inside the man

Thursday, December 22, 2005

SANS Hacker Techniques review

This is an overview post for the series of daily reviews of the SANS Hacker Techniques, Exploits, and Incident Handling course that I have been posting.

You can read the daily posts here:

Overall, I found the course was extremely valuable. A couple of tips:
  • Do not miss the final day.
  • Bring a powerful laptop that preferably dual boots between Windows and Linux, or else bone up on VMware configuration.

  • Topics: Incident response procedures, reconnaissance, scanning, exploiting, keeping access, covering tracks
  • Overall value: 4 out of 5
  • Coolness: 5 out of 5

Wednesday, December 21, 2005

SANS Hacker Techniques - day 6

Capture the flag for hackers. This completely hands-on day was so amazing that it made up for any other deficiencies in the course. If you must miss a day of the course, do not miss day 6.

Here is the setup: a star-configured LAN. Off each of the eight ports of the central switch hung a six-port hub, the team hubs. Each team of two to five students plugged their laptops into their team hub and configured their NICs according to particular settings, one subnet per team. On one hub, however, were four IBM laptops, the targets, each of which held a text file in its root directory whose name began with "flag" (e.g. flag1.txt). The four targets were also on their own subnet. Within each of these flag files were hints to discover the secret fifth flag. While connected to the game LAN, players were allowed no other external connections (i.e. no hotel wireless), although players were permitted to disconnect from the LAN, leave the war room, download tools or Google exploits, then return.

I was on a team of three with two RCMP tech-crime officers. One of them was a veteran of these sorts of exercises and a wizard with the Metasploit Framework. I came ready with an array of password sniffing and cracking tools, thinking that was a wise addition to my colleague's skillz. Our third team member was openly out of his element, being much more comfortable with forensics. While my decision to prepare for good old-fashioned password attacks would serve the team well, my decision to use Windows as an attack platform would not.

Before the game started, the instructor went over the ground rules (such as no attacking or DoSing the other teams), the simulated publicly available information on the targets (whois and Google search results), and other preliminaries. The instructor's speech was interrupted by one student's ZoneAlarm going off to report that his computer was under attack (or at least heavy scan) from four IP addresses on our game LAN! In a moment four names were called and four students were led out of the room for a stern talking-to, although they were eventually allowed to return. Meanwhile the game began.

I squandered the first hour or so of the exercise trying to get nmap to work under Windows. I never did find out exactly what was wrong. Was it wpcap? Was it a network driver issue? Who knows. While I struggled with this, my teammate drew first blood. His stated strategy was not to bother with vulnerability scanning at all: just find a listening TCP port or two and start hitting them hard with Metasploit (his personal favourite). This paid off as he demonstrated to the instructor that he had flag 1 in hand. I then took my teammate's advice, turned my back on Windows, and inserted the Knoppix-STD boot CD. This advice was pure gold (and Knoppix-STD is a sweet set of tools).

Without my technical issues holding me back, I completed my nmap scan in seconds and turned my attention to password attacks against an attractive-looking box running telnet and ftp, with the help of my forensics-focused RCMP teammate. Our Metasploit jockey continued his exploit onslaught on his own. After a quick review of the whois information, we had some potential passwords to try. The second account that I tried had a blank password! Without further ado, I was in via telnet, straight to the root directory, and opening flag4.txt, which happened to be world readable. While several other teams had found flag 1, 2, or 3 at this stage, I was the first to hit flag 4! I have to admit that this made me feel awfully good.

The host that I had gained user-level access to was a Linux box that was not using shadow passwords, so the hashes sat in the world-readable /etc/passwd. In moments, I had used the running ftp service to transfer the password file to my laptop for cracking. I took a moment to seed John the Ripper's default wordlist with a few tidbits garnered from the publicly available information, and John was on his way. Meanwhile, we confirmed that the user account that got me to flag 4 did not have a blank password on the next host with login services running, in this case ssh and telnet. However, in less than a minute, John had recovered the password for another user from the flag 4 host. Sure enough, this got me into the next box, also running Linux, and directly to the root directory where flag 3 resided. Unfortunately, flag 3 was readable only by root, and, to make matters worse, this box did properly employ shadow passwords. However, as luck would have it, I stumbled across a world-readable copy of the shadow file in the root directory. The instructor told me afterwards that this was there to simulate common shoddy administrative practice. Soon this file was also fed to John, which shortly recovered another password...
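
The two things that handed out flag 4 and the hashes, a blank password field and hashes left sitting in /etc/passwd, are easy to audit for. Here is an added example of my own (not code from the course or this post) that classifies passwd entries and counts offenders over a constructed sample file held in memory. The enum names and the sample lines are mine; the world-readable copy of shadow that turned up next would need a separate permission check (stat and S_IROTH), not shown here.

```c
#include <stdio.h>
#include <string.h>

/* What the second (password) field of a passwd entry tells you. The enum
   names are mine, constructed for this example. */
enum pw_state {
    PW_MALFORMED = -1,
    PW_SHADOWED = 0,     /* "x": the hash lives in /etc/shadow, as it should */
    PW_BLANK = 1,        /* "": anyone can log in with an empty password */
    PW_HASH_EXPOSED = 2, /* a hash in world-readable passwd: no shadow passwords */
    PW_LOCKED = 3        /* "*" or "!...": no password login possible */
};

/* Parse one "user:pw:uid:gid:gecos:home:shell" line. Copies the user name
   into user (NUL-terminated, truncated to userlen-1) and classifies pw. */
enum pw_state classify_passwd_line(const char *line, char *user, size_t userlen)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (!c1 || !c2 || userlen == 0)
        return PW_MALFORMED;

    size_t ulen = (size_t)(c1 - line);
    if (ulen > userlen - 1)
        ulen = userlen - 1;
    memcpy(user, line, ulen);
    user[ulen] = '\0';

    size_t plen = (size_t)(c2 - c1 - 1);
    if (plen == 0)
        return PW_BLANK;
    if (plen == 1 && c1[1] == 'x')
        return PW_SHADOWED;
    if (c1[1] == '*' || c1[1] == '!')
        return PW_LOCKED;
    return PW_HASH_EXPOSED;
}

/* Walk a whole passwd file held in memory (newline-separated lines), print
   each offender and count the two findings that gave up flags above.
   Returns the total number of offending accounts. */
int audit_passwd(const char *text, int *blank, int *exposed)
{
    char line[512], user[64];
    const char *p = text;

    *blank = 0;
    *exposed = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;   /* over-long line: keep the head, drop the rest */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {
            switch (classify_passwd_line(line, user, sizeof user)) {
            case PW_BLANK:
                (*blank)++;
                printf("BLANK PASSWORD: %s\n", user);
                break;
            case PW_HASH_EXPOSED:
                (*exposed)++;
                printf("HASH IN passwd: %s\n", user);
                break;
            default:
                break;
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return *blank + *exposed;
}

/* Constructed sample, not from any real host; the "hash" is a placeholder. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin\n"
    "guest::1001:1001:Guest:/home/guest:/bin/sh\n"
    "ftp:$1$notreal$FAKEHASHFORTHISEXAMPLE:1002:1002:FTP:/var/ftp:/bin/sh\n"
    "svc:!:1003:1003:Service:/home/svc:/bin/sh\n";

int main(void)
{
    int blank, exposed;
    int bad = audit_passwd(SAMPLE_PASSWD, &blank, &exposed);
    printf("%d offending account(s): %d blank, %d with hash in passwd\n",
           bad, blank, exposed);
    return bad ? 1 : 0;
}
```

On a live box the same logic applies to the real file (fopen("/etc/passwd")); pair it with a check that /etc/shadow and any copies of it are mode 0600 or 0640, since a world-readable shadow is exactly as bad as no shadow at all.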

Cutting to the finish, this is as far as our team got. A team from a Quebec university was the only team to find all four flags and the fifth bonus flag.

Overall, it was spectacular to test drive a few of the tools that we had talked so much about. This final exercise tied the entire course together and demonstrated the clear value of the many hours of lecturing that we endured.

  • Day: Day 6
  • Topics: Capture the flag
  • Tools (at least the ones I used): nmap, John the Ripper, hydra, Metasploit Framework, nessus
  • Overall value: 5 out of 5
  • Coolness: 5 out of 5

Friday, December 16, 2005

SANS Hacker Techniques - days 4 and 5

Days 4 and 5 of the course were in many ways more of the same as Day 3: great material, and lots of it, with only brief, simple hands-on exercises from time to time (between two and four exercises daily). One of the more interesting exercises was cracking password hashes with John the Ripper. Another was seeing how many anti-virus programs were fooled by simply opening tini in a hex editor and changing the port on which it listens. The Covert_TCP file transfer was also fascinating: essentially it transfers data one byte at a time inside TCP/IP header fields. I'd like to see your IDS pick that up!
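
A concrete version of the Covert_TCP idea, as an added example of my own and not the tool's code: one byte of the message per packet, stuffed into the 16-bit IP identification field, a decoder for the receiving side, and the sort of crude check an IDS could run over a flow's IP IDs. The packing used here (byte in the high half of the ID, low half zero) is my assumption, since the tool's exact scheme is not shown on this page; packet construction is left out and the functions work on the ID values alone. The sample message and the "normal" counter-style IDs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sender side: one payload byte per packet, placed in the high byte of the
   16-bit IP identification field (low byte left zero; my packing, an
   assumption). Returns the number of "packets" produced. */
size_t covert_encode_ipid(const char *msg, uint16_t *ids, size_t max_ids)
{
    size_t n = strlen(msg);
    if (n > max_ids)
        n = max_ids;
    for (size_t i = 0; i < n; i++)
        ids[i] = (uint16_t)((unsigned char)msg[i] << 8);
    return n;
}

/* Receiver side: recover one byte from each packet's IP ID. The output is
   NUL-terminated; returns the number of bytes recovered. */
size_t covert_decode_ipid(const uint16_t *ids, size_t n, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    if (n > outlen - 1)
        n = outlen - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(ids[i] >> 8);
    out[n] = '\0';
    return n;
}

/* Defender side: a crude heuristic for a flow. Real IP ID generators are
   counters or random, so a run of at least min_packets IDs that all have a
   zero low byte AND decode to printable text deserves a look. Returns 1 if
   the flow is suspicious, 0 otherwise. */
int covert_ipid_suspicious(const uint16_t *ids, size_t n, size_t min_packets)
{
    if (n < min_packets)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if ((ids[i] & 0x00ffu) != 0)
            return 0;
        int b = ids[i] >> 8;
        if (!isprint(b) && b != '\n')
            return 0;
    }
    return 1;
}

int main(void)
{
    uint16_t ids[64];
    char out[64];
    /* Constructed: a secret and a plausible counter-style sequence of IDs. */
    size_t n = covert_encode_ipid("flag4", ids, 64);
    const uint16_t normal[6] = {0x1a2b, 0x1a2c, 0x1a2d, 0x1a2e, 0x1a2f, 0x1a30};

    for (size_t i = 0; i < n; i++)
        printf("packet %zu: ip.id = 0x%04x\n", i, ids[i]);
    covert_decode_ipid(ids, n, out, sizeof out);
    printf("decoded: %s\n", out);
    printf("covert flow flagged: %d, normal flow flagged: %d\n",
           covert_ipid_suspicious(ids, n, 4),
           covert_ipid_suspicious(normal, 6, 4));
    return 0;
}
```

The detector is only a heuristic: a sender that spreads the byte across both halves of the ID, or randomizes the unused bits, walks straight past it, and some IP stacks already use random IDs, so a production check would need per-host baselining of what "normal" IDs look like rather than the fixed rule above.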

Unfortunately, I missed a significant portion of the afternoon of Day 4 due to a combination of illness and client demands. Again, over these two days, the balance of lecture to hands-on seemed to be off, although the content of the lectures continued to be detailed, wide-ranging, well researched, and more than a little frightening.

  • Day: Days 4 and 5
  • Topics: Password cracking, getting a shell, worms, web app attacks, DoS, backdoors, app level trojans, backdoor wrappers, rootkits, hiding files, covering tracks in logs, covert networking, more stego
  • Tools: brutus, hydra, Cain and Abel, Rainbow Crack, SYSKEY, John the Ripper*, PAM, shred, netcat*, phatbot, SQL Slammer, OWASP suite of tools, Achilles, Paros, Windows at command, CpuHog, Ping of Death, Rose, Smurf, synflood, Tribe Flood Network 2000, tini*, VNC, WinVNC, Sub7, Back Orifice 2000, Setiri, wrappers, burneye, Ollydbg, LRK, AFX, Solaris kernel-mode rootkit, KIS, Adore, FU, Rootkit Revealer, LADS*, WinZapper, reverse www shell, Loki, Covert_TCP*, cd00r, s-tools, stegdetect, xsteg (In the appendix but not discussed: red button, campas, aglimpse, crack, lc5, GetAdmin, SecHole, NetMeeting Buffer Overflow, Tooltalk Buffer Overflow, IMAPd Buffer Overflow, WinNuke, land, redir, SMBRelay, TBA Palm OS War Dialer, QAZ, T0rnkit, RDS, jolt2, DumpSec, Trin00, knark)
  • Overall value: 3 out of 5
  • Coolness: 4 out of 5

* Starred items were part of hands on exercises.

Thursday, December 15, 2005

SANS Hacker Techniques report - day 3

Day 3 entered the dark realm of exploiting systems. While we dealt with a wide variety of fascinating material, the balance between lecture and exercise was off today. There was a lot of lecturing about topics that, let's face it, are difficult to lecture about, like buffer overflows. First off, it is difficult material that cannot be explained quickly. It would be great to step through some actual running software, walking and jumping down the stack, but this is not an assembly language class. Somebody should, and maybe already has, come up with a way to visualize the process of a buffer overflow in animated form.

The two main exercises were very interesting, involving remote command execution using netcat. However, both exercises were about, well, netcat, one on Windows and one on Linux. This was a bit of a letdown when there are so many other cool tools under discussion. I was itching to take the Metasploit Framework for a ride, or to man-in-the-middle my neighbour's TLS session with the dsniff webmitm tool, but alas, it was not to be.

Here is a fun and safe format string attack to try out from the Windows command line (sort evidently passes the bogus file name through as a printf-style format string, so each %x is filled in from whatever happens to be on the stack):

C:\> sort %x%x%x
7c812ca900The system cannot find the file specified.

Now try adding a few more percent x's and watch the hex grow!
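
The same bug in C, as an added example that is not part of the original post: the file name is pasted into a message and that message is then handed to snprintf as its format string, so the user's %x directives are honoured, beside the fixed version where the format is a literal and the name is only ever data. The two "stack" values are constants I chose so the output is repeatable; a real printf would print whatever happened to be in registers or on the stack, which is why the hex in the sort output above looks like an address.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for "whatever is lying around on the stack". Fixing them keeps
   the example well-defined and repeatable (constructed for this example). */
#define STACK_WORD_A 0xdeadbeefu
#define STACK_WORD_B 0xcafebabeu

/* Vulnerable: builds the message with the file name pasted in, then passes
   the result to snprintf AS THE FORMAT STRING, so any %x (or %n, %s) the
   user typed is interpreted. This is the pattern behind `sort %x%x%x`.
   Returns snprintf's result; the message lands in out. */
int not_found_vulnerable(char *out, size_t outlen, const char *filename)
{
    char msg[256];
    snprintf(msg, sizeof msg, "%s: The system cannot find the file specified.", filename);
    /* BUG: msg is attacker-controlled. Only two directives are "backed" by
       real arguments here; a third %x, or a %s, reads unspecified memory. */
    return snprintf(out, outlen, msg, STACK_WORD_A, STACK_WORD_B);
}

/* Fixed: the format string is a literal; the user's text is only ever data. */
int not_found_fixed(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "%s: The system cannot find the file specified.", filename);
}

/* Cheap input check for code that must hand user text to printf-style APIs
   it does not control: refuse anything containing a '%'. Returns 1 if the
   string carries a directive, 0 otherwise. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[512];
    const char *evil = "%x%x";   /* constructed input, like the sort example */

    not_found_vulnerable(out, sizeof out, evil);
    printf("vulnerable: %s\n", out);
    not_found_fixed(out, sizeof out, evil);
    printf("fixed:      %s\n", out);
    printf("input carries a directive: %d\n", contains_format_directive(evil));
    return 0;
}
```

Compiling with -Wformat-nonliteral (gcc or clang) flags the vulnerable call because the format is not a literal; with -Wformat-security alone it slips through here because arguments are present. Reading stack words is the benign half of the bug: a %n in the input turns the same call into a write.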

  • Day: Day 3
  • Topics: Exploiting systems, IP spoofing, sniffing, session hijacking, DNS cache poisoning, backdoors, buffer overflows, protocol and parser problems, hiding payloads, steganography
  • Tools: ethereal, snort, Sniffit, Dsniff, hunt, TTYWatcher, IP-Watcher, Ettercap, jizz, Zodiac, netcat*, Metasploit, inetd, tftp, ADMutate, Hydan, printf format strings*
  • Overall value: 3 out of 5
  • Coolness: 4 out of 5

* Starred items were part of hands on exercises.

Wednesday, December 14, 2005

SANS Hacker Techniques report - day 2

On day two, the discussion moved on to the lifecycle of a networked computer attack, and we got to use some tools! At a high level, the life cycle of an attack is:
  • Step 1: Reconnaissance
  • Step 2: Scanning
  • Step 3: Exploit Systems
  • Step 4: Keeping Access
  • Step 5: Covering the Tracks

After providing this overview, Day 2 focused on Reconnaissance and Scanning. Essentially, the course explored methods and techniques for "casing the joint" in order to identify potential targets, then probing those potential targets for promising attack vectors. There were a number of hands-on exercises that you carried out on your own isolated laptop, using both Linux and Windows. You could either set up your laptop to dual boot, or use a provided VMware Linux image with a 30-day demo of VMware Workstation.

While the material did not cover a great deal of new ground for me, it is fundamental material that all infosec practitioners, and many other IT professionals, need to know. On the downside, it would have been more interesting to try out these recon and scanning tools on a private LAN instead of just on your own host. Overall, it was a good day. I wonder how many of my classmates returned their NetBIOS and Media Sense settings to their pre-enum-exercise state? I know I did.

  • Day: Day 2
  • Topics: Trends, Ethics, Attack life cycle, Reconnaissance, Scanning
  • Tools: whois, DNS, Google, SiteDigger, Sensepost, Sam Spade, THC-Scan, NetStumbler*, Wellenreiter, Hotspotter, ASLEAP, Cheops-ng, traceroute, nmap*, IP Personality, tcpdump*, p0f2, Firewalk, FragRouter, FragRoute, Nessus*, SATAN, Nikto, Whisker, the Windows net command*, enum*
  • Overall value: 4 out of 5
  • Coolness: 3 out of 5

* Starred items were part of hands on exercises.

SANS Hacker Techniques report - day 1

There are roughly 40 hardened computer geeks in the class. Each has his or her (there are two women in the class) laptop and the corresponding web of power, USB, and other cables. The students are a varied lot from the US and Canada, ranging from techies from start-up infosec firms, to university security techs, to consultants such as myself.

I took a seat in the back row at a long table with four other occupants - two RCMP cyber-cops to my left and two Cisco pre-sales guys on my right. I should note that there are one or two disruptive influences in the class as well. These one or two, whom I will not identify, have an irritating tendency to monopolize class time. Not by asking too many questions as you might expect, but by offering up their half-informed opinion on every topic of discussion. I suppose they are trying to assert their self-perceived position of alpha geek.

Day one, Monday, focused entirely on incident response and was essentially the preparation session for the corresponding GIAC certification exam. The course material was a thorough overview of SANS recommended incident handling practices.

This was good, solid material that everyone in the class needs, even if they were a little anxious to get their hands on some tools by the end of the day. Unfortunately, there was no effort to include any Canadian law in the discussions of computer crime law, rules of evidence, privacy legislation and so on. For the price of the course, SANS should be able to put together a few slides of Canadian material. (SANS - I am available to write course material on a contract basis.)

Here are a couple of entertaining anecdotes from the class:
  • "I don't think that it is morally right to ask users to remember 14-character passwords" - anonymous student
  • I asked the RCMP officer beside me if they use keystroke loggers. He responded in a serious tone, "I cannot answer that question." and regarded me with a dead-pan glare. Then he broke into a smile, "Just kidding. Of course we do!"

  • Day: Day 1
  • Topics: Incident handling
  • Tools: none
  • Overall value: 3 out of 5
  • Coolness: 1 out of 5

Update: I was mistaken. Individuals wishing to challenge the GIAC GCIH certification must master the entire six days of course material, not just the first day.

Structured blogging


"Structured Blogging is a way to get more information on the web in a way that's more usable. You can enter information in this form and it'll get published on your blog like a normal entry, but it will also be published in a machine-readable format so that other services can read and understand it. Think of structured blogging as RSS for your information. Now any kind of data - events, reviews, classified ads - can be represented in your blog."


King Kong review

CBC Radio One Toronto:

"Kong is the Belgian chocolate of eye-candy."

Tuesday, December 13, 2005

Near death experience on Air Canada (audio)

On flight 178 from Edmonton to Toronto, the man sitting in front of me had what appeared to be a mild heart attack or stroke. I will never get to hear the final medical assessment of what happened to "Jerry" on the flight, but I was not alone in believing that he might actually die in the seat in front of me.

Audio post (around 4 minutes).

Monday, December 12, 2005

SANS Hacker Techniques report

I just completed day one of the much-lauded SANS 504 Hacker Techniques, Exploits and Incident Handling course at SANS Toronto 2005. I will be providing daily reports here, but for tonight I must retire early as my Sunday evening flight was a little more harrowing than anticipated. I will elaborate further tomorrow, but here is a summary of my experience so far.

Air Canada flight 178 from Edmonton to Toronto on Sunday, December 11, 2005. Man in seat 12D nearly dies in flight. I was sitting in 13D. I can confirm that it is not only in movies that flight attendants pick up the intercom and say, "If there is a medical doctor on the plane, please identify yourself to the flight crew."

SANS 504.1: Incident Handling. It was a somewhat dry day spent poring over standard incident handling procedures and example scenarios. It was disappointing that an expensive session such as this could not cover Canadian legal material.

Again, more on today and yesterday, and tomorrow, tomorrow. Did that make sense?


Saturday, December 10, 2005

40,000 free go game records

Following on the emotional and verbose controversy over the copyright of electronic Go game records that has been raging in and elsewhere for a while, Go software developer Frank de Groot of MoyoGo fame has started a free professional Go game collection that has now exceeded 40,000 games in SGF format. This is a spectacular idea. Go software vendors should focus on putting together great software to attract customers instead of relying on the scarcity of game records to make their living. Hopefully this will jump start a new wave of innovation in Go software.


Thursday, December 08, 2005

Google Desktop godsend or spyware?

I am not embarrassed to say it, I love Google Desktop. It has changed the way I work for the better in a way that has not been matched since WYSIWYG word processing became readily available. However, like many, I am very concerned by Google Desktop's threat to my privacy. Not only does Google Desktop index every web transaction that I make (other than those at URLs that I have explicitly excluded), every document I have, every email I send or receive, it caches it! This can be a blessing when I am trying to find something from long ago, but it is also a pretty complete log of my online life that I am not comfortable with others having access to.

Mathew Schwartz has published this interesting list of steps to managing Google Desktop securely from an enterprise risk management perspective:

  1. Use an enterprise DSE. Google Desktop is like instant messenger software: if you don't explicitly block it, it's guaranteed to be on some users' PCs, therefore consider centrally managing it. Desktop Search for the Enterprise, Google's administrator-controlled version, has a Group Policy control. It also enables centralized distribution and adds the ability to search Lotus Notes e-mails. Microsoft's WDS also offers centralized administration tied to group policies.
  2. Encrypt the index file. To secure the actual Google Desktop index -- in case an attacker manages to grab it -- set the Group Policy preference to "encrypt index." Note this only works on NTFS volumes.
  3. Change the index file's location. Beyond encrypting the index file, administrators can also change its default location, which makes it more difficult for an attacker to grab it.
  4. Disallow Google Desktop on PCs with shared login names. For PCs with multiple users, Google Desktop creates a different index for each user, mitigating many privacy and sensitive information-sharing concerns. However, in organizations where multiple employees share a computer and use the same username and password, prohibit the use of Google Desktop. If you don't, each user's Web sessions will be added to a centralized index.
  5. Disable HTTPS indexing. By default, Google Desktop indexes all cached Web pages, even if they're secure (HTTPS). Deactivating the "secure Web pages (HTTPS)" preference will prevent the indexing of sensitive information. Most other DSEs do not offer such functionality.

Wednesday, December 07, 2005

How to hijack a podcast

There is an interesting story about a hijacked podcast at eWeek. It includes details of how a vegan podcaster's feed was hijacked and held for ransom. From the article:

"The manner in which the purported hijacking occurred exemplifies the fact that RSS feeds are far more vulnerable to squatters than Web site domains. The method doesn't require stolen passwords or other overtly illegal methods.

Rather, it merely involves finding a target Podcast and creating a unique URL for it on a Web site that the hijacker can control. The hijacker then points his URL to the RSS feed of the target Podcast.

Next, the hijacker does whatever it takes to ensure that, as new Podcast engines come to market, the page each engine creates for the target Podcast points to the hijacker's URL instead of to the Podcast creator's official URL."


Tuesday, December 06, 2005

New go aggregation site online

Go Aggregator goes live!

There really is a wealth of English language Go / Weiqi / Baduk news, games, discussions, and blogs on the net now, and far too many English speaking go enthusiasts limit their online time to a Go server like KGS or IGS and Sensei's Library. While these places are great - in fact, they are spectacular - there is a lot more Go online that many would enjoy. So, with a little help from Blogger, Feedburner, and Feeddigest, I have put together Go Aggregator to help Go players find and stay on top of the incredible online Go resources that change daily. Check it out.


Terrorism, police, and the NYC subway

There has been an interesting debate over the past couple of days between the authors of the Concurring Opinions blog regarding the wisdom of police conducting random searches on the NYC subway system. The debate centres on whether such searches:
  • Will catch terrorists before they complete their attacks,
  • Will frighten terrorists away from the subway system by the show of power, or
  • Will not impact terrorism but make New Yorkers feel better.
Interesting reading.

Here is an interesting factoid (is this actually true?) from the discussion,

"Measured by its post-9/11 budget and personnel, the NYPD outranks all but nineteen of the world's standing armies."


Friday, December 02, 2005

The ethics of selling nothing

Temple University law professor David Hoffman invites us to consider whether selling an empty box, and describing it as just that, for $611 USD constitutes some form of fraud. From his post:

"This is the PREMIUM BUNDLE BOX only. It would include bonus accessories, if it were the actual PREMIUM XBOX 360! DOES NOT Come with 20GB Hard Drive, Console, HD Cables, Wireless Controller, Headset! In other words for those of you who do not understand, YES YOU ARE GETTING AN EMPTY BOX SO DO NOT ASK! Great for gags! DO NOT bid if you don't intend to buy! No excuses, I will not retract bids for you! You will be reported to eBay if you backout after winning the auction. I Cannot be more clear! This is not even a factory made xbox 360 box. I made it myself, just a few minutes ago. It does not contain an Xbox 360 console, just the Xbox 360 home-made box. this box is great hand made by me says XBOX right on it[.] It doesn't look anything like the picture I included in the auction. It looks much better, in my opinion."

Geist challenges politicians on privacy

In an update on the never-ending Sony rootkit saga, Michael Geist challenges Canadian politicians to make privacy an election issue. Also, if you are a Canadian whose computer is infected with the Sony rootkit, Geist wants to hear from you. Could he be building a class action lawsuit (if that term even applies in Canadian law)?

"Given all the prior revelations, Canadian action is now long overdue. There is ample evidence to warrant investigations from both the Competition Bureau and the Privacy Commissioner of Canada. Moreover, with the election campaign now in full swing, the various parties should take a stand on what they intend to do about deceptive use of DRM and whether they support much-needed legal protections from DRM. This fiasco has laid bare the dangers of the recording industry' s support for DRM to consumers, artists, and retailers. With thousands of Canadians likely affected (if you are one, I'd like to hear from you), Canadian authorities can no longer sit on the sidelines."


About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.
