all
On our environment we have several servers still using ldap for authentication and I need to filter ldap requests for 8 hours to have an overview on how many different accounts we may have exposed.
The issue is I cannot create captures that are too large. (Just for an example, using a filter to ldap port and marking the flags of a TCP request I barely can capture 3 minutes before my capture is hitting 100MB).
I wonder if there is a way to build a capture filter that would look for a HEX on the DATA part of the packet.
Does anyone have any clue on how I would be able to do that?
Currently I am using a capture filter like:
port 389 && tcp[13] == 24
and a display filter like:
ldap.bindRequest_element && ldap.messageID==1
Another issue is that doing this I couldn't come up with a script that would strip the username so I could inform all possibly compromised users to change their PWDs.
Thanks in advance
I found a way to do this.
Just for people that are still curious or would need something similar I used the following:
port 389 && tcp[((tcp[12:1] & 0xf0) >> 2) + 2:2] = 0x0201 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:1] = 0x01
This check the data part of the packet and since some of the bytes are always in the same position and are all the same for a ldap bind request with message id 1 I used that to build the filter.
Cheers.
Related
Ich have one assignment and I need a little help. I have infected.pcap and the following task:
Hardcoded IP addresses Sometimes, malware contains hardcoded IP addresses to download their payload or to communicate with their command and control (C&C) server. Find all such communication. Hint: Such IPs have no preceding DNS request.
I need to solve it with Bro script. This was my idea, but unfortunatelly all my connections have no DNS request:
#load base/protocols/dns/main.bro
event file_timeout(f: fa_file)
{
for ( cid in f$conns )
{
if(f$conns[cid]?$dns){
print f$conns[cid]$dns;
print "DNS";
}else {
print "No DNS";
}
}
}
Do you know maybe what is wrong with my code?
I would suggest that you're using the wrong event for this. The file_timeout only occurs if a file transfer was occurring and then stopped without completing. A much more interesting event correlation would be:
Track DNS address lookup responses (I would likely use event
dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a:
addr)).
Record the addresses returned in a set; this will provide
you a set of all addresses that were discovered through a DNS query.
Examine outbound requests (where orig_h on the SYN is an internal
address)
Check to see if the address in id$resp_h is in the set of
addresses step 2. If it is, return, if it isn't,
generate a notice since you have an outbound connection attempt with
no corresponding DNS lookup.
My apache server goes down when a random client starts al lot of GET for same url. The problem is it happens with unpredictable url paths. With fail2ban i can ban a predetermined url but not prevent it for unknown url paths. Is there a way to resolve this?
Depending on your Web Server, you should be able to scan your web server logs for GET requests and ban people who make too many of them within a specific time period. You just need to be careful to avoid banning legitimate users, so the frequency of allowable GET requests is something to fine tune carefully.
Create a new Jail Filter: sudo nano /etc/fail2ban/filter.d/GETFlood.conf
Define the regex you need for identifying GET requests based on the logs for your Web server. With a standard Apache access.log, it would be: failregex = ^<HOST>.*\s"GET\s.*$
Add an entry to your /etc/fail2ban/jail.local:
[getflood]
enabled = true
action = iptables-allports[name=getflood]
filter = getflood
logpath = /var/log/apache2/*access.log
maxretry = 30
findtime = 90
bantime = 604800
Here, we let any individual IP Address make up to 30 GET requests every 90 seconds. Again, without more details about your server, you'll need to play around with these timings to avoid banning legitimate users.
When I do something like this, apps/openssl s_client -connect 10.102.113.3:443 -ssl3, client-server communication is created using openSSL.
Now, I want to send application data from the client to the server. For example, after doing apps/openssl s_client -connect 10.30.24.45:443 -ssl3, I get something like this:
...certificate and session details...
---
GET /path/to/file
The GET /path/to/file all goes in one SSL record. I want to send it in multiple records.
I assume I have to edit apps/s_client.c, and find the place where the SSL_write or similar happens.
How do I go about something like that?
For a properly designed application the TCP packet sizes and SSL frame sizes should not matter. But there are badly designed applications out there which expect to get like the HTTP request inside a single read, which often means that it must be inside the same SSL frame. If you want to run tests against applications to check for this kind of behavior you either have to patch your s_client application or you might use something else, like
#!/usr/bin/perl
use strict;
use IO::Socket::SSL;
my $sock = IO::Socket::SSL->new('www.example.com:443') or die "$!,$SSL_ERROR";
print $sock "GE";
print $sock "T / HT";
print $sock "TP/1.0\r\n\r\n";
This will send the HTTP request header within 3 SSL frames (which might still get put together into the same TCP packet). Since on lots of SSL stacks (like OpenSSL) one SSL_read reads only a single SSL frame this will result in 3 reads necessary to read the full HTTP request.
Okay, I figured out that I needed to change the number of bytes I'm writing using the SSL_write.
This is a code snippet, starting at line 1662 of s_client.c:
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
{
k=SSL_write(con,&(cbuf[cbuf_off]), (unsigned int)cbuf_len);
.......
}
To make the application data be sent in multiple records instead of just the one, change the last parameter in the SSL_write.
For example, do this:
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
{
k=SSL_write(con,&(cbuf[cbuf_off]), 1);
.......
}
This will result in something like this:
Notice the multiple records for Application Data instead of just the one.
Hi am integrating with Sybase Mobile 365 Services and I have gotten submit_sm and deliver_sm to work fine. I am trying to get submit_multi to work, but no matter what I try I get back a Command Status = 11. Does anyone have any thoughts as to what that command status means? Why I would get that? I have tried different service types and everything else I can think of... with no success.
Thanks,
Stephen
Command Status = 11 (ESME_RINVDSTADR) means "Invalid destination address".
This mean that probably the the dest_address field in your submit_multi request is wrong.
The dest_address field for submit_multi should be a list of destination address structures as defined in SMPP 3.4 Specification - chapter 4.5.1.1.
The number of destination addresses in the list is set in the number_of_dests field.
Additionally, you could also check that the dest_addr_ton (Type of Number) and dest_addr_npi (Numbering Plan Indicator) are correct for each destination address. For more details about this check out this link.
Is there a way to display the system ip address and port number in a text box that is generated dynamically???
I want the system to put the ip address into a text box according to the machine.
Siddharth
Since you mentioned a text box, I can only postulate that you are talking about a web browser, and in that case 99.9% of the time you are talking about http and then 99.999% of the time a TCP connection. This means that your connection will have a 4-Tuple consisting of the source ip:port and the destination ip:port. In most cases the port numbers are fairly standard (80) for the destination (client).
Then you get into the very common issues of NAT and the like, so again I think you need to clarify what type of ip address you want. The publicly routable ip address is obtained server side and the LAN address will be obtained from the localhost.
For the more interesting case (publicly routable ip) I would just use a server side script (python, PHP, C, etc...) to read the incoming ip address and then use a little ajax to set the value of the text box. I did something similar for a project and it worked really well. Our client program was written in Python and C but this will give you an idea...
# Returns the client's public IP address (past any NATs)
def get_public_ip():
return urllib.urlopen('http://ddih.org/ip.php').read().strip()
I think something like set the inner html... from that webpage...
Hope this helps.
Your system does not have a port number. Port numbers are a software concept to differentiate different IP or UDP applications that might want to listen for connections on your IP address.
Also, it is quite possible to have more than one IP address. In fact, your system almost always has two if you count the loopback address (127.0.0.1). Even if you don't these days even many consumer PC's have multiple ethernet jacks.
You didn't say you were using Win32 so I don't know that it will be useful to you, but here's some code I wrote once that puts all local IP addresses (loopback excepted) into a an MFC CComboBox. It's a bit more C-ish than I'd like to see these days, but here it is.
size_t const Max_Expected_Addresses = 20; // Something rediculous
unsigned long IPADDRTBL_Size = sizeof(DWORD) + sizeof(MIB_IPADDRROW) * Max_Expected_Addresses;
PMIB_IPADDRTABLE IP_Address_Table = (PMIB_IPADDRTABLE) malloc (IPADDRTBL_Size);
if (GetIpAddrTable (IP_Address_Table, &IPADDRTBL_Size, TRUE) == NO_ERROR) {
for (DWORD i = 0; i < IP_Address_Table->dwNumEntries; i++) {
// Skip the loopback.
if (IP_Address_Table->table[i].dwAddr == 0x0100007f) continue;
if (m_IP_Address == "") m_IP_Address = String_Address(IP_Address_Table->table[i].dwAddr);
m_IP_Address_List.AddString (String_Address(IP_Address_Table->table[i].dwAddr));
};
}
m_IP_Address_List is an MFC control defined as a CComboBox which gets filled in by this snippet.
m_IP_Address is a CString tied to an MFC textbox control (IIRC) which I use to store the currently selected (or first found on startup) IP address.