.########...######..########..########
.##.....##.##....##.##.....##.##......
.##.....##.##.......##.....##.##......
.########...######..########..######..
.##.....##.......##.##...##...##......
.##.....##.##....##.##....##..##......
.########...######..##.....##.##......

http://blacksun.box.sk
Lecturer: Mikestevens
Email: mike@unixclan.box.sk
Lecture: Cable Modem Hacking

k, mikestevens u want to begin second lecture?
3min
COME ON WITH 2ND LECTURE
*** Joins: Shad0wWa1
::)
ok ok I got my snackies
*** mikestevens sets mode: +m
grin
I've not finished my Weetabix :)(
*** Quits: freerider (Quit: Leaving)
*** Quits: Serial_Killer (Quit: off)
* DigitalFallout has his coochie
Hacking @home cable for educational purposes only
has anyone seen kript0n
Edit that out by the way :)
the REAL one
lecture notes at http://blacksun.box.sk/test/cablem.txt
*** Joins: Guest6971990
ofcourze :D
Hey mikestevens, I've decided you guys over there are a little out of it: you've got Diet Weetabix in the US!
*** Guest6971990 is now known as freeque_
all these things were tried out on copperd and perfectly legal revenge for all those crackers
heh
Only in America would you get a SuperSized Big Mac Extra Value Meal but still get a Diet Coke
gimme food for my brain!
anyways we all know cable is insecure
we all hear it
Is it true?
all broadband is insecure
Well at first I didn't think so.
yes mr.mikestevens :)
When I got my cable modem I tried running a sniffer and got no one else's traffic
secure eh?
nope
well maybe a little
but there are several problems
in fact, the only thing secure is my Casio WX500... and I can lock that too
lol
* Matt shuts up
First we can steal unused IPs
*** Quits: bracaman (Killed (NickServ (GHOST command used by fedasdas)))
this is on BSRF already, I think
you can do this by really normal means even in windows
well, my locker in my case is quite safe, too...
you can just set your IP to some unused one and get online
most of the time
sometimes you may have to reboot your CM because it can only hold but X many computers
*** Quits: Shad0wWa1 (Quit: Leaving)
my cablemodem the SurfBoard 3100 (external) can only hold 6 MACs
and is limited to 5 IPs with DOCSIS
so, there are limits
the cable companies could secure this up more so that theft would be impossible, but they seem to be lazy
like what else is new
anyone have the link for the BSRF doc on simple IP theft?
anyways onto IP hijacking
This is when some bastard you don't like has a lot of crackers and you want to impersonate them
for you to hijack their IP they need to be on the same router, possibly the same port
btw:
* Edrin wonders if there is a way to take over a satellite...
first you need to be on the same subnet
brb
*** Quits: Obsidian (Quit: Leaving)
geez he isn't supposed to leave in the middle of a lecture
Edrin: still didn't find your answer?
*** Joins: K1llabee
*** Joins: Marx-AWA
Sup|ED-209|Craft: have we met before?
*** Quits: freeque_ (Quit: i had it all logged as well, before my computer crashed. :/ nite nite all. will look out f)
sorry doggie emergency
Edrin: no, but i saw your questions
had to go out
anyways first you need a host on the same subnet
mikestevens: heheh :)
so you can get their MAC address
very important
so if you aren't on their subnet do this
ifconfig eth0:1 24.x.x.65 broadcast 24.x.x.255 netmask 255.255.255.0
make sure the IP is unused (see above stuff)
*** Guy_SJS sets mode: +v Prophecy2K1
thanx
then you can see them as a local LAN user, and can get their MAC addy, very important
next you want to use arpredirect from the dsniff package
Registering 24.x.x.69 to our MAC
arpredirect 24.x.x.69&
tada
*** Joins: gUeSt51
we are stealing them now
this sends out bogus arp packets to our yet to be IP saying we are now them
now you want to stop services, etc...
take down eth0 and bring it up again as their IP
you should have no problems
go in and add your default gateway again
and start up your services
tada you are them
*** Mikkkeee sets mode: +v TracerT
Q&A time
*** mikestevens sets mode: -m
whu its that easy
yup
isn't everything
any questions people?
* Matt trundles off to take down calbeinet.co.uk
Matt: i thought you was the big brain here :D
* Mikkkeee is editing the first lecture
hmm..can you set up a place where we can try this out maybe? heh
isn't the only way to do this with windows by using the libpcap-clone winpcap? (i mean for the arp-fake maybe win2k can do it but win9x, too?)
Sup|ED-209|Craft, broadband has never been heard of in the UK :(
*** Quits: Guy_SJS (Quit: Oogerbay)
where's the point in this exercise ? lol
say copperd is giving out crackers and you don't like this and want him to stop and make him be nice
so there will be a lecture on ASCII ? :)
you would hijack copperd's IP
*** TracerT is now known as [T]racer[T]
cheese crackers?
and log onto IRC as him and start taking back all the crackers he gave out
*** Quits: SpiderMan (Ping timeout)
and not impersonate an admin
*** Joins: ToRmEnThOr
well anyways onto the cool part
*** Joins: MasJCrasJ
*** Joins: SpiderMan
*** ChanServ sets mode: +o SpiderMan
intercepting downstream traffic
*** mikestevens sets mode: +m
this is better than school lecture, why not make 'BSRF School' ? :P
first thing first
mikestevens, are there any times when you can't become the stealer?
bobbie: node position?
later
*** Quits: Ralph (Quit: Leaving)
Matt: when you are not on the same router
*** Quits: K1llabee (Connection reset by peer)
*** MasJCrasJ is now known as _MasjCrasj-
routers cover a lot of ground though
usually a few mile range
mikestevens: so the data to the IP that is not being used, goes to the router?
so people at school, neighbors, etc are all potential victims
that slut next door etc...
*** mikestevens sets mode: -m
mikestevens, I was under the impression most cable companies cluster their routers and create a mesh network?
later ppl
Sup|ED-209|Craft: I don't really understand what you said
i will explain later
*** Quits: _MasjCrasj- (Quit: )
Matt: they have local routers and link them with FDDI
later
*** Quits: Sup|ED-209|Craft (Quit: )
then the FDDI ring goes to the local datacenter
*** Joins: nebunu
*** Quits: SileNceR (Ping timeout)
anyways onto intercepting traffic if no one has any more questions / comments
*** mikestevens sets mode: +m
ok first we need to know a little more about the network
afk
you have the cable router, your cable modem/router, and your PC
the cable modem is nothing more than a bridge
meaning it sees traffic on both sides and seamlessly forwards as needed
<[T]racer[T]> there gonna be a lecture on streamz here?
<[T]racer[T]> *stringz
*** Joins: K3rNEL[PAn1C]
*** Parts: nebunu
*** Joins: Pupp3tM
*** ChanServ sets mode: +v Pupp3tM
the 3100 surfboard has a webserver which you can play with from inside your network
http://192.168.100.1/
I found the IP by sniffing and I saw IGMP traffic coming from that IP
so I browsed to it
anyways, the bridge is based on MAC addresses
*** Quits: Pupp3tM (Quit: )
so if it sees your MAC behind the bridge it will let in traffic that is destined to that MAC
the outside has no clue what is going on with the Cable modem
another issue
not all cable modems will detect the MAC how mine does
you may have to try arp packets to fool it into it
I will provide both ways here
so onto the interception
first you want to find the target's MAC
get onto their subnet and ping them or something
then do an arp -an and write down their MAC
also do an ifconfig -a and write down your MAC
it is best to hard boot your cable modem at this point
*** Quits: Prophecy2K1 (Ping timeout)
that way it clears the memory of MACs
this is done by pressing the little reset button in the back or however your documentation says
so it should take a few minutes up to 30 to get back on
so in the time being you want to stop all services
then bring down eth0
then type this with the target's MAC in place of it
ifconfig eth0 hw ether 00:00:00:00:00:00
bring the interface up with your IP address and normal settings
add your default gateway and ping the router a few times till it works
take back down the interface and bring it up again with your settings
start up your services again and ping the router again to make sure you are on
you should now be getting the target's downstream traffic
*** Joins: Prophecy2K1
*** Quits: Matt (Ping timeout)
you can use all your fun sniffer tools to invade their privacy, etc...
I will open up a Q&A section while I get the code mods for the ARP section
*** mikestevens sets mode: -m
any questions?
*** Joins: UraniumD
<[T]racer[T]> yes
ok
does the person whose traffic we are stealing have a way of knowing we are doing this?
*** Parts: UraniumD
i think so
*** Joins: MosdestMouse
no
<[T]racer[T]> NM
they can't see it
i haven't followed this very well, but is this secure? are the cops gonna come knocking on your door or what?
no?
your cable modem silently passes on the traffic to you
hm
probably not
cool
unless someone checks on your cablemodem
hijacking is a little riskier
<[T]racer[T]> and what if someone does it?
they will probably just think the cable is out
interception is less risky
well first they have to prove you did it on purpose, etc
<[T]racer[T]> but if noone sees my cable modem?
but if you don't tell anyone they probably will never know
<[T]racer[T]> hehe
actually if you bring up the interface (when you are using their MAC as your MAC) with a local IP sometimes the CM will see that
<[T]racer[T]> but on some External cable modems there is a way to connect to the modem
<[T]racer[T]> from the local machine
<[T]racer[T]> and check what's up there
and there will be no traffic hitting the real network (cable network)
<[T]racer[T]> *in there
well, in this case you are using spoofed MACs and spoofed IPs on the "same cable" so it would be extremely difficult for others to find you (well, if there are only 2 computers on the cable...
anyway: police does not know what an arp table is
*** Joins: Nokio
<[T]racer[T]> LOL
lol
good point
hey guys
anyways for the other method of getting your CM to see you I made a simple mod to arpspoof.c of dsniff
*** Quits: Leper (Quit: Leaving)
I commented out the arp_send routine on line 193
*** Quits: gUeSt51 (Quit: Leaving)
DF: I'm going to DCC the linux networking log to you, ok?
you can get the CM to see you like this with the modified arpspoof
hey all, is the lecture over?
*** Joins: vanished[coding[
*** Parts: vanished[coding[
./arpspoof -t victimip victimip
then controlC it
it will send out the needed packets saying their IP is their MAC
but the important part
*** Quits: Prophecy2K1 (Ping timeout)
*** Joins: Exposed_Truth
your Cable modem will think that the computer is in your lan
*** Joins: jimi
mikestevens: i have once done an ip+mac spoofer for windows using the winpcap. that's a nice thing but i never really found out what use there is on it?
well this could be a use for it :-)
<[T]racer[T]> for what MAC stands
<[T]racer[T]> ?
?
*** Joins: zhortrox
media access.. or something something
*** zhortrox is now known as _ZhorTroX-
I forget
<[T]racer[T]> yes
*** Quits: vanished (Ping timeout)
controller?
*** Joins: Prophecy2K1
*** _ZhorTroX- is now known as Esamurai
no..
<[T]racer[T]> LEMME check in the BOOX:)
*** Mikkkeee sets mode: +v Esamurai
just call it their ethernet address
now on to why you can't get the router's traffic and stay on
i think it comes from the BigMac... the inventor once ate a BigMac when he invented arp and MACs
*** Quits: CodE4 (Quit: )
Media Access Control
well if you broadcast this stuff and make the CM think that the router is inside your network
*** Esamurai is now known as _Esamurai-
it won't forward data for it out
<_Esamurai-> mikkeee these are masjcrasj and zhortrox at esamurai's house actually.. lo
so you will then be screwed and can't get online
or maybe MacGyver...
<[T]racer[T]> MIKESTEEVENS: mac is not only their address, its their Unique address, and its hardware address that you cant change
so don't try doing this as the router and expect to get everyone's upstream cuz you won't be online yourself
<[T]racer[T]> LOL
anyways
<[T]racer[T]> my router is a backbone
<[T]racer[T]> thats KEWL!
[T]racer[T]: yes, you can change it by simply using another in software mode
*** Parts: Nokio
*** Joins: gUeSt51
there are some other ways to hack your cable modem that I have to research more
the software is updated with TFTP
*** _Esamurai- is now known as MasjZhorEsam
hehe hi everybody
if you could spoof that you could reload your CM with a new image and enable yourself to sniff all traffic including upstream
so that would be really cool
other things could include spoofing DOCSIS commands
a maybe not related q: we have bought a new switch for the comp. club, and they say it "can ban my hardware address", is that MAC?
so you could change your limits and the like
<[T]racer[T]> thats a nasty one
in addition to that only MACs of LAN-cards are fixed. i know that the MAC of a modem is created at random in windows and then gets saved in the registry... dunno how it is with cablemodem
shellfish: yes
ok tnx
ok for security
i have an issue concerning paltalk: anyone have any idea how to get ip's through paltalk?
*** mikestevens sets mode: +m
*** Joins: Matt
wb
<[T]racer[T]> gest: netstat
LOL
<[T]racer[T]> *gest
you can use arpspoof to send out arps for your computer
<[T]racer[T]> *guest! netstat -a
*** Matt is now known as M[a]tt
that way if someone tries arpspoofing against you
*** Quits: jimi (Ping timeout)
your computer has counter arps going out
much nicer :-)
-M[a]tt- its late, nite :)
as for sniffing don't use cable or get a secure tunneled connection elsewhere and use proxies through that
use SSH etc...
*** Quits: ToRmEnThOr (Quit: good users don't use colored quits)
as for local arp security add static arp entries for all your computers
for servers this is really important
so one server can't be hijacked as easily
that should really be a whole other lecture
*** Parts: Y0Yo
it would also be good to know your enemy
get a program to detect stealth scans or use arpwatch
*** Joins: Y0Yo
<[T]racer[T]> where are all the lectures stored, cos i am in college, so i cant be on every lecture:(
that way you can see people being naughty
*** Parts: Prophecy2K1
heh
now that is it
I will provide a few links then close up with a Q&A section
just remember Cable is not secure
http://www.gi.com/noflash/sb3100.html <<< page for my Cable modem
yes its a bitch
http://www.cisco.com/univercd/cc/td/doc/product/cable/bbcwcrg/bbcmts.htm <<< wonderful page on cisco cable router commands, if you would ever need this
<[T]racer[T]> whos on linux box outa here?
It was on the neworder board
I'm not sure, matt might have something to do with its posting
http://www.monkey.org/~dugsong/dsniff/ Dsniff
this sniffer set is awesome get it
yup
http://www.ethereal.com Ethereal great sniffer (I use tethereal)
can decode aim traffic coming on the downstream
one more thing if you want their aim password (naughty naughty)
you can find a collection of sniffers at securityfocus
e-mail it to them with the password reminder and wait for them to check their e-mail
it will be in their downstream for mail
well thats it now for Q&A
*** mikestevens sets mode: -m
*** Parts: Y0Yo
mikestevens: i wish i would have a cable modem :) that would be much fun
Just a question, was this too technical?
<[T]racer[T]> i am getting ADSL soon
do you have some firms on the same line?
<[T]racer[T]> very soon
nah
does anyone want anything explained better
mike u going to release a tut soon on this topic right
<[T]racer[T]> mikesteevens: so which cable modem to buy?
I will post some source code and a better explanation later on my site, and hopefully on bsrf
*** Joins: sitech
mikestevens: well, I think it was too much of a guide rather than a way of teaching them about networking and cable modems
i was looking for in depth registry tutorials
does anybody have the complete logs ??
<[T]racer[T]> guest: www.regedit.com
<[T]racer[T]> :)
*** Joins: PhoeniX
<[T]racer[T]> kernel try my cable modem
thnx TracerT
its nice
<[T]racer[T]> I have them.
if you have an external surfboard browse to http://192.168.100.1/
<[T]racer[T]> nope
play around
RCAs are also common
I don't like them, I had one and it broke a lot
*** Joins: CodE4
* Mikkkeee got all the logs
well I have to go eat dinner
*** Parts: PhoeniX
good job mike
so if you have any questions e-mail me at mike@unixclan.box.sk
<--------------End of lecture------------>