Difference between revisions of "Summerschool Aachen 2004/Building Attacks Lab"

From C4 Wiki
 
* [http://www.google.de/search?hl=en&ie=UTF-8&as_qdr=all&q=inurl%3A%22robots.txt%22+Disallow+secret&btnG=Search inurl:"robots.txt" Disallow secret]
 
* [http://www.google.de/search?hl=en&ie=UTF-8&q=%22phpScheduleIt+v1.0.0+RC1%22&btnG=Google+Search "phpScheduleIt v1.0.0 RC1"] - Get a free homepage (see bug report [http://www.securityfocus.com/bid/11080 Bugtraq 11080])
 
 
[[Category:Summerschools]]
 
[[Category:Events]]
 
[[Category:Hacks]]
 

Revision as of 18:31, 23 September 2004

Network Basics

The slides can be found here

Notes on Presentations

Network Basics

The second lecture today will cover the basics of network programming. Here are a few links that could help you during the lab session:

Linux clock timings

These show some measurements I have taken on the Linux 2.4 kernel clock using gettimeofday(). This returns results with microsecond precision, so I wanted to make sure that this precision was significant. These graphs show that both the millisecond and microsecond parts give fairly uniform results.

Milliseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_msec.png

Microseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_usec.png

-- Steven Murdoch
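The uniformity check behind the two graphs above, as an added example that is not Steven Murdoch's code: it samples gettimeofday(), histograms the millisecond part (tv_usec / 1000) and the microsecond part (tv_usec % 1000) separately, and compares each field with a flat distribution using a chi-square statistic. The analyse_synthetic helper, the BUCKETS constant and the sample count are my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

#define BUCKETS 1000   /* each sub-second field runs 0..999 */

struct field_stats { int distinct; double chi2; };

/* Histogram one field of tv_usec over the samples: the millisecond part
 * (tv_usec / 1000) or the remaining microsecond part (tv_usec % 1000),
 * and compare it with a flat distribution. distinct close to 1000 and a
 * small chi2 mean the field carries real resolution; a coarse clock (say
 * 10 us steps) leaves most buckets empty and chi2 explodes. */
static struct field_stats analyse(const struct timeval *s, int n, int usec_part) {
    unsigned hist[BUCKETS];
    struct field_stats r = { 0, 0.0 };
    double expected = (double)n / BUCKETS;
    memset(hist, 0, sizeof hist);
    for (int i = 0; i < n; i++)
        hist[usec_part ? s[i].tv_usec % 1000 : s[i].tv_usec / 1000]++;
    for (int b = 0; b < BUCKETS; b++) {
        double d = hist[b] - expected;
        if (hist[b]) r.distinct++;
        r.chi2 += d * d / expected;
    }
    return r;
}

/* Constructed samples, not a live clock: tv_usec advances by `step` us per
 * sample, so the analysis can be checked against known answers. */
static struct field_stats analyse_synthetic(int n, long step, int usec_part) {
    static struct timeval s[200000];
    if (n > 200000) n = 200000;
    for (int i = 0; i < n; i++) { s[i].tv_sec = 0; s[i].tv_usec = (i * step) % 1000000; }
    return analyse(s, n, usec_part);
}

int main(void) {
    enum { N = 200000 };
    static struct timeval live[N];
    for (int i = 0; i < N; i++) gettimeofday(&live[i], NULL);  /* live samples */
    struct field_stats m = analyse(live, N, 0), u = analyse(live, N, 1);
    printf("msec part: %d distinct values, chi2 = %.1f\n", m.distinct, m.chi2);
    printf("usec part: %d distinct values, chi2 = %.1f\n", u.distinct, u.chi2);
    return 0;
}
```

The live loop in main finishes within a few milliseconds, so only the microsecond field is meaningful there; reproducing the millisecond graph needs samples spread over several seconds.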

A mathematical theory of communication

I've uploaded this famous paper by C.E. Shannon to http://berlin.ccc.de/~cc/shannon-a_mathematical_theory_of_communication.pdf.
You may download it if you're interested.

--Cpunkt 12:21, 23 Sep 2004 (CEST)

Billy the kid

A Python library that allows you to make raw sockets.

Notes on Lab Session

Google Search String Competition

Insert your favourite (novel) search strings here:

nmap - always print fingerprint bad bad idea

diff -Nau nmap-3.70/output.cc nmap-3.70.mm/output.cc
--- nmap-3.70/output.cc	2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/output.cc	2004-09-23 19:14:13.000000000 +0200
@@ -353,8 +353,9 @@
 	snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol);
	state = statenum2str(current->state);
 	current->getServiceDeductions(&sd);
-	if (sd.service_fp && saved_servicefps.size() <= 8)
-	  saved_servicefps.push_back(sd.service_fp);
+    // always print the fingerprint
+	if (sd.service_fp)
+	    saved_servicefps.push_back(sd.service_fp);
 
 	if (o.rpcscan) {
 	  switch(sd.rpc_status) {
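Review bot: Dropping the `saved_servicefps.size() <= 8` guard removes the only bound on `saved_servicefps`, so a target with many probed ports now accumulates one fingerprint per port with no limit on the volume that is later emitted; if the cap is deliberately being lifted, a larger explicit limit or a command-line switch would keep output predictable. The new comment "always print the fingerprint" is also misleading here, since this hunk only pushes the fingerprint onto the saved list and printing happens elsewhere, and the added lines are space-indented where the surrounding code uses tabs.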
diff -Nau nmap-3.70/service_scan.cc nmap-3.70.mm/service_scan.cc
--- nmap-3.70/service_scan.cc	2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/service_scan.cc	2004-09-23 19:20:57.000000000 +0200
@@ -1825,6 +1825,9 @@
 
     if (MD && MD->serviceName) {
       // WOO HOO!!!!!!  MATCHED!  But might be soft
+      // mm: print a fingerprint everytime
+        svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);
+
       if (MD->isSoft && svc->probe_matched) {
 	if (strcmp(svc->probe_matched, MD->serviceName) != 0)
 	  error("WARNING:  service %s:%hi had allready soft-matched %s, but now soft-matched %s; ignoring second value\n", svc->target->NameIP(), svc->portno, svc->probe_matched, MD->serviceName);
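Review bot: The new `svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen)` call sits above the `MD->isSoft && svc->probe_matched` check, so a response whose soft match is about to be discarded with "ignoring second value" still has its data appended to the service fingerprint under the rejected name; moving the call below that branch, or guarding it on a hard match, keeps the fingerprint consistent with the name nmap finally reports. Minor: "everytime" should be "every time", and the call is indented two columns deeper than its neighbours.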
@@ -1967,7 +1970,8 @@
 					  *(*svc)->product_matched? (*svc)->product_matched : NULL, 
 					  *(*svc)->version_matched? (*svc)->version_matched : NULL, 
 					  *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL, 
-					  NULL);
+                      (*svc)->getServiceFingerprint(NULL));
+					  //NULL); // always pass the fingerprint
 
    } else if ((*svc)->probe_state == PROBESTATE_FINISHED_SOFTMATCHED) {
     (*svc)->port->setServiceProbeResults((*svc)->probe_state,
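Review bot: The soft-matched branch visible in the trailing context (`PROBESTATE_FINISHED_SOFTMATCHED` calling `setServiceProbeResults`) is left unchanged, so despite the "always pass the fingerprint" comment the fingerprint is forwarded only on the hard-match path this hunk edits; either apply the same change there or reword the comment. Delete the commented-out `//NULL); // always pass the fingerprint` line rather than leaving dead code, and say in a comment what the `NULL` argument to `getServiceFingerprint(NULL)` stands for, since nothing in the hunk explains it. The replacement line is also space-indented where the rest of the argument list uses tabs.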