July 17th, 2002, 04:44 PM
#1
Cloaked Exploit Scanner
Overview
In parts IV and V of my TCPUtil articles I'm going to look at how to cloak the requests sent by our sockets script. Cloaking in this context means hiding our IP address from the server we wish to communicate with.
To hide our IP address we use a proxy server, which accepts connections from us and passes them on to another computer. The receiving computer logs the IP address of the proxy server rather than ours.
If you have not already read parts I - III of this set of articles please refer to these threads first before attempting the following:
Scripting Internet Connections Under Window$
Search Engine submission 'exploit'
Google 'exploit' - TCPUtil pt III
This is part one of a two part article on how to use the TCPUtil code to write a cloaked exploit scanner. This article, part IV, covers how to create the list of live anonymising proxy servers that we will use in part V.
You can see Part II of this two part tutorial here.
Proxy Servers
What Is a proxy server?
A proxy server is a kind of buffer between your computer and the Internet resources you are accessing (e.g. Web sites or FTP archives). The data you request comes to the proxy first, and only then does it transmit the data to you.
From: http://www.inetprivacy.com/a4proxy/a...-proxy-faq.htm
You can proxy a request by hand with telnet or netcat: connect to the proxy's IP address and port, type the request line and press enter twice (two carriage return line feeds, which end the request headers). Notice that rather than GETting the root file, or just '/', from the web server we GET the fully qualified URL including the host name. The proxy forwards our request to that host and passes back to us the response it receives from the target server.
An anonymising proxy is a proxy server that does not pass on information about your IP. There is a list of anonymising proxy servers on the multiproxy website at http://www.multiproxy.org/anon_list.htm. The code here only works with IP addresses, so if you plan to rebuild the proxy list provided in the zip file remember to set the top Domain option to 'IP address only' before copying the host list.
Finding Live Proxies.
Ok - so now you have your list of anonymising proxies from multiproxy, all you have to do is figure out which of them work. I couldn't be bothered to sit and try each of them individually, so I decided to write a script that checks each proxy in the hosts file using TCPUtil and a new Ping control (both provided at the end of the article) to test whether they are live. The source code for the ping control is zipped separately at the end of this article.
The hosts file is in the following format:
Code:
{ProxyIP}:{ProxyPort}
24.132.153.105:3128
211.0.113.202:80
194.225.166.1:80
.
Notice the ':' delimiter that separates the dotted quad IP address from the port number. Also notice that the last line MUST contain the '.' character to tell the script it has reached the end of the file.
Registration of the controls
You need to register the networkfunc.ocx and sbwinsock.ocx controls provided in the zip file at the end of this post. To register an OCX component run the following command:
regsvr32 <path_to_OCX>\<component_name>.OCX
Usage
The -o option specifies the file in which to save the list of live proxy servers.
Code:
Usage: CheckHosts.vbs [--outputfile|-o] <file>
[--Delay|-d] Page Time Out delay (in seconds) Default: 3 Seconds
[--Verbose|-v]
[--debug|-vv]
[--Help|/?]
EXAMPLE: Checkhosts.vbs -o livehosts
The results
The script creates a list of live proxy servers. The results (from my computer at least) were as follows:
207.2.54.2:80
12.34.48.126:80
12.34.48.129:80
66.64.3.154:80
208.144.37.7:80
207.35.39.100:80
204.60.171.225:80
200.23.209.209:80
206.228.51.3:80
206.105.71.2:80
209.11.25.1:80
207.232.162.139:80
193.164.99.165:80
204.184.137.1:80
204.185.138.59:80
209.152.98.155:80
211.17.150.163:80
63.162.212.2:80
193.164.99.105:80
64.5.220.82:80
202.106.169.20:80
204.196.104.27:80
194.209.157.111:80
194.106.137.20:80
195.53.255.242:80
193.52.220.2:80
212.80.166.163:80
194.79.171.67:80
195.223.151.7:80
196.40.22.179:80
200.41.234.241:80
203.53.209.66:80
203.41.81.65:80
209.88.62.54:80
218.44.134.139:80
211.100.0.34:80
195.53.242.35:80
217.144.0.5:80
195.56.183.77:80
61.142.169.98:80
212.80.166.163:8080
63.98.0.177:80
194.65.77.1:80
164.58.28.250:80
210.196.156.203:80
196.40.9.146:80
202.110.225.196:80
200.199.249.66:80
200.231.33.233:80
203.58.25.15:80
195.47.14.193:80
64.123.185.66:80
210.178.112.1:80
211.35.78.36:80
210.178.187.250:80
207.167.236.137:80
203.37.71.14:80
192.116.162.68:80
.
The Code!
This script uses the ping control to attempt to ping each proxy server in the hosts file. If the proxy responds to the ping, the script then attempts to retrieve the HEAD information for Google's home page through it. If the proxy relays the page correctly (a 200 status line comes back) the script adds the proxy IP and port to the output file specified with the -o switch.
Code:
WScript.Echo "--Proxy Validation Script."
WScript.Echo "--July 2002 by NTSA."
WScript.Echo "--www.ntsa.org.uk"
WScript.Echo ""

Const ForReading = 1, ForWriting = 2
Const sckTCPProtocol = 0
Const sckUDPProtocol = 1
Const FlgDebug = 1
Const FlgVerbose = 2
Const FlgEcho = 3

Dim fso, hosts, livehosts, tcpClient, pingx   'Objects
Dim buffer, blncon, blnskip, blnbuff          'Socket state shared with the wsPop_ event handlers
Dim reqLine                                   'Request sent as soon as the socket connects
Dim sdelay, Verbose, blnDebug, oFile          'User options
Dim oArgs, ArgNum                             'Argument vars
Dim host, h, con

'Create a FSO for file I/O operations
Set fso = CreateObject("Scripting.FileSystemObject")

'Read the command line first: it supplies the output file (-o) and the timeout (-d).
GetUserParams

'Check that both controls are registered before touching the network. The winsock
'control is created with the "wsPop_" prefix so its events are delivered to
'wsPop_Connected, wsPop_DataArrival and wsPop_Close below.
On Error Resume Next
Set tcpClient = WScript.CreateObject("sbWinsck.winsock", "wsPop_")
If Err.Number <> 0 Then
    out "Could not create an instance of the SBWinsck control.", FlgEcho
    out "You need to register SBWinsck.ocx using the regsvr32", FlgEcho
    out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path", FlgEcho
    out "is the full path to the ocx file.)", FlgEcho
    WScript.Quit(1)
End If
Set tcpClient = Nothing
Set pingx = WScript.CreateObject("Networkfuncs.pingx")
If Err.Number <> 0 Then
    out "Could not create an instance of the Networkfuncs.pingx control.", FlgEcho
    out "Register networkfunc.ocx with regsvr32 in the same way.", FlgEcho
    WScript.Quit(1)
End If
On Error GoTo 0

'The proxy list is read from 'hosts' in the current directory. Live proxies go
'to the file named with -o, which is created (or overwritten) here.
Set hosts = fso.OpenTextFile("hosts", ForReading)
Set livehosts = fso.OpenTextFile(oFile, ForWriting, True)

'Collect replies in buffer rather than echoing them, so the status line can be read.
blnbuff = True

'Loop until the "." terminator. Also stop at end of file, so a hosts file that
'lacks the terminator does not make ReadLine raise an error.
Do While Not hosts.AtEndOfStream
    host = Trim(hosts.ReadLine)
    If host = "." Then Exit Do
    If Len(host) > 0 Then
        h = Split(host, ":")
        If UBound(h) <> 1 Then
            out "Skipping malformed line (expected ip:port): " & host, FlgEcho
        ElseIf pingx.ping(CStr(h(0))) = True Then
            con = CheckProxy(h(0), h(1))
            If con = True Then
                out "Checking: " & h(0) & "...Live!", FlgEcho
                livehosts.WriteLine h(0) & ":" & h(1)
            Else
                out "Checking: " & h(0) & "...fails.", FlgVerbose
            End If
        Else
            out "Checking: " & h(0) & "...no ping reply.", FlgVerbose
        End If
    End If
Loop

'Terminate the output with "." so it can be fed back in as a hosts file.
livehosts.WriteLine "."
livehosts.Close
hosts.Close

'Connect to the proxy, request the HEAD of Google's home page through it and
'return True only if the proxy relays a "200" status line back to us.
Function CheckProxy(ip, port)
    Dim tio, code
    CheckProxy = False
    buffer = ""
    blncon = False
    blnskip = False
    reqLine = "HEAD http://www.google.com/ HTTP/1.0"

    Set tcpClient = WScript.CreateObject("sbWinsck.winsock", "wsPop_")
    tcpClient.Protocol = sckTCPProtocol
    tcpClient.RemoteHost = ip
    tcpClient.RemotePort = port
    tcpClient.Connect

    'Wait up to sdelay seconds (polled every 500ms) for the Connected event.
    tio = 0
    Do Until blncon = True Or blnskip = True Or tio >= sdelay * 2
        WScript.Sleep 500
        out "Waiting for connection...", FlgDebug
        tio = tio + 1
    Loop

    If blncon = False And blnskip = False Then
        'Timed out - could not connect
        out "Could not connect to: " & ip & " on port: " & port & ".", FlgEcho
    Else
        'Connected, and wsPop_Connected has sent the request. An HTTP/1.0 server
        'closes the socket after its response, so wait for the Close event (or
        'give up after sdelay seconds).
        tio = 0
        Do Until blncon = False Or tio >= sdelay * 2
            WScript.Sleep 500
            out "Waiting for disconnection...", FlgDebug
            tio = tio + 1
        Loop

        code = StatusCode(buffer)
        out "Returncode>" & code, FlgEcho
        If code = "200" Then CheckProxy = True
    End If

    tcpClient.disconnect
    Set tcpClient = Nothing
End Function

'Pull the three-digit code out of the status line "HTTP/1.x NNN Reason".
'Returns "" when the reply does not start with an HTTP status line.
Function StatusCode(resp)
    Dim parts
    StatusCode = ""
    parts = Split(Trim(Split(resp & vbCrLf, vbCrLf)(0)), " ")
    If UBound(parts) >= 1 Then
        If Left(parts(0), 5) = "HTTP/" Then StatusCode = parts(1)
    End If
End Function

Sub wsPop_Connected()
    blncon = True
    blnskip = True
    out "Connected...", FlgVerbose
    'Send the request line plus the blank line that ends the headers.
    out "Sending data...", FlgVerbose
    sendandlog reqLine & vbCrLf
    out "Data sent.", FlgVerbose
End Sub

Sub wsPop_DataArrival(ByVal b)
    Dim strData
    out "Data Arrival...", FlgVerbose
    'Get the data and add it to the buffer...
    tcpClient.GetData strData, vbString
    If blnbuff = True Then
        buffer = buffer & strData
    Else
        out strData, FlgVerbose
    End If
    blnskip = True
End Sub

Sub wsPop_Close()
    blncon = False
    out "Disconnected...", FlgVerbose
End Sub

Sub sendandlog(data)
    tcpClient.SendData data & vbCrLf
    out "Sending:> " & data, FlgVerbose
End Sub

'True for Empty or "" (named IsBlank so as not to shadow the built-in IsEmpty).
Function IsBlank(v)
    IsBlank = (v & "" = "")
End Function

'Print str at the requested level: FlgEcho always, FlgVerbose with -v or -vv,
'FlgDebug only with -vv.
Sub out(str, flg)
    Select Case flg
        Case FlgEcho
            WScript.Echo str
        Case FlgVerbose
            If Verbose = True Or blnDebug = True Then WScript.Echo str
        Case FlgDebug
            If blnDebug = True Then WScript.Echo str
    End Select
End Sub

'Strip the option prefix so "--outputfile", "-o" and "/?" all match.
Function RemoveDel(str)
    RemoveDel = Replace(Replace(str, "/", ""), "-", "")
End Function

Sub GetUserParams
    Set oArgs = WScript.Arguments
    ArgNum = 0
    While ArgNum < oArgs.Count
        Select Case RemoveDel(LCase(oArgs(ArgNum)))
            Case "outputfile", "o"
                ArgNum = ArgNum + 1
                If ArgNum >= oArgs.Count Then
                    out "Error! -o needs a file name.", FlgEcho
                    DisplayUsage
                End If
                oFile = oArgs(ArgNum)
            Case "delay", "d"
                ArgNum = ArgNum + 1
                If ArgNum >= oArgs.Count Then
                    out "Error! -d needs a number of seconds.", FlgEcho
                    DisplayUsage
                End If
                If Not IsNumeric(oArgs(ArgNum)) Then
                    out "Error! -d needs a number of seconds.", FlgEcho
                    DisplayUsage
                End If
                sdelay = CInt(oArgs(ArgNum))
            Case "help", "?"
                DisplayUsage
            Case "verbose", "v"
                Verbose = True
            Case "debug", "vv"
                blnDebug = True
            Case Else
                WScript.Echo "Unknown argument " & oArgs(ArgNum)
                DisplayUsage
        End Select
        ArgNum = ArgNum + 1
    Wend

    'Default: allow 3 seconds to connect and 3 seconds for the response.
    If IsBlank(sdelay) Then sdelay = 3

    'The output file is mandatory.
    If IsBlank(oFile) Then
        out "Please specify where to output the file.", FlgEcho
        DisplayUsage
    End If
End Sub

'Print the usage and exit with a failure code.
Sub DisplayUsage
    WScript.Echo "Usage: CheckHosts.vbs [--outputfile|-o] <file>"
    WScript.Echo "       [--Delay|-d] Page Time Out delay " & _
                 "(in seconds) Default: 3 Seconds"
    WScript.Echo "       [--Verbose|-v]"
    WScript.Echo "       [--debug|-vv]"
    WScript.Echo "       [--Help|/?]"
    WScript.Echo ""
    WScript.Quit(1)
End Sub
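The same checks in Python, as an added example rather than code from the original post: it parses the hosts file format described above (':' between IP and port, '.' as terminator), builds the absolute-URI request that a proxy expects, and reads the status code off the reply's first line instead of trusting a fixed offset into the buffer. The network transport is injected so the block runs offline against constructed replies; the addresses and replies at the bottom are made up, and socket_transport() is what you would pass in to run it for real.

```python
"""Python model of the CheckHosts.vbs probe (added example, not code from the
original post): parse the hosts file, send an absolute-URI HEAD request through
each proxy and keep those that relay an HTTP 200 status line.  The network
transport is injected, so this runs offline against the constructed replies at
the bottom; socket_transport() is the real one.  No real proxy data is used."""
from __future__ import annotations
import socket
from typing import Callable, Optional

# transport(ip, port, request, timeout_seconds) -> reply bytes, or None on failure
Transport = Callable[[str, int, bytes, float], Optional[bytes]]


def _is_dotted_quad(ip: str) -> bool:
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_hosts(text: str) -> list[tuple[str, int]]:
    """One '{ip}:{port}' per line, '.' terminates.  Blank lines and lines without
    a numeric port or a valid dotted quad are skipped instead of aborting the run."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            break
        if not line:
            continue
        ip, sep, port = line.partition(":")
        if sep and port.isdigit() and _is_dotted_quad(ip):
            entries.append((ip, int(port)))
    return entries


def build_proxy_request(url: str, method: str = "HEAD") -> bytes:
    """A proxied request names the absolute URL (scheme and host), not just the
    path, and ends with an empty line: two CRLFs close the header block."""
    return f"{method} {url} HTTP/1.0\r\n\r\n".encode("ascii")


def status_code(reply: bytes) -> Optional[int]:
    """Code from 'HTTP/1.x NNN Reason'; None if the reply is not an HTTP status
    line at all (a fixed Mid(buffer, 10, 3) would return three junk characters)."""
    parts = reply.split(b"\r\n", 1)[0].strip().split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def check_proxy(ip: str, port: int, transport: Transport, timeout: float = 3.0,
                url: str = "http://www.google.com/") -> bool:
    """Live means: connected, relayed the request and came back with 200 for url."""
    reply = transport(ip, port, build_proxy_request(url), timeout)
    return reply is not None and status_code(reply) == 200


def socket_transport(ip: str, port: int, request: bytes, timeout: float) -> Optional[bytes]:
    """Real transport: connect, send, read until the HTTP/1.0 server closes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while chunk := s.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)
    except OSError:
        return None


def find_live_proxies(hosts_text: str, transport: Transport, timeout: float = 3.0) -> list[str]:
    return [f"{ip}:{port}" for ip, port in parse_hosts(hosts_text)
            if check_proxy(ip, port, transport, timeout)]


def render_livehosts(live: list[str]) -> str:
    """Same format as the input, '.' terminator included, so Part V can read it back."""
    return "".join(f"{entry}\n" for entry in live) + ".\n"


# --- constructed sample data (documentation address ranges, not real hosts) ----
SAMPLE_HOSTS = "192.0.2.10:3128\n192.0.2.11:80\n192.0.2.12:8080\n192.0.2.13\n198.51.100.5:80\n\n.\n203.0.113.9:80\n"
FAKE_REPLIES = {
    ("192.0.2.10", 3128): b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n",
    ("192.0.2.11", 80): b"HTTP/1.1 403 Forbidden\r\n\r\n",  # refuses to relay
    ("192.0.2.12", 8080): None,                               # connect timeout
    ("198.51.100.5", 80): b"<html>not a proxy</html>",        # plain web server
}


def fake_transport(ip: str, port: int, request: bytes, timeout: float) -> Optional[bytes]:
    return FAKE_REPLIES.get((ip, port))


if __name__ == "__main__":
    print(render_livehosts(find_live_proxies(SAMPLE_HOSTS, fake_transport)), end="")
```

Of the five entries only the first is kept: the 403 is a proxy that will not relay, the timeout never connects, the bare HTML banner is a web server rather than a proxy and the entry without a port is dropped at parse time. The line after the '.' terminator is ignored, exactly as the VBScript loop would ignore it.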
If you enjoyed this thread you may enjoy these others:
Cloaked Exploit Scanner Part I and Part II
Google 'exploit' - TCPUtil pt III
Open Source FTP Control
Web based classes
Backing up the IIS metabase.
What port is that?
Building your own IDS tripwire.
Credit card security
Dumping SQL data to a text file
Hunting down skript kiddies
Search Engine submission 'exploit'
Forced shutdown of a remote nt/2k server
Securing an installation of IIS 4. (No, seriously)
Remote DSN Connections, using WinAPIs and the registry
Scripting Internet Connections Under Window$
"I may not agree with what you say, but I will defend to the death your right to say it."
Sir Winston Churchill.
July 17th, 2002, 04:46 PM
#2
PingX Control Source Code
This is the source code for the pingx control that is used by the above script to check if a proxy is responding to pings.
The control has been written in VB6.
July 17th, 2002, 04:48 PM
#3
Check Hosts Script
This is the above script zipped for your offline pleasure. The zip file also contains the 'hosts' file that the script uses to build a list of live proxy servers and the sbwinsock.ocx control.
July 17th, 2002, 06:32 PM
#4
wow ntsa another good tut man have u been 2 work lately J/K
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharoes have the slaves demanding work
http://muaythaiscotland.com/
July 17th, 2002, 09:05 PM
#5
Looks good. But something to note, I have found that not all of the proxies on multiproxy.com are anonymous proxies. Your code does not make any attempt to verify that the proxies are indeed anonymous, but rather checks solely for an active host.
Another thing I have noticed while using a proxy from multiproxy.com's list is that the working ones are very slow. Unfortunately, pinging each one does not give us an accurate measurement of the expected throughput.
Also, where do they get these lists of proxies? Are they acquired by port scanning active subnets in search of poorly configured proxies that allow outside connections? Are people really supposed to be using them?
But other than that, nice job. It looks like it could be a handy tool for someone who hunts for proxy servers.
--Sudo
July 17th, 2002, 10:14 PM
#6
not all of the proxies on multiproxy.com are anonymous proxies
Good point - well spotted, that man. For the purposes of this article, however, I was not as worried about the anonymity of the proxy, just whether it was live or not. (It just interested me how one could write the code in Part II of this article, rather than using it to actually hack servers.) All this script is intended to do is retrieve a list of live proxies for use in Part II of this article.
As you rightly suggest, a production version would obviously require more sanity checking in this part of the script to ensure that the proxies on this list were anonymous as well as just live.
Unfortunately, pinging each one does not give us an accurate measurement of the expected throughput.
You can set a low delay (with the -d switch) for this script so as to only return proxies that respond quickly.
Good comment. You get greens.
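The anonymity check that the two posts above agree the scanner lacks, as an added example in Python (not code from the thread). It assumes you fetch a page through each proxy from a web server you control and capture the raw request that server receives; the server name echo.example.test, the client address and every captured request below are constructed.

```python
"""Anonymity check that the two posts above agree the scanner lacks (added
example, not code from the thread).  Fetch a page on a web server you control
through each proxy, capture the raw request that server receives, and inspect
the headers a proxy adds: if your own address appears in them the proxy is
transparent and cloaks nothing; if only proxy-identifying headers appear it is
anonymous; if none appear it is high-anonymity ('elite').  The server name
echo.example.test and every capture below are constructed."""
from __future__ import annotations

# Headers through which a proxy announces itself or forwards the client address.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip", "client-ip", "x-proxy-id")


def parse_request_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Request line plus a lower-cased header dict.  Repeated headers (one Via per
    hop is common) are folded into a comma-separated value, as HTTP permits."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return lines[0], headers


def classify_proxy(raw_request: bytes, client_ip: str) -> str:
    """'transparent' if client_ip reaches the target in any proxy header,
    'anonymous' if proxy headers are present without it, otherwise 'elite'."""
    _, headers = parse_request_headers(raw_request)
    present = [h for h in PROXY_HEADERS if h in headers]
    if any(client_ip in headers[h] for h in present):
        return "transparent"
    return "anonymous" if present else "elite"


def cloaking_proxies(captures: dict[str, bytes], client_ip: str) -> list[str]:
    """Proxies that hide the client address (anonymous or elite), in list order."""
    return [proxy for proxy, raw in captures.items()
            if classify_proxy(raw, client_ip) != "transparent"]


# --- constructed captures: what the hypothetical echo.example.test server saw --
CLIENT_IP = "192.0.2.44"  # constructed: the scanning machine's own address
CAPTURES = {
    "198.51.100.7:3128": (b"GET / HTTP/1.0\r\nHost: echo.example.test\r\n"
                          b"Via: 1.0 cache7 (squid/2.4)\r\n"
                          b"X-Forwarded-For: 192.0.2.44\r\n\r\n"),
    "198.51.100.8:80": (b"GET / HTTP/1.0\r\nHost: echo.example.test\r\n"
                        b"Via: 1.1 proxy8\r\n\r\n"),
    "198.51.100.9:8080": (b"GET / HTTP/1.0\r\nHost: echo.example.test\r\n"
                          b"User-Agent: CheckHosts\r\n\r\n"),
    "198.51.100.10:80": (b"GET / HTTP/1.0\r\nHost: echo.example.test\r\n"
                         b"Forwarded: for=192.0.2.44;proto=http\r\n\r\n"),
}

if __name__ == "__main__":
    for proxy, raw in CAPTURES.items():
        print(proxy, classify_proxy(raw, CLIENT_IP))
```

Two caveats a practitioner would want. First, this only measures what the target sees: a proxy graded 'elite' still knows your address and may log it, so it cloaks you from the target, not from the proxy operator. Second, the check is only as good as the capture, so the server whose request you inspect has to be one you control; a proxy that strips headers toward one host may add them toward another.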
July 18th, 2002, 10:10 PM
#7
Sure - there are lots of ways of getting a list of proxies.
As I said, for the purposes of this article all I needed was a list of live proxies. I didn't write a check of the proxy servers' anonymity because I wasn't about to use it for a real exploit.
The proxy list that is created by this script is used in Part II of this tutorial. In this part I just wanted to show how such a list might be arrived at. If you have a better way of arriving at a list of live proxies (and, yes, you could add a check for anonymity if you wanted), skip straight on to Part II of this article, in which I show how to rotate requests from a file against a target machine via an array of proxies.
June 21st, 2006, 11:54 AM
#8
ntsa: can you post an exploit list file and a proxy list file here?
This is why: I couldn't understand the reason for splitting the proxy and exploit list with the "," delimiter character in your code.
I want to see the list file format.
The second reason is to get an updated exploit list.
my exploit list is attached.
thanks.
June 21st, 2006, 01:49 PM
#9
You wrote a proxy scanner in vbs? 
Crazy.
June 21st, 2006, 02:34 PM
#10
Given that this post is from 2002, and NTSA hasn't posted since 2003, I really doubt you're going to get a response to this message. Just a feeling I have...