Command line banner grabbing

For a security audit, banner grabbing is one of the first activities used to gather information about the services running on a remote computer. This article describes some very simple methods for command line banner grabbing without nmap.

telnet

# Example
$ telnet example.com 80
GET / HTTP/1.1
Host: example.com
[ENTER]

netcat

# Example
$ nc example.com 80
GET / HTTP/1.1
Host: example.com
[ENTER]

curl

# Example
$ curl -I example.com

“-I” fetches only the HTTP headers.

wget

# Example
$ wget -q -S example.com

“-q” turns off Wget’s normal output and “-S” prints the headers sent by the server.
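As an added example (not code from the original article), the same HTTP banner grab from a bash script: grab_banner sends a HEAD request over nc with the CRLF line endings HTTP requires, and parse_banner extracts the status code, Server and X-Powered-By headers from the raw response. The function names and the embedded sample response are assumptions constructed for this example; run it with a host name to query a real server, or without arguments to parse the sample.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. grab_banner and
# parse_banner are assumed names; SAMPLE_RESPONSE is a constructed response.
set -u

# Send a HEAD request with CRLF line endings and "Connection: close" so the
# server closes the socket and nc returns once the headers have arrived.
grab_banner() {
  host="$1"
  port="${2:-80}"
  printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" \
    | nc -w 3 "$host" "$port"
}

# Read a raw HTTP response on stdin and print "status|server|powered-by";
# an absent header becomes "-". Header names are matched case-insensitively,
# CRs are stripped and parsing stops at the blank line that ends the header
# block, so any body is ignored.
parse_banner() {
  tr -d '\r' | awk '
    NR == 1 && $1 ~ /^HTTP\// { status = $2 }
    tolower($1) == "server:"       { sub(/^[^:]*:[ \t]*/, ""); server = $0 }
    tolower($1) == "x-powered-by:" { sub(/^[^:]*:[ \t]*/, ""); powered = $0 }
    /^$/ { exit }
    END {
      printf "%s|%s|%s\n", (status == "" ? "-" : status),
             (server == "" ? "-" : server), (powered == "" ? "-" : powered)
    }'
}

# Constructed sample response (not captured from a real host) so that the
# parser can be exercised offline.
SAMPLE_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>body is ignored</html>\r\n')

banner_from_sample() {
  printf '%s\n' "$SAMPLE_RESPONSE" | parse_banner
}

if [ -n "${1:-}" ]; then
  grab_banner "$1" "${2:-80}" | parse_banner   # e.g. ./banner.sh example.com 80
else
  banner_from_sample                           # prints 200|Apache/2.4.41 (Ubuntu)|PHP/7.4.3
fi
```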

Layer 3 discovery with Ping

If ICMP (Internet Control Message Protocol) is not blocked, the ping command is one of my most used tools.

Example

# Syntax
$ ping -c <number> <target>

# Example
$ ping -c 1 192.168.0.1

Usage

With a small bash script it is possible to identify all hosts that respond to ICMP echo requests.

#!/usr/bin/env bash

# define shell options
set -e
set -u

# define magic variables
declare -r FILE_NAME=$(basename "$0")
declare -r -i SUCCESS=0
declare -r -i NO_ARGS=84
declare -r -i BAD_ARGS=85

# usage function
function fc_usage() {
  printf "Usage: %s -i 192.168.1.0" "$FILE_NAME"
  printf " [-h]\n"
}

# help function
function fc_help() {
  fc_usage
}

# error communication functions
function fc_no_args() {
  printf "Error: no arguments supplied\n"
  exit "$NO_ARGS"
}

function fc_bad_args() {
  printf "Error: wrong arguments supplied\n"
}

# check script arguments
if [ "$#" -eq 0 ]; then
  fc_no_args
fi

while getopts "hi:" OPTION; do
  case "$OPTION" in
      h)
        fc_help
        exit "$SUCCESS" ;;
      i)
        # keep the first three octets of the given address (e.g. 192.168.1)
        PREFIX=$(echo "$OPTARG" | cut -d '.' -f 1-3) ;;
      *)
        fc_bad_args
        fc_usage
        exit "$BAD_ARGS" ;;
  esac
done

# -i is mandatory: with "set -u" an unset PREFIX would abort the script
if [ -z "${PREFIX:-}" ]; then
  fc_bad_args
  fc_usage
  exit "$BAD_ARGS"
fi

# main: ping every host of the /24 in parallel and print the addresses that answered
for ADDR in $(seq 1 254); do
  ping -c 1 "$PREFIX"."$ADDR" | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done

# wait for all background pings before exiting
wait

# exit
exit "$SUCCESS"

Wireshark and OS X Yosemite

Since X11 is no longer included, you need XQuartz to run Wireshark on Yosemite. Wireshark expects XQuartz (X11) to be inside the folder “/usr”, but it is now installed under “/opt”. A symbolic link solves this easily.

# create symbolic link
$ sudo ln -s /opt/X11 /usr/X11

After installing XQuartz and creating the symbolic link you can download and install Wireshark. Now you can start Wireshark.

# start wireshark
$ sudo wireshark

Note: The start may take some time.

Layer 2 discovery on same subnet

A little tip for penetration testers who want to scan their own network with arping (Layer 2 discovery).

Preparation

We need arping. Therefore we can use ports to install it.

# install arping via ports
$ sudo port install arping

Example

# Syntax
$ sudo arping -c <number> <target>

# Example
$ sudo arping -c 4 192.168.0.1

Usage

Now we use ARP (Address Resolution Protocol) to discover the hosts on the local subnet.

#!/usr/bin/env bash

# define shell options
set -e
set -u

# define magic variables
declare -r FILE_NAME=$(basename "$0")
declare -r -i NO_ARGS=84
declare -r -i BAD_ARGS=85

# usage function
function fc_usage() {
  printf "Usage: %s -i <interface>\n" "$FILE_NAME"
}

# error function
function fc_no_args() {
  printf "Error: no arguments supplied\n"
  exit "$NO_ARGS"
}

# check script arguments
if [ "$#" -eq 0 ]; then
  fc_no_args
fi

while getopts "i:" OPTION; do
  case "$OPTION" in
    i)
      INTERFACE="$OPTARG";;
    *)
      fc_usage
      exit "$BAD_ARGS";;
  esac
done

# -i is mandatory: with "set -u" an unset INTERFACE would abort the script
if [ -z "${INTERFACE:-}" ]; then
  fc_usage
  exit "$BAD_ARGS"
fi

# take the IPv4 address of the interface (the "inet " line, not "inet6")
# and keep its first three octets
PREFIX=$(ifconfig "$INTERFACE" | awk '/inet / {print $2; exit}' | cut -d '.' -f 1-3)

# send one ARP request to every host of the /24 in parallel and print the
# addresses that answered
for addr in $(seq 1 254); do
  arping -c 1 "$PREFIX"."$addr" | grep "bytes from" | cut -d " " -f 5 | cut -d "(" -f 2 | cut -d ")" -f 1 &
done

# wait for all background arping processes before exiting
wait

Scan for available HTTP methods

This small script helps penetration testers to find all available HTTP methods for a specific host.

#!/usr/bin/env bash

# define shell options
set -e
set -u

# define magic variables
declare -r FILE_NAME=$(basename "$0")
declare -r -i SUCCESS=0
declare -r -i NO_ARGS=84
declare -r -i BAD_ARGS=85

# usage function
function fc_usage() {
  printf "Usage: %s -i <host>\n" "$FILE_NAME"
}

# error function
function fc_no_args() {
  printf "Error: no arguments supplied\n"
  exit "$NO_ARGS"
}

# check script arguments
if [ "$#" -eq 0 ]; then
  fc_no_args
fi

while getopts "i:" OPTION; do
  case "$OPTION" in
    i)
      HOST="$OPTARG";;
    *)
      fc_usage
      exit "$BAD_ARGS";;
  esac
done

# -i is mandatory: with "set -u" an unset HOST would abort the script
if [ -z "${HOST:-}" ]; then
  fc_usage
  exit "$BAD_ARGS"
fi

# show http method function: send each method as a raw HTTP/1.1 request
# (CRLF line endings, as HTTP requires) and print the status line of the answer
function fc_http_method() {
  for METH in GET POST PUT TRACE CONNECT OPTIONS PROPFIND; do
    STATUS=$(printf '%s / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$METH" "$HOST" \
      | nc -w 1 "$HOST" 80 | grep -m 1 "HTTP/1.1" | tr -d '\r' || true)
    printf "%s - %s\n" "$METH" "${STATUS:-no response}"
  done
}

fc_http_method
exit "$SUCCESS"

RATS

RATS (Rough Auditing Tool for Security) is open-source software to scan C, C++, Perl, PHP and Python code. For other languages see Fortify.

Installation

# CentOS
$ yum install rats

# Debian
$ aptitude install rats

# wget
$ wget http://www.fortify.com/servlet/download/public/rats-2.3.tar.gz

# curl
$ curl --remote-name http://www.fortify.com/servlet/download/public/rats-2.3.tar.gz

# extract
$ tar xfz rats-2.3.tar.gz

# change directory
$ cd rats-2.3

# compile
$ ./configure && make && sudo make install

Execute RATS

# Simple run
$ rats --resultsonly <directory>

# Advanced run
$ rats --quiet --xml -w 3 <directory>