3 posts tagged 'command line'
2012.04.17 18:16

sqlifuzzer: Command Line SQL Injection Web Scanner

Features of Sqlifuzzer:

  • Payloads/tests for numeric, string, error and time-based SQL injection
  • Support for MSSQL, MYSQL and Oracle DBMS’s
  • Automated testing of ‘tricky’ parameters like POST URL query and multipart form parameters
  • A range of filter evasion options:
    • case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
  • ORDER BY and UNION SELECT tests on vulnerable parameters to:
    • enumerate select query column numbers
    • identify data-type string columns in select queries
    • extract database schema and configuration information
  • Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
  • Boolean response-based XPath injection testing and data extraction
  • Support for automated detection and testing of parameters in POST URIs and multipart forms
  • Scan ‘state’ maintenance:
    • Halt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
    • Specify a specific request number to resume a scan from
  • Optional exclusion of a customizable list of parameters from scanning scope
  • Tracking of parameters scanned and avoidance of re-scanning scanned parameters
  • HTML format output with:
    • links/buttons to send Proof of Concept SQL injection requests
    • links to response difference files and to extracted data 

    The only feature sqlifuzzer does not have as of now is a web spider. Because of this, it depends on the Burp Proxy log files to build its internal list of fuzz requests. This feature is available in the free version of Burp Suite.

    It depends on certain pre-defined files, which can be edited to include your own stuff. For example, you can add your own MYSQL, Oracle or MSSQL payloads, add your own time delay payloads, etc. All of these files can be found in the payload directory.

    Presumably, sqlifuzzer depends on Burp Suite. Additionally, you need bash, cURL and replace. Some systems do need a few modifications. Sqlifuzzer is built and tested on BT5-R1 and does run flawlessly.

    Download Sqlifuzzer:

    Sqlifuzzer 0.5g: sqlifuzzer-0.5g.tgz (http://sqlifuzzer.googlecode.com/files/sqlifuzzer-0.5g.tgz)



    Source: PenTestIT


    2011.04.19 11:01

    RawCap: Windows Command-Line Packet Sniffer

    RawCap is a free command line network sniffer for Windows that uses raw sockets.


    Properties of RawCap:

    • Can sniff any interface that has got an IP address, including 127.0.0.1 (localhost/loopback)
    • RawCap.exe is just 17 kB
    • No external libraries or DLLs needed other than .NET Framework 2.0
    • No installation required, just download RawCap.exe and sniff
    • Can sniff most interface types, including WiFi and PPP interfaces
    • Minimal memory and CPU load
    • Reliable and simple to use 


    Usage

    You will need to have administrator privileges to run RawCap.

    F:\Tools>RawCap.exe --help
    NETRESEC RawCap version 0.1.2.0
    http://www.netresec.com

    Usage: RawCap.exe <interface_nr> <target_pcap_file>

     0.     IP        : 192.168.0.17
            NIC Name  : Local Area Connection
            NIC Type  : Ethernet

     1.     IP        : 192.168.0.47
            NIC Name  : Wireless Network Connection
            NIC Type  : Wireless80211

     2.     IP        : 90.130.211.54
            NIC Name  : 3G UMTS Internet
            NIC Type  : Ppp

     3.     IP        : 192.168.111.1
            NIC Name  : VMware Network Adapter VMnet1
            NIC Type  : Ethernet

     4.     IP        : 192.168.222.1
            NIC Name  : VMware Network Adapter VMnet2
            NIC Type  : Ethernet

     5.     IP        : 127.0.0.1
            NIC Name  : Loopback Pseudo-Interface
            NIC Type  : Loopback

    Example: RawCap.exe 0 dumpfile.pcap

    Instead of the interface number you can supply the IP address of the preferred interface, like this:

    RawCap.exe 192.168.0.17 dumpfile.pcap

    Interactive Console Dialog

    You can also start RawCap without any arguments; this leaves you with an interactive dialog:

    F:\Tools>RawCap.exe
    Network interfaces:
    0.     192.168.0.17    Local Area Connection
    1.     192.168.0.47    Wireless Network Connection
    2.     90.130.211.54   3G UMTS Internet
    3.     192.168.111.1   VMware Network Adapter VMnet1
    4.     192.168.222.1   VMware Network Adapter VMnet2
    5.     127.0.0.1       Loopback Pseudo-Interface
    Select network interface to sniff [default '0']: 1
    Output path or filename [default 'dumpfile.pcap']:
    Sniffing IP : 192.168.0.47
    File        : dumpfile.pcap
    Packets     : 1337

    Raw sockets limitations in Vista and Win7

    Due to current limitations in the raw sockets implementations for Windows Vista and Windows 7 we suggest running RawCap on Windows XP. The main problem with raw socket sniffing in Vista and Win7 is that you might not receive either incoming packets (Win7) or outgoing packets (Vista).

    Download RawCap

    You can download RawCap.exe here.


    2011.04.05 19:49

    FOR /F tokens and delims Step by step

    The general syntax of FOR /F commands, at least the part we are going to analyze, is:

    FOR /F "tokens=n,m* delims=ccc" %%A IN ('some_command') DO other_command %%A %%B %%C

    Using an example, we are going to try and find a way to define values for tokens and delims.

    For our example, we are going to find out who is logged on to a computer with a specified IP address (like, say, one found in our firewall logs).
    The command we'll use is NBTSTAT.

    NBTSTAT -A 10.100.0.14

    will return something like:

    Local Area Connection:
    Node IpAddress: [your own IP address] Scope Id: []
    
               NetBIOS Remote Machine Name Table
    
           Name               Type         Status
        ---------------------------------------------
        REMOTE_PC      <00>  UNIQUE      Registered
        MYDOMAIN       <00>  GROUP       Registered
        REMOTE_PC      <20>  UNIQUE      Registered
        MYDOMAIN       <1E>  GROUP       Registered
        REMOTE_PC      <03>  UNIQUE      Registered
        REMOTE_USER    <03>  UNIQUE      Registered
    
        MAC Address = 01-02-03-44-5A-F1
    

    We obviously need the information from the line that contains the string <03> but not the line with the computer name:

        REMOTE_PC      <03>  UNIQUE      Registered
        REMOTE_USER    <03>  UNIQUE      Registered
    

    However, since we started with an IP address, in this case there is no way to distinguish between a computer name and a user name.
    That's why we'll add another step:

    NBTSTAT -a REMOTE_PC

    will return the exact same result.
    Note the lower case -a (NBTSTAT /? will show you the syntax in detail).

    So if we know the remote PC name we know which line to filter out:

        REMOTE_PC      <03>  UNIQUE      Registered 
        REMOTE_USER    <03>  UNIQUE      Registered
    

    We'll use PING to convert the IP address to its associated computer name:

    PING -a 10.100.0.14 -n 1 -w 500

    will return something like:

    Pinging REMOTE_PC [10.100.0.14] with 32 bytes of data:
    
    Reply from 10.100.0.14: bytes=32 time<10ms TTL=128
    
    Ping statistics for 10.100.0.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum =  0ms, Average =  0ms
    

    What values for delims and tokens do we need to convert the IP address into its computer name?

    Let's have a closer look at the output of the PING command:

    • we want the (unknown) second word from the first line (actually, the second line, because the first line is blank)
    • that first line contains the (known) IP address enclosed in square brackets [10.100.0.14]
    • none of the other lines contain the IP address enclosed in square brackets, nor any other string in square brackets

    First let's mark the boundaries of the requested word REMOTE_PC (yellow highlights in the original post; it sits between the first and second space of the first non-blank line):

    Pinging REMOTE_PC [10.100.0.14] with 32 bytes of data:
    
    Reply from 10.100.0.14: bytes=32 time<10ms TTL=128
    
    Ping statistics for 10.100.0.14:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum =  0ms, Average =  0ms
    

    This makes our choice for the delimiters, delims, quite obvious: a space.
    If we mark all spaces (yellow highlights in the original post), we can easily see which tokens are available (numbered below the line):

    Pinging REMOTE_PC [10.100.0.14] with 32 bytes of data:
    
    token=1  token=2     token=3      4  5    6   7    8
    

    In this case, we're only interested in tokens 2 and 3:

    • token 2 is the requested computer name
    • token 3 can be used to check if we're dealing with the correct line: it should equal our original IP address enclosed in square brackets

    So we're only interested in the tokens 2 and 3:

    Pinging REMOTE_PC [10.100.0.14] with 32 bytes of data:
    
             token=2     token=3
    

    This leads us to the following command line:

    FOR /F "tokens=2,3 delims= " %%A IN ('PING -a %1') DO IF "%%B"=="[%1]" SET PC=%%A

    %1 is the value of the first command line argument passed to our batch file.
    In our case, the IP address to be investigated.

    IF "%%B"=="[%1]" checks if the third word (token=3) equals the original IP address (%1) enclosed in square brackets ([%1]).
    If we were to skip this test, the end result for token 2 would be the equal sign (=) from the last line (just try it).
    If the test matches, the second word (token=2) is stored in a variable named PC.

    Note that the first token specified (token 2) is stored in the variable specified (%%A), and the following token specified (token 3) in the following variable (in this case: %%B).

    Our batch file thus far:

    @ECHO OFF
    FOR /F "tokens=2,3 delims= " %%A IN ('PING -a %1') DO IF "%%B"=="[%1]" SET PC=%%A
    SET PC
    

    The last line, SET PC, displays the actual value of the variable PC. I added it for debugging purposes.
    (Actually, SET PC will display all variables whose names begin with "PC".)

    Say we named our batch file FINDUSER.BAT then the command:

    FINDUSER 127.0.0.1

    should display your computer name:

    PC=mycomputer

     

    Now that we have the computer name, we can continue with the NBTSTAT command.

    Let us mark the requested substring, REMOTE_USER, in NBTSTAT's output (yellow highlights in the original post):

    Local Area Connection:
    Node IpAddress: [your own IP address] Scope Id: []
    
               NetBIOS Remote Machine Name Table
    
           Name               Type         Status
        ---------------------------------------------
        REMOTE_PC      <00>  UNIQUE      Registered
        MYDOMAIN       <00>  GROUP       Registered
        REMOTE_PC      <20>  UNIQUE      Registered
        MYDOMAIN       <1E>  GROUP       Registered
        REMOTE_PC      <03>  UNIQUE      Registered
        REMOTE_USER    <03>  UNIQUE      Registered
        MAC Address = 01-02-03-44-5A-F1
    

    The choice for delims will be obvious: a space.

    Notes:
    (1) Multiple spaces are still treated as a single delimiter.
    (2) A row of characters in the delims definition is interpreted as "the first character OR the second character OR the third character" etcetera, so you can only use multiple single characters as delimiters in the delims definition, not entire "words".

    The token number may be less obvious, since there are several spaces before the first word.
    Since leading delimiters (before the first word) are ignored, however, it is still the first word in the line, so we need token 1.

    Aside: We can use this feature to strip any number of leading spaces from a string:

    FOR /F "tokens=*" %%A IN ("    some string") DO ECHO.%%A

    will return some string (without the leading spaces).
    And this isn't limited to spaces:

    FOR /F "tokens=* delims=0" %%A IN ("00000012") DO ECHO.%%A

    will return 12

    In this particular case, we will filter out the correct line not by checking the value of the second word (<03>) but by using the FIND command:

    NBTSTAT -a %PC% | FIND "<03>" | FIND /I /V "%PC%"

    will display only the line containing the user ID:

        REMOTE_USER    <03>  UNIQUE      Registered

    (Remember? %PC% is the value for the remote computer name that we just got using the PING command).

    To prevent error messages we need to escape the pipe symbols when we use them within brackets in a FOR /F command.
    I will skip the details right now, just remember to place a caret before pipe and redirection characters when used within parentheses of FOR /F commands.

    Our batch file now:

    @ECHO OFF
    ECHO IP=%1
    FOR /F "tokens=2,3 delims= " %%A IN ('PING -a %1') DO IF "%%B"=="[%1]" SET PC=%%A
    SET PC
    FOR /F "tokens=1 delims= " %%A IN ('NBTSTAT -a %PC% ^| FIND "<03>" ^| FIND /I /V "%PC%"') DO SET USER=%%A
    SET USER
    

    Note the use of carets (^, highlighted in the original post) as escape characters for the pipe symbols within the brackets of the second FOR loop!
    Also note that no escape characters are necessary when the redirection characters are quoted, as in FIND "<03>".

    This batch file could do with some error checking, but as long as we pass it a valid IP address on the command line it should correctly return the IP address, the computer name, and the logged on user.

    One could also use another FOR /F line, combined with the NET USER command, to retrieve the user's full name too, but I will leave that to you.

    You got the idea.
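As an added example (not from the post, whose scripts are pure batch), the Python below emulates the tokens/delims rules walked through above and replays the post's two outcomes: token 2 of the PING line guarded by the [IP] check, and the '=' taken from the last line when the IF is dropped. PING_OUTPUT is a constructed copy of the output shape shown above, for_f_tokens and find_pc are names of this example only, and the 'n*' remainder form from the general syntax at the top of the post is also handled even though the post never exercises it.

```python
import re

# Constructed sample output in the shape the post shows for PING -a 10.100.0.14.
PING_OUTPUT = """
Pinging REMOTE_PC [10.100.0.14] with 32 bytes of data:

Reply from 10.100.0.14: bytes=32 time<10ms TTL=128

Ping statistics for 10.100.0.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum =  0ms, Average =  0ms
"""

def for_f_tokens(line, tokens="1", delims=" "):
    """Emulate FOR /F on one line: leading delimiters are skipped, a run of
    delimiters counts as one, 'n,m' picks tokens n and m, 'n*' adds the
    untouched remainder after token n, and '*' alone is the whole line.
    Returns the values for %%A, %%B, ...; None for a blank line (skipped)."""
    rest = line.lstrip(delims)
    if not rest:
        return None
    spans = [m.span() for m in re.finditer("[^" + re.escape(delims) + "]+", rest)]
    out = []
    for item in tokens.split(","):
        if item == "*":
            out.append(rest)
            continue
        lo, _, hi = item.rstrip("*").partition("-")      # 'n', 'n-m' or 'n*'
        last = int(hi or lo)
        for n in range(int(lo), last + 1):
            out.append(rest[slice(*spans[n - 1])] if n <= len(spans) else "")
        if item.endswith("*"):                            # remainder after token `last`
            tail = rest[spans[last - 1][1]:] if last <= len(spans) else ""
            out.append(tail.lstrip(delims))
    return out

def find_pc(ping_output, ip, check=True):
    """The post's first FOR /F: tokens=2,3 and SET PC=%%A only if %%B == [ip].
    check=False drops the IF, so the last line's token 2 ('=') wins."""
    pc = None
    for line in ping_output.splitlines():
        t = for_f_tokens(line, "2,3")
        if t and (not check or t[1] == "[" + ip + "]"):
            pc = t[0]
    return pc
```

The NBTSTAT step works the same way: for_f_tokens('    REMOTE_USER    <03>  UNIQUE      Registered', '1') gives ['REMOTE_USER'] because the leading spaces are delimiters and are skipped, and for_f_tokens('00000012', '*', '0') gives ['12'], matching the aside.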


    Source: www.robvanderwoude.com


    FYI, tasklist and taskkill already have filtering capabilities:

    tasklist /FI "imagename eq chrome.exe"
    taskkill /F /FI "imagename eq iexplore.exe"
    

    If you want more general functionality, batch scripts (ugh) can help. For example:

    REM %~1 is the first argument with surrounding quotes stripped: the image name to look for
    for /f "tokens=1,2 delims= " %%i in ('tasklist /v') do (
      REM %%i = Image Name column, %%j = PID column
      if "%%i" == "%~1" (
        echo TASKKILL /PID %%j
      )
    )

    There's a fair amount of help for the Windows command line. Type "help" to get a list of commands with a simple summary, then type "help <command>" for more information about that command (e.g. "help for").
