All files are for educational and/or historic purposes only.
.########...######..########..########
.##.....##.##....##.##.....##.##......
.##.....##.##.......##.....##.##......
.########...######..########..######..
.##.....##.......##.##...##...##......
.##.....##.##....##.##....##..##......
.########...######..##.....##.##......

http://blacksun.box.sk
Lecturer: Mikestevens
Email: [email protected]
Lecture: Cable Modem Hacking

<Mikkkeee> k, mikestevens u want to begin second lecture?
<mikestevens> 3min
<Y0Yo> COME ON WITH 2ND LECTURE
*** Joins: Shad0wWa1
<Y0Yo> ::)
<mikestevens> ok ok
<mikestevens> I got my snackies
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> grin
<Matt> I've not finished my Weetabix :)(
*** Quits: freerider (Quit: Leaving)
*** Quits: Serial_Killer (Quit: off)
* DigitalFallout has his coochie
<mikestevens> Hacking @home cable for educational purposes only
<Guy_SJS> has anyone seen kript0n
<DigitalFallout> Edit that out by the way :)
<Guy_SJS> the REAL one
<mikestevens> lecture notes at http://blacksun.box.sk/test/cablem.txt
*** Joins: Guest6971990
<Sup|ED-209|Craft> ofcourze :D
<Matt> Hey mikestevens, I've decided you guys over there are a little out of it: you've got Diet Weetabix in the US!
*** Guest6971990 is now known as freeque_
<mikestevens> all these things were tried out on copperd and perfectly legal revenge for all those crackers
<Matt> heh
<DigitalFallout> Only in america would you get a SuperSized Big Mac Extra Value Meal but still get a diet coke
<Sup|ED-209|Craft> gimme food for my brain!
<mikestevens> anyways we all know cable is insecure
<mikestevens> we all hear it
<mikestevens> Is it true?
<Matt> all broadband is insecure
<mikestevens> Well at first I didn't think so.
<Sup|ED-209|Craft> yes mr.mikestevens :)
<mikestevens> When I got my cable modem I tried running a sniffer and got no one else's traffic
<mikestevens> secure eh?
<Mikkkeee> nope
<mikestevens> well maybe a little
<mikestevens> but there are several problems
<Matt> in fact, the only thing secure is my Casio WX500... and I can lock that too
<mikestevens> lol
* Matt shuts up
<mikestevens> First we can steal unused IPs
*** Quits: bracaman (Killed (NickServ (GHOST command used by fedasdas)))
<mikestevens> this is on BSRF already, I think
<mikestevens> you can do this by really normal means
<mikestevens> even in windows
<Edrin> well, my locker in my case is quite safe, too...
<mikestevens> you can just set your IP to some unused one and get online most of the time
<mikestevens> sometimes you may have to reboot your CM because it can only hold but X many computers
*** Quits: Shad0wWa1 (Quit: Leaving)
<mikestevens> my cable modem, the SurfBoard 3100 (external), can only hold 6 MACs
<mikestevens> and is limited to 5 IPs with DOCSIS
<mikestevens> so, there are limits
<mikestevens> the cable companies could secure this up more
<mikestevens> so that theft would be impossible, but they seem to be lazy
<mikestevens> like what else is new
<mikestevens> anyone have the link for the BSRF doc on simple IP theft?
<mikestevens> anyways onto IP hijacking
<mikestevens> This is when some bastard you don't like has a lot of crackers and you want to impersonate them
<mikestevens> for you to hijack their IP they need to be on the same router, possibly the same port
<Edrin> btw:
* Edrin wonders if there is a way to take over a satellite...
<mikestevens> first you need to be on the same subnet
<mikestevens> brb
*** Quits: Obsidian (Quit: Leaving)
<Guy_SJS> geez
<Guy_SJS> he isn't supposed to leave in the middle of a lecture
<Sup|ED-209|Craft> Edrin: still didn't find your answer?
*** Joins: K1llabee
*** Joins: Marx-AWA
<Edrin> Sup|ED-209|Craft: have we met before?
*** Quits: freeque_ (Quit: i had it all logged as well, before my computer crashed. :/ nite nite all. will look out f)
<mikestevens> sorry
<mikestevens> doggie emergency
<Sup|ED-209|Craft> Edrin: no, but i saw your questions
<mikestevens> had to go out
<mikestevens> anyways
<mikestevens> first you need a host on the same subnet
<Edrin> mikestevens: heheh :)
<mikestevens> so you can get their MAC address
<mikestevens> very important
<mikestevens> so if you aren't on their subnet do this
<mikestevens> ifconfig eth0:1 24.x.x.65 broadcast 24.x.x.255 netmask 255.255.255.0
<mikestevens> make sure the IP is unused
<mikestevens> (see above stuff)
*** Guy_SJS sets mode: +v Prophecy2K1
<Prophecy2K1> thanx
<mikestevens> then you can see them as a local LAN user, and can get their MAC addy, very important
<mikestevens> next you want to use arpredirect from the dsniff package
<mikestevens> Registering 24.x.x.69 to our MAC
<mikestevens> arpredirect 24.x.x.69&
<mikestevens> tada
*** Joins: gUeSt51
<mikestevens> we are stealing them now
<mikestevens> this sends out bogus arp packets to our yet-to-be IP
<mikestevens> saying we are now them
<mikestevens> now you want to stop services, etc...
<mikestevens> take down eth0
<mikestevens> and bring it up again as their IP
<mikestevens> you should have no problems
<mikestevens> go in and add your default gateway again
<mikestevens> and start up your services
<mikestevens> tada
<mikestevens> you are them
*** Mikkkeee sets mode: +v TracerT
<mikestevens> Q&A time
*** mikestevens sets mode: -m
<Matt> whu
<Matt> it's that easy
<mikestevens> yup
<mikestevens> isn't everything
<mikestevens> any questions people?
* Matt trundles off to take down calbeinet.co.uk
<Sup|ED-209|Craft> Matt: i thought you were the big brain here :D
* Mikkkeee is editing the first lecture
<Ellis_D> hmm.. can you set up a place where we can try this out maybe?
<Mikkkeee> heh
<Edrin> isn't the only way to do this with windows by using the libpcap-clone winpcap? (i mean for the arp-fake maybe win2k can do it but win9x, too?)
<Matt> Sup|ED-209|Craft, broadband has never been heard of in the UK :(
*** Quits: Guy_SJS (Quit: Oogerbay)
<Frydo> where's the point in this exercise?
<Sup|ED-209|Craft> lol
<mikestevens> say copperd is giving out crackers
<mikestevens> and you don't like this
<mikestevens> and want him to stop
<mikestevens> and make him be nice
<TracerT> so there will be a lecture on ASCII
<TracerT> ?
<Leper> :)
<mikestevens> you would hijack copperd's IP
*** TracerT is now known as [T]racer[T]
<Matt> cheese crackers?
<mikestevens> and log onto IRC as him
<mikestevens> and start taking back all the crackers he gave out
*** Quits: SpiderMan (Ping timeout)
<mikestevens> and not impersonate an admin
*** Joins: ToRmEnThOr
<mikestevens> well anyways
<mikestevens> onto the cool part
*** Joins: MasJCrasJ
*** Joins: SpiderMan
*** ChanServ sets mode: +o SpiderMan
<mikestevens> intercepting downstream traffic
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> this is better than school lecture, why not make 'BSRF School'? :P
<mikestevens> first thing first
<Matt> mikestevens, are there any times when you can't become the stealer?
<Matt> bobbie: node position?
<Ralph> later
*** Quits: Ralph (Quit: Leaving)
<mikestevens> Matt: when you are not on the same router
*** Quits: K1llabee (Connection reset by peer)
*** MasJCrasJ is now known as _MasjCrasj-
<mikestevens> routers cover a lot of ground though
<mikestevens> usually a few mile range
<Sup|ED-209|Craft> mikestevens: so the data to the IP that is not being used, goes to the router?
<mikestevens> so people at school, neighbors, etc are all potential victims
<mikestevens> that slut next door
<mikestevens> etc...
*** mikestevens sets mode: -m
<Matt> mikestevens, I was under the impression most cable companies cluster their routers and create a mesh network?
<Sup|ED-209|Craft> later ppl
<mikestevens> Sup|ED-209|Craft: I don't really understand what you said
<Sup|ED-209|Craft> i will explain later
*** Quits: _MasjCrasj- (Quit: )
<mikestevens> Matt: they have local routers and link them with FDDI
<Sup|ED-209|Craft> later
*** Quits: Sup|ED-209|Craft (Quit: )
<mikestevens> then the FDDI ring goes to the local datacenter
*** Joins: nebunu
*** Quits: SileNceR (Ping timeout)
<mikestevens> anyways onto intercepting traffic if no one has any more questions / comments
*** mikestevens sets mode: +m
<mikestevens> ok
<mikestevens> first we need to know a little more about the network
<Matt> afk
<mikestevens> you have the cable router, your cable modem/router, and your PC
<mikestevens> the cable modem is nothing more than a bridge
<mikestevens> meaning it sees traffic on both sides and seamlessly forwards as needed
<[T]racer[T]> there gonna be a lecture on streamz here?
<[T]racer[T]> *stringz
*** Joins: K3rNEL[PAn1C]
*** Parts: nebunu
*** Joins: Pupp3tM
*** ChanServ sets mode: +v Pupp3tM
<mikestevens> the 3100 surfboard has a webserver which you can play with from inside your network
<mikestevens> http://192.168.100.1/
<mikestevens> I found the IP by sniffing
<mikestevens> and I saw IGMP traffic coming from that IP
<mikestevens> so I browsed to it
<mikestevens> anyways, the bridge is based on MAC addresses
*** Quits: Pupp3tM (Quit: )
<mikestevens> so if it sees your MAC behind the bridge it will let in traffic that is destined to that MAC
<mikestevens> the outside has no clue what is going on with the cable modem
<mikestevens> another issue
<mikestevens> not all cable modems will detect the MAC how mine does
<mikestevens> you may have to try arp packets to fool it into it
<mikestevens> I will provide both ways here
<mikestevens> so onto the interception
<mikestevens> first you want to find the target's MAC
<mikestevens> get onto their subnet
<mikestevens> and ping them or something
<mikestevens> then do an arp -an and write down their MAC
<mikestevens> also do an ifconfig -a and write down your MAC
<mikestevens> it is best to hard boot your cable modem at this point
*** Quits: Prophecy2K1 (Ping timeout)
<mikestevens> that way it clears the memory of MACs
<mikestevens> this is done by pressing the little reset button in the back or however your documentation says so
<mikestevens> it should take a few minutes up to 30 to get back on
<mikestevens> so in the meantime
<mikestevens> you want to stop all services
<mikestevens> then bring down eth0
<mikestevens> then type this with the target's MAC in place of it
<mikestevens> ifconfig eth0 hw ether 00:00:00:00:00:00
<mikestevens> bring the interface up with your IP address and normal settings
<mikestevens> add your default gateway
<mikestevens> and ping the router a few times till it works
<mikestevens> take back down the interface
<mikestevens> and bring it up again with your settings
<mikestevens> start up your services again
<mikestevens> and ping the router again to make sure you are on
<mikestevens> you should now be getting the target's downstream traffic
*** Joins: Prophecy2K1
*** Quits: Matt (Ping timeout)
<mikestevens> you can use all your fun sniffer tools to invade their privacy, etc...
<mikestevens> I will open up a Q&A section while I get the code mods for the ARP section
*** mikestevens sets mode: -m
<mikestevens> any questions?
*** Joins: UraniumD
<[T]racer[T]> yes
<mikestevens> ok
<Ellis_D> does the person whose traffic we are stealing have a way of knowing we are doing this?
*** Parts: UraniumD
<ToRmEnThOr> i think so
*** Joins: MosdestMouse
<mikestevens> no
<[T]racer[T]> NM
<mikestevens> they can't see it
<shellfish> i haven't followed this very well, but is this secure? are the cops gonna come knocking on your door or what?
<ToRmEnThOr> no?
<mikestevens> your cable modem silently passes on the traffic to you
<Ellis_D> hm
<mikestevens> probably not
<ToRmEnThOr> cool
<mikestevens> unless someone checks on your cable modem
<mikestevens> hijacking is a little riskier
<[T]racer[T]> and what if someone does it?
<mikestevens> they will probably just think the cable is out
<mikestevens> interception is less risky
<mikestevens> well first they have to prove you did it on purpose, etc
<[T]racer[T]> but if no one sees my cable modem?
<mikestevens> but if you don't tell anyone they probably will never know
<[T]racer[T]> hehe
<mikestevens> actually if you bring up the interface (when you are using their MAC as your MAC)
<mikestevens> with a local IP
<mikestevens> sometimes the CM will see that
<[T]racer[T]> but on some external cable modems there is a way to connect to the modem
<[T]racer[T]> from the local machine
<[T]racer[T]> and check what's up there
<mikestevens> and there will be no traffic hitting the real network (cable network)
<[T]racer[T]> *in there
<Edrin> well, in this case you are using spoofed MACs and spoofed IPs on the "same cable" so it would be extremely difficult for others to find you (well, if there are only 2 computers on the cable... anyway: police does not know what an arp table is
*** Joins: Nokio
<[T]racer[T]> LOL
<mikestevens> lol
<mikestevens> good point
<Nokio> hey guys
<mikestevens> anyways for the other method of getting your CM to see you
<mikestevens> I made a simple mod to arpspoof.c
<mikestevens> of dsniff
*** Quits: Leper (Quit: Leaving)
<mikestevens> I commented out the arp_send routine on line 193
*** Quits: gUeSt51 (Quit: Leaving)
<SpiderMan> DF: I'm going to DCC the linux networking log to you, ok?
<mikestevens> you can get the CM to see you like this with the modified arpspoof
<Nokio> hey all, is the lecture over?
*** Joins: vanished[coding[
*** Parts: vanished[coding[
<mikestevens> ./arpspoof -t victimip victimip
<mikestevens> then control-C it
<mikestevens> it will send out the needed packets saying their IP is their MAC
<mikestevens> but
<mikestevens> the important part
*** Quits: Prophecy2K1 (Ping timeout)
*** Joins: Exposed_Truth
<mikestevens> your cable modem will think that the computer is in your LAN
*** Joins: jimi
<Edrin> mikestevens: i have once done an ip+mac spoofer for windows using the winpcap. that's a nice thing but i never really found out what use there is for it?
<mikestevens> well this could be a use for it
<mikestevens> :-)
<[T]racer[T]> what does MAC stand for
<[T]racer[T]> ?
<mikestevens> ?
*** Joins: zhortrox
<Ellis_D> media access..
<Ellis_D> or something
<mikestevens> something
*** zhortrox is now known as _ZhorTroX-
<mikestevens> I forget
<[T]racer[T]> yes
*** Quits: vanished (Ping timeout)
<Ellis_D> controller?
*** Joins: Prophecy2K1
*** _ZhorTroX- is now known as Esamurai
<Ellis_D> no..
<[T]racer[T]> LEMME check in the BOOX:)
*** Mikkkeee sets mode: +v Esamurai
<mikestevens> just call it their ethernet address
<mikestevens> now
<mikestevens> on to why you can't get the router's traffic
<mikestevens> and stay on
<Edrin> i think it comes from the BigMac... the inventor once ate a BigMac when he invented arp and MACs
*** Quits: CodE4 (Quit: )
<SpiderMan> Media Access Control
<mikestevens> well if you broadcast this stuff and make the CM think that the router is inside your network
*** Esamurai is now known as _Esamurai-
<mikestevens> it won't forward data for it out
<_Esamurai-> mikkeee this is masjcrasj and zhortrox at esamurai's house actually.. lo
<mikestevens> so you will then be screwed and can't get online
<Edrin> or maybe MacGyver...
<[T]racer[T]> MIKESTEEVENS: mac is not only their address, it's their unique address, and it's a hardware address that you can't change
<mikestevens> so don't try doing this as the router and expect to get everyone's upstream
<mikestevens> cuz you won't be online yourself
<[T]racer[T]> LOL
<mikestevens> anyways
<[T]racer[T]> my router is a backbone
<[T]racer[T]> that's KEWL!
<Edrin> [T]racer[T]: yes, you can change it by simply using another one in software mode
*** Parts: Nokio
*** Joins: gUeSt51
<mikestevens> there are some other ways to hack your cable modem that I have to research more
<mikestevens> the software is updated with TFTP
*** _Esamurai- is now known as MasjZhorEsam
<Mikkkeee> hehe
<gUeSt51> hi everybody
<mikestevens> if you could spoof that you could reload your CM with a new image and enable yourself to sniff all traffic including upstream
<mikestevens> so that would be really cool
<mikestevens> other things could include spoofing DOCSIS commands
<shellfish> a maybe not related q: we have bought a new switch for the comp. club, and they say it "can ban my hardware address", is that MAC?
<mikestevens> so you could change your limits and the like
<[T]racer[T]> that's a nasty one
<Edrin> in addition to that only MACs of LAN cards are fixed. i know that the MAC of a modem is created at random in windows and then gets saved in the registry... dunno how it is with cable modems
<mikestevens> shellfish: yes
<shellfish> ok tnx
<mikestevens> ok
<mikestevens> for security
<gUeSt51> i have an issue concerning paltalk: anyone have any idea how to get ip's through paltalk?
*** mikestevens sets mode: +m
*** Joins: Matt
<Mikkkeee> wb
<[T]racer[T]> gest: netstat LOL
<[T]racer[T]> *gest
<mikestevens> you can use arpspoof to send out arps for your computer
<[T]racer[T]> *guest!
<Mikkkeee> netstat -a
*** Matt is now known as M[a]tt
<mikestevens> that way if someone tries arpspoofing against you
*** Quits: jimi (Ping timeout)
<mikestevens> your computer has counter arps going out
<mikestevens> much nicer :-)
-M[a]tt- it's late, nite :)
<mikestevens> as for sniffing
<mikestevens> don't use cable
<mikestevens> or get a secure tunneled connection elsewhere
<mikestevens> and use proxies through that
<mikestevens> use SSH
<mikestevens> etc...
*** Quits: ToRmEnThOr (Quit: good users don't use colored quits)
<mikestevens> as for local arp security
<mikestevens> add static arp entries for all your computers
<mikestevens> for servers this is really important
<mikestevens> so one server can't be hijacked as easily
<mikestevens> that should really be a whole other lecture
*** Parts: Y0Yo
<mikestevens> it would also be good to know your enemy
<mikestevens> get a program to detect stealth scans
<mikestevens> or use arpwatch
*** Joins: Y0Yo
<[T]racer[T]> where are all the lectures stored, cos i am in college, so i can't be on every lecture :(
<mikestevens> that way you can see people being naughty
*** Parts: Prophecy2K1
<Mikkkeee> heh
<mikestevens> now that is it
<mikestevens> I will provide a few links
<mikestevens> then close up with a Q&A section
<mikestevens> just remember Cable is not secure
<mikestevens> http://www.gi.com/noflash/sb3100.html <<< page for my Cable modem
<Edrin> yes
<mikestevens> it's a bitch
<mikestevens> http://www.cisco.com/univercd/cc/td/doc/product/cable/bbcwcrg/bbcmts.htm <<< wonderful page on cisco cable router commands, if you would ever need this
<[T]racer[T]> who's on a linux box out of here?
<mikestevens> It was on the neworder board
<mikestevens> I'm not sure, matt might have something to do with its posting
<mikestevens> http://www.monkey.org/~dugsong/dsniff/
<mikestevens> Dsniff
<mikestevens> this sniffer set is awesome
<mikestevens> get it
<Mikkkeee> yup
<mikestevens> http://www.ethereal.com
<mikestevens> Ethereal
<mikestevens> great sniffer (I use tethereal)
<mikestevens> can decode aim traffic coming on the downstream
<mikestevens> one more thing
<mikestevens> if you want their aim password (naughty naughty)
<Edrin> you can find a collection of sniffers at securityfocus
<mikestevens> e-mail it to them with the password reminder
<mikestevens> and wait for them to check their e-mail
<mikestevens> it will be in their downstream for mail
<mikestevens> well that's it
<mikestevens> now for Q&A
*** mikestevens sets mode: -m
*** Parts: Y0Yo
<Edrin> mikestevens: i wish i had a cable modem :) that would be much fun
<mikestevens> Just a question, was this too technical?
<[T]racer[T]> i am getting ADSL soon
<Edrin> do you have some firms on the same line?
<[T]racer[T]> very soon
<Mikkkeee> nah
<mikestevens> does anyone want anything explained better
<Mikkkeee> mike u going to release a tut soon on this topic right
<[T]racer[T]> mikesteevens: so which cable modem to buy?
<mikestevens> I will post some source code and a better explanation later on my site, and hopefully on bsrf
*** Joins: sitech
<b0iler> mikestevens: well, I think it was too much of a guide rather than a way of teaching them about networking and cable modems
<gUeSt51> i was looking for in depth registry tutorials
<K3rNEL[PAn1C]> does anybody have the complete logs ??
<[T]racer[T]> guest: www.regedit.com
<[T]racer[T]> :)
*** Joins: PhoeniX
<[T]racer[T]> kernel
<mikestevens> try my cable modem
<gUeSt51> thnx TracerT
<mikestevens> it's nice
<[T]racer[T]> I have them.
<mikestevens> if you have an external surfboard
<mikestevens> browse to http://192.168.100.1/
<[T]racer[T]> nope
<mikestevens> play around
<mikestevens> RCAs are also common
<mikestevens> I don't like them, I had one and it broke a lot
*** Joins: CodE4
* Mikkkeee got all the logs
<mikestevens> well I have to go eat dinner
*** Parts: PhoeniX
<SpiderMan> good job mike
<mikestevens> so if you have any questions e-mail me at [email protected]
<Mikkkeee> <--------------End of lecture------------>