http://labs.portcullis.co.uk Labs Portcullis updates. en Labs portcullis Tue, 22 Feb 2011 11:21:15 GMT http://backend.userland.com/rss 60 hhttp://labs.portcullis.co.uk/mg/logo.gif http://labs.portcullis.co.uk Wed, 26 Nov 2008 16:23:36 GMT http://labs.portcullis.co.uk/application/udp-proto-scanner/ <p>udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:</p> <pre> $ udp-proto-scanner.pl -f ips.txt $ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1 $ udp-proto-scanner.pl -p ntp -f ips.txt </pre> <p>The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:</p> <pre> $ udp-proto-scanner.pl -l </pre> <h2>What's it Used For?</h2> <p>It's used in the host-discovery and service-discovery phases of a pentest.<br /> <br /> It can be helpful if you need to discover hosts that only offer UDP services<br /> and are otherwise well firewalled - e.g. if you want to find all the DNS<br /> servers in a range of IP addresses. Alternatively on a LAN, you might want<br /> a quick way to find all the TFTP servers.<br /> <br /> Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond<br /> unless you know a valid community string). However, many UDP services can be<br /> discovered, e.g.:</p> <ul> <li>DNS</li> <li>TFTP</li> <li>NTP</li> <li>NBT</li> <li>SunRPC</li> <li>MS SQL</li> <li>DB2</li> <li>SNMPv3</li> </ul> <h2>It's Not a Portscanner</h2> <p>It won't give you a list of open and closed ports for each host. It's simply<br /> looking for specific UDP services.</p> <h2>Efficiency</h2> <p>It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.<br /> 256 IPs or more). If you run it against small numbers of hosts it will seem<br /> quite slow because it waits for 1 second between each different type of probe.</p> <p>One cool feature of udp-proto-scanner is that it doesn't load the whole host list <br /> into memory. Therefore if you want to scan 17 million IPs, you can. It'll <br /> take a while, but you won't run out of memory.</p> <h2>Credits</h2> <p>The UDP probes are mainly taken from amap, nmap and ike-scan.<br /> Inspiration for the scanning code was drawn from ike-scan.<br /> Net::Netmask by David Muir Sharnoff is included in this tool.</p> Thu, 30 Oct 2008 11:51:42 GMT http://labs.portcullis.co.uk/application/vessl/ <p>vessl is a simple wrapper script that connects, extracts and then verifies the ssl certificate of an encrypted service. It was originally written in order to script up the ability to verify ssl certificates across a large network. </p> <h2>features</h2> <ul> <li>vessl will connect to any service that openssl can</li> <li>it will extract and verify against a given CA Pem file</li> <li>it will check that certificate matches the host it is on</li> <li>it produce a map going from ip's to hostname</li> <li>checks to see if certificate is based on a blacklisted debian key</li> </ul> <h2>dependencies</h2> <ul> <li>openssl</li> <li>ping</li> <li><a href="https://launchpad.net/ubuntu/+source/openssl-blacklist/">openssl-vulnkey</a></li> <li>mktemp</li> <li><a href="/content/vessl/generating-a-ca-pem-file/">CA Pem File</a></li> </ul> <h2>download</h2> <p><a href="/download/vessl-0.3.1.tar.bz2"> download vessl</a></p> <p>&nbsp;</p>