[Full-disclosure] Question about IPTV pentesting - packet manipulation for subscribing charged content

2010-01-25 Thread 김무성
Hello list.

On 2010.1.14, I sent the e-mail below to the list.

Someone then gave me information about netsed:

http://lcamtuf.coredump.cx/soft/netsed.tgz

It was a tool that I wanted.

Structure)

Monitor - IPTV STB - PC(attacker) - VDSL modem - internet

The PC has two NICs.

Bridge mode.

Ex)
   ifconfig eth0 0.0.0.0
   ifconfig eth1 0.0.0.0
   brctl addbr br0
   brctl addif br0 eth0
   brctl addif br0 eth1
   ifconfig br0 up

And then run tcpdump:

bash# tcpdump -n -i eth0
   ...
 (lots of funny stuff)
   ...
bash# tcpdump -n -i eth1
   ...
 (lots of funny stuff)

And I could watch IPTV normally.

Netsed has a local port.

So if a packet is sent to the local port, netsed will edit this packet and forward it.

bash# netsed tcp       1          0         0      s/abc/def
             Protocol  localport  remoteIP  rPort  rule

To forward IPTV packets to netsed’s local port, run these commands.

bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT

bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
-j REDIRECT --to-port 1

Because the IPTV is on a bridged network, I use ebtables and iptables.

Finally, when the IPTV wants to look up the VoD list, it sends an HTTP packet.

But netsed cannot receive the forwarded packet, so I cannot watch the VoD list.

All of this is to subscribe to charged content.

What was wrong?



Hello list.

 

I’m pen testing IPTV.

Example)

Monitor - IPTV STB - PC(attacker) - VDSL modem - internet

The PC has two NICs.

The two NICs are in bridge mode.

The IPTV STB sends a request packet to find out where a specific file for playing is.

To server port 8080:

   POST /VoD/whereisvod.cgi
   a1d1.mpg

The server’s response is:

   HTTP/1.1 200 OK
   192.168.10.10

And then the IPTV STB sends an RTSP packet to 192.168.10.10.

To server port 554:

   DESCRIBE a1d1.mpg

And play.

I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg not free)

   POST /VoD/whereisvod.cgi
   a1d2.mpg

   DESCRIBE a1d2.mpg

For this, I have to sniff the packets, block them, manipulate them and resend them.

Are there tools?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Question about IPTV pentesting - packet manipulation for subscribing charged content

2010-01-25 Thread Michael Holstein

> I wanna edit this file name. (a1d1.mpg is free, a1d2.mpg not free)

If this is all that needs to be done, why not use a transparent proxy
(on the bridge) :

http://www.faqs.org/docs/Linux-mini/TransparentProxy.html

and just use rewrite rules :

http://www.squid-cache.org/Doc/config/rewrite/

Cheers,

Michael Holstein
Cleveland State University
