Month: December 2010

mod_negotiation metasploit aux modules

A while ago I wrote about more efficient brute forcing if mod_negotiation is enabled. Also released a python script to automate this. Well now I’ve written some metasploit auxiliary modules that perform the same task. One module can be used to scan ranges for web servers that have it enabled, the other module can be used to actually brute force files. You can find them on github:

https://github.com/DiabloHorn/DiabloHorn/tree/5e495eb8553001946f4f98a79bd9542812de5b3e/metasploit/mod_negotiation

I’ve also made a redmine ticket on metasploit and submitted them, if you are lazy and just want to wait until metasploit includes them. Assuming they do, after all it’s my first attempt at contributing to metasploit and my code might not be up to the standards.

https://www.metasploit.com/redmine/issues/3257

For the ones paying attention to every detail, yes I fucked up and made a typo while submitting the ticket :)

If you want to use them you can place them in the following directory:

[metasploit-root]/modules/auxiliary/scanner/http/

After you’ve place them there, just fire up metasploit and perform a search for negotiation, they should show up in the results. If something goes wrong, read the code I didn’t do a lot of error checking. If you are wondering why I choose to make modules for the mod_negotiation issue…like always I wanted to learn something new and I was familiar with it so was more confident I could implement them. If it all went well it should all look like the following:

Continue reading “mod_negotiation metasploit aux modules”

Moving source codes to github

Well after a long while of yelling and getting frustrated with my own development process of thoughts, projects and midnight thoughts I’ve decided to move over to github. This will (hopefully) also make it easier to get the source codes for my projects/general messing around things. You can find them over here:

https://github.com/DiabloHorn/DiabloHorn

Please bare with me, since I’ve dived right into it…without really having any prior knowledge. It worked when I had to learn how to swim…so let’s just hope it works the same way to learn about git and github.

DnsCat traffic post-dissector

Well previously I blogged about actually parsing DnsCat traffic, this blog post will be about converting it into an actual Wireshark post-dissector. As with dissecting DnsCat traffic using LUA I’ve also never written a wireshark post-dissector up until now. This is how it will finally look like:


Things you should know(read: things that could/should be improved) about this post-dissector:

  • It assumes you are tunneling plain ascii (dnscat –listen –exec ‘/bin/sh’)
  • It will only decode incoming&outgoing packets if you use the wireshark development version
  • I think it would be more efficient if this would have been a chained-dissector
  • It’s only been tested locally (dnscat –dns 127.0.0.1)
  • It will happily parse every DNS packet it encounters

Just as the previous post, this one will contain the source code (pastebin) and the references at the end of the post. Now let’s get going with building our post-dissector.

Continue reading “DnsCat traffic post-dissector”

What’s in a picture?

Most of us are familiar with steganography (stegano) who better to explain it then wikipedia:

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity.

So who can guess what’s in the following picture:

Continue reading “What’s in a picture?”

Lua based DnsCat traffic parser

For the ones who don’t know DnsCat it’s an awsome tool and even has metasploit shellcodes. Here’s a little quote from the website:

dnscat is designed in the spirit of netcat, allowing two hosts over the Internet to talk to each other. The major difference between dnscat and netcat, however, is that dnscat routes all traffic through the local (or a chosen) DNS server. This has several major advantages:

  • Bypasses pretty much all network firewalls
  • Bypasses many local firewalls
  • Doesn’t pass through the typical gateway/proxy and therefore is stealthy

Which brings us to my original quest of finding a nice protocol to experiment with Wireshark dissector prototyping using LUA. I decided to try and make a dissector for DnsCat traffic. This post won’t contain the dissector, instead it contains a stand alone LUA DnsCat traffic parser(main dissector logic). Reason for this is that I’m not entirely happy with the dissector as it is right now,  I want to try and improve some things on it before publishing it. To be able to run this parser you’ll need to install an additional LUA library though, since LUA doesn’t have native support for bitwise operators. You can get the library from the following website:

http://bitop.luajit.org/

The installation is pretty straightforward, if you are on ubuntu you could also just do the following:

sudo apt-get install liblua5.1-bitop0

Ones you have that in place you should be able to run the parser without any problems. You can get the parser from pastebin or at the end of this post. If you are really impatient you can throw together a quick dissector yourself and just reuse this code for the dissecting part. I’ve also included some references at the end of this post that I’ve used while developing the parser.

Continue reading “Lua based DnsCat traffic parser”