Archive for the ‘Network’ Category

Beej’s Guide to Network Programming: Using Network Sockets

February 19, 2013

This is an incredibly well written book that is made available for free online. If getting your hands dirty with C and learning about network sockets is your idea of a good time, get ready to live!

http://www.beej.us/guide/bgnet/output/html/singlepage/bgnet.html

More seriously, the author does an excellent job explaining a seemingly complex topic, and does so with a very casual and compelling writing style. For a “dry” topic, this is a very readable book.

Categories: Network, Tech

DNSCat traffic parser / dissector / decoder

January 14, 2013

I’ve been playing with DNSCat recently, and it got me thinking about how to decode any DNSCat captured traffic (via libpcap capture).

Fortunately I found Diablo Horn’s very impressive Lua script that can be used for this task. I decided that there is value in having this as a Python script that I could run directly against a pcap, so I converted the Lua script to Python.

I’ve placed my Python conversion of this script on GitHub here: https://github.com/MicksMix/DNSCatDecoder

How to use:
This requires a pcap network capture as its only input:

python ./dnscatdecoder.py dnscat_captured_traffic.pcap

I’ve also pasted the initial release of the script, however please refer to the GitHub repo for any updates/changes to this script.

#!/usr/bin/env python
#
# dnscatdecoder.py
# v0.1
#
# Jan 14, 2013
#
# entirely based off of this script:
#     http://diablohorn.wordpress.com/2010/12/05/dnscat-traffic-post-dissector/
#
# author: Mick Grove
# https://micksmix.wordpress.com
#
# License: The BSD 2-Clause License (http://opensource.org/licenses/bsd-license.php)
#
# requires dpkt --- https://code.google.com/p/dpkt/
#
# Written for Python 2: reads a pcap and prints the payload carried in each
# dnscat CNAME query.
#
from __future__ import print_function

import sys
import os
import re
import binascii
import dpkt


def decodeErr(data):
    # error codes carried in the label that follows the flags of an RST packet
    ERR_SUCCESS = 0x00000000
    ERR_BUSY = 0x00000001
    ERR_INVSTATE = 0x00000002
    ERR_FIN = 0x00000003
    ERR_BADSEQ = 0x00000004
    ERR_NOTIMPLEMENTED = 0x00000005
    ERR_TEST = 0xFFFFFFFF

    names = {
        ERR_SUCCESS: "success",
        ERR_BUSY: "busy",
        ERR_INVSTATE: "invalidstate",
        ERR_FIN: "confin",
        ERR_BADSEQ: "badseqnum",
        ERR_NOTIMPLEMENTED: "not_implemented",
        ERR_TEST: "contest",
    }

    # the label is a hex string like the flags label, so convert it before
    # comparing (comparing the raw string against the integers never matched)
    try:
        code = int(data, 16)
    except ValueError:
        return "unknown(%s)" % data

    return names.get(code, "unknown(0x%x)" % code)


def decodeHex(data):
    # payload labels sent with the hex flag carry two hex digits per byte
    data = data.upper()
    l = []
    for i in range(0, len(data) - 1, 2):
        try:
            l.append(binascii.unhexlify(data[i:i+2]))
        except (TypeError, binascii.Error):
            pass  # skip any pair that is not valid hex

    return ''.join(l)


def decodeNetBios(data):
    # payload labels without the hex flag use NetBIOS-style encoding:
    # each byte is sent as two letters 'A'..'P', one per nibble
    data = data.upper()
    l = []
    for i in range(0, len(data) - 1, 2):
        l.append(chr((((ord(data[i]) - 0x41) & 0xf) << 4) |
                     ((ord(data[i+1]) - 0x41) & 0xf)))

    return ''.join(l)


def decodeFlags(data, fp):
    # protocol flags; each set bit adds a key to fp that is filled in later
    FLAG_STREAM = 0x00000001
    # deprecated
    FLAG_SYN = 0x00000002
    FLAG_ACK = 0x00000004
    # end of deprecated
    FLAG_RST = 0x00000008
    FLAG_HEX = 0x00000010
    FLAG_SESSION = 0x00000020
    FLAG_IDENTIFIER = 0x00000040

    flags = int(data, 16)

    if flags & FLAG_STREAM:
        fp['stream'] = ""

    if flags & FLAG_SYN:
        fp['syn'] = ""

    if flags & FLAG_ACK:
        fp['ack'] = ""

    if flags & FLAG_RST:
        fp['rst'] = ""

    if flags & FLAG_HEX:
        fp['hex'] = ""

    if flags & FLAG_SESSION:
        fp['session'] = ""

    if flags & FLAG_IDENTIFIER:
        fp['identifier'] = ""


def getSubs(data):
    # split the query name into its labels (everything between the dots)
    return re.findall("(?im)[^%.]+", data)


def main(data, fp):
    # walk the labels of one dnscat query name and fill fp with its fields
    x = getSubs(data)
    x.pop(len(x)-1)              # drop the top-level domain
    fp['signature'] = x.pop(0)   # the "dnscat" marker

    decodeFlags(x.pop(0), fp)

    if "identifier" in fp:
        fp['identifier'] = x.pop(0)

    if "session" in fp:
        fp['session'] = x.pop(0)

    if "stream" in fp:
        fp['seqnum'] = x.pop(0)

    # always present so the caller can print it, even for a reset
    fp['asciidata'] = ""

    if "rst" in fp:
        # a reset carries an error code instead of data
        fp['err'] = decodeErr(x.pop(0))
        fp['garbage'] = x[0]
        fp['domain'] = x[1]
    else:
        fp['count'] = x.pop(0)

        fp['garbage'] = x.pop(len(x)-1)
        fp['domain'] = x.pop(len(x)-1)

        # every remaining label is a chunk of the payload
        while len(x) > 0:
            if "hex" in fp:
                fp['asciidata'] = fp['asciidata'] + decodeHex(x.pop(0))
            else:
                fp['asciidata'] = fp['asciidata'] + decodeNetBios(x.pop(0))


def parsePcapFile(pcap):
    fp = {}
    for (ts, buf) in pcap:
        try:
            eth = dpkt.ethernet.Ethernet(buf)
            # skip the frame if it doesn't contain IPv4 traffic
            if eth.type != dpkt.ethernet.ETH_TYPE_IP:
                continue

            ip = eth.data
            # let's only deal with udp
            if ip.p != dpkt.ip.IP_PROTO_UDP:
                continue

            udp = ip.data
            # dnscat client traffic is sent to the DNS port
            if udp.dport != 53:
                continue

            dns = dpkt.dns.DNS(udp.data)
            if not dns.qd or len(dns.qd[0].name) < 1:
                continue

            # dnscat carries its data in CNAME queries
            if dns.qd[0].type == dpkt.dns.DNS_CNAME:
                print("original line: %s\n" % dns.qd[0].name)
                main(dns.qd[0].name, fp)
                print(fp['asciidata'])
                print("---")
                print("")

        except Exception:
            # malformed frames and non-dnscat names are skipped
            pass
        finally:
            # never let fields from one query leak into the next
            fp.clear()


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: %s <capture.pcap>' % sys.argv[0])

    if not os.path.exists(sys.argv[1]):
        sys.exit('ERROR: Pcap file <%s> was not found!' % sys.argv[1])

    inputfile = str(sys.argv[1])

    with open(inputfile, "rb") as f:
        pcap = dpkt.pcap.Reader(f)
        parsePcapFile(pcap)
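To make the name layout the script walks through testable without a capture or dpkt, here is an added Python 3 example (not part of the post or the DNSCatDecoder repo). It decodes a dnscat query name into the same fields, adds an encoder so constructed names can be round-tripped, and reassembles a session's payload in sequence order, which is what an analyst usually wants from the capture. The field order follows the script above; the label widths ("%08x" for flags, error code and count), the chunk size, the sample domain and the function names (`netbios_encode`, `build_query_name`, `decode_query_name`, `reassemble_sessions`) are my assumptions, and all input is constructed.

```python
# Added example, not from the original post or the DNSCatDecoder repository.
# Python 3 decoder for the dnscat query-name layout handled by the script
# above, plus an encoder for constructed names. Field order mirrors the
# script; label widths and chunking are assumptions made here.
import binascii

# Protocol flag bits (values as in the script above).
FLAG_STREAM, FLAG_SYN, FLAG_ACK, FLAG_RST = 0x01, 0x02, 0x04, 0x08
FLAG_HEX, FLAG_SESSION, FLAG_IDENTIFIER = 0x10, 0x20, 0x40
FLAG_NAMES = [(FLAG_STREAM, "stream"), (FLAG_SYN, "syn"), (FLAG_ACK, "ack"),
              (FLAG_RST, "rst"), (FLAG_HEX, "hex"), (FLAG_SESSION, "session"),
              (FLAG_IDENTIFIER, "identifier")]
ERR_NAMES = {0: "success", 1: "busy", 2: "invalidstate", 3: "confin",
             4: "badseqnum", 5: "not_implemented", 0xFFFFFFFF: "contest"}


def netbios_encode(raw):
    """NetBIOS-style first-level encoding: each byte becomes two letters A..P."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)


def netbios_decode(label):
    """Inverse of netbios_encode; a trailing unpaired character is ignored."""
    label = label.upper()
    return bytes((((ord(label[i]) - 0x41) & 0xF) << 4) |
                 ((ord(label[i + 1]) - 0x41) & 0xF)
                 for i in range(0, len(label) - 1, 2))


def build_query_name(flags, payload=b"", session=None, seqnum=None,
                     identifier=None, err=0, domain="example", garbage="zz",
                     tld="com", signature="dnscat"):
    """Assemble a constructed query name in the layout decode_query_name expects."""
    labels = [signature, "%08x" % flags]
    if flags & FLAG_IDENTIFIER:
        labels.append(identifier)
    if flags & FLAG_SESSION:
        labels.append(session)
    if flags & FLAG_STREAM:
        labels.append(seqnum)
    if flags & FLAG_RST:
        labels += ["%08x" % err, garbage, domain]
    else:
        encoded = (binascii.hexlify(payload).decode() if flags & FLAG_HEX
                   else netbios_encode(payload))
        # A DNS label holds at most 63 characters; 62 keeps the digit pairs intact.
        chunks = [encoded[i:i + 62] for i in range(0, len(encoded), 62)]
        labels += ["%08x" % len(chunks)] + chunks + [domain, garbage]
    return ".".join(labels + [tld])


def decode_query_name(name):
    """Split one dnscat query name into its fields (ValueError if malformed)."""
    labels = [l for l in name.split(".") if l]
    if len(labels) < 4:
        raise ValueError("not a dnscat name: %r" % name)
    labels.pop()                                  # top-level domain
    fields = {"signature": labels.pop(0)}
    flags = int(labels.pop(0), 16)
    fields["flags"] = [n for bit, n in FLAG_NAMES if flags & bit]
    if flags & FLAG_IDENTIFIER:
        fields["identifier"] = labels.pop(0)
    if flags & FLAG_SESSION:
        fields["session"] = labels.pop(0)
    if flags & FLAG_STREAM:
        fields["seqnum"] = labels.pop(0)
    if flags & FLAG_RST:                          # reset: error code, no payload
        fields["err"] = ERR_NAMES.get(int(labels.pop(0), 16), "unknown")
        fields["garbage"], fields["domain"] = labels[0], labels[1]
        fields["data"] = b""
    else:                                         # data: count, chunks..., domain, garbage
        fields["count"] = labels.pop(0)
        fields["garbage"] = labels.pop()
        fields["domain"] = labels.pop()
        decode = binascii.unhexlify if flags & FLAG_HEX else netbios_decode
        fields["data"] = b"".join(decode(l) for l in labels)
    return fields


def reassemble_sessions(names):
    """Group payload by session id and concatenate it in sequence-number order."""
    streams = {}
    for name in names:
        f = decode_query_name(name)
        if "rst" in f["flags"]:
            continue
        seq = int(f.get("seqnum", "0"), 16)
        streams.setdefault(f.get("session", "-"), []).append((seq, f["data"]))
    return {sid: b"".join(d for _, d in sorted(parts))
            for sid, parts in streams.items()}
```

Feeding `reassemble_sessions` the CNAME query names pulled from a capture (the script above shows where to get them with dpkt) gives one byte string per dnscat session, which is easier to read than the per-packet output.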
Categories: Network, Python, Tech

inception — unlock any machine via firewire and then defeat BitLocker, TrueCrypt, FileVault, etc

December 23, 2012

https://github.com/carmaa/inception

Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any machine you have physical access to.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks in order to unlock live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other (and better) ways to hack a machine that doesn’t pack encryption.

The tool works over any interface that expands and can master the PCIe bus. This includes FireWire, Thunderbolt, ExpressCard and PCMCIA (PC-Card).

More importantly, this works on Windows 8/7/Vista/XP, Mac OSX 10.5 -> 10.8, Ubuntu 11.04+, and Linux Mint 12+.

How it works

http://www.breaknenter.org/projects/inception

Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE 1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.

An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the nerdy equivalent of a memory inception.

This will certainly add a new dimension to penetration tests that I perform…

SQLMap plugin for Burp

December 17, 2012

InfosecInstitute.com has a great article on integrating SQLMap with Burp.

What is SQLMAP?

SQLMAP is an open source penetration testing tool that helps in automating the process of detecting and exploiting SQL injection vulnerabilities and taking full access over the database servers. SQLMAP comes with a powerful detection engine, many niche features for the penetration tester, and a wide range of switches ranging from database fingerprinting and data fetching from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

What is SQLMAP burp plug-in?

When we audit a web application, we normally configure an intermediate proxy to have more control over the request and response parameters.

The SQLMAP plug-in is an add-on feature that we can configure in Burp, through which we can redirect a URL or a request directly to SQLMAP with a single mouse click.


Categories: Network, Tech

SSL Transitive Trust

November 22, 2012

Is your browser vulnerable to common SSL flaws? Find out here: http://ssltest.offenseindepth.com/

From this great article on SSL:

While the flaws can be difficult to test, many can be exposed by visiting a web server that intentionally presents a malformed certificate and observing the result. To ease this process, Dell SecureWorks researchers have developed a website (https://ssltest.offenseindepth.com) that tests for many of these flaws.

Categories: Network, Tech

XCA: Cross platform GUI for creating SSL certs with OpenSSL

August 9, 2012

http://sourceforge.net/projects/xca/

There are some of you who know your way around OpenSSL’s options in your sleep, but for me, I found this tool to be very helpful in learning the available options *and* creating SSL certificates for testing purposes with those options.

Works on Linux, Windows, BSD, and OS X.

Features

  • Start your own PKI and create all kinds of certificates, requests or CRLs
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to an OpenSSL config file
  • Create name and/or extension templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Supports v3 extensions as flexibly as OpenSSL, but in a more user-friendly way
Categories: Apple, Linux, Network, Tech, Windows

What exactly is Representational State Transfer (REST)?

May 16, 2012

This is one of the best explanations of REST that I have seen; it is spot-on.

In fact, as you browse this website (or basically any website), you are using an implementation of REST known as the world wide web.

I’ve copied/pasted the content for posterity:


Wife: Who is Roy Fielding?

Ryan: Some guy. He’s smart.

Wife: Oh? What did he do?

Ryan: He helped write the first web servers and then did a ton of research explaining why the web works the way it does. His name is on the specification for the protocol that is used to get pages from servers to your browser.

Wife: How does it work?

Ryan: The web?

Wife: Yeah.

Ryan: Hmm. Well, it’s all pretty amazing really. And the funny thing is that it’s all very undervalued. The protocol I was talking about, HTTP, it’s capable of all sorts of neat stuff that people ignore for some reason.

Wife: You mean http like the beginning of what I type into the browser?

Ryan: Yeah. That first part tells the browser what protocol to use. That stuff you type in there is one of the most important breakthroughs in the history of computing.

Wife: Why?

Ryan: Because it is capable of describing the location of something anywhere in the world from anywhere in the world. It’s the foundation of the web. You can think of it like GPS coordinates for knowledge and information.

Wife: For web pages?

Ryan: For anything really. That guy, Roy Fielding, he talks a lot about what those things point to in that research I was talking about. The web is built on an architectural style called REST. REST provides a definition of a resource, which is what those things point to.

Wife: A web page is a resource?

Ryan: Kind of. A web page is a representation of a resource. Resources are just concepts. URLs—those things that you type into the browser…

Wife: I know what a URL is.

Ryan: Oh, right. Those tell the browser that there’s a concept somewhere. A browser can then go ask for a specific representation of the concept. Specifically, the browser asks for the web page representation of the concept.

Wife: What other kinds of representations are there?

Ryan: Actually, representations is one of these things that doesn’t get used a lot. In most cases, a resource has only a single representation. But we’re hoping that representations will be used more in the future because there’s a bunch of new formats popping up all over the place.

Wife: Like what?

Ryan: Hmm. Well, there’s this concept that people are calling Web Services. It means a lot of different things to a lot of different people but the basic concept is that machines could use the web just like people do.

Wife: Is this another robot thing?

Ryan: No, not really. I don’t mean that machines will be sitting down at the desk and browsing the web. But computers can use those same protocols to send messages back and forth to each other. We’ve been doing that for a long time but none of the techniques we use today work well when you need to be able to talk to all of the machines in the entire world.

Wife: Why not?

Ryan: Because they weren’t designed to be used like that. When Fielding and his buddies started building the web, being able to talk to any machine anywhere in the world was a primary concern. Most of the techniques we use at work to get computers to talk to each other didn’t have those requirements. You just needed to talk to a small group of machines.

Wife: And now you need to talk to all the machines?

Ryan: Yes – and more. We need to be able to talk to all machines about all the stuff that’s on all the other machines. So we need some way of having one machine tell another machine about a resource that might be on yet another machine.

Wife: What?

Ryan: Let’s say you’re talking to your sister and she wants to borrow the sweeper or something. But you don’t have it – your Mom has it. So you tell your sister to get it from your Mom instead. This happens all the time in real life and it happens all the time when machines start talking too.

Wife: So how do the machines tell each other where things are?

Ryan: The URL, of course. If everything that machines need to talk about has a corresponding URL, you’ve created the machine equivalent of a noun. That you and I and the rest of the world have agreed on talking about nouns in a certain way is pretty important, eh?

Wife: Yeah.

Ryan: Machines don’t have a universal noun – that’s why they suck. Every programming language, database, or other kind of system has a different way of talking about nouns. That’s why the URL is so important. It lets all of these systems tell each other about each other’s nouns.

Wife: But when I’m looking at a web page, I don’t think of it like that.

Ryan: Nobody does. Except Fielding and a handful of other people. That’s why machines still suck.

Wife: What about verbs and pronouns and adjectives?

Ryan: Funny you asked because that’s another big aspect of REST. Well, verbs are anyway.

Wife: I was just joking.

Ryan: It was a funny joke but it’s actually not a joke at all. Verbs are important. There’s a powerful concept in programming and CS theory called polymorphism. That’s a geeky way of saying that different nouns can have the same verb applied to them.

Wife: I don’t get it.

Ryan: Well... Look at the coffee table. What are the nouns? Cup, tray, newspaper, remote. Now, what are some things you can do to all of these things?

Wife: I don’t get it…

Ryan: You can get them, right? You can pick them up. You can knock them over. You can burn them. You can apply those same exact verbs to any of the objects sitting there.

Wife: Okay… so?

Ryan: Well, that’s important. What if instead of me being able to say to you, “get the cup,” and “get the newspaper,” and “get the remote”; what if instead we needed to come up with different verbs for each of the nouns? I couldn’t use the word “get” universally, but instead had to think up a new word for each verb/noun combination.

Wife: Wow! That’s weird.

Ryan: Yes, it is. Our brains are somehow smart enough to know that the same verbs can be applied to many different nouns. Some verbs are more specific than others and apply only to a small set of nouns. For instance, I can’t drive a cup and I can’t drink a car. But some verbs are almost universal like GET, PUT, and DELETE.

Wife: You can’t DELETE a cup.

Ryan: Well, okay, but you can throw it away. That was another joke, right?

Wife: Yeah.

Ryan: So anyway, HTTP—this protocol Fielding and his friends created—is all about applying verbs to nouns. For instance, when you go to a web page, the browser does an HTTP GET on the URL you type in and back comes a web page.

Web pages usually have images, right? Those are separate resources. The web page just specifies the URLs to the images and the browser goes and does more HTTP GETs on them until all the resources are obtained and the web page is displayed. But the important thing here is that very different kinds of nouns can be treated the same. Whether the noun is an image, text, video, an mp3, a slideshow, whatever. I can GET all of those things the same way given a URL.

Wife: Sounds like GET is a pretty important verb.

Ryan: It is. Especially when you’re using a web browser because browsers pretty much just GET stuff. They don’t do a lot of other types of interaction with resources. This is a problem because it has led many people to assume that HTTP is just for GETing. But HTTP is actually a general purpose protocol for applying verbs to nouns.

Wife: Cool. But I still don’t see how this changes anything. What kinds of nouns and verbs do you want?

Ryan: Well the nouns are there but not in the right format.

Think about when you’re browsing around amazon.com looking for things to buy me for Christmas. Imagine each of the products as being nouns. Now, if they were available in a representation that a machine could understand, you could do a lot of neat things.

Wife: Why can’t a machine understand a normal web page?

Ryan: Because web pages are designed to be understood by people. A machine doesn’t care about layout and styling. Machines basically just need the data. Ideally, every URL would have a human readable and a machine readable representation. When a machine GETs the resource, it will ask for the machine readable one. When a browser GETs a resource for a human, it will ask for the human readable one.

Wife: So people would have to make machine formats for all their pages?

Ryan: If it were valuable.

Look, we’ve been talking about this with a lot of abstraction. How about we take a real example. You’re a teacher – at school I bet you have a big computer system, or three or four computer systems more likely, that let you manage students: what classes they’re in, what grades they’re getting, emergency contacts, information about the books you teach out of, etc. If the systems are web-based, then there’s probably a URL for each of the nouns involved here: student, teacher, class, book, room, etc. Right now, getting the URL through the browser gives you a web page. If there were a machine readable representation for each URL, then it would be trivial to latch new tools onto the system because all of that information would be consumable in a standard way. It would also make it quite a bit easier for each of the systems to talk to each other. Or, you could build a state or country-wide system that was able to talk to each of the individual school systems to collect testing scores. The possibilities are endless.

Each of the systems would get information from each other using a simple HTTP GET. If one system needs to add something to another system, it would use an HTTP POST. If a system wants to update something in another system, it uses an HTTP PUT. The only thing left to figure out is what the data should look like.

Wife: So this is what you and all the computer people are working on now? Deciding what the data should look like?

Ryan: Sadly, no. Instead, the large majority are busy writing layers of complex specifications for doing this stuff in a different way that isn’t nearly as useful or eloquent. Nouns aren’t universal and verbs aren’t polymorphic. We’re throwing out decades of real field usage and proven technique and starting over with something that looks a lot like other systems that have failed in the past. We’re using HTTP but only because it helps us talk to our network and security people less. We’re trading simplicity for flashy tools and wizards.

Wife: Why?

Ryan: I have no idea.

Wife: Why don’t you say something?

Ryan: Maybe I will.
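The two ideas the dialogue keeps returning to, one set of verbs applied to every noun and a machine-readable plus a human-readable representation of the same resource, fit in a few lines of code. The following is an added example and is not part of the quoted conversation or its author's work: a toy handler in which the URL path is the noun, GET/PUT/POST/DELETE are the only verbs, and the Accept header decides whether the caller gets JSON or HTML. The resource store, the school-system paths and the function names (`new_store`, `represent`, `next_child`, `handle`) are constructed for the example.

```python
# Added example, not from the quoted dialogue or its author. A toy uniform
# interface: the same HTTP verbs are applied to every resource (noun) and the
# representation is chosen from the client's Accept header, so one handler
# serves people (HTML) and machines (JSON). Resources are constructed samples.
import json
from html import escape


def new_store():
    """Constructed resource state, keyed by URL path (the noun)."""
    return {
        "/students/42": {"name": "Ada", "class": "/classes/7"},
        "/classes/7": {"title": "Algebra", "room": "/rooms/3"},
    }


def represent(path, state, accept):
    """Return (content_type, body): JSON for machines, HTML for people."""
    if "application/json" in accept:
        return "application/json", json.dumps(dict(state, url=path))
    # Escaping keeps resource values from being interpreted as markup.
    items = "".join("<li>%s: %s</li>" % (escape(k), escape(str(v)))
                    for k, v in state.items())
    return "text/html", "<h1>%s</h1><ul>%s</ul>" % (escape(path), items)


def next_child(store, collection):
    """Next numeric child URL under a collection, e.g. /students -> /students/43."""
    ids = [int(p.rsplit("/", 1)[1]) for p in store
           if p.startswith(collection + "/") and p.rsplit("/", 1)[1].isdigit()]
    return "%s/%d" % (collection, max(ids, default=0) + 1)


def handle(method, path, accept="text/html", body=None, store=None):
    """Apply one HTTP verb to one noun; returns (status, content_type, body).

    GET is safe (it never changes state), PUT and DELETE are idempotent, and
    POST creates a new child of a collection and reports the child's URL.
    """
    if store is None:
        store = new_store()
    if method == "GET":
        if path not in store:
            return 404, "text/plain", "no such resource"
        ctype, rep = represent(path, store[path], accept)
        return 200, ctype, rep
    if method == "PUT":
        store[path] = dict(body or {})
        return 204, "text/plain", ""
    if method == "POST":
        child = next_child(store, path.rstrip("/"))
        store[child] = dict(body or {})
        return 201, "text/plain", child
    if method == "DELETE":
        if store.pop(path, None) is None:
            return 404, "text/plain", "no such resource"
        return 204, "text/plain", ""
    # Any verb outside the uniform interface is refused rather than guessed at.
    return 405, "text/plain", "method not allowed"
```

Note that nothing in `handle` is specific to students or classes: adding a new kind of noun means adding a path, not a new verb, which is the polymorphism the dialogue describes.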

Categories: Network, Tech

pcap network analysis parsing tools

March 14, 2012

I’ve talked about using the Perl script Chaosreader to parse pcap network captures before. I still use it regularly and it works very well.

However, as an alternative, check out Network Miner. It comes in a free and paid version and runs on Windows (requires the .NET Framework) or Linux (via Mono runtime).

Categories: Network, Tech

Creating virtual access points with Windows 7

August 29, 2010

Previously, I had always believed that the only way you could create a fake (aka virtual) access point was using a wireless card that supported monitor mode, Linux, and software like hostapd. Well, with the introduction of Windows Vista/7, Microsoft now requires certified drivers to support monitor mode, which allows the user to (among other things) create virtual access points.

Two free programs that take advantage of this are Connectify (free) and an open-source project (currently in beta) called Virtual Router. Turning your internet-connected system into an access point can be useful for certain types of penetration testing, as well as just to allow those around you to access your internet connection if they are unable to get connectivity.

Connectify Demo:

For more information about Virtual Router, check out the detailed review on freeware genius.

Categories: Network, Tech, Windows

802.11 Attacks

August 29, 2010

Brad Antoniewicz, a senior security consultant at Foundstone, has published a whitepaper that provides a step-by-step walkthrough of popular 802.11 attacks. It’s very well written, and assumes the reader is a bit of a novice in the realm of 802.11 attacks. Great read.

On a slightly different topic, Josh Wright published a very interesting whitepaper: Vista Wireless Power Tools for the Penetration Tester

This paper is designed to illustrate the Vista tools useful for wireless penetration testing, the format of which is designed to be easy to read and utilize as a learning tool. Designed after the timeless work of “Unix Power Tools” by Sherry Powers, et al, this paper presents several “article-ettes” describing the requirements, Vista features and solutions for challenges faced by a penetration tester attacking wireless networks.
This paper also presents two new tools, vistarfmon and nm2lp, both available on the InGuardians Tools page.
Categories: Linux, Network, Tech, Windows