Using BiDiBLAH: Very concise getting started guide.
Table of contents

Using BiDiBLAH
  Install procedure
  Installing the raw socket driver
  Install and/or configure your firewall
  Configure BiDiBLAH to your liking
Notes on using Forward
Notes on Reverse
Notes on using the portscanner
Notes on the design of BiDiBLAH
Using BiDiBLAH

Install procedure:

You need to have the .NET framework installed. The install shield should assist you if you don't have it installed yet.

If you plan to make use of BiDiBLAH's vulnerability scans you must install a Nessus server and/or have a valid username and password on the Nessus server. Nessus can be found at http://www.nessus.org

If you plan to make use of the MetaSploit functionality you need to install Metasploit (>=2.4) locally on your machine; the default install should be good. Metasploit can be found at http://www.metasploit.org

BiDiBLAH uses Microsoft's Office (Word) 2003 for reporting. If you want to use BiDiBLAH to write reports you should have Office 2003 installed. Because of differences in the Office automation libraries in .NET, Office 2002 is not supported, sorry.

The crippleware version of BiDiBLAH is limited as follows:

o It will exit after 7 minutes of usage. This should be more than enough time to see how things work, but not enough time for script kiddies to cause real damage.
o The saving and loading (of data) has been disabled.

After the install shield has exited please follow these procedures:

Installing the raw socket driver:

Because Microsoft decided to disable the use of raw sockets for writing in XP Service Pack 2, BiDiBLAH uses a raw socket driver and drops down to the Ethernet layer. You must thus install this driver, as it is used for the asynchronous portscanner/banner grabber. Do the following:

Go to the Control Panel, open Network Connections and right click on the Local Area Connection you wish to use. Go to Properties:
Go to Internet Protocol (TCP/IP) and click on Install. Choose Protocol and click on Have Disk.

Navigate to the ndisprot.inf file and select it (it is in the driver directory under the program base):
You will see that the driver is not signed.

NB: After the driver is installed YOU NEED TO REBOOT for the install to complete.

Install and/or configure your firewall

BiDiBLAH sends SYN packets when doing the portscan and the banner grab. This happens outside of the normal TCP/IP stack, so the stack does not know about these packets (and would otherwise answer the returning SYN/ACKs with a RST, tearing the connection down before the banner grabber can read anything). Because of this you need to do two things:

1. Disable XP's internal firewall
2. Make sure your stack does not send RST packets

You can do this in two easy steps. First we need to disable the internal XP firewall. This is easy. Go to your Control Panel -> Windows Firewall -> Off:
Next we need to block RST packets. You can do this on your upstream firewall, but in most cases it is just easier to do it locally. Download the Windows version of the famous BSD based firewall ipfw, called WIPFW (it's free, works very nicely, is a breeze to install, really powerful and very small to download). You can get WIPFW from: http://sourceforge.net/projects/wipfw/ You should download wipfw-stable.

Once you have unzipped it, run the file install.cmd. After this everything happens from the command line. You can now use wipfw as you would use ipfw under Unix. You only need to add one rule to deny RST packets. This is done with the following rule:
wipfw add 5 deny TCP from any to any tcpflags rst

You add this rule at the command prompt, something like this (assuming that wipfw was extracted in c:\tools):

On a network level we are now ready to go. Make sure that, when you are using the portscanner or the banner grabber inside of BiDiBLAH, your firewall is always configured as described above. Else BiDiBLAH WON'T WORK.

Configure BiDiBLAH to your liking

Now open BiDiBLAH. Click on the SETUP tab:
In order to use BiDiBLAH properly you need to configure it; go to the SETUP tab:

At the Subdomain tab:
o Enter your Google API key (you can get a key at api.google.com).
o The Google depth (in multiples of 10) sets how many queries should be returned.
o The Google keywords are words that BiDiBLAH combines with queries.

At the Forwards tab:
o Select where your BFDNS files are. The application will look for any file that ends with a .bfdns extension and add its content to the list of names that will be used for brute force.
o The test depth sets how deep within each file the application will test before assuming a naming scheme. If you want to test all the entries you can check the override checkbox.

At the Portscan tab:
o Enter the source IP where QAlive will send packets from. If this is not your IP address, packets will be spoofed from the address that you selected. This could be useful when you are running a tcpdump somewhere else.
o Enter your source MAC address; you can get it by doing an ipconfig /all in a DOS window. If you wish to spoof your MAC address (why??) you may do it here.
o Enter the destination MAC address. Because we haven't implemented ARP you need to set this up manually. Most of the time it isn't a big deal though: you will probably be scanning machines on the other side of your default gateway. That makes the destination MAC address that of your default gateway. You can get this easily by looking at your ARP table: do an arp -a in a DOS window. If you are scanning locally, sorry (or you can hook a router between you and your local net. We will implement ARP in a next release if there's demand for it).
o Load the port list file. This is a single text file containing the ranges of ports you wish to see as a drop down list (in QAlive).

At the Nessus tab:
o Select the Nessus server (IP or DNS name), Nessus username and password.
o Select where the application should find the PLG files (Nessus plugin selection files). These will appear in the plugin set drop down list in the Nessus section.

At the MetaSploit tab:
o Enter the location of the Metasploit framework's web interface.
o Enter the location of your local MSF home; this is used when configuring your exploits.
o If your exploits are already configured you can save the config strings in a file and load it.
o You should also load the MetaSploit 2 Nessus text file. This matches Nessus plugins to MetaSploit exploits.
o The PERL interpreter used for Metasploit needs to be set.

You can test your Metasploit setup by clicking load exploits in the MetaSploit tab; you should see a list of exploits. Double clicking on an exploit brings up the exploit configuration screen.

When you are done configuring: click on the SAVE button in the Config Load/Save section. Next time you start BiDiBLAH you can just click on the blue LOAD button and you don't have to go through the whole mission again.

Loading and saving configurations:

Choose the Load Config tab to load a sample configuration file located in c:\bidiblah\config (if you chose defaults).
The location of the BFDNS files, a default set of ports in the portlist file as well as the IP2C DB should be configured correctly. If you installed the application in a different location you need to configure these manually. At any stage you can save the configuration (and load it again later).

Saving/Loading your data (DISABLED IN CRIPPLED VERSION)

At any stage you can go to the SETUP tab and hit the Save button in the Data Load/Save combo. This will save the contents of all the forms; the Load button will load it back into the forms.
Keep in mind that it will ADD the entries to all the forms. That's why there's a CLEAR ALL button: this will clear all entries from all forms.

Notes on using Forward

The last entry on a line tells you what type of entry it is:

FL: normal forward lookup from brute force
GFL: Google forward lookup, meaning we got the name from a Google search
ZT: from a zone transfer
NS: this is a name server for the domain
MX: this is a mail server for the domain
ZTCN: alias found in a zone transfer
ZTMX: alias for an MX record found in a zone transfer
Notes on Reverse

Matched entries (reverse DNS entries that match the filter) get an RL at the end; that's for Reverse Listing. Unmatched entries get RLNM (Reverse Listing Non-Matched).

You will see that hostnames are also collected. This is done in order to create a custom host list (possibly as a custom .bfdns file). The idea here is that an organization might re-use host names between domains.

Matched additional domains are populated by trying to figure out the domain of a reverse DNS entry where the entry matches the filter, but the domain is not found as an input domain (neither in domains nor in sub domains).
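The Forward type tags above and the Reverse RL/RLNM tagging, hostname collection and "additional domains" logic are easy to work with outside the tool, since the forms are plain text you can cut and paste. The following is an added example written for this guide and is not BiDiBLAH's own code. It assumes a line layout the guide does not pin down (whitespace-separated fields with the type tag last, one entry per line); the filter pattern, the "last two labels" domain heuristic and the sample lines (RFC 5737 addresses and example.com/example.net names) are all constructed for the example.

```python
"""Parse and summarise BiDiBLAH-style Forward/Reverse result lines.

Added example; not BiDiBLAH's own code. Assumed line layout (the guide only
says the last field is the type tag): whitespace-separated fields, one entry
per line, e.g. "www.example.com 192.0.2.10 FL". Sample data is constructed.
"""
import re
from collections import Counter

# Type tags exactly as the guide documents them.
FORWARD_TAGS = {
    "FL": "normal forward lookup from brute force",
    "GFL": "forward lookup, name came from a Google search",
    "ZT": "from a zone transfer",
    "NS": "name server for the domain",
    "MX": "mail server for the domain",
    "ZTCN": "alias found in a zone transfer",
    "ZTMX": "alias for an MX record found in a zone transfer",
}
REVERSE_TAGS = {
    "RL": "reverse listing, entry matched the filter",
    "RLNM": "reverse listing, entry did not match the filter",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def tag_reverse_entry(hostname, filter_pattern):
    """Apply the reverse filter: matching PTR names get RL, the rest RLNM."""
    return "RL" if re.search(filter_pattern, hostname, re.IGNORECASE) else "RLNM"


def parse_line(line):
    """Split one result line into ip, host and tag; None if the tag is unknown."""
    fields = line.split()
    if len(fields) < 2:
        return None
    tag = fields[-1]
    if tag not in FORWARD_TAGS and tag not in REVERSE_TAGS:
        return None
    ip = next((f for f in fields[:-1] if IPV4.match(f)), None)
    host = next((f for f in fields[:-1] if not IPV4.match(f)), None)
    return {"ip": ip, "host": host, "tag": tag}


def count_tags(lines):
    """How many entries of each type a form holds (skips unparseable lines)."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[entry["tag"]] += 1
    return dict(counts)


def registered_domain(hostname):
    """Last two labels of a name (assumption; ignores ccSLDs such as co.uk)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def additional_domains(reverse_lines, input_domains):
    """Domains of matched (RL) reverse entries not among the input domains/subdomains."""
    known = {d.lower() for d in input_domains}
    extra = set()
    for line in reverse_lines:
        entry = parse_line(line)
        if not entry or entry["tag"] != "RL" or not entry["host"]:
            continue
        domain = registered_domain(entry["host"])
        if domain and domain not in known:
            extra.add(domain)
    return sorted(extra)


def collect_hostnames(lines):
    """Short host labels, the raw material for a custom .bfdns list."""
    names = set()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["host"]:
            names.add(entry["host"].split(".")[0].lower())
    return sorted(names)


# Constructed sample output using documentation addresses and names.
FORWARD_SAMPLE = [
    "www.example.com 192.0.2.10 FL",
    "mail.example.com 192.0.2.20 MX",
    "ns1.example.com 192.0.2.2 NS",
    "intranet.example.com 192.0.2.30 GFL",
    "ftp.example.com 192.0.2.40 ZT",
]
REVERSE_SAMPLE = [
    "192.0.2.10 www.example.com RL",
    "192.0.2.50 vpn.example.net RL",
    "192.0.2.60 host60.isp.example RLNM",
]

if __name__ == "__main__":
    print("forward:", count_tags(FORWARD_SAMPLE))
    print("reverse:", count_tags(REVERSE_SAMPLE))
    print("additional domains:", additional_domains(REVERSE_SAMPLE, ["example.com", "sub.example.com"]))
    print("hostnames for custom list:", collect_hostnames(FORWARD_SAMPLE + REVERSE_SAMPLE))
```

Run it as a script to see the per-tag counts, the one domain (example.net) that the reverse listing surfaced but that was not among the input domains, and the short host labels you could paste into a custom .bfdns file. Because parse_line rejects any line whose last field is not a known tag, stray text pasted into a form is skipped rather than miscounted.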
Notes on using the portscanner

1. YOU NEED TO DISABLE ANY HOST BASED FIREWALL.
2. Keep in mind that this process is not kind on NAT devices (it works fine, but I am glad I don't need to keep state of the stuff going out). For the same reasons your admin might not be pleased when running this behind a stateful firewall. I am using it with NAT and a stateful firewall (and tunneling) and it works fine, but I guess it hurts.
3. Click on the Import app button; this imports the netblocks from the netblock section. You may add or delete blocks here.
4. Click on Bind driver; this binds the driver.
5. Click on the Adaptor drop down list. Select the interface you want to use to send the packets. This might be interesting when you have multiple interfaces.
6. Select a port list from the Ports drop down. If a port file was not found in the configuration a default list of ports will be shown.
7. Hit Start.
8. You can adjust the delay on the fly (at SETUP tab > portscanner tab). I have used it down to 6 ms between packets. To know if you are losing responses, do a ping in another window. You can ping anything at the other end of your connection, but it makes sense to ping something as close as possible to your target. As soon as you see packet loss on the ping you know you might be losing responses.
9. When the scan is done the driver will unbind; this ensures that you don't forget to unbind it when using the banner scanner.
Notes on the design of BiDiBLAH

1. BiDiBLAH was built for users that understand what it is that they want to do. It was built to be as flexible as possible with a power user in mind. It was not built to be a point and click tool. If it does not work for you then you probably should not be using it in the first place.
2. As far as possible forms are text boxes. These boxes are "hot"; in other words you can make a change in the text box and it will be carried over to the other parts of the application. It also means you can copy, cut and paste from these forms to reports or other applications. The exception is the filters in the reverse scan: once you have started the scan you cannot change the values (well, you can change them but it's not going to affect the results). Keep in mind that this method limits us in doing sanity checks of the text you enter.
3. The application is database-less. Information is stored in the forms themselves. While this could be a pitfall in the long run, it means that one can very easily make changes on the fly to the data.
4. On just about every tab you will see two buttons: Import (App) and Import (file). You can either get data for the section from the previous section, or you can import it from a file. When importing from a file every item is on a separate line.
5. You will also see preserve checkboxes just about everywhere. If you check this, data that's in the form won't be deleted when you import new data (nice for adding stuff).
6. Almost all text based forms have two small buttons: a red "clr" and a white "s/u". The clr clears the form; it does not wait for confirmation. The s/u button performs the same as a UNIX sort | uniq on the text in the form; nice if you suspect that duplicate entries crept in.