NRMC has posted a presentation delivered at Schmoocon this year on Hacking the Friendly Skies. The presentation starts out like most any discussion on wireless security, but then takes a turn for the sinister by delving into FakeAP attacks. What really makes this presentation excellent are the later reports of just how many systems were found. When you combine Windows XP’s affinity for associating to anything that says hello and user affinity for not patching their systems and running a firewall you get some pretty satisfying results. And if you look closely, some of the vulnerable systems were some pretty trusted/important-sounding people. Yikes!
Airpwn is a quick C tool that can inject http content (and other content) into wireless 802.11b networks. Tested at Defcon12; supposedly the only reliable part of the tool is to replace all http images with an image/redirect of your choosing. Might be interesting to play with on a nix box.
Update: article on using airpwn.
PublicIP.net has open source (read: free!) tools for hotspot operators. Granted, the tools are not *quite* as feature-laden as expensive commercial tools, but I must say this looks pretty darn amazingly useful anyway, especially for small coffeeshops or local hotspots as opposed to the national franchises or hotels or something.
This is a LinuxExposed article on wireless hacking.
Cleaning out some old bookmarks I came across this pretty cool find: a forum tutorial on recovering and then cracking cached domain credentials on a Windows machine. Not only is this tutorial practical to follow and use, but it gives ammunition to anyone who challenges setting Windows cached credentials to 0. Sadly, this butts right up against laptop users who, when they log in at home, need the cached credential to use the system.
For possible future pen-test work that I’d love to do someday, this might be useful to test policy. If I can get my hands on a system or even get a local admin to come over and troubleshoot my system by logging in as himself, I can use that cached credential and crack it. This is exactly why I made sure to let users log in right after I had been logged into their machines to clear the 1 cached credential that I allowed my systems to retain.
A SANS Tool Talk Webcast: Anatomy of an Attack.
A thorough examination of sql injection attacks using examples.
Sometimes you need to regularly runas an admin in Windows, but you might not necessarily want to give the user the local or domain admin password or save it in a cleartext file or shortcut or run over to type it in when needed. These are some options for secure ways of performing a runas. I’ve once used CPAU and it worked rather well. I had to give a SQL DBA access to production SQL servers and allow him to access other servers through admin shares via Enterprise Manager. Rather than give him a domain admin account or mess with permissions or store it in cleartext in a file or shortcut where he could look it up if he wanted to, I made a “secure” shortcut using CPAU. Pretty slick, and while it may have holes, it likely will stop any insiders from easily obtaining the credentials. This can be used for lesser instances like a user’s program that might need some admin rights somewhere and not run otherwise.
Thie page has a bunch of choices for situations where runas needs to be secure.
Article on attacks against web servers (app level) and mitigations to stopping them, with full examples on the attacks. Some interesting things to try out someday would be mod_security and Tripwire-like programs to monitor file integrity. I would love to start getting alerts like these on my own systems whenever something changes, even if it is me updating a web page on my site. I also have a project to get some sort of centralized monitoring on my network to check for creation/changes to local user accounts and other things. I’d love to be able to centrally pull my firewall logs (Sygate), but I bet that will require my own scripting. At any rate, the paper is much of the same tried-and-true stuff with security, but the examples are pretty cool.
Having just watched Dan Kaminsky’s Black Ops of TCP/IP 2005 presentation that he gave at the 22nd Chaos Communications Congress, I have a couple links on dns snooping, which he (in typical Kaminsky fashion) utilized in creative fashions. First, a paper on dns cache snooping. And second, a site on how dns snooping actually works.
The paper, Insertion, Evasion, and Denial of Service: Eluding Intrusion Detection, is the definitive guide to beating IDS and has been the foundation of IDS attacks ever since. I must read this sometime, for historical reasons and more.