Research and Development

UNIXSocketScanner is a UNIX domain socket scanner.

Key features

  • Multi threaded
  • Supports both internal probes format and nmap probes format

Overview

UNIX domain sockets are “files” that follow the semantics of the UNIX socket interface and can be utilised by applications to offer services to other processes that are present on the same host. Whilst it can often be clear what protocols such services support from the name of the socket and/or the process that created it, this is not always the case especially if the process isn’t part of a well known F/OSS application.

UNIXSocketScanner allows the UNIX domain sockets offered by a given application to be enumerated using both nmap and internal probes to determine the likely protocol. As discussed in my presentation at 44CON 2013 entitled “I Miss LSD“, the results are sometimes surprising – who knew that CUPS offered HTTP over a UNIX domain socket?

Installation

UNIXSocketScanner does not require installation but simply requires that the necessary dependencies have been installed.

Usage

$ find / -type s | UNIXSocketScanner.pl [-v] -x <maximumprocess> <-p <probesfilename> | -n <nmapprobesfilename>>

Examples

Scanning the CUPS UNIX domain socket:

$ echo /var/run/cups/cups.sock | UNIXSocketScanner.pl -x 2 -n /usr/share/nmap/nmap-service-probes 
I: /var/run/cups/cups.sock
I: /var/run/cups/cups.sock finished
/var/run/cups/cups.sock
+ matches nmap-response-ssl
+ matches nmap-probe-SSLSessionReq
+ matches nmap-probe-GetRequest
+ matches nmap-response-ipp
+ matches nmap-probe-SSLv23SessionReq
+ matches nmap-probe-HTTPOptions

Connecting to the Avahi UNIX domain socket manually with socat:

$ socat UNIX:/var/run/cups/cups.sock STDIO
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 12 Nov 2013 22:50:04 GMT
Server: CUPS/1.5
Content-Language: en_US
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 18 Mar 2013 14:36:53 GMT
Content-Length: 3796

Scanning the Avahi UNIX domain socket:

$ echo /var/run/avahi-daemon/socket | UNIXSocketScanner.pl -x 2 -p src/probes 
I: /var/run/avahi-daemon/socket
I: /var/run/avahi-daemon/socket finished
/var/run/avahi-daemon/socket
+ matches avahi-fuck

Connecting to the Avahi UNIX domain socket manually with socat:

$ socat UNIX:/var/run/avahi-daemon/socket STDIO
FUCK
+ FUCK: Go fuck yourself!
UNIXSocketScanner-0.4 Tar
5.3 KiB
MD5 hash: ccf7b78735ca12eb2d7195c1193979ba
Details

Request to be added to the Portcullis Labs newsletter

We will email you whenever a new tool, or post is added to the site.

Your Name (required)

Your Email (required)