I run john the ripper on multiple boxes at once by splitting up the input password hash files by type (NT, LanMan, DES, md5, etc.)

Once I’ve let the individual systems run for a while, I run reports using  john - -show. This means I need to combine the john.pot files from each system into a unique file on the system I’m running the reports on.

So, I ran the (fairly standard) commands:

$ cat john1.pot john2.pot john3.pot > combined.pot

$ cat combined.pot | sort | uniq > john.pot
sort: string comparison failed: Illegal byte sequence
sort: Set LC_ALL=’C’ to work around the problem.
sort: The strings compared were `1234567892031276d66b123456789:user’ and `abcdefghijklmnop4ab38:l\4327367qrstuvwxyz’.

Oops! I wasn’t expecting that command to bomb out like that. To fix the sort, do exactly as sort suggests. Type:

$ export LC_ALL=’C’

What’s going on here?

I found this reference webpage on Google. Here’s the relevant bits:

LC_ALL

This variable determines the values for all locale categories. The value of the LC_ALL environment variable has precedence over any of the other environment variables starting with LC_ (LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC, LC_TIME) and the LANG environment variable.

If the LANG environment variable is not set or is set to the empty string, the implementation-dependent default locale is used.

If the locale value is “C” or “POSIX”, the POSIX locale is used and the standard utilities behave in accordance with the rules in POSIX Locale , for the associated category.

Related posts:

1. John the Ripper Password Cracking Now Obsolete
2. Complete Unix Cron Job Crib Sheet
3. AUC #2: ls

Shopping List
Before we start, make sure you have the following ingredients ready to go:

• Fydor’s nmap – The true king of network scanners
• OpenVAS – The glamor queen of vulnerability assessors

Start Here
The first thing you need to determine is if you will be performing a black box test or a glass box (often referred to as crystal box) test. I will only quickly go over the differences here.

The Fairest Box of All
Black box testing is the “simplest” as you are only provided the IP Addresses in scope of the assessment. That’s it. You are not told how many Windows systems to expect, how many firewalls may be in your way or even if an IPS may shut down your scan if you are too aggressive with your timing options (we’ll touch on that later in this article.) It is difficult to accurately predict how long this may take as the composition of every network is different. An extreme example is if you are scanning through ocean floor fiber it could take quite some time when each packet suffers 250ms+ latency.

Glass box testing is typically much quicker to perform as your client will be providing architectural details of how the network is bolted together. It’s best to ask for network diagrams plus a real live human being to help you decipher them. (I mean seriously, how many UML network diagrams have you seen?) This is important not only because they may use abbreviations unknown to you or how closely the diagram aligns with reality or even all the labels they scribbled on by hand are subject to the lost art that is penmanship. Err, graphmanship.

Scope Up!
Once the transparency of your target environment is agreed upon, you will need to define the scope of which portions of the target organization’s network is within scope for the assessment.

Ask for hosts which must NOT be scanned as they will fall over seizing due to poor IP/TCP stack implementations or other programming bugs. Place into “exclude.list”

Place the authorized IP address ranges and domains you were provided into “inscope.list”

Just a Minor Technicality
Ok, we are now ready to dominate the world with our awesomeness! Or at the very least impress your client with a thorough report…

If you are scanning a class B network (10.10.X.X) or smaller, you will likely want to choose -T4 for your speed setting. If you are attempting to map the Internet, stop now. Fydor has beaten you to it

The Need For Speed
The –n switch will disable DNS lookups, reducing overall start to finish time as you no longer need to wait for all those UDP DNS request / responses to file in.

Setting how fast nmap chucks packets onto the network is controlled with:
-T, –scan-delay and —min-hostgroup
-T5 is balls to the wall and –T0 means you never want it to finish…

A safe choice is –T3 (the default) but again you will likely want to use -T4 to save time.

Top Heavy Servers
Scanning for every in-scope IP Address plus 65,535 port combinations to gather an inventory of live hosts could last longer than your contract engagement. You may need to pick 20 to 30 ports. In a perfect scenario, at least one of these ports will be open on every server that you need to find. Use -p to specify destination ports; a good starting list are the following UDP (U:) and TCP (T:) ports:
-p U:53,111,137,T:21-25,80,135,139,443,445,3389,8080

If your client has no idea what services they expect to find on their network, you now have permission to cry like a baby because they will have problems with your report regardless of what you find. T-T
All seriousness aside, thanks to Fydor’s Internet mapping project I mentioned earlier, you can just substitute the defined list with Fydor’s results by adding:
–top-ports 30 (where 30 is the number of ports you want to scan)

I Know That Look…
nmap is more than just a simple inventory scanner. It can also guess what the target operating system and it’s network accessible service names and versions are. It does this by looking at distinguishing features of a packet or connection (such as what the starting TTL value is or how it responds to an unsolicited RST packet sent to a closed port.) This technique is referred to as fingerprinting. If nmap is unsure about a target host, it will guess (and tell you as much) and if it is completely baffled it will politely ask you to submit a fingerprint to add to the nmap database along with what you determine the target to be (by other means.)

-sV will attempt to match the name and version of each open network service that is discovered
-O will attempt to match the operating system of target boxen

New Implants
nmap has received some really neat upgrades since version 4.something such as the ability to run lua scripts during the scan process. An example:
–script smb-os-discovery

Make sure you are using the latest scripts by running:
nmap —script-updatedb

Putting it all Together

Thus far, we have compiled the following nmap command:

nmap –iL inscope.list —excludefile exclude.list –v –sS –n —reason –T4 —script smb-os-discovery –sV –O —top-ports 30

Sweep 1: I highly recommend swapping out –sS with –sL before you run your final scan. Why? A list of hosts to be scanned is a great piece of information to include in your report to PROVE that you only touched systems that you were expressly authorized to touch. Yes, this is just feeding back information they originally provided you… Hey, this is why consultants get paid the big bucks right?

Sweep 2: swap out –sS with –sP to icmp scan for which hosts you are able to receive echo replies from. Consider sending this list to your client immediately to verify that your are in the ballpark prior to the “real” scan. Obviously, this can be skipped if a networking device (such as a router or firewall) is dropping all your icmp echo request probes.

Sweep 3: -sS for the win! This is your traditional half open SYN scan. Nmap will send out a TCP SYN packet to each IP address and port combination as you specified to determine if it returns a SYN+ACK packet, indicating an open port. If it doesn’t hear back from the target, it’s assumed to be closed. (Yes, this is where the increased timing option pays off.)

Wrapping Up

If you are running up against an IPS blocking your aggressive scans by sending you RSTs or dropping your packets silently, try setting –f to fragment (split up) your packets to a smaller portion of their maximum transmission unit (MTU) or size. This may just be enough to fool (or crash) that pesky IPS into letting them all pass on their merry way for total target box domination. Make sure you have permission to try this from the client first…

This was intended to be a pick up and go article and not dig too deep into how network scanning works nor the intricacies of nmap. If you want WAY more info than I’ve provided here, I highly recommend buying Fydor’s nmap book. If you can’t spare a few bucks, it’s also available online for free.

Stay tuned for Part 2, which covers OpenVAS.

Related posts:

1. Thousands of Sacrificial Lambs
2. Writing a DNS sniffer
3. Detecting bad TCP sessions

As Information Security professionals must focus on threats they are charged to defend against, it’s beneficial for them to acknowledge what the attack vectors of tomorrow might be to better prepare for them today.

Proposition: iPhone user? You’re pwned.

Yes, that is quite a blanket statement. Give me a minute to back up that statement with my evidence.

Let’s start with motivations:

• Authors of malware (malicious software) do so to make money by capturing your resources (bandwidth or storage)
• Malware programmers will choose a target based on the amount of bang for their buck (or time)

Some statistics:

44 million Apple iPhones have been sold to date (and that's not counting iPod Touches)

iPod Touch sales now outpace iPhone sales, so let's assume a one for one iPod Touch sold for each iPhone sold to date. Windows XP was released in 2001 and hit 153 million units within the first 3 years of it's release

Arbitrary remote code execution:
• Receiving a maliciously crafted SMS message
• Playing a maliciously crafted mp4, AAC or MP3 audio file
• Visiting a maliciously crafted website
• Viewing a maliciously crafted PNG or TIFF image
• Viewing a maliciously crafted MPEG-4 video
• Opening a maliciously crafted PDF file
• Accessing a maliciously crafted FTP server

Interception & redirection:
• Susceptible to DNS cache poisoning and may return forged information
• Predictable TCP initial sequence numbers may lead to TCP spoofing or session hijacking
• Look-alike characters in a URL could be used to masquerade a website
• A remote attacker may cause a device reset (via crafted ICMP Ping)

Breach of Privacy:
• Apps can read another Apps data
• User names and passwords in URLs may be disclosed to linked sites

Unauthorized Local access:
• An unauthorized user may bypass the Passcode Lock and launch iPhone applications via Emergency Call
• Deleted email messages may still be visible through a Spotlight search
• Passwords may be made visible via undo
• A person with physical access to a locked device may be able to access the user’s data

Now here comes the real shocker…

In nearly 3 years of availability, the Apple iPhone OS has had 104 security vulnerabilities identified and patched, while Microsoft Windows XP had 86 security vulnerabilities patched in it’s first 3 years

In the same amount of time after release, the iPhone had 18 more security patches than Windows XP did. To skew the number even further, 27 (twenty seven!) of those Windows XP Patches were replaced by another patch so technically there were only 59 patches for Windows XP in the first three years.

Conclusion 2: The iPhone is a more vulnerable target than infant Windows XP was (pre SP2!)

Finally, let’s review what sensitive personal information is stored on these devices and is at risk of being leaked.

• GPS Location
• Safari History
• AutoComplete data
• Call History
• YouTube History
• Emails
• Text Messages
• Address Book
• Pictures
• Name
• Phone Number
• Birthday

Conclusion 3: the iPhone is a sexy, well-organized, treasure trove of personal information, ripe for theft or abuse


This would suggest that the early iPhone 0-day attacks will be spear phishing high profile users such as celebrities, business leaders or government officials.

What do you think?

If you found this article useful, please show it by following my blog.

source source source source

Related posts:

1. A Romance Flowchart: When Is It Inappropriate to Use Your iPhone?
2. Pretty graphs for the malware detection (ftw?)
3. Windows Tune Up! (type: Auto-magic)

The days of using John the Ripper are numbered. Soon, you will perform your password cracking and password strength audits using security tools that utilize the GPU cores in high performance gaming video cards.

Why?

Gaming video cards are designed to churn through metric tons of floating point operations per second; hence the common metric gflops (giga floating point operations per second.) To accomplish this, modern boards come with dozens to hundreds of GPU cores which can run data crunching tasks in parallel.

An astute reader would point out that password hashing algorithms are devised to run on CPU cores which excel in integer operations, not floating point operations.

Luckily for us security folks, the number of processing units on the gaming video boards are so high, they can provide orders of magnitude improved performance versus traditional CPU based password crackers.

Can you recommend any GPU based password cracking tools that could replace JTR today?

Related posts:

1. Quick note on sorting john.pot files
2. Strong Contender for Worst Idea of the Year: Adobe Flash 10.1 Adds Hardware Video Acceleration
3. Fedora 9 Review (Mini-Edition)

SANS 502 – Firewalls, Perimeter Protection & VPNs is an undiscovered gem in the SANS armada of training offerings. It’s an excellent overview of technologies and concepts that any entry level Information Security professional going into a corporate environment needs. While it may not be as sexy as the penetration testing classes SANS also offers, it definitely still holds value for anyone who plans (or ends up) responsible for protecting a corporate network environment. This class corresponds to the GIAC GCFW certification. Personal comments aside, here’s the flyer SANS has just sent out:

Register by December 15th and receive $500 towards any single course* in 2010. Enter in the discount code “BYE09″ in step 3, group discount code.  Instructions to redeem your $500 award will be sent to you upon receipt of your paid registration.

Benefits of the Mentor Program https://www.sans.org/mentor/about.php are:

• Save 25% off the regular SANS tuition fee with the ability to save even more with group discounts (see below)
• No need to spend money on travel outside of your local area
• Small, locally run 10 week classes utilizing the same great SANS courseware presented at larger conferences
• Evening classes do not conflict with daytime commitments
• Direct, hands on contact with a qualified Mentor

The Mentor program reviews the courseware at a slower pace giving the student more time to learn the material. Students can apply the class material the next day when they return to the office and bring questions back to the Mentor each week!

“The SANS Mentor program is a great value. It allowed a learning environment that was local, with a knowledgeable instructor, and fellow like minded individuals.  All of this without having to travel!”
- Sean Nixon – Fidelity National Information Service

EXTRA TUITION DISCOUNTS are available for 2 or more students who register from the same organization. To obtain the Group Discount fee for this course, please contact Heather Kohls directly at mentor@sans.org PRIOR to registering with your company name and contact information of those wishing to attend.

Discover the quality training only The SANS Institute has to offer and register today!  Once again, for complete course details, course outline and to register, visit http://www.sans.org/info/45104.

Related posts:

1. Metasploit Framework 3.3 Released Today
2. Quick note on sorting john.pot files
3. Writing a DNS sniffer

The Metasploit Framework 3.3 was released today (Tue, Nov 17th.)

Tons of bug fixes and more exploits for us to play pentest with!

(via SANS Internet Storm Center.)

Related posts:

1. Fedora 10 Released
2. OS X 10.5.5 Update Released
3. SANS 502 – Get Your GIAC GCFW Cert in Burbank, CA

I’m not claiming to be an expert on how Macromedia / Adobe Flash is bolted together nor it’s security architecture, however adding an API to allow any website to stream HD video to directly to the video card sounds like a terrible idea on the level of badness equal to ActiveX. Makes you wonder what the QA cycle for video card drivers is like.

Luckily, Adobe has only announced support of this new reason to keep all us security folks employed HD Video Acceleration for Microsoft operating systems at this time.

(Feature announcement via Lifehacker.)

Oh, and here’s some performance benchmarks from anandtech

Related posts:

1. John the Ripper Password Cracking Now Obsolete
2. Motor Trend Car Of The Year: 2010 Ford Fusion
3. Fedora 9 Review (Mini-Edition)

Summary:

1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Failure to Restrict URL Access
8. Unvalidated Redirects and Forwards
9. Insecure Cryptographic Storage
10. Insufficient Transport Layer Protection

Related posts:

1. Minority Report Computer is Real
2. Spam is unpredictable
3. Motor Trend Car Of The Year: 2010 Ford Fusion

I get asked this question a lot. I provide below how I typically answer it, hoping that someone out there will find it useful as a template for your responses to similar questions to which you must respond.

BEGIN EMAIL REPLY:

Hi So and So,

First of all, great question.

While I typically recommend home users to select security software products from well known commercial vendors, most of these are large companies that structure their pricing model to force you to repurchase their new version every year instead of simply renewing your subscription. As a consolation prize, you get any new features added each year.

Your customer service experience (or lack thereof) is sadly typical for large software companies; the best way to avoid outsourced call-center style support is to choose a boutique software company that hasn’t a large enough customer base to decide outsourcing customer support as viable. If customer support isn’t something you plan to use and commercial security software feels too expensive, there are a number of companies that release free home-use only versions of their software.

Finally, as far as how to select a new anti-virus solution, I unfortunately put a lot of trust into tech review websites such as CNET. When selecting products, typically user reviews for software as complicated as anti-virus provide little insight to how good it really is as experiences vary from person to person. With a tech journal, you at least know they sampled many products. The downside is they only get to it every year or two, so the ratings may be based on last years version.

That said, here’s a link to CNET’s Anti-Virus review page as a starting point.

Here is a link to CNET’s top rated Anti-Virus software which includes free home-use products.

Hope that helps! Happy hunting.

Regards,
Tom

Related posts:

1. Free OSX Tools I Use Everyday
2. Computer Security At Hotels
3. 7 Reasons Why You Should NOT Eat Breakfast

I’ve been looking into home automation gadgets like X10 for quite some time now. My interest in home automation revolves around reducing power consumption, recording anomalous events with cameras as evidence and because I’m super lazy and only like doing things once (but the right way) and want my CFL’s to flick on when I stumble in after a long day at work. I also want to build a DIY BIDS: Burglar Intrusion Detection System.

I even admit to visiting my local library and borrowing books on the subject solely with the goal of pimping the geek out of my home. So did I find true trekkie bliss, full of motion sensing lighting, sexy sounding verbal computer readouts, intelligent power management and enhanced security?

Fat chance. In fact, I have to wonder if any information security kung fu has been applied to this home automation stuff at all.

Looking at this list of criticisms makes Microsoft’s spotty past suddenly look peachy.

For those who haven’t looked into the X10 home automation technology, let me introduce you to a couple of it’s significant figures:

• 256 – The number of unique addresses that are possible using X10
• 16 – Unique transmittable commands
• 4096 – Total number of unique packets
• 0.75 seconds – Time it takes to transmit one X10 packet
• 42 – Number of bikini clad girls on the X10.com website in GIF image glory (unnecessary!)
• 1 hr – Worst case total time it takes to transmit every unique X10 packet towards your neighbors house using a $9.99 X10 universal remote since both X10 RF or OtW transmissions may bleed to neighboring circuits

For example: if two X10 devices (say your glass vibration sensor and motion detector) transmit within a second of each other, the message is garbled, bringing your Jura F90 Ethernet Coffee Pot to boil right when that burglar breaks in to your computer room instead of the Star Trek: TNG Red Alert Klaxon you deny purchasing. Granted, X10 was developed in 1975 but Ethernet has been around nearly as long and it handles transmission collisions just fine. A little piece of mind regarding retransmissions would be nice.

What really worries me about deploying an X10 home is how easy it is to cause mayhem. It’s like guessing the IP Address of computers on a class C LAN (ie: 192.168.1.XXX.) How long will it take to transmit all commands to all X10 IDs using a perl script and a X10 enabled laptop? Really.

In addition, most of these devices do not have backup batteries and are knocked offline during blackouts. While I’m interested in +5-ing the geek of my home, I’m not going to do it because I value sleeping more. And also because my girl gave me “the look” when I brought it up.

So please, please, please let me know if you know of any hacks to fix these issues or if you can suggest a better product.

P.S. Doesn’t it make you wonder about automobile remote entry systems? I wonder how long it really takes to transmit every possible unlock code for every car manufacturer? What are your observations?

Related posts:

1. Computer Security At Hotels
2. Writing a DNS sniffer
3. Spam is unpredictable