Network Mapping

The network mapping directory contains software for exploring and documenting the layout of a network, traffic paths through a network, services provided by machines on a network, and performance between nodes on a network.

o amap
  Amap is a next-generation scanning tool that identifies applications and services even if they are not listening on the default port by creating a bogus communication.

o arping
  Broadcasts a who-has ARP packet on the network and prints answers. Very useful when you are trying to pick an unused IP for a net that you don't yet have routing to.

o cheops
  Cheops is a network "swiss army knife". It's "network neighborhood" done right (or gone out of control, depending on your perspective). It's a combination of a variety of network tools to provide system administrators and users with a simple interface to managing and accessing their networks. Additionally, cheops has taken on the role of a network management system, in the same category as one might put HP Openview.

o clink
  clink (Characterize Links) is a utility I wrote that does the same thing as pathchar -- it estimates the latency and bandwidth of Internet links by sending UDP packets from a single source and measuring round-trip times. The basic mechanism is similar to ping and traceroute, except that clink generally has to send many more packets.

o dnstracer
  dnstracer determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

o domtools
  domtools allows you to traverse DNS domain hierarchies, list all hosts (or subdomains) within a given domain, convert host name to IP address and vice-versa, convert a normal IP address to the "in-addr.arpa." format and vice-versa, and more. These commands can be used manually, or included as building blocks for higher level DNS tools. They generate output that is easily computer parsable.

o filterrules
  Filterrules is a program which allows you to determine the rules of a firewall in a very reliable way. It is made up of two parts: a "master", in charge of forging several IP packets, and a "slave", which listens on the other side of the firewall and tells the master which packets passed through. At the end of the test, the firewall rules are displayed in the ipfw format.

o firewalk
  Firewalking is a technique developed by Mike D. Schiffman and David E. Goldsmith that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device.

o fping
  fping is a ping-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a host is up. fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping.

o gps
  gps (ghost port scan) is a port scanner and firewall rules disclosure tool that uses IP spoofing, ARP cache poisoning and other methods in order to collect information on a host while inserting misleading information into any IDS watching the host or network that is being scanned.

o hping
  hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features. While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts.

o mtr
  mtr combines the functionality of the 'traceroute' and 'ping' programs in a single network diagnostic tool. As mtr starts, it investigates the network connection between the host mtr runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

o NBTScan
  NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human readable form. For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

o NetPerf
  Netperf is a benchmark that can be used to measure the performance of many different types of networking. It provides tests for both unidirectional throughput and end-to-end latency. The environments currently measurable by netperf include TCP and UDP via BSD Sockets, DLPI, Unix Domain Sockets, Fore ATM API, HP HiPPI Link Level Access.

o nmap
  Nmap ("Network Mapper") is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available.

o p0f
  p0f is a passive OS fingerprinting utility that can identify a remote machine from just the TCP SYN packet of an incoming connection. p0f can also detect the type of network the remote machine is connected to, will often detect NAT, firewall presence, and even the name of the remote machine's ISP, all without generating any network traffic. Now integrated into OpenBSD's "pf" packet filter.

o pchar
  pchar is a tool to characterize the bandwidth, latency, and loss of links along an end-to-end path through the Internet. It is based on the algorithms of the pathchar utility written by Van Jacobson, formerly of Lawrence Berkeley Laboratories.

o siphon
  The Siphon Project is a passive network mapping software suite. This software has the ability to map network information including port information, operating system detection, topology mapping, vulnerability analysis and network usage statistics without sending out a single packet.

o winfingerprint
  Winfingerprint is an application to fingerprint a computer running Windows, providing information about the OS itself, what services it is running, lists of users, shares, transports, sessions, service packs and hotfixes in place, date and time, disks etc.

o xprobe
  Written and maintained by Fyodor Yarochkin and Ofir Arkin, Xprobe (I & II) is an active OS fingerprinting tool based on Ofir Arkin's ICMP Usage In Scanning research project. Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any available "-README.txt" files.)