Script started on Wed Sep 20 10:00:49 2000 blue(gbnewby) [1] ../INLS187/Sep20 } date Wed Sep 20 10:00:54 EDT 2000 blue(gbnewby) [2] ../INLS187/Sep20 } ls total 6496 0 Sep20-script.txt 4 mscan/ 4 sniffit.0.3.5/ 784 ss-1.3.tgz 3704 a 28 mscan.tgz 12 sniffit.0.3.5.p1.tar 4 lrk4/ 4 pdump/ 804 sniffit.0.3.5.tar 884 lrk4.tgz 260 pdump.tar.gz 4 ss-1.3/ blue(gbnewby) [3] ../INLS187/Sep20 } rm a blue(gbnewby) [4] ../INLS187/Sep20 } clear blue(gbnewby) [5] ../INLS187/Sep20 } ls total 2792 0 Sep20-script.txt 4 mscan/ 260 pdump.tar.gz 804 sniffit.0.3.5.tar 4 lrk4/ 28 mscan.tgz 4 sniffit.0.3.5/ 4 ss-1.3/ 884 lrk4.tgz 4 pdump/ 12 sniffit.0.3.5.p1.tar 784 ss-1.3.tgz blue(gbnewby) [6] ../INLS187/Sep20 } rm -rf mscan blue(gbnewby) [7] ../INLS187/Sep20 } ls total 2788 0 Sep20-script.txt 28 mscan.tgz 4 sniffit.0.3.5/ 4 ss-1.3/ 4 lrk4/ 4 pdump/ 12 sniffit.0.3.5.p1.tar 784 ss-1.3.tgz 884 lrk4.tgz 260 pdump.tar.gz 804 sniffit.0.3.5.tar blue(gbnewby) [8] ../INLS187/Sep20 } gunzip mscan.tgsz blue(gbnewby) [9] ../INLS187/Sep20 } ls total 2856 0 Sep20-script.txt 96 mscan.tar 4 sniffit.0.3.5/ 4 ss-1.3/ 4 lrk4/ 4 pdump/ 12 sniffit.0.3.5.p1.tar 784 ss-1.3.tgz 884 lrk4.tgz 260 pdump.tar.gz 804 sniffit.0.3.5.tar blue(gbnewby) [10] ../INLS187/Sep20 } tarx  xof mscan.tar blue(gbnewby) [11] ../INLS187/Sep20 } ls total 2860 0 Sep20-script.txt 4 mscan/ 260 pdump.tar.gz 804 sniffit.0.3.5.tar 4 lrk4/ 96 mscan.tar 4 sniffit.0.3.5/ 4 ss-1.3/ 884 lrk4.tgz 4 pdump/ 12 sniffit.0.3.5.p1.tar 784 ss-1.3.tgz blue(gbnewby) [12] ../INLS187/Sep20 } clear blue(gbnewby) [13] ../INLS187/Sep20 } cd mscan blue(gbnewby) [14] ../Sep20/mscan } ls total 120 4 COMPAT-README-NOW 4 checkos.c 4 make* 4 showmount.c 16 README-NOW 4 connect_timeo.c 4 mscan.h 4 statd.c 4 check2_data.c 8 count.c 16 multiscan.c 4 system_timeo.c 4 checkXdisplay.c 4 finger.c 4 portscan.c 4 testnamed.c 4 check_data.c 4 getports.c 4 rdns.c 16 z0ne* blue(gbnewby) [15] ../Sep20/mscan } ./make - mscan, jsbach, june 1998 - please wait while i make 
mscan...this will take like a minute checkXdisplay.c:11: X11/Xlib.h: No such file or directory done with mscan, compiling rdns blue(gbnewby) [16] ../Sep20/mscan } cp checkXdisplay.c checkXdispla.c.disty. blue(gbnewby) [17] ../Sep20/mscan } vi checkXdisplay.c "checkXdisplay.c" 32L, 610C/* Check if a remote display allows us to open it... * if it does, return one, else return 0. * being open means we can sniff keystrokes, etc, etc.. */ // this function iz kiddie proof.. if you kno a bit you can uncomment it // and edit the make script with the right include/lib paths. #include #include #include int checkXdisplay(char *ip) { /* char buff[32], buff2[32]; strcpy(buff, (ip - 2)); strcat(buff, "\0"); sprintf(buff2, "%s:0", ip); #ifdef DEBUG printf("DEBUG: checkXdisplay: %s\n", ip); #endif if (XOpenDisplay(buff2) != NULL) return 1; */ -- INSERT -- /#include / /#include // #include // :we Not an editor command: we :w "checkXdisplay.c" 32L, 613C written :st Suspended blue(gbnewby) [18] ../Sep20/mscan } ./make - mscan, jsbach, june 1998 - please wait while i make mscan...this will take like a minute done with mscan, compiling rdns blue(gbnewby) [19] ../Sep20/mscan } fg vi checkXdisplay.c /* Check if a remote display allows us to open it... * if it does, return one, else return 0. * being open means we can sniff keystrokes, etc, etc.. */ // this function iz kiddie proof.. if you kno a bit you can uncomment it // and edit the make script with the right include/lib paths. 
#include #include // #include int checkXdisplay(char *ip) { /* char buff[32], buff2[32]; strcpy(buff, (ip - 2)); strcat(buff, "\0"); sprintf(buff2, "%s:0", ip); #ifdef DEBUG printf("DEBUG: checkXdisplay: %s\n", ip); #endif if (XOpenDisplay(buff2) != NULL) return 1; */ :q blue(gbnewby) [20] ../Sep20/mscan } clear blue(gbnewby) [21] ../Sep20/mscan } ls total 176 4 COMPAT-README-NOW 4 checkos.c 36 mscan* 4 showmount.c 16 README-NOW 4 connect_timeo.c 4 mscan.h 4 statd.c 4 check2_data.c 8 count.c 16 multiscan.c 4 system_timeo.c 4 checkXdisplay.c 4 finger.c 4 portscan.c 4 testnamed.c 4 checkXdisplay.c.dist 4 getports.c 16 rdns* 16 z0ne* 4 check_data.c 4 make* 4 rdns.c blue(gbnewby) [22] ../Sep20/mscan } ./mscan Usage: ./mscan [-r ip of net] [-z network] [-h network] [scan options] -r [ip of net] : reverse DNS lookup the network (use when nameservers don't allow host -l type queries) refer to README-NOW for more info. -z [network] : use z0ne to gather IP's; you should use this if the nameserver allows host -l queries. -h [network] : use 'host -l | grep "has address" | awk '{print $4}' to gather ip addresses. This only gathers IP's from the top level so z0ne is preferred. -c number : How many children to spawn. (i.e. if you do -c 50, mscan will be scanning 50 hosts at any given time.) Default is 9 (rather slow). -n : don't gather ip's, read from .ipdb. -f file : use "file" as IP database. When this opt isn't provided mscan logs to .ipdb. -S : check for boxes running statd. -E : check for boxes that export filesystems to everyone. -C : check for boxes running vulnerable cgi programs. -X : check for open X servers. -W : check for wingate servers and open routers. -I : check for redhat boxes running IMAP. -N : report linux and freebsd servers running vulnerable named versions. -F : attempt to get info via finger. -P : check for pop3d when the server is vulnerable to another exploit which allows us to get account names (test.cgi, finger, phf, handler.) 
-V : print OS type (if identified), open ports, and misc old vulnerabilities (AIX running rlogind, rex, sendmail 8.6.9, etc) -t : truncate output, only report boxes that you can immediately hax0r and don't print pop banners, telnet banners and portscan info. -a : report everything except X servers and exports. -b : report everything. (this is significantly slower than -a.) hint: pick only the options you need@&@ Example : ./mscan -c 60 -h ac.kr -at > ac.kr.log & *-* by jsbach, june/1998 *-* blue(gbnewby) [23] ../Sep20/mscan } l total 176 4 COMPAT-README-NOW 4 checkos.c 36 mscan* 4 showmount.c 16 README-NOW 4 connect_timeo.c 4 mscan.h 4 statd.c 4 check2_data.c 8 count.c 16 multiscan.c 4 system_timeo.c 4 checkXdisplay.c 4 finger.c 4 portscan.c 4 testnamed.c 4 checkXdisplay.c.dist 4 getports.c 16 rdns* 16 z0ne* 4 check_data.c 4 make* 4 rdns.c blue(gbnewby) [24] ../Sep20/mscan } cat clear blue(gbnewby) [25] ../Sep20/mscan } cat > testfile-addresses.txt 152.2.81.93 154 2.2.81.13 152.2.81.1 64.65.0.149 blue(gbnewby) [26] ../Sep20/mscan } ./mscan -f tesfile-addresses.txt ERROR: fatal error, couldn't open ip database. blue(gbnewby) [27] ../Sep20/mscan } ./mscan -f tesfile-addresses.txttf - . . . mscan by jsbach --june/1998. thanks to #kode for keeping me sane this year, being my friends, and inspiring me to write this prog. 
blue(gbnewby) [28] ../Sep20/mscan } -**-' scanning 152.2.81.93 `-**- '*********************` -**-' scanning 152.2.81.13 `-**- '*********************` '*********************` '*********************` -**-' scanning 152.2.81.1 `-**- '*********************` '*********************` -**-' scanning 64.65.0.149 `-**- '*********************` '*********************` blue(gbnewby) [28] ../Sep20/mscan } blue(gbnewby) [28] ../Sep20/mscan } blue(gbnewby) [28] ../Sep20/mscan } ./mscan Usage: ./mscan [-r ip of net] [-z network] [-h network] [scan options] -r [ip of net] : reverse DNS lookup the network (use when nameservers don't allow host -l type queries) refer to README-NOW for more info. -z [network] : use z0ne to gather IP's; you should use this if the nameserver allows host -l queries. -h [network] : use 'host -l | grep "has address" | awk '{print $4}' to gather ip addresses. This only gathers IP's from the top level so z0ne is preferred. -c number : How many children to spawn. (i.e. if you do -c 50, mscan will be scanning 50 hosts at any given time.) Default is 9 (rather slow). -n : don't gather ip's, read from .ipdb. -f file : use "file" as IP database. When this opt isn't provided mscan logs to .ipdb. -S : check for boxes running statd. -E : check for boxes that export filesystems to everyone. -C : check for boxes running vulnerable cgi programs. -X : check for open X servers. -W : check for wingate servers and open routers. -I : check for redhat boxes running IMAP. -N : report linux and freebsd servers running vulnerable named versions. -F : attempt to get info via finger. -P : check for pop3d when the server is vulnerable to another exploit which allows us to get account names (test.cgi, finger, phf, handler.) -V : print OS type (if identified), open ports, and misc old vulnerabilities (AIX running rlogind, rex, sendmail 8.6.9, etc) -t : truncate output, only report boxes that you can immediately hax0r and don't print pop banners, telnet banners and portscan info. 
-a : report everything except X servers and exports. -b : report everything. (this is significantly slower than -a.) hint: pick only the options you need@&@ Example : ./mscan -c 60 -h ac.kr -at > ac.kr.log & *-* by jsbach, june/1998 *-* blue(gbnewby) [29] ../Sep20/mscan } ./mscan -f testfile-addresses.txt -V - . . . mscan by jsbach --june/1998. thanks to #kode for keeping me sane this year, being my friends, and inspiring me to write this prog. - checking OS for 152.2.81.13 blue(gbnewby) [30] ../Sep20/mscan } - checking OS for 152.2.81.1 - checking OS for 152.2.81.93 beryl.ils.unc.edu (via blue.ils.unc.edu) A transparent precious stone of a pale-green colour passing into light-blue, yellow, and white; distinguished only by colour from the more precious emerald. When of pale bluish green it is called an aquamarine; its yellow or yellowish varieties are the chrysoberyl, and, perhaps, the chrysoprase, and chrysolite of the ancients. SunOS 5.7 152.2.81.1: SCAN: runs solaris. -**-' scanning 152.2.81.1 `-**- PORTSCAN: runs httpd. PORTSCAN: runs imapd. '*********************` '*********************` Red Hat Linux release 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586 152.2.81.93: SCAN: runs Red Hat linux. -**-' scanning 152.2.81.93 `-**- PORTSCAN: runs httpd. '*********************` '*********************` -**-' scanning 152.2.81.13 `-**- PORTSCAN: runs httpd. '*********************` '*********************` -**-' scanning 64.65.0.149 `-**- PORTSCAN: runs httpd. '*********************` '*********************` blue(gbnewby) [30] ../Sep20/mscan } blue(gbnewby) [30] ../Sep20/mscan } blue(gbnewby) [30] ../Sep20/mscan } blue(gbnewby) [30] ../Sep20/mscan } ssh ruby.ils.unc.edu gbnewby@ruby.ils.unc.edu's password: You have new mail. 
12:10pm up 5 days, 14:04, 69 users, load average: 0.20, 0.14, 0.14 gbnewby pts/5 newby.ils.unc.ed Wed Sep 20 09:45 still logged in gbnewby pts/45 64-40-66-193.dia Tue Sep 19 12:28 - 00:07 (11:39) ruby(gbnewby) [26] ~ } cd inls187/notes ruby(gbnewby) [27] ../inls187/notes } ls total 32 2 Aug28/ 2 Sep18/ 4 notes.shtml 8 187notes.css 2 Aug30/ 2 Sep20/ 4 notes.shtml~ 2 Aug23/ 2 Sep13/ 2 Sep6/ 2 template.html ruby(gbnewby) [28] ../inls187/notes } ls Sep13 total 1606 2 black/ 1600 black-091100.tar 4 notes.html ruby(gbnewby) [29] ../inls187/notes } ls */probe* 10 Sep18/probe_tcp_ports.c ruby(gbnewby) [30] ../inls187/notes } ls Sep18 total 42 20 a.out* 10 probe_tcp_ports.c 10 a.c 2 notes.html ruby(gbnewby) [31] ../inls187/notes } cd !$ cd Sep18 ruby(gbnewby) [32] ../notes/Sep18 } rm a.c a.out ruby(gbnewby) [33] ../notes/Sep18 } cp probe* ../Sep20 ruby(gbnewby) [34] ../notes/Sep18 } cd !$ cd ../Sep20 ruby(gbnewby) [35] ../notes/Sep20 } ls total 200 8 notes.html 10 probe_tcp_ports.c 180 a.tar 2 notes.html~ ruby(gbnewby) [36] ../notes/Sep20 } rm a.tar ruby(gbnewby) [37] ../notes/Sep20 } purge ruby(gbnewby) [38] ../notes/Sep20 } clear ruby(gbnewby) [39] ../notes/Sep20 } ls total 18 8 notes.html 10 probe_tcp_ports.c ruby(gbnewby) [40] ../notes/Sep20 } gcc -0o probe_tcp)poirts_ports.c  probe_tcp_ports.c probe_tcp_ports.c: In function `Probe_TCP_Port': probe_tcp_ports.c:167: warning: passing arg 2 of `connect' from incompatible pointer type /var/tmp/ccGZEkNJ.o: In function `Probe_TCP_Ports': /var/tmp/ccGZEkNJ.o(.text+0x38c): undefined reference to `gethostbyname' /var/tmp/ccGZEkNJ.o(.text+0x3ac): undefined reference to `inet_addr' /var/tmp/ccGZEkNJ.o: In function `Probe_TCP_Port': /var/tmp/ccGZEkNJ.o(.text+0x518): undefined reference to `socket' /var/tmp/ccGZEkNJ.o(.text+0x590): undefined reference to `getservbyport' /var/tmp/ccGZEkNJ.o(.text+0x5f0): undefined reference to `connect' /var/tmp/ccGZEkNJ.o(.text+0x69c): undefined reference to `getservbyport' collect2: ld returned 1 
exit status ruby(gbnewby) [41] ../notes/Sep20 } gcc -o probe_tcp_ports probe_tcp_ports.c l-lcossocket probe_tcp_ports.c: In function `Probe_TCP_Port': probe_tcp_ports.c:167: warning: passing arg 2 of `connect' from incompatible pointer type ruby(gbnewby) [42] ../notes/Sep20 } ls total 38 20 probe_tcp_ports* 8 notes.html 10 probe_tcp_ports.c ruby(gbnewby) [43] ../notes/Sep20 } ./probe_tcp_ports 15.2.282.52.81.93 Host 152.2.81.93, Port 21 ("ftp" service) connection ... open. Host 152.2.81.93, Port 22 connection ... open. Host 152.2.81.93, Port 23 ("telnet" service) connection ... open. Host 152.2.81.93, Port 25 ("smtp" service) connection ... open. Host 152.2.81.93, Port 80 connection ... open. Host 152.2.81.93, Port 111 ("sunrpc" service) connection ... open. Host 152.2.81.93, Port 113 connection ... open. Host 152.2.81.93, Port 515 ("printer" service) connection ... open. Host 152.2.81.93, Port 958 connection ... open. Host 152.2.81.93, Port 1024 connection ... open. ruby(gbnewby) [44] ../notes/Sep20 } ^Dlogout Connection to ruby.ils.unc.edu closed. blue(gbnewby) [31] ../Sep20/mscan } tail /var/log/messages Sep 20 11:12:30 blue sshd2[25568]: connection from "152.2.81.1" Sep 20 11:12:30 blue sshd2[25911]: Local disconnected: Connection closed by remote host. Sep 20 11:12:30 blue sshd2[25911]: connection lost: 'Connection closed by remote host.' Sep 20 11:12:30 blue ftpd[25910]: lost connection to ruby.ils.unc.edu [152.2.81.1] Sep 20 11:12:30 blue ftpd[25910]: FTP session closed Sep 20 11:12:30 blue inetd[481]: pid 25910: exit status 255 Sep 20 11:12:31 blue telnetd[25914]: ttloop: peer died: EOF Sep 20 11:12:31 blue inetd[481]: pid 25914: exit status 1 Sep 20 11:12:31 blue kernel: lockd: connect from unprivileged port: 152.2.81.1:49574<4>lockd: accept failed (err 11)! Sep 20 11:12:31 blue kernel: lockd: accept failed (err 11)! blue(gbnewby) [32] ../Sep20/mscan } cd .. 
blue(gbnewby) [33] ../INLS187/Sep20 } ls total 2876 16 Sep20-script.txt 4 mscan/ 260 pdump.tar.gz 804 sniffit.0.3.5.tar 4 lrk4/ 96 mscan.tar 4 sniffit.0.3.5/ 4 ss-1.3/ 884 lrk4.tgz 4 pdump/ 12 sniffit.0.3.5.p1.tar 784 ss-1.3.tgz blue(gbnewby) [34] ../INLS187/Sep20 } blue(gbnewby) [34] ../INLS187/Sep20 } blue(gbnewby) [34] ../INLS187/Sep20 } blue(gbnewby) [34] ../INLS187/Sep20 } ^Dexit Script done on Wed Sep 20 11:16:05 2000