GetUserSPNs.py

Description

Part of the Impacket network tool suite – queries target domain for SPNs that are running under a user account (requires valid domain credentials).

Usage

Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation
 
usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN]
                      [-usersfile USERSFILE] [-request]
                      [-request-user username] [-save]
                      [-outputfile OUTPUTFILE] [-debug]
                      [-hashes LMHASH:NTHASH] [-no-pass] [-k]
                      [-aesKey hex key] [-dc-ip ip address]
                      target
 
Queries target domain for SPNs that are running under a user account
 
positional arguments:
  target                domain/username[:password]
 
optional arguments:
  -h, --help            show this help message and exit
  -target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain
                        of the user. Allows for Kerberoasting across trusts.
  -usersfile USERSFILE  File with user per line to test
  -request              Requests TGS for users and output them in JtR/hashcat
                        format (default False)
  -request-user username
                        Requests TGS for the SPN associated to the user
                        specified (just the username, no domain needed)
  -save                 Saves TGS requested to disk. Format is
                        <username>.ccache. Auto selects -request
  -outputfile OUTPUTFILE
                        Output filename to write ciphers in JtR/hashcat format
  -debug                Turn DEBUG output ON
 
authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from
                        ccache file (KRB5CCNAME) based on target parameters.
                        If valid credentials cannot be found, it will use the
                        ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256
                        bits)
  -dc-ip ip address     IP Address of the domain controller. If ommited it use
                        the domain part (FQDN) specified in the target
                        parameter. Ignoredif -target-domain is specified.

Examples

 GetUserSPNs.py hiboxy.com/bgreen:Password1 -request -dc-ip 10.130.10.4 | tee /tmp/spns.output

This will return SPNs for accounts that might have elevated privileges. Grep out the hashes into a separate file and crack them with hashcat.

Blog Posts

gobuster

Description

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.
  • DNS subdomains (with wildcard support).
  • Virtual Host names on target web servers.
  • Open Amazon S3 buckets.

Platform: Linux
Author: OJ
License: Free
URL: https://github.com/OJ/gobuster

Usage

Usage:
  gobuster [command]
 
Available Commands:
  dir         Uses directory/file enumeration mode
  dns         Uses DNS subdomain enumeration mode
  fuzz        Uses fuzzing mode
  help        Help about any command
  s3          Uses aws bucket enumeration mode
  version     shows the current version
  vhost       Uses VHOST enumeration mode
 
Flags:
      --delay duration    Time each thread waits between requests (e.g. 1500ms)
  -h, --help              help for gobuster
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Examples

gobuster dir -u x.x.x.x -w /usr/share/dirb/wordlists/common.txt -x .php

This brute-force enumerates directories and files on a website from a wordlist, also trying each word with the given file extension (here .php).

└──╼ [★]$ gobuster dir -u 10.129.152.242 -w /usr/share/dirb/wordlists/common.txt -x .php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.152.242
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/03/20 21:03:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta.php             (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/assets               (Status: 301) [Size: 317] [--> http://10.129.152.242/assets/]
/config.php           (Status: 200) [Size: 0]                                     
/css                  (Status: 301) [Size: 314] [--> http://10.129.152.242/css/]  
/dashboard            (Status: 301) [Size: 320] [--> http://10.129.152.242/dashboard/]
/fonts                (Status: 301) [Size: 316] [--> http://10.129.152.242/fonts/]   
/index.html           (Status: 200) [Size: 58565]                                    
/js                   (Status: 301) [Size: 313] [--> http://10.129.152.242/js/]      
/login.php            (Status: 200) [Size: 1577]                                     
/logout.php           (Status: 302) [Size: 0] [--> login.php]                        
/server-status        (Status: 403) [Size: 279]                                      
                                                                                       
===============================================================
2022/03/20 21:03:38 Finished
===============================================================

Blog Posts

masscan

Description

masscan is an Internet-scale port scanner, useful for large-scale surveys of the Internet or of internal networks. While the default transmit rate is only 100 packets/second, it can optionally go as fast as 25 million packets/second, a rate sufficient to scan the Internet in 3 minutes for one port.

Platform: Linux
Author: Robert Graham
License: Free
URL: https://github.com/robertdavidgraham/masscan

Usage

OPTIONS
       ·   <ip/range>: anything on the command-line not prefixed with a '-' is assumed to be an IP address or range. There are three valid formats. The first is a single IPv4 address like "192.168.0.1". The second is a range like "10.0.0.1-10.0.0.100". The third is a CIDR address, like "0.0.0.0/0". At least one target must be specified. Multiple targets can be specified. This can be specified as multiple options separated by space, or can be separated by a comma as a single option, such as 10.0.0.0/8,192.168.0.1.

       ·   --range <ip/range>: the same as the target range spec described above, except as a named parameter instead of an unnamed one.

       ·   -p <ports>, --ports <ports>: specifies the port(s) to be scanned. A single port can be specified, like -p80. A range of ports can be specified, like -p 20-25. A list of ports/ranges can be specified, like -p80,20-25. UDP ports can also be specified, like --ports U:161,U:1024-1100.

       ·   --banners: specifies that banners should be grabbed, like HTTP server versions, HTML title fields, and so forth. Only a few protocols are supported.

       ·   --rate <packets-per-second>: specifies the desired rate for transmitting packets. This can be very small numbers, like 0.1 for transmitting packets at rates of one every 10 seconds, or very large numbers like 10000000, which attempts to transmit at 10 million packets/second. In my experience, Windows can do 250 thousand packets per second, and latest versions of Linux can do 2.5 million packets per second. The PF_RING driver is needed to get to 25 million packets/second.

       ·   -c <filename>, --conf <filename>: reads in a configuration file. The format of the configuration file is described below.

       ·   --resume <filename>: the same as --conf, except that a few options are automatically set, such as --append-output. The format of the configuration file is described below.

       ·   --echo: don't run, but instead dump the current configuration to a file. This file can then be used with the -c option. The format of this output is described below under 'CONFIGURATION FILE'.

       ·   -e <ifname>, --adapter <ifname>: use the named raw network interface, such as "eth0" or "dna1". If not specified, the first network interface found with a default gateway will be used.

       ·   --adapter-ip <ip-address>: send packets using this IP address. If not specified, then the first IP address bound to the network interface will be used. Instead of a single IP address, a range may be specified. NOTE: The size of the range must be an even power of 2, such as 1, 2, 4, 8, 16, 1024 etc. addresses.

       ·   --adapter-port <port>: send packets using this port number as the source. If not specified, a random port will be chosen in the range 40000 through 60000. This port should be filtered by the host firewall (like iptables) to prevent the host network stack from interfering with arriving packets. Instead of a single port, a range can be specified, like 40000-40003. NOTE: The size of the range must be an even power of 2, such as the example above that has a total of 4 addresses.

       ·   --adapter-mac <mac-address>: send packets using this as the source MAC address. If not specified, then the first MAC address bound to the network interface will be used.

       ·   --router-mac <mac address>: send packets to this MAC address as the destination. If not specified, then the gateway address of the network interface will be ARPed.

       ·   --ping: indicates that the scan should include an ICMP echo request. This may be included with TCP and UDP scanning.

       ·   --exclude <ip/range>: blacklist an IP address or range, preventing it from being scanned. This overrides any target specification, guaranteeing that this address/range won't be scanned. This has the same format as the normal target specification.

       ·   --excludefile <filename>: reads in a list of exclude ranges, in the same target format described above. These ranges override any targets, preventing them from being scanned.

       ·   --append-output: causes output to append to the file, rather than overwriting the file.

       ·   --iflist: lists the available network interfaces, and then exits.

       ·   --retries: the number of retries to send, at 1 second intervals. Note that since this scanner is stateless, retries are sent regardless of whether replies have already been received.

       ·   --nmap: print help about nmap-compatibility alternatives for these options.

       ·   --pcap-payloads: read packets from a libpcap file containing packets and extract the UDP payloads, and associate those payloads with the destination port. These payloads will then be used when sending UDP packets with the matching destination port. Only one payload will be remembered per port. Similar to --nmap-payloads.

       ·   --nmap-payloads <filename>: read in a file in the same format as the nmap file nmap-payloads. This contains UDP payloads, so that we can send useful UDP packets instead of empty ones. Similar to --pcap-payloads.

       ·   --http-user-agent <user-agent>: replaces the existing user-agent field with the indicated value when doing HTTP requests.

       ·   --open-only: report only open ports, not closed ports.

       ·   --pcap <filename>: saves received packets (but not transmitted packets) to the libpcap-format file.

       ·   --packet-trace: prints a summary of those packets sent and received. This is useful at low rates, like a few packets per second, but will overwhelm the terminal at high rates.

       ·   --pfring: force the use of the PF_RING driver. The program will exit if PF_RING DNA drivers are not available.

       ·   --resume-index: the point in the scan at which it was paused.

       ·   --resume-count: the maximum number of probes to send before exiting. This is useful with --resume-index to chop up a scan and split it among multiple instances, though the --shards option might be better.

       ·   --shards <x>/<y>: splits the scan among instances. x is the id for this scan, while y is the total number of instances. For example, --shards 1/2 tells an instance to send every other packet, starting with index 0. Likewise, --shards 2/2 sends every other packet, but starting with index 1, so that it doesn't overlap with the first example.

       ·   --rotate <time>: rotates the output file, renaming it with the current timestamp, moving it to a separate directory. The time is specified in number of seconds, like "3600" for an hour. Or, units of time can be specified, such as "hourly", or "6hours", or "10min". Times are aligned on an even boundary, so if "daily" is specified, then the file will be rotated every day at midnight.

       ·   --rotate-offset <time>: an offset in the time. This is to accommodate timezones.

       ·   --rotate-dir <directory>: when rotating the file, this specifies which directory to move the file to. A useful directory is /var/log/masscan.

       ·   --seed <integer>: an integer that seeds the random number generator. Using a different seed will cause packets to be sent in a different random order. Instead of an integer, the string time can be specified, which seeds using the local timestamp, automatically generating a different random order of scans. If no seed is specified, time is the default.

       ·   --regress: run a regression test, returns '0' on success and '1' on failure.

       ·   --ttl <num>: specifies the TTL of outgoing packets, defaults to 255.

       ·   --wait <seconds>: specifies the number of seconds after transmit is done to wait for receiving packets before exiting the program. The default is 10 seconds. The string forever can be specified to never terminate.

       ·   --offline: don't actually transmit packets. This is useful with a low rate and --packet-trace to look at what packets might've been transmitted. Or, it's useful with --rate 100000000 in order to benchmark how fast transmit would work (assuming a zero-overhead driver). PF_RING is about 20% slower than the benchmark result from offline mode.

       ·   -sL: this doesn't do a scan, but instead creates a list of random addresses. This is useful for importing into other tools. The options --shard, --resume-index, and --resume-count can be useful with this feature.

       ·   --interactive: show the results in realtime on the console. It has no effect if used with --output-format or --output-filename.

       ·   --output-format <fmt>: indicates the format of the output file, which can be xml, binary, grepable, list, or JSON. The option --output-filename must be specified.

       ·   --output-filename <filename>: the file to save results to. If the parameter --output-format is not specified, then the default of xml will be used.

       ·   -oB <filename>: sets the output format to binary and saves the output in the given filename. This is equivalent to using the --output-format and --output-filename parameters. The option --readscan can then be used to read the binary file. Binary files are much smaller than their XML equivalents, but require a separate step to convert back into XML or another readable format.

       ·   -oX <filename>: sets the output format to XML and saves the output in the given filename. This is equivalent to using the --output-format xml and --output-filename parameters.

       ·   -oG <filename>: sets the output format to grepable and saves the output in the given filename. This is equivalent to using the --output-format grepable and --output-filename parameters.

       ·   -oJ <filename>: sets the output format to JSON and saves the output in the given filename. This is equivalent to using the --output-format json and --output-filename parameters.

       ·   -oL <filename>: sets the output format to a simple list format and saves the output in the given filename. This is equivalent to using the --output-format list and --output-filename parameters.

       ·   --readscan <binary-files>: reads the files created by the -oB option from a scan, then outputs them in one of the other formats, depending on command-line parameters. In other words, it can take the binary version of the output and convert it to an XML or JSON format.

Examples

masscan -p22,445,3389 --rate 15000 -oB myscan.mass x.x.x.x/8

This will check the specified ports across the /8 network at a rate of 15,000 packets per minute. This is probably the maximum rate you should ever run masscan at. The -oB option saves the output in masscan's binary format (to save space); the output file can be converted to other formats as needed.

sec@slingshot:~$ sudo masscan --ports 0-65535 --rate 15000 --src-port=55555 -oB /tmp/local.masscan 127.0.0.1
 
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2022-03-15 15:21:58 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
masscan --readscan myscan.mass -oX myscan.xml

This will read a previous scan that was saved in binary format and save a copy as XML. The following is the contents of an example XML format scan.

<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<?xml-stylesheet href="" type="text/xsl"?>
<nmaprun scanner="masscan" start="1647358016" version="1.0-BETA"  xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1640365642"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="3268"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365644"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="49699"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365672"><address addr="10.130.10.6" addrtype="ipv4"/><ports><port protocol="tcp" portid="5986"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365691"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="49667"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365693"><address addr="10.130.10.21" addrtype="ipv4"/><ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365693"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6402"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365698"><address addr="10.130.10.44" addrtype="ipv4"/><ports><port protocol="tcp" portid="5986"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365699"><address addr="10.130.10.21" addrtype="ipv4"/><ports><port protocol="tcp" portid="5986"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365723"><address addr="10.130.10.44" addrtype="ipv4"/><ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365735"><address addr="10.130.10.6" addrtype="ipv4"/><ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365743"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="5986"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365746"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="477"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640365748"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="477"><state state="open" reason="response" reason_ttl="128" /><service name="ftp" banner="220 mail01.hiboxy.com MICROSOFT ESMTP MAIL SERVICE READY AT Fri, 24 Dec 2021 17:09:06 +0000\x0a503 5.5.1 Bad sequence of commands"></service></port></ports></host>
...
<host endtime="1640366213"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="587"><state state="open" reason="response" reason_ttl="128" /><service name="smtp" banner="220 mail01.hiboxy.com Microsoft ESMTP MAIL Service ready at Fri, 24 Dec 2021 17:16:49 +0000\x0a250-mail01.hiboxy.com Hello [10.130.10.99]\x0a250-SIZE 37748736\x0a250-PIPELINING\x0a250-DSN\x0a250-ENHANCEDSTATUSCODES\x0a250-STARTTLS\x0a250-AUTH GSSAPI NTLM\x0a250-8BITMIME\x0a250-BINARYMIME\x0a250-CHUNKING\x0a250 SMTPUTF8\x0a220 2.0.0 SMTP server ready"></service></port></ports></host>
<host endtime="1640366218"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="49674"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366220"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6744"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366222"><address addr="10.130.10.44" addrtype="ipv4"/><ports><port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366229"><address addr="10.130.10.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="23"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366230"><address addr="10.130.10.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="23"><state state="open" reason="response" reason_ttl="64" /><service name="ssh" banner="SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"></service></port></ports></host>
<host endtime="1640366233"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="135"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366235"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="25"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366236"><address addr="10.130.10.33" addrtype="ipv4"/><ports><port protocol="tcp" portid="5985"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366237"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="475"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366239"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="475"><state state="open" reason="response" reason_ttl="128" /><service name="ftp" banner="220 mail01.hiboxy.com MICROSOFT ESMTP MAIL SERVICE READY AT Fri, 24 Dec 2021 17:17:17 +0000\x0a503 5.5.1 Bad sequence of commands"></service></port></ports></host>
<host endtime="1640366239"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="25"><state state="open" reason="response" reason_ttl="128" /><service name="smtp" banner="220 mail01.hiboxy.com Microsoft ESMTP MAIL Service ready at Fri, 24 Dec 2021 17:17:15 +0000\x0a250-mail01.hiboxy.com Hello [10.130.10.99]\x0a250-SIZE 37748736\x0a250-PIPELINING\x0a250-DSN\x0a250-ENHANCEDSTATUSCODES\x0a250-STARTTLS\x0a250-X-ANONYMOUSTLS\x0a250-AUTH NTLM\x0a250-X-EXPS GSSAPI NTLM\x0a250-8BITMIME\x0a250-BINARYMIME\x0a250-CHUNKING\x0a250-SMTPUTF8\x0a250 XRDST\x0a220 2.0.0 SMTP server ready"></service></port></ports></host>
<host endtime="1640366241"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366245"><address addr="10.130.10.44" addrtype="ipv4"/><ports><port protocol="tcp" portid="139"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366250"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="49674"><state state="open" reason="response" reason_ttl="128" /><service name="unknown" banner="ncacn_http/1.0"></service></port></ports></host>
<host endtime="1640366256"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="717"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366258"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="717"><state state="open" reason="response" reason_ttl="128" /><service name="ftp" banner="220 mail01.hiboxy.com Microsoft ESMTP MAIL Service ready at Fri, 24 Dec 2021 17:17:36 +0000\x0a503 5.5.2 Send hello first"></service></port></ports></host>
<host endtime="1640366264"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366277"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="2105"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366278"><address addr="10.130.10.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366279"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="49677"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366281"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366289"><address addr="10.130.10.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366290"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="464"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366303"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6768"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366306"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="5985"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366308"><address addr="10.130.10.45" addrtype="ipv4"/><ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366311"><address addr="10.130.10.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" /><service name="title" banner="Welcome to nginx!"></service></port></ports></host>
<host endtime="1640366311"><address addr="10.130.10.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" /><service name="http" banner="HTTP/1.1 200 OK\x0d\x0aServer: nginx/1.18.0 (Ubuntu)\x0d\x0aDate: Fri, 24 Dec 2021 17:18:00 GMT\x0d\x0aContent-Type: text/html\x0d\x0aContent-Length: 612\x0d\x0aLast-Modified: Fri, 24 Dec 2021 00:56:16 GMT\x0d\x0aConnection: close\x0d\x0aETag: \x2261c51ab0-264\x22\x0d\x0aAccept-Ranges: bytes\x0d\x0a\x0d"></service></port></ports></host>
<host endtime="1640366314"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="128" /><service name="http" banner="HTTP/1.1 403 Forbidden\x0d\x0aServer: Microsoft-IIS/10.0\x0d\x0aDate: Fri, 24 Dec 2021 17:18:05 GMT\x0d\x0aConnection: close\x0d\x0aContent-Length: 0\x0d\x0a\x0d"></service></port></ports></host>
<host endtime="1640366316"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6001"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366320"><address addr="10.130.10.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" /><service name="title" banner="Welcome to nginx!"></service></port></ports></host>
<host endtime="1640366320"><address addr="10.130.10.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="80"><state state="open" reason="response" reason_ttl="64" /><service name="http" banner="HTTP/1.1 200 OK\x0d\x0aServer: nginx/1.18.0 (Ubuntu)\x0d\x0aDate: Fri, 24 Dec 2021 17:18:12 GMT\x0d\x0aContent-Type: text/html\x0d\x0aContent-Length: 612\x0d\x0aLast-Modified: Fri, 24 Dec 2021 00:56:15 GMT\x0d\x0aConnection: close\x0d\x0aETag: \x2261c51aaf-264\x22\x0d\x0aAccept-Ranges: bytes\x0d\x0a\x0d"></service></port></ports></host>
<host endtime="1640366601"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="593"><state state="open" reason="response" reason_ttl="128" /><service name="unknown" banner="ncacn_http/1.0"></service></port></ports></host>
<host endtime="1640366601"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="81"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366617"><address addr="10.130.10.4" addrtype="ipv4"/><ports><port protocol="tcp" portid="593"><state state="open" reason="response" reason_ttl="128" /><service name="unknown" banner="ncacn_http/1.0"></service></port></ports></host>
<host endtime="1640366642"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6630"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366709"><address addr="10.130.10.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366710"><address addr="10.130.10.11" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="response" reason_ttl="64" /><service name="ssh" banner="SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"></service></port></ports></host>
<host endtime="1640366713"><address addr="10.130.10.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366714"><address addr="10.130.10.22" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="response" reason_ttl="64" /><service name="ssh" banner="SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"></service></port></ports></host>
<host endtime="1640366726"><address addr="10.130.10.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1640366726"><address addr="10.130.10.25" addrtype="ipv4"/><ports><port protocol="tcp" portid="6548"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366727"><address addr="10.130.10.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="response" reason_ttl="64" /><service name="ssh" banner="SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"></service></port></ports></host>
<host endtime="1640366727"><address addr="10.130.10.5" addrtype="ipv4"/><ports><port protocol="tcp" portid="5986"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<host endtime="1640366735"><address addr="10.130.10.44" addrtype="ipv4"/><ports><port protocol="tcp" portid="5985"><state state="open" reason="syn-ack" reason_ttl="128"/></port></ports></host>
<runstats>
<finished time="1647358016" timestr="2022-03-15 15:26:56" elapsed="0" />
<hosts up="131" down="0" total="131" />
</runstats>
</nmaprun>
masscan --readscan myscan.mass -oG myscan.grep

This will read a binary format scan and save a copy in a grepable format.

# Masscan 1.0.3 scan initiated Fri Dec 24 17:07:14 2021
# Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.130.10.4 ()    Ports: 3268/open/tcp////
Host: 10.130.10.4 ()    Ports: 49699/open/tcp////
Host: 10.130.10.6 ()    Ports: 5986/open/tcp////
Host: 10.130.10.4 ()    Ports: 49667/open/tcp////
Host: 10.130.10.21 ()   Ports: 445/open/tcp////
Host: 10.130.10.25 ()   Ports: 6402/open/tcp////
Host: 10.130.10.44 ()   Ports: 5986/open/tcp////
Host: 10.130.10.21 ()   Ports: 5986/open/tcp////
Host: 10.130.10.44 ()   Ports: 445/open/tcp////
Host: 10.130.10.6 ()    Ports: 445/open/tcp////
Host: 10.130.10.4 ()    Ports: 5986/open/tcp////
Host: 10.130.10.25 ()   Ports: 477/open/tcp////
Host: 10.130.10.25 ()   Port: 477   Service: ftp    Banner: 220 mail01.hiboxy.com MICROSOFT ESMTP MAIL SERVICE READY AT Fri, 24 Dec 2021 17:09:06 +0000\x0a503 5.5.1 Bad sequence of commands
Host: 10.130.10.25 ()   Ports: 443/open/tcp////
Host: 10.130.10.25 ()   Ports: 6593/open/tcp////
Host: 10.130.10.33 ()   Ports: 5985/open/tcp////
Host: 10.130.10.25 ()   Ports: 475/open/tcp////
Host: 10.130.10.25 ()   Port: 475   Service: ftp    Banner: 220 mail01.hiboxy.com MICROSOFT ESMTP MAIL SERVICE READY AT Fri, 24 Dec 2021 17:17:17 +0000\x0a503 5.5.1 Bad sequence of commands
Host: 10.130.10.25 ()   Port: 25    Service: smtp   Banner: 220 mail01.hiboxy.com Microsoft ESMTP MAIL Service ready at Fri, 24 Dec 2021 17:17:15 +0000\x0a250-mail01.hiboxy.com Hello [10.130.10.99]\x0a250-SIZE 37748736\x0a250-PIPELINING\x0a250-DSN\x0a250-ENHANCEDSTATUSCODES\x0a250-STARTTLS\x0a250-X-ANONYMOUSTLS\x0a250-AUTH NTLM\x0a250-X-EXPS GSSAPI NTLM\x0a250-8BITMIME\x0a250-BINARYMIME\x0a250-CHUNKING\x0a250-SMTPUTF8\x0a250 XRDST\x0a220 2.0.0 SMTP server ready
Host: 10.130.10.25 ()   Ports: 139/open/tcp////
Host: 10.130.10.44 ()   Ports: 139/open/tcp////
Host: 10.130.10.4 ()    Port: 49674 Service: unknown    Banner: ncacn_http/1.0
Host: 10.130.10.25 ()   Ports: 717/open/tcp////
Host: 10.130.10.25 ()   Port: 717   Service: ftp    Banner: 220 mail01.hiboxy.com Microsoft ESMTP MAIL Service ready at Fri, 24 Dec 2021 17:17:36 +0000\x0a503 5.5.2 Send hello first
Host: 10.130.10.25 ()   Ports: 445/open/tcp////
Host: 10.130.10.25 ()   Ports: 2105/open/tcp////
...
Host: 10.130.10.25 ()   Ports: 6768/open/tcp////
Host: 10.130.10.25 ()   Ports: 5985/open/tcp////
Host: 10.130.10.45 ()   Ports: 445/open/tcp////
Host: 10.130.10.22 ()   Port: 80    Service: title  Banner: Welcome to nginx!
Host: 10.130.10.22 ()   Port: 80    Service: http   Banner: HTTP/1.1 200 OK\x0d\x0aServer: nginx/1.18.0 (Ubuntu)\x0d\x0aDate: Fri, 24 Dec 2021 17:18:00 GMT\x0d\x0aContent-Type: text/html\x0d\x0aContent-Length: 612\x0d\x0aLast-Modified: Fri, 24 Dec 2021 00:56:16 GMT\x0d\x0aConnection: close\x0d\x0aETag: \x2261c51ab0-264\x22\x0d\x0aAccept-Ranges: bytes\x0d\x0a\x0d
Host: 10.130.10.25 ()   Port: 80    Service: http   Banner: HTTP/1.1 403 Forbidden\x0d\x0aServer: Microsoft-IIS/10.0\x0d\x0aDate: Fri, 24 Dec 2021 17:18:05 GMT\x0d\x0aConnection: close\x0d\x0aContent-Length: 0\x0d\x0a\x0d
Host: 10.130.10.25 ()   Ports: 6001/open/tcp////
Host: 10.130.10.11 ()   Port: 80    Service: title  Banner: Welcome to nginx!
Host: 10.130.10.11 ()   Port: 80    Service: http   Banner: HTTP/1.1 200 OK\x0d\x0aServer: nginx/1.18.0 (Ubuntu)\x0d\x0aDate: Fri, 24 Dec 2021 17:18:12 GMT\x0d\x0aContent-Type: text/html\x0d\x0aContent-Length: 612\x0d\x0aLast-Modified: Fri, 24 Dec 2021 00:56:15 GMT\x0d\x0aConnection: close\x0d\x0aETag: \x2261c51aaf-264\x22\x0d\x0aAccept-Ranges: bytes\x0d\x0a\x0d
Host: 10.130.10.4 ()    Ports: 53/open/tcp////
Host: 10.130.10.4 ()    Ports: 445/open/tcp////
Host: 10.130.10.21 ()   Ports: 5985/open/tcp////
Host: 10.130.10.25 ()   Ports: 6401/open/tcp////
Host: 10.130.10.25 ()   Ports: 9710/open/tcp////
Host: 10.130.10.25 ()   Port: 6001  Service: unknown    Banner: ncacn_http/1.0
Host: 10.130.10.33 ()   Ports: 445/open/tcp////
Host: 10.130.10.45 ()   Ports: 5985/open/tcp////
Host: 10.130.10.25 ()   Ports: 5986/open/tcp////
Host: 10.130.10.33 ()   Ports: 5986/open/tcp////
Host: 10.130.10.25 ()   Ports: 6565/open/tcp////
Host: 10.130.10.25 ()   Ports: 6674/open/tcp////
Host: 10.130.10.25 ()   Ports: 593/open/tcp////
Host: 10.130.10.4 ()    Ports: 593/open/tcp////
Host: 10.130.10.25 ()   Port: 593   Service: unknown    Banner: ncacn_http/1.0
Host: 10.130.10.25 ()   Ports: 81/open/tcp////
Host: 10.130.10.4 ()    Port: 593   Service: unknown    Banner: ncacn_http/1.0
Host: 10.130.10.25 ()   Ports: 6630/open/tcp////
Host: 10.130.10.11 ()   Ports: 22/open/tcp////
Host: 10.130.10.11 ()   Port: 22    Service: ssh    Banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
Host: 10.130.10.22 ()   Ports: 22/open/tcp////
Host: 10.130.10.22 ()   Port: 22    Service: ssh    Banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
Host: 10.130.10.10 ()   Ports: 22/open/tcp////
Host: 10.130.10.25 ()   Ports: 6548/open/tcp////
Host: 10.130.10.10 ()   Port: 22    Service: ssh    Banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
Host: 10.130.10.5 ()    Ports: 5986/open/tcp////
Host: 10.130.10.44 ()   Ports: 5985/open/tcp////
# Masscan done at Tue Mar 15 15:36:59 2022
masscan --readscan myscan.mass -oJ myscan.json

This will read a binary format scan and save a copy in JSON format.

{   "ip": "10.130.10.4",   "ports": [ {"port": 3268, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 49699, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.6",   "ports": [ {"port": 5986, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 49667, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.21",   "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6402, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.44",   "ports": [ {"port": 5986, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.21",   "ports": [ {"port": 5986, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.44",   "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.6",   "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 5986, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 477, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 477, "proto": "tcp", "service": {"name": "ftp", "banner": "220 mail01.hiboxy.com MICROSOFT ESMTP MAIL SERVICE READY AT Fri, 24 Dec 2021 17:09:06 +0000\u000a503 5.5.1 Bad sequence of commands"} } ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6593, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6682, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6812, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 1801, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.33",   "ports": [ {"port": 1433, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 3875, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
...
{   "ip": "10.130.10.25",   "ports": [ {"port": 6768, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 5985, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.45",   "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "Welcome to nginx!"} } ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "HTTP/1.1 200 OK\u000d\u000aServer: nginx/1.18.0 (Ubuntu)\u000d\u000aDate: Fri, 24 Dec 2021 17:18:00 GMT\u000d\u000aContent-Type: text/html\u000d\u000aContent-Length: 612\u000d\u000aLast-Modified: Fri, 24 Dec 2021 00:56:16 GMT\u000d\u000aConnection: close\u000d\u000aETag: \u002261c51ab0-264\u0022\u000d\u000aAccept-Ranges: bytes\u000d\u000a\u000d"} } ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "HTTP/1.1 403 Forbidden\u000d\u000aServer: Microsoft-IIS/10.0\u000d\u000aDate: Fri, 24 Dec 2021 17:18:05 GMT\u000d\u000aConnection: close\u000d\u000aContent-Length: 0\u000d\u000a\u000d"} } ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6001, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.11",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "Welcome to nginx!"} } ] },
{   "ip": "10.130.10.11",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "http", "banner": "HTTP/1.1 200 OK\u000d\u000aServer: nginx/1.18.0 (Ubuntu)\u000d\u000aDate: Fri, 24 Dec 2021 17:18:12 GMT\u000d\u000aContent-Type: text/html\u000d\u000aContent-Length: 612\u000d\u000aLast-Modified: Fri, 24 Dec 2021 00:56:15 GMT\u000d\u000aConnection: close\u000d\u000aETag: \u002261c51aaf-264\u0022\u000d\u000aAccept-Ranges: bytes\u000d\u000a\u000d"} } ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 53, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 445, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.21",   "ports": [ {"port": 5985, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6401, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 9710, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6565, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6674, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 593, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 593, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 593, "proto": "tcp", "service": {"name": "unknown", "banner": "ncacn_http/1.0"} } ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 81, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.4",   "ports": [ {"port": 593, "proto": "tcp", "service": {"name": "unknown", "banner": "ncacn_http/1.0"} } ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6630, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.11",   "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{   "ip": "10.130.10.11",   "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"} } ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"} } ] },
{   "ip": "10.130.10.10",   "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 6548, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.10",   "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"} } ] },
{   "ip": "10.130.10.5",   "ports": [ {"port": 5986, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.44",   "ports": [ {"port": 5985, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{finished: 1}
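
The JSON output above is not a single document you can hand to a JSON parser as-is: status records and banner records for the same ip/port are separate entries, every entry ends with a trailing comma, and this masscan version closes the file with {finished: 1}, which is not valid JSON. The following Python is an added example (not part of this page or of masscan) that reads the file one line at a time, merges the records per host and port, and lists open ports together with any banners. The sample records are copied from the output above; the TTL-based OS hint is a rough assumption for triage, not OS detection.

```python
import json
from collections import defaultdict

# Constructed sample: a handful of records copied from the masscan -oJ output
# above, plus the '[' / ']' wrapper and the '{finished: 1}' footer that this
# masscan version writes. Each record ends with a trailing comma and the
# footer is not valid JSON, so the file cannot simply be json.load()ed.
SAMPLE = r'''[
{   "ip": "10.130.10.25",   "ports": [ {"port": 593, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{   "ip": "10.130.10.25",   "ports": [ {"port": 593, "proto": "tcp", "service": {"name": "unknown", "banner": "ncacn_http/1.0"} } ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 22, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 22, "proto": "tcp", "service": {"name": "ssh", "banner": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"} } ] },
{   "ip": "10.130.10.22",   "ports": [ {"port": 80, "proto": "tcp", "service": {"name": "title", "banner": "Welcome to nginx!"} } ] },
{   "ip": "10.130.10.44",   "ports": [ {"port": 5985, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 128} ] },
{finished: 1}
]'''


def parse_masscan_json(text):
    """Merge masscan -oJ records into {ip: {(proto, port): info}}.

    Every line is decoded on its own, so the opening '[', the closing ']',
    trailing commas and the unparseable '{finished: 1}' footer are skipped
    instead of breaking the whole load. Status records and banner records
    for the same ip/port are merged into one entry.
    """
    hosts = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # the '{finished: 1}' footer
        ip = rec.get("ip")
        if ip is None:
            continue
        for p in rec.get("ports", []):
            key = (p.get("proto", "tcp"), int(p["port"]))
            entry = hosts[ip].setdefault(
                key, {"status": None, "reason": None, "ttl": None, "services": {}})
            if "status" in p:
                entry["status"] = p["status"]
                entry["reason"] = p.get("reason")
                entry["ttl"] = p.get("ttl")
            svc = p.get("service")
            if svc:
                entry["services"][svc.get("name", "unknown")] = svc.get("banner", "")
    return dict(hosts)


def open_ports(hosts):
    """{ip: sorted open ports}. A port counts as open if masscan saw a SYN-ACK
    for it or grabbed a banner from it (a banner implies the connect succeeded)."""
    result = {}
    for ip, ports in hosts.items():
        result[ip] = sorted(
            port for (_proto, port), e in ports.items()
            if e["status"] == "open" or e["services"])
    return result


def ttl_hint(ttl):
    """Coarse hint from the observed TTL (an assumption, not OS detection):
    an initial TTL of 64 is typical for Linux/BSD, 128 for Windows."""
    if ttl is None:
        return "unknown"
    return "linux/unix-like" if ttl <= 64 else "windows" if ttl <= 128 else "other"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hosts = parse_masscan_json(text)
    for ip, ports in sorted(open_ports(hosts).items()):
        ttls = {e["ttl"] for e in hosts[ip].values() if e["ttl"] is not None}
        hint = ttl_hint(min(ttls)) if ttls else "unknown"
        print(f"{ip:<15} {hint:<16} {ports}")
        for (proto, port), e in sorted(hosts[ip].items()):
            for name, banner in e["services"].items():
                print(f"    {port}/{proto} {name}: {banner[:60]!r}")
```

Run it as `python3 masscan_merge.py myscan.json` (any file name works; the script name is an assumption). Because the parser only needs one record per line, it also copes with the partial files masscan leaves behind when a scan is interrupted before the footer is written.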

Blog Posts

netcat

Description

The swiss army knife of pen testing.

Platform: All
Author:
License: Free
URL:

Usage

[v1.10-46]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -C                      Send CRLF as line-ending
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

Examples

nc -nzv -w 3 <ip> <port>

The -z (zero-I/O) flag makes nc connect and close immediately without sending any data, so this is a TCP connect check: the full three-way handshake is completed, unlike a half-open SYN scan. -w 3 gives up on a connection after 3 seconds, -n skips DNS lookups, and -v prints the result for each port.

┌──(root💀kali)-[/home/kali/proving_grounds/Bratarina]
└─# nc -zv -w 3 192.168.145.71 443                                    
bratarina [192.168.145.71] 443 (https) : Connection timed out
                                                                                                                                                             
┌──(root💀kali)-[/home/kali/proving_grounds/Bratarina]
└─# nc -zv -w 3 192.168.145.71 25                                                                                                                   
bratarina [192.168.145.71] 25 (smtp) open
nc -nlvp 1337 -e /bin/bash

Starts a backdoor listener on port 1337 and hands whoever connects a bash shell. Note that -e exists in traditional netcat (the v1.10 build shown in the usage above) and in Ncat; the OpenBSD netcat that many distributions ship by default does not have it.

nc -nlvp 1337 < /tmp/file.txt

Sends file.txt over the socket when a client connects; the receiving side runs "nc <ip> 1337 > file.txt". Add -q 1 on the listener so it exits once stdin hits EOF and the file has been sent, otherwise it may keep the connection open waiting for more input.

Blog Posts

nmap

Description

A free and open source utility for network discovery and security auditing.

Platform: All
Author:
License: Free
URL: nmap.org

Usage

Nmap 7.91 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Examples

nmap x.x.x.x

The default nmap scan checks the 1,000 most common TCP ports (a SYN scan when run as root, a connect scan otherwise) and reports their state.

└─# nmap 192.168.145.71  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:09 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
Not shown: 995 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
53/tcp  closed domain
80/tcp  open   http
445/tcp open   microsoft-ds
nmap -A x.x.x.x -p 22,25,53,80,445

The -A option enables OS detection, version detection, script scanning, and traceroute output.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 14:12 EDT
Nmap scan report for bratarina (192.168.145.71)
Host is up (0.038s latency).
 
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:dd:2c:ea:2f:85:c5:89:bc:fc:e9:a3:38:f0:d7:50 (RSA)
|   256 e3:b7:65:c2:a7:8e:45:29:bb:62:ec:30:1a:eb:ed:6d (ECDSA)
|_  256 d5:5b:79:5b:ce:48:d8:57:46:db:59:4f:cd:45:5d:ef (ED25519)
25/tcp  open   smtp        OpenSMTPD
| smtp-commands: bratarina Hello bratarina [192.168.49.145], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB       
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Aggressive OS guesses: Linux 2.6.32 (88%), Linux 2.6.32 or 3.10 (88%), Linux 2.6.39 (88%), Linux 3.10 - 3.12 (88%), Linux 4.4 (88%), WatchGuard Fireware 11.8 (88%), Synology DiskStation Manager 5.1 (87%), Linux 2.6.35 (87%), Linux 4.9 (87%), Linux 3.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2021-04-11T14:12:39-04:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-04-11T18:12:38
|_  start_date: N/A
 
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   38.83 ms 192.168.49.1
2   38.83 ms bratarina (192.168.145.71)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.03 seconds
nmap -sT -p 1-65535 x.x.x.x

This command does a full TCP connect scan (-sT) against every port; -p- is shorthand for -p 1-65535.

sudo nmap -n -sT x.x.x.x/24 -oA /tmp/scan

The -n will not resolve host names, the -sT will do a TCP connect scan on the subnet specified, and the -oA will save normal, grepable, and XML output as /tmp/scan.nmap, /tmp/scan.gnmap and /tmp/scan.xml.

sec@slingshot:~$ sudo nmap -n -sT 10.130.10.0/24 -oA /tmp/scan
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 14:25 UTC
Nmap scan report for 10.130.10.4
Host is up (0.030s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.5
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.6
Host is up (0.030s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.10
Host is up (0.029s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.11
Host is up (0.028s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.21
Host is up (0.029s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.22
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
9100/tcp open  jetdirect
 
Nmap scan report for 10.130.10.25
Host is up (0.030s latency).
Not shown: 978 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
81/tcp   open  hosts2-ns
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
444/tcp  open  snpp
445/tcp  open  microsoft-ds
465/tcp  open  smtps
587/tcp  open  submission
593/tcp  open  http-rpc-epmap
808/tcp  open  ccproxy-http
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
2525/tcp open  ms-v-worlds
3389/tcp open  ms-wbt-server
6001/tcp open  X11:1
6502/tcp open  netop-rc
6565/tcp open  unknown
6646/tcp open  unknown
 
Nmap scan report for 10.130.10.33
Host is up (0.029s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.44
Host is up (0.031s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap scan report for 10.130.10.45
Host is up (0.030s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
 
Nmap done: 256 IP addresses (11 hosts up) scanned in 26.57 seconds
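
The -oA run above also writes /tmp/scan.gnmap, which is the format most practitioners script against to feed the next tool. The following Python is an added example (not part of this page or of nmap) that parses grepable output into per-host port lists and then inverts it into per-service target lists, e.g. every host with 445/tcp open for SMB follow-up. The sample lines are constructed to match the scan above, since the page only shows the normal output; one entry carries a -sV style version string to show that field.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of .gnmap (nmap -oG) output, modelled on the -oA scan
# above. Host-line fields are tab-separated and each port entry reads
#   port/state/proto/owner/service/rpc/version/
# (version is empty unless -sV was used).
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.60 scan initiated Tue Mar 15 14:25:00 2022 as: nmap -n -sT -oA /tmp/scan 10.130.10.0/24",
    "Host: 10.130.10.4 ()\tStatus: Up",
    "Host: 10.130.10.4 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, "
    "389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (988)",
    "Host: 10.130.10.10 ()\tStatus: Up",
    "Host: 10.130.10.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (996)",
    "Host: 10.130.10.21 ()\tStatus: Up",
    "Host: 10.130.10.21 ()\tPorts: 53/closed/tcp//domain///, 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)",
    "Host: 10.130.10.22 ()\tStatus: Up",
    "Host: 10.130.10.22 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 "
    "(Ubuntu Linux; protocol 2.0)/, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)",
    "# Nmap done at Tue Mar 15 14:25:26 2022 -- 256 IP addresses (11 hosts up) scanned in 26.57 seconds",
])

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def _parse_port(entry):
    """port/state/proto/owner/service/rpc/version/ -> dict.
    The version text may contain spaces, so split at most six times and
    strip only the trailing slash from the last field."""
    port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
    return {"port": int(port), "state": state, "proto": proto,
            "service": service, "version": version.rstrip("/")}


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "status": str, "ports": [...], "ignored": str}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything else
        ip, name, rest = m.groups()
        h = hosts.setdefault(ip, {"hostname": name, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                h["status"] = value
            elif key == "Ports":
                h["ports"].extend(_parse_port(e) for e in value.split(", "))
            elif key == "Ignored State":
                h["ignored"] = value
    return hosts


def open_ports(hosts):
    """{ip: sorted list of open port numbers}."""
    return {ip: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for ip, h in hosts.items()}


def targets_by_service(hosts, state="open"):
    """Invert to {(proto, port, service): [ip, ...]} so each follow-up tool
    gets exactly the hosts that expose the service it speaks."""
    out = defaultdict(list)
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] == state:
                out[(p["proto"], p["port"], p["service"])].append(ip)
    return dict(out)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    hosts = parse_gnmap(text)
    by_service = targets_by_service(hosts)
    for (proto, port, service), ips in sorted(by_service.items(), key=lambda kv: kv[0][1]):
        print(f"{port}/{proto} {service:<14} {' '.join(ips)}")
```

Run it as `python3 gnmap_targets.py /tmp/scan.gnmap` (the script name is an assumption). Printing one line per service makes it trivial to cut the host column into an input file for tools such as smbclient, crackmapexec or the Impacket scripts.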
sudo nmap -n -O -sT --open x.x.x.x-x

This will do a scan without resolving names, with OS fingerprinting (-O, which needs root for the raw packets it sends), a full-connect TCP scan, and only display open ports. OS detection wants at least one open and one closed port to be reliable, which is why the 10.130.10.21 result below is flagged as unreliable and only guessed.

sec@slingshot:~$ ping -c2 10.130.10.10
PING 10.130.10.10 (10.130.10.10) 56(84) bytes of data.
64 bytes from 10.130.10.10: icmp_seq=1 ttl=63 time=26.8 ms
64 bytes from 10.130.10.10: icmp_seq=2 ttl=63 time=26.9 ms
 
--- 10.130.10.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 26.868/26.889/26.910/0.021 ms
sec560@slingshot:~$ sudo nmap -n -O -sT --open 10.130.10.21-22
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:19 UTC
Nmap scan report for 10.130.10.21
Host is up (0.030s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized
Running (JUST GUESSING): AVtech embedded (87%)
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (87%)
No exact OS matches for host (test conditions non-ideal).
 
Nmap scan report for 10.130.10.22
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
9100/tcp open  jetdirect
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=3/15%OT=22%CT=1%CU=38811%PV=Y%DS=2%DC=I%G=Y%TM=6230BC9
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)SEQ(SP=FD
OS:%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=
OS:M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=F4B3%W2=F4
OS:B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M54DNNSNW7
OS:%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
 
Network Distance: 2 hops
 
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 19.22 seconds
sudo nmap -n -sT -sV --open x.x.x.x-x

This scan will not resolve host names, perform a TCP full-connect, connect to services and perform version scanning (using /usr/share/nmap/nmap-service-probes), and only show open ports.

sec@slingshot:~$ sudo nmap -n -sT -sV --open 10.130.10.21-22
 
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-15 16:44 UTC
Nmap scan report for 10.130.10.21
Host is up (0.032s latency).
Not shown: 998 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Nmap scan report for 10.130.10.22
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
9100/tcp open  jetdirect?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 16.19 seconds
 nmap --proxy socks4://127.0.0.1:4444 x.x.x.x

This is how you route nmap traffic through a SOCKS proxy, such as the dynamic port forward you can create with ssh -D.

 nmap -Pn <ip>

The -Pn option will skip the host discovery portion of the scan. This is useful if a firewall is filtering ICMP packets like the Windows firewall does by default.

Additional Details

  • When not running as root, nmap does a full TCP connect.
  • /usr/share/nmap/nmap-service-probes
    • where nmap stores service version identification checks
  • /usr/share/nmap/scripts/script.db
    • index of all the local NSE scripts
    • can grep for specific scripts
  • /usr/share/nmap/nmap-services
    • nmap's own copy of /etc/services (the port-to-service-name mapping it uses)

Blog Posts

strdeob.pl

Description

This script attempts to print the stack strings it discovers in the provided executable. The formatting isn't the best, but it gets the job done.

Platform: Linux
Author: TotalHash
License: Free
URL: https://github.com/REMnux/distro/blob/master/files/strdeob.pl

Usage

Usage: strdeob.pl <file>

Examples

 strdeob.pl file.exe

In this example, strdeob.pl prints what it believes are stack strings from the given executable (file.exe above; the captured session below runs it against 9.exe).

remnux@remnux:~/malware/day5$ strdeob.pl 9.exe
user32.dll\Program Files\Common Files\WinSta0\DefaultTLSrundll32.exeimm32.dllImmInstallIMEAimm32.dllImmGetIMEFileNameAdragonnest.exednlauncher.exexcb.datKernel32.dllLoadLibraryExWimeutil.exesgtool.exedragonnest.exednlauncher.exeqqlogin.exeiexplore.exexcb.dat\Program Files\Common Files\\Program Files\Common Files\dragonnest.exexcb.datKernel32.dllLoadLibraryExWV
...0+%|w?t=%s&a=%s&s=%s&sp=%s&r=%s&tn=%d&mb=%s&bsmb=%d&pin=%s&pin2=%s&cap=%d&hsn=%s&GA=%sdelphi.}.YWININET.dllInternetWriteFileHttpOpenRequestAHttpSendRequestExAHttpEndRequestAInternetConnectA?action=testlock&u=%s?action=breakline&u=%s?action=exception&u=%s?action=destroy&u=%s?action=frozen&u=%s?action=getproc&u=%s?action=playerlogin&u=%s
ws2_32.dllrecvrecvfromIphlpapi.dllGetAdaptersInfo8ui1qw31adSoftware\Nexon\CStrike-Online\SettingsRegionCodeexplorer.exerundll32.execonfig.exesogou360safe.exe360tray.exeexplorer.exe..YU..6..2.EZ.~..c

Blog Posts

translate.py

Description

Translate bytes according to a Python expression.

Platform: N/A (Python)
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: translate.py [options] [file-in] [file-out] command [script]
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        Output file (default is stdout)
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include
  -f, --fullread        Full read of the file
  -r REGEX, --regex=REGEX
                        Regex to search input file for and apply function to
  -R FILTERREGEX, --filterregex=FILTERREGEX
                        Regex to filter input file for and apply function to
  -m, --man             print manual

Examples

translate.py encoded.raw decoded.txt 'byte ^ 0x5b'

XORs every byte of encoded.raw with the key 0x5b and writes the result to decoded.txt. If the input is hex ASCII rather than raw bytes, convert it first with "xxd -r -p encoded.hex > encoded.raw".

translate.py -o svchost.exe.dec svchost.exe 'byte ^ 0x10'

"byte" is the current byte of the input file, so 'byte ^ 0x10' XORs each byte with 0x10.

Extra functions available in the expression:

  • rol(byte, count)
  • ror(byte, count)
  • IFF(expression, valueTrue, valueFalse)

The variable "position" is the index of the current byte in the input file, starting at 0.
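The per-byte evaluation model described above, as an added example in plain Python (this is not Didier Stevens's translate.py code; the function names translate and xor_with_key and the sample data are constructed here). It shows a single-byte XOR, a position-dependent key using IFF and position, and a bit rotation undone with ror.

```python
"""Per-byte translation in the style of translate.py (added example, not the tool's own code)."""


def rol(byte: int, count: int) -> int:
    """Rotate an 8-bit value left by count bits (mirrors translate.py's rol)."""
    count %= 8
    return ((byte << count) | (byte >> (8 - count))) & 0xFF


def ror(byte: int, count: int) -> int:
    """Rotate an 8-bit value right by count bits (mirrors translate.py's ror)."""
    count %= 8
    return ((byte >> count) | (byte << (8 - count))) & 0xFF


def IFF(expression, value_true, value_false):
    """Inline if, the same shape as translate.py's IFF(expression, valueTrue, valueFalse)."""
    return value_true if expression else value_false


def translate(data: bytes, command: str) -> bytes:
    """Evaluate `command` once per input byte and collect the results.

    Names visible to the expression follow the page: `byte` is the current
    byte, `position` its 0-based offset, and rol/ror/IFF are helpers.
    The result is masked to 8 bits so expressions such as `byte + 1` wrap.
    The expression is written by the analyst, so it is trusted here.
    """
    code = compile(command, "<translate>", "eval")
    env = {"rol": rol, "ror": ror, "IFF": IFF, "__builtins__": {}}
    out = bytearray()
    for position, byte in enumerate(data):
        env["byte"] = byte
        env["position"] = position
        out.append(eval(code, env) & 0xFF)
    return bytes(out)


def xor_with_key(data: bytes, key: int) -> bytes:
    """The page's first example: every byte XORed with one single-byte key."""
    return translate(data, f"byte ^ {key:#x}")


# Constructed sample data: a plaintext obfuscated three different ways.
SAMPLE_PLAIN = b"This program cannot be run in DOS mode."
SAMPLE_XOR = bytes(b ^ 0x5B for b in SAMPLE_PLAIN)                     # single-byte XOR 0x5b
SAMPLE_ALT = bytes(b ^ (0x5B if i % 2 == 0 else 0x10)                   # key alternates by offset
                   for i, b in enumerate(SAMPLE_PLAIN))
SAMPLE_ROL = bytes(rol(b, 3) for b in SAMPLE_PLAIN)                     # each byte rotated left 3

if __name__ == "__main__":
    print(xor_with_key(SAMPLE_XOR, 0x5B))
    print(translate(SAMPLE_ALT, "byte ^ IFF(position % 2 == 0, 0x5b, 0x10)"))
    print(translate(SAMPLE_ROL, "ror(byte, 3)"))
```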

Blog Posts

FLOSS

Description

The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like `strings.exe` to enhance basic static analysis of unknown binaries.

Platform: Windows, Mac, Linux
Author: FireEye Labs
License: Apache License 2.0
URL: https://github.com/fireeye/flare-floss/releases

Usage

Usage: floss [options] FILEPATH
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -n MIN_LENGTH, --minimum-length=MIN_LENGTH
                        minimum string length (default is 4)
  -f FUNCTIONS, --functions=FUNCTIONS
                        only analyze the specified functions (comma-separated)
  --save-workspace      save vivisect .viv workspace file in current directory
 
  Extraction options:
    Specify which string types FLOSS shows from a file, by default all
    types are shown
 
    --no-static-strings
                        do not show static ASCII and UTF-16 strings
    --no-decoded-strings
                        do not show decoded strings
    --no-stack-strings  do not show stackstrings
 
  Format Options:
    -g, --group         group output by virtual address of decoding functions
    -q, --quiet         suppress headers and formatting to print only
                        extracted strings
 
  Logging Options:
    -v, --verbose       show verbose messages and warnings
    -d, --debug         show all trace messages
 
  Script output options:
    -i IDA_PYTHON_FILE, --ida=IDA_PYTHON_FILE
                        create an IDAPython script to annotate the decoded
                        strings in an IDB file
    -r RADARE2_SCRIPT_FILE, --radare=RADARE2_SCRIPT_FILE
                        create a radare2 script to annotate the decoded
                        strings in an .r2 file
 
  Identification Options:
    -p PLUGINS, --plugins=PLUGINS
                        apply the specified identification plugins only
                        (comma-separated)
    -l, --list-plugins  list all available identification plugins and exit
 
  FLOSS Profiles:
    -x, --expert        show duplicate offset/string combinations, save
                        workspace, group function output

Examples

 floss --no-static-strings file.exe

The following example shows the decoded and stack strings found in 9.exe. Although floss can also show regular static strings, by the time you run floss you are typically only interested in the strings that were obfuscated.

remnux@remnux:~$ floss --no-static-strings file.exe
 
FLOSS decoded 16 strings
\system32\
.ocx
whh27018
WinSta0\Default
WinSta0\Default
WinSta0\Default
user32.dll
syst<
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user32.dll
systH
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
syst
\system32\AA
\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
FLOSS extracted 4 stackstrings
WinSta0\Default
user32.dll
\Program Files\Common Files\
rundll32.exe
 
Finished execution after 3.978650 seconds

Blog Posts

base64dump.py

Description

Extracts and decodes base64 strings (or other encodings) found inside the provided file. base64dump looks for sequences of base64 characters (or other encodings) in the provided file and tries to decode them.

Platform: N/A (Python)
Author: Didier Stevens
License: Free / Public Domain
URL: https://blog.didierstevens.com/

Usage

Usage: base64dump.py [options] [file]
Extract base64 strings from file
 
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -e ENCODING, --encoding=ENCODING
                        select encoding to use (default base64)
  -s SELECT, --select=SELECT
                        select item nr for dumping (a for all)
  -d, --dump            perform dump
  -x, --hexdump         perform hex dump
  -a, --asciidump       perform ascii dump
  -S, --strings         perform strings dump
  -n NUMBER, --number=NUMBER
                        minimum number of bytes in decoded data
  -c CUT, --cut=CUT     cut data
  -w, --ignorewhitespace
                        ignore whitespace

Examples

base64dump.py file.txt

The following output shows the sections that base64dump.py has attempted to decode using base64. However, this file isn’t using the default base64 encoding so see the next example.

remnux@remnux:~$ base64dump.py file.txt
ID  Size    Encoded          Decoded          MD5 decoded                    
--  ----    -------          -------          -----------                    
 1:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 2:       8 wstwaxap         ��pk.�           b5d83e3988cda1f8e903e138131cba91
 3:       8 yaoduhc=         ɪ.�.            c2b2fd4a95ff2e8d6ed65268e8e0a7f7
 4:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
 5:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
 6:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
 7:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
 8:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
 9:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
10:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
11:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
12:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
13:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
14:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
15:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
16:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
17:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
18:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
19:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
20:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
21:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
22:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
23:       8 WCoEYFdo         X*.`Wh           9e71afc328eab02982d2cd44d58697bc
24:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
25:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
26:       8 VWAbzxUP         U`.�..           e603829f07f2b06cbe2b53af4d94b716
27:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
28:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
29:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
30:       8 kzV0IivL         �5t"+�           a8c4a29cd68eb8da8e0bbe87b3a916c4
31:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
32:       8 N1tTAUIH         7[S.B.           118b846fe67df0a2788da838295a1271
33:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
34:       8 ecBcfdoM         y�\}�.           b185fd8b77394b6c5902b8291c1aa2b6
35:       8 0x400000         �.4�M4           084838d4f4261ed700f3d5ca57681d9f
36:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
37:       8 jpwZA7Ef         ..�.           cd49f8f2c65a543daf4dca9899ebf1ea
38:       8 DDpNVDfX         .:MT7�           9a6466eb801a8374f53d7102a7066290
39:       8 xEzYibKs         �L؉��           40ea154032b38b073adc25c546dba81d
40:       8 rqYY0o0m         ��.ҍ&           23cad0abd1ac80f7ede1c4a52425625a
41:       8 brIW1yTY         n�.�$�           ed0645bcfb574a402ccebc8785ca56f0
42:       8 function         ~�ܶ*'           b1d8813f892c457768a77f88837a6289
43:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
44:       8 S3GBCRNU         Kq�..T           d04eae77c1362316d251db3a3af7a8d5
45:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
46:       8 unescape         �w�q�^           b282069f16d4d9dbee625d0c231a53fd
47:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
48:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
49:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
50:       4 this             �.�              8e5a04323b343a97433a353a663678b3
51:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
52:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4
53:       8 YTDNPHwC         a0�<|.           5c5496bec5bfb00cecf1a6a3c00036a8
54:       8 Qy9QDRgu         C/P...           16adea19ef8d17f9a2b3368f9e381e08
55:      16 collectEmailInfo r�ey�D���"w�     128fa58edb7890e176d063411c06b917
56:       4 subj             ���              6214419727646d38fa39dc0c6bc72ee4

base64dump.py -e pu file.txt

This example shows how base64dump.py attempts to decode “percent u” encoded base64. You’re normally interested in the section with the largest size.

remnux@remnux:~$ base64dump.py -e pu file.txt
ID  Size    Encoded          Decoded                MD5 decoded                    
--  ----    -------          -------                -----------                    
 1:    1260 %u00e8%u0000%u5d �....]��.��...�=  889060967c0b481fa97ba2fb3447963c
 2:      12 %u9090%u9090     ����                a5cc288c0d8fad7eda458b7241548977
 3:      12 %u0c0c%u0c0c     ....                   d5aba5b36cbaf9dcb46a48418c3d6241

base64dump.py -e pu file.txt -s 1 -d > file.bin

In this example, base64dump.py decodes and dumps item 1 from the file and writes the raw bytes to an output file (named file.bin on the command line; the captured session below shows it as collab.bin). See the previous example for how the item IDs are assigned.

remnux@remnux:~$ base64dump.py -e pu file.txt -s 1 -d > file.bin
remnux@remnux:~$ ls -l file.bin
-rw-rw-r-- 1 remnux remnux 420 Aug 17 18:58 collab.bin
remnux@remnux:~$ file file.bin
collab.bin: data
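What base64dump.py -e pu is doing in the two examples above, as an added example in plain Python (this is not Didier Stevens's code; the names find_pu_items, decode_pu, largest_item and the sample JavaScript are constructed here). It scans text for runs of %uXXXX units, decodes each unit as a little-endian 16-bit value the way unescape() would store it, and reports the ID / Size / Encoded / MD5 fields seen in the tool's table.

```python
"""Locate and decode percent-u (%uXXXX) runs, after base64dump.py -e pu (added example)."""
import hashlib
import re
from dataclasses import dataclass

# One or more %uXXXX units in a row; each run becomes one item, as in base64dump.
PU_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4})+")
PU_UNIT = re.compile(r"%u([0-9A-Fa-f]{4})")


@dataclass
class PuItem:
    item_id: int      # 1-based, so it can be selected like base64dump's -s
    size: int         # length of the encoded run, like the tool's Size column
    encoded: str
    decoded: bytes
    md5: str          # MD5 of the decoded bytes, like the "MD5 decoded" column


def decode_pu(run: str) -> bytes:
    """Decode %uXXXX units to bytes.

    JavaScript's unescape() turns each unit into a UTF-16 code unit, which is
    stored little-endian, so %u00e8 becomes the bytes e8 00 (as in the page's
    item 1, where %u00e8%u0000%u5d... decodes to e8 00 00 00 ... 5d).
    """
    out = bytearray()
    for unit in PU_UNIT.findall(run):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def find_pu_items(text: str, min_bytes: int = 1):
    """Return every percent-u run in `text`, in file order, decoded.

    `min_bytes` plays the role of base64dump's -n: runs whose decoded form is
    shorter are dropped and the remaining items are renumbered from 1.
    """
    items = []
    for match in PU_RUN.finditer(text):
        run = match.group(0)
        decoded = decode_pu(run)
        if len(decoded) < min_bytes:
            continue
        items.append(PuItem(len(items) + 1, len(run), run, decoded, md5_hex(decoded)))
    return items


def largest_item(items):
    """The page's advice: the run with the largest Size is usually the one of interest."""
    return max(items, key=lambda item: item.size) if items else None


# Constructed sample in the style of the obfuscated script the tool was run on.
SAMPLE_JS = (
    'var nop = unescape("%u9090%u9090");\n'
    'var pad = unescape("%u0c0c%u0c0c");\n'
    'var sc  = unescape("%u00e8%u0000%u5d00");\n'
)

if __name__ == "__main__":
    for item in find_pu_items(SAMPLE_JS):
        print(f"{item.item_id:2}: {item.size:5} {item.encoded[:16]:16} {item.md5}")
```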

procDOT

Description

ProcDOT takes output from Process Monitor (procmon) and a packet capture, and graphs the activity based on the selected process. It shows every file and registry key the process touched, every child process or thread spawned, and every file and registry key touched by the children. It also allows the activity to be played back sequentially.

Platform: Windows and Linux
Author: Christian Wojner
License: ISC
URL: https://www.procdot.com/

Usage

In Procmon

  1. Configure the displayed columns in procmon to show TID and Sequence number.
  2. Under Filter, make sure “Enable Advanced Output” is disabled.
  3. Save the output as a CSV and make sure to save all events, not just filtered ones.

In ProcDOT

  1. Load the procmon CSV into procdot (and optionally the packet capture).
  2. Click the “…” next to Launcher and select the starting process you want to analyze.
  3. Click Refresh to update the graph.

Examples

In the following example, powershell was used to launch an executable while Procmon was recording. The output was then fed into ProcDOT so the file and registry interactions could be displayed visually.

Blog Posts