Irongeek's Security Site

Compiling Nmap form source on Ubuntu

Sat, 18 Jul 2009 14:27:19 -0400

Link: Compiling Nmap form source on Ubuntu
Along the way to making a video on Ncat I needed to compile Nmap 5 from source, so I figured I might as well do a video on that as well. There are many reasons why you might want to compile Nmap from source instead of just using the package manager, so enjoy.

Windows 7: Copy A Modified User Profile Over The Default Profile

Fri, 17 Jul 2009 21:05:52 -0400

Link: Windows 7: Copy A Modified User Profile Over The Default Profile
While this is not directly security related, it should be helpful to those who are testing Windows 7. I'm posting it to help those who are searching the Internet for details on copying user profiles in Windows 7.

NDiff: Comparing two Nmap 5 scans to find changes in your network

Thu, 16 Jul 2009 12:20:34 -0400

Link: NDiff: Comparing two Nmap 5 scans to find changes in your network
Fyodor gave me a heads up that Nmap 5 was coming out, so I figured I'd do a couple of videos on useful new features that come with Nmap 5 and later. For a better understanding of Nmap in general, check out my older videos which I will link to after the presentation. In this video I will cover the basics of using NDiff to compare two seperate Nmap scans. This is really useful for change management, where you want to know what new devices have appeared on your network or about ones that have disappeared for some reason. You could easily schedule Nmap to run on your network weekly, and then compare the differences with NDiff to see what has changed.

As a side note, looks like I'm going to Defcon. Thanks to Haxorthematrix, Sereyna, Minoad, Mr. Bradshaw, George and anyone else who donated to my Paypal so I could go.

Exotic Liability Episode 25: Irongeek sits in

Sat, 11 Jul 2009 22:58:20 -0400

Link:Exotic Liability Episode 25: Irongeek sits in
I came in as a guest of the Exotic Liability podcast, episode 25. I've not listened to it yet, hope I came off ok. Some of the things we discussed include: Incident response switchblade, Tiger Team: The Whole Story, Our neighborhood memories, Kon-boot, Cool tools for data collection, P/W cracker speed test challenge, Look at my thumb, Olympic games, Louisville Info Sec Conference, Anti-forensics and Legalities. Thanks for having me on.

As a sidenote, I may be going to Defcon after all but nothing is confirmed yet. I'll need to find someone's floor to crash on Wednesday night as I think I'll be arriving a day before the person I'm staying with the rest of the con.

Incident Response U3 Switchblade From TCSTool

Thu, 9 Jul 2009 20:59:55 -0400

Link:Incident Response U3 Switchblade From TCSTool
In Russell's own words: "The U3 incident response switchblade is a tool designed to gather forensic data from a machine in an automated, self-contained fashion without user intervention for use in an investigation. The switchblade is designed to be very modular, allowing the investigator/IR team to add their own tools and modify the evidence collection process quickly." This video shows you how to setup u3ir, and modify it.

Using Kon-Boot from a USB Flash Drive: Bypass those pesky Windows and Linux login passwords completely

Wed, 8 Jul 2009 00:48:10 -0400

Link:Using Kon-Boot from a USB Flash Drive: Bypass those pesky Windows and Linux login passwords completely
Kon-Boot is a neat little tool that you can boot from a CD or a floppy, change memory before booting a full OS, and then login to Windows or Linux without knowing a proper password. The above link contains my notes and config files to get Kon-Boot to work from a bootable USB drive.

PHPIDS Install Notes and Test Page

Tue, 7 Jul 2009 20:06:19 -0400

Link:PHPIDS Install Notes and Test Page
I've been playing around with PHPIDS and have posted my notes on installing it as well as details on the kinds of attacks by web site gets. Interesting, I get a lot of attacks, mostly RFI.

As a side note, GFI was kind enough to sponsor my site for two months, show our appreciation by trying out some of their log and vulnerability scanning software.

How to change your MAC address article updated, added information on OS X 10.5.6 and latter

Mon, 29 Jun 2009 20:39:49 -0400

Apparently there are some problems changing your MAC address in versions of OS X 10.5.6 and latter. Stefan Person sent me a note about it, so I added it to the article.

Also, Mubix recently did a presentation for Dojo Sec on getting a job in information security. In it he mentions my article on how to cyber stalk potential employers. Thank much Rob!

OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF)

Sat, 20 Jun 2009 00:00:44 -0400

Link:OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF)
This is a recording of the presentation I gave to the Louisville Chapter of OWASP about the Mutillidae project. A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes. Of course, I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application, and it's written in J2EE (not a layman friendly language). In an attempt to have something simple to use as a demo in my videos and in class, I started the Mutillidae project. This is a video covering the first 5 of the OWASP Top 10.

Louisville Infosec Conference Looking For Sponsors/Speakers

Fri, 12 Jun 2009 23:18:08 -0400

As many of you know, I'm involved with the local ISSA group here in the Louisville area. They are looking for sponsors for the upcoming Louisville Infosec conference (Thursday, October 8, 2009 at Churchill Downs). We had about 250 attendees last year, so it could be a good spot for advertising your company via a booth. One of our keynotes this year is Johnny Long. John Strand and Eugene Schultz should also be presenting. If you are interested in being a sponsor email marketing (at) issa-kentuckiana.org and let them know Adrian sent you. We also may have a few speaker slots open for the breakout sessions, contact chair (at) louisvilleinfosec.com if you have a proposal. For more information, check out the Louisville Infosec Conference site.

Speaking at the OWASP Louisville meeting, June 19th 2009

Wed, 10 Jun 2009 06:19:10 -0400

Hi all, the local OWASP chapter has asked me to speak about the Mutillidae project. While I'd like to cover all of the OWASP Top 10 that it implements, I think there will only be time for the top 5. The description as posted on their site follows:

The second OWASP meeting will feature a presentation from Adrian Crenshaw of Irongeek. Adrian is a Louisville based Security professional that has worked in the IT industry for the last twelve years.

Adrian runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He's currently working on an MBA, but is interested in getting a network security/research/teaching job in academia. Please see the description from Adrian on his presentation on the 19th.

Title: Mutillidae: Using a deliberately vulnerable set of PHP scripts to illustrate the OWASP Top 10 Description: A while back I wanted to start covering more web application pen-testing tools and concepts in some of my videos and live classes. Of course, I needed vulnerable web apps to illustrate common web security problems. I like the WebGoat project, but sometimes it's a little hard to figure out exactly what they want you to do to exploit a given web application, and it's written in J2EE (not a layman friendly language). In an attempt to have something simple to use as a demo in my videos and in class, I started the Mutillidae project.

Mutillidae is a deliberately vulnerable set of PHP scripts meant to illustrate the OWASP Top 10. This talk will cover installing Mutillidae in a test environment, and how to use it to illustrate the OWASP Top 10 web vulnerabilities in easy to understand terms.

Our meeting location will be at Memorial Auditorium, located at 970 S. 4th Street (Corner of 4th Street and Kentucky Street).

ARPFreeze: A tool for Windows to protect against ARP poisoning by setting up static ARP entries

Sun, 7 Jun 2009 00:02:25 -0400

Link: ARPFreeze: A tool for Windows to protect against ARP poisoning by setting up static ARP entries
As many of you know, I've created quite a bit of content about ARP poisoning, such as:

A Quick Intro to Sniffers
Intro to ARP poisoning
Using Cain to do a man in the middle attack by ARP poisoning

I've even done some work on detection:

Decaffeinatid: A Simple IDS/arpwatch for Windows
Finding promiscuous and ARP poisoners and sniffers on your network with Ettercap

This tool is for prevention. ARPFreeze lets you setup static ARP tables so that attackers (using Cain, Ettercap, Arpspoof or some other tool) can't pull off an ARP poisoning attack against you.

XSS, Command and SQL Injection vectors: Beyond the Form

Wed, 3 Jun 2009 19:59:10 -0400

Link: XSS, Command and SQL Injection vectors: Beyond the Form
We are all familiar with XSS via a form field in a web application, but what about other vectors? The article talks about using User Agent strings, even logs, object properties and other odd alternative vectors for XSS, SQL and command injection. What other vectors can you think of?

Another book for the list

Tue, 2 Jun 2009 19:42:28 -0400

Link:Another book for the list
Looks like my site has been mentioned in another book, Security+ Guide to Network Security Fundamentals by Mark Ciampa. Thanks Mark.

In other news, Irongeek.com was a nominee for “Best Technical Blog” at the recent RSA Conference. Congratulations to PaulDotCom for winning the best security podcast award. And while I'm on the subject of great podcasts for infosec folks to listen to, check these out:
http://securabit.com/
http://securityjustice.com/
http://www.exoticliability.com/

802.11 Wireless Security Class for the Louisville ISSA Part 1

Sun, 24 May 2009 19:10:40 -0400

Link: 802.11 Wireless Security Class for the Louisville ISSA Part 1
Originally, this was going to be one 4hr class, but Jeff had something come up so he could not cover WEP/WPA cracking, and my section took so long that Brian never got a chance to present his material on DD-WRT. I'm hoping to get them back to do a part 2 of this video. In this section I cover the basics of WiFi, good chipsets, open file shares, monitor mode, war driving tools, testing injection, deauth attacks and the evil twin attack. Some of this comes out as kind of a stream of consciousness, but hopefully you can find some useful nuggets from my brain dump of what I've learned about 802.11a/b/g/n hacking. As far as classes goes this is the mostly complicated one I've set up, and for a wireless class Brian and I had to run a lot of wires. :)