DnsCat traffic post-dissector

Well previously I blogged about actually parsing DnsCat traffic, this blog post will be about converting it into an actual Wireshark post-dissector. As with dissecting DnsCat traffic using LUA I’ve also never written a wireshark post-dissector up until now. This is how it will finally look like:


Things you should know(read: things that could/should be improved) about this post-dissector:

  • It assumes you are tunneling plain ascii (dnscat –listen –exec ‘/bin/sh’)
  • It will only decode incoming&outgoing packets if you use the wireshark development version
  • I think it would be more efficient if this would have been a chained-dissector
  • It’s only been tested locally (dnscat –dns 127.0.0.1)
  • It will happily parse every DNS packet it encounters

Just as the previous post, this one will contain the source code (pastebin) and the references at the end of the post. Now let’s get going with building our post-dissector.

Continue reading “DnsCat traffic post-dissector”

InternetQueryOption, INTERNET_OPTION_USER_AGENT – Replacement

This is a clear case of …. uhmm got no clue. All I know is that I’ve tried in quite a few different ways to use the InternetQueryOption API function to retrieve the default User Agent and all have failed. The internet contains posts about other people also not being able to retrieve the User Agent…so I got really frustrated. Finally decided to just retrieve the User Agent the old fashioned way, by directly talking to the registry. So here is a quick function to do that:


/*
 Returns a pointer to the useragent string.
 Return NULL if something goes wrong.
 do NOT forget to free it!
*/
char *getUA(){
 LONG res;
 HKEY regopen;
 char *ua;
 DWORD type;
 DWORD size = 80;

 ua = (char *)malloc(80);
 SecureZeroMemory(ua,80);
 res = RegOpenKeyEx(HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"),0,KEY_QUERY_VALUE,&regopen);
 if(res == ERROR_SUCCESS){
 res = RegQueryValueEx(regopen,TEXT("User Agent"),0,&type,(BYTE *)ua,&size);
 if(res == ERROR_SUCCESS){
 RegCloseKey(regopen);
 return ua;
 }
 }
 free(ua);
 return NULL;
}

raw sockets, pcap files & wireshark quirks?

So this is one of those things that you don’t stumble upon until you are playing with it. When writing sniffers you can use libpcap or it’s win32 version winpcap. Now that doesn’t really do the job in all circumstances, since sometimes you don’t want to install an additional library. Lucky for us you can also sniff traffic by using raw sockets(I’m assuming win32, for the rest of the blog entry). Usually when sniffing with raw sockets you are looking for something specific in the stream of data and can just output it to a good old plain text file…however sometimes you’d just like to capture everything that comes through the network interface. That’s when it becomes interesting to save packets in the PCAP format, so I decided to write my own quick & dirty implementation.

Now here comes the fun part, when sniffing the packets you get everything above the Physical Layer. This means that the Ethernet header is lost and you directly receive the IP header. I did not realize this until I had written the packets into a PCAP file. When trying to open the file with Wireshark, it tries to interpret the first bytes as a Ethernet header which fails horribly. So I came up with two possible solutions:

  • Understand / Configure wireshark to start directly with the IP interpretation
    • Tried this for a while, then decided to go for the second option just for fun.
  • Add a fake Ethernet header to each packet.
    • As previously stated this was the final choice

Well it worked like a charm, Wireshark correctly interpreted the packets and dissected the rest of the contents just as I was used to with normal captures. If anyone knows how to correct the problem WITHOUT writing the fake Ethernet header, by just configuring wireshark correctly DO share.

Here is one last and small warning/readme, before I post the src, for those wanting to play with raw sockets…I’ve noticed some weird behavior myself when testing the sniffer on Win7.

http://www.nirsoft.net/utils/smsniff.html#problems

Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using ‘Raw Sockets’ method. However, this capture method has some limitations and problems:

  • Outgoing UDP and ICMP packets are not captured.
  • On Windows XP SP1 outgoing packets are not captured at all – Thanks to Microsoft’s bug that appeared in SP1 update…
    This bug was fixed on SP2 update, but under Vista, Microsoft returned back the outgoing packets bug of XP/SP1.
  • On Windows Vista with SP1, only UDP packets are captured. TCP packets are not captured at all.
  • On Windows 7, it seems that ‘Raw Sockets’ method works properly again, at least for now…

The header file:


/*

DiabloHorn, fun with pcap and raw sockets

*/

#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
#include <time.h>

typedef struct pcap_hdr_s {
 unsigned int magic_number;   /* magic number */
 unsigned short version_major;  /* major version number */
 unsigned short version_minor;  /* minor version number */
 int  thiszone;       /* GMT to local correction */
 unsigned int sigfigs;        /* accuracy of timestamps */
 unsigned int snaplen;        /* max length of captured packets, in octets */
 unsigned int network;        /* data link type */
} pcap_hdr;

typedef struct pcaprec_hdr_s {
 unsigned int ts_sec;         /* timestamp seconds */
 unsigned int ts_usec;        /* timestamp microseconds */
 unsigned int incl_len;       /* number of octets of packet saved in file */
 unsigned int orig_len;       /* actual length of packet */
} pcaprec_hdr;

HANDLE openpcap(LPCWSTR);
void writepcaprec(HANDLE,void *,int);
void closepcap(HANDLE);

The C file


/*

 DiabloHorn, fun with pcap and raw sockets

 */
#include "pcap.h"

/*
 Opens a pcap file for appending, file is set to +S +H.
 Writes the general header.
*/
HANDLE openpcap(LPCWSTR filename){
 HANDLE hFile = NULL;
 pcap_hdr *genHeader;
 DWORD numWritten;
 //create file with shared read access and set it's attrib to +S +H
 hFile = CreateFile(filename,FILE_APPEND_DATA,FILE_SHARE_READ,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,NULL);
 if(hFile == INVALID_HANDLE_VALUE){
 return hFile;
 }else if(GetLastError() == ERROR_ALREADY_EXISTS){
 printf("Appending to existing pcap file\n");
 return hFile;
 }
 printf("Created empty pcap file\n");
 genHeader = (pcap_hdr *)malloc(sizeof(pcap_hdr));
 memset(genHeader,0,sizeof(pcap_hdr));
 genHeader->magic_number = 0xa1b2c3d4;
 genHeader->network = 1;//ethernet
 genHeader->sigfigs = 0;
 genHeader->snaplen = 65535;
 genHeader->thiszone = 0;
 genHeader->version_major = 2;
 genHeader->version_minor = 4;
 printf("Writing general pcap header\n");

 if(WriteFile(hFile,genHeader,sizeof(pcap_hdr),&numWritten,NULL) == 0){
 //need something more sexy here
 return INVALID_HANDLE_VALUE;
 }
 free(genHeader);
 return hFile;
}

/*
 Write the record of the pcap file
 Write record header (does not take into account the time stuff)
 Write fake eth header
 Write actual ip load data
 NOTE: supplied data must be max size 65521, due to specs in general header
 reason cause of fakeeth and me liking 65535 as a number :-)
*/
void writepcaprec(HANDLE hFile,void *data,int datalen){
 pcaprec_hdr *recHeader;
 DWORD numWritten;
 time_t seconds;
 //fake eth header
 byte fakeeth[14] = {0xde,0xde,0xde,0xde,0xde,0xad,0xbe,0xbe,0xbe,0xbe,0xbe,0xef,0x08,0x00};
 seconds = time(NULL);
 //write pcap record header stuff
 recHeader = (pcaprec_hdr *)malloc(sizeof(pcaprec_hdr));
 memset(recHeader,0,sizeof(pcaprec_hdr));
 recHeader->incl_len = datalen+sizeof(fakeeth);
 recHeader->orig_len = datalen+sizeof(fakeeth);
 recHeader->ts_sec = (unsigned int)seconds;
 recHeader->ts_usec = 0;
 printf("Writing record pcap header\n");
 WriteFile(hFile,recHeader,sizeof(pcaprec_hdr),&numWritten,NULL);
 free(recHeader);
 printf("Writing fake eth header\n");
 //write fake eth header, to fix wireshark
 WriteFile(hFile,fakeeth,sizeof(fakeeth),&numWritten,NULL);
 printf("Writing record data\n");
 //write pcap data stuff
 WriteFile(hFile,data,datalen,&numWritten,NULL);
}

/*
 Prolly hardly used but ohwell...
*/
void closepcap(HANDLE hFile){
 CloseHandle(hFile);
}

Quick Snippet

Well with all the posting of wordlists, I haven’t had the time to actually develop any scripts. Sometimes “internet” really makes things easy. Anyhow the only thing I’ve done until now with scripting and wordlists is a quick snippet to extract all entries containing 8 characters or more. Just pipe the wordlist to it and save the output.

#!/usr/bin/env python
#DiabloHorn - https://diablohorn.wordpress.com

import sys
import os
import string
#import fileinput #uncomment if needed

if __name__ == "__main__":
 """
 if for some reason it only returns single characters use this instead
 for n in fileinput.input()
 """
 for n in sys.stdin:
 t = string.strip(n)
 if(len(t) >= 8):
 print t

Bittorrent Downloads

Well I’ve decided to make somewhat of a download section, you can find it on the right. Since I don’t really have stable hosting(thanks to my current hoster for hosting my stuff though) I’ve decided to offer my downloads using bittorrent. I must say I’m pleasantly surprised by it. I like the benefits of distributed content and the possibility to share really large files like wordlists and virtual machines. Happy leeching.

oh and a huge ass wordlist can be found here: http://www.nomorecrypto.com/ I’m working on a wordlist myself with the only difference that it will only contain 8character or more words/phrases. Not sure if I will offer it for download since it’s composed from the wordlists offered by:

So maybe I’ll just share the scripts I used to create my own wordlist instead of sharing the list itself.

The helping hand of URL shortening services

We all know that URL shortening services are a great aid when you want to shorten a URL. What I did not realize is that they can fill up one of the many gaps when performing a search for something(someone) on the internet. Usually you exhaust all the usual places like web, ftp,usenet, torrent, twitter,ftp search engines. But there is a whole(maybe not that big) world out there of short URL messaging. A good example is bit.ly this URL shortening service even has statistics about short URLs and every time you shorten a URL it is shortened to the same short URL(based on parameters, maybe time, unknown to me at this moment), now that does make things easier when using them to track something(someone) down. For example:

http://www.google.com = http://bit.ly/14d7yE

So you can use the short URL to perform more investigations about web pages mentioning it or tweets using it. If you want to see bit.ly own history about the URL you can just hit their history link, for google.com that is:

http://bit.ly/info/14d7yE

The statistics page also seems to uncover different short URL’s for the same domain which you can then use in your search. For example:

http://bit.ly/4d3xjX and http://bit.ly/676wYo both point to the NSA.

Now that sure does make things easy to continue searching, it will at least contribute to your search results by making it possible to find things(people) you would have otherwise possibly missed.

For all the people hating short URLs, you could always use www.longurl.org to verify you are not being scammed ;)

Art Exposition

Well like you probably don’t remember a while back I wrote about art I enjoyed. Well to my surprise the artist has a exposition right at the airport of Madrid. It seems like the information is only available in Spanish for the moment being. Although the most important bit of information can be translated quite easily:

La exposición, situada en el pasillo que da acceso al Terminal T-2 del Aeropuerto desde el Metro y el Parking P-2

translates to:

The exposition which is stationed in the hallway that gives access to the T-2 terminal of the airport coming from the metro and parking P-2

So if anyone is going to Madrid I recommend having a look. It is available until the end of July.
For people interested in art events in Madrid I recommend the following blog:

which at the time beeing happens to also inform about the exposition at the airport of Madrid.

Backerdie

Well that was a real nasty experience…beeing a while without access to internet. You could call me an addict but oh well. Anyways I had some moving in between houses issues and a little problem with my ISP. I’m on temp internet now with some weird usb stick which is treating me pretty good until now. Anyways I’ll get back to posting some random stuff as usual. It feels good to finally have access to internet again.

Python hidden love and hate

This is just my little hate/love affair with python. This post will be a bit chaotic but ohwell…

Well when I first read about python my inmediate reaction was: HATE HATE HATE. This reaction was only triggered because of one reason: indentation. This kept going on for a while until I finally decided to try python out and create my opinion based on using the language instead of prejudices. I’ll explain what the word ‘hidden’ does in the title of this blog posting later on.

Continue reading “Python hidden love and hate”

Truecrypt Update & Speeds

Well truecrypt 6.1 has been released and I thought it was time to update my machine. Since I’ve started using truecrypt I’ve kept screenshot of the benchmarks so for the ones who love numbers here they are. I’ve also made volume headers backup and disabled the boot message that states the machine is encrypted with truecrypt. I have to admit I’m totally fond of truecrypt it’s easy and good for free. Oh and YES I’ve made volume header backups and rescuedisks, you never know when bad luck strikes.

Continue reading “Truecrypt Update & Speeds”

ubuntu 8.10 mobile support

w000t :D

I love it. It was like so easy to get my internet connection going on my ubuntu through my mobile phone. All I had to do was connect the mobile to my laptop using a mini-usb cable. Ubuntu then automatically recognized it all and all I had to do was choose my provider and it WORKED!!!

I’ve installed ubuntu 8.10 on my laptop just to see how it goes and well I have to admit it works pretty good. Until now I haven’t had any problem with it.

Well so much for my ubuntu experience, I’ll keep you posted because somehow I always screw up when I use linux. So I really hope I hang on to it this time.

busy busy?!?

Ah man…beeing busy really ***** (sucks). I don’t like censoring words….

Lucky for me this time it was pleasure busy. I’ve been away for a few days in one of the cities famous for their diamonds. It was really impressive to see a whole street with only juwel stores. The funny thing was that the local building for diamond exchange seemed to have better security measure then the bank that was next door. Just to clarify things up , I wasn’t there for the diamonds. Those are boring. They just shine and well shine. So what’s next? I’ve been thinking about posting my todo list but then again…if I do that people will actually see that I never get it done.

So I’ll just post stuff when it’s done.

For the moment beeing I’m concentrating on the latest burp release which is comming up in december I can’t wait till I can hit the download button. Got some nice ideas to expand the current poc’s I’ve written and hopefully abuse the new and improved API.

If you get the impression this was written in a hurry , yes it was. I’m tired and want to sleep but I also wanted to write so this is the end result, I’m now going to sleep.

It’s not always technical

Well like the title says you can’t always dedicate your time to technical things. I’ve always loved art…it didn’t really mather to me what kind of art it was as long as it really speaks to me.

So lateley I’ve encountered a art form I really like. Abstract expressionism. It’s wonderfull you can imagine all you want there is nothing defined and it really speaks to me.

I’ve encountered an artist who’s art I really like. It’s so full of color and so different. The only down part is , that her page is only in spanish for the moment beeing, I’ve emailed her and the english portion of her website will be published soon. I’ve added a non-technical categorie in the links section so you can all visit her page and enjoy her art just like I did.