New Honeynet Challenge and irongeek.com

Quick post today. There’s a new Honeynet challenge up. Be sure to check it out. I will certainly try it out, I think there’s a lot to learn from just trying.

Also, I’d like to recommend irongeek.com. It’s a good site containing free security videos. There are videos on password cracking, Metasploit etc… I’ve learned a lot thanks to this website.

Also, I’ve got two security related books to read. Virtual Honeypots as well as The Rootkit Arsenal. Not sure my programming skills are ready for the latter. I’ll be studying C++ and Linux as a development platform in addition to my ordinary networking courses (CCNP Switch and Network surveillance). I think I need to learn assembly as well, haven’t found a good course for this yet though.

Take care!

– wh1sk3yj4ck

Writeup about my submission to the latest Honeynet Challenge!

Edit: I won the challenge! :)

The Winners:

  1. William Soderberg (Sweden) – William’s submission – Sha1: 14ec42dcd24162d2e536f5c84820240cb521cad4
  2. Nikunj Shah (USA) – Nikunj’s submission – Sha1: 950aa99eec3b7663ee9f415826e0dfcfe43ab4ac
  3. David Bernal Michelena (Mexico) – David’s submission – Sha1: 58fc0cfeac54cf9fdc490b22b4b5e0e8ed7e92db

End of edit.

A few weeks ago I learned that the Honeynet Project had created a new challenge. Link here.

Challenge 5 – Log Mysteries - (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

I totally felt like this would be a very good way to learn something and so I jumped at the opportunity. The deadline has passed and so I’ve done a writeup of how I analyzed the log files and came to certain conclusions. I figured it was a good way to spread knowledge and also get some criticism. I would really love it if someone at least skimmed through my writeup (links below) and told me whether I did a decent job or not.

I’m releasing this now because the deadline for the challenge has passed. Though submissions don’t seem to be closed yet, I don’t care. I did this to learn and not to win some prize.

I created this document while I worked on the challenge and I’ve edited it afterwards. So the grammar might be a bit odd. Sometimes it might be in present tense and sometimes not so present tense. I hope I’ve edited it enough that you won’t find it a pain to read.

Forensics Challange 2010 writeup by wh1sk3yj4ck.doc
Forensics Challange 2010 writeup by wh1sk3yj4ck.odt

2nd year of school begins

Today I had the first lesson in Advanced Routing and Switching, it’s based upon the new CCNP ROUTE 642-902. The course literature is a ~1k-page monster.

In parallel with that I will be studying Computer Administration and an introductory course in C programming. There’s no course literature in the former course but the latter course has over 1k pages of course literature. Seems like all my spare time is going to disappear.

Additionally, it seems like I will need to get some kind of extra job in order to survive. I’m thinking I might offer my very basic penetration testing skills to the local companies for a cheap price. I’ll let you know how it goes. It would be really neat if some accepted this offer, it would mean that I would learn relevant stuff while gaining some cash.

I’m currently decrypting my system drive so that I can install a secondary OS and then dual boot. I would remove Windows completely and just run Linux but you never know when you might need to get your hands dirty. Found an awesome guide for encrypting both OS installations on a dual boot system.

I’ve been looking at OSSTMM (Open Source Security Testing Methodology Manual). It seems that in order to get the latest version, you need to pay up either $99 or $299. I will ask the campus library if they would like to fund this for me and other students. Would be really cool!

When I came up to my apartment in Skellefteå, Sweden, I was horrified. My broadband connection was not working. They’re digging outside my apartment, they’re going to implement geothermal heating (whoa, new word learned). Anyways, I’m fearing the worst.

All in all, looks like an interesting period ahead. Take care.

Book review: The Art of Deception

The Art of Deception is a book by Kevin Mitnick that covers the art of social engineering. Part of the book is composed of real stories, and examples of how social engineering can be combined with hacking.

Wikipedia

This is a recommended read. It will not teach you how to execute social engineering attacks. It will teach you what the attack vectors are, what they’re after, what needs to be protected and why someone wants to use social engineering. The book is well written and informative.

This book brought my attention to another part of security, namely the human element. I would most probably have fallen for an attack if I hadn’t read this book. That’s a fact.

While reading this book, I realized that I had been naive. I got a good look at how other humans are willing to exploit the good in people for their own purposes.

I have some criticism to share.

After a few chapters into the book it starts feeling like you’re reading the same thing over and over again. You’ve got the idea of what it’s all about and you really don’t need any more information than that. I think the book’s volume could at least be cut in half and it would still serve its purpose well.

It’s somewhat of a pain to read but at the same time an absolute must for anyone that’s into computer security. I don’t know whether this book is one of the best or worst, let me know if you have read any other social engineering books that you can recommend.

With social engineering you can bypass the best of firewalls with some deception and social skills. Technical security is not enough, you need to firewall your mind as well.

Tutorial: intrace

Discovered a neat little reconnaissance tool today. It’s called intrace. Unlike the traditional UDP traceroute application, this one uses TCP to get a better trace.

A traditional traceroute sends UDP segments towards the destination. Each UDP segment is encapsulated in an IP packet, and the IP header has a field called Time To Live (TTL). The first probe is sent with a TTL of 1. The first-hop router decrements the TTL by 1 and, because it has now reached zero, discards the packet: an expired packet must not be forwarded any further, which is what keeps a network/internetwork free of forwarding loops. If properly configured, the router then uses the Internet Control Message Protocol (ICMP) to send an answer back to our machine, telling us TTL Expired. This reply is crucial for our trace, because its source IP address is the router’s own. Thus the first IP address in the trace has been found. The TTL is increased to 2 and the procedure repeats until we reach the destination. When the destination machine receives the UDP segment it responds with an ICMP message saying Destination Port Unreachable, because no application is listening on that port. This final step tells us that the trace is complete.

Now, firewalls often have rules that block incoming traffic, be it UDP or TCP. Why let through traffic that doesn’t belong in the network? Our UDP trace goes to some random destination port number that the firewall ruleset does not allow through. When tracing a destination that’s behind a firewall, the last hop in our trace will therefore probably be either the hop before the firewall or the firewall itself.

This is where intrace comes in. Say you’re trying to trace the route to a web server. You first establish a TCP connection to the web server, usually on port 80. Since this is legitimate traffic according to the firewall, the connection is allowed. intrace then uses this legitimate TCP connection to send IP packets to the destination with increasing TTLs, thus tracing through the firewall and all the way to the server. This gives us more information than a traditional traceroute.

A good mitigation technique for firewalls would be to block egress ICMP TTL Expired messages. Correct me if I’m wrong, but I think that will do it without breaking anything else.
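To make the mechanism concrete, here is a small simulation of the three situations described above: a classic UDP trace stopping at the firewall, an intrace-style trace riding an established TCP connection past it, and the effect of the proposed mitigation. This is an added example, not code from the original post and not intrace’s own code. The topology, the addresses, the firewall policy and the reply kinds are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed topology (all addresses made up): three transit routers, a
# stateful firewall, two internal routers, then the web server.
HOPS = ["192.0.2.1", "192.0.2.9", "198.51.100.1", "198.51.100.254",
        "10.0.0.1", "10.0.0.2", "10.0.0.80"]
FIREWALL_INDEX = 3               # 198.51.100.254 enforces the ingress policy
ROUTERS, DESTINATION = HOPS[:-1], HOPS[-1]


@dataclass
class Firewall:
    allowed_ports: set = field(default_factory=lambda: {80})
    block_egress_ttl_expired: bool = False   # the mitigation the post proposes

    def admits(self, proto, dport, established):
        """Stateful ingress rule: anything in an already established session
        passes, new connections only to allowed TCP ports, all else is dropped."""
        return established or (proto == "tcp" and dport in self.allowed_ports)


def probe(ttl, proto, dport, established, fw):
    """Forward one probe hop by hop; return (replying ip or None, reply kind)."""
    for index, ip in enumerate(ROUTERS):
        ttl -= 1                                  # every router decrements TTL
        if ttl == 0:
            # Expired here: the router answers ICMP TTL Expired from its own
            # address, unless the firewall swallows such replies from inside.
            if index > FIREWALL_INDEX and fw.block_egress_ttl_expired:
                return None, "icmp-suppressed"
            return ip, "ttl-expired"
        if index == FIREWALL_INDEX and not fw.admits(proto, dport, established):
            return None, "dropped"                # silent drop, no reply at all
    # TTL survived every router, so the destination host itself receives it.
    if proto == "udp":
        return DESTINATION, "port-unreachable"   # nothing listens on the probe port
    return DESTINATION, "tcp-reply"              # in-session segment gets a TCP reply


def trace(proto, dport, established, fw, max_ttl=8):
    """Probe with TTL 1, 2, ...; '*' marks a hop that never answered."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        ip, kind = probe(ttl, proto, dport, established, fw)
        hops.append(ip or "*")
        if kind in ("port-unreachable", "tcp-reply"):
            break                                 # destination reached, done
    return hops


def classic_udp_trace(fw):
    # Traditional traceroute: UDP to a high port nobody listens on.
    return trace("udp", 33434, established=False, fw=fw)


def intrace_style_trace(fw):
    # intrace: probes belong to an established TCP connection to port 80.
    return trace("tcp", 80, established=True, fw=fw)


if __name__ == "__main__":
    print("UDP trace      :", classic_udp_trace(Firewall()))
    print("in-session TCP :", intrace_style_trace(Firewall()))
    print("with mitigation:", intrace_style_trace(Firewall(block_egress_ttl_expired=True)))
```

Running it shows the UDP trace ending at the firewall with only `*` entries afterwards, the in-session TCP trace listing every hop up to the server, and, with the egress ICMP rule enabled, the internal routers disappearing behind `*` while the server itself still answers over TCP, since that reply is not ICMP.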

Here’s a video demonstrating how to use intrace. It’s less than good, so the wiki post on the project site is possibly a better way to learn to use it.

500 most common passwords wordlist

Source: http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

Download wordlist here.

I’ve read today that someone did an analysis on the leaked phpbb passwords. Quite old news, but interesting nonetheless. It would be fun to do a similar analysis on passwords leaked from Swedish sites and then do a write up about the results. Maybe someone has already done it though.

Also, discovered two quite nice websites today:

www.networkworld.com
www.darkreading.com

Be sure to check ’em out.

– wh1sk3yj4ck

Extracting files from a capture file aka. intercepting files

Just learned a cool thing that I’d like to share. Imagine you’re running a packet sniffer and you want to extract the files that you’ve sniffed. It can be a .pdf, .jpg or whatever. There are two tools for this once you’ve got the capture file in hand. Namely, tcpflow and foremost.

TCP segments might arrive out of order and need to be put into the right sequence before you can extract the files from the capture, else the files will probably be corrupted. The reason we need to do this is that packet sniffers, or protocol analyzers if you will, only display data in the order it arrives on the interface(s). TCP segments might arrive out of order at the destination and therefore TCP uses something called sequence numbers to keep track of where the data should be put. tcpflow will read the TCP sequence numbers in your capture file and put the segments in the correct order for “convenient protocol analysis or debugging”. The following command does this:

tcpflow -r sniffed.cap

This will create several output files for all the connections you’ve captured, one file per connection. The output will be in your current working directory, so it’s recommended to create a new folder and run the command from that folder to avoid mayhem. The output files can be a pain to work with so we’ll put them together into one single file with cat (concatenate):

cat * > sniffed_organised.cap

Now we can use foremost to extract the files.

foremost -t all -i sniffed_organised.cap

The -t option lets you choose which file types to extract. The man page will tell you which file formats you can choose from. Unless you specify otherwise, the files will be put into a folder called output. Good luck!
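The two steps above, reassembling a stream by sequence number (what tcpflow does) and then carving files out of it by header and footer signatures (what foremost does), can be shown on a toy capture. This is an added example that is not part of the original post and is not code from either tool. The HTTP response, the fake JPEG framed with real JPEG start/end markers, the segment size and the “captured” arrival order are all constructed.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample: a tiny HTTP response carrying a fake JPEG (genuine JPEG
# framing bytes around a placeholder body). Not taken from any real capture.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-no-real-pixels-here" + b"\xff\xd9"
STREAM = HEADERS + FAKE_JPEG
FIRST_SEQ = 1000


def split_into_segments(data, mss=16, first_seq=FIRST_SEQ):
    """Cut a byte string into MSS-sized segments with consecutive seq numbers."""
    return [Segment(first_seq + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


# "Captured" order: the segments arrive reversed and one is retransmitted,
# exactly the mess the post warns about.
IN_ORDER = split_into_segments(STREAM)
CAPTURED = list(reversed(IN_ORDER)) + [IN_ORDER[1]]


def reassemble(segments):
    """Order segments by sequence number and glue the payloads together.

    Retransmitted or overlapping bytes are kept only once, and a missing
    segment leaves a NUL-filled hole so later offsets stay correct.
    """
    stream = bytearray()
    base = min(seg.seq for seg in segments)
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - base
        if offset > len(stream):
            stream.extend(b"\x00" * (offset - len(stream)))   # gap in capture
        stream.extend(seg.payload[max(len(stream) - offset, 0):])
    return bytes(stream)


# Header/footer signatures, the same idea behind foremost's file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(stream, kind):
    """Return every file of the given type found by header-to-footer scanning."""
    header, footer = SIGNATURES[kind]
    found, pos = [], 0
    while True:
        start = stream.find(header, pos)
        if start < 0:
            break
        end = stream.find(footer, start + len(header))
        if end < 0:
            break                      # header without footer: truncated file
        end += len(footer)
        found.append(stream[start:end])
        pos = end
    return found


def carve_captured(segments, kind="jpg"):
    """Full pipeline: reassemble first, then carve."""
    return carve(reassemble(segments), kind)


def carve_raw_capture_order(segments, kind="jpg"):
    """What you get if you skip the reassembly step and carve arrival order."""
    return carve(b"".join(seg.payload for seg in segments), kind)


if __name__ == "__main__":
    print("after reassembly:", carve_captured(CAPTURED))
    print("raw capture order:", carve_raw_capture_order(CAPTURED))
```

The reassembled stream yields the intact fake JPEG, while carving the bytes in raw arrival order finds nothing usable, which is why the tcpflow step comes before foremost.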
