Summerschool Aachen 2004/Building Attacks Lab

= Notes on Lab Session =
 
== Google and special characters ==
 
The star * and the full stop . do not work as wildcards.
 
--[[Alexander Becher]]
 
== Linux clock timings ==
 
These show some measurements I have taken on the Linux 2.4 kernel clock using gettimeofday(). This returns results with microsecond precision, so I wanted to make sure that this precision was significant. These graphs show that both the millisecond and microsecond parts give fairly uniform results.
 
'''Milliseconds'''<br>
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_msec.png
 
'''Microseconds'''<br>
http://www.cl.cam.ac.uk/users/sjm217/volatile/timing_usec.png
 
-- [[Steven Murdoch]]
 
A comment from the NetBSD 1.6.2 Kernel, file src/sys/kern/kern_microtime.c:
 /*
  * Ordinarily, the current clock time is guaranteed to be later
  * by at least one microsecond than the last time the clock was
  * read. However, this rule applies only if the current time is
  * within one second of the last time. Otherwise, the clock will
  * (shudder) be set backward. The clock adjustment daemon or
  * human equivalent is presumed to be correctly implemented and
  * to set the clock backward only upon unavoidable crisis.
  */
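An added example, not code from the lab notes above, that checks the two properties this section is concerned with on a buffer of gettimeofday() samples: whether the microsecond field is really spread across its range (so the reported precision is significant, rather than a coarse tick padded with zeros), and whether consecutive reads ever step backwards, the case the NetBSD comment warns about. The bucket width (1 ms) and the sample count are arbitrary choices made for this illustration.

```c
/* Added example (not from the lab notes): sanity checks on gettimeofday()
 * samples. The bucket width (1 ms) and sample count (100000) are arbitrary
 * choices for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>

#define USEC_BUCKETS 1000                       /* one bucket per millisecond of tv_usec */
#define BUCKET_WIDTH (1000000 / USEC_BUCKETS)

/* Fraction (0..1) of the USEC_BUCKETS buckets of the microsecond field that
 * receive at least one sample. A clock that really advances in microseconds
 * fills nearly all of them over many samples; a clock that only ticks every
 * 10 ms leaves 90% of them empty. */
double usec_coverage(const struct timeval *tv, size_t n)
{
    unsigned char seen[USEC_BUCKETS] = {0};
    size_t i, filled = 0;

    for (i = 0; i < n; i++)
        seen[(tv[i].tv_usec % 1000000) / BUCKET_WIDTH] = 1;
    for (i = 0; i < USEC_BUCKETS; i++)
        filled += seen[i];
    return (double)filled / USEC_BUCKETS;
}

/* Difference between two samples in microseconds (b minus a). */
static long delta_usec(const struct timeval *a, const struct timeval *b)
{
    return (b->tv_sec - a->tv_sec) * 1000000L + (b->tv_usec - a->tv_usec);
}

/* Number of times the clock stepped backwards between consecutive samples;
 * 0 means the run was monotonic. Non-zero means something (NTP, a manual
 * settimeofday) moved the clock while sampling. */
size_t backward_steps(const struct timeval *tv, size_t n)
{
    size_t i, back = 0;

    for (i = 1; i < n; i++)
        if (delta_usec(&tv[i - 1], &tv[i]) < 0)
            back++;
    return back;
}

/* Smallest non-zero forward step between consecutive samples, in
 * microseconds: a rough estimate of the clock granularity. Returns -1 if
 * no two consecutive samples differ. */
long min_nonzero_step_usec(const struct timeval *tv, size_t n)
{
    long best = -1, d;
    size_t i;

    for (i = 1; i < n; i++) {
        d = delta_usec(&tv[i - 1], &tv[i]);
        if (d > 0 && (best < 0 || d < best))
            best = d;
    }
    return best;
}

/* Fill tv[] with n back-to-back gettimeofday() reads; returns how many succeeded. */
size_t sample_clock(struct timeval *tv, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (gettimeofday(&tv[i], NULL) != 0)
            return i;
    return n;
}

int main(void)
{
    enum { N = 100000 };
    struct timeval *tv = malloc(N * sizeof *tv);
    size_t n;

    if (tv == NULL)
        return 1;
    n = sample_clock(tv, N);
    printf("samples taken:          %zu\n", n);
    printf("usec bucket coverage:   %.3f\n", usec_coverage(tv, n));
    printf("smallest non-zero step: %ld us\n", min_nonzero_step_usec(tv, n));
    printf("backward steps:         %zu\n", backward_steps(tv, n));
    free(tv);
    return 0;
}
```

Compile with `cc -o clockcheck clockcheck.c` and run it a few times. On a clock with a 10 ms tick the coverage drops to about 0.1 and the smallest non-zero step reports the tick size; a clock that genuinely resolves microseconds fills nearly every bucket and reports a step of a few microseconds. A non-zero backward_steps() count means the clock was set back during the run, so any timing measurement taken across that point is invalid.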
 
 
 
== A mathematical theory of communication ==
 
I've uploaded this famous paper by C.E. Shannon to http://berlin.ccc.de/~cc/shannon-a_mathematical_theory_of_communication.pdf.<br />
You may download it, if you're interested.
 
--[[User:Cpunkt|Cpunkt]] 12:21, 23 Sep 2004 (CEST)
 
== Billy the kid ==
 
[http://home.student.utwente.nl/g.v.berg/btk/ a python lib that allows you to make raw sockets.]
 
== Google Search String Competition ==
 
Insert your favorite (novel) search strings here:
 
* [http://www.google.de/search?hl=en&ie=UTF-8&as_qdr=all&q=inurl%3A%22robots.txt%22+Disallow+secret&btnG=Search inurl:"robots.txt" Disallow secret]
* [http://www.google.com/search?q=inurl:%22robots.txt%22+Disallow+(secret%7Cadmin%7Cstat%7Cstats%7Cconfig%7Cconf%7Cinc%7Cinclude%7Cintern%7Cinterneal)&ie=UTF-8&oe=UTF-8 inurl:"robots.txt" Disallow (secret|admin|stat|stats|config|conf|inc|include|intern|interneal)]
* [http://www.google.de/search?hl=en&ie=UTF-8&q=%22phpScheduleIt+v1.0.0+RC1%22&btnG=Google+Search "phpScheduleIt v1.0.0 RC1"] - Get a free homepage (see bug report [http://www.securityfocus.com/bid/11080 Bugtraq 11080])
 
== nmap - always print fingerprint bad bad idea ==
 
diff -Nau nmap-3.70/output.cc nmap-3.70.mm/output.cc
--- nmap-3.70/output.cc 2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/output.cc 2004-09-23 19:14:13.000000000 +0200
@@ -353,7 +353,8 @@
snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol);
state = statenum2str(current->state);
current->getServiceDeductions(&sd);
- if (sd.service_fp && saved_servicefps.size() <= 8)
+    // always print the fingerprint
+ if (sd.service_fp)
  saved_servicefps.push_back(sd.service_fp);
if (o.rpcscan) {
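Review bot: dropping the `saved_servicefps.size() <= 8` guard removes the only bound on how many fingerprints are pushed onto `saved_servicefps`, so the number collected now grows with every matched port on every scanned host instead of stopping at eight; if eight was too few for the lab, replace the literal with a configurable limit rather than deleting the check. Minor: the new `// always print the fingerprint` comment is indented four spaces while the `if (sd.service_fp)` it describes is indented one, so align it with the statement.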
diff -Nau nmap-3.70/service_scan.cc nmap-3.70.mm/service_scan.cc
--- nmap-3.70/service_scan.cc 2004-08-29 11:12:03.000000000 +0200
+++ nmap-3.70.mm/service_scan.cc 2004-09-23 19:20:57.000000000 +0200
@@ -1825,6 +1825,9 @@
 
      if (MD && MD->serviceName) {
        // WOO HOO!!!!!!  MATCHED!  But might be soft
+      // mm: print a fingerprint everytime
+        svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);
+
        if (MD->isSoft && svc->probe_matched) {
+
[http://ford_credit_card.chat.ru/ | Ford Credit Card]
  if (strcmp(svc->probe_matched, MD->serviceName) != 0)
+
[http://ford_contour_svt.chat.ru/ | Ford Contour Svt]
    error("WARNING: service %s:%hi had allready soft-matched %s, but now soft-matched %s; ignoring second value\n", svc->target->NameIP(), svc->portno, svc->probe_matched, MD->serviceName);
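Review bot: the new `svc->addToServiceFingerprint(MD->serviceName, readstr, readstrlen);` call sits before the `if (MD->isSoft && svc->probe_matched)` check, so a response that the code immediately below rejects ("ignoring second value") still has its bytes appended to the service's fingerprint, and a service that soft-matches on several probes gets one chunk appended per probe. If the intent is one fingerprint per final match, move the call after the soft-match handling, and say in the `// mm:` comment which match state it is meant to record.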
 
@@ -1967,7 +1970,8 @@
 
    *(*svc)->product_matched? (*svc)->product_matched : NULL,
 
    *(*svc)->version_matched? (*svc)->version_matched : NULL,
 
    *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL,
 
-   NULL);
 
+                      (*svc)->getServiceFingerprint(NULL));
 
+   //NULL); // always pass the fingerprint
 
 
 
    } else if ((*svc)->probe_state == PROBESTATE_FINISHED_SOFTMATCHED) {
 
      (*svc)->port->setServiceProbeResults((*svc)->probe_state,
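Review bot: `//NULL); // always pass the fingerprint` leaves the old argument as a commented-out line beside the live `(*svc)->getServiceFingerprint(NULL));` call; delete it and keep the explanation as a normal comment in the `// mm:` style of the previous hunk. The `PROBESTATE_FINISHED_SOFTMATCHED` branch that starts in the trailing context also calls `setServiceProbeResults` but is not changed by this hunk, so soft-matched services still get whatever argument that branch passed before; either apply the same change there or state that only hard matches now carry the fingerprint.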
 
 
 
--[[User:Mario Manno|MM]] 17:12, 5 Oct 2004 (CEST)
 
 
 
== Making a fingerprinter ==
 
 
 
Yesterday I decided to make a (ring) fingerprinting tool in the lab session. The full description of this fingerprinting method is given in: [http://www.intranode.com/fr/doc/ring-full-paper.pdf http://www.intranode.com/fr/doc/ring-full-paper.pdf] It took a bit more work than I had planned (I'd also planned to play a little with the Metasploit framework, but there was no time left), but eventually I got a Perl script which looks ok and which the Perl interpreter seems to like.
 
I haven't tested it yet (when the code was finished it was already around 8 or so), but I'll try to test it today or tomorrow.  
 
 
 
-- Ilja van Sprundel
 
 
 
== Tunnelling IP over DNS ==
 
 
 
Although there are already tools available to do this (cf. [http://nstx.dereference.de/nstx/ NSTX] and [http://c0re.23.nu/c0de/snap/DeNiSe-snap-20021026.tar.gz DeNiSe]), I decided it would be an interesting project to try during the afternoon. Working on OpenBSD, I started to write the client part of the code using libnet and libpcap (taking 'inspiration' from various places, including nos-tun). It took quite a while to work out simple things like the correct ioctls for the tun interface, but I've made enough progress that I think it might be nice to continue with this on the project day. I'll try to add some code to this entry once there's enough to be worth looking at!
 
 
 
-- [[Stephen Lewis]]
 
 
 
== Tunneling information through ICMP ==
 
 
 
I've written a small Perl script which uses Net::RawIP to open a pcap listener and looks for ICMP packets with a special combination of type and code. If it sees such a packet, it interprets the payload as a command. Currently, it is possible to send it a "get file" command, which the script responds to by splitting the file into 32-bit chunks and sending them back to the requester. The chunks are encoded in the ID and sequence fields of the ICMP header.
 
I have not implemented any kind of flow control yet. This should be done for real-world use...
 
 
 
--[[User:Cpunkt|Cpunkt]] 09:58, 27 Sep 2004 (CEST)
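An added example, not the Perl script described in the post above, showing in C the encoding that post relies on: each 4-byte chunk of the file rides in the 16-bit identifier and sequence fields of an ICMP header with no payload, with a valid RFC 792 checksum so the packet is accepted by an ordinary IP stack, and the receiver only acts on packets carrying the marker type/code. The marker values used here (type 8, code 0x5a) are an assumption; the post does not say which combination its script uses. The example stops at building and parsing the bytes: putting them on the wire needs a raw socket (Net::RawIP in the original, SOCK_RAW/IPPROTO_ICMP in C).

```c
/* Added example (not the Perl script from the post): the chunk encoding
 * for an ICMP covert channel. Marker type/code values are an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COVERT_TYPE 8      /* ICMP echo request; assumed marker, not the post's value */
#define COVERT_CODE 0x5a   /* non-zero code: assumed marker the listener filters on */
#define ICMP_HLEN 8        /* type, code, checksum, id, seq */

/* RFC 792 / RFC 1071 one's complement checksum over the ICMP message.
 * Over a message that already carries its checksum the result is 0. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sender: build an 8-byte ICMP header carrying up to 4 bytes of chunk.
 * A short final chunk is zero padded; the receiver must know the file
 * length to strip the padding. Returns the packet length. */
size_t icmp_encode_chunk(uint8_t out[ICMP_HLEN], const uint8_t *chunk, size_t chunk_len)
{
    uint16_t cksum;

    memset(out, 0, ICMP_HLEN);
    out[0] = COVERT_TYPE;
    out[1] = COVERT_CODE;
    if (chunk_len > 4)
        chunk_len = 4;
    memcpy(out + 4, chunk, chunk_len);     /* bytes 4-5: id, bytes 6-7: seq */
    cksum = icmp_checksum(out, ICMP_HLEN);
    out[2] = (uint8_t)(cksum >> 8);
    out[3] = (uint8_t)(cksum & 0xff);
    return ICMP_HLEN;
}

/* Receiver: accept only packets with the marker type/code and a valid
 * checksum. Returns 1 and copies the 4 data bytes, or 0 to ignore it. */
int icmp_decode_chunk(const uint8_t *pkt, size_t len, uint8_t chunk[4])
{
    if (len < ICMP_HLEN || pkt[0] != COVERT_TYPE || pkt[1] != COVERT_CODE)
        return 0;
    if (icmp_checksum(pkt, len) != 0)     /* corrupted in transit */
        return 0;
    memcpy(chunk, pkt + 4, 4);
    return 1;
}

/* Split a file into consecutive 8-byte ICMP headers, one per 4-byte chunk.
 * pkts must hold max_pkts * ICMP_HLEN bytes. Returns the packet count. */
size_t icmp_encode_file(const uint8_t *file, size_t file_len, uint8_t *pkts, size_t max_pkts)
{
    size_t off, n = 0;

    for (off = 0; off < file_len && n < max_pkts; off += 4, n++)
        icmp_encode_chunk(pkts + n * ICMP_HLEN, file + off, file_len - off);
    return n;
}

/* Reassemble from a sequence of received packets, skipping anything that
 * is not a valid marker packet (ordinary pings, corrupted chunks).
 * Returns the number of bytes written; the caller truncates to the real
 * file length. With no sequence counter, a lost or reordered packet
 * silently corrupts the result: the flow-control gap the post mentions. */
size_t icmp_decode_file(const uint8_t *pkts, size_t n_pkts, uint8_t *out, size_t out_len)
{
    size_t i, written = 0;

    for (i = 0; i < n_pkts && written + 4 <= out_len; i++)
        if (icmp_decode_chunk(pkts + i * ICMP_HLEN, ICMP_HLEN, out + written))
            written += 4;
    return written;
}

int main(void)
{
    const uint8_t file[] = "The quick brown fox";   /* constructed sample file */
    uint8_t pkts[5 * ICMP_HLEN], out[5 * 4];
    size_t n = icmp_encode_file(file, sizeof file - 1, pkts, 5);
    size_t got = icmp_decode_file(pkts, n, out, sizeof out);

    printf("%zu packets, %zu bytes reassembled: %.*s\n", n, got, (int)(sizeof file - 1), out);
    return 0;
}
```

Because both 16-bit fields carry data there is nothing left for a sequence number, so a dropped or reordered packet silently corrupts the reassembled file; a usable channel would spend at least part of the sequence field on a counter and acknowledge it, which is the flow control the post says is still missing. The checksum only detects corruption, it authenticates nothing: anyone who learns the marker type/code can inject chunks or issue commands to the listener.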
 
 
 
[[Category:Summerschools]]
 
[[Category:Hacks]]
 

Revision as of 15:33, 29 July 2005