ENUM4LINUX PACKAGE DESCRIPTION
A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Overview:
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
The tool usage can be found below, followed by examples; previous versions of the tool can be found at the bottom of the page.
Key features:
RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
User listing (When RestrictAnonymous is set to 0 on Windows 2000)
Listing of group membership information
Share enumeration
Detecting if host is in a workgroup or a domain
Identifying the remote operating system
Password policy retrieval (using polenum)
Source: https://labs.portcullis.co.uk/tools/enum4linux/
enum4linux Homepage | Kali enum4linux Repo
Author: Mark Lowe
License: GPLv2
TOOLS INCLUDED IN THE ENUM4LINUX PACKAGE
enum4linux
root@kali:~# enum4linux -h
enum4linux v0.8.9 (http://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2011 Mark Lowe ([email protected])
Simple wrapper around the tools in the samba package to provide similar functionality to enum.exe (formerly from www.bindview.com). Some additional features such as RID cycling have also been added for convenience.
Usage: ./enum4linux.pl [options] ip
Options are (like "enum"):
-U get userlist
-M get machine list*
-S get sharelist
-P get password policy information
-G get group and member list
-d be detailed, applies to -U and -S
-u user specify username to use (default "")
-p pass specify password to use (default "")
The following options from enum.exe aren't implemented: -L, -N, -D, -f
Additional options:
-a Do all simple enumeration (-U -S -G -P -r -o -n -i).
This option is enabled if you don't provide any other options.
-h Display this help message and exit
-r enumerate users via RID cycling
-R range RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-K n Keep searching RIDs until n consecutive RIDs don't correspond to a username. Implies RID range ends at 999999. Useful against DCs.
-l Get some (limited) info via LDAP 389/TCP (for DCs only)
-s file brute force guessing for share names
-k user User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none) Used to get sid with "lookupsid known_username"
Use commas to try several users: "-k admin,user1,user2"
-o Get OS information
-i Get printer information
-w wrkg Specify workgroup manually (usually found automatically)
-n Do an nmblookup (similar to nbtstat)
-v Verbose. Shows full commands being run (net, rpcclient, etc.)
RID cycling should extract a list of users from Windows (or Samba) hosts which have RestrictAnonymous set to 1 (Windows NT and 2000), or "Network access: Allow anonymous SID/Name translation" enabled (XP, 2003).
NB: Samba servers often seem to have RIDs in the range 3000-3050.
Dependency info: You will need to have the samba package installed as this script is basically just a wrapper around rpcclient, net, nmblookup and smbclient. Polenum from http://labs.portcullis.co.uk/application/polenum/ is required to get Password Policy info.
ENUM4LINUX USAGE EXAMPLE
Attempt to get the userlist (-U) and OS information (-o) from the target (192.168.1.200):
root@kali:~# enum4linux -U -o 192.168.1.200
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Aug 17 12:17:32 2014
==========================
| Target Information |
==========================
Target ... 192.168.1.200
RID Range ... 500-550,1000-1050
Username ... ''
Password ... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.1.200 |
======================================================
[+] Got domain/workgroup name: KALI
CATEGORIES: INFORMATION GATHERING
TAGS: ENUMERATION, INFO GATHERING, RECON, SMB
enumIAX
ENUMIAX PACKAGE DESCRIPTION
enumIAX is an Inter Asterisk Exchange protocol username brute-force enumerator. enumIAX may operate in two distinct modes; Sequential Username Guessing or Dictionary Attack.
Source: http://enumiax.sourceforge.net/
enumIAX Homepage | Kali enumIAX Repo
Author: Dustin D. Trammell
License: GPLv2
TOOLS INCLUDED IN THE ENUMIAX PACKAGE
enumiax – IAX protocol username enumerator
root@kali:~# enumiax -h
enumIAX 0.4a
Dustin D. Trammell <[email protected]>
Usage: enumiax [options] target
options:
-d <dict> Dictionary attack using <dict> file
-i <count> Interval for auto-save (# of operations, default 1000)
-m # Minimum username length (in characters)
-M # Maximum username length (in characters)
-r # Rate-limit calls (in microseconds)
-s <file> Read session state from state file
-v Increase verbosity (repeat for additional verbosity)
-V Print version information and exit
-h Print help/usage information and exit
ENUMIAX USAGE EXAMPLE
Run a dictionary attack (-d /usr/share/wordlists/metasploit/unix_users.txt) against the target host (192.168.1.1):
root@kali:~# enumiax -d /usr/share/wordlists/metasploit/unix_users.txt 192.168.1.1
CATEGORIES: INFORMATION GATHERING
TAGS: ENUMERATION, INFO GATHERING, RECON, VOIP
exploitdb
EXPLOITDB PACKAGE DESCRIPTION
Searchable archive from The Exploit Database.
exploitdb Homepage | Kali exploitdb Repo
Author: Kali Linux
License: GPLv2
TOOLS INCLUDED IN THE EXPLOITDB PACKAGE
searchsploit – Utility to search the Exploit Database archive
root@kali:~# searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
Example: searchsploit oracle windows local
=======
Options
=======
-c Perform case-sensitive searches; by default, searches will try to be greedy
-h, --help Show help screen
-v By setting verbose output, description lines are allowed to overflow their columns
*NOTES*
Use any number of search terms you would like (minimum of one).
Search terms are not case sensitive, and order is irrelevant.
EXPLOITDB USAGE EXAMPLE
Search for remote Oracle exploits for Windows:
root@kali:~# searchsploit oracle windows remote
Description | Path
------------------------------------------------------------------ | ----------------------
Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit | /windows/remote/80.c
Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit | /windows/remote/1365.pm
Oracle 9i/10g ACTIVATE_SUBSCRIPTION SQL Injection Exploit | /windows/remote/3364.pl
Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit | /windows/remote/8336.pl
Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit | /windows/remote/9652.sh
CATEGORIES: INFORMATION GATHERING
TAGS: EXPLOITATION
Fierce
FIERCE PACKAGE DESCRIPTION
First what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole Internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.
Source: http://ha.ckers.org/fierce/
Fierce Homepage | Kali Fierce Repo
Author: RSnake
License: GPLv2
TOOLS INCLUDED IN THE FIERCE PACKAGE