My first blog post! w00h00!
With this being a milestone of sorts, I figured what better way to kick off a new hobby than to give some insight as to what prompted me to make this little script of mine.
I am currently taking the OSCP course (expect a review very soon), and during my time in the labs, I have come to rely on a few tools to help me identify the areas that lead me to exploiting a machine. The problem is that this process can become tedious at times, takes a while to complete, and… I’m lazy 🙂 Not to mention, I feel that one of the areas where I am severely lacking, in terms of my skill set, is programming. I have done the tutorials and read the books, but doing is learning, and if it’s not fun, I don’t wanna do it. Well, pen testing is fun, so I figured this simple little script would be an exercise to help me learn some more Python, as well as be fun to work on!
So first I had to come up with the requirements. The simple process I do is as follows:
- Nmap scan
- If it has web ports open run nikto and dirb
- If there are SMB ports open, check it with enum4linux (another great wrapper with a few more utilities built into it)
- If there is an FTP server, I attempt to log in using anonymous access
It’s fairly simple, and using those simple methods normally points me in the right direction as to where to go to get a foothold and grab a shell, and continue from there. Obviously there are situations where non-standard ports are used for things, but hey, nothing is perfect 🙂
So enumerator v0.0001 was as simple as you could possibly get: plain os.system calls against the IP address. This failed miserably for obvious reasons; I needed to think like a programmer and get some logic flowing! A few Google searches later, I was brought to this page: http://xael.org/norman/python/python-nmap/ . It just so happens that someone was kind enough to make an Nmap module for Python, giving me a far easier way of introducing logic into this script.
After that, it was seemingly simple: a few if/then statements looking for ports and running processes based on the findings. It worked wonderfully, but there was a flaw in my logic. This was built for the OSCP exam, not just for me being lazy. I needed speed! The OSCP exam is a full court press of hacking for 24 hours. The issue here is that before the output files of these scans can be read, the scans have to finish. I did not want to spend precious minutes waiting for a scan to finish; I wanted data immediately. Even bad data is helpful, as it eliminates variables. Google to the rescue!
This led me to what is probably the most controversial aspect of this little script (in terms of the feedback I have gotten): the use of “xterm” windows. This allows the script to spawn child windows with the processes running inside of them. So now, as my scans are running, I can see how each one is doing. The output files are written to a folder that is created on the desktop, so even if I go down a wrong path during my enumeration phase, the information is saved to be examined later.
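To make the port-to-tool branching above concrete, here is an added example of that dispatch logic (my own illustration, not the enumerator script from the repository): it takes the per-host `tcp` dictionary that python-nmap exposes as `nm[host]['tcp']`, decides which of the post’s follow-up tools apply to each open port, and spawns each job in its own xterm with output tee’d to a folder on the desktop. The port sets and the `--script ftp-anon` check for the FTP step are assumptions; the original script’s exact lists are not on the page.

```python
"""Dispatch follow-up scans from python-nmap results (added example, not the blog's script)."""
import os
import shlex
import subprocess
from datetime import datetime

# Port-to-tool policy mirroring the post's workflow. Port sets are assumed defaults.
WEB_PORTS = {80, 443, 8000, 8080, 8443}
SMB_PORTS = {139, 445}
FTP_PORTS = {21}


def plan_followups(host, tcp):
    """Return [(label, argv), ...] for every open port that warrants a follow-up.

    `tcp` has the shape python-nmap returns as nm[host]['tcp']:
    {port: {'state': 'open', 'name': 'http', ...}, ...}. The nmap service name is
    used as a fallback so a non-standard port reported as http/ftp/smb is still caught.
    """
    jobs = []
    for port, info in sorted(tcp.items()):
        if info.get("state") != "open":
            continue
        name = info.get("name", "")
        if port in WEB_PORTS or name in ("http", "https"):
            scheme = "https" if port == 443 or name == "https" else "http"
            jobs.append((f"nikto-{port}", ["nikto", "-h", host, "-p", str(port)]))
            jobs.append((f"dirb-{port}", ["dirb", f"{scheme}://{host}:{port}/"]))
        elif port in SMB_PORTS or name in ("netbios-ssn", "microsoft-ds"):
            if not any(label == "enum4linux" for label, _ in jobs):  # once per host
                jobs.append(("enum4linux", ["enum4linux", "-a", host]))
        elif port in FTP_PORTS or name == "ftp":
            jobs.append((f"ftp-anon-{port}", ["nmap", "-p", str(port), "--script", "ftp-anon", host]))
    return jobs


def spawn_in_xterm(label, argv, outdir):
    """Run one job in its own xterm window, tee-ing its output to outdir/<label>.txt."""
    os.makedirs(outdir, exist_ok=True)
    logfile = os.path.join(outdir, f"{label}.txt")
    shell_cmd = shlex.join(argv) + " 2>&1 | tee " + shlex.quote(logfile)
    return subprocess.Popen(["xterm", "-hold", "-T", label, "-e", "bash", "-c", shell_cmd])


if __name__ == "__main__":
    import nmap  # python-nmap; only needed for a live scan
    target = "192.0.2.10"  # placeholder target (documentation range)
    nm = nmap.PortScanner()
    nm.scan(target, arguments="-sV")
    stamp = datetime.now().strftime("%Y%m%d-%H%M")
    outdir = os.path.join(os.path.expanduser("~/Desktop"), f"{target}-{stamp}")
    for label, argv in plan_followups(target, nm[target].get("tcp", {})):
        spawn_in_xterm(label, argv, outdir)
```

Because the planning step is separated from the spawning step, you can print the plan first and confirm nothing was missed before any window opens.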
Overall it was a fun little project; it will not only give me a speed boost on the low-hanging fruit that may be on the exam, but will also keep me from forgetting to run a scan in the panic that I will no doubt be in 🙂
If you would like to give the script a run through, feel free, and leave me some feedback on it: https://github.com/overflowsecurity/enumerator
Here is a screenshot of it in action against a home server I set up.