binpoint.com A Security Blog (Stirred with Geek Life)

8 Jun 2010

Quick note on sorting john.pot files

I run John the Ripper on multiple boxes at once by splitting up the input password hash files by type (NT, LanMan, DES, MD5, etc.).

Once I've let the individual systems run for a while, I run reports using john --show. This means I need to combine the john.pot files from each system into a single file of unique entries on the system I'm running the reports on.

So, I ran the (fairly standard) commands:

$ cat john1.pot john2.pot john3.pot > combined.pot

$ cat combined.pot | sort | uniq > john.pot
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL='C' to work around the problem.
sort: The strings compared were `1234567892031276d66b123456789:user' and `abcdefghijklmnop4ab38:l\4327367qrstuvwxyz'.

Oops! I wasn't expecting that command to bomb out like that. To fix the sort, do exactly as sort suggests. Type:

$ export LC_ALL='C'

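Here is the same merge as a small script, written for this post and not part of the original commands. It sets LC_ALL=C for the sort command only (rather than exporting it into the whole shell) and replaces the sort | uniq pipeline with sort -u. The pot files it builds are constructed for the demo; one of them carries a plaintext with a byte that is not valid UTF-8, which is the kind of input that made the sort above bomb out.

```shell
#!/bin/sh
# Added example (not from the original post): merge several john.pot files into
# one de-duplicated pot file with byte-wise sorting, so a cracked plaintext that
# contains bytes invalid in the current locale no longer aborts sort.
# The hashes and plaintexts written below are constructed for the demo.

merge_pot() {
    # $1 = output file, remaining arguments = input pot files
    out=$1
    shift
    # LC_ALL=C selects the POSIX locale for this one command only: sort then
    # compares raw bytes and never tries to decode the lines as UTF-8.
    # -u replaces the "sort | uniq" pipeline from the post.
    LC_ALL=C sort -u "$@" > "$out"
}

# Count the cracked entries in a pot file (one "hash:plaintext" per line).
pot_count() {
    wc -l < "$1" | tr -d ' '
}

# Build three small pot files. john2.pot repeats a line from john1.pot, and
# john3.pot carries a plaintext with a lone 0xD7 byte (not valid UTF-8),
# the kind of input behind the "Illegal byte sequence" error above.
demo_dir=$(mktemp -d)
printf '0123456789abcdef0123456789abcdef:alpha\n' > "$demo_dir/john1.pot"
printf 'fedcba9876543210fedcba9876543210:beta\n' >> "$demo_dir/john1.pot"
printf 'fedcba9876543210fedcba9876543210:beta\n' > "$demo_dir/john2.pot"
printf '00000000000000000000000000000000:ga\327mma\n' > "$demo_dir/john3.pot"

merge_pot "$demo_dir/john.pot" \
    "$demo_dir/john1.pot" "$demo_dir/john2.pot" "$demo_dir/john3.pot"
echo "merged pot has $(pot_count "$demo_dir/john.pot") unique entries"
```

Because LC_ALL is set only on the sort command, the rest of your shell (and john --show itself) keeps its normal locale.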

What's going on here?

I found this reference webpage on Google. Here are the relevant bits:

LC_ALL
This variable determines the values for all locale categories. The value of the LC_ALL environment variable has precedence over any of the other environment variables starting with LC_ (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC, LC_TIME) and the LANG environment variable.

If the LANG environment variable is not set or is set to the empty string, the implementation-dependent default locale is used.

If the locale value is "C" or "POSIX", the POSIX locale is used and the standard utilities behave in accordance with the rules in POSIX Locale, for the associated category.

28 Apr 2010

Network Scanning with nmap

Shopping List
Before we start, make sure you have the following ingredients ready to go:

  • Fyodor’s nmap – The true king of network scanners
  • OpenVAS – The glamor queen of vulnerability assessors

Start Here
The first thing you need to determine is if you will be performing a black box test or a glass box (often referred to as crystal box) test. I will only quickly go over the differences here.

The Fairest Box of All
Black box testing is the "simplest" as you are only provided the IP addresses in scope of the assessment. That’s it. You are not told how many Windows systems to expect, how many firewalls may be in your way or even if an IPS may shut down your scan if you are too aggressive with your timing options (we’ll touch on that later in this article). It is difficult to accurately predict how long this may take as the composition of every network is different. An extreme example: if you are scanning through ocean floor fiber it could take quite some time, since each packet suffers 250 ms+ latency.

Glass box testing is typically much quicker to perform as your client will be providing architectural details of how the network is bolted together. It’s best to ask for network diagrams plus a real live human being to help you decipher them. (I mean seriously, how many UML network diagrams have you seen?) This is important because they may use abbreviations unknown to you, the diagram may not align closely with reality, and all the labels they scribbled on by hand are subject to the lost art that is penmanship. Err, graphmanship.

Scope Up!
Once the transparency of your target environment is agreed upon, you will need to define which portions of the target organization’s network are within scope for the assessment.

Ask for hosts which must NOT be scanned because they will fall over due to poor TCP/IP stack implementations or other programming bugs. Place these into “exclude.list”.

Place the authorized IP address ranges and domains you were provided into “inscope.list”.

Just a Minor Technicality
Ok, we are now ready to dominate the world with our awesomeness! Or at the very least impress your client with a thorough report...

If you are scanning a class B network (10.10.X.X) or smaller, you will likely want to choose -T4 for your speed setting. If you are attempting to map the Internet, stop now. Fyodor has beaten you to it :-)

The Need For Speed
The -n switch will disable DNS lookups, reducing overall start-to-finish time as you no longer need to wait for all those UDP DNS requests and responses to trickle in.

Setting how fast nmap chucks packets onto the network is controlled with:
-T, --scan-delay and --min-hostgroup
-T5 is balls to the wall and -T0 means you never want it to finish...

A safe choice is -T3 (the default) but again you will likely want to use -T4 to save time.

Top Heavy Servers
Scanning for every in-scope IP Address plus 65,535 port combinations to gather an inventory of live hosts could last longer than your contract engagement. You may need to pick 20 to 30 ports. In a perfect scenario, at least one of these ports will be open on every server that you need to find. Use -p to specify destination ports; a good starting list are the following UDP (U:) and TCP (T:) ports:
-p U:53,111,137,T:21-25,80,135,139,443,445,3389,8080

If your client has no idea what services they expect to find on their network, you now have permission to cry like a baby because they will have problems with your report regardless of what you find. T-T
All seriousness aside, thanks to Fyodor’s Internet mapping project I mentioned earlier, you can just substitute the defined list with Fyodor’s results by adding:
--top-ports 30 (where 30 is the number of ports you want to scan)

I Know That Look...
nmap is more than just a simple inventory scanner. It can also guess what the target operating system and its network-accessible service names and versions are. It does this by looking at distinguishing features of a packet or connection (such as what the starting TTL value is or how it responds to an unsolicited RST packet sent to a closed port). This technique is referred to as fingerprinting. If nmap is unsure about a target host, it will guess (and tell you as much), and if it is completely baffled it will politely ask you to submit a fingerprint to add to the nmap database along with what you determine the target to be (by other means).

-sV will attempt to match the name and version of each open network service that is discovered
-O will attempt to match the operating system of target boxen

New Implants
nmap has received some really neat upgrades since version 4.something, such as the ability to run Lua scripts during the scan process. An example:
--script smb-os-discovery

Make sure you are using the latest scripts by running:
nmap --script-updatedb

Putting it all Together

Thus far, we have compiled the following nmap command:

nmap -iL inscope.list --excludefile exclude.list -v -sS -n --reason -T4 --script smb-os-discovery -sV -O --top-ports 30

Sweep 1: I highly recommend swapping out -sS with -sL before you run your final scan. Why? A list of hosts to be scanned is a great piece of information to include in your report to PROVE that you only touched systems that you were expressly authorized to touch. Yes, this is just feeding back information they originally provided you... Hey, this is why consultants get paid the big bucks right?

Sweep 2: swap out -sS with -sP to ICMP scan for which hosts you are able to receive echo replies from. Consider sending this list to your client immediately to verify that you are in the ballpark prior to the "real" scan. Obviously, this can be skipped if a networking device (such as a router or firewall) is dropping all your ICMP echo request probes.

Sweep 3: -sS for the win! This is your traditional half open SYN scan. Nmap will send out a TCP SYN packet to each IP address and port combination as you specified to determine if it returns a SYN+ACK packet, indicating an open port. If it doesn't hear back from the target, it's assumed to be closed. (Yes, this is where the increased timing option pays off.)
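Here are the three sweeps wrapped in a script. This is something I've added for this write-up, not part of the article's original command list. It keeps each sweep's normal output (-oN) under a scan_evidence directory for the report, and after Sweep 1 it checks the host listing against exclude.list so you can show that no excluded host was ever targeted. It assumes exclude.list holds one plain address per line; the directory name, the sweep tags and the report excerpt in the offline demo are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original article): run the three sweeps with the
# article's options, keep each sweep's normal output (-oN) as report evidence,
# and verify from the Sweep 1 listing that no host from exclude.list was
# targeted. Assumptions: exclude.list holds one plain address per line, the
# "scan_evidence" directory and the sweep tags are this example's own choices,
# and the report excerpt in the demo below is constructed.

# Run one sweep. $1 = tag for the output file, remaining args = sweep options.
run_sweep() {
    tag=$1
    shift
    [ -s inscope.list ] || { echo "inscope.list is missing or empty" >&2; return 1; }
    [ -f exclude.list ] || { echo "exclude.list is missing" >&2; return 1; }
    mkdir -p scan_evidence
    nmap -iL inscope.list --excludefile exclude.list -v -n --reason -T4 \
        -oN "scan_evidence/$tag.txt" "$@"
}

# Extract the target addresses from an -oN report. Each target appears as
# "Nmap scan report for 10.10.1.1" (or "... for name (10.10.1.1)" without -n).
report_hosts() {
    awk '/^Nmap scan report for / { h = $NF; gsub(/[()]/, "", h); print h }' "$1"
}

# Exit 0 when every host in the report is absent from the exclude list,
# 1 when an excluded host was listed (the offenders are printed to stderr).
exclusions_honored() {
    # $1 = -oN report, $2 = exclude.list
    hosts=$(mktemp)
    report_hosts "$1" > "$hosts"
    # -F fixed strings, -x whole-line match, -f read the patterns from $2
    if offenders=$(grep -Fxf "$2" "$hosts"); then
        echo "excluded hosts present in $1:" >&2
        echo "$offenders" >&2
        rm -f "$hosts"
        return 1
    fi
    rm -f "$hosts"
    return 0
}

# The three sweeps in order; Sweep 2 and 3 only run once Sweep 1 passed the
# check. Skipped unless nmap and the two scope files are present.
if command -v nmap >/dev/null 2>&1 && [ -f inscope.list ] && [ -f exclude.list ]; then
    run_sweep 1-list -sL &&
    exclusions_honored scan_evidence/1-list.txt exclude.list &&
    run_sweep 2-ping -sP &&
    run_sweep 3-syn -sS --top-ports 30 --script smb-os-discovery -sV -O
fi

# Offline demo on a constructed Sweep 1 report and exclude list.
demo_dir=$(mktemp -d)
printf '10.10.1.3\n' > "$demo_dir/exclude.list"
cat > "$demo_dir/1-list.txt" <<'EOF'
# Nmap scan initiated (constructed excerpt)
Nmap scan report for 10.10.1.1
Nmap scan report for 10.10.1.2
Nmap scan report for 10.10.1.3
# Nmap done: 3 IP addresses (0 hosts up) scanned
EOF
if exclusions_honored "$demo_dir/1-list.txt" "$demo_dir/exclude.list"; then
    echo "exclude list honored"
else
    echo "exclude list NOT honored, stop and fix the scope files"
fi
```

The -oN files are what you attach to the report; the exclusions_honored check is the evidence that --excludefile did what the client asked before any packets went to live hosts.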

Wrapping Up

If you are running up against an IPS blocking your aggressive scans by sending you RSTs or dropping your packets silently, try setting -f to fragment (split up) your packets to a smaller portion of their maximum transmission unit (MTU) or size. This may just be enough to fool (or crash) that pesky IPS into letting them all pass on their merry way for total target box domination. Make sure you have permission to try this from the client first...

This was intended to be a pick-up-and-go article and not dig too deep into how network scanning works nor the intricacies of nmap. If you want WAY more info than I've provided here, I highly recommend buying Fyodor's nmap book. If you can't spare a few bucks, it's also available online for free.

Stay tuned for Part 2, which covers OpenVAS.

15 Feb 2010

iPhone: Harbinger of Doomsday Malware

The security guy voice in my subconscious has been yelling at me to pay attention to the iPhone for a while now and that’s been bothering me.

As Information Security professionals must focus on threats they are charged to defend against, it’s beneficial for them to acknowledge what the attack vectors of tomorrow might be to better prepare for them today.

Proposition: iPhone user? You're pwned.

Yes, that is quite a blanket statement. Give me a minute to back up that statement with my evidence.

Let’s start with motivations:

  • Authors of malware (malicious software) do so to make money by capturing your resources (bandwidth or storage)
  • Malware programmers will choose a target based on the amount of bang for their buck (or time)

Some statistics:

44 million Apple iPhones have been sold to date (and that's not counting iPod Touches)

iPod Touch sales now outpace iPhone sales, so let's assume a one for one iPod Touch sold for each iPhone sold to date. Windows XP was released in 2001 and hit 153 million units within the first 3 years of its release.

Conclusion 1: iPhone OS is as popular as Windows XP was 2001-2003

So far, we’ve established that the iPhone & Mac platforms are a realistic target. Let’s take a look at what vulnerabilities on iPhones look like. I have assembled a list of some of the bad vulnerabilities that have been found and patched to date. Keep in mind that these have all been discovered since the iPhone was announced in summer 2007.

Arbitrary remote code execution:
• Receiving a maliciously crafted SMS message
• Playing a maliciously crafted mp4, AAC or MP3 audio file
• Visiting a maliciously crafted website
• Viewing a maliciously crafted PNG or TIFF image
• Viewing a maliciously crafted MPEG-4 video
• Opening a maliciously crafted PDF file
• Accessing a maliciously crafted FTP server

Interception & redirection:
• Susceptible to DNS cache poisoning and may return forged information
• Predictable TCP initial sequence numbers may lead to TCP spoofing or session hijacking
• Look-alike characters in a URL could be used to masquerade a website
• A remote attacker may cause a device reset (via crafted ICMP Ping)

Breach of Privacy:
• Apps can read another app's data
• User names and passwords in URLs may be disclosed to linked sites

Unauthorized Local access:
• An unauthorized user may bypass the Passcode Lock and launch iPhone applications via Emergency Call
• Deleted email messages may still be visible through a Spotlight search
• Passwords may be made visible via undo
• A person with physical access to a locked device may be able to access the user's data

Now here comes the real shocker...

In nearly 3 years of availability, the Apple iPhone OS has had 104 security vulnerabilities identified and patched, while Microsoft Windows XP had 86 security vulnerabilities patched in its first 3 years.

In the same amount of time after release, the iPhone had 18 more security patches than Windows XP did. To skew the number even further, 27 (twenty seven!) of those Windows XP Patches were replaced by another patch so technically there were only 59 patches for Windows XP in the first three years.

Conclusion 2: The iPhone is a more vulnerable target than infant Windows XP was (pre SP2!)

Finally, let’s review what sensitive personal information is stored on these devices and is at risk of being leaked.

  • GPS Location
  • Safari History
  • AutoComplete data
  • Call History
  • YouTube History
  • Emails
  • Text Messages
  • Address Book
  • Pictures
  • Name
  • Phone Number
  • Birthday

Conclusion 3: the iPhone is a sexy, well-organized, treasure trove of personal information, ripe for theft or abuse


This would suggest that the early iPhone 0-day attacks will be spear phishing high profile users such as celebrities, business leaders or government officials.

What do you think?

If you found this article useful, please show it by following my blog.


14 Feb 2010

John the Ripper Password Cracking Now Obsolete

The days of using John the Ripper are numbered. Soon, you will perform your password cracking and password strength audits using security tools that utilize the GPU cores in high performance gaming video cards.

Why?

Gaming video cards are designed to churn through metric tons of floating point operations per second; hence the common metric GFLOPS (giga floating point operations per second). To accomplish this, modern boards come with dozens to hundreds of GPU cores which can run data crunching tasks in parallel.

An astute reader would point out that password hashing algorithms are devised to run on CPU cores which excel in integer operations, not floating point operations.

Luckily for us security folks, the number of processing units on the gaming video boards are so high, they can provide orders of magnitude improved performance versus traditional CPU based password crackers.

Can you recommend any GPU based password cracking tools that could replace JTR today?

11 Dec 2009

SANS 502 – Get Your GIAC GCFW Cert in Burbank, CA


SANS 502 - Firewalls, Perimeter Protection & VPNs is an undiscovered gem in the SANS armada of training offerings. It's an excellent overview of technologies and concepts that any entry level Information Security professional going into a corporate environment needs. While it may not be as sexy as the penetration testing classes SANS also offers, it definitely still holds value for anyone who plans (or ends up) responsible for protecting a corporate network environment. This class corresponds to the GIAC GCFW certification. Personal comments aside, here's the flyer SANS has just sent out:

Please join me in Burbank, CA starting on February 11 for SANS Security 502: Firewalls, Perimeter Protection & VPNs. Experience this local class and SANS award winning security training first hand in the popular Mentor format! For complete course details and registration information, please click on http://www.sans.org/info/45104.

Register by December 15th and receive $500 towards any single course* in 2010. Enter the discount code "BYE09" in step 3, group discount code. Instructions to redeem your $500 award will be sent to you upon receipt of your paid registration.

Benefits of the Mentor Program https://www.sans.org/mentor/about.php are:

  • Save 25% off the regular SANS tuition fee with the ability to save even more with group discounts (see below)
  • No need to spend money on travel outside of your local area
  • Small, locally run 10 week classes utilizing the same great SANS courseware presented at larger conferences
  • Evening classes do not conflict with daytime commitments
  • Direct, hands on contact with a qualified Mentor

The Mentor program reviews the courseware at a slower pace giving the student more time to learn the material. Students can apply the class material the next day when they return to the office and bring questions back to the Mentor each week!

"The SANS Mentor program is a great value. It allowed a learning environment that was local, with a knowledgeable instructor, and fellow like minded individuals.  All of this without having to travel!"
- Sean Nixon - Fidelity National Information Service

EXTRA TUITION DISCOUNTS are available for 2 or more students who register from the same organization. To obtain the Group Discount fee for this course, please contact Heather Kohls directly at mentor@sans.org PRIOR to registering with your company name and contact information of those wishing to attend.

Discover the quality training only The SANS Institute has to offer and register today!  Once again, for complete course details, course outline and to register, visit http://www.sans.org/info/45104.

17 Nov 2009

Metasploit Framework 3.3 Released Today


The Metasploit Framework 3.3 was released today (Tue, Nov 17th.)

Tons of bug fixes and more exploits for us to play pentest with!

(via SANS Internet Storm Center.)

17 Nov 2009

Strong Contender for Worst Idea of the Year: Adobe Flash 10.1 Adds Hardware Video Acceleration


I'm not claiming to be an expert on how Macromedia / Adobe Flash is bolted together nor its security architecture, however adding an API to allow any website to stream HD video directly to the video card sounds like a terrible idea, on a level of badness equal to ActiveX. Makes you wonder what the QA cycle for video card drivers is like.

Luckily, Adobe has only announced support for this new reason to keep all of us security folks employed (HD video acceleration) on Microsoft operating systems at this time.

(Feature announcement via Lifehacker.)

Oh, and here are some performance benchmarks from AnandTech.

17 Nov 2009

Top 10 Risks to Web Applications

OWASP has published a release-candidate report of the top 10 risks they foresee to web applications in 2010.

Summary:

  1. Injection
  2. Cross Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Failure to Restrict URL Access
  8. Unvalidated Redirects and Forwards
  9. Insecure Cryptographic Storage
  10. Insufficient Transport Layer Protection

14 Sep 2009

Selecting Anti-Virus Software for Home

"I purchased X Anti-Virus for my Home PC last year and unimpressed, let it expire. Which anti-virus product should I purchase now?"

I get asked this question a lot. Below is how I typically answer it, in the hope that someone out there will find it useful as a template for responding to similar questions.

10 Mar 2009

X10 Smarthome Security


I've been looking into home automation gadgets like X10 for quite some time now. My interest in home automation revolves around reducing power consumption, recording anomalous events with cameras as evidence, and because I'm super lazy and only like doing things once (but the right way) and want my CFLs to flick on when I stumble in after a long day at work. I also want to build a DIY BIDS: Burglar Intrusion Detection System.

I even admit to visiting my local library and borrowing books on the subject solely with the goal of pimping the geek out of my home. So did I find true trekkie bliss, full of motion sensing lighting, sexy sounding verbal computer readouts, intelligent power management and enhanced security?