
root@kali:~# nmap -h

Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

NMAP USAGE EXAMPLE

Scan in verbose mode (-v), enable OS detection, version detection, script scanning, and traceroute (-A), with version detection (-sV) against the target IP (192.168.1.1):

root@kali:~# nmap -v -A -sV 192.168.1.1

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 18:40
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:40
Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
Initiating SYN Stealth Scan at 18:40
Scanning router.localdomain (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 3001/tcp on 192.168.1.1

NPING USAGE EXAMPLE

Using TCP mode (--tcp) to probe port 22 (-p 22) using the SYN flag (--flags syn) with a TTL of 2 (--ttl 2) on the remote host (192.168.1.1):

root@kali:~# nping --tcp -p 22 --flags syn --ttl 2 192.168.1.1

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2014-05-13 18:43 MDT
SENT (0.0673s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240 iplen=40 seq=1720523417 win=1480
RCVD (0.0677s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0 iplen=44 seq=3377886789 win=5840 <mss 1460>
SENT (1.0678s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240 iplen=40 seq=1720523417 win=1480
RCVD (1.0682s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0 iplen=44 seq=3393519366 win=5840 <mss 1460>
SENT (2.0693s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240 iplen=40 seq=1720523417 win=1480
RCVD (2.0696s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0 iplen=44 seq=3409166569 win=5840 <mss 1460>
SENT (3.0707s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240 iplen=40 seq=1720523417 win=1480
RCVD (3.0710s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0 iplen=44 seq=3424813300 win=5840 <mss 1460>
SENT (4.0721s) TCP 192.168.1.15:60125 > 192.168.1.1:22 S ttl=2 id=54240 iplen=40 seq=1720523417 win=1480
RCVD (4.0724s) TCP 192.168.1.1:22 > 192.168.1.15:60125 SA ttl=64 id=0 iplen=44 seq=3440460772 win=5840 <mss 1460>

Max rtt: 0.337ms | Min rtt: 0.282ms | Avg rtt: 0.296ms
Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 4.13 seconds

NDIFF USAGE EXAMPLE

Compare yesterday's port scan (yesterday.xml) with the scan from today (today.xml):

root@kali:~# ndiff yesterday.xml today.xml

-Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml 192.168.1.1
+Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml 192.168.1.1

endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1):
-Not shown: 96 filtered ports
+Not shown: 97 filtered ports
PORT     STATE SERVICE VERSION
-22/tcp   open  ssh
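What ndiff does for the two XML files above, as an added example in Python (not ndiff's own code): both nmaprun documents are constructed samples, and a port that is absent from one of the two scans is assumed to have been filtered in that scan, which is this example's simplification of Nmap's "Not shown" summary.

```python
# Added example, not part of the Kali page or the ndiff tool: compare two
# Nmap -oX outputs and report ports whose state changed between the runs.
import xml.etree.ElementTree as ET

# Constructed sample scans: port 22 was open yesterday, 3001 is open today.
YESTERDAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -F -oX yesterday.xml 192.168.1.1">
  <host><address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host></nmaprun>"""

TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -v -F -oX today.xml 192.168.1.1">
  <host><address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3001"><state state="open"/><service name="nessus"/></port>
    </ports></host></nmaprun>"""


def port_states(xml_text):
    """Map (host, protocol, port) -> state for every <port> in an nmaprun."""
    states = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            states[key] = port.find("state").get("state")
    return states


def diff_scans(old_xml, new_xml):
    """Return ndiff-style '-'/'+' lines for ports whose state differs.
    Assumption: a port listed in only one scan counts as 'filtered' in the other
    (Nmap folds such ports into its 'Not shown' line)."""
    old, new = port_states(old_xml), port_states(new_xml)
    lines = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key, "filtered"), new.get(key, "filtered")
        if before != after:
            host, proto, port = key
            lines.append(f"-{host} {port}/{proto} {before}")
            lines.append(f"+{host} {port}/{proto} {after}")
    return lines


if __name__ == "__main__":
    print("\n".join(diff_scans(YESTERDAY_XML, TODAY_XML)))
```

A newly open port on a host you own is exactly the kind of change worth alerting on, so scheduling a scan and feeding the diff to a ticket or SIEM is the defensive use of this output.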

NCAT USAGE EXAMPLE

Be verbose (-v), running /bin/bash on connect (--exec "/bin/bash"), only allowing 1 IP address (--allow 192.168.1.123), listen on TCP port 4444 (-l 4444), and keep the listener open on disconnect (--keep-open):

root@kali:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open

Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.123.
Ncat: Connection from 192.168.1.123:39501.
Ncat: Connection from 192.168.1.15.
Ncat: Connection from 192.168.1.15:60393.
Ncat: New connection denied: not allowed

CATEGORIES: In-depth, Information Gathering, Vulnerability Analysis

TAGS: Enumeration, HTTP, HTTPS, Info Gathering, Port Scanning, SMB, SMTP, SNMP, SSL, TFTP, Vuln Analysis

ntop

NTOP PACKAGE DESCRIPTION

ntop is a tool that shows network usage, similar to what the popular top Unix command does. ntop is based on pcapture (ftp://ftp.ee.lbl.gov/pcapture.tar.Z) and has been written in a portable way so that it runs on virtually every Unix platform.

ntop can be used in either interactive or web mode. In the first case, ntop displays the network status on the user's terminal, whereas in web mode a web browser (e.g. netscape) can attach to ntop (which acts as a web server) and get a dump of the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an embedded web interface.

ntop uses libpcap, a system-independent interface for user-level packet capture.

Source: ntop README

ntop Homepage | Kali ntop Repo

* Author: Luca Deri

* License: GPLv2

TOOLS INCLUDED IN THE NTOP PACKAGE

ntop – display network usage in web browser

root@kali:~# ntop -h

Welcome to ntop v.4.99.3 (32 bit)
[Configured on Mar 2 2013 6:00:33, built on Mar 2 2013 06:01:55]
Copyright 1998-2012 by Luca Deri <[email protected]>
Get the freshest ntop from http://www.ntop.org/

Usage: ntop [OPTION]

Basic options:
    [-h | --help] Display this help and exit


instance

    [--p3p-cp] Set return value for p3p compact policy, header
    [--p3p-uri] Set return value for p3p policyref header
    [--skip-version-check] Skip ntop version check
    [--known-subnets <networks>] List of known subnets (separated by ,)
        If the argument starts with @ it is assumed it is a file path
        E.g. 192.168.0.0/14=home,172.16.0.0/16=private

NOTE

* You can configure further ntop options via the web interface [Menu Admin -> Config].

* The command line options are not permanent, i.e. they are not persistent across ntop initializations.

NTOP USAGE EXAMPLE

Display network usage, filtering for a specific IP address (-B "src host 192.168.1.1"):

root@kali:~# ntop -B "src host 192.168.1.1"

CATEGORIES: Information Gathering

TAGS: Analysis, Networking, Sniffing

p0f

P0F PACKAGE DESCRIPTION

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Some of p0f’s capabilities include:

* Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.

* Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.

* Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

* Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.


Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

Source: http://lcamtuf.coredump.cx/p0f3/

p0f Homepage | Kali p0f Repo

* Author: Michal Zalewski

* License: LGPL-2

TOOLS INCLUDED IN THE P0F PACKAGE

p0f – passive OS fingerprinting tool

root@kali:~# p0f -h

--- p0f 3.06b by Michal Zalewski <[email protected]> ---

./p0f: invalid option -- 'h'

Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

Operating mode and output settings:

  -f file   - read fingerprint database from 'file' (p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)

Performance-related options:

  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command line to prevent p0f from looking at incidental network traffic.


Problems? You can reach the author at <[email protected]>.

P0F USAGE EXAMPLE

Use interface eth0 (-i eth0) in promiscuous mode (-p), saving the results to a file (-o /tmp/p0f.log):

root@kali:~# p0f -i eth0 -p -o /tmp/p0f.log

--- p0f 3.07b by Michal Zalewski <[email protected]> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Log file '/tmp/p0f.log' opened for writing.
[+] Entered main event loop.

.-[ 192.168.1.15/35834 -> 173.246.39.185/873 (syn) ]-
|
| client   = 192.168.1.15/35834
| os       = Linux 2.2.x-3.x
| dist     = 0
| params   = generic
| raw_sig  = 4:64+0:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0

CATEGORIES: Forensics, Information Gathering

TAGS: Enumeration, Info Gathering, Recon

Parsero

PARSERO PACKAGE DESCRIPTION

Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines which directories or files hosted on a web server must not be indexed.

For example, "Disallow: /portal/login" means that the content at www.example.com/portal/login is not allowed to be indexed by crawlers such as Google, Bing or Yahoo. This is the way an administrator keeps sensitive or private information out of the search engines.

But sometimes the paths listed in the Disallow entries are directly accessible to users without a search engine, just by visiting the URL and path, and sometimes they cannot be visited by anybody at all. Because it is very common for administrators to write many Disallow entries, some of which are reachable and some of which are not, you can use Parsero to check the HTTP status code of each Disallow entry and so find out automatically whether these directories are available or not.

Also, the fact that an administrator wrote a robots.txt does not mean that the files or directories listed in the Disallow entries will not be indexed by Bing, Google or Yahoo. For this reason, Parsero is capable of searching Bing to locate content indexed without the web administrator's authorization. Parsero checks the HTTP status code of each Bing result in the same way.
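The check the description above outlines, as an added example in Python (not Parsero's own code): it extracts the Disallow entries from a constructed robots.txt, turns them into absolute URLs and classifies one HTTP status code per entry. The status codes here come from a stub lookup; an audit of your own site would supply them from an HTTP client such as urllib.

```python
# Added example, not Parsero's own code: robots.txt Disallow audit.
from urllib.parse import urljoin

# Constructed sample robots.txt: an empty Disallow means "allow everything",
# a trailing "#" starts a comment, and field names are case-insensitive.
ROBOTS_TXT = """# constructed sample
User-agent: *
Disallow: /portal/login
Disallow: /backup/
Disallow:
Allow: /public/
disallow: /admin/   # comment after the value
"""


def disallow_paths(robots_text):
    """Return the non-empty Disallow paths in file order, without duplicates."""
    paths = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and path and path not in paths:
            paths.append(path)
    return paths


def disallow_urls(base_url, robots_text):
    """Absolute URL for each Disallow path, relative to the site root."""
    return [urljoin(base_url, p) for p in disallow_paths(robots_text)]


def classify(status):
    """The point of the check: a Disallow entry matters only if it is reachable."""
    if status == 200:
        return "accessible"          # hidden from crawlers but open to anyone
    if status in (301, 302, 307, 308):
        return "redirect"            # follow manually; often a login bounce
    if status in (401, 403):
        return "restricted"          # exists, but access control is in place
    if status == 404:
        return "missing"             # stale entry, nothing to protect
    return "other"


def audit(base_url, robots_text, status_for_url):
    """status_for_url: callable URL -> HTTP status (real probe or stub)."""
    return {u: classify(status_for_url(u)) for u in disallow_urls(base_url, robots_text)}
```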


Source: https://github.com/behindthefirewalls/Parsero

Parsero Homepage | Kali parsero Repo

* Author: Javier Nieto

* License: GPLv2

TOOLS INCLUDED IN THE PARSERO PACKAGE
