Comments on TaoSecurity Blog: Pre-Review: Penetration Tester's Open Source Toolkit
Blog author: Richard Bejtlich

Comment by Anonymous, 2005-12-25 00:08 (-05:00):

Live CDs are useful. It's nice to load up the tools when you need them and run them whenever, then revert the machine back to whatever you usually use it for. Remember, not everyone does security 100% of the time. My time is split up between 50% Windows scripting, 25% bash scripting, and maybe 25% security, which includes everything under the sun (patching, centralized AV, centralized anti-spyware, policy writing, etc.).

On a side note, if I was an evil meannie beannie and I managed to get into your network, I wouldn't bother with WHAX. I would just install rootkits on the VP's and his secretaries' machines and perhaps try to steal as many of your backup tapes as I can get my hands on.

;-0

Comment by Richard Bejtlich, 2005-12-23 11:34 (-05:00):

Hi John,

I do not personally use live CDs for any security work. I may boot a live CD in a research environment to learn about new tools that may be installed on the live CD. Then I add that tool to my own laptop. I am never comfortable doing work in someone else's environment, whether it's a live CD or a system provided by a client.

I agree that live CDs have really serious security implications inside companies. Setting a BIOS password and disabling booting from CD-ROM can help, as long as the user can't physically erase the BIOS settings.

A system running a live CD will have the same MAC, unless the live CD decides to change the MAC.

Comment by Anonymous, 2005-12-23 10:09 (-05:00):

Sounds interesting. I've started tooling around with both Auditor and Whax recently. I know of one particular Red Team that uses Whax occasionally and has experimented with Auditor. Besides mobility, what are the advantages of having these live attack CDs over adding these tools to a permanent OS? For example, Whax has a Google email enumerator called goog-mail.py. What is the advantage of having this in Whax versus just installing it on my Core 4 box? My point is, all of the tools found in Auditor and Whax are open source and can be installed on any Linux distro. I know you can install Whax to the hard drive, but it doesn't come with all the functionality of Core 4.

With that said, I see this as a potential security oversight by many sysadmins. On large-scale Windows networks like the ones I work with, I have never seen the BIOS password feature enabled. So what? Well, what is to stop an insider from bringing in a live CD like Whax and booting up their workstation with it? If the network switch has port security turned on it doesn't matter, because the box will still have the same MAC address. I may not be 100% right on that; if not, let me know. This individual has bypassed the firewall (physically) and is on the inside network. They can perform a full enumeration and footprint of the internal network. My coworker is saying to me right now, "You can install scanning software for Windows, so why would you want to waste time with the live CD?" Not true: I don't have admin rights on my Windows box, so I can't install anything. But with a live CD and boot sequence change rights, I don't need admin rights. I'm root on my box now with my own little hacker suite.

Just something to think about while you're stuffing your mouth with Christmas dinner. Ho Ho Mofo's!