Difference between revisions of "Summerschool Aachen 2004/Network Reconnaissance Lab"

From C4 Wiki
(SNMP Reconnaissance)
m (added pre for C0DE)
Line 13: Line 13:
  
 
To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:
 
To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:
 
+
<pre>
 
     def loadFingerprints(self):  
 
     def loadFingerprints(self):  
 
         # seek list of probes  
 
         # seek list of probes  
Line 34: Line 34:
 
                 continue  
 
                 continue  
 
             probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])
 
             probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])
 +
</pre>
 +
Crude, but works. Mostly. I get entries like
  
Crude, but works. Mostly. I get entries like
 
 
  ['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']
 
  ['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']
 +
 
that is fine, but others are not
 
that is fine, but others are not
 +
 
  ['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']
 
  ['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']
 +
 
I decided to leave that problem for later.
 
I decided to leave that problem for later.
  
 
Scaning was easy now:
 
Scaning was easy now:
+
<pre>
 
     def scanTargets(self, targetlist, timeout=1):  
 
     def scanTargets(self, targetlist, timeout=1):  
 
         for target in targetlist:
 
         for target in targetlist:
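Review bot: the closing `</pre>` is added directly after the `probes.append(...)` comprehension, so the listing ends cleanly before "Crude, but works."; the point worth a comment in the listing is that the comprehension strips `</td>` and `tr>` textually, which is why the second sample entry below comes out as `['', '1', '1', 't', ...]` with no software name, so a one-line note that rows with extra markup are not handled would stop the next reader from blaming the `<pre>` rendering. The prose line "Scaning was easy now:" should read "Scanning".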
Line 68: Line 72:
 
                     flags.extend(self.checkFlags(reply))  
 
                     flags.extend(self.checkFlags(reply))  
 
                 print "xxx", flags  
 
                 print "xxx", flags  
 
+
</pre>
 
I did parse the response:
 
I did parse the response:
 
+
<pre>
 
     def checkFlags(self, reply):  
 
     def checkFlags(self, reply):  
 
   
 
   
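Review bot: `print "xxx", flags` at the end of `scanTargets` is a debugging print that is now rendered verbatim inside the new `<pre>` block; either replace the `xxx` label with the target and probe description the list belongs to or drop the line, since as listed the reader cannot tell what the printed flag list refers to.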
Line 94: Line 98:
 
         # print vars(r)  
 
         # print vars(r)  
 
         return flags  
 
         return flags  
 
+
</pre>
 
But I failed to implement matching against the fingerprints database. I also got far to much timeouts to my DNS queries. I didn't investigate further. :-(
 
But I failed to implement matching against the fingerprints database. I also got far to much timeouts to my DNS queries. I didn't investigate further. :-(
  
 
-- MaxDornseif
 
-- MaxDornseif
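Review bot: the `</pre>` lands after `return flags`, which is the right end for the `checkFlags` listing, but the commented-out `# print vars(r)` just above it is leftover debugging, and the comment `# X is missing` is not explained anywhere in the listing; one line saying which fingerprint flag `X` stands for would make the block self-contained. In the prose, "far to much timeouts" should read "far too many timeouts".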

Revision as of 19:22, 27 September 2004

Notes on Presentations

Notes on Lab Session

SNMP Reconnaissance

This is a placeholder for the results of the SNMP scanning I've been doing, but here's a list of default passwords that others might find useful.

-- Stephen Lewis

Fingerprinting

So we gave out some mandatory work for today. It was considered boring and frustrating by most and they considered all other possibilities more entertaining. Is that a pattern about the grass being greener elsewhere? Alexander seemed to consider the requirement of doing something he doesn't enjoy for a whole afternoon too hard and left without notice. I'm disappointed about that.

To find out if the task was really unbearable I sat down myself and implemented what I asked for. The basic parser was quickly done:

    def loadFingerprints(self):
        # needs `import sys` and two module-level lists, `tests` and `probes`,
        # which this method fills from the survey's HTML page read on stdin
        # seek the list of probes (the raw packets the survey sent)
        for l in sys.stdin:
            if 'Here are the DNS packets sent by the surveying program:' in l:
                break
        for l in sys.stdin:
            if l.startswith('<tr><td align=right>'):
                fields = l.split('<td>')
                # this IS exploitable: the packet bytes are eval()ed straight from the HTML
                tests.append((eval(fields[1].strip('</>tdtr')), fields[2].strip('</>tdtr</td></tr>\n')))
            if '</table>' in l:
                break

        # then the fingerprint table: one row per server software
        for l in sys.stdin:
            if not l.startswith('<tr><td>'):
                continue
            if l.startswith('<tr><td>Software</td>'):   # skip the header row
                continue
            # crude textual stripping of the cell markup; rows with extra markup break this
            probes.append([x.replace('</td>', '').replace('tr>', '').strip(' </\n') for x in l.split('<td>')])

Crude, but works. Mostly. I get entries like

    ['', 'BIND 9.2', '4q', '5', '5', '1q', '2', '1q', '1q', '1q', '1q', '3AA', '0AA', '3AA', '3AA', '3AA', '3AA', '3AA', '4q', '4q', '4q', '3AA', '3AA', '5', '0AAD, 2, 5']

that is fine, but others are not

    ['', '1', '1', 't', 't', 't', 't', 't', 't', '1', 't', '0', 't', '0', '15', '0Z0', '0', '0', 't', 't', 't', '0', '0', 't', '4']

I decided to leave that problem for later.

Scanning was easy now:

    def scanTargets(self, targetlist, timeout=1):
        # needs `import socket`; `tests` is the probe list filled by loadFingerprints
        for target in targetlist:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(timeout)
            s.connect((target, 53))
            for test, desc in tests:
                flags = []
                reply = None
                retries = 5
                while True:
                    print 'sending %r ...' % test,
                    s.send(test)
                    try:
                        reply = s.recv(1500)
                        print repr(reply)
                        break
                    except socket.timeout:
                        print "timeout"
                        retries -= 1
                        if retries < 0:
                            # give up on this probe; 't' is the fingerprint value for a timeout
                            flags.append('t')
                            break
                if reply:
                    flags.extend(self.checkFlags(reply))
                print "xxx", flags
            s.close()

I did parse the response:

    def checkFlags(self, reply):
        # needs `import DNS` (pydns); returns the fpdns-style flag list for one reply
        flags = []
        u = DNS.Lib.Munpacker(reply)
        r = DNS.Lib.DnsResult(u, [])
        # check RCODE
        flags.append(r.header['rcode'])
        if r.header['tc']:
            flags.append('TC')
        if r.header['rd']:
            flags.append('RD')
        if r.header['aa']:
            flags.append('AA')
        if r.answers:
            flags.append('D')
        if len(r.questions) == 0:
            flags.append('q')
        # the original re-tested `== 0` here; assumption: 'Q2' means two or more question records
        if len(r.questions) >= 2:
            flags.append('Q2')
        # X is missing
        # print vars(r)
        return flags

But I failed to implement matching against the fingerprints database. I also got far too many timeouts to my DNS queries. I didn't investigate further. :-(

-- MaxDornseif
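An added example, written here and not part of MaxDornseif's lab code, that shows in Python 3 and without the pydns library the two pieces the post leaves open: reducing a reply header to the fpdns-style flag string that checkFlags builds, and ranking the parsed fingerprint rows against it, with a timed-out probe kept as 't' so it only costs one mismatch instead of breaking the match. The replies and the two-row table are constructed for the example; the BIND 9.2 row reuses the first three values of the page's sample entry.

```python
import struct

# Constructed replies for this example, not captures from a real server.
# A DNS header is 12 bytes: id, flags, qdcount, ancount, nscount, arcount.
def dns_header(rcode, aa=0, tc=0, rd=0, qd=1, an=0):
    flags = (1 << 15) | (aa << 10) | (tc << 9) | (rd << 8) | rcode  # QR set: a reply
    return struct.pack('!HHHHHH', 0x1234, flags, qd, an, 0, 0)

def fingerprint(reply):
    """Reduce one probe reply to an fpdns-style flag string, in the order
    checkFlags uses: rcode, TC, RD, AA, D (has answers), q (no question).
    None stands for a timed-out probe and becomes 't', as in scanTargets."""
    if reply is None:
        return 't'
    if len(reply) < 12:
        return '?'   # shorter than a header: mark unparseable instead of crashing
    _, flags, qd, an, _, _ = struct.unpack('!HHHHHH', reply[:12])
    out = str(flags & 0x000F)          # RCODE lives in the low four bits
    if flags & 0x0200:
        out += 'TC'
    if flags & 0x0100:
        out += 'RD'
    if flags & 0x0400:
        out += 'AA'
    if an:
        out += 'D'
    if qd == 0:
        out += 'q'
    return out

def rank_matches(observed, table):
    """Rank fingerprint rows by how many probe positions disagree with the
    observed flags; 0 mismatches is an exact match. Rows have the shape
    loadFingerprints produces, minus its leading empty cell: [software, flag, ...]."""
    ranked = []
    for row in table:
        mismatches = sum(a != b for a, b in zip(row[1:], observed))
        mismatches += abs(len(row) - 1 - len(observed))   # unequal probe counts count too
        ranked.append((mismatches, row[0]))
    return sorted(ranked)

# Constructed three-probe table in the page's row format (software name first).
FINGERPRINTS = [
    ['BIND 9.2', '4q', '5', '5'],
    ['Other server', '1q', '5', '5'],
]

if __name__ == '__main__':
    replies = [dns_header(4, qd=0), dns_header(5), None]   # third probe timed out
    observed = [fingerprint(r) for r in replies]
    print(observed, rank_matches(observed, FINGERPRINTS))
```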