Writeup about my submission to the latest Honeynet Challenge!

Edit: I won the challenge! 🙂

A few weeks ago I learned that the Honeynet Project had created a new challenge. Link here.

Challenge 5 – Log Mysteries – (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

I totally felt like this would be a very good way to learn something and so I jumped at the opportunity. The deadline has passed and so I’ve done a writeup of how I analyzed the log files and came to certain conclusions. I figured it was a good way to spread knowledge and also get some criticism. I would really love it if someone at least skimmed through my writeup (links below) and told me whether I did a decent job or not.

I’m releasing this now because the deadline for the challenge has passed. Though submissions don’t seem to be closed yet, I don’t care. I did this to learn and not to win some prize.

I created this document while I worked on the challenge and I’ve edited it afterwards. So the grammar might be a bit odd. Sometimes it might be in present tense and sometimes not so present tense. I hope I’ve edited it enough so you won’t find it a pain to read.

Book review: The Art of Deception

The Art of Deception is a book by Kevin Mitnick that covers the art of social engineering. Part of the book is composed of real stories and examples of how social engineering can be combined with hacking.

This is a recommended read. It will not teach you how to execute social engineering attacks. It will teach you what the attack vectors are, what they’re after, what needs to be protected and why someone wants to use social engineering. The book is well written and informative.

This book brought my attention to another part of security, namely the human element. I would most probably have fallen for an attack if I hadn’t read this book. That’s a fact.

While reading this book, I realized that I had been naive. I got a good look at how other humans are willing to exploit the good in people for their own purposes.

I have some criticism to share.

After a few chapters into the book it starts feeling like you’re reading the same thing over and over again. You’ve got the idea of what it’s all about and you really don’t need any more information than that. I think the book’s volume could be cut at least in half and it would still serve its purpose well.

It’s somewhat of a pain to read but at the same time an absolute must for anyone that’s into computer security. I don’t know whether this book is one of the best or worst; let me know if you have read any other social engineering books that you can recommend.

With social engineering you can bypass the best of firewalls with some deception and social skills. Technical security alone is not enough; you need to firewall your mind as well.

Tutorial: intrace

Discovered a neat little reconnaissance tool today. It’s called intrace. Unlike the traditional UDP traceroute application, this one uses TCP to get a better trace.

A traditional traceroute sends UDP segments to the destination. Each UDP segment is encapsulated in an IP packet, and the IP header has a field called Time To Live (TTL). The first probe is sent with a TTL of 1. The first-hop router that receives it decrements the TTL by 1 and, because the TTL has now expired, discards the packet: an expired TTL means the packet should go no further, which is what keeps a network or internetwork free of forwarding loops. If properly configured, the router then uses the Internet Control Message Protocol (ICMP) to send our machine a reply saying TTL Expired. This reply is crucial for the trace, because its source IP is the router’s own address, so the first IP address in the trace is now known. The TTL is then increased to 2 and the procedure repeats until we reach the destination. When the destination host receives the UDP segment it responds with an ICMP Destination Port Unreachable message, since no application is listening on that port. This final reply tells us that the trace is complete.

Now, firewalls often have rules that block incoming traffic, be it UDP or TCP: why let traffic through that doesn’t belong in the network? Our UDP probes go to some random destination port that the firewall ruleset does not allow through. When tracing a destination that’s behind a firewall, the last hop according to our trace will therefore probably be either the hop before the firewall or the firewall itself.

This is where intrace comes in. If you’re trying to trace the route to a web server, for example, you first establish a TCP connection to the web server (usually on port 80). Since this is legitimate traffic according to the firewall, the connection will be allowed. intrace then uses this legitimate TCP connection to send IP packets to the destination with increasing TTLs, tracing past the firewall all the way to the server. This gives us more information than a traditional traceroute does.

A good mitigation technique for firewalls would be to block egress ICMP TTL Expired messages. Correct me if I’m wrong, but I think that will do it without breaking anything else.
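To make the difference concrete, here is an added simulation (not intrace’s own code; the hops, addresses and firewall rule are constructed) that models a UDP traceroute, an intrace-style TCP trace inside an allowed connection, and the effect of the firewall dropping egress ICMP TTL Expired messages:

```python
from dataclasses import dataclass

@dataclass
class Hop:
    addr: str
    firewall: bool = False
    allow_tcp_ports: frozenset = frozenset()   # inbound TCP ports the firewall permits

# Constructed path: two upstream routers, the perimeter firewall (port 80 allowed),
# one internal router and the destination web server. All addresses are made up.
PATH = [
    Hop("10.0.0.1"),
    Hop("10.0.0.2"),
    Hop("203.0.113.1", firewall=True, allow_tcp_ports=frozenset({80})),
    Hop("192.168.1.1"),
    Hop("192.168.1.10"),
]

def send_probe(path, ttl, proto, dport, egress_filter=False):
    """Forward one probe hop by hop. Returns (replying address or None, reply kind)."""
    behind_fw = False
    for hop in path[:-1]:
        ttl -= 1                      # every router decrements TTL before forwarding
        if ttl == 0:
            # ICMP TTL Expired from this hop; with the mitigation from the post the
            # firewall drops such messages when they originate from hops behind it.
            if behind_fw and egress_filter:
                return None, "filtered"
            return hop.addr, "ttl-expired"
        if hop.firewall:
            # Simplified ruleset: only TCP to an allowed port is let through.
            if proto != "tcp" or dport not in hop.allow_tcp_ports:
                return None, "dropped"
            behind_fw = True
    # The probe reached the destination host: UDP hits a closed port, while a TCP
    # segment is answered inside the established connection (what intrace relies on).
    return path[-1].addr, ("port-unreachable" if proto == "udp" else "tcp-reply")

def trace(path, proto, dport, egress_filter=False, max_ttl=8):
    """Classic traceroute loop: raise the TTL until the destination itself answers."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        addr, kind = send_probe(path, ttl, proto, dport, egress_filter)
        hops.append(addr or "*")
        if kind in ("port-unreachable", "tcp-reply"):
            break
    return hops

if __name__ == "__main__":
    print("udp        :", trace(PATH, "udp", 33434))
    print("tcp 80     :", trace(PATH, "tcp", 80))
    print("tcp+filter :", trace(PATH, "tcp", 80, egress_filter=True))
```

The UDP trace stops at the firewall and shows only timeouts after it, the TCP trace reaches the server, and with egress ICMP filtering the internal hops disappear while the destination still answers.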

Here’s a video demonstrating how to use intrace. It’s less than good, so the wiki post on the project site is possibly a better way to learn to use it.

500 most common passwords wordlist

I read today that someone did an analysis of the leaked phpbb passwords. Quite old news, but interesting nonetheless. It would be fun to do a similar analysis of passwords leaked from Swedish sites and then do a writeup about the results. Maybe someone has already done it though.

Also, discovered two quite nice websites today:

Be sure to check ’em out.

swedish wordlist/dictionary for security auditing

I scoured the net for a good Swedish wordlist and found them all to be inadequate. Hence, I’ve created a script that formatted Göran Andersson’s “Den stora svenska ordlistan” so it could be used for security auditing. I’m now posting the output from that script here. The result is 400 549 Swedish words (974.9 KB compressed). The list is free from duplicates and has been sorted alphabetically.

Said script might be released later; it’s not 100% complete (some entries were not formatted correctly and so needed manual intervention to correct).

simple password generator script

Wrote a small script in Python for generating passwords of various lengths. There are plenty of password generators out there; it’s just that I saw it as a good exercise to learn some Python. Will add a GUI and an option to choose from different charsets later on.

The script will let you choose the length of the password as well as how many passwords you want generated. The charset used is a mix of special characters, digits, and upper- and lowercase letters.

Usually I visit a website that generates the password for me. Alas, I’ve been quite paranoid (thank SSLstrip and ettercap for this) of late and so I thought I’d better generate my passwords locally instead.

I would like to publish the code right here on the blog, but WordPress doesn’t include a syntax highlighting feature and so code doesn’t display well. There are plugins for this, but to use them I would need to host the server myself.

I’m going to add a GUI to this as well as adding more options for customizing the generation of passwords. Like, which charsets to use. 🙂
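The script itself is not on the page, so here is an added example of the same idea (not the author’s code): it takes the two options described above, length and count, draws from a mixed charset using Python’s `secrets` module (a CSPRNG, which is what a password generator should use rather than `random`), and rejects any candidate that misses a character class.

```python
import math
import secrets
import string

# Mixed charset as in the post: special characters, digits, upper- and lowercase letters.
CHARSET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def has_every_class(password):
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)

def generate_password(length):
    """Draw characters with secrets.choice (cryptographically secure) and retry until
    every class is present. Rejection sampling keeps accepted passwords uniformly
    distributed over the set of passwords that satisfy the class rule."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d to fit every character class" % len(CLASSES))
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if has_every_class(candidate):
            return candidate

def generate_passwords(length, count):
    """The two knobs the post describes: password length and how many to generate."""
    return [generate_password(length) for _ in range(count)]

def entropy_bits(length):
    """Upper bound on entropy in bits: log2(|charset| ** length). The class rule
    rejects a small fraction of candidates, so the true figure is marginally lower."""
    return length * math.log2(len(CHARSET))

if __name__ == "__main__":
    for pw in generate_passwords(16, 3):
        print(pw)
    print("about %.1f bits of entropy per 16-character password" % entropy_bits(16))
```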