Summerschool Aachen 2004/Building Attacks Lab
Notes on Presentations
Network Basics
The slides can be found here
The second lecture today will cover the basics of network programming. Here are a few links that could help you during the lab session:
- Socket Programming in Perl
- Socket Programming in Python
- A Crash Course in UNIX TCP/IP Socket Programming in C
- An Introduction to Socket Programming in C
- Libnet Packet Construction Library Developer Documentation for libnet 1.1.x, documentation from Fred
- Socket Tutorial in C
- UNIX Network Programming with many examples
- Beej's Guide to Network Programming
- Unix Socket FAQ
- Twisted, an event-driven networking framework written in Python, pdf-file
- POE - Perl Object Environment, really simple servers
- Simple webserver in perl
- python module for libpcap
- Programming with pcap in C
- Packet Capture With libpcap and other Low Level Network Tricks
- Documentation to Net::RawIP
- Ruby/Pcap extension library
- Libnet documentation
- Search for RFCs
Linux clock timings
These show some measurements I have taken on the Linux 2.4 kernel clock using gettimeofday(). This returns results with microsecond precision, so I wanted to make sure that this precision was significant. These graphs show that both the millisecond and microsecond parts give fairly uniform results.
Milliseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_msec.png
Microseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_usec.png
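A measurement of this kind can be reproduced along the following lines. This is an added example, not the code behind the graphs above; the bin count, sample count, pause range and the use of a chi-square statistic are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* nanosleep() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <time.h>

#define BINS 10  /* each bin covers 100 of the 1000 possible values */

/* Split each tv_usec into its millisecond part (0..999) and microsecond
 * part (0..999) and count both in BINS-wide histograms. */
void bucket(const struct timeval *tv, size_t n,
            unsigned long ms[BINS], unsigned long us[BINS])
{
    for (size_t i = 0; i < BINS; i++) ms[i] = us[i] = 0;
    for (size_t i = 0; i < n; i++) {
        ms[(tv[i].tv_usec / 1000) * BINS / 1000]++;
        us[(tv[i].tv_usec % 1000) * BINS / 1000]++;
    }
}

/* Pearson chi-square statistic against a flat distribution. With 10 bins
 * (9 degrees of freedom), values above 21.67 reject uniformity at 1%. */
double chi_square(const unsigned long h[BINS], size_t n)
{
    double expect = (double)n / BINS, x2 = 0.0;
    for (size_t i = 0; i < BINS; i++) {
        double d = (double)h[i] - expect;
        x2 += d * d / expect;
    }
    return x2;
}

int main(void)
{
    enum { N = 1000 };            /* assumed sample count, about 5 s run */
    static struct timeval tv[N];
    unsigned long ms[BINS], us[BINS];
    srand((unsigned)time(NULL));
    for (int i = 0; i < N; i++) {
        /* Irregular 0..10 ms gap so samples are not locked to the tick. */
        struct timespec gap = { 0, (rand() % 10000) * 1000L };
        nanosleep(&gap, NULL);
        gettimeofday(&tv[i], NULL);
    }
    bucket(tv, N, ms, us);
    printf("msec part: chi2 = %.2f\n", chi_square(ms, N));
    printf("usec part: chi2 = %.2f\n", chi_square(us, N));
    return 0;
}
```

Because the run spans only a few seconds, the millisecond histogram carries a small edge effect from the partial final second; raising N reduces it.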
A mathematical theory of communication
I've uploaded this famous paper by C.E. Shannon to http://berlin.ccc.de/~cc/shannon-a_mathematical_theory_of_communication.pdf.
You may download it, if you're interested.
--Cpunkt 12:21, 23 Sep 2004 (CEST)
Billy the kid
A Python lib that allows you to make raw sockets.
Notes on Lab Session
Google Search String Competition
Insert your favorite (novel) search strings here:
- inurl:"robots.txt" Disallow secret
- inurl:"robots.txt" Disallow (secret|admin|stat|stats|config|conf|inc|include|intern|interneal)
- "phpScheduleIt v1.0.0 RC1" - Get a free homepage (see bug report Bugtraq 11080)
nmap - always print fingerprint bad bad idea
diff -Nau nmap-3.70/output.cc nmap-3.70.mm/output.cc --- nmap-3.70/output.cc 2004-08-29 11:12:03.000000000 +0200 +++ nmap-3.70.mm/output.cc 2004-09-23 19:14:13.000000000 +0200 @@ -353,7 +353,8 @@ snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol); state = statenum2str(current->state); current->getServiceDeductions(&sd); - if (sd.service_fp && saved_servicefps.size() <= 8) + // always print the fingerprint + if (sd.service_fp) saved_servicefps.push_back(sd.service_fp); if (o.rpcscan) { diff -Nau nmap-3.70/service_scan.cc nmap-3.70.mm/service_scan.cc --- nmap-3.70/service_scan.cc 2004-08-29 11:12:03.000000000 +0200 +++ nmap-3.70.mm/service_scan.cc 2004-09-23 19:20:57.000000000 +0200 @@ -1825,6 +1825,9 @@ if (MD && MD->serviceName) { // WOO HOO!!!!!! MATCHED! But might be soft + // mm: print a fingerprint everytime + svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen); + if (MD->isSoft && svc->probe_matched) { if (strcmp(svc->probe_matched, MD->serviceName) != 0) error("WARNING: service %s:%hi had allready soft-matched %s, but now soft-matched %s; ignoring second value\n", svc->target->NameIP(), svc->portno, svc->probe_matched, MD->serviceName); @@ -1967,7 +1970,8 @@ *(*svc)->product_matched? (*svc)->product_matched : NULL, *(*svc)->version_matched? (*svc)->version_matched : NULL, *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL, - NULL); + (*svc)->getServiceFingerprint(NULL)); + //NULL); // always pass the fingerprint } else if ((*svc)->probe_state == PROBESTATE_FINISHED_SOFTMATCHED) { (*svc)->port->setServiceProbeResults((*svc)->probe_state,
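Review bot: In the output.cc hunk (@@ -353), dropping `saved_servicefps.size() <= 8` removes the only bound on `saved_servicefps`, so the vector now grows by one entry for every port that has a `service_fp`, and a scan over a large port range will store and print all of them. Keep a bound, or put the unbounded behaviour behind an option that is off by default, rather than deleting the check.

Review bot: In the service_scan.cc hunk at @@ -1825, the new `svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);` sits before the `MD->isSoft` test, so it runs on soft matches as well as hard ones and can append a response again when a later probe matches the same service. Say in the comment whether that is intended, and confirm that the first argument is meant to carry the matched service name, since the hunk does not show how that parameter is used.

Review bot: In the service_scan.cc hunk at @@ -1967, the replaced argument is left behind as `//NULL); // always pass the fingerprint`, which is dead code trailing the call's closing parenthesis. Delete that line, move the explanation into a comment above the call, and state who owns the string returned by `getServiceFingerprint(NULL)` for as long as `setServiceProbeResults` holds on to it.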
Making a fingerprinter
Yesterday I decided to make a (ring) fingerprinting tool in the lab session. The full description of this fingerprinting method is in http://www.intranode.com/fr/doc/ring-full-paper.pdf. It took a bit more work than I had planned (I'd also planned to play a little with the Metasploit framework, but there was no time left), but eventually I got a Perl script which looks OK and which the Perl interpreter seems to like. I haven't tested it yet (when the code was finished it was already around 8 or so), but I'll try to test it today or tomorrow.
-- Ilja van Sprundel
Tunnelling IP over DNS
Although there are already tools available to do this (cf. [NSTX] and [DeNiSe]), I decided it would be an interesting project to try during the afternoon. Working on OpenBSD, I started to write the client part of the code using libnet and libpcap (taking 'inspiration' from various places, including nos-tun). It took quite a while to work out simple things like the correct ioctls for the tun interface, but I've made enough progress that I think it might be nice to continue with this on the project day. I'll try to add some code to this entry once there's enough to be worth looking at!