Metabrik Core And Repository 1.10 Released

Following our lightning talk at the Hack.lu 2015 conference, we are proud to release version 1.10 of Metabrik Core and Repository. Update using Mercurial or follow the installation procedure.

You can find the few slides which were presented at the following link.

Lots of new awesome Briks

We added many Briks for this new release; here is a short description of each:

  • api::bluecoat: play with Bluecoat REST API
  • api::splunk: play with the Splunk REST API
  • api::virustotal: play with Virustotal REST API
  • client::udp: a UDP socket client (UDP netcat)
  • client::ssl: check various properties of an SSL/TLS connection
  • client::rest: the base REST client for use with Briks from API Category
  • client::rsync: a wrapper around rsync program
  • client::twitter: a Twitter client
  • database::mysql: interact with MySQL databases
  • file::dump: read and write dump files
  • file::hash: generate various digests from files
  • file::ole: play with Microsoft files that embed OLE components
  • lookup::iplocation: geolocation for IP addresses
  • string::ascii: convert ASCII characters
  • string::csv: encode/decode CSV strings
  • string::hostname: parse a FQDN
  • string::regex: experiment with regexes
  • system::freebsd::pf: control Packet Filter
  • system::freebsd::jail: control jails

Just type help <Brik> to learn more:

Meta:~> use string::regex 
[*] core::shell: use: Brik [string::regex] success
Meta:~> help string::regex 
[+] run string::regex encode <$regex|$regex_list>

Complete list of changes

Core

1.10 Tue Oct 27 20:13:36 CET 2015
   - FEATURE: core::context: allows passing complex struct Arguments to run and set Commands
     Example: run network::arp scan $info->{subnet}
   - FEATURE: core::context: also allows executing Perl code within an Argument of a
     run Command
     Example: run client::dns ptr_lookup "[ map { @$_ } values %$RUN ]"
   - FEATURE: core::shell: allows completing aliases (can be disabled via the
     aliases_completion Attribute)
   - FEATURE: shell::command: use_sudo Attribute to launch sudo when executing an external command
   - FEATURE: shell::command: file globbing enabled with capture Command
   - UPDATE: moved attributes_default() from brik_use_properties to brik_properties when
     there is no need to use $self. It allows instantiated Attribute inheritance to work.
   - UPDATE: shell::command: do not print STDERR when using capture Command when there is no
     STDERR string captured.
   - new: shell::command: execute Command uses the capture_mode Attribute to launch either
     the capture or the system Command
   - bugfix: core::context: save_state to use Metabrik brik_attributes Command to correctly
     retrieve all Brik Attributes even those inherited
   - bugfix: core::shell: display error on chdir() failure
   - bugfix: core::shell: escapes " character when executing a multiline Perl/Metabrik Code
             example:
             my $test = 'root'
             for (0..1) {
                'run shell::command system "ls /$test"'
             }
   - bugfix: Metabrik: error checking within new_from_brik_init Command
   - bugfix: Metabrik: logging correctly on class calls to _log_*()

Repository

- bugfixes and new Briks

20151011
   AFFECT: network::arp

   - network::arp scan Command now returns a hashref with results sorted
     with keys named by_mac, by_ipv4 and by_ipv6

20151003
   AFFECT: network::rsync

   - network::rsync renamed to client::rsync

20150418
   AFFECT: crypto::x509

   - Argument order changed for ca_sign_csr and cert_verify Commands

20150322
   AFFECT: file::csv

   - removed get_col_by_name and get_col_by_number obsolete Commands

Metabrik Core And Repository 1.08 Released

A new version of Metabrik Core and Repository is available. Update using Mercurial or follow the installation procedure.

Changes

Core

1.08 Thu Mar 19 06:48:34 CET 2015
 - FEATURE: core::shell: run executable commands found in PATH through system Command
 - UPDATE: shell::command: now use IPC::Run3 to capture shell commands output
 - update: shell::command: system Command now returns $? on success
 - update: Metabrik: display every missing item from brik_require_*_check() before erroring
 - update: new dependency on IPC::Run3

1.07 Sun Mar 8 17:52:37 CET 2015
 - bugfix: shell::history: correctly writes $* variables when calling history Commands
 - new: shell::rc: create an alias to make it easy to switch to root from Shell
 - new: brik::search and perl::module Briks integrated in main distribution
 - remove: no more metabrik-cpanm, enforce use of standard cpanm

Repository

- bugfixes and new Briks

20150316
 AFFECT: http::proxy, iana::countrycode, network::arpdiscover

 - http::proxy Brik renamed to proxy::http
 - iana::countrycode Brik renamed lookup::countrycode
 - network::arpdiscover removed: merged with network::arp

20150311
 AFFECT: client::www

 - post Command returns a HASHREF instead of a WWW::Mechanize object

20150309
 AFFECT: network::portscan

 - synscan Command renamed to tcp_syn

Metabrik Core And Repository 1.06 Released

A new version of Metabrik Core and Repository is available. Update using Mercurial or follow the installation procedure.

Changes

Core

1.06 Fri Feb 27 07:17:59 CET 2015
 - bugfix: shell::command: go through PATH to find a cmd to run (like less PAGER)
 - bugfix: core::shell: on SIGINT handling, now allows breaking multiline and run Commands
 - bugfix: core::shell: allow user to get out of multiline mode by hitting Ctrl+C
 - bugfix: core::shell: better management of Metabrik Commands in multiline mode
 => you can put Metabrik Commands within single quotes anywhere
 - update: shell::script: load Command can take an optional file parameter
 - update: metabrik, shell::rc/script, core::shell: easier handling of rc file loading
 - new: metabrik: --script-rc argument to load a specific rc file for scripts

Repository

- bugfixes and new Briks
- see UPDATING file for changes since your last update

One Packet OS Fingerprinting And API Access Unveiled

The latest version of SinFP3 (v1.20, as of this writing) introduces two new cool features. The first is the ability to perform a SYN scan and OS fingerprinting at the same time: the idea is to use the SYN|ACK answers to the SYN scanning process to accurately identify the nature of the remote operating system. The second is a server mode allowing third-party applications to access the SinFP3 fingerprinting engine. We also created a new output plugin that displays results in a simpler manner than previous versions of SinFP3.

One packet OS fingerprinting

If you haven’t installed SinFP3 yet, you can follow these guides:

Then, try to identify your target’s classic TOP10 open ports as follows. -synscan-fingerprint is the new argument that enables the feature, and the new default output plugin is the simple one:

# sinfp3.pl -synscan-fingerprint -target openbsd.org -port top10 -best-score
[+] [J:0] Loaded Input:  Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Simple
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 flags: 0x12
[+] [J:2] Starting of job with Next [199.185.137.3]:80 flags: 0x12
[199.185.137.3  ]:80     reverse: unknown  [ 94%: OpenBSD 4.x]
[199.185.137.3  ]:80     reverse: unknown  [ 94%: OpenBSD 3.x]
[199.185.137.3  ]:25     reverse: unknown  [100%: OpenBSD 4.x]
[199.185.137.3  ]:25     reverse: unknown  [100%: OpenBSD 3.x]

You can see that two open ports have been found, and the detected operating system (on a per-open-port basis) appears to be OpenBSD 3.x or 4.x.

You can still get the more verbose output by launching the fingerprinting process in full mode (2 packets for Internet fingerprinting, with the -active-2 parameter) and displaying results with the console output plugin, using the -output-console parameter:

# sinfp3.pl -active-2 -target openbsd.org -port top10 -best-score -output-console 
[+] [J:0] Loaded Input:  Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Console
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 hostname[openbsd.org] \ 
   reverse[unknown] mac[00:24:d4:ae:f4:3c]
[+] [J:2] Starting of job with Next [199.185.137.3]:80 hostname[openbsd.org] \ 
   reverse[unknown] mac[00:24:d4:ae:f4:3c]
Result for target [199.185.137.3]:80:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S3 L24
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.4
Result for target [199.185.137.3]:25:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S0 L24
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.4
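To make the S1/S2 signature lines above readable, here is an added example (not SinFP3's own code) that splits a signature line on its single-letter fields and decodes the O field as standard TCP options (RFC 793, RFC 2018, RFC 7323); the reading that the ff-filled values are masked by SinFP3 to keep signatures stable is an assumption, as is the "DEAD" TSecr echo check.

```python
# Decoder for the "O" (TCP options) field of a SinFP3 signature line such as
# "S2: B11113 F0x12 W16384 O0204ffff... M1460 S0 L24". Added example, not SinFP3 code.
# Assumption: the ff-filled option values (MSS value, TSval) are masked by SinFP3.

# Standard TCP option kinds.
KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TIMESTAMP"}


def parse_signature(line):
    """Split 'S1: B11113 F0x12 W16384 O... M1460 S0 L4' into a dict keyed by field letter."""
    label, _, rest = line.partition(":")
    fields = {token[0]: token[1:] for token in rest.split()}
    fields["label"] = label.strip()
    return fields


def decode_options(hexstr):
    """Return a list of (kind_name, payload_hex) tuples for the O field; reject malformed input."""
    raw = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind in (0, 1):                      # EOL and NOP carry no length byte
            out.append((KINDS[kind], ""))
            if kind == 0:
                break                           # EOL ends the option list
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed option at offset %d" % i)
        length = raw[i + 1]
        payload = raw[i + 2:i + length]
        if len(payload) != length - 2:
            raise ValueError("truncated option at offset %d" % i)
        out.append((KINDS.get(kind, "KIND%d" % kind), payload.hex()))
        i += length
    return out


def options_match_length(sig):
    """Check that the L field really is the byte length of the O field (true for the page's lines)."""
    return len(bytes.fromhex(sig["O"])) == int(sig["L"])
```

For the S2 line of the page, the decoder yields MSS, NOP, NOP, SACKOK, NOP, WSCALE, NOP, NOP, TIMESTAMP (24 bytes, matching L24), and the last four timestamp bytes 44454144 are ASCII "DEAD".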

SinFP3 API access with the SinFP3 network protocol

The second feature gives access to the SinFP3 engine through a server. The idea is to launch SinFP3 in daemon mode and have a client/server communication protocol to “ask” the fingerprinting engine to perform actions. This protocol is described in an RFC, available here.

You can implement this protocol in any language you want, which lets you drive the fingerprinting engine from whatever language you prefer. For now, a Perl implementation of the protocol exists: Net::Frame::Layer::SinFP3.

Here is how to launch the SinFP3 server:

% sinfp3.pl -input-server -output-client -passive -best-score
[+] [J:0] Loaded Input:  Net::SinFP3::Input::Server
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Passive
[+] [J:0] Loaded Search: Net::SinFP3::Search::Passive
[+] [J:0] Loaded Output: Net::SinFP3::Output::Client
[+] [J:0] Starting of Input [Net::SinFP3::Input::Server]

The server is now listening on localhost, port 32000/TCP. An example client application is available in the examples/ directory of the Net::SinFP3 distribution. For now, only the passive mode is implemented in the server. If there is some interest from the community, we will enhance it to give access to the active mode.

The example below crafts a client request embedding a raw TCP SYN packet (sent by the sinfp3-request-passive-netcat.pl script). It is sent to the SinFP3 server, which is configured in passive mode. The reply is then decoded by the sinfp3-decode-netcat.pl script and printed on standard output.

% perl examples/sinfp3-request-passive-netcat.pl | nc localhost 32000 | \ 
   perl examples/sinfp3-decode-netcat.pl
SinFP3: version:1  type:0x04  flags:0x0270
SinFP3: code:0x01  tlvCount:4  length:88
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:372e34 [7.4]
SinFP3::Tlv: type:0x26  length:3  value:372e78 [7.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:372e33 [7.3]
SinFP3::Tlv: type:0x26  length:3  value:372e78 [7.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:382e33 [8.3]
SinFP3::Tlv: type:0x26  length:3  value:382e78 [8.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:382e32 [8.2]
SinFP3::Tlv: type:0x26  length:3  value:382e78 [8.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
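The reply above is a sequence of TLVs. As an added example (not Net::Frame::Layer::SinFP3 or any script from the distribution), here is a decoder for that TLV part, driven by a constructed payload rebuilt from the four FreeBSD results shown. Assumed layout, inferred from the decode output (the 16 TLVs with 1-byte type, 1-byte length and their values sum to the displayed length:88): each TLV is one type byte, one length byte and `length` value bytes; the meaning of the type codes 0x24/0x25/0x26/0x29 is likewise inferred from the bracketed values, not taken from the RFC.

```python
# Added example: decode the TLV part of a SinFP3 reply as printed by sinfp3-decode-netcat.pl.
# Assumption: TLV = 1-byte type, 1-byte length, value bytes; type meanings inferred from the post.
TLV_NAMES = {0x24: "os", 0x25: "version", 0x26: "version_family", 0x29: "score"}


def tlv_record(os_name, version, family, score):
    """Build one result group (four TLVs) in the order the decode output shows them."""
    def tlv(t, v):
        return bytes([t, len(v)]) + v
    return (tlv(0x24, os_name.encode()) + tlv(0x25, version.encode())
            + tlv(0x26, family.encode()) + tlv(0x29, bytes([score])))


# Constructed sample payload reproducing the four FreeBSD results from the post (88 bytes).
SAMPLE = (tlv_record("FreeBSD", "7.4", "7.x", 100) + tlv_record("FreeBSD", "7.3", "7.x", 100)
          + tlv_record("FreeBSD", "8.3", "8.x", 100) + tlv_record("FreeBSD", "8.2", "8.x", 100))


def parse_tlvs(buf):
    """Return a list of (type, value_bytes); reject truncated input instead of guessing."""
    i, out = 0, []
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % i)
        t, n = buf[i], buf[i + 1]
        v = buf[i + 2:i + 2 + n]
        if len(v) != n:
            raise ValueError("TLV at offset %d claims %d bytes, %d present" % (i, n, len(v)))
        out.append((t, v))
        i += 2 + n
    return out


def group_results(tlvs):
    """Group TLVs into result dicts; a new result starts at each os (0x24) TLV."""
    results = []
    for t, v in tlvs:
        name = TLV_NAMES.get(t)
        if name is None:
            continue                            # unknown type: skip it, keep parsing
        if name == "os":
            results.append({})
        if not results:
            raise ValueError("TLV 0x%02x seen before any os TLV" % t)
        results[-1][name] = v[0] if name == "score" else v.decode("ascii")
    return results
```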

On the server, a new job has been processed:

[+] [J:1] Starting of job with Next [127.0.0.1]:37125

That’s all for today, folks. Feel free to follow @metabrik for updates, or subscribe to the SinFP mailing list:

Full list of changes for v1.20

1.20 Sun Nov 25 14:44:37 CET 2012
   - NEW: Input::Server: runs as a daemon to answer requests coming from
          clients. They must speak the SinFP3 protocol.
   - NEW: Output::Simple: now default mode instead of Output::Console
   - NEW: Input::SynScan: can be used to fingerprint target by just using the
          SYN|ACK response to our SYN (one packet fingerprinting \o/)
   - UPDATE: verbose mode 1 is now default. Many updates on log messages
             levels.
   - NEW: sinfp3.pl: -synscan-fingerprint argument
   - new: sinfp3.pl: -version prints Perl modules version
   - new: sinfp3.pl: -quiet to set verbose level 0
   - new: sinfp3.pl: -passive to set to Mode::Passive and Search::Passive
                     plugins
   - new: integration of p0f-3.06b passive signatures into sinfp3.db
   - update: Input::Sniff: must use Net::Frame::Dump 1.12 now
   - bugfix: on -dns-reverse, moved to Search modules, when generating Results
   - bugfix: Search::Passive: sets ip and port attributes for Results
   - bugfix: Global: when -port argument has an invalid format
   - bugfix: sinfp3.pl: usage help

SinFP3 Operating System Fingerprinting Tool Released

SinFP3 is now available (mass press coverage wanted 😉 ). You can download the latest version from CPAN:

Net-SinFP3

First, you have to install C libraries (either manually or using your system package manager):

  • libpcap (with devel headers)
  • libdnet (with devel headers)

Then, you will have to install some Perl modules available on CPAN. Type the following as root, or use your system’s package manager.

# cpan Class::Gomor
# cpan DBD::SQLite
# cpan Digest::MD5
# cpan Net::Frame
# cpan Net::Frame::Device
# cpan Net::Frame::Dump
# cpan Net::Frame::Layer::IPv6
# cpan Net::Frame::Simple
# cpan Net::Libdnet
# cpan Net::Netmask
# cpan Net::Write
# cpan Net::Write::Fast
# cpan Parallel::ForkManager

Then, if all goes well, install Net::SinFP3:

# tar zxvf Net-SinFP3-X.YZ.tar.gz
# cd Net-SinFP3-X.YZ
# perl Makefile.PL
# make
# make test
# make install

You can find some support at the following mailing list:

SinFP mailing list