Posts Tagged ‘script’
Starting to write Immunity Debugger PyCommands : my cheatsheet
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While WinDbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Although the command line oriented approach in WinDbg has many advantages, it turned out not to be the best tool for searching for good jump addresses, or for listing non-SafeSEH compiled / non-ASLR aware modules, etc. Looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-SafeSEH compiled modules? Not an easy task. It is perfectly possible to build plugins for WinDbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …
Backup & Restore Windows Server based Print Servers
After having to recover a broken Windows Server based print server yesterday, I decided to write this small article on how to set up print server backups, and describe the simple process of recovering the print server after a crash (or even roll back printer drivers in case a newly installed driver messes up your print server).
Backing up Windows 2000 / 2003 Print Server settings
Let’s assume you have one or more Windows servers that host some or all of your network printers, so end users can connect to and use these shared printers. Each of these printers was probably added manually, a lot of drivers have been installed and configured manually, and the printers have been shared manually. If this server breaks down, you would have to redo all of this work, unless you have a good backup of these printers.
In order to …
Script to backup Cisco switches via telnet / tftp
A couple of days ago, I released a small Perl script to back up Cisco IOS based switches via telnet.
I know there are a couple of similar scripts available on the internet, but most of them either use the “expect” functionality (which does not work all the time), or use SendKeys (which only works when the application has the ‘focus’, and thus cannot be safely scripted), or are commercial tools.
So I decided to write a quick and dirty (free) script myself, which is purely based on a basic tcp socket connection.
I know, this script only works with telnet (clear text), but at least you can back up your switches (and if you have a dedicated management network, it may be acceptable to use telnet after all). Furthermore, you can safely schedule the script to run in the background, lean back, …
Fuzzing with Metasploit : Simple FTP fuzzer
Just wanted to drop a quick note about the release of another free script. This time I’ve written a simple FTP fuzzer (with a little help from HDMoore) in Metasploit. You can read more about it (and download the script) at http://www.corelan.be:8800/index.php/my-free-tools/security/metasploit/simple-ftp-fuzzer-metasploit-module/
This is why I like Metasploit so much… :-)
Update : after running some fuzzing instances against a couple of FTP servers (Win32), I noticed that some odd folders were created in my ftp root folder, and that these folders can no longer be renamed or removed
(Error message : “Cannot read from the source file or disk”)
Solution : the rmdir command allows you to remove these folders using a \\?\ reference
Let’s say the ftp root is located at ftp, and the folder that cannot be removed looks like a bunch of A’s, with spaces in between, then …
Spread the word ! nmap 5 released
Insecure.org has released a new major version of the free, open source “nmap” security scanner. (Don’t just call nmap a port scanner – thanks to many improvements over the last years, nmap has become an excellent security scanner.)
Visit http://nmap.org/5/ for more information about this new version.
Although there are roughly 600 updates in this new version, these are the top 5 improvements in nmap 5 :
ncat (allows data transfer, redirection and debugging) – (Remember hobbit’s nc ?)
ndiff scan comparison
better performance
improved zenmap GUI (including a real neat feature to visually map the network you have scanned)
Improvement of nmap scripting engine (nse), reviewed existing scripts and added 32 new scripts.
Download and install the new version, buy/read the book, spread the word, and scan ‘til you drop !
Some of my favorite nmap parameters/scan parameters :
Detecting common stateless …
Free tool : Windows 2003/2008 Certificate Authority Certificate List Utility for pending requests and about-to-expire certificates
In one of my earlier posts, I talked about setting up a Windows 2008 based Certificate Authority/PKI. Once your Windows 2008 CA setup is in place and configured, you can go ahead and start issuing certificates. But at the same time, you need to put a maintenance/management procedure in place so you can stay on top of certain tasks, such as processing pending certificate requests or identifying certificates that will expire and need manual renewal. Unfortunately there is no easy way to get notified when new requests are pending, or when certificates will expire somewhere in the future. I wrote a small script that will help you put this maintenance process in place. This free utility requires the .Net framework and requires proper permissions to connect to the CA admin interface. It uses the Windows Server 2003, …
Nessus/OpenVAS wrapper for ike-scan
ike-scan is a great tool to audit VPN/IPSec implementations. This tool, which runs under Linux, Unix, MacOS and Windows, can be found at www.nta-monitor.com/tools/ike-scan/ (latest version at time of writing is 1.9; my Nessus ike-scan NASL wrapper may or may not work with earlier or newer versions, so test, test, test).
Some of the great features of ike-scan include extracting the PSK, or enumerating transform attributes to find all algorithms that are enabled on a device. This last function in particular may require some scripting and lots of time going through the log files in order to see whether your solution is configured the way it should be.
So I decided to write a Nessus NASL plugin to run ike-scans.
The plugin is in fact a wrapper around ike-scan and will parse the output, looking for specific settings :
Does the …