Information Gathering Phase: The Harvester and Metagoofil

As part of a penetration test, before you start sending out exploits and attacks you have to do some information gathering. The first phase of a pentest is reconnaissance. Two good tools that can help you out with information gathering are from the guys at Edge Security. The two tools I want to go over are The Harvester and Metagoofil.

You can download them here:

http://www.edge-security.com/soft.php

The Harvester:
The screenshot below shows the usage instructions for the script. You can use The Harvester to search Google, Bing, LinkedIn or PGP key servers for email addresses or possible user names of a target network. This information can then be used to perform password guessing, or even better, client-side attacks via phishing emails.

Metagoofil:
The screenshot below shows the help for Metagoofil. You will notice the switches are similar, with -d indicating the domain you want to search. This tool will search Google for documents of the types listed below. It will then download the documents and extract the metadata from each file. This metadata can include usernames, or file paths contained in the files. These file paths can themselves contain usernames, such as c:\documents and settings\<username>\My Documents\
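The defensive side of this is to audit your own documents for the same metadata before they get published. The script below is an added example, not code from the original post or from Edge Security's tool: it opens a .docx (an OOXML zip), reads the author fields from docProps/core.xml, scans every part of the package for Windows paths, and pulls account names out of "Documents and Settings\<user>\" and "Users\<user>\" path components. The sample document, its author names and the template path are constructed in memory so the script runs offline; the part names and namespaces are the standard OOXML ones.

```python
"""Audit a .docx for the metadata a tool like Metagoofil would harvest.

Added example (not the original post's or Edge Security's code). The
sample document below is constructed in memory; nothing is downloaded.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Drive letter, colon, backslash, then everything up to a quote/bracket/newline.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]+')
# The account-name component of a Windows profile path.
_USER_RE = re.compile(r"\\(?:Documents and Settings|Users)\\([^\\]+)\\", re.IGNORECASE)


def docx_metadata(data):
    """Return creator and lastModifiedBy from the core-properties part, if present."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return out
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for key, tag in (("creator", "dc:creator"), ("lastModifiedBy", "cp:lastModifiedBy")):
        node = root.find(tag, _NS)
        if node is not None and node.text:
            out[key] = node.text.strip()
    return out


def leaked_paths(data):
    """Windows paths found in any part of the package (template links, relationships, ...)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            found.update(_PATH_RE.findall(zf.read(name).decode("utf-8", "ignore")))
    return sorted(found)


def usernames_from_paths(paths):
    """Account names embedded in profile paths."""
    return sorted({m.group(1) for m in (_USER_RE.search(p) for p in paths) if m})


def audit_document(data):
    """Everything a recon tool could learn from this one file."""
    paths = leaked_paths(data)
    return {"metadata": docx_metadata(data), "paths": paths,
            "usernames": usernames_from_paths(paths)}


def build_sample_docx(creator, last_modified_by, template_path):
    """Constructed minimal .docx containing only the parts this audit looks at."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{_NS["cp"]}" xmlns:dc="{_NS["dc"]}">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    # Word records the attached template as an external relationship target,
    # which is where local profile paths usually leak from.
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="file:///{template_path}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample values; not taken from any real document.
SAMPLE_TEMPLATE_PATH = r"C:\Documents and Settings\jsmith\Application Data\Microsoft\Templates\Normal.dot"
SAMPLE_DOCX = build_sample_docx("John Smith", "jsmith", SAMPLE_TEMPLATE_PATH)

if __name__ == "__main__":
    for key, value in audit_document(SAMPLE_DOCX).items():
        print(f"{key}: {value}")
```

Run it over the documents on your public web server before an engagement does: any account name it reports is one the recon phase will hand to the password-guessing and phishing steps described above.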

Soon I hope to be able to provide video tutorial of these and other tools and techniques. Stay tuned,


Penetration Testing Training

Two great training courses for pen testing are offered by SANS and Offensive Security. If you are working in IT security and are interested in learning new skills, or if you are starting out in pentesting, these courses are both worth your effort to look at.

SANS Security 560: Network Penetration Testing and Ethical Hacking.

This is a course that is taught at the bigger SANS conferences by Ed Skoudis. Ed also wrote the material for the course. He works for InGuardians, an information security firm in DC. He is one of the top security guys out there and you can tell from the course. This course goes over the whole pentesting process, from start to finish: from getting a pentest gig to turning in the final report to your client. It has very good information on preparation and recon, as well as in-depth technical skills to penetrate systems. I took the mentor course and found it to be very informative; it also provided lab access to practice what you learn, and even a capture-the-flag exercise at the end. I highly recommend this training course, whether it be at a SANS conference or by other delivery means, such as Mentor.

Offensive Security: Penetration testing with Backtrack

This next training course I am currently going through, and I am impressed so far. Pentesting with Backtrack (PWB) is a course developed by the creators of Backtrack themselves. You get connectivity to labs, so you can run the tools in Backtrack, scan, exploit and revert the VM if you need to. You use your downloaded instance of Backtrack to go through the course, and I can say that it is very in-depth. You are given videos explaining the material, plus labs/exercises. You also get a document with all the course information to go along with the videos. This training is all hands-on, with steps such as recon, scanning, even some exploit creation, all using the suite of tools provided in Backtrack. Backtrack is such a huge tool for pentesters, so this course is very essential training. The site has reviews from HD Moore, Kevin Mitnick and others. I am going through the online version of this training, but there is also an in-class course.

I hope to post some videos from my own research and work with the skills learned in both of these courses. Penetration testing is very important for testing your security controls. It gives you real insight into your security posture and what you should really be concerned with.


Password cracking in your organization

How do you know your users aren’t using easy-to-guess passwords? You rely on your operating system/Active Directory password complexity requirements. You force users to create passwords with upper case, lower case, numbers and maybe even special characters. You can even make the minimum number of characters 8 or 9 or even more.

This is not enough. Look at this password, you may even have used it:

ZAQ!1qaz

This password complies with all the requirements I mentioned above. Take a moment and look at your keyboard and how easy it would be to type that password in. You hold down the Shift key and go up the keys on the far left, then let go of Shift and go back down. This is called a keyboard combination, and you can imagine there are many. Just go along your keyboard and you can find many possible easy-to-remember or easy-to-type passwords.

The problem with this is that you can also create a pretty good password file from these combinations and then use it to crack passwords. If you audit your domain passwords you might use pwdump or fgdump to extract the hashes from your domain controller, or even a local computer. Then you can run the hashes through John the Ripper with a dictionary file of these password combinations. Just like that you can catch users that put this bad habit into practice. So it would seem our initial control of AD password complexity is not fully working.

This is where a program like PPE (Password Policy Enforcer) can help you out. PPE gives you the ability to add a dictionary file to the AD complexity rules: in addition to the complexity requirements, you can prevent users from creating passwords that exist in a dictionary file of your choice. This way the next time you crack passwords you should, theoretically, crack 0 passwords, if you are using the same dictionary file.
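To make the gap concrete, here is an added example (not code from the original post, and not the PPE product) of a password check that layers the three controls discussed above: the usual Active Directory style complexity rule, a keyboard-walk detector that catches ZAQ!1qaz even though it passes that rule, and a dictionary lookup of the kind PPE adds. The keyboard layout is a US QWERTY approximation, the 75% walk threshold and the "three of four classes" rule are my assumptions, and the dictionary file is constructed.

```python
"""Password-policy check that goes beyond character-class complexity.

Added example, not the original post's code and not PPE. The QWERTY map
is an approximation and the dictionary below is constructed.
"""
import string

# Unshifted US QWERTY rows; the column index approximates the physical
# position, so keys above/below each other share a column.
_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}
# Shifted symbols map back to the physical key they sit on ('!' is the '1' key).
_SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', '1234567890-=[];\',./'))


def _key(ch):
    """(row, col) of the physical key for a character, or None if unknown."""
    ch = ch.lower()
    return _POS.get(_SHIFTED.get(ch, ch))


def meets_complexity(password, min_length=8, min_classes=3):
    """The Active Directory style rule: length plus three of four character classes."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= min_classes


def keyboard_walk_fraction(password):
    """Fraction of characters that sit in runs of 3+ physically adjacent keys.
    A key followed by itself (shifted or not) counts as adjacent."""
    if not password:
        return 0.0
    keys = [_key(c) for c in password]
    covered, run = 0, 1
    for prev, cur in zip(keys, keys[1:]):
        adjacent = (prev is not None and cur is not None
                    and abs(prev[0] - cur[0]) <= 1 and abs(prev[1] - cur[1]) <= 1)
        if adjacent:
            run += 1
        else:
            covered += run if run >= 3 else 0
            run = 1
    covered += run if run >= 3 else 0
    return covered / len(password)


def is_keyboard_walk(password, threshold=0.75):
    """Assumed policy: a password is a keyboard walk if 75%+ of it is walk runs."""
    return keyboard_walk_fraction(password) >= threshold


def load_dictionary(text):
    """One entry per line, case-insensitive; lines starting with '#' are comments."""
    return {line.strip().lower() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def in_dictionary(password, dictionary):
    """Exact match, or a match after stripping the trailing digits/symbols
    users bolt on to satisfy complexity (Welcome123! -> welcome)."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    return lowered in dictionary or stripped in dictionary


def check_password(password, dictionary):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if not meets_complexity(password):
        failures.append("complexity")
    if is_keyboard_walk(password):
        failures.append("keyboard walk")
    if in_dictionary(password, dictionary):
        failures.append("in dictionary")
    return failures


# Constructed sample dictionary, of the kind fed to PPE or to John the Ripper.
SAMPLE_DICTIONARY = load_dictionary("""
# keyboard combinations
zaq!1qaz
1qaz2wsx
qwerty
# common words
password
welcome
""")

if __name__ == "__main__":
    for pw in ("ZAQ!1qaz", "1qaz2wsx", "Welcome123!", "Correct9Horse!"):
        print(f"{pw:16} complexity={meets_complexity(pw)} "
              f"failures={check_password(pw, SAMPLE_DICTIONARY)}")
```

The point of the walk detector is that a dictionary file can never list every keyboard combination; measuring physical adjacency catches the pattern itself, while the dictionary catches the common words users pad out with "123!".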

There are additional security measures such as multi factor authentication, biometrics, etc, but this is a good start.


SANS Mentor Training in Austin TX

On April 6, 2010, I will be mentoring SEC560 Penetration Testing and Ethical Hacking in Austin TX.

See link for details and sign up!

If you click on the ad at the bottom right of the site, you can help me out with a referral to the training. :)

http://www.sans.org/mentor/details.php?nid=21188


Port scan broke my server!

Whether it be an nmap port scan, a Nessus discovery scan, or any scanner that tries to find open ports on a server, you have probably heard at least once, “hey! that scan broke my server/app”. I must admit I have.

I was reading Fyodor’s book on nmap and wanted to share some interesting quotes.

This is on page 19 of the book that talks about port scanning systems.

“…no application, host, or network component should ever crash based on an Nmap scan. If they do, that is a bug in the system which should be repaired by the vendor.”

“…poorly written applications, TCP/IP stacks, and even operating systems have been demonstrated to crash…”

“…finding that a machine crashes from a certain scan is valuable information. After all, attackers can do anything Nmap can do…”

“Reducing the ports/hosts scanned reduces the number of state entries and thus might help those sorry devices stay up.”

This sums up my beliefs exactly. If I scan a system and it crashes, they need to fix it. I am not exploiting anything, or doing anything that nobody else can do.

In addition to the descriptive words Fyodor uses for these systems, I would add the word finicky.


Collection of Default Password sites

So a thread on the FD mailing list gave me an idea to make a post with a list of default password websites:
http://www.passwordsdatabase.com
http://www.phenoelit-us.org/dpl/dpl.html
http://cirt.net/passwords
http://dopeman.org/default_passwords.html
http://www.cyxla.com/passwords/passwords.html


Facebook privacy news blowsup, but should it?

News on the latest privacy capabilities has been going around a lot lately. I posted a vid with an overview, as well as a “10 things you need to know” article (I think). There has been a lot of talk, and I actually like the new capabilities. I made good use of the previous settings, mostly for pictures.

One thing that came up in all this hoopla is that Facebook’s default setting, or recommended setting, is to share with everyone. This then implies that it is internet accessible. If you don’t want that but haven’t changed the setting, then Facebook will remove it from their servers, or you can delete your account. Is your information really gone though?

Some people are even flaming FB for the sharing with everyone, or for the fact that once it is internet accessible and indexed, spidered or archived by search engines, there is no way it is taken off the internet. This is common knowledge though. Everything you type into your browser should be considered exposed. We can take exception to banking or legitimate e-commerce, because they are held accountable by law to protect your information. However, Facebook or your blog, Google archiving your FB wall or blog, FB possibly passing your info via apps, or you passing your info via malware spread through FB mail: all of that should be considered exposed and out there for everyone to see.

Even with privacy settings hardened I would not post private information on FB. Who are they anyway? Just a company trying to make money, be popular and be successful. Do I know them well enough to actually store my private information on their servers? If I even store private information on my own computer, one that I physically have, I make sure I encrypt it. So why am I going to post private information on FB or Blogspot or anywhere else? I am not.


Interesting Forensics Story

http://ezinearticles.com/?The-Case-of-the-Teacher-and-the-Teen-Trickster&id=3208559

A teacher gets spied on via her computer, complains, and takes her PC to forensics, who find a trojan.


Site Modifications

So I changed the theme and added some add-ons, the most significant one being the Twitter feed on the sidebar. I retweet a lot of interesting news that I find on Twitter.

Let me explain my use of Twitter. I follow all the well-known security professionals to be able to see their point of view on subjects, as well as get the latest news and information that is going around. Twitter provides good information when following the correct people. I will often retweet interesting articles that people post, and they will in turn appear on the website.

I encourage you to follow me if you are interested in information security.


Follow my Google Reader shared news

Check out this link for access to my RSS shared news.


http://www.google.com/reader/shared/09423364391415399129
