Monks,

I'm in need of some assistance. I have the following data:
-------------------------------------------------
Host: 192.168.1.202
Open ports:
Service: http (80/tcp)
Severity: Low
The IIS server appears to have the .IDA ISAPI filter mapped. At least one remote vulnerability has been discovered for the .IDA (indexing service) filter. This is detailed in Microsoft Advisory MS01-033, and gives remote SYSTEM level access to the web server.
-------------------------------------------------
Host: 192.168.1.21
Open ports:
Service: https (443/tcp)
Severity: High
The remote host seems to be using a version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3 This version is vulnerable to a buffer overflow which, may allow an attacker to obtain a shell on this host.
Service: https (443/tcp)
Severity: Low
The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.
-------------------------------------------------
Host: 192.168.1.22
Open ports:
Service: http (80/tcp)
Severity: High
It might be possible to make the remote IIS server execute arbitrary code by sending it a too long url ending in .htr.
That I would like to format as such:
-------------------------------------------------
Vulnerability:
Service: http (80/tcp)
Severity: High
It might be possible to make the remote IIS server execute arbitrary code by sending it a too long url ending in .htr.
Hosts:
192.168.1.22
192.168.1.202
-------------------------------------------------
Vulnerability:
Service: https (443/tcp)
Severity: High
The remote host seems to be using a version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3 This version is vulnerable to a buffer overflow which, may allow an attacker to obtain a shell on this host.
Hosts:
192.168.1.21

Below is my code attempt. I'm thinking I need a hash with the key being the vulnerability and the values being the IPs. I got the code for the hash here: Unique keys for multiple values with a Hash, but it's not working (nothing happens). The other problem is my regex. It works fine when a host only has one vulnerability to it, but not against multiple vulnerabilities (like 192.168.1.21 above). I'm not sure of the best way to write it to catch these.

My apologies for the long post.
Dru
use strict;
use warnings;

my $file = 'input.txt';
my (%hash, @ips, @alerts);

open (FILE, "$file") or die "Can't open $file\n";
while (<FILE>){
    $/ = '-------------------------------------------------';
    $hash{$2}{1} = 0 if (/(Host: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).* (Service:.*Severity:.*)/ms);
}
foreach my $key (keys %hash) {
    $hash{$key} = [keys %{$hash{$key}}];
}
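
An added example, not part of Dru's post: one way to build the hash of arrays described above, splitting each host record at every "Service:" line so that a host with several findings contributes one entry per finding. The sub name group_by_finding and the shortened sample report are assumptions made for illustration.

```perl
use strict;
use warnings;

# Constructed sample in the report layout shown in the post (descriptions shortened).
my $report = <<'END';
-------------------------------------------------
Host: 192.168.1.21
Open ports:
Service: https (443/tcp)
Severity: High
OpenSSL older than 0.9.6e: buffer overflow.
Service: https (443/tcp)
Severity: Low
OpenSSL older than 0.9.6j: timing attack.
-------------------------------------------------
Host: 192.168.1.22
Open ports:
Service: https (443/tcp)
Severity: High
OpenSSL older than 0.9.6e: buffer overflow.
END

# Hypothetical helper: returns a hash of arrays, finding text => [hosts reporting it].
sub group_by_finding {
    my ($text) = @_;
    my %hosts_for;
    for my $record (split /^-{10,}[ \t]*$/m, $text) {
        # Skip anything that is not a host record (e.g. the empty leading field).
        my ($host) = $record =~ /^Host:\s*(\d{1,3}(?:\.\d{1,3}){3})/m or next;
        # Cut the record in front of every "Service:" line, so a host with
        # several findings yields one chunk per finding.
        my @chunks = split /^(?=Service:)/m, $record;
        shift @chunks;    # drop the "Host:" / "Open ports:" preamble
        for my $finding (@chunks) {
            $finding =~ s/\s+\z//;    # identical findings must compare equal
            push @{ $hosts_for{$finding} }, $host
                unless grep { $_ eq $host } @{ $hosts_for{$finding} || [] };
        }
    }
    return \%hosts_for;
}

my $hosts_for = group_by_finding($report);
for my $finding (sort keys %$hosts_for) {
    print '-' x 49, "\nVulnerability:\n$finding\nHosts:\n";
    print "$_\n" for @{ $hosts_for->{$finding} };
}
```

Unlike the attempt in the post, this stores the captured host address as the value (the attempt uses the literal key 1) and prints the grouped result. Findings are keyed on their full text, so two hosts are grouped together only when service, severity and description all match.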

In reply to Building a Hash with Multiple Values by Dru
