<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-5702491182567675357</atom:id><lastBuildDate>Sat, 23 May 2009 23:51:28 +0000</lastBuildDate><title>Mark M Maning</title><description></description><link>http://www.markmmanning.com/blog/</link><managingEditor>noreply@blogger.com (Mark M Manning)</managingEditor><generator>Blogger</generator><openSearch:totalResults>46</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8515204516830780065</guid><pubDate>Sat, 23 May 2009 23:35:00 +0000</pubDate><atom:updated>2009-05-23T19:51:28.943-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>antivirus</category><category domain='http://www.blogger.com/atom/ns#'>Kaspersky</category><title>Kaspersky Uninstallation Tool</title><description>&lt;p&gt;I've become a big fan of Kaspersky and their security products but I've only been using them for a year or so.  I ran into an issue with a client the other day that had been using a Windows Server 2003 member server for some basic needs and wanted to upgrade to 2008.  It was successfully upgraded and I re-installed Kaspersky Total Security which is their business security product.  Not a good idea.  &lt;/p&gt;

&lt;h3&gt;Kaspersky 2008 Support&lt;/h3&gt;
&lt;p&gt;As of writing this, Kaspersky's only product that supports Windows Server 2008 is &lt;a href="http://www.kaspersky.com/anti-virus_windows_server_enterprise"&gt;Kaspersky Antivirus Enterprise Edition&lt;/a&gt;.  I've read about some people that are using another Kaspersky product on Server '08 with some success or with "quirky" networking issues.  For me it was more severe and I had a Blue Screen of Death on every boot.&lt;/p&gt;

&lt;p&gt;This was a bigger problem than expected because if I went into Safe Mode I wasn't able to uninstall it, since the Windows Installer service doesn't run in Safe Mode.  I tried to disable the Kaspersky service as well as stop the Kaspersky program from starting in msconfig.  Neither helped and the server kept rebooting itself.&lt;/p&gt;

&lt;h3&gt;Official Kaspersky Uninstall Tool&lt;/h3&gt;
&lt;p&gt;Luckily, like most other antivirus vendors, Kaspersky provides a tool to remove their application.  &lt;a href="http://www.kaspersky.com/support/kav6/install?qid=193239348"&gt;Here is a link&lt;/a&gt; to that tool.  It supports all the version 6 software and works like a charm.&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.kaspersky.com/support/kav6/install?qid=193239348"&gt;http://www.kaspersky.com/support/kav6/install?qid=193239348&lt;/a&gt; - Kaspersky Uninstall Tool</description><link>http://www.markmmanning.com/blog/2009/05/kaspersky-uninstallation-tool.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-689414301456533551</guid><pubDate>Sat, 16 May 2009 19:43:00 +0000</pubDate><atom:updated>2009-05-16T17:17:33.392-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>S10</category><category domain='http://www.blogger.com/atom/ns#'>Lenovo Ideapad S10</category><category domain='http://www.blogger.com/atom/ns#'>Splashtop</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>hacking</category><title>Lenovo S10 Part 1: Splashtop</title><description>&lt;p&gt;Now that I've had some time to hack around with the Lenovo S10, I think someone will find some of this information useful.  This entry is about re-installing Splashtop, Lenovo's Quick Start software on the S10.&lt;/p&gt;

&lt;h3&gt;What is Splashtop&lt;/h3&gt;
&lt;p&gt;Like I &lt;a href="/blog/2009/05/lenovo-s10-part-0.html"&gt;wrote before&lt;/a&gt;, the Lenovo S9, S10, and S10e use a streamlined Linux-based environment that gets you from pressing power to surfing, chatting, Skyping, listening to music or checking out a photo gallery in 30 seconds or less.  Oh, and the not-to-be-overlooked feature - it works! &lt;/p&gt;

&lt;p&gt;The really interesting part is not just that it's one of those quick-booting Linux OSes like Ubuntu 9.04 is claiming to be.  It is actually tied to the motherboard: it boots from a small amount of flash memory and stores persistent changes to a location on the hard drive, which unfortunately requires Windows.&lt;/p&gt;

&lt;h3&gt;Re-installation&lt;/h3&gt;
&lt;p&gt;Let me say this right now - reinstalling Splashtop is not fun! The only reason that this would happen to you is if you've deleted the files that came with the laptop or there was a problem with the hard drive itself.  In my case, the problem with the hard drive was me re-formatting the entire thing and installing Ubuntu Netbook Remix. &lt;/p&gt;

&lt;p&gt;After a lot of research, here's how you do it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Install Windows XP on some partition of the hard drive. This could be interesting if you don't have an external CDROM.  If you're good, you can try to &lt;a href="http://www.liliputing.com/2008/04/install-windows-xp-on-mini-note-usb.html"&gt;install XP from a USB stick&lt;/a&gt; like I did with partial success.&lt;/li&gt;
&lt;li&gt;Install the latest Lenovo Quickstart software you can find &lt;a href="http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/lenovoquickstart10172.exe"&gt;here&lt;/a&gt;. NOTE: There may be an updated version that also works.&lt;/li&gt;
&lt;li&gt;OPTIONAL: From Windows XP, upgrade the BIOS of the S10.  See Lenovo's &lt;a href="http://www-307.ibm.com/pc/support/site.wss/homeLenovo.do"&gt; Support Site&lt;/a&gt; for the latest version.&lt;/li&gt;
&lt;li&gt;Download the patch that came from S10Lenovo.com &lt;a href="/download/lenovo_s10_stpatch.zip"&gt;here&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Unzip the files and copy them to the C: drive of your computer.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This worked for my Lenovo S10 4231 but the guys at &lt;a href="http://s10lenovo.com/"&gt;S10Lenovo.com&lt;/a&gt; have done a lot of good work on figuring out the quirks.  On some S10's all you needed to do was install the newest Quick Start and you are on your way but for me the patch was the key.&lt;/p&gt;

&lt;p&gt;If that doesn't work for some reason, I'd be interested in &lt;a href="/?page=contact"&gt;getting the feedback&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Last Security Warnings&lt;/h3&gt;
&lt;p&gt;I wrote last time that Splashtop was extreme functionality at the cost of security and after more research, it's still true.  &lt;/p&gt;

&lt;p&gt;In version 1.0.17.0, the Splashtop browser is based off of Firefox 3.0.6, the instant messaging software is based on an old version of Pidgin and Skype is Linux version 2.0.0.72. It's older software but it looks like someone is attempting to update it. &lt;/p&gt;

&lt;p&gt;There are some good security precautions in place: you're not allowed to directly access the hard drive, you can't open a terminal, and the persistent files are encrypted and signed so not just anyone can make changes to the config. &lt;/p&gt;

&lt;p&gt;Still don't believe me? Here's an exploit proof of concept that can crash your browser and possibly allow an attacker to inject a payload:&lt;/p&gt;
&lt;p&gt;&lt;a href="/download/s10qsexploit.xml"&gt;Do not click if you have Firefox 3.0.8 or less!!&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;What's Next: BackTrack 4&lt;/h3&gt;
&lt;p&gt;I'm still working out some of the quirks of using the laptop with BT4 Beta and have gotten them pretty much ironed out but I just want to streamline the process a little better.&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.splashtop.com/"&gt;http://www.splashtop.com/&lt;/a&gt; - Official Splashtop Website&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://s10lenovo.com/"&gt;http://s10lenovo.com&lt;/a&gt; - Great site for S10 hacking&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://hg.mozilla.org/releases/mozilla-1.9.1/file/cb01d655a1b1/content/xslt/crashtests/"&gt;http://hg.mozilla.org/releases/mozilla-1.9.1/file/cb01d655a1b1/content/xslt/crashtests/&lt;/a&gt; - Exploit for Firefox 3.0.8 or less&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://s10lenovo.com/viewtopic.php?f=42&amp;t=2283"&gt;http://s10lenovo.com/viewtopic.php?f=42&amp;t=2283&lt;/a&gt; - forum with more information related to Splashtop on the S10&lt;br/&gt;&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-689414301456533551?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/05/lenovo-s10-part-1-splashtop.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-2661246415514275245</guid><pubDate>Fri, 08 May 2009 01:21:00 +0000</pubDate><atom:updated>2009-05-08T12:33:15.106-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>S10</category><category domain='http://www.blogger.com/atom/ns#'>Lenovo Ideapad S10</category><category domain='http://www.blogger.com/atom/ns#'>Ubuntu Netbook Remix</category><category domain='http://www.blogger.com/atom/ns#'>Splashtop</category><category domain='http://www.blogger.com/atom/ns#'>netbook</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>UNR</category><category domain='http://www.blogger.com/atom/ns#'>Backtrack</category><title>Lenovo S10 Part 0</title><description>&lt;p&gt;This will be the first of a few entries about my new Lenovo Ideapad (NOT iDeapad) S10.  It's a netbook with great support for Linux and an interesting "Quick Start" environment which is a super fast booting OS that's built into the motherboard.  To be honest the only two reasons why I bought it was the low cost (&lt;$300) and I've become a Lenovo fan boy ever since my Thinkpad T43. &lt;/p&gt;

&lt;h3&gt;Quick Start/Splashtop&lt;/h3&gt;
&lt;p&gt;The most intriguing part of this laptop is something that Lenovo calls Quick Start.  It's a Linux-based, ultra-fast-booting, stripped-down OS that includes things like Pidgin, Firefox, and Skype.  It's actually called &lt;a href="http://www.splashtop.com"&gt;Splashtop&lt;/a&gt; and is made by DeviceVM. The idea here is that the motherboard boots from a small amount of flash memory so that it's extremely quick to start up.  &lt;/p&gt;

&lt;p&gt;When I opened the S10 I immediately booted into their Quick Start environment, played around with it and then immediately installed Ubuntu's Netbook Remix.  I tell you this so you can be very impressed by my radical anti-Microsoftic act (did I mention I'm an MCSE?) but also to tell you that you really shouldn't do this because the Splashtop OS requires files on the FAT32 Windows directory. The revolution has a cost. :/ &lt;/p&gt;

&lt;p&gt;There are a few problems with Splashtop besides the fact that you can't make any customizations to the OS:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;It uses outdated software like Firefox 2 that can't be manually updated&lt;/li&gt;
&lt;li&gt;It requires that you have a Windows partition to hold the applications&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;I just want to say again, I love the idea of a quick boot environment but it seems like Splashtop is going to be another example of when innovation takes precedence over security. &lt;/p&gt;

&lt;p&gt;I'm not going to go into this anymore since one of my projects is to get Splashtop to play nicely with Linux and I'll be able to have some more information.&lt;/p&gt;

&lt;h3&gt;Ubuntu Jaunty Jackalope Netbook Remix&lt;/h3&gt;
&lt;p&gt;Ubuntu 9.04 Jaunty Jackalope was released last month and with this version comes the &lt;a href="https://wiki.ubuntu.com/UNR"&gt;Ubuntu Netbook Remix&lt;/a&gt; distribution or UNR.  This is a customized Ubuntu distribution that is specifically designed to make it easier to work with a smaller screen and to maximize the potential of the Intel Atom processor.  I'd highly recommend it on a netbook compared to the standard Ubuntu install.  &lt;/p&gt;

&lt;p&gt;Installation was different but very easy.  You need to download the 1GB .IMG file and install it to a USB drive.  I found the easiest way to do this is to install the Ubuntu package "usb-imagewriter" which is a GUI that walks you through the steps of putting the image onto a pen drive.  Once you've installed it, plug it into the netbook and install it like normal.  &lt;/p&gt;
&lt;p&gt;Once again, if you delete the FAT32 partition of the S10 hard drive, you will not be able to use the Quick Start environment.&lt;/p&gt;

&lt;h3&gt;Backtrack 4 Support&lt;/h3&gt;
&lt;p&gt;I've had this conversation three times now and all my friends want to know is "Does it work with Backtrack 4??" Really this just means does Backtrack support the wifi card to do packet injection.  The answer is almost.  The internal wireless card is a Broadcom BCM4312 chipset which requires you to use the closed source driver supplied by Broadcom.  This causes some other configuration problems you'll need to overcome.  I haven't played around with being able to inject packets yet. That will be a subject for another day though.&lt;/p&gt;

&lt;h3&gt;Next Steps&lt;/h3&gt;
&lt;p&gt;There's a lot of talk right now about the Splashtop option and a lot of netbooks are using it or something like it for the ultra fast boot.  Because nothing comes with recovery CDs anymore, you have to download everything from Lenovo's website at 17kb/s.  UNR is going to need some customizations, especially for the security tools that I like.  There is a BIOS update that came out just yesterday that fixes an issue I was having, so more on that later. The biggest problem I'm having is getting people to stop laughing at a 6'5" guy trying to type on this tiny laptop. :)&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www-307.ibm.com/pc/support/site.wss/product.do?doccategoryind=50520&amp;template=%2Fproductpage%2Flandingpages%2FproductPageLandingPage.vm&amp;brandind=10&amp;familyind=431250&amp;machineind=433197&amp;modelind=0&amp;partnumberind=0&amp;subcategoryind=0&amp;operatingsystemind=49979&amp;validate=true"&gt;http://www-307.ibm.com/pc/support/site.wss/product.do?doccategoryind=50520&amp;template=%2Fproductpage%2Flandingpages%2FproductPageLandingPage.vm&amp;brandind=10&amp;familyind=431250&amp;machineind=433197&amp;modelind=0&amp;partnumberind=0&amp;subcategoryind=0&amp;operatingsystemind=49979&amp;validate=true&lt;/a&gt; - Lenovo S10 Support &lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.splashtop.com/"&gt;http://www.splashtop.com"&lt;/a&gt; - Splashtop&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.canonical.com/projects/ubuntu/unr"&gt;http://www.canonical.com/projects/ubuntu/unr&lt;/a&gt; - more about Canonical's work on netbooks &lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.s10lenovo.com/"&gt;http://www.s10lenovo.com/&lt;/a&gt; - great site for S10 specific discussion&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-2661246415514275245?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/05/lenovo-s10-part-0.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-769248768304457445</guid><pubDate>Mon, 27 Apr 2009 15:29:00 +0000</pubDate><atom:updated>2009-05-03T09:43:00.394-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Notacon 2009</category><category domain='http://www.blogger.com/atom/ns#'>war driving</category><category domain='http://www.blogger.com/atom/ns#'>Notacon</category><category domain='http://www.blogger.com/atom/ns#'>gps</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>wifi</category><category domain='http://www.blogger.com/atom/ns#'>hacking</category><title>War Driving Notacon 2009</title><description>&lt;p&gt;I know this isn't a new subject by any means but I think it's still interesting and most of the material that's useful out there right now is antiquated so I thought I'd write my own version.  &lt;/p&gt;

&lt;h3&gt;Background&lt;/h3&gt;
&lt;p&gt;The reason I got into war driving was to:&lt;/p&gt;
&lt;ol&gt;&lt;li&gt;Learn the specifics about the technologies (Kismet, gpsd)&lt;/li&gt;
&lt;li&gt;Have something to do on the drive to &lt;a href="http://www.notacon.org"&gt;Notacon&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Be a geek&lt;/li&gt;&lt;/ol&gt;

&lt;h3&gt;Hardware&lt;/h3&gt;
&lt;p&gt;Here is the list of hardware that I used:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Laptop (Wireless card, serial port)&lt;/li&gt;
&lt;li&gt;Garmin eTrex - Craigslist $35&lt;/li&gt;
&lt;li&gt;Garmin eTrex serial cable - $8 &lt;/li&gt;
&lt;li&gt;Edimax RT73 (optional) - $43&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Software&lt;/h3&gt;
&lt;p&gt;Software I used:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kismet - wireless sniffing tool&lt;/li&gt;
&lt;li&gt;GPSD - receives GPS data &lt;/li&gt;
&lt;li&gt;Ubuntu 8.10 - OS&lt;/li&gt;
&lt;li&gt;GPSDrive - (optional) Maps your current location as you drive&lt;/li&gt;
&lt;li&gt;Festival - (optional) Text to speech plugin for announcing when an access point is found&lt;/li&gt;
&lt;li&gt;KisGearth - convert kismet data to KML for GoogleEarth&lt;/li&gt;
&lt;li&gt;Google Earth - place access points on a map &lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;GPS Setup&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;sudo apt-get install gpsd&lt;/li&gt;
&lt;li&gt;Telnet to gpsd server and type "r" to receive the coordinates and "b" to confirm the console settings&lt;br/&gt;
&lt;textarea cols="50" rows="10"&gt;&gt;telnet localhost gpsd
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
&gt;r
GPSD,R=1
&gt;b
GPSD,B=9600 8 N 1
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Plug in the Garmin using the console cable&lt;/li&gt;
&lt;li&gt;On the Garmin, page over to Setup &gt; Interfaces and make sure the output format is NMEA and the transfer rate is 9600 baud&lt;/li&gt;
&lt;li&gt;If you are successful you should see coordinates pop up in the gpsd console&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Kismet Setup&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;sudo apt-get install kismet festival&lt;/li&gt;
&lt;li&gt;Configure kismet.conf for your wifi cards (see &lt;a href="http://www.kismetwireless.net/documentation.shtml"&gt;KismetWireless.net&lt;/a&gt; under the Capture Sources section for a listing of your network card)&lt;br/&gt;
&lt;textarea cols="50" rows="4"&gt;
#Edimax RT73 Usb
source=rt2500,wlan0,RT73
#Intel Ipw2200 for Lenovo T43p laptop
source=ipw2200,eth1,Intel&lt;/textarea&gt;
&lt;/li&gt;
&lt;li&gt;Configure kismet.conf for festival &lt;br/&gt;
&lt;textarea cols="50" rows="2"&gt;
festival=/usr/bin/festival
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Configure kismet.conf to save waypoints for GPSDrive&lt;br/&gt;
&lt;textarea cols="50" rows="5"&gt;
# Do we write waypoints for gpsdrive to load?  Note:  This is NOT related to
# recent versions of GPSDrive's native support of Kismet.
waypoints=true
# GPSDrive waypoint file.  This WILL be truncated.
waypointdata=%h/.gpsdrive/way.txt
# Do we want ESSID or BSSID as the waypoint name ?
waypoint_essid=true
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Configure kismet.conf to save GPS data in the log files&lt;br/&gt;
&lt;textarea cols="50" rows="1"&gt;
logtypes=dump,network,csv,xml,weak,cisco,gps
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Start Kismet using your wifi cards. (Only list the cards you've set up as sources, or leave the option blank.)&lt;br/&gt;
&lt;textarea cols="50" rows="1"&gt;
sudo kismet -C Intel,RT73
&lt;/textarea&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;GPSDrive Setup&lt;/h3&gt;
&lt;p&gt;NOTE: GPSDrive is a fun tool to show you access points while you drive.  It's unnecessary if you're going to be mapping the coordinates on Google Earth later.&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Download the latest deb from the &lt;a href="http://www.gpsdrive.de/download.shtml"&gt;GPSDrive&lt;/a&gt; website or download the stable release with apt-get
&lt;textarea cols="50" rows="1"&gt;
sudo apt-get install gpsdrive
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Before you go on your war drive, make sure you download the maps for the location you'll be driving, otherwise you won't be able to get the specific streets.  I'd suggest getting used to how gpsdrive works because there's a little bit of a learning curve. &lt;/li&gt;&lt;/ul&gt;

&lt;h3&gt;The Drive&lt;/h3&gt;
&lt;p&gt;This is a no brainer but I wanted to give a few tips that I learned:&lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Plan laptop power settings beforehand - make sure your laptop isn't going to shut off the hard drive after 15 minutes of inactivity&lt;/li&gt;
&lt;li&gt;Set up the equipment beforehand so it doesn't slide
&lt;ul&gt;&lt;li&gt;Kitchen drawer sponge - a friend of mine gave me the idea of using that spongy material that goes at the bottom of a silverware drawer.  Throw it on your dash and put your hardware on it so that it's not sliding around during turns.  &lt;/li&gt;
&lt;li&gt;Secure the laptop however you can in your car&lt;/li&gt;
&lt;li&gt;Ideally buy a magnetic antenna to latch onto the top of your car so nothing is sliding around&lt;/li&gt;
&lt;/ul&gt;&lt;/li&gt;

&lt;li&gt;Test everything a couple of times before trying to do it in the car - reboot, unplug, undo everything because sometime or another it's going to happen and you're going to need to know what to do&lt;/li&gt;
&lt;li&gt;Make sure your GPS always has a good signal or your maps will be inaccurate&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Importing into Google Earth&lt;/h3&gt;
&lt;p&gt;So you've finished your drive and you want to map out everywhere you've been.  Google Earth is perfect for this.  &lt;/p&gt;
&lt;ul&gt;&lt;li&gt;Install Google Earth either from &lt;a href="http://earth.google.com"&gt;Google Earth's&lt;/a&gt; site or from the Ubuntu repositories&lt;br/&gt;
&lt;textarea cols="50" rows="1"&gt;
sudo apt-get install googleearth
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Download and extract &lt;a href="http://code.google.com/p/kisgearth/"&gt;KisGearth&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Run kisgearth on the Kismet .xml file and .gps file.  (You can use just the .xml file, but using the .gps file as well makes it more accurate)&lt;br/&gt;
&lt;textarea cols="50" rows="2"&gt;
./kisgearth.pl --gps /var/log/kismet/Kismet-Apr-26-2009-6.gps -oN Kismet.kml -- /var/log/kismet/Kismet-Apr-26-2009-6.xml 
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Open Google Earth, go to File &gt; Open and open the KML file you created&lt;/li&gt;&lt;/ul&gt;

&lt;p&gt;With a little luck you should have an accurate map of where all the access points are using Google Earth's satellites. Just for fun I've attached the KML file that I used for Notacon.&lt;/p&gt;

&lt;p&gt;You can &lt;a href="http://www.markmmanning.com/download/notacon_mmm.kml"&gt;download it here.&lt;/a&gt;&lt;/p&gt;

&lt;img src="/images/notacon_manning.jpg"&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://code.google.com/p/kisgearth/"&gt;http://code.google.com/p/kisgearth/&lt;/a&gt; - Kisgearth&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.gpsdrive.de/download.shtml"&gt;http://www.gpsdrive.de/download.shtml&lt;/a&gt; - GPSDrive&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.kismetwireless.net"&gt;http://www.kismetwireless.net&lt;/a&gt; - Kismet &lt;br/&gt;&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-769248768304457445?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/04/war-driving-notacon-2009.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-543294944890266007</guid><pubDate>Mon, 27 Apr 2009 11:00:00 +0000</pubDate><atom:updated>2009-04-27T11:27:50.855-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>system administration</category><category domain='http://www.blogger.com/atom/ns#'>command line</category><category domain='http://www.blogger.com/atom/ns#'>command line kung foo</category><title>Remote System Monitoring with Tasklist and PSexec</title><description>&lt;p&gt;Remote administration is a subject that's open to a lot of interpretation because one way could work for one environment and just not fit in for the next.  It's pretty easy to setup a client to have a secure remote shell or remote desktop viewing software but a lot of my environments are not setup ideally so you're forced to use the tools that are on the system and free tools that you can download.  Also add to the picture that you don't want to disrupt an employee working and answer may be at the command line.  &lt;/p&gt;

&lt;p&gt;In this example I'm investigating a report from the antivirus software on a machine that a certain PID is attempting to disable its process.  I want to know what process is associated with that PID and why that's happening. My computer name is WORKSTATION and the PID in question is 1055. &lt;/p&gt;

&lt;textarea cols="50" rows="2"&gt;tasklist /s WORKSTATION /FI "PID eq 1055"&lt;/textarea&gt;

&lt;p&gt;You'll see that PID 1055 is a certain executable.  In my case it was winlogon.exe and because the event was happening at 3:00AM, I knew that it was caused by Windows Updates being installed. &lt;/p&gt;

&lt;p&gt;But if you noticed that a process named something like virus_hack_death.exe was running under this PID and it was trying to access your antivirus, you can use tasklist's cousin, taskkill.&lt;/p&gt;

&lt;textarea cols="50" rows="2"&gt;taskkill /s workstation /PID 1055&lt;/textarea&gt;&lt;br/&gt;
OR&lt;br/&gt;
&lt;textarea cols="50" rows="2"&gt;taskkill /s workstation /IM virus_hack_death.exe&lt;/textarea&gt;&lt;br/&gt;

&lt;p&gt;Obviously this is a pretty weak example because whatever process you killed will most likely start again, but you could also help those machines that are hung up and not accessible from the keyboard or through RDP.  Connect in and kill the frozen process. &lt;/p&gt;</description><link>http://www.markmmanning.com/blog/2009/04/remote-system-monitoring-with-tasklist.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8943952344505241745</guid><pubDate>Thu, 23 Apr 2009 18:44:00 +0000</pubDate><atom:updated>2009-04-24T12:13:42.053-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Pumping Station One</category><category domain='http://www.blogger.com/atom/ns#'>Notacon 2009</category><category domain='http://www.blogger.com/atom/ns#'>Shmoocon</category><category domain='http://www.blogger.com/atom/ns#'>Notacon</category><category domain='http://www.blogger.com/atom/ns#'>hackerspaces.org</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>Notacon 6</category><category domain='http://www.blogger.com/atom/ns#'>hacking</category><category domain='http://www.blogger.com/atom/ns#'>PS:One</category><title>Notacon #6</title><description>&lt;p&gt;The sixth installment of the annual hacker convention, Notacon, happened this last weekend.  It drew the same crowd as other hacker cons like Defcon, Shmoocon, and Random but, as the name implies, Notacon wasn't like the others. The general subject for the talks asked the question, what would geeks like to hear?  
So it ranged from rules of the board game Go to SQL injections to silly internet videos to healthy cubicle life to hacking consumer routers - all over the place.  &lt;/p&gt;

&lt;p&gt;The scene was the same as a standard con with all of the same characters we've grown to know and love.  Because the talks were all over the place, some people didn't have interest in listening to them.  This led to more off-the-field antics where you had more time to take in the Lockpick Village, check out HackerSpaces.org and the guys from PumpingStation:One, hang out with Deviant and have a go at his Gringo Warrior.  There was a Guitar Hero/karaoke/Commodore 64 game room that was a lot of fun.  There was also a pirate radio that asked anyone to just walk in and talk.  &lt;/p&gt;

&lt;h3&gt;PS:One&lt;/h3&gt;
&lt;p&gt;I don't get to really talk about these guys to many people around here because it's completely out of context in Rochester, but Pumping Station One is the newest if not the only open hacker space in Chicago.  One of the founders, Eric, who helped start HacDC, teamed up with &lt;a href="http://absentelements.blogspot.com/"&gt;Rogue Clown&lt;/a&gt; and many others to create a not-for-profit organization, hold regular meetings, and find their own space, which they just signed the lease for.  You'll see a lot more of these hacker spaces popping up as the HackerSpaces.org team becomes more and more organized and provides templates for other people around the world.  &lt;/p&gt;
&lt;p&gt;Check them out here: &lt;a href="http://pumpingstationone.org"&gt;http://pumpingstationone.org&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;DualCore&lt;/h3&gt;
&lt;p&gt;Dual Core is a nerdcore group from Cincinnati. Int Eighty is the rapper/frontman for the group and happens to show up at all the popular cons.  If you haven't listened to them you may have the assumption that oh, it's just another one of those nerdcore groups that focus on geeky lyrics and lack rapping skills, but you'd be wrong.  Eighty is a seriously skilled rapper who is into the hip-hop scene and the hacker scene.  It's like if Eminem and Kevin Mitnick had an illegitimate child together. You know it'll be a party when DualCore is there.&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://notacon.org/"&gt;http://notacon.org/&lt;/a&gt; - Notacon's website&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://dualcoremusic.com/nerdcore/"&gt;http://dualcoremusic.com/nerdcore/&lt;/a&gt; - DualCore's website&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://pumpingstationone.org/"&gt;http://pumpingstationone.org&lt;/a&gt; - PS:One website&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://hackerspaces.org"&gt;http://hackerspaces.org&lt;/a&gt; - HackerSpaces.org&lt;br/&gt;&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-8943952344505241745?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/04/notacon-6.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-3435936764009492732</guid><pubDate>Tue, 24 Mar 2009 18:21:00 +0000</pubDate><atom:updated>2009-03-24T15:43:56.148-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>MS08-067</category><category domain='http://www.blogger.com/atom/ns#'>DNS</category><category domain='http://www.blogger.com/atom/ns#'>Dan Kaminsky</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>KB956188</category><title>Blame Dan for IAS Socket Error</title><description>&lt;p&gt;Here's the error you see in the event logs:
&lt;blockquote&gt;Only one usage of each socket address (protocol/network address/port) is normally permitted.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;The whole event log looks like this:
&lt;blockquote&gt;
Event Type:    Error&lt;br/&gt;
Event Source:    Service Control Manager&lt;br/&gt;
Event Category:    None&lt;br/&gt;
Event ID:    7023&lt;br/&gt;
Date:        24/03/2009 &lt;br/&gt;
Time:        7:13:42 AM &lt;br/&gt;
User:        N/A &lt;br/&gt;
Computer:    THISCOMPUTER &lt;br/&gt;
Description: &lt;br/&gt;
The Internet Authentication Service service terminated with the following error: &lt;br/&gt;
Only one usage of each socket address (protocol/network address/port) is normally permitted.&lt;br/&gt;
&lt;/blockquote&gt;
&lt;/p&gt;

&lt;p&gt;The issue is that your DNS server has allocated some of the ports used by the Internet Authentication Service, which means that you can't log into your routers, VPN users can't connect anymore, or whatever else you were using IAS for no longer works.  It actually causes the IAS service to stop completely.  You may have seen this when you opened the admin MMC:
&lt;blockquote&gt;There was an error getting connection to the datastore. The handle is invalid&lt;/blockquote&gt;&lt;/p&gt;

&lt;h3&gt;The Fix&lt;/h3&gt;
&lt;p&gt;Straight to the workaround:
&lt;ul&gt;
&lt;li&gt;Open up the IAS admin console (administrative tools)&lt;/li&gt;
&lt;li&gt;Right click on "Internet Authentication Services" and go to "Properties"&lt;/li&gt;
&lt;li&gt;Click on ports and write down the ports that it's using&lt;/li&gt;
&lt;li&gt;Open up regedit -- insert warning of death here -- &lt;/li&gt;
&lt;li&gt;Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters&lt;/li&gt;
&lt;li&gt;Double-click the ReservedPorts value, type the range of ports used by IAS (1645-1646)&lt;/li&gt; 
&lt;li&gt;Save it and restart the DNS Server service (you may need to reboot the whole server but not in my case)&lt;/li&gt;
&lt;/ul&gt;
Now when DNS restarts it'll make sure not to use those ports that you have already allocated for IAS and you're back working.  &lt;/p&gt;

&lt;h3&gt;The Background&lt;/h3&gt;
&lt;p&gt;This is all caused by &lt;a href="http://www.doxpara.com/"&gt;Dan Kaminsky&lt;/a&gt; so you should email him and tell him how many problems he's caused. (Just kidding but he still might enjoy that).&lt;/p&gt;
&lt;p&gt;The real issue was the hotfix that Microsoft released, MS08-037, which fixed a flaw in DNS servers and clients that was originally discovered by Dan Kaminsky.  The MS08-037 security update randomizes the DNS transaction IDs of DNS servers, changes the logic for handling DNS caching, and, most importantly for this error, randomizes the socket (source port) that the DNS server uses each time.  That means that when DNS is running, it could be using the socket you have reserved for another application like IAS.  &lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.capslockassassin.com/2009/01/28/ms08-037-causes-port-conflicts-with-dns-and-ias-services/"&gt;http://www.capslockassassin.com/2009/01/28/ms08-037-causes-port-conflicts-with-dns-and-ias-services/&lt;/a&gt; - nice write up about the issue with screen shots&lt;br/&gt;&lt;br/&gt;
&lt;a href="http://support.microsoft.com/kb/956188/"&gt;http://support.microsoft.com/kb/956188/&lt;/a&gt; - MS support KB about the issue &lt;br/&gt;&lt;br/&gt;
&lt;a href="http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx&lt;/a&gt; - MS08-037 security bulletin &lt;br/&gt;&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-3435936764009492732?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/03/blame-dan-for-ias-socket-error.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8555432319473754743</guid><pubDate>Mon, 09 Mar 2009 21:53:00 +0000</pubDate><atom:updated>2009-03-13T20:45:34.694-04:00</atom:updated><title>Goodbye Chicago</title><description>&lt;p&gt;Today is the end of my three month contract with one of my clients' Chicago area sites. It's been a blast while I've been here and I want to thank everyone for their hospitality. Hopefully everything is in a better place than when I got there. :) &lt;/p&gt;

&lt;p&gt;This also marks the end of me working with this client in general as they're making an effort to trim back outside consultants for economic reasons, which is understandable.  I've been lucky enough to work with this company for more than six years, during which time they've let me work at their Vancouver, Chicago, Virginia, Pennsylvania, Florida, and Rochester sites.  I've learned a ton through the years working with the IT staff and management as they've grown the IT dept in all kinds of directions.&lt;/p&gt;

&lt;p&gt;I'll be heading back home to Rochester, NY and continue to work for my employer, Hurricane Technologies, Inc. and they already have new projects lined up for me that look pretty interesting.  &lt;/p&gt;</description><link>http://www.markmmanning.com/blog/2009/03/goodbye-chicago.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-6823710354310152349</guid><pubDate>Sun, 01 Mar 2009 16:57:00 +0000</pubDate><atom:updated>2009-03-01T13:47:51.661-05:00</atom:updated><title>Detecting Computers in Promiscuous Mode</title><description>&lt;p&gt;I had a late night discussion on the L this weekend about detecting someone sniffing on your network.  I think his question was meant to be "how do you detect if someone is performing a man-in-the-middle attack", which is just too much of an open question to go into right now. But, if the question was how do you detect if someone is sniffing traffic on your network, that could be answered in a simpler, more bloggable way.  &lt;/p&gt;

&lt;h3&gt;Promiscuous Mode&lt;/h3&gt;
&lt;p&gt;When most (all?) systems attempt to sniff network traffic, their network cards run in promiscuous mode.  But what does this mean exactly?  Wikipedia has a succinct explanation:
&lt;blockquote&gt;Promiscuous mode is a configuration of a network card that makes the card pass all traffic it receives to the central processing unit rather than just packets addressed to it — a feature normally used for packet sniffing.&lt;/blockquote&gt;
&lt;/p&gt;

&lt;h3&gt;Detecting Promiscuous Mode Network Cards&lt;/h3&gt;
&lt;p&gt;So if we know that promiscuous mode is used for sniffing, and you're attempting to control your local network, you're going to want to know which systems are sniffing on the network, so let's find out who's running in promiscuous mode. There are a ton of tools out there just to detect promiscuous mode (see External Links below) but once again it's Nmap ftw.&lt;/p&gt;

&lt;p&gt;Development versions of Nmap include a script called "sniffer-detect.nse"; in current/old versions this script is called "promiscuous.nse". You can run it like this:&lt;/p&gt;
&lt;textarea cols="50" rows="2"&gt;nmap --script=promiscuous 10.10.10.0/24&lt;/textarea&gt;
&lt;p&gt;If a system has been detected to be running in promiscuous mode, you'll see this:&lt;/p&gt;
&lt;textarea cols="50" rows="15"&gt;
Interesting ports on BADHOST (10.10.10.76):
Not shown: 997 closed ports
PORT   STATE SERVICE
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http
MAC Address: 00:21:29:71:22:68 (Cisco-Linksys)

Host script results:
|_ Promiscuous detection: PROMISCUOUS (tests: "11111111")
&lt;/textarea&gt;
&lt;p&gt;We can see that the system has been detected to be running in promiscuous mode and the result is "11111111". Different operating systems report different combinations of 1s. Linux reports "11111111", Windows 2k, XP, Vista, and Windows 7 report "111___1_", and Windows 98 reports "1111__1_". By default, the script will only report NICs in promiscuous mode, so if you don't get any results, that's because the scan returned false.&lt;/p&gt;

&lt;h3&gt;When This Doesn't Work&lt;/h3&gt;
&lt;p&gt;So that's neat, we can detect when systems are sniffing the network using Wireshark or other sniffing tools, but what if someone installs a hub or network tap? These are devices that are designed to forward copies of packets to another interface without making any noise, thereby sniffing traffic that goes through the device.  &lt;/p&gt;
&lt;p&gt;The short answer is you can't.  &lt;/p&gt;
&lt;p&gt;The longer answer is that it depends on the hub and how you've set up your network. As far as I know Cisco and other higher end network equipment give you some control but it's not perfect.   &lt;/p&gt;

&lt;h3&gt;Detection vs Prevention&lt;/h3&gt;
&lt;p&gt;Of course I have to say that detecting a sniffer is not a good way of maintaining control of the network.  Even if you automate this process, it most likely will be too late to protect from anything being stolen.  &lt;/p&gt;
&lt;p&gt;These are the preventative measures that I've compiled and if someone has other suggestions, please &lt;a href="?page=contact"&gt;let me know&lt;/a&gt;.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Host to host encryption (IPSEC)&lt;/li&gt;
&lt;li&gt;Force other encrypted protocols (SSL, FTPS, SSH)&lt;/li&gt;
&lt;li&gt;Have a switch only policy for your network&lt;/li&gt;
&lt;li&gt;Implement a NAC/NAP system&lt;/li&gt;
&lt;li&gt;Keep physical access to network closets/rooms restricted and controlled&lt;/li&gt;
&lt;li&gt;Perform regular physical inspection of all your network interfaces in the facility (offices, conference rooms, hidden in drop down ceilings - no seriously)&lt;/li&gt;
&lt;li&gt;Implement a secure proxy server for web traffic (Squid)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.mnin.org/?page=promisc&amp;left=off"&gt;http://www.mnin.org/?page=promisc&amp;left=off&lt;/a&gt; - good break down and detection script using perl and nemesis&lt;br/&gt;
&lt;a href="http://www.securityfriday.com/promiscuous_detection_01.pdf"&gt;http://www.securityfriday.com/promiscuous_detection_01.pdf&lt;/a&gt; - the original paper describing how to detect NICs in promiscuous mode using ARP packets&lt;br/&gt;
&lt;a href="http://nmap.org/nsedoc/scripts/sniffer-detect.html"&gt;http://nmap.org/nsedoc/scripts/sniffer-detect.html&lt;/a&gt; - quick description of what sniffer-detect.nse does&lt;br/&gt;
&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?familyid=1a10d27a-4aa5-4e96-9645-aa121053e083&amp;displaylang=en&lt;/a&gt; - Microsoft GUI tool that can scan for promiscuous mode NICs&lt;/br&gt;
&lt;a href="http://www.securityfocus.com/tools/3333"&gt;http://www.securityfocus.com/tools/3333&lt;/a&gt; - tool to run locally on a *NIX system to detect promiscuous mode enabled NICs&lt;br/&gt;
&lt;a href="http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm"&gt;http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm&lt;/a&gt; - Cain and Abel have the ability to scan for promiscuous mode MAC's too.  (wasn't able to get it to work though)&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-6823710354310152349?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/03/detecting-computers-in-promiscuous-mode.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-421813703468905948</guid><pubDate>Mon, 09 Feb 2009 05:42:00 +0000</pubDate><atom:updated>2009-02-10T16:47:15.635-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Sysmin</category><category domain='http://www.blogger.com/atom/ns#'>Shmoocon</category><category domain='http://www.blogger.com/atom/ns#'>Hacker Pimps</category><category domain='http://www.blogger.com/atom/ns#'>hacking</category><category domain='http://www.blogger.com/atom/ns#'>Defcon</category><category domain='http://www.blogger.com/atom/ns#'>Shmoocon 2009</category><title>Shmoocon 2009</title><description>&lt;p&gt;There are a lot of people already blogging about their perspectives of &lt;a href="http://www.shmoocon.org"&gt;Shmoocon&lt;/a&gt; this year so go check them out if you're interested.  I wanted to dump some thoughts for posterity.  &lt;/p&gt;

&lt;p&gt;Shmoocon rocked. I haven't really heard any perspectives that would disagree.  Most of the people that went, knew what to expect and I think it lived up to those expectations. &lt;/p&gt;

&lt;h3&gt;Shmoo VS Defcon&lt;/h3&gt;
&lt;p&gt;Every year 9000 hackers - er I mean security professionals - turn out for Defcon.  The culture ranges from script kiddies to 1337 h@x0rz and from overpaid business men to Feds.  It's all over the board.  Usually once you get there, the crowd partitions off into separate factions.  Skiddies look for things to hack (see steal), 1337's start working on the challenges, business men keep track of their receipts, and Feds quietly hover in a cloud of self-content. Good times are had by all that know how to have good times and the technical information in the talks is very informative.&lt;/p&gt;

&lt;p&gt;In contrast, Shmoocon had a gathering of 1300+ people with fewer skiddies and Feds, and more of the in between.  There were a lot of black shirts and a lot of business casual.  There aren't as many talks as Defcon but there seems to be more of an open community. In my opinion it seems friendlier.  &lt;/p&gt;

&lt;p&gt;What seemed to be the best part was the smaller number of people in a smaller area, which made it more likely for the same people to be in the same place over and over.  Same thing with the parties. Smaller parties, same people attending.  But anyone that can throw a party in a church is pretty awesome in my book.&lt;/p&gt;

&lt;h3&gt;Lessons Learned&lt;/h3&gt;
&lt;ol&gt;&lt;li&gt;Script the registration to get lower costs - it's very unlikely that someone clicking register now over and over again can beat a multi-threaded instance of curl. &lt;/li&gt;
&lt;li&gt;Play the contests - there are a lot of cool contests and games that not a lot of people play.  If you're good at that stuff, you're likely to place somewhere&lt;/li&gt;
&lt;li&gt;Don't make fun of the Steel Workers Union's Mullets - learned the hard way (sorry Sysmin) &lt;/li&gt;&lt;/ol&gt;</description><link>http://www.markmmanning.com/blog/2009/02/shmoocon-2009.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-4246500349611576571</guid><pubDate>Tue, 27 Jan 2009 19:32:00 +0000</pubDate><atom:updated>2009-01-27T19:38:40.543-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>goons</category><category domain='http://www.blogger.com/atom/ns#'>CEH</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>ethical hackers</category><category domain='http://www.blogger.com/atom/ns#'>certified ethical harpoonist</category><category domain='http://www.blogger.com/atom/ns#'>hackers</category><category domain='http://www.blogger.com/atom/ns#'>Defcon</category><title>CEH Self Study</title><description>&lt;p&gt;Yesterday I passed my &lt;a href="http://www.eccouncil.org/ceh.htm"&gt;Certified Ethical Hacker&lt;/a&gt; test making me a CEH.  I really don't put much personal information in this blog but since I wish I'd found more information about the possibility of self studying for the CEH before I took the exam, I'm going to write this entry in the hopes that someone else will find it before they take theirs.&lt;/p&gt;

&lt;h3&gt;CEH's Perception&lt;/h3&gt;
&lt;p&gt;The Certified Ethical Hacker certification came around years ago but I first heard about it at Defcon 15.  You can go look at what the CEH is and read why you need to get it but I'm more interested in writing about how I personally have seen it perceived.&lt;/p&gt;

&lt;p&gt;One of the Goons at Defcon was making fun of the certification saying that he was going to start his own test to be a CEH - Certified Ethical Harpoonist and that the CEH cert was less than desirable.  He used more colorful adjectives.   Goons are at least two steps up from the "Humans" at Defcon so their opinion has some sway (especially among n3wbs and scene whores) no matter how beer fueled it is. &lt;/p&gt;

&lt;p&gt;None of the people that I know or are friends with have the CEH cert and I've never really had a conversation with anyone saying how they're going to work towards it.  Most look at the CISSP to be a manager or some of the SANS certs if you want to actually know how to hack.  The best example of how CEH is not widely known or desired was when I told a techie friend that I'd passed my CEH exam and his response was, "Congratulations.  What's that?"&lt;/p&gt;

&lt;h3&gt;Why get the CEH?&lt;/h3&gt;
&lt;p&gt;So if it's been planted in my mind that the CEH is really not that big of a deal and most people don't even know what the CEH is, why even go for it, right?   More than anything else it added a structure to the security projects I had been working on.  Up till now, I was working on 15 different projects using all kinds of different technology from encryption games and anonymity utilities to programming projects and improving my soldering skills.   I found the CEH study guide and, looking through the table of contents, it seemed like something that could teach me new skills to wrap into my projects.  So it just really put everything I had been studying into a specific, achievable goal. &lt;/p&gt;

&lt;p&gt;I would say to anyone expecting the CEH cert to open doors or make it easier for you to get a job, don't waste your time.  In my opinion, CEH is the A+ of security.&lt;/p&gt;

&lt;h3&gt;Is Self Study an Option?&lt;/h3&gt;
&lt;p&gt;The short answer is a big maybe.&lt;/p&gt;

&lt;p&gt;I'm lucky enough to work for a company that pays for my training.  That being said, I really didn't want to take a week off to do the CEH training course knowing that the CEH really wouldn't do much for anyone.  Since I'm on sabbatical for a few months, what better time to study towards something like this.  &lt;/p&gt;

&lt;p&gt;I bought the CEH review guide which, in one of its first paragraphs, states something to the effect of
&lt;blockquote&gt;"This book does not contain all the information you need to pass the test."&lt;/blockquote&gt;

Ok, I understand. I'll look at the information it's talking about and apply some real world examples.  The review guide was missing a LOT of information.  In fact, if I had no previous experience in security and was starting from scratch, the review guide wouldn't have even touched upon half of the subjects in the test. &lt;/p&gt;

&lt;p&gt;I know what you're going to say, it's called a _REVIEW_ guide but in fact, there is &lt;a href="http://www.amazon.com/s/field-keywords=ethical%20hacker"&gt;no official book&lt;/a&gt; of information for the CEH which means that the only book to study from is this review guide.  Maybe this is normal but for all the other certifications I have, there's always been a gigantic book that you studied from.  So it was like having the cliff notes instead of the original novel and then trying to pass a 150 question exam.  It wasn't like that, it WAS that. &lt;/p&gt;

&lt;p&gt;The alternative to the review guide is that you hook up with the EC Council training and they tell you the secret subjects that you should study for in one of their week long training classes.  Let's just say that thanks to the openness of the Internet, I was able to track down some more information to study. &lt;/p&gt;

&lt;h3&gt;Subjects not covered&lt;/h3&gt;
&lt;p&gt;I looked up as much information as I could and I talked to people in some forums and IRC channels that I frequent and they all basically said the same thing.  "Nothing really surprising.  Few gotcha questions.  Pretty straight forward."  And in response to did you self-study - "No."  In fact out of the 5 or 6 people I directly talked to that had passed the CEH, they all shelled out the more than $1000 for the week training and then took the test. &lt;/p&gt;

&lt;p&gt;The biggest item that I didn't study for was programming.  They don't expect you to write any exploits or anything like that, but you need to be able to read C well enough to point out where a buffer overflow could occur.  I don't know C or C++ but can hack my way through, so it was a stretch and not in anything that I was studying. Luckily there were only two of these questions. &lt;/p&gt;

&lt;h3&gt;Conclusion&lt;/h3&gt;
&lt;p&gt;My major conclusion is the test material is really good for security professionals, but if you're going to be able to pass the exam with the review guide, you are probably already in the security industry and this test will do nothing for you.  If not, you'll end up spending the same amount of money retaking the test that you would have if you did the week long training. The reason that I was successful was because of all the extra study materials I found and generally because I am a geek.&lt;/p&gt;</description><link>http://www.markmmanning.com/blog/2009/01/ceh-self-study.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8135282404115136083</guid><pubDate>Mon, 19 Jan 2009 18:09:00 +0000</pubDate><atom:updated>2009-01-21T20:26:49.898-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>SANS</category><category domain='http://www.blogger.com/atom/ns#'>forensics</category><category domain='http://www.blogger.com/atom/ns#'>Gutmann</category><category domain='http://www.blogger.com/atom/ns#'>hard drive</category><category domain='http://www.blogger.com/atom/ns#'>storage</category><title>Securely Erasing Hard Drives With Single Swipe Research - Win and Fail</title><description>&lt;p&gt;&lt;a href="http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432"&gt;Heise Security&lt;/a&gt;, &lt;a href="http://www.securityfocus.com/brief/888"&gt;SecurityFocus&lt;/a&gt;, and &lt;a href="http://hardware.slashdot.org/article.pl?sid=09%2F01%2F19%2F1422246"&gt;Slashdot&lt;/a&gt; are all reporting on new research from &lt;a href="http://sansforensics.wordpress.com/2009/01/15/overwriting-hard-drive-data/"&gt;SANS 
Forensics Blog&lt;/a&gt; that comes to the conclusion that it's unnecessary to perform multiple pass erase methods on a hard drive to make sure that data is forensically unrecoverable.  In fact it recommends that simply overwriting data with all zeros or all ones will do the trick.  &lt;/p&gt;

&lt;p&gt;From the research:
&lt;blockquote&gt;Although there is a good chance of recovery for any individual bit from a drive, the chances of recovery of any amount of data from a drive using an electron microscope are negligible...&lt;/blockquote&gt;
&lt;/p&gt;

&lt;h3&gt;What about DoD 5220.22-M and Gutmann&lt;/h3&gt;
&lt;p&gt;This sounded pretty shocking to me as I've wasted countless hours wiping hard drives up to 35 times (Gutmann) when all it would have taken was 1 swipe.  But is it true?  Peter Gutmann, yes _the_ &lt;a href="http://en.wikipedia.org/wiki/Gutmann_method"&gt;Peter Gutmann&lt;/a&gt;, claims that the testing methodology is incorrect but the conclusions are correct. 

&lt;blockquote&gt;the article confuses two totally unrelated techniques. One is the use of an MFM[Magnetic Force Microscope] to recover offtrack data... The other is the use of an error-cancelling read ... to recover overwritten data.  ...Given that these are totally different techniques exploiting completely unrelated phenomena, it's not surprising that trying to use one to do the other didn't work.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Gutmann goes on to concede that it's impossible to recover any useful amount of data from any modern hard drive, no matter whether you wipe it with all zeros one time or use an erasing method with multiple passes:

&lt;blockquote&gt;Any modern drive [recovery] will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording... &lt;/blockquote&gt;
&lt;br/&gt;
NIST backs up this comment in a special report entitled &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf"&gt;Special Publication 800-88&lt;/a&gt; which states
&lt;blockquote&gt;Studies have shown that most of today's media can be effectively cleared by one overwrite&lt;/blockquote&gt;
&lt;/p&gt;

&lt;h3&gt;For Posterity&lt;/h3&gt;
&lt;p&gt;So if nothing else, the argument made me go look up what each of those erase methods does and the differences between the Gutmann, pseudorandom overwrite, and 5220-22.M erase methods.  It seems to be the common consensus that hard drives cannot be recovered once they have been overwritten by data, but if you still want to burn through a day wiping hard drives, I'm sure you could convince an unknowing boss otherwise. &lt;/p&gt;

&lt;h3&gt;Insecure Methods&lt;/h3&gt;
&lt;p&gt;There are still insecure ways of erasing hard drives.  One of those is the Windows "Quick Erase" that you see when you're loading up the OS.  This is an NTFS trick that deletes the reference to the Inode, hiding the data from the OS but leaving it available to forensic analysis.  You should always choose "Full Format" unless you really need that extra twenty minutes of your life. &lt;/p&gt;

&lt;h3&gt;Gutmann&lt;/h3&gt;
&lt;p&gt;The most (in?)famous method of erasing and definitely the most interesting is Peter Gutmann's method.  This is defined as a 35-pass wipe that includes some pseudorandom passes, some specific static patterns (e.g. 01100110011), and some passes of all 0s and all 1s.  The reason for this is that older hard drives used different encoding methods, so this way of erasing data would cover all of them. The Windows tool aptly named "Eraser" is thankfully open source so that we can have an example:

&lt;textarea cols="100" rows="25"&gt;
/* Define the Gutmann method. */
 dwipe_pattern_t book [] =
 {
  { -1, ""             }, /* Random pass.    */
  { -1, ""             }, /* Random          */
  { -1, ""             }, /* Random          */
  { -1, ""             }, /* Random         */
  {  3, "\x55\x55\x55" }, /* Static pass: 0x555555  01010101 01010101 01010101 */
  {  3, "\xAA\xAA\xAA" }, /* Static pass: 0XAAAAAA  10101010 10101010 10101010 */
  {  3, "\x92\x49\x24" }, /* Static pass: 0x924924  10010010 01001001 00100100 */
  {  3, "\x49\x24\x92" }, /* Static pass: 0x492492  01001001 00100100 10010010 */
  {  3, "\x24\x92\x49" }, /* Static pass: 0x249249  00100100 10010010 01001001 */
  {  3, "\x00\x00\x00" }, /* Static pass: 0x000000  00000000 00000000 00000000 */
  {  3, "\x11\x11\x11" }, /* Static pass: 0x111111  00010001 00010001 00010001 */
  {  3, "\x22\x22\x22" }, /* Static pass: 0x222222  00100010 00100010 00100010 */
  {  3, "\x33\x33\x33" }, /* Static pass: 0x333333  00110011 00110011 00110011 */
  {  3, "\x44\x44\x44" }, /* Static pass: 0x444444  01000100 01000100 01000100 */
  {  3, "\x55\x55\x55" }, /* Static pass: 0x555555  01010101 01010101 01010101 */
  {  3, "\x66\x66\x66" }, /* Static pass: 0x666666  01100110 01100110 01100110 */
  {  3, "\x77\x77\x77" }, /* Static pass: 0x777777  01110111 01110111 01110111 */
  {  3, "\x88\x88\x88" }, /* Static pass: 0x888888  10001000 10001000 10001000 */
  {  3, "\x99\x99\x99" }, /* Static pass: 0x999999  10011001 10011001 10011001 */
  {  3, "\xAA\xAA\xAA" }, /* Static pass: 0xAAAAAA  10101010 10101010 10101010 */
  {  3, "\xBB\xBB\xBB" }, /* Static pass: 0xBBBBBB  10111011 10111011 10111011 */
  {  3, "\xCC\xCC\xCC" }, /* Static pass: 0xCCCCCC  11001100 11001100 11001100 */
  {  3, "\xDD\xDD\xDD" }, /* Static pass: 0xDDDDDD  11011101 11011101 11011101 */
  {  3, "\xEE\xEE\xEE" }, /* Static pass: 0xEEEEEE  11101110 11101110 11101110 */
  {  3, "\xFF\xFF\xFF" }, /* Static pass: 0xFFFFFF  11111111 11111111 11111111 */
  {  3, "\x92\x49\x24" }, /* Static pass: 0x924924  10010010 01001001 00100100 */
  {  3, "\x49\x24\x92" }, /* Static pass: 0x492492  01001001 00100100 10010010 */
  {  3, "\x24\x92\x49" }, /* Static pass: 0x249249  00100100 10010010 01001001 */
  {  3, "\x6D\xB6\xDB" }, /* Static pass: 0x6DB6DB  01101101 10110110 11011011 */
  {  3, "\xB6\xDB\x6D" }, /* Static pass: 0xB6DB6D  10110110 11011011 01101101 */
  {  3, "\xDB\x6D\xB6" }, /* Static pass: 0XDB6DB6  11011011 01101101 10110110 */
  { -1, ""             }, /* Random pass.                                      */
  { -1, ""             }, /* Random pass.                                      */
  { -1, ""             }, /* Random pass.                                      */
  { -1, ""             }, /* Random pass.                                      */
  { 0, NULL }
 };
&lt;/textarea&gt;&lt;/p&gt;

&lt;h3&gt;Pseudorandom&lt;/h3&gt;
&lt;p&gt;This is a tried and true method of simply generating random data to cover the entire drive.  Apparently a single swipe of this is still a good means of cleaning off a hard drive.  Here's one way to do it using the Linux dd command:
&lt;textarea cols="100" rows="2"&gt;
dd if=/dev/random of=/dev/sda
&lt;/textarea&gt;&lt;/p&gt;

&lt;h3&gt;DoD 5220-22.M&lt;/h3&gt;
&lt;p&gt;Slightly more interesting than the others, this is the DoD 5220-22.M method, which actually isn't a specification.  I have yet to find the original document that states this procedure but again, here is the Eraser source code as an example:
&lt;textarea cols="100" rows="10"&gt;
 dwipe_pattern_t patterns [] =
 {
  {  1, &amp;dod[0] }, /* Pass 1: A random character.               */
  {  1, &amp;dod[1] }, /* Pass 2: The bitwise complement of pass 1. */
  { -1, ""      }, /* Pass 3: A random stream.                  */
  {  1, &amp;dod[3] }, /* Pass 4: A random character.               */
  {  1, &amp;dod[4] }, /* Pass 5: A random character.               */
  {  1, &amp;dod[5] }, /* Pass 6: The bitwise complement of pass 5. */
  { -1, ""      }, /* Pass 7: A random stream.                  */
  {  0, NULL   }
 };
&lt;/textarea&gt;&lt;/p&gt;  
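&lt;p&gt;Both Eraser tables above have the same shape: a list of (length, pattern) entries where a length of -1 means a fresh random stream and a static pattern is tiled across the whole device. The following Python is an added example, not Eraser's code, that applies such a table to an in-memory buffer standing in for a disk and reads every pass back to confirm it covered the whole buffer; make_counter_rng is a constructed, deterministic stand-in for os.urandom so the demo run is repeatable.&lt;/p&gt;

```python
"""Added example (not Eraser's own code): apply an overwrite-pattern table in
the (length, pattern) shape of the two Eraser excerpts (Gutmann and DoD
5220.22-M) to an in-memory buffer, reading each pass back to confirm it
actually covered the whole buffer. The bytearray stands in for a device."""
import os

RANDOM_STREAM = -1  # same convention as the tables: length -1 = random pass


def gutmann_table():
    """35-pass Gutmann table: 4 random, 27 static 3-byte patterns, 4 random."""
    statics = [
        "555555", "AAAAAA", "924924", "492492", "249249",
        "000000", "111111", "222222", "333333", "444444", "555555",
        "666666", "777777", "888888", "999999", "AAAAAA", "BBBBBB",
        "CCCCCC", "DDDDDD", "EEEEEE", "FFFFFF",
        "924924", "492492", "249249", "6DB6DB", "B6DB6D", "DB6DB6",
    ]
    passes = [(RANDOM_STREAM, b"")] * 4
    passes += [(3, bytes.fromhex(h)) for h in statics]
    passes += [(RANDOM_STREAM, b"")] * 4
    return passes


def dod_table(rng=os.urandom):
    """7-pass DoD 5220.22-M table as in the second excerpt: a random byte, its
    bitwise complement, a random stream, a random byte, a random byte, its
    complement, a random stream. The random bytes are drawn when the table is built."""
    c1, c4, c5 = rng(1), rng(1), rng(1)

    def complement(c):
        return bytes([c[0] ^ 0xFF])

    return [
        (1, c1), (1, complement(c1)), (RANDOM_STREAM, b""),
        (1, c4), (1, c5), (1, complement(c5)), (RANDOM_STREAM, b""),
    ]


def fill(size, length, pattern, rng=os.urandom):
    """Bytes written by one pass: fresh random data, or the static pattern
    tiled across the buffer (the tail may cut a pattern short, as on a disk)."""
    if length == RANDOM_STREAM:
        return rng(size)
    return (pattern * (size // length + 1))[:size]


def wipe(buffer, table, rng=os.urandom):
    """Apply every pass in `table` to `buffer` (a bytearray), verifying each
    pass by read-back: a static pass must equal the tiled pattern, a random
    pass must have changed the buffer. Returns the number of passes done."""
    done = 0
    for length, pattern in table:
        before = bytes(buffer)
        buffer[:] = fill(len(buffer), length, pattern, rng)
        after = bytes(buffer)
        if length == RANDOM_STREAM:
            ok = after != before
        else:
            ok = after == fill(len(buffer), length, pattern)
        if not ok:
            raise RuntimeError("read-back verification failed on pass %d" % (done + 1))
        done += 1
    return done


def make_counter_rng(seed=0):
    """Constructed, deterministic stand-in for os.urandom so the demo is
    repeatable. Not random at all; a real wipe must use os.urandom."""
    state = [seed]

    def rng(n):
        state[0] += 1
        return bytes([(i * 37 + state[0] * 101) % 256 for i in range(n)])

    return rng


def run_demo(seed=0):
    """Wipe a constructed 48-byte sample 'disk' with both tables using the
    deterministic rng; returns (gutmann_passes, dod_passes, final_contents)."""
    disk = bytearray(b"secret" * 8)
    rng = make_counter_rng(seed)
    g = wipe(disk, gutmann_table(), rng)
    d = wipe(disk, dod_table(rng), rng)
    return g, d, bytes(disk)


if __name__ == "__main__":
    g, d, final = run_demo()
    print("Gutmann passes: %d, DoD passes: %d" % (g, d))
    print("'secret' still present:", b"secret" in final)
```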
&lt;h3&gt;NSA Method&lt;/h3&gt;
&lt;p&gt;Probably the most paranoid and comical are the NSA instructions, which insist that the drive be degaussed and/or destroyed.  My favorite method is Hack-A-Day's Thermite destruction:
&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/k-ckechIqW0&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/k-ckechIqW0&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;p&gt;
&lt;a href="http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432"&gt;http://www.heise-online.co.uk/security/Secure-deletion-a-single-overwrite-will-do-it--/news/112432&lt;/a&gt; - Heise Security article discussing the subject&lt;br/&gt;
&lt;a href="http://www.securityfocus.com/brief/888"&gt;http://www.securityfocus.com/brief/888&lt;/a&gt; - SecurityFocus discussion on the subject&lt;br/&gt;
&lt;a href="http://hardware.slashdot.org/article.pl?sid=09%2F01%2F19%2F1422246"&gt;http://hardware.slashdot.org/article.pl?sid=09%2F01%2F19%2F1422246&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html"&gt;http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html&lt;/a&gt;&lt;/br&gt;
&lt;a href="http://en.wikipedia.org/wiki/Data_erasure#Full_disk_overwriting"&gt;http://en.wikipedia.org/wiki/Data_erasure#Full_disk_overwriting&lt;/a&gt; - Good article on Wikipedia about this kind of stuff. &lt;br/&gt;
&lt;a href="http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf"&gt;http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf&lt;/a&gt;
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-8135282404115136083?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/01/securely-erasing-hard-drives-with.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-6154903022243926644</guid><pubDate>Thu, 15 Jan 2009 02:36:00 +0000</pubDate><atom:updated>2009-01-20T22:33:31.313-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>system administration</category><category domain='http://www.blogger.com/atom/ns#'>hack</category><title>Creating a Fake Printer (/dev/null for Windows)</title><description>&lt;p&gt;These directions will create a printer in Windows that will receive print jobs and then automatically delete them.  This is probably only going to be useful for one in a million situations but I thought it was an interesting exercise none the less. If anyone does find this useful, I'd be interested to &lt;a href="?page=contact"&gt;hear about it&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;The reason I did this was a program that was hard coded so that pressing the print icon printed immediately, and only then asked whether you wanted to print and which printer to use.  Pages came out twice, and no matter which printer you picked, the first copy went to your default printer.  So I changed the default to a printer that just dumps the job into the Windows NUL device, which works the same as /dev/null on Linux. &lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Open up your printers and go to "Add Printer"&lt;/li&gt;
&lt;li&gt;Add it as a local printer and uncheck "Automatically Detect"&lt;/li&gt;
&lt;li&gt;Click on "Create a new port:"&lt;/li&gt;
&lt;li&gt;Choose "Local Port"&lt;/li&gt;
&lt;li&gt;The port name is "nul" (yes, one "l")&lt;/li&gt;
&lt;li&gt;Name the printer Printer of Death (or whatever you want)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Test it by printing something out.  A better test to convince yourself that "nul" works is to run this from the command line:&lt;/p&gt;
&lt;textarea cols="50"&gt;echo this is a test &gt; nul&lt;/textarea&gt;
&lt;p&gt;NUL is a reserved device name in Windows (like CON, PRN and COM1), so the redirected output is discarded; if it were not, this would create a file named "nul" in the current directory.  The printer port works the same way: the spooler writes the job to the port named nul and the bytes go nowhere.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-6154903022243926644?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2009/01/creating-fake-printer-devnull-for.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8398518557057302117</guid><pubDate>Sun, 21 Dec 2008 22:55:00 +0000</pubDate><atom:updated>2008-12-21T18:49:33.361-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>SSL</category><category domain='http://www.blogger.com/atom/ns#'>firefox</category><category domain='http://www.blogger.com/atom/ns#'>NoScript</category><category domain='http://www.blogger.com/atom/ns#'>https</category><category domain='http://www.blogger.com/atom/ns#'>encryption</category><category domain='http://www.blogger.com/atom/ns#'>security</category><title>Force HTTPS for Sites Using NoScript</title><description>&lt;p&gt;This is a simple solution for those of us wishing to use SSL whenever possible.  Sites like Facebook, LinkedIn, The Pirate Bay and hopefully soon many others offer HTTPS as an option, but only to those that try to use it.  &lt;/p&gt;

&lt;h3&gt;HTTPS != Secure&lt;/h3&gt;
&lt;p&gt;I should probably say this because HTTPS/SSL is turning into a mindless buzzword.  &lt;br/&gt;
Websites offering SSL do NOT...
&lt;ul&gt;
&lt;li&gt;protect you from attacks on your system - a virus can be downloaded over SSL just as easily as over HTTP; the encryption hides it from the network, not from you&lt;/li&gt;
&lt;li&gt;inherently hide the websites you're visiting - the browser URL will still be https://www.someweb2.0site.com/markmmanning, your DNS lookups go out in the clear, and the hostname is visible in the TLS handshake; only the path, headers and page contents are encrypted&lt;/li&gt;
&lt;li&gt;mean that the website will always use HTTPS - Yahoo lets you connect using HTTPS and then automatically redirects you to HTTP after you've logged in, at which point the cookies that identify your session go over the wire in the clear&lt;/li&gt;
&lt;/ul&gt;

Websites offering SSL do...
&lt;ul&gt;
&lt;li&gt;encrypt your web traffic between the browser and the web server &lt;/li&gt;
&lt;li&gt;protect that traffic from attackers sniffing on your network, as long as every request (and every cookie) really does go over HTTPS&lt;/li&gt;
&lt;/ul&gt;
&lt;/p&gt;

&lt;h3&gt;NoScript&lt;/h3&gt;
&lt;p&gt;NoScript R0ckz!  I'm not even going to talk about them because you should know.  &lt;a href="http://noscript.net"&gt;Check them out here.&lt;/a&gt; &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Install NoScript&lt;/li&gt;
&lt;li&gt;Click on the icon and go to Options&lt;/li&gt;
&lt;li&gt;Click the Advanced tab and HTTPS&lt;/li&gt;
&lt;li&gt;In the "Force the following sites to use secure (HTTPS) connections:" add in all of your favorite websites &lt;/li&gt;
&lt;li&gt;Click ok and test it out&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://noscript.net/"&gt;http://noscript.net/&lt;/a&gt; - NoScript website &lt;br/&gt;
&lt;a href="http://fscked.org/projects/cookiemonster"&gt;http://fscked.org/projects/cookiemonster&lt;/a&gt; - the reason why HTTPS doesn't mean you're secure.  CookieMonster is a sidejacking tool with support for attacking SSL connections.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-8398518557057302117?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/12/force-https-for-sites-using-noscript.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-894087025128705491</guid><pubDate>Tue, 09 Dec 2008 03:24:00 +0000</pubDate><atom:updated>2009-03-05T13:36:27.317-05:00</atom:updated><title>Ping Sweep With Bash</title><description>&lt;p&gt;I'm adding this entry for the following reasons:
&lt;ol&gt;&lt;li&gt;Bash scripting is fun!&lt;/li&gt;
&lt;li&gt;I like minimalistic ways of doing things&lt;/li&gt;
&lt;li&gt;It makes me laugh&lt;/li&gt;
&lt;/ol&gt;
&lt;/p&gt;

&lt;h3&gt;Why&lt;/h3&gt;
&lt;p&gt;I know this doesn't matter, but it adds to why I'm doing this.  I'm trapped in a far off land for three months and, even though I've set up my servers in a remote location, I failed to realize how little the VMware ESX service console offers from the command line.  I discovered this when I had forgotten all of the IPs of the other servers on my network.  I know someone is going to say why didn't you just create a tunnel with ssh and blah blah blah, but yes, ESX has limited configuration settings for that as well.  &lt;/p&gt;

&lt;p&gt;So here is what no one is waiting for: the extremely slow way of performing a ping sweep on your network from bash.  If nothing else, it's given me an even better appreciation for nmap and other network scanning tools. &lt;/p&gt;
&lt;p&gt;UPDATE: 3/4/2009 Just looked at this again and realized a for loop would be better.  It stops at .254 because .255 is the broadcast address of a /24, and -W 1 (iputils ping on Linux) caps the wait for a host that never answers at one second, so the whole sweep takes a few minutes at most instead of hanging on every dead address. &lt;/p&gt;
&lt;textarea cols=75 rows=2&gt;
for i in {1..254}; do ping -c 1 -W 1 10.0.0.$i | grep "time="; done
&lt;/textarea&gt;&lt;br/&gt;
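&lt;p&gt;For the impatient, here is the same idea with the probes run concurrently, so the whole range finishes in about one ping timeout instead of 254 of them.  This is an added example, not the one-liner from the post or anything ESX ships: it assumes a POSIX shell and iputils ping (Linux), where -W sets the per-host reply timeout in seconds, and the sweep24 and probe_icmp names are mine.  The probe command is a parameter so the sweep logic can be exercised without a network, for instance with a stub that "answers" for a chosen set of addresses.&lt;/p&gt;

```shell
#!/bin/sh
# Added example, not code from the original post: a /24 ping sweep with one
# background probe per host.  Assumes iputils ping (Linux), where -W sets the
# reply timeout in seconds; on another ping, adjust probe_icmp accordingly.

# probe_icmp ADDRESS: exit 0 if ADDRESS answers one echo request within 1 s
probe_icmp() {
    ping -c 1 -W 1 "$1" > /dev/null 2>&1
}

# sweep24 PREFIX [PROBE]: print each live host PREFIX.1 .. PREFIX.254, one per
# line.  .0 and .255 are the network and broadcast addresses of a /24, so they
# are skipped.  PROBE defaults to probe_icmp; any command that exits 0 for a
# live address can be substituted (a TCP connect probe, or a stub for testing).
sweep24() {
    prefix=$1
    probe=${2:-probe_icmp}
    i=1
    while [ "$i" -le 254 ]; do
        ( "$probe" "$prefix.$i" && printf '%s\n' "$prefix.$i" ) &
        i=$(( i + 1 ))
    done
    wait            # block until every background probe has reported
}

# Usage: sweep24 10.0.0 | sort -t . -k 4 -n
```

&lt;p&gt;Output order is whatever order the replies arrive in, hence the sort.  Hosts that drop ICMP will of course be missed, which is still the reason to reach for nmap when you have it.&lt;/p&gt;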
Obviously change 10.0.0. to whatever your subnet is.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-894087025128705491?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/12/ping-sweep-with-bash.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8136223213742800439</guid><pubDate>Thu, 13 Nov 2008 01:54:00 +0000</pubDate><atom:updated>2008-11-12T20:59:09.704-05:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>symantec</category><category domain='http://www.blogger.com/atom/ns#'>antivirus</category><category domain='http://www.blogger.com/atom/ns#'>hack</category><title>Overriding Symantec Endpoint Protection's Uninstall Password</title><description>&lt;p&gt;Standard story: I had a user today with Symantec Endpoint Protection and it was causing her CPU to redline.  SEP said everything was fine, so I thought I'd just save some time and uninstall and re-install like a good sysadmin would do.  Most people know that Symantec's more corporate products require that you put in a password in order to uninstall the application.  This is meant as a simple protection against someone manually removing the antivirus.  I didn't realize until today just how simple that protection was.&lt;/p&gt;  

&lt;p&gt;I did some looking for the password and asked a few people and I tried to look up what the default password was because knowing this client, that's what it would be.  No luck.  Then I discovered something, I was watching the processes in the task manager and saw that when I went to uninstall SEP, msiexec ran as I expected but right as the password prompt came up, another instance of msiexec appeared.  What are the odds that I just end that process and I'm allowed to get through? Very good.&lt;/p&gt;

&lt;p&gt;So then I looked online about this and of course I'm not the first person to find this out.  If you can end the msiexec.exe process that is running as the current user (not as SYSTEM), the password prompt disappears and the uninstallation continues.  SEP and other Symantec products block access to Task Manager while the password prompt is showing, which is where my favorite Windows tool, Process Explorer, comes in handy.  Keep in mind that you already need to be a local administrator to run the uninstaller and kill the process, so this password only ever stood between an administrator and a casual removal; it is not a control against someone with admin rights who wants the product gone.  So here are the steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Download Process Explorer from Microsoft or Sysinternals&lt;/li&gt;
&lt;li&gt;Uninstall the Symantec product of your choice&lt;/li&gt;
&lt;li&gt;wait for the password prompt to appear&lt;/li&gt;
&lt;li&gt;run Process Explorer and find msiexec.exe that is being run as the current user (not the system)&lt;/li&gt;
&lt;li&gt;end that process and continue with the uninstallation&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I know this really isn't a revelation to most people but I had never done it before and it goes right along with some of my anti-anti-virus research I'm doing.&lt;/p&gt;  

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx"&gt;http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx&lt;/a&gt; - Process Explorer download&lt;br/&gt;
&lt;a href="https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&amp;message.id=4852"&gt;https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&amp;message.id=4852&lt;/a&gt; – link to a forum that has other suggestion to resetting the password like “calling support”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-8136223213742800439?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/11/overriding-symantec-endpoint.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-9155601818751172616</guid><pubDate>Thu, 30 Oct 2008 23:23:00 +0000</pubDate><atom:updated>2008-12-14T22:43:16.445-05:00</atom:updated><title>Hide Your Private IP in Mozilla Thunderbird</title><description>&lt;p&gt;A friend of mine brought up an issue that I never noticed before: In Mozilla Thunderbird, when you send an email, the private IP address of your computer is also transmitted.  So the header will look something like this:&lt;/p&gt;

&lt;blockquote&gt;Received: from ?&lt;strong&gt;192.168.1.108&lt;/strong&gt;? (cpe-66-666-666-666.res.rr.com [66.666.666.666])&lt;/blockquote&gt;

&lt;p&gt;That 192.168.1.108 is the private IP address of which ever computer you sent the email from.&lt;/p&gt;

&lt;h3&gt;Who Cares?&lt;/h3&gt;
&lt;p&gt;Now I get that my public IP must be known to properly route the connection from my gateway to the SMTP server I'm trying to connect to, but there's no reason to give out my private IP.  Knowing it makes it easier for an attacker to find my computer on the network for specific attacks against me or, even worse, to know which range of computers to attack to evade some intrusion detection systems.&lt;/p&gt;  
&lt;p&gt;That being said, it was put there for a reason.  The address is what Thunderbird sends as the argument of its SMTP EHLO/HELO greeting, and the receiving server copies that argument into the Received header it adds.  Some anti-spam solutions - specifically SpamAssassin - expect the sending client to provide a HELO argument even if the system is behind a NAT.  It doesn't care much what you fill in, just that you put something plausible there.  If you're going to override it like I show below, you should spoof it with a number that could plausibly be a private IP address, or something in the form of a fully qualified domain name, or else you risk your messages being flagged as spam more often.&lt;/p&gt;

&lt;h3&gt;How to Fix This&lt;/h3&gt;
There is an easy workaround:
&lt;ol&gt;
&lt;li&gt;Open Thunderbird&lt;/li&gt; 
&lt;li&gt;(In Linux) Open Preferences &gt; Advanced &gt; General&lt;/li&gt;
&lt;li&gt;(In Windows) Go to Tools &gt; Options &gt; Advanced &gt; General (thanks, &lt;b&gt;secret&lt;/b&gt;)&lt;/li&gt;
&lt;li&gt;Click on Config Editor&lt;/li&gt;
&lt;li&gt;Type in "smtp" and find the number of the SMTP server you want to adjust (usually it will say smtp1)&lt;/li&gt;
&lt;li&gt;Right click on the table and create a new string&lt;/li&gt;
&lt;li&gt;name it mail.smtpserver.smtp*.hello_argument where * is the number of the smtp server settings that you're changing. Usually 1&lt;/li&gt;
&lt;li&gt;assign it whatever value you'd like&lt;br/&gt; 
NOTE: Changing this setting makes your messages more likely to be marked as spam by SpamAssassin.  Choosing a private IP would be better than putting something like im.not.telling
&lt;/li&gt;&lt;/ol&gt;
&lt;p&gt;Now when you go to send messages your header will look like this:&lt;/p&gt;

&lt;blockquote&gt;Received: from &lt;strong&gt;172.25.66.6&lt;/strong&gt; (cpe-66-666-666-666.res.rr.com [66.666.666.666])&lt;/blockquote&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="https://bugzilla.mozilla.org/show_bug.cgi?id=279525"&gt;https://bugzilla.mozilla.org/show_bug.cgi?id=279525&lt;/a&gt; - link to the mozilla bug discussing this issue in length&lt;br/&gt;
&lt;a href="http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a"&gt;http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=http://forums.mozillazine.org/viewtopic.php?f=39&amp;t=574630&amp;start=0&amp;st=0&amp;sk=t&amp;sd=a&lt;/a&gt; - Mozillazine website where I first found discussion about this issue&lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-9155601818751172616?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/10/hide-your-private-ip-in-mozilla.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-1082087645870583628</guid><pubDate>Thu, 04 Sep 2008 01:18:00 +0000</pubDate><atom:updated>2008-09-03T21:28:20.404-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Defcon XVI</category><category domain='http://www.blogger.com/atom/ns#'>Nate Evans</category><category domain='http://www.blogger.com/atom/ns#'>anonymity</category><category domain='http://www.blogger.com/atom/ns#'>Defcon 16</category><category domain='http://www.blogger.com/atom/ns#'>Tor</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>ethical hackers</category><category domain='http://www.blogger.com/atom/ns#'>Nathan Evans</category><category domain='http://www.blogger.com/atom/ns#'>privacy</category><category domain='http://www.blogger.com/atom/ns#'>Defcon</category><title>Defcon XVI - Tor Part II</title><description>&lt;p&gt;&lt;a href="http://web.cs.du.edu/~natevans/"&gt;Nathan Evans&lt;/a&gt; did the last talk on the first night of Defcon called &lt;a href="https://www.defcon.org/html/links/defcon-media-archives.html"&gt;De-TOR-iorate Anonymity&lt;/a&gt;. 
It had a lot of people sweating on the Tor mailing list and even generated a huge debate about whether Tor should be used on a multi-purpose system at all, versus a dedicated machine or a virtual machine like JanusVM or AnonymOS.  The information was pretty thick to process at the time, but a few minutes later it finally sank in.  Here's how it works. 
&lt;/p&gt;
&lt;h3&gt;Overview of Tor&lt;/h3&gt;
&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_fig0.png" border="0" align="right" alt="Tor Overview Figure"&gt;&lt;p&gt;A quick review of how Tor works.  Tor is a anonymity tool that creates a circuit of proxy servers to relay connections through.  For instance, in the figure below we see Alice trying to connect to Bob.  Alice sends traffic to node 1, node 1 relays that traffic to node 5, node 5 relays that traffic to node 8 and node 8 finally sends the request to Bob.  If Bob replies, the data travels back the direction that it came.  Simple enough?
&lt;/p&gt;
&lt;h3&gt;Overview of Attack&lt;/h3&gt;
&lt;p&gt;Nathan's attack would fall under the "partitioning" label, as the goal is to partition the Tor network into smaller and smaller candidate sets until the entry node the user is coming from is found.  Because the attack assumes the attacker controls the exit node, which already knows the middle relay it talks to, identifying the entry node reveals every node in the user's circuit.  At that point Tor is as anonymous as a single proxy.  
&lt;/p&gt;
&lt;h3&gt;Circular Circuits&lt;/h3&gt;

&lt;p&gt;&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_circuit.png" border="0" align="right" alt="Circular Circuit figure"&gt;Nathan found that an attacker can create looped circuits.  That is, Node 1 relays to Node 2, Node 2 relays to Node 3, and the client then issues EXTEND commands that send the circuit back through Node 1 again, and again, so the circuit length grows without bound.  Every cell the attacker sends now crosses each of those relays many times, so the queues of traffic waiting to be relayed fill up and the latency seen by everyone else using those relays increases by a large amount.  &lt;/p&gt;


&lt;h3&gt;Why it works&lt;/h3&gt;
&lt;p&gt;Doing a DoS attack and measuring the latency is not new.  It was actually talked about at last year's Defcon.  The difference with this attack is the attacker actually creates circular circuits so nodes are actually looping traffic back to the beginning instead of relaying properly.&lt;/p&gt;
&lt;p&gt;This is why the attack worked:
&lt;ul&gt;&lt;li&gt;Tor is hard coded to use only 3 nodes in a circuit (debatable whether or not to change this)&lt;/li&gt;
&lt;li&gt;Tor does not pad traffic to keep latency constant (and never will)&lt;/li&gt;
&lt;li&gt;Tor allowed circuits of unbounded length (to be fixed in &lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt"&gt;proposal 110&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;&lt;/p&gt;
&lt;h3&gt;The Attack&lt;/h3&gt;
To attack the network, he used the following environment:
&lt;ol&gt;&lt;li&gt;a "Bad Exit Node" owned by the attacker&lt;/li&gt;
&lt;li&gt;Tor client used to generate circular circuits (Defined as "DoS Client")&lt;/li&gt;
&lt;li&gt;Web server to act as the destination and to keep track of latency (Defined as "DoS Server")&lt;/li&gt;
&lt;li&gt;Normal user that is using the Bad Exit Node ("Alice")&lt;/li&gt;&lt;/ol&gt;

&lt;p&gt;The attack is a denial-of-service attack on a few relays at a time, using the circular circuits discussed above.  If the user's latency stays low while a set of relays is being flooded, the attacker knows that the user's entry node is NOT one of those relays and moves on to a different set.  Latency is measured by having the bad exit node inject JavaScript into the pages the user fetches, which periodically calls back to the attacker's web server (the DoS Server) so the round-trip times can be recorded.  The process of generating circular circuits and recording the results is repeated until the user's latency increases substantially, at which point the attacker knows that the entry node is one of the three relays used in the last DoS round. &lt;/p&gt;

&lt;h3&gt;Example&lt;/h3&gt;
&lt;img src="http://www.markmmanning.com/blog/images/tor_evans_fig1.png" align="right" border="0" alt="Nate Evans Attack"&gt;
&lt;p&gt;In this figure, you can see that Alice is trying to connect to Bob via nodes 1, 5, and the Bad Exit Node that is owned by the attacker. During this time the attacker is creating circular circuits between 1, 2, and 3 which generate large amounts of traffic causing a slow down. &lt;/p&gt;  

&lt;h3&gt;The Fix&lt;/h3&gt;
&lt;p&gt;Tor has been updated at least 3 times since writing this blog.  Among many other bug fixes and feature additions are the changes related to &lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt"&gt;Proposal 110&lt;/a&gt;.  This is the proposal to change Tor to handle circular circuits.  The proposal splits relay cells into RELAY and RELAY_EARLY.  Only RELAY_EARLY cells may carry the EXTEND command that builds a circuit (and that generated the circular circuits), and a relay accepts only a limited number of them per circuit, so a circuit can be extended a bounded number of times and the infinite loop is no longer possible.  &lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.torproject.org/svn/trunk/ChangeLog"&gt;0.2.0.30&lt;/a&gt; version also makes an addition to block "risky" extend cells.
&lt;blockquote&gt;Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
&lt;/blockquote&gt;&lt;/p&gt;
&lt;p&gt;The fix is not complete.  They are still implementing parts of proposal 110.  They have to maintain backwards compatibility in case a version 1 circuit is created.  &lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="https://www.torproject.org"&gt;http://www.torproject.org&lt;/a&gt; - Tor Project Website&lt;br/&gt;
&lt;a href="https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt:"&gt;https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt&lt;/a&gt; - Details of the proposal for the fix&lt;br/&gt;
&lt;a href="http://archives.seul.org/or/talk/Aug-2008/msg00148.html"&gt;http://archives.seul.org/or/talk/Aug-2008/msg00148.html&lt;/a&gt; - just for accuracy's sake, Roger Dingledine's follow up to my explanation on the or-talk list&lt;br/&gt;
&lt;a href="http://web.cs.du.edu/~natevans/"&gt;http://web.cs.du.edu/~natevans/&lt;/a&gt; - Nathan Evan's website.  Nothing there really&lt;br/&gt;
&lt;a href="https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf"&gt;https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf&lt;/a&gt; - Original powerpoint presentation called De-Tor-iorate Anonymity&lt;br/&gt;
&lt;a href="https://www.torproject.org/svn/trunk/ChangeLog"&gt;https://www.torproject.org/svn/trunk/ChangeLog&lt;/a&gt; - the always updating changelog of Tor&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-1082087645870583628?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/09/defcon-xvi-tor-part-ii.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-8446984628868469350</guid><pubDate>Mon, 01 Sep 2008 01:13:00 +0000</pubDate><atom:updated>2008-09-01T21:05:00.389-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>system administration</category><category domain='http://www.blogger.com/atom/ns#'>windows vista</category><category domain='http://www.blogger.com/atom/ns#'>vista</category><category domain='http://www.blogger.com/atom/ns#'>windows server 2003</category><title>Using Windows Server 2003 Admin Pack on Vista</title><description>&lt;p&gt;If you haven't found out, the Windows Server 2003 Admin Pack does not work on Vista.  This can be annoying for sys admins that aren't lucky enough to have Server 2008 installed everywhere.  Luckily, there's a quick fix&lt;/p&gt;
&lt;ol&gt;&lt;li&gt; Download and install the &lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en"&gt;Server 2003 Admin Pack&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Copy and paste the following code into Notepad and save it as "Adminpackfix.cmd" or something like that&lt;br/&gt;

&lt;textarea cols="75" rows="30"&gt;
@echo off

REM RegisterAdminPak.cmd
REM (c) 2006 Microsoft Corporation.  All rights reserved.

set filelist=adprop.dll azroles.dll azroleui.dll ccfg95.dll
set filelist=%filelist% certadm.dll certmmc.dll certpdef.dll certtmpl.dll
set filelist=%filelist% certxds.dll cladmwiz.dll clcfgsrv.dll clnetrex.dll
set filelist=%filelist% cluadmex.dll cluadmmc.dll cmproxy.dll cmroute.dll
set filelist=%filelist% cmutoa.dll cnet16.dll debugex.dll dfscore.dll
set filelist=%filelist% dfsgui.dll dhcpsnap.dll dnsmgr.dll domadmin.dll
set filelist=%filelist% dsadmin.dll dsuiwiz.dll imadmui.dll lrwizdll.dll
set filelist=%filelist% mprsnap.dll msclus.dll mstsmhst.dll mstsmmc.dll
set filelist=%filelist% nntpadm.dll nntpapi.dll nntpsnap.dll ntdsbsrv.dll
set filelist=%filelist% ntfrsapi.dll rasuser.dll rigpsnap.dll rsadmin.dll
set filelist=%filelist% rscommon.dll rsconn.dll rsengps.dll rsjob.dll
set filelist=%filelist% rsservps.dll rsshell.dll rssubps.dll rtrfiltr.dll
set filelist=%filelist% schmmgmt.dll tapisnap.dll tsuserex.dll vsstskex.dll
set filelist=%filelist% w95inf16.dll w95inf32.dll winsevnt.dll winsmon.dll
set filelist=%filelist% winsrpc.dll winssnap.dll ws03res.dll

for %%i in (%filelist%) do (
 echo Registering %%i ...
 regsvr32 /s %%i 
)

echo.
Echo Command Completed
&lt;/textarea&gt;&lt;/li&gt;
&lt;li&gt;Run the script as an administrator (right-click, Run as administrator, since regsvr32 has to write to HKLM) and you're set&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://support.microsoft.com/kb/930056"&gt;http://support.microsoft.com/kb/930056&lt;/a&gt; - KB article about this subject.  Gives you more specifics than I go into.  &lt;br/&gt;
&lt;a href="http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en"&gt;http://www.microsoft.com/downloads/details.aspx?familyid=e487f885-f0c7-436a-a392-25793a25bad7&amp;displaylang=en&lt;/a&gt; - Server 2003 SP1 Admin Pack&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-8446984628868469350?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/using-windows-server-2003-admin-pack-on.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-1471897158968843074</guid><pubDate>Wed, 20 Aug 2008 07:00:00 +0000</pubDate><atom:updated>2008-08-20T15:13:25.450-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Tor</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>Roger Dingledine</category><category domain='http://www.blogger.com/atom/ns#'>privacy</category><title>Defcon XVI - Tor Part 1</title><description>&lt;p &gt;I was kind of excited about this years Tor talks because it was almost skipping over the details of what is Tor and going strait to some more advanced subjects.  Roger Dingledine made a great presentation about the vulnerabilities of Tor where he went through each major security bug that was ever discovered.  He is very honest about some of the future attacks like Latency Tables, SSL Website Fingerprinting, automatic control port authentication problems, attackers buying old certificate authorities so that SSL MITM attacks would be available anytime, and even how governments are starting to make laws forcing Tor admins to have an real time access to current Tor nodes. 
&lt;/p&gt;
  &lt;h3&gt;Latency Tables&lt;/h3&gt;
  &lt;p &gt;This was actually pretty interesting to me.  Roger made a comment about how an attack would be easier if the attacker had access to a latency table, which would keep track of the latency between any one point and another on a global scale.  This is a theoretical attack, as no one has been able to build such a table effectively.  &lt;/p&gt;
  &lt;h3&gt;SSL Website Fingerprinting&lt;/h3&gt;
  &lt;p &gt;This is the theory that it would be possible to document the sizes of the SSL-encrypted requests and responses for a web site, so that although an attacker cannot see the data going over the connection, it is possible to tell what website the user is visiting.  It could even be taken one step further, where the table holds not only the size of the initial page but the login page and then the page you are redirected to after login.  For instance, if someone visits their bank, they first get an initial login, then a secondary authentication screen, and finally their actual online banking information.  Each of those pages has a size that, when put together, makes a pretty unusual fingerprint.  
If you tie this together with Mike Perry's SSL cookie exploit, one can imagine a situation where an attacker finds the website the user is visiting, injects an &amp;lt;img src="http://www.visitedwebsite.com"&amp;gt; into some plain HTTP page so that the site's cookie is sent in clear text, and a session hijack occurs. &lt;/p&gt;
  &lt;h3&gt;Automatic Control Port Authentication&lt;/h3&gt;
  &lt;p &gt;There has been an addressed issue showing how an attacker could gain control of a Tor client's control port (which is what's used to build circuits), thereby gaining the ability to redirect the circuit or do something even more malicious.  The workaround was to require authentication, done either by a password or by a cookie file.  Clients like Vidalia now support the authentication mechanism, but the open problem is how authentication is done at boot time when a user installs Tor as a Windows service.  Roger didn't have an answer yet to this issue besides that it was currently being worked on.
&lt;/p&gt;
  &lt;h3&gt;Purchasing Old CA's&lt;/h3&gt;
  &lt;p &gt;If you look in Firefox or IE or Opera or whatever, you'll see a pretty long list of pre-trusted certificate authorities that come with the browser.  These are some of the most popular ones that have been trusted for years.  It just so happens that a lot of these CA's are not even in business anymore, but they're still in the browsers in case someone has purchased a certificate that extends through 2020.  So what?  Well, the issue is what if an attacker purchased one of those old CA's: if they wanted to do a MITM attack on SSL, they could issue themselves a certificate for any site and the browser would have no problem with it.  There was even a comment about how China is interested in purchasing one to help out with deep packet inspection even on SSL connections.  &lt;/p&gt;
  &lt;h3&gt;Governments and Law Enforcement&lt;/h3&gt;
  &lt;p&gt;The last big issue that I thought was interesting to bring up was how some governments (see &lt;a href="http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/"&gt;Germany&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Data_retention"&gt;others&lt;/a&gt;) are pressuring Tor to provide "real time access to law enforcement," whatever "real time" and "law enforcement" really end up meaning.  Roger makes the point that if it becomes this hard and this illegal, it may not be possible to run a Tor server in that country, and it may become difficult to do so in the future. &lt;/p&gt;
&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.torproject.org"&gt;http://www.torproject.org&lt;/a&gt; - Tor Project Website &lt;br/&gt;
&lt;a href="http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/"&gt;http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/&lt;/a&gt; - Blog about the new German data retention logs&lt;br/&gt;
&lt;a href="http://en.wikipedia.org/wiki/Data_retention"&gt;http://en.wikipedia.org /wiki/Data_retention&lt;/a&gt; - Wikipedia entry about data retention laws in other countries &lt;br/&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-1471897158968843074?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/i-was-kind-of-excited-about-this-years.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-3198943368041349128</guid><pubDate>Sat, 16 Aug 2008 23:50:00 +0000</pubDate><atom:updated>2008-08-16T19:55:19.003-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>side jacking</category><category domain='http://www.blogger.com/atom/ns#'>Ashley Schwartau</category><category domain='http://www.blogger.com/atom/ns#'>Defcon XVI</category><category domain='http://www.blogger.com/atom/ns#'>Defcon 16</category><category domain='http://www.blogger.com/atom/ns#'>Intel Guardians</category><category domain='http://www.blogger.com/atom/ns#'>Mike Perry</category><category domain='http://www.blogger.com/atom/ns#'>GMail</category><category domain='http://www.blogger.com/atom/ns#'>war driving</category><category domain='http://www.blogger.com/atom/ns#'>session hijacking</category><category domain='http://www.blogger.com/atom/ns#'>Tor</category><category domain='http://www.blogger.com/atom/ns#'>Hackers Are People Too</category><category domain='http://www.blogger.com/atom/ns#'>Defcon</category><category domain='http://www.blogger.com/atom/ns#'>hackers</category><category domain='http://www.blogger.com/atom/ns#'>Roger Dingledine</category><title>Defcon XVI Overview</title><description>&lt;p  &gt;&lt;a href="2007/08/defcon-day-1-church-of-wifi.html"&gt;Last year&lt;/a&gt; was my first year at Defcon so I was sucking up as much 
information as possible but generally I just went to the talks and then back to the room to play with the things that I had learned.  I didn't get into the social scene very much.&lt;/p&gt;
    
    &lt;p  &gt;This year I still attended a ton of the talks but instead of taking time to go back to the room and play, my friends and I made more of an effort to get into the Defcon social scene.&lt;/p&gt;
  
  &lt;h3&gt;Overall Experience&lt;/h3&gt;
  &lt;p&gt;Just like last year I had a blast, but I think even more this year because of some of the people we met. I've seen some posts complaining about the situation at Defcon, about how it was too crowded and they missed some talks because of this. It sounds to me like a lot of people have gone to things like Microsoft events where you stand around some muffins and coffee and then sit through 2 hours of talks. Defcon hacks the conservative convention idea and takes into account the number of hackers that have ADD. They offer 5 tracks of talks at the same time, lock picking training, a wireless village, general hang outs, and more. Then when the talks are all done, there are parties all over the city. It's not a cup of coffee, stand in line, polite conversation kind of gathering but rather a Red Bull and vodka, bum rush, punch in the face cluster of people from all over the world meeting to show solidarity in the hacker community. At least that's my ideal perspective of what Defcon should be; it may be growing in a different direction.&lt;/p&gt;
  
  &lt;p &gt;List of talks I attended:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Welcome by DT &amp;amp; Making the DEFCON 16 Badge with Joe "Kingpin" Grand&lt;/li&gt;
  &lt;li&gt;Clinton Wong - Web Privacy &amp;amp; Flash Local Shared Objects&lt;/li&gt;
  &lt;li&gt;Roger Dingledine - Security and anonymity vulnerabilities in Tor: past, present, and future&lt;/li&gt;
  &lt;li&gt;Robert Ricks - New Tool for SQL Injection with DNS Exfiltration&lt;/li&gt;
  &lt;li&gt;Magnus Bråding - Generic, Decentralized, Unstoppable Anonymity: The Phantom Protocol&lt;/li&gt;
  &lt;li&gt;Eric Schmiedl - Advanced Physical Attacks: Going Beyond Social Engineering and Dumpster Diving, or Techniques of Industrial Espionage&lt;/li&gt;
  &lt;li&gt;Fyodor - NMAP: Scanning the Internet&lt;/li&gt;
  &lt;li&gt;Matt Yoder - Death Envelope: Medieval Solution to a 21st Century Problem&lt;/li&gt;
  &lt;li&gt;John Fitzpatrick - Virtually Hacking&lt;/li&gt;
  &lt;li&gt;Nathan Evans - De-TOR-iorate Anonymity&lt;/li&gt;
  &lt;li&gt;Movie Night With DT: Premiere of "Hackers Are People Too"&lt;/li&gt;
  &lt;li&gt;Cameron Hotchkies - Under the iHood&lt;/li&gt;
  &lt;li&gt;Jay Beale - Owning the Users with Agent in the Middle&lt;/li&gt;
  &lt;li&gt;Luciano Bello &amp;amp; Maximiliano Bertacchini - Predictable RNG in the Vulnerable Debian OpenSSL Package, the What and the How&lt;/li&gt;
  &lt;li&gt;Panel: All your Sploits (and Servers) are belong to us&lt;/li&gt;
  &lt;li&gt;Mike Perry - 365-Day: Active HTTPS Cookie Hijacking&lt;/li&gt;
  &lt;li&gt;Tony Howlett - The Death of Cash: The Loss of Anonymity &amp;amp; Other Dangers of the Cash-Free Society&lt;/li&gt;
  &lt;li&gt;Ryan Trost - Evade IDS/IPS Systems using Geospatial Threat Detection&lt;/li&gt;
  &lt;li&gt;Rick Hill - War Ballooning: Kismet Wireless "Eye in the Sky"&lt;/li&gt;
  &lt;li&gt;Jay Beale - They're Hacking Our Clients! Introducing Free Client-side Intrusion Prevention&lt;/li&gt;
  &lt;li&gt;DAVIX Visualization Workshop&lt;/li&gt;
  &lt;li&gt;Stealing the Internet&lt;/li&gt;
&lt;/ul&gt;
  
&lt;h3&gt;Tor&lt;/h3&gt;
  &lt;p &gt;I've been following Tor for a while now so it was interesting to go to the two Tor specific talks – both about vulnerabilities in Tor. Roger Dingledine presented a general overview of past, present, and future vulnerabilities in the Tor network and Nathan Evans went over a specific vulnerability which allowed an attacker to find out all nodes in a circuit. Both talks were interesting and I'm going to go into much more detail in future blog entries. &lt;/p&gt;
  
  &lt;h3&gt;Sidejacking Redux&lt;/h3&gt;
  &lt;p&gt;Last year, the concept of sidejacking was in its infancy. Sidejacking, or session hijacking, is when an attacker who can see a user's traffic (by sniffing an open wireless network or by sitting in the middle of the connection) steals the current session of something the user is accessing. For instance, with this attack an attacker could steal the cookies used to authenticate a person's Gmail session, which would grant the attacker access to Gmail and all other Google services for as long as that session was valid. This year Jay Beale of the company Intel Guardians released a tool called &lt;a href="http://www.intelguardians.com/themiddler.html"&gt;“The Middler”&lt;/a&gt; which automates this process, and &lt;a href="http://fscked.org"&gt;Mike Perry&lt;/a&gt; of Riverbed and the Tor Project pointed out a flaw in the way that some companies have tried to protect users from this exploit. &lt;/p&gt;
  
  &lt;p&gt;Since last year, services like Gmail have offered SSL encryption to protect from this attack, but they didn't force users to use SSL, which led to Mike Perry's talk. He pointed out an attack on Gmail where, even though the user was using an SSL connection, the session cookie could still be made to travel in clear text, allowing a session hijack. The attacker sits in the middle of the victim's unencrypted traffic, &lt;a href="http://fscked.org/projects/cookiemonster"&gt;uses a tool&lt;/a&gt; to work out which online services the victim is logged in to, injects a piece of HTML pointing to the non-SSL version of that service into a plaintext page the victim loads, and then reads the cookie out of the cleartext request the browser obligingly makes. He even pointed out a simple fix that he has told Gmail and Yahoo about: set the Secure flag on the cookie so the browser will only ever send it over SSL. &lt;/p&gt;
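&lt;p&gt;The flag Mike Perry proposed is the cookie's Secure attribute.  The following is an added example, not code from the talk or from Google or Yahoo, that uses Python's standard http.cookiejar (which applies the same Secure check a browser does) to show why it matters: a cookie set over https without Secure is attached to the plaintext request an injected img tag provokes, and the same cookie with Secure is not.  mail.example.com, the cookie name SESSION and its value are constructed; HttpOnly in the hardened header is an extra I added, not something the talk covered.&lt;/p&gt;

```python
# Added example: the browser rule behind the fix described above, reproduced
# with Python's standard http.cookiejar.  Host names, the SESSION cookie and
# its value are constructed for the example.
import email.message
import http.cookiejar
import urllib.request

SECURE_SITE = "https://mail.example.com/"
# The URL the attacker makes the browser fetch by injecting an img tag into any
# plaintext page the victim loads: same host, but plain http://.
INJECTED_IMG = "http://mail.example.com/favicon.ico"

# The two Set-Cookie headers being compared.  HttpOnly is an extra hardening
# attribute added here; the talk's fix is the Secure flag.
VULNERABLE = "SESSION=3f1c9a7e; Path=/"
HARDENED = "SESSION=3f1c9a7e; Path=/; Secure; HttpOnly"


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message allows repeated headers

    def info(self):
        return self._headers


def cookie_header_for(set_cookie, request_url):
    """Store `set_cookie` as if it arrived over SECURE_SITE, then build the
    request to `request_url` and return the Cookie header the jar attaches
    (None when the policy refuses to send it)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie]),
                        urllib.request.Request(SECURE_SITE))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def leaks_over_plain_http(set_cookie):
    """True if the injected img fetch would carry the cookie in clear text."""
    return cookie_header_for(set_cookie, INJECTED_IMG) is not None


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print("%-10s Set-Cookie: %s" % (label, header))
        print("           sent to %s: %r" % (INJECTED_IMG, cookie_header_for(header, INJECTED_IMG)))
```

&lt;p&gt;The jar's DefaultCookiePolicy is what drops the Secure cookie for the http:// request; forcing SSL on the login page alone does nothing for a cookie that the browser is still willing to send over port 80.&lt;/p&gt;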
  
  &lt;h3&gt;War-Ballooning&lt;/h3&gt;
  &lt;p&gt;One of the most fun talks that I attended was Rick Hill's War-Ballooning demonstration. They were planning on doing a live demo from the roof of the Riviera but at the last minute some authorities decided to stop them. War-Ballooning is a development of last year's idea of War-Rocketing, which shot a rocket into the air and then searched for wireless signals while it parachuted to the ground. This year they took a professional balloon of the kind photographers use for aerial shots, attached a cooler filled with various wireless gear, and configured an orbital webcam that controlled which direction the Yagi antenna was pointing. So they showed a video of the demonstration, recorded the day before in a park five miles out of town. For added drama, they used Kismet's feature to read wireless networks out loud as it found them. They had the balloon up for ten minutes and found over 300 wireless signals across roughly a 7 mile radius. 30% of those were unsecured. &lt;/p&gt;

&lt;h3&gt;Hackers Are People Too - Ashley Schwartau&lt;/h3&gt;
And how could I forget to add something about my acting debut in the documentary Hackers Are People Too, which premiered at Defcon XVI. Well ok, maybe I was on the screen for less than 2 seconds and I wasn't quoted as saying anything, but hey, to be in a hacker documentary was really cool. Ashley even recognized me when I came up to her vendor booth. But enough of my vanity: the documentary was so cool and people really should pick it up to show to their friends and family and get the scary idea of what hackers are out of their heads. 

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.hackersarepeopletoo.com"&gt;http://www.hackersarepeopletoo.com&lt;/a&gt; - link to the Hackers Are People Too official website (BUY BUY BUY!!!)&lt;br/&gt;
&lt;a href="http://fscked.org/"&gt;http://fscked.org/&lt;/a&gt; - Mike Perry's website &lt;br/&gt;
&lt;a href="http://www.defcon.org"&gt;http://www.defcon.org&lt;/a&gt;-Defcon&lt;br/&gt;
&lt;a href="http://www.intelguardians.com/"&gt;http://www.intelguardians.com/&lt;/a&gt; - Intel Guardians will soon be releasing "The Middler"&lt;br/&gt;s&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-3198943368041349128?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/defcon-xvi-overview.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-7761940882449972286</guid><pubDate>Fri, 08 Aug 2008 14:42:00 +0000</pubDate><atom:updated>2008-08-08T11:07:43.898-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Defcon XVI</category><category domain='http://www.blogger.com/atom/ns#'>Defcon 16</category><category domain='http://www.blogger.com/atom/ns#'>security</category><category domain='http://www.blogger.com/atom/ns#'>EFF</category><category domain='http://www.blogger.com/atom/ns#'>ethical hackers</category><category domain='http://www.blogger.com/atom/ns#'>hackers</category><category domain='http://www.blogger.com/atom/ns#'>Defcon</category><title>Defcon XVI - Day 0</title><description>&lt;p&gt;I arrived Thursday morning to Las Vegas in an attempt to do some of the pre-Defcon social events this year.  We posted our room availability on the Defcon forums and picked up two roomates to help with the costs; Riot and Matt. &lt;/p&gt;

&lt;p&gt;I reserved the "deluxe" room at the Riviera which, although nicer, doesn't have any more space than the non-deluxe. It does look much more romantic, but filling it with 4 guys takes care of that feeling pretty quickly.  &lt;/p&gt;

&lt;p&gt;Badges this year include an IR port, an SD slot, and supposedly a way to shut off all TV's in a certain radius, and a transmit mode that may allow you to talk to other badges as you walk around the floor. &lt;/p&gt;

&lt;h3&gt;Ethical Hackers&lt;/h3&gt;
&lt;a href="http://www.ethicalhackers.net"&gt;Ethical Hackers&lt;/a&gt; was doing a get together at Hofbrauhaus, a German brew house at 8:00pm.  Dan who runs the site was putting it all together and had a $500 tab for us to use.  The whole event was a lot of fun and had a lot of interesting people.  Timmy of &lt;a href="http://www.redrocksec.com"&gt;Red Rock Security&lt;/a&gt;, Brian of Cisco, Ed of &lt;a href="http://www.intelguardians.com"&gt;Intel Guardians&lt;/a&gt;, David an extreme baby sitter, Collin of &lt;a href="http://www.trainingcamp.com"&gt;Training Camp&lt;/a&gt;, Mike the Military Vet, Naps, and a bunch of others of whom I may have forgotten their names.  Check out &lt;a href="http://www.chicagocon.com/"&gt;ChicagoCon&lt;/a&gt; for anyone that will be in the area.  Sounds like a very worthwhile event. I think the whole get together was a success.  

&lt;h3&gt;EFF Summit&lt;/h3&gt;
We also grabbed a few of the guys to make it back to the EFF Summit at the top of the Monaco tower back at the Riviera.  Donations were $40 to get in and included a one year membership.  Once the sound system was working at around 10:30 or 11:00, some of the EFF guys went up to talk about some of the cases that were won and some of the good things that the EFF does.  I think it was kind of preaching to the choir, but the event went pretty well.

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.ethicalhackers.net"&gt;http://www.ethicalhackers.net&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.redrocksec.com"&gt;Red Rock Security&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.chicagocon.com/"&gt;ChicagoCon&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://www.intelguardians.com"&gt;Intel Guardians&lt;/a&gt;&lt;/br&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-7761940882449972286?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/defcon-xvi-day-0.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-5985309261234878862</guid><pubDate>Wed, 06 Aug 2008 21:22:00 +0000</pubDate><atom:updated>2008-08-12T15:54:02.447-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>remote desktop</category><category domain='http://www.blogger.com/atom/ns#'>rdesktop</category><category domain='http://www.blogger.com/atom/ns#'>terminal services</category><category domain='http://www.blogger.com/atom/ns#'>windows server 2003</category><category domain='http://www.blogger.com/atom/ns#'>SeamlessRDP</category><category domain='http://www.blogger.com/atom/ns#'>Ubuntu</category><title>Running Windows Programs in Ubuntu with SeamlessRDP</title><description>&lt;p&gt;While looking for what's happening at this years Defcon that I'll be attending, I stumbled across a blog entry from &lt;a href="http://blog.ncircle.com/"&gt;360 Security&lt;/a&gt; talking about SeamlessRDP.  After seeing how easy it is to setup and use, I don't know why I haven't heard more about it.  But that's probably because I've never really looked into running Windows apps in Ubuntu.&lt;/P&gt;

&lt;h3&gt;What is SeamlessRDP&lt;/h3&gt;
&lt;p&gt;SeamlessRDP is an extension for remote desktop/terminal servers that allows a single application to be remoted into instead of the entire computer.  In my scenario, I have an Ubuntu system and I run a virtual Windows XP in the background.  I install SeamlessRDP onto the Windows VM and I can now run individual applications without messing around with the VM itself.  &lt;/p&gt;

&lt;p&gt;The company Cendio created SeamlessRDP when they were trying to get their own products to work with rdesktop.  They realized that it could be of use to others in the community and released it under the GPL.&lt;/p&gt;

&lt;h3&gt;How to&lt;/h3&gt;
&lt;p&gt;It's extremely easy to setup:
&lt;ol&gt;
&lt;li&gt;On the remote desktop server, download &lt;a href="http://www.cendio.com/files/thinlinc/seamlessrdp/seamlessrdp.zip"&gt;SeamlessRDP binary file&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Extract it to an easy to use location like C:\seamlessrdp&lt;/li&gt;
&lt;li&gt;On the client, make sure you have at least version 1.5 of rdesktop installed (Hardy is all set).  Download it from &lt;a href="http://www.rdesktop.org/"&gt;here&lt;/a&gt; if you need to.&lt;/li&gt;
&lt;li&gt;Now you're ready to use it.  Here's an example of running Word 2007 (-A turns on seamless mode and -s tells the server which program to start; if you'd rather not leave the password in your shell history and process list, pass "-p -" and rdesktop will prompt for it):
&lt;textarea cols="100" rows="2"&gt;
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\microsoft office\office12\winword.exe" 192.168.1.5:3389 -u administrator -p password
&lt;/textarea&gt;&lt;br/&gt;
Running Internet Explorer (the shell lives in the folder you extracted it to in step 2):
&lt;textarea cols="100" rows="2"&gt;
rdesktop -A -s "c:\seamlessrdp\seamlessrdpshell.exe c:\program files\internet explorer\iexplore.exe" 192.168.1.5:3389 -u administrator -p password
&lt;/textarea&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I admit, I haven't done any research into other products or alternatives that may work better, so let me know if you find anything&lt;/p&gt;

&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://www.cendio.com/seamlessrdp/"&gt;http://www.cendio.com/seamlessrdp/&lt;/a&gt; - Cendio's page about seamless RDP&lt;br/&gt;
&lt;a href="http://www.rdesktop.org/"&gt;http://www.rdesktop.org/&lt;/a&gt; - rdesktop.org for the client &lt;br/&gt;
&lt;a href="http://blog.ncircle.com/"&gt;http://blog.ncircle.com/&lt;/a&gt; - where I originally found the post&lt;/br&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-5985309261234878862?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/running-windows-programs-in-ubuntu-with.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-5941705682137314862</guid><pubDate>Mon, 04 Aug 2008 21:00:00 +0000</pubDate><atom:updated>2008-08-04T17:00:01.555-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>active directory</category><category domain='http://www.blogger.com/atom/ns#'>system administration</category><category domain='http://www.blogger.com/atom/ns#'>group policy</category><category domain='http://www.blogger.com/atom/ns#'>windows server 2003</category><title>Precreating Computers In Active Directory</title><description>&lt;p&gt;This is a simple one that goes back to a conversation I had with a consultant.  We were talking about adding a computer to a domain and then moving the computer to the designated OU that was dedicated to that site.  I made the comment that it might be even better to precreate the computer account in the appropriate OU and then you don't need to bug a domain administrator to do the moving around.  His reply was something like "Yea I haven't had good luck with that." That's one of my favorite reasons for technical problems.  It's kind of like saying, I tried it once, it didn't work, so it must be broken.  &lt;p&gt;

&lt;h3&gt;Why Do This?&lt;/h3&gt;
&lt;p&gt;Anyways, the real reason that you would want to do this is if you have a team of IT staff where a few have domain administrator rights but most of them are just local admins on the workstations, there to provide support and install software.  Adding a computer to the domain is a normal task for that kind of support staff.&lt;/p&gt;

&lt;h3&gt;Problem&lt;/h3&gt;
&lt;p&gt;So you have a brand new computer that you want to add to your network.  You assign one of the non-domain admins to install the necessary software and join it to the domain.  When he adds it to the domain, the computer is dumped into the default "Computers" container in AD, where the appropriate group policies and delegated access are NOT applied.  You want the new computer to go into a separate OU, but you don't want to grant the user rights to move or manipulate objects in Active Directory, AND you want to delegate the entire process to the support admins so that you don't need to be involved in the specifics.  So what do you do?&lt;/p&gt;

&lt;h3&gt;Solution&lt;/h3&gt;
&lt;p&gt;If you precreate the computer account in the appropriate OU in Active Directory, then when that computer is joined to the domain it already has the group policies and permissions that it needs.  As a domain admin you can precreate the computer account yourself, but you'd rather delegate that to the IT support team.  Here's how you do it:&lt;/p&gt;

&lt;h3&gt;Delegate Control To Non-Domain Admins&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Open Active Directory Users and Computers&lt;/li&gt;
&lt;li&gt;Right click on the OU and then click All Tasks&gt;Delegate Control&lt;/li&gt;
&lt;li&gt;Click Add and put in the appropriate user or group (IT Admins)&lt;/li&gt;
&lt;li&gt;Click "create a custom task to delegate"&lt;/li&gt;
&lt;li&gt;Click "only the following objects in this folder"&lt;/li&gt;
&lt;li&gt;Check Computer Objects&lt;/li&gt;
&lt;li&gt;Check "Create selected objects in this folder"&lt;/li&gt;
&lt;li&gt;Under "Show these permissions" uncheck everything and click "Next"&lt;/li&gt;
&lt;/ol&gt;
You've now granted non-admins access to create computers inside of that OU. 

&lt;h3&gt;Pre-Create New Computer &lt;/h3&gt;
These are the tasks for the non-admin to perform using the Server 2003 Admin Pack
&lt;ol&gt;&lt;li&gt;In Active Directory Users and Computers, right click the target OU the computer should go to and choose New&gt;Computer&lt;/li&gt;
&lt;li&gt;Name the computer&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Under "The following user or group can join this computer to the domain" choose a group that has appropriate access, like "IT Admins", or "Domain Users" to allow anyone to do it.  &lt;/b&gt;&lt;br/&gt; This is the step that is usually missed.  If you don't do this, then by default only Domain Admins can join the computer to the domain.  Prefer a dedicated group over "Domain Users" where you can: whoever is named here gets to reset the computer account's password and join a machine under that name. &lt;/li&gt;
&lt;li&gt;Click Next&lt;/li&gt;
&lt;/ol&gt;
Now on the client you go through the normal process of adding the computer to the domain.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-5941705682137314862?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/08/precreating-computers-in-active.html</link><author>noreply@blogger.com (Mark M Manning)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5702491182567675357.post-4790098453476385256</guid><pubDate>Fri, 25 Jul 2008 15:12:00 +0000</pubDate><atom:updated>2008-07-25T11:54:55.669-04:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>active directory</category><category domain='http://www.blogger.com/atom/ns#'>migration</category><category domain='http://www.blogger.com/atom/ns#'>SID filtering</category><category domain='http://www.blogger.com/atom/ns#'>ADMT</category><category domain='http://www.blogger.com/atom/ns#'>SID history</category><title>Enable SID History / Disable SID Filtering</title><description>&lt;p&gt;I've been getting a lot of experience with the Active Directory Migration Tools [ADMT] but it seems like I always have a problem with using SID history between domains.  This is more of a reminder for myself how to get SID History to work. &lt;/p&gt;

&lt;h3&gt;What is SID History&lt;/h3&gt;
&lt;p&gt;SID History is an attribute of an Active Directory object (sIDHistory) that stores an old Security Identifier (SID), most commonly used during a migration.  So you have an old domain, you move to a new domain, and the user on the new account keeps access to all of their old files and folders, because the old SID still travels in their token and still matches the old ACLs.  This saves the hassle of having to re-permission network shares, folder access, applications, etc.  In order to use SID history across domains, you must enable SID History and disable SID Filtering on the trust between them. &lt;/p&gt;

&lt;p&gt;Which command enables SID History depends on the kind of trust.  On a forest trust it is a separate setting, switched on with /enablesidhistory; on an external trust there is no separate switch and SID History is governed entirely by SID Filtering, covered in the next section.  In both cases TrustingDomainName is the domain whose resources are being accessed and TrustedDomainName is the domain the users come from (for migrated users reaching back to old resources, that is the old domain trusting the new one):&lt;/p&gt;
&lt;textarea cols="75" rows="2"&gt;
Netdom trust TrustingDomainName /domain:TrustedDomainName /enablesidhistory:Yes /userD:domainadministratorAcct /passwordD:domainadminpwd
&lt;/textarea&gt;

&lt;h3&gt;What is SID Filtering&lt;/h3&gt;
&lt;p&gt;The nemesis of SID History is SID Filtering.  This is a security measure, on by default, that protects your new environment from attackers who may have broken into the old domain: it strips from an incoming user's token any SID that does not belong to the trusted domain, which is exactly what the migrated SIDs in sIDHistory are.  You may think no one's going to get into the old domain, but in just about every migration I've done, the original domain is left up and running and everything in it starts to get a low priority; patches, access control management and event log review all become secondary because no one is on it any more, and it becomes a fairly large new attack vector.  While it makes sense to leave the old environment up and running, it still needs the same care it has always needed. &lt;/p&gt;

&lt;p&gt;So that's why SID Filtering is good, but unfortunately it completely blocks the use of SID History, which is very important during a migration.  The command below disables SID Filtering (quarantine) on the trust:&lt;/p&gt;
&lt;textarea cols="75" rows="2"&gt;
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd
&lt;/textarea&gt;
&lt;p&gt;Running the same command with /quarantine and no value displays the current setting.  Once the migration is done and SID History is no longer needed, turn filtering back on with /quarantine:Yes. &lt;/p&gt;
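&lt;p&gt;A check that goes with turning filtering off, as an added example (it is not from this post or from Microsoft): once SID filtering is disabled, whatever sits in sIDHistory is honored on the other side of the trust, so it is worth confirming that every sIDHistory value on migrated accounts belongs to the old domain and is an ordinary account RID rather than a well-known one.  The script parses an ldifde export (for example ldifde -f sidhistory.ldf -r "(sIDHistory=*)" -l sAMAccountName,sIDHistory); the domain SIDs, account names and the export text itself are constructed for the example.&lt;/p&gt;

```python
# Added example (not from the original post or Microsoft): after a migration
# that relies on SID history, check that every sIDHistory value on migrated
# accounts really came from the old domain.  Input is an ldifde export, e.g.
#   ldifde -f sidhistory.ldf -r "(sIDHistory=*)" -l sAMAccountName,sIDHistory
# The domain SIDs, account names and LDIF text below are constructed.
import base64

OLD_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # placeholder
NEW_DOMAIN_SID = "S-1-5-21-2050600411-1021120631-3014542654"  # placeholder


def sid_from_bytes(b):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    revision, count = b[0], b[1]
    authority = int.from_bytes(b[2:8], "big")
    subs = [int.from_bytes(b[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes, used here to build test data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += s.to_bytes(4, "little")
    return out


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines start
    with a space, 'attr:: value' is base64.  Returns a list of dicts mapping
    attribute name to a list of values (bytes for base64 values, str otherwise)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            val = base64.b64decode(value[1:].strip())
        else:
            val = value.strip()
        current.setdefault(name, []).append(val)
    if current:
        entries.append(current)
    return entries


def audit_sid_history(ldif_text, old_domain_sid):
    """Return [(sAMAccountName, sid, reason)] for suspicious sIDHistory values:
    a SID from any domain other than the old one, or a well-known RID (below
    1000, e.g. 512 Domain Admins or 519 Enterprise Admins) on an account."""
    findings = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName", ["?"])[0]
        for raw in entry.get("sIDHistory", []):
            sid = sid_from_bytes(raw)
            domain, _, rid = sid.rpartition("-")
            if domain != old_domain_sid:
                findings.append((name, sid, "foreign domain"))
            elif 1000 > int(rid):
                findings.append((name, sid, "well-known RID"))
    return findings


def _b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode()


# Constructed export: alice and bob's first entry are ordinary migrated users;
# bob's second entry carries Enterprise Admins (RID 519) of the NEW domain.
SAMPLE_LDIF = """dn: CN=alice,OU=Migrated,DC=new,DC=example
sAMAccountName: alice
sIDHistory:: %s

dn: CN=bob,OU=Migrated,DC=new,DC=example
sAMAccountName: bob
sIDHistory:: %s
sIDHistory:: %s

dn: CN=carol,OU=Migrated,DC=new,DC=example
sAMAccountName: carol
""" % (_b64(OLD_DOMAIN_SID + "-1105"), _b64(OLD_DOMAIN_SID + "-1210"),
       _b64(NEW_DOMAIN_SID + "-519"))

if __name__ == "__main__":
    for name, sid, reason in audit_sid_history(SAMPLE_LDIF, OLD_DOMAIN_SID):
        print(name, sid, reason)
```

&lt;p&gt;Anything this reports should be explained before SID filtering is left off: ADMT writes only the account's own old SID into sIDHistory, so a SID from another domain or a privileged well-known RID did not get there through a normal migration.&lt;/p&gt;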


&lt;h3&gt;External Links&lt;/h3&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true"&gt;http://technet2.microsoft.com/windowsserver/en/library/52b395b4-0313-47d8-87d4-fb1dd4d5c4701033.mspx?mfr=true&lt;/a&gt; - Technet article about disabling SID filtering &lt;br/&gt;
&lt;a href="http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true"&gt;http://technet2.microsoft.com/windowsserver/en/library/31915de7-ff58-4f26-a8ec-450ffca759121033.mspx?mfr=true&lt;/a&gt; - Technet article about external trusts&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='//blogger.googleusercontent.com/tracker/5702491182567675357-4790098453476385256?l=www.markmmanning.com%2Fblog'/&gt;&lt;/div&gt;</description><link>http://www.markmmanning.com/blog/2008/07/enable-sid-history-disable-sid.html</link><author>noreply@blogger.com (Mark M Manning)</author></item></channel></rss>