dungeons and dragons and networks

This editorial on Dungeons & Dragons & Networks talks about how the boundaries present in both network troubleshooting and the D&D play format promote creativity, while tasks with fewer boundaries are more difficult.

If people performed preventative maintenance and worked to improve their network, they’d have fewer problems to address in the first place. But because individual problems provide intellectual boundaries and present obstacles to overcome, it is simply a much, much easier task than trying to look at the vast possibilities inherent in the network and try to come up with a vision rather than a solution.

I think there is a lot of truth in that, especially since us IT types tend to be problem-solvers a little more than we are visionaries. I think management (and IT staff ourselves!) can benefit from recognizing initiatives that might be more successful when more properly bounded. I am guessing that many managers and project managers likely know this principle already, but it can definitely help us techs when we’re not being led very much in between fires. (Article found through WhiteDust)

aircrack vulnerability allows a more bristly defense

I see there is a vulnerability in aircrack-ng 0.7. While interesting in itself, this strikes an interesting chord.

First, this means that widespread, fairly static distributions such as BackTrack 2 have a lot of users of their Linux livecd that will continue to run vulnerable versions of aircrack-ng. That’s a bit of a concern, or should be, for anyone who uses that distro. Granted, the chances of someone attacking their box with this vuln are downright slim, but unless you roll your own BackTrack, do a full local install to update aircrack-ng, or patch aircrack-ng on the fly, you’re kinda stuck with this issue.

Second, I really believe someday I will have enough time on my hands to have a more bristly defense posture on my networks. In this case, I could have not only an IDS on my wireless network, but I could actually regularly send out packets crafted for just this vulnerability. Anyone leveraging aircrack-ng 0.7 (or BackTrack2) against my wireless network might be in for a brief surprise and could give me additional information or warning about maldoers. Rather than just a fence around the grounds, it can be highly electrified as well.

With a lot of vulns like this, it might not make sense to send out traffic for it because you never know if people will still be using it, and the chance gets slimmer as time goes on. But BackTrack 2 is pretty static for a lot of users who never change anything and may be using this distro until a major update comes out.

powershell auditing permissions

Auditing permissions on a Windows server is basically hellish unless you have a very strict policy on subfolder explicit permissions and group usage. You can use tools like CACLS.exe and XCACLS.exe, but for messy folder shares, the output can be utterly unmanageable. Enter a powershell script I wrote. This script takes a path as an argument and will dump out all explicit (non-inherited) permissions from the path and all subfolders inside it. Never make the mistake of re-pushing inheritance down on subfolders and wiping out all those restrictions again!

$erroractionpreference = "SilentlyContinue"
# Print every non-inherited ACE on each folder passed in, one blank line between folders.
function GetExplicits ($folders)
{
  foreach ($i in $folders)
  {
    $acllist = get-acl $i.fullname
    foreach ($x in $acllist.Access)
    {
      If ($x.IsInherited -eq $false)
      {
        Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
        $spacing = $true
      }
    }
    If ($spacing){ Write-Host "";$spacing=$null }
  }
}
If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"<path>`"";break}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path, try again, cowboy!";break }
Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist
Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where {$_.psIscontainer -eq $true}
GetExplicits $folderslist

The output looks like this:

Everyone has Modify, Synchronize on \\fileserver\users\scanner
CREATOR OWNER has Modify, Synchronize on \\fileserver\users\scanner
BUILTIN\Administrators has Modify, Synchronize on \\fileserver\users\scanner
MYDOMAIN\Domain Users has Modify, Synchronize on \\fileserver\users\scanner
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\FarmBanc
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp
Everyone has ReadAndExecute, Synchronize on \\fileserver\users\scanner\SalesApp\April Visit
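To make the same listing repeatable, here is an added example (not the post’s auditperms.ps1) that records the explicit ACEs as a CSV baseline on the first run and, on later runs, reports which entries appeared or vanished since the baseline. The share path and baseline file below are placeholders.

```powershell
# Added example, not the post's script: collect the same explicit (non-inherited) ACEs
# the post's auditperms.ps1 prints, but as objects, so they can be saved as a baseline
# and diffed on the next run to spot permission drift. Paths below are placeholders.
param(
    [string]$Path     = "\\fileserver\users\scanner",
    [string]$Baseline = "C:\audit\explicit-acl-baseline.csv"
)

function Get-ExplicitAce {
    param([string]$Root)
    # Root folder first, then every subfolder, mirroring the post's two passes.
    $folders = @(Get-Item -Path $Root) +
               @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # e.g. access denied: skip rather than abort
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                Path     = $folder.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights.ToString()
                Type     = $ace.AccessControlType.ToString()   # Allow / Deny
            }
        }
    }
}

$current = Get-ExplicitAce -Root $Path

if (-not (Test-Path $Baseline)) {
    # First run: record what is there now and review it by hand.
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    $current | Format-Table -AutoSize
    return
}

# Later runs: anything added or removed since the baseline is worth a look,
# especially a new "Everyone" or Deny entry, or an explicit ACE that vanished
# because inheritance was re-pushed down the tree.
$previous = Import-Csv -Path $Baseline
$props    = 'Path','Identity','Rights','Type'
Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property $props |
    ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        "{0,-8} {1} has {2} ({3}) on {4}" -f $state, $_.Identity, $_.Rights, $_.Type, $_.Path
    }
```

Refresh the baseline by deleting the CSV once a reported change has been reviewed and accepted.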

is there a reaction to security warnings

I saw this quote today in some news that hit my rhetorical question button:

The Ministry of National Defense located in Taipei has warned their personnel against cyber attack. Awareness at the user level is more important than ever after a recent discovery of an intelligence leak at the National Defense University.

What would you do differently in your job if you received a warning from your boss or from upper management or the security team to be wary of cyberattacks? What will your own employees do differently? Will they even know what that means or what to even begin to do?

I can imagine my mom getting that notice where she works and basically having zero change in behavior because it really means nothing to her (she works in a hospital). Should she stop more strangers in the hallways and challenge for ID? Should she refrain from email communication? If the computer crashes unexpectedly, should she more quickly call up IT to report it and investigate?

Does your security training equip employees to be able to process and respond to such a warning? Maybe the company shouldn’t even give these warnings and instead only raise the warning level of technical/security staff? Did you send out a warning to employees the other week to be on the lookout for any ANI/cursor files sent via email or posted on websites? Does that really change anyone’s behavior or do they just talk to their immediate peers about how stupid that email was for 5 minutes?

wispy on linux

So, a while back I got a Wi-Spy, which works great on Windows XP. I saw that there are some wispy tools for Linux, so I thought I would try them out on my Ubuntu laptop. I downloaded the files and extracted to /home/michael/wispy.

michael@orion:/$ cd /home/michael/wispy
michael@orion:~/wispy$ sudo apt-get install libusb-dev libncurses5-dev libgtk2.0-dev
michael@orion:~/wispy$ ./configure
michael@orion:~/wispy$ make
michael@orion:~/wispy$ sudo ./wispy_gtk

This worked out just fine (and yes, libgtk2.0-dev installed a ton of stuff), but the colors look horrid. The whole spectromap takes on this lemony-green color even when nothing much is happening. Very ugly, but then again, this is just a quick set of tools whipped together and really is no replacement for using Chanalyzer on Windows. Still, this is nice in case I ever do want to see what’s going on and only have my Ubuntu with me.

random notes on 2600, hacking exposed, orinoco atheros

The latest 2600 is out. If you don’t typically buy it or have the money, just sit down at the bookstore and flip through it and read what you want.

I also see one of the books I’ve really wanted in the last year has been released. Hacking Exposed: Wireless is currently available and in an odd green color. Anyone aware why this one is green? I didn’t pick it up long enough to find out why, but I’ll be buying the book regardless.

On the wireless front, I got my latest Orinoco wireless PCMCIA card on Friday and am very pleased with its performance. It is the Atheros chipset (8470-WD) which means it plays very nicely with BackTrack 2 and monitor mode. In fact, it plugs in and works just fine unless I’ve been juggling cards on that laptop and the last config still has a different card (my BackTrack is fully installed locally, so my settings are saved).

shmoocon – simple nomad and clarke

More Shmoocon 2007 presentations.

Hacker Potpourri – Simple Nomad.mp4 – Simple Nomad (old skewl) talks about some greylisting of spam mail, OS fingerprinting using PPTP, finding firewalling devices (using FIN flags, UDP port 0 packets, hop counting) and DVR hacking, but the real meat of this talk is about profiling IDS/IPS systems which starts at 32:45. You can use reverse-lookups to profile some IDS/IPS systems, the timing of reports, and whether admins are doing manual checks. Can fiddle with the DNS replies to profile the investigator some more. Abuse the signature sets to further narrow what IDS is in use or how they block things (vulnerability vs exploit). You can really do a lot of information gathering by knowing signatures for various IDS products and doing tests to see if your attacks are either blocked, allowed, or logged and then either manually or automatically investigated. Very cool.

Extend Your Code Into the Real World – Ryan Clarke.mp4 – I really dig Clarke’s enthusiasm and energy. I’d love to hang out with this guy and tinker with electronics and hardware on the weekends. His talk is a beginner blitz into hardware hacking. I consider this talk mandatory for any security or tech guys as Clarke really shows off where some things are going. Very exciting!

When it comes to computers and “hacking” and electronics, I can’t do everything despite my desires and best efforts, but for the things I’m not diving into at the time, I love talks like this because they can give me a nice taste of what I’m missing and keep me at a level that I could dive in if my life ever finds me in a place where I can do it (or have friends who do it that I can learn from).

shmoocon 2007

Some of the Shmoocon 2007 presentations have been posted. There’s a few, and maybe not all of them will be interesting, so I thought I would provide my feedback here (and ongoing) on the talks I checked out, plus a quick impression of what I thought about it.

I really wish I had attended Shmoocon, but I’m not really at a place right now where I could. I really wish I had heard about it back in its first year, 2005, as I was in DC at the time on business. Sadly, I didn’t learn about Shmoocon until after I had gotten back (and I was housed in a hotel very close to it as well!). At any rate, I’ll still whore up the presentations online and still get something out of it. Overall, I really dig the vibe from Shmoocon. It is serious about security but in a fun, friendly, personal kind of way that I think best resembles early Defcon or perhaps CCC. Smart, awesome, but not hoighty and “commercialized” or too anonymous.

Opening Remarks.mp4 – If you want to learn a little bit more about Shmoocon and what it’s all about, this is a useful talk from Bruce Potter of the Shmoo Group and runs a half hour.

Hacking the Airwaves with FPGAs – h1kari.mp4 – 20 minute presentation about cracking WEP and WPA (and FileVault and Bluetooth PINs) using different hardware pieces (FPGA) to speed things up. While that is interesting, the hardware itself is pretty spendy. If you’ve not seen his talk before or know anything about FPGA, watching a longer presentation may be more helpful, but his demos are quick and do work in this one. Tools: jc-wepcrack for WEP, coWPAtty for WPA, vfcrack for FileVault, btcrack for Bluetooth PINs.

No-Tech Hacking – Johnny Long – Johnny is a very cool presence and typically includes a lot of really awesome audience participation where he presents pictures and asks for feedback. This is no different and he presents a lot of pictures and asks, “What does a hacker see?” This is about observation skills, information gathering, opening your mind. I can just also say, “the driver has candy.”

my it autobiography

Everyone has stories to tell. In fact, one of the best secrets to dating is to realize that simple fact and give your date a chance to tell their stories, and for you to show genuine interest in listening. This is one reason the web has blossomed so much: we all have something to say and really hope at least one other person out there wants to hear it.

Likewise, us IT professionals have our stories on how we got started in this field. Recently a thread along this vein was started at the SecurityCatalyst community and Rebecca Herold tagged me to put my story up. So here it is!

Part 1: the geekdom
I’ve long been a geek. I have always been a video gamer (since Atari), I love arcades, and I enjoy science and puzzles. I got my first computer, a Pentium-60 just to play Doom and a handful of other games at the time (Wing Commander, Descent, Hexen…). From there, I really took to computers but I never evolved beyond gaming and online chats.

Part 2: college
I started college in the fall of 1996 at Iowa State U. My roommate and good friend, Ryan, got me interested in having my own web page, so in the winter of 1996 I started learning what View Source did and how to write my own HTML markup. I’ve had a web page ever since. This, along with my addiction to Quake (the first one, you noobs) was my main involvement with computers.

I started out college by going about 2.5 years into Environmental Science. Yes, I wanted to save the whales (and otters!). But I faced some harsh realities during those early, largely unmotivated years. I knew that that field was not quite what I was looking for, was highly competitive, and really would never be lucrative in pay. And as much as I have a passion for that area, I realized I could do just as much on my own as a hobby or lifelong interest as I could do pursuing it for a career. I spent a semester or two doing some deep soul-searching for what I wanted to do. Eventually I realized that I loved computers and had a bit of a knack for them; I was a go-to guy in my dorms for computer questions. (Years of computer gaming can really enhance your troubleshooting skills…) So I switched majors to Management Information Systems, lost 45 credits that didn’t apply in the transition from sciences, and graduated in 2001 by taking the max number of credits for my remaining semesters. Needless to say, I was very happy even though I walked out into the IT world the year after the .com boom busted.

Part 3: security
Upon graduation I really wanted to get into web design and coding, but with the dot com busting, the IT class of 2001 was really not a lucrative class like the previous years. I spent a lot of my time while job searching honing my skills and learning new things.

On a whim, I picked up the book Hack Attacks Revealed by John Chirillo. I was immediately hooked and knew that I could happily trade web coding for systems management and eventually security. Since then, I’ve been working in this area and pursuing the field ever since. Picked up my first real job in early 2002. Within a month of working on the technical support team, I was offered a place on the web dev team, but turned it down to hold out for another role I knew would soon become needed: systems administration. I got that a year later, in 2003, and have since been a sysadmin with a big interest in security.

an interesting issue in powershell

I am scripting some file syncing and having a frustrating time. The biggest issue is trying to work around a few files that are flagged as “read-only.” In the examples, assume sourcefile.txt is “read-only.”

PS> copy-item sourcefile.txt c:\sourcefile.txt -force
If this is the first time copying, this will work just fine because the destination file is new.
PS> copy-item sourcefile.txt c:\sourcefile.txt -force
This will now give an error because c:\sourcefile.txt is read only.
PS> move-item sourcefile.txt c:\sourcefile.txt -force
This will always work.

While this isn’t so bad, I don’t want to move folders over without first going through them to make sure the new folder isn’t leaving out something from the old folders, if that makes sense.

So far, my solution is way more complex than I think it should be. I read through all folders and determine if the folder is new or already exists at the destination. If it is new, I move-item it over. I then copy all non-containers that are left. Then I remove all the leftover source containers. Please excuse the variable names and lack of tabs showing up.

$shortpathdest = "\\SERVER\FILES\Installed"
$shortpathsource = "\\SERVER\FILES\ToInstall"
# Pass 1: folders. New folders are moved whole; existing ones are left for the file pass.
$items = get-childitem $shortpathsource -recurse | where {$_.psIscontainer -eq $true}
If ($items) {
  foreach ($i in $items) {
    $fullsourcepath = $i.FullName
    $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
    $fullpathdest = $shortpathdest + $fullsourcepath
    If (test-path $fullpathdest) { }
    Else { move-item $($i.FullName) $fullpathdest -force }
  }
}
# Pass 2: the files still left in the source tree (those under folders that already existed).
$items2 = get-childitem $shortpathsource -recurse | where {$_.psIscontainer -eq $false}
If ($items2) {
  foreach ($i in $items2) {
    $fullsourcepath = $i.FullName
    $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
    $fullpathdest = $shortpathdest + $fullsourcepath
    move-item $($i.FullName) $fullpathdest -force
  }
}
# Pass 3: drop the now-empty source folders.
Remove-item $shortpathsource\* -recurse -force
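An alternative that sidesteps the read-only trap without moving anything, added here as an example and not the post’s own script: it walks the source tree once, creates missing destination folders, clears the ReadOnly attribute on an existing destination file before copying over it, and leaves the source tree intact for inspection. The two UNC paths are the post’s placeholders.

```powershell
# Added example, not the post's script. Assumes the two UNC paths below exist
# (placeholders taken from the post); it never deletes the source tree.
$source = "\\SERVER\FILES\ToInstall"
$dest   = "\\SERVER\FILES\Installed"

function Sync-Tree {
    param([string]$Source, [string]$Destination)

    $sourceRoot = $Source.TrimEnd('\')

    # Walk every item once; directories are created at the destination, files are copied.
    Get-ChildItem -Path $sourceRoot -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($sourceRoot.Length).TrimStart('\')
        $target   = Join-Path $Destination $relative

        if ($_.PSIsContainer) {
            if (-not (Test-Path $target)) {
                New-Item -ItemType Directory -Path $target | Out-Null
            }
            return
        }

        # This is the case the post hits: an existing read-only destination file.
        # Clear the attribute before copying so Copy-Item -Force has nothing to trip over.
        if (Test-Path $target) {
            Set-ItemProperty -Path $target -Name IsReadOnly -Value $false
        }

        Copy-Item -Path $_.FullName -Destination $target -Force

        # Mirror the source's read-only flag onto the fresh copy so whatever
        # protection the flag was meant to provide survives the sync.
        if ($_.IsReadOnly) {
            Set-ItemProperty -Path $target -Name IsReadOnly -Value $true
        }
    }
}

Sync-Tree -Source $source -Destination $dest
```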

some basics of windows performance tweaking

For any practicing sysadmin, sometimes you just have to tweak servers to milk a little bit more performance. Sometimes the good ol’ basics are still the best things to do. I liked these steps (mostly) from SearchWinComputing. I’ll just give my own notes on the steps.

1. Use a dedicated drive for the pagefile. This makes sense.

2. Keep your hard disks defragmented. I don’t do this much, but when trying to milk a bit more performance out of a server, defragging is still a low-hanging fruit to try out.

3. Use the NTFS file system. I wouldn’t think to do otherwise, not from a performance standpoint necessarily, but definitely for security.

4. Avoid running 16-bit applications. Ok.

5. Look for memory leaks. Basically need to continuously monitor memory usage to catch this. Sometimes apps (like ASP) will automatically recycle themselves and clean up, thus lowering the indications of a memory leak. Once a process is identified that has a leak, research it on Google or with your own teams if it is homegrown.

6. Remove seldom-used utilities. I would also suggest making sure server software is inventoried and reviewed regularly. That way when some piece is no longer needed, it can be identified and removed. But yes, it sucks to see unused things running on a server.

7. Disable unused services. A tried-and-true best practice for…just about everything.

8. Log off. Makes sense to me!

9. Compress the hard disk. The author makes a decent case for this, but I would definitely only do this in conjunction with baselining performance and testing after each change otherwise this could be detrimental.

10. Adjust the server response. i.e. Adjust background applications for a higher priority.

kicking wep while it is down

WEP is already known to be broken and weak, but I see Aircrack-ptw is a new tool out that purports to break WEP (most implementations anyway) much quicker. I have not yet tried it, because BackTrack 2 decided to be a bugger about my Hermes Orinoco card and I have yet to replace it or find a solution (Whoppix and BT1 are fine with it, go figure), but once I get that squared away I plan to check this tool out. There is a paper linked on the site, and while some of it gets into some deeper mathematical (mathematical sure sounds more haughty than “math,” eh?) theory, some sections are still concise and informative (1, 5, 8, and 9).

Update: I see ISC has also been made aware of this, although they link just to the paper.

a gaming rig on a budget of $1500

If you’re a sec geek, you’re also likely a gaming geek on some level. And if you do any amount of PC gaming, you’ll likely be building your own systems unless you have extra money to throw at pre-built systems from vendors. And while I’m not in the market to fully upgrade my gaming rig right now, it really helps to casually read up and stay at least somewhat current with what is going on in the PC building gaming market. This article by Corsair is not just a guide to buying bargain gaming parts that still scream performance, but the guys actually go through (with lots of awesome screenshots) overclocking, BIOS settings, benchmarking tools and examples, and even suggestions on different parts. (Personally, I’d swap that frickin’ huge heatsink with a watercooling model.)

In true HardOCP fashion, you can also head to the comments of their news byte on the article and check out some reactions.

On third thought, it wouldn’t hurt to maybe pick up a few parts now and file this guide away…

windows mobile tools

I almost bought a Linux-based PDA earlier this year (Zaurus 5500 or 6000) and I still might, but after reading what is now available for Windows Mobile from both Justin Clark and Andre Gironda, I might have to add a newer Windows Mobile device for myself this year. I hadn’t realized tools had come this far! There are more notes here and likely elsewhere if I were to look.

appliedsec shmoocon challenges

If you have time to check this out or you don’t and still want to learn something (shame on you!) then pick up Applied Sec’s Shmoocon challenge notes and the solutions. I don’t think they’ll be up for a terribly long time, especially the server, so don’t delay. Upon first glance, these challenges look to be a little more varied and interesting than most of the web-based “hacker challenge” sites out there.