Show Posts



Messages - youpi

1
Hacking and Security / Re: DNS Amplification, please enlighten me
« on: January 25, 2014, 07:47:19 am »
OK so as no one would wipe my ass I did my little research.


UDP is on top of IP.
And NTP should be on TOP of UDP which is on top of IP.


I'll be using raw sockets to forge raw UDP packets with a spoofed address.
So I'll create a struct with all the UDP shit we need to take care of: checksum, tos, the lot of it. I captured the packet using tcpdump and wireshark.
I've everything figured out concerning this.


Now I understand that when you send a raw UDP packet you're basically sending a string, which is a pointer to an array of chars, and you can send UDP packets like "ABC" or whatever.


I also understand and read that NTP is a protocol on its own so I have to create the packet using a struct and here will be the monlist message which is a request message (set the bit) bla bla. Just shit I have to respect as it's the RFC but don't give a fuck about.




NOW THE QUESTION:
How do I encapsulate the thing to send it in my spoofed UDP raw socket?
The only way I see is sending it in place of the *buffer, but yeah it seems a bit weird and I actually don't know how I'll convert it. (just cast the struct to the expected input?)


Please enlighten me, smartasses. (lawl)


struct iphdr *ip = (struct iphdr *)packet;
struct udphdr *udp = (struct udphdr *)((void *) ip + sizeof(struct iphdr));

This is done to encapsulate UDP in IP.
So I just do something similar ?
Still need to look up what's included for the headers and shit.

Wow, so much work, please tell me if I'm in the right direction.

2
Hacking and Security / Re: DNS Amplification, please enlighten me
« on: January 19, 2014, 12:15:04 am »
Thanks for this I will read it up.


Does anyone have a PoC script to send a spoofed NTP request?

3
Hacking and Security / DNS Amplification, please enlighten me
« on: January 17, 2014, 04:56:21 pm »
So I'm pretty sure I've found recursive DNS servers because NMAP and a reliable website say so.

That being said, I would like to be able to verify that myself.

I've been using things like dig +notcp -t ANY @rec-server irc.efnet.org for example but I'm only getting a 400 byte response when the website says people get 4000 bytes back. (http://www.watchguard.com/infocenter/editorial/41649.asp)


Please enlighten me.

EDIT: Just read they're using large TXT records.

Anyway, is there a way to see if the server is vuln with dig?
DNS amplifications aren't useless without a compromised dns server with a large TXT record, aren't they? When resolving things like irc.efnet.org for example

-- Use the modify button fool!!
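The thread above is about the size ratio between a small ANY query and the answer a recursive resolver sends back. Seen from the resolver operator's side, the same ratio is what tells you your server is being used as a reflector. The following is an added example, not code from the thread or from any tool mentioned in it: it reads log lines in a constructed format (epoch, client IP, qtype, qname, request bytes, response bytes; this is not BIND's query-log format) and reports clients that are receiving many heavily amplified ANY answers. The sample lines and their byte counts are made up for illustration.

```python
from collections import defaultdict

# Constructed sample of resolver log lines (made-up format, not BIND's):
# <epoch> <client_ip> <qtype> <qname> <request_bytes> <response_bytes>
SAMPLE_LOG = """\
1390000000 198.51.100.7 A www.example.com 45 61
1390000000 203.0.113.5 ANY irc.efnet.org 46 412
1390000000 203.0.113.5 ANY irc.efnet.org 46 412
1390000001 203.0.113.5 ANY irc.efnet.org 46 412
1390000001 203.0.113.5 ANY isc.org 37 3850
1390000001 192.0.2.9 TXT example.org 43 170
1390000002 203.0.113.5 ANY isc.org 37 3850
"""


def parse_line(line):
    """Split one constructed log line into a dict with integer sizes."""
    ts, client, qtype, qname, req, resp = line.split()
    return {"ts": int(ts), "client": client, "qtype": qtype,
            "qname": qname, "req": int(req), "resp": int(resp)}


def amplification(rec):
    """Bytes sent back per byte received: the amplification factor."""
    return rec["resp"] / rec["req"]


def flag_reflection(log_text, min_ratio=5.0, min_queries=3):
    """Return {client: (queries, bytes_sent, peak_ratio)} for clients that
    received at least min_queries ANY answers amplified >= min_ratio.

    In a reflection attack the source address is spoofed, so the 'client'
    reported here is the victim receiving the flood, not the sender. The
    useful response is response rate limiting (RRL) and restricting who
    may recurse, not blocking that address.
    """
    queries = defaultdict(int)
    sent = defaultdict(int)
    peak = defaultdict(float)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ratio = amplification(rec)
        if rec["qtype"] != "ANY" or ratio < min_ratio:
            continue
        c = rec["client"]
        queries[c] += 1
        sent[c] += rec["resp"]
        peak[c] = max(peak[c], ratio)
    return {c: (n, sent[c], round(peak[c], 1))
            for c, n in queries.items() if n >= min_queries}


if __name__ == "__main__":
    for client, (n, b, r) in flag_reflection(SAMPLE_LOG).items():
        print(f"{client}: {n} amplified ANY answers, {b} bytes, peak x{r}")
```

On the sample data the 400-byte answer for irc.efnet.org comes out at roughly 9x and the larger record at over 100x, which is the kind of gap the post is asking about: the amplification you get depends entirely on which name is queried, not on the resolver being "vulnerable" in any other sense. The thresholds are illustrative; on a real resolver you would tune them against normal traffic before alerting.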

4
I wonder how people study ATMs to craft their attacks?
Surely they must be working in the branch or something ?

5
Scripting Languages / Re: [Perl] Project ParanoicScan 1.7
« on: January 05, 2014, 03:48:19 pm »
Didn't try it out as it seems to need some additional perl libraries on MAC but I'll make sure to try it anytime soon.


If it does what it says, awesome tool I must say.

6
Hacking and Security / Re: Rooting a box
« on: January 05, 2014, 03:17:00 pm »
I'm not getting flamed and I think you're quite right in what you say :)


I already built my own linux kernels on gentoo and at some point I was writing some easy kernel modules, done some unix programming with threads/semaphores/dbus interaction.
Kernighan & Ritchie's book is the first one I read in fact.


I came across some good sites in the past few days, mainly corelan.be, krebsonsecurity and pentesteracademy (I follow the plan of their course but learn from different websites) and I now realise mass exploitation of servers can't be done anymore. Or will at least be different than what I'd have thought.
There used to be a time where you could just google d0rks and easily find targets to root or hundreds of easy SQL injections to upload your shell but those times are over as it seems.


For the moment I'm reading https://docs.google.com/file/d/0B-F3NpsEIXCYcDZaUXhfdXlFM1k/edit "Python - A cookbook for pentesters, hackers and forensic analysts" which is quite good.
I also know that I'll _for sure_ need to learn assembly but I really can't be arsed at the moment I'll just begin with simpler / high level things such as SQLi injection, Javascript, Python, using Nmap / Metasploit correctly and stuff.

7
phpStorm / intelliJ idea :P


Great skills by the way.

8
C - C++ / Re: Back to C after a while. Got an lvalue problem :/
« on: December 31, 2013, 06:19:00 pm »
Try to use () in your pointer+j

*(token_array+j) = calloc (1, strlen (token)+1);

Staff note: try to use the edit button next time.

9
Hacking and Security / Re: Rooting a box
« on: December 31, 2013, 12:02:22 am »
Here ye, here ye....

Look guy. Getting an unprivileged shell alone is an extremely rare thing to accomplish these days, let alone getting root. I'm sorry, but I do not think you have even the skills to do simple privilege escalation on your XP vm, or metasploitable WITHOUT using metasploit to do the dirty work for you.

Here are some things to consider: local privilege escalation exploits will in most cases not work (variety of reasons), and their effectiveness relies on how much information you enumerate from the system, and the inherent luck of the stars aligning in the solar system. If you really want to get the upper-hand of rooting boxes, look into things like exploiting cron jobs, changing environment variables, or even better yet...misconfigured services, or readable configuration files with passwords in plaintext.


Another thing, and this isn't just for the OP this goes for everyone...your effectiveness at owning any box is directly related to how much information you gather from it first. Automated "tools" can only help you to a certain degree, and the key to being effective at everything is being able to take the information you get from the tools, and use your brain to figure the rest out.


Thanks for taking the time to answer me.




As for the Darkvision, I just won't answer what you wrote.
I totally agree with you guys that most people just use exploits / metasploit / nmap and don't have any knowledge. That's not my case. I always try and want to understand what I'm doing, at the very least. And code it myself if I'm able to.


I really don't know why you guys took my head off after my first post. I now get the idea of what the forum is like and I must say I appreciate what you guys are telling me in the previous posts.
You just seem to judge me a little fast.

10
Hacking and Security / Re: Rooting a box
« on: December 30, 2013, 11:36:12 pm »
I don't want to prove anything really please stop being rude/angry/raging/whatever.


I also don't want anyone to spoonfeed me like you say rather team work.
I came on this forum to get knowledge from others but also share mine. I thought that's how a forum works.

11
Hacking and Security / Re: Rooting a box
« on: December 30, 2013, 11:32:22 pm »
Sorry guys if I seemed to say I'm the boss of the forums, that's nowhere near what I meant.


I was just pointing out my skills, because a few years ago when I hadn't those skills and tried to get help on some blackhat forums people told me to learn C and unix.
In fact I just graduated in France as sys admin (which, I know, is way below the level of a pen tester). That's why I pointed those skills out.


I don't know how you can tell whether or not I have the said skills just by reading my post.


So just forget the part where I tell about my skills and let's get on the other part: how to find vulnerable targets to achieve my goal ?

12
Hacking and Security / Rooting a box
« on: December 30, 2013, 11:10:03 pm »
Hi everyone.


First of all, even though I am a new member on here, I would like to point out that I'm not a noob.


I know a lot about using linux, scanning systems with nmap, finding exploits, using SSH, setting up and using VPNs, dealing with disk encryption and all sorts of shit.
I also used metasploit and meterpreter in the past on the Windows XP VM they give.

To the point, my "fetish" always has been to somehow compromise a linux box and get shell (root) access to it.


I would like to know if some people here are able to root say a few boxes a week, and if so, how they go about finding them.
Do you start from an SQLi? And upload a shell? I've been trying to find vulnerable websites with --os-shell and --sql-shell using sqlmap for 2 hours now with no luck.
Are there automated tools to find ?


By the way, if there's any hacking team / IRC Channel that would be kind enough to take me into, it would be great.
I have access to cheap host servers and big knowledge in Linux and C.


Thanks
