AWG Blogs

Saturday, August 8, 2009

Hacking CAPTCHA

One way to hack one type of CAPTCHA is as follows:

Assuming the web app stores the CAPTCHA code in a session variable and only checks it for equality, you can use Paros Proxy to trap and alter the CAPTCHA URL in the image tag (assuming, once again, that this is how the image is displayed).

First clear all of the target website's cookies (including session cookies -- still not sure how to do this in IE), then open the target web page's form with Paros running and "Trap response" checked in the Trap tab. Edit or remove the link to the CAPTCHA image generator in the image tag, then click Continue. When the page loads, the CAPTCHA image will appear broken, indicating that the script which produces it never ran for this session and hence no security session variables were set. Finally, leave the CAPTCHA input box empty and submit. If all goes well the form will submit successfully.

The way to protect against this kind of attack is to set a second, secret session variable in the CAPTCHA-generating script and then check in the form validation that it is present: a submission is rejected whenever the CAPTCHA script never ran for that session, so an unset code can no longer compare equal to an empty answer.
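As an added illustration of that fix (example code, not from the original post), here is the equality-only check beside a hardened one. The session and form are plain dicts standing in for a framework's session store and POST data, and the key names are assumptions.

```python
import hmac
import secrets


def generate_captcha(session, code="7kq2x"):
    """What the image-generating script does server-side: store the expected
    answer and a second secret value proving this script ran for this session.
    (Key names and the sample code are constructed for the example.)"""
    session["captcha"] = code
    session["captcha_issued"] = secrets.token_hex(16)
    return code


def validate_vulnerable(session, form):
    """Equality-only check. If the image script never ran, the session has no
    'captcha' entry, so an empty answer compares equal to the missing code."""
    return session.get("captcha", "") == form.get("captcha", "")


def validate_hardened(session, form):
    """Requires the secret set by the CAPTCHA script, compares in constant
    time, and consumes the challenge so one code cannot be reused."""
    expected = session.pop("captcha", None)
    issued = session.pop("captcha_issued", None)
    answer = form.get("captcha")
    if expected is None or issued is None or not answer:
        return False
    return hmac.compare_digest(expected.lower(), answer.strip().lower())


if __name__ == "__main__":
    # Scenario from the post: image never generated, answer left empty.
    empty_submit = {"captcha": ""}
    print("vulnerable, no image:", validate_vulnerable({}, empty_submit))  # True
    print("hardened, no image:  ", validate_hardened({}, empty_submit))    # False
    sess = {}
    code = generate_captcha(sess)
    print("hardened, correct:   ", validate_hardened(sess, {"captcha": code}))
    print("hardened, replayed:  ", validate_hardened(sess, {"captcha": code}))
```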

(this advice is provided to assist newbie web developers with no guarantees. Malicious hackers and script kiddies are not welcome.)

Saturday, July 4, 2009

udp_scan on Debian 4

Download & Setup:

lftp -c 'open -e "mget port-scan*" ftp.porcupine.org/pub/security'
tar zxvf port-scan.tar.gz
cd port-scan
make CFLAGS=-D_BSD_SOURCE

There will be some errors.

Then, run udp_scan on target:
./udp_scan 10.10.10.10 1-1024

Note: udp_scan also comes with the SATAN package (and its successors).

Installing SATAN 1.1.1 on Debian 4.0

wget http://www.ibiblio.org/pub/packages/security/Satan-for-Linux/satan-1.1.1.linux.fixed2.tgz

unpack in /tmp and cd to satan-1.1.1

edit reconfig:

sed -i 's/version 5/v\(ersion \)\?5/' reconfig

if no dev environment:

apt-get install make
apt-get install build-essential

then:

perl reconfig
make linux

run:

./satan

Wednesday, July 1, 2009

vtund Experimentation part 3 - Bridging

Picking up from "vtund Experimentation part 2" we are going to set up the bridge interface, which will bridge tap0 and eth1 as depicted in http://blog.kovyrin.net/2006/04/05/connecting-two-remote-local-networks-with-transparent-bridging/ (although there it's eth0).

On both server and client sever the vtund connection (if any) and kill the vtund process.

On the server:
in the lion config of vtund-server.conf, replace
ifconfig "%% 10.1.0.1 netmask 255.255.255.0";
with the following lines:
ifconfig "%% up";
program "brctl addif br0 %%";
Comment out the route command.
Change the password (recommended).

On the client:
in the lion config of vtund-client.conf, replace
ifconfig "%% 10.1.0.2 netmask 255.255.255.0";
with the following lines:
ifconfig "%% up";
program "brctl addif br0 %%";
Change the password to the same as the server's (if changed on the server).

On the server:
in /etc/network/interfaces
remove the eth1 ip configuration, except for the line
auto eth1 # to bring up eth1
Add the br0 ip configuration:
iface br0 inet static
address 192.168.100.99
netmask 255.255.255.0
bridge_ports eth1

On the client:
in /etc/network/interfaces
remove the eth1 ip configuration, except for the line
auto eth1 # to bring up eth1
Add the br0 ip configuration:
iface br0 inet static
address 192.168.100.100
netmask 255.255.255.0
bridge_ports eth1

On both server and client bring up br0:
ifup br0

On the server:
vtund -n -s -f /etc/vtund-server.conf

Then on client:
vtund -n -f /etc/vtund-client.conf lion server_public_ip_address

With luck, a UDP connection (tunnel) will be initialized. From client you should be able to ping 192.168.100.99 (server's br0 ip address).

On the server, type
brctl show
results:

bridge name     bridge id       STP enabled     interfaces
br0             xxxxxxxx        no              eth1
                                                tap0


Now set up another machine on the 192.168.100.x network on either side and ping both machines from it. If the machines can't ping each other, ensure that the switch (vSwitch if in VMware) is set to Accept under Promiscuous Mode in the Policy Exceptions.

(see also Building Linux Virtual Private Networks (VPNs) on Google Books for example of the Ethernet Tunnel)

vtund Experimentation part 2

On both client and server:
start from a fresh stable Ubuntu (8.04 LTS) install and apply all updates.
then apt-get install bridge-utils (per http://blog.kovyrin.net/2006/04/05/connecting-two-remote-local-networks-with-transparent-bridging/)
then:
apt-get install uml-utilities
tunctl -u root -t tap0
ifconfig tap0 0.0.0.0 promisc up

then apt-get install vtun

modprobe tun

Then on server, copy /usr/share/doc/vtun/examples/vtund-server.conf to /etc
comment out: bindaddr { iface lo; };
in lion configuration:
change: "compress lzo:9;" to "compress no;"
change: "encrypt yes;" to "encrypt no;"
comment out firewall lines

Then on client, copy /usr/share/doc/vtun/examples/vtund-client.conf to /etc
edit /etc/vtund-client.conf: under the "lion" configuration, change "device tap1" to "device tap0"

Then on server:
edit /etc/network/interfaces:
auto lo
iface lo inet loopback

iface eth0 inet static
address public_ip_address
netmask public_mask
gateway public_gateway
auto eth0

Then on client:
edit /etc/network/interfaces:
auto lo
iface lo inet loopback

iface eth0 inet static
address public_ip_address
netmask public_mask
gateway public_gateway
auto eth0

Then on server:
vtund -n -s -f /etc/vtund-server.conf

Then on client:
vtund -n -f /etc/vtund-client.conf lion server_public_ip_address

With luck, a UDP connection (tunnel) will be initialized. From client you should be able to ping 10.1.0.1 (server's tun0 ip address).

Tuesday, June 30, 2009

Read latest log entries created on Linux

find / -name '*.log*' -mmin -3 -print0 | xargs -0 tail


This shows the tail (the last ten lines by default) of every log file on the machine that was modified in the last three minutes. The quoted pattern keeps the shell from expanding the glob, and -print0 with xargs -0 keeps file names containing spaces from being split.

Thursday, June 18, 2009

Ubuntu Default Gateway

auto eth0 -- sets eth0 to come up on /etc/init.d/networking restart

tip: put auto eth1 before auto eth0 in /etc/network/interfaces in order to make eth0 the default gateway