18 nov. 2008

Network recon

Voici un petit morceau de python pour tenir un peu le choc face à une météo pourrie et une fatigue très en forme (hein??)

Il s'agit d'un petit shell permettant d'effectuer simplement des opérations de découverte réseau. Il a été volontairement limité à une version sans RAW_SOCKET, le but étant de découvrir un réseau sans droit root sur aucune machine. Son utilisation et son code sont relativement simples. Je me suis un peu inspiré de la console de metasploit dans l'esprit.

Je vous laisse découvrir. La commande help ou la lecture du code vous guidera entre les écailles du Python (merci).




#!/usr/bin/env python

#
#
# Netreckon is a discovery shell designed to help
# a user to map an unknown IP network using
# several techniques
#
# Some parts inspired from a sample code from James Thiele
# available here : http://www.eskimo.com/~jet/python/examples/cmd/console.py
#

# Copyright (c) 2008, Hth
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
# * Neither the name of the Hth nor the names of its contributors
# may be used to endorse or promote products derived from this
# software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#


import os
import sys
import cmd
import time
import random
import socket
# The following 'readline' module provides some bash like shortcuts
import readline



# No default timeout else...
socket.setdefaulttimeout( 1.0 )


# Global variables are all stored there to avoid conflicts
global_vars = {
# Software version
'version' : '0.1 dev',
# Author
'author' : 'Hth networks'
}



class NetReckon:
"""
Higher level stuff which reates the console
the user can see launching the script
"""
def __init__( self ):
"""
shell initialization
"""
# launch console
console = NetReckonConsole()
try:
console.cmdloop()
except:
self.exit_failure()


def exit_failure( self ):
""" Exit with return code 1 """
sys.exit( 1 )



class NetReckonConsole( cmd.Cmd ):
"""
Perform reckon actions according
to user's inputs
(interactive console)
"""

def __init__( self ):
"""
startup actions engine
"""
cmd.Cmd.__init__( self )
self.prompt = '>> '
self.intro = """
NetReckon < interactive user network recon console >

---[ %s ]
---[ %s ]

* Starting session at %s *
"""%( global_vars['version'], global_vars['author'], time.ctime() ) # As mentionned above, we insert version, author handle and actual date
# user defined variables are stored there to be used as arguments by actions
self.userVariables = {}


def do_set( self, argstr ):
"""
set a variable to a supplied value

"""
arglist = argstr.split() # Convert arguments from a string to a list
if len( arglist ) == 2:
self.userVariables[arglist[0]] = arglist[1]
else:
print 'Incorrect syntax!'
print '>> set '


def help_set( self ):
"""
Help about the `set` method
"""
print 'Create (or change the value of) a variable'
print 'set '


def do_unset( self, argstr ):
"""
unset a variable in the list
"""
if self.userVariables.has_key( argstr ):
try:
del self.userVariables[argstr]
except:
print 'Incorrect syntax!'
print 'unset '
else:
print 'Unknown variable supplied : %s'%argstr


def help_unset( self ):
"""
help about the `unset` method
"""
print 'Delete a previously defined variable'
print 'unset '


def do_show( self, argstr ):
"""
show stored variables
"""
print 'User variables :\n'
for entry in self.userVariables.keys():
print '%s\t%s'%(entry, self.userVariables[entry])


def help_show( self ):
"""
help about the `show` method
"""
print 'print out stored variables names and values'


def do_exit( self, argstr ):
"""
exit netreckon
"""
sys.exit( argstr )


def help_exit( self ):
"""
help about he `exit` method (...)
"""
print 'Exit netreckon'
print 'A message or a return code can be supplied as an argument :'
print 'exit -1'


#-- Command definitions to support Cmd object functionality --#
def do_shell( self, argstr ):
"""
execute a shell command
"""
os.system( argstr )


def do_EOF( self, args ):
"""
Exit on system end of file character
"""
return self.do_exit( args )


def emptyline( self ):
"""
Do nothing on empty input line
"""
pass


def do_help( self, argstr ):
"""
print out help on demand
"""
cmd.Cmd.do_help( self, argstr )


def help_help( self ):
"""
do we really have to explain this sir?
"""
print 'print stuff like this one'

#-- ------- ----------- -- ------- --- ------ ------------- --#
#-- Override methods in Cmd object --#

def preloop( self ):
"""
Called just before the main loop starts.
Call the initial preloop() and prepare variable dicts
to let user execute some python code later
"""
cmd.Cmd.preloop( self ) # sets up command completion
self._locals = {}
self._globals = {}


def postloop( self ):
"""
Finish everything that has to be
"""
cmd.Cmd.postloop( self ) # Clean up command completion
print ''
#-- -------- ------- -- --- ------ --#

def do_python( self, argstr ):
"""
Execute the command as python code
"""
try:
exec( argstr ) in self._locals, self._globals
except Exception, e:
print e.__class__, ":", e


def help_python( self ):
"""
Help about the `python` command
"""
print 'Execute the line as python code.'
print 'A context of variables is maintained separately'
print 'from the `set` variables for python code'
print 'eg. python a=2; print a'


## DNS Resolution

def do_dns( self, argstr ):
"""
Find out IP address of a known hostname
"""
arglist = argstr.split()
resolver = DnsResolver()

if len( arglist ) >= 1:
resolver.do_dns_resolution( arglist )
else:
print 'dns ...'


def help_dns( self ):
"""
Provide help concerning `dns` instruction
"""
print 'Try to resolve hostname(s) into IP addresses'
print 'dns ...'


## Reverse DNS Resolution
def do_revdns( self, argstr ):
"""
Perform reverse DNS requests
to discover a network
"""
ip_range = ''

# Can be called without argument if NETWORK has been set
if argstr != '':
ip_range = argstr
elif self.userVariables.has_key( 'NETWORK' ):
ip_range = self.userVariables['NETWORK']
else:
# else exit function
print 'No argument supplied'
self.help_revdns()
return

# Do reverse DNS resolution once arguments are parsed
resolver = DnsResolver()
resolver.do_reverse_dns_resolution( ip_range )


def help_revdns( self ):
"""
Provide some help for the `revdns` instruction
"""
print 'Try to resolve IP addresses into hostnames'
print 'both syntaxes are recognized :'
print 'revdns 192.168.1.1-5'
print 'and'
print 'set NETWORK 192.0-75.0-255.0-255'
print 'revdns'


## TCP connect() scan
def do_scantcp( self, argstr ):
"""
scan for open tcp ports of a given host
"""
if argstr != '':
ip_range = argstr
elif self.userVariables.has_key( 'TARGET' ):
ip_range = self.userVariables['TARGET']
else:
print 'No argument supplied'
self.help_scantcp()
return

scan = PortScanner()
if self.userVariables.has_key( 'PORTS' ):
scan.parse_port_sequence( self.userVariables['PORTS'] )
scan.connect_scan( ip_range )


def help_scantcp( self ):
"""
Provide some help for the `scantcp` instruction
"""
print 'perform a tcp connect() scan against target(s)'
print 'in order to find out open ports'
print 'You can set the PORTS variable to specify ports to scan'
print '(eg. set PORTS 21-90)'
print 'Targets can follow the instruction this way : '
print 'scantcp 192.168.1.0-5'
print 'or using the TARGET variable'
print 'set TARGET 192.168.1.0-5'
print 'scantcp'



class DnsResolver:
"""
Perform DNS operations
on ranges of IP addresses
"""
def __init__( self ):
pass


def do_dns_resolution( self, hostnames ):
"""
Find out IP address of a known hostname
"""
for hostname in hostnames:
try:
print '\t%-25s\t\t%s'%( hostname, socket.gethostbyname( hostname ) )
except:
print '\t%-25s\t\t(unknown host)'%hostname


def do_reverse_dns_resolution( self, addresses ):
"""
Perform reverse DNS requests
to discover a network
"""
addressesRange = AddrExtract( addresses )
while True:
addr = addressesRange.next()
if addr == '':
break
try:
host = socket.gethostbyaddr( addr )
print '\t%s\t\t%s'%( addr, host[0] )
except:
continue



class PortScanner:
"""
Perform basic port scanning
using tcp connect() scan.
Parse and randomize ranges of ports
"""
def __init__( self ):
"""
Set properties to their default values
"""
# default behavior is to scan the whole ports range
self.portList = range( 1, 65535 + 1 )
# used to print out open ports in a clean way
self.openPorts = []


def parse_port_sequence( self, portSeqStr ):
"""
build a list of ports to scan
from a string like 21,22,42-80
"""
# erase whatever has been saved before
self.portList = []
tmpList = []
for token in portSeqStr.split( ',' ):
tmpList.append( token )
for elt in tmpList:
if elt.count( '-' ) == 1:
for port in self.__get_ports_from_range( elt ):
self.portList.append( port )
else:
try:
self.portList.append( int( elt ) )
except:
print 'Invalid port supplied %s'%elt
continue


def __get_ports_from_range( self, portRange ):
"""
convert a string like 1-5
to a list of ports ( [1, 2, 3, 4, 5] )


"""
tmpRange = []
try:
# split string into start and stop values
subRange = portRange.split( '-' )
start = int( subRange[0] )
stop = int( subRange[1] ) + 1
# and add each port included between
for port in range( start, stop ):
tmpRange.append( port )
except:
# empty list is returned if an exception occurs
tmpRange = []
finally:
# list is returned whatever happens
return tmpRange


def connect_scan( self, targets ):
"""
Scan every host in a range of IP addresses
"""
addressesRange = AddrExtract( targets )
if addressesRange != None:
while True:
addr = addressesRange.next()
if addr == '':
break
try:
self.scan_host( addr )
except:
continue
else:
print 'Invalid IP range supplied!'



def scan_host( self, target ):
"""
Perform tcp connect() scan
"""
random.shuffle( self.portList )
self.openPorts = []

for probedPort in self.portList:
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
try:
s.connect( ( target, probedPort ) )
self.openPorts.append( probedPort )
except socket.error:
pass
finally:
s.close()
# Once this is done :
self.__print_results( target )


def __print_results( self, target ):
"""
print out the list of open ports for scanned host
"""
print 'Open (tcp) ports on %s :'%( target )
print '( %i probed and %i found open )'%( len( self.portList ), len( self.openPorts ) )
self.openPorts.sort()
if len( self.openPorts ) == 0:
print ''
for port in self.openPorts:
print 'Port %i open'%port
print ''



class AddrExtract:
"""
find out every IP addresses
in a memory efficient way
from a string describing ranges of
addresses like 192.168.0-5.0.255
"""
def __init__( self, input ):
"""
extracter startup
"""
self.addressesParts = {
'A' : {
'start' : 0,
'stop' : 0
},
'B' : {
'start' : 0,
'stop' : 0
},
'C' : {
'start' : 0,
'stop' : 0
},
'D' : {
'start' : 0,
'stop' : 0
}
}
self.stringRange = input
self.nextAddress = ''
if not self.split_string():
self.reset_all()


def split_string( self ):
"""
split input string into
4 parts of IP addresses
"""
parts = self.stringRange.split( '.' )
# Number of fields must be 4 (IPv4 only...)
if len( parts ) != 4:
print 'Invalid IPv4 addresses range supplied : %s'%self.stringRange
return False
# Get ranges supplied in each field
for i in ['A', 'B', 'C', 'D']:
try:
self.addressesParts[i]['start'] = int( parts[ord(i) - ord('A')] ) # this is not a C program??
# On the following line we assign the starting value to the 'stop' field if the address field has not be specified as a range
# (otherwise an exception would have been raised above)
self.addressesParts[i]['stop'] = self.addressesParts[i]['start']
except:
try:
start, stop = parts[ord(i) - ord('A')].split( '-' )
self.addressesParts[i]['start'] = int( start )
self.addressesParts[i]['stop'] = int( stop )
except:
print 'Invalid IPv4 addresses range supplied : %s'%self.stringRange
return False
# Check computed values
if not self.check_addresses_range_values():
return False
# If we are there, then assume it's OK
return True


def check_addresses_range_values( self ):
"""
Are supplied values Ok for IP addresses ?
"""
for k in self.addressesParts.keys():
if self.addressesParts[k]['start'] not in range(0, 256):
print 'Invalid addresses Range supplied : %s'%self.stringRange
return False
if self.addressesParts[k]['stop'] not in range(0, 256):
print 'Invalid addresses Range supplied : %s'%self.stringRange
return False
return True


def reset_all( self ):
"""
Reset every field of addressesParts
to zero
"""
for key in self.addressesParts.keys():
for entry in self.addressesParts[key].keys():
self.addressesParts[key][entry] = 0


def next( self ):
"""
return the next IP address of the range
without storing the whole list of addresses
contained in this range
"""
# On first call
if self.nextAddress == '':
# Writing the first IP address of the range using format string and computed values
self.nextAddress = '%i.%i.%i.%i'%(
self.addressesParts['A']['start'],
self.addressesParts['B']['start'],
self.addressesParts['C']['start'],
self.addressesParts['D']['start'] )
# Catch some misinitializations...
if self.nextAddress == '0.0.0.0':
return ''
else:
return self.nextAddress
# For following calls
a, b, c, d = self.nextAddress.split( '.' )
a = int( a )
b = int( b )
c = int( c )
d = int( d )
# The big if - then - else labyrinth...
if d < self.addressesParts['D']['stop']:
d += 1
else:
d = self.addressesParts['D']['start']
if c < self.addressesParts['C']['stop']:
c += 1
else:
c = self.addressesParts['C']['start']
if b < self.addressesParts['B']['stop']:
b += 1
else:
b = self.addressesParts['B']['start']
if a < self.addressesParts['A']['stop']:
a += 1
else:
return ''

self.nextAddress = '%i.%i.%i.%i'%( a, b, c, d )
return self.nextAddress





# So all that stuff started here?!
if __name__ == '__main__':
NetReckon()






Voila, j'espère que le script plaira. C'est entre autre un exemple assez complet de l'utilisation du module cmd de python qui permet de réaliser facilement ce type de consoles avec historique des commandes, gestion de l'aide etc.

C'est tellement marrant la recon! =D

7 nov. 2008

Hdos - TCP resource exhaustion attack tool -

Voilà, je me suis décidé, je publie donc une version "gentille" de hdos, la version Hth du Ndos de Fyodor.

Juste pour ceux qui n'auraient pas suivi, Fyodor, le grand gourou du projet Nmap, a écris -mais jamais publié- un outil compagnon de nmap intitulé "Ndos". L'idée étant d'ouvrir des connections tcp sur un service sans passer par la pile Tcp/IP du kernel et donc de ne garder aucune trace des connections là où la cible va au contraire consommer beaucoup de ressources pour gérer ces connections.

(Cf. article ci-dessous)

Fyodor a simplement publié l'écran d'aide de Ndos, dont je me suis plus qu'inspiré!

L'outil Naphta implémente également cette attaque.

Hdos utilise la librairie Pcap et la Libnet (version 1.1.2.1) et suit un modèle de réception/envoi asynchrone. Des paquets SYN sont envoyés à haute vitesse tant que rien n'est disponible en réception. L'utilisation d'un filtre BPF (via la libpcap) fait que si quelque chose est disponible, alors il s'agit d'une réponse SYN+ACK provenant de la cible. Lorsque l'on en reçoit, on répond des ACK, jusqu'à ce que la file d'attente de la réception soit épuisée à nouveau, auquel cas on reprend l'envoi de SYN.

L'outil est donc relativement rapide et efficace. J'ai crashé (et bien comme il faut hein!!) mon eeepc en quelques centaines de connections sur le port 139.

Hdos pourrait être bien plus dangereux si on lui ajoutait la possibilité d'envoyer le contenu d'un fichier texte dans les connections ouvertes, afin de stimuler les services attaqués. Cette option, tout comme le mode "poli", n'a pas été implémentée par manque de temps et d'intérêt, vu que mon objectif n'était pas de releaser un missile pour script kiddies mais d'observer ce type d'attaques. Si Fyodor l'a fait, c'est qu'il utilise l'outil pour des pentest professionels, ce n'est pas mon cas.

Ceci dit, implémenter une telle option est tout à fait envisageable étant donné l'organisation du code (que j'ai essayé de commenter un peu).

Hdos est sous licence BSD, ce qui permet en gros à chacun d'en faire ce qu'il veut, y compris de ne pas diffuser d'éventuelles modifications. Ceci dit je serais bien content de recevoir quelques patchs ou feedback!

Un fichier README est associé au projet. Il rapelle notamment qu'il est nécessaire de configurer son firewall pour utiliser Hdos, afin de bloquer les paquets Tcp RST sortants (là encore, explications dans l'article ci-dessous).

hdos_0.1.tar.gz

MD5 (hdos_0.1.tar.gz) = c24829ca8684ca7ffb75d7dd1abcbf2f