User Controls
Posts by LiquidIce
-
2016-02-19 at 5:21 PM UTC in How does this phising site look?10/10 would get scammed again.
-
2016-02-19 at 4:54 PM UTC in ATTN SophiePMs would be nice. I wonder if there's a serverless solution to this problem, something like JS + webrtc to sync mailboxes between users that are online at the same moment. Not ideal, but then info could be beamed straight from user to user, no need to hit the server/vb/whatevs.
-
2016-02-19 at 3:41 PM UTC in C raw TCP packet, including headersHere's my go at it. I modified your first code with what little C I know to do these things:
- add a field to the tcpheader struct called "tcph_msg"
- change the stuff with argc to pass in data through the cli as the last argument
- copy the string from argv[5] into tcph_msg
- calculate the length of the packet and set ip->iph_len to it
I haven't tested it but I hope it at least gives you a rough idea what's involved in adding a piece of data to the packet. The tricky part for me was understanding what lines 59 and 60 do and I think that this is what happens:
- take a 8192 long piece of memory (which is more than enough)
- create a pointer *ip to the start of the buffer(at position buffer[0]) that is cast as the ipheader struct.
- create a pointer *tcp to LENGTH_OF_IP_HEADER (at position buffer[LEN_OF_IP_HEADER]) that is cast as the tcpheader struct.
- zero the whole buffer out.
#include <unistd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#define PCKT_LEN 8192
#define MSG_LEN 1024
struct ipheader {
unsigned char iph_ihl :5, /* Little-endian */
iph_ver :4;
unsigned char iph_tos;
unsigned short int iph_len;
unsigned short int iph_ident;
unsigned char iph_flags;
unsigned short int iph_offset;
unsigned char iph_ttl;
unsigned char iph_protocol;
unsigned short int iph_chksum;
unsigned int iph_sourceip;
unsigned int iph_destip;
};
struct tcpheader {
unsigned short int tcph_srcport;
unsigned short int tcph_destport;
unsigned int tcph_seqnum;
unsigned int tcph_acknum;
unsigned char tcph_reserved :4, tcph_offset :4;
unsigned int tcp_res1 :4, /*little-endian*/
tcph_hlen :4, /*length of tcp header in 32-bit words*/
tcph_fin :1, /*Finish flag "fin"*/
tcph_syn :1, /*Synchronize sequence numbers to start a connection*/
tcph_rst :1, /*Reset flag */
tcph_psh :1, /*Push, sends data to the application*/
tcph_ack :1, /*acknowledge*/
tcph_urg :1, /*urgent pointer*/
tcph_res2 :2;
unsigned short int tcph_win;
unsigned short int tcph_chksum;
unsigned short int tcph_urgptr;
char tcph_msg[MSG_LEN];
};
unsigned short csum(unsigned short *buf, int len) {
unsigned long sum;
for (sum = 0; len > 0; len--){
sum += *buf++;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
return (unsigned short) (~sum);
}
int main(int argc, char *argv[]) {
int sd;
// No data, just datagram
char buffer[PCKT_LEN];
// The size of the headers
struct ipheader *ip = (struct ipheader *) buffer;
struct tcpheader *tcp = (struct tcpheader *) (buffer + sizeof(struct ipheader));
struct sockaddr_in sin, din;
int one = 1;
const int *val = &one;
memset(buffer, 0, PCKT_LEN);
if (argc != 6) {
printf("- Invalid parameters!!!\n");
printf("- Usage: %s <source hostname/IP> <source port> <target hostname/IP> <target port> <data>\n", argv[0]);
exit(-1);
}
sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if (sd < 0) {
perror("socket() error");
exit(-1);
} else {
printf("socket()-SOCK_RAW and tcp protocol is OK.\n");
}
// The source is redundant, may be used later if needed
// Address family
sin.sin_family = AF_INET;
din.sin_family = AF_INET;
// Source port, can be any, modify as needed
sin.sin_port = htons(atoi(argv[2]));
din.sin_port = htons(atoi(argv[4]));
// Source IP, can be any, modify as needed
sin.sin_addr.s_addr = inet_addr(argv[1]);
din.sin_addr.s_addr = inet_addr(argv[3]);
// IP structure
ip->iph_ihl = 5;
ip->iph_ver = 4;
ip->iph_tos = 16;
ip->iph_len = sizeof(struct ipheader) + sizeof(struct tcpheader);
ip->iph_ident = htons(54321);
ip->iph_offset = 0;
ip->iph_ttl = 64;
ip->iph_protocol = 6; // TCP
ip->iph_chksum = 0; // Done by kernel
// Source IP, modify as needed, spoofed, we accept through command line argument
ip->iph_sourceip = inet_addr(argv[1]);
// Destination IP, modify as needed, but here we accept through command line argument
ip->iph_destip = inet_addr(argv[3]);
// The TCP structure. The source port, spoofed, we accept through the command line
tcp->tcph_srcport = htons(atoi(argv[2]));
// The destination port, we accept through command line
tcp->tcph_destport = htons(atoi(argv[4]));
tcp->tcph_seqnum = htonl(1);
tcp->tcph_acknum = 0;
tcp->tcph_offset = 5;
tcp->tcph_syn = 1;
tcp->tcph_ack = 0;
tcp->tcph_win = htons(32767);
tcp->tcph_chksum = 0; // Done by kernel
tcp->tcph_urgptr = 0;
strncpy(*tcp->tcph_msg, *argv[5], MSG_LEN)
// Calculate the ip len after adding data
ip->iph_len = sizeof(struct ipheader) + sizeof(struct tcpheader) + strlen(tcp->tcph_msg)
// IP checksum calculation
ip->iph_chksum = csum((unsigned short *) buffer, (sizeof(struct ipheader) + sizeof(struct tcpheader)));
// Inform the kernel do not fill up the headers' structure, we fabricated our own
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, val, sizeof(one)) < 0) {
perror("setsockopt() error");
exit(-1);
} else {
printf("setsockopt() is OK\n");
}
printf("Using:::::Source IP: %s port: %u, Target IP: %s port: %u.\n", argv[1], atoi(argv[2]), argv[3], atoi(argv[4]));
// sendto() loop, send every 2 second for 50 counts
unsigned int count;
for (count = 0; count < 20; count++) {
if (sendto(sd, buffer, ip->iph_len, 0, (struct sockaddr *) &sin, sizeof(sin)) < 0){ // Verify
perror("sendto() error");
exit(-1);
} else {
printf("Count #%u - sendto() is OK\n", count);
}
sleep(2);
}
close(sd);
return 0;
}
Here's a diff:
< #define MSG_LEN 1024
43d41
< char tcph_msg[MSG_LEN];
69c67
< if (argc != 6) {
---
> if (argc != 5) {
71c69
< printf("- Usage: %s <source hostname/IP> <source port> <target hostname/IP> <target port> <data>\n", argv[0]);
---
> printf("- Usage: %s <source hostname/IP> <source port> <target hostname/IP> <target port>\n", argv[0]);
120,123d117
< strncpy(*tcp->tcph_msg, *argv[5], MSG_LEN)
<
< // Calculate the ip len after adding data
< ip->iph_len = sizeof(struct ipheader) + sizeof(struct tcpheader) + strlen(tcp->tcph_msg)
149d142
< }
\ No newline at end of file
Another way to add data to this whole thing would be to create a char pointer at buffer[sizeof(ipheader) sizeof(tcpheader)], then write data to it (making sure it doesn't exceed 8192 - sizeof(ipheader) - sizeof(tcpheader), then calculate and set the ip->iph_len.
It'd be cool if someone else could confirm this as I havent touched C since 2013. -
2016-02-18 at 5:52 PM UTC in What are you hacking on?Ok, one last thing today, I promise - you can drain someone's phone battery by running an aggressive nmap scan again the phone when it's on a wifi network. Just run
nmap -A -T5 <phone's ip>
And sit back.
-
2016-02-18 at 10:33 AM UTC in What are you hacking on?Sup dawgs. I made a little greasemonkey script to enhancement out the shitty forums from this beautiful site and also to move TT way up top so I don't have to scroll. I'm thinking of adding some more enhancementing, perhaps based on topic titles or usernames and definitely gonna add a "click this button to load this image which is from http://..." function.
(function() {
var parentGetter = function(node, parentTag) {
if (node.nodeName == parentTag) {
return node;
} else {
return parentGetter(node.parentNode, parentTag);
}
}
var whiteList = ['Help and Suggestions', 'Nigga News', 'DIY', 'Flora & Fauna',
'Money Money Money...', 'STEMpremacy', 'Games People Play',
'Gearheads', 'Oh the Humanities!', 'Politics: Left, Reich, and Center',
'Printed Matter', 'Reinvent Yourself', 'Technophiliacs & Technophiles'];
var forums = document.querySelectorAll('.forum-title');
var tt = document.querySelector(
'.forum-title[href="http://niggasin.space/forum/technophiliacs-technophiles"]');
var ttClone = parentGetter(tt, 'TR').cloneNode(true);
var tbodyParent = parentGetter(forums[0], 'TBODY');
tbodyParent.insertBefore(ttClone, parentGetter(forums[0], 'TR'));
for (var i = 0; i < forums.length; i++) {
if (whiteList.indexOf(forums[i].text) < 0) {
var row = parentGetter(forums[i], 'TR');
row.remove();
}
};
})();
Im also trying to cancel image loading before the browser starts making GET requests, but no luck with greasemonkey yet, most likely because the event triggers come too late. Here's what I got so far though:
(function() {
MutationObserver = window.MutationObserver;
var observer = new MutationObserver(function(mutations) {
mutations.forEach(function(mutation) {
var addedNodes = mutation.addedNodes;
for (var i = 0; i < addedNodes.length; i++) {
if (addedNodes[i].nodeName == 'IMG') {
addedNodes[i].src = '';
}
}
});
});
// pass in the target node, as well as the observer options
observer.observe(document, {childList: true, subtree: true, attributes: true});
setTimeout(function() {
observer.disconnect();
}, 2000);
})();
-
2016-02-18 at 9:18 AM UTC in Official "My PMs and New Threads don't work" bump threadI like the personal touch of
console.log('sup niggers');
in the the js. Just noticed it. -
2016-02-18 at 8 AM UTC in An Unresponsive Port
Damn, no seeds anywhere though…
https://kat.cr/fuzzing-brute-force-vulnerability-discovery-sec-con-aphorist-t10158952.html
The book is nearly ten years old.
Try bookzz.org too. Damn, there's really very little out there about fuzzing. I found some tools that are easier to setup:
http://tools.kali.org/vulnerability-analysis/sfuzz
https://www.secforce.com/media/tools/proxyfuzz.py.txt (python, woo!)
http://eternal-todo.com/tools/malybuzz-network-fuzzer
And not fuzz-related: http://security.stackexchange.com/a/45039 (nmap - " version detection turned up to 11 " - Im running this against my own router now).
This thread gets my gears turning.
-
2016-02-17 at 9:37 AM UTC in An Unresponsive PortI just thought of this - if trying a few different approaches doesn't work, maybe it's time to fuzz!
I think the most probable case is that it's a udp or tcp port so it'd be most cost effective to try these two first and mess with application layer stuff before messing with transport layer stuff (not all cards or OS's even support other protocols ie. sctp is nice but not supported everywhere). My idea is to just fuzz the hell out of this port. I know nothing of fuzzers except the general idea, but I'd imagine the hammering the port with random data until something clicks could be worthwhile because it can be totally automated and pretty damn fast (ie. java + wlan).
I need to get http://www.amazon.com/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119/ to figure this shit out. -
2016-02-16 at 7:12 PM UTC in I learned to PHP
If you have to define functions by actually typing the word function and have to put brackets and arrows everywhere thats2verbose4me.
<?php
function writeMsg() {
echo "Hello world!";
}
writeMsg();
?>
What's even up with the silly brackets?
def hello():
print "Hello world!"
hello()
As demonstrated by this simple example, python is superior in all respects.
-
2016-02-16 at 8:58 AM UTC in What are you hacking on?Having finished fucking around with PHP, I'm focusing on a toy python project that I can show off and that might net me in some contracts or at least - github stars. I also got some bug bounties, but nowhere near enough to support myself, so Im trying to figure out a way to get mo' money. Maybe sometime this week I'll actually post some code that cant be linked back to me but that's still worth sharing.
-
2016-02-16 at 8:54 AM UTC in Is it possible to log log in attempts made on an access point?
If you have any serious concerns about privacy NETSEC, you should never use an ISP router. Not only that, it ends up more expensive in the long run.
ISP routers don't often have security logs in them because these functions reveal how frequently ISPs scan ports and stuff. ISPs also consider the routers "their property" that you're "renting" so they can legally mine it for data and theoretically access it whenever they want. Don't get me wrong, it's not like the network engineers are sitting around poking through peoples' data for the lulz (very often), but this hardware is intentionally vulnerable because it's designed to allow technicians at your ISP to troubleshoot in real time.
True dat. I've got my own openwrt router running behind the ISP's router just for this reason. Yeah, I could get a router/modem combo, but where I live, I don't have to pay to rent the isp modem/router. I'll have to setup a honeypot on my network to monitor if my ISP is doing any portscans and if yes - retreat back behind my openwrt router.
BTW, just my 2cents - it's easier to rally support if you already have a project going, even if it's just a readme or a few functions or an outline on how to approach a problem, than if you're trying to get support starting from 0. I got this from my own experience of trying to get people into a cool project.
The idea sounds pretty damn interesting, but I'm out of spare capacity at the moment due to trying at this freelance thing. I'm turning down a guy today because he wants to pay me in "eeh-kwi-tee" dollars. -
2016-02-16 at 8:50 AM UTC in An Alternate Internet
Your options seem to be between good privately owned infrastructure which, by definition, is beholden to corporate interests, good publicly owned infrastructure which is subject to the same issue in addition to the surveillance issue, or shitty mesh-infrastructure where it takes an indeterminate amount of time to send a packed across the continent. The mesh option means we really once and for all gives up the notion of reliable network communications but then it was an illusion to start with, you can just ignore it before getting to a certain level of ops. Public adoption is the obvious blocker, equipment and slow-as-ass connections don't exactly win over the paying public.
I imagine this mesh internet would look like something from mad max. The 2nd movie, not the new one. Imagine leather-wearing packets trying to make their way through the wastelands, having to fight off raiders and radscorpions.
Looking back the early 2000's, I'm amazed at how simple everything was. You didn't have fancy JS frameworks, servers didn't have to handle traffic from xmlhttprequests/websockets/sse's, html documents were really documents - not js applications, people put in a lot of time and effort into making small sized jpegs/gifs/pngs and you only had to take care of 800x600/1024x768 screens. Apart from sounding like an old fart, I mean to say that the way we interact with the web is becoming more and more abstract. 10 years ago you could focus on requests, but now we have this websocket/webrtc/whatever hotness that ensures more performance (for these fucking fat 15mb+ websites w/ ads and shit) and more and more people focus on this higher-level stuff and have no idea about the underlying workings. This feels bad to me because it means people are giving up part of their freedom. Like, you can't make a simple html website nowadays, you either need to learn a lot of stuff or give away your freedom and use super high level libraries/paas like heroku/config management magic. Sure, that automation is nice and all, but only if you know what it's really doing. Yesterday I met a front-end developer who said he's never heard of "sprites", wtf. So we have normal users for whom the internet is pure fucking magic and we have "developers" who have no idea about networks/dbs (backenders) or sop/cors/invalid markup (frontenders). Great.
The outlook is pretty fucking bleak.
I started looking into software defined radio as I think that might be a viable option, but Ive only played around with it. Radio packet network meshes might be where it's at because of how easy it is to set them up and somewhat easy to keep them running. Of course, we'd need good crypto to ensure that even if an enemy controls nodes, the information would still be safe.
Problem here is the radio spectrum is licensed by the state and if we'd have to keep to the 2.4ghz/5ghz open portions of it, that would severely limit the range of each node. I remember reading that we could do internet in the spectrum of the now-free analog tv frequencies and we'd get gigabit speeds easily because the spectrum is so big. It'd also help with range because, if I remember my high school physics correctly, analog tv waves carry energy further and can bounce off the stratosphere whereas the current wifi waves are great at penetrating stuff like walls and doors, but lose their energy very quickly.
-
2016-02-16 at 8:28 AM UTC in I learned to PHPWhen I read about globals in php5, I couldn't believe what Im reading. Even more so when I read about its relationship with mysql. You could get more good out of writing websites in bash. I mean, for god's sake, it's a templating language! I always marvel at how some companies build huge applications using php - anything else would be better, even god damned java.
That said, I do see a certain need for PHP, at least a bare minimum of knowledge necessary to throw up a simple script on a free/1cent-per-year host. After reading up on it, I understand why hordes of people own up to knowing this language, but I can't imagine why'd anyone focus on it and stick with it if there are alternatives such a ruby/python/lua/etc. out there. -
2016-02-15 at 3:54 PM UTC in Is it possible to log log in attempts made on an access point?
A lot of routers have this information available through their GUI when you connect to them through your web browser. I've done work on probably 4 different routers consistently and they all have this feature. Even if it's not explicitly listed, if there's some kind of "security" setting you can typically see it in the log. Often times you have to manually enable the log so that it records this stuff.
Huh, interesting. The ISP router's I've always had were shitty enough to not have this and I was pretty bamboozled when I saw this kinda thing on an OpenWRT router. Niggas4learning. -
2016-02-15 at 11:46 AM UTC in Is it possible to log log in attempts made on an access point?
-
2016-02-13 at 7:26 AM UTC in What are you hacking on?
I'd be kind of cool if you put the finished game on this site. Also, you may want to look into https://libgdx.badlogicgames.com/ (this has grow a bit since I've used it back before an official release). That's what I used to make my first game, and I used it to start others including two 3D games, but never finished any of these.
I'm personally messing with some routers at free wifi hotspots and messing around with a little VirginMobile hotspot I have. I have come across one router where I a response from a high port that says "Vty password is not set".
That's pretty cool shit, looking forward to reading about your findings. I think that these public wifi routers can't be all that secure, especially since you're on the same network and it'd be relatively easy to brute force stuff.
I found the ftp server on my ISP's router doesn't work because it expects a USB drive - Imma going to plug one in and try to authenticate with anonymous:anonymous.There's this dumb proprietary DB we use at work and the only way to query it is through this shitty late 90s era windows legacy app. All it does is send off SQL and wait for a response. And since it's an ugly ass GUI there's no way to automate anything with it. People ask me to run daily reports using this thing which is a drag. I'm working on a CLI client to the same DB that will, gods willing, at least let me rig this thing up to a cronjob and take out some of the tedium of generating reports done.
The more interesting project I'm working on is an implementation of Yinsh. I'm trying to make it as purely functional as possible (drawing to the screen is obviously not pure, but everything up to rendering is) and that's pretty fun. I have the rules implemented and a 2D representation of the game but now I want to write a webGL frontend to it because I want to do at least one 3D graphics project before I die.
Ugh, that proprietary DB stuff sounds fucking annoying. How did you figure out how to connect to the db to make your CLI client work? I'd assume the protocol would be proprietary as well. Ditto on the 3d game project.So I'm still in the process of making my network as secure as possible. I got a new modem / router, only to find that it didn't have a Coax cable port (yeah I know that was stupid). So now I have to buy a new one.
I'm also building my network. I designed and built a solar powered "micro computer" thing that I built and I'm probably going to turn it into a linux server for a pentesting lab.
I have two older computers that I'm fixing up and selling.
Beyond that I'm trying to work on some python because I joined a club dedicated to making duckduckgo better or something.
Pics man, pics! Who do you sell these computers to if you dont mind me asking?
Me, I'm wrapping up that PHP resource and trying my hand at analyzing code to find vulnerabilities that way. I gotta get better at blackbox testing if I wanna make any cash money off of bug bounties.
-
2016-02-12 at 3:07 PM UTC in New stuff to improve site
That doesn't seem like it would be hard.
It'd rule out 99% of users. -
2016-02-12 at 2:13 PM UTC in New stuff to improve siteI've heard that Lanny checks whether you are worthy by asking you if you know this site's real ip address.
Edit: After skimming through a book on PHP, I can't believe how retarded this language is. I can see why it was popular when there was nothing else (ie. early 2000's) but if you're using php now, you might as well just use coldfusion or cgi or whatevs*. I mean, it's an overgrown template language. Imagine writing web applications in .erb, handlebars, jinja, or markdown.
[SIZE=8px]*This is written from the perspective of php5[/SIZE] -
2016-02-11 at 5:32 PM UTC in How do I install linux?
See I grew up just booting stuff from USB back in oldschool BIOS. You just threw in a USB and told BIOS to boot from it.
Then I learned about UEFI and felt silly.
Yeah, same here, this UEFI thing totally blew up on me. I can see that it's sorta nice from a technical perspective, but I think it's implemented in a half-assed way and it just causes a lot of pain as soon as you step off the beaten/vendor-approved(apple/ms/ibm) path. -
2016-02-11 at 11:22 AM UTC in What are you hacking on?I thought I'd make a thread similar to the immortal "What are you reading?" thread from the book nook so that people can post what they're tech stuff theyre working on from time to time.
I've gotten back into infosec, mainly webapp/browser stuff and I've been scanning sites for vulns - already got some minor hits. It's hard for me to admit this, but I'm reading up on PHP because hurr durr, there's so much of it in the wild.
How bout you's?