A couple of days ago I decided to write a “small script in Bash” to automate a little bit of the work related to (so-called) “information gathering” during pentests. I chose Bash because I work with it most of the day anyway, so… After writing 150 lines ;D I decided to switch to Python. ;) And that’s how I wrote a(nother) big and nasty piece of code called ‘bikoz.py’. Maybe you will find it useful:
Idea
The idea was simple: do what we’re doing during the pentest, and… do any-next-step-if-needed. ;)
Ok.
<pseudocode>
- nmap target host/range/ip/domain to log
- grep openPorts log
- define sploits from metasploit to use it later
- ...as generated .rc file. ;)
</pseudocode>
Cases like ‘save to file’ and so on I will leave to you. For now, let’s say that ‘as a dirty hack’ it’s enough to save the output like “> file.txt” (yeah, yeah… coding…)
"Let's get to work."
I started a few VMs to check the output from nmap when we use flags like:
$ nmap -sV -T4 -A -n -v <host> -oN host.log
List of tested hosts (including OSs) below:
OS         | IP
Debian 7   | 192.168.56.70
WinXP SP3  | 192.168.56.100
Win8.1     | 192.168.56.8
Kali Linux | 192.168.56.123
Example output for Win8.1:
root@kali:/home/c/src/bikoz/logs# nmap -sV -T4 -A -n -v -oN log.win8 192.168.56.8
(…)
Discovered open port 135/tcp on 192.168.56.8
Discovered open port 139/tcp on 192.168.56.8
Discovered open port 445/tcp on 192.168.56.8
Discovered open port 5357/tcp on 192.168.56.8
Discovered open port 49155/tcp on 192.168.56.8
Discovered open port 2869/tcp on 192.168.56.8
(…)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds (primary domain: WORKGROUP)
2869/tcp  open  tcpwrapped
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49155/tcp open  msrpc        Microsoft Windows RPC
(…)
Running: Microsoft Windows 2008|7|Phone|Vista
(…)
OS details: Windows Server 2008 R2, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
(…)
; below you will find a few logs from the smb NSE tests…
(…)
Nmap done: 1 IP address (1 host up) scanned in 113.77 seconds
root@kali:/home/c/src/bikoz/logs#
Example output for WinXP SP3:
Nmap scan report for 192.168.56.100
(…)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
(…)
Running: Microsoft Windows XP|2003
(…)
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
(…)
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
Example output for Debian:
Host is up (0.00082s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey: (…)
80/tcp  open  http     Apache httpd 2.2.22 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100024  1         38473/udp   status
|_  100024  1         53270/tcp   status
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: (…)IMAP4rev1
(…)
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: (…)IMAP4rev1 ENABLE (…)
Running: Linux 3.X
(…)
OS details: Linux 3.2 - 3.13
(…)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Example output for Kali:
root@kali:/home/c/src/bikoz/logs# cat log.kali
# Nmap 6.49BETA4 scan initiated Fri Jul 22 00:07:04 2016 as: nmap -sV -T4 -A -n -v -oN log.kali 192.168.56.123
(…)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 ae:16:d4:c5:19:c7:de:f1:df:99:38:00:48:a4:e1:36 (DSA)
|   2048 3d:3b:53:27:ad:bb:71:19:03:b3:8d:d8:62:b7:61:1d (RSA)
|_  256 6f:1b:ac:c2:34:57:05:dd:ba:33:39:c0:ac:28:b5:22 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
(…)
Running: Linux 3.X
(…)
OS details: Linux 3.7 - 3.18
(…)
root@kali:/home/c/src/bikoz/logs#
So, normally during your pentest, you will now have a list of possible open and interesting ports to check as a “next step”. The grep for open ports should look like this:
Connection
(“In my opinion”) the base idea of Metasploit is: define a bug, exploit it, go to root. Ok.
When you run it, normally you have to choose (or add) some payload/exploit/module and run it against a target host or range(s) of IPs. We will do the same, but in a different way.
Assuming, if you’re reading this, that you already know a little bit about Python programming, shell scripting or Metasploit (as well as something about ‘how to use nmap’), we will now prepare a long, long ;) Python script to use msfconsole against the logs from nmap.
Spoiler: as you will see below… ;] the code is extremely advanced and very, very 1337, so use it carefully and only when you have permission and the necessary agreements.
I will not paste the whole source here, so one more screen below:
For now in the code you will find a few tests prepared for ports like:
Spoiler2: if you already know ‘some Ruby’ (like ‘some Python’ a few lines before) you already know how simple it will be to:
- find webapp bug
- write .rb module
- add it to msf and run with bikoz.py ;)
As you will see in the source, there are only a few modules added. Feel free to let me know if you have any suggestions about what should be added (or modified) here. If you find a few minutes to update the script and add something ‘favourite’ from your pentests, feel free to let me know. I will update this post.
Maybe someone will find it useful.
Have fun and remember to use it only for legal purposes.
Cheers,
o/
Updated: 14.08.2018 - FYI