Humour In Verse

From The warped mind of Emac

Sunday, April 26, 2020

Networking | Routing And Switching | Tutorial 4 | 2018

Welcome to my 4th new tutorial of the series of networking. In this blog you'll the content about network switches. You'll learn about how to make a communication successful and secure in the same network (LAN) by using STP. As Spanning tree protocol (STP) we used in multi-switched networks. Why we use this protocol in multi-switched network etc.

What is Switch?

A switch is an intelligent device used to connect multiple devices within the same network. The intelligence of is that it requires Media Access Control (MAC) address for communication and doesn't allow broadcast. Let's understand the whole thing by a little example, consider there is a network having 3 end devices name Device-A, Device-B,Device-C connected with each other respectively with the help of switch. When a Device-A sends data to Device-C so that data will only forwarded by switch to Device-C not to Device-B.

What is Media Access Control (MAC) address?

A Media Access Control (MAC) address is 48-bit unique physical address given to network interface controller (NIC) or network adapter, for communication within the same network which is given by its manufacturer. It is made up of hexadecimal numbers like a1:b1:cc:ac:2e:f1.

What is STP?

STP stands for Spanning tree protocol which is basically used in bridge and switches to prevent loops when you have a redundant links in the Ethernet networks. If the loop is present in the Ethernet network so the whole network will suffer because there will MAC instability in the MAC table, duplicate frames generation and so on. Let's move to the video for further detail.

RapidScan's screenshots:

RapidScan helping menu

RapidScan Intro

RapidScan Outro

How to contribute? If you want to contribute to the author. Read this.

Download RapidScan

More articles

Structure Part I: The Basics

Today we are going to go through Structures from defining structures to using structures.
Structures are just a collection of different types under one roof (you can even put one type only!). So that means they give you flexibility of grouping different data types (like int, char, or even char[]) under one name.
So let us start with obviously defining a Structure. In `C` we declare a structure as simply as this:-
struct dob {
    int day;
    int month;
    int year;};
1: In the above code segment struct is a keyword which defines structure.
2: Followed by struct keyword (dob) is the name of our structure.
3: Elements of struct are defined inside braces '{}' as we did (int day; etc).
4: After ending brace we place a terminator ';' to end the declaration.
So now you know how to define a structure but how to create its instances now?
To create a variable of our structure we just need to do this:
struct dob date;
This now declares date as a structure variable of type dob.
1: Here 'struct dob' is our above declared structure.
2: date is a variable of type dob.
So ok we have a structure and a variable of that type but how can i access its parts?
well we can access it and assign it so simply like this:-
date.day = 19;date.month = 10;date.year = 1990;
Note here we use the dot (.) operator to access the fields (parts) of our structure.
ok everything looks nice so for but how in the world can i read data into this structure variable? Again no worries its again simple:-
scanf("%d", &date.day);scanf("%d", &date.month);
that was pretty easy but I was wondering how can i print its data?
Just do it like this:-
printf("Day: %d", date.day);printf("Month: %d",date.month);printf("Year: %d", date.year);
Again remember we use dot (.) operator to access members of a structure.
So we now know how to define and declare a structure, how to access its members, how to read data in it, and how to print data of a structure. Oh that was a tough job..!
Now let us put it together in a single C Program.

/***********************************************/
#include <stdio.h>
struct dob {
   int day;
   int month;
   int year;
};
int main(void) {
struct dob date;
date.day = 19;
date.month = 10;
date.year = 1990;
printf("Day is : %d, Month is: %d, and Year is %d\n",
           date.day,date.month, date.year);
printf("Enter Day, Month, and Year separated by spaces: ");
scanf("%d %d %d", &date.day,&date.month,&date.year);
printf("Your entered Date is: %d/%d/%d",
date.day,date.month,date.year);
return 0;
}

Output:
Day is : 19, Month is: 10, and Year is 1990
Enter Day, Month, and Year separated by spaces: 1 1 2014
Your entered Date is: 1/1/2014

More info

Wednesday, April 22, 2020

Arris Cable Modem Backdoor - I'm A Technician, Trust Me.

Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris. A great quote from their site -

Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.

Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version -TS070563_092012_MODEL_862_GW

After successfully providing the correct login and password to the modems administration page, the following cookie is set (client side):

Cookie: credential=eyJ2YWxpZCI6dHJ1ZSwidGVjaG5pY2lhbiI6ZmFsc2UsImNyZWRlbnRpYWwiOiJZV1J0YVc0NmNHRnpjM2R2Y21RPSIsInByaW1hcnlPbmx5IjpmYWxzZSwiYWNjZXNzIjp7IkFMTCI6dHJ1ZX0sIm5hbWUiOiJhZG1pbiJ9

All requests must have a valid "credential" cookie set (this was not the case in a previous FW release - whoops) if the cookie is not present the modem will reply with "PLEASE LOGIN". The cookie value is just a base64 encoded json object:

{"valid":true,"technician":false,"credential":"YWRtaW46cGFzc3dvcmQ=","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

And after base64 decoding the "credential" value we get:

{"valid":true,"technician":false,"credential":"admin:password","primaryOnly":false,"access":{"ALL":true},"name":"admin"}

Sweet, the device is sending your credentials on every authenticated request (without HTTPS), essentially they have created basic-auth 2.0 - As the kids say "YOLO". The part that stuck out to me is the "technician" value that is set to "false" - swapping it to "true" didn't do anything exciting, but after messing around a bit I found that the following worked wonderfully:

Cookie: credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9

Which decodes to the following:

{"credential":"dGVjaG5pY2lhbjo="}

And finally:

{"credential":"technician:"}

Awesome, the username is "technician" and the password is empty. Trying to log into the interface using these credentials does not work :(

That is fairly odd. I can't think of a reasonable reason for a hidden account that is unable to log into the UI. So what exactly can you do with this account? Well, the web application is basically a html/js wrapper to some CGI that gets/sets SNMP values on the modem. It is worth noting that on previous FW revisions the CGI calls did NOT require any authentication and could be called without providing a valid "credential" cookie. That bug was killed a few years ago at HOPE 9.

Now we can resurrect the ability to set/get SNMP values by setting our "technician" account:

That's neat, but we would much rather be using the a fancy "web 2.0" UI that a normal user is accustomed to, instead of manually setting SNMP values like some sort of neckbearded unix admin. Taking a look at the password change functionality appeared to be a dead end as it requires the previous password to set a new one:

Surprisingly the application does check the value of the old password too! Back to digging around the following was observed in the "mib.js" file:

SysCfg.AdminPassword= new Scalar("AdminPassword","1.3.6.1.4.1.4115.1.20.1.1.5.1",4);

Appears that the OID "1.3.6.1.4.1.4115.1.20.1.1.5.1" holds the value of the "Admin" password! Using the "technician" account to get/walk this OID comes up with nothing:

HTTP/1.1 200 OK
Date: Tue, 23 Sep 2014 19:58:40 GMT
Server: lighttpd/1.4.26-devel-5842M
Content-Length: 55
{
"1.3.6.1.4.1.4115.1.20.1.1.5.1.0":"",
"1":"Finish"
}

What about setting a new value? Surely that will not work....

That response looks hopeful. We can now log in with the password "krad_password" for the "admin" user:

This functionality can be wrapped up in the following curl command:

curl -isk -X 'GET' -b 'credential=eyJjcmVkZW50aWFsIjoiZEdWamFHNXBZMmxoYmpvPSJ9' 'http://192.168.100.1:8080/snmpSet?oid=1.3.6.1.4.1.4115.1.20.1.1.5.1.0=krad_password;4;'

Of course if you change the password you wouldn't be very sneaky, a better approach would be re-configuring the modems DNS settings perhaps? It's also worth noting that the SNMP set/get is CSRF'able if you were to catch a user who had recently logged into their modem.

The real pain here is that Arris keeps their FW locked up tightly and only allows Cable operators to download revisions/fixes/updates, so you are at the mercy of your Cable operator, even if Arris decides that its worth the time and effort to patch this ~~bug~~ backdoor - you as the end user CANNOT update your device because the interface doesn't provide that functionality to you! Next level engineering.

Continue reading

Android SSHControl V1.0 Relased!!!

Hoy sabado 15, he subido al Market de Android la versión 1.0 de SSHControl, con nuevas funcionalades y la esperada opción "Custom Commands".

Esta aplicación permite controlar tus servidores linux, bsd y unix con solo un dedo, mediante esta app Android.
Y soluciona las siguientes problemáticas:
- Manejar una shell desde el pequeño teclado de un móvil es engorroso.
- Leer todos los resultados de un comando en la pantalla del móvil, nos dejamos la vista.

Esta app permite interactuar con servidores remotos simplemente haciendo pulsaciones en la pantalla, mediante un explorador de ficheros, de conexiones, etc..

Las funcionalidades nuevas de esta versión 1.0 son:

- Administración del Firewall Iptables.
- Opción de Custom Commands, tal como había prometido.

Las funcionalidades ya presentes en la v0.8 son:

- escalada a root mediante su y sudo
- gestor de procesos
- explorador de ficheros, editor de ficheros, editor de permisos.
- monitorización y baneo de conexiones
- Visualizadores de logs
- administrador de drivers
- estadisticas de disco

Para la versión 2.0 preveo:

- Escuchar música remota
- Descarga de ficheros (wget)
- Transferencia segura de ficheros entre servidores (scp)
- Gestures, para administrar los sitemas en plan minority report :)

App disponible en el market para 861 tipos de dispositivos y pronto disponible en tablets.

https://market.android.com/details?id=net.ssh.SSHControl

Cualquier sugerencia de mejora: sha0 [4t] badchecksum [d0t] net

More information

WHO IS ETHICAL HACKER

Who is hacker?
A hacker is a Creative person and a creative Programmer,who have knowledge about Networking,Operating system,hacking & a best creative social engineer who control anyone's mind he is also a knowledgeable person.

Hacker are the problem solver and tool builder.

A hacker is an individual who uses computer, networking and other skills to overcome a technical problem but it often refers to a person who uses his or her abilities to gain unauthorized access to system or networks in order to commit crimes.

Read more

Monday, April 20, 2020

OpenVAS

"OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core is a server component with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications." read more...

Website: http://www.openvas.org

Related word

CEH Practical: Gathering Target Information: Reconnaissance And Competitive Intelligence

CEH Exam Objectives:

Describe Reconnaissance.

Describe aggressive/competitive intelligence.

Reconnaissance

Reconnaissance is the process of gathering informative data about a particular target of a malicious hack by exploring the targeted system. Basically two types of Reconnaissance exist i.e. Active and Passive. Active reconnaissance typically related to port scanning and observing the vulnerabilities about the targeted system (i.e., which ports are left vulnerable and/or if there are ways around the firewall and routers). Passive reconnaissance typically you will not be directly connected to a computer system. This process is used to gather essential information without ever interacting with the target systems.

Understand Aggressive Intelligence

Competitive intelligence means information gathering about competitors' products, marketing, and technologies. Most competitive intelligence is non intrusive to the company being investigated and is benign in nature. It's used for product comparison or as a sales and marketing tactic to better understand how competitors are positioning their products or services.

Online tools to gather competitive intelligence

Exercise 1.1

Using KeywordSpy

To use the KeywordSpy online tool to gather competitive intelligence information:

Go to the www.keywordspy.com website and enter the website address of the target in the search field

Review the report and determine valuable keywords, links, or other information.

Exercise 1.2

Using spyfu

Go to your browser and type www.spyfu.com and enter the website address of the target in the search field.

Exercise 1.3

Using the EDGAR Database to Gather Information

1. Determine the company's stock symbol using Google.

2. Open a web browser to www.sec.gov.

3. On the right side of the page, click the link EDGAR Filers.

4. Click the Search For Filings menu and enter the company name or stock symbol to search the filings for information. You can learn, for example, where the company is registered and who reported the filing.

5. Use the Yahoo! yellow pages ( http://yp.yahoo.com ) to see if an address or phone number is listed for any of the employee names you have located.