<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2-ppt DokuWiki" -->
<?xml-stylesheet href="http://carnivore.it/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="http://carnivore.it/feed.php">
        <title>carnivore news</title>
        <description></description>
        <link>http://carnivore.it/</link>
        <image rdf:resource="http://carnivore.it/lib/tpl/cvnews/images/favicon.ico" />
        <dc:date>2013-05-21T06:06:35+02:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="http://carnivore.it/2012/11/28/libnl_-_example_code"/>
                <rdf:li rdf:resource="http://carnivore.it/2012/10/12/python3.3_sendmsg_and_recvmsg"/>
                <rdf:li rdf:resource="http://carnivore.it/2012/05/15/embedding_python_cli_in_python_scripts"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/12/28/bpf_performance"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/12/27/linux_3.0_bpf_jit_x86_64_exploit"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/10/07/error_14077458_ssl_routines_ssl23_get_server_hello_reason_1112"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/08/27/sip"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/08/21/pnrp_for_you"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/06/12/the_mysql_cmdshelv"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/05/15/extending_dionaea"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/04/23/openssl_-_af_alg"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/04/19/rumors"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/04/13/convenience"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/04/01/april_fools"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/03/27/pnrp"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/01/24/django_postgres_xpath_xml_arrays"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/01/11/ore"/>
                <rdf:li rdf:resource="http://carnivore.it/2011/01/09/27c3_recommendations"/>
                <rdf:li rdf:resource="http://carnivore.it/2010/12/25/carniwwwhore_visuals"/>
                <rdf:li rdf:resource="http://carnivore.it/2010/12/06/man_starring_at_code"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="http://carnivore.it/lib/tpl/cvnews/images/favicon.ico">
        <title>carnivore news</title>
        <link>http://carnivore.it/</link>
        <url>http://carnivore.it/lib/tpl/cvnews/images/favicon.ico</url>
    </image>
    <item rdf:about="http://carnivore.it/2012/11/28/libnl_-_example_code">
        <dc:format>text/html</dc:format>
        <dc:date>2012-11-28T10:26:21+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2012:11:28:libnl_-_example_code</title>
        <link>http://carnivore.it/2012/11/28/libnl_-_example_code</link>
        <description>In case you need up-to-date information on the addresses assigned to your active interfaces, talking to the kernel is required, and libnl helps with understanding the kernel.

My case was as simple as it could be, live information of the active addresses on my interfaces.
Last time I had to do this, I ended up reimplementing my own caches, even though libnl provides caches already. Not really my fault, the cache infrastructure provided by libnl lacked some certain pieces at that point of time, but thin…</description>
    </item>
    <item rdf:about="http://carnivore.it/2012/10/12/python3.3_sendmsg_and_recvmsg">
        <dc:format>text/html</dc:format>
        <dc:date>2012-10-12T18:26:42+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2012:10:12:python3.3_sendmsg_and_recvmsg</title>
        <link>http://carnivore.it/2012/10/12/python3.3_sendmsg_and_recvmsg</link>
        <description>Starting with 3.3 python supports sendmsg as well as recvmsg.

Over the next lines, I'll outline how to use send/recvmsg on datagram sockets to

	*  receive the destination address of a received packet
	*  send a packet using a defined source address</description>
    </item>
    <item rdf:about="http://carnivore.it/2012/05/15/embedding_python_cli_in_python_scripts">
        <dc:format>text/html</dc:format>
        <dc:date>2012-05-15T20:56:09+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2012:05:15:embedding_python_cli_in_python_scripts</title>
        <link>http://carnivore.it/2012/05/15/embedding_python_cli_in_python_scripts</link>
        <description>Just in case you ever wanted to debug your python service interactively, and pdb did not do the job you've been looking for, how about the standard python interpreter on stdin?

The one below basically wraps PyRun_InteractiveOne via ctypes, sets some tty modes, things not that interesting, they just have to work.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/12/28/bpf_performance">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-28T02:33:57+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:12:28:bpf_performance</title>
        <link>http://carnivore.it/2011/12/28/bpf_performance</link>
        <description>about bpf

The BSD or Berkeley Packet Filter is a register-based filter evaluator and network tap invented in 1990 by Steven McCanne and Van Jacobson to replace the CMU/Stanford Packet Filter (CSPF) and Sun NIT filter technology with a faster alternative.
While bpf consists of two components, the filter evaluator and the network tap, we'll ignore the network tap and focus on the filter evaluator instead.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/12/27/linux_3.0_bpf_jit_x86_64_exploit">
        <dc:format>text/html</dc:format>
        <dc:date>2011-12-27T21:16:52+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:12:27:linux_3.0_bpf_jit_x86_64_exploit</title>
        <link>http://carnivore.it/2011/12/27/linux_3.0_bpf_jit_x86_64_exploit</link>
        <description>The bug is fixed already, so let's look into the details. For long conditional jumps the JIT compiler would create a jump offset that was off by one, so we would jump into the instruction instead of in front of the instruction.

Taking the filter which made me notice the problem:
"(tcp and portrange 0-1024) or (udp and portrange 1025-2048)"</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/10/07/error_14077458_ssl_routines_ssl23_get_server_hello_reason_1112">
        <dc:format>text/html</dc:format>
        <dc:date>2011-10-07T18:31:47+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:10:07:error_14077458_ssl_routines_ssl23_get_server_hello_reason_1112</title>
        <link>http://carnivore.it/2011/10/07/error_14077458_ssl_routines_ssl23_get_server_hello_reason_1112</link>
        <description>I've had some problems with ssl lately, here is what I found to be the problem/solution.

Problem

The problem is pretty easy, inability to access https services, mwanalysis.org may serve as an example here.

Python

I was able to reproduce the problem using python(3.2):</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/08/27/sip">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-27T15:21:46+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:08:27:sip</title>
        <link>http://carnivore.it/2011/08/27/sip</link>
        <description>Taking part in GSoC11, The Honeynet Project offered a project to improve dionaea's SIP stack. PhiBo, the student who got accepted on this project, had contributed to dionaea before, and even though I initially chose not to mentor the GSoC dionaea SIP project, given my lack of expertise in SIP, I've been working closely with him to make sure the final results are usable.

Working with him was fun, I think both of us have learned something and - even more important - the code written exceeded my ex…</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/08/21/pnrp_for_you">
        <dc:format>text/html</dc:format>
        <dc:date>2011-08-21T14:13:35+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:08:21:pnrp_for_you</title>
        <link>http://carnivore.it/2011/08/21/pnrp_for_you</link>
        <description>Given the code started rotting on my disk, I decided to put it on the interwebs.

I even wrote a README which covers some basic aspects.

For more information please refer to my first post on pnrp.


If you can make something of it - enjoy it.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/06/12/the_mysql_cmdshelv">
        <dc:format>text/html</dc:format>
        <dc:date>2011-06-12T13:29:38+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:06:12:the_mysql_cmdshelv</title>
        <link>http://carnivore.it/2011/06/12/the_mysql_cmdshelv</link>
        <description>I pushed some final mysql fixes for dionaea yesterday, and just had a look on the ore if there was some activity already.

Yes, there was some activity.


Some automaton connected to the database, and took some effort to upload 2 files - exactly what I was looking for.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/05/15/extending_dionaea">
        <dc:format>text/html</dc:format>
        <dc:date>2011-05-15T09:57:34+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:05:15:extending_dionaea</title>
        <link>http://carnivore.it/2011/05/15/extending_dionaea</link>
        <description>Even though there is little action on tcp/3306 I chose MySQL as a protocol to show how to extend dionaea.

Over the next lines, we'll implement parts of the MySQL wire protocol for a MySQL service using scapy.


MySQL

First, get the protocol documentation. In most cases the wire documentation is sloppily written, inaccurate overall and hard to understand, but it is the first thing to start with.
After reading the documentation, grab pcaps and see what wireshark makes of it, for MySQL there is a pca…</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/04/23/openssl_-_af_alg">
        <dc:format>text/html</dc:format>
        <dc:date>2011-04-23T16:35:16+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:04:23:openssl_-_af_alg</title>
        <link>http://carnivore.it/2011/04/23/openssl_-_af_alg</link>
        <description>Kernel 2.6.38 introduced an API to access the kernel crypto API from userspace. While there was a port of BSD's cryptodev for linux which basically provides the same functionality, the cryptodev code never made it into the mainline of the kernel.

Accessing the kernel's crypto API from userspace allows making use of crypto hardware, which can't be accessed from userspace directly. Hardware accelerated cryptography as provided by VIA Padlock and Intel AES-NI can be accessed from userspace directly…</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/04/19/rumors">
        <dc:format>text/html</dc:format>
        <dc:date>2011-04-19T20:18:10+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:04:19:rumors</title>
        <link>http://carnivore.it/2011/04/19/rumors</link>
        <description>[... and beer improves your driving skills!]

Twitter is key to spread rumors, nobody even asks for proof.

Given the current rumors about MS11-020 exploit code and malware in the wild, I've had a look at the ore.



attention please

While I could not confirm the rumors, I've found something of interest and asked the ml for assistance.

The usual suspect turned in bistreams, and as the hosts in question had many different bistreams on the day of the interesting attack pattern I received even wa…</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/04/13/convenience">
        <dc:format>text/html</dc:format>
        <dc:date>2011-04-13T08:47:27+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:04:13:convenience</title>
        <link>http://carnivore.it/2011/04/13/convenience</link>
        <description>dionaea does https, at least tcp/443 is open and you can establish a tls connection.
As you need certificates for ssl, and I felt it was easier to create a self signed certificate during startup than having to mess with openssl to create a self signed certificate, dionaea creates a self signed certificate for ssl services by default.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/04/01/april_fools">
        <dc:format>text/html</dc:format>
        <dc:date>2011-04-01T21:32:54+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:04:01:april_fools</title>
        <link>http://carnivore.it/2011/04/01/april_fools</link>
        <description>Inspired by the nature I decided to have an April fool this year.

In case you missed it, here is the backup.

I made use of the government provided material which is available at http://torrent-finder.com for reasons.


So for all in doubt, nothing was seized.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/03/27/pnrp">
        <dc:format>text/html</dc:format>
        <dc:date>2011-03-27T21:12:33+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:03:27:pnrp</title>
        <link>http://carnivore.it/2011/03/27/pnrp</link>
        <description>PNRP is the acronym for peer-name resolution protocol, so it basically maps names to addresses, like dns, but using a peer to peer network to publish, resolve and store the records.
On Windows, pnrp is even mapped into the regular domain space using .pnrp.net as suffix, so test.pnrp.net would be resolved within the PNRP cloud on Windows.
Contrary to DNS, records in the PNRP cloud are free of charge and everybody is allowed to publish every record without providing any information like WHOIS.

Fo…</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/01/24/django_postgres_xpath_xml_arrays">
        <dc:format>text/html</dc:format>
        <dc:date>2011-01-24T23:16:23+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:01:24:django_postgres_xpath_xml_arrays</title>
        <link>http://carnivore.it/2011/01/24/django_postgres_xpath_xml_arrays</link>
        <description>Having an XML field in your postgres database table, you may want to match something with xpath.
Unfortunately the result of the match is an ARRAY, and the django.db.backends.postgresql_psycopg2 engine does not convert it properly to a list of ElementTrees.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/01/11/ore">
        <dc:format>text/html</dc:format>
        <dc:date>2011-01-11T22:47:34+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:01:11:ore</title>
        <link>http://carnivore.it/2011/01/11/ore</link>
        <description>The ore has arrived. 


[picture of the ores arrival]

Ore is a public and registration-less version of the carniwwwhore web interface which is fed with the anonymous data gathered over xmpp.

The hardware is sponsored by Kaspersky.


Enjoy it.</description>
    </item>
    <item rdf:about="http://carnivore.it/2011/01/09/27c3_recommendations">
        <dc:format>text/html</dc:format>
        <dc:date>2011-01-09T16:14:51+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2011:01:09:27c3_recommendations</title>
        <link>http://carnivore.it/2011/01/09/27c3_recommendations</link>
        <description>The talks I attended over the wire, including links to the description and video and some comment on the content as I experienced it.

	*  mobile
		*  Running your own GSM stack on a phone Video
OsmocomBB - the Open source mobile communications BaseBand - is the first real step towards an open GSM stack, which can be used to mess with the GSM networks.
I read about the efforts early in 2010, and got the hardware supported by the software early. 
At this point you can make phone calls with the stack us…</description>
    </item>
    <item rdf:about="http://carnivore.it/2010/12/25/carniwwwhore_visuals">
        <dc:format>text/html</dc:format>
        <dc:date>2010-12-25T15:17:49+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2010:12:25:carniwwwhore_visuals</title>
        <link>http://carnivore.it/2010/12/25/carniwwwhore_visuals</link>
        <description>I felt carniwwwhore needs some visuals, so I've been playing with pychart lately, and I wanted to point out some aspects of the data which are easily accessible with carniwwwhore.

The data used here was gathered using the anonymous xmpp sensor network, which is not that exact a source, as users may nmap their own scanner for testing purposes, or fail to install properly.</description>
    </item>
    <item rdf:about="http://carnivore.it/2010/12/06/man_starring_at_code">
        <dc:format>text/html</dc:format>
        <dc:date>2010-12-07T00:06:12+02:00</dc:date>
        <dc:creator>Markus</dc:creator>
        <title>2010:12:06:man_starring_at_code</title>
        <link>http://carnivore.it/2010/12/06/man_starring_at_code</link>
        <description>trigger_cb

During the weekend I got some backtraces via email, indicating a problem in dionaea. The common thing in all of them was a reference to trigger_cb in the backtrace:


./dionaea(sigsegv_backtrace_cb+0x26)[0x418686]
/lib/libc.so.6(+0x33c20)[0x7faf9cdbbc20]
/lib/libglib-2.0.so.0(g_hash_table_destroy+0x9)[0x7faf9dbfa0a9]
/opt/dionaea/lib/dionaea/emu.so(emulate_ctx_free+0x170)[0x7faf98d528ea]
./dionaea(trigger_cb+0x44)[0x419128]
/opt/dionaea/lib/libev.so.3(ev_invoke_pending+0x61)[0x7faf9…</description>
    </item>
</rdf:RDF>
