Today I am going to share some automation skills related to the recent Norton Symantec PCAnywhere exploit.
After some discussions with colleagues I realized not everyone was sure how to go about starting to clean up from the exploit. To start, I am going to share my method for finding machines that are potentially open to this exploit, including ones you may not have realized existed, so you can patch them.
I tried to make this as easy to understand and tweak for your environment as possible, so there are places where I have taken two small steps rather than one big one. For those of you comfortable chaining this all together, go for it if you haven't done it already and please share in the comments.
There are a lot of ways for this scan to happen. For instance, you can do this almost completely in Nmap, but then you wouldn’t learn about any other automation tools.
Go download Nmap (nmap.org). I used the Windows GUI since it was already on the workstation I used; feel free to run this on Linux with the few obvious modifications needed.
Enter the following Nmap command, replacing my A.B.x.x ranges with the actual ranges you would like scanned. For my purposes I had a few separate subnets I wanted to scan.
nmap -p 5631 -T3 -oG C:\nmapscans\OpenPort5631.txt -oX c:\nmapscans\zenmap-xml.xml --open A.B.1-50.1-254 A.B.1-255.1-254 A.B.25-200.1-254 A.B.37.1-254
This is quick and direct and probably just what you are looking for if you are new to Nmap and trying to learn about its basic usage.
I have this scan set to do the following in our search for PCAnywhere's open port:
- Check port 5631's status (-p 5631)
- Scan 4 different ranges (the A.B.x.x arguments)
- Scan at a medium speed (-T3); this was a 6500 user network so I tried to take it easy
- Only report open ports (--open)
- Output this data in grepable format (-oG). What's that my friend? You don't know what grep is? Learn.
- Write that grepable output into OpenPort5631.txt
You may also want -oX on the command line above, as shown, for a temp file and XML output (Zenmap uses the XML copy). What does --open mean for you? It means only machines with port 5631 open in your ranges are written out. I've got 4 ranges; you may have more or fewer.
Ok. So you’ve got this grepable output Data right?
This alone might be good enough for some of you in smaller environments or in places where you only have a few hits and you know exactly which machines they are. Just view as is or import into a spreadsheet and you are good to go.
For the rest of us, the following.
All of the below is best done from a Linux shell or Linux emulation command line like MinGW or Cygwin.
grep "^Host:" OpenPort5631.txt | cut -d" " -f2 > file1.txt
sort -u file1.txt > file2.txt
Skip to the grep below if your environment is heavy in virtual machines: if VMs share an IP address on the network you might miss a machine when you sort for unique IPs.
sort file1.txt > file3.txt
diff file3.txt file2.txt > result.txt
grep "<" result.txt | cut -d" " -f2 > output.txt
What we've done here is:
- Pulled the IP addresses (the second space-separated field of each Host: line, skipping the # comment lines) out of the grepable output and dumped them into file1.txt
- Sorted the list down to unique addresses and dumped that into file2.txt
- Sorted file1.txt again, duplicates included, and dumped that into file3.txt
- Checked for the differences between the two and dumped that into result.txt
- Stripped the "<" markers diff adds, kept only the IP addresses and cleanly dumped them into output.txt
Great job, so far you've learned to scan for specific ports in Nmap, and learned the basic concepts of cut, sort, diff & grep.
What’s that? Your IP addresses need names so you can identify the machine?
Sounds to me like you need a ping loop.
for ip in $(cat output.txt); do ping -n 1 -a $ip | grep Pinging | cut -d" " -f2; done | sort > Results.txt
The grep on "Pinging" is matching Windows ping.exe's output, so the loop uses its flags: -n 1 for a single echo and -a to resolve the name (the second field is the name, or the bare IP when nothing resolves). The loop has to close with done before the sort, otherwise each pass overwrites Results.txt.
Some of you may need this in a .sh file.
#!/bin/sh
for ip in $(cat output.txt); do
    ping -n 1 -a $ip | grep Pinging | cut -d" " -f2
done | sort > Results.txt
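As an added example (not from the original post), here is a small shell function that does the IP extraction, de-duplication and naming in one pass over the -oG file, using the reverse-DNS name Nmap already recorded in parentheses on each Host: line, so the ping loop is only needed for hosts that had no name at scan time. The scan output it reads is a constructed sample, not real results.

```shell
#!/bin/sh
# Read Nmap grepable (-oG) output on stdin and print one "ip<TAB>name" line
# per host that has the given TCP port open (default 5631, the PCAnywhere
# data port). Nmap writes two "Host:" lines per live host (Status and Ports),
# so hosts are de-duplicated here instead of with the sort/diff steps above.
# The name is the reverse-DNS name Nmap recorded in parentheses; "-" if none.
open_hosts() {
    awk -v port="${1:-5631}" '
        /^Host: / && /Ports: / {
            ip = $2
            name = $3                 # "(hostname)" or "()" when unresolved
            gsub(/[()]/, "", name)
            if (name == "") name = "-"
            # an open entry looks like "5631/open/tcp//pcanywheredata///" and
            # sits either right after "Ports: " or after a ", " separator
            if (match($0, "(Ports: |, )" port "/open/tcp") && !(ip in seen)) {
                seen[ip] = 1
                print ip "\t" name
            }
        }'
}

# Constructed sample of -oG output (not a real scan); Nmap separates the
# fields with tabs, but awk splits on any whitespace so spaces work too.
SAMPLE_OG=$(cat <<'EOF'
# Nmap 6.01 scan initiated (constructed sample)
Host: 10.20.1.15 (lab-ws01.example.test)  Status: Up
Host: 10.20.1.15 (lab-ws01.example.test)  Ports: 5631/open/tcp//pcanywheredata///
Host: 10.20.1.40 ()  Status: Up
Host: 10.20.1.40 ()  Ports: 5631/open/tcp//pcanywheredata///, 5632/open/udp//pcanywherestat///
Host: 10.20.2.7 (srv02.example.test)  Status: Up
Host: 10.20.2.7 (srv02.example.test)  Ports: 5631/closed/tcp//pcanywheredata///
# Nmap done
EOF
)

printf '%s\n' "$SAMPLE_OG" | open_hosts            # lists the two exposed hosts
```

Hosts that come back with "-" are the ones to feed to the ping loop or your own reverse lookup.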
So now that you’ve got your IP address and names, go out there and secure your environment.