c

c
c
c
c

cc

c c c
c
Michael J. Castner
IST 451: Network Security
December 17th, 2009
—

  
  
To begin with, I thought I would discuss why I even did this project in the first place, and the
short history behind this script. It started out as a project for the IST IDEAS program, but has since
evolved from a twenty-six line automated BASH / Python Script into a fully functional, one hundred and
fifty line BASH Script (with menu support painstakingly added in, I might say).

When I first conceived the idea for this script, I realized that it would be quite an ambitious
project. While there are many domain enumeration tools and online WHOIS services, there are very few
(if any) tools that can both automatically map and scan an entire domain for vulnerabilities with minimal
input from the user. When this script was being made for the IDEAS program, the main point of the
program was to create a map of the domain and display it in Zenmap. But, when we were assigned this
project for IST 451, I decided that I would revisit the code, and add in the potentially dangerous scanning
functionality that NMap provides...at the domain level.

Adding in this functionality truly sets this script apart, as there are no tools that I know of that
bruteforce / attack at the domain level in this way. The usefulness of such attacks has yet to be proven,
but the implications are already present. A user who scans an entire domain, rather than a single host,
has access to that much more information. They can get a quick feel of how an organization places its IT
resources, and how patch management works in their domain. Combined with the new NDiff tool
included with NMap, a user could also find out when new ports open on any system in the entire
domain, allowing them to watch for new avenues of attack. Before we get any deeper into the workings
of this script, however, we will have to investigate further the two tools which essentially make the
script what it is: NMap and DNSMap.

DNSMap is a program that few have likely heard of. It is a domain brute forcer / enumeration
tool that is included in the Backtrack Security Suite, but is usually only utilized if one cannot get the
more popular competitor, DNSEnum, working correctly. For this script, DNSMap's speed and simplicity
made it the obvious choice for me, as results with DNSEnum were taking far longer to complete. Also,
DNSMap applies a slightly different approach to DNS Enumeration, and can be made to evade an IDS
with some careful work. The stealth and speed combination, in the end, was far too attractive to turn
down.

The other tool that makes this script possible is NMap. Since I started working with Network
Security Tools, I have always had a fascination with NMap. It is a wonder of a program, producing more
than just the standard results of what ports are open on which systems, but going into incredible
amounts of detail about the underlying operating system and the potential vulnerabilities that exist.
These factors, combined with its incredible scalability and output engine, made it the perfect backend
for the scanning portion of the script. My own familiarity with the more esoteric command line options
included in NMap also made it an attractive prospect for this script, as I would be able to test out
functionality in the tool that I usually do not have an excuse to use.
 These two tools, with a few other options and utilities, comprise the entirety of the script that I
created. Now that the purpose of these tools are understood, we can look at and analyze the code line
by line.

R

  

(
 
#!/bin/bash

#Created by Michael J. Castner, originally for IST IDEAS Program, but

heavily modified for IST 451: Network Security.

#Revision 11 [11/29/2009]

#Declare Functions

This section of code simply declares that we are indeed looking at a BASH script, and that it was created
by me for this class. It's current incarnation is the eleventh such revision, and the last tweaks to the
code were made on November 29th, 2009. It also states that the next section will contain declarations
of individual functions.



 

#Default DNSMap Options

dnsmap_default ()
{
dnsmap $TARGET | egrep -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' | cat - > $FILE.txt
}

#DNSMap with Wordlist

dnsmap_word ()
{
dnsmap $TARGET -w $DICT | egrep -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' | cat - > $FILE.txt
}

This next section of code shows the functions of DNSMap that were implemented. The first function,
dnsmap_default, is what is executed if there are no new parameters from the user. The command takes
a $TARGET variable, and executes DNSMap on that domain. The egrep statement greps out only the IP
 Addresses from the DNSMap standard output. Cat then captures that standard output, and tosses it
into a file for NMap to read.

The second function is virtually the same, except that it takes an additional variable from the user,
$DICT. This variable defines a wordlist location so that a user can use a more comprehensive wordlist
then the default UNIX dictionary that DNSMap utilizes.



 

#NMap Ping and Traceroute ONLY

nmap_default ()
{
nmap -sP --traceroute -T5 -oX $FILE.xml -iL $FILE.txt | cat - > /dev/null
}

#NMap with Version and Operating System Detection

nmap_medium ()
{
nmap -sV -O --traceroute -T5 -oX $FILE.xml -iL $FILE.txt | cat - > /dev/null
}

#NMap with EVERYTHING

nmap_all ()
{
nmap -A --traceroute -T5 -oX $FILE.xml -iL $FILE.txt | cat - > /dev/null
}

This section of code shows the relevant NMap functions that can be called in the script. They each
indicate a different level of thoroughness for the scan, with the first one being a simple ping / traceroute
scan, the second being an Operating System / Open Port Version scan, and the final scan being an NMap
scan set to run all available scans on all hosts.

Each scan follows the same basic progression, with relevant scan options designated first (-sP, --
traceroute, -sV, -O, and -A), speed designated second (-T5, which specifies a rather aggressive scan
timing due to the large volume of hosts to be scanned), and input / output parameters designated last (-
oX tells NMapto output its scan results to an XML file; -iL tells NMap to read in targets from the DNSMap
results).

The cat command that all of these NMap scans share simply dumps their output into /dev/null (the UNIX
garbage can) so that the script looks more presentable to the end user.



 
#Zenmap
zenmap_exec ()
{
zenmap -f $FILE.xml
}

#Move Scans
move_scan ()
{
mv $FILE.* Scans
}

This section shows the final function calls that the program utilizes. The first function simply calls
Zenmap and has it display the results of the NMap XML Scan that we output earlier. The second
function provides some cleaning function, by moving scan results to a separate "Scans" directory.


  

#Define Target
#Prompt user for target
echo -n "Target Domain: "

#Read and store target variable

read -e TARGET

These are the first lines of code that are actually executed. The program prompts the user for a target
domain, and then reads their input into the variable TARGET.

 
 

#Store Info
#Prompt for filename
echo -n "Desired Filename: "

#Read and store filename variable

read -e FILE

#Show user where file will be

echo "Outputting to $PWD/Scans/$FILE.txt..."

#Blank Line for Clarity

echo " "
This section of code asks the user to name their file so that they can differentiate between scans. Once
again, it takes their input and stores it in a variable (in this case, FILE). It then tells the user where it will
be storing the files, which is in the previously mentioned "Scans" subdirectory.



#DNSMap 
#Choose dictionary level
echo "Choose a Wordlist
 Type..."
echo "1.) Default (Small)"
echo "2.) Cracklib (Large)"

echo "3.) General (Massive)"
echo -n "Wordlist Option: "
read -e WORDLIST

#Blank Line for Clarity

echo " "

#Tell user what's happening

echo "Executing DNSMap Scan..."

This section begins the actual attack. It asks the user what level of wordlist they would like, progressing
from the default list to a massive wordlist. The bigger the wordlist, the longer it will take to complete
the domain bruteforcing. Once they select the wordlist they'd like, it is stored in the WORDLIST variable
and the script moves on.


 

#Dictionary Levels
#Default
if [ "$WORDLIST" == 1 ]
then
dnsmap_default
fi

#Cracklist
if [ "$WORDLIST" == 2 ]
then
DICT="$PWD/Wordlists/cracklib.txt"
dnsmap_word
fi

#General
if [ "$WORDLIST" == 3 ]
then
DICT="$PWD/Wordlists/general.txt"
dnsmap_word
fi
 This section takes the user's wordlist selection, and applies it to the appropriate function calls. If they
selected the default wordlist, then the dnsmap_default function executes. If they selected the Cracklist
wordlist, then the dnsmap_word function executes, with the correct DICT variable specified to point to
the wordlist's location. And finally, if the General wordlist is selected, then the dnsmap_word function is
called with the correct DICT variable.



#NMap
#Define NMap Attack Pattern
echo "Choose an NMap Scan Type: "
echo "1.) Ping / Traceroute ONLY"
echo "2.) Operating System / Version Detection"
echo "3.) ALL Options Enabled"
echo -n "Scan Type: "
read -e SCAN
#Blank Line for Clarity
echo " "

#Tell user what's happening

echo "Executing Custom NMap Scan..."
This section begins the combination of DNSMap with NMap. It prompts the user to pick a scan type, and
then stores their input in the SCAN variable.


 

#NMap Levels
#Default
if [ "$SCAN" == 1 ]
then
nmap_default
fi

#Medium
if [ "$SCAN" == 2 ]
then
nmap_medium
fi

#All
if [ "$SCAN" == 3 ]
then
nmap_all
fi
Similar to the DNSMap scan, the second part of the NMap scan takes the SCAN variable and applies it to
the earlier defined functions. If they selected the first scan, nmap_default is called. If they selected the
second scan, nmap_medium is called. And finally, if they selected the third scan, nmap_all is called.


 
#Finale / Zenmap
#Tell user what's happening
echo "Outputting results to $PWD/Scans/$FILE.xml"
echo "Executing Zenmap Topology..."

#Execute Zenmap Topology

zenmap_exec

#Move to Scans Folder

move_scan

The final lines of the script take the output of the user initiated scan and display them in Zenmap so that
the built-in Topology viewer can be utilized. After this function is called, the scans are moved to the
Scans subfolder and the script terminates.

_ 


To show the effectiveness of this script, here are a few examples of domain topology after the
tool completed. All of these scans were completed with the least intrusive measures, as to remain
somewhat ethical:
An subsection of Google's domain level topology with a small wordlist.
A section of openwall.net's domain topology, with traceroute hosts included.

And finally, yahoo.com's domain level topology with a slightly larger wordlist then normal used.

R  
By completing this project, I feel I have contributed something useful to both the class and the
ethical hacking community at large. This script will help to fill the gap of tools that execute domain level
attacks, and can hopefully be used for ethical purposes such as monitoring network health at a domain
level and tracking down vulnerabilities.
 The possibilities for this script are endless, and shall remain so as long as there is room for
refinement. I hope that this paper has been enlightening, and not too boring for anyone who actually
read the whole thing!