# dnstracer -v old-releases.ubuntu.com
don't forget the -v
Tracing to old-releases.ubuntu.com[a] via 127.0.0.1, maximum of 3 retries
127.0.0.1 (127.0.0.1) IP HEADER
- Destination address: 127.0.0.1
DNS HEADER (send)
- Identifier: 0x3808
- Flags: 0x00 (Q )
- Opcode: 0 (Standard query)
- Return code: 0 (No error)
- Number questions: 1
- Number answer RR: 0
- Number authority RR: 0
- Number additional RR: 0
QUESTIONS (send)
- Queryname: (12)old-releases(6)ubuntu(3)com
- Type: 1 (A)
- Class: 1 (Internet)
DNS HEADER (recv)
- Identifier: 0x3808
- Flags: 0x8080 (R RA )
- Opcode: 0 (Standard query)
- Return code: 0 (No error)
- Number questions: 1
- Number answer RR: 0
- Number authority RR: 4
- Number additional RR: 0
QUESTIONS (recv)
- Queryname: (12)old-releases(6)ubuntu(3)com
- Type: 1 (A)
- Class: 1 (Internet)
AUTHORITY RR
- Domainname: (6)ubuntu(3)com
- Type: 2 (NS)
- Class: 1 (Internet)
- TTL: 25923 (7h12m3s)
- Resource length: 6
- Resource data: (3)ns1(3)p27(6)dynect(3)net
AUTHORITY RR
- Domainname: (6)ubuntu(3)com
- Type: 2 (NS)
- Class: 1 (Internet)
- TTL: 25923 (7h12m3s)
- Resource length: 6
- Resource data: (3)ns3(3)p27(6)dynect(3)net
AUTHORITY RR
- Domainname: (6)ubuntu(3)com
- Type: 2 (NS)
- Class: 1 (Internet)
- TTL: 25923 (7h12m3s)
- Resource length: 6
- Resource data: (3)ns4(3)p27(6)dynect(3)net
AUTHORITY RR
- Domainname: (6)ubuntu(3)com
- Type: 2 (NS)
- Class: 1 (Internet)
- TTL: 25923 (7h12m3s)
- Resource length: 20
- Resource data: (3)ns2(3)p27(6)dynect(3)net
|\___ ns1.p27.dynect.net [ubuntu.com] (No IP address)
|\___ ns3.p27.dynect.net [ubuntu.com] (No IP address)
|\___ ns4.p27.dynect.net [ubuntu.com] (No IP address)
\___ ns2.p27.dynect.net [ubuntu.com] (No IP address)
Tuesday, July 25, 2017
before you go crazy check dnstracer
Thursday, July 20, 2017
discover axis webcams when you're clueless
AXIS cameras have a severe remote compromise bug. I guess the cameras need to be found and patched. But, you know, I don’t recall where they’re at.
Let’s find them.
I do not remember, off the top of my head, all the subnets around. Happily, I'm in a mixed shop and Active Directory Sites and Services tells me what subnets are which. Cool.
On an AD controller, run PowerShell and enable script execution.
> Set-ExecutionPolicy RemoteSigned
Run the following script:
[cmdletbinding()]
param()

# Enumerate every AD site in the current forest
$Sites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

# One object per subnet; [pscustomobject] keeps the column order subnet, site
$obj = foreach ($Site in $Sites) {
    foreach ($Sub in $Site.Subnets) {
        [pscustomobject]@{
            subnet = $Sub.Name
            site   = $Site.Name
        }
    }
}

# Write the list without the "#TYPE" header line
$obj | Export-Csv 'ADsites.csv' -NoTypeInformation
The csv output shows:
"subnet","site"
"6.6.66.0/24","HELL"
"6.7.67.0/24","PANDEMONIUM"
"6.8.68.0/24","HELLS-GATE"
2. AXIS cameras have the following ports open by default:
TCP 21,80,554,49152
We can use nmap to discover and filter hosts that have the above:
$ nmap -p 21,80,554,49152 10.97.232.* -oG - | grep open | awk '!/closed/ && !/filtered/' >> axis
However, scanning UPnP port 49152 is unreliable. We could then narrow the ports, but we would be left with a guessing game as to whether or not the system is an Axis camera.
Luckily, Axis cameras all have a banner on FTP 21. It is either Axis or AXIS. This works better:
$ nmap -sS -sV -p 21 -n -Pn --script banner IPRANGE/CIDR -oG - | grep -i axis >> axis
To scan all the ranges, all we need to do is create a file and feed it the CIDR notated networks. I'm only concerned about my isolated networks, HELL and HELLS-GATE:
$ vi axis.subnet
6.6.66.0/24
6.8.68.0/24
Now, the completed command would be:
$ nmap -sS -sV -p 21 -n -Pn --script banner -iL axis.subnet -oG - | grep -i axis >> axis
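The two manual steps above (picking subnets out of ADsites.csv, then reducing the appended grepable output to a camera list) as one script. This is an added example, not from the original post: the helper names `sites_to_subnets` and `axis_hosts` are hypothetical, and the scan lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# sites_to_subnets CSV SITE...: print the subnet of each row whose site
# column is one of SITE... (assumes site names contain no spaces or commas).
sites_to_subnets() {
    csv=$1; shift
    awk -F, -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR == 1 { next }                                  # skip the header row
        { gsub(/["\r]/, ""); if ($2 in keep) print $1 }   # drop quotes and CR
    ' "$csv"
}

# axis_hosts GNMAP: print each IP once where 21/tcp is open and the
# service/version field mentions "axis" in any letter case.
axis_hosts() {
    awk '
        /^Host: / && /Ports: / {
            ports = $0; sub(/.*Ports: /, "", ports)
            n = split(ports, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[1] == "21" && f[2] == "open" && tolower(p[i]) ~ /axis/ && !seen[$2]++)
                    print $2
            }
        }
    ' "$1"
}

# Constructed sample data: the CSV rows from the post plus made-up scan lines.
# The last scan line has "axis" in the host name only, with port 21 closed.
tmp=$(mktemp -d)
printf '%s\r\n' '"subnet","site"' '"6.6.66.0/24","HELL"' \
    '"6.7.67.0/24","PANDEMONIUM"' '"6.8.68.0/24","HELLS-GATE"' > "$tmp/ADsites.csv"
printf '%b\n' \
    'Host: 6.6.66.20 ()\tPorts: 21/open/tcp//ftp//AXIS 211 Network Camera ftpd 4.40/' \
    'Host: 6.6.66.30 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/' \
    'Host: 6.8.68.9 ()\tPorts: 21/open/tcp//ftp//Axis M1031 Network Camera ftpd 5.20/' \
    'Host: 6.6.66.20 ()\tPorts: 21/open/tcp//ftp//AXIS 211 Network Camera ftpd 4.40/' \
    'Host: 6.8.68.77 (praxis-pc)\tPorts: 21/closed/tcp//ftp///' > "$tmp/scan.gnmap"

sites_to_subnets "$tmp/ADsites.csv" HELL HELLS-GATE > "$tmp/axis.subnet"
cat "$tmp/axis.subnet"          # the file to hand to nmap -iL
axis_hosts "$tmp/scan.gnmap"    # one camera IP per line, duplicates removed
```

Because the scan commands append with `>>`, repeated runs leave duplicate lines in `axis`; `axis_hosts` collapses them and also skips lines where "axis" appears only in a host name.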
Wednesday, July 19, 2017
discover axis webcams
i'm just going to leave this here.
nmap -sS -sV -p 21 -n -Pn --script banner -iL subnet.list -oG - | grep -i Axis > axis