Nmap Announce mailing list archives
Re: Nmap and xlogmaster
From: Dave Dittrich <dittrich () cac washington edu>
Date: Fri, 29 Jan 1999 11:55:10 -0800 (PST)
On Fri, 29 Jan 1999, Lamont Granquist wrote:
> On Fri, 29 Jan 1999, Steve Palmer wrote:
> > My NID kicks off a shell script that does an nslookup, whois' (arin,
> > apnic, nic.mil, nic.gov, and internic), does an nmap probe, then emails
> > me the results. [....] I would like to get my hands on the tool that
> > they are using. [...] that some of these sites are owned. I thought the
> > tool might be mscan, sscan, or some variant, but I have not yet been
> > able to reproduce the desired "#" (in my lab of course). If anyone
> > could point me in the right direction, I would greatly appreciate it.
>
> Try also hitting the systat port and capturing the output along with the
> nslookup, etc. Since these are 0wn3d poor-security linux boxes you'll
> come across ones that have systat open, and that gives you a 'ps xauww'
> and you should be able to figure out which proc is bashing on your
> system.
Here's a start at doing what Lamont suggests (not too robust or
sophisticated, but is still useful - damn I wish I had more time! If
anyone modifies it to do the stuff listed above, send me a copy!)

#!/usr/bin/perl
# $Source$
#
# This program relies on the following programs:
#   o Hobbit's "netcat" program (a.k.a. "nc")
#
#   o Safe finger
#
#   o nmap
#
#
# Gather as much information as possible about an intruder's system
# as long as (s)he stays online.  (I guess there is also an opportunity
# to fight back to defend yourself, but I'll leave that as an exercise
# for the reader at this point).

chop($ZERO=`basename $0`);

# Default constants.
$DEFLOG = "$ZERO.log";
$DEFSLEEP = 60;
$FINGER="finger";
$NMAP="/usr/local/bin/nmap";
$NC="/usr/local/bin/nc";

require "newgetopt.pl";

sub usage {
    print STDERR <<EOD;
Usage: $ZERO [options] host
    -repeat [N]   Continue to gather dynamic data (netstat, systat,
                  finger, etc.) as long as system is running, or
                  the number of times specified.
    -sleep N      Number of seconds to sleep between queries
                  (default $DEFSLEEP).
    -log FILE     Log to FILE (default $DEFLOG).
    -quiet        Shhhhhhhh.
    -help         Print this stuff.
EOD
    exit(1);
}

sub options {
    # NGetOpt (newgetopt.pl) sets $opt_<name> for each switch it parses.
    if ( !&NGetOpt("debug", "help", "log=s", "repeat:n", "sleep:n", "quiet")
        || $opt_help) {
        &usage;
    }
}

&options() if @ARGV > 0 && $ARGV[0] =~ /^-+[^-]+/;
@ARGV = ("-") unless @ARGV > 0;
$host = shift(@ARGV);
&usage() if ($opt_help || $host eq "-");

$SEP= "============================================================================";

# Keep track of what services we obtained the first time, so we don't
# keep trying unavailable ones.
$finger = $netstat = $systat = 1;

($target,$aliases,$addrtype,$length,@addrs) = gethostbyname($host);

select(STDERR); $| = 1;
select(STDOUT); $| = 1;

# A SIGHUP ends the polling loop cleanly after the current pass.
$SIG{'HUP'} = 'handler';

$log = ($opt_log) ? $opt_log : $DEFLOG;
$sleep = ($opt_sleep > 0) ? $opt_sleep : $DEFSLEEP;
# "-repeat" with no count means 0, i.e. keep going until the host dies.
$opt_repeat = (defined $opt_repeat) ? $opt_repeat : 1;
$repeat = ($opt_repeat > 0) ? $opt_repeat : 1;

open(O, ">$log") || die "can't open $log: $!";
select(O); $| = 1; select(STDOUT);
print STDOUT "This process is $$\n";
print STDOUT "Log file is $log\n" unless $opt_quiet;

print O <<EOD unless $opt_quiet;
Target: $target
Aliases: $aliases
$SEP
EOD

# Get static information.
print STDERR "Scanning active ports\n" unless $opt_quiet;
&getnreport("Active services", "$NMAP -p1-2046,6000-7000 $target", O);

print STDERR "Getting exports lists\n" unless $opt_quiet;
&getnreport("NFS exports", "(showmount -a $target; showmount -e $target) 2>&1", O);

do {
    # Get dynamic data, and keep on getting it while the system is
    # alive.  Each query is dropped once it returns nothing.
    unless (!$finger) {
        print STDERR "Fingering \@$target\n" unless $opt_quiet;
        $finger = &getnreport("finger", "echo \"\" | $NC $target 79", O);
    }
    unless (!$netstat) {
        print STDERR "Getting netstat\n" unless $opt_quiet;
        $netstat = &getnreport("netstat", "$NC $target 15", O);
    }
    unless (!$systat) {
        print STDERR "Getting systat\n" unless $opt_quiet;
        $systat = &getnreport("systat", "$NC $target 11", O);
    }
    --$repeat unless ($opt_repeat == 0);
    if ($repeat && &alive($target)) {
        print STDERR "sleeping $sleep seconds..." unless $opt_quiet;
        sleep($sleep);
        print STDERR "(yawn)\n" unless $opt_quiet;
    } else {
        $die++;
    }
} while ($repeat && ! $die);

close(O);
exit(0);

# True while nmap's ping check still reports the host as up.
sub alive {
    my($t) = @_;
    my($p) = `$NMAP -P $t | grep -n "appears to be up"`;
    return ($p);
}

sub handler {
    $die++;
    return;
}

# Run $cmd, copy its output to $fh under a header line, and return the
# number of lines captured (0 means the service gave us nothing).
sub getnreport {
    my($title,$cmd,$fh) = @_;
    my($lines) = 0;

    open(I,"$cmd |") || die "can't open pipe for \"$cmd\": $!\n";
    print $fh "$title [command: $cmd]\n", scalar localtime, "\n\n";
    while(<I>) {
        $lines++;
        print $fh $_;
    }
    close(I);
    print $fh "Nothing available for $title\n" unless $lines;
    print $fh "$SEP\n";
    return $lines;
}

--
Dave Dittrich                         Client Services
dittrich () cac washington edu        Computing & Communications
                                      University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key]
http://www.washington.edu/People/dad/
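An added example (Python; not part of Dave's mail or his script) that reads the log the script writes and does the step Lamont describes: from the captured systat output, pick out the processes whose command lines name the responder's own host. It assumes the log layout produced by getnreport() above (header line, localtime line, blank line, output, a line of "=" signs) and BSD-style `ps xauww` columns on the systat port. The sample log, the ps lines in it, and the hostnames and addresses are all constructed.

```python
import re
from dataclasses import dataclass, field

# A line made only of '=' signs is the script's $SEP section terminator.
SEP_RE = re.compile(r"^=+$")
# "<title> [command: <cmd>]" opens each section written by getnreport().
HEADER_RE = re.compile(r"^(?P<title>.+?) \[command: (?P<cmd>.+)\]$")
# Columns of BSD-style 'ps xauww': USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.*)$")


@dataclass
class Section:
    title: str
    command: str
    timestamp: str
    lines: list = field(default_factory=list)

    @property
    def available(self):
        """False when the script recorded no output for this query."""
        return not (len(self.lines) == 1
                    and self.lines[0] == f"Nothing available for {self.title}")


def parse_log(text):
    """Split the log into Sections.  getnreport() writes, per query: the
    header line, 'scalar localtime', a blank line, the captured output
    (or the 'Nothing available' marker), then $SEP."""
    sections, cur = [], None
    it = iter(text.splitlines())
    for line in it:
        if SEP_RE.match(line):
            if cur is not None:
                sections.append(cur)
                cur = None
            continue
        if cur is None:
            m = HEADER_RE.match(line)
            if m:                               # start of a new section
                cur = Section(m.group("title"), m.group("cmd"), next(it, ""))
                next(it, None)                  # blank line after the timestamp
            continue                            # Target:/Aliases: preamble is skipped
        cur.lines.append(line)
    if cur is not None:                         # log cut short (no closing $SEP)
        sections.append(cur)
    return sections


def processes_hitting(ps_lines, identifiers):
    """From captured systat (ps xauww) output, return (pid, user, command)
    for every process whose command line mentions one of our own
    identifiers (addresses or hostnames of the responder's system)."""
    hits = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if not m:
            continue                            # column header or non-ps noise
        cmd = m.group("cmd")
        if any(ident in cmd for ident in identifiers):
            hits.append((int(m.group("pid")), m.group("user"), cmd))
    return hits


# Constructed sample log in the script's format; every value is made up.
SAMPLE_LOG = """\
Target: attacker.example.net
Aliases:
============================================================================
Active services [command: /usr/local/bin/nmap -p1-2046,6000-7000 attacker.example.net]
Fri Jan 29 11:40:02 1999

Port    State       Protocol  Service
11      open        tcp       systat
79      open        tcp       finger
============================================================================
finger [command: echo "" | /usr/local/bin/nc attacker.example.net 79]
Fri Jan 29 11:40:09 1999

Nothing available for finger
============================================================================
systat [command: /usr/local/bin/nc attacker.example.net 11]
Fri Jan 29 11:40:10 1999

USER       PID %CPU %MEM   VSZ  RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.3  1104  384 ?   S    Jan27   0:04 init
root       118  0.0  0.5  1168  600 ?   S    Jan27   0:00 /usr/sbin/inetd
bob       2231  0.1  0.9  1700 1104 p0  S    11:40   0:01 -bash
bob       2290 12.4  1.2  2308 1496 p0  R    11:52   0:41 ./scan 192.0.2.10
bob       2291  0.0  0.5  1072  612 p0  S    11:52   0:00 perl ./probe.pl victim.example.org
============================================================================
"""


def analyse(log_text, our_identifiers):
    """Parse the log and report which captured processes reference us,
    using the most recent systat section (the script appends one per pass)."""
    sections = parse_log(log_text)
    systat = [s for s in sections if s.title == "systat"]
    if not systat or not systat[-1].available:
        return []
    return processes_hitting(systat[-1].lines, our_identifiers)


if __name__ == "__main__":
    for pid, user, cmd in analyse(SAMPLE_LOG, ["192.0.2.10", "victim.example.org"]):
        print(f"pid {pid} ({user}): {cmd}")
```

Match on both the address and the name of the system being probed: an attacker's tool may have been given either, and the systat listing shows the command line exactly as typed. When the script was run with -repeat, the log holds one systat section per pass, so the function looks at the last one.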
Current thread:
- Nmap and xlogmaster Erik Parker (Jan 28)
- Re: Nmap and xlogmaster Max Vision (Jan 28)
- Re: Nmap and xlogmaster Adam Shostack (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 28)
- Re: Nmap and xlogmaster Erik Parker (Jan 28)
- Re: Nmap and xlogmaster HD Moore (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 29)
- Re: Nmap and xlogmaster Steve Palmer (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 29)
- Re: Nmap and xlogmaster Dave Dittrich (Jan 29)
- Re: Nmap and xlogmaster Max Vision (Jan 28)