linux poison

First step in hacking - know your neighboring machines

The simplest way I know is to use ping: I can send a broadcast packet to everyone in a subnet so that they all respond. Let's say I am in the subnet 192.168.0.x and the broadcast IP is 192.168.0.255; I can do this:

ping -b 192.168.0.255

How do I know the broadcast IP is 192.168.0.255? I can check with ifconfig.

ifconfig eth0 | grep Bcast

Some routers are configured to filter broadcast and multicast packets to prevent broadcast storms; if so, broadcast is useless. Most modern hosts also ignore broadcast echo requests by default (on Linux the sysctl net.ipv4.icmp_echo_ignore_broadcasts is 1), so a silent broadcast does not mean an empty subnet.

So what are the alternatives?

I can ping the IPs one by one with a short bash loop. The loop body below is reconstructed (the page's copy was cut off after the for header); the grep that keeps only the reply and summary lines is an assumption based on the output shown:

for ((i=1;i<255;i++)); do
    # one echo request per host, give up after 1 second
    ping -c 1 -W 1 192.168.0.$i | grep -E 'bytes from|ping statistics'
done

The result will look like this:

--- 192.168.0.1 ping statistics ---
--- 192.168.0.2 ping statistics ---
--- 192.168.0.3 ping statistics ---
--- 192.168.0.4 ping statistics ---
64 bytes from 192.168.0.5: icmp_seq=1 ttl=249 time=11.0 ms
--- 192.168.0.5 ping statistics ---
64 bytes from 192.168.0.6: icmp_seq=1 ttl=248 time=12.3 ms
--- 192.168.0.6 ping statistics ---
--- 192.168.0.7 ping statistics ---
--- 192.168.0.8 ping statistics ---
--- 192.168.0.9 ping statistics ---
--- 192.168.0.10 ping statistics ---
--- 192.168.0.11 ping statistics ---

Let me explain the ping options I use: -c (count) indicates how many ping attempts are made for a single IP, and -W specifies the timeout in seconds; ping waits until the timeout expires before declaring the attempt failed.

From the sample results, I discovered 192.168.0.5 and 192.168.0.6.

Due to a limitation of ping, I can't specify a timeout of less than 1 second, so scanning a class C LAN may take up to 255 seconds, which is extremely slow.
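As an added example (not from the original post), here is the same sweep of a subnet you administer in Python. The echo requests run concurrently, so a /24 finishes in a few seconds rather than 255, and a small parser turns ping's output into the list of hosts that answered. The parser is exercised on a constructed sample modelled on the output above, so it runs without sending any packets; the sweep function assumes an iputils-style ping that accepts -c and -W, as used in the post.

```python
"""Host discovery by ICMP echo: run pings concurrently and parse the replies."""
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

# One reply line looks like:
# "64 bytes from 192.168.0.5: icmp_seq=1 ttl=249 time=11.0 ms"
REPLY_RE = re.compile(
    r"^\d+ bytes from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})[:\s].*?ttl=(?P<ttl>\d+)"
    r".*?time=(?P<time>[\d.]+) ms"
)


def parse_ping_output(text):
    """Return {ip: (ttl, rtt_ms)} for every echo reply found in ping output.

    Summary lines ("--- x ping statistics ---"), errors and blank lines are
    ignored, so the concatenated output of a whole sweep can be fed in at once.
    """
    hosts = {}
    for line in text.splitlines():
        match = REPLY_RE.match(line.strip())
        if match:
            hosts[match.group("ip")] = (int(match.group("ttl")), float(match.group("time")))
    return hosts


def ping_once(ip, timeout_s=1):
    """Send a single echo request (ping -c 1 -W timeout) and return ping's stdout."""
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), ip],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def sweep(prefix="192.168.0", first=1, last=254, workers=32, timeout_s=1):
    """Ping prefix.first .. prefix.last concurrently and return the live hosts.

    With a thread pool the wall-clock cost is about ceil(hosts / workers) times
    the timeout instead of hosts times the timeout for the serial loop.
    """
    ips = [f"{prefix}.{i}" for i in range(first, last + 1)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outputs = list(pool.map(lambda ip: ping_once(ip, timeout_s), ips))
    return parse_ping_output("\n".join(outputs))


# Constructed sample, modelled on the output shown in the post, so the parser
# can be exercised offline.
SAMPLE_OUTPUT = """\
--- 192.168.0.4 ping statistics ---
64 bytes from 192.168.0.5: icmp_seq=1 ttl=249 time=11.0 ms
--- 192.168.0.5 ping statistics ---
64 bytes from 192.168.0.6: icmp_seq=1 ttl=248 time=12.3 ms
--- 192.168.0.6 ping statistics ---
--- 192.168.0.7 ping statistics ---
"""

if __name__ == "__main__":
    for ip, (ttl, rtt) in sorted(parse_ping_output(SAMPLE_OUTPUT).items()):
        print(f"{ip} is up (ttl={ttl}, {rtt} ms)")
```

Hosts that drop ICMP (a common firewall default) will not show up in either the loop or this script; an empty result means "nothing answered", not "nothing is there".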


HowTo hide information in a image or sound file

OutGuess
OutGuess is console-based universal steganographic tool that can hide information inside picture objects. It supports inserting objects into PPM, PNM, and JPEG image formats. OutGuess can be used on Linux, *BSD, Solaris, AIX, HP-UX, Mac OS X, and Windows.

Suppose I want to securely send a root password for a production server. I can start by putting the password in a pass.txt file, then encrypt it with a secret key and mix the encrypted version with an image called grill.jpg. OutGuess can do that with one command:
~$ outguess -k key -d pass.txt grill.jpg summer-grill.jpg
You don't have to use the -k option to encrypt the sensitive data with a secret key. If you leave it off, however, anyone who knows there's a file buried in the image can extract it. Note also that a key given with -k is visible in your shell history and, while outguess runs, in the process list.

Now I have an image named summer-grill.jpg that holds my production server's root password, and I can mail it to my coworker. Anyone who sees the picture won't notice anything strange, since the data hidden in the image is not visible to the human eye. Invisible to the eye is not the same as undetectable, though: embedding alters the file's statistics, which is exactly what steganalysis tools look for.

When my coworker receives the picture, he needs to extract the information from the file. As long as he knows the secret key I used for the encryption, he can run the command:
~$ outguess -k key -r summer-grill.jpg pass.txt
If you don't specify the -k option with the key, OutGuess will still extract a pass.txt file, but it won't be readable.

Steghide
Steghide is another program you can use to hide sensitive data inside image and audio files. The latest version of Steghide supports hiding sensitive information inside BMP and JPEG image formats as well as in AU and WAV audio formats. The default encryption algorithm is Rijndael with a key size of 128 bits, which is basically AES (Advanced Encryption Standard), but you can choose from many other encryption algorithms as well. Steghide runs under both Linux and Windows.

Let's use the same scenario from our previous example. The equivalent Steghide command is:
~$ steghide embed -cf grill.jpg -sf summer-grill.jpg -ef pass.txt -p summer
To extract the pass.txt file from the summer-grill.jpg picture, use this Steghide command:
~$ steghide extract -sf summer-grill.jpg
You'll be asked for a password, and the utility will extract pass.txt only if your password (secret key) is correct. Note that when extracting we didn't specify any output file. That's because Steghide records the name of the embedded file and extracts it under the same name.

Stegtools
Stegtools is a pair of command-line tools for reading and writing hidden information. The latest version of stegtools supports 24bpp bitmap images, and runs on Linux and FreeBSD operating systems.

Using the same example again:
cat pass.txt | /usr/local/stegotools-0.4b/stegwrite grill.jpg summer-grill.jpg 1
Here I redirect the standard input (the output of the cat command) into the stegwrite tool and specify the existing picture and the desired output picture. I used the full path to my stegwrite tools, since they're not in my $PATH. The number at the end of the command is how many of the low-order bits of each byte of grill.jpg will be used to hide my data. The value may be 1, 2, or 4. A more in-depth explanation can be found in the software's README file.

Stegread reads the hidden information from a picture object and writes it to the standard output. If I want to extract the password from summer-grill.jpg image, I can use this command:
~$ /usr/local/stegotools-0.4b/stegread summer-grill.jpg 1 > pass.txt
You need to give the same number of low-order bits that was used when writing in order to extract the password from the object file. If you don't know the right number, the utility leaves you with an empty pass.txt file.
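The trailing 1, 2 or 4 passed to stegwrite and stegread is the number of low-order bits per cover byte that carry the payload. As an added example (not stegtools' own code), here is a minimal implementation of that least-significant-bit scheme on a raw byte buffer, with a 4-byte length header so the reader knows where the payload ends. It shows why reading with the wrong bit width yields nothing usable, and includes the before/after comparison that tells you how much of the cover actually changed. The cover is a constructed byte array standing in for 24bpp pixel data, not an image file.

```python
"""Minimal least-significant-bit (LSB) steganography on a byte buffer.

`width` plays the role of stegwrite's trailing 1/2/4: how many low-order bits
of each cover byte are overwritten with payload bits.
"""


def capacity(cover_len, width):
    """Payload bytes that fit: width bits per cover byte, minus the 4-byte length header."""
    return cover_len * width // 8 - 4


def _chunks(data, width):
    """Yield the bytes of `data` as big-endian groups of `width` bits."""
    mask = (1 << width) - 1
    for byte in data:
        for shift in range(8 - width, -1, -width):
            yield (byte >> shift) & mask


def embed(cover, payload, width=1):
    """Return a copy of `cover` whose low `width` bits carry len(payload) + payload."""
    if width not in (1, 2, 4):
        raise ValueError("width must be 1, 2 or 4 bits")
    if len(payload) > capacity(len(cover), width):
        raise ValueError("payload too large for this cover at this bit width")
    framed = len(payload).to_bytes(4, "big") + payload
    mask = (1 << width) - 1
    out = bytearray(cover)
    for i, chunk in enumerate(_chunks(framed, width)):
        out[i] = (out[i] & ~mask & 0xFF) | chunk  # clear the low bits, write the chunk
    return bytes(out)


def extract(stego, width=1):
    """Read the payload back; returns b"" when the header is implausible (wrong width or no payload)."""
    if width not in (1, 2, 4):
        raise ValueError("width must be 1, 2 or 4 bits")
    mask = (1 << width) - 1
    per_byte = 8 // width  # cover bytes needed per payload byte

    def read_bytes(count, start):
        result = bytearray()
        idx = start
        for _ in range(count):
            value = 0
            for _ in range(per_byte):
                value = (value << width) | (stego[idx] & mask)
                idx += 1
            result.append(value)
        return bytes(result), idx

    if len(stego) < 4 * per_byte:
        return b""
    header, idx = read_bytes(4, 0)
    length = int.from_bytes(header, "big")
    if length > capacity(len(stego), width):
        return b""  # a wrong width decodes garbage into the length field
    body, _ = read_bytes(length, idx)
    return body


def max_change(cover, stego):
    """Largest per-byte XOR between cover and stego: at most 1, 3 or 15 for widths 1, 2, 4."""
    return max(a ^ b for a, b in zip(cover, stego))


# Constructed cover: a ramp of byte values standing in for 24bpp pixel data.
COVER = bytes(range(256)) * 4

if __name__ == "__main__":
    secret = b"constructed sample secret"
    for width in (1, 2, 4):
        stego = embed(COVER, secret, width)
        print(width, extract(stego, width) == secret, "max byte change", max_change(COVER, stego))
    print("wrong width:", extract(embed(COVER, secret, 1), 4))
```

Raw LSB embedding like this only survives in lossless formats such as the 24bpp BMP that stegtools supports; saving the result as JPEG recomputes the pixels and destroys the low bits, which is why OutGuess and Steghide embed in the JPEG's DCT coefficients instead. The max_change comparison is the kind of check a steganalysis tool makes when the original cover is available: with width 1 no byte moves by more than one step, which is invisible on screen but is a measurable change in the file's statistics.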

SteGUI, a Steghide GUI
SteGUI is a Linux-based graphical front end to Steghide. Before you install SteGUI you need the stegtools, FLTK toolkit, PStreams, ALSA, and Libjpeg libraries installed.

The menus in SteGUI allow you to open objects (picture or sound) and extract or embed information by selecting and clicking on the screen. Here you can see that I've opened my grill.jpg picture and am preparing to embed the pass.txt file. You can also see how many cryptographic algorithms are available for the job. Although it's a nice interface, SteGUI is useful only with objects made with the Steghide program.



Service redirection on other machine

xinetd can be used as a transparent proxy: it allows a service request to be forwarded to another machine on the desired port.

service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
only_from = 192.168.1.0/24
redirect = 192.168.1.15 23
}

Let's watch what's going on now:

>>telnet server
Trying 192.168.1.1...
Connected to server.
Escape character is '^]'.

Welcome to openSUSE 10.3 (i586)
Poison login:

At first, the connection seems to be established on server, but the login banner shows that poison took over. This mechanism can be both useful and dangerous. When setting it up, logging must be done on both ends of the connection: the machine behind the redirect sees the session arriving from the xinetd host, not from the original client, so only the xinetd host's log has the real source address.

HowTo make two instance of postfix running on same machine

What's involved?

Creating a second instance of Postfix from an existing one involves the following steps (Postfix 2.6 and later also ship postmulti, which automates this, but the manual procedure shows what is involved):

1. Add an IP address to the server
2. Copy the /etc/postfix directory and all files
3. Create an additional spool directory
4. Edit the config files
5. Create startup and administration scripts

Step one: Add an IP address

The second instance of Postfix will be used for all outbound e-mail. Users will configure their e-mail clients to connect to that IP as their "SMTP server".

Follow the procedure appropriate to your server's version of Linux to add a second IP. The new IP can exist on the same network card as the first (e.g. as device eth0:1 on Linux) or can be tied to a second NIC, whichever best suits your requirements.

The new IP address must resolve to a name. Either add a name for it in your DNS, or add an entry in the server's /etc/hosts file. Postfix will not work unless the IP address resolves to a name on the server Postfix is installed on.

As an alternative, the new instance can share the same IP but receive mail on a port other than port 25. We won't show that here, but it's an alternative to be aware of.

Step two: copy /etc/postfix

Copy your existing /etc/postfix directory to /etc/postfix-out:

cp -rp /etc/postfix /etc/postfix-out

The new directory should have all the files with the same ownership and permissions as the original.

To make the next step easier, edit file /etc/postfix-out/main.cf. Change the following setting or add it if it does not exist:

queue_directory = /var/spool/postfix-out

Save the changes to the file before proceeding to the next step.

Step three: create an additional spool directory

Each instance of Postfix must have its own mail spool directory. To avoid file conflicts, the default directory /var/spool/postfix must not be shared among instances.

Create a directory named /var/spool/postfix-out and let Postfix create the appropriate subdirectories and permissions:

mkdir /var/spool/postfix-out
postfix -c /etc/postfix-out check

The result should be directory /var/spool/postfix-out containing something similar to the following:

drwxr-xr-x 14 root root 336 Jan 30 10:20 .
drwxr-xr-x 15 root root 384 Jan 30 10:20 ..
drwx------ 2 postfix root 48 Jan 30 10:20 active
drwx------ 2 postfix root 48 Jan 30 10:20 bounce
drwx------ 2 postfix root 48 Jan 30 10:20 corrupt
drwx------ 2 postfix root 48 Jan 30 10:20 defer
drwx------ 2 postfix root 48 Jan 30 10:20 deferred
drwx------ 2 postfix root 48 Jan 30 10:20 flush
drwx------ 2 postfix root 48 Jan 30 10:20 incoming
drwx-wx--- 2 postfix postdrop 48 Jan 30 10:20 maildrop
drwxr-xr-x 2 root root 48 Jan 30 10:20 pid
drwx------ 2 postfix root 48 Jan 30 10:20 private
drwx--x--- 2 postfix postdrop 48 Jan 30 10:20 public
drwx------ 2 postfix root 48 Jan 30 10:20 saved

If directory /var/spool/postfix contains directories named etc, usr and lib, your first Postfix instance was probably installed chrooted: if those directories exist, manually copy them to /var/spool/postfix-out:

cp -rp /var/spool/postfix/etc /var/spool/postfix-out
cp -rp /var/spool/postfix/usr /var/spool/postfix-out
cp -rp /var/spool/postfix/lib /var/spool/postfix-out

Step four: edit the config files

Edit the file /etc/postfix/main.cf and add the following near the bottom of the file:

alternate_config_directories = /etc/postfix-out

The above setting is required to inform the Postfix daemons about the second instance.

Next, edit the file /etc/postfix-out/main.cf and change the following setting:

inet_interfaces = second-IP-address-NAME

Note: in the above you must specify the DNS name of the second IP address, not the IP address. If the IP address does not have a DNS name, add an entry for it to /etc/hosts so it can be resolved locally on the server.

You should also remove settings such as reject_maps_rbl and content filtering that only need to be applied to inbound e-mail, and change syslog_facility so that logging of outbound mail goes to a different file than inbound.

You might also want to change the setting myhostname so the second instance uses a name different from the first (e.g. "mx1-out"). This is required if the two instances will exchange mail with each other; otherwise Postfix will complain that mail "loops back to myself".

Lastly, you can force mail sent from the outbound instance to leave using the same IP address as the inbound instance. This is useful when the mail server is behind a firewall and you want only one IP address to communicate with the Internet. To make the outbound instance send from an IP other than its own, add the setting smtp_bind_address to its main.cf, similar to the following:

smtp_bind_address = 192.168.1.1

(Of course, replace the IP address above with your own server's inbound SMTP IP address)

Step five: Create startup and administration scripts
Startup script
The second instance can be started using the normal postfix start command, except you must point to the other configuration directory. For example:

postfix -c /etc/postfix-out start

To create a startup script for the second instance, either edit your existing Postfix startup script and add the above command after the existing postfix start command, or copy the existing startup script to a new name and change the copy. If you copy the start script, be sure to also follow your operating system's instructions for installing a new init script (for example, chkconfig on Red Hat Linux, update-rc.d on Debian Linux).

Change Postfix to accept incoming mail on port 1054 or other but send outgoing mail on 25

Modify /etc/services: add a new service (say smtp2) with port 1054 and leave smtp at 25.

Modify /etc/postfix/master.cf and change the line that reads

"smtp inet n - n - - smtpd"
to
"smtp2 inet n - n - - smtpd"

Restart Postfix:
postfix reload
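As an added example (not part of either post, and not Postfix's own tooling), the Python helpers below perform the three text edits these notes call for: the main.cf set-or-append from steps two and four of the two-instance procedure above, and the master.cf service rename and /etc/services entry from this post. They work on constructed sample files rather than on anything under /etc, so the result can be reviewed before it is written out.

```python
"""Text-level helpers for the Postfix edits made in these notes: set or append
a main.cf parameter, rename a master.cf service, add an /etc/services entry.
Each returns new text so the change can be diffed before /etc is touched."""
import re


def set_main_cf(text, key, value):
    """Return main.cf text containing exactly one `key = value` line.

    Postfix honours the last occurrence of a repeated parameter, so an existing
    line is rewritten in place (and its indented continuation lines dropped)
    instead of appending a second copy that silently wins.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    lines = text.splitlines()
    out, found, i = [], False, 0
    while i < len(lines):
        if pattern.match(lines[i]):
            if not found:
                out.append(f"{key} = {value}")
                found = True
            i += 1
            # continuation lines of a main.cf value start with whitespace
            while i < len(lines) and lines[i][:1] in (" ", "\t") and lines[i].strip():
                i += 1
            continue
        out.append(lines[i])
        i += 1
    if not found:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def rename_master_service(text, old, new, transport="inet"):
    """Return master.cf text with the `old transport ...` service renamed to `new`.

    Only the service-name column changes; the remaining columns stay as written.
    Exactly one matching line is required, so a typo or duplicate is an error
    rather than a silent no-op.
    """
    out, hits = [], 0
    for line in text.splitlines():
        fields = line.split()
        if (len(fields) >= 8 and not fields[0].startswith("#")
                and fields[0] == old and fields[1] == transport):
            line = line.replace(old, new, 1)
            hits += 1
        out.append(line)
    if hits != 1:
        raise ValueError(f"expected one '{old} {transport}' line, found {hits}")
    return "\n".join(out) + "\n"


def add_service(text, name, port, proto="tcp"):
    """Append `name port/proto` to /etc/services text unless it is already there.

    Refuses if the port is already assigned to another service, which would
    otherwise leave Postfix listening somewhere unexpected.
    """
    entry = f"{port}/{proto}"
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1] == entry:
            if fields[0] == name or name in fields[2:]:
                return text  # already present under this name or alias
            raise ValueError(f"{entry} is already assigned to {fields[0]}")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{name}\t\t{entry}\n"


# Constructed samples standing in for the real files under /etc.
MAIN_CF = """# constructed sample main.cf
myhostname = mx1
queue_directory = /var/spool/postfix
inet_interfaces = all
"""
MASTER_CF = """# constructed sample master.cf
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       n       -       -       smtp
pickup    unix  n       -       n       60      1       pickup
"""
SERVICES = "smtp\t\t25/tcp\t\tmail\n"

if __name__ == "__main__":
    # step two: the copied /etc/postfix-out/main.cf gets its own queue
    print(set_main_cf(MAIN_CF, "queue_directory", "/var/spool/postfix-out"))
    # step four: the original /etc/postfix/main.cf learns about the second instance
    print(set_main_cf(MAIN_CF, "alternate_config_directories", "/etc/postfix-out"))
    # this post: listen on smtp2 (1054) instead of smtp (25)
    print(rename_master_service(MASTER_CF, "smtp", "smtp2"))
    print(add_service(SERVICES, "smtp2", 1054))
```

master.cf also accepts a numeric port in the service column ("1054 inet n - n - - smtpd"), which avoids touching /etc/services at all; the rename above follows the post. Whichever way the listener is added, run postfix check (with -c /etc/postfix-out for the second instance) before postfix reload so a malformed line is caught rather than taking the listener down.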