recently i spoke at a conference about a network upgrade i did at a previous job.
the upgrade was a very difficult, but rewarding process, and has become one of my favorite topics to speak about.
topics i covered included the basics/easy stuff:
all the way to the not so common or more complex:
here is the prezi from the talk:
this is a quick post about vlan hacking abuse.
specifically, this post will cover how to abuse cisco switches and the DTP (dynamic trunking protocol).
why is this important? typically, most environments segment out servers, workstations, management, etc, into different vlans. if they (mis)configure the switch, you could potentially jump onto the management subnet (where things are usually much less protected) from a user subnet.
in a nutshell, we are taking advantage of a misconfigured switch, not really doing any “hacking”.
recently i was asked to implement a solution to mirror a massive amount of traffic (2-8Gbps of sustained traffic) to several different locations for further analysis.
after comparing gigamon, netoptics, and network critical, i opted for netoptics to fill the roll (because of time i could not do a proof of concept, so the evaluation through reading specs, talking to a few techs, and some googling).
i have spent time over the last few weeks configuring the netoptics and thought it would be worth sharing my experience for someone else’s benefit.
i was recently asked to do a presentation for a local conference. i like coming up with new things to research and investigate and decided to pursue passwords (and how bad they are). below is my presentation and code for the talk:
title: passwords: you can’t do it right
description: some say you’re doing it wrong. i argue you can’t do it right (but some do it better than others). see how ineffective passwords are at protecting your accounts and ways of decreasing the chance of anyone using your passwords to achieve total domination.
i have recently been working through some network forensic challenges from a few locations (http://forensicscontest.com and http://ismellpackets.com/category/pcap/) and wanted to do some network carving (parsing a pcap and getting the files like .exe’s, .jpg’s, etc). to answer some of the questions i wanted to load networkminer on my backtrack 5 r1 box.
fortunately there was a tutorial on how to get networkminer up on linux, but it didn’t fix everything for the newest version of backtrack (specifically, the fonts were off and the menu didn’t show up correctly).
to get networkminer 1.0 up and running on my backtrack 5 r1 VM here is what i did (summary of commands at bottom):
cd /bin wget http://kegel.com/wine/winetricks chmod +x winetricks ./winetricks corefonts dotnet20 gdiplus
first off, the backtrack team rocks. they produce an amazing product for an equally amazing cost. the aesthetics are even top notch, which i can appreciate.
that being said, i don’t usually like to advertise to people that i am running backtrack (people get nervous when they think “hacker”), and a flaming red dragon is no way to keep things on the down low.
so, for anyone else out there i thought i would post where to change the default backtrack 5 menu icon.
the icon file is a svg, and is located at: /usr/share/icons/Humanity-Dark/places/24/start-here.svg
to clean my desktop up to something more benign (and useful), i replaced the backtrack menu logo with a blank svg and changed the wallpaper to corelanc0d3r’s exploit dev cheatsheet.
steps taken:
<note>
i wasted 2 hours of my life getting this working on a fresh install of unbuntu 10.10. turns out that the default version of rsyslog that you get when you ‘apt-get install rsyslog’ is version 4.x, which has a bug that prevents the logging from being directed correctly to /var/log/iptables.log. i had to remove rsyslog (apt-get remove rsyslog), then go get the newest version of rsyslog (5.8) from the site and compile from source. after compiling and pulling in the new conf file (its a little different in rsyslog 5.x than 4.x), things worked as expected. ye be warned.
</note>
recently i wanted to see what packets were getting passed or blocked on a linux server running iptables. i really wanted to see a log that showed every inbound and outbound packet, and both dropped and allowed packets.
you can see all the packets in tcpdump/wireshark/etc, but it doesn’t show you that iptables dropped the connection (you just see there is no syn ack response). so my goal was to create a iptables ruleset that logged every packet to a separate file, distinguished what was allowed and what was dropped, and to have the logs rotating automatically. here is how i did it:
i am working on some wireless testing for my SANS wireless certification (joshua wright’s stuff, who is really good at what he does).
i haven’t been playing with wireless too much lately, so i hadn’t noticed that in backtrack 4 r2 kismet had been upgraded to the newcore version, with no trace of oldcore installed or available via repo’s. i wanted both oldcore and newcore, since newcore doesn’t support things like a strings dump, eap authentication type identification, etc.
here is what i did to install kismet oldcore side-by-side with newcore on backtrack 4 r2 (line-by-line command at bottom):
Continue reading »
earlier this month i presented at my local infragard chapter.
the title of the presentation was “defense in depth: raising the bar”, and it focused on the NSA’s secure computing iniative, high assurance platform (HAP).
the goal of the presentation was more about talking points, discussion, and ideas about what security will look like tomorrow and where we, as the security community, should be leading our organizations. point blank i would say that HAP is not for everyone, but there are certain aspects that i think we can all learn from.
also, one point that was brought out that i thought was interesting was “this HAP stuff is way too much, who could really use this”? i certainly imagine that comment was heard when defense in depth began to be pushed by the NSA 10 years ago (see “we already have a firewall, why would we need to add X product?”)
it may or may not be the way of the future, but it was an interesting infragard discussion!
here is the presentation:
and here is where i got my information:
http://www.nsa.gov/ia/programs/h_a_p/index.shtml
also, this is a video about HAP in action. its a bit drawn out, but it does lay out the situation nicely (albeit in a *very* vanilla fashion):
http://www.nsa.gov/ia/media_center/video/orlando2010/flash.shtml
i have an older copy of backtrack 4 that i have upgraded since the initial release. while working through the PWB course from offensive security, i wanted to upgrade the local version of exploitdb. here is what i got:
1 2 | root@bt:/pentest/exploits/exploitdb# svn update svn: Repository UUID 'c54f1b57-f3df-4c37-b561-881cde1baa19' doesn't match expected UUID '8072406e-18fd-45b5-acae-fc56dbc62dfa' |
apparently in the time i installed backtrack 4 and the current version, they have blown away/moved the svn database. after googling, i found two options.
i have too much time invested in the box, so i found out how to fix the issue. here is what you do (assuming you are in the /pentest/exploits directory):
1 2 | rm -rf exploitdb/ svn co svn://www.exploit-db.com/exploitdb |
just a quick and dirty way to drop the old svn repository and add it from scratch.
