
August 2009 Archives

PaulDotCom Security Weekly - Episode 165 - August 27, 2009


In this episode of PaulDotCom Security Weekly we have a very special guest, Daniel Suarez the author of "Daemon", one of the best books we've ever read here at PaulDotCom. You can read my full review of the book, and listen to a full interview with Dan on this episode!


Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


Book Review: "Daemon"


Life Changing

Daniel Suarez's "Daemon" gives new meaning to "blue screen of death", and is hands down the best techno-thriller you will ever read, period. I've thought long and hard about an opening line for this post, and I truly mean what I say: this book changed my perspective on how I view the world. Not only that, but it is "pee your pants" scary as well. But not horror movie "Oh my God, look, zombies!" scary; more like the way that we as security professionals scare people by telling them about the evil things people do with computers and the Internet.

I have to admit, I have a love/hate relationship with Daniel Suarez. On the one hand, I love the guy for putting out one of the few books that I simply could not put down. Top that off with the "life changing experience" bit, outstanding technical accuracy, a story that is second to none, sex, violence, artificial intelligence, and we have a winner! On the other hand, I hate Daniel Suarez for causing tension between my wife and me because I thought I would take in some "light reading" on our recent vacation, and ended up with my face buried in my Amazon Kindle for a good portion of the trip.

"The Daemon"
I read my copy on the Amazon Kindle. It was very creepy to read it on the Kindle, as it is connected to Amazon's Whispernet (if you enable it). The Kindle can automatically download new content and software. As I was reading "Daemon", my Kindle screensaver became more dynamic and started to display new content. Very scary!

Off-The-Hook Techno-Thriller

There are few books that grab my attention immediately and captivate me so much that I just can't put them down. I have to admit, I'm not much of a book person. I guess I have a bit of A.D.D., so it's tough for me to stick with a book the whole way through. There are exceptions though. The last exception was "The Cuckoo's Egg" by Clifford Stoll, and that was 10 years ago. Then along came "Daemon", which just takes things to a whole new level.

The story revolves around a video game designer named Matthew Sobol. Sobol is a genius programmer who develops first-class artificial intelligence that is built into the hottest video games. However, he's been working on a side project, a program that looks for his obituary in the news, and if found, well, that's when the fun begins...

Real Technology

One of the things that impressed me the most, and made me wet myself, was the fact that the technology was believable. I found out after I finished the book that it's not only believable, but it's based on fact. If you visit the Daemon web site you will find a page dedicated to proving that the technology talked about in the book is based on real concepts, products, and theory. The hacking used in the book is not the popcorn, laugh-out-loud crap that we are used to seeing in the movies. There is SQL injection, cracking wireless networks with Asleap, and kernel-level rootkits. How can you go wrong?

MIT's DARPA Urban Challenge Entry
I've always wondered how well the automated parking system worked in the higher-end cars. You know, the ones that claim they can park themselves? The DARPA Urban Challenge takes it to a whole new level and invites teams to create vehicles that can drive themselves. If you think that's impressive, read "Daemon" and see how they are put to use.

Conclusion

I don't want to give away too much about the plot in this post, but I will say that I highly recommend this book to everyone. After listening to Daniel speak and give his reasons for writing the book, his mission is very much aligned with ours here at PaulDotCom: make people aware of the risks. Not just techie people either, but regular people who should give a damn but have become content thinking that things will never happen to them. "The Daemon" will make you question how much we rely on computers. It will make you feel funny when you get that automated call from Southwest Airlines telling you your flight has been delayed. You will distrust the automation built into the computers and networks that support our everyday well-being. It will make you think, "Could this be the Daemon?"

[Note: Daniel Suarez will appear on episode 165 of PaulDotCom, more information here.]

Please join us and Daniel Suarez, author of the runaway hit "Daemon", Thursday night for Episode 165 of PaulDotCom Security Weekly. The live stream should be active around 18:45 EDT (6:45 PM), Thursday, August 27th. Please keep in mind that the recording time is an estimate.


Episode 165 will also feature a Tech Segment by John Strand, following up on his fabulous posting on 'Scanning through TOR'.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

Ustream: PaulDotCom UStream Channel

Icecast: PaulDotCom Radio

Please join us, enjoy the show live, and thanks for listening!

- John, Paul, Mick, Larry & Carlos.

One of the issues that comes up on a regular basis when I talk with a group of penetration testers is how to approach scanning. Some would argue that a penetration test should not include scanning of the target network. The reason given is that external attackers would seldom perform these activities, as it would give away their position and the target environment may shun the attacking IP address.

On the other hand, there is a group of testers who would argue that we are hired to evaluate risk. As part of this task we need to take a wider view of our customers' networks and include scanning with tools such as Nessus and Nmap.

I would like to propose that a good attacker uses everything within their means to achieve their goals. In some situations they would focus on the social engineering aspect and in others they would use more traditional scanning techniques.

A good tester should be versed in both.

Valsmith and his crew gave an excellent presentation on client-side attacks at Defcon 17 this year. There was a great section in their presentation on using Tor networks for scanning. I wanted to elaborate on scanning with Tor and find ways to do it faster and better as a professional tester. The reason is that many environments utilize dynamic shunning to block attacking IP addresses. Now for a picture of a bunny with a pancake on his head to demonstrate just how effective this defense is:

Because pancakes are not defensive.

What if we had a number of "disposable" IP addresses we could use when we get shunned? Turns out we do. In order to follow the instructions on how to set this up, you will need to have the following software installed:

  • Tor

  • Privoxy

  • proxychains

  • tortunnel

  • nmap

    When you have all of the above software installed we are ready to start scanning through a Tor network. The video below uses Ubuntu Jaunty and demonstrates how to configure the tools listed above to scan through Tor:

    [Video: Tor and nmap with tortunnel from PaulDotCom on Vimeo]

    Let's review the commands and configuration associated with running a portscan through the Tor network:

    # proxychains nmap 209.20.73.195

    At first glance it looks like this is a fast and efficient way to run a scan. Unfortunately, it does not work. The default SYN scan builds its own raw packets, which proxychains cannot intercept, so you are not scanning through your Tor nodes.

    Rather, try this:

    # proxychains nmap -sT 209.20.73.195

    Now you are scanning through the Tor network. Painful, huh? The issue is that all of your packets are going through three Tor nodes. Further, these nodes may not be the fastest nodes on the planet. This reduces a full nmap scan to something that will take hours, if not days, for a larger network.

    But there is the little issue that you are not completely anonymous in your scanning. I have seen a few sites that reference the exact same scan I just ran above and say it is "safe". Not true! Nmap by default "pings" the remote host. As part of its detection of which hosts are alive and which are not, it sends ICMP packets to the target system(s). Let's fix this:

    # iptables -A OUTPUT --dest [TargetIP or range] -j DROP

    The above iptables rule will cause packets sent to the target environment that are not going through the Tor network to be dropped. The proxied scan itself only ever connects to the local SOCKS listener, so the only traffic this rule matches is traffic that would otherwise have leaked.

    Let's address the issue of speed with tortunnel by Moxie. Moxie is quickly becoming my favorite security researcher. Moxie wrote this program so your Tor activity goes directly to an exit node. This bypasses two of the three hops, greatly improving the overall speed of your scans. It is still not great, but it is bearable.

    To get tortunnel up and running you will need to edit your proxychains.conf file to use socks5. Also note that tortunnel listens on TCP port 5060. Below is the config line I have in my /etc/proxychains.conf file:

    socks5  127.0.0.1 5060

    We have to look up some fast, stable exit nodes to scan through. A complete list can be found at this URL. Next, we can start tortunnel:

    # ./torproxy [ExitNodeIP]

    The above command will set up the torproxy connection. Next, re-run your Nmap scan as follows:

    # proxychains nmap -sT -p 80,443,21,23 209.20.73.195

    It should now be faster. If it is still slow, try a different exit node. We can also surf to our target IP addresses through this node. But first we need to set up Privoxy to work through tortunnel. I edited my /etc/privoxy/config file to reflect the port and socks5 changes required to make the scan work. The line should look like this when you are done:

    forward-socks5   /               127.0.0.1:5060 .

    Now you can start firefox, enable Tor and you can do your manual checks.

    There are a couple of areas during a test where this works well. First, port scanning. Pick your ports wisely and scan. I see very little risk to the customer in doing this. The second area where this rocks is manual web checks over SSL. Just please verify that your session is SSL before you start launching attacks.

    Some would argue that scanning through a Tor network has more than a few problems. First, it is not completely anonymous. Someone can sniff your traffic on the exit nodes (Moxie's excellent tool sslstrip will allow you to do that). This may have implications in regards to your contract scope and rules of engagement. Just spend a few seconds thinking of a SQL injection attack where some third party gets the data too.

    In closing, I just want to say that shunning should not stop your testing. Further, shunning is not a 100% effective attack deterrent. Most IPS systems do not shun right away. It takes a certain threshold of scanning activity to get them to block you. But, they will block you. If they do, simply move on down the line to another node.
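From the defender's side, the two things this post exposes are the IPS threshold that triggers shunning and the host-discovery leak (ICMP and raw SYN packets never touch the SOCKS proxy, so they carry the tester's real address). The following Python is an added example, not code from the post or from any of the tools it names: it runs that logic over a few constructed iptables LOG lines, and the log lines, the Tor exit list, the four-port threshold and the 60-second window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables LOG lines (syslog prefix, "SCAN" log-prefix). Not a real capture.
SAMPLE_LOG = """\
Aug 27 18:50:01 fw kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Aug 27 18:50:02 fw kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=80 SYN
Aug 27 18:50:02 fw kernel: SCAN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=40002 DPT=443 SYN
Aug 27 18:50:03 fw kernel: SCAN IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=50110 DPT=80 SYN
Aug 27 18:50:04 fw kernel: SCAN IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=50111 DPT=443 SYN
Aug 27 18:50:04 fw kernel: SCAN IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=50112 DPT=21 SYN
Aug 27 18:50:05 fw kernel: SCAN IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=50113 DPT=23 SYN
Aug 27 18:50:05 fw kernel: SCAN IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.10 LEN=60 TTL=49 PROTO=TCP SPT=50114 DPT=22 SYN
Aug 27 18:51:00 fw kernel: SCAN IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=3344 DPT=443 SYN
"""

# Constructed exit list (assumption). In practice load the published Tor exit-node list instead.
TOR_EXITS = {"192.0.2.33"}

TS_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) ")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|TYPE|DPT)=(\S*)")


def parse_line(line, year=2009):
    """Pull the timestamp and the fields we care about out of one LOG line; None if it isn't one.
    syslog lines carry no year, so the year is a parameter (assumed 2009 here)."""
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not ts or "SRC" not in fields or "PROTO" not in fields:
        return None
    when = datetime.strptime(f"{year} {ts[1]} {ts[2]} {ts[3]}", "%Y %b %d %H:%M:%S")
    return {"ts": when, "src": fields["SRC"], "dst": fields.get("DST"), "proto": fields["PROTO"],
            "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
            "dpt": int(fields["DPT"]) if "DPT" in fields else None}


def max_ports_in_window(events, window_seconds):
    """Most distinct destination ports one source touched inside any sliding window."""
    hits = sorted((e["ts"], e["dpt"]) for e in events if e["dpt"] is not None)
    best = 0
    for i, (start, _) in enumerate(hits):
        ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
        best = max(best, len(ports))
    return best


def analyze(log_text, tor_exits, port_threshold=4, window_seconds=60):
    """Per-source verdicts:
    'threshold-exceeded' is the activity level a shunning IPS keys on;
    'icmp-echo' means the address sent a ping, which no SOCKS proxy can relay, so it is
      the scanner's own address rather than an exit node speaking for someone else;
    'tor-exit' means blocking this address only costs the scanner one exit node."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, events in by_src.items():
        tags = []
        distinct = max_ports_in_window(events, window_seconds)
        if distinct >= port_threshold:
            tags.append("threshold-exceeded")
        if any(e["proto"] == "ICMP" and e["icmp_type"] == 8 for e in events):
            tags.append("icmp-echo")
        if src in tor_exits:
            tags.append("tor-exit")
        report[src] = {"distinct_ports": distinct, "tags": tags}
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG, TOR_EXITS).items():
        print(f"{src:15} ports={info['distinct_ports']} {' '.join(info['tags']) or '-'}")
```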

    Remember, pancakes on ones head are not an effective deterrent.

    -strandjs (Fr. John)

    PaulDotCom Security Weekly - Episode 164 - August 20, 2009


    The Splunk Ninja himself, Michael Wilde, appears on the show to talk about all things log searching and management! Paul, Mick, and Carlos do a fabulous segment on Security FAIL.


    Full Show Notes

    Direct Audio Download

    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


    Please join us live at 22:45 UTC tonight for Episode 164 of the award winning, completely unabashed PaulDotCom Security Weekly. The live stream should be active around 18:45 EDT (6:45 PM), Thursday, August 20th. Please keep in mind that the recording time can be fluid, especially so in proportion to our intake of fluids (beer!).

    Episode 164 features Michael 'Splunk Ninja' Wilde, who promises to "take the sh out of IT" and discuss version 4 of Splunk.


    Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, enjoy the show live, and thanks for listening!

    - Larry, Mick, Carlos, John & Paul.

    rnicrosoft.net is back up!


    Ever since Nick Harbour won the "Race to Zero" contest with some radical anti-virus evasion techniques I have been looking for a copy of PE-Scrambler. But shortly after Defcon, his site disappeared and his application was not very easy to come by. Today I stumbled upon Nick's site and it is back up! I know several PaulDotCom listeners were also looking for a copy. Nick has several other cool tools out there such as command-line to clipboard I/O utilities, a pcap parser that extracts files, and APIThief for monitoring applications' API calls. What an awesome collection of work! Get it while the getting is good!

    rnicrosoft.net

    If the original source does go down here is a copy.

    PEScrambler_v0_1.zip

    MarkMac:Downloads mark.baggett$ openssl sha1 PEScrambler_v0_1.zip
    SHA1(PEScrambler_v0_1.zip)= 4da298902ee3db0eb0c42261819ba0132349f1d0
    MarkMac:Downloads mark.baggett$ openssl md5 PEScrambler_v0_1.zip
    MD5(PEScrambler_v0_1.zip)= 141cee7fbc8f620dca9bcfea9c47a4a5


    PaulDotCom Security Weekly - Episode 163 - August 13, 2009


    Roelof Temmingh and his henchman "Andrew" from Paterva / Maltego discuss penetration testing evolutions, information gathering, drinking, and the latest features in the soon to be released version 3 of Maltego!


    Full Show Notes

    Direct Audio Download

    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


    We go back to our regular recording time for Episode 163 at 7 PM EDT. The live stream should be active around 18:45 EDT (22:45 UTC), Thursday, August 13th. Please keep in mind that these times are estimates.

    Please join us for Episode 163: "The Replicant Episode" to hear Roelof Temmingh from Paterva / Maltego discuss his upcoming virtual populace. We will also feature a new PaulDotCom technical segment: "Web Spidering Tips And Tricks".


    Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, enjoy the show live, and thanks for listening!

    - Paul, Larry, Mick, John & Carlos.

    PaulDotCom Security Weekly - Episode 162 - August 6, 2009


    Our guest this week is Renaud Deraison, author of Nessus, the world's best vulnerability scanner!


    Full Show Notes

    Direct Audio Download

    Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas, Carlos "Dark0perator" Perez


    "TCP Fragment" evasion attacks


    By: Mark Baggett

    I recently read a very good article on tuning Snort's Stream5 preprocessor to avoid "TCP Fragment Overlap" attacks. It's a great article, but the wording confused me. I thought to myself, "TCP Fragments, that must be a mistake. The TCP header doesn't have a 'more fragments bit', a 'fragment offset' or anything to support fragmentation. How can there be any TCP fragments?"

    Typically when we talk about fragmentation attacks we think about Layer 3 attacks. Attackers manipulate the IP packet headers to pull off various insertion and evasion attacks. Examples of Layer 3 attacks include overlapping fragment attacks and temporal evasion (host reassembly timeout evasion). These attacks are explained pretty well in an article titled "Evading NIDS, revisited".

    So what is TCP or Layer 4 "fragmentation"? Really, it's overlapping or retransmitted datagrams with the same TCP sequence number. To demonstrate the concept I fired up a virtual machine running Backtrack 3. I ran a netcat listener on my host (nc -l -p 9000) and used a netcat client in Backtrack to connect to it. I fired up Wireshark to watch the packets and transferred the text "This is a test of the emergency broadcast system. If it were an actual emergency" between the two hosts. This is what Wireshark captured.

    Figure #1


    Perfect. Exactly what we would expect. Since my packet doesn't exceed the MTU of the established TCP connection, a single packet is transferred to the client with a single acknowledgment in return. If it had exceeded the MTU it still wouldn't have fragmented; it would have sent more than one datagram, each with its own unique IP ID.


    Then I created a fragroute configuration file with one line in it:

    tcp_seg 16

    This will cause fragroute to break the packets down so that they can only carry 16 bytes of TCP traffic. I start fragroute (fragroute -f ~/myfrag.conf 192.168.100.12) and transfer the same text between the hosts...

    Figure #2


    Fragroute works as expected and breaks the packets down such that only 16 bytes of data can be transferred in each packet. Each packet's sequence number increases by the number of bytes transmitted, and sequence numbers increase in order. Also, notice that each packet has its own unique IP ID field. There is NO FRAGMENTATION. The "More Fragments" bit isn't set. The fragment offset isn't set. No fragments. Instead, fragroute is transferring packets as if the MTU of the segment is only enough for 16 TCP bytes.

    So now let's do some "TCP fragmentation overlaps". I change my fragroute.conf file to say this:

    tcp_seg 16 new

    This will cause fragroute to transmit frames with overlapping sequence numbers. This attack takes advantage of the fact that the TCP layer doesn't pass data up the stack to the application until it has acknowledged the data, and that packets are acknowledged in sequential order. So if we skip datagram #3 and transmit datagrams #4, #5 and #6, then duplicates of #4 and overlaps of #5 and #6, the TCP stack needs to hold datagrams #4, #5 and #6 (as long as they are within the window size) and figure out what to do with the duplicates/overlaps once it receives fragment #3.

    To see this in action I fire up fragroute and retransmit the text "This is a test of the emergency broadcast system. If it were an actual emergency".

    Figure #3


    Let's look at the fragroute packets in Figure #3. The first two datagrams (#1 and #2) are garbage; their payload is random junk. Then fragroute transmits good data in packets 4 and 5. The payload here is the end of our text, "If this had been an actual emergency." After the 4th packet the receiving host begins screaming to the transmitting client: "HEY DUDE, ACK 2933750986. I didn't get that one yet". The receiving TCP stack is complaining about not receiving the first datagram. Then fragroute sends 2 packets with 32 TCP bytes in each. These two datagrams include the FIRST datagram (notice packet #10 has the lowest sequence number and the embedded text payload). Parts of these two packets overlap packets 1 and 2: packet #9 overlaps 16 bytes of packet #2, and 16 bytes of packet #10 overlap packet #1. If the TCP reassembly engine favors NEW packets then it will reassemble the text as expected. If the IDS reassembles the packets favoring the OLD packets then we can bypass the IPS.

    If we were drawing analogies to Layer 3 fragment attacks, holding the low sequence number datagrams is equivalent to setting the "more fragments bit", and the sequence number is the equivalent of the fragment offset. So how do we fix this? The attacks aren't new. Snort has the Stream5 preprocessor. Just be sure that you tune Stream5 just like your Frag3 preprocessor.
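To make the favor-OLD versus favor-NEW distinction concrete, here is an added Python model of the Figure #3 exchange; it is not code from this post, and the segment layout, the junk bytes and the "old"/"new" policy names are constructed simplifications of what fragroute sent and what Stream5 configures, not either tool's exact behaviour. It also shows the check a sensor can make regardless of policy: two segments that disagree about the same byte.

```python
from dataclasses import dataclass

# The text the post transfers between the two hosts (80 bytes = five 16-byte segments).
MESSAGE = (b"This is a test of the emergency broadcast system. "
           b"If it were an actual emergency")


@dataclass
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def build_overlap_scenario(message=MESSAGE, seg=16, junk=b"#"):
    """Constructed stand-in for the 'tcp_seg 16 new' capture (simplified): the first
    two 16-byte datagrams carry junk, the rest of the message follows in order, then
    two 32-byte retransmissions deliver the real first 32 bytes on top of the junk."""
    segs = [Segment(0, junk * seg), Segment(seg, junk * seg)]
    for off in range(2 * seg, len(message), seg):
        segs.append(Segment(off, message[off:off + seg]))
    segs.append(Segment(seg, message[seg:3 * seg]))    # like packet #9: overlaps junk #2
    segs.append(Segment(0, message[0:2 * seg]))       # like packet #10: lowest seq, real text
    return segs


def reassemble(segments, policy):
    """Rebuild the byte stream. policy="old" keeps the first byte seen at each offset
    (a sensor favoring old data); policy="new" lets later segments overwrite (what the
    receiving host in the post did). Only the contiguous prefix is returned, because
    TCP cannot deliver past a hole; data after the hole is held, not dropped."""
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "new" or off not in stream:
                stream[off] = b
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def conflicting_offsets(segments):
    """Offsets where two segments disagreed about the payload byte. A legitimate
    retransmission repeats the same bytes, so any conflict deserves an alert no
    matter which reassembly policy the sensor or the host uses."""
    seen, conflicts = {}, set()
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if off in seen and seen[off] != b:
                conflicts.add(off)
            seen.setdefault(off, b)
    return conflicts


if __name__ == "__main__":
    segs = build_overlap_scenario()
    print("host (new):  ", reassemble(segs, "new"))
    print("sensor (old):", reassemble(segs, "old"))
    print("conflicting byte offsets:", sorted(conflicting_offsets(segs)))
```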

    References

    Snort's Stream5 and TCP overlapping fragments: an article by Richard Bejtlich that sparked my interest in this topic. It's a very good article with more explanation on tuning the Snort preprocessor.

    PaulDotCom & Friends Present: Defcon 17 Podcaster Meetup Episode!


    All:

    For your listening pleasure I have (finally!) edited the podcaster meetup audio. You can hear the likes of:


    At this meetup we took questions from the audience, performed strip teases, and did some general ranting.


    Special guest appearance by none other than Twitchy!

    Direct Audio Download


    Now that DEFCON 17 is over, we promised the solution to our party pass challenge. I know that many have been waiting patiently, so here it is:

    Remember the original post? Here is the challenge in case you forgot.

    As stated in the original post, everything that you needed to complete the challenge was in the posting. If you listen to our show, all of the tools you need to complete it were also discussed in previous episodes and technical segments! Of course, knowing our recent projects and humor makes it all that much easier.

    Enter document metadata. Remember that nice badge picture?

    party_badge.jpg

    Save it to disk and run exiftool on it as follows:

    exiftool -r -a -u -g1 party_badge.jpg

    or, at an absolute minimum:

    exiftool party_badge.jpg

    This command will give all sorts of information about the picture. A shortened version is shown below.

    ExifTool Version Number         : 7.23
    File Name                       : party_badge.jpg
    File Size                       : 189 kB
    File Modification Date/Time     : 2009:08:07 10:40:07
    File Type                       : JPEG
    MIME Type                       : image/jpeg
    JFIF Version                    : 1.2
    Exif Byte Order                 : Big-endian (Motorola, MM)
    Image Description               : http://www.captainmetadata.com
    Camera Model Name               : http://www.freelarrypesce.com
    X Resolution                    : 100
    Y Resolution                    : 100
    User Comment                    : http://www.defconpartychallenge.com
    Flashpix Version                : 0100
    Color Space                     : Uncalibrated
    GPS Version ID                  : 2.2.0.0
    GPS Latitude                    : 413551403 deg 0' 0.00"
    GPS Longitude                   : 413551403 deg 0' 0.00"
    GPS Map Datum                   : 0413551403
    Quality                         : 100%
    Image Size                      : 553x465
    GPS Position                    : 413551403 deg 0' 0.00", 413551403 deg 0' 0.00"
    

    Well, look at that. Three websites! Let's take a look at them, one at a time.

    http://www.defconpartychallenge.com: We are presented with a pop up requiring authentication via username and password. Hmmm. Let's move on for a bit.

    http://www.freelarrypesce.com: A Clue!

    Need a password? It is the unique number from Larry's RFID implant. There are multiple ways to obtain it, but here are a few suggestions.
       1. Find it mentioned somewhere.
       2. Ask someone other than the PDC crew if they know it.
       3. As a last result, ask to read Larry's RFID tag at DEFCON (EM4x05 series tag, and if asked, he'll let you)
       4. Re-read the blog post. 
    

    Ok, those we can do! So, where to find the RFID tag unique number? Well, one option was to actually read Larry's tag. You could have asked someone if they knew it, such as Major Malfunction, who cloned Larry's tag on stage at Shmoocon. Then there was the "find it mentioned somewhere". The tag number was featured in TWO videos; once in the implant procedure, and the other from the Shmoocon cloning video.

    Wow, that was hard. Downloading and watching all those videos. But, wait Larry, you told me everything I needed was in the blog post!

    It was.

    Look at the image again with exiftool. See these funny numbers?

    GPS Version ID                  : 2.2.0.0
    GPS Latitude                    : 413551403 deg 0' 0.00"
    GPS Longitude                   : 413551403 deg 0' 0.00"
    GPS Map Datum                   : 0413551403
    

    Well, if you plug that location into Google Maps, it is in the middle of an ocean somewhere. But what about the GPS map datum? A quick Google search would reveal that that is a VERY odd datum type. In fact, so odd that it isn't valid.

    So, there is the password: 0413551403

    Yes, the password is in the image metadata several times, but most of them without the leading zero! Yeah, I got lazy, and just started pumping the number in to various interesting fields, until one kept the leading zero...
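The same exiftool output also shows what a metadata review should catch: coordinates that cannot be on the globe, a datum that is not a datum, and URLs sitting in free-text tags. This added Python checker is not part of the original post; it parses exiftool's `Tag : value` output and reports those anomalies, the datum whitelist is an assumption, and the sample input is the exiftool output from above reproduced inline.

```python
import re

# The exiftool lines from the post, reproduced inline so the checker runs offline.
EXIF_TEXT = """\
Image Description               : http://www.captainmetadata.com
Camera Model Name               : http://www.freelarrypesce.com
User Comment                    : http://www.defconpartychallenge.com
GPS Version ID                  : 2.2.0.0
GPS Latitude                    : 413551403 deg 0' 0.00"
GPS Longitude                   : 413551403 deg 0' 0.00"
GPS Map Datum                   : 0413551403
Image Size                      : 553x465
"""

# Assumption: the datums this checker accepts. Extend to match the devices you expect.
KNOWN_DATUMS = {"WGS-84", "WGS84", "NAD27", "NAD83", "TOKYO", "ED50"}
URL_RE = re.compile(r"https?://\S+")
# exiftool's degrees/minutes/seconds form, e.g. 41 deg 30' 0.00" N
DMS_RE = re.compile(r"^(-?\d+(?:\.\d+)?) deg (\d+(?:\.\d+)?)' (\d+(?:\.\d+)?)\"(?: ([NSEW]))?$")


def parse_exiftool(text):
    """Turn exiftool's 'Tag Name : value' lines into a dict (first colon is the separator)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def dms_to_degrees(value):
    """Convert a DMS string to signed decimal degrees, or None if it doesn't parse."""
    m = DMS_RE.match(value)
    if not m:
        return None
    deg = float(m.group(1)) + float(m.group(2)) / 60 + float(m.group(3)) / 3600
    return -deg if m.group(4) in ("S", "W") else deg


def find_anomalies(fields):
    """Return findings for GPS values that cannot be real coordinates, for an unknown
    datum, and for URLs hiding in any tag. An empty list means nothing odd was seen."""
    findings = []
    for key, limit in (("GPS Latitude", 90), ("GPS Longitude", 180)):
        if key not in fields:
            continue
        deg = dms_to_degrees(fields[key])
        if deg is None:
            findings.append(f"{key}: unparseable value {fields[key]!r}")
        elif abs(deg) > limit:
            findings.append(f"{key}: {deg:g} is outside +/-{limit} degrees")
    datum = fields.get("GPS Map Datum")
    if datum is not None and datum.upper() not in KNOWN_DATUMS:
        findings.append(f"GPS Map Datum: {datum!r} is not a recognised datum")
    for key, value in fields.items():
        for url in URL_RE.findall(value):
            findings.append(f"{key}: embedded URL {url}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_exiftool(EXIF_TEXT)):
        print(finding)
```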

    On to our next clue.

    http://www.captainmetadata.com/

    Need a username? Like we told you, EVERYTHING you needed was in the blog post.

    Hmm, I seem to remember those crafty PaulDotCom guys talking about creating custom username and password lists from web pages... OK, so how do I do that? In Episode 129, we talked about creating a custom wordlist. If we concatenate all of the commands (for Unix text processing and wget) and use the single blog entry as a source, we get:

    wget -r -l 1 http://pauldotcom.com/2009/07/the-pauldotcomi-hacked-defcon.html
    grep -hr "" pauldotcom.com/ | tr '[:space:]' '\n' | sort -u > wordlist.lst
    egrep -v '[][,;{}<>:="/]' wordlist.lst | sort -u > wordlist.clean.lst

    Ouch.

    Note that we did not use John the Ripper to add additional passwords to the list as we did in Episode 129. Technically it wouldn't hurt, but the word was already in the page; no additional words were needed.

    Now that we have a wordlist and a password, we can brute force the login with Hydra, which we mentioned in the White Hat World's Best Of Network Penetration Testing Tools:

    hydra -s 80 -L wordlist.clean.lst -p 0413551403 -t 36 defconpartychallenge.com http-head /index.html
    

    Woohoo! We get results back!

    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2009-08-07 13:25:44
    [DATA] 36 tasks, 1 servers, 2249 login tries (l:2249/p:1), ~62 tries per task
    [DATA] attacking service http-head on port 80
    [80][www] host: 66.203.130.200   login: strippers   password: 0413551403
    [STATUS] attack finished for defconpartychallenge.com (waiting for childs to finish)
    Hydra (http://www.thc.org) finished at 2009-08-07 13:25:52
    

    See, I told you strippers were awesome. Now go log in to the website with your credentials, and retrieve the picture that pays.

    youwin.jpg

    Mmmm, BACON! Two varieties, beans and mints! YOU WIN!

    I hope you all enjoyed the challenge, even if you weren't going to DEFCON, or didn't get to complete it. We know a lot of you want PaulDotCom baubles so we are attempting to run another batch of "party badges" that we can exchange for a modest fee (to cover materials and postage). Stay tuned!

    - Larry "haxorthematrx" Pesce

    For tonight, we are recording Episode 162 at 8:30 PM EDT. The live stream should be active around 20:45 EDT (8:45 PM Eastern), Thursday, August 6th. Please keep in mind that these times are estimates.

    Please join us to wish John "livin' off the land" Strand another happy year on Earth and to hear Renaud Deraison, the primary author and manager for the Nessus project rap with the PDC crew.

    top_secret.gif

    Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

    When active, the live stream(s) can be found at:

    Ustream: PaulDotCom UStream Channel

    Icecast: PaulDotCom Radio

    Please join us, enjoy the show live, and thanks for listening!

    - Mick, Paul, Carlos, Larry & John.

    Blue Team Playbook


    I wanted to address one of my major concerns over the past few months: Red Team vs. Blue Team events, or REBL. It seems to me that in every CTF/REBL event the Blue Team gets a bunch of un-patched systems. Most of the time the Blue Team fumbles around trying to fight off the attackers for quite some time before they get their feet under them, but they often do get it. We are currently having a conversation on this topic on the PaulDotCom mailing list. So far we have had some great recommendations about techniques that the Blue Team can use as leverage in these events.


    Russell Butturini had a great run at some recommendations and I wanted to share them with all of you:

    "On the Windows side, off the top of my head without looking at the links (so if any of these are repeats from the links below I apologize), from the CLI:

    1. Capturing the date and time on the system for establishing timelines: date /t and time /t

    2. Enumerating local accounts: net users

    3. Enumerating users and IPs remotely connected to system resources: net sessions

    4. Enumerating local groups/members of local groups: net localgroup and net localgroup groupname

    5. Networking "stuff": ipconfig and its many switches, like ipconfig /displaydns to show the DNS cache.

    6. ARP table enumeration: arp -a

    7. Linking open TCP/UDP connections to the processes that spawned them: netstat -anob

    8. Displaying the routing table: route print or netstat -r (I think this one has cleaner, more detailed output)

    9. Enumeration of the hosts file from the command line: type %systemroot%\system32\drivers\etc\hosts

    10. Viewing firewall status/making firewall changes: netsh firewall show state/show service for verifying status, a myriad of other commands for manipulating and opening/closing ports and adding deny rules from the CLI.

    11. Enumerating mapped drives: net use

    12. Enumerating the NetBIOS name cache: nbtstat -c

    13. Task enumeration using built in tools (depends on how "modern" the OS we are working with is): tasklist (tasklist /svc gives us the associated services running from each process)

    14. Service manipulation from the command line: sc query, sc start, sc pause, etc.

    15. Find group policies applied to a machine: gpresult (requires different command line switches if Vista/Server 2k8); apply new policies to a machine in a hurry: gpupdate /force (need to use secedit with different switches if earlier than Windows XP/2003)

    16. Enumerate drivers on a machine in use: driverquery

    17. Enumeration of system variables/setting new system variables: set

    18. Enumeration of scheduled tasks: at/schtasks

    19. Registry manipulation: reg

    20. Manipulate printers on a machine: use the VBScript in the System32 folder prnmngr.vbs for enumeration and changes.

    21. Verify the OS build: ver

    22. Review the event logs: use the eventquery.vbs script located in the System32 folder"


    This is a great start, but we need to go deeper. It would be easy for the Blue Team to bitch that we need AV and we need IDS, but I think that is a cop-out. Take this suggestion from Nathan Sweaney and Dave Hull:

    route add att.ack.ers.ip mask 255.255.255.255 att.ack.ers.ip

    In the real world we cannot count on these tools to be 100% effective. Rather than complain, we need to focus on how we can win in this type of environment. We need to learn to "live off the land" and work with what is given to us. Expect more on this topic over the next few months. I am hoping to create a "Spy vs. Spy" series with Carlos where he develops an attack and I work on the detection and defense against it.

    Stay tuned.

    Till then, subscribe to the PaulDotCom mailing list and join the discussion.

    -strandjs (aka Fr. John)


    PaulDotCom Hacklab in Boston


    PaulDotCom will be running a Hacklab in Boston at SANS Boston 2009 hosted by strandjs this Friday August 7th from 6:00PM till ???. "Hack Naked" T-shirts will be on sale for $10!


    We will be at the:

    Hyatt Regency Boston
    One Avenue de Lafayette
    Boston, Massachusetts, USA 02111
    Telephone: 617 912 1234
    Fax: 617 451 2198

    The event will take place on the fourth floor. This event is open to the public, so come on down and hack some systems. Better yet, bring some cool systems to hack.

    That and it is kind of my birthday.

    -strandjs

    Top 10 Things I Learned At Defcon 17


    Some of you may remember my list from Shmoocon 2009, here's the list for Defcon 17:

    10. Defcon is one of the largest computer security conferences in the world, with over 10,000 attendees this year (according to reports from Defcon staff).
    [CORRECTION: Reports are coming in about the number of attendees at Defcon, and the RSA security conference. If anyone has a reliable source to get numbers from both conferences this year I would be interested. Thanks!]

    9. "Hack Naked" shirts sell well at Defcon, pink "Hack Naked" shirts are a hit and we need to print more because we've only got 5 left in inventory. Another interesting factoid, the Defcon 7 t-shirt included a logo similar to the Hack Naked girl on our shirts.

    The "other" Hack Naked Girl

    8. SSL is broken, in a variety of ways, not "panic now" broken, and not "do nothing about it" broken, but somewhere in between.

    7. Getting a Mohawk just for Defcon is lame, except if it benefits a good organization like EFF.

    6. Lock picking is a useful skill, and comes in handy when you need to open the doors between two of the hottest parties at Defcon, PaulDotCom and 303 :)

    5. There was no FAIL blog party.....FAIL!

    "Twitchy"

    4. Chris Nickerson does not look "sexy" in a women's tank top (click at your own risk!), or give good lap dances. Actually, none of the security podcasters looked "sexy" in the ladies tank top (gouging my eyes out now...).

    3. There is no better group to host a party with than i-hacked heavsnt and surbo. DJ Great Scott, fog machine, laser line, t-shirt cannon. Nuf said. Special thanks to Tenable Network Security for sponsoring our party.

    2. Going to the shooting range with PaulDotCom listeners is fun, especially when it involved fully automatic weapons!

    The "PaulDotCom Shoot"

    1. Getting the entire PaulDotCom crew together and going to Defcon to hang out with friends, hack, and talk security is totally awesome!