Archive for November, 2005

Making arpwatch more up to date

Tuesday, November 29th, 2005

# Drop comment/blank lines; "001122 Vendor" -> "0:11:22<TAB>Vendor" (leading zero per octet removed, as arpwatch's ethercodes.dat expects):
perl -ne 'next if /^\s*(#|$)/; s/^(.{2})(.{2})(.{2})\s+(.*)/$1:$2:$3\t$4/; s/^0?(.+):0?(.+):0?(.+)\t(.*)/$1:$2:$3\t$4/; print' /usr/local/share/nmap/nmap-mac-prefixes > /usr/local/arpwatch/ethercodes.dat

Apple Bloatware

Tuesday, November 29th, 2005

Today, I found a link to the Apple Broadband Tuner. The description doesn’t sound that bad, except for:

The system parameters are sysctl variables that are set as follows:
net.inet.tcp.sendspace: 131072
net.inet.tcp.recvspace: 358400
kern.ipc.maxsockbuf: 512000

Wait? A 320 kB multipackage for 87 bytes of commands?


WOPR:/Volumes/Broadband Tuner/BroadbandTuner.mpkg/Contents/Packages/BroadbandTunerInstaller.pkg/Contents chris$ gzip -dc Archive.pax.gz | pax -v
drwxrwxr-t 3 root admin 0 Oct 24 20:28 .
drwxr-xr-x 3 root admin 0 Nov 14 2003 ./private
drwxr-xr-x 3 root admin 0 Nov 14 2003 ./private/var
drwxrwxrwt 3 root wheel 0 Dec 16 2003 ./private/var/tmp
-rwxr-xr-x 1 root admin 442 Nov 14 2003 ./private/var/tmp/BlankFile
pax: cpio vol 1, 5 files, 1493 bytes read, 0 bytes written.

The complete “magic” is in a perl script that is run after installation, Resources/postinstall:

@sysctl_commands = (
"kern.ipc.maxsockbuf=512000" ,
"net.inet.tcp.sendspace=131072" ,
"net.inet.tcp.recvspace=358400"
);

Not to mention that the installation of a pkg leaves traces in /Library/Receipts.

Well, I think I can live without the Broadband Tuner…

PTT – The Pen Testing Toolkit: Websearch

Friday, November 18th, 2005

In the last post I showed how to research some information in DNS using PTT – The Pen Testing Toolkit. But there should be more. Since everything of interest is on the Web nowadays, we will search the web.

If you installed PTT this morning you are already outdated. Get r801 here.

For the next step you need some additional modules: google and yahoo. You can use python bin/ptt-confcheck to see if they are installed:

md@hextatic ~ptt$ python bin/ptt-confcheck
I will check now if every is in place for the pen testing toolkit.
checking for module 'google' ... ok
checking for module 'yahoo' ... ok
checking for module 'ADNS' ... ok
checking for module 'OpenSSL' ... ok
checking for programm 'nmap' ...
checking for programm 'unicornscan' ...sh: line 1: unicornscan: command not found
checking for SIGINFO ... ok

If you miss the Python google and yahoo bindings, and your package management system does not provide them, try this:

md@hextatic ~/ptt$ cd thirdparty/
md@hextatic ~/ptt$ tar xzvf pygoogle-0.6.tar.gz
md@hextatic ~/ptt$ cd pygoogle-0.6
md@hextatic ~/ptt/pygoogle-0.6$ python setup.py build
md@hextatic ~/ptt/pygoogle-0.6$ sudo python setup.py install
md@hextatic ~/ptt$ cd ..
md@hextatic ~/ptt$ sudo rm -Rf pygoogle-0.6
md@hextatic ~/ptt$ tar xzvf yws-1.2.tgz
md@hextatic ~/ptt$ (cd yws-1.2/python/pYsearch-1.3/; \
                    sudo python setup.py install)
md@hextatic ~/ptt$ sudo rm -Rf yws-1.2

Try bin/ptt-confcheck to see if you successfully installed the stuff. Then go back to the directory created for our tests. We will look further into the Deutsche Bank.

md@hextatic ~/ptttest$ echo 'deutsche-bank.de' > target-domains.txt
md@hextatic ~/ptttest$ echo 'deutsche-bank.com' >> target-domains.txt
md@hextatic ~/ptttest$ echo 'db.com' >> target-domains.txt
md@hextatic ~/ptttest$ ptt-dnsbruteforce
[wait a long time]
md@hextatic ~/ptttest$ sort -u output/dnsbruteforce.txt target-domains.txt  > t
md@hextatic ~/ptttest$ mv t target-domains.txt

Now that we have a solid basis of host- and domain names to work from, we add some hints on what might be good search terms for finding information related to our target.

echo "Deutsche Bank" > searchterms.txt # not that creative, eh?

We start ptt-webharvest-hostsandemail, which is meant to collect hostnames and e-mail addresses. ptt-webharvest-hostsandemail is very slow, so don't hold your breath while it is running.

ptt-webharvest-hostsandemail first tries to use major search engines (MSN, Google and Yahoo for now) to find hostnames not known to us so far by using the site: operator.

To speed things up on repeated runs, ptt-webharvest-hostsandemail creates a cache directory in the current working directory called "cache". This directory can get VERY big (several GB), but you may delete it whenever you want.

md@hextatic ~/ptttest$ python ptt-webharvest-hostsandemail
searching for 'site:db.com -site:ns5.db.com -site:brazil.db.com
-site:ra.db.com -site:www3.db.com -site:ns6.db.com -site:ns7.db.com
-site:ns2.db.com -site:wave.db.com -site:ftp.db.com
-site:australia.db.com -site:smtp6.db.com -site:gm.db.com
-site:ns4.db.com -site:ars.db.com -site:ns1.db.com -site:ger.db.com
-site:re.db.com -site:fix.db.com -site:argentina.db.com
-site:chile.db.com -site:em.db.com -site:ns3.db.com -site:wap.db.com'
53 results
Set([u'www.cib.db.com', u'index.db.com', u'www.alexbrown.db.com',
u'www.corporatefinance.db.com', u'www.autobahn-moneymarkets.db.com',
u'europe.dbtrader.db.com', u'www.deam-us.db.com',
u'primeservices.db.com', u'www.adr.db.com', u'www.community.db.com',
u'dweb.db.com', u'www.connect.db.com', u'conferences.db.com',
u'www.dbgcm.db.com', u'gm-secure.db.com', u'www.weblondon.db.com',
u'wows.db.com', u'equities.research.db.com', u'web-auth.db.com',
u'www.ederivatives.db.com', u'www.optionselect.db.com',
u'www.exchangelink.db.com', u'www.conferences.db.com',
u'ap.research.db.com', u'www.tss.db.com', u'dbrasweb.db.com',
u'eqfinance.db.com', u'vemex.db.com', u'www.db.com',
u'www.coins.db.com'])
searching for 'site:deutsche-bank.com -site:info.deutsche-bank.com
-site:banking.deutsche-bank.com -site:chat.deutsche-bank.com
-site:rp.deutsche-bank.com'
146 results
Set([u'dbmarkets-etrade.deutsche-bank.com',
'www.environment.deut [...] sche-bank.de'
53 results
Set([u'ghp.deutsche-bank.de', u'www.is-asp.pbc.deutsche-bank.de',
u'geschaeftsbericht.deutsche-bank.de', u'www.umwelt.deutsche-bank.de'])
[...]

In the next step we search for sites containing the search terms read from searchterms.txt and the hostnames read from target-domains.txt with half a dozen search engines, download the pages containing these terms and parse them for hostnames and e-mail addresses. This process basically takes forever.

searching for 'link:ns7.db.com'
3 results
http://www.hotmail.com Set(['loginnet.passport.com', 'login.passport.net',
'www.hotmail.com']) Set([])
http://www.w3.org/1999/xhtml Set(['www.w3.org', 'cgi.w3.org']) Set([])
searching for 'link:http://www.wob3.deutsche-bank.de/'
5 results
http://www.wob3.deutsche-bank.de/ Set(['www.wob3.deutsche-bank.de']) Set([])
http://wob.deutsche-bank.de/ Set(['www.db.com', 'wob.[...]']) Set([])
searching for 'link:http://ns4.db.com/'
4 results
http://ns4.db.com/ Set(['ns4.db.com']) Set([])
searching for 'link:http://banking.deutsche-bank.de/'
12 results
http://www.dm-online.de/ Set(['finaonl.ivwbox.de', [...]
http://www.froehner.us/Bookmarks/Bookmarks%20IBM-N.htm
Set([[...] 'guide.netscape.com', 'finanzen.yahoo.de', 'www.[...]']) Set([])

As you see, we find lots of hostnames obviously not directly related to the organisation we are exploring. How to filter for interesting stuff will be explained in another posting.

Friday, November 18th, 2005

PTT – The Pen Testing Toolkit: DNS-Bruteforcing

Friday, November 18th, 2005

You have already installed the Pen Testing Toolkit and now want to use it. So we look at the DNS functionality.

The whole design of PTT is centered around project directories. So create a directory for your tests: mkdir ptttest; cd ptttest. We now try to find some interesting hostnames and domains. Create a file called target-domains.txt which contains the domains you want to research. For this example I will try domains from my employer and a German bank. Since all of this is DNS only, nobody should get too upset about this. But you should try something else.

md@hextatic ~/ptttest$ echo 'informatik.uni-mannheim.de' > target-domains.txt
md@hextatic ~/ptttest$ echo 'uni-mannheim.de' >> target-domains.txt
md@hextatic ~/ptttest$ echo 'deutsche-bank.de' >> target-domains.txt

Let’s go:

md@hextatic ~/ptttest$ ptt-dnsbruteforce -f ./target-domains.txt
calibrating for TLDs with wildcard dns ...
www.obscuredomainasdfghj.tk = 195.20.32.85
www.obscuredomainasdfghj.tk = 217.115.203.20
www.obscuredomainasdfghj.tk = 62.129.131.34
[...]
Domains which are suspected to use wildcard DNS and thus beeing excluded:
 Set(['ac', 'com.ph', 'pw', 'vg', 'net.ph', 'de.vu', 'sh', 'cd', 'museum',
      'tm', 'ws', 'vu', 'ph', 'st', 'mp', 'nu', 'org.ph', 'tk'])

The first thing dnsbruteforce tries to do here is to find TLDs with those ugly wildcard entries which redirect you to some advertisement site run by the TLD operator. PTT generally spits out a lot of output, because we are hackers and we like blinkenlights and moving screen displays. But it also generates output in ./output/, where it never overwrites files but merges them with new information if appropriate.
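The wildcard calibration step written out as an added example (this is not PTT's own code): a random label is resolved under each TLD, and any TLD that answers consistently is excluded from the candidate list. The resolver is a constructed stand-in (fake_resolve) so the example runs offline; for live use replace it with a real A-record lookup.

```python
import random
import string

# Constructed stand-in for a DNS lookup so the example runs offline: every name
# under the 'tk' TLD answers (wildcard), while 'de' only knows the one host listed.
# For live use, replace fake_resolve with a real A-record lookup.
FAKE_ZONE = {"www.uni-mannheim.de": ["134.155.1.1"]}

def fake_resolve(name):
    if name.endswith(".tk"):
        return ["195.20.32.85"]
    return FAKE_ZONE.get(name, [])

def random_label(length=16):
    """A throwaway label nobody has registered, like the 'obscuredomainasdfghj' above."""
    return "obscuredomain" + "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def wildcard_tlds(tlds, resolve=fake_resolve, probes=2):
    """Return the TLDs where random, unregistered names still resolve."""
    suspected = set()
    for tld in tlds:
        hits = sum(1 for _ in range(probes) if resolve("www.%s.%s" % (random_label(), tld)))
        if hits == probes:          # consistent answers: the TLD has a wildcard record
            suspected.add(tld)
    return suspected

def drop_wildcard_candidates(candidates, suspected):
    """Remove candidate domains whose TLD (everything after the first label) is suspected."""
    return [c for c in candidates if c.split(".", 1)[1] not in suspected]
```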

The next thing dnsbruteforce does is check whether the domains in target-domains.txt also exist in other TLDs. It not only checks the domains you gave in target-domains.txt but also slight variants. When it's done the output appears in output/namesinothertlds.txt:

md@hextatic ~/ptttest$ cat output/namesinothertlds.txt
# Auto generated: 2005-11-18 Nov:11:42
www.uni-mannheim.de
www.deutsche-bank.de
www.deutschebank.ru
www.deutschebank.co.nz
www.deutschebank.ca
deutsche-bank.biz
www.unimannheim.de
uni-mannheim.com
unimannheim.de
www.uni-mannheim.com
[...]

Deutsche Bank has registered domains in many countries, no surprise there. I'm more surprised that they are not in the top 75 companies in DNS. But nevertheless, you would probably be interested in the branch offices.

Uni Mannheim seems to have a typo-squatting problem. The domains found are all except one owned by other entities. Sigh.

Depending on your objectives you might want to add some of the names in output/namesinothertlds.txt to target-domains.txt.

The next step can take a few hours, so better let it run overnight. First, variants of very common hostnames in the domains you supplied are checked for their existence. Next, some other still common names are tried:

Trying 22 very common hostnames in 3 domains
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
@ deutsche-bank.de : wo2.prod.deutsche-bank.de
@ deutsche-bank.de : fallback.mail.de.uu.net
. deutsche-bank.de : auth02.ns.de.uu.net
. deutsche-bank.de : auth52.ns.de.uu.net
. deutsche-bank.de : dgate1.db.com
. deutsche-bank.de : dgate2.db.com
www.deutsche-bank.de = 217.73.49.24
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
www2.deutsche-bank.de = 212.96.254.1
wwwtest.deutsche-bank.de = 217.111.13.189
www3.deutsche-bank.de = 195.124.75.164
www5.deutsche-bank.de = 195.124.75.160
[...]
Writing data ... output/dnsbruteforce.txt
Trying 3868 hostnames in 3 domains
scorpius.informatik.uni-mannheim.de = 134.155.65.240
arwen.informatik.uni-mannheim.de = 134.155.81.154
[...]
Writing data ... output/dnsbruteforce.txt

The console output is meant to be greppable. Lines containing ' = ' mean a hostname-to-IP-address mapping (A record) has been found. Lines starting with '@ ' mean a domain-to-mailserver mapping (MX record) has been found, and lines starting with '. ' mean a domain-to-nameserver mapping (NS record) has been found.

Often checking the MX and NS records can reveal relationships between companies or providers. It is up to you to screen them.
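A small parser for that greppable format, added here as an example (not part of PTT): it groups the ' = ', '@ ' and '. ' lines into A, MX and NS records and then lists the mail and name servers that sit outside the target domains, which is exactly the screening of provider relationships mentioned above. The sample lines are constructed after the output shown in this post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ptt-dnsbruteforce console lines shown above.
SAMPLE_OUTPUT = """\
Trying 22 very common hostnames in 3 domains
@ deutsche-bank.de : wo1.prod.deutsche-bank.de
@ deutsche-bank.de : fallback.mail.de.uu.net
. deutsche-bank.de : auth02.ns.de.uu.net
. deutsche-bank.de : dgate1.db.com
www.deutsche-bank.de = 217.73.49.24
www.deutsche-bank.de = 217.73.49.24
www1.deutsche-bank.de = 212.96.254.10
Writing data ... output/dnsbruteforce.txt
"""

A_LINE = re.compile(r"^(\S+) = (\d{1,3}(?:\.\d{1,3}){3})$")   # host = IP
MX_LINE = re.compile(r"^@ (\S+) : (\S+)$")                   # @ domain : mailserver
NS_LINE = re.compile(r"^\. (\S+) : (\S+)$")                  # . domain : nameserver

def parse_output(text):
    """Group the greppable lines into A, MX and NS records; skip progress lines."""
    records = {"A": defaultdict(set), "MX": defaultdict(set), "NS": defaultdict(set)}
    for line in text.splitlines():
        m = A_LINE.match(line)
        if m:
            records["A"][m.group(1)].add(m.group(2))
            continue
        for rtype, pattern in (("MX", MX_LINE), ("NS", NS_LINE)):
            m = pattern.match(line)
            if m:
                records[rtype][m.group(1)].add(m.group(2))
    return records

def in_scope(host, domains):
    """True if host is one of the target domains or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def third_party_servers(records, domains):
    """MX/NS hosts outside the target domains, i.e. providers worth screening."""
    found = {}
    for rtype in ("MX", "NS"):
        for domain, hosts in records[rtype].items():
            external = sorted(h for h in hosts if not in_scope(h, domains))
            if external:
                found[(rtype, domain)] = external
    return found
```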

When dnsbruteforce is finished, output/dnsbruteforce.txt contains the hostnames found:

md@hextatic ~/ptttest$ grep bank output/dnsbruteforce.txt
wob1.deutsche-bank.de
wwwtest.deutsche-bank.de
ccmail.deutsche-bank.de
wob.deutsche-bank.de
www2.deutsche-bank.de
info3.deutsche-bank.de
info1.deutsche-bank.de
rd2.deutsche-bank.de
jb2.deutsche-bank.de
info.deutsche-bank.de
info2.deutsche-bank.de
notes.deutsche-bank.de
public.deutsche-bank.de
rd1.deutsche-bank.de
banking.deutsche-bank.de
wobtest.deutsche-bank.de
wob3.deutsche-bank.de
jb1.deutsche-bank.de
www.deutsche-bank.de
notes2.deutsche-bank.de
www3.deutsche-bank.de
tp.deutsche-bank.de
www5.deutsche-bank.de
www1.deutsche-bank.de
notes1.deutsche-bank.de
chat.deutsche-bank.de
ml.deutsche-bank.de

PTT – The Pen Testing Toolkit: Installation.

Friday, November 18th, 2005

I’m working on a collection of tools called the PenTestingToolkit (PTT). It is underdocumented and half-finished but it works for me – occasionally. One feature in PTT I use most is DNS enumeration/bruteforcing.

You can get the latest and greatest Version of ptt from here. To install it, do something like this:

md@hextatic ~$ wget http://c0re.23.nu/c0de/snap/ptt-snap-20051118-r800.tar.bz2
md@hextatic ~$ tar xjvf ptt-snap-20051118-r800.tar.bz2
md@hextatic ~$ cd ptt-snap-20051118-r800
md@hextatic ~/ptt-snap-20051118-r800$ python setup.py build
md@hextatic ~/ptt-snap-20051118-r800$ sudo python setup.py install # must run as root

Now the binaries should be installed in some reasonable place. Unfortunately many Python installations are broken in a way that they put the binaries in obscure locations. Mine puts the binaries in /opt/local/Library/Frameworks/Python.framework/Versions/2.4/bin/ o_O. If your Python installation is also that broken, you can move the binaries to something like /usr/local/bin or add the directory used by Python to your PATH environment variable.

In addition to PTT you need the ADNS library and the Python adns module. Every better package management system has ready-made packages for adns, so install them. If you can't install the Python module via your package management, try this:

md@hextatic ~/ptt-snap-20051118-r800$ cd thirdparty/
md@hextatic thirdparty$ tar xzvf adns-python-1.1.0.tar.gz
md@hextatic thirdparty$ cd adns-python-1.1.0/
md@hextatic thirdparty$ sudo python setup.py install

If this fails you might have to edit setup.py. On my Mac I had to do this:

include_dirs = ['/opt/local/include']
library_dirs = ['/opt/local/lib']
runtime_library_dirs = ['/opt/local/lib']

Now you should be all set. Read more in PTT – The Pen Testing Toolkit: DNS-Bruteforcing.

Monday, November 14th, 2005

If you see this, Cisco has deleted your /opt directory :-(

My first login

Monday, November 14th, 2005

Comparing OS Kernels.

Sunday, November 6th, 2005

Nice article: A Comparison of Solaris, Linux, and FreeBSD Kernels by Max Bruning.

Will come in handy when looking for real-world examples of operating system concepts.

Saturday, November 5th, 2005