How to hire hackers?

I was playing with tcpdump and I found it ...

tcpdump -n -i wlan0 port 80 -X -A -xx -n
0x0120: 436f 6f6b 6965 0d0a 582d 6861 636b 6572 Cookie..X-hacker
0x0130: 3a20 4966 2079 6f75 2772 6520 7265 6164'
0x0140: 696e 6720 7468 6973 2c20 796f 7520 7368 ing.this,
0x0150: 6f75 6c64 2076 6973 6974 2061 7574 6f6d ould.visit.autom
0x0160: 6174 7469 632e 636f 6d2f 6a6f 6273 2061
0x0170: 6e64 2061 7070 6c79 2074 6f20 6a6f 696e
0x0180: 2074 6865 2066 756e 2c20 6d65 6e74 696f,.mentio
0x0190: 6e20 7468 6973 2068 6561 6465 722e 0d0a n.this.header...

The URL ? wordpress! :-D Yes, this the wordpress way to hire hackers.

Grabbing and sending packets with Scapy (Scapy, part 2)

HI folk, in the last post (a long time ago), I write a short introduction to Scapy tool. With this post, I need, show to you, how grab and send packets with Scapy. This is a good way to develop tools to test any network application, such study Kaminsky's DNS flaw, since no talks about anything else on the Internet.

In scapy there are many methods to send or receive a packet in network. We have the families of commands, below:

  • Send family - Just send packets in layer 2 or 3.
  • Send and Receive family - Send packets in layer 2 or 3 and print or store results.
  • Sniff family - Receive packets in promisc mode and return them in a packet list.

This post is not intended as a reference for each of the families above. For more informations, execute lsc() in scapy and see Scapy doc.

You can see a sample of Sniff family in action, below (execute scapy as root):

>>> a=sniff(count=2)
>>> a
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>
>>> a.nsummary()
0000 Ether / IP / UDP / DNS Qry ""
0001 Ether / IP / UDP / DNS Ans ""
>>> a[0].show()
###[ Ethernet ]###
dst= 00:03:99:89:83:a9
src= 00:1e:c9:1b:7b:da
type= 0x800
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 60
id= 12959
flags= DF
frag= 0L
ttl= 64
proto= udp
chksum= 0xd5af
options= ''
###[ UDP ]###
sport= 54584
dport= domain
len= 40
chksum= 0x329c
###[ DNS ]###
id= 16628
qr= 0L
opcode= QUERY
aa= 0L
tc= 0L
rd= 1L
ra= 0L
z= 0L
rcode= ok
qdcount= 1
ancount= 0
nscount= 0
arcount= 0
|###[ DNS Question Record ]###
|  qname= ''
|  qtype= A
|  qclass= IN
an= 0
ns= 0
ar= 0

You can have many parameters in sniff() function, like a filter , timeout , an interface (iface ), and a function to apply to each packet (prn and lfilter ).

>>>  sniff(filter="udp and port 53", count=2, iface="eth0")
<Sniffed: UDP:2 ICMP:0 TCP:0 Other:0>

Sending a simple ICMP packet

>>> pkt=IP(dst="")/ICMP()
>>> pkt
<IP  frag=0 proto=icmp dst= |<ICMP  |>>
>>> send(pkt,count=2)
Sent 2 packets.

Ok, this is a simple sample, I know, but you now can use your mind and play with Scapy.

Scapy, part 1

Okay, you can say: You are outdated!! Since it is a tool of five years old. But I never gave considerable attention to it. In last week I see in top 100 network security tool in Fyodor's site, and I can't stop using it. I am talking about the Scapy, a Python program that enables you to forge, dissect, emit or sniff network packets, probe, scan and what your mind wants.

This is a simple post, only to show the basic concepts of scapy.

What is scapy?

From Scapy:

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."

What you saw in scapy?

If you, like me, needs tools to:

  • Does unitary tests (ping, arp, traceroute, hping2, etc...);
  • Sniffing tool for captures packets and possibly dissects them (tcpdump, ethereal, vomit, iptraf, etc...);
  • Scanning a given range (nmap, amap, firewalk, etc...);
  • Forges packets and sends them (packeth, packit, packet excalibur, nemesis, tcpinject, libnet, etc...), and possibly
  • know the service / version of some host. (nmap, xprobe, p0f, cron-OS, queso, etc...)

Then you need know scapy.

Scapy, has the following principle: Machines are good at decoding and humans are good at interpreting:

When a nmap tool say:

Interesting ports on
22/tcp filtered ssh

Is different to say: It was an ICMP host unreachable. The port is not filtered, but there is no host behing the firewall.

Okay, its show time!

Install Scapy in your Unix box. Detail in Scapy portability page.

Start scapy:

anita:~# scapy
Welcome to Scapy (v1.1.1 / -)

First steps with packet manipulation:

>>> ip=IP(ttl=10)
>>> ip
< IP ttl=10 |>
>>> ip.src
>>> ip.dst=""
>>> ip
< IP ttl=10 dst= |>
>>> ip.src
>>> del(ip.ttl)
>>> ip
< IP dst= |>
>>> ip.ttl
>>> tcp=TCP(flags="SF")
>>> pkt=ip/tcp
>>> pkt
>>> pkt.command()
"IP(dst='', ttl=10)/TCP(flags=3)"
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
frag= 0
ttl= 10
proto= tcp
chksum= 0x0
options= ''
###[ TCP ]###
sport= ftp_data
dport= www
seq= 0
ack= 0
dataofs= 0
reserved= 0
flags= FS
window= 8192
chksum= 0x0
urgptr= 0
options= {}

Some stuff you can do on a packet:

  • str(pkt) to assemble the packet
  • hexdump(pkt) to have an hexa dump
  • ls(pkt) to have the list of fields values
  • pkt.summary() for a one-line summary
  • for a developped view of the packet
  • pkt.show2() same as show but on the assembled packet (checksum is calculated, for instance)
  • pkt.sprintf() fills a format string with fields values of the packet
  • pkt.decode_payload_as() changes the way the payload is decoded
  • pkt.psdump() draws a postscript with explained dissection
  • pkt.pdfdump() draws a PDF with explained dissection
  • pkt.command() return a Scapy command that can generate the packet

You can send, receive, sniffer, and more. I will try show others methods in nexts parts.

And the grand finale:

>>> pkt.pdfdump()

The output:

If I have time, I will write part 2. Bye.

Kids 0.1b released

It is my great pleasure to announce the availability of KIDS 0.1b, an Kernel (Network) Intrusion Detection System. This project is the result of a year of research on kernel and Network IDS. The Kernel Intrusion Detection System-KIDS, is a Network IDS, where the main part, packets grab/string match, is running at kernelspace, with a hook of Netfilter Framework. This project is not ready for use. It is only a proof of concept and should not be put in an environment in production, yet.

The main goal of KIDS is to try to reduce the delay in the processing of the rules, with the elimination of two changes in context (kernel-user-user-kernel), as this task is performed in kernelspace.

The main goal of KIDS is to try to reduce the delay in the processing of the rules, with the elimination of two changes in context (kernel-user-user-kernel), as this task is performed in kernelspace.

Very thanks to Amador Pahim, my boss and Teacher Advisor.

A more detailed document for development / hacking will be drafted later.

For more information about KIDS project, please see:


Quem disse que o Linux não trava ?? Que atire a primeira pedra quem nunca viu ao menos um kernel panic na tela ? Pois bem, quando um erro grave ocorre no sistema, entre outras coisas que o kernel faz uma delas é exibir no terminal e/ou sistema de log, uma mensagem bastante conhecida por quem já passou por isso, a famosa mensagem de Oops. Trata-se de um dump do estado do CPU e da pillha do Kernel no momento em que o problema ocorreu. A mensagem de Oops mais conhecida é a que vem acompanhada de um kernel panic. Muitos ao se deparar com isso, percebem que nada funciona (na maioria dos casos), Ctrl+Alt+Backspace, teclas de função, e nem água, ai, simplesmente reiniciam a máquina, podendo causar ainda mais problemas.

Abaixo um exemplo de uma mensagem de Oops:

Unable to handle kernel paging request at virtual address 00010015
 printing eip:
*pde = 00000000
Oops: 0000
CPU:    0
EIP:    0010:[usb_unlink_urb+8/64]    Tainted: P
EFLAGS: 00010202
eax: 00010001   ebx: d70c6494   ecx: c7c81000   edx: 00010001
esi: c7c81640   edi: d70c6400   ebp: d70c64f0   esp: d2daded0
ds: 0018   es: 0018   ss: 0018
Process kpilotDaemon (pid: 30778, stackpage=d2dad000)
Stack: d892a2ed 00010001 d70c6494 d70c6400 d3df51c0 00000000 d8924350 d70c6494
       d3df51c0 d725a000 cc5faa40 c16063c0 c018c460 d725a000 d3df51c0 d3df51c0
       cc5faa40 c16063c0 c8117e40 00000001 d3df51c0 bffff0e8 00000000 00000000
Call Trace: [] [] [release_dev+576/1280]
[n_tty_ioctl+257/1200] [tty_release+10/16]
   [fput+76/224] [filp_close+92/112] [sys_close+67/96] [system_call+51/56] 

Code: 8b 42 14 85 c0 74 21 8b 80 bc 00 00 00 85 c0 74 17 8b 40 18

Esta mensagem pode ajudar aos desenvolvedores do kernel a depurar melhor o problema, e mesmo que você não reporte o bug, você pode se utilizar de um recurso que foi desenvolvido pensando nisto: As Magic SysRq Keys.

Trata-se de uma combinação de teclas que é utilizada para comunicar-se com o kernel do Linux, caso a opção CONFIG_MAGIC_SYSRQ tiver sido habilitada durante a compilação do kernel, ou em /proc/sys/kernel/sysrq.

Basta apertar Alt+PrintScreen+Tecla e a saída (dependendo da tecla) é enviada para o dmesg. Abaixo apenas algumas teclas:

Tecla Descrição
t Lista de tarefas/processos com suas informações detalhadas
u Remonta todas as partições montadas, só que em read-only
m Mostra informações sobre o estado atual da memória
e Envia um sinal do tipo SIGTERM para todos os processos, exceto para o init

Existe a famosa combinação: Alt+PrintScreen+R E I S U B, onde basicamente mata todos os processos, sincroniza os discos, remonta todas os filesystems montados em read-only, e só então reinicia a máquina. Por tanto, antes de "meter o dedão" no botão de power, REISUB. :)

Sysadmin Appreciation Day

Parabéns a todos os Administradores de Sistemas, hoje é o nosso dia. A cada ano, desde 2000, toda última sexta-feira do mês de Julho, este ano, hoje, 27 de Julho, se comemora o Sysadmin Appreciation Day, um dia para apreciar e agradecer a existência do Sysadmin da sua empresa.

Hoje é um dia onde camisas com dizeres do tipo: "curve-se diante de mim, ser insignificante, pois eu sou o root." podem ser utilizadas sem muitos problemas e chantagens como esta ou até piores podem acontecer na sua empresa. Portanto não esqueça de bajular o seu sysadmin hoje.

Sede não é nada, imagem é que é tudo.

O ditado é antigo, mas é fato, uma imagem vale mais que mil palavras. Para quem trabalha com administração de servidores e necessita manipular as regras do Netfilter, pelo iptables, entender suas chains e tables, pode parecer confuso a primeira vista, mas seus problemas acabaram, sua vida irá mudar depois da imagem feita por Martin A. Brown, que explica da maneira mais simples possível, com uma simples imagem o funcionamento do fluxo do pacotes que atravessam o framework Netfilter e suas chains.

Cick na imagem para ampliar. Precisa explicar mais alguma coisa ?