Category Archives: tools

Scapy with WiFi monitor (rfmon) mode on OS X

After taking the 617 SANS class in Orlando I got curious and wanted to get Scapy working natively on OS X rather than messing about with a Virtual Linux image. A key motivator was the fact that I was running out of space on my Macbook Air and not only had to carry around an external USB WiFi adapter, but also a USB hard drive.

Continue reading

15 new nmap scripts

I just posted 15 new nmap scripts to the nmap-dev mailing list. For anyone curios to check them out have a look over here. I’ve been working on these new scripts for a while and they add yet more database support to nmap allowing users to perform password guessing against both Oracle and Informix servers. In addition custom SQL queries can be made to Informix servers directly from nmap.

I’ve also created a number of scripts which can be suitable when pen testing Lotus Domino. These scripts include support for collecting Internet password hashes and user ID files. ID files can be collected both as an authenticated user from the person web view or unauthenticated using the vulnerability CVE-2006-5835. Oh, and you can add Lotus Domino 8.5 to the list of vulnerable versions in that advisory. There are also two scripts that allow you to interact with the IBM Lotus Domino remote console. One script allows for password guessing, while the other one allows you to interact with the console ones your authenticated.

There’s a tiny script in the zip file that supports querying for registered objects in a ORB Naming Service using the GIOP protocol.

Last but not least I’ve created a framework for other password guessing scripts to use. The framework runs using multiple worker threads and does all the looping, iteration and other basic logic used by most of my previous brute scripts.

The zip file included in the nmap-dev post can be downloaded from here. Please help me out testing the scripts so that they can be added to the subversion version of nmap!

Detecting Apple Mac OS X AFP vulnerability CVE-2010-0533 with Nmap

During the development of my AFP library for Nmap I came a cross a critical vulnerability in Apple’s implementation of AFP on Snow Leopard. The vulnerability occurs due to improper input validation and allows an attacker to access (list, read, and/or write) files in the parent directory of any AFP sharepoint.

Continue reading

Nmap-scripts cleanup

I’ve cleaned up the Nmap scripts page a bit to better reflect reality. Most of the scripts published on that page have been commited to the Nmap development release. I’m actively working on getting the remainder commited to. Once the scripts have been commited, they’re no longer maintained here. So, in order to try them out I recommend you to install the latest development release of Nmap. In order to do so, follow the steps outlined here.

5 new SNMP scripts in Nmap SVN

As of yesterday there are now 5 new SNMP scripts in the development release of Nmap. I commited a new ASN.1 library a re-worked SNMP library and 5 new scripts. The new scripts are:

  • snmp-netstat shows listening and connected sockets
  • snmp-processes shows process information including name, pid, path and parameters
  • snmp-win32-services shows the names of running Windows services
  • snmp-win32-shares shows the names and path of Windows shares
  • snmp-win32-software shows a list of installed Windows software
  • snmp-win32-users shows a list of local Windows users

Make sure to check them out over at insecure.org. In order to use them you need to check out the development sources from subversion. More info on that over here.

nfs-showmount total re-write

I received a bug report for my Nmap nfs-showmount script a few days ago. I ended up re-writing the whole thing as it was my first script, which is short for “ugly as hell”. I moved all NFS and RPC stuff into a new library called rpc.lua and added some more functionality as well.

I’ve also added two more scripts that make use of the library nfs-get-stats and nfs-get-dirlist. The first retrieves disk usage for each export and the second lists files on a share. They’re both available from the nmap-scripts page as usual.

Nmap does more MySQL

I’ve just added some code to my Nmap MySQL library that enables query support. With this code in place it’s possible to run queries against MySQL directly from a Nmap script. In order to illustrate this I’ve added three scripts: mysql-list-users, mysql-list-databases and mysql-show-variables.

While messing around with the library I also cleaned up the code for mysql-brute and mysql-empty-password. All of the scripts that query the database obviously require credentials to do so. These can be provided on the command line using script arguments mysqluser and mysqlpassword or by running the mysql-brute or mysql-empty-password on the same time. There are dependencies set up so that the query scripts wait until these two scripts have collected the credentials. Here’s some sample output from the scripts …

Continue reading

DAAP script for nmap

I’ve added a script that queries a DAAP service for it’s library. Depending on the version of the service it then attempts to query it for for a list of artists, albums and songs. It’s available, together with more other scripts, over at the nmap-scripts page.

Here’s a sample output when running against the Firefly Media Server:

| daap-get-library:
|   BUBBA|TWO
|     Fever Ray
|       Fever Ray (Deluxe Edition)
|         Concrete Walls
|         I’m Not Done
|         Here Before
|         Now’s The Only Time I Know
|         Stranger Than Kindness
|         Dry And Dusty
|         Keep The Streets Empty For Me
|         Triangle Walks
|         If I Had A Heart
|         Seven
|         When I Grow Up
|_       Coconut