Monday, December 31, 2012

All these years and I still don't get it.

So back in the day, when the internet was new (and I really mean that, when it was new), a co-worker of mine was blown away. We were NOC techs (and he the senior tech) for one of the original six backbone providers; the people the government turned the DARPANet over to, to be the Internet. I told you I was serious about the internet being new.

Anyway, CIDR was still something everyone was trying to get their heads around. There was a great cheat sheet someone had made, but we couldn't remember where to get it. So my co-worker went to a search engine (back before there was Google), yahoo I think, or maybe dogpile.

Anyway, my co-worker searched for it on the internet. He went from his computer in the Network Operations Center, to a computer in California, only to find that the first link was on a computer sitting 10 feet away from us.

For some reason, this blew his mind, and he spent a good hour of our shift flipping out over it and trying to make me understand just how awesome it was that a computer in California, knew the contents of the computer behind us in the NOC.

Still don't see why it was so awesome...

Probably because I spent time on BBS systems connected to DARPANet when I was a teen, and was already used to it.

Saturday, October 20, 2012

looks like someone's tool is a little broken

So I got a bunch of emails today via DenyHosts. Lots of traffic at my ssh server. Running "failed" (there is an old version on the blog; I'll add the latest version below), I saw the typical automated attack mess. But one thing caught my eye, in the invalid user section.

Oct 20 18:56:52 from root
Oct 20 19:23:57 from root

Hmm... those don't conform to my normal search for that section.

Now all "failed" does is go through and parse my auth / secure log for matched failed instances. And here is what was in the log file.

Oct 20 18:56:52 $SERVER_NAME sshd[11347]: Failed password for invalid user root b0#pdl!PP from $ATTACK_IP port 55778 ssh2

Oct 20 19:23:57 $SERVER_NAME sshd[31205]: Failed password for invalid user root c from $ATTACK_IP port 42388 ssh2

From the lines in the logs, it looks like they sent the password as part of the user name. That, or my system was being slow and theirs faster.

The shell script "failed":

#! /bin/sh
# checks /var/log/auth.log for login failures.
# version 0.2
# chrisj@rattis.net

# prints failed invalid users
# fields for "... Failed password for invalid user NAME from IP port N ssh2":
#   $1-$3 = date/time, $11 = NAME, $13 = IP (assumes NAME has no spaces)
echo "Failed Invalid User Attempts"
grep "Failed" /var/log/auth.log | grep -i 'invalid' | awk '{print $1,$2,$3,$13,$11}' | sort -u

echo ' '
# prints failed valid users, except for me.
# fields for "... Failed password for NAME from IP port N ssh2":
#   $1-$3 = date/time, $9 = NAME, $11 = IP
echo "Failed Valid User Attempts"
grep "Failed" /var/log/auth.log | grep -vi 'invalid' | awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '
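An added example of my own, not the "failed" script above: the awk version counts fields, so a user name with a space in it (the "root b0#pdl!PP" line) shifts the columns and you get "from root". Pulling the user name out with a regex anchored on "invalid user " and " from IP port " keeps the whole thing intact, whatever the attacker's tool stuffs in there. The log lines are constructed samples with made-up host names and documentation IPs.

```shell
#!/bin/sh
# Added example: regex-based parsing of sshd "Failed password" lines, so a
# user name containing spaces does not shift the columns.

# Constructed sample log (host and IPs are placeholders, not real values).
SAMPLE_LOG='Oct 20 18:56:52 srv sshd[11347]: Failed password for invalid user root b0#pdl!PP from 192.0.2.10 port 55778 ssh2
Oct 20 19:23:57 srv sshd[31205]: Failed password for invalid user root c from 192.0.2.10 port 42388 ssh2
Oct 20 19:30:01 srv sshd[31300]: Failed password for invalid user admin from 192.0.2.11 port 40001 ssh2
Oct 20 19:31:15 srv sshd[31320]: Failed password for chrisj from 198.51.100.7 port 50022 ssh2'

# Prints "date time user ip" for each failed invalid-user attempt read from
# stdin. The user name is everything between "invalid user " and the last
# " from <ip> port", so spaces in it are kept.
failed_invalid() {
    sed -nE 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) .*Failed password for invalid user (.*) from ([0-9a-fA-F.:]+) port .*$/\1 \2 \3/p' \
        | sort -u
}

# Same for existing accounts. Lines carrying "invalid user" cannot match
# here, because the user field is a single word followed directly by " from".
failed_valid() {
    sed -nE 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) .*Failed password for ([^ ]+) from ([0-9a-fA-F.:]+) port .*$/\1 \2 \3/p' \
        | sort -u
}

# Usage on the sample; on a real box feed it /var/log/auth.log or secure instead.
echo "Failed Invalid User Attempts"
printf '%s\n' "$SAMPLE_LOG" | failed_invalid
echo
echo "Failed Valid User Attempts"
printf '%s\n' "$SAMPLE_LOG" | failed_valid
```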

Tuesday, September 25, 2012

if you want to be a hacker, go read this

Alex, a good friend of mine and a former Eastern Michigan IA student, wrote a great article for his company's blog. You really should go read it.

"The first few months of penetration testing, what they don't teach you in school."

Friday, September 21, 2012

One of the ones I didn't like

So, as I mentioned in the Plan for IA240 blog post, I had some other ideas, ones that I decided not to go with for various reasons.

One of those ideas that I rejected:

Using a tablet with my cell phone as a tether. I tried using my cellphone in class the first night. It didn't work too well. It was rather slow Googling questions the professor was asking.

I also didn't like the idea for a handful of reasons. I could be wrong, because I don't understand all the tech.

First, the tethering. I have a rooted (running CyanogenMod) cell phone, but every time I tried, I got messages saying the network I have for service is blocking it.

I'm still creating a wireless network that someone could try attacking, with other people wanting to connect. Not saying people would, but hacking wifi isn't that hard, and if they're willing to go after a laptop, why not go easier with a wifi connection.

I've only used Shark for Root sparingly. As I understand it, it can do 3g packet captures. I'm not sure if that's only for the phone it's on, or if it can grab any 3g signal. I also haven't found much documentation on it. I also don't have the equipment to test it properly at this time. Maybe we can set something like that up at EMU's IA Club, where we can play around with it and see what it does.

Just one of the ideas I tossed to the side. I'll talk about another one some other time.


Well Tails works...

Sitting at Eastern Michigan University on the wireless network using T.A.I.L.S. It's a little slow, but that's ok. I'm riding across TOR to an exit node in Germany.

To get this to work:
I loaded the system from the Live CD.

Then using the unsafe browser, I was able to get to the capture portal. To do that, you need to go to a non-https site. I like to use www.sluggy.com. Going to www.google.com got grabbed by HTTPSeverywhere, and was dragged to encrypted.google.com. Sadly that doesn't work with EMU's capture portal.

After that, I started the Iceweasel browser to make sure it worked right, which it did. Then I shut down the unsafe browser.

So this works.

Thursday, September 20, 2012

Can't wait for Friday

I found out tonight that the IASA (Information Assurance Student Association) is having their kick off meeting Friday. At 5. Time sucks, but meh.

I'm actually thinking of tossing my ID in the bit-bucket for an officer position. Don't know which one yet. I'm sure that'll fly like the NX37602. There are some things I think we could do better as students. Yeah, it means more work for us, but in the long run, it makes us better students. No, it's not hacking each other. Although some Saturday CTF in L6 wouldn't be too bad. If allowed.

I also got to do some reading on T.A.I.L.S. tonight. I figured I couldn't be the only one that was having problems with capture portals (have to log in to use wireless). Looks like I was right. And I have something to test on Friday now.

Also, new version of T.A.I.L.S came out tonight. Version 0.13.0.

Tuesday, September 18, 2012

Need to look in to T.A.I.L.S some more.

I couldn't get T.A.I.L.S to work on campus tonight. The wireless would associate, but I then have to log in to the back end server. However, I was never seeing a redirect. I think I managed to disable tor, in case that was the problem. But I have also seen problems with other systems like that in the past and HTTPS Everywhere.

I need to find some time to look in to it.

Monday, September 17, 2012

There will be some more posts coming

So I've tested T.A.I.L.S; it comes with sshfs pre-installed. It's also really easy to use. It looks like all the traffic goes through T.O.R. Next step will be to see if it works with the University's wifi.

I've been asked to do a talk on it.

I'm also going to do some write ups on the options I didn't use and why I didn't want to use them.

Saturday, September 15, 2012

Plan for IA-240 at Eastern Mi.

** This has been updated:

So one of the classes I'm taking this term is required for my degree. And I have to worry about protecting my computer in it.

The course:
IA 240. The main point of the class, that I took away from the first night, is to learn how to write Analyst reports. The over all goal is to give us the skills required to go work for a government agency. (The program has a lot of students leave and get jobs in the public sector).

The Final:
The professor will assign us something to do an analysis report on at the end of the semester. To teach us Operational Security, we have to protect our final project from our classmates. He gives extra credit for each student we got information from.

The Problem:
The professor has already said we are required to bring laptops to class, and classmates, as in the past, will try hacking that computer to get your final project. **Update-1: This was said as a warning, not as a "you will be hacking each other in this class."

Overall, knowing the above, one really wants to get your hacks in early, get a back door, and be able to come into the classmates' boxes at will. Lots of ways to do that. But I'm about not being an easy target. In fact, I don't want my system compromised.

Options to protect me:
- Change operating systems every class, either local install, from USB, or DVD / CD.
- Run Backtrack, and use that as the desktop (not meant for that).
- Run TAILS.
- Buy a dedicated machine, use nothing on it, do forensics on it at the end of the semester, and keep nothing on it.
- Be really evil... (run a VM or a dedicated box with a sticky honeypot).

The Plan:
I don't have the money for the dedicated machines.

I thought about putting my money where my mouth is and installing Backtrack on an old hard drive, then hardening it. This would fit in with my Linux Hardening applied to BackTrack talk. However, I don't like the idea of swapping the hardware that often. Trying to hack my classmates would be unethical in my eyes anyway.

I don't have an interest in hacking my classmates. Just not being hacked.

So, I've already got Full Disk Encryption, and I'm going to run with The Amnesic Incognito Live System (TAILS). I'll take an energy hit, but the main hard drive won't be touched.

The only thing I have to worry about is saving my work from class (not that I type much in class, I'm more about pen and paper). But if there is something I need to save, I have things for that. I'm using Google's two factor authentication. I also could look into doing File System over SSH. Not sure if I'll have to go that far.


*Update-1: the professor was not giving permission. He was giving a warning.

Tuesday, August 14, 2012

out of shape

yep... running, between 2.2 and 2.4 miles in 35 minutes (couch to 5k, wearing 20lbs weight vest, and VFF). and that's on week 5. granted took a week off between 3 and 4, and this is my second time on week 5, failed horribly last week. Swings, had to change after every 25 at the fitness center tonight. my 16kg kettlebells. farmer walked there and back, down stairs and up, and 700 feet 1 way. only made it through 2 minutes of Tabata thrusters at 16kg. used to be way better. and could only lift about 5 times every 20 seconds. I hate being out of shape. 246, 22.8% (give or take) body fat. Yes, I know, better shape than I was in almost two months ago, but still just depressing, when I used to do all of that much better.

Thursday, June 21, 2012

Wow, not liking the new look of blogger, but that's something for later. Really need to get my site set up. Time is an issue. I'll have to go back over my time management skills and then get them rolling again. Anyway, this post is a public shaming. Updated numbers for body fat checking: Weight 260.8, waist 46 inches (at navel), hips 47 inches, forearm 13 inches, wrist 8 inches; works out to be 26.4% body fat or something like that. Started reading The 4 Hour Body (4HB). The personal GPS numbers: Mid-Bicep 14 inches L, 14 inches R; Waist 46; hips 47; Mid-Thigh 25 inches L, 25 inches R; Total inches (add all those numbers together) 171. I'm going to modify the slow-carb (almost no carb) diet some. Plus couch to 5k (C25k) with 20lbs weight vest, and a Kettlebell program I have going through my head: good mornings, halos, 2 hand swings, shoulder presses, push-ups, rows, squats. 5 sets. We'll see what happens between now and July 31st.

Wednesday, April 11, 2012

Centos 6 Guest on Virtual Box

Maybe someday I'll get the other blog up and running, but right now I'm working on a project. One of the things I needed to do was set up a lab.

CentOS 6.2, Virtualbox.

After installing the Development Tools group and the kernel-devel package, I kept getting errors saying it couldn't find the source code to build. Dug around, and finally looked at the run script for the Additions software.

While the kernel and the kernel-devel package were both 2.6.32-220, the directory under /usr/src/kernel/ was called 2.6.32-220.7.1.el6.i686. The installer was looking for 2.6.32-220.el6.i686.

A quick ln -s to the existing directory worked magic; it finished with no errors.

The console still doesn't look right, but that is going to have to wait.