OWASP O2 Platform Blog

O2 Script: Util – Util – Show Open Ports (via NetStat -afo).h2

Here are two scripts that show how to parse ‘kind of’ unstructured data into a table.

In the first example we grab the output from netstat -fa (the listing below actually calls it with -na), parse it to extract the port numbers and display them in a table. The second example uses netstat -fao, whose output also contains the process ID (which the script uses to find the process name).

For reference, the netstat switches used are:

  • a = Displays all connections and listening ports
  • f = Displays Fully Qualified Domain Names (FQDN) for foreign addresses.
  • o = Displays the owning process ID associated with each connection

1st version (netstat -fa)

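// Opens a 700x600 O2 window and shows every row reported by "netstat -na" in a table,
// with the local and foreign endpoints split into separate address and port columns.
// A local address of 0.0.0.0 or [::] is a listener bound to all interfaces.
var topPanel = O2Gui.open<Panel>("Util - Show Open Ports (via NetStat -na)",700,600);
//var topPanel = panel.clear().add_Panel();
var tableList = topPanel.add_TableList();

// Address part of an "address:port" column. The split is done on the LAST colon because
// IPv6 endpoints such as [fe80::1:2%4]:445 contain colons inside the address itself;
// splitting on the first single colon would report a piece of the address as the port.
Func<string,string> hostOf =
    (endpoint) => {
                    if (string.IsNullOrEmpty(endpoint))
                        return "";
                    var lastColon = endpoint.LastIndexOf(':');
                    return (lastColon < 0) ? endpoint : endpoint.Substring(0, lastColon);
                  };

// Port part of an "address:port" column (text after the last colon, "" when there is none).
Func<string,string> portOf =
    (endpoint) => {
                    if (string.IsNullOrEmpty(endpoint))
                        return "";
                    var lastColon = endpoint.LastIndexOf(':');
                    return (lastColon < 0) ? "" : endpoint.Substring(lastColon + 1);
                  };

// Runs netstat, parses its console output and (re)fills the table.
Action showNetStatOnTable =
    ()=>{
            var lines = "netstat.exe".startProcess_getConsoleOut("-na")
                                     .lines()
                                     .removeRange(0,2);     // drop the first two output lines (banner)
            var netstatData = (from line in lines
                               let fragments = line.split(" ").removeEmpty()
                               let localEndpoint = fragments.value(1)
                               let foreignEndpoint = fragments.value(2)
                               // keep only connection rows: header or blank lines have no
                               // address:port value in the second column
                               where localEndpoint != null && localEndpoint.IndexOf(':') >= 0
                               select new {
                                               @Type = fragments.value(0),
                                               Local_Address_IP = hostOf(localEndpoint),
                                               Local_Address_Port = portOf(localEndpoint),
                                               Foreign_Address_IP = hostOf(foreignEndpoint),
                                               Foreign_Address_Port = portOf(foreignEndpoint),
                                               State = fragments.value(3)
                                          });
            tableList.show(netstatData);
        };

// Adds a "Refresh" link above the table and clicks it once so the table is filled on start-up.
topPanel.insert_Above(40, "Actions")
        .add_Link("Refresh", ()=> showNetStatOnTable())
        .click();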

2nd version (netstat -fao)

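// Opens a 700x600 O2 window that shows the rows reported by "netstat -afo" (connections and
// listeners plus the owning process id), resolves each process id to a process name, and
// lets the user stop the process that owns the selected row.
var topPanel = O2Gui.open<Panel>("Util - Show Open Ports (via NetStat -afo)",700,600);
//var topPanel = panel.clear().add_Panel();

var tableList = topPanel.add_TableList();
tableList.title("Table showing parsed version of netstat command");
var selectedProcess = 0;        // process id read from the selected row (0 = nothing usable selected)

// Address part of an "address:port" column. The split is done on the LAST colon because
// IPv6 endpoints such as [fe80::1:2%4]:445 contain colons inside the address itself.
Func<string,string> hostOf =
    (endpoint) => {
                    if (string.IsNullOrEmpty(endpoint))
                        return "";
                    var lastColon = endpoint.LastIndexOf(':');
                    return (lastColon < 0) ? endpoint : endpoint.Substring(0, lastColon);
                  };

// Port part of an "address:port" column (text after the last colon, "" when there is none).
Func<string,string> portOf =
    (endpoint) => {
                    if (string.IsNullOrEmpty(endpoint))
                        return "";
                    var lastColon = endpoint.LastIndexOf(':');
                    return (lastColon < 0) ? "" : endpoint.Substring(lastColon + 1);
                  };

// Resolves the process id text from netstat to a process name. The lookup is best effort:
// the process may have exited since netstat ran, or may not be readable by this user,
// and one such row must not prevent the rest of the table from being shown.
Func<string,string> processNameOf =
    (processIdText) => {
                            try
                            {
                                var process = Processes.getProcess(processIdText.toInt());
                                return (process != null) ? process.ProcessName : "";
                            }
                            catch (Exception)
                            {
                                return "";
                            }
                       };

// Runs netstat, parses its console output and (re)fills the table.
Action showNetStatOnTable =
    ()=>{
            var lines = "netstat.exe".startProcess_getConsoleOut("-afo")
                                     .lines()
                                     .removeRange(0,2);     // drop the first two output lines (banner)
            var netstatData = (from line in lines
                               let fragments = line.split(" ").removeEmpty()
                               let localEndpoint = fragments.value(1)
                               let foreignEndpoint = fragments.value(2)
                               // keep only connection rows: header or blank lines have no
                               // address:port value in the second column
                               where localEndpoint != null && localEndpoint.IndexOf(':') >= 0
                               // UDP rows have no State column, so their process id is the
                               // 4th fragment instead of the 5th
                               let hasState = !string.IsNullOrEmpty(fragments.value(4))
                               let state = hasState ? fragments.value(3) : ""
                               let processId = hasState ? fragments.value(4) : fragments.value(3)
                               select new {
                                               @Type = fragments.value(0),
                                               Local_Address_IP = hostOf(localEndpoint),
                                               Local_Address_Port = portOf(localEndpoint),
                                               Foreign_Address_IP = hostOf(foreignEndpoint),
                                               Foreign_Address_Port = portOf(foreignEndpoint),
                                               State = state,
                                               Process_ID = processId,     // must stay the 7th column, see afterSelect_get_Cell(6, ...) below
                                               Process_Name = processNameOf(processId)
                                          });
            tableList.show(netstatData);
        };

// Stops the process whose id was read from the selected row, then refreshes the table.
Action stopSelectedProcess =
    ()=>{
            if (selectedProcess == 0)
            {
                "Cannot Stop process with ID 0".error();
                return;
            }
            // The id comes from the last refresh. Process ids can be reused once a process
            // exits, so the id may by now belong to a different process; the name and id of
            // the process actually found are logged before it is stopped.
            var process = Processes.getProcess(selectedProcess);
            if (process == null)
            {
                ("Could not find a process with id " + selectedProcess).error();
                return;
            }
            "Stopping process: {0} (id: {1})".info(process.ProcessName, process.Id);
            process.stop()
                   .WaitForExit();
            showNetStatOnTable();
        };

// "Refresh" and "Stop Selected Process" links above the table.
topPanel.insert_Above(40, "Actions")
        .add_Link("Refresh", ()=> showNetStatOnTable())
        .append_Link("Stop Selected Process", ()=> stopSelectedProcess()).leftAdd(100);

// The same stop action is also offered from the table's context menu.
tableList.add_ContextMenu()
         .add_MenuItem("Stop Selected Process", ()=> stopSelectedProcess());

// Remembers the process id of the selected row. Cell 6 is the Process_ID column given the
// column order above (presumably a zero-based index; confirm against the O2 API).
tableList.afterSelect_get_Cell(6,
            (value)=> {
                        selectedProcess = value.toInt();
                        "selectedProcess: {0}".info(selectedProcess);
                      });

showNetStatOnTable();
//return "netstat.exe".startProcess_getConsoleOut("-afo");
return "ok";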

This script is now part of O2’s Scripts as Util – Show Open Ports (via NetStat -afo).h2

November 26, 2011 Posted by | Network Security, Tools | Leave a comment

O2 script to Send Spoofed Emails (using direct SMTP connections)

Note: Use this script to test if email servers (namely yours) are able to detect spoofed emails (be careful since this can be VERY distressing for the receiving party).

These scripts are a variation of a PoC that I wrote a couple of months ago while delivering a training class. I wanted to show how SMTP worked and how easy it was to get a user to click on a link.

The Util – Send Spoofed email.h2 script (screenshot below) allows the easy sending of emails using user-provided TO, FROM, Subject and Body values.

So how does this work? Using a couple of powerful networking APIs from http://mailsystem.codeplex.com, it is possible to send emails using:

                // Excerpt from API_ActiveUp_SendEmail.sendEmail(); the full listing is further down the page.
                // The From header is built from caller-supplied values only; nothing in this code
                // ties it to the account or host that actually submits the message.
                _message.From = new Address(From_Email,From_Name);
                foreach(var item in To)           
                    _message.To.Add(new Address(item.Key,item.Value)); //syntax: (email, name)
       
                _message.Subject = Subject;
                // The disclosure footer is appended after the caller's body text and two line breaks.
                _message.BodyText.Text = Body.line().line() + Body_SpoofEmailAlertFooter;
                "about to send message".info();
                // Hands the message to the ActiveUp SmtpClient. Whether it is accepted, flagged or
                // rejected is decided by the receiving server's sender checks (e.g. SPF, DKIM, DMARC).
                // NOTE(review): DirectSend's delivery path is not shown on this page.
                SmtpClient.DirectSend(_message);

Basically the SmtpClient.DirectSend method sends a raw SMTP message to the specified server. SMTP is a clear-text protocol, just like HTTP.

Since we are able to define both TO and FROM addresses, the interesting question is: “can we define ANY email address in the TO field”? Unfortunately, in 2011, the answer is still YES: for most email servers this is still possible (so much for email authentication and verifiability).

I’ve tested this in a number of places and it worked perfectly (including gmail), so let me know if you find cases/servers where it doesn’t work (and the reasons why not) 

To help test this, I added an API to O2 that helps to send spoofed emails.

You can use it like this:

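// Sends one test message whose From address uses a domain that does not exist, to check
// how the receiving mail server treats a sender it cannot verify.
// (The HTML anchor markup that had leaked into the string literals is removed so the
// snippet compiles again.)
var spoofEmail = new API_ActiveUp_SendEmail();

spoofEmail.From_Email = "me@thisDomainDoesntExist.com";
spoofEmail.From_Name = "me (at no Domain)";
spoofEmail.To.add("myEmail@myDomain.net", "My Email");     // (email, display name)
spoofEmail.Subject = "Spoof test";
spoofEmail.Body = "If all worked OK, this email will look like it was sent from an thisDomainDoesnExist.com. Check out the from address :)";

// sendEmail() returns true when the message was handed off without an exception and false
// otherwise; it does not tell whether the receiving server flagged or quarantined the mail.
return  spoofEmail.sendEmail();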

or like this:

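// Same test as a single call: (fromEmail, fromName, toEmail, toName, subject, body).
// (The HTML anchor markup that had leaked into the string literals is removed so the
// snippet compiles again.)
var spoofEmail = new API_ActiveUp_SendEmail();
spoofEmail.sendEmail("me@thisDomainDoesnExist.com",
                    "me (at no Domain)" ,
                    "myEmail@myDomain.net",
                    "My Email" ,
                    "Spoof test",
                    "If all worked OK, this email will look like it was sent from an thisDomainDoesnExist.com. Check out the from address :)");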

Here is the Full Script of the API (note the import of the ActiveUp Smtp,Dns and Common dlls):

using System;
using System.Linq;
using System.Collections.Generic;
using System.Windows.Forms;
using System.Text;
using ActiveUp.Net.Mail;
using O2.Kernel.ExtensionMethods;
using O2.DotNetWrappers.ExtensionMethods;
//O2Ref:ActiveUp.Net.Smtp.dll
//O2Ref:ActiveUp.Net.Dns.dll
//O2Ref:ActiveUp.Net.Common.dll

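namespace O2.XRules.Database.APIs
{
    /// <summary>
    /// Builds an email from caller-supplied From/To/Subject/Body values and hands it to the
    /// ActiveUp <c>SmtpClient.DirectSend</c> method. The From values are not verified in any
    /// way, which is what makes the class usable for checking whether a mail server detects
    /// spoofed senders. A disclosure footer is appended to every message body.
    /// </summary>
    public class API_ActiveUp_SendEmail
    {
        /// <summary>Recipients: key is the email address, value is the display name.</summary>
        public Dictionary<string,string> To { get; set; }//syntax: (email, name)
        /// <summary>Display name placed in the From header.</summary>
        public string From_Name { get; set; }
        /// <summary>Email address placed in the From header.</summary>
        public string From_Email { get; set; }
        /// <summary>Subject line of the message.</summary>
        public string Subject { get; set; }
        /// <summary>Body text; the disclosure footer is appended to it when sending.</summary>
        public string Body { get; set; }
        /// <summary>Text appended to every body to tell the recipient the email is a spoofing test.</summary>
        public string Body_SpoofEmailAlertFooter { get; set; }
        /// <summary>The ActiveUp message object that is filled in and sent by <see cref="sendEmail()"/>.</summary>
        public ActiveUp.Net.Mail.Message _message { get; set; }

        /// <summary>
        /// Creates an instance with an empty recipient list, an empty message and the default
        /// disclosure footer.
        /// </summary>
        public API_ActiveUp_SendEmail()
        {
            To = new Dictionary<string,string>();
            _message = new ActiveUp.Net.Mail.Message();

            // Fixed here: the footer named the To field although the spoofed contact is the one
            // in the From field, and HTML anchor markup had leaked into the literal (which also
            // broke compilation).
            Body_SpoofEmailAlertFooter = "NOTE: this is a spoofed email, i.e. this was not sent by the contact shown in the From field.".line() +
                                         "      this email was sent using an O2 Platform (http://o2platform.com) script that is designed to show".line() +
                                         "      how easy it is to send spoofed emails ";
        }

        /// <summary>
        /// Fills <see cref="_message"/> from the properties of this instance and sends it.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the message was handed to <c>SmtpClient.DirectSend</c> without an
        /// exception; <c>false</c> when there are no recipients or an exception was thrown
        /// (the exception is logged, not rethrown).
        /// </returns>
        public bool sendEmail()
        {
            "In send email".info();
            try
            {
                // Without recipients there is nothing to deliver; report failure instead of
                // logging "message sent".
                if (To == null || To.Count == 0)
                {
                    "No recipients set, email not sent".error();
                    return false;
                }

                _message.From = new Address(From_Email,From_Name);

                // _message is reused between calls: start from an empty recipient list so that a
                // second send does not list every recipient twice.
                _message.To.Clear();
                foreach(var item in To)
                {
                    _message.To.Add(new Address(item.Key,item.Value)); //syntax: (email, name)
                }

                _message.Subject = Subject;
                // The disclosure footer always follows the caller's body text.
                _message.BodyText.Text = Body.line().line() + Body_SpoofEmailAlertFooter;
                "about to send message".info();
                SmtpClient.DirectSend(_message);
                "message sent".info();
                return true;
            }
            catch(Exception ex)
            {
                ex.log();
                return false;
            }
        }

        /// <summary>
        /// Sets the sender, adds one recipient, sets subject and body, then sends the message.
        /// </summary>
        /// <remarks>
        /// The recipient is added to <see cref="To"/>; recipients added earlier on the same
        /// instance stay in the list and receive this message as well.
        /// </remarks>
        /// <param name="fromEmail">Email address for the From header.</param>
        /// <param name="fromName">Display name for the From header.</param>
        /// <param name="toEmail">Recipient email address.</param>
        /// <param name="toName">Recipient display name.</param>
        /// <param name="subject">Subject line.</param>
        /// <param name="body">Body text (the disclosure footer is appended).</param>
        /// <returns>The result of <see cref="sendEmail()"/>.</returns>
        public bool sendEmail(string fromEmail, string fromName, string toEmail, string toName, string subject ,string body)
        {
            this.From_Email = fromEmail;
            this.From_Name = fromName;
            this.To.add(toEmail, toName);
            this.Subject = subject;
            this.Body = body;
            return  this.sendEmail();
        }
    }
}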

You can find the GUI and API script in C:\O2\O2Scripts_Database\_Scripts\APIs\ActiveUp_SMTP  folder.

 

August 9, 2011 Posted by | Network Security | Leave a comment