Monday, June 13, 2016
Sunday, June 12, 2016
so, the motherfuckers don't send the error message , hummm :) guess what ??? we get a error message displayed if ...user jcc tries to remove a filterIF
Turning off the “Dead Gateway Detection” on the HP-UX servers
HP-UX 11.00 onwards uses a Default Gateway detection method that keeps pinging the router, and if the router fails to respond it will remove the default gateway route.
This particular feature has caused a situation when the Radware proprietary redundancy mechanism is utilized, when the backup device takes over the IP address of the active unit, it takes it over only for routing purposes, however any traffic (such as pings etc.,) destined to the active units IP address when it is present on the backup unit will be discarded.
To see if the setting is turned on or off, issue the following command on the HP-UX server:
ndd -get /dev/ip ip_ire_gw_probe
If the result is 1, it means the detection feature is enabled.
To turn it off, issue the following command:
ndd -set /dev/ip ip_ire_gw_probe 0
The command is temporary.To make it permanent, edit your /etc/rc.config.d/nddconf file to add:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0
The array value [0] may need to be changed if [0] is already used by some other entries in the nddconf file.
Note:
- Make sure the HP-UX system has the latest patch for NDD, since some earlier versions had some issues with properly updating the NDD.
- Radware proprietary ARP redundancy mechanism is not supported starting AppDirector 2.30 and LinkProof 6.20.
http://kb.radware.com/Questions/AppDirector/Public/Using-Radware%E2%80
If...then....https://github.com/koalyptus/TableFilter/
%99s-proprietary-redundancy-in-HP-UX-se
HP-UX 11.00 onwards uses a Default Gateway detection method that keeps pinging the router, and if the router fails to respond it will remove the default gateway route.
This particular feature has caused a situation when the Radware proprietary redundancy mechanism is utilized, when the backup device takes over the IP address of the active unit, it takes it over only for routing purposes, however any traffic (such as pings etc.,) destined to the active units IP address when it is present on the backup unit will be discarded.
To see if the setting is turned on or off, issue the following command on the HP-UX server:
ndd -get /dev/ip ip_ire_gw_probe
If the result is 1, it means the detection feature is enabled.
To turn it off, issue the following command:
ndd -set /dev/ip ip_ire_gw_probe 0
The command is temporary.To make it permanent, edit your /etc/rc.config.d/nddconf file to add:
TRANSPORT_NAME[0]=ip
NDD_NAME[0]=ip_ire_gw_probe
NDD_VALUE[0]=0
The array value [0] may need to be changed if [0] is already used by some other entries in the nddconf file.
Note:
- Make sure the HP-UX system has the latest patch for NDD, since some earlier versions had some issues with properly updating the NDD.
- Radware proprietary ARP redundancy mechanism is not supported starting AppDirector 2.30 and LinkProof 6.20.
http://kb.radware.com/Questions/AppDirector/Public/Using-Radware%E2%80
If...then....https://github.com/koalyptus/TableFilter/
%99s-proprietary-redundancy-in-HP-UX-se
Saturday, June 11, 2016
Black Hat Python: Building a UDP Scanner
A few weeks ago, I talked about how to use Wireshark for packet sniffing, but what if you don't have Wireshark available to monitor a network traffic?
Again, Python comes with several solutions and today I'm going through the steps to build a UDP Host discovery tool. First, we are going to see how we deal with raw sockets to write a simple sniffer, which is able to view and decode network packets. Then we are going to multithread this process within a subnet, which will result in our scanner.
The cool thing about raw sockets is that they allow access to low-level networking information. For example, we can use it to check IP and ICMP headers, which are in the layer 3 of the OSI model (the network layer).
The cool thing about using UDP datagrams is that, differently from TCP, they do not bring much overhead when sent across an entire subnet (remember the TCP handshaking). All we need to do is wait for the ICMP responses saying whether the hosts are available or closed (unreachable). Remember that ICMP is essentially a special control protocol that issues error reports and can control the behavior of machines in data transfer.
Writing a Packet Sniffer
We start with a very simple task: with Python's socket library, we will write a very simple packet sniffer.In this sniffer we create a raw socket and then we bind it to the public interface. The interface should be in promiscuous mode, which means that every packet that the network card sees is captured, even those that are not destined to the host.
One detail to remember is that things are slightly different if we are using Windows: in this case we need to send a IOCTL package to set the interface to promiscuous mode. In addition, while Linux needs to use ICMP, Windows allow us to sniff the incoming packets independently of the protocol:
import socket
import os
# host to listen
HOST = '192.168.1.114'
def sniffing(host, win, socket_prot):
while 1:
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_prot)
sniffer.bind((host, 0))
# include the IP headers in the captured packets
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
if win == 1:
sniffer.ioctl(socket.SIO_RCVALL, socket_RCVALL_ON)
# read in a single packet
print sniffer.recvfrom(65565)
def main(host):
if os.name == 'nt':
sniffing(host, 1, socket.IPPROTO_IP)
else:
sniffing(host, 0, socket.IPPROTO_ICMP)
if __name__ == '__main__':
main(HOST)
$ sudo python sniffer.py
$ sudo python raw_socket.py
('E\x00\x00T\xb3\xec\x00\x005\x01\xe4\x13J}\xe1\x11\xc0\xa8\x01r\x00\x00v\xdfx\xa2\x00\x01sr\x98T\x00\x00\x00\x008\xe3\r\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567', ('74.125.225.17', 0))
('E\x00\x00T\xb4\x1b\x00\x005\x01\xe3\xe4J}\xe1\x11\xc0\xa8\x01r\x00\x00~\xd7x\xa2\x00\x02tr\x98T\x00\x00\x00\x00/\xea\r\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567', ('74.125.225.17', 0))
Decoding the IP and ICMP Layers
The IP Header
A typical IP header has the following structure, where each field belongs to a variable (this header is originally written in C):
The ICMP Header
In the same way, ICMP can vary in its content but each message contains three elements that are consistent: type and code (tells the receiving host what type of ICMP message is arriving for decoding) and checksum fields.
For our scanner, we are looking for a type value of 3 and a code value of 3, which are the Destination Unreachable class and Port Unreachable errors in ICMP messages.
To represent this header, we create a class, with the help of Python's ctypes library:
import ctypes
class ICMP(ctypes.Structure):
_fields_ = [
('type', ctypes.c_ubyte),
('code', ctypes.c_ubyte),
('checksum', ctypes.c_ushort),
('unused', ctypes.c_ushort),
('next_hop_mtu',ctypes.c_ushort)
]
def __new__(self, socket_buffer):
return self.from_buffer_copy(socket_buffer)
def __init__(self, socket_buffer):
pass
Writing the Header Decoder
Now we are ready to write our IP/ICMP header decoder. The script below creates a sniffer socket (just as we did before) and then it runs a loop to continually read in packets and decode their information.Notice that for the IP header, the code reads the packet, unpacks the first 20 bytes to the raw buffer, and then prints the header variables. The ICMP header data comes right after it:
import socket
import os
import struct
import ctypes
from ICMPHeader import ICMP
# host to listen on
HOST = '192.168.1.114'
def main():
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind(( HOST, 0 ))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
while 1:
raw_buffer = sniffer.recvfrom(65565)[0]
ip_header = raw_buffer[0:20]
iph = struct.unpack('!BBHHHBBH4s4s' , ip_header)
# Create our IP structure
version_ihl = iph[0]
version = version_ihl >> 4
ihl = version_ihl & 0xF
iph_length = ihl * 4
ttl = iph[5]
protocol = iph[6]
s_addr = socket.inet_ntoa(iph[8]);
d_addr = socket.inet_ntoa(iph[9]);
print 'IP -> Version:' + str(version) + ', Header Length:' + str(ihl) + \
', TTL:' + str(ttl) + ', Protocol:' + str(protocol) + ', Source:'\
+ str(s_addr) + ', Destination:' + str(d_addr)
# Create our ICMP structure
buf = raw_buffer[iph_length:iph_length + ctypes.sizeof(ICMP)]
icmp_header = ICMP(buf)
print "ICMP -> Type:%d, Code:%d" %(icmp_header.type, icmp_header.code) + '\n'
if __name__ == '__main__':
main()
Testing the Decoder
Running the script in one terminal and sending a ping in other will return something like this (notice the ICMP type 0):$ ping www.google.com
PING www.google.com (74.125.226.16) 56(84) bytes of data.
64 bytes from lga15s42-in-f16.1e100.net (74.125.226.16): icmp_seq=1 ttl=56 time=15.7 ms
64 bytes from lga15s42-in-f16.1e100.net (74.125.226.16): icmp_seq=2 ttl=56 time=15.0 ms
(...)
$ sudo python ip_header_decode.py
IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:74.125.226.16, Destination:192.168.1.114
ICMP -> Type:0, Code:0
IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:74.125.226.16, Destination:192.168.1.114
ICMP -> Type:0, Code:0
(...)
$ traceroute www.google.com
traceroute to www.google.com (74.125.226.50), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 67.59.255.137 (67.59.255.137) 17.183 ms 67.59.255.129 (67.59.255.129) 70.563 ms 67.59.255.137 (67.59.255.137) 21.480 ms
4 451be075.cst.lightpath.net (65.19.99.117) 14.639 ms rtr102.wan.hcvlny.cv.net (65.19.99.205) 24.086 ms 451be075.cst.lightpath.net (65.19.107.117) 24.025 ms
5 64.15.3.246 (64.15.3.246) 24.005 ms 64.15.0.218 (64.15.0.218) 23.961 ms 451be0c2.cst.lightpath.net (65.19.120.194) 23.935 ms
6 72.14.215.203 (72.14.215.203) 23.872 ms 46.943 ms *
7 216.239.50.141 (216.239.50.141) 48.906 ms 46.138 ms 46.122 ms
8 209.85.245.179 (209.85.245.179) 46.108 ms 46.095 ms 46.074 ms
9 lga15s43-in-f18.1e100.net (74.125.226.50) 45.997 ms 19.507 ms 16.607 ms
sudo python ip_header_decode.py
IP -> Version:4, Header Length:5, TTL:252, Protocol:1, Source:65.19.99.117, Destination:192.168.1.114
ICMP -> Type:11, Code:0
(...)
IP -> Version:4, Header Length:5, TTL:250, Protocol:1, Source:72.14.215.203, Destination:192.168.1.114
ICMP -> Type:11, Code:0
IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:74.125.226.50, Destination:192.168.1.114
ICMP -> Type:3, Code:3
IP -> Version:4, Header Length:5, TTL:249, Protocol:1, Source:216.239.50.141, Destination:192.168.1.114
ICMP -> Type:11, Code:0
(...)
IP -> Version:4, Header Length:5, TTL:56, Protocol:1, Source:74.125.226.50, Destination:192.168.1.114
ICMP -> Type:3, Code:3
Writing the Scanner
Installing netaddr
We are ready to write our full scanner. But, first, let's install netaddr, which is a Python library for representing and manipulating network addresses.Netaddr supports the ability to work with IPv4 and IPv6 addresses and subnets MAC addresses, among others. This is very useful for our problem, since we want to be able to use a subnet mask such as 192.168.1.0/24.
$ sudo pip install netaddr
import netaddr
ip = '192.168.1.114'
if ip in netaddr.IPNetwork('192.168.1.0/24'):
print('OK!')
Enter the Scanner
To write our scanner we are going to put together everything we have, and then add a loop to spray UDP datagrams with a string signature to all the address within our target subnet.To make this work, each packet will be sent in a separated thread, to make sure that we are not interfering with the sniff responses:
import threading
import time
import socket
import os
import struct
from netaddr import IPNetwork, IPAddress
from ICMPHeader import ICMP
import ctypes
# host to listen on
HOST = '192.168.1.114'
# subnet to target (iterates through all IP address in this subnet)
SUBNET = '192.168.1.0/24'
# string signature
MESSAGE = 'hellooooo'
# sprays out the udp datagram
def udp_sender(SUBNET, MESSAGE):
time.sleep(5)
sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
for ip in IPNetwork(SUBNET):
try:
sender.sendto(MESSAGE, ("%s" % ip, 65212))
except:
pass
def main():
t = threading.Thread(target=udp_sender, args=(SUBNET, MESSAGE))
t.start()
socket_protocol = socket.IPPROTO_ICMP
sniffer = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket_protocol)
sniffer.bind(( HOST, 0 ))
sniffer.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
# continually read in packets and parse their information
while 1:
raw_buffer = sniffer.recvfrom(65565)[0]
ip_header = raw_buffer[0:20]
iph = struct.unpack('!BBHHHBBH4s4s' , ip_header)
# Create our IP structure
version_ihl = iph[0]
ihl = version_ihl & 0xF
iph_length = ihl * 4
src_addr = socket.inet_ntoa(iph[8]);
# Create our ICMP structure
buf = raw_buffer[iph_length:iph_length + ctypes.sizeof(ICMP)]
icmp_header = ICMP(buf)
# check for the type 3 and code and within our target subnet
if icmp_header.code == 3 and icmp_header.type == 3:
if IPAddress(src_addr) in IPNetwork(SUBNET):
if raw_buffer[len(raw_buffer) - len(MESSAGE):] == MESSAGE:
print("Host up: %s" % src_addr)
if __name__ == '__main__':
main()
$ sudo python scanner.py
Host up: 192.168.1.114
(...)
By the way, the results from our scanner can be checked against the values of the IP addresses in your router's DHCP table. They should match!
That's all, folks. Hope you had fun.
http://bt3gl.github.io/black-hat-python-building-a-udp-scanner.html
resumed : If you want to find IP connectd to a specific Port enable TP Tracking in your swicth and run, "sh mac address-table". This will give which MAC is connected to which port. "sh ip device tracking interface gigabitEthernet ". This will give which IP is connectd to a port. "sh ip arp" will give you a IP to MAC table
TSGrinder – Brute Force Terminal Services Server
This is a tool that has been around quite some time too, it’s still
very useful though and it’s a very niche tool specifically for brute
forcing Windows Terminal Server.
TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGringer is a “dictionary” based attack tool, but it does have some interesting features like “l337” conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a
username/password combination within a particular connection.
You can download TSGrinder 2.0.3 here:
tsgrinder-2.03.zip
Note that the tool requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:
roboclient.zip
Or read more here.
http://www.darknet.org.uk/2008/07/tsgrinder-brute-force-terminal-services-server/
TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGringer is a “dictionary” based attack tool, but it does have some interesting features like “l337” conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a
username/password combination within a particular connection.
You can download TSGrinder 2.0.3 here:
tsgrinder-2.03.zip
Note that the tool requires the Microsoft Simulated Terminal Server Client tool, “roboclient,” which may be found here:
roboclient.zip
Or read more here.
http://www.darknet.org.uk/2008/07/tsgrinder-brute-force-terminal-services-server/
RainbowCrack
http://project-rainbowcrack.com/
Introduction
RainbowCrack is a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique. It crack hashes with rainbow tables.RainbowCrack uses time-memory tradeoff algorithm to crack hashes. It differs from brute force hash crackers.
A brute force hash cracker generate all possible plaintexts and compute the corresponding hashes on the fly, then compare the hashes with the hash to be cracked. Once a match is found, the plaintext is found. If all possible plaintexts are tested and no match is found, the plaintext is not found. With this type of hash cracking, all intermediate computation results are discarded.
A time-memory tradeoff hash cracker need a pre-computation stage, at the time all plaintext/hash pairs within the selected hash algorithm, charset, plaintext length are computed and results are stored in files called rainbow table. It is time consuming to do this kind of computation. But once the one time pre-computation is finished, hashes stored in the table can be cracked with much better performance than a brute force cracker.
In this project, we focus on the development of optimized time-memory tradeoff implementation. GPU acceleration is another key feature of RainbowCrack software. By offloading most runtime computation to NVIDIA/AMD GPU, overall hash cracking performance can be improved further.
Several TB of generated rainbow tables for LM, NTLM, MD5 and SHA1 hash algorithms are listed in this page.
Download
Features of RainbowCrack Software
- Full time-memory tradeoff tool suites, including rainbow table generation, sort, conversion and lookup
- Support rainbow table of any hash algorithm
- Support rainbow table of any charset
- Support rainbow table in raw file format (.rt) and compact file format (.rtc)
- Computation on multi-core processor support
- GPU acceleration with NVIDIA GPUs (CUDA technology)
- GPU acceleration with AMD GPUs (OpenCL technology)
- GPU acceleration with multiple GPUs
- Runs on Windows operating systems
- Runs on Linux operating systems
- Unified rainbow table file format on all supported operating systems
- Command line user interface
- Graphics user interface
Download RainbowCrack
RainbowCrack 1.6.1 is released on April 25, 2015.We strongly recommend 64-bit version of the software. As no more than 2 GB memory can be used by 32-bit application.
| Version | Software | Operating System | GPU Acceleration | |
|---|---|---|---|---|
| 1.6.1 |  | rainbowcrack-1.6.1-win32.zip | Windows 7/8 32-bit |   |
| rainbowcrack-1.6.1-win64.zip | Windows 7/8 64-bit | |||
 | rainbowcrack-1.6.1-linux32.zip | Linux 32-bit (x86) | No | |
| rainbowcrack-1.6.1-linux64.zip | Linux 64-bit (x86_64) | |||
| 1.6 | | rainbowcrack-1.6-win32.zip | Windows XP/Vista/7/8 32-bit | |
| rainbowcrack-1.6-win64.zip | Windows XP/Vista/7/8 64-bit | |||
| rainbowcrack-1.6-linux32.zip | Linux 32-bit (x86) | No | |
| rainbowcrack-1.6-linux64.zip | Linux 64-bit (x86_64) | |||
| 1.5 | | rainbowcrack-1.5-win32.zip | Windows XP/Vista/7/8 32-bit | No |
| rainbowcrack-1.5-win64.zip | Windows XP/Vista/7/8 64-bit | |||
| rainbowcrack-1.5-linux32.zip | Linux 32-bit (x86) | No | |
| rainbowcrack-1.5-linux64.zip | Linux 64-bit (x86_64) |
Subscribe to:
Posts (Atom)
Ambassador @EmbaixadaRusPt URGENT INTEL the guy hedge fund is stable wontget higher to convince investors until end of the day @realDonaldTrump desesperate either help friends either stay with some cents @USTreasury @POLITICOEurope @ecb @FT @WSJ @EUCouncil @DeptofDefense
https://www.mediaite.com/news/billionaire-trump-backer-bill-ackman-skewers-howard-lutnicks-glaring-conflict-of-interest-he-profits-when-ou...
