Portcullis Labs - enumeration

udp-proto-scanner | Content

Wed, 26 Nov 2008 16:23:36 GMT

udp-proto-scanner.pl discovers UDP services by sending triggers to a list of hosts:

$ udp-proto-scanner.pl -f ips.txt
$ udp-proto-scanner.pl 10.0.0.0/16 172.16.16.1 192.168.0.1
$ udp-proto-scanner.pl -p ntp -f ips.txt

The probe names (for -p) are defined in udp-proto-scanner.conf. List probe names using the -l option:

$ udp-proto-scanner.pl -l

What's it Used For?

It's used in the host-discovery and service-discovery phases of a pentest.

It can be helpful if you need to discover hosts that only offer UDP services
and are otherwise well firewalled - e.g. if you want to find all the DNS
servers in a range of IP addresses. Alternatively on a LAN, you might want
a quick way to find all the TFTP servers.

Not all UDP services can be discovered in this way (e.g. SNMPv1 won't respond
unless you know a valid community string). However, many UDP services can be
discovered, e.g.:

DNS
TFTP
NTP
NBT
SunRPC
MS SQL
DB2
SNMPv3

It's Not a Portscanner

It won't give you a list of open and closed ports for each host. It's simply
looking for specific UDP services.

Efficiency

It's most efficient to run udp-proto-scanner.pl against whole networks (e.g.
256 IPs or more). If you run it against small numbers of hosts it will seem
quite slow because it waits for 1 second between each different type of probe.

One cool feature of udp-proto-scanner is that it doesn't load the whole host list
into memory. Therefore if you want to scan 17 million IPs, you can. It'll
take a while, but you won't run out of memory.

Credits

The UDP probes are mainly taken from amap, nmap and ike-scan.
Inspiration for the scanning code was drawn from ike-scan.
Net::Netmask by David Muir Sharnoff is included in this tool.

Apache Users | Content

Thu, 11 Sep 2008 11:22:18 GMT

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

nbtscan-1.5.2 | Content

Thu, 03 Apr 2008 14:24:31 GMT

NBTscan is a program for scanning IP networks for NetBIOS name information. It sends NetBIOS status query to each address in supplied range and lists received information in human readable form. For each responded host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.

Banner Grab | Content

Wed, 02 Apr 2008 12:36:30 GMT

BannerGrab is a tool that performs connection, trigger-based and basic information collection from network services. The program has two modes of operation; simple connection banner grabbing and the default mode which makes use of service triggers to enumerate additional information.

BannerGrab can connect to TCP services, UDP services and can connect to SSL services. SSL service banner grabbing will also return the SSL connection details.

Requirements

BannerGrab requires the GNU C compiler and has been tested on Linux, but should work on other UNIX type systems. It has even been known to run from an iPhone.

BannerGrab has an optional requirement of the OpenSSL library to perform SSL-based grabs. However, SSL support can be disabled.

Download

BannerGrab can be downloaded from the Source Forge project site at sourceforge.net/projects/bannergrab.

Compiling

BannerGrab includes a Makefile, so it can be built in the usual way:

make
make install (as root)

However, it can be manually compiled as follows:

gcc -lssl -o bannergrab bannergrab.c

On Mac OS-X systems it can be compiled as follows:

gcc -lssl -lcrypto -o bannergrab bannergrab.c

It can be compiled without OpenSSL support as follows:

gcc -DNOSSL -o bannergrab bannergrab.c

Running

BannerGrab can be run in its simplest form by specifying a host and port as the parameters. For example:

bannergrab 127.0.0.1 80

More advanced options can be shown using the online help with the following command:

bannergrab --help

License

BannerGrab is covered by the GPL v3 license with the following exception:

In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.