Posted by agent0x0 on November 30, 2007 – 11:02 am
[Image: ps3]
This was a hard one to categorize as I have a Video Game Console Hack section but this really isn’t a hack…it looks like a New Zealand security researcher determined that cracking password hashes on a Playstation 3 via brute force is much faster (100 times actually) than cracking on Intel based hardware. From the article:
“The gaming console is perfect for cracking passwords because the chips it uses are optimized to rapidly perform the calculations required to model 3-D environments. The computing techniques used to crack passwords are similar.”
In addition, the console is pretty affordable (cheaper than an Intel based PC/laptop) so this is great for cracking passwords on the cheap. Be sure to check out the podcast that is linked in the article I referenced above as the researcher explains some of the ramifications of this research (good stuff about cracking Bit Torrent hashes to poison download chunks). Hopefully we get information down the road about the setup he used on the PS3 to achieve this (I will post an update when I get it).
This relates to the video card password hash cracking technology that Elcomsoft developed but the Playstation 3 cell processor runs way faster (to the tune of 1.4 billion calculations).
Posted by agent0x0 on November 30, 2007 – 10:16 am
As I am sure all of you are already aware…the UK recently had their biggest data breach ever. 25 million (close to half of the population in the UK) personal records which include names of children, the equivalent of the SSN in the US, address, and certain bank info. Interesting read about this incident over at IT Security Expert who was personally affected by this HMRC breach (actually this is the second time for him now). I personally feel just like he does as I had my personal information (SSN and more) compromised by the US government twice this year already. I recently just received my “one year” of free credit monitoring from a third-party service. I could blog about how worthless one year of this service is (one year is not enough by the way) and the problems I have already had with this service but I will leave that for later. Not sure if the UK government will give them the same type of service but I hope it is a hell of a lot better than what the US government has given out.
Sad how you as a citizen of a country could do everything you can to protect your identity. We buy shredders, check our credit reports, etc…but it’s the government of your country (who you assume to trust the most) who loses your personal data and all you get is one crappy year of credit monitoring service.
Posted by agent0x0 on November 20, 2007 – 9:13 pm
[Image: KisMac Logo]
I decided to setup a little wardriving experiment to really get an idea on how many people are still using WEP to secure their wireless access points. I also wanted to find out if people really still setup a wireless network without encryption. You would think that most people would at least use WEP right? Not exactly! The following is Part 1 of my little experiment in which I talk about vendor responsibility and wireless security education…
It still seems that security is never the first thing a vendor thinks about when instructing a new user who just purchased an access point. To confirm this I purchased a cheap “2.4Ghz 802.11g” wireless access point at the local Best Buy and read through the instructions. To my dismay I found all the information about securing your new access point was toward the middle to the end of the instructions. I had my options of 64-bit WEP, 128-bit WEP, and WPA-PSK. When reading about WEP, they said nothing about WEP being easy to crack and nothing about how to choose a long passphrase for either type of encryption (to see why you should choose a long randomly generated passphrase, see this article). Why not right? Would educating your customers possibly lower sales somehow?
I thought for a minute of someone like my Mom reading these instructions…what would she choose? Lucky for her she could call me! Most people won’t be that lucky and will unfortunately make a bad decision of selecting poor encryption, a weak password and/or passphrase, or a combination of both. Worse yet…selecting encryption is probably too technical so most average people are going to select no encryption. Who needs silly encryption, right?
So if the vendor doesn’t educate users about basic wireless security who will? The high school girl at the check out? The (god forbid) “Geek Squad”?
In Part 2 of my wardriving experiment I will talk about what wardriving is, how it is evolving, and the wardriving setup I used to conduct my experiment. I will also talk about the results of a wardrive I did in a pretty populated suburban neighborhood.
Posted by agent0x0 on November 16, 2007 – 12:29 pm
Looks like Thomas over at de-ice.net (creator of the De-ICE Pentest LiveCDs) has started online training for beginning pen testers. Looks pretty affordable at only $395. He also has a special for $100 for the first 100 that sign up. Here are some details on the training from Thomas’ web site:
“PenTesting Fundamentals”
The following topics are covered in the course:
* The need for penetration testing in a corporate environment
* Penetration Testing Methodologies
* Project Management requirements and methods used during the engagement
* How and what to document during the engagement
* Tools and methods used to conduct an extensive Pentest project
* Hands-On experience conducting your own penetration test
“By the end of the week-long course, the student will be able to conduct and document a penetration test independently, using the ISSAF methodology as taught in the class. Successful completion of the course includes the student providing a finished document to the instructor of their independent penetration testing project as detailed by the ISSAF standards. The penetration test required for course completion will be against one of the course-provided LiveCDs. This LiveCD has not been released to the general public, and will only be available through the course offering.”
Good to see that he is following the very detailed methodology of the ISSAF (check the whole 800 page document out here, good stuff). I recommend everyone check out his site as well as the De-ICE LiveCDs. I am working with Thomas on a Wiki format for the documentation that I started which should be up in the near future.
You can check out the details for the online training here.
Posted by agent0x0 on November 16, 2007 – 10:01 am
In doing a recent pen test…just a reminder to not forget about easy things that a DBA might overlook, like keeping around a dangerous stored procedure like xp_cmdshell. While most of us spend time trying to figure out complex and creative ways to get into systems…sometimes it’s the simple things that get overlooked.
If you find a blank or easy to guess SA password and the database is Microsoft SQL 7, 2000, or 2005 (xp_cmdshell is also available in Sybase but you would use the iSql tool) you can use the “osql” utility to easily connect to the database and run commands if xp_cmdshell is enabled. Osql is installed with an MSDE or SQL Server installation.
If xp_cmdshell is not enabled you can restore the procedure pretty easily as well. Here is an article on this. Note that a Google search can give you more information on restoring xp_cmdshell (even if the .dll was removed).
So what are the commands to use?
osql -S [host name or IP] -U sa -P [password or "" for null]
exec master..xp_cmdshell 'command to run'
go
So for example…say I want to create a local administrator account on a Windows SQL server with xp_cmdshell enabled:
exec master..xp_cmdshell 'net user hacker password /add'
go
exec master..xp_cmdshell 'net localgroup administrators hacker /add'
go
You can run any command you like so you can get creative!
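The flip side for the DBA is checking the two conditions the post relies on (a blank sa password and an enabled xp_cmdshell) and closing them. The following T-SQL is an added audit and hardening script, not something from the original post or from Microsoft; it assumes SQL Server 2005 or later (sys.configurations, sys.sql_logins and ALTER LOGIN do not exist on SQL 7 / 2000) and a login that holds sysadmin or at least ALTER SETTINGS.

```sql
-- Added example: audit and hardening for the two weaknesses described above.
-- Assumes SQL Server 2005+ and a sysadmin (or ALTER SETTINGS) login.

-- 1. Is xp_cmdshell enabled right now?  value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which SQL logins still have a blank password?
--    PWDCOMPARE returns 1 when the clear-text candidate matches the stored hash.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Who is in the sysadmin role? Anyone here can re-enable xp_cmdshell
--    with sp_configure, so the list should be short and known.
SELECT p.name AS member_login, p.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. Turn xp_cmdshell off. It is an "advanced" option, so it has to be
--    exposed first and hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Give sa a real password and disable it; day-to-day administration
--    should go through named Windows logins instead.
--    Replace the placeholder with a long, generated value before running.
ALTER LOGIN sa WITH PASSWORD = '<long-random-password-placeholder>';
ALTER LOGIN sa DISABLE;

-- 6. Re-check step 1; value_in_use should now be 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Step 4 is a configuration change, not a permission change: a sysadmin can run the same sp_configure with 1 and put it straight back, which is why step 3 matters as much as step 4. Run steps 1 to 3 first as a read-only audit; they make no changes and are safe to schedule against every instance.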
Posted by agent0x0 on November 12, 2007 – 8:09 pm
Found an announcement of an update to a wireless pen test tool called WifiZoo. I have been meaning to play with this tool but I just haven’t had the time. I like the fact that I don’t have to use Wireshark or another tool like Ettercap to get packet data read (ie: user names/passwords). Pretty cool…check it out here. Article below:
WifiZoo v1.2 – Gather Wifi Information Passively | Darknet – The Darkside
Posted by agent0x0 on November 7, 2007 – 11:02 am
[Image: WiebeTech HotPlug]
Here is a product that is truly revolutionary. A company called WiebeTech has developed a technology that gives forensic investigators (ie: Police) the ability to move a powered on computer. Their product called “HotPlug” basically gives you the ability to unplug a live computer (if plugged into a power strip or wall outlet) and transport the computer via UPS (Uninterruptible Power Supply). Without the power strip, it is a bit more advanced but easily done. You can check out the video demos on their web site.
Also interesting to note that using HotPlug is a way to circumvent whole disk encryption. They have a pretty good procedure around this as described on their web site. Let’s not forget about the Mouse Jiggler product they also sell which works in conjunction with circumventing whole disk encryption.
The Mouse Jiggler is a USB key that you can plug into a computer (PC and Mac) to move the mouse cursor either slow or fast to prevent the screen saver from activating and/or the computer from locking. Great for pranks and investigations!
Posted by agent0x0 on November 5, 2007 – 1:21 pm
I recently wrote about some other Firefox plugins which allow you to manipulate and hack web pages. Looks like there is another set of tools called “ExploitMe” which allows for SQL Injection and XSS (Cross Site Scripting), and web service testing. From the article:
“The ExploitMe tools — which are currently in beta form — include SQL Inject-Me, which lets you right-click on an HTML field in your Firefox browser and inject it with SQL injection payloads, and XSS-Me, which works the same way, but with XSS. The tools’ developers also plan to release Web services exploit tools as well…”
Looks like this is becoming a new trend in application testing tools. Good to see that people are using a good framework like Firefox extensions to add useful tools for testing. Note that I just did a quick search for the ExploitMe set of tools in the Firefox extensions database and it has not been released yet as the creators will be launching these tools at the SecTor conference later this month.