All posts by fabe419

DOCSIS Engineer's System Toolkit

DOCSIS Engineer's System Toolkit (DEST or DET) was written with the testing of DOCSIS CPE devices in mind. The objective is to make testing easier by giving DOCSIS engineers easy access to the tools they need in their day-to-day testing. I spend time testing cable modem gateways, so I wrote this to speed up repeatable test cases.

Download Link
MD5: 81f191604e973eb4540c0bf63634c496
SHA1: a7f43f9b76d3e2cc2703160db85ab04d33c74415


Most of the demo is on YouTube, so feel free to watch it and make use of the different features.


WordList Maker for Windows

Publish Date: January 2014
Download Link
MD5: c7f1cb85f11ac43cd59a72b05ded623d
SHA1: 6cb7390bbbdf22391d3d6a9b6d9d5531f5b8d5e4


Word List Maker (WLM) is a simple tool to generate wordlists used by security and penetration testers.

Wordlist Options:

--sgen    Generate simple wordlists based on upper- and lower-case characters only
--mxgen   Generate mixed wordlists based on mixed upper/lower-case characters and numbers
--cxgen   Generate complex wordlists based on upper/lower-case characters, numbers and symbols
--permute Generate all possible permutations of a given word/string

Hashing Options:

--getmd5 Computes the MD5 hash value of each word from existing wordlists
--getsha1 Computes the SHA1 hash value of each word from existing wordlists
--getsha256 Computes the SHA256 hash value of each word from existing wordlists
--getsha384 Computes the SHA384 hash value of each word from existing wordlists
--getsha512 Computes the SHA512 hash value of each word from existing wordlists
--getripemd160 Computes the RIPEMD-160 hash value of each word from existing wordlists
--getallhash Computes the hash value of each word from existing wordlists using all of the above hashing algorithms

Encoding/Decoding Options:

--encbase64 Encode each word from existing wordlists to Base64
--decbase64 Decode each word from existing wordlists from Base64
--2hex Convert each word from existing wordlists to its hex value

Harvest Options:

--append Extract words from any text-readable file and append them to an existing wordlist, avoiding duplicates
--web Extract words from the web page source of a given URL.

--h Display this help section

Syntax/Usage:

wlm --sgen [number_characters] [number_of_words_to_generate]

Example 1 : wlm --sgen 8 10
Example 2 : wlm --sgen 8 50 > wordlist.txt

Example 2 generates 50 words of 8 characters and redirects the output to a text file.

wlm --cxgen [number_characters] [number_of_words_to_generate]
wlm --mxgen [number_characters] [number_of_words_to_generate]
wlm --permute [string]
wlm --getmd5 [existing_wordlist_textfile]
wlm --append [any_text_file] [existing_wordlist_file_to_append]
wlm --web [web_url] [existing_wordlist_file_to_append]

PingHTTP

While testing modems, I needed to know when the internet connection drops; pinging an IP address is not enough for my tests, so I created this tool. It is a simple tool that lets you monitor web servers as well as grab their banners. The response includes the type of web server, such as Apache or IIS, and on some misconfigured servers it also reveals the version number.

pingHTTP is a simple HTTP ping utility for Windows OS.

Unlike ping, pingHTTP does not use ICMP but rather an HTTP request to monitor web servers.

Its output includes a timestamp and provides the HTTP response code, the type of responding web server and the HTTP protocol version. This simple tool can also target specific web pages or web directories.

C:\>pingHTTP.exe http://www.pentestplus.co.uk

**********************************
pingHTTP v.1
Coded by : F Abe

http://www.pentestplus.co.uk

**********************************

02/01/2013 13:50:04 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:05 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:06 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:07 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:09 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:10 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:11 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:12 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:14 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:15 Status: 200 OK Server: Apache HTTP v:1.1

Enjoy!
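A small Python re-creation of what pingHTTP does, added here as an example (it is not the tool's own code): it parses a raw HTTP response into the same one-line format shown above and flags a Server banner that carries a version number, which is the misconfiguration the post mentions. The dd/mm/yyyy timestamp, the HEAD request and the sample response are my assumptions.

```python
import re
import socket
from datetime import datetime
from urllib.parse import urlsplit

STATUS_RE = re.compile(rb"^HTTP/(?P<ver>\d\.\d) (?P<code>\d{3}) ?(?P<reason>[^\r\n]*)")
# Constructed sample response (not captured from any real server), used by demo_line().
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw: bytes) -> dict:
    """Pull the HTTP version, status line and Server banner out of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    m = STATUS_RE.match(head)
    if not m:
        raise ValueError("not an HTTP response")
    server = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            server = value.strip().decode("latin-1")
    return {
        "http_version": m["ver"].decode(),
        "status": int(m["code"]),
        "reason": m["reason"].decode("latin-1"),
        "server": server,
        # "Product/1.2.3" in the banner is the misconfigured case mentioned above; a hardened
        # server sends only the product name, or no Server header at all.
        "leaks_version": re.search(r"/\d", server) is not None,
    }

def format_line(info: dict, when: datetime) -> str:
    """Same one-line format pingHTTP prints (dd/mm/yyyy assumed from the sample output above)."""
    return (f"{when:%d/%m/%Y %H:%M:%S} Status: {info['status']} {info['reason']} "
            f"Server: {info['server'] or '-'} HTTP v:{info['http_version']}")

def demo_line() -> str:
    return format_line(parse_response(SAMPLE_RESPONSE), datetime(2013, 1, 2, 13, 50, 4))

def http_ping(url: str, timeout: float = 5.0) -> dict:
    """One live probe: HEAD request over a plain socket (http:// URLs only), then parse_response."""
    parts = urlsplit(url)
    host, port, path = parts.hostname, parts.port or 80, parts.path or "/"
    request = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b"".join(iter(lambda: sock.recv(4096), b""))   # read until the server closes
    return parse_response(raw)
```

Calling http_ping in a loop with a one-second sleep reproduces the monitor; the parser alone runs offline against the constructed sample.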

IPSec High Level Overview

IP traffic is inherently insecure, so a way to protect the sensitive information it carries needs to be incorporated. This is where IPSec comes into the picture. In its simplest form, IPSec provides security services on top of a typical IP packet. These services may include replay protection, integrity, data origin authentication and confidentiality through the use of cryptography.

IPSec implementations operate in three different configurations:

1. Host to Host (HH)
2. Host to Gateway (HG)
3. Gateway to Gateway (GG)

There are two known modes of operation:

1. Transport mode
2. Tunnel mode

Transport mode is used for HH and HG communication, whereas tunnel mode is used for GG.

Common to both modes of operation are two protocols used to provide the protection or security services. These are:

1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)

AH provides integrity only, while ESP provides integrity and confidentiality. You can think of it this way: AH uses cryptographic hashing to provide integrity, while ESP uses hashing and encryption to provide integrity and confidentiality. A natural question is why anyone would select AH if ESP can do both. The options are there for different implementations: one may prefer AH alone when confidentiality is not a concern, removing a bit of overhead.

Typical IP packet includes

[ IP header] [Data]

In Transport mode, the AH/ESP protocols are inserted to provide integrity for the data and some portion of the header:

[IP header] [AH/ESP] [Data]

In Tunnel mode, the AH/ESP protocols are included to provide integrity and confidentiality for both the IP header and the data. Obviously, you cannot simply encrypt the IP header, because the gateways on both sides need this information to route the packets. Therefore, a new IP header is created:

[New IP header] [AH/ESP] [ Original IP header] [Data]

The new IP header carries the addresses of the communicating gateways but not of the hosts behind those gateways. If a sniffer is placed between the two gateways to capture the packets, only the gateway information is revealed, which protects the identities of the actual hosts that are talking. However, it is important to note that traffic between a host and its respective gateway is not protected.

If you would like to dig deeper into IPSec, the best place to look is RFC 4301, 4302 and 4303.

Internet Protocol

Another important part of the TCP/IP suite, and probably the most well-known protocol in the internetworking world today, is the Internet Protocol, or IP. Its job is to deliver packets from end to end based solely on the IP address. IP is connectionless and unreliable, and packets are delivered on a best-effort basis. This means packets sent by IP may be lost somewhere, may be duplicated at the receiving end, and may arrive out of order. There is no flow control, sequencing or error-checking mechanism; all the needed checks are provided by the upper layers.

Figure 3-2 shows the structure of an IP packet. Note that we're talking about IP version 4 here; I'll discuss IPv6, formerly known as Next-Generation IP, in later chapters.

As with TCP, understanding the IP structure gives us a better understanding of how it works.

IP Header Structure

  • Version (4 bits) — indicates the IP protocol version.
  • Internet Header Length (IHL, 4 bits) — indicates the header length in 32-bit words.
  • Type-of-Service (8 bits) — an indication of the desired quality of service.
  • Total Length (16 bits) — indicates the length in bytes of the datagram, including the header and data.
  • Identification (16 bits) — contains a value assigned by the sender to aid in reassembling datagram fragments.
  • Flags (3 bits) — a 3-bit field of control flags.
  • Fragment Offset — measured in units of 8 octets (64 bits); the first fragment has offset zero.
  • Time-to-Live (8 bits) — a counter that is decremented as the datagram travels; when it reaches zero the datagram is discarded.
  • Protocol (8 bits) — indicates the higher-level protocol carried in the data portion of the datagram.
  • Header Checksum (16 bits) — protects the integrity of the IP header.
  • Source Address (32 bits) — the source address.
  • Destination Address (32 bits) — the destination address.
  • Options + Padding (variable) — various options such as security; the datagram is padded if options are used.
  • Data — the data in the datagram being passed to the higher-level protocol.

The complete specification of IP is described in RFC 791. You can view it on the IETF website at http://www.ietf.org/rfc/rfc791.txt
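An added Python example (my own, not from this page or the RFC) that packs and parses the header fields listed above, including the RFC 791 header checksum, and then wraps a host-to-host packet in the tunnel-mode layout from the IPSec post above ([New IP header] [ESP] [Original IP header] [Data]) to show that a capture between the gateways sees only the gateway addresses. The ESP part is a constructed stand-in (SPI and sequence number only, nothing is encrypted) and every address is made up.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50  # value of the Protocol field for ESP (RFC 4303); AH would be 51

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int, ttl: int = 64, ident: int = 0) -> bytes:
    """20-byte IPv4 header with no options: Version=4, IHL=5, flags and fragment offset zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields listed above; recomputing the checksum over a valid header gives 0."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,  # offset in 8-octet units
        "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(pkt[:hdr_len]) == 0,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": pkt[20:hdr_len],
    }

def tunnel_encapsulate(inner_pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel-mode layout from the text: [New IP header][ESP][Original IP header][Data].
    The ESP piece is a constructed stand-in (SPI + sequence number only, nothing is encrypted)."""
    esp = struct.pack("!II", 0x1234, 1)      # constructed SPI and sequence number
    outer = build_ipv4_header(gw_src, gw_dst, len(esp) + len(inner_pkt), ESP_PROTO)
    return outer + esp + inner_pkt

def sniffer_view(pkt: bytes) -> tuple:
    """What a capture placed between the two gateways learns from the outer header alone."""
    outer = parse_ipv4_header(pkt)
    return outer["src"], outer["dst"], outer["protocol"]
```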

IP Addressing

For our network devices to communicate with each other in a TCP/IP network, each must be assigned an IP address. So what is an IP address? For this topic, I will be discussing IPv4. An IP address is a 32-bit value divided into four octets; an octet is an 8-bit value. 192.168.100.1 is an example of an IP address expressed in decimal format. You will notice that there are four numbers separated by “dots” or “.”. To read the address, you would say “192 dot 168 dot 100 dot 1”. This “dot” format is called “dotted decimal notation”. Let’s format it again:

192.168.100.1 – dotted decimal format
11000000.10101000.01100100.00000001 – dotted binary format

We have now represented our IP address in binary format, where you can see that there are again four octets separated by “dots”. Each octet consists of eight binary digits; counting all the digits gives you 32 bits in total. Not to worry if you don’t know how to convert decimal to binary; I will discuss this in the next chapter. For now, just remember that an IP address version 4, or IPv4 address, is a 32-bit value represented in dotted notation.

IP Address Classes

Some of the bits in the IP address represent the network and some bits represent the host. We could simply say that IP address = Network bits + Host bits. So how do we identify these?

In general, IP addresses are divided into five classes, namely A, B, C, D and E, but the most common are A, B and C. Class D is reserved for multicasting, while Class E is reserved for future experimental purposes.

[Figure: IP address classes]

Class A

In this class, 7 bits are assigned to the network and 24 bits are assigned to the hosts. The first bit is reserved. Using the following formula, we should be able to get the total number of hosts.

Possible Hosts = 2^x – 2

Where: x is the number of host bits

Therefore, for class A, we have 2^7 = 128 networks and 2^24 – 2 = 16,777,214 hosts. Class A is best used when an extremely large number of hosts is needed and only a limited number of networks.

By looking at the first octet, Class A has a network range of 0 to 127. In binary, that is:


0 = 00000000

127 = 01111111


However, 127 is not a real network number. I’ll discuss this later.

Class B

This class uses 14 bits for the network address and 16 bits for the host address. The first two bits are reserved.

Networks = 2^14 = 16,384

Hosts = 2^16 – 2 = 65,534

Obviously, this class is best used when more network addresses are required yet the number of hosts required is still in the mid range. Class B has a network range of 128 to 191 in the first octet.

Class C

The first 3 bits are reserved. There are a total of 2^21 = 2,097,152 networks and 2^8 – 2 = 254 hosts. This class is best used when an extremely large number of networks is required.

Class C is in the range of 192 to 223.

There are some IP addresses which are not usable or reserved. Most of these have all bits set to 0 or 1. These addresses have been allocated with different meaning/purpose.


All 0’s in network address – meaning “this network”.

All 1’s in network address – meaning “all network”

All 0’s in host address – meaning “any host in the network”

All 1’s in host address – meaning “all hosts” in the network

All 0’s in entire IP address – meaning any network

All 1’s in entire IP address – meaning broadcast

127.0.0.1 – reserved for loopback testing.


Private IP Address

When IP addressing was initially released, its team of creators somehow forgot to consider the number of IP addresses that would need to be distributed worldwide. They seem to have believed that there were enough IP addresses for every network device in the world. There are more than 2 billion host addresses in the Class A space, but in the end they found out that it is not nearly enough for everybody. Every single company in the world may have tens, hundreds or even thousands of network devices, including computers, not to mention the schools, universities and households that have computers as well. There would be no IP addresses left for these computers if they needed to connect to the internet.

The good news is, they found a magical solution – the creation of private IP addresses.

These IP creators or designers realized that not all computers in the world need to be routed or connected to the internet. In a single company, the computers are networked together, but some are only used internally and need not have connectivity to the outside world. Because of this, private IP addresses were introduced. Private IPs are not routable and cannot be seen on the internet; they are for internal use only. And because they are not routable, every company can allocate them for its own internal use. These private IP addresses can then be translated to a single public IP if internetwork connectivity is needed (I’ll explain further when we talk about NAT). This saves a lot of public IP addresses.


Private IP’s are as follows:


  • For Class A: 10.0.0.0 network
  • For Class B: 172.16.0.0 to 172.31.0.0 networks
  • For Class C: 192.168.0.0 to 192.168.255.0 networks


Any of these private address ranges can be used by any organization. Because they are not routable, they save the organization from spending on costly globally unique IP addresses and help ease the worldwide scarcity of IP addresses.
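To tie the class table, the reserved-address rules and the private ranges above together, here is an added Python example (mine, not from the page) that classifies an address by its first octet, splits it into network and host bits with the 2^x – 2 host formula, and reports which of the special cases apply. The private ranges are the three listed above written as prefixes; the function names are my own.

```python
from ipaddress import IPv4Address, IPv4Network

# First-octet range, network bits and host bits for the three common classes, as tabled above.
CLASSES = {"A": (range(0, 128), 7, 24), "B": (range(128, 192), 14, 16), "C": (range(192, 224), 21, 8)}
# The private ranges listed above, written as prefixes.
PRIVATE = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"), IPv4Network("192.168.0.0/16")]

def ip_class(addr: str) -> str:
    """Classify by first octet: A/B/C per the table, D (224-239) multicast, E (240-255) experimental."""
    first = int(IPv4Address(addr)) >> 24
    for cls, (octets, _, _) in CLASSES.items():
        if first in octets:
            return cls
    return "D" if first < 240 else "E"

def classful_info(addr: str) -> dict:
    """Split a class A/B/C address into network and host parts and apply the reserved-address rules above."""
    cls = ip_class(addr)
    if cls not in CLASSES:
        raise ValueError(f"{addr} is class {cls}: no network/host split")
    _, net_bits, host_bits = CLASSES[cls]
    value = int(IPv4Address(addr))
    host_part = value & ((1 << host_bits) - 1)
    net_part = value >> host_bits
    return {
        "class": cls,
        "networks": 2 ** net_bits,                  # 2^7, 2^14 or 2^21
        "usable_hosts": 2 ** host_bits - 2,         # Possible Hosts = 2^x - 2
        "network": str(IPv4Address(net_part << host_bits)),
        "this_network": net_part == 0,              # all 0's in the network part
        "network_address": host_part == 0,          # all 0's in the host part
        "directed_broadcast": host_part == (1 << host_bits) - 1,  # all 1's in the host part
        "any_network": value == 0,                  # all 0's in the entire address
        "loopback": (value >> 24) == 127,           # 127.x.x.x, not a real network
        "private": any(IPv4Address(addr) in net for net in PRIVATE),
    }
```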