Category Archives: Code

Code of course.

Code, Posts

Blocking your wp-admin log in page from strangers..

Leave a comment 
######Redirect strangers away from the page#######

  $client = $_SERVER['REMOTE_ADDR'];
  $reg = "/192\.168\.10\.*/";
  $home = `printf $(cat /location to where you can get your WANIP/)`;

  if (preg_match($reg, $client))
   {
        echo "";
   }
  elseif (mb_ereg($home, $client))
   {
        echo "";
   }
  else
   {
     header("Location: http://yoursite");
   }

Wanting to cut off access from strangers to my wp-admin login page, I spent a night toiling around with a few possible solutions, while repairing a laptop for a client, whom was quite computer illiterate. I would consider myself illiterate in the sense of programming in assembly language. Ergo, at some level, in all things we are ignorant, which is the deviated point I’m trying to establish. Sorry to meander..

Considering the fact that if you don’t have SSL setup on your server , and even if you do, you still are susceptible to MITM attacks via programs like Ettercap-ng, in certain scenarios. (i.e. Malicious networks) So for my own sense of peace, decided to block of access to the rest of the world to my wp-admin page. You might be able to still access it if you can modify your HTTP requests to make yourself look like me….

If you want to use this, I put this piece of code at about line 25, and I would test it from different proxies just to be safe. More info and tutorials to come.

Let me know if you have any questions, comments or concerns.

Code, Posts

Cool Perl prompt

1 Comment 
#!/usr/bin/env perl

do
  {
     print "perl#: ";
     chop($_ = <>);
     eval($_);
  }
while ($_ ne "exit")

There are times when I get an itching to start writing perl programs and tonight was no exception. I was curious as to how perl handled exceptions and so forth. After doing some reading on line I found a merely 9 lines of code that will serve you as an interactive perl prompt (think typing in python without any arguments.. and you’ll understand what I’m saying, or just give this piece of code a try yourself.)

http://feyd.ldc.usb.ve/docs/perl/practical-perl/www.cs.cf.ac.uk/Dave/PERL/node114.html

Code, Posts

mysqldict.py

Leave a comment

After taking a few months to dilly about with python and learn the ins and outs of it to a certain extent, I decided to write a program that does dictionary attacks on mysql.

Plain text:
http://zitstif.no-ip.org/mysqldict.txt

Tar archive:
http://zitstif.no-ip.org/mysqldict.tar
MD5Sum: f0e07ca29cc783c6c27f3829f579d37e

The beauty of this program, is that it actually does a test on the remote host and tells you whether or not that the remote host allows remote MySql authentication.

Here’s a quick peek of mysqldict.py in action used inside of a bash shell script (IP addresses hidden of course):

:~/for i in $(httplast | egrep -v "${WANIP}|127.0.0.1|192.168."  | awk '{print $1}' | sort | uniq); do nc -z -w1 ${i} 3306; if [[ "$?" == "0" ]]; then ./mysqldict.py -t ${i}; fi; done
mysqldict.py:
Port 3306 on 115.##.##.#1 appears to be open..
A connection has been made and here are the results of the test:
This host does not allow remote administration on MySQL
mysqldict.py:
Port 3306 on 62.##.##.#1 appears to be open..
A connection has been made and here are the results of the test:
This host is open to MySQL dictionary attacks!
mysqldict.py:
Port 3306 on 66.##.##.#1 appears to be open..
A connection has been made and here are the results of the test:
This host is open to MySQL dictionary attacks!

If you’re wondering what the command ‘httplast’ is, let me explain. I’m too lazy to type out: cat /var/log/apache2/access.log , so I created an alias to do handle this for me.

The tool itself, I feel is pretty self explanatory, but if you have any questions feel free to leave a comment or shoot me an e-mail.

Code

SSH2, How I love Thee

Leave a comment

A while ago, I read an article regarding SSH2 and an insecurity that it possessed. Being a person who depends on SSH2, I was highly intrigued about this insecurity.

The insecurity involves with the handling of credentials in memory when a client is connecting to an openssh server. When the client is authenticating to the server, on the server side, the password in memory is in clear text. So, this attack is merely a local one. For one to worry about this attack, they would have to have their openssh server compromised and the would attacker run the shell script that I wrote.

I’m not taking credit for the discovery of this flaw. I merely wrote a program to automate the capture of the ssh client’s credentials. Once I find the discoverer of the flaw, I will post it. Keep in mind that this program isn’t perfect, but it does work.

Here’s the program in plain text:
http://zitstif.no-ip.org/capturessh2.txt

Here’s the program in a tar file:
http://zitstif.no-ip.org/capturessh2.tar

MD5sum: f9ebfe85ff73641f06625a8c21261d4f

#Tested to work on SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
#Tested to work on SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
#Tested to work on OpenSSH 5.2 (protocol 2.0) Fedora 11

If you want to test this on your ssh server, first log into your ssh server and then execute the script with sudo.

Then posing as the victim yourself, login to the same ssh server and do your usual business and then log out.

In the attacker’s console, you will see the victim’s user name and password that the used to authenticate in the ssh server.

Also a quick side note, I’m reminded of a pretty nasty attack on ssh clients that can be performed with Ettercap. It’s known as a downgrade attack. Essentially, instead of the client authenticating through the Protocol 2.0 version of SSH, the attacker modifies the traffic in transmit and downgrades it to Protocol 1.0, which is susceptible to password sniffing via Ettercap.

Here’s a link to a tutorial on how to perform this attack:
http://openmaniak.com/ettercap_filter.php

This attack only affects servers that allow ssh 1.0 authentication, ergo it’s not a very high level of threat.

Code, Posts

ipchicken.py

Leave a comment

If you are one of the very very few to remember a shell script that I wrote a while back that let’s you know your WAN IP address from the command line (ipchicken), I wrote a replacement for it in python. I hope this is useful to you:

ipchicken.py

#!/usr/bin/env python
import re
import urllib
import socket
import sys

#Test that ipchicken.com is up#
var = socket.socket()
try:
        var.connect(('www.ipchicken.com', 80))
        var.close()
except socket.error:
        var.close()
        print "www.iphicken.com seems to be down.."
        sys.exit(1)

var = urllib.urlopen('http://www.ipchicken.com')
var = str(var.readlines())

reg = "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

for ip in re.findall(reg, var):
        print """Your WAN IP address is: %s \nBrought to you by www.ipchicken.com""" % ip
sys.exit(0)

Also, the beauty behind this, is that all you need is python and it should work on any operating system that supports python.

Of course, if you have dog for Linux, then you can get the same affect with just a quick one liner:

dog http://www.ipchicken.com | egrep -wo "[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"

http://www.google.com/search?hl=en&source=hp&q=dog+is+better+than+cat+linux&aq=f&oq=&aqi=