Getting IP addresses from contacts on Skype as told by Noize.

Posted on by
3

Skype is an extremely popular, proprietary, cross-platform, peer-to-peer Voice-over-IP software client written by Skype Communications SARL, which is now owned by Microsoft Corporation. Due to its peer-to-peer always-on nature it is possible for a researcher to determine characteristics about a target computer, without the user’s knowledge. This can be leveraged to obtain information like the IP address of a target computer.

This is an Educational Guide only; use knowledge at your own risk! and always “the quieter you become, the more you are able to hear”.

Prerequisites

  • Your IP address

Skype Setup

  1. Head into Tools -> Options -> Advanced -> Connection
  2. Uncheck the checkbox labeled: “Use port 80 and 443 as alternative for incoming connections.”
  3. Use port 1210 for incoming connections.  Located right about the checkbox from step 2
    The reason for using this port is because it’s a unassigned tcp/udp port so we will not be DoSing a port, or cause other issues.

Wireshark Setup

  1. Open wireshark and start watching your incoming and outgoing traffic.
    Sniff the interface you will be using Skype on
  2. Create a filter like this 
    ip.src == $your_ip_address and udp.srcport == 1210

Capture IP

  1. Start a call to a person, online or offline
  2. Watch wireshark and it will start to give you outgoing and incoming connections
  3. Once you have an outgoing IP that is consistent to the incoming IP, you have found it.

Happy Hacking!

Many thanks to Noize for writing this up and allowing us to share it.

May meeting recap

Posted on by
Reply

The May meeting was another great one. Both Ngharo and my self were late because of traffic and junk so darkwind got things started with his popular demo of sniffing pager messages from the air. I Showed up at the tail end and when he was done I started the introductions. It was good to see all the new faces. After everyone talked for about 15 minutes I gave a live demo on using actionscript “flash” to inject a XSS exploit into a other wise secure website. Then Noize took over and gave a interesting live demo of getting IP addresses from contacts on Skype. Then dw5304 showed some of the features in the untangled firewall software. Congrats to ALee for winning the dc414 free junk giveaway!! Here are some pictures I took of the meeting.

ALee and his winnings!

Cisco DDR2200 ADSL2 Residential Gateway Router Vulnerabilities

Posted on by
Reply

I have discovered two Vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router. The first vulnerability is that this device responds to UPNP multicast packets and UPNP SOAP requests out side of its local area network. Allowing attackers to forward ports and redirect traffic with out being authenticated, all of which can be exploited using dc414’s Upnp Exploiter.

The second vulnerability is remote command execution in the web based ping function. You can inject a pipe “|” followed by your command and it will get run on the shell and return the results as shown below.

Ping PoC: http://192.168.1.254/waitPingqry.cgi?showPingResult=1&pingAddr=127.0.0.1|ls

Screenshot from 2013-04-15 18:55:59

Upnp Exploiter

Posted on by
15

dc414 and I are proud to introduce Upnp Exploiter! A Upnp scanner and exploit tool. This tool comes with two main scanning functions and exploit functions.

The first scanning functions is the target scan. Here you can pick a single IP or IP range to find anything that reports back to a UPNP multicast packet sent to the normal UPNP broadcast address “239.255.255.250 on port 1900” If target responds it takes a closer look and sees if it can get the targets UPNP profile letting us know what type of device it is, what UPNP functions it supports, its IP, and other information. When used remotely, this all takes advantage of the fact that the target device violates the UPNP specs and responds to UPNP requests outside of the deices local area network.

The second scanning function only works in a local area network and just sends out a UPNP broadcast. This function is just using the UPNP protocol as intended.

Once a list of UPNP supported devices are found the script mines some information from it like device type, UPNP functions, IP. If its a gateway device it prompts you and asks if you want to attempt to exploit it.

The first option is to forward ports. If doing this LAN side its best to do some network recon with NMAP or something, find some fun services running on a internal server and forward them to the web for later hacking. While gathering information on the device it gets a list of other ports forwarded via UPNP and the devices internal IP. This is supper helpful when doing things on the remote side. One of my personal favs is routing the modems internal port 80 to 81 on WAN. This should give you access to the routers internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of rfc’s, protocols, and other stuff lol.

The second exploit option tries to turn a gateway device into a proxy. Now this works using IP addresses and one host per port. So if you want to connect to Victim A on port 8 you use the script to forward all data coming in on any port you choose “for now we will say 88” to VA on port 80. So you connect to port 88 on the Victim B “the gateway device” and all the traffic is forwarded to VA on port 80. This also breaks UPNP rules, but who cares.

The last little thing this script does is parse the replies for the unique_service_name() vulnerability and reports to you if it finds anything with some helpful information to aid in exploiting it.

You can get the script from the git page HERE. If you like it please consider donating to dc414 or me (Anarchy Angel – anarchy@new.dc414.org) for taking the time to make such an awesome script 🙂 If anyone would like to help with development please contact Anarchy Angel (me).

Many thanks to Ngharo for help with the regex and list stuff.

April meeting recap

Posted on by
Reply

Aprils meeting was awesome! Ngharo started us off with room introductions, which was helpful considering all the new faces at this meeting. Next I gave a quick demo of my new tool Upnp Exploiter. Which lead to me disclosing two 0day vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router “expect more on all this later”! Then dw5304 gave his SNMP demo again and showed all the n00bs how to pwn Cisco routers using SNMP to upload a your own config to them. Then we all started messing around with trying to draw words on an oscilloscope with my arduino. Because of a late start that is all we had time for. Congrats to BigStarHero for winning a Emerson switch board in the free junk giveaway! Here is some pictures from the meeting.

Free junk giveaway big winner!

windows 8/server 2012 unsigned driver hell no more.

Posted on by
4

So I have this nice new computer that I built with a asus p9x79 motherboard. I wanted it to become a 2012 server for some stuff. After loading the OS I found out that the nic is “incompatible” seeing intel thinks that its a desktop board and should not be used in a server. I went looking though the inf file and found out that it was ignoring the hardware id’s.

[ControlFlags]
ExcludeFromSelect = \
PCI\VEN_8086&DEV_1502,\
PCI\VEN_8086&DEV_1503

Well this sucks…. lets fix it.

I then removed the exludefromselect and the two lines fallowing it.

went to install the modified driver and ended up with image

well at least I know its ok :). Now lets fix the catalog’s hash.

A hunt on google told me I needed inf2cat so lets download it here.

inf2cat /driver:”C:\Driver” /os:8_X64

My new catalog was created :).
went and tried installing my new driver once again and Damm :(… digital signature is missing wtf???? how the hell am I going to fix that I thought.

A little more searching found out we can make a self signed cert and attach it to a driver “he he”…. nice try Microsoft…..

So lets get this sucker signed. download here

makecert -r -n "CN=Intelnic" -pe -ss MyCertStore -sr LocalMachine

Now I needed to export this cert with its private key so we can import it into “Trusted Root CAs” and “Trusted Publishers” on my local machine I was creating the driver and also on the target machine I wanted to install my driver at :).

Now that we have it imported lets sign this sucker.
signtool sign /s MyCertStore /n "Intelnic" /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Driver\e1c63x64.cat"

Went back to my server installed the cert int trusted root cas and trusted publishers hey look my nic now works :).

it works

Thanks Microsoft for making a “secure” os that has to have drivers that are signed … but wait…. I just made it my self o well there went that idea….

March meeting madness!

Posted on by
Reply

The March meeting was no let down, we had lots of people and as always great demos. Ngharo got it started with a make your own pringles can cantenna. 9 luck attendees got to make and take home their own cantenna!  Then he kept it going with a quick demo of radio Mobile and how to use it to make a long range wireless mesh network. Then the professor gave a demo on metasploit using a java exploit to root a windows box. dw5304 took over and gave a little demo of a hacked xbox360 and using a laptop to control everything the console does. Here are some pictures from the meeting. Congrats to uberushaximus for winning 100 free hours to AOL high speed!!

bucketworks PA project

Posted on by
Reply

Earlier last week I ended up making a new pa system for Bucketworks. Now what most people will not realize is everything at Bucketworks is hacked to gather and this is no different. I was asked to make a low power radio system for notifying people within Bucketworks for people at the door and other uses, seeing we would need to file for an fcc licence i decided to go another route and the Bucketworks pa project was born.

during our wondering around at Bucketworks we (paul,eli,and I) have come across manly things one of them things was an old pa speaker and I got to thinking does it still work? I ended up wiring one up to an amp, we found in the basement along with a old audio mixer seen below after finding out we had a bad 1/4″ cable.

and low and behold it worked.
https://www.youtube.com/embed/Lehy4tTpVCg

The next step was to figure out where all the rest of the speakers were located and where to run the wires back to the server room where we were going to store the audio equipment. we ended up finding a total of 5 speakers wired them in and played some Pandora over the new pa system. I had to modify a cable to go from the “server” to the audio board.

I then set to making the Bucketworks pa bot. This bot is a windows client that logs in into an irc channel and organically just sent text to a text to speech function over the sound board. I expanded it to authenticate, noaa weather warnings, play music, tell the time and a few other functions.

After showing it to a few guys we ended up hearing this and we all started laughing.

and the Bucketworks pa project was complete.
If there is any interest i will upload the code if it is wanted.

Some awesome useful irssi scripts.

Posted on by
Reply

If you dont already know to use scripts you have to put any scripts in:

/home/< your_user >/.irssi/scripts/

And to load it into irssi use:

/script load < script_name.pl >

adv_windowlist.pl – If you have lots of windows open in irssi like me this script will make your life much easier. It adds a permanent advanced window list in a statusbar by default. You can configure it to put it on a sidebar if you like.

trackbar.pl – This little script will do just one thing: it will draw a line each time you switch away from a window. This way, you always know just up to where you’ve been reading that window 🙂 It also removes the previous drawn line, so you don’t see double lines.

nickcolor.pl – In channels with lots of activity, all nicks having the same old white color can get a little crazy, this script gives each user is own color and put a little organization to the chaos.

spell.pl – Spell check for irssi. This script takes a little setup. first you have to install Lingua::Ispell and Ispell using the following commands:

$ sudo apt-get install ispell liblingua-ispell-perl

It should pull in a number of other packages including a dictionary. I actually received an error as well, but it seems safe to ignore:

error in control file: `Index' value missing for format `info' at /usr/sbin/install-docs line 709, line 16.

Now load the script into irssi and bind Alt-s as a short cut to check the line you wish to send.
to bind Alt-s type the following into irssi:

/bind meta-s /_spellcheck

Also set the max guesses:

/set spell_max_guesses 3

Now your ready to use this script. After you type a message before you hit enter hit Alt-s and this script if you have any misspelled words and give you up to three guesses for correction.