Difference between revisions of "Summerschool Aachen 2004/Building Attacks Lab"

Revision as of 09:42, 24 September 2004

Notes on Presentations

Network Basics

The slides can be found here

The second lecture today will cover the basics of network programming. Here are a few links that could help you during the lab session:

Linux clock timings

These show some measurements I have taken on the Linux 2.4 kernel clock using gettimeofday(). This returns results with microsecond precision, so I wanted to make sure that this precision was significant. These graphs show that both the millisecond and microsecond parts give fairly uniform results.

Milliseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_msec.png

Microseconds
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_usec.png

-- Steven Murdoch
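The check Steven describes above, as an added example that is not part of the original post: this C program samples gettimeofday(), splits tv_usec into its millisecond and microsecond parts, buckets each into ten bins and reports how evenly the samples spread. It assumes a POSIX system with usleep(); the bin count, sample count and sample spacing are my own choices, not values from the post.

```c
/* Added example (not from the wiki post). Bucket the msec and usec parts of
 * gettimeofday() samples to see whether the low-order digits really vary. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>

#define NBUCKETS 10

/* Bucket n values from [0, range) into NBUCKETS equal-width bins.
 * Returns the number of non-empty bins. */
int bucket_counts(const long *vals, int n, long range, long counts[NBUCKETS]) {
    int nonempty = 0;
    memset(counts, 0, sizeof(long) * NBUCKETS);
    for (int i = 0; i < n; i++) {
        long b = vals[i] * NBUCKETS / range;
        if (b >= NBUCKETS) b = NBUCKETS - 1;   /* clamp out-of-range input */
        counts[b]++;
    }
    for (int i = 0; i < NBUCKETS; i++)
        nonempty += counts[i] > 0;
    return nonempty;
}

/* Fullest bin divided by emptiest: about 1.0 means uniform, large means the
 * clock's low digits are quantised; -1.0 if some bin is empty. */
double spread_ratio(const long counts[NBUCKETS]) {
    long lo = counts[0], hi = counts[0];
    for (int i = 1; i < NBUCKETS; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return lo == 0 ? -1.0 : (double)hi / (double)lo;
}

int main(void) {
    enum { N = 2000 };
    static long msec[N], usec[N];
    struct timeval tv;
    for (int i = 0; i < N; i++) {
        gettimeofday(&tv, NULL);
        msec[i] = tv.tv_usec / 1000;   /* 0..999 */
        usec[i] = tv.tv_usec % 1000;   /* 0..999 */
        usleep(1237);  /* spread samples over >2 s so the msec part can vary */
    }
    long cm[NBUCKETS], cu[NBUCKETS];
    bucket_counts(msec, N, 1000, cm);
    bucket_counts(usec, N, 1000, cu);
    printf("msec spread %.2f, usec spread %.2f\n", spread_ratio(cm), spread_ratio(cu));
    return 0;
}
```

A tight loop without the usleep() would cover only a few milliseconds, so the millisecond part would look stuck even on a good clock; the spacing matters more than the sample count.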

A mathematical theory of communication

I've uploaded this famous paper by C.E. Shannon to http://berlin.ccc.de/~cc/shannon-a_mathematical_theory_of_communication.pdf.
You may download it if you're interested.

--Cpunkt 12:21, 23 Sep 2004 (CEST)

Billy the kid

A Python library that allows you to make raw sockets.

Notes on Lab Session

Google Search String Competition

Insert your favourite (novel) search strings here:

nmap - always print fingerprint bad bad idea

diff -Nau nmap-3.70/output.cc nmap-3.70.mm/output.cc
--- nmap-3.70/output.cc	2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/output.cc	2004-09-23 19:14:13.000000000 +0200
@@ -353,7 +353,8 @@
	snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol);
	state = statenum2str(current->state);
	current->getServiceDeductions(&sd);
-	if (sd.service_fp && saved_servicefps.size() <= 8)
+    // always print the fingerprint
+	if (sd.service_fp)
	  saved_servicefps.push_back(sd.service_fp);

	if (o.rpcscan) {
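Review bot: dropping the `saved_servicefps.size() <= 8` guard removes the only bound on how many service fingerprints are collected per host, so a host with many unidentified services now makes `saved_servicefps` and the printed output grow without limit; if the aim is to see every fingerprint, a command-line option or a larger but still finite cap would be safer than an unconditional `if (sd.service_fp)`. The added comment is also indented with spaces where the surrounding lines use tabs.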
diff -Nau nmap-3.70/service_scan.cc nmap-3.70.mm/service_scan.cc
--- nmap-3.70/service_scan.cc	2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/service_scan.cc	2004-09-23 19:20:57.000000000 +0200
@@ -1825,6 +1825,9 @@
 
     if (MD && MD->serviceName) {
       // WOO HOO!!!!!!  MATCHED!  But might be soft
+      // mm: print a fingerprint everytime
+        svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);
+
       if (MD->isSoft && svc->probe_matched) {
 	if (strcmp(svc->probe_matched, MD->serviceName) != 0)
 	  error("WARNING:  service %s:%hi had allready soft-matched %s, but now soft-matched %s; ignoring second value\n", svc->target->NameIP(), svc->portno, svc->probe_matched, MD->serviceName);
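Review bot: the new `svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen)` call runs before the `MD->isSoft && svc->probe_matched` check, so a second soft match that the following `error(...)` says is ignored still gets its response appended to the fingerprint, and since this point is reached for every probe response with a matched service name, one service can accumulate several entries. Consider moving the call after the soft-match handling or guarding it on the same condition. Minor: "everytime" should be "every time", and the `+` lines use eight spaces where the block indents by six.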
@@ -1967,7 +1970,8 @@
 					  *(*svc)->product_matched? (*svc)->product_matched : NULL, 
 					  *(*svc)->version_matched? (*svc)->version_matched : NULL, 
 					  *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL, 
-					  NULL);
+                      (*svc)->getServiceFingerprint(NULL));
+					  //NULL); // always pass the fingerprint
 
    } else if ((*svc)->probe_state == PROBESTATE_FINISHED_SOFTMATCHED) {
     (*svc)->port->setServiceProbeResults((*svc)->probe_state, 
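Review bot: the commented-out `//NULL); // always pass the fingerprint` line should be deleted rather than left in the argument list; a dead line after the closing `);` makes the call hard to read, and the explanation belongs on the `(*svc)->getServiceFingerprint(NULL)` line or in the commit message. The replacement line is also indented with spaces while the arguments above it use tabs. Since the original passed an explicit NULL here, confirm that `getServiceFingerprint(NULL)` yields NULL rather than an empty string when no fingerprint was recorded, so the no-fingerprint case still looks the same to `setServiceProbeResults` as it did before.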


Making a fingerprinter

Yesterday I decided to make a (ring) fingerprinting tool in the lab session. The full description of this fingerprinting method can be found at: http://www.intranode.com/fr/doc/ring-full-paper.pdf It took a bit more work than I had planned (I'd also planned to play a little with the Metasploit framework, but there was no time left), but eventually I got a Perl script which looks OK and which the Perl interpreter seems to like. I haven't tested it yet (when the code was finished it was already around 8 or so), but I'll try to test it today or tomorrow.

-- Ilja van Sprundel

Tunnelling IP over DNS

Although there are already tools available to do this (cf. [NSTX] and [DeNiSe]), I decided it would be an interesting project to try during the afternoon. Working on OpenBSD, I started to write the client part of the code using libnet and libpcap (taking 'inspiration' from various places, including nos-tun). It took quite a while to work out simple things like the correct ioctls for the tun interface, but I've made enough progress that I think it might be nice to continue with this on the project day. I'll try to add some code to this entry once there's enough to be worth looking at!

-- Stephen Lewis