Examples of common backtrack Comprehensive scanning tools

Source: Internet
Author: User
Tags: domain name registration, subdomain name

Use of DNS scanning tools
DNS scanning tools collect information such as domain name registration details, the authoritative name servers (DNS servers) for the domain, and valid subdomain names.
(Information that can be collected: domain name registration details, registrant name, telephone number, e-mail address, expiration time, valid subdomain names, ...)
1. whois
Usage: whois <top-level domain name> (must be the registered top-level domain name, not a subdomain)
Returned fields include:
Domain name status
The name server group used to resolve the domain's DNS
Domain name and creation time
Registration (last update) time
Expiration time (an expired domain name can be registered again)
Administrator contact information
Telephone, fax, and address
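A whois reply is plain "Key: Value" text, so the fields listed above are easy to pull out automatically. The following script is an added example, not part of the original post: it parses a constructed whois reply (domain, dates and contacts are made up) into a dictionary, collects the repeated Name Server and Domain Status lines into lists, and reports the facts a defender monitoring their own domain cares about: days until expiry, whether a transfer lock is set, and which name servers are authoritative.

```python
import re
from datetime import datetime

# Constructed sample whois reply for this example; every value is invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Updated Date: 2014-08-01T10:15:00Z
Creation Date: 2005-03-12T00:00:00Z
Registry Expiry Date: 2015-03-12T00:00:00Z
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
Admin Email: hostmaster@example-corp.com
Admin Phone: +1.5555550100
>>> Last update of whois database: 2014-09-01T00:00:00Z <<<
"""

# Key part may contain letters, spaces and "/", and ends at the first colon;
# the value is everything after it (so timestamps with colons survive).
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Parse a Key: Value whois reply into a dict keyed by lower-cased field name.
    Keys that occur more than once (Name Server, Domain Status) become lists."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>"):          # registry trailer, not a field
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m.group(1).strip().lower()
        value = m.group(2)
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def parse_date(value):
    """Registries usually emit ISO-8601 dates; only the YYYY-MM-DD part is needed."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def as_list(value):
    """Normalise a field that may be a single string or a list to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize(text, today, warn_days=60):
    """Return the security-relevant facts from a whois reply, relative to the
    reference date `today` (an ISO date string, e.g. "2014-09-01")."""
    f = parse_whois(text)
    expiry = parse_date(f["registry expiry date"])
    days_left = (expiry - parse_date(today)).days
    status = as_list(f.get("domain status"))
    return {
        "domain": f["domain name"].lower(),
        "expires": expiry.isoformat(),
        "days_left": days_left,
        "expiring_soon": days_left <= warn_days,
        "transfer_locked": "clientTransferProhibited" in status,
        "name_servers": [ns.lower() for ns in as_list(f.get("name server"))],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_WHOIS, "2014-09-01").items():
        print(f"{k}: {v}")
```

Run it against a real reply by piping `whois example.com` into `summarize`; the lower-cased keys mean the same code works whether a registry writes "Registry Expiry Date" or "registry expiry date", but registries that use a different layout (for example "key:value" without a space, or localized field names) need their own pattern.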

2. dnsenum
Can use Google to find domain names and subdomain names.
Can also brute-force subdomain names from a specified dictionary.
Every run also attempts a zone transfer.

-f dns.txt specifies the brute-force dictionary file
--dnsserver 8.8.8.8 specifies the DNS server to query (here Google's public resolver)

Path: /pentest/enumeration/dns/dnsenum #
Method 1: ./dnsenum.pl <top-level domain name> (by default this also tries a zone transfer; zone transfers are very insecure and are almost always disabled today)
Method 2: ./dnsenum.pl --enum <top-level domain name> (searches Google for subdomain names)
Method 3: ./dnsenum.pl -f dns.txt --dnsserver 8.8.8.8/8.8.4.4 -o output.txt <top-level domain name> (guesses subdomain names from the dictionary through Google's or OpenDNS's resolver, and writes the report to output.txt)

3. dnsmap
Path: /pentest/enumeration/dns/dnsmap #
Usage: ./dnsmap <target top-level domain name> -w wordlist_tlas.txt (specify dictionary file) -r result.txt
-c result.csv (also writes the output as CSV, which can be opened in Excel)
4. dnswalk (queries DNS servers using a simple zone transfer)
Path: /pentest/enumeration/dns/dnswalk #
Usage: ./dnswalk.pl <top-level domain name>. (note that a trailing dot must be added after the domain name)
Exercise: create a Chinese DNS dictionary.

Route collection:
Linux traceroute and Windows tracert work differently. The traditional approach does not traverse firewalls well:
traceroute sends UDP packets to high ports and relies on the ICMP packets that come back.

tcptraceroute: receiving a SYN/ACK indicates that the probe has reached the destination.
tctrace
tctrace -i eth0 (specified interface) -d www.baidu.com (specified destination); similar to tcptraceroute

IV. Use of integrated host scanning tools

Main process:
Host discovery
arping -c 3 10.2.12.21 (-c specifies the number of requests; ARP only works on the directly connected segment and cannot cross network segments)
fping -s (display statistics) -r <retry count> -g (network range) for a quick scan
fping -s -r 3 -g 192.168.130.0/24
genlist is simpler: it only lists live hosts.
hping3 -c 8 (-c specifies the number of packets); hping3 is very powerful and can build any packet you want to send
hping3 send {ip(daddr=10.1.1.1)+icmp(type=8,code=0)}
nbtscan scans the NetBIOS names of Windows hosts.
nbtscan 192.168.130.1-180
nping -c 5 (count) --tcp -p 80 (port) --flags syn 192.168.1.12
onesixtyone is an SNMP scanning tool
onesixtyone -c dict.txt (community-string dictionary file) 192.168.130.212
protos is mainly used to detect which IP protocols a target host supports, especially routing protocols.
protos -i (interface) -d (target host) 192.168.1.12 -v (verbose output)
protos -i eth0 -d 192.168.130.66 -v

Operating system fingerprinting
p0f: passive operating system fingerprinting tool (passive identification)
(For example, an IPS can enable this operating system learning function by default after traffic has passed its signature filter rules)

xprobe2 (active identification tool, mixed scan)
xprobe2 192.168.130.66

nmap -v (display scan details) -sP -n (no DNS resolution) 192.168.1.0/24
nmap -v -n -sP 192.168.130.0/24
-A (comprehensive scan that includes service version, operating system fingerprint, and so on)
nmap -v -n -A 192.168.1.12

amap detects which service is running on a port.
amap -bq 192.168.130.66 10243 (port)

httprint -h 192.168.1.12 -s signature.txt (specified signature file); its results are not reliable

ike-scan is a dedicated IKE scanning tool used to detect IPsec VPN policies.
ike-scan -M -v 192.168.1.12

sslscan: enumerates the supported cipher suites
sslscan <router address>: also retrieves the certificate and policy
Vulnerability scanning
Cisco vulnerability scanning tools
CAT -h 192.168.1.12 -w wordlist.txt (community dictionary) -a passwd.txt (password dictionary) -i
cisco-ocs 192.168.1.1.12 -t 6 (timeout) -c 10
SNMP scanning tools
HTTP vulnerability scanning tools
Burp Suite
Netstat


1. tcptraceroute
Principle: sends TCP SYN packets instead of UDP or ICMP echo packets,
so it can pass through most firewalls
Method 1: tcptraceroute <domain name>
Method 2: tcptraceroute -q 1 (number of queries per hop) -n <domain name>

2. netenum
Fast on a LAN
Path: /pentest/enumeration/irpas #
Usage: ./netenum 192.168.0.0/24 3 (timeout of 3 seconds) 1

3. nmap
Method 1: nmap -sP <ip or CIDR block>
Note: determines whether hosts are up by sending specific ICMP messages and examining the responses.

Method 2: nmap -vv -sS <ip address or network segment>
Note: uses a SYN half-open scan to find open ports quickly

Method 3: nmap -O <ip address or CIDR block>
Note: probes the target's open ports and matches the responses against nmap's built-in operating system fingerprint database to identify the OS version.

Method 4: nmap -sV <ip address or CIDR block>
Note: identifies the service type and version running on each open port
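The two scan types above leave characteristic traces that a defender can pick out of connection logs: a SYN half-open scan (Method 2) sends SYNs to many ports of one host but never completes a handshake with an ACK, and a ping sweep (Method 1, or fping -g) sends ICMP echo requests to many addresses from one source. The following detector is an added example, not part of the original post; it runs over a constructed log in an invented "timestamp protocol src dst dport flags" format (the addresses are made up), so the parser and thresholds are assumptions to adapt to your own firewall or NetFlow export.

```python
from collections import defaultdict

# Constructed log lines for this example (not real traffic). Format:
# "<epoch> <proto> <src> <dst> <dport> <flags>", flags: S = SYN only,
# A = ACK set, R = RST, echo/reply for ICMP. 192.168.130.5 scans eight ports
# of .66 without ever ACKing; 192.168.130.9 is a normal client.
SAMPLE_LOG = """\
1000 tcp 192.168.130.5 192.168.130.66 21 S
1000 tcp 192.168.130.5 192.168.130.66 22 S
1001 tcp 192.168.130.5 192.168.130.66 23 S
1001 tcp 192.168.130.5 192.168.130.66 25 S
1001 tcp 192.168.130.5 192.168.130.66 80 S
1002 tcp 192.168.130.5 192.168.130.66 110 S
1002 tcp 192.168.130.5 192.168.130.66 139 S
1002 tcp 192.168.130.5 192.168.130.66 443 S
1002 tcp 192.168.130.5 192.168.130.66 22 R
1002 tcp 192.168.130.5 192.168.130.66 80 R
1005 tcp 192.168.130.9 192.168.130.66 443 S
1005 tcp 192.168.130.9 192.168.130.66 443 A
1006 tcp 192.168.130.9 192.168.130.66 80 S
1006 tcp 192.168.130.9 192.168.130.66 80 A
1011 icmp 192.168.130.9 192.168.130.1 0 echo
1011 icmp 192.168.130.1 192.168.130.9 0 reply
"""
# Constructed ping sweep: .5 sends an echo request to .1 through .12.
SAMPLE_LOG += "".join(
    f"1010 icmp 192.168.130.5 192.168.130.{i} 0 echo\n" for i in range(1, 13)
)


def parse_log(text):
    """Turn the log text into a list of dicts, one per line."""
    records = []
    for line in text.strip().splitlines():
        ts, proto, src, dst, dport, flags = line.split()
        records.append({"ts": int(ts), "proto": proto, "src": src,
                        "dst": dst, "dport": int(dport), "flags": flags})
    return records


def detect_syn_scan(records, min_ports=5):
    """Flag (src, dst) pairs with at least min_ports ports that received a SYN
    from src but never an ACK from src: the signature of a half-open scan.
    Returns {(src, dst): sorted list of half-open ports}."""
    syn_ports = defaultdict(set)
    ack_ports = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp":
            continue
        key = (r["src"], r["dst"])
        if r["flags"] == "S":
            syn_ports[key].add(r["dport"])
        elif "A" in r["flags"]:
            ack_ports[key].add(r["dport"])
    hits = {}
    for key, ports in syn_ports.items():
        half_open = ports - ack_ports[key]      # SYN sent, handshake never finished
        if len(half_open) >= min_ports:
            hits[key] = sorted(half_open)
    return hits


def detect_ping_sweep(records, min_hosts=8):
    """Flag sources that sent ICMP echo requests to at least min_hosts distinct
    addresses. Returns {src: number of hosts probed}."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp" and r["flags"] == "echo":
            targets[r["src"]].add(r["dst"])
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SYN scans:", detect_syn_scan(recs))
    print("Ping sweeps:", detect_ping_sweep(recs))
```

The client that opened ports 80 and 443 and then ACKed them is not reported, because its SYN set minus its ACK set is empty; the thresholds (5 ports, 8 hosts) are starting points and should be tuned against a baseline of the monitored segment, and in production the counts should be kept per time window rather than over the whole log.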


4. hping2
Principle and function: sends custom ICMP, UDP, and TCP packets
and receives all replies. It also contains a small route-tracing module.
Use this tool when common tools fail to detect firewall-protected hosts.

Method 1: hping2 <IP>
Method 2: hping2 -A/-F/-S -p <port> <IP address or domain name>
Note: -A sets the ACK flag, -F sets the FIN flag, -S sets the SYN flag, and -p specifies the port to test.
 
5. genlist
Function: quickly scans for live hosts.
Usage: genlist -s 192.168.0.\*

6. nbtscan
Usage: nbtscan 192.168.0.1-254

7. xprobe2
Function: actively detects the target operating system and version.
Usage: xprobe2 <IP>

8. amap
Function: scans and identifies the services and versions running on the target's open ports.
Usage: amap -v -d <ip> <port>

9. httprint
Path: /pentest/enumeration/www/httprint/Linux #
Function: identifies the web server program and version by reading HTTP banner data.
Usage: ./httprint -h <ip> -s signature.txt

10. httsquash
Path: /pentest/scanners/httsquash #
Function: identifies the web server program and version by reading HTTP banner data.
Usage: ./httsquash -r <IP>

This article is from the "Fifi Linux" blog, please be sure to keep this source http://feifeilinux.blog.51cto.com/7505939/1553040

