Out of the box

Personal rants

Archive for the ‘Network’ Category

D-Link 500G Authentication Bypass

This morning, while I was testing a bug related to HTTP authentication in Google Chrome, I found an authentication bypass on D-Link 500G.

The original advisory is here.

Written by jweyrich

August 24, 2009 at 1:55 pm

Posted in Hacking, Network, Security

MiniUPnP frameworks for MacOSX

UPDATE 2010.10.01: Updated the frameworks to the latest versions.
UPDATE 2010.06.20: Created a personal repository to keep track of new changes.
UPDATE 2009.08.20: Completed the redirection support for ipfw, but I’m not having enough free time lately, so I shared my work. The patch was accepted, but it requires some work to complete the support.

I packaged two parts of MiniUPnP into distinct frameworks, so developers can embed them in their .app bundles. MiniUPnPc is a client implementation of the Internet Gateway Device (IGD) protocol. libnatpmp is a client implementation of the NAT Port Mapping Protocol (NAT-PMP, part of Apple's Bonjour).

You can download them here. Both frameworks are universal (PPC, x86, x86-64).

Additionally, ipfw isn't supported by MiniUPnPd, the server implementation, so I'll work on it in my spare time. Please let me know if you are interested in it too.

Written by jweyrich

July 22, 2009 at 8:01 pm

Are you experiencing DHCP problems?

Today I was studying Mac OS X internals and found an interesting utility to view and change the network interface configuration. Its name is ipconfig. What? Correct, I agree that's TOO Windows, but it's worth reading the man page, which in fact discourages its use for purposes other than testing and debugging. But, as usual, I was curious.

So, ipconfig talks to the IPConfiguration agent, which is the brain behind the Mac OS X network configuration (more specifically, ipconfigd), and depends on the following frameworks: CoreFoundation, SystemConfiguration, IOKit and Apple80211.

Let’s take a look at the DHCP response packet received from my router (10.1.1.1):

$ ipconfig getpacket en1
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987153
secs = 0
ciaddr = 0.0.0.0
yiaddr = 10.1.1.16
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname = 
file = 
options:
Options count is 9
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.1.1.1
subnet_mask (ip): 255.255.255.0
lease_time (uint32): 0x76a700
router (ip_mult): {10.1.1.1}
domain_name_server (ip_mult): {<router-dns>}
domain_name (string): <router-domain>
interface_mtu (uint16): 0x5d4
end (none):

If you need to see ONLY ONE option from those listed above, you can simply use “ipconfig getoption (interface-name) (option-name | option-code)”, for example:

$ ipconfig getoption en1 router
10.1.1.1
$ ipconfig getoption en1 3
10.1.1.1

You can even query an option across ALL your interfaces by passing “” (an empty string) as the interface name.
And, as the man page mentions, it's intended to be useful for testing and debugging, so if you're experiencing problems with DHCP addressing or BOOTP, I suggest you enable the verbose flag:

$ sudo ipconfig setverbose 1

After that, I forced a DHCP request by disabling and re-enabling my network interface:

$ sudo ifconfig en1 down
$ sudo ifconfig en1 up

Then I checked the syslog and the packets dump:

$ tail -f /var/log/system.log
...
Jul 22 13:02:35 pharao configd[36]: service_publish_clear: Remove =  {
Jul 22 13:02:35 pharao configd[36]:   0 : State:/Network/Service/LINKLOCAL-en1/IPv4
Jul 22 13:02:35 pharao configd[36]:   1 : State:/Network/Service/LINKLOCAL-en1/DNS
Jul 22 13:02:35 pharao configd[36]:   2 : State:/Network/Service/LINKLOCAL-en1/DHCP
Jul 22 13:02:35 pharao configd[36]: }
Jul 22 13:02:35 pharao configd[36]: LINKLOCAL en1: status = 'operation succeded'
Jul 22 13:02:35 pharao configd[36]: before_blocking: calling S_linklocal_elect
Jul 22 13:02:35 pharao configd[36]: subnet for 169.254/16 still good on interface en1

$ cat /var/log/com.apple.IPConfiguration.bootp
============================
2009/07/22 13:02:31.918077 [en1] Transmit 300 byte packet
op = BOOTREQUEST
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987154
secs = 0
ciaddr = 0.0.0.0
yiaddr = 0.0.0.0
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname = 
file = 
options:
Options count is 8
dhcp_message_type (uint8): REQUEST 0x3
parameter_request_list (uint8_mult): {0x1, 0x3, 0x6, 0xf, 0x77, 0x5f, 0xfc, 0x2c, 0x2e, 0x2f}
max_dhcp_message_size (uint16): 0x5dc
client_identifier (uint8_mult): {<my-identifier>}
requested_ip_address (ip): 10.1.1.16
lease_time (uint32): 0x76a700
host_name (string): pharao
end (none): 
----------------------------
2009/07/22 13:02:32.131373 [en1] Receive 548 byte packet
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987154
secs = 0
ciaddr = 0.0.0.0
yiaddr = 10.1.1.16
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname = 
file = 
options:
Options count is 9
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.1.1.1
subnet_mask (ip): 255.255.255.0
lease_time (uint32): 0x76a700
router (ip_mult): {10.1.1.1}
domain_name_server (ip_mult): {<router-dns>}
domain_name (string): <router-domain>
interface_mtu (uint16): 0x5d4
end (none): 
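To make the `getpacket` output and the logged REQUEST/ACK pair above concrete, here is an added example (my own code, not part of the original post and not Apple's ipconfig): a small Python decoder for the BOOTP/DHCP wire format that produces the same named fields `ipconfig getpacket` prints, looks one option up by name or code the way `ipconfig getoption` does, and cross-checks a reply against the request it should answer (matching xid, yiaddr equal to the requested address, and the expected server_identifier). The request/ACK pair is rebuilt from the logged values as constructed sample data; the MAC address, client identifier, DNS server and domain name are placeholders, as they are in the log, and the helper names (build_dhcp, parse_dhcp, get_option, check_reply) are this example's own.

```python
"""BOOTP/DHCP decoder in the style of `ipconfig getpacket`, plus a request/reply cross-check."""
import socket
import struct

BOOTREQUEST, BOOTREPLY, DHCPACK, DHCPNAK = 1, 2, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes

# RFC 2132 option codes, with the names and value types ipconfig prints for them.
OPTIONS = {
    1: ("subnet_mask", "ip"), 3: ("router", "ip_mult"), 6: ("domain_name_server", "ip_mult"),
    12: ("host_name", "string"), 15: ("domain_name", "string"), 26: ("interface_mtu", "uint16"),
    50: ("requested_ip_address", "ip"), 51: ("lease_time", "uint32"),
    53: ("dhcp_message_type", "uint8"), 54: ("server_identifier", "ip"),
    55: ("parameter_request_list", "uint8_mult"), 57: ("max_dhcp_message_size", "uint16"),
    61: ("client_identifier", "uint8_mult"),
}
CODE_OF = {name: code for code, (name, _) in OPTIONS.items()}
DECODERS = {
    "ip": socket.inet_ntoa,
    "ip_mult": lambda raw: [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)],
    "uint8": lambda raw: raw[0],
    "uint16": lambda raw: struct.unpack("!H", raw)[0],
    "uint32": lambda raw: struct.unpack("!I", raw)[0],
    "string": lambda raw: raw.decode("ascii", "replace"),
    "uint8_mult": list,
}
ip = socket.inet_aton   # dotted quad -> 4 network-order bytes

def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Serialize a BOOTP header plus a DHCP option list (used for the samples below)."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0, ip("0.0.0.0"), ip(yiaddr),
                         ip("0.0.0.0"), ip("0.0.0.0"), chaddr.ljust(16, b"\0"), b"", b"")
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_dhcp(pkt):
    """Decode the fixed header and the option list into a dict of named fields."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or no magic cookie)")
    f = struct.unpack(HEADER_FMT, pkt[:236])
    msg = {"op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(f[0], f[0]), "htype": f[1],
           "hlen": f[2], "hops": f[3], "xid": f[4], "secs": f[5], "flags": f[6],
           "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                            # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % pkt[i])   # never trust the length byte
        kind = OPTIONS.get(pkt[i], ("unknown", "uint8_mult"))[1]
        msg["options"][pkt[i]] = DECODERS[kind](pkt[i + 2:i + 2 + pkt[i + 1]])
        i += 2 + pkt[i + 1]
    return msg

def get_option(msg, name_or_code):
    """Like `ipconfig getoption`: one option, selected by name or by numeric code."""
    if isinstance(name_or_code, str):
        code = int(name_or_code) if name_or_code.isdigit() else CODE_OF[name_or_code]
    else:
        code = name_or_code
    return msg["options"].get(code)

def check_reply(request, reply, expected_server=None):
    """Cross-check a reply against the request it should answer; returns a problem list."""
    problems = []
    if reply["op"] != "BOOTREPLY":
        problems.append("op is not BOOTREPLY")
    if reply["xid"] != request["xid"]:
        problems.append("xid %d does not match request xid %d" % (reply["xid"], request["xid"]))
    mtype = get_option(reply, "dhcp_message_type")
    wanted = get_option(request, "requested_ip_address")
    if mtype == DHCPNAK:
        problems.append("server refused the lease (NAK)")
    elif mtype == DHCPACK and wanted and reply["yiaddr"] != wanted:
        problems.append("yiaddr %s differs from requested %s" % (reply["yiaddr"], wanted))
    server = get_option(reply, "server_identifier")
    if expected_server and server != expected_server:
        problems.append("server_identifier %s is not %s (rogue DHCP server?)" % (server, expected_server))
    return problems

# Constructed samples mirroring the logged REQUEST/ACK pair; MAC, client id, DNS and domain are placeholders.
CHADDR, XID = bytes.fromhex("001122334455"), 304987154
SAMPLE_REQUEST = build_dhcp(BOOTREQUEST, XID, CHADDR, [
    (53, b"\x03"), (55, bytes([1, 3, 6, 15, 119, 95, 252, 44, 46, 47])),
    (57, struct.pack("!H", 0x5dc)), (61, b"\x01" + CHADDR), (50, ip("10.1.1.16")),
    (51, struct.pack("!I", 0x76a700)), (12, b"pharao")])
SAMPLE_REPLY = build_dhcp(BOOTREPLY, XID, CHADDR, [
    (53, b"\x05"), (54, ip("10.1.1.1")), (1, ip("255.255.255.0")),
    (51, struct.pack("!I", 0x76a700)), (3, ip("10.1.1.1")), (6, ip("10.1.1.1")),
    (15, b"home.lan"), (26, struct.pack("!H", 0x5d4))], yiaddr="10.1.1.16")

if __name__ == "__main__":
    reply = parse_dhcp(SAMPLE_REPLY)
    print({OPTIONS[c][0]: v for c, v in reply["options"].items()})   # lease_time 7776000 s = 90 days
    print("problems:", check_reply(parse_dhcp(SAMPLE_REQUEST), reply, "10.1.1.1"))
```

The two checks worth automating are the xid and the server_identifier: a reply whose xid does not match the request is stale or meant for another client, and a reply whose server_identifier is not your router means another DHCP server is answering on the segment. The lease_time of 0x76a700 seconds decodes to 90 days.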

This can also be achieved by using tcpdump and dhcpdump together, or simply dhcp-sniff:

$ tcpdump -lenx -s 1500 port bootpc or port bootps | dhcpdump
$ dhcp-sniff en1

Hey, don’t forget to disable ipconfig’s verbose flag when you’re done.

Written by jweyrich

July 22, 2009 at 5:20 pm

Posted in MacOSX, Network

Dumping DNS cache entries on OSX Leopard

# Print the unique host names currently held in the DirectoryService cache
dscacheutil -cachedump -entries Host | grep "Key: " | \
    sed 's/.*Key: .*:\(.*\) .*/\1/g' | sort -u

Written by jweyrich

October 4, 2008 at 7:20 pm

Posted in MacOSX, Network
