Difference between revisions of "Summerschool Aachen 2004/Sniffing & Spoofing Lab"

From C4 Wiki
m (ettercap 0.8 cmd lines)
m (Reverted edits by Oxudocopaj (talk) to last revision by Mario Manno)
 
(10 intermediate revisions by 9 users not shown)
Sections present only in the earlier revision:

The slides can be found [http://www.mmweg.rwth-aachen.de/~thorsten.holz/sniffing.pdf here]

== ettercap 0.8 cmd lines ==

with 10.0.0.1 as gw and 10.0.0.100 as client

 ettercap -T -M arp:remote /10.0.0.1/ /10.0.0.100/

== dsniff related links ==

* [http://www.monkey.org/~dugsong/john-1.6.krb4.patch-3 john kerberos patch]
* [http://www.monkey.org/~dugsong/kdcspoof.tar.gz kerberos spoof]
* [http://www.monkey.org/~dugsong/kdcspoof.tar.gz dsniff libnids wlan patch]

[[Category:Summerschools]]
[[Category:Events]]
[[Category:Hacks]]

Latest revision as of 17:36, 24 November 2010

Notes on Lab Session

Installing a DHCP server and Using Sniffing and Spoofing Tools

I used this lab session with Flwong in order to install a DHCP server on a notebook and to prepare a DoS attack on the currently used DHCP server in order to use our DHCP server for spoofing wrong name server addresses, etc. However, as almost everybody left after 6 pm we did not have any time to launch the attack after installing the DHCP server. After everybody had already left, Ilja and I stayed at the department and I further tested some sniffing and spoofing tools such as tcpdump, ethereal (with hping2), nmapfe, etc., so I got home at about 10 pm.

-- Samad Nasserian


Implementing the RST attack in Perl

I have used this lab session to implement an RST-based attack in a few lines of Perl code, after Lutz had already written a shell script for it using nemesis and I had found out that we don't have a switch available which would allow me to have some fun with TSP. I used Net::RawIP to create the RST packets and basically loop creating more packets until the connection dies and the user cancels the script. This is pretty basic stuff, but I now finally got to actually using the mentioned module. Thanks to Mario, Thorsten and Chris for hinting me on one or the other occasion.

Work for the weekend might include semi-automating the script so you only give it a target IP (or a range of such) and it detects connections and automatically gets the needed header fields to construct the right RST packets.

-- Ernest Hammerschmidt


perl sucks (sometimes)

I've done the TCP reset attack in Perl, using Net::RawIP, too. Interestingly enough, with some special source/destination address combinations Net::RawIP does not send the generated frame on the NIC with FreeBSD. After having done that, I tried to build ARP packets with different Perl packages. It turned out that none of these packages, which I supposed to work with Linux, did any reasonable work on my FreeBSD system.

--Cpunkt 10:06, 27 Sep 2004 (CEST)


Cows and sharks

I made a TCP reset tool in Perl (which was a lot easier than I thought it would be) called cow.pl, which can be found at http://ilja.netric.org/lab/sniffspoof/cow.pl. After that I made an ARP poisoning tool in C. I first wanted to implement it in Perl with some nifty library, but as it turns out there is no such library :( so I had to write it in C, which normally takes a lot longer. Luckily I had written some ARP tools in C before, and could reuse a large part of that code. I named it shark, which can be found at http://ilja.netric.org/lab/sniffspoof/shark.c.

-- Ilja van Sprundel
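As an added, defender-side example (not code from this page, nor from cow.pl, shark or ettercap): a small Python checker over constructed `tcpdump -n arp`-style lines that flags the two on-wire symptoms of the ARP poisoning described in the posts above, an IP whose advertised MAC changes and one MAC answering for several IPs. The sample lines, the 00:11:22:33:44:xx MACs and the `known` baseline parameter are assumptions; the 10.0.0.1 gateway and 10.0.0.100 client addresses follow the page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n arp` output (not a real capture).
# Lines 1-4: the normal gateway/client exchange. Lines 5-6: unsolicited replies
# that bind both addresses to a third MAC, as an ARP-poisoning MITM looks on the wire.
SAMPLE_LINES = """\
10:06:01.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.100, length 28
10:06:01.000250 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
10:06:02.000001 ARP, Request who-has 10.0.0.100 tell 10.0.0.1, length 28
10:06:02.000250 ARP, Reply 10.0.0.100 is-at 00:11:22:33:44:64, length 28
10:06:10.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:ee, length 28
10:06:10.000900 ARP, Reply 10.0.0.100 is-at 00:11:22:33:44:ee, length 28
""".splitlines()

REPLY_RE = re.compile(r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F:]{17})")

def iter_replies(lines):
    """Yield (ip, mac) for every ARP reply line; requests are ignored."""
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def detect_mac_changes(lines, known=None):
    """Return [(ip, old_mac, new_mac)] for IPs whose advertised MAC changes.

    The first binding seen is trusted unless `known` (an assumed trusted
    ip->mac table, e.g. from a baseline capture) is supplied, so a poisoned
    first reply is not silently accepted as the truth.
    """
    seen, alerts = dict(known or {}), []
    for ip, mac in iter_replies(lines):
        if ip not in seen:
            seen[ip] = mac
        elif seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
    return alerts

def shared_mac_claims(lines):
    """Return {mac: [ips]} for any MAC answering for more than one IP.

    One host answering for both the gateway and a client is the signature of
    the bidirectional poisoning the posts above describe.
    """
    claims = defaultdict(list)
    for ip, mac in iter_replies(lines):
        if ip not in claims[mac]:
            claims[mac].append(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}
```

Both checks are heuristics: a legitimate NIC replacement or a VRRP/HSRP failover also moves an IP to a new MAC, so a hit should be compared against a maintained baseline (as arpwatch does) before it is treated as poisoning.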