Author Archives: mcontino

External IP Address Lookup Service

Posted on by

As a penetration testing having the ability to easily preform an internet facing or external IP address lookup is very important. Weather you end up on a box in a clients DMZ or you just need to set up that handler for your social engineering engagement, being able to quickly get the IP makes things a lot easier. I for one, like to do a great deal of automation and I’ve used several of these external IP address lookup services over the years. However, as I’m sure many people are aware, these services some and go like the wind.

One of my favorites that I’ve come to relay on over the years is ifconfig.me. Not only did this external ip address lookup service have some of the coolest domain names ever, but it also responded very quickly via the terminal with just the IP; while offering additionally information if you viewed the web page directly. Needless to say, I kinda just fell in love and mindlessly used its services for over a year.

Sadly ifconfig.me and several other external IP address lookup services have since slowed to a crawl or been shutdown. Likely because they begin to receive heavy traffic once they take off and generate little to no revenue for the host. Nevertheless, I’ve decided that instead of finding a new external ip address lookup service to fall in love with, I would just piggy back off my blog to release my own simple version of the site. My goal being, to maintain the external IP address lookup service, via the terminal, that I’ve come accustom to using for scripting and automation.

So without further a due I give you hackersvanguard.com/ip.php, your one stop stop for external ip address lookup. I know some people like be wondering why the heck they would ever trust me so I’ve included the complete source code bellow.

 

<?php
function getIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check to see if the ip is internal
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //check and to if the ip is being properly proxied
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR']; //else use the value given in the remote ip address header
}
return $ip;
}
?>

NCL Summer 2015 Skyline Thoughts and Challenges Walk through

Posted on by

NCL recently ran a pilot to introduce there new skyline platform. Although this will likely be the NCL Summer 2015 competition i’ll be able to compete in, I wanted to give my honest opinion on the platform and walk through some of the challenges that I thought were well done.

Review:

First of all I find that this new Skyline platform had far better performance then old NCL scoring engine. This is likely due to the lower number of players in this summer round, but I hope the stability remains. Additionally, I thought the step by step approach with hints available will make challenges far more approachable to player who are new to the infosec competition space. My only real criticism would be the web app challenge, having it embedded into the skyline interface made it much harder to work with. In the further maybe still host web app challenges in AWS.

Challenges:

QR Code Images

There were really two very similar QR image challenges. These were among my favorite present, in this NCL round. Since some of the guided questions were very similar I will just cover them once. Now the latter image is given to you in 4 pieces and you are meant to use your forensic skills to reassemble the image based on some hex headers, footers, and commonalities. However, I just wrote a quick script to cat each of the files together in each of the possible permutations; then just opened the one that showed a valid thumbnail of the image.

What is the md5 hash of the image? In both chases the following command on that trust kali box will get you the

Webservers love Syn Cookies

Posted on by

In a few posts now, I’ve mentioned this concept of syn cookies. Syn cookies is a lesser known technique that allows for each incoming syn packet to be tagged with a unique identifier by the kernal. These identifiers are encoded into the TCP timestamp and then SYN is droped from the socket qeue.

This allows for these identifiers to be used to control the flow of a TCP communication. These cookies could be used for something as simple as killing outstanding sessions (which is does by defualt by removing them from the qeue) or as complex as load balancing active connections between servers in a web cluster (having multiple servers using the same encoding algorithm with an intermediate controling the flow). However, these days syn cookies are more often used to limit the amount of active connections are in the socket qeue, in an effort to stop DOS attacks.

This feature comes precompiled into Linux kernals 2.6+ and can be easily implemented.

To check and see if syn cookies is already enabled use the following command. Note, a 1 is enabled and a 0 is disabled.

cat /proc/sys/net/ipv4/tcp_syncookies

To enable syn cookies edit the /etc/sysctl.conf file and apend the following line.

net.ipv4.tcp_syncookies = 1

After the chnage, relaod the config file with the following command.

sysctl -p