分享
 
 
 

翻译作品之六100 Industrial-Strength Tips & Tools for the ScriptKiddie (UNIX Ver.)

王朝system·作者佚名  2006-01-29
窄屏简体版  字體: |||超大  

翻译作品之六100 Industrial-Strength Tips & Tools for the ScriptKiddie (UNIX Ver.)

一.前言:

本人翻译系列文章,很担心里面出错的地方会误人,不过心里还是有去做一做的,我

是通过自己的理解来翻译的,如果我的理解错误了,或许是我不理解的部分也不经意翻译

了,那必然会给各位多多少少的误导,所以我在文章后面都附上原文。请想看对照原文来

阅读!最主要是自己去理解,不要单看我一家之言。

二.正文:

100个给脚本小子的强有力的工业化的技巧和工具(UNIX Ver.)

(好,100 是无论怎么样的都要达到的目标.......)

技巧数:13(递送这些技巧!)

------------------------------------------------------

1.产生目标主机的ip列表

------------------------------------------------------

从一个普通的命令行扫描器得到ip地址列表

------------------------------------------------------

nmap是众所周知的端口扫描器,对很多事情都很有用,通过用nmap产生一个列表,你

能用cut和grep命令来得到一个很好的ip地址的列表。首先我一步步地用这些命令,因此

你能理解整个逻辑:

root# nmap -sL 192.168.1.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Host (192.168.1.0) not scanned

Host (192.168.1.1) not scanned

Host (192.168.1.2) not scanned

Host (192.168.1.3) not scanned

Host (192.168.1.4) not scanned

...and so on until 192.168.1.255

这个-sL选项告诉nmap,仅仅是创建一个列表和不扫描ip地址。在这种情况下,我们只有

想这个结果是用"Host"与grep命令精细地混合起来:

root# nmap -sL 192.168.1.0/24 | grep "^Host"

Host (192.168.1.0) not scanned

Host (192.168.1.1) not scanned

Host (192.168.1.2) not scanned

Host (192.168.1.3) not scanned

Host (192.168.1.4) not scanned

现在每行都类似的,允许我们更进一步用cut命令处理输出:

root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2

192.168.1.0) not scanned

192.168.1.1) not scanned

192.168.1.2) not scanned

192.168.1.3) not scanned

192.168.1.4) not scanned

...continues

首先我们用-d'('划定一个范围,因此第一块事实上"Host (",第二块就是留下的部分。现在我们需要摆脱ip地址后面的,因此我们仍旧再用cut 用 -d')' 和指定第一块:

root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1

192.168.1.0

192.168.1.1

192.168.1.2

192.168.1.3

192.168.1.4

...continues

试着更加秘密地随机排列ip地址:

root# nmap -sL 192.168.1.0/24 --randomize_hosts | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1

192.168.1.44

192.168.1.192

192.168.1.201

192.168.1.43

192.168.1.149

...continues

因为我们想去产生一个列表,每次去打这些命令很浪费时间,最好的放这些命令到一个shell脚本:

#!/bin/bash

nmap -sL $1 --randomize_hosts | grep '^Host' | cut -d '(' -f 2 | cut -d

')' -f 1

保存它到一个文件,令他可以被执行,重定向输出到一个文件:

root# chmod +x iplist.sh

root# ./iplist.sh 192.168.1.0/24 > iplist.txt

root# head -5 iplist.txt

192.168.1.215

192.168.1.39

192.168.1.168

192.168.1.11

192.168.1.225

同样可以看:

nmap: http://www.insecure.org/nmap

grep man page

cut man page

head man page

-------------------------------------------------------------------

2.倾销htlm源码

-------------------------------------------------------------------

从头到尾搜索html源码,得到一个有用的信息

-------------------------------------------------------------------

抓取html源码能帮助得到目标的信息,几个例子可能包括检查一个网站的应用程序和查看http头.以下是一个简单的封装的用于netcat的脚本:

#!/bin/sh

echo -e "GET $2 HTTP/1.0\n\n" | nc -vv $1 80

我们试这个脚本在我们喜欢的目标站点,了解他们运行了什么:

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php

Warning: inverse host lookup failed for 192.168.1.102: Unknown host

www.elitehax0r.com [192.168.1.102] 80 (www) open

HTTP/1.1 200 OK

Date: Sat, 08 Mar 2003 22:08:03 GMT

Server: Apache/1.3.27 (Unix) mod_log_bytes/1.0 mod_bwlimited/1.0 PHP/4.3.1

FrontPage/5.0.2.2510 mod_ssl/2.8.12 OpenSSL/0.9.6b

X-Powered-By: PHP/4.3.1

Connection: close

Content-Type: text/html

等等.在这点我们甚至可以开始通过关键词grep 输出文件:

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | grep -i 或者

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | > grep -i "type=\"password\""

发挥自己的想象取得和尝试查询字符串,默认的脚本,sql关键词,等.

-----------------------------------------------------------------

3.耕作网站的连接和email地址

-----------------------------------------------------------------

创建一个网站连接和email地址穷举的相关的数据库

-----------------------------------------------------------------

lynx 命令行的浏览器同样能用来反映一个当地的站点:

$ lynx -crawl -traversal "http://www.elitehax0r.com"

然后 一个简单的调用我们友好的grep和cut去耕作目标的信息:

$ grep "http://" * | cut -d "/" -f3 | sort | uniq > links.txt

尝试"mailto:".等等,对于email地址,这个分界符和块号可能需要一下改变来使得他正确工作.

------------------------------------------------------------------

4.产生一个dns服务列表

------------------------------------------------------------------

通过bind版本脚本得到dns列表

------------------------------------------------------------------

在产生一个ip地址列表之后,你可能想去产生另外一个dns服务列表,这个可以通过进一步用一个bind版本扫描器来加工.

如果我们手工打入一个c类的ip,会永远进行下去,让我们用www.elitehax0r.com作为一个例子(不敢肯定域名是否存在):

]modular@truncode$ host www.elitehax0r.com

www.elitehax0r.com. has address 192.168.1.101

]modular@truncode$ whois 192.168.1.101

OrgName: ELITE HAX0R, INC.

OrgID: HAX

Address: 31337 Hax0r Parkway

City: ScriptKiddie

StateProv: CA

PostalCode: 31337

Country: US

NetRange: 192.168.1.0 - 192.168.1.255

CIDR: 192.168.1.0/24

NetName: HAX0R

NetHandle: NET-666-666-66-0-1

Parent: NET-666-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.ELITEHAX0R.COM

NameServer: NS2.ELITEHAX0R.COM

NameServer: NS3.ELITEHAX0R.COM

NameServer: NS4.ELITEHAX0R.COM

Comment:

RegDate: 2000-10-16

Updated: 2001-04-15

TechHandle: HAX-ARIN

TechName: Elite Hax0r, Inc.

TechPhone: +1-900-BAD-CODE

TechEmail: arin-contact@elitehax0r.com

# ARIN WHOIS database, last updated 2003-03-07 20:00

# Enter ? for additional hints on searching ARIN's WHOIS database.

我们想那些以'NameServer:'的所有行,因此你可能认为,恰好用grep和cut:

]modular@truncode$ whois 216.239.53.101 |grep '^NameServer:' |cut -d' ' -f2

NS1.ELITEHAX0R.COM

NS2.ELITEHAX0R.COM

NS3.ELITEHAX0R.COM

NS4.ELITEHAX0R.COM

当然这样可以。你甚至可以放那些行到一个脚本和读一个ip地址的文件,但是我想这个perl脚本是一流的解决方法:

#!/usr/bin/perl

open(FILE,$ARGV[0]);

while() {

chomp;

@domains = (@domains,$_);

}

close FILE;

foreach $domain(@domains) {

@lines=`whois $domain`;

$input = join(" ",@lines);

while($input =~ s/NameServer:\s(\S*)//) {

@nameservers = (@nameservers,$1);

}

foreach $nameserver(@nameservers) { print "$nameserver\n"; }

undef (@nameservers);

}

这个脚本是恰恰是做了我们用grep和cut所做的,它读取一个文件的命令行。对每一个ip地址,whois被执行。任何行匹配'NameServer:'被考虑成匹配的和这个dns服务被放到@nameservers数组 在脚本的最后输出这个数组.

尝试修改这个脚本去输出到一个文件为了能更进一步地加工它.

以下的脚本是一个解决的方法对于一个主机名列表胜于ip地址:

#!/usr/bin/perl

print "modular\@truncode.org\n\n";

if($#ARGV<0) { print "usage: ./nsrip.pl

\n\n"; }

else {

$output = $ARGV[1];

open(IN, "$ARGV[0]");

open(OUT, ">>$output");

while () {

@result = `host -tns $_`;

foreach $line (@result) {

if($line =~ /name server/) {

chomp($line);

($ichi, $ni, $san, $shi) = split(/ /,$line);

}

print OUT "$shi\n";

}

}

close (IN);

close (OUT);

}

----------------------------------------------------------------------

5.找到dns服务,进行溢出.

----------------------------------------------------------------------

搜索一个子网,找到有漏洞的bind版本(这是无价值的网络管理人员)

----------------------------------------------------------------------

如果你成功产生一个dns服务列表从技巧#4,你可以用这些主机名去完成下面的例子.

如果你想在一个bind名字服务器通过连接到假冒的域的version.bind ,在一个CHAOSNET 类里查询一个txt档案,你可能得到一些和如下类似的:

$ dig @ns1.elitehax0r.com version.bind txt chaos

; <<>> DiG 9.2.1 <<>> version.bind txt chaos

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5096

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;version.bind. CH TXT

;; ANSWER SECTION:

version.bind. 0 CH TXT "9.2.1"

任何聪明的网络管理员也会改变version.bind的输出或者是完全不返回任何东西,我们的目标是取得出现漏洞的版本.

一个简单的shell脚本应该有能力:

#!/bin/bash

IN=$1

OUT=$2

for LIST in `cat $IN`

do

echo "Checking Server : $LIST" >> $OUT

dig @$LIST version.bind chaos txt | grep -i VERSION.BIND | cut -f6 >> $OUT

done

输出会看起来类似这样:

Checking Server : NS1.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS1.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS2.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS2.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS3.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS3.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS4.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS4.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

注意:有时你可能不得不改动块号而用cut来显示正确的块.

这是很好的,不过有一些缺点,我们可以grep一些漏洞版本用来制成输出文件,但是这是单调乏味的,仅增加一个函数功能到脚本可以解救我们.

------------------------------------------------------------------

6.反向查找一个ip地址列表

------------------------------------------------------------------

反向查找一个ip地址列表得到他们的各自主机名

------------------------------------------------------------------

这个技术在一个危及网络安全的足迹定位方面是很有用的.在我们检测目标域拥有的网络块之后,我们能加工去进行反向查找所有的机器.这个正确点是什么呢?好的,有时一些公司做一愚蠢的事情和命名他们的机器为mail,ftp,router,和firewall。例如:我肯定你能看到这些可能性!

这是微不足道的去写一个小的可以自动化反向查找的perl脚本:

#!/usr/bin/perl

if($#ARGV<0){ print "usage: ./revip.pl \n"; }

else {

open(IN,"$ARGV[0]") or die ("cannot open $ARGV[0]");

open(OUT,">>$ARGV[1]") or die ("cannot create $ARGV[1]");

}

while () {

@numbers = split(/\./, $_);

$ip_number = pack("C4", @numbers);

($name) = (gethostbyaddr($ip_number, 2))[0];

if ($name) {

print OUT "$name\n";

} else { ; }

}

close (IN);

close (OUT);

这个脚本获得一个文件,在点的地方,分离成八字节的各自ip地址.那时这个pack()函数得到4个无符号变量值和包装他们成为一个二进制结构,因为gethostbyaddr() 每次返回主机名。

----------------------------------------------------------------

7.暴力夺取普通域后缀

----------------------------------------------------------------

假如你有个特别的目标域在心中和你想要迅速查出他们延伸到多远。你能用host命令:

$ host www.elitehax0r.com.sg

www.elitehax0r.com.sg. is an alias for portal.sg.elitehax0r.com.sg.

portal.sg.elitehax0r.com.sg. has address 192.168.1.22

这是很好的对一个国家,但是这个目标将看到多少个国家指定他们的域,留给perl来工作:

#!/usr/bin/perl

$site = $ARGV[0];

$output = $ARGV[1];

open(OUT, ">>$output");

# country codes

@codes=('as', 'at', 'be', 'ca', 'cc', 'ch', 'cl', 'co.at', 'co.cc',

'co.cx', 'co.dk', 'co.id', 'co.in', 'co.io', 'co.jp', 'co.ke',

'co.kr', 'co.nz', 'co.pl', 'co.pt', 'co.th', 'co.tv', 'co.tw',

'co.uk', 'co.vi', 'co.ws', 'com', 'com.ar', 'com.au', 'com.bh',

'com.bi', 'com.br', 'com.bs', 'com.co', 'com.ec', 'com.gt', 'com.gu',

'com.hk', 'com.ky', 'com.mo', 'com.mx', 'com.my', 'com.ph', 'com.pk',

'com.pl', 'com.pr', 'com.py', 'com.sg', 'com.tj', 'com.tr', 'com.tw',

'com.ws', 'cz', 'de', 'es', 'fr', 'gr', 'hu', 'ie', 'io', 'it', 'lu',

'mc', 'mw', 'nl', 'nu', 'pl', 'ro', 'ru', 'tv', 'ws', 'cx');

$max = @codes;

for ($count = 0; $count <= $max; $count++)

{

$return = `host site.@codes[$count]$site.@codes[$count]`;

if ($return =~ /has address/i) {

($domain,$has,$address,$ip) = split(/ /,$return);

chomp $ip;

if ($ip =~ /alias/i)

{

;

} else {

print OUT "$ip\n";

}

}

}

close (OUT);

}

这个脚本声明了一个指定域后缀的数组然后用host来循环他们当搜索那些有'has address'的那些行。那时行被分离成多个标记,最后打印出被发现的ip地址.

如果需要的话,可以简单地增加新的后缀到这个数组.

----------------------------------------------------------------------

8.读取和替代apache的access-log文件

----------------------------------------------------------------------

http 请求运行apache服务器取得记录到access-log文件。在一个特别的机器,我显示三个例子:

root# locate access_log

/usr/local/apache/logs/access_log

/usr/oracle/Apache/Apache/logs/access_log

/var/log/apache/access_log

在一个繁忙的web服务器上,你能找到无数的日志,例如 access-log.1 access-log.2

以下的简单输入显示7块:

ppp.hax0r.net - - [11/Sep/2001:09:15:06 -0700] "GET /cgi-perl/newsgrab.pl?group=alt.binaries.centerfolds HTTP/1.0" 200 683015

第一块是客户端地址。第二快是用一个认证协议来检测使用者的身份(在这里是空白).

第三块能被填充用使用者的名字(在这里同样用空白).第4块出示当地的日期和时间.

第五块:出示http请求(正确的请求).第六块出示状态代码.第七块出示多少字节被送到客户端.

有两个可能的块:咨询和客户端所用的软件.

以下的脚本简单查找出那些指定access-log所用的参数一和参数二的不匹配的每样东西.输出被定向到一个临时文件然后移回到原始的access-log文件。这个简单的方法能显而易见被用在任何纯文本日志文件.

#!/bin/sh

grep -v '$1' $2 > tmp && mv tmp $2

rm tmp

-------------------------------------------------------------

9.做一个快速的区传输

-------------------------------------------------------------

产生一个ip地址列表从一个dns区传输列表

-------------------------------------------------------------

一个dns区传输能从一个域给出一个很好的目标服务列表.同过用host命令我们能查出是否一个dns服务器能提供给我们一个区传输:

$ host -l elitehax0r.com ns1.eliteisp.com

Using domain server:

Name: ns1.eliteisp.com

Address: 192.168.1.50#53

Aliases:

elitehax0r.com. SOA ns1.eliteisp.com. support.eliteisp.com. 1032896511 28800

7200 3600000 86400

elitehax0r.com. mail is handled by 0 elitehax0r.com.

elitehax0r.com. name server ns1.eliteisp.com.

elitehax0r.com. name server ns2.eliteisp.com.

elitehax0r.com. has address 192.168.1.102

0wnz.elitehax0r.com. has address 192.168.1.102

31337.elitehax0r.com. has address 192.168.1.102

ftp.elitehax0r.com. is an alias for elitehax0r.com.

localhost.elitehax0r.com. has address 127.0.0.1

mail.elitehax0r.com. is an alias for elitehax0r.com.

www.elitehax0r.com. is an alias for elitehax0r.com.

elitehax0r.com. SOA dns.eliteisp.com. support.eliteisp.com. 1032896511 28800

7200 3600000 86400

有时,我们可能想去产生一个ip地址列表从一个区传输,这是一个微不足道的任务对于perl来说:

#!/usr/bin/perl

print "modular\@truncode.org\n\n";

if($#ARGV<0) { print "usage: ./ztquick.pl

\n\n"; }

else {

$domain = $ARGV[0];

$ns = $ARGV[1];

$file = $ARGV[2];

open(OUT, ">>$file");

@zones = `host -l $domain $ns`;

foreach $line (@zones) {

if($line =~ /has address/) {

($ichi,$ni,$san,$shi) = split(/\./, $line);

print OUT "$ichi.$ni.$san.$shi\n";

}

}

}

close (OUT);

当做一个练习你可能修改这个脚本来读取在多域和dns服务器.

------------------------------------------------------------------

10,暴力夺取普通dns主机名

------------------------------------------------------------------

通过暴力夺取普通主机来鉴别一个服务任务

------------------------------------------------------------------

很多公司用普通主机名象mail,ftp,和gateway,例如,为了减轻系统管理员的任务.

这当然是愉快的对于一个攻击者,因为他泄露了服务意图和有时甚至是某种系统正在运行.

以下的perl脚本通过打开一个普通的主机名文件和加入每行到目标域来工作,gethostbyname函数被调用来完成dns的查找。

这个列表文件应该被填充用普通后缀例如ftp,mail,firewall,gateway,router,cisco,smtp,pop,dns,等等.在internet上搜索会找到足够数目的可用的列表.

#!/usr/bin/perl -w

$domain = $ARGV[0];

$list = $ARGV[1];

open(FILE, "$list") or die "\ncannot open $list\n $!";

foreach $host () {

chomp $host;

$target = $host . "." . $domain;

my ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($target);

foreach $i (@addrs) {

my ($a, $b, $c, $d) = unpack('C4', $i);

print "$target\t";

print "$a.$b.$c.$d\n";

}

}

重定向输出到一个文件或者修改到自己符合自己的品味.

-------------------------------------------------------------------------

11.找到一个suid文件

-------------------------------------------------------------------------

搜索所有被root拥有的文件

-------------------------------------------------------------------------

有suid位组的文件(当执行'ls'是可以从列表中看到在owner/group的地方有一个s的)允许一个使用者执行这个程序来假定identity/group有这个程序所有者的权限.

以下的shell脚本用一个find命令来找到所有文件属主和可被root执行的文件.

#!/bin/sh

for proggy in `find / -type -f -perm +5000 -print`

do

if [ -x $proggy ] ; then

owner="`ls -ld $proggy | awk '{print $3}'`"

lastmod="`ls -ld $proggy | awk '{print $6\" \"$7\" \"$8}'`"

echo " " $proggy " (owner is \"$owner\" and lastmod is $lastmod)"

fi

done

exit 0

-----------------------------------------------------------------------

12.暴力夺取smtp使用者

-----------------------------------------------------------------------

通过expn来暴力夺取普通使用者

-----------------------------------------------------------------------

expn命令允许某人telnet到一个sendmail服务器和提供服务器一个别名.这个expn命令扩展这个别名进入一个实际收件人的列表.

以下脚本允许自动操作发出expn命令到一个sendmail服务器的25端口:

#!/usr/bin/perl

use Socket;

$target = $ARGV[0];

$list = $ARGV[1];

$port = 25;

$in_addr = (gethostbyname($target))[4];

$t_addr = sockaddr_in($port, $in_addr);

$proto = getprotobyname('tcp');

socket(SOCKET, AF_INET, SOCK_STREAM, $proto) || die ("error: socket()");

connect(SOCKET, $t_addr) || die ("error: connect()\n");

select(SOCKET); $| = 1; select(STDOUT);

$sd = ; print "$sd\n\n";

open(FILE, "$list") or die "\ncannot open $list\n $!";

foreach $username () {

chomp $username;

print "$username:\n";

$string = "expn ".$username."\n";

print S $string;

$resp = ;

print "$resp";

sleep 1;

}

这个使用者列表应该包含普通用户象'root'.'guest', 'ftp', 'http', 'system',等.

------------------------------------------------------------------------

13.从一个web连接产生一个ip列表

------------------------------------------------------------------------

用lynx和perl从web连接产生一个ip地址列表

------------------------------------------------------------------------

在一个攻击者足迹定位中,它很有作用去耕作所有在一个目标web网页的连接和了解是否有那些任何关联到目标的连接.首先这个目标站点是被反映:

$ lynx -accept-all-cookies -crawl -traversal http://www.victim.net

那时我们搜索所有的连接和保存那些主机名到一个文件 :

$ grep -r "http://" * | cut -d"/" -f3 |sort |uniq > domains.txt

现在我们能运行一个合并host命令的perl脚本来产生一个ip地址列表:

#!/usr/bin/perl

open(FILE,$ARGV[0]);

while() {

chomp;

@hosts = (@hosts, $_);

}

close FILE;

foreach $line(@hosts){

$host = `host $line`;

if ($host =~ /has address/i) {

@ip = split(/has address /,$host);

$addr = @ip[1]; chomp $addr;

print "$addr\n";

}

}

三.原文:

100 Industrial-Strength Tips & Tools for the Script Kiddie (UNIX Ver.)

(well, 100 is the goal anyways...)

_ _

| |_ ___ _ _ ___ ___ ___ _| |___

| _| _| | | | _| . | . | -_|

|_| |_| |___|_|_|___|___|___|___|

* truncode security development *

http://truncode.org

modular <modular@truncode.org>

TIP COUNT: 13 (send in those tips!)

-------------------------------------------------------------------------------

1. Generate a list of target IP addresses

-------------------------------------------------------------------------------

A list of IP addresses to feed into a generic network command-line scanner

-------------------------------------------------------------------------------

The well-known port scanner, nmap, is useful for many things. By generating a

list with nmap, you can use the cut and grep commands to make a nice list of

IP addresses. First I will work through the commands step by step so you can

understand the logic:

root# nmap -sL 192.168.1.0/24

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Host (192.168.1.0) not scanned

Host (192.168.1.1) not scanned

Host (192.168.1.2) not scanned

Host (192.168.1.3) not scanned

Host (192.168.1.4) not scanned

...and so on until 192.168.1.255

The -sL option tells nmap to just create a list and not scan the IP address. In

this case we only want the lines beginning with "Host". The grep command fits

here nicely:

root# nmap -sL 192.168.1.0/24 | grep "^Host"

Host (192.168.1.0) not scanned

Host (192.168.1.1) not scanned

Host (192.168.1.2) not scanned

Host (192.168.1.3) not scanned

Host (192.168.1.4) not scanned

Now every line is similar, allowing us to process the output further with the

cut command:

root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2

192.168.1.0) not scanned

192.168.1.1) not scanned

192.168.1.2) not scanned

192.168.1.3) not scanned

192.168.1.4) not scanned

...continues

First we delimit the fields with a -d'(' so the first field is actually

"Host (". The second field in this case would be the rest of the line. Now we

need to get rid of everything after the IP address, so we use cut yet again

with a -d')' and specify the first field:

root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1

192.168.1.0

192.168.1.1

192.168.1.2

192.168.1.3

192.168.1.4

...continues

Try randomizing the IP addresses to be more stealthy:

root# nmap -sL 192.168.1.0/24 --randomize_hosts | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1

192.168.1.44

192.168.1.192

192.168.1.201

192.168.1.43

192.168.1.149

...continues

Since it is a waste of time to type this command out everytime we want to

generate a list, it is best to put these commands into a shell script:

#!/bin/bash

nmap -sL $1 --randomize_hosts | grep '^Host' | cut -d '(' -f 2 | cut -d

')' -f 1

Save it to a file, make it an executable, and direct the output to a file:

root# chmod +x iplist.sh

root# ./iplist.sh 192.168.1.0/24 > iplist.txt

root# head -5 iplist.txt

192.168.1.215

192.168.1.39

192.168.1.168

192.168.1.11

192.168.1.225

See also:

nmap: http://www.insecure.org/nmap

grep man page

cut man page

head man page

-------------------------------------------------------------------------------

2. Dumping HTML source

-------------------------------------------------------------------------------

Search through HTML source for useful information

-------------------------------------------------------------------------------

Grabbing HTML source can aid in a number of objectives. A few examples might

include inspecting a web application or looking at HTTP headers. The following

is a simple wrapper script for netcat:

#!/bin/sh

echo -e "GET $2 HTTP/1.0\n\n" | nc -vv $1 80

We try the script on our favorite target site to see what they are running:

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php

Warning: inverse host lookup failed for 192.168.1.102: Unknown host

www.elitehax0r.com [192.168.1.102] 80 (www) open

HTTP/1.1 200 OK

Date: Sat, 08 Mar 2003 22:08:03 GMT

Server: Apache/1.3.27 (Unix) mod_log_bytes/1.0 mod_bwlimited/1.0 PHP/4.3.1

FrontPage/5.0.2.2510 mod_ssl/2.8.12 OpenSSL/0.9.6b

X-Powered-By: PHP/4.3.1

Connection: close

Content-Type: text/html

And so on. At this point we could even start to grep the output for keywords:

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | grep -i \

or

]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | > grep -i "type=\"password\""

Get creative and try query strings, default scripts, sql keywords, etc.

-------------------------------------------------------------------------------

3. Farming Web Links and Email Addresses

-------------------------------------------------------------------------------

Create a database of web links and email addresses to enumerate associations

-------------------------------------------------------------------------------

The lynx command-line browser can also be used to mirror a site locally:

$ lynx -crawl -traversal "http://www.elitehax0r.com"

and then a simple call to our friends grep and cut to farm the target

information:

$ grep "http://" * | cut -d "/" -f3 | sort | uniq > links.txt

Try "mailto:", etc. for email addresses. The delimiter and field number may

need some tweaking to get it working correctly.

-------------------------------------------------------------------------------

4. Generating a List of DNS Servers

-------------------------------------------------------------------------------

A list of DNS servers to feed into a BIND version script

-------------------------------------------------------------------------------

After generating a list of IP addresses, you might like to generate another

list of DNS servers, that can be further processed by a BIND version scanner.

If we were to manually type in a class C network it would take forever. Let's

use www.elitehax0r.com as an example (not sure if that domain exists):

]modular@truncode$ host www.elitehax0r.com

www.elitehax0r.com. has address 192.168.1.101

]modular@truncode$ whois 192.168.1.101

OrgName: ELITE HAX0R, INC.

OrgID: HAX

Address: 31337 Hax0r Parkway

City: ScriptKiddie

StateProv: CA

PostalCode: 31337

Country: US

NetRange: 192.168.1.0 - 192.168.1.255

CIDR: 192.168.1.0/24

NetName: HAX0R

NetHandle: NET-666-666-66-0-1

Parent: NET-666-0-0-0-0

NetType: Direct Allocation

NameServer: NS1.ELITEHAX0R.COM

NameServer: NS2.ELITEHAX0R.COM

NameServer: NS3.ELITEHAX0R.COM

NameServer: NS4.ELITEHAX0R.COM

Comment:

RegDate: 2000-10-16

Updated: 2001-04-15

TechHandle: HAX-ARIN

TechName: Elite Hax0r, Inc.

TechPhone: +1-900-BAD-CODE

TechEmail: arin-contact@elitehax0r.com

# ARIN WHOIS database, last updated 2003-03-07 20:00

# Enter ? for additional hints on searching ARIN's WHOIS database.

We want all lines that begin with 'NameServer:'. So you might think, just use

grep and cut now:

]modular@truncode$ whois 216.239.53.101 |grep '^NameServer:' |cut -d' ' -f2

NS1.ELITEHAX0R.COM

NS2.ELITEHAX0R.COM

NS3.ELITEHAX0R.COM

NS4.ELITEHAX0R.COM

Of course this works. You could even put that line in a script and read a file

of IP addresses, but I think a perl script is a more elegant solution:

#!/usr/bin/perl

open(FILE,$ARGV[0]);

while() {

chomp;

@domains = (@domains,$_);

}

close FILE;

foreach $domain(@domains) {

@lines=`whois $domain`;

$input = join(" ",@lines);

while($input =~ s/NameServer:\s(\S*)//) {

@nameservers = (@nameservers,$1);

}

foreach $nameserver(@nameservers) { print "$nameserver\n"; }

undef (@nameservers);

}

This script is really just doing what we did with grep and cut. It reads in a

file off the command-line. For each IP address, whois is executed. Any line

that matches 'NameServer:' is considered a match and that DNS server is put into

the @nameservers array which is printed at the end of the script.

Try modifying this script to output to a file for further processing.

The following script is a solution for a list of hostnames rather than IP

addresses:

#!/usr/bin/perl

print "modular\@truncode.org\n\n";

if($#ARGV<0) { print "usage: ./nsrip.pl

\n\n"; }

else {

$output = $ARGV[1];

open(IN, "$ARGV[0]");

open(OUT, ">>$output");

while () {

@result = `host -tns $_`;

foreach $line (@result) {

if($line =~ /name server/) {

chomp($line);

($ichi, $ni, $san, $shi) = split(/ /,$line);

}

print OUT "$shi\n";

}

}

close (IN);

close (OUT);

}

-------------------------------------------------------------------------------

5. Finding DNS Servers to Exploit

-------------------------------------------------------------------------------

Search a subnet for vunerable BIND versions (That's a worthless Administrator)

-------------------------------------------------------------------------------

If you managed to generate a list of DNS servers from tip #4, you could use

those hostnames to complete this next example.

If you were to query a BIND name server for a TXT record attached to the pseudo

domain name version.bind in the CHAOSNET class you might get something similar

to the following:

$ dig @ns1.elitehax0r.com version.bind txt chaos

; <<>> DiG 9.2.1 <<>> version.bind txt chaos

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5096

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;version.bind. CH TXT

;; ANSWER SECTION:

version.bind. 0 CH TXT "9.2.1"

Any intelligent Administrator would either change the version.bind output or

not return anything at all. Our goal is to get a vulnerable version to appear.

A simple shell script should suffice:

#!/bin/bash

IN=$1

OUT=$2

for LIST in `cat $IN`

do

echo "Checking Server : $LIST" >> $OUT

dig @$LIST version.bind chaos txt | grep -i VERSION.BIND | cut -f6 >> $OUT

done

The output should look similar to this:

Checking Server : NS1.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS1.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS2.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS2.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS3.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS3.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

Checking Server : NS4.ELITEHAX0R.COM

; <<>> DiG 9.1.2 <<>> @NS4.ELITEHAX0R.COM version.bind chaos txt

"9.2.1"

NOTE: Sometimes you may have to meddle with the field number to get cut to

show the correct field.

This is fine, but has some disadvantages. We could grep for vulnerable versions

out of the output file, but this is tedious. It saves us a step to just add

this functionality into the script.

-------------------------------------------------------------------------------

6. Reverse Lookup a List of IP Addresses

-------------------------------------------------------------------------------

Reverse an IP address list to their respective hostnames

-------------------------------------------------------------------------------

This technique is useful in the footprinting phase of a network compromise.

After we determine the network blocks that a target domain owns, we can proceed

to do reverse lookups on all the machines. What's the point exactly? Well,

sometimes companies do something stupid and name their machines mail, ftp,

router, and firewall, for example. I'm sure you can see the possibilities.

It is trivial to write a small perl script that will automate reverse lookups:

#!/usr/bin/perl

if($#ARGV<0){ print "usage: ./revip.pl \n"; }

else {

open(IN,"$ARGV[0]") or die ("cannot open $ARGV[0]");

open(OUT,">>$ARGV[1]") or die ("cannot create $ARGV[1]");

}

while () {

@numbers = split(/\./, $_);

$ip_number = pack("C4", @numbers);

($name) = (gethostbyaddr($ip_number, 2))[0];

if ($name) {

print OUT "$name\n";

} else { ; }

}

close (IN);

close (OUT);

This script takes a file and splits each octet of the respective IP address at

the dot. Then the pack() function takes the 4 unsigned char values and packs

them into a binary structure for the gethostbyaddr() function which returns the

hostname.

-------------------------------------------------------------------------------

7. Brute Forcing Common Domain Suffixes

-------------------------------------------------------------------------------

Suppose that you have a particular target domain in mind and you would like to

quickly check how far their reach across the globe is. You can check with the

host command:

$ host www.elitehax0r.com.sg

www.elitehax0r.com.sg. is an alias for portal.sg.elitehax0r.com.sg.

portal.sg.elitehax0r.com.sg. has address 192.168.1.22

This is fine for one country, but the objective is to see how many country

specific domains they have. This is a job for perl:

#!/usr/bin/perl

$site = $ARGV[0];

$output = $ARGV[1];

open(OUT, ">>$output");

# country codes

@codes=('as', 'at', 'be', 'ca', 'cc', 'ch', 'cl', 'co.at', 'co.cc',

'co.cx', 'co.dk', 'co.id', 'co.in', 'co.io', 'co.jp', 'co.ke',

'co.kr', 'co.nz', 'co.pl', 'co.pt', 'co.th', 'co.tv', 'co.tw',

'co.uk', 'co.vi', 'co.ws', 'com', 'com.ar', 'com.au', 'com.bh',

'com.bi', 'com.br', 'com.bs', 'com.co', 'com.ec', 'com.gt', 'com.gu',

'com.hk', 'com.ky', 'com.mo', 'com.mx', 'com.my', 'com.ph', 'com.pk',

'com.pl', 'com.pr', 'com.py', 'com.sg', 'com.tj', 'com.tr', 'com.tw',

'com.ws', 'cz', 'de', 'es', 'fr', 'gr', 'hu', 'ie', 'io', 'it', 'lu',

'mc', 'mw', 'nl', 'nu', 'pl', 'ro', 'ru', 'tv', 'ws', 'cx');

$max = @codes;

for ($count = 0; $count <= $max; $count++)

{

$return = `host site.@codes[$count]$site.@codes[$count]`;

if ($return =~ /has address/i) {

($domain,$has,$address,$ip) = split(/ /,$return);

chomp $ip;

if ($ip =~ /alias/i)

{

;

} else {

print OUT "$ip\n";

}

}

}

close (OUT);

}

This script declares an array of country specific domain suffixes and then uses

host to loop through them while searching for lines with 'has address'. Then

that line can be split into tokens, finally printing out the found IP address.

Simply add new suffixes to the array if needed.

-------------------------------------------------------------------------------

8. Reading and Replacing the Apache access_log file

-------------------------------------------------------------------------------

HTTP requests on servers running Apache get logged to access_log file. On one

particular machine I show 3 instances:

root# locate access_log

/usr/local/apache/logs/access_log

/usr/oracle/Apache/Apache/logs/access_log

/var/log/apache/access_log

On a busy web server you may find numerous logs e.g. access_log.1,

access_log.2.

The following sample entry shows 7 fields:

ppp.hax0r.net - - [11/Sep/2001:09:15:06 -0700] "GET /cgi-perl/newsgrab.pl?group=alt.binaries.centerfolds HTTP/1.0" 200 683015

The 1st field is the client address. The 2nd field uses the ident protocol

to determine the identity of the user (blank in this case). The 3rd field can

be filled in with a username (also blank in this case). The 4th field shows

the local date and time. The 5th field shows the HTTP Request (what is he

requesting exactly?!). The 6th field shows the status code. The 7th field

shows how many bytes were sent to the client.

There are two more possible fields: referer and the client software being used.

The following script simply greps out everything that doesn't match argument

one and argument two specifies which access_log to use. This output is directed

into a temporary file and then moved back into the original access_log. This

simple method can obviously be used on any plain text log file.

#!/bin/sh

grep -v '$1' $2 > tmp && mv tmp $2

rm tmp

-------------------------------------------------------------------------------

9. Doing a Quick Zone Transfer

-------------------------------------------------------------------------------

Generate a list of IP addresses from a DNS zone transfer listing

-------------------------------------------------------------------------------

A DNS zone transfer can give a nice list of target servers from a domain. By

using the host command we can check if a DNS server will give us a zone

transfer:

$ host -l elitehax0r.com ns1.eliteisp.com

Using domain server:

Name: ns1.eliteisp.com

Address: 192.168.1.50#53

Aliases:

elitehax0r.com. SOA ns1.eliteisp.com. support.eliteisp.com. 1032896511 28800

7200 3600000 86400

elitehax0r.com. mail is handled by 0 elitehax0r.com.

elitehax0r.com. name server ns1.eliteisp.com.

elitehax0r.com. name server ns2.eliteisp.com.

elitehax0r.com. has address 192.168.1.102

0wnz.elitehax0r.com. has address 192.168.1.102

31337.elitehax0r.com. has address 192.168.1.102

ftp.elitehax0r.com. is an alias for elitehax0r.com.

localhost.elitehax0r.com. has address 127.0.0.1

mail.elitehax0r.com. is an alias for elitehax0r.com.

www.elitehax0r.com. is an alias for elitehax0r.com.

elitehax0r.com. SOA dns.eliteisp.com. support.eliteisp.com. 1032896511 28800

7200 3600000 86400

Sometimes we may want to generate a list of IP addresses from a zone

transfer. It is a trivial task for perl:

print "modular\@truncode.org\n\n";

if($#ARGV<0) { print "usage: ./ztquick.pl

\n\n"; }

else {

$domain = $ARGV[0];

$ns = $ARGV[1];

$file = $ARGV[2];

open(OUT, ">>$file");

@zones = `host -l $domain $ns`;

foreach $line (@zones) {

if($line =~ /has address/) {

($ichi,$ni,$san,$shi) = split(/\./, $line);

print OUT "$ichi.$ni.$san.$shi\n";

}

}

}

close (OUT);

As an exercise you might modify the script to read in multiple domains and

DNS servers.

-------------------------------------------------------------------------------

10. Brute Forcing Common DNS Hostnames

-------------------------------------------------------------------------------

Identify a server's role by brute forcing common hostnames

-------------------------------------------------------------------------------

Many companies use common hostnames like mail, ftp, and gateway, for example,

to ease the task of system administration. This is of course wonderful for an

attacker because it gives away the purpose of the server and even sometimes

the type of OS it is running.

The following perl script works by opening a file of common hostnames and

joining each line to the target domain. The gethostbyname function is called

to do the DNS lookups.

The list file should be filled with common prefixes such as ftp, mail,

firewall, gateway, router, cisco, smtp, pop, dns, etc. A search on the

Internet will turn up a sufficient number of lists to use.

#!/usr/bin/perl -w

$domain = $ARGV[0];

$list = $ARGV[1];

open(FILE, "$list") or die "\ncannot open $list\n $!";

foreach $host () {

chomp $host;

$target = $host . "." . $domain;

my ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($target);

foreach $i (@addrs) {

my ($a, $b, $c, $d) = unpack('C4', $i);

print "$target\t";

print "$a.$b.$c.$d\n";

}

}

Direct the output to a file or modify to your taste.

-------------------------------------------------------------------------------

11. Finding SUID Files

-------------------------------------------------------------------------------

Search for all files owned by root

-------------------------------------------------------------------------------

Files which have the SUID bit set (an "s" where the execute bit for the

owner/group is shown in 'ls' listings) allows the user executing the program

to assume the identity/group of the owner of the program.

The following shell script uses the 'find' command to find all files owned and

executable by root:

#!/bin/sh

for proggy in `find / -type -f -perm +5000 -print`

do

if [ -x $proggy ] ; then

owner="`ls -ld $proggy | awk '{print $3}'`"

lastmod="`ls -ld $proggy | awk '{print $6\" \"$7\" \"$8}'`"

echo " " $proggy " (owner is \"$owner\" and lastmod is $lastmod)"

fi

done

exit 0

-------------------------------------------------------------------------------

12. Brute Forcing SMTP Usernames

-------------------------------------------------------------------------------

Use brute forcing of common usernames with EXPN

-------------------------------------------------------------------------------

The expn command allows someone to telnet to a Sendmail server and give the

server an alias. The expn command expands the alias into the list of actual

recipients.

The following script allows for automation of issuing expn commands to

port 25 of a Sendmail server:

#!/usr/bin/perl

use Socket;

$target = $ARGV[0];

$list = $ARGV[1];

$port = 25;

$in_addr = (gethostbyname($target))[4];

$t_addr = sockaddr_in($port, $in_addr);

$proto = getprotobyname('tcp');

socket(SOCKET, AF_INET, SOCK_STREAM, $proto) || die ("error: socket()");

connect(SOCKET, $t_addr) || die ("error: connect()\n");

select(SOCKET); $| = 1; select(STDOUT);

$sd = ; print "$sd\n\n";

open(FILE, "$list") or die "\ncannot open $list\n $!";

foreach $username () {

chomp $username;

print "$username:\n";

$string = "expn ".$username."\n";

print S $string;

$resp = ;

print "$resp";

sleep 1;

}

The list of usernames should contain common usernames like 'root',

'guest', 'ftp', 'http', 'system', etc.

-------------------------------------------------------------------------------

13. Generate a List of IP Addresses From Web Links

-------------------------------------------------------------------------------

Use lynx and perl to generate a list of IP addresses from web links

-------------------------------------------------------------------------------

In the footprinting phase of an attack it is useful to farm all the links on

a target web page and see if any of those links relate to the target. First

the target website is mirrored:

$ lynx -accept-all-cookies -crawl -traversal http://www.victim.net

Then we search for all links and save those hostnames into a file:

$ grep -r "http://" * | cut -d"/" -f3 |sort |uniq > domains.txt

Now we can run a perl script which incorporates the host command to generate

a list of IP addresses:

#!/usr/bin/perl

open(FILE,$ARGV[0]);

while() {

chomp;

@hosts = (@hosts, $_);

}

close FILE;

foreach $line(@hosts){

$host = `host $line`;

if ($host =~ /has address/i) {

@ip = split(/has address /,$host);

$addr = @ip[1]; chomp $addr;

print "$addr\n";

}

}

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有