ARP detection with Netdiscover, port scanning with Zenmap, and the "dark" search engine Shodan
ARP detection tool -- Netdiscover
Netdiscover is an active/passive ARP reconnaissance tool covered in the Kali Linux penetration testing tutorial. It is particularly useful on wireless networks that do not use DHCP, where there is no lease table to read. Netdiscover can sweep a range of IP addresses with ARP requests and list the hosts that answer, or run passively and record the ARP requests other hosts send. The following describes how to use the Netdiscover tool.
First, check the help information of the Netdiscover tool and execute the following command:
root@kali:~# netdiscover -h
Netdiscover 0.3-beta7 [Active/passive arp reconnaissance tool]
Written by: Jaime Penalba
Usage: netdiscover [-i device] [-r range | -l file | -p] [-s time] [-n node] [-c count] [-f] [-d] [-S] [-P] [-C]
  -i device: your network device
  -r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
  -l file: scan the list of ranges contained into the given file
  -p passive mode: do not send anything, only sniff
  -F filter: Customize pcap filter expression (default: "arp")
  -s time: time to sleep between each arp request (milliseconds)
  -n node: last ip octet used for scanning (from 2 to 253)
  -c count: number of times to send each arp request (for nets with packet loss)
  -f enable fastmode scan, saves a lot of time, recommended for auto
  -d ignore home config files for autoscan and fast mode
  -S enable sleep time suppression between each request (hardcore mode)
  -P print results in a format suitable for parsing by another program
  -L in parsable output mode (-P), continue listening after the active scan is completed
If -r, -l or -p are not enabled, netdiscover will scan for common lan addresses.
The output shows the syntax and the available options of Netdiscover. Note that the options are case-sensitive: -r sets the range, -p selects passive mode, and the upper-case -P switches to the parsable output format that scripts can consume.
[Instance 3-3] Use Netdiscover to scan all hosts in the LAN. Run the following command:
root@kali:~# netdiscover
After the preceding command is executed, the following information is displayed:
Currently scanning: 10.7.99.0/8   |   Screen View: Unique Hosts
692 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 41520
_____________________________________________________________________________
  IP              At MAC Address       Count   Len     MAC Vendor
-----------------------------------------------------------------------------
  192.168.6.102   00:e0:1c:3c:18:79    296     17760   Cradlepoint, Inc
  192.168.6.1     14:e6:e4:ac:fb:20    387     23220   Unknown vendor
  192.168.6.110   00:0c:29:2e:2b:02    9       540     VMware, Inc.
The output shows that three hosts were discovered. Count is the number of ARP packets seen from each host and Len is their total size (60 bytes per packet). The MAC Vendor column is looked up from the OUI prefix of the MAC address, which is why 192.168.6.110 (prefix 00:0c:29) is immediately recognizable as a VMware guest.
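Netdiscover's passive mode is also a cheap way to notice ARP spoofing on the segment. The script below is an added example, not code from the page or from Netdiscover: it parses rows in the IP / MAC / Count / Len / Vendor layout shown above (the -P output is assumed to lead with the same four columns, which is all the parser relies on) and flags an IP answered by more than one MAC, or one MAC claiming several IPs. The sample rows are constructed; the first three copy the scan above and the fourth is invented to show a spoofed gateway.

```python
"""Parse Netdiscover host rows and flag ARP anomalies (added example)."""
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample in Netdiscover's column layout. The last row is invented:
# the VMware guest's MAC is now also answering for the gateway's IP.
SAMPLE = """\
 192.168.6.102   00:e0:1c:3c:18:79    296   17760  Cradlepoint, Inc
 192.168.6.1     14:e6:e4:ac:fb:20    387   23220  Unknown vendor
 192.168.6.110   00:0c:29:2e:2b:02      9     540  VMware, Inc.
 192.168.6.1     00:0c:29:2e:2b:02     12     720  VMware, Inc.
"""


def parse_netdiscover(text):
    """Return one dict per row that looks like IP MAC COUNT LEN VENDOR.

    Header, separator and summary lines fail the IP/int checks and are skipped.
    """
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, mac, count, length = parts[:4]
        try:
            ipaddress.ip_address(ip)
            count, length = int(count), int(length)
        except ValueError:
            continue
        if not MAC_RE.match(mac):
            continue
        hosts.append({"ip": ip, "mac": mac.lower(), "count": count,
                      "len": length, "vendor": " ".join(parts[4:])})
    return hosts


def arp_anomalies(hosts):
    """Cross-index IP<->MAC and report every conflict.

    An IP seen from two MACs is the classic poisoning signature; one MAC
    claiming several IPs is a host impersonating the gateway and others.
    """
    by_ip = defaultdict(set)
    by_mac = defaultdict(set)
    for h in hosts:
        by_ip[h["ip"]].add(h["mac"])
        by_mac[h["mac"]].add(h["ip"])
    return {
        "ip_with_many_macs": {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1},
        "mac_with_many_ips": {mac: sorted(i) for mac, i in by_mac.items() if len(i) > 1},
    }


if __name__ == "__main__":
    rows = parse_netdiscover(SAMPLE)
    print(f"{len(rows)} rows parsed")
    for kind, conflicts in arp_anomalies(rows).items():
        for key, others in conflicts.items():
            print(f"{kind}: {key} -> {', '.join(others)}")
```

Feed it the saved output of `netdiscover -p -P` on a quiet segment and an empty report is the expected result; a gateway IP that suddenly appears under a second MAC is worth investigating before trusting anything else the scan shows.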
Port scanner -- Zenmap
Zenmap is the official graphical front-end of the Nmap security scanner: an open-source, cross-platform tool for network discovery and security auditing. It can quickly map a large network or inspect a single host, for example to enumerate the services a host exposes and guess its operating system. This section describes how to use the Zenmap tool.
[Instance 3-4] Use Zenmap to scan all hosts in the 192.168.6.0/24 network. The procedure is as follows:
(1) Start the Zenmap tool. On the Kali Linux desktop, select Applications | Kali Linux | Information Gathering | DNS Analysis | zenmap. The window shown in Figure 3.2 is displayed.
Figure 3.2 Zenmap startup page
Or execute the following command on the terminal:
root@kali:~# zenmap
(2) The Zenmap window has three parts. The top part is used to specify the scan target, the profile, and the resulting Nmap command; the left part lists the scanned hosts; the right part shows the scan details. Enter 192.168.6.0/24 in the Target box and click Scan. With the default Intense scan profile, the Command box reads nmap -T4 -A -v 192.168.6.0/24 (aggressive timing, OS and version detection, script scanning and traceroute); the window shown in Figure 3.3 is displayed.
Figure 3.3 scan results
(3) You can now see the details of every host in 192.168.6.0/24. The live hosts are listed in the left column of Zenmap, and the Nmap output is shown in the right column. The tabs switch between the Nmap output, the ports/hosts view, the topology and the host details. For example, the Ports / Hosts tab for 192.168.6.1 is shown in Figure 3.4.
Figure 3.4 host port number information
(4) Ports 80 (HTTP) and 1900 (UPnP/SSDP) are open on host 192.168.6.1. To view the details of the host, select the Host Details tab; the page shown in Figure 3.5 is displayed.
Figure 3.5 host details
(5) You can view the host status, address, and operating system on this page.
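Everything Zenmap displays comes from Nmap's XML output, so the same information can be processed without the GUI by adding -oX scan.xml to the command. The script below is an added example, not part of the page or of the Nmap project: it reads Nmap XML and reports, for every host that is up, its MAC, the best OS match and its open ports, then answers the kind of question the Ports / Hosts tab answers by clicking. The XML is a constructed sample in Nmap's -oX schema, mirroring the 192.168.6.1 host above plus two invented hosts.

```python
"""Summarize Nmap -oX output the way Zenmap's Ports / Hosts tab does (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample; the element names and attributes follow Nmap's XML output.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v -oX scan.xml 192.168.6.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.6.1" addrtype="ipv4"/>
    <address addr="14:E6:E4:AC:FB:20" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="1900"><state state="open"/><service name="upnp"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.6.50" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.6.110" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac": ..., "os": ..., "open": [(proto, port, service), ...]}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Zenmap's host list also hides hosts that are down
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                open_ports.append((port.get("protocol"), int(port.get("portid")),
                                   svc.get("name") if svc is not None else None))
        osmatch = host.find("os/osmatch")  # first osmatch is Nmap's best guess
        summary[ip] = {"mac": mac,
                       "os": osmatch.get("name") if osmatch is not None else None,
                       "open": sorted(open_ports, key=lambda p: (p[0], p[1]))}
    return summary


def hosts_with_port(summary, port, proto="tcp"):
    """IPs exposing a given port, e.g. every host answering on 80."""
    return sorted(ip for ip, h in summary.items()
                  if any(p == proto and n == port for p, n, _ in h["open"]))


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for ip, h in hosts.items():
        print(ip, h["mac"], h["os"], h["open"])
    print("hosts with port 80 open:", hosts_with_port(hosts, 80))
```

To use it on a real scan, replace SAMPLE_XML with the contents of the scan.xml file; the same parse is what lets you diff two scans of the same range and spot a port that was not open last week.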
Dark search engine tool -- Shodan
Shodan is a search engine for Internet-connected devices. Unlike a web search engine it does not index pages; it indexes the service banners of the servers, cameras, printers, routers and other devices that answer on the Internet. Shodan has been called a "dark" Google because it continuously crawls these devices and, by the figures cited here, collects information on around 500 million hosts every month. This section describes how to use the Shodan tool. The official website given here is www.shodanhq.com (the service has since moved to shodan.io). Open the web page, as shown in Figure 3.6.
Figure 3.6 shodan Official Website
To search, type the search terms in the SHODAN text box and click the Search button. For example, to look for Cisco devices, enter cisco in the search box and click Search. The results page shown in Figure 3.7 is displayed.
Figure 3.7 search results
More than 3 million Cisco devices were found worldwide. On this page you can click any IP address to see the details of that device.
Shodan filters narrow the search scope so that the results are only the items you need. For example, to find all IIS 8.0 servers in the United States, combine the keyword with the country filter described below, as shown in Figure 3.8.
Figure 3.8 search for IIS services
An IIS 8.0 server is shown on this page. For each device found you can view the page title, country, host name and the raw banner text returned by the server.
When searching Shodan, pay attention to the syntax of the filters, which take the form name:value with no space after the colon. Common filters are as follows:
1. city and country filters
Use the country and city filters to narrow the search to a location. For example:
- country:US restricts results to the United States.
- city:Memphis restricts results to the city of Memphis.
The two filters can be combined:
- country:US city:Memphis
2. hostname filter
The hostname filter matches the host name Shodan recorded for a result, so it can cover an entire domain. For example:
- hostname:google returns hosts whose name contains google.
3. net filter
The net filter restricts results to a single IP address or a network range:
- net:192.168.1.10 returns results for host 192.168.1.10 only.
- net:192.168.1.0/24 returns results for every host in 192.168.1.0/24.
(These private addresses only illustrate the syntax; Shodan indexes hosts reachable from the Internet, so a real query uses a public range.)
4. title filter
The title filter searches the HTML title of the page the device returned:
- title:"Server Room" returns pages whose title contains Server Room. The quotes are required when the value contains a space.
5. Keyword search
The most common way to use Shodan is a plain keyword search. If you know the server software or the embedded web server used by the target, its banner is easy to find:
- apache/2.2.8 200 OK returns Apache 2.2.8 banners that answered with a 200 OK status, that is, only sites that actually served a page.
- apache/2.2.8 -401 -302 excludes banners that contain 401 (Unauthorized) or 302 (redirect); a leading minus negates a term.
6. Combined search
- IIS/7.0 hostname:YourCompany.com city:Boston returns YourCompany.com hosts in Boston running Microsoft IIS 7.0.
- IIS/5.0 hostname:YourCompany.com country:FR returns YourCompany.com hosts in France running IIS 5.0.
- title:camera hostname:YourCompany.com returns YourCompany.com hosts whose page title mentions camera.
- geo:33.5,36.3 os:Linux returns Linux hosts near the coordinates latitude 33.5, longitude 36.3 (geo takes latitude first, then longitude).
7. Other filters
- port: search by port number, for example port:8080.
- os: search by operating system.
- after: and before: restrict results to banners collected after or before a given date.
[Instance 3-5] Use Metasploit to run a Shodan search. The procedure is as follows:
(1) Register a free account on shodanhq.com.
(2) Obtain your API key from http://www.shodanhq.com/api_doc, as shown in Figure 3.9, and keep it for later use. The key authenticates every request billed to your account, so treat it like a password.
Figure 3.9 API key
(3) Start the PostgreSQL service, which backs the Metasploit database:
root@kali:~# service postgresql start
(4) Start the Metasploit service:
root@kali:~# service metasploit start
(5) Start the MSF console:
root@kali:~# msfconsole
msf >
(6) Select the auxiliary/gather/shodan_search module and view the options it accepts:
msf > use auxiliary/gather/shodan_search
msf auxiliary(shodan_search) > show options

Module options (auxiliary/gather/shodan_search):

   Name           Current Setting   Required  Description
   ----           ---------------   --------  -----------
   DATABASE       false             no        Add search results to the database
   FILTER                           no        Search for a specific IP/City/Country/Hostname
   MAXPAGE        1                 yes       Max amount of pages to collect
   OUTFILE                          no        A filename to store the list of IPs
   Proxies                          no        Use a proxy chain
   QUERY                            yes       Keywords you want to search
   SHODAN_APIKEY                    yes       The shodan api key
   VHOST          www.shodanhq.com  yes       The virtual host name to use in requests
The output shows four required options. MAXPAGE and VHOST already have values; QUERY and SHODAN_APIKEY still have to be set.
(7) Configure the QUERY and SHODAN_APIKEY options:
msf auxiliary(shodan_search) > set SHODAN_APIKEY duv9vwgcmo0odfw?wafax8sj0zua5bu
SHODAN_APIKEY => duv9vwgcmo0odfw?wafax8sj0zua5bu
msf auxiliary(shodan_search) > set QUERY iomega
QUERY => iomega
The echoed values confirm that QUERY and SHODAN_APIKEY are set.
(8) Run the search:
msf auxiliary(shodan_search) > run
[*] Total: 160943 on 3219 pages. Showing: 1
[*] Country Statistics:
[*]     United Kingdom (GB): 27408
[*]     United States (US): 25648
[*]     France (FR): 18397
[*]     Germany (DE): 12918
[*]     Netherlands (NL): 6189
[*] Collecting data, please wait...

IP Results
==========

 IP                    City            Country          Hostname
 --                    ----            -------          --------
 104.33.212.215:80     N/A                              cpe-104-33-212-215.socal.res.rr.com
 107.3.154.29:80       Cupertino       United States    c-107-3-154-29.hsd1.ca.comcast.net
 108.0.152.164:443     Thousand Oaks   United States    pool-108-0-152-164.lsanca.fios.verizon.net
 108.20.167.210:80     Maynard         United States    pool-108-20-167-210.bstnma.fios.verizon.net
 108.20.213.253:443    Franklin        United States    pool-108-20-213-253.bstnma.fios.verizon.net
 109.156.24.235:443    Sheffield       United Kingdom   host109-156-24-235.range109-156.btcentralplus.com
 129.130.72.209:443    Manhattan       United States
 130.39.112.9:80       Baton Rouge     United States    lsf-museum.lsu.edu
 146.52.252.157:80     Leipzig         Germany          ip9234fc9d.dynamic.kabel-deutschland.de
 147.156.26.160:80     Valencia        Spain            gpoeibak.optica.uv.es
 ...
 94.224.87.80:8080     Peutie          Belgium          94-224-87-80.access.telenet.be
 95.93.3.155:80        Faro            Portugal         a95-93-3-155.cpe.netcabo
 96.232.103.131:80     Brooklyn        United States    pool-96-232-103-131.nycmny.fios.verizon.net
 96.233.79.133:80      Woburn          United States    pool-96-233-79-133.bstnma.fios.verizon.net
 96.240.130.179:443    Arlington       United States    pool-96-240-130-179.washdc.fios.verizon.net
 97.116.40.223:443     Minneapolis     United States    97-116-40-223.mpls.qwest.net
 97.76.110.250:80      Clearwater      United States    rrcs-97-76-110-250.se.biz.rr.com
 98.225.213.167:443    Warminster      United States    c-98-225-213-167.hsd1.pa.comcast.net
[*] Auxiliary module execution completed
The output lists every result matching the iomega keyword, showing for each the IP address and port, city, country and host name, preceded by a per-country breakdown of the total. With a free key the module only retrieves the first page; using the FILTER option or raising MAXPAGE to collect more pages requires a paid API key.
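The module is a thin client over Shodan's REST API, and the same search can be scripted directly. The script below is an added example, not code from the page, from Shodan or from Metasploit. It calls the documented https://api.shodan.io/shodan/host/search endpoint (the current API host; the shodanhq.com name in the text is the older site) with the key taken from the SHODAN_APIKEY environment variable, and turns the JSON response into the total, the country statistics and the IP/City/Country/Hostname rows the module prints. The response used for the offline demonstration is constructed in the documented shape and only echoes a few rows from the output above; it is not real data.

```python
"""Run a Shodan search through the REST API and print it like shodan_search (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request

API = "https://api.shodan.io/shodan/host/search"


def search(query, api_key, page=1, facets="country"):
    """Call the live API (needs a key and network access); one page holds up to 100 matches."""
    params = urllib.parse.urlencode({"key": api_key, "query": query,
                                     "page": page, "facets": facets})
    with urllib.request.urlopen(f"{API}?{params}", timeout=30) as resp:
        return json.load(resp)


def summarize(response):
    """Reduce a search response to (total, [(country, count)], rows) as the module prints them."""
    total = response.get("total", 0)
    countries = [(f["value"], f["count"])
                 for f in response.get("facets", {}).get("country", [])]
    rows = []
    for m in response.get("matches", []):
        loc = m.get("location") or {}
        rows.append({
            "ip": m.get("ip_str"),
            "port": m.get("port"),
            "city": loc.get("city") or "N/A",          # module prints N/A when unknown
            "country": loc.get("country_name") or "N/A",
            "hostname": (m.get("hostnames") or [""])[0],
        })
    rows.sort(key=lambda r: (r["ip"], r["port"]))
    return total, countries, rows


# Constructed response in the documented shape of /shodan/host/search (not real data).
SAMPLE_RESPONSE = {
    "total": 160943,
    "facets": {"country": [{"value": "GB", "count": 27408},
                           {"value": "US", "count": 25648}]},
    "matches": [
        {"ip_str": "107.3.154.29", "port": 80,
         "hostnames": ["c-107-3-154-29.hsd1.ca.comcast.net"],
         "location": {"city": "Cupertino", "country_name": "United States"}},
        {"ip_str": "104.33.212.215", "port": 80,
         "hostnames": ["cpe-104-33-212-215.socal.res.rr.com"],
         "location": {"city": None, "country_name": None}},
        {"ip_str": "129.130.72.209", "port": 443, "hostnames": [],
         "location": {"city": "Manhattan", "country_name": "United States"}},
    ],
}


def main(argv):
    """Usage: SHODAN_APIKEY=... python shodan_search.py 'iomega country:US'; no args = offline demo."""
    if len(argv) > 1 and os.environ.get("SHODAN_APIKEY"):
        data = search(" ".join(argv[1:]), os.environ["SHODAN_APIKEY"])
    else:
        data = SAMPLE_RESPONSE
    total, countries, rows = summarize(data)
    print(f"[*] Total: {total}")
    for cc, n in countries:
        print(f"[*]     {cc}: {n}")
    for r in rows:
        print(f"{r['ip']}:{r['port']:<6} {r['city']:<16}{r['country']:<16}{r['hostname']}")


if __name__ == "__main__":
    main(sys.argv)
```

The query string accepts the same filters described above (country:, hostname:, net:, port:, and the rest), so `'IIS/8.0 country:US'` reproduces the Figure 3.8 search. Keeping the key in the environment rather than on the command line keeps it out of shell history and process listings, which matters because every request made with it is charged to your account.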