hardCIDR

A Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test. This information is maintained by the five Regional Internet Registries (RIRs):

ARIN (North America)
RIPE (Europe/Asia/Middle East)
APNIC (Asia/Pacific)
LACNIC (Latin America)
AfriNIC (Africa)

In addition to netblocks and IP addresses, Autonomous System Numbers (ASNs) are also of interest. ASNs are used as part of the Border Gateway Protocol (BGP) for uniquely identifying each network on the Internet. Target organizations may have their own ASNs due to the size of their network or as a result of redundant service paths from peered service providers. These ASNs will reveal additional netblocks owned by the organization.

ipcalc (for RIPE, APNIC, LACNIC, AfriNIC queries)

A note on LACNIC before diving into the usage. LACNIC only allows query of either network range, ASN, Org Handle, or PoC Handle. This does not help us in locating these values based upon the organization name. They do however publish a list of all assigned ranges on a publically accessible FTP server, along with their rate-limiting thresholds. So, there is an accompanying data file, which the script checks for, used to perform LACNIC queries locally. The script includes an update option -r, that can be used to update this data on an interval of your choosing. Approximate run time is just shy of 28 hours.

The script with no specified options will query ARIN and a pool of BGP route servers. The route server is selected at random at runtime. The -h option lists the help:

The options may be used in any combination, all, or none. Unfortunately, none of the “other” RIRs note the actual CIDR notation of the range, so ipcalc is used to perform this function. If it is not installed on your system, the script will install it for you.

At the prompts, enter the organization name, the email domain, and whether country codes are used as part of the email. If answered Y to country codes, you will be prompted as to whether they precede the domain name or are appended to the TLD. A directory will be created for the output files in /tmp/. If the directory is found to exist, you will be prompted whether to overwrite. If answered N, a time stamp will be appended to the directory name.

The script queries each RIR, as well as a BGP route server, prompting along the way as to whether records were located. Upon completion, three files will be generated: a CSV based on Org Handle, a CSV based on PoC Handle, and a line delimited file of all located raanges in CIDR notation.

Cancelling the script at any time will remove any temporary working files and the directory created for the resultant output files.

It should be noted that, due to similarity in some organization names, you could get back results not related to the target. The CSV files will provide the associated handles and URLs for further validation where necessary. It is also possible that employees of the target organization used their corporate email address to register their own domains. These will be found within the results as well.

docker build -t hardcidr .

Building the hardcidr image

docker run -v $(pwd):/tmp -it hardcidr

Running the container. Output will be saved to current directory

The post HardCIDR – Network CIDR and Range Discovery Tool appeared first on Tech Chronicles.

Screenshots

Features

Comprehensive Nmap XML Parsing

• Multiple File Support: Parse and analyze two Nmap XML output files.
• Structured Data: Converts Nmap’s XML output into a structured format for further processing.

Comparative Analysis

• Change Detection: Compare results from two Nmap scans to identify new, altered, or removed services and ports. Useful for when you scan the same IPs from different source IPs or over time.
• Excel Reporting: Automatically generates detailed Excel spreadsheets with the comparison results and some stats.

Statistical Overview And Visualization

• Network Exposure Statistics: Offers statistical analysis on detected services and open ports.
• Excel Visualizations: Includes pie charts in Excel reports for a graphical representation of the network’s security posture.

AI-Powered Insights With GPT

• GPT Report Generation: Uses OpenAI’s GPT to generate insightful analysis reports based on Nmap result stats. The tool uses a hardcoded prompt that sets the tone and requirements, then the script inserts the stats (no identifying information is provided) and if -c –context has been provided, it’ll add the context to the bottom of the prompt.
• Customizable Context: Enhance GPT analysis by providing additional context, tailoring the report to specific needs.

Usage

The script prints the help page if no args are passed, or you can access with python nmap-analysis.py -h

• Comparing Nmap Scans:

python nmap-analysis.py compare -ff (--first-nmap-file) path/to/first.xml -lf (--last-nmap-file) path/to/second.xml

• Generating a GPT Report:

python nmap-analysis.py gpt-report -gf (--gpt-nmap-file) path/to/nmap.xml -c (--context) "Your optional context here"

Installation and Setup

Prerequisites

• 3.10+ probably (created using 3.12)
• An OpenAI API key for GPT report generation that is set in local env

Secure Installation with venv

1. Clone the Repository:

git clone https://github.com/FlyingPhish/Nmap-Analysis
cd nmap-analysis-tool

2. Create a Virtual Environment:

python3 -m venv venv

3. Activate the Virtual Environment:

• On Windows:

.\venv\Scripts\activate

The post Nmap Analysis Tool – Enhancing Network Security Through Advanced Analysis And Reporting appeared first on Tech Chronicles.

Designed for both novices and experienced cybersecurity professionals, this tool streamlines the process of identifying and exploiting weaknesses in network security.

With its user-friendly interface and powerful features, NTLM Relay Gat serves as a critical asset in the toolkit of ethical hackers and penetration testers aiming to enhance their network defense strategies.

Description

NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.

Features

• Multi-threading Support: Utilize multiple threads to perform actions concurrently.
• SMB Shares Enumeration: List available SMB shares.
• SMB Shell Execution: Execute a shell via SMB.
• Secrets Dumping: Dump secrets from the target.
• MSSQL Database Enumeration: List available MSSQL databases.
• MSSQL Command Execution: Execute operating system commands via xp_cmdshell or start SQL Server Agent jobs.

Prerequisites

Before you begin, ensure you have met the following requirements:

• proxychains properly configured with ntlmrelayx SOCKS relay port
• Python 3.6+

Installation

To install NTLM Relay Gat, follow these steps:

1. Ensure that Python 3.6 or higher is installed on your system.
2. Clone NTLM Relay Gat repository:

git clone https://github.com/ad0nis/ntlm_relay_gat.git
cd ntlm_relay_gat

Install dependencies, if you don’t have them installed already:

pip install -r requirements.txt

NTLM Relay Gat is now installed and ready to use.

Usage

To use NTLM Relay Gat, make sure you’ve got relayed sessions in ntlmrelayx.py‘s socks command output and that you have proxychains configured to use ntlmrelayx.py‘s proxy, and then execute the script with the desired options. Here are some examples of how to run NTLM Relay Gat:

# List available SMB shares using 10 threads
python ntlm_relay_gat.py --smb-shares -t 10

# Execute a shell via SMB
python ntlm_relay_gat.py --smb-shell --shell-path /path/to/shell

# Dump secrets from the target
python ntlm_relay_gat.py --dump-secrets

# List available MSSQL databases
python ntlm_relay_gat.py --mssql-dbs

# Execute an operating system command via xp_cmdshell
python ntlm_relay_gat.py --mssql-exec --mssql-method 1 --mssql-command 'whoami'

The post NTLM Relay Gat – Automating Exploitation Of NTLM Relay Vulnerabilities appeared first on Tech Chronicles.

Netdata’s distributed, real-time monitoring Agent collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices, and is perfectly safe to install on your systems mid-incident without any preparation.

You can install Netdata on most Linux distributions (Ubuntu, Debian, CentOS, and more), container platforms (Kubernetes clusters, Docker), and many other operating systems (FreeBSD, macOS). No sudo required.

Netdata is designed by system administrators, DevOps engineers, and developers to collect everything, help you visualize metrics, troubleshoot complex performance problems, and make data interoperable with the rest of your monitoring stack.

People get addicted to Netdata. Once you use it on your systems, there’s no going back! You’ve been warned…

Features

Here’s what you can expect from Netdata:

• 1s granularity: The highest possible resolution for all metrics.
• Unlimited metrics: Netdata collects all the available metrics—the more, the better.
• 1% CPU utilization of a single core: It’s unbelievably optimized.
• A few MB of RAM: The highly-efficient database engine stores per-second metrics in RAM and then “spills” historical metrics to disk long-term storage.
• Minimal disk I/O: While running, Netdata only writes historical metrics and reads error and access logs.
• Zero configuration: Netdata auto-detects everything, and can collect up to 10,000 metrics per server out of the box.
• Zero maintenance: You just run it. Netdata does the rest.
• Stunningly fast, interactive visualizations: The dashboard responds to queries in less than 1ms per metric to synchronize charts as you pan through time, zoom in on anomalies, and more.
• Visual anomaly detection: Our UI/UX emphasizes the relationships between charts to help you detect the root cause of anomalies.
• Scales to infinity: You can install it on all your servers, containers, VMs, and IoT devices. Metrics are not centralized by default, so there is no limit.
• Several operating modes: Autonomous host monitoring (the default), headless data collector, forwarding proxy, store and forward proxy, central multi-host monitoring, in all possible configurations. Use different metrics retention policies per node and run with or without health monitoring.

Netdata works with tons of applications, notifications platforms, and other time-series databases:

• 300+ system, container, and application endpoints: Collectors autodetect metrics from default endpoints and immediately visualize them into meaningful charts designed for troubleshooting. See everything we support.
• 20+ notification platforms: Netdata’s health watchdog sends warning and critical alarms to your favorite platform to inform you of anomalies just seconds after they affect your node.
• 30+ external time-series databases: Export resampled metrics as they’re collected to other local- and Cloud-based databases for best-in-class interoperability.

Want to leverage the monitoring power of Netdata across entire infrastructure? View metrics from any number of distributed nodes in a single interface and unlock even more features with Netdata Cloud.

Get Netdata

To install Netdata from source on most Linux systems (physical, virtual, container, IoT, edge), run our one-line installation script. This script downloads and builds all dependencies, including those required to connect to Netdata Cloud if you choose, and enables automatic nightly updates and anonymous statistics.

wget -O /tmp/netdata-kickstart.sh https://my-netdata.io/kickstart.sh && sh /tmp/netdata-kickstart.sh

docker run -d --name=netdata \
  -p 19999:19999 \
  -v netdataconfig:/etc/netdata \
  -v netdatalib:/var/lib/netdata \
  -v netdatacache:/var/cache/netdata \
  -v /etc/passwd:/host/etc/passwd:ro \
  -v /etc/group:/host/etc/group:ro \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc/os-release:/host/etc/os-release:ro \
  --restart unless-stopped \
  --cap-add SYS_PTRACE \
  --security-opt apparmor=unconfined \
  netdata/netdata

The post Netdata – Real-time Performance Monitoring appeared first on Tech Chronicles.

Astsu: Network Scanning Tool

Astsu performs three major tasks. The first function is the ability to scan common ports and check whether they are open or not. If a port is open, the tool will then use nmap to check the service being run on the port. The second ability of Astsu is to discover hosts operating on the network. It does this by using the routers IP to map all possible IP’s and then send packets to each IP and wait for a response. The last objective which Astsu achieves is the ability to determine the Operating System of a host on a network. It does this by analyzing a packet received from the target for the OS details.

A great option of this tool is that the user can choose the network protocol to use in the scan. In addition to this, the user can also define how long the tool should wait before it timeouts.

Features:

• Perform basic network reconnaissance with this tool
• Scan the ports of a target IP address and check which ports are open or closed and what services are running on them
• Discover the hosts in a network
• Scan a host for the Operating System
• Can be used in the reconnaissance phase of a penetration test
• Option to use a stealth scan method to hide the user’s identity
• Option to scan a range of ports or scan all the ports

How it works

• Scan common ports

Send a TCP Syn packet to the destination on the defined port, if the port is open, use an nmap scan to check the service running on the port and prints all the ports found.

• Discover hosts in network

Uses as a base the router’s ip to map all possible ips. It then sends an ICMP packet to each IP, and waits for a response, if it receives any response saved in an array the IP of the online host, and when it finishes checking all hosts, prints all hosts online.

• OS Scan

Sends an ICMP packet to the destination and waits for a response. Then, extracts the TTL from the destination response and checks the possible OS in a list, if have founded, prints it.

OS Support

• Windows
• Linux
• Mac

How to install

Clone this repository git clone https://github.com/ReddyyZ/astsu.git

• Install python 3.
  • Linux
    • apt-get install python3
    • chmod +x *
    • python3 -m pip install -r requirements.txt
    • python3 install.py
    • Done!
  • Windows
    • Python 3, download and install
    • python3 -m pip install -r requirements.txt
    • python3 install.py
    • Done!

Arguments

• -sC | Scan common ports
  • -p | Protocol to use in the scan
  • -i | Interface to use
  • -t | Timeout to each request
  • -st | Use stealth scan method (TCP)
• -sA | Scan all ports
  • -p | Protocol to use in the scan
  • -i | Interface to use
  • -t | Timeout to each request
  • -st | Use stealth scan method (TCP)
• -sP | Scan a range ports
  • -p | Protocol to use in the scan
  • -i | Interface to use
  • -t | Timeout to each request
  • -st | Use stealth scan method (TCP)
• -sO | Scan OS of a target
• -d | Discover hosts in the network
  • -p | Protocol to use in the scan
  • -i | Interface to use

Examples

• Discover hosts

astsu -d

• Scan common ports using SYN Scan

astsu -sC -st 192.168.1.1

• Scan a range of ports

astsu 192.168.1.1 -sP 1 443

• Scan OS

astsu -sO 192.168.1.1

License

This project is under the MIT License.

The post Astsu: Network Scanning Tool appeared first on Tech Chronicles.

Network protocols

A network protocol is a set of conditions and rules that specify how network devices communicate on a given network. It provides a common framework for establishing and maintaining a communications channel, and how to handle errors or faults should they occur. Network protocols allow communication between different network-enabled devices, for example, laptops, tablets, smartphones, desktops, servers, and other network-enabled devices.

The network protocol is an essential building block in the design of an organization’s network architecture. There are many network protocols available. Each network protocol has many properties that govern its use and implementation.

Let’s define a few terms before we look at some of the commonly used network protocols.

What is a network address?

A network address is a unique identifier that identifies a network-enabled device. A network-enabled device might have more than one address type. Although there are more address types, for this discussion, we’ll focus on only two of these address types.

The first type is a media access control (MAC) address that identifies the network interface on the hardware level. The second type is an Internet Protocol (IP) address that identifies the network interface on a software level.

We’ll explore these two address types in more detail later.

What is a data packet?

A data packet is a unit that’s used to describe the message two devices on a network send each other. A data packet consists of raw data, headers, and potentially also a trailer. The header contains several information items. For example, it includes the sender and destination device addresses, the size of the packet, the protocol used, and the packet number. The trailer in a data packet deals with error checking.

The concept is similar to sending someone a letter in the mail. But instead of sending several pages in one envelope, each page is sent in a separate envelope. Enough information is sent in each envelope to allow the recipient to piece together the complete message after they have all the pages.

What is a datagram?

A datagram is considered the same as a data packet. Datagrams commonly refer to data packets of an unreliable service, where delivery can’t be guaranteed.

What is routing?

Routing, in the context of networks, refers to the mechanism used to make sure that data packets follow the correct delivery path between the sending and receiving devices on different networks.

For example, think about the PC you’re using and the server that’s serving the page you’re currently reading. Multiple networks might connect your PC and the server, and various paths might be available between these two devices.

Protocol categories

Several types of applications and hardware devices depend on specific network protocols on a typical network. For example, browsing the internet by using a web browser relies on a different protocol than sending or receiving an email. Converting the data that you see in the browser and sending this information over the network requires another protocol.

Protocols fall into three categories:

• Network communication protocols
• Network security protocols
• Network management protocols

Let’s have a look at some of the protocols in these categories.

Network communication protocols

Communication protocols focus on establishing and maintaining a connection between devices. As you work with different devices and network services, you’ll make use of various network communication protocols.

First, we need to define three foundational protocols of all internet-based networks. These three protocols are Transmission Control Protocol (TCP), Internet Protocol (IP), and User Datagram Protocol (UDP). These protocols are concerned with the logical transmission of data over the network.

• Transmission Control Protocol: TCP chunks up data into data packets that can be sent securely and quickly while minimizing the chance of data loss. It provides a stable and reliable mechanism for the delivery of data packets across an IP-based network. Even though TCP is an effective connection-oriented protocol, it has overhead.
• Internet Protocol: IP is responsible for the addressing of a data packet. IP encapsulates the data packet to be delivered and adds an address header. The header contains information on the sender and recipient IP addresses. This protocol isn’t concerned about the order in which the packets are sent or received. It also doesn’t guarantee that a packet will be delivered, only the address.
• User Datagram Protocol: UDP is a connectionless protocol that offers a low-latency and loss-tolerant implementation. UDP is used with processes that don’t need to verify that the recipient device received a datagram.

The rest of the protocols that we’ll discuss here are based on a type of application, for example, an email client or a web browser. Here are the most commonly used network communication protocols:

• Hypertext Transfer Protocol (HTTP): The HTTP protocol uses TCP/IP to deliver web page content from a server to your browser. HTTP can also handle the download and upload of files from remote servers.
• File Transfer Protocol (FTP): FTP is used to transfer files between different computers on a network. Typically, FTP is used to upload files to a server from a remote location. While you can use FTP to download files, web-based downloads are typically handled through HTTP.
• Post Office Protocol 3 (POP3): POP3 is one of three email protocols. It’s most commonly used by an email client to allow you to receive emails. This protocol uses TCP for the management and delivery of an email.
• Simple Mail Transfer Protocol (SMTP): SMTP is another one of the three email protocols. It’s most commonly used to send emails from an email client via an email server. This protocol uses the TCP for management and transmission of the email.
• Interactive Mail Access Protocol (IMAP): IMAP is the more powerful of the three email protocols. With IMAP and an email client, you can manage a single mailbox on an email server in your organization.

Network security protocols

Network security protocols are designed to maintain the security and network of data across your network. These protocols encrypt in-transmission messages between users, services, and applications.

Network security protocols use encryption and cryptographic principles to secure messages.

To implement a secure network, you must match the right security protocols for your needs. The following list explores the leading network security protocols:

• Secure Socket Layer (SSL): SSL is a standard encryption and security protocol. It provides a secure and encrypted connection between your computer and the target server or device that you accessed over the internet.
• Transport Layer Security (TLS): TLS is the successor to SSL and provides a stronger and more robust security encryption protocol. Based on the Internet Engineering Task Force (IETF) standard, it’s designed to stop message forgery and tampering and eavesdropping. It’s typically used to protect web browser communications, email, VoIP, and instant messaging. While TLS is now used, the replacement security protocol is often still called SSL.
• Hypertext Transfer Protocol Secure (HTTPS): HTTPS provides a more secure version of the standard HTTP protocol by using the TLS or SSL encryption standard. This combination of protocols ensures that all data transmitted between the server and the web browser is encrypted and secure from eavesdropping or data packet sniffing. The same principle is applied to the POP, SMTP, and IMAP protocols listed previously to create secure versions known as POPS, SMTPS, and IMAPS.
• Secure Shell (SSH): SSH is a cryptographic network security protocol that provides a secure data connection across a network. SSH is designed to support command-line execution of instructions, which includes remote authentication to servers. FTP uses many of the SSH functions to provide a secure file transfer mechanism.
• Kerberos: This validation protocol provides a robust authentication for client-server-based applications through secret-key cryptography. Kerberos assumes that all endpoints in the network are insecure. It enforces strong encryption for all communications and data at all times.

Network management protocols

In your network, it’s perfectly acceptable to have multiple different protocols running concurrently. Previously, we discussed communications and security protocols. Equally important to the successful day-to-day running and operating of a network are the management protocols. The focus of this type of protocol is the sustainability of the network by looking at faults and performance.

Network administrators need to monitor their networks and any devices attached to them. Each device in your network exposes some indicators about the state and health of the device. These indicators are requested by the network administrator tool and can be used for monitoring and reporting.

Two network management protocols are available:

• Simple Network Management Protocol (SNMP): SNMP is an internet protocol that allows for the collection of data from devices on your network and the management of those devices. The device has to support SNMP to gather information. Devices that typically support SNMP include switches, routers, servers, laptops, desktops, and printers.
• Internet Control Message Protocol (ICMP): ICMP is one of the protocols included within the Internet Protocol suite (IPS). It allows network-connected devices to send warning and error messages, along with operation information about the success or failure of a connection request, or if a service is unavailable. Unlike other network transport protocols like UDP and TCP, ICMP isn’t used to send or receive data from devices on the network.

Ports

A port is a logical construct that allows the routing of incoming messages to specific processes. There’s a particular port for every type of IPS. A port is an unsigned 16-bit number in the range 0 to 65535 and is also known as a port number. Ports are assigned by the sending TCP or UDP layer based on the communications protocol used.

There are specific port numbers reserved for every service. The first 1,024 ports, called the well-known port numbers, are reserved for the commonly used services. The high-numbered ports, called the ephemeral ports, are unreserved and used by dedicated applications.

Every port links to a specific service or communications protocol. It means that the target network device, say a server, can receive multiple requests on each port and service each of them without conflict.

Well-known port numbers

Much in the same way that IP addresses are split into classes, so are ports. There are three ranges of ports: the well-known ports, the registered ports, and the dynamic/private ports.

The Internet Assigned Numbers Authority (IANA) manages the allocation of port numbers, the regional assignment of IP addresses, and Domain Name System (DNS) root zones. IANA also manages a central repository for protocol names and the registry used in internet protocols.

The following table lists some of the more common well-known port numbers.

Internet Protocol suite

The Internet Protocol suite is a collection of communication protocols, also called a protocol stack. It’s also sometimes referred to as the TCP/IP protocol suite since both TCP and IP are primary protocols used in the suite.

The IPS is an abstract, layered networking reference model. The IPS describes the different layered protocols used to send and receive data on the internet and similar networks.

The IPS model is one of several similar networking models that varies between three and seven layers. The best-known model is the Open Systems Interconnection (OSI) networking reference model. We’re not going to cover the OSI model here. A documentation link is available in the “Learn more” section at the end of this module.

• Application layer: The top layer of this stack is concerned with application or process communication. The application layer is responsible for determining which communication protocols to use based on what type of message is transmitted. For example, the layer assigns the correct email protocols such as POP, SMTP, or IMAP if the message is email content.
• Transport layer: This layer is responsible for host-to-host communication on the network. The protocols associated with this layer are TCP and UDP. TCP is responsible for flow control. UDP is responsible for providing a datagram service.
• Internet layer: This layer is responsible for exchanging datagrams. A datagram contains the data from the transport layer and adds in the origin and recipient IP addresses. The protocols associated with this layer are IP, ICMP, and the Internet Protocol Security (IPsec) suite.
• Network access layer: The bottom layer of this stack is responsible for defining how the data is sent across the network. The protocols associated with this layer are ARP, MAC, Ethernet, DSL, and ISDN.

The post Network Protocols appeared first on Tech Chronicles.