I’ve been going over some of the pending things in my todo lists. Here’s a few things.

I don’t know of anything that can browse shares in Gnome on Ubuntu (Nautilus can using smb:\\server\share, but that requires knowing your target). So I installed smb4k which is available through Synaptic. Seems I needed a bunch of other stuff, including kdelibs. While smb4k is a KDE tool, it seems to run just fine in Gnome. It can be loaded from Applications->Accessories. The initial load will throw a non-terminating KWallet error, but then happily disables itself and continues. One bonus is the ability to manage and see existing mounts.

If you see a system but aren’t sure what OS it might be (if Windows, then you can try those fun admin shares!), you can check it out using an OS fingerprint tool. Yes, nmap and p0f are your typical choices, but SinFP might be a third option. I decided to try this on Windows and followed the instructions given. Everything seemed fine, but when I tried to fingerprint anything on my network, I typically was told I cannot fingerprint a closed or filtered port, even though I know it was open and allowed. Most of the time perl.exe would then spin and I’d have to kill it. Not sure what was going on, but might revisit it at some later date on Linux, perhaps. Regardless of the results of this tool, being able to know some of the differences that operating systems display in various packets and other behavior is some pretty fundamental and “not difficult” stuff. Being written in perl, it might be nice to read through this tool’s signatures and techniques.

XAMPP looks like a nice way to get a full compliment of tools and applications for a web server set up quickly on either Linux or Windows (or others!). I’ve not tried this out as I wanted to do stuff manually with my latest build, but I might consider XAMPP in the future.

Here is a snippet of a Dan Kaminsky presentation on SSL Hell at Toorcon. He talks about the bad things he has found about SSL through his huge scans of the Internet. I really dig that he admits security people can be wrong when trying to require SSL on every page. SSL can be intensive on servers and the hardware doesn’t scale well with it. One thing I didn’t like is a minor quibble. He points out that a lot of sites don’t appear to use SSL (https) on their logins, but I’d like if he just said, “I sniffed this transaction to verify it wasn’t secured underneath what I can see in my browser.” He’s probably correct in saying they were insecure, however.

I can’t remember where I found this originally, but I wanted to document it on my site for future reference. This reg script should add the ability to right-click any Windows folder and launch a cmd prompt at that location. Update: Looks like I maybe found it here.

REGEDIT4

[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@=”Command &Prompt:”

[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@=”C:\\windows\\SYSTEM32\\cmd.exe /k cd \”%1\””

[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@=”DOS &Prompt Here”

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@=”C:\\windows\\SYSTEM32\\cmd.exe /k cd \”%1\””

People often ask me how I like my Razr phone. I tell them it’d be a really nice phone…if I wasn’t on Verizon. Yes, Verizon is well known for crippling their Razr’s to the point where I really do only use it for phone calls and the occassional text message. In the past I have done minor adjustments like getting my own ringtones on the phone (text yourself a .wav file renamed to .mp3 and it will let it through, and play it as a .wav file properly) I’ve never delved too deeply into messing with it, being my first personally-owned cell phone. John Ward over at The Digital Voice has posted an awesome article about hacking the Razr, and he suffered from the same crippling issues from Verizon that I do. Since my contract is quite mature now and I’m more comfortable with pushing the line on my phone, I think I will make a note to try this stuff out. He’s truly right that if I can unlock all this stuff in the article, the phone will take on a whole new level of use in my life. Funny how Verizon doesn’t get that…

About half a year ago I posted about Untangle (and it has remained on my long-term projects list, sadly). I see they got some more press in ComputerWorld as they have turned their product open source. Sounds cool, and I still want to check it out on my home network someday (yeah, one of those projects that keeps getting pushed down…).

Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won’t necessarily stop or prevent an attack, but can act as a watchguard for something evul going on, or to figure out what an attacker may have done on your network. The real usefulness of this tool won’t be realized until it is used though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.

Of note, no, I’m not all that great with Snort. It’s on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.

I’ve been ramping up my studying lately, which has taken some time away from blogging (both reading them and writing some). I’ve also made headway into my huge list of “pending” items that both sit on my bathroom counter and in my email box.

But I have found time to plug away at some more books. I’ve (finally!) started reading Tao of Network Security by Richard Bejtlich. I’ve put this book off way too long (I wanted more background into TCP/IP and Linux before tackling the book, or so I tell myself) and am finally getting into it. I really dig the tone and how Bejtlich presents the topics. Thankfully, the very academic first chapters were followed-up by excellent later chapters that I found much more interesting (maybe because I already knew his positions and definitions from following his blog).

Last night I also started reading Security Metrics by Andrew Jaquith. I really dig this guy’s writing, and I was amazed by the opening tones of the book. First an opening by one of the most recognizable writing styles in security, Dan Geer, which is also visionary and almost prophetic. Just reading anything he writes feels weighty; old and dustry like an important magical tome hidden in some wizard’s tower. Then into Jaquith’s wonderful presentations. I think this book will go fast.

Yes, I read multiple books at once. Sometimes I read novels which just require me and a chair. Other times technical books that pretty much require a computer nearby to follow along. I typically have two or three going at any given time, depending on my mood and the resources nearby. It is usually too much to be reading 2 hands-on books at a time, so I try to keep it mixed up with different flavors of books.

A few days ago I mentioned ddos mitigation. The referenced article [pdf] concerns UFIRT’s actions in the face of a rather unique incident: a DDOS attack planned to occur in 1 week’s time. Incident Response plans are important to a company’s security posture, but not every imaginable incident needs to have an itemized response plan. And while issues like a DDOS likely should not be painstakingly planned out, it should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an adhoc incident like a DDOS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon…

Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.

First, this is a great article for people who already are familiar with DNS Pinning, since the author really throws out “Anti DNS Pinning” and “DNS Pinning” quite a lot, and it gets confusing which one he is actually talking about in each example. DNS Pinning is a behavior of a web browser to cache DNS requests until the window (or all windows of that browser) are closed. Any admin supporting DNS or web servers has experienced this behavior. “That should work…did you hit refresh? Oh wait, close all your browser first and retry. Yup that did it!” Christian then explains a way to get around DNS Pinning so an attacker can redirect users without their knowledge by leveraging browser behavior and changes to DNS entries.

Second, while several web security researchers would like to say this is a Big Deal, I consider this an exotic attack, yet. Christian mentions this can be used to attack internal servers, but that requires significant knowledge, and I don’t think most corporations will have to care. Still, there is always the potential for something like this to become a common attack method in the future.

The takeaways for this is to know what DNS Pinning means, what Anti DNS Pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.