Common Security ACL

While going through my CCNA Security books I noticed that they recommend blocking, at the router, a large range of ports used by services that are insecure on end devices. After compiling them all together, here is a working ACL that can be implemented.

Keep in mind that the RFC1918 blocking (implemented to conform with RFC2827 anti-spoofing) has to be adjusted to your topology, and that this list may block services you want running.

deny tcp any any eq 1
deny udp any any eq 1
remark DENY ECHO
deny tcp any any eq 7
deny udp any any eq 7
deny tcp any any eq 9
deny udp any any eq 9
deny tcp any any eq 11
deny tcp any any eq 13
deny udp any any eq 13
deny tcp any any eq 15
deny tcp any any eq 19
deny udp any any eq 19
remark DENY TIME
deny tcp any any eq 37
deny udp any any eq 37
deny tcp any any eq 43
deny udp any any eq 67
deny udp any any eq 69
deny tcp any any eq 79
deny tcp any any eq 93
deny tcp any any eq 111
deny udp any any eq 111
deny tcp any any eq 135
deny udp any any eq 135
remark DENY NB-NS
deny tcp any any eq 137
deny udp any any eq 137
remark DENY NB-DGN
deny tcp any any eq 138
deny udp any any eq 138
remark DENY NB-SSN
deny tcp any any eq 139
deny udp any any eq 139
remark DENY SNMP
deny tcp any any eq 161
deny udp any any eq 161
deny tcp any any eq 162
deny udp any any eq 162
deny udp any any eq 177
deny tcp any any eq 445
deny tcp any any eq 512
deny udp any any eq 513
deny tcp any any eq 514
deny udp any any eq 514
remark DENY LPR
deny tcp any any eq 515
remark DENY TALK
deny udp any any eq 517
deny udp any any eq 518
remark DENY UUCP
deny tcp any any eq 540
deny tcp any any eq 550
deny udp any any eq 550
remark DENY IRC
deny tcp any any eq 667
deny tcp any any eq 1900
deny udp any any eq 1900
deny tcp any any eq 5000
deny udp any any eq 5000
remark DENY NFS
deny udp any any eq 2049
deny tcp any any range 6000 6063
deny tcp any any range 12345 12346
deny tcp any any eq 31337
deny udp any any eq 31337
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any source-quench
deny icmp any any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
deny ip any
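An IOS ACL is evaluated top-down, first match wins, and anything that reaches the end hits the implicit deny, so a list like the one above needs a trailing permit for the traffic you do want. The Python evaluator below is an added example (not from the CCNA material or this page); it replays sample packets against a constructed subset of the entries above to show that behaviour.

```python
import re

# Constructed subset of the ACL above (same syntax); the page's full list is longer.
SAMPLE_ACL = """\
remark DENY NB-SSN
deny tcp any any eq 139
deny udp any any eq 139
remark DENY SNMP
deny udp any any eq 161
deny tcp any any range 6000 6063
permit icmp any any packet-too-big
deny icmp any any
"""

# permit|deny <proto> any any [eq <port> | range <lo> <hi> | <icmp-type>]
ACE = re.compile(r"^(permit|deny)\s+(tcp|udp|icmp|ip)\s+any\s+any(?:\s+(.+))?$")


def parse_acl(text):
    """Parse 'any any' entries into (action, proto, qualifier words, original line)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("remark"):
            continue  # remarks document the list but never match traffic
        m = ACE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        entries.append((m.group(1), m.group(2), (m.group(3) or "").split(), line))
    return entries


def _matches(proto, qual, pkt):
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not qual:
        return True  # no port/type qualifier: any packet of that protocol
    if proto in ("tcp", "udp"):
        dport = pkt.get("dport", -1)  # 'eq'/'range' after the destination = destination port
        if qual[0] == "eq":
            return dport == int(qual[1])
        if qual[0] == "range":
            return int(qual[1]) <= dport <= int(qual[2])
    if proto == "icmp":
        return pkt.get("icmp") == qual[0]
    return False


def evaluate(entries, pkt):
    """IOS semantics: top-down, first match wins; no match hits the implicit deny."""
    for action, proto, qual, line in entries:
        if _matches(proto, qual, pkt):
            return action, line
    return "deny", "implicit deny (end of list)"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in ({"proto": "tcp", "dport": 139}, {"proto": "icmp", "icmp": "packet-too-big"},
                {"proto": "tcp", "dport": 443}):
        print(pkt, "->", evaluate(acl, pkt))
    # Without a trailing permit even HTTPS is dropped; append one for the traffic you want.
    print(evaluate(parse_acl(SAMPLE_ACL + "permit ip any any\n"), {"proto": "tcp", "dport": 443}))
```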

Asus UL30VT + BT4

I finally managed to purchase a new lappy the other day to replace my too-small EEE 701.

I considered all of the 13″ ULV models available where I'm from and the VT definitely stood out as the best value for money. Considering it has a dual core supporting VT-x extensions and 4GB of RAM, I thought it would be great to run Backtrack 4 in a VM.

When I got everything installed and configured, I ran up my Alfa AWUS036H wireless USB adapter but started seeing some issues with it running under the VM. There were certain circumstances in which the adapter would freeze and require a replug to fix, and when it did work, packet injection performance was poor.

So I decided to do a proper HDD install of BT4. For this I have a 500GB external Seagate HDD that I bought for BT4 to hold some rainbow tables on.

I ran into heaps of problems using the script from BT to install to a local hard disk. I kept receiving GRUB error 2 regardless of what I did and where I installed it to. After trying to sort it out by manually installing GRUB I kept getting GRUB error 15.

I trawled through massive amounts of forum posts trying to get the thing to work but everything I tried failed. Finally though I stumbled across a post on the Backtrack forums about setting up BT4PF on a HDD, referencing the Backtrack perfect install doco.

Regardless of it being written for BT4PF everything worked perfectly and I now have BT4 running on my external USB HDD on my UL30VT. Here are the details of how it's done, and the original thread for reference:

Perfect install:

Create new partitions

root@bt:~# fdisk /dev/sdb <-- NOTE this was the device node of my external usb hdd and it may be different for yours.
The number of cylinders for this disk is set to 1044.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Partition number (1-4): 1
First cylinder (1-1044, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-1044, default 1044): +128M <-- NOTE: I had issues with partition size and space at 128MB; mine is currently running at +1G for future kernels etc.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Partition number (1-4): 2
First cylinder (10-1044, default 10):
Using default value 10
Last cylinder, +cylinders or +size{K,M,G} (10-1044, default 1044): +1024M <-- NOTE: this is the size of your swap space, seeing as I have 4GB of RAM, to make it easy I set the swap at +10G.
Command (m for help): n
Command action
e extended
p primary partition (1-4)
Partition number (1-4): 3
First cylinder (142-1044, default 142):
Using default value 142
Last cylinder, +cylinders or +size{K,M,G} (142-1044, default 1044): <-- NOTE: the default is the remainder of the disk and should have sufficient size for all the OS and BT files + any extra files you want to keep.
Using default value 1044
Command (m for help): t
Partition number (1-4): 2
Hex code (type L to list codes): 82
Changed system type of partition 2 to 82 (Linux swap / Solaris)
Command (m for help): a
Partition number (1-4): 1
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

Format Partitions

NOTE: the /dev/sdb device node was for my external USB HDD and may be different to yours.
root@bt:~# mke2fs /dev/sdb1
root@bt:~# mkswap /dev/sdb2
root@bt:~# swapon /dev/sdb2
root@bt:~# mkreiserfs /dev/sdb3

Mount and copy files

root@bt:~# mkdir /mnt/bt4
root@bt:~# mount /dev/sdb3 /mnt/bt4/
root@bt:~# mkdir /mnt/bt4/boot
root@bt:~# mount /dev/sdb1 /mnt/bt4/boot
root@bt:~# cp --preserve -R /{bin,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/bt4/
root@bt:~# mkdir /mnt/bt4/{dev,mnt,tmp,proc,sys}
root@bt:~# mount -t proc proc /mnt/bt4/proc/
root@bt:~# mount -o bind /dev /mnt/bt4/dev/

Copy the splash screen

root@bt:~# cd /media/cdrom0/boot
root@bt:~# cp --preserve -R {bootsplash,vmlinuz,initrd.gz} /mnt/bt4/boot/

Configure GRUB

root@bt:~# chroot /mnt/bt4/ /bin/bash

root@bt:~# nano /boot/grub/menu.lst
timeout 5   # The number of seconds GRUB should wait before booting an OS
default 0   # The entry which should be booted by default
fallback 1  # The entry which should be booted in the event of the first one failing

# This is an example of using a separate partition for /boot
title     BT4
root      (hd0,0)        # Boot partition
kernel    /vmlinuz root=/dev/sda3 rw vga=0x317   # root partition as seen by the booted kernel; this guide formatted the root filesystem on /dev/sdb3
initrd    /initrd.gz

root@bt:~# grub
grub> find /grub/stage1
    (hd1,0) <-- NOTE: this was the return by GRUB for my external usb hdd and may be different for yours. Same as the following commands.
grub> root (hd1,0)
grub> setup (hd1)
grub> quit
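Before formatting, it is worth confirming the fdisk session produced the layout the guide expects (partition 1 bootable, partition 2 type 82, partition 3 root) on the intended disk. The Python check below is an added example, not part of the guide or the forum thread; it parses sfdisk -d style output, and the dump it contains is constructed rather than captured from a real drive.

```python
import re

# Constructed `sfdisk -d /dev/sdb` style dump for the layout the fdisk session above
# creates: sdb1 /boot (bootable), sdb2 swap (type 82), sdb3 root. Not from a real disk.
SAMPLE_DUMP = """\
# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start=       63, size=  2104452, Id=83, bootable
/dev/sdb2 : start=  2104515, size= 20964825, Id=82
/dev/sdb3 : start= 23069340, size=953703828, Id=83
/dev/sdb4 : start=        0, size=        0, Id= 0
"""

# Accepts both the old "Id=" and the newer "type=" spelling of the type field
PART = re.compile(r"^/dev/\S+?(\d+)\s*:\s*start=\s*(\d+),\s*size=\s*(\d+),\s*(?:Id|type)=\s*(\w+)(.*)$")


def parse_sfdisk_dump(text):
    """Return {partition number: {start, size (sectors), type, bootable}} for used slots."""
    parts = {}
    for line in text.splitlines():
        m = PART.match(line.strip())
        if not m or int(m.group(3)) == 0:
            continue  # header, blank line, or empty partition slot
        parts[int(m.group(1))] = {
            "start": int(m.group(2)), "size": int(m.group(3)),
            "type": m.group(4).lower(), "bootable": "bootable" in m.group(5),
        }
    return parts


def check_bt4_layout(parts, min_boot_mb=128):
    """List what deviates from the guide's layout; an empty list means it matches."""
    problems = []
    boot, swap, root = parts.get(1), parts.get(2), parts.get(3)
    if boot is None:
        problems.append("partition 1 (/boot) missing")
    else:
        if not boot["bootable"]:
            problems.append("partition 1 not flagged bootable (fdisk 'a' step)")
        if boot["size"] * 512 < min_boot_mb * 1024 * 1024:
            problems.append(f"partition 1 smaller than {min_boot_mb}MB")
    if swap is None:
        problems.append("partition 2 (swap) missing")
    elif swap["type"] != "82":
        problems.append("partition 2 type is not 82 (fdisk 't' step)")
    if root is None:
        problems.append("partition 3 (root) missing")
    # Whatever else is on the disk, partitions must not overlap
    ordered = sorted(parts.values(), key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start"] + a["size"] > b["start"]:
            problems.append("overlapping partitions")
            break
    return problems


if __name__ == "__main__":
    layout = parse_sfdisk_dump(SAMPLE_DUMP)
    print(check_bt4_layout(layout) or "layout matches the guide")
```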

Original thread:

UCSniff 3.0

After playing with UCSniff 3.0 as detailed in my last entry, I still got the error:

Not saving conversation media file because either forward or reverse media not received.

This caused ucsniff to only generate a forward wave file.

I looked around for a solution, but it was already built into ucsniff.

One of the problems with this new UCSniff feature is that it is ineffective against intercepting any Skinny messages from the phone to the network. This is because the IP Phone ARPs for its remote IP gateway when it boots up and registers for the first time, and any subsequent spoofed ARP packets are ineffective.

All we have to do is run:

ucsniff -i eth0.20 --tftpm -T -D

One thing that I observed was that --tftpm would only be correctly applied in targeted mode. Even though we can target using the ettercap options /x/ //, it still wouldn't work.

When it works properly it will show:

Receiving SEP CNF XML file via TFTP MitM attack
Modified the GARP Setting to GARP Enabled
UCSniff running GARP Disablement bypass flood for IP Phone xxxx

You can still target a single host MitM without ARPing the whole VLAN by generating a targets.txt file.

I may make a basic bash script and post it for generating a targets.txt file, but it's easily hand-editable and would look something like:


BT4 + EEE 701 + VLAN Hopping + UCSniff 3.0

As part of my recently talked about network security course, I’ve been playing with VoIP security, trying to get everything working on my EEE 701.

Previously I gave instructions on running BT3 on a USB with persistence. This worked great on the EEE, however I ran into problems when running voiphopper. The EEE complained about not being able to add the VLAN interface to eth0 and therefore VLAN hopping would not work.

ERROR: trying to add VLAN # to IF -:eth0:- error: Invalid argument

I did the usual and modprobed 8021q, checked other dependencies etc, but it wouldn't go. The 701 runs an Attansic L2 card, which in Linux runs under the atl2 driver, so I did some research and found mixed reports on the net about VLAN tagging not being supported on the atl2. After no luck I even contemplated buying a newer netbook with supported hardware.

I've got another persistent distro, Ubuntu Netbook Remix, so I decided to test that, as the atl2 drivers are built into the kernel and have changed recently. Long story short, VLAN tagging worked in UNR.

I tried to find newer atl2 drivers and load them manually into BT3, but couldn't find any readily and couldn't really be bothered searching too hard. I downloaded BT4 and made another persistent USB drive. Due to the newer Debian kernel used in BT4, VLAN tagging worked without a problem.

VLAN tagging and therefore voiphopper now worked. Next, intercepting SCCP conversations. In my previous testing I was using UCSniff 2.4 to record SCCP conversations via ARP poisoning (MitM). This worked infrequently, and in my production environment (Clustered Cisco Call Manager 4.2(sr3a)) it complained about GARP being disabled and that it would not record the conversation. Since then I've been hanging out for UCSniff 3.0, which was due to be released on the 24/10/09. They released it early! 😀

Another long story short, UCSniff 3.0 works under BT4 under an EEE 701 and happily records SCCP from CCM4.2.

Happy days!

I've yet to test packet injection on BT4, but don't expect too many problems with this.

Here's a step by step of the processes involved.

Create persistent BT4 on USB
Followed the directions outlined here:



VLAN Support + VLAN Hopping

Firstly modprobe to enable VLAN tagging in the environment

modprobe 8021q

Connect to a Cisco switchport with a switch config similar to this

switchport mode access
switchport access vlan 10
switchport voice vlan 20

Try VLAN hopping with voiphopper

voiphopper -i eth0 -c 0


Download and compile UCSniff 3.0
Download UCSniff here:



tar zxvf ucsniff-3.01.tar.gz
cd ucsniff-3.01
make install

To record all SCCP conversations on the voice VLAN

ucsniff -i eth0.20 --garpdb // //

Or to target a particular IP phone, without enumerating the targets on the voice VLAN first

ucsniff -i eth0.20 --garpdb /XXXX.XXXX.XXXX.XXXX/ //




Finally play back the file from the commandline

play filename.mp3


Persistent BT3 on EEE 701

So I'm currently studying for my Advanced Diploma of Network Security after completing my Diploma of Network Engineering about 12 months ago. As part of my course I will be studying CEH, however I've decided to get a jump on things by integrating security into all my other subjects. I pulled out the long-neglected EEEPC 701 that I was given as part of finishing my NE course, to work on CCNA Security and CCNA Wireless.

Here's a pretty simple guide to getting the 701 up and running with a persistent Backtrack 3 on USB, fingerprinting with Kismet and cracking WEP with wesside-ng.

Firstly I followed the persistent usb details outlined at:


Secondly, each time you want to inject packets or use Kismet, run the following:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor


To run Kismet, you will have to modify the following file. If you're running BT3 live without persistence you will have to do this every time.

Edit /usr/local/etc/kismet.conf and change source to:



Finally, I won't record another WEP video like every other person on the net; just run the following with the BSSID MAC of the AP (from Kismet):

wesside -i ath0 -v MAC


Next I plan on running easside-ng for those (occasional) networks where something doesn't go right. I'll throw the details up for that when I've done it.

Great Quote

I found a great quote on the Ubuntu security forums today.

I have been toying with the idea of setting up SNORT and managed AV and found this at the beginning of the tutorial.

“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger

This quote so easily spells out the best approach to IT security.


PHP/Obfu.A's Encryption

The other day whilst browsing OC I came across a readable code of the PHP/Obfu.A IRC bot. I’m not sure whether the user contributed the actual readable code or had edited one of the obfuscated versions, but I decided to take a look at it.

It seems that PHP/Obfu.A was detected on the 30th of Jan 08 by two sources:


Obfu.A is an RFI IRC bot that uses vulnerabilities in PHP code to execute remote PHP scripts. It uses the compromised site to load the remote script, join an IRC server (or in this case a number of IRC servers), and is then controllable by the bot-master. It is heavily obfuscated, including the variables and server settings.

For more information on RFI exploits, see:


I was about to test the usability of the code, but found that all settings, server details, passwords etc. were encrypted so as to further obfuscate the code. The script included a decrypting function using a cipher-key type of encryption, but had no function to encrypt. I set about analysing the decryption process and reversed it to create an encryption function so it would be usable in my tests.

Here's the original decrypt code:

function decrypt_settings($input) {
    $output = '';
    $input = base64_decode($input);
    // the base64 key literal is truncated on this page; the bot's full key is longer
    $key = decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz");
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        // pick one key character; for $i = 0 the start is -1, i.e. the last key character
        $offset_character = substr($key, ($i % strlen($key)) - 1, 1);
        $character = chr(ord($character) - ord($offset_character));
        $output .= $character;
    }
    return $output;
}

function decode($input) {
    $input = base64_decode(remove_spaces($input));
    return $input;
}

function remove_spaces($input) {
    $input = str_replace(" ", "", $input);
    return $input;
}

Those functions are called by something like decrypt_settings($settings['mo']). In this case mo from the array had the value cqtrig==

Let's take a look at what it's doing. First the function is called, and $input receives the encrypted string. $input is then base64 decoded. Base64 is an encoding, not encryption, and PHP has functions for both encoding and decoding it. We will work with the encrypted string cqtrig==.

The base64 decoded value is r«kŠ, which means nothing to us so far.

Next is the for loop, which basically says: increment $i whilst the value of $i is still less than the length of the $input string, which in this case is 4 characters, so the loop runs 4 times.

$character takes the value of each letter in turn, so on the first pass through the for loop it will contain r, on the second «, etc.

Then we find the $offset_character. At this point it is easiest to follow if we base64 decode the M0Ah….. string; the result begins 3@!#!…

Now the substr function will return a portion of the string which is defined by where the starting point is, and how many characters to take. substr ( string $string , int $start [, int $length ] )
3@!#!….. is our string.

The starting point is found by another expression, ($i % strlen(decode("M0Ah……"))) - 1. This takes the remainder of $i divided by the length of the 3@!#!…. string, which is 113, and subtracts 1.

From tests that I did, the result of the expression is always one less than $i. substr then takes one character from that position. So if $i is character number 26 in our encrypted string, substr will take the 26th character from the cipher text 3@!#!….

For example, on the first pass through the for loop $i = 0, so substr's call becomes $offset_character = substr(3@!#!…. , -1, 1): move the pointer one character from the end of the string, then let $offset_character equal that value. So on the first run through the for loop $offset_character will equal E (from the end of 3@!#!….), on the second run $offset_character will equal 3, on the third @, etc.

So back to our example of r«kŠ,
Pass one through the for loop:
$character = r
$offset_character = E
Pass two through the for loop:
$character = «
$offset_character = 3
Pass three through the for loop:
$character = k
$offset_character = @
Pass four through the for loop:
$character = Š
$offset_character = !

Now that we have our $character and $offset_character vars filled, they are put through this: $character = chr(ord($character) - ord($offset_character))

Let's simplify it: ord($character) - ord($offset_character). ord is a built-in PHP function which finds the ASCII value of a character. I found a decent ASCII table site here:


So for r and E in our example, r = 114, E = 69, so 114 - 69 = 45. So now in our function $character = chr(45). chr is a built-in PHP function which returns the character for an ASCII value. In this case 45 = -

So at the end of the first pass of the for loop $character equals -, which is then appended to $output by $output .= $character;

After we run through the four passes of the for loop we should get -x+i, which is our decrypted setting!
In PHP/Obfu.A -x+i is used as the channel mode. However this process can be applied to all settings.

Now we know it decrypts the settings, how about encrypt?

This is what we have so far: r - E = - or 114 - 69 = 45.
So to encrypt we have r as our unknown (x), so x - E = - or x - 69 = 45.
Using maths (:o!) we can find x by x = - + E, which rearranges to x = 45 + 69, therefore x = 114.

Now the fun part, rearranging the PHP to encrypt. We will reuse the decryption function and just move some things, as most of it stays the same.

Seeing as we're starting off with what we want to encrypt, we don't need to base64 decode it, so we can remove $input = base64_decode($input). The for loop stays the same, as we're using the same principles of the cipher text.
When it comes to $character = chr(ord($character) - ord($offset_character)), we now want to add the ASCII values to get our encrypted value, so it becomes $character = chr(ord($character) + ord($offset_character));

Finally we want to base64 encode the entire string, not just the individual characters, because the first thing decryption does is base64 decode the whole string. To do this to the entire string, the encode has to sit outside the for loop.

The final encrypt function should look like this:

function encrypt_settings($input) {
    $output = '';
    // same truncated key literal as in decrypt_settings(); decode() is defined above
    $key = decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz");
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        $offset_character = substr($key, ($i % strlen($key)) - 1, 1);
        // add instead of subtract to reverse the decryption step
        $character = chr(ord($character) + ord($offset_character));
        $output .= $character;
    }
    // base64 encode the whole string once, outside the loop
    return base64_encode($output);
}

You can call this function using something similar to this:

$encrypted_settings = encrypt_settings("yoursettings");

So then you should have your encrypted string!
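The decrypt/encrypt pair above, reimplemented in Python as an added example (not the bot's code) so the round trip can be checked against the page's cqtrig== / -x+i sample. The key is a constructed stand-in: the visible base64 fragment from the page plus the trailing E the walkthrough identifies, since the full 113-byte key is truncated here. Because the key ships inside the script, anyone holding a sample can recover its settings the same way.

```python
import base64

# Base64 key fragment exactly as it appears on the page. The bot's full key is longer
# (113 bytes per the walkthrough) and ends in 'E'; the stand-in below keeps the visible
# prefix and that final byte, which is all the page's 4-byte sample ever touches.
KEY_FRAGMENT_B64 = "M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz"


def decode(blob):
    """The bot's decode(): strip spaces, then base64-decode."""
    return base64.b64decode(blob.replace(" ", ""))


DEMO_KEY = decode(KEY_FRAGMENT_B64) + b"E"  # constructed stand-in key (see note above)


def offset_byte(key, i):
    # PHP: substr($key, ($i % strlen($key)) - 1, 1). For $i = 0 the start is -1,
    # which substr (like Python indexing) treats as the last byte of the key.
    return key[(i % len(key)) - 1]


def decrypt_settings(enc_b64, key=DEMO_KEY):
    """Mirror of decrypt_settings(): base64-decode, then subtract the key byte."""
    data = base64.b64decode(enc_b64)
    # chr(ord($c) - ord($k)) in PHP wraps modulo 256, hence the mask
    return bytes((c - offset_byte(key, i)) & 0xFF for i, c in enumerate(data))


def encrypt_settings(plain, key=DEMO_KEY):
    """Inverse: add the key byte per position, base64-encode once at the end."""
    raw = bytes((c + offset_byte(key, i)) & 0xFF for i, c in enumerate(plain))
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    print(decrypt_settings("cqtrig=="))   # the page's sample: channel mode -x+i
    print(encrypt_settings(b"-x+i"))      # round trip back to cqtrig==
    sample = b"#chan key=example"          # constructed setting, not from the bot
    assert decrypt_settings(encrypt_settings(sample)) == sample
```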

Hopefully this week I'll be able to analyse the rest of the bot, but most of the hard work is now done by figuring out the encryption.

Hope this helps, have fun 🙂

Windows Explorer DoS

An exploit exists in Windows Explorer when processing a crafted GIF file.

When read from disk, the file will cause a Denial of Service for explorer.exe

Source code available at:

Movie of compiling and exploiting:

Compiling Rainbowcrack on Linux

For those unfamiliar with rainbow tables check out:


Rainbowcrack is typically a Windows-based package, however as my server runs Linux and runs constantly, I thought I would try to use the source package to compile it on Linux. My server currently runs Ubuntu 7.04, however the distro shouldn't matter greatly.

Compiling Rainbowcrack under Linux isn't hard, however it's not as point-and-click as on Win32, and as the default makefile.linux packaged with the source didn't work for me, I thought I would fix it up for others wishing to run it on Linux.

There are two ways of compiling Rainbowcrack under Linux, one easy way and one hard way. I chose the hard way, not knowing that there was an easy way, however I will only outline the easy way.

Before compiling the source, you must have gcc and/or g++, openssl, libssl and libssl-dev installed. You must also have the source for openssl. Whether these are installed by rpm, a package manager or compiled from source doesn't make any difference, as I successfully did both and they worked.

Firstly put the unzipped Rainbowcrack source in the same directory as the untarred/unzipped openssl source. Next edit (vi/gedit) the makefile.linux in the rainbowcrack-??-src/src directory so that it reads:

all: rtgen rtdump rtsort rcrack

rtgen:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp RainbowTableGenerate.cpp -lssl -O3 -o rtgen

rtdump:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp RainbowTableDump.cpp -lssl -o rtdump

rtsort:
	g++ -I ../../openssl-0.9.8e/include Public.cpp RainbowTableSort.cpp -o rtsort

rcrack:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp HashSet.cpp MemoryPool.cpp ChainWalkSet.cpp CrackEngine.cpp RainbowCrack.cpp -lssl -O3 -o rcrack

Pretty much we're just defining the include path for openssl in the compilation process. If you're using a different directory structure just adjust the ../ as necessary.

If you run the file directly as a shell script rather than through make -f makefile.linux, you will most likely see errors like line 2: all:: command not found, repeated for rtgen, rtdump, rtsort and rcrack; don't worry, the g++ lines still run and everything is built, it's just the way the makefile is set up.
Also, if you receive errors like /usr/bin/ld: cannot find -lssl and collect2: ld returned 1 exit status, it means that you did not install libssl or libssl-dev.