Portscanning Fun – IP listings

Portscanning Fun – IP listings
(A HowDoI*-document)

*I prefer HowDoI instead of Tutorial, because it isn’t a tutorial.. just how I do it.. 😛

Needed:
– linux/cygwin
– geoipgen 0.4 (see [Tutorial] Portscanning Fun for installation guide)
– nmap – try to install newest svn co https://svn.nmap.org/nmap
windows version can be used, but mind the lack of RAW package use,
so scan options can’t be SYN. use Connect -sC)

I explained earlier how to get some country specific ip’s from geoipgen.
./geoipgen -n 5000 NL > 5000_ip_nl.txt
.. will result in a ip list of 5000 dutch ip’s.

note: to get random ip’s you can use NMap’s command -iR <num random ports>,

sudo nmap -iR 5000 -sC -p 21 –script=ftp-anon,banner -PN -n -oN output.txt

will scan for anon ftp acces without resolve dns (faster), no port open scan (just try)
on 5000 random ip’s. (choose -iL <iplist> for specific ip’s – gathered from geoipgen)

My Workingdir is getting messy with al those lists, scans, ect.
let’s get it clean and thight..

I want to target dutch ip’s in this example.
You can ofcourse change everything for your own needs.

first create a main working dir
mkdir ip_fun

go to dir

and make a data dir for your ip-lists
mkdir ips

ok, because of the size of our possibilities I’m gonna make a list of ip’s-list files.
I’m gonna make ip lists of 50000 ip’s and 50 of them.
(Or less.. choose what you need.. I want a big list, so I go for 50 files of 50000 ip’s (2.500.000 ip’s))

make a bash script:

#!/bin/bash
COUNTER=0
while [ $COUNTER -lt 50 ]; do
let COUNTER=COUNTER+1
./geoipgen -n 50000 nl > nl_50000_”$COUNTER”.txt
done

this will make me a list of 50 files named nl_50000_<num>.txt

move these to your new-made dir
/ip_fun/ips

now you can scan a little more specific and faster.

let’s try…..
nmap scan for anonymous ftp acces and juicy files. (one of my favorite :P)

sudo nmap -iL /ip_fun/ips/nl_50000_1.txt -v -n -sS –open -p 21 -PN –script=ftp-anon,banner -oN /ip_fun/nmap_p21_scan.txt

or port 80 scan

sudo nmap -iL /ip_fun/ips/nl_50000_1.txt -v -n -sS –open -p 80,8080 -PN –script=banner,http-headers,http-favicon,http-malware-host,http-enum,http-robots.txt,http-php-version,http-usedir-enum,http-trace,http-auth,address-info -oN /ip_fun/nl_50000_1.scan_port80.txt

note: if you use nmap for windows, it’s an older version and not all the scripts are added.
http-robots,http-php-version,http-usedir-enum are recently.

To get some automated scans ordely I suggest the following structure
(This is how I do it)

First I scan some of my ip lists.
I make another dir in ip_fun.
mkdir scans
I’m in to the port 21 for looking around in other peoples stuff.. 😀
I made a small automating script for this *mind that I use .txt extension for this use.

#!/bin/bash
# $1 : ipfile list WITHOUT extension (cause output file uses same name)
sudo nmap -v -iL ips/”$1″.txt -Pn -n -p 21 -oN scans/”$1″.scan_port21.txt –script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor –open -sC

safe this in: /ip_fun/scan_p21.sh
now hit off with
(filename can be different ofcourse)
./scan_p21 nl_50000_01
./scan_p21 nl_50000_02
./scan_p21 nl_50000_03
./scan_p21 nl_50000_04
./scan_p21 nl_50000_05

that will give me 5*50000 scanned ip’s for port 21
listed at /ip_fun/scans/*.scan_port21.txt

You can manualy read them or grep for nice things.
(nmap’s output is Normal (you can use -oG for easier grepping) but I choose this method for my manualy reading)
camera’s

cat *.txt | grep -B 5 -i “camera” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/cameras.txt

you see I made a different dir for the output (else the further searches will have those outputs also.
this will result in a sorted IP list of the gives search.

or NAS (harddrives)

cat *.txt | grep -B 5 -i “nas” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/nas.txt

or just search for a ftp server you know how to exploit
there a lot of exploitable ftp servers.
eg. ProFTPD 1.3.0 (in some cases vurnerable to sql injection by password and name input )
(http://www.hackerscenter.com/index.php?/Feeds/Exploits/ProFTPD-mod_sql-Username-SQL-Injection-Vulnerability.html)

cat *.txt | grep -B 5 -i “proftpd 1.3.0” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/proftpd_1.3.1.txt

short code explanation:
first grep is the search keyword (-B 5 is for 5 lines before finding, need to have the ip ;-))
second grep is the IP grep, third grep is to check if ip starts with 192.168. if so, don’t output.. don’t need
them..

ofcourse I script this.. 😀

#!/bin/bash
# $1: keyword search
cat *.txt | grep -B 5 -i “$1” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/”$1″.txt

try dreambox, disk, ect.

I just finished 50 ip-lists of 50000 ip’s on port 21.
and I truly did find some juicy files ..
rofl.. I even found a usb-drive backup from a head of the police in amsterdam/rijnland.
EPIC fun.. 😀
(no I will not share it :P)

notes:
– a lot of nas/harddrives has password web protected authentication, but FTP anonymous login possibilities. (enough exploits on the web to jump out of the anony-box and run free on their servers/drives.
– dreamboxes are fun to watch. television. (you can change their actualy viewing channels remote, (and send them on-screen messages. fun!)
– a lot of music, movies, iso’s are shared.
– people don’t like updates. so a lot of old software is in use.
– port 21 info can say a lot about the running server, if it looks interesting scan some more
(port 80,8080,443,110,etc)
a short overview:
after this I have a path structure of
/ip_fun/
/ips
/scans
/searches

with a lof of ip files in ips, scan info in ‘scans’ and my search results in searches.

I’m just a beginner at this.. I just share my experiences..
feel free to critisize or add to my ideas..

 

4 thoughts on “Portscanning Fun – IP listings

  1. ScanLine is a command-line port scanner for all Windows platforms.It can perform traditional ICMP “pinging”, optional additional ICMPTimeStamp scanning, can show host response times and number of hops, doTCP scanning, simple UDP scanning, banner grabbing and hostname resolving.Scanning is performed in a fast highly parallel fashion without resorting tousing multiple threads. It can handle huge numbers and ranges of IP addresseswithout a problem.

Leave a Reply to neusbeer Cancel reply

Your email address will not be published. Required fields are marked *