Comments for mishou.org http://mishou.org A site about learning. Tue, 27 Dec 2011 23:32:02 +0000 hourly 1 http://wordpress.com/ Comment on Insecure Programming by Example: abo4.c POINTER MADNESS by InsecureProgramming – ABOF – 4 « secpractice http://mishou.org/2010/08/09/insecure-programming-by-example-abo4-c-pointer-madness/#comment-109 Tue, 27 Dec 2011 23:32:02 +0000 http://mishou.org/?p=220#comment-109 [...] Like many other problems there can be multiple ways to solve this one. In one approach, the second strcpy() is used to write the address of an environment variable which contains the shellcode. http://mishou.org/2010/08/09/insecure-programming-by-example-abo4-c-pointer-madness/ [...]

]]> Comment on Insecure Programming by Example: abo2.c, not vulnerable…o rly? by InsecureProgramming – ABOF – 2 « secpractice http://mishou.org/2010/02/13/insecure-programming-by-example-abo2-c-not-vulnerable-o-rly/#comment-108 Mon, 26 Dec 2011 10:16:36 +0000 http://mishou.org/?p=148#comment-108 [...] is the link http://mishou.org/2010/02/13/insecure-programming-by-example-abo2-c-not-vulnerable-o-rly/ Share this:TwitterFacebookLike this:LikeBe the first to like this post. Categories: [...]

]]> Comment on Insecure Programming by Example: shellcode & stack5.c by 2010 in review « mishou.org http://mishou.org/2009/12/12/insecure-programming-by-example-shellcode-stack5-c/#comment-102 Sun, 02 Jan 2011 15:15:37 +0000 http://mishou.org/?p=96#comment-102 [...] Insecure Programming by Example: shellcode & stack5.c December 2009 1 comment [...]

]]> Comment on Insecure Programming by Example – controlling EIP, stack4.c by 2010 in review « mishou.org http://mishou.org/2009/12/07/insecure-programming-by-example-controlling-eip-stack4-c/#comment-101 Sun, 02 Jan 2011 15:15:34 +0000 http://mishou.org/?p=68#comment-101 [...] Posts (24-48 hrs.) Insecure Programming by Example – controlling EIP, stack4.c « Insecure Programming by Example: abo6/7/8 Ménage [...]

]]> Comment on Insecure Programming by Example: Advanced Buffer Overflows 1 by 2010 in review « mishou.org http://mishou.org/2009/12/23/insecure-programming-by-example-advanced-buffer-overflows-1/#comment-100 Sun, 02 Jan 2011 15:15:32 +0000 http://mishou.org/?p=122#comment-100 [...] Insecure Programming by Example: Advanced Buffer Overflows 1 December 2009 5 comments and 1 Like on WordPress.com, 4 [...]

]]> Comment on automagic Python urllib basic HTTP authentication by 2010 in review « mishou.org http://mishou.org/2009/12/10/automagic-python-urllib-basic-http-authentication/#comment-99 Sun, 02 Jan 2011 15:15:29 +0000 http://mishou.org/?p=88#comment-99 [...] automagic Python urllib basic HTTP authentication December 2009 3 [...]

]]> Comment on Passive DNS mining from PCAP with dpkt & Python by 2010 in review « mishou.org http://mishou.org/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/#comment-98 Sun, 02 Jan 2011 15:15:26 +0000 http://mishou.org/?p=210#comment-98 [...] The busiest day of the year was October 28th with 77 views. The most popular post that day was Passive DNS mining from PCAP with dpkt & Python. [...]

]]> Comment on Passive DNS mining from PCAP with dpkt & Python by alfonso http://mishou.org/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/#comment-92 Fri, 03 Dec 2010 23:13:03 +0000 http://mishou.org/?p=210#comment-92 12 for ts, buf in pcap:

]]> Comment on Passive DNS mining from PCAP with dpkt & Python by alfonso http://mishou.org/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/#comment-91 Fri, 03 Dec 2010 23:11:24 +0000 http://mishou.org/?p=210#comment-91 Traceback (most recent call last):
File “./parserdns.py”, line 12, in
for ts, buf in pcap:
File “build/bdist.linux-i686/egg/dpkt/pcap.py”, line 141, in __iter__
File “build/bdist.linux-i686/egg/dpkt/dpkt.py”, line 75, in __init__
dpkt.dpkt.NeedData

]]> Comment on Passive DNS mining from PCAP with dpkt & Python by mmishou http://mishou.org/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/#comment-77 Sun, 12 Sep 2010 23:26:41 +0000 http://mishou.org/?p=210#comment-77 Lou,

First, sorry for the delay in response.

Thanks for the tip. I’m trying to figure out why an A record wouldn’t be 4-bytes. Do you have a sample you can show me? I haven’t found this on our network at work, which is pretty large, but that’s not saying it couldn’t happen.

There is mention on the Wikipedia page here of some RFC’s that might explain the issue, http://en.wikipedia.org/wiki/List_of_DNS_record_types. Notably, they talk about “Returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host, but also used for DNSBLs, storing subnet masks in RFC 1101, etc.”. A subnet mask should still be 4 bytes. But in reading the RFC 1035, I came across this in section 3.4.1:

Hosts that have multiple Internet addresses will have multiple A
records.

Maybe you’re seeing packets with multiple A record addresses in one response? I haven’t tested that, I might have to iterate over answer.rdata, maybe it comes back as an array if there are multiple responses or something. Will test it and report back here.

An example of this:

8 0.658817 192.168.1.1 192.168.1.5 DNS Standard query response CNAME http://www.l.google.com A 72.14.204.147 A 72.14.204.104 A 72.14.204.99 A 72.14.204.103

And:

31 242.110444 192.168.1.1 192.168.1.5 DNS Standard query response A 74.200.243.253 A 76.74.255.123 A 72.233.2.58 A 72.233.2.59 A 76.74.254.123 A 74.200.243.251

Whereas:

21 106.408197 192.168.1.1 192.168.1.5 DNS Standard query response A 64.85.164.40

Thanks again!

]]>