I decided to play around with Spike fuzzer and encountered some weird errors during installation. I was using gcc 4.1.2.

gcc -ggdb -o generic_listen_tcp generic_listen_tcp.o dlrpc.o 
dlargs.o spike.o listener.o hdebug.o tcpstuff.o 
spike_dcerpc.o base64.o udpstuff.o spike_oncrpc.o -ldl -L. -ldlrpc
/usr/bin/ld: generic_listen_tcp: hidden symbol `__stack_chk_fail_local' in
/usr/lib/libc_nonshared.a(stack_chk_fail_local.oS) is referenced by DSO
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make: *** [generic_listen_tcp] Error 1

If you are also getting the same error, I would recommend that you do the following

SPIKE/SPIKE/src$ ./configure

Now open the Makefile in your favorite editor and edit the CFLAGS line to include the following option:

-fno-stack-protector

This is how my CFLAGS line looks like in the Makefile:

CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector

This should make it build fine (I do get a few warnings but that’s cool…it still does not result in a no-build.

It can get interesting to test the security of thick client applications. If you start debugging you could end up losing a lot of time with not too many results. Of course, time is always at a premium when you pen testing in a week long gig. There are a couple of tools that can really help you to gain insight into a thick client (i.e., an application written in a binary format such as an executable, ActiveX control, flash object, etc.) and communicating to a server using the client/server model.
The need for a proxy to hook into the communications is a prime need and EchoMirage can do a great job of hooking into function calls related to win32 sockets, openssl functions. You have to select an active process for Echomirage to inject into or you can even spawn a process from the menu options in EchoMirage itself. It’s a great tool with a built-in editor so you can edit the traffic. However, sometimes you have to be careful because it’s binary data that you are editing so while editing it is easy to mess up a few flags, etc.
Another great tool is actually a plugin for OllyDbg called UHooker that can let you specify which functions you want to place a hook into. You have to configure a binary editor of your choosing and the functions to be hooked into in a .cfg file. The documentation for Uhooker is located here.

I have used Michal Zalewski’s Ratproxy on Google code. I like it a lot. But I also like to have it on Windows. But it seems that the makefile that comes with ratproxy is not really compatible with cygwin.
If you have the gcc, make, openssl, openssl-dev packages installed on cygwin, all you need to do is remove the -Wno-pointer flag from the CFLAGS entry from the Makefile.
So my Makefile’s CFLAGS line looks like:

CFLAGS  = -Wall -O3 -D_GNU_SOURCE

I also replaced $(CC) with gcc just because I felt like it. 🙂
Compile it with make command.
Do not forget to dos2unix the ratproxy-report.sh otherwise you will get some errors with ‘\r’ and some other random stuff when you run the report generator shell scripts.
Run ratproxy as :
c:\tools\ratproxy>ratproxy.exe -p 8000 -v c:\testdir -w ratlog -d example.com -extifscfjmXCk
Once you have the log to generate a nice looking pretty report:
bash$ ./ratproxy-report.sh ratlog >reportname.html

Update 06/20/2012:
If you get the error shown below:
ratproxy.c: In function `listen_loop':
ratproxy.c:1635:5: error: incompatible type for argument 2 of `waitpid'
/usr/include/sys/wait.h:43:7: note: expected `__wait_status_ptr_t' but argument
is of type `unsigned int *'
Makefile:30: recipe for target `ratproxy' failed
make: *** [ratproxy] Error 1

Do the following:
1. Go to line # 1635 and change the line to while (waitpid(-1,(int*)&x,WNOHANG) > 0);
2. Goto the command line and type

make

You should be able to compile ratproxy.

The question was:
Question: This is semi-real. 🙁
140.197.217.85:10435
Password: 5fd78efc6620f6

When you would connect using netcat you would see a 9 numbers and a user PIN. This would repeat thrice and then you would have to choose the right pin for the fourth pair 6×6 matrix of numbers. My first reaction was either the PINS were constant or they were following a pattern. So I wrote up this quick python script to solve this puzzle which helped me understand the problem also.

#!/usr/bin/python
import socket, re, threading, time
 
lookupdict = []

def process_array_pin(fs,s):
	i = 6
	temp = ''
	pin = ''
	while i > 0:
		line = fs.readline()
		#print line
		#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
		test = re.split(' ',line)
		#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
		i = i - 1
		try:
			temp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
		except IndexError:
			pass
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
			#s.send('2\n')
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
	line = fs.readline()
	try:
		pin = re.match("..........User entered: (.*)", line).group(1)
	except:
		pass
	#pin = fs.readline()
	#print 'Line: '+line
	#print 'Pin is : '+pin
	strpin = re.sub(' ','',pin)
	#strpin = re.split(' ',pin)
	#lookupdict[temp] = strpin
	print 'Pin for : ' + temp+' is '+strpin+'\n'
	return temp,strpin
def play():
	global fs, s
	s = socket.create_connection(('140.197.217.85', 10435))
	fs = s.makefile()
	s.send('5fd78efc6620f6\n')
	print fs.readline()
	print fs.readline()
	print fs.readline()
	answer = []
	numTimes = 0
	while numTimes < 5:
		j = 3
		while j > 0:
			test = process_array_pin(fs,s)
			lookupdict.append(test[0])
			lookupdict.append(test[1])
			j = j - 1
			if j > 0:
				numlines = 3
				while numlines > 0:
					fs.readline()
					numlines = numlines - 1
		fs.readline()
		pindigits = list(lookupdict[1])
		#print pindigits
		pinpos = 0
		for num in pindigits:
			i = 0
			start = 0
			end = len(lookupdict[0])
			while i < lookupdict[0].count(num):
				indofinterest = lookupdict[0].find(num,start,end)
				#print 'index of interest '+str(indofinterest)
				if lookupdict[2][indofinterest] == lookupdict[3][pinpos]:
					if lookupdict[4][indofinterest] == lookupdict[5][pinpos]:
						answer.append(indofinterest)
						break
				i = i + 1
				start = indofinterest+1
			pinpos = pinpos + 1
		#print answer
		# Get question
		i = 6
		temp1 = ""
		while i > 0:
			line = fs.readline()
			#print line
			#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
			test = re.split(' ',line)
			#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
			temp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
			i = i - 1
		#fs.read(14)
		#fs.flush()
		print "Question : " +temp1+'\n'
		answerstr = ''
		count = 0
		for i in answer:
			answerstr += temp1[i]
			#print temp1[i],
			count = count + 1
			if count < 4:
				answerstr += ' '
			else:
				answerstr += '\n'
		print "Answer : "+answerstr
		s.send(answerstr)
		output = fs.readline()
		#output = fs.readline()
		print output
		if output.find('Sun') > -1:
			output = fs.readline()
		else:
			a = 10
			while a > 0:
				print fs.readline()
				a = a - 1
			#output = fs.readline()
			#print 'Inside else\n'
			#if output.find('NOVA') > -1:
			#	print 'NOVAFOUND!!!!!\n'
			s.send('2\n')
			print 'Sent last\n'
			a = 100
			while a > 0:
				print fs.readline()
				s.send('%d%n\n')
				a = a - 1
			#print fs.readline()
			break
		del answer[:]
		del lookupdict[:]
		del pindigits[:]
		numTimes += 1
	
	s.close()
#for i in range(2000):
#threading.Thread(target=play).start()
play()

The above file reads the numbers, filters out the formatting that adds color to the digits and picks out the indices that would be chosen as the key.

So to solve this, each pattern of digits had fixed matrix positions that would be chosen as the pin. Once you successfully solve the puzzle four time you are presented with an ATM screen as follows:

 ***NOVABANK ATM menu***

 Balance: $9238740982570237012935.32

 1) withdraw
 2) deposit
 3) transfer
 4) exit

 <disconnected>

The real part is the balance i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it at which time it worked.

This was a really cool problem. Thanks DDTEK.

If you’re like me and recently upgraded to Verizon FiOS and you have your PS3 on the wired segment and the Media Server (such as PS3 Media Server, TVersity, etc.) on the wireless segment, you’re in for a ride with the configuration.
By default, you can’t route the traffic between the wired and wireless segments over UDP! You can send ICMP echo packets (i.e., ping) but the PS3 just won’t detect the Media server. You may disable the Host-based firewall (e.g., Norton, Kaspersky, McAfee, etc.) but it still won’t work.

If you happen to read posts like these, you will see that you have to disable “IGMP proxy”. IGMP Proxy basically reduces the traffic on the multicast addresses to a bare minimum. Unfortunately for you, this causes the traffic between PS3 Media Server and PS3 to drop.

So you log into your FiOS router’s administration console typically located at 192.168.1.1. Click on Advanced -> Yes -> Firmware Upgrade and check the firmware version. You will see that it is an ActionTec router (based on the Auto-update URL). But nowhere do you see the option to update the “IGMP Proxy” settings. That’s because that feature is “hidden” in the latest firmwares.

So you just need to copy/paste the following URL into the browser address bar and you will see the option to disable “IGMP proxy”.
http://192.168.1.1/index.cgi?active_page=6059
Disable it and Voila! The PS3 Media Server and PS3 can now talk to each other.

I wanted to install Cisco VPN client on BackTrack3. You can get the Cisco VPN client source using the following command:
wget ftp://ftp.cs.cornell.edu/pub/rvr/upload/vpnclient-linux-4.8.00.0490-k9.tar.gz
tar zxvf vpnclient-linux-4.8.00.0490-k9.tar.gz
cd vpnclient/
wget http://tuxx-home.at/projects/cisco-vpnclient/vpnclient-linux-2.6.22.diff
patch < vpnclient-linux-2.6.22.diff
./vpn_install

I got this information from the following blog.
I ran into an error whereby the kernel sources were not found for the VPN client to install. I then got the BackTrack3 kernel sources.
cd /lib/
wget http://www.offensive-security.com/kernel.lzm
mkdir test
lzm2dir kernel.lzm test

Now go into the vpnclient directory and execute the following:
./vpn_install

Accept the defaults (except in my case I selected “No” on automatically start VPN client). When it asks for the sources point it to:
/lib/test/usr/src/linux-2.6.21.5

Then the VPN Client should compile without any issues. Then you just need to place your Cisco VPN client Profile (.pcf) in the /etc/opt/cisco-vpnclient/Profiles directory. You will need to first start the VPN client service first using:

/etc/init.d/vpnclient_init start

Once the service is started just connect using:

vpnclient connect mypcffile user test password <whatever>

Please note that the full name of the Profile file in the above case is mypcffile.pcf but I’ve deliberately excluded the .pcf extension.
This should work.

This is not a post but nostalgia. This post is actually a transcript of the first interview of my life. It was for a top Indian Software Consultancy Company (referred to as “XYZ” from now on). I remember that it was July 9th, 2001 and it was a really rainy day in Bombay. While coming to the college I was totally drenched and was looking rather distraught! I cleared the aptitude test and then came the Big One – The Interview!
I went to the interview thinking that i wanted to completely screw up the interview (coz I was interested in some other company) so i went there casually dressed with a demonic smile on my face >:-) . In hindsight, I think the way I appeared for this interview was really gutsy for me and I probably couldn’t have done that had I been craving to get a job in this company. Here is the transcript of the interview.

XYZ: So Mr Rajat … tell me about urself and ur family in *short*
Me : In the year 1980 i was born in allahabad and spent the initial yrs of mylife in blah blah blah ….and completed my schooling in Shree Ram Welfare Society’s High School, Andheri(W), Mumbai . therafter i went to Sathaye College….(blah blah blah) and i came to this college thinking that this college would be good.
XYZ: & how did u find this college?
Me : (thinkin for a while and then with a heavy heart ) ok !
XYZ: Rajat y did u chose our company (XYZ) instead of other companies.
Me : i did not choose XYZ i’ve just come for this interview ! In fact u guys have come to our college (for on-campus placements) i haven’t come for this interview.
XYZ: but would u like to join our co.?
Me: i’ve come for this interview ! what does this indicate to u?
XYZ: give me one reason why u want to join XYZ?
Me: i don’t want join XYZ… i’ll goto any other co. that comes next…as a matter of fact any other co. will take me!
XYZ: Mr Rajat in this form (these guys had given us a form to fill in whichwe were supposed to write the salary we desired which i forgot to fill… oops faux pas ? well not quite) which we have given to u , uhaven’t mentioned the salary u want…. what r ur expectations?
Me : I want more!
XYZ: MORE !%#$%$#$ y do u want more?
Me: because i know i’m worth it!
XYZ: u say so but it is for us to see whether u r worth it!
Me: put me to test and i’ll prove i’m worth it !
XYZ: but why do u want more ?
Me : everybody wants more so what is wrong if i want more!(the guy seems to be pissed off to my delight)
XYZ: but u must be having some expectations , don’t u?
Me : yes of course , i have . but u r not gonna live up to them. u had made it quite clear the salary u’ll be offering to us … so it doesn’t matter what my expectations are u r gonna give only what *you* want to give us , so there rests the matter.
XYZ: tell me about this person whom u know & works in XYZ.
Me : He is my cousin and he stays at andheri.
XYZ: so what have u heard from him about our co. ?
Me : NOTHING!
XYZ: but u might have heard something at least!!!!!
ME : we meet at social gatherings and the last thing we want to speak about is XYZ!!!
XYZ: ok tell me about ur project … this assembler
Me : blah blah blah
XYZ: ok … so in ur form u write u want “A GOOD NETWORKING PROJECT PREFERABLY BASED ON NETWORK SECURITY” . what do u know about networking?
Me : NOTHING!
XYZ: (a very surprised Mr. Sleepy said) NOTHING !?!? then how can u say u want a project in it?
Me: well , i’ve attended a few seminars @ IIT and it ensured me that that was the only field i’m interested in.
XYZ: then ur interest may change after studying the subject!
Me : No, it won’t change!!!!
XYZ: wat do u know bout networkin?
Me: latest happenings … blah blah blah
XYZ: suppose that we don’t have a project in network securities for you then what will u do?
Me: i have written that it is my ambition to work on a networking project…AMBITIONS ARE NOT ALWAYS FULFILLED.
XYZ: Rajat … there is a rule in ur college that if u get 1 co. u r noteligible for the rest.we offer u 16k .. so if tomorrow infosys comes and offers u 20k wat will u do?
Me : I WILL GO !!!!!
XYZ: u’ll go !?! that means you are after money ?
Me : who said that !? i never said that ! i want more money but more important than that is the work environment & the kind of projects i get. if i getbetter projects there i’ll go money is secondary but still important .
XYZ: (as if trying to juistify a lesser salary) u know rajat that on paper their (Infosys) salary may look large but 20% blah blah blah ….. 12.5 % blahblah blah …6% blah blah blah … (and lots more statistics which lasted foran eternity as far as my viewpoint goes)
XYZ: do u realise that XYZ has a 3yr. service agreement or u r chargedRs.50,000/- . what are your feelings about that?
Me : it is absolutely wrong.
XYZ: why?
Me: The word “bond” itself says that u r “bound” to the co. no matter what.
XYZ: that is why we don’t call it a “bond” we call it a “service agreement”.
Me: ok…that’s just another name for it. i personally think that instead of”binding” people to ur co. u should create such an environment that people like to stay in ur co. with their wishes and so the co. will benefit if peoplework with their wishes.
XYZ: do u havre any questions for us?
Me: yes , sir i do! in ur qns a few minutes back u mentioned infosys and in ur pre-placement talks u said u r no.1 software co. of india. how can u say thatwhen all that we see in the newspapers is infosys and with u comparing urself to infosys?
XYZ: infosys is 12% blah blah blah … 19% blah blah blah …(and lots morestatistics that made me feel as miserable as our indian cricket team witheverything out of control)does that answer ur qn?
Me: ya! sir may i ask another question ?
XYZ: ya sure! (with some uneasiness)
Me: sir, this yr. we have seen our seniors get whole lot of “back out” letters! what r ur feelings about that?
XYZ: OUR FEELINGS !!??!
Me: i mean r u people going to do the same with us?
XYZ: (i think this was it and he lost his complete cool and he pointed to me & said sternly) till this date our company has not given any “back-out” letters to anybody.
Me: Thank u .sir. it was a pleasure!

This was the first interview of my life and I ended up getting selected for this company. It was a great experience working there and I realized that money is not everything! At the end of it I think I was not rude but dangerously honest in giving my answers and this plan could have backfired on me but it didn’t … may be I was lucky or may be this was destiny!