There’s some good analysis, predictable PRNG toys and more funny pictures from HD Moore.

Get it here: Metasploit Simple HTTP

Rename the file to .rb and install in the aux directory of your Metasploit installation.

If you need a PUT example, Carnal0wnage has a good module on his blog.

To remove this download the source and edit line 80 of Constant.java from

public static final String USER_AGENT = PROGRAM_NAME + “/” + PROGRAM_VERSION;

to

public static final String USER_AGENT = “”;

and recompile.

This should remove the obvious traces!

This doesn’t really change anything as the numbers generated by the device (at least in identify mode) can be created one by one offline, written down and then later used sequentially. I’ve seen enough people with pin numbers on Post-It’s attached to their cards to know that it won’t be long before the notes also contains PinSentry numbers. FaultyFlipper has some good discussion of peoples feelings towards the devices as well as the reasons it may have been introduced.

I’ve had a quick look at the numbers generated, and they seem to follow a sequential pattern of random increments. A very quick phase-space analysis of one hundred numbers from the device shows no discernable patterns, but more numbers are needed to carry this out thoroughly.

If anyone is interested in sample output from the device, I can supply the numbers I have used for testing. Likewise if you’d like to supply me with some numbers (and not any personal details) let me know.

Using some fuzzy matching, its possible to get a rough list of addresses for a domain, but manual verification is needed for each address found.

The scripts below can be used to train GOCR on facebook images, and can then attempt to pick addresses matching a certain domain from a directory of images.

The scripts are Training Script here and Matching Script here. You’ll need GOCR installed, String::Approx, and the ability to ignore silly Perl.

First download a selection of Facebook E-Mail images, we’ll use these with the training script to give GOCR something to go on.

Then run the matching script on the images you wish to convert, it’ll do some fuzzy matching if you give it domain to look for.

If I can improve this, I’ll try and automate it all a little more and work out some stats.

To enable IPv6 you first need to create an account with a tunnel provider such as SiXXs. A guide to doing this can be found at the Sixxs site. This gives you a remote endpoint for your IPv6 in IPv4 tunnel.

Once the account is setup enable IPv6 on the router via the “IPv6 Support” option under Administration, and then the Management tab.

The following script added to the routers startup config will start the tunnel when the router is rebooted.

ip tunnel add sixxs mode sit local aaa.aaa.aaa.aaa remote bbb.bbb.bbb.bbb
ip link set sixxs up
ip link set mtu 1280 dev sixxs
ip tunnel change sixxs ttl 64
ip -6 addr add 2051:4bd1:2002:9b::2/64 dev sixxs
ip -6 ro add default via 2001:4bd0:2000:9b::1 dev sixxs

aaa.aaa.aaa.aaa - A local, externally accesible IPv4 address.
bbb.bbb.bbb.bbb - The IPv4 address of the pop to connect to.

2051:4bd1:2002:9b::2/64 - Local IPv6 address.
2051:4bd1:2002:9b::1/64 - Remote IPv6 address.

Once the tunnel has been working for a week. SiXXs will allow you to assign a subnet to it that you can distribute using Radvd.

You’ve been warned, its buggy.

More updates soon.

This broke the architecture we had for displaying them, so it’s currently down.

Dynamic Network Address Translation maps several internal addresses to a single external address. All connections appear to come from that address. It is desirable sometimes to have static NAT where several external addresses that are forwarded to internal hosts.

For example:

195.167.182.123 -> 10.0.0.1
195.167.182.124 -> 10.0.0.2
195.167.182.125 -> 10.0.0.x

It may be useful to have a “catch all” address that other addresses can be translated to, this is shown in the last line of the example above.

Firstly add the external aliases to the external interface of the WRT54G, which is vlan1.

ifconfig vlan1:1 195.167.182.124 netmask 255.255.255.248 broadcast 195.167.182.127
ifconfig vlan1:2 195.167.182.125 netmask 255.255.255.248 broadcast 195.167.182.127

The catch all address is already specified as the routers external address.

The following IPTables commands will add NAT for these addresses, and ensure all other traffic is translated to the main address.

# Default accept all.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Clear all chains.
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test “X$c” = “XChain” ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done

# Reset counters.
iptables -Z

# Allow new connections, to and from the router.
iptables -A INPUT -i lo -m state –state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state –state NEW -j ACCEPT
# Allow established and related connections.
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Nat mapping for 195.167.182.123 -> 10.0.0.1
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.123 -j DNAT –to-destination 10.0.0.1
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.1 -j SNAT –to-source 195.167.182.123

# Nat mapping for 195.167.182.124 -> 10.0.0.2
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.1241 -j DNAT –to-destination 10.0.0.2
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.2 -j SNAT –to-source 195.167.182.124

# NAT all other connections.
iptables -t nat -A POSTROUTING -o vlan1 -s 10.0.0.0/24 -j MASQUERADE

# Fix mss.
iptables -t mangle -A POSTROUTING -p tcp –tcp-flags SYN,RST SYN -m tcpmss –mss 1421:65535 -j TCPMSS –clamp-ms

Using custom chains within IPTables, can improve the efficiency and overall throughput of the firewall.

A good firewall design is important! Using the principle of Block All, Allow Some

As well as the standard INPUT, FORWARD and OUTPUT chains in IPTables it is very useful to add your own. Custom chains also allow selective tracking and logging of traffic flows.

For example:
# Make a new chain called “dropandlog”
iptables -N dropandlog

# Configure the chain.

# Limit how many log entries to make, and log.
iptables -A dropandlog -m limit –limit 15/minute -j LOG –log-prefix Firewall:

# Drop the packets passed to this chain.
iptables -A dropandlog -j DROP

Now any rules which have a jump (-j) target of dropandlog will pass the matched traffic to the chain.

For example:

iptables -A INPUT -p tcp –dport 22 -j dropandlog

This rule sends any packets on the default ssh port, coming in on the input chain to the chain dropandlog. They will be shown in the logfile with the prefix “Firewall:”.

Using separate chains cuts down the amount of rules traffic has to pass through and so improves firewall efficiency.

For example the following script:

iptables -A INPUT -p tcp ! –syn -m state –state NEW -j drop

iptables -A INPUT -p tcp –tcp-flags ALL FIN,URG,PSH -j drop
iptables -A INPUT -p tcp –tcp-flags ALL ALL -j drop
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j drop
iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j drop
iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j drop

These rules only match TCP traffic. However all UDP and ICMP traffic will also be forced to go through each rule, slowing them down. It is much more efficient therefore to refactor this to use protocol specific chains.

#New chain tcpfilter.
iptables -N tcpfilter

# Rules for chain tcpfilter.
iptables -A tcpfilter -p tcp ! –syn -m state –state NEW -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL FIN,URG,PSH -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL ALL -j drop
iptables -A tcpfilter -p tcp –tcp-flags ALL NONE -j drop
iptables -A tcpfilter -p tcp –tcp-flags SYN,RST SYN,RST -j drop
iptables -A tcpfilter -p tcp –tcp-flags SYN,FIN SYN,FIN -j drop

# Redirect all tcp traffic to tcpfilter
iptables -A INPUT -p tcp -j tcpfilter

This type of chain can be replicated for each protocol, or for different traffic Each traffic type can then make its way through the firewall, in the most efficient way possible.