Termux ID: Perl

A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Enum4linux is a tool for enumerating information from Windows and Samba systems.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

Key features
  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval (using polenum)

Overview

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
The tool usage can be found below, followed by examples. Previous versions of the tool can be found at the bottom of the page.

Dependencies

You will need to have the Samba package installed as this script is basically just a wrapper around rpcclient, net, nmblookup and smbclient.

Usage
$ enum4linux.pl -h
enum4linux v0.8.2 (https://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2006 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar functionality
to enum (http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm).
Some additional features such as RID cycling have also been added for convenience.

This is an ALPHA release only.  Some of the options supported by the original "enum"
aren't implemented in this release.

Usage: /usr/local/bin/enum4linux.pl [options] ip

Options are (like "enum"):
-U             get userlist
-M             get machine list*
-N             get namelist dump (different from -U|-M)*
-S             get sharelist
-P             get password policy information*
-G             get group and member list
-L             get LSA policy information*
-D             dictionary crack, needs -u and -f*
-d             be detailed, applies to -U and -S
-u username    specify username to use (default "")
-p password    specify password to use (default "")
-f filename    specify dictfile to use (wants -D)*

* = Not implemented in this release.

Additional options:
-a             Do all simple enumeration (-U -S -G -r -o -n)
-h             Display this help message and exit
-r             enumerate users via RID cycling
-R range       RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-s filename    brute force guessing for share names
-k username    User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
Used to get sid with "lookupsid known_username"
Use commas to try several users: "-k admin,user1,user2"
-o             Get OS information
-i             Get printer information
-w workgroup   Specify workgroup manually (usually found automatically)
-n             Do an nmblookup (similar to nbtstat)
-v             Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts which have
RestrictAnonymous set to 1 (Windows NT and 2000), or "Network access: Allow
anonymous SID/Name translation" enabled (XP, 2003).

If no usernames are known, good names to try against Windows systems are:
- administrator
- guest
- none
- helpassistant
- aspnet

The following might work against samba systems:
- root
- nobody
- sys

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Examples

Below are examples which demonstrate most of the features of enum4linux. Output has been edited for brevity in most cases.

Verbose mode
Before we delve into the features of enum4linux, it’s worth pointing out that verbose mode shows you the underlying commands being run by enum4linux (rpcclient, smbclient, etc.). This is useful if you want to use the underlying commands manually, but can’t figure out the syntax to use. Note the lines beginning with [V] in the output below:
$ enum4linux.pl -v 192.168.2.55
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:18:51 2008

----- Enumerating Workgroup/Domain on 192.168.2.55 ------
[V] Attempting to get domain name with command: nmblookup -A '192.168.2.55'
[+] Got domain/workgroup name: WORKGROUP

----- Getting domain SID for 192.168.2.55 -----
[V] Attempting to get domain SID with command: rpcclient -U''%'' 192.168.2.55 -c 'lsaquery' 2>&1
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)

----- Session Check on 192.168.2.55 -----
[V] Attempting to make null session using command: smbclient //'192.168.2.55'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 192.168.2.55 allows sessions using username '', password ''

The “Do Everything” option
As you read through the following section you’ll probably think that there are a lot of options you need to remember. If you just want enum4linux to try to enumerate all the information it can from a remote host, just use the -a option:
$ enum4linux.pl -a 192.168.2.55
NB: This won’t do dictionary-based share name guessing, but does pretty much everything else.

Obtain list of usernames (RestrictAnonymous = 0)
This feature is similar to enum.exe -U IP. It returns a complete list of usernames if the server allows it. On Windows 2000 the RestrictAnonymous registry setting must be set to 0 for this feature to work. The user list is shown twice in two different formats because two different underlying commands are used to retrieve the data.
$ enum4linux.pl -U 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 27 16:02:50 2008

----- Users on 192.168.2.55 -----
index: 0x1 RID: 0x1f4 acb: 0x210 Account: Administrator Name: Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3ee acb: 0x10 Account: basic Name: basic Desc:
index: 0x3 RID: 0x3ed acb: 0x10 Account: blah Name: Desc:
index: 0x4 RID: 0x1f5 acb: 0x215 Account: Guest Name: Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e9 acb: 0x214 Account: IUSR_PORTCULLIS Name: Internet Guest Account Desc: Built-in account for anonymous access to Internet Information Services
index: 0x6 RID: 0x3ea acb: 0x214 Account: IWAM_PORTCULLIS Name: Launch IIS Process Account Desc: Built-in account for Internet Information Services to start out of process applications
index: 0x7 RID: 0x3ec acb: 0x10 Account: mark Name: Desc:
index: 0x8 RID: 0x3e8 acb: 0x214 Account: TsInternetUser Name: TsInternetUser Desc: This user account is used by Terminal Services.

user:[Administrator] rid:[0x1f4]
user:[basic] rid:[0x3ee]
user:[blah] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[IUSR_PORTCULLIS] rid:[0x3e9]
user:[IWAM_PORTCULLIS] rid:[0x3ea]
user:[mark] rid:[0x3ec]
user:[TsInternetUser] rid:[0x3e8]

Obtain a list of usernames (using authentication)
If you’ve managed to obtain a username and password for the host, you can use it to retrieve a complete list of users regardless of RestrictAnonymous settings. In the example below we use the administrator account, but any account will do:
$ enum4linux.pl -u administrator -p password -U 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 13:19:35 2008

----- Users on 192.168.2.55 -----
index: 0x1 RID: 0x1f4 acb: 0x210 Account: Administrator Name: Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3ee acb: 0x10 Account: basic Name: basic Desc:
index: 0x3 RID: 0x3ed acb: 0x10 Account: blah Name: Desc:
index: 0x4 RID: 0x1f5 acb: 0x215 Account: Guest Name: Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e9 acb: 0x214 Account: IUSR_PORTCULLIS Name: Internet Guest Account Desc: Built-in account for anonymous access to Internet Information Services
index: 0x6 RID: 0x3ea acb: 0x214 Account: IWAM_PORTCULLIS Name: Launch IIS Process Account Desc: Built-in account for Internet Information Services to start out of process applications
index: 0x7 RID: 0x3ec acb: 0x10 Account: mark Name: Desc:
index: 0x8 RID: 0x3e8 acb: 0x214 Account: TsInternetUser Name: TsInternetUser Desc: This user account is used by Terminal Services.

user:[Administrator] rid:[0x1f4]
user:[basic] rid:[0x3ee]
user:[blah] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[IUSR_PORTCULLIS] rid:[0x3e9]
user:[IWAM_PORTCULLIS] rid:[0x3ea]
user:[mark] rid:[0x3ec]
user:[TsInternetUser] rid:[0x3e8]

Obtaining a List of Usernames via RID Cycling (RestrictAnonymous = 1)
To obtain the usernames corresponding to a default range of RIDs (500-550,1000-1050) use the -r option:
$ enum4linux.pl -r 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:27:21 2008

----- Target information -----
Target ........... 192.168.2.55
RID Range ........ 500-550,1000-1050
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

----- Users on 192.168.2.55 via RID cycling (RIDS: 500-550,1000-1050) -----
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1001 W2KSQL\IUSR_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1002 W2KSQL\IWAM_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\mark (Local User)
S-1-5-21-1801674531-1482476501-725345543-1005 W2KSQL\blah (Local User)
S-1-5-21-1801674531-1482476501-725345543-1006 W2KSQL\basic (Local User)
You can specify a custom range of RIDs using the -R option. This implies -r, so you don’t have to specify the -r option:
$ enum4linux.pl -R 500-520 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:27:53 2008

----- Target information -----
Target ........... 192.168.2.55
RID Range ........ 500-520
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

----- Users on 192.168.2.55 via RID cycling (RIDS: 500-520) -----
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
Before RID cycling can start, enum4linux needs to get the SID from the remote host. It does this by requesting the SID of a known username / group (pretty much the same thing every other RID-cycling tool does). You can see in the above output a list of known usernames. These are tried in turn, until enum4linux finds the SID of the remote host.
If you’re very unlucky, this list won’t be good enough and you won’t be able to get the SID. In this case, use the -k option to specify a different known username:
$ enum4linux.pl -k anotheruser -R 500-520 192.168.2.55
You can specify a list using commas:
$ enum4linux.pl -k user1,user2,user3 -R 500-520 192.168.2.55

Group membership
If the remote host allows it, you can get a list of groups and their members using the -G option (like in enum.exe):
$ enum4linux.pl -G 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 13:54:48 2008

----- Groups on 192.168.2.55 -----
[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has members:
W2KSQL\Guest
W2KSQL\TsInternetUser
W2KSQL\IUSR_PORTCULLIS
W2KSQL\IWAM_PORTCULLIS
Group 'Users' (RID: 545) has members:
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
W2KSQL\mark
W2KSQL\blah
W2KSQL\basic
Group 'Replicator' (RID: 552) has members:
Group 'Power Users' (RID: 547) has members:
Group 'Administrators' (RID: 544) has members:
W2KSQL\Administrator
W2KSQL\mark
W2KSQL\blah
Group 'Backup Operators' (RID: 551) has members:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[None] rid:[0x201]

[+] Getting domain group memberships:
Group 'None' (RID: 513) has members:
W2KSQL\Administrator
W2KSQL\Guest
W2KSQL\TsInternetUser
W2KSQL\IUSR_PORTCULLIS
W2KSQL\IWAM_PORTCULLIS
W2KSQL\mark
W2KSQL\blah
W2KSQL\basic
As with the -U option for user enumeration, you can also specify -u user -p pass to provide login credentials if required. Any user account will do; you don’t have to be an admin.

Check if host is part of a domain or workgroup
Enum4linux uses rpcclient’s lsaquery command to ask for a host’s Domain SID. If we get a proper SID we can infer that it is part of a domain. If we get the answer S-0-0 we can infer the host is part of a workgroup. This is done by default, so no command line options are required:
$ enum4linux.pl 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 27 16:02:50 2008

----- Getting domain SID for 192.168.2.55 -----
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)

Getting nbtstat Information
The -n option causes enum4linux to run nmblookup and do some extra parsing on its output to provide human-readable information about the remote host.
$ enum4linux.pl -n 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:21:13 2008

----- Nbtstat Information for 192.168.2.55 -----
Looking up status of 192.168.2.55
W2KSQL <00> - B Workstation Service
W2KSQL <20> - B File Server Service
WORKGROUP <00> - B Domain/Workgroup Name
INet~Services <1c> - B IIS
WORKGROUP <1e> - B Browser Service Elections
W2KSQL <03> - B Messenger Service
IS~W2KSQL <00> - B IIS
ADMINISTRATOR <03> - B Messenger Service

MAC Address = 00-0C-29-A4-12-6C

Listing Windows shares
If the server allows it, you can obtain a complete list of shares with the -S option. This uses smbclient under the bonnet which also seems to grab the browse list.
Enum4linux will also attempt to connect to each share with the supplied credentials (null session usually, but you could use -u user -p pass to use something else). It will report whether it could connect to the share and whether it was possible to get a directory listing.
$ enum4linux.pl -S 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:28:28 2008

----- Enumerating Workgroup/Domain on 192.168.2.55 ------
[+] Got domain/workgroup name: WORKGROUP

----- Share Enumeration on 192.168.2.55 -----
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
ADMIN$ Disk Remote Admin
C$ Disk Default share
session request to 192.168.2.55 failed (Called name not present)
session request to 192 failed (Called name not present)

Server Comment
--------- -------
W2KSQL
WEBVULNB
WINORACLE

Workgroup Master
--------- -------
PTT SBS
WORKGROUP WEBVULNB

----- Attempting to map to shares on 192.168.2.55 -----
//192.168.2.55/IPC$ Mapping: OK Listing: DENIED
//192.168.2.55/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.2.55/C$ Mapping: DENIED, Listing: N/A
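As an added example (not enum4linux’s own code), the following Python parses the kinds of output shown in the sections above (the session check, the domain SID, the user list, the RID-cycling lines and the share-mapping lines) into a structured summary, so a defender can measure what a host exposes to anonymous SMB clients and track it between audits. The sample text is constructed from the fragments on this page; the function names and the wording of the findings are this example’s own.

```python
"""Parse enum4linux output into a structured exposure summary.

Added example, not part of enum4linux. SAMPLE is constructed from the
output fragments shown on this page.
"""
import re

SAMPLE = """\
----- Getting domain SID for 192.168.2.55 -----
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)

----- Session Check on 192.168.2.55 -----
[+] Server 192.168.2.55 allows sessions using username '', password ''

----- Users on 192.168.2.55 -----
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[mark] rid:[0x3ec]

----- Users on 192.168.2.55 via RID cycling (RIDS: 500-520) -----
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\\None (Domain Group)

----- Attempting to map to shares on 192.168.2.55 -----
//192.168.2.55/IPC$ Mapping: OK Listing: DENIED
//192.168.2.55/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.2.55/C$ Mapping: DENIED, Listing: N/A
"""

# Line shapes taken from the enum4linux output on this page.
DOMSID_RE = re.compile(r"^Domain Sid: (\S+)")
SESSION_RE = re.compile(r"allows sessions using username '(.*?)', password '(.*?)'")
USER_RE = re.compile(r"^user:\[(.+?)\] rid:\[0x([0-9a-fA-F]+)\]")
# A resolved SID is the machine/domain SID followed by the RID; the
# greedy group backtracks so the last component is captured as the RID.
SID_RE = re.compile(r"^(S-1-5-\d+(?:-\d+)+)-(\d+)\s+([^\\]+)\\(.+?) \((.+)\)$")
SHARE_RE = re.compile(r"^//[^/]+/(\S+) Mapping: (\w+),? Listing: (\S+)")


def parse_enum4linux(text):
    """Return a dict describing what the scanned host disclosed."""
    summary = {"domain_sid": None, "domain_joined": None, "null_session": False,
               "users": {}, "rid_cycled": {}, "shares": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = DOMSID_RE.match(line)
        if m:
            summary["domain_sid"] = m.group(1)
            summary["domain_joined"] = m.group(1) != "S-0-0"  # S-0-0 means workgroup
            continue
        m = SESSION_RE.search(line)
        if m:
            summary["null_session"] = (m.group(1), m.group(2)) == ("", "")
            continue
        m = USER_RE.match(line)
        if m:
            summary["users"][m.group(1)] = int(m.group(2), 16)  # RID shown in hex
            continue
        m = SID_RE.match(line)
        if m:
            sid_base, rid, domain, name, kind = m.groups()
            summary["rid_cycled"][name] = {"rid": int(rid), "domain": domain,
                                           "type": kind, "sid_base": sid_base}
            continue
        m = SHARE_RE.match(line)
        if m:
            summary["shares"][m.group(1)] = {"mapping": m.group(2), "listing": m.group(3)}
    return summary


def exposure_findings(summary):
    """Turn the summary into a short list of review findings (wording is this example's)."""
    findings = []
    if summary["null_session"]:
        findings.append("anonymous (null) IPC$ session accepted")
    if summary["users"]:
        findings.append(f"{len(summary['users'])} accounts listed by enumdomusers")
    if summary["rid_cycled"]:
        findings.append(f"{len(summary['rid_cycled'])} SIDs resolved by RID cycling")
    mapped = [s for s, v in summary["shares"].items() if v["mapping"] == "OK"]
    if mapped:
        findings.append("shares mappable with the supplied credentials: " + ", ".join(mapped))
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(parse_enum4linux(SAMPLE)):
        print("[!]", finding)
```

Feeding the real output of `enum4linux.pl -a host` into `parse_enum4linux` and diffing the result against a baseline is a simple way to notice when a host starts accepting null sessions or exposing accounts that it did not before.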
Some hosts don’t let you retrieve a share list. In these situations, it is still possible to perform a dictionary attack to guess share names. First we demonstrate the -S option failing:
$ enum4linux.pl -S 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:54:02 2008

----- Share Enumeration on 192.168.2.76 -----
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

----- Attempting to map to shares on 192.168.2.76 -----
The output below shows the use of the -s option with a dictionary file to guess the names of some shares:
$ enum4linux.pl -s share-list.txt 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:54:20 2008

----- Session Check on 192.168.2.76 -----
[+] Server 192.168.2.76 allows sessions using username '', password ''

----- Brute Force Share Enumeration on 192.168.2.76 -----
c$ EXISTS
e$ EXISTS
admin$ EXISTS
ipc$ EXISTS, Allows access using username: '', password: ''

Getting OS information
The -o option gets OS information using smbclient. Certain versions of Windows (e.g. 2003) even return service pack information.
$ enum4linux.pl -o 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:55:11 2008

----- OS information on 192.168.2.76 -----
[+] Got OS info for 192.168.2.76 from smbclient: Domain=[PTT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

Printer information
You can get some information about printers known to the remote device with the -i option. I don’t know why you’d want to do this. I only implemented it because I could.

$ enum4linux.pl -i 192.168.2.69
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:55:32 2008

----- Getting printer info for 192.168.2.69 -----
flags:[0x800000]
name:[\\192.168.2.69\SharedFax]
description:[\\192.168.2.69\SharedFax,Microsoft Shared Fax Driver,]
comment:[]


enum4linux - Tool for Enumerating Information from Windows and Samba Systems


Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of its output, both on the first scan and on repeated scans.
On repeated scan delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.
Seccubus 2.x is the only actively developed and maintained branch and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:
  • Nessus
  • OpenVAS
  • Skipfish
  • Medusa (local and remote)
  • Nikto (local and remote)
  • NMap (local and remote)
  • OWASP-ZAP (local and remote)
  • SSLyze
  • Medusa
  • Qualys SSL labs
  • testssl.sh (local and remote)
For more information visit [www.seccubus.com]

Seccubus Docker container

Usage

Running a full stack (db/app/frontend) in a single container and getting an interactive shell:
docker run -it seccubus/seccubus /bin/bash
By default the container holds a mysql server that runs and stores data locally. If you want data persistence there are two options:
Connect the container to a remote mysql/MariaDB database with environment variables (docker run options must come before the image name):
docker run -ti -e DBHOST=dns.name.of.db.host \
-e DBPORT=3306 \
-e DBNAME=name.of.database \
-e DBUSER=db.username \
-e DBPASS=password \
seccubus/seccubus /bin/bash
Or, mount a data volume with a db directory on it
mkdir data
mkdir data/db
docker run -it -v $(pwd)/data:/opt/seccubus/data seccubus/seccubus /bin/bash
Please be aware that you can only run one container at a time if you mount a local directory on /var/lib/mysql.

Running a scan
Run the following command to start the scan 'ssllabs' in workspace 'Example' (this workspace is created by default if you use the local mysql database)
docker run -ti seccubus/seccubus scan Example ssllabs
Please be aware that you need some data persistence here or the data will be stored in a local database that will be deleted when the container terminates.

Running a scheduler
You can run a docker container as a scheduler. This will make it run cron and allow your crontab to execute scans. You can populate the crontab either by placing a file called crontab in the /opt/seccubus/data volume or by putting the lines of your crontab in environment variables starting with CRON_
docker run -e "STACK=cron" -e "CRON_1=0 0 * * * bin/do-scan -w Example -s ssllabs" -ti seccubus/seccubus
This will spin up a container that executes scan ssllabs from workspace Example at midnight every night.
You can set the TZ variable to control the timezone.

Controlling TLS certificates
The Seccubus container is TLS enabled by default. The environment variable TLS controls this behaviour. If it is set to anything other than yes, TLS is turned off.
There are three ways to control the certificate:
  • Do nothing : Self signed certificates will be generated for you
  • Populate the variables TLSCERT and TLSKEY : The contents will be placed in /opt/seccubus/data/seccubus.pem and /opt/seccubus/data/seccubus.key and used
  • Put the certificates in the files seccubus.pem and seccubus.key on a data volume and mount it on /opt/seccubus/data

Show this help message
docker run -ti seccubus/seccubus help

Default command
If you don't specify a command to docker run
docker run seccubus/seccubus
The web server access log and error log will be tailed to the screen.

Other options
You can set the following environment variables:
  • STACK - Determines which part of the stack is run
    • full - Run everything
    • front - Start apache to serve the html/javascript frontend (this requires that the APIURL variable is set too)
    • api - Start apache to serve the json api at / (starts MariaDB too if required)
    • web - Start apache to serve both the html/javascript frontend and the json
    • perl - Do not start apache, just use this container as a perl backend
  • DBHOST, DBPORT, DBNAME, DBUSER, DBPASS - Database connection parameters
    • If DBHOST/DBPORT are set to 127.0.0.1/3306 the local MariaDB instance is started
  • APIURL - Path to the API url
    • Set this if you set STACK to front to redirect the API calls to an alternative relative or absolute URL.
  • BASEURI - Base URI for seccubus
    • Serve the application at the value provided
  • SMTPSERVER - IP address or host name of an SMTP server to be used for notifications
  • SMTPFROM - From address used in notifications
  • TICKETURL_HEAD/TICKETURL_TAIL - If these are set, ticket numbers will be linked to this URL
  • SSHKEY1, SSHKEY2, SSHKEY3 .. SSHKEY9
    • The content of this environment variable will be stored in the file /opt/seccubus/.ssh/SSHKEY1 etc.
    • You can use this mechanism to provide ssh keys that are used to start remote scans
  • HTTP_AUTH_HEADER - Set the http authentication header
    • If you are using something like OpenAM to authenticate your users, this allows you to set which http request header contains the user that OpenAM detected
  • TZ - Set the timezone of the container
  • TLS - Controls TLS behaviour yes means TLS is on, otherwise TLS is off. TLS is on by default.
  • JIT_GROUP - Controls JIT provisioning of users
  • CRON_MAIL_TO - Mail cron messages to this address
  • CRON_* - Add these lines to crontab in alphabetical order

Seccubus - Easy Automated Vulnerability Scanning, Reporting And Analysis

The Port Scan Attack Detector psad is a lightweight system daemon written in Perl that is designed to work with Linux iptables/ip6tables/firewalld firewalling code to detect suspicious traffic such as port scans and sweeps, backdoors, botnet command and control communications, and more. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, reverse DNS info, email and syslog alerting, automatic blocking of offending IP addresses via dynamic configuration of iptables rulesets, passive operating system fingerprinting, and DShield reporting. In addition, psad incorporates many of the TCP, UDP, and ICMP signatures included in the Snort intrusion detection system to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (Mstream, Shaft), and advanced port scans (SYN, FIN, XMAS) which are easily leveraged against a machine via nmap. psad can also alert on Snort signatures that are logged via fwsnort, which makes use of the iptables string match extension to detect traffic that matches application layer signatures. As of the 2.4.4 release, psad can also detect the IoT default credentials scanning phase of the Mirai botnet.
The complete feature list is below.

Features
  • Detection for TCP SYN, FIN, NULL, and XMAS scans as well as UDP scans.
  • Support for both IPv4 and IPv6 logs generated by iptables and ip6tables respectively.
  • Detection of many signature rules from the Snort intrusion detection system.
  • Forensics mode iptables/ip6tables logfile analysis (useful as a forensics tool for extracting scan information from old iptables/ip6tables logfiles).
  • Passive operating system fingerprinting via TCP syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables/ip6tables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
  • Email alerts that contain TCP/UDP/ICMP scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
  • When combined with fwsnort and the iptables string match extension, psad can generate alerts for application layer buffer overflow attacks, suspicious application commands, and other suspect layer 7 traffic.
  • Icmp type and code header field validation.
  • Configurable scan thresholds and danger level assignments.
  • Iptables ruleset parsing to verify "default drop" policy stance.
  • IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
  • DShield alerts.
  • Auto-blocking of scanning IP addresses via iptables/ip6tables and/or tcpwrappers based on scan danger level. (This feature is NOT enabled by default.)
  • Parsing of iptables/ip6tables log messages and generation of CSV output that can be used as input to AfterGlow. This allows iptables/ip6tables logs to be visualized. Gnuplot is also supported.
  • Status mode that displays a summary of current scan information with associated packet counts, iptables/ip6tables chains, and danger levels.

Visualizing Malicious Traffic
psad offers integration with gnuplot and afterglow to produce graphs of malicious traffic. The following two graphs are of the Nachi worm from the Honeynet Scan30 challenge. First, a link graph produced by afterglow after analysis of the iptables log data by psad:
"Nachi Worm Link Graph"

The second shows Nachi worm traffic on an hourly basis from the Scan30 iptables data:
"Nachi Worm Hourly Graph"

Configuration Information
Information on config keywords referenced by psad may be found both in the psad(8) man page, and also here:
http://www.cipherdyne.org/psad/docs/config.html

Methodology
All information psad analyzes is gathered from iptables log messages. psad by default reads the /var/log/messages file for new iptables messages and optionally writes them out to a dedicated file (/var/log/psad/fwdata). psad is then responsible for applying the danger threshold and signature logic in order to determine whether or not a port scan has taken place, send appropriate alert emails, and (optionally) block offending ip addresses. psad includes a signal handler such that if a USR1 signal is received, psad will dump the contents of the current scan hash data structure to /var/log/psad/scan_hash.$$ where "$$" represents the pid of the running psad daemon.
NOTE: Since psad relies on iptables to generate appropriate log messages for unauthorized packets, psad is only as good as the logging rules included in the iptables ruleset. Hence if your firewall is not configured to log packets, then psad will NOT detect port scans or anything else. Usually the best way to set up the firewall is with default "drop and log" rules at the end of the ruleset, and include rules above this last rule that only allow traffic that should be allowed through. Upon execution, the psad daemon will attempt to ascertain whether or not such a default deny rule exists, and will warn the user if not. See the FW_EXAMPLE_RULES file for example firewall rulesets that are compatible with psad.
Additionally, extensive coverage of psad is included in the book "Linux Firewalls: Attack Detection and Response" published by No Starch Press, and a supporting script in this book is compatible with psad. This script can be found here:
http://www.cipherdyne.org/LinuxFirewalls/ch01/

Installation
Depending on the Linux distribution, psad may already be available in the default package repository. For example, on Debian or Ubuntu systems, installation is done with a simple:
apt-get install psad
If psad is not available in the package repository, it can be installed with the install.pl script bundled in the psad sources. The install.pl script also handles upgrades if psad is already installed. psad requires several perl modules that may or may not already be installed on your Linux system. These modules are included in the deps/ directory in the psad sources, and are automatically installed by the install.pl script. The list of modules is:
  • Bit::Vector
  • Date::Calc
  • IPTables::ChainMgr
  • IPTables::Parse
  • NetAddr::IP
  • Storable
  • Unix::Syslog
psad also includes a whois client written by Marco d'Itri (see the deps/whois directory). This client does better than others at collecting the correct whois information for a given IP address.

Firewall Setup
The main requirement for an iptables configuration to be compatible with psad is simply that iptables logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
The rules above should be added at the end of the INPUT and FORWARD chains after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy. Note that iptables policies can be quite complex with protocol, network, port, and interface restrictions, user defined chains, connection tracking rules, and much more. There are many pieces of software such as Shorewall and Firewall Builder, that build iptables policies and take advantage of the advanced filtering and logging capabilities offered by iptables. Generally the policies built by such pieces of software are compatible with psad since they specifically add rules that instruct iptables to log packets that are not part of legitimate traffic. Psad can be configured to only analyze those iptables messages that contain specific log prefixes (which are added via the --log-prefix option), but the default is for psad to analyze all iptables log messages for evidence of port scans, probes for backdoor programs, and other suspect traffic.
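As an added example (not psad’s own code), here is a small Python re-implementation of the idea described in the Methodology and Firewall Setup sections: parse iptables LOG lines of the form the kernel writes, honour an optional --log-prefix filter, classify TCP flag combinations into the SYN, FIN, NULL and XMAS scan types psad recognises, and assign a per-source danger level from packet counts. The log lines are constructed samples built by `sample_line`, and the THRESHOLDS values are this example’s own assumption, not psad’s psad.conf defaults.

```python
"""Toy port-scan detector over iptables LOG lines (added example, not psad).

The log lines are constructed by sample_line() and do not come from real
traffic; THRESHOLDS is an illustrative assumption, not psad's configuration.
"""
from collections import defaultdict

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Packets from one source needed to reach danger level 1..5 (assumed values).
THRESHOLDS = [5, 15, 150, 1500, 10000]


def sample_line(src, dpt, flags="SYN", proto="TCP", prefix="DROP "):
    """Build one constructed iptables LOG line in the kernel's field=value format."""
    l4 = f"WINDOW=1024 RES=0x00 {flags} URGP=0" if proto == "TCP" else "LEN=20"
    return (f"Mar 28 11:18:51 fw kernel: {prefix}IN=eth0 OUT= "
            f"MAC=00:0c:29:a4:12:6c:00:50:56:c0:00:08:08:00 SRC={src} DST=192.168.2.55 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO={proto} SPT=40000 DPT={dpt} {l4}")


# Constructed sample: a SYN sweep of six ports, one host trying FIN/NULL/XMAS
# probes plus a UDP packet, and one line logged with a different prefix.
SAMPLE_LOG = "\n".join(
    [sample_line("192.168.2.76", p) for p in (22, 23, 25, 80, 443, 445)]
    + [sample_line("10.0.0.9", 21, "URG PSH FIN"),
       sample_line("10.0.0.9", 21, ""),
       sample_line("10.0.0.9", 21, "FIN"),
       sample_line("10.0.0.9", 161, proto="UDP")]
    + [sample_line("172.16.0.3", 80, prefix="ACCEPT ")]
)


def parse_iptables_log(line, prefix=None):
    """Return the fields of one iptables LOG line, or None if the line is not one.

    If prefix is given, only lines whose --log-prefix matches are kept, which is
    how a "drop and log" rule can be told apart from other logging rules.
    """
    _, sep, rest = line.partition("kernel: ")
    if not sep or "PROTO=" not in rest:
        return None
    if prefix is not None and not rest.startswith(prefix):
        return None
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:          # bare tokens such as SYN, ACK, FIN
            flags.add(tok)
    fields["flags"] = flags
    return fields


def classify_tcp(flags):
    """Map a TCP flag set to the scan types psad's feature list names."""
    if not flags:
        return "NULL"
    if {"FIN", "PSH", "URG"} <= flags:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"FIN"}:
        return "FIN"
    return "OTHER"


def danger_level(packets):
    """Number of thresholds the packet count has crossed (0 = below level 1)."""
    return sum(1 for t in THRESHOLDS if packets >= t)


def analyze(log_text, prefix=None):
    """Aggregate logged packets per source address and rate each source."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "scan_types": set()})
    for line in log_text.splitlines():
        f = parse_iptables_log(line, prefix)
        if f is None:
            continue
        entry = per_src[f["SRC"]]
        entry["packets"] += 1
        entry["ports"].add((f["PROTO"], int(f["DPT"])))
        if f["PROTO"] == "TCP":
            entry["scan_types"].add(classify_tcp(f["flags"]))
        elif f["PROTO"] == "UDP":
            entry["scan_types"].add("UDP")
    return {src: {"packets": e["packets"], "ports": sorted(e["ports"]),
                  "scan_types": sorted(e["scan_types"]),
                  "danger_level": danger_level(e["packets"])}
            for src, e in per_src.items()}


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG, prefix="DROP ").items():
        print(src, info["danger_level"], info["scan_types"], len(info["ports"]))
```

The prefix filter is the important knob: with `prefix="DROP "` only packets that hit the final drop-and-log rule are counted, so legitimate accepted traffic that happens to be logged elsewhere does not inflate a source’s danger level.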

Platforms
psad generally runs on Linux systems, and is available in the package repositories of many major Linux distributions. If there are any operational issues with psad, please open an issue on psad

psad - Intrusion Detection and Log Analysis with iptables

Hello, good evening. This time I want to share again how a socket server works.
Still remember how Meme Comic Indonesia (MCI) got defaced on PORT 1337 the other day?
Yep, I used this method.



OK, let’s get straight to it.
First, to set up a socket server, you must already have access to your target server through the backdoor you planted on one of its websites.


Here I use a Perl script that I found via a Google search and modified slightly so that the connection always stays open.

Script: https://pastebin.com/zk8v8jp6

Upload the Perl socket script above to your backdoor.
After uploading it, run the following command to execute the Perl file.
$ perl perlcgi.pl
 [perlcgi.pl] is the name of your file.

This method opens a connection on the port that has been specified.
 After that, run the following command to confirm.
$ ps aux | grep 'perl'

I named the Perl file 'perlcgi.pl', so it will produce output like in the picture (perl [filename].pl)

After that, let’s open [IP:PORT] in our browser to confirm again. Did the connection succeed?

The PORT I opened is port 1337.



Yep, it worked!!!

Now, let’s reverse-lookup that IP and see how many domains sit on the same IP.

Here I use
www.yougetsignal.com/tools/web-sites-on-web-server/


Try one of the websites that shows up there and add port 1337, since I set port 1337 in the script.


And the others are the same.
---------------------------------------------------
--------------------------------------------------------


OK, that’s all for now ~

Tutorial Socket Server with Perl