Nmap 6.49BETA4 on Android

I’ve been working on an Android port of Nmap for quite some time now. Some time ago I ported Nmap 6.47 to Android; you can find those Android binaries here:
http://seclists.org/nmap-dev/2015/q1/45

Almost the same process as for 6.46 was used to compile 6.47:
https://k0st.wordpress.com/2014/08/17/nmap-6-46-on-android/

In the meantime, 6.49BETA4 got released, so I’ve managed to cross-compile the new version as well.

For those who just want the binaries, they are here (they should work on Android 4+ out of the box):
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-arm-bin.tar.bz2
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-i686-bin.tar.bz2
https://s3.amazonaws.com/nmap-dl/nmap-android/nmap-6.49BETA4-android-mipsel-bin.tar.bz2

Or, if you don’t want to bother with any of this, you can download the Network Mapper application from the Play Store at the following URL:
https://play.google.com/store/apps/details?id=org.kost.nmap.android.networkmapper

Since I’m using a completely different approach to building it from source, the major changes are worth mentioning: the binaries are now dynamically linked (due to DNS issues) and compiled with PIE support (for Lollipop support). Dynamic linking is done against the minimal set of libraries needed for DNS to work (mostly libc).

Identifying and exploiting IBM WebSphere Application Server

IBM WebSphere is an application server similar to Tomcat, JBoss and WebLogic. Therefore, it should be interesting to any penetration tester doing enterprise-scale work where WebSphere might be present. It should also be interesting to anyone working on securing an enterprise environment, since WebSphere allows deploying your own (malicious or not) code to the server.

I have written NSE scripts to identify IBM WebSphere application server consoles and to brute-force usernames and passwords. I will also demonstrate the basics of WebSphere exploitation.

Running commands on multiple meterpreter sessions

Recently I needed to launch a large number of meterpreter sessions in order to quickly scrape a large number of computers. This is something I occasionally need but always forget to document, so this is also a note to myself. Imagine a scenario where you have domain admin privileges on a large Windows network, or the same exploit working on a large number of computers, and you want to launch a keyboard sniffer on all of them. Another example would be launching a specific command on all (or specific) meterpreter sessions.

Identifying and exploiting rom-0 vulnerabilities

I will talk about a simple but dangerous vulnerability present on many network devices that use the RomPager Embedded Web Server. An attacker is able to get your ISP password, wireless password and other sensitive information by issuing a single HTTP GET request to the ‘/rom-0’ URI. The information disclosure is in the RomPager Embedded Web Server itself. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many others. The vulnerability was published in 2014 (judging by the CVE), but I see a lot of people don’t know about it, mainly because there was no hype around it and most of the popular vulnerability scanners failed to identify it.

I still think the vulnerability is pretty dangerous: if the router’s administration web interface is exposed to the Internet, anyone on the Internet can learn your ISP password, wireless password and router password with a single unauthenticated HTTP request. But an attacker does not have to stop there: knowing your router password, the attacker can change router settings and redirect your network traffic as they like (by changing route or DNS settings). The attacker can also expose your LAN to the Internet or access your internal services or computers by abusing port forwarding features. So I hope this vulnerability gets better treatment after this blog post and NSE script.

Using bloom filter for hash database

Summary

For those who are short on time: this is a way to shrink a large hash database (bigger than 2 GB) into a very small data set called a Bloom filter. You can test it out by issuing the following command (it checks whether an MD5 is found in the NSRL):
docker run --rm k0st/kfh 16f769bc1d37cc14e3093b9881cf1691
You can find the image and build instructions on Docker Hub.
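The idea behind the summary, a Bloom filter standing in for a multi-gigabyte hash set, as an added Python example (my own code, not the k0st/kfh image): it sizes the filter from an expected entry count and target false-positive rate, inserts a constructed list of MD5 digests (the one quoted above plus two illustrative ones), and answers lookups with a definite "unknown" or a probable "known".

```python
import hashlib
import math
import re

class BloomFilter:
    """Fixed-size Bloom filter over a bytearray (added example, not the kfh code)."""

    def __init__(self, capacity, fp_rate):
        # Textbook sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hash functions.
        self.m = max(8, int(-capacity * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k positions h1 + i*h2 (mod m) derived from one SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        # False is definite; True means "present or a false positive" (about fp_rate).
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self):
        return len(self.bits)

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample of a "known good" set; a real NSRL load would stream millions in.
KNOWN_MD5 = [
    "16f769bc1d37cc14e3093b9881cf1691",  # the hash used in the docker command above
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty file
]

def build_filter(hashes, capacity, fp_rate=1e-6):
    """Size the filter for `capacity` entries, then insert the normalised hashes."""
    bf = BloomFilter(capacity, fp_rate)
    for h in hashes:
        bf.add(h.strip().lower())
    return bf

def lookup(bf, md5hex):
    """'known' if the hash may be in the set, 'unknown' if it definitely is not."""
    h = md5hex.strip().lower()
    if not MD5_RE.match(h):
        raise ValueError("expected a 32-character hex MD5")
    return "known" if h in bf else "unknown"

def shrink_ratio(bf, n_hashes):
    """How much smaller the filter is than storing n_hashes raw 16-byte digests."""
    return (16 * n_hashes) / bf.size_bytes()
```

Sized for 10,000 entries at a one-in-a-million false-positive rate, the filter takes about 36 KB against 160 KB of raw digests, and the ratio only improves as the set grows.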

Rip or Pillage DVCS – story about git

I hope you have read Ron’s excellent post about .git directories on web sites and how you can use an nmap script to find out whether you have them. In the comments you can even find a Google dork to find indexed ones. The problem with his approach was that it assumed directory browsing is enabled, which was not the case for me. A recent post on carnal0wnage also gives good tips about getting .git files from a web server. It’s hard to miss the DVCS-pillage tool and Baldwin’s paper. It’s a pretty good tool, but DVCS-Pillage did not support HTTPS for git (you can find a patch on my GitHub page) and it was also very slow due to repeated “git log” usage.
A step further is the git plugin for Metasploit. Still, they all just hope they downloaded everything.

I really wanted support for branches other than master, to make sure that I downloaded the whole git tree so I can get ALL files, and to do it fast. So, of course, I’ve made my own solution in Perl, available here (git only for now):
https://github.com/kost/dvcs-ripper

You just need to say:
rip-git.pl -v -u http://www.example.com/.git/

rip-git.pl will download the git repository, check what is missing and download that too, so you can fully check out the source.
Note that it will do “git checkout -f” for you as well. That assumes you have git on the same machine as the script, as it uses git commands.

It also supports other branches (just specify -b branch for anything other than master).

One neat trick is that my tool actually uses “git fsck” to find missing entries and download them, which is quite a bit faster than repeated “git log”.

Let me know if it works for you!
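A defender's view of both the rom-0 post and this one: an added Python example, not part of either post, that runs two detection rules over constructed web server access-log lines and reports which probes (a /rom-0 fetch, or anything reaching into a .git directory) were actually answered with a 200. The combined log format, the sample lines and the documentation addresses in them are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format (assumed): client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# One rule per post: the RomPager /rom-0 configuration dump, and any request that
# reaches into a .git directory (HEAD, config, objects/...), but not /.gitignore.
PROBE_RULES = {
    "rompager-rom0": re.compile(r"^/rom-0(?:[?#]|$)", re.IGNORECASE),
    "git-exposure": re.compile(r"/\.git(?:/|$)"),
}

def classify(path):
    """Return the matching rule name for a decoded request path, or None."""
    for name, rx in PROBE_RULES.items():
        if rx.search(path):
            return name
    return None

def scan_log(lines):
    """One finding per matching request; 'served' means the server answered 200."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the expected format
        path = unquote(m["path"])         # catch %2e-encoded dots as well
        rule = classify(path)
        if rule:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                             "status": int(m["status"]), "rule": rule,
                             "served": m["status"] == "200"})
    return findings

def served_by_client(findings):
    """Per client IP, how many probes actually got a 200 back: the ones to act on."""
    return dict(Counter(f["ip"] for f in findings if f["served"]))

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:10:00:01 +0100] "GET /rom-0 HTTP/1.1" 200 16384 "-" "curl/7.38"',
    '203.0.113.7 - - [10/Mar/2015:10:00:02 +0100] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:10:00:04 +0100] "GET /.gitignore HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2015:10:00:05 +0100] "GET /app/%2egit/config HTTP/1.1" 404 0 "-" "-"',
]
```

A 200 on /rom-0 means the configuration was handed out and the passwords in it should be treated as compromised; a 200 on .git/HEAD means the repository is fetchable and the web server should stop serving that directory.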

Nmap 5.61TEST4 on Amazon Kindle

Amazon Kindle running Nmap

Happy New Year! Since Fyodor released Nmap 5.61TEST4, I had to compile it for the Kindle. Again, this port to Amazon Kindle was pretty straightforward (as the previous ones were). No source patches were needed.

Download

It is available at the usual location:
http://ftp.linux.hr/kindle/nmap-5.61TEST4-kindle-bin.tar.bz2

How should you install it?

  • extract nmap-5.61TEST4-kindle-bin.tar.bz2 into the opt directory at the root of the storage location, that is /mnt/us/opt
    cd /mnt/us/opt
    tar xvjf nmap-5.61TEST4-kindle-bin.tar.bz2
  • check that you have the following directory structure: /mnt/us/opt/nmap-5.61TEST4
    ls /mnt/us/opt/nmap-5.61TEST4
  • run nmap
    /mnt/us/opt/nmap-5.61TEST4/bin/nmap 127.0.0.1
Compilation

  • Download the appropriate scratchbox for Kindle
  • run configure

    LDFLAGS="-static" ac_cv_linux_vers=2 ./configure --host=arm-none-linux --prefix=/mnt/us/opt/nmap-5.61TEST4 --enable-static --without-zenmap --with-pcap=linux --with-liblua=included --with-libpcap=internal

    or, if building with OpenSSL (you have to cross-compile OpenSSL first, which is a different story):

    ac_cv_func_EVP_sha256=yes LDFLAGS="-static" ac_cv_linux_vers=2 ./configure --host=arm-none-linux --prefix=/mnt/us/opt/nmap-5.61TEST4 --enable-static --without-zenmap --with-pcap=linux --with-liblua=included --with-libpcap=internal --with-openssl=/mnt/us/opt/openssl-1.0.0e-s
    make
    make install
  • that’s it

Tips

If you’re not familiar with Nmap on Amazon Kindle or with getting a shell on Amazon Kindle, I would recommend reading my previous posts on Nmap on Amazon Kindle:

  • Nmap on Amazon Kindle
  • my post on nmap-dev mailing list

Good luck and let me know if it works for you!

Metasploit on Amazon Kindle

Metasploit running on Amazon Kindle

Since Nmap and Ruby are working on the Kindle (check my previous posts for how I’ve done that), the next step is Metasploit, of course! Let me tell you immediately: no patches to Metasploit are needed. You can run the full-blown version of Metasploit with the Kindle’s 256 MB of RAM, but don’t expect miracles.

Download

  • http://ftp.linux.hr/kindle/ruby-1.9.3-p0-kindle-bin.tar.bz2
  • http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2

Install

  • Create the opt directory and extract the files there
    mkdir /mnt/us/opt && cd /mnt/us/opt
    tar xvjf ruby-1.9.3-p0-kindle.tar.bz2
    tar xvjf framework-latest.tar.bz2
  • Check that you have the following directory structures:
    /mnt/us/opt/msf/
    /mnt/us/opt/ruby-1.9.3-p0/
  • export HOME=/mnt/us
  • and run Metasploit
    cd /mnt/us/opt/msf3/
    ../ruby-1.9.3-p0/bin/ruby msfconsole

I have made a small script in /mnt/us/opt which starts msf, so I don’t have to do it every time. It’s straightforward:

    #!/bin/sh

    # same steps as above: set HOME, then start msfconsole with the Kindle Ruby build
    export HOME=/mnt/us
    cd /mnt/us/opt/msf
    ../ruby-1.9.3-p0/bin/ruby msfconsole

Let me know if it works for you!

Ruby on Amazon Kindle

Porting Ruby to the Amazon Kindle was not too hard. I just reused my cross-compiling environment for Nmap. A few changes were required in the source (ext/socket/extconf.rb) because IPv6 structures are used even if you disable IPv6. The rest was straightforward.

Download

http://ftp.linux.hr/kindle/ruby-1.9.3-p0-kindle-bin.tar.bz2

Install

  • Create the opt directory and extract the files there
    mkdir /mnt/us/opt && cd /mnt/us/opt
    tar xvjf ruby-1.9.3-p0-kindle.tar.bz2

Run

  • Just call the ruby binary
    /mnt/us/opt/ruby-1.9.3-p0/bin/ruby
  • …or invoke the interactive Ruby shell:
    /mnt/us/opt/ruby-1.9.3-p0/bin/irb

Compile

To build a statically linked Ruby, I used the appropriate scratchbox for Kindle and the following command line:

    ac_cv_linux_vers=2 ./configure --prefix=/mnt/us/opt/ruby-1.9.3-p0 --host=arm-none-linux --with-baseruby=/opt/ruby-1.9.3-p0/bin/ruby --with-static-linked-ext --disable-shared

Note that --disable-ipv6 and --without-ipv6 do not work any more.
I have made the following changes in order to compile the source:
http://ftp.linux.hr/kindle/ruby-1.9.3-kindle.diff

Nmap on Amazon Kindle

Amazon Kindle running Nmap

Since Nmap is already ported to the ARM architecture, including Android, I just recently managed to successfully compile Nmap version 5.51 on the Amazon Kindle. This port to Amazon Kindle was pretty straightforward. No source patches were needed.

Download

I’ve just compiled a newer version (5.61TEST2, to be exact) of Nmap with OpenSSL support. The initial version (5.51) did not have OpenSSL compiled in. It is available at the usual location:
http://ftp.linux.hr/kindle/nmap-5.61TEST2-kindle-bin.tar.bz2

How should you install it?

  • extract nmap-5.61TEST2-kindle-bin.tar.bz2 into the opt directory at the root of the storage location, that is /mnt/us/opt
    cd /mnt/us/opt
    tar xvjf nmap-5.61TEST2-kindle-bin.tar.bz2
  • check that you have the following directory structure: /mnt/us/opt/nmap-5.61TEST2
    ls /mnt/us/opt/nmap-5.61TEST2
  • run nmap
    /mnt/us/opt/nmap-5.61TEST2/bin/nmap 127.0.0.1

Tips

If you’re not familiar with it, a few usual tips. Thanks to various Kindle enthusiasts it is possible to get a shell terminal directly on the Kindle, so you can run nmap directly from the Kindle (you can also run it through ssh, of course!). I’m talking about the Kindle 3. Take a look at the Amazon Liberation Project and specifically this blog post.

Compilation

  • Download the appropriate scratchbox for Kindle
  • run configure
    ac_cv_linux_vers=2 ./configure --host=arm-none-linux --prefix=/mnt/us/opt/nmap-5.61TEST2 --enable-static --without-zenmap --with-pcap=linux --with-liblua=included --with-libpcap=internal
    make
    make install
  • that’s it

Sample session from initial version

    [root@kindle root]# uname -a
    Linux kindle 2.6.26-rt-lab126 #5 Thu Sep 8 22:30:01 PDT 2011 armv6l unknown
    [root@kindle root]# head -5 /proc/cpuinfo
    Processor : ARMv6-compatible processor rev 3 (v6l)
    BogoMIPS : 255.59
    Features : swp half thumb fastmult vfp edsp java
    CPU implementer : 0x41
    CPU architecture: 6TEJ
    [root@kindle root]# /mnt/us/nmap-5.51/bin/nmap 127.0.0.1

    Starting Nmap 5.51 ( http://nmap.org ) at 2011-12-11 07:18 CET
    Nmap scan report for localhost.localdomain (127.0.0.1)
    Host is up (0.00013s latency).
    Not shown: 999 closed ports
    PORT STATE SERVICE
    22/tcp open ssh

    Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds

Good luck and let me know if it works for you!