Inguma/CLI/Modules:Gather
anticrypt
Description
Try to automagically guess the password algorithm
Parameters
- hash = <hash of the password>
- password = <original unencrypted password>
Example
    inguma> hash = "Ej6riJbICoXVQ"
    inguma> password = "Password01"
    inguma> anticrypt
    [+] Trying to guess the encryption algorithm ...
    --> Uses Crypt
    --> Uses Plain
    --> Algorigthm: ['Crypt']

    inguma> hash="dGhpc2lzbXlwYXNzd29yZA=="
    inguma> password="thisismypassword"
    inguma> anticrypt
    [+] Trying to guess the encryption algorithm ...
    --> Uses Base64
    --> Uses Plain
    --> Algorigthm: ['Base64']
apps11i
Description
Get information from Oracle E-Business Suite 11i
Parameters
- hash = <hash of the password>
- password = <original unencrypted password>
- inguma> help apps11i
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
- dad = <DAD name>
Example
You can help contribute by contacting the author of the article.
archanix
Description
Gather information from archaic Unix systems
Parameters
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
Example
    inguma> target = "192.168.100.24"
    inguma> scanType = "S"
    inguma> portscan
    Portscan results
    ----------------
    Port 80/www is opened at 192.168.100.24
    Port 3306/mysql is opened at 192.168.100.24
    Port 111/sunrpc is opened at 192.168.100.24
    inguma> port = 80
    inguma> archanix
    SYSSTAT
    -------
    None
    NETSTAT
    -------
    None
    FINGER
    ------
    None
arppoison
Description
Poison target's ARP cache
Parameters
- target = <target host or network>
- interval = <interval>
Example
dnsspoof
Description
DNS spoofing tool
Parameters
- target = <target host or network>
Example
dtspc
Description
Gather information from DTSPCD
Parameters
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
Example
fakearp
Description
Fake ARP server
Parameters
- target = <target host or network>
Example
    inguma> target = "192.168.1.21"
    inguma> fakearp
    [+] Using 192.168.191.135
    Ether / ARP who has 192.168.1.21 says 192.168.1.11 / Padding ==> Ether / ARP is at 00:00:00:00:00:00 says 192.168.1.21
    Ether / ARP who has 192.168.191.128 says 192.168.191.2 / Padding ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.191.128
    Ether / ARP who has 192.168.191.2 says 192.168.191.135 ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.191.2
    Ether / ARP who has 192.168.1.11 says 192.168.1.26 / Padding ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.1.11
    Ether / ARP who has 192.168.1.11 says 192.168.1.26 / Padding ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.1.11
    Ether / ARP who has 192.168.1.26 says 192.168.1.21 ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.1.26
    Ether / ARP who has 192.168.191.2 says 192.168.191.135 ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.191.2
    Ether / ARP who has 192.168.1.11 says 192.168.1.26 / Padding ==> Ether / ARP is at 00:0c:29:**:**:** says 192.168.1.11
firetest
Description
A firewall testing tool
Parameters
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
- iface = <interface to use>
Example
    inguma> target = "192.168.1.1"
    inguma> firetest
    [+] Scanning for available IP protocols at 192.168.1.1
    [!] Target appears to have all protocols enabled!
    [+] Tracing route to 192.168.1.1
    [+] Arpinging host 192.168.1.1
    List of discovered hosts
    ------------------------
    [+] ICMP probes with a MTU of 16
    [+] Sending packet ICMP_TIME_EXCEEDED ...
    [+] Sending packet ICMP_ECHO_REQUEST ...
    [+] Sending packet ICMP_DEST_UNREACH ...
    [+] Sending packet ICMP_INFORMATION_REQUEST ...
    [+] Sending packet ICMP_INFORMATION_RESPONSE ...
    [+] Sending packet ICMP_TIMESTAMP_REQUEST ...
    [+] Sending packet ICMP_REDIRECT ...
    [+] Sending packet ICMP_TIMESTAMP_REPLY ...
    [+] Sending packet ICMP_PARAMETER_PROBLEM ...
    [+] Sending packet ICMP_ROUTER_SOLICITATION ...
    [+] Sending packet ICMP_ROUTER_ADVERTISEMENT ...
    [+] Sending packet ICMP_ADDRESS_MASK_REPPLY ...
    [+] Sending packet ICMP_ECHO_REPLY ...
    [+] Sending packet ICMP_ADDRESS_MASK_REQUEST ...
    [+] Sending packet ICMP_SOURCE_QUENCH ...
    [+] Restoring to the old MTU 32767
    [+] ICMP probes
    [+] Sending packet ICMP_TIME_EXCEEDED ...
    [+] Sending packet ICMP_ECHO_REQUEST ...
    [+] Sending packet ICMP_DEST_UNREACH ...
    [+] Sending packet ICMP_INFORMATION_REQUEST ...
    [+] Sending packet ICMP_INFORMATION_RESPONSE ...
    [+] Sending packet ICMP_TIMESTAMP_REQUEST ...
    [+] Sending packet ICMP_REDIRECT ...
    [+] Sending packet ICMP_TIMESTAMP_REPLY ...
    [+] Sending packet ICMP_PARAMETER_PROBLEM ...
    [+] Sending packet ICMP_ROUTER_SOLICITATION ...
    [+] Sending packet ICMP_ROUTER_ADVERTISEMENT ...
    [+] Sending packet ICMP_ADDRESS_MASK_REPPLY ...
    [+] Sending packet ICMP_ECHO_REPLY ...
    [+] Sending packet ICMP_ADDRESS_MASK_REQUEST ...
    [+] Sending packet ICMP_SOURCE_QUENCH ...
    [+] TCP/IP probes
    [+] SYN scan against 192.168.1.1
    Discovered open port 22
    Discovered open port 25
    Discovered open port 80
    Discovered open port 3128
    Discovered open port 8080
    Discovered open port 111
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Setting source port 8080
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 8080 is NATed: True
    Setting source port 111
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 111 is NATed: True
    Setting source port 80
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 80 is NATed: True
    Setting source port 22
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 22 is NATed: True
    Setting source port 3128
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 3128 is NATed: True
    Setting source port 25
    [+] SYN scan against 192.168.1.1
    [+] SYN+FIN scan against 192.168.1.1
    [+] ACK scan against 192.168.1.1
    [+] NULL scan (no flags) against 192.168.1.1
    [+] XMAS scan against 192.168.1.1
    [+] SYN+ACK scan against 192.168.1.1
    Target 192.168.1.1 is promiscuous: False
    [+] Checking if port 25 is NATed: True
    Firetest results
    ----------------
    Port 8080/http-alt is opened at 192.168.1.1
    Port 111/sunrpc is opened at 192.168.1.1
    Port 80/www is opened at 192.168.1.1
    Port 22/ssh is opened at 192.168.1.1
    Port 3128 is opened at 192.168.1.1
    Port 25/smtp is opened at 192.168.1.1
identify
Description
Identify services using discovered ports
Parameters
Mandatory parameters
- target = <target host or network>
Optional parameters
- port = <target port>
Example
    inguma> target = "192.168.100.24"
    inguma> port = 80
    inguma> identify
    Port 80: Apache/2.2.17 (Unix) PHP/5.3.5
    inguma> port = 22
    inguma> identify
    Port 22: 2.0-OpenSSH_5.1p1 Debian-5
ifxinfo
Description
Gather information from an Informix database server
Parameters
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
Example
ikescan
Description
An IKE Scan module to locate and identify VPN concentrators
Parameters
- target = <target host or network>
- port = <target port>
Example
    inguma> target = "192.168.1.254"
    inguma> ikescan
    No vendorID received :(
mssqlcrack
Description
Crack a MS SQL Server 7 or 2000 password
Parameters
- hash = <hash of the password>
Example
    inguma> hash="0x01008444930543174C59CC918D34B6A12C9CC9EF99C4769F819B43174C59CC918D34B6A12C9CC9EF99C4769F819B"
    inguma> mssqlcrack
    Header : 0x64
    Key : 84
    Password : 44930543174C59CC918D34B6A12C9CC9
    Password (Upper) : EF99C4769F819B43174C59CC918D34B6A12C9CC9EF99C4769F819B
    [!] No match
    0x100846FD840F904FCAD709D35C8D4E67EE9C2E5F6F9FE95282065C0195B9901CF8DAAC7C5EA69ED6BED8C
    0x01008444930543174C59CC918D34B6A12C9CC9EF99C4769F819B43174C59CC918D34B6A12C9CC9EF99C4769F819B
nids
Description
A simple network based Intrusion Detection System (IDS)
Parameters
You will have to enter the nids module to access the parameters:
    inguma> nids
    IDS> help
Here are the parameters:
- run
  - Run the Intrusion Detection System
- help
  - Show this help
- exit
  - Exit from the IDS interface
- filter <pcap filter>
  - Specify a valid pcap filter
- iface <iface>
  - Specify which iface will be used
Example
nikto
Description
Nikto web server scanner module for Inguma
Parameters
- target = <target host or URL (without prefix http/s)>
- port = <target port>
- timeout = <timeout>
- ssl = True|False
Example
    inguma> target = "192.168.100.24"
    inguma> nikto
    [+] Using port 80
    [+] Reading signatures ...
    [i] To upgrade signatures run python lib/libnikto.py
    Nikto is a web server assessment tool designed to find various default and insecure files, configurations and programs on any type of web server.
    For updated databases and more information, navigate to: http://www.cirt.net
    Checking url list...
    Adding vulnerable URL '/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000'...
    ----------------------------------------
    OSVDB: 12184
    URI: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    Match: 'phpinfo'
    Summary: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
    ----------------------------------------
    Adding vulnerable URL '/forum/'...
    ----------------------------------------
    OSVDB: 3092
    URI: /forum/
    Match: '200'
    Summary: This might be interesting...
    ----------------------------------------
    Adding vulnerable URL '/images/'...
    ----------------------------------------
    OSVDB: 3268
    URI: /images/
    Match: 'Index of '
    Summary: Directory indexing is enabled: /images
    ----------------------------------------
    Done.
    The following vulnerable URL(s) were found:
    /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
    /forum/
    /images/
nmapfp
Description
OS detection with Nmap fingerprinting
Parameters
- target = <target host or network>
- oport = <opened port>
- cport = <closed port>
Example
    inguma> target="192.168.1.21"
    inguma> nmapfp
    Possible Operative System List
    ------------------------------
    Netscreen 5XP firewall+vpn (OS 3.0.1r2)
    Netscreen 5XP firewall+vpn (os 4.0.3r2.0)
    Accuracy: 96.25 %

    inguma> target="192.168.1.254"
    inguma> nmapfp
    WARNING: Test T5 answered by an ICMP
    WARNING: Test T6 answered by an ICMP
    WARNING: more Test T7 answered by an ICMP
    Possible Operative System List
    ------------------------------
    FreeSCO 0.27 (Linux 2.0.38)
    Gentoo 1.2 linux (Kernel 2.4.19-gentoo-rc5)
    Linux 2.4.0 - 2.5.20
    Linux 2.4.18
    Linux 2.4.18 - 2.4.20 (x86)
    Linux 2.4.19 w/grsecurity patch
    Linux 2.4.20
    Linux 2.4.20 (X86, Redhat 7.3)
    Linux 2.4.20 - 2.4.22 w/grsecurity.org patch
    Linux 2.4.21 (x86, RedHat)
    Linux 2.4.22 (SPARC)
    Linux 2.4.22 or 2.6.4 - 2.6.10
    Linux 2.4.22-ck2 (x86) w/grsecurity.org and HZ=1000 patches
    Linux 2.4.22-gentoo-rc
    Linux 2.4.25 w/grsec (x86)
    Linux 2.4.30
    Linux 2.4.7 - 2.6.11
    Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
    Linux 2.6.0-test10 (x86)
    Linux 2.6.0-test9 - 2.6.0 (x86)
    Linux 2.6.3 - 2.6.10
    Linux 2.6.3 - 2.6.7 (X86)
    Linux 2.6.6
    Linux 2.6.7 - 2.6.8
    Microsoft Windows 2000 SP4
    Accuracy: 83.75 %
nmapscan
Description
A module for port scanning using Nmap
Parameters
You will have to enter the nmapscan module to be able to access the parameters:
    inguma> nmapscan
    NMAP> help
The parameters:
- help
  - Show this help
- nmaphelp
  - Show Nmap's help
- nmap <options>
  - Execute Nmap with options specified
- exit
  - Exit from nmapscan interface
Example
    inguma> nmapscan
    NMAP> nmap -sS 192.168.100.24
    Host IP: 192.168.100.24
    Host Ports:
    Port: 3306
    Port: 80
    Port: 111
    Port: 22
    Traceroute:
nmbstat
Description
Gather NetBIOS information from the target. For example, you can learn whether the target is the master browser of a domain, what the domain is, and whether it is a Windows or Unix based server.
Parameters
- target = <target host or network>
- port = <target port>
Example
    inguma> target = "192.168.100.16"
    inguma> nmbstat
    NetBIOS Information
    -------------------
    TESTLAB-ED7B8FBD Workstation 00-0C-29-11-09-5E ACTIVE
    WORKGROUP Workstation 00-0C-29-11-09-5E ACTIVE GROUP
    TESTLAB-ED7B8FBD Server 00-0C-29-11-09-5E ACTIVE
    WORKGROUP Browser Server 00-0C-29-11-09-5E ACTIVE GROUP
    MAC Address: 00:0C:29:11:09:5E (Unknow)
    Is a Windows based server.
oascheck
Description
Check an Oracle App. Server for the most common vulnerable URLs
Parameters
- target = <target host or network>
- port = <target port>
- timeout = <timeout>
- ssl = True|False
Example
oracrack11g
Description
Crack an Oracle 11g password
Parameters
- hash = <hash of the password>
Example
oratool
Description
Oracle wrapper for all related stuff
Parameters
- target = <target host or network>
- port = <target port>
- sid = <sid name>
- user = <database's username>
- password = <user's password>
- dad = <dad>
- method = <PL/SQL gateway bypass method>
Example
oratt70info
Description
Gather information from Oracle Times Ten 70
Parameters
- target = <target host or network>
- port = <target port>
Example
p0f
Description
Inguma's p0f interface (OS detection)
Parameters
Enter p0f module to access configuration screen:
    inguma> p0f
    P0F> help
Here are the parameters:
- filter <pcap filter>
  - Specify a valid pcap filter
- iface <iface>
  - Specify which iface will be used
- run
  - Start p0f-ing
- help
  - Show this help
- exit
  - Exit from the p0f interface
Example
See defect here: http://code.google.com/p/inguma/issues/detail?id=4
portscan
Description
A port scanner for SYN, ACK, XMAS, SYN/ACK and TCP Connect scans
Parameters
- iface = <interface>
- target = <target host or network>
- port = <target port>
- sport = <source port>
- scanType = <scan type>
scanType can be one of the following:
- S: SYN Scan
- None (undefined): TCP Connect
- A: ACK Scan
- SAFRC: XMAS Scan
- SA: SYN/ACK Scan
Example
    inguma> target = "192.168.100.16"
    inguma> scanType = "S"
    inguma> portscan
    Portscan results
    ----------------
    Port 1029 is opened at 192.168.100.16
    Port 135/loc-srv is opened at 192.168.100.16
    Port 3306/mysql is opened at 192.168.100.16
    Port 139/netbios-ssn is opened at 192.168.100.16
    Port 5900 is opened at 192.168.100.16
    Port 80/www is opened at 192.168.100.16
    Port 445/microsoft-ds is opened at 192.168.100.16
protoscan
Description
An IP protocol scanner. Workstations and desktops will only have support for ICMP, IGMP, TCP and UDP, while other servers (especially routers) will have several other protocols enabled. You can enumerate all supported IP protocols by using this tool.
Parameters
- target = <target host or network>
Example
    inguma> target = "192.168.100.16"
    inguma> protoscan
    [!] Target appears to have all protocols enabled!
    inguma> target = "192.168.100.50"
    inguma> protoscan
    Protocol scan results
    ---------------------
    Protocol 1 enabled at 192.168.100.50
    Protocol 2 enabled at 192.168.100.50
    Protocol 3 enabled at 192.168.100.50
    Protocol 4 enabled at 192.168.100.50
    Protocol 5 enabled at 192.168.100.50
    Protocol 6 enabled at 192.168.100.50
    Protocol 7 enabled at 192.168.100.50
    (...TRUNCATED...)
rainbow
Description
Get the password for a hash using public rainbow tables
Parameters
- hash = <hash of the password>
Example
rainbowmd5
Description
Get the password for a MD5 hash using public rainbow tables
Parameters
- hash = <hash of the password>
Example
    inguma> hash = "5f4dcc3b5aa765d61d8327deb882cf99"
    inguma> rainbowmd5
    [+] Password: password
    inguma> hash = "75b71aa6842e450f12aca00fdf54c51d"
    inguma> rainbowmd5
    [+] Password: not found
rpcdump
Description
DCE/RPC endpoint mapper dumper
Parameters
- target = <target host or network>
- port = <target port>
Optional arguments:
- user = <username>
- password = <password>
Example
    inguma> target = "192.168.100.16"
    inguma> rpcdump
    [+] Trying an anonymous connection ...
    Gathered data
    -------------
    [+] Retrieving endpoint list from 192.168.100.16
    [+] Trying protocol 80/HTTP...
    [!] Protocol failed: HTTPTransport instance has no attribute '_HTTPTransport__socket'
    [+] Trying protocol 445/SMB...
    [!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
    [+] Trying protocol 135/TCP...
    [!] Protocol failed: unpack requires a string argument of length 12
    [+] Trying protocol 139/SMB...
    [!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
    [+] Trying protocol 135/UDP...
    [!] Protocol failed: timed out
    No endpoints found.
samrdump
Description
Dump the SAM database
Parameters
- target = <target host or network>
- port = <target port>
Optional arguments:
- username = <username>
- password = <password>
Example
    inguma> target = "192.168.100.16"
    inguma> user = "user1"
    inguma> password = "pass1"
    inguma> samrdump
    [+] Trying an anonymous connection ...
    [+] Retrieving endpoint list from 192.168.100.16
    [+] Trying protocol 445/SMB...
    Found domain(s):
     . TESTLAB-ED7B8FBD
     . Builtin
    Looking up users in domain TESTLAB-ED7B8FBD ...
    Found user: Administrateur, uid = 500
    Found user: ASPNET, uid = 1006
    Found user: HelpAssistant, uid = 1000
    Found user: Invité, uid = 501
    Found user: IUSR_TESTLAB-ED7B8FBD, uid = 1007
    Found user: IWAM_TESTLAB-ED7B8FBD, uid = 1008
    Found user: user1, uid = 1003
    Found user: SUPPORT_388945a0, uid = 1002
    User Administrateur
    -------------------
    Administrateur (500)Enabled:true
    timestamp out of range for platform time_t
    timestamp out of range for platform time_t
    Administrateur (500)Kickoff:mar., 21 déc. 2010 05:57:15
    timestamp out of range for platform time_t
    Administrateur (500)PWD Can Change:mar., 21 déc. 2010 05:57:15
    Administrateur (500)PWD Must Change:Infinity
    Administrateur (500)Group id: 513
    Administrateur (500)Bad pwd count: 5
    Administrateur (500)Logon count: 0
    Administrateur (500) Comment:
    Administrateur (500) Logon hours: Unlimited
    Administrateur (500) Parameters:
    Administrateur (500) Script:
    Administrateur (500) Account Name: Administrateur
    Administrateur (500) Full Name:
    Administrateur (500) Profile:
    Administrateur (500) Workstations:
    Administrateur (500) Description: Compte d'utilisateur d'administration
    Administrateur (500) Home Drive:
    Administrateur (500) Home:
    (...TRUNCATED...)
    User user1
    ----------
    user1 (1003)Enabled:true
    user1 (1003)Last Logon:mar., 25 janv. 2011 16:05:01
    timestamp out of range for platform time_t
    user1 (1003)Kickoff:mar., 25 janv. 2011 15:58:47
    timestamp out of range for platform time_t
    user1 (1003)PWD Can Change:mar., 25 janv. 2011 15:58:47
    user1 (1003)PWD Must Change:Infinity
    user1 (1003)Group id: 513
    user1 (1003)Bad pwd count: 0
    user1 (1003)Logon count: 51
    user1 (1003) Comment:
    user1 (1003) Logon hours: Unlimited
    user1 (1003) Parameters:
    user1 (1003) Script:
    user1 (1003) Account Name: user1
    user1 (1003) Full Name:
    user1 (1003) Profile:
    user1 (1003) Workstations:
    user1 (1003) Description:
    user1 (1003) Home Drive:
    user1 (1003) Home:
    (...TRUNCATED...)
    Received 8 entries.
smbclient
Description
A simple SMB Client
Parameters
Enter smbclient module to access the configuration:
    inguma> smbclient
    [+] Trying a NULL connection ...
    [+] Ok. It works.
    Current connection information
    ------------------------------
    Domain name : WORKGROUP
    Lanman : Windows 2000 LAN Manager
    Server name : OZYRIS-ED7B8FBD
    Operative System : Windows 5.1
    Server Time : ven., 28 janv. 2011 06:14:39 GMT -1
    Session Key : 0
    Is login required? True
    SMB> help
Here is the list of arguments:
- open host port
  - opens a SMB connection against the target host/port
- login username passwd
  - logs into the current SMB connection
- login_hash username lmhash nthash
  - logs into the current SMB connection using the password hashes
- logoff
  - logs off
- info
  - Get information about the current connection
- shares
  - list available shares
- use sharename
  - connect to an specific share
- cd path
  - changes the current directory to {path}
- pwd
  - shows current remote directory
- ls wildcard
  - lists all the files in the current directory
- rm file
  - removes the selected file
- mkdir dirname
  - creates the directory under the current path
- rmdir dirname
  - removes the directory under the current path
- put filename
  - uploads the filename into the current path
- get filename
  - downloads the filename from the current path
- cat filename
  - Show the contents of the filename
- close
  - closes the current SMB Session
- exit
  - terminates the server process (and this session)
- An empty line finishes the session
  - The server is not terminated, although it is left unusable
Example
smbgold
Description
Search for 'gold' in shared SMB directories
Parameters
- target = <target host or network>
Optional arguments:
- user = <username>
- password = <password>
Example
See issue here: http://code.google.com/p/inguma/issues/detail?id=11
sniffer
Description
A simple sniffer
Parameters
You must enter the sniffer module to access the parameters:
    inguma> sniffer
    SNIFFER> help
Here is the list of parameters:
- filter <pcap filter>
  - Specify a valid pcap filter
- iface <iface>
  - Specify which iface will be used
- run
  - Start sniffing
- save
  - Save the packets to a file
- help
  - Show this help
- exit
  - Exit from the sniffer
Example
In this example, we sniff HTTP requests to get a picture. We configure the interface that will listen to the traffic:
    inguma> sniffer
    SNIFFER> iface wlan0
    Interface is: wlan0
The "run" command starts the capture. To stop the capture, use ^C (CTRL+C).
    SNIFFER> run
    Sniffing in iface wlan0 ...
    Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www PA / Raw
    0000 00 50 8B BB F3 2E 70 F1 A1 A7 85 95 08 00 45 00  .P....p.......E.
    0010 04 68 D8 ED 40 00 40 06 BC 1F C0 A8 64 12 56 42  .h..@.@.....d.VB
    0020 26 86 89 A1 00 50 EA C3 59 32 4D AB 0B 0B 80 18  &....P..Y2M.....
    0030 02 EE 13 BB 00 00 01 01 08 0A 00 09 AC 89 29 63  ..............)c
    (...TRUNCATED...)
    03f0 33 0D 0A 43 6F 6F 6B 69 65 3A 20 46 35 5F 41 47  3..Cookie: F5_AG
    0400 45 46 49 50 48 3D 33 33 36 32 39 37 31 31 34 36  EFIPH=3362971146
    0410 2E 32 30 34 38 30 2E 30 30 30 30 0D 0A 49 66 2D  .20480.0000..If-
    0420 4E 6F 6E 65 2D 4D 61 74 63 68 3A 20 22 32 30 64  None-Match: "20d
    0430 64 32 39 36 33 64 31 34 63 62 31 3A 32 63 64 22  d2963d14cb1:2cd"
    0440 0D 0A 49 66 2D 4D 6F 64 69 66 69 65 64 2D 53 69  ..If-Modified-Si
    0450 6E 63 65 3A 20 46 72 69 2C 20 32 35 20 4A 75 6E  nce: Fri, 25 Jun
    0460 20 32 30 31 30 20 30 38 3A 30 38 3A 32 36 20 47   2010 08:08:26 G
    0470 4D 54 0D 0A 0D 0A  MT....
    Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www PA / Raw
    0000 00 50 8B BB F3 2E 70 F1 A1 A7 85 95 08 00 45 00  .P....p.......E.
    0010 04 68 D8 EE 40 00 40 06 BC 1E C0 A8 64 12 56 42  .h..@.@.....d.VB
    0020 26 86 89 A1 00 50 EA C3 59 32 4D AB 0B 0B 80 18  &....P..Y2M.....
    0030 02 EE 13 7D 00 00 01 01 08 0A 00 09 AC C7 29 63  ...}..........)c
    0040 D7 E0 47 45 54 20 2F 6E 65 77 73 6C 65 74 74 65  ..GET /newslette
    0050 72 73 2F 6C 61 73 74 5F 6E 6C 5F 70 72 6F 2F 69  rs/last_nl_pro/i
    0060 6D 61 67 65 73 2F 5F 62 6C 61 6E 6B 2E 67 69 66  mages/_blank.gif
    0070 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
    (...TRUNCATED...)
    ^C
Once the capture is complete, use the "save" command to save the capture in a file. You will be prompted for a file name.
    SNIFFER> save
    Output filename:inguma.sniff.pcap
When you leave the sniffer module, you will be presented with a summary of the capture:
    SNIFFER>
    0000 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www PA / Raw
    0001 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www PA / Raw
    0002 Ether / IP / TCP 86.66.38.134:www > 192.168.100.18:35233 PA / Raw
    0003 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www A
    0004 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www PA / Raw
    0005 Ether / IP / TCP 86.66.38.134:www > 192.168.100.18:35233 A / Raw
    0006 Ether / IP / TCP 86.66.38.134:www > 192.168.100.18:35233 PA / Raw
    0007 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www A
    0008 Ether / IP / TCP 86.66.38.134:www > 192.168.100.18:35233 PA / Raw
    0009 Ether / IP / TCP 192.168.100.18:35233 > 86.66.38.134:www A
    0010 Ether / ARP who has 192.168.100.18 says 192.168.100.1 / Padding
    0011 Ether / ARP is at 70:f1:a1:a7:85:95 says 192.168.100.18
    Sniffed a total of 12 packet(s)
tcpproxy
Description
A simple TCP proxy for port forwarding
Parameters
- target = <target host or network>
- port = <target port>
- newport = <new target port>
Example
tcpscan
Description
Simple TCP port scanner
Parameters
- target = <target host or network>
- timeout = <timeout>
Example
    inguma> target = "192.168.100.16"
    inguma> tcpscan
    Scanning port 17004 (418/418)
    Open Ports
    ----------
    Port 1029 is open
    Port 135/loc-srv is open
    Port 3306/mysql is open
    Port 139/netbios-ssn is open
    Port 5900 is open
    Port 80/www is open
    Port 445/microsoft-ds is open
tnscmd
Description
Interact with an Oracle TNS Listener
Parameters
- target = <target host or network>
- port = <target port>
- sid = <sid name>
Example
udpscan
Description
Simple UDP port scanner
Parameters
- target = <target host or network>
- timeout = <timeout>
Example
unicornscan
Description
A wrapper for the Unicornscan tool.
Parameters
- target = <target host or network>
- source = <source address>
- port = <target port>
- sport = <source port>
- pps = <packets per second>
- mode = <scan mode>
  - U: UDP
  - T: TCP SYN (used by default)
  - 'sf': TCP Connect
  - A: arp
For -mT you can also specify TCP flags following the T, for example -mTsFpU, which would send TCP SYN packets with (NO Syn|FIN|NO Push|URG).
Example
webserver
Description
A simple Web Server and Crawler, useful if used with the DnsSpoof module
Parameters
- crawl = <True/False>
- target = <target URL to crawl if True>
- port = <server port>
Example
winspdetect
Description
Detect service pack using remote registry (LAME).
Parameters
- target = <target host or network>
Example
xmlrpc
Description
Interact with an XMLRPC server
Parameters
- target = <target host or network>
- port = <target port>
Example