hacking the friendly skies

NRMC has posted a presentation delivered at Schmoocon this year on Hacking the Friendly Skies. The presentation starts out like most any discussion on wireless security, but then takes a turn for the sinister by delving into FakeAP attacks. What really makes this presentation excellent are the later reports of just how many systems were found. When you combine Windows XP’s affinity for associating to anything that says hello and user affinity for not patching their systems and running a firewall you get some pretty satisfying results. And if you look closely, some of the vulnerable systems were some pretty trusted/important-sounding people. Yikes!

open source hotspots

PublicIP.net has open source (read: free!) tools for hotspot operators. Granted, the tools are not *quite* as feature-laden as expensive commercial tools, but I must say this looks pretty darn amazingly useful anyway, especially for small coffeeshops or local hotspots as opposed to the national franchises or hotels or something.

cracking cached windows domain credentials

Cleaning out some old bookmarks I came across this pretty cool find: a forum tutorial on recovering and then cracking cached domain credentials on a Windows machine. Not only is this tutorial practical to follow and use, but it gives ammunition to anyone who challenges setting Windows cached credentials to 0. Sadly, this butts right up against laptop users who, when they log in at home, need the cached credential to use the system.

For possible future pen-test work that I’d love to do someday, this might be useful to test policy. If I can get my hands on a system or even get a local admin to come over and troubleshoot my system by logging in as himself, I can use that cached credential and crack it. This is exactly why I made sure to let users log in right after I had been logged into their machines to clear the 1 cached credential that I allowed my systems to retain.

scripted secure runas

Sometimes you need to regularly runas an admin in Windows, but you might not necessarily want to give the user the local or domain admin password or save it in a cleartext file or shortcut or run over to type it in when needed. These are some options for secure ways of performing a runas. I’ve once used CPAU and it worked rather well. I had to give a SQL DBA access to production SQL servers and allow him to access other servers through admin shares via Enterprise Manager. Rather than give him a domain admin account or mess with permissions or store it in cleartext in a file or shortcut where he could look it up if he wanted to, I made a “secure” shortcut using CPAU. Pretty slick, and while it may have holes, it likely will stop any insiders from easily obtaining the credentials. This can be used for lesser instances like a user’s program that might need some admin rights somewhere and not run otherwise.

Thie page has a bunch of choices for situations where runas needs to be secure.

attacks and defenses for web apps

Article on attacks against web servers (app level) and mitigations to stopping them, with full examples on the attacks. Some interesting things to try out someday would be mod_security and Tripwire-like programs to monitor file integrity. I would love to start getting alerts like these on my own systems whenever something changes, even if it is me updating a web page on my site. I also have a project to get some sort of centralized monitoring on my network to check for creation/changes to local user accounts and other things. I’d love to be able to centrally pull my firewall logs (Sygate), but I bet that will require my own scripting. At any rate, the paper is much of the same tried-and-true stuff with security, but the examples are pretty cool.

Posted in web