Note to self: use telnet for email more often than I do now, if nothing else then to just stay familiar with the syntax in a pinch.

Videos are kinda cool. There are a bunch of them at Security-Freak demonstrating various tools and research. Scroll to the bottom to get past some of the topical videos and see common security tools demonstrated.

Serapis and SecureVision released this web defacement video. This demonstrates how easy it can be to deface a website, especially after you become familiar with a particular method of attack. If you know an attack on the current phpBB version, for instance, the hard part is learning how to pull it off the first time. After that, downing 100 vulnerable instances is cake. I like this video, even though the music is maddeningly annoying. (Oh, and for anyone thinking about producing videos, I really don’t like having to scroll up and down to see the whole screen…)

You can’t go wrong with a good ol’ BackTrack2 WEP cracking video. There’s a number of them out there, and for some reason I just like seeing them.

This video doesn’t load every time for me (Ubuntu+Firefox), but when it does, it gives a demonstration of finding and manipulating out an exploit.

And the MPack demonstration video. The size is small, but still illustrates how web attack toolkits have gained traction.

And, of course, I have other videos listed in the aptly named “videos” section on the left menu.

Let’s stick some more with Windows tools. A few years ago it became hip to wow friends and family with tools that would undelete or recover files long through gone from hard disks. This led to the eventual realization that old computers given away and drives lost or stolen could yield a lot of data if not properly wiped. If you ask me, if there is any doubt about a whether a drive’s contents are sensitive or not, just destroy the drive when it is decommission. (Besides, the powerful magnets inside the drives when disassembled make for fun toys for most anyone, if you want to score some points.)

Anyway, FreeUndelete is a tool to recover files. Also, the oldie tool Restoration is still available for the same purpose.

Oh, and PhotoRec is a tool to recover files from flash drives (and I bet other things!). This was described very well in an article on InformIT.

You can use Eraser as a tool to better wipe files from a Windows system. Use it in conjunction with the recovery tools above to see the differences. For full disk wipes, I prefer the bootable DBAN disc.

Of course there are more tools! Here’s a quick list I pulled from a mailing list:
OverWrite
SecureDelete
another Secure Delete
WipeDisk
AutoClave
Wipe (Linux)
and of course, shred for Linux, which should need no link.

If you don’t live on the Internet like I do, you might not know Sysinternals was “bought” by Microsoft (I’m not sure if it was actually bought or if Mark Russinovich just brought it along when he was hired by Microsoft). Now, you might know that, but did you know all those tools are offered in a single download now? Of particular note is ProcessMonitor which is a souped up version of Filemon/Regmon/ProcessExplorer. And if you don’t know what Sysinternals is, well, I can’t help you.

There are a ton of different tools and ways to change your MAC address, let alone simply doing it manually. Here’s a few I’ve accumulated notes about over the past 6 months.
Macshift is a standalone C++ tool run via the command line. Does what it should do!

Technitium is probably the Mercedes of mac changers, sporting tons of information in the GUI and also being scriptable.

Smac is also a old favorite I see mentioned a lot, but the eval version is slightly limited. For such a small tool, I just don’t believe in shelling out money for it.

Speaking of Windows tools, Wirelesskeyview is a quick .exe (no installation required) that will pull out wireless network keys and display them for you. I’m sure these are just stored in a registry entry somewhere and, if encrypted at all, are like just rot13, but still this tool makes life easy.

Heck, I’ll stick with Windows for this whole post. The Windows firewall is still daunting to manage or maintain for most people, even those of us who are comfortable with firewalls! This kb article from Microsoft is surprisingly detailed. I especially like the last section on enabling and checking the logging of dropped packets. Combine this with a tail program and it might turn a spare WinXP box into a network tripwire-like device.

Yesterday I posted a few OS fingerprinting tools. I missed one I had in my box called Satori. This looks like a quick effort that may not be regularly updated, but is a passive OS fingerprinter for a few OS types. I’ve not had a chance to try this out yet as my Windows machines at home are limited, but it might be fun to try, even if it doesn’t make any toolboxes. A related paper on the site is also interesting.

I’ve been going over some of the pending things in my todo lists. Here’s a few things.

I don’t know of anything that can browse shares in Gnome on Ubuntu (Nautilus can using smb:\\server\share, but that requires knowing your target). So I installed smb4k which is available through Synaptic. Seems I needed a bunch of other stuff, including kdelibs. While smb4k is a KDE tool, it seems to run just fine in Gnome. It can be loaded from Applications->Accessories. The initial load will throw a non-terminating KWallet error, but then happily disables itself and continues. One bonus is the ability to manage and see existing mounts.

If you see a system but aren’t sure what OS it might be (if Windows, then you can try those fun admin shares!), you can check it out using an OS fingerprint tool. Yes, nmap and p0f are your typical choices, but SinFP might be a third option. I decided to try this on Windows and followed the instructions given. Everything seemed fine, but when I tried to fingerprint anything on my network, I typically was told I cannot fingerprint a closed or filtered port, even though I know it was open and allowed. Most of the time perl.exe would then spin and I’d have to kill it. Not sure what was going on, but might revisit it at some later date on Linux, perhaps. Regardless of the results of this tool, being able to know some of the differences that operating systems display in various packets and other behavior is some pretty fundamental and “not difficult” stuff. Being written in perl, it might be nice to read through this tool’s signatures and techniques.

XAMPP looks like a nice way to get a full compliment of tools and applications for a web server set up quickly on either Linux or Windows (or others!). I’ve not tried this out as I wanted to do stuff manually with my latest build, but I might consider XAMPP in the future.

Here is a snippet of a Dan Kaminsky presentation on SSL Hell at Toorcon. He talks about the bad things he has found about SSL through his huge scans of the Internet. I really dig that he admits security people can be wrong when trying to require SSL on every page. SSL can be intensive on servers and the hardware doesn’t scale well with it. One thing I didn’t like is a minor quibble. He points out that a lot of sites don’t appear to use SSL (https) on their logins, but I’d like if he just said, “I sniffed this transaction to verify it wasn’t secured underneath what I can see in my browser.” He’s probably correct in saying they were insecure, however.

I can’t remember where I found this originally, but I wanted to document it on my site for future reference. This reg script should add the ability to right-click any Windows folder and launch a cmd prompt at that location. Update: Looks like I maybe found it here.

REGEDIT4

[HKEY_CLASSES_ROOT\Directory\shell\DosHere]
@=”Command &Prompt:”

[HKEY_CLASSES_ROOT\Directory\shell\DosHere\command]
@=”C:\\windows\\SYSTEM32\\cmd.exe /k cd \”%1\””

[HKEY_CLASSES_ROOT\Drive\shell\DosHere]
@=”DOS &Prompt Here”

[HKEY_CLASSES_ROOT\Drive\shell\DosHere\command]
@=”C:\\windows\\SYSTEM32\\cmd.exe /k cd \”%1\””

People often ask me how I like my Razr phone. I tell them it’d be a really nice phone…if I wasn’t on Verizon. Yes, Verizon is well known for crippling their Razr’s to the point where I really do only use it for phone calls and the occassional text message. In the past I have done minor adjustments like getting my own ringtones on the phone (text yourself a .wav file renamed to .mp3 and it will let it through, and play it as a .wav file properly) I’ve never delved too deeply into messing with it, being my first personally-owned cell phone. John Ward over at The Digital Voice has posted an awesome article about hacking the Razr, and he suffered from the same crippling issues from Verizon that I do. Since my contract is quite mature now and I’m more comfortable with pushing the line on my phone, I think I will make a note to try this stuff out. He’s truly right that if I can unlock all this stuff in the article, the phone will take on a whole new level of use in my life. Funny how Verizon doesn’t get that…

About half a year ago I posted about Untangle (and it has remained on my long-term projects list, sadly). I see they got some more press in ComputerWorld as they have turned their product open source. Sounds cool, and I still want to check it out on my home network someday (yeah, one of those projects that keeps getting pushed down…).

Use Snort either on an active link or as a packet inspection tool after the fact? It might be useful to throw down PE Hunter to capture Windows binaries as they pass by. I can think of plenty of uses for this, not just in front of a honeypot, but in front of Internet-facing servers themselves. This is one of those detective tools that won’t necessarily stop or prevent an attack, but can act as a watchguard for something evul going on, or to figure out what an attacker may have done on your network. The real usefulness of this tool won’t be realized until it is used though. Who knows, maybe it will pick up too much junk from malware or software downloads and miss too much other stuff.

Of note, no, I’m not all that great with Snort. It’s on my medium-term project list, probably nearer the fall or winter before I can really dig my fingers into Snort more, even though I may have my own Snort box up in the next month or so just to get it up and familiarized.

I’ve been ramping up my studying lately, which has taken some time away from blogging (both reading them and writing some). I’ve also made headway into my huge list of “pending” items that both sit on my bathroom counter and in my email box.

But I have found time to plug away at some more books. I’ve (finally!) started reading Tao of Network Security by Richard Bejtlich. I’ve put this book off way too long (I wanted more background into TCP/IP and Linux before tackling the book, or so I tell myself) and am finally getting into it. I really dig the tone and how Bejtlich presents the topics. Thankfully, the very academic first chapters were followed-up by excellent later chapters that I found much more interesting (maybe because I already knew his positions and definitions from following his blog).

Last night I also started reading Security Metrics by Andrew Jaquith. I really dig this guy’s writing, and I was amazed by the opening tones of the book. First an opening by one of the most recognizable writing styles in security, Dan Geer, which is also visionary and almost prophetic. Just reading anything he writes feels weighty; old and dustry like an important magical tome hidden in some wizard’s tower. Then into Jaquith’s wonderful presentations. I think this book will go fast.

Yes, I read multiple books at once. Sometimes I read novels which just require me and a chair. Other times technical books that pretty much require a computer nearby to follow along. I typically have two or three going at any given time, depending on my mood and the resources nearby. It is usually too much to be reading 2 hands-on books at a time, so I try to keep it mixed up with different flavors of books.

A few days ago I mentioned ddos mitigation. The referenced article [pdf] concerns UFIRT’s actions in the face of a rather unique incident: a DDOS attack planned to occur in 1 week’s time. Incident Response plans are important to a company’s security posture, but not every imaginable incident needs to have an itemized response plan. And while issues like a DDOS likely should not be painstakingly planned out, it should at least be contemplated now and then as a sort of verbal/introspective exercise. What would you do in such a situation? Do you have extra resources, gear, or skills on your team to deal with an adhoc incident like a DDOS? Do you know where to turn for help on short notice? Can you pull a Joe Stewart out of your back pocket? 🙂 It might be a useful exercise for an IR team, or just for a manager or techie to sit back and think about some lazy afternoon…

Christian Matthies has posted up an explanation of DNS Pinning attacks. While this article is really cool and informative, there are a couple of caveats.

First, this is a great article for people who already are familiar with DNS Pinning, since the author really throws out “Anti DNS Pinning” and “DNS Pinning” quite a lot, and it gets confusing which one he is actually talking about in each example. DNS Pinning is a behavior of a web browser to cache DNS requests until the window (or all windows of that browser) are closed. Any admin supporting DNS or web servers has experienced this behavior. “That should work…did you hit refresh? Oh wait, close all your browser first and retry. Yup that did it!” Christian then explains a way to get around DNS Pinning so an attacker can redirect users without their knowledge by leveraging browser behavior and changes to DNS entries.

Second, while several web security researchers would like to say this is a Big Deal, I consider this an exotic attack, yet. Christian mentions this can be used to attack internal servers, but that requires significant knowledge, and I don’t think most corporations will have to care. Still, there is always the potential for something like this to become a common attack method in the future.

The takeaways for this is to know what DNS Pinning means, what Anti DNS Pinning means, and that there is still a grey area firmly between network and web security when it comes to DNS manipulation.

Via elamb, The Register has an article on hacking World of Warcraft, and also mentions an upcoming book I didn’t know about, Exploiting Online Games: Cheating Massively Distributed Systems, by Gary McGraw and Greg Hoglund.

Exploiting games like this, as I’m sure the authors posit, is something that might not interest a lot of people, but should still be watched. Things like WoW (12 million users! This has become a social network in itself, really!) and Second Life bleed over into the real world, both in relationships with fellow people and business realms. But beyond that, the distributed worlds of gaming on such a large level will, just like the hardware gaming pushes, eventually find more mainstream uses. Being able to know these risks (like offloading some of the work to the client machines), at least just being aware of them, should prove useful someday.

I’ll get this book regardless, since I play WoW [0] and I’ve seen things in past games that exemplify the issues with cheating [1]. It helps a lot to know what is possible out there, and can put the whole gaming world/experience into more of a perspective. The book also looks like it will explore the issues that the game software presents to the users, for instance how far the game software can go in monitoring the user. Thankfully I run gaming on a separate box which does nothing but burn discs and run games, but I’m a rarity in that setup.

[0] I have a 60 Warlock (main) and 60 Priest on Crushridge Alliance, and a 55 Shaman on Kul’Tiras Alliance. Obviously I’ve focused on the Shammy since BC.
[1] Aimbots in Quake 1 (yes, some people earned money using them); farm bots in Diablo II/Battlenet.

A smooth sea never made a skillful mariner. -English proverb

By way of the SecuriTeam blog, I see Joe Stewart has posted a quick technical article about thwarting an HTTP DDoS attack using iptables tarpitting. I also like the cite to a report by Jordan Wiens [pdf] about tarpitting DDoS worms (I’ve not read it yet). I especially like the graph showing the effects of no action, connection dropping, and tarpitting. As a question to myself, I wonder if the attacked system needs to keep track of those sessions as well, and if that might bleed the server a bit over time? Obviously, this is still better than having the server fall over in the first 5 minutes, while tarpitting likely can allow the server to hold out far longer, even if it still bleeds.

One thing that Joe leaves unspoken is tarpitting is not to be used for all HTTP requests. Some of those requests are legitimate users and you certainly don’t want to tarpit them. Tarpitting should be triggered after a connection is determined to be part of the DDoS, so there is some front-end work to be done. I expect Wiens covers this in the longer paper.