Difference between revisions of "Summerschool Aachen 2004/Notes"

From C4 Wiki
m (Restored to the last revision by
General Notes about the Summerschool, Aachen,  Software, whatever comes to your mind.
= Lab Net =
== TSocks ==
If you still have trouble with SOCKS, I suggest the tsocks package; it works nicely with openssh and apt-get. I guess you already know about proxy environment variables.
dante is the other LD wrapper for SOCKS.
== Proxy ENV ==
export http_proxy=
export ftp_proxy=
== Socat SSH ==
socat command line to get SSH working
I used these commands to access SSH on $REMOTEMACHINE
$ socat TCP4-LISTEN:31228,reuseaddr \
$ ssh localhost -p31228
== corkscrew ==
ilja@nikita:~/corkscrew-2.0%cat ~/.ssh/config
ProxyCommand /home/ilja/corkscrew-2.0/corkscrew 3128 %h %p
== dante ==
(Running on OpenBSD under VMWare, but should work anywhere...)
$ cat /etc/socks.conf
# have a route making all connections to loopback addresses be direct.
route {
        from:  to:  via: direct
        command: connect udpassociate # everything but bind, bind confuses us.
}
route {
        from:  to:  via: direct
}
route {
        from:  to:  via: port = 1080
        protocol: tcp udp                # server supports tcp and udp.
        proxyprotocol: socks_v4 socks_v5 # server supports socks v4 and v5.
        method: none #username          # we are willing to authenticate via
                                        # method "none", not "username".
}
On Debian GNU/Linux the config file is called /etc/dante.conf
After configuring dante, the "socksify" script can be used to make applications use the SOCKS proxy.
== One of the printers has some issues ==
While I was sniffing my own traffic I noticed some broadcast from some device (which later
turned out to be a printer). The remarkable thing about this packet was that the Ethernet frame
padding wasn't something like "\x00\x00\x00"; instead it was some random string. This is probably
an etherleak [http://www.atstake.com/research/advisories/2003/a010603-1.txt more info on them here].
Then I decided to do an OS fingerprint to see what kind of device it was. The coolest piece of info
I got from nmap said:
TCP Sequence Prediction: Class=trivial time dependency
                          Difficulty=0 (Trivial joke)
Then I used ISNprober (you can get that from ftp.ubizen.com) to check the ISNs more carefully;
this is the output:
root@nikita:/home/ilja/isnprober-1.02#./isnprober -n 10
-- ISNprober / 1.02 / Tom Vandepoel (Tom.Vandepoel@ubizen.com) --
Using eth0:
Probing host: on TCP port 80.
Host:port          ISN            Delta
                   3146095
                   3146096        1
                   3146097        1
                   3146098        1
                   3146099        1
                   3146100        1
                   3146101        1
                   3146102        1
                   3146103        1
                   3146104        1
My guess is that the ISN gets incremented by 1 every second.
-- Ilja van Sprundel
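The padding check described above can be automated over captured frames. This is an added example, not code from the original notes or from Ilja: it locates the bytes that follow the IPv4 datagram in a short Ethernet II frame and flags any frame whose padding is not all zeros. The frame layout is standard; the sample frames, MAC and IP addresses are constructed here.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the bytes of an Ethernet II frame that follow the IPv4 datagram.

    Short frames are padded to the 60-byte minimum (FCS excluded); those
    trailing bytes are what this isolates. Non-IPv4 or truncated frames
    yield b'' because the padding boundary cannot be located.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return b""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return b""
    (ip_total_len,) = struct.unpack("!H", frame[16:18])  # IPv4 total length
    end = ETH_HDR_LEN + ip_total_len
    if end > len(frame):
        return b""
    return frame[end:]


def looks_like_etherleak(frame: bytes) -> bool:
    """Flag frames whose padding is not all zeros (stale buffer contents)."""
    pad = padding_bytes(frame)
    return len(pad) > 0 and any(pad)


def flagged_frames(frames):
    """Indices of captured frames that show non-zero padding."""
    return [i for i, f in enumerate(frames) if looks_like_etherleak(f)]


def build_frame(payload: bytes, pad: bytes) -> bytes:
    """Constructed sample: Ethernet II header, minimal IPv4/UDP-typed header,
    payload, then the supplied padding (addresses are made up)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                     64, 17, 0, bytes([192, 168, 1, 20]), bytes([192, 168, 1, 255]))
    return eth + ip + payload + pad


# constructed samples: a correctly zero-padded frame and a "leaky" one
CLEAN = build_frame(b"\x00" * 6, b"\x00" * 20)
LEAKY = build_frame(b"\x00" * 6, bytes(range(0x41, 0x41 + 20)))
```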
== Captured Data from the Lab ==
I used ethereal and [[tethereal]] to do some analysis of the collected data.
=== Statistics ===
* ca. 16 h of traffic
* from 2004-09-29 21:59:04 to 2004-09-30 13:55:18
* number of packets: 1876888
* packets/s: 32.713
* Size: 1.6 GB

Revision as of 22:45, 18 February 2006