Irregular Expressions

Apr 27 2013   12:04AM GMT

SSH Brute Force Scanner – Part 5

Dan O'Connor

I have been doing some basic things with ‘atack’. One of the first things I do with samples is run ‘strings’ against them. I find this a great way to try and see what the binary is going to do before you start running it in your test environment. I have a few suspicions about it; one of them is that it may have the ability to do file system operations like copy.

Another excellent tool you can use is IDA Pro Free. If you like IDA Pro Free, the good news is you can buy the retail version. The only feature that I think is worth mentioning in the non-free version is that it has the ability to transform your dump into pseudo-code. But other than that, the free version will more than suffice for what we are doing.

The first place I go once I have a sample opened is the names window.
[Image: names]

The good news is, my initial feeling that ‘atack’ had the ability to copy files seems to be correct.

[Image: sftp_name]

[Image: sftp]

Now we can check our strings again and see if we have anything that looks like a file path. There are a few that I think are worth following.


strings atack | egrep "/\S+\/" | less
%s/.ssh/identity
%s/.ssh/id_dsa
%s/.ssh/id_rsa
%s/.ssh/identity.pub
%s/.ssh/id_dsa.pub
%s/.ssh/id_rsa.pub
/etc/resolv.conf
/etc/host.conf
/etc/nsswitch.conf
/etc/localtime
/usr/share/zoneinfo
/etc/mtab
/etc/fstab
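
The same triage step as an added example (not code from the original post): a small Python script that pulls printable strings out of a binary the way ‘strings’ does, applies the same path filter as the egrep above, and groups the hits so references to SSH key files stand out. The bucket names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Runs of 4+ printable ASCII bytes, the same idea as strings(1) with its default length.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Same filter as the egrep in the post: a slash, non-whitespace, another slash.
PATH_LIKE = re.compile(r"/\S+/")

# Hypothetical triage buckets (not from the post): label -> substring to look for.
BUCKETS = [
    ("ssh-keys", "/.ssh/"),
    ("system-config", "/etc/"),
]

def extract_strings(data):
    """Return every printable ASCII run found in the raw bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def triage_paths(data):
    """Group path-like strings by bucket; unmatched paths land in 'other'."""
    result = {label: [] for label, _ in BUCKETS}
    result["other"] = []
    for s in extract_strings(data):
        if not PATH_LIKE.search(s):
            continue  # not path-like, same as being dropped by the egrep
        for label, needle in BUCKETS:
            if needle in s:
                result[label].append(s)
                break
        else:
            result["other"].append(s)
    return result

# Constructed sample: a few strings from the listing above, separated by
# non-printable bytes the way they would sit in a binary's data section.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    b"%s/.ssh/id_rsa\x00\x01\x02%s/.ssh/id_rsa.pub\x00"
    b"/etc/resolv.conf\x00\xff\xfe/usr/share/zoneinfo\x00"
    b"sftp\x00\x90\x90"
)

if __name__ == "__main__":
    for label, paths in triage_paths(SAMPLE).items():
        print(label, paths)
```

To use it on a real sample, read the file in binary mode and pass the bytes to `triage_paths`.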
