Difference between revisions of "Summerschool Aachen 2004/Building Attacks Lab"
= Notes on Lab Session =

== Google and special characters ==

The star * and the full stop . do not work as wildcards.

--[[Alexander Becher]]

== Linux clock timings ==

These show some measurements I have taken on the Linux 2.4 kernel clock using gettimeofday(). This returns results with microsecond precision, so I wanted to make sure that this precision was significant. These graphs show that both the millisecond and microsecond parts give fairly uniform results.

'''Milliseconds'''<br>
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_msec.png

'''Microseconds'''<br>
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_usec.png

-- [[Steven Murdoch]]

A comment from the NetBSD 1.6.2 Kernel, file src/sys/kern/kern_microtime.c:
 /*
  * Ordinarily, the current clock time is guaranteed to be later
  * by at least one microsecond than the last time the clock was
  * read. However, this rule applies only if the current time is
  * within one second of the last time. Otherwise, the clock will
  * (shudder) be set backward. The clock adjustment daemon or
  * human equivalent is presumed to be correctly implemented and
  * to set the clock backward only upon unavoidable crisis.
  */

== A mathematical theory of communication ==

I've uploaded this famous paper by C.E. Shannon to http://berlin.ccc.de/~cc/shannon-a_mathematical_theory_of_communication.pdf.<br />
You may download it, if you're interested.

--[[User:Cpunkt|Cpunkt]] 12:21, 23 Sep 2004 (CEST)

== Billy the kid ==

[http://home.student.utwente.nl/g.v.berg/btk/ a python lib that allows you to make raw sockets.]

== Google Search String Competition ==

Insert here your favorite (novel) search strings:

* [http://www.google.de/search?hl=en&ie=UTF-8&as_qdr=all&q=inurl%3A%22robots.txt%22+Disallow+secret&btnG=Search inurl:"robots.txt" Disallow secret]
* [http://www.google.com/search?q=inurl:%22robots.txt%22+Disallow+(secret%7Cadmin%7Cstat%7Cstats%7Cconfig%7Cconf%7Cinc%7Cinclude%7Cintern%7Cinterneal)&ie=UTF-8&oe=UTF-8 inurl:"robots.txt" Disallow (secret|admin|stat|stats|config|conf|inc|include|intern|interneal)]
* [http://www.google.de/search?hl=en&ie=UTF-8&q=%22phpScheduleIt+v1.0.0+RC1%22&btnG=Google+Search "phpScheduleIt v1.0.0 RC1"] - Get a free homepage (see bug report [http://www.securityfocus.com/bid/11080 Bugtraq 11080])

== nmap - always print fingerprint bad bad idea ==

 diff -Nau nmap-3.70/output.cc nmap-3.70.mm/output.cc
 --- nmap-3.70/output.cc 2004-08-29 11:12:03.000000000 +0200
 +++ nmap-3.70.mm/output.cc 2004-09-23 19:14:13.000000000 +0200
 @@ -353,7 +353,8 @@
 snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol);
 state = statenum2str(current->state);
 current->getServiceDeductions(&sd);
 - if (sd.service_fp && saved_servicefps.size() <= 8)
 + // always print the fingerprint
 + if (sd.service_fp)
 saved_servicefps.push_back(sd.service_fp);
 
 if (o.rpcscan) {
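Review bot: dropping the <code>saved_servicefps.size() <= 8</code> guard removes the only bound on how many service fingerprints are collected for printing, so a scan of many ports with unidentified services grows the report (and the memory held in <code>saved_servicefps</code>) without limit; keep a cap, or make "print every fingerprint" an explicit command-line option instead of the unconditional <code>if (sd.service_fp)</code>.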
 diff -Nau nmap-3.70/service_scan.cc nmap-3.70.mm/service_scan.cc
 --- nmap-3.70/service_scan.cc 2004-08-29 11:12:03.000000000 +0200
 +++ nmap-3.70.mm/service_scan.cc 2004-09-23 19:20:57.000000000 +0200
 @@ -1825,6 +1825,9 @@
 
 if (MD && MD->serviceName) {
 // WOO HOO!!!!!! MATCHED! But might be soft
 + // mm: print a fingerprint everytime
 + svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);
 +
 if (MD->isSoft && svc->probe_matched) {
 if (strcmp(svc->probe_matched, MD->serviceName) != 0)
 error("WARNING: service %s:%hi had allready soft-matched %s, but now soft-matched %s; ignoring second value\n", svc->target->NameIP(), svc->portno, svc->probe_matched, MD->serviceName);
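Review bot: the new <code>svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);</code> call runs before the soft-match handling, so a second soft match that the code right below explicitly discards ("ignoring second value") still has its probe response appended to the fingerprint; move the call after the <code>if (MD->isSoft && svc->probe_matched)</code> block, or restrict it to hard matches, so the recorded fingerprint reflects only the result nmap actually keeps. Minor: "everytime" in the added comment should be "every time".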
 @@ -1967,7 +1970,8 @@
 *(*svc)->product_matched? (*svc)->product_matched : NULL,
 *(*svc)->version_matched? (*svc)->version_matched : NULL,
 *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL,
 - NULL);
 + (*svc)->getServiceFingerprint(NULL));
 + //NULL); // always pass the fingerprint
 
 } else if ((*svc)->probe_state == PROBESTATE_FINISHED_SOFTMATCHED) {
 (*svc)->port->setServiceProbeResults((*svc)->probe_state,
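Review bot: the commented-out <code>//NULL); // always pass the fingerprint</code> line should be deleted rather than left inside the argument list (put the explanation on the live <code>(*svc)->getServiceFingerprint(NULL));</code> line instead); and only this <code>setServiceProbeResults</code> call is changed, while the <code>PROBESTATE_FINISHED_SOFTMATCHED</code> call that starts at the end of the hunk is untouched, so soft-matched services will not get their fingerprint passed through despite the "always print" intent. Apply the same replacement there if that is the goal.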
+ | |||
+ | --[[User:Mario Manno|MM]] 17:12, 5 Oct 2004 (CEST) | ||
+ | |||
+ | == Making a fingerprinter == | ||
+ | |||
+ | Yesterday I decided to make a (ring) fingerprinting tool in the labsession. the full description of this fingerprinting method is described in: [http://www.intranode.com/fr/doc/ring-full-paper.pdf http://www.intranode.com/fr/doc/ring-full-paper.pdf] It took a bit more work then I had planned (I'd also planned to play a little with the metasploit framework, but there was no time left) but eventually I got a perlscript which looks ok and which the perl interpreter seems to like. | ||
+ | I haven't tested it yet (when the code was finished it was already around 8 or so), but I'll try to test it today or tomorrow. | ||
+ | |||
+ | -- Ilja van Sprundel | ||
+ | |||
+ | == Tunnelling IP over DNS == | ||
+ | |||
+ | Although there are already tools available to do this (cf. [[http://nstx.dereference.de/nstx/ NSTX ]] and [[http://c0re.23.nu/c0de/snap/DeNiSe-snap-20021026.tar.gz DeNiSe]]), I decided it would be an interesting project to try during the afteroon. Working on OpenBSD, I started to write the client part of the code using libnet and libpcap (taking 'inspiration' from various places, including nos-tun). It took quite a while to work out simple things like the correct ioctls for the tun interface, but I've made enough progress that I think it might be nice to continue with this on the project day. I'll try to add some code to this entry once there's enough to be worth looking at! | ||
+ | |||
+ | -- [[Stephen Lewis]] | ||
+ | |||
+ | == Tunneling information through ICMP == | ||
+ | |||
+ | I've written a small perl script, which uses Net::RawIP to open a pcap listener and looks for ICMP packets with a special combination of type and code. If it sees such a packet, it interprets the payload as a command. Currently, it is possible to send it a "get file" command, which the scripts responds to by splitting the file into 32 bit chunks, sending them back to the requestor. The chunks are being encoded in the ID and sequence fields in the ICMP header. | ||
+ | I have not implemented some kind of flow control yet. This should be done for real world use... | ||
+ | |||
+ | --[[User:Cpunkt|Cpunkt]] 09:58, 27 Sep 2004 (CEST) | ||
+ | |||
[[Category:Summerschools]]
[[Category:Hacks]]
Latest revision as of 22:23, 24 September 2018