My blog will have a new permanent home soon. A friend and I have set up a small website, and I'll be moving this blog there. It's going to be fun; I'll be able to post screenshots and better serve the public with my small IT tutorials and everyday sysadmin rants...
At the moment the site is not 100% complete. It does have many links to tools, videos, articles and RSS feeds we find interesting. We also have 2 vulnerable VM images on which one can practice scans and penetration methods. We hope people will enjoy it.
The site's purpose is to gather as much information relating to IT security as possible and place it in one neat little package. We are fully aware of the fact that many sites like this exist, but one more won't hurt. If it can help one or two people find an interesting fact on security I'll be happy. The website will be re-written in French so as to better serve the people in my region... and perhaps there will even be a podcast (French). We don't pretend to be the best in this field, but we are 2 guys willing to learn and share.
So to everyone who actually reads my blog (yes, all 2 of you), thanks, and I hope you visit the site.
Kioptrix
Monday, November 30, 2009
Saturday, November 28, 2009
Twas the Night before Christmas...
[Hope you enjoy this one, wasn't easy]
Original poem
Twas the night before Christmas, when all through the house
Not a creature was stirring, not even a mouse.
The vulnerabilities were left on the system with care,
In hopes no metasploit script would soon be there.
The admins were nestled all snug in their bed,
While visions of security patches danced in their heads.
With project manager in her ‘kerchief’, and I in my cap,
Had just settled our brains to play with ettercap.
When out on the network, there arose such a clatter,
I sprang from my desk to see what was the matter.
Away to the console I flew like a flash,
Tore open the screen and threw up bash.
The logs on the breast of the new-fallen server
Gave a luster of panic on the new hired manager.
When, what to my wondering eyes should behold,
But a miniature script and eight services controlled.
With a little old script, so lively and quick,
I knew in a moment it was an ol’ HDM trick.
More slick than snakes his courses they came,
And he exploited, and rooted, and called them by name!
“Down CUPS! Down Apache, now Samba and Dixie!
On, Muts! On, Bolexx! on, on Dookie and HD!
To the top of the tree! To the edge of the firewall!
Now compile away! Compile away! Using dash wall.”
As fast typists that before the wild hurricane fly,
When they meet with an obstacle, they do not cry.
So up to the firewall the courses they flew,
With a bag full of root-kits, and with Mitnick too…
And then, in a twinkling, I stared at the rack.
The prancing and pwning of each little hack.
As I ran through the office, cursing around,
Down came the server, which was PCI sound.
As it fell to the ground, from RAM to wire,
And its casing had tarnished this I did not desire.
A bundle of overflows thrown on the stack,
The server looked like a peddler, with a hump on its back.
With hard drives dwindling! Its lights not so merry!
Its IO count rising, Its CPU red like a cherry!
Its droll little services all dropping in a row,
The last remnants of the server, stalked by a crow.
With power cable held tight in my grasp,
And the smoke it encircled, it looked like an asp.
It had blown condensers I found on the floor,
That I took and laughed, as I threw out the door.
It was busted and broken, a right jolly old elf,
And I laughed when I trashed it, in spite of myself!
With a wink of my eye, and a twist of my head,
The new manager knew she had something to dread
She spoke not a word, but went straight to her desk.
And looked at the firewall purchase, and then was perplexed.
And laying her face inside her cupped hands,
Unable to move, unable to stand!
As I sprang from the server room, gave the team a whistle,
Away we all went, all flew like down of a thistle.
As we exclaimed while we left, ‘ere we drove out of sight,
"Merry Christmas to all, and to all a good-night!"
Friday, November 27, 2009
BackTrack Christmas song
On the first day of Christmas my true love gave to me
(And) A copy of the backtrack CD
On the second day of Christmas my true love gave to me
Two short jumps
On the third day of Christmas my true love gave to me
Three local exploits
On the fourth day of Christmas my true love gave to me
Four WEP keys
On the fifth day of Christmas my true love gave to me
FIVE METASPLOIT MODULES....
On the sixth day of Christmas my true love gave to me
Six rainbow-tables
On the seventh day of Christmas my true love gave to me
Seven Windows OpCodes
On the eighth day of Christmas my true love gave to me
Eight joomla exploits
On the ninth day of Christmas my true love gave to me
Nine Vista Patches
On the tenth day of Christmas my true love gave to me
Ten zero-days
On the eleventh day of Christmas my true love gave to me
Eleven ruby scripts
On the twelfth day of Christmas my true love gave to me
Twelve sa passwords
Saturday, November 21, 2009
Can lack of training cause problems?
A few days ago at work, something extraordinarily stupid happened... The idea of purchasing bigger (more complicated), more powerful servers was suggested to get more performance out of our VMware infrastructure. Logic would agree with that; if you have a bigger hammer you can break bigger stones. Unfortunately, in our current situation, we don't need bigger hammers. We need to make better use of the hammers we already have.
Training, it seems, is something small/medium businesses tend to overlook. They tend to think they need to spend whatever little money they have on equipment. Well, in some circumstances that can be very useful, but in others simple training and understanding of the current technology can also squeeze more performance out of the systems you already have.
Let's take for example the growing popularity of virtualization (I'm not talking about the little VMs home users run with VMplayer or that free VMware Server). Let's face it, it's not easy to configure correctly. The key word is "correctly", if by any chance a manager is reading this... Once installed and correctly tweaked, that HP G5 or G6 can really give you your money's worth. Coupled with a good storage system (again, properly configured), a few of these machines will give some good results and host many virtual systems. Of course the package as a whole needs to be installed and configured correctly. And one way of ensuring you get what you deserve out of your setup is training. If you can't reap the complete benefits of your current setup, changing everything won't change a thing.
So how can lack of training be a problem? Well, lack of training leads to misconfiguration. Ill-configured systems tend not to run as well as they should. And let's face it, there are bound to be some security issues in something that is not properly configured.
VMware training is a few thousand bucks, and that knowledge stays forever...
New servers and that nice looking EMC will run you up in the tens of thousands...
Simple math really...
This rant has gone on for long enough.
Monday, November 16, 2009
The new milw0rm... better than before?
Well, the new (or replacement) milw0rm has gone online. As you may, or may not know, the crew of Offensive-Security have taken over. Str0ke was very close to closing the site down. After the initial announcement, Offsec stepped in and offered to relieve him of some of the administrative duties (updates mostly).
So, is the new site better? I mean, how can you improve on such a simple concept? Have an exploit, have a link to said exploit. Well, they've found a way to not only make it better, but they succeeded in making the site an educational tool.
With Offensive-Security certifications slowly growing in popularity, it makes perfect sense for a security company such as Offsec to maintain the most popular exploit repository on the web today. It's a great combination; they train you in identifying and using exploits (for defensive purposes) while at the same time guaranteeing the exploits used during the training are available.
Good idea...
But how is the site better? Let's start off with how everything is organized. It's separated into a few sections: remote exploit, local exploit, web application and denial of service. The old milw0rm had a similar organizational schema, and they even had (or have, I suppose... it's still up) a shellcode section, which for me was not very user friendly. What it didn't have was a web application section, which in my opinion is a good add-on by the Offsec crew. Even if they removed a few of the sections originally found on milw0rm, the new site is very easy to navigate.
The search option is also better all around: searching by description, author, type (remote/local/DoS/etc.), platform and port number. It's pretty quick too and gives very good search results. The submission information is revamped and easy to follow for anyone who wishes to submit anything.
This last part is what makes this site stand out from the rest. They are actually hosting the applications associated with the exploits. Not all of them, mind you, but they do have many downloads available. So in time, I'm sure we'll see lots more vulnerable applications with their respective exploits ready to be transferred into our lab environment.
So in the end, Offensive-Security have legitimized the existence of such a site. With this new avenue, an exploit repository site doesn't have to cater to "blackhats" looking to annoy people or deface websites. They are maintaining and making available a valuable knowledge base for the security professional in training.
Congrats to all that worked on the new site. It's fresh, good looking and I'm sure it's going to be around for a long long time...
Check them out:
Offensive-Security
New milw0rm
Sunday, November 8, 2009
Hackfest.ca 2009
Well, yesterday I attended my first infosec convention/conference in Quebec City: Hackfest. I must say it was great! Since I have nothing to compare it to (as far as information security related conventions go), I'll compare it to the few conventions I did attend in the past, IT and non-IT related. The result is still the same: it was a great learning experience.
The convention was organized by Patrick R. Mathieu, Nicolas-Loic Fortin and Michel Cusin. It was held at the "Hotel Universel" across the street from where it was initially intended (University of Laval). They needed to move out of the University due to the swine flu vaccination campaign, and this with only 3 weeks' notice... If they hadn't mentioned it, we never would've noticed. The whole thing was well organized right down to the free RedBull. Smooth, on time and with people behaving correctly, all went like clockwork.
The day started with registration at 8am, and ended with lock-picking and a CTF event. Unfortunately, due to health issues, I couldn't stay to watch the activities... guess it's just good luck I didn't register for the event; I wouldn't have been able to participate.
9h15am The first speakers of the conference were Eric Gingras and Sebastien Duquette. Their topic was "fuzzing in a pentest", complete with slides and an entertaining demonstration. It was a good talk to kick off the day.
10h15 This talk was a bit over my head, seeing as I'm not a PHP coder. Nonetheless it was extremely interesting: auditing PHP code for security reasons. It opened my eyes to how easy it is to make the server hosting your code vulnerable to attack. This must have made a few coders happy (and a bit scared, I hope).
11h30 Botrax came on to explain how the "law" worked, and how it's applied to a "human" and a "person". Yes, according to the law's definition, these two are not the same. You would be surprised how much impact this makes. As for how this applies to white hat hackers and black... well, you needed some imagination. Overall it was worth the hour.
13h30 Henry Stern, senior security engineer, spoke about attacks on social sites in various forms. At the end, even though the whole crowd attending is computer savvy, we still got a few surprises. I can just imagine now, for the average user, how badly their computers are infected with false anti-virus software.
15h00 David Girard came on to talk about vulnerabilities in virtual machine architecture, speaking about different technologies used for virtualization... and no, VMware is not the only one. Very eye-opening... moral of the story: update everything when you can, especially if you're running ESX.
16h15 Guy Bruneau from SANS spoke about packet analysis and retrieving files directly out of a Wireshark session. For me this was new. Knowing it was possible, I now have a pretty good idea of how to do it. Again, very informative.
17h15 It was Mick Douglas from PaulDotCom Security Weekly's turn to take the stage. This guy is the reason (at least the major reason) I decided to attend. His topic, "Offense is the new Defense", was a fresh outlook on how the blue team, or system/security/network administrators, should act/react to an attack on the system. He was obviously passionate about the topic.
After all the talks were done, the lock-picking and CTF started. I stuck around to see all the various laptops boot up and get ready for war. Seeing as I have no experience in a CTF (the closest thing I've done is the OSCP), it was quite impressive. Well organized, with enough hardware to supply all teams with an IP; the whole setup seemed to be ready in an hour. Great job guys! No waiting for the participants; I'm sure they appreciated it.
To finish this off now, I must say it was a great experience and something I hope they are able to redo next year. Canada/Quebec needs conventions like these. We can't all afford to go to Shmoocon/DefCon. Not all employers are ready to send their admins to such events either. So my colleagues and I who attended this event feel that not only is this convention fun and useful, it's essential for Quebec's security consultants and techs to be on top of the black-hats.
I spoke to Michel Cusin before leaving, congratulating him and offering any help he may need for next year's event. I truly believe in this event now. I hope he just remembers that a stranger took the time to offer his help. :)
Labels: convention, hackfest, infosec, pauldotcom, sans, security
Wednesday, November 4, 2009
str0ke 1974-04-29 - 2009-11-03
As reported on the Black Security blog not too long ago, milw0rm's founder passed away from heart complications.
He leaves a wife and 4 children.
My thoughts and prayers go out to his wife and children, and the rest of his family. I never knew str0ke (1 email doesn't count as knowing someone), but as a fellow human being... a father... a husband, I can't help but feel saddened by this moment.
Please read Black Security's blog entry on the subject, for he is in a better position to talk about the situation.
May whatever god you believe in, str0ke, keep your soul safe and happy for the rest of eternity.
----
EDIT: It appears that this was someone's bad idea of a joke. Let's just hope this didn't cause him AND his family too many unwanted farewell e-mails...
Thanks ronin2307..
----