Wednesday, September 28, 2016 18:44

Assembly Hangman Game (Linux / nasm)

March 15th, 2011

A bit tedious ~ 400 lines of code

Download here

C++ Elgamal / IDEA Encrypted Port Forwarding

May 19th, 2010

This is basically a multithreaded SSH clone written in C++, which I call “eglink”. It uses port forwarding over an established and encrypted channel to receive, encrypt then send data and visaversa on the opposite end. This is probably the most useful and efficient program I have ever made, as it has some extremely nice encryption schemes that make data transfer very fast (in fact, the same speed as normal, slowed only by the encryption process), and it has a HUGE number of potential uses.

Such things as blocked ports or protocols are a thing of the past as we can now port forward data over an arbitary port, and all data that is henceforth transfered is heavily encrypted. Furthermore, nc can now be a highly secure remote terminal session simply by piping it through eglink (this is true for ANY network program, they can all be highly secure by piping it through eglink).

Technical details of how it works are this:

Both listening and connecting eglinks wait for an incoming connection. The listening eglink runs on a server expecting incoming connections, and the connecting eglink waits for outgoing connections. The listening waits for an incoming encrypted connection, and the connecting is waiting for a nonencrypted connection.

Once the connecting eglink receives a connection from program A, it initialises a thread that connects and establishes a connection to the listening eglink, on the other end of the wire. The establishing of the connection works like so:

First it shakes hands and asks the listening eglink for it’s Elgamal public key. The public key itself has been generated using an initial prime in teh range of 10^350 to 10^400, which is considered secure in modern cryptography.

Once the public key is received, a random and temporary IDEA key is generated randomly through the use of /dev/random and sent encrypted using the public key.

Server side, the IDEA key is decrypted using the private key and then stored for the remainder of the session. From this point forward, all data to be sent encrypted is padded to be %8 == 0, then sent using IDEA encryption (which returns equally sized ciphertext from plaintext).

The connection has been established, so now the listening eglink creates a nonsecured connection to a listening host:port of choice running program B. Data is then transparently transfered between programs A and B and is fully encrypted when travelling between the eglinks. If eglinks are running locally on both computers, the data is encrypted for the entirety of its transfer.

‘eglink’ supports multiple connections and is stable in the case of sudden and unexpected disconnections or timeouts, in which case it cleanly closes the sockets and exits the forwarding thread.

Sample output for a listening eglink, to a `nc -l -e bash -p 4444`:

# ./eglink -h 127.0.0.1 -p 4444 -l 3333 -L

Listening for encrypted exchange connections on 3333
Encrypted exchange connection from 127.0.0.1:29635
Making plaintext connection to 127.0.0.1:4444…
…Done.
Shaking hands…
…Done.
Sending Public Key…
…Done.
Receiving IDEA Key…
…Done.
Connection Accepted, creating a 2 way forwarding thread
Port Forwarding Initialised: 127.0.0.1:29635  <—>  127.0.0.1:4444
Listening for encrypted exchange connections on 3333

Once the connection is terminated, the following output is seen:

Port Forwarding Terminated: 127.0.0.1:29635  <-/->  127.0.0.1:4444

From the connecting eglink, for which we were using `nc 127.0.0.1 1234`:

./eglink -h 127.0.0.1 -p 3333 -l 1234

Listening for unsecured connections on 1234
Plaintext connection from 127.0.0.1:54492
Making encrypted exchange connection to 127.0.0.1:3333…
…Done.
Shaking hands…
…Done.
Receiving Public Key…
…Done.
Sending IDEA Key…
…Done.
Connection Accepted, creating a 2 way forwarding thread
Port Forwarding Initialised: 127.0.0.1:3333  <—>  127.0.0.1:54492

*….. data is transfered for some time, no output shown….* Again once if the socket is closed or on either end malfunctions, the following is recevied:

Port Forwarding Terminated: 127.0.0.1:3333  <-/->  127.0.0.1:54492

Each step is checked and any inconsistencies result in forwarding termination. Each eglink may be used and reused, by single or multiple connections at once, making it an extremely versatile program.

The download will be up shortly.

Perl Arpspoofing / Packet Forwarding

May 19th, 2010

Arpspoofing is one of the most common and simplest ways to perform a mitm (man-in-the-middle) attack. Not only is it trivial to do, but it is extremely effective, and it is often very easy to avoid detection.

To show this I have made a complete set of mitm tools that allow, first, for the interception of packets from a victim computer on the network by means of “tricking” that computer into thinking I am the router. I then have another program that is able to filter the packets and send them on transparently to the real router, hence not breaking the datastream. So long as I do not specifically arpspoof the router, it becomes a little (but not much) harder for an IDS to actually detect I am now the mitm.

While in theory (and on wired networks) this is all well and good, on open and public networks there is often additional security in the form of both advanced IDS and source MAC filtering. This means that when a computer connects to a network, whatever MAC that is used in the dhcp transaction is saved, and from now on any packets received from this computer’s IP whos MAC varies from the saved MAC are dropped. This makes it a LOT more difficult to stay in the middle of a connection transparently (both 1 way and 2 way). But, there are another 2 options.

The most efficient option is to, when filtering and forwarding packets, change the incoming packet’s src IP to my own. This makes the packet valid as it is now coming from my MAC and IP which do not violate the saved MAC of the victim (as there is no mention of the victim at all). I then forward all packets addressed to my IP back to the victim’s computer. This has the obvious drawback of not being able to actually USE my connection as it would be a little difficult to differentiate between packets addressed to me and packets for the victim. It has another drawback, that any incoming syn packets to the victim will be messed up completely (and will never see a reply). Luckily, incoming opening packets are rare on public networks most of the time. The final drawback is that a connection can only be used for a single mitm attack. It is 1 or nothing, so that’s life.

The other option is to spoof the victims MAC, but this has the drawback of needing a connection to exactly the same AP as  the victim… It works if they are sitting within 10-20 meters of you, but apart from that, is not very useful.

Both options are implemented in my packet forwarding program. Both methods become obslete with wired networks, of course, where normal packetforwarding works off the bat.

There is also a small script included to do an arp scan on a range of IPs (exaclty like nmap formatting) using “arping”, then dns whoever is up using “host”. You need the program “arping” but if you don’t have it, get it. Arping rules.

Download will come later, after at least a little polish.

C++ Cellular Automaton

May 8th, 2010

This is another fairly simple opengl program for the rules given by Conway’s Game of Life. There are all kinds of cool patterns you can make, like in the picture above is 2 glider guns where the glider streams are colliding continuously forever (check out the wiki link for more info and the rules). In the program itself I have implemented a save and load system and a lot of cool patterns I made already I saved in a “saves” folder in the download.

I tried to make it as simple as possible without having to use anything other than glut menus and keyboard input, and I think I did fairly well. The program itself is very functional (apart from some minor bugs) but highly unoptimized. If I had time there are some very simple and obvious improvements that could be made. As it is, it checks every square regardless of what is next to it. Also, the grid could easily be dynamically sized to the maximum width of the cells, as the grid itself is just a vector of a vector. It is not too noticeable (about 1 second per 1000 generations).

It does do a few things other cellular automaton programs don’t do, like save a history (so you can backtrack through the generations).

If I ever get really bored I might fix slowness, but for now:

Download it here.

Python Regex

May 7th, 2010

I mainly made this as a bet a couple of months ago, but it turned out to be really fun to make and a lot harder than I expected.

Basically it is just a program that functions a lot like sed, but missing a lot of features. I believe it performs regex perfectly (as I have tested it a fair bit) but regex has quite a few quirks so it is likely there is a small bug here or there. It is 429 lines so not a small program at all, but I have rewritten the algorithm like 5 times now so I don’t think I can make it any more compact. Also, error messages are not nice if you mess up your regex ;)

Examples:

$ echo “hi robin, this is your computer” | ./regex “s/r(\w*?,)/R\$1/” | ./regex “s/i/I/g” | ./regex “s/y(.*?\s)(c)/\$1\$2/”

hI RobIn, thIs Is our computer

$ echo “aaaabcaaabc” | ./regex “m/[abc]+bc/”

aaaabcaaabc

$ echo “aaaabcaaabc” | ./regex “m/[^z]+?bc/”

aaaabc

Download it here.

Perl Cookie Stealing

May 7th, 2010

There are a serious lack of good “wireless / mitm” cookie stealers on the internet. I guess that is a good thing, but still, I thought it was about time a good one was released. Needless to say, mine is not it. It does however have potential and already works better than other well known cookie stealers like Hamster.

Speaking of which, if anyone has ever used / read about hamster, you can probably relate to this when I call them all really lame. They think they are so smart inventing a new security breaking technique called which they call “side-jacking”, but all they are doing is simple cookie stealing. AND they are not even doing it very well because for some reason they don’t set-cookie the root of the host, so often, despite you having enough cookies to access a page, hamster does not set them to the right path and you will get access denied, etc, from the page (unless it is that one is a blue moon time when someone actually goes to the root / after they have logged in, very rare).

Ok so anyway, mine is made in perl and is not very neat but surprisingly functional (I was surprised at least). It very easily is able to steal the sessions for facebook and hotmail (gmail used to work but they wisely went the way of https), and other random websites which send plaintext session cookies.

Read the README for info on how it is run (very easy to run), and its inner workings without having to go through the code. In a nutshell though, there are 3 parts: a packet sniffer, an http proxy, and an interface in the form of a website. The packet sniffer finds any plaintext cookies from nearby packets, and then saves them. When the cookie is set using the website interface, the proxy transparently adds a “set-cookie” header for the correct website using path /. The browser now has someone’s session cookies, or in simple terms, you are “logged in” as them. :D

Download it here.  (Note: you will need tshark / wireshark to run)

C++ Geoip Map

May 7th, 2010

This is a fairly simple program I made in opengl, which uses longitude and latitude data you collect and then plots the designated line. The line can be a curved, bright red to blue line, or a flat black line printed on the map.

The data can be from anywhere, so long as it involves longitudes and latitudes. In my case, I have used a geoIP database to look up active connections (the connections can be seen as the large curving lines). I then used tracert on the active connections and linked each tracert result together, to form the link of how the connection gets from 1 IP to the other, which is displayed on the map.

Basically it can visualize where in the world all your internet connections are going, and how they get there. Of course, you need to supply your own data…

Also, there is a huge number of options are at the top of GIPvis.h for compile time. And I should probably note that “C++” in the title is used very hesitantly as opengl makes it very difficult to code using OO, so there are no classes.

Download it here.