Friday, 20 March 2015

SNMP Traps

Using SNMP Traps

Recently I have been learning SNMP. If you have never heard of SNMP, you can find more info about it here. Network management solutions mostly use SNMP to monitor devices attached to a network.

From the wiki you can find that using a MIB we can extract the required information from a managed device. But in large networks it is impractical for the manager to poll or request information from every object on every device. This brings us to SNMP traps: traps enable managed devices to send unsolicited messages to the management station, which can later decide what to do with the trap notification. There isn't much documentation regarding SNMP traps, so I'm writing this post in the hope that someone will find this info useful.

First configure snmptrapd. If you have created a user named read_only_user for monitoring,
 
#echo authCommunity log read_only_user >> /etc/snmp/snmptrapd.conf  
 
will let the snmptrapd service accept and log the traps received with the read_only_user community string. Now start the snmptrapd service to view the received traps. You can do that with

#systemctl start snmptrapd.service 

Now we will send some trap notifications using the snmptrap utility:

#snmptrap -v2c -c read_only_user 127.0.0.1 0 SNMPv2-MIB::authenticationFailure

The above command sends a trap notification with authenticationFailure as the notification name; you can find more notifications here. You might want to send more information with the trap so that the data can be processed more efficiently:

#snmptrap -v2c -c read_only_user 127.0.0.1 0 SNMPv2-MIB::authenticationFailure\
 SNMPv2-MIB::sysContact.0 = 'root@locathost'

The above command sends the contact data along with the trap notification. If you want to send the hostname, you can do that with

# snmptrap -v2c -c read_only_user 127.0.0.1 0 SNMPv2-MIB::authenticationFailure\
 SNMPv2-MIB::sysName.0 = 'LightingBolt'
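
On the management-station side, snmptrapd can hand each received trap to a program registered with its traphandle directive. The following is an added example, not part of the original post: a Python handler that parses that input and flags devices reporting repeated authenticationFailure traps. It assumes the community is granted log,execute rather than log alone; the sample input, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of what snmptrapd writes to a traphandle program's stdin
# for the authenticationFailure trap with the sysName.0 varbind sent above.
SAMPLE = """localhost
UDP: [127.0.0.1]:45012->[127.0.0.1]:162
DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:00:00.00
SNMPv2-MIB::snmpTrapOID.0 SNMPv2-MIB::authenticationFailure
SNMPv2-MIB::sysName.0 LightingBolt
"""

def parse_trap(text):
    """Parse traphandle input: hostname, transport address, then 'OID value' lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("truncated trap: need hostname and address lines")
    # The first bracketed address on line 2 is the sender of the trap.
    m = re.search(r"\[([^\]]+)\]", lines[1])
    varbinds = {}
    for ln in lines[2:]:
        oid, _, value = ln.partition(" ")
        varbinds[oid] = value.strip().strip('"')
    return {"host": lines[0].strip(),
            "source": m.group(1) if m else lines[1].strip(),
            "trap": varbinds.get("SNMPv2-MIB::snmpTrapOID.0", "unknown"),
            "varbinds": varbinds}

def auth_failure_alerts(traps, threshold=3):
    """Return devices that reported `threshold` or more authenticationFailure traps."""
    counts = Counter(t["source"] for t in traps
                     if t["trap"].endswith("authenticationFailure"))
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    import sys
    # When run by snmptrapd, one trap arrives on stdin per invocation.
    trap = parse_trap(sys.stdin.read())
    print(f"{trap['source']} ({trap['host']}): {trap['trap']} {trap['varbinds']}")
```
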


Sunday, 7 December 2014

IRISSCON CRACKME

Cracking the Irisscon-Crackme

Tools required 

1) Any debugger (I will use Immunity. You can download it here)

2) Irisscon-crackme (you can get it here)

3) Windows machine

After downloading the Irisscon-crackme, double-click on it. It will throw an error asking you to insert the irisscon-2012 CD-ROM. So our objective is to bypass that error.



Start your debugger and open Irisscon-crackme with it. Then step into (using F7) until you reach a statement which calls irisscon.00401020.

  
Then right-click, choose "Search for", then "All referenced text strings", and select "please insert the disk". Double-click on that and you will see the string at 0040136E; you can observe that the function that produces the error starts at 00401358.


Let's find the address from which the function is being called so that we can bypass it. Select the address 00401358, then right-click and select "Find references to selected command". It will show two addresses, one being 00401358 and the other 00401503. Double-click on 00401503 to view that address.




Just above the call instruction you can see a JE instruction. JE takes the jump if the Z flag is set to 1. So what's basically happening is that when we run the program the flag will be 0, the jump will not be taken, and the error will be shown. So let's set a hardware breakpoint at the JE instruction and run the program. As we have set a breakpoint at the JE instruction, execution will pause at that point.



In the left-middle window we can see that the jump is not taken, as the Z flag is 0. Double-click on the 0 value of the Z flag (top-right window) to change its value to 1. As the value is now 1 the jump will be taken; continue running the program and it will open a window showing the key :).