Someday (not soon!) I’ll likely satisfy a curious project of mine in making a more aggressively defensive network. And vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of having a slightly more dangerous network to interlopers. Put up an outdated Wireshark sniffer while I randomly send out these packets and you won’t get too much. Especially anyone who uses live cds with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.
Month: August 2007
hackerspaces
Networking is amazingly potent right now in our field. We have an amazingly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.
This has been growing on me, and I am enamored by the concept. Dan Kaminsky has been espousing the idea of “hackerspaces” on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, fraternize, and all in a creative and supportive environment. Basically if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone’s basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a “networking-starved” middle of the country.
Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! 🙂
I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices (either cleanly or cluttered and dark!) at home in a way that best suits our work and helps our creativity. For instance, I tend to have black lights and other glowing things in lieu of lights (alone with the glow of monitors or course), in my workspace.
As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.
fully upgraded to ubuntu 7.04 feisty
Last night I finally moved my last (and main laptop) system up to Ubuntu 7.04 (Feisty). The install was painless. Started up the Update Manager, clicked the button to upgrade to 7.04, waited about 40 minutes where I also had to click Ok/Accept/Forward a couple times, and that was it.
I upgraded for a few reasons. First, some things I wanted to get working on my laptop were (supposedly) easily fixed in Feisty, but still overly complicated on Edgy, including using Silc/Tor with IRSSI and OpenVPN client management. Second, I believe in keeping software as updated as possible (within bleeding edge reasons, of course). You don’t want to ever be left behind with unsupported (or unloved!) software that has reduced functionality. It’s a lot like living in the past.
easy cisco vpn client priv escalation vuln
The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) allows a user to replace the file with something else and have it executed with Local System privs. Replace this with a quick script the launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That’s a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.
More information is posted on Cisco’s site. I saw this pass by the Full-Disclosure list. Local priv escalations don’t get much easier…
updating my status in world of warcraft
For any other WoW players out there, thought I’d throw down an update for no other reason than I want to. My focus has shifted to simply leveling up and a bit towards pvp; something that doesn’t require me to be a slave to other people 6 hours a night 6 days a week. This is fully just a distraction for me, now.
My Draenei Shaman is now level 61 on Kul’Tiras. He’s been Enhancement spec while leveling with a friend who plays a Hunter. I’ll respec him to Resto in a few levels, I think, and likely look into going pvp with him. I don’t anticipate ownage in pvp over any pure classes, but he should do ok once I get him some gear bought through pvp. A fun class, nonetheless.
My “main” is finally getting some love again and putting on some levels and pvp honor. My 64 affliction gnome warlock on Crushridge is having tons of fun in pvp, especially since his previous raiding gear is better than any but the top level 70 pvp gear so I can save up all my points. Likewise, at 64, I don’t shy away from level 70s. Being a warlock has always owned; it fits my playstyle, and I really can’t enjoy a class more. At level 61, I scored my first legit, 1on1 non-BG level 70 kill…another warlock no less! And about half the time, I am top 1 or 2 in overall damage in AB or WSG. Two more talent points and I’ll fully enjoy an instant cast aoe fear.
Lastly, I am also playing my level 60 priest on Crushridge as well. I happily spent his refunded (from last christmas!) talent points and made him a shadow priest (he was a backup dorf healer in raiding back in the day) to see what it is like. So far it has been fun, especially since I solo him in the Outlands. I doubt I’ll ever devote too much time to him, but he’s at least an option and fun.
accessing ssh over the web
I’m not sure what to think about GoToSSH.com either. While this is something I’ve been kinda wondering when it would find a web interface (and likely has others, I just don’t know them), I’m not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn’t look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore… (Yes, it always has been moot since it could use any port, but still…) Might be a site worth bookmarking or blacklisting depending on your view.
Network security continues as holding sand…
pen-testing lists
Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.
First, Peter listed a bunch of tools and hardware he takes for on-site work:
1. Test laptop
2. Spare laptop
3. 4-way mains extension lead with regular plug and plug for computer room racks
4. Selection of Ethernet cables and couplers
5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
6. Mini hub
7. Cisco console cable
8. Cross-over cable
9. External USB hard drive containing rainbow tables
10. USB key for backups
11. DOS bootable USB key
12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
13. DVD containing copy of all my source files
14. Windows 2000 CD (for rebuilds!)
15. Swiss Army cyber tool
16. Spare laptop hard drive
17. Kensington lock (to comply with client policy if laptop left on site overnight)
18. Vodafone 3G card for Internet access if there’s no wireless
19. Laptop mouse x2
20. Mini USB hub
21. Modem cable and adapters (just in case!)
22. Magic markers
23. Blank CDs
24. Wheelie bag to carry it all in!
Second, he listed the directories found on the above-mentioned DVD of tools:
Absinthe
AccessChk
AccessEnum
Achilles
Active-at
adminpak
Amap
APak
AppDetective
ARPsniffer
ATA HD password
Athena
ATK
Beat LM
Buffer Overflow Utility
Cachedump
cain and abel
Cerberus
C-Force
Checkpoint-Rules
Chntpw
Cisco IOS HTTP Vuln
Citrix clients
Cobra
CommView
CookieViewer
Copernic
Core Impact
CRACKERS
aefsdr
AOPB
AOPR
APDFPRP
Brutus
CacheDump
CMOSpwd
IPR (Lotus Notes)
John the Ripper
L0phtcrack
LCP
LMCrack
Lotus Notes Key
LSASecretsDump
MBSA
NTPWD
Ophcrack
Passwd – recovery FULL
POPcrack
PWLTOOL
SAMInside
AZPR
Crowbar
Crypto4
CUPASS
Data Thief
Dell laptop cmos erase
DHCP Find
Dictionaries
Dumpsec
EFSdump
Essential NetTools
Ethereal Windows Version
Exploits
FGdump
Flash Decompiler
GetAcct
GetUserInfo
GTwhois
Hydra
Hyena
IDserve
IKE-scan
iShadow
KarenWare
Katapulta
LAN Surveyor
LANguard
LDAP Miner
LG
Locksmith
Maestro
Member of
Metasploit
MingSweeper
MSRDP client
MySQL query browser
NBTdump
NBTscan
Nessus
Netalert
NetBiosSpy
Netcat
NetScanTools Pro
Network Protocols Handbook
NetworkView
niktoogle
Nmap
NT Recover
NTFS Reader
NTFSDOS
NTFSRead
Oat
ObiWaN
oracle-sql-injection
Paros
PasswordsPro
Protected Storage PassView
Protos
PsLogList
Putty
PwdChangerPro
pwdump
Rainbow crack
RegBrws
Rempass
RPC scan
RPC Tools
SAMdump
SamInside
SamSpade
ScoopLM
SecuRemote client
ShareEnum
SID
Siphon
SiteDigger
SiVuS
SmartWhois
SMB Audit Tool
SMBcrack
SNMPing
SNScan
SNSI
SOAPbox
SoapMonitor
SolarWinds
Somar
SPIKEproXy
SSL Proxy
Streams
Subnet Calculator
Superscan
SWB
Sysinternals
SysRQ2
Tamper
Tools4Ever
Trojans
twwwscan
UBCD
Ultimate Boot CD
Unicorn Scan
URL discombobulator
USB boot
USBAuditor
Visual Web Spider
VNC
VOIP TESTING
WAR DIAL
WebDAVExplorer
WebInspect
WebScarab
WebSleuth
WinSID
WIRELESS
Wireshark
WPI
Zlash
radajo’s common misconceptions on arp cache poisoning
I don’t usually pimp sites, but every now and then I see a blog that looks very cool to follow. RaDaJo seems to be an excellent site to add to my feed. Of note, I got linked to their ARP cache poisoning misconceptions post. As a bonus, check the comments for two more links, one to an awesome GIAC paper that is basically everything you’ll ever need to know about ARP poisoning, and the Oxid.it link as well. Maybe all that is left is more details on how to detect ARP cache poisoning, but Raul Siles may have covered that in his paper. I see he has a remediation section, but I’ve not gotten there yet. Arpwatch/Arpalert…anomalous trends in ARP traffic…
notes on crontab including redirecting output
Kevin van Zonneveld has posted some notes on using crontab. I don’t use crontab enough, which means I always have to look up the time settings. However, that is easily done via Google. What I really liked about Kevin’s notes dealt with handling the errors and pointing them to a file rather than the user’s mailbox. I can see reasons for doing it either way.
notes on netcat
One paper on netcat uses is fine, but two sites in two days exceeds my Recollection Buffer and defaults back to needing a post.
Dean De Beer offered up a paper on Netcat for the Masses which gives some good initial infomation on playing with netcat.
And I found Luke posted even more uses for netcat.
techrepublic list of some free security tools
Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn’t know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.
Secunia Personal Software Inspector – Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don’t know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That’s money right there!
GMER anti-rootkit – This tool looks really cool, and if it doesn’t require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows…
File Shredder – I like the idea of File Shredder, but I’m not sure I really need it. It’s not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it’s nice to have one in the pocket if the need arises.
Other tools are iffy to me. I’m not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefix has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that’s a special purpose and I don’t need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can’t think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.
For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that’s not enough, but I’ve got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).
eakiu is short for mac software for wi-spy
I have a Wi-Spy, which is an excellent (and cheap!) specturm analyzer tool. I saw a mention for it on NetGirl’s blog over at ArubaNetworks on her list of cool tools. But I didn’t know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.
I’d thought that was what EaKiu was, since I’d seen mention of Mac and Linux software back on MetaGeek’s old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.
five essential laptop security tips from security-hacks
A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5, install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case, top 5 is really “the 5 things to do.”
Instead, I’d replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son’s little league digital pictures or those important sales emails.
bookpool sale on addison-wesley and prentice hall books
I dig BookPool.com; I’ve used them for many of my book purchases over the years, only occassionally delving into Borders/Barnes & Noble/Amazon when I have gift certs or for impulse buys. Today I pre-ordered Virtual Honeypots. This looks to be an awesome how-to sort of book about honeypots; something I’ve been eagerly waiting to delve into. It should be out any day, really. This was prompted by a welcome spam email from BookPool about a sale on Addison-Wesley and Prentice Hall books.
I’m also eagerly awaiting the Metasploit Toolkit book, despite being published by Syngress (in my opinion, the spottiest tech book publisher with quality all over the place….and I just don’t like holding their books like I do Addison-Wesley books). There’s a lot of new stuff in Metasploit 3, and I’m holding out really getting into it (like I used Metasploit 2x) until this book comes out. I may combine this with looking into Ruby or Python a bit more. Of all the tool-books out there, only BackTrack comes to mind as needing an updated book (BackTrack 3 perhaps?).
I also see Wi-Foo II has been pushed back (or maybe it was really tentative at late 2007 months ago) into 2008. I’m looking forward to this book as well. The first book was awesome, but got mired down in the technical problems of getting wireless working properly in Linux, which is a requirement for the subject. These days, wireless support is much easier and better, which hopefully means less mud devoted to the intricacies and details. Other books cover it well lately anyway, like Hacking Exposed: Wireless and Syngress’ Wardriving and Wireless Penetration Testing. Although not without their own minor faults, are both excellent wireless security books.
venting on vagueness and vagary
The past weeks’ worth of business days I took some vacation time, not just from work, but also from reading security blogs for the most part. I also was able to look at my own time spent here (in between rediscovering WoW pvp), and decided to shift things up a bit (or so the plan goes).
I’m really…I want to say sick or tired, but those words are too strong. I guess I’m just really bored reading security industry or business commentary (with some exceptions for those people who do excel at writing) with almost zero technical content or anything beyond feel-good vagueness (or maybe vagary), otherwise known as best practices. A lot of this is common sense and while I understand other people have things to say (I do too!), I sometimes just find myself skimming fluffy posts that really leave me with absolutely nothing new.
Sometimes it is cathartic to vent (or as most people call it, “post commentary”), and I’ll likely still do so now and then, but I really see little need for it most of the time, at least on my site. I can vent just fine in person, on IRC, on IM, or in comments. And maybe Skype someday if I get back on it.
This is just me telling myself to stay technical and actionable, for now. 🙂 I used to post a lot more information about tools and things to do, and have gotten away from that in the past year. I can see a correlation between this shift and my personal and work lives, so I think I know the problems and the measures on how to fix them.
Of course, this itself is a rant, but it is one I have the compulsion to post for my own benefit.