All posts by fabe419

Docsis Engineer System Toolkit

DOCSIS Engineer's System Toolkit (DEST or DET) was written with the testing of DOCSIS CPE devices in mind. The objective is to make testing easier by giving DOCSIS engineers quick access to the tools they need in their day-to-day work. I spend time testing cable modem gateways, so I wrote this to speed up repeatable test cases.

Download Link
MD5: 81f191604e973eb4540c0bf63634c496
SHA1: a7f43f9b76d3e2cc2703160db85ab04d33c74415


Most of the demo is on YouTube, so feel free to watch it and make use of the different features.

Wordlist Maker for Windows

Publish Date: January 2014
Download Link
MD5: c7f1cb85f11ac43cd59a72b05ded623d
SHA1: 6cb7390bbbdf22391d3d6a9b6d9d5531f5b8d5e4


Word List Maker (WLM) is a simple tool for generating wordlists used by security and penetration testers.

Wordlist Options:

–sgen Generate simple wordlists based on upper- and lower-case characters only
–mxgen Generate mixed wordlists based on mixed upper/lower-case characters and numbers
–cxgen Generate complex wordlists based on upper/lower-case characters, numbers and symbols
–permute Generate all possible permutations of a given word/string

Hashing Options:

–getmd5 Computes the MD5 hash of each word in an existing wordlist
–getsha1 Computes the SHA1 hash of each word in an existing wordlist
–getsha256 Computes the SHA256 hash of each word in an existing wordlist
–getsha384 Computes the SHA384 hash of each word in an existing wordlist
–getsha512 Computes the SHA512 hash of each word in an existing wordlist
–getripemd160 Computes the RIPEMD-160 hash of each word in an existing wordlist
–getallhash Computes the hash of each word in an existing wordlist using each of the different hashing algorithms

Encoding/Decoding Options:

–encbase64 Encodes each word in an existing wordlist to Base64
–decbase64 Decodes each word in an existing wordlist from Base64
–2hex Converts each word in an existing wordlist to its hex value

Harvest Options:

–append Extracts words from any readable text file and appends them to an existing wordlist, avoiding duplicates
–web Extracts words from the page source of a given URL.

–h Displays this help section

Syntax/Usage:

wlm –sgen [number_characters] [numbers_of_words_to_generate]

Example 1 : wlm –sgen 8 10
Example 2 : wlm –sgen 8 50 > wordlist.txt

Example 2 generates 50 words of 8 characters and redirects the output to a text file.

wlm –cxgen [number_characters] [numbers_of_words_to_generate]
wlm –mxgen [number_characters] [numbers_of_words_to_generate]
wlm –permute [string]
wlm –getmd5 [existing_wordlist_textfile]
wlm –append [any_text_file] [existing_wordlist_file_to_append]
wlm –web [web_url] [existing_wordlist_file_to_append]

PingHTTP

While testing modems, I needed to know when the internet connection drops; pinging an IP address was not enough for my test, so I created this. It is a simple tool that lets you monitor web servers as well as grab web server banners. Included in the response is the type of web service, such as Apache or IIS, and on some misconfigured servers it will also reveal the version number.

pingHTTP is a simple HTTP ping utility for Windows. Unlike ping, it does not use ICMP but rather HTTP requests to monitor web servers. Each line of output includes a timestamp, the HTTP response code, the type of responding web server and the HTTP protocol version. The tool can also target specific web pages or directories.

C:\>pingHTTP.exe http://www.pentestplus.co.uk

**********************************
pingHTTP v.1
Coded by : F Abe

http://www.pentestplus.co.uk

**********************************

02/01/2013 13:50:04 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:05 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:06 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:07 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:09 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:10 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:11 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:12 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:14 Status: 200 OK Server: Apache HTTP v:1.1
02/01/2013 13:50:15 Status: 200 OK Server: Apache HTTP v:1.1
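As an added example (my own code, not part of the pingHTTP tool), here is how the status line and Server header can be pulled out of a raw HTTP response and turned into a log line like the ones above; the two sample responses are constructed, and the last function flags the version disclosure in the Server header that the post mentions:

```python
import re
from datetime import datetime

# Constructed sample responses (not captured from any real host).
RESPONSE_TERSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
RESPONSE_VERBOSE = (
    "HTTP/1.0 404 Not Found\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response into (version, status, reason, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3}) ?(.*)$", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), int(m.group(2)), m.group(3), headers

def ping_line(raw, stamp):
    """Format one output line the way pingHTTP prints it; stamp is the
    timestamp text, e.g. the value returned by now_stamp()."""
    version, status, reason, headers = parse_response(raw)
    server = headers.get("server", "unknown")
    return "%s Status: %d %s Server: %s HTTP v:%s" % (
        stamp, status, reason, server, version)

def now_stamp():
    return datetime.now().strftime("%d/%m/%Y %H:%M:%S")

def server_discloses_version(raw):
    """True when the Server header carries a version token such as
    'Apache/2.2.22'; a bare product name like 'Apache' does not."""
    headers = parse_response(raw)[3]
    return re.search(r"/\d", headers.get("server", "")) is not None
```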

Enjoy!

IPSec High Level Overview

IP traffic is inherently insecure, so a way to protect the sensitive information it carries needs to be incorporated. This is where IPSec comes into the picture. In its simplest form, IPSec provides security services on top of a typical IP packet. These services may include replay protection, integrity, data origin authentication and confidentiality through the use of cryptography.

Its implementations operate in three different configurations:

1. Host to Host (HH)
2. Host to Gateway (HG)
3. Gateway to Gateway (GG)

There are two known modes of operation:

1. Transport mode
2. Tunnel mode

Transport mode is used for HH and HG communication, whereas tunnel mode is used for GG.

Common to both modes of operation are two protocols used to provide the protection or security services. These are:

1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP)

AH provides integrity only, while ESP provides integrity and confidentiality. You can think of it this way: AH uses cryptographic hashing to provide integrity, while ESP uses hashing and encryption to provide both integrity and confidentiality. A question would be: why select AH if ESP can do both? Well, the options are there for different implementations. One may prefer AH alone when confidentiality is not a concern, removing a bit of overhead.

A typical IP packet looks like this:

[ IP header] [Data]

In transport mode, the AH/ESP header is inserted to provide integrity for the data and some portion of the header:

[IP header] [AH/ESP] [Data]

In tunnel mode, AH/ESP is applied to provide integrity and confidentiality for both the original IP header and the data. Obviously, you cannot encrypt the IP header that the gateways on both sides need in order to route the packets. Therefore, a new IP header is created:

[New IP header] [AH/ESP] [ Original IP header] [Data]

The new IP header carries the addresses of the communicating gateways, but not those of the hosts behind them. If a sniffer is placed between the two gateways to capture packets, only the gateway information is revealed, which protects the identities of the actual hosts that are talking. However, it is important to note that traffic between a host and its respective gateway is not protected.

If you would like to dive deeper into IPSec, the best places to look are RFC 4301, 4302 and 4303.

Internet Protocol

Another important part of the TCP/IP suite, and probably the most well-known protocol in the internetworking world today, is the Internet Protocol, or IP. Its job is to deliver packets from end to end based solely on the IP address. IP is connectionless and unreliable, and packets are delivered on a best-effort basis. This means packets sent by IP may be lost somewhere, may be duplicated at the receiving end, and may arrive out of order. There is no flow control, sequencing or error-checking mechanism; all the needed checks are provided by the upper layers.

Figure 3-2 shows the structure of an IP packet. Note that we're talking about IP version 4 here; I'll discuss IPv6, formerly known as Next-Generation IP, in later chapters.

As with TCP, understanding the IP header structure will give us a better understanding of how it works.

IP Header Structure

  • Version (4 bits) — indicates the IP protocol version
  • Internet Header Length (IHL, 4 bits) — indicates the header length in 32-bit words.
  • Type-of-Service (8 bits) — an indication of the quality of service requested
  • Total Length (16 bits) — indicates the length in bytes of the datagram, including header and data.
  • Identification (16 bits) — contains a value assigned by the sender to aid in reassembling datagram fragments.
  • Flags (3 bits) — a 3-bit field of control flags
  • Fragment Offset — measured in units of 8 octets (64 bits); the first fragment has offset zero.
  • Time-to-Live (8 bits) — a counter that is decremented as the datagram travels; when it reaches zero, the datagram is discarded.
  • Protocol (8 bits) — indicates the higher-level protocol carried in the data portion of the datagram
  • Header Checksum (16 bits) — a checksum that protects the integrity of the IP header.
  • Source Address (32 bits) — specifies the source address
  • Destination Address (32 bits) — specifies the destination address
  • Options + Padding (variable) — carries various options, such as security; the datagram is padded if options are used.
  • Data — the data in the datagram being passed to the higher-level protocol.

The complete specification of IP is described in RFC 791. You can view it on the IETF website at http://www.ietf.org/rfc/rfc791.txt
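An added example (my own code, not from the post or any project) that packs and decodes the header fields listed above with Python's struct module and verifies the RFC 791 header checksum; the addresses and lengths used are constructed sample values:

```python
import socket
import struct

def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    folded to 16 bits and complemented. Over a correct header (checksum
    field included) the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234,
                      flags=0b010, frag_off=0):
    """Build a 20-byte IPv4 header (IHL 5, no options) with a valid checksum.
    flags is the 3-bit field (reserved, DF, MF); frag_off is in 8-octet units."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    flags_frag = (flags << 13) | frag_off
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)                # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def parse_ipv4_header(data):
    """Decode the fixed fields, options and checksum state of an IPv4 header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    hlen = ihl * 4
    if hlen < 20 or len(data) < hlen:
        raise ValueError("bad IHL %d" % ihl)
    return {
        "version": version, "ihl": ihl, "tos": tos,
        "total_length": total_len, "identification": ident,
        "flags": {"reserved": bool(flags_frag & 0x8000),
                  "DF": bool(flags_frag & 0x4000),
                  "MF": bool(flags_frag & 0x2000)},
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # converted to bytes
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": data[20:hlen],
        "checksum_ok": ipv4_checksum(data[:hlen]) == 0,
    }
```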

IP Addressing

For our network devices to communicate with each other in a TCP/IP network, each must be assigned an IP address. So what is an IP address? For this topic I will be discussing IPv4. An IP address is a 32-bit value divided into four octets; an octet is an 8-bit value. 192.168.100.1 is an example of an IP address expressed in decimal format. You will notice that there are four numbers separated by "dots" or ".". To read the address, you would say "192 dot 168 dot 100 dot 1". This "dot" format is called "dotted decimal notation". Let's format it again:

192.168.100.1 – dotted decimal format
11000000.10101000.01100100.00000001 – dotted binary format

We have now represented our IP address in binary format, where you can again see four octets separated by dots. Each octet consists of eight binary digits, so counting all the digits gives 32 bits in total. Don't worry if you don't know how to convert decimal to binary; I will discuss this in the next chapter. For now, just remember that an IP version 4 (IPv4) address is a 32-bit value represented in dotted notation.

IP Address Classes

Some of the bits in an IP address represent the network and some represent the host. We could simply say that IP address = network bits + host bits. So how do we identify these?

In general, IP addresses are divided into five classes, namely A, B, C, D and E, but the most common are A, B and C. Class D is reserved for multicasting, while Class E is reserved for future experimental purposes.


Class A

In this class, 7 bits are assigned to the network and 24 bits to the hosts. The first bit is reserved. Using the following formula, we can get the total number of hosts:

Possible hosts = 2^x – 2

where x is the number of host bits.

Therefore, for class A we have 2^7 = 128 networks and 2^24 – 2 = 16,777,214 hosts. Class A is best used when an extremely large number of hosts is needed and only a limited number of networks.

By looking at the first octet, Class A has a network range of 0 to 127. In binary, that is:

0 = 00000000
127 = 01111111

However, 127 is not a real network number; I'll discuss this later.

Class B

This class uses 14 bits for the network address and 16 bits for the host address. The first two bits are reserved.

Networks = 2^14 = 16,384

Hosts = 2^16 – 2 = 65,534

Obviously, this class is best used when more network addresses are required but the number of hosts required is still in the mid range. Class B has a network range of 128 to 191 in the first octet.

Class C

The first 3 bits are reserved, giving a total of 2^21 = 2,097,152 networks and 2^8 – 2 = 254 hosts. This class is best used when an extremely large number of networks is required.

Class C is in the range 192 to 223.

There are some IP addresses that are not usable or are reserved. Most of these have all bits set to 0 or 1. These addresses have been allocated different meanings/purposes:

All 0's in the network address – meaning "this network"
All 1's in the network address – meaning "all networks"
All 0's in the host address – meaning "any host in the network"
All 1's in the host address – meaning "all hosts" in the network
All 0's in the entire IP address – meaning any network
All 1's in the entire IP address – meaning broadcast
127.0.0.1 – reserved for loopback testing.

Private IP Address

When IP addresses were initially released, the team that created them somehow forgot to consider the number of IP addresses that would need to be distributed worldwide. They seem to have believed that there were enough IP addresses for every network device in the world. There are more than 2 billion host addresses in the Class A range, but in the end they found out that this is not nearly enough for everybody. Every single company in the world may have tens, hundreds or even thousands of network devices, including computers, not to mention the schools, universities and households that have computers as well. There would be no IP addresses left for these computers if they needed to connect to the internet.

The good news is that they found a magical solution: the creation of private IP addresses.

The IP designers realized that not all computers in the world need to be routed to or connected to the internet. In a single company, the computers are networked together, but some are only used internally and need no connectivity to the outside world. Because of this, private IP addresses were introduced. Private IPs are not routable and cannot be seen on the internet; they are for internal use only. And because they are not routable, every company can allocate them for its own internal use. These private IP addresses can then be translated to a single public IP if internetwork connectivity is needed (I'll explain further when we talk about NAT). This saves a lot of public IP addresses.

Private IPs are as follows:

  • For Class A: 10.0.0.0 networks
  • For Class B: 172.16.0.0 to 172.31.0.0 networks
  • For Class C: 192.168.0.0 to 192.168.255.0 networks

Any of these private address ranges can be used by any organization. Because they are not routable, this saves the organization from spending on costly globally unique IP addresses and helps relieve the worldwide scarcity of IP addresses.
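An added example (my own code, not from the post) that puts the class rules, the 2^x – 2 host formula, the reserved all-0s/all-1s forms and the private ranges from the sections above into one classifier; the addresses tested are constructed:

```python
def octets(addr):
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % addr)
    return parts

def classify(addr):
    """Return (class, network_bits, host_bits) from the leading bits of
    the first octet, using the bit counts given above."""
    first = octets(addr)[0]
    if first & 0x80 == 0:        # 0xxxxxxx -> 0..127
        return "A", 7, 24
    if first & 0xC0 == 0x80:     # 10xxxxxx -> 128..191
        return "B", 14, 16
    if first & 0xE0 == 0xC0:     # 110xxxxx -> 192..223
        return "C", 21, 8
    if first & 0xF0 == 0xE0:     # 1110xxxx -> 224..239, multicast
        return "D", 0, 0
    return "E", 0, 0             # 1111xxxx -> 240..255, experimental

def possible_hosts(host_bits):
    """Possible hosts = 2^x - 2: the all-0s and all-1s host parts are reserved."""
    return 2 ** host_bits - 2

def networks(network_bits):
    return 2 ** network_bits

# Private ranges from the list above: first octet, lowest and highest second octet.
PRIVATE = {"A": (10, 0, 255), "B": (172, 16, 31), "C": (192, 168, 168)}

def is_private(addr):
    o = octets(addr)
    return any(o[0] == f and lo <= o[1] <= hi for f, lo, hi in PRIVATE.values())

def describe(addr):
    """Name the reserved forms listed above, else report class and host number."""
    o = octets(addr)
    value = int.from_bytes(bytes(o), "big")
    if value == 0:
        return "any network (all 0s)"
    if value == 0xFFFFFFFF:
        return "broadcast (all 1s)"
    if o[0] == 127:
        return "loopback"
    cls, net_bits, host_bits = classify(addr)
    if cls == "D":
        return "multicast"
    if cls == "E":
        return "experimental"
    host_mask = (1 << host_bits) - 1
    net = (value >> host_bits) & ((1 << net_bits) - 1)   # class prefix bits dropped
    host = value & host_mask
    if net == 0:
        return "this network (all network bits 0)"
    if host == 0:
        return "class %s network address (all host bits 0)" % cls
    if host == host_mask:
        return "class %s broadcast (all host bits 1)" % cls
    kind = "private" if is_private(addr) else "public"
    return "class %s %s host %d" % (cls, kind, host)
```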

Transmission Control Protocol

As mentioned before, TCP is one of the most important parts of the IP protocol suite. It provides reliable delivery of data, sequencing, flow control, acknowledgement and retransmission of packets. In its simplest operation, TCP requires the establishment of a connection first, sometimes called a handshake, before actual transmission. The handshake has three phases:

  1. Host A sends a SYN to Host B
  2. Host B replies with a SYN-ACK
  3. Host A finally sends an ACK.

Once the three-way handshake is successful, a connection has been established and the hosts can transfer data. After the data has been transferred, the established connection is closed. The process is repeated for the next transmission.

TCP Header

Figure 3-1 TCP Header Information

You will find tons of books out there written on TCP alone, because the topic is broad. However, even though our aim is to get started with our Cisco gear as soon as possible, it is important for you to understand the TCP concept. Figure 3-1 gives us the TCP header information; understanding its structure will give us a better understanding of its characteristics. The parts of the header are as follows:

  • Source Port (16 bits) – identifies the source port number
  • Destination Port (16 bits) – identifies the destination port number
  • Sequence Number (32 bits) – the sequence number of the first data byte. If the SYN flag is set, this is the initial sequence number and the first data byte is the initial sequence number plus 1.
  • Acknowledgement Number (32 bits) – if the ACK flag is set, this field contains the value of the next sequence number the receiver is expecting to get.
  • Data Offset (4 bits) – the length of the header in 32-bit words, which tells where the data begins.
  • Reserved (6 bits) – reserved for future use; must be zero.
  • URG (1 bit) – indicates that the Urgent Pointer field is significant.
  • ACK (1 bit) – indicates that the Acknowledgement field is significant.
  • PSH (1 bit) – push function
  • RST (1 bit) – resets the connection
  • SYN (1 bit) – synchronizes the sequence numbers
  • FIN (1 bit) – indicates no more data from the sender
  • Window (16 bits) – the number of bytes, starting at the one indicated in the acknowledgement field, that the receiver is willing to accept.
  • Checksum (16 bits) – used for checking for errors in the header
  • Urgent Pointer (16 bits) – only significant when the URG control bit is set; holds an offset from the sequence number pointing to the byte following the urgent data.
  • Options – variable-length options at the end of the header. Each option takes one of the following formats:
      • a single octet of option-kind
      • an octet of option-kind, an octet of option-length, and the option-data octets.
  • Padding – used to ensure that the header ends and the data begins on a 32-bit boundary

The complete specification of TCP is described in RFC 793. You can view it on the IETF website at http://www.ietf.org/rfc/rfc0793.txt?number=793
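An added example (my own code, not from the post or any project) that packs and decodes the header fields above, walks the option list in the two formats described, and checks that three segments form the SYN, SYN-ACK, ACK handshake from the earlier section; port and sequence numbers are constructed, and the checksum is left at zero because it requires the IP pseudo-header, which this example does not build:

```python
import struct

# Control bits, in the order listed above, packed into the low six bits of the flag octet.
FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04,
             "SYN": 0x02, "FIN": 0x01}

def build_tcp_header(sport, dport, seq, ack, flags, window=65535, options=b""):
    """Pack a header; options are padded to a 32-bit boundary and Data Offset
    is set to the header length in 32-bit words. Checksum stays 0 here."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    bits = sum(FLAG_BITS[f] for f in flags)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, bits, window, 0, 0)
    return fixed + options

def parse_options(raw):
    """Walk the option list: kind 0 ends it, kind 1 (NOP) is a single octet,
    every other kind carries a length octet followed by option-data."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp_header(data):
    """Decode the fixed fields, flags, options and payload of a TCP segment."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_byte,
     window, csum, urg) = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off_res >> 4) * 4
    if hlen < 20 or hlen > len(data):
        raise ValueError("bad data offset %d" % (off_res >> 4))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_res >> 4,
        "flags": {n: bool(flag_byte & b) for n, b in FLAG_BITS.items()},
        "window": window, "checksum": csum,
        "urgent_pointer": urg if flag_byte & FLAG_BITS["URG"] else None,
        "options": parse_options(data[20:hlen]),
        "payload": data[hlen:],
    }

def is_valid_handshake(segments):
    """True when three segments form SYN, SYN-ACK, ACK with matching numbers."""
    if len(segments) != 3:
        return False
    a, b, c = (parse_tcp_header(s) for s in segments)
    fa, fb, fc = a["flags"], b["flags"], c["flags"]
    step1 = fa["SYN"] and not fa["ACK"]
    step2 = fb["SYN"] and fb["ACK"] and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF
    step3 = (fc["ACK"] and not fc["SYN"] and c["seq"] == b["ack"]
             and c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF)
    return bool(step1 and step2 and step3)
```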

Introduction to Internet Protocol Suite

The Internet Protocol Suite is a set of communication protocols most commonly known as TCP/IP. It is the most widely used network protocol suite on the internet today. TCP and IP are the two most important members of the family, which is where the name comes from. A protocol, in its simplest form, is the set of rules for communication: it describes how network devices should communicate with each other by following well-defined rules.

Like the OSI model, the Internet Protocol Suite or TCP/IP suite is defined in layers. The four layers are:

Application Layer – This includes all the high-level application protocols and corresponds to the top three layers of the OSI model (Application, Presentation and Session). One example of an application protocol is FTP, for high-speed data/file transfer.

Transport Layer – Corresponds to the transport layer of the OSI model. It provides end-to-end delivery of data from one application to another. This layer can be connection-oriented, as in the case of TCP, or connectionless, as in the case of UDP. TCP, the Transmission Control Protocol, provides reliable delivery of data, sequencing, flow control, acknowledgement and retransmission of packets. On the other hand, UDP, the User Datagram Protocol, provides unreliable delivery of data: packets are not numbered in sequence and there is no data recovery. However, UDP is a lightweight protocol and is faster than TCP because it does not carry that overhead.

Internetwork Layer – This layer corresponds to the network layer of the OSI model. It provides virtual transmission of packets across the internetwork, including the handling of routes. All devices on the network communicate by assigning an IP address to each device. IP stands for Internet Protocol and is the main protocol used by this layer. Like UDP at the Transport Layer, IP is a connectionless protocol that doesn't provide error recovery or flow control; all these mechanisms must be provided by the higher-layer protocols.

Link Layer – This layer corresponds to the Data Link and Physical layers of the OSI model. Its main functions relate to the hardware addressing mechanism and how data is transmitted over the network medium.

TCP/IP Application, Services and Common Ports

FTP – File Transfer Protocol is used for high-speed transfer of files over the network. This is the most popular method of transferring files over the internet. A remotely located FTP server must be configured to accept incoming traffic from FTP client programs. Authentication is also needed for a successful connection. Some servers provide anonymous connections and use an email address as the password; however, administrators set this up for limited access. FTP listens on TCP port 21.

SSH – Secure Shell is superior to Telnet. This network protocol was primarily designed to replace Telnet for connecting to remote devices over a secure channel. While Telnet sends all data in plaintext, SSH sends information in encrypted form, protecting data from prying eyes. SSH servers use TCP port 22.

Telnet – Telnet is a terminal emulation program used to connect to remote devices and use their resources. This method of remote connection has been used for a long time and is still in use. From the remote device, a client uses the program, referred to as the Telnet client, to connect to the Telnet server. Cisco routers and switches use Telnet to configure remote devices. Telnet uses TCP port 23.

SMTP – Simple Mail Transfer Protocol is the protocol for sending email. You will likely encounter this protocol when configuring an email client such as Microsoft Outlook or Outlook Express. The SMTP server address is normally provided by your Internet Service Provider (ISP). While SMTP is used to send email, POP3 (Post Office Protocol) is the most common protocol for receiving mail. SMTP uses TCP port 25.

DNS – Without DNS, you would need to memorize the IP addresses of every website you want to visit. Thanks to DNS, you don't need to. DNS uses TCP/UDP port 53.

TFTP – Trivial File Transfer Protocol is the express version of FTP. It is used for basic file transfer when authentication and encryption are not a concern. A Cisco router uses TFTP to perform IOS backup and upgrade. TFTP uses UDP port 69.

HTTP – Hypertext Transfer Protocol is the language of the internet. It describes the rules for transferring HTML documents, which may contain graphics, text, documents, audio and video. HTTP uses TCP port 80 by default.

SNMP – Simple Network Management Protocol is used in managing network systems. It provides the ability to monitor network device status and functionality by polling object variables. These objects are defined in the Management Information Base, or MIB, which describes the collection of objects in hierarchical order. Agent software on the managed device reports back the status of the polled object. By using SNMP, network engineers and administrators can monitor the performance of the network, which helps in troubleshooting network issues. SNMP uses UDP port 161.

HTTPS – is an acronym for Hypertext Transfer Protocol over SSL. Some also refer to this as Secure HTTP. It is HTTP combined with the encrypted Secure Sockets Layer, or SSL. SSL encryption is used to secure information sent over the internet. HTTPS uses TCP port 443.

DHCP – Dynamic Host Configuration Protocol enables the dynamic assignment of IP network parameters to its connected clients. These parameters include, but are not limited to, IP address, subnet mask, DNS address and gateway. A dedicated DHCP server is configured with a pool of addresses to be assigned to clients requesting IP parameters. This provides flexibility when additional nodes need to be added to the network.

ARP/RARP – Before communication between network hosts takes place, each must know the other's physical address. This is the job of the Address Resolution Protocol, or ARP. It maps the hardware physical address, or MAC address, when the IP address is known. An ARP request is broadcast to all hosts, and the receiving host with the matching IP address replies with its MAC address. Reverse ARP is the opposite of ARP: it is used to map the IP address when only the physical address is known.