Information Gathering Tools

From Embedded Lab Vienna for IoT & Security
Revision as of 05:58, 21 June 2021 by VHorvathova

Summary

This is a draft. It compares the information gathering tools preinstalled in Kali Linux and the differences to ParrotOS. This document is NOT documentation of the tools; it is merely a comparison and practical evaluation of the tools for an average security specialist or a security newbie who wants to start using them.

Requirements

  • Operating system: Kali Linux 2021.1 amd64, Parrot Security 4.10 amd64

Disclaimer: all examples and tests were done in VMware, in a Kali Linux and a ParrotOS VM.

Tools

Nmap

Category: Information Gathering - Network & Port Scanners
Nmap is known as a very powerful tool for information gathering and vulnerability scanning. It offers a wide range of options, for example host discovery, port scans (TCP SYN/connect, UDP, IP protocol, ...), service/version detection, OS detection, firewall/IDS evasion and spoofing, and script scanning (NSE). Since this is not meant to be full documentation of the tools but an evaluation overview: compared to the other tools in this category, Nmap is the one main tool that most of the secondary tools build on, and it is very powerful. See the following tools for some comparisons and Nmap examples.

Conclusion: If your goal is a network scan to determine live hosts, open ports, the services behind those ports or the operating systems of the hosts, this is the way to go. It is fast and efficient (the speed depends on the range of hosts and ports scanned, and on whether version/OS detection is enabled). The other tools that deliver these results run Nmap under the hood anyway, Legion for example.
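The two-stage workflow the text recommends (find live hosts first, then scan only those) and a small parser for Nmap's grepable output, as an added example that is not part of the original page. The Nmap flags are real; the -oG text in sample_gnmap() is constructed to mirror the scan of 192.168.0.130 shown further down in the DMitry comparison, so the parser can be exercised without running Nmap.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the two-stage Nmap workflow
# (discover live hosts, then scan only those) and a parser for Nmap's
# grepable output (-oG), so open ports can be handed to other tools.
# The Nmap flags are real; the -oG text in sample_gnmap() is constructed.

# Stage 1: host discovery only (-sn = no port scan). With sudo on a local
# subnet Nmap uses ARP, like Netdiscover, and also reports MAC and vendor.
live_hosts() {  # usage: live_hosts <cidr>   -> live IPs, one per line
  sudo nmap -sn -oG - "$1" | awk '/Status: Up/ {print $2}'
}

# Stage 2: version (-sV) and OS (-O) detection on the discovered hosts only,
# saved in all three formats (<prefix>.nmap/.gnmap/.xml) with -oA.
scan_hosts() {  # usage: scan_hosts <outprefix> <ip>...
  local out="$1"; shift
  sudo nmap -sV -O -oA "$out" "$@"
}

# Reduce -oG text (stdin) to "ip port/proto service" lines, open ports only.
# A -oG Ports entry looks like: port/state/proto/owner/service/rpc/version/
open_ports() {
  awk -F'\t' '
    /Ports:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      ports = $2; sub(/^Ports: /, "", ports)
      n = split(ports, entry, /, /)
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
      }
    }'
}

# Constructed -oG sample (tabs are significant, hence printf): the four open
# ports of 192.168.0.130 from the DMitry/Nmap comparison on this page, plus
# one closed port to show that non-open states are dropped.
sample_gnmap() {
  printf 'Host: 192.168.0.130 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.130 ()\tPorts: 23/open/tcp//telnet///, 554/open/tcp//rtsp///, 843/open/tcp//unknown///, 5001/open/tcp//commplex-link///, 80/closed/tcp//http///\tIgnored State: closed (995)\n'
}

# Real use:  scan_hosts lan $(live_hosts 192.168.0.0/24); open_ports < lan.gnmap
sample_gnmap | open_ports
```

Feeding the live-host list into the second stage keeps the slow -sV/-O probes off the 240-odd empty addresses of a /24, which is where the "several hours" for a whole-subnet OS scan go.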

For more information please refer to the full tool documentation.

Spiderfoot

Category: Information Gathering - OSINT
This is a reconnaissance framework with many modules for information gathering, working on the OSINT principle. You get a web GUI by starting the framework listening on a local port and opening that address in a browser:
$ spiderfoot -l 127.0.0.1:5001
You can then set up a new scan and give the program a target: a domain/sub-domain name, IPv4 or IPv6 address, hostname, subnet, ASN, e-mail address, phone number, a person's real name or a username. This gives a really wide spectrum of options, some of which are demonstrated below.

Scan of www.fh-campuswien.ac.at with the full scan profile, which tries to "get anything and everything about the target":

Execution takes a fairly long time, depending on the size of the target and the amount of information available on the internet about it. This specific scan took several hours to complete and collect all information.
Results:

Conclusion:

For more information please refer to the full tool documentation.

Legion

Category: Information Gathering - general
Legion is a GUI network penetration testing framework with many options. It automatically detects CVEs (via Vulners) and wraps nmap, whatweb, webslayer, sslyze, SMB enumeration, dirbuster, nikto, Hydra and other additional scripts. A run takes up to a couple of minutes. A demonstration:

scan www.fh-campuswien.ac.at
  • Results of Legion Scan on www.fh-campuswien.ac.at

No CVEs were found.
Below is a comparison with the Metasploitable2 machine in the same subnet, which shows how the vulnerabilities are displayed for an actually weak system:

  • Results of Legion Scan on Metasploitable2 VM

It is safe to say that it is a very powerful and useful tool, also very user friendly and quite fast. It is maybe not the best choice for domains on the internet, because there it won't offer much more than nmap and a whois lookup, but the Metasploitable2 output, i.e. the scan of a server, shows how much information it can present. The Hydra integration also lists the cracked passwords among the vulnerabilities, which is very useful.

Conclusion: Overall definitely a recommended tool: nice GUI, works quickly and efficiently, very well arranged and easy to navigate.

For more information please refer to the full official Legion Framework website.

DMitry

Category: Information Gathering - general
DMitry (Deepmagic Information Gathering Tool) is a CLI tool that gathers information about a host: possible subdomains, uptime information, a TCP port scan, e-mail addresses, whois lookups etc. It is mostly used to reveal information about the owner or host of a web page that is available through search engines, e.g. as preparation for social engineering attacks.
When using the port scan option (-p), the results show fewer open ports than the same TCP scan with nmap:
DMitry:

HostIP:192.168.0.130
HostName:
Gathered TCP Port information for 192.168.0.130
Port           State
23/tcp          open
Portscan Finished: Scanned 150 ports, 148 ports were in state closed

Nmap:

Nmap scan report for 192.168.0.130
Host is up (0.20s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
554/tcp  open  rtsp
843/tcp  open  unknown
5001/tcp open  commplex-link
MAC Address: 7C:DD:90:AF:4E:7D (Shenzhen Ogemray Technology)
Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds

The difference is the scanned range: DMitry scanned only 150 ports (1-150 by default), whereas nmap's default scan covers the 1000 most common ports, so 554, 843 and 5001 lie outside DMitry's range. To look up a domain, you need either its IP or its domain name.
The whois lookup, on the other hand, gives some nice, useful results. Below is the output of dmitry -w www.fh-campuswien.ac.at on the website of FH Campus Wien (www.fh-campuswien.ac.at); it is exactly the same output as if you typed whois fh-campuswien.ac.at:

HostIP:91.213.77.62
HostName:www.fh-campuswien.ac.at
Gathered Inic-whois information for fh-campuswien.ac.at
---------------------------------
domain:         fh-campuswien.ac.at
registrar:      
registrant:     FCW1942152-NICAT
admin-c:        
tech-c:         NLTU11579014-NICAT
nserver:        ns.nextlayer.at
remarks:        81.16.150.30
nserver:        ns2.nextlayer.at
remarks:        81.16.151.30
changed:        20171003 19:16:08
source:         AT-DOM
personname:     
organization:   fh campus wien
street address: Favoritenstrasse 226
postal code:    A-1100
city:           Vienna
country:        Austria
phone:          +43160668771000
fax-no:         +43160668771009
e-mail:         office@fh-campuswien.ac.at
nic-hdl:        FCW1942152-NICAT
changed:        20100323 17:12:46
source:         AT-DOM
personname:     Hostmaster Hostmaster
organization:   next layer Telekommunikationsdienstleistungs- und BeratungsGmbH
street address: Mariahilfer Guertel 37- 7
postal code:    1150
city:           Vienna
country:        Austria
phone:          +43517649
e-mail:         hostmaster@nextlayer.at
nic-hdl:        NLTU11579014-NICAT
changed:        20170929 13:17:54
source:         AT-DOM


Conclusion: Overall a nice tool, useful for beginners who have no experience with the basic tools yet. For an experienced IT security specialist, however, nmap and whois themselves are the better choice: they give the same output and offer far more options. One drawback is that in our setup whois had to be installed separately, whereas DMitry is in the preinstalled set of tools. As a port scanner DMitry is fairly insufficient (only 150 ports). The tool is fairly outdated nowadays, although it used to be very good a few years ago; there are better alternatives now.

For more information please refer to the full tool documentation.

Recon-ng

Category: Information Gathering - general

Maltego

Category: Information Gathering - OSINT

Netdiscover

Category: Information Gathering - Route Analysis
This is another reconnaissance tool, used for host discovery on wireless and switched networks. You can scan the subnet your device is connected to, at home or at work. It works with ARP and detects hosts either actively, by sending ARP requests, or in passive mode (-p), only by sniffing ARP traffic.
If Nmap is too much for a given moment and you just want to see quickly who is on your network, this is the way to go. Below is a comparison of Netdiscover on a local subnet, with a very well-arranged output, and nmap, which in some situations gives too much:

$ netdiscover -r 192.168.0.0/24
20 Captured ARP Req/Rep packets, from 16 hosts.   Total size: 1200                                                                                                                      
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.0.1     00:xx:xx:xx:xx:c2      2     120  Cisco Systems, Inc                                                                                                                    
192.168.0.9     00:xx:xx:xx:xx:a9      1      60  Weinzierl Engineering GmbH                                                                                                            
192.168.0.10    50:xx:xx:xx:xx:c7      1      60  Loxone Electronics GmbH                                                                                                               
192.168.0.80    54:xx:xx:xx:xx:a0      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.                                                                                        
192.168.0.81    18:xx:xx:xx:xx:50      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.                                                                                        
192.168.0.82    54:xx:xx:xx:xx:ff      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.                                                                                        
192.168.0.83    28:xx:xx:xx:xx:27      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.                                                                                        
192.168.0.84    18:xx:xx:xx:xx:d7      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.                                                                                        
192.168.0.101   48:xx:xx:xx:xx:2e      1      60  ZENNIO AVANCE Y TECNOLOGIA, S.L.                                                                                                      
192.168.0.102   00:xx:xx:xx:xx:bb      1      60  VMware, Inc.                                                                                                                          
192.168.0.109   fc:xx:xx:xx:xx:f9      4     240  Ubiquiti Networks Inc.                                                                                                                
192.168.0.112   04:xx:xx:xx:xx:a5      1      60  ASUSTek COMPUTER INC.                                                                                                                 
192.168.0.132   00:xx:xx:xx:xx:d4      1      60  VMware, Inc.                                                                                                                          
192.168.0.149   c4:xx:xx:xx:xx:48      1      60  Hewlett Packard                                                                                                                       
192.168.0.172   8c:xx:xx:xx:xx:eb      1      60  Apple, Inc.                                                                                                                           
192.168.0.195   f2:xx:xx:xx:xx:3a      1      60  Unknown vendor   

To get the same information from Nmap, you would first need a host discovery scan (-sP is the old spelling of -sn and is still accepted):

$ nmap -sP 192.168.0.0/24                                                                                                                                                         
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-20 16:34 CEST
Nmap scan report for 192.168.0.1    Host is up (0.0051s latency).
Nmap scan report for 192.168.0.10   Host is up (0.00058s latency).
Nmap scan report for 192.168.0.80   Host is up (0.00034s latency).
Nmap scan report for 192.168.0.81   Host is up (0.0018s latency).
Nmap scan report for 192.168.0.82   Host is up (0.0017s latency).
Nmap scan report for 192.168.0.83   Host is up (0.0037s latency).
Nmap scan report for 192.168.0.84   Host is up (0.0019s latency).
Nmap scan report for 192.168.0.101  Host is up (0.00045s latency).
Nmap scan report for 192.168.0.102  Host is up (0.00018s latency).
Nmap scan report for 192.168.0.107  Host is up (0.00021s latency).
Nmap scan report for 192.168.0.109  Host is up (0.00049s latency).
Nmap scan report for 192.168.0.132  Host is up (0.00033s latency).
Nmap scan report for 192.168.0.172  Host is up (0.089s latency).
Nmap done: 256 IP addresses (13 hosts up) scanned in 2.42 seconds

Only then can you scan each live host separately for hostname/OS/MAC address with sudo nmap -O <IP address>; scanning the whole subnet with -O at once takes far longer and is not recommended for a quick look. Note that the nmap -sP run above was unprivileged, so Nmap probed with TCP packets instead of ARP; hosts that drop those probes (192.168.0.9, .112, .149 and .195 in the Netdiscover table) are missed and no MAC addresses are shown. Run sudo nmap -sn 192.168.0.0/24 on a local subnet and Nmap uses ARP just like Netdiscover, printing MAC address and vendor for each host. For a quick sweep, Nmap is possibly the inferior option here and is better used once you want to find out more about each host, its ports etc.
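A comparison of the two host lists above, as an added example that is not part of the original page: it extracts the IPs from the Netdiscover table and from the nmap -sP output and prints the hosts that only one of the two methods found. The two samples are the outputs printed earlier in this section, embedded as text (the nmap sample is trimmed to its "scan report" lines); nothing is sent on the network.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: show which hosts ARP-based
# discovery (Netdiscover) and an unprivileged nmap -sP sweep each missed.
# Both samples are the outputs shown on this page, embedded as text.

netdiscover_out() {
  cat <<'EOF'
 20 Captured ARP Req/Rep packets, from 16 hosts.   Total size: 1200
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.0.1     00:xx:xx:xx:xx:c2      2     120  Cisco Systems, Inc
 192.168.0.9     00:xx:xx:xx:xx:a9      1      60  Weinzierl Engineering GmbH
 192.168.0.10    50:xx:xx:xx:xx:c7      1      60  Loxone Electronics GmbH
 192.168.0.80    54:xx:xx:xx:xx:a0      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.
 192.168.0.81    18:xx:xx:xx:xx:50      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.
 192.168.0.82    54:xx:xx:xx:xx:ff      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.
 192.168.0.83    28:xx:xx:xx:xx:27      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.
 192.168.0.84    18:xx:xx:xx:xx:d7      1      60  Hangzhou Hikvision Digital Technology Co.,Ltd.
 192.168.0.101   48:xx:xx:xx:xx:2e      1      60  ZENNIO AVANCE Y TECNOLOGIA, S.L.
 192.168.0.102   00:xx:xx:xx:xx:bb      1      60  VMware, Inc.
 192.168.0.109   fc:xx:xx:xx:xx:f9      4     240  Ubiquiti Networks Inc.
 192.168.0.112   04:xx:xx:xx:xx:a5      1      60  ASUSTek COMPUTER INC.
 192.168.0.132   00:xx:xx:xx:xx:d4      1      60  VMware, Inc.
 192.168.0.149   c4:xx:xx:xx:xx:48      1      60  Hewlett Packard
 192.168.0.172   8c:xx:xx:xx:xx:eb      1      60  Apple, Inc.
 192.168.0.195   f2:xx:xx:xx:xx:3a      1      60  Unknown vendor
EOF
}

# nmap -sP output from this page, trimmed to the lines the parser needs.
nmap_out() {
  cat <<'EOF'
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-20 16:34 CEST
Nmap scan report for 192.168.0.1
Nmap scan report for 192.168.0.10
Nmap scan report for 192.168.0.80
Nmap scan report for 192.168.0.81
Nmap scan report for 192.168.0.82
Nmap scan report for 192.168.0.83
Nmap scan report for 192.168.0.84
Nmap scan report for 192.168.0.101
Nmap scan report for 192.168.0.102
Nmap scan report for 192.168.0.107
Nmap scan report for 192.168.0.109
Nmap scan report for 192.168.0.132
Nmap scan report for 192.168.0.172
Nmap done: 256 IP addresses (13 hosts up) scanned in 2.42 seconds
EOF
}

# IPs from a Netdiscover table: data rows start with an IPv4 address.
arp_hosts() { awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1}'; }

# IPs from nmap -sn/-sP output; also handles "for name (ip)" when rDNS works.
nmap_hosts() {
  awk '/^Nmap scan report for/ { h = $5; if ($6 ~ /^\(/) h = $6; gsub(/[()]/, "", h); print h }'
}

# missing_from "<list a>" "<list b>": lines of a that are absent from b.
# comm needs sorted input, so both lists go through sort via temp files.
missing_from() {
  local tmp; tmp=$(mktemp -d)
  printf '%s\n' "$1" | sort > "$tmp/a"
  printf '%s\n' "$2" | sort > "$tmp/b"
  comm -23 "$tmp/a" "$tmp/b"
  rm -rf "$tmp"
}

arp_list=$(netdiscover_out | arp_hosts)
nmap_list=$(nmap_out | nmap_hosts)
echo "seen by ARP only (unprivileged nmap -sP missed them):"; missing_from "$arp_list" "$nmap_list"
echo "seen by nmap only (absent from the ARP capture):";       missing_from "$nmap_list" "$arp_list"
```

Four hosts answer ARP but not the TCP probes of an unprivileged sweep, and one (192.168.0.107) answered Nmap but sent no ARP traffic during the short Netdiscover capture, which is why a quick initial sweep is best done with both methods, or with sudo nmap -sn so that Nmap falls back to ARP itself.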

Conclusion: Definitely a useful tool for an initial scan, or when you don't know exactly which range to look at, since it is very fast. If you just want to find live hosts and their IPs in a big range, this is a good option. Nmap offers live host discovery as well, and with the port scan turned off (-sn) it is much faster than Netdiscover's active scan. Netdiscover combines several of Nmap's options by showing IPs, MACs and vendors in one table and is easy to use, without having to read Nmap's extensive documentation in the hope of finding the correct options for a simple initial scan.

For more information please refer to the full tool documentation.

Ike-scan

Category: Information Gathering - general
Ike-scan is useful against IPsec VPN endpoints. To explain this a little, first we should know what IKE is: the Internet Key Exchange protocol, which is used by IPsec; the majority of IPsec VPNs use IKE for key exchange. Ike-scan discovers, tests and fingerprints IPsec VPN systems: it sends IKE phase 1 packets to the target and displays the received responses. To test this, we need a target that we are certain uses IKE. We took an IP address found through www.shodan.io, where searching for the keyword "IKE" lists targets that satisfy this condition. For the demonstration we chose the IP 110.142.206.85, which should be a VPN in Melbourne, Australia.

$ ike-scan 110.142.206.85
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
110.142.206.85  Main Mode Handshake returned HDR=(CKY-R=49cc50cbfcf85509) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=dbfb81eb5760b0788562067da102d755 VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.356 seconds (2.81 hosts/sec).  1 returned handshake; 0 returned notify

This returns the Main Mode handshake and shows the accepted security association (encryption, hash, Diffie-Hellman group, authentication method, lifetime) and the vendor IDs, which hint at the implementation (here XAUTH, Dead Peer Detection and Cisco Unity). The following scan additionally tries to fingerprint the IKE implementation by its retransmission back-off pattern (--showbackoff), which is why it takes about a minute; in addition to the previous output it shows the following:

$ ike-scan --showbackoff -v -v 110.142.206.85
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
---     Sending packet #1 to host entry 1 (110.142.206.85) tmo 500000 us
---     Received packet #1 from 110.142.206.85
---     Removing host entry 1 (110.142.206.85) - Received 152 bytes
IKE Backoff Patterns:                                                                                                                                                              
IP Address      No.     Recv time               Delta Time                                                                                                                                
110.142.206.85  1       1624204029.790995       0.000000                                                                                                                                  
110.142.206.85  Implementation guess: Linksys Etherfast
Ending ike-scan 1.9.4: 1 hosts scanned in 60.426 seconds (0.02 hosts/sec).  1 returned handshake; 0 returned notify

It is also possible to request the so-called Aggressive Mode (-A; the default is Main Mode), a 3-message exchange in which the VPN responder sends a hash computed from the pre-shared key (PSK) unencrypted. If you capture that hash (ike-scan -A -P saves it in psk-crack format), you can use psk-crack for an offline dictionary or brute-force attack and try to recover the PSK.
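The following is an added example, not code from the original page or from the ike-scan project: it pulls the negotiated phase 1 parameters out of the handshake line ike-scan printed above and flags the weak ones, and wraps the Aggressive Mode capture step that feeds psk-crack. The "weak" thresholds (DES/3DES, MD5/SHA1, MODP groups below 2048 bits) are my own choice, and the group ID handed to --id is a placeholder, since the real one was not captured on this page.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: rate the IKE phase 1 proposal
# in an ike-scan handshake line and show the Aggressive Mode capture step.
# Weak thresholds are my own; the --id group name below is a placeholder.

# The Main Mode handshake line ike-scan printed on this page.
IKE_LINE='110.142.206.85  Main Mode Handshake returned HDR=(CKY-R=49cc50cbfcf85509) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=dbfb81eb5760b0788562067da102d755 VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)'

# sa_attr <name> <line>: value of one SA=(...) attribute, e.g. sa_attr Enc "$IKE_LINE"
sa_attr() {
  printf '%s\n' "$2" | grep -o "$1=[^ )]*" | head -n 1 | cut -d= -f2-
}

# rate_proposal <line>: one finding per line (WEAK ... / NOTE ...). Prints
# nothing for AES, SHA-2, a group of 2048 bits or more and certificate auth.
rate_proposal() {
  local line="$1" enc hash group auth
  enc=$(sa_attr Enc "$line");     hash=$(sa_attr Hash "$line")
  group=$(sa_attr Group "$line"); auth=$(sa_attr Auth "$line")
  case "$enc"   in DES|3DES)    echo "WEAK Enc=$enc: 64-bit block cipher, prefer AES" ;; esac
  case "$hash"  in MD5|SHA1)    echo "WEAK Hash=$hash: prefer SHA2-256 or better" ;; esac
  case "$group" in 1:*|2:*|5:*) echo "WEAK Group=$group: MODP below 2048 bits, prefer group 14 or higher" ;; esac
  case "$auth"  in PSK)         echo "NOTE Auth=$auth: in Aggressive Mode the PSK hash is exposed for offline cracking" ;; esac
}

# Aggressive Mode capture. Root is needed because ike-scan binds UDP/500;
# -P/--pskcrack writes the hash in psk-crack format, after which the attack
# is offline. The VPN group name normally has to be supplied with --id.
capture_psk_hash() {  # usage: capture_psk_hash <target> <group-id> <outfile>
  command -v ike-scan >/dev/null || { echo "ike-scan not installed" >&2; return 2; }
  sudo ike-scan --aggressive --id="$2" --pskcrack="$3" "$1" &&
    echo "next: psk-crack -d /usr/share/wordlists/rockyou.txt $3"
}

rate_proposal "$IKE_LINE"
# capture_psk_hash 110.142.206.85 vpngroup ike.psk   # 'vpngroup' is a placeholder
```

On the handshake above this prints three WEAK findings (3DES, SHA1, MODP-1024) and the PSK note; the cipher suite alone makes the endpoint worth reporting even before any cracking attempt.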

Conclusion: This is not a very well known tool, but it offers valuable insights to experienced security experts and the possibility to use the recovered data in further scanning/exploitation.

For more information please refer to the full tool documentation.

Dnsenum

Category: Information Gathering - DNS Analysis
This is an efficient and well-performing tool for locating the DNS servers and DNS entries of a given organisation (name servers, MX records, zone transfer attempts, subdomain brute forcing). A demonstration on the example of google.com is shown below:

For more information please refer to the full tool documentation.

What's different in ParrotOS?

Any tool from Kali can also be installed on ParrotOS and vice versa, so in this context only the preinstalled tools are meant. Overall the "main" tools are the same on both operating systems, but ParrotOS offers some extras.

  • Information Gathering Tools Menu Preview Comparison

At first glance the tools look very similar, but when you open the various sub-categories, there are differences:

Tool Category              Kali                  Parrot
------------------------   -------------------   -------------------
DNS Analysis               dnsenum               dnsdict6
                           dnsrecon              dnsenum
                           fierce                dnsmap
                                                 dnsrecon
                                                 dnstracer
                                                 dnswalk
                                                 fierce
                                                 gobuster
                                                 urlcrazy

IDS/IPS Identification     lbd                   lbd
                           wafw00f               fragrouter
                                                 ftest

Live Host Identification   arping                arping
                           fping                 cdpsnarf
                           hping3                detect-new-ip6
                           masscan               fping
                           thcping6              hping3
                                                 inverse_lookup6
                                                 ncat
                                                 passive_discovery6
                                                 thcping6
                                                 xprobe2

Network & Port Scanners    masscan               amap
                           nmap                  etherape
                                                 masscan
                                                 nmap
                                                 unicornscan
                                                 wireshark

OSINT Analysis             maltego               casefile
                           spiderfoot            maltego
                           spiderfoot-cli        metagoofil
                           theharvester          theharvester
                                                 urlcrazy

Route Analysis             netdiscover           0trace
                           netmask               intrace
                                                 irpas-ass
                                                 irpas-cdp
                                                 netmask
                                                 trace6

SMB Analysis               enum4linux            enum4linux
                           nbtscan               nbtscan
                           smbmap                smbmap

SMTP Analysis              swaks                 smtp-user-enum
                                                 swaks

SNMP Analysis              onesixtyone           braa
                           snmp-check            onesixtyone
                                                 snmp-check

SSL Analysis               ssldump               ssldump
                           sslh                  sslh
                           sslscan               sslscan
                           sslyze                sslyze

