>> How To Create A Powerful Exploit Tree (For Personal Use) <<
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
by t3ctrix
Email: t3ctrix[at]gmail[dot]com
Note From Author:
-----------------
This tutorial is released under the GNU General Public License. A copy of this license can be found at http://www.fsf.org/licenses/gpl.html. Unofficial translations can also be found at http://www.fsf.org/l...anslations.html.
In this guide I'll show how to create and update a powerful exploit tree for personal use on a Linux box. I'll provide the necessary code and references, and give details on how to set up an exploit database using various web resources. I'll use the following websites, directly or indirectly, for code, programs and the exploit databases.
1. http://www.remote-exploit.org/ [For backtrack + milw0rm and securityfocus exploits update script]
2. hackingdefined.com [For exploits CVS]
3. packetstormsecurity.org [For exploits database]
4. http://anyside.org/ [For exploits database]
5. http://secwatch.org/ [For exploits database]
6. http://www.brandonhutchinson.com/ [For packetstormsecurity exploits update script]
7. http://www.securityforest.com/ [For exploits database and securityforest exploits update script]
8. http://www.gnu.org/software/wget/ [For Wget]
Let the game begin...
**********
* PART 1 *
**********
Setting up Milw0rm and Securityfocus exploits database
------------------------------------------------------
Backtrack ships with Milw0rm and Securityfocus exploit archive update scripts that use CVS from hackingdefined.com (which seems to be no longer maintained). I'll use the same for the first part of this guide.
.:Code listing:.
1. Setting Up
-------------
# cd /
# mkdir -p pentest/exploits
# cd /pentest/exploits
# mkdir milw0rm secfocus anyside secwatch bin forest
2. Milw0rm.com
---------------
a. Create a file "makeindex-milw0rm" and paste the following script
#!/bin/bash
# Build sploitlist.txt: one line per exploit file holding its path followed by
# the first line of the file (normally the exploit's title), so the whole
# archive can be searched with grep.
rm -f sploitlist.txt
find . -xtype f ! -name allfiles.txt ! -name 'makeindex-*' > allfiles.txt
# read line by line so paths containing spaces are not split into words
while read -r file; do
  echo "$file" $(head -n 1 "$file" | cut -d" " -f2-30) | grep -v CVS >> sploitlist.txt
done < allfiles.txt
b. Save the file under /pentest/exploits/milw0rm directory.
c. Save a copy inside /pentest/exploits/bin directory.
d. Create a file "update-milw0rm" and paste the following script.
#!/bin/bash
echo "Milw0rm Exploit CVS Update script"
CVSROOT=:pserver:anonymous@www.hackingdefined.com:/root;export CVSROOT
echo "Logging in - Press Enter when prompted"
cvs login
echo "Updating Exploits"
# cvs update assumes the module has already been checked out once
cvs update milw0rm
echo "Generating Local Database, please Wait"
cp bin/makeindex-milw0rm milw0rm/
cd milw0rm
./makeindex-milw0rm
Save it under /pentest/exploits directory
e. Assign proper permissions to all the files we've just created
# chmod +x /pentest/exploits/milw0rm/makeindex-milw0rm
# chmod +x /pentest/exploits/update-milw0rm
# chmod +x /pentest/exploits/bin/makeindex-milw0rm
3. Securityfocus.com
---------------------
a. Create a file "makeindex-secfocus" with the following script
#!/bin/bash
# Build sploitlist.txt: one line per Securityfocus directory (named after the
# BID) holding the directory name followed by the contents of its bid*.txt
# description file.
rm -f sploitlist.txt
curdir=$(pwd)
# top-level directories only, each listed once, CVS bookkeeping excluded
find . -mindepth 1 -type d | cut -d"/" -f2 | grep -v '^CVS$' | sort -u > dirlisttmp.txt
while read -r dir; do
  cd "$curdir/$dir" || continue
  echo "$dir" $(cat bid*.txt 2>/dev/null) >> ../sploitlist.txt
  cd "$curdir"
done < dirlisttmp.txt
rm -f dirlisttmp.txt
b. Save the file under /pentest/exploits/secfocus directory.
c. Save a copy inside /pentest/exploits/bin directory.
d. Create a file "update-secfocus" and paste the following script.
#!/bin/bash
echo "Securityfocus Exploit CVS Update script"
CVSROOT=:pserver:anonymous@www.hackingdefined.com:/root;export CVSROOT
echo "Logging in - Press Enter when prompted"
cvs login
echo "Updating Exploits"
# cvs update assumes the module has already been checked out once
cvs update secfocus
cp bin/makeindex-secfocus secfocus/
echo "Generating Local Database, please Wait"
cd secfocus
./makeindex-secfocus
Save it under /pentest/exploits directory
e. Assign proper permissions
# chmod +x /pentest/exploits/secfocus/makeindex-secfocus
# chmod +x /pentest/exploits/update-secfocus
# chmod +x /pentest/exploits/bin/makeindex-secfocus
4. PacketStormSecurity.org
---------------------------
1. Create a "packetstorm" directory inside /pentest/exploits
# cd
# mkdir /pentest/exploits/packetstorm
2. Create a file "downloadpacket.sh" with the following script
#!/bin/sh
# Destination directory
EXPLOITS_DIR=/pentest/exploits/packetstorm
# First year for which annual compilations are not available
STARTING_YEAR=2006
CURRENT_YEAR=`date +%Y`
# Create the exploits destination directory if it does not exist
[ ! -d $EXPLOITS_DIR ] && mkdir $EXPLOITS_DIR
cd $EXPLOITS_DIR
# Retrieve annual exploit bundles; skip them if already downloaded
#for YEAR in 1999 2000 2001 2002
#do
# TWO_DIGIT_YEAR=`echo $YEAR | cut -c3-4`
# [ -f ${YEAR}-exploits.tgz ] && continue
# echo -e "Retrieving $YEAR annual exploit bundle...\n"
# wget http://packetstormsecurity.org/${TWO_DIGIT_YEAR}12-exploits/${YEAR}-exploits.tgz
#done
# Retrieve monthly exploit bundles; skip them if already downloaded
while [ "$STARTING_YEAR" -le "$CURRENT_YEAR" ]
do
# Download the full year's worth of monthly exploit bundles
YEAR=`echo $STARTING_YEAR | cut -c3-4`
for MONTH in Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
do
FULL_MONTH=`date -d 1${MONTH} +%B`
NUMERIC_MONTH=`date -d 1${MONTH} +%m`
[ -f ${YEAR}${NUMERIC_MONTH}-exploits.tgz ] && continue
echo -e "Retrieving ${FULL_MONTH} 20${YEAR} exploit bundle...\n"
wget http://packetstormsecurity.org/${YEAR}${NUMERIC_MONTH}-exploits/${YEAR}${NUMERIC_MONTH}-exploits.tgz
done
STARTING_YEAR=`expr $STARTING_YEAR + 1`
done
3. Assign appropriate permissions
# cd
# chmod +x /pentest/exploits/downloadpacket.sh
5. SecurityForest.com
----------------------
1. Create a file "ExploitTree.pl" with the following script
#!/usr/bin/perl
#
# Coded by Loni - loni@securityforest.com
# Updated: 12/02/2005
#
# Client Utility for the ExploitTree CVS Repository on SecurityForest.com
$ver = "v0.6";
$name = "ExploitTree.pl";
$winexe = "no"; #Only applicable when distributed as an exe with binary unix utilities
if ($winexe eq "yes") {
$name = "ExploitTree.exe";
$dir = $0; $dir =~ s/\\$name//;
$ENV{'PATH'} = "$dir\\bin;$ENV{'PATH'}";
}
if ($#ARGV < 0) { &usage(); }
$username = $ARGV[0];
sub usage {
print "ExploitTree $ver\nCoded by Loni - loni\@securityforest.com\nhttp:\/\/www.SecurityForest.com\n\n";
print "Normal Usage:\n";
print " - Run this tool from the directory that already or will contain\n";
print " the directory ExploitTree.\n";
print " - To download the repository run \"$name anonymous\" (blank password).\n\n";
print "ExploitTree Administrators and Contributors Usage:\n";
print " - To log in to the repository run \"$name <your_nick>\", enter your\n";
print " password when prompted.\n";
print " - When updating the repository, close the default editor\n";
print " and then c\<enter\> to continue when prompted.\n";
print " eg. vi: type \:q\<enter\>\n";
print " eg. nano: type \<ctrl\>x\n";
print " eg. notepad: type \<alt\>f,x\n\n";
exit(1);
}
$server = "cvs.securityforest.com"; $rep = "\/home/security/cvsroot";
$loggedin = 0;
$refreshbranches = 1;
&master();
sub master {
if ($username eq "anonymous") {
print "\nExploitTree Client Utility Manager $ver\n----------------------------------------\n\n";
print "1\) Initialize (first time download)\n";
print "2\) Update Repository\n";
print "3\) Print Exploit Statistics\n";
print "q\) Quit\n\n> ";
chomp($choice = <STDIN>);
# menu choices are read as strings, so compare them with eq
if ($choice eq "1") { &login($username); &initial_download(); }
elsif ($choice eq "2") { &version(); &login($username); &update_local(); }
elsif ($choice eq "3") { &version(); &stats(); print "\nHit Enter to continue>"; <STDIN>; &master(); }
elsif ($choice eq "q") { print "Quitting...\n"; exit(1); }
} else {
print "\nExploitTree Client Utility Admin Manager $ver\n----------------------------------------\n\n";
print "1\) Initialize (first time download)\n";
print "2\) Update Local Copy\n";
print "3\) Update Repository - Upload files from one local branch\n";
print "4\) Update Repository - Add & upload ALL new branches from\n";
print " local copy\n";
print "5\) Update Repository - Add & upload ALL new branches\/files from\n";
print " local copy *recursively* (ie. slow)\n";
print "6\) Print Exploit Statistics\n";
print "+---------------------------------------\nq\) Quit\n\n> ";
chomp($choice = <STDIN>);
if ($choice eq "1") { &login($username); &initial_download();}
elsif ($choice eq "2") { &version(); &login($username); &update_local(); &master();}
elsif ($choice eq "3") { &version(); &login($username); &branches(); &update_repos_one(); &master();}
elsif ($choice eq "4") { &version(); &login($username); &new_branches(); &branches(); &update_repos_one();
&commit(); &master();}
elsif ($choice eq "5") { &version(); &login($username); &new_branches(); &branches(); &update_repos_all();
&commit(); &master();}
elsif ($choice eq "6") { &version(); &stats(); print "\nHit Enter to continue>"; <STDIN>; &master(); }
elsif ($choice eq "q") { print "Quitting...\n"; exit(1); }
}
}
sub version {
@latest_ver = &readfile("ExploitTree\/_Ver");
chomp($latest_ver[0]); chop($latest_ver[0]);
if ($latest_ver[0] ne $ver) {
print "Please use $name $latest_ver[0] - Available at SecurityForest.com\n";
print "http:\/\/www.securityforest.com\/downloads\/ExploitTree-pl.tar.gz or ExploitTree-Win32.zip";
exit(1);
}
}
sub branches {
if ($refreshbranches == 1) {
undef(@branches);
system("cd ExploitTree && ls -R * |grep : |grep -v CVS > ../branches.txt && cd ..");
@branches_tmp = &readfile("branches.txt");
foreach $branch_tmp (@branches_tmp) {
chomp($branch_tmp);
if ($winexe eq "yes") { $branch_tmp=~s/=://; } else { $branch_tmp=~s/://; }
push(@branches,$branch_tmp);
}
$refreshbranches = 0; # branch list is now current; new_branches() sets this back to 1
}
}
sub new_branches {
$refreshbranches = 1;
undef(@branches2);
system("cd ExploitTree && ls -R * > ../branches2.txt && cd ..");
@branches_tmp2 = &readfile("branches2.txt");
$bdots=0;
$branch_has_SF="no";
foreach $branch_tmp2 (@branches_tmp2) {
chomp($branch_tmp2);
if ($branch_tmp2=~/:/) { if ($bdots == 0) { $branch_tmp3 = $branch_tmp2; } $bdots++; }
if ($branch_tmp2=~/_SecurityForest/) { $branch_has_SF="yes"; }
if ($bdots == 1 && $branch_has_SF eq "yes" ) { $bdots=0; $branch_has_SF="no"; }
else {
if ($bdots == 2) { if ($branch_tmp3!~/CVS/) {
if ($winexe eq "yes") { $branch_tmp3=~s/=://; } else { $branch_tmp3=~s/://; }
push(@branches2,$branch_tmp3);
}
$branch_tmp3 = $branch_tmp2; $bdots=1;
}
}
}
$branch_num2 = 0;
for $branch_num2 (0..$#branches2) { &addbranch($branch_num2); }
}
sub readfile { # read in a file's contents
undef @readfile_contents;
my ($readfile) = @_;
open READFILE, $readfile or die "Cannot open $readfile for read :$!\n";
while (<READFILE>) { push (@readfile_contents, $_); }
close READFILE;
return(@readfile_contents);
}
sub login {
my ($username) = @_;
if ($username eq "anonymous") { print "Password is blank (press enter), then wait...\n\n"; }
$cvsconnect = "cvs -d:pserver:$username\@$server:$rep";
if ($loggedin == 0) { system("$cvsconnect login"); $loggedin = 1; }
}
sub initial_download { system("$cvsconnect -z5 co ExploitTree"); }
sub update_local { system("cd ExploitTree && $cvsconnect update -dP && cd .."); }
# -d (build directories if new directories have been added to the repository since your
# checkout or last update) and -P (leave empty directories out of your working copy)
sub update_repos_one() {
$branch_num = "0";
print "\nChoose a branch to update\n-----------------------------\n";
foreach $branch (@branches) { print "$branch_num\) $branch\n"; $branch_num++; }
print "\nbranch> ";
chomp($branch_choice = <STDIN>);
&update($branch_choice);
}
sub update_repos_all {
$branch_num = 0;
for $branch_num (0..$#branches) { &update($branch_num); }
}
sub update {
my ($branch_num) = @_;
print "Updating $branches[$branch_num]\n";
system("cd ExploitTree && $cvsconnect add $branches[$branch_num]\/*.* && cd ..");
system("cd ExploitTree && $cvsconnect commit $branches[$branch_num] && cd ..");
}
sub addbranch {
my ($branch_num) = @_; # use the index passed in, not the caller's loop variable
print "Adding $branches2[$branch_num]\n";
system("cd ExploitTree && $cvsconnect add $branches2[$branch_num] && cd ..");
system("cd ExploitTree && cp _SecurityForest $branches2[$branch_num] && cd ..");
system("cd ExploitTree && $cvsconnect add $branches2[$branch_num]\/_SecurityForest && cd ..");
}
sub commit { system("cd ExploitTree && $cvsconnect commit && cd .."); }
sub stats {
print "Please wait while calculating...";
system("ls -R ExploitTree | grep -v \":\\|CVS\\|Entries\\|Entries.Log\\|Repository\\|Root\\|_SecurityForest\" | grep . | grep -e [*.*] | wc -l > stats.txt");
@stats = &readfile("stats.txt");
print "\nTotal Exploits: $stats[0]\n";
}
#EOF
and save it under /pentest/exploits/forest directory
2. Assign appropriate permissions
# chmod +x /pentest/exploits/forest/ExploitTree.pl
6. Anyside.org
---------------
For this part of the tutorial I'll use Wget from http://www.gnu.org/software/wget/. You can also use your favorite website copier, but make sure it comes with an incremental/differential update feature.
1. Download the appropriate source file from http://www.gnu.org/software/wget/ and compile it (Don't ask me how!)
2. Create a directory "anyside" under /pentest/exploits/, followed by "Exploits" under /pentest/exploits/anyside, and write an appropriate update script.
# mkdir -p /pentest/exploits/anyside/Exploits
# cd /pentest/exploits/anyside/Exploits
# echo "wget http://www.anyside.org/exp/ -l 2 -r -c" > update.sh
# chmod +x update.sh
7. Secwatch.org
----------------
1. Create a directory "secwatch" under /pentest/exploits/, followed by "Exploits" under /pentest/exploits/secwatch, and write an appropriate update script (this one must point at secwatch.org, not at the anyside URL from the previous step).
# mkdir -p /pentest/exploits/secwatch/Exploits
# cd /pentest/exploits/secwatch/Exploits
# echo "wget http://secwatch.org/exploits/ -l 2 -r -c" > update.sh
# chmod +x update.sh
**********
* PART 2 *
**********
Updating Milw0rm exploits database
----------------------------------
# cd /pentest/exploits/
# ./update-milw0rm
Updating Securityfocus exploits database
----------------------------------------
# cd /pentest/exploits/
# ./update-secfocus
Updating PacketStormSecurity.org exploits database
--------------------------------------------------
# cd /pentest/exploits/
# ./downloadpacket.sh
Updating SecurityForest exploits database
-----------------------------------------
# cd /pentest/exploits/forest
# perl ./ExploitTree.pl anonymous
*Note: If you are updating your database for the first time, select 1; otherwise select 2.
Updating Anyside exploits database
----------------------------------
Do the following if you are updating the database for the first time:
# cd /pentest/exploits/anyside/Exploits
# wget http://www.anyside.org/exp/ -l 2 -r
Do the following to update your database:
# cd /pentest/exploits/anyside/Exploits
# ./update.sh
Updating Secwatch.org exploits database
---------------------------------------
Do the following if you are updating the database for the first time:
# cd /pentest/exploits/secwatch/Exploits
# wget http://secwatch.org/exploits/ -l 2 -r
Do the following to update your database:
# cd /pentest/exploits/secwatch/Exploits
# ./update.sh
**********
* PART 3 *
**********
Searching Through The Database
------------------------------
In this part of the tutorial, I'll show how to search through some of the databases for particular exploits (Cisco exploits, for instance).
1. Searching through Milw0rm exploits database
# cd /pentest/exploits/milw0rm
# grep Cisco sploitlist.txt
2. Searching through Securityfocus exploits database
# cd /pentest/exploits/secfocus
# grep Cisco sploitlist.txt
3. Searching through Anyside.org exploits database
# cd /pentest/exploits/anyside/www.anyside.org/exp
# grep Cisco exploits_list.db
4. Searching through Securityforest.com exploits database
# cd /pentest/exploits/forest/ExploitTree
# perl ./xsearch2-beta.pl
This spawns an interactive menu which can be used to search exploits by BID, exploit name, keyword, or exploit name/keyword. Select 3, for instance, if you want to search by keyword, then type "Cisco" followed by the return key. This will give a list of available Cisco exploits. Press 'q' to quit.
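Searching each tree separately gets tedious once all the sources are in place. The following is an added example, not from the original tutorial: a small shell helper that searches every index file built in Part 1 from one place, case-insensitively, and tags each hit with the database it came from. It assumes the index names used above (sploitlist.txt in the milw0rm and secfocus trees, exploits_list.db from the anyside mirror) and a root of /pentest/exploits; the demo tree it builds holds a few constructed index lines so the helper runs without the real archive.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: search every local index
# from one place instead of cd-ing into each tree.
# Assumed layout (from Part 1): ROOT/milw0rm/sploitlist.txt,
# ROOT/secfocus/sploitlist.txt and ROOT/anyside/www.anyside.org/exp/exploits_list.db.

# index_files ROOT -> every index file under ROOT, one path per line
index_files() {
    find "$1" -type f \( -name sploitlist.txt -o -name exploits_list.db \) 2>/dev/null
}

# sploit_search ROOT KEYWORD
# Case-insensitive search of all indexes; each hit is prefixed with the name of
# the database it came from (the first path component under ROOT).
sploit_search() {
    root=${1%/}; keyword=$2
    index_files "$root" | while read -r idx; do
        db=${idx#"$root"/}
        db=${db%%/*}
        grep -i -- "$keyword" "$idx" | sed "s|^|[$db] |"
    done
}

# sploit_count ROOT KEYWORD -> number of matching index lines
sploit_count() {
    sploit_search "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_tree -> path of a temporary tree holding a few CONSTRUCTED index
# lines (sample data, not real archive contents) so the helper runs offline.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/milw0rm" "$d/secfocus" "$d/anyside/www.anyside.org/exp"
    printf '%s\n' './platforms/hardware/example-1.c Cisco sample title' \
                  './platforms/linux/example-2.c Linux sample title' \
                  > "$d/milw0rm/sploitlist.txt"
    printf '%s\n' '10001 cisco sample advisory' > "$d/secfocus/sploitlist.txt"
    printf '%s\n' 'unrelated sample entry' > "$d/anyside/www.anyside.org/exp/exploits_list.db"
    printf '%s\n' "$d"
}

# Stand-alone use: ./sploit-search.sh Cisco [/pentest/exploits]
if [ -n "$1" ]; then
    sploit_search "${2:-/pentest/exploits}" "$1"
fi
```

Because the indexes are plain text, the same helper works for any source you add later as long as its index file name is added to index_files; the [database] prefix is what lets you tell a milw0rm hit from a secfocus one when both describe the same issue.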
Final Note: Use the following websites as references for more information on sploits:
----------------
a} http://www.governmen...rg/exploits.php
b} http://insecure.org/sploits.html
c} http://www.securiteam.com/exploits/
d} http://www.iss.net/s...its/default.htm
e} http://www.hoobie.ne...urity/exploits/
Happy Exploiting !!
>>EOF<<