""""""" "" """""""""" """""""""""""""""" """ """""""""""" """"" """"""""" """"
, crewl underground madness .
: _____________________ ____ ; hc ;
_ _ ____l__ _ _ __ __ _\ / / \ \/ /_ __ __ _____ __:___ ___|_
( __ ((_ )__ (( _ __// , --<< << << _ _ >>>__)_ ___))__ (__ ___ )) _
k q \________\________\___\/___/ p
: ; :
' "we do whatever tickles our dick!" .
"""""" """"""""" """" """""""""" """"""""""""""" """""""""" """"""""""""" """
+-----------------[CUM Security Toolkit v1.41 - CST v1.41]--------------------+
The CUM Security Toolkit contains two tools: a script scanner, and a port
scanner - both are written in Java. You need a Java runtime environment to
run them, check http://java.sun.com/ for one (look for j2se or a Java virtual
machine).
The script scanner has various anti-IDS options, supports multiple proxy
servers and comes with big editable script databases.
The port scanner is a simple TCP scanner with banner output (so it shows what
reply comes from an open port) and has the ability to send custom strings to
the open ports, so it's more like an enumeration / stress tool.
1) The CST scriptscanner:
-------------------------
To scan a server, start cst_cgis.class like this:
java cst_cgis -db: -d: -h:
-db:
------------
is the database with scripts to scan for - in this release, there
are 3 that come standard: cst_unx.db , cst_win.db and big.db
cst_unx.db is best suited for all types of Apache, NCSA etc. webservers
cst_win.db is best suited for IIS, Lotus-Domino, Netscape etc. webservers
big.db when you're not sure, or really want to test *a lot* - this one
contains over 1600 files/dirs to check - not recommended to scan a host
that's not yours since it will make a lot of noise in the logs
If you think the scanner should scan for an extra directory or file, you
can add the directory/file into one of the two databases with a text editor
of your choice (vi, pico, notepad...), or you can create a new database.
Suppose you want to add a check for "newscript.cgi", which is normally found
in the bin directory, you can add this in the cst_unx.db as:
/$CSTBINDIR$/newscript.cgi
When supplied to the scriptscanner, this will scan for the script
"newscript.cgi" in the scriptdir supplied on the command line.
If you want to add a certain script that always gets installed in the same
directory, for example /secretfiles/password.pl, you can add this on a new
line in a database:
/secretfiles/password.pl
If you have a good custom database, or know some extra directories/files
to scan for, please let us know via email: webmaster@blackhat.be or go to
our site ( http://www.blackhat.be/ ) - in the cst section we have a form
where you can submit new scripts to check, and there you can also download
the latest scan databases
-d:
--------
With this option, you can specify in which scriptdir the scanner should scan
for certain standard scripts -- for an Apache Unix webserver, you would
normally use the flag:
-d:cgi-bin
The scriptscanner will then substitute all "$CSTBINDIR$" strings in the db
with the directory supplied, and scan them on the target server.
-h:
---------
With this flag, you can specify which server to scan, so if you want to scan
www.test.net , you would add the flag:
-h:www.test.net
If you want to scan for scripts on another port than the standard port 80
on the target server, you can supply an extra : after this flag, so
if you want to scan www.test.net for scripts on port 81, you would add the
flag:
-h:www.test.net:81
-H:
-------------
With this flag, you can specify a list with servers to scan. If you have a
file "serverlist" with in it a list of servers, you would add the flag:
-H:serverlist
In this file, each server needs to be on a new line. You can still use the
":" option after a server to specify a port different from the
standard port 80.
sample hostfile:
www.test.net
www.test.com:81
www.test.org
Notes: - both names and IPs can be used (for the hostfile and single host).
- if you specify a hostfile, you can still add 1 more server on the
commandline with the -h: flag - so both flags can be used
together.
- the CST scriptscanner sends a "Host:" header along with the request
so it can successfully scan virtual domains.
These first three arguments are mandatory - if you do not supply them, you
will get the following errorscreen:
<-- START ERRORSCREEN--
cst_cgis -db: -d: [-h: or -H:]
-db: = The database with files to scan [+]
-d: = The scriptdir to use (cgi-bin, bin, scripts, ...) [+]
-h:[:] = Server to scan (+ port [standard 80]) [+]
-H: = File with hosts to scan [+]
-p:[:] = Proxyserver (+ port [standard 8080])
-P: = File with proxyservers + ports to use
-l: = Logfile to use (standard cst_cgis.log)
-ai1 = Anti-IDS 1 - Hexadecimal values
-ai2 = Anti-IDS 2 - Double slashes
-ai3 = Anti-IDS 3 - Self-reference directories
-ai4 = Anti-IDS 4 - Session splicing
-ai5 = Anti-IDS 5 - Parameter hiding
-ai6 = Anti-IDS 6 - HTTP misformatting
-ai7 = Anti-IDS 7 - DOS/Win directory syntax
-ai8 = Anti-IDS 8 - Case sensitivity
-ai9 = Anti-IDS 9 - NULL method processing
-ai10 = Anti-IDS 10 - Long URLs
-ai11 = Anti-IDS 11 - Premature request ending
-go = Use google searchstring referer
-nf = Don't show 403 (forbidden) answers
-sc:[,,] = Show answers starting with
-get = Use GET instead of HEAD
-w: = Waittime between 2 downloads (standard 0 sec)
-t: = Specify timeout (standard 30 sec)
<-- END ERRORSCREEN--
As you can see, you can also scan a server through a proxyserver, using
the option -p:
-p:
----------
This option lets you specify a proxyserver to use for the scan. For example,
if you want to use www.proxy.net to scan the Apache 1.3.27 webserver
www.test.net , you would start the scriptscanner like this:
java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net
This will use the server www.proxy.net on port 8080 for the scan. If you
want to use another port for the proxyserver, you can supply one by adding
: to the -p: flag, so suppose the proxyserver on www.proxy.net
resides on port 81, you would start the scriptscanner like this:
java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net:81
-P:
--------------
This option lets you specify a list with proxyservers to use for the scan.
Each proxy needs to be on a new line, and you can optionally specify the
proxyport with a ":" after the proxy (if no port is specified, port
8080 will be used).
an example of a valid proxylist:
www.proxy1.com
www.proxy2.com:81
www.proxy3.com
www.proxy4.com:8181
www.proxy5.com:9001
...
you get the point. (Note that each proxy needs to start at the beginning of
its line -- no spaces in front of it.)
You don't need as many proxies as you have scripts in your scandb (but that
would be optimal of course). If the scanner reaches the end of the proxylist
before it reaches the end of the scriptdb, it will cycle through the list
again from the beginning.
-l:
------------
The scriptscanner saves (appends) the full screen output to a file called
cst_cgis.log in the same directory as the scriptscanner. If you wish to
save the results in another file, you can use the -l: option to
specify another file. If the file you specify already exists, the result
will be appended to the file.
-t:
------------
With this option you can specify the I/O timeout to use for the scan.
Without this option, the scanner uses a 30 second timeout.
-w:
------------
With this option, you can supply a certain amount of seconds to wait
between each script fetch - if you do not use this option, the scriptscanner
will scan for all scripts/dirs as fast as possible (so without waiting
between the downloads) - so if you want to be a bit more "undercover", you
can supply a waittime to spread the scan a bit in the target logs.
So, if you want to use the proxyserver www.proxy.net to scan the
Apache 1.3.27 webserver www.test.net , using a waittime of 20 seconds
between each download, you would start the scriptscanner like this:
java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net -w:20
To hide your scan even more, the CST scriptscanner has 11 different
anti-IDS (Intrusion Detection System) evasion options:
-ai1
----
When supplying this option, the scriptscanner will substitute certain
characters of the script/dir to scan with their corresponding hexadecimal
value, so scanning for /cgi-bin/test-cgi will look like this:
/cg%69-b%69n/t%65st-cg%69
-ai2
----
When supplying this option, the scriptscanner will substitute each slash
with a double slash - so /cgi-bin/test-cgi will become:
//cgi-bin//test-cgi
Note: - This option does not work for scanning Lotus-Domino (4.6.3) and
Netscape-Enterprise (3.5.1) webservers.
-ai3
----
When supplying this option, the scriptscanner will substitute each slash
with a slash-dot-slash - so /cgi-bin/test-cgi will become:
/./cgi-bin/./test-cgi
Note: - This option does not work for scanning Lotus-Domino (4.6.3) and
Netscape-Enterprise (3.5.1) webservers.
-ai4
----
When supplying this option, the scriptscanner will split the request in
smaller packets (2 to 4 bytes), and send those to the target.
Note: - This option can't be used with a proxyserver, since a proxyserver
reassembles the packets, and sends that to the target - so when
supplying this option, NO proxy is used, even if you do supply one
on the command line.
-ai5
----
When supplying this option, the scriptscanner will "hide" the script/dir
request in an HTML parameter - so /cgi-bin/test-cgi will become:
/index.html%3Fparam=/../cgi-bin/test-cgi
Note: - This option does not work for scanning Netscape-Enterprise (3.5.1)
webservers.
-ai6
----
When supplying this option, the scriptscanner will "misformat" the HTTP
request. A request must look like this (according to the RFC standards):
methodURIHTTP/
This option will send a instead of a
Note: - This option does not work for scanning Netscape-Enterprise (3.5.1),
IIS or Lotus-Domino (4.6.3) webservers. It does work for Apaches.
- If you're using a proxy server, the proxy needs to support this,
and this isn't always the case.
-ai7
----
When supplying this option, the scriptscanner will substitute any "/"
with a "\" (starting from the second "/").
For example /scripts/secretfiles/password.lst will become:
/scripts\secretfiles\password.lst
Note: - This option works for most DOS/Windows based webservers.
-ai8
----
When supplying this option, the scriptscanner will turn the script into
uppercase. For example /scripts/secretfiles/password.lst will become:
/SCRIPTS/SECRETFILES/PASSWORD.LST
Note: - This option works for most webservers running on a case insensitive
operating system (Windows, DOS, Novell).
-ai9
----
When supplying this option, the scriptscanner will add a NULL character
before the script-to-scan. A request for /data/secretfile.mdb will look
like this:
HEAD%00 /data/secretfile.mdb HTTP/1.0
Note: - This option only works for IIS webservers (it sometimes does work
for Apaches but only when the response is 403, so it's quite
useless then).
-ai10
-----
When supplying this option, the scriptscanner will add about 2K of chars
before the actual script. So /cgi-bin/test-cgi will become:
/dsfjkgdjfg...[around2kofgarbage]...sdfkjsd/../cgi-bin/test-cgi
-ai11
-----
When supplying this option, the scriptscanner will send a request for the
target index page, and request the script in one of the Headers.
A request for /cgi-bin/test-cgi will look like this:
GET / HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/test-cgi HTTP/1.0%0d%0a%0d%0a
These 11 options all try to hide the scan in the target logs (the requests
will still be in their logs, but if they use certain "grep"-style log-
analysers, or even some smart Intrusion Detection System (IDS), they won't
notice the scan).
Please note that you can supply more than one anti-IDS at a time, supplying
-ai1 , -ai3 and -ai5 at the same time will change /cgi-bin/test-cgi to:
/index.html%3Fparam=/.././cg%69-b%69n/./t%65st-cg%69
although not all combinations will work.
Note: - When supplying both -ai2 and -ai3, the first substitution will be
/ -> // and then / -> /./ -- so / becomes /.//./ and not //.//
For further anonymity, the scriptscanner also sends a fake
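The flip side of the eleven transformations above is that a log analyser only has to canonicalise a request path before matching it against its list of known probes, and most of them fall away. The following is an added example written for this README (it is not part of CST and not the authors' Java code): it undoes -ai1, -ai2, -ai3, -ai5, -ai7, -ai8 and -ai10 (and their combinations) on a logged path, and flags request lines whose shape betrays -ai6, -ai9 or -ai11. The sample paths, the signature list, and all function names are this example's own constructed assumptions.

```python
"""Canonicalise request paths from a web server access log so that the
anti-IDS forms listed above collapse back to the plain path, and flag
request lines that are not shaped like an RFC request line.
Added example for defenders; not CST code."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample signature list: the plain paths we want to recognise.
PROBE_SIGNATURES = {"/cgi-bin/test-cgi", "/scripts/secretfiles/password.lst"}

# Constructed sample request paths, one per transformation from the README
# (not real log data). The -ai10 entry uses 2K of junk as the text describes.
SAMPLE_PATHS = {
    "ai1": "/cg%69-b%69n/t%65st-cg%69",
    "ai2": "//cgi-bin//test-cgi",
    "ai3": "/./cgi-bin/./test-cgi",
    "ai5": "/index.html%3Fparam=/../cgi-bin/test-cgi",
    "ai7": "/scripts\\secretfiles\\password.lst",
    "ai8": "/SCRIPTS/SECRETFILES/PASSWORD.LST",
    "ai10": "/" + "x" * 2048 + "/../cgi-bin/test-cgi",
    "ai1+3+5": "/index.html%3Fparam=/.././cg%69-b%69n/./t%65st-cg%69",
    "benign": "/products/list.cgi?page=2",
}


def normalise_path(raw: str, case_insensitive: bool = True) -> str:
    """Return the canonical form of a raw request-URI path."""
    # 1. A real query string starts with a literal '?', so split it off first.
    #    The encoded %3F of -ai5 is still inside the path at this point and is
    #    decoded below, which is exactly how the server sees it.
    path = raw.split("?", 1)[0]
    # 2. Undo percent-encoding (-ai1). Bounded loop so double-encoded input is
    #    also handled and a pathological input cannot loop forever.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # 3. DOS/Windows separators become forward slashes (-ai7).
    path = path.replace("\\", "/")
    # 4. Collapse runs of slashes (-ai2). Done before normpath, which would
    #    otherwise keep a leading '//' as POSIX permits.
    path = re.sub(r"/+", "/", path)
    # 5. Resolve '/./' and '/segment/../' (-ai3, -ai5, -ai10, combinations).
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    # 6. Case-fold for hosts on case-insensitive filesystems (-ai8).
    if case_insensitive:
        path = path.lower()
    return path


def matches_probe(raw: str) -> bool:
    """True if the canonical form of a logged path is a known probe."""
    return normalise_path(raw) in PROBE_SIGNATURES


def request_line_anomalies(request_line: str) -> list:
    """Flag request-line shapes an RFC-conformant client would not send."""
    flags = []
    fields = request_line.split(" ")
    # An RFC request line is exactly: method SP request-URI SP HTTP-version.
    if len(fields) != 3:
        flags.append("malformed-request-line")  # other separators (-ai6), -ai11
    if not re.fullmatch(r"[A-Z]+", fields[0]):
        flags.append("non-alpha-method")        # e.g. HEAD%00 (-ai9)
    if re.search(r"%0[dD]%0[aA]", request_line):
        flags.append("encoded-crlf")            # header smuggled in the URI (-ai11)
    if len(request_line) > 1024:
        flags.append("overlong-request")        # ~2K junk prefix (-ai10)
    return flags


if __name__ == "__main__":
    for label, raw in SAMPLE_PATHS.items():
        print(f"{label:8} -> {normalise_path(raw)[:40]!r:44} probe={matches_probe(raw)}")
    for line in ("HEAD%00 /data/secretfile.mdb HTTP/1.0",
                 "GET / HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/test-cgi HTTP/1.0%0d%0a%0d%0a",
                 "GET /products/list.cgi HTTP/1.0"):
        print(line[:40], request_line_anomalies(line))
```

The ordering of the steps matters: slashes are collapsed before `normpath` because POSIX allows a leading `//` to mean something different and `posixpath.normpath` preserves it, and the literal `?` is split off before decoding so that the `%3F` of -ai5 is treated as part of the path, as the target server treats it. Case folding is only right for hosts on case-insensitive filesystems; pass `case_insensitive=False` for Unix hosts if your signature list distinguishes case.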
"X-Forwarded-For:" header with a random IP, generated every time you
start the scriptscanner, and a fake browser version, taken out of the
file cst_agents.db (cst cycles through the cst_agent.db - so when it
reaches the end, it starts from the beginning again).
If wanted, you can also let cst send a fake "Referer:" header, showing
a Google search query ("how to install "), you can do
that by supplying the flag "-go" on the command line.
-get
----
When requesting the scripts/dirs, the CST scriptscanner uses an HTTP HEAD
request by default instead of a GET (because HEAD is faster). If you want to
use a GET instead of HEAD, you can supply this option.
-nf
---
When you supply this option, the scriptscanner won't show files returning
a 403 (forbidden) return code. This can be useful for scanning servers that
always return a 403, even if the file doesn't exist (like most IIS servers).
-sc:[,,]
-----------------
This version shows a message when the HTTP return code for the script/dir
is either 200, 201, 202, 204, 403 or 401.
If you want the scriptscanner to output other HTTP return codes, you can
use this option. is either a full return code (like 500) or a part
of a code.
If you want the scriptscanner to output the return code 500 too, you use
the flag -sc:500
If you want the scriptscanner to output the codes 500 and 400 too, you use
the flag -sc:500,400
Partial codes are also allowed, so if you want the scanner to output the
400 return code and all codes starting with a 5, you would use the flag:
-sc:5,400
2) The CST port scanner:
------------------------
To portscan a server, start cst_ports.class like this:
java cst_ports [-h: or -H:] -p:[-,,...]
-h:
---------
This is the address/IP of a single server you want to portscan
-H:
-------------
With this flag, you can specify a list with servers to portscan. If you
have a file "serverlist" with in it a list of servers, you would add the
flag:
-H:serverlist
In this file, each server needs to be on a new line.
-p:[-,,...]
--------------------------------
You can use two ways to supply which ports to scan:
- a single port, ex: 22
- a portrange, ex: 20-1024 or 1000-800
You aren't limited to 1 port or portrange, suppose you want to portscan
www.test.net on the ports 21, 22, 23, 25, 80, 110, and 200 to 1024, start
the portscanner like this:
java cst_ports -h:www.test.net -p:21-23,25,80,110,200-1024
Note: if you supply a portrange in descending order, these ports will also
get scanned in that order.
-s:
-----------
By default the portscanner sends the string "HELP\n\n\n" (without the quotes)
to each open port. If you want it to send a different string, you can supply
one on the command line with the -s: option. It supports all characters,
and the following escape sequences: \n, \t, \b, \r, \f, \0
If you're running the portscanner in a windows environment, you can just use
the escape sequences as is, for example to send "\nHELP\n" you would use:
java cst_ports -h:www.test.net -p:22 -s:\nHELP\n
In a unix environment you'll have to escape the escape sequences, otherwise
they get interpreted by the shell, so to send "\nHELP\n" you would use:
java cst_ports -h:www.test.net -p:22 -s:\\nHELP\\n
If you know any interesting strings to send, let us know.
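To make the two portscanner option formats above concrete (the -p: port list with ascending and descending ranges scanned in the order given, and the -s: string with its \n, \t, \b, \r, \f, \0 escapes), here is an added example parser written for this README. It is not CST code and not the authors' Java; the function names are this example's own, and its treatment of an unknown escape such as "\q" (kept literally) is an assumption, since the README does not say what the tool does with one.

```python
"""Parse the CST portscanner's -p: port list and -s: send string.
Added example, not part of CST."""

# The escape sequences the README lists for -s:.
SEND_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "r": "\r", "f": "\f", "0": "\0"}


def parse_ports(spec: str) -> list:
    """'21-23,25,80,110,200-1024' -> ports in the order they should be scanned.

    A descending range such as 1000-800 yields descending ports, matching the
    README's note that such a range is scanned in that order."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            step = 1 if lo <= hi else -1
            candidates = range(lo, hi + step, step)
        else:
            candidates = [int(item)]
        for port in candidates:
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
            ports.append(port)
    return ports


def unescape_send_string(s: str) -> str:
    """Expand the -s: escape sequences into the bytes actually sent.

    Unknown backslash pairs are kept literally (assumption of this example)."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in SEND_ESCAPES:
            out.append(SEND_ESCAPES[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # The port list from the README example and the default send string.
    print(parse_ports("21-23,25,80,110,200-1024")[:8], "...")
    print(parse_ports("1000-800")[:5], "...")
    print(repr(unescape_send_string("HELP\\n\\n\\n")))
    print(repr(unescape_send_string("\\nHELP\\n")))
```

Note the shell quoting point from the README applies before this parser ever runs: on Unix the shell consumes one level of backslashes, so the string that reaches the program from `-s:\\nHELP\\n` is `\nHELP\n`, which is what `unescape_send_string` expects.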
-l:
------------
The portscanner saves (appends) the full screen output to a file called
cst_ports.log in the same directory as the scanner. If you wish to save the
results in another file, you can use the -l: option to specify
another file. If the file you specify already exists, the result will be
appended to the file.
At the moment, the CST portscanner isn't really advanced - it can only
perform full-connection TCP scans, no UDP yet, and no threads either (this
will be improved in some next version of CST).
If you forget an option, you'll get an errorscreen:
<-- START ERRORSCREEN--
cst_ports [-h: or -H:] -p:[-,,...]
-h: = Host to scan [+]
-H: = File with hosts to scan [+]
-p:,- = Single port or range to scan [+]
-s: = String to send to open port
-l: = Logfile to use (standard cst_ports.log)
<-- END ERRORSCREEN--
3) Last words / greets:
-----------------------
If you find a bug in either the CST scriptscanner or the CST port scanner,
or have an idea for a feature that would be cool in one of the CST tools
(or a new tool for CST), please let us know via email:
toxic@blackhat.be
webmaster@blackhat.be
Check our site http://www.blackhat.be/ for the latest version of CST,
its databases, and scanstrings.
greets/thanks to everybody who supports us
+----------------------------- cum memberlist --------------------------------+
.___ immortal intruder :
.,-------, .___
_/ \..,-------, - functions : coder, phreaker, techlab
\____________/ \_ maintenance, weedsupply
\____________/
toxic ocean : ,;--------.
/___/ \___\
- functions : hacker, coder, phreaker, page / \.,-------,
maintenance, techlab maintenance `-------> '--- \_
/___________/
___
/ : _________ hacker :
_/ ;--, _\ /
\____, \/ ,---< - functions : grafix, ascii's
| \________\
|_____\
,________
liquid-x : \ / ___ ____
\ /---\ `." /
- functions : grafix, page maintenance/design \ ' >- --<
`-------'__.l,___\
+---------------------------------- board list -------------------------------+
- world headquarters -
___, ,______ ________
/ :___ _________ : /---, / -- /
/ ' < - \_______;_ / / _______/ -,--;_ hc/cum
`-----; \___;_____\ / -; / -- >____: \
[= = = ==== : \ ==== < . ---<< \ \_/ -----'-, ==`-----' ==== = = ]
,______\ \________\____\___/___________\
( H A C K E R T O W N )
number - [+32]-xxxxxxxxxx ö world headquarters cum!!
sysop - immortal intruder ö offline
- belgian agora -
..... ... .....
: ......... ..... ...
__________: .__ : :
....../ _ _ \\_\ __\ -,-----,,-----/--------;_________ :
: "---/ \---'" \ ' /__________/ //__ _
: _/ \__________ __>>-- --<<_<__ __<< . ---<< : :
: _ _\\________/ ___ \_/ , \ \________\\_\__ \_ :
/___________/-----:"-----' :
: : : :
: ....... .... ..... :
: : hc/cum
_________; __,__ :
number - +32-xxxxxxx : / , / ________:_ _/ ' \\_ _______
sysop - toxic ocean ; /____/ /---/ ___ \_/ \ \-/ -- >>__ _ :
belgian agora cum! ...` / ' /___________/____;____> -----'-,......;
offline `---------: : /___________\\__
; :
.... ..... ... .... ...... ....
- courier zone -
.
. . . . ø
. .
. ø . . .
______ ______ ______ ______ ______ ______ ___
_ _______| _|___| _|___| _|_/ ___|___| _|_/ __ _| | _ _ ___
\_\\ \_ | \_ \_ | \____ \_ | \_____ \_ |______\_\__\
| | | | | | | | | | | | | | |
| | | | | | | | | | | | | | |
\\___ _ |___| |\___ _ |\___ _ |\___ _ |___| |\___ _ |
MtL!<<<<____¬<<<<____¬<<<<____¬<<<<____¬<<<<____¬<<<<____¬<<<<____¬tPY!
.... P R O J E C T ....
:...........................................................................:
number ö [+32]-xxxxxxxxxx - courier zone cum!
sysop ö hacker - offline
+---------------------------------- other info -------------------------------+
i-net site : http://www.blackhat.be/
e-mail : webmaster@blackhat.be
+------------------ we are immune to the system! -------------------+
+--- ascii by hacker for cum / last updated by toxic ocean on 30 Dec 2002 ----+