Showing posts from January, 2006

Bejtlich/Bianco ShmooCon DVD

Thanks to David Bianco, I received a copy of a DVD of our ShmooCon 2006 presentation, Network Security Monitoring with Sguil (.ppt). The cover is posted at left, and clicking on it will show a larger version. I am not sure if the Feds will appreciate the Che Guevara theme the next time my security clearance is reviewed. If you want to order your own copy, you can visit . As far as I know I do not get a penny from DVD sales, unless there was some hidden clause in the form Heidi Potter asked me to sign! By the way, this blog has been on fire this month. Where are you all coming from? If you started reading this blog this month, would you mind posting a comment saying where you heard of it, and if you plan to return next month? Thank you!

Miss the Internet of the 1970s? It's still here.

Imagine the following conversation took place some time before 15 January 2001.

Alice: "Why don't we create a Web page that anyone can edit?"
Bob: "Cool. How do we prevent 'bad people' from posting 'bad things'?" [Note that "bad people" and "bad things" are entirely subjective.]
Alice: "Don't worry, people will be nice."
Bob: "What if they are not nice?"
Alice: "We'll keep track of the IP addresses people use to post content. We'll block bad IP addresses."
Bob: "What if bad people post bad content using anonymous proxy servers? What about NAT, such that hundreds of people can be using the same public IP address?"
Alice: "Don't frighten me with your sorcerer's ways."
Bob: "So what do we call this system?"
Alice: "Wikipedia!"

Now, people are shocked -- shocked I say -- when anyone can edit pages they would wish

DoD 8570.01-M Posted

Thanks to David Bianco for sending me to this article about the manual for DoD 8570.1 being posted here. The .pdf looks like a scan of a hard copy document. I couldn't search it using xpdf.

Review of Running IPv6 Posted

I just posted my five-star review of Running IPv6 by Iljitsch van Beijnum. It is so much easier to write reviews for great books! From the review: "When I read and reviewed O'Reilly's IPv6 Network Administration by Niall Richard Murphy and David Malone, I called their book "a must-have book for all network administrators." Upon seeing Apress' Running IPv6 by Iljitsch van Beijnum, I wondered if I would waste my time reading and reviewing another book on IPv6. Now I'm glad I digested Running IPv6 -- it's my first must-read book of 2006. The books are complementary, so I recommend them both." What a great book.

IPv6 Behind NAT Using FreeBSD and Miredo

Thanks to the generosity of a TaoSecurity Blog reader, I have been experimenting with a dual-stack IPv4 and IPv6 system at a university. I connect to the IPv4 address using OpenSSH. Once on the box, I can use IPv6. I've been looking for ways to connect my home network directly to IPv6. At the moment I'm using a common gateway/router to perform NAT for my cable network connection. I needed a way to provide IPv6 for systems behind the NAT. Enter Teredo and the Miredo project. Now, before you decide that I'm giving this protocol my "thumbs up," I'm going to explicitly tell you I just wanted to get the software working and use ping6. That's it for now. Teredo, which is now a draft RFC, is a Microsoft protocol. Basically you take IPv6 traffic, tunnel it in UDP, and send it to a relay server. The relay pulls off the UDP and sends the traffic using IPv6 to the destination. The process is reversed for return traffic. Obviously sending your traffic e

FreeBSD Networking over FireWire

You might be familiar with Apple's implementation of IP over FireWire. This allows connecting two computers directly over FireWire ports. FreeBSD offers two drivers that provide networking over FireWire. fwe is a non-standard protocol, but it is implemented by default in the GENERIC kernel. fwip implements RFC 2734 (IPv4 over IEEE 1394) and RFC 3146 (Transmission of IPv6 Packets over IEEE 1394 Networks); it is available via kernel module. I decided to have my laptop orr talk to my server janney using FireWire. To implement FireWire, orr uses an Adaptec DuoConnect PC Card Adapter and janney uses an Adaptec DuoConnect PCI Adapter. Both provide FireWire and USB 2.0. Each system is running FreeBSD 6.0. The laptop dmesg sees the following when the FireWire adapter is inserted.

cardbus0: CIS pointer is 0!
cardbus0: Resource not specified in CIS: id=10, size=800
cardbus0: Resource not specified in CIS: id=14, size=4000
fwohci0: mem 0x88004000-0x880047ff,0x88000000-0x88 003f

QEMU on FreeBSD, with Networking

Maybe you've heard of QEMU, an "open source processor emulator." It's not quite VMware, since there doesn't seem to be a concept of persistent state and there are definitely not snapshots. However, when I saw the variety of ready-to-run system images at , I decided to try it on FreeBSD 6.0. Luckily there are several QEMU ports. I installed emulators/qemu from the latest FreeBSD 6.0 package. I next installed emulators/kqemu-kmod using the port.

janney:/root# cd /usr/ports/emulators/kqemu-kmod
janney:/usr/ports/emulators/kqemu-kmod# make
=> kqemu-0.7.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/kqemu.
=> Attempting to fetch from
kqemu-0.7.2.tar.gz 100% of 77 kB 102 kBps
===> Extracting for kqemu-kmod-0.7.2_1
=> MD5 Checksum OK for kqemu/kqemu-0.7.2.tar.gz.
=> SHA256 Checksum OK for kqemu/kqemu-0.7.2.tar.gz.
===> Patching for kqemu-kmod-0.7.2_1
===>

Black Hat Federal 2006 Wrap-Up, Part 5

Please see part 1 for an introduction if you are reading this article separately. Next I heard Stefano Zanero discuss problems with testing intrusion detection systems. He said that researchers prefer objective means with absolute results, while users prefer subjective means with relative results. This drives the "false positive" debate. Researchers see false positives as failures of the IDS engine to work properly, while users see any problem as the fault of the whole system. Stefano mentioned work done by Giovanni Vigna and others on the Python-based Sploit, which creates exploit templates and mutant operators to test IDS'. He also cited an ICSA Labs project that doesn't appear to have made much progress developing IDS testing methodologies. Stefano said that good IDS tests must include background traffic; running an exploit on a quiet network is a waste of time. Stefano is developing a test bed for network traffic generation in the context of testing ID

Black Hat Federal 2006 Wrap-Up, Part 4

Please see part 1 for an introduction if you are reading this article separately. I finished Wednesday listening to Irby Thompson and Mathew Monroe discuss FragFS, a way to use the Windows Master File Table (MFT) on NTFS to store data covertly. The MFT can be read as a file if you open C:\$MFT as the administrator. That file can even be written to by administrators, hence the proof of concept tools "hammer.exe" and "looker.exe" provided by the presenters. Their research indicates the average MFT can store around 36 MB of hidden data, and that commercial tools neither review nor understand data hidden in the MFT. Beyond their userland implementation, the pair also wrote a Windows device driver that provides greater functionality. They will not release that code for fear of its misuse. Incidentally, prior to this talk I met Sam Stover, who gave me two FragFS stickers for my laptop. Thanks Sam. On Thursday I started with Dr. Arun Lakhotia, who explained probl

Black Hat Federal 2006 Wrap-Up, Part 3

Please see part 1 for an introduction if you are reading this article separately. Staying on the rootkit theme, I next heard Joanna Rutkowska discuss "Rootkit Hunting vs. Compromise Detection." She has done some impressive work on network-based covert channels, but she is also a rootkit guru. Joanna talked about "Explicit Compromise Detection," and the need to scan kernel memory for integrity checking. She challenged many of the ideas of traditional rootkits, such as the need to survive a reboot, the desire to hide processes, open sockets, and so on. It seems like her new DeepDoor rootkit is an all-in-one package that hooks the Windows Network Driver Interface Specification (NDIS) code by modifying four words in the NDIS data section of memory. She demonstrated her ddcli client talking to a DeepDoor'd victim. The client communicated with the server over port 445 TCP. Fair enough, but port 445 TCP was also able to handle normal SMB traffic, even with the

Black Hat Federal 2006 Wrap-Up, Part 2

Please see part 1 for an introduction if you are reading this article separately. The first technical talk I attended was presented by Mariusz Burdach, titled "Finding Digital Evidence In Physical Memory." Mariusz really needed two hours or more to give his topic justice. He started his talk by holding up DoD and DoJ manuals which recommend pulling the plug as an incident response step (argh), and he said commercial tools all focus on inspecting hard drives. Unfortunately, modern rootkits may stay in non-swappable memory pages, and will not touch the hard drive. Therefore, traditional victim hard drive forensic practices may be useless against modern techniques. Mariusz named three anti-forensic methods.

Data contraception: do not create data on the hard drive; keep everything in memory
Data hiding: keep processes from appearing in task or process lists
Data destruction: remove suspicious information on the file system

He mentioned a few cool examples. The Core Securi

Black Hat Federal 2006 Wrap-Up, Part 1

I attended two days of Black Hat Federal Briefings 2006. I paid my own way, and I must say the conference was worth every penny. If you didn't attend, I highly recommend registering for next year's conference. I spoke briefly with Jeff Moss, who said Black Hat will return to DC in February 2007 for another Federal conference. This is welcome news. I taught Foundstone's Ultimate Hacking: Expert class at Black Hat Federal 2003, which was the last Black Hat conference in DC. My summaries cannot do most of the speakers justice. I will attempt to offer highlights for most talks, along with links to relevant techniques or tools. Jeff Moss began the conference by noting its main theme: paranoia. After attending many of the sessions, I understand why. Jeff didn't want Federal to be "Las Vegas-lite," and I think he succeeded in assembling a conference that truly delivered. Dr. Linton Wells II from DoD offered the keynote. He briefly discussed the Quadrenn

Soekris Dies, What Replacement?

Yesterday the UPS powering my Soekris Net4801 died. Now the Soekris no longer finds its internal 2.5 hard drive running FreeBSD 6.0. I was able to update the BIOS using this guide and the comms/lrzsz, but it had no effect. The process was simple.

> download
Shift ~ Shift C
lsz -X b4801_128.bin

If I want to stick with the Soekris, I may try one of the OS installation options listed here. However, I'm wondering if I should just abandon the Soekris for something more powerful. I saw the 256 MB Net4801 will arrive soon, but I've been looking at these OpenBrick and newer systems. Does anyone have any recommendations for new small form factor systems? Here are my ideal requirements:

Very small and flat -- ideally something that would fit in a consultant's brief case for carrying on a plane, along with a laptop.
3 NICs, preferably one or more with Gigabit capability
Can use flash or a laptop HDD
Runs FreeBSD 6.x
Video and keyboard outputs are not required, but I

Posts BlackWorm Packet Captures

The folks at Sourcefire have done the analyst community a great service by posting traffic captures of CME-24, aka "BlackWorm". Kudos also to the Common Malware Enumeration project for providing an easy way to reference malware! Once gets going, I hope to host these sorts of captures there. Update: Check out this Sourcefire VRT analysis.

Additional Thoughts on Reviews

I received some good comments on my previous post about my reviews. A few people at Black Hat Federal yesterday asked similar questions, namely: "Why don't you post bad reviews? We think they are more helpful than good reviews." First, let's consider the definition of "bad review." I've never given a book 1 star. I've only given a few books two stars. For example, this book was awful. It's also got the highest number of fake positive reviews I've ever seen. (Many are written by people who have only reviewed the author's books, which is an indicator of being planted by the author.) The author somehow got to reject my original review. In the second review (which is now posted), I restricted my comments to quoting outrageously bad technical details that neither the author nor could deny. My reading and reviewing habits are usually contrary to posting bad reviews. I am not the typical "r

Issue 5 of (IN)SECURE Magazine Released

The new (IN)SECURE magazine is out. Issue 5 features another set of interesting articles. I plan to pay particular attention to Ivan Ristic's article on Web application firewalls. Ivan wrote modsecurity, O'Reilly's Apache Security, and the Web Security Blog. The new (IN)SECURE also gives brief but positive reviews of my two newest books, Real Digital Forensics and Extrusion Detection.

3000 Helpful Review Votes at

This morning my reviews "helpful votes" count hit 3,000. This means my reviews were considered "helpful" 3,000 times. (Conversely, 299 people thought they were not helpful. Sorry!) Thank you to everyone who answered yes to the question "Was this review helpful to you?" I reported hitting the 1,500 mark in December 2003. Since then I reviewed 62 more books, but my reviewer rank has dropped from 336 to 390. On the positive side, my average number of helpful votes per review has risen from 12 (or 1,500 / 125) to 16 (3,000 / 187). Competition is tough when many high ranking "reviewers" post several times per day, showing they only glanced at a book's contents and read the back cover. The person I have in mind when writing this, however, has received 13,236 votes for 2260 reviews. His vote-to-review ratio is less than 6, indicating his reviews are, on average, not that helpful. Justice, perhaps? I've only just s

Nepenthes Discoveries

Earlier today I posted how I installed Nepenthes. Within a few minutes I started getting hits. Monitoring with Sguil makes analysis much easier. Consider this first attack:

Sensor Name: soekris
Timestamp: 2006-01-24 18:14:34
Connection ID: .soekris_4888215984542487947
Src IP: (
Dst IP: (
Src Port: 1734
Dst Port: 80
OS Fingerprint: - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) [priority1]
OS Fingerprint: -> (distance 24, link: ethernet/modem)
SRC: GET / HTTP/1.0
SRC: Host:
SRC: Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
BQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF
...edited...
SRC: FBQUFBQUFBQQMAI4IMVwOCBAoAkEKQQpBCkEKBxFTy///86EYAAACLRTyLfAV4Ae+LTxiLXyAB6
...edited...
AwgA+A8BAPgPASOCCDkDggQRAENDQ0Mg8P1/U1ZXZoHsgACJ5ujtAA
DST: Microsof

Installing Tor

In my last post I mentioned that by default Nepenthes is configured to use Tor to carry IRC traffic. This post documents what I did to get Tor running on FreeBSD 6.0 STABLE. I installed Tor using the security/tor-devel package. Remember to set the environment variable to use the newest package.

janney:/root# pkg_add -vr tor-devel

Next I added the following to /etc/rc.conf so I could use the /usr/local/etc/rc.d/ script.

tor_enable="YES"

Next I edited /usr/local/etc/rc.d/, because I had an issue with the %%PREFIX%% specification.

janney:/usr/local/etc/rc.d# diff
26c26
< TORCTL=%%PREFIX%%/bin/torctl
---
> TORCTL=/usr/local/bin/torctl

I used the default config file.

janney:/root# cp /usr/local/etc/tor/torrc.sample /usr/local/etc/tor/torrc

I needed to create this tor data directory.

janney:/root# mkdir -p /var/db/tor/data
janney:/root# chown -R _tor:_tor /var/db/tor/data

I also needed to create this log file owned by user _tor.

janney:/root#

Nepenthes Installation

I've been interested in trying Nepenthes since I saw it added to the FreeBSD ports collection as net/nepenthes. According to the Nepenthes Web site, "Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities." I tried to install Nepenthes using the precompiled package for FreeBSD, like this:

janney:/root# setenv PACKAGESITE
janney:/root# pkg_add -vr nepenthes

I ran into two problems. First, I had to install the ftp/curl port manually since the package seemed unavailable.

cd /usr/ports/ftp/curl
make
make install

Second, and more problematic, I found that the package which offered Nepenthes 0.1.5 did not work properly. Using the package, I could not get my Nepenthes client to connect to a specific IRC channel protected by a key. I decided to install Nepenthes using the FreeBSD port. I made

Web Site Discovery with SensePost

Today I needed to discover Web sites for a client. I'll demonstrate part of my methodology here, using as a sample domain. I relied on a technique outlined in Johnny Long's Google Hacking for Penetration Testers. He mentions a SensePost tool called The script uses Google to extract sub domains and DNS names for a given domain. You have to register with SensePost to retrieve; they email a username and password once you register. The first requirement is having a license key for the Google API. You put your key into, thus:

#$key = "----YOUR GOOGLE API KEY HERE----";

Since I am running the script on FreeBSD, I realized I needed the net/p5-SOAP-Lite package. I added the latest version from the STABLE package collection. Finally I needed the file .

orr:/home/richard$ fetch
fetch: size of