
TShark 1.10.2 (SVN Rev 51934 from /trunk-1.10) Dump and analyze network traffic.

See http://www.wireshark.org for more information.

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -I                       capture in monitor mode, if available
  -B <buffer size>         size of kernel buffer (def: 2MB)
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files

Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files

Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -2                       perform a two-pass analysis
  -R <read filter>         packet Read filter in Wireshark display filter syntax
  -Y <display filter>      packet displaY filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
  -H <hosts file>          read a list of entries from a hosts file, which will
                           then be written to a capture file. (Implies -W n)

Output:
  -w <outfile|->           write packets to a pcap-format file named "outfile"
                           (or to the standard output for "-")
  -C <config profile>      start with specified configuration profile
  -F <output file type>    set the output file type, default is pcapng
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -O <protocols>           Only show packet details of these protocols, comma
                           separated
  -P                       print packet summary even when writing to a file
  -S <separator>           the line separator to print between packets
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|text|fields
                           format of text output (def: text)
  -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                           col.Info); this option can be repeated to print
                           multiple fields
  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values
  -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)
  -u s|hms                 output format of seconds (def: s: seconds)
  -l                       flush standard output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -Q                       only log true errors to stderr (quieter than -q)
  -g                       enable group read access on the output file(s)
  -W n                     Save extra information in the file, if supported.
                           n = write network address resolution information
  -X <key>:<value>         eXtension options, see the man page for details
  -z <statistics>          various statistics, see the man page for details

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting
  -K <keytab>              keytab file to use for kerberos decryption
  -G [report]              dump one of several available reports and exit
                           default report="fields"
                           use "-G ?" for more help

TSHARK USAGE EXAMPLE

root@kali:~# tshark -f "tcp port 80" -i eth0
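The -T fields / -E options above define a small text format (optional header line, a separator, quoting, and an aggregator joining all occurrences of a field). The reader below is an added example written for this listing, not code from Wireshark or tshark; it loads such a dump into records so that a field export can be reviewed like a log. The sample text is constructed by hand to follow those rules and is not captured output.

```python
"""Reader for `tshark -T fields` output.

Added example for this listing, not code from Wireshark/tshark.  It applies
the -E rules from the help text (header=y|n, separator, quote, occurrence=a
joined by an aggregator) so that field dumps can be loaded as records.
"""
import csv
import io

# tshark spells tab and space as /t and /s on the command line.
_SEP_NAMES = {"/t": "\t", "/s": " "}


def decode_sep(spec):
    """Map an -E separator/aggregator spec ('/t', '/s' or a literal char) to the character."""
    return _SEP_NAMES.get(spec, spec)


def parse_fields_output(text, separator=",", aggregator="/s", quote="d",
                        header=True, fields=None):
    """Parse -T fields text into a list of dicts keyed by field name.

    Every value is a list: occurrence=a joins all occurrences of a field
    (e.g. both tcp.port values of one packet) with the aggregator, and an
    absent field yields an empty list.  With header=False the caller
    supplies the field names in `fields`.
    """
    quotechar = {"d": '"', "s": "'", "n": None}[quote]
    reader = csv.reader(
        io.StringIO(text),
        delimiter=decode_sep(separator),
        quotechar=quotechar,
        quoting=csv.QUOTE_NONE if quotechar is None else csv.QUOTE_MINIMAL,
    )
    rows = [r for r in reader if r]          # drop blank lines
    if header:
        names, rows = rows[0], rows[1:]
    else:
        names = list(fields)
    agg = decode_sep(aggregator)
    return [
        {name: (val.split(agg) if val else []) for name, val in zip(names, row)}
        for row in rows
    ]


def ports_by_source(records):
    """Summarise which TCP ports each source address touched (a quick triage view)."""
    seen = {}
    for rec in records:
        for src in rec.get("ip.src", []):
            seen.setdefault(src, set()).update(rec.get("tcp.port", []))
    return seen


# Constructed sample, shaped like the output of
#   tshark -r capture.pcap -T fields -E header=y -E separator=, -E quote=d \
#          -E occurrence=a -E aggregator=/s -e frame.number -e ip.src -e tcp.port
SAMPLE = (
    "frame.number,ip.src,tcp.port\n"
    '"1","10.0.0.5","51234 80"\n'
    '"2","93.184.216.34","80 51234"\n'
    '"3","10.0.0.5",""\n'
)

if __name__ == "__main__":
    recs = parse_fields_output(SAMPLE)
    for src, ports in sorted(ports_by_source(recs).items()):
        print(src, sorted(ports))
```

Pass the same separator, quote and aggregator you gave tshark on the command line; with quote=n the reader disables quoting entirely, so a literal separator inside a field value is not recoverable, which is why quote=d is the safer export setting.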

WIRESHARK USAGE EXAMPLE


CATEGORIES: INFORMATION GATHERING, SNIFFING/SPOOFING
TAGS: ANALYSIS, GUI, NETWORKING, SNIFFING

WOL-E

WOL-E PACKAGE DESCRIPTION

WOL-E is a suite of tools for the Wake on LAN feature of network attached computers; this is now enabled by default on many Apple computers. These tools include:

• Bruteforcing the MAC address to wake up clients
• Sniffing WOL attempts on the network and saving them to disk
• Sniffing WOL passwords on the network and saving them to disk
• Waking up single clients (post sniffing attack)
• Scanning for Apple devices on the network for WOL enabling
• Sending bulk WOL requests to all detected Apple clients

Source: https://code.google.com/p/wol-e/

WOL-E Homepage | Kali WOL-E Repo

• Author: Nathaniel Carew
• License: GPLv3

TOOLS INCLUDED IN THE WOL-E PACKAGE

wol-e – Wake on LAN Explorer

root@kali:~# wol-e -h

[*] WOL-E 1.0
[*] Wake on LAN Explorer - A collection a WOL tools.
[*] by Nathaniel Carew

-m
Waking up single computers.
If a password is required use the -k 00:12:34:56:78:90 at the end of the above command.
wol-e -m 00:12:34:56:78:90 -b 192.168.1.255 -p <port> -k <pass>
Defaults:
  Port: 9
  Broadcast: 255.255.255.255
  Pass: empty

-s
Sniffing the network for WOL requests and passwords.
All captured WOL requests will be displayed on screen and written to /usr/share/wol-e/WOLClients.txt.
wol-e -s -i eth0

-a
Bruteforce powering on WOL clients.
wol-e -a -p <port>
Place the address ranges into the bfmac.lst that you wish to bruteforce. They should be in the following format:
00:12:34:56
Default port: 9

-f
Detecting Apple devices on the network for WOL enabling.
This will output to the screen and write to /usr/share/wol-e/AppleTargets.txt for detected Apple MAC's.

-fa
Attempt to wake all detected Apple targets in /usr/share/wol-e/AppleTargets.txt. This will send a single WOL packet to each client in the list and tell you how many clients were attempted.
wol-e -fa

WOL-E USAGE EXAMPLE

Detect Apple devices on the network (-f):

root@kali:~# wol-e -f

[*] WOL-E 1.0 [*]

[*] Wake on LAN Explorer - Scan for Apple devices.

[*] arping 192.168.1.0/24 on eth0

[*] Apple device detected: de:ad:be:ef:46:32 192.168.1.12. saving to AppleTargets.txt
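The -s mode above listens for WOL requests and their passwords, which is only possible because both cross the wire in cleartext. The recogniser below is an added example written for this listing, not code from wol-e; it shows, from the monitoring side, how such datagrams are identified and how the presence of a cleartext SecureOn password can be flagged. It assumes the standard magic-packet layout (six 0xFF bytes, the target MAC sixteen times, then an optional 4- or 6-byte SecureOn trailer). The sample datagrams are constructed inline and use no real hosts.

```python
"""Recogniser for Wake-on-LAN magic packets, the datagrams that wol-e -s watches for.

Added example for this listing, not code from wol-e.  The magic-packet
layout (6 x 0xFF, then the target MAC repeated 16 times, then an optional
4- or 6-byte SecureOn password) is the standard one and is assumed here.
"""


def parse_magic_packet(payload):
    """Return {"mac": ..., "secureon_len": n} if payload is a magic packet, else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:        # all sixteen copies must be identical
        return None
    trailer = payload[102:]
    if len(trailer) not in (0, 4, 6):     # only an empty or SecureOn trailer is valid
        return None
    return {"mac": ":".join(f"{b:02x}" for b in mac), "secureon_len": len(trailer)}


def audit_datagrams(datagrams):
    """Walk (src_ip, dst_port, payload) tuples and report WOL activity.

    A non-empty SecureOn trailer is flagged rather than printed: it travels
    in cleartext, which is exactly why a sniffer on the segment can collect it.
    """
    findings = []
    for src_ip, dst_port, payload in datagrams:
        info = parse_magic_packet(payload)
        if info is None:
            continue
        findings.append({
            "src": src_ip,
            "port": dst_port,
            "target_mac": info["mac"],
            "cleartext_password": info["secureon_len"] > 0,
        })
    return findings


# Constructed samples (no real hosts); port 9 is the wol-e default shown above.
_MAC = bytes.fromhex("001234567890")
SAMPLES = [
    ("192.168.1.50", 9, b"\xff" * 6 + _MAC * 16),                                  # plain wake-up
    ("192.168.1.50", 7, b"\xff" * 6 + _MAC * 16 + b"\x01\x02\x03\x04\x05\x06"),    # with SecureOn password
    ("192.168.1.51", 9, b"\xff" * 6 + _MAC * 15 + b"\x00" * 6),                    # corrupt copy, not WOL
    ("192.168.1.52", 53, b"\x12\x34\x01\x00"),                                     # unrelated UDP
]

if __name__ == "__main__":
    for finding in audit_datagrams(SAMPLES):
        print(finding)
```

The check on all sixteen MAC copies is what keeps random broadcast traffic from being misreported; a detector that only looks at the 0xFF preamble would fire on any datagram starting with six 0xFF bytes.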

CATEGORIES: INFORMATION GATHERING
TAGS: ENUMERATION, INFO GATHERING

Xplico

XPLICO PACKAGE DESCRIPTION

The goal of Xplico is to extract the application data contained in an Internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, MGCP, H323), FTP, TFTP, and so on. Xplico is not a network protocol analyzer.

Xplico Homepage | Kali Xplico Repo

• Author: Gianluca Costa, Andrea de Franceschi
• License: GPLv2

TOOLS INCLUDED IN THE XPLICO PACKAGE

xplico – Network Forensic Analysis Tool (NFAT)

root@kali:~# xplico -h

xplico v1.0.1

Internet Traffic Decoder (NFAT).

See http://www.xplico.org for more information.

Copyright 2007-2012 Gianluca Costa & Andrea de Franceschi and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
  -v  version
  -c  config file
  -h  this help
  -i  info of protocol 'prot'
  -g  display graph-tree of protocols
  -l  print all log in the screen
  -m  capture type module

NOTE: parameters MUST respect this order!

XPLICO USAGE EXAMPLE

Use the rltm module (-m rltm) and analyze traffic on interface eth0 (-i eth0):

root@kali:~# xplico -m rltm -i eth0

xplico v1.0.1

Internet Traffic Decoder (NFAT).

See http://www.xplico.org for more information.

Copyright 2007-2012 Gianluca Costa & Andrea de Franceschi and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Configuration file (/opt/xplico/cfg/xplico_cli.cfg) found!
GeoLiteCity.dat found!

pcapf: running: 0/0, subflow:0/0, tot pkt:1
pol: running: 0/0, subflow:0/0, tot pkt:0
eth: running: 0/0, subflow:0/0, tot pkt:1
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:0

CATEGORIES: FORENSICS, INFORMATION GATHERING
TAGS: ENUMERATION, FORENSICS, INFO GATHERING, NETWORKING, VOIP

SNIFFING & SPOOFING

Burp Suite


fiked

hamster-sidejack

HexInject

iaxflood

inviteflood

iSMTP

isr-evilgrade

mitmproxy

ohrwurm

protos-sip

rebind

responder

rtpbreak

rtpinsertsound

rtpmixsound

sctpscan

SIPArmyKnife

SIPp

SIPVicious

SniffJoke

SSLsplit

sslstrip

THC-IPV6


VoIPHopper

WebScarab

Wifi Honey

Wireshark

xspy

Yersinia

zaproxy

BurpSuite

BURP SUITE PACKAGE DESCRIPTION

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Source: http://portswigger.net/burp/

Burp Suite Homepage | Kali Burp Suite Repo

• Author: PortSwigger
• License: Commercial

TOOLS INCLUDED IN THE BURPSUITE PACKAGE

burpsuite – Platform for security testing of web applications

Tool for security testing of web applications.

BURPSUITE USAGE EXAMPLE


CATEGORIES: PASSWORD ATTACKS, SNIFFING/SPOOFING, WEB APPLICATIONS
TAGS: FUZZING, GUI, HTTP, HTTPS, PASSWORDS, PROXY, SNIFFING, VULN ANALYSIS, WEB APPS

DNSChef

DNSCHEF PACKAGE DESCRIPTION

DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka “Fake DNS”) is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for “badguy.com” to point to a local machine for termination or interception instead of a real host somewhere on the Internet.

There are several DNS proxies out there. Most will simply point all DNS queries to a single IP address or implement only rudimentary filtering. DNSChef was developed as part of a penetration test where there was a need for a more configurable system. As a result, DNSChef is a cross-platform application capable of forging responses based on inclusive and exclusive domain lists, supporting multiple DNS record types, matching domains with wildcards, proxying true responses for non-matching domains, defining external configuration files, IPv6 and many other features. You can find a detailed explanation of each of the features and suggested uses below.

The use of a DNS proxy is recommended in situations where it is not possible to force an application to use some other proxy server directly. For example, some mobile applications completely ignore OS HTTP Proxy settings. In these cases, the use of a DNS proxy server such as DNSChef will allow you to trick that application into forwarding connections to the desired destination.

Source: http://thesprawl.org/projects/dnschef/

DNSChef Homepage | Kali DNSChef Repo

• Author: iphelix
• License: GPLv3

TOOLS INCLUDED IN THE DNSCHEF PACKAGE

dnschef – DNS proxy for penetration testers

root@kali:~# dnschef -h

Usage: dnschef.py [options]:

          _                _          __
         | | version 0.1  | |        / _|
       __| |_ __  ___  ___| |__   ___| |_
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |
      \__,_|_| |_|___/\___|_| |_|\___|_|
                   [email protected]

DNSChef is a highly configurable DNS Proxy for Penetration Testers and Malware Analysts. It is capable of fine configuration of which DNS replies to modify or to simply proxy with real responses. In order to take advantage of the tool you must either manually configure or poison DNS server entry to point to DNSChef. The tool requires root privileges to run.

Options:
  -h, --help            show this help message and exit
  --fakeip=192.168.1.100
                        IP address to use for matching DNS queries. If you use
                        this parameter without specifying domain names, then
                        all queries will be spoofed. Consider using --file
                        argument if you need to define more than one IP
                        address.
  --fakedomains=thesprawl.org,google.com
                        A comma separated list of domain names which will be
                        resolved to a FAKE value specified in the --ip
                        parameter. All other domain names will be resolved to
                        their true values.
  --truedomains=thesprawl.org,google.com
                        A comma separated list of domain names which will be
                        resolved to their TRUE values. All other domain names
                        will be resolved to a fake value specified in the --ip
                        parameter.
  --nameservers=4.2.2.1,4.2.2.2
                        A comma separated list of alternative DNS servers to
                        use with proxied requests. A randomly selected server
                        from the list will be used for proxy requests. By
                        default, the tool uses Google's public DNS server
                        8.8.8.8.
  --file=FILE           Specify a file containing a list of DOMAIN=IP pairs
                        (one pair per line) used for DNS responses. For
                        example: google.com=1.1.1.1 will force all queries to
                        'google.com' to be resolved to '1.1.1.1'. You can be
                        even more specific by combining --file with other
                        arguments. However, data obtained from the file will
                        take precedence over others.
  --interface=0.0.0.0   Define an interface to use for the DNS listener. For
                        example, use 127.0.0.1 to listen for only requests
                        coming from a loopback device.
  --tcp                 Use TCP DNS proxy instead of the default UDP.
  -q, --quiet           Don't show headers.

DNSCHEF USAGE EXAMPLE

root@kali:~# dnschef

          _                _          __
         | | version 0.1  | |        / _|
       __| |_ __  ___  ___| |__   ___| |_
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |
      \__,_|_| |_|___/\___|_| |_|\___|_|
                   [email protected]

[*] DNS Chef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[*] No parameters were specified. Running in full proxy mode
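The options listed in the help text amount to a resolution policy: --file pairs take precedence, --fakedomains fakes only the listed names, --truedomains fakes everything except the listed names, --fakeip alone fakes every query, and with nothing given the tool runs in full proxy mode. The decision function below is an added example written for this listing, not DNSChef's own code; it encodes those rules so an analyst can predict which queries a lab sinkhole will answer itself before pointing a sample at it. Wildcard matching with fnmatch-style '*' patterns, and treating --fakedomains and --truedomains as mutually exclusive, are assumptions of this example.

```python
"""Decision logic for which queries a DNSChef-style proxy answers itself.

Added example for this listing, not DNSChef's own code.  It encodes the
precedence stated in the help text: --file pairs win over everything,
then --fakedomains / --truedomains, then --fakeip alone, else full proxy.
fnmatch-style '*' wildcards are an assumption of this example.
"""
import fnmatch


def parse_file(text):
    """Parse DOMAIN=IP lines (the --file format) into a dict.

    Blank lines and '#' comments are skipped (an addition of this example);
    a line without '=' is rejected rather than silently ignored.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, ip = line.partition("=")
        if not ip:
            raise ValueError(f"malformed DOMAIN=IP line: {line!r}")
        table[domain.strip().lower()] = ip.strip()
    return table


def _matches(qname, patterns):
    return any(fnmatch.fnmatchcase(qname, p.lower()) for p in patterns)


def decide(qname, fakeip=None, fakedomains=(), truedomains=(), file_map=None):
    """Return ("fake", ip) or ("proxy", None) for one query name."""
    if fakedomains and truedomains:
        raise ValueError("fakedomains and truedomains are mutually exclusive here")
    if (fakedomains or truedomains) and not fakeip:
        raise ValueError("a fake IP is required when domain lists are given")
    qname = qname.rstrip(".").lower()
    # 1. --file entries take precedence over every other argument.
    for pattern, ip in (file_map or {}).items():
        if fnmatch.fnmatchcase(qname, pattern):
            return ("fake", ip)
    # 2. Inclusive list: only listed names are faked.
    if fakedomains:
        return ("fake", fakeip) if _matches(qname, fakedomains) else ("proxy", None)
    # 3. Exclusive list: listed names are proxied, everything else is faked.
    if truedomains:
        return ("proxy", None) if _matches(qname, truedomains) else ("fake", fakeip)
    # 4. --fakeip alone: every query is spoofed.
    if fakeip:
        return ("fake", fakeip)
    # 5. No parameters: full proxy mode.
    return ("proxy", None)


if __name__ == "__main__":
    # Constructed configuration: a sinkhole for one name, the rest proxied.
    fm = parse_file("# constructed\nbadguy.com=127.0.0.1\n")
    for name in ("badguy.com", "example.net"):
        print(name, decide(name, file_map=fm))
```

Checking a configuration with this function before a run avoids the common mistake of giving --fakeip without a domain list and having every lookup on the test network answered with the sinkhole address.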

fiked

FIKED PACKAGE DESCRIPTION

FakeIKEd, or fiked for short, is a fake IKE daemon supporting just enough of the standards and Cisco extensions to attack commonly found insecure Cisco VPN PSK+XAUTH based IPsec authentication setups in what could be described as a semi MitM attack. Fiked can impersonate a VPN gateway’s IKE responder in order to capture XAUTH login credentials; it doesn’t currently do the client part of full MitM.

Source: http://www.roe.ch/FakeIKEd

fiked Homepage | Kali fiked Repo

• Author: Daniel Roethlisberger
• License: GPLv2

TOOLS INCLUDED IN THE FIKED PACKAGE

fiked – Cisco VPN attack tool
