Favorite scripts and hacks?

SocialEngineer · 02-22-2005, 08:08 PM

Anybody here have any favorite scripts/hacks they'd like to share?

I picked up a good one from Hacking: The Art of Exploitation, for defending from port scans.

Code:

#!/bin/sh
HOST="192.168.0.189"
/usr/sbin/tcpdump -e -S -n -p -l "(tcp[13] == 2) and (dst host $HOST)" | /bin/awk '{
# Output numbers as unsigned
  CONVFMT="%u";

# Seed the randomizer
  srand();

# Parse the tcpdump input for packet information
  dst_mac = $2;
  src_mac = $3;
  split($6, dst, ".");
  split($8, src, ".");
  src_ip = src[1]"."src[2]"."src[3]"."src[4];
  dst_ip = dst[1]"."dst[2]"."dst[3]"."dst[4];
  src_port = substr(src[5], 1, length(src[5])-1);
  dst_port = dst[5];

# Increment the received seq number for the new ack number
  ack_num = substr($10,1,index($10,":")-1)+1;
# Generate a random seq number
  seq_num = rand() * 4294967296;

# Precalculate the sequence number for the next packet
  seq_num2 = seq_num + 1;

# Feed all this information to nemesis
  exec_string = "nemesis tcp -fS -fA -S "src_ip" -x "src_port" -H "src_mac" -D "dst_ip" -y "dst_port" -M "dst_mac" -s "seq_num" -a "ack_num;

# Display some helpful debugging info.. input vs. output
  print "[in]  "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10;
  print "[out] "exec_string;

# Inject the packet with nemesis
  system(exec_string);

# Do it again to craft the second packet, this time ACK/PSH with a banner
  exec_string = "nemesis tcp -v -fP -fA -S "src_ip" -x "src_port" -H "src_mac" -D "dst_ip" -y "dst_port" -M "dst_mac" -s "seq_num2" -a "ack_num" -P banner";

# Display some helpful debugging info..
  print "[out2] "exec_string;

# Inject the second packet with nemesis
  system(exec_string);
}'

scott_R · 02-23-2005, 05:21 AM

I'd probably post this in programming, just because it's not general enough to attract much attention from most users.

SocialEngineer · 02-23-2005, 08:40 AM

Yeah, didn't realize that. I guess if a mod decides to move it, that's cool.

tangle · 02-23-2005, 09:07 AM

I like this one.

Code:

The following is a script that I add to the beginning of /etc/profile.  While 
the script is a nice idea, it's very easy for someone to avoid .  I've never 
had any of my systems cracked since I've started using it, so I have no idea 
if this script will actually stop anyone.  It would most likely catch someone 
in the act, after they exploited a security hole, but before the system has 
been r00ted.  A r00ted system wouldn't even bother reading /etc/profile.


-- Begin script added to /etc/profile --
# Kick and ban users that are UID 0 but are NOT root!
if [ `id -u` = "0" -a `echo $USER` != "root" ]; then

  # Lock the user out 
  passwd -l $USER

  # Save some info
  date >> /root/SHIT
  netstat -apent >> /root/SHIT
  ps auxww >> /root/SHIT
  w >> /root/SHIT
  
  w | mail -s "$USER has gained ROOT access" root@localhost

# Let EVERYONE know
wall << EOF

***********************************************************

          $USER has gained ROOT access!!!

***********************************************************

EOF

  for i in `ls /dev/pts/`; do
    echo -e "\n$USER has gained ROOT access!!\n" >> /dev/pts/$i
  done

  # Log it 
  logger -is -f /var/log/messages "$USER has gained ROOT access!!"

  # Let the luzer know
  echo -e "\a\n\n You are _NOT_ root!!\\n\n\a"

  # Kill the user and his processes
  skill -9 -u $USER
  
  ifconfig eth0 down
  
  # This should be redundant
  logout 
  exit
fi

# Attempt to catch those that su
alias su="su -"
-- End script added to /etc/profile --

XavierP · 02-23-2005, 10:15 AM

Moved to Programming. Note to all: if you see a post which you think should be moved, click the link which reads "Report this post to a moderator". No one gets a slap for genuinely reporting a post, even if we disagree.