Nmap Announce mailing list archives

Re: Nmap and xlogmaster


From: Dave Dittrich <dittrich () cac washington edu>
Date: Fri, 29 Jan 1999 11:55:10 -0800 (PST)

On Fri, 29 Jan 1999, Lamont Granquist wrote:

> On Fri, 29 Jan 1999, Steve Palmer wrote:
> > My NID kicks off a shell script that does an nslookup, whois' (arin, apnic,
> > nic.mil, nic.gov, and internic), does an nmap probe, then emails me the
> > results. [....]
> > I would like to get my hands on the tool that they are using.[...]
> > that some of these sites are owned.  I thought the tool might be mscan, sscan,
> > or some variant, but I have not yet been able to reproduce the desired "#" (in
> > my lab of course).  If anyone could point me in the right direction, I would
> > greatly appreciate it.
>
> Try also hitting the systat port and capturing the output along with the
> nslookup, etc.  Since these are 0wn3d poor-security linux boxes you'll
> come across ones that have systat open, and that gives you a 'ps xauww'
> and you should be able to figure out which proc is bashing on your system.

Here's a start at doing what Lamont suggests (not too robust or
sophisticated, but still useful - damn I wish I had more time!  If
anyone modifies it to do the stuff listed above, send me a copy!)


#!/usr/bin/perl
# $Source$
#
# This program relies on the following programs:
#  o Hobbit's "netcat" program (a.k.a. "nc")
#
#  o Safe finger
#
#  o nmap
#
#
# Gather as much information as possible about an intruder's system
# as long as (s)he stays online.  (I guess there is also an opportunity
# to fight back to defend yourself, but I'll leave that as an exercise
# for the reader at this point).

use strict;
use warnings;
use File::Basename qw(basename);
use Getopt::Long;       # replaces the old newgetopt.pl library

my $ZERO = basename($0);

# Default constants.
my $DEFLOG   = "$ZERO.log";
my $DEFSLEEP = 60;
my $FINGER   = "finger";
my $NMAP     = "/usr/local/bin/nmap";
my $NC       = "/usr/local/bin/nc";
my $NCWAIT   = 10;      # seconds netcat waits (-w) before giving up on a port

# GetOptions() stores options that have no explicit destination in
# $opt_<name>, the same convention newgetopt.pl used.
our ($opt_debug, $opt_help, $opt_log, $opt_repeat, $opt_sleep, $opt_quiet);

sub usage {
        print STDERR <<EOD;
Usage: $ZERO [options] host

     -repeat [N]    Continue to gather dynamic data (netstat, systat,
                    finger, etc.) as long as system is running, or
                    the number of times specified.
     -sleep N       Number of seconds to sleep between queries
                    (default $DEFSLEEP).
     -log FILE      Log to FILE (default $DEFLOG).
     -quiet         Shhhhhhhh.
     -help          Print this stuff.
EOD
        exit(1);
}

sub options {
    if ( !GetOptions("debug", "help", "log=s", "repeat:i",
                     "sleep:i", "quiet") ||
        $opt_help) {
        usage();
    }
}


options() if @ARGV > 0 && $ARGV[0] =~ /^-+[^-]+/;
@ARGV = ("-") unless @ARGV > 0;
my $host = shift(@ARGV);
usage() if ($opt_help || $host eq "-");

my $SEP =
"============================================================================";

# Keep track of what services we obtained the first time, so we don't
# keep trying unavailable ones.
my ($finger, $netstat, $systat) = (1, 1, 1);

my ($target,$aliases,$addrtype,$length,@addrs) = gethostbyname($host);
die "$ZERO: can't resolve $host\n" unless defined $target;

select(STDERR); $| = 1;
select(STDOUT); $| = 1;

my $die = 0;            # set by the HUP handler or when the target goes away
$SIG{'HUP'} = \&handler;

my $log   = ($opt_log) ? $opt_log : $DEFLOG;
my $sleep = (defined $opt_sleep && $opt_sleep > 0) ? $opt_sleep : $DEFSLEEP;
$opt_repeat = (defined $opt_repeat) ? $opt_repeat : 1;
my $repeat = ($opt_repeat > 0) ? $opt_repeat : 1;

open(my $O, '>', $log) ||
        die "can't open $log: $!";
select($O); $| = 1; select(STDOUT);
print STDOUT "This process is $$\n";
print STDOUT "Log file is $log\n" unless $opt_quiet;

print {$O} <<EOD unless $opt_quiet;
Target: $target
Aliases: $aliases

$SEP
EOD

# Get static information.
print STDERR "Scanning active ports\n" unless $opt_quiet;
getnreport("Active services", "$NMAP -p1-2046,6000-7000 $target", $O);
print STDERR "Getting exports lists\n" unless $opt_quiet;
getnreport("NFS exports", "(showmount -a $target; showmount -e $target) 2>&1", $O);

do {
        # Get dynamic data, and keep on getting it while the system is
        # alive.  A probe that came back empty is not tried again.
        if ($finger) {
                print STDERR "Fingering \@$target\n" unless $opt_quiet;
                $finger = getnreport("finger", "echo \"\" | $NC -w $NCWAIT $target 79", $O);
        }
        if ($netstat) {
                print STDERR "Getting netstat\n" unless $opt_quiet;
                $netstat = getnreport("netstat", "$NC -w $NCWAIT $target 15", $O);
        }
        if ($systat) {
                print STDERR "Getting systat\n" unless $opt_quiet;
                $systat = getnreport("systat", "$NC -w $NCWAIT $target 11", $O);
        }
        --$repeat unless ($opt_repeat == 0);
        if ($repeat && alive($target)) {
                print STDERR "sleeping $sleep seconds..." unless $opt_quiet;
                sleep($sleep);
                print STDERR "(yawn)\n" unless $opt_quiet;
        } else {
                $die++;
        }
} while ($repeat && ! $die);
close($O);
exit(0);

# Ping scan only, no ports.  nmap 1.x, which this was written against,
# spelled that "-P"; current releases use -sn and report "Host is up"
# where older ones said "appears to be up".
sub alive {
        my($t) = @_;
        my $p = `$NMAP -sn $t 2>&1`;
        return ($p =~ /(?:appears to be|is) up/);
}

sub handler {
        $die++;
        return;
}

# Run $cmd, copy its output under a heading to $fh, and return the number
# of lines it produced (zero means the service is not answering).
sub getnreport {
        my($title,$cmd,$fh) = @_;
        my($lines) = 0;
        open(my $in, '-|', $cmd) || die "can't open pipe for \"$cmd\": $!\n";
        print $fh "$title [command: $cmd]\n", scalar(localtime), "\n\n";
        while(<$in>) { $lines++; print $fh $_; }
        close($in);
        print $fh "Nothing available for $title\n" unless $lines;
        print $fh "$SEP\n";
        return $lines;
}

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

Dave Dittrich / dittrich () cac washington edu [PGP Key]
<http://www.washington.edu/People/dad/>

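
As an added example (editor's code, not Dave's and not part of the original message), here is a Perl script that reads the log the script above writes and, across the systat samples collected with -repeat, separates the processes that were present in every sample from the ones that came and went, which is the comparison Lamont's suggestion calls for. The hostname compromised.example and the ps listing in the embedded sample log are constructed.

```perl
#!/usr/bin/perl
# Added example, not part of the original message: read the log the script
# above writes and report which processes in the repeated systat (ps xauww)
# samples showed up every time and which came and went.  The section layout
# follows getnreport(); the sample log at the bottom is constructed.
use strict; use warnings;

# Returns (sample count, [PID COMMAND seen in every sample], [the rest]).
sub persistence {
    my ($text) = @_;
    my (@samples, $cur);
    for my $line (split /\n/, $text) {
        if ($line =~ /^systat \[command: /) {   # start of a systat section
            push @samples, $cur = {};
        } elsif ($line =~ /^=+$/) {             # the $SEP rule closes it
            undef $cur;
        } elsif ($cur) {                        # ps row: 11 fields, numeric PID
            my @f = split ' ', $line, 11;
            $cur->{"$f[1] $f[10]"} = 1 if @f == 11 && $f[1] =~ /^\d+$/;
        }
    }
    my %seen;
    $seen{$_}++ for map { keys %$_ } @samples;
    my @steady    = sort(grep { $seen{$_} == @samples } keys %seen);
    my @transient = sort(grep { $seen{$_} <  @samples } keys %seen);
    return (scalar @samples, \@steady, \@transient);
}

# Constructed log, systat sections only, as the script writes them with -repeat 2.
my $sample = <<'LOG';
systat [command: /usr/local/bin/nc compromised.example 11]
Fri Jan 29 11:55:10 1999

USER       PID %CPU %MEM  VSZ  RSS TT STAT START   TIME COMMAND
root         1  0.0  0.3 1104  404 ?  S    Jan28   0:03 init
root       812  4.2  1.1 2344 1396 p0 R    11:50   0:22 ./sscan
joe        901  0.0  0.5 1508  612 p1 S    11:54   0:00 -bash
============================================================================
systat [command: /usr/local/bin/nc compromised.example 11]
Fri Jan 29 11:56:10 1999

USER       PID %CPU %MEM  VSZ  RSS TT STAT START   TIME COMMAND
root         1  0.0  0.3 1104  404 ?  S    Jan28   0:03 init
root       812  5.0  1.1 2344 1396 p0 R    11:50   0:25 ./sscan
============================================================================
LOG
my ($n, $steady, $transient) = persistence($sample);
print "$n systat samples\n";
print "  in every sample: $_\n" for @$steady;
print "  came and went:   $_\n" for @$transient;
```

Point it at a real log by replacing $sample with the file contents; the process that survives every sample (here PID 812) is the one worth reporting to the owner of the compromised host.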