piątek, 22 lipca 2016


Couple of days ago I decided to write some “small script in Bash” to automate a little bit the work related to (so called) “information gathering” during the pentests. I decided to choose Bash because I’m working with it, most of time during the day anyway, so…

After writing 150 lines ;D I decide to switch to Python. ;) And that’s how I wrote a(nother) big a nasty code called ‘bikoz.py’. Maybe you will find it useful: 

Idea was simple: do what we’re doing during the pentest, and… do any-next-step-if-needed. ;)

  1. nmap target host/range/ip/domain to log
  2. grep openPorts log
  3. define sploits from metasploit to use it later
  4. ...as generated .rc file. ;)

Cases like ‘save to file’ and so on, I will leave for you. For now, let’s say ‘as a dirty-hack’ it’s enough to save the output like “> file.txt” (yeah, yeah… coding…) 

"Let's get to work."

I started few VMs to check some output from nmap when we will use flags like:

$ nmap –sV –T4 –A –n –v <host> -oN host.log 

List of tested hosts (including OS’s) below:
Debian 7
Kali Linux


Example output for Win8.1:
root@kali:/home/c/src/bikoz/logs#  nmap -sV -T4 -A -n -v -oN log.win8
Discovered open port 135/tcp on
Discovered open port 139/tcp on
Discovered open port 445/tcp on
Discovered open port 5357/tcp on
Discovered open port 49155/tcp on
Discovered open port 2869/tcp on
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds (primary domain: WORKGROUP)
2869/tcp  open  tcpwrapped
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49155/tcp open  msrpc        Microsoft Windows RPC
Running: Microsoft Windows 2008|7|Phone|Vista
OS details: Windows Server 2008 R2, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Phone 7.5       or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2,       Windows 7 SP1, or Windows Server 2008
; below you will find few logs from smb NSE tests…
Nmap done: 1 IP address (1 host up) scanned in 113.77 seconds

Example output for WinXP SP3:
Nmap scan report for
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp

Example output for Debian:
Host is up (0.00082s latency).
Not shown: 995 closed ports
22/tcp  open  ssh      OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
| ssh-hostkey: (…)
80/tcp  open  http     Apache httpd 2.2.22 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          38473/udp  status
|_  100024  1          53270/tcp  status
143/tcp open  imap     Dovecot imapd
|_imap-capabilities: (…)IMAP4rev1
993/tcp open  ssl/imap Dovecot imapd
|_imap-capabilities: (…)IMAP4rev1 ENABLE (…)
Running: Linux 3.X
OS details: Linux 3.2 - 3.13
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Example output for Kali:
root@kali:/home/c/src/bikoz/logs# cat log.kali
# Nmap 6.49BETA4 scan initiated Fri Jul 22 00:07:04 2016 as: nmap -sV -T4 -A -n -v -oN log.kali
22/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 ae:16:d4:c5:19:c7:de:f1:df:99:38:00:48:a4:e1:36 (DSA)
|   2048 3d:3b:53:27:ad:bb:71:19:03:b3:8d:d8:62:b7:61:1d (RSA)
|_  256 6f:1b:ac:c2:34:57:05:dd:ba:33:39:c0:ac:28:b5:22 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Apache2 Debian Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
Running: Linux 3.X
OS details: Linux 3.7 - 3.18

So, normally during your pentest, you will now have a list of possible open and interesting ports to check as a “next step”. grep for open ports should look like this:


(“In my opinion”) Base idea of Metasploit is: define a bug, exploit it, go-to-root. Ok.
When you will run it, normally, you will have to choose (or add) some payload/exploit/module and run it against a target host or range(s) of IP’s. We will do the same but in a different way.
Assuming - if you’re reading this - you already know a little bit about the python programming, shell scripting or Metasploit (as well as you know something about ‘how to use nmap’), we will now prepare a long, long ;) python script to use msfconsole against logs from nmap.

Spoiler: as you will see below… ;] code is extremely advanced and very, very 1337, so use it carefully and only when you will have permissions and necessary agreements. 

I will not paste the whole source here, so one more screen below:

For now in the code you will find few tests prepared for ports like:

Spoiler2: if you already know ‘some ruby’ (like ‘some python’ few lines before) you already know how simple it will be to:
  • find webapp bug
  • write .rb module
  • add it to msf and run with bikoz.py ;)

As you will see in the source, there are only few modules added. Feel free to let me know if you have any suggestion about what should be added (or modified) here. If you will find few minutes to update the script and add there something ‘favourite’ from your pentests – feel free to let me know. I will update this post.

Maybe someone will find it useful.

Have fun and remember to use it only for legal purpose.


Brak komentarzy:

Prześlij komentarz