Posted by agent0x0 on August 29, 2006 – 10:26 pm
Ahh..netcat..how useful you are to me! If you don’t use netcat for pen testing you absolutely have to. Good article below on how you can use netcat. Some examples:
* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomizer
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Optional ability to let another program service inbound connections
Netcat – The TCP/IP Swiss Army Knife
Posted by agent0x0 on August 29, 2006 – 9:28 pm
I remember awhile back reading this article about how a pen testing company came up with a really neat way to social engineer the employees of a company. How? Place USB thumb drives at strategic locations (like the main entrance) and see if employees plug them in and open up applications or pictures contained on the drives. Great way to test your security policies! You can also conduct this type of test with CD-ROMs and even floppy disks.
digg – Social Engineering, the USB Way
Posted by agent0x0 on August 23, 2006 – 1:58 pm
This is a nice surprise from Microsoft! The patch to fix an exploit..causes a crash that is itself exploitable! (say that fifty times in a row) What to do?
- Windows XP: Make sure you are on XP Service Pack 2. SP2 is not vulnerable. Or, disable HTTP1.1 functionality.
- Windows 2000 IE SP1: Disable HTTP1.1 functionality or better yet, upgrade to XP w/SP2.
Hopefully Microsoft releases a patch for the patch soon!
SecuriTeam – MS06-042 Related Internet Explorer ‘Crash’ is Exploitable
Posted by agent0x0 on August 22, 2006 – 9:25 am
Very good article from the NY Times today about wireless security in airports and public hotspots. With an article in the “business” section of the NY Times, it goes to show that wireless security is becoming more of an issue. Some key points from the article:
- Educate your employees on how small of a circle you travel in, noting that when you are on your cell phone others are listening to your conversation.
- Someone could easily be using a packet sniffer at the airport or hotspot to sniff all of the traffic from your machine. Sniffers are easy to download and use.
- You should always use a VPN when surfing or checking email. That way all the traffic from your machine is encrypted. Most (smart) corporations provide VPN access to their employees. You can also use subscription services like HotSpotVPN for about $10 a month or use a free solution like Hamachi (highly recommended) to connect back to your home network via VPN and surf from your home Internet connection.
- Never use a public computer to access the Internet! It is way too easy to install a keylogger on these computers and everything you type (passwords, CC#’s) could be logged and sent to a malicious person. If you must use a public computer, use a solution like RoboForm ($30 shareware) that defeats keyloggers and encrypts your passwords to a USB key.
- Use a cable lock to lock your laptop to a chair or table if you leave your laptop unattended. This is especially important at a conference or hotel room.
- Use a Notebook Privacy Filter. This cool device only allows you to read your laptop screen. You can’t view anything on the screen when looking at it from any angle but head on.
Web Surfing in Public Places Is a Way to Court Trouble – New York Times
Posted by agent0x0 on August 21, 2006 – 11:08 pm
A few months ago I heard on the “Security Now!” podcast that there was a really good open-source encryption application that is so good that it is literally scary. It is so good, and so well done, that you can use it for “plausible deniability”. In TrueCrypt, this provides you with (from the TrueCrypt website):
1. True hidden volumes.
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of “signature”). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.
Pretty cool eh? As a bonus, you can create a TrueCrypt volume on a USB flash drive for portability. So now you can carry a USB flash drive around with nothing but “random data”…and if you are caught with the secret plans to take over the world..they can be safely hidden within a secret volume..which on the outside contains your income tax returns that you were safeguarding.
I hope to do a full review of TrueCrypt in the near future and let you know how the installation and ease of use is.
TrueCrypt – Free Open-Source On-The-Fly Disk Encryption Software for Windows XP/2000 and Linux
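The “looks like random data, carries no signature” claim above is something you can check for yourself. The following Python script is an added example (not code from the original post or from the TrueCrypt project): it measures the Shannon entropy of a byte blob and looks for well-known file signatures, which is roughly what a forensic triage tool does when it sorts files into “known format”, “plain data” and “high-entropy blob with no header”. The sample inputs are constructed inline: a random blob standing in for an encrypted volume, a repeated text line standing in for a tax return, and a zip-like blob to show that a recognizable header gives the game away even when the rest is random. The 7.5 bits/byte threshold is an assumption for the demonstration.

```python
import math
import os
from collections import Counter

# Constructed samples (not real containers): a random blob stands in for an
# encrypted volume, a repeated text line stands in for a plain document, and
# a zip-like blob shows the effect of a recognizable header.
RANDOM_BLOB = os.urandom(64 * 1024)
TEXT_BLOB = b"Income tax return, tax year 2005. Gross income: 42,000.00\n" * 1000
ZIP_LIKE = b"PK\x03\x04" + os.urandom(64 * 1024)

# A few well-known file signatures (magic bytes) a triage tool would recognize.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (all one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_signature(data: bytes):
    """Return the format name if the blob starts with a known magic, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Triage a blob the way a first-pass forensic scan would.

    threshold is an assumed cut-off: compressed and encrypted data both sit
    near 8.0 bits/byte, so a high score alone never proves a TrueCrypt volume;
    it only says "no structure visible", which is exactly the deniability point.
    """
    sig = find_signature(data)
    if sig:
        return f"signature:{sig}"
    if shannon_entropy(data) >= threshold:
        return "high-entropy, no signature"
    return "low-entropy"


if __name__ == "__main__":
    for label, blob in (("random", RANDOM_BLOB), ("text", TEXT_BLOB), ("zip-like", ZIP_LIKE)):
        print(f"{label:9s} entropy={shannon_entropy(blob):.3f} -> {classify(blob)}")
```

The random blob scores just under 8.0 and is reported as a high-entropy blob with no signature; the text sample scores well below 6; the zip-like blob is caught by its header before entropy is even considered. The caveat for a defender is the same as the author's point in reverse: this check cannot distinguish an encrypted container from any other high-entropy file, so it is a triage hint, not evidence.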
Posted by agent0x0 on August 21, 2006 – 9:37 am
So the truth comes out…here is a great quote from the article:
“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”
So much for credibility huh?
Macworld: News: MacBook Wi-Fi hack didn’t use Apple drivers
Posted by agent0x0 on August 17, 2006 – 10:53 am
So Immunity is about to release a wireless handheld called “SILICA” that includes hundreds of exploits to perform automated pen testing. If you are not aware, Immunity sells a product called “Canvas” which is in direct competition with “Core Impact” from Core Security Technologies. Basically, both these companies offer products very similar to the Metasploit Framework but a bit more automated. Whether or not commercial products are better than Metasploit for pen testing is a hot topic..I personally think you can get everything you want (and more) from Metasploit..but I really like the idea of putting all of this together in a handheld wireless device. As a bonus you can apparently connect this up to a “wired” network as well through ethernet via USB cable so it can be used on non-wireless networks as well. Too bad the going rate will be $3,000! However, I would think that this is just the beginning of open source tools and software that will be ported or available to pocket pc type of devices in the future.
‘Pen’ Testing in the Palm of Your Hand
Posted by agent0x0 on August 15, 2006 – 9:33 pm
LURHQ once again has done a very good analysis of how the latest Mocbot (which exploits the MS06-040 vulnerability) works in detail. It also is a good overview on how bots, botnets, and botherders control thousands of Zombie machines to do their bidding. It also shows you how security researchers spy on the botherders to learn how these bots work…be careful though, you could get DDoSed!
LURHQ – Mocbot Spam Analysis
Posted by agent0x0 on August 15, 2006 – 8:55 am
Interesting article on Biometric polygraph for airport security. This works by detecting emotional responses to a series of questions. If the person was nervous or worried the system could determine that. In tests it has flagged 85% of “mock” terrorists and 8% of innocent passengers! 8% is a large amount….
So the question is..what if you are just nervous to fly, had a bad day or are just an emotional wreck to begin with? Biometrics is still a young technology that should be allowed to mature before sending this into every airport in America. The more undeveloped technology that is deployed for airport security, the longer it’s going to take to get through security, that’s for sure.
Biometric polygraph next for airport security?
Posted by agent0x0 on August 14, 2006 – 11:29 am
LURHQ has released a very good analysis of the MS06-040 IRC Bot which started exploiting vulnerable systems this weekend. You can view the analysis at the LURHQ website. SANS also has a very good article on some steps to take to block or detect this on your network. Note the following:
- Look out for laptops coming back into your internal network. Telecommuters that VPN in from home then come back to the corporate network could be vulnerable if not patched.
- Outgoing traffic to 18067/TCP bniu.househot.com, ypgw.walloan.com.
- Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.
- Anti-virus vendors may not be up-to-date with definitions so patching is your best defense right now.
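The three network indicators in that list (outbound 18067/TCP, the two controller hostnames, and internal hosts sweeping 445/TCP) are easy to turn into a log check. The script below is an added example, not code from the original post, SANS or LURHQ: it parses a constructed connection-log format of the form `<date> <time> <proto> <src>:<sport> -> <dst>:<dport> [<hostname>]`, treats 10.0.0.0/8 as the internal range, and flags the three patterns. The log format, the internal range and the scan threshold (five distinct 445/TCP targets from one source) are assumptions for the demonstration; the port and hostnames are the ones quoted above.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the corporate range
C2_PORT = 18067                                     # bot controller port from the SANS notes above
C2_HOSTS = {"bniu.househot.com", "ypgw.walloan.com"}
SMB_PORT = 445
SCAN_THRESHOLD = 5                                  # assumption: distinct 445/TCP targets per source

# Constructed log format: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport> [<hostname>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<host>\S+))?$"
)

# Constructed sample lines: one infected host talking to the controller and
# sweeping its /24 on 445, one clean host, one UDP line and one junk line.
SAMPLE_LOG = """\
2006-08-14 09:12:01 TCP 10.1.2.34:1045 -> 192.0.2.10:18067 bniu.househot.com
2006-08-14 09:12:03 TCP 10.1.2.34:1046 -> 10.1.2.1:445
2006-08-14 09:12:03 TCP 10.1.2.34:1047 -> 10.1.2.2:445
2006-08-14 09:12:03 TCP 10.1.2.34:1048 -> 10.1.2.3:445
2006-08-14 09:12:04 TCP 10.1.2.34:1049 -> 10.1.2.4:445
2006-08-14 09:12:04 TCP 10.1.2.34:1050 -> 10.1.2.5:445
2006-08-14 09:12:04 TCP 10.1.2.34:1051 -> 198.51.100.7:445
2006-08-14 09:13:10 TCP 10.1.5.9:2210 -> 10.1.0.5:445
2006-08-14 09:13:11 TCP 10.1.5.9:2211 -> 203.0.113.80:80 www.example.com
2006-08-14 09:14:00 UDP 10.1.2.34:1052 -> 10.1.0.53:53
garbage line that does not parse
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def detect(lines):
    """Return (kind, source, detail) alerts for the three MS06-040 bot indicators."""
    alerts = []
    smb_targets = defaultdict(set)  # source -> distinct 445/TCP destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or not is_internal(rec["src"]):
            continue  # only TCP from our own hosts matters for these indicators
        outbound = not is_internal(rec["dst"])
        if outbound and rec["dport"] == C2_PORT:
            alerts.append(("c2_port", rec["src"], rec["dst"]))
        if rec["host"] and rec["host"].lower() in C2_HOSTS:
            alerts.append(("c2_host", rec["src"], rec["host"]))
        if rec["dport"] == SMB_PORT:
            smb_targets[rec["src"]].add(rec["dst"])
    # A host that touches many distinct 445/TCP targets is scanning, internal or external.
    for src, targets in sorted(smb_targets.items()):
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("smb_scan", src, f"{len(targets)} hosts"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:9s} {src:12s} {detail}")
```

On the sample data the infected host 10.1.2.34 produces three alerts (controller port, controller hostname, and a sweep of six distinct 445/TCP targets), while the clean host with a single 445 connection stays quiet. The scan count deliberately includes internal destinations, matching the note above that the scans can be internal as well as external; the threshold is what you would tune to your own network's normal SMB fan-out.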