Friday, November 30, 2007

New 'Change Connect()' uhooker script

I uploaded the following uhooker script:

Change Connect(): This script displays all calls to connect() and allows you to change the IP address:port of the connection. This is useful for debugging, to redirect traffic to some other place instead of the original server. For example, you can redirect traffic to proxy_hooker and use the 'Visual Fuzzing :)' script to observe/modify traffic.

Available here:
http://oss.coresecurity.com/uhooker/doc/index.html#scripts

Direct Download:
http://oss.coresecurity.com/uhooker/doc/change_connect.cfg
http://oss.coresecurity.com/uhooker/doc/change_connect.py
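
As an added illustration (not part of the original post and not uhooker's API): connect() receives a pointer to a sockaddr structure, so changing the destination comes down to rewriting the port and address fields of that buffer. The sketch below does this for an IPv4 sockaddr_in on little-endian x86; the function names and the sample bytes are constructed for the example, and reading or writing the buffer inside the hooked process is left to the hooking tool.

```python
import socket
import struct

AF_INET = 2            # same value on Windows and Linux
SOCKADDR_IN_LEN = 16   # family(2) + port(2) + addr(4) + zero padding(8)

# Constructed sample: sockaddr_in for 192.0.2.5:80 (documentation address range)
SAMPLE = bytes.fromhex("0200" "0050" "c0000205" + "00" * 8)


def parse_sockaddr_in(buf):
    """Return (ip, port) from a raw sockaddr_in, or None if it is not IPv4."""
    if len(buf) < SOCKADDR_IN_LEN:
        return None
    family, = struct.unpack_from("<H", buf, 0)   # host byte order (little-endian)
    if family != AF_INET:
        return None
    port, = struct.unpack_from("!H", buf, 2)     # network byte order
    ip = socket.inet_ntoa(bytes(buf[4:8]))
    return ip, port


def rewrite_sockaddr_in(buf, new_ip, new_port):
    """Return a copy of buf that points at new_ip:new_port.

    Buffers that are not IPv4 (for example AF_INET6) are returned unchanged,
    so the caller never corrupts a structure it does not understand.
    """
    if parse_sockaddr_in(buf) is None:
        return bytes(buf)
    if not 0 < new_port < 65536:
        raise ValueError("port out of range")
    head = (struct.pack("<H", AF_INET)
            + struct.pack("!H", new_port)
            + socket.inet_aton(new_ip))
    return head + bytes(buf[8:])                 # keep the original padding


if __name__ == "__main__":
    print("original :", parse_sockaddr_in(SAMPLE))
    patched = rewrite_sockaddr_in(SAMPLE, "127.0.0.1", 8080)
    print("rewritten:", parse_sockaddr_in(patched))
```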

Thursday, November 29, 2007

New & Updated Uhooker scripts

I updated the uhooker scripts on the uhooker web page (http://oss.coresecurity.com/uhooker/doc/index.html). Some of them were pre-1.2 and did not work with uhooker v1.2 because of minor things, but anyway, now you can download them and they will work :).

I also 'improved' and added the following scripts:

Intercept Network Traffic With Hex Editor: These scripts will intercept sendto(), send() and recv(), and for every packet received, a hex editor will be displayed. You can use the hex editor to change bytes of the packet, and then close it to pass the modified packet to the application. It's fuzzing with a GUI! :).
tcpnet.cfg
tcpnet.py
udpnet.cfg
udpnet.py


I'll try to create a screencast so you can get a visual idea of what these scripts do. I'm gonna start uploading some other scripts I think you may find useful.


And.. I've also changed the 'look and feel' of the uhooker web site, mmm, if you think it is bad now, go to web.archive.org and prepare to be amazed!

Monday, November 19, 2007

Anti-debugging Techniques

I just woke up and saw this article that caught my attention (yes, I have a problem, the first thing I read in the morning is not the newspaper but securityfocus.com)

Windows Anti-Debug Reference

by Nicolas Falliere

I haven't read it yet, but I'm a sucker for articles/papers with hex numbers and assembler source code :).

I'll read it later today and make a post if I can think of something worth saying about it :).

Saturday, November 17, 2007

WifiZoo working on the Nokia N800

Yes!, wifizoo works on the Nokia N800! This is very cool! You won't need to carry around your notebook on your next wireless assessment! :)


Thanks go to Matias Brutti, he's the proud owner of the N800 :) and he's the one that made it work. It is actually pretty straightforward, you only need to change a few lines of code.


For more info and photos, click here.

Wednesday, November 07, 2007

Simple script to automatically generate uhooker hooks

I've just uploaded a very simple script that can be used to automatically generate hooks for all the functions exported by a DLL to be used with uhooker.

So, let's say you want to intercept all the functions exported by kernel32.dll? Well, having to write the .cfg file and the .py file with the handlers by hand can be a daunting task :), since it has hundreds of functions.

So, instead of doing that, just use genhooks.py like this:


genhooks.py -f kernel32.dll -t b -c kernel32.cfg -p kernel32.py




-f: specifies the name of the DLL.
-t: specifies the hook type. b = before, a = after, * = address (you would normally use b or a).
-c: OPTIONAL. Specifies the name of the .cfg file. If it is not specified, dllname_without_the_extension.cfg will be used.
-p: OPTIONAL. Name of the .py file with the hooks for all the functions. If it is not specified, dllname_without_the_extension.py will be used.



And that's it. It's a very simple script that I coded 300 hundred times already, the only difference is that now I'm keeping a copy around :).

The script can be found here:

http://oss.coresecurity.com/uhooker/doc/index.html#scripts


Direct download link:


http://oss.coresecurity.com/uhooker/scripts/genhooks.py

Patching WifiZoo to support kismet dumps/pcap capture files

A user emailed me asking for a way to use kismet dumps/pcap capture files with WifiZoo. This is going to be included in the next version of WifiZoo, but you can patch/hack the current version to support kismet dumps/pcap capture files very easily:

Edit wifizoo.py and change the following code:


webproxy.start()
print "Waiting..."

while 1:
  # mm, would be better to use callback perhaps. TODO
  p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = p[0]


to:


webproxy.start()
print "Waiting..."

#capture.pcap is the name of the capture file. Yes, it's hard-coded :)
pcapr = PcapReader('capture.pcap')

while 1:
  # mm, would be better to use callback perhaps. TODO
  #p = sniff(filter=None, iface=conf.iface, count=1)
  pkt = pcapr.next()
  #pkt = p[0]



It's a quick hack, but it works.
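
Unlike a live interface, a capture file ends, and a dump from an interrupted capture can stop in the middle of a record. The following added example (not WifiZoo code, and a standard-library stand-in rather than scapy's PcapReader) reads the classic pcap format and reports both conditions explicitly; read_pcap and the SAMPLE bytes are constructed for the illustration.

```python
import struct

PCAP_HDR = 24   # global header: magic, version, tz, sigfigs, snaplen, linktype
REC_HDR = 16    # per-record header: ts_sec, ts_usec, incl_len, orig_len
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 127: "IEEE 802.11 + radiotap"}


def read_pcap(data):
    """Parse a classic pcap byte string.

    Returns (linktype, frames, clean_eof). frames is a list of
    ((ts_sec, ts_usec), captured_bytes); clean_eof is False when the
    last record was cut short instead of ending on a record boundary.
    """
    if len(data) < PCAP_HDR:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    frames, off = [], PCAP_HDR
    while off < len(data):
        if off + REC_HDR > len(data):
            return linktype, frames, False       # truncated record header
        sec, usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += REC_HDR
        if off + incl > len(data):
            return linktype, frames, False       # truncated frame body
        frames.append(((sec, usec), data[off:off + incl]))
        off += incl
    return linktype, frames, True


# Constructed sample: linktype 105, two stub 802.11 management headers
_FRAME = b"\x80\x00" + b"\x00" * 22
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
for _sec in (1194393600, 1194393601):
    SAMPLE += struct.pack("<IIII", _sec, 0, len(_FRAME), len(_FRAME)) + _FRAME

if __name__ == "__main__":
    lt, frames, clean = read_pcap(SAMPLE)
    print(LINKTYPES.get(lt, lt), len(frames), "frames, clean EOF:", clean)
```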

Friday, November 02, 2007

Numb

I'm still here! Hang on! Soon I'll be releasing a new version of wifizoo, a new version of the pass-the-hash toolkit and also new stuff/scripts and probably a new version of the universal hooker too!

Soon!