""""""" "" """""""""" """""""""""""""""" """ """""""""""" """"" """"""""" """" , crewl underground madness . : _____________________ ____ ; hc ; _ _ ____l__ _ _ __ __ _\ / / \ \/ /_ __ __ _____ __:___ ___|_ ( __ ((_ )__ (( _ __// , --<< << << _ _ >>>__)_ ___))__ (__ ___ )) _ k q \________\________\___\/___/ p : ; : ' "we do whatever tickles our dick!" . """""" """"""""" """" """""""""" """"""""""""""" """""""""" """"""""""""" """ +-----------------[CUM Security Toolkit v1.41 - CST v1.41]--------------------+ The CUM Security Toolkit contains two tools: a script scanner, and a port scanner - both are written in Java. You need a Java runtime environment to run them, check http://java.sun.com/ for one (look for j2se or a Java virtual machine). The script scanner has various anti-IDS options, supports multiple proxy servers and comes with big editable script databases. The port scanner is a simple TCP scanner with banner output (so it shows what reply comes from an open port) and has the ability to send custom strings to the open ports, so it's more like an enumeration / stress tool. 1) The CST scriptscanner: ------------------------- To scan a server, start cst_cgis.class like this: java cst_cgis -db: -d: -h: -db: ------------ is the database with scripts to scan for - in this release, there are 3 that come standard: cst_unx.db , cst_win.db and big.db cst_unx.db is best suited for all types of Apache, NCSA etc. webservers cst_win.db is best suited for IIS, Lotus-Domino, Netscape etc. webservers big.db when you're not sure, or really want to test *alot* - this one contains over 1600 files/dirs to check - not recommended to scan a host that's not yours since it will make alot of noise in the logs If you think the scanner should scan for an extra directory or file, you can add the directory/file into one of the two databases with a texteditor of your choice (vi, pico, notepad...), or you can create a new database. 
Suppose you want to add a check for "newscript.cgi", which is normally found
in the bin directory. You can add this to cst_unx.db as:

  /$CSTBINDIR$/newscript.cgi

When that database is supplied to the scriptscanner, it will scan for the
script "newscript.cgi" in the scriptdir supplied on the command line (the -d:
option). If you want to add a script that always gets installed in the same
directory, for example /secretfiles/password.pl, you can add it on a new line
in a database as-is:

  /secretfiles/password.pl

If you have a good custom database, or know some extra directories/files to
scan for, please let us know via email: webmaster@blackhat.be or go to our
site ( http://www.blackhat.be/ ). In the CST section there is a form where
you can submit new scripts to check, and there you can also download the
latest scan databases.

-d:<scriptdir>
--------------
With this option you specify in which scriptdir the scanner should look for
the standard scripts. For an Apache Unix webserver you would normally use:

  -d:cgi-bin

The scriptscanner then substitutes every "$CSTBINDIR$" string in the database
with the directory supplied, and requests the resulting paths from the target
server.

-h:<host>[:<port>]
------------------
With this flag you specify which server to scan. To scan www.test.net you
would add:

  -h:www.test.net

If you want to scan for scripts on another port than the standard port 80,
add an extra :<port> after the host. To scan www.test.net on port 81:

  -h:www.test.net:81

-H:<hostfile>
-------------
With this flag you can specify a file with a list of servers to scan. If you
have a file "serverlist" containing the servers, add:

  -H:serverlist

In this file each server needs to be on its own line. You can still use the
":<port>" suffix after a server to specify a port other than the standard
port 80.
Sample hostfile:

  www.test.net
  www.test.com:81
  www.test.org

Notes:
- Both names and IPs can be used (in the hostfile and for a single host).
- If you specify a hostfile, you can still add one more server on the command
  line with the -h: flag, so both flags can be used together.
- The CST scriptscanner sends a "Host:" header along with every request, so it
  can scan virtual hosts correctly.

The first three arguments (-db:, -d: and one of -h:/-H:) are mandatory. If
you do not supply them, you get the following error screen:

<-- START ERRORSCREEN--
cst_cgis -db:<database> -d:<scriptdir> [-h:<host> or -H:<hostfile>]

 -db:<database>          = The database with files to scan [+]
 -d:<scriptdir>          = The scriptdir to use (cgi-bin, bin, scripts, ...) [+]
 -h:<host>[:<port>]      = Server to scan (+ port [standard 80]) [+]
 -H:<hostfile>           = File with hosts to scan [+]
 -p:<proxy>[:<port>]     = Proxyserver (+ port [standard 8080])
 -P:<proxyfile>          = File with proxyservers + ports to use
 -l:<logfile>            = Logfile to use (standard cst_cgis.log)
 -ai1                    = Anti-IDS 1  - Hexadecimal values
 -ai2                    = Anti-IDS 2  - Double slashes
 -ai3                    = Anti-IDS 3  - Self-reference directories
 -ai4                    = Anti-IDS 4  - Session splicing
 -ai5                    = Anti-IDS 5  - Parameter hiding
 -ai6                    = Anti-IDS 6  - HTTP misformatting
 -ai7                    = Anti-IDS 7  - DOS/Win directory syntax
 -ai8                    = Anti-IDS 8  - Case sensitivity
 -ai9                    = Anti-IDS 9  - NULL method processing
 -ai10                   = Anti-IDS 10 - Long URLs
 -ai11                   = Anti-IDS 11 - Premature request ending
 -go                     = Use google searchstring referer
 -nf                     = Don't show 403 (forbidden) answers
 -sc:<code>[,<code>,...] = Show answers whose return code starts with <code>
 -get                    = Use GET instead of HEAD
 -w:<seconds>            = Waittime between 2 downloads (standard 0 sec)
 -t:<seconds>            = Specify timeout (standard 30 sec)
<-- END ERRORSCREEN--

As you can see, you can also scan a server through a proxy server, with the
-p: option.

-p:<proxy>[:<port>]
-------------------
This option lets you specify a proxy server to use for the scan. For example,
to use www.proxy.net to scan the Apache 1.3.27 webserver www.test.net, you
would start the scriptscanner like this:

  java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net

This will use the server www.proxy.net on
port 8080 for the scan. If you want to use another port for the proxy server,
add :<port> to the -p: flag. Suppose the proxy on www.proxy.net listens on
port 81; you would then start the scriptscanner like this:

  java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net:81

-P:<proxyfile>
--------------
This option lets you specify a file with a list of proxy servers to use for
the scan. Each proxy needs to be on its own line, and you can optionally
specify the proxy port with a ":" after the proxy (if no port is specified,
port 8080 is used). An example of a valid proxylist:

www.proxy1.com
www.proxy2.com:81
www.proxy3.com
www.proxy4.com:8181
www.proxy5.com:9001

... you get the point. (Note that each proxy must start at the beginning of
its line, without leading spaces.)

You don't need as many proxies as you have scripts in your scan database (but
that would be optimal, of course). If the scanner reaches the end of the
proxylist before it reaches the end of the script database, it cycles through
the list again from the beginning.

-l:<logfile>
------------
The scriptscanner saves (appends) the full screen output to a file called
cst_cgis.log in the same directory as the scriptscanner. If you wish to save
the results in another file, use the -l: option to specify one. If the file
you specify already exists, the results are appended to it.

-t:<seconds>
------------
With this option you can specify the I/O timeout to use for the scan. Without
this option the scanner uses a 30 second timeout.

-w:<seconds>
------------
With this option you can supply a number of seconds to wait between each
script fetch. Without this option the scriptscanner scans for all
scripts/dirs as fast as possible (no waiting between the requests). If you
want to be a bit more "undercover", supply a waittime to spread the scan out
in the target's logs.
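The database expansion ($CSTBINDIR$ and -d:), the host and proxy lists with
their default ports (-h:/-H:, -p:/-P:), proxy cycling and the HEAD request
with its Host: header, as an added example in Python. This is not CST's own
code (CST is written in Java); the sample database, hostfile and proxylist are
constructed for the example, and the comment-line convention ('#') and the
absolute-URI request line used through a proxy are assumptions not stated on
this page. Extra headers CST sends are left out.

```python
"""CST-style probe planning: database expansion, host/proxy lists and the
HEAD request with Host: header (added example, not CST's own code)."""
from itertools import cycle

# Constructed sample inputs (not the real cst_unx.db / hostfile / proxylist).
CST_DB = """\
# lines starting with '#' are treated as comments (assumption)
/$CSTBINDIR$/test-cgi
/$CSTBINDIR$/phf
/secretfiles/password.pl
"""
HOSTFILE = "www.test.net\nwww.test.com:81\nwww.test.org\n"
PROXYLIST = "www.proxy1.com\nwww.proxy2.com:81\n"


def parse_db(text, scriptdir):
    """Replace every $CSTBINDIR$ with the -d: directory, e.g. cgi-bin."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.append(line.replace("$CSTBINDIR$", scriptdir.strip("/")))
    return paths


def parse_hostlist(text, default_port):
    """One host[:port] per line; -H: defaults to 80, -P: to 8080."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.partition(":")
        entries.append((host, int(port) if port else default_port))
    return entries


def build_request(host, port, path, method="HEAD", proxy=None):
    """One probe. Host: is always sent so virtual hosts resolve; through a
    proxy the request line carries the absolute URI (assumption)."""
    target = f"http://{host}:{port}{path}" if proxy else path
    host_hdr = host if port == 80 else f"{host}:{port}"
    return f"{method} {target} HTTP/1.0\r\nHost: {host_hdr}\r\n\r\n"


def plan_scan(db_text, scriptdir, hosts, proxies=None, method="HEAD"):
    """Return (proxy, request) per probe. With fewer proxies than database
    entries the list is cycled from the beginning, as the -P: option does."""
    paths = parse_db(db_text, scriptdir)
    proxy_iter = cycle(proxies) if proxies else None
    plan = []
    for host, port in hosts:
        for path in paths:
            proxy = next(proxy_iter) if proxy_iter else None
            plan.append((proxy, build_request(host, port, path, method, proxy)))
    return plan


if __name__ == "__main__":
    hosts = parse_hostlist(HOSTFILE, 80)
    proxies = parse_hostlist(PROXYLIST, 8080)
    for proxy, req in plan_scan(CST_DB, "cgi-bin", hosts, proxies):
        print(proxy, repr(req))
```

Each probe is a full HTTP/1.0 request; with -get the method changes to GET,
everything else stays the same.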
So, if you want to use the proxy server www.proxy.net to scan the Apache
1.3.27 webserver www.test.net with a waittime of 20 seconds between each
request, you would start the scriptscanner like this:

  java cst_cgis -db:cst_unx.db -d:cgi-bin -h:www.test.net -p:www.proxy.net -w:20

To hide your scan even more, the CST scriptscanner has 11 different anti-IDS
(Intrusion Detection System) options:

-ai1
----
With this option the scriptscanner substitutes certain characters of the
script/dir with their hexadecimal (%xx) value, so scanning for
/cgi-bin/test-cgi will look like this:

  /cg%69-b%69n/t%65st-cg%69

-ai2
----
With this option the scriptscanner substitutes each slash with a double
slash, so /cgi-bin/test-cgi becomes:

  //cgi-bin//test-cgi

Note:
- This option does not work against Lotus-Domino (4.6.3) and
  Netscape-Enterprise (3.5.1) webservers.

-ai3
----
With this option the scriptscanner substitutes each slash with
slash-dot-slash (a self-referencing directory), so /cgi-bin/test-cgi becomes:

  /./cgi-bin/./test-cgi

Note:
- This option does not work against Lotus-Domino (4.6.3) and
  Netscape-Enterprise (3.5.1) webservers.

-ai4
----
With this option the scriptscanner splits the request into small packets (2
to 4 bytes each) and sends those to the target (session splicing).

Note:
- This option cannot be used with a proxy server: the proxy reassembles the
  packets and sends the whole request to the target. So when you supply this
  option NO proxy is used, even if you supply one on the command line.

-ai5
----
With this option the scriptscanner "hides" the script/dir request behind a
fake HTML parameter, so /cgi-bin/test-cgi becomes:

  /index.html%3Fparam=/../cgi-bin/test-cgi

Note:
- This option does not work against Netscape-Enterprise (3.5.1) webservers.

-ai6
----
With this option the scriptscanner "misformats" the HTTP request.
A request line must look like this (according to the RFC):

  <method><SPACE><URI><SPACE>HTTP/<version>

This option sends a <TAB> instead of a <SPACE>.

Note:
- This option does not work against Netscape-Enterprise (3.5.1), IIS or
  Lotus-Domino (4.6.3) webservers. It does work against Apache.
- If you're using a proxy server, the proxy needs to support this, and that
  isn't always the case.

-ai7
----
With this option the scriptscanner substitutes every "/" with a "\"
(starting from the second "/"). For example
/scripts/secretfiles/password.lst becomes:

  /scripts\secretfiles\password.lst

Note:
- This option works for most DOS/Windows based webservers.

-ai8
----
With this option the scriptscanner turns the script path into uppercase. For
example /scripts/secretfiles/password.lst becomes:

  /SCRIPTS/SECRETFILES/PASSWORD.LST

Note:
- This option works for most webservers running on a case insensitive
  operating system (Windows, DOS, Novell).

-ai9
----
With this option the scriptscanner inserts a NULL character (%00) between the
method and the script-to-scan. A request for /data/secretfile.mdb looks like
this:

  HEAD%00 /data/secretfile.mdb HTTP/1.0

Note:
- This option only works against IIS webservers (it sometimes works against
  Apache, but only when the response is a 403, so it's quite useless there).

-ai10
-----
With this option the scriptscanner prepends about 2K of garbage characters
to the actual script, followed by /.. so the server discards the garbage
directory again. So /cgi-bin/test-cgi becomes:

  /dsfjkgdjfg...[around 2K of garbage]...sdfkjsd/../cgi-bin/test-cgi

-ai11
-----
With this option the scriptscanner sends a request for the target's index
page and puts the request for the script in one of the headers.
A request for /cgi-bin/test-cgi will look like this:

  GET / HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/test-cgi HTTP/1.0%0d%0a%0d%0a

All 11 options try to hide the scan in the target's logs: the requests still
end up in the logs, but if the target uses "grep"-style log analysers, or
even some Intrusion Detection Systems (IDS), they won't notice the scan. Keep
in mind that any analyser that decodes the %xx values and resolves /./, //,
"\" and /.. before matching sees the original path again, so these options
only beat detectors that match the raw request string.

You can supply more than one anti-IDS option at a time. Supplying -ai1, -ai3
and -ai5 together changes /cgi-bin/test-cgi into:

  /index.html%3Fparam=/.././cg%69-b%69n/./t%65st-cg%69

although not all combinations will work.

Note:
- When supplying both -ai2 and -ai3, the first substitution is / -> // and
  then / -> /./, so / becomes /.//./ and not //.//

For further anonymity, the scriptscanner also sends a fake "X-Forwarded-For:"
header with a random IP (generated each time you start the scriptscanner) and
a fake browser User-Agent taken from the file cst_agents.db (CST cycles
through cst_agents.db; when it reaches the end it starts again from the
beginning). If wanted, you can also let CST send a fake "Referer:" header
showing a Google search query ("how to install <script>") by supplying the
flag -go on the command line.

-get
----
When requesting the scripts/dirs, the CST scriptscanner uses an HTTP HEAD
instead of a GET by default (because HEAD is faster). If you want to use GET
instead of HEAD, supply this option.

-nf
---
When you supply this option the scriptscanner won't show files returning a
403 (forbidden) return code. This is useful for scanning servers that always
return a 403, even if the file doesn't exist (like many IIS servers).

-sc:<code>[,<code>,...]
-----------------------
This version shows a message when the HTTP return code for the script/dir is
200, 201, 202, 204, 401 or 403. If you want the scriptscanner to report other
HTTP return codes, use this option. <code> is either a full return code (like
500) or the leading part of a code.
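The path-level anti-IDS options (-ai1, -ai2, -ai3, -ai5, -ai7, -ai8, -ai10),
the way they combine, and the normalisation a log analyser or IDS needs in
order to undo them, as an added example in Python (not CST's own code). The
set of characters -ai1 hex-encodes is taken from the /cg%69-b%69n/t%65st-cg%69
example above (only i and e), the garbage for -ai10 is pseudo-random letters,
and applying the options in ascending number order is inferred from the
combined -ai1/-ai3/-ai5 and -ai2/-ai3 results quoted above; all three are
assumptions. -ai4, -ai6, -ai9 and -ai11 alter the request rather than the
path and are not modelled.

```python
"""CST-style anti-IDS path mangling (-ai1/2/3/5/7/8/10) and the server-side
normalisation a detector must apply (added example, not CST's own code)."""
import posixpath
import random
import re
from urllib.parse import unquote


def ai1_hex(path):
    """Hex-encode some characters; the page's example only encodes i and e
    (/cg%69-b%69n/t%65st-cg%69), so that is what is assumed here."""
    return "".join("%%%02x" % ord(c) if c in "ie" else c for c in path)


def ai2_double_slash(path):
    return path.replace("/", "//")


def ai3_self_ref(path):
    return path.replace("/", "/./")


def ai5_param_hide(path):
    """Fake parameter: the real path hides behind an encoded '?' (%3F), so a
    parser that decodes first and then splits at '?' sees only /index.html."""
    return "/index.html%3Fparam=/.." + path


def ai7_backslash(path):
    """DOS/Win syntax: every '/' after the first becomes '\\'."""
    return path[0] + path[1:].replace("/", "\\")


def ai8_upper(path):
    return path.upper()


def ai10_long_url(path, rng=None, size=2048):
    """~2K of garbage directory followed by /.. so the server discards it."""
    rng = rng or random.Random(0)  # seeded: deterministic for the example
    junk = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(size))
    return "/" + junk + "/.." + path


TRANSFORMS = {1: ai1_hex, 2: ai2_double_slash, 3: ai3_self_ref,
              5: ai5_param_hide, 7: ai7_backslash, 8: ai8_upper,
              10: ai10_long_url}


def mangle(path, modes):
    """Apply the selected options in ascending number order (assumption)."""
    for mode in sorted(modes):
        path = TRANSFORMS[mode](path)
    return path


def naive_path(raw):
    """What a careless log analyser does: decode, then cut at the first '?'."""
    return unquote(raw).split("?", 1)[0]


def normalize(raw, case_insensitive=False):
    """Server-side view of the path: decode %xx, map '\\' to '/', collapse
    runs of '/', resolve '.' and '..' (clamped at the root, like a web
    server's document root) and optionally fold case for Windows targets."""
    path = unquote(raw).replace("\\", "/")
    path = re.sub(r"/+", "/", path)
    path = posixpath.normpath(path)
    return path.lower() if case_insensitive else path


def signature_hit(raw, signature, case_insensitive=False):
    """(raw match, normalised match): the evasions only defeat the first."""
    sig = signature.lower() if case_insensitive else signature
    return signature in raw, sig in normalize(raw, case_insensitive)


if __name__ == "__main__":
    for modes in ([1], [2, 3], [1, 3, 5], [10]):
        raw = mangle("/cgi-bin/test-cgi", modes)
        print(modes, raw[:60], signature_hit(raw, "/cgi-bin/test-cgi"))
```

normalize() is the check to run on each log line before matching a script
signature: it is what the target web server effectively does with the path,
which is why the server still finds the script while a raw-string match does
not.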
If you want the scriptscanner to also report return code 500, use the flag:

  -sc:500

If you want it to also report the codes 500 and 400, use:

  -sc:500,400

Partial codes are also allowed, so to report the 400 return code and all
codes starting with a 5, use:

  -sc:5,400

2) The CST port scanner:
------------------------

To portscan a server, start cst_ports.class like this:

  java cst_ports [-h:<host> or -H:<hostfile>] -p:<port>[-<port>,<port>,...]

-h:<host>
---------
This is the name/IP of a single server you want to portscan.

-H:<hostfile>
-------------
With this flag you can specify a file with a list of servers to portscan. If
you have a file "serverlist" containing the servers, add:

  -H:serverlist

In this file each server needs to be on its own line.

-p:<port>[-<port>,<port>,...]
-----------------------------
There are two ways to specify which ports to scan:
- a single port, e.g.: 22
- a port range, e.g.: 20-1024 or 1000-800

You are not limited to one port or port range. Suppose you want to portscan
www.test.net on the ports 21, 22, 23, 25, 80, 110, and 200 to 1024; start the
portscanner like this:

  java cst_ports -h:www.test.net -p:21-23,25,80,110,200-1024

Note: if you supply a port range in descending order, those ports are scanned
in that order.

-s:<string>
-----------
By default the portscanner sends the string "HELP\n\n\n" (without the quotes)
to each open port. If you want it to send a different string, you can supply
one on the command line with the -s: option.
It supports all characters, and the following escape sequences:

  \n, \t, \b, \r, \f, \0

If you're running the portscanner in a Windows environment, you can use the
escape sequences as-is. For example, to send "\nHELP\n" you would use:

  java cst_ports -h:www.test.net -p:22 -s:\nHELP\n

In a Unix environment you'll have to escape the backslashes, otherwise the
shell eats them (an unquoted \n reaches the program as a plain n), so to send
"\nHELP\n" you would use:

  java cst_ports -h:www.test.net -p:22 -s:\\nHELP\\n

If you know any interesting strings to send, let us know.

-l:<logfile>
------------
The portscanner saves (appends) the full screen output to a file called
cst_ports.log in the same directory as the scanner. If you wish to save the
results in another file, use the -l: option to specify one. If the file you
specify already exists, the results are appended to it.

At the moment the CST portscanner isn't very advanced: it can only perform
full-connect TCP scans, no UDP yet, and no threads either (this will be
improved in a next version of CST). A full connect completes the TCP
handshake, so every probe is visible to the target and comes from your own
address; the port scanner has no proxy or anti-IDS options.

If you forget an option, you get an error screen:

<-- START ERRORSCREEN--
cst_ports [-h:<host> or -H:<hostfile>] -p:<port>[-<port>,<port>,...]

 -h:<host>                = Host to scan [+]
 -H:<hostfile>            = File with hosts to scan [+]
 -p:<port>,<port>-<port>  = Single port or range to scan [+]
 -s:<string>              = String to send to open port
 -l:<logfile>             = Logfile to use (standard cst_ports.log)
<-- END ERRORSCREEN--

3) Last words / greets:
-----------------------

If you find a bug in either the CST scriptscanner or the CST port scanner, or
have an idea for a feature that would be cool in one of the CST tools (or a
new tool for CST), please let us know via email:

  toxic@blackhat.be
  webmaster@blackhat.be

Check our site http://www.blackhat.be/ for the latest version of CST, its
databases and scan strings.
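The port specification and -s: escape handling of the port scanner (section
2 above), together with a full-connect banner grab of the kind it performs,
as an added example in Python (not CST's own code). The local listener at the
end is a constructed stand-in for a real service so that the example runs
offline; keeping unknown backslash pairs literally, rejecting ports outside
1-65535 and reading until the peer closes or the timeout expires are
assumptions the page does not state.

```python
"""CST-style port list parsing, -s: escape decoding and a sequential
full-connect banner grab (added example, not CST's own code)."""
import socket
import threading

# The escape sequences the -s: option documents: \n \t \b \r \f \0
ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "r": "\r", "f": "\f", "0": "\0"}


def unescape(s):
    """Decode the -s: string as typed on the command line. Any other
    backslash pair is kept as-is (assumption)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in ESCAPES:
            out.append(ESCAPES[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_ports(spec):
    """'21-23,25,80,110,200-1024' -> ordered list of ports. A descending
    range such as 1000-800 is scanned in that order, as the page says."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            step = 1 if lo <= hi else -1
            ports.extend(range(lo, hi + step, step))
        else:
            ports.append(int(item))
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return ports


def grab_banner(host, port, payload, timeout=5.0):
    """Full TCP connect (the handshake completes, so the target sees it);
    on success send the payload and return everything the peer replies.
    Returns None when the port is closed, filtered or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if payload:
                s.sendall(payload.encode("latin-1"))
            chunks = []
            try:
                while True:
                    data = s.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # peer kept the socket open; report what we have
            return b"".join(chunks).decode("latin-1", "replace")
    except OSError:
        return None


def scan(host, spec, send_string="HELP\\n\\n\\n", timeout=5.0):
    """Sequential (no threads, like CST) connect scan; the default send
    string is the page's "HELP\\n\\n\\n" before escape decoding."""
    payload = unescape(send_string)
    return {p: grab_banner(host, p, payload, timeout) for p in parse_ports(spec)}


def start_fake_service(banner=b"220 constructed-ftp ready\r\n"):
    """Constructed local listener so the example runs offline: sends a
    banner, echoes what it receives once, then closes. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.sendall(b"you sent: " + conn.recv(256))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_service()
    for p, reply in scan("127.0.0.1", f"{port}", "HELP\\n", timeout=2.0).items():
        print(p, "open" if reply is not None else "closed", repr(reply))
```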
greets/thanks to everybody who supports us

+----------------------------- cum memberlist --------------------------------+

  immortal intruder - functions: coder, phreaker, techlab maintenance,
                      weedsupply
  toxic ocean       - functions: hacker, coder, phreaker, page maintenance,
                      techlab maintenance
  hacker            - functions: grafix, ascii's
  liquid-x          - functions: grafix, page maintenance/design

+---------------------------------- board list -------------------------------+

  HACKERTOWN    - world headquarters cum!!  number: [+32]-xxxxxxxxxx
                  sysop: immortal intruder  (offline)
  BELGIAN AGORA - belgian agora cum!        number: +32-xxxxxxx
                  sysop: toxic ocean        (offline)
  PROJECT       - courier zone cum!         number: [+32]-xxxxxxxxxx
                  sysop: hacker             (offline)

+---------------------------------- other info -------------------------------+

  i-net site : http://www.blackhat.be/
  e-mail     : webmaster@blackhat.be

+------------------ we are immune to the system! -------------------+
+--- ascii by hacker for cum / last updated by toxic ocean on 30 Dec 2002 ----+