k, bpscan is basically a scanner that currently scans for various cgi vulnerabilities, remotely exploitable daemons, and wingates. its just getting started, and in the future i hope to have learned a bit more about interfacing with the rpc daemon so i can implement statd scanning. another add-on planned for future versions is a udp named scanner. currently i havent seen most of these cgis, so im trusting various advisories for the exploit syntax, which shouldnt be too problematic, but if you have worked with these cgis at all any info would be a great help, or if you have a host in mind with the cgis installed that would be great.
isnt this the same as logiks asaka?
heh, no. couple of things. this is a scanner; logiks asaka focuses on one site and, as far as i know, only focuses on various cgi holes (many of which are covered in bpscan, but he does have some cool ones i dont). ive heard asaka hailed as the SATAN for mac; well, following that analogy, bpscan would be the mscan (by jsbach; this is a great, if used properly, scanner for linux) for mac. also, this scanner, as i mentioned before, looks for a couple (for now) of exploitable daemons (imap and qpop; in the future i hope to include named, statd, tftpd, BO, and sendmail) and wingates.
words to the wise(aka, if you are going to be cracking with bpscan, read this)
because wingates are not yet implemented, scanning could be hazardous to your health. scanning for cgis, daemons, and wingates should not amount to much trouble, but a log full of requests for known exploitable cgis coupled with a paranoid but adept admin could get you at least yelled at by him/your isp (maybe even kicked off, depending on your isp). a step up would be scanning for and attempting to exploit these cgis, which could get you in a bit more trouble depending on your success and what you do from there. if you wanna play it safe, scanning for imap, qpop, and wingates only shouldnt get you in any trouble at all (dont hold me to this though), but to exploit these daemons (imap and qpop) you gotta have a shell to run the code from, so whatever. k, if you read and understand all of this, the ball is in your court, you decide how much you wanna risk. again, i take no responsibility for your actions concerning this program (see disclaimer at the top, below the title). peace, and please, dont be a dumbfuck with this prgm. its not meant for (no)cluebie crackers with rm -rf / skill or mad index.html defacing skill. thats fuckn dumb. if you do crack, please dont fuck anything up on whoevers box it is. thats fuckn lame, immature, and unethical.
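an added example (not part of bpscan or this readme) of what the "paranoid but adept admin" side of the above looks like: a small script that reads web server access log lines in the common log format, picks out requests for the legacy cgis this readme names (phf, test-cgi, info2www), and groups them by client ip. a single client asking for several of them in a row is the scan signature an admin keys on; a 200 response on one of them means the script is actually present on the server and should be removed. the /cgi-bin/ location, the log format and the sample log lines are all constructed assumptions for the example.

```python
"""Spot legacy-CGI probing in an access log (added example, not bpscan code)."""
import re
from collections import defaultdict

# Legacy CGI names mentioned in the readme. Matching is on the script name
# only, so the /cgi-bin/ location is just an assumption in the sample data.
SUSPECT_CGIS = ("phf", "test-cgi", "info2www")

# Apache common log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1999:02:14:01 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [12/Mar/1999:02:14:03 -0500] "GET /cgi-bin/phf HTTP/1.0" 404 210
192.0.2.77 - - [12/Mar/1999:02:14:05 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
192.0.2.77 - - [12/Mar/1999:02:14:07 -0500] "GET /cgi-bin/info2www HTTP/1.0" 404 210
10.0.0.5 - - [12/Mar/1999:02:15:11 -0500] "GET /cgi-bin/search.cgi?q=mac HTTP/1.0" 200 3321
198.51.100.9 - - [12/Mar/1999:02:16:42 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cgi_name(path):
    """Return the script name if the request path targets a suspect CGI, else None."""
    # Drop the query string, then take the last path component.
    script = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return script if script in SUSPECT_CGIS else None


def find_cgi_probes(log_text, threshold=2):
    """Group suspect-CGI requests by client ip.

    Returns (hits, scanners): hits maps ip -> list of (cgi, status) in log
    order; scanners is the set of ips that asked for at least `threshold`
    distinct suspect CGIs, which is the pattern that reads as a scan.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the whole run
        name = cgi_name(rec["path"])
        if name:
            hits[rec["ip"]].append((name, int(rec["status"])))
    scanners = {ip for ip, h in hits.items() if len({n for n, _ in h}) >= threshold}
    return dict(hits), scanners


def present_cgis(hits):
    """Suspect CGIs that answered 200: they exist on this server and should go."""
    return {name for h in hits.values() for name, status in h if status == 200}


if __name__ == "__main__":
    hits, scanners = find_cgi_probes(SAMPLE_LOG)
    for ip in sorted(hits):
        tag = "SCAN" if ip in scanners else "hit "
        print(f"{tag} {ip}: {hits[ip]}")
    print("suspect cgis that actually exist here:", sorted(present_cgis(hits)))
```

usage: run it as-is against the constructed sample, or feed `find_cgi_probes` the contents of a real access log; the threshold of two distinct cgis per ip is a starting point, and the 404/200 split is what separates "someone is looking" from "we actually have this script installed".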
a couple last things(tips on usage, etc.)
• this scanner isnt going to be the fastest thing, especially if you run it with every option checked. the most pertinent cgi i would have to say is definitely phf. although its rare to get a hit with this ancient exploit, you can still find some out there. we just recently found and successfully exploited 3 or so, so phf aint dead yet. so, basically, pick your scan parameters wisely, or if you have a lot of time (leave it on over night) go for it all if you want (read above about risks involved ;P).
• for those of you that dont have (illegit) shells, scanning for imap and qpop is kinda pointless, for now at least. bpscan cant exploit these two daemons although work is being done to investigate a possible port of the overflow to bpscan.
• as far as scan range goes, thats up to you and your time constraints.
• the info2www cgi is exploited by mailing the passwd file to a given address. therefore, if this option is selected and the program is set to exploit the vulns, you will need to provide a mail address. i am pretty sure i can just change the syntax to a standard /bin/cat%20/etc/passwd, but as i have never been able to experiment with this cgi i am not sure. all other cgis that are exploited will yield a passwd file. this will be logged to the same dir as the scan app and placed in a file called '<ip> pw'. wait, excuse me, another unique cgi is test-cgi, which yields directory contents and server info. this will be logged to '<ip> info'.
• while we are on logs, the session(any holes found) will be logged to a file and any subsequent scans will be appended to that file if it exists otherwise a new one will be created.
• this scanner works best at times of low network activity and remote server loads. basically, run it at night while the world (or your hemisphere at least) sleeps. this is because i have allowed 2 seconds for a request response, and if there is a lot of network traffic or the server being scanned is bogged down with requests then the target may take more than 2 seconds to respond to your request. but, after 2 seconds, connections are dropped and the scanner moves on to the next ip. so, basically, if you are on a dialup and you want the absolute best results, let the scanner run while you are afk and preferably at night (like 12am-5am etc.).
• flames/rants/threats(hope not) to /dev/null(this goes for all my other prgms too). i didnt ask you to think this was a cool prgm, like it, or even use it and i dont run around inflating my ego/reputation and proclaiming my leetness. if you dont like it, dont bother tracking me down and telling me so, just trash it and forget about it. if you do like it or have suggestions on it id appreciate a comment or two to: nail3d@badmoon(hotline); nail3d@efnet(#shellz, #shells, #adept); nailed@geocities.com(email; might be dead soon though, or changed).
• shit, thats a long list of a couple last things. later, i hope you read some of this.
version history
v1.0:
• made it look nicer
• added log feature to sessions stopped by the user
• fixed a problem that logged older sessions if the program was not restarted
• fixed wingate scanner to include StarTech gates
v1.0b3:
• implemented version checking
• fixed logic error for checking ip ranges(#2; dont you just hate logic ;P)
• added an info section to show scan progress
v1.0b2:
• fixed logic error for checking ip ranges
• fixed problem with stopping scans
• modified the readme
• first beta made available to badmoon admins (burger king)