.########...######..########..########
.##.....##.##....##.##.....##.##......
.##.....##.##.......##.....##.##......
.########...######..########..######..
.##.....##.......##.##...##...##......
.##.....##.##....##.##....##..##......
.########...######..##.....##.##......
http://blacksun.box.sk
Lecturer: Mikestevens
Email: mike@unixclan.box.sk
Lecture: Cable Modem Hacking
<Mikkkeee> k, mikestevens u want to begin second lecture?
<mikestevens> 3min
<Y0Yo> COME ON WITH 2ND LECTURE
*** Joins: Shad0wWa1
<Y0Yo> ::)
<mikestevens> ok ok
<mikestevens> I got my snackies
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> grin
<Matt> I've not finished my Weatabix :)(
*** Quits: freerider (Quit: Leaving)
*** Quits: Serial_Killer (Quit: off)
* DigitalFallout has his coochie
<mikestevens> Hacking @home cable for educational purposes only
<Guy_SJS> has anyone seen kript0n
<DigitalFallout> Edit that out by the way :)
<Guy_SJS> the REAL one
<mikestevens> lecture notes at http://blacksun.box.sk/test/cablem.txt
*** Joins: Guest6971990
<Sup|ED-209|Craft> ofcourze :D
<Matt> Hey mikestevens, I've decided you guys over there are a little out of it: you've got Diet Weatabix in the US!
*** Guest6971990 is now known as freeque_
<mikestevens> all these things were tried out on copperd and perfectly legal revenge for all those crackers
<Matt> heh
<DigitalFallout> Only in america would you get a SuperSized Big Mac Extra Value Meal but still Get a diet coke
<Sup|ED-209|Craft> gimme food for my brain!
<mikestevens> anyways we all know cable is insecure
<mikestevens> we all hear it
<mikestevens> Is it true?
<Matt> all broadband is insecure
<mikestevens> Well at first I didn't think so.
<Sup|ED-209|Craft> yes mr.mikestevens :)
<mikestevens> When I got my cable modem I tried running a sniffer and got no one else's traffic
<mikestevens> secure eh?
<Mikkkeee> nope
<mikestevens> well maybe a little
<mikestevens> but there are several problems
<Matt> infact, the only thing secure is my Casio WX500... and I can lock that took
<mikestevens> lol
* Matt shuts up
<mikestevens> First we can steal unused IPs
*** Quits: bracaman (Killed (NickServ (GHOST command used by fedasdas)))
<mikestevens> this is on BSRF already, I think
<mikestevens> you can do this by really normal means
<mikestevens> even in windows
<Edrin> well, my locker in my case is quite safe, too...
<mikestevens> you can just set your IP to some unused one and get online most of the time
<mikestevens> sometimes you may have to reboot your CM because it can only hold but X many computers
*** Quits: Shad0wWa1 (Quit: Leaving)
<mikestevens> my cablemodem the SurfBoard 3100 (external) can only hold 6 MACs
<mikestevens> and is limited to 5 IPs with DOCSIS
<mikestevens> so, there are limits
<mikestevens> the cable companies could secure this up more
<mikestevens> so that theft would be impossible, but they seem to be lazy
<mikestevens> like what else is new
<mikestevens> anyone have the link for the BSRF doc on simple IP theft?
<mikestevens> anyways onto IP hijacking
<mikestevens> This is when some bastard you don't like has a lot of crackers and you want to impersonate them
<mikestevens> for you to hijack their IP they need to be on the same router, possibly the same port
<Edrin> btw:
* Edrin wonders if there is a way to takeover a satelite...
<mikestevens> first you need to be on the same subnet
<mikestevens> brb
*** Quits: Obsidian (Quit: Leaving)
<Guy_SJS> geez
<Guy_SJS> he isn't supposed to leave in the middle of a lecture
<Sup|ED-209|Craft> Edrin: still didn't find your answer?
*** Joins: K1llabee
*** Joins: Marx-AWA
<Edrin> Sup|ED-209|Craft: have we met before?
*** Quits: freeque_ (Quit: i had it all logged as well, before my computer crashed. :/ nite nite all. will look out f)
<mikestevens> sorry
<mikestevens> doggie emergency
<Sup|ED-209|Craft> Edrin: no , but i saw your questions
<mikestevens> had to go out
<mikestevens> anyways
<mikestevens> first you need a host on the same subnet
<Edrin> mikestevens: heheh :)
<mikestevens> so you can get their MAC address
<mikestevens> very important
<mikestevens> so if you aren't on their subnet do this
<mikestevens> ifconfig eth0:1 24.x.x.65 broadcast 24.x.x.255 netmask 255.255.255.0
<mikestevens> make sure the IP is unused
<mikestevens> (see above stuff)
*** Guy_SJS sets mode: +v Prophecy2K1
<Prophecy2K1> thanx
<mikestevens> then you can see them as a local LAN user, and can get their MAC addy, very important
<mikestevens> next you want to use arpredirect from the dsniff package
<mikestevens> Registering 24.x.x.69 to our MAC
<mikestevens> arpredirect 24.x.x.69&
<mikestevens> tada
*** Joins: gUeSt51
<mikestevens> we are stealing them now
<mikestevens> this sends out bogus arp packets to our yet to be IP
<mikestevens> saying we are now them
<mikestevens> now you want to stop services, etc...
<mikestevens> take down eth0
<mikestevens> and bring it up again as their IP
<mikestevens> you should have no problems
<mikestevens> go in and add your default gateway again
<mikestevens> and start up your services
<mikestevens> tada
<mikestevens> you are them
*** Mikkkeee sets mode: +v TracerT
<mikestevens> Q&A time
*** mikestevens sets mode: -m
<Matt> whu
<Matt> its that easy
<mikestevens> yup
<mikestevens> isn't everything
<mikestevens> any questions people?
* Matt trundles off to take down calbeinet.co.uk
<Sup|ED-209|Craft> Matt: i thought you were the big brain here :D
* Mikkkeee is editing the first lecture
<Ellis_D> hmm..can you set up a place where we can try this out maybe?
<Mikkkeee> heh
<Edrin> isn't the only way to do this with windows by using the libpcap-clone winpcap? (i mean for the arp-fake maybe win2k can do it but win9x, too?)
<Matt> Sup|ED-209|Craft, broadband has never been heard of in the UK :(
*** Quits: Guy_SJS (Quit: Oogerbay)
<Frydo> where's the point in this exercise ?
<Sup|ED-209|Craft> lol
<mikestevens> say copperd is giving out crackers
<mikestevens> and you don't like this
<mikestevens> and want him to stop
<mikestevens> and make him be nice
<TracerT> so there will be a lecture on ASCII
<TracerT> ?
<Leper> :)
<mikestevens> you would hijack copperd's IP
*** TracerT is now known as [T]racer[T]
<Matt> cheese crackers?
<mikestevens> and log onto IRC as him
<mikestevens> and start taking back all the crackers he gave out
*** Quits: SpiderMan (Ping timeout)
<mikestevens> and not impersonate an admin
*** Joins: ToRmEnThOr
<mikestevens> well anyways
<mikestevens> onto the cool part
*** Joins: MasJCrasJ
*** Joins: SpiderMan
*** ChanServ sets mode: +o SpiderMan
<mikestevens> intercepting downstream traffic
*** mikestevens sets mode: +m
<Sup|ED-209|Craft> this is better than school lecture, why not make 'BSRF School' ? :P
<mikestevens> first thing first
<Matt> mikestevens, are there any times when you can't become the stealer?
<Matt> bobbie: node position?
<Ralph> later
*** Quits: Ralph (Quit: Leaving)
<mikestevens> Matt: when you are not on the same router
*** Quits: K1llabee (Connection reset by peer)
*** MasJCrasJ is now known as _MasjCrasj-
<mikestevens> routers cover a lot of ground though
<mikestevens> usually a few mile range
<Sup|ED-209|Craft> mikestevens: so the data to the IP that is not being used, goes to the router?
<mikestevens> so people at school, neighbors, etc are all potential victims
<mikestevens> that slut next door
<mikestevens> etc...
*** mikestevens sets mode: -m
<Matt> mikestevens, I was under the impression most cable companies cluster their routers and create a mesh network?
<Sup|ED-209|Craft> later ppl
<mikestevens> Sup|ED-209|Craft: I don't really understand what you said
<Sup|ED-209|Craft> i will xplain later
*** Quits: _MasjCrasj- (Quit: )
<mikestevens> Matt: they have local routers and link them with FDDI
<Sup|ED-209|Craft> later
*** Quits: Sup|ED-209|Craft (Quit: )
<mikestevens> then the FDDI ring goes to the local datacenter
*** Joins: nebunu
*** Quits: SileNceR (Ping timeout)
<mikestevens> anyways onto intercepting traffic if no one has any more questions / comments
*** mikestevens sets mode: +m
<mikestevens> ok
<mikestevens> first we need to know a little more about the network
<Matt> afk
<mikestevens> you have the cable router, your cable modem/router, and your PC
<mikestevens> the cable modem is nothing more than a bridge
<mikestevens> meaning it sees traffic on both sides and seamlessly forwards as needed
<[T]racer[T]> there gonna be an lecture on streamz here?
<[T]racer[T]> *stringz
*** Joins: K3rNEL[PAn1C]
*** Parts: nebunu
*** Joins: Pupp3tM
*** ChanServ sets mode: +v Pupp3tM
<mikestevens> the 3100 surfboard has a webserver which you can play with from inside your network
<mikestevens> http://192.168.100.1/
<mikestevens> I found the IP by sniffing
<mikestevens> and I saw IGMP traffic coming from that IP
<mikestevens> so I browsed to it
<mikestevens> anyways, the bridge is based on MAC addresses
*** Quits: Pupp3tM (Quit: )
<mikestevens> so if it sees your MAC behind the bridge it will let in traffic that is destined to that MAC
<mikestevens> the outside has no clue what is going on with the Cable modem
<mikestevens> another issue
<mikestevens> not all cable modems will detect the MAC how mine does
<mikestevens> you may have to try arp packets to fool it into it
<mikestevens> I will provide both ways here
<mikestevens> so onto the interception
<mikestevens> first you want to find the target's MAC
<mikestevens> get onto their subnet
<mikestevens> and ping them or something
<mikestevens> then do an arp -an and write down their MAC
<mikestevens> also do an ifconfig -a and write down your MAC
<mikestevens> it is best to hard boot your cable modem at this point
*** Quits: Prophecy2K1 (Ping timeout)
<mikestevens> that way it clears the memory of MACs
<mikestevens> this is done by pressing the little reset button in the back or however your documentation says so
<mikestevens> it should take a few minutes up to 30 to get back on
<mikestevens> so in the time being
<mikestevens> you want to stop all services
<mikestevens> then bring down eth0
<mikestevens> then type this with the target's MAC in place of it
<mikestevens> ifconfig eth0 hw ether 00:00:00:00:00:00
<mikestevens> bring the interface up with your IP address and normal settings
<mikestevens> add your default gateway
<mikestevens> and ping the router a few times till it works