Esempio n. 1
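        /// <summary>
        /// Fingerprints a Squid cache-manager endpoint: sends a <c>cache_object://</c> menu request and
        /// parses the reply for the <c>Server:</c> header and for whether manager access is password-protected.
        /// </summary>
        /// <param name="ip">Host to connect to; also used as the host part of the request URL.</param>
        /// <param name="port">TCP port to connect to.</param>
        /// <returns>
        /// A "- Version:" line followed by one line describing the cache-manager access result,
        /// with leading/trailing newline characters trimmed.
        /// </returns>
        public static string GetInfo(string ip, int port)
        {
            const string serverHeader = "Server: ";
            string returnInfo   = "";
            string bannerResult = General.BannerGrab(ip, port, "GET cache_object://" + ip + "/menu HTTP/1.0\r\n\r\n");

            // Version: the remainder of the "Server: " header line.
            if (bannerResult.Contains("Server: squid"))
            {
                int headerStart    = bannerResult.IndexOf(serverHeader, StringComparison.Ordinal);
                string versionInfo = bannerResult.Substring(headerStart + serverHeader.Length);

                // Some use \r\n, some just use \n; if there is no line break at all, keep the rest of the banner
                // rather than throwing on Substring(0, -1).
                int lineEnd = versionInfo.IndexOf('\n');
                if (lineEnd >= 0)
                {
                    versionInfo = versionInfo.Substring(0, lineEnd);
                }
                versionInfo = versionInfo.Replace("\r", "");
                returnInfo += "- Version: " + versionInfo + Environment.NewLine;
            }
            else
            {
                // Terminate the line: without the newline "Unknown" was glued onto the access-result line below.
                returnInfo += "- Version: Unknown" + Environment.NewLine;
            }

            // Cache-manager access result
            if (bannerResult.Contains("HTTP/1.1 401 Unauthorized") && bannerResult.Contains("ERR_CACHE_MGR_ACCESS_DENIED"))
            {
                returnInfo += "- Password authentication is enabled and a password is required";
            }
            else if (bannerResult.Contains("Cache Manager Interface"))
            {
                returnInfo += "- Unauthorized Cache Mananger Menu Access! Bug Reelix to update this!";
            }
            else
            {
                returnInfo += "- Malformed return info - Bug Reelix to update this";
            }
            return returnInfo.Trim(Environment.NewLine.ToCharArray());
        }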
Esempio n. 2
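        /// <summary>
        /// Parses an IMAP greeting banner ("* OK ...") into a version line and, when the server advertises one
        /// inline, a capability list.
        /// </summary>
        /// <param name="ip">Host to connect to.</param>
        /// <param name="port">TCP port to connect to.</param>
        /// <returns>
        /// "- Version:" (and "- Capabilities:" when present) lines plus a hint line; for a banner that does not
        /// start with "* OK " a single "- Non-IMAP Banner Detected:" line with the raw banner.
        /// </returns>
        public static string GetInfo(string ip, int port)
        {
            const string okPrefix         = "* OK ";
            const string capabilityPrefix = "[CAPABILITY ";
            const string capabilityEnd    = "] ";
            string returnInfo;
            string bannerInfo = General.BannerGrab(ip, port);

            // * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc.  See COPYING for distribution information.

            // * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot ready.

            // Rare: * OK NS572126 EmailArchitect IMAP4 Service, Version: 2019.11.0.2.1 ready at Wed, 15 Jul 2020 00:49:19 -0700
            if (bannerInfo.StartsWith(okPrefix, StringComparison.Ordinal))
            {
                bannerInfo = bannerInfo.Substring(okPrefix.Length);

                // StartsWith replaces Substring(0, 12), which threw on banners shorter than 12 characters;
                // the closing "] " is located up front so a truncated capability list falls through to the plain case.
                int capabilityClose = bannerInfo.IndexOf(capabilityEnd, StringComparison.Ordinal);
                if (bannerInfo.StartsWith(capabilityPrefix, StringComparison.Ordinal) && capabilityClose >= 0)
                {
                    // It has capabilities! They sit between "[CAPABILITY " and "] "; the greeting follows.
                    string capabilities = bannerInfo.Substring(capabilityPrefix.Length, capabilityClose - capabilityPrefix.Length);

                    bannerInfo  = bannerInfo.Substring(capabilityClose + capabilityEnd.Length);
                    returnInfo  = "- Version: " + bannerInfo + Environment.NewLine;
                    returnInfo += "- Capabilities: " + capabilities;
                }
                else
                {
                    returnInfo = "- Version: " + bannerInfo;
                }
                returnInfo += Environment.NewLine + "- Maybe you can use this to log into a relevant email account?";
            }
            else
            {
                returnInfo = "- Non-IMAP Banner Detected: " + bannerInfo;
            }
            return returnInfo;
        }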
Esempio n. 3
        /// <summary>
        /// Sends two plain path-traversal GET requests (for <c>/etc/passwd</c> and <c>/windows/win.ini</c>)
        /// and reports whether a marker string from the respective file appears in the reply.
        /// </summary>
        /// <param name="ip">Host to connect to; also sent as the <c>Host:</c> header.</param>
        /// <param name="port">TCP port to connect to.</param>
        /// <returns>
        /// A result line followed by the raw reply when a marker matched; an empty string when neither did.
        /// </returns>
        /// <remarks>
        /// The markers ("root", "for 16-bit app support") are a heuristic: any reply body that happens to
        /// contain the marker text is reported as a hit, so results need manual confirmation.
        /// </remarks>
        public static string TestBaseLFI(string ip, int port)
        {
            string hostHeader = "Host: " + ip + Environment.NewLine + Environment.NewLine;

            string passwdReply = General.BannerGrab(ip, port, "GET /../../../../../../etc/passwd HTTP/1.1" + Environment.NewLine + hostHeader, 2500);
            if (passwdReply.Contains("root"))
            {
                // Need to format this better...
                return "- /etc/passwd File Found VIA Base LFI! --> GET /../../../../../../etc/passwd" + Environment.NewLine + passwdReply;
            }

            string winIniReply = General.BannerGrab(ip, port, "GET /../../../../../../windows/win.ini HTTP/1.1" + Environment.NewLine + hostHeader, 2500);
            if (winIniReply.Contains("for 16-bit app support"))
            {
                return "- /windows/win.ini File Found VIA Base LFI! --> GET /../../../../../../windows/win.ini" + Environment.NewLine + winIniReply;
            }

            return "";
        }
Esempio n. 4
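        /// <summary>
        /// Attempts an FTP login against <paramref name="target"/> with the given credentials (empty
        /// credentials test for anonymous access) and summarises the banner, welcome message and headers.
        /// </summary>
        /// <param name="target">Host name or IP address, with or without an <c>ftp://</c> prefix.</param>
        /// <param name="username">Username to log in with; empty means anonymous.</param>
        /// <param name="password">Password to log in with; empty by default.</param>
        /// <returns>
        /// Newline-prefixed "- ..." lines describing the outcome. When the login fails, the server's error
        /// banner and status are included if it sent them; otherwise a plain banner grab on port 21 is tried.
        /// </returns>
        public static string FtpLogin(string target, string username = "", string password = "")
        {
            string ftpLoginResult = "";
            string ftpServer      = target;

            if (!ftpServer.StartsWith("ftp://", StringComparison.Ordinal))
            {
                ftpServer = "ftp://" + ftpServer;
            }

            FtpWebRequest request = (FtpWebRequest)WebRequest.Create(ftpServer);

            request.Timeout     = 5000;
            request.UseBinary   = true;  // Better for downloading files if we ever need
            request.UsePassive  = true;  // A better way to receive file listing
            request.KeepAlive   = false; // Closes FTP after we're done
            request.Method      = WebRequestMethods.Ftp.PrintWorkingDirectory;
            request.Credentials = new NetworkCredential(username, password);

            // Best-effort fallback shared by the failure paths: when the FtpWebResponse carries no usable
            // banner/status, grab the raw banner on port 21 instead. Errors are reported, not thrown.
            Action appendRawBanner = () =>
            {
                try
                {
                    ftpLoginResult += "- Banner: " + General.BannerGrab(target, 21);
                }
                catch (Exception iex)
                {
                    ftpLoginResult += "- Unable to get any banner response: " + iex.Message;
                }
            };

            try
            {
                // The response holds the control connection; dispose it so the socket is released.
                using (FtpWebResponse response = (FtpWebResponse)request.GetResponse())
                {
                    // If it gets here - It's connected!
                    string bannerMessage = response.BannerMessage.Trim();
                    if (bannerMessage.StartsWith("220 ", StringComparison.Ordinal))
                    {
                        // Drop the "220 " reply code, and the parentheses some servers wrap the banner in.
                        bannerMessage = bannerMessage.Substring(4);
                        if (bannerMessage.StartsWith("(", StringComparison.Ordinal) && bannerMessage.EndsWith(")", StringComparison.Ordinal))
                        {
                            bannerMessage = bannerMessage.Substring(1, bannerMessage.Length - 2);
                        }
                    }

                    if (!string.IsNullOrEmpty(bannerMessage))
                    {
                        ftpLoginResult += Environment.NewLine + "- Version: " + bannerMessage;
                    }

                    string welcomeMessage = response.WelcomeMessage.Trim();
                    if (welcomeMessage != "230 Login successful.")
                    {
                        ftpLoginResult += Environment.NewLine + "- Welcome Message: " + welcomeMessage;
                    }

                    if (response.SupportsHeaders)
                    {
                        WebHeaderCollection headers = response.Headers;
                        if (headers != null && headers.Count != 0)
                        {
                            ftpLoginResult += Environment.NewLine + "- Headers (Contact Reelix): " + string.Join(",", headers.AllKeys);
                        }
                    }

                    if (string.IsNullOrEmpty(username) || username == "anonymous")
                    {
                        ftpLoginResult += Environment.NewLine + "- " + "Anonymous login allowed (Username: anonymous Password: *Leave Blank*)".Pastel(Color.Orange);
                    }
                    else
                    {
                        // Debug marker printed on a successful non-anonymous login; kept as the original behaviour.
                        Console.WriteLine("Woof!");
                    }
                    return ftpLoginResult;
                }
            }
            catch (WebException ex)
            {
                // Check the status code as well as the (culture-dependent) message text.
                if (ex.Status == WebExceptionStatus.ConnectFailure || ex.Message == "Unable to connect to the remote server")
                {
                    return Environment.NewLine + "- Unable to connect :<";
                }

                if (ex.Response == null)
                {
                    ftpLoginResult += "- Unable to get any any response: " + ex.Message;
                    return ftpLoginResult;
                }

                using (WebResponse errorResponse = ex.Response)
                {
                    // 'as' instead of a hard cast: a non-FTP response is reported rather than throwing InvalidCastException.
                    FtpWebResponse response = errorResponse as FtpWebResponse;
                    if (response == null)
                    {
                        ftpLoginResult += "- Unable to get FTP response: " + ex.Message + Environment.NewLine;
                        appendRawBanner();
                    }
                    else if (response.BannerMessage != null && response.StatusDescription != null)
                    {
                        ftpLoginResult += Environment.NewLine + "- Banner: " + response.BannerMessage.Trim();
                        ftpLoginResult += Environment.NewLine + "- Status: " + response.StatusDescription.Trim();
                    }
                    else
                    {
                        ftpLoginResult += "- Unable to get any FTP response: " + ex.Message + Environment.NewLine;
                        appendRawBanner();
                    }
                }
                return ftpLoginResult;
            }
        }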
Esempio n. 5
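        /// <summary>
        /// Builds the "Some things you probably want to do" list for an open port: suggested follow-up
        /// commands keyed on well-known port numbers.
        /// </summary>
        /// <param name="target">Host name or IP address the suggestions are written for.</param>
        /// <param name="port">Open TCP port the suggestions apply to.</param>
        /// <returns>
        /// Zero or more "- ..." lines, each terminated by <see cref="Environment.NewLine"/> (the 5269 line is
        /// not); an empty string for ports with no suggestions.
        /// </returns>
        /// <remarks>
        /// Most branches only format text, but 88 (LDAP naming-context lookup), 5672 (AMQP banner) and 9100
        /// (PJL printer banner and directory listing) send traffic to <paramref name="target"/>, and the
        /// latter two also write their findings straight to the console.
        /// </remarks>
        public static string GetAdditionalPortInfo(string target, int port)
        {
            string postScanActions = "";

            switch (port)
            {
                case 23:
                    postScanActions += "- Telnet: Just telnet in - Bug Reelix to update this though..." + Environment.NewLine;
                    break;

                case 53:
                    // TODO: https://svn.nmap.org/nmap/scripts/dns-nsid.nse
                    postScanActions += $"- Try a reverse lookup (Linux): dig @{target} -x {target}" + Environment.NewLine;
                    postScanActions += $"- Try a zone transfer (Linux): dig axfr domain.com @{target}" + Environment.NewLine;
                    break;

                case 80:
                    postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-http-medium.txt -x.php,.txt" + Environment.NewLine;
                    postScanActions += $"- gobuster dir -u=http://{target}/ -w ~/wordlists/common.txt -t 25 -o gobuster-http-common.txt -x.php,.txt" + Environment.NewLine;
                    break;

                case 88:
                {
                    // Post Scan: the domain name is derived from the LDAP default naming context ("DC=a,DC=b" -> "a.b").
                    string defaultNamingContext = LDAP.GetDefaultNamingContext(target, true);
                    defaultNamingContext = defaultNamingContext.Replace("DC=", "").Replace(",", ".");

                    // Username enum
                    postScanActions += $"- Kerberos Username Enum: kerbrute userenum --dc {defaultNamingContext}/ -d {target} users.txt" + Environment.NewLine;

                    // Requests TGT (Ticket Granting Tickets) for users
                    postScanActions += $"- Kerberos TGT Request: sudo GetNPUsers.py {defaultNamingContext}/ -dc-ip {target} -request" + Environment.NewLine;

                    // Test for users with 'Do not require Kerberos preauthentication'
                    postScanActions += $"- Kerberos non-preauth: sudo GetNPUsers.py {defaultNamingContext}/ -usersfile sampleUsersHere.txt -dc-ip {target}" + Environment.NewLine;

                    // Post exploitation
                    postScanActions += $"- If you get details: python3 secretsdump.py usernameHere:\"passwordHere\"@{target} | grep :" + Environment.NewLine;
                    break;
                }

                case 443:
                    postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/directory-list-2.3-medium.txt -t 25 -o gobuster-https-medium.txt -x.php,.txt" + Environment.NewLine;
                    postScanActions += $"- gobuster dir -u=https://{target}/ -w ~/wordlists/common -t 25 -o gobuster-https-common.txt -x.php,.txt" + Environment.NewLine;
                    break;

                case 445:
                    if (General.GetOS() == General.OS.Windows)
                    {
                        postScanActions += $"- Port 445 - Linux (SMBClient) has better info on this: smbclient -L {target} --no-pass" + Environment.NewLine;
                    }
                    postScanActions += $"- Port 445 - I miss a lot: nmap -sC -sV -p445 {target}" + Environment.NewLine;
                    postScanActions += $"- Port 445 - Testing passwords: crackmapexec smb {target} -u users.txt -p passwords.txt" + Environment.NewLine;
                    postScanActions += $"- Port 445 - Authenticated SID Lookup: sudo lookupsid.py DOMAIN/Username:password@{target}" + Environment.NewLine;
                    break;

                case 2049:
                    postScanActions += $"- NFS: rpcinfo -p {target}" + Environment.NewLine;
                    break;

                case 3128:
                    postScanActions += $"- Squid: If you get a password, run: squidclient -v -h {target} -w 'passwordHere' mgr:menu" + Environment.NewLine;
                    break;

                case 3306:
                    postScanActions += $"- Try: hydra -L users.txt -P passwords.txt {target} mysql" + Environment.NewLine;
                    break;

                case 3389:
                    // TODO: https://nmap.org/nsedoc/scripts/rdp-ntlm-info.html
                    // https://svn.nmap.org/nmap/scripts/rdp-ntlm-info.nse

                    /*
                     * string NTLM_NEGOTIATE_BLOB =  "30 37 A0 03 02 01 60 A1 30 30 2E 30 2C A0 2A 04 28"
                     + "4e 54 4c 4d 53 53 50 00" // Identifier - NTLMSSP
                     + "01 00 00 00" //Type: NTLMSSP Negotiate -01
                     + "B7 82 08 E2 " // Flags(NEGOTIATE_SIGN_ALWAYS | NEGOTIATE_NTLM | NEGOTIATE_SIGN | REQUEST_TARGET | NEGOTIATE_UNICODE)
                     + "00 00 " // DomainNameLen
                     + "00 00" // DomainNameMaxLen
                     + "00 00 00 00" // DomainNameBufferOffset
                     + "00 00 " // WorkstationLen
                     + "00 00" // WorkstationMaxLen
                     + "00 00 00 00" // WorkstationBufferOffset
                     + "0A" // ProductMajorVersion = 10
                     + "00 " // ProductMinorVersion = 0
                     + "63 45 " // ProductBuild = 0x4563 = 17763
                     + "00 00 00" // Reserved
                     + "0F"; // NTLMRevision = 5 = NTLMSSP_REVISION_W2K3
                     +
                     +
                     + byte[] byteData = General.StringToByteArray(NTLM_NEGOTIATE_BLOB);
                     + string result = General.BannerGrabBytes(ip, port, byteData);
                     + Console.WriteLine("Result: " + result);
                     */
                    break;

                case 3690:
                    // Banner: ( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
                    postScanActions += $"- SVN: svn diff -r1 svn://{target}" + Environment.NewLine;
                    break;

                case 4369:
                    // TODO: https://svn.nmap.org/nmap/scripts/epmd-info.nse
                    postScanActions += $"- EPMD: nmap {target} -p4369 --script=epmd-info -sV" + Environment.NewLine;
                    break;

                case 5222:
                    // TODO: Jabber
                    // 5222/tcp open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
                    break;

                case 5269:
                    // jabber / xmpp-server
                    // 5269/tcp open  xmpp                Wildfire XMPP Client ???
                    // NOTE: this is the one line without a trailing Environment.NewLine.
                    postScanActions += $"- nmap --script=xmpp-info {target} -p{port}";
                    break;

                case 5672:
                {
                    string portHeader = "Port 5672 - Advanced Message Queuing Protocol (AMQP)";
                    string portData   = General.BannerGrab(target, 5672, "Woof" + Environment.NewLine + Environment.NewLine);
                    if (portData.StartsWith("AMQP", StringComparison.Ordinal))
                    {
                        // Protocol header is "AMQP" + 4 version bytes; guard the length before indexing bytes 4-7.
                        if (portData.Length >= 8 && portData[4] == 0 && portData[5] == 0 && portData[6] == 9 && portData[7] == 1)
                        {
                            portData = "- Version 0-9-1";
                            // theBanner = General.BannerGrab(ip, port, theBanner); // Need to send the bytes of AMQP0091

                            // The reply to a proper AMQP handshake is a binary connection frame (product, version,
                            // platform, auth mechanisms); nmap's amqp-info script already parses it:
                            // https://svn.nmap.org/nmap/nselib/amqp.lua
                            postScanActions += $"- AMQP is up and nmap knows more: nmap --script amqp-info -p{port} {target}" + Environment.NewLine;
                        }
                        else
                        {
                            portData = "- 5672.Unknown Version - Bug Reelix";
                        }
                    }
                    else
                    {
                        portData = "- 5672.Unknown - Bug Reelix";
                    }
                    Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
                    break;
                }

                case 9100:
                {
                    // TODO: Clean - Should the file be named "Printer.cs" or "jetdirect.cs" ???
                    string portHeader = $"Port {port} - Printer (jetdirect)";

                    // PJL

                    // http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
                    // Yoinked from Nmap
                    string bannerInfo = General.BannerGrab(target, port, "@PJL INFO ID\r\n");
                    string portData   = "";
                    if (!string.IsNullOrEmpty(bannerInfo))
                    {
                        portData += "- Version: " + bannerInfo + Environment.NewLine;

                        // Yoinked from PRET; blank lines (from \r\n splitting) are dropped.
                        List<string> dirList = General.BannerGrab(target, port, "@PJL FSDIRLIST NAME=\"0:/ \" ENTRY=1 COUNT=65535\r\n")
                            .Split("\r\n".ToCharArray())
                            .Where(entry => !string.IsNullOrEmpty(entry))
                            .ToList();

                        // Append each item
                        portData += "- Directory List: " + Environment.NewLine;
                        foreach (string dir in dirList)
                        {
                            portData += "-- " + dir + Environment.NewLine;
                        }
                        portData = portData.Trim(Environment.NewLine.ToCharArray());

                        // PJL Successful - Add pjl to the post scan actions
                        postScanActions += portData + Environment.NewLine + $"- Printer: pret.py {target} pjl ( https://github.com/RUB-NDS/PRET )" + Environment.NewLine;
                    }
                    else
                    {
                        portData = "- Unknown - Bug Reelix!";
                    }
                    // TODO: Add PCL (Printer Command Language), XEX, IPDS
                    Console.WriteLine(portHeader + Environment.NewLine + portData + Environment.NewLine);
                    break;
                }

                case 11211:
                    postScanActions += "- 11211 - Memcache" + Environment.NewLine;
                    postScanActions += "-- Verify: stats (Dumps \"STAT\")" + Environment.NewLine;
                    postScanActions += "-- Dump key names: lru_crawler metadump all" + Environment.NewLine;
                    postScanActions += "-- Read key: get keyname" + Environment.NewLine;
                    break;

                case 27017:
                    // MongoDB
                    postScanActions += "- 27017 - MongoDB: NMap can get the version" + Environment.NewLine;
                    // Nmap can get the version - What else can we get?
                    break;
            }

            return postScanActions;
        }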