Backtrack /pentest A to Z
by phil on Jun.20, 2009, under Uncategorized
This kicks off a project I’ve wanted to do for a while. Recently Backtrack 4 was released. Backtrack is a great resource for learning about security and penetration testing in general, and it has a lot of tools for performing a variety of tasks. The best feature in Backtrack 4 is the /pentest folder. It contains a lot of tools and resources but it’s a little mystifying. For the next few weeks I’m going to attempt to de-mystify and test as many of the tools as I can. To make this even more exciting I’ll be doing it from A to Z, starting with the first folder listed alphabetically and going from there. Originally I had thought of doing this folder by folder, but after looking through everything I’ll just make a judgment call about when to stop fiddling around. Some posts will cover more than one folder and other times I might only cover a tool or two.
So let’s get started shall we?
This one is an easy one. There aren’t too many Bluetooth tools here to begin with, mainly because a lot of the Bluetooth tools (such as HCI Dump) are built in to the OS.
Taking a look at blueprint, it’s a tool which allows you to profile a Bluetooth device. You tell it the Bluetooth device ID and it will spit out as much information as it can.
Bluesmash is a GUI tool designed for getting information from phones and exploiting a range of vulnerabilities. Since I don’t really have access to Bluetooth on this machine I can’t go into more detail than that. I have played with these tools in the past, but since I didn’t have a vulnerable phone available at the time I couldn’t really test the vulnerabilities.
Moving on to the CISCO folder, we see there is a selection of tools for finding and dealing with Cisco devices (what else did you expect?). To test these tools out I used GNS3 (basically a Cisco router emulator) and set up a Cisco 7200 router. It took me a while to set it up, but your best bet is to follow the tutorials at BlindHog (LINK). I won’t be supplying any image files; I’ll leave that up to the reader to find. The basic GNS3 configuration was set up like this:
Since I’m running all these tests in my lab (running VirtualBox) using an internal network, I had to run GNS3 in a virtual machine. It didn’t really give me too many problems getting it set up though.
Once I had set up the practice router I was able to test all the tools available in the cisco folder.
The first tool I took a look at was CAT, or Cisco Auditing Tool. To call it an auditing tool is a little bit of a misnomer since it’s really just a password brute-force tool which connects over the telnet port (23). It has some other features for exploiting an old IOS bug, but other than that it just takes a wordlist and attempts to guess the password. You’d be better served using something like hydra or medusa instead (we’ll get to those later on). But I have to say it did work at brute-forcing my password and successfully told me what the password was.
Cisco-Global-exploiter has some interesting functions:
However, since I didn’t have an image for any of the above cisco machines to try out I can’t really confirm if any of these work. But if you do have a cisco device and have tested this out let me know in the comments section.
Cisco-OCS simply scans for vulnerable Cisco devices. Turns out the device I was running wasn’t vulnerable: it was found, but reported as not vulnerable.
Ciscos-1.3 does the same as CAT, but instead of trying multiple passwords it simply tries to connect to every IP using the default password ‘cisco’.
And finally we’ve got copy-router-config. This one really isn’t too hard to guess. Just start up the tftpd daemon in Backtrack and, provided you know the community name (an SNMP thing), it will pull out the full config, letting you analyze it later and identify any weaknesses in the config.
And so ends part 1 of our series. As part of this series I’m also going to tell you how I put together my practice lab, and give a list of other tools that you can use in Windows which are not included on the Backtrack CD.
A good read through the Astalavista.com hack log
by admin on Jun.09, 2009, under Uncategorized
If you’ve been reading the news recently in the IT security world you’d know that the website Astalavista was recently hacked. Usually I don’t care too much about these activities; websites get hacked all the damn time and it’s never really a big deal. But what makes this case special is that whoever did the attack decided to paste their entire log online.
First some quick history. A while ago a website called Astalavista.box.sk came about to allow people easy access to security files and cracks.
At its start in 1994, it was one of the first search engines for computer security related information. In reality it turned out to be used as a search engine for security exploits, software for use in hacking and cracking, and different key generators and software cracks. The site is also known for referencing things such as spyware and viruses. Because of this, the website is known to possibly contain data, links, downloadable files, and information some users would consider spyware, adware, or other unwanted programs.
Thriving off of the success of Astalavista.box.sk, another site came along: Astalavista.com. This site was really just a rip-off of Astalavista masking itself as a security ‘community’. From their own site:
Astalavista.com – the hacking & security community, is one of the world’s most popular and comprehensive computer security web sites. Astalavista.com was originally founded in 1997, by a hacker computer enthusiast. The name of the site came from the unforgettable line in the Terminator 2 movie – “Hasta La Vista Baby”. Since then, the site became the underground’s most respected and well maintained community for anything you ever wanted to know about security. The enormous database, the constant updates, the unique nature of the content published, the new services and features, all offered for free, turned Astalavista.com into what it is today – a cult!
It wasn’t until recently that a group known as Anti.sec decided they had had enough of Astalavista.com and decided to see what they could do. Most obviously they got in (using a 0day exploit, no less). But what was interesting about this case was to see how easy it is to go from:
Exploit -> Command Line access -> Local Exploit -> Root Access
But what was even scarier is to see how common tools unix admins use on a daily basis (and current configurations) can be used against them to expose weaknesses not only in their local machines but in a whole host of machines. Especially when we’re talking about CMS sites.
Let’s start with how they got in. There’s not much here (because the log is purposefully vague at this point, to keep the script kiddies at bay), but basically they used a 0day (or unknown) exploit against their Light Speed HTTP daemon. Once they had access to the server they were logged in as the ‘apache’ user. This user doesn’t have many rights other than reading websites. So using a local privilege escalation exploit they gained local root access. This is pretty much the end of this machine. Once someone has escalated their privileges to root they ‘own’ the box. They can install rootkits, keyloggers, bots, deface websites etc. etc. And normally the hack would end here. But being the industrious kids they are, they proceeded to poke holes in the rest of the site’s security. A quick scan through the ‘history’ log shows every command someone ran. Whoever the admin was for this machine felt it was necessary to log on to their database server passing the password through the command line:
mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
But the password stealing doesn’t end there. Peppered throughout the site are PHP scripts used to connect to the database. These scripts are normally used by content management systems (such as WordPress or cPanel) and because they are database driven they obviously need access to the database. You can see above that at least the account wasn’t the ‘root’ account, the admin account in MySQL; a separate account was used instead. At least they didn’t get the admin account…
sh-3.2# cat .my.cnf
[client]
user=da_admin
password=X9dctmRH
Oh, never mind. You see, the above file (.my.cnf) is a MySQL configuration file. Some programs let you put this file in your home directory to make it easier on you when logging in to the server. The problem: it stores your password in plaintext. For an IT security website they sure don’t practice good security. And ‘da_admin’, really?
But it gets worse. Through reading a bunch of files the group found a file used for backups. Normally this would be a good thing, showing prudence on the part of the administrators in properly conducting backups. The problem? The file was a simple shell script which connected to an FTP server and uploaded the backups:
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";
As you can see the attacker has yet another password. Now in the log the attacker simply logs on to this server to see what’s there. Presumably they’re just after astalavista.com. In reality I’d be surprised if they didn’t log on to that server as well using SSH (because nowadays most systems are segregated when it comes to FTP and user logon). And, as demonstrated above, it is trivial to escalate privileges once you have local command line access.
So armed with this information the attackers knew the following:
- Astalavista.com website files, scripts, forums and content
- The Database Admin username and password
- The backup location (and access to the backups)
Without using much of your imagination you can guess what they did next:
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;
Basically they did the following:
- Delete the local website, scripts and pages
- Delete the temp, test and logs
- Delete the user folders
- Connected to the FTP backup site and deleted the backups
- Connected to the Database and dropped all the website database tables
They removed every trace of this website.
What can you learn from this? There are a couple of things:
- Don’t store your passwords in plaintext
- Segregate your database access on a user basis
- Keep your current systems up to date with patches and security
- Do not push your backups but instead force the backup server to pull the information
- Never pass passwords through the commandline
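As an added example (not from the original post or the leaked log), here is a small audit script in the spirit of the lessons above. It runs against constructed sample files that mirror the three habits the log exposed: a MySQL password on the command line left in shell history, a plaintext .my.cnf readable by other users, and a password hard-coded in a push-style backup script. Paths, hostnames and passwords in it are invented; only the usernames echo the post.

```shell
#!/usr/bin/env bash
# Audit for the three credential-handling mistakes the Astalavista log shows:
# a MySQL password passed on the command line (so it lands in shell history),
# a plaintext .my.cnf that other users can read, and a password hard-coded in
# a backup script. Everything runs against constructed sample files in a
# scratch directory; no real hosts or credentials are involved.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed samples (usernames echo the post, passwords are invented) ---
HIST="$WORK/bash_history"
cat > "$HIST" <<'EOF'
ls -la /var/www
mysql -h 127.0.0.1 -ucontrexxuser2 -pS3cretExample com_contrexx2_live < dump.sql
mysql -u da_admin -p
mysqldump --user=backup --password=B4ckupPass com_contrexx2 > db.sql
tar czf site.tgz /var/www
EOF

MYCNF="$WORK/.my.cnf"
printf '[client]\nuser=da_admin\npassword=ExampleCnfPassword\n' > "$MYCNF"
chmod 644 "$MYCNF"   # a typical default: group and others can read it

BACKUP_SCRIPT="$WORK/backup.sh"
cat > "$BACKUP_SCRIPT" <<'EOF'
# ftp push to the backup server (constructed; same shape as the leaked one)
FTP_HOST="backup.example.invalid"
FTP_PORT="21"
FTP_USER="siteuser"
FTP_PASS="ExamplePushPassword"
FTP_DIR="/site"
EOF

# Count history lines where a MySQL client received its password inline,
# as -pSECRET or --password=SECRET. A bare -p (interactive prompt) is fine
# and is not counted.
count_cli_passwords() {
    local n
    n=$(grep -Ec '(^|[[:space:]])(mysql|mysqldump|mysqladmin)[[:space:]].*[[:space:]](-p[^[:space:]]+|--password=[^[:space:]]+)' "$1") || true
    echo "${n:-0}"
}

# Exit 0 if the file grants any permission to group or others. Reads the
# ls(1) mode string, which has the same layout on GNU and BSD userlands.
is_group_or_world_accessible() {
    local mode
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" != "------" ]
}

# Count shell-style assignments of a non-empty value to a variable whose
# name looks like a secret (FTP_PASS=, password=, DB_TOKEN=, ...). An empty
# assignment such as FTP_PASS="" (filled in at run time) is not counted.
count_hardcoded_secrets() {
    local n re
    re="^[[:space:]]*(export[[:space:]]+)?[A-Za-z_]*(pass|secret|token)[A-Za-z_]*=[\"']?[^\"'[:space:]]+"
    n=$(grep -Eic "$re" "$1") || true
    echo "${n:-0}"
}

# Run all three checks: human-readable findings go to stderr, the total
# number of findings to stdout so callers can act on it.
audit() {
    local hist=$1 mycnf=$2 script=$3 total=0 n
    n=$(count_cli_passwords "$hist")
    if [ "$n" -gt 0 ]; then
        echo "$n inline MySQL password(s) in $hist; rotate them and scrub the history" >&2
    fi
    total=$((total + n))
    if is_group_or_world_accessible "$mycnf"; then
        echo "$mycnf is readable by group/others and holds a plaintext password" >&2
        total=$((total + 1))
    fi
    n=$(count_hardcoded_secrets "$script")
    if [ "$n" -gt 0 ]; then
        echo "$n hard-coded secret(s) in $script; a pull from the backup host avoids storing them here" >&2
    fi
    total=$((total + n))
    echo "$total"
}

# The one finding that is a pure permissions fix: make .my.cnf owner-only.
# The other two need credential rotation and a change of process.
lock_down_mycnf() {
    chmod 600 "$1"
}

before=$(audit "$HIST" "$MYCNF" "$BACKUP_SCRIPT")
lock_down_mycnf "$MYCNF"
after=$(audit "$HIST" "$MYCNF" "$BACKUP_SCRIPT" 2>/dev/null)
echo "findings before: $before, after chmod 600 .my.cnf: $after"   # 4 then 3
```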
All in all an impressive display and interesting log to read through.
Update: The attackers also went after one of the individuals who was researching this attack. You can see his log here. Basically they used an SSH attack to gain access, found a boatload of passwords on the machine, accessed the database, dropped the database and deleted the entire file system. Still interesting.
Fannie Mae Deals with Logic Bomb
by phil on Jan.30, 2009, under Uncategorized
A colleague of mine sent me an interesting article today from CIO.com, which was based off of this DC Examiner entry. While short on details, the article was about how a programmer at Fannie Mae was able to place a logic bomb in some code which:
“would have reduced if not shut down operations at Fannie Mae for at least a week. The total damage would include cleaning out and restoring of 4,000 servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”
According to the actual FBI complaint it would appear that the engineer, Makwana, was highly proficient at programming UNIX shell scripts. The complaint claims that Makwana’s program was set to run on January 31, 2009. It would lock out the root account, disable all other accounts, find other servers on the network, copy itself over to those servers, then zero out (write the byte 0 to the hard drive platters) the root partition. It was also set up to remove any records of Makwana’s account access.
At worst this would’ve cost Fannie Mae a week’s worth of downtime, as they would be forced to restore from backup. They might lose some customer data if databases running on their Unix servers were destroyed, but at most it would be a day or two old.
Another interesting part of the complaint is the fact that Makwana was terminated on the 24th of October at 1pm. His computer access was still active until the end of the day (or even longer).
What the FBI complaint describes is a logic bomb. A logic bomb is a program, script or piece of hidden code that is set to activate (or explode, like a bomb) after a certain event happens.
Wikipedia:
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met
Logic bombs are something every company needs to be wary of. Proper segregation of duties, code review, appropriate code testing and well trained system engineers can help catch logic bombs before they go off.
However, I wanted to comment on this last bit from the CIO article:
“The disgruntled employee is a real issue, and firms need to be thinking carefully about security issues, such as changing passwords and access control, in situations of layoffs, Cluley noted.”
While true, this has nothing to do with logic bombs and doesn’t reflect what happened at Fannie Mae. The real controls that are in place to help fight (or recover from) logic bombs are:
- Proper Segregation of Duties
- Good backup and recovery controls and testing
- Code review
- Proper change management for Unix scripts
- Disabling of accounts in a timely manner
- Script Reviews
- Monitoring Controls
You have the power to shut down your enemies internet.
by phil on Nov.22, 2008, under Uncategorized
Note: It is illegal in some areas to forge emails. I am not telling you to go out and do this, it is merely a thought exercise. Use this information at your own risk. You have been warned.
Over the years there have been technological attempts to kick people off the internet: DoS, DDoS, modem hacks, netsplits etc. etc. But these are temporary; eventually your DoS will get blackholed, your userid will get k-lined, your botnets compromised. And worst of all your enemy won’t have to do anything about it; the ISP will be the one suffering trying to fix the problem, while they just sit back and wait for the damage to subside. Until I devised this devious ploy.

In an attempt to combat piracy and copyright infringement, groups such as the RIAA, MPAA and ESA have begun monitoring public torrents. They record the IPs of those who are downloading/uploading the torrent, then (automatically, I assume) email the ISP with a standard form letter similar to this:
Entertainment Software Association
575 7th Street, NW, Suite 300
Washington, DC 20004 USA
Attention: Intellectual Property Enforcement
Telephone: 202-223-2400
E-mail: mailto:esa@copyright-compliance.com?subject=RE
8 Feb 2008 00:58:24 GMT
ISP: Rogers Cable Communications Inc.
ESA Reference Number: xxxxxxxxxxxxxx
Dear Rogers Cable Communications Inc.:
The Entertainment Software Association (ESA) is a trade association that represents the intellectual property interests of numerous companies that publish interactive games for video game consoles, personal computers, handheld devices and the Internet in the United States of America, in Canada, and in other countries (collectively referred to as ESA members). ESA is authorized to act on behalf of ESA members whose copyright and other intellectual property rights it believes to be infringed as described herein.
ESA is providing this letter of notification to make Rogers Cable Communications Inc. aware of material on its network or system that infringes the exclusive copyright rights of and is unlawful towards one or more ESA members.
ESA members are entitled to the full protection of Canadian intellectual property laws, including the Copyright Act, R.S.C. 1985, c. C-42, as amended, in such entertainment software products.
Based on the information at its disposal on 7 Feb 2008 23:47:26 GMT, ESA has a good faith belief that xxxxxxxx infringes the rights of one or more ESA members by offering for sale or download unauthorized copies of game products protected by copyright, or offering for sale or download material that is the subject of infringing activities. The copyrighted works that have been infringed include but are not limited to:
Title: Hellgate: London
Infringement Source: BitTorrent
Infringement Timestamp: 7 Feb 2008 23:47:26 GMT
Infringement Last Documented: 7 Feb 2008 23:47:26 GMT
Infringer Username:
Infringing Filename: Hellgate London
Infringing Filesize: 7382154331
Infringer IP Address: xxxxxxxxxxxxx
Infringer DNS Name: xxxxxxxxxxxx
Infringing URL: XXXXXXXXXXXX
The unauthorized copies of such game product(s) or the material that is the subject of infringing activities appears on or is made available through xxxxxxxxx. Those items are listed and/or identified thereon by their titles or variations thereof, game-related listings/references/descriptions, or depictions of game-related artwork. Such copies, titles, game-related listings/references/descriptions, depictions, and material that is the subject of infringing activities, are hereinafter referred to as “Infringing Material.”
Accordingly, ESA hereby requests Rogers Cable Communications Inc. to immediately do the following:
1. Notify the account holder of the Infringing Material.
2. Remove, or disable access to, the Infringing Material detailed above.
3. Take appropriate action against the account holder under your Abuse Policy/Terms of Service Agreement, including termination of a repeat offender.
Please inform us whether you will remove or disable access to the Infringing Material as requested. Rogers Cable Communications Inc. or the account holder may contact ESA at the above-listed contact details, with email preferred. Please include the above-noted Reference Number in the subject line of all email correspondence.
Thank you for your cooperation and prompt response in this matter.
Sincerely,
Intellectual Property Enforcement
Entertainment Software Association
What will usually occur is the ISP will send you a standard email or letter listing out the AUP, which will invariably have a section about copyright infringement. The problem with this is that the ISP usually has a three-strikes-you’re-out rule. So you get three infringement letters and you get cut off.
Those sneakier than I will have already realized that by figuring out your enemy’s IP address all you’ll need to do is send a handful of emails to get someone cut off from the internet. There’s very little verification that goes on when it comes to the ISPs checking if you actually caused the infringement, so next time you need to get rid of someone, search Google for ‘copyright infringement letter’ and copy and paste the letter, making sure to include their IP address as the one you recorded. Do this a couple of times and your enemy will have to spend at least a week getting a new internet connection set up. In some places he won’t even be able to get high-speed again because Comcast or COX or whomever might be the only players in town.

Update: You might want to actually spoof your email address before you send this. I won’t write an article about it because it’s so trivial, but let me google that for you.
Goodbye OLPC hello TVC!
by phil on Nov.04, 2008, under Uncategorized
So I’ve been re-reading a favorite book of mine by Neal Stephenson, The Diamond Age, or better known as “A Young Lady’s Illustrated Primer”, and as always I got the urge to look up the OLPC. When I first heard about the OLPC I was very excited about the project. Having watched the project fall behind, cost twice as much as it was supposed to, pander to countries who want Windows XP for cheap and watch Intel come in and undermine the whole project, I was delighted to hear about the $12 computer for education. I heard about it over the summer and promptly forgot about it. That was until recently, when I started thinking about the project again.
Yes that’s an NES
The project is called Playpower.org. The idea is that a Victor-70 (an NES with a keyboard and mouse) could be used to teach people at a fraction of the cost. The unit itself costs $12 USD. Since you can purchase a TV for $27 in India (and most families already have one) it makes a lot more sense than giving kids a laptop for them to lose, sell etc. It also harkens back to the days when your dad brought home the C64 and you learned everything the hard way. I honestly feel this can succeed where OLPC has failed.
I’m not a programmer any longer, though I used to be; nor am I a hardware hacker, though I’d love to be. That’s the reason I’m posting here: to raise awareness of this project. The more people that are aware of this project and can help with it, the better.
Since there’s no History section on their site I’ll throw one together here (from what I’ve been able to gather on the internet, so it might not be correct at all): Back in the summer of ’08 Derek Lomas (see the whole team here) and others participated in what is known as the International Design for Development Summit. Derek’s team posited that you could use the pirated Famiclones (legal pirate copies of the original Famicom with keyboard) to help teach children. Couple it with an internet connection (or a wireless connection) and they have access to a wealth of information. They wrote a lengthy article about the idea.
From their site:
Overview
The Playpower Foundation is creating a platform for 8-bit learning games in order to improve education for millions of children worldwide. We are using radically affordable TV-connected computers – public domain hardware clones of the Nintendo Entertainment System®/Famicom®, which are packaged with a keyboard and mouse for $12. Our goal is to create original 8-bit learning software and distribute it through low-cost hardware.
A Global Problem
There are millions of children around the world who are unable to afford the most basic education. This dampens economic growth, reduces political freedom, increases disease, and propagates ignorance and war. Computer-Aided Learning (CAL) is one solution that has been demonstrated to be an effective way of improving education in developing countries. However, even the most inexpensive computers cost more than US$100, making them unaffordable to the billions of people around the world who could most benefit from CAL.
An 8-Bit Solution
Playpower is creating an ultra-affordable educational computer using a 25-year old computer chip technology (currently in production for video games). “The $12 computer,” as the press has appropriately labeled it, is a keyboard, mouse, and processor that connects to a TV screen and takes 1980’s era 8-bit cartridges. Playpower’s goal is to discover and develop effective learning games for these $12 computers—games that help build the basic skills that can dramatically enhance a person’s economic opportunities. We have found that in countries like Ghana, skills as elementary as learning to type can mean the difference between making $1 per day to $1 per hour. And a child who learns computer programming skills—from any background and in any country—stands to have a world of opportunities available to them.
Our initial research shows that an 8-bit computer is powerful enough to be engaging and effective at building basic skills in reading, writing, mathematics, science and other subjects such as computer programming. With clever puzzles, traditional video games, and text-based simulations, 8-bit computers can additionally teach skills such as creative problem solving, critical thinking, logic, and entrepreneurship. So let’s go 8-bit!
Who We Are
Playpower is a non-profit organization composed of individuals from India, Ghana, Brazil, Canada and the USA. Our largest working group is based in San Diego, at the California Institute of Telecommunications and Information Technology, at UC San Diego. Playpower received substantial support at MIT, during the International Development Design Summit (IDDS) in the summer of 2008.
More About the $12 Computer
The Playpower platform is based on the Nintendo Entertainment System (NES), a 25-year old technology that now occupies the public domain (hardware patents expire after 20 years). Dozens of manufacturers are actively producing clones of the NES that come with a mouse, game controllers and a full keyboard. These computers are commonly packaged with educational content such as BASIC programming as well as typing, math, and English language learning games. Cartridges often contain hundreds of software titles and plug directly into the keyboard (a self-enclosed unit which contains the processor and video card).
One of the major advantages of this platform is that it utilizes a TV as a monitor. This dramatically reduces costs for families whom already own a TV. Television sets are increasingly common in developing countries. Interestingly, in spite of the fact that two-thirds of India lives on less than a $1 per day, more than half own a set. Utilizing a TV for learning games also creates the potential for social learning experiences that are centered around groups of friends and family.
Why?
At Playpower, we know that education is vitally important for a prosperous and peaceful global society. Computer-aided learning holds a great deal of promise as a supplement to traditional teacher-based education. In many countries, public schools are in a very poor state. For instance, researchers have found that the teacher attendance rate averages seventy-five percent in India. This means that teachers often fail to show up to school! As a result, those families who can afford it are forced to pay for public schools or tutors but so many cannot. And in spite of great efforts to improve public schools, these efforts take enormous amounts of funding and the schools have often been resistant to change. Computer-Aided Learning demonstrates the promise of supplemental education because it scales more effectively than training quality teachers. And since there is already a significant market for supplemental education, we intend to introduce a better product that will assist parents and ensure their children receive quality instruction.
Affordable, educational computers could provide significant value to millions of people around the world who currently have insufficient access to education.
A different unit hooked in to a TV
Someone who works on this project has said that the intent of the project is to get, at the very least, a machine with an included/built-in keyboard that can be used to teach basic (BASIC) programming to people who otherwise wouldn’t have access for one reason or another. From there it will be used as a platform for educational software by creating a relatively straightforward tool-chain to create and publish content for the machine. Ideally the content would eventually be created primarily by and for communities that wouldn’t otherwise have access to a platform for software publishing.
Some questions that have come up concern the distribution of software. In the short term they’re talking about using flash drives. The first thought that comes to mind is the recently released PowerPak. It allows you to add NES software which can then be played using the NES/Famiclones.

There is one problem with using this item: it is prohibitively expensive. At last check they wanted $135.00 USD for the unit plus shipping, which is a little bit overboard.
So, if you’re interested you can read more at their website: http://playpower.org
They have a wiki set up at: http://dev.playpower.org/tiki-index.php and a Google Groups set up.
How can you help? You can help by contributing in the following areas:
- Work on some aspect of our Current Task Breakdown
- Coding 8-bit games
- Making 8-bit Music
- Making 8-bit Graphics
- Designing 8-bit Learning Games (interaction design)
- Developing Reusable Game Frameworks
- Contributing to our Open-Source Development Environment
- Helping to Make this easy!
Honestly I hope this works out better than the OLPC project did. At least you can’t install Windows XP on an 8-bit machine (though you can install Lunix, yes Lunix not Linux) so this project won’t be bogged down by requests to ‘make it run Windows’.
The Hunt
by phil on Aug.07, 2008, under Security
Last night I got a request from a friend for help dealing with someone sending harassing emails. He wanted to know how hard it would be to trace back someone’s IP to find out who they are. All I knew was that the person used a Hotmail address to send the email, so I asked for the email headers from the original email. Email headers are a part of every single email and are basically a log of how that email got from that person to you. Luckily Hotmail adds something special to the email headers: X-Originating-IP.
X-Originating-IP: The IP address of the computer on which the email originated.
When you use a web based email service like Hotmail, Yahoo! or Gmail they add the X-Originating-IP to the email headers. Most people think they can simply create a fake account on one of these web based email services and they are completely anonymous. There are ways to make it anonymous, but I’ll get to those later.
With email headers in hand I went to my favorite web resource: Domain Dossier at CentralOps.net. It gives me a wealth of information while keeping my IP out of the logs, and it combines all the lookups I would do by hand (nslookup, traceroute, whois, nmap etc.) in one click.
It takes about 10 seconds to run through the whole search. After reading through the report I saw the person had a web server running on port 80 (Ubuntu, if you must know). So the first thing I did was fire up Firefox and see if they had a website. I was hoping they would be hosting their own personal website and that would be the end of this. When the site loaded I was greeted with the words “Holder Page”. No formatting, just those words. But having the server running gave me some hope. So I fired up my copy of Backtrack (I have a love-hate relationship with Backtrack, see my previous entry) and ran the tool Nikto.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
It gave me a plethora of lovely information. Not much at first but I just let it run for an hour.
After waiting for the scan to finish I noticed something interesting. The web server had a folder sitting off of root called pics. I went back to firefox, typed in the IP of our harrassers IP and added /pics/ to the end. Since indexing was still enabled on the server (which should really be turned off people) I was able to get a listing of all the pictures this person was “secretly” sharing with the rest of the world. I saved all the pictures to my hard drive and sent them off to my friend who was able to identify the person sending the harassing emails and confront him with the evidence I put together for him in.
How could all of this have been avoided?
It's really simple to avoid this sort of thing, and I'm just going to give a quick listing:
Use Tor. Tor, while slow, would have put a Tor exit node's address in the headers instead of his own, and the trail would have stopped there.
Use a library or a school. While it would have given me the person's school or approximate location, my searches would have ended there.
Don't run your own web server on the same connection you're sending harassing emails from. Doubly so if you're going to store pictures on that server.
Use a web service that doesn't log X-Originating-IP. I won't tell you where you can find these, but Google is a good resource.
Don't send harassing emails to people you know.
Update: According to my friend, once he brought some of the evidence I sent him to the person we suspected of sending the email, he confessed. Mission accomplished!
Your IT Auditor Sucks
by phil on Jul.10, 2008, under Uncategorized
So a friend of mine sent me a link to a small article on ZD net. The article contained an interesting quip about someone setting up a website to rate auditors: ratemyauditor.com.
After thinking about it for a bit I realized how awful an idea it is. Rate my auditor is either the worst idea (if it is not an anonymous service) or the worst idea (if it does allow anonymous comments) I've ever heard. People hate being audited, no matter what, especially IT audits. Why? Because IT people put a lot of blood, sweat and tears into making sure a system works. The audit firm sends in a 20-year-old with a 10-page checklist telling him exactly what to look at. There's no context, no risk evaluation; just a kid with a checklist, and if one of those checks fails then, at best, the IT department has a meeting with the execs and, at worst, it gets outsourced to India. (I'm obviously going a little overboard here.) This also makes dealing with the IT department very difficult, as they have to defend every decision made against a checklist. It shouldn't be like this, but this is what happens because a subject matter expert who knows Unix cold costs $250 an hour while an intern only costs $80. So of course you get an IT guy, who already knows his way around the internet, pissed off because the auditors don't know the difference between CONSOLE and FTPACCESS. So what is he to do? He could complain to management, but they likely won't listen. He can't complain to the auditors. So he will go online and sound off on some website saying that the people at firm XYZ don't know anything about Unix. If another company starts looking and finds out that firm XYZ doesn't know Unix, then how can that company faithfully rely on a SAS 70 report which specifically tested Unix logical access controls?
This could go the other way too. A lot of IT folks, especially in smaller shops or shops that have grown organically, don't understand what being audited means, why SOX matters to them and what controls are. All they know is that people have access, security is pretty tight and things just work. It can be very frustrating for them when they're told that the lockout threshold should have been set to 3 instead of the 8 they have set now. They can't argue against the auditor. They can't complain to management, so they will go online and write that firm ABC doesn't understand how their IT works. Since it is all anonymous it doesn't matter how long a diatribe they write.
Now the other side, non-anonymous comments (i.e. so-and-so from company GDC), wouldn't work either. People are not going to complain, because the second a partner finds out John complained he's going to call his friend on the audit committee and John is going to be having a meeting with an executive. Executives probably won't complain either, because they would be concerned about the image it gives their company *and* the strain it would put on their relationships with partners.
Finally, I doubt it would ever contain any negative ratings, because the second a firm finds out about a negative rating they'll sic their law firm on the site to get the comment removed. All in all I prefer the current method of allowing clients to review your performance in private and sending that to the partner level, which helps decide their bonus. This way crap auditors get to learn they're crap (supposedly) and can learn how to improve, instead of never hearing the complaint until they stumble on ratemyauditor.com.
Eh tu Brutus? Medusa vs the Hydra
by phil on Jun.01, 2008, under Security
To follow up the rousing discussion about Microsoft’s COFEE (thanks Peter!) I thought I would bring to you the marvelous world of brute forcing logons. On linux there are two wonderful tools for brute forcing multiple protocols: THC-Hydra and Medusa.
THC-Hydra, made by The Hacker's Choice, was really the first brute-forcing pentest tool with multiple threads and multiple protocols. The most recent version was updated two years ago. You can find the most recent version and more information here: http://freeworld.thc.org/thc-hydra/
Medusa was made by Foofus. It was built because the developer wasn't happy with the way THC-Hydra handled threading. The most recent version is about a year old. You can find more information here: http://www.foofus.net/jmk/medusa/medusa.html
Both tools fundamentally do the same thing: they let you specify a username (or supply a list of usernames) and a list of passwords to test against a given protocol. For this test we're going to try to brute-force the user 'Brutus' on the local machine over SSH.
One little caveat, I went into this task assuming that Medusa would leave THC-Hydra’s stone corpse sinking to the bottom of the ocean.
The Setup
To test each tool I installed Vector Linux in a new VMware image. Vector Linux is a great lightweight Linux distribution based on Slackware, made for older machines, and is really fast.
Compiling
I compiled each tool from source by issuing the ol' './configure, make' and running the compiled binaries. This is where I hit my first snag with THC-Hydra. Vector Linux comes with only the newest version of the SSH libraries. After working on it for about an hour I was finally able to force it to use a downloaded older version of the libraries. Medusa, however, uses the newer libraries and compiled without any hiccups. Each tool, though, has its own set of dependencies for the various brute-forcing options. For example, in Medusa you would need extra libraries to brute-force Subversion (SVN) logons.
Testing the tools
Hydra and Medusa have their own syntax, but they are very similar. To run the test with Hydra I entered the following command:
./hydra -l brutus -P /home/grassmunk/dict.txt 192.168.1.130 ssh
The Hydra command works like this: -l is the username you want to test, in this case 'brutus' (the lowercase -l takes a single login; uppercase -L would take a file of logins, mirroring -p/-P for passwords). -P is the password file you want to use. Once you've established the username(s) and passwords to test, you simply tell Hydra which server to target, in this case 192.168.1.130, and the protocol to use, which was ssh.
Here’s where I hit my second snag.
./hydra: error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory
So even though it compiled fine, it wasn't able to locate the library file. I copied that damn file everywhere, but to no avail.
To test Medusa I entered the following command:
./medusa -h 192.168.1.130 -u brutus -P /home/grassmunk/dict.txt -M ssh
As you can see the syntax is very similar: -u is the username, -P is the password file (as with Hydra, the lowercase -p takes a single password and the uppercase -P a file of them) and -M is the protocol to use, which Medusa calls a 'module'.
This is where I hit my first problem with Medusa: after running the command it crashed and spat out this lovely debug information:

It was at this point I was about ready to give up. Neither of these tools was really usable for testing SSH brute-forcing: one needed old SSH libraries to work and the other crashed and burned on first use.
Seeing as this might be due to Vector Linux I tried each tool in BackTrack. BackTrack is a pentesters Linux livecd distribution. It has a lot of tools you can use to scan, test and break into systems. You can find it here: http://www.remote-exploit.org/backtrack.html
With BackTrack loaded I was able to test each tool, and the outcomes were astounding! For a newer and supposedly better tool, Medusa was the slowest and least usable of the two. Medusa would fail after 4 or 5 logon attempts. Initially I thought this was due to my configuration of SSH, but THC-Hydra had no problems blowing through 42 logons every second.
I also tested FTP on Vector Linux, which worked in both tools, and the results were exactly the same: THC-Hydra runs flawlessly while Medusa stops after a handful of logons.
Conclusion
When I first discovered Medusa I was really excited. It sounded like a faster and newer tool than THC-Hydra, but in the end The Hacker's Choice really stands true. It's the best, fastest and easiest-to-use tool out there.
Note: I also tested a tool included with BackTrack called SSHater. I can't say how disappointed I was with this tool. When I set up the server I picked a password and put it in at about the 900th position in the list so I could see what happened when the tool returned a positive. SSHater tested every password with multiple errors, passed my password without even blinking and continued on. I waited until the tool went through every password and it didn't even say anything. As far as I could tell SSHater just lists the passwords and a bunch of errors. I didn't bother looking at the SSH log to see if it was actually trying to initiate connections, though.
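The Hydra and Medusa runs above look like this from the target's side, and the SSH log is where you would confirm whether SSHater was connecting at all. The following is an added example, not from the post or any of the tools: a small detector over a constructed sshd auth.log excerpt (hostnames, PIDs and addresses are placeholders) that flags a source address with a burst of failed passwords and notes whether a login from it later succeeded. Each attempt lands on its own line with a fresh source port because sshd's MaxAuthTries (default 6) caps the guesses a single connection may make, so a tool working through hundreds of passwords has to keep reconnecting.

```python
"""Flag password brute-forcing in sshd's auth log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: what the target's syslog shows while a tool
# hammers user 'brutus'.  Hostnames, PIDs and addresses are placeholders; the
# final pam_unix line is there to show the parser ignoring unrelated lines.
SAMPLE_LOG = """\
Jun  1 14:02:01 target sshd[2201]: Failed password for brutus from 192.168.1.10 port 40001 ssh2
Jun  1 14:02:01 target sshd[2202]: Failed password for brutus from 192.168.1.10 port 40002 ssh2
Jun  1 14:02:02 target sshd[2203]: Failed password for invalid user admin from 192.168.1.10 port 40003 ssh2
Jun  1 14:02:02 target sshd[2204]: Failed password for root from 192.168.1.10 port 40004 ssh2
Jun  1 14:02:03 target sshd[2205]: Failed password for brutus from 192.168.1.10 port 40005 ssh2
Jun  1 14:02:04 target sshd[2206]: Failed password for brutus from 192.168.1.10 port 40006 ssh2
Jun  1 14:02:05 target sshd[2207]: Accepted password for brutus from 192.168.1.10 port 40007 ssh2
Jun  1 14:05:00 target sshd[2301]: Failed password for brutus from 192.168.1.77 port 50010 ssh2
Jun  1 14:05:01 target sshd[2302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.77  user=brutus
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line):
    """Return a dict for Failed/Accepted lines, None for anything else.
    Classic syslog timestamps carry no year, so they parse as year 1900;
    fine for windowing inside one log, not across a year boundary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=60):
    """Report each source IP with >= threshold failures inside any
    window-second span, plus any user that later logged in from it."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "Failed"]
        # Sliding window: longest run of failures whose span fits in window.
        burst, j = 0, 0
        for i in range(len(fails)):
            while (j < len(fails) and
                   (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window):
                j += 1
            burst = max(burst, j - i)
        if burst < threshold:
            continue
        first_fail = fails[0]["ts"]
        got_in = sorted({e["user"] for e in events
                         if e["result"] == "Accepted" and e["ts"] >= first_fail})
        findings.append({
            "ip": ip,
            "max_failures_in_window": burst,
            "users": sorted({e["user"] for e in fails}),
            "success_after_failures": got_in,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, 192.168.1.10 is reported with six failures in a few seconds across brutus, admin and root, followed by a successful login as brutus; the single failure from 192.168.1.77 stays below the threshold. A success-after-burst is the finding worth paging on, since it is exactly what a dictionary run that reached the right password looks like.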
Microsoft serves up some Hot COFEE
by phil on May.09, 2008, under Security
Microsoft recently released a tool to help IT security people do their forensics work. The tool is called COFEE (Computer Online Forensic Evidence Extractor) and it's a USB key with U3 capabilities. A U3 thumb drive presents part of itself to Windows as a CD-ROM, so Windows treats it as a CD with autorun capabilities. Once inserted, the USB key goes to work collecting what it can using whatever tools Microsoft has at its disposal. Here's an excerpt from their site:
COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of command line tools. It is a framework that law enforcement can use to leverage publically available tools to access information on a live Windows system operating from a USB storage device. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.
Now, the problem I see with this tool is that you have to initiate the scan manually. What if you're trying to gather data off a running headless server? You'd have to get a username and password for the server, which might prove difficult if you're law enforcement.
Unfortunately Microsoft is only providing this tool to those in law enforcement, and so far only Interpol. So what can we, the lay people, use? Well, there are plenty of alternatives out there.
Linux Live CDs
There are a multitude of live CDs to choose from for this type of work. BackTrack gives you a slew of forensic tools, plus others for things such as adding a user to Windows or dumping the entire LM hash database. There's also Helix, which provides a multitude of forensic tools. The only problem with a live CD is that you must shut down the machine and reboot it into Linux, which loses everything in memory. One upside, however, is that you can mount the Windows drives read-only.
Hak5’s USB Switchblade
This is where I think Windows got the whole idea for this anyway. It's basically a USB key that has U3 and contains a whole slew of tools for gathering evidence. The key with Switchblade is that it doesn't need any interaction from a user. The main downside is that it can get caught by anti-virus software. You can find information about the tool and download it here: http://wiki.hak5.org/wiki/USB_Switchblade.
In the end Microsoft really isn't doing anything new here. The reason everyone is in an uproar is that privacy experts are concerned COFEE uses some as-yet-unknown backdoors into Windows. While I doubt that's the case, it is interesting that Microsoft is only releasing COFEE to law enforcement and no one outside that area is allowed access to the tool. That doesn't mean people won't get access, but if it smells fishy it's probably fish.