VRF - WTF?

While giving classes over the years I have encountered a great number of students who are not familiar with Virtual Routing and Forwarding (VRF) I explain that it's the practice of maintaining separate routing policies for different subnets / interfaces on the same piece of hardware. Well, the guys at Plixer did a great explanation that I wanted to reference that goes into more depth if you care :)

VRF article


Also The Plixer guys maintain a blog with new articles every few days dealing with network analysis.

Netflow rap, from the scrutinizer guys, you know scrutinizer rocks right?

So I love geeky youtube videos to begin with, but add Cisco to it an one of my new favorite toys (Scrutinizer) and you have geek utopia :) The lyrics are great but it's super-fast.

Check it out here

Looking for a big dict?

So it took me longer than it should have to lookup a massive dictionary file for running some WPA attacks. Some how I misplaced the one I was using when I cleaned up my massive collection of hacking files. Anyhow over at ARGON they have two that seem respectable.

Check here


Aircrack is multithreaded by the way, gets all 8CPUs going nicely

Identity 2.0

What is IDENTITY and how is it changing with the world around us? You're username@gmail.com and some other user @ ebay, and something else at Amazon, and facebook.. can't it all by tied together? Is that where things are headed? This is one of the best explanations of how our identities have evolved with the cyberworld and where things are headed

Check out this presentation, it's definitely worthwhile.

Shodan search engine

This is an absolutely phenominal search engine, where you can query for banners of various types of devices. For instance, say you wanted to know which routers on the internet had the HTTP service enabled, one quick query will tell you. A new vulnerability for your favorite mail platform? Again, its' all archived. Check out shodan today!

Here is an example query

144,000+ IOS routers with the web server enabled!

http://shodan.surtri.com/?q=%22cisco-ios%22+port%3A80

How about IIS 4.0 that we use in reference attacks?

7500 and counting!
http://shodan.surtri.com/?q=%22iis+4.0%22

Network visualization with Cisco ASA

I've implemented a lot of Cisco firewalls over the years, and one common thing that was missing was a method of doing external traffic analysis beyond syslog/snmp. Fortunately in recent versions of the ASA code Cisco has added support for Netflow output.

The only catch to this is that is generates Netflow V9 output (v5 is more commonly used). The only missing piece is a netflow collector. I have setup Scrutinizer and so far I'm very pleased.

Web-app punching bag

Chuck Willis over at Mandiant released a web application penetration testing Virtual Machine. This can be handy for learning the ropes, also an alternative to WebGoat (WebApp testing suite).

RIP milw0rm , new exploit repository at remote-exploit

It appears that the guys over at remote exploit have moved in to fill the space left behind after milw0rm quit updating. One of the nice things about the exploit site @ Offsec is that they will occasionally include a link to the vulnerable version of the application which is great for testing.

Security Binge - New hacking podcast

They cover a cool things here, the coolest being GPU-accelerated password cracking. I knew that your GPU could be used in conjunction with your CPU, but I didn't realize how much faster it becomes.

http://securitybinge.com/updates/2009/11/14/securitybinge-episode-002.html

Link to developer of BarsFW and code
http://3.14.by/en/

VIPER VAST

There is another linux STD (Security Tools Distro) that targets VoIP, which is interesting because recently I've emerged myself in voice technologies so for me this is the perfect mix. It has some of the most common tools from backtrack, such as nmap, metasploit, hping, hydra but also UCsniff, video snarf, SIPvicious and more!

http://vipervast.sourceforge.net/

-=pcapr=- Who loves wireshark?

If you're on FD or GCFA mailing lists you may have seen pcapr mentioned. Pcapr is a site dedicated to.. you guessed it packet capture files. They have a broad collection of caps, some as small as 2-3 packets others that are millions, from different types of network communications. SIP call setup and tear down, video, malware, network services, and (what sucked me in) pcaps from Defcon 17 CTF.

If you're not aware Defcon's CTF is a competition between some of the most elite hackers on the planet, and when I say hackers I mean people with great skill that are compromising systems for bragging rights only, no financial motivation at all. So if you've ever wondered what was happening behind the scenes you can see it here.


http://www.pcapr.net/

Google for the soul..

Kind-of-sort-of, there is a new search engine that was developed for searching people specifically. Interesting things it finds includes past addresses, social networking sites, traffic citations, arrest records, business records, date of birth,etc. It found a ton of things that google couldn't. Give www.pipl.com a try!

All the attacks are coming from China right??

Actually.. No. While the statistics vary from day to day, Arbors networks offers statistics on top attacks, top attackers and more. What's interesting though is I've often been a fan of GeoIP blocking, in other words blocking access to my network based on Source IP. Safely assuming that 99.999% of traffic aimed at my particular website source from China is malicious, this is not where the majority of hostile hosts are located. Based on current statics, many attacks are coming from IP's that are located in the U.S. This doesn't mean that the U.S. has the most hackers, actually the contrary. The US has the highest number of victims. Many of the attacks being seen are sent through a relay, or by a zombie that is participating in a large bonet. Check out arbor networks for up-to-date statistics on current threats.

http://atlas.arbor.net/

Mapping Driver letter to direcotry paths in Windows

While doing some contract work I came across a custom written application with a hard coded value to an E: drive that was no longer present. There was plenty of space on the F: drive for files to be created (this was an automated nightly backup) to a set path on E:\somepath\somefile.

Intro stage left the subst.exe command from windows CLI.

As you can imagine it's to substitute and it works like this:

C:\>subst E: F:\customapp\

E:\>cd E:
E:\

E:\>dir
Volume in drive E is New Volume
Volume Serial Number is 0472-8727

Directory of E:\

03/15/2009 07:41 PM dir .
03/15/2009 07:41 PM dir ..
0 File(s) 0 bytes
2 Dir(s) 196,957,515,776 bytes free




These mappings are persistent, however if you wanna dump it use subst E: /D (or whatever your drive letter is).

You can also list mappings with "subst" on it's own
c:\>subst
e:\: => F:\customapp

Not rocket surgery, but pretty handy if you didn't know already :)

VoIP Hopper

If you read many security books you have probably come across the topic of VLAN hopping more than once. Up until now I hadn't seen any tools designed to take advantage of this vulnerability.

From the authors description:
VoIP Hopper is a security validation tool that tests to see if a PC can mimic the behavior of an IP Phone. It rapidly automates a VLAN Hop into the Voice VLAN.

VoIP Hopper can be downloaded here!

MPack - A better explanation

I have mentioned MPack in past CCSP and CEH classes and given a brief description of how it works. I remembered seeing a video this morning and hunted it down again. This is useful for anyone out there who has managed a web server.

While Mpack is no longer affective against patched servers, it's a great example of what current "packs" contain and how they work.

MPACK infection vectors are:

* Web Servers - An Iframe code that allows MPACK installation.
* Spam - Social engineering containing email that links to a legitimate but infected website.

What makes this piece of code successful is that it employs the following exploits:

* WinZip ActiveX overflow
* QuickTime overflow
* MS06-014 Microsoft Windows MDAC Vulnerability
* MS06-006 Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers
* MS06-044 Vulnerability in Microsoft Management Console
* MS06-071 Vulnerability in Microsoft XML Core Services
* MS06-057 Vulnerability in Windows Explorer)
* MS07-017 - Vulnerability in Windows Animated Cursor

The Realm - Cisco is cooler than you thought!

Today I discovered a portion of Cisco's website called "The Realm". This area hosts an anime series that focuses on a team of superheros that battle computer villains such as malware, botnets, and hackers. Check out the episodes today!

Is it still available? The new criagslist email harvester :-(

Last night I listed my camera gear on craigslist, and throughout the night I received about ten inquiries. Why systematically clearing out my inbox from oldest messages to newest, responding to each one I started to look more closely and notice that the name of the sender was not the same as the name of the email address, and that in NONE of these inquiries did the "potential seller" mention the camera. Most of their emails contained typo's typical of 419 / phishing scams. After a bit of research I found postings on forums where several CL users were complaining about lots of "is it still available" requests but no follow up. I hadn't found anywhere that seemed like people have put this togethet yet, but I'm sure it's just a way to harvest email addresses for spamming.

For example:

Hello dear,just to let you know that am very much interested in your item,that is why i want to confirm if the camera is still available for sell.pls get back to me asap.
Regards Andrew.

(This was the most obvious that sparked my suspicions, I'm sure the other are fake as well.)

As I'm writing this blog I recieved:
hello,
i want to buy the item so,let me know it's condition.
get back to me asap.

Too bad the description is about 4 lines in length and I mention twice that the gear is in excellent condition and has only been used three times.

Hopefully the word will get out and people will be more cautious when replying to craigslist.org inquiries that are simply asking "Is the item still available".

That's it for now, stay safe :)
-Ryan

Paypal / eBay security done right!

Protect yourself from the 0-day's, keyloggers, and Trojans with RSA SecurID token for Paypal and eBay . These have been around for over a year now, so if you don't have one of these yet sign up right away (if you use eBay/ PayPal). A security token (random 6 numbers generated every 60 seconds) will be used in conjunction with your password every time you log into eBay and Paypal. Therefore, if someone had stolen your password they would also need your keychain (hard to pull off from Moscow or Kuala Lumpur). It's only $5 and while not impossible to defeat it offers a great deal of protection from account theft.

As you know for every protective measure there is a counter-measure, once authenticated if someone steals your cookie they can masquearade as you. Paypal is currently vulnerable to xss attacks btw..

How I saved about $50 a day on my rental car in Las Vegas

So, while in Las Vegas I wanted to try out the Toyota Prius (Hybrid). The only catch was that it cost about $89 a day, while the economy cars (same size, but gas powered) costs $39 a day. I understand that a Prius is fuel efficient, however I'd have to do an awful lot of driving to compensate for the extra costs, and seeing as how I didn't plan on leaving a 10 mile radius, this was awfully hard to justify. Fortunately I found this website called RetailMeNot which contains user-submitted coupon codes for various websites. Because I won't always remember to check first before making a purchase I installed a firefox plug-in that will glow green whenever I'm on a website that has a coupon code available. The code that was available at the time was for a Hertz employee friends & family rate which shaved about 50% off the cost of the car. When I traveled to Europe this fall, I also saved about 35% using the same code, and rented a Mercedes Benz CLK, convertible, navigation, running across several countries and there were no questions asked about the discount :)

If you use Hertz, I do recommend the online check-in, print your receipt and scan it at the Kiosk when you get there, the less human interaction the better :)

Keeping the bad guys out of my network

I've been looking for a Geo-IP block list for Cisco hardware that will allow me to drop packets sourced from malicous folks like Russia, China, Brazil, Eastern Europe, South American, All of Africa.. you know, most of the world. There are a lot of people on the internet these days, and traffic from certain sources has an extremely high probability of being malicous, and exteremely low chance of being legitimate. Well I haven't found exactly what I'm looking for yet, but one thing that is handy, if you don't know about it already is the drop list from spamhaus.

This list is updated regularly, which means you would need to update regularly.

Here is a guide on automating the udpates to a linux box running ip-tables.

There is another block list on Dshield

While these are decent I'm looking for something much lager the deals not only with spammers, malcious IP's but hostile countries all-together. If you know of something good please comment.

The time has come... to put AV on your MAC :-(

For the past few years I have enjoyed the "Security through obscurity" lifestyle, avoiding the malware trends while using my Macbook Pro laptop. Unfortunately Apple has put itself on the map as a malware target as you may have noticed with last weeks mass infestation with the iServices.A Trojan. While this should have easily been avoided by downloading software directly from apple, then using the key from the bit torrent site, oppoosed to downloading the software from the bit torrent site, many people blindly downloaded this app and installed it, and my bet would be that less than 1% knew what was happening in the background. As if the bombardment of browser bugs, click jacking, xss, and DNS vulnerabilities weren't enough, now I have to worry about infected mac-warez :-(.

Today I broke down and installed AV on all of my mac's which I could have done a while ago, but figured that it wasn't worth the hassle. I'm using ClamAV for OSX (ClamXav). While there are a few vendors offering mac-based AV solutions, I seriously doubt any of them are putting much work into the mac product, and that it will miss the latest trends anyhow, so instead of paying McAfffe $90 I went with the free solution (but donated anyhow). If you are familiar with Cisco Security Agent ( a great HIPS product in my opinion) you know that this is also based upon clam-av, so it can't be too bad :) Cisco was partnering on several solutions with Trendmicro before they offered CSA with intergrated Clam.

So in a nutshell, Cisco likes Clam, it's priced right, and it runs in OSX, go check it out :)



*Note: You may also notice that there is a .plugin file that you can integrate clam into the shell, allowing you to simply right-click on directories or files for quick+easy scanning.

Get it today!

Coupons without the work.. plus MLM.. well done.

Today I discovered "The sweeter deal" which is a website, hooked into affiliate programs, but then they split the cash with you and your friends! Any time I see something of this nature I am skeptical, but after quite a bit of reading they have me sold. Basically if you are going to purchase something, search through their link to buy it, they get a referral bonus, but then they split it with you. I was like hey wait a minute, couldn't I setup my own site and get 100% of the referral.. yes probably but I don't have the time, and here it is ready to go.

So long story short, get 50% of referral fees which are getting paid out anyhow! These people have done all the work, and you still get .5-10% back from your purchases (depending on the site). It's kind of like using a points card to get that 1% cash back, but there are stipulations, limits and sometimes fees. This is a free service, so unless you are going to code your own referral system, use this, it's a no-brainer!

Sign up NOW!

Quick and dirty network sweeps.. Angry IP Now for MAC / Linux

As everyone already knows nmap is the scanner of choice, unless perhaps you are performing simple scans from a Windows environment. In my experience running nmap from Windows is painful if you are used the speed you get while running it from unix. I would often suggest that Windows users move to a real OS (*nix based) or switch to a different scanner. The scanner I enthusiastically recommend is Angry IP, it's lightweight, free, and quick. While discuss scanners with a peer today I became aware that Angry IP has been ported to OS X and Linux. While this will have a smaller audience (due to the fact that nmap does such a great job here) it's still nice to have. My wife is an entry-leven network tech and she's mac based, so while she can use nmap, she does not share my passion for the CLI (understandibly) and while the nmap GUI is really nice, it's more function than she needs. So for a slick easy scanner I can recommend Angry IP for all platforms now.

IKE Scan

When performing audits you can simply sweep for UDP 500, which may indicate that a remote device is listening for IPSec connections, but that's about it. If you were looking for a bit more information you could use ike-scan which will interrogate the remote device and disclose the policy set (aka security parameters). Like most tools I blog about it's free and compact :)

IKE scan can be found:
http://www.nta-monitor.com/tools/ike-scan/

Sample output:
67.78.31.242 Main Mode Handshake returned HDR=(CKY-R=6e69a811525dc72e) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

DNS mining.. Fierce.pl

Ok, so you know those times when you discover that diamond in the rough, the extremely useful yet previously unheard of tool that makes you want to shout to tell the world about it, only to find out that your friends already know... you wonder to yourself, well why the heck didnt' they tell me?
This post is to save the people I know from the aforementioned scneario. Fierce.pl is a perl script (O rly?) that can be used to discover hosts of a target organization simply by performing DNS resolution against a dictionary file. The dictionary file included isn't bad, however I've extended mine by merging with other world lists and gotten better results.

Long story short, fierce is a super handy tool for discovery resources that is lightweight and easy to use. It's been around for a bit, I'm just making sure that you know about it :)

Fierce can be found here
http://ha.ckers.org/fierce/

DNS rewrite on PIX / ASA firewalls, MYSTERY SOLVED!

Ok so DNS Doctoring (aka dns rewrite) on the PIX's and ASA's have stumped me for some time now. I've implemented this a number of times, and sometimes it works flawlessly, other times not at all. Today it all became clear.

First off, what is DNS rewrite? When an internal host makes a query to an external DNS server about an internal resource the IP address returned will be external (see image) . In other words the host making the query is on the same network as the webserver which is Cisco.com. When the user queries a DNS server, for instance Verizon's DNS at 4.2.2.1, the answer returned will be a public IP. If you look at the static DNS mapping, within the ASA's configuration you will see that the public IP is mapped to an internal IP. Well, DNS rewrite monitors DNS traffic, and if a DNS reply contains an IP address that is used in a static statement it will alter the DNS reply to point to the inernal IP( again see image). Therefore, the client connects to the internal resource by it's actual IP address (not the static NAT). Where is the mystery then? Well I have configurd this many times, it's straight foreward, but it doesn't always work.














It turns out that if you are using static PAT, so a single IP address on the outside, doing port forward to different servers on the inside, DNS rewrite simply does not work, it's documented here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#req

If you have individual IP's for each server it works fine.
This has eluded me for years but became clear today :)

OpenDNS

My good friend, mentor even, Steve Marcinek introduced me to a free service today called OpenDNS (www.opendns.com). The scenario goes something like, you have users on corporate machines browsing to places they shouldn't go while using their broadband cellular cards, how do you restrict this? While several solutions come to mind, OpenDNS fits this scenario quite well. Similar to websense you have the ability to control browsing by selecting levels of filtering, which block categories such as pron, hate, violence, social networking, phishing and malware. Once this list is defined you must verify the source IP that you will be filtering from (or subnet) and then configure the users workstation/notebook to use the OpenDNS server for DNS. While an educated user can rearrange these settings, it could be restricted from within Windows. It' s not a perfect solution but once again, for the cost it's incredible.

www.opendns.com

*** Update***
OpenDNS doing conflicker blocking

Spiceworks

I've been meaning to post for several weeks but I've been overwhelmed with work. Anyhow, I had been searching for a network management tool that gave graphs of bandwidth utilization using SNMP, but I was also hoping to manage Windows servers, and look at things like hard drive utilization, and event notification. After testing offerings such as groundwork, nagios, what's up gold, and solarwinds I finally found something that met my needs and budget.

Spiceworks is a network managment, basic network monitoring, notifications and even help desk. I have the ability to perform inventory of the enitre network and do queries against almost any criteria, from service packs, to software applications, to memory installed etc. I've had a great time using it and I'm learning more about it by the day.

Highly recommended.
www.spiceworks.com