Friday, August 17, 2018

Remote CIDR Surveying

Remote CIDR Surveying from Eric Gragsone

Slides from a talk I gave recently at Unallocated Space. The talk still needs a bit of polish and practice. I'll update these slides as the talk improves.

Wednesday, August 26, 2015

Parsing Kismet Logs

We have all been there. We get a tool to do exactly what we want, and then suddenly we have to parse its log. The log file we want to use is in a format we have never heard of, and it stands in the way of moving on to the next project. I found a simple tool that lets me do just that.

The tool is called KLV. KLV v2 is a tool that combines multiple Kismet log files in the .netxml format, summarizes the data, and outputs an easy-to-read HTML or CSV file. It is located at the following URL:

Pretty simple and straightforward to use.

Wednesday, January 21, 2015

PwnAdventure 3

Last weekend I participated in Ghost in the Shellcode, a capture the flag competition (i.e. hacker contest) which included several unique challenges that involved hacking (cheating) at an MMORPG-style game. The game was built using the Unreal 4 Engine, so it's possible that this protocol is the same across other games built on the same engine, but I have yet to confirm that.

As someone who loves huffing Ethernet and was inspired by talks such as "DEFCON 19: Hacking MMORPGs for Fun and Mostly Profit", I immediately went for reverse engineering the protocol so that I could build a proxy to perform all sorts of cheats. Sadly, I didn't have enough time to build a proxy, but I was able to write a Wireshark plug-in that parses most of the protocol (available here).

There is a lot to cover in this protocol, so this post will only cover some highlights.

For starters, this is a TCP-based protocol that hops around on ports 3000 through 3016. This is typical of MMORPGs, which spread what looks like a unified map and environment over multiple servers and instances.

Tuesday, October 28, 2014

BSides-DC '14 Industrial Control Systems Lab

I love exploring new technologies and protocols. What hacker doesn't? When BSides-DC announced it was going to have an Industrial Control Systems (ICS, or SCADA to most people) lab, I knew this would be my favorite part of the convention.

Obligatory robot arm photo is obligatory

Wednesday, September 17, 2014


Welcome to the Dead Packet Society. What is the Dead Packet Society? We are a group of people who like to research and analyse pcap files.

Tuesday, March 20, 2012

Reasons for Abnormal Traceroute Results

Results due to ICMP Filters

When performing an ICMP-based traceroute, there are a few reasons for not receiving a reply. Packet loss on congested networks can explain away singular dropped replies. If all three probes for one or more hops go missing, it's likely that a firewall is blocking ICMP or the routers are configured not to return an ICMP error. If, however, the traceroute ends with a successful reply after reporting multiple failed probes, then this is the result of a firewall configured to pass ping requests but not traceroute.
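As an added example (not from the original post), the following Python applies the three rules above to a traceroute listing. The hop-line format mimics Unix traceroute output, and the sample trace and its addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an ICMP traceroute (not a real trace).
SAMPLE_TRACE = """\
 1  192.0.2.1  1.1 ms  1.0 ms  1.2 ms
 2  192.0.2.254  *  2.4 ms  2.3 ms
 3  * * *
 4  * * *
 5  198.51.100.9  10.2 ms  10.1 ms  10.3 ms
"""

RTT_RE = re.compile(r"\d+(?:\.\d+)?\s*ms")

# Interpretation of each verdict, following the rules in the post.
DIAGNOSES = {
    "normal": "every probe answered",
    "congestion": "isolated dropped probes: packet loss on a congested link",
    "icmp_filtered": "whole hops silent: firewall blocks ICMP or routers "
                     "do not return ICMP errors",
    "ping_only_filter": "target answers after silent hops: firewall passes "
                        "ping but not traceroute's ICMP errors",
    "empty": "no hops parsed",
}

@dataclass
class Hop:
    ttl: int
    replies: int   # probes that received a reply
    probes: int    # probes sent for this TTL (3 by default)

    @property
    def status(self) -> str:
        if self.replies == self.probes:
            return "ok"
        return "silent" if self.replies == 0 else "loss"

def parse_traceroute(text: str) -> List[Hop]:
    """Turn traceroute hop lines into Hop records; skips header lines."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        replies = len(RTT_RE.findall(line))   # each RTT is an answered probe
        lost = line.count("*")                # each '*' is an unanswered probe
        hops.append(Hop(int(parts[0]), replies, replies + lost))
    return hops

def explain(hops: List[Hop]) -> str:
    """Return the verdict key from DIAGNOSES for a parsed trace."""
    if not hops:
        return "empty"
    statuses = [h.status for h in hops]
    if statuses[-1] == "ok" and "silent" in statuses[:-1]:
        return "ping_only_filter"
    if "silent" in statuses:
        return "icmp_filtered"
    return "congestion" if "loss" in statuses else "normal"
```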

Thursday, March 15, 2012

Reasons for Abnormal ICMP errors

[Originally posted in the MD2600 newsletter, February 2001]

Continuing the reasons-for-abnormal-packets series, we explore the presence of ICMP "Host Unreachable" (Type 3 Code 3) packets. The normal reason for a host unreachable error to occur is that, for some reason, the host is not online. As stated in the last article, when a packet destined for a network reaches a router attached to that network, the router sends an ARP request for the destination host. If no reply returns, the router generates an ICMP "Host Unreachable" error back to the sender. That, however, is only the textbook example of what generates the error.

Now we place a packet filtering firewall in our picture of the network. Packet filters have a few actions they can perform on a packet; generally these are Pass, Deny, or Drop. If the matching rule has Pass selected, the firewall allows the packet to traverse. If the rule has Drop selected, the packet is destroyed and forgotten. However, if Deny is the action of choice, the firewall destroys the packet and returns the wonderful ICMP "Host Unreachable" error.