Difference between revisions of "Summerschool Aachen 2004/Network Reconnaissance Lab"
Mario Manno, minor edit (→SNMP Reconnaissance): added pre for C0DE
Revision as of 19:22, 27 September 2004
Notes on Presentations
Notes on Lab Session
SNMP Reconnaissance
This is a placeholder for the results of the SNMP scanning I've been doing, but here's a list of default passwords that others might find useful.
Fingerprinting
So we gave out some mandatory work for today. It was considered boring and frustrating by most, and they considered all other possibilities more entertaining. Is that a pattern about the grass being greener elsewhere? Alexander seemed to consider the requirement of doing something he doesn't enjoy for a whole afternoon too hard and left without notice. I'm disappointed about that.
To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:
<pre>
# Python 2; `tests` (probe packets) and `probes` (fingerprint rows) are
# module-level lists that this method fills from the HTML page read on stdin.
import sys

def loadFingerprints(self):
    # seek list of probes
    for l in sys.stdin:
        if 'Here are the DNS packets sent by the surveying program:' in l:
            break
    for l in sys.stdin:
        if l.startswith('<tr><td align=right>'):
            fields = l.split('<td>')
            # this IS exploitable: eval() on text taken from a web page
            # runs whatever the author of that page put into the cell
            tests.append((eval(fields[1].strip('</>tdtr')), fields[2].strip('</>tdtr</td></tr>\n')))
        if '</table>' in l:
            break
    # seek fingerprint table (one row per software)
    for l in sys.stdin:
        if not l.startswith('<tr><td>'):
            continue
        if l.startswith('<tr><td>Software</td>'):
            continue
        probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])
</pre>
Crude, but works. Mostly. I get entries like
<pre>
['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']
</pre>
that is fine, but others are not
<pre>
['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']
</pre>
I decided to leave that problem for later.
Scanning was easy now:
<pre>
import socket

def scanTargets(self, targetlist, timeout=1):
    for target in targetlist:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        s.connect((target, 53))
        for test, desc in tests:
            flags = []
            reply = None
            retries = 5
            while 1:
                print 'sending %r ...' % test,
                s.send(test)
                try:
                    reply = s.recv(1500)
                    print repr(reply)
                    break
                except socket.timeout:
                    print "timeout"
                    retries -= 1
                    if retries < 0:
                        # give up on this probe; 't' is the timeout marker
                        # used in the fingerprint table
                        flags.append('t')
                        break
            if reply:
                flags.extend(self.checkFlags(reply))
            print "xxx", flags
</pre>
I did parse the response:
<pre>
import DNS   # pydns: DNS.Lib.Munpacker / DnsResult decode the reply

def checkFlags(self, reply):
    flags = []
    u = DNS.Lib.Munpacker(reply)
    r = DNS.Lib.DnsResult(u, [])
    # check RCODE
    flags.append(r.header['rcode'])
    if r.header['tc']:
        flags.append('TC')
    if r.header['rd']:
        flags.append('RD')
    if r.header['aa']:
        flags.append('AA')
    if r.answers:
        flags.append('D')
    if len(r.questions) == 0:
        flags.append('q')
    if len(r.questions) == 0:
        # same condition as 'q' above; the intended test for 'Q2' is not given
        flags.append('Q2')
    # X is missing
    # print vars(r)
    return flags
</pre>
But I failed to implement matching against the fingerprints database. I also got far too many timeouts to my DNS queries. I didn't investigate further. :-(
-- MaxDornseif
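Added example (not code from the page or its author): a Python 3 rewrite of the three pieces above, serving both the HTML parser with its eval() and the checkFlags/matching part that was left unfinished. It assumes the probe table rows have the layout (number, repr of packet, description) the original parser expects, and that fingerprint tokens follow the notation visible in the page's output (RCODE digits, then TC/RD/AA, D for a non-empty answer section, q for an empty question section, t for timeout). The 'short' token for a truncated reply, the sample probe HTML, the reply_header helper and the 'Sample server' fingerprint row are this example's own constructions.

```python
# Added example, not code from the original page or its author: a Python 3
# rewrite without the eval() on attacker-controlled HTML, plus fingerprint matching.
import ast
import struct
from html.parser import HTMLParser

class TableRows(HTMLParser):
    """Collect the text of every <td> per <tr>; copes with unclosed <td> cells."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None
    def _close_cell(self):
        if self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row, self._cell = [], None
        elif tag == "td" and self._row is not None:
            self._close_cell()
            self._cell = []
    def handle_endtag(self, tag):
        if tag == "td":
            self._close_cell()
        elif tag == "tr" and self._row is not None:
            self._close_cell()
            self.rows.append(self._row)
            self._row = None
    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

def parse_probe_table(html):
    """[(probe_bytes, description)] from rows (number, repr(packet), text), the
    layout the original parser assumed.  ast.literal_eval accepts literals only,
    so a hostile page cannot run code the way eval() allowed."""
    p = TableRows()
    p.feed(html)
    probes = []
    for row in p.rows:
        if len(row) < 3 or not row[0].isdigit():
            continue                               # header/separator rows
        packet = ast.literal_eval(row[1])
        if isinstance(packet, str):                # Python 2 repr: no b'' prefix
            packet = packet.encode("latin-1")
        probes.append((packet, row[2]))
    return probes

def build_query(name, qtype=1, qclass=1, txid=0x1234):
    """Minimal DNS query with RD set; used here to construct sample probes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def flags_from_reply(reply):
    """Token in the table's notation: RCODE, TC/RD/AA, 'D' if answers exist,
    'q' if the question section is empty; None (timeout) gives 't' and a
    truncated header 'short' (the latter is this example's own convention)."""
    if reply is None:
        return "t"
    if len(reply) < 12:
        return "short"
    _txid, bits, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    token = str(bits & 0x000F)                     # RCODE is the low 4 bits
    for mask, letter in ((0x0200, "TC"), (0x0100, "RD"), (0x0400, "AA")):
        if bits & mask:
            token += letter
    if an:
        token += "D"
    if qd == 0:
        token += "q"
    return token

def match_fingerprints(observed, fingerprints):
    """Rank (software, hits) by the number of probes whose token agrees exactly."""
    ranked = [(name, sum(o == t for o, t in zip(observed, tokens)))
              for name, tokens in fingerprints]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked

def reply_header(rcode, aa=False, tc=False, rd=False, qd=1, an=0):
    """Construct a 12-byte reply header (QR set) for offline testing."""
    bits = (0x8000 | (0x0400 if aa else 0) | (0x0200 if tc else 0)
            | (0x0100 if rd else 0) | (rcode & 0xF))
    return struct.pack("!HHHHHH", 0x1234, bits, qd, an, 0, 0)

# Constructed sample input in the shape the original parser expected, and a
# two-row fingerprint table: 'BIND 9.2' uses the first four tokens from the
# page's own output, 'Sample server' is invented.
SAMPLE_PROBE_HTML = "\n".join([
    "Here are the DNS packets sent by the surveying program:",
    "<table><tr><td>No.<td>Packet<td>Description</td></tr>",
    "<tr><td align=right>1<td>%r<td>A query, RD set</td></tr>" % build_query("example.com"),
    "<tr><td align=right>2<td>%r<td>TXT version.bind CH</td></tr>"
    % build_query("version.bind", 16, 3),
    "</table>",
])
SAMPLE_FINGERPRINTS = [("BIND 9.2", ["4q", "5", "5", "1q"]),
                       ("Sample server", ["0AAD", "0AAD", "5", "1q"])]
```

Feed the real page through parse_probe_table, send each probe the way scanTargets does, pass each reply (or None on timeout) to flags_from_reply, and hand the token list to match_fingerprints; with the constructed data, replies giving 4q, 5, 5, 1q rank BIND 9.2 first with four hits. The 'X' flag the author notes as missing is not implemented here either, and exact-match counting treats every disagreeing probe as one lost point, which is enough to see whether the table matches at all but not a substitute for the full scoring scheme.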