Backtrack 4: Information Gathering: Route: Netenum – Produce lists of hosts for other programs

The next tool up for review is the netenum script. Netenum can be used to produce lists of hosts for other programs. It’s not as powerful as other ping-sweep tools, but it’s simple. When giving a timeout, it uses ICMP echo request to find available hosts. If you don’t supply a timeout, it just prints an IP address per line, so you can use them in shell scripts.

Lets take a look at the syntax for the tool:

root@666:~# netenum
Netenum
netenum <destination> [timeout] [verbosity]
if timeout is >0, pings are used to enum

Timeout applies for the whole operation!
Verbosity is between 0 (quiet) to 3 (verbose)

As you can see this is a really simple tool. Its best use would be to use it in a shell script.

Check out the following example for a HSRP attack:

 for i in `netenum 192.168.1.0/26`
 do
 	./hsrp -d ${i} -v192.168.1.22 -a cisco -g 1 -i eth0
 done

It can also just be used by itself to get a quick ping scan of a network:

root@666:~# netenum 192.168.1.0/24 10
192.168.1.1
192.168.1.5
192.168.1.30
192.168.1.100
192.168.1.104
192.168.1.144
192.168.1.187
192.168.1.195
192.168.1.241
192.168.1.242

Here is a example using the more verbose output:

root@666:~# netenum 192.168.1.0/24 10 3
        Netmask: 255.255.255.0
Targeting from 192.168.1.0 to 192.168.1.255
192.168.1.1 respond ... good
192.168.1.5 respond ... good
192.168.1.30 respond ... good
192.168.1.100 respond ... good
192.168.1.104 respond ... good
192.168.1.144 respond ... good
192.168.1.187 respond ... good
192.168.1.195 respond ... good
192.168.1.241 respond ... good
192.168.1.242 respond ... good
ping round is at 1
192.168.1.30 respond ... good
192.168.1.5 respond ... good
192.168.1.30 respond ... good
192.168.1.5 respond ... good
192.168.1.1 respond ... good
192.168.1.5 respond ... good
192.168.1.30 respond ... good
192.168.1.195 respond ... good
192.168.1.100 respond ... good
192.168.1.104 respond ... good
ping round is at 2
192.168.1.144 respond ... good
192.168.1.187 respond ... good
192.168.1.241 respond ... good
192.168.1.242 respond ... good
192.168.1.195 respond ... good
192.168.1.30 respond ... good
192.168.1.5 respond ... good
192.168.1.195 respond ... good
192.168.1.30 respond ... good
192.168.1.5 respond ... good
192.168.1.1 respond ... good
192.168.1.5 respond ... good
ping round is at 3
192.168.1.30 respond ... good
192.168.1.100 respond ... good
192.168.1.104 respond ... good
192.168.1.144 respond ... good
192.168.1.187 respond ... good
192.168.1.195 respond ... good
192.168.1.241 respond ... good
192.168.1.242 respond ... good
192.168.1.30 respond ... good
192.168.1.5 respond ... good
192.168.1.195 respond ... good
10 targets found
192.168.1.1
192.168.1.5
192.168.1.30
192.168.1.100
192.168.1.104
192.168.1.144
192.168.1.187
192.168.1.195
192.168.1.241
192.168.1.242

Once again, not the best tool in the world but useful to be able to easily call in scripts.

See larger image Linux System Administration Black Book: The Definitive Guide to Deploying and Configuring the Leading Open Source Operating System (Paperback) By (author) Dee-Ann LeBlanc List Price: $49.99 USD New From: $199.99 In Stock Used from: $8.41 In Stock

See larger image Penetration Tester's Open Source Toolkit, Vol. 2 (Paperback) By (author) Jeremy Faircloth, Chris Hurley, Jesse Varsalone List Price: $61.95 USD New From: $43.04 In Stock Used from: $17.91 In Stock

This entry was posted on Tuesday, June 1st, 2010 at 4:20 PM and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.