Summerschool Aachen 2004/Network Reconnaissance Lab

From C4 Wiki
Revision as of 19:14, 27 September 2004 by 137.226.59.159 (talk) (SNMP Reconnaissance)

Notes on Presentations

Notes on Lab Session

SNMP Reconnaissance

This is a placeholder for the results of the SNMP scanning I've been doing, but here's a list of default passwords that others might find useful.

-- Stephen Lewis

Fingerprinting

So we gave out some mandatory work for today. It was considered boring and frustrating by most, and they considered all other possibilities more entertaining. Is that a pattern about the grass being greener elsewhere? Alexander seemed to consider the requirement of doing something he doesn't enjoy for a whole afternoon too hard and left without notice. I'm disappointed about that.

To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:

   import sys

   def loadFingerprints(self):
       # 'tests' and 'probes' are module-level lists (tests = [], probes = [])
       # filled from the HTML fingerprint page read on stdin
       # seek the table of test packets sent by the surveying program
       for l in sys.stdin:
           if 'Here are the DNS packets sent by the surveying program:' in l:
               break
       for l in sys.stdin:
           if l.startswith('<tr><td align=right>'):
               fields = l.split('<td>')
               # this IS exploitable: eval() of text taken straight from the page
               tests.append((eval(fields[1].strip('</>tdtr')), fields[2].strip('</>tdtr</td></tr>\n')))
           if '</table>' in l:
               break

       # seek the fingerprint table (one row per server software, header row skipped)
       for l in sys.stdin:
           if not l.startswith('<tr><td>'):
               continue
           if l.startswith('<tr><td>Software</td>'):
               continue
           probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])

Crude, but works. Mostly. I get entries like

   ['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']

that is fine, but others are not

   ['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']

I decided to leave that problem for later.

Scanning was easy now:

   import socket

   def scanTargets(self, targetlist, timeout=1):
       # send every test packet to each target's UDP port 53 and collect
       # the per-probe flag tokens; 'tests' is the module-level list above
       for target in targetlist:
           s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
           s.settimeout(timeout)
           s.connect((target, 53))
           for test, desc in tests:
               flags = []
               reply = None
               retries = 5
               while 1:
                   print 'sending %r ...' % test,
                   s.send(test)
                   try:
                       reply = s.recv(1500)
                       print repr(reply)
                       break
                   except socket.timeout:
                       print "timeout"
                       retries -= 1
                       if retries < 0:
                           flags.append('t')   # gave up on this probe: mark as timeout
                           break
               if reply:
                   flags.extend(self.checkFlags(reply))
               print "xxx", flags

I did parse the response:

   import DNS   # pydns

   def checkFlags(self, reply):
       # decode the reply with pydns and build the flag list in the order
       # the fingerprint tokens use: rcode, TC, RD, AA, D, q
       flags = []
       u = DNS.Lib.Munpacker(reply)
       r = DNS.Lib.DnsResult(u, [])
       # check RCODE
       flags.append(r.header['rcode'])
       if r.header['tc']:
           flags.append('TC')
       if r.header['rd']:
           flags.append('RD')
       if r.header['aa']:
           flags.append('AA')
       if r.answers:
           flags.append('D')
       if len(r.questions) == 0:
           flags.append('q')
       if len(r.questions) == 2:   # assumed: the original repeated the '== 0' test here
           flags.append('Q2')
       # X is missing

       # print vars(r)
       return flags

But I failed to implement matching against the fingerprints database. I also got far too many timeouts to my DNS queries. I didn't investigate further. :-(

-- MaxDornseif
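The matching step left unfinished above, as an added example that is not MaxDornseif's code or part of the original lab notes: a dependency-free decoder that turns a raw DNS reply header into the same flag token the fingerprint table uses (rcode, then TC/RD/AA, D for answers, q for a missing question section), and a ranker that compares observed tokens against fingerprint rows, treating 't' (timeout) on either side as unknown. The fingerprint rows and reply headers are constructed sample data; only the 'BIND 9.2' name comes from the page.

```python
import struct

# Constructed fingerprint rows in the shape loadFingerprints() produces:
# [ignored column, software, one token per probe...]; 't' = probe timed out.
PROBES = [
    ['', 'BIND 9.2', '4q', '5', '0AAD'],
    ['', 'Server-B (constructed)', 't', '5', '0RDAAD'],
]

def dns_flags(reply):
    """Summarise a raw DNS reply into a fingerprint token: RCODE digit, then
    TC/RD/AA if set, 'D' if the answer count is non-zero, 'q' if the question
    count is zero (the same order checkFlags() above uses)."""
    if len(reply) < 12:
        return 'X'                          # header too short to decode
    _id, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', reply[:12])
    tok = str(flags & 0x000F)               # RCODE is the low four bits
    if flags & 0x0200: tok += 'TC'
    if flags & 0x0100: tok += 'RD'
    if flags & 0x0400: tok += 'AA'
    if an: tok += 'D'
    if qd == 0: tok += 'q'
    return tok

def match_fingerprint(observed, rows):
    """Rank fingerprint rows against the observed tokens. A 't' on either
    side is unknown and counts neither for nor against a row.
    Returns [(software, hits, misses), ...] best-first."""
    ranked = []
    for row in rows:
        name, expected = row[1], row[2:]
        hit = miss = 0
        for o, e in zip(observed, expected):
            if 't' in (o, e):
                continue
            if o == e: hit += 1
            else: miss += 1
        ranked.append((name, hit, miss))
    ranked.sort(key=lambda r: (r[2], -r[1]))  # fewest misses, then most hits
    return ranked

# Constructed replies, header only: id, flags, qdcount, ancount, nscount, arcount.
REPLIES = [
    struct.pack('!HHHHHH', 1, 0x8084, 0, 0, 0, 0),  # NOTIMP, no question -> '4q'
    struct.pack('!HHHHHH', 2, 0x8085, 1, 0, 0, 0),  # REFUSED -> '5'
    struct.pack('!HHHHHH', 3, 0x8400, 1, 1, 0, 0),  # NOERROR, AA, 1 answer -> '0AAD'
]

def fingerprint_replies(replies=REPLIES, rows=PROBES):
    return match_fingerprint([dns_flags(r) for r in replies], rows)

if __name__ == '__main__':
    print(fingerprint_replies())
```

Running it against your own resolvers is a quick way to see which probes a server answers identically, which is what decides how distinguishable it is in such a table.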