Playing around with nmap's random IP generator, I thought to myself how interesting it would be to randomly probe systems on the web for services, as opposed to simply port scanning network ranges that you happen across. With a random approach to targeting and thus discovery, the rate of deep web discovery is much greater as there's no relative concept to why an IP is being targeted.
Enter TuRandula, my new side project I've been hacking together for about 6 hours now. The original goal was to generate a pool of randomly generated IP addresses, and send one port-service-specific packet to it to see if it's open. It's a simple concept that has a lot of potential.
A simple subroutine to generate 4 integeters between 1 and 254 and return it as an IP was the first thing written.
There's a module called ipaddr
that is phenomenal when it comes to IP address manipulation, but I needed something quick and dirty.
The Generator class is initialized with a number (the total amount of IP addresses you need to randomly generate), and a pool of IP addresses are created and stored in a host pool.
The current functions of Generator include methods to probe an IP address for a service and record it's response --if it responds.
Using scapy, a single SYN packet is sent to an IP address in the host pool. Scapy listens for return packets, which indicate whether the service is there (SA - SYNACK), is closed (RA-RSTACK), timed out (ICMP TCPerror time-exceeded), or was unreachable (ICMP TCPerror - dest-unreach).
When this is executed, packets are returned from hosts that contain running services, and stored in the attribute lists http_servers, https_servers, ftp_servers, ssh_servers, and custom_servers. The attribute list 'networks' includes hosts that return RST-ACK packets, because they indicate that something is there and the network range should be investigated further.
The return packets are parsed by way of the summary function of the packet object. When scapy recieves a reply it stores them based on the TCP flag.
You wind up with a collection of servers to further interrogate, scan, and attack at your will. Just don't get caught.
Now, further development has me thinking that I can import some modularized attacks and perform them once certain systems are found. Low and slow, unobtrusive things like a couple of default cred attempts, spread out over an hour. Scraping accessible web sites, port scanning the box, etc.
I thought about building out my own brute force subroutines, but hey, why reinvent the wheel. There's a great tool out there called patator that has a brute force module for a variety of services.
-- 11:18 AM
Anyway, I generalized the initialization of discovery that will require the manual management of a port dictionary. It's obvious that different services can all be interrogated and attacked in different ways.
HTTP servers can be scraped, bruteforced, fuzzed, basic auth brute forced, dir traversal.
FTP servers can be brute forced, vuln checked, scanned, fuzzed, and DoS'ed.
SSH servers can be brute forced, vuln checked, and scanned.
SMTP servers can be vuln checked, fuzzed, scanned, relay-validated
DNS servers can be vuln checked, fuzzed, z-transferred
HTTPS servers can be brute forced, vuln checked, scraped, scanned, and harvested
Telnet servers can be brute forced, vuln checked, scanned
I suppose the goal is to build a highly accessible data base that contains potential entry points for private networks. I consider the idea of being able to target random IP's by country, organization, university or ISP would gleam some interesting results.
For example, if you know COX Communications owns 220.127.116.11 - 18.104.22.168, which is really just 22.214.171.124/18, you can supply the Generator an argument that would allow you to specify a range (or key value pair) that will only target random IP addresses in that range.
More to come...