Difference between revisions of "Summerschool Aachen 2004/Network Reconnaissance Lab"

From C4 Wiki
Jump to: navigation, search
(SNMP Reconnaissance)
Line 7: Line 7:
  
 
-- [[Stephen Lewis]]
 
-- [[Stephen Lewis]]
 +
 +
=== Fingerprinting ===
 +
 +
So we gave out some mandatory work for today. It was considered boring and frustrating by most and they considered all other possibilities more entertaining. Is that a patter about the grass being greener elsewhere? Alexander seemed to consider the requirement of doing something he doesn't enjoy for a whole afternoon to hard and left without notice. I'm disappointed about that.
 +
 +
To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:
 +
 +
    def loadFingerprints(self):
 +
        # seek list of probes
 +
        for l in sys.stdin:
 +
            if 'Here are the DNS packets sent by the surveying program:' in l:
 +
                break
 +
        for l in sys.stdin:
 +
            if l.startswith('<tr><td align=right>'):
 +
                fields = l.split('<td>')
 +
                # this IS exploiutable
 +
                tests.append((eval(fields[1].strip('</>tdtr')), fields[2].strip('</>tdtr</td></tr>\n')))
 +
            if '</table>' in l:
 +
                break
 +
 +
        # seek list of probes
 +
        for l in sys.stdin:
 +
            if not l.startswith('<tr><td>'):
 +
                continue
 +
            if l.startswith('<tr><td>Software</td>'):
 +
                continue
 +
            probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])
 +
 +
Crude, but works. Mostly. I get entries like
 +
['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']
 +
that is fine, but others are not
 +
['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']
 +
I decided to leave that problem for later.
 +
 +
Scaning was easy now:
 +
 +
    def scanTargets(self, targetlist, timeout=1):
 +
        for target in targetlist:
 +
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 +
            s.settimeout(timeout)
 +
            s.connect((target, 53))
 +
            for test, desc in tests:
 +
                flags = []   
 +
                reply = None
 +
                retries = 5
 +
                while 1:
 +
                    print 'sending %r ...' %test,
 +
                    s.send(test)
 +
                    try:
 +
                        reply = s.recv(1500)   
 +
                        print repr(reply)
 +
                        break 
 +
                    except socket.timeout:
 +
                        print "timeout"
 +
                        retries -= 1
 +
                        if retries < 0:
 +
                            flags.append('t')
 +
                            break
 +
                if reply:
 +
                    flags.extend(self.checkFlags(reply))
 +
                print "xxx", flags
 +
 +
I did parse the response:
 +
 +
    def checkFlags(self, reply):
 +
 +
        flags = []
 +
        u = DNS.Lib.Munpacker(reply)
 +
        r = DNS.Lib.DnsResult(u, [])
 +
        # check RCODE
 +
        flags.append(r.header['rcode'])
 +
        if r.header['tc']:
 +
            flags.append('TC')
 +
        if r.header['rd']:
 +
            flags.append('RD')
 +
        if r.header['aa']:
 +
            flags.append('AA')
 +
        if r.answers:
 +
            flags.append('D')
 +
        if len(r.questions) == 0:
 +
            flags.append('q')
 +
        if len(r.questions) == 0:
 +
            flags.append('Q2')
 +
        # X is missing
 +
 +
        # print vars(r)
 +
        return flags
 +
 +
But I failed to implement matching against the fingerprints database. I also got far to much timeouts to my DNS queries. I didn't investigate further. :-(
 +
 +
-- MaxDornseif

Revision as of 19:14, 27 September 2004

Notes on Presentations

Notes on Lab Session

SNMP Reconnaissance

This is a placeholder for the results of the SNMP scanning I've been doing, but here's a list of default passwords that others might find useful

-- Stephen Lewis

Fingerprinting

So we gave out some mandatory work for today. It was considered boring and frustrating by most and they considered all other possibilities more entertaining. Is that a patter about the grass being greener elsewhere? Alexander seemed to consider the requirement of doing something he doesn't enjoy for a whole afternoon to hard and left without notice. I'm disappointed about that.

To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:

   def loadFingerprints(self): 
       # seek list of probes 
       for l in sys.stdin: 
           if 'Here are the DNS packets sent by the surveying program:' in l: 
               break 
       for l in sys.stdin: 
           if l.startswith('<tr><td align=right>'): 
               fields = l.split('<td>') 
               # this IS exploiutable 
               tests.append((eval(fields[1].strip('</>tdtr')), fields[2].strip('</>tdtr</td></tr>\n'))) 
           if '</table>' in l: 
               break 

       # seek list of probes 
       for l in sys.stdin: 
           if not l.startswith('<tr><td>'): 
               continue 
           if l.startswith('<tr><td>Software</td>'): 
               continue 
           probes.append([x.replace('</td>', ).replace('tr>', ).strip(' </\n') for x in l.split('<td>')])

Crude, but works. Mostly. I get entries like

[, 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']

that is fine, but others are not

[, '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']

I decided to leave that problem for later.

Scaning was easy now:

    def scanTargets(self, targetlist, timeout=1): 
       for target in targetlist:
           s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
           s.settimeout(timeout)
           s.connect((target, 53)) 
           for test, desc in tests: 
               flags = []    
               reply = None 
               retries = 5 
               while 1: 
                   print 'sending %r ...' %test, 
                   s.send(test) 
                   try: 
                       reply = s.recv(1500)     
                       print repr(reply) 
                       break   
                   except socket.timeout: 
                       print "timeout"
                       retries -= 1 
                       if retries < 0: 
                           flags.append('t') 
                           break
               if reply: 
                   flags.extend(self.checkFlags(reply)) 
               print "xxx", flags 

I did parse the response:

   def checkFlags(self, reply): 

       flags = [] 
       u = DNS.Lib.Munpacker(reply) 
       r = DNS.Lib.DnsResult(u, []) 
       # check RCODE 
       flags.append(r.header['rcode']) 
       if r.header['tc']: 
           flags.append('TC') 
       if r.header['rd']: 
           flags.append('RD') 
       if r.header['aa']: 
           flags.append('AA') 
       if r.answers: 
           flags.append('D') 
       if len(r.questions) == 0: 
           flags.append('q') 
       if len(r.questions) == 0: 
           flags.append('Q2') 
       # X is missing 

       # print vars(r) 
       return flags 

But I failed to implement matching against the fingerprints database. I also got far to much timeouts to my DNS queries. I didn't investigate further. :-(

-- MaxDornseif