Monday, February 25, 2013

IPv6 in Wireshark



An IPv6 address beginning with fe80:: is a link-local address, valid only on the local link.

http://en.wikipedia.org/wiki/IPv6_address

fe80::/10 — Addresses in the link-local prefix are only valid and unique on a single link. Within this prefix only one subnet is allocated (54 zero bits), yielding an effective format of fe80::/64. The least significant 64 bits are usually chosen as the interface hardware address constructed in modified EUI-64 format. A link-local address is required on every IPv6-enabled interface—in other words, applications may rely on the existence of a link-local address even when there is no IPv6 routing. These addresses are comparable to the auto-configuration addresses 169.254.0.0/16 of IPv4.
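As an added illustration of the quoted paragraph (example code, not from the original post): building a link-local address from a MAC with the modified EUI-64 rule, checking membership in fe80::/10, and recovering the MAC again. The MAC and addresses used are constructed samples.

```python
import ipaddress
from typing import Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")         # the whole reserved prefix
LINK_LOCAL_SUBNET = ipaddress.IPv6Network("fe80::/64")  # the one subnet actually used

def modified_eui64(mac: str) -> bytes:
    """Derive the 8-byte modified EUI-64 interface identifier from a 48-bit MAC:
    insert ff:fe between the two MAC halves and flip the U/L bit (0x02) of byte 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix (upper 64 bits) + modified EUI-64 interface id (lower 64 bits)."""
    prefix = LINK_LOCAL_SUBNET.network_address.packed[:8]
    return ipaddress.IPv6Address(prefix + modified_eui64(mac))

def is_link_local(addr: str) -> bool:
    """True for any address in fe80::/10, i.e. fe80:: through febf:ffff:..."""
    return ipaddress.IPv6Address(addr) in LINK_LOCAL

def mac_from_link_local(addr: str) -> Optional[str]:
    """Recover the MAC when the interface id is EUI-64 derived. Returns None for
    non-link-local addresses and for ids without the ff:fe marker (e.g. fe80::1 or
    privacy/temporary addresses), which do not carry a hardware address."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]
    if a not in LINK_LOCAL or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)
```

The reverse mapping is what makes EUI-64 link-local addresses a privacy concern: the lower 64 bits reveal the interface's MAC in every capture.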


You will see strange (undecoded) packets when you open some IPv6 pcap files.

Just decode it:

1. Open Decode As...

2. Select the 'Network' tab and then IPv6.

3. Now we have the IPv6 packet streams.
 
 

Monday, February 18, 2013

[qemu #2] debugging ARM



Launch qemu..

Then connect to qemu (the ARM-based guest system) through an ssh tunnel:

ssh [user]@[IP address] -p [port number]

Now you can debug with gdb~




Wednesday, February 13, 2013

[Essay] Malcolm Gladwell - Outliers, the '10000 hours rule'


There were some good remarks in today's lecture, so I want to write a few of them down.

#1 Mannerism

A word I've heard a lot: mannerism... mannerism... The definition of
mannerism on Wikipedia is as follows.

Mannerism

http://en.wikipedia.org/wiki/Mannerism

So mannerism is a state of keeping the status quo, a state of no progress,
of making no effort, with nothing new at all...

That's when we say someone "has fallen into mannerism".


#2 Dreams..?!

The movie "Up in the Air", starring George Clooney.

George Clooney plays a layoff specialist, and while firing a mid-level manager
who devoted himself to his family, he asks...

"How much did you get paid for giving up your dream?"

I should catch 'Up in the Air'.

#3 The '10000 hours rule' by Malcolm Gladwell

I read it about three years ago, I think..
I still remember this book.. I think I read it on the bus on the way home,
sitting in the seat right behind the rear exit door....
Strangely, the memory is vivid.

'The 10,000-hour rule'
Three hours a day for ten years is ten thousand hours.
A year is 8,760 hours.. I don't think you can do it every day, so I figure it takes about four hours a day,
at least five days a week, consistently.
At that level, wouldn't you be called an expert in any field?

Practice makes perfect.

Tuesday, February 12, 2013

[qemu #1] installing on ubuntu 12.04


You can download qemu from the following URL.

http://wiki.qemu.org/Download

Extract the package:

$ tar -jxvf qemu-1.3.1.tar.bz2

$ tar -jxvf qemu-1.2.0.tar.bz2

* Note
First I downloaded and installed qemu-1.3.1 on Ubuntu 12.04.
It didn't work: the build runs autoreconf for pixman, and autoreconf was not installed.

 (cd /home/.../qemu-1.3.1/pixman; autoreconf -v --install)
/bin/sh: 1: autoreconf: not found
make: *** [/home/.../qemu-1.3.1/pixman/configure] Error 127

Installing qemu's build dependencies, as suggested in the thread below, fixes it.

http://stackoverflow.com/questions/14814889/cant-install-qemu-1-3-1-in-ubuntu-12-10
$ sudo apt-get build-dep qemu

Configure for the ARM system emulator target, then build and install:

$ ./configure --target-list=arm-softmmu

$ make

$ make install

To be continued.




Wednesday, February 6, 2013

codegate 2012 prequal network 100

Now, if you have properly understood the packet format, let's apply it in practice.

There is a very good exercise for applying it:

the Codegate 2012 prequal network 100 problem~

I named the file 10_Floor.pcap.

See the link below for the pcap file format.

http://n20kim.blogspot.kr/2013/02/pcap-file-format.html

Wireshark can't open the pcap file.

If you understand the pcap file format, you can notice what is weird.
Yeah, right!
A pcap has a global header at the beginning, and this file doesn't. :)

# Recover the pcap's global header.

1. Make a global header to prepend to the pcap.
   To do this I wrote the code below. It's simple, but entering it line by line is a little annoying.

import binascii
# 24-byte global header: magic d4c3b2a1 (little-endian), version 2.4,
# thiszone 0, sigfigs 0, snaplen 0xffff, network 1 (Ethernet)
binary = binascii.unhexlify("d4c3b2a1020004000000000000000000ffff000001000000")
f = open('header.pcap', 'wb')   # binary mode, so no newline translation touches the bytes
f.write(binary)
f.close()


2. Add the global header to the pcap (prepend header.pcap to 10_Floor.pcap).

But an error still occurs, this time because of a packet size. Phew...

Fix it again!

3. Did you notice something? The problem is a size... and the 22nd packet is normal,
   so you can infer that the 23rd packet is probably abnormal.
   The 22nd packet's byte stream is the following:

4. The last line, from offset 0x0038, is "16 d0 e3 42 ... ".
   Find that byte stream in 10_Floor.pcap.
   The 23rd packet starts with "3e ec 60 ..".
   A packet (record) header is 16 bytes, as you know.
   You can see "GET .." instead of the record header bytes. Weird...

5. The final task is removing the 23rd packet. Then you can open the pcap.




 

pcap file format



http://wiki.wireshark.org/Development/LibpcapFileFormat#File_Format

Knowing the structure of the packet header is useful when analyzing packets, and it's worth learning well. Please make sure you understand the documentation provided by Wireshark~

The libpcap format is as follows:

Global header | Packet Header | Packet Data | Packet Header | Packet Data | ...


# Global header has the following structure:


typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;


# Record (Packet) Header has the following structure:

typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;
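As an added example (not the blog's own code), the repair from the codegate post above carried out against these two structs: rebuild the 24-byte global header, walk the 16-byte record headers, and cut the capture at the first record whose lengths are inconsistent. The sample bytes are constructed, and only the little-endian magic the post uses is handled.

```python
import struct

# Layout from the two structs above (little-endian, i.e. d4 c3 b2 a1 on disk).
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version_major/minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
MAGIC_LE = 0xA1B2C3D4

def global_header(snaplen=0xFFFF, network=1):
    """The same 24 bytes the post writes by hand: version 2.4, snaplen 0xffff, network 1 (Ethernet)."""
    return GLOBAL_HDR.pack(MAGIC_LE, 2, 4, 0, 0, snaplen, network)

def parse_records(data):
    """Walk the records; return (good_records, offset of the first bad record or None).

    A record is bad when incl_len exceeds snaplen or orig_len, or runs past the end
    of the file: that is the 'size' error Wireshark reports for the post's 23rd packet.
    """
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != MAGIC_LE:
        raise ValueError("no little-endian pcap global header at offset 0")
    good, off = [], GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        _, _, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        end = off + RECORD_HDR.size + incl_len
        if incl_len > snaplen or incl_len > orig_len or end > len(data):
            return good, off
        good.append(data[off:end])
        off = end
    return good, None

def repair(data):
    """Prepend a missing global header, then drop the first bad record and everything after it
    (record boundaries past a corrupted header cannot be trusted). Returns (pcap_bytes, bad_offset)."""
    if data[:4] != struct.pack("<I", MAGIC_LE):
        data = global_header() + data
    good, bad = parse_records(data)
    return data[:GLOBAL_HDR.size] + b"".join(good), bad

# Constructed sample: global header stripped, second record header overwritten by "GET ..." text.
FRAME = bytes(12) + b"\x86\xdd" + bytes(40)          # 54-byte stand-in for an Ethernet/IPv6 frame
GOOD_RECORD = RECORD_HDR.pack(1359936000, 0, len(FRAME), len(FRAME)) + FRAME
BROKEN_RECORD = b"GET / HTTP/1.1\r\n" + FRAME       # 16 text bytes where the record header belongs
HEADERLESS_PCAP = GOOD_RECORD + BROKEN_RECORD

if __name__ == "__main__":
    fixed, bad = repair(HEADERLESS_PCAP)
    print(f"cut at offset {bad}; {len(parse_records(fixed)[0])} record(s) kept")
```

Write the returned bytes to a .pcap file and Wireshark opens it; with the text bytes in place of the record header, incl_len decodes to a number far larger than snaplen, which is why the capture fails the size check.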

Monday, February 4, 2013

install cx_Oracle on Ubuntu 12.04 or Windows


#1 Windows + cx_Oracle


1) download the Oracle instant client
http://www.oracle.com/technetwork/topics/winsoft-085727.html

2) Place it in some directory.

3) Add that directory's path to your PATH environment variable.

4) Run the following code to test:

import cx_Oracle
# connect string is user/password@dsn; 'ID/PW@DB.com' is a placeholder
conn = cx_Oracle.connect('ID/PW@DB.com')


#2 Ubuntu 12.04 + cx_Oracle
http://rahadianokta.wordpress.com/2012/09/15/oracle-instant-client-python-cx_oracle-ubuntu-server-12-04/

1) download the Oracle instant client
http://www.oracle.com/technetwork/topics/linuxsoft-082809.html

2) Unzip it to your lib path:
 /usr/local/lib/

3) Soft-link libclntsh.so.11.1 to libclntsh.so and libocci.so.11.1 to libocci.so.

4) Add the Oracle instant client path to a file under ld.so.conf.d and reload the linker cache:

 # ldconfig

5) Edit your system environment variables (/etc/environment).

Finally~~ yeah~


Practical man-in-the-middle attack on pip


I came across an interesting article that warns against installing packages with pip
in an untrusted environment.

You can intercept and manipulate packages downloaded from PyPI
using the Python code below:

https://gist.github.com/4698537

yeah~ poc time~

Proof of Concept

1. Run a proxy so that all HTTP traffic passes through it
2. Redirect traffic over your local machine
3. Intercept all traffic
4. Use the Python script to manipulate downloads from PyPI