Chapter 12. Discovery Tools

Discovery tools are used to gather information about a target network or system. The tools enable you to easily perform many otherwise manual processes, such as whois queries, DNS zone transfers, SNMP queries, and other information-gathering processes. The tools help you gather DNS records, contact information, network configuration information, host information, and identify systems that are active on a network. The information you gather will help you determine where a target is located and who is controlling it. All of this information helps you build a picture of the environment you are testing. In Chapters 5 and 7, we discussed how discovery tools fit into the penetration-testing methodology. In this chapter we describe some of the more popular discovery tools, explain how they work, and provide tips for using them more effectively.

WS_Ping ProPack

URL: www.ipswitch.com

Client OS: Windows 9x/NT

Target OS: TCP/IP networks

Classification: Discovery tool

Price: Less than $100

Description: WS_Ping ProPack serves as an excellent starting point for any penetration test. WS_Ping ProPack provides an easy way to gather information about your target network and gives you the base information needed to start assessing your target. The tool runs on Windows 9x/NT/2000 and has an easy-to-use GUI. WS_Ping ProPack provides whois, finger, ping, DNS, and SNMP information. In addition, you can use WS_Ping ProPack to quickly ping an IP address range or host name.

Use: WS_Ping ProPack is easy to install. Simply double-click the setup file and follow the installation instructions. WS_Ping ProPack is as easy to use as it is to install. You can see in Figure 12-1 that WS_Ping ProPack offers the following options as tabs near the top of the window: Info, Time, HTML, Ping, TraceRoute, Lookup, Finger, Whois, LDAP, Quote, Scan, SNMP, WinNet, Throughput, and About.

Figure 12-1. WS_Ping ProPack Info screen

Info provides preliminary information about a target host name or IP address (see its screen in Figure 12-1). This is a good place to start when beginning the engagement. Info basically runs a whois query and a DNS lookup on the host name or IP address you enter into the tool. It also pings the host to verify connectivity. Keep in mind that if you are using a host name, you need to enter the fully qualified domain name (such as Navigator.klevinsky.com); otherwise, the query will fail.

Time is a feature that we do not use often in testing.

HTML basically provides you with the same functionality as the View Source option in Microsoft Internet Explorer. It issues a GET request to the Web server and returns source information. While the functionality is nearly the same as that in Internet Explorer, it's nice to have this function integrated into a discovery tool.

Ping provides a nice GUI front end, shown in Figure 12-2, to the Ping utility. You can easily adjust the number of packets sent and the size of the packet, as well as a delay and timeout. Ping is one way we attempt to find out whether a host is alive (functioning and accessible on the network). All Ping really tells us is whether the host responds to ICMP ECHO requests. If the target is blocking ICMP ECHO requests at the border router or firewall, Ping either won't return any information or will return a “host/destination unreachable” message. Ping is useful, but usually we want to ping a range of hosts. WS_Ping ProPack does offer this functionality, but not on the Ping menu. The Scan utility (explained below) enables you to ping ranges of IP addresses.

Figure 12-2. WS_Ping ProPack Ping function

TraceRoute traces the path a packet travels to the target. TraceRoute is useful for determining how far away a target is located and whether the packet passes through any other hosts on the way to the target. Many times we can build a pretty accurate network map by using the TraceRoute results. If the target or any of the systems along the way are blocking traceroutes, the tool may return a “destination unreachable” message. Also, if a system in the path is configured to not respond to traceroutes, the tool will list a number for the hop but will not return any information such as the IP address. The WS_Ping ProPack TraceRoute utility displayed in Figure 12-3 provides a nice GUI interface for the TraceRoute command and enables you to adjust timeouts and the maximum hopcount (how many routers and hosts the packet will travel through in its journey to the target before it gives up). Also, you can use the Resolve Addresses option to determine the IP address from the host name and vice versa.

Figure 12-3. WS_Ping ProPack TraceRoute

Lookup offers a lot of functionality by performing DNS lookups. Figure 12-4 demonstrates a DNS lookup on www.klevinsky.com. By selecting among the various query types in the Query Type drop-down box (shown in Figure 12-5) you can discover many different pieces of information, including host information (CPU and operating system) and mail information; resolve an address; determine the name servers; perform a zone transfer; and gather additional DNS information. Keep in mind that you need a host name or IP address of a DNS server in the DNS Server box for this utility to work properly. You can use the stack option in place of a name server, but all you will be able to do is resolve IP addresses and host names. You can start by using the DNS server your own system normally uses and then enter the target's name server as you gather that information.

Figure 12-4. WS_Ping ProPack Lookup

Figure 12-5. Query Type drop-down box in WS_Ping ProPack

Normally, when we use the tool we start by resolving a host name or IP address and then gather the host information (HINFO), mail information (MX), and name servers (NS) for the target. Once we have the name servers, we enter the primary DNS server into the DNS Server box. Once this is complete, we can perform the zone transfer (referred to as “zone listing” by the tool) using the ZONE option. Zone transfers can yield information about additional hosts in the domain and other potential targets. Be sure to try the zone transfer on all name servers listed for the domain because often one server restricts zone transfers while another does not. Zone transfers can consume significant resources on a name server, and therefore the process may border on illegality. Therefore, make sure you are authorized to perform the zone transfer before attempting to use this function.

Finger provides information about the users on the target server. You could just use the finger command on the command line, but while you have the tool open you may want to take advantage of the GUI. In order to get any information from the WS_Ping ProPack Finger utility, the finger service needs to be running on the target host. Normally we do not attempt to finger a host until we have determined it is likely the finger service is running. If we learn that port 79 is open on the host during our port scans, we can be fairly sure finger is running on the host. Once we learn this information, we perform a finger against the target to determine whether any users are on the system. We can then use these user accounts as potential targets for brute force guessing or other exploits. Remember that you need to use either a fully qualified domain name or the IP address.

Whois provides useful contact information about a target domain, such as mailing address, phone number, and e-mail address. To use the Whois function you need to specify a whois server in the server block. Several default whois servers are listed in the tool: rs.internic.net (users registered with Internic), whois.internic.net, nic.ddn.mil (military addresses), whois.nic.mil, whois.arin.net (American registry), and whois.ripe.net (European addresses). If you have a target domain that does not fall into one of the default categories, you will need to determine an appropriate whois server for that address space. If you do not know the complete host name you can enter part of the name followed by one or more dots (.). This performs a wild-card search for any entry matching the text or name you provided. Figure 12-6 shows a sample whois query on klevinsky.com.

Figure 12-6. Using the Whois function in WS_Ping ProPack

LDAP enables you to query an LDAP directory for useful information on a target network. The target network must be using an LDAP directory service. If the target is not using LDAP directory services, you can skip this tab. If the target is using an LDAP-compliant directory server, you can build a query to find mail information, organizational names, departments, or any other information published in the directory.

To use this utility, enter the fully qualified domain name of the target LDAP server in the LDAP Host box. Then use the three boxes below it to build your query. If the target has an LDAP directory, this can be a useful tool for selecting target accounts and systems. There are some signs to help you guess whether the target is using an LDAP directory. Generally, ports 389 and 636 are associated with LDAP over TLS and SSL, respectively.

Quote is another feature we rarely use during penetration testing.

Scan is used to scan a network range or host for services or just to ping to see if the host(s) respond. In the Scan screen, displayed in Figure 12-7, enter the start and end addresses in the appropriate boxes. Next select the services you wish to scan for by checking the appropriate boxes. Conversely, you can select a port range to scan by checking the Scan Ports option and specifying a range of ports. The utility offers an option for slow networks that enables you to increase the timeouts to account for network latency. While this is a relatively easy-to-use port scanner, it does not offer much flexibility and is not as fast as other port scanners. You cannot specify a host list of individual systems. Additionally, you cannot build a highly customized port list other than specifying a range of ports. Because of these reasons, we normally use WS_Ping ProPack only for ping scanning or ping sweeping. Ping sweeps involve pinging a range of addresses in an attempt to find active hosts. Some other port scanners are more configurable, offering more options and flexibility. (Port scanners are covered in greater detail in Chapter 13.)

Figure 12-7. WS_Ping ProPack Scan function

The SNMP utility can be used to retrieve valuable information about a host or target network. SNMP is used to manage network devices. If SNMP has not been implemented securely, attackers can exploit this service and gather information that will help them plan future exploits against the target. By exploiting SNMP, we can learn information about the system such as the name of the device and the person responsible for managing it, the type and configuration of the network interface, and IP route information. The target host has to support SNMP, and we need to know the community string (password). Generally, UDP ports 161 and 162 are associated with SNMP. In addition, we often find that some system administrators do not change the default community string from “public” to a unique name. In some instances the administrator may allow write access to the public community name, in which case you would be able to manipulate the SNMP information and configuration. If the administrator has changed the name to a private one you will have to attempt to guess the new string.

To use the SNMP utility you first have to select the SNMP tab, shown in Figure 12-8. Next enter the IP address of the target in the Address box. Right below the address box is the Community box; use “public” unless “public” did not work previously or you know the administrator changed the community name to a private name. If you know the private name, enter it in the box; otherwise, you will need to employ educated guessing. Next, you need to specify what information you want to retrieve. By clicking the radio button near the What box you can select the types of information you want to gather. Figure 12-8 shows the options available when the What button has been selected. We commonly select mib, or mgmt information, for our purposes and select Get All Subitems to retrieve all mib information. All information the tool can retrieve is displayed in the output box at the bottom of the screen. If you get an error message, it could mean the host does not support SNMP, you have the wrong community name, or there are other restrictions placed on the SNMP service, such as access control lists. In these cases, try guessing a few different community names before giving up.
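The SNMP tab described above sends an SNMPv1 GetRequest carrying the community string and decodes the GetResponse. The following is an added example, not code from WS_Ping ProPack, that encodes that request for sysContact and sysName and decodes a constructed response; the device values (core-rtr1, netops@example.test) are made up, and a device that answers a request sent with the community "public" is the misconfiguration the paragraph warns about.

```python
"""SNMPv1 GetRequest encoder and GetResponse decoder (BER), for the system-group
query the SNMP tab issues.  Added example; device values are constructed."""

SYS_CONTACT = "1.3.6.1.2.1.1.4.0"   # sysContact: the person responsible
SYS_NAME = "1.3.6.1.2.1.1.5.0"      # sysName: the device's name


def ber_len(n):
    """BER length: short form below 128, long form with a byte count above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """Non-negative INTEGER; a leading zero byte keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def get_request(community, oids, request_id=1):
    """SNMPv1 Message { version 0, community, GetRequest-PDU (tag 0xA0) }."""
    varbinds = b"".join(tlv(0x30, ber_oid(o) + b"\x05\x00") for o in oids)
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, off):
    """Return (tag, body, offset after this element)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_response(msg):
    """Decode a GetResponse (tag 0xA2) into community, error-status and varbinds."""
    _, body, _ = read_tlv(msg, 0)
    _, _version, off = read_tlv(body, 0)
    _, community, off = read_tlv(body, off)
    tag, pdu, _ = read_tlv(body, off)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    _, _rid, off = read_tlv(pdu, 0)
    _, err, off = read_tlv(pdu, off)      # non-zero: noSuchName, etc.
    _, _idx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    varbinds, off = {}, 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid, inner = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, inner)
        varbinds[decode_oid(oid)] = val.decode("ascii") if vtag == 0x04 else val
    return {"community": community.decode("ascii"),
            "error_status": int.from_bytes(err, "big"), "varbinds": varbinds}


def constructed_response(community="public", request_id=1):
    """What a device left on the default community answers (sample values)."""
    vbs = (tlv(0x30, ber_oid(SYS_CONTACT) + tlv(0x04, b"netops@example.test"))
           + tlv(0x30, ber_oid(SYS_NAME) + tlv(0x04, b"core-rtr1")))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbs))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)
```

Sending get_request() over UDP to port 161 and feeding the datagram to parse_response() is all the tool's Get does; the error-status field is where the tool's error message comes from.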

Figure 12-8. WS_Ping ProPack SNMP screen

WinNet can be used to scan the network on which your system resides for Windows network resource information. This includes information such as shared resources, printers, open shares, domain names, and so on. To use WinNet simply select the type of information you are looking for from the drop-down box and select Start. If you are looking only for specific information, select it from the drop-down list; otherwise, select All to retrieve all available information.

Throughput is another feature we rarely use during penetration testing.

About provides the normal licensing and vendor information, but in addition it provides information concerning the local host. So if you have any questions about your domain name, available hard drive space, IP information, or Winsock information, just access the About utility and it can provide you with some information on the subject.

Benefits: WS_Ping ProPack has been a tremendous resource to us on engagements, especially in the early discovery phase of testing. The tool is quick at what it does, and it integrates a lot of functionality into one interface. We use WS_Ping ProPack to gather initial DNS information with the Lookup and Whois utilities. The Scan option is useful for performing ping sweeps, even though Rhino9 Pinger may be faster. We normally use other scanners for port scanning due to the limitations and lack of flexibility in WS_Ping ProPack's scanner. However, it is convenient to have the Scan option available within the tool to quickly scan for a port that you may want to check while gathering other information with the tool. Even though the tool may not be the best at providing the functionality it offers in each of its options, the convenience of having the capability readily available within one integrated tool is nice. One of the greatest benefits of WS_Ping ProPack is that the help function is excellent. Help on any option provides easy-to-follow, step-by-step directions and examples of tool output. Finally, the tool is inexpensive, costing less than $100.

Con: We normally use other port scanners for detailed, surgical port scans since WS_Ping ProPack is easy to detect and may not be as flexible as some of the more advanced scanners.

NetScanTools

URL: www.nwpsw.com/

Client OS: Windows 9x/NT/2000

Target OS: TCP/IP networks

Classification: Discovery tool

Price: Less than $50

Description: NetScanTools is another excellent discovery tool similar to WS_Ping ProPack. NetScanTools provides a nice GUI and enables you to probe for ping, SNMP, ports, DNS, and other discovery information. NetScanTools operates on Windows NT/9x/2000 and can be purchased for under $50.

Use: NetScanTools is another comprehensive discovery tool. It provides much of the same functionality as WS_Ping ProPack. NetScanTools provides the following options: Name Server Lookup, Finger, Ping, Trace Route, Whois, NetScanner, TCP Term, Daytime, Quote, Character Generator, Echo, Time Sync, IDENT Server, Database Tests, and Winsock Info.

Name Server Lookup offers a lot of functionality through DNS lookups, including DNS information, mail server information, zone transfers, and more. Figure 12-9 displays the Name Server Lookup tab. Start by entering the host's fully qualified domain name, IP address, or target domain name in the Hostname, Domain Name or IP Address box. If you enter only this information, you can perform only a simple query that resolves the host name or IP address. Figure 12-9 displays sample output from a simple query of www.klevinsky.com.

Figure 12-9. NetScanTools Name Server Lookup screen

To use the more advanced options select the A Q Setup button for an advanced query setup. Under Advanced Query Options, you can select several options under Query Type (see Figure 12-10). In the Current Server box, enter the IP address of a valid DNS server. You can start by using your name server and then enter the target's name server after you gather that information. Normally when we use the tool we start by resolving a host name or IP address and gather the host information (HINFO), mail information (MX), and name servers (NS) for the target. Once we have the name servers for the target we enter the primary DNS server into the Current Server box. Then we can perform the zone transfer (referred to as “List Domain” by the tool) using the List Domain radio button on the Name Server Lookup main page. Zone transfers can yield information about additional hosts in the domain and other target information. Be sure to try the zone transfer on all name servers listed for the domain because often one server will restrict zone transfers while another will yield DNS records. Also, check the Verbose Mode option so that the tool displays all the steps it performs and the information it finds. If you do not want to see all this information, uncheck the Verbose Mode box.
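The Lookup workflow just described for WS_Ping ProPack and for NetScanTools comes down to a sequence of DNS queries (HINFO, MX, NS, then an AXFR against each name server). The following is an added example, not code from either tool, that builds those queries in DNS wire format and parses the answer records, including compressed names; the response for klevinsky.com is constructed sample data, not a real lookup.

```python
"""DNS wire-format helpers for the Lookup workflow: build the query the tool
sends for a record type (HINFO, MX, NS, or AXFR for a zone transfer) and parse
the records in the answer.  Added example; sample data is constructed."""
import struct

QTYPE = {"A": 1, "NS": 2, "HINFO": 13, "MX": 15, "AXFR": 252}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query (RD set) with one question and no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, end)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_rdata(msg, rtype, off, rdlen):
    """Interpret RDATA for the record types the Lookup workflow walks through."""
    data = msg[off:off + rdlen]
    if rtype == QTYPE["A"]:
        return ".".join(str(b) for b in data)
    if rtype == QTYPE["NS"]:
        return decode_name(msg, off)[0]
    if rtype == QTYPE["MX"]:
        return (struct.unpack("!H", data[:2])[0], decode_name(msg, off + 2)[0])
    if rtype == QTYPE["HINFO"]:                 # two <character-string>s: CPU, OS
        cpu = data[1:1 + data[0]]
        os_ = data[2 + data[0]:2 + data[0] + data[1 + data[0]]]
        return (cpu.decode("ascii"), os_.decode("ascii"))
    return data


def parse_response(msg):
    """Return transaction id, RCODE and (owner, type, value) for every record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, QTYPE_NAME.get(rtype, rtype),
                        parse_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "records": records}


def name_servers(parsed):
    """NS targets from a parsed answer: the servers to try the zone transfer on."""
    return [value for _, rtype, value in parsed["records"] if rtype == "NS"]


def constructed_response():
    """A hand-built answer for klevinsky.com (sample data, not a real lookup)."""
    ptr = b"\xc0\x0c"                           # pointer back to the question name

    def rr(rtype, rdata):
        return ptr + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    question = encode_name("klevinsky.com") + struct.pack("!HH", 255, 1)
    return (hdr + question
            + rr(2, b"\x03ns1" + ptr)                           # NS ns1.klevinsky.com
            + rr(15, struct.pack("!H", 10) + b"\x04mail" + ptr) # MX 10 mail.klevinsky.com
            + rr(13, b"\x05INTEL\x04UNIX"))                     # HINFO "INTEL" "UNIX"
```

build_query(name, "AXFR") is the "zone listing" request; it is normally sent over TCP to each server returned by name_servers(), which is the per-server check the text recommends.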

Figure 12-10. NetScanTools Advanced Query Options

Finger provides information about the users on the server. In order to get any information from the Finger utility, the finger service needs to be running on the target host. Finger is not used much any more, but sometimes a system administrator forgets to disable it. Therefore, we do not attempt to finger a host until after we have determined it is likely the finger service is running. If we learn that port 79 is open on the host during our port scans, we can be pretty sure finger is running. When you perform a finger query you need to remember to use either a fully qualified domain name or the IP address. We can use the finger information for selecting accounts for brute force and password guessing attacks.

Ping provides a nice GUI, shown in Figure 12-11, for the Ping command. The Setup button enables you to easily adjust the number of packets sent and their size, as well as a delay and timeout. AutoPing can be used to ping a list of addresses contained in a text file. All Ping really tells us is whether the host responds to an ICMP ECHO request. If a target is blocking ping at the border router or firewall, it won't tell you anything or will return a “host/destination unreachable” message. Remember to check the box for the Resolve IP addresses to host names option to resolve the name of the target host you are pinging. Keep in mind, however, that your scan will take longer if you resolve host names. Weigh the utility of retrieving the host name against the need for speed if you scan using the Resolve option.

Figure 12-11. NetScanTools Ping function

Trace Route shows the path a packet travels to the target. Trace Route is useful for determining how far away a target is and whether any other hosts are passed through on the way. In addition, Trace Route's results can be useful for identifying potential routers and firewalls. The trace results may also show segmentation in a network. The Setup button of this utility enables you to adjust timeouts and maximum hopcounts (how many routers and hosts the packet travels through in its journey to the target). Also, you can use the Resolve IP addresses option to determine the IP address or host name from the other. Again, resolving host names will cause your trace to take longer to complete. If time is not an issue, resolve the names. The more information you have about the target network the better. Using the information from the traceroutes we can build a network map that can be used to refine the testing strategy. Figure 12-12 shows a sample traceroute using NetScanTools.

Figure 12-12. NetScanTools Trace Route screen

Whois provides useful contact information about a target domain, such as mailing address, phone number, and e-mail address. Normally, when using the Whois utility, you need to specify a whois server. There are many whois servers on the Internet, and at times picking the correct one can be time consuming. NetScanTools has a “smart whois” function through which it will attempt to locate and use the correct whois server for your query. In addition, you can enter “help” into the Enter Query box and select Query to receive more information on what whois server to use. If you do not know the complete host name you can enter part of the name followed by one or more dots (.). This entry performs a wild-card search for anything matching the partial name you provided. (Figure 12-13 shows an example of a whois query using the trailing dots.) Otherwise, enter the name of a target domain, host, or company and select the Query button. This query returns contact information, name servers, and other information that can be used to help devise an attack.

Figure 12-13. NetScanTools Whois utility

NetScanner can be used to perform a ping sweep of an IP address range or to ping an IP range for a selected port. If we find very few target hosts respond to a regular ICMP ping, we can select a port number in the Port Name/No. box to perform a TCP ping. If the host uses the selected port, it should respond to the TCP ping. Port 80 is usually an excellent choice for the target port since most hosts have it open for HTTP.

NetScanTools provides a lot of options within the NetScanner utility. First you can enter your target host range in the Start IP and End IP boxes. The Setup button to the right of the Start IP and End IP boxes can be used to specify timeouts, packet size, fragmentation or no fragmentation, maximum hopcount, and retries. If you use the Verify hosts file IPs button, NetScanner will attempt to ping each IP address in your system's /etc/hosts file. You could use this option and edit your /etc/hosts file to ping a range that could not easily be defined with the Start IP and End IP address boxes. If you do use this method, be sure to return your /etc/hosts file back to its original configuration when you are done.

The Whois Setup button enables you to choose an appropriate whois server and to set the option to use a proxy server if you need to use one to access the Internet. (See the paragraph above on the Whois utility for help in choosing an appropriate whois server.) If you plan to use the Whois utility within NetScanner, be sure to check the Enable Smart Whois or Enable Whois Queries boxes below the Whois Setup button. If you want to resolve the IP addresses in your range to host names, check the Translate IPs to Host Names option. While your scan will take longer when you are resolving host names, the added information can be useful. If you have the time, translate the host names.

The Ignore host/net unreachable responses option is very important if you plan to use the TCP ping option. If you find the target host or network has disabled ping responses (ICMP echo reply) and you want to use the TCP port check to find target hosts, you need to check the Ignore host/net unreachable responses box. If you do not check this option, the tool will attempt to ping the target first, and if the target does not respond, the tool will skip the TCP port check. Keep in mind that you are not limited to the ports listed in the Port Name/No. drop-down box. You can enter a port number in the box and the tool will attempt a port check using that port. Figure 12-14 demonstrates the use of the TCP port check to identify hosts not responding to ICMP.

Figure 12-14. NetScanTools NetScanner screen

TCP Term can be used for banner grabbing. Banner grabbing is the process of capturing the banner that a service displays when it receives incoming connections. For instance, services such as FTP and telnet often have a banner that states “Welcome,” provides version information, and offers a login prompt. This information can be useful in building an attack. Figure 12-15 shows the TCP Term interface.

Figure 12-15. NetScanTools TCP Term

To use the TCP Term utility, enter the target IP address or host name in the Target Hostname or IP address window. Select, or enter, the desired port name or number to connect to in the Target Port Name/No. drop-down box. Next, click on Connect and wait for the tool to return the banner information or the error message if the connection was refused. A nice feature TCP Term includes is the ability to specify a different source port. For instance, many target networks' firewalls permit only traffic originating from specific source ports to connect to a particular service. This is done to keep other tools or hacks from directly connecting to the service through a different port. Using the Source Port Name/No. box you can set the source port your connection originates from to the one the target service expects. To specify a source port, uncheck the Any box and either select a port from the drop-down list or enter your own port in the box. Ports 80 (HTTP) and 53 (DNS) are usually good choices for bypassing packet-filtering routers and firewalls.
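NetScanner's TCP port check and TCP Term's banner grab (with its optional source port) are both a single TCP connect followed by a read. The following is an added example, not code from NetScanTools, that performs that probe and classifies the result; a loopback server sending a constructed FTP-style banner stands in for the target, and free_port() is a helper added here to pick an unused source port.

```python
"""TCP ping plus banner grab, as NetScanner (TCP port check) and TCP Term do.
Added example, not NetScanTools code.  A loopback server with a constructed
banner stands in for the target host."""
import socket
import threading


def start_banner_server(banner):
    """Listen on 127.0.0.1 and send `banner` to every client (stand-in target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listening socket was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """An unused local TCP port (helper for choosing a source port)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def tcp_probe(host, port, source_port=0, timeout=2.0):
    """Connect to host:port, classify the port and read any greeting banner.

    A completed connect or a refusal (RST) both show the host is alive even
    when ICMP echo is blocked; a timeout means filtered or down.  A non-zero
    source_port binds the client side, as TCP Term's Source Port box does.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_port:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind(("", source_port))
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return {"host_alive": True, "port": "closed", "banner": b""}
    except OSError:                      # includes socket.timeout
        sock.close()
        return {"host_alive": False, "port": "filtered", "banner": b""}
    try:
        banner = sock.recv(1024)         # FTP, SMTP, telnet speak first
    except socket.timeout:
        banner = b""                     # open, but the service waits for us
    finally:
        sock.close()
    return {"host_alive": True, "port": "open", "banner": banner}


def describe(banner):
    """First line of a banner, which is where version information leaks."""
    return banner.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
```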

Daytime, Quote, Character Generator, Echo, and Time Sync are features we do not often use during penetration testing.

IDENT Server is sometimes required by target hosts when you use finger. Using the IDENT Server you can configure the information you provide to the target host. Additionally, you can log the IDENT Server's activity. IDENT Server is not a feature that we commonly use during penetration testing. However, it can be useful when trying to hide your identity during testing. By configuring the IDENT Server with information similar to the domain you are targeting, you can somewhat hide your real identity.

Database Tests is another tool that we do not use often. This utility tests your Winsock's TCP and UDP protocols database translation ability.

Winsock Info returns your current Winsock information.

Benefits: NetScanTools includes a lot of functionality in one tool. It offers tremendous utility and provides the capability to perform almost all steps in the discovery phase with this one tool. We like to use NetScanTools to gather DNS information, perform zone transfers, and conduct some limited port scans. While we prefer Nmap as the port scanner of choice, NetScanTools is an excellent scanner for the NT platform. The NetScanner function provides flexibility in performing port scans. The ability to specify source ports is also a major benefit.

Cons: While NetScanTools is a useful tool, it does have some drawbacks. First, the help utility is not as robust as some of the other tools. The descriptions of each area of the tool leave much to be desired, and no sample output is provided. Additionally, the port scanner allows you to scan only one port at a time.

Sam Spade

URL: www.samspade.org

Client OS: Windows 9x/NT/2000

Target OS: TCP/IP networks

Classification: Discovery tool

Price: Free

Description: Sam Spade is a useful tool that can assist with the discovery phase of penetration testing. While most of the functionality Sam Spade provides can be performed from the command line, Sam Spade provides a consolidated GUI that is easy to use. Sam Spade provides much of the same functionality as WS_Ping ProPack and NetScanTools and it offers some additional options such as crawling and mirroring a Web site. Sam Spade runs on Windows 9x/NT/2000. It provides an intuitive GUI and integrates a lot of functionality into one tool. Sam Spade can perform whois queries, pings, DNS Dig (advanced DNS request), traceroute, finger, zone transfers, SMTP mail relay checking, and Web site crawling and mirroring.

Use: Sam Spade is pretty self-explanatory. The main tool bar provides shortcuts for the majority of functions. However, some of the additional functions, such as zone transfers, can be accessed only through the Tools menu. If you like right mouse button functionality, you are in luck—Sam Spade offers many options and shortcuts through the use of the right mouse button. When using the tool, try exploring the right mouse button. We think you'll find the shortcuts save time and make your life easier.

Before you start using Sam Spade, you should configure your options. This is a very important step because if you do not set up your options correctly, you cannot perform zone transfers nor access other functions. Remember, if you try to access the zone transfer function from the menu and it is grayed out and unavailable, you probably forgot to configure your options. So, save yourself some headaches and configure the options before you start using the tool. To configure your options select Options from the Edit menu. Figure 12-16 shows the Advanced options tab where you can enable zone transfers, active probing, and relay checking.

Figure 12-16. Sam Spade Advanced options screen

Once you have configured your options you are ready to begin using Sam Spade. Start by exploring the input fields on the main screen and determining the information you need to enter in each field. First, enter the domain name, IP address, or company name of the target in the upper left window. Next, you need to enter a DNS server in the .net .12.1 box. Normally start with your default name server. The Telephone drop-down box, shown in Figure 12-17, enables you to select a whois server for performing whois queries. Magic is a good whois server to start with since it will select the appropriate whois server for you. Once you have these boxes and options filled in, you are ready to start using the tool.

Figure 12-17. Sam Spade Telephone drop-down box for selecting a whois server

To the right of the top input field you will find a row of radio buttons. We find these buttons easier to use than the pull-down menus and therefore explain the tool using the radio buttons. However, you can access each function that the radio buttons provide through the pull-down menus. So if you prefer the menus, explore a little on your own. The names of the functions are the same, and the explanations and techniques work just as well no matter which way you access them. Below we explain the functions of the tool, starting from the left radio button and working toward the right of the screen.

Ping, accessed through the first button (the green and black sphere), enables you to ping the target. You can specify the number of ping attempts you want the tool to perform each time you select the Ping option by using the up and down arrows on the left bottom box. The default number of ping attempts is 10; we recommend setting this value to 3 unless you are not worried about someone detecting your activity. Sometimes a single ping may fail due to the system or network being busy, thus yielding inaccurate results. Three pings should be sufficient to generate accurate test results without generating enough activity to significantly increase the chance of detection. Figure 12-18 provides sample output from a ping of www.klevinsky.com.

Sample Ping output in Sam Spade

Figure 12-18. Sample Ping output in Sam Spade

DNS information is provided by using the next button, the DNS button. When you select this option, the tool performs a DNS lookup and delivers name server, contact, and other useful information. Figure 12-19 provides sample DNS output.

Sample DNS output in Sam Spade

Figure 12-19. Sample DNS output in Sam Spade

The red phone activates the Whois option. To perform whois queries you need to specify a whois server in the red phone drop-down box. Several default whois servers are listed: rs.internic.net (users registered with Internic), whois.internic.net, nic.ddn.mil (military addresses), whois.nic.mil, whois.arin.net (American registry), and whois.ripe.net (European addresses). If you have a target domain that does not fall into one of the default categories, you will need to determine an appropriate whois server for that address space. Magic will help locate the appropriate whois server for your domain. Whois queries return contact information, IP blocks, addresses, name servers, and other information that you can use to devise an attack. Once you have found the name server for the target, you can add this server as your name server input for advanced queries. In Figure 12-20 you can see the options available when you right-click on the name server. Try right-clicking on the new name server in the output window and selecting Copy to nameserver. You will need to use the target name server to perform zone transfers and other advanced DNS functions.

Right-clicking on the name server in Sam Spade

Figure 12-20. Right-clicking on the name server in Sam Spade

The IP Block icon is used for obtaining the IP blocks of a target address space. When you specify a domain name or IP address, the tool queries DNS servers to find the IP blocks that contain that name or address. This function usually returns the Class A, B, C, or subnetted IP blocks owned by the target. Sometimes it can be difficult to find the IP block if the Internet service provider does not list the blocks owned by each of its customers. Also, you need to keep in mind that some companies have several domain names and may have IP blocks registered under each domain name. So be persistent and do not stop at the first IP block you find. Try a few domain names and see if you get better results. Figure 12-21 displays sample IP block information.

IP block information in Sam Spade

Figure 12-21. IP block information in Sam Spade

The Dig shovel icon provides you with the capability to dig on an address or domain name. A dig is essentially an advanced DNS query. It requests all DNS records, including host information, domain information, services, mail information, geographic locations, and much more. Dig gives you a lot of information you may not use, but you'll know you looked for as much as you could. Figure 12-22 provides sample Dig output.

Dig output in Sam Spade

Figure 12-22. Dig output in Sam Spade

The connected dots icon accesses the Traceroute function. Traceroute shows the path a packet travels to the target. Traceroute is useful in determining how far away a target is located and whether any other hosts are passed through on the way to the target. Many times we can build a fairly accurate network map using Traceroute results and determine whether common IP addresses may be routers or firewalls. Although it is not readily apparent by looking at the main screen, you can configure such Traceroute options as timeouts and so on. Under the Edit menu, select Options and then the Traceroute tab. Figure 12-23 shows the Traceroute screen. Figure 12-24 displays a sample traceroute using Sam Spade.

Sam Spade Traceroute screen

Figure 12-23. Sam Spade Traceroute screen

Traceroute output in Sam Spade

Figure 12-24. Traceroute output in Sam Spade

Finger provides information about the users of a server. In order to get any information from the Finger utility, the finger service needs to be running on the target host. Normally we do not attempt to finger a host until after we have determined it is likely the finger service is running. If we learn that port 79 is open on the host during our port scans, we can be fairly certain that finger is running. Once we learn this information we perform a finger query against the host. Remember, you need to use either a fully qualified domain name or the IP address. Finger information can be useful for selecting accounts to attempt to use to crack a server.

SMTP Verify is a feature of Sam Spade that we do not often use during our testing. The utility enables you to query a mail server to determine whether an e-mail address is valid. This can be useful for determining valid e-mail addresses to use for mail forging. If the SMTP server is vulnerable to mail forging, you could craft an e-mail using SMTP commands from any user to any other user without authorization. For instance, you could send an e-mail from a valid user to the help desk requesting a password reset. (More detailed information on e-mail forging using SMTP can be found in Chapter 9.)

Check Time is a feature that we do not often use during testing.

The View Raw Website utility is also called Browse web in the Tools menu. Using this function you can view the source for a Web page, similar to the View Source function in Microsoft Internet Explorer. Viewing the raw HTML can be useful for searching for passwords, password hints, or Common Gateway Interface (CGI) scripts that may be exploitable. To use this function, enter the URL or IP address of the Web site in the Address window and select the View Raw Website button.

We do not find the Keep Alive utility very useful for penetration testing. Keep Alive sends an HTTP request to a Web site every minute to maintain an active connection.

The following options can be accessed only through the Tools menu, shown in Figure 12-25.

Sam Spade Tools menu

Figure 12-25. Sam Spade Tools menu

Zone Transfer returns all DNS records for the domain. Zone transfers use a lot of system resources on the name server. While the target would probably not detect this action, it can be considered an invasive procedure and may border on illegality. Be careful running the Zone Transfer utility; run it only when legitimately testing systems and only with authorization from the target. Finally, remember you have to set your options to enable zone transfers. Select Options from the Edit menu, then on the Advanced tab select Enable zone transfers.

SMTP Relay check allows you to test a mail server to see whether it will relay e-mail back to you. You could perform the same test by using raw SMTP over port 25. However, we find Sam Spade's tool easier and faster. Before you run this test, you need to ensure you have approval and authorization to perform this test on the SMTP server. In addition, before you run the test you need to configure your options. Select Options from the Edit menu and select the Configuration tab. Enter your e-mail address as shown in Figure 12-26. Next, access the Advanced tab and check Enable relay checking as demonstrated in Figure 12-27. We liken this to taking the safety off a gun. This test borders on illegality since you are essentially using the target's mail server without permission. Therefore, be sure you have permission from a person with authority over the server before trying this function. Once you have configured your options correctly, select SMTP Relay check from the Tools menu. Enter the fully qualified domain name or IP address of the SMTP server. The tool then attempts to send an e-mail back to you via the SMTP server you are testing. Figure 12-28 shows sample output from an SMTP relay check. If you get an e-mail back, the test was successful and the server is susceptible to SMTP relaying. Servers that allow SMTP relaying are susceptible to spam. Spam is bad for two reasons. First, it can put undue stress on the system resources of the company's mail server. Second, it can give the perception that the targeted organization sent the mail.

Sam Spade Configuration screen

Figure 12-26. Sam Spade Configuration screen

Sam Spade Advanced options screen

Figure 12-27. Sam Spade Advanced options screen

SMTP Relay output in Sam Spade

Figure 12-28. SMTP Relay output in Sam Spade
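The SMTP relay check described above, modelled as an added example that is not Sam Spade's code. A constructed in-memory responder (FakeSmtpServer) stands in for the target mail server, hosting mail for an assumed LOCAL_DOMAIN, and the client side sends the same HELO, MAIL FROM, RCPT TO and RSET verbs a real check would. Every host and address in the block is an assumption made for the illustration.

```python
import re

# Added example, not Sam Spade's code. LOCAL_DOMAIN, FakeSmtpServer and every
# address below are constructed for the illustration.

LOCAL_DOMAIN = "target.example"          # the domain the target MX accepts mail for
ADDR_RE = re.compile(r"<([^>]*)>")       # pulls the address out of MAIL FROM:<..> / RCPT TO:<..>


class FakeSmtpServer:
    """Minimal SMTP responder: a correctly configured server accepts RCPT TO
    only for LOCAL_DOMAIN; open_relay=True reproduces the misconfiguration
    the relay check looks for."""

    def __init__(self, open_relay: bool):
        self.open_relay = open_relay
        self.in_transaction = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 mx.{LOCAL_DOMAIN}"
        if verb == "MAIL":
            self.in_transaction = True
            return "250 OK"
        if verb == "RCPT":
            if not self.in_transaction:
                return "503 5.5.1 MAIL first"
            m = ADDR_RE.search(arg)
            rcpt = m.group(1).lower() if m else ""
            if rcpt.endswith("@" + LOCAL_DOMAIN) or self.open_relay:
                return "250 OK"
            return "550 5.7.1 Relaying denied"      # the answer a hardened server gives
        if verb == "RSET":
            self.in_transaction = False
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 5.5.2 Command not recognized"


def relay_check(server: FakeSmtpServer, tester_addr: str) -> dict:
    """Play the tester's side: offer a foreign sender and the tester's own
    address as recipient, record the exchange, and judge the RCPT reply.
    RSET abandons the transaction, so nothing is ever queued."""
    transcript = []

    def send(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append((f"C: {cmd}", f"S: {reply}"))
        return reply

    send("HELO probe.example")                       # constructed tester host
    send("MAIL FROM:<relaytest@probe.example>")      # not local to the target
    rcpt_reply = send(f"RCPT TO:<{tester_addr}>")
    send("RSET")
    send("QUIT")
    return {"relay_allowed": rcpt_reply.startswith("250"),
            "rcpt_reply": rcpt_reply,
            "transcript": transcript}


if __name__ == "__main__":
    for relay in (False, True):
        result = relay_check(FakeSmtpServer(open_relay=relay), "tester@probe.example")
        print(f"open_relay={relay}: relay_allowed={result['relay_allowed']}")
        for client_line, server_line in result["transcript"]:
            print("   ", client_line, "|", server_line)
```

Unlike the Sam Spade check, which actually delivers a message to you, this model stops at RCPT TO, which is already enough to see the server's decision: a 250 to a recipient the server does not host means it will relay, a 550 means relaying is closed. Replacing `server.handle` with a socket that writes the command to TCP port 25 and reads one reply line turns the same dialogue into the live check the text describes.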

The Scan Addresses utility enables you to perform port scanning against a range of hosts. To use this feature you must access the Advanced tab (select Options from the Edit menu) and check the box for Enable active probing. Once this option has been set, you may select Scan Addresses from the Tools menu. When you select the Scan Addresses option, a Scan addresses window opens, as shown in Figure 12-29. This window has input windows for the start and end IP addresses as well as six default ports (Reverse DNS, Mail, Usenet, Web, telnet, and Nameserver). In addition, the Advanced tab allows you to select additional ports up to 17007. By holding down the CTRL key you can select multiple ports. The more ports you select, the longer the scan will take.

Scan addresses window in Sam Spade

Figure 12-29. Scan addresses window in Sam Spade

Crawl website is a nice feature for searching Web sites for useful information. Crawl website enables you to mirror a Web site to hard disk or network drive and to search the Web site for passwords, e-mail addresses, and other useful information. To access Crawl website, select it from the Tools menu. The Crawl website window appears, as displayed in Figure 12-30. In the top box, enter the URL of the target Web site. The Extra seed URLs box enables you to enter URLs on the Web site that are not accessible from the URL listed in the top window. Below this box is an option that enables you to restrict the type of information to be searched or mirrored. By checking the option, you limit the crawler to HTML, ASP, and text files. Without this option checked the crawler will attempt to search and return everything on the site. Next you find the option that enables you to mirror the site. By mirroring the site, you copy it to a local drive. While this may use a lot of hard disk space, it can be helpful to have offline copies of Web sites for access when you do not have Internet access.

Sam Spade Crawl website window

Figure 12-30. Sam Spade Crawl website window

Another option, Search website for, enables you to search for the defaults: Web addresses, e-mail addresses, images, links, and regular expression keywords. This can be very useful when searching Web sites for passwords, password hints, or other clues.
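The kind of search the Crawl website and Search website for options perform, as an added example rather than Sam Spade's own code: the page is parsed once and links, images, e-mail addresses, CGI script references and keyword hits inside HTML comments are collected, which is also how you would audit your own site for the leaks described above. SAMPLE_HTML is a constructed page and HINT_RE is an assumed keyword list standing in for the regular expression keywords option.

```python
import re
from html.parser import HTMLParser

# Added example; not Sam Spade's code. SAMPLE_HTML is a constructed page and
# HINT_RE is an assumed keyword list standing in for the "regular expression
# keywords" option.

SAMPLE_HTML = """<html><head><title>Intranet portal</title></head>
<body>
<!-- TODO: remove the test account before go-live (login: testuser, password hint: see wiki) -->
<a href="/login.cgi">Log in</a>
<a href="http://www.example.com/staff/">Staff directory</a>
<p>Contact <a href="mailto:helpdesk@example.com">helpdesk@example.com</a>
or webmaster@example.com.</p>
<img src="/img/logo.gif" alt="logo">
<form action="/cgi-bin/search.cgi" method="get"><input name="q"></form>
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HINT_RE = re.compile(r"passw(?:or)?d|login|secret|todo", re.I)


class SiteAudit(HTMLParser):
    """Collect what the Search website for option looks for: links, images,
    e-mail addresses, CGI scripts and comments carrying keyword hits."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.cgi, self.hints = [], [], [], []
        self.emails = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            if a["href"].startswith("mailto:"):
                self.emails.add(a["href"][len("mailto:"):])
            else:
                self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.links.append(a["action"])
        for value in a.values():
            if value and ".cgi" in value:
                self.cgi.append(value)

    def handle_data(self, data):
        self.emails.update(EMAIL_RE.findall(data))

    def handle_comment(self, data):
        # comments never render, which is exactly why hints end up in them
        if HINT_RE.search(data):
            self.hints.append(data.strip())


def audit(html: str) -> dict:
    """Run the collector over one page and return what it found."""
    parser = SiteAudit()
    parser.feed(html)
    parser.close()
    return {"links": parser.links,
            "images": parser.images,
            "emails": sorted(parser.emails),
            "cgi_scripts": sorted(set(parser.cgi)),
            "comment_hints": parser.hints}


if __name__ == "__main__":
    for key, found in audit(SAMPLE_HTML).items():
        print(f"{key}: {found}")
```

On a mirrored site you would call `audit` on each saved file; the links list is also the seed set a crawler follows, which is what the Extra seed URLs box supplements for pages not reachable from the start URL.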

Benefits: Sam Spade is an outstanding tool for the discovery phase, and it's freeware. The SMTP relaying check and Web site crawling features set it apart from other discovery tools we have seen.

Cons: Some of the more advanced features are difficult to use if you are not familiar with the tool. Also, the port scanner is sufficient for scanning one or two hosts for a range of ports. However, for more advanced port scanning, use one of the more robust port scanners described in Chapter 13.

Rhino9 Pinger

URL: www.nmrc.org/files/snt/

Client OS: Windows 9x/NT/2000

Target OS: TCP/IP networks

Classification: Discovery tool—ping sweep

Price: Free

Description: After learning DNS information about an organization and finding domain names and IP blocks, the next step is to find hosts, or targets, that are active on the target network. The goal is to find the targets that are up and running on the target network without being detected. The simplest way to determine whether a host is active on the network is to ping it. Ping uses ICMP ECHO requests and replies. The pinger sends an ICMP ECHO request, and the target sends back an ECHO reply unless the border router or another filtering device is blocking ping or the host has otherwise been configured to not respond to ICMP requests.

Rhino9 Pinger, often referred to as Pinger, is a fast, efficient ping sweep utility. You can adjust the number of times Pinger pings the target by entering a number in the Num. Passes window, but we recommend you leave it at two. The Timeout default of 3,000 ms should also be sufficient unless you have an unusually slow network, but even then the higher you increase the timeout, the longer you will be waiting for it to finish. Pinger can quickly sweep multiple Class C addresses or a single Class B address looking for active hosts. The disadvantage to being fast is that the tool sometimes misses active hosts. Also, the tool is a no-frills offering with very little added utility other than the ping sweep. Other tools such as Sam Spade, NetScanTools, and WS_Ping ProPack provide a similar ping tool. We like Pinger because it is fast and simple. Everyone has their own preferences, so use whichever ping tool you want as long as you get good results.

Use: There really is not a lot to explain with this tool; what you see is what you get. Figure 12-31 provides a view of the Pinger interface. To use Pinger, input the IP address range into the From and To boxes at the top of the screen. Leave the timeout at the default unless you have reason to believe you need to extend the timeout due to network latency or other problems. Select the number of passes, or pings, you wish the tool to perform. We recommend staying with two so you draw less attention to yourself. Many intrusion detection systems and other monitoring tools may be alerted by multiple pings to many hosts, so be careful if you are trying to remain undetected. Check the Resolve Hosts box if you wish to obtain the host names in addition to knowing if the system is active. We recommend resolving the host names. The more information you can collect, the better you can design your test. Many times host names give away the purpose of the system and help you quickly select attractive targets. But beware—sometimes a target that is too good to be true really is; it could be a honey pot. Honey pots are essentially traps put out on the network to entice hackers. What the hacker doesn't know is the system is really a trap. All activity is being logged and alerts are being sent to the system administrators.

Pinger user interface

Figure 12-31. Pinger user interface
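The monitoring side of the point made above, that multiple pings to many hosts are what alert an intrusion detection system, as an added example that is not Pinger's code. It parses constructed firewall-style log lines of inbound ICMP echo requests (the format and all addresses are assumptions for the illustration) and flags a source that touches many distinct hosts inside a time window; counting distinct destinations rather than packets is what tells a sweep with two passes per host apart from one host being pinged repeatedly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example; not Pinger's code. The log format and every address below are
# constructed for the illustration (a simplified firewall log of inbound ICMP
# echo requests, not any real product's format).

SAMPLE_LOG = """\
2002-03-04T10:15:01 ICMP echo-request src=10.0.0.5 dst=192.168.1.1
2002-03-04T10:15:01 ICMP echo-request src=10.0.0.5 dst=192.168.1.2
2002-03-04T10:15:02 ICMP echo-request src=10.0.0.5 dst=192.168.1.3
2002-03-04T10:15:02 ICMP echo-request src=10.0.0.5 dst=192.168.1.4
2002-03-04T10:15:03 ICMP echo-request src=10.0.0.5 dst=192.168.1.5
2002-03-04T10:15:03 ICMP echo-request src=10.0.0.5 dst=192.168.1.6
2002-03-04T10:15:07 ICMP echo-request src=10.0.0.5 dst=192.168.1.1
2002-03-04T10:15:07 ICMP echo-request src=10.0.0.5 dst=192.168.1.2
2002-03-04T10:15:08 ICMP echo-request src=10.0.0.5 dst=192.168.1.3
2002-03-04T10:15:08 ICMP echo-request src=10.0.0.5 dst=192.168.1.4
2002-03-04T10:15:09 ICMP echo-request src=10.0.0.5 dst=192.168.1.5
2002-03-04T10:15:09 ICMP echo-request src=10.0.0.5 dst=192.168.1.6
2002-03-04T10:20:00 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:20:01 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:20:02 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:20:03 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:20:04 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:20:05 ICMP echo-request src=10.0.0.9 dst=192.168.1.1
2002-03-04T10:30:00 ICMP echo-request src=10.0.0.7 dst=192.168.1.10
2002-03-04T11:30:00 ICMP echo-request src=10.0.0.7 dst=192.168.1.11
2002-03-04T12:30:00 ICMP echo-request src=10.0.0.7 dst=192.168.1.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")


def parse_echo_requests(text: str):
    """Return (timestamp, src, dst) for each echo-request line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"]))
    events.sort()
    return events


def detect_sweeps(events, window_seconds: int = 60, min_targets: int = 5) -> dict:
    """Flag sources that probed at least `min_targets` distinct hosts within
    any `window_seconds` interval; returns {src: peak distinct hosts}.
    Distinct destinations, not packets, are counted, so Pinger's two passes
    per host do not inflate the figure and a single host pinged six times
    is not a sweep."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        peak, left = 0, 0
        for right in range(len(probes)):
            while probes[right][0] - probes[left][0] > window:
                left += 1
            peak = max(peak, len({dst for _, dst in probes[left:right + 1]}))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    events = parse_echo_requests(SAMPLE_LOG)
    print("fast sweep, 60 s window:", detect_sweeps(events))
    print("slow sweep, 2 h window: ", detect_sweeps(events, window_seconds=7200, min_targets=3))
```

The two calls at the bottom show the trade-off a detection rule faces: 10.0.0.5 is caught by the default 60-second window, while 10.0.0.7, which spaces its probes an hour apart, only shows up once the window is widened and the threshold lowered.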

Benefits: Pinger is easy to use and install. It requires very little configuration. We've found it to be one of the fastest Ping tools we have used. You can't beat it for the price (free).

Con: The tool provides only ping functionality.

VisualRoute

URL: www.visualroute.com

Client OS: Windows 9x/NT

Target OS: TCP/IP networks

Classification: Discovery tool

Price: Under $50

Description: VisualRoute is an excellent tool for performing traceroutes, and it provides nice graphical pictures displaying each hop on a world map. It runs on Windows NT and Windows 9x. We normally use VisualRoute to perform traceroutes to each target host. Using the output from the traceroutes we can build a preliminary network map. Many times the network maps we generate are as accurate as the client's. Additionally, VisualRoute can identify the distance, hops, and time to a target system. While the map really doesn't add much value, it is pretty neat. By clicking on a section of the map you can zoom in on that area in greater detail. Node information is displayed in a chart format providing the fully qualified domain name, location, and host network. This information is useful for keeping track of where each packet goes and where the route changes as the packet enters the target network. The trace results can help you identify firewalls, routers, and other systems. You can attempt to determine whether two systems are on the same network segment or separated by a router. This information becomes handy when you move into the exploit phases. Even if you know your network topology well, performing traceroutes can be an eye-opening experience. Look at the output from the point of view of an outsider and try to determine what information you can learn from this tool. Using this technique, you can begin to learn where the greatest risk lies on your network and how to start addressing that risk.

As an added bonus, VisualRoute can identify the software and version of a Web server.

VisualRoute connects to the target server on port 80 and identifies the software that hosts the Web site. You can use this information to tailor your test to the particular type and version of the Web server software.

Web server software normally reports its type and version by default. What most system administrators do not realize is that you can alter this information to mask the type and version of the software. The less information you let an outsider learn about your network and hosts, the safer you are.

Use: VisualRoute is very easy to install and use. Be sure that your Web browser supports Java; otherwise, you will receive an error message the first time you run VisualRoute, prompting you to install a Java virtual machine. The installation is relatively easy. Just launch the self-extracting installation file and follow the instructions. Once the tool has been installed and you have a compatible browser, you are ready to begin. Start by entering the target host name, URL, or IP address in the Host/URL box. Next, click on the green arrow to launch the traceroute. The tool then launches the traceroute and begins returning information as it attempts to finish the trace.

VisualRoute does offer some interesting options. First under the Options menu is Scan Network. Be careful using this option since it could alert intrusion detection sensors or could be perceived as a ping attack. With Scan Network selected, if the tool is unable to reach the destination you have selected, it will attempt to ping one address higher and one lower until it finds an active host or reaches the end of the address range. This helps you determine whether the host you selected was unreachable or whether the entire network was unreachable. Figure 12-32 provides a sample traceroute using VisualRoute.

Sample traceroute with VisualRoute

Figure 12-32. Sample traceroute with VisualRoute

Benefits: VisualRoute is an outstanding traceroute tool. It provides more information than a normal command line traceroute utility. The added information enables you to build a better picture of the network to aid in future testing phases. The GUI is excellent, making the tool fun to use in addition to its good functionality. The tool enables you to save the output as a text or JPEG file, which is nice for reporting and analysis.

Con: The tool is not free. Fortunately, it is relatively inexpensive for a single user license (under $50). A 30-day trial version is available at www.visualroute.com.

Nmap

URL: www.insecure.org/nmap/

Client OS: UNIX, Windows NT (ported by eEye Digital Security)

Target OS: TCP/IP networks

Classification: Discovery tool

Price: Free

Description: While Nmap is, first and foremost, a powerful port scanner, it can also serve as a more sophisticated ping sweep utility. In this chapter, we discuss only Nmap's ping capability. In Chapter 13 we delve into the details of Nmap's utility as a robust port scanner.

If the target network is blocking ICMP ECHO requests and replies, Pinger and other normal ping utilities will not be able to identify any active systems. Additionally, the target network may have its most crucial systems configured not to respond to ICMP ping while allowing some nonessential systems to respond, to mislead attackers: having found a few interesting hosts that respond to ping, the attacker may not think to use a more sophisticated ping tool to identify the hosts that do not. Nmap provides the capability to perform TCP pings on TCP ports rather than the usual ICMP that everyone associates with ping. Nmap sends a TCP ACK or SYN packet to the specified port in the hope that the target will answer with an RST packet, indicating it is up. By pinging hosts on a TCP port or using a different source port, you may be able to identify hosts that have restricted ICMP ECHO replies but are still alive on the network. Additionally, Nmap has a detection function that enables it to guess the operating system of the target through analysis of how its TCP/IP stack responds.

Nmap is a powerful, stealthy tool. If used properly it can provide excellent results while enabling you to remain undetected on the target network. Nmap can be difficult to use if you are not familiar with UNIX. This tool gives you an excellent reason to learn enough about UNIX to get by so you can take advantage of all the features of this tool. There is a GUI version of the tool called NmapFE. NmapFE does not offer all the options the command line Nmap offers, but it is easy to use.

Use: Nmap operates on Linux and a host of other UNIX-flavored operating systems and requires a command line interface, unless you are using NmapFE. Nmap has also been ported to Windows NT by eEye Digital Security, but we have had problems getting it to work properly and prefer the Linux version. Nmap has several options for scanning networks, but in this chapter we cover only those options that pertain to TCP pings and OS identification. Whether or not you find active hosts on the network, TCP pings should be performed to find those hosts that may not be responding to ICMP pings. TCP pings use TCP ACK or SYN packets to elicit an RST from the target. Nmap provides a TCP ping utility using the -sP option. For root users, -sP sends both ICMP and TCP ACK. You can specify TCP ACK packets by using the -PT option or SYN packets using -PS. Nmap sends these packets to port 80 by default, but you may need to vary the port to find one that is not filtered by the target. Normally ports 80, 53, and 443 are good ports to try.

The following command performs a TCP ping by sending a TCP ACK packet to the target IP address on port 53:

nmap -PT53 ipaddress -o outputfile.txt
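The inference behind the TCP ping described above, as an added example that is not Nmap's code. Nmap sends raw ACK or SYN packets; this block uses a full TCP connect() instead, which needs no privileges but rests on the same fact: a refused connection is an RST from the target, so the host is alive even though the port is closed, and only a timeout leaves the question open. The demo() function, the loopback ports it opens and the result labels are assumptions made for the example.

```python
import socket

# Added example, not Nmap's code. It sends a full TCP connect() rather than the
# raw ACK/SYN packets Nmap uses, so it needs no privileges; the inference is
# the same as Nmap's: a refused connection is an RST from the target, which
# proves the host is alive even though the port is closed.


def tcp_ping(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'up-open' (handshake completed), 'up-closed' (RST received) or
    'no-response' (timed out or otherwise unreachable) for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "up-open"
    except ConnectionRefusedError:
        return "up-closed"        # the host answered; only the port is closed
    except OSError:
        return "no-response"      # filtered, silently dropped, or host down


def is_alive(host: str, ports=(80, 53, 443), timeout: float = 2.0):
    """Probe the ports the text suggests trying; the host counts as alive when
    any one of them answers, open or closed."""
    results = {port: tcp_ping(host, port, timeout) for port in ports}
    return any(r.startswith("up") for r in results.values()), results


def demo() -> dict:
    """Constructed stand-alone run on the loopback interface: one port with a
    listener behind it and one that was just released, so no remote host is
    touched."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                 # nothing listens here now, so connect() gets RST

    try:
        alive, results = is_alive("127.0.0.1", ports=(open_port, closed_port))
        return {"open": results[open_port], "closed": results[closed_port], "alive": alive}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

A connect() probe is noisier than Nmap's ACK ping, since the handshake completes and the service sees a connection, which is why the text prefers Nmap for work that must stay quiet; the value of the example is in the three-way classification, which is what an analyst reading firewall logs of refused connections should keep in mind as well: a refusal still confirms the host was there.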

Another option Nmap provides is OS identification. Knowing the operating system is a critical piece of information during penetration testing. When you use the -O option in Nmap, the tool attempts to guess the operating system of the target through TCP/IP fingerprinting. Nmap performs a number of tests against the system being scanned and compares the profile of the target's TCP stack against a database of known fingerprints. The following command performs OS identification in addition to a port scan:

nmap -sT -O ipaddress

Benefits: Nmap is a powerful tool that is considered one of the best port scanners in the industry. It offers many different options and the output is very reliable.

Con: The tool can be difficult to use and install if you are not familiar with UNIX.

What's running

URL: www.woodstone.nu/whats

Client OS: Windows 9x/NT

Target OS: IP systems

Classification: Discovery tool

Price: Free

Description: What's running is a banner-grabbing program that runs on Windows 9x/NT. Once you have identified services that are running through the use of port scanners, you can use this program to determine what versions of the services are running. By knowing the versions of the services, you can search for vulnerabilities related to those specific versions and tailor your attacks on those services.

Use: What's running is simple to install and use. Simply launch What's running and use the GUI. Enter the host name or IP address in the appropriate window and select the service to which you wish to connect. The option titled Other can be used to test services that are not listed simply by typing the port number in the window. Once the program connects to the service, What's running displays the service and version information in the output window if any information is available.

Benefits: What's running is free and simple to use. It captures banner information that contains software version information that can be used to develop specific attacks against services.

Con: The tool does not offer any utility other than banner grabbing.
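What's running's banner grabbing, and the Web server identification VisualRoute performs over port 80 earlier in this chapter, as one added example that is neither tool's own code. It connects to a port, reads what the service volunteers (sending a HEAD request first when the service is HTTP), and extracts a product and version pair. The demo runs against constructed loopback services so that a chatty banner can be seen beside one an administrator has trimmed, as the VisualRoute discussion recommends; the banners, VERSION_RE and the helper names are assumptions made for the illustration.

```python
import re
import socket
import threading

# Added example; not What's running's or VisualRoute's own code. The loopback
# services, their banners and VERSION_RE are constructed for the illustration.

VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)+)")


def grab_banner(host: str, port: int, timeout: float = 3.0, http: bool = False) -> str:
    """Connect and return what the service says first. Plain services such as
    SMTP or FTP greet on connect; for HTTP a HEAD request is sent so the
    Server: header comes back."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if http:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            while True:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
                got = b"".join(chunks)
                if b"\r\n\r\n" in got or (not http and b"\n" in got):
                    break
        except socket.timeout:
            pass    # a service that says nothing yields an empty banner
    return b"".join(chunks).decode("latin-1", "replace")


def parse_version(banner: str):
    """Return (product, version) from an HTTP Server: header or the first
    line of a greeting, or None when the service does not give it away."""
    server_hdr = re.search(r"^Server:\s*(.+?)\s*$", banner, re.M | re.I)
    if server_hdr:
        text = server_hdr.group(1)
    else:
        text = banner.splitlines()[0] if banner else ""
    m = VERSION_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def _serve_once(payload: bytes, wait_for_request: bool) -> int:
    """Constructed loopback service: answers one connection with `payload`.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)      # consume the client's HEAD request
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Chatty banners beside trimmed ones, as an administrator would set them."""
    ports = {
        "verbose_smtp": _serve_once(b"220 mx.example ESMTP Sendmail 8.11.6/8.11.6; ready\r\n", False),
        "trimmed_smtp": _serve_once(b"220 mx.example ESMTP\r\n", False),
        "verbose_http": _serve_once(b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\n\r\n", True),
        "trimmed_http": _serve_once(b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n", True),
    }
    return {name: parse_version(grab_banner("127.0.0.1", port, http=name.endswith("http")))
            for name, port in ports.items()}


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found or 'no version disclosed'}")
```

The trimmed cases are the check an administrator wants: after changing the server's greeting or Server header, run `parse_version` against the real service and confirm it returns None, which is what an outsider using What's running or VisualRoute would then see.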
