Search the Community

169 exploituri https://packetstormsecurity.com/files/download/132117/1505-exploits.tgz

1. Introduction The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation. The intention of this article is to present how IP fragmentation could be used by the attacker to bypass packet filters (IP fragmentation overlapping attack). Finally, it is shown how this attack can be prevented by stateful inspection. 2. Understanding IP fragmentation Two layers of the OSI model are specially interesting when IP fragmentation is discussed – layer 3 (network) and layer 2 (data link). Data of the network layer is called a datagram and data of the data link layer is called a frame. From the data flow perspective – the datagram becomes included in the frame (encapsulation) and is sent to the receiver via the physical medium in the form of ones and zeros (physical layer – layer 1 of the OSI model). It may occur that the data of the network layer might be too large to be sent over the data link layer in one piece. Then it needs to be fragmented. How much data can be sent in one frame? It is defined by the MTU (Maximum Transmission Unit) – for example MTU is 1500 bytes for the Ethernet, which is commonly used at the data link layer. Let’s describe now how IP fragmentation actually works. We need some indication that the fragments belong to the specified datagram (please keep in mind that these fragments need to be reassembled later by the receiver). For this purpose the identification number is used – the same value is used for all fragments that are created as a result of the datagram’s fragmentation. These fragments need to be reassembled to the original datagram, but how should they be reassembled (order of fragments)? Offset is used for this purpose. How does the receiver know the number of fragments? Here the flag MF (More Fragments) is used. When MF flag is set, the system knows that the next fragment is expected. The last fragment is the one without MF flag. To summarize: the sender chooses the size of datagram that is not greater than the MTU of attached network medium and then the process of IP fragmentation is delegated to the routers, which connect different network media with different MTUs. There is also another approach to IP fragmentation – Path MTU Discovery. The idea is that the sender sends a probe datagram with DF (Don’t Fragment) flag set. If the router gets this probe datagram and sees that it is larger than the MTU of the attached network medium, then the problem occurs – the router has to fragment it, but the probe datagram is said not to be fragmented. Then the message about this problem is sent to the sender who interprets the answer and knows that the datagram needs to be smaller to avoid fragmentation on the way to the receiver. The sender wants to find out how large the datagram can be to avoid fragmentation by the routers. That’s why this process is called Path MTU Discovery and fragmentation in this approach is delegated to the sender. The problem with this approach is that the probe datagram might have been sent via different route than the next datagrams. As a consequence, it may turn out that the smallest MTU discovered by the sender is actually not the smallest one for the next datagrams, and the fragmentation done by routers will still be needed. What happens when the fragment is lost? The retransmission occurs when TCP is used at the layer 4 of the OSI model (transport layer). 3. IP Fragmentation Overlapping Let’s assume that the packet filter allows only the connections to port 80, but the attacker wants to connect to port 23. Although the packet filter is configured to block the connections to port 23, the attacker might try to use IP fragmentation overlapping to bypass the packet filter and finally connect to this port. This attack works as follows. The packet filter might be implemented in the way that the first fragment is checked according to the implemented rules – when the connection to port 80 is seen, the packet filter accepts this fragment and forwards it to the receiver. Moreover, the packet filter may assume that the next fragments just include the data, and this is not interesting from its point of view. As a consequence, the packet filter forwards the next fragments to the receiver. Recall at this point that the reassembling occurs when the fragments arrive to the receiver. The next fragment (as it has been said – forwarded by the packer filter) might have been specially prepared by the attacker – the carefully chosen offset has been used to overwrite the value of the destination port from the first fragment. The receiver waits for all fragments, reassembles them, and finally the connection to port of the attacker’s choice is established. The assumption here is that the packet filter looks at the first fragment that has all the necessary information to make a decision about forwarding or denying the fragment – the other fragments are assumed not to have interesting data (from packet filter’s point of view) and are just forwarded. How could we solve this problem? If the packet filter reassembled the fragments before making a decision (forward or deny), then the attacker would be stopped. As we can see this approach is about understanding the state or context of the traffic and is called stateful inspection (in contrast to the previously described packet filter that is stateless). 4. Summary IP fragmentation occurs when the data of the network layer is too large to be sent over the data link layer in one piece. It was presented how IP fragmentation can be used to bypass packet filter (IP fragmentation overlapping attack) and how stateful inspection can prevent this attack. Source

This archive contains 174 exploits that were added to Packet Storm in April, 2015. 1504-exploits/ 1504-exploits/wpwoocommerceaa-shelldisclose.txt 1504-exploits/emailmarkerter-xss.txt 1504-exploits/projectsend561-xsrf.txt 1504-exploits/nodesstudio-sqlxssdiscose.txt 1504-exploits/wpsam-disclose.txt 1504-exploits/VL-1314.txt 1504-exploits/VL-1227.txt 1504-exploits/airties-exec.txt 1504-exploits/oracledotcom-xss.txt 1504-exploits/prolink-xsrf.txt 1504-exploits/PRL-2015-05.tgz 1504-exploits/wpphpec-upload.txt 1504-exploits/AS-WFTP0328.txt 1504-exploits/hippocms-crlf.txt 1504-exploits/bloofoxcms050-xss.txt 1504-exploits/wpbusinessintelligence-sql.txt 1504-exploits/wpthecartpress-xsslfi.txt 1504-exploits/netgearwnr2000v4-xssexec.txt 1504-exploits/SpiritSploit.py.txt 1504-exploits/ms15-034.txt 1504-exploits/mediasuitecms-disclose.txt 1504-exploits/proftpd135-filecopy.txt 1504-exploits/6kbbs80-xss.txt 1504-exploits/cve-2014-7822_poc.c 1504-exploits/proftpd135-exec.txt 1504-exploits/wpallinone-sql.txt 1504-exploits/multi_ncc_ping_exec.rb.txt 1504-exploits/phplist3010-insecure.txt 1504-exploits/6kbbs-sql.txt 1504-exploits/0xb16b00b5.tgz 1504-exploits/adbbackup-traversal.txt 1504-exploits/netcatcms-traversal.txt 1504-exploits/wp42-xss.txt 1504-exploits/fedoraabrt-racecondition.txt 1504-exploits/oraclehyperionsmart-dos.txt 1504-exploits/VL-1311.txt 1504-exploits/wpfusionengage-disclose.txt 1504-exploits/VL-1322.txt 1504-exploits/wpnexforms-sql.txt 1504-exploits/landesk-rfixsrf.txt 1504-exploits/VL-1445.txt 1504-exploits/wp_wpshop_ecommerce_file_upload.rb.txt 1504-exploits/wp_inboundio_marketing_file_upload.rb.txt 1504-exploits/honeywell-traversal.txt 1504-exploits/VL-1455.txt 1504-exploits/adobe_flash_casi32_int_overflow.rb.txt 1504-exploits/proverbswebcal212-xss.txt 1504-exploits/wtknetwork-sql.txt 1504-exploits/kemploadmaster-execxsrfxssdos.txt 1504-exploits/wpduplicator-sqlxsrf.txt 1504-exploits/VL-1215.txt 1504-exploits/wp_worktheflow_upload.rb.txt 1504-exploits/rootpipe.rb.txt 1504-exploits/6kbbs80-xsrf.txt 1504-exploits/fmp3cr2628-overflow.txt 1504-exploits/wpyoastgs-xss.txt 1504-exploits/ninja-racecondition.txt 1504-exploits/opointmedia-openredirect.txt 1504-exploits/wp_nmediawebsite_file_upload.rb.txt 1504-exploits/texttospeech-xss.txt 1504-exploits/wpnexforms3-sql.txt 1504-exploits/nasagov-xss.txt 1504-exploits/sambaopenldap-xss.txt 1504-exploits/wpcontentslide-xssxsrf.txt 1504-exploits/wpsam-upload.txt 1504-exploits/freepbx-xss.txt 1504-exploits/pligg202-xss.txt 1504-exploits/ZSL-2015-5240.txt 1504-exploits/netcatcms-inject.txt 1504-exploits/phpsfp-sql.txt 1504-exploits/ZSL-2015-5238.txt 1504-exploits/wptunelibrary154-sql.txt 1504-exploits/testdisk-overflow.txt 1504-exploits/websid-xss.txt 1504-exploits/wpshareaholic-xss.txt 1504-exploits/cpx_proftp.py.txt 1504-exploits/huaweiseqanalyst-xss.txt 1504-exploits/jaws111-xsrf.txt 1504-exploits/wpmon-disclose.txt 1504-exploits/untangle-xssdisclose.txt 1504-exploits/samsungipolis-exec.txt 1504-exploits/orangehrm321411-sqlxss.txt 1504-exploits/jboss_seam_upload_exec.rb.txt 1504-exploits/netsol_web_mail.pdf 1504-exploits/SA-20150409-0.txt 1504-exploits/VL-1444.txt 1504-exploits/edruttmsdpim-traversalfile.txt 1504-exploits/zenworks-exectraversal.txt 1504-exploits/hotexbilling-xss.txt 1504-exploits/osxrootpipe-escalate.txt 1504-exploits/miniupnpd-overflow.txt 1504-exploits/wprevolutionslider-shell.txt 1504-exploits/ossolution-sql.txt 1504-exploits/VL-1228.txt 1504-exploits/wpdesignfolio-shell.txt 1504-exploits/wpcommunityevents135-sql.txt 1504-exploits/thehunter.txt 1504-exploits/CORE-2015-0008.txt 1504-exploits/solarwinds_fsm_userlogin.rb.txt 1504-exploits/phptraffica23-xss.txt 1504-exploits/pimcorecms305-xsrf.txt 1504-exploits/wolfcms082-shell.txt 1504-exploits/otrs31x-xss.txt 1504-exploits/php-typeconfusion.txt 1504-exploits/avsarsoftmatbaa-shellxss.txt 1504-exploits/wooframework451-xss.txt 1504-exploits/joomlasimplephotogallery-shell.txt 1504-exploits/ubuntuusbcreator-escalate.txt 1504-exploits/wp_creativecontactform_file_upload.rb.txt 1504-exploits/weebly-hijack.txt 1504-exploits/wpultimatenewspaper-xss.txt 1504-exploits/wpvvci-shell.txt 1504-exploits/PRL-2015-04.tgz 1504-exploits/idm6-dllhijack.txt 1504-exploits/Mac-OS-X_Fat-DoS.c 1504-exploits/openletters-inject.txt 1504-exploits/encapsflashgallery-dos.txt 1504-exploits/VL-1438.txt 1504-exploits/adobe_flash_copy_pixels_to_byte_array.rb.txt 1504-exploits/flatpress10-xss.txt 1504-exploits/SA-20150410-0.txt 1504-exploits/synology-xss.txt 1504-exploits/VL-1453.txt 1504-exploits/wp_slideshowgallery_upload.rb.txt 1504-exploits/edruttmsdprv-xss.txt 1504-exploits/edruttmsdp-redirect.txt 1504-exploits/VL-1474.txt 1504-exploits/wpsam-sql.txt 1504-exploits/ZSL-2015-5242.txt 1504-exploits/VL-1452.txt 1504-exploits/javacom-xss.txt 1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt 1504-exploits/safari-crossdomain.txt 1504-exploits/SGMA15-002.txt 1504-exploits/VL-1359.txt 1504-exploits/comsenzsupesitecms70-xss.txt 1504-exploits/eceprojects-xss.txt 1504-exploits/apachespark-exec.txt 1504-exploits/ceragon_fibeair_known_privkey.rb.txt 1504-exploits/wpcitizenspace-xss.txt 1504-exploits/VL-1447.txt 1504-exploits/edruttmsdp-xss.txt 1504-exploits/ceragonfibeair-disclose.txt 1504-exploits/zyxel-dos.txt 1504-exploits/huaweiseqanalyst-xxe.txt 1504-exploits/wpqaengine-escalate.txt 1504-exploits/apportabrt-exec.txt 1504-exploits/qlik-redirect.txt 1504-exploits/wpvideogallery28-sql.txt 1504-exploits/pyscripter-dllhijack.txt 1504-exploits/bluedragon-traversal.txt 1504-exploits/meela-xss.txt 1504-exploits/unipdf12-overflow.txt 1504-exploits/wpworktheflow252-shell.txt 1504-exploits/VL-1446.txt 1504-exploits/soapfault-typeconfusion.txt 1504-exploits/wpnmediawcf-shell.txt 1504-exploits/mefa-xss.txt 1504-exploits/goautodial-execsqlupload.txt 1504-exploits/ZSL-2015-5239.txt 1504-exploits/ZSL-2015-5241.txt 1504-exploits/wpseopack180-shell.txt 1504-exploits/wpstatistics912-xss.txt 1504-exploits/wpvvp-shell.txt 1504-exploits/xoops2571-xss.txt 1504-exploits/androidbackupagent-exec.txt 1504-exploits/apportabrt-issues.txt 1504-exploits/freebsdkey-disclose.txt 1504-exploits/legend_rce.py.txt 1504-exploits/wpwdippu-upload.txt 1504-exploits/wp_reflexgallery_file_upload.rb.txt 1504-exploits/libarchive-dos.tgz 1504-exploits/log2space62-xss.txt 1504-exploits/wpajaxstorelocator-sql.txt tar: 1504-exploits/wpajaxstorelocator-sql.txt: time stamp 2015-05-16 05:33:33 is 1279061.268089756 s in the future Download

Packet crafting is the art of creating a packet according to various requirements to carry out attacks and to exploit vulnerabilities in a network. It’s mainly used to penetrate into a network’s structure. There are various vulnerability assessment tools used to craft such packets. As a coin has two sides, these tools could be used by hackers to find the vulnerabilities of a targeted system. Crafting is technically advanced and a complex type of vulnerability exploitation, and it’s difficult to detect and diagnose. Steps Involved in Packet Crafting The idea behind crafting is to try to simulate an attack and to identify the properties of a network. They are commonly used to invade firewalls and intrusion detection software. The following are the steps involved in packet crafting: Packet Assembly: This is the first step involved in packet crafting. In this process, the attacker selects the network to be cracked, collects the possible vulnerability information and creates the packet. The packet should be designed in such a way that it should be invisible while passing through a network. For example, for a packet to be invisible, the source address could be spoofed before sending it to a network. Packet Editing: In this step, the packets are tested before sending. The packets are edited in such a way that maximum information could be retrieved by injecting a minimum number of packets. Packet Playing: When the packets are ready, packet playing sends them to the targeted machine and collects the resultant packets for further analysis. If the required information is not obtained, the attacker again moves to the editing phase to modify the packet to obtain the required result. Packet Analysis: The sent packets are received by the attacker and they are analyzed to extract the information. Various sniffing tools like Wireshark, tcpdump, dsniff, etc. are used for this purpose. This step gives a route to the targeted system, or at least gives attackers enough data to tune up the attack. Tools For Packet Crafting: Hping, Nemesis, Netcat, Scapy, Socat Let’s carry out a test to understand the creation and working of a crafted packet and its effect on a firewall. Test Requirements Two Machines (One with Hping and Other with Snort installed). Working connection between two machines. Hping This is a utility that helps us to assemble and send ICMP, UDP or TCP packets and then display the results. It’s similar to the ping command, but it offers far more options to customize the packet to be sent. This helps to map the firewall set rules of a targeted system. Snort Sort is a free network intrusion detection and prevention software. It helps us to carry out real time traffic analysis packet logging, protocol analysis, content searching, etc. on a network. Testing Figure 1: Packet Crafting test setup Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to be invisible in a network. We are using Snort as the IDS in the target machine. This could prove that packet crafting is a serious issue that should be studied to prevent attacks. Firstly install Hping on the source machine. It’s a command line multi-platform software. We are using two Linux machines for the test. The installation package could be downloaded from various websites. The next step is to install the intrusion detection software at the destination end. Download the latest version Snort with Winpcap and install it on the machine. Winpcap is a driver that helps in collecting packets. After setting up two machines, establish a connection between the two machines to transfer the packets. Check the connection before sending the packets. These are the steps to setup the test environment. Now we have to craft the packet using Hping. In Hping there are various arguments to modify the packet to be sent according to the requirement. These could be obtained from the manual page of Hping. Before sending the packet, determine the address of the target machine. Here it is 192.168.0.10. Now write the command for packet creation. Hping is a command line software. For creating the packets, the commands should be given in a perfect way so that the packet penetrates into the targeted system without being detected. An example is given below: hping 192.168.0.10 –udp –spoof 192.168.1.150 The packets are sent to the UDP port of machine 192.168.0.10 with a spoofed source IP of 192.168.1.150. Figure 2: Spoofing to UDP port. Figure 3: Spoofed address on target system hiding original address Packet crafting could be used to carry out DOS attacks to a targeted machine. This could be done by flooding packets to a predetermined port. The number of packets reaching the port is beyond the managing capacity of that port. This results in the failure of the system and finally becomes non-responsive to any request made to that particular system. Port Scanning Before sending a packet to the system Hping could be used to carry out a port scan. This helps the attacker to get the information on available open ports to carry out attack easily. The weakest port is selected to gain access to the system. hping3 -S 192.168.0.10 -p 80 -c 2 This command scans port number 80 of machine with IP 192.168.0.10. There are even commands to scan the complete ports in a machine. This will give the attacker the complete status of the ports in a system. hping 192.168.0.10 –S -p 22 –rand-source –flood This command floods the port number 22 of the mentioned machine. As the flooding starts, the machine becomes non responsive. When the flooding is stopped, the machine comes back to its normal state. Figure 4: Command for flooding a machine Figure 5: Result displayed by Snort after flooding. We can see from the above image that a large number of packets have been dumped to the targeted machine within a small amount of time. The IDS software does not detect the packets while the flooding is in process. But as soon as the flooding is stopped, Snort displays only the number of packets received. The traffic created by flooding the packets cannot be handled by the system and becomes non-responsive. No Signatures are generated during the process. DNS and ICMP Packet Crafting Domain Name System is the system responsible for resolving domain names. DNS uses ports 53 UDP for normal operations and can enlist port 53 TCP for zone transfers and other oversized replies. Once the address is entered into the URL, the browser will try to resolve the IP. If the address is not known, then a DNS request will be sent to the DNS server configured on the client. We could craft such a packet using Hping so that the firewall does not block the packet. hping -2 –p 53 -E data.dns -d 31 192.168.0.10 Here the packet is sent to the port number 53 of the target (192.168.0.10), with the packet containing a file called “data.dns”. The packet size has also been specified as 31. Figure 6: Sending a file to target’s DNS port When sending a data file through Hping, the IDS used in the target’s machine does not detect the presence of the attached file. It only displays the total number of packets transmitted and received. Even tough it shows unreachable, the packets are received at the target location. Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and for gathering basic information. These packets could be used to check whether a host is alive or not. In most of the firewalls, packets like ICMP and DNS request have the ability to pass by. These crafted ICMP packets helps us to pass through the firewall. At the senders end, we have to specify the type of packet, destination and other details for proper communication. hping 192.168.0.11 –d 100 –icmp –file /data.dns Here the file “data.dns” is sent to the target 192.168.0.11 using an ICMP packet. Figure 7: File sent using ICMP packet Using such crafted packets, a traffic firewall could be breached. From the above test, we can agree to the fact that packet crafting is a serious issue that should be taken care of. References Snort: 5 Steps to Install and Configure Snort on Linux LINUX HELP ALL: INSTALLING AND CONFIGURING SNORT ON REDHAT/CENTOS v5.5 Cyber Attacks Explained: Packet Crafting - Open Source For You Article : Cyber Security Packet crafting : Ethical Hacking Penetration Test Pune,India - Valency Networks Tools for creating TCP/IP packets | Linux Blog http://www.securitybistro.com/?p=8881 Source

The Packet Let's look at the packet. That's the thing that makes the internet work, lots of data goes on those, anywhere from 20bytes to 65335 bytes. However, in practice packets are usually around 600 bytes in size. That data stores a lot of info; some is redundant, some is needed, and some is 0'd out. There's a header, a body, extra space, and then error check and footer. It's actually kind of easy to end up with a couple screwed up bits in a packet (obviously not every packet is screwed up, but its not 1 out of every million either). Changing a little bit of the Packet What packet steganography is about is changing a couple of bits over a couple of packets. Similar to image steganography, it's almost impossible to detect (in small quantities) (assuming feds are downloading all the data) as packets are not known to all be made equally. I'm going to quickly give an example. Game A wants to send packet [00010101010001000010101010...000010101011000101...] to Game Server 3. However, you can copy that packet and then resend a slightly modified one, which will look like: [00010101010001000010101010...111110101001001000...] Since a massive amount of data is constantly being sent back and forth from the server to you, the packets can be modified a decent amount so information is carried, but one doesn't have to break the checksum by modifying too many bytes. Multiply 40 bits over a couple thousand packets, and a decent amount of data can be sent covertly from you to the server. What's the best part of this? If you hack servers that get a lot of traffic, it's almost impossible to tell who sent what modded packets to the server even if all of the data is logged because every single packet appears to be legitimate. While there is a decent amount of modded data transferred you can't just go and start downloading ripped movies with this. The point of packet steganography isn't to anonymize your downloads, but to send little messages over networks that won't be found by normal means. Obviously, if person A tries to send messages to person B, A won't send them directly. Instead, he could keep them in an encrypted part of a server. When person B wants to see the message, he unlocks the message by passing the correct key. Psuedocode example using MS Maplestory packets are nice, because they used to be pretty obvious as to what was going on. After the packet header the data of A)what action you were doing and (if a message) what the message was. The message was in plaintext hexidecimal format. Using the code below, we are going to edit a little character of every single message. To anyone looking at the packet it still appears to be a normal message, just with a small typing error. However, to the server and to you, the message really is no longer a message anymore. It's a specific set of instructions. The first couple of whispers to some random person validates to the server that you are the IP to grab the packets from. The final whisper (or packet) the server sees is a specific command to the server. It could be wipe the program on it, it could be tell these servers to do x, y, and z, or it could just be telling the server that there is going to be a new pattern to look out for, and at what certain time. Code for your side: public Whatever{ //obviously it depends for whatever server you hacked into, and what app communicates with the server, but for now lets pretend we hacked into a maplestory server //cool thing about MS is that the packets are pretty easy to understand //yes I realize I am turning Java into a scripting language below, but w/e public void initContact{ for(int i=0; i<10; i++){ String x=scan.grabPacket(); x=x.substring(0,12)+Integer.toHexString(i)+Integer.toHexString(i)+x.substri?ng(14,x.length()); XClass.sendPacket(x); //totally possible if string x winds up being a valid packet, which it is since it's just hex //obviously you have to make a sendPacket method if(scan.nextPacket.equals(neededPacket) XClass.sendPacket(endPacket(Action, Type, IP, Add_Instruct) else System.out.println("Connection was unable to be made"); } } public String endPacket(String x1, String x2, String x3, String x4){ return grabHeader() + " 3A BB 0C FF 2D "+mod(x1)+" "+mod(x2)+" 3C "+mod(x3)+" 85 26 "+mod(x4)+grabFooter(); } } Code for the server(the server is not constantly loading all packets, it only works for a specific amount of time): import everything2.etc //you have to watch out the data storage for this one class ServerInner{ public void acceptEverything() { //kills program in 2 minutes long num = 2 * 60 * 1000; //min*sec*milli Timer t = new Timer(); t.schedule( new TimerTask(){public void run(){} }, num); // no this isn't a legit method, you'd want to use outside resources for this part //but at least the method dies in the two minute timeframe XClass.storeAllPackets(); } public void sortThrough(PacketList P, Method a){ int x=p.length() for(int i=0; i<p.length(); i++){ if(!a.follows(p.get(i))){ p.rem(i); i--; } } //after that method runs, the only packets left should be from you //obviously it is theoretically possible someone else did the exact same as you, so you'd then check them for(int i=0; i<p.length(); i++){ if(!a.check(p.get(i))){ p.rem(i); i--; } } //now all that's left is the correct one } public void finishUP(){ if(p.length()>0){ //translates the info packet from the correct IP if an ip was gathered translate(XClass.nextPacketFrom(p.get1IP()), a); //runs whatever it got run(); } //wipes all data that was stored, logs in database StartClass.wipe(); } } Rough Example in Real Life Application Packet steganography can also be used for sending out instructions to a botnet since you don't really need to send that much information to tell x to DDOS y, now do you? Here's a rough guide of how you'd accomplish communicate through your bots to start a DDOS attack w/ packet steganoraphy, from the setting up the server to the attacking the kid who beat you in MW3 1) Find a good server that has a decent amount of traffic, but nothing too sketchy. 2) Get root access on this server. 3) Download wireshark if you don't already have it. 4a)Write your program to test the wireshark logs to find a pattern in packet anomalies (you figure this one out on your own ). 4b)Write the program that can send out edited packets from your machine. 5) Set up another program that connects the wireshark program with your botnet server. 6) Set up a last program that wipes your traces of you fucking off with the server. 7) Run 6 and leave the shell you set up if you want (I suggest keeping some part of it intact though, depends on what you want to do). 8) Set up a couple more of these steno servers. 9) Realize that you can now send instructions easily but make it look like its a normal connection. Want to ddos server agh554? Connect with one of those servers and send the right kind of packets for a little while. Next thing you know your DDOS servers will be connecting with each other to get the details down and start the attack at the time specified. Because of the way the information is transferred from you to the server it'll be hard to trace the botnet back to you and then convict you as the one who pulled the strings behind a DDOS of a n00b MW3 player. I know that a couple people already do this, but now you know how too. Ending Thoughts (Read it though) So why the hell does this matter? A) all the data will look legitimate you can send it from different sources and it doesn't really matter as long as the packets are getting screwed correctly C) You think it's easy to look through every single packet sent to a server that gets a lot of traffic for the past 4ish months and then find the packets that link with the pattern? D) can be used for stuff other than botnets i) You can send encryption keys through this and then wipe the programs you installed. ii) anonymous communcation E) MITM attacks don't matter unless the MITM got your src(look at number 4) Problems with this? 1) Server gets taken by the feds. They won't be too happy about this 2) A wingding manages to replicate the correct stream, and then gives out commands for your server. This is something you'll just have to accept. Anonymity is what we are going for, too many traces = too many chances of someone finding a link 3) No well known VPNs allow packet modification at the moment. 4) if the feds got your SRC since you and 800 other skids are using the same program, and they catch you are modding packets, you're kinda screwed if they catch you redhanded 5) "I don't get it" Solutions to the problems 1) If modded packets are the only connections between your bots and your servers, its a lot harder to trace since the server has a massive amount of people using it 2) Nothing really, make it so it can't easily be replicated 3) wait for it [breathing intensifies] 4) Don't be a skid 5) See above. Or, read the links at the bottom of the page, learn something interesting, and prove to me that there are users with brains here Credits: TF

Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information. Argus is composed of an advanced comprehensive network flow data generator, the Argus sensor, which processes packets (either capture files or live packet data) and generates detailed network flow status reports of all the flows in the packet stream. Argus captures much of the packet dynamics and semantics of each flow, with a great deal of data reduction, so you can store, process, inspect and analyze large amounts of network data efficiently. Argus provides reachability, availability, connectivity, duration, rate, load, good-put, loss, jitter, retransmission, and delay metrics for all network flows, and captures most attributes that are available from the packet contents, such as L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc…), protocol ids, SAP’s, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indications, etc. Argus is used by many sites to generate network activity reports for every network transaction on their networks. The network audit data that Argus generates is great for security, operations and performance management. The data is used for network forensics, non-repudiation, network asset and service inventory, behavioral baselining of server and client relationships, detecting covert channels, and analyzing Zero day events. Argus is an Open Source project, currently running on Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt, and has been ported to many hardware accelerated platforms, such as Bivio, Pluribus, Arista, and Tilera. The software should be portable to many other environments with littleor no modifications. Performance is such that auditing an entire enterprise’s Internet activity can be accomplished using modest computing resources. Download: ARGUS- Auditing Network Activity - Getting Argus