Backtrack Manual Part3


  1. Project Report. Project by Nutan Kumar Panda, Technology Evangelist, ISEH R&D - ATL Guwahati. Project By: Nutan Kumar Panda
  2. INSTALLED FEATURES

     dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

     SYNOPSIS
         dnstracer [options] name

     DESCRIPTION
         Options are:

         -c                 Disable local caching.
         -C                 Enable negative caching.
         -o                 Enable overview of received answers at the end.
         -q queryclass      Change the query-class, default is A. You can either specify a number of the type (if you're brave) or one of the following strings: a, aaaa, a6, soa, cname, hinfo, mx, ns, txt and ptr.
         -r retries         Number of retries for DNS requests, default 3.
         -s server          DNS server to use for the initial request, default is acquired from the system. If a dot is specified (.), A.ROOT-SERVERS.NET will be used.
         -v                 Be verbose on what is sent or received.
         -4                 Use only IPv4 servers, don't query IPv6 servers (only available when IPv6 support hasn't been disabled).
         -S sourceaddress   Use this as source-address for the outgoing packets.

     HOW IT WORKS
         It sends the specified name-server a non-recursive request for the name.
  3. Non-recursive means: if the name-server knows it, it will return the data requested. If the name-server doesn't know it, it will return pointers to name-servers that are authoritative for the domain part in the name, or it will return the addresses of the root name-servers. If the name server returns an authoritative answer for the name, the next server is queried. If it returns a non-authoritative answer for the name, the name servers in the authority records will be queried. The program stops when all name-servers have been queried.

     Make sure the server you're querying doesn't do forwarding towards other servers, as dnstracer is not able to detect this for you. It detects so-called lame servers, which are name-servers that have been told to have information about a certain domain, but don't have this information.

     EXAMPLES
         Search for the A record of on your local nameserver:
             dnstracer
         Search for the MX record of on the root-nameservers:
             dnstracer -s . -q mx
         Search for the PTR record (hostname) of
             dnstracer -q ptr
         And for IPv6 addresses:
             dnstracer -q ptr -s . -o
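     The delegation walk described above can be studied without sending any packets. The following is an added example, not part of the manual or of the dnstracer program: it replays dnstracer's logic (non-recursive query, follow referrals, ask every server once, report lame servers, and an -o style overview) over a constructed in-memory table of name servers. All names under .test and the address 192.0.2.10 are placeholders.

```python
"""Simulated dnstracer-style delegation walk.

Added example, not part of the Backtrack manual or the dnstracer program.
The server table is constructed and kept in memory: no DNS packets are sent,
so the walk can be studied offline. Names under .test are placeholders.
"""

# Constructed table: what each name server answers to a NON-recursive query.
#   ("answer", value)       the server holds the data itself
#   ("referral", [ns, ...]) pointers to servers believed to be authoritative
#   ("lame", None)          delegated the zone, but holds no data for it
SERVERS = {
    "a.root-servers.net": {
        "www.example.test": ("referral", ["a.gtld.test", "b.gtld.test"])},
    "a.gtld.test": {
        "www.example.test": ("referral", ["ns1.example.test", "ns2.example.test"])},
    "b.gtld.test": {
        "www.example.test": ("referral", ["ns1.example.test", "ns2.example.test"])},
    "ns1.example.test": {"www.example.test": ("answer", "192.0.2.10")},
    "ns2.example.test": {"www.example.test": ("lame", None)},   # the lame server
}


def query(server, name):
    """Non-recursive lookup: the server returns only what it knows itself."""
    return SERVERS.get(server, {}).get(name, ("lame", None))


def trace(name, start="a.root-servers.net"):
    """Follow referrals breadth-first from `start`, asking every server once,
    the way dnstracer walks the chain. Returns (answers, lame, visited):
    answers maps each authoritative server to the data it returned, lame lists
    servers that were delegated the name but had nothing, visited is the
    query order."""
    answers, lame, visited = {}, [], []
    pending = [start]
    while pending:
        server = pending.pop(0)
        if server in visited:
            continue
        visited.append(server)
        kind, data = query(server, name)
        if kind == "answer":
            answers[server] = data
        elif kind == "referral":
            pending.extend(ns for ns in data if ns not in visited)
        else:
            lame.append(server)
    return answers, lame, visited


def overview(answers):
    """Like dnstracer -o: group the received answers by value so that
    inconsistent data between authoritative servers stands out."""
    by_value = {}
    for server, value in answers.items():
        by_value.setdefault(value, []).append(server)
    return by_value


if __name__ == "__main__":
    answers, lame, visited = trace("www.example.test")
    for server in visited:
        print(f"queried {server}")
    print("answers:", overview(answers))
    print("lame servers:", lame)
```

     The point of the overview step is the defensive one: when two authoritative servers return different data for the same name, one of them is stale or has been tampered with, and grouping answers by value makes that visible at a glance.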
  4. tcptraceroute: A traceroute implementation using TCP packets
     The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination. The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute(8) sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
     It is worth noting that tcptraceroute never completely establishes a TCP connection with the destination host. If the host is not listening for incoming connections, it will respond with an RST indicating that the port is closed. If the host instead responds with a SYN|ACK, the port is known to be open, and an RST is sent by the kernel tcptraceroute is running on to tear down the connection without completing the three-way handshake. This is the same half-open scanning technique that nmap(1) uses when passed the -sS flag.
     To trace the path to a web server listening for connections on port 80:
     tcptraceroute webserver
     To trace the path to a mail server listening for connections on port 25:
     tcptraceroute mailserver 25
  5. Nmap ("Network Mapper") is a utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
     Command: nmap -v -A targethost
     Nmap features include:
     ● Host Discovery - Identifying hosts on a network, for example listing the hosts which respond to pings, or which have a particular port open
     ● Port Scanning - Enumerating the open ports on one or more target hosts
     ● Version Detection - Interrogating listening network services on remote devices to determine the application name and version number
     ● OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.
  6. ● Scriptable interaction with the target - using the Nmap Scripting Engine (NSE) and the Lua programming language, customized queries can be made.
     Typical uses of Nmap:
     ● Auditing the security of a device, by identifying the network connections which can be made to it
     ● Identifying open ports on a target host in preparation for auditing
     ● Network inventory, network mapping, maintenance, and asset management
     ● Auditing the security of a network, by identifying unexpected new servers
     Nmap is used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition, Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.
     By default, Nmap performs a SYN Scan, which works against any compliant TCP stack, rather than depending on idiosyncrasies of specific platforms. It can be used to quickly scan thousands of ports, and it allows clear, reliable differentiation between ports in open, closed and filtered states. To perform a SYN scan on the host, use the command:
     nmap www.yourorg.com
     Syntax:
     nmap [Scan Type(s)] [Options] {target specification}
     TARGET SPECIFICATION:
     -iL   Input from list of hosts/networks
  7. -iR   Choose random targets
     --exclude <host1[,host2][,host3],...>   Exclude hosts/networks
     --excludefile <exclude_file>   Exclude list from file
     HOST DISCOVERY:
     -sL   List Scan - simply list targets to scan
     -sP   Ping Scan - go no further than determining if host is online
     -P0   Treat all hosts as online -- skip host discovery
     -PS/PA/PU [portlist]   TCP SYN/ACK or UDP discovery to given ports
     -PE/PP/PM   ICMP echo, timestamp, and netmask request discovery probes
     -n/-R   Never do DNS resolution/Always resolve [default: sometimes]
     --dns-servers <serv1[,serv2],...>   Specify custom DNS servers
     --system-dns   Use the OS's DNS resolver
     SCAN TECHNIQUES:
     -sS/sT/sA/sW/sM   TCP SYN/Connect()/ACK/Window/Maimon scans
     -sN/sF/sX   TCP Null, FIN, and Xmas scans
     --scanflags <flags>   Customize TCP scan flags
     -sI <zombie host[:probeport]>   Idlescan
     -sO   IP protocol scan
     -b <ftp relay host>   FTP bounce scan
     PORT SPECIFICATION AND SCAN ORDER:
     -p <port ranges>   Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
     -F   Fast - Scan only the ports listed in the nmap-services file
  8. -r   Scan ports consecutively - don't randomize
     SERVICE/VERSION DETECTION:
     -sV   Probe open ports to determine service/version info
     --version-intensity <level>   Set from 0 (light) to 9 (try all probes)
     --version-light   Limit to most likely probes (intensity 2)
     --version-all   Try every single probe (intensity 9)
     --version-trace   Show detailed version scan activity (for debugging)
     OS DETECTION:
     -O   Enable OS detection
     --osscan-limit   Limit OS detection to promising targets
     --osscan-guess   Guess OS more aggressively
     TIMING AND PERFORMANCE:
     Options which take <time> are in milliseconds, unless you append s (seconds), m (minutes), or h (hours) to the value (e.g. 30m).
     -T[0-5]   Set timing template (higher is faster)
     --min-hostgroup/max-hostgroup <size>   Parallel host scan group sizes
     --min-parallelism/max-parallelism <time>   Probe parallelization
     --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>   Specifies probe round trip time.
     --max-retries <tries>   Caps number of port scan probe retransmissions.
     --host-timeout <time>   Give up on target after this long
  9. --scan-delay/--max-scan-delay <time>   Adjust delay between probes
     FIREWALL/IDS EVASION AND SPOOFING:
     -f; --mtu <val>   fragment packets (optionally w/given MTU)
     -D <decoy1,decoy2[,ME],...>   Cloak a scan with decoys
     -S <IP_Address>   Spoof source address
     -e <iface>   Use specified interface
     -g/--source-port <portnum>   Use given port number
     --data-length <num>   Append random data to sent packets
     --ttl <val>   Set IP time-to-live field
     --spoof-mac <mac address/prefix/vendor name>   Spoof your MAC address
     --badsum   Send packets with a bogus TCP/UDP checksum
     OUTPUT:
     -oN/-oX/-oS/-oG <file>   Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
     -oA <basename>   Output in the three major formats at once
     -v   Increase verbosity level (use twice for more effect)
     -d[level]   Set or increase debugging level (Up to 9 is meaningful)
     --packet-trace   Show all packets sent and received
     --iflist   Print host interfaces and routes (for debugging)
     --log-errors   Log errors/warnings to the normal-format output file
     --append-output   Append to rather than clobber specified output files
     --resume <filename>   Resume an aborted scan
     --stylesheet <path/URL>   XSL stylesheet to transform XML output to HTML
  10. --webxml   Reference stylesheet from Insecure.Org for more portable XML
      --no-stylesheet   Prevent associating of XSL stylesheet w/XML output
      MISC:
      -6   Enable IPv6 scanning
      -A   Enables OS detection and Version detection
      --datadir <dirname>   Specify custom Nmap data file location
      --send-eth/--send-ip   Send using raw ethernet frames or IP packets
      --privileged   Assume that the user is fully privileged
      -V   Print version number

      nmap -P0

      Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that with the above command it's -P<zero>, not the letter O.

      Interesting ports on (
      Not shown: 1019 filtered ports, 657 closed ports
      PORT    STATE SERVICE
      21/tcp  open  ftp
      80/tcp  open  http
      113/tcp open  auth
      443/tcp open  https
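      The "normal" output shown on the slide is easy to turn into something an administrator can act on, which is the audit use listed earlier ("identifying unexpected new servers"). The following is an added example, not code from the manual or from the Nmap project: it parses a constructed copy of that output (the host name host.example.test is a placeholder) and compares the open ports against an approved baseline. A more robust tool would read -oX or -oG output instead, but the normal format is what the slide shows.

```python
"""Parse nmap normal output and diff the open ports against a baseline.

Added example, not part of the Backtrack manual or of Nmap. SAMPLE is a
constructed copy of the slide's output with a placeholder host name.
"""
import re

SAMPLE = """\
Interesting ports on host.example.test:
Not shown: 1019 filtered ports, 657 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
113/tcp open  auth
443/tcp open  https
"""

# One port line: "<port>/<proto>  <state>  <service>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)
# Summary of ports nmap did not list individually
NOT_SHOWN_RE = re.compile(r"Not shown: (.*)")


def parse_nmap_normal(text):
    """Return {"ports": [(port, proto, state, service), ...],
               "not_shown": {state: count}} for one host's normal output."""
    ports = [(int(port), proto, state, service)
             for port, proto, state, service in PORT_RE.findall(text)]
    not_shown = {}
    match = NOT_SHOWN_RE.search(text)
    if match:
        for part in match.group(1).split(","):
            count, state = part.split()[:2]      # e.g. "1019 filtered ports"
            not_shown[state] = int(count)
    return {"ports": ports, "not_shown": not_shown}


def open_ports(result):
    """The set of (port, proto) nmap reported as open."""
    return {(port, proto) for port, proto, state, _ in result["ports"]
            if state == "open"}


def compare_to_baseline(result, baseline):
    """Return (unexpected, missing): ports open now but not approved, and
    approved ports that are no longer open. Both deserve a look: the first
    may be a new or rogue service, the second an outage."""
    now = open_ports(result)
    return sorted(now - baseline), sorted(baseline - now)


if __name__ == "__main__":
    result = parse_nmap_normal(SAMPLE)
    # Constructed baseline: only the web ports are approved on this host.
    approved = {(80, "tcp"), (443, "tcp")}
    unexpected, missing = compare_to_baseline(result, approved)
    print("not shown:", result["not_shown"])
    print("unexpected open ports:", unexpected)
    print("approved ports not open:", missing)
```

      Run against the sample, the comparison flags 21/tcp (ftp) and 113/tcp (auth) as open ports that are not in the approved baseline.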
  11. Lanmap
      Lanmap listens to all available traffic on the interface of your choice and figures out who's talking to whom, how much, and using which protocols. This information is then put into a nice human-readable 2D image (various formats are available) which can be used to understand a network's topology.
      sudo aptitude install lanmap
      This will complete the installation.
      Using lanmap
      lanmap syntax:
      lanmap [-o directory] [-e program] [-T {png,gif,svg}] [-f filter] [-D {#,all,raw}] [-r seconds] [-i {?,*wildcard*,iface}] [-h] [-v] [-V]
      lanmap example:
      lanmap -i eth0 -r 30 -T png -o /tmp/
      This will create a lanmap.png file under the /tmp folder.
  12. You can see the same screen here. lanmap available options:
      -o directory - The directory in which to save the generated images. Default is the current directory.
      -e program - The program to use to generate images. Default is twopi.
      -T {png,gif,svg} - Output image format. Default is png.
      -f filter - Traffic filter, in libpcap syntax.
      -D {#,all,raw} - Debug mode; lots of output, use with caution. #: payload bytes to dump (default: 0)
      -r seconds - Set the time interval between 2 consecutive graph generations. Default is 60 seconds.
      -i {?,*wildcard*,iface} - Interface to use. ?: list all devices and exit. *3Com*: use the first NIC with "3Com" in it.
      -V - Version info.
      -v - Verbose mode, up to 3 levels (-v, -vv, -vvv).
      -h - Help message.

      SPIKE is written in C and exposes an API for quickly and efficiently developing network protocol fuzzers. SPIKE utilizes a novel technique for representing and thereafter fuzzing network protocols. Protocol data structures are broken down and represented as blocks, also referred to as a SPIKE, which contain both binary data and the block size. Block-based protocol representation allows for abstracted construction of various protocol layers with automatic size calculations. To better understand the block-based concept, consider the following simple example from the whitepaper "The Advantages of Block-Based Protocol Analysis for Security Testing":
  13. s_block_size_binary_bigendian_word("somepacketdata");
      s_block_start("somepacketdata");
      s_binary("01020304");
      s_block_end("somepacketdata");

      This basic SPIKE script (SPIKE scripts are written in C) defines a block named somepacketdata, pushes the four bytes 0x01020304 into the block and prefixes the block with the block length. In this case the block length would be calculated as 4 and stored as a big endian word. Note that most of the SPIKE API is prefixed with either s_ or spike_. The s_binary() API is used to add binary data to a block and is quite liberal with its argument format, allowing it to handle a wide variety of copied and pasted inputs such as the string "4141 \x41 0x41 41 00 41 00". Although simple, this example demonstrates the basics and overall approach of constructing a SPIKE. As SPIKE allows blocks to be embedded within other blocks, arbitrarily complex protocols can be easily broken down into their smallest atoms. Expanding on the previous example:

      s_block_size_binary_bigendian_word("somepacketdata");
      s_block_start("somepacketdata");
      s_binary("01020304");
      s_blocksize_halfword_bigendian("innerdata");
      s_block_start("innerdata");
      s_binary("00 01");
      s_binary_bigendian_word_variable(0x02);
      s_string_variable("SELECT");
      s_block_end("innerdata");
      s_block_end("somepacketdata");

      In this example, two blocks are defined, somepacketdata and innerdata. The latter block is contained within the former block and each individual block is prefixed with a size value. The newly defined innerdata block begins with a static two-byte value (0x0001), followed by a four-byte variable integer with a default value of 0x02, and finally a string variable with a default value of SELECT. The s_binary_bigendian_word_variable() and s_string_variable() APIs will loop through a predefined set of integer and string variables (attack heuristics), respectively, that have been known in the past to uncover security vulnerabilities.
      SPIKE will begin by looping through the possible word variable mutations and then move on to mutating the string variable. The true power of this framework is that SPIKE will automatically update the values for each of the size fields as the various mutations are made. To examine or expand the current list of fuzz variables, look at SPIKE/src/spike.c. Version 2.9 of the framework contains a list of almost 700 error-inducing heuristics.
      Using the basic concepts demonstrated in the previous example, you can begin to see how arbitrarily complex protocols can be modeled in this framework. A number of additional APIs and examples exist. Refer to the SPIKE documentation for further information. Sticking to the running example, the following code excerpt is from an FTP fuzzer distributed with SPIKE. This is not the best showcase of SPIKE's capabilities, as no blocks are actually defined, but it helps to compare apples with apples.
  14. s_string("HOST ");
      s_string_variable("");
      s_string("\r\n");
      s_string("USER ");
      s_string_variable("bob");
      s_string("\r\n");
      s_string("PASS ");
      s_string_variable("bob");
      s_string("\r\n");
      s_string("SITE ");
      s_string_variable("SEDV");
      s_string("\r\n");
      s_string("ACCT ");
      s_string_variable("bob");
      s_string("\r\n");
      s_string("CWD ");
      s_string_variable(".");
      s_string("\r\n");
      s_string("SMNT ");
      s_string_variable(".");
      s_string("\r\n");
      s_string("PORT ");
      s_string_variable("1");
      s_string(",");
      s_string_variable("2");
      s_string(",");
      s_string_variable("3");
      s_string(",");
      s_string_variable("4");
      s_string(",");
      s_string_variable("5");
      s_string(",");
      s_string_variable("6");
      s_string("\r\n");

      The Goals of SPIKE
      Find new vulnerabilities by
      ● Making it easy to quickly reproduce a complex binary protocol
      ● Developing a base of knowledge within SPIKE about different kinds of bug classes affecting similar protocols
      ● Testing old vulnerabilities on new programs
      ● Making it easy to manually mess with protocols
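      The block-and-size idea from the somepacketdata/innerdata example above, and the way SPIKE walks its heuristics while keeping every size field correct, can be shown in a few dozen lines. The following is an added example and is not SPIKE's own code (SPIKE is written in C): it re-implements the s_* calls used on the previous slides in Python, rebuilds the packet for each mutation so the size fields are recomputed, and uses tiny constructed heuristic lists in place of the ~700 entries in SPIKE/src/spike.c.

```python
"""A small re-implementation of SPIKE's block idea in Python.

Added example; this is not SPIKE's own code (SPIKE is written in C) and the
heuristic lists are tiny, constructed stand-ins for the ~700 entries in
SPIKE/src/spike.c. It rebuilds the packet for every mutation so that each
size field is recomputed automatically, which is the point the text makes.
"""
import struct


class Spike:
    """A FIFO byte buffer plus bookkeeping for blocks, size fields and
    fuzzable variables, mirroring the s_* calls used in the text."""

    def __init__(self, overrides=None):
        self.buf = bytearray()
        self.open_blocks = {}        # block name -> offset where it starts
        self.size_fields = []        # (offset, struct format, block name)
        self.var_kinds = []          # "int" or "str", in definition order
        self.overrides = overrides or {}   # variable index -> mutated value

    # --- data ---------------------------------------------------------
    def s_binary(self, text):
        # Liberal input like SPIKE: "01020304", "00 01", "\x41", "0x41".
        cleaned = text.replace("\\x", "").replace("0x", "").replace(" ", "")
        self.buf += bytes.fromhex(cleaned)

    def s_string(self, text):
        self.buf += text.encode()

    # --- fuzzable variables ------------------------------------------
    def _variable(self, kind, default):
        idx = len(self.var_kinds)
        self.var_kinds.append(kind)
        return self.overrides.get(idx, default)

    def s_string_variable(self, default):
        self.buf += self._variable("str", default).encode()

    def s_binary_bigendian_word_variable(self, default):
        self.buf += struct.pack(">I", self._variable("int", default) & 0xFFFFFFFF)

    # --- blocks and size fields --------------------------------------
    def s_block_size_binary_bigendian_word(self, name):
        self.size_fields.append((len(self.buf), ">I", name))
        self.buf += b"\0\0\0\0"           # placeholder, patched at block end

    def s_blocksize_halfword_bigendian(self, name):
        self.size_fields.append((len(self.buf), ">H", name))
        self.buf += b"\0\0"

    def s_block_start(self, name):
        self.open_blocks[name] = len(self.buf)

    def s_block_end(self, name):
        length = len(self.buf) - self.open_blocks.pop(name)
        for offset, fmt, block in self.size_fields:
            if block == name:
                struct.pack_into(fmt, self.buf, offset, length)


def build_packet(overrides=None):
    """The nested somepacketdata/innerdata example from the text."""
    sp = Spike(overrides)
    sp.s_block_size_binary_bigendian_word("somepacketdata")
    sp.s_block_start("somepacketdata")
    sp.s_binary("01020304")
    sp.s_blocksize_halfword_bigendian("innerdata")
    sp.s_block_start("innerdata")
    sp.s_binary("00 01")
    sp.s_binary_bigendian_word_variable(0x02)
    sp.s_string_variable("SELECT")
    sp.s_block_end("innerdata")
    sp.s_block_end("somepacketdata")
    return bytes(sp.buf), sp.var_kinds


# Constructed stand-ins for SPIKE's heuristics: boundary integers and
# over-long / format-string style inputs that length fields must track.
INT_HEURISTICS = [0x02, 0, 0x7FFFFFFF, 0xFFFFFFFF]
STR_HEURISTICS = ["SELECT", "A" * 64, "%n%n%n%n", "../../../"]


def fuzz_cases():
    """Yield (variable index, value, packet) for every mutation, walking the
    integer variable first and then the string variable, as SPIKE does."""
    _, kinds = build_packet()
    for idx, kind in enumerate(kinds):
        for value in (INT_HEURISTICS if kind == "int" else STR_HEURISTICS):
            packet, _ = build_packet({idx: value})
            yield idx, value, packet


if __name__ == "__main__":
    base, _ = build_packet()
    print(base.hex())    # size fields 00000012 and 000c computed automatically
    for idx, value, pkt in fuzz_cases():
        print(idx, repr(value)[:20], pkt[:4].hex(), pkt[8:10].hex(), len(pkt))
```

      With the defaults the outer size word is 0x12 (18 bytes) and the inner halfword is 0x0c (12 bytes); substituting the 64-byte string for SELECT makes them 0x4c and 0x46 without any change to the script, which is exactly the bookkeeping a hand-written fuzzer gets wrong.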
  15. How the SPIKE API works
      ● Unique SPIKE data structure supports lengths and blocks: s_block_start(), s_block_end(), s_blocksize_halfword_bigendian();
      ● SPIKE utility routines make dealing with binary data, network code, and common marshalling routines easy: s_xdr_string()
      ● SPIKE fuzzing framework automates iterating through all potential problem spots: s_string("Host: "); s_string_variable("localhost");
      ● A SPIKE is a kind of First In First Out Queue or "Buffer Class"
      ● A SPIKE can automatically fill in "length fields": s_size_string("post",5); s_block_start("Post"); s_string_variable("user=bob"); s_block_end("post");

      Httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. Httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.
      Source: Httprint
      To get the CLI use:
      Code:
      # cd /pentest/enumeration/www/httprint_301/linux
  16. # httprint
      Now, first things first, you should probably go ahead and update your "Signature File". It will usually be in:
      Code:
      /pentest/enumeration/www/httprint_301/linux
      Look for signatures.txt. To update, just go to signatures and do a "save as"; make sure you use a .txt extension, overwriting the one we found earlier.
      Next let's get the input.txt file and set it up (it's located in the same place as before). This is the second file that we want to work with, so open it up using your favorite text editor. You should see something like:
      Code:
      # inputs for httprint can be:
      # - individual IP addresses (default port 80)
      # - http://servername:[port]/
      # - https://servername:[port]/
      # - IP ranges xx.xx.xx.xx-yy.yy.yy.yy
      #http://www.apache DOT org/

      dsniff - password sniffer
      The ability to access the raw packets on a network interface (known as network sniffing) has long been an important tool for system and network administrators. For debugging purposes it is often helpful to look at the network traffic down to the wire level to see exactly what is being transmitted. Dsniff, as the name implies, is a network sniffer - but designed for testing of a different sort. dsniff is a package of utilities that includes code to parse many different application protocols and extract interesting information, such as usernames and passwords, web pages being visited, contents of email, and more. Additionally, it can be used to defeat the normal behaviour of switched networks and cause network traffic from other hosts on the same network segment to be visible, not just traffic involving the host dsniff is running on.
  17. It also includes new programs to launch man-in-the-middle attacks on the SSH and HTTPS protocols, which would allow viewing of the traffic unencrypted, and even the possibility of taking over interactive SSH sessions.
      Synopsis
      dsniff [-c] [-d] [-m] [-n] [-i interface | -p pcapfile] [-s snaplen] [-f services] [-t trigger[,...]] [-r|-w savefile] [expression]
      Description
      Options:
      -c   Perform half-duplex TCP stream reassembly, to handle asymmetrically routed traffic (such as when using arpspoof(8) to intercept client traffic bound for the local gateway).
      -d   Enable debugging mode.
      -m   Enable automatic protocol detection.
      -n   Do not resolve IP addresses to hostnames.
      -i interface   Specify the interface to listen on.
      -p pcapfile   Rather than processing the contents of packets observed upon the network, process the given PCAP capture file.
      -s snaplen   Analyze at most the first snaplen bytes of each TCP connection, rather than the default of 1024.
      -f services   Load triggers from a services file.
      -t trigger[,...]   Load triggers from a comma-separated list, specified as port/proto=service (e.g. 80/tcp=http).
      -r savefile
  18. Read sniffed sessions from a savefile created with the -w option.
      -w file   Write sniffed sessions to savefile rather than parsing and printing them out.
      expression   Specify a tcpdump(8) filter expression to select traffic to sniff.
      On a hangup signal dsniff will dump its current trigger table.
      Files: default trigger table; /etc/dsniff/dsniff.magic (network protocol magic).
      Dsniff contains several powerful new network tools, written for use in penetration testing. Arpredirect is a very effective way of sniffing traffic on a switch by forging ARP replies. Findgw determines the local gateway of an unknown network via passive sniffing, which can be used in conjunction with arpredirect to intercept all outgoing traffic on a switch. Macof floods the network with random MAC addresses, causing some switches to fail into open repeating mode, facilitating sniffing. Dsniff is a simple password sniffer which parses passwords from many protocols, only saving the "interesting" bits. Mailsnarf is a fast and easy way to violate the Electronic Communications Privacy Act of 1986. urlsnarf outputs all requested URLs from HTTP traffic. webspy sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically).
      Bluetooth is meant to be a wireless replacement for some of the functions USB fulfills, and Wi-Fi is more of a wireless replacement for Ethernet. Many high-end phones, laptops, PDAs, car stereos and other electronics are being shipped with Bluetooth capability so they can communicate
      root@slax:~# hciconfig hci0 up
      root@slax:~# hciconfig
      hci0: Type: USB
      BD Address: 00:0A:3A:52:69:8C ACL MTU: 192:8 SCO MTU: 64:8
      UP RUNNING PSCAN ISCAN
      RX bytes:148 acl:0 sco:0 events:17 errors:0
      TX bytes:65 acl:0 sco:0 commands:17 errors:0
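      Both of the switch tricks described above (arpredirect forging ARP replies, macof flooding the segment with random MAC addresses) leave a footprint that a host or a monitoring port can see. The following is an added example, not part of the manual or of the dsniff package: it runs two simple detectors over a constructed list of ARP replies (documentation addresses, no sniffing performed), one for an IP address suddenly answered by a different MAC and one for an implausible number of distinct sender MACs inside a short window.

```python
"""Detecting two of the dsniff tricks described above from ARP traffic.

Added example, not part of the manual or of dsniff. The ARP records are
constructed in memory (no sniffing is done) so the checks run offline;
addresses are from documentation ranges.
"""
from collections import defaultdict

# Constructed ARP replies seen on one segment: (seconds, sender IP, sender MAC).
BASELINE = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),    # the real gateway
    (1.0, "192.0.2.20", "00:11:22:33:44:20"),   # an ordinary host
    (2.5, "192.0.2.1", "00:11:22:33:44:99"),    # a second MAC claims the gateway IP
    (3.0, "192.0.2.1", "00:11:22:33:44:99"),
]
# A burst of replies from 60 different MACs within 0.6 s (the pattern a
# macof-style flood produces on a switch).
FLOOD = [(10.0 + k * 0.01, f"198.51.100.{k}", f"02:00:00:00:00:{k:02x}")
         for k in range(60)]
ARP_LOG = BASELINE + FLOOD


def detect_ip_mac_conflicts(log):
    """Flag an IP that is announced by a MAC other than the one(s) seen before;
    forged replies (arpredirect) produce exactly this conflict. Returns a list
    of (time, ip, previously_seen_macs, new_mac)."""
    seen = defaultdict(set)
    alerts = []
    for t, ip, mac in sorted(log):
        if seen[ip] and mac not in seen[ip]:
            alerts.append((t, ip, sorted(seen[ip]), mac))
        seen[ip].add(mac)
    return alerts


def detect_mac_flood(log, window_s=1.0, threshold=50):
    """Flag the first window in which the number of distinct sender MACs
    exceeds what one access segment plausibly has. Returns [(start, count)]
    or [] if no window crosses the threshold."""
    log = sorted(log)
    for i, (t0, _, _) in enumerate(log):
        macs = set()
        for t, _, mac in log[i:]:
            if t - t0 > window_s:
                break
            macs.add(mac)
        if len(macs) >= threshold:
            return [(t0, len(macs))]
    return []


if __name__ == "__main__":
    for alert in detect_ip_mac_conflicts(ARP_LOG):
        print("ARP conflict:", alert)
    for alert in detect_mac_flood(ARP_LOG):
        print("MAC flood:", alert)
```

      The conflict check is what tools such as arpwatch do; a legitimate gateway failover also triggers it, so the alert is a prompt to look, not proof of an attack. Static ARP entries for the gateway, port security on the switch and DHCP snooping with dynamic ARP inspection are the usual mitigations for both patterns.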
  19. root@slax:~#
      root@slax:~# hcitool scan
      Scanning ...
      00:02:72:CA:14:6D   TestTop
      root@slax:~#

      3proxy is a universal proxy server. It can be used to provide internal users with fully controllable access to external resources or to provide external users with access to internal resources. 3proxy is not developed to replace squid(8), but it can extend the functionality of an existing caching proxy. It can be used to route requests between different types of clients and proxy servers. Think about it as an application level gateway with configuration like a hardware router has for the network layer. It can establish multiple gateways with HTTP and HTTPS proxy with FTP over HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP portmappers. Each gateway is started from the configuration file like the independent services proxy(8), socks(8), pop3p(8), tcppm(8), udppm(8), ftppr(8), dnspr, but 3proxy is not a kind of wrapper or superserver for these daemons. It just has the same code compiled in, but provides much more functionality. The SOCKSv5 implementation allows 3proxy to be used with any UDP or TCP based client application designed without proxy support (with SocksCAP, FreeCAP or another client-side redirector under Windows, or with a socksification library under Unix). So you can play your favourite games, listen to music, exchange files and messages and even accept incoming connections behind the proxy server.
      dnspr does not exist as an independent service. It is a DNS caching proxy (it requires nscache and nserver to be set in the configuration). Only A-records are cached. Please note that this caching is mostly a hack and has nothing to do with a real DNS server, but it works perfectly for SOHO networks.
      3proxy supports access control lists (ACL) like a network router. Source and destination networks and destination port can be specified. In addition, usernames and gateway action (for example GET or POST) can be used in ACLs. In order to filter requests on a username basis, the user must be authenticated somehow.
      There are a few authentication types, including password authentication and authentication by NetBIOS name for Windows clients (it's very like ident authentication). Depending on the ACL action, a request can be allowed, denied or redirected to another host or to another proxy server, or even to a chain of proxy servers.
      It supports different types of logging: to logfiles, syslog(3) (only under Unix) or to an ODBC database. The logging format is tunable to provide compatibility with existing log file parsers. It makes it possible to use 3proxy with IIS, ISA, Apache or Squid log parsers.
      OPTIONS
      config_file
  20. Name of config file. See 3proxy.cfg(3) for the configuration file format. Under Windows, if config_file is not specified, 3proxy looks for a file named 3proxy.cfg in the default location (in the same directory as the executable file and in the current directory). Under Unix, if no config file is specified, 3proxy reads configuration from stdin. This makes it possible to use the 3proxy.cfg file as an executable script just by setting +x mode and adding #!/usr/local/3proxy/3proxy as the first line in 3proxy.cfg.
      --install   (Windows NT family only) install 3proxy as a system service
      --remove   (Windows NT family only) remove 3proxy from system services
      SIGNALS
      Under Unix there are a few signals 3proxy catches. See kill(1).
      SIGTERM   cleanup connections and exit
      SIGPAUSE   stop accepting new connections; on a second signal, start and re-read configuration
      SIGCONT   start accepting new connections
      SIGUSR1   reload configuration
      Under Windows, if 3proxy is installed as a service you can use standard service management to start, stop, pause and continue the 3proxy service, for example:
      net start 3proxy
      net stop 3proxy
      net pause 3proxy
      net continue 3proxy
      The web admin service can also be used to reload configuration. Use wget to automate this task.
      FILES
      /usr/local/3proxy/3proxy.cfg (3proxy.cfg)   3proxy configuration file
      How to open ports:
      socks -p28800

      Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and
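      The ACL model described above (source network, destination network, destination port, user name, and an allow / deny / redirect action, with authentication required before a user-based rule can match) is worth seeing as a first-match evaluator. The following is an added example, not code from the manual or from 3proxy: the rule format is invented for illustration and is NOT 3proxy's configuration syntax (see 3proxy.cfg(3) for that); the rule set and addresses are constructed.

```python
"""First-match ACL evaluation of the kind the 3proxy description lists:
source network, destination network, destination port, user name and an
allow / deny / redirect action.

Added example: the rule format is invented for illustration and is NOT
3proxy's configuration syntax; see 3proxy.cfg(3) for that.
"""
import ipaddress

# Constructed rule set, evaluated top to bottom; the first match decides.
# "users": None means the rule applies to any (even unauthenticated) client.
ACL = [
    {"action": "deny", "users": None,
     "src": "10.0.0.0/8", "dst": "192.0.2.0/24", "ports": {25}},
    {"action": "redirect", "users": {"alice"},
     "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "ports": {80, 443},
     "target": "proxy2.example.test:3128"},
    {"action": "allow", "users": {"alice", "bob"},
     "src": "10.0.0.0/8", "dst": "0.0.0.0/0", "ports": {80, 443}},
]


def rule_matches(rule, user, src, dst, port):
    """True when every field of the rule matches the request."""
    if rule["users"] is not None and user not in rule["users"]:
        return False      # user-based rules need an authenticated name
    if port not in rule["ports"]:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))


def evaluate(acl, user, src, dst, port, default="deny"):
    """Return (action, redirect_target_or_None) for one request. A request
    that matches no rule falls through to `default`; denying by default is
    the safe choice for a gateway that fronts internal resources."""
    for rule in acl:
        if rule_matches(rule, user, src, dst, port):
            return rule["action"], rule.get("target")
    return default, None


if __name__ == "__main__":
    requests = [
        ("bob", "10.1.2.3", "192.0.2.5", 25),       # SMTP to the DMZ: denied
        ("alice", "10.1.2.3", "203.0.113.9", 80),   # alice's web: redirected
        ("bob", "10.1.2.3", "203.0.113.9", 443),    # bob's web: allowed
        (None, "10.1.2.3", "203.0.113.9", 443),     # unauthenticated: default
        ("bob", "172.16.0.1", "203.0.113.9", 80),   # wrong source net: default
    ]
    for req in requests:
        print(req, "->", evaluate(ACL, *req))
```

      Two details matter in practice: rule order (the deny on port 25 must precede the broad allow, or it never fires) and the fall-through default, which should be deny so that a client who has not authenticated gets nothing rather than everything.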
  21. exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
      As a powerful back-end tool it also lets a user hide his IP and establish a connection a victim would not know about. A hacker would also be able to run commands on your computer through the connection. If you look through the features of Cryptcat listed in this article again, you will find out that it can easily switch ports and slow down the data sending process, so that you will never get an idea of being hacked, until you find out that, perhaps, your passwords, account information and credit-card numbers are stolen. To sum up, Cryptcat is a powerful networking tool with almost unlimited performance capabilities. On the one hand, it can provide security and save your information, but on the other hand any experienced hacker has it installed. And not only for security purposes.
      Cryptcat is the standard netcat enhanced with twofish encryption.
      Machine A: cryptcat -l -p 1234 < testfile
      Machine B: cryptcat <machine A IP> 1234
      This is identical to the normal netcat options for doing exactly the same thing. However, in this case the data transferred is encrypted.
      Vulnerability Note VU#165099 - cryptcat does not encrypt data communications when the -e command argument is used.
      Encrypting Data with Cryptcat
      Cryptcat has the same syntax and functions as netcat. Encrypted data transfer. Encrypting files means that:
      ● An attacker's sniffer cannot compromise your information (unless your passphrase is compromised).
      ● Encryption nearly eliminates the risk of data contamination or injection.
      Name
      Synopsis
      cryptcat -k secret [-options] hostname port[s] [ports]
      cryptcat -k secret -l -p port [-options] [hostname] [port]
  22. Description
      Cryptcat can act as a TCP or UDP client or server - connecting to or listening on a socket, while otherwise working as the standard Unix command cat(1). cryptcat takes a password as a salt to encrypt the data being sent over the connection. Without a specified password cryptcat will default to the hardcoded password ‘‘metallica’’. Needless to say, failure to specify a different password makes the connection as good as unencrypted.
      Options
      This program does not follow the usual GNU command line syntax, with long options starting with two dashes (‘--’). A summary of the options specific to cryptcat is included below.
      -h   Show summary of options.
      -k secret password   Change the shared secret password to be used to establish a connection.
      Bugs
      This version of cryptcat does not support the -e command command line option available in some versions of nc.