Sketchymoose's Blog

Perl Script to Look for Meterpreter with Volatility Output

2012-02-11T19:23:00.001-05:00

So I do not know if you guys read my blog posting which talked about memory analysis.One of the things I mentioned was looking for dll's meterpreter uses in processes where they normally should not be. That was based on a post originating from Command Line Kung Foo (we're not worthy! we're not worthy!). So I had to do some meterpreter stuff for work and decided I would do a blog posting about forensics about it.One of the things I did was a memory dump and ran the dlllist module. I started using Mandiant's Highlighter (a pretty awesome tool, wish I started using it sooner) and started to get a bit lazy. I thought.... wouldn't it be awesome if there was a script which would list all processes and then if they used either rsaenh.dll or iphlpapi.dll....

So as I am not feeling too well and sitting here watching my hockey team even though I am +5 from the east coast, I decided why not write a script to do just that. It's not hard!

So here you have my Meterpreter Finder Script!

Its pretty easy to navigate. If you are running from Windows, make sure you have ActiveState Perl installed. It asks for your input file (your dlllist output from Volatility) as well as where you want to direct the output to.


Entering Your Input/Output

It should not take too long and you should then be presented with the following screen. This reminds you which processes uses the two dll's regularly (and valid usage too).

Script Done!

So the output file is not pretty by any means but it gets the jo(r)b done.

Snippet of Output File

So I know there are many ways to do this, YARA would probably work, another meterpreter script, a bit more fiddling with Highlighter... so just consider this (yet another) possibility to quickly see what processes are running these two dll's. If you see the dll's being used by a process other than the normal ones listed and you are unsure if they are normally used... run the program on a known clean system, do a memory dump then run volatility module dlllist and check the process yourself.

Mounting E01 and VMDK in Linux

2012-02-03T11:01:00.000-05:00

So I know there is plenty of documentation out there, but it always seems I have exceptions where these things never work 100% like that are supposed to. Hence I figure why not throw one more HOWTO to the mix, so if someone encounters the same issues they do not have to fret.

E01 files--
So the SANS blog covers this pretty well so I feel no need to expound on it too much. Here are my suggestions:

Switch to root right away and save the heartache
When using the mount command and mounting a NTFS, set the type as ntfs-3g
I noticed SiFT 2.1 does not have ewfmount, has a better backup tool been installed in its place?

VMDK files--

So I had been pointed to a post on Digensics, but I had problems starting with mmls. I first discovered I had to add the '-i aff' parameter to get mmls to determine the disk structure of the vmdk file. And I do not know why, but mounting just was not working, even trying different options.

Sadly... I get this error a lot

I needed to figure out a workaround. I found it here: the Virtual Disk Development Kit from VMWare. Download for your appropriate OS (in my case Linux), untar the file, then run the perl script 'vmware-install.pl'. Let her rip! This installs a few useful tools for us, but the one I am most interested in vmware-mount. You can see the documentation here.

So once the VDDK is installed you can invoke the vmware-mount command. The basic parameters it takes are:

vmware-mount diskPath [partition number] mountPoint

Read the documentation or just run 'vmware-mount' to see all the paramters it accepts. A useful one for forensics is the read-only parameter (-r). So I simply pointed it to my vmdk file and where I wanted it mounted on my Linux workstation.

Currently Trying to Figure Out How to Fix the Error... Still the Command DID Execute Successfully

So now if you have created snapshots, you can only modify the last one, which in my case is 000022.vmdk, so it is telling me 'Sorry I can only mount the one you are asking for as read-only'. Which is fine for me!

The whole point of this was being able to run log2timeline-sift on more than just DD files, I think timeline is a great asset to have when you have a case. Running the tool seemed to work pretty well (ie no errors), but I might just test it but running all the commands myself and comparing the output. Has anyone ran into discrepancies between the automated and the DIY process of log2timeline?

UPDATE: If you get the same VixDiskLib error I did, check out this message board posting. Benichou's fix worked for me, pointing the links to the correct library. Score.

Gathering More Data: SNMP

2012-01-27T12:28:00.001-05:00

So let's say we run Nessus (a vulnerability scanner available in BT) against some machines and we see SNMP running. Now lets say Nessus comes back with "SNMP Agent Default Community Name".. you just got yourself another treasure trove of information :)

Hang on, what is SNMP anyways? SNMP is Simple Network Management Protocol. This is used to help monitor network devices, including routers, switches, workstations (pretty much anything which can get SNMP installed on it) From Microsoft:

You can use SNMP in environments that include large networks with hundreds or thousands of nodes that would otherwise be difficult and costly to monitor. SNMP allows monitoring of network devices such as servers, workstations, printers, routers, bridges, and hubs, as well as services such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS).

So it definitely is useful in a network environment, however when in the wrong hands and not locked down properly, it can be used against you. Maybe its better to show you what I mean :) To the Backtrack cave!

I will show you two tools on BT5 which we can use to enumerate devices on the network via SNMP. The first one is SNMPEnum. Its parameters are:

snmpenum.pl

Well if Nessus returned telling us SNMP is running with default community name, we know that is 'public' (Nessus tells you that too, but so would Google). The tool comes with three config files: cisco.txt, windows.txt and linux.txt, choose whichever device you are scanning. Let's fire up wireshark and see what is going across the wire....This will fire up a lot of traffic. Lets focus on the first two packets.

How I Ran the command

SNMP packets are also called PDUs (Protocol Data Units)

What the heck are those numbers?! Those are object identifiers (OID), which is used to call an object in a predefined structure, which in this case is called Management Information Base (MIB). You can do a search of OID's here. So what is this one? Well lets follow it on the website. The first number (top level) is 1... which is ISO (International Organization for Standardization). Ok, click that... next number is:

3 - ISO Identified Organization
6 - US Department of Defense
1 - Internet
2 - Management Section
1 - MIB 2 (not the movie)
25 - Host Resources

Blast we ran out of lookups, luckily, this site lists all the OIDs in the MIB-2 schema. Which a quick ctrl-f gives us: hrSWInstalledName.... all of that to get the name of installed software :) Or we could have looked at the windows.txt file too, which lays it out in plain english for us (phew).

Windows config file

Luckily the get-response is a bit easier to decipher than the request:

Part of the SNMP Response

So we see here we have 10 responses in this packet. We have our base number (1.3.6.1.2.1.25.6.3.1.2.n, where n is 1 and is incremented with every answer for that question. We also see the answers are in readable text (well wireshark converts them from hex for us). Here is a screen shot of te UDP stream for us, the RED is our BT instance (request) and BLUE is the intended victim (response).

UDP Stream in Raw

I know slightly confusing, just think of it as a very complicated way (for us) of checking whats running on machines :)

SNMPenum shows us the following:

running processess
installed software
system info
hostname
domain
uptime
users
shares
disks
services
listening TCP ports
listening UDP ports

Pretty awesome considering we have not even pwned the box yet! All of this for free-- and can be used to increase your attacks on a machine.

SNMPwalk is similar to SNMPenum, however its output is much more verbose and not formatted to look pretty like SNMPenum. However this one is a bit better if you are trying to follow the requests/responses in wireshark. For example, I was confused when I looked at the PDU why it went up to n=108, there definitely are not 108 programs installed on my machine. However looking at the output of SNMPWalk showed me it was returning multiple attributes of the installed software, such as installed dates, what type of software it is, etc. If you want generalities, go for SNMPenum- you want as much information as possible? SNMPwalk. The basic usage is:

snmpwalk -c -v

If you know the OID you want to look up (like the one above), SNMPwalk can only run that one. Below is a quick screenshot of snmpwalk in action.

SNMPwalk output snippet

I should also say here that SNMP version 3 does not have its community name in the clear, so unless you know (or *cough* bruteforce *cough*) the community name these will not work. You should also not be able to do this from outside the internal network.... should.

You can do a whole lotta stuff with SNMP, check out SecurityProNews for more information.Its especially good if you find a router, as seen with Viveks videos.

I will post my findings from snmpenum on pastebin (here it is!) so you see what output can look like, but I suggest you guys go out there and try it yourselves! How do you think this could be used against the victim?

Creation of Database in Metasploit

2012-01-20T02:00:00.002-05:00

So sometimes you gotta whole lotta hosts you need to run a scan against. Its hard to keep track of them all, so I have created a video showing how to create tables in Metasploit on Backtrack 5.

A few notes about the video:

I tried using the xvid codec and it would not work... still tweaking the recording on my test machine so apologies about the sound quality.
I go off on a tangent around minute 8 (read: so if all you care about is the database you can switch it off) about a script I wrote which grabs tables from the database and outputs each table to a file for you. The point of this script was to have something (not in XML) which I could view the information in (ie a spreadhseet program). It is still a work in progress, so it still does not output super pretty like I want it too (especially db_vulns) but I think its a step in the right direction! I also realized I think my method of search/replace would have worked had I clicked 'Match Entire Cell Contents' in Excel... oh well.
I am still interested in getting Dradis to work so if anyone has had any luck getting it on BT5 to import the Metasploit database please let me know! Doing some Googling it seemed like issues with Ruby?
I would be remiss here if I did not talk about Vivek's Metasploit Megaprimer over at Securitytube.net. It is an amazing collection of videos. I hope my blog does not follow his videos too closely, as I will be focusing on finding exploits and vulnerabilities, while his focuses on the amazing power of Metasploit (ie what you do AFTER you pwned someone). Very cool, very worth a watch! Also the metasploit unleashed I discussed earlier is also pretty good at explaning the capabilities of metasploit.

Girl, Unallocated made me aware of Forensic4cast Awards are going on. Now there are a lot of good guys and gals out there with some awesome blogs,books, and podcasts. This is your way of telling the world just how awesome they really are. There are a bunch of different catagories to choose from, so vote for your favs!

For something completely different, I am running a half marathon (I know right) in April and have started training for it. Please bear with me as I am now trying to do work (the thing I get paid for), train, and blog (which helps me in my job but still kinda need to do in my off hours).

Next post I will stick with Metasploit and research services for potential vulnerabilities and exploits. The I will move onto web sites and applications. Stay tuned!

Banner Grabbing: Whats Running!

2012-01-16T16:45:00.000-05:00

So--- let me output the result of some ICMP, TCP, and UDP scans of my victim. I am using Nmap here, but you can use whichever scanning tool you are comfortable with.

If you just type nmap on the console you will get a pretty detailed help with all the switched nmap can run. Lets first start with a ICMP Echo scan... -PE, we are adding -sn , which disables port scanning for now.

ICMP Echo Scans

So we scan our network and discover ourselves (192.168.0.5) and another host 192.168.0.10. We have to be wary of ICMP scans, and ICMP is generally quite restricted on networks, especially when scanning from outside the network. Let's see if we can do a TCP port scan to see what TCP ports are open on our potential victim. Let's go with the TCP Syn Scan (-sS).

TCP SYN Scan

Oh wow what a find! Nmap says we have FTP, SMTP (mail), web, SMB (port 445) AND an MSSQL server! Apparently this user never though of breaking up server functions onto different machines... lucky for us :-)

So now we should figure out what versions those services are running if we can. This was we can research and determine if they are running exploitable versions. So before I show you a way with nmap, I am going to quickly go to an old friend of mine, netcat. So netcat is a great tool which I highly recommend having in your arsenal, it can be used to scan for hosts, set up connections (valid and not so valid) between two machines, allows a remote shell to be shoveled to you from your victim, and even grabs banners for you :) If you want to do all this over a encrypted connection, well there is cryptcat.

Ok so lets do a banner grab for port 25, the SMTP mail service.

NetCat

So the command is quite easy here... the '-v' stands for verbose (I am being EXTRA verbose, using double v's). Then I enter the IP and the port I am querying. As you can see, we found a Microsoft ESMTP MAIL service, Version 6.0.2600.5512, which according to wikipedia, is Exchange 2000. A quick google search takes me to a Securiteam wepage, showing the exploits in Version 6 of ESMTP.

Lets see what wireshark says:

Wireshark Output of Netcat Banner Grab

So we see out three way handshake being established and then our potential victim responding with an SMTP packet and what version it is running. You can actually set this up so the version is not displayed, giving you a little buffer protection from script kiddies. I should also point out that not every port will respond with things like this when you establish a connection, it is only certain protocols and software.

One more for fun, lets try port 80. For this one we need to interact with the prompt to get output, but its quite easy. So first we connect:

NetCat - Port 80

As you can see, we have a prompt waiting for input, so we type in 'GET HTTP', which should get us the information we are looking for.

NetCat - Querying Port 80

So this gives us our Web Server, IIS 5.1. Again, a quick google search reveals a few candidates we could try against this web server. This is looking promising!

Ok now onto something a tad more automated,nmap again has a switch for service detection (-sV). Lets run that on our host and see what it returns:

Nmap -sV parameter

So, as you can see, life is just a tad easier with that little command, here is our banner grabs done automatically for us! Hooray! It even guessed based on responses what OS we are running! If you want nmap to cull deeper in OS detection, try -O on your command line. Nmap uses a lot of the header packet fields to make a guess as to the OS, for more information, check out the namp website.

So, thats all well and good, but what if you have multiple hosts (read more than 3 or 4)? Then what shall we do? Never fear for metasploit has thought of that too :) I will actually make this part a video. Sorry, I can't be asked to type anymore! I am currently trying to get Dradis to play nicely so it will be posted later!

Script to Collect System Information

2012-01-14T18:22:00.001-05:00

Here it is folks, I have decided to try and give something back to the community via this script. I would not call it groundbreaking in the slightest-- but if it makes someone's job out there a tad easier than I am happy :)

This was tested on Windows 7 and 2008. I assume it would work on Vista too, please let me know if it doesnt! Also if you guys would want to see any additions or make any suggestions just email me at icanhazblog[at]gmail[dot]com and I can see what I can do. Like I said I am new to the Powershell world and was blown away at its capabilities so I am sure I am missing some cool tricks.

So now I know there are some blatant issues with this, its using your own system tools which could have been subverted by whatever badness is on the machine. Plus there could be a rootkit which hooks these System Calls so you are not getting correct information--- these have been taken into consideration and I will figure something out :)

You can grab the script code from my Pastebin page, just put into your own ps1 file on your machine.

-- About the Tool --

How to Run: Just invoke from a Powershell was running as Admin.
.
More Info: Each section is put into its own txt file in a folder called ‘output’ located in the directory where the script is ran. You need to be administrator to run some of the scripts on this, and you need to modify your security settings to run it on your system (try ‘Set-ExecutionPolicy unrestricted’ ....just make sure you switch it back when done to be safe! To see what it is first type 'Get-ExecutionPolicy)

Upcoming Additions: I would like to add dumping the contents of the recyclebin too, just trying to figure out how to add it nicely.

What its Grabbing:

--FILE LOCATIONS --

TEMP (as directed in SystemEnvironment Variables)

C:\TEMP

C:\WINDOWS\Temp

Application Data Directory

System32 (dll, sys, and exe files)

C:\ (exe files)

Prefetch files

--INTERNET FILES --

Internet Explorer

Mozilla (I only detect if it exists, need to view via another program for now)

--SYSTEM INFO --

Services (sorted by State)

Tasklist (processes associated with a service)

Tasklist (dlls associated with a process)

--REGISTRY--

hklm\software\microsoft\windows\currentversion\run

hklm\software\microsoft\windows\currentversion\runonce

hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\run

hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce

hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (migrated systems only)

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (migrated systems only)

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

--NETWORK INFO --

DNS cache

Netstat -anob

Scanning Redux: TCP and UDP

2012-01-12T16:14:00.001-05:00

So we wrap up the blog postings on scanning with TCP and UDP scans. Now again I stress that there are other types of scans out there, I just want to highlight some of them.

TCP

TCP stands for Transfer Control Protocol. This is the powerhouse of protocols, many applications ride this bad boy straight to your computer. Example-- this web page! Also your email clients and file transfer programs also use TCP. Why? Because TCP is reliable, it sets up a connection between two hosts... making sure both know what is going on (who is sending? who is receiving? did you receive that? Hey I received the packet, keep sending.. Oh fizzle sticks I never received this one packet, please resend! K, thx bai!)

How does TCP do this? Well with the ever classic 3-way handshake. You can definitely check out the WIKI page for the official description. I liken the 3-way handshake to the best relationship ever, before speaking to his/her mate, the one partner will get the others attention (SYN), the other will then look at him/her to confirm they heard them (SYN-ACK), and then once he/she has their attention, will start to speak (ACK).

I am going to assume people understand TCP enough to go thru the scanning options, if not check out the documentation on there on the interwebs.I will post up from the SANS Cheat Sheet I talked about last post the TCP packet header. You can grab the whole cheat sheet here.

TCP Header

The Flag Byte of the TCP Header

TCP Syn Scan: This is when you start the 3 way handshake described earlier, except you never get past the 2nd step. Nmap here shows the scanning machine sending a RST, cancelling the connection setup (else the port could be sitting there for while waiting for the ACK... what a waste!)

TCP Syn Scan - 192.168.0.10 responded with a SYN-ACK, we have an open port!

Let's take a closer look at the flag bit...

Flag Bits of a TCP SYN Packet

So for those who count in binary we see this byte is 00000010, which is decimal 2. Cool, so when that bit is 'flipped' (or switched to '1') what does that mean? Looking at the SANS cheat sheet, we see that the 'SYN' bit is set to the 2nd bit... or 00000010. Wait, that's what it says! It must mean the SYN flag is on! Hoorah!

So riddle this Mr./Miss Smarty Pants, what would a SYN-ACK flag bit be set to? Well lets go back to the sheet- it says the ACK flag is set on the 5th bit. So if we flipped both SYN and ACK on, it would be 00010010, which is what in decimal? Whip out those calculators or pencils! The answer is 18 in decimal, ah but we are in hex mode here- which is the power of 16! Whaa this is getting complicated! Here go here for an example. Ok so dividing by 16 ::hours pass:: so that gets us the hex value of 0x12! And just to prove it, here is the flag byte of a SYN-ACK packet.

Flag Bits of a TCP SYN-ACK packet

TCP Connect Scan: This is exactly what is sounds like, the full 3 way handshake is done to determine open ports. This scan is slower than the TCP Syn scan (this makes sense, sometimes you have wait ages to get your partner to listen and then start to speak!), and now you have a full connection, it has a better chance of being logged somewhere on the victim network. Not good if you are going for stealth. However, if you are being hampered by firewalls, this could be the way to go, as many devices could be between you and your intended victim, hampering your results.

TCP Christmas Scan: Sounds festive right? This scan flips the FIN, PUSH, and URG flags ("lighting up like a Christmas tree").This is effective against Linux hosts but not Windows machines (remember how I said different OS respond to packets differently?) This is going off RFC 793, Page 65:

“if the[destination] port state is CLOSED .... an incoming segment notcontaining a RST causes a RST to be sent in response.”

So these are a bit sneaky and can evade some firewalls and routers, but like I said, with Linux boxes only. Microsoft by default responds to these types of packets with a 'RST ACK' regardless of if its open or not.This is seen below, using the two hosts we used in the above example.

It was open on the other scan.... Bah humbug!

UDP

UDP is User Datagram Protocol. This is a connectionless protocol. Its like an assault on a port. There is no connection set up like TCP, and it doesn't care too much if some packets get dropped along the way. However, if you stream anything across the internets (like I am right now with internet radio), chances are pretty good you are using UDP. DNS also uses UDP for name resolution, and DHCP is over UDP as well. Because there is no error checking or connection set up, packets move faster and sent to multiple hosts in a quicker fashion. Rock on UDP!

UDP Scan: So as we said before there are many services that use UDP, such as DNS (which is a pretty juicy target!) This scan shows UDP port 124 responding back to our scanner with an ICMP unreachable sign, indicating the port is closed.

Sorry, we are closed!

This is what my nmap output is for that scan, and it is what is should be, port 124 is closed:

nmap result from nmap -sU scan

As people posted in the comments, there are tons of tools out there you can use. Nmap is just one of many. The key is to find the one you like and trust. Nping, which someone mentioned earlier, allows for much more fine tuning of your packets that you send out. p0f does passive host identification. All these other scans I have shown are active-- we are interacting in some way with the intended target. p0f simply listens to network traffic and based on the traffic it sees regarding the target determines the OS, which is the stealthiest you can get, as you are simply observing (well there is always a catch, still its pretty slick). And like Jon said... a new version is coming out!

I did not talk about the multiple states that nmap can report back to the user, a good explanation is here on their website. Heck, I recommend the whole reference guide.

Next we get onto the fingerprinting/version detection... well I may post my powershell script first. That will probably go on Pastebin. Like I said its no where near perfect and always looking for more ways to make scripting better, faster, and more kick ass (because lets face it... we are lazy and want something else to do the grunt work)

A Bit of Fun... Musical Selection

2012-01-10T03:17:00.000-05:00

Amazing photo of David Guetta by ehlo

So when we were setting up for MFIRE in Abu Dhabi, we had to listen to music while setting up. Not just any music, 'hacking' music as we called it. Do you guys listen to a certain type of music when you are doing pen tests/forensics/coding? Just for fun I will post my favourite podcasts/stations/songs I listen to when working, feel free to share.... you may find your new fav groove!

Back to the regular blog postings soon! :) In the meantime, crank it up!

Sunshine Radio: German electronic radio station, also good for me to try and keep up on my German :)
TATW: Trance Around the World, thanks to SecurityBananas for introducing me to it!
Energy98: Dance radio station
Hackers OST: Hack the Planet!!
Anything David Guetta
A Beautiful Mind OST: And now for something completely different...

Beginning Web Pen Testing: ICMP Scans

2012-01-09T04:20:00.000-05:00

Even Trinity has to Scan...

Got Hacme Shipping VM up and running, and the link I posted last post about the setup made life so much easier. In addition to the steps in the tutorial, make sure you also install the .NET Framework 2.0, which can be grabbed here. And there is a typo in the tutorial, if you need to access the ColdFusion via the web-broswer yourself, go to:

http://127.0.0.1/CFIDE/administrator/index.cfm

Oh and make sure you have enough space on your VM, you can expand the space of your VM via the command line vdiskmanager. 15 GB should suffice, 8GB is not enough (I found out the hard way).

So these next few posts will be about scans.I know I know scanning is so -boring- right?! However, what did I say before? If you do not understand the basics and the versatility of your toolkit, you are missing data. Also, it never looks good when someone asks "Why did you try that?" and your response is "Because it was the example in the book and I thought that was good enough." Sorry guys, but you gotta start at the beginning :) I also do not know who my audience is out there in the interwebs, so I figure start small and work my way up to more fun things (its always good for a refresher right?)

Different operating systems respond to scans differently, when Windows XP says 'open' Windows 7 may say filtered. The key is understanding the scan you are running, and then examining the results to determine what it means. The way a machine responds to scan probes is also another way of determining the OS of the host you are scanning against (also known as fingerprinting). That being said, I am not going to go thru all the scans nmap has to offer nor will I break each packet down to every bit and byte, try them on your own networks and see what works!

ICMP Scanning

ICMP stands for Internet Control Message Protocol. This is generally what you run in your internal network when troubleshooting connectivity problems. This is also why you should never allow ICMP responses going outside your network, as it helps an attacker determine your internal network. Let's see a simple example of ICMP ECHO Request, the most common ICMP packet.

ICMP ECHO command

An ICMP Echo request packet is known as 'Type 8' and a reply is Type '0'. This can be seen in the ICMP packet via wireshark or any handy packet sniffer program.

ICMP Request - Type 8 is highlighted

ICMP Reply - Type 0 is highlighted

Ok so lets go back to our command output, we see a TTL field. What is that? Well TTL stand for Time To Live, and it is required for ICMP packets. What it is is a number which gets decremented by 1 every time the packet goes thru a router (known as a 'hop') to get to its destination. The default TTL for Windows XP is 128 (many OS are different, see here for a list). Our TTL is... 128, so that means the packet did not have to go thru any router to get somewhere, it went straight to the destination (so we are definitely on the same network!). By the way, the TTL is another method to help determine the Operating System.

Let's look at a more 'legitimate' ping.

So here we have an ICMP packet going to www.google.com. As you can see, this took a bit longer then our first request, but more importantly, look at the TTL, its definitely no where near 128! TTL becomes more interesting when trying to map for firewall, internet gateways, and routers as it shows you how packets are routed to hosts on a network (using utilities like tracert).

I am going to briefly touch on ICMP broadcast messages. If you are doing an internal network assessment of a company and you send an ICMP broadcast packet to the broadcast address, what do you do if nothing comes up? Pack up and leave? No! Again, different OS respond differently to different requests. For example Windows by default does not respond to ICMP broadcast requests, however Solaris on a whole does respond. So again, you can't just do one scan and expect to grab everything.

So before I wrap up for today, I am going to touch on a few other ICMP scans:

TimeStampRequest (Type 13) and TimeStamp Reply (Type14): Asks the machine for its current time (based on milliseconds from midnight GMT). If it responds... well you know it is alive AND you know roughly where in the world the IP is. So on my backtrack5 box I ran the following command:

ping -T tsonly 192.168.0.9

The '-T' switch specifies the timestamp option, and all I want is timestamps. This gave me the following answer:

64 bytes from 192.168.0.9: icmp_seq=1 ttl=128 time=1.50 ms
TS: 74834377 absolute

If you take 74834377 milliseconds and do some maths on it, that gets you the time of about 2047 or 8:47pm, which is what time it is now in GMT :)

AddressMaskRequest (Type 17) and Reply (Type 18): Used when asking for the subnet mask of an interface. Again if it responds, you got a live host (and now know the broadcast address if you didn't already).

So how to get these scans going in nmap? If you just type 'nmap' on the command line you should get a list of all its parameters. However here are the ones I discussed today.

-PE (ICMP Echo), -PP (ICMP Timestamp) and -PM (ICMP Netmask Discovery)

So get out there, fire up you favourite scanning tool and start playing with the different Host Discovery Scans. What can you see? Do some scan miss some things that others pick up on? Why do you think that is? Get wireshark going and look at the packets... the more you know!

Additional Links:

TTL Defaults: Up to WindowsXP
If you want a great reference of packet headers, SANS has a wonderful one which I have seen adorned on many a nerds cubicle.
Change your TTL on Win2008 Server and Vista: Just for fun :) XP is here.
ICMP Usage In Scanning by Ofir Arkin - PDF- Bet you never thought ICMP was this robust?

A Whole New World... Web External Pen Testing

2012-01-06T12:23:00.002-05:00

Scene from Disney's Aladdin - Image From Fransisca's Portfolio

Ever tried doing an scan of your own network (or one you had permission to?) Awesome... here is some service versions, open ports, operating systems, etc. However, what do you do with that data when you are done with it? Well this is what I am now endeavoring to find out...

I have been doing an external web assessment for work and let me tell you, I have a lot to learn. Luckily for us, there are a ton of resources out there to help someone learn how to do this!

First assumption to throw out the window: it has to be a complicated hack to gain access :)

So how to start? Well there are tons of 'exploitable' systems out there which can be used. Metasploitable seem like a great one to learn from and it even has some tutorial/howtos on the left to which you can throw against your new vulnerable image. I will probably start here (taking notes as I go!). There is also a free tool from McAfee Foundstone called Hacme Shipping which "demonstrate common web application hacking techniques such as SQL Injection, Cross Site Scripting and Escalation of Privileges as well as Authentication and Authorization flaws and how they are manifested in the code". This sounds impressive, but it requires a bit more setup than Metasploitable (which is a VM). However, there is a guide to setting it all up courtesy of pingtrip.com

OK, we got the victim, now what tools do we use to analyze and hopefully pwn our poor little web services? OWASP has a Security Framework on top of a web browser called Mantra, which looks pretty slick. Like Backtrack, it has Information Gathering tools, editors (which means you can edit inline), tools for pentesting, etc, except its focus is on web based offense/defense. You can get a list of all the tools here. Heck Mantra is actually in Backtrack 5.... so Backtrack would be a good bet!

In addition, I found some other fun websites which may prove useful later on:

SQLcourse.com - exactly what it sounds like, even has an SQL interpreter
exploit-db.com - again exactly what is sounds like....
HTML Code/Text Obfuscator - why not use it with JS as well?

This is (of course) serves a dual purpose... I can look at logs after I pwned my service to see what it looks like, so if I ever encounter a similar log in the field then I have a better idea what it is and how a site was subverted. Learning the pen testing will then make me a better network forensic investigator... score :)

Anyone have any additional hints/pointers/sites/tutorials? I would love to hear them!

P.S. I am working on a Powershell script which will grab a ton of artifacts in Vista/XP (read Temp Internet Files, AutoRun registry settings, Temp directories) where badness generally resides. I sent it to my team for a pass to make sure it works and make any adjustments/comments, then I plan on sharing to the community. I am sure it isn't the best tool, but its flexible and can be added upon as needed. If anything it shows how kickass and powerful Powershell can be.

Now With 23% More Memory! Grabbing Skype Data

2011-12-22T09:25:00.000-05:00

I am on a roll finding cool new programs dealing with memory analysis. This one is Skypeex, and it is developed by Nick Furneaux. This one deals with the same concept as the pdgmail tool I had last posting. You run strings against the memory dump and then run the Skypeex python script against it to find remnants of Skype contacts and conversations.

So like in the previous script (pdgmail) you first run strings. From that you then run the Skypeex. Nick created versions that should run on Windows (if you have Python installed), Linux, and MacOSX. There are two different scripts included for Windows/Linux, the one you use depends on the version of Python you are running. Go to the command line and run 'Python -V' to see what you have. There is a helpful readme file as well.

To run Skypeex, simply type from the command line, 'python skypeex.py' -- it will then ask you for the location of the strings output you created earlier. From that the program creates two output files. From the readme:

The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and 'carved chats'.Please expect many duplicates and some false positives.

Its a bit hard to show my results just due to me being paranoid, however I can tell you some things I saw:

Group chat windows and conversations
Contacts
IM (one on one) chat windows and conversations

So these two programs clearly show the value of memory dumps from a bit of a different perspective. This will probably not help in malware investigations (never say never though!) but from a LE perspective this could make or break a case.

This is the last post of 2011--- everyone have a great New Year! I will be spending my holiday geocaching around London, what better way to get to know a new city? Enjoy!

More Memory Fun: Grabbing Gmail Data

2011-12-21T17:35:00.002-05:00

Happy Holidays everyone! Hopefully everyone is still on a food coma, but I thought I'd do a quick blog before I go on leave-- a few days to explore my new city :)

Think that just because you run over HTTPS no one could ever see your emails? Well, think again. Behold again the power of memory, which actually stores portions of your gmail unencrypted. I am not doing video today, a lot of this is just waiting around... so please bear with the screenshots :)

So let's say you have a memory dump from your investigation and you know this user uses GMail a lot and you think maybe its contents could be integral to your investigation. Remember good ol strings? Well you can actually run strings against your memory dump, and then use a tool called pdgmail to extract gMail artifacts. How to do this? Read on!

Filename: XP.vmem
Size: 500MB

Ok, first step is to run strings on this badboy, depending on the size of your memory dump this could take a while (still quicker than a subpoena I would imagine).

So the parameters for strings is -q (quiet), you can use -o for offset if you'd like, but its not necessary.

Almost done! Now assuming you have Python installed, go ahead and fire up the pdgmail script, created by Jeff Bryner (read about his analysis and grab the code here). Jeff does a great job with commenting so even a programming n00b (such as myself) can follow along. Make sure you output to a file because this can be beastly!

The one required witch is -f, which is the strings output from your previous command. Other switches you can include are -b (ignore message bodies, apparently the search expressions for this can reveal many false positives) and -v for verbose. The result? About 100K file with a decent amount of data involved... for the sake of my privacy (and my colleagues), email addresses have been blacked out.

So as you can see, the tool parsed out quite a lot of info. A lot of those emails are in my address book- I have not used them in ages... I moved from DC two years ago. I don't remember the last time I emailed Ed Skoudis (I think it was after BlackHat Federal). So, pretty thorough.

Same with e-mails, although it looked like emails from much more recent activity than the email addresses. As you can see, I am supposed to meet at the park at noon and wear one red shoe (does anyone get the reference?--SHHH!!), subscribe to DailyCandy (yes I am a girl, I am intrigued by sample sales), I can never remember by Keynoir password, something about SecretCinema (which is awesome), and even though I live thousands of miles away... still get email about happenings in Buffalo.

You can even put these into a Excel spreadsheet, which would seem useful for filtering.

So, once again showing how powerful memory can truly be. I tried this in XP while running IE, I will run a test with Mozilla and see if I get the same results.

UPDATE: It works a charm with Mozilla, and in Vista! I did notice that it does not contain the address book e-mails, but it does have e-mails from my inbox... if you scroll down the link I have for pdgmail someone else noticed this. Will have to do some research...

PDF Analysis

2011-12-21T16:10:00.003-05:00

So this video is all about PDF analysis. The tools I use in the video are:

Contagio: great place to go for sample malware
PDF Stream Dumper: A bunch of tools thrown together in one amazing program, did I mention it is free?
REMnux: A great RE tool by Lenny Zeltser. Has tools for PDF, JS , shellcode and much more. I was using INetSim in this demo to simulate network services so the malware had something to talk to.
CaptureBAT: Allows the collection of modified/created/deleted files and registry keys after clicking malware. Can also capture network traffic.
Process Explorer: SysInternals... enough said

Now I really do not go into explaining what a PDF is composed of in the video, I wanted to keep it to a reasonable time. So.. consider this the 'fine print'... and is it a doooozy!

A PDF consists of objects which can be multiple things: numbers, strings, code, streams (compressed data), etc. Below is a screen shot to hopefully explain this a bit better:

Ok... so the left pane has all the Objects in this PDF, which is 14. The pane on the right shows what is inside that object, these are called indirect objects but I have seen it called header data too. You see how there are two numbers? The first one is the index number (or the object you can find the data under) and the second is the version number. Version numbers can indicate previous or newer versions of the same object, and can be used by nefarious users to hide their code. The 'R' means Reference, so.... we can tell from this screenshot

Object 1 references 3 additional objects

Pages (go to obj 2 for more information)
OpenAction (go to obj 11 for more information)
AcroForm (go to obj 13 for more information)

Going to these objects may actually reference additional objects, it can become a cat and mouse game and given a lot of objects, it can be tedious to sort thru.

Now what do these things mean? Well a quick run-down of items of interest:

Stream Objects: compressed/encoded data... you gotta decompress/decode to see what's inside
/Page: How many pages are in the document (if its 0... watch out)
/JS -or- /Javascript: self-explanatory, watch out because this can be obfuscated
/AA /OpenAction -or- /Acroform: indicates an automatic action when the PDF is opened
/RichMedia: indicates the presence of Flash (another way to exploit the system)

So lets follow /OpenAction, which is in Object 11:

See what I mean? Another reference... this time to Javascript which is in object 12, which is the obfuscated code in the video.

Oh and headers (indirect objects) themselves can be obfuscated. PDF Stream Dumper is nice and converts them for you, but if you right click on an Object and select 'Show Raw Header' to see what I mean. Here is what object 1's indirect objects look like:

This is using hex to obfuscate the header data. #50 is equal to the ASCII symbol 'P', #61 is 'a' and so on. There are a ton of hex to ascii converters. A good site for tons of string manipulation options is http://www.string-functions.com.

Honestly playing around and research on the internet is the best way to figure this stuff out. Didier Stevens has some awesome tools, which are included in the REMnux image. The guys over at Sourcefire also did a post of PDF analysis using Didier Steven's tools.Oh and did I mention Mr. Stevens wrote a book about PDF analysis?! Best thing: it's free

I would be remiss if I didn't reiterate watching the videos with PDF Stream Dumper too, no one knows the tool better than the guy to created it :) Watch, learn, play... enjoy

So without ado... this video:

Oh and in my haste to finish the video I forgot to show the network data captures by CaputreBAT. Here is a screenshot of Wireshark with the file opened:

Ok, so the first thing we see is the DNS query for googlemail.proxydns.com. This was the TCP item we saw when we looked at the process with Process Explorer. My REMnux box, running dutifully as a DNS server, says the website is at 192.168.10.1 (my REMnux box again). The malware then connects to the web server and posts to it a file index.php. REMnux sends a dummy file, which the malware does not know what to do with... however we now know the domain the malware beacons out to and can block by name and IP. Or, as analysts, we go out there and see what is on that site :)

This is the Virustotal output for the PDF and the subsequent spoolsv file. Both bad.

What I am trying to say is that I barely scraped the surface of PDF analysis. It is always better in the long run to understand the structure of a file you are analyzing rather than depending on a tool to do it for you. This was when something goes wrong, you have a better understanding of what is happening and potentially why. In a court of law, it does not look good as an expert witness if you say "Well your honor, you click this button and this pops out... I don't know how it arrives as that answer"

Never stop learning my friends :)

SANS Pen Testing Christmas Hacking Challenge

2011-12-19T07:18:00.000-05:00

Ho ho ho! There is trouble a-hoof for poor Rudolph in Ed Skoudis and Tom Hessman's Christmas Hacking Challenge. Grab your favourite packet viewer (the file is small enough Wireshark works very well) and start tracing!

I think these exercises are wonderful-- a great (and fun) way to keep fresh on packet analysis. If anyone knows of any other fun exercises like this around the net please leave it in the comments. I am sure there are hundreds out there.

Now that I have most of my workstations set up (hooray!) I can get down to the fun videos. I hope to have one about PDF analysis before the holidays.

Bahumbug!

Black Hat Abu Dhabi Recap

2011-12-15T17:01:00.001-05:00

The 'front door'

As my first visit to the Middle East draws to a close-- I figure I would get down my thoughts on the talks presented at BH Abu Dhabi before the hustle and bustle of the holiday season. It's hard to think about Christmas when you are basking in beautiful 70 degree weather....

So the venue (the Emirates Palace) is absolutely amazing. It is just gigantic, and the staff will bend over backwards to get you what you need, be it AV cables or just more watermelon juice. The food was amazing beyond belief and very plentiful. I didn't miss pork too much :)

Anyways to the talks:

General Hayden was the keynote speaker. He discussed the ever hard to distinguish line between security and privacy in our digital world, and how now US Government Agencies have come to accept that they are hacked and now focus on managing egress outside the network . He also talked about the power of the online communication, in both a good and bad perspective.

I am not sure I agree with the whole 'accepting we are hacked thing', as being a security person I find it utterly depressing. Although I do agree we need to be realistic, we can't just give up entirely in defending our perimeters and retreat to further inside the network. Security in depth is so crucial here, and we need to begin not only worrying about traffic coming in, but traffic going out. How do we detect exfil? How can we make traversal inside our network more difficult for our attacker? If our hacker friends pop one box thats a shame, but if they are not allowed vertical or horizontal traversal on the network it greatly limits the fruits of their labor. Why not have an IDS sitting within your network perimeter montoring network traffic? Why would you allow desktops to have trust relationships with other desktops if it is not necessary? Just limit trust relationships to servers they need access to, and closely monitor those. VLANs are also an idea here-- I know all of these have flaws but again its the layered model approach to contain attackers and limit the information they can receive.

Traditional Arabic Food... amazing!

Being both the former CIA and NSA director, I am pretty sure Gen Hayden knows a lot more about the reasoning for a lot of the topics he discussed, even touching on Stuxnet and CNA/CNE. Did you know most people think America is the most dangerous in terms of hacking (not China or Russia)? The opinion pool? Americans. Thats kind of surreal.

Insulin Pump Hacks

Barnaby Jack of McAfee gave a talk about hardware hacking insulin pumps-- describing the steps needed to be done to gain access to the hardware and assembly code. Hint, it is not just plugging in a USB. Apparently insulin pumps have RF capabilites, and Barnaby was able to create an exploit which would reveal to him the unique serial number and then allow him to either dispense insulin or suspend the device completely. Without any notification to the user, and then he showed a demo of this. Dispensing too much insulin to a person can be lethal, so the implications become quite clear. It seems a la Jason Bourne but given enough resources and dedication, Barnaby shows the threat is real. He then mentioned this could be patched via another vulnerablity he found... great.

Framework Level Securtiy Profiling & Monitor

Trustwave demo'd a framework for catching the subtle web hacks. So in general many web hacks are easy to spot, you see them doing recon using some tool, traversing to the vulnerable page, uploading an exploit, and then them heading to retrieve their payload (in this case login credentials for users). However, what if they use Google for their reconaissance, and use different IPs to make it difficult to trace, and inject php's with fake data so it simply looks like a normal (and not a password file getting larger and larger). Their proof of concept framework FLSPM tries to address this issue.

WifiHacking

Vivek R. of SecurityTube fame also gave a 2 hour lecture on WiFi Hacking. He mentioned how WPA Enterprise can actually be easier to hack if server names are not enumerated for the enterprise servers. If this is the case, the hacker simply needs a valid certificate to present to the users-- doesnt matter what the servername is. No warnings or anything as it met the criteria set by the system administrators. Oops.
Did you know you can use Windows 7 to be a wireless AP even when you yourself are on a wireless network as a client? This has been around for a while, just has not been highly publicized and discussed. What are the implications? Well besides being super convenient for the road warriors, it also has serious security implications. Windows does not inform you about this new AP (you can see it if you click on the network icon in the task bar-- but how many users do that?) NOR does it tell you when people connect to it. Rogue APs anyone? Can one create a PDF whose payload is a simple little batch file setting up this AP network? (at least you need admin privileges, but that's not a reassuring defense at all, especially if the carrier file is a malicious PDF which can probably gain admin rights anyways)

So I leave you guys with the commands to make your Windows 7 box a wifi access point. Be sure you are running as admin when executing these commands.

As you see, I have set up my SSID and password in order to gain access to the network. Next you need to go in and enable internet sharing on your current network connection. When choosing the Home Networking Connection, select "Wireless Network Connection 2". Then, head over to the properties for Wireless Network Connection 2 and only enable IPv4 (or IPv6 depending on your device). Save this. Finally head back to your command line and enable the interface.

I have a screenshot of my iPhone showing my connection. Sweet. This is great when you are roaming, have an ethernet connection in a hotel but not wifi and you want to browse on your mobile devices... like me right now. To disable use the following.

Heading Out and About

2011-12-10T10:29:00.001-05:00

So I know I said I would post a video today... Sorry it is going to have to wait until tomorrow, still have no internets at the new flat. That should be resolved once I get back from Black Hat next week.

So a few updates: I am helping Christiaan (http://securitybananas.com/) teach MFIRE (malware forensics & incident response) at BH Abu Dhabi. Should make for an interesting time-- a bit nervous as this is one of my first teaching gigs. Hopefully all should go well!

Also I joined the Twittersphere (Tweetaverse?) and now trying to figure that all out. My name on Twitter is @Sk3tchymoos3. Come find me and say hello. It might not all be techie/security stuff... But also some nice photos of places I am at. You have been warned! :) Will definitely be tweeting at BH though so stay tuned!

I had a chance to go to a SANS@Night talk last night. The speaker was Bryce Galbraith (http://blog.layeredsec.com/), and he talked a lot about "The Power of One Click"- which basically infers that it takes one user to click on ONE attachment/link to compromise your entire network. He talked about how free, open source tools when in the right hands-- can prove fatal to a company. Why worry about password complexity when Pass the Hash works? Or when there are online Rainbow Tables?

The answer to this is simple: Defense in Depth. I know that is a buzz term but it's true. A company needs to have layers of security and never depend on one thing (AV, firewall, IDS) to do the job. Also user education is key. Restricting admin rights is also critical.

Anyways it was a great talk- Once I get to a laptop instead of my iPhone I will blog a bit more about the key points if people at interested.

Malware Detection Checklist

2011-12-09T04:49:00.001-05:00

Sorry its been a while-- been moving house and everything is a bit hectic. (read: I hate unpacking) I have another video in the queue which should be released tomorrow. For now-- good ol text :)

So recently Harlan Carvey posted something about a malware detection checklist. This would be something one would peform to try and determine if malware is resident on their system . You can see it on Google Docs and download for your enjoyment. I may make something similar to provide to clients, who always seem to be asking "What should I do if I think I am infected?".

Some things I want to highlight on the checklist:

Check AV: This sounds slightly weird, checking to see what your computer blocked so you can see if something is still on your machine. However, gone are the days of simple one-stage droppers and here are the days of multiple stage droppers, obfuscated code, and redirects. Seeing what your AV has snagged could lead to clues as to what (potentially) could still be on your systems. HINT: if is says anything associated with a toolkit, then there probably is something still there. You can also use that timestamp of the file found in AV to look around other files created in that timeframe for suspicious behavior.
MBR checks: Yes, malware can reside in the Master Boot Record, or store traces of itself in there to maintain persistence.
Registry Analysis: I cannot stress this enough. Reviewing the registry gives you a glimpse as to what malware is trying to do on your system. Is it hooking itself into SafeMode so even then it cannot be seen? Is it adding itself to the Run key so it keeps executing even after a reboot? Is it adding a nice little proxy so all your web traffic is being redirected? Its a very confusing place the Registry... Microsoft has some excellent (I should hope so!) documentation on it, and if not thee is always Google.
Internet History: Grab all the index.dat files. Yours, Administrators, LocalService, Default... you name it. Then go download IndexDatSpy. This shows you the websites visited for users (for IE), opened files (locally and remotely), and web queries. You will be amazed at what you can find there.
Temp directories: Another biggie amongst the list. This is the drop point for most malware, from here it skitters off to other areas of your hard drive. Look in here for strange executables, JAR files, and .tmp files. If you clean these regularly you have a bit less clutter to sift thru and its generally a good security practice. Will a file not delete because its in use? First off don't panic, I had this and I traced it make to my Screen Recording Software I used for making videos. Investigate-- which THEN take action (tea or IR)

A few things I would like to add:

Documents and Settings\%USER%\Application Data: Like the Temp files, malware tends to fester here. Again look for suspicious files (exe, bat, tmp, etc)
Network Connections: check and see what connections you have right now on your computer (netstat -ano), anything strange? Use robtex or something similar to look up information about IP addresses. Do you normally send SSL (port 443) traffic to Russia? Do you see some abnormally high process IDs (PID)? Might be an alarm bell.

Best thing here is to push to another file because you will be needing this for the next step.

C:\netstat -ano > networkconnections.txt

Processess: This shows you all processes running on your machine at the current moment. Can you link all the network connections to a process? Do you see any strange processes? Weird dlls?

C:\tasklist /m > tasklist.txt

I would also suggest grabbing a memory dump if possible (this can be done with FTK imager). This saves all the volatile information such as network connections, running processes, opened files, hooked dlls, etc which can then be analyzed later. Also, some rootkits hide themselves from system calls such as 'netstat', however these can be seen in memory (remember my Hacker Defender video?)

This checklist can be used by anyone investigating possible badness on a machine. It is good to have a process and methodology when one peforms these things and this is as good as any. Be sure though you fit it to your site, and develop your own toolkit when responding to these. Are the windows commmands good for you or would you rather use SysInternals? Use what you like-- as long as it works correctly. Put all the necessary tools on a thumb drive or CD (NEVER depend on commands on the suspected infected machine) which you can bring on-site for analysis.

Alternate Data Streams: A Blast from the Past... Still Going Strong

2011-12-09T04:09:00.001-05:00

I was walking to Starbucks and....

You ever wonder the feeling you would have if you saw a unicorn? Something you always heard or read about but never actually saw in the wild? Well I (kinda) got that feeling yesterday when I was searching for Alternate Data Streams in a case I am working. Personally I think I would be more excited if I saw a unicorn... but I digress.

So what are Alternate Data Streams? Well they were basically created for NTFS to deal with Apple file systems and the different ways they handle data. So if we think about the Master File Table, we know its like a library pointing to all the files on you system. NOW, with NTFS, we can have multiple file attributes about our file (like a prequel). One of these attributes is $DATA- which you can add additional data to the file or even point to another file to link the two.

Sound a tad confusing? You can read another explanation here by Dan Mares, or you can click to watch my amazing video. I think I say NPFS for the Apple filesystem, I meant HFS... sorry a bit late in the day here :)

I was actually trying to get AV (I have Microsoft Security Essentials on the VM) to trip on my ADS, and it did not take. I even tried it with an MD5 executable (which AVG did alert on my home system) and an XOR program. AntiVirus detect ADS in different ways-- so mileage may vary. I should also point out legitimate files can use ADS as well, so don't "Panic and Freak Out" if you see some. Investigate, only panic when necessary :)

Links to content mentioned in the video:

LADS (List Alternate Data Streams)
Streams (SysInternals)
FTK Imager
More fun with ADS by IronGeek

In other news... I am heading to Black Hat Abu Dhabi to asisst in teaching MFIRE (Malware Forensics & Incident REsponse) as well as go to the presentations. It should be a good time... will try and post something about it post-con.

Another thing I am hoping to get involved with is Online DFIR Meetups. Do you get sad when you read Harlan Carvey's blog about the latest NOVA forensics meetup and just wish you could go to something similar? Well thanks to the power of this here internet (and Adobe Flash) you can! The next one is December 15th, and if I can determine what time 8pm EST is in Abu Dhabi and its not unreasonable, I may just try to drop in. Harlan will actually be 'guest speaking' on Volume Shadow Copies, a topic I definitely want to get more educated on. Mike Wilkinson will also be speaking on 'Computers as an Alibi'... which I hope the subtitle is "How WoW Saved My Life".

In all seriousness they sound like good talks and if you are free on the 15th check it out.

I have also joined the twittesrphere (tweetaverse?). This is a trial run basis, so please be patient while I figure this all out. I hope to push out my blog updates too (yay for all of you upset with the new Google Reader layout). My twitter name? @sk3tchymoos3. I may tweet some non-technie things in here as well (esp with Santacon 2011 coming up) so be on the lookout!

log2timeline-sift: Set it Up and Running....

2011-11-26T08:48:00.001-05:00

I know sometimes getting things to work in Ubuntu is like trying to tell Fenton to stop chasing deer in Richmond Park. You keep trying and trying only to see it slowly slip from your grasp, all while amusing friends and random people you will never meet (just click the link, trust me you will giggle).

Fear not for Kristinn has created a very lovely installation guide for us all.

So me just saying to sudo apt-get install the log2timeline package was a bit weak sauce of me. You have to ADD the website containing the code to your source list and well as add Kristinn's GPG Key (think PGP but not really). You can figure out what version of linux you are using by running

$cat /etc/issue

Do a bit of apt-get update... THEN run the apt-get install and VOILA, dependencies and log2timeline installed! If you are feeling super nerdy and want to compile yourself, feel free, but there are a decent number of dependencies. I always feel its better to do less work, especially on a Saturday morning :)

Well so maybe I lied again... you also need sleuthkit installed on your machine. Luckily this can be done via

$sudo apt-get install sleuthkit

I also suggest looking at the sift.conf file which is located in /etc/log2timeline.

default sift.conf file.. I had to modify the location of the TSK binaries

Log2timeline makes guesses on where additional dependencies are (I assume based on SiFT workstations),so you may need to point the log2timeline to the path the program are on your machine. This is done with good ol find:

Finding mmls on your system
My mmls command is located at '/usr/bin/mmls' so I modified the sift.config accordingly. You can also change your mount point as well as where output will be saved to-- make sure you are root when you open the file for editing! P.S. If you keep the default options you will have to make these directories, remember this is geared for SiFT.....

Its always good to look at config files so you have a better idea of how the program works, dependencies, and additional variables you can utilize (says the girl who use apt... I know I know)

So executing log2timeline-sift with no parameter gives you the help options. For a more detailed help page go to the man page.

Now when you give it an -i switch (if you omit the timezone it will grab the timezone from the registry) it starts mmls so you can choose the partition you want to run the tool against.

choose the number... in this case 2

Based on this input it will mount the dd for you. Then away it goes.... now is the time to click on the Fenton video or grab some coffee, this may take a while :)

Go baby go!

So about an 1.5 hours later the tool has finished and now I have a pretty hefty (~250mb) file. Now you can open this bad boy up in your spreadsheet program or simply use some grep action to search for the presence of a file.

This is a hard drive image after I opened up a malicious PDF, the file began with RR_11105,so lets do a quick grep of the file to see where we see this file:

To be fair I ran this PDF multiple times on the OS, hence it being seen a few times...this is a snippet of the output, the green number is the line the search term was seen on

Once you know this, you can open up the file and go directly to the timeframe in question and see what other actions took place around that time. With this file encompassing so many different logs and artifacts on the hard drive, it is a pretty thorough timeline.

So, now one can ask, why do all of this setup when the SiFT workstation (which is free) has this all done for you? Sometimes you want this on your own Linux build, or you just don't have the time to download the 1.5 GB VM. My internet speeds at my house can be quite atrocious, and then is something very depressing about waking up to some errors and the failed download. Or maybe you just want to peek a little bit under the hood and see what is underneath the hood.... nothing wrong with that.

Don't be disheartened when a binary does not work right off the bat-- check the error, google the error, check the known bugs page, and see what others have to say about it. Chances are someone has had the same issue and already discovered the solution. Keep at it!

log2timeline-sift: Proof HD analysis is still vital!

2011-11-24T21:50:00.001-05:00

My tummy full of scrumptious turkey and my body slowly breaking down tryptophan (not to mention mildly sore feet from running the longest consecutive running road race in America) -- I decided I really should update the blog.

So I have been talking a lot about timeline creation. Using memory dumps can unearth a ton of information. I would be remiss however if I did not mention timeline analysis using the good ol hard drive.

Rob Lee has made famous SuperTimeline using log2timeline (from Kristinn Guðjónsso), regripper (Harlan Carvey), and a few other tools (including Brian Carrier). In my old job I created a perl script which would automate as much of possible the steps required to produce a timeline from a hard drive. I found out last week that all this work has been done for me-- earlier this year.

Kristinn created the log2timeline-sift application which automates the mounting, extraction, and program execution. You can see the PDF here. It bases the timezone by the timezone used on the hard drive (based on registry settings). So now all you have to do is literally one command and voila-- and it attempts to grab all the NTUSER.DAT files for each user. Its... almost cheating :P

This comes standard with the new SiFT workstation, or you can easily install in linux with:

$sudo apt-get install log2timeline-sift-perl

The arguments passed on the command line depend on if you have a whole disk image or just a partition image, and if you want to tweak some settings. Read the man page to get the low down but the command is generally run as such:

$log2timeline-sift -z (TIMEZONE) (DD FILE)

So what does this grab you? A whole treasure trove of information, here are some artifacts which can be seen using supertimeline:

Modified Accessed Created Birth times of all files on the system

More information about MACB times by filesystem are here

Registry Keys
Internet History for users
Prefetch Files
System Logs
Skype logs
UserAssist
(some) AV logs
Recycle Bin information

So, this is great if you have a timeframe in question or a known bad file, you can simply scroll to the questionable row in Excel (after a quick CTRL-F) and see A) what happened immediately before and B) what happened immediately after.

You can also search against the file (read: grep or FINDSTR) to find the existence of a file/event. This is much quicker than trying to open large files in Excel or whatever spreadsheet program you use so you can limit your search.

Sweet. I found out a bit late (staying on top of everything is insane), however I definitely want to start using this in my forensic investigations. Now I know I said you can do something similar with a memory dump, but you won't always get that memory dump. Plus, well... you only grab what was in memory-- which granted is A LOT but its not everything. AND if you have both you can find discrepancies and further build on your investigation. There is power in corroboration!

I hope everyone had a wonderful Turkey Day and to all those attempting a Black Friday-- best of luck. I will be busy snoozing ^_^

On The Road: But answer me these questions... one

2011-11-12T16:13:00.001-05:00

So I am currently traveling for work but one of my colleagues emailed me about the following problem: getting different results for memory analysis based on the tool he used. He specifically mentioned volatility and Mandiant's Redline. Here is his email:

I've been scratching my head on this memory image because when I do a connscan and sockscan [using volatility], I noticed some WEIRD activity, specifically, high PIDS and one with a PID of 0 and their offsets are just "-------". These PIDS have strange IPs associated with them, some of which are "blacklisted" according to www.robtex.com. Also, when doing a sockscan, one of the strange listings doesn't have a Protocol, instead of TCP or UDP it just shows a hyphen "-" . More importantly, these PIDS don't show up in pslist, psscan or psxview!!

Has anyone else ran into this issue? I am assuming it is because each program parses memory a different way. For example, does Mandiants tool show terminated connections when Volatility's connscan can do exactly that? I am not 100% sure-- so I ask the collective out there. And do not worry, you will not be thrown into a volcano or anything like that regardless of your answer :)

Lazy Sunday Reading

2011-11-06T18:47:00.000-05:00

Thinking about setting up your own lab at home and not sure what tools to use? It can be daunting with the plethora of tools out there, you could spend hours researching... well over at SecTools.org they listed the top 125 Network Security Tools which could be a good place to look.

One thing I am lacking in my VM environment is Servers and Domain Controllers... which is sad because PaulDotCom blogged about grabbing hashes from a live DC via Volume Shadow Copies (VSC). VSCs seem to be a treasure trove for forensic information and a place for malicious to lurk (see the video "Lurking in the Shadows" from Hack3rcon II). Both Rob Lee and Harlan Carvey have blogged about grabbing and parsing through the VSC.

Off to learn some PDF analysis, if you are looking to do your own analysis and need samples try contagio.
While I am waiting to hear back from some issues I have had with Volatility (when I try the printkeys command it says it can't find the key, even when I did a hash dump and am staring at it) and getting Yara to compile in Windows--- I think I will post a video about PDF analysis with REMNux. I will also be trying out Camstudio more than likely.

Enjoy your Sunday... for us we have only 14 minutes left of it :)

PDF Analysis

2011-11-04T20:06:00.000-04:00

So a coworker turned me on to REMnux, a Linux build for reversing malware. It has a ton of good tools (including my fav Volatility) and has a few tools for PDF analysis. You can even set up INetSim and simulate the common internet services you can point your victim box to and see how the bad code acts. *HINT* It helps to configure your IP address right,' almost' only counts in horseshoes and hand grenades....

I have not done much PDF analysis besides for executing in a VM and watching it run... so I figure this may be a source for an upcoming video. I have been reading Didier Stevens work on it and its so amazing how much you can learn about file.... by simply looking at it. That sounds silly but most people are nervous attacking a file in this manner (I won't understand it/I am not a programmer/I need answers fast), when in reality with the tools at your disposal it can actually be a good quick n dirty for determining if a PDF is indeed malicious and what it potentially is doing, thus finding your vulnerability. Heck you may get SO good at it you may write your own tool! That is not to say that you will understand ALL PDF's that cross your path, but everyone is learning... so don't be afraid to ask questions!

In other news:

I may do a video about YARA and show how versatile it can be when added with volatility. It will more than likely tie in with the on-going scenario.

I may even go old school and do a video about tcpdump. I personally have not used it in a long time and I have a feeling I will be using it more in work... so it's time for a refresher :)

Someone has suggested I try Camstudio for my recordings. I see no issue with this as its free. The next video will be made with that. Much thanks for the feedback!

Using Volatility: Suspicious Process

2011-11-02T06:17:00.001-04:00

Wow guys, this video took a long time to finally make. As you can see I actually have two videos because the first one cut out on me. This was the 2nd take and man was it annoying to see I accidentally hit the 'PAUSE' button but kept cheerily talking to myself (I do this a lot anways so it was par for the course). Never mind, here are both videos (the first one should be first).

Like I state in the videos, this is a learning process for me as well so please offer any suggestions/comments. This was a pretty good analysis of a lot of the functionality in Volatility, and probably a bit overkill for what we were up against, but I just wanted to highlight how powerful and extremely useful memory dumps can really be.

Fun Things I Mentioned in the Videos:

HKLM\Enum Registry Keys Information
Fun Command-Line Kung-Fu to find Meterpreter
VirusTotal: upload possibly malicious file/MD5 to determine what the AV guys think
Timeline Analysis: from the SANS website
Timerliner Plugin (and more!) for Volatility: from Gleeda
One of Harlan Carvey's (many) blogs about Timeline Analysis
A article about Sessions, Desktops, and WindowStations...oh my!

Additional Links for Memory Forensics:

Set Up to More Memory Forensics!

2011-10-30T12:18:00.000-04:00

I -really- wanted to make this a cheesy video, but in the interest of time and saving what internet respect I have left I decided screen shots and a storyline would suffice:

Monday 9am. I log onto my computer ready to face the day. I check some e-mails, I read some news sites, look at pictures of cute baby animals... you know important things. It was all going fine until...

I see this text file appear on my desktop... its called 'pwned'. What does -that- mean? I didn't put it there!
I have never seen anything like it before... so I click on it

"Gotcha'. I did not know I was playing tag?? What does that mean? Have I been hacked? Oh my goodness if my company finds out I am in so much trouble, what after the Christmas party debauchery last year....

Luckily my cube buddy is a bit savvy on computer so she comes over to take a dabble. "Have you been browsing the internet lately?" she asked inquisitively. "No, I do not do that on company time", I lied meekly, "I only checked my mail and visited some links... I don't trust that internet." I think she was impressed by my response because she stared at me for a while (in respect I am sure).

The commands she ran and subsequent output are here:

>netstat -ano > victim_Netstat.txt

>WMIC /OUTPUT:C:\victimProcessList.txt PROCESS get Caption, Commandline, Processid

Caption	CommandLine	ProcessId
System	Idle	0
System		4
smss.exe	\SystemRoot\System32\smss.exe	548
csrss.exe	C:\WINDOWS\system32\csrss.exe	608
winlogon.exe	winlogon.exe	632
services.exe	C:\WINDOWS\system32\services.exe	676
lsass.exe	C:\WINDOWS\system32\lsass.exe	688
vmacthlp.exe	C:\Program Files\VMware\VMware Tools\vmacthlp.exe	848
svchost.exe	C:\WINDOWS\system32\svchost -k DcomLaunch	896
svchost.exe	C:\WINDOWS\system32\svchost -k rpcss	980
svchost.exe	C:\WINDOWS\System32\svchost.exe -k netsvcs	1072
svchost.exe	C:\WINDOWS\system32\svchost.exe -k NetworkService	1140
svchost.exe	C:\WINDOWS\system32\svchost.exe -k LocalService	1304
spoolsv.exe	C:\WINDOWS\system32\spoolsv.exe	1512
explorer.exe	C:\WINDOWS\Explorer.EXE	1600
VMwareTray.exe	C:\Program Files\VMware\VMware Tools\VMwareTray.exe	2020
VMwareUser.exe	C:\Program Files\VMware\VMware Tools\VMwareUser.exe	2032
VMwareService.exe	C:\Program Files\VMware\VMware Tools\VMwareService.exe	1712
alg.exe	C:\WINDOWS\System32\alg.exe	736
wscntfy.exe	C:\WINDOWS\system32\wscntfy.exe	1020
cmd.exe	C:\WINDOWS\system32\cmd.exe	1412
taskmgr.exe	C:\WINDOWS\system32\taskmgr.exe	1108
cmd.exe	C:\WINDOWS\system32\cmd.exe	1324
wmic.exe	wmic	364
wmiprvse.exe	C:\WINDOWS\system32\wbem\wmiprvse.exe	1316

>net start

These Windows services are started:

   Application Layer Gateway Service
   Automatic Updates
   COM+ Event System
   Computer Browser
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   Distributed Link Tracking Client
   DNS Client
   Error Reporting Service
   Event Log
   Fast User Switching Compatibility
   Help and Support
   IPSEC Services
   Logical Disk Manager
   Network Connections
   Network Location Awareness (NLA)
   Plug and Play
   Print Spooler
   Protected Storage
   Remote Procedure Call (RPC)
   Remote Registry
   Secondary Logon
   Security Accounts Manager
   Security Center
   Server
   Shell Hardware Detection
   SSDP Discovery Service
   System Event Notification
   System Restore Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   Terminal Services
   Themes
   VMware Physical Disk Helper Service
   VMware Tools Service
   WebClient
   Windows Audio
   Windows Firewall/Internet Connection Sharing (ICS)
   Windows Image Acquisition (WIA)
   Windows Management Instrumentation
   Windows Time
   Wireless Zero Configuration
   Workstation

"So, what I did was see what connection you have to your machine, what processes you have running, and what services you have started," my co-worker explained. "And besides the connection to port 4444 I do not see anything weird going on, but I do not see anything with the process ID either so that makes me worried..."

"Look all I did was turn on my machine and look at some puppies. I didn't start any services or whatever you said." I was starting to get annoyed now because she was getting into my coffee break time.

"Let me just do a memory dump and take a closer look, I am sure we will get to the bottom of this.... and then you can get your coffee."

See how I did that? I will use my video to mimic the investigation based on what we learned from the command line outputs. Classic.

Not today though, I have many other things to do today. I am picking up my Learning Perl book again in hopes to getting thru Chapter 5 (hashes), doing a bit more German learning on Rosetta Stone, and then maybe starting to go thru "Digital Forensics with Open Source Tools" written by Harlan Carvey and Cory Altheide. The book I hope will expose me to a ton more tools (which are free) and give me a better understanding of what can be accomplished through them. Sometimes those new shiny tools just don't work and you have to have something to fall back on :)

If you haven't gone to Harlan or Cory's blog I definitely suggest you do, these guys are great sources of new tools and processes out in the field. I also want to thank Harlan for giving me credit on his blog, I was totally shocked to see someone I have looked up to for his continuing work taking an interest in my work-- its a good feeling and I hope not to disappoint :)

Before I head off into the void, if anyone out there is curious about the (uber wonderful) world of Linux for forensics/IR I suggest you go to Girl,Unallocated and look for her "Crossing the River Linux" posts. Plus I love her sense of humor, and if she really does live in Utah I am insanely jealous (one reason is this).

Ok time to make spooky cupcakes... enjoy your Sunday everyone!

Facebook Attachment Mayhem

2011-10-28T18:18:00.000-04:00

Nathan Power has posted in his blog an easy way to send executable attachments via facebook.This was basically altering a POST request to the server by adding a space with the filename.So if you want to send 'puppies.exe' what you need to do is alter your POST request to be 'puppies.exe '. (Note the space!)

So it has now been an unreasonable amount of time I have had paros up as a proxy between me and the interwebs.I have not been able to find this illustrious POST request with the line Nathan speaks of. I have seen the filename, but in repsonses, and the corresponding request bore no fruit.

So, this leads me to wonder. Although Facebook said 'NBD' to the whole fiasco, did they change the post request? Or (more likely) am I doing something wrong?

So in anger, I tried a lame thing, I changed 'puppies.exe' to 'puppies.exe.txt' and kablam! It sent! Is FB just looking at extensions or the last character? Very interesting.... I wonder if you can create a payload in metasploit and bind it to a txt/doc/pdf and then send it thru FB. Yet another way to transfer viruses? I guess that would not be such a big deal... and that was not really the point of this blog....

nevermind.

Wrap-up: Although I did not find the string < Dr. Evil voice > Mr. Powers < / Dr. Evil voice> blogged about, I at least got Paros up and running and playing around with some of its features, and even manipulating some requests. If you see something out there being blogged about and you wonder "Are you serious?"... the best way to find out is to try it yourself. And do not be afraid to ask questions! You gotta start somewhere eh? (That being said if someone was able to do this and could walk me thru it...brilliant!)

Partition Tables Revisited

2011-10-27T11:07:00.000-04:00

I bet you all forgot about the poor ol Partition Table blog I did a week back or so... its OK, I kind of did too. However whilst doing something completely unrelated (I think I was cooking) I remembered to go back and see my submissions....

And the winner is :: drumroll:: J. Rajewski!

So for all you people who got a bit wrong or were just too lazy to submit (this is fine I am not offended, as long as you are learning!), the answers are below:

4 partitions....

Partition One:

not bootable
Type: 0x12 (configuration/diagnostics)
Size: ~4GB
Notes: Hilariously I did not even know about this drive. It is a Windows Recovery (WinRE) partition which is included in my MSI wind. I think this is because there are no CD/DVD drives to insert recovery disks when your OS goes south (remember that CD? The one you got with your system but you were too excited to care and probably threw it out with the bubble wrap? Yeah THAT CD.)

Partition Two:

bootable (0x08)
Type: 0x07 (NTFS)
Size: ~ 42GB
Notes: This is my OS install

Partition Three:

not bootable
Type: NTFS
Size: ~93 GB
Notes: This is my data drive for Windows

Partition Four

not bootable
Type: extended DOS partition
Size: ~20GB
Notes: did you notice that my C and D drive amount to roughly 130GB? This 20GB partition is where the extra space went. It is a Linux Partition (which is actually broken down into 2 more partitions) and Windows does not recognize Linux partitions. So.. that answers the bonus question!

Below is a look at my drive thru Windows Management:

Now I am not 100% sure why we have some discrepancies in the Windows Partitions based on the above and Partition Table. I think when I got the machine I only really had 146 GB to play with, Windows just told me I had more....

I feel so cheated. :)

Cracking Passwords with Volatility and John: Now With 34.3% Better Video!

2011-10-26T11:51:00.000-04:00

Note: After viewing the video myself I find it of horrible quality, it has to be played in fullview mode and it is still fuzzy. When I uploaded to YouTube the video was much better--- hooray!

As promised I have an (awesome) video showing how to use Volatility to extract NTLM Windows passwords which can then be cracked by John the Ripper. Please be kind and understanding as this is my first (of many takes) video so I can only get better.. hopefully.

This is nothing new and has been around for, well, a long time. However I just wanted to provide a quick taste of how powerful memory can truly be. I will hopefully show better examples in later videos.

John the Ripper and Volatility are free downloads. Check my previous posting for documentation on how to install Volatility on a Windows system. The site which talks about the Volatility Commands available is here (if you are confused watch the video I mention it there).

Volatility on Windows

2011-10-22T17:36:00.000-04:00


Volatilityyyyyyy!!

Sometimes dedication pays off. You get such a great feeling when (finally) whatever you were trying to do suddenly works. That apple pie recipe your grandma gave you that you have ruined x+1 times.That time you have never been able to beat for a 5k. Getting volatility to work (with plugins) in a Windows environment.

Today. My friends, is the day we are victorious!

This installation guide will be your bible for the next 30-45minutes.Follow it to the letter and you will succeed. The only change I did was for Distorm3 I download 'distorm3-1.0.win32.exe' instead of the zip file. Just execute the file, chose the Python version you are using, and let it go!

Now for the plugins, there is a great list on the Forensic Wiki.Gleeda also just released some plugins for assisting in timeline analysis, eventlogs, and more.You can see her blog post about it here.

So after installing Volatility, I should not have to tell you the importance of reading instructions. The same goes for plugins, some require dependencies. Be sure to read up on them to help stop the tears later.

I had the standalone volatility, but decided (in the long run) its better to do it this way. So the videos will be up and coming shortly!

Full of Sound and Fury...

2011-10-21T18:24:00.000-04:00

With the release of the new 'hot malware' Duqu report by Symantec (read the PDF analysis here), which according to Symantec is the child of Stuxnet, the big bad malware which shivered the timber of SCADA systems everywhere. McAfee, the lead rival to Symantec, differs with them on a few points. You can read McAfee's explanation of the Duqu malware here.

Regardless of its true intent (or who you want to follow), the fact of the matter is that the thing which worries people most about Stuxnet and now possibly Duqu... SCADA systems are really no more secure than when Stuxnet first kept us awake at night.

According to the article SCADA compromises two systems- Human Machine Interface (HMI) and Programmable Logic Controllers (PLC). Most of the exploit we have seen seeing in the public are the ones involved HMI, however the real bump-in-the-night vulnerabilities are still in the PLC. These systems will be running (vulnerable) for years before they get upgraded, and even when they do get upgraded there is no 'security baked in'....

From the article:

Stuxnet showed how programmable logic controllers could be overwritten to send commands that caused equipment to fail, he said. Despite that warning, little has changed. "Prior to Stuxnet there were zero programs for securing PLCs. To this day there are no programs for securing PLCs," Weiss said. [...] In many cases anyone with logical access to a control system can upload firmware on it without authentication, he said. Passwords are often hardcoded into systems many have administrative backdoors, and very basic buffer overflow errors.

So, half the time I feel like we are always playing catch up, we need to get to the ROOT of the problem and figure out how to fix it. If we keep doing what we are doing, we will always be reactive.

I am not saying I know how to fix the problem, but I am sure there are some super smart people who have the ability to bring the deal makers together to make a decision... do we really want the electricity of water systems to go down?

Think of it like this, if you have an infected computer, do you only fix that one or do you check your entire system to ensure your a completely protected? Do you only secure your outer perimeter and leave your OSes completely vulnerable?

In other fun news-- I am hoping to make a couple of videos about volatility. Just to show how powerful memory forensics can be. I did a first run today-- I would not put you guys thru that torture ('Now just hit enter and ... oh that didn't work'). Stay tuned!

Examining Partition Tables

2011-10-18T18:49:00.004-04:00

Now I would not call partition tables sexy by any means of the imagination (however the MBR can be involved in malware), but one of the things I learned is: the best way to learn something is to do it. This goes for pretty much anything. So anyways I was watching a video on SecurityTube and the gentleman was delving into partition tables and I decided to take a look at my own hard drive and see it all for myself.

First off, I downloaded a hex editor (my poor netbook is choking on programs now, its almost time for a refresh). I used WinHex, because its free and I got fed up with CNET giving me a bad download.

Anywhoo... I started small first, use a thumb drive! So I booted up WinHex and navigated to Tools>Open Disk and chose my little 2GB thumb drive.

So our partition table starts at the 446 byte within our 512 bytes MBR. In hex that is 0x01BE. No I didn't just know that I used the handy dandy calculator to figure that out, hex conversions can be covered elsewhere. Each partition is allotted 16 bytes, so I highlight the first 16 below:

Ok, let me give the breakdown along with my example:

Byte 0 : Flag for if the drive is bootable. 0x80 means bootable while 0x00 means its not. My drive is not bootable
Bytes 1-3 : Starting CHS (Cylinder Head Sector) address. We don't really use this anymore thanks to Logical Block Addressing, but still good to know. The first hex value is for head, which is my case is 0x00 (so, mine starts at 0). The second hex is actually broken down, with the first 6 bytes reserved for the sectors and the last two for the cylinder number. Mine is easy with the second hex value at 0x01, so my starting sector for my partition is 1. Finally the 3rd hex value is for cylinder, which is also 0x01.
Byte 4: Partition Type. This shows the partition format type. You can find an extensive list here.Looking up my value 0x0b reveals I have a FAT32 partition type.
Bytes 5-7: Ending CHS Address: This is broken down the same way as the starting address. We still have an ending head of 0, however our sectors and cylinders have changed a bit and now we have to break our hex down into binaray. I will not bore you with how to do that but here are the results:

0x41 : 10000010
0xF: 11011111

Now remember we gotta save the first two bits of 0x41 for the cylinder. So that leaves sad binary 10, which in decimal is 2. My ending sector is 2. My ending cylinder is 1011011111, which in decimal is 735.

I am not going to claim I did the CHS sector right, if I am wrong and someone can explain to me my error I would be happy. Like I said we have mostly switched to LBA since our drives have been getting bigger and bigger....

Bytes 8-11: Logical Block Address (ending)
Bytes 12-15: Size in Sectors (little endian). So our last 4 hex values are as follows: 80 F0 3A 00. What does little endian means? Basically it means the littlest byte (in this case 00) heads to the front. Who was it that said "The first shall become last?"

Anyways, so after doing that we have the new value: 00 3A F0 80. What is that in decimal? Handy calculator says its: 3862656. Thats how many sectors we have, but for petes sake what does that mean? Well! Do you remember how many bytes I said were in a sector? 512! So just multiply the two numbers together and....

1977679872 B

That is an awfully large number, and who really reads in bytes anyways? So you could use a handy dandy online bit calculator to figure it out or if you know how many bytes (roughly) in a GB (answer: roughly a billion and move that decimal over you get...

1.97 GB

That seems a bit more like it... and just to check:

Whoo hoo! It says on the drive itself 2GB, we are pretty close! So even if the CHS is a bit FUBAR you can use the last 4 bytes to determine the size (which seems much easier)

Another quick one:

This one is bootable, as the first hex value is 0x08
PartitionType is FAT32, LBA mapped (hex value 0x0C)
Size is 4 GB (thanks to the last 4 bytes)

How about an actual hard drive? Well mine is 150 GB, so lets see what is going on:

Whoa, my poor netbook! I leave this to you guys as a 'challenge', sorry I am not rich enough to give prizes, but maybe your name will be posted on the blog! whoo-hoo!

Questions to be answered:

How many partitions are there?
For each partition, what is its type?
For each parition, what is its size?
Does this equal 150GB? (give or take)
BONUS:

Now to throw a 'monkey' in the mix: This is what I see when I look in Windows Explorer:

OS_Install is ~40GB, so adding the two drives does not equal 150G. What do you think a reason could be for this?

Email your answers to: icanhazblog[at]gmail[dot]com

Thanks!
--------------------------------------------------------------------------
More Fun Links

Windows 8-- now with more hiberfil

2011-09-09T08:11:00.000-04:00

So, Microsoft is touting that their new OS (Windows 8) will boot up "30-70%" faster than any of their previous OS's. While this is super exciting for normal users (sad for us who use the long boot up times to go for a cup of coffee), it is very interesting for forensic investigators.

So, the way Microsoft does this is creating a 'mini' hiberfil, catching just the kernel session during a shutdown. What is the hiberfil? If you ever hibernate your computer, the OS creates a file called hiberfil.sys which is essentially a snapshot of the machines state and a compressed form of what is residing in memory at the time of hibernation. This way when you get your computer out of hibernation, it is very quick to restore and things were as you left it.

You can see an article about the "hiberfil.sys" from hibernation and what can be extracted from it here.

So now imagine being able to use a hiberfil for boot-up, most of the kernel level stuff is already setup and ready to go, thereby cutting down immensely on driver setup and initialization. (See the link for a pretty diagram).

What does this mean for forensics? Always being able to have a hiberfil means having a portion (not sure how much- the article was a bit fuzzy on this) of RAM to extract and run your favorite memory analysis tool on. At the very least it will have some tasty kernel-level information very useful for rootkit/malware finders.

I guess we shall see come the release of Windows 8!

Windows 7 Forensics

2011-09-01T15:27:00.004-04:00

So I was discussing with an old coworker today about the desire to learn a tad more about Windows 7 in a forensic sense. It is much different than XP (which still has a good chunk of market shares, quite impressive for being 10 years old) and since I am going to be back on the job saddle **cough cough** soon, its good to start thinking about these things...

So, I present some good links on Windows Vista/7 in terms of forensics:

Iron Geeks Forensically Interesting Spots in Windows 7/Vista: So not all of these are new by any stretch, but I see some interesting opportunities for scripting when I see these. I might be playing with Harlan Carvey's RegRipper and my boyfriends Windows 7 box (ahhh there is always a sacrificial lamb) soon.

Windows 7/VISTA Advanced Forensics for LE: Seems to have some interesting downloads, including one on Shadow Volumes

On another note I am trying to pick up Java, because even though I hate (ok maybe not hate, just do not like very much in the words of my granny) programming I do appreciate how useful knowing how to write/read it can be. I am still on baby steps, but I am using the book "Understanding Java" by Barry Cornelius. Very descriptive, good explanations, and no cheesy graphics. Not that I mind cheesy, heck you will never guess where I am headed this weekend!! :: suspense::

Proof Hacks Don't Need to Be 31337

2011-08-26T18:42:00.002-04:00

Remember the RSA hack? The thing which started to freak out companies who distributed those handy little RSA tokens in hopes of securing their data? (If not do not worry, you can read about it here).... Well apparently F-Secure, who run the super awesome site VirusTotal, say the e-mail was submitted to their database a few days after the email was sent, namely 2 days after EMC Corp. released the news of the leak.

The verdict? It was not that sophisticated.

Sure, it was a spoofed e-mail, but the user grabbed it out of the junk box to open it. It was supposed to look like legit traffic from beyond.com, a job recruitment website.

The message? "I forward this file to you for review. Please open and view it."

If that seriously was only what was in the e-mail, that does not seem like something a job recruitment company would send. They would definitely make it sound more-- professional?

Regardless, user opened the attachment, and voila. Meltdown!

Just goes to show you don't have to have the best spear phishing email, all you need is one nibble... and you got em hook, line and sinker.

The Safest Browser: IE9??

2011-08-19T16:34:00.003-04:00

So, although the title of the article was "Google Chrome improves anti-malware blocking score by 340%", what the article really ended up saying was regardless of these improvements, Safari, Firefox, and Chrome do not beat IE9's 99.2% score in blocking malicious sites. It must be noted that this study did not include drive-by malware, it required a user's interaction (ie downloading a file).

How did Microsoft pull it off? With a feature called 'Application Reputation' which uses hashes, history, and reputation. So for example, one downloads "minecraft.exe". Based on its history (has this been around for a while?) and reputation (has it ever been flagged as malicious?) it may be passed as ok. However, if IE has never seen that hash associated with the download, it would notify the user. Now granted, you probably will ignore this because, dangnabbit you really want to minecraft... but don't blame Microsoft for your woes.

This concept reminded me of something I was discussing with friends a while back. Something like cloud-AV. If one could input a hash of a file into a cloud which was seen by all AV-companies, and then based on the same criteria inn Application Reputation "rate" the file as being malicious/clean. This obviously has issues, the main one being what AV company would buy into this, as having a cloud would make competition (ergo making more money than the other guy) obsolete because it wouldnt matter what AV vendor you used as as long as they all put their data (but who really would honestly). Also, what to do if AV comes back saying something has a 45% probability of being malicious... what is a user to do? You would have to still have an override button, so once again you have the weakest link to worry about.

For minecrafting though... I would accept 45%, as would any other human being.

APT: What is it really?

2011-08-11T14:11:00.003-04:00

Ira Winkler recently wrote an article about McAfee's latest report on Shady Rat. This brings about the buzz word Advanced Persistent Threat (APT) out again. Its always interesting to see this word being tossed around. What is it really? It's just putting a fancy name to something which has been around since goodness knows when. Ira breaks down the attacks as generally how all attacks are, except APT tends to have a bit more sophisticated malware than your standard drive-by exploit.

Delivery is never complicated, because generally it doesn't have to be. Sending phishing emails with malicious links/attachments, sometimes spoofed, sometimes not. You only need one user to click on a link to gain access to a system. It is of course always better to gain access to an executives computer/account, but not always necessary.

The shady RAT malware used steganography, something I personally have never seen in the field. APT generally uses something more devious than stand drive by exploits: rootkits, infected MBR's, and even patching holes that other malware utilizes.

Personally- I think the main difference between APTs and other nefarious actors is that nefarious actors are usually after two things: money or CPU time (for botnets etc). APTs are generally after information, and willing to go low and slow to get in, establish persistence (backdoor), and exfilrate data in a secure manner. The other guys don't really care about that because if 5 out of 50 computers get hijacked, its good enough for them (that any they just blast out e-mails/infect websites like crazy).

Regardless of my opinion, Ira makes a good point: Why do vendors over-exaggerate claims and their competitors come out with rebuttals saying it really is no big deal and here's why. Shouldn't collaboration be a better buzzword to be dropping? If we had better dialogue between vendors and security teams from various fields (private and public), maybe we could help the community as a whole.

Black Hat/DefCon Funness

2011-08-06T05:26:00.007-04:00

Ahhh... two weeks in Las Vegas. It's enough to drive a person insane. This year is no different. Lotsa interesting hacks and gizmos seem to have come out this year, not to mention AnonymousSabu and th3j35t3r taking shots at each other on their respective Twitter feeds.

A brief synopsis is available on CW for those who just want a quick overview.

Perhaps one of the more interesting hacks revealed was the vulnerability in OSPF routing by a security researcher in Israel. Open Shortest Path First is the most popular routing protocols within an autonomous system (AS). What exactly is an AS? Wikipedia says its "Within the Internet, an Autonomous System (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet." So think large corporations, ISPs, or Universities.

OSPF works by link-state routing. An interface is a link (so every NIC in a router for example). I remembered this from my Computer Security class days. Lets say you have a few routers in an AS. Routers share link status for themselves using unicast or multicast packets, thereby creating a topology in their databases of router links. There is a designated router (king router) which receives these updates from all the routers and then sends updates to all the routers.

So, below is a horrible mockup of visual link costs for a tiny AS. Link costs are determined by the overhead required to send a packet over the link. So in theory, a 56k modem would have a higher link cost than say a T1 line. Higher bandwidth = lower cost. (Cisco)
So for router A to send to router E you essentially add up the links to determine which is the best path to take. There are a few different possibilities, but the best choice here is A-D-C-E (10).

The Dijkstra algorithm is used to calculate the shortest path, you can read more about it here. This is obviously more complicated than I explained here, and every AS consists of much more than 5 routers.

So ANYWAYS, the security researcher discovered that there is a flaw in the protocol (via the Link State Advertisement sequence number) and he could now send link updates from 'phantom routers' which basically screw up routing tables. So, now traffic can get congested, or be rerouted thru a certain point (maybe one with a sniffer?)

Of course there are some requirements. From the article:

"The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router. The exploit also requires that the phantom router is connected to the network, Nakibly says. To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. " (ComputerWorld)

Made fun of your boyfriend because of his obsession with model airplanes? Well two researchers unveiled a homemade spy airplane which can intercept phone conversations and hack weak wifi. Well the airplane was an army surplus purchase, but the point is anyone can buy these things and with some elbow grease and time... come up with something a bit nasty. I can totally see geeky parents making this to spy on their kids... intercepting their cell conversations... or making sure they are not talking while driving.

Also fun to note: Metasploit 4 is out... now with more exploits and a database for storing information discovered about the hosts scanned, and which hosts would be able to be possibly susceptible to exploits (RHOST). This makes Metasploit better for IT staff who want to scan their entire networks, where pen-testers usually only test against a sample of machines. This now makes Metasploit more marketable... the man is getting to us all.

Browse the Planet: Anonymously

2011-07-29T12:29:00.016-04:00

Big Brother got you down? Really really really want to watch the latest episode on Fox but, alas, you are not in the United States so you get the "I am sorry but you are not cool enough to watch this" page. Want to listen to Pandora while overseas? Or just don't want 'the man' to know where you are, or what you as a person are searching on?

Enter: Cyber GhostVPN

Now there are a bazillion types of VPN/proxies around the internet. I am not saying CyberGhostVPN is the best, however, its free to try and allows 1GB of traffic. The free option is not good for you people who like to **cough** torrent, but its good when you are in the coffee shop and want to check your e-mail/facebook quickly. This also protects you from people sniffing wifi, as your connection to the VPN server is encrypted with 128-bit AES key. This key is re-established every time you connect, so every coffee shop you visit your key is different.

Below are the steps for getting GhostVPN running:

1. First you need to download the software (duh). You can grab it here: https://cyberghostvpn.com/en/product/download.html
The MD5 hash for the version 4.7.0.0 is: 6576ca7fa2a048fb1356d149b0e39e81
HOW TO CHECK THE VERSION: Right click on the downloaded program icon, Go to Properties, then click the Version tab.
WHAT IS AN MD5: MD5 is a one way hashing operation which provides a unique (enough) hexadecimal string for a file. Its useful for ensuring you have not downloaded a malicious/unofficial release of a file. With Windows you have to download a program to do an MD5, I like this one. You do not HAVE to do this, its optional!

2. You also need to create an account: http://cyberghostvpn.com/page/registration.php. This means you need to submit an email (it can be real/fake, up to you) and also create a username and password. Note if you give a fake email and you forget your password, you are SOL.

3. OK--- click on the downloaded file icon (right) and awayyy we go!

4. Choose the language you prefer, click Next.

5. You also have to decide where you want to save the program to, where you want to place the program in the Start Menu, or if you want a QuickLaunch icon and/or a Desktop icon. Generally the defaults are good.
* The screenshot to the right is the GhostVPN installing a driver on the machine, if you do not allow it, the VPN will not work*

6. Restart your computer... see you in a few

--- minutes pass ---

7. When you click on the snazzy GhostVPN icon, you have the option of creating your account now or skipping ahead to the log-in.

8. For first time set-up, you can specify what mail services you use on mail programs (like Yahoo!, Gmail, Microsoft, etc) as GhostVPN by default shuts down these ports

9. You also have the option of choosing the server you wish to log into (when you have the free account, you really don't have a choice) and if you want your history and cookies deleted after you close the browser. This option is only available with IE.

10. Finally, log-in using your username and password. The connection is established with 1024 bit SSL encryption. Feel the love.

11. Ok, so you are not connected YET. Its pretty obvious from the big red bang (!) and the YOU ARE NOT ANONYMOUS text. To fix this, connect the 'Connect to VPN' button...

12. ... and voila! You are now connected. As you can see I am connected to a German IP (check the flag). To prove this, I browsed to Google and ta da! Guten tag Deutschland!

So if you love this service, you can choose from 3 different options, each increasing the bandwidth as well as traffic allowance. You also get the ability to choose what servers you want to connect to. So, those IP based web sites beware!!

Bring Your Phone to Work Day... or Not

2011-07-29T07:29:00.005-04:00

I never complained about my Blackberry. Well, maybe a few times-- there was this one time the battery inexplicably died and I had to return the entire phone to our distributing center (oddly enough cell phone stores in Germany did not carry the battery... I found this perplexing and utterly annoying). However, despite this, I was grateful that I had a phone which usually worked, had the internet and e-mail at my fingertips, and I never saw a phone bill.

But ohhhh how I wanted an iPhone :( I would drool with envy when I saw all the apps my friends had on their phones, and the usability of the thing. Why don't more corporations use Androids and iPhones? (ironically enough Symantec started allowing iPhones right before I left, figures)

It seems I am not the only one who feels the same way. In a report released by ComputerWorld, half of the workers surveyed (only 500 total, not a large sampling) would prefer the choice of mobile devices to be used for work. Some were even willing to give up some perks including -gasp- paid leave days.

So now the question remains, why can't we? Are Blackberries more secure than the other two? Everyone remembers last year the big to-do in the Middle East, with countries like the UAE and Saudi Arabia banning the devices because messages are encrypted and sent to RIM. Read: They want the keys so they can be on the look out for terrorists and other nefarious actors. Blackberry also allows certain functions to be disabled when dealing with corporate phones. For example I was not allowed to post pictures on FB (however I could go thru the web rather than the app to circumvent that issue). Can the same be done on the other platforms? Like a ACL for mobile devices?

The apps though allowed by the other two devices are astonishing, and really could help in increasing the efficiency of the worker. Apps which aid in PowerPoint presentations, brainstorming, chatting, blogging, etc are astounding. Apple also offers in the US something called the App Store Volume Purchasing for Business. With this companies can buy in bulk applications they want their employees to use, thereby gently steering them towards work-friendly and approved apps. They also offer getting custom apps built for your company which can link to back-end business databases to further empower the mobile workers. Neat.

How about Android? It seems like Android has a ways to go in terms of business applications, although there are a few handy ones around. I would not call them 'business focused' as a lot of them I thought would be great for personal use, especially keyring.

How about security? Iphones are of course a serious market to hackers (I even blogged about one earlier this month) due to their popularity. If a corporate iphone is popped, what threat is there to the corporate backend? I suppose it depends on what is stored on the iPhone (username/passwords/IP addresses/corporate files) It is possible to run metasploit and nmap on the jailbroken iOS...

Android also seems to have its share of nefarious woes, especially with nasty apps. This shows all phone makers the need for a robust filtering process when allowing apps to be sold on the official phone application store. If you jail break it... well its kinda your own fault for just blindly trusting. Of course don't we do that all the time? Oh man such a condundrum!

McAfee offers some protection for Andriod and Apple mobile users via its Mobile Security Division. This is what $30/year gets you:

Backup and data restoration;
Remote locking;
Alarms in case a device is stolen;
Remote data removal;
Anti-malware software and phishing detection;
A portal to manage multiple devices.

McAfee even have a $20 option called WaveSecure which seems to be more about tracking and wiping in case the phone is stolen/lost... still it is a step in the right direction. Strangely enough it does not saw it support iOS on its website, however I found the app in the AppStore. It even works for Blackberry!

Hey-- yeah Blackberry, what about them? A quick perusal did not reveal too much, however I know the golden egg would be hacking the BES (Blackberry Enterprise Server). This one was disclosed earlier this month. That is not to say the device itself is a bastion... here is the vulnerability that was used at Pwn2Own earlier this year.

I think limiting phones comes down to money and streamlining. Tying users to one phone type means less headaches to the IT staff and much easier to manage. Regardless, steps need to be taken to protect the devices and the servers behind them to ensure they are as secure as they can reasonably be. At the end of the day, its a corporate device-- if you don't like it I guess you gotta get your own phone. And don't connect it to the work network-- for the love of God.

Razors vs Lasers: Vision Surgery Explained

2011-07-22T08:44:00.005-04:00

Today I headed into town to see if I qualify for corrective eye surgery. After the rigorous testing, including the ever dreaded air puff test (which measures pressure and tests for glaucoma) I got to sit down and get my options laid down for me.

Laser-Assisted Sub-Epithelial Keratectomy (LASEK is a bit easier to say) is the type of eye surgery I remember from the the earlier days. With this the epithelium- a thin layer of cells separating the external (the air) environment from the internal (your inner cornea) environment - is weakened with an alcoholic solution and then removed from the laser treatment area, and then replaced after the cornea is then reshaped using an excimer laser (which uses UV light) or a microtome (I wish I could use a better analogy than a razor, but sorry its the best I can do). The epthielium regrows itself quickly, the inner cornea however does not regrow. This is a good thing, because it was just reshaped to improve your vision. This is also why however, you have to dress like a pirate while sleeping for your first week or so because the last thing you want is to rub your eye and move the epithelium around and distort your vision. NOT a good wake up.

Laser-Assisted In Situ Keratomileusis (LASIK in this case) is the more popular method now. Instead of removing the epithelium, a flap is created and then replaced after the surgery is completed. How is this flap created... with a microkeratome (so still with a blade... ick). However, with this flap method recovery is a bit quicker. The cornea is again blasted (maybe not the best choice of words, but wikipedia uses vaporize which I don't find any more reassuring) with an excimer laser. You still have to sleep like a pirate however because the flap is also prone being jostled if you rub your eyes.

Custom Wavefront: So... contacts and glasses are not really specifically created for your eyes. Based on the shape of your cornea the optometrist determines the best power lens for you and gives you that, of course accounting for things like astigmatism as well. Regular LASEK/LASIK works the same way. Wavefront technologies however, give the laser a specific layout of your eye (more points of reference if you will), therefore giving you a more customized eye surgery. This means you get better vision than if you went with standard eye surgery (and surprise, it costs more). According to one website, "surgeons can use Wavefront surgery to identify, measure and correct individual's eyes 24 times more precisely than with conventional methods used for glasses and contact lenses"(opticalexpress.co.uk). This is also highly recommended if you have aggravated conditions of astigmatism, myopia, or hyperopia.

IntraLase: Do the thought of little razors near your eye freak you out? Well for more money (of course) you can have a laser create the flap for LASIK rather than a microtome.

You can do a Youtube search and find LASIK/LASEK surgery videos so you can get a better understanding of exactly how the procedure works. Or you can watch the video below. I will warn you its a bit graphic, but personally I would rather know what is going on, like I said its your vision, which is pretty important.

One of the most important thing is if you wear contacts you do not wear them a week before surgery. Contacts actually morph the shape of your cornea (freaky) so if you wear contacts the day before then go for surgery, you run the risk of too much or too little being vaporized/blasted off. When dealing with something like eyesight I don't think this should be taken too lightly. Hard contacts are worse, and industry suggests not wearing those for a month before surgery. Ouch.

So-- a concern I had with this was SCUBA. As some people may know this is my favorite hobby. How long will I have to be sidelined from SCUBA if I get this procedure done? The recommendation for any watersports is one month, but they suggest and extra 2 weeks (6 weeks total) for something like SCUBA. And considering where I am living, this is not a huge deal.

Flying? Fear not. People have done eye surgery and flown the same day.

Google lends a hand...

2011-07-21T08:01:00.006-04:00

Although a bit sketchy on the details, Google will let people know if their computer may be host to malware based on the proxies the computer has been sending requests thru. From the article:

"Google is putting up a notification at the top of Google web search results to users whose traffic is coming through the proxies. The notice warns uses that their computer is infected with software that intercepts their connection with Google and other sites, Damian Menscher , a Google security engineer said in the post."

Malware likes to set up proxies so baddies can intercept web-traffic. Naturally these proxies have to belong to the baddies, or at they at least have to have some control over them. Also, known malware tests to make sure its online by going to a well known IP (like Google) via a proxy to ensure that the machine is online. Well Google puts a nice banner at the top of your
search results letting you know it thinks badness is afoot. The official Google Blog is posted here.

It's an interesting concept, your search engine not only giving you search results but also telling you if can possibly be infected. Such a nice idea-- like someone is looking out for you. But is it also kind of creepy? Or-- is it a sigh of relief? More importantly-- why aren't AV companies picking up on it?

Everyone is Out to Get You: Including your iPhone and Mom

2011-07-18T10:53:00.007-04:00

Remember the X-Files? TRUST NO ONE was Mulder's (*sigh*) favourite saying. Well, thanks to joys in technology you can't really trust anything either.

Skype: Now this one is your classic cross-site scripting oops. According to German security researcher Levent Kayan, a user can insert javascript into their mobile phone field on their profile. Now, when your friend (or mom) logs into Skype YOUR profile is updated on THEIR computer, and the javascript is maybe executed.

Maybe? Well there seems to be some mitigating factors. First, you have to be friends with the person (duh) and it needs to be someone you talk to a lot (ie shows up on your main page). So you talking to your significant other could suddenly become more dangerous than talking politics to your mother.

Skype is downplaying this based on the factors I just described above, and are releasing a patch this week (according to the CW article).

iOS: Now I will be honest this may have been fixed already, but this one utilizes malicious PDF files on a iPad or iPhone. So when a person jailbreaks an iPhone (or an iPad) they are basically hacking their own machines and allowing code to execute which allow a user to do more than originally intended for the machine (use any SIM, download homebrew apps, whatever). Now, what is to stop nefarious people to take that same hole which allowed for jailbreaking and exploit a machine? None. Just the poor user thinking grandma sent them a PDF for the recipe for those cookies they love so much, but really is carrying the exploit and nasty code (maybe it also includes a recipe for cookies, but not the one you wanted.... drats!).

This was brought up by the 'Bundesamt fuer Sicherheit in der Informationstechnik' (BSI) which is a German government entity. Basically unless you downloaded an updated iOS recently you are vulnerable and watch out of sketchy PDF's. Or if you ::cough:: have a jail-broken device, the guys who developed the jailbreak (JailBreakMe) have released a patch called PDF Patcher 2 and is available in the Cydia App Store.

Windows BotNet: Zombies come in three flavours in my mind. There are the really slow (physically and mentally) ones which would be easiest to fight or flee from (think Shaun of the Dead). Then you got ones from 28 Days Later, which are a bit faster and just a tad more scary. No worries, a few more precautions and we are good. Now...imagine zombies that are smart as the things in I am Legend.

Crap.

People are now talking about a botnet called TDL-4 which seems to be the juggernaut of botnets. Coming back to zombies. Cutting the hand (infected node) from the zombie does nothing, that thing is still moving and infecting other. So, learn a thing from the zombie flicks: you gotta cut the head (c2c nodes). TDL uses its own funky encryption, infects the MBR (master boot record) so its has longer shelf life, and utilizes P2P networks in such a way it makes command and control (c2c) difficult to take down.

Man I like this post... any time I get to mention zombies its a good day.

More detailed analysis can be found here at Sergey Golovanov 's (Kaspersky) Blog. If you now feel trapped in a sea of zombies and its just better to give up- fret not. Guys like Richard Boscovich of Microsoft, who have slayed other botnets such as Waledac, Coreflood and Rustock say nothing is indestructible... you just have to think it thru a tad (or maybe a lot) harder.

So, based on this post, your best bet is to switch to Linux and get a flip-phone.

How its Made: Exploits

2011-07-06T23:43:00.004-04:00

So-- I understand the 10,000 foot view of how exploits work. Someone discovers a vulnerability, and then someone attempts to create an exploit which subverts normal security via the said vulnerability. This usually done by making some pointer in the code point to another location where it shouldn't be pointing to (jmp's, buffer overflows, etc) ... namely evil code and then it gets executed and viola, instant magic.

But seriously... how does one get from point A to point B? A one Joshua Drake painstakingly blogs about researching a specific vulnerability (regarding DNS resolution) and trying to figure out how to exploit it. Now I am going to readily admit this is way over my head; machine language and debugging was never my thing. However you have to admire these guys who spend countless hours writing and testing and perfecting code (and sometimes with no luck) so others can use it for penetration testing.

This article made me think a few things: The first being how I have such a long way to go in the world of computer security, two how maybe its a good thing not all vulnerabilities are exploitable (as if baddies and researchers do not have fodder), and three wow I have such a long way to go....

So the next time you whip out metasploit and think how bad-ass you are... think about all the work involved in that exploit you are using, and begin to appreciate all the work that goes into such a product. It's a humbling experience.

So here's to you, vulnerability researcher -- I hope I never piss one of you off :)

BTW- you can still participate in Metasploit's Exploit Bounty until July 20th

It's finally coming true

2011-06-21T15:15:00.004-04:00

So I remember sitting in a class in Graduate School talking about vulnerabilities via the Operating System when they started to theorize about exploits subverting using crazy methods like RAM and BIOS chips and graphics cards... weird how now all of these things have come to fruition.

Context IS wrote a blog about the vulnerabilities inherent in WebGL (Web Graphics Library) and what can be done with it. Basically WebGL allows for the rendering of 3D objects in the browser with Javascript. The issue is HOW it accomplishes this, digging into the GPU in the highly coveted and sacred kernel mode.

Khronos actually has a web page which is a PoC for causing a denial of service.CAUTION: This will probably crash your system. You have been warned.

Interestingly enough, another issue is the stealing of images. Context show a video of using the WebGL to basically scan an image line by line (its not that easy, but I am trying to get you to read their article), therefor ripping it from a site. I wonder if this could be used to snag those images used in mobile banking? How about 'watermarked' images?

Another indicator as to the potential danger of this, Microsoft does not seem to want to implement WebGL on IE (or at least by default as far as I can see) because of these very concerns. However, Chrome and Mozilla have it in their browsers.

It's crazy to think about all the ways a hacker can now pwn a system. My interest in this one is: what forensic artifacts (if any) would remain on the machine if this was used? Memory? Would we now have to somehow read the GPU to see what is in there?

An analysts job is never done.

Well... thats one down

2011-06-19T17:25:00.003-04:00

Autorun is still an issue? I thought people learned their lesson like 5 years ago? Apparently not but Microsoft has finally helped us all out by doing its best to disable autorun viruses and malware from working. Now using Micrsoft's Malicious software Removal Tool, ComputerWorld states there has been a "68 percent decline in the amount of incidents reported across all builds of Windows using Microsoft's Malicious Software Remove Tool".

That is pretty impressive.

Of course this does not stop the malware that embeds itself in DLL's or in the registry, but it is helping to rid the 'low hanging fruits' and protect the Janes and Joes of the internet.

2011-06-17T04:56:00.006-04:00

In an article in Livescience.com, the writer talked about if its necessary to pay for anti-virus. Now the article states (and I concur based on my own research) that there seems to be not a super huge difference in which one performs better. McAfee and Symantec, as well as other pay-for anti-virus companies, do seem to squeeze out better in newer threats (they seem to pump out heuristic signatures better), I really feel no one should really depend on anti-virus to be their last line of defence.

As any computer security person will say security needs to have layers (like an onion!) to be effective. Plus even if you have a free AV (I personally like AVG) you can still get some of those supposed 'bell and whistle' features some AV companies offer when you pay.

Firewall type behavior: why not jut GET a firewall? Comodo gives you a free firewall (its also AV) and even tells you when connections are attempted inbound/outbound. This will annoy people who just like to have a 'hands off' experience. Or those who got annoyed by Vista asking you permission to do things all the time. Microsoft also offers a free firewall for (duh) Windows users.
Sandbox: When you sandbox an application, it protects itself (and other applications) in case something goes awry... like a buffer overflow. So in theory, if your IE gets pwned, it can't inject itself into other running processes. Google Chrome using sandboxing isolation by default to help prevent malicious attacks. You can run IE and Mozilla (or any browser) in a sandbox like SandBoxie to keep your internet browser 'isolated'. Consider it the black sheep of the family.
Web Surfing: There are many sites you can visit which check the legitness of a website. McAfee has SiteAdvisor, Symantec has Norton has SafeWeb. However Web of Trust has a add-on for the major browsers which lists right next to the link if its been considered 'trusted' by the community (which anyone can join) and other sites (like PhishTank). AVG also offers this type of service as well for web browsing.

I like how the article does mention virustotal if you have a suspicious file and you wanted to check its legitimacy. Another website I would suggest is ThreatExpert. You can search by threat name/process name/MD5 hash/mutex and it will return any hits found in the database. Its nice when you want to see more of an overall picture of what the virus is doing to your system. It shows modified/altered/deleted files and registry settings. It also shows any outbound connections to websites and what ports they went over.

What I am trying to say is no matter what AV vendor you go for... you need to make sure you have additional features (host based or network based) to defend yourself.

Photo Fun

2011-06-17T04:05:00.006-04:00

Lightroom is an amazing piece of software. Think like Photoshop but for the poor(ish). Sure it does not have some of the super spanky features like the absolutely insane "highlight something and we can make it disappear and render what we think would be there" button but for most (normal) editng needs, Lightroom does the trick.

This tutorial on earthboundlight.com shows how to use the sharpening tools in Lightroom. I also found out I can use the 'ALT' key to show a photo in black & white as sometimes color skews your judgement.

Photojojo also had some fun ideas on with shadows. Shadows are one of those things you just can't avoid (yay science!) so why not play with them? Another idea which I find fun is going to your local Science Museum and finding a photo-sensitive wall and photographing your shadows doing some silly things.

Back in the Saddle Again..

2011-06-16T08:46:00.003-04:00

Current Mood: unemployed
Current Movie: Indiana Jones and the Last Crusade

So I have been unemployed now for about a month. For two weeks though I was hiking the Coast to Coast trail, a 191 mile trek from the Irish Sea to the North Sea in England. You can read all about that here if you'd like. It was freaking awesome. I know its weird for a geek to be out actually enjoying the outdoors, but, well I guess I am a bit different :)

So I have already become tired of daytime television and at the moment do not feel like walking too much right now. So I decided it would be best to maybe stay semi-involved in the computer security realm so my brain does not become like mushy peas (which are quite tasty!)

So back when I was working as a contractor for Symantec I wrote a perl script which automated many of the processes of Rob Lee's SuperTimeline. Basically enter a few parameters and then go for a coffee break. Theoretically when you came back (some might say this is dependent on the size of the image you are parsing, I say its based on the distance to the coffee shop) you have a nice Excel spreadsheet waiting for you to look at.

Now this was helpful in a few of the investigations I did, so now I suppose I have to rewrite it. This is fine because now it can be bigger, faster, stronger. I have seen a lot of interesting tools out there which would make the timeline more interesting, or if anything automate forensic analysis to make life just a tad easier.

I hope to use this blog to highlight the interesting things going on in the security/forensics community.

So sit tight... and let the games begin.

Online Compiler and Debugger

2011-04-26T04:57:00.001-04:00

http://ideone.com/

Perfect find detemining what the heck exploit code does :)

2011-04-25T04:54:00.004-04:00

So not exactly hot of the presses, but worth a looksee is Verizon's 2010 Data Breach Report. I will let you all peruse the 66 pages of intelligence in terms of data breaches. However there are definitely some interesting facts in just the summary (well duh I suppose):

70% of data breaches occurred from outside sources

48% of data breaches caused by insiders

Of all the breaches:

48% of data breaches were caused by privilege misuse

40% of data breaches were caused by hacking

38% of data breaches utilized malware

28% of data breaches utilized social tactics

85% of all attacks were NOT CONSIDERED DIFFICULT

96% of breaches could have been MITIGATED BY SIMPLE OR INTERMEDIATE CONTROLS

Nevermind the simples maths behind this (I am assuming there is merging in a lot of these factors) but the last two bullets are mind-boggling yet not suprising. How many attacks do people see out in the field which could be blocked by patching? Or by user-awareness. Obviously not all will be caught (and it only takes one!) however its nice to grab the low-hanging fruit to focus on the tougher to find fruits.

Null Shares: Oldie But A Goodie

2011-04-13T02:55:00.001-04:00

Because sometimes all you need is a simple way in: Null Sessions (microsoft or bigfix)

Forensic Stuff

2011-03-31T11:31:00.001-04:00

Access Tokens to Watch out For: http://msdn.microsoft.com/en-us/library/Aa446619 Well Known SIDS: http://msdn.microsoft.com/en-us/library/Aa379649

Repaiting PST Files

2011-03-15T10:51:00.002-04:00

Current Mood: blah
Current Music: whatever Don has on the radio

Repairing Broken PST Files

This is one of those things I wish I knew about starting years ago.... great for forensics. It's like fixevt but for Outlook!

Koobface, down but not out

2010-11-16T03:15:00.002-05:00

Computerworld reported today a blow to the Koobface botnet. Of course, its interesting to note that the owner had multiple botnet severs all on the same IP space. Botnet 'best practices' (I use that term loosely) say the servers should be spread out all over the place, this way if one gets taken down it is still hard to take down the rest. This was also a detrimental blow to the Bredolab botnet, resulting in its televised (albeit staged) take-down. Koobface is interesting because it used almost entirely Social Networking Sites as its method of infection. And people get angry when they can't access Facebook at work...

Linux Infected.. the Age Old Argument

2010-06-14T16:32:00.002-04:00

People have been arguing back and forth for (what seems like) centuries about Windows vs Linux/Unix. I am pooling Mac OS into Linux/Unix, because it is running on those platforms... it is just swaddled in expensive, sexy looking software.

Amidst the talks of Google promoting switching to anything but Windows, there was an article posted on ZDNet talking about an official Gentoo distro of Unreal containing a backdoor.

The scary part... its been there since November 2009! Now I have heard of Windows being vulnerable for long periods of time, but that is generally because users are slow to patch. When Microsoft is informed of a bug (it seems) like they attempt to take it seriously and address it. Of course there are many factors unknown-- like were they informed before and they just never acted on it? Also who knows how many issues are found in Windows but are quietly swept under the rug (think: Anti Trust) The article seems to infer that the admins inherently trust open source software therefor are actually LESS secure than their Windows counterparts...

While that remains to be seen, it is something to chew on... and with Macs gaining a new found market niche, it is only a mtter of time before hackers turn their gaze to the Apple world.

Holy Cow

2007-06-01T11:27:00.000-04:00

Current Mood: glad its Friday
Current Music: none - its lunch break

http://www.wired.com/culture/lifestyle/magazine/15-06/st_waterslides

That first water slide looks horrendously awesome... watch out for people sh#$$ng themselves while going vertical!

Ah the classic battle

2007-02-05T14:59:00.000-05:00

Mac vs PC: It's the funniest thing as I was talking to someone at the superbowl party these commericals got brought up. I was saying how I needed a new MP3 player, but just didn't want to get a iPOD. Yes - i know- they are small and -i know- they are just 'the shizzle', but meh.... something about them makes me want a Gigabeat or a Zen M instead...

I also think the article is great b/c it talks about Peep Show and is just littered with British lingo... Brilliant!

2007-01-30T21:24:00.000-05:00

FBI Turns to Broad New Wiretap Method: Apparantly worse than Carnivore? EFF must be having a field day...

Lifehacker: Alpha Geek

2007-01-23T07:29:00.000-05:00

Lifehacker: Alpha Geek
Oh man- can MP3 life get any better? This program described here by said MP3 guru Rick Brodia, MP3Gain, is wondrous. It scans every file in you music collection and adjusts them so every song sounds like it was from just one album. What I am trying to say is: you get rid of very loud or very soft tracks, something you get when you boy from different source's rip from your friend, record off the internet, or whatever it is you people do :) You can even change the dB level to be louder or softer depending on your preferences, and if you think it sucks you can revert back to your old 'volume knob turning with every new song' ways. The true test for me is when I re-synch with my MP3 player (yes the -original- Dell Digital Jukebox is still kicking, but I am thinking of upgrading)

His RSS feed - Alpha Geek is pretty great anyways.

Go Manning

2007-01-22T15:27:00.000-05:00

I will not even attempt to discuss football here (I still don't understand offsides all too well), but I like this editorial on Sports Illustrated.com about how (almost) everyone is happy that Manning is (finally) going to the SuperBowl

Seriously, I do not know anyone who likes the Patriots. They are a good team, you kind of have to be to get as far as they did, and oh yeah - won multiple (I think 3?) SuperBowls in a row. But -man- Manning is just so likable! Look at his commercials for Mastercard, ESPN, and Sprint... so cute.

Brady's got the looks, but Manning is the boy next door that everyone is rootin for.

Let's of course- not forget the Bills SuperBowl legacy... or maybe we should :P GO BILLS!!

Oh and while we are on the topic of sports- Everyone should watch the NHL All-Star Game on Wednesday 8pm EST. Sabres coach Lindy Ruff, as well as center Danny Briere, Defensemen Brian Campbell, and goalie Ryan Miller will be in full effect supporting the Eastern Conference. There is someone from our coaching staff there too... LETS GO BUFFALO!! My only complaint is that Mr.Afinogenov didn't make it - its a conspiracy I tell you

Wow

2007-01-22T13:39:00.000-05:00

Upright Ms. Pac Man Arcade Game?! Wow - this is beyond exciting

Wahoo to more password changing

2007-01-22T13:12:00.000-05:00

PWDMan sounds some old superhero (almost as old as NTOSKRNL man), but regardless this article sheds some light on this password checker tool.

"PWDMan can query a single computer or a list of computers to determine the age of the local administrator account's password to see if it's time for a change. In the drop down box, enter either the name of a computer or the name of a text file with a list of computer names."

So, keep in mind this is more for business with more than a handful of computers (if you use this at home, you may just be lazy and mkaing more work for yourself... or in my case you may just be curious how it works)

Majorgeeks.com : definitely not a new page by any stretch, but I have found renewed love for the site, it keeps me far behind on 'cool looking software I would like to try out'

And, since Kyle thinks I have 'boring techie' stuff on my website, here is my attempt to appease his with fun little snippets about my life (but still geek related):

Right now the DoD Cybercrime Conference is going down in St.Louis, Missouri. Due to reasons beyond my control I was unable to make it this time. But a few of my buddies will be there, with some good speakers
Thanks to my inablility to go to said conference, I have decided my next course of action will be to shoot for Black Hat 2007 either in DC or Vegas. Hope wise I'm gunning for Vegas, reality/budget wise I am going to the DC one... let's hope I get approved!

Sorry Kyle- that was not too exciting- I apologize

2007-01-14T14:45:00.000-05:00

Current Mood: excited
Current Music: 'Whats In It For Me?' Amy Diamond (via Hamachi!)

Yes so if you could not tell from the above I got Hamachi working. My main problem was allowing the Hamachi IP address to be a trusted IP address. Oh and making sure I was all connected with workgroups and what-not. My suggestion to anyone running Hamachi is make sure your firewall is configured properly. This means not only allowing hamachi.exe but also allowing the IPs to go thru. Oh, hah and having two firewalls, as I apparantly had going on on my laptop does not help either. I was using this tutorial and various other HOWTO's on the website. Make sure you follow their instructions regarding setting up your home network. Hamachi has their own mini 'getting started' tutorial as well. Patience and perserverance young grasshopper.

My next mission is to try and get VNC running over Hamachi. If you have all the necessary folders shared however I am not sure I would need to run VNC. I see VNC as a great way to help people having an issue on their computer and you can't get there physically to help them. To be fair I think the web proxy would be more helpful, but one thing at a time!

WTF

2007-01-13T12:17:00.000-05:00

Current Mood: whatevs
Current Music: 'Into the Fire' - Noa Assembly

Hamachi Update: Why does it always seem the 'easy' things never work for me? I can chat between the two computers, but pings and browsing does not work! I assume the network is set up wrong somewhere or I simply failed to follow the instructions... more on that to come!

However I do have something to report! Last night my roommate could not log on to his computer and he asked me if there was a way to get it. With some Google searching I found this Offline NT Password & Registry Editor. The walk thru guide makes this look horribly scary - but it isn't so bad. It is basically a registry editor and lets you alter the SAM files (read:where the hashed passwords are found) to be whatever you want them to be. The registry is wonderful, but dangerous place!

I was super excited to try this out, but unfortunately roomie simply had a user error (he forgot his user name, how one does that on their home computer I have no idea), so we did not need to run it. I noticed the program worked on NT 3.51, NT 4 (all versions and SP), Windows 2000 (all versions), Windows XP (all versions, also SP2), Windows Server 2003 (at least Enterprise)... XP eh? Hmmm... Virtualization would not work because it required a reboot, and with a reboot everything is refreshed... HMMMMMMM....

I used my own computer to test it, and I must say it worked just fine! I will post up screen shots if I remember, but the walk-through on the website is pretty good. Do not be frightened by the command prompt, embrace it!

NOTE: Tony also said I could have used Backtrack or Auditor with John the Ripper (it's already on them), dumped the SAM files, and cracked the passwords that way.. another good option.

2007-01-12T17:17:00.000-05:00

Current Mood: whoo!
Current Music: Ticks & Leeches - Tool

In true to form 'yay its the weekend' fashion, here are some fun links I saw during the week. I do believe I will tackle my awesome list of things on Monday, seeing as how I have the day off from work, and maybe start on it a little. Actually I do believe I will go thru the Hamachi set-up here, this way I can have a guilt-free weekend.

Before all that, some fun links:

Verizon Increase SMS Rates - Get out Now and avoid that stupid fee

In the spirit of new year's resolutions, I was thinking about buying some Nike shoes, an IPod Nano, and that cool RFID thing and you can track your progress (or lack therof), but after reading a paper from some CS majors at the University of Washington about how they can track people, I feel less inclined (but want to try it myself).

Guys Hack LA traffic lights: I am sure everyone wishes they could do that at times!

Ok back to Hamachi....
Taken from the Hamachi website:

"LogMeIn Hamachi is a zero-configuration virtual private networking (VPN) application.

In other words Hamachi is a program that allows you to arrange multiple computers into their own secure network just as if they were connected by a physical network cable.

Hamachi is fast, secure and simple. Its core version is also free."

Yes there are some differences between the core version and the premium (see a comparison here). I was interested to see that if acting as a web proxy the core version of Hamachi only allowed 2.5 MB of data (to put things into perspective, that MP3 you are listening to right now is probably bigger than 2.5 MB). This saddens me as I was interested in doing secure internet-ing from say, a Starbucks or hotel. I was intrigued by the 'routed tunneling' option, which means if the client in your LAN does not have Hamachi, a person (with all the required information, calm down) can still access it. This enables the P2P idea.

Speaking of MP3s - "Weapon of Choice" just came on my MP3 player. Take a break everyone - go watch the music video!

Ok- enough Walken (ha as if THATS possible!), back to Hamachi.

Right so I downloaded the core version of Hamachi and like all programs you need 'read' the EULA and click 'I agree'. The set up is pretty straightforward ("zero configuration" remember??) Hamachi also very nicely allows you to try the premium edition for 30 days then automatically switches you to the core version. That was the entire set-up.

When you run Hamachi for the first time, you get fun little pop-up:

It gives you a little tutorial as to the basics of how you can use Hamachi, its pretty straight forward so I won't go into detail here. It gives you a 'dummy scenario' where you can see how to do the connecting and what not...

Wonderful, I got it on one computer. I installed on my laptop (which I actually do not have networked to my main computer {stupid networking}). And after being harassed a million times by my firewall I got connected... I set up my very own network (aka sneakermoose), created a password and tried to connect both computers to it... cross your fingers!

The next blog I will talk about the trials and tribulations of actually getting this to work and testing it from somewhere.

2007-01-10T23:54:00.000-05:00

Current Mood: tired (why am I always tired?!)

So thanks to the wonderful world of the Google Homepage and the plethora of tabs and content you can throw on there, I came across a tutorial on how to fix your Nintendo. Now I have not tried this yet, as the mere thought of losing my Nintendo forever based on my own stupidity makes me cringe. I like the connector fixing bit, it does not require cutting anything out of the mobo....

Things I plan to look at:
1. TrueCrypt (namely how it works)
2. Metasploit (yes I know I am such a n00b when it comes to netsec)
3. Wireless STIG (Security Technical Implementation Guides) Actually I am sure there are many more I should look at
4. -some- type of programming (I am looking to C, XML, and Java)

The question is: when will I stop play Lego Star Wars II and DO this stuff??

*Editors Note* After looking at the previous post, #5 would be VPNs using Hamachi

VPN - The most fun one can do on a Friday night

2007-01-05T23:32:00.000-05:00

Current Mood: whatevs
Current Music: Hysteria- Muse

So, this article from ComputerWorld is a great outline for how to protect your precious laptop from wireless hotspot baddies. One of the interesting suggestions was to have a Virtual Private Network for protecting whatever information you send over the public 'wires'. Granted, this idea would mostly (well it SHOULD be mandatory) for doing business on the road. I really hope no one is checking their bank accounts at their local Starbucks *shiver*.

Being kinda foreign to the whole VPN world (brief into here) myself, I have decided I should look into VPN's. Mr. Gralla suggested HotSpotVPN, which for a fee (~$8/month) can protect you from the outside world while mobile. Now, this is all well and good, but what about us poor people who can't afford that, or are just curious. I hope to look more into this, I found a program called Hamachi, an open source (read: free) program that might do the trick, we shall see (any suggestions?). I would do it tonight, but I still think jet lag is tugging at me, and I am exhausted.

Wireless Forensics

2007-01-04T15:48:00.000-05:00

Interesting paper about wireless forensics. Did you know that your AP sends beacon frames 10x a second? Read: dread for the person trying to perform wireless audits...

Cheers from across the pond

2006-12-29T13:10:00.000-05:00

Probably 34 lbs heavier than when I last blogged... I figured I would throw some interesting sites I saw today:

Stuff you (prolly) did not know last year: Heh... now I know why the lion looked so real

People get free Vista laptops...: My only question is, why those people? Does ANYONE really base their opinion of a product based on some person's blog? Microsoft should have given me the Vista laptop, I need a new one anyways... And really people, why are you complaining about free stuff? If you hate Vista, wouldn't the ultimate slam be to just format the drive and throw linux on there? Anyone? Anyone?

Yay on to drink more tea....

A little something something before I head off...

2006-12-19T00:02:00.000-05:00

Current Mood: tired
Current Music: Like Eating Glass - Bloc Party

So before I set off on my holiday - I did find some interesting news going on in the world, here is a quick synapses... as I should get some sleep as I have an early flight :

Privacy Impact Assessment Report from DHS regarding their Automated Targeting System
A 30-page lowdown about DHS's way of targeting terrorism... works with cargo and people, the one aspect not implemented yet is the ATS system for international cargo. This of course, means that CBP (Customs & Border Patrol) collects PII (Personal Identifiable Information) about passengers, both domestic and international. This leads nicely into the articles from the the Washington Post and the EU Observer discussing the letter from sent by the EU to the United States, asking what exactly is being done with this information, and how long is it retained (the EU has stricter control over their information than we do).

TrueCrypt: Just seemed like a neat program, didnt really get a chance to look at it

Happy Holidays!

'Logic bomb' backfires on hacker

2006-12-18T23:53:00.000-05:00

So, call me sadistic, but I found this article found on ComputerWorld.com to be quite priceless. It's nice to see a 'hackers'(I think its moreso the disenfranchised sysadmin) plan completely backfire in their face. I think it would be interesting to know how much (if any) damage these logic bombs wrought upon the system. Apparently not as much as this man thought it would. Being a previous sysadmin of the very system he intended to devastate, you would think he would know the limits and capabilities of the system. Unfortunately the article does not state when thes logic bombs went off, simply that the man quit in 2002 due to "dissatisfaction about his salary and bonuses". IF he set the bombs to go off shortly after his departure (which is a silly move anyways... it makes him look mighty suspicious), why didn't he know that the bombs would cause little damage? What type of sysadmin is this?? PaineWebber is (obviously) better off.

Monkey Island

2006-12-15T16:45:00.000-05:00

Current Mood: Happy (its Friday!)
Current Music: Monkey Island Theme

Yes all.. I *know* its amazing, My mother found our copy of the LusasArts classic, The Secret of Monkey Island. What IS it about these nostalgic games that people go crazy over? I must say I fall victim to its charms myself. Just ask Tom - when we were at the Game On! convention at the London Science Museum, I almost had an accident when I saw some kid playing Monkey Island (albeit horribly) ... I was seething.. "USE gopher repellent ON rats!! DUH!!"

This kind of reminds me of the whole FFVII post, although there are thousands of games out there with 100x better graphics, people are suckers for the classics. Xbox360? Cool. Original Atari? NO WAY THAT'S SO SWEET!

I rest my case.

Final Fantasy

2006-12-14T20:55:00.000-05:00

Current Mood: good - the semester is over, how could I not be??
Current Music: The sabres game... GO SABRES

So I was at EB Games returning Me and My Katamari for the PSP (heck no I will not upgrade my firmware, I won't play your game Sony) and I decided I should try and see if they had Final Fantasy VIII, seeing as how my copy went missing (see the exciting conclusion later!). I asked the overly zealous EB Game employee and he replied with, " We do not have PS 1 games... if we had FF8, I would have it." Ok.....

So, I had my suspicions(hopes) that my sister had my copy, seeing as how I had her copy of X-2. I call her up and she confirms (phew!) my suspicions. We get to talking about buying old Final Fantasies. She informs me that FF VII is expensive to find... I am like really? Ebay tells no lies.

Apparently Final Fantasy VII is the most popular game of the FF series. This makes sense, look at the spin offs: The movie (Advent Children, which I highly recommend), and two spin off games, one with Vincent (Dirge of Cerberus) and the other with Reno and Rude (Crisis Core). True they never did as well as the original (kind of like Star Trek: the Next Generation), but it definitely says something. With all the new high tech graphic games out there, FF VII pushed the envelope with its cut-away scenes and killer graphical capability. True its no FF X, but it had to start somewhere...

So I look behind me and see my own copy of FF VII and smile, at least I bought it when it was only $20. .. and FF VIII is only $20.

This is why I want the Blackberry Pearl

2006-12-14T20:25:00.000-05:00

So this confirms my belief that the Blackberry Pearl is the sexiest phone out there right now. It is unlike its garage door opener-like parents, the Pearl actually looks like a phone but has all the capabilities of a Blackberry. Its sleek, sexy, and utterably geeky. Reminds me of someone I know.... Of course like any super hot device, the price tag is what is stopping me from purchasing one. Thank goodness for Ebay!

Beer Pong: A not so Sanitary Way to get Intoxicated

2006-12-12T14:10:00.000-05:00

Everyone knows beer pong (or Beruit) and how its played. According to this report... playing the game can not only get your sick due to alcohol, but also sick due to bacteria. I always knew this, but its fun to see in the paper. Now... think of playing it with quarters.. who KNOWS where those have been... ICK!

Thus: All political parties are corrupt

2006-12-12T12:23:00.000-05:00

In an article written by the National Review Online, there are reports that the US was wiretapping Princess Diana the night of her death. So if everyone remembers, Diana was killed in a car crash about 10-years ago, the report that was devleoped as a result of the investigation will be released on Thursday. So, disregarding the scintillating facts about Di and her companion, whether the driver was drunk, and if the paparazzi are to blame, let's discuss the wiretapping.

10-years ago was almost like a different time and place. Terrorism was something that happened overseas, the economy was booming, and the Democrats held the executive branch (remember Bill Clinton? the guy between the Bush's?) More importantly (in case of this story), the NSA surveillance act was non-existant.

But hark! If this story is corroborated with the report soon to be released, why was the US wiretapping Princess Diana? Di was a foreign national, if she was talking to another foreign national... well there would be some problems with us not asking British Intelligence for permission, but thats not the story here...

According to the story the US was bugging Diana's phone in relation to US billionaire Theodore Forstmann....I repeat a US citizen . Where have we heard this deabte before. Calls between a US citizen and foreign national who have a link between terorrism.... wait - Princess Diana? WHAT?

So, in order to obtain a wiretap under FISA (Foreign Intelligence Surveillance Act), the agency has to prove that whoemever they are tapping were "agents of a foreign power"which means that the "target... may ... be involved in unlawful clandestine intelligence activities, or in knowingly aiding and abetting such activities." (Judge Ellis -Secrecy News, August 2006) Although it is possible that Princess Di and Mr. Frostmann could be engaging in such activities.... its HIGHLY improbable. So, along those lines its highly improbable that the FISA court would allow such a case to be approved.... so did the Clinton administration, who has said they they ALWAYS followed FISA rules and regulations, NEVER attempted to bypasss them, ILLEGALY wiretap Princess Diana for some unforseen reason?

So (if this is true) now the Democrats can't yell at Republicans for domestic spying, theoretically they were doing the same thing. The real question is... what the heck were they looking for by wiretapping Princess Diana? At least the Bush administration says they are wiretapping for strictly terrorist related activities... Why didnt the US ask British Intelligence (we do have a special relationship with them) for their blessing?

Should be an interesting report. I love watching politicians eat their words.

Holiday Buyers' Guide 2006, Part 6: Gifts For Geeks and Gamers | Tom's Hardware

2006-12-10T12:09:00.000-05:00

Holiday Buyers' Guide 2006, Part 6: Gifts For Geeks and Gamers | Tom's Hardware: "Fossil CallerID Bluetooth Watch"

Oh man, talk about the gift for the guy/gal who has everything... I started to salivate when I saw this. The uses for this thing are gi-normous! You are on a date, your phone is ringing... you want to see who it is.. but its SO RUDE to answer your phone! Well this watch would take the guesswork out of taking that chance. At the gym (if your phone is within distance) you can stay on the treadmill instead of going to check your phone to see if you got that text. Or -my personal favorite- you are watching the hockey game and your phone is ringing/vibrating... shuffling into your purse can make you miss the all important goal... however a simple look at your watch and you can decide "They are not as important as the Stanley Cup... will call them later"

Of course, the bluetooth stack is known to have many flaws. It's already been proven that people can hack into an individuals phone via their bluetooth headset. Can we do the same now via their watch? Probably. This makes me want to get into bluetooth even more... hopefully this (coupled with the fact that the semester is almost over) will light the proverbial match under my bum.

Oh and the price? Well not too shabby. It goes on Fossils website for about $250 (free shipping yippee!) I particularly do not like the all black, being more of a silver chick myself. I would suggest trying it on at the store first and confusing the crap out of the Fossil employee by diving into security risks posed by said device.

Holiday Buyers' Guide 2006, Part 6: Gifts For Geeks and Gamers | Tom's Hardware

2006-12-10T11:59:00.000-05:00

Holiday Buyers' Guide 2006, Part 6: Gifts For Geeks and Gamers | Tom's Hardware

Remember those Mac Mini things? Yeah those were pretty hot... check this baby out too. Core duo mini pcs.... be the envy of all your friends, drag your PC with you everywhere you go. Of course -NOT- included in the price is the processor (~$200 I believe), the hard drive (depends on how much GB you want), and the RAM (~$50-100). So add about $400 to the sticker price of the abrebones kit. Whoa... almost $800, you can get a decent desktop, and SOMETIMES a laptop for $800.

True this would be nice for LAN parties and total geekdom, but like the article states, you can't have a regular graphics card in there... so you are stuck with the graphocs of the 945M chipset. That might not seem so bad, until of course your friend with the Nvidia Geforce 8800 GTX Graphics card walks in....

What a jerk.. this was supposed to be YOUR moment.

[H] Enthusiast - Gaming with the Killer NIC

2006-12-09T18:12:00.000-05:00

[H] Enthusiast - Gaming with the Killer NIC

Wow.... so your frag session can go even smooth... stupid lag... if ony World of Warcraft had these... this way people could camp better :P

Its still very expensive ($250) when you consider you can get NICs for about $10 sometimes... but I guess there are some hardcore gamers that really feel that this is -REQUIRED- in order to be leet.

Beginner's guide to wireless auditing

2006-09-19T19:48:00.000-04:00

Beginner's guide to wireless auditing
A guide to wireless auditing... I love the line,"there is no replacement for time spent reverse engineering binaries"... joy of joys does that sound fun....

FCC keeps deadline for broadband wiretap access - Computerworld

2006-05-05T09:40:00.000-04:00

FCC keeps deadline for broadband wiretap access - Computerworld I wonder what legal paper you will need to grab VoIP conversations... would that be a Title III?

2006-03-01T14:35:00.000-05:00

Your Birthdate: October 9

You are a born idealist, with more pet causes than you can count.
You prefer be around others, both when working and while relaxing.
Generous and giving, you believe you can change the world one person at a time.
You're open minded and tolerant. People feel like they can tell you anything.

Your strength: Your go-with-the-flow flexibility

Your weakness: Your flair for the over dramatic

Your power color: Pine green

Your power symbol: Circle

Your power month: September

What Does Your Birth Date Mean?

Securing an auto logon in Windows XP

2006-02-09T11:42:00.000-05:00

Securing an auto logon in Windows XP

Happy Holidays

2005-12-29T17:17:00.000-05:00

Current Mood: content
Current Music: Pioneers - Bloc Party

W00t to holidays and once again finding myself in Western New York. I am here for a much longer period of time (2 weeks) which will ensure that I will see everyone I want to see, and make my parents glad that I no longer live with them. AND... joy of joys, I am travelling straight to Tampa from here, so I cannot wait to bask in the warm sun. A nice little break before classes start again.

If I said I didnt miss anyone from DC, I would be lying to you. I'm not going to lie to you, I miss DC and my friends there. It's nice to get away from all of it, to step back and try and figure out what exactly you are doing what you hope to accomplish from whatever I left there. Hopefully I will come back resfeshed and ready to start running around like a chicken with my head cut off again. Hopefully also certain things will have been worked out...but I am not going to hold my breath.

Strangely I miss the gym, and I miss swimming, which is really weird. I have been jogging here, but that only works my legs. Still it's better than nothing.

Man I cannot wait to go back to DC... for many reasons.

Knife City

2005-12-20T14:20:00.000-05:00

Knife City Made by the Metropolitan Police in London... guess knives are a big problem over there

In computer science, a growing gender gap - The Boston Globe

2005-12-19T13:39:00.000-05:00

In computer science, a growing gender gap - The Boston Globe

It is true, there is the stereotype out there that women cannot parallel men in the CS field, which I believe is totally false. Although I am no CS major and never claim to be, I think I can hold my own and make knowledgable comments and back up my opinions on certain facets of the computer realm. I'm sure back in the day a woman laywer or firefighter was unheard of... now look at society.

Beaners....

2005-12-13T15:03:00.000-05:00

Current Mood: sad
Current Music: Precious - Depeche Mode

Heidi, the dog we had since I was in third grade was put to sleep today. It was for the best, she was very old. Still, I wish I could have been there to say goodbye, of course I say that because there really was no way for me to get there, or maybe I don't mean that....

Oh beaners I will miss you so much. It will be weird to go home and have no friend to greet me when I open the door. Someone to listen to my problems, and not tell me what I should have done, just listen.

I feel horrible for mom, she must be devasted. At least she recognized that Heidi was not happy anymore finally. Must have been her toughest choice ever.

Love you beaners, you were my first dog, I won't forget you.

Penny Arcade! - One Day In The Future

2005-12-12T22:08:00.000-05:00

Penny Arcade! - One Day In The Future

Haha.. welcome to knowing something about computers, and somehow everyone finds out....

9/11 panel faults government on cybersecurity | CNET News.com

2005-12-07T16:45:00.000-05:00

9/11 panel faults government on cybersecurity | CNET News.com

So weird because a kid in my class mentioned a roundtable discussion with some of the top minds at DefCon discussing if an attack on US cyberstructures/infrastructures is probable. All said it is (how could they say it's not, some of their jobs are to hack into 'unhackable' systems). Now this crappy report card. If I was the US's mother, I'd be pissed with such grades. It's time we stop worrying about stupid beauracratic mumbo jumbo (even if our Commander in Chief can sometimes set himself up) and work this shizzle out, yo. Let's be proactive instead of reactive.

CNN.com - Study: Coffee reduces liver risk - Dec 5, 2005

2005-12-05T23:17:00.000-05:00

CNN.com - Study: Coffee reduces liver risk - Dec 5, 2005

Yet another reason to drink coffee, so now not only does it help you lose more weight, it also reduces liver risk! Double bonus bum!

All you need to know about Xbox 360 - Computerworld

2005-11-30T06:46:00.000-05:00

All you need to know about Xbox 360 - Computerworld

Will they ever (not just Microsoft), comeout with a console that people as a whole will be blwon away with? Sequels are awesome in their own right, but never as good as the original. Talk about a paraphrase.

Yes, its 6:30am, and I am up. Hard to believe, ain't it? Can you believe I did this Monday and Tuesday as well? Conference in Gaithersburg and it takes a while (read: hour metro ride followed by a fun shuttle bus) to get there. At least I am learning?

Things are just frustrating right now as a whole. What the hootnanny is going on? Why is/isn't this happening? How come when I know I have to wake up early I stay up till 1 am working on grad school stuff? What is up with gravity? Things like that. I never have a good answer to my questions, usually I wait things out, I have learned to be patient in certain aspects, for if I jump the gun, it may be enjoyable now, but soon it will crash and burn. Yes, better to wait young grasshopper.

My first semester at grad school is wonderfully coming to an end. So much work yo. How anyone can decide they WANT to go for a PhD after this is crazy or high on drugs. Might change though... it is only first year.

And, of course, not as soon as I book my flight home I see a conference that begins the day before I head back to DC. This conference looks SUPER sweet, with training and everything (and its in Tampa). However, I cancelled my flight with travelocity once and have suffered dearly (or my mom has, which I feel by proxy), and I doubt myself or my mother would be too pleased in trying it again. If I reaaaally want to go, I have to bite down on the nail and leave home early, and swallowing the airline flight price I missed. Gr..... what to do? This goes back up to the frustrating questions section, except this time I really can't just wait it out, becuase there is a deadline. Move your ass young grasshopper!!

2005-11-25T05:33:00.000-05:00

Current Mood: happy
Current Music: "Banquet" -Bloc Party

Yes... look at that spread! Can you imagine that was created without parental supervision and with mass amounts of alcohol consumed? So great! I enjoyed Thanksgiving a lot this year, my first year not being home. Everyone was super awesome, I feel bad though because I feel alseep around 10 and never went to help clean up... hence I am up at 5:30am almost wide awake. I figured I would make breakfast for everyone tomorrow to compensate. I still wish I went home, but I did make flight reservations for Christmas. W00T!

Wanna Be a DJ? - Popular Science

2005-11-23T18:00:00.000-05:00

Wanna Be a DJ? - Popular Science

Be cool.. in your eyes at least :)

POPSCI EXCLUSIVE The 11-Year Quest to Create Disappearing Colored Bubbles - Popular Science

2005-11-23T17:23:00.000-05:00

POPSCI EXCLUSIVE The 11-Year Quest to Create Disappearing Colored Bubbles - Popular Science

Man... slashdot has some great articles today!! Colored bubbles are the shizzle yo

LaCie - Brick Desktop Hard Drive - Hi-Speed USB 2.0

2005-11-23T17:20:00.000-05:00

LaCie - Brick Desktop Hard Drive - Hi-Speed USB 2.0

This is beyond great, I am adding this to 'Things I Want'

Slashdot | Microsoft Loses $126 Per Unit on XBox 360

2005-11-23T17:18:00.000-05:00

Slashdot | Microsoft Loses $126 Per Unit on XBox 360

Tricky, tricky Microsoft... and I still think it's too expensive. Man am I cheap.

New Scientist Breaking News - Gaming fanatics show hallmarks of drug addiction

2005-11-17T03:50:00.000-05:00

New Scientist Breaking News - Gaming fanatics show hallmarks of drug addiction
I always likened Final Fantasy to cocaine....

Star Wars: Episodes�I-VI - The greatest postmodern art film ever. By Aidan Wasley

2005-11-02T10:31:00.000-05:00

Star Wars: Episodes�I-VI - The greatest postmodern art film ever. By Aidan Wasley

Star Wars on a deep level- why almost everyone can watch Star Wars. I love the reference to Pride and Prejudice.

Macleans.ca | Top Stories | Education | Bring on the geekettes

2005-11-02T00:33:00.000-05:00

Macleans.ca | Top Stories | Education | Bring on the geekettes

Call me uncaring... but I did not enter the computer field because I wanted to 'help people'. I entered it because I found it interesting. Why the #$%^ do we always fall back on these stupid stereotypes of male/females. Oh, females like being more caring and kid orientated... blah blah blah. Maybe we need to break down the generalization that men are better than women in the field... god!

The Engineer Online - Spray on sensors

2005-11-02T00:22:00.000-05:00

The Engineer Online - Spray on sensors

Well now.. this sounds a little bit like the Borg does it not? Having little microcomputer like sensors on our skin, telling us we are human and forgot to do something. I wonder if they can give us tiny electroshocks to, you know, to help us remember. Wouldn't that be great if someone could control the shocks? Ha ha, your own personal voodoo doll!