Friday, November 28, 2008

Web Site Advisors

I've been using McAfee's site advisor and recently ran to Norton's Safe Web services. Both tools are pretty good. Both services can analyze Web sites and be able to give you information on how they will affect your computer.

Wednesday, November 26, 2008

More MS08-067 Exploits

"Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A." Technet.com

"At McAfee Avert Labs we have seen a few proof-of-concept binaries using the exploit code that was released into the wild to attack this Windows Server Service vulnerability; the latest is W32/Conficker.worm. According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000." Avert Labs

Why going nuclear on thumbdrives won't win the cyber war

"Last week, the Pentagon confirmed that Defense Department networks were under attack by a computer worm. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Pentagon spokesman Brian Whitman said in a statement on Nov. 21." Read more...

Friday, November 21, 2008

Tips: TCPDump

TCPDump prints our the headers of packets on a network interface that match the boolean expression. You can also use with option -w to save the packet data to a file for later analysis. You can also save the file with the .pcap extension so you can use either wireshark or other packet sniffing program.

TCPDUMP.org

Examples: tcpdump -i eth1 -XxvvnneS host 192.168.1.1 -w host_168.1.1.pcap

-i followed by sniffing interface name (eth0, eth1 , etc.)
-X when printing in hex, print ascii too
-x Print each packet in hex
-vv even more verbose output
-nn do not resolve host name and port service
-e Print the link-level header on each dump line
-S Print absolute, rather than relative, TCP sequence numbers


Few tips from TaoSecurity...


Understanding Tcpdump's -d Option, Part 2

In September I referenced a post by libpcap guru Guy Harris explaining outfrom from Tcpdump's -d switch. After looking at the original 1992 BSD Packet Filter (.pdf) paper and the subsequent 1999 BPF+ (.ps) paper, I understand the syntax for the compiled packet-matching code generated by the tcpdump -d switch. For example:

fedorov:/usr/local/etc/nsm# tcpdump -n -i em1 -d tcp

tcpdump: WARNING: em1: no IPv4 address assigned

(000) ldh [12]

(001) jeq #0x86dd jt 2 jf 4

(002) ldb [20]

(003) jeq #0x6 jt 7 jf 8

(004) jeq #0x800 jt 5 jf 8

(005) ldb [23]

(006) jeq #0x6 jt 7 jf 8

(007) ret #96

(008) ret #0


Here is what each instruction means:

  • 000 says load (using 'ldh') the "half word" or two bytes starting at offset 12 of the Ethernet header. Since we begin counting at 0, bytes 0 to 5 are the destination MAC address and bytes 6 to 11 are the source MAC address. The name of the two bytes beginning at offset 12 differs according to the Ethernet format used.

  • 001 compares the two bytes loaded in 000 with the value 0x86dd. That is the Ethertype of IPv6. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 002. If false, jump ('jf') to 004.

  • 002 loads the byte found at offset 20. If we are evaluating this instruction we are in an IPv6 header. Offset 20 holds the "next header" value.

  • 003 compares the byte loaded in 002 with the value 0x6. This is the IP protocol code for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 004 compares the byte loaded in 000 with the value 0x800. That is the Ethertype of IPv4. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 005. If false, jump ('jf') to 008.

  • 005 loads the byte found at offset 23. If we are evaluating this instruction we are in an IPv4 header. Offset 20 holds the "protocol" value for the protocol following the IP header.

  • 006 compares the byte loaded in 005 with the value 0x6. That is the protocol value for TCP. A comparison is made (using 'jeq'); if equality is true, jump ('jt') to instruction 007. If false, jump ('jf') to 008.

  • 007 is the equivalent of "TRUE", meaning that the indicated number of bytes (96) of packet data will be copied to the calling application (in this case, Tcpdump). You reach this point if the packet being inspected is TCP, either using IPv4 or IPv6.

  • 008 is the equivalent of "FALSE", meaning zero bytes of packet data will be copied to the application. You reach this point if the packet being inspected is not TCP.


Understanding this syntax is a way to troubleshoot BPFs that don't behave as you expect. You can run 'tcpdump -d' and inspect the code as explained above to see if it performs as you want.

For those of you wanting a definition of a packet filter, here is what I've come up with based on the original paper, The Packet Filter: An Efficient Mechanism for User-level Network Code (.pdf): a packet filter is a kernel-resident packet demultiplexer that provides a way for userland processes to tell the kernel what packets they want. For more detail, I recommend reading the three papers mentioned in this story. Guy Harris also posted a message to tcpdump-workers explaining BPF.

Tools: PsExec

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. Download now...

Tools: Process Explorer

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. Download now...

Wednesday, November 19, 2008

Sunday, November 16, 2008

The future of fighting fraud

In the days when all hacking was done via a fixed phone line, the first skill a novice learnt was how to get free calls. Without that their exciting new hobby was likely to prove too expensive. Read more...

Friday, November 14, 2008

Wednesday, November 12, 2008

Monday, November 10, 2008

Friday, November 7, 2008

Protect Yourself from Fake Anti-Virus Software

Be aware of fake anti-virus/rogue applications. These rogue applications or scare wares looks like the real ones, if you are not going to pay close attention on banners and pop-up ads, your PC can easily be infected. Below are some links from F-secure and ScamBusters.

http://www.f-secure.com/weblog/archives/00001508.html

http://www.scambusters.org/fakeantivirus.html

Thursday, November 6, 2008

Yahoo for Sale!

After rejecting Microsoft's offer last May, CEO Jerry Yang is willing to sell the company. "To this day the best thing for Microsoft to do is buy Yahoo," according to Mr Yang. Furthermore, Google pulled out of an internet advertising partnership with Yahoo. Read more...

Tuesday, November 4, 2008

Tips:Linux:Yum

*Update all packages in your system - yum update
*Update individual packages - yum update mysql
*Install a package - yum install mysql
*Search for available package - yum search mysql
*Remove a package - yum remove mysql
* Yum cleanup command - yum clean all (this command will remove old packages that your system is no longer using. This will also take care of cached files that are no longer in use).

Installation example of ClamAv.

# yum install clamav
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
core 100% |=========================| 1.1 kB 00:00
updates 100% |=========================| 1.2 kB 00:00
extras 100% |=========================| 1.1 kB 00:00
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for clamav to pack into transaction set.
clamav-0.88.7-4.fc6.i386. 100% |=========================| 20 kB 00:00

Saturday, November 1, 2008

Trojan virus steals banking info

The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crime ware ever created".Read more...

Hack the Box Blue

https://arcy24.medium.com/hack-the-box-blue-f5ae5b602a5c