shmoocon – simple nomad and clarke

More Shmoocon 2007 presentations.

Hacker Potpourri – Simple Nomad.mp4 – Simple Nomad (old skewl) talks about some greylisting of spam mail, OS fingerprinting using PPTP, finding firewalling devices (using FIN flags, UDP port 0 packets, hop counting) and DVR hacking, but the real meat of this talk is about profiling IDS/IPS systems which starts at 32:45. You can use reverse-lookups to profile some IDS/IPS systems, the timing of reports, and whether admins are doing manual checks. Can fiddle with the DNS replies to profile the investigator some more. Abuse the signature sets to further narrow what IDS is in use or how they block things (vulnerability vs exploit). You can really do a lot of information gathering by knowing signatures for various IDS products and doing tests to see if your attacks are either blocked, allowed, or logged and then either manually or automatically investigated. Very cool.

Extend Your Code Into the Real World – Ryan Clarke.mp4 – I really dig Clarke’s enthusiasm and energy. I’d love to hang out with this guy and tinker with electronics and hardware on the weekends. His talk is a beginner blitz into hardware hacking. I consider this talk mandatory for any security or tech guys as Clarke really shows off where some things are going. Very exciting!

When it comes to computers and “hacking” and electronics, I can’t do everything despite my desires and best efforts, but for the things I’m not diving into at the time, I love talks like this because they can give me a nice taste of what I’m missing and keep me at a level that I could dive in if my life ever finds me in a place where I can do it (or have friends who do it that I can learn from).

shmoocon 2007

Some of the Shmoocon 2007 presentations have been posted. There’s a few, and maybe not all of them will be interesting, so I thought I would provide my feedback here (and ongoing) on the talks I checked out, plus a quick impression of what I thought about it.

I really wish I had attended Shmoocon, but I’m not really at a place right now where I could. I really wish I had heard about it back in its first year, 2005, as I was in DC at the time on business. Sadly, I didn’t learn about Shmoocon until after I had gotten back (and I was housed in a hotel very close to it as well!). At any rate, I’ll still whore up the presentations online and still get something out of it. Overall, I really dig the vibe from Shmoocon. It is serious about security but in a fun, friendly, personal kind of way that I think best resembles early Defcon or perhaps CCC. Smart, awesome, but not hoighty and “commercialized” or too anonymous.

Opening Remarks.mp4 – If you want to learn a little bit more about Shmoocon and what it’s all about, this is a useful talk from Bruce Potter of the Shmoo Group and runs a half hour.

Hacking the Airwaves with FPGAs – h1kari.mp4 – 20 minute presentation about cracking WEP and WPA (and FileVault and Bluetooth PINs) using different hardware pieces (FPGA) to speed things up. While that is interesting, the hardware itself is pretty spendy. If you’ve not seen his talk before or know anything about FPGA, watching a longer presentation may be more helpful, but his demos are quick and do work in this one. Tools: jc-wepcrack for WEP, coWPAtty for WPA, vfcrack for FileVault, btcrack for Bluetooth PINs.

No-Tech Hacking – Johnny Long – Johnny is a very cool presence and typically includes a lot of really awesome audience participation where he presents pictures and asks for feedback. This is no different and he presents a lot of pictures and asks, “What does a hacker see?” This is about observation skills, information gathering, opening your mind. I can just also say, “the driver has candy.”

my it autobiography

Everyone has stories to tell. In fact, one of the best secrets to dating is to realize that simple fact and give your date a chance to tell their stories, and for you to show genuine interest in listening. This is one reason the web has blossomed so much: we all have something to say and really hope at least one other person out there wants to hear it.

Likewise, us IT professionals have our stories on how we got started in this field. Recently a thread along this vein was started at the SecurityCatalyst community and Rebecca Herold tagged me to put my story up. So here it is!

Part 1: the geekdom
I’ve long been a geek. I have always been a video gamer (since Atari), I love arcades, and I enjoy science and puzzles. I got my first computer, a Pentium-60 just to play Doom and a handful of other games at the time (Wing Commander, Descent, Hexen…). From there, I really took to computers but I never evolved beyond gaming and online chats.

Part 2: college
I started college in the fall of 1996 at Iowa State U. My roommate and good friend, Ryan, got me interested in having my own web page, so in the winter of 1996 I started learning what View Source did and how to write my own HTML markup. I’ve had a web page ever since. This, along with my addiction to Quake (the first one, you noobs) was my main involvement with computers.

I started out college by going about 2.5 years into Environmental Science. Yes, I wanted to save the whales (and otters!). But I faced some harsh realities during those early, largely unmotivated years. I knew that that field was not quite what I was looking for, was highly competitive, and really would never be lucrative in pay. And as much as I have a passion for that area, I realized I could do just as much on my own as a hobby or lifelong interest as I could do pursuing it for a career. I spent a semester or two doing some deep soul-searching for what I wanted to do. Eventually I realized that I loved computers and had a bit of a knack for them; I was a go-to guy in my dorms for computer questions. (Years of computer gaming can really enhance your troubleshooting skills…) So I switched majors to Management Information Systems, lost 45 credits that didn’t apply in the transition from sciences, and graduated in 2001 by taking the max number of credits for my remaining semesters. Needless to say, I was very happy even though I walked out into the IT world the year after the .com boom busted.

Part 3: security
Upon graduation I really wanted to get into web design and coding, but with the dot com busting, the IT class of 2001 was really not a lucrative class like the previous years. I spent a lot of my time during job searching to hone my skills and learn new things.

On a whim, I picked up the book Hack Attacks Revealed by John Chirillo. I was immediately hooked and knew that I could happily trade web coding for systems management and eventually security. Since then, I’ve been working in this area and pursuing the field ever since. Picked up my first real job in early 2002. Within a month of working on the technical support team, I was offered a place on the web dev team, but turned it down to hold out for another role I knew would soon become needed: systems administration. I got that a year later, in 2003, and have since been a sysadmin with a big interest in security.

an interesting issue in powershell

I am scripting some file syncing and having a frustrating time. The biggest issue is trying to work around a few files that are flagged as “read-only.” In the examples, assume sourcefile.txt is “read-only.”

PS> copy-item sourcefile.txt c:\sourcefile.txt -force
If this is the first time copying, this will work just fine because the destination file is new.
PS> copy-item sourcefile.txt c:\sourcefile.txt -force
This will now give an error because c:\sourcefile.txt is read only.
PS> move-item sourcefile.txt c:\sourcefile.txt -force
This will always work.

While this isn’t so bad, I don’t want to move folders over without first going through them to make sure the new folder isn’t leaving out something from the old folders, if that makes sense.

So far, my solution is way more complex than I think it should be. I read through all folders and determine if the folder is new or already exists at the destination. If it is new, I move-item it over. I then copy all non-containers that are left. Then I remove all the leftover source containers. Please excuse the variable names and lack of tabs showing up.

$shortpathdest = "\\SERVER\FILES\Installed"
$shortpathsource = "\\SERVER\FILES\ToInstall"

# Pass 1: any folder that does not yet exist at the destination is moved whole.
$items = get-childitem $shortpathsource -recurse | where {$_.psIscontainer -eq $true}
If ($items)
{
    foreach ($i in $items)
    {
        # Relative path under the source root (keeps its leading backslash),
        # then re-rooted under the destination.
        $fullsourcepath = $i.FullName
        $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
        $fullpathdest = $shortpathdest + $fullsourcepath
        If (-not (test-path $fullpathdest))
        {
            move-item $($i.FullName) $fullpathdest -force
        }
    }
}

# Pass 2: whatever files are left live in folders that already existed at the
# destination, so they are moved one at a time (move-item -force overwrites
# read-only targets where copy-item -force does not).
$items2 = get-childitem $shortpathsource -recurse | where {$_.psIscontainer -eq $false}
If ($items2)
{
    foreach ($i in $items2)
    {
        $fullsourcepath = $i.FullName
        $fullsourcepath = $fullsourcepath.Replace($shortpathsource,"")
        $fullpathdest = $shortpathdest + $fullsourcepath
        move-item $($i.FullName) $fullpathdest -force
    }
}

# Pass 3: the now-empty source folders are removed.
Remove-item $shortpathsource\* -recurse -force
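The same merge can be done without moving folders at all, which sidesteps the worry about leaving something behind in an existing folder. The following is an added example, not the post's own script: it walks the source tree, creates any destination folder that is missing, and clears the read-only attribute on an existing destination file before Copy-Item -Force overwrites it. The UNC paths are the placeholders used in the post above.

```powershell
# Added example, not the original post's script. It merges $source into $dest
# file by file, so nothing in an existing destination folder is lost, and it
# clears the read-only attribute that makes Copy-Item -Force fail on the
# second run. Paths are the placeholders used in the post.
$source = "\\SERVER\FILES\ToInstall"
$dest   = "\\SERVER\FILES\Installed"

# A copied file keeps the source file's attributes, so a read-only source
# produces a read-only destination; that is what blocks the next overwrite.
function Clear-ReadOnly([string]$path) {
    $item = Get-Item $path
    if ($item.IsReadOnly) { $item.IsReadOnly = $false }
}

function Sync-Tree([string]$from, [string]$to) {
    foreach ($entry in Get-ChildItem $from -Recurse) {
        # Relative path under the source root, with its leading backslash,
        # appended to the destination root exactly as the post's script does.
        # Substring by length is used instead of .Replace(), which is
        # case-sensitive and would miss a path whose case differs on the share.
        $relative = $entry.FullName.Substring($from.Length)
        $target   = $to + $relative
        if ($entry.PSIsContainer) {
            if (-not (Test-Path $target)) {
                New-Item -ItemType Directory -Path $target | Out-Null
            }
        }
        else {
            if (Test-Path $target) { Clear-ReadOnly $target }
            Copy-Item $entry.FullName $target -Force
        }
    }
}

Sync-Tree $source $dest
# Only after every file has been copied is the source tree cleared.
Remove-Item "$source\*" -Recurse -Force
```

Because the copy preserves attributes, the destination file ends up read-only again after the sync, so the clearing step has to run on every pass rather than once.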

some basics of windows performance tweaking

For any practicing sysadmin, sometimes you just have to tweak servers to milk a little bit more performance. Sometimes the good ol’ basics are still the best things to do. I liked these steps (mostly) from SearchWinComputing. I’ll just give my own notes on the steps.

1. Use a dedicated drive for the pagefile. This makes sense.

2. Keep your hard disks defragmented. I don’t do this much, but when trying to milk a bit more performance out of a server, defragging is still a low-hanging fruit to try out.

3. Use the NTFS file system. I wouldn’t think to do otherwise, not from a performance standpoint necessarily, but definitely for security.

4. Avoid running 16-bit applications. Ok.

5. Look for memory leaks. Basically you need to continuously monitor memory usage to catch this. Sometimes apps (like ASP) will automatically recycle themselves and clean up, thus hiding the indications of a memory leak. Once a process with a leak is identified, research it on Google or with your own teams if it is homegrown.

6. Remove seldom-used utilities. I would also suggest making sure server software is inventoried and reviewed regularly. That way when some piece is no longer needed, it can be identified and removed. But yes, it sucks to see unused things running on a server.

7. Disable unused services. A tried-and-true best practice for…just about everything.

8. Log off. Makes sense to me!

9. Compress the hard disk. The author makes a decent case for this, but I would definitely only do this in conjunction with baselining performance and testing after each change otherwise this could be detrimental.

10. Adjust the server response. i.e. Adjust background applications for a higher priority.
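For step 5, the monitoring can be scripted rather than eyeballed in Task Manager. The following is an added example that is not from the article: it samples every process's working set a few times and reports the ones that grew on every sample, which is the pattern a leak shows before anything else does. The sample count and interval are arbitrary defaults chosen for illustration.

```powershell
# Added example, not from the article. Samples every process's working set
# $Samples times, $IntervalSeconds apart, and reports processes whose working
# set grew on every sample. Defaults are arbitrary values for illustration.
function Find-GrowingProcesses {
    param([int]$Samples = 6, [int]$IntervalSeconds = 60)

    $history = @{}   # process id -> array of working-set sizes in bytes
    for ($s = 0; $s -lt $Samples; $s++) {
        foreach ($p in Get-Process) {
            if (-not $history.ContainsKey($p.Id)) { $history[$p.Id] = @() }
            $history[$p.Id] += $p.WorkingSet64
        }
        if ($s -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    foreach ($id in $history.Keys) {
        $ws = $history[$id]
        # A process that exited or recycled itself mid-run (the self-cleanup the
        # article mentions for ASP) has fewer samples and is skipped, not judged.
        if ($ws.Count -lt $Samples) { continue }

        $grewEveryTime = $true
        for ($k = 1; $k -lt $ws.Count; $k++) {
            if ($ws[$k] -le $ws[$k - 1]) { $grewEveryTime = $false; break }
        }
        if ($grewEveryTime) {
            $proc  = Get-Process -Id $id -ErrorAction SilentlyContinue
            $pname = if ($proc) { $proc.ProcessName } else { "(exited)" }
            "{0,-8} {1,-25} {2,12:N0} KB -> {3,12:N0} KB" -f $id, $pname, ($ws[0] / 1KB), ($ws[-1] / 1KB)
        }
    }
}

Find-GrowingProcesses -Samples 6 -IntervalSeconds 60
```

Six samples a minute apart only catches fast growth; for a slow leak, run it with a longer interval and more samples, and treat a hit as a reason to look at the process rather than as proof. A process id reused by a new process during the run can produce a spurious hit, so confirm any candidate with a second run.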

kicking wep while it is down

WEP is already known to be broken and weak, but I see Aircrack-ptw is a new tool out that purports to break WEP (most implementations anyway) much quicker. I have not yet tried it, because BackTrack 2 decided to be a bugger about my Hermes Orinoco card and I have yet to replace it or find a solution (Whoppix and BT1 are fine with it, go figure), but once I get that squared away I plan to check this tool out. There is a paper linked on the site, and while some of it gets into some deeper mathematical (mathematical sure sounds more haughty than “math,” eh?) theory, some sections are still concise and informative (1, 5, 8, and 9).

Update: I see ISC has also been made aware of this, although they link just to the paper.

a gaming rig on a budget of $1500

If you’re a sec geek, you’re also likely a gaming geek on some level. And if you do any amount of PC gaming, you’ll likely be building your own systems unless you have extra money to throw at pre-built systems from vendors. And while I’m not in the market to fully upgrade my gaming rig right now, it really helps to casually read up and stay at least somewhat current with what is going on in the PC building gaming market. This article by Corsair is not just a guide to buying bargain gaming parts that still scream performance, but the guys actually go through (with lots of awesome screenshots) overclocking, BIOS settings, benchmarking tools and examples, and even suggestions on different parts. (Personally, I’d swap that frickin’ huge heatsink with a watercooling model.)

In true HardOCP fashion, you can also head to the comments of their news byte on the article and check out some reactions.

On third thought, it wouldn’t hurt to maybe pick up a few parts now and file this guide away…

windows mobile tools

I almost bought a Linux-based PDA earlier this year (Zaurus 5500 or 6000) and I still might, but after reading what is now available for Windows Mobile from both Justin Clark and Andre Gironda, I might have to add a newer Windows Mobile device for myself this year. I hadn’t realized tools had come this far! There are more notes here and likely elsewhere if I were to look.

appliedsec shmoocon challenges

If you have time to check this out or you don’t and still want to learn something (shame on you!) then pick up Applied Sec’s Shmoocon challenge notes and the solutions. I don’t think they’ll be up for a terribly long time, especially the server, so don’t delay. Upon first glance, these challenges look to be a little more varied and interesting than most of the web-based “hacker challenge” sites out there.

operating system vulnerability comparison

OmniNerd posted a rather lengthy article comparing various default installations of most modern operating systems (released in 2006, I think) using nmap and nessus to determine the vulnerability of said distributions to remote attacks. While simplistic in assessment and lengthy in discourse, the biggest takeaway I got from this article in my brief skim aligns with what I believe anyway. Operating systems have weaknesses, strengths, and problems, but ultimately it is a knowledgeable and diligent admin that makes a system secure (or more secure, if you will), and normal users can turn an OS into swiss cheese very easily.

use powershell as a real powered up shell

PowerShell is pretty cool so far, even if the remote capability requires some heavy scripting/.NET experience for now. I just found out today that I can actually write functions, put them into my profile file (%My Documents%\WindowsPowerShell\Microsoft.PowerShell_Profile.ps1), and have them load on start-up. This means my little function to start and stop remote services can be a simple one-line job and always preloaded, kinda like my own little command shell. Type $profile to make sure you have the right location. Mine is weird since I start mine with network admin privs as opposed to my normal workstation account.

Windows PowerShell
Copyright (C) 2006 Microsoft Corporation. All rights reserved.

RemoteServices loaded

PS C:\Documents and Settings\mdickey> remoteservices
usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]
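An added example of what such a profile function can look like; this is not the author's own RemoteServices function, which the post does not show. Dropped into the profile named above, it loads at start-up and takes the same three arguments as the usage line. It queries and controls services through WMI (Win32_Service), which works even where Get-Service cannot target a remote computer; server and service names are whatever the caller supplies.

```powershell
# Added example, not the author's function. Loaded from the PowerShell profile
# so it is always available. Arguments mirror the usage line in the post:
#   RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]
function RemoteServices {
    param([string]$server, [string]$action, [string]$name)

    if (-not $server -or -not $action) {
        "usage: RemoteServices [servername] [Stop|Start|Check|List|GetName] [service name]"
        return
    }
    # The name is interpolated into a WQL filter, so restrict it to the
    # characters service names actually use; a stray quote cannot then
    # change the query.
    if ($name -and $name -notmatch '^[\w\.\- ]+$') {
        "service name contains characters that are not allowed: $name"
        return
    }
    if ($action -ne "List" -and -not $name) {
        "a service name is required for $action"
        return
    }

    # Exact-name lookup used by Check, Start and Stop.
    $svc = $null
    if ($name) {
        $svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='$name'"
    }
    $missing = "no service named '$name' on $server"

    switch ($action.ToLower()) {
        "list"    { Get-WmiObject Win32_Service -ComputerName $server | Select-Object Name, State, StartMode }
        "getname" { Get-WmiObject Win32_Service -ComputerName $server -Filter "DisplayName LIKE '%$name%'" | Select-Object Name, DisplayName }
        "check"   { if ($svc) { $svc | Select-Object Name, State, StartMode } else { $missing } }
        # StartService/StopService return a ReturnValue of 0 on success.
        "start"   { if ($svc) { "StartService on $name returned $($svc.StartService().ReturnValue) (0 = success)" } else { $missing } }
        "stop"    { if ($svc) { "StopService on $name returned $($svc.StopService().ReturnValue) (0 = success)" } else { $missing } }
        default   { "unknown action: $action" }
    }
}

"RemoteServices loaded"
```

The trailing string is what prints the "RemoteServices loaded" line at start-up. Stopping and starting a service on another host requires the account the shell runs under to have administrative rights there, which is why the post mentions starting the shell with network admin privileges rather than the normal workstation account.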

warm under the collar

From an article:

About 11 buildings have lost air conditioning because of the failure,
Stone said. The problem threatens to overheat computer servers, and
officials are warning that the state’s main web page will be out of
service periodically throughout the day.

It is hard to realize how important cooling is in a data center or even a small switch room until the AC cooling said room goes out. It can heat up pretty fast if you’re not decisive and that can really cripple business.

How do you plan for such an event?

– Make sure you have redundant cooling solutions; while you might not need multiple heavy industry coolers, at least have something available to either vent warm air or introduce cool air. While normal fans are absolutely no replacement for AC cooling, moving air is better than stagnating warm air.

– Keep AC repair service numbers or contracts readily available for quick remediation.

– In your inventory of servers and systems and services, make sure you know which ones are critical and which ones are expendable over short periods of time. Just like trying to milk juice out of your UPS in a power outage, you want to milk the temperature in your server room as long as possible. Shut down all unnecessary servers and devices to minimize heat generation. Be ready to determine when critical temps are reached that will almost certainly damage equipment and/or data and be prepared to invoke a business continuity plan or…be ready to have the company take the day off…

oh such lovely silica you have

Dave Aitel posted to DD a link to a review of SILICA. SILICA is awesome and one of those gadgets I really want to get my hands on. But at a price of $3600, it is definitely a major purchase for someone like me; just low enough to be doable, but higher than even a good laptop or gaming rig with far fewer uses. Nonetheless, if this device stays current and highly supported by Immunity for many ongoing years, I really am going to plan on picking this up in the next year or just after (my car gets paid off next summer which means some freed up monies…).