WHAT IS GHOST EYE ?

Because of the latest release of BlackBuntu and considering that Ghost Eye is included therein, I was asked to write about Ghost Eye.

Ghost Eye is an Information Gathering - Foot printing and Reconnaissance Tool made in Python 3. It includes some important tools for Information Gathering. For more information please feel free to visit the Github repository.

Install Ghost Eye on Linux

I advise everyone to read this carefully, it is often forgotten during installation that Ghost Eye is using python3. So before to move further, please check if Python 3 is already present in your machine. If you need to install it, just follow the below commands.

Install Python 3 on Arch Linux and its distros:

sudo pacman -S python3

Install Python 3 on Debian and its distros:

sudo apt install python3

Futhermore, you will need to install also Nmap and EtherApe too:

On Arch Linux and its distros:

sudo pacman -S nmap etherape

On Debian and its distros:

sudo apt install nmap etherape

If you are done with the above requirements, you can move on the next step and clone the Ghost Eye repository to your computer.

sudo git clone https://github.com/BullsEye0/ghost_eye.git
cd ghost_eye
sudo pip3 install -r requirements.txt

Usage

python3 ghost_eye.py

In some case Ghost Eye can require root privilege to execute third-parties applications such as EtherApe.

sudo python3 ghost_eye.py

The unique thing you have to do, it's to complete the above command with the website or the IP address you want to scan.

getting-started-with-ghost-eye


ETHERAPE

Let's start with the third (Option 3). Personally, I think this is one of the nicest and most useful tools to see what is happening in your network environment. Certainly in combination with Wireshark. I would say, try this amazing tool, and see what happens if you open a random link. You will be amazed by this ..!

getting-started-with-ghost-eye

EtherApe is a graphical network monitor and a packet sniffer that collects information and displays it graphically and it supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic to be shown, and can read packets from a file as well as live from the network.

Below something more extensive

Ethernet: (IEEE 802.3) is a network standard with which computers in a LAN communicate with each other. The Institute of Electrical and Electronics Engineers (IEEE) defines Ethernet as protocol 802.3. But "Ethernet" is a lot easier to pronounce, and probably also the name under which you know this essential connection to the internet. On top of the Ethernet layer are protocols, of which TCP / IP is the best known and most used.

WLAN: Abbreviation for 'Wireless LAN', or 'Wireless Local Area Network'. A wireless connection between different computers or computer devices that are close together. There are various techniques for setting up a wireless local network. The most important are WiFi and Bluetooth. This gives users the ability to move around within the area and yet still be connected to the network. Through a gateway, a WLAN can also provide a connection to the wider Internet.

FDDI: Fiber Distributed Data Interface which is an optical data communication standard used for long distance networks provides communication with fiber optic lines up to 200 kilometers at a speed of 100 megabit per second (Mbps).


Token Ring: A local area network in which a node can only transmit when in possession or a sequence of bits (the token), which is passed to each node in turn.

EterApe was originally written by Juan Toledo. The first version of EtherApe (version 0.0.1) was released on February 18, 2000. Because it has been around for a long time, it also reflects the power of this tool. The Node statistics can also be exported.

TO USE ETHERAPE YOU NEED ROOT PRIVILEGES

If you are using any the latest version of pentest distributions such as Kali Linux, Parrot Security or BlackArch, EtherApe is already installed. If EtherApe is not present in your machine and you need to install it, simply open your terminal and use the below commands.

Debian-based:

sudo apt install etherape

Arch-based:

pacman -S etherape

Fedora:

dnf install etherape

Centos:

yum install etherape

You may receive an error message during installation. This is often GNOME related, and especially with old distros. In such case, I recommend to check whether the below packages are installed in your machine. If theses packages are not yet installed, you can install it using the below commands:

Debian-Based:

# Install missing packages
sudo apt install libglade2-0 libglib2.0-0 libgnomecanvas2-0 libgtk2.0-0 libpango1.0-0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libcap2 libpopt0 libxml2

# Install missing dependencies
sudo apt -f install

getting-started-with-ghost-eye

There are so many options for using EtherApe. To move further, you can take a look around or use the man page.

man etherape

WHOIS LOOKUP

The second tool that we will discuss is the whois tool (Option 1 in Ghost Eye tool). whois searches for an object in a whois database. whois is a query and response protocol that is widely used for searching databases that present users from an internet source, such as a domain name of an IP address.

As part of the domain registration process, registrants must provide their registrar with correct and dependable contact details and make sure this information is kept up to date. Failing to provide reliable information, or a willful failure to replace out of date data supplied to a registrar, can lead to your registration being canceled. The registrar that you pick will ask you to offer contact and technical records, some of which are required by ICANN (The Internet Corporation for Assigned Names and Numbers). Personal data such as e-mail address, address, etc. can be included in a WHOIS result.

There will be the following details of the registrant.

  • Name
  • Organization
  • Street
  • City
  • State
  • Postal Code
  • Country
  • Phone
  • Fax
  • Email

As you can see, to get information from a certain website or IP address, the whois tool is very useful, and can provides you quickly accurate information.

getting-started-with-ghost-eye


THE DNS LOOKUP

The next option that we will discuss is the DNS Lookup tool (Option 2 in Ghost Eye tool). DNS stands for "Domain Name System" and is the process by which a DNS record has been returned from a DNS server. Just like looking up a phone number in a phone book - that's why it's referred to as a "lookup".

Interconnected computers, servers and smart phones need to know how to translate the email addresses and domain names people use into meaningful numerical addresses. A DNS lookup performs this function. There is so much to tell about DNS, but I wouldn't bore you with that.

getting-started-with-ghost-eye



NMAP PORT SCAN

Nmap port scan (Option 4 in Ghost Eye tool). Nmap is the most used tool for scanning open ports. Naturally, Nmap can do much more than that. Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.

In Ghost Eye, the Nmap scans the specified link or IP address and searches for open ports. An nmap -Pn scan is used in the Ghost Eye script. -Pn is used to treat all hosts as online - skip host discovery

getting-started-with-ghost-eye

As you can see in the example above there are quite a lot of open ports. On the basis of this you could investigate whether a port is vulnerable or not. For further research I can refer you to one of my previous articles explaining how to use Nmap NSE scripts to find vulnerabilities.


HTTP HEADER GRABBER

HTTP Header Grabber (Option 5 in Ghost Eye tool). The HyperText Transfer Protocol (HTTP) is a client-server protocol powering most of the internet. Every time you surf the internet, your browser sends HTTP requests for HTML pages, images, scripts, and style sheets. Web servers handle these requests by returning responses containing the requested resource, thus completing the HTTP request-response cycle.

getting-started-with-ghost-eye


CLICKJACKING TEST - X-FRAME-OPTIONS HEADER

Clickjacking - X-Frame Options (Option 6 in Ghost Eye tool). Clickjacking is an attack when an attacker uses a transparent iframe in a window to trick a user into clicking on button or link, to another server in which they have an identical looking window. The attacker in a sense hijacks the clicks meant for the original server and sends them to the other server.

X-Frame-Options is an HTTP response header, also referred to as an HTTP security header. This header tells your browser how to behave when handling your site’s content.

X-Frame-Options are used to indicate whether the browser can render a page in an iframe, frame or object. The three possible values are:

  • DENY: The page cannot be rendered in a frame under any circumstance.
  • SAMEORIGIN: The page can only be displayed in a frame if the "framing" site is on the same origin.
  • ALLOW-FROM: The page can only be framed from a specific origin.

HOW TO ENABLE X-FRAME-OPTIONS HEADER

Enable on Nginx

To enable the x-frame-options header on Nginx simply add it to your server block config.

add_header x-frame-options "SAMEORIGIN" always;

Enable on Apache

To enable on Apache simply add it to your httpd.conf file (Apache config file).

header always set x-frame-options "SAMEORIGIN"

Enable on IIS

To enable on IIS simply add it to your site’s Web.config file.

<system.webServer>
    <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

getting-started-with-ghost-eye


ROBOTS.TXT SCANNER

Robots.txt Scanner (Option 7 in Ghost Eye tool). The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.

When you say “move along, nothing to see here”, the bad guys get interested

Vulnerabilities in robots.txt Detection is a Low risk vulnerability that is one of the most frequently found on networks around the world. BUT sometimes you come across something special. Nevertheless, in this case I must also refer you back to the article about Google Dorks.


Is someone trying to hide their password? :-D

Google Dork

inurl:"/robots.txt" + "Disallow: passwords.txt"

getting-started-with-ghost-eye getting-started-with-ghost-eye

Again ... You should be very careful when you are writing your "robots.txt" because if someone checks it or someone with some imagination searches on Google with this types of queries, you could be a hacker's target !

Hacking can be so difficult ... But sometimes it's oh so easy ..!


LINK GRABBER

Link Grabber (Option 8 in Ghost Eye tool). The Link Grabber will parse the html source code of a website and extract links from the page. The hrefs or "page links" are displayed in plain text for easy review.

The purpose of this tool is to find hidden links and look for irregularities on a website. It can be use also to find login or registration page and much more.

getting-started-with-ghost-eye


IP LOCATION FINDER

IP Location Finder (Option 9 in Ghost Eye tool). Have you ever wondered where a certain website or IP address can be located ? With the IP Location Finder you can retrieve this information. For a given URL or IP, the tool will return you the latitude and longitude of the device or the server. There is not so much to tell about this tool, I think it cannot be clearer.

getting-started-with-ghost-eye


TRACE ROUTE

Trace Route (Option 10 in Ghost Eye tool). As the name suggests trace route, means tracing the path. Trace route is a network based utility which shows the path over the network between two systems and lists all the intermediate routers to get to the final destination. The main purpose of trace route is to fix network problems. This helps you in identifying, while connecting to some network where the connection is actually slowing down, which intermediate router is responsible for that.

Using the internet to connect to anything that’s not on your local network or handled by your internet service provider traceroute tracks the route packets taken from an IP network on their way to a given host. It utilizes the IP protocol's time to live (TTL) field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to the host.

When reviewing your results, you’ll see the following information for the path:

  • The number
  • The amount of time it took for each of the three tries in milliseconds
  • The IP address of the node at that hop
  • The domain name (if available).

getting-started-with-ghost-eye


HAVE I BEEN PWNED

Have I been pwned (Option 11 in Ghost Eye tool). Have I been pwned is a script that I wrote and placed in Ghost Eye. It allows you to search across multiple data breaches to see if your email address has been compromised.

Have I been pwned is a website that allows internet users to check if their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for internet users wishing to protect their own security and privacy. More information can be found in the Wikipedia page.

Website: https://haveibeenpwned.com

Conclusion

I hope you found it informative. Look at the Github page now and then to see if the Ghost Eye tool has been updated. I definitely intend to expand this tool in the future.

If you have any questions about this article or if you want to share your thoughts with us, please feel free to do it using the below comment form.