2011-04-06

[en] a portscanner killer

Here is a small tool I wrote a while ago: ipqRST
To use it, rewrite your iptables rules, replacing -j DROP or -j REJECT on closed ports with -j QUEUE, and make sure that ipqRST2.pl runs as root somewhere (screen or nohup will help you).
Do not use it on open ports as you might disrupt your applications or open holes in your filtering policy!

How it works: when packets are received, the tool delays them a little before letting them go. Little by little, the RTT between the scanner and the target appears to increase.
This severely disrupts several well-known portscanners, which slow down to a crawl.
Nessus is immune to that, by the way...

You should not use this toy in production. Firewalls that return rate-limited ICMP packets are already very effective against portscanners, i.e. you should prefer iptables -j REJECT to iptables -j DROP.

2011-01-26

Crazy computer

Simplicime, formerly Débitel, was a phone operator of good taste: a bit cheaper than the big three, but above all, their contracts were understandable. I did not sign a 42-year commitment in my own blood, I will not sacrifice my firstborn to them, and I did not have to sell my soul to send half a dozen SMS a month.
Then, at the beginning of 2010, they had the bad idea of replacing a computer system that had been working until then. "If it ain't broken, don't fix it". From that moment on, the sales department went into a tailspin.
I started receiving reminders for an unpaid bill "of euros", and then, since I did not send a blank cheque, I received a formal notice with a listing at the GIE Préventel (the kind of thing that is very hard to get out of). For some reason, it did not make me laugh, and I fired off a scathing email to the sales department strongly advising them to put this crappy software out on the pavement before it sank their company. I never got an answer, but the system started working again. Could they have listened to my suggestions?

2010-12-05

[en] Watchdog on Jetway NC9C-550-LF mobo

A watchdog is available on the Jetway NC9C-550-LF mini-ITX motherboard. It is managed by the Super I/O chip, which appears to be a Fintek F71869.
Linux 2.6.36 supports some Fintek watchdogs; this small patch adds the F71869.

--- ./drivers/watchdog/f71808e_wdt.c 2010-10-20 22:30:22.000000000 +0200
+++ /tmp/f71808e_wdt.c 2010-12-05 01:19:48.819567802 +0100
@@ -52,6 +52,8 @@
#define SIO_F71882_ID 0x0541 /* Chipset ID */
#define SIO_F71889_ID 0x0723 /* Chipset ID */

+#define SIO_F71869_ID 0x0814
+
#define F71882FG_REG_START 0x01

#define F71808FG_REG_WDO_CONF 0xf0
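Review bot: the new `#define SIO_F71869_ID 0x0814` breaks the pattern of the surrounding ID defines: it lacks the `/* Chipset ID */` comment that the SIO_F71882_ID and SIO_F71889_ID lines carry and is separated from them by a blank line. Move it up into that block as `#define SIO_F71869_ID 0x0814 /* Chipset ID */`, directly after the F71889 line, so all supported chip IDs stay together.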
@@ -98,7 +100,7 @@
MODULE_PARM_DESC(start_withtimeout, "Start watchdog timer on module load with"
" given initial timeout. Zero (default) disables this feature.");

-enum chips { f71808fg, f71858fg, f71862fg, f71882fg, f71889fg };
+enum chips { f71808fg, f71858fg, f71862fg, f71882fg, f71889fg, f71869 };

static const char *f71808e_names[] = {
"f71808fg",
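Review bot: appending `f71869` to `enum chips` is only correct as long as `f71808e_names[]` is extended at the same position, since the two lists are kept in the same order; also, every other enumerator carries an `fg` suffix while this one does not, so the description should say whether `f71869` is the chip's actual name. The patch does not touch the driver's Kconfig help text, which lists the supported chips; a one-line mention of the F71869 there would help users find the driver.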
@@ -106,6 +108,7 @@
"f71862fg",
"f71882fg",
"f71889fg",
+ "f71869",
};

/* Super-I/O Function prototypes */
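Review bot: `"f71869"` is appended as the last entry of `f71808e_names[]`, matching its position at the end of `enum chips` in the previous hunk, which is what keeps the name lookup correct. Consider adding a compile-time size check (for example a `BUILD_BUG_ON` comparing `ARRAY_SIZE(f71808e_names)` with the number of enumerators) so that a future addition to one list but not the other fails to build instead of printing a wrong name.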
@@ -308,6 +311,10 @@
superio_set_bit(watchdog.sioaddr, 0x29, 1);
break;

+ case f71869:
+ /* GPIO14 --> WDTRST# */
+ superio_clear_bit(watchdog.sioaddr, 0x29, 4);
+ break;
default:
/*
* 'default' label to shut up the compiler and catch
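Review bot: the new `case f71869:` uses `superio_clear_bit` on register 0x29 bit 4, whereas the case just above it uses `superio_set_bit` on bit 1 of the same register; the opposite polarity may well be right for this chip, but the `/* GPIO14 --> WDTRST# */` comment should cite the datasheet register and bit (and the bit's reset value) so a reviewer can verify that clearing it selects WDTRST# rather than the GPIO function. Also add a blank line between `+ break;` and `default:` to match the spacing of the other cases.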
@@ -708,6 +715,9 @@
case SIO_F71882_ID:
watchdog.type = f71882fg;
break;
+ case SIO_F71869_ID:
+ watchdog.type = f71869;
+ break;
case SIO_F71862_ID:
case SIO_F71889_ID:
/* These have a watchdog, though it isn't implemented (yet). */
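Review bot: the new `case SIO_F71869_ID:` routes the chip to the fully supported path rather than to the F71862/F71889 "not implemented" path below it, which is consistent with the pinmux setup added in the earlier hunk; but the post itself says the Super I/O only "appears to be" an F71869, so the description should state that the 0x0814 ID was actually read from the board and that the watchdog was seen to reset it before this is merged.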

2010-09-01

[en] Nessus "local checks" for Cisco IOS

Parsing the advisories in HTML was a huge pain in the back, but we have the scripts, at last.

2010-07-26

[en] new web application tests

New web application tests for Nessus:
Quicker tests based upon the result of torture_cgi_injectable_param.nasl:
  • Cross site scripting
  • Cookie manipulation
  • Header injections

2010-06-19

[en] nmap on a multihomed machine with "Linux advanced routing" -> fail

# nmap -sS scanme.insecure.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-19 18:34 CEST
nexthost: failed to determine route to scanme.insecure.org (64.13.134.52)
QUITTING!
# nmap -sT scanme.insecure.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-19 18:34 CEST
nexthost: failed to determine route to scanme.insecure.org (64.13.134.52)
QUITTING!
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.4.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.4.0     192.168.4.2     255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
81.57.108.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
#
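The failure is consistent with what route -n prints: the main table has no default (0.0.0.0/0) route, so a plain longest-prefix lookup for 64.13.134.52 finds nothing, while with policy routing the default route usually lives in another table selected by ip rule, which route -n does not display. The following is an added example, not part of the original post: it parses the table above (embedded as constructed sample input) and performs that lookup.

```python
import ipaddress

# Sample input, constructed from the `route -n` output quoted in the post.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.4.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.4.0     192.168.4.2     255.255.255.0   UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
81.57.108.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and column header
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def has_default_route(routes):
    """True if the table contains a 0.0.0.0/0 entry."""
    return any(net.prefixlen == 0 for net, _, _ in routes)


def lookup(routes, dst):
    """Longest-prefix match over the main table only; None when nothing covers dst.
    This is the case nmap reports as 'failed to determine route'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    print("default route in main table:", has_default_route(table))
    for dst in ("64.13.134.52", "192.168.4.7", "81.57.108.9"):
        hit = lookup(table, dst)
        print(dst, "->", "no route" if hit is None else hit)
```

Adding the default route to the main table (or pointing nmap at the interface with its -e option) avoids the lookup failure.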

2010-05-14

Vodafone Greece "Mobile Broadband on Demand"

Vodafone sells USB keys with 10 days of "unlimited" 3G access (fair use 10 GB). You'll only have GPRS in remote locations (like small islands).
Linux is officially unsupported.
On my Gentoo box, the key was recognized by the system and I did not even have to configure usb_modeswitch. Just in case, this cannot hurt:
  • in /etc/usb_modeswitch.conf
# Vodafone Mobile
DefaultVendor= 0x19d2
DefaultProduct= 0x2000
TargetVendor= 0x19d2
TargetProduct= 0x0063
MessageEndpoint=0x01
MessageContent="5553424308E0CC852400000080000C85000000240000000000000000000000"

  • in /etc/udev/rules.d/91-usb_modeswitch.rules
# Vodafone Mobile
SUBSYSTEMS=="usb", ATTRS{idVendor}=="19d2", ATTRS{idProduct}=="2000", RUN+="/usr/sbin/usb_modeswitch"


All you need is the APN. I googled for it and found "internet" or "internet.vodafone.gr". Neither of them works.
The right APN is in fact web.session. No username/password.

The key's behavior is erratic, even under Windows. Once, I had to unplug it half a dozen times before it worked. I do not know whether the phone network or the hardware is responsible.

2010-05-03

[en] New Nessus web app tests

2010-03-02

[en] HMAP

HMAP is an HTTP fingerprinting tool that was written by Dustin Lee.
I slightly changed hmap.py (it raised an exception if the Server field was void) and collected several new signatures.
http://michel.arboi.free.fr/download/hmap.tar.gz

2009-12-14

[en] SQL injection test

Another blind SQL injector for Nessus.
It implements an old technique, but it may still be useful.
Unfortunately, it is limited to MS SQL, not-too-old MySQL, and very recent PostgreSQL.