Saturday, May 31, 2003
Passive Network Reconnaissance
(Note: requires an understanding of packet headers.)
Shadowbane goes berserk
This one's bound to become part of classic lore.
Seems that the MMORPG Shadowbane was hacked and unknown persons altered the game world enough that it became very difficult to survive in the game, especially for newbies. Some players are angered, others thought it was a hoot.
Regardless, the parent company has rolled the game back to just before the attack and things are back to normal.
Read more about it at SmartHack.
Online Status Indicator II
Note: if your browser is set up correctly, clicking on the smilie will bring up a chat screen. Clicking on "Status" will take you to OnlineStatus.org.
Friday, May 30, 2003
Online Status Indicator
Perfect for blogging!
iptables
Thursday, May 29, 2003
Oh my aching head!
Uhoh, thought processes slowing! Eyesight getting cloudy! Let me see if I can get this out straight:
SCO is suing IBM for promoting Linux over Unix while selling its own version of Linux and is thinking about suing Linus for copyright infringement while owning neither copyright nor trademark. Somewhere in there, they sold a license to Microsoft which they weren't allowed to sell? Which Microsoft denies was purchased to support SCO's legal fees?
Oh, and what is now the SCO Group used to be known as Caldera who at one point had sued Microsoft for unfair competition for crippling attempts to run IE on DRDOS which at one point was owned by Novell? And that the documents used against Microsoft in that lawsuit are being shredded by the SCO group even after a court order from Sun (because Sun has their own antitrust case against Microsoft)?
Meanwhile there's hints of SCO suing everyone? (Trivia: Where'd Microsoft's original TCP stack come from?)
Is that right? Ouch. brain hertz!
Oh, and can I get my money back from SCO/Caldera if I return the disk that contains that screwed up desktop scheme (so's I don't get sued by SCO/Caldera for owning the d*mn thing!)?
How geeky?
Thanks to Craig @ Compulsive.org for pointing it out.
Wednesday, May 28, 2003
Perl: Finding stuff
Monday, May 26, 2003
Seriously: Coasters
Also, announcing the birth of a new category to the right: Geek Swag.
Enumeration Basics
EBCFG has a simple article about enumeration (what a hacker will often do prior to attacking a site). Another word for it is reconnaissance.
Distributed password hacking
Sunday, May 25, 2003
More silly Google stuff
Here's what kept us up late two weeks ago
Entertaining yourself?
Bootable CD's
In my ongoing quest to learn how to create bootable *nix/*BSD CD's, this might be of value.
Source: Freshmeat.
Internet MetaWeather
Links
Friday, May 23, 2003
Zines and stuff
Send me any links you'd like to add.
Using Perl for InfoSec
(Hint: The title of the article is a hint!)
Another comic site
The main URL for the site is Doctor Fun. Thanks to Slashdot for pointing it out.
Bass Ackwards!
From the Microsoft's marketing department strikes again Department:
Just rec'd the latest version of SysAdmin magazine (which, BTW, I highly recommend), tore open the plastic, and discovered a CDROM in the back:
Windows Services for Unix 3.0
Hmm... Intriguing. It even has a "LinuxWorld" logo in the upper-left corner.
"I wonder what it services it has that runs on Unix....?" I had to go find a knife to cut the usual you-open-this-you've-agreed-to-our-licensing-scheme seal before eagerly starting to read.
"Argh!!! #&@#*! It's Unix Services for Windows!"
Would someone please call Redmond and let them know when you say "for Unix", it means it runs on Unix, and that their product should be called Unix Services for Windows!
What!? You expect me to buy and install a Windows server just so's I can use this?
#&@#*!
Seeing your work on the screen
From: Fyodor [mailto:fyodor@insecure.org]
Sent: Thursday, May 15, 2003 5:17 AM
To: nmap-hackers@insecure.org
Subject: Whoa!
Hi Everyone. There is a disturbance in the force! You may recall a couple weeks ago that MS started recommending Nmap on some of their web pages. That was strange, but I did not foresee the anomalous omens that would ensue.
Like almost any self-respecting geek, I bought tickets to 'Matrix: Reloaded' several weeks back (no spoilers, I promise). After all, who can resist the combination of philosophical mind games and Trinity (Carrie-Anne Moss) in that tight leather bodysuit?
So after waiting an hour in a line snaking out of the theatre to the parking lot, I finally got in to my 10pm Wednesday showing. All was going well until Trinity needed to do some hacking. Oh, no! I was sure we'd see a silly "Hackers"-esque 3D animated "hacking scene". Not so! Trinity is as smart as she is seductive! She whips out Nmap (!!!), scans her target, finds 22/tcp open, and proceeds with an
Thursday, May 22, 2003
Using /proc to administer Linux
Wednesday, May 21, 2003
Monday, May 19, 2003
Huh?
While not a recommended sport, the page that it came off of is pretty interesting: WordSpy, a site devoted to recently coined words and/or phrases.
Sunday, May 18, 2003
Hacking the Fizzer Worm
Saturday, May 17, 2003
No OP
Anyways, I've back-filled the last two days. Enjoy!
IPSec Interoperability
SSH Tunneling
Friday, May 16, 2003
RSS Feed HowTo
Thursday, May 15, 2003
DNS Cache Poisoning
While cache poisoning is generally considered a "bad thing" (tm), it can also be used for good (like most hacker tools). For example, say you have a heavily loaded web cache and would like to initiate some sort of content filtering but can't afford the commercial software. (Strictly speaking, what follows doesn't poison anyone's cache; the server is simply made authoritative for every domain on the list, so the bogus answers are its own. The effect on the web cache is the same.)
All you have to do is set up an additional BIND DNS server that only the web cache will use. Then grab the various freely available bad-site lists (Google/Yahoo/etc. for them!) and write a Perl script to add each of them to named.conf as an authoritative zone. All of the zones can reference the same zone file, which works because BIND's zone-file shortcuts ("@" for the zone origin, a blank left-hand side to repeat the previous name, wildcards, etc.) keep the file free of any particular domain name. BIND won't load a zone without an SOA and an NS record, but once those are in place the only record that does any work is the following wildcard A record:
* IN A 192.168.4.58
where you change 192.168.4.58 to the IP address of a web server that displays something innocuous (suggestion: the default page could present your organization's acceptable use policy).
It's cheesy but works when you don't have a budget for anything better. Protect the poisoned DNS server with iptables, IPFW, or whatever similar method your OS uses so that only the web cache can query it; anything else that can reach it gets the same redirected answers. I came up with this method after trying to continuously add keywords to Squid filters (the basic filter only allows 256 entries per line and above a certain number of lines noticeably slows) or filters to the firewall (which also noticeably slowed). Poisoning a DNS server only eats up additional memory and doesn't affect the speed of the network.
The bad news is that this can turn into a full-time job, keeping up with your in-house surfers, but it is an option. Two caveats: it only catches sites that are reached by name (a URL with a bare IP address in it sails right past), and the records should carry a short TTL so that removing a zone takes effect at the web cache promptly. Just for the record, I had over 21,000 zones poisoned and it didn't affect network speed.
The article is a good read though.
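As an added example (not the author's script; the post mentions a Perl script but does not show one), here is a small Python generator for the named.conf stanzas and the shared zone file described above. The bad-site list, the zone file path /etc/bind/sinkhole.zone and the sink address are assumptions; the one thing it does beyond the post is drop list entries that a parent zone already covers, since the wildcard answers for every subdomain anyway.

```python
#!/usr/bin/env python3
"""Added example: generate BIND 'sinkhole' zones from a bad-site list.

Every listed domain becomes a master zone in named.conf; all of them share one
zone file whose wildcard A record points at the sink web server. The list, the
zone file path and the sink address below are assumptions, not the page's.
"""
import ipaddress
import re

# Constructed sample bad-site list (NOT a real list): mixed case, a duplicate,
# a subdomain already covered by a parent entry, a comment and a junk line.
SAMPLE_LIST = """\
# constructed bad-site list
Ads.Example.com
ads.example.com
tracker.ads.example.com
badsite.example.net
not a hostname!
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def normalize(text):
    """Sorted, de-duplicated zone names from a raw list.

    Drops comments and junk, and drops any name whose parent is also listed:
    the wildcard in the shared zone file already answers for every subdomain,
    so a child zone would be redundant (with 21,000 zones, that matters).
    """
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line and HOSTNAME_RE.match(line):
            names.add(line)
    covered = set()
    for name in names:
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if any(parent in names for parent in parents):
            covered.add(name)
    return sorted(names - covered)


def named_conf_stanzas(zones, zonefile="/etc/bind/sinkhole.zone"):
    """named.conf fragment: one master zone per bad site, same file for all."""
    return "".join(
        'zone "%s" { type master; file "%s"; };\n' % (zone, zonefile)
        for zone in zones
    )


def sinkhole_zone(sink_ip):
    """The single shared zone file.

    BIND will not load a zone that lacks SOA and NS records, so they are
    present, written against '@' (the zone origin) so the file stays valid
    for every zone that includes it. The apex A record catches the bare
    domain; the wildcard catches everything under it. The short TTL lets a
    zone removed from named.conf fall out of the web cache's resolver quickly.
    """
    ip = str(ipaddress.IPv4Address(sink_ip))  # raises ValueError on garbage
    return "\n".join([
        "$TTL 300",
        "@\tIN SOA\t@ hostmaster 1 3600 900 604800 300",
        "@\tIN NS\t@",
        "@\tIN A\t%s" % ip,
        "*\tIN A\t%s" % ip,
        "",
    ])


if __name__ == "__main__":
    zones = normalize(SAMPLE_LIST)
    print(named_conf_stanzas(zones), end="")
    print(sinkhole_zone("192.168.4.58"), end="")
```

Run it and append the first chunk of output to named.conf on the sinkhole server, and write the second chunk to the zone file path; reload named and point only the web cache at that server.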
Wednesday, May 14, 2003
Fizzer Hype
Following is a summary about the Fizzer worm that I've built from various sites. (The summary is aimed more at the service provider or corporate level but you get the idea.) At first glance it's pretty scary (which is why the media liked it) but if you look closer there are very easy-to-perform methods of blocking the worm.
Fizzer is a mass-mailing worm that also attempts to spread through P2P file sharing. It contains an IRC backdoor, a DoS attack tool, a key logger, an AIMbot, an anti-virus killer, a built-in SMTP engine and a built-in web server.
Once the worm has infected a machine, it attempts to connect to Geocities to obtain updates (supposedly Geocities has already disabled the site). The worm scans for e-mail addresses in the Windows address book, Outlook contacts, cookie files, temporary Internet files, and the current user's personal folder, and also generates random addresses. It is capable of spoofing the "From:" address in any mail that it sends out. It is capable of using its own SMTP engine or any of several hundred external mail servers (an open relay list?).
The IRC backdoor connects to one of over a hundred IRC servers. A very extensive list of the IRC servers it can connect to is available at the BullGuard link below. It has been reported that the worm spouts miscellaneous drivel in the IRC channels such as:
the horribly bad wealth
Hate is beauty. :)
These may be the same strings that are used in the subject lines of the mass mailings. The links at the end of this document list those possible strings.
The default port for the web server is TCP port 81. The web server acts as a command console, displays various information about the infected machine and allows various attack commands to be executed.
The default ports for the IRC backdoor include TCP ports 2018-2021. This allows remote control of the infected system.
Signs to watch for at the NOC level:
- abnormal increases in mail traffic
- attempts to connect to IRC ports (TCP 6660-6670) (this should already be blocked at the premise router)
- attempts to connect to AOL IM services (TCP port 5190)
- active searches should include network scans for services listening on TCP ports 81, 1214, 2018, 2019, 2020, 2021
Recommendations for minimizing risk of infection:
- block outbound IRC traffic
- block outbound AOL IM traffic
- block outbound Kazaa traffic
- log all high-port to high-port traffic. Review logs on a daily basis. High port to high port traffic should be tested to determine if it is Kazaa-based.
- ensure the proper anti-open-relay configurations are applied to all mail servers and e-mail handling systems
- employ visual metrics so that NOC personnel have an idea of what "normal" and "abnormal" traffic looks like.
- use the most recent anti-virus scan engines and signature files
One of the difficulties with the above is the recommendation of blocking KaZaA traffic. While TCP port 1214 is the default, KaZaA is capable of using dynamically assigned ports. This means that NOC personnel will have to monitor high-port to high-port traffic and test anything that looks suspicious.
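The "signs to watch for" above can be turned into a log triage script. The following is an added example, not from the original post or any of the vendor write-ups it cites: it reads iptables-style LOG lines (the sample lines are constructed, using RFC 5737 and RFC 1918 addresses), tags new TCP sessions to the IRC, AIM, Kazaa and Fizzer backdoor ports, flags high-port-to-high-port sessions for the manual Kazaa check the paragraph above calls for, and counts outbound SMTP sessions per host against an assumed threshold to catch the mail-traffic spike.

```python
#!/usr/bin/env python3
"""Added example: triage firewall log lines for the Fizzer indicators above.

Reads iptables-style LOG lines and reports new TCP sessions to the IRC, AIM,
Kazaa and Fizzer backdoor ports, high-port-to-high-port sessions (the Kazaa
dynamic-port problem), and hosts opening an unusual number of outbound SMTP
sessions. The log lines and the SMTP threshold are constructed assumptions,
not data from the page or the vendor write-ups.
"""
import re
from collections import Counter

IRC_PORTS = range(6660, 6671)
FIZZER_PORTS = {81, 2018, 2019, 2020, 2021}   # web console + IRC backdoor
AIM_PORT, KAZAA_PORT, SMTP_PORT = 5190, 1214, 25
MAIL_THRESHOLD = 3   # assumed: SMTP sessions per host per window; set from your baseline

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines, not a real capture. eth0 is the inside interface.
SAMPLE_LOG = """\
May 14 10:01:02 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=3421 DPT=6667 SYN
May 14 10:01:03 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.8 PROTO=TCP SPT=3422 DPT=5190 SYN
May 14 10:01:04 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=3423 DPT=25 SYN
May 14 10:01:05 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=3424 DPT=25 SYN
May 14 10:01:06 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.11 PROTO=TCP SPT=3425 DPT=25 SYN
May 14 10:01:07 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=203.0.113.12 PROTO=TCP SPT=3426 DPT=25 SYN
May 14 10:01:08 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=203.0.113.50 PROTO=TCP SPT=4011 DPT=1214 SYN
May 14 10:01:09 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.31 DST=203.0.113.51 PROTO=TCP SPT=4012 DPT=34567 SYN
May 14 10:01:10 fw kernel: FW-IN IN=eth1 OUT=eth0 SRC=203.0.113.77 DST=192.168.1.20 PROTO=TCP SPT=2212 DPT=2019 SYN
May 14 10:01:11 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=192.168.1.1 PROTO=UDP SPT=1025 DPT=53
May 14 10:01:12 fw kernel: FW-OUT IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=1026 DPT=80 SYN
"""


def parse(line):
    """Fields of one iptables LOG line, or None if it is not a new TCP session
    (only SYNs are counted so that each session is seen once)."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "SYN" not in line.split():
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def classify(rec):
    """Tag one session, or None if it matches no indicator."""
    dpt = rec["dpt"]
    if dpt in IRC_PORTS:
        return "irc"
    if dpt == AIM_PORT:
        return "aim"
    if dpt == KAZAA_PORT:
        return "kazaa"
    if dpt in FIZZER_PORTS:
        return "fizzer-backdoor"   # inbound to a client here = someone using the backdoor
    if rec["spt"] > 1023 and dpt > 1023:
        return "high-to-high"      # test by hand: Kazaa moves off 1214
    return None


def triage(lines):
    """Findings as (tag, src, dst, dport) in log order, plus one 'mass-mail'
    finding per host that exceeds MAIL_THRESHOLD outbound SMTP sessions."""
    findings = []
    smtp_sessions = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["dpt"] == SMTP_PORT:
            smtp_sessions[rec["src"]] += 1
        tag = classify(rec)
        if tag:
            findings.append((tag, rec["src"], rec["dst"], rec["dpt"]))
    for src, count in sorted(smtp_sessions.items()):
        if count > MAIL_THRESHOLD:
            findings.append(("mass-mail", src, "*", SMTP_PORT))
    return findings


if __name__ == "__main__":
    for tag, src, dst, dport in triage(SAMPLE_LOG.splitlines()):
        print("%-16s %-15s -> %-15s port %d" % (tag, src, dst, dport))
```

On the sample lines, 192.168.1.20 is tagged five ways (IRC, AIM, an inbound connection to its 2019 backdoor port, and a mass-mail burst), which is the pattern the list above describes; 192.168.1.31 turns up only as Kazaa on 1214 plus one high-to-high session, which is exactly the kind of line that needs a manual look. Feed real lines in with `grep FW- /var/log/messages | python3 triage.py` after swapping the sample for stdin.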
Systems affected: Win95/98/ME/NT/2K/XP
Sources:
Symantec
McAfee
BullGuard
The McAfee link above has a good analysis of the worm.
Tuesday, May 13, 2003
Trustix 2 Beta 2
Mine? How about: you know you're having a bad week when:
- You find yourself watching a news feed hoping not to see your sister-in-law at her place of employment which also is the current scene of a hostage situation which includes automatic firearms.
- you contract some sort of bug which requires 10 minutes rest for every 5 minutes of movement.
- your friend calls to let you know their dog died a very painful death (massive and abrupt liver failure)(the dog was a friend of the family too)
- and finally, you come home from work, on Monday, with one ankle much bigger than the other.
Luckily, I have a recliner, a big bag of ice and a really long network cable.
Anyways, today's entry comes from HelpNet Security. They have a short announcement concerning the release of the second beta version of Trustix 2, intended for those of us/you that "just gotta have" the cutting edge stuff.
For those of you that don't know what Trustix is: it's a Linux distribution that's supposed to be very secure and is intended for use as a server (there's no X included). You can read more about it at its home page.
Sunday, May 11, 2003
Open Source Digest
Saturday, May 10, 2003
Acer 3300u
For the second weekend in a row, I've successfully geeked on the cheap. I recently bought an Acer 3300U flatbed scanner from the clearance bin. Cost me $10 (actually $30 with a $20 instant rebate which the store still honored). It worked nicely under Windows but I rarely use Windows and wanted it over on the Linux box with all my other toys (some work, some don't).
To make a few hours of pounding short, I basically worked from this. I had to change a few things:
- "options scanner vendor=0x04a5 product=0x20de" vice "options scanner vendor=0x04a5 product=0x20b0"
- "firmware /etc/sane.d/u222v062.bin" vice "firmware /usr/local/etc/sane.d/u176v042.bin"
- and had to tell xsane where to find it --> "xsane snapscan:/dev/usb/scanner0" (autodetect didn't work in this case)
but that's all it took to get it to work under XSane.
Mega-thanks to http://homepage.tinet.ie/~mjconry/index.html!!
USB BlueTooth
I've recently had to talk, at length, about the difference between various wireless technologies and even had to explain that BlueTooth is adhoc but adhoc doesn't necessarily mean BlueTooth.
So when LSN pointed this out, I just had to add it to the "For Future Reference" category. Anyone seen these in the states yet?
No entry
Friday, May 9, 2003
Accent reversion
I've made repairs to the previous post. Guess it doesn't help that I've lived in Hawaii, Chicago, and the South during the last 20 years.
Mahalo, y'all!
Basic Snort use
Thursday, May 8, 2003
Michal Zalewski
In short, Michal Zalewski has been a contributor to phrack and has various oddities/interesting items on his site including encryption tools, C tools, security tools and a really odd chatbot. All-in-all, a prolific author.
Tuesday, May 6, 2003
Photos from home
I'll be the first to admit that I grew up in an area populated by old hippies and hillbillies (when the railroad left, the area went into deep recession). What do these people do when one of their own undergoes surgery? Throw a fund-raiser! (This is the same area of the state that sponsored and sold tapes to B.A.N.D.I.T.S.) (Google THAT one!)
Caption from the Evening Tribune:
HOLLY FAWCETT
Garner Rush, front left, hugs a friend while dancing to solar-powered live music at Pollywogg Hollier near Phillips Creek Sunday during a fundraiser for Rush, who is recovering from surgery following a ruptured appendix.
SSH Key Interoperability
Sunday, May 4, 2003
Why forging e-mail should be considered identity theft...
Personally, I don't care if it's made up addresses that most spammers use. The idea is that they're pretending to be someone else when they send those e-mails. (Ignoring the fact that, occasionally, they'll accidentally use the address of a real person.) (Okay, including the fact...)
Geek alert! Geek alert!
Yesssss! I have attained additional geek points this afternoon.
I was killing time in Radio Shack today while my wife was "saving money" in Fashion Bug. I noticed that the price for a SnapDialer cable had dropped to below $20, so I took a chance. Luckily, I decided not to buy the software at the same time.
I took it home, did a quick Google search, and found Nate Carlson's page. It only took a half-hour of tweaking his scripts before I was online (at 9600 baud) at the local chat site.
Slow as it was (I haven't used 9600 baud in over a year), I still consider it a valuable addition to capabilities since I don't have any Internet access if I go visit my parents. Now I won't have to go without for extended periods of time. I may have to drive to the top of the nearest hill to get a signal but at least I'll be able to grab my mail.
Look at this to take a gander at my settings.
Saturday, May 3, 2003
joatBlog templates
(It's not really a template or a style. Rather, consider it a method of handling the templates and styles.)
A couple people requested that I post my blog configs, so here they are. It's the result of constant tweaking (I've been told I fidget too much) and experimenting with various tools. There's a chance that no two of these tarballs will ever be the same. Please note that this is a work-in-progress.
A nice thing about the method I've used is that it breaks up the site config into much smaller, easier-to-manage chunks (heavy use of PHP's include command).
Prerequisites: An MT blog and a PHP-capable web server.
If you use this method, please give me credit, a shoutout, or a trackback. You don't have to. It's just nice to have your work appreciated.
Friday, May 2, 2003
Detecting NAT Devices
It makes some assumptions about operating systems and where in a network you are able to capture traffic but should be a good starting point for gathering an in-depth picture of, at least, your own network.