Tuesday, 31 January 2006

Bejtlich/Bianco ShmooCon DVD

Thanks to David Bianco, I received a copy of a DVD of our ShmooCon 2006 presentation, Network Security Monitoring with Sguil (.ppt). The cover is posted at left, and clicking on it will show a larger version. I am not sure if the Feds will appreciate the Che Guevara theme the next time my security clearance is reviewed. If you want to order your own copy, you can visit MediaArchives.com. As far as I know I do not get a penny from DVD sales, unless there was some hidden clause in the form Heidi Potter asked me to sign! By the way, this blog has...

Miss the Internet of the 1970s? It's still here.

Imagine the following conversation took place some time before 15 January 2001.

Alice: "Why don't we create a Web page that anyone can edit?"
Bob: "Cool. How do we prevent 'bad people' from posting 'bad things'?" [Note that "bad people" and "bad things" are entirely subjective.]
Alice: "Don't worry, people will be nice."
Bob: "What if they are not nice?"
Alice: "We'll keep track of the IP addresses people use to post content. We'll block bad IP addresses."
Bob: "What if bad people post bad content using anonymous proxy servers? What about NAT,...

DoD 8570.01-M Posted

Thanks to David Bianco for sending me to this article about the manual for DoD 8570.1 being posted here. The .pdf looks like a scan of a hard copy document. I couldn't search it using xp...

Monday, 30 January 2006

Review of Running IPv6 Posted

Amazon.com just posted my five-star review of Running IPv6 by Iljitsch van Beijnum. It is so much easier to write reviews for great books! From the review:

"When I read and reviewed O'Reilly's IPv6 Network Administration by Niall Richard Murphy and David Malone, I called their book "a must-have book for all network administrators." Upon seeing Apress' Running IPv6 by Iljitsch van Beijnum, I wondered if I would waste my time reading and reviewing...

IPv6 Behind NAT Using FreeBSD and Miredo

Thanks to the generosity of a TaoSecurity Blog reader, I have been experimenting with a dual-stack IPv4 and IPv6 system at a university. I connect to the IPv4 address using OpenSSH. Once on the box, I can use IPv6.

I've been looking for ways to connect my home network directly to IPv6. At the moment I'm using a common gateway/router to perform NAT for my cable network connection. I needed a way to provide IPv6 for systems behind the NAT. Enter Teredo and the Miredo project. Now, before you decide that I'm giving this protocol my "thumbs up,"...

FreeBSD Networking over FireWire

You might be familiar with Apple's implementation of IP over FireWire. This allows connecting two computers directly over FireWire ports. FreeBSD offers two drivers that provide networking over FireWire. fwe is a non-standard protocol, but it is implemented by default in the GENERIC kernel. fwip implements RFC 2734 (IPv4 over IEEE 1394) and RFC 3146 (Transmission of IPv6 Packets over IEEE 1394 Networks); it is available via kernel module.

I decided to have my laptop orr talk to my server janney using FireWire. To implement FireWire, orr uses...

Saturday, 28 January 2006

QEMU on FreeBSD, with Networking

Maybe you've heard of QEMU, an "open source processor emulator." It's not quite VMware, since there doesn't seem to be a concept of persistent state and there are definitely not snapshots. However, when I saw the variety of ready-to-run system images at OSZoo.org, I decided to try it on FreeBSD 6.0.

Luckily there are several QEMU ports. I installed emulators/qemu from the latest FreeBSD 6.0 package. I next installed emulators/kqemu-kmod using...

Friday, 27 January 2006

Black Hat Federal 2006 Wrap-Up, Part 5

Please see part 1 for an introduction if you are reading this article separately.

Next I heard Stefano Zanero discuss problems with testing intrusion detection systems. He said that researchers prefer objective means with absolute results, while users prefer subjective means with relative results. This drives the "false positive" debate. Researchers see false positives as failures of the IDS engine to work properly, while users see any problem as the fault of the whole system.

Stefano mentioned work done by Giovanni Vigna and others on the Python-based...

Black Hat Federal 2006 Wrap-Up, Part 4

Please see part 1 for an introduction if you are reading this article separately.

I finished Wednesday listening to Irby Thompson and Mathew Monroe discuss FragFS, a way to use the Windows Master File Table (MFT) on NTFS to store data covertly. The MFT can be read as a file if you open C:\$MFT as the administrator. That file can even be written to by administrators, hence the proof of concept tools "hammer.exe" and "looker.exe" provided by the presenters. Their research indicates the average MFT can store around 36 MB of hidden data, and that...

Black Hat Federal 2006 Wrap-Up, Part 3

Please see part 1 for an introduction if you are reading this article separately.

Staying on the rootkit theme, I next heard Joanna Rutkowska discuss "Rootkit Hunting vs. Compromise Detection." She has done some impressive work on network-based covert channels, but she is also a rootkit guru. Joanna talked about "Explicit Compromise Detection," and the need to scan kernel memory for integrity checking. She challenged many of the ideas of traditional...

Black Hat Federal 2006 Wrap-Up, Part 2

Please see part 1 for an introduction if you are reading this article separately.

The first technical talk I attended was presented by Mariusz Burdach, titled "Finding Digital Evidence In Physical Memory." Mariusz really needed two hours or more to do his topic justice. He started his talk by holding up DoD and DoJ manuals which recommend pulling the plug as an incident response step (argh), and he said commercial tools all focus on inspecting hard drives. Unfortunately, modern rootkits may stay in non-swappable memory pages, and will not...

Black Hat Federal 2006 Wrap-Up, Part 1

I attended two days of Black Hat Federal Briefings 2006. I paid my own way, and I must say the conference was worth every penny. If you didn't attend, I highly recommend registering for next year's conference. I spoke briefly with Jeff Moss, who said Black Hat will return to DC in February 2007 for another Federal conference. This is welcome news. I taught Foundstone's Ultimate Hacking: Expert class at Black Hat Federal 2003, which was the last Black Hat conference in DC.

My summaries cannot do most of the speakers justice. I will attempt...

Soekris Dies, What Replacement?

Yesterday the UPS powering my Soekris Net4801 died. Now the Soekris no longer finds its internal 2.5-inch hard drive running FreeBSD 6.0. I was able to update the BIOS using this guide and the comms/lrzsz port, but it had no effect. The process was simple: at the Soekris prompt, type download, then type ~C (Shift-~ followed by Shift-C) and run lsz -X b4801_128.bin.

If I want to stick with the Soekris, I may try one of the OS installation options listed here. However, I'm wondering if I should just abandon the Soekris for something more powerful. I saw the 256 MB Net4801 will arrive soon, but I've been looking at these...

Snort.org Posts BlackWorm Packet Captures

The folks at Sourcefire have done the analyst community a great service by posting traffic captures of CME-24, aka "BlackWorm". Kudos also to the Common Malware Enumeration project for providing an easy way to reference malware! Once OpenPacket.org gets going, I hope to host these sorts of captures there.

Update: Check out this Sourcefire VRT analys...

Thursday, 26 January 2006

Additional Thoughts on Amazon.com Reviews

I received some good comments on my previous post about my Amazon.com reviews. A few people at Black Hat Federal yesterday asked similar questions, namely: "Why don't you post bad reviews? We think they are more helpful than good reviews."

First, let's consider the definition of "bad review." I've never given a book 1 star. I've only given a few books two stars. For example, this book was awful. It's also got the highest number of fake positive reviews I've ever seen. (Many are written by people who have only reviewed the author's books,...

Wednesday, 25 January 2006

Issue 5 of (IN)SECURE Magazine Released

The new (IN)SECURE magazine is out. Issue 5 features another set of interesting articles. I plan to pay particular attention to Ivan Ristic's article on Web application firewalls. Ivan wrote modsecurity, O'Reilly's Apache Security, and the Web Security Blog. The new (IN)SECURE also gives brief but positive reviews of my two newest books, Real Digital Forensics and Extrusion Detecti...

3000 Helpful Review Votes at Amazon.com

This morning my Amazon.com reviews "helpful votes" count hit 3,000. This means my reviews were considered "helpful" 3,000 times. (Conversely, 299 people thought they were not helpful. Sorry!) Thank you to everyone who answered yes to the question "Was this review helpful to you?"

I reported hitting the 1,500 mark in December 2003. Since then I reviewed 62 more books, but my reviewer rank has dropped from 336 to 390. On the positive side, my...

Tuesday, 24 January 2006

Nepenthes Discoveries

Earlier today I posted how I installed Nepenthes. Within a few minutes I started getting hits. Monitoring with Sguil makes analysis much easier.

Consider this first attack:

Sensor Name: soekris
Timestamp: 2006-01-24 18:14:34
Connection ID: .soekris_4888215984542487947
Src IP: 69.11.44.99 (69-11-44-99.regn.hsdb.sasknet.sk.ca)
Dst IP: 69.243.40.166 (pcp0010708738pcs.manass01.va.comcast.net)
Src Port: 1734
Dst Port: 80
OS Fingerprint: 69.11.44.99:1734 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) [priority1]
OS Fingerprint: -> 69.243.40.166:80...

Installing Tor

In my last post I mentioned that by default Nepenthes is configured to use Tor to carry IRC traffic. This post documents what I did to get Tor running on FreeBSD 6.0 STABLE.

I installed Tor using the security/tor-devel port. Remember to set the environment variable to use the newest package.

janney:/root# pkg_add -vr tor-devel

Next I added the following to /etc/rc.conf so I could use the /usr/local/etc/rc.d/tor.sh script.

tor_enable="YES"

Next I edited /usr/local/etc/rc.d/tor.sh, because I had an issue with the %%PREFIX%% specification.

janney:/usr/local/etc/rc.d#...

Monday, 23 January 2006

Nepenthes Installation

I've been interested in trying Nepenthes since I saw it added to the FreeBSD ports collection as net/nepenthes. According to the Nepenthes Web site, "Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities."

I tried to install Nepenthes using the precompiled package for FreeBSD, like this:

janney:/root# setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
janney:/root# pkg_add -vr nepenthes

I ran into...

Web Site Discovery with SensePost SP-DNS-mine.pl

Today I needed to discover Web sites for a client. I'll demonstrate part of my methodology here, using sun.com as a sample domain. I relied on a technique outlined in Johnny Long's Google Hacking for Penetration Testers. He mentions a SensePost tool called SP-DNS-mine.pl. The script uses Google to extract subdomains and DNS names for a given domain. You have to register with SensePost to retrieve SP-DNS-mine.pl; they email a username and password once you register.

The first requirement is having a license key for the Google API. You put...