Someday (not soon!) I’ll likely satisfy a curious project of mine in making a more aggressively defensive network. And vulnerabilities like the recently posted Wireshark MMS DoS are a perfect example of having a slightly more dangerous network to interlopers. Put up an outdated Wireshark sniffer while I randomly send out these packets and you won’t get too much. Especially anyone who uses live cds with outdated software. In this case, it is not necessarily about protecting devices and data, but actively knocking off rogue intruders.

Networking is amazingly potent right now in our field. We have an amazingly growing number of XXXsec get-togethers in major parts of the country where like-minded geeks and security nuts can get together to hang out, share war stories, push technology to new limits, or just make new friends. Cons are still popping up here and there, and I think they truly are some of the highlights of the year for many a geek.

This has been growing on me, and I am enamored by the concept. Dan Kaminsky has been espousing the idea of “hackerspaces” on his romp through Europe. Hackerspaces are basically places set up where like-minded people can go and hang out, do things, fraternize, and all in a creative and supportive environment. Basically if you like coffee, you hang out at a coffeeshop and chill out; if you like reading, you hang out in a bookstore; if you like video games, you might try out a cyber bar or two with the buds or adopt someone’s basement as your playpen. Why not a hacker/geek/technology sort of space? It is an amazing idea, especially for someone like me who lives in a “networking-starved” middle of the country.

Metalab is one that Dan posted a link for. This concept is also a project of the Hacker Foundation. I hope Dan and the Hacker Foundation both continue to bring this to our attention; heck, the idea of presenting slideshows of his romps might be a nice shift of pace for Dan to present about! 🙂

I also think there is room for hackerspaces as a smaller concept. For instance, I bet many of us have decked out our offices (either cleanly or cluttered and dark!) at home in a way that best suits our work and helps our creativity. For instance, I tend to have black lights and other glowing things in lieu of lights (alone with the glow of monitors or course), in my workspace.

As a side thought, it is interesting that for such a virtualized culture as we have, and as much as we work and live on the net, we still (for the most part) desire physical proximity with like-minded persons.

The Cisco VPN client for Windows has an interesting advisory out today. The local file cvpnd.exe (C:\Program Files\Cisco Systems\VPN Client) allows a user to replace the file with something else and have it executed with Local System privs. Replace this with a quick script the launches a shell (or does anything else you want) before launching the real cvpnd.exe. I prefer just creating a quick admin account that I control. That’s a nice little pocket-exploit to keep in mind, especially since plenty of systems get an initial install of the Cisco VPN and never get updated again for the life of it.

More information is posted on Cisco’s site. I saw this pass by the Full-Disclosure list. Local priv escalations don’t get much easier…

I’m not sure what to think about GoToSSH.com either. While this is something I’ve been kinda wondering when it would find a web interface (and likely has others, I just don’t know them), I’m not sure I would use it. I certainly would not use it for anything sensitive in nature. It doesn’t look like it supports certificates, but simply username/password challenge instead. This may make it somewhat moot to block outbound SSH anymore… (Yes, it always has been moot since it could use any port, but still…) Might be a site worth bookmarking or blacklisting depending on your view.

Network security continues as holding sand…

Snagged from Alex.

Peter Wood posted two lists to the SecurityFocus pen-test list recently, which I wanted to capture and reproduce here. Feel free to ignore this post.

First, Peter listed a bunch of tools and hardware he takes for on-site work:
1. Test laptop
2. Spare laptop
3. 4-way mains extension lead with regular plug and plug for computer room racks
4. Selection of Ethernet cables and couplers
5. Ethernet / Token Ring adapter (yes, there are still Token Ring users out there!)
6. Mini hub
7. Cisco console cable
8. Cross-over cable
9. External USB hard drive containing rainbow tables
10. USB key for backups
11. DOS bootable USB key
12. Selection of bootable CDs (Ophcrack Live, PasswordChangerPro, NTFSreader)
13. DVD containing copy of all my source files
14. Windows 2000 CD (for rebuilds!)
15. Swiss Army cyber tool
16. Spare laptop hard drive
17. Kensington lock (to comply with client policy if laptop left on site overnight)
18. Vodafone 3G card for Internet access if there’s no wireless
19. Laptop mouse x2
20. Mini USB hub
21. Modem cable and adapters (just in case!)
22. Magic markers
23. Blank CDs
24. Wheelie bag to carry it all in!

Second, he listed the directories found on the above-mentioned DVD of tools:
Absinthe
AccessChk
AccessEnum
Achilles
Active-at
adminpak
Amap
APak
AppDetective
ARPsniffer
ATA HD password
Athena
ATK
Beat LM
Buffer Overflow Utility
Cachedump
cain and abel
Cerberus
C-Force
Checkpoint-Rules
Chntpw
Cisco IOS HTTP Vuln
Citrix clients
Cobra
CommView
CookieViewer
Copernic
Core Impact
CRACKERS
        aefsdr
        AOPB
        AOPR
        APDFPRP
        Brutus
        CacheDump
        CMOSpwd
        IPR (Lotus Notes)
        John the Ripper
        L0phtcrack
        LCP
        LMCrack
        Lotus Notes Key
        LSASecretsDump
        MBSA
        NTPWD
        Ophcrack
        Passwd – recovery FULL
        POPcrack
        PWLTOOL
        SAMInside
        AZPR
Crowbar
Crypto4
CUPASS
Data Thief
Dell laptop cmos erase
DHCP Find
Dictionaries
Dumpsec
EFSdump
Essential NetTools
Ethereal Windows Version
Exploits
FGdump
Flash Decompiler
GetAcct
GetUserInfo
GTwhois
Hydra
Hyena
IDserve
IKE-scan
iShadow
KarenWare
Katapulta
LAN Surveyor
LANguard
LDAP Miner
LG
Locksmith
Maestro
Member of
Metasploit
MingSweeper
MSRDP client
MySQL query browser
NBTdump
NBTscan
Nessus
Netalert
NetBiosSpy
Netcat
NetScanTools Pro
Network Protocols Handbook
NetworkView
niktoogle
Nmap
NT Recover
NTFS Reader
NTFSDOS
NTFSRead
Oat
ObiWaN
oracle-sql-injection
Paros
PasswordsPro
Protected Storage PassView
Protos
PsLogList
Putty
PwdChangerPro
pwdump
Rainbow crack
RegBrws
Rempass
RPC scan
RPC Tools
SAMdump
SamInside
SamSpade
ScoopLM
SecuRemote client
ShareEnum
SID
Siphon
SiteDigger
SiVuS
SmartWhois
SMB Audit Tool
SMBcrack
SNMPing
SNScan
SNSI
SOAPbox
SoapMonitor
SolarWinds
Somar
SPIKEproXy
SSL Proxy
Streams
Subnet Calculator
Superscan
SWB
Sysinternals
SysRQ2
Tamper
Tools4Ever
Trojans
twwwscan
UBCD
Ultimate Boot CD
Unicorn Scan
URL discombobulator
USB boot
USBAuditor
Visual Web Spider
VNC
VOIP TESTING
WAR DIAL
WebDAVExplorer
WebInspect
WebScarab
WebSleuth
WinSID
WIRELESS
Wireshark
WPI
Zlash

I don’t usually pimp sites, but every now and then I see a blog that looks very cool to follow. RaDaJo seems to be an excellent site to add to my feed. Of note, I got linked to their ARP cache poisoning misconceptions post. As a bonus, check the comments for two more links, one to an awesome GIAC paper that is basically everything you’ll ever need to know about ARP poisoning, and the Oxid.it link as well. Maybe all that is left is more details on how to detect ARP cache poisoning, but Raul Siles may have covered that in his paper. I see he has a remediation section, but I’ve not gotten there yet. Arpwatch/Arpalert…anomalous trends in ARP traffic…

Kevin van Zonneveld has posted some notes on using crontab. I don’t use crontab enough, which means I always have to look up the time settings. However, that is easily done via Google. What I really liked about Kevin’s notes dealt with handling the errors and pointing them to a file rather than the user’s mailbox. I can see reasons for doing it either way.

Love me tools; love me tool lists as well, especially with new things. The Security Mentor himself was right, this list is pretty cool and has some things I didn’t know about! If you look closely, pretty much under each of the ten entries are links to MORE similar free tools. Here are the ones that caught my eye. Note that the list is centered on Windows.

Secunia Personal Software Inspector – Holy crap! This is an awesome-sounding tool because trying to keep up with what is patched and what is out of date is one of the least-talked about futile and frustrating efforts in the IT back room! I think this one is going to be a priority to try out this weekend. I don’t know about licensing, but I bet you can buy just one copy for business and use it on a base workstation image that has all your applications installed, then use it as your reference. That’s money right there!

GMER anti-rootkit – This tool looks really cool, and if it doesn’t require an actual installation routine, will likely make it into my desktop toolkit alongside Spybot, Sysinternals tools, and so on. If it requires an install, it could still be useful as another incident response investigation tool. Now, someone needs to make Tripwire free on Windows…

File Shredder – I like the idea of File Shredder, but I’m not sure I really need it. It’s not like I am storing illegal or hugely private junk on my systems, and I certainly have no intentions of selling or giving away my disks anytime soon (like any geek, I can and will find uses for everything). Still, it’s nice to have one in the pocket if the need arises.

Other tools are iffy to me. I’m not a huge fan of loading my web browser with toolbars and plugins. Anything extremely useful really should get built into the browser eventually. I like seeing more options for IE, especially since my love for Firefix has dwindled as it has gotten bigger, slower, and buggier in the past year. Yes, loading up Firefox with testing/security plugins is awesome, but that’s a special purpose and I don’t need to browse with them always loaded. The only ones I use regularly are NoScript (only recently!), Tor, a client banner changer (I can’t think of the damned name for it right now!), and a plugin that displays the target site IP address at the bottom.

For web privacy stuff, just learn how to empty the cache and where else stuff is stored along with browser and OS tracking options. Yeah, that’s not enough, but I’ve got a bias against cleaners. For new system crapware, learn how to welcome your new system into your home with a quick enema (format and reinstall).

I have a Wi-Spy, which is an excellent (and cheap!) specturm analyzer tool. I saw a mention for it on NetGirl’s blog over at ArubaNetworks on her list of cool tools. But I didn’t know what EaKiu was in her Wi-Spy bullet. I thought about emailing or commenting, but this seemed to require more effort on my part to converse with her, so I resorted to a Google search for the tool in the hopes that the unique string was easily found. Indeed, I saw that EaKiu is software to display results from Wi-Spy! And boy does it look fucking sweet. Now I just have to find a Mac-user to try it out for me.

I’d thought that was what EaKiu was, since I’d seen mention of Mac and Linux software back on MetaGeek’s old site, but I could never find that information again on the new site design. Of note, the Linux version, while workable, is still pretty ugly compared to Mac or Windows software.

A list of 5 essential laptop security tips leaves an important one out and includes a rather dubious entry. Tip #5, install tracking software on your laptop in case it gets stolen. While a neat, feel-good type of geeky thing to install, this is pretty lame for inclusion on a top 5 list. Then again, maybe this list was meant as more of a physical security list, in which case, top 5 is really “the 5 things to do.”

Instead, I’d replace #5 with the suggestion to keep backups of all your data on the drive. It is great to not have it stolen, or offer password and encryption options in case it is stolen, but what about the data on the laptop? How much is it worth to you personally? If your laptop is stolen, minimize the damage to only the cost of the hardware and your own stress, not also to the only surviving copies of your son’s little league digital pictures or those important sales emails.

I dig BookPool.com; I’ve used them for many of my book purchases over the years, only occassionally delving into Borders/Barnes & Noble/Amazon when I have gift certs or for impulse buys. Today I pre-ordered Virtual Honeypots. This looks to be an awesome how-to sort of book about honeypots; something I’ve been eagerly waiting to delve into. It should be out any day, really. This was prompted by a welcome spam email from BookPool about a sale on Addison-Wesley and Prentice Hall books.

I’m also eagerly awaiting the Metasploit Toolkit book, despite being published by Syngress (in my opinion, the spottiest tech book publisher with quality all over the place….and I just don’t like holding their books like I do Addison-Wesley books). There’s a lot of new stuff in Metasploit 3, and I’m holding out really getting into it (like I used Metasploit 2x) until this book comes out. I may combine this with looking into Ruby or Python a bit more. Of all the tool-books out there, only BackTrack comes to mind as needing an updated book (BackTrack 3 perhaps?).

I also see Wi-Foo II has been pushed back (or maybe it was really tentative at late 2007 months ago) into 2008. I’m looking forward to this book as well. The first book was awesome, but got mired down in the technical problems of getting wireless working properly in Linux, which is a requirement for the subject. These days, wireless support is much easier and better, which hopefully means less mud devoted to the intricacies and details. Other books cover it well lately anyway, like Hacking Exposed: Wireless and Syngress’ Wardriving and Wireless Penetration Testing. Although not without their own minor faults, are both excellent wireless security books.