Punkrokk's Blog

Moved!

2010-02-10T01:40:00.003-05:00

I have migrated over to my own domain and word press here: http://syncurity.net

Finally found a need for Oinkmaster

2010-02-02T00:19:00.001-05:00

I'm sure many of you already know about oinkmaster. Well, I never had a need to use it, and I did today. I am working on a distibuted OSSIM deployment, and I needed to update my snort rules automatically, once a day. After configuring the /etc/oinkmaster.conf file to point to the link for the latest community rules (you can also do the same for the lastest VRT paid for rules) I created this cron job to update my rules, then run a perl script to update correlation, then restart snort and ossim.

Here's the script:

#/bin/sh
/usr/share/oinkmaster/makesidex.pl /etc/snort/rules/ >autodisable.conf
oinkmaster -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
perl /usr/share/ossim/scripts/create_sidmap.pl /etc/snort/rules
/etc/init.d/ossim-server restart

/etc/init.d/snort restart

You can get more background on everything on this thread over at the OSSIM forums.

Pentesting With Backtrack

2010-01-30T01:53:00.000-05:00

So I started the Pentesting with Backtrack (PWB) course from Offensive Security. So far, I like what I see. It has shown some pretty good info so far, and while I probably won't write a comprehensive review, for the cost ($700) is seems very worth it, especially just to get you out of your own head and get a different perspective on Pen Testing. I hope to improve my personal Pen Testing methodology and learn more about Back Track while doing this course.

Black Hat/Shmoocon/Shmoo Labs

2010-01-30T01:42:00.001-05:00

Well, the DC area has a busy week coming up. I unfortunately don't have an employer that will foot the bill for Blackhat DC, but I will be at shmoocon! I am most excited for Shmoo Labs. I have worked with Alien Vault's CTO DK to acquire an OSSIM v2.1 appliance for Shmoo Labs. I'm really excited to learn more about SIM/SEMs and get the opportunity to analyze a real time malicious network. Hopefully we'll get the chance to demo the box to attendees! Bring us t-shirts Alien Vault!

There are also a bunch of good talks at shmoo, especially the keynote "Closing the TLS Authentication Gap." I also am ready to see Larry Pesce speak about his Shmoo Launcher, Ben Smith show us what he's up to with wireless hacking, and the TF2 tourney, which I'll probably enter, but lose famously at!

Finally, the best part about a con like shmoocon is to see some of my friends/acquaintances I've met the past few years at other cons, as well as meet new ones. Make sure to follow me on Twitter, and follow the #shmoocon (and #shmoobus, and possibly #shmooflu ;) hash tags) as you know there will be a few awesome surprises there. And don't forget shmoo-ography (sp?) and the new contest Ghost in the Shellcode (GITS)

See ya at shmoo! and hopefully I'll be doing some live blogging from there... If you can't make it, I hear it will be streamed live on uStream!

Backtrack, Shmoocon Schedule and Defcon price Increase

2010-01-13T01:13:00.001-05:00

Backtrack 4 final is out! (as of yesterday) Woot! Thanks to everyone who puts in hard time creating and maintaining this distro. Download here. New forums and website too! The torrents are the best place to get it right now.

Defcon is going up another $20 to $140, I guess this is to be expected. Another $20 and badge will be twice the cost of the rooms. (Which were more for Defcon 15.)

Finally! Shmoocon schedule up! See you there!

Northeast CCDC

2010-01-11T09:58:00.000-05:00

Took me forever to find this link, so here it is for everyone. Info on the 2010 Northeast Collegiate Cyber Defense Competition (NECCDC)

Anyone going?

RIT SPARSA ISTS this March

2010-01-08T22:53:00.000-05:00

SPARSA (RIT's student run Info Sec Club) -- who also ran the CTF at the Rochester Security Summit - to great fanfare I must add -- it preparing for the 7th annual Information Security Talent Search which will take place March 19-21, 2010 at the GCCIS at RIT. I participated as a student in ISTS 5 in 2006 and it was great fun. It similar to CCDC where you have student teams defending, a white team running things, and a Red Team attacking.

I have the honor of being on the Red Team this year and it should be fun! I'm hoping some sweet exploits come out in February/Early March for us to attack with. In the meantime, I'm brushing up on my Metasploit Foo with the Metasploit Unleashed online tutorial over at www.offensive-security.org.

In the meantime, I'm excited to do shmoolabs at shmoo con as well as see friends and meet people I just know online!

Updating BT 4 Pre from remote-exploit repos

2010-01-01T02:29:00.003-05:00

I decided to create a VM that I can easily copy following these BT4 forum instructions. I'll update this post and let you know how it went.

Things I'm curious about:

How well does the kernel upgrade.
Can i still easily upgrade Fasttrack?
will the bt repo's update smoothly?

Update: DECAF is back!

2009-12-29T17:09:00.001-05:00

Well, according to a decafme.org press release, Version 2 is out. It now supports a whole new set of program detection. Seems the big reason he pulled it was due to its phone home functionality, which wasn't really meant to phone home.

From the press release:
"Version 2 is finished. We are now monitoring Microsoft COFEE, Helix, EnCase, Passware, Elcomsoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. We also give the user the ability to add their own custom signatures. We have also added CD-Rom monitoring. We no longer execute a "self destructive lock-down mode" but rather give the user the ability to execute files, to disable the device where the signatures were found, and start-up in monitor mode."

Anyways... a new tool to play with in VMWare!

Bacon Salt

2009-12-28T20:38:00.001-05:00

In good time I would have made this post anyways -- but I'm going to link to this now! Baconsalt! They also have Baconaise! Yummy!

Exchange 2003 RPC over https

2009-12-28T17:46:00.002-05:00

So I was getting an error similar to this:
/rpc/rpcproxy.dll .com:6004 443 - 4 MSRPC 401 (minus ip address)

I searched hi and low, and after editing the IIS rpc ports and double checking the certificate and authentication settings in IIS6 and Exchange 2003, I found this tool: http://www.petri.co.il/software/rpcnofrontend.zip designed for configuring the registry when you don't have a front end E2k3 server. Turns out what I was doing differently/wrong is I didn't have any reg entries for my external DNS name. I could have sworn that I have not needed that in that past, but it works! Here's the page I found this tool at.

DECAF down! & IIS 6 0-day

2009-12-28T17:37:00.001-05:00

I hope everyone had a good holiday or at least a good few days off!

Well the decaf tool I blogged about a few weeks ago was disabled. The site, http://www.decafme.org/ explains why. Well I'm thrilled he'll bring v2 out shortly, I was a little surprised that it phoned home with usage logs. The sites owner also looks like they have forums up here, although I haven't had a chance to check them out yet...

In other news, the Internet Storm Center stated that MS has responded to the IIS 0 day that is currently proof of concept. I haven't seen any code in the Offensive Security database yet, but expect to soon. The next 2 weeks are probably heaven for IIS Web App pentesters. If MS does release a patch on Black Tuesday in January, be prepared to patch!

Facebook Account Hacking, Phishing, and Weird stuff from FB Friends

2009-12-28T17:29:00.000-05:00

Have you had messages from your friends telling you to look at the video of you from last night? While by now (this was a saved post to write about later...) I haven't had one in awhile, I was wondering what else other Facebook Phishing attempts you have seen lately. It has got to be due to weak passwords, users getting phished, or having their computer p0wned by malware. Comments?

Decaf Coffee

2009-12-15T11:43:00.001-05:00

Most of you probably know about Microsoft's tool they give law enforcement called COFFEE (Computer Online Forensic Evidence Extractor). I read over at the Internet Storm Center that some researchers released some proof of concept code called DECAF (Detect and Eliminate Computer Assisted Forensics). While, it's a cool proof of concept evasion tool, I'm curious to know how a few things work such as the "on the fly power down" (does it just kill the power?)

All in all though, you can check out DECAF here, and if I get a chance to see how it works more I'll update this post.

The Great American Hack-a-thon

2009-12-10T16:05:00.000-05:00

The Center for Innovation at RIT is sponsoring an event that is part of the great american hack-a-thon. It appears that this is a nation event put on by Sunlight Labs and it's great to see RIT taking part in it!

The following projects and more will be worked on:
The Fifty State Project

TransparencyCorps

Sunlight Labs API

Capitol Words

National Data Catalog

CIVX.us

I hope to get a chance to stop by, even with Xmas on the way, and our first real snowfall here in WNY, I'm hoping to get out on my snowboard! =)

Some old (well a few months) book reviews I have written

2009-12-09T19:59:00.001-05:00

I have written a few book reviews for the site www.ethicalhacker.net.

Here is a review of Fyodor's Nmap book, and a review of Raffael Marty's Applied Security Visualization book.

They are both great reads. Alot of Fyodor's book is available here.

SQL Server Backups

2009-12-09T16:56:00.001-05:00

If you are new (or used to SQL 2000) SQL 2005, you may notice that after your first full backup, your transaction logs aren't clearing. I ran into this problem today with one of our SQL 2005 servers. When you do a full backup in SQL 2005, you are only backing up the actual database, not the log files. In order to actually backup the SQL logs for a given db, you need to actually run a separate "Log Backup" job. This will actually backup the logs, and then truncate them, keeping your log files from getting to large. You can backup the logs multiple times in between full backups, say if you are a bank and need to backup logs every 5 minutes. You will need to backup jobs in say Backup Exec to perform this type of backup scheme.

Another type of backup is a "Simple Backup" which actually backups up the db, commits the Transaction logs, and is roughly equivalent to the "Full" that you think of in SQL 2000, (or Exchange) with the logs flushing and maintaining a manageable logfile size. Know though, that when you do simple backup you can only restore a full backup, and can't "roll back" your logs.

Here is a thread with more info on technet, and another resource on technet explaining this in more detail.

We ended up choosing simple, as this is the most hands off approach, and we only ever have a need to restore to the last full backup. You can change from Full to Simple in the options section of an individual database's properties.

Blackhat Info Week "dark Reading"

2009-12-08T16:24:00.002-05:00

So Black Hat and Info Week are sponsoring a dark reading virtual event... will this be another regurgitation of stuff we've already heard? I guess I'll check it out for a bit, since work is busy, but with long waits in between.

I recommend the 12pm session with Winn Schwartau (of hacker jeapordy fame) who is talking about "How Next-Generation Technologies Could Endander your Data." I like hearing Winn speak, so I'm hoping it will be good!

Shmoocon Labs

2009-12-08T14:44:00.001-05:00

Me and my friend Joe Testa of Positron Security submitted to participate in Shmoocon Labs. Basically you show up 36 hours before the con starts, and you setup the con network. You setup the wireless, wired network, network monitoring, and get to play around with stuff in "Mutli Vendor on the Fly Interoperability. Here's the link with the description... anyone going to shmoocon 6 in DC planning on applying?

Good Read via Carnal Ownage

2009-12-08T07:20:00.002-05:00

Well I was catching up on my google reader and I ran into this post by Chris Gates/Carnal Ownage, an acquaintance from security cons: http://carnal0wnage.blogspot.com/2009/11/past-present-and-future-of-security-and.html. I agree with a key tenant shown through out these clips: security researchers tend to forget the lessons they learned last year and move onto the next fad (i.e. from virtualization to iPhones)

I know it's not like we can just come up with a security framework, but as Bruce Potter wrote in his article in Security & Privacy this month: "High Times for Trusted Computing" we need to have a better understanding of what is allowed to run on our computer. UAC didn't work. You continue to be able to exploit the browser, so what will we have to do to really have control over what is run on our systems?

Another excellent point FX makes is that the adults and guru's in the security industry need to take more of an interest in training their successors. I agree with this. I teach at a university and I see a lot of student while yea, they didn't grow up building computers, they did learn most of what's important inside one. The difference is that an education in IT is much easily obtained these days, but there's no way that can replace the interest of a 15 year old plugging away in their bedroom with the appeal of controlling some really powerful computers. (Don't get me wrong... I do see some of them) What's the answer to get the kids thinking more like hackers? Nearly everything that's a great learning expereince into how things work from a "what a teenager has access to" is frowned upon these days (modding your iPhone, your XBox -- at least Sony encourages some PSP and PS3 modding)

Another point brought up was a perception of the futility of Pen Testing. I feel Pen Testing has it's place, and you need to be a smart cookie to be effective at it. Problem is you have rules of engagement. You can only attack what they want you to. You don't have the ability -- like the bad guys -- to actually attack anything you want/can. Chris Nickerson does a great job of thinking outside the box on this topic.

I see the next generation of hackers coming from a grass roots movement; a combination of the internet, hackerspaces and similar spaces, and a willingness of adults to take the time to be role models and transfer some of their knowledge over to the next gen of kids getting ready to enter the field. By the time companies realize they need this breed of kid though, it may be already too late... unless we drastically change our security paradigms and ways of thinking to how we compute (TPM?) and how we approach securing ourselves.

Exchange Client Attachment Documentation

2009-12-07T23:15:00.003-05:00

So we added a new Exchange 2007 server a week ago, and we started to migrate mailboxes over the weekend. So Monday morning (EST) china get's ahold of me stating they can't open attachments in outlook 2003. I think "weird.. I didn't disable anything."

Turns out the settings to disable all (or some) attachments for Outlook Web Access (OWA) Outlook as well. In the Exchange Management Console see (Server Configuration/Client Access/Outlook Web Access/owa (Default Web Site), Public Computer Access/ Enable direct file access, Customize) there are attachment settings that you need to enable (or not disable) in order to open attachments in Outlook 2003 and 2007.

What bother's me is that E2k7 SP2 has this behavior and it's not documented anywhere. :(

Dave Josephsen BGP Hijacking to spam!! cool stuff!

2007-08-04T18:28:00.000-04:00

I'm currently at a presentation by Dave Josephsen who is explaining how if you have a AS Number (meaning you participate in BGP) with a /24 public IP range, that you can hijack someone's /24 for a bit (15 minutes to a few hours) and now he "owns" your IP for a bit. This let's him (since you have a /24 that probably are not on a DNSRBL) so now they can send out a bunch of spam; since your IPs aren't filtered.

For example, here's an example of what's left on the internet. (Really cool picture)

This was done by correlating a spam Honeypot and BGP prefix updates.

More info here! Great talk Dave!

Day 1 wrap up

2007-08-04T15:25:00.000-04:00

So I went to the "Managing your Security Career" in which they had some good points, but it reminded me way too much about a IEEE paper I read a few months ago.

I couldn't get into the Dark Tangent "cicsogate" pres., but I heard it was really good.

We went out to some clubs and I blew about $400 dollars today. Woah! Haven't blown that much in awhile!

I'm now getting settled in for the day of the best presentations!

Tor

2007-08-04T15:22:00.000-04:00

Do you use Tor for your internet surfing? If so, you should!!!

Video of Dateline chick at defcon

2007-08-04T14:51:00.001-04:00

Check this out!