翻译作品之六100 Industrial-Strength Tips & Tools for the ScriptKiddie (UNIX Ver.)
一.前言:
本人翻译系列文章,很担心里面出错的地方会误人,不过心里还是有去做一做的,我
是通过自己的理解来翻译的,如果我的理解错误了,或许是我不理解的部分也不经意翻译
了,那必然会给各位多多少少的误导,所以我在文章后面都附上原文。请想看对照原文来
阅读!最主要是自己去理解,不要单看我一家之言。
二.正文:
100个给脚本小子的强有力的工业化的技巧和工具(UNIX Ver.)
(好,100 是无论怎么样的都要达到的目标.......)
技巧数:13(递送这些技巧!)
------------------------------------------------------
1.产生目标主机的ip列表
------------------------------------------------------
从一个普通的命令行扫描器得到ip地址列表
------------------------------------------------------
nmap是众所周知的端口扫描器,对很多事情都很有用,通过用nmap产生一个列表,你
能用cut和grep命令来得到一个很好的ip地址的列表。首先我一步步地用这些命令,因此
你能理解整个逻辑:
root# nmap -sL 192.168.1.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.0) not scanned
Host (192.168.1.1) not scanned
Host (192.168.1.2) not scanned
Host (192.168.1.3) not scanned
Host (192.168.1.4) not scanned
...and so on until 192.168.1.255
这个-sL选项告诉nmap,仅仅是创建一个列表和不扫描ip地址。在这种情况下,我们只有
想这个结果是用"Host"与grep命令精细地混合起来:
root# nmap -sL 192.168.1.0/24 | grep "^Host"
Host (192.168.1.0) not scanned
Host (192.168.1.1) not scanned
Host (192.168.1.2) not scanned
Host (192.168.1.3) not scanned
Host (192.168.1.4) not scanned
现在每行都类似的,允许我们更进一步用cut命令处理输出:
root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2
192.168.1.0) not scanned
192.168.1.1) not scanned
192.168.1.2) not scanned
192.168.1.3) not scanned
192.168.1.4) not scanned
...continues
首先我们用-d'('划定一个范围,因此第一块事实上"Host (",第二块就是留下的部分。现在我们需要摆脱ip地址后面的,因此我们仍旧再用cut 用 -d')' 和指定第一块:
root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
...continues
试着更加秘密地随机排列ip地址:
root# nmap -sL 192.168.1.0/24 --randomize_hosts | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1
192.168.1.44
192.168.1.192
192.168.1.201
192.168.1.43
192.168.1.149
...continues
因为我们想去产生一个列表,每次去打这些命令很浪费时间,最好的放这些命令到一个shell脚本:
#!/bin/bash
nmap -sL $1 --randomize_hosts | grep '^Host' | cut -d '(' -f 2 | cut -d
')' -f 1
保存它到一个文件,令他可以被执行,重定向输出到一个文件:
root# chmod +x iplist.sh
root# ./iplist.sh 192.168.1.0/24 > iplist.txt
root# head -5 iplist.txt
192.168.1.215
192.168.1.39
192.168.1.168
192.168.1.11
192.168.1.225
同样可以看:
nmap: http://www.insecure.org/nmap
grep man page
cut man page
head man page
-------------------------------------------------------------------
2.倾销htlm源码
-------------------------------------------------------------------
从头到尾搜索html源码,得到一个有用的信息
-------------------------------------------------------------------
抓取html源码能帮助得到目标的信息,几个例子可能包括检查一个网站的应用程序和查看http头.以下是一个简单的封装的用于netcat的脚本:
#!/bin/sh
echo -e "GET $2 HTTP/1.0\n\n" | nc -vv $1 80
我们试这个脚本在我们喜欢的目标站点,了解他们运行了什么:
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php
Warning: inverse host lookup failed for 192.168.1.102: Unknown host
www.elitehax0r.com [192.168.1.102] 80 (www) open
HTTP/1.1 200 OK
Date: Sat, 08 Mar 2003 22:08:03 GMT
Server: Apache/1.3.27 (Unix) mod_log_bytes/1.0 mod_bwlimited/1.0 PHP/4.3.1
FrontPage/5.0.2.2510 mod_ssl/2.8.12 OpenSSL/0.9.6b
X-Powered-By: PHP/4.3.1
Connection: close
Content-Type: text/html
等等.在这点我们甚至可以开始通过关键词grep 输出文件:
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | grep -i 或者
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | > grep -i "type=\"password\""
发挥自己的想象取得和尝试查询字符串,默认的脚本,sql关键词,等.
-----------------------------------------------------------------
3.耕作网站的连接和email地址
-----------------------------------------------------------------
创建一个网站连接和email地址穷举的相关的数据库
-----------------------------------------------------------------
lynx 命令行的浏览器同样能用来反映一个当地的站点:
$ lynx -crawl -traversal "http://www.elitehax0r.com"
然后 一个简单的调用我们友好的grep和cut去耕作目标的信息:
$ grep "http://" * | cut -d "/" -f3 | sort | uniq > links.txt
尝试"mailto:".等等,对于email地址,这个分界符和块号可能需要一下改变来使得他正确工作.
------------------------------------------------------------------
4.产生一个dns服务列表
------------------------------------------------------------------
通过bind版本脚本得到dns列表
------------------------------------------------------------------
在产生一个ip地址列表之后,你可能想去产生另外一个dns服务列表,这个可以通过进一步用一个bind版本扫描器来加工.
如果我们手工打入一个c类的ip,会永远进行下去,让我们用www.elitehax0r.com作为一个例子(不敢肯定域名是否存在):
]modular@truncode$ host www.elitehax0r.com
www.elitehax0r.com. has address 192.168.1.101
]modular@truncode$ whois 192.168.1.101
OrgName: ELITE HAX0R, INC.
OrgID: HAX
Address: 31337 Hax0r Parkway
City: ScriptKiddie
StateProv: CA
PostalCode: 31337
Country: US
NetRange: 192.168.1.0 - 192.168.1.255
CIDR: 192.168.1.0/24
NetName: HAX0R
NetHandle: NET-666-666-66-0-1
Parent: NET-666-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ELITEHAX0R.COM
NameServer: NS2.ELITEHAX0R.COM
NameServer: NS3.ELITEHAX0R.COM
NameServer: NS4.ELITEHAX0R.COM
Comment:
RegDate: 2000-10-16
Updated: 2001-04-15
TechHandle: HAX-ARIN
TechName: Elite Hax0r, Inc.
TechPhone: +1-900-BAD-CODE
TechEmail: arin-contact@elitehax0r.com
# ARIN WHOIS database, last updated 2003-03-07 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
我们想那些以'NameServer:'的所有行,因此你可能认为,恰好用grep和cut:
]modular@truncode$ whois 216.239.53.101 |grep '^NameServer:' |cut -d' ' -f2
NS1.ELITEHAX0R.COM
NS2.ELITEHAX0R.COM
NS3.ELITEHAX0R.COM
NS4.ELITEHAX0R.COM
当然这样可以。你甚至可以放那些行到一个脚本和读一个ip地址的文件,但是我想这个perl脚本是一流的解决方法:
#!/usr/bin/perl
open(FILE,$ARGV[0]);
while() {
chomp;
@domains = (@domains,$_);
}
close FILE;
foreach $domain(@domains) {
@lines=`whois $domain`;
$input = join(" ",@lines);
while($input =~ s/NameServer:\s(\S*)//) {
@nameservers = (@nameservers,$1);
}
foreach $nameserver(@nameservers) { print "$nameserver\n"; }
undef (@nameservers);
}
这个脚本是恰恰是做了我们用grep和cut所做的,它读取一个文件的命令行。对每一个ip地址,whois被执行。任何行匹配'NameServer:'被考虑成匹配的和这个dns服务被放到@nameservers数组 在脚本的最后输出这个数组.
尝试修改这个脚本去输出到一个文件为了能更进一步地加工它.
以下的脚本是一个解决的方法对于一个主机名列表胜于ip地址:
#!/usr/bin/perl
print "modular\@truncode.org\n\n";
if($#ARGV<0) { print "usage: ./nsrip.pl
\n\n"; }
else {
$output = $ARGV[1];
open(IN, "$ARGV[0]");
open(OUT, ">>$output");
while () {
@result = `host -tns $_`;
foreach $line (@result) {
if($line =~ /name server/) {
chomp($line);
($ichi, $ni, $san, $shi) = split(/ /,$line);
}
print OUT "$shi\n";
}
}
close (IN);
close (OUT);
}
----------------------------------------------------------------------
5.找到dns服务,进行溢出.
----------------------------------------------------------------------
搜索一个子网,找到有漏洞的bind版本(这是无价值的网络管理人员)
----------------------------------------------------------------------
如果你成功产生一个dns服务列表从技巧#4,你可以用这些主机名去完成下面的例子.
如果你想在一个bind名字服务器通过连接到假冒的域的version.bind ,在一个CHAOSNET 类里查询一个txt档案,你可能得到一些和如下类似的:
$ dig @ns1.elitehax0r.com version.bind txt chaos
; <<>> DiG 9.2.1 <<>> version.bind txt chaos
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5096
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.2.1"
任何聪明的网络管理员也会改变version.bind的输出或者是完全不返回任何东西,我们的目标是取得出现漏洞的版本.
一个简单的shell脚本应该有能力:
#!/bin/bash
IN=$1
OUT=$2
for LIST in `cat $IN`
do
echo "Checking Server : $LIST" >> $OUT
dig @$LIST version.bind chaos txt | grep -i VERSION.BIND | cut -f6 >> $OUT
done
输出会看起来类似这样:
Checking Server : NS1.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS1.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS2.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS2.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS3.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS3.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS4.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS4.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
注意:有时你可能不得不改动块号而用cut来显示正确的块.
这是很好的,不过有一些缺点,我们可以grep一些漏洞版本用来制成输出文件,但是这是单调乏味的,仅增加一个函数功能到脚本可以解救我们.
------------------------------------------------------------------
6.反向查找一个ip地址列表
------------------------------------------------------------------
反向查找一个ip地址列表得到他们的各自主机名
------------------------------------------------------------------
这个技术在一个危及网络安全的足迹定位方面是很有用的.在我们检测目标域拥有的网络块之后,我们能加工去进行反向查找所有的机器.这个正确点是什么呢?好的,有时一些公司做一愚蠢的事情和命名他们的机器为mail,ftp,router,和firewall。例如:我肯定你能看到这些可能性!
这是微不足道的去写一个小的可以自动化反向查找的perl脚本:
#!/usr/bin/perl
if($#ARGV<0){ print "usage: ./revip.pl \n"; }
else {
open(IN,"$ARGV[0]") or die ("cannot open $ARGV[0]");
open(OUT,">>$ARGV[1]") or die ("cannot create $ARGV[1]");
}
while () {
@numbers = split(/\./, $_);
$ip_number = pack("C4", @numbers);
($name) = (gethostbyaddr($ip_number, 2))[0];
if ($name) {
print OUT "$name\n";
} else { ; }
}
close (IN);
close (OUT);
这个脚本获得一个文件,在点的地方,分离成八字节的各自ip地址.那时这个pack()函数得到4个无符号变量值和包装他们成为一个二进制结构,因为gethostbyaddr() 每次返回主机名。
----------------------------------------------------------------
7.暴力夺取普通域后缀
----------------------------------------------------------------
假如你有个特别的目标域在心中和你想要迅速查出他们延伸到多远。你能用host命令:
$ host www.elitehax0r.com.sg
www.elitehax0r.com.sg. is an alias for portal.sg.elitehax0r.com.sg.
portal.sg.elitehax0r.com.sg. has address 192.168.1.22
这是很好的对一个国家,但是这个目标将看到多少个国家指定他们的域,留给perl来工作:
#!/usr/bin/perl
$site = $ARGV[0];
$output = $ARGV[1];
open(OUT, ">>$output");
# country codes
@codes=('as', 'at', 'be', 'ca', 'cc', 'ch', 'cl', 'co.at', 'co.cc',
'co.cx', 'co.dk', 'co.id', 'co.in', 'co.io', 'co.jp', 'co.ke',
'co.kr', 'co.nz', 'co.pl', 'co.pt', 'co.th', 'co.tv', 'co.tw',
'co.uk', 'co.vi', 'co.ws', 'com', 'com.ar', 'com.au', 'com.bh',
'com.bi', 'com.br', 'com.bs', 'com.co', 'com.ec', 'com.gt', 'com.gu',
'com.hk', 'com.ky', 'com.mo', 'com.mx', 'com.my', 'com.ph', 'com.pk',
'com.pl', 'com.pr', 'com.py', 'com.sg', 'com.tj', 'com.tr', 'com.tw',
'com.ws', 'cz', 'de', 'es', 'fr', 'gr', 'hu', 'ie', 'io', 'it', 'lu',
'mc', 'mw', 'nl', 'nu', 'pl', 'ro', 'ru', 'tv', 'ws', 'cx');
$max = @codes;
for ($count = 0; $count <= $max; $count++)
{
$return = `host site.@codes[$count]$site.@codes[$count]`;
if ($return =~ /has address/i) {
($domain,$has,$address,$ip) = split(/ /,$return);
chomp $ip;
if ($ip =~ /alias/i)
{
;
} else {
print OUT "$ip\n";
}
}
}
close (OUT);
}
这个脚本声明了一个指定域后缀的数组然后用host来循环他们当搜索那些有'has address'的那些行。那时行被分离成多个标记,最后打印出被发现的ip地址.
如果需要的话,可以简单地增加新的后缀到这个数组.
----------------------------------------------------------------------
8.读取和替代apache的access-log文件
----------------------------------------------------------------------
http 请求运行apache服务器取得记录到access-log文件。在一个特别的机器,我显示三个例子:
root# locate access_log
/usr/local/apache/logs/access_log
/usr/oracle/Apache/Apache/logs/access_log
/var/log/apache/access_log
在一个繁忙的web服务器上,你能找到无数的日志,例如 access-log.1 access-log.2
以下的简单输入显示7块:
ppp.hax0r.net - - [11/Sep/2001:09:15:06 -0700] "GET /cgi-perl/newsgrab.pl?group=alt.binaries.centerfolds HTTP/1.0" 200 683015
第一块是客户端地址。第二快是用一个认证协议来检测使用者的身份(在这里是空白).
第三块能被填充用使用者的名字(在这里同样用空白).第4块出示当地的日期和时间.
第五块:出示http请求(正确的请求).第六块出示状态代码.第七块出示多少字节被送到客户端.
有两个可能的块:咨询和客户端所用的软件.
以下的脚本简单查找出那些指定access-log所用的参数一和参数二的不匹配的每样东西.输出被定向到一个临时文件然后移回到原始的access-log文件。这个简单的方法能显而易见被用在任何纯文本日志文件.
#!/bin/sh
grep -v '$1' $2 > tmp && mv tmp $2
rm tmp
-------------------------------------------------------------
9.做一个快速的区传输
-------------------------------------------------------------
产生一个ip地址列表从一个dns区传输列表
-------------------------------------------------------------
一个dns区传输能从一个域给出一个很好的目标服务列表.同过用host命令我们能查出是否一个dns服务器能提供给我们一个区传输:
$ host -l elitehax0r.com ns1.eliteisp.com
Using domain server:
Name: ns1.eliteisp.com
Address: 192.168.1.50#53
Aliases:
elitehax0r.com. SOA ns1.eliteisp.com. support.eliteisp.com. 1032896511 28800
7200 3600000 86400
elitehax0r.com. mail is handled by 0 elitehax0r.com.
elitehax0r.com. name server ns1.eliteisp.com.
elitehax0r.com. name server ns2.eliteisp.com.
elitehax0r.com. has address 192.168.1.102
0wnz.elitehax0r.com. has address 192.168.1.102
31337.elitehax0r.com. has address 192.168.1.102
ftp.elitehax0r.com. is an alias for elitehax0r.com.
localhost.elitehax0r.com. has address 127.0.0.1
mail.elitehax0r.com. is an alias for elitehax0r.com.
www.elitehax0r.com. is an alias for elitehax0r.com.
elitehax0r.com. SOA dns.eliteisp.com. support.eliteisp.com. 1032896511 28800
7200 3600000 86400
有时,我们可能想去产生一个ip地址列表从一个区传输,这是一个微不足道的任务对于perl来说:
#!/usr/bin/perl
print "modular\@truncode.org\n\n";
if($#ARGV<0) { print "usage: ./ztquick.pl
\n\n"; }
else {
$domain = $ARGV[0];
$ns = $ARGV[1];
$file = $ARGV[2];
open(OUT, ">>$file");
@zones = `host -l $domain $ns`;
foreach $line (@zones) {
if($line =~ /has address/) {
($ichi,$ni,$san,$shi) = split(/\./, $line);
print OUT "$ichi.$ni.$san.$shi\n";
}
}
}
close (OUT);
当做一个练习你可能修改这个脚本来读取在多域和dns服务器.
------------------------------------------------------------------
10,暴力夺取普通dns主机名
------------------------------------------------------------------
通过暴力夺取普通主机来鉴别一个服务任务
------------------------------------------------------------------
很多公司用普通主机名象mail,ftp,和gateway,例如,为了减轻系统管理员的任务.
这当然是愉快的对于一个攻击者,因为他泄露了服务意图和有时甚至是某种系统正在运行.
以下的perl脚本通过打开一个普通的主机名文件和加入每行到目标域来工作,gethostbyname函数被调用来完成dns的查找。
这个列表文件应该被填充用普通后缀例如ftp,mail,firewall,gateway,router,cisco,smtp,pop,dns,等等.在internet上搜索会找到足够数目的可用的列表.
#!/usr/bin/perl -w
$domain = $ARGV[0];
$list = $ARGV[1];
open(FILE, "$list") or die "\ncannot open $list\n $!";
foreach $host () {
chomp $host;
$target = $host . "." . $domain;
my ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($target);
foreach $i (@addrs) {
my ($a, $b, $c, $d) = unpack('C4', $i);
print "$target\t";
print "$a.$b.$c.$d\n";
}
}
重定向输出到一个文件或者修改到自己符合自己的品味.
-------------------------------------------------------------------------
11.找到一个suid文件
-------------------------------------------------------------------------
搜索所有被root拥有的文件
-------------------------------------------------------------------------
有suid位组的文件(当执行'ls'是可以从列表中看到在owner/group的地方有一个s的)允许一个使用者执行这个程序来假定identity/group有这个程序所有者的权限.
以下的shell脚本用一个find命令来找到所有文件属主和可被root执行的文件.
#!/bin/sh
for proggy in `find / -type -f -perm +5000 -print`
do
if [ -x $proggy ] ; then
owner="`ls -ld $proggy | awk '{print $3}'`"
lastmod="`ls -ld $proggy | awk '{print $6\" \"$7\" \"$8}'`"
echo " " $proggy " (owner is \"$owner\" and lastmod is $lastmod)"
fi
done
exit 0
-----------------------------------------------------------------------
12.暴力夺取smtp使用者
-----------------------------------------------------------------------
通过expn来暴力夺取普通使用者
-----------------------------------------------------------------------
expn命令允许某人telnet到一个sendmail服务器和提供服务器一个别名.这个expn命令扩展这个别名进入一个实际收件人的列表.
以下脚本允许自动操作发出expn命令到一个sendmail服务器的25端口:
#!/usr/bin/perl
use Socket;
$target = $ARGV[0];
$list = $ARGV[1];
$port = 25;
$in_addr = (gethostbyname($target))[4];
$t_addr = sockaddr_in($port, $in_addr);
$proto = getprotobyname('tcp');
socket(SOCKET, AF_INET, SOCK_STREAM, $proto) || die ("error: socket()");
connect(SOCKET, $t_addr) || die ("error: connect()\n");
select(SOCKET); $| = 1; select(STDOUT);
$sd = ; print "$sd\n\n";
open(FILE, "$list") or die "\ncannot open $list\n $!";
foreach $username () {
chomp $username;
print "$username:\n";
$string = "expn ".$username."\n";
print S $string;
$resp = ;
print "$resp";
sleep 1;
}
这个使用者列表应该包含普通用户象'root'.'guest', 'ftp', 'http', 'system',等.
------------------------------------------------------------------------
13.从一个web连接产生一个ip列表
------------------------------------------------------------------------
用lynx和perl从web连接产生一个ip地址列表
------------------------------------------------------------------------
在一个攻击者足迹定位中,它很有作用去耕作所有在一个目标web网页的连接和了解是否有那些任何关联到目标的连接.首先这个目标站点是被反映:
$ lynx -accept-all-cookies -crawl -traversal http://www.victim.net
那时我们搜索所有的连接和保存那些主机名到一个文件 :
$ grep -r "http://" * | cut -d"/" -f3 |sort |uniq > domains.txt
现在我们能运行一个合并host命令的perl脚本来产生一个ip地址列表:
#!/usr/bin/perl
open(FILE,$ARGV[0]);
while() {
chomp;
@hosts = (@hosts, $_);
}
close FILE;
foreach $line(@hosts){
$host = `host $line`;
if ($host =~ /has address/i) {
@ip = split(/has address /,$host);
$addr = @ip[1]; chomp $addr;
print "$addr\n";
}
}
三.原文:
100 Industrial-Strength Tips & Tools for the Script Kiddie (UNIX Ver.)
(well, 100 is the goal anyways...)
_ _
| |_ ___ _ _ ___ ___ ___ _| |___
| _| _| | | | _| . | . | -_|
|_| |_| |___|_|_|___|___|___|___|
* truncode security development *
modular <modular@truncode.org>
TIP COUNT: 13 (send in those tips!)
-------------------------------------------------------------------------------
1. Generate a list of target IP addresses
-------------------------------------------------------------------------------
A list of IP addresses to feed into a generic network command-line scanner
-------------------------------------------------------------------------------
The well-known port scanner, nmap, is useful for many things. By generating a
list with nmap, you can use the cut and grep commands to make a nice list of
IP addresses. First I will work through the commands step by step so you can
understand the logic:
root# nmap -sL 192.168.1.0/24
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (192.168.1.0) not scanned
Host (192.168.1.1) not scanned
Host (192.168.1.2) not scanned
Host (192.168.1.3) not scanned
Host (192.168.1.4) not scanned
...and so on until 192.168.1.255
The -sL option tells nmap to just create a list and not scan the IP address. In
this case we only want the lines beginning with "Host". The grep command fits
here nicely:
root# nmap -sL 192.168.1.0/24 | grep "^Host"
Host (192.168.1.0) not scanned
Host (192.168.1.1) not scanned
Host (192.168.1.2) not scanned
Host (192.168.1.3) not scanned
Host (192.168.1.4) not scanned
Now every line is similar, allowing us to process the output further with the
cut command:
root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2
192.168.1.0) not scanned
192.168.1.1) not scanned
192.168.1.2) not scanned
192.168.1.3) not scanned
192.168.1.4) not scanned
...continues
First we delimit the fields with a -d'(' so the first field is actually
"Host (". The second field in this case would be the rest of the line. Now we
need to get rid of everything after the IP address, so we use cut yet again
with a -d')' and specify the first field:
root# nmap -sL 192.168.1.0/24 | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
...continues
Try randomizing the IP addresses to be more stealthy:
root# nmap -sL 192.168.1.0/24 --randomize_hosts | grep "^Host" | cut -d '(' -f2| cut -d ')' -f1
192.168.1.44
192.168.1.192
192.168.1.201
192.168.1.43
192.168.1.149
...continues
Since it is a waste of time to type this command out everytime we want to
generate a list, it is best to put these commands into a shell script:
#!/bin/bash
nmap -sL $1 --randomize_hosts | grep '^Host' | cut -d '(' -f 2 | cut -d
')' -f 1
Save it to a file, make it an executable, and direct the output to a file:
root# chmod +x iplist.sh
root# ./iplist.sh 192.168.1.0/24 > iplist.txt
root# head -5 iplist.txt
192.168.1.215
192.168.1.39
192.168.1.168
192.168.1.11
192.168.1.225
See also:
nmap: http://www.insecure.org/nmap
grep man page
cut man page
head man page
-------------------------------------------------------------------------------
2. Dumping HTML source
-------------------------------------------------------------------------------
Search through HTML source for useful information
-------------------------------------------------------------------------------
Grabbing HTML source can aid in a number of objectives. A few examples might
include inspecting a web application or looking at HTTP headers. The following
is a simple wrapper script for netcat:
#!/bin/sh
echo -e "GET $2 HTTP/1.0\n\n" | nc -vv $1 80
We try the script on our favorite target site to see what they are running:
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php
Warning: inverse host lookup failed for 192.168.1.102: Unknown host
www.elitehax0r.com [192.168.1.102] 80 (www) open
HTTP/1.1 200 OK
Date: Sat, 08 Mar 2003 22:08:03 GMT
Server: Apache/1.3.27 (Unix) mod_log_bytes/1.0 mod_bwlimited/1.0 PHP/4.3.1
FrontPage/5.0.2.2510 mod_ssl/2.8.12 OpenSSL/0.9.6b
X-Powered-By: PHP/4.3.1
Connection: close
Content-Type: text/html
And so on. At this point we could even start to grep the output for keywords:
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | grep -i \
or
]modular@truncode$ ./cathead.sh www.elitehax0r.com /index.php | > grep -i "type=\"password\""
Get creative and try query strings, default scripts, sql keywords, etc.
-------------------------------------------------------------------------------
3. Farming Web Links and Email Addresses
-------------------------------------------------------------------------------
Create a database of web links and email addresses to enumerate associations
-------------------------------------------------------------------------------
The lynx command-line browser can also be used to mirror a site locally:
$ lynx -crawl -traversal "http://www.elitehax0r.com"
and then a simple call to our friends grep and cut to farm the target
information:
$ grep "http://" * | cut -d "/" -f3 | sort | uniq > links.txt
Try "mailto:", etc. for email addresses. The delimiter and field number may
need some tweaking to get it working correctly.
-------------------------------------------------------------------------------
4. Generating a List of DNS Servers
-------------------------------------------------------------------------------
A list of DNS servers to feed into a BIND version script
-------------------------------------------------------------------------------
After generating a list of IP addresses, you might like to generate another
list of DNS servers, that can be further processed by a BIND version scanner.
If we were to manually type in a class C network it would take forever. Let's
use www.elitehax0r.com as an example (not sure if that domain exists):
]modular@truncode$ host www.elitehax0r.com
www.elitehax0r.com. has address 192.168.1.101
]modular@truncode$ whois 192.168.1.101
OrgName: ELITE HAX0R, INC.
OrgID: HAX
Address: 31337 Hax0r Parkway
City: ScriptKiddie
StateProv: CA
PostalCode: 31337
Country: US
NetRange: 192.168.1.0 - 192.168.1.255
CIDR: 192.168.1.0/24
NetName: HAX0R
NetHandle: NET-666-666-66-0-1
Parent: NET-666-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ELITEHAX0R.COM
NameServer: NS2.ELITEHAX0R.COM
NameServer: NS3.ELITEHAX0R.COM
NameServer: NS4.ELITEHAX0R.COM
Comment:
RegDate: 2000-10-16
Updated: 2001-04-15
TechHandle: HAX-ARIN
TechName: Elite Hax0r, Inc.
TechPhone: +1-900-BAD-CODE
TechEmail: arin-contact@elitehax0r.com
# ARIN WHOIS database, last updated 2003-03-07 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
We want all lines that begin with 'NameServer:'. So you might think, just use
grep and cut now:
]modular@truncode$ whois 216.239.53.101 |grep '^NameServer:' |cut -d' ' -f2
NS1.ELITEHAX0R.COM
NS2.ELITEHAX0R.COM
NS3.ELITEHAX0R.COM
NS4.ELITEHAX0R.COM
Of course this works. You could even put that line in a script and read a file
of IP addresses, but I think a perl script is a more elegant solution:
#!/usr/bin/perl
open(FILE,$ARGV[0]);
while() {
chomp;
@domains = (@domains,$_);
}
close FILE;
foreach $domain(@domains) {
@lines=`whois $domain`;
$input = join(" ",@lines);
while($input =~ s/NameServer:\s(\S*)//) {
@nameservers = (@nameservers,$1);
}
foreach $nameserver(@nameservers) { print "$nameserver\n"; }
undef (@nameservers);
}
This script is really just doing what we did with grep and cut. It reads in a
file off the command-line. For each IP address, whois is executed. Any line
that matches 'NameServer:' is considered a match and that DNS server is put into
the @nameservers array which is printed at the end of the script.
Try modifying this script to output to a file for further processing.
The following script is a solution for a list of hostnames rather than IP
addresses:
#!/usr/bin/perl
print "modular\@truncode.org\n\n";
if($#ARGV<0) { print "usage: ./nsrip.pl
\n\n"; }
else {
$output = $ARGV[1];
open(IN, "$ARGV[0]");
open(OUT, ">>$output");
while () {
@result = `host -tns $_`;
foreach $line (@result) {
if($line =~ /name server/) {
chomp($line);
($ichi, $ni, $san, $shi) = split(/ /,$line);
}
print OUT "$shi\n";
}
}
close (IN);
close (OUT);
}
-------------------------------------------------------------------------------
5. Finding DNS Servers to Exploit
-------------------------------------------------------------------------------
Search a subnet for vunerable BIND versions (That's a worthless Administrator)
-------------------------------------------------------------------------------
If you managed to generate a list of DNS servers from tip #4, you could use
those hostnames to complete this next example.
If you were to query a BIND name server for a TXT record attached to the pseudo
domain name version.bind in the CHAOSNET class you might get something similar
to the following:
$ dig @ns1.elitehax0r.com version.bind txt chaos
; <<>> DiG 9.2.1 <<>> version.bind txt chaos
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5096
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.2.1"
Any intelligent Administrator would either change the version.bind output or
not return anything at all. Our goal is to get a vulnerable version to appear.
A simple shell script should suffice:
#!/bin/bash
IN=$1
OUT=$2
for LIST in `cat $IN`
do
echo "Checking Server : $LIST" >> $OUT
dig @$LIST version.bind chaos txt | grep -i VERSION.BIND | cut -f6 >> $OUT
done
The output should look similar to this:
Checking Server : NS1.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS1.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS2.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS2.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS3.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS3.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
Checking Server : NS4.ELITEHAX0R.COM
; <<>> DiG 9.1.2 <<>> @NS4.ELITEHAX0R.COM version.bind chaos txt
"9.2.1"
NOTE: Sometimes you may have to meddle with the field number to get cut to
show the correct field.
This is fine, but has some disadvantages. We could grep for vulnerable versions
out of the output file, but this is tedious. It saves us a step to just add
this functionality into the script.
-------------------------------------------------------------------------------
6. Reverse Lookup a List of IP Addresses
-------------------------------------------------------------------------------
Reverse an IP address list to their respective hostnames
-------------------------------------------------------------------------------
This technique is useful in the footprinting phase of a network compromise.
After we determine the network blocks that a target domain owns, we can proceed
to do reverse lookups on all the machines. What's the point exactly? Well,
sometimes companies do something stupid and name their machines mail, ftp,
router, and firewall, for example. I'm sure you can see the possibilities.
It is trivial to write a small perl script that will automate reverse lookups:
#!/usr/bin/perl
if($#ARGV<0){ print "usage: ./revip.pl \n"; }
else {
open(IN,"$ARGV[0]") or die ("cannot open $ARGV[0]");
open(OUT,">>$ARGV[1]") or die ("cannot create $ARGV[1]");
}
while () {
@numbers = split(/\./, $_);
$ip_number = pack("C4", @numbers);
($name) = (gethostbyaddr($ip_number, 2))[0];
if ($name) {
print OUT "$name\n";
} else { ; }
}
close (IN);
close (OUT);
This script takes a file and splits each octet of the respective IP address at
the dot. Then the pack() function takes the 4 unsigned char values and packs
them into a binary structure for the gethostbyaddr() function which returns the
hostname.
-------------------------------------------------------------------------------
7. Brute Forcing Common Domain Suffixes
-------------------------------------------------------------------------------
Suppose that you have a particular target domain in mind and you would like to
quickly check how far their reach across the globe is. You can check with the
host command:
$ host www.elitehax0r.com.sg
www.elitehax0r.com.sg. is an alias for portal.sg.elitehax0r.com.sg.
portal.sg.elitehax0r.com.sg. has address 192.168.1.22
This is fine for one country, but the objective is to see how many country
specific domains they have. This is a job for perl:
#!/usr/bin/perl
$site = $ARGV[0];
$output = $ARGV[1];
open(OUT, ">>$output");
# country codes
@codes=('as', 'at', 'be', 'ca', 'cc', 'ch', 'cl', 'co.at', 'co.cc',
'co.cx', 'co.dk', 'co.id', 'co.in', 'co.io', 'co.jp', 'co.ke',
'co.kr', 'co.nz', 'co.pl', 'co.pt', 'co.th', 'co.tv', 'co.tw',
'co.uk', 'co.vi', 'co.ws', 'com', 'com.ar', 'com.au', 'com.bh',
'com.bi', 'com.br', 'com.bs', 'com.co', 'com.ec', 'com.gt', 'com.gu',
'com.hk', 'com.ky', 'com.mo', 'com.mx', 'com.my', 'com.ph', 'com.pk',
'com.pl', 'com.pr', 'com.py', 'com.sg', 'com.tj', 'com.tr', 'com.tw',
'com.ws', 'cz', 'de', 'es', 'fr', 'gr', 'hu', 'ie', 'io', 'it', 'lu',
'mc', 'mw', 'nl', 'nu', 'pl', 'ro', 'ru', 'tv', 'ws', 'cx');
$max = @codes;
for ($count = 0; $count <= $max; $count++)
{
$return = `host site.@codes[$count]$site.@codes[$count]`;
if ($return =~ /has address/i) {
($domain,$has,$address,$ip) = split(/ /,$return);
chomp $ip;
if ($ip =~ /alias/i)
{
;
} else {
print OUT "$ip\n";
}
}
}
close (OUT);
}
This script declares an array of country specific domain suffixes and then uses
host to loop through them while searching for lines with 'has address'. Then
that line can be split into tokens, finally printing out the found IP address.
Simply add new suffixes to the array if needed.
-------------------------------------------------------------------------------
8. Reading and Replacing the Apache access_log file
-------------------------------------------------------------------------------
HTTP requests on servers running Apache get logged to access_log file. On one
particular machine I show 3 instances:
root# locate access_log
/usr/local/apache/logs/access_log
/usr/oracle/Apache/Apache/logs/access_log
/var/log/apache/access_log
On a busy web server you may find numerous logs e.g. access_log.1,
access_log.2.
The following sample entry shows 7 fields:
ppp.hax0r.net - - [11/Sep/2001:09:15:06 -0700] "GET /cgi-perl/newsgrab.pl?group=alt.binaries.centerfolds HTTP/1.0" 200 683015
The 1st field is the client address. The 2nd field uses the ident protocol
to determine the identity of the user (blank in this case). The 3rd field can
be filled in with a username (also blank in this case). The 4th field shows
the local date and time. The 5th field shows the HTTP Request (what is he
requesting exactly?!). The 6th field shows the status code. The 7th field
shows how many bytes were sent to the client.
There are two more possible fields: referer and the client software being used.
The following script simply greps out everything that doesn't match argument
one and argument two specifies which access_log to use. This output is directed
into a temporary file and then moved back into the original access_log. This
simple method can obviously be used on any plain text log file.
#!/bin/sh
grep -v '$1' $2 > tmp && mv tmp $2
rm tmp
-------------------------------------------------------------------------------
9. Doing a Quick Zone Transfer
-------------------------------------------------------------------------------
Generate a list of IP addresses from a DNS zone transfer listing
-------------------------------------------------------------------------------
A DNS zone transfer can give a nice list of target servers from a domain. By
using the host command we can check if a DNS server will give us a zone
transfer:
$ host -l elitehax0r.com ns1.eliteisp.com
Using domain server:
Name: ns1.eliteisp.com
Address: 192.168.1.50#53
Aliases:
elitehax0r.com. SOA ns1.eliteisp.com. support.eliteisp.com. 1032896511 28800
7200 3600000 86400
elitehax0r.com. mail is handled by 0 elitehax0r.com.
elitehax0r.com. name server ns1.eliteisp.com.
elitehax0r.com. name server ns2.eliteisp.com.
elitehax0r.com. has address 192.168.1.102
0wnz.elitehax0r.com. has address 192.168.1.102
31337.elitehax0r.com. has address 192.168.1.102
ftp.elitehax0r.com. is an alias for elitehax0r.com.
localhost.elitehax0r.com. has address 127.0.0.1
mail.elitehax0r.com. is an alias for elitehax0r.com.
www.elitehax0r.com. is an alias for elitehax0r.com.
elitehax0r.com. SOA dns.eliteisp.com. support.eliteisp.com. 1032896511 28800
7200 3600000 86400
Sometimes we may want to generate a list of IP addresses from a zone
transfer. It is a trivial task for perl:
print "modular\@truncode.org\n\n";
if($#ARGV<0) { print "usage: ./ztquick.pl
\n\n"; }
else {
$domain = $ARGV[0];
$ns = $ARGV[1];
$file = $ARGV[2];
open(OUT, ">>$file");
@zones = `host -l $domain $ns`;
foreach $line (@zones) {
if($line =~ /has address/) {
($ichi,$ni,$san,$shi) = split(/\./, $line);
print OUT "$ichi.$ni.$san.$shi\n";
}
}
}
close (OUT);
As an exercise you might modify the script to read in multiple domains and
DNS servers.
-------------------------------------------------------------------------------
10. Brute Forcing Common DNS Hostnames
-------------------------------------------------------------------------------
Identify a server's role by brute forcing common hostnames
-------------------------------------------------------------------------------
Many companies use common hostnames like mail, ftp, and gateway, for example,
to ease the task of system administration. This is of course wonderful for an
attacker because it gives away the purpose of the server and even sometimes
the type of OS it is running.
The following perl script works by opening a file of common hostnames and
joining each line to the target domain. The gethostbyname function is called
to do the DNS lookups.
The list file should be filled with common prefixes such as ftp, mail,
firewall, gateway, router, cisco, smtp, pop, dns, etc. A search on the
Internet will turn up a sufficient number of lists to use.
#!/usr/bin/perl -w
$domain = $ARGV[0];
$list = $ARGV[1];
open(FILE, "$list") or die "\ncannot open $list\n $!";
foreach $host () {
chomp $host;
$target = $host . "." . $domain;
my ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($target);
foreach $i (@addrs) {
my ($a, $b, $c, $d) = unpack('C4', $i);
print "$target\t";
print "$a.$b.$c.$d\n";
}
}
Direct the output to a file or modify to your taste.
-------------------------------------------------------------------------------
11. Finding SUID Files
-------------------------------------------------------------------------------
Search for all files owned by root
-------------------------------------------------------------------------------
Files which have the SUID bit set (an "s" where the execute bit for the
owner/group is shown in 'ls' listings) allows the user executing the program
to assume the identity/group of the owner of the program.
The following shell script uses the 'find' command to find all files owned and
executable by root:
#!/bin/sh
for proggy in `find / -type -f -perm +5000 -print`
do
if [ -x $proggy ] ; then
owner="`ls -ld $proggy | awk '{print $3}'`"
lastmod="`ls -ld $proggy | awk '{print $6\" \"$7\" \"$8}'`"
echo " " $proggy " (owner is \"$owner\" and lastmod is $lastmod)"
fi
done
exit 0
-------------------------------------------------------------------------------
12. Brute Forcing SMTP Usernames
-------------------------------------------------------------------------------
Use brute forcing of common usernames with EXPN
-------------------------------------------------------------------------------
The expn command allows someone to telnet to a Sendmail server and give the
server an alias. The expn command expands the alias into the list of actual
recipients.
The following script allows for automation of issuing expn commands to
port 25 of a Sendmail server:
#!/usr/bin/perl
use Socket;
$target = $ARGV[0];
$list = $ARGV[1];
$port = 25;
$in_addr = (gethostbyname($target))[4];
$t_addr = sockaddr_in($port, $in_addr);
$proto = getprotobyname('tcp');
socket(SOCKET, AF_INET, SOCK_STREAM, $proto) || die ("error: socket()");
connect(SOCKET, $t_addr) || die ("error: connect()\n");
select(SOCKET); $| = 1; select(STDOUT);
$sd = ; print "$sd\n\n";
open(FILE, "$list") or die "\ncannot open $list\n $!";
foreach $username () {
chomp $username;
print "$username:\n";
$string = "expn ".$username."\n";
print S $string;
$resp = ;
print "$resp";
sleep 1;
}
The list of usernames should contain common usernames like 'root',
'guest', 'ftp', 'http', 'system', etc.
-------------------------------------------------------------------------------
13. Generate a List of IP Addresses From Web Links
-------------------------------------------------------------------------------
Use lynx and perl to generate a list of IP addresses from web links
-------------------------------------------------------------------------------
In the footprinting phase of an attack it is useful to farm all the links on
a target web page and see if any of those links relate to the target. First
the target website is mirrored:
$ lynx -accept-all-cookies -crawl -traversal http://www.victim.net
Then we search for all links and save those hostnames into a file:
$ grep -r "http://" * | cut -d"/" -f3 |sort |uniq > domains.txt
Now we can run a perl script which incorporates the host command to generate
a list of IP addresses:
#!/usr/bin/perl
open(FILE,$ARGV[0]);
while() {
chomp;
@hosts = (@hosts, $_);
}
close FILE;
foreach $line(@hosts){
$host = `host $line`;
if ($host =~ /has address/i) {
@ip = split(/has address /,$host);
$addr = @ip[1]; chomp $addr;
print "$addr\n";
}
}
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
