Breaking Code

April 20, 2012

Hackito Ergo Sum 2012

Filed under: Conferences — Tags: , , , , , , , , , , — Mario Vilas @ 11:27 pm

Hi everyone. Last week I’ve attended Hackito Ergo Sum 2012, and I wanted to share with you some of the things that I found most interesting during the talks. This won’t be a detailed review of each talk, but rather an account of a few details on the talks that I personally found more interesting, in no particular order. If you’re looking for a detailed review of each talk check out this blog.

Oh, by the way. I totally made up the names of the talks. I think it’s more fun that way. :)

The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.

An additional advantage of this place is that some security agencies can’t send their spooks there. Hurray to the ridiculously outdated cold war laws! :roll:

One thing I didn’t like though, was that the slides were projected in a sort of tilted curved screen, making it a bit difficult to read the slides unless you were sitting in the middle. I don’t think I was the only one with this problem because I saw a lot of heads tilted sideways… ;)

(more…)

April 2, 2010

Using Impacket/Pcapy with Python 2.6 on Windows

Filed under: Tools — Tags: , , , , , , , , , , — Mario Vilas @ 5:30 pm

Hello everyone! Today we’ll be installing Impacket and Pcapy for Python 2.6 on Windows. The Impacket module lets you parse network packets, this is very useful for example when developing a sniffer. The Pcapy module interfaces with WinPcap to do the actual packet capture.

From the CORE Security webpage:

What is Impacket?

Impacket is a collection of Python classes focused on providing access to network packets. Impacket allows Python developers to craft and decode network packets in simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB. Impacket is highly effective when used in conjunction with a packet capture utility or package such as Pcapy. Packets can be constructed from scratch, as well as parsed from raw data. Furthermore, the object oriented API makes it simple to work with deep protocol hierarchies.

What is Pcapy?

Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

There is a problem though – Pcapy hasn’t been updated in quite a while, so there is no MSI installer for Python 2.6. I’ve built it myself and hosted in here in the blog, so you don’t have to. :) I’ve also built an EXE installer for Impacket, it’s not really needed since it’s a pure Python module, but why not?

So this is the list of files we’ll be needing:

WinPcap_4_1_1.exe

pcapy-0.10.5.win32-py2.6.msi

Impacket-0.9.8.0.win32.exe

Installation is now pretty much straight forward. After running all the installers, let’s try it out with this example script to dump all connection attempts by sniffing SYN packets:

    C:\Documents and Settings\Mario Vilas\Desktop>python connections.py
    Available network interfaces:
            1 - \Device\NPF_GenericDialupAdapter
            2 - \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
            3 - \Device\NPF_{9B7DC2FB-7660-4E68-B4EC-DB9682C76E40}
            4 - \Device\NPF_{166A618C-4230-42E7-93AD-298D1145F5BC}
            5 - \Device\NPF_{BE987C8D-D523-49B8-8B95-DDDBAA46EB3F}

    Choose an interface [0 to quit]: 2
    Listening on: \Device\NPF_{5BE055D9-461D-4F51-99DD-188224D1A6D0}
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 192.168.254.254
    Connection attempt 10.0.2.15 -> 209.85.227.106
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.104
    Connection attempt 10.0.2.15 -> 209.85.227.100
    ^C

Below is the source code to the script. Enjoy! :)

Updates

  • A newer version of Impacket is hosted at Google Code, so I built a new installer. The previous version of the installer, based on the version of Impacket found in the Core Security webpage, is still available here: Impacket-0.9.6.0.win32.exe
  • Ge0 has built Pcapy for Python 2.7 using MingW to avoid having a depencency against the Visual Studio runtimes. You can download it from here: pcapy.pyd

Download

connections.py

Source code

(more…)

February 10, 2010

Quickpost: New remote authentication vulnerability in Windows

A new security advisory has been published today on a new remote vulnerability (MS10-012, CVE-2010-0231) in the SMB protocol on many Windows versions, ranging from the now ancient Windows NT to the latest Windows 7. This would allow an attacker to authenticate to almost any Windows box, read and write any files, or alternatively upload an executable file and run it. Just let me quote the following, it’s what caught my eye the most:

Given that Windows NT 4 was relased in ~1996 this vulnerability has been
present for ~14 years. If it is confirmed this vulnerablity is also
present in older systems such as Windows NT 3.1, released in ~1993,
Windows NTLMv1 authentication mechanism could have been vulnerable for
~17+ years
.

Whoa. That’s kind of scary.

Kudos to Hernan Ochoa and Agustin Azubel for this great find! :)

Below is the complete text of the advisory, except for the source code to the scripts, which were removed for brevity. The original advisory can be downloaded from: http://www.hexale.org/advisories/OCHOA-2010-0209.txt.

Update: Hernan Ochoa has also written an article regarding the risk assesment for this vulnerability.

(more…)

March 23, 2009

Netifera 1.0 released!

Filed under: Tools — Tags: , , , , , , , — Mario Vilas @ 9:23 am

After a long wait, Netifera version 1.0 was released. I talked about this tool in a previous post. The feature list seems to have remained pretty much the same, with some new bruteforcing modules – most notably the remote OS and architecture detection was drastically improved, and as expected contains many bugfixes compared to the previous betas.

Here’s the full feature list:

Tools

  • Full IPv6 support
  • TCP and UDP network scanning
  • Service detection
  • Operating system identification
  • Reverse DNS scanning
  • DNS name brute forcing
  • DNS zone transfer information gathering
  • Geographical information about network addresses
  • Authentication brute force attack (against HTTP, FTP,IMAP and POP3)
  • Web crawler discovers applications, collects email addresses and adds the site structure to the model
  • Integrated terminal for connecting to and interacting with network services

Passive Tools

  • Modular packet capture service
  • Capture packets on multiple interfaces simultaneously
  • Parse ’pcap’ format capture files as input to sniffing modules
  • HTTP traffic analysis
  • DNS information gathering from captured responses
  • Network stack fingerprinting
  • Service detection from captured banners and protocol packets
  • Client application detection
  • Credential sniffing for many protocols

Data Model

All information discovered by the netifera platform is persistently
stored in a workspace database. Our extension design allows for
developers to easily create their own data types and integrate them
into the platform.

User Interface

The platform provides an intuitive and professional quality graphical
user interface for using the tools written for our platform and
navigating the information they produce. Different tasks in our
application such as sniffing information from the network, or actively
collecting information by scanning networks, or exploring the local
environment of a remotely deployed probe (coming soon! ) each have a
specialized configuration of the user interface called a ’perspective’

Programming API

The netifera platform brings together high quality programming APIs
for tasks such as:

  • High performance asynchronous socket connection and communication
  • Link level packet capture and raw socket injection
  • 802.11 monitor mode packet capture and injection (coming soon! )
  • Network protocol header construction and analysis (ethernet, ip, tcp, etc…)
  • Application layer protocol libraries (http, dns, ftp, etc…)

December 13, 2008

Did you check out Netifera already?

Filed under: Tools — Tags: , , , , , — Mario Vilas @ 2:27 am

Netifera is a new open source security tool for network mapping and security auditing for Linux and Mac OS X (Windows will also be supported in the future). It’s a only beta for now, but I think we’ll be hearing much more about it!

There are two kinds of recon you can do with Netifera, active and passive. Today active recon seems a bit rough in the edges, but I’m sure it will evolve soon. There are TCP and UDP port scanners, a very complete DNS tool, a simple web crawler and a rudimentary FTP password bruteforcer.

The passive recon tool is much more remarkable, however. By sniffing the network, Netifera detects active hosts and open ports, maps which host has connected to which (that can help you deduce the function of each host in the network, or the relationships between them), and you can run active recon tools on said hosts while sniffing. Most notably the DNS information gathering tool can use any discovered host with port 53 open as a DNS server.

But there are two reasons for which it draws my attention so much. One is the development framework. Everything is done as Java plugins, pretty much like Eclipse, thus making it very extensible and easier to port to multiple platforms. Here is a tutorial on writing sniffer plugins for Netifera, to add functionality to the passive recon tool. I believe this is a key feature – the possibility of adding plugins for anything can quickly turn this quick-and-dirty recon tool into a much more advanced security audit tool in the future, as more users contribute to the project. It makes me think of Metasploit or nmap, they are what they are today thanks to user contributions, and Netifera may (hopefully) follow the same path. The one drawback I see here is the choice of language -Java- as opposed to scripting languages -Python, Perl, Ruby- which are much less robust but allow for faster development and quick-and-dirty tests scripts or macros.

The second reason I liked this so much is the probe idea they’ll be adding in upcoming versions. What is a probe? In a nutshell, it’s a tiny portable java runtime engine that you can deploy anywhere in the network. This probes can run any code from the Netifera framework (including your custom-made plugins of course), so it’s essentially the same as having the tool installed and running there, but without the hassle. :) By deploying many probes in your network you can map it from several points of view simultaneously, giving you a better perspective on it’s security. The beta you can download from the Netifera web page does not yet have the ability to deploy probes on other hosts, it’s a pity because I really wanted to try that out :( but I’ve been told it will be available soon, so stay tuned.

Well, enough said. Just go grab a copy and toy with it a little, don’t trust my word for it and see for yourselves! :)

The Silver is the New Black Theme. Create a free website or blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 2,481 other followers