[IOML] Shell/Perl/Whatever script wanted

Simon Booth simon.booth at felikz.net
Thu Jul 21 08:07:58 BST 2005


Thanks Dylan,

I will have a go at knocking something up in Perl; it seems like it will 
do the trick.  Maybe if I explain why I want this it may help others 
have some ideas of how I could achieve this goal.

Basically, I am in the process of making a physical vulnerability 
assessing tool, i.e. a black box.  The idea is that this can be used to 
assess network traffic and perform some assessments on machines inside a 
LAN.  The reason that I want to be able to find an outward bound proxy 
is because I want to be able to get a reverse shell from the machine 
(using cryptcat and tunnelling it over HTTP using gnuhttptunnel).  This 
I believe is the most sure-fire way of getting a connection out as 
whilst most companies block a lot of traffic they generally allow HTTP.

Obviously I'm not going to be sneaking around popping this box on network 
connections I find around offices on the island, but I already have a 
few UK customers interested in internal VAs, and as I already work full 
time on the island it would make sense to use this technology to simply 
send out to them and have it contact my machines here and give me a 
reverse shell.  This also means that they don't have to change any 
security at their end.

I can get around this function by requesting the information from the 
client before I send the box out, but, it would just be much better to 
be able to automatically find a route out to the internet.

One thing I guess I can't get around is if the client uses 
authentication on the proxy so obviously that is a scenario where they 
would have to provide some credentials, but, I'm not sure how mainstream 
that is.

Scanning for proxies in the way you described outside of a /24 shouldn't 
be too difficult either, if I think about the code correctly.

Thanks for your help

Regards

Simon

P.S. Wonder if rather than writing a Perl app to do the scanning it 
would be quicker/easier to grep some Nmap results?

Dylan Smith wrote:

>
> On 20 Jul 2005, at 16:10, Simon Booth wrote:
>
>> Hi Guys,
>>
>> I'm not sure any of you guys will be able to help me with this but 
>> it's worth a try.  I am in need of some sort of script or app which 
>> is small and can be run from a linux shell which will discover a 
>> route out to the internet from whatever network it is put on.
>
>
> I take it there's nothing more straightforward you can use to discover 
> this sort of stuff (such as a combo of DHCP+DNS)...
>
> The default gateway is easy enough to discover. Just have your script 
> run 'route -n' then parse the output (i.e. look for the route to 
> 0.0.0.0). I used to have to do this back when Linux used FreeSWAN for 
> ipsec and KLIPS couldn't figure out the default route on its own. Once 
> you find the line with 0.0.0.0 in it you can just split it (using 
> whitespace as the delimiter) and pull out the appropriate element of 
> the array you get back which contains the IP address of your default 
> gateway.
>
> Testing for proxies can probably be done pretty easily using Perl's 
> LWP (libwww perl) module, which I think handles proxies just fine - 
> just set a proxy address and see if you get something back, and try 
> something else if you don't. The perldoc for LWP has an example of 
> using LWP::UserAgent to do something like wget (although the proxy is 
> set by the environment - there may be a method to override this). For 
> something lower level just use IO::Socket::INET - you can connect to a 
> remote socket with two lines of code.
>
> Scanning a network for a proxy on the usual ports would also be pretty 
> easy (well for a /24 at least) using IO::Socket::INET so long as all 
> the machines on the subnet aren't filtering ports (i.e. you get 
> Connection Refused if you try and connect and there's nothing 
> listening, instead of having to wait for it to time out).
>
>
> _______________________________________________
> IOM mailing list
> IOM at mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/iom
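A worked version of the two pieces Dylan describes (pulling the default gateway out of `route -n`, and testing a candidate HTTP proxy with LWP::UserAgent's proxy() method, which overrides the environment setting). This is an added example, not code from either poster; the `route -n` text is a constructed sample and the proxy host, ports and test URL are assumptions.

```perl
#!/usr/bin/perl
# Added example: default-gateway discovery plus a proxy reachability check.
use strict;
use warnings;
use LWP::UserAgent;

# Parse `route -n` text. The line whose Destination column is 0.0.0.0 is the
# default route; its Gateway column is the second whitespace-separated field.
sub default_gateway {
    my ($route_output) = @_;
    for my $line (split /\n/, $route_output) {
        my @f = split ' ', $line;
        next unless @f >= 2 && $f[0] eq '0.0.0.0';
        return $f[1];
    }
    return undef;    # no default route in the table
}

# Fetch a URL through the given proxy. Returns the HTTP status code the proxy
# answered with, or undef when nothing answered (LWP then fabricates its own
# error response and marks it with "Client-Warning: Internal response").
# Note that a 407 Proxy Authentication Required is still a real proxy answer,
# which covers the authenticated-proxy case Simon mentions.
sub check_proxy {
    my ($proxy_host, $proxy_port, $url, $timeout) = @_;
    my $ua = LWP::UserAgent->new(timeout => defined $timeout ? $timeout : 5);
    $ua->proxy(['http'], "http://$proxy_host:$proxy_port/");
    my $res = $ua->get($url);
    my $warn = $res->header('Client-Warning');
    return undef if defined $warn && $warn eq 'Internal response';
    return $res->code;
}

# Constructed sample of `route -n` output (assumed layout of net-tools route).
my $sample = <<'END';
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
END

my $gw = default_gateway($sample);
defined $gw or die "no default route found\n";
print "default gateway: $gw\n";    # prints 192.168.1.1 for the sample

# Live use on the appliance (assumed proxy ports and test URL):
# my $real_gw = default_gateway(scalar `route -n`);
# for my $port (3128, 8080) {
#     my $code = check_proxy($real_gw, $port, 'http://www.example.com/');
#     print "$real_gw:$port => ", defined $code ? "HTTP $code" : "no answer", "\n";
# }
```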
