Port scanning using pbnj!

Recently I installed Kali Linux on VMware Workstation. It ships a tool called pbnj, which can scan ports and store the results in a MySQL database; storing vulnerability assessment results in a database is sometimes useful. In Kali Linux it is not installed by default. pbnj runs nmap under the hood (nmap arguments are passed with "-a [options]") to scan the network; I only use it to store the results in a database.

Let's see how to install it and use it to scan ports and store the results in a database.

root@find:~# apt-cache search pbnj
pbnj - a suite of tools to monitor changes on a network
root@find:~# apt-get install pbnj



Start the MySQL service on Kali Linux:


root@find:~# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..




Let's find all files related to pbnj:

root@find:~# updatedb;locate pbnj
/usr/bin/outputpbnj
/usr/bin/scanpbnj
/usr/share/doc/pbnj
/usr/share/doc/pbnj/BUGS
/usr/share/doc/pbnj/EXAMPLES
/usr/share/doc/pbnj/NOTES-ON-NMAP-VERSION
/usr/share/doc/pbnj/README.gz
/usr/share/doc/pbnj/changelog.Debian.gz
/usr/share/doc/pbnj/changelog.gz
/usr/share/doc/pbnj/copyright
/usr/share/doc/pbnj/examples
/usr/share/doc/pbnj/examples/csv.yaml
/usr/share/doc/pbnj/examples/mysql.yaml
/usr/share/doc/pbnj/examples/pg.yaml
/usr/share/doc/pbnj/examples/sqlite3.yaml
/usr/share/man/man1/outputpbnj.1p.gz
/usr/share/man/man1/scanpbnj.1p.gz
/var/cache/apt/archives/pbnj_2.04-4_all.deb
/var/lib/dpkg/info/pbnj.list
/var/lib/dpkg/info/pbnj.md5sums






I am going to use MySQL, so I am only interested in "/usr/share/doc/pbnj/examples/mysql.yaml". We need to copy this file into pbnj's config directory and edit it with the correct username, password and database:


root@find:~# mkdir -p ~/.pbnj-2.0; cp /usr/share/doc/pbnj/examples/mysql.yaml ~/.pbnj-2.0/config.yaml;\
nano ~/.pbnj-2.0/config.yaml
# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql
# for SQLite the name of the file. For mysql the name of the database
database: pbnjdb
# Username for the database. For SQLite no username is needed.
user: root
# Password for the database. For SQLite no password is needed.
passwd: ""
# Host for the database. For SQLite no host is needed.
host: localhost
# Port for the database. For SQLite no port is needed.
port: 3306


In Kali the MySQL password is blank and the username is "root". You should really change the username and password, but I am doing it without changing anything. So let's configure MySQL:


root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database pbnjdb;
Query OK, 1 row affected (0.00 sec)

mysql>



We are ready to go now:


root@find:~# scanpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.
Usage: scanpbnj [Options] {target specification}

Target Specification:
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
-i --iplist <iplist> Scan using a list of IPs from a file
-x --xml <xml-file> Parse scan/info from Nmap XML file

Scan Options:
-a --args <args> Execute Nmap with args (needs quotes)
-e --extraargs <args> Add args to the default args (needs quotes)
--inter <interface> Perform Nmap Scan using non default interface
-m --moreports <ports> Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path> Path to Nmap executable
-p --pingscan Ping Target then scan the host(s) that are alive
--udp Add UDP to the scan arguments
--rpc Add RPC to the scan arguments
-r --range <ports> Ports for scan [def 1-1025]

--diffbanner Parse changes of the banner

Config Options:
-d --dbconfig <config> Config for results database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]
--dir <dir> Directory for SQLite or CSV file [def . ]

General Options:
--nocolors Don't Print Colors
--test Testing information
--debug Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )



Now let's scan ports:


root@find:~# scanpbnj -a "-sS"  localhost
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.

--------------------------------------
Starting Scan of 127.0.0.1
Inserting Machine
Inserting Service on 3306:tcp mysql
Inserting Service on 5432:tcp postgresql
Scan Complete for 127.0.0.1
--------------------------------------



In the command above, the "-a" option passes the nmap argument "-sS". The scan finished and the results should have been written to the database. Let's check:


root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pbnjdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
-> ;
+------------------+
| Tables_in_pbnjdb |
+------------------+
| machines |
| services |
+------------------+
2 rows in set (0.00 sec)

mysql> select * from services;
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| mid | service | state | port | protocol | version | banner | machine_updated | updated_on |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| 12 | mysql | up | 3306 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
| 12 | postgresql | up | 5432 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
2 rows in set (0.00 sec)

mysql>



mysql> select * from machines;
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| mid | ip | host | localh | os | machine_created | created_on |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| 1 | 192.168.2.92 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 2 | 192.168.2.96 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 3 | 192.168.2.91 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 4 | 192.168.2.98 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 5 | 192.168.2.99 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 6 | 192.168.2.100 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 7 | 192.168.2.97 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 8 | 192.168.2.94 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 9 | 192.168.2.93 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 10 | 192.168.2.90 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 11 | 192.168.2.95 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 12 | 127.0.0.1 | localhost | 1 | unknown os | 1364339543 | Tue Mar 26 19:12:23 2013 |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
12 rows in set (0.00 sec)

mysql>
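To show what the two tables above make possible, here is an added example (my own code, not part of the original post or of pbnj itself) that rebuilds the machines and services tables in an in-memory SQLite database (SQLite is also a pbnj backend), loads the rows from the page plus a constructed later scan, and answers two questions a practitioner would ask of pbnj's data: which ports are currently up on each host, and which services changed state since a baseline. The column types, the use of machine_updated as the per-scan timestamp, and the convention that a later scan appends a new row with state "down" for a service that disappeared are assumptions, not something the page states.

```python
"""Query a pbnj-style results database offline: the machines/services
tables are rebuilt in SQLite from the column headers shown on the page."""
import sqlite3

# Schema reconstructed from the column headers in the page's output.
# Column types are an assumption; pbnj's real DDL is not shown on the page.
SCHEMA = """
CREATE TABLE machines (
    mid INTEGER PRIMARY KEY, ip TEXT NOT NULL, host TEXT, localh INTEGER,
    os TEXT, machine_created INTEGER, created_on TEXT
);
CREATE TABLE services (
    mid INTEGER NOT NULL REFERENCES machines(mid), service TEXT, state TEXT,
    port INTEGER, protocol TEXT, version TEXT, banner TEXT,
    machine_updated INTEGER, updated_on TEXT
);
"""

# Rows copied from the page's `select * from machines` output (two of twelve).
MACHINES = [
    (1, "192.168.2.92", "0", 0, "unknown os", 1364339153, "Tue Mar 26 19:05:53 2013"),
    (12, "127.0.0.1", "localhost", 1, "unknown os", 1364339543, "Tue Mar 26 19:12:23 2013"),
]
SERVICES = [
    # Rows copied from the page's `select * from services` output.
    (12, "mysql", "up", 3306, "tcp", "unknown version", "unknown product", 1364339543, "Tue Mar 26 19:12:23 2013"),
    (12, "postgresql", "up", 5432, "tcp", "unknown version", "unknown product", 1364339543, "Tue Mar 26 19:12:23 2013"),
    # Constructed rows (assumption): a later scan, one hour on, in which
    # 192.168.2.92 now answers on 22/tcp and mysql on localhost has gone down.
    (1, "ssh", "up", 22, "tcp", "unknown version", "unknown product", 1364343143, "Tue Mar 26 20:12:23 2013"),
    (12, "mysql", "down", 3306, "tcp", "unknown version", "unknown product", 1364343143, "Tue Mar 26 20:12:23 2013"),
]


def load_db():
    """Build the in-memory database and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO machines VALUES (?,?,?,?,?,?,?)", MACHINES)
    con.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)", SERVICES)
    return con


def open_ports_by_host(con):
    """Latest recorded state per (host, port, protocol); returns
    {ip: ["port/proto", ...]} listing only ports whose latest state is up."""
    rows = con.execute("""
        SELECT m.ip, s.port, s.protocol, s.state
        FROM services s JOIN machines m ON m.mid = s.mid
        WHERE s.machine_updated = (
            SELECT MAX(s2.machine_updated) FROM services s2
            WHERE s2.mid = s.mid AND s2.port = s.port AND s2.protocol = s.protocol)
        ORDER BY m.ip, s.port""").fetchall()
    result = {}
    for ip, port, proto, state in rows:
        if state == "up":
            result.setdefault(ip, []).append(f"{port}/{proto}")
    return result


def changes_since(con, baseline_ts):
    """Service rows recorded after baseline_ts whose state differs from the
    most recent row at or before the baseline (None = never seen before).
    Returns [(ip, "port/proto", service, previous_state, new_state), ...]."""
    rows = con.execute("""
        SELECT m.ip, s.port, s.protocol, s.service, s.state,
               (SELECT p.state FROM services p
                 WHERE p.mid = s.mid AND p.port = s.port AND p.protocol = s.protocol
                   AND p.machine_updated <= ?
                 ORDER BY p.machine_updated DESC LIMIT 1) AS previous
        FROM services s JOIN machines m ON m.mid = s.mid
        WHERE s.machine_updated > ?
        ORDER BY m.ip, s.port""", (baseline_ts, baseline_ts)).fetchall()
    return [(ip, f"{port}/{proto}", service, previous, state)
            for ip, port, proto, service, state, previous in rows
            if previous != state]


if __name__ == "__main__":
    db = load_db()
    for host, ports in open_ports_by_host(db).items():
        print(host, ", ".join(ports))
    for host, port, svc, before, after in changes_since(db, 1364339543):
        print(f"{host} {port} {svc}: {before or 'new'} -> {after}")
```

Only standard SQL is used, so the two queries can be pasted into the mysql monitor against pbnjdb as they are; the baseline timestamp is simply the machine_updated value of the scan you want to compare against.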


There is another tool installed, called outputpbnj, which can be used to dump the results without logging in to MySQL manually.


root@find:~# locate outputpbnj
/usr/bin/outputpbnj
/usr/share/man/man1/outputpbnj.1p.gz



root@find:~# outputpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Usage: outputpbnj [Query Options] [Config Options] [General Options]
Query Options:
-q --query <name> Perform sql query
-t --type <type> Output Type [csv,tab,html]
-f --file <filename> Store the result in file otherwise stdout
--both Print results and store them in a file
--dir <dir> Store the result in this directory [def .]

-l --lookup <name> Lookup descrition based on name
--list List of names and descriptions
-n --name Lookup all the names
-d --desc Lookup all the descriptions
-s --sql Lookup all the sql queries

Config Options:
--qconfig <file> Config of sql queries [def query.yaml]
--dbconfig <file> Config for accessing database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]

General Options:
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )



Okay, let's dump the latest result:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Error in option spec: "test|=s"
Error in option spec: "debug|=s"


wtf!

It is not working as expected. No problem, I am going to edit "outputpbnj" (a Perl script): I have to remove the "|" from the "test" and "debug" option specs. Kali Linux uses the Leafpad text editor, so run "leafpad /usr/bin/outputpbnj", or you can use gedit or kate/kwrite (KDE). Then search for "test|=s":



GetOptions(
\%options,
'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
'test|=s', 'debug|=s',
'help|h' => sub { help(); },
'version|v' => sub { print_version(); },
'both' => sub { $bothOutput = 1 },
)
or exit 1;

Just remove the pipe "|" from "test" and "debug", so that they read 'test=s', 'debug=s'. Now save and run:
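The "Error in option spec" messages come from Perl's Getopt::Long: it separates an option's aliases with "|", so 'test|=s' declares an alias with an empty name, which the module rejects. The following added example (my own code, not part of the post or of pbnj) finds and repairs such specs. It generalises the manual edit to any spec with an empty alias, and fix_file() can be pointed at the installed script (the path /usr/bin/outputpbnj is the one named on the page; take a copy of the file first). GETOPTIONS_SNIPPET is the page's GetOptions call, embedded here as constructed input.

```python
"""Detect and repair Getopt::Long option specs that contain an empty alias
name (for example 'test|=s'), the cause of "Error in option spec"."""
import re

# Constructed input: the GetOptions() call as it appears on the page.
GETOPTIONS_SNIPPET = """GetOptions(
    \\%options,
    'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
    'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
    'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
    'test|=s', 'debug|=s',
    'help|h' => sub { help(); },
    'version|v' => sub { print_version(); },
    'both' => sub { $bothOutput = 1 },
)
or exit 1;
"""

SPEC_RE = re.compile(r"'([^']*)'")  # single-quoted option specs


def split_spec(spec):
    """Split 'name|alias=s' into (['name', 'alias'], '=s'); the suffix starts
    at the first of = : ! + which introduce the argument/negation part."""
    m = re.match(r"([^=:!+]*)(.*)", spec)
    names, suffix = m.group(1), m.group(2)
    return names.split("|"), suffix


def bad_specs(text):
    """Return the quoted specs whose alias list contains an empty name."""
    return [s for s in SPEC_RE.findall(text) if "" in split_spec(s)[0]]


def fix_specs(text):
    """Rewrite every spec by dropping empty alias names; other text is kept."""
    def repair(m):
        names, suffix = split_spec(m.group(1))
        kept = [n for n in names if n]
        return "'" + "|".join(kept) + suffix + "'"
    return SPEC_RE.sub(repair, text)


def fix_file(path):
    """Repair the specs in a Perl script in place; returns the specs fixed."""
    with open(path) as fh:
        text = fh.read()
    bad = bad_specs(text)
    if bad:
        with open(path, "w") as fh:
            fh.write(fix_specs(text))
    return bad


if __name__ == "__main__":
    print("bad specs:", bad_specs(GETOPTIONS_SNIPPET))
    print(fix_specs(GETOPTIONS_SNIPPET))
```

Running bad_specs() over the snippet reports exactly the two specs the page points at, and after fix_specs() the GetOptions call contains 'test=s' and 'debug=s', which is the edit made by hand above.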


root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Tue Mar 26 19:12:23 2013 localhost mysql up unknown versiontcp
Tue Mar 26 19:12:23 2013 localhost postgresql up unknown version tcp



It is possible to save the output in different formats. For example:


root@find:~# mkdir pbnjr
root@find:~# outputpbnj -q latestinfo -t html -f pbnjr/report.html
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.

root@find:~# cd pbnjr
root@find:~/pbnjr# ls
report.html
root@find:~/pbnjr# iceweasel report.html
root@find:~/pbnjr#



Another curiosity: can I use only one query ("-q"), or are there more? There are more; I can use many query names:
possiblevuln
sshmachines
allservices
services
unknown_version_up
unknown_banner_up
machines
mdump
servicesup
service_audit 


All the query names are available in the outputpbnj script (with descriptions)!



These kinds of tools are really useful for vulnerability assessment. pbnj is really a nice tool.