» Carding

C – Parsing UDP data sniffed with WinPcap

carrumba — Tue, 22 Feb 2011 13:42:35 +0000

#define HAVE_REMOTE
#define MAX_BUF_SIZE 1024
#define snprintf _snprintf
 
#define ETH_ALEN 6
#define IP_ALEN 4
 
#define ARP_REQUEST 1
#define ARP_REPLY 2
 
#include 
#include 
#include 
 
#pragma comment(lib, "wpcap.lib")
#pragma comment(lib, "Ws2_32.lib")
 
 
 
/*
 * Our data types
 *
 */
 
typedef struct ethern_hdr
{
  unsigned char ether_dhost[6];  // dest Ethernet address
  unsigned char ether_shost[6];  // source Ethernet address
  unsigned short ether_type;     // protocol (16-bit)
} ETHDR, *PETHDR;
 
typedef struct ipaddress
{
  unsigned char byte1;
  unsigned char byte2;
  unsigned char byte3;
  unsigned char byte4;
} IPADDRESS;
 
typedef struct iphdr
{
  unsigned char  ver_ihl;        // Version (4 bits) + Internet header length (4 bits)
  unsigned char  tos;            // Type of service 
  unsigned short tlen;           // Total length 
  unsigned short identification; // Identification
  unsigned short flags_fo;       // Flags (3 bits) + Fragment offset (13 bits)
  unsigned char  ttl;            // Time to live
  unsigned char  proto;          // Protocol
  unsigned short crc;            // Header checksum
  IPADDRESS      saddr;      // Source address
  IPADDRESS      daddr;      // Destination address
  unsigned int   opt;        // Option + padding
} IPHDR, *PIPHDR;
 
typedef struct udpheader
{
  unsigned short sport;          // Source port
  unsigned short dport;          // Destination port
  unsigned short len;            // Datagram length
  unsigned short crc;            // Checksum
} UDPHDR, *PUDPHDR;
 
 
 
/*
 * Function forward declarations.
 *
 */
 
void packet_handler(u_char *param, const struct pcap_pkthdr *header, 
					const u_char *pkt_data);
void MAC2String(unsigned char pMAC[6], char *pOutput, int pOutputLen);
void stringify(char *pInput, int pInputLen, char *pOutput);
void processIP4(PIPHDR pIPHdr);
void processUDP(PUDPHDR pUDPHdr, int pTotLen);
 
 
/*
 * Program entry point
 *
 */
 
int main(int argc, char **argv)
{
  int lRetVal = 0;
  pcap_if_t *lAllDevs = NULL;
  pcap_if_t *lDevice = NULL;
  char lTemp[PCAP_ERRBUF_SIZE];
  char lAdapter[MAX_BUF_SIZE + 1];
  int lCounter = 0;
  int lIFCnum = 0;
  pcap_t *lIFCHandle = NULL;
  struct bpf_program lFCode;
  unsigned int lNetMask = 0;
 
 
 
 
  /*
   * Open device list.
   *
   */
 
  if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &lAllDevs, lTemp) == -1)
  {
    printf("Error in pcap_findalldevs_ex() : %s\n", lTemp);
    lRetVal = 1;
    goto END;
  }
 
 
 
  /*
   * Print device name + description.
   *
   */
 
  lCounter = 0;
  for(lDevice = lAllDevs; lDevice; lDevice = lDevice->next, lCounter++)
  {
    printf("\n%d. %s\n    ", lCounter, lDevice->name);
 
    if (lDevice->name)
      printf("%d : (%s)\n", lCounter, lDevice->description);
    else
      printf(" (%d : No description available)\n", lCounter);
  }
 
 
 
  /*
   * Dialog which adapter to open.
   *
   */
 
  printf("\n\nOn which adapter do you want to start the sniffer : ");
  scanf("%d", &lIFCnum);
  if ((lIFCnum > 9 && lIFCnum < 0))
  {
    printf("The adapter you chose does not exist\n");
	lRetVal = 2;
	goto END;
  }
 
 
 
  ZeroMemory(lAdapter, sizeof(lAdapter));
  lCounter = 0;
 
  for(lDevice = lAllDevs; lDevice; lDevice = lDevice->next, lCounter++)
  {
    if (lCounter == lIFCnum)
    {
      strcpy(lAdapter, lDevice->name);
      break;
    }
  }
 
 
 
  /*
   * Open interface.
   *
   */
 
  if ((lIFCHandle = pcap_open(lAdapter, 65536, PCAP_OPENFLAG_PROMISCUOUS, 
	                          1000, NULL, lTemp)) == NULL)
  {
    fprintf(stderr,"\nUnable to open the adapter.\n");
    lRetVal = 5;
	goto END;
  }
 
 
 
 
 
  /* 
   * Compiling + setting the filter
   *
   */
 
  if (lDevice->addresses != NULL)
    lNetMask = ((struct sockaddr_in *)(lDevice->addresses->netmask))->sin_addr.S_un.S_addr;
  else
    lNetMask = 0xffffff;	
 
 
  ZeroMemory(&lFCode, sizeof(lFCode));
  if (pcap_compile(lIFCHandle, &lFCode, "", 1, lNetMask) < 0)
  {
    printf("Unable to compile the packet filter.\n");
    lRetVal = 3;
	goto END;
  }
 
 
  if (pcap_setfilter(lIFCHandle, &lFCode) < 0)
  {
    printf("Error setting the filter.\n");
    lRetVal = 4;
	goto END;
  }
 
  // We dont need this list anymore.
  pcap_freealldevs(lAllDevs);
 
  // Start intercepting data packets.
  pcap_loop(lIFCHandle, 0, packet_handler, NULL);
 
 
 
END:
 
  /*
   * Release all allocated resources.
   *
   */
 
  if (lAllDevs)
    pcap_freealldevs(lAllDevs);
 
 
 
  return(lRetVal);
}
 
 
 
 
 
/* 
 * Callback function invoked by libpcap for every incoming packet 
 *
 */
 
void packet_handler(u_char *param, const struct pcap_pkthdr *header, 
					const u_char *pkt_data)
{
  struct tm *ltime;
  char timestr[16];
  time_t local_tv_sec;
  PETHDR lEHdr = (PETHDR) pkt_data;
  char lSrcMAC[64];
  char lDstMAC[64];
  char lProto[MAX_BUF_SIZE + 1];
 
 
  ZeroMemory(lDstMAC, sizeof(lDstMAC));
  ZeroMemory(lSrcMAC, sizeof(lSrcMAC));
  ZeroMemory(lProto, sizeof(lProto));
 
 
  /*
   * Convert the timestamp to readable format
   *
   */
 
  local_tv_sec = header->ts.tv_sec;
  ltime=localtime(&local_tv_sec);
  strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
 
 
  MAC2String(lEHdr->ether_shost, lSrcMAC, sizeof(lSrcMAC) - 1);
  MAC2String(lEHdr->ether_dhost, lDstMAC, sizeof(lDstMAC) - 1);
  printf("\n\nTIME\t%s.%06d\nPHYS\t%s -> %s\n", timestr, header->ts.tv_usec,
	     lSrcMAC, lDstMAC);
 
 
 
  /*
   * Read source + destination MAC addresses
   *
   */
 
  switch (htons(lEHdr->ether_type))
  {
    case 0x0800 : printf("IPv4");
                  processIP4((PIPHDR) (pkt_data + 14));
                  break;
  }
}
 
 
 
/*
 *
 *
 */
 
void MAC2String(unsigned char pMAC[6], char *pOutput, int pOutputLen)
{
  if (pOutput && pOutputLen > 0)
  {
    snprintf(pOutput, pOutputLen, "%02X:%02X:%02X:%02X:%02X:%02X", pMAC[0], 
             pMAC[1], pMAC[2], pMAC[3], pMAC[4], pMAC[5]);
  }
}
 
 
 
/*
 * Process IP packet
 *
 */
 
void processIP4(PIPHDR pIPHdr)
{
  int lIPLen = (pIPHdr->ver_ihl & 0xf) * 4;
  int lTotLen = ntohs(pIPHdr->tlen);
 
  printf("\tHdr lenght : %d\tTot length : %d\n", lIPLen, lTotLen);
  printf("\t%d.%d.%d.%d -> %d.%d.%d.%d\n", pIPHdr->saddr.byte1, 
	  pIPHdr->saddr.byte2, pIPHdr->saddr.byte3, pIPHdr->saddr.byte4,
	  pIPHdr->daddr.byte1, pIPHdr->daddr.byte2, pIPHdr->daddr.byte3, 
	  pIPHdr->daddr.byte4);
 
 
  /*
   *
   *
   */
 
  if (pIPHdr->proto == 17)
    processUDP((PUDPHDR) ((u_char*) pIPHdr + lIPLen), lTotLen);
}
 
 
 
 
 
/* 
 * Process UDP packet
 *
 */
 
void processUDP(PUDPHDR pUDPHdr, int pTotLen)
{
  u_short sport = ntohs(pUDPHdr->sport);
  u_short dport = ntohs(pUDPHdr->dport);
  int lDataLen = pTotLen - sizeof(IPHDR) - sizeof(UDPHDR);
  char lData[MAX_BUF_SIZE + 1];
  char lRealData[MAX_BUF_SIZE + 1];
 
  ZeroMemory(lData, sizeof(lData));
  ZeroMemory(lRealData, sizeof(lRealData));
 
  strncpy(lData, (unsigned char *) pUDPHdr + sizeof(UDPHDR), lDataLen);
  stringify(lData, lDataLen, lRealData);
 
  printf("UDP\tsport %d -> dport %d\n", sport, dport);
  printf("\tLen : %d\tData : \"%s\"\n", lDataLen, lRealData);
}
 
 
 
 
/*
 *
 *
 */
 
void stringify(char *pInput, int pInputLen, char *pOutput)
{
  int lCounter = 0;
 
  for (;lCounter < pInputLen; lCounter++)
  {
    if (pInput[lCounter] < 32 || pInput[lCounter] > 176)
      pOutput[lCounter] = '.';
	else
      pOutput[lCounter] = pInput[lCounter];
  }
}

C# – Listing all files in a directory

carrumba — Thu, 02 Dec 2010 12:31:31 +0000

using System.IO;
 
namespace Files
{
    public class Files
    {
        static void Main(string[] args)
        {
            string[] lFiles;
 
            lFiles = Directory.GetFiles("c:\\");
 
            foreach (string lFile in lFiles)
                System.Console.WriteLine(lFile);
        }
    }
}

Credit card trafficker cuffed after nine-month manhunt

carrumba — Fri, 13 Aug 2010 07:42:35 +0000

A Russian accused of being one of the “most prolific” sellers of stolen credit-card data has been arrested in France, following a nine-month manhunt.

Vladislav Anatolievich Horohorin, 27, was taken into custody in Nice, France, as he was attempting to board a flight bound for Moscow, federal prosecutors in Washington said. He is being detained by French authorities pending extradition to the US.

View full article.

Safer ebanking

carrumba — Sun, 25 Jul 2010 09:22:09 +0000

Recently I read an article in the newspaper about a new product incorporated in a Swiss bank where they use a security token with fingerprint check and visual data transmission interpreted by the token. Check this site if you want to know more about it and you understand German : http://www.axsionics.ch/ .
The point where many attacks will fail is the transaction combined with account information. If the Go or No Go of the transaction is controlled by the token, outside of the attackers reach, all of the known transaction attacks are useless. An attack is detected easily and the transaction won’t be conducted.
Good job. One step ahead. Now it’s the attackers turn to react to this.

How online card security fails

carrumba — Wed, 27 Jan 2010 13:14:57 +0000

Yesterday on www.lightbluetouchpaper.org.

Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as “Verified by VISA” and “MasterCard SecureCode”. This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It’s getting hard to shop online without being forced to use it.

In a paper I’m presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it’s becoming a fat target for phishing. So why did it succeed in the marketplace?

Quite simply, it has strong incentives for adoption. Merchants who use it push liability for fraud back to banks, who in turn push it on to cardholders. Properly designed single sign-on systems, like OpenID and InfoCard, can’t offer anything like this. So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure. We conclude with a suggestion on what bank regulators might do to fix the problem.

Pizza delivery man cops to life in DarkMarket

carrumba — Sat, 16 Jan 2010 22:03:28 +0000

A former London pizza delivery man faces a 10-year prison sentence after admitting he helped found the notorious DarkMarket forum for computer crime, several news sites reported.

Renukanth Subramaniam, a 33-year-old Sri Lanka-born man from North London, pleaded guilty at Blackfriars Crown Court in London to conspiracy to defraud and furnishing false information. Authorities say he joined DarkMarket on its first day of operation in late 2005 and helped build it into an online resource for payment card fraud, with a thriving exchange for buying and selling stolen data and its own secure payment system.

DarkMarket operated for three years and had about 2,500 members at its peak. To be accepted, candidates had to provide details of 100 compromised cards to reviewers, who would then verify their validity. Members were required to adhere to a strict code of conduct that forbid foul language and pornography and demanded a kind of honor among thieves.