Using BiDiBLAH: Very concise getting started guide.



Table of contents

  Using BiDiBLAH
    Install procedure
    Installing the raw socket driver
    Install and/or configure your firewall
    Configure BiDiBLAH to your liking
  Notes on using Forward
  Notes on Reverse
  Notes on using the portscanner
  Notes on the design of BiDiBLAH

Using BiDiBLAH

Install procedure:

You need to have the .NET framework installed. The InstallShield installer should assist you if you don't have it installed yet.

If you plan to make use of BiDiBLAH's vulnerability scans you must install a Nessus server and/or have a valid username and password on a Nessus server. Nessus can be found at http://www.nessus.org

If you plan to make use of the Metasploit functionality you need to install Metasploit (>=2.4) locally on your machine; the default install should be good. Metasploit can be found at http://www.metasploit.org

BiDiBLAH uses Microsoft Office (Word) 2003 for reporting. If you want to use BiDiBLAH to write reports you should have Office 2003 installed. Because of differences in the Office automation libraries in .NET, Office 2002 is not supported, sorry.

The crippleware version of BiDiBLAH is limited as follows:
  o It will exit after 7 minutes of usage. This should be more than enough time to see how things work, but not enough time for script kiddies to cause real damage.
  o Saving and loading (of data) has been disabled.

After the InstallShield installer has exited, please follow these procedures:

Installing the raw socket driver:

Because Microsoft restricted sending on raw sockets in XP Service Pack 2, BiDiBLAH uses its own raw socket driver and drops down to the Ethernet layer. You must install this driver, as it is used by the asynchronous portscanner/banner grabber. Do the following:

Go to the Control Panel, open Network Connections and right-click on the Local Area Connection you wish to use. Go to Properties:

Go to Internet Protocol (TCP/IP) and click on Install. Choose Protocol and click on Have Disk. Navigate to the ndisprot.inf file and select it (it is in the driver directory under the program's base directory):

You will see a warning that the driver is not signed. NB: after the driver is installed YOU NEED TO REBOOT for the install to complete.

Install and/or configure your firewall

BiDiBLAH sends SYN packets when doing the portscan and the banner grab. This happens outside of the normal TCP/IP stack, so the stack does not know about these packets. When a SYN-ACK comes back for a connection the stack never opened, the stack answers it with a RST, which tears the half-open connection down before BiDiBLAH can use it. Because of this you need to do two things:

1. Disable XP's internal firewall
2. Make sure your stack does not send RST packets

You can do this in two easy steps. First we need to disable the internal XP firewall. This is easy. Go to Control Panel -> Windows Firewall -> Off:

Next we need to block RST packets. You can do this on your upstream firewall, but in most cases it is just easier to do it locally. Download WIPFW, the Windows port of the well-known BSD firewall ipfw (it's free, works very nicely, is a breeze to install, really powerful and a small download). You can get WIPFW from: http://sourceforge.net/projects/wipfw/ You should download wipfw-stable. Once you have unzipped it, run install.cmd. After this everything happens from the command line; you can use wipfw as you would use ipfw under Unix. You only need to add one rule to deny RST packets:

    wipfw add 5 deny TCP from any to any tcpflags rst

You add this rule at the command prompt, from the directory where wipfw was extracted (the guide assumes c:\tools). Note that this rule matches RST segments in both directions for every TCP connection on the host, not only the scanner's, so remove it again (wipfw delete 5) when you are done scanning.

On a network level we are now ready to go. Make sure that, whenever you use the portscanner or the banner grabber inside BiDiBLAH, your firewall is configured as described above. Otherwise BiDiBLAH WON'T WORK.

Configure BiDiBLAH to your liking

Now open BiDiBLAH and click on the SETUP tab:

In order to use BiDiBLAH properly you need to configure it; everything below lives on the SETUP tab.

Subdomain tab:
  - Enter your Google API key (you can get a key at api.google.com).
  - The Google depth (in multiples of 10) sets how many results should be returned.
  - The Google keywords are words that BiDiBLAH combines with its queries.

Forwards tab:
  - Select where your BFDNS files are. The application looks for any file ending in a .bfdns extension and adds its contents to the list of names used for brute force.
  - The test depth sets how deep within each file the application will test before assuming a naming scheme.
  - If you want to test all the entries, check the override checkbox.

Portscan tab:
  - Enter the source IP that QAlive (the portscanner) will send packets from. If this is not your IP address, packets will be spoofed from the address you selected; replies then go to that address and not to you. This is useful when you are running tcpdump somewhere else.
  - Enter your source MAC address; you can get it with ipconfig /all in a command window. If you wish to spoof your MAC address (why?) you may do it here.
  - Enter the destination MAC address. Because ARP has not been implemented, you need to set this manually. Most of the time this isn't a big deal: you will probably be scanning machines on the other side of your default gateway, which makes the destination MAC that of your default gateway. You can get this easily from your ARP table: run arp -a in a command window. If you are scanning locally, sorry (or hook a router between you and your local net; ARP will be implemented in a next release if there is demand for it).
  - Load the port list file: a single text file containing the port ranges you wish to see in the drop-down list (in QAlive).

Nessus tab:
  - Select the Nessus server (IP or DNS name), Nessus username and password.
  - Select where the application should find the PLG files (Nessus plugin selection files). These appear in the plugin set drop-down list in the Nessus section.

Metasploit tab:
  - Enter the location of the Metasploit Framework's web interface.
  - Enter the location of your local MSF home; this is used when configuring your exploits.
  - If your exploits are already configured you can save the config strings in a file and load them.
  - You should also load the Metasploit-to-Nessus text file. This matches Nessus plugins to Metasploit exploits.
  - The Perl interpreter used for Metasploit needs to be set.
  - You can test your Metasploit setup by clicking Load exploits in the Metasploit tab; you should see a list of exploits. Double-clicking on an exploit brings up the exploit configuration screen.

When you are done configuring, click the SAVE button in the Config Load/Save section. Next time you start BiDiBLAH you can just click the blue LOAD button and don't have to go through the whole mission again.

Loading and saving configurations: Choose the Load Config tab to load a sample configuration file located in c:\bidiblah\config (if you chose the defaults). The location of the BFDNS files, a default set of ports in the port list file as well as the IP2C DB should then be configured correctly. If you installed the application in a different location you need to configure these manually. At any stage you can save the configuration (and load it again later).

Saving/loading your data (DISABLED IN CRIPPLED VERSION): At any stage you can go to the SETUP tab and hit the Save button in the Data Load/Save combo. This saves the contents of all the forms; the Load button loads it back into the forms.

Keep in mind that loading will ADD the entries to all the forms. That's why there is a CLEAR ALL button; it clears all entries from all forms.

Notes on using Forward

The last entry on a line tells you what type of entry it is:
  FL: normal forward lookup from brute force
  GFL: Google forward lookup; the name came from a Google search
  ZT: from a zone transfer
  NS: this is a name server for the domain
  MX: this is a mail server for the domain
  ZTCN: alias (CNAME) found in a zone transfer
  ZTMX: alias for an MX record found in a zone transfer

Notes on Reverse

Matched entries (reverse DNS entries that match the filter) get RL at the end; that's for Reverse Listing. Unmatched entries get RLNM (Reverse Listing Non-Matched).

You will see that hostnames are also collected. This is done in order to create a custom host list (possibly as a custom .bfdns file). The idea is that an organization might re-use host names between domains.

Matched additional domains are populated by trying to figure out the domain of a reverse DNS entry where the entry matches the filter, but the domain is not found as an input domain (in neither domains nor subdomains).

Notes on using the portscanner

1. YOU NEED TO DISABLE ANY HOST-BASED FIREWALL.
2. Keep in mind that this process is not kind to NAT devices (it works fine, but I am glad I don't need to keep state of the stuff going out). For the same reason your admin might not be pleased when you run this behind a stateful firewall: every SYN opens a new state entry and nothing ever closes it cleanly. I am using it with NAT and a stateful firewall (and tunneling) and it works fine, but I guess it hurts.
3. Click on the Import (app) button; this imports the netblocks from the netblock section. You may add or delete blocks here.
4. Click on Bind driver; this binds the driver.
5. Click on the Adaptor drop-down list and select the interface you want to use to send the packets. This matters when you have multiple interfaces.
6. Select a port list from the Ports drop-down. If a port file was not found in the configuration, a default list of ports will be shown.
7. Hit Start.
8. You can adjust the delay on the fly (at SETUP tab > Portscan tab). I have used it down to 6 ms between packets. To know if you are losing responses, run a ping in another window; you can ping anything at the other end of your connection, but it makes sense to ping something as close as possible to your target. As soon as you see packet loss on the ping you know you might be losing responses.
9. When the scan is done the driver will unbind; this ensures that you don't forget to unbind it before using the banner grabber.
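What the portscanner is doing below the stack, from the firewall section through the Portscan tab settings and the steps above, as an added example that is not BiDiBLAH's own code: it builds the Ethernet frame (destination MAC of the gateway, as the guide has no ARP), the IPv4 header and a checksummed TCP SYN, then classifies a reply the way a SYN scanner must (SYN-ACK acking our ISN+1 is open, RST is closed, silence is filtered). Nothing is sent; the addresses, MACs, ports and the constructed replies are my assumptions, and the code is standard library only so it runs anywhere.

```python
# Added example (not BiDiBLAH code): raw SYN probe and reply classification.
import random
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETHERTYPE_IPV4 = 0x0800


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Over a buffer that already carries a
    valid checksum it returns 0, which is how replies are verified below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=8192) -> bytes:
    """20-byte TCP header (no options), checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src_ip, dst_ip, payload: bytes, ident=0, ttl=64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_ethernet(dst_mac, src_mac, ip_packet: bytes) -> bytes:
    """Frame as the driver sends it. For targets beyond the gateway dst_mac is
    the gateway's MAC (from arp -a), which is why the guide asks for it."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def build_syn(src_ip, dst_ip, sport, dport, seq=None) -> bytes:
    """The probe. src_ip may be spoofed, but then the SYN-ACK goes to that host,
    not to us; that is the 'tcpdump somewhere else' case in the Portscan tab."""
    seq = random.getrandbits(32) if seq is None else seq
    return build_ipv4(src_ip, dst_ip, build_tcp(src_ip, dst_ip, sport, dport, seq, 0, TCP_SYN))


def parse_ipv4_tcp(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, proto = pkt[12:16], pkt[16:20], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        return {"proto": proto}
    sport, dport, seq, ack, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(pkt) - ihl)
    return {"proto": 6, "src": ".".join(map(str, src)), "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags,
            "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + pkt[ihl:]) == 0}


def classify(reply, target_ip, target_port, our_port, our_seq) -> str:
    """SYN-ACK acking our ISN+1 -> open; RST -> closed; no reply -> filtered.
    The host stack, seeing a SYN-ACK for a connection it never opened, would
    itself answer with a RST; that is the RST the wipfw rule has to drop."""
    if reply is None:
        return "filtered"
    p = parse_ipv4_tcp(reply)
    if (p.get("proto") != 6 or p["src"] != target_ip or p["sport"] != target_port
            or p["dport"] != our_port or not (p["ip_csum_ok"] and p["tcp_csum_ok"])):
        return "unrelated"
    if p["flags"] & TCP_RST:
        return "closed"
    if p["flags"] & (TCP_SYN | TCP_ACK) == (TCP_SYN | TCP_ACK) and p["ack"] == (our_seq + 1) & 0xFFFFFFFF:
        return "open"
    return "unexpected"


def demo():
    """Constructed exchange: scanner 192.0.2.10 probes 192.0.2.80 ports 80-82."""
    me, target, sport, isn = "192.0.2.10", "192.0.2.80", 40000, 1000
    frame = build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           build_syn(me, target, sport, 80, isn))
    synack = build_ipv4(target, me, build_tcp(target, me, 80, sport, 777, isn + 1, TCP_SYN | TCP_ACK))
    rst = build_ipv4(target, me, build_tcp(target, me, 81, sport, 0, isn + 1, TCP_RST | TCP_ACK))
    return {"frame_len": len(frame),
            80: classify(synack, target, 80, sport, isn),
            81: classify(rst, target, 81, sport, isn),
            82: classify(None, target, 82, sport, isn)}


if __name__ == "__main__":
    print(demo())
```

The checksum verification in parse_ipv4_tcp is worth keeping in a real scanner: a half-captured or corrupted frame otherwise gets counted as an open port, which is exactly the kind of false result the ping-loss check in step 8 is there to catch.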

Notes on the design of BiDiBLAH

1. BiDiBLAH was built for users who understand what it is they want to do. It was built to be as flexible as possible, with a power user in mind. It was not built to be a point-and-click tool. If it does not work for you then you probably should not be using it in the first place.
2. As far as possible, forms are text boxes, and these boxes are "hot": you can make a change in a text box and it will be carried over to the other parts of the application. It also means you can copy, cut and paste from these forms to reports or other applications. The exception is the filters in the reverse scan: once you have started the scan you cannot change the values (well, you can change them, but it's not going to affect the results). Keep in mind that this method limits our ability to sanity-check the text you enter.
3. The application is database-less. Information is stored in the forms themselves. While this could be a pitfall in the long run, it means that one can very easily make changes to the data on the fly.
4. On just about every tab you will see two buttons, Import (app) and Import (file). You can either get data for the section from the previous section, or import it from a file. When importing from a file, every item is on a separate line.
5. You will also see "preserve" checkboxes just about everywhere. If you check one, the data already in the form won't be deleted when you import new data (nice for adding stuff).
6. Almost all text-based forms have two small buttons, a red "clr" and a white "s/u". "clr" clears the form; it does not wait for confirmation. "s/u" performs the equivalent of a UNIX sort | uniq on the text in the form; nice if you suspect that duplicate entries have crept in.