> <tftp-serverip> <community>
Make sure a TFTP server is set up, prefferably running from /tmp !
```
Example Usage
-------
Links
-------
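
Review bot: the usage line names the script `./copy-copy-config.pl` while the page heading is `copy-router-config.pl`; the help is pasted as the tool prints it, so `Notes` should say which name is actually installed so readers do not copy the wrong one. The same note should spell out the workflow the usage only implies: a TFTP server reachable from the router must be listening before the run (`Make sure a TFTP server is set up`), and `<community>` is used to instruct the router over SNMP to push its config to that server, which requires a community with write access, not the read-only `public` the other SNMP pages assume. The menu hunk links this page as `cisco-router-config.pl.md`; confirm the file name matches.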

@ -0,0 +1,25 @@
# merge-router-config.pl
Notes
-------
Help Text
-------
```
######################################################
# Merge Cisco Router config - Using SNMP
# Hacked up by muts - muts@offensive-security.com
#######################################################
Usage : ./merge-copy-config.pl <router-ip> <tftp-serverip> <community>
Make sure a TFTP server is set up, prefferably running from /tmp !
```
Example Usage
-------
Links
-------
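
Review bot: `Notes` must carry a safety point this page currently lacks: the banner `Merge Cisco Router config - Using SNMP` means the tool pushes a config file from the TFTP server into the router's configuration, so it changes the device rather than reading it and needs a write community; it should only be run against an in-scope device with a config you intend to apply. The usage line also shows `./merge-copy-config.pl`, which does not match the heading `merge-router-config.pl`; note the installed name alongside the TFTP prerequisite (`Make sure a TFTP server is set up`).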

26
tools/onesixtyone.md Normal file

@ -0,0 +1,26 @@
# onesixtyone
Notes
-------
Help Text
-------
```
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100
```
Example Usage
-------
Links
-------
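
Review bot: the examples in the pasted help invoke the binary as `./s` (`./s -c dict.txt 192.168.4.1 public`), the upstream build name, not the command a reader of this repo will type; `Example Usage` should show `onesixtyone -c dict.txt -i hosts -o my.log`. Two details in the help deserve a line in `Notes`: `-q` says `use with -l` but no `-l` option exists in the list (the log switch is `-o`), and the default inter-packet wait `-w` is 10 ms, so a large `-i` list is sprayed quickly and is easy to spot in SNMP logs.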

46
tools/smtp-user-enum.md Normal file

@ -0,0 +1,46 @@
# smtp-user-enum
Notes
-------
Help Text
-------
```
smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
Usage: smtp-user-enum.pl [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )
options are:
-m n Maximum number of processes (default: 5)
-M mode Method to use for username guessing EXPN, VRFY or RCPT (default: VRFY)
-u user Check if user exists on remote system
-f addr MAIL FROM email address. Used only in "RCPT TO" mode (default: user@example.com)
-D dom Domain to append to supplied user list to make email addresses (Default: none)
Use this option when you want to guess valid email addresses instead of just usernames
e.g. "-D example.com" would guess foo@example.com, bar@example.com, etc. Instead of
simply the usernames foo and bar.
-U file File of usernames to check via smtp service
-t host Server host running smtp service
-T file File of hostnames running the smtp service
-p port TCP port on which smtp service runs (default: 25)
-d Debugging output
-t n Wait a maximum of n seconds for reply (default: 5)
-v Verbose
-h This help message
Also see smtp-user-enum-user-docs.pdf from the smtp-user-enum tar ball.
Examples:
$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
$ smtp-user-enum.pl -M EXPN -u admin1 -t 10.0.0.1
$ smtp-user-enum.pl -M RCPT -U users.txt -T mail-server-ips.txt
$ smtp-user-enum.pl -M EXPN -D example.com -U users.txt -t 10.0.0.1
```
Example Usage
-------
Links
-------
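
Review bot: the option list defines `-t` twice (`-t host` and `-t n` for the reply timeout), copied from the upstream help; `Notes` should say which meaning the installed version honours rather than leaving readers to guess. `Example Usage` is empty although the help ends with four ready examples; lift `smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1` and add that the `-M` choice matters, since servers that refuse `VRFY` and `EXPN` can still reveal users through `RCPT` (the `-f` MAIL FROM option exists for that mode only).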

35
tools/snmpcheck.md Normal file

@ -0,0 +1,35 @@
# snmpcheck
Notes
-------
Help Text
-------
```
snmpcheck.pl v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
Usage ./snmpcheck.pl -t <IP address>
-t : target host;
-p : SNMP port; default port is 161;
-c : SNMP community; default is public;
-v : SNMP version (1,2); default is 1;
-r : request retries; default is 0;
-w : detect write access (separate action by enumeration);
-d : disable 'TCP connections' enumeration!
-T : force timeout in seconds; default is 20. Max is 60;
-D : enable debug;
-h : show help menu;
```
Example Usage
-------
Links
-------
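
Review bot: `-w : detect write access (separate action by enumeration)` is the one switch on this page that is not read-only; `Notes` should say it is an active check that attempts a write with the supplied community and is off by default, so a plain `snmpcheck -t <IP>` stays passive. Also worth recording from the help: defaults are community `public`, version 1 and port 161, so `-v 2` is needed for SNMPv2c-only targets. The menu labels this page `snmp-check` while heading and file name are `snmpcheck`; align them.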

55
tools/sslcaudit.md Normal file

@ -0,0 +1,55 @@
# sslcaudit
Notes
-------
Help Text
-------
```
Usage: sslcaudit [OPTIONS]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
-l LISTEN_ON Specify IP address and TCP PORT to listen on, in
format of HOST:PORT. Default is 0.0.0.0:8443
-m MODULES Launch specific modules. For now the only functional
module is 'sslcert'. There is also 'dummy' module used
for internal testing or as a template code for new
modules. Default is sslcert
-v VERBOSE Increase verbosity level. Default is 0. Try 1.
-d DEBUG_LEVEL Set debug level. Default is 0, which disables
debugging output. Try 1 to enable it.
-c NCLIENTS Number of clients to handle before quitting. By
default sslcaudit will quit as soon as it gets one
client fully processed.
-N TEST_NAME Set the name of the test. If specified will appear in
the leftmost column in the output.
-T SELF_TEST Launch self-test. 0 - plain TCP client, 1 - CN
verifying client, 2 - curl.
--user-cn=USER_CN Set user-specified CN.
--server=SERVER Where to fetch the server certificate from, in
HOST:PORT format.
--user-cert=USER_CERT_FILE
Set path to file containing the user-supplied
certificate.
--user-key=USER_KEY_FILE
Set path to file containing the user-supplied key.
--user-ca-cert=USER_CA_CERT_FILE
Set path to file containing certificate for user-
supplied CA.
--user-ca-key=USER_CA_KEY_FILE
Set path to file containing key for user-supplied CA.
--no-default-cn Do not use default CN
--no-self-signed Don't try self-signed certificates
--no-user-cert-signed
Do not sign server certificates with user-supplied one
```
Example Usage
-------
Links
-------
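
Review bot: `Notes` should state up front that sslcaudit audits TLS clients, not servers: it listens (`-l`, default `0.0.0.0:8443`), presents test certificates (self-signed, signed by the `--user-ca-cert` CA, user-specified CN) to whatever connects, and quits after one client unless `-c NCLIENTS` is raised. Readers arriving from the SSL Analysis menu next to sslscan and sslyze will otherwise point it at a server and get nothing. `--server=SERVER` is the only option that contacts the real server (it fetches that server's certificate as a template), so call it out, and `-T SELF_TEST` is how to confirm the listener works before a client is sent to it.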

19
tools/ssldump.md Normal file

@ -0,0 +1,19 @@
# ssldump
Notes
-------
Help Text
-------
```
Usage: ssldump [-r dumpfile] [-i interface]
[-k keyfile] [-p password] [-vtaTnsAxVNde]
[filter]
```
Example Usage
-------
Links
-------
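
Review bot: the three-line synopsis names a block of flags (`-vtaTnsAxVNde`) without explaining any of them, so the page needs either the long help or a `Notes` entry for the ones that matter: `-r dumpfile` reads a capture, `-i interface` captures live, and `-k keyfile` / `-p password` take the server's private key and its passphrase. `Notes` should also say that the key only lets ssldump decrypt sessions whose key exchange that key can unwrap; against a server negotiating ephemeral key exchange the output is the handshake only, not application data.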

35
tools/sslh.md Normal file

@ -0,0 +1,35 @@
# sslh
Notes
-------
Help Text
-------
```
sslh: option '--http' requires an argument
sslh v1.13b
usage:
sslh [-v] [-i] [-V] [-f] [-n] [-F <file>]
[-t <timeout>] [-P <pidfile>] -u <username> -p <add> [-p <addr> ...]
-v: verbose
-V: version
-f: foreground
-n: numeric output
-F: use configuration file
-t: timeout before connecting to SSH.
-p: address and port to listen on.
Can be used several times to bind to several addresses.
--[ssh,ssl,...]: where to connect connections from corresponding protocol.
-F: specify a configuration file
-P: PID file.
-i: Run as a inetd service.
```
Example Usage
-------
Links
-------
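
Review bot: the first line of the fence, `sslh: option '--http' requires an argument`, is the error from the command used to capture the help, not part of the usage; remove it. `Notes` should say that sslh is not an analysis tool: it listens on one port (`-p`) and hands each connection to an SSH or SSL back-end according to what the client sends first (`--[ssh,ssl,...]: where to connect connections from corresponding protocol`, `-t: timeout before connecting to SSH`), so the page should explain what a tester uses it for instead of leaving it unexplained between sslcaudit and sslscan. The upstream text also lists `-F` twice; trim to one line when the page is edited.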

65
tools/sslscan.md Normal file

@ -0,0 +1,65 @@
# sslscan
Notes
-------
Help Text
-------
```
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | '_ \
\__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009
SSLScan is a fast SSL port scanner. SSLScan connects to SSL
ports and determines what ciphers are supported, which are
the servers preferred ciphers, which SSL protocols are
supported and returns the SSL certificate. Client
certificates / private key can be configured and output is
to text / XML.
Command:
sslscan [Options] [host:port | host]
Options:
--targets=<file> A file containing a list of hosts to
check. Hosts can be supplied with
ports (i.e. host:port).
--no-failed List only accepted ciphers (default
is to listing all ciphers).
--ssl2 Only check SSLv2 ciphers.
--ssl3 Only check SSLv3 ciphers.
--tls1 Only check TLSv1 ciphers.
--pk=<file> A file containing the private key or
a PKCS#12 file containing a private
key/certificate pair (as produced by
MSIE and Netscape).
--pkpass=<password> The password for the private key or
PKCS#12 file.
--certs=<file> A file containing PEM/ASN1 formatted
client certificates.
--starttls If a STARTTLS is required to kick an
SMTP service into action.
--http Test a HTTP connection.
--bugs Enable SSL implementation bug work-
arounds.
--xml=<file> Output results to an XML file.
--version Display the program version.
--help Display the help text you are now
reading.
Example:
sslscan 127.0.0.1
```
Example Usage
-------
Links
-------
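
Review bot: the ASCII banner lost its alignment in the paste, which is harmless inside the fence but adds nothing; start the block at `Version 1.8.2`. `Example Usage` is empty although the help supplies `sslscan 127.0.0.1`; extend it with the switches a tester actually reaches for, `--no-failed` to list only accepted ciphers, `--starttls` for SMTP, `--targets=<file>` for a list and `--xml=<file>` for reporting. `Notes` should record that this 1.8.2 build only knows `--ssl2`, `--ssl3` and `--tls1`, so it cannot enumerate TLS 1.1 or 1.2 separately; sslyze on the same menu does.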

40
tools/sslsniff.md Normal file

@ -0,0 +1,40 @@
# sslsniff
Notes
-------
Help Text
-------
```
Usage: sslsniff [options]
Modes:
-a Authority mode. Specify a certificate that will act as a CA.
-t Targeted mode. Specify a directory full of certificates to target.
Required Options:
-c <file|directory> File containing CA cert/key (authority mode) or
directory containing a collection of certs/keys
(targeted mode)
-s <port> Port to listen on for SSL interception.
-w <file> File to log to
Optional Options:
-u <updateLocation> Loction of any Firefox XML update files.
-m <certificateChain> Location of any intermediary certificates.
-h <port> Port to listen on for HTTP interception (required for
fingerprinting).
-f <ff,ie,safari,opera,ios> Only intercept requests from the specified browser(s).
-d Deny OCSP requests for our certificates.
-p Only log HTTP POSTs
-e <url> Intercept Mozilla Addon Updates
-j <sha256> The sha256sum value of the addon to inject
```
Example Usage
-------
Links
-------
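
Review bot: `Notes` should make explicit what the option list only implies: sslsniff is a man-in-the-middle, so traffic must already be redirected to the `-s` listener (and to `-h` if browser fingerprinting is wanted); authority mode (`-a`, with `-c <file>` holding the CA cert and key) only yields accepted certificates if that CA is trusted by the victim, otherwise the client sees a warning, and targeted mode (`-t`) relies on the certs in the directory instead. `-d` (deny OCSP), `-e <url>` and `-j <sha256>` (Firefox add-on update injection) go beyond interception and should be flagged as such. Also worth a word: `-h` here is the HTTP port, not help, so do not tell readers to run `sslsniff -h`.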

29
tools/sslstrip.md Normal file

@ -0,0 +1,29 @@
# sslstrip
Notes
-------
Help Text
-------
```
sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>
Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port> Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
```
Example Usage
-------
Links
-------
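
Review bot: the page needs a `Notes` line on what the help leaves implicit: sslstrip only sees traffic that has been redirected to its listener (`-l`, default 10000), logs only POSTs by default (`-p`), and `-k` actively kills sessions in progress, so that is the switch to avoid on a shared network during a test. The `-w` log holds intercepted POST bodies in the clear; say where it lands and that it must be handled as captured credentials.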

108
tools/sslyze.md Normal file

@ -0,0 +1,108 @@
# sslyze
Notes
-------
Help Text
-------
```
REGISTERING AVAILABLE PLUGINS
-----------------------------
PluginCompression
PluginOpenSSLCipherSuites
PluginSessionResumption
PluginCertInfo
PluginSessionRenegotiation
Usage: sslyze [options] target1.com target2.com:443 etc...
Options:
--version show program's version number and exit
-h, --help show this help message and exit
--xml_out=XML_FILE Writes the scan results as an XML document to the file
XML_FILE.
--targets_in=TARGETS_IN
Reads the list of targets to scan from the file
TARGETS_IN. It should contain one host:port per line.
--timeout=TIMEOUT Sets the timeout value in seconds used for every
socket connection made to the target server(s).
Default is 5s.
--https_tunnel=HTTPS_TUNNEL
Sets an HTTP CONNECT proxy to tunnel SSL traffic to
the target server(s). HTTP_TUNNEL should be
'host:port'. Requires Python 2.7
--starttls=STARTTLS Identifies the target server(s) as a SMTP or an XMPP
server(s) and scans the server(s) using STARTTLS.
STARTTLS should be 'smtp' or 'xmpp'.
--xmpp_to=XMPP_TO Optional setting for STARTTLS XMPP. XMPP_TO should be
the hostname to be put in the 'to' attribute of the
XMPP stream. Default is the server's hostname.
--regular Regular HTTPS scan; shortcut for --sslv2 --sslv3
--tlsv1 --reneg --resum --certinfo --http_get
--hide_rejected_ciphers --compression --tlsv1_1
--tlsv1_2
Client certificate support:
--cert=CERT Client certificate filename.
--certform=CERTFORM
Client certificate format. DER or PEM (default).
--key=KEY Client private key filename.
--keyform=KEYFORM Client private key format. DER or PEM (default).
--pass=KEYPASS Client private key passphrase.
PluginCompression:
--compression Tests the server for Zlib compression support.
PluginOpenSSLCipherSuites:
Scans the target server for supported OpenSSL cipher suites.
--sslv2 Lists the SSL 2.0 OpenSSL cipher suites supported by
the server.
--sslv3 Lists the SSL 3.0 OpenSSL cipher suites supported by
the server.
--tlsv1 Lists the TLS 1.0 OpenSSL cipher suites supported by
the server.
--tlsv1_1 Lists the TLS 1.1 OpenSSL cipher suites supported by
the server.
--tlsv1_2 Lists the TLS 1.2 OpenSSL cipher suites supported by
the server.
--http_get Option - For each cipher suite, sends an HTTP GET
request after completing the SSL handshake and returns
the HTTP status code.
--hide_rejected_ciphers
Option - Hides the (usually long) list of cipher
suites that were rejected by the server.
PluginSessionResumption:
Analyzes the target server's SSL session resumption capabilities.
--resum Tests the server for session ressumption support,
using session IDs and TLS session tickets (RFC 5077).
--resum_rate Performs 100 session resumptions with the target
server, in order to estimate the session resumption
rate.
PluginCertInfo:
--certinfo=CERTINFO
Verifies the target server's certificate validity
against Mozilla's trusted root store, and prints
relevant fields of the certificate. CERTINFO should be
'basic' or 'full'.
PluginSessionRenegotiation:
--reneg Tests the target server's support for client-initiated
renegotiations and secure renegotiations.
```
Example Usage
-------
Links
-------
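
Review bot: the fence opens with the `REGISTERING AVAILABLE PLUGINS` chatter; start it at `Usage:`. `Example Usage` should use the shortcut the help itself defines, `sslyze --regular target1.com:443`, since `--regular` expands to the protocol, renegotiation, resumption, certificate and compression checks a reader would otherwise assemble by hand. Two caveats for `Notes`: `--certinfo` validates against Mozilla's root store only, so an internal CA shows as untrusted even when the client population trusts it, and `--resum_rate` opens 100 connections to the target, which is worth knowing before running it against production.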

32
tools/stunnel4.md Normal file

@ -0,0 +1,32 @@
# stunnel4
Notes
-------
Help Text
-------
```
Clients allowed=500
stunnel 4.53 on i486-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from file -h
-h: No such file or directory (2)
Cannot read configuration
Syntax:
stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
<filename> - use specified config file
-fd <n> - read the config file from a file descriptor
-help - get config file help
-version - display version and defaults
-sockets - display default socket options
str_stats: 1 block(s), 3 data byte(s), 42 control byte(s)
```
Example Usage
-------
Links
-------
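
Review bot: the `Help Text` block is not help output: `Reading configuration from file -h` / `-h: No such file or directory (2)` / `Cannot read configuration` show that `-h` was passed and treated as a config file name. The `Syntax:` lines list the real switch, `-help`; re-capture with `stunnel4 -help` and drop the `Clients allowed=500`, build banner and `str_stats:` lines, which are runtime noise. `Notes` should say stunnel is a TLS wrapper driven by a config file, not a scanner, which is why it takes `<filename>` rather than a target and why it sits oddly under SSL Analysis.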

1090
tools/swaks.md Normal file

File diff suppressed because it is too large
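
Review bot: `tools/swaks.md` is 1090 lines, by far the largest file in this PR, which suggests the full manual was pasted into `Help Text` instead of the short help summary every other new page uses. Trim it to the usage synopsis and put a link to the manual under `Links`; a reviewer cannot check a diff the site refuses to render.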

26
tools/tlssled.md Normal file

@ -0,0 +1,26 @@
# tlssled
Notes
-------
Help Text
-------
```
------------------------------------------------------
TLSSLed - (1.2) based on sslscan and openssl
by Raul Siles (www.taddong.com)
------------------------------------------------------
+ openssl version: OpenSSL 1.0.1e 11 Feb 2013
+ sslscan version 1.8.2
------------------------------------------------------
Usage: /usr/bin/tlssled HOSTNAME_or_IP PORT
```
Example Usage
-------
Links
-------
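
Review bot: the pasted header says TLSSLed is `based on sslscan and openssl` and reports `sslscan version 1.8.2`, so `Notes` should state that both must be installed and that its results inherit that sslscan build's limits (only `--ssl2`, `--ssl3` and `--tls1` checks). `Example Usage` is empty while the synopsis is a one-liner; `tlssled 192.0.2.10 443`, with the note that the port argument is mandatory, would do.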