#!/usr/bin/perl
# usage: own-kyx.pl narc1.txt
#
# this TEAM #PHRACK script will extract the email addresses
# out of the narc*.txt files, enumerate the primary MX and NS
# for each domain, and grab the SSHD and APACHE server version
# from each of these hosts (if possible).
#
# For educational purposes only. Do not use.
#
# NOTE(review): the listing appears to have been flattened onto one line
# and the angle-bracket readline operands (`<INF>`, `<S>`) look like they
# were lost in extraction -- every `while(){` below reads as `while (1)`
# as written, i.e. an infinite loop. The line breaks here are restored;
# the tokens are unchanged. The script runs without `use strict` or
# `use warnings`, so `$nrq`, `$msearch`, `@targets`, `$victim`,
# `$smtphost`, `$nshost`, `$g` and `$res` are all package globals.

use IO::Socket;   # also brings inet_aton/PF_INET/SOCK_STREAM into scope

# Exactly one argument: the path of the text file to scan for addresses.
if ($#ARGV<0) {die "you didn't supply a filename\n";}

$nrq =$ARGV[0];
# Loose "something@something.something" matcher. Character classes exclude
# quotes, colons, whitespace, angle brackets, parens and slashes; note the
# middle `.` is unescaped, so it matches any character, not only a dot.
$msearch = '([^":\s<>()/;]*@[^":\s<>()/;\.]*.[^":\s<>()/;]*)';
# Two-arg open with a bareword handle: a filename beginning with `>`, `|`
# or `<` is interpreted as a mode/pipe, so the argument is not treated as
# a plain path. Three-arg `open my $fh, '<', $nrq` is the safe form.
open (INF, "$nrq") or die $!;
while(){
    # `$&` is the entire match, which here equals the single capture group.
    # With /g in scalar context only the first match per line is pushed.
    if (m,$msearch,ig){push(@targets, "$&");}
}
close INF;

# For each harvested address: split off the domain, resolve its primary MX
# and NS via the external `host` command, then probe both hosts.
foreach $victim (@targets) {
    print "=====\t$victim \t=====\n";
    my ($lusr, $domn) = split(/@/, $victim);
    # $domn comes straight from the scanned file and is interpolated into a
    # shell command line -- shell metacharacters in the file's content are
    # executed. List-form `open my $fh, '-|', 'host', '-tMX', $domn` would
    # avoid the shell entirely. `-f7` assumes the exact output layout of
    # `host`, which differs between implementations/versions.
    $smtphost = `host -tMX $domn |cut -d\" \" -f7 | head -1`;
    # Strip trailing CR/LF. The /e flag evaluates an empty replacement and
    # has no effect here.
    $smtphost =~ s/[\r\n]+$//ge;
    print ":: Primary MX located at $smtphost\n";
    sshcheq($smtphost);
    apachecheq($smtphost);
    # Same shell-interpolation concern as the MX lookup above.
    $nshost = `host -tNS $domn |cut -d\" \" -f4 | head -1`;
    $nshost =~ s/[\r\n]+$//ge;
    sleep(3);   # crude pacing between lookups
    print ":: Primary NS located at $nshost\n";
    sshcheq($nshost);
    apachecheq($nshost);
    print "\n\n";
    sleep(3);
}

# sshcheq($host)
#   Connects to TCP/22 on $host and prints any received line containing
#   "SSH". Returns 0 when the connect fails; otherwise the value of the
#   last statement (no explicit return). Dies if socket() itself fails,
#   which aborts the whole run rather than skipping one host.
sub sshcheq {
    (my $sshost) = @_;
    print ":: Testing $sshost for sshd version\n";
    # inet_aton returns undef when the name does not resolve; $g is then
    # packed as an empty address below and connect() fails, so the host is
    # silently skipped (with a warning only under `use warnings`).
    $g = inet_aton($sshost);
    my $prot = 22;
    # Bareword global handle S is reused by both subs and across calls; on
    # a failed connect it is never closed (it is replaced on the next socket()).
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "$!\n";
    # Hand-built sockaddr_in (family=2, port, 4-byte address, 8 bytes pad);
    # Socket::sockaddr_in($prot, $g) is the portable way to build this.
    if(connect(S,pack "SnA4x8",2,$prot,$g)) {
        my @in;
        select(S);
        $|=1;
        print "\n";   # goes to S because of the select() above
        # NOTE(review): readline operand lost in extraction (presumably <S>);
        # as written this is `while (1)` and never terminates.
        while(){ push @in, $_;}
        select(STDOUT);
        close(S);
        foreach $res (@in) {
            if ($res =~ /SSH/) {
                chomp $res;
                print ":: SSHD version - $res\n";
            }
        }
    } else {
        return 0;
    }
}

# apachecheq($host)
#   Connects to TCP/80 on $host, sends `HEAD / HTTP/1.0` and prints any
#   response line containing "ache" (intended to catch the Server: header).
#   Same return/die/handle behaviour as sshcheq above.
sub apachecheq {
    (my $whost) = @_;
    print ":: Testing $whost for Apache version\n";
    # Undef on resolution failure; see sshcheq.
    $g = inet_aton($whost);
    my $prot = 80;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "$!\n";
    if(connect(S,pack "SnA4x8",2,$prot,$g)) {
        my @in;
        select(S);
        $|=1;
        # Minimal HTTP/1.0 request; no Host header, so name-based virtual
        # hosts answer with their default site.
        print "HEAD / HTTP/1.0\r\n\r\n";
        # NOTE(review): readline operand lost in extraction (presumably <S>);
        # as written this is `while (1)` and never terminates.
        while(){ push @in, $_;}
        select(STDOUT);
        close(S);
        foreach $res (@in) {
            # /ache/ is a loose substring match; any line containing it
            # (not only `Server: Apache`) is printed.
            if ($res =~ /ache/) {
                chomp $res;
                print ":: HTTPD version - $res\n";
            }
        }
    } else {
        return 0;
    }
}