Monday, February 28, 2005
VoIPong
able to (supposedly) detect and capture SIP, H323, Skinny, RTP and RTCP-based conversations. According to the home page, this thing worked properly when stuck into a 45MB/sec feed.
Sunday, February 27, 2005
Asterisk
I've got it installed on the laptop so that I can take a play around
with configuration and poke at the software.
Take a look at the feature list (http://www.asterisk.org/index.php?menu=features) and see if you have the same response that I had: OMFG! (heh) I only need about two of those features for what I want to do but I'll probably stand up a full blown install at a later date.
IA & Digital Evidence
- Authentication of Evidence
- Information Assurance Services
- Information Assurance Applied to Digital Evidence
- Digital Video Evidence System
- Generalized Information Assurance Solution
- Daubert Compliance
Saturday, February 26, 2005
Convergence or just more trouble?
numerous "stars" were inconvenienced or lost part of their "privacy".
The local news show did the usual sensationalist "what can hackers get
from your cell phone" bit.
I just wanted to make a comment that things
are only going to get worse as we buy personal video players with
wireless capabilities and camera cell phones with Internet capability.
The politics are only going to get worse also.
As an example, there's
a group in DC called "Enough is Enough" that is upset that Congress has
not prevented Playboy from making their content available via WAP.
Seems that parents are concerned about what their teenagers can download with their Internet-enabled cell phones.
Ten points to anyone who can come up with what parents should do if they're actually concerned about what their children do with cell phones.
Friday, February 25, 2005
Bloat
post, I'd like to suggest the term "bloat" for the condition
described. We all suffer from it from time to time (on a regular
basis?).
Thursday, February 24, 2005
IPv6 Cookbook
Cookbook will probably come in handy.
Wednesday, February 23, 2005
AODV
but, what the heck, I like tweaking the wireless box.
In any case, here's the page for the Ad hoc On-demand Distance Vector (AODV) kernel module for reactive routing.
In other words, I want to try mesh networking. I'll keep you posted.
Tuesday, February 22, 2005
Under construction
What did I learn today?
Monday, February 21, 2005
w00t! IPv6!
today. I was using the wrong prefix in my radvd.conf file which was
causing my return traffic to go to someone else's network. At one
point, I had a nasty routing loop which spiked the traffic level.
I
did get it corrected and I'm now able to ping6 sites. In any case, I've got a basic write-up of it here.
Props to Sysmin and Quigon (The Hacker Pimps) for reminding me about IPv6 and turning me on to OpenWRT. Try to find the PDF of their presentation for a little extra help in playing with the 54G.
OpenWRT
to OpenWRT's. So far, it has a lot fewer load issues (less junk running on it) and I'm able to separate the wired from the wireless in-house networks. Things I learned in getting the system up and running:
- RTFM - it helps to read the docs and the stuff available on the website (especially the part about what happens if you hold in the reset button while power cycling)
- most of your custom changes go in S99done, NOT S10boot!
- trying to stand up an additional AP is harder than replacing the original AP
- keep notes on everything, draw a basic network diagram and label the interfaces
- have a backup copy of a working firmware before you make any changes
- extra cables come in handy
- installing the tcpdump package as early as possible helps immensely
- and, again, RTFM!
I have a request to all
the other OpenWRT users --> document how you did it so the rest of us
can benefit (I'll post mine shortly).
Sunday, February 20, 2005
Arrg!!
can be a frustrating experience. I know I have the tunnel part up and
running as I can "ping6 www.kame.net" from the 54G. Tcpdump shows the
packets going out and coming back. The ping6 output looks okay.
The
problem is when I "ping6 www.kame.net" from the computer. Tcpdump shows
the packets going out but not coming back. I suspect the problem is in
the radvd configuration (i.e., the wrong prefix is being
assigned??).
Maybe someone reading this can tell me what I'm doing wrong, so I'll post the data here. I use Hurricane Electric's tunnel broker (http://www.tunnelbroker.net).
Tunnel Information:
Server IPv4 address: 64.71.128.82
Server IPv6 address: 2001:470:1F00:FFFF::656/127
Client IPv4 address: My IP Address
Client IPv6 address: 2001:470:1F00:FFFF::657/127
Assigned /64: none
ASN: none
Last Ping6: Sun, Feb 20 3:07 pm PST
Last Inbound Packet: none
Registration Date: Sun, Feb 20, 2005
Update: You have to click on the "Submit" button on the "/64 Allocation" page, whether or not you fill in the DNS entries. Otherwise, you don't get the /64 allocation. So, "Assigned /64:" in the table above should read: 2001:470:1F00:911::/64
From /etc/init.d/S99done:
# load the IPv6 stack and the ip6tables modules, then let the router forward IPv6 between the LAN and the tunnel
insmod ipv6
insmod ip6_tables
insmod ip6table_filter
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
From /etc/init.d/rcS:
# set up the IPv6 tunnel (6in4 to Hurricane Electric; MYIPADDRESS is the router's public IPv4 address)
ip tunnel add he.net mode sit remote 64.71.128.82 local MYIPADDRESS ttl 255
ip link set he.net up
# our end of the point-to-point /127 from the tunnel information above, plus a default route through the tunnel
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
ip route add ::/0 dev he.net
# list the IPv6 addresses now configured (diagnostic only)
ip -f inet6 addr
# LAN side: the /64 to hand out to clients, then start the router advertisement daemon
ip -6 addr add 2001:470:1F00:CAFE::1/64 dev eth1
radvd
Am I missing something?
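The Feb 21 entry above says the culprit was the wrong prefix in radvd.conf, and the rcS above hands eth1 a /64 (2001:470:1F00:CAFE::) that is not the /64 the broker actually routes to this tunnel (2001:470:1F00:911::/64, per the update). Here is an added example, not part of the original post, that checks a LAN prefix against the tunnel information before it goes into radvd.conf and renders a minimal radvd.conf fragment; the check_lan_prefix() and radvd_conf() names and the ordering of the checks are my own.

```python
import ipaddress

# Values from the post: the tunnel's point-to-point /127 endpoint and, per the
# "Update", the /64 that Hurricane Electric routes to that endpoint.
TUNNEL_ENDPOINT = ipaddress.IPv6Interface("2001:470:1F00:FFFF::657/127")
ROUTED_ALLOCATION = ipaddress.IPv6Network("2001:470:1F00:911::/64")


def check_lan_prefix(lan_addr, routed=ROUTED_ALLOCATION, tunnel=TUNNEL_ENDPOINT):
    """Validate the address/prefix put on the LAN interface (and therefore
    advertised by radvd). Returns (ok, reason)."""
    net = ipaddress.IPv6Interface(lan_addr).network
    if net.prefixlen != 64:
        return False, f"{net} is a /{net.prefixlen}; SLAAC clients need a /64"
    if net.overlaps(tunnel.network):
        return False, f"{net} covers the tunnel point-to-point link, not a LAN"
    if not net.subnet_of(routed):
        # This is the failure mode in the post: packets leave fine, but the
        # broker routes the replies to whoever actually owns that prefix.
        return False, f"{net} is not inside the routed allocation {routed}"
    return True, f"{net} is routed to this tunnel endpoint"


def radvd_conf(lan_addr, interface="eth1"):
    """Render a minimal radvd.conf for a prefix that passed the check."""
    ok, reason = check_lan_prefix(lan_addr)
    if not ok:
        raise ValueError(reason)
    net = ipaddress.IPv6Interface(lan_addr).network
    return (
        f"interface {interface} {{\n"
        "    AdvSendAdvert on;\n"
        f"    prefix {net} {{\n"
        "        AdvOnLink on;\n"
        "        AdvAutonomous on;\n"
        "    };\n"
        "};\n"
    )


if __name__ == "__main__":
    # The prefix used in the post's rcS, then one inside the broker's /64.
    for candidate in ("2001:470:1F00:CAFE::1/64", "2001:470:1F00:911::1/64"):
        ok, reason = check_lan_prefix(candidate)
        print(("OK  " if ok else "BAD ") + reason)
    print(radvd_conf("2001:470:1F00:911::1/64"))
```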
GoogleMaps XML
and this (http://jgwebber.blogspot.com/2005/02/mapping-google.html#c110798361261777788), GoogleMaps output can be switched to XML by adding "output=xml" to the URL.
The feature
probably won't last that long if it gets abused (now that it's known)
but it'll be interesting to see what happens with it...
GooglePot?
Honeypot is the reaction to a new type of malicious web traffic: search
engine hackers.
Here's my take on it (please correct me if I'm
wrong):
- It's not a new type of malicious web traffic. Google's spider generates the traffic (it's legitimate traffic). At that point, exposure is your (the owner's) problem.
- It's not a new type of malicious web traffic. It's a reconnaissance technique and is not necessarily malicious as the tools/techniques are available to all.
- I think it slightly misses the definition of a honeypot in that attackers are researching known exploits via Google and are getting pointed towards GHH. At best, you might get a list of IPs attempting to exploit a vulnerability.
- As GHH relies on Google entries to point to the honeypot, it lessens Google's accuracy just a bit more (little though it may be).
That said, I'd still like to try
it out as it IS an interesting approach.
Comments, thoughts,
beatings?
Saturday, February 19, 2005
Huh?
Two amateurs performed a make-believe (the article says "hypothetical") study of that old horse called "mine-is-more-secure-than-yours" and announced a winner, but then said that they couldn't afford to include any other OS's other than the two worst to begin with? Does anyone else smell sensationalism? Or stinky feet (sock puppets)? Why don't they just say that your kids are in danger or that old people will die?
Anyone else in 757 want to help do a study on these studies? It might get us into a Con or two...
Why Johnny Can't Encrypt
Encrypt" is referenced often when discussing cryptography and
crypto tools. Basically, it's a study of the shortcomings in the PGP
interface. Some of it may be OBE as the paper is over five years old
and external interfaces (e.g. mail clients) have matured somewhat.
Friday, February 18, 2005
Security Links
page of security-related links.
Thursday, February 17, 2005
Wireless
Now to figure out how to get an IPv6 connection up and running. I've
added various applicable links in the Wireless section of the wiki.
Not a solution
off" or "make the problem so obnoxious that you cannot fail to notice
it". His
solution is based on the assumption that people pay attention to
things.
Quick quiz: without looking, what color is the lock in the
corner of your browser? Okay, how about in its other state?
Wednesday, February 16, 2005
Spammer profile
The following URL's show up in unending attempts to post comment spam to the blog:
All of the above translate to IP address 219.150.118.16
A WHOIS lookup of 219.150.118.16 results in:
A WHOIS lookup of future-2000.net results in:
A WHOIS lookup of ronnieazza.com results in:
As both registrants are in the middle of Manhattan Island at addresses that do not correspond to any mailing address known to Google or Yahoo, I'm willing to bet that they're fake. Let's take a look at the mailing addresses for the technical and administrative contacts.
A WHOIS lookup for support-2000.net returns:
Ah, it's that nice Registrar in France: Gandi. How about the other? A WHOIS lookup for support-24x7.biz returns:
Yep, the nice Registrar again. Let's look at mail servers...
The mail server for future-2000.net is:
Hmm... Doesn't exist. If we ask ns0.future-2000.net we get:
So it doesn't exist. An "A" query for future-2000.net (just in case it's an explicit name rather than a MX) yields similar results. Actually, any query to ns0.future-2000.net returns only pointers to the root servers. This might be valuable later in complaining about the domain.
Also, please note that the root servers indicate that the domain is served by ns0.future-2000.net and that it is at 219.150.118.16. This most definitely is valuable when we look at server headers below.
The mail server for support-24x7.biz is:
Let's see if we can grab web server headers:
This could be the standard redir that some of the registrars have started doing. (Yeah, even Network Solutions uses this unethical practice.)
Ah! Not a redirect! Grabbing www.future-2000.net returns a page that looks like:
This former info is currently under investigation - Due to mis-proper use of the hosting account Service Unavailable!
In the above, I disabled the following two lines:
<form name=frm method='post' action=' http://64.234.220.141/submitAbuse.php' onsubmit='return checkSubmit()'>
Somehow, I'm still not convinced. Let's take a look at that IP address. A reverse lookup of 64.234.220.141 returns:
A Google lookup on "shetef.com" leads to a slew of bloggers who've gotten this far and have complained about a spammer and are looking for someone to pound.
A WHOIS lookup on the 64.234.220.141 returns:
Just to play it safe, let's look at WebStream also. A WHOIS returns:
A DNS MX lookup on shetef.com returns:
The mail server for shetef.com is in yet another IP range? A WHOIS lookup on 67.18.52.66 returns:
A DNS reverse lookup on 67.18.52.66 returns:
Remember the WHOIS lookup for future-2000.net? It had the following DNS servers:
A WHOIS lookup on dns2005.net returns:
Again, Gandi.net. Also note the IP addresses for the DNS servers: 64.234.220.141. We've seen that one. It's our friend shetef.com again!
How about the DNS servers for ronnieazza.com? A WHOIS lookup on manage-dns.net returns:
Again, the Gandi registrar and the shetef.com DNS server. How about MX records for those two?
A DNS MX lookup on dns2005.net returns:
A familiar failure. A DNS MX lookup on manage-dns.net returns:
So MX records for manage-dns.net aren't configured. Remember that the WHOIS lookup for manage-dns.net points back to 64.234.220.141. Let's take a closer look at that IP. Remember the reverse lookup on 64.234.220.141 returned:
and that the MX record for shetef.com returned:
Connecting to port 25 on the mail server returns:
Pointing a browser at http://shetef.com () indicates that shetef.com is an Israeli software seller with the following info:
Grabbing the server headers for shetef.com returns:
The domain websitewelcome.com is registered via Enom, Inc. who does not give out their customers' domain info.
Grabbing the web server headers for http://escape.webserverwelcome.com returns:
Pointing a browser at http://escape.websitewelcom.com brings up the standard cPanel default page. So does pointing the browser at the IP address.
Performing a Google lookup on websitewelcome.com reveals that that domain appears to be a reseller client of hostgator.com. Suspiciously, it appears to be their only reseller client. One of HostGator's features is that reseller clients are allowed to host unlimited sites.
Pointing a browser at http://www.websitewelcome.com returns a directory listing.
Going back to shetef.com, a Google search reveals that CodyTheFreak is quite unhappy with shetef.com. He also points out a few extra domains. It appears that CodyTheFreak and I are the only ones that have traced the spammer back that far and have complained about it. All other Google entries appear to be spam for the shareware/software available on shetef's site.
I've probably missed a bunch of stuff associated with this spammer, but as I've spent the better part of a Saturday afternoon working on this, I'm going to drop it here.
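The pivoting in the write-up above (the same IP behind the comment-spam domains, the same nameserver IP behind their DNS, the reverse lookup leading to shetef.com and its mail server), expressed as code. This is an added example, not part of the original post; the relationships are reconstructed from the narrative (the nameserver hostnames under dns2005.net and manage-dns.net are not quoted, so those delegations are recorded at the domain level) and the function names are my own.

```python
from collections import defaultdict, deque

# (source, record type, value) triples reconstructed from the write-up above.
# Hostnames under dns2005.net / manage-dns.net are not quoted, so those
# delegations are recorded at the domain level.
OBSERVATIONS = [
    ("future-2000.net", "A", "219.150.118.16"),
    ("ronnieazza.com", "A", "219.150.118.16"),
    ("ns0.future-2000.net", "A", "219.150.118.16"),
    ("future-2000.net", "NS", "ns0.future-2000.net"),
    ("future-2000.net", "NS", "dns2005.net"),
    ("dns2005.net", "A", "64.234.220.141"),
    ("ronnieazza.com", "NS", "manage-dns.net"),
    ("manage-dns.net", "A", "64.234.220.141"),
    ("64.234.220.141", "PTR", "shetef.com"),
    ("shetef.com", "MX", "67.18.52.66"),
]


def build_graph(observations):
    """Undirected adjacency: each record links its source and its value."""
    adj = defaultdict(set)
    for src, _, dst in observations:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def clusters(observations):
    """Connected components: names and IPs joined by any A/NS/MX/PTR record
    land in one set, i.e. what the post treats as one spammer's setup."""
    adj, seen, groups = build_graph(observations), set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        groups.append(comp)
    return groups


def shared_values(observations, min_sources=2):
    """Values referenced by several distinct sources: the pivots (an IP or a
    DNS host) that tie the throwaway domains together."""
    users = defaultdict(set)
    for src, _, dst in observations:
        users[dst].add(src)
    return {v: s for v, s in users.items() if len(s) >= min_sources}


def pivot_path(observations, start, goal):
    """Shortest chain of records from one name to another (BFS)."""
    adj, seen, queue = build_graph(observations), {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in adj[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

shared_values() is the part worth keeping around when comment spam comes back under a new domain: a new name that resolves to 219.150.118.16 or delegates to 64.234.220.141 is the same operator and can be filtered on the IP rather than the domain.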
Tuesday, February 15, 2005
Monday, February 14, 2005
Sunday, February 13, 2005
Kostya Kortchinsky
Kostya Kortchinsky, who seems to be very prolific in the IPv6, honeypots, and security areas.
Saturday, February 12, 2005
Tivo Upgrade
between Thanksgiving and Christmas. I read in Tivo's support forums
that it's been taking about a month to get the 7.x upgrade. For me,
it's going on five weeks so it's supposedly going to happen any day
now.
Tivo! Save my wife's sanity! She can't stand to hear my
continuous kvetching about waiting for the upgrade. (heh)
Anti-419
devoted to DoS'ing the scam artists' fake bank sites. I don't know that
I'd recommend this approach as you can be prosecuted in most places for
DoS'ing someone.
It is interesting to watch though.
Blogging
Steganography pages to the wiki (links at the top-center of this page).
More ShmooCon
Friday, February 11, 2005
PodCasting
I recently started listening to various people's podcasts on the way into work (a 1-hour drive).
Thursday, February 10, 2005
Wednesday, February 9, 2005
ShmooCon end
To add to what Richard has said:
- Brian was pressed for time towards the end so he started talking faster (syllables and inflections intact). So much so that only those of us from NY could understand him.
- There were some shenanigans at the conference but not enough to involve evictions or law enforcement. (Those involved will have to incriminate themselves.)
- Richard's picture of Renderman wearing his warpack doesn't do it justice. In the picture, it's disassembled, missing the two antennas that stick up about two feet higher than that hat, missing the cables, and missing the other hand-held antenna (that's the only one he's holding). Someone out there has a better picture.
- Here's a version of the story about the vulnerability that the Shmoo Group demo'd during the closing of the Con.
On behalf of the entire conference, I'd like to apologize to the religious group(s) occupying the two floors (of conference rooms) above us. We're not evil, we're just drawn that way. (At least three older women ignored my attempted Jedi warning of "you don't want to go down there" and rounded the corner just in time to see the word "fuck" displayed on a large plasma screen display.) Someone in hotel booking had a sense of humor, booking the hacker convention on the bottom floor and filling in with church groups above.
Lastly, I propose a game for next year. DefCon has "Spot the Fed". Given the location and the size of the conference, spotting a Fed would have been too easy. How about we run "Spot the Author" as an east coast game? I was able to meet/talk to/drink beer with Jason Scott and Richard Thieme. I molested Johnny Long for an autograph and would have liked to meet Richard Bejtlich and a few others. Rather than throwing a party at a club across town, have the authors hold court in the lobby bar and pay their tab. (Rumor has it that the mostly non-author liquor sponges went through $6K of free booze at the club in less than an hour. For the math challenged, that's a bit over $100 of alcohol per minute.)
Oh, and thanks to the GrayArea.info bunch for fronting for those of us that were avoiding the dress code and the DC cab ride.
Tuesday, February 8, 2005
Shmoo Presentations
want to anger the quota gods here.)
Monday, February 7, 2005
Caezar
Saturday: "Life sucks." However, he wasn't talking about his own life.
He was justifying why we, as security professionals, should make things
simple and safe enough for the inbred yokel to use.
None of that is a
direct quote but you get the idea...
Target-based IDS
interesting stuff is coming for Snort: New data acquisition modules
(you'll be able to take the packets rejected by your IPFW/IPTables/etc.
and feed them into Snort for analysis). New stream reassembly modules.
IPv6. New defrag modules.
Based on the presentation and depending on
how it's implemented, Snort could get very complicated for production
environments.
Sunday, February 6, 2005
Saturday, February 5, 2005
WRT54G
To be fair, I won't name it/talk about it until they post it.
Friday night
In any case, the con started nicely. Bruce Potter gave the opening speech, embarrassing both his wife and his mother. (If Heidi blushed any harder, she'd probably fall over.) Bruce needs more hecklers (he can handle 'em). He introduced the rest of the Shmoo Group (that were present). Anyone missing was declared "at the liquor store" by those plants in the audience.
Although Brian Caswell's (AKA Cazz) talk on autoloading Snort rules amounted to watching someone show off a script, it was entertaining and evoked some thought. Brian needs fewer hecklers but the argument over crypto was funny.
It was a bit scary seeing Tina Bird wander through the audience with her CAT-5 of nine tails. The guys in the front row were having a good time with the Guinness and shots. Rodney needs to get over the little things.
Sightings include: the Shmoo Group (of course), various of the Ghetto Hackers, Dark Tangent (who autographed at least one book at the Culture Junkie stand), various acronym'd people and 757. I haven't seen so much leather, hair (or lack of), and body piercings since the Friday night when I was stranded in Port Authority (NYC).
Immediately after the scheduled talks, Tina was seen with a group in tow, headed into town. People that were interested in the whip? Where were they going?
Friday, February 4, 2005
IPSec Howto
On the road
Thursday, February 3, 2005
Forensic discovery with MACtimes
article on forensic discovery via MACtime examination by Dan Farmer and Wietse Venema.
Wednesday, February 2, 2005
Wine + Java
"Running Wine on the Sun Java Desktop System".
Tuesday, February 1, 2005
IBM's networking series
- Part 1 - Build a DNS server with ISC BIND (http://www.ibm.com/developerworks/edu/l-dw-linux-lpndns-i.html?ca=drs-l5004)
- Part 2 - Set up a DHCP server to manage IP addresses (http://www.ibm.com/developerworks/edu/l-dw-linux-lpndhcp-i.html?ca=drs-l5004)
- Part 3 - Integrate Linux and Windows with Samba (http://www.ibm.com/developerworks/edu/l-dw-linux-lpnsamba-i.html?ca=drs-l5004)
Shmoo Registration Closed!
WAY over 400 people are attending ShmooCon 2005! We're pleased to announce that ShmooCon 2005 has SOLD OUT! Registration is CLOSED as of 4 PM EST! w00t! However, five (5) ShmooCon attendee registrations, each with coveted speaker party passes, are being auctioned on eBay by the Shmoo Group, with all proceeds going to the Electronic Frontier Foundation. If there's anyone you know that is still trying to get to ShmooCon, they can view the available attendee registrations on eBay here: http://search.ebay.com/_W0QQsassZshmoocon Bidding closes in less than 3 days! Sincerely, Beetle