Future Patching, got no clue how to call it otherwise, is in my opinion creating a crack/keygen that will patch future versions of the software without having to reverse it again. First time I saw this was on the awarenetwork website. They created a rather interesting crack for winrar. Since then I was intrigued by the concept, it’s just a lot of work imo to keep finding patterns manually and coding them, until I decided to give immunity debugger another go. For some librecognition will be nothing new and they already know the commands by heart, others will be pleased to see something being made easy.
So I’m trying to set up a really tight server and one of the things left to secure was DNS. How do I make sure that if the server gets rooted the backdoor will not be able to connect through DNS to its C&C? I decided to write a custom “firewall dns”, which would only allow DNS requests if they matched a certain host. You might now be yelling things like “YOU RETARD, never code something if there is an existing and probably working alternative”, true; thing is I’ve never really done anything with DNS on a coding level so it seemed like this was my opportunity.
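To make the “only allow DNS requests that match a certain host” idea concrete, here is an added example (my own code, not the script from the original post) that parses the question section of a raw DNS query and answers yes or no against a constructed allowlist. The allowlist entries, the `build_query` helper and the sample queries are all assumptions made up for the example; a real deployment would put the decision function in front of the resolver socket.

```python
import struct

# Constructed allowlist: the only names the "firewall dns" will forward (assumption).
ALLOWED_HOSTS = {"updates.example.com", "ntp.example.com"}


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query packet for qname (constructed test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        struct.pack("B", len(part)) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (qname, qtype) from the first question of a DNS query.

    Raises ValueError on anything malformed, on responses (QR bit set) and on
    compression pointers, which have no business in a question name we accept.
    """
    if len(packet) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def is_allowed(packet, allowed=ALLOWED_HOSTS):
    """Decision function: True only for well-formed queries whose full name is allowlisted."""
    try:
        qname, _qtype = parse_question(packet)
    except ValueError:  # UnicodeDecodeError is a subclass of ValueError
        return False
    return qname in allowed


if __name__ == "__main__":
    for name in ("updates.example.com", "Updates.Example.COM", "c2.attacker.example"):
        print("[*] %s -> %s" % (name, "allow" if is_allowed(build_query(name)) else "drop"))
```

The match is on the exact, lower-cased name rather than a suffix: a suffix rule such as “anything under example.com” would let a backdoor tunnel data out in the label of a made-up subdomain, which is exactly the channel the post wants to close. Anything that fails to parse is dropped rather than forwarded.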
Well with all the posting of wordlists, I haven’t had the time to actually develop any scripts. Sometimes “internet” really makes things easy. Anyhow the only thing I’ve done until now with scripting and wordlists is a quick snippet to extract all entries containing 8 characters or more. Just pipe the wordlist to it and save the output.
#!/usr/bin/env python
# DiabloHorn - https://diablohorn.wordpress.com
# Reads a wordlist on stdin and prints only the entries of 8 characters or more.
import sys
# import fileinput  # uncomment if needed

if __name__ == "__main__":
    # If for some reason it only returns single characters, use this instead:
    #     for n in fileinput.input():
    for n in sys.stdin:
        t = n.strip()
        if len(t) >= 8:
            print(t)
This is just some quick script I hacked up to scan TCP ports using different source ports. The aim of the script is to find badly configured firewalls that allow traffic from certain source ports. This is for instance explained in the NMAP book. I’ve done it in scapy (yeah I know, python once again) and still admire scapy, it’s a wonderful piece of software. Here are some nice references if you decide to write your own networking stuff in scapy:
You can find the source here.
I chose manual output analysis, which means that the script doesn’t have any logic whatsoever: you will have to decide yourself whether the firewall allows or doesn’t allow traffic from different source ports. Example output:
Received 34 packets, got 8 answers, remaining 28 packets
srcport, dstport, flags, humanflags
Hope it’s also useful for someone out there.
So I took on a new challenge, understanding how to develop your own Master Boot Record (MBR). So how do you start to develop your own bootloader? The first answer that came to mind was the setup of a development environment. No development environment, no bootloader. Actually that’s my thought on every new coding project I undertake. In this blog post I’m going to explain the steps I went through and why I finally chose a somewhat rather basic development environment. Anyways let’s get started.
p.s. Happy New Year
p.s.2. HACK THE PLANET!!!
Or like most people will call it “just another mod_negotiation script”. Well yeah that’s true. I still think it has its added value during a brute force if it’s available. I’m not going to waste any space on explaining what the whole mod_negotiation thing is, because there are a number of excellent resources out there:
For the ones that are just curious how this boils down to source you can of course read the source of the module and some documentation about it, which is available over here:
So why did I write “yet another” script for this? Well first because I wanted to keep learning and practicing python. Also because I wanted my brute force attacks to be a little bit more efficient. So with this script, instead of trying to guess the entire name (including the extension) of the file, I just guess the name and mod_negotiation will do the rest for me (read the links I provide, because it only works for mime types that are known to apache). So with a bit of luck you need fewer requests to find more files. For the ones working with w3af, it already has support for mod_negotiation testing.
The way to use this script would be to combine it with the excellent tool DirBuster. Just have DirBuster do a recursive directory brute force. Then take those results and feed them to my script with a decent file name list. This script is kind of an alpha version, just something I quickly whipped up.
[*] DiabloHorn https://diablohorn.wordpress.com
[*] Mod Negotiate File Brute Force
[*] mfbrute.py -t <target> -d <dir list> -f <file list>
[*] -t target to scan
[*] -d directories which will be scanned
[*] -f files which will be scanned
[*] -v verbose
[*] -h this help
You can get the src from here.
I have been intrigued by nmap’s feature to scan a target using an idle zombie pc which has an incremental ip id. I have also been intrigued by scapy. Finally I have also been intrigued by metasploit. At first I combined nmap and metasploit and the end result was, that I was not able to get the IPIDSEQ module to work. So I turned to scapy and tried porting the metasploit module to python. It was fun and I finally employed python for something besides playing with it to learn.
I’ve also finally learned why it’s nice to prepend your output with “[*]”. Since I’ve been lazy with the verbose output, I have just used scapy’s own verbosity setting to decide whether my script should output verbose messages or not. This means that the output gets cluttered. So by prepending “[*]” you can just grep the results to have a clear view of what the script is doing without the scapy stuff in between.
Finally, scapy is a real nice toy. I had to write zero code to support CIDR notation. So when you for example want to scan a /24 range you can just go like: “microsoft.com/24”. Isn’t that neat? Hope you enjoy it and find a way to use it. For me it was more fun to write it and learn a lot along the way than the actual goal I wrote it for. Oh, by the way, the non-verbose output looks like:
[*] 188.8.131.52 = Randomized
Oh, a second by the way: I recommend putting the timeout/waittime on 5 or something like that.