Saturday, 31 March 2007

Help Johnny Long Go to Uganda

Long-time readers of my blog know I severely limit the number of non-technical stories I write here. I've probably written fewer than a dozen in over four years. This one definitely deserves to be posted, however. I shook hands with Johnny Long at ShmooCon last week, but we didn't get a chance to chat. If you don't know Johnny Long, you haven't paid attention to the scene during the last few years! In short, Johnny invented Google hacking, and he's one of the nicest guys you could meet at a security conference. Today I received an email from Johnny...

Cisco 802.1x Voice VLAN Authentication Bypass Vulnerability

OK, last night I blogged about VoIP enumeration techniques, and it made me want to find exploits for Cisco products. I was reading Jake's report, and I must admit the guys at FishNet Security do write excellent reports. In the report, he mentioned that it is possible to bypass 802.1x port-based security by spoofing CDP packets, allowing an attacker to gain access to the voice VLAN. Below is a short summary: "Cisco switches are susceptible...

Friday, 30 March 2007

BotMaster Spamming

Generating mass traffic to your site in a small amount of time = spamming? OK, I just came across this tool from botmaster.net. Well, personally I wouldn't use this tool at all. What if someone reports me to the authorities? Or what if someone proxy-forwards all the traffic to an FBI web form? On the other hand, you can earn money by telling someone that you can help his/her site rank no. 1 in Google, but to me that is conning. I once had a colleague...

Full Content Monitoring as a Wiretap

I received the following question today: When installing Sguil, what legal battles have you fought/won about full packet capture and its vulnerability to open records requests from outside parties? I am getting concerns, from various management, regarding the legal ramifications of the installation of a system similar to Sguil in the state government arena. Do you have any advice for easing their worries? I know how important full data capture is to investigating incidents, and I consider it of paramount importance to the security of our state...

VoIP Enumeration Technique released

OK, I finally managed to finish my VoIP enumeration experiments and now it's time to blog them here. I know it has been long awaited, but I was rather busy with some other stuff too. Before I start, I presume that most of you guys reading my blog have some basic knowledge of how SIP signaling works. There is a plethora of information on how SIP signaling works, so just Google it and you will find it. The one I visit most is...
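The two probes a SIP enumeration run leans on, as an added example that is not the author's code: an OPTIONS request whose reply header (User-Agent or Server) fingerprints the PBX, and a REGISTER request whose status code hints at whether an extension exists. The host, extension and the three replies below are constructed for illustration; the 401/407-means-exists, 404-means-absent rule is the usual heuristic, stated here as an assumption, and a PBX that challenges every REGISTER (Asterisk's alwaysauthreject) makes every extension look present, which is exactly the intended defence.

```python
# Added example, not from the original post: SIP fingerprinting and
# extension enumeration. Target values and replies are constructed;
# the status-code heuristic is an assumption about typical PBX behaviour.
import re
import socket
import uuid
from typing import Dict, Optional


def build_request(method: str, host: str, ext: str,
                  local_ip: str = "192.0.2.10", local_port: int = 5060) -> bytes:
    """Minimal RFC 3261 request: one Via, From/To, Call-ID, CSeq, empty body."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]      # magic cookie + unique branch
    lines = [
        f"{method} sip:{ext}@{host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        f"From: <sip:{ext}@{host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{ext}@{host}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_ip}",
        f"CSeq: 1 {method}",
        f"Contact: <sip:{ext}@{local_ip}:{local_port}>",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a SIP response into status code, reason phrase and lower-cased headers."""
    head = raw.decode(errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)$", lines[0])
    if not m:
        raise ValueError("not a SIP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(m.group(1)), "reason": m.group(2), "headers": headers}


def fingerprint(raw: bytes) -> Optional[str]:
    """User-Agent (or Server) in the reply names the PBX/phone implementation."""
    h = parse_response(raw)["headers"]
    return h.get("user-agent") or h.get("server")


def classify_extension(raw: bytes) -> str:
    """Heuristic (assumption): an auth challenge means the extension is known,
    404 means it is not. A PBX that challenges everything returns 'exists'
    for every probe, which defeats the enumeration."""
    status = parse_response(raw)["status"]
    if status in (401, 407):
        return "exists"
    if status == 404:
        return "absent"
    return "unclear"


def probe(host: str, method: str, ext: str, port: int = 5060,
          timeout: float = 2.0) -> Optional[bytes]:
    """Send one request over UDP and return the raw reply (None on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(method, host, ext), (host, port))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


# Constructed replies standing in for what a PBX would send back.
REPLY_OPTIONS_200 = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc;received=192.0.2.10\r\n"
    b"From: <sip:100@192.0.2.1>;tag=1a2b\r\n"
    b"To: <sip:100@192.0.2.1>;tag=as5f9c\r\n"
    b"Call-ID: deadbeef@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: Asterisk PBX\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER\r\n"
    b"Content-Length: 0\r\n\r\n"
)
REPLY_REGISTER_401 = (
    b"SIP/2.0 401 Unauthorized\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b'WWW-Authenticate: Digest realm="asterisk", nonce="5a1b2c3d"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
REPLY_REGISTER_404 = b"SIP/2.0 404 Not Found\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("fingerprint:", fingerprint(REPLY_OPTIONS_200))
    for ext, reply in (("100", REPLY_REGISTER_401), ("9999", REPLY_REGISTER_404)):
        print(ext, classify_extension(reply))
```

Against a live PBX, call probe(host, "OPTIONS", "100") and feed the reply to fingerprint(), then loop probe(host, "REGISTER", ext) over a candidate list through classify_extension(); if every extension comes back "exists", the target is challenging unconditionally and the REGISTER differential tells you nothing.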

Threat Deterrence, Mitigation, and Elimination

A comment on my last post prompted me to answer here. My thesis is this: a significant portion, if not the majority, of security in the analog world is based on threat deterrence, mitigation, and elimination. Security in the analog world is not based on eliminating or applying countermeasures for vulnerabilities. A vulnerability-centric approach is too costly, inconvenient, and static to be effective. Consider the Metro subway in DC, pictured...

Thursday, 29 March 2007

Cisco PIX Firewall capture command

OK, so most of us know about packet sniffers like tcpdump and Wireshark. These two are the best open source sniffers that are freely available today. But most of us also know that the majority of companies are now using switches rather than the good old hub, because of the bad architecture of how a hub works. Well, to sniff all traffic on a switch you would need to perform ARP spoofing, but to sniff traffic on a hub, just install your sniffer on your machine and start sniffing the network. Well, I guess for Cisco switches,...

Remember that TJX Is a Victim

Eight years ago this week news sources buzzed about the Melissa virus. How times change! Vulnerabilities and exposures are being monetized with astonishing efficiency these days. 1999 seems so quaint, doesn't it? With the release of TJX's 10-K to the SEC all news sources are discussing the theft of over 45 million credit cards from TJX computers. I skimmed the 10-K but didn't find details on the root cause. I hope this information is revealed in one of the lawsuits facing TJX. Information on what happened is the only good that can come from...

VMware Server 1.0.2 on Ubuntu 6.10

Previously I documented installing VMware Workstation 6 Beta on my Thinkpad x60s. I decided to uninstall Workstation and install VMware Server 1.0.2. I should have used the vmware-uninstall.pl script but even without using it directly I managed to remove the old Workstation installation without real trouble. Running Server on Ubuntu 6.10 (desktop) required me to add a few packages. I found Martti Kuparinen's installation guide very helpful. I had to add the following packages to ensure a smooth Server installation.

sudo apt-get install xinetd
sudo...

Telespoof

OK, this is my 50th post and I am going to introduce a service called caller ID spoofing. I have known about this service for a few months, but it just came to mind that I had to blog this. Personally, I have not tried it before, so I can't really comment on it. From reading the FAQ, it is cheap, anonymous and best of all it is simple. Imagine this: calling without anyone knowing your real number? What can you do with it? Hehehe, I will let you guys...

Cracking Wireless Network

OK, I bet most people do know how to break wireless networks, but still it is good to post it here. The software I am going to use is Aircrack-ng. The reason I use this software is that it is open source, fast and has a suite of tools that can perform a hell of a lot of tasks. OK, so in order to sniff and break wireless networks, you will need to place your wireless network card in promiscuous mode and sniff a sufficient number of Initialization Vectors. For more information on how many IVs to sniff, please visit the aircrack-ng website....

Wednesday, 28 March 2007

Googling Cisco Call Manager and Extra VLAN config

OK guys, this is the final series of VLAN configurations I made. Until I make new discoveries, enjoy these:

Configuring VLAN 10 on multiple interfaces.
Configuring dynamic trunking on multiple interfaces; please note that it is not secure due to VLAN hopping.
Configuring telnet on the switches; by now EVERYONE knows it is very insecure. Use SSH instead.
Configuring an IP address on the VLAN interface.

OK, as I am still doing the VoIP testing methodology for you...

Mesh vs Chain

When Matasano Chargen suggested reading Nate Lawson's blog, I immediately added it to my Bloglines collection. Today I read Building a Mesh Vs a Chain and Mesh Approach vs Defense-in-Depth. Nate's basic premise is this: When explaining the desired properties of a security system, I often use the metaphor of a mesh versus a chain. A mesh implies many interdependent checks, protection measures, and stopgaps. A chain implies a long sequence of independent checks, each assuming or relying on the results of the others. With a mesh, it's clear that if...

Security Operations Fundamentals

Last year I wrote: Marcus [Ranum] noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want! You might be wondering about the digital security equivalent to eating less, eating good food, and exercising regularly. Addressing that subject adequately would take more than this blog post, but I want to share the...

VoIP Auditing Tools

OK, so I am going to attend a hacking course at Hack In The Box with The Grugq. Yes guys, I do know how to audit VoIP, but I would love to learn advanced VoIP hacking from the best of the west. If you read the HITB website, he developed a tool called Tactical VoIP Toolkit which does basic and advanced attacks. Just a few minutes ago, I found another commercial tool called VoIPaudit which costs USD 10,000. Personally, I feel that open source tools are much better than closed source. I don't know how this tool fares, but I think it is...

Tuesday, 27 March 2007

TCNiSO Modem Hacking

OK, I almost forgot about DerEngel for some time now. I was reading his book "Hacking the Cable Modem" two months back and I was really amazed by how the small things he found would lead to bigger hacks. The book is very insightful and teaches you how to do soldering and modem hacking. Well, I am not good at reverse engineering, programming or soldering. However, this book really made me look into how "real" hackers actually work. In the...

Yet Another Content Generator

OK guys, listen up. If you have a site and would love to boost your content, please try YACG. It is open source, which means it is free. You can also include your own scripting code if you know how to code, and best of all, it is easy to use and you can customize it. Check it out here: http://getyacg.com "It's based on hooks so you can add your own code without having to change anything, also it's very intuitive. For example, if you have a page about 'Ferrari' and you put the script in, it will automatically display a video from Youtube related to 'Ferrari'....

Testing for Cisco VPNs

Note: image from ike-scan wiki. OK guys, I know ike-scan has been out there for some time, but still I would love to blog about this. Cisco VPNs run on UDP port 500, and most of us know that the Cisco VPN Concentrator 3000 is vulnerable to multiple attacks like DoS and buffer overflows. ike-scan will actually test for the presence of VPNs and check if the VPN can be forced into Aggressive mode for cracking later on. And once the PSK is cracked, connection...

VLAN Trunking Protocol configurations

OK, here is my next installment: configuring VTP. How VTP works is that you configure VLANs on your switch and this information is propagated to the other switches in the domain through VTP advertisements. As you know, VLAN hopping attacks are possible when Dynamic Trunking Protocol is enabled, so in my configuration I manually configure the trunk instead of using DTP. This is shown in my example with the command "switchport mode trunk"....

Ayoi on the Importance of NSM Data

At my ShmooCon talk I provided a series of case studies showing the importance of Network Security Monitoring data. The idea was to ask how it would be possible to determine if an IDS alert represented a real problem if high-quality data didn't exist. Alert management is not security investigation, and unfortunately most products and processes implement the former while the latter is truly needed. I noticed that Ayoi in Malaysia posted a series of blog stories showing his investigative methodology using NSM data and Sguil (Not Only Alert Data...

Monday, 26 March 2007

SANS Software Security Institute

Today I attended a free three-plus-hour seminar offered by the new SANS Software Security Institute. This is part of SANS dedicated to software security. I recommend reading their press release (.pdf) for the full scoop, but basically SANS is introducing a Secure Programming Skills Assessment, additional training (eventually), and a certification path. Other people will summarize the program, so I'd like to share a few thoughts from the speakers at today's event. Michael Sutton from SPI Dynamics said that the idea of assembling a team of security...

Manipulating Packet Captures

While capturing traffic at Hack or Halo I realized the timestamps on the packets were off by one hour. Apparently I didn't patch this infrequently used Hacom box for the recent DST change. I captured traffic using Sguil's log_packets.sh script, which uses Snort to write a new full content trace every hour. For the first round of the contest, the script produced two traces. I combined them using Mergecap, bundled with Wireshark.

richard@neely:/var/tmp/shmoocon2007$ mergecap -w shmoocon_hack_rd1.pcap snort.log.1174770982 snort.log.1174773600...
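The two operations this post needs, shifting every timestamp by the missed DST hour and merging the hourly traces in time order, done in pure Python as an added example that is not the post's own code (the post used mergecap; editcap -t does the shift). It parses and writes the classic pcap format directly, so it runs offline. Assumptions: the sensor clock was one hour behind, so the correction is +3600 seconds (if it was ahead, pass -3600); the frames and timestamps are constructed, and the trace names only mirror the post's snort.log.<epoch> files.

```python
# Added example, not the post's code: a pure-Python stand-in for
# "editcap -t 3600" followed by "mergecap". The pcap bytes below are
# constructed test data, not the Hack or Halo captures.
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
Packet = Tuple[int, int, bytes]            # (ts_sec, ts_usec, frame)


def write_pcap(packets: List[Packet], linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Serialise records as a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Tuple[int, List[Packet]]:
    """Parse a classic pcap of either byte order; refuse truncated records."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    linktype = ghdr.unpack_from(data, 0)[6]
    off = ghdr.size
    packets: List[Packet] = []
    while off < len(data):
        if off + rhdr.size > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl_len, _orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data")
        off += incl_len
        packets.append((sec, usec, frame))
    return linktype, packets


def shift_timestamps(packets: List[Packet], seconds: int) -> List[Packet]:
    """Equivalent of editcap -t <seconds>: add a signed offset to every record."""
    return [(sec + seconds, usec, frame) for sec, usec, frame in packets]


def fix_and_merge(traces: List[bytes], shift_seconds: int) -> bytes:
    """Shift each trace, then merge chronologically (mergecap's default).
    Traces with different link types cannot share one classic pcap header."""
    linktypes = set()
    merged: List[Packet] = []
    for data in traces:
        linktype, packets = read_pcap(data)
        linktypes.add(linktype)
        merged.extend(shift_timestamps(packets, shift_seconds))
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}; cannot merge")
    merged.sort(key=lambda p: (p[0], p[1]))        # stable sort: ties keep file order
    return write_pcap(merged, linktype=linktypes.pop())


# Constructed input: one dummy 60-byte broadcast frame and two hourly traces
# named after the post's snort.log.<epoch> files.
FRAME = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 46
TRACE_1174770982 = write_pcap([(1174770982, 0, FRAME), (1174771400, 500, FRAME)])
TRACE_1174773600 = write_pcap([(1174773600, 0, FRAME), (1174773700, 250, FRAME)])


def corrected_seconds() -> List[int]:
    """Timestamps after a +1 h correction and merge, with the files given out of order."""
    _, packets = read_pcap(fix_and_merge([TRACE_1174773600, TRACE_1174770982], 3600))
    return [sec for sec, _usec, _frame in packets]


if __name__ == "__main__":
    print(corrected_seconds())
```

Because the merge sorts on the corrected timestamps, the order of the input files does not matter; what does matter is applying the same shift to every trace from the same sensor before merging, otherwise the hour boundary between the two files is silently misaligned.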

The Tipping Point

Been reading a lot of the book "The Tipping Point" by Malcolm Gladwell. For those of you who are inspired to accomplish big things in life, you should read this amazing book. It illustrates how small little things in life can actually spread rapidly throughout the world, and considers them epidemics. For those who love marketing or are starting to build a brand for yourself, this is absolutely the book for you. An excerpt from the book in chapter 2: "Epidemics have three primary characteristics: 1) contagiousness 2) rapid change 3) very importantly,...

Sunday, 25 March 2007

ShmooCon 2007 Wrap-Up

ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.) I also left right after Bruce Potter's introductory comments...

sla.ckers

OK, just got a message from RSnake giving me permission to use his banner. RSnake is one of the top web application gods in the web application industry today. I am a huge fan of his and am constantly visiting his forum and blog to gain new insights and information. Recently, people from the sla.ckers forum designed a cool banner to be used in the sla.ckers forum, and since I am one of his fans, I got to blog his banner down here. Feel free to visit the...

Cisco IOS Authentication Proxy Vulnerability

OK, so the authentication proxy is vulnerable to a remotely exploitable buffer overflow condition. Well, this only affects Cisco products that are configured for telnet and FTP authentication proxy. Fixes, mitigations and workarounds have been published here: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.sh...

CBAC vulnerabilities

OK, last night I blogged about CBAC and its powerful features. It is really a useful feature to have in your firewall. A sample configuration was included in that post. Well, I only included a small snippet of the configuration, but the fact is there is more than that. If you explore deeper, you will find additional features for CBAC. The sad thing to mention is that older IOS versions using CBAC suffer from DoS attacks involving fragmentation of IP packets (you can use hping to actually do the fragmentation). So please patch your IOS version. More information...

Saturday, 24 March 2007

Boosting Linksys Router Signal

OK, I happened to stumble across this site http://www.thibor.co.uk/ where you can upgrade your Linksys router firmware to enhance your signal strength. That is to say, no antennas or range boosters needed. Well, sad to say that they only support a few models of Linksys routers and mine is not included in their list :( More support for Linksys products can be found here: http://www.linksysinfo.org/index....

IP NAT Pool

OK, last night I did a small configuration for NAT. I guess most networkers would know what NAT is used for, so the configuration is shown below. Well, in this example you will see the serial interface is down. The reason is simply that I set the interface to a private IP range instead of a public range. As for the other commands, they are pretty simple. Well, this is just a basic NAT configuration....

Blogging from ShmooCon Hack or Halo

So much from my lousy camera phone. That's my best attempt to show Sguil monitoring traffic at the ShmooCon Hack or Halo contest. I plan to share the network traffic from the hacking contest when I get the opportunity. Thanks to WXS and the ShmooCon crew for letting me attach a sensor to the netwo...

Other Cisco Security Router features.

Alright, the other day I provided a list of features that can be used to harden the Cisco router, and I am going to finish it here today with the commands. For PAM to work, you can issue the commands below:

config t
ip port-map telnet port smtp 2525
exit

This will map the standard SMTP port, which is port 25, to a non-standard port 2525. You can also attach an access-list to restrict only specific hosts or users to the SMTP server, using list xx (where xx is the access-list number) at the end of the ip port-map command. Cisco Firewall comes with basic configuration...

Transparent Layer 2 Firewall

OK, I got to blog this. Personally I have not configured a Layer 2 transparent firewall on a Cisco router, but this seems an interesting, useful and powerful feature to me. I never knew that modern Cisco routers have Layer 2 firewall capabilities until this very moment. This transparent firewall works similarly to a Layer 3 firewall except that it is totally transparent and requires bridging to be configured. Both Integrated Routing and Bridging (IRB) and a Bridge Virtual Interface (BVI) need to be configured in order for it to work. "A transparent...

CBAC configuration example

The other day I was blogging about Cisco's CBAC feature, which can be used as an application firewall to monitor application layer protocols. Since it only creates session table entries for outbound traffic and blocks unsolicited inbound traffic, this feature also blocks port scanning, a common technique used by hackers. If someone tries to port scan using nmap or some other tool, because this feature is blocking inbound connections, the port scan yields nothing useful, thus protecting the servers and shielding off most hackers. Below is a basic CBAC configuration...

Friday, 23 March 2007

Taking the Fight to the Enemy

ShmooCon started today. ShmooCon leader Bruce Potter finished his opening remarks by challenging the audience to find anyone outside of the security community who cares about security. I decided to take his idea seriously and I thought about it on the Metro ride home. It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence. Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.)...