[Tutorial] Portscanning Fun - IP listings
(A HowDoI*-document)
*I prefer HowDoI instead of Tutorial, because it isn't a tutorial, just how I do it.
Needed:
- linux/cygwin
- geoipgen 0.4 (see [Tutorial] Portscanning Fun for the installation guide)
- nmap (try to install the newest version; the SVN tree just changed this week:
svn co https://svn.nmap.org/nmap
the Windows version can be used, but mind its limited raw packet support)
I explained earlier how to get country-specific IPs from geoipgen.
./geoipgen -n 5000 NL > 5000_ip_nl.txt
.. will result in a list of 5000 Dutch IPs.
note: for random IPs instead, use nmap's -iR <num random hosts> (it takes a number of target hosts, not ports):
sudo nmap -iR 5000 -sC -p 21 --script=ftp-anon,banner -Pn -n -oN output.txt
this probes port 21 on 5000 random IPs for anonymous FTP access, without DNS resolution (-n, faster) and without host discovery (-Pn, so every address is probed even if it does not answer ping; -PN is the old spelling of the same option). Use -iL <iplist> instead of -iR to scan a specific list, e.g. one gathered with geoipgen.
My working dir is getting messy with all those lists, scans, etc.
Let's get it clean and tight.
I want to target Dutch IPs in this example.
You can of course change everything for your own needs.
first create a main working dir
mkdir ip_fun
go into the dir (cd ip_fun)
and make a data dir for your IP lists
mkdir ips
ok, because of the number of possible targets I'm gonna make a set of IP-list files.
I'm gonna make 50 lists of 50000 IPs each.
(Or less.. choose what you need. I want a big list, so I go for 50 files of 50000 IPs (2,500,000 IPs))
make a bash script:
#!/bin/bash
# write 50 lists of 50000 Dutch IPs; the counter is zero-padded so the
# file names sort correctly (nl_50000_01.txt .. nl_50000_50.txt)
for COUNTER in $(seq -w 1 50); do
./geoipgen -n 50000 nl > nl_50000_"$COUNTER".txt
done
this will make me 50 files named nl_50000_<num>.txt (01 to 50)
move these to your new-made dir
/ip_fun/ips
now you can scan more specifically and faster.
let's try.....
nmap scan for anonymous ftp access and juicy files. (one of my favorites)
sudo nmap -iL /ip_fun/ips/nl_50000_01.txt -v -n -sS --open -p 21 -Pn --script=ftp-anon,banner -oN /ip_fun/nmap_p21_scan.txt
or a port 80 scan
sudo nmap -iL /ip_fun/ips/nl_50000_01.txt -v -n -sS --open -p 80,8080 -Pn --script=banner,http-headers,http-favicon,http-malware-host,http-enum,http-robots.txt,http-php-version,http-userdir-enum,http-trace,http-auth,address-info -oN /ip_fun/nl_50000_01.scan_port80.txt
note: if you use nmap for Windows, it's an older version and not all of the scripts are included;
http-robots.txt, http-php-version and http-userdir-enum were added only recently. Check the spelling of the script names, because nmap refuses to start the scan if a name in --script does not match any script.
To keep automated scans orderly I suggest the following structure
(This is how I do it)
First I scan some of my IP lists.
I make another dir in ip_fun.
mkdir scans
I'm into port 21 for looking around in other people's stuff..
I made a small automation script for this *mind that I use the .txt extension for the lists.
#!/bin/bash
# $1 : ip list name WITHOUT extension (the output file reuses the same base name)
# paths below are relative to /ip_fun, so change to the script's own dir first
cd "$(dirname "$0")" || exit 1
[ $# -eq 1 ] || { echo "usage: $0 <iplist-name-without-.txt>" >&2; exit 1; }
sudo nmap -v -iL ips/"$1".txt -Pn -n -p 21 -oN scans/"$1".scan_port21.txt --script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor --open -sC
save this as /ip_fun/scan_p21.sh and make it executable (chmod +x scan_p21.sh)
now hit off with
(file names can be different of course)
./scan_p21.sh nl_50000_01
./scan_p21.sh nl_50000_02
./scan_p21.sh nl_50000_03
./scan_p21.sh nl_50000_04
./scan_p21.sh nl_50000_05
that will give me 5*50000 scanned IPs for port 21
listed at /ip_fun/scans/*.scan_port21.txt
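Running scan_p21.sh by hand for every list gets old after a few files, and a crash or reboot half-way means working out which lists are done. The following is an added example (my own code, not the original poster's) of a resumable runner for the /ip_fun layout above: it looks at ips/<name>.txt and scans/<name>.scan_port21.txt and only starts scan_p21.sh for lists that have no scan output yet. The function names pending_lists and run_pending are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: resumable batch runner for the
# /ip_fun layout (ips/<name>.txt in, scans/<name>.scan_port21.txt out).
# It only starts scan_p21.sh for lists that have no non-empty scan output
# yet, so after a crash or a reboot you re-run it and it carries on with the
# remaining lists instead of rescanning everything. Function names are this
# example's own.

# pending_lists DIR
#   print the base names (without .txt) of every list in DIR/ips that has
#   no non-empty DIR/scans/<name>.scan_port21.txt yet, one per line, sorted
pending_lists() {
    dir=$1
    for f in "$dir"/ips/*.txt; do
        [ -e "$f" ] || continue        # unmatched glob: no lists at all
        name=$(basename "$f" .txt)
        [ -s "$dir/scans/$name.scan_port21.txt" ] || echo "$name"
    done | sort
}

# run_pending DIR [CMD]
#   run CMD (default ./scan_p21.sh) once per pending list, from inside DIR so
#   the relative ips/ and scans/ paths used by scan_p21.sh resolve. CMD gets
#   the list name as its only argument and /dev/null as stdin, so an
#   interactive tool cannot swallow the rest of the list. A failing CMD is
#   reported and the loop moves on to the next list.
run_pending() {
    dir=$1
    cmd=${2:-./scan_p21.sh}
    (
        cd "$dir" || exit 1
        pending_lists . | while IFS= read -r name; do
            echo "== scanning $name" >&2
            "$cmd" "$name" </dev/null || echo "!! $cmd failed on $name" >&2
        done
    )
}

# typical use once scan_p21.sh and the lists are in place:
#   run_pending /ip_fun
```

An empty output file counts as "not scanned" on purpose: nmap creates the -oN file as soon as it starts, so a scan that was killed right away leaves an empty file behind and should be redone.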
You can read them manually or grep for nice things.
(nmap's output is Normal (use -oG for grepable output, one host per line, if you prefer) but I chose this format for my manual reading)
Run the searches from /ip_fun so the scans/ and searches/ paths resolve (mkdir searches first).
cameras
cat scans/*.txt | grep -B 5 -i "camera" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -v '^192\.168\.' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u > searches/cameras.txt
you see I made a different dir for the output (else the further searches would pick up those outputs as well).
this will result in a sorted IP list for the given search.
or NAS (hard drives)
cat scans/*.txt | grep -B 5 -i "nas" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -v '^192\.168\.' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u > searches/nas.txt
or just search for an ftp server you know how to exploit
there are a lot of exploitable ftp servers.
e.g. ProFTPD 1.3.1 (vulnerable to SQL injection through the username when mod_sql is in use, CVE-2009-0542; a server that hides its version in the banner will not show up in this search)
(http://www.hackerscenter.com/index.php?/Feeds/Exploits/ProFTPD-mod_sql-Username-SQL-Injection-Vulnerability.html)
cat scans/*.txt | grep -B 5 -i "proftpd 1.3.1" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -v '^192\.168\.' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u > searches/proftpd_1.3.1.txt
short code explanation:
the first grep is the search keyword (-B 5 prints the 5 lines before the match, which is normally where the "Nmap scan report for" line with the IP is; a long banner or script output can push that line further up, in which case the IP is missed)
the second grep pulls out the IP; the third grep drops IPs starting with 192.168. (private addresses, useless from outside); sort orders them octet by octet and -u removes duplicates.
of course I script this.. :-D
#!/bin/bash
# $1: keyword to search for (case-insensitive); the result goes to searches/<keyword>.txt
# run from /ip_fun (the cd below takes care of that); spaces and slashes in the keyword become _ in the file name
cd "$(dirname "$0")" || exit 1
cat scans/*.txt | grep -B 5 -i "$1" | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | grep -v '^192\.168\.' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u > searches/"$(printf '%s' "$1" | tr ' /' '__')".txt
try dreambox, disk, etc.
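The grep -B 5 pipelines above work most of the time but guess how far above the match the IP line is. As an added example (my own code, not the original poster's), here is a keyword search that walks the -oN output host by host instead: a "Nmap scan report for ..." line (or "Interesting ports on ..." from older nmap) starts a block, and a host's IP is printed when any line of its block contains the keyword. It goes a little beyond the post by dropping all RFC 1918 ranges rather than only 192.168. The function names hosts_matching and sample_scan, and the sample scan text (documentation addresses, constructed for this example), are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pull the IPs of hosts whose
# nmap Normal (-oN) output mentions a keyword, the job the grep -B 5 pipelines
# do. Instead of guessing how many lines above the match the IP is, it walks
# the output host by host ("Nmap scan report for ..." starts a block; older
# nmap printed "Interesting ports on ..."), so a long banner cannot push the IP
# out of reach and a keyword near the top of a block cannot pick up the previous
# host. It drops all RFC 1918 ranges, not just 192.168. Function names and the
# sample scan text are this example's own.

# hosts_matching KEYWORD [FILE...]
#   read nmap -oN output from FILEs (or stdin) and print, sorted and
#   de-duplicated, the public IPs of hosts whose block contains KEYWORD
#   (case-insensitive), e.g.: hosts_matching camera scans/*.scan_port21.txt
hosts_matching() {
    kw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    awk -v kw="$kw" '
        # print the current host if its block mentions the keyword, then reset
        function emit() {
            if (host != "" && index(tolower(block), kw) > 0) print host
            host = ""; block = ""
        }
        /^(Nmap scan report for|Interesting ports on) / {
            emit()
            if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
                host = substr($0, RSTART, RLENGTH)
            next
        }
        { block = block "\n" $0 }    # everything else belongs to the current host
        END { emit() }
    ' "$@" |
    grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' |
    sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# sample_scan: constructed -oN output in the shape scan_p21.sh produces
# (documentation addresses only; not real scan results)
sample_scan() {
    cat <<'EOF'
# Nmap scan initiated (constructed sample)
Nmap scan report for 203.0.113.10
Host is up (0.031s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| banner: 220 Welcome to the IP Camera FTP service
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Jan 1 12:00 record

Nmap scan report for 198.51.100.7
Host is up (0.020s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| banner: 220 ProFTPD 1.3.1 Server (NAS-Storage) [198.51.100.7]
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

Nmap scan report for 192.168.1.20
Host is up.
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 camera ftpd ready

Nmap scan report for 203.0.113.5
Host is up (0.044s latency).
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.3.4)

# Nmap done (constructed sample) -- 4 IP addresses (4 hosts up) scanned
EOF
}

# e.g.:  sample_scan | hosts_matching camera
```

Because it keys on the per-host blocks rather than on a line count, the same function works unchanged on the port 80 scan files, where http-enum and http-headers output can run to dozens of lines per host.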
I just finished 50 IP lists of 50000 IPs on port 21.
and I truly did find some juicy files ..
rofl.. I even found a USB-drive backup from a head of the police in Amsterdam/Rijnland.
EPIC fun..
(no I will not share it)
notes:
- a lot of NAS/hard drives have password-protected web authentication, but allow FTP anonymous login.
(enough exploits on the web to jump out of the anonymous box and run free on their servers/drives)
- dreamboxes are fun to watch television on. (you can change the channel they are actually viewing remotely, and send them on-screen messages. fun!)
- a lot of music, movies and ISOs are shared.
- people don't like updates, so a lot of old software is in use.
- the port 21 info can say a lot about the running server; if it looks interesting, scan some more
(port 80, 8080, 443, 110, etc.)
a short overview:
after this I have a path structure of
/ip_fun/
/ips
/scans
/searches
with a lot of IP files in ips, scan info in scans and my search results in searches.
I'm just a beginner at this.. I just share my experiences..
feel free to criticize or add to my ideas..