To attack a target you must know where the target is. On numerous occasions we have seen that attacking the front door is of no use. Rather attack a branch or subsidiary and attack the main network from there. If a recipe exists for mapping a network from the Internet it would involve some or all of the following steps:
• Find out what "presence" the target has on the Internet. This include looking at web server-, mail exchanger and NS server IP addresses. If a zone transfer can be done it is a bonus. Also look for similar domains (in our case it included checks for all country extensions
- 18 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
(with .com and .co appended) and the domain citicorp.com) It might involve looking at web page content, looking for partners and affiliates. Its mainly mapping known DNS names to IP address space.
• Reverse DNS scanning will tell you if the blocks the target it is contains more equipment that belongs to the target. The reverse names could also give you an indication of the function and type of equipment.
• Finding more IP addresses - this can be done by looking if the target owns the netblock were the mail exchanger/web server/name server is located. It could also include looking at the Registries (APNIC,RIPE and ARIN) for additional netblocks and searches where possible.
• Tracerouting to IP addresses within the block to find the actual location of the endpoints. This helps you to get an idea which blocks bound together and are physically located in the same spot.
• Look at routing tables on core routers. Find out which parts of the netblocks are routed - it makes no sense to attack IP numbers that is not routed over the Internet.
The tools used in this section are actually quite simple. They are the Unix "host" command, "traceroute", and a combination of PERL, AWK, and standard Unix shell scripting. I also used some websites that might be worth visiting:
• APNIC http://www.apnic.net (Asian pacific)
• RIPE http://www.ripe.net/cgi-bin/WHOIS (Euopean)
• ARIN http://www.arin.net/WHOIS/index.html (American)
For completeness sake I put the (really not well written) shell and PERL scripts here. They are all very simple...:
Reversescanner.pl:
(the input for this script is a IP range e.g. 160.124.19.0-160.124.19.100. Output is sent to STDOUT so >& it...)
#!/usr/bin/perl
# Usage: perl reversecanner.pl 160.124.19.0-160.124.19.100
$|=1;
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
@ip2=split(/\./,@een[$#een]);
for ($a=@ip1[0]; $a<1+@ip2[0]; $a++) {
for ($b=@ip1[1]; $b<1+@ip2[1]; $b++) {
for ($c=@ip1[2]; $c<1+@ip2[2]; $c++) {
for ($d=@ip1[3]; $d<1+@ip2[3]; $d++) {
print "$a.$b.$c.$d : ";
system "host $a.$b.$c.$d";
}}}}
Tracerouter.pl:
Input is a network or subnet e.g. 160.124.19.10. Output is to STDOUT so >& it. It takes the next IP in the specified input block and trace to it. (the script also provides for the a.b.c.d-w.x.y.z input format as the reversescanner)
#!/usr/bin/perl
# Usage: perl tracerouter.pl 160.124.21.92
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
my $string;
$string=@ip1[0].".".@ip1[1].".".@ip1[2].".".(1+@ip1[3]);
system "traceroute -m 50 $string";
Domain_info.sh:
- 19 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
All the domains you want to investigate should be in a file called "domains". Output is appended to file called "all". Change as you wish...:)
#!/usr/local/bin/tcsh
foreach a (`cat domains`)
echo " " >> all
echo ====Domain: $a >> all
echo --Zone transfer: >> all
host -l $a >> all
echo --Webserver: >> all
host www.$a >> all
echo --Nameservers: >> all
host -t ns $a >> all
echo --Mailservers: >> all
host -t mx $a >> all
continue
end
Get_routes.pl:
This perl script logs into core router route1.saix.net and displays to STDOUT the routing tables that matches any given net. Input field is the route search term (makes use of the Net::Telnet module that can be found on CPAN).
#!/usr/local/bin/perl
#Usage: perl get_routes.pl 192.193
use Net::Telnet ();
$t = new Net::Telnet (Timeout => 25,Prompt=>'/\>/');
$t->open("route1.saix.net");
$soeker=@ARGV[0];
$t->waitfor('/>/');
@return=$t->cmd("terminal length 0");
@return=$t->cmd("show ip route | include $soeker");
print "@return\n";
The rest of the results were compiled using these tools in scripts or piping output to other ad hoc scripts, but this is not worth listing here.
Added later: hey! I wrote a script that does a lot of these things for you automatically. It uses a nifty tool called “The Geektools proxy”, written by a very friendly chap named Robb Ballard <robb@centergate.com> . Before you try this, ask Robb if you may have the PERL code to the script – he is generally a cool dude, and without it you miss a lot of functionality. Oh BTW, it also uses Lynx for site crawling. Hereby the code (its really lots of glue code – so bear with me):
#!/usr/bin/perl
use Socket;
$domain=@ARGV[0];
$nameserver="196.4.160.2";
sub qprint
{
open(db,">>$domain.report") || die "Couldnt open quickwrite\n";
print db @_;
close (db);
}
open (IN,"@ARGV[1]") || die "Couldnt open brute force DNS names file\n";
while (<IN>){
chomp;
@tries[$i]=$_;
$i++;
}
qprint "==Report begin\n";
###############################first get the www record
@results=`host -w www.$domain $nameserver`;
if ($#results<1) {qprint "No WWW records\n";}
else
{
foreach $line (@results) {
if ($line =~ /has address/) {
- 20 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
@quick=split(/has address /,$line);
$www=@quick[1]; chomp $www;
qprint "Webserver have address $www\n";
}
}
}
$counter=0;
##################################### MX records
$counter=0; @mxdb=();
@results=`host -w -t mx $domain $nameserver`;
if ($#results<1) {qprint "No MX records\n";}
else {
foreach $line (@results) {
@quick=split(/by /,$line);
@pre=split(/pri=/,$line);
@pre1=split(/\)/,@pre[1]);
$mx=@quick[1];
chomp $mx;
if (length($mx)>0) {
@resolve=`host -w $mx $nameserver`;
foreach $line2 (@resolve) {
chomp $line2;
if ($line2 =~ /has address/) {
@quicker=split(/has address/,$line2);
}
}
$mxip=@quicker[1];
$mxip=~s/ //g;
chomp $mxip;
@ip[$counter]=$mxip;
qprint "MX record priority @pre1[0] : $mxip\n";
$counter++;
}
}
}
#Check Zonetransfer
@results=`host -w -l $domain`;
if ($#results<2) {
qprint "==Could not do ZT - going to do brute force\n";
#########################################Brute force
foreach $try (@tries){
@response=`host $try.$domain`;
foreach $line (@response){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
}
######################################## normal ZT
else {
qprint "==Zone Transfer\n";
foreach $line (@results){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
###################################### PART II ###############Now we want to check the class Cs
# we have names in @name and ips in @ip
@sip=sort @ip;
@sname=sort @name;
###################################class Cs & uniq:
- 21 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "\n";
foreach $line (@sip){
if (!($line =~ /127.0.0.1/)){
@splitter=split(/\./,$line);
$classc=@splitter[0].".".@splitter[1].".".@splitter[2];
$justc{$classc}++;
}
}
$counter=0;
@sclassc=sort (keys (%justc));
foreach $line (@sclassc){
@class[$counter]=$line;
qprint "ClassC with $justc{$line} : $line\n";
$counter++;
}
foreach $line (@sname){
$justnames{$line}=1;
}
$counter=0;
@namesl=sort (keys (%justnames));
foreach $line (@namesl){
@nam[$counter]=$line;
qprint "names: $line\n";
$counter++;
}
######################### do some whois - GEEKTOOLS
foreach $subnet (@class){
qprint "==Geektools whois of block $subnet:\n";
@response=`perl whois.pl $subnet`;
qprint @response;
}
################################reversescans
#first try quick way
foreach $subnet (@class){
@splitter=split(/\./,$subnet);
$classr=@splitter[2].".".@splitter[1].".".@splitter[0].".in-addr.arpa";
@results=`host -l $classr`;
if ($#results<1) {
qprint "==No reverse entry for block $subnet - have go manual\n";
for ($d=1; $d<255; $d++) {
@response=`host $subnet.$d`;
foreach $line (@response){
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
else
{
qprint "==Reverse lookup for block $subnet permitted\n";
foreach $line (@results) {
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
################################### ping sweeps
foreach $subnet (@class){
qprint "\n==Nmap pingsweep of subnet $subnet\n\n";
@results=`nmap -sP -PI $subnet.1-255`;
qprint @results;
}
#system "rm *.dat";
#############################search the webpage
qprint "\n==Doing WWW harvest\n";
@dummy=`lynx -accept_all_cookies -crawl -traversal http://www.$domain`;
- 22 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "http://www.$domain\n";
@response = `cat ./reject.dat`;
foreach $line (@response){
chomp $line;
if ($line =~ /http/){
@splitter=split(/\//,$line);
$uniql{@splitter[2]}++;
}
if ($line =~ /mailto/){
@splitter=split(/:/,$line);
$uniqm{@splitter[1]}++;
}
}
foreach $links (keys (%uniql)){
qprint "External link $uniql{$links} : $links\n";
}
foreach $links (keys (%uniqm)){
qprint "External email $uniqm{$links} : $links\n";
}
The file “common” looks like this (its used for guessing common DNS names within a domain(its not really in 3 columns, I just save some trees. )
www
ftp
ns
mail
3com
aix
apache
back
bastion
bind
border
bsd
business
chains
cisco
content
corporate
cvp
debian
dns
domino
dominoserver
download
e-bus
e-business
e-mail
e-safe
email
esafe
external
extranet
firebox
firewall
freebsd
front
ftp
fw
fw-
fwe
fwi
gate
gatekeeper
gateway
gauntlet
group
help
hop
hp
hp-ux
hpjet
hpux
http
https
hub
ibm
ids
info
inside
internal
internet
intranet
ipchains
ipfw
irix
jet
list
lotus
lotusdomino
lotusnotes
lotusserver
mail
mailfeed
mailgate
mailgateway
mailgroup
mailhost
maillist
mailmarshall
mailpop
mailrelay
mandrake
mimesweeper
ms
msproxy
mx
nameserver
news
newsdesk
newsfeed
newsgroup
newsroom
newsserver
nntp
notes
noteserver
notesserver
ns
nt
openbsd
outside
pix
pop
pop3
pophost
popmail
popserver
print
printer
printspool
private
proxy
proxyserver
public
qpop
raptor
read
redcreek
redhat
route
router
router
scanner
screen
screening
secure
seek
slackware
smail
smap
smtp
smtpgateway
smtpgw
sniffer
snort
solaris
sonic
spool
squid
sun
sunos
suse
switch
transfer
trend
trendmicro
unseen
vlan
wall
web
webmail
webserver
webswitch
win2000
- 23 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
win2k
win31
win95
win98
winnt
write
ww
www
xfer
• Find out what "presence" the target has on the Internet. This include looking at web server-, mail exchanger and NS server IP addresses. If a zone transfer can be done it is a bonus. Also look for similar domains (in our case it included checks for all country extensions
- 18 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
(with .com and .co appended) and the domain citicorp.com) It might involve looking at web page content, looking for partners and affiliates. Its mainly mapping known DNS names to IP address space.
• Reverse DNS scanning will tell you if the blocks the target it is contains more equipment that belongs to the target. The reverse names could also give you an indication of the function and type of equipment.
• Finding more IP addresses - this can be done by looking if the target owns the netblock were the mail exchanger/web server/name server is located. It could also include looking at the Registries (APNIC,RIPE and ARIN) for additional netblocks and searches where possible.
• Tracerouting to IP addresses within the block to find the actual location of the endpoints. This helps you to get an idea which blocks bound together and are physically located in the same spot.
• Look at routing tables on core routers. Find out which parts of the netblocks are routed - it makes no sense to attack IP numbers that is not routed over the Internet.
The tools used in this section are actually quite simple. They are the Unix "host" command, "traceroute", and a combination of PERL, AWK, and standard Unix shell scripting. I also used some websites that might be worth visiting:
• APNIC http://www.apnic.net (Asian pacific)
• RIPE http://www.ripe.net/cgi-bin/WHOIS (Euopean)
• ARIN http://www.arin.net/WHOIS/index.html (American)
For completeness sake I put the (really not well written) shell and PERL scripts here. They are all very simple...:
Reversescanner.pl:
(the input for this script is a IP range e.g. 160.124.19.0-160.124.19.100. Output is sent to STDOUT so >& it...)
#!/usr/bin/perl
# Usage: perl reversecanner.pl 160.124.19.0-160.124.19.100
$|=1;
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
@ip2=split(/\./,@een[$#een]);
for ($a=@ip1[0]; $a<1+@ip2[0]; $a++) {
for ($b=@ip1[1]; $b<1+@ip2[1]; $b++) {
for ($c=@ip1[2]; $c<1+@ip2[2]; $c++) {
for ($d=@ip1[3]; $d<1+@ip2[3]; $d++) {
print "$a.$b.$c.$d : ";
system "host $a.$b.$c.$d";
}}}}
Tracerouter.pl:
Input is a network or subnet e.g. 160.124.19.10. Output is to STDOUT so >& it. It takes the next IP in the specified input block and trace to it. (the script also provides for the a.b.c.d-w.x.y.z input format as the reversescanner)
#!/usr/bin/perl
# Usage: perl tracerouter.pl 160.124.21.92
@een=split(/-/,@ARGV[0]);
@ip1=split(/\./,@een[0]);
my $string;
$string=@ip1[0].".".@ip1[1].".".@ip1[2].".".(1+@ip1[3]);
system "traceroute -m 50 $string";
Domain_info.sh:
- 19 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
All the domains you want to investigate should be in a file called "domains". Output is appended to file called "all". Change as you wish...:)
#!/usr/local/bin/tcsh
foreach a (`cat domains`)
echo " " >> all
echo ====Domain: $a >> all
echo --Zone transfer: >> all
host -l $a >> all
echo --Webserver: >> all
host www.$a >> all
echo --Nameservers: >> all
host -t ns $a >> all
echo --Mailservers: >> all
host -t mx $a >> all
continue
end
Get_routes.pl:
This perl script logs into core router route1.saix.net and displays to STDOUT the routing tables that matches any given net. Input field is the route search term (makes use of the Net::Telnet module that can be found on CPAN).
#!/usr/local/bin/perl
#Usage: perl get_routes.pl 192.193
use Net::Telnet ();
$t = new Net::Telnet (Timeout => 25,Prompt=>'/\>/');
$t->open("route1.saix.net");
$soeker=@ARGV[0];
$t->waitfor('/>/');
@return=$t->cmd("terminal length 0");
@return=$t->cmd("show ip route | include $soeker");
print "@return\n";
The rest of the results were compiled using these tools in scripts or piping output to other ad hoc scripts, but this is not worth listing here.
Added later: hey! I wrote a script that does a lot of these things for you automatically. It uses a nifty tool called “The Geektools proxy”, written by a very friendly chap named Robb Ballard <robb@centergate.com> . Before you try this, ask Robb if you may have the PERL code to the script – he is generally a cool dude, and without it you miss a lot of functionality. Oh BTW, it also uses Lynx for site crawling. Hereby the code (its really lots of glue code – so bear with me):
#!/usr/bin/perl
use Socket;
$domain=@ARGV[0];
$nameserver="196.4.160.2";
sub qprint
{
open(db,">>$domain.report") || die "Couldnt open quickwrite\n";
print db @_;
close (db);
}
open (IN,"@ARGV[1]") || die "Couldnt open brute force DNS names file\n";
while (<IN>){
chomp;
@tries[$i]=$_;
$i++;
}
qprint "==Report begin\n";
###############################first get the www record
@results=`host -w www.$domain $nameserver`;
if ($#results<1) {qprint "No WWW records\n";}
else
{
foreach $line (@results) {
if ($line =~ /has address/) {
- 20 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
@quick=split(/has address /,$line);
$www=@quick[1]; chomp $www;
qprint "Webserver have address $www\n";
}
}
}
$counter=0;
##################################### MX records
$counter=0; @mxdb=();
@results=`host -w -t mx $domain $nameserver`;
if ($#results<1) {qprint "No MX records\n";}
else {
foreach $line (@results) {
@quick=split(/by /,$line);
@pre=split(/pri=/,$line);
@pre1=split(/\)/,@pre[1]);
$mx=@quick[1];
chomp $mx;
if (length($mx)>0) {
@resolve=`host -w $mx $nameserver`;
foreach $line2 (@resolve) {
chomp $line2;
if ($line2 =~ /has address/) {
@quicker=split(/has address/,$line2);
}
}
$mxip=@quicker[1];
$mxip=~s/ //g;
chomp $mxip;
@ip[$counter]=$mxip;
qprint "MX record priority @pre1[0] : $mxip\n";
$counter++;
}
}
}
#Check Zonetransfer
@results=`host -w -l $domain`;
if ($#results<2) {
qprint "==Could not do ZT - going to do brute force\n";
#########################################Brute force
foreach $try (@tries){
@response=`host $try.$domain`;
foreach $line (@response){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
}
######################################## normal ZT
else {
qprint "==Zone Transfer\n";
foreach $line (@results){
if ($line =~ /has address/) {
@quick=split(/has address /,$line);
$ip=@quick[1]; chomp $ip;
$name=@quick[0]; chomp $name;
qprint " $name: $ip\n";
@ip[$counter]=$ip;
@name[$counter]=$name;
$counter++;
}
}
}
###################################### PART II ###############Now we want to check the class Cs
# we have names in @name and ips in @ip
@sip=sort @ip;
@sname=sort @name;
###################################class Cs & uniq:
- 21 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "\n";
foreach $line (@sip){
if (!($line =~ /127.0.0.1/)){
@splitter=split(/\./,$line);
$classc=@splitter[0].".".@splitter[1].".".@splitter[2];
$justc{$classc}++;
}
}
$counter=0;
@sclassc=sort (keys (%justc));
foreach $line (@sclassc){
@class[$counter]=$line;
qprint "ClassC with $justc{$line} : $line\n";
$counter++;
}
foreach $line (@sname){
$justnames{$line}=1;
}
$counter=0;
@namesl=sort (keys (%justnames));
foreach $line (@namesl){
@nam[$counter]=$line;
qprint "names: $line\n";
$counter++;
}
######################### do some whois - GEEKTOOLS
foreach $subnet (@class){
qprint "==Geektools whois of block $subnet:\n";
@response=`perl whois.pl $subnet`;
qprint @response;
}
################################reversescans
#first try quick way
foreach $subnet (@class){
@splitter=split(/\./,$subnet);
$classr=@splitter[2].".".@splitter[1].".".@splitter[0].".in-addr.arpa";
@results=`host -l $classr`;
if ($#results<1) {
qprint "==No reverse entry for block $subnet - have go manual\n";
for ($d=1; $d<255; $d++) {
@response=`host $subnet.$d`;
foreach $line (@response){
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
else
{
qprint "==Reverse lookup for block $subnet permitted\n";
foreach $line (@results) {
if ($line =~ /pointer/) {
@quick=split(/domain name pointer /,$line);
@splitter2=split(/\./,@quick[0]);
$reverse=@splitter2[3].".".@splitter2[2].".".@splitter2[1].".".@splitter2[0];
qprint $reverse.":".@quick[1];
}
}
}
}
################################### ping sweeps
foreach $subnet (@class){
qprint "\n==Nmap pingsweep of subnet $subnet\n\n";
@results=`nmap -sP -PI $subnet.1-255`;
qprint @results;
}
#system "rm *.dat";
#############################search the webpage
qprint "\n==Doing WWW harvest\n";
@dummy=`lynx -accept_all_cookies -crawl -traversal http://www.$domain`;
- 22 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
qprint "http://www.$domain\n";
@response = `cat ./reject.dat`;
foreach $line (@response){
chomp $line;
if ($line =~ /http/){
@splitter=split(/\//,$line);
$uniql{@splitter[2]}++;
}
if ($line =~ /mailto/){
@splitter=split(/:/,$line);
$uniqm{@splitter[1]}++;
}
}
foreach $links (keys (%uniql)){
qprint "External link $uniql{$links} : $links\n";
}
foreach $links (keys (%uniqm)){
qprint "External email $uniqm{$links} : $links\n";
}
The file “common” looks like this (its used for guessing common DNS names within a domain(its not really in 3 columns, I just save some trees. )
www
ftp
ns
3com
aix
apache
back
bastion
bind
border
bsd
business
chains
cisco
content
corporate
cvp
debian
dns
domino
dominoserver
download
e-bus
e-business
e-safe
esafe
external
extranet
firebox
firewall
freebsd
front
ftp
fw
fw-
fwe
fwi
gate
gatekeeper
gateway
gauntlet
group
help
hop
hp
hp-ux
hpjet
hpux
http
https
hub
ibm
ids
info
inside
internal
internet
intranet
ipchains
ipfw
irix
jet
list
lotus
lotusdomino
lotusnotes
lotusserver
mailfeed
mailgate
mailgateway
mailgroup
mailhost
maillist
mailmarshall
mailpop
mailrelay
mandrake
mimesweeper
ms
msproxy
mx
nameserver
news
newsdesk
newsfeed
newsgroup
newsroom
newsserver
nntp
notes
noteserver
notesserver
ns
nt
openbsd
outside
pix
pop
pop3
pophost
popmail
popserver
printer
printspool
private
proxy
proxyserver
public
qpop
raptor
read
redcreek
redhat
route
router
router
scanner
screen
screening
secure
seek
slackware
smail
smap
smtp
smtpgateway
smtpgw
sniffer
snort
solaris
sonic
spool
squid
sun
sunos
suse
switch
transfer
trend
trendmicro
unseen
vlan
wall
web
webmail
webserver
webswitch
win2000
- 23 - Breaking into computer networks from the Internet [Roelof Temmingh & SensePost]
win2k
win31
win95
win98
winnt
write
ww
www
xfer
No comments:
Post a Comment