Tuesday, July 25, 2017

before you go crazy check dnstracer

 # dnstracer -v old-releases.ubuntu.com  

don't forget the -v

 Tracing to old-releases.ubuntu.com[a] via 127.0.0.1, maximum of 3 retries  
 127.0.0.1 (127.0.0.1) IP HEADER  
 - Destination address: 127.0.0.1  
 DNS HEADER (send)  
 - Identifier:      0x3808  
 - Flags:        0x00 (Q )  
 - Opcode:        0 (Standard query)  
 - Return code:     0 (No error)  
 - Number questions:   1  
 - Number answer RR:   0  
 - Number authority RR: 0  
 - Number additional RR: 0  
 QUESTIONS (send)  
 - Queryname:      (12)old-releases(6)ubuntu(3)com  
 - Type:         1 (A)  
 - Class:        1 (Internet)  
 DNS HEADER (recv)  
 - Identifier:      0x3808  
 - Flags:        0x8080 (R RA )  
 - Opcode:        0 (Standard query)  
 - Return code:     0 (No error)  
 - Number questions:   1  
 - Number answer RR:   0  
 - Number authority RR: 4  
 - Number additional RR: 0  
 QUESTIONS (recv)  
 - Queryname:      (12)old-releases(6)ubuntu(3)com  
 - Type:         1 (A)  
 - Class:        1 (Internet)  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns1(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns3(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   6  
 - Resource data:    (3)ns4(3)p27(6)dynect(3)net  
 AUTHORITY RR  
 - Domainname:      (6)ubuntu(3)com  
 - Type:         2 (NS)  
 - Class:        1 (Internet)  
 - TTL:         25923 (7h12m3s)  
 - Resource length:   20  
 - Resource data:    (3)ns2(3)p27(6)dynect(3)net  
   
  |\___ ns1.p27.dynect.net [ubuntu.com] (No IP address)  
  |\___ ns3.p27.dynect.net [ubuntu.com] (No IP address)  
  |\___ ns4.p27.dynect.net [ubuntu.com] (No IP address)  
  \___ ns2.p27.dynect.net [ubuntu.com] (No IP address)  
   
   

Thursday, July 20, 2017

discover axis webcams when you're clueless

 AXIS cameras have a severe remote compromise bug. I guess the cameras need to be found and patched. But, you know, I don’t recall where they’re at.  
 Let’s find them.  
   
 I do not remember, off the top of my head, all the subnets around. Happily, I'm in a mixed shop and Active Directory Sites and Services tells me what subnets are which. Cool.  
   
 On an AD controller, run PowerShell and enable script execution.  
   
 > Set-ExecutionPolicy RemoteSigned  
   
 Run the following cmdlet:  
   
 [cmdletbinding()]  
 param()  
   
 $Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites  
 $obj = @()  
 foreach ($Site in $Sites) {  
 foreach($sub in $site.subnets){  
   
  $obj += New-Object -Type PSObject -Property (  
   @{  
   "site" = $site.Name  
   "subnet" = $sub.name  
   }  
   )}  
    
  }  
 $obj | Export-Csv 'ADsites.csv' –NoType  
   
 The csv output shows:  
   
 "subnet","site"  
 "6.6.66.0/24","HELL"  
 "6.7.67.0/24","PANDEMONIUM"  
 "6.8.68.0/24","HELLS-GATE"  
   
 2. AXIS cameras have the following ports open by default:  
 TCP 21,80,554,49152  
   
 We can use nmap to discover and filter hosts that have the above:  
 $ nmap -p 21,80,554,49152 10.97.232.* -oG - | grep open | awk '!/closed/ && !/filtered/' >> axis  
   
 However, scanning UPnP port 49152 is unreliable. We could then narrow the ports, but we would be left with a guessing game as to whether or not the system is an Axis camera.  
   
 Luckily, Axis cameras all have a banner on FTP 21. It is either Axis or AXIS. This works better:  
 $ nmap -sS -sV -p 21 -n -Pn --script banner IPRANGE/CIDR -oG - | grep -i axis >> axis  
   
 To scan all the ranges, all we need to do is create a file and feed it the CIDR notated networks. I'm only concerned about my isolated networks, HELL and HELLS-GATE:  
   
   
 $ vi axis.subnet  
   
 6.6.66.0/24  
 6.8.68.0/24  
   
 Now, the completed command would be:  
   
 $ nmap -sS -sV -p 21 -n -Pn --script banner -iL axis.subnet -oG - | grep -i axis >> axis  

Wednesday, July 19, 2017

discover axis webcams

i'm just going to leave this here.

 nmap -sS -sV -p 21 -n -Pn --script banner -iL subnet.list -oG - | grep -i Axis > axis