July 2011
1 post
Decrypt IPSEC traffic with wireshark
I've set up an IPsec VPN link between a Cisco router and a Linux host to demo the ESP decryption feature of Wireshark. After configuring both sides of the IPsec link, it's time to test from the Cisco router:
ping 192.168.3.1 source 192.168.2.1 size 123 data CAFE
Type escape sequence to abort.
Sending 5, 123-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source...
Jul 17th
June 2011
1 post
BPF aka Boolean Packet Filter language
Yes, BPF stands for Berkeley Packet Filter, but it could be renamed Boolean Packet Filter, since the filter function outputs true or false for each packet travelling from the kernel to the application. The result is computed by a directed acyclic control-flow graph composed of comparison predicates and boolean operations. Here is how to decipher the language, with the help of the next two examples. The...
Jun 14th
May 2011
2 posts
Racket vs Packetfu in Metasploit
Why the hell did I think I wrote this in PacketFu? It looks like my hard disk contains an HSRP traffic hijacker written with the Racket lib. It was written a long time ago and I decided to push it before I forget it again among the not-so-used inodes. http://dev.metasploit.com/redmine/issues/4568 AFAIK, Tod is currently doing some nice work on the PacketFu lib. Stay tuned for the next...
May 22nd
EAP-MD5 sucks *for real*
EAP-MD5 has been deprecated since Windows Vista in the Microsoft world, and a KB article exists that pinpoints the dictionary attack. That's not the case for Cisco: EAP-MD5 is so great you can still use it on Cisco IP phones. Also, I have found no documents referring to the EAP-MD5 security weakness, only the deployment guides that help the poor administrators get pwned in the future. Hopefully...
May 15th
March 2011
2 posts
XeroX and netsec-catalog
New Metasploit module developed: https://dev.metasploit.com/redmine/issues/4007 (Xerox WorkCentre user enumeration). New repository containing network security documents and videos: http://code.google.com/p/netsec-catalog/ See you later.
Mar 30th
Links of the day - malware oriented
http://eicar.org/anti_virus_test_file.htm
http://spamassassin.apache.org/gtube/
http://www.malwaredomainlist.com/mdl.php
http://www.malwaredomains.com/
http://www.securelist.com/en/analysis/204792166/Monthly_Malware_Statistics_February_2011
http://www.fortiguard.com/report/roundup_february_2011.html
Mar 14th
February 2011
2 posts
networkvulns twitter account
3 hours later… the networkvulns proof of concept is born. The tool is a mix of Python modules: pyparsing, sqlite3, oauth, python-twitter. Its goal is to tell you whether the software your network device runs is safe or not. You must follow @networkvulns in order to get the reply via a direct message. Example of a valid request: fortinet,fortigate,4.0MR2 As you understand, it follows the...
Feb 26th
Routerdefense 0.5.1 BGP quick update
Minor addition to Routerdefense: BGP maximum AS-path limit support. Did you know the average AS-PATH length is 4.64? eBGP infrastructure ACL support, revision 17: http://code.google.com/p/routerdefense/source/detail?r=17 Cheers
Feb 5th
January 2011
2 posts
packetfu now includes HSRP layer
Hi packet monkeyz and others, better late than never: a contribution to the PacketFu project to add the HSRP layer, the first application layer added to the project, on 24 December 2010! http://code.google.com/p/packetfu/source/detail?r=156 http://code.google.com/p/packetfu/source/detail?r=157 A Cisco HSRP traffic hijacker is already coded to be included in Metasploit but is waiting...
Jan 21st
Metasploit updates
Some code I wrote for the Metasploit project: DNS(SEC) fuzzer, Cisco IOS configuration grabber via SNMP, Cisco VPN enumeration module, [cisco] TTL expiry attack, Cisco IOS SNMP file copy (TFTP). News coverage by Rapid7: "Cisco IOS Penetration Testing with Metasploit". HAPPY 2011!
Jan 8th
October 2010
2 posts
Cisco bar magic potion
Hi, Ingredients: Google Chrome (my main browser), Tampermonkey, ciscobar.user.js. Result: the annoying blue Cisco bar is automagically removed from cisco.com pages. Cheers
Oct 13th
dorkmaster 0.1
Hi Hackers, dorkmaster 0.1 is out. It checks your company's data leak prevention policy against the Google and Bing search engines, testing against the Google Hacking and Bing Hacking databases from the Diggity project. http://code.google.com/p/dorkmaster Keep in mind that search engines are more evil than the interns. Please generate your Bing App ID here to enable the Bing feature. ...
Oct 12th
September 2010
1 post
BruCON 2010 security conference
Hi Hackers, I'll be there from the 23rd of September until the 26th, attending and giving a lightning talk about routerdefense. Schedule, first day: KEYNOTE: Memoirs of a Data Security Street Fighter; You Spent All That Money And You Still Got Owned…; GSM security: fact and fiction; The Monkey Steals the Berries; Cyber [Crime|War] - connecting the dots; Embedded System Hacking and My...
Sep 18th
July 2010
1 post
SPF DNS top domains report
As of 24 July:
dig +short TXT -f top10 | grep spf | wc -l => 7
dig +short TXT -f top100 | grep spf | wc -l => 67
No ip6 filtering within the top100.
Jul 24th
June 2010
1 post
Jun 1st
May 2010
7 posts
May 21st
Scapy and checksum calculation
Sometimes you have to (re)calculate a checksum when you modify packets, or when you try to solve a friend's networking challenge like the following: I'm 45000064000f0000fe013726c0a80108c0a8030b, a 20-byte IP header. What will my checksum be after the next hop? :-) It's easy with Scapy: first import the hex, modify the TTL, delete the checksum, then apply the show2() function. This one...
May 18th
OpenBSD 4.7 goodies and Cisco
Meat and goodies: OpenBSD and Cizcoeee: OpenBSD 4.7's official release date is 19 May 2010, but it is already available as a pre-order.
May 13th
Big LAN and ARP broadcast
Sometimes the network suffers from a very BAD design (like a large L2 domain). In this situation, some (normal) network behaviours are more visible than they would be if the network had had a better designer. The reason for the bad design is often historical, OR the hired consultant dislikes the company he works for and ships them a bad design :D One of the visible phenomena occurs when many...
May 11th
Wireshark configuration for Check Point fw monitor
Here is how to set up Wireshark correctly in order to read fw monitor output comfortably:
Ctrl+Shift+P
Protocols / Ethernet / Attempt to interpret as Firewall-1 monitor file
Protocols / FW-1 / Monitor file includes UUID, and Interface list includes chain position
User Interface / Columns / Add: fw-1 chain | FW-1 monitor if/direction
Apply preferences
View / Coloring rules / New preIn /...
May 8th
802.3x prezo
Breaking the myth about 802.3x usage. Here is a public prezo I did for a customer. Click here to download the prezo. Table of contents: Do you really know Flow Control?; 802.3x standard; Places where you will find 802.3x; Pause frames were created to defeat non-wire-rate switches; Symmetric vs Asymmetric 802.3x; Asymmetric speed connected to the same L2 device; Flow control on...
May 4th
Wireshark: extract HTTP objects from captured...
Looking for an elegant way to extract HTTP objects (images, JavaScript, …) from a pcap file? Open the pcap file in Wireshark, then click File => Export => Objects => HTTP.
May 1st
3 notes
April 2010
10 posts
802.3x blackhat pownage
Little leak from a future prezo for a customer: 802.3x flow control is a quick & dirty protocol. If you have physical access to install a hub anywhere on the network, or already have a victim host under control, it could lead to a massive Ethernet denial of service. It's very easy to kill a network at layer 2 if MITM is possible and flow-control receive is on, by replaying quanta 65535...
Apr 30th
Apr 20th
Apr 20th
ldpscapy
My last intern developed an MPLS LDP Scapy layer. You can find it here: http://savannah.nongnu.org/p/ldpscapy Usage example: LDP(id="10.2.1.2")/LDPHello(params=[180,1,1])/LDPInit(id=0x18,rid=rid)/LDPKeepAlive(id=0x19)
Apr 18th
Apr 17th
Apr 17th
Apr 13th
Apr 12th
My spare time is somewhat busy the past weeks
Because of: aggressive inline skating (my Salomon STI Pro with Featherlite2 frames rolls again as the sunny days are back); a coding project in Python about network security, currently 3476 lines and growing every day; focus, focus, focus on the objectives.
Apr 11th
WatchWatch
Happy Easter 2010! Roller Bunny
Apr 5th
March 2010
14 posts
EDNS0 DNS PMTU
EDNS PMTU calculation:
$ dnsfunnel -t A @c.dns.gandi.net packetfault.org
217.70.182.20   4096B   0.001536
217.70.182.20   2304B   0.001531
217.70.182.20   1408B   0.001587
217.70.182.20   960B    0.001484
217.70.182.20   736B    0.001468
217.70.182.20   624B    0.001484
217.70.182.20   568B    0.001468
217.70.182.20   540B    0.001444
217.70.182.20   526B    0.001635
217.70.182.20   519B   ...
Mar 29th
BGP ASN collision
Gem from the past:
% whois -h whois.ripe.net AS1712
aut-num: AS1712
as-name: FR-RENATER-ENST
descr: Ecole Nationale Superieure des Telecommunications,
descr: Paris, France.
descr: FR
% whois -h whois.arin.net AS1712
OrgName: Twilight Communications
City: Wallis
StateProv: TX
Country: US
Oops!
Mar 28th
The great firewall block dns g root server
The Great Firewall of China blocks the G root serv0r: http://www.cymru.com/monitoring/dnssumm/index.html
Mar 27th
Behavior caused by bad programming (or not)
Sometimes I play with Cisco IOS and stuff occurs despite my will…
A14-7206#dir nvram:
Directory of nvram:/
%Error calling getdents for nvram:/ (Device or resource busy)
129016 bytes total (111124 bytes free)
Astalavista… IOS!
Mar 23rd
“6 stages of debugging: 1) can’t happen 2) doesn’t repro 3)...”
– FX
Mar 20th
IOStrojan: Who really owns your router? http://bit.ly/dn0QTR #sans #cisco #tcl
Mar 16th
whois AS number
$ whois AS23724
Don't play with this AS! It's EVIL!
Mar 15th
python debuggers
A list of Python debuggers I found with my google-fu: pdb (pdb.set_trace), pydb, winpdb, gdb (pystack, for debugging Python itself), ddd.
Mar 13th
python pdb is your friend
Yo! Python debugger pdb in da place for handling an npeid issue. Little debugger but helpful :)
imhidden@Networker:/home/hidden# ./npeid.py
> /home/hidden/npeid.py(18)handleTcpStream()
-> toserver = tcp.server.data[:tcp.server.count]
(Pdb) n
> /home/hidden/npeid.py(19)handleTcpStream()
-> toclient = tcp.client.data[:tcp.client.count]
(Pdb) n
>...
Mar 13th
How to reset Internet Protocol (TCP/IP) →
Mar 9th
VMWARE virtual networking concepts →
Mar 7th
tcp timestamps
TCP timestamps notes (RFC 1323):
Timestamps: TSval 4125101209, TSecr 0 (SYN)
Timestamps: TSval 15477599, TSecr 4125101209 (SYN/ACK)
No timestamps with RST packets (Linux 2.6.31 stack)
No timestamps with SYN & SYN/ACK (Windows… needs to be tested with Win7)
Bad: RTTM only when the TCP window is low. Not realistic. Leads to introducing "aliasing" artifacts into the estimated RTT....
Mar 7th
traceroute nanog version
Determine the route of packets in TCP/IP networks (NANOG variant). This is the traceroute program maintained by Ehud Gavron. It is based on the Van Jacobson/BSD traceroute and has additional features like AS lookup, TOS support, microsecond timestamps, path MTU discovery, parallel probing and others. The NANOG traceroute upstream FTP archive can be found at ...
Mar 5th
Mar 1st
February 2010
4 posts
“We do ‘RIP version Ropert protocol’”
– A colleague working with me during a packet crafting session
Feb 22nd
Feb 17th
Internet AS1 Level3 in 1984 →
Feb 14th
Bug: Cisco CDP and RFC1071 checksum calculation →
Feb 14th