JTB in Action

The Investigator

Updates

So my last post was about a new tool/framework I had written in python to make looking up general information about hostnames/ips easier. Since I made that blog post I have updated it quite a bit. I added ASN information lookups as well as blacklist checking. I made functionality improvements such as being able to use all the menu options from the command line in various combinations. You can now investigate many hosts at once with the Mass Investigator and combine reports of the same format into 1 file.

Next Steps

So far I had been so focused on developing this tool I had yet to really use it in action and thoroughly test it. In this post I want to walk through some uses I have found recently. Hopefully this will help you guys see different use cases for this tool and how it can make your life easier. With the added functionality and switches, the application has grown widely so let’s see what it can do!

JTB in the Wild

Doing recon on your network

This example doesn’t utilize much of the functionality but shows 1 use case that can likely apply to many people:

First, install netdiscover and run netdiscover -r <ip range of your network> to get an output like:
192.168.200.86 1c:1b:0d:7d:39:c8 3 180 GIGA-BYTE TECHNOLOGY CO.,LTD.
192.168.200.1 5c:e2:8c:8f:6e:3c 1 60 Zyxel Communications Corporation
192.168.200.118 70:4f:57:ea:80:2e 1 42 TP-LINK TECHNOLOGIES CO.,LTD.
192.168.200.141 b8:27:eb:33:64:25 1 60 Raspberry Pi Foundation
192.168.200.207 d0:67:e5:20:88:1f 1 60 Dell Inc.
192.168.200.215 78:8a:20:b9:2b:6d 1 60 Ubiquiti Networks Inc.
192.168.200.240 6c:3b:e5:29:f5:b6 1 60 Hewlett Packard
192.168.200.248 30:9c:23:4a:91:4e 1 60 Micro-Star INTL CO., LTD.
192.168.200.23 78:e1:03:31:9b:07 1 42 Amazon Technologies Inc.

Save that output to a file named network.txt and run cat network.txt | awk '{print $1}' > ips_home.txt to save just the IPs to a new file named ips_home.txt. (The “ips_” at the beginning of the filename is necessary for JTB to recognize whether it is a file of IPs or of hostnames.)

Then, to get hostnames and open ports on your network, run ./jtb.py -m ips_home.txt to create a new CSV report in reports/csv/ for each host with the gathered information. For prettier text reports, run ./jtb.py -m ips_home.txt -f txt. To get the prettier text report and combine ALL stored reports into one file per format, run ./jtb.py -m ips_home.txt -c home, where “home” is the beginning of the filename stored in reports/txt/home_combined.txt. The combine function is still rough, so it will combine all saved reports that aren’t already combined reports.

Investigating an SSH bruteforce attack

If any of you have spun up a server in the cloud, you know that its SSH service gets bruteforced like crazy. When I noticed this in the logs, I moved the SSH port to a high port and threw a simple honeypot on that port to catch the attempted credentials and the IP addresses they came from. I would then run a script to collect the IP addresses from the logs into a single file named ips_bruteforce.txt.

Then just run ./jtb.py -m ips_bruteforce.txt -c bruteforce to get all the information it can on the hosts and spit the info into reports/txt/bruteforce_combined.txt. This is probably one of the most useful use-cases for this tool as it can provide a wealth of information about attackers.
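The two input files used above, ips_home.txt from netdiscover output and ips_bruteforce.txt from SSH logs, both have to be plain one-IP-per-line lists with the "ips_" prefix JTB keys on. The script below is an added example and not part of JTB or the post's own collection script: it parses a constructed netdiscover sample and constructed sshd auth-log lines (all addresses invented), validates and deduplicates the IPs, counts failed-login sources so the noisiest attackers come first, and writes the list under the ips_ naming convention. The sshd message patterns it matches ("Failed password for" and "Invalid user") are the standard OpenSSH log text; the sample timestamps and hostnames are assumptions.

```python
"""Added example (not JTB's own code): build the ips_*.txt input lists JTB expects
from netdiscover output and from sshd auth-log lines."""
import ipaddress
import re
from collections import Counter
from pathlib import Path

# Constructed netdiscover output in the layout the post shows (one duplicate row on purpose).
NETDISCOVER_SAMPLE = """\
192.168.200.86 1c:1b:0d:7d:39:c8 3 180 GIGA-BYTE TECHNOLOGY CO.,LTD.
192.168.200.1 5c:e2:8c:8f:6e:3c 1 60 Zyxel Communications Corporation
192.168.200.141 b8:27:eb:33:64:25 1 60 Raspberry Pi Foundation
192.168.200.86 1c:1b:0d:7d:39:c8 1 60 GIGA-BYTE TECHNOLOGY CO.,LTD.
"""

# Constructed sshd lines in syslog/auth.log shape; addresses are documentation ranges.
AUTH_LOG_SAMPLE = """\
Mar  3 02:14:07 host sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 02:14:09 host sshd[1201]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar  3 02:14:12 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 02:15:01 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2
Mar  3 02:15:40 host sshd[1211]: Invalid user oracle from 203.0.113.45 port 51300
"""

# Matches only failed or invalid-user events; successful logins never reach the list.
FAILED_RE = re.compile(r"(?:Failed password for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})")


def ips_from_netdiscover(text):
    """First column of each netdiscover row, validated as IPv4, deduplicated in order."""
    seen = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[0]))
        except ipaddress.AddressValueError:
            continue  # banner or header line, not a host row
        if ip not in seen:
            seen.append(ip)
    return seen


def failed_login_sources(text):
    """Map source IP -> number of failed/invalid-user sshd events in the given log text."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def write_ip_list(name, ips, directory="."):
    """Write one IP per line to ips_<name>.txt (JTB's IP-list prefix) and return the path."""
    path = Path(directory) / f"ips_{name}.txt"
    path.write_text("\n".join(ips) + "\n")
    return path


if __name__ == "__main__":
    print(write_ip_list("home", ips_from_netdiscover(NETDISCOVER_SAMPLE)))
    counts = failed_login_sources(AUTH_LOG_SAMPLE)
    # Most persistent sources first, so the top of bruteforce_combined.txt is the most interesting.
    print(write_ip_list("bruteforce", sorted(counts, key=counts.get, reverse=True)))
```

Run it in the directory you launch JTB from and feed the resulting files to ./jtb.py -m as described above; the address validation step is what keeps a stray netdiscover banner or a truncated log line from ending up as a bogus "host" in the reports.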

BitSight Alerts

And last but not least, dealing with BitSight alerts, the reason I wrote the tool in the first place. BitSight will throw an alert that only provides the public IP that caused the alert and when they detected it. To track this down I need to look up information about that IP: where it is registered (I work for an international company), the hostname for the IP, blacklist checks to see whether it is sending out lots of bad traffic, and a Splunk search for the IP to see if I can track down the offender.

To get all the info I can on the offending IP I simply run ./jtb.py -i <offending ip> -f txt, which creates a text report, the easiest format to read. If I wanted to further process this information with other scripts or tools I could export it as CSV or JSON. If I was worried about interacting with the target I could tack on the -p flag to run in passive mode, which disables nmap.

To search Splunk I need to convert the UTC time BitSight gives me to the local time zone. Luckily I can just run ./jtb.py -t <time> to get that UTC time in local time.
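The conversion step above is where off-by-an-hour mistakes creep in, usually from treating a naive timestamp as if it were already local. The following is an added example, not JTB's -t implementation: it takes an alert time as a UTC string, attaches UTC explicitly before converting to a named zone (so DST is handled by the zone database rather than a hard-coded offset), and also returns an epoch-seconds window usable in a Splunk search. The timestamp format ALERT_FORMAT, the America/New_York zone and the 15-minute window are assumptions.

```python
"""Added example (not JTB's own code): UTC alert time -> local time and a Splunk epoch window."""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

ALERT_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout of the alert's UTC timestamp


def utc_to_local(utc_text, zone="America/New_York"):
    """Parse a naive UTC string, mark it as UTC, then convert; returns an aware datetime."""
    naive = datetime.strptime(utc_text, ALERT_FORMAT)
    # Attach UTC first: astimezone() on a naive value would assume the machine's local zone.
    aware_utc = naive.replace(tzinfo=timezone.utc)
    return aware_utc.astimezone(ZoneInfo(zone))


def splunk_window(utc_text, minutes=15, zone="America/New_York"):
    """Return (earliest, latest, local_text): epoch seconds bracketing the alert plus a readable local time."""
    local = utc_to_local(utc_text, zone)
    center = int(local.timestamp())  # epoch is zone-independent once the datetime is aware
    return center - minutes * 60, center + minutes * 60, local.strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    earliest, latest, local_text = splunk_window("2019-07-04 15:30:00")
    print(f"{local_text}  earliest={earliest} latest={latest}")
```

Pass the earliest and latest values straight into a Splunk search's time bounds; the local text is only for reading, since a search keyed on the pretty-printed string would pick up the zone abbreviation and drift with DST.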

Just like that, I have all the information that would have taken multiple tools, copying and pasting, and likely some googling to find, quickly and easily and in one central place to reference.

That’s Not all Folks!

There are many more use-cases for this tool out there. I tried to write it as robustly as possible so that if any one module fails it won’t break the whole thing, but if I missed anything let me know!

As the tool continues to grow and I add more modules, functionality, and build integration, the use-cases will continue to grow, and I will likely make a follow-up post as I use and develop JTB.

That’s all for today’s rambling. Thanks for listening!

-Th3J0kr
