Transparently sniffing and modifying traffic in-path with scapy

January 29, 2017 at 19:42 (linux)

I decided to play a little bit with scapy and tried to find something on the internet that would help me sniff and modify traffic without ARP-storming the whole network.

I want to connect a box to my computer's eth0 and the network to eth1, so that I'm sitting between the box and the network.

Note: this does not defeat SSL right now, but that could easily be done with all the tools out there.

The idea is to transparently forward all traffic and only pick out specific packets for modification with scapy.

I did this with a combination of a bridged interface, iptables NFQUEUE and scapy.

First we create a bridge between eth0 and eth1 to transparently forward all traffic:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0 eth1
ifconfig br0 up

Second, we need to set up iptables to send the traffic we want to change to an NFQUEUE.
It is important that this rule is added at startup of the scapy script, so the redirection only happens while the script is running.
If the rule were in place without the script, no process would consume the queue and the packets would not traverse the bridge at all.

The line we need to set in the scapy script is:

iptables -A FORWARD -m physdev --physdev-in eth1 -s 192.168.1.10 -j NFQUEUE

Third, our scapy program catches those packets, modifies them if they are of interest to us and forwards them accordingly.
It is important to tell scapy that it must also forward (accept) the queued traffic we do not want to modify (e.g. the other SNMP responses in this example):

https://codepaste.net/y2a2mt

What I actually do is modify a response from our target system to the monitoring system.
I chose the SNMP response of an HP ProLiant power-supply check, which reports whether the power supplies are OK or not (or disconnected):

The "original" says that both power supplies are degraded, in other words they have a problem:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 3
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 3

# ./check_psu -H 192.168.1.10
PSU 1 DEGRADED, PSU 2 DEGRADED

After starting the scapy script, it will happily transform this into something much better:

# ./scapymod.py
Adding iptable rules :
iptables -A FORWARD -m physdev --physdev-in eth1 -s 192.168.1.10 -p udp -j NFQUEUE
[+] Running Main loop
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding...
Old status: 2 (<ASN1_OID['.1.3.6.1.4.1.232.6.2.9.3.1.4.1.1']>)
New status: 2 (OK)
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding...
Old status: 2 (<ASN1_OID['.1.3.6.1.4.1.232.6.2.9.3.1.4.1.2']>)
New status: 2 (OK)

and in the console:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 2
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 2

# ./check_psu -H 192.168.1.10
PSU 1 OK, PSU 2 OK

And all this just by carefully crafting and modifying packets.

Have Phun :)
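Added example, not the post's scapymod.py (which is only linked above) and not needing scapy: a pure-Python BER decoder for an SNMPv1 GetResponse, fed with a constructed reply for the PSU 1 OID from the post; decoding the degraded and the OK reply side by side shows why the rewrite works, since community-based SNMP (v1/v2c) carries no integrity protection and the two messages differ in exactly one INTEGER byte. The community, request-id and condition mapping (CPQHLTH-MIB: 2 = OK, 3 = DEGRADED) are assumptions used to build the sample; on the monitoring side only SNMPv3 with authentication prevents this kind of in-path change.

```python
# Added example (not the post's code): decode a community-based SNMP GetResponse.
PSU_CONDITION = {1: "OTHER", 2: "OK", 3: "DEGRADED", 4: "FAILED"}  # CPQHLTH-MIB cpqHeFltTolPowerSupplyCondition
PSU1_OID = bytes.fromhex("2b0601040181680602090301040101")     # 1.3.6.1.4.1.232.6.2.9.3.1.4.1.1, BER encoded

def tlv(tag, body):  # short-form BER TLV; enough for the small constructed sample below
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_response(status):
    """Constructed SNMPv1 GetResponse for PSU 1 (community 'public' and request-id 1 are assumed)."""
    varbind = tlv(0x30, tlv(0x06, PSU1_OID) + tlv(0x02, bytes([status])))
    pdu = tlv(0xA2, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + pdu)   # version 0 = SNMPv1

def parse(buf, pos=0):
    """Decode the BER TLV at pos -> ((tag, value), next_pos); constructed tags yield a list."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:                         # SEQUENCE, or a context PDU tag such as 0xA2 (GetResponse)
        items = []
        while pos < end:
            item, pos = parse(buf, pos)
            items.append(item)
        return (tag, items), end
    return (tag, buf[pos:end]), end

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def psu_status(msg):
    """Return (snmp_version, community, {oid: condition}) for a v1/v2c GetResponse."""
    (_, fields), _ = parse(msg)
    (_, ver), (_, community), (_, pdu) = fields
    _, varbind_list = pdu[3]               # request-id, error-status, error-index, varbinds
    conds = {}
    for _, ((_, oid), (_, val)) in varbind_list:
        conds[decode_oid(oid)] = PSU_CONDITION.get(int.from_bytes(val, "big"), "?")
    return int.from_bytes(ver, "big"), community.decode(), conds

def changed_offsets(a, b):  # byte offsets where two replies differ: no MAC, just the status byte
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
```

Decoding sample_response(3) and sample_response(2) gives DEGRADED and OK respectively, and changed_offsets() reports a single differing byte at offset 47, the INTEGER value of the varbind.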

ESXi 5: Expanding datastore by extending local array

April 21, 2012 at 21:48 (VMWare)

Recently I extended my RAID 5 array by replacing the HDDs one by one with bigger ones and waiting for each to rebuild.

All the instructions were executed on an HP DL360 G6 with a SmartArray P410i controller and only one logical disk.

It is highly recommended that you back up all your VMs before executing a single command. Everything worked fine for me, but one error in a command could lead to complete loss of all your data!

SSL Funambol on Android without adding Certificates

December 26, 2011 at 22:36 (Android)

Recently I wrote a blog entry about how to add a root certificate to the keystore of a rooted Android device in order to use Funambol over SSL.
This works perfectly as long as you have root access to the device.

Sometimes you come into a situation where you cannot root the device, e.g. in a corporate environment, or if you just don't want to crack a new device only to make the Funambol client work, as in my case right now.

I've got a new Motorola Xoom and needed Funambol to sync my contacts and calendar entries.

After asking Mr. Google there are only two ways until Android 4.x is ready:

  • Using HTTP without SSL
  • Using SSL and recoding the Funambol client to accept any certificate (i.e. skipping server certificate validation)

I decided on the second solution; this also refreshes my Java a little bit :-)

Of course I want to share everything with you. If you're too lazy to read all the stuff, you can point your Android client here to install my compiled Funambol 10.0.8 client without the certificate check:

For Android < 4.0 this binary works:

Direct download with android: funambol-android-10.0.8_Tasks-devBioS.apk

Mirror 1: funambol-android-10.0.8_Tasks-devBioS.apk

Since ICS (>= 4.0) people have problems syncing the calendar. This is because of changes in the Calendar API which render the calendar sync unusable; you can use this binary instead (which only works on ICS and greater):
Direct download with android: funambol-android-10.1.3_Tasks-devBioS.apk

UPDATE 2012-04-03: I activated the task sync feature as well and re-uploaded the binary.
If anyone is interested in the source for how to activate it, drop me a line and I will update the post.

Adding Root Certificates to Android Phone with root access

August 23, 2011 at 22:24 (Computer)

Yeah, after being really busy with my real life, here is another interesting trick for you:

How to get some more root certificates onto an Android phone where you have root access (or, at least, can start and use Root Explorer).

Some background info:
I use a Funambol community server to keep my phone and Outlook in sync, and recently my colleague Sven did a great job converting my HTC HD2 from Windows Mobile to Android 2.x (kudos to him! thanks!).

Update on 2011-12-27: I changed the client to allow self-signed certificates: here

The challenge is that if you use Funambol with self-signed SSL certificates, you need to get those recognized by Android, which is a really complicated task if you don't know how. But here we go:

What you need beforehand (and what I don't describe):

Our steps are:

  1. Export the certificate from the Funambol Java keystore
  2. Get the cacerts.bks from the Android device
  3. Modify the cacerts.bks of Android
  4. Reboot, finished

Step 1 – Export the funambol certificate

  • Execute "%JAVA_HOME%\bin\keytool -export -alias tomcat -file myroot.cer" (in detail like here)
  • Copy myroot.cer to the SD card of the Android device (or download it to another computer)

Step 2

  • Insert the SD card into the Android device, start Root Explorer and navigate to /etc/security/
  • Copy the file cacerts.bks
  • Navigate to /sd-card and paste the file
  • Insert the SD card into another computer
  • Run the Portecle keytool and open the cacerts.bks from your SD card
  • When prompted for a password, just hit enter
  • Go to Tools -> Import Key Pair and select your myroot.cer, give it any name you want
  • Save the cacerts.bks
  • Re-insert the SD card into the Android device
  • Open Root Explorer, head to /sd-card, copy, paste to /etc/security/
  • Make sure Root Explorer shows "mounted as r/w" in the header of the program
  • Set the permissions of the newly copied cacerts.bks to rw-r--r-- (owner: read and write; group and others: read)

Step 3

  • Double-check that the permissions of cacerts.bks are set correctly to rw-r--r--
  • Restart the phone
  • The Funambol sync should now complete

Have phun being in sync!

P.S. Keep in touch! The next XBee blog posts are half-way written, but I really don't have time ATM... sorry

QuickFix: IE8 hangup opening intranet pages

April 11, 2011 at 16:53 (Windows)

Something I always hate is when there is no update and a product stops working, so I cannot do my work anymore.

In this case I (am forced to) use Internet Explorer to open several intranet pages that allow me to do my administration work.

The problem sums up like this:

  • Google, and everything else on "the internet", works seamlessly
  • Opening something internal just hangs IE8 for a couple of minutes, then it simply stops loading without an error
  • Same in Firefox with IETab installed
  • Same in IE 7 and IE 8, 64-bit and 32-bit

The solution is as easy as it is stupid:

In "Internet Options" -> "Security", the "Local intranet" zone was set up with "Protected Mode" disabled.
Enabling it fixed the problem instantly for IE8, IE7 and Firefox with IETab.

Weekend Project: Connect a letterbox to Jabber with XBee

May 16, 2010 at 19:05 (Electronics, linux)

As I promised, this is my first XBee project. I just needed a more or less useful application so I can "test" the XBees in a real environment.

It is in my nature to do crazy things, so I thought it would be really cool to get a Jabber notification on my phone when someone puts letters in my letterbox. Here it is ;)

01-08-2010 Update:
The FTDI chip gives me a fscking LOT of PAIN, more to come in the next post. DO NOT USE IT :)

This is my setup:

  • XBee "Coordinator" in API mode, connected through an FTDI USB chip to a Linux box
  • XBee "End Device" interfaced with an Atmel ATtiny13V, powered by two 1.5 V AA batteries
  • Perl XBee module API.pm from Thomas Jager
  • Jabber Perl modules to enable sending messages
  • Siemens S685IP DECT phone that can receive Jabber messages

Before you read further you should note that I flashed the ZigBee API firmware (XB24-ZB) on my XBees because I don't want to miss the mesh feature.

This setup has now been running with 2x alkaline batteries in the end device for 4 weeks, and is still running!

Multi-Boot USB Thumb Drive

February 14, 2010 at 01:34 (linux, Uncategorized)

Ever thought it might be cool to have just one USB stick from which all your individual security / pentest / recovery / hack-a-tack boot discs can be booted?

I thought so!

Crawling the Internet looks promising and shows two different ways to get a boot disc onto your USB thumb drive:

  • Booting a boot disc as an ISO stored on the drive (which is not compatible with most boot discs)
  • Booting a boot disc ISO extracted to an extra partition on the USB drive (which is more compatible)

Remember: both ways are possible on a single stick, so you can have ISOs there AND extra partitions with the contents of the original ISO.

Microsoft, please get a XBOX QA-Responsible!

February 1, 2010 at 17:17 (Computer, Everything Else)

Lol lol lol…

What I really like when I hear "Microsoft" is that they want to make good products but always manage to produce a very uber big FAIL.
I must say I'm not a fan of this company, but like a lot of people I use some of their products.

Today I started playing XBOX360 in some free time I had between my job and my family...
Playing, playing, pla- zzzz - freeze.
Damn. OK, no problem. Console turned off and on again.

But what the heck is that?! 3 red lights?
Fuck! This is the red ring of death.

SipToSis with Asterisk

February 1, 2010 at 16:59 (Asterisk)

I was a little busy these days, had a lot of work to do like re-waterproofing my bathtub..

2010-02-17 Edit: Please read the references I show at the end of this post for a HowTo on how to install SipToSis exactly! If I find the time I can write a detailed HowTo with DISPLAY environment variables etc., but only if I get some comments asking for it :)

Nevertheless I finally managed to get a working Skype <-> Asterisk connection via SipToSis. Hurray!
I didn't get Skypeiax to work..

This is how I did it: with the Asterisk 1.4.x branch, on the same machine as Skype (which should also work), running Debian 5.0

Windows 7, Windows XP and the strange Active Directory

September 17, 2009 at 14:04 (Windows)

Windows 7 and Windows XP just give different error messages for the same problem, mainly when you are a member of MANY AD groups (like me) and want to work with the system:

Windows XP says most of the time:
"Not enough storage is available to complete this command"

Windows 7 says:
"Naming information cannot be located because:

The system detected a possible attempt to compromise security.
Please ensure that you can contact the server that authenticated you.
Contact your system administrator to verify that your domain is properly configured and is currently online.”

Under Win7 even Outlook 2007 didn't want to start!

Win7 Kerberos Problem

Here is the detailed cause and solution to the problem:

Cause:
The user is not able to authenticate because the Kerberos token that is generated during authentication attempts has a fixed maximum size.

Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes.

If a user is a member of more than 120 groups, the buffer that is determined by the MaxTokenSize value is not large enough. As a result, users cannot authenticate, and they may receive an “out of memory” error message. Before you apply the hotfix that is described in this article, every group that is added to a user account increases this buffer by 40 bytes.

NOTE: In many scenarios, Windows NTLM authentication works as expected; you may not see the Kerberos authentication problem without analysis. However, scenarios in which Group Policy settings are applied may not work as expected.

Solution:

A registry parameter is available after you apply this hotfix that you can use to increase the Kerberos token size. For example, increasing the token size to 65 KB allows a user to be present in more than 900 groups. Because of the associated SID information, this number may vary.

To use this parameter:

  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  3. If this key is not present, create the key. To do so:
    • Click the following key in the registry: System\CurrentControlSet\Control\Lsa\Kerberos
    • On the Edit menu, click Add Key.
    • Create a Parameters key.
    • Click the new Parameters key.
  4. On the Edit menu, click Add Value, and then add the following registry value:
    • Value name: MaxTokenSize
    • Data type: REG_DWORD
    • Radix: Decimal
    • Value data: 65535
  5. Quit Registry Editor.

The default value for MaxTokenSize is 12000 decimal. We recommend that you set this value to 65535 decimal, FFFF hexadecimal. If you set this value incorrectly to 65535 hexadecimal (an extremely large value) Kerberos authentication operations may fail, and programs may return errors.
