Cloaked Exploit Scanner

  1. #1 Senior Member (Join Date: Apr 2002, Posts: 324)

    Cloaked Exploit Scanner

    Overview

    In parts IV and V of my TCPUtil articles I'm going to look at how to cloak the requests that are sent from our sockets script. Cloaking in this context means hiding your IP address from the server with which we wish to communicate.

    To hide our IP address we use a proxy server, which accepts connections from ourselves and passes them on to another computer. The receiving computer logs the IP address of the proxy server rather than our IP address.

    If you have not already read parts I - III of this set of articles please refer to these threads first before attempting the following:
    Scripting Internet Connections Under Window$
    Search Engine submission 'exploit'
    Google 'exploit' - TCPUtil pt III

    This is part one of a two part article on how to use the TCPUtil code to write a cloaked exploit scanner. This article, part IV, covers how to create the list of live anonymising proxy servers that we will use in part V.

    You can see Part II of this two part tutorial here.

    Proxy Servers

    What is a proxy server?

    A proxy server is a kind of buffer between your computer and the Internet resources you are accessing (e.g. Web sites or FTP archives). The data you request comes to the proxy first, and only then is it transmitted to you.
    From: http://www.inetprivacy.com/a4proxy/a...-proxy-faq.htm
    You can proxy a request via telnet or netcat. To do this we would use the following syntax:
    Code:
    NC {ProxyIP} {Port}
    GET http://www.targetserver.com/ HTTP/1.0 <crlf>
    <crlf>
    The <crlf>'s above are carriage return line feeds, or Enter on your keyboard. Notice here that rather than GETting the root file, or just '/', from the webserver we GET the fully qualified URL including the host name. The proxy forwards our request and responds with the information returned from the proxy.

    An anonymising proxy is a proxy server that does not pass on information about your IP. There is a list of anonymising proxy servers on the multiproxy website at http://www.multiproxy.org/anon_list.htm. The code here only works with IP addresses, so if you plan to rebuild the proxy list provided in the zip file then remember to select the top Domain as IP address only before copying the host list.

    Finding Live Proxies.

    Ok - so now you have your list of anonymising proxies from multiproxy, all you have to do is figure out which of them work. I couldn't be bothered to sit and try them each individually, so I decided to write a script to check each proxy in the hosts file using TCPUtil and a new Ping control (both provided at the end of the article) to test if they were live. The source code for the ping control is zipped separately at the end of this article.

    The hosts file is in the following format:

    Code:
    {ProxyIP}:{ProxyPort}
    24.132.153.105:3128 
    211.0.113.202:80 
    194.225.166.1:80 
    .
    Notice the ':' delimiter that splits the dotted quad IP address and the port number. Also notice that the last line MUST contain the '.' character to tell the script it has reached the end of the file.

    Registration of the controls

    You need to register the networkfunc.ocx and sbwinsock.ocx controls provided in the zip file at the end of this post. To register an OCX component run the following command:

    regsvr32 <path_to_OCX>\<component_name>.OCX

    Usage

    The output file specified by the -o option selects where to save the list of live proxy servers.

    Code:
    Usage: CheckHosts.vbs [--outputfile|-o]
            [--Delay|-d] Page Time Out delay (in seconds) Default: 3 Seconds
            [--Verbose|-v]
            [--debug|-vv]
            [--Help|/?]
    
    EXAMPLE: Checkhosts.vbs -o livehosts

    The results

    The script creates a list of live proxy servers. The results (from my computer at least) were as follows:

    The Code!

    This script uses the ping control to attempt to ping each proxy server in the hosts file. If the proxy responds to the ping, the script will then proceed to attempt to retrieve the HEAD information from Google's home page via that proxy. If the proxy returns the page correctly then the script adds the proxy and port to the output file specified with the -o switch.

    Code:
    WScript.Echo "--Proxy Validation Script."
    WScript.Echo "--July 2002 by NTSA."
    WScript.Echo "--www.ntsa.org.uk"
    WScript.Echo ""

    Const ForReading = 1, ForWriting = 2
    Dim pingx, fso, MyFile

    Dim buffer, blncon, blnSkip, wtresp, secwait, blnLastcmdnull 'Program vars
    Dim blnbuff, blnifile, lang, sdelay, Verbose, debug, iFile, oFile, str, Target 'User vars
    Dim oArgs, ArgNum 'Argument vars
    Dim tcpClient, hosts, livehosts, host, h, tio, con

    Const sckTCPProtocol = 0
    Const sckUDPProtocol = 1

    'Output levels understood by the out() sub
    Const FlgDebug = 1
    Const flgVerbose = 2
    Const flgEcho = 3

    'Create a FSO for file I/O operations
    Set fso = CreateObject("Scripting.FileSystemObject")
    'Create the winsock object and pass the event handler prefix wsPop_
    On Error Resume Next
    Set tcpClient = WScript.CreateObject("sbWinsck.winsock", "wsPop_")
    If Err.Number > 0 Then
        out "Could not create an instance of the SBWinsck control.", flgEcho
        out "You need to register SBWinsck.ocx using the regsvr32", flgEcho
        out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path", flgEcho
        out "is the full path to the ocx file.", flgEcho
        WScript.Quit(1)
    End If
    Set Pingx = WScript.CreateObject("Networkfuncs.pingx")
    If Err.Number > 0 Then
        out "Could not create an instance of the Networkfuncs.pingx control.", flgEcho
        out "You need to register networkfunc.ocx using regsvr32.", flgEcho
        WScript.Quit(1)
    End If

    GetUserParams

    'The proxy list is read from 'hosts' in the current directory and the
    'live proxies are written to the file named with the -o switch
    Set hosts = fso.OpenTextFile("hosts", ForReading)
    Set livehosts = fso.OpenTextFile(oFile, ForWriting, True)

    'Stop at the '.' terminator, or at end of file if it is missing
    Do Until hosts.AtEndOfStream
        host = Trim(hosts.ReadLine)
        If host = "." Then Exit Do
        If Len(host) > 0 Then
            h = Split(host, ":")
            If UBound(h) <> 1 Then
                out "Skipping malformed line: " & host, flgVerbose
            ElseIf PingX.ping(CStr(h(0))) = True Then

                str = "HEAD http://www.google.com/ HTTP/1.0" & vbCrLf

                Set tcpClient = WScript.CreateObject("sbWinsck.winsock", "wsPop_")

                tcpClient.Protocol = sckTCPProtocol
                tcpClient.RemoteHost = h(0)
                tcpClient.RemotePort = CLng(h(1))

                tcpClient.Connect

                'Poll every 500ms until connected, data arrives or sdelay seconds pass
                tio = 0
                Do Until blncon = True Or blnskip = True Or tio = sdelay * 2
                    WScript.Sleep 500
                    out "Waiting for connection...", FlgDebug
                    tio = tio + 1
                Loop

                con = True
                'Timed out - could not connect
                If tio = sdelay * 2 And blnskip = False Then
                    out "Could not connect to: " & tcpClient.RemoteHost & _
                        " on port: " & tcpClient.RemotePort & ".", flgEcho
                    con = False
                End If

                If con = True Then
                    'Wait for the proxy to close the connection, or time out
                    tio = 0
                    Do Until blncon = False Or tio = sdelay * 2
                        WScript.Sleep 500
                        out "Waiting for disconnection...", FlgDebug
                        tio = tio + 1
                    Loop

                    'The status code follows "HTTP/1.0 " in the first line of the reply
                    out "Returncode>" & Mid(buffer, 10, 3), flgEcho
                    If Mid(buffer, 10, 3) = "200" Then
                        con = True
                    Else
                        con = False
                    End If
                End If

                blncon = False
                blnskip = False
                buffer = ""
                tcpClient.Disconnect
                Set tcpClient = Nothing

                If con = True Then
                    out "Checking: " & h(0) & "...Live!", flgEcho
                    livehosts.WriteLine h(0) & ":" & h(1)
                Else
                    out "Checking: " & h(0) & "...fails.", flgVerbose
                End If
            Else
                out "Checking: " & h(0) & "...fails.", flgVerbose
            End If
        End If
    Loop
    livehosts.WriteLine "."
    livehosts.Close
    hosts.Close

    Sub wsPop_DataArrival(ByVal b)

        Dim strData
        out "Data Arrival...", flgVerbose
        'Get the data and add it to the buffer
        tcpClient.GetData strData, vbString

        If blnbuff = True Then
            buffer = buffer & strData
        Else
            out strData, flgVerbose
        End If

        'Data has just arrived - wait some
        'more to see if anything further comes
        secwait = 100
        blnskip = True

    End Sub

    Sub wsPop_Connected()

        blncon = True
        blnskip = True
        out "Connected...", flgVerbose
        'Sending data to the host
        out "Sending data...", flgVerbose

        sendandlog str & vbCrLf

        out "Data sent.", flgVerbose

    End Sub

    Sub sendandlog(data)

        tcpClient.SendData data & vbCrLf
        LogDataSend data

    End Sub

    Sub LogDataSend(poststr)

        'The original tested an undefined 'port' variable here, so nothing was ever logged
        out "Sending:> " & poststr, flgVerbose

    End Sub

    Sub wsPop_Close()

        blncon = False
        out "Disconnected...", flgVerbose

    End Sub

    'Renamed from IsEmpty so as not to shadow the VBScript built-in
    Function IsBlank(str)

        If str & "" = "" Then
            IsBlank = True
        Else
            IsBlank = False
        End If

    End Function

    Function iCount(str, del)

        iCount = 0

        For i = 1 To Len(str)
            If Mid(str, i, 1) = del Then
                iCount = iCount + 1
            End If
        Next

        iCount = iCount - 1

    End Function

    Function input(quest)

        WScript.StdOut.Write(quest & ":>")
        input = WScript.StdIn.ReadLine()

    End Function

    'Print str if the current verbosity allows messages of level flg
    Sub out(str, flg)

        Select Case flg
            Case flgEcho
                WScript.Echo str
            Case flgVerbose
                If Verbose = True Or debug = True Then
                    WScript.Echo str
                End If
            Case FlgDebug
                If debug = True Then
                    WScript.Echo str
                End If
        End Select
    End Sub

    'Strip the "--", "-" or "/" prefix from a switch name
    Function RemoveDel(str)

        RemoveDel = Replace(str, "/", "")
        RemoveDel = Replace(RemoveDel, "-", "")

    End Function

    Sub GetUserParams

        Set oArgs = WScript.Arguments
        ArgNum = 0
        While ArgNum < oArgs.Count

            Select Case RemoveDel(LCase(oArgs(ArgNum)))
                Case "outputfile", "o"
                    ArgNum = ArgNum + 1
                    If ArgNum >= oArgs.Count Then
                        out "Error! -o needs a file name.", flgEcho
                        DisplayUsage
                    End If
                    oFile = oArgs(ArgNum)
                Case "delay", "d"
                    ArgNum = ArgNum + 1
                    If ArgNum >= oArgs.Count Then
                        out "Error! -d needs a number of seconds.", flgEcho
                        DisplayUsage
                    End If
                    If Not IsNumeric(oArgs(ArgNum)) Then
                        out "Error! -d needs a number of seconds.", flgEcho
                        DisplayUsage
                    End If
                    sdelay = CInt(oArgs(ArgNum))
                Case "help", "?"
                    DisplayUsage
                Case "verbose", "v"
                    Verbose = True
                Case "debug", "vv"
                    debug = True
                Case Else
                    WScript.Echo "Unknown argument " & oArgs(ArgNum)
                    DisplayUsage
            End Select
            ArgNum = ArgNum + 1
        Wend

        blnbuff = True

        If IsBlank(sdelay) Then
            'Default to a 3 second delay before breaking the connection
            sdelay = 3
        End If

        If IsBlank(oFile) Then
            'No output file given
            out "Please specify where to output the file.", flgEcho
            DisplayUsage
        End If

    End Sub

    Sub DisplayUsage

        WScript.Echo "Usage: CheckHosts.vbs [--outputfile|-o] <file>"
        WScript.Echo "        [--Delay|-d] Page Time Out delay " & _
                     "(in seconds) Default: 3 Seconds"
        WScript.Echo "        [--Verbose|-v]"
        WScript.Echo "        [--debug|-vv]"
        WScript.Echo "        [--Help|/?]"
        WScript.Echo ""
        WScript.Quit(1)

    End Sub
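The hosts-file format described above and the response-code check the script makes with mid(buffer,10,3), as an added Python example that is not part of the thread or the CheckHosts script; the sample list is constructed and includes the malformed lines the VBScript does not handle.

```python
# Added example in Python, not the thread's VBScript. It re-implements the two
# checks the script makes: reading the '{ProxyIP}:{ProxyPort}' list (blank
# lines skipped, a lone '.' ends the list) and reading the status code from
# the first line of the HTTP reply, which the script does with a fixed
# mid(buffer,10,3) slice. SAMPLE_HOSTS is constructed.
import ipaddress

# Constructed sample in the thread's hosts-file format, with the cases the
# script does not handle: a blank line, a line without ':', a bad port, and
# an entry after the '.' terminator.
SAMPLE_HOSTS = """24.132.153.105:3128
211.0.113.202:80

194.225.166.1:80
bad.entry
10.0.0.5:notaport
.
192.0.2.9:80
"""

def parse_hosts(text):
    """Return (entries, problems): entries are (ip, port) tuples in file
    order; problems are (line number, reason) for skipped lines."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line == ".":  # end-of-list marker used by the script
            break
        host, sep, port = line.partition(":")
        if not sep:
            problems.append((lineno, "missing ':' delimiter"))
            continue
        try:
            ip = str(ipaddress.IPv4Address(host))
            port = int(port)
            if not 1 <= port <= 65535:
                raise ValueError("port out of range")
        except ValueError:
            problems.append((lineno, "bad IP or port"))
            continue
        entries.append((ip, port))
    return entries, problems

def status_code(reply):
    """Status code from the first line of an HTTP reply, or None when that
    line is not a status line; tolerates HTTP/1.1 and extra whitespace,
    which a fixed 3-character slice does not."""
    first_line = reply.splitlines()[0] if reply.strip() else ""
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    code = parts[1]
    return int(code) if len(code) == 3 and code.isdigit() else None
```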
    If you enjoyed this thread you may enjoy these others:

    Cloaked Exploit Scanner Part I and Part II
    Google 'exploit' - TCPUtil pt III
    Open Source FTP Control
    Web based classes
    Backing up the IIS metabase.
    What port is that?
    Building your own IDS tripwire.
    Credit card security
    Dumping SQL data to a text file
    Hunting down skript kiddies
    Search Engine submission 'exploit'
    Forced shutdown of a remote nt/2k server
    Securing an installation of IIS 4. (No, seriously)
    Remote DSN Connections, using WinAPIs and the registry
    Scripting Internet Connections Under Window$
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  2. #2 Senior Member (Join Date: Apr 2002, Posts: 324)

    PingX Control Source Code

    This is the source code for the pingx control that is used by the above script to check if a proxy is responding to pings.

    The control has been written in VB6.

  3. #3 Senior Member (Join Date: Apr 2002, Posts: 324)

    Check Hosts Script

    This is the above script zipped for your offline pleasure. The zip file also contains the 'hosts' file that the script uses to build a list of live proxy servers and the sbwinsock.ocx control.

  4. #4 Senior Member (Join Date: Apr 2002, Posts: 1,049)
    wow ntsa another good tut man have u been 2 work lately J/K
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  5. #5 Member (Join Date: Jul 2002, Posts: 65)
    Looks good. But something to note, I have found that not all of the proxies on multiproxy.com are anonymous proxies. Your code does not make any attempt to verify that the proxies are indeed anonymous, but rather checks solely for an active host.

    Another thing I have noticed while using a proxy from multiproxy.com's list is that the working ones are very slow. Unfortunately, pinging each one does not give us an accurate measurement of the expected throughput.

    Also, where do they get these lists of proxies? Are they acquired from port scanning active subnets in search of poorly configured proxies that allow outside connections? Are people really supposed to be using them?

    But other than that, nice job. It looks like it could be a handy tool for someone who hunts for proxy servers.

    --Sudo

  6. #6 Senior Member (Join Date: Apr 2002, Posts: 324)
    not all of the proxies on multiproxy.com are anonymous proxies
    Good point - well spotted, that man. For the purposes of this article, however, I was not as worried about the anonymity of the proxy, just whether it was live or not. (It just interested me how one could write the code in Part II of this article, rather than using it to actually hack servers). All this script is intended to do is retrieve a list of live proxies for use in Part II of this article.

    As you rightly suggest, a production version would obviously require more sanity checking in this part of the script to ensure that the proxies on this list were anonymous as well as just live.

    Unfortunately, pinging each one does not give us an accurate measurement of the expected throughput.
    You can set a low delay (with the -d switch) for this script so as to only return proxies that respond quickly.

    Good comment. You get greens.
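The server-side counterpart of the anonymity question raised in the two posts above, as an added example in Python that is not from the thread: given the connecting address and the request headers, it reports whether a proxy announced itself and which originating address, if any, it disclosed. Header values and addresses are constructed from documentation ranges.

```python
# Added example, not from the thread. The thread's premise is that the server
# logs the proxy's address, while posts 5 and 6 note that many listed proxies
# are not anonymous. This is the server-side view: given the peer address and
# request headers, report whether the request shows signs of a proxy and which
# originating address, if any, the proxy disclosed. Samples are constructed.
import ipaddress

# Headers that forwarding proxies commonly add (compared case-insensitively)
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip")

def _forwarded_for(value):
    """Addresses named by for= pairs in an RFC 7239 Forwarded header."""
    addrs = []
    for element in value.split(","):
        for pair in element.split(";"):
            key, _, val = pair.strip().partition("=")
            if key.strip().lower() == "for":
                addrs.append(val.strip().strip('"').strip("[]"))
    return addrs

def classify_request(peer_ip, headers):
    """Return {'via_proxy', 'disclosed_client', 'log_ip'} for one request.
    disclosed_client is the first well-formed address a proxy header names
    that is not the peer itself, loopback or unspecified; log_ip is the
    address to record as the originator (the peer when nothing is disclosed)."""
    h = {k.lower(): v for k, v in headers.items()}
    via_proxy = any(name in h for name in PROXY_HEADERS)
    candidates = []
    if "x-forwarded-for" in h:  # leftmost entry is the original client
        candidates += [a.strip() for a in h["x-forwarded-for"].split(",")]
    if "forwarded" in h:
        candidates += _forwarded_for(h["forwarded"])
    if "x-real-ip" in h:
        candidates.append(h["x-real-ip"].strip())
    disclosed = None
    for cand in candidates:
        try:
            addr = ipaddress.ip_address(cand)
        except ValueError:  # 'unknown', obfuscated tokens, garbage
            continue
        if addr.is_loopback or addr.is_unspecified or str(addr) == peer_ip:
            continue
        disclosed = str(addr)
        break
    return {"via_proxy": via_proxy, "disclosed_client": disclosed,
            "log_ip": disclosed or peer_ip}
```

A request relayed by a truly anonymising proxy yields the second case below (no proxy headers, nothing disclosed), which is indistinguishable from a direct connection by headers alone; that is why such traffic is usually recognised by matching the peer address against known open-proxy lists rather than by inspecting the request.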

  7. #7 Senior Member (Join Date: Apr 2002, Posts: 324)
    Sure - there are lots of ways of getting a list of proxies.

    As I said, for the purposes of this article all I needed was a list of live proxies. I didn't write a check of the proxy servers' anonymity because I wasn't about to use it for a real exploit.

    The proxy list that is created by this script is used in Part II of this tutorial. In this part I just wanted to show how such a list might be arrived at. If you have a better way of arriving at a list of live proxies (and, yes, you could add a check for anonymity if you wanted) skip straight on to Part II of this article in which I show how to rotate requests from a file against a target machine via an array of proxies.

  8. #8 Junior Member (Join Date: Jun 2006, Posts: 6)

    Question

    ntsa: can you post here a list of exploit list file and also a proxy list file?

    This is why: I couldn't understand the reason for splitting the proxy and exploit list with the "," delimiter character in your code.

    I want to see the list file format.

    second reason is, to get an updated exploit list.

    my exploit list is attached.

    thanks.
    let me breath!

  9. #9 Member (Join Date: Jun 2004, Posts: 37)
    You wrote a proxy scanner in vbs?

    Crazy.

  10. #10 Senior Member (Join Date: Jul 2004, Posts: 469)
    Being that this post is from 2002, and NTSA hasn't posted since 2003, I really doubt you're going to get a response to this message. Just a feeling I have...
