PL - English http://pierre.droids-corp.org/blog/html/ Mon SYN, tu l'aimes et tu l'acquittes en-us Thu, 05 Apr 2007 00:00:00 +0200 http://pierre.droids-corp.org/blog/html/2007/04/05/n800_with_scapy_and_metasploit.html http://pierre.droids-corp.org/blog/html/2007/04/05/n800_with_scapy_and_metasploit.html <![CDATA[N800 with scapy and metasploit]]> N800 with scapy and metasploit

Thanks to the python package provided by the Maemo “Extras” repository and to the osso-xterm provided by the Maemo-Hackers repository, I have had scapy running on my Nokia N800 for a while.

I have seen that some people had the Metasploit Framework running, thanks to an unreleased Ruby package.

As there is a Ruby file with mud-builder, I have built a Ruby package (you can get it here if you are too lazy to build it yourself) for N800, and… that’s it. Just get Metasploit, and run msfcli from an xterm, it works.

As it’s not that easy to work with an xterm on the N800 (as on any pocket-sized device), we really need a GUI. For metasploit, one could think of using msfweb plus the integrated web browser. But msfweb does not work for now (needs at least RubyGems and Rails).

]]>
Thu, 05 Apr 2007 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2007/04/10/msfweb_on_n800.html http://pierre.droids-corp.org/blog/html/2007/04/10/msfweb_on_n800.html <![CDATA[msfweb on N800]]> msfweb on N800

As I said earlier, I wanted to have msfweb (the Metasploit Framework web interface) running on my N800, because it could be far more easy to use on that kind of devices. Finally it works!

First of all, install Metasploit (read this).

Then, you “only” need to get RubyGems (you can try my package), and get gem files for Rails and its dependencies (you’ll find the whole set here). Install each dependency, then Rails itself (run “gem install package-version.gem”).

You should be able to run from an xterm (in the directory where you’ve put Metasploit) the command ./msfweb.

It’s a bit slow to start, but it seems to work:

../../../_images/screenshot-2007-04-10-16-11-11.png ]]>
Tue, 10 Apr 2007 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2007/04/11/metasploit_automated_exploitation_on_n800.html http://pierre.droids-corp.org/blog/html/2007/04/11/metasploit_automated_exploitation_on_n800.html <![CDATA[Metasploit Automated Exploitation on N800]]> Metasploit Automated Exploitation on N800

As suggested by spaceaquarium, I’ve tried to get Metasploit Automated Exploitation (one of the killer features of Metasploit Framework 3) working on my N800. And that’s easy.

Read more...

]]>
Wed, 11 Apr 2007 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2007/04/11/scapext__scapy_extended.html http://pierre.droids-corp.org/blog/html/2007/04/11/scapext__scapy_extended.html <![CDATA[Scapext: Scapy Extended]]> Scapext: Scapy Extended

Scapy is a great tool for network packets manipulation (sniff, dissect, create, send,…).

When I use this tool, I feel some features miss. So I have written an extension (called Scapext) that, for now, includes:

  • GeoIP support (through Maxmind GeoIP Python API). This is faster than the method used in Scapy for now, and easier.
  • PFLog pcap type (used by the OpenBSD Packet Filter to log packets; this allows PF to store valuable information on what happened to the packets logged).
  • Early SunRPC support with state handling.

Interested? See my posts about Scapy.

]]>
Wed, 11 Apr 2007 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2008/01/13/scapy__using_p0f.html http://pierre.droids-corp.org/blog/html/2008/01/13/scapy__using_p0f.html <![CDATA[Scapy: using p0f]]> Scapy: using p0f

I’ve recently released a not-yet-applied patch for scapy which improves the use of p0f functionalities.

First, p0f now comes with databases designed for other TCP packets than only SYN packets (one database for SYN/ACK packets, one for RST and RST/ACK packets, and the last one for “stray” ACK packets). Those new databases are slightly different than the original one, and an effort was required to enable scapy’s p0f functions to use them.

Read more...

]]>
Sun, 13 Jan 2008 00:00:00 +0100
http://pierre.droids-corp.org/blog/html/2014/09/12/_active__network_recon_with_ivre.html http://pierre.droids-corp.org/blog/html/2014/09/12/_active__network_recon_with_ivre.html <![CDATA[(Active) network recon with IVRE]]> (Active) network recon with IVRE

Let’s see how to use IVRE to dig some Nmap scan results.

I’ll assume you have (successfully) installed Docker and followed the instructions in the IVRE documentation about Docker.

You should now have two running containers (ivredb and ivreweb) and one ready to run (ivreclient). The database has been initialized from the client (the --init commands in the documentation).

Read more...

]]>
Fri, 12 Sep 2014 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2014/12/23/scapy_2_3_1_is_out__merry_christmas_.html http://pierre.droids-corp.org/blog/html/2014/12/23/scapy_2_3_1_is_out__merry_christmas_.html <![CDATA[Scapy 2.3.1 is out, Merry Christmas!]]> Scapy 2.3.1 is out, Merry Christmas!

After the release of Scapy 2.3.0 just a few days ago, Guillaume Valadon figured out we actually needed some more fixes (PR 88 & PR 89).

After some work, Scapy 2.3.1 is out, with some good news (read Guillaume’s e-mail announcing Scapy 2.3.0 for a non-exhaustive list), including Robin Jarry’s excellent work to add IPSec support (FR).

You can download the release from Bitbucket (ZIP).

If you are a package maintainer for a Linux distribution, please consider updating Scapy to 2.3.1.

Enjoy!

]]>
Tue, 23 Dec 2014 00:00:00 +0100
http://pierre.droids-corp.org/blog/html/2015/02/24/scanning_internet_exposed_modbus_devices_for_fun___fun.html http://pierre.droids-corp.org/blog/html/2015/02/24/scanning_internet_exposed_modbus_devices_for_fun___fun.html <![CDATA[Scanning Internet-exposed Modbus devices for fun & fun]]> Scanning Internet-exposed Modbus devices for fun & fun

There is a French expression that says (translation is mine) “you don’t shoot at an ambulance”. Well, I do. Shooting at ambulances is fun. Plus it has a lot of advantages:

  • It’s less risky than shooting at a tank.
  • As my friend Renzo likes to say, ambulances are easy to spot in the jungle and they bear cross-shaped targets.
  • There are often other easy targets hanging around (casualties, doctors, etc.).

Anyway, here is a scan I have run against the whole IPv4 address space, looking for Internet-exposed Modbus services.

Read more...

]]>
Tue, 24 Feb 2015 00:00:00 +0100
http://pierre.droids-corp.org/blog/html/2015/03/06/mining_public_keys_with_ivre.html http://pierre.droids-corp.org/blog/html/2015/03/06/mining_public_keys_with_ivre.html <![CDATA[Mining public keys with IVRE]]> Mining public keys with IVRE

Background

In my previous post I explain how I have run a scan against Internet-exposed Modbus-enabled devices, and share the results obtained.

I have been asked several times why had I chosen to run a Zmap + Nmap scan instead of a Zmap + Zgrab, which would have been a lot faster.

Here is my answer: I wanted to scan the other services running on the Modbus-enabled devices, because:

  • They tells a lot about the device behind the IP address (the screenshots is a feature I really like, but anonymous FTP file listing is also great, for example)
  • They often show intersting weaknesses.

Read more...

]]>
Fri, 06 Mar 2015 00:00:00 +0100
http://pierre.droids-corp.org/blog/html/2015/07/01/ivre__new__cool__features.html http://pierre.droids-corp.org/blog/html/2015/07/01/ivre__new__cool__features.html <![CDATA[IVRE: new (cool) features]]> IVRE: new (cool) features

Long time no post… so here is a Prévert-style inventory of some recent IVRE’s features.

Read more...

]]>
Wed, 01 Jul 2015 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2015/08/12/ivre_has_a_new_home_.html http://pierre.droids-corp.org/blog/html/2015/08/12/ivre_has_a_new_home_.html <![CDATA[IVRE has a new home!]]> IVRE has a new home!

Together with a new logo, IVRE now has its own website: ivre.rocks!

By the way, we have a demonstration instance there which is only accessible with an account. Just e-mail us to get an access! It runs the latest version from the repository, using Docker images.

For the record, the original domain (iv.re) has been deleted (after a one day notice!) because Afnic (who handles .re) discovered that the domain validity check for .re was broken and should not have allowed such a domain.

]]>
Wed, 12 Aug 2015 00:00:00 +0200
http://pierre.droids-corp.org/blog/html/2016/10/25/ivre_screenshot_all_the_things.html http://pierre.droids-corp.org/blog/html/2016/10/25/ivre_screenshot_all_the_things.html <![CDATA[IVRE: screenshot all the things!]]> IVRE: screenshot all the things!
The title of this blog comes from a nice article from 2014 named Scan Internet and Screenshot all the things

Some people have been asking us how the screenshots published with the Internet-wide Modbus scan had been taken.

Truth is, there was nothing to be proud of, and nothing worth publishing. As an example, I used a PhantomJS script to screenshot a Web-based RDP client…

But there are some great news: four Nmap scripts are now integrated to IVRE to take screenshots, and handle four different protocols.

Read more...

]]>
Tue, 25 Oct 2016 00:00:00 +0200