JavaSnoop – Debugging Java applications

(Please note this post was published last 12th sept. 2012 in the Spanish version of this blog)

Recently we used a very interesting tool to analyze Java applets: JavaSnoop, developed for BlackHat USA 2010 by Arshan Dabirsiaghi. Broadly speaking, the tool allows us to adhere (attach) to a Java process or start it and intercept the calls made. In addition to intercept these calls and view its contents, we can change the arguments of the methods we are intercepting and modify the return value of the function.

Let’s see how to intercept a Java applet method:

1. Download the latest version of the application:

Note: It is recommended to install the application in a directory that does not contain spaces on Windows (eg C:\JavaSnoop).

2. Download the latest version of Java SDK (requires restart after installation).

3. Set the location of the JAD binary in ““Settings > Manage JAD > Set jad path””. Download from the author website. This will allow us to decompile the classes.

4. We make sure that the JAVA_HOME environment variable for our user is set.

5. To avoid problems with permissions when injecting, JavaSnoop contains in the Resources folder the file unsafe.policy. We copy this file to %USERPROFILE%\.java.policy. This directory should contain a file .java.policy. After our analysis is recommended to restore the initial configuration.

6. It is advisable to activate the Debug Console in Java and keep it active for messages.

7. It is very important the order in which JavaSnoop and the java application are started. With some applets is strictly necessary that JavaSnoop is running before launching the browser.

8. Once started JavaSnoop we use the feature “An existing process“. In this case we see the PID 184 which is an applet that we started in Internet Explorer. Then hit the Attach button to adhere to process 184:

9. Once we have adhered to the process, we will set a “New hook“. To do so, click on the “Add new hook“. If you still do not know what class and method you want to hook, go to Browse, what will open a new window where you can select the class you want.

Now we select the method we are interested in:

Once selected the class and the method, we go back to the main window:

In this window, if we have selected the method (point 1) we will be able to set the actions to be undertaken by JavaSnoop: print the parameters when the method is invoked, print the contents of the stack, modify the parameters that are passed to the function and the return values​​. (points 2 and 3).

10. We can also see features of the process that we have attached to in the Actions menu.

With these steps, you are ready to intercept any Java application in a simple and fast way.

Are you being spied by the chinese government?

(Update 20/feb/2013: New signatures added)

As many of you probably know, Mandiant has issued a report accusing the Chinese People’s Liberation Army of being behind the attacks that different companies, both American and other nationalities, have been suffering in recent years.

The report, which is accessible from its website, provides a variety of technical details and the body of evidence supporting the theory that the Chinese government is actually behind the attacks, as has been advocating for the past years. Although some security experts point to analytical flaws in the study by Mandiant (Mandiant APT1 Report Has Critical Analytic Flaws), I think that there is no doubt that China has cyber espionage programs via the Internet. Does that surprise you? Just as no one should be surprised, as pointed out by @antoniosanzalc on Twitter, that other militar powers such as Israel and U.S. have in place cyber espionage programs. Indeed, one might almost say that it would be unwise not to.

Returning to Mandiant report, annexes show information that could help identify infected systems or organizations, either by connecting to DNS systems, use of SSL certificates or other. Although it is possible that after the publication of the report —provided that the information and conclusions of Mandiant are true— the systems and resources used in the attacks are reduced drastically, based on the information of the annexes we have created a set of Snort signatures that can help identify circumstances and suspicious connection destinations, which can be downloaded from the link below.

Snort signatures from the Mandiant report: apt1-unit68398.rar

The signatures are based in the Mandiant Report annexes, and have been developed by S2 Grupo Security Area and more specifically by Roberto Amado and Raúl Rodriguez. To send any comments, questions, information or requests, use the comments or contact us at

Please note that we are not responsible for any undesirable consequences (increased alerts, etc.) that may cause the signatures provided. Your use of the signatures is at your sole risk.

Challenge: Where will the meeting take place? – Solution

A few days ago we published a new challenge in this blog. We need to get the exact point where the gang was going to meet, using one file that had been sent by one of the gang’s member and two SMS saved in the mobile phone of another gangster recently arrested. In this post we are going to explain the solution :)

If we analyse the captured file, we can see it is an encoded text in base64, but if we do the decoding, we get a new encoded file in base64. To solve this, we have to focus on the first SMS, that said: “Recuerda, la quinta es la importante.”, that translates to: “Remember, the fifth is the important.”, what means we have to decode five times to get the original file. So, the only thing we have to do is decode the files until the fifth decoding.

With previous steps we get the following GIF image: a Barcelona street map (city what can be easily identified because of the “Sagrada Familia”).

Now, if we try “Barcelona” in the first validator we see that we open the file and get the solution for the first part of the challenge.

If we analyse a little bit more this image, the only thing we can find is a comment what says there is nothing more around here, what means we have to keep searching in other place ;)

The next part of the challenge focuses in the content of the second SMS. It said: “Te esperamos en:uÖ%äFeM!”, that translates to: “We will wait you in:uÖ%äFeM!”. It seems to point us to the exact address of the meeting. The problem lies in the text “uÖ%äFeM!”, because it does not look like a usual codification.

The clue in this case is the fact that we are working with an SMS text message. This messages use the GSM 3.40 specification, that establishes that the text messages will be encoded using PDU format.

Studying this format, we see the text characters are encoded with 7 bits instead of 8 in order to send longer messages. In the next image we can see how this codification works.

On the Internet, there are some sites which allow encode/decode PDU messages, thus using one of these (for example and getting the PDU codification of the second message, we get the hexadecimal chain “756E696F2C3743” (extracting the parts we don’t need: SMSC number, receiver’s number, length message, etc.). Decoding it to ASCII we get “unio,7C”. Now trying this result as a password in the second validator we can open it and check out the name of the address and the number where the meeting will be, getting the challenge solution :D

In this point concludes the solution for the challenge. Like always, congratulations to those people who solved the challenge and those who did not, I hope you have had a great time trying it ;)

Nmap –script http-joomla-brute. Where THC-Hydra doesn’t fit.

During a recent audit I wanted to try the strongness of the passwords used and I tried a simple dictionary attack against the login form of Joomla! just in case there was any account with one of those weak passwords. The form was as follows:

The method pointed by Rafa in is post: THC-Hydra: Obtaining user credentials by brute-force is fully valid for simple forms but in this case we can’t use it. If you look at the form HTML code we see that in addition to the parameters username and passwd, it has a hidden field that changes in each session. Let’s see the code:

We can see that the last field, which has a value of 1, consists of 32 hexadecimal digits that are generated every time, so we can not know a priori its value and include it the request for THC-Hydra. The petition using the above tool would be something (security parameter remarked in bold):

$ hydra -l admin -p admin1234 <server> http-post-form "/index.php:username=^USER^&

However, it will not work because the generated code is different every time, so the result will be a message “Invalid Token“. Because of this, and after several unsuccessful attempts trying to retrieve and include unsuccessfully that value in the THC-Hydra request, I jumped to nmap to see if there was any script that could help me in this situation.

Indeed, after searching for information on Google I found a script that seemed to do what I wanted: http-joomla-brute. I checked código“>the code and I saw that it was using the parameter “security token” to build the request, so I figured it would work in this situation.

if response.body then 
	_, _, security_token = string.find(response.body, '<input type="hidden" 
                                           name="(%w+)" value="1" />') 
if security_token then 
	stdnse.print_debug(2, "Security Token found:%s", security_token) 
	stdnse.print_debug(2, "The security token was not found.") 
	return false 

The above code searches the token in the form returned by the server and stores it in security_token, that will be used later to send the POST. Therefore, in case that the form includes this kind of safety mechanism we could use nmap as follows:

$ nmap -p80 --script http-joomla-brute --script-args 'userdb=user.txt,passdb=~/john-1.7.9/run/
brute.firstonly=true' <server>

Starting Nmap 6.00 ( ) at 2013-01-30 14:49 CET 
Stats: 0:07:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Stats: 0:09:06 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan 
NSE Timing: About 0.00% done 
Nmap scan report for <server> (192.168.XXX.XXX) 
Host is up (0.0038s latency). 
80/tcp open  http 
| http-joomla-brute: 
|   Accounts 
|     No valid accounts found 
|   Statistics 
|_    Performed 3546 guesses in 605 seconds, average tps: 5 

Nmap done: 1 IP address (1 host up) scanned in 604.97 seconds 

I hope it helps you and saves some time since I spent some time with THC-Hydra trying the tool to take that parameter automatically. However, if anyone knows another way to do this please say it in the comments.

Challenge: Where will the meeting take place?

After a while without proposing any challenge, we return with our research team, which believes to be really close to know the next gang’s meeting point that they have been investigating for the last few months.

Thanks to the last actions performed, our team got the following file: captured_file, which despite being coded, seems to provide the location about the place where the next exchange will be carried. In addition, in the arrest of one of the members who was going to participate in the exchange, the team got a mobile phone that had only two SMS in its memory.

[Read more…]

THC-Hydra: Obtaining user credentials by brute-force

(Please note this post was published last 4th february 2013 in the Spanish version of Security Art Work. See original post: THC-Hydra: Obtener credenciales de usuario por fuerza bruta)

THC-Hydra is a software used to crack login systems of different services such as HTTP, FTP, TELNET, IMAP, SMB, SSH, etc. in a very easy and fast way. Its latest version (7.4.2) was released last 7th January.

This tool has earned a great reputation thanks to its console mode both in Linux and Windows systems (also offering Linux users the option to use a graphical interface) and the possibility to execute the attacks using threads, giving the user the option to choose the number of threads used to perform the attack.

[Read more…]

Introduction to Darknets

A Darknet is a portion of network, a certain routed space of IP Addresses in which there are no active servers o services. I.e., externally no packet should be directed to that address space.

Therefore, any packet entering a Darknet should not be legitimate. It could reach it due to errors such as poor security policies or poor configuration (such as broadcast messages sent to a segment to which the issuer doesn’t belong). However, most of these packages would be associated to some action by a suspicious malware (see Responding to Zero Day Threats) or attacker who is in our network actively searching vulnerable devices.

If we install within our Darknet a server that collects, analyzes and processes the traffic entering it, it would help us to gather more information on the anomalous traffic / malware that may be circulating in the network infrastructure of our organization. This will allow us to reduce the number of false positives, detect attacks in real time and new attack trends making use of forensic analysis of the Darknet traffic.

We can monitor, among others, some strange behaviours, such as (see Aprendiendo del enemigo – Spanish) :

  • Suspicious traffic grouped by ports (TCP, UDP, ICMP, etc.) or related to certain services (SSH, FTP, WEB, etc), brute force attacks against services, scanning, DoS attacks, etc..
  • Specific attacks that use spoofing techniques.
  • IP addresses and domains blacklisted.
  • Certain patterns generated by malware (scans, increased traffic, unavailability of service, spread of worms, bots, etc.).
  • Botnet identification patterns inside and outside of P2 networks.
  • Possible malicious traffic to external networks
  • New attack trends.

From the project “The Darknet Project” by Team Cymru, we have a couple of practical examples of anomaly detection thru monitoring traffic from a Darknet. For example, we know that there are bots that exploit open shares of Microsoft Windows 2000. A common feature of such bots is the scanning of systems listening on port 445/TCP, and looking at the monitoring tools integrated in the collector server of the Darknet we can detect whether there has been a scan to the 445/TCP. Be this confirmed, it would be a warning as packets detected within the Darknet are not legitimate.

Another practical example is about the Slammer, which performs a DoS attack to SQL servers by sending multiple files with the worm code to port 1434. One symptom of the presence of Slammer is the significant increase in network traffic through UDP port 1434 (SQL Server Resolution Service Port). Detecting this in our Darknet would be a warning about the possible presence of the worm in our network.

In short, collecting data on all traffic will allow us to analyze patterns of interest and subsequently automate the entire process through an IDS installed (e.g.) on our collector server.

Before creating a Darknet in our organization it is important to consider, among others, these two aspects:

  • Define the characteristics of the network (topology, scope, visibility).
  • Define hardware and software to install, taking into account what type of data we want to collect, how we want to process it (traffic capture tools, traffic analysis tools, possibility of implementing honeypots, etc.) and the financial budget we have.

Creating a Darknet

  • The first step in the deployment of a Darknet is to place it in a right place, so you should choose a segment(s) of network IP addresses that will be routed to it. We recommend using an address space of at least /24 (the higher the reserved space the higher the visibility achieved).
  • The next step is to reserve physical and logical space for the Darknet. As Team Cymru points, you should not put a Darknet in the same collision domain or VLAN than other subnets; the objective of the Darknet is to supply us with reliable data, so it is important to avoid “poisoning” the Darknet with legitimate traffic nor is recommended to put the IP of the Darknet publicly visible on our DNS.

The CLCERT brings a darknet proposal would be similar to the following architecture (see Diseño e implementación de una Darknet para monitoreo de la red en Chile – CLCERT – Spanish):

  • Darknet Router : configured to forward all content that enters the Darknet. It will forward incoming traffic to the server collector of the Darknet. The router must be configured to accept only inbound traffic (traffic input) directed to Darknet, but not the inverse (output traffic). It must alert when it detects outgoing traffic from the Darknet (in this case, we have a ‘black hole’-type Darknet) since all traffic in the Darknet, as mentioned, is not legitimate. The router also must be configured for SNMP to provide traffic statistics —using tools such as MRTG— because new malware can be easily detected solely on the traffic statistics of the interface darknet.
  • Collector Server: This server will be connected to the Darknet and will analyze the traffic received. It would be interesting to install an IDS, a protocol analyzer, log analysis tools, and you can even think about implementing some type of honeypot, depending the installation of these tools on the type of analysis and processing that you want to perform.
  • Administrative Network: Network especially secured since it will continuously receive malicious traffic. It will also process the data received from the collector server, and generate statistics and reports on detected traffic.

In short, and since all traffic on the Darknet is potentially suspicious, it can be very useful to detect malicious traffic or device configuration anomalies in our organization.

If you are interested to pursue the subject, there are several projects related to darknets (also known as network telescopes; see Darknet y telescopios de red – Spanish) at a big scale whose main objectives are the monitoring of network traffic activity and detection of new trends in Internet:

Second-party audits: security in purchases and contracting (3)

In previous posts we saw a practical approach to the concept of auditing in general (currently only in Spanish) and then we discussed internal audits or first-party audits (currently only in Spanish). Let’s take now a leap, leaving the second-party audits for the next post and go directly to the third-party, external or certification audits.

Third party audits are carried out by certification authorities at the request of an organization. Its main purpose is to certify compliance with the requirements of a specific standard with the purpose to include the audited organization in a register or list of certified organizations. They are performed on a annual basis and, with some exceptions established by law, every organization, public or private, is free to choose to go through a certification process or not.

External audits are more centered in checking the efficacy in the way stated by the standard without getting into, usually, in issues related to efficiency and resource management. As we saw in the first-party or internal audits, the objectives are very different; in theory in an external audit it could be approved the use of cannons to kill flies.

As seen in the first post (currently only in Spanish) of the serie, for an audit to be carried out there are three essential ingredients:

  • High degree of preparation and training in auditing techniques along with good technical knowledge of the activities to be audited (aptitude).
  • Enough time, both a) prior to field work to prepare the site audit as well to b) carry it out in its entirety and then to document the results in a complete audit report appropriate to the objectives of the audit.
  • Professional pride (attitude).

These three ingredients are necessary but not sufficient by themselves and this applies to internal audits, second and third party audits. With missing only one of them the result of the audit may have limited value or even be useless.

From the point of view of the degree of training and experience of auditors, the processes and criteria used by certification bodies for qualifying auditors are often too lax in my opinion, since no previous great experience is required usually to audit a specific activity. Unfortunately, you may find auditors that are not experts in the activity they must assess, or that they have excessive bias towards those standards they know further. At the other extreme, it is noteworthy that there are auditors with extensive experience and knowledge that make audits a process that can be very profitable for the audited organization.

On the other hand, as we have already said in this blog, certification bodies face the target in a way contradictory to get new customers and keep the ones they have, while having to maintain a certain rigor in audits, what can make them to lose customers. Moreover, the current crisis has in many cases led to price discounts (and consequently to the number of days necessary established by the national accreditation bodies) that give auditors less time than the necessary to carry out their work.

On bad sized audits (I dare to say that almost always auditors would like to have more time than they usually have) and auditors that do not audit we discussed in this blog a few months ago so we will not extend.

To finish this post, indicate that one of the benefits that are attributed at the time to certification audits is precisely to provide confidence to lay the foundation of a solid business relationship and mutually beneficial relationship with certified suppliers. This would save both customers and suppliers dedications and costs associated with the second party audits, since it was assumed that a certified company had gone necessarily through an external audit. Objective not accomplished. I know of no single organization that was previously doing audits of its suppliers and that stopped to do so simply because the provider had achieved some sort of certification. That is: in practice, third party audits have failed to reduce the number of second party audits, just as expected.

Long life for the second party audits. Moreover, while this powerful technique of selection and performance monitoring of strategic suppliers is not well known nor is so widespread (excepting large corporations), the second party audit is of great interest, as it is shown it can provide high benefits in terms of improvement of the standards of quality and safety (and therefore costs).

The next post will be dedicated to that interesting and powerful management tool that are second party audits.

The result of pinging all the Internet IP addresses

In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

NETWORK /8 pongs answered % pongs answered
0.X.X.X 0 0,00% IANA – Local Identification RESERVED
1.X.X.X 1945822 11,60% APNIC ALLOCATED
2.X.X.X 3060724 18,24% RIPE NCC ALLOCATED
3.X.X.X 3 0,00% General Electric Company LEGACY
4.X.X.X 47999 0,29% Level 3 Communications, Inc. LEGACY
5.X.X.X 1476715 8,80% RIPE NCC ALLOCATED
6.X.X.X 41 0,00% Army Information Systems Center LEGACY
7.X.X.X 0 0,00% Administered by ARIN LEGACY
8.X.X.X 76429 0,46% Level 3 Communications, Inc. LEGACY
9.X.X.X 0 0,00% IBM LEGACY
10.X.X.X 3 0,00% IANA – Private Use RESERVED
11.X.X.X 0 0,00% DoD Intel Information Systems LEGACY
12.X.X.X 401646 2,39% AT&T Bell Laboratories LEGACY
13.X.X.X 635 0,00% Xerox Corporation LEGACY
14.X.X.X 2066669 12,32% APNIC ALLOCATED
15.X.X.X 10312 0,06% Hewlett-Packard Company LEGACY
16.X.X.X 18 0,00% Digital Equipment Corporation LEGACY
17.X.X.X 1897 0,01% Apple Computer Inc. LEGACY
18.X.X.X 25281 0,15% MIT LEGACY
19.X.X.X 0 0,00% Ford Motor Company LEGACY
20.X.X.X 2069 0,01% Computer Sciences Corporation LEGACY
21.X.X.X 0 0,00% DDN-RVN LEGACY
22.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
23.X.X.X 2119841 12,64% ARIN ALLOCATED
24.X.X.X 2854162 17,01% ARIN ALLOCATED
25.X.X.X 0 0,00% UK Ministry of Defence LEGACY
26.X.X.X 0 0,00% Defense Information Systems Agency LEGACY
27.X.X.X 1846998 11,01% APNIC ALLOCATED
28.X.X.X 0 0,00% DSI-North LEGACY
29.X.X.X 2 0,00% Defense Information Systems Agency LEGACY
30.X.X.X 3 0,00% Defense Information Systems Agency LEGACY
31.X.X.X 1444805 8,61% RIPE NCC ALLOCATED
32.X.X.X 6791 0,04% AT&T Global Network Services LEGACY
33.X.X.X 0 0,00% DLA Systems Automation Center LEGACY
34.X.X.X 73 0,00% Halliburton Company LEGACY
35.X.X.X 30637 0,18% Administered by ARIN LEGACY
36.X.X.X 447230 2,67% APNIC ALLOCATED
37.X.X.X 1909720 11,38% RIPE NCC ALLOCATED
38.X.X.X 176523 1,05% PSINet, Inc. LEGACY
39.X.X.X 393476 2,35% APNIC ALLOCATED
40.X.X.X 1165 0,01% Administered by ARIN LEGACY
41.X.X.X 1785846 10,64% AFRINIC ALLOCATED
42.X.X.X 905039 5,39% APNIC ALLOCATED
43.X.X.X 13447 0,08% Administered by APNIC LEGACY
44.X.X.X 70 0,00% Amateur Radio Digital Communications LEGACY
45.X.X.X 1 0,00% Administered by ARIN LEGACY
46.X.X.X 2658072 15,84% RIPE NCC ALLOCATED
47.X.X.X 11729 0,07% Administered by ARIN LEGACY
48.X.X.X 0 0,00% Prudential Securities Inc. LEGACY
49.X.X.X 1643097 9,79% APNIC ALLOCATED
50.X.X.X 2086304 12,44% ARIN ALLOCATED
51.X.X.X 0 0,00% UK Government Department for Work and Pensions LEGACY
52.X.X.X 102 0,00% E.I. duPont de Nemours and Co., Inc. LEGACY
53.X.X.X 3 0,00% Cap Debis CCS LEGACY
54.X.X.X 22092 0,13% Merck and Co., Inc. LEGACY
55.X.X.X 0 0,00% DoD Network Information Center LEGACY
56.X.X.X 22 0,00% US Postal Service LEGACY
57.X.X.X 6653 0,04% SITA LEGACY
58.X.X.X 2583602 15,40% APNIC ALLOCATED
59.X.X.X 1508086 8,99% APNIC ALLOCATED
60.X.X.X 1798876 10,72% APNIC ALLOCATED
61.X.X.X 1652124 9,85% APNIC ALLOCATED
62.X.X.X 1561085 9,30% RIPE NCC ALLOCATED
63.X.X.X 569208 3,39% ARIN ALLOCATED
64.X.X.X 1372940 8,18% ARIN ALLOCATED
65.X.X.X 1136397 6,77% ARIN ALLOCATED
66.X.X.X 1835266 10,94% ARIN ALLOCATED
67.X.X.X 2623277 15,64% ARIN ALLOCATED
68.X.X.X 2117113 12,62% ARIN ALLOCATED
69.X.X.X 2335093 13,92% ARIN ALLOCATED
70.X.X.X 1841378 10,98% ARIN ALLOCATED
71.X.X.X 4511701 26,89% ARIN ALLOCATED
72.X.X.X 3287369 19,59% ARIN ALLOCATED
73.X.X.X 3589118 21,39% ARIN ALLOCATED
74.X.X.X 2976565 17,74% ARIN ALLOCATED
75.X.X.X 3341673 19,92% ARIN ALLOCATED
76.X.X.X 2727681 16,26% ARIN ALLOCATED
77.X.X.X 3639746 21,69% RIPE NCC ALLOCATED
78.X.X.X 3505048 20,89% RIPE NCC ALLOCATED
79.X.X.X 3991921 23,79% RIPE NCC ALLOCATED
80.X.X.X 2325444 13,86% RIPE NCC ALLOCATED
81.X.X.X 2380619 14,19% RIPE NCC ALLOCATED
82.X.X.X 3540108 21,10% RIPE NCC ALLOCATED
83.X.X.X 3170669 18,90% RIPE NCC ALLOCATED
84.X.X.X 3276645 19,53% RIPE NCC ALLOCATED
85.X.X.X 2651705 15,81% RIPE NCC ALLOCATED
86.X.X.X 1740467 10,37% RIPE NCC ALLOCATED
87.X.X.X 3251776 19,38% RIPE NCC ALLOCATED
88.X.X.X 4356116 25,96% RIPE NCC ALLOCATED
89.X.X.X 2724476 16,24% RIPE NCC ALLOCATED
90.X.X.X 2344320 13,97% RIPE NCC ALLOCATED
91.X.X.X 2404688 14,33% RIPE NCC ALLOCATED
92.X.X.X 2556074 15,24% RIPE NCC ALLOCATED
93.X.X.X 2878139 17,16% RIPE NCC ALLOCATED
94.X.X.X 3165218 18,87% RIPE NCC ALLOCATED
95.X.X.X 3512883 20,94% RIPE NCC ALLOCATED
96.X.X.X 3490340 20,80% ARIN ALLOCATED
97.X.X.X 970326 5,78% ARIN ALLOCATED
98.X.X.X 4549209 27,12% ARIN ALLOCATED
99.X.X.X 1392114 8,30% ARIN ALLOCATED
100.X.X.X 128763 0,77% ARIN ALLOCATED
101.X.X.X 1290800 7,69% APNIC ALLOCATED
103.X.X.X 93789 0,56% APNIC ALLOCATED
104.X.X.X 0 0,00% ARIN ALLOCATED
105.X.X.X 462111 2,75% AFRINIC ALLOCATED
106.X.X.X 1197732 7,14% APNIC ALLOCATED
107.X.X.X 300499 1,79% ARIN ALLOCATED
108.X.X.X 2426908 14,47% ARIN ALLOCATED
109.X.X.X 2469363 14,72% RIPE NCC ALLOCATED
110.X.X.X 2454778 14,63% APNIC ALLOCATED
111.X.X.X 1903735 11,35% APNIC ALLOCATED
112.X.X.X 2968386 17,69% APNIC ALLOCATED
113.X.X.X 3079706 18,36% APNIC ALLOCATED
114.X.X.X 2800478 16,69% APNIC ALLOCATED
115.X.X.X 2837602 16,91% APNIC ALLOCATED
116.X.X.X 1915863 11,42% APNIC ALLOCATED
117.X.X.X 2128063 12,68% APNIC ALLOCATED
118.X.X.X 2896711 17,27% APNIC ALLOCATED
119.X.X.X 3060064 18,24% APNIC ALLOCATED
120.X.X.X 1199805 7,15% APNIC ALLOCATED
121.X.X.X 2665125 15,89% APNIC ALLOCATED
122.X.X.X 2168852 12,93% APNIC ALLOCATED
123.X.X.X 2687657 16,02% APNIC ALLOCATED
124.X.X.X 2493104 14,86% APNIC ALLOCATED
125.X.X.X 3002885 17,90% APNIC ALLOCATED
126.X.X.X 952186 5,68% APNIC ALLOCATED
127.X.X.X 0 0,00% IANA – Loopback RESERVED
128.X.X.X 773669 4,61% Administered by ARIN LEGACY
129.X.X.X 335098 2,00% Administered by ARIN LEGACY
130.X.X.X 480277 2,86% Administered by ARIN LEGACY
131.X.X.X 181065 1,08% Administered by ARIN LEGACY
132.X.X.X 235630 1,40% Administered by ARIN LEGACY
133.X.X.X 49242 0,29% Administered by APNIC LEGACY
134.X.X.X 288572 1,72% Administered by ARIN LEGACY
135.X.X.X 23972 0,14% Administered by ARIN LEGACY
136.X.X.X 116382 0,69% Administered by ARIN LEGACY
137.X.X.X 178580 1,06% Administered by ARIN LEGACY
138.X.X.X 81333 0,48% Administered by ARIN LEGACY
139.X.X.X 167798 1,00% Administered by ARIN LEGACY
140.X.X.X 293204 1,75% Administered by ARIN LEGACY
141.X.X.X 288597 1,72% Administered by RIPE NCC LEGACY
142.X.X.X 344687 2,05% Administered by ARIN LEGACY
143.X.X.X 81379 0,49% Administered by ARIN LEGACY
144.X.X.X 90422 0,54% Administered by ARIN LEGACY
145.X.X.X 200673 1,20% Administered by RIPE NCC LEGACY
146.X.X.X 257674 1,54% Administered by ARIN LEGACY
147.X.X.X 148189 0,88% Administered by ARIN LEGACY
148.X.X.X 78053 0,47% Administered by ARIN LEGACY
149.X.X.X 301946 1,80% Administered by ARIN LEGACY
150.X.X.X 96794 0,58% Administered by APNIC LEGACY
151.X.X.X 954773 5,69% Administered by RIPE NCC LEGACY
152.X.X.X 147825 0,88% Administered by ARIN LEGACY
153.X.X.X 44430 0,26% Administered by APNIC LEGACY
154.X.X.X 25662 0,15% Administered by AFRINIC LEGACY
155.X.X.X 64935 0,39% Administered by ARIN LEGACY
156.X.X.X 53951 0,32% Administered by ARIN LEGACY
157.X.X.X 78752 0,47% Administered by ARIN LEGACY
158.X.X.X 106178 0,63% Administered by ARIN LEGACY
159.X.X.X 159920 0,95% Administered by ARIN LEGACY
160.X.X.X 120077 0,72% Administered by ARIN LEGACY
161.X.X.X 83081 0,50% Administered by ARIN LEGACY
162.X.X.X 43521 0,26% Administered by ARIN LEGACY
163.X.X.X 161035 0,96% Administered by APNIC LEGACY
164.X.X.X 124244 0,74% Administered by ARIN LEGACY
165.X.X.X 130803 0,78% Administered by ARIN LEGACY
166.X.X.X 256189 1,53% Administered by ARIN LEGACY
167.X.X.X 46554 0,28% Administered by ARIN LEGACY
168.X.X.X 187654 1,12% Administered by ARIN LEGACY
169.X.X.X 79520 0,47% Administered by ARIN LEGACY
170.X.X.X 88594 0,53% Administered by ARIN LEGACY
171.X.X.X 855441 5,10% Administered by APNIC LEGACY
172.X.X.X 41571 0,25% Administered by ARIN LEGACY
173.X.X.X 3501677 20,87% ARIN ALLOCATED
174.X.X.X 2853025 17,01% ARIN ALLOCATED
175.X.X.X 2498128 14,89% APNIC ALLOCATED
176.X.X.X 2036792 12,14% RIPE NCC ALLOCATED
177.X.X.X 3759343 22,41% LACNIC ALLOCATED
178.X.X.X 4004355 23,87% RIPE NCC ALLOCATED
180.X.X.X 2598738 15,49% APNIC ALLOCATED
181.X.X.X 874733 5,21% LACNIC ALLOCATED
182.X.X.X 2167285 12,92% APNIC ALLOCATED
183.X.X.X 3074376 18,32% APNIC ALLOCATED
184.X.X.X 3082669 18,37% ARIN ALLOCATED
185.X.X.X 3806 0,02% RIPE NCC ALLOCATED
186.X.X.X 3650599 21,76% LACNIC ALLOCATED
187.X.X.X 4419158 26,34% LACNIC ALLOCATED
188.X.X.X 3966741 23,64% Administered by RIPE NCC LEGACY
189.X.X.X 5836526 34,79% LACNIC ALLOCATED
190.X.X.X 3628220 21,63% LACNIC ALLOCATED
191.X.X.X 1 0,00% Administered by LACNIC LEGACY
192.X.X.X 180470 1,08% Administered by ARIN LEGACY
193.X.X.X 627709 3,74% RIPE NCC ALLOCATED
194.X.X.X 526129 3,14% RIPE NCC ALLOCATED
195.X.X.X 899577 5,36% RIPE NCC ALLOCATED
196.X.X.X 230604 1,37% Administered by AFRINIC LEGACY
197.X.X.X 348981 2,08% AFRINIC ALLOCATED
198.X.X.X 499496 2,98% Administered by ARIN LEGACY
199.X.X.X 448530 2,67% ARIN ALLOCATED
200.X.X.X 1238090 7,38% LACNIC ALLOCATED
201.X.X.X 2910652 17,35% LACNIC ALLOCATED
202.X.X.X 850551 5,07% APNIC ALLOCATED
203.X.X.X 863842 5,15% APNIC ALLOCATED
204.X.X.X 506084 3,02% ARIN ALLOCATED
205.X.X.X 255758 1,52% ARIN ALLOCATED
206.X.X.X 436237 2,60% ARIN ALLOCATED
207.X.X.X 718085 4,28% ARIN ALLOCATED
208.X.X.X 935239 5,57% ARIN ALLOCATED
209.X.X.X 941352 5,61% ARIN ALLOCATED
210.X.X.X 892003 5,32% APNIC ALLOCATED
211.X.X.X 1475532 8,79% APNIC ALLOCATED
212.X.X.X 1285251 7,66% RIPE NCC ALLOCATED
213.X.X.X 1489497 8,88% RIPE NCC ALLOCATED
214.X.X.X 15 0,00% US-DOD LEGACY
215.X.X.X 0 0,00% US-DOD LEGACY
216.X.X.X 1391324 8,29% ARIN ALLOCATED
217.X.X.X 1721029 10,26% RIPE NCC ALLOCATED
218.X.X.X 1859314 11,08% APNIC ALLOCATED
219.X.X.X 1634348 9,74% APNIC ALLOCATED
220.X.X.X 1714546 10,22% APNIC ALLOCATED
221.X.X.X 2076679 12,38% APNIC ALLOCATED
222.X.X.X 2484533 14,81% APNIC ALLOCATED
223.X.X.X 1803849 10,75% APNIC ALLOCATED
224.X.X.X 0 0,00% Multicast RESERVED
225.X.X.X 0 0,00% Multicast RESERVED
226.X.X.X 0 0,00% Multicast RESERVED
227.X.X.X 0 0,00% Multicast RESERVED
228.X.X.X 0 0,00% Multicast RESERVED
229.X.X.X 0 0,00% Multicast RESERVED
230.X.X.X 0 0,00% Multicast RESERVED
231.X.X.X 0 0,00% Multicast RESERVED
232.X.X.X 0 0,00% Multicast RESERVED
233.X.X.X 0 0,00% Multicast RESERVED
234.X.X.X 0 0,00% Multicast RESERVED
235.X.X.X 0 0,00% Multicast RESERVED
236.X.X.X 0 0,00% Multicast RESERVED
237.X.X.X 0 0,00% Multicast RESERVED
238.X.X.X 0 0,00% Multicast RESERVED
239.X.X.X 0 0,00% Multicast RESERVED
240.X.X.X 0 0,00% Future use RESERVED
241.X.X.X 0 0,00% Future use RESERVED
242.X.X.X 0 0,00% Future use RESERVED
243.X.X.X 0 0,00% Future use RESERVED
244.X.X.X 0 0,00% Future use RESERVED
245.X.X.X 0 0,00% Future use RESERVED
246.X.X.X 0 0,00% Future use RESERVED
247.X.X.X 0 0,00% Future use RESERVED
248.X.X.X 0 0,00% Future use RESERVED
249.X.X.X 0 0,00% Future use RESERVED
250.X.X.X 0 0,00% Future use RESERVED
251.X.X.X 0 0,00% Future use RESERVED
252.X.X.X 0 0,00% Future use RESERVED
253.X.X.X 0 0,00% Future use RESERVED
254.X.X.X 0 0,00% Future use RESERVED
255.X.X.X 0 0,00% Future use RESERVED


We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Number of pongs answered Number of /24 networks
1 238877
2 138291
3 103826
4 84879
5 70612
6 68622
7 63042
8 62594
9 58333
10 55617
11 53531
12 52186
13 49189
14 47076
15 45662
16 44469
17 42722
18 41154
19 40506
20 41286
21 44013
22 39223
23 36442
24 35545
25 34471
26 33956
27 32876
28 32421
29 31634
30 31588
31 30484
32 30885
33 29614
34 29713
35 29065
36 28964
37 28204
38 28012
39 27586
40 27011
41 26751
42 26370
43 25801
44 25580
45 25302
46 25233
47 24642
48 24709
49 24396
50 24408
51 24086
52 24367
53 24158
54 24105
55 23730
56 23858
57 23725
58 23582
59 23626
60 23498
61 23583
62 23277
63 22940
64 22582
65 22202
66 22071
67 21547
68 21415
69 20912
70 20511
71 20155
72 19725
73 19194
74 18860
75 18930
76 18241
77 17725
78 17604
79 17134
80 17140
81 16573
82 16306
83 16177
84 15855
85 15660
86 15476
87 15457
88 15386
89 15039
90 14900
91 14802
92 14500
93 14100
94 14079
95 14019
96 13751
97 13409
98 13443
99 13240
100 13052
101 12727
102 12745
103 12143
104 12175
105 11793
106 11567
107 11502
108 11237
109 11088
110 10677
111 10621
112 10524
113 10353
114 10306
115 10048
116 9987
117 9798
118 9673
119 9747
120 9606
121 9398
122 9441
123 8991
124 9181
125 9095
126 8888
127 8556
128 8522
129 8406
130 8406
131 8267
132 8194
133 8252
134 8023
135 7910
136 7692
137 7643
138 7764
139 7566
140 7431
141 7403
142 7382
143 7512
144 7330
145 7261
146 7044
147 7078
148 7158
149 7210
150 6878
151 6941
152 6921
153 7072
154 6965
155 6919
156 6894
157 6909
158 7043
159 6816
160 6844
161 6892
162 6868
163 6958
164 6836
165 6905
166 6954
167 6917
168 7053
169 7005
170 6867
171 6931
172 6887
173 6849
174 6817
175 6781
176 6635
177 6630
178 6657
179 6514
180 6255
181 6310
182 6330
183 6134
184 5864
185 5680
186 5714
187 5559
188 5445
189 5415
190 5325
191 5211
192 5122
193 5110
194 4984
195 4939
196 4712
197 4549
198 4727
199 4582
200 4517
201 4550
202 4488
203 4442
204 4413
205 4210
206 4228
207 4182
208 4158
209 4137
210 4020
211 4013
212 3982
213 3941
214 3958
215 3978
216 3980
217 3924
218 3670
219 3690
220 3696
221 3620
222 3447
223 3483
224 3406
225 3387
226 3391
227 3193
228 3116
229 3233
230 3157
231 3123
232 3118
233 3278
234 3285
235 3430
236 3714
237 3922
238 4333
239 4594
240 5207
241 5740
242 6262
243 6736
244 7136
245 8169
246 9244
247 10536
248 11591
249 12330
250 12567
251 12092
252 9378
253 6096
254 3192
255 1481
256 467


We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Less significative byte of ip address Count of pongs
x.x.x.0 749789
x.x.x.1 2188704
x.x.x.2 1432608
x.x.x.3 1312164
x.x.x.4 1260519
x.x.x.5 1344259
x.x.x.6 1317523
x.x.x.7 1226345
x.x.x.8 1210025
x.x.x.9 1396354
x.x.x.10 1338214
x.x.x.11 1253251
x.x.x.12 1225913
x.x.x.13 1297186
x.x.x.14 1290901
x.x.x.15 1194033
x.x.x.16 1177008
x.x.x.17 1424293
x.x.x.18 1297307
x.x.x.19 1210971
x.x.x.20 1208820
x.x.x.21 1274382
x.x.x.22 1258630
x.x.x.23 1171451
x.x.x.24 1157615
x.x.x.25 1346065
x.x.x.26 1247689
x.x.x.27 1172728
x.x.x.28 1160244
x.x.x.29 1232213
x.x.x.30 1252088
x.x.x.31 1133193
x.x.x.32 1129206
x.x.x.33 1438811
x.x.x.34 1273545
x.x.x.35 1191265
x.x.x.36 1166209
x.x.x.37 1232786
x.x.x.38 1222823
x.x.x.39 1132063
x.x.x.40 1128406
x.x.x.41 1308812
x.x.x.42 1220378
x.x.x.43 1142863
x.x.x.44 1130136
x.x.x.45 1203766
x.x.x.46 1192938
x.x.x.47 1108922
x.x.x.48 1097390
x.x.x.49 1328159
x.x.x.50 1225132
x.x.x.51 1143527
x.x.x.52 1120597
x.x.x.53 1186295
x.x.x.54 1176274
x.x.x.55 1103437
x.x.x.56 1089146
x.x.x.57 1253521
x.x.x.58 1173048
x.x.x.59 1104981
x.x.x.60 1106008
x.x.x.61 1169959
x.x.x.62 1192879
x.x.x.63 1048740
x.x.x.64 1048258
x.x.x.65 1425598
x.x.x.66 1229128
x.x.x.67 1142903
x.x.x.68 1118736
x.x.x.69 1183038
x.x.x.70 1183928
x.x.x.71 1099966
x.x.x.72 1087771
x.x.x.73 1259314
x.x.x.74 1168810
x.x.x.75 1102380
x.x.x.76 1085211
x.x.x.77 1155721
x.x.x.78 1151672
x.x.x.79 1065110
x.x.x.80 1062766
x.x.x.81 1285575
x.x.x.82 1166756
x.x.x.83 1092135
x.x.x.84 1073821
x.x.x.85 1141621
x.x.x.86 1133532
x.x.x.87 1058285
x.x.x.88 1048255
x.x.x.89 1209209
x.x.x.90 1136792
x.x.x.91 1069963
x.x.x.92 1057058
x.x.x.93 1121637
x.x.x.94 1128962
x.x.x.95 1031653
x.x.x.96 1030381
x.x.x.97 1311889
x.x.x.98 1160407
x.x.x.99 1088350
x.x.x.100 1090587
x.x.x.101 1146524
x.x.x.102 1134417
x.x.x.103 1054936
x.x.x.104 1044601
x.x.x.105 1206107
x.x.x.106 1126080
x.x.x.107 1060212
x.x.x.108 1046358
x.x.x.109 1110790
x.x.x.110 1119034
x.x.x.111 1036203
x.x.x.112 1025151
x.x.x.113 1239712
x.x.x.114 1125907
x.x.x.115 1059326
x.x.x.116 1041760
x.x.x.117 1100008
x.x.x.118 1095607
x.x.x.119 1023199
x.x.x.120 1025290
x.x.x.121 1194711
x.x.x.122 1107546
x.x.x.123 1046629
x.x.x.124 1040910
x.x.x.125 1105172
x.x.x.126 1145872
x.x.x.127 985964
x.x.x.128 986104
x.x.x.129 1442315
x.x.x.130 1204525
x.x.x.131 1115891
x.x.x.132 1086213
x.x.x.133 1148537
x.x.x.134 1135487
x.x.x.135 1061941
x.x.x.136 1047919
x.x.x.137 1210584
x.x.x.138 1130277
x.x.x.139 1064659
x.x.x.140 1059272
x.x.x.141 1120880
x.x.x.142 1117912
x.x.x.143 1033455
x.x.x.144 1024556
x.x.x.145 1245701
x.x.x.146 1129222
x.x.x.147 1058225
x.x.x.148 1042170
x.x.x.149 1102226
x.x.x.150 1108112
x.x.x.151 1033029
x.x.x.152 1018604
x.x.x.153 1175163
x.x.x.154 1097739
x.x.x.155 1038438
x.x.x.156 1023688
x.x.x.157 1086790
x.x.x.158 1095228
x.x.x.159 996251
x.x.x.160 1001094
x.x.x.161 1276329
x.x.x.162 1128019
x.x.x.163 1050767
x.x.x.164 1031524
x.x.x.165 1092194
x.x.x.166 1086726
x.x.x.167 1013206
x.x.x.168 1002480
x.x.x.169 1166589
x.x.x.170 1087625
x.x.x.171 1023086
x.x.x.172 1007972
x.x.x.173 1071052
x.x.x.174 1072040
x.x.x.175 993387
x.x.x.176 983700
x.x.x.177 1193184
x.x.x.178 1081461
x.x.x.179 1014492
x.x.x.180 1007535
x.x.x.181 1063379
x.x.x.182 1056237
x.x.x.183 986611
x.x.x.184 974867
x.x.x.185 1130743
x.x.x.186 1054739
x.x.x.187 993950
x.x.x.188 988367
x.x.x.189 1047415
x.x.x.190 1076031
x.x.x.191 948336
x.x.x.192 946319
x.x.x.193 1293959
x.x.x.194 1108300
x.x.x.195 1036982
x.x.x.196 1012541
x.x.x.197 1070404
x.x.x.198 1062760
x.x.x.199 994345
x.x.x.200 1000985
x.x.x.201 1150214
x.x.x.202 1070547
x.x.x.203 1005395
x.x.x.204 990207
x.x.x.205 1055065
x.x.x.206 1053152
x.x.x.207 973577
x.x.x.208 964460
x.x.x.209 1173406
x.x.x.210 1070650
x.x.x.211 1002023
x.x.x.212 983619
x.x.x.213 1039752
x.x.x.214 1035196
x.x.x.215 969089
x.x.x.216 957765
x.x.x.217 1115906
x.x.x.218 1035071
x.x.x.219 972473
x.x.x.220 971376
x.x.x.221 1027993
x.x.x.222 1039586
x.x.x.223 943255
x.x.x.224 942572
x.x.x.225 1214697
x.x.x.226 1067487
x.x.x.227 995786
x.x.x.228 978545
x.x.x.229 1036333
x.x.x.230 1039868
x.x.x.231 973194
x.x.x.232 962046
x.x.x.233 1112893
x.x.x.234 1036105
x.x.x.235 976903
x.x.x.236 964068
x.x.x.237 1024653
x.x.x.238 1025546
x.x.x.239 948607
x.x.x.240 948034
x.x.x.241 1157102
x.x.x.242 1046467
x.x.x.243 977487
x.x.x.244 962750
x.x.x.245 1017034
x.x.x.246 1011215
x.x.x.247 948181
x.x.x.248 944969
x.x.x.249 1108805
x.x.x.250 1039464
x.x.x.251 995880
x.x.x.252 981302
x.x.x.253 1024893
x.x.x.254 1226421
x.x.x.255 679518


Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

Defenses against DHCP attacks

After reading @chemaalonso‘s post about DHCP Ack Inyector, I remembered my college years back in 2005 when you just needed to go to the library, plug-in your laptop to the network and voilà, just “listening” network traffic you saw all those vulnerable or misconfigured protocols such as STP, HSRP, DTP, etc..

Not only that. There wasn’t any type of control over the information the users could send, and using tools such as Gobbler, dsniff, ettercap, yersinia, etc., you could perform any man-in-the-middle attack. The most interesting part was that the networking devices used for traffic management were almost entirely Cisco. I.e. devices fully able to control and mitigate virtually most of these attacks, but that were configured to perform basic networking functions: routing, VLANS, ACL, QoS, etc. Either because of ignorance or carelessness, they were not being taken the performance that actually justified his acquisition.

Over time I have realized that this situation is quite common: it is really hard to find a company with strict configuration policies to secure the local network environment. I personally think that many organizations are unaware of the damage that a disgruntled employee could do in a network “poorly controlled”. Without using any sophisticated tools like Loki or Yersinia, it is possible to bring down an entire network with just a couple of packets. Using Scapy, you can perform MitM using ARP / DHCP / VRRP / HSRP or without much effort even more entertaining things like getting a pool of shells with Metasploit browser_autopwn and etterfilters.

[Read more…]