Backtrack /pentest A to Z Part 3: Enumeration
by phil on Oct.09, 2009, under Backtrack A to Z, Security
Some of my readers may have noticed that I was missing some applications in parts 1 and 2. This discrepancy is caused by the fact that I wasn't aware of the new Backtrack 4 pre-release. I'm not going to go back and revisit those folders though; I'll leave that exercise up to the reader.
Making our way along, the next folder is 'enumeration'. In this case enumeration really means information gathering, mostly DNS reconnaissance, plus a handful of service-fingerprinting and search-engine tools.
Within the enumeration folder are multiple sub-folders containing, in my opinion, an eclectic collection of tools. The first folder is complemento, which actually holds three separate tools. HTTPSquash, the first of the tools I looked at, is used to identify the version of the HTTP server running on a host. Scanned against a Win2k3 machine running IIS, this is what it saw.
This is a nice tool to keep in your toolset for when nmap or other tools give you conflicting answers. Interestingly, the enumeration folder also contains another tool for identifying an HTTP server: HTTPrint. HTTPrint also scans a given IP and guesses which web server is running there. Rather than trusting the Server banner, it compares the server's response characteristics against a signature file, so it is still useful when the banner has been changed or stripped:
Returning to the complemento folder we have LetDown, a tool designed for performing a DoS attack (a TCP connection flood) against a given server, and finally ReverseRaider, which brute-forces the subdomains of a given domain using a wordlist and can also sweep an IP range with reverse (PTR) lookups, hence the name. You'll notice a trend with the tools in the enumeration folder: many of them are designed to gather DNS information. In my opinion a tool like Maltego is better suited to some of these tasks.
DNS Enumeration
Instead of slowly walking through all the DNS enumeration tools one by one, I'm simply going to list them here. The command-line options vary from tool to tool, but the concept is the same: resolve candidate names from a wordlist, and check whether the name servers give away more than they should:
DNSmap: Maps a domain's subdomains using a built-in or user-supplied wordlist.
DNSwalk: A tool designed to troubleshoot DNS zones; it requests zone transfers (AXFR), so it also tells you where transfers are permitted, which hands you the whole zone in one query.
DNSenum: Using wordlists or brute force, this tool discovers hosts in a given domain. It also uses Google to find additional hostnames.
DNSRecon: Yet another DNS enumeration tool, this one written in Ruby.
Fierce: A wordlist-based DNS enumerator written in Perl.
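The wordlist brute force that dnsmap, dnsenum and fierce perform, and the reverse sweep that ReverseRaider adds, come down to a few dozen lines. The example below is added here to show that logic; it is not code from any of those tools. The one check every practitioner wants is wildcard detection: if the zone has a `*` record, every word in your list "resolves" and the results are worthless unless you first learn the wildcard's address and filter it out. The zone, addresses and wordlist are constructed for the demo, and the lookups go through an injected table so it runs offline; `system_resolve`/`system_reverse` use the OS resolver for real use.

```python
import random
import socket
import string
from ipaddress import ip_network
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]
# A reverse resolver maps an IPv4 address to a hostname, or None when no PTR exists.
ReverseResolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Forward lookup through the OS resolver (for running against a real zone)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(address: str) -> Optional[str]:
    """PTR lookup through the OS resolver (for running against a real range)."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def table_resolvers(forward: Dict[str, str],
                    wildcard_ip: Optional[str] = None) -> Tuple[Resolver, ReverseResolver]:
    """Offline stand-ins built from a constructed record table, so the demo needs no network."""
    def resolve(name: str) -> Optional[str]:
        return forward.get(name, wildcard_ip)  # a wildcard zone answers every label

    reverse_table = {ip: name for name, ip in forward.items()}

    def reverse(address: str) -> Optional[str]:
        return reverse_table.get(address)

    return resolve, reverse


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot exist; any answer means the zone has a wildcard.
    Returns the set of addresses the wildcard answers with (empty when there is none)."""
    answers: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ip = resolve(f"{label}.{domain}")
        if ip is not None:
            answers.add(ip)
    return answers


def brute_force_subdomains(domain: str, wordlist: Iterable[str], resolve: Resolver,
                           filter_wildcard: bool = True) -> Dict[str, str]:
    """dnsmap/fierce-style wordlist enumeration; wildcard answers are dropped unless told otherwise."""
    wildcard_ips = detect_wildcard(domain, resolve) if filter_wildcard else set()
    found: Dict[str, str] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None or ip in wildcard_ips:
            continue  # NXDOMAIN, or just the wildcard talking
        found[host] = ip
    return found


def reverse_sweep(cidr: str, reverse: ReverseResolver) -> Dict[str, str]:
    """ReverseRaider-style PTR sweep over a range; returns address -> hostname for every hit."""
    hits: Dict[str, str] = {}
    for ip in ip_network(cidr, strict=False).hosts():
        name = reverse(str(ip))
        if name:
            hits[str(ip)] = name
    return hits


# Constructed zone for the demo (example.test is not a real domain).
SAMPLE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.12",
    "vpn.example.test": "203.0.113.13",
}
SAMPLE_WILDCARD_IP = "203.0.113.250"   # *.example.test answers with this
SAMPLE_WORDLIST = ["www", "mail", "ftp", "vpn", "admin", "dev"]

if __name__ == "__main__":
    resolve, reverse = table_resolvers(SAMPLE_ZONE, SAMPLE_WILDCARD_IP)
    print("wildcard answers:", detect_wildcard("example.test", resolve))
    print("naive:   ", brute_force_subdomains("example.test", SAMPLE_WORDLIST, resolve, filter_wildcard=False))
    print("filtered:", brute_force_subdomains("example.test", SAMPLE_WORDLIST, resolve))
    print("reverse sweep:", reverse_sweep("203.0.113.8/29", reverse))
    # Against a real zone: brute_force_subdomains("target.tld", open("words.txt"), system_resolve)
```

The naive run reports all six names as live because the wildcard answers for ftp, admin and dev; the filtered run returns only the three real hosts. The filter has one blind spot worth remembering: a genuine host that shares the wildcard's address is indistinguishable from noise, so treat a wildcard zone's results as a lower bound.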
Moving on, we get to some of my favorite tools. The following three tools use Google to gather information instead of touching your target's machines. This information can be useful in helping identify usernames, paths, etc. Gooscan is a command-line tool designed to run batches of Google queries looking for interesting folders and CGI exploits while talking only to a Google appliance. This means Google has already done the crawling, so you never identify yourself to the target (it is aimed at a Google appliance rather than google.com because automated querying of the public search engine violates its terms of service).
Metagoofil is one of my new favorite toys. You give it a domain name and it will grab the files Google knows about on that domain (Word documents, PDFs, Excel spreadsheets, etc.) and search them for metadata such as usernames, paths, deleted text and so on. It uses the 'extract' command to pull out the metadata, so you don't really need this tool if you have some strong Google-fu; still, it is nice because it can give you an insight into how a company is run. I had some initial problems getting this tool to run. You MUST put #!/usr/bin/python on the very first line of the script or it will not run (you can also issue the command "python metagoofil.py", but where's the fun in that?).
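To show what the metadata pass actually finds, here is an added example (not metagoofil's code, which shells out to 'extract') that reads the two formats most worth harvesting: the Info dictionary of a PDF and the docProps/core.xml and app.xml parts of a DOCX, which is just a zip file. Both sample documents are constructed in memory for the demo; the usernames, paths and company name in them are invented. It then pulls candidate account names out of author fields and out of Windows and Unix home-directory paths, which is exactly the kind of naming-convention leak the post is talking about.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Set

# --- constructed sample documents (not real files) ---------------------------------
# Minimal PDF with an Info dictionary; backslashes inside the Title string are PDF-escaped (\\).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Title (C:\\\\Users\\\\jsmith\\\\Documents\\\\Q3 budget.docx) "
    b"/Author (jsmith) /Creator (Microsoft Word) /Producer (Acrobat Distiller 9.0) >>\nendobj\n"
    b"trailer\n<< /Info 2 0 R >>\n%%EOF\n"
)

CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/">
<dc:creator>ACME\\mjones</dc:creator><cp:lastModifiedBy>kwilliams</cp:lastModifiedBy>
<dcterms:modified>2009-09-30T14:05:00Z</dcterms:modified></cp:coreProperties>"""

APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application><AppVersion>12.0000</AppVersion>
<Template>Normal.dotm</Template><Company>ACME Corp</Company></Properties>"""


def build_sample_docx() -> bytes:
    """A DOCX is a zip; only the docProps parts matter here, the rest are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", b"<document/>")
    return buf.getvalue()


# --- extraction ------------------------------------------------------------------
_PDF_INFO = re.compile(rb"/(Title|Author|Subject|Creator|Producer)\s*\(((?:[^()\\]|\\.)*)\)")
_PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def pdf_metadata(data: bytes) -> Dict[str, str]:
    """Pull literal-string Info entries out of a PDF (hex strings and encrypted files are not handled)."""
    meta: Dict[str, str] = {}
    for key, raw in _PDF_INFO.findall(data):
        value = re.sub(rb"\\(.)", lambda m: _PDF_ESCAPES.get(m.group(1), m.group(1)), raw)
        meta[key.decode()] = value.decode("latin-1")
    return meta


def docx_metadata(data: bytes) -> Dict[str, str]:
    """Read every non-empty element of core.xml/app.xml, keyed by tag name without namespace."""
    meta: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in zf.namelist():
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                if el.text and el.text.strip():
                    meta[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return meta


_USER_FIELDS = ("Author", "creator", "lastModifiedBy")
_PATH_USER = re.compile(r"(?:[A-Za-z]:\\(?:Users|Documents and Settings)\\|/home/|/Users/)([^\\/]+)")


def candidate_usernames(meta: Dict[str, str]) -> Set[str]:
    """Account names from author fields (DOMAIN\\user -> user) and from home-directory paths."""
    users: Set[str] = set()
    for field in _USER_FIELDS:
        if meta.get(field):
            users.add(meta[field].rsplit("\\", 1)[-1].strip().lower())
    for value in meta.values():
        for m in _PATH_USER.finditer(value):
            users.add(m.group(1).lower())
    return users


if __name__ == "__main__":
    for name, meta in (("sample.pdf", pdf_metadata(SAMPLE_PDF)),
                       ("sample.docx", docx_metadata(build_sample_docx()))):
        print(name, meta)
        print("  candidate usernames:", sorted(candidate_usernames(meta)))
```

Run against real downloads the interesting fields are the same ones: Author, creator and lastModifiedBy for naming conventions, Title and any path-bearing field for internal drive layouts, and Producer/Application for the exact office and PDF software versions in use, which is client-side attack-surface information you cannot get by scanning.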
The final Google tool is Goorecon. This tool uses Google to gather the subdomains and email addresses it may know about for a domain. Why email addresses? Knowing an email address may give you some insight into account naming conventions and other interesting tidbits. You could also use it to social-engineer your way to access.
Now that we're done with the Google and DNS enumerators we can look at some of the other tools. The first tool on that list is LBD, which stands for Load Balancer Detector. It literally does what it's called: you give it a hostname or IP address and it tells you whether the target is being load balanced, by checking DNS (several A records for one name) and HTTP (Server and Date headers that differ between repeated requests). List-URLs, in this same vein, also does exactly as advertised: you give it a website and it spiders the site for a listing of all the URLs it links to.
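The checks LBD runs are simple enough to spell out. The example below is added here and is not LBD's own code: it reproduces the DNS and HTTP Server/Date comparisons described above and adds one more tell, the session-persistence cookie that common load balancers set (F5's BIGipServer*, AWS's AWSALB, Azure's ARRAffinity; that list is my addition). The addresses and response headers are constructed for the demo so it runs offline; `fetch_headers` collects real responses when you point it at a live URL.

```python
import urllib.request
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Optional, Sequence

Headers = Dict[str, str]  # one response's headers, keys lower-cased

# Session-persistence cookies set by common load balancers (F5 BIG-IP, AWS ALB, Azure).
PERSISTENCE_COOKIES = ("BIGipServer", "AWSALB", "ARRAffinity")


def fetch_headers(url: str, count: int = 5) -> List[Headers]:
    """Send `count` HEAD requests to the same URL and keep each response's headers (live use only)."""
    responses: List[Headers] = []
    for _ in range(count):
        req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "lbd-demo"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            responses.append({k.lower(): v for k, v in resp.headers.items()})
    return responses


def dns_round_robin(addresses: Iterable[str]) -> bool:
    """DNS check: several A records for one name is the classic round-robin setup."""
    return len(set(addresses)) > 1


def differing_headers(responses: Sequence[Headers],
                      fields: Sequence[str] = ("server", "via", "x-served-by", "x-powered-by")) -> Dict[str, set]:
    """HTTP check: one URL answered with different Server/Via/... values means different back ends."""
    diffs: Dict[str, set] = {}
    for field in fields:
        values = {r.get(field) for r in responses}
        if len(values) > 1:
            diffs[field] = values
    return diffs


def date_goes_backwards(responses: Sequence[Headers], tolerance_s: int = 2) -> bool:
    """Date check: a reply stamped earlier than the one before it points to unsynchronised back-end clocks."""
    stamps = [parsedate_to_datetime(r["date"]) for r in responses if "date" in r]
    return any((later - earlier).total_seconds() < -tolerance_s
               for earlier, later in zip(stamps, stamps[1:]))


def persistence_cookie(responses: Sequence[Headers]) -> Optional[str]:
    """Cookie check: a known persistence cookie is a direct giveaway of the balancer product."""
    for r in responses:
        for name in PERSISTENCE_COOKIES:
            if name in r.get("set-cookie", ""):
                return name
    return None


def assess(addresses: Iterable[str], responses: Sequence[Headers]) -> Dict[str, object]:
    """Combine the checks; any positive signal is reported as 'balanced'."""
    result: Dict[str, object] = {
        "dns_round_robin": dns_round_robin(addresses),
        "header_differences": differing_headers(responses),
        "date_skew": date_goes_backwards(responses),
        "persistence_cookie": persistence_cookie(responses),
    }
    result["balanced"] = bool(result["dns_round_robin"] or result["header_differences"]
                              or result["date_skew"] or result["persistence_cookie"])
    return result


# Constructed sample: two A records, and three replies that betray two Apache builds,
# a clock nine seconds behind, and an F5 persistence cookie.
SAMPLE_ADDRESSES = ["203.0.113.10", "203.0.113.11"]
SAMPLE_RESPONSES: List[Headers] = [
    {"server": "Apache/2.2.11 (Unix)", "date": "Fri, 09 Oct 2009 14:00:00 GMT",
     "set-cookie": "BIGipServerweb_pool=1234567890.20480.0000; path=/"},
    {"server": "Apache/2.2.9 (Unix)", "date": "Fri, 09 Oct 2009 13:59:51 GMT"},
    {"server": "Apache/2.2.11 (Unix)", "date": "Fri, 09 Oct 2009 14:00:03 GMT",
     "set-cookie": "BIGipServerweb_pool=1234567890.20480.0000; path=/"},
]
# Constructed control: one host answering consistently.
SINGLE_HOST_RESPONSES: List[Headers] = [
    {"server": "nginx/0.7.62", "date": "Fri, 09 Oct 2009 14:00:00 GMT"},
    {"server": "nginx/0.7.62", "date": "Fri, 09 Oct 2009 14:00:01 GMT"},
]

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_ADDRESSES, SAMPLE_RESPONSES))
    print("control:", assess(["203.0.113.10"], SINGLE_HOST_RESPONSES))
    # Live: assess(socket.gethostbyname_ex(host)[2], fetch_headers(f"http://{host}/"))
```

Two caveats a practitioner should keep in mind: a reverse proxy or CDN in front of a single server will show the same cookie and header signals without there being any real pool behind it, and a well-run pool with synchronised clocks and identical builds will pass every HTTP check, leaving DNS as the only visible hint.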
There are two SNMP tools within this folder: snmpcheck and snmpenum. Both pretty much perform the same task: given an IP address and a community string (try the default, 'public', first), they query the SNMP service and dump what it exposes, such as system details, interfaces, running processes and user accounts. This, again, is more about gathering information than gaining access.
The last tool in this folder is also very interesting. It's called SEAT, the Search Engine Assessment Tool.
SEAT performs the same functions as the Google tools, but it uses many more search engines to perform the searches. Using SEAT you can mine information from multiple sources, using multiple queries to specify what you're searching for. An interesting tool for any tool set.