

Posts by TreyGowdy

  1. TreyGowdy Houston
    Here is a recent article.

    http://www.burojansen.nl/bvd-aivd/dutch-secret-service-tries-to-recruit-tor-admin/

    Recently a Dutch man with an MSc (Master of Science) at the Delft University of Technology and admin of Tor-exit nodes was approached by two agents of the Dutch intelligence service, the AIVD. They wanted to recruit the man as an informant or undercover agent, who would also infiltrate foreign hacker communities. The person tells his story.
  2. TreyGowdy Houston
    Originally posted by SBTlauien Actually, they do show up as open in /proc/net/{tcp, tcp6}, not with 'netstat' though.

    It appears as if the browser checks to make sure the port isn't already open and then uses it. It also seems that browsers like to start in the 5xxx range. "Keep-alive" will actually use the same port for multiple requests, up to a specific time (this is based on the server and I read somewhere that there is a general time limit but can't remember. It's like 10 seconds or something).

    I've since made my program so that I can press a little play button and it'll refresh the contents of the four files (/proc/net/{tcp, tcp6, udp, udp6}) and keep track of what is opening and what is closing. I just don't understand why there is so much activity even though I'm not doing anything.

    I see it in both... Either way it is being used, but I wouldn't consider it open. I have tons of established connections to remote servers, none of these ever show up in nmap or other scans. And the ports in question are only apparent when scanning locally. I still would guess a partial connection from scan1 is being completed by scan2. I could be wrong, I really don't know what types of guards are in place to prevent this. The host, source, and destination, would be good, the only check is the packet isn't corrupted.
  3. TreyGowdy Houston
    Originally posted by SBTlauien This site here has some great examples. It's what I've been using. But I have been doing most of it on Android, so I can send packets and do network attacks via my phone. I know there are apps that do this, I like doing it on my own.

    How does the Arpspoof program work for you on your machines? I'm not getting many packets. It looks like a lot of the packets are repeats as well.

    It works well, I made a few modifications so it can take a victim MAC:
    https://github.com/shatwofiftysix/arp-poison/blob/master/arp-poison.c

    I'm not sure what you mean by "repeats" but it's sending the same packet over and over so it should be a repeat. Run wireshark and you should be able to see lots of them. Mostly ARP is for making requests ("who has 192.168.100.1? tell 192.168.100.22"); this is an advertisement (I forget the right word), so you see: "192.168.100.1 is at ff:ff:ff:ff:ff:ff".

    Oh I also enabled packet forwarding and some iptables rules for NAT, otherwise your machine will just drop the victim traffic it gets.


    sysctl -w net.ipv4.ip_forward=1
    # same runtime toggle via /proc (neither form survives a reboot; for a
    # permanent change put net.ipv4.ip_forward=1 in /etc/sysctl.conf and run sysctl -p):
    # echo 1 > /proc/sys/net/ipv4/ip_forward

    # probably not required, but maybe... (only needed if the victim's
    # forwarded traffic must leave source-NATed as your address; eth0 is
    # the upstream interface, change it to match your box)
    # modprobe iptable_nat
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


    The IP and MAC used should be the gateway/router (and in my modification an optional victim too). The original program wasn't too clear about what addresses were actually supposed to be used.

    For debugging with wireshark:
    1. Make sure there are ARPs and that they have the expected info (and that they are the advertisement ARPs and not regular traffic - step 3 can help differentiate them if need be, nobody on your network will have DE:EA:D0:00:BE:EF and then search wireshark for that term)
    2. Look for victim traffic, hit a few http sites to make this easy
    3. Try a garbage MAC and traffic should break on the victim machines
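
What the poison packet described in that post actually contains, as an added example that is not code from the linked arp-poison.c: it builds the unsolicited "is at" reply (opcode 2, as opposed to the "who has" request, opcode 1), decodes it the way Wireshark would so step 1 of the debugging list can be automated, and includes the DE:EA:D0:00:BE:EF garbage-MAC check from step 3. All addresses are constructed; actually transmitting the frame needs a raw AF_PACKET socket and root, and is left to the original program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire-format constants from RFC 826 / Ethernet II. */
#define ETHERTYPE_ARP      0x0806
#define ARP_HTYPE_ETHERNET 1
#define ARP_PTYPE_IPV4     0x0800
#define ARP_OP_REQUEST     1        /* "who has X? tell Y" */
#define ARP_OP_REPLY       2        /* "X is at MAC" */
#define ARP_FRAME_LEN      42       /* 14-byte Ethernet header + 28-byte ARP body */

struct arp_frame {
    uint8_t dst_mac[6], src_mac[6];             /* Ethernet header */
    uint16_t opcode;
    uint8_t sender_mac[6], sender_ip[4];        /* the (claimed) mapping */
    uint8_t target_mac[6], target_ip[4];        /* who the message is for */
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Serialize f into buf.  Returns the frame length, or -1 if buf is too small. */
int build_arp_frame(const struct arp_frame *f, uint8_t *buf, size_t buflen) {
    if (buflen < ARP_FRAME_LEN) return -1;
    memcpy(buf, f->dst_mac, 6);
    memcpy(buf + 6, f->src_mac, 6);
    put16(buf + 12, ETHERTYPE_ARP);
    put16(buf + 14, ARP_HTYPE_ETHERNET);
    put16(buf + 16, ARP_PTYPE_IPV4);
    buf[18] = 6;                                /* hardware address length */
    buf[19] = 4;                                /* protocol address length */
    put16(buf + 20, f->opcode);
    memcpy(buf + 22, f->sender_mac, 6);
    memcpy(buf + 28, f->sender_ip, 4);
    memcpy(buf + 32, f->target_mac, 6);
    memcpy(buf + 38, f->target_ip, 4);
    return ARP_FRAME_LEN;
}

/* Decode a captured frame.  Returns 0 for an Ethernet/IPv4 ARP frame, -1 otherwise. */
int parse_arp_frame(const uint8_t *buf, size_t len, struct arp_frame *f) {
    if (len < ARP_FRAME_LEN || get16(buf + 12) != ETHERTYPE_ARP) return -1;
    if (get16(buf + 14) != ARP_HTYPE_ETHERNET || get16(buf + 16) != ARP_PTYPE_IPV4) return -1;
    if (buf[18] != 6 || buf[19] != 4) return -1;
    memcpy(f->dst_mac, buf, 6);
    memcpy(f->src_mac, buf + 6, 6);
    f->opcode = get16(buf + 20);
    memcpy(f->sender_mac, buf + 22, 6);
    memcpy(f->sender_ip, buf + 28, 4);
    memcpy(f->target_mac, buf + 32, 6);
    memcpy(f->target_ip, buf + 38, 4);
    return 0;
}

/* The poison packet: an unsolicited reply, unicast to the victim, claiming that
 * spoofed_ip (the gateway) lives at attacker_mac.  The victim's ARP cache learns
 * it and gateway-bound traffic starts arriving at us; send the mirror image
 * (victim_ip is at attacker_mac, to the gateway) too for a full MITM, and keep
 * ip_forward on or the victim's traffic dies on our box. */
int build_poison_reply(const uint8_t spoofed_ip[4], const uint8_t attacker_mac[6],
                       const uint8_t victim_mac[6], const uint8_t victim_ip[4],
                       uint8_t *buf, size_t buflen) {
    struct arp_frame f;
    memcpy(f.dst_mac, victim_mac, 6);
    memcpy(f.src_mac, attacker_mac, 6);
    f.opcode = ARP_OP_REPLY;
    memcpy(f.sender_mac, attacker_mac, 6);
    memcpy(f.sender_ip, spoofed_ip, 4);
    memcpy(f.target_mac, victim_mac, 6);
    memcpy(f.target_ip, victim_ip, 4);
    return build_arp_frame(&f, buf, buflen);
}

/* Step 1 of the debugging list as code: is this frame an "is at" reply claiming
 * that claimed_ip lives at mac?  Requests and other traffic return 0. */
int is_is_at_for(const uint8_t *buf, size_t len, const uint8_t claimed_ip[4], const uint8_t mac[6]) {
    struct arp_frame f;
    if (parse_arp_frame(buf, len, &f) != 0 || f.opcode != ARP_OP_REPLY) return 0;
    return memcmp(f.sender_ip, claimed_ip, 4) == 0 && memcmp(f.sender_mac, mac, 6) == 0;
}

/* Constructed example addresses (not from a real network). */
static const uint8_t GATEWAY_IP[4]   = {192, 168, 100, 1};
static const uint8_t VICTIM_IP[4]    = {192, 168, 100, 22};
static const uint8_t ATTACKER_MAC[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t VICTIM_MAC[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
/* Step 3's garbage MAC: poison with this instead and the victim loses its gateway. */
static const uint8_t GARBAGE_MAC[6]  = {0xDE, 0xEA, 0xD0, 0x00, 0xBE, 0xEF};

static uint8_t example_buf[ARP_FRAME_LEN];

/* The example poison frame, built into a static buffer. */
const uint8_t *poison_example(void) {
    build_poison_reply(GATEWAY_IP, ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, example_buf, sizeof example_buf);
    return example_buf;
}

/* The example frame decoded again (NULL if it does not parse). */
const struct arp_frame *poison_example_decoded(void) {
    static struct arp_frame f;
    if (parse_arp_frame(poison_example(), ARP_FRAME_LEN, &f) != 0) return NULL;
    return &f;
}

int main(void) {
    const uint8_t *frame = poison_example();
    for (int i = 0; i < ARP_FRAME_LEN; i++) printf("%02x%s", frame[i], i == 13 || i == 41 ? "\n" : " ");
    printf("is-at for gateway from attacker MAC: %d, from garbage MAC: %d\n",
           is_is_at_for(frame, ARP_FRAME_LEN, GATEWAY_IP, ATTACKER_MAC),
           is_is_at_for(frame, ARP_FRAME_LEN, GATEWAY_IP, GARBAGE_MAC));
    return 0;
}
```

In Wireshark the same filter is `arp.opcode == 2 && arp.src.proto_ipv4 == 192.168.100.1`; the frame is 42 bytes on the wire before padding because the ARP body is fixed at 28 bytes for Ethernet/IPv4.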
  4. TreyGowdy Houston
    When you connect to a website at say niggasin.space:80 (wtf lanny no ssl?), your computer will pick a random source port to use. I don't know how it works, but these don't show up as open. I'm not really sure how it works and how these don't show open but still receive packets. In the case of TCP it probably just ignores any new connection attempts, but how could UDP know one way or the other?

    I'm seeing the same and only when I do it locally. For example a line like this showed up:

    tcp 0 0 192.168.99.99:35062 192.168.99.99:35062 TIME_WAIT


    Then it disappears. Same port showed up in my scan. This must have been triggered by the scan.
    If I toggle my interface and then scan, so it's completely clean, I only get the expected ports. Then the next run I get a bunch of random high numbered ones.

    Also the port isn't open/LISTEN according to netstat. If my program says open it's because I successfully opened a socket and did the 4 tcp handshake. And for some reason nmap enhancements these out.

    I want to say it's connecting to itself/hasn't fully given up on the connection. Is this possible? It does seem like a small chance the src and dst ports would be flipped like that.

    scan 1:
    ---src:33333 dst:4444 ---syn--->
    X
    X
    X

    scan 2:
    ---src:4444 dst:3333 ---syn--->
    <------ acks scan 1 -------
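
The /proc/net/tcp rows that the two posts above are reading, as an added example that is not the thread's own program: it decodes the hex address, port and state columns and separates a LISTEN socket (the only kind that accepts new connections) from an ephemeral-port connection that is merely in use, which is the difference between "shows up in /proc" and "open to nmap". The rows are constructed, not a real capture; row 1 reproduces the 192.168.99.99:35062 TIME_WAIT entry quoted above in /proc format. The ephemeral range is the Linux default and the address decoding assumes a little-endian host, both noted in the code.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Decoded view of one /proc/net/tcp row. */
struct sock_entry {
    char local_ip[16];
    unsigned local_port;
    char remote_ip[16];
    unsigned remote_port;
    unsigned state;        /* kernel TCP state code: 0x01 ESTABLISHED ... 0x0A LISTEN */
};

static const char *const tcp_state_names[] = {
    "UNKNOWN", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2",
    "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING",
};
#define N_STATES (sizeof tcp_state_names / sizeof tcp_state_names[0])

const char *tcp_state_name(unsigned st) {
    return st < N_STATES ? tcp_state_names[st] : "UNKNOWN";
}

/* /proc/net/tcp prints each IPv4 address as the raw 32-bit value the kernel
 * holds, in the host's native byte order, so on a little-endian (Intel) box
 * 127.0.0.1 reads "0100007F".  This decoder assumes little-endian. */
static void hex_addr_to_dotted(uint32_t v, char *out, size_t n) {
    snprintf(out, n, "%u.%u.%u.%u", v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, v >> 24);
}

/* Parse one data row (skip the header line).  Returns 0 on success, -1 if the
 * row lacks the "sl: laddr:lport raddr:rport st" layout. */
int parse_proc_tcp_line(const char *line, struct sock_entry *e) {
    unsigned sl, laddr, lport, raddr, rport, st;
    if (sscanf(line, " %u: %8x:%4x %8x:%4x %2x",
               &sl, &laddr, &lport, &raddr, &rport, &st) != 6)
        return -1;
    hex_addr_to_dotted(laddr, e->local_ip, sizeof e->local_ip);
    hex_addr_to_dotted(raddr, e->remote_ip, sizeof e->remote_ip);
    e->local_port = lport;
    e->remote_port = rport;
    e->state = st;
    return 0;
}

/* Default net.ipv4.ip_local_port_range on current Linux (assumption; read the
 * sysctl on a real box).  These are the source ports handed to outgoing connections. */
int is_ephemeral_port(unsigned port) { return port >= 32768 && port <= 60999; }

/* Only a LISTEN socket accepts new connections.  An ESTABLISHED or TIME_WAIT row
 * on an ephemeral port is one end of an existing connection (possibly the
 * scanner's own), which is why it appears here but never as "open" to nmap. */
int accepts_new_connections(const struct sock_entry *e) { return e->state == 0x0A; }

/* Constructed sample rows in /proc/net/tcp format (not a real capture):
 *   0: a daemon listening on 0.0.0.0:22
 *   1: the thread's 192.168.99.99:35062 -> 192.168.99.99:35062 TIME_WAIT leftover
 *   2: a browser connection 10.0.2.15:50010 -> 93.184.216.34:80 on an ephemeral port */
static const char *const sample_rows[] = {
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0",
    "   1: 6363A8C0:88F6 6363A8C0:88F6 06 00000000:00000000 03:00000123 00000000     0        0 0 3 0",
    "   2: 0F02000A:C35A 22D8B85D:0050 01 00000000:00000000 02:000000A0 00000000  1000        0 2 1 0 20 4 30 10 -1",
};
#define N_SAMPLES (sizeof sample_rows / sizeof sample_rows[0])

/* Parse sample row idx into a static entry; NULL if idx is out of range or the row is malformed. */
const struct sock_entry *sample_entry(unsigned idx) {
    static struct sock_entry e;
    if (idx >= N_SAMPLES || parse_proc_tcp_line(sample_rows[idx], &e) != 0) return NULL;
    return &e;
}

int main(void) {
    for (unsigned i = 0; i < N_SAMPLES; i++) {
        const struct sock_entry *e = sample_entry(i);
        if (!e) continue;
        printf("%s:%u -> %s:%u %-11s %s\n", e->local_ip, e->local_port,
               e->remote_ip, e->remote_port, tcp_state_name(e->state),
               accepts_new_connections(e) ? "open (LISTEN)"
               : is_ephemeral_port(e->local_port) ? "ephemeral client side, not listening"
               : "in use, not listening");
    }
    return 0;
}
```

Point the same parser at the real file (`fopen("/proc/net/tcp")`, skip the first line) and diff successive snapshots to get the open/close tracking the post describes; a row whose local and remote endpoints are identical, like row 1, is what a localhost scan leaves behind when the scanner's ephemeral source port happens to equal the port it probed.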

  5. TreyGowdy Houston
    Originally posted by SBTlauien Is this another agent?

    Nope just a Congressman.
  6. TreyGowdy Houston
    Originally posted by Sophie Hey Trey, welcome to the forum. We are into a lot of mischief including port scanning. Thank you for sharing your program. I like the way you write C, very readable.

    Also, i know you from github. ( ͡° ͜ʖ ͡°)

    I'm glad to hear. And yes I'm not new, just a name reset ;)
  7. TreyGowdy Houston
    This is my implementation in C. It does a full connect scan which I read isn't the stealthiest, but it works.

    The subnet library is a nifty way to do the bitwise ip logic although it's not great because I assemble a big endian bit string for the ip, but the architecture might not interpret it the same way. I'm on a little-endian (Intel) machine and it works. If you have a big endian machine you should let me know if it does or doesn't (I'll spin up a VM eventually too). I might need to explicitly test for endianness.

    Trying to make sense of how I assemble the string, then how the architecture will interpret it, and then how the network structs will interpret that... making my head hurt. I just know I switch the endianness before sticking it into the addr struct.

    https://github.com/shatwofiftysix/host-scan

    edit: fuck it just look at the code on github

    Post last edited by TreyGowdy at 2017-01-29T21:52:48.916741+00:00
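
The endianness problem in that post, done without assembling a bit string, as an added example that is not the host-scan code: inet_pton() produces the address in network byte order, ntohl() turns it into a plain integer once, all the mask/network/host arithmetic happens on that integer (so it is identical on big- and little-endian CPUs), and htonl() converts back only at the moment the value enters a sockaddr_in for connect(). The default target prefix is constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* A parsed prefix.  network is kept in HOST byte order so ordinary integer
 * arithmetic works regardless of the CPU; it is converted with htonl() only
 * when it is written into a sockaddr. */
struct cidr {
    uint32_t network;
    int prefix;
};

static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Parse "a.b.c.d/n".  Returns 0, or -1 on a malformed address or prefix. */
int parse_cidr(const char *text, struct cidr *out) {
    char buf[32], *slash, *end;
    struct in_addr a;
    long p;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    if ((slash = strchr(buf, '/')) == NULL) return -1;
    *slash = '\0';
    p = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || p < 0 || p > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;     /* a.s_addr is network order */
    out->network = ntohl(a.s_addr) & prefix_mask((int)p); /* host order from here on */
    out->prefix = (int)p;
    return 0;
}

/* Number of addresses a connect scan should try.  /31 and /32 have no separate
 * network/broadcast address (RFC 3021); larger blocks lose those two. */
uint64_t cidr_host_count(const struct cidr *c) {
    uint64_t size = (uint64_t)1 << (32 - c->prefix);
    return c->prefix >= 31 ? size : size - 2;
}

/* Fill sin with the n-th scannable host (0-based) and format it as text.
 * The htonl() here is the only byte-order conversion on the way out. */
int cidr_nth_host(const struct cidr *c, uint64_t n, struct sockaddr_in *sin, char *text, size_t textlen) {
    if (n >= cidr_host_count(c)) return -1;
    uint32_t host = c->network + (c->prefix >= 31 ? 0 : 1) + (uint32_t)n;
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
    sin->sin_addr.s_addr = htonl(host);
    return inet_ntop(AF_INET, &sin->sin_addr, text, textlen) ? 0 : -1;
}

int cidr_contains(const struct cidr *c, const char *ip) {
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    return (ntohl(a.s_addr) & prefix_mask(c->prefix)) == c->network;
}

/* Text-in, text-out wrappers: 0 / NULL on bad input. */
uint64_t host_count_of(const char *cidr_text) {
    struct cidr c;
    return parse_cidr(cidr_text, &c) == 0 ? cidr_host_count(&c) : 0;
}
const char *nth_host_of(const char *cidr_text, uint64_t n) {
    static char text[INET_ADDRSTRLEN];
    struct cidr c;
    struct sockaddr_in sin;
    if (parse_cidr(cidr_text, &c) != 0 || cidr_nth_host(&c, n, &sin, text, sizeof text) != 0) return NULL;
    return text;
}
int cidr_text_contains(const char *cidr_text, const char *ip) {
    struct cidr c;
    return parse_cidr(cidr_text, &c) == 0 && cidr_contains(&c, ip);
}

int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "192.168.99.0/29";   /* constructed default */
    struct cidr c;
    struct sockaddr_in sin;
    char text[INET_ADDRSTRLEN];
    if (parse_cidr(target, &c) != 0) { fprintf(stderr, "bad prefix: %s\n", target); return 1; }
    for (uint64_t n = 0; n < cidr_host_count(&c); n++) {
        cidr_nth_host(&c, n, &sin, text, sizeof text);   /* sin is now ready for connect() */
        printf("%-15s s_addr on the wire: %08x\n", text, (unsigned)sin.sin_addr.s_addr);
    }
    return 0;
}
```

Run it on a little-endian and a big-endian machine and the dotted output is identical while the printed s_addr differs only because it is being shown as a native integer; that is the whole point of doing the arithmetic on the ntohl() result rather than on a hand-built byte string.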