Rabu, 07 Oktober 2009

pentest backtrack: Autonomous System Scanner (ASS)

Autonomous System Scanner (ASS) adalah sebuah script app yang digunakan untuk mencari sebuah informasi sebuah Router, Ass juga mendukung beberapa Protokol, misalnya: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP.

keterangan Protokol:
IRDP --> Icmp Router Discovery Protocol
IGRP --> Interior Gateway Routing Protocol
EIGRP --> Enhanced Interior Gateway Routing Protocol
RIPv1 v2--> Routing Information Protocol
CDP --> Cisco Discovery Protocol
HSRP --> Hot Standby Routing Protocol

Nah biasanya app ini saya gunakan untuk mencari informasi sebuah Router,.contoh: penggunaanNya..
#ass -i ath0 //--> digunakan untuk mode pasif (menangkap informasi secara broadcast dan multicast)
#ass -i ath0 -A //--> digunakan untuk mencari (menjelajahi) sebuah ruter dengan cara menanyakan informasi kepada router secara broadcast dan multicast.
(-M) di gunakan untuk mode multicast, biasanya untuk scan Ip target tertentu
(-p) Scan dengan protokol tertentu (* I=IGRP * E =EIGRP * R =IRDP * 1=RIPv1 * 2=RIPv2)

Contohnya: [-p IER12]
nahh contoh dari perintah eksekusi di atas.
#ass [-v[v[v]]] -i [-p] [-c] [-A] [-M] [-P IER12]

dan keteranganNya,.
(-v) di gunakan untuk mode verbose, biasanya untuk akurasi pencarian aja.
(-p) yaa seperti di atas tadi (scan protokol).
(-c) mematikan app setelah selesai scan,. tapi sebaikNya jangan tambah mode ini,. masalahnya gimana kita mau ngelihatin hasil ScanNannya, kalok applikasinya terminated.. :P
(-A) di gunakan untuk mode aktif scan, Bukan pasif.
(-M) sudah ada di atas tuh,. tambahanNya, System EIGRP akan di scan dengan mode multicast alamat tertentu dan tidak memanfaatkan dari HELLO enumerasi dan direct query. (kalok enggak ngerti tanya si embah). :P
(-p) sudah juga di terangin di atas,. masak minta di terangin lagi..
Exmp: #ass -vvv -i ath0 -P EIR12 -M -a -p -D
nahh Loohh,..terus cara bacanya gimana kalok bgt,..?
hehehehehehe,.. yaa bacanya dengan kamus di atas tuh..

sekedar tambahan buat bantuin cara bacanya lagi..
(-i ath0) i adalah singkatan dari interface ath0 adalah aliass wifi card saya.
(-D) D adalah singkatan dari "destination". dan setelah D baru ada Ip address,. (kalok enggak ngerti destination cari di kamus ato suruh si embah lagi).

contoh dari hasil scanNya.
#ass -v -i ath0 Router
10.165.xxx.xxx (RIPv1 )
RIP1 [ n/a ] 10.x.x.x (metric 1)
RIP1 [ n/a ] 127.xx.x.x (metric 1)
RIP1 [ n/a ] 10.xxx.xxx.x (metric 1)
RIP1 [ n/a ] 172.xx.x.x (metric 1)

Router 192.168.xx.xxx (CDP )
CDP [ n/a ] Device ID MikroTik
Port ID (null)
Platform MikroTik
- Layer 3 Router
Duplex Half

Sumber : di sini

ASS, the autonomous system scanner, is designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF.
In passive mode (./ass -i eth0), it just listens to routing protocol packets (like broadcast and multicast hellos).
In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. This is done to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, this will be used but may be not as effective as the defaults.
EIGRP scanning is done differently: While scanning, ASS listens for HELLO packets and then scans the AS directly on the router who advertised himself. You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by giving a destination or into multicast scanning by the option -M.
For Active mode, you can select the protocols you want to scan for. If you don't select them, all are scanned. You select protcols by giving the option -P and any combination of the following chars: IER12, where:
1 = RIPv1
2 = RIPv2
Usage is trival:

./ass [-v[v[v]]] -i [-p] [-c] [-A] [-M] [-P IER12]
-a -b
[-S ] [-D ]
[-T ]
-i interface
-v verbose
-A this sets the scanner into active mode
-P see above (usage: -P EIR12)
-M EIGRP systems are scanned using the multicast
address and not by HELLO enumeration and
direct query
-a autonomous system to start from
-b autonomous system to stop with
-S maybe you need this
-D If you don't specify this, the appropriate
address per protocol is used
-p don't run in promiscuous mode (bad idea)
-c terminate after scanning. This is not
recommened since answers may arrive later and
you could see some traffic that did not show
up during your scans
-T packets how many packets should we wait some
miliseconds (-T 1 is the slowest scan
-T 100 begins to become unreliable)
I really suggest to use -v !
I'm not going to explain why you do not get answers from routers in the Internet. If you don´t know what the 'network x.y.z.0' statement for cisco means, forget that you know this program exists (sorry..)
ASS output might look a little strange, but has it's meanings:
Routers are identified by the sender's IP address of the packet. This may lead to several routers showing up as more then one since they used different sender interfaces. In the brackets, the protocols this router runs are shown.
Routing protocols are shown as one or more indented lines. First, there is the routing protocol name (like EIGRP), followed by the autonomous system number in brackets. Aligned to the right is the target network if applicable.
IGRP routing info shows the target network and in brackets the following values: Delay, Bandwidth, MTU, Reliability, Load and Hopcount.
The IRDP info is limmited to the announced gateway (router) and it's preference
RIPv1 info just gives you the classified target network (remember RIPv1 network boundaries) and it's metric
RIPv2 info contains after the target network the following infos: Netmask, next hop, arbitary tag, and the metric. An additional line may appear on the routers section that gives you the authentication if enabled in the protocol. For text auth, the password is there.
EIGRP basic
The basic EIGRP just gives you the autonomous system number, the IOS and EIGRP version as found in the HELLO packet
EIGRP routes
The EIGRP routes section depends on the type of route. All of them include the fields destination network, destination mask and in the last line (in brackets) the values for Delay, Bandwidth, MTU, Reliability, Load and Hopcount. External routes also include the originating router, the originating autonomous system, the external metric and the source of this route.
HSRP info is not routing, therefore the third field is the virtual IP address of the standby group, followed by the state, the auth string, Hello, Hold and priority values.
OSPF info includes the destination network as well as the Area in IP format, the authentication used (and, if applicable the auth string), netmask, designated and backup router and the values for Dead, Priority and Hello.

Sumber : disini, disini dan disini

Tidak ada komentar:

Posting Komentar