Backtrack Manual Part3

Project Report
on

Project by - Nutan Kumar Panda

Technology Evangelist ISEH

R&D - ATL Guwahati

Project By: Nutan Kumar Panda

INSTALLED FEATURES
DNStracer determines where a given Domain Name Server (DNS) gets its information
from, and follows the chain of DNS servers back to the servers which know the data.

SYNOPSIS
dnstracer [options] name

DESCRIPTION
dnstracer determines where a given Domain Name Server (DNS) gets its
information from, and follows the chain of DNS servers back to the
servers which know the data.

Options are:

-c Disable local caching.

-C Enable negative caching.

-o Enable overview of received answers at the end.

-q q>u>e>r>y>c>l>a>s>s>
Change the query-class, default is A. You can either specify a number of the
type (if you're brave) or one of the following strings: a, aaaa, a6, soa, cname,
hinfo, mx, ns, txt and ptr.

-r r>e>t>r>i>e>s>
Number of retries for DNS requests, default 3.

-s s>e>r>v>e>r>
DNS server to use for the initial request, default is acquired from the
system. If a dot is specified (.), A.ROOT-SERVERS.NET will be used.

-v Be verbose on what sent or received.

-4 Use only IPv4 servers, don't query IPv6 servers (only available when IPv6
support hasn't been disabled)

-S s>o>u>r>c>e>a>d>d>r>e>s>s>
Use this as source-address for the outgoing packets.

HOW IT WORKS
It sends the specified name-server a non-recursive request for the name.


Non-recursive means: if the name-server knows it, it will return the data
requested. If the name-server doesn't know it, it will return pointers to name-
servers that are authoritive for the domain part in the name or it will return the
addresses of the root name-servers.

If the name server does returns an authoritative answer for the name,the next
server is queried. If it returns an non-authoritative answer for the name, the name
servers in the authority records will be
queried.

The program stops if all name-servers are queried.

Make sure the server you're querying doesn't do forwarding towards other
servers, as dnstracer is not able to detect this for you.

It detects so called lame servers, which are name-servers which has been told
to have information about a certain domain, but don't
have this information.

EXAMPLES
Search for the A record of www.mavetju.org on your local nameserver:

dnstracer www.mavetju.org

Search for the MX record of mavetju.org on the root-nameservers:

dnstracer "-s" . "-q" mx mavetju.org

Search for the PTR record (hostname) of 212.204.230.141:

dnstracer "-q" ptr 141.230.204.212.in-addr.arpa

And for IPv6 addresses:

dnstracer "-q" ptr "-s" . "-o"
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.4.0.2.0.0.0.0.8.b.0.e.f.f.3.ip6.int


tcptraceroute: A traceroute implementation using TCP packets The more
traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one,
and increments the TTL until the destination has been reached. By printing the gateways
that generate ICMP time exceeded messages along the way, it is able to determine the path
packets are taking to reach the destination. The problem is that with the widespread use of
firewalls on the modern Internet, many of the packets that traceroute(8) sends out end up
being filtered, making it impossible to completely trace the path to the destination.
However, in many cases, these firewalls will permit inbound TCP packets to specific ports
that hosts sitting behind the firewall are listening for connections on. By sending out TCP
SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most
common firewall filters.

It is worth noting that tcptraceroute never completely establishes a TCP connection with the
destination host. If the host is not listening for incoming connections, it will respond with an
RST indicating that the port is closed. If the host instead responds with a SYN|ACK, the port is
known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down
the connection without completing three-way handshake. This is the same half-open scanning
technique that nmap(1) uses when passed the -sS flag.

To trace the path to a web server listening for connections on port 80:

tcptraceroute webserver

To trace the path to a mail server listening for connections on port 25:

tcptraceroute mailserver 25


Nmap ("Network Mapper") is a utility for network exploration or security
auditing. Many systems and network administrators also find it useful for tasks such as
network inventory, managing service upgrade schedules, and monitoring host or service
uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on
the network, what services (application name and version) those hosts are offering, what
operating systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics. It was designed to rapidly scan large
networks, but works fine against single hosts. Nmap runs on all major computer operating
systems, and official binary packages are avalable for Linux, Windows, and Mac OS X.

Command >nmap -v -A targethost

Nmap features include:

 Host Discovery - Identifying hosts on a network, for example listing the hosts which
respond to pings, or which have a particular port open
 Port Scanning - Enumerating the open ports on one or more target hosts
 Version Detection - Interrogating listening network services listening on remote
devices to determine the application name and version number
 OS Detection - Remotely determining the operating system and some hardware
characteristics of network devices.


 Scriptable interaction with the target - using Nmap Scripting Engine (NSE)
and Lua programming language customized queries can be made Nmap Scripting
Engine.
Typical uses of Nmap:

 Auditing the security of a device, by identifying the network connections which can be
made to it
 Identifying open ports on a target host in preparation for auditing
 Network inventory, Network mapping, maintenance, and asset management
 Auditing the security of a network, by identifying unexpected new servers

Nmap is used to discover computers and services on a computer network, thus creating a
“map” of the network. Just like many simple port scanners, Nmap is capable of discovering
passive services on a network despite the fact that such services aren’t advertising
themselves with a service discovery protocol. In addition Nmap may be able to determine
various details about the remote computers. These include operating system, device type,
uptime, software product used to run a service, exact version number of that product,
presence of some firewall techniques and, on a local area network, even vendor of the
remote network card.

By default, Nmap performs a SYN Scan, which works against any compliant TCP stack,
rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan
thousands of ports, and it allows clear, reliable differentiation between ports in open,
closed and filtered states.

To perform a SYN scan on the host www.yourorg.com,

use the command
nmap www.yourorg.com

Syntax

nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

-iL Input from list of hosts/networks


-iR Choose random targets
--exclude Exclude hosts/networks
<host1[,host2][,host3],...>
--excludefile Exclude list from file
<exclude_file>

HOST DISCOVERY:

-sL List Scan - simply list targets to scan
-sP Ping Scan - go no further than determining if host is online
-P0 Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist] TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-n/-R Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers Specify custom DNS servers
<serv1[,serv2],...>
--system-dns Use OS's DNS resolver

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX TCP Null, FIN, and Xmas scans
--scanflags <flags> Customize TCP scan flags
-sI <zombie Idlescan
host[:probeport]>
-sO IP protocol scan
-b <ftp relay host> FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p <port ranges> Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F Fast - Scan only the ports listed in the nmap-services file)


-r Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION:

-sV Probe open ports to determine service/version info
--version-intensity Set from 0 (light) to 9 (try all probes)
<level>
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)

OS DETECTION:

-O Enable OS detection
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively

TIMING AND PERFORMANCE:

Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm'
(minutes), or 'h' (hours) to the value (e.g. 30m).

-T[0-5] Set timing template (higher is faster)
--min- Parallel host scan group sizes
hostgroup/max-
hostgroup <size>
--min- Probe parallelization
parallelism/max-
parallelism <time>
--min-rtt- Specifies probe round trip time.
timeout/max-rtt-
timeout/initial-rtt-
timeout <time>
--max-retries <tries> Caps number of port scan probe retransmissions.
--host-timeout Give up on target after this long
<time>


--scan-delay/--max- Adjust delay between probes
scan-delay <time>

FIREWALL/IDS EVASION AND SPOOFING:

-f; --mtu <val> fragment packets (optionally w/given MTU)
-D Cloak a scan with decoys
<decoy1,decoy2[,ME],...>
-S <IP_Address> Spoof source address
-e <iface> Use specified interface
-g/--source-port Use given port number
<portnum>
--data-length <num> Append random data to sent packets
--ttl <val> Set IP time-to-live field
--spoof-mac <mac Spoof your MAC address
address/prefix/vendor
name>
--badsum Send packets with a bogus TCP/UDP checksum

OUTPUT:

-oN/-oX/-oS/-oG Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to th
<file> given filename.
-oA <basename> Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume <filename> Resume an aborted scan
--stylesheet XSL stylesheet to transform XML output to HTML
<path/URL>


--webxml Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output

MISC:

-6 Enable IPv6 scanning
-A Enables OS detection and Version detection
--datadir <dirname> Specify custom Nmap data file location
--send-eth/--send-ip Send using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number

nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give
information similar to the below example. Keep in mind that with the above command
it's -P<zero> not the letter O.

Interesting ports on www.computerhope.com (204.228.150.3):
Not shown: 1019 filtered ports, 657 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
113/tcp open auth
443/tcp open https


Lanmap
Lanmap Listens to all available traffic on the interface of your choice, figures out who’s talking
to who, how much, using which protocols. This information is then put into a nice human-
readable 2d image (various formats are available) which can be used to understand a network’s
topology.
sudo aptitude install lanmap
This will complete the installation

Using lanmap

lanmap syntax

lanmap [-o directory] [-e program] [-T {png,gif,svg}] [-f filtetr] [-D {#,all,raw}] [-r seconds]
[-i {?,*wildcard*,iface}] [-h] [-v] [-V]

lanmap example
lanmap -i eth0 -r 30 -T png -o /tmp/
This will create a lanmap.png file under tmp folder


You can see the same screen here

lanmap available options

-o directory - The directory in which to save the generated images. Default is the current
directory.
-e program - The program to use to generate images. Default is twopi.
-T {png,gif,svg} - Output image format. Default is png.
-f filter - Traffic filter, in libpcap syntax.
-D {#,all,raw} - Debug mode; lots of output, use with caution. #: payload bytes to dump (default:
0)
-r seconds - Set the time interval between 2 consecutive graph generations. Default is 60
seconds.
-i {?,*wildcard*,iface} - Interface to use: ?: list all devices and exit *3Com*: use the first NIC
with
“3Com” in it
-V - Version info.
-vv - Verbose mode, up to 3 levels (-vv, -vv09:21 29/11/2007v).
-h - Help message.

SPIKE is written in C and exposes an API for quickly and efficiently developing
network protocol fuzzers. . SPIKE utilizes a novel technique for representing and thereafter
fuzzing network protocols. Protocol data structures are broken down and represented as
blocks, also referred to as a SPIKE, which contains both binary data and the block size.
Block-based protocol representation allows for abstracted construction of various protocol
layers with automatic size calculations. To better understand the block-based concept,
consider the following simple example from the whitepaper "The Advantages of Block-
Based Protocol Analysis for Security Testing":8


s_block_size_binary_bigendian_word("somepacketdata"); s_block_start("somepacketdata")
s_binary("01020304"); s_block_end("somepacketdata");

This basic SPIKE script (SPIKE scripts are written in C) defines a block named
somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block
with the block length. In this case the block length would be calculated as 4 and stored as a
big endian word. Note that most of the SPIKE API is prefixed with either s_ orspike_.
The s_binary() API is used to add binary data to a block and is quite liberal with its
argument format, allowing it to handle a wide variety of copied and pasted inputs such as
the string 4141 x41 0x41 41 00 41 00. Although simple, this example demonstrates the
basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be
embedded within other blocks, arbitrarily complex protocols can be easily broken down
into their smallest atoms. Expanding on the previous example:

s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

In this example, two blocks are defined, somepacketdata and innerdata. The latter block is
contained within the former block and each individual block is prefixed with a size value.
The newly defined innerdata block begins with a static two-byte value (0x0001), followed
by a four-byte variable integer with a default value of 0x02, and finally a string variable
with a default value of SELECT.
Thes_binary_bigendian_word_variable()and s_string_variable() APIs will loop through a
predefined set of integer and string variables (attack heuristics), respectively, that have
been known in the past to uncover security vulnerabilities. SPIKE will begin by looping
through the possible word variable mutations and then move on to mutating the string
variable. The true power of this framework is that SPIKE will automatically update the
values for each of the size fields as the various mutations are made. To examine or expand
the current list of fuzz variables, look at SPIKE/src/spike.c.Version 2.9 of the framework
contains a list of almost 700 error-inducing heuristics.

Using the basic concepts demonstrated in the previous example, you can begin to see how
arbitrarily complex protocols can be modeled in this framework. A number of additional
APIs and examples exist. Refer to the SPIKE documentation for further information.
Sticking to the running example, the following code excerpt is from an FTP fuzzer
distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks
are actually defined, but it helps to compare apples with apples.


s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("rn");
s_string_variable("USER");
s_string(" v);
s_string_variable("bob");
s_string("rn");
s_string("PASS ");
s_string("rn");
s_string("SITE ");
s_string_variable("SEDV");
s_string("rn");
s_string("ACCT ");
s_string("rn");
s_string("CWD ");
s_string_variable(".");
s_string("rn");
s_string("SMNT ");
s_string_variable(".");
s_string("rn");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string(",");
s_string(",");
s_string(",");
s_string(",");
s_string("rn");

The Goals of SPIKE

Find new vulnerabilities by
● Making it easy to quickly reproduce a complex binary protocol
● Develop a base of knowledge within SPIKE about different kinds of
bugclasses affecting similar protocols
● Test old vulnerabilities on new programs
● Make it easy to manually mess with protocols


How the SPIKE API works

Unique SPIKE data structure supports lengths and blocks
● s_block_start(), s_block_end(), s_blocksize_halfword_bigendian();

SPIKE utility routines make dealing with binary data, network code, and common
marshalling routines easy
● s_xdr_string()

SPIKE fuzzing framework automates iterating through all potential problem spots
● s_string(“Host: “); s_string_variable(“localhost”);

A SPIKE is a kind of First In First Out Queue or “Buffer Class”

A SPIKE can automatically fill in “length fields”
● s_size_string(“post”,5);
● s_block_start(“Post”);
● s_string_variable(“user=bob”);
● s_block_end(“post”);

Httprint is a web server fingerprinting tool. It relies on web server characteristics to
accurately identify web servers, despite the fact that they may have been obfuscated by
changing the server banner strings, or by plug-ins such as mod_security or servermask.
Httprint can also be used to detect web enabled devices which do not have a server banner
string, such as wireless access points, routers, switches, cable modems, etc. httprint uses
text signature strings and it is very easy to add signatures to the signature database.
Source: Httprint
To get the CLI use:
Code:
#cd /pentest/enumeration/www/httprint_301/linux


# httprint

Now first things first you should probably go ahead and update your "Signature File"
So it will usually be in:
Code:
/pentest/enumeration/www/httprint_301/linux

look for signatures.txt
ok now to update just go to signatures and do a save as make sure you use a .txt extension.
Overwriting the one we found earlier.

Next let’s get the input.txt file and set it up (its located in the same place as before)
This is the second file that we want to work with so and open it up using your favorite text
editor.
Ok you should see something like:
Code:
# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername :[port] /
# - https://servername:[port] /
# - IP range xx.xx.xx.xx-yy.yy.yy.yy
#http://www.apache DOT org /

# inputs for httprint can be:
# - individual IP addresses (default port 80)
# - http://servername:[port]/
# - https://servername:[port]/
# - IP ranges xx.xx.xx.xx-yy.yy.yy.yy
#
http://www.apache DOT org/

dsniff - password sniffer The ability to access the raw packets on a network
interface (known as network sniffing), has long been an important tool for system and
network administrators. For debugging purposes it is often helpful to look at the network
traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name
implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package
of utilities that includes code to parse many different application protocols and extract
interesting information, such as usernames and passwords, web pages being visited,
contents of email, and more. Additionally, it can be used to defeat the normal behaviour of
switched networks and cause network traffic from other hosts on the same network
segment to be visible, not just traffic involving the host dsniff is running on.


It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS
protocols, which would allow viewing of the traffic unencrypted, and even the possibility of
taking over interactive SSH sessions.

Synopsis

dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]]] [-
r|-w savefile] [expression]

Description

options

-c

Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such
as when using arpspoof(8) to intercept client traffic bound for the local gateway).

-d

Enable debugging mode.

-m

Enable automatic protocol detection.

-n

Do not resolve IP addresses to hostnames.

-i interface
Specify the interface to listen on.
-p pcapfile
Rather than processing the contents of packets observed upon the network process
the given PCAP capture file.
-s snaplen
Analyze at most the first snaplen bytes of each TCP connection, rather than the
default of 1024.
-f services
Load triggers from a services file.
-t trigger[,...]
Load triggers from a comma-separated list, specified as port/proto=service (e.g.
80/tcp=http).
-r savefile


Read sniffed sessions from a savefile created with the -w option.
-w file
Write sniffed sessions to savefile rather than parsing and printing them out.
expression
Specify a tcpdump(8) filter expression to select traffic to sniff.
On a hangup signal dsniff will dump its current trigger table to dsniff.services.

Files

/etc/dsniff/dsniff.services

Default trigger table
/etc/dsniff/dsniff.magic
Network protocol magic

Dsniff contains several powerful new network tools, written for use in penetration testing.
Arpredirect is a very effective way of sniffing traffic on a switch by forging arp replies. Findgw
determines the local gateway of an unknown network via passive sniffing, which can be used in
conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the
network with random MAC addresses, causing some switches to fail in open repeating mode,
facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many
protocols, only saving the "interesting" bits. Mailsnarf is a fast and easy way to violate the
Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URL's from HTTP
traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display,
updated in real-time (as the target surfs, your browser surfs along with them, automagically).

Bluetooth is meant to be a wireless replacement for some of the functions USB
fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones,
laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth
capability so they can communicate

root@slax:~# hciconfig hci0 up
root@slax:~# hciconfig
jhci0: Type: USB
BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
UP RUNNING PSCAN ISCAN
RX bytes:148 acl:0 sco:0 events:17 errors:0
TX bytes:65 acl:0 sco:0 commands:17 errors:0


root@slax:~#
root@slax:~# hcitool scan
Scanning ...
00:02:72:CA:14:6D TestTop
root@slax:~#

3proxy is universal proxy server. It can be used to provide internal users wuth fully
controllable access to external resources or to provide external users with access to
internal resources. 3proxy is not developed to replace squid(8), but it can extend
functionality of existing cashing proxy. It can be used to route requests between different
types of clients and proxy servers. Think about it as application level gateway with
configuration like hardware router has for network layer. It can establish multiple
gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and
v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from configuration file
like independant
service proxy(8) socks(8) pop3p(8)tcppm(8) udppm(8) ftppr(8) dnspr but 3proxy is
not a kind of wrapper or superserver for this daemons. It just has same code compiled in,
but provides much more functionality. SOCKSv5 implementatation allows to use 3proxy
with any UDP or TCP based client applications designed without proxy support
(with SocksCAP, FreeCAP or another client-side redirector under Windows of with
socksification library under Unix). So you can play your favourite games, listen music,
exchange files and messages and even accept incoming connections behind proxy server.

dnspr does not exist as independant service. It' DNS caching proxy (it
requires nscache and nserver to be set in configuration. Only A-records are cached. Please
note, the this caching is mostly a 'hack' and has nothing to do with real DNS server, but it
works perfectly for SOHO networks.

3proxy supports access control lists (ACL) like network router. Source and destination
networks and destination port can be specified. In addition, usernames and gateway action
(for example GET or POST) can be used in ACLs. In order to filter request on username
basis user must be authenticated somehow. There are few authentication types including
password authentication and authentication by NetBIOS name for Windows clients (it's
very like ident authentication). Depending on ACL action request can be allowed, denied or
redirected to another host or to another proxy server or even to a chain of proxy servers.

It supports different types of logging: to logfiles, syslog(3) (only under Unix) or to ODBC
database. Logging format is turnable to provide compatibility with existing log file parsers.
It makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.

OPTIONS
config_file


Name of config file. See 3proxy.cfg(3) for configuration file format. Under Windows,
if config_file is not specified, 3proxy looks for file named 3proxy.cfg in the default
location (in same directory with executable file and in current directory). Under
Unix, if no config file is specified, 3proxy reads configuration from stdin. It makes it
possible to use 3proxy.cfg file as executable script just by setting +x mode and
adding
#!/usr/local/3proxy/3proxy
as a first line in 3proxy.cfg
--install
(Windows NT family only) install 3proxy as a system service
--remove
(Windows NT family only) remove 3proxy from system services

SIGNALS
Under Unix there are few signals 3proxy catches. See kill(1).
SIGTERM
cleanup connections and exit
SIGPAUSE
stop to accept new connections, on second signal - start and re-read configuration
SIGCONT
start to accept new conenctions
SIGUSR1
reload configuration

Under Windows, if 3proxy is installed as service you can standard service management to
start, stop, pause and continue 3proxy service, for example:
net start 3proxy
net stop 3proxy
net pause 3proxy
net continue 3proxy

Web admin service can also be used to reload configuration. Use wget to automate this
task.

FILES
/usr/local/3proxy/3proxy.cfg (3proxy.cfg)
3proxy configuration file
How to open ports
socks -p28800

Cryptcat is a simple Unix utility which reads and writes data across network
connections, using TCP or UDP protocol while encrypting the data being transmitted. It is
designed to be a reliable "back-end" tool that can be used directly or easily driven by other
programs and scripts. At the same time, it is a feature-rich network debugging and


exploration tool, since it can create almost any kind of connection you would need and has
several interesting built-in capabilities.

And as a powerful back-end tool it also lets user to hide his IP and establish connection a
victim would not know about. A hacker would also be able to run commands on your
computer through the connection. If you look through the features of Crypcat listed in this
article again, you will find out that it can easily switch ports and slow down the data
sending process, so that you will never get an idea of being hacked, until you find out that,
perhaps, your passwords, accounts information and credit-cards numbers are stolen.

To sum up, Cryptcat is a powerful networking tool with almost unlimited performance
capabilities. On the one hand, it can provide security and save your information, but on the
other hand any experienced hacker has it installed. And not only for security purposes.

Cryptcat is the standard netcat enhanced with twofish encryption. Cryptcat is the standard
netcat enhanced with twofish encryption.

Machine A: cryptcat -l -p 1234 < testfile
Machine B: cryptcat <machine A IP> 1234

This is identical to the
normal netcat options for doing exactly the
same thing. However, in this case the data transferred is encrypted.

Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when -e
command argument is used

Encrypting Data with Cryptcat

Cryptcat has the same syntax and functions
as netcat
Encrypted data transfer.
Encrypting files means that:
Attacker’s sniffer cannot compromise your
information (Unless your passphrase is
compromised.)
Encryption nearly eliminates risk of data
contamination or injection

Name

Synopsis

cryptcat -k secret [-options] hostname port[s] [ports] cryptcat -k secret -l -p port [-
options] [hostname] [port]


Description

Cryptcat can act as a tcp or udp client or server - connecting to or listening on a socket,
while otherwise working as the standard Unix command cat(1) .

cryptcat takes a password as a salt to encrypt the data being sent over the connection.
Without a specified password cryptcatmetallica’’. Needless to say, failure to specify a
different password makes the connection as good as unencrypted. will default to the
hardcoded password ‘‘

Options

This programs does not follow the usual GNU command line syntax, with long options
starting with two dashes (‘-’). A summary of the options specific to cryptcat is included
below.

-h

Show summary of options.

-k secret password

Change the shared secret password to be used to establish a connection.

Bugs

This version of cryptcat does not support the -e command command line option available
in some versions of nc.


Backtrack Manual Part3

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to Backtrack Manual Part3

Similar to Backtrack Manual Part3 (20)

More from Nutan Kumar Panda

More from Nutan Kumar Panda (7)

Recently uploaded

Recently uploaded (20)

Backtrack Manual Part3