Egyptian Revolution – Freedom

•February 14, 2011 • Leave a Comment

Congratulations to Egypt and all the Egyptians on their freedom. Congratulations on having our country back. I am proud to be part of this revolution. I am especially proud to have participated in the pivotal day of the revolution (Friday 28 Feb 2011). On that day we went to the streets completely disconnected from the world (no internet, no mobile phones). We risked our lives and fought peacefully against the government’s tear gas, rubber bullets and live ammunition. I saw the Egyptians as I had never seen them before. The spirit in Tahrir Square was amazing.

I want to say a lot but don’t have the time now. I just wanted to add this post to mark these days, which will be marked in history as the days when the most beautiful revolution took place.

I will leave you with the video shot by my brother for a song created by the youth of this revolution.

Extracting images and files from network capture

•March 30, 2010 • 1 Comment

A cool thing to do after a MITM attack is to extract images and files from a live network stream or from network capture dumps.

Tools needed:

driftnet : http://www.ex-parrot.com/~chris/driftnet/ : sudo apt-get install driftnet

tcpxtract : http://tcpxtract.sourceforge.net/ : sudo apt-get install tcpxtract

tcpreplay : http://tcpreplay.synfin.net/ : sudo apt-get install tcpreplay

Extracting from live network traffic:

You just need to run driftnet and point it at the network device to capture from, for example “sudo driftnet -i eth0”. A window will open displaying any images passing through the eth0 adapter.

tcpxtract can extract up to 26 file types (including image files), unlike driftnet, which only captures 3 file types, all of them image types. To use tcpxtract run “sudo tcpxtract -d eth0 -o output/”; this will listen on device eth0 and write all captured files to the directory “output”.

Extracting from network dump:

What if you want to extract information from a network dump you took earlier? driftnet doesn’t yet support direct extraction from dump files, so you will have to replay the dump file with tcpreplay. You can do this by running “sudo tcpreplay -i lo dump”, where “lo” is the loopback interface and “dump” is the file containing the network dump. Of course, you run that command after starting driftnet and pointing it at the loopback interface: “sudo driftnet -i lo”.

As for tcpxtract, you can just run “sudo tcpxtract -f dump -o output/”, where “dump” is the file containing the network dump and “output” is the directory where all the captured files will be saved.
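The carving that tcpxtract performs on a dump is simple enough to reproduce, which is useful when reviewing what left a network over cleartext protocols during an incident. The following is an added example, not code from this post or from the tcpxtract project: it walks a libpcap file, joins the TCP payloads in capture order (no per-flow reassembly, so it only works for a single in-order conversation) and carves files by header/footer signature. The pcap is constructed inline; `tcp_payloads`, `carve` and `carve_pcap` are names chosen here.

```python
import struct

# Header/footer signatures: a constructed subset of the file types tcpxtract carves.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def tcp_payloads(pcap):
    """Yield the TCP payload of every Ethernet/IPv4/TCP frame in a libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                          # 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4-over-Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length
        doff = (frame[14 + ihl + 12] >> 4) * 4        # TCP data offset
        yield frame[14 + ihl + doff:]

def carve(stream, signatures=SIGNATURES, max_size=1 << 20):
    """Carve files from a byte stream by header signature and matching footer."""
    found = []
    for ext, (head, tail) in signatures.items():
        pos = 0
        while (i := stream.find(head, pos)) >= 0:
            j = stream.find(tail, i + len(head), i + max_size)
            if j < 0:
                break                                 # header without footer: incomplete file
            found.append((ext, stream[i:j + len(tail)]))
            pos = j + len(tail)
    return found

def carve_pcap(pcap):
    """Join payloads in capture order (single stream, no per-flow reassembly) and carve."""
    return carve(b"".join(tcp_payloads(pcap)))

def _frame(payload):
    """Build one pcap record: Ethernet + minimal IPv4 (proto 6) + 20-byte TCP header + payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack(">H", 40 + len(payload)) + b"\x00" * 5 + b"\x06" + b"\x00" * 10
    tcp = b"\x00" * 12 + b"\x50" + b"\x00" * 7
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture: an HTTP response carrying a tiny JPEG split across two frames.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8 + b"\xff\xd9"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _frame(b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_JPEG[:9])
               + _frame(SAMPLE_JPEG[9:]))
```

For a real dump, read the file in binary mode and pass its bytes to `carve_pcap`; captures with several interleaved flows need per-connection reassembly first, which this example deliberately leaves out.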

That’s it for now.

Dunning–Kruger effect

•March 10, 2010 • 1 Comment

A friend of mine just pointed me to a great read about a great psychological discovery. It’s called the “Dunning–Kruger effect”. You can find the Wikipedia entry here and download the study as a PDF here. It’s not that new, but many people haven’t heard about it.

It can be summarized in the following quote:

“The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt.” – Bertrand Russell

In brief, the study found that ignorant people tend to be more confident in themselves, while intelligent people underestimate their capabilities. I think this makes sense, since when you learn and know more about something you realise how ignorant you are.

Here is a list of things discovered in the study:

  1. Incompetent individuals tend to overestimate their own level of skill.
  2. Incompetent individuals fail to recognize genuine skill in others.
  3. Incompetent individuals fail to recognize the extremity of their inadequacy.
  4. If they can be trained to substantially improve their own skill level, these individuals can recognize and acknowledge their own previous lack of skill.

It’s a good read, and I am sure anyone will identify people they have worked with who fit these criteria.

WiFi MITM (DHCP Exhaustion) Attack

•March 10, 2010 • Leave a Comment

Hello Again.

I will be using this blog as a knowledge base for myself. I will be posting things I have learned about so I can come back and remember them when I need to. One more thing before I start: anything posted in this blog is for educational purposes only and I am not responsible for any malicious use of the information.

Okay, let’s start with a new attack I just read about: a new way to do a MITM attack that I think could be used on both WiFi and wired networks. But its WiFi usage is more interesting, so I will explain it with the WiFi version of the attack in mind.

A lot of people know about the traditional man-in-the-middle (MITM) attack, which involves ARP poisoning. For those who don’t know about it, you can google it and you’ll find lots of resources that explain it better than I will. I might explain it in another post later, but I won’t promise to :). Okay, back to the subject at hand. Let’s say you are in a cafe where there is a WiFi network. You connect to the WiFi network and everything is great. Let’s say you want to do a MITM attack without overloading the network with ARP requests (which is not the best thing to do on WiFi networks). One way to do it is the new attack I want to write about today, “DHCP Server Exhaustion”. It might not really be a new attack, but I just learned about it.

So what is a DHCP server? The DHCP server is the part of the router that hands out IP addresses to new machines joining the network. When you connect your machine to the WiFi network in the cafe we were talking about, your machine sends out a broadcast saying it needs an IP. The DHCP server replies with a free IP for your machine to use, and it also replies with the default gateway IP, subnet mask and DNS server IP.

So back to our story. You’re connected to the WiFi network and you launch a script that keeps broadcasting these DHCP requests asking for an IP with different, spoofed, MAC addresses. This goes on until the DHCP server runs out of IPs. Usually a network such as the one in the cafe we are talking about will have 255 IPs. One IP is used for the gateway, which is the router, one for broadcast and one for your machine, so you only have 252 IPs to request before you exhaust the DHCP server. What happens if you exhaust the DHCP server and another machine joins the network and broadcasts asking for a new IP? Nothing. The DHCP server doesn’t reply, not even to say that there are no IPs left. This is interesting because now you can start your own DHCP server on your machine and set it to hand out an IP with the gateway being your machine and the DNS server also being your machine. So now the victim thinks he is connected to the network and everything looks normal. But it’s not: you are now in the middle between the victim and the internet. A MITM attack was achieved without bombarding the network with ARP requests, and even if there is a tool watching for ARP poisoning on the network, it won’t notice the attack.

So what if the victim already acquired an IP before I joined the network and started my attack? Well, since you are on a WiFi network, you can do a de-authentication attack, where you disconnect all the clients from the WiFi network and force them to rejoin and resend the DHCP broadcast packet.

Note that you need to set up routing on your machine so that when the victim requests google.com you can forward the request and return the response to the victim without him noticing. All the requests from the victim are routed through you, so you can do lots of things, from sniffing credentials to browser exploitation.
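An ARP watcher misses this attack, but the attack leaves its own traces: a burst of DISCOVERs from many never-seen client MACs, followed by OFFERs from a server identifier that is not the network’s DHCP server. The following is an added detection example, not code from this post; it runs over decoded DHCP events (the tuple layout, the `KNOWN_SERVERS` allow-list and the sample timeline are constructed here) and flags both signals.

```python
from collections import deque

# Allow-listed DHCP server identifier for the network (constructed value).
KNOWN_SERVERS = {"192.168.1.1"}

def detect_dhcp_abuse(events, window=10.0, threshold=20, known_servers=KNOWN_SERVERS):
    """Scan decoded DHCP events, each (ts_seconds, msg_type, client_mac, server_id).
    Two signals are flagged:
      - starvation: more than `threshold` distinct client MACs sent DISCOVER within a
        sliding `window`; a real client retransmits with its own MAC, spoofed ones differ;
      - rogue_server: an OFFER or ACK whose server identifier is not allow-listed."""
    alerts, recent, starving = [], deque(), False
    for ts, msg_type, mac, server_id in sorted(events, key=lambda e: e[0]):
        if msg_type == "DISCOVER":
            recent.append((ts, mac))
            while recent[0][0] < ts - window:          # drop DISCOVERs outside the window
                recent.popleft()
            distinct = {m for _, m in recent}
            if len(distinct) > threshold and not starving:
                starving = True                        # alert once per exhaustion burst
                alerts.append(("starvation", ts, len(distinct)))
        elif msg_type in ("OFFER", "ACK") and server_id not in known_servers:
            alerts.append(("rogue_server", ts, server_id))
    return alerts

def sample_events():
    """Constructed timeline: one legitimate lease, a burst of DISCOVERs from spoofed MACs
    (the exhaustion phase), then an OFFER from a server identifier that is not ours."""
    events = [(0.0, "DISCOVER", "aa:bb:cc:00:00:01", None),
              (0.2, "OFFER", "aa:bb:cc:00:00:01", "192.168.1.1"),
              (0.4, "ACK", "aa:bb:cc:00:00:01", "192.168.1.1")]
    events += [(5.0 + i * 0.05, "DISCOVER", f"02:00:00:00:00:{i:02x}", None) for i in range(60)]
    events += [(9.0, "DISCOVER", "aa:bb:cc:00:00:02", None),
               (9.1, "OFFER", "aa:bb:cc:00:00:02", "192.168.1.77")]
    return events
```

Switch-side DHCP snooping applies the same allow-list idea per port, dropping server replies that arrive on untrusted ports, and rate limits on DISCOVERs cap the exhaustion phase.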

I know the description is not the best and some of my info might not be totally correct, but I think you get the idea. Are there any tools to do what I described? Yes, but I didn’t try them. When I do, I might write another post about how to use the tools to do the attack.

Gmail Hack

•March 2, 2010 • Leave a Comment

I am currently reading a book about Google hacks (this is also its name), which I found interesting. I started with the Gmail chapter and came across a very useful hack.

If you have a Gmail account (if you don’t, get one now!!!) and your address is, let’s say, me@gmail.com, you can receive emails at any address in this format: me+anything@gmail.com. This + thing can go on forever, for example me+anything+anything2@gmail.com. Did I get your attention yet!!

Okay, let’s see how this is helpful. Let’s say, and I think this is a common situation, you are registering for a website that sends you a registration confirmation, so you put your mail address as me+thewebsitename@gmail.com. You can later easily track all the mail coming from this website, and even if this site becomes a pain in the a** and you don’t want to receive any mail from it again, you can apply a filter that will send all the mail coming from that website to the trash automatically.
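The tracking described above also works in reverse: if mail arrives at me+thewebsitename@gmail.com from a sender that is not that website, the address was shared or leaked. The following is an added example, not code from the post or the book; it parses the tag out of the To: address (everything after the first +, so me+anything+anything2 keeps “anything+anything2” as its tag) and reports per tag which senders are expected. The sample headers are constructed.

```python
from collections import defaultdict
from email.utils import parseaddr

def plus_tag(address):
    """Split a Gmail-style address into (base mailbox, tag). Everything after the first
    '+' in the local part is the tag: 'Me+shop+promo@gmail.com' -> ('me@gmail.com', 'shop+promo')."""
    local, _, domain = address.strip().lower().partition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag

def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring any display name."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def audit(messages):
    """Group messages by the tag they were sent to and mark each sender as expected
    (its domain contains the tag's first segment) or not; an unexpected sender hints
    that the tagged address has been shared with or leaked to a third party."""
    report = defaultdict(list)
    for msg in messages:
        _, tag = plus_tag(parseaddr(msg["To"])[1])
        if not tag:
            continue                                    # untagged mail is not tracked
        dom = sender_domain(msg["From"])
        report[tag].append((dom, tag.split("+")[0] in dom))
    return dict(report)

# Constructed sample headers, not real mail.
SAMPLE = [
    {"To": "me+examplestore@gmail.com", "From": "Orders <orders@examplestore.example>"},
    {"To": "Me+ExampleStore@gmail.com", "From": "Deals <promo@other-marketer.example>"},
    {"To": "me@gmail.com", "From": "friend@example.org"},
]
```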

Well, this is just one thought about how to use it; how you make it beneficial to you is up to your imagination.

Hello World!

•March 2, 2010 • Leave a Comment

First post :)… I am usually energetic when I start something new, but as time goes on my energy fades away… I wonder how I can keep myself posting blogs on a regular basis.