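/// <summary>
/// Requests a Squid proxy's cache manager menu and summarises what the reply reveals:
/// the version from the "Server:" header and whether the manager interface is password protected.
/// </summary>
/// <param name="ip">Host to connect to; also used as the host part of the cache_object URL.</param>
/// <param name="port">TCP port the proxy listens on.</param>
/// <returns>Newline-separated "- ..." lines; leading/trailing newlines are trimmed.</returns>
/// <remarks>
/// Everything parsed here comes from the remote service and is treated as untrusted: no slice
/// indexes past the end of the banner, so a truncated or malformed reply produces the
/// "Unknown"/"Malformed" lines instead of an ArgumentOutOfRangeException.
/// The version text is copied into the output unchanged.
/// </remarks>
public static string GetInfo(string ip, int port)
{
    string returnInfo = "";
    string bannerResult = General.BannerGrab(ip, port, "GET cache_object://" + ip + "/menu HTTP/1.0\r\n\r\n") ?? "";

    // Version - read from the "Server: squid..." header line when the banner has one.
    if (bannerResult.Contains("Server: squid"))
    {
        string versionInfo = bannerResult.Substring(bannerResult.IndexOf("Server: ", StringComparison.Ordinal));
        // Some use \r\n, some just use \n, and a banner cut off mid-line has no terminator at all.
        int lineEnd = versionInfo.IndexOf('\n');
        if (lineEnd >= 0)
        {
            versionInfo = versionInfo.Substring(0, lineEnd);
        }
        versionInfo = versionInfo.Replace("\r", "").Remove(0, "Server: ".Length);
        returnInfo += "- Version: " + versionInfo + Environment.NewLine;
    }
    else
    {
        // Each item gets its own line; the original omitted the newline here, which
        // glued the next item straight onto "- Version: Unknown".
        returnInfo += "- Version: Unknown" + Environment.NewLine;
    }

    // Access state of the cache manager - all markers are plain substring matches on remote data.
    if (bannerResult.Contains("HTTP/1.1 401 Unauthorized") && bannerResult.Contains("ERR_CACHE_MGR_ACCESS_DENIED"))
    {
        returnInfo += "- Password authentication is enabled and a password is required";
    }
    else if (bannerResult.Contains("Cache Manager Interface"))
    {
        returnInfo += "- Unauthorized Cache Mananger Menu Access! Bug Reelix to update this!";
    }
    else
    {
        returnInfo += "- Malformed return info - Bug Reelix to update this";
    }
    return returnInfo.Trim(Environment.NewLine.ToCharArray());
}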
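/// <summary>
/// Reads the IMAP greeting line and splits it into the server's self-description and,
/// when advertised inline, its CAPABILITY list.
/// </summary>
/// <param name="ip">Host to connect to.</param>
/// <param name="port">TCP port of the IMAP service.</param>
/// <returns>Newline-separated "- ..." lines describing the greeting.</returns>
/// <remarks>
/// The greeting is remote-controlled data. The original sliced a fixed 12 characters out of it,
/// which threw on any greeting shorter than "* OK [CAPABILITY "; every slice is now bounded and a
/// greeting without a closing "] " is reported as a plain version string instead of crashing.
/// </remarks>
public static string GetInfo(string ip, int port)
{
    string returnInfo;
    string bannerInfo = General.BannerGrab(ip, port) ?? "";
    // * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
    // * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.
    // Rare: * OK NS572126 EmailArchitect IMAP4 Service, Version: 2019.11.0.2.1 ready at Wed, 15 Jul 2020 00:49:19 -0700
    if (bannerInfo.StartsWith("* OK ", StringComparison.Ordinal))
    {
        bannerInfo = bannerInfo.Remove(0, 5);
        const string capabilityPrefix = "[CAPABILITY ";
        int capabilityEnd = bannerInfo.IndexOf("] ", StringComparison.Ordinal);
        if (bannerInfo.StartsWith(capabilityPrefix, StringComparison.Ordinal) && capabilityEnd >= 0)
        {
            // It has capabilities! They sit between "[CAPABILITY " and the first "] ".
            string capabilities = bannerInfo.Substring(capabilityPrefix.Length, capabilityEnd - capabilityPrefix.Length);
            bannerInfo = bannerInfo.Remove(0, capabilityEnd + 2);
            returnInfo = "- Version: " + bannerInfo + Environment.NewLine;
            returnInfo += "- Capabilities: " + capabilities;
        }
        else
        {
            returnInfo = "- Version: " + bannerInfo;
        }
        returnInfo += Environment.NewLine + "- Maybe you can use this to log into a relevant email account?";
    }
    else
    {
        returnInfo = "- Non-IMAP Banner Detected: " + bannerInfo;
    }
    return returnInfo;
}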
/// <summary>
/// Sends two unauthenticated path-traversal requests (/etc/passwd, then /windows/win.ini) and
/// reports the first one whose response contains the expected file marker.
/// </summary>
/// <param name="ip">Host to probe; also sent as the HTTP Host header.</param>
/// <param name="port">TCP port of the web server.</param>
/// <returns>A "- ... File Found ..." line followed by the raw response, or "" when neither probe matched.</returns>
/// <remarks>
/// Detection is a plain substring match on a remote-controlled body, so an error page that merely
/// contains the marker word produces a false positive. Request lines are terminated with
/// Environment.NewLine, as in the original, so they are not CRLF on non-Windows hosts.
/// </remarks>
public static string TestBaseLFI(string ip, int port)
{
    string requestTail = " HTTP/1.1" + Environment.NewLine + "Host: " + ip + Environment.NewLine + Environment.NewLine;

    // Linux first: a readable /etc/passwd always lists the root account.
    string passwdPath = "/../../../../../../etc/passwd";
    string passwdResponse = General.BannerGrab(ip, port, "GET " + passwdPath + requestTail, 2500);
    if (passwdResponse.Contains("root"))
    {
        // Need to format this better...
        return "- /etc/passwd File Found VIA Base LFI! --> GET " + passwdPath + Environment.NewLine + passwdResponse;
    }

    // Windows next: win.ini carries the "for 16-bit app support" comment.
    string winIniPath = "/../../../../../../windows/win.ini";
    string winIniResponse = General.BannerGrab(ip, port, "GET " + winIniPath + requestTail, 2500);
    if (winIniResponse.Contains("for 16-bit app support"))
    {
        return "- /windows/win.ini File Found VIA Base LFI! --> GET " + winIniPath + Environment.NewLine + winIniResponse;
    }

    return "";
}
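/// <summary>
/// Attempts an FTP login (anonymous by default) against <paramref name="target"/> and summarises
/// what the server disclosed: banner/version, welcome message, any headers and whether the login worked.
/// </summary>
/// <param name="target">Host name or IP; "ftp://" is prefixed when missing.</param>
/// <param name="username">Account to log in as; empty or "anonymous" is reported as anonymous access.</param>
/// <param name="password">Password for <paramref name="username"/>; may be empty.</param>
/// <returns>Newline-prefixed "- ..." lines; connection and protocol failures are reported, not thrown.</returns>
/// <remarks>
/// FTP sends the credentials in clear text. Everything quoted back (banner, welcome message, status
/// text) is remote-controlled and is passed through unchanged.
/// Fixes over the original: the successful <see cref="FtpWebResponse"/> and the one attached to a
/// <see cref="WebException"/> are disposed so the control connection is closed on every path; a null
/// banner or welcome message no longer throws; connect failures are recognised via
/// <see cref="WebException.Status"/> as well as by the English message text.
/// </remarks>
public static string FtpLogin(string target, string username = "", string password = "")
{
    string ftpLoginResult = "";
    string ftpServer = target;
    if (!ftpServer.StartsWith("ftp://", StringComparison.Ordinal))
    {
        ftpServer = "ftp://" + ftpServer;
    }

    FtpWebRequest request = (FtpWebRequest)WebRequest.Create(ftpServer);
    request.Timeout = 5000;
    request.UseBinary = true;   // Better for downloading files if we ever need
    request.UsePassive = true;  // A better way to receive file listing
    request.KeepAlive = false;  // Closes FTP after we're done
    request.Method = WebRequestMethods.Ftp.PrintWorkingDirectory;
    request.Credentials = new NetworkCredential(username, password);

    try
    {
        // Disposing the response closes the control connection on every exit path.
        using (FtpWebResponse response = (FtpWebResponse)request.GetResponse())
        {
            // If it gets here - It's connected!
            string bannerMessage = (response.BannerMessage ?? "").Trim();
            if (bannerMessage.StartsWith("220 ", StringComparison.Ordinal))
            {
                bannerMessage = bannerMessage.Remove(0, 4);
                // Strip one surrounding pair of parentheses from the banner text.
                if (bannerMessage.StartsWith("(", StringComparison.Ordinal) && bannerMessage.EndsWith(")", StringComparison.Ordinal))
                {
                    bannerMessage = bannerMessage.Substring(1, bannerMessage.Length - 2);
                }
            }
            if (!string.IsNullOrEmpty(bannerMessage))
            {
                ftpLoginResult += Environment.NewLine + "- Version: " + bannerMessage;
            }

            string welcomeMessage = (response.WelcomeMessage ?? "").Trim();
            if (welcomeMessage != "230 Login successful.")
            {
                ftpLoginResult += Environment.NewLine + "- Welcome Message: " + welcomeMessage;
            }

            if (response.SupportsHeaders)
            {
                WebHeaderCollection headers = response.Headers;
                if (headers != null && headers.Count != 0)
                {
                    ftpLoginResult += Environment.NewLine + "- Headers (Contact Reelix): " + string.Join(",", headers.AllKeys);
                }
            }

            if (string.IsNullOrEmpty(username) || username == "anonymous")
            {
                ftpLoginResult += Environment.NewLine + "- " + "Anonymous login allowed (Username: anonymous Password: *Leave Blank*)".Pastel(Color.Orange);
            }
            else
            {
                // Placeholder kept from the original: an authenticated login succeeded but nothing is reported for it yet.
                Console.WriteLine("Woof!");
            }
            return ftpLoginResult;
        }
    }
    catch (WebException ex)
    {
        // Check Status first; the message text is localisable and was the only signal before.
        if (ex.Status == WebExceptionStatus.ConnectFailure || ex.Message == "Unable to connect to the remote server")
        {
            return Environment.NewLine + "- Unable to connect :<";
        }

        FtpWebResponse response = ex.Response as FtpWebResponse;
        if (response == null)
        {
            ftpLoginResult += "- Unable to get any any response: " + ex.Message;
            return ftpLoginResult;
        }

        using (response)
        {
            if (response.BannerMessage != null && response.StatusDescription != null)
            {
                // The server answered but rejected the login (or the PWD) - report what it said.
                ftpLoginResult += Environment.NewLine + "- Banner: " + response.BannerMessage.Trim();
                ftpLoginResult += Environment.NewLine + "- Status: " + response.StatusDescription.Trim();
            }
            else
            {
                // No usable FTP-level detail; fall back to a raw banner grab on port 21 (best effort).
                ftpLoginResult += "- Unable to get any FTP response: " + ex.Message + Environment.NewLine;
                try
                {
                    ftpLoginResult += "- Banner: " + General.BannerGrab(target, 21);
                }
                catch (Exception iex)
                {
                    ftpLoginResult += "- Unable to get any banner response: " + iex.Message;
                }
            }
        }
        return ftpLoginResult;
    }
}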
// For the "Some things you probably want to do" list
/// <summary>
/// Builds the "things you probably want to do next" text for one open port.
/// </summary>
/// <param name="target">Host name or IP the port was found on; interpolated verbatim into the suggested command lines.</param>
/// <param name="port">The open TCP port.</param>
/// <returns>Zero or more "- ..." lines, each terminated by Environment.NewLine (the 5269 line is the exception).</returns>
/// <remarks>
/// Not every branch is passive: 88 calls LDAP.GetDefaultNamingContext against the target, and 5672 / 9100
/// send probe payloads via General.BannerGrab and then write their findings straight to the console rather
/// than into the returned string. Anything quoted back from the target (naming context, banners, directory
/// listings) is untrusted and is echoed / embedded in command lines without any sanitising.
/// </remarks>
public static string GetAdditionalPortInfo(string target, int port)
{
    string postScanActions = "";
    // Additional port info
    if (port == 23)
    {
        postScanActions += "- Telnet: Just telnet in - Bug Reelix to update this though..." + Environment.NewLine;
    }
    else if (port == 53)
    {
        // TODO: https://svn.nmap.org/nmap/scripts/dns-nsid.nse
        postScanActions += $"- Try a reverse lookup (Linux): dig @{target} -x {target}" + Environment.NewLine;
        postScanActions += $"- Try a zone transfer (Linux): dig axfr domain.com @{target}" + Environment.NewLine;
    }
    else if (port == 80)
    {
        postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-http-medium.txt -x.php,.txt" + Environment.NewLine;
        postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-http-common.txt -x.php,.txt" + Environment.NewLine;
    }
    else if (port == 88)
    {
        // Post Scan
        // NOTE(review): the naming context comes from the remote LDAP service and is dereferenced without a
        // null check, then spliced into the command lines below - treat it as untrusted input.
        string defaultNamingContext = LDAP.GetDefaultNamingContext(target, true);
        defaultNamingContext = defaultNamingContext.Replace("DC=", "").Replace(",", ".");
        // Username enum
        postScanActions += $"- Kerberos Username Enum: kerbrute userenum --dc {defaultNamingContext}/ -d {target} users.txt" + Environment.NewLine;
        // Requests TGT (Ticket Granting Tickets) for users
        postScanActions += $"- Kerberos TGT Request: sudo GetNPUsers.py {defaultNamingContext}/ -dc-ip {target} -request" + Environment.NewLine;
        // Test for users with 'Do not require Kerberos preauthentication'
        postScanActions += $"- Kerberos non-preauth: sudo GetNPUsers.py {defaultNamingContext}/ -usersfile sampleUsersHere.txt -dc-ip {target}" + Environment.NewLine;
        // Post exploitation
        postScanActions += $"- If you get details: python3 secretsdump.py usernameHere:\"passwordHere\"@{target} | grep :" + Environment.NewLine;
    }
    else if (port == 443)
    {
        postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-https-medium.txt -x.php,.txt" + Environment.NewLine;
        // NOTE(review): the port 80 branch uses "common.txt"; this wordlist path has no extension.
        postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/common -t 25 -o gobuster-https-common.txt -x.php,.txt" + Environment.NewLine;
    }
    else if (port == 445)
    {
        if (General.GetOS() == General.OS.Windows)
        {
            postScanActions += $"- Port 445 - Linux (SMBClient) has better info on this: smbclient -L {target} --no-pass" + Environment.NewLine;
        }
        postScanActions += $"- Port 445 - I miss a lot: nmap -sC -sV -p445 {target}" + Environment.NewLine;
        postScanActions += $"- Port 445 - Testing passwords: crackmapexec smb {target} -u users.txt -p passwords.txt" + Environment.NewLine;
        postScanActions += $"- Port 445 - Authenticated SID Lookup: sudo lookupsid.py DOMAIN/Username:password@{target}" + Environment.NewLine;
    }
    else if (port == 2049)
    {
        postScanActions += "- NFS: rpcinfo -p " + target + Environment.NewLine;
    }
    else if (port == 3128)
    {
        postScanActions += $"- Squid: If you get a password, run: squidclient -v -h {target} -w 'passwordHere' mgr:menu" + Environment.NewLine;
    }
    else if (port == 3306)
    {
        postScanActions += $"- Try: hydra -L users.txt -P passwords.txt {target} mysql" + Environment.NewLine;
    }
    else if (port == 3389)
    {
        // TODO: https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html
        // https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse
        // Unfinished RDP NTLM probe carried over from the original source (never compiled in):
        /*
        string NTLM_NEGOTIATE_BLOB = "30 37 A0 03 02 01 60 A1 30 30 2E 30 2C A0 2A 04 28"
            + "4e 54 4c 4d 53 53 50 00" // Identifier - NTLMSSP
            + "01 00 00 00"             // Type: NTLMSSP Negotiate -01
            + "B7 82 08 E2 "            // Flags(NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
            + "00 00 "                  // DomainNameLen
            + "00 00"                   // DomainNameMaxLen
            + "00 00 00 00"             // DomainNameBufferOffset
            + "00 00 "                  // WorkstationLen
            + "00 00"                   // WorkstationMaxLen
            + "00 00 00 00"             // WorkstationBufferOffset
            + "0A"                      // ProductMajorVersion = 10
            + "00 "                     // ProductMinorVersion = 0
            + "63 45 "                  // ProductBuild = 0x4563 = 17763
            + "00 00 00"                // Reserved
            + "0F";                     // NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
        byte[] byteData = General.StringToByteArray(NTLM_NEGOTIATE_BLOB);
        string result = General.BannerGrabBytes(ip, port, byteData);
        Console.WriteLine("Result: " + result);
        */
    }
    else if (port == 3690)
    {
        // Banner: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
        postScanActions += "- SVN: svn diff -r1 svn://" + target + Environment.NewLine;
    }
    else if (port == 4369)
    {
        // TODO: https://svn.nmap.org/nmap/scripts/epmd-info.nse
        postScanActions += $"- EPMD: nmap {target} -p4369 --script=epmd-info -sV" + Environment.NewLine;
    }
    else if (port == 5222)
    {
        // TODO: Jabber
        // 5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
    }
    else if (port == 5269)
    {
        // jabber / xmpp-server
        // NOTE(review): this is the only line not terminated with Environment.NewLine.
        postScanActions += "- nmap --script=xmpp-info " + target + " -p" + port;
    }
    // 5269/tcp open xmpp Wildfire XMPP Client ???
    else if (port == 5672)
    {
        string portHeader = "Port 5672 - Advanced Message Queuing Protocol (AMQP)";
        // Active probe: the reply is a remote-controlled string.
        string portData = General.BannerGrab(target, 5672, "Woof" + Environment.NewLine + Environment.NewLine);
        if (portData.StartsWith("AMQP"))
        {
            // The four characters after "AMQP" are compared as protocol-id 0, then version 0.9.1.
            // NOTE(review): a reply shorter than 8 characters throws IndexOutOfRangeException here.
            if (portData[4] == 0 && portData[5] == 0 && portData[6] == 9 && portData[7] == 1)
            {
                portData = "- Version 0-9-1";
                // theBanner = General.BannerGrab(ip, port, theBanner);
                // Need to send the bytes of AMQP0091
                // Oh gawd....
                // (The original source kept a raw RabbitMQ connection.start frame dump here - control
                //  characters, capability table, cluster name, copyright, platform and version fields.)
                // https://svn.nmap.org/nmap/nselib/amqp.lua
                postScanActions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
            }
            else
            {
                portData = "- 5672.Unknown Version - Bug Reelix";
            }
        }
        else
        {
            portData = "- 5672.Unknown - Bug Reelix";
        }
        // Written to the console directly; not part of the returned text.
        Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
    }
    else if (port == 9100)
    {
        // TODO: Clean - Should the file be named "Printer.cs" or "jetdirect.cs" ???
        string portHeader = $"Port {port} - Printer (jetdirect)";
        // PJL
        // http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
        // Yoinked from Nmap
        string bannerInfo = General.BannerGrab(target, port, "@PJL INFO ID\r\n");
        string portData = "";
        if (bannerInfo != "")
        {
            portData += "- Version: " + bannerInfo + Environment.NewLine;
            // Yoinked from PRET
            // NOTE(review): each entry is printed to the terminal unfiltered - the printer controls this text.
            List<string> dirList = General.BannerGrab(target, port, "@PJL FSDIRLIST NAME=\"0:/ \" ENTRY=1 COUNT=65535\r\n").Split("\r\n".ToCharArray()).ToList();
            // Clean new lines
            dirList.RemoveAll(string.IsNullOrEmpty);
            // Append each item
            portData += "- Directory List: " + Environment.NewLine;
            foreach (string dir in dirList)
            {
                portData += "-- " + dir + Environment.NewLine;
            }
            portData = portData.Trim(Environment.NewLine.ToCharArray());
            // PFL Successful - Add pjl to the post scan actions
            postScanActions += portData + Environment.NewLine + $"- Printer: pret.py {target} pjl ( https://github.com/RUB-NDS/PRET )" + Environment.NewLine;
        }
        else
        {
            portData = "- Unknown - Bug Reelix!";
        }
        // TODO: Add PCL (Printer Command Language), XEX, IPDS
        // Written to the console directly; on success the same data was also appended to postScanActions above.
        Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
    }
    else if (port == 11211)
    {
        postScanActions += "- 11211 - Memcache" + Environment.NewLine;
        postScanActions += "-- Verify: stats (Dumps \"STAT\")" + Environment.NewLine;
        postScanActions += "-- Dump key names: lru_crawler metadump all" + Environment.NewLine;
        postScanActions += "-- Read key: get keyname" + Environment.NewLine;
    }
    else if (port == 27017)
    {
        // MongoDB
        postScanActions += "- 27017 - MongoDB: NMap can get the version" + Environment.NewLine;
        // Nmap can get the version - What else can we get?
    }
    return(postScanActions);
}