"If there was an Encyclopedia Britannica of computer security, it would be Hacking Exposed."
--Marty Roesch, creator of the Snort tool

In our hacking travels we have written a number of Perl scripts to automate
the often tedious work of enumeration and scanning. Each script drives
separate, external programs and, from their output, writes a set of files
that help you understand the threats present in your environment.
Both the Unixscan and NTscan archives are ZIP password "protected". The
password is the last name of the author of the netview scanner, which you
will find on page 81 of "Hacking Exposed, 2nd edition". For those of you
without a copy of the book yet: buy one (or hack the ZIP!). Please send
comments and suggestions to stu@hackingexposed.com
Unixscan
(My apologies up front to the Unix purists for shipping the Unix Perl
scripts in a ZIP.)
This Perl script calls a number of built-in and public domain tools to port
scan and otherwise enumerate every system on a network. Options include an
initial ping sweep to build the array of live hosts before port scanning, or
skipping the sweep and scanning every address in the range. To stay off the
radar of network intrusion detection products, a randomize option scans the
hosts in random order; this defeats signatures that key on sequential sweeps
of an address range, but it does not hide the individual probes, each of
which is still logged by the target. Using strobe, the script finds open
ports and grabs the banner each service presents. If DNS (port 53) is open,
it queries the TXT record version.bind in the CHAOS class, which BIND answers
with its version string unless the administrator has overridden it with the
version option in named.conf. It also requests a zone transfer (AXFR) to
pull back every host registered in the zone. If NFS is open, the script lists
exported file systems with showmount. If the portmapper (port 111) answers,
the script lists the registered RPC programs and their ports with rpcinfo.
If SNMP (UDP 161) is open, it walks the MIB using a configurable list of
community strings. Using icmpquery, it sends an ICMP address mask request to
learn the subnet mask configured on the interface. If finger is running, it
tries several query forms (a bare request, "0", user names, and the like) to
enumerate users on the system. The output is organized by running service
and then by host. While not yet HTMLized, the script is a great head start
for finding vulnerable systems on your network.
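The BIND version check described above does not need strobe or dig; it is a single UDP query with class CHAOS (3) and type TXT (16) for the name version.bind. The following is an added example, not code from the Unixscan script, that builds that query, parses the reply, and is exercised against a constructed response so it runs offline; query_bind_version() sends the same packet to a real server on port 53. The sample version string "8.2.2-P5" and the transaction ids are made up for the test.

```python
import random
import socket
import struct
import sys

QTYPE_TXT = 16   # TXT record
QCLASS_CH = 3    # CHAOS class, where BIND publishes version.bind


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = None) -> bytes:
    """Build the 'dig @host version.bind txt chaos' packet by hand."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_version_reply(buf: bytes):
    """Return (rcode, [version strings]) from a DNS reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                 # skip the echoed question
        off = skip_name(buf, off) + 4
    versions = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            # TXT rdata is a sequence of <len><chars> character strings
            i, parts = 0, []
            while i < len(rdata):
                length = rdata[i]
                parts.append(rdata[i + 1:i + 1 + length].decode("latin-1"))
                i += 1 + length
            versions.append("".join(parts))
    return rcode, versions


def query_bind_version(host: str, timeout: float = 3.0):
    """Send the CHAOS query to a live server (not used by the offline test)."""
    query = build_version_query()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (host, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_version_reply(data)


def build_sample_reply(txid: int, version: str = None) -> bytes:
    """Constructed reply for offline testing: answer with a version string,
    or REFUSED (rcode 5) with no answer when version is None."""
    question = encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    if version is None:
        return struct.pack(">HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question
    txt = bytes([len(version)]) + version.encode("ascii")
    # 0xC00C is a pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return struct.pack(">HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    print(query_bind_version(sys.argv[1]))
```

A server that has set the version option answers with whatever string the administrator chose, or with REFUSED; treat the answer as a hint, not proof, and confirm a suspected old BIND through its actual behaviour.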
NTscan
This Perl script calls a number of built-in, public domain, and commercially
available enumeration tools to port scan and otherwise enumerate every NT
system on your network. Options include ping sweeps, port scans, and NT
enumeration. Like Unixscan, NTscan can skip the ping sweep before
enumerating, and can randomize the order in which hosts are scanned to
elude network based intrusion detection products. Using netcat to port scan
a host, the script decides whether the target is running NT. If it is not,
but port 139 is open (indicating Samba or Windows 9x), the script enumerates
shares with the net view command and stops. If the target is NT, the script
applies many of the techniques discussed in the book to perform complete
user, group, share, and registry enumeration. If SNMP is running, it pulls
back the MIB using easy-to-guess (and configurable) community names such as
"public" and "private". If port 135 (the RPC endpoint mapper) is open, the
script enumerates the system's RPC endpoints, which often reveals the
internal IP address of a dual-homed system. The script also detects when the
RestrictAnonymous registry value is set (which blocks anonymous user and
share listing over the null session) and falls back to user2sid/sid2user,
which resolve names and SIDs through the LSA and are not blocked by that
setting, to enumerate all users. The script produces a nice HTMLized series
of files that you can use to track down your vulnerable NT systems.
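The user2sid/sid2user fallback above works because every account in a domain shares the domain SID and differs only in the trailing RID, so once one SID is known the rest can be walked. The following is an added example, not part of NTscan, that converts between the textual and binary SID forms and generates the candidate SIDs (well-known RIDs first, then a sequential range) that a SID-walking loop would feed to sid2user. The sample domain SID and the assumption that sid2user takes the authority and sub-authorities as separate numeric arguments (the form used in the book) are mine.

```python
import struct

# RIDs that exist on every NT domain, so they are worth trying first
WELL_KNOWN_RIDS = {
    500: "Administrator",   # cannot be deleted, only renamed
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(text: str):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, authority, [sub-authorities])."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % text)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return revision, authority, subs


def sid_to_bytes(text: str) -> bytes:
    """Binary SID as it travels over the wire:
    revision(1) count(1) authority(6, big-endian) sub-authorities(4 each, little-endian)."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes) -> str:
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid_from_account(account_sid: str) -> str:
    """Strip the RID: the remainder is the domain SID shared by all accounts."""
    return account_sid.rsplit("-", 1)[0]


def candidate_sids(domain_sid: str, start: int = 1000, count: int = 50):
    """Well-known RIDs first, then the sequential range NT hands out to new accounts."""
    rids = list(WELL_KNOWN_RIDS) + list(range(start, start + count))
    return ["%s-%d" % (domain_sid, rid) for rid in rids]


def sid2user_argv(host: str, sid: str):
    """Argument vector for sid2user, assumed to take '\\\\host auth sub1 sub2 ... rid'."""
    _, authority, subs = parse_sid(sid)
    return ["sid2user", "\\\\" + host, str(authority)] + [str(s) for s in subs]


if __name__ == "__main__":
    # constructed sample: the SID user2sid returned for the Guest account
    guest = "S-1-5-21-8915387-1645822062-18198280-501"
    domain = domain_sid_from_account(guest)
    for sid in candidate_sids(domain, count=5):
        print(" ".join(sid2user_argv("192.168.202.33", sid)))
```

Because the Administrator account always has RID 500, resolving it with sid2user also reveals the real name of a renamed administrator, which is the main reason the walk starts with the well-known RIDs.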
Webping
This Perl script uses Netcat to connect to web servers and determine whether
they are vulnerable to the IISHACK (IIS 4.0 .htr overflow) and/or the MDAC
(RDS, msadcs.dll) attack. IISHACK detection is maybe 50% accurate, while
MDAC detection is over 90%. You will need Netcat in your path, and if you
run the script under Unix you will need to edit the script, changing the
word "type" to "cat" (the command it uses to pipe the request file into
Netcat).
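What Webping's Netcat pipeline amounts to for the MDAC check is one HTTP request for /msadc/msadcs.dll and a look at the answer: an RDS-enabled IIS returns 200 with Content-Type: application/x-varg, the signal the well-known msadc checks key on. The following is an added example, not Webping itself, that issues that request over a raw socket and classifies the response; the classifier is tested offline on constructed responses, and the probe_host() function against a live server is included for completeness. The IISHACK side is left out because the page gives no criterion for it.

```python
import socket

MDAC_PATH = "/msadc/msadcs.dll"   # RDS DataFactory entry point


def build_probe(host: str, path: str = MDAC_PATH) -> bytes:
    """The request Webping would feed to Netcat (HTTP/1.0, so the server closes)."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii")


def parse_response(raw: bytes):
    """Return (status code or None, {lowercased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1", "replace") if lines else ""
    code = None
    fields = status_line.split()
    if len(fields) >= 2 and fields[0].startswith("HTTP/") and fields[1].isdigit():
        code = int(fields[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return code, headers


def classify_mdac_response(raw: bytes) -> str:
    """'rds_present' when msadcs.dll answered as RDS does, 'not_found' on 404,
    'auth_required' on 401/403, otherwise 'unknown' (e.g. non-IIS or no reply)."""
    code, headers = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    if code == 200 and ctype.startswith("application/x-varg"):
        return "rds_present"
    if code == 404:
        return "not_found"
    if code in (401, 403):
        return "auth_required"
    return "unknown"


def probe_host(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check (not used by the offline test): send the probe and classify."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(build_probe(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return classify_mdac_response(b"".join(chunks))


# constructed responses for offline testing
RDS_REPLY = (b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
             b"Content-Type: application/x-varg\r\nContent-Length: 0\r\n\r\n")
MISSING_REPLY = (b"HTTP/1.0 404 Object Not Found\r\nServer: Microsoft-IIS/4.0\r\n"
                 b"Content-Type: text/html\r\n\r\n<html>not found</html>")
OTHER_REPLY = b"HTTP/1.0 200 OK\r\nServer: Apache/1.3\r\nContent-Type: text/html\r\n\r\n"
```

A "rds_present" result means the RDS component is installed and answering, which is why the check is so reliable; whether it is actually exploitable still depends on the MDAC version and the server's registry settings, so confirm before reporting it as a hole.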