From 26C3 Public Wiki

Wolpertinger

What is this?

It is a distributed port scanner that does nothing but scan TCP ports. But it is fast. Really fast: fast enough to scan class B networks before you have to retire. And it is available from here. The results land in an SQLite database, so you can do with them whatever you want. It runs on Linux and is open source.

Hopefully we can run a small workshop. If you don't have a Linux system, we may have some bootable USB sticks with Wolpertinger already set up (working on it). See "Requirements" for more info.

contact:wolpertwo@googlemail.com

Features

  • Distributed portscanning from up to 128 hosts
  • Error-management: failure of a drone will be compensated for
    • no work lost when a drone becomes unreachable
  • Workload-balancing: networks to scan are distributed between drones
  • CRAM-MD5 Authentication between drones and master
  • relational database support (SQLite)

Intended usage

Basically, it is intended for people who need to

  • scan either lots of small networks or large networks fast
    • prepare lists for security scanners and so on
    • check a LAN/WLAN for bad things
    • create some sort of inventory of systems/services

or for anyone who is interested in, well, portscanners.

Non-intended usage

  • stress testing :)

Please note that wolpertinger is neither stealthy nor bandwidth-friendly. It is supposed to be used with fast/stable connections against networks whose owners don't mind being scanned.

The wolper-cluster

Wolpertinger consists of a bunch of components which need to be set up to create a wolper-cluster.

  • the wolper-master
    • controls scanning
    • stores the results
  • the sender-drone(s)
    • sends packets
  • the listener-drone
    • receives packets from one or more sender-drones

At the moment, wolpertinger supports many sender drones but only a single listener. You can scan from a single machine by starting one sender and one listener drone locally; however, this is really a debugging option and not suitable for "production".

The workshop

In the workshop, we'll do the following:

  • provide the background info
    • why another portscanner
    • workings/machinations of a distributed scanner
  • install wolpertinger
    • or use prepared usb-sticks
  • use it together in a responsible and sensible fashion :)
  • bug the developer ;)

Requirements (important!)

Please bring your own switch and ethernet cables, if at all possible. That would really help. We've got just 2 small switches and cables. We couldn't really bring a lot of stuff. If you help out, there'll be gifts!

Installation

This consists of getting the source from ... sourceforge! And installing the required libraries; most of you will already have most, if not all, of them. Testing was mainly done on Debian/Ubuntu and BackTrack, some on Gentoo.

Source

System requirements

  • working 32/64-bit Linux
    • shouldn't be much older than debian lenny/ubuntu intrepid ibex
  • sqlite
  • openssl
  • libdnet from http://libdnet.sourceforge.net/
    • not the DECT-lib! Please check your repository before installing.
    • ./configure --prefix=/opt/libdnet && make && make install should work
  • libpcap
  • uuid-dev

That's it.

Preparing debian/ubuntu

aptitude install uuid-dev libsqlite3-dev libssl-dev libpcap0.8-dev

Installing/compiling

./configure --prefix=/usr && make && sudo make install 

You might need to copy wolpertinger.dp from ./wolpertinger/data to /usr/local/wolpertinger/.

Usage

Begin by starting some drones. You'll need at least one sender and one listener drone; both can be on the same machine. However, another system should be used to control them: scanning from one machine is a debugging option and "not safe".

Starting drones

Drones ask you for a password when you start them. The master needs those passwords to contact the drones, so you may want to tell them to the person running the master. But first let's check the syntax of the wolperdrone command:

# ./wolperdrone
no drone type specified
usage : ./wolperdrone -i <interface> -p <port> [-S|-L]

-i <ifname> : interface used for sending/listening
-p <port>   : port to listen for master
-L|-S       : create a [S]ender or [L]istener drone
-D          : run as daemon in background

Example for starting a sender drone on port 667:

./wolperdrone -i eth0 -p 667 -S -D

Example for starting a listener drone on port 668:

./wolperdrone -i eth0 -p 668 -L -D

-D is daemon mode, use it if you want to keep drones running for a while.

Using the drones for scanning

You need the passwords, IP addresses and ports the drones use, and at least one sender drone plus the listener drone to continue. Let's check the syntax of the wolpertinger command:

# ./wolpertinger -h
usage : ./wolpertinger [options] <targets>

options:
  -D <drones>       : list of drones like ip:port,ip:port,...
  -iL <filename>    : load hosts from file
  -s <pps>          : packets per seconds
  -p <port str>     : ports to scan (1-1000,2000, etc. a = all ports)
  -g <source port>  : set source port for scan
  -L <seconds>      : time to wait after packet are sent
  -t <tagname>      : tag of the scan (identifier)
  -d                : debug output
  -v                : verbose output
  -h                : this help

 --drone-list  <filename> : read drones from file
 --retry <num>            : repeat packet scan <num> times
 --with-tcpops (NYI)      : Send packets with some TCP Options set

targets:
  hostnames
  ipadresses
  cidr-notation
  ranges
  example: 192.168.2.0/24 www.yahoo.com 192.168.10.222 127.0.0-1.10-20,30-40

If you want to use the drones started above, you could use this:

wolpertinger -t fun -s 300 -p a -D 192.168.0.2:667,192.168.0.3:668 192.168.1.0/24

This uses the drones running on 192.168.0.2 and 192.168.0.3 to scan the network 192.168.1.0/24 on all ports at 300 packets per second per sender drone. Wolpertinger works out by itself which drones are listeners and which are senders. If you use wolpertinger a lot, you might want to provide a drone list with --drone-list. It should contain one drone per line:

<Drone-IP-A>:<port>
<Drone-IP-B>:<port>

... and so on.
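To make the target grammar from the help text concrete, here is an added example (my own code, not part of wolpertinger) that expands target and port specs the way I read them and turns the numbers into a rough scan duration. The octet-range grammar (each octet of an IPv4 address may be a comma-separated list of numbers or lo-hi ranges, as in 127.0.0-1.10-20,30-40), the inclusion of network and broadcast addresses for CIDR targets, and "a" meaning ports 1-65535 are assumptions; hostnames are passed through unresolved because the scanner, not this script, resolves them. The drone list and targets in the main block are constructed to mirror the page's examples.

```python
"""Expand wolpertinger-style target/port specs and estimate scan time.

Added example, not wolpertinger's own code. The range grammar and the
CIDR/port conventions below are assumptions drawn from the help text.
"""
from __future__ import annotations

import ipaddress
import itertools
import re

# One octet field: 'n', 'lo-hi', or a comma list of those (assumed grammar).
_OCTET_FIELD = r"[0-9]+(?:-[0-9]+)?(?:,[0-9]+(?:-[0-9]+)?)*"
_RANGE_TARGET = re.compile(rf"^{_OCTET_FIELD}(?:\.{_OCTET_FIELD}){{3}}$")


def _expand_field(field: str, upper: int) -> list[int]:
    """Expand 'n', 'lo-hi' or a comma list of those into sorted unique ints."""
    values: set[int] = set()
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= upper:
            raise ValueError(f"bad range {part!r} in {field!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def expand_target(spec: str) -> list[str]:
    """Expand one target: CIDR, plain IPv4, or octet ranges; hostnames pass through."""
    if "/" in spec:
        # Assumption: every address of the block is a target, including
        # network and broadcast; the real tool may skip those.
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    if _RANGE_TARGET.match(spec):
        octets = [_expand_field(f, 255) for f in spec.split(".")]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    # Anything else is a hostname; the scanner resolves it, this script does not.
    return [spec]


def expand_targets(specs) -> list[str]:
    """Expand several specs, de-duplicated, keeping first-seen order."""
    seen: dict[str, None] = {}
    for spec in specs:
        for host in expand_target(spec):
            seen.setdefault(host, None)
    return list(seen)


def expand_ports(spec: str) -> list[int]:
    """'1-1000,2000' style port string; 'a' is all ports (assumed 1-65535)."""
    if spec == "a":
        return list(range(1, 65536))
    return _expand_field(spec, 65535)


def parse_drone_list(text: str) -> list[tuple[str, int]]:
    """Parse a --drone-list file: one ip:port per line, blank lines ignored."""
    drones = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected ip:port, got {line!r}")
        ipaddress.ip_address(host)  # raises ValueError on junk
        port_i = int(port)
        if not 1 <= port_i <= 65535:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        drones.append((host, port_i))
    return drones


def estimate_scan_seconds(n_hosts: int, n_ports: int, pps: int,
                          n_senders: int, retry: int = 0, wait: int = 0) -> float:
    """Lower bound on wall time: -s is per sender drone (per the page),
    --retry repeats the packet scan, -L adds a final wait."""
    packets = n_hosts * n_ports * (1 + retry)
    return packets / (pps * n_senders) + wait


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    drones = parse_drone_list("192.168.0.2:667\n192.168.0.3:668\n")
    hosts = expand_targets(["192.168.1.0/24", "127.0.0-1.10-20,30-40"])
    ports = expand_ports("a")
    senders = max(1, len(drones) - 1)  # one drone is the listener (assumption)
    print(f"{len(hosts)} hosts x {len(ports)} ports from {senders} sender drone(s)")
    print(f"lower bound: {estimate_scan_seconds(len(hosts), len(ports), 300, senders):.0f} s")
```

The estimate is a floor, not a prediction: it ignores the listener's capacity and the link, which is exactly why the page warns that the tool is not bandwidth-friendly. It is still the number to look at before typing -p a against a /16.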

Working with results

You can use wolper-mcp for that:

  • wolper-mcp -l
    • shows all scans
  • wolper-mcp -s X
    • shows scan X

You can also talk to the database directly.
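Since the page does not document the database schema, the first step in talking to it directly is to discover the schema. The following added example (my own code, not wolpertinger's or wolper-mcp's) does that with Python's sqlite3 module: it lists the tables, their columns and the first rows of each, quoting identifiers with double quotes because table names cannot be bound as parameters. The in-memory database it falls back to when no path is given is a constructed, hypothetical schema used only so the script runs stand-alone; wolpertinger's real tables will look different.

```python
"""Discover and dump the schema of an SQLite results database.

Added example, not part of wolpertinger. Usage: python inspect_db.py <db-path>;
with no argument it inspects a constructed sample database.
"""
from __future__ import annotations

import sqlite3
import sys


def quote_ident(name: str) -> str:
    """Quote an SQL identifier: identifiers cannot be bound as ? parameters,
    so escape embedded double quotes by doubling them."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """User tables from sqlite_master, skipping SQLite's internal ones."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [row[0] for row in rows]


def describe_table(conn: sqlite3.Connection, table: str) -> list[tuple[str, str]]:
    """(column name, declared type) pairs via PRAGMA table_info."""
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})")
    return [(row[1], row[2]) for row in rows]


def dump_table(conn: sqlite3.Connection, table: str, limit: int = 20) -> list[tuple]:
    """First rows of a table; only the limit is a bound parameter."""
    return conn.execute(
        f"SELECT * FROM {quote_ident(table)} LIMIT ?", (limit,)
    ).fetchall()


def schema_report(conn: sqlite3.Connection) -> dict[str, list[tuple[str, str]]]:
    """Map every user table to its column list."""
    return {table: describe_table(conn, table) for table in list_tables(conn)}


def constructed_sample_db() -> sqlite3.Connection:
    """Constructed, hypothetical schema so the script runs offline.
    It does NOT reflect wolpertinger's real database layout."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE scans (id INTEGER PRIMARY KEY, tag TEXT, started TEXT);
        CREATE TABLE results (scan_id INTEGER, host TEXT, port INTEGER, state TEXT);
        INSERT INTO scans VALUES (1, 'fun', '2009-12-27 10:00:00');
        INSERT INTO results VALUES (1, '192.168.1.10', 22, 'open');
        INSERT INTO results VALUES (1, '192.168.1.10', 80, 'open');
        INSERT INTO results VALUES (1, '192.168.1.11', 443, 'open');
        """
    )
    return conn


if __name__ == "__main__":
    # Open read-only when a path is given so inspection cannot alter results.
    if len(sys.argv) > 1:
        conn = sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
    else:
        conn = constructed_sample_db()
    for table, columns in schema_report(conn).items():
        print(table, columns)
        for row in dump_table(conn, table, limit=5):
            print("   ", row)
```

Once the real table and column names are known, the usual SELECTs apply; keep identifiers quoted and values bound as shown if you wrap this into anything that takes tag names or hosts from user input.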

Contact-Info

The main developer will be there, but he hates wikis (or not, who knows?) and is sleeping at the moment. So use me as the contact for congress. I'll assist with setting up the workshop and so on. Please use sourceforge for bug reports; using sourceforge helps keep track of things, comment on fixes and so on.