Author Topic: [Tutorial] Portscanning Fun  (Read 8118 times)

0 Members and 1 Guest are viewing this topic.

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
[Tutorial] Portscanning Fun
« on: December 10, 2011, 07:30:41 pm »
(A HowDoI*-document)

*I prefer HowDoI instead of Tutorial, because it isn't a tutorial :P

When I'm totaly bored (which is often) I go take a walk in the park....

but in this case the park is the internet :-)
Tired of google or sql injecting/xss sites, etc etc.
I go searching for fun stuff on the not-crawled/indexed ip's.
A lot to see, test, exploit, browse or just irritate people.

So, what do I use

- Linux (or cygwin - linux-in-windows, great program, a must for windows users)
- GeoIPGen (http://code.google.com/p/geoipgen/) from
  Download geolite database (wget wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip)
  unpack it in same directory as GeoIPGen
- AngryIP Scanner (http://sourceforge.net/projects/ipscan/files/ipscan3-binary/3.0-beta6/ipscan_3.0-beta6_i386.deb)
  (or windows/other version at http://www.angryip.org/w/Download)
- any scan/pentest program you need.
 
ok then, let's go hunting..
I want to find ip adresses only from the netherlands..
can be any country you want (database is nog 100% correct,
Lite version.. but good enough!)

Let's get a list of ip adresses (-n num of ips)
$ ./geoipgen -n 10000 NL > iplist_10000_NL.lst

(it will keep track of already found IP adresses in ~/.geoipgen/ so when you search again
it won't show the same ones again).

now start AngryIP Scanner;
$ sudo java -jar ipscan-linux-3.0-git.jar

I change the options a little bit, to save some time scanning.
Preferences:
  Scanning
   Delay 0
   Max num threads 200
   Pinging Method ICMP Echo (that why I use sudo - ICMP uses RAW tcp/ip,
                      you can also add CAP's to the jarfile
                      sudo setcap cap_new_raw,cap_net_admin=eip ipscan-linux-3.0-git.jar)
   Scan dead hosts   Checked
   Skip likely broadcast IP unchecked
   
  Ports
    Adapt timeout 100
   Port selection: 21,23,80,8080
   *can choose more or others, but these are the most often open ports.
     because the size of my scans I limited to these 4,
     adding 110,137,139,443,3306,etc can give more valuable info
     but takes much much more time.
     Yesterday I scanned 100.000 ip adresses within a few hours.
     
  Display
    Host with open ports only
then "Select fetchers" option I use only Ports,Filtered Ports,Web detect (in this order)
   
Now I import the IP list
Press Start... and wait wait wait ;P
after scan export all..

and see a nice fun list to explore:
example (a actual list from my scans, don't misuse :P )
Quote
82.73.18.101    80              23                                        Boa/0.93.15 (with Intersil Extensions)
82.73.170.156   23,80           21,8080                                   Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0
82.73.178.248   21,80           23,8080                                   Apache/2.2.21 (Win32) PHP/5.3.6
130.161.36.25   80              [n a]                                     Apache/1.3.33 (Unix) PHP/4.0.6 mod_ssl/2.8.24 OpenSSL/0.9.7g
130.89.136.11   21,80           [n a]                                     thttpd                       
130.89.150.65   80              [n a]                                     Oracle-Application-Server-10g/10.1.3.4.0 Oracle-HTTP-Server
130.89.152.195  80              [n a]                                     Virata-EmWeb/R6_2_1           
130.89.161.245  21              [n a]                                     [n a]                         
130.89.1.98     80              21,23,8080                                Microsoft-IIS/6.0             
130.89.162.203  80              21,23,8080                                Apache/2.2.16 (Unix) PHP/5.3.3
131.155.111.71  21,80           [n a]                                     Apache/2.2.20 (Ubuntu)       
131.155.112.29  80              [n a]                                     Virata-EmWeb/R6_2_1           
131.155.151.103 80              21,23,8080                                Microsoft-IIS/6.0             
131.174.37.150  23,80           [n a]                                     [n a]                         
131.174.61.212  80              21,23,8080                                Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
131.211.85.13   80              21,23,8080                                Apache/2.0.46 (CentOS)       
132.229.83.17   80              [n a]                                     Apache/2.0.63 (NETWARE) mod_jk/1.2.23
134.146.113.193 80              21,23,8080                                Microsoft-IIS/6.0             
134.146.64.111  80              21,23,8080                                Citrix Web PN Server         
134.146.81.39   80              21,23,8080                                Microsoft-IIS/6.0             
134.221.194.154 80              21,23,8080                                Apache/2.2.14 (Ubuntu)     
137.56.169.221  80              21,23,8080                                Microsoft-IIS/7.5             
139.122.202.162 80              21,23,8080                                Microsoft-IIS/6.0             
141.138.204.64  21,80           [n a]                                     Apache/2                     
141.0.174.208   21              23,80                                     nginx                         
141.138.203.106 21,80           23,8080                                   Apache                       
141.93.35.152   80              21,23,8080                                Lotus-Domino     
145.3.1.201     21,80           23,8080                                   Microsoft-IIS/6.0             
145.36.247.12   80              21,23,8080                                Microsoft-IIS/5.0             
145.36.42.43    80              21,23,8080                                IBM_HTTP_Server               
145.36.40.127   80              21,23,8080                                Apache/2.0.55 (Unix) DAV/2 mod_jk/1.2.6
145.43.216.70   80              21,23,8080                                Microsoft-IIS/6.0             
145.58.35.29    80              21,23,8080                                [n a]                         
145.64.132.127  21              23,80,8080                                [n a]                         
145.7.91.179    80              21,23,8080                                Microsoft-IIS/6.0             
145.74.103.21   80              21,23,8080                                Roxen                         
145.94.95.82    80              21,23,8080                                [n a]                         
145.97.222.37   80              21,23,8080                                [n a]                         
145.97.223.209  80              21,23,8080                                [n a]                         
145.99.120.189  80              [n a]                                     [n a]                         
145.99.115.185  23,80           [n a]                                     ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0
145.99.237.2    23,80           [n a]                                     ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0
145.99.104.5    21              8080                                      [n a]                         
145.99.112.97   80              23,8080                                   ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0

so you see, a lot of neat things to explore
routers,printers,old http servers,naz's,etc.
today I even found a climate control system webbased without password. grinnn..
routers are mostly unsecured, standard passwords, simple exploits by bypassing security,
or resetting to standard-factory-defaults, etc. (I'm actualy busy at the moment to
make a router tool which has all the vulns,advisories,poc's,exploits listed per router
and some scanning and exploit abilities)
explore the ftp for anonymous logins with metasploit or other scanners,
irritate people by nuking there printers (sending pages, DoS them or whatever)
Watch there security camera's, or try to root them..
Unlimited possibilties..

for a closer look at the systems use nmap or metasploit, nessus, nexpose or windows
users eEye Retina, N-stalker or Acunetix (Acunetix is handy for exploring routers etc.)



small tip:
cat *.lst | grep RomPager
(as an example) will give all the ip's with RomPage banner info
(99% chance it's a router)
so can you sort out your findings.
this can be inputed in WhatWeb


cat *.lst | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
extracts ip's from list


so:
$ cat *.lst | grep RomPager | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'  > rompagers.lst
$ ./whatweb -i rompagers.lst --log-brief=rompagers.ww -a=4


now rompages.ww has all the founded ip adresses with http bannergrab info RomPager and finds valuable info with WhatWeb.
Example: rompagers.txt
« Last Edit: January 14, 2012, 12:00:38 pm by neusbeer »
--Neusbeer

Offline Stackprotector

  • Administrator
  • Titan
  • *
  • Posts: 2515
  • Cookies: 205
    • View Profile
Re: [Tutorial] Portscanning Fun
« Reply #1 on: December 10, 2011, 08:03:14 pm »
i do not have the time to read this tonight,   but in advance +1 :D
~Factionwars

Offline sp0rk

  • Serf
  • *
  • Posts: 38
  • Cookies: -1
    • View Profile
Re: [Tutorial] Portscanning Fun
« Reply #2 on: December 24, 2011, 05:28:40 am »
I appreciated this post, can you reply with some instruction on how to run a script or something to nmap the list of IPs this enumerates?

P.S This no longer is working for me,
Quote
optx@ubuntu:~$ sudo java -jar ipscan-linux-3.0-git.jar
Unable to access jarfile ipscan-linux-3.0-git.jar

« Last Edit: December 24, 2011, 06:04:49 am by Shogun »

Welcome. Sit on the couch in the corner and I'll bring in the bitches.

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: [Tutorial] Portscanning Fun
« Reply #3 on: December 24, 2011, 02:27:42 pm »
I appreciated this post, can you reply with some instruction on how to run a script or something to nmap the list of IPs this enumerates?
You can write all the IP's to the list and then do

Code: [Select]
kulverstukas@kulverstukas-desktop:~$ nmap -sP -iL ~/ips.list

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-24 15:26 EET
Host bru01m01-in-f105.1e100.net (209.85.147.105) is up (0.067s latency).
Host ir1.fp.vip.mud.yahoo.com (209.191.122.70) is up (0.17s latency).
Host xvm-100-57.ghst.net (173.246.100.57) is up (0.14s latency).
Nmap done: 3 IP addresses (3 hosts up) scanned in 2.80 seconds

-sP states that it should do nothing else but ping the host.
-iL states that it will scan all IP's in the given list, ips.list file in my case.

Offline ZonTa

  • /dev/null
  • *
  • Posts: 10
  • Cookies: 0
  • -[s3cr3tz]-
    • View Profile
Re: [Tutorial] Portscanning Fun
« Reply #4 on: December 24, 2011, 03:25:00 pm »
You can write all the IP's to the list and then do

Code: [Select]
kulverstukas@kulverstukas-desktop:~$ nmap -sP -iL ~/ips.list

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-24 15:26 EET
Host bru01m01-in-f105.1e100.net (209.85.147.105) is up (0.067s latency).
Host ir1.fp.vip.mud.yahoo.com (209.191.122.70) is up (0.17s latency).
Host xvm-100-57.ghst.net (173.246.100.57) is up (0.14s latency).
Nmap done: 3 IP addresses (3 hosts up) scanned in 2.80 seconds

-sP states that it should do nothing else but ping the host.
-iL states that it will scan all IP's in the given list, ips.list file in my case.

Most new routers and cameras doesn't respond to icmp.
- People Hate BlackHats , But They Ignore WhiteHats.
                                                                                 - NeX

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: [Tutorial] Portscanning Fun
« Reply #5 on: December 24, 2011, 04:12:22 pm »
Most new routers and cameras doesn't respond to icmp.

Then don't do the ICMP part? :P
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline NeX

  • Peasant
  • *
  • Posts: 74
  • Cookies: 5
    • View Profile
Re: [Tutorial] Portscanning Fun
« Reply #6 on: December 24, 2011, 08:44:14 pm »
I think all of this can be done by nmap itself, with a little help of grep, ofc.
nmap's -iR generates IP's
-p21,23,80,8080 for the ports part,
-Pn for no ping
-n for no dns resolution (faster scan)
and -oG to save in grep format..
Reading the nmap manual page would explain it better than me, but yeah, my point is.. no need for all these tools, cause nmap & grep does it all ;)

Happy scanning? xD

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: [Tutorial] Portscanning Fun
« Reply #7 on: December 24, 2011, 11:29:21 pm »
I don't ping them and no dns-resolution
using NMap option -PN
Code: [Select]
#!/bin/bash
sudo nmap -PN -iL "$1".txt -sS -p 21 --open --script=ftp-anon,banner -oN "$1"_ftp_scan.log -n -v
where input is a ip list without .txt
so I use this script as:
I have a iplist named: biglist_of_ip.txt
./scanp21 biglist_of_ip
and will end up in a scanned list named: biglist_of_ip_ftp_scan.log


-PN for not pingen the host, but just resume it exists then

-sS for scan connect (-p 21) port 21
outputs only open ports (--open)
with 2 scripts ftp-anon and banner(grabbing)
-oN is output normal text. -oG is better for grepping.


this is a fast way to scan. my normal reports take about:
# Nmap done at Sun Dec 18 17:19:46 2011 -- 50000 IP addresses (50000 hosts up) scanned in 3355.15 seconds
« Last Edit: December 24, 2011, 11:36:13 pm by neusbeer »
--Neusbeer