Archive for the ‘Exploits’ Category

0wned by Google AdWords

Wednesday, May 2nd, 2007

Personally, I have an AdBlock entry that blocks Google AdWords and a lot of other advertising sites. I know that by displaying ads, you’re opening yourself up to HTML, JavaScript, and any other nastiness that doesn’t originate from the site you’re trying to visit. I also don’t click on those paid advertising links from a Google search because usually they’re for a commercial product when all I need are simple instructions.

Here are two sites by people that have personally dealt with the maliciousness of Google AdWords.

http://www.dynamoo.com/blog/2007/04/malware-via-adwords.html
http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html

My First Remote Shell Access Exploit

Wednesday, April 18th, 2007

Originally posted on cocoacrusty.com on Monday, April 16th, 2007.

This post is the reason I posted my previous blog entry on installing the Metasploit framework on my Apple MacBook. Chris sent me a link to this movie showing someone exploiting a vulnerability in Microsoft’s Windows. The .ANI Header Stack Overflow vulnerability allows a remote attacker to send a malicious e-mail to an unsuspecting user with an unpatched Windows machine and gain remote shell access.

After Metasploit was installed on my MacBook, I followed the steps in the movie as they were shown and it worked like a champ. The recipient of the e-mail has to be viewing the e-mail in HTML. I was only able to exploit this vulnerability when using the Microsoft Outlook or Microsoft Outlook Express e-mail clients when the client was set up to view messages in HTML. Either way, I gained access to one of my own machines using this exploit and it showed me just how easy it would be for someone with malicious intent to really wreak havoc on a novice or unsuspecting user.

I am impressed at the whole concept behind the Metasploit framework for exploiting known vulnerabilities and delivering payloads with basically the push of a button. The interface and command logic is easy to understand, for this exploit anyway, and I look forward to learning more about the framework, the exploits, and the payloads in the near future.

Until next time…

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw

Wednesday, March 7th, 2007

I haven’t read all of this yet, but it looks like an awesome article describing the research involved in finding the vulnerabilities and in writing the exploit code.

http://isc.sans.org/diary.html?storyid=2375

Building a remote buffer overflow for the Snort 2.6.1 DCE/RPC flaw
Published: 2007-03-07,
Last Updated: 2007-03-07 13:35:22 UTC
by Arrigo Triulzi (Version: 1)
Every so often I get asked about buffer overflow research in practice and for once there is a lengthy, worked-out example for me to point at.

Trirat Puttaraksa recently blogged in two parts his work in turning the Snort 2.6.1 DCE/RPC flaw into a working exploit. The first part discusses the “easy bit”, that is to say how to turn the vulnerability into a denial-of-service attack whereas the second part discusses how to exploit it to actually execute code.

It is a very thorough write-up, including pretty pictures explaining how he uses the Snort source code to figure out the layout of the packets he is going to send, the setup of the packets to ensure that he triggers the fault and, in part 2, how to inject the payload to execute. The final result is that he runs calc.exe from Snort.
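Both the .ANI post above and the Snort DCE/RPC write-up summarised here are remote buffer overflows of the same shape: a length field chosen by the sender decides how many bytes get copied into a fixed-size buffer, and the only check performed is against the input, not the destination. The C below is an added illustration of that pattern and is not code from Windows, Snort, Metasploit or Trirat Puttaraksa's write-up; the chunk layout (4-byte tag, 4-byte little-endian length, payload), the tag "hdr " and the 36-byte header size are assumptions made for the example. `unsafe_overrun_bytes` reports how far the vulnerable parser would spill without actually performing the bad copy, so the program can be run safely.

```c
/*
 * Added example: a chunk parser that trusts the on-the-wire length field
 * (vulnerable) beside one that bounds the copy by the destination (hardened).
 * Layout assumed for the example: tag[4] + little-endian uint32 length + payload.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_SIZE 36u   /* assumed size of the fixed header struct the consumer expects */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed input: writes tag, declared length and a payload of 'A' bytes into out.
   Returns the total chunk size, or 0 if it does not fit in cap bytes. */
size_t build_chunk(uint8_t *out, size_t cap, const char tag[4], uint32_t payload_len) {
    if (cap < 8 + (size_t)payload_len) return 0;
    memcpy(out, tag, 4);
    out[4] = (uint8_t)(payload_len & 0xff);
    out[5] = (uint8_t)((payload_len >> 8) & 0xff);
    out[6] = (uint8_t)((payload_len >> 16) & 0xff);
    out[7] = (uint8_t)((payload_len >> 24) & 0xff);
    memset(out + 8, 'A', payload_len);
    return 8 + payload_len;
}

/* VULNERABLE: the declared length is checked only against the input buffer,
   so a chunk declaring more than HEADER_SIZE bytes overruns hdr[] on the stack.
   Only ever call this with trusted input; it is here to show the bug. */
bool parse_header_unsafe(const uint8_t *buf, size_t len, uint8_t out[HEADER_SIZE]) {
    uint8_t hdr[HEADER_SIZE];
    if (len < 8) return false;
    uint32_t chunk_len = le32(buf + 4);
    if (chunk_len > len - 8) return false;     /* fits in the input... */
    memcpy(hdr, buf + 8, chunk_len);           /* BUG: ...but not necessarily in hdr */
    memcpy(out, hdr, HEADER_SIZE);
    return true;
}

/* Computes how many bytes parse_header_unsafe would write past hdr[] for this
   input, without performing the copy. 0 means the unsafe parser stays in bounds. */
size_t unsafe_overrun_bytes(const uint8_t *buf, size_t len) {
    if (len < 8) return 0;
    uint32_t chunk_len = le32(buf + 4);
    if (chunk_len > len - 8) return 0;         /* unsafe parser rejects this before copying */
    return chunk_len > HEADER_SIZE ? (size_t)(chunk_len - HEADER_SIZE) : 0;
}

/* HARDENED: a fixed-layout header must declare exactly HEADER_SIZE bytes, and the
   copy is bounded by the destination, so no sender-chosen value reaches memcpy. */
bool parse_header_safe(const uint8_t *buf, size_t len, uint8_t out[HEADER_SIZE]) {
    if (len < 8) return false;
    uint32_t chunk_len = le32(buf + 4);
    if (chunk_len != HEADER_SIZE) return false;  /* reject oversized or truncated headers */
    if (chunk_len > len - 8) return false;       /* reject chunks that run past the input */
    memcpy(out, buf + 8, HEADER_SIZE);
    return true;
}

int main(void) {
    uint8_t chunk[8 + 200];
    uint8_t out[HEADER_SIZE];

    /* An oversized header: the unsafe parser would spill 164 bytes, the safe one refuses it. */
    size_t n = build_chunk(chunk, sizeof chunk, "hdr ", 200);
    printf("200-byte header: unsafe parser would overrun by %zu bytes, safe parser accepts: %s\n",
           unsafe_overrun_bytes(chunk, n), parse_header_safe(chunk, n, out) ? "yes" : "no");

    /* A well-formed header: both parsers accept it and no overrun occurs. */
    n = build_chunk(chunk, sizeof chunk, "hdr ", HEADER_SIZE);
    printf("%u-byte header: overrun %zu bytes, safe parser accepts: %s, unsafe parser accepts: %s\n",
           HEADER_SIZE, unsafe_overrun_bytes(chunk, n),
           parse_header_safe(chunk, n, out) ? "yes" : "no",
           parse_header_unsafe(chunk, n, out) ? "yes" : "no");
    return 0;
}
```

The check that matters is `chunk_len != HEADER_SIZE` (or, for variable-length data, `chunk_len > sizeof dest`): the input-length test alone is what both vulnerable parsers in these posts relied on, and it says nothing about the destination.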

lost local admin passwords lately?

Monday, February 19th, 2007

I found a machine in my organization a few days ago that never received the local admin password that is standard in my organization after taking it off the domain. I panicked a little then went to the Google altar to save my tail. The computer was very important to the business process. Here is what Google turned up for me: http://home.eunet.no/pnordahl/ntpasswd/. Nice little ethical (or non-ethical) hacking tool if I ever did see one. Enjoy.

Hacking Illustrated

Monday, October 9th, 2006

If you’ve never heard of IronGeek, you’re missing out. He’s big into the security scene and “illustrates” a lot of different hacking techniques by recording video files.

He has a collection that he’s done himself:
http://www.irongeek.com/i.php?page=security/hackingillustrated

and a page of others’ work that he’s mirroring:
http://www.irongeek.com/i.php?page=security/vids-by-others

It looks like he’s added a lot of new material since the last time I’ve checked.

GovernmentSecurity.org also has a collection of videos. Registration is required there.

Hacking Techniques in Wireless Networks

Monday, August 7th, 2006

I stumbled across this link, Hacking Techniques in Wireless Networks, while reading through some blogs this morning. Although not as technical as Chris’s post, THE Visual Guide to Penetration Testing, this documentation seems to provide a lot of good information on wireless networks and the possibilities of hacking wireless networks.

I haven’t read through this documentation line by line, but it appears to be well organized and somewhat helpful for an overview. There are also some links for further reading and other references. I will definitely check this out as time permits.

THE Visual Guide To Penetration Testing

Monday, July 17th, 2006

THE Visual Guide To Penetration Testing

As posted on one of my favorite blogs, A Day in the Life of an Information Security Investigator

What’s that? You really want a visual guide to penetration testing? Something that covers:

- Enumeration tools (nmap, firewalk, amap, nbtscan, hping, scanrand, sinfp, etc.)

- General Vulnerability Scanning Tools (nessus, typon, NGS Squirrel, MatriXay, SARA)

- Exploit Engine Tools (metasploit, manual SQL injection, etherape, netwox, hijetta)

- Pre-inspection visit steps (EVERYTHING!)

- Password Cracking (JtR, L0pht, Rainbow, pwdump)

- Network Recon (whois, samspade, google, social engineering, dumpster diving, zone transfers)

- Enumeration results steps (what if a certain port IS open?)

- Command line examples of each tool

Something that could be printed out and be your all-in-one guide to penetration testing?

SHAZZAM!

Behold, your wish has been granted.

This is a must see!

Chief

Really good article on botnets

Saturday, May 20th, 2006

This is a great, and long, story about a student at Auburn University who clicked on a link in an email. Of course, clicking on a link in an email isn’t always a bad thing, unless the web server you’re visiting installs malicious code on your PC!

Even if you’re not interested in botnets or computer security, this is a good read. It’s very informative and offers a glance into the lives of these “bot masters”.

Think you’re safe because your internal network is NAT’d behind a corporate proxy? Think you’re safe because your firewall rules are tight? Think you’re safe because you patch every computer on your network the first Tuesday of every month?

Think again.

http://www.baselinemag.com/article2/0,1540,1946404,00.asp

Collecting malware while you browse

Friday, April 7th, 2006

This is an awesome idea! These guys wrote a program that will monitor your web traffic while you browse sniffing for malware attacks. Once it detects an attack, it will emulate a valid response and log all communications. That’s just cool.

I learned about the tool from Richard Bejtlich’s blog, TaoSecurity. It’s called nepenthes and you can download it from http://nepenthes.mwcollect.org/

One thing I really like about Richard Bejtlich’s blog posts is that he’s very thorough. You can read about his experience installing and using nepenthes at the following URLs:

http://taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html
http://taosecurity.blogspot.com/2006/01/nepenthes-installation-ive-been.html

This tool comes prepackaged for all the cool distros: Gentoo, Debian, and FreeBSD, but of course the source is also provided along with instructions for getting it compiled and running in Windows.

You can find the README at http://nepenthes.mwcollect.org/documentation:readme.

Who is FuntKlakow?

Thursday, March 23rd, 2006

I saw a post over at SecurityMonkey’s blog regarding sleeper cell bots and immediately became interested - http://blogs.ittoolbox.com/security/investigator/archives/008389.asp

Apparently, there’s a bot running around creating accounts on various phpBB bulletin boards. No one really knows the true purpose of this activity. It’s possible, as you’ll read in SM’s blog entry, that this bot is registering all of these accounts so it will have access to thousands of phpBB sites for quick access when the next phpBB vulnerability comes out. And who’s to say they aren’t currently using an unpublished phpBB vulnerability?

Of course, that’s just speculation. We have a few users on our gaming site, oldschoolplayers.com, that are obviously bots. Their signatures have links to various websites that offer who-knows-what, possibly even automatic spyware (keylogging) software. These bots could be a simple way to generate traffic for the sites they’re promoting, or they could be malicious.

Big deal, you’re thinking. Who cares if a phpBB forum gets hacked? Who cares if they use XSS to get my password? Well, I guess that’s not so much a bad thing unless you use the same username/password for other sites. Surely you don’t use your forum username/password anywhere else, like oh, say eBay, Gmail, Paypal, Hotmail, other forums …etc. A simple Google search of your phpBB username and you can easily find other sites you’re registered at. How many of those share the same password? You get the point. People like to be mean so what would stop them from changing your password at every one of the sites you’ve registered at?

But phpBB isn’t just vulnerable to XSS. Do a search over at milw0rm.com or osvdb.org and you’ll find lots of cool phpBB hacks, including remote code execution on the phpBB server itself!

Here are links to some of the URLs mentioned in this post:
http://blogs.ittoolbox.com/security/investigator/archives/008389.asp
http://www.issociate.de/board/post/312809/phpBB_mass-hack_being_p…
http://area51.phpbb.com/phpBB/viewtopic.php?sid=&f=6&t=22880
http://www.milw0rm.com
http://www.osvdb.org
http://www.oldschoolplayers.com