Overview

In parts IV and V of my TCPUtil articles I'm going to look at how to cloak the requests that are sent from our sockets script. Cloaking in this context means hiding your IP address from the server with which we wish to communicate.

To hide our IP address we use a proxy server, which accepts connections from ourselves and passes them on to another computer. The receiving computer logs the IP address of the proxy server rather than our IP address.

If you have not already read parts I - III of this set of articles please refer to these threads first before attempting the following:
Scripting Internet Connections Under Window$
Search Engine submission 'exploit'
Google 'exploit' - TCPUtil pt III

This is part one of a two part article on how to use the TCPUtil code to write a cloaked exploit scanner. This article, part IV, covers how to create the list of live anonymising proxy servers that we will use in part V.

You can see Part II of this two part tutorial here.

Proxy Servers

What Is a proxy server?

A proxy server is a kind of buffer between your computer and the Internet resources you are accessing (e.g. Web sites or FTP archives). The data you request come to the proxy first, and only then it transmits the data to you.
From: http://www.inetprivacy.com/a4proxy/a...-proxy-faq.htm
You can proxy a request via telnet or netcat. To do this we would use the following syntax:
Code:
NC {ProxyIP} {Port}
GET http://www.targetserver.com/ HTTP/1.0 <crlf>
<crlf>
The <crlf>'s above are carriage return line feeds, or Enter on your keyboard. Notice here that rather than GETting the root file, or just '/', from the webserver we GET the fully qualified URL including the host name. The proxy forwards our request and responds with the information returned from the proxy.
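
Seen from the receiving side, the fully qualified request line described above is what a proxy probe looks like in a web server's access log. The following is an added example, not part of the original article: it flags requests that ask a server to relay to a host it does not serve. The log layout, the OUR_HOSTS names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hostnames this web server really serves (assumed for the example).
OUR_HOSTS = {"www.example.org", "example.org"}

# Common Log Format prefix: client, ident, user, [time], "request line", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3})')

def foreign_proxy_target(request_line, our_hosts=OUR_HOSTS):
    """Return the foreign host a request line asks us to relay to, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":            # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:              # absolute-form: scheme://host/path
        host = urlsplit(target).hostname or ""
    else:                              # origin-form ("/path"): ordinary request
        return None
    host = host.lower().strip("[]")
    return host if host and host not in our_hosts else None

def find_proxy_probes(log_lines, our_hosts=OUR_HOSTS):
    """Map client IP -> list of (foreign host, status) for relay attempts."""
    probes = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request_line, status = m.group(1), m.group(2), int(m.group(3))
        host = foreign_proxy_target(request_line, our_hosts)
        if host:
            probes[client].append((host, status))
    return dict(probes)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Jul/2002:10:00:02 +0000] "HEAD http://www.google.com/ HTTP/1.0" 200 0',
    '198.51.100.7 - - [12/Jul/2002:10:00:03 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 0',
    '192.0.2.10 - - [12/Jul/2002:10:00:04 +0000] "GET http://www.example.org/about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, hits in find_proxy_probes(SAMPLE_LOG).items():
        print(client, hits)
```

A 200 on a relay attempt deserves a closer look because it can mean the server forwarded the request, although a server that ignores the foreign host and serves its own page also answers 200.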

An anonymising proxy is a proxy server that does not pass on information about your IP. There is a list of anonymising proxy servers on the multiproxy website at http://www.multiproxy.org/anon_list.htm. The code here only works with IP addresses, so if you plan to rebuild the proxy list provided in the zip file then remember to select the top Domain as IP address only before copying the host list.

Finding Live Proxies.

Ok - so now you have your list of anonymising proxies from multiproxy, all you have to do is figure out which of them work. I couldn't be bothered to sit and try them each individually so I decided to write a script to check each proxy in the hosts file using TCPUtil and a new Ping control (both provided at the end of the article) to test if they were live. The source code for the ping control is zipped separately at the end of this article.

The hosts file is in the following format:

Code:
{ProxyIP}:{ProxyPort}
24.132.153.105:3128 
211.0.113.202:80 
194.225.166.1:80 
.
Notice the ':' delimiter that splits the dotted quad IP address and the port number. Also notice that the last line MUST contain the '.' character to tell the script it has reached the end of the file.

Registration of the controls

You need to register the networkfunc.ocx and sbwinsock.ocx controls provided in the zip file at the end of this post. To register an OCX component run the following command:

Code:
regsvr32 <path_to_OCX>\<component_name>.OCX

Usage

The -o option specifies the file in which the list of live proxy servers is saved.

Code:
Usage: CheckHosts.vbs [--outputfile|-o]
        [--Delay|-d] Page Time Out delay (in seconds) Default: 3 Seconds
        [--Verbose|-v]
        [--debug|-vv]
        [--Help|/?]>

EXAMPLE: Checkhosts.vbs -o livehosts

The results

The script creates a list of live proxy servers. The results (from my computer at least) were as follows:

The Code!

This script uses the ping control to attempt to ping each proxy server in the hosts file. If the proxy responds to the ping, the script then attempts to retrieve the HEAD information for Google's home page through it. If the proxy returns the page correctly, the script adds the proxy's host and port to the output file specified with the -o switch.

Code:
WScript.Echo "--Proxy Validation Script."
WScript.Echo "--July 2002 by NTSA."
WScript.Echo "--www.ntsa.org.uk"
WScript.Echo ""

Const ForReading = 1, ForWriting = 2
Dim pingx,fso, MyFile

dim buffer,blncon,blnSkip,wtresp,secwait,blnLastcmdnull 'Program Vars
DIM blnbuff,blnifile,lang,sdelay,Verbose,debug,iFile,Ofile,str,Target 'User Vars
Dim oArgs, ArgNum 'Argument vars

Const sckTCPProtocol=0 
Const sckUDPProtocol=1

const FlgDebug =1
const flgVerbose =2
const flgEcho =3

'Create a FSO for file I/O operations
Set fso = CreateObject("Scripting.FileSystemObject")
'Create the winsock object and pass the event handler to wsPop_
on error resume next
Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
'COM failures are usually negative HRESULTs, so test for any non-zero value
if err.number <> 0 then 
out "Could not create an instance of the SBWinsck control.",flgEcho
out "You need to register SBWinsck.ocx using the regsvr32",flgEcho
out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path",flgEcho
out "is the full path to the ocx file.",flgEcho
'Nothing below can work without the control, so stop here
wscript.quit(1)
end if
Set Pingx = WScript.CreateObject("Networkfuncs.pingx")
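'The proxy list is read from the file "hosts" in the current directory.
'Results are always written to "livehosts" here; the -o value (oFile) is
'checked in GetUserParams but is not used when the output file is opened.
Set hosts = fso.OpenTextFile("hosts", ForReading)
Set livehosts = fso.OpenTextFile("livehosts", ForWriting, True)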

GetUserParams

do while trim(host) <> "."
host = hosts.ReadLine
if len(trim(host)) > 0 and trim(host) <> "." then
h =  split(host,":")

IF (PingX.ping(cstr(h(0))) = true) then

	str = "HEAD http://www.google.com/ HTTP/1.0" & vbcrlf

	Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")

	tcpClient.Protocol = sckTCPProtocol
	tcpClient.RemoteHost = h(0) 
	tcpClient.RemotePort =  h(1)

	tcpClient.Connect

	tio = 0
	do until blncon = true or blnskip = true or tio = sdelay *2
		WSCRIPT.SLEEP 500
		out "Waiting for connection...",FlgDebug
		tio = tio + 1
	LOOP

	con = true
	'Timed out - Could not connect
	if tio = sdelay *2 and blnskip =false then 
		out "Could not connect to: " & tcpClient.RemoteHost & _
		" on port: " & tcpClient.RemotePort & ".",FlgEcho
		con = false
	end if
	
	if con = true then
		tio = 0
		do until blncon = false or tio = sdelay *2
			WSCRIPT.SLEEP 500
			out "Waiting for disconnection...",FlgDebug
			tio = tio + 1
		loop

		'Output buffer to screen
		out "Returncode>" & mid(buffer,10,3),FlgEcho
		IF mid(buffer,10,3) = "200" then
			con = true
		else
			con = false
		end if
	end if

	blncon = false
	blnskip = false
	buffer = ""
	tcpclient.disconnect
	Set tcpClient=nothing

	if con = true then
		out "Checking: " & h(0) & "...Live!",flgecho
		livehosts.WriteLine h(0) & ":" & h(1)
	else
		out "Checking: " & h(0) & "...fails.",flgverbose
	end if
else
	out "Checking: " & h(0) & "...fails.",flgverbose
end if
end if
loop
livehosts.WriteLine "."

Sub wsPop_DataArrival(Byval b)

dim strdata
out "Data Arrival...",flgverbose	
'/* Get the data and add it to the buffer...
'*/
tcpClient.GetData strData,vbstring

if blnbuff = true then
buffer = buffer &  strdata
else
out strdata,Flgverbose
end if

'Data has just arrived - wait some 
'more to see if anything further comes
secwait = 100
blnskip = true

end sub

Sub wsPop_Connected()

blncon = true
blnskip = true
out "Connected...",flgverbose
'sending data to the host
out "Sending data...",flgverbose

sendandlog str & vbcrlf

out "Data sent.",flgverbose

End Sub

sub sendandlog(data)

tcpclient.SendData data & vbCrLf
LogDataSend(data)

end sub

sub LogDataSend(poststr)

if port = 80 then
out "Sending:> " & poststr,Flgverbose
else 
'out "Sending:> " & poststr,FlgEcho
end if

end sub

Sub wsPop_Close()

blncon = false
out "Disconnected...",flgverbose

End Sub


function IsEmpty(str)

if str & "" = "" then 
isempty = true
else
isempty = false
end if

end function

function iCount(str,del)

icount =0

for i = 1 to len(str)
if mid(str,i,1) = del then
	icount = icount +1
end if
next

icount = icount - 1

end function

function input(quest)

WScript.StdOut.Write(quest & ":>")
input = WScript.StdIn.ReadLine()

end function

sub out(str,flg)

select case flg
case flgEcho
	wscript.echo str
case flgVerbose
	if verbose = true or debug = true then
		wscript.echo str
	end if
case FlgDebug
	if debug = true then
		wscript.echo str
	end if
end select
end sub

function RemoveDel(str)

RemoveDel = replace(str,"/","")
RemoveDel = replace(RemoveDel,"-","")
RemoveDel = replace(RemoveDel,"--","")

end function

sub GetUserParams

buffset = 0

Set oArgs = WScript.Arguments
ArgNum = 0
While ArgNum < oArgs.Count

Select Case RemoveDel(LCase(oArgs(ArgNum)))
	Case "outputfile","o":
		ArgNum = ArgNum + 1
		If (fso.FileExists(oArgs(ArgNum))) Then
			oFile = oArgs(ArgNum)
		else
			out "Error! The file " & oArgs(ArgNum) & _
			" was not found.",FlgEcho
			out "",FlgEcho
			displayusage
			wscript.quit(1)
		end if
	Case "delay","d":
		ArgNum = ArgNum + 1
		sdelay = oArgs(ArgNum)
	Case "help","?":
		Call DisplayUsage
	Case "verbose", "v":
		Verbose = true
	Case "debug","vv":
		debug = true
	Case Else:
		WScript.Echo "Unknown argument "& oArgs(ArgNum)
		Call DisplayUsage
		wscript.quit(1)
End Select	
ArgNum = ArgNum + 1
Wend

'debug = true
'verbose = true
'sdelay = 3
blnbuff = true

if isempty(sdelay) then
'Set default as 3 second delay before breaking connection
sdelay = 3
end if

if isempty(ofile) then
'No output file was given: show the usage text and stop
out "Please specify where to output the file.",flgecho
displayusage
wscript.quit(1)
end if

end sub

Sub DisplayUsage

WScript.Echo "Usage: CheckHosts.vbs [--outputfile|-o]"
WScript.Echo "        [--Delay|-d] Page Time Out delay" & _ 
		   "(in seconds) Default: 3 Seconds"
WScript.Echo "        [--Verbose|-v]"
WScript.Echo "        [--debug|-vv]"
WScript.Echo "        [--Help|/?]>"
WScript.Echo ""
WScript.Quit (1)	

End Sub