Thursday, October 30, 2008

Backdoor Port Scanner

1 - Intro


Scanning heavily filtered networks is a slow process: when the target host
drops the packets and sends no reply, Nmap has to wait for the timeout and
then retry 10 times before marking the port as filtered.

Calculating the RTT (Round Trip Time) and ABW (Available Bandwidth) correctly
can improve Nmap's timing considerably, but a port scan, fast or slow, will
still be noisy.

So the idea is to do a port scan without actually scanning.

2 - The technique

The basic idea is to use a directory traversal exploit or a web shell to retrieve
the files

/proc/net/tcp
/proc/net/udp

and then feed them to the tool bpscan, which parses them and prints the results
in a human-readable form.

The same can be done with the tcp6, udp6 and raw files for IPv6 and raw sockets.

3 - What info can we get doing it

What better way to show this than with some examples.

We can use it as a normal port scanner; as you will see, bpscan resolves the
service name of each port.

Port Service
21 ftp
25 smtp
80 http
3306 mysql
5560 Unknown
37237 Unknown
37297 Unknown


Or we can use the "a" flag to see all the entries in the dump without removing
the duplicates.

Port  Service  Remote IP        Remote Port
80    http     93.129.xxx.xxx   3514
3306  mysql    0.0.0.0          0
3306  mysql    72.232.xxx.xxx   40140
5560  Unknown  0.0.0.0          0
37237 Unknown  72.232.xxx.xxx   3306

This last example is abridged, or it would be too long.

We can see the IP and port of the remote end.
If there are filtered ports, we can learn which IPs are allowed through the
firewall. Spoof anyone?
The 0.0.0.0:0 entries are ports in the TCP_LISTEN state.

But wait, let's see the same output with remote service resolution...

Port  Service  Remote IP        Remote Port  Remote Service
80    http     93.129.xxx.xxx   3514         must-p2p
3306  mysql    0.0.0.0          0            Unknown
3306  mysql    72.232.xxx.xxx   40140        Unknown
5560  Unknown  0.0.0.0          0            Unknown
37237 Unknown  72.232.xxx.xxx   3306         mysql

The first one has a high remote port that resolves to must-p2p; it is surely
the randomly assigned source port of a client connecting to port 80 (resolving
an ephemeral port just returns whatever /etc/services lists for that number),
and the same goes for the IP connecting to mysql.
But the last one is interesting: we can see that our target is connecting to a
remote mysql server... nice.
This is useful for getting a better understanding of our target and its network
map.
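As an added illustration (my own Python, not bpscan's Perl code), here is a parser for the /proc/net/tcp layout the tool reads: it decodes the hex address fields, maps the kernel's state codes, and produces both the distinct-listening-port view and the per-connection view shown above. The sample dump is constructed, and all function names are my own.

```python
import socket
import struct

# "st" column of /proc/net/tcp -> socket state (values from the kernel's
# enum of TCP states; 0A is LISTEN, 01 is ESTABLISHED).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample in the /proc/net/tcp layout (not a real capture).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 1002 1
   2: 0100007F:0050 0100007F:8CC2 01 00000000:00000000 00:00000000 00000000    33        0 1003 1
   3: 0F02000A:91A1 0302000A:0CEA 01 00000000:00000000 00:00000000 00000000    33        0 1004 1
"""

def decode_addr(field):
    # 'HEXIP:HEXPORT'; the IPv4 address is a 32-bit value in host byte order,
    # so on little-endian hosts 0100007F is 127.0.0.1.
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    # One dict per socket; the first line of the file is the column header.
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = decode_addr(cols[1])
        rip, rport = decode_addr(cols[2])
        entries.append({"local_ip": lip, "local_port": lport,
                        "remote_ip": rip, "remote_port": rport,
                        "state": TCP_STATES.get(cols[3], cols[3]),
                        "uid": int(cols[7]), "inode": int(cols[9])})
    return entries

def service_name(port):
    # Resolve via /etc/services, the same lookup bpscan's output implies.
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "Unknown"

def listening_ports(entries):
    # Distinct LISTEN ports: what bpscan prints without the "a" flag.
    return sorted({e["local_port"] for e in entries if e["state"] == "LISTEN"})

def established(entries):
    return [(e["local_port"], e["remote_ip"], e["remote_port"])
            for e in entries if e["state"] == "ESTABLISHED"]
```

The uid and inode columns are kept because, on a host you administer, they let you map a suspicious socket back to its owner and (via /proc/*/fd) its process.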

4 - The tool

The tool is coded in Perl; I made it for personal use but decided to share it.

Its use is easy; check the manual.

Options:
-h Shows this really useful help
-i Defines the input file, if isn't defined, bpscan will use stdin
-f Sets the flags

Valid Flags:
a Shows all the entries, including the remote ip and port where the socket connects
r Resolve remote service

Examples:
bpscan -i=tcp.txt -f=ar
cat /proc/net/tcp | bpscan


5 - Conclusion

Ok guys, I hope you find it useful.
I would like to thank Rudelgurke for his helpful info on Linux and BSD inner workings.
For any comment, suggestion or idea, contact me at apx[dot]808[at]gmail[dot]com

6 - Download

http://sites.google.com/site/apx808/Home/bpscan.zip

7 - Extra

From a few comments I received, I think some people don't really understand what the tool is for.
So here are 5 good reasons to use bpscan.

1 - If you only have a traversal exploit, you can search for open ports to discover new attack
vectors.
2 - If you have a web shell, you can get the same results using netstat, but you'll need to parse
the info yourself, and you can't get each open port only once, like a "select distinct".
3 - bpscan sees the ports from behind, so if there is an open port behind a firewall you'll see
it too.
4 - If you see an incoming connection to a port you can't connect to, seeing its IP can let you
guess the firewall rule, or discover a trusted host.
5 - You can see your target's outgoing connections, and what service they are for, so you can
gain a better understanding of your target's network map, other targets or new attack vectors.

