  1. #!/bin/sh
  2. # Tue Feb  6 14:02:54 CET 2007
  3. # A.Ramos <aramosf@gmail.com|514.es>
  4. # http://www.securitybydefault.com
  5.  
  6.  
  7. ############################# CONFIG ###############################
  8. NMAP="/usr/bin/nmap"
  9. NMAPSWEEPOPTS="-n -sP -PM -PE -PP -PS21,22,25,53,80,110,135,143,139"
  10. NMAPOSOPTS="-n -O -oG -"
  11. NMAPSCAN="-n -sT -oG - "
  12. HPING="/usr/sbin/hping2"
  13. HPINGTS="-c 1 -S --tcp-timestamp -p"
  14. ####################################################################
  15.  
  16. function help {
  17.   echo "syntax: $0 <ip> <network> <-i/-o/-t>"
  18.   echo "  -i: use IPID"
  19.   echo "  -t: use TCP timestamp (portscan+syn with tstamp flag)"
  20.   echo "  -o: use nmap fingerprint"
  21.   echo "example: $0 192.168.1.5 192.168.1.0-255 -i -t"
  22.   exit 0
  23. }
  24.  
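# ---- argument validation ---------------------------------------------------
# <ip> <network> and at least one of -i / -o / -t.  As in the original, the
# flags are detected as substrings of the whole argument list, so "-it"
# works as well as "-i -t".
if [ -z "$3" ]; then help; fi
if [[ "$*" != *-o* ]] && [[ "$*" != *-i* ]] && [[ "$*" != *-t* ]]; then
  help
fi

IP=$1; RANGE=$2

# The reference must look like a dotted-quad IPv4 address: it is spliced
# unquoted into nmap/hping command lines and into grep patterns later on,
# so reject anything else up front.  Only the shape is checked, not the
# octet range.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
if ! [[ "$IP" =~ $ipv4_re ]]; then
  help
fi

# Both probes are external executables; a missing tool is an error, not a
# successful exit, and the message goes to stderr.
if [ ! -x "$NMAP" ]; then echo "NMap not found in: $NMAP" >&2; exit 1; fi
if [ ! -x "$HPING" ]; then echo "Hping not found in: $HPING" >&2; exit 1; fi
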
  41. echo "+ Looking for alive IP address in $RANGE"
  42. UP=`$NMAP $NMAPSWEEPOPTS $RANGE | awk '/Host/ {print $2}'`
  43. echo "- FOUND:" `echo "$UP"|wc -l` IP
  44.  
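function fprint {
  # OS-fingerprint every live host in UP with nmap -O and print, as
  # "--+ <ip> YES!", the ones whose OS guess equals the reference host's (IP).
  # Returns 1 (after a message) when IP itself got no guess, because an empty
  # pattern would otherwise match every line and report every host as equal.
  echo "+ Fingerprinting OS in alive IP address"
  # Reduce grepable output to one "<os guess>:<ip>" line per host.  The field
  # positions ($2 = host, $4 = OS) and the sed match the nmap -oG layout this
  # script was written against; NOTE(review): newer nmap versions emit extra
  # fields on that line and may need the awk/sed adjusted — verify against
  # the nmap in use.
  OS=$($NMAP $NMAPOSOPTS $UP 2>/dev/null \
    | awk -F: '/Host/ { print $2,$4}' \
    | sed -e 's/ \(.*\) .*Ports  \(.*\).*Seq.*/\2:\1/g')
  # Lines still carrying an "IPID" field (presumably no OS guess was
  # extracted for that host) are relabelled "NO OS:<ip>".
  OS=$(echo "$OS" | sed -e 's/.*IPID.*:/NO OS:/g')
  # -F -w: match the address as a whole word, not as a regex prefix
  # (a bare `grep 10.0.0.1` also hits 10.0.0.10 and 10.0.0.100).
  MYOS=$(echo "$OS" | grep -F -w -- "$IP" | cut -d: -f1)
  if [ -z "$MYOS" ]; then
    echo "- No OS guess for $IP, skipping OS comparison"
    return 1
  fi
  echo "- Systems with same OS in $RANGE: ($MYOS)"
  # The OS guess is free text; compare it literally (-F), not as a regex.
  MYEQOS=$(echo "$OS" | grep -F -- "$MYOS" | cut -d: -f2 | grep -v -F -w -- "$IP")
  for i in $MYEQOS; do echo "--+ $i YES!"; done
}
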
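function rpid {
  # Send 5 ICMP echo requests to $1 and classify its IP ID generation from
  # the replies.  Sets randomipid=0 when the IDs look sequential (first and
  # last sample less than 50 apart), randomipid=1 when they look random or
  # when the host did not answer at all.
  local target=$1 samples first last delta
  echo -n "+ Testing random IPID ($target)... "
  samples=$($HPING -1 -c 5 "$target" 2>/dev/null \
    | grep id | sed -e 's/.*id=\(.*\) icmp.*/\1/g')
  # shellcheck disable=SC2086 -- unquoted on purpose: print the samples on one line
  echo $samples
  if [ -z "$samples" ]; then
    # No reply: nothing to compare, so the host is unusable for this test.
    # (The original substituted a literal "0\n2000" here, which echo never
    # expanded and which then broke the arithmetic below.)
    randomipid=1
    return
  fi
  first=$(printf '%s\n' "$samples" | head -n 1)
  last=$(printf '%s\n' "$samples" | tail -n 1)
  case "$first$last" in
    *[!0-9]*) randomipid=1; return ;;
  esac
  delta=$(( last - first ))
  # A per-packet counter moves only a few units across 5 probes; anything
  # wider is taken as random.  NOTE(review): a single wrap at 65535 would
  # also land here — accepted for a coarse check.
  if [ "$delta" -gt -50 ] && [ "$delta" -lt 50 ]; then
    randomipid=0
  else
    randomipid=1
  fi
}
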
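function tstest {
  # Check whether the reference host ($1) answers a SYN with the TCP
  # timestamp option.  nmapscan picks an open port first (and records it in
  # OORIG for hpingts).  Sets tcptstest=1 when a tcpts= value came back,
  # 0 otherwise — including when no open port was found, in which case
  # hping is not run at all rather than with an empty port argument.
  local target=$1
  echo -n "+ Testing TCP Timestamp ($target)... "
  nmapscan "$target" 1
  HOST=$(echo "$OPORT" | cut -d: -f1)
  PORT=$(echo "$OPORT" | cut -d: -f2)
  if [ -z "$PORT" ]; then
    echo "no open port"
    tcptstest=0
    return
  fi
  TS=$($HPING $HPINGTS "$PORT" "$HOST" 2>/dev/null \
    | awk -F= '/tcpts/ { print $2 }')
  echo "$TS"
  if [ -n "$TS" ]; then
    tcptstest=1
  else
    tcptstest=0
  fi
}
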
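function sameipid {
  # Take one ICMP IP ID sample from the reference host ($1) and one from the
  # candidate ($2).  sameip=1 when the two IDs are within 20 of each other
  # (the candidate appears to share the reference's IP ID counter), sameip=0
  # otherwise and also when either host did not answer.  IPID/IPID2 stay
  # global because the caller prints IPID2.
  local ref=$1 cand=$2 delta
  IPID=$($HPING -1 -c 1 "$ref" 2>/dev/null | grep id | sed -e 's/.*id=\(.*\) icmp.*/\1/g')
  IPID2=$($HPING -1 -c 1 "$cand" 2>/dev/null | grep id | sed -e 's/.*id=\(.*\) icmp.*/\1/g')
  # An empty reference sample must not be treated as 0: `$(( - 0 ))` is 0,
  # which put every unanswered pair "within range" in the original.
  if [ -z "$IPID" ] || [ -z "$IPID2" ]; then
    sameip=0
    return
  fi
  case "$IPID$IPID2" in
    *[!0-9]*) sameip=0; return ;;
  esac
  delta=$(( IPID - IPID2 ))
  if [ "$delta" -gt -20 ] && [ "$delta" -lt 20 ]; then
    sameip=1
  else
    sameip=0
  fi
}
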
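function nmapscan {
  # TCP connect scan of $1.  Sets OPORT to "<ip>:<port>" for an open port
  # taken from nmap's grepable "Host:" line (the greedy `.*` lands on the
  # last open port listed), or to the empty string when nothing is open —
  # sed -n/p prints only on a successful match instead of leaking the raw
  # line.  With a non-empty $2 the result is also stored in OORIG, the
  # reference that hpingts compares against.  The global IP is no longer
  # overwritten here (the original set IP=$1 for every host it scanned).
  local target=$1 keep_ref=$2
  OPORT=$($NMAP "$target" $NMAPSCAN \
    | awk -F: '/Host/ { print $2,$3}' \
    | sed -n -e 's/ \(.*\) (.*Ports.* \([0-9]*\)\/open.*/\1:\2/p')
  if [ -n "$keep_ref" ]; then OORIG=$OPORT; fi
}
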
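function hpingts {
  # Probe the reference (OORIG = "<ip>:<port>", recorded by nmapscan ... 1)
  # and the candidate (OPORT) back to back with one timestamped SYN each and
  # compare the tcpts values.  sameip=1 when they are within 2000 ticks of
  # each other, sameip=0 otherwise.  The reference is re-probed on every
  # call on purpose: its clock keeps ticking, so both samples have to be
  # taken close together.
  local delta
  HOST=$(echo "$OORIG" | cut -d: -f1)
  PORT=$(echo "$OORIG" | cut -d: -f2)
  HOST2=$(echo "$OPORT" | cut -d: -f1)
  PORT2=$(echo "$OPORT" | cut -d: -f2)
  # A candidate without an open port (nmapscan found nothing) cannot be
  # probed, so it is simply not a match.
  if [ -z "$PORT2" ]; then
    sameip=0
    return
  fi
  TS=$($HPING $HPINGTS "$PORT" "$HOST" 2>/dev/null \
    | awk -F= '/tcpts/ { print $2 }')
  TS2=$($HPING $HPINGTS "$PORT2" "$HOST2" 2>/dev/null \
    | awk -F= '/tcpts/ { print $2 }')
  # A missing sample must not default to 0: `$(( - 0 ))` evaluates to 0, so
  # two lost replies counted as "same clock" in the original.
  if [ -z "$TS" ] || [ -z "$TS2" ]; then
    sameip=0
    return
  fi
  case "$TS$TS2" in
    *[!0-9]*) sameip=0; return ;;
  esac
  delta=$(( TS - TS2 ))
  # NOTE(review): 2000 ticks is the original tolerance; the wall time it
  # represents depends on the peer's timestamp clock rate — not verified.
  if [ "$delta" -gt -2000 ] && [ "$delta" -lt 2000 ]; then
    sameip=1
  else
    sameip=0
  fi
}
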
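# ---- main -------------------------------------------------------------------
# Run the modes that were requested.  A negative result in one mode only
# skips that mode; the original exited there, so "-i -t" never reached the
# timestamp test when the IP ID turned out to be random.
if [[ "$*" == *-o* ]]; then fprint; fi

if [[ "$*" == *-i* ]]; then
  rpid "$IP"
  if [ "$randomipid" = 0 ]; then
    echo "- Good! No random IPID"
    echo "-+ Testing IPID of alive hosts"
    for S in $UP; do
      # The reference trivially matches itself; fprint already leaves it out.
      [ "$S" = "$IP" ] && continue
      sameipid "$IP" "$S"
      if [ "$sameip" = 1 ]; then
        echo "--+ $S YES! ($IPID2)"
        MYEQIPID="$MYEQIPID $S"
      fi
    done
  else
    echo "- Bad luck!. IP $IP have random IPID"
  fi
fi

if [[ "$*" == *-t* ]]; then
  tstest "$IP"
  if [ "$tcptstest" = 1 ]; then
    echo "- Good! TCP Timestamp enabled"
    echo "+ Scanning ports..."
    for S in $UP; do
      [ "$S" = "$IP" ] && continue
      # nmapscan fills OPORT for the candidate; hpingts compares it with OORIG.
      nmapscan "$S"
      hpingts
      if [ "$sameip" = 1 ]; then
        echo "--+ $S YES!"
        MYEQTS="$MYEQTS $S"
      fi
    done
  else
    echo "- Bad luck!. IP $IP dont have tcp timestamp"
  fi
fi
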