Monkey - House

CentOS 5.5 Upgrade Bug

2010-07-23T00:51:00.003-04:00

After upgrading a few production servers from CentOS 5.4 to CentOS 5.5, I have identified a potential bug in the upgrade. For some reason the checkconfig setup for postfix gets deleted and postfix doesn't start automatically after a reboot. I couldn't find references to this anywhere else, so posting in hopes that it may help somebody else. This is an easy fix, but something you need to watch for as you update any servers running postfix.

After upgrade and reboot, running chkconfig no longer shows postfix in the list.

[root@mx1 ~]# chkconfig --list

[..snip..]

ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off

pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off

psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off

rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off

rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[..snip..]

I was able to get to to show up, simply by typing "chkconfig postfix on". I assumed I would need to do "chkconfig --add postfix" to *ADD* it first, but does not appear that this is the case.

[root@mx1 ~]# chkconfig postfix on

[root@mx1 ~]# chkconfig --list

[..snip..]

oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off

pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off

postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off

psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off

rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off

rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off

[..snip..]

Google-Hacking Google's Safe Browsing List

2009-08-07T01:57:00.006-04:00

I discovered a kind of cool trick the other day with the Google safe browsing service. When doing a client vulnerability assessment or pen-test, if the customer has an assigned AS number, you can quickly check the Google safe browsing list to see all the sites from their network, found to be serving up malware in the past 90 days. For example, if you were doing an assessment for a customer than owned the AS number 11643, you would use the URL in the following format:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:11643

As your customer is probably not knowingly going to host malware, identifying these sites proves valuable as it is probably still exploitable. More often than not, I have discovered that these sites have been compromised through weak/ easily guessable FTP or SSH usernames and passwords.

Taking this a couple steps further, I noticed that Google has published an API for this service.
An interesting application of this would be to take all the discovered host names, when enumerating a client's IP space with something like Fierce Domain Scan, and feeding each of those sites into the Google Safe Browsing list.

There are several other applications of this. Say for instance you are a web hosting provider. You can semi-monitor your hosted customers and notify them when they ended up on the "bad list". This can either be done by plugging in your AS number or by enumerating all the sites and plugging those into the API.

Another application for this, could be for a security company to identify potential customers. For example, working for a security vendor here in Thailand, all I would need to do is identify a few Thailand specific AS numbers, and away we go:

AS 7470 , AS 9737 , and AS 9931

Please note, for those who are not familiar with the naming conventions in the .th TLD, go.th is reserved for government sites and mi.th is reserved for military sites. With that knowledge, the results above are sort of shocking, no?

Scam Protection - Open Letter to the bar owners of Thailand

2009-07-28T08:35:00.002-04:00

Here in Chiang Mai, as well as various other parts of Thailand, one seemingly popular scam, is collection of music royalties and levying of fines for infringement. These "copyright police" show up with dodgy documents and a uniformed police officer in tow. These uniformed officers, either through sheer ignorance or an agreement for a cut of the profits, allow the "copyright police" to seize computer equipment, confiscate CD's, and even will arrest "violators" and take them down to the jail.

You can read more about this horrible scam here and here.

So, obvious legalities aside, I asked myself, "Why are they making it so easy?" "What would *I* do, if I was running bar in Thailand?" [Something that is actually part of my long-term goals, but that is a story for another day!]

So, Bar Owners of Thailand, here is what I would do:

First off, I would stop storing questionable items on my computer. On my personal computer, you will not find any mp3s, boot-legged movies, pornography, pictures of old girlfriends, etc.. Not saying I don't possess these items, I am just saying they are NOT stored on my personal computer. Now if I was going to have a PC sitting out in a public place of business, I think this rule of thumb should be infinitely more applicable.

So, how can I make this work? Easy! First I would head down to Pantip (or any other computer mall of choice) and buy a nice, cheap, external USB hard-drive. Next I would down the free/ open-source tool, TrueCrypt. I would use this to create one or two large encrypted volumes on the USB device. In these encrypted volumes, I now have a handy, safe, and very portable place to store my all questionable items!

If anyone ever tried to catch me with said questionable materials, hopefully me or my staff might have time to quickly disconnect the USB drive and physically move it out of sight. If not, it does provide me with some measure of plausible deniability.

There are no questionable items to be found on my computer, nor the encrypted device... Go ahead and take a look... I challenge you to show me these items! Most likely they aren't going to be able to.

If for some strange reason, the "inspector" is somewhat intelligent enough to figure out the encrypted USB storage trick, and presses me for the password, no problem! A simple white lie, for instance, "an unknown person accidentally left it behind.. I have no clue what the password is. I, being nothing short of a good Samaritan with the best of intentions, simply plugged it into my computer in hopes that I could determine the proper owner and return it to them."

What can they do? And better yet, what can they prove in a court of law? :)

[Disclaimer, I am NOT a Lawyer. I am NOT advocating unauthorized possession of copy-written materials and/ or the mis-leading of authorities. I have carefully reviewed the prevailing law here, the Thailand Computer Crime Act of 2007, and do not see indication of what I am proposing is in violation of any sections of this law. However, again, I am NOT a lawyer and more importantly I am NOT a Thai lawyer.]

On the off chance this helps someone and you end up saving 50,000 THB, feel free to comp my drinks next time I visit your fine establishment.

A Big F-U to GoDaddy

2009-03-26T08:55:00.003-04:00

So its been a very busy month. I took some holiday time at the beach. From there I was in Bangkok for a week of Vendor training. My return home was filled with long days and nights trying to get caught up as well as, prepare for a week long business trip to Singapore next week.

During all this hubbub of activity, I accidentally let my domain expire. Opps! Oh well, there is a grace period, I can just renew it right? Not exactly. Turns out that the grace period is only 12 days. After that GoDaddy penalizes you with on outragous $80 USD "Registry Redemption Fee". Umm, what? Srsly?

"Ok, no problem", I think. I'll just re-register it at another Registrar. NOPE! The domain still shows up as registered to me, but locked by GoDaddy.

So..... Just wait for it to expire and then pounce on it again to re-register? NOPE! Not so easy. Then GoDaddy puts your domain up for Auction for 10 days! Ok, so wait for the auction to finish and hope nobody bids on it? WRONG AGAIN! GoDaddy then puts your domain up on a 5-day Closeout auction /Firesale!

So, in reality when GoDaddy says "Registry Redemption Fee" what they really mean is "We Are Holding Your Domain Hostage Until You Pay an Ungodly Ransom".

Now, because I am in Thailand, lets put that $80 USD into prospective. The average Thai salary here in Chiang Mai is about 10,000 THB/ month. Assuming a 4 week month and 40 hours per week (most work more hours and days than that), that means the average pay here is 62.5 THB/ hour. Exchange rate is approximately 35 THB per $1 USD. That means that GoDaddy's ransom money equates to about 45 hours of work here. MORE than one weeks pay!! Or in other terms, about 93 average lunches (30 THB).

So GoDaddy, as I really have no recourse other than to publize your horrible business practises. Additionally, did a little bit of google searching, and seems I'm not the only one upset with GoDaddy.

I urge everyone to take a look at (nmap) Fyodor's NoDaddy site.

So, again, screw you GoDaddy. Enjoy the extortion money.

Tip of the Day: Keeping Web Directories Clean

2009-02-18T07:41:00.003-05:00

Just a simple system admin tip of the day.

One issue that I tend to run into quite frequently, are linux directories that are full of crude from other people and their OS's. A perfect example of this, is a web server, where multiple people have access to the directory to upload new content, etc. Invariably you end up with backup files, systems files from VSS, Windows Thumbs.db files, Apple OSX .DS_Store files, etc.

So to help me clean house, I add 5 or 6 simple rules to the end of my mightly cron jobs:

cd /var/www/html

find . -name "*.bak" -exec rm -rf {} \;
find . -name "vssver.scc" -exec rm -rf {} \;
find . -name "Thumbs.db" -exec rm -rf {} \;
find . -name ".DS_Store" -exec rm -rf {} \;

This will seek out and all these files for me, on a nightly basis.

CentOS patching

2009-02-13T02:32:00.004-05:00

In my normal everyday job, I am tasked with managing and maintaining about 30-40 production CentOS servers. Being a security guy, I maintain a pretty rigorous patching routine. However, because these servers are customer production servers, one very important caveat is that I need to do everything I can to minimize customer downtime.

Normally when I patch a server, my routine is:

yum check-update (check what updates are available)

yum -y update (update everything)

And if the list produced by check-update shows the kernel or kernel-headers packages in the list, I promptly reboot the server. This translates into about 5 minutes of downtime for the customer as the server reboots.

So that got me thinking. Is every kernel update critical or can they easily be delayed? So then I stumbled across this excellent plug-in for yum.

yum-changelog-1.1.10-9.el5.centos

Name : yum-changelog
Arch : noarch
Version: 1.1.10
Release: 9.el5.centos
Size : 12 k
Repo : installed
Summary: Yum plugin for viewing package changelogs before/after updating
Description:
This plugin adds a command line option to allow viewing package changelog
deltas before or after updating packages.

Perfect! That will allow me to see exactly what is changing with each new version of the kernel. So I install that with:

yum install yum-changelog

Now we can use yum to show us the change log for certain packages. So, if I want to see the change log for the kernel related package, I could run something like:

yum update kernel kernel-headers --changelog

This will produce output similiar to:

Changes in packages about to be updated:

kernel-headers - 2.6.18-92.1.22.el5.x86_64
* Wed Dec 17 06:00:00 2008 Karanbir Singh [2.6.18-92.1.22.el5.centos]
- Roll in CentOS Branding

* Sat Dec 6 06:00:00 2008 Jiri Pirko [2.6.18-92.1.22.el5]
- [misc] hugepages: ia64 stack overflow and corrupt memory (Larry Woodman ) [474347 472802]
- [misc] allow hugepage allocation to use most of memory (Larry Woodman ) [474760 438889]

Ah, ha. As I suspected. Two memory related bugfixes and CentOS branding. Because we are currently not expirencing any memory related issues, this patch does NOT rate as critical and warrent immediate customer downtime. This can be delayed.

So now I can apply the other patches and exclude the kernel upgrades with:

yum update --exclude=kernel,kernel-headers

Now, I have a script that runs nightly on all my CentOS servers. This script gathers nightly statistics, logs entries, etc from my servers and emails it to me. This is pretty much jsut a CentOS port of my old Gentoo Update Script, with some CentOS speficic changes and additional features. The other thing it does, is generate a list (via yum check-update) of all the updates required. So the question now is, now can I get this interactive command to run via an automated script? The easiest way I could come up with is:

echo n | yum update kernel kernel-headers --changelog

Probably not the cleanest way, but does the job very well.

Bungling Sys Admin Gets It Right

2009-01-11T01:48:00.006-05:00

Wanted to point out an excellent post on The Bungling Sys Admin Blog. It's a response to TaoSecurity's Recommendations for Introduction to UNIX post. Bejtlich, who tends to be a bit of a FreeBSD homer, recommends FreeBSD with Ubuntu and/or Debian as alternatives.

Matt, who has about 10 years of corporate linux administration expirence under his belt, makes an excellent counterpoint. His arguement is, if you are going to spend the time to learn, why not learn on a distribution that there is a high probability you will encounter in a real world production environment? He offers up Red Hat Enterprise Linux, CentOS, and Solaris as much more applicable alternatives.

I wholeheartedly agree with both both the choice of OS's and the reasoning behind them. Although I do have specific figures to back up my assertions, I would say that based on my expirences, these 3 OS's compose the lion's share of the *NIX market place and that if you were going to be maintaining a unix/linux based system in a real worl corporate environment, very high likely hood it will be one of these.

Cudo's to Matt for hitting the nail squarely on the head.

Undelete Snooping Fun

2008-12-22T09:34:00.003-05:00

Alright, I have a confession to make..

One of my guilty pleasures in life, is to take USB drives that coworkers, friends, and family leave laying around and examine their contents. Not the contents that they KNOW are there, I'm more excited by what they have deleted. Using the free windows tool, FreeUndelete, you can very quickly and easily view and restore deleted content from any NTFS or FAT formatted drive. Can usually find some interesting things.

All well and good. But of course my compulsive snooping side can't stop there. I also like to keep a cheap 100 Baht, all-in-one USB memory card reader handy. I will then temporarily swipe the memory cards from digital cameras and mobile phones. As it turns out, most of these devices use a FAT formatted file system as well. It is absolutely AMAZING what you can find on these cards!

Moral of the story,

A.) most people will go out of thier way to protect or remove embarassing content from their PC. Most people don't think twice about these other devices. Makes for an interesting (and entertaining) "attack" vector.

B.) Maybe its time that digital camera manufacturers, mobile phone makers, and the lot, start offering "secure delete" options on their devices?

Blog Personality

2008-12-22T07:02:00.002-05:00

I came across this post over on the Bungling Sys Admin Blog (does this mean this is a post about a post about a post about a post about a site??), that points to a tool called Typealyzer. This tool analyzes the writing style of your blog in an attempt to determine your personality type.

I let it analyze Monkey - House, and here is what it had to say about me:

INTJ - The Scientists

The long-range thinking and individualistic type. They are especially good at looking at almost anything and figuring out a way of improving it - often with a highly creative and imaginative touch. They are intellectually curious and daring, but might be pshysically hesitant to try new things.

The Scientists enjoy theoretical work that allows them to use their strong minds and bold creativity. Since they tend to be so abstract and theoretical in their communication they often have a problem communcating their visions to other people and need to learn patience and use conrete examples. Since they are extremly good at concentrating they often have no trouble working alone.

So, folks that know me, what do you think? Sound like me?

Blog Disclaimer

2008-11-12T04:28:00.004-05:00

Due to unexpected corporate pressures, I feel compelled to add this disclaimer to my blog. All though it's nothing but a blatant restatement of the obvious, here it goes:

This is a personal blog. The opinions expressed here represent my own and not those of my employer, past or present. Additionally, this blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion.

Feel free to challenge me, disagree with me, or tell me I’m completely nuts in the comments section of each blog entry, but I reserve the right to delete any comment for any reason whatsoever (abusive, profane, rude, or anonymous comments) - so keep it polite, please.

In addition, my thoughts and opinions change from time to time. I consider this a necessary consequence of having an open mind. This blog is intended to provide a semi-permanent point in time snapshot and manifestation of the various thoughts running around my brain (see banner graphic), and as such any thoughts and opinions expressed within out-of-date posts may not the same, nor even similar, to those I may hold today.

Additional disclaimer, most of the verbiage in this disclaimer has been borrowed from various other sources. :)

Barracuda RBL - Open to Public

2008-11-03T05:18:00.005-05:00

Ran across this announcement from Barracuda on Mike Rothman's blog and a coworker also pointed it out to me. Barracuda has made their DNSRBL publicly available on the Barracuda Central website .

Basically the way it works is that queries are crafted as the inverse IP address following by .b.barracudacentral.org. So, for example, if you had a mail server with the IP address of if you wanted to check if your mail server with the IP address 131.107.1.71, was listed in the Barracuda RBL, you would reverse the IP address (71.1.107.131), append .b.barracudacentral.org (71.1.107.131.b.barracudacentral.org), and do an nslookup of that hostname.

If your server is NOT listed in the BRBL, nslookup would return similiar to:

** server can't find 71.1.107.131.b.barracudacentral.org: NXDOMAIN

If your server IS listed in the BRBL, nslookup would return similiar to:

Name: 71.1.107.131.b.barracudacentral.org Address: 127.0.0.2

All IP's listed in the BRBL will return an A record of 127.0.0.2 for the queried hostname.

So, to use this BRBL to help identify spam, all you need to do is visit the site, register for an account, provide a list of the DNS servers that your mailserver will use, and add it to the RBL configuration of you mailserver. Barracuda Central will send you an verification email with a link you must click

Example SpamAssassin configuration (unverified):

# URL: http://www.barracudacentral.org/rbl/
header __RCVD_IN_BRBL eval:check_rbl('brbl', 'b.barracudacentral.org')
describe __RCVD_IN_BRBL received via a relay in b.barracudacentral.org
header RCVD_IN_BRBL_RELAY eval:check_rbl_sub('brbl', '127.0.0.2')
tflags RCVD_IN_BRBL_RELAY net
describe RCVD_IN_BRBL_RELAY received via a relay rated as poor by Barracuda
score RCVD_IN_BRBL_RELAY 1.00

There are unconfirmed rumors that bb.barracudacentral.org have been reserved for SpamAssassin users and that using "bb" in lieu of "b" does not require registration. I was able to use both without registration, so your mileage may vary.

Although the Barracuda Central site has some pretty decent lookup tools to check the status of IP addresses, they are limited to a single address and require a CAPTCHA challenge for every lookup.

So, I wrote a quick (and very dirty) perl script to enumerate a netblock and check each IP against the blacklist:

--------CUT---------

#!/usr/bin/perl

use strict;
use Net::DNS;
use Net::IP;

my $network = $ARGV[0];
if($network !~ /^\d+\.\d+\.\d+\.\d+\/\d+$/)
{
print "Usage: $0 x.x.x.x/x\n";
print "Where x.x.x.x/x is the network to examine\n";
exit;
}

my $res = Net::DNS::Resolver->new;

my $IP= new Net::IP($network) or die("Unable to create network object for $network\n");

do
{
my $target_IP = join('.', reverse split(/\./, $IP->ip())).".b.barracudacentral.org";
my $org_ip = $IP->ip();
my $query = $res->query("$target_IP", "A");

if ($query) {
foreach my $rr ($query->answer) {
next unless $rr->type eq "A";
print "ALERT!!! $org_ip is BLACKLISTED!!! - Returned ($target_IP : ", $rr->rdatastr, ")\n";
}
} else {
print "$org_ip = Not Listed. - ($target_IP : ", $res->errorstring.")\n";
}

} while (++$IP);

--------CUT---------

Because we know that 127.0.0.2 is included in the list, we can run a simple test with the 127.0.0.0/30 netblock. Expected output should look something like this:

$ ./BRBL.pl 127.0.0.0/30
127.0.0.0 = Not Listed. - (0.0.0.127.b.barracudacentral.org : NXDOMAIN)
127.0.0.1 = Not Listed. - (1.0.0.127.b.barracudacentral.org : NXDOMAIN)
ALERT!!! 127.0.0.2 is BLACKLISTED!!! - Returned (2.0.0.127.b.barracudacentral.org : 127.0.0.2)
127.0.0.3 = Not Listed. - (3.0.0.127.b.barracudacentral.org : NXDOMAIN)

Hat's off to Barracuda for giving something back to the community.

ShmooCon 2008 Videos - ONLINE!

2008-06-04T05:56:00.002-04:00

On the heels of my last post, it appears that the ShmooCon 2008 Videos have now been posted online.

(IN) Secure Magazine Issue 16

2008-04-23T07:57:00.002-04:00

Just a quick heads up to let you know that the newest issue of (IN) Secure Magazine has been published.

This issue has an interesting article regarding SCM (software configuration management), security, and how they apply to the Japan market/ workforce. The author touches on some interesting points/ challenges that most American companies never have to deal with.

ShmooCon 2008 Presentations - ONLINE!

2008-04-23T00:39:00.004-04:00

I haven't seen this mentioned anywhere else, but it looks like at least some of the ShmooCon 2008 presentations are now available on their website.

ShmooCon 2008 Presentations

Hopefully the videos won't be too far behind!

Barracuda Spam "Firewall" Drowns in The Ping River

2008-03-27T04:56:00.007-04:00

During the course of an average day's work, I often run across numerous IT and security products that quite frankly, belong in the garbage. When I run across these products, I often joke with my coworkers that the fix for the problem product, is to remove it and throw in the Ping River which flows right through the heart of town here. Therefore, in honor of this running joke, I have decided to start a new section on the Monkey House blog where I can draw special attention to these garbage products. I call it "Bottom of the Ping River", the only real place that these products belong. A sidebar has been added to keep a running list. Think of it as a wall of shame of sorts.

At the top of my list to toss into the river, is the Barracuda Spam "Firewall". The product in and of itself is not actually too bad. Its fairly tolerable, now ever its support team is not. Barracuda support could easily be replaced with a couple of monkeys pressing a random solution generator button. Everytime I have contacted them, it has been one random solution after another, with the most recent being instructions to rebuild the appliance! Normally I could live with a lackluster support team for a product and make every attempt to troubleshoot and resolve the issue myself. However, Barracuda does NOT allow its customers to have the root login or ssh access for the device that they paid for. Let that sink in for a second. As the author mentions in this excellent article, "I wouldn't trust everyone at Microsoft to have the only Administrator account to my Exchange server, so why would I trust Barracuda Networks to have the only root password to my SF Appliance?"

Just for kicks, I decided to open a Barracuda Support Ticket and request SSH access. Here is the response I received from the Barracuda Support Monkey:

Thank you for contacting Barracuda Networks. We can not provide you with SSH credentials. In order to have support access to any Barracuda Device you need to be a Barracuda employee or have gone through certified training to do so. The firmware and information on the Barracuda units are strictly Barracuda property. We do not allow anyone to have access unless they have gone through our Barracuda certified training and pass. If you are interested in this training and would like to know more, please contact your Barracuda Sales person.

So essentially, in order to gain access to the device we have already paid for, we must pay Barracuda FURTHER for training?? I'll pass. And for that Barracuda, you must shall now meet your ultimate demise at the Bottom of The Ping River. ....R.I.P.

***UPDATE***

Disclaimer:

This is a personal blog. The opinions expressed here represent my own and not those of my employer, past or present. Additionally, this blog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my own personal opinion.

Feel free to challenge me, disagree with me, or tell me I’m completely nuts in the comments section of each blog entry, but I reserve the right to delete any comment for any reason whatsoever (abusive, profane, rude, or anonymous comments) - so keep it polite, please.

In addition, my thoughts and opinions change from time to time. I consider this a necessary consequence of having an open mind. This blog is intended to provide a semi-permanent point in time snapshot and manifestation of the various thoughts running around my brain (see banner graphic), and as such any thoughts and opinions expressed within out-of-date posts may not the same, nor even similar, to those I may hold today.

Sawat Dee Krap! - (I Am Still Alive)

2008-03-26T23:08:00.005-04:00

Sawat Deep Krap (Hello) from Thailand! I am alive and well here in Thailand. To the left, is a breathtaking view of my new home from the mountain top.

I have purposely taken a few months hiatus from blogging to settle into my new job and adjust to my new life 10,000 miles away. As of today, I plan to resume regular blogging activities. I've already got a few blogs written out on paper that I have been saving for some time now. :)

Over the next couple months, my blogs will start to examine some of the differences that exist between the security mindsets of the US and that of companies in south east Asia. The Monkey House blogs will also start to containing more view points from the system administrator and developer standpoints, as they relate to security. Think of this as more of a security view from "down in the trenches", which coincides with my new roles and responsibilities here with my new company. Stay tuned...

Security Links - 11/06/07

2007-11-06T16:21:00.000-05:00

Serversniff.net - Fantastic little tool for auditing SSL. Easy way to test for the presence of SSL v2 and weak/export grade ciphers.

Hungry Machine - The guys over at Hungry Machine less show us how to quickly and effectively perform Geo-Locating by IP address in Ruby on Rails. Just goes to show that the 'net is alot less anonymous than people think. [For those that are unaware, IP address Geo-Locating is how adult friend finder always manages to display banner ads with lovely ladies from your present location! Now if only they could find a way to display a different set of women based on my location. I find it hard to believe that the exact same set of Caucasian women waiting for me in Arlington, VA are also patiently waiting for me when I travel to Bangkok, Thailand. ;) ]

ToorCon 2007 - Alot of the presentations are now available for download. (Hint: Click the [M])

Overlooked SQL Injection Techniques - Another presentation from ToorCon but not linked on their page. Great presentation that shows alot of often overlooked SQL Injection techniques.

The Bungling Sys Admin - A coworker's blog. I think its good for us security folks to be reminded of what its like working down in the trenches and on the front lines. Also some fairly useful information there.

OpenSSH Brute Password Capture Patch

2007-10-30T20:04:00.000-04:00

Today I took was dealing with one of the countless ssh brute force grinders running wild out there on the net. I was thinking that it would be cool if I could capture all the username/password combinations they were supplying. During a search I ran across this nifty little patch. I downloaded and attempted to use it, but could not get the patch to apply. After a bit of investigation, I determined that this patch was written for the OpenBSD-specific version of OpenSSH and would not work on OpenSSH Portable. Since I wanted to use this on my Linux box, I had modify the patch to get it work.

The next thing I discovered, is that I really didn't like the logging format... The logs record Epoch time, username, password, and IP address... However, these are spread across 4 separate lines. So, a sample entry looks something like this:

1193780392
root
test
10.0.6.147

Not very easy to parse. Since I was interested in using the data for other things, I also decided to modify the logging as well. The format is still all the same fields, but now in a colon-delimited format, with one attempt per line. It now looks something like this:

1193780828:root:test2:10.0.6.147
1193788608:test:test:127.0.0.1

I've placed the patch on my Google code site for now. Its not very clean, but appears to work with the portable version of openssh for Linux. I tested it on version 4.7p1 on CentOS.

I'll attempt to clean it up and refine it later.

CapSec October - 10/25

2007-10-24T07:08:00.000-04:00

Reminder: CapSec meet up tomorrow.

CapSec October
October 25 (Thursday) 7:30 PM
The Brickskellar
1523 22nd St, NW
Washington DC 20037

View Larger Map

Published! .... well, sorta

2007-10-22T10:00:00.000-04:00

Last month I was contacted by a professor from a university in the midwest. He had run across my posting on DNS Best Practices and was requesting permission to include those in his course material. This material is being included in the curriculum for a Systems Administration class he teaches.

While this is both an honor and a privilege, the real kicker is that I am extremely jealous. I really wish that these sort of courses existed back in my college days. The closest thing available for me at the University of Houston where I majored in Physics, was an intro to computers they provided as part of my Physics major curriculum. We briefly learned about hardware (486 vs Pentium, ISA cards vs PCI, etc) and then we jumped into Mathematica and how we could use it to do our physics homework. Unfortunately, like many of my fellow UofH students that year, about the only thing I did learn was which computers could and could not effectively run the now classic Civ I game. ;)

Security Links - 10/22/07

2007-10-22T09:40:00.000-04:00

Just a few links for security related tools and sites that piqued my interested in the past few weeks.

Hashmaster - Have a tool or application that is encrypting data, but you are unsure what algorithm is being used? Pass your application a string to encrypt and then pass those tow values to Hashmaster. It will make compare the values and attempt to identify the algorithm in question.

HITB Presentations - All the presentations from last months HackInTheBox Security Conference in Malaysia have been posted and are available to download. Pretty interesting stuff.

fierce.pl - By far, the best tool available for enumerating hosts via DNS. I had played with the very first version when it was announced, but had never bothered to follow up on subsequent releases. I recently downloaded and played with the most current version (0.9.9 - Beta) and was wholly impressed. A must have in any pen-testers toolbox.

Knoppix-NSM - A bootable LiveCD based on the popular Knoppix distro. This one has been customized to provide almost-instant NSM capabilities. Comes with Snort, BASE, Barnyard, ntop, and Squil. Was covered in this months copy of Information Security Mag.

Thailand or Bust!

2007-10-18T17:34:00.001-04:00

(This is a bit more of a personal post than security related, but I will try to tie it in as much as possible.) I have a blogging policy that I don't mention my employers by name in my post or talk about issues directly related to them. However, today I am going to violate my own policy. ;) As of today, I have resigned my position here in the US as Director of Security Operations for Revolution Health and have accepted a new role with a Thailand-based company. Aware Corporation is a premier IT services, headquartered in Chiang Mai, Thailand. This is an truly exciting company that I have been communicating with and tracking for 3+ years and the opportunities are practically endless. In my 10-year IT/ Security career, I can't recall ever being as excited to work for a company as this one!

I will be leaving the US later next month and beginning in my new role the first part of December. For those of in the industry and traveling to the region or already working in the region, please feel free to contact me. I'm hoping to start occasionally attending BangSec, HITB, becoming active in the SE Asian security community, and building up my network of contacts on that side of the world.

Wish me luck!

Simple Website Security - 4.5 Tips!

2007-10-12T04:44:00.001-04:00

When setting up a secure website, system administrators and webmasters often fail to perform very basic tasks that would greatly "shore up" the webserver. Here are 4 and half simple tips to secure your webserver, make it easier to monitor, and prevent it from sticking out like a sore thumb during a security audit.

1.) There are known security vulnerabilities and weaknesses in some SSL versions and encryption ciphers. SSL2 along with all weak and export grade SSL encryption ciphers should be disabled. In addition to being a good overall security practice, this is also mandated by the PCI Data Security Spec. (4.1). This can be easily done in apache by adding the following line to your config file:

#Disable SSLv2 and weak/ export grade ciphers
SSLCipherSuite ALL:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL

2.) When hosting a secure portal'ish site where the landing page is simply a login page, I like to force SSL only without requiring the user to remember that the site is SSL only. This can be easily accomplished in Apache by using a rewrite rule. This allows my server to still listen for regular http requests, but automatically rewrite those to https. Adding the following to your Apache config file will achieve this behavior.

#Redirect to SSL
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

3.) TRACK and TRACE are not very well-known HTTP request methods that allow you to debug HTTP problems. These methods are very seldomly used (if ever) and there are a few known Cross Site Scripting (XSS) vulnerabilities related to them. This is a very common vulnerability that will be reported by almost every automated security scanner in the world and can also lead to failed security audits. Because of this, its best to disable them. Again we can use Apache rewrite rules to do this by adding the following lines to the apache config file:

#Disable TRACE & TRACK Methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

4.) Monitoring application logs is an essential part of any security program. Often time your access and error logs will be polluted with error messages that "robots.txt" file is not found. Essentially all this really is, is a list of rules that a search engine spider should follow when crawling your site. Each time an automated crawler visits your site, this file is the first thing they request. To prevent this error from filling your logs, you should create a simple text file named "robots.txt" and place it in the root of your web directory which will still allow crawling of everything. The contents of the file should be:

User-agent: *
Disallow:

4.5) The next thing you will see constantly polluting your error logs are failed requests for a file named "favicon.ico". This file is the small little logo you see in your browser's address bar when you visit some sites or in your bookmarks when you bookmark that same site. This file is requested by the users browser at the beginning of EVERY visit to your site. Because of this, the failed request can quickly fill up your log files! An easy way to fix this is to copy a blank favicon.ico in to the root of your web directory. Alternatively, if you are feeling especially creative you can create a custom favicon here or here.

Security Links - 10/12/2007

2007-10-12T02:23:00.000-04:00

Just a few links for security related tools and sites that piqued my interested in the past few weeks.

EasyIDS - Installable IDS system based on CentOS. Includes a web GUI, snort, barnyard, ntop, etc.

SecureDVD - Bootable DVD containing 10 popular Security LiveCD distros. A bit dated as it still ships with BackTracks 1.0

SecurityDistro.com - Great site that lists and tracks security related Linux distros.

Nipper - Fantastic little open source tool for auditing configurations of many network devices. Similiar to the Cisco Router Auditing Tool (RAT), but supporting so many more devices, including Juniper/Netscreen Firewalls.

Ruby on Rails Security Cheatsheet - Great list of security best practices for Ruby on Rails.

(IN)Secure Mag - 13th Edition

2007-09-26T16:28:00.000-04:00

Just a quick heads up to point out that the 13th issue of (IN)Secure mag is out. There is another bit on PCI Compliance and a piece on automated log management for HIPAA compliance in this issue that look fairly interesting. This mag is usually a pretty good read and I recommend you check it out!

GAUS 1.5 - New Features/ Bugfixes

2007-09-21T08:01:00.000-04:00

A couple bugfixes and a few more features have been added to the Gentoo Auto-Update Script. The new features include:

Convenient variable enabling/disabling of functions to eliminate the tedious need to un-comment desired sections
Optional cleanup of /tmp directory
Listing of all files on the system larger than a predetermined size
A GAUS project wiki page

The GAUS script can be downloaded from Google Code. Please review the README.txt file for complete list of changes/ bugfixes and additional information.

Additionally, please note that due to limitations in the Google Code system, I've had to re-engineer the way GAUS self update checking works. Users of version 1.4 will not be automatically notified that version 1.5 is now available. This should be now corrected going forward.

Monkey-House survives to Thailand

2007-09-11T12:26:00.001-04:00

I'm happy to report that I once again survived my trip to Thailand. I deftly maneuvered myself through buckets of booze (pictured on left), hordes of hungry temple monkeys (below), and crazy drunken taxi drivers (something you don't want to see). In the process I managed to meet some great people, make several fantastic contacts, and might even end up with a couple of job offers after all!

Additionally, I have an update on my previous report regarding Thailand's Internet Filtering. There is a blog, FACT - Freedom Against Censorship Thailand, dedicated to the dissemination of information regarding Thailand's filtering. (Thanks Ed!) One of the interesting things they provide, is the secret block list compiled by MICT and pushed down to all of the ISPs in Thailand.

Basic DNS Auditing

2007-09-11T11:06:00.000-04:00

I seem to run across alot of security consultants and professionals that just don't seem to have a basic understanding of DNS and what sort of basic things to look for when performing an audit. I previously posted a high level guide on DNS best practices, so this posting is meant to demonstrate the technical methods for checking some of these things. This guide only provides a basic starting point and by no means is complete and exhaustive.

The first thing I like to do when externally examining someone's DNS configuration is to perform a whois on the domain name.

# whois some-domain.com

The important part of that information is the domain servers.

Domain servers in listed order:

NS1.SOME-DOMAIN.COM
NS2.SOME-DOMAIN.COM

The other things I like to check is that the contact information is semi-generic. The place this comes in handy, is in an enterprise environment where there will enevitabley be employee turnover. If the contact information is spefic to a single user, i.e Billy J. Bob, billy.bob@some-domain.com, etc, then it becomes very painful to update this information or have changes made once that employee leaves the company. I instead prefer to see something more along the lines of hostmaster@some-domain.com or dns@some-domain.com which is a distro list pointing to operations team Billy Bob is apart of.

The next thing I check, is that the NS records supplied for that domain by the name servers, match those supplied by the whois record.

dig ns @NS1.SOME-DOMAIN.COM some-domain.com

;; QUESTION SECTION:
;some-domain.com. IN NS

;; ANSWER SECTION:
some-domain.com. 7200 IN NS ns1.some-domain.com.
some-domain.com. 7200 IN NS ns2.some-domain.com.

Any mismatch between the NS records supplied by the name server and those listed in the whois record can cause intermittent DNS resolution failures and sometimes even mail delivery problems.

For redundancy purposes, the supplied domain servers should be located in geographically diverse regions on seperate networks, and should also be carrier diverse as well. Resolving these server names and performing traceroutes to each of them should allow you to make educated inferences into whether this is true or not.

Now its time to examine the DNS servers themselves. I first like to check to see if the DNS servers will provide version information. There are two ways to do this. With dig:

dig @ns1.some-domain.com version.bind txt chaos
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "8.3.4-REL"

Or alternatively with nslookup:

nslookup -type=txt -class=chaos version.bind ns1.some-domain.com
VERSION.BIND text = "8.3.4-REL"

The easiest way to obscure this information on a server running BIND, is to use the version statement within the options section of the named.conf file.

options { version "None of Your Business!"; }

The next thing to check is if zone transfers are enabled. Again, there are two ways to do this. With dig:

dig @ns1.some-domain.com some-domain.com axfr

Or alternatively with nslookup:

nslookup
> server ns1.some-domain.com
Default Server: ns1.some-domain.com
> set type=any
> ls -d some-domain.com

If zone transfers are enabled, you will see something similar to the dig output below:

;; global options: printcmd
some-domain.com. 3600 IN SOA ns1.some-domain. admin.some-domain. 4 900 600 86400 3600
some-domain.com. 3600 IN NS ns1.some-domain.com
some-domain.com. 3600 IN NS ns2.some-domain.com
some-domain.com. 3600 IN MX 10 mail.some-domain.com.
mail.some-domain.com. 3600 IN A 208.209.251.12
www.some-domain.com. 3600 IN A 208.209.251.243
ns1.some-domain.com. 3600 IN A 208.209.251.8
ns2.some-domain.com. 3600 IN A 208.209.251.9
some-domain.com. 3600 IN SOA ns1.some-domain. admin.some-domain. 4 900 600 86400 3600
;; Query time: 681 msec
;; SERVER: 208.209.251.11#53(208.209.251.11)
;; WHEN: Tue Sep 11 10:04:12 2007
;; XFR size: 6 records (messages 6, bytes 429)

Remember to also check for zone transfers for the reverse DNS as well:

dig @ns1.some-domain.com 251.209.208.in-addr.arpa axfr

To prevent unauthorized zone transfers, use the allow-transfer statement within the options section of your named.conf file.

allow-transfer { ns2.some-domain.com; };

Alternatively, TSIG (Transaction SIGnature) keys can be used to authenticate zone transfer requests.

All domains should also have at least two MX records for redundancy. Like DNS servers, these servers should be on separate netblocks, and be both geographically and carrier diverse.

dig ms @ns1.some-domain.com some-domain.com

Another good thing to check for, are the presence of SPF records. To do this with dig:

dig -t TXT some-domain.com +short
"v=spf1 mx ?all"

One more common mistake is to have your public authoritative nameservers configured to allow recursion. The simplest way to check for this, is to use nslookup to send a non-related request to that server. For example:

nslookup www.monkey-house.org ns1.some-domain.com

Server: ns1.some-domain.com
Address: 208.209.251.11#53

Non-authoritative answer: Name: www.monkey-house.org Address: 216.98.141.250

For more intensive testing, I also like to run the domain through tools such as:

DNS Report - http://www.dnsreport.com

So, how are you auditing DNS? What are your favorite tools?

The Resurrection of KisMac

2007-08-30T06:30:00.000-04:00

Now that I have a bit of down time here in Thailand and am trying to give my liver a well deserved day or rest, although a bit late, I wanted to provided an update to a previous posting regarding the demise of KisMac.

The primary developer, Michael Rossberg had decided to halted the project due to restrictive changes in German law. Well, I'm happy to report that this project has been relocated to a site in Switzerland and by the looks of things, is alive and well. The new site is here and the old site has been replaced with some interesting political commentary. It will be interesting to see if Mr. Rossberg continues to commit code to the project or not.

PCI - Lost in Interpretation

2007-08-30T05:49:00.000-04:00

Several people commented on my previous PCI postings and have recommend that when implementing PCI DSS, it should be done in the spirit and intent of the spec, and not necessarily in accordance with the exact wording.

The primary point of my posts were that the spec is vague in many areas and should be rewritten or clarified.

The argument of "Use the spirit, not the letter" is only good until I squander thousands of dollars for a failed PCI audit because the Auditor was not interpreting the requirements in the same "spirit" as I was.

Things of this nature should be specifically spelled out and carefully worded. Leaving them open to interpretation can and will cause problems. This is especially concerning when State Governments (Texas and Minnesota) start adapting this Spec as State Law. I believe its only a matter of time before some poor shmuck fails an expensive PCI audit and drags this into the court system. And with it now becoming a government mandated requirement, its inevitable that without improvement, interpretation is going to ultimately fall in the hands of judicial courts that lack the proper technical background.

Green Screen of Death?

2007-08-30T04:14:00.000-04:00

(Standard Disclaimer: As always, views, opinions, and actions expressed in this post are solely mine and in no way reflect that of my employer. Additionally, in no way is this meant to reflect negatively on Thailand, its people, or its government.)

Thailand's Internet Filtering Gone Awry

While browsing my companies website, I noticed that alot of pages were failing to render properly. After a bit of digging, I noticed some strange behavior. Some of our CSS and Javascript files are being blocked.

For instance, the following HTTP request:

GET http://www.revolutionhealth.com/stylesheets/65919/common.css HTTP/1.1
Host: www.revolutionhealth.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6 Paros/3.2.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://www.revolutionhealth.com/omag/?ipc=B00145
Cookie: (Cookies Removed!)
Cache-Control: max-age=0

Returns the following 302 HTTP Redirect:

HTTP/1.0 302 Moved Temporarily
Server: squid/2.5.STABLE11
Mime-Version: 1.0
Date: Wed, 29 Aug 2007 10:27:00 GMT
Content-Type: text/html
Content-Length: 0
Expires: Wed, 29 Aug 2007 10:27:00 GMT
Location: http://w3.mict.go.th/ci/blocked.html
X-Squid-Error: 403 Access Denied
X-Cache: MISS from proxy
X-Cache: MISS from 192.168.0.1
Connection: keep-alive

This of course redirects us to what is apparently locally known as "The Green Screen of Death". It seems that the local ISP used by my hotel, PROEN Internet (while a mistake, is ironically enough is listed as one of Google Badware Sites!), is filtering all web traffic through a caching/ filtering Squid proxy server.

So all requests which pass through this service appear as:

GET / HTTP/1.0
Host: (Removed)
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 192.168.0.1:8080 (squid/2.5.STABLE1), 1.0 proxy:8080 (squid/2.5.STABLE11)
X-Forwarded-For: 192.168.0.198, 202.151.184.194
Cache-Control: max-age=259200
Connection: keep-alive

And in my case are coming from 202.151.191.38 as seen by:

Aug 30 04:03:22 10.54.54.254 Aug 30 2007 04:03:30: %PIX-5-304001: 202.151.191.38 Accessed URL (Removed):/

Squid is running on port 8080 of this machine, but use is limited by source IP address.

However, when the proxy server sees something that it does not like, it redirects to the http://w3.mict.go.th/ci/blocked.html site. An IIS 6 webserver hosted by Thailand's Ministry of Information and Communication Technology (ICT).

So, the obvious questions become:

How are the block lists generated and maintained?
Is it controlled by a central authority or is supplied as part of a commercial product?
What is the process to report and remove false positives?
Is any dynamic and/or keyword filtering being utilized, or is it solely based on a list of URLs?
Is participation mandatory for all ISPs or is it elective?

Can anyone in Thailand or with knowledge of this, provide further insight on the matter?

**I know there are several ways to bypass this including Tor (which is also blocked in Thailand), various anonymous proxies, tunneling web traffic over SSH to a remote machine, etc. This post is not about that, so please don't post circumvention methods. I am much more interested in sharing knowledge of the system's design and operations.

Monkey-House goes to Thailand

2007-08-22T03:34:00.000-04:00

In just a few short hours I will be making that ever so long flight back to Thailand. From August 23rd until Sept 6th, I will be pounding the pavement in Bangkok in search of gainful employment. If anybody out there is looking for a security guru or experienced network admin based in Bangkok, please feel free to contact me. Additionally, if there is anybody in the area that is interested in a BangSec - CitySec meeting, please let me know.

VMWare Fusion

2007-08-08T17:08:00.000-04:00

Looks like VMWare has taken its MAC OSX Virtualization platform out of beta and is now shipping a finished product.

Although I am fairly happy with Parallels, I like the idea of being able to run pre built VM images and I am sort of intrigued by some of the new Fusion features such as:

Create powerful multi-core virtual machines

Only VMware Fusion gives you the ability to leverage the power of the dual-core processors found in most Intel-based Macs with exclusive support for VMware Virtual SMP technology.

Although the price war I hoped for didn't happen, the are current offering a $20 rebate.

More PCI Woes

2007-08-08T13:32:00.001-04:00

Another major complaint of mine is that the defined scope of the PCI DSS 1.1 spec does not scale very well for today's modern architectures. The applicable scope is defined as:

These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

This is all well and good for most traditional networks, however they fail to account for key components of modern networks. Take for instance the following examples:

Virtualization - What happens when the machines that accept and process card holder data are virtualized? Do PCI requirements extent to every virtual machine that these machines may share hardware with? If your virtualization software allows for real time transitioning of machines across a virtulization cluster, is every machine in the cluster now subjected to PCI? What if administrative authentication to the virtualization management console is controlled by your internal Active Directory structure? Is that now also within scope?

Service-Oriented Architecture/ Enterprise Service Bus - The big trend in modern web applications is to provide a type of service-oriented architecture. A key component of this is whats known as an enterprise service bus (ESB). The ESB is used to connect all the machines in your production architecture to facilitate the passing of data. So, if the web server that accepts the card holder data utilizes the ESB to transfer that data to the processing server and/ or a fulfillment application, does that mean that the ESB and every machine which touches it are now subjected to the PCI requirements?

The common response is to limit the scope of PCI DSS requirements by means of network segmentation. However, given the following examples some things simply transcend past network segmentation.

(Warning, rant below!)

So surely there must be some way I can do more than whining to help address these short comings in the PCI DSS spec. Of course there is! For the low low fee of $2,000 USD, I too can pay the PCI Security Standards Council to *allow* me to help them. For some odd reason, this just seems a bit backwards to me.

PCI Shortcomings

2007-08-08T12:58:00.000-04:00

Often times I run across security recommendation from security individuals that plainly have no operational experience. While in theory they sound good, they don't really work from an operational standpoint. Much to my dismay, it appears that these same sort of individuals played a large role in composing the PCI DSS 1.1 spec.

There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I am finding this item difficult to truly get my hands around. I am find with using a tool like trip wire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended too. The premise of file integrity tools is to notify of changes to that file, regardless of whether its an addition or subtraction. Continual appending of an active log file, means that the file is constantly changing. If file integrity monitoring is configured not to alert on the new data being added, how can it alert on data be subtracted?

For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?

Short of spending extremely large sums of money on extravagant appliance solutions such as loglogic, how are others addressing this requirement?

GAUS v 1.4 - New Features

2007-07-30T03:20:00.000-04:00

In a rare bout of motivation, I added some additional features to the Gentoo Auto-Update Script. The new features include:

AES-256 Encryption of backups (requires openssl)
Automatic checking of available GAUS updates.
Listing of installed Linux kernel sources.

The GAUS script can be downloaded from Google Code. Please review the README.txt file for additional information.

R.I.P. KisMAC?

2007-07-29T19:12:00.000-04:00

It seems that the very popular wireless scanning tool for OS X, KisMAC, has hit a very serious roadblock. The primary developer, Michael Rossberg has halted the project due to restrictive changes in German law. He provides the following explanation:

There has not been a lot of time for KisMAC lately. However the motivation for this drastic step lies somewhere different. German laws change and are being adapted for "better" protection against something politicians obviously do not understand. It will become illegal to develop, use or even posses KisMAC in this banana republic (backgound: the change of § 202c StGB).
While I cannot do much about that for now, you probably can. Make copies of KisMAC and its source as long as the website is up! Do further development outside of Germany, even better outside the US and EU! If you are a German resident, you will need to fight for your rights.

From the KisMAC mailing list, it appears that work is underway to host the KisMAC elsewhere. However, its highly questionable how much additional development effort on long awaited features such as packet injection on Ralink-base USB devices, will now be made given the loss of the primary developer. As a security professional with a Macbook Pro as my primary platform, this is especially painful. Has anyone else out there discovered viable alternative wireless tools for the MBP?

(IN)Secure Mag - 12th Edition

2007-07-24T15:43:00.000-04:00

Just a quick heads up to point out that the 12th issue of (IN)Secure mag is out. The cover story regarding log management and PCI looks very interesting as does the interview with Jeremiah Grossman. This mag is usually a pretty good read and I recommend you check it out!

GAUS v 1.3 (now with Metasploit!)

2007-07-17T11:56:00.000-04:00

I recently had a chance to spend a little quality time with Metasploit again. One of the first things I did, was attempt to update. However, using the msfupdate in default Gentoo package resulted in the following:

# msfupdate

[*] The msfupdate command is no longer supported, please use
Subversion to update your Framework installation.

Updating with Subversion:
$ cd framework-2.x/
$ svn update

So, I naturally decided that I needed to add a "module" to the Gentoo Auto-Update Script to keep my install automagically updated. However, I also remembered that Gentoo only ships a 2.X version of the framework (currently 2.7). On my box I have upgraded to 3.x of the Framework. So, the newest version of the GAUS script, version 1.3, now has the ability to first attempt to determine what version of the framework you are running, and then svn sync up to the newest build.

The GAUS script can be downloaded from Google Code. Please review the README.txt file for additional information.

Gentoo Auto-Update Script - v1.2

2007-07-09T18:03:00.000-04:00

After some initial feedback of my Gentoo Auto-Update Script, version 1.2 has been released with several bug fixes. See README.txt for more.

Download script from Google Code.

iPhone HTTP User-Agent String

2007-06-30T12:46:00.000-04:00

Just a quick FYI.. The following is the HTTP User-Agent string supplied by the iPhone browser:

Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3"

URL Deobfuscation

2007-06-14T14:58:00.000-04:00

A few days ago, I was having a little fun with a coworker. I sent him several obfuscated URL's through Outlook Web Access (OWA) from Internet Explorer (IE)7.

The 3 URLs I sent were:

http://1096965168/

http://0x41.0x62.0x5c.0x30/

http://0101.0142.0134.0060/

(Warning, links NSFW!!)

Which all resolve to: http://65.98.92.48/ (http://goatse.cz)

Strangely enough, as I sent the email, the links were transformed to the "real" IP address, 65.98.92.48 before being sent. Originally I wrote it off as either a feature of OWA or Exchange, but I then resent using OWA via Firefox and also through Entourage. The last two test delivered the email with the URL's in their obfuscated form.. So, it appears that its the IE7 browser that is DE-obfuscating those URL's before they sent!

Additionally, while composing this post, I've noticed that neither Firefox on OSX, nor Safari on OSX was able to resolve the obfuscated URL's and display the site. Using Thunderbird on WindowsXP, I was also surprised to see that not only did Thunderbird label the email as a potential scam, it presented me with a pop-up warning when I attempted to click the links.

(Click for full size view)

As someone who "cut my teeth" working the Security/ Abuse desk at UUNET, I remember URL obfuscation as a major tool in the spammer/ phisher arsenal. Alot of these bad guys would hide their sites by doing something like http://www.bankofamerica.com@0x41.0x62.0x5c.0x30/.

VMware Fusion Beta 4

2007-06-11T18:15:00.000-04:00

VMware has just released Beta 4 of its Fusion product. If you are not familiar with Fusion, this is VMware's Mac OSX version of its workstation product. Although they appear to be borrowing a lot of the cutting-edge features from Parallels [Unity (called Coherence in Parallels), booting of Boot Camp partitions, and DirectX 8.1 support (introduced with Parallels 3.0)], it will be interesting to see how they compete price-wise with Parallels. While Parallels 3.0 is currently retailing for a hefty $79.99, the Fusion Beta is a free download. According to the Fusion FAQ, the final pricing has not been set. The introduction of Fusion should provide for some great old fashion competition between VMware and Parallels in the arenas of performance, features, and price which will benefit us all.

Additionally, having Fusion now allows me to finally tinker with all those pre-built VMware appliances/ images!!

(Click for full size view)

Here is a screen shot of the Smoothwall Firewall VMware appliance running on my machine.

[UPDATE] Looks like VMware has set the price. From the updated FAQ:

Customers can pre-order VMware Fusion for $39.99 from www.vmware.com/mac until the product is GA (generally available) prior to the end of August 2007, which is a 50% savings over the suggested retail price of $79.99 when it is released in August 2007.

Gentoo Auto-Update Scripts

2007-06-06T14:38:00.000-04:00

Being a old OpenBSD user, I have grown quite accustom to receiving the daily email outputs from the fantastic /etc/daily, /etc/weekly, and /etc/month cronjobs. Now that I am supporting several Gentoo based servers, I find myself longing for that same system maintenance automation.

To addressed this, I have created a shell script for Gentoo to preform various nightly system administration tasks from a cron job and then email me a report reminiscent of OpenBSD's /etc/daily reports. This script is generic enough to run on all of my Gentoo based boxes. Additionally, since most of the servers I support serve some sort of security function, I've included optional auto-updating for Nikto plugins, Snort signatures, and Nessus plugins.

This script is released AS-IS under the New BSD License and is available from the "Downloads" section of my Google Code page. While I am currently running this script in production environments, it should still be considered Beta. Please feel free to change/add/ improve as you see fit. If anyone would like to contribute, please drop me a comment.

Idle Hands are the Devil's Tools

2007-05-30T13:00:00.001-04:00

In all my years of travel, other than dealing with TSA, nothing has inexplicably bothered me more than airports that charge for wireless access. Due to ever growing unpredictability of security lines, ticket counter hassles, less frequent parking lot shuttle buses, and the like, I've have to continually adjust my schedule to arrive at the airport earlier and earlier. Because of this, I often find myself sitting at the airport waiting. To compensate for this, it seems like the least they could do is provide me with some complimentary wireless access so that I can entertain myself or even catch up on some work. (Without me having to squat outside the Red Carpet lounge and "borrow" some wireless access!)

The old saying goes, "Idle hands are the devil's tools".. And its no different for me. With copious amounts of "wait" time, I often found myself honing my wireless sniffing and attack skills. ;)

Well, briefly passing through BWI Airport last week, I decided to check for free wireless. Upon connecting and trying to reach cnn.com, I was instantly presented with a captive portal page.

(Click for full size view)

Of course, the first thing I check were obvious combinations (guest/guest, admin/ admin, etc). These all led to an Access Denied page. But, what if there was someway that I didn't have to supply a password. Surely in this day and age there was no way that the login page would be vulnerable to basic kindergarten-grade SQL Injection attacks. This is a very large wireless provider with presence in airports across the world. Surely they have seen other people try this before and have fixed this. But, curiosity got the best of me, and I tried the ol' admin' --

(Click for full size view)

I guess I was wrong.

Security Feeds

2007-04-30T17:11:00.000-04:00

Recently several people have inquired about easy and efficient ways to stay on top of what is going on in the security community. The answer of course is by aggregating all of your security news "inputs" into a RSS reader.

For Mac OSX platforms, I highly recommend Vienna. This is what I use 90% of the time.

For Win32 platforms, I am currently using Feedreader, however, I am still not completely sold on it. If anyone knows of a better free RSS Client please let me know.

Another amazing resource is the Security Blogger's Network created by Alan Shimel and of which www.monkey-house.org is a proud member. This is essentially a large collection of top-notch IT Security related blogs, aggregated and served out as a Feedburner Feed. To take advantage of this, simply subscribe your RSS client to:

http://networks.feedburner.com/Security-Bloggers-Network/feed

Addtionally for anyone that is interested, I have exported my current list of Security/IT related feeds to an opml file. To use this, simply download my security.opml file and import this into your RSS reader.

***Please note that because my current job duties include performing web application security tests against Ruby on Rails platforms, I have alot of feeds specific to these two areas.

Google Calendar Session Auth.

2007-04-30T16:10:00.001-04:00

While reviewing IDS logs at work today, I noticed that the Snort Bleeding-Edge rule "BLEEDING-EDGE CURRENT EVENTS Google Calendar in Use" (Snort SID 1:2003597) had fired.. Looking at the logged request, I noticed that it logged a URL similar to:

http://www.google.com/calendar/feeds/COWORKER%40gmail.com/private-98d32c472
5baf853a1c50c4485c9XXXX/full?start-min=2007-04-30T00:00:00&start-max=2007-05
-05T00:00:00

(note, actual calendar name and Session-ID have been changed to protect the innocent, so link will not work)

But the URL basically includes: /username/auth-token

Upon clicking on the initial unmodified link, it allowed me to view my coworker's private Google calendar..

It appears that Google is ignoring a fundamental rule of web application security. "Thall shall not expose any credentials in URLs"

Referencing item A3 Broken Authentication and Session Management of the OWASP Top 10

From the Session ID Protection section: First, they should never be included in the URL as they can be cached by the browser, sent in the referrer header, or accidentally forwarded to a ‘friend’.

This also includes web proxy logs and IDS logs.

Quote from a friend of mine: " but it's Google.. you don't have to be secure, you just have to be easy "

Hotel Wireless IDS (Oppsie!)

2007-04-06T07:08:00.000-04:00

I was recently out in Las Vegas for some compliance training. After a long night of honing my Blackjack skills, I returned to the hotel to catch up on e-mail. The hotel had free wireless, and since 24 hours had expired from when I initially connected, I was redirected to the captive web portal to agree to terms of service, see their marketing stuff, etc. Well, when I clicked accept, I noticed that the captive portal was utilizing a series of CGI scripts to authorize clients. Definitely piqued my interest.

So, first step in any good "investigation" is to do some fingerprinting. I fired up nmap -sT -A to identify listening services and make an OS guess. Being the impatient person that I am, I also fired up nikto in parallel. But of course, that wasn't enough to immediately satisfy my curiosity, so I started conduction some web tests by hand. And then something happened that I completely did not expect. I got this web message:

Opps!

Has anyone else experienced something like this before? The interesting thing is the URL. I wonder if I sniffed the IP / MAC address combinations off my local segment and did HTTP POST's to that URL if I could blacklist everybody else.

Revolution On Rails

2007-04-06T05:56:00.000-04:00

As I've previously noted, Revolution Health is currently the largest Ruby on Rails site on the internet. There has been alot of discussion in the industry that Rails could not scale well in a full blown enterprise environment. So, in an effort to dispel this myth and help others who may follow in our footsteps, my coworkers are attempting to document the trials and tribulations of Ruby On Rails from an Enterprise level in their Revolution On Rails Blog

My Kudos to them for also releasing alot of the custom written tools, plug-ins, Gems, and scripts they have developed along the way. I think its fantastic when corporations that heavily leverage open-source tools and platforms in their business environments can find a way to give back to the open-source community.

Pantera WAS Documentation

2007-04-06T05:25:00.000-04:00

It looks like all of the Pantera on OSX Documentation I did here on Monkey-House has been officially incorporated in the OSX Install guide bundled in Pantera:

Pantera_Release_0.1.3/doc/en/install-osx.html

Metasploit Frame on Gentoo

2007-04-06T04:56:00.000-04:00

Today I discovered a bug while installing the new Metasploit3 Framework on Gentoo, according to the provided instructions. The essence of the problem is a mixing of a new version of rails (1.2.2) with an old version (< 0.9.0) of RubyGems. This is a problem for anybody that is running Gentoo Stable, as Gentoo is currently shipping RubyGems version 0.8.11-r6. The work around is to install the testing branch of RubyGems. To do this in Gentoo, simply appending: dev-ruby/rubygems ~x86 to the file: /etc/portage/package.keywords and rerunning emerge rubygems.

I've also opened up a defect ticket with metasploit so the documentation can be updated.

SQL Injection and MyODBC

2007-01-23T17:24:00.000-05:00

Recently I was attempting to exploit what have should have been a very vanilla SQL Injection attack. The webserver was Microsoft IIS6 serving ASP pages. This server was using MySQL's MyODBC Driver to allow this application to connect to a backend MySQL database. However, everything I tried only yielded an error message similiar to:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[MySQL][ODBC 3.51 Driver][mysqld-5.0.26-standard-log]You have an error in your SQL sytanx; check the manual that corresponds to your MySQL server version for the right sytanx near ';DROP table userinfo' at line 1

/test/test.asp, line 192

Having access to the asp file, I could see that the SQL Query was basically:

SELECT * FROM userinfo where user = Request.QueryString('user_id');

Normally it would be trivial to modify the HTTP Request to be:

/test.asp?user_id=bob%3BDROP%20table%20userinfo%20--

So that the SQL query would effectively become:

SELECT * FROM userinfo where user ='bob'; DROP TABLE userinfo; --

However, for some reason I could not get this to behave as expected. I was able to append other SQL syntax (AND, OR, etc) and get the desired results, but I was not able to DROP that particular table. After much digging, I ran across the following email thread:

gmane.comp.db.mysql.odbc/2003-06/msg00142.html

As it turns out the MyODBC does NOT support multiple SQL commands. While this seems to be a minor irritant for the developer in the email thread, it does provide the unintentional benefit of preventing alot of SQL Injection attacks..

There appears to be a "bug" ticket open with MySQL on this, and it appears that this could potentially be addressed in the upcoming release of MyODBC. In the meantime, for all of you web application security testers out there, maybe this can conserve some of your valuable testing time.

Largest Ruby on Rails Site to Date

2007-01-03T20:07:00.000-05:00

For those of you that are not aware, I am the Director of Security Operations for Revolution Health, founded by the likes of AOL Co-Founder Steve Case, Colin Powell, and Carly Fiorina among others. The main goal of this site is provide an all encompasing health care portal. There are forumns, blogs, Doctor Directories and Ratings, etc.. While this site was developed using a wide range of technologies, it is majority based on the relatively new web framework, Ruby on Rails. Our site is currently the largest Ruby on Rails project to date and presents its own unique set of security challenges.

Because of this, you can expect to see alot more RoR focused posts on this blog.

While the site is still in "Preview Mode", you are welcome to sign up and have a sneek-peek.

* http://www.revolutionhealth.com/preview?code=IHoUuq3GYg

Please let me know what you think.

Pantera 0.1.2 Released

2006-11-30T12:49:00.000-05:00

Today a new version of Pantera WAS was released!. If you previously installed on OSX according to my directions here and here then there is only one thing you need to do to get this update working.

After you have downloaded and decompressed the new version, change into that director and run the command: python ez_setup.py FormBuild.

After that, you should be able to start the new 0.1.2 version with the command: python ./pantera.py

-Patrick

Pantera WAS on Mac OSX / Python Update

2006-11-07T13:46:00.000-05:00

This is a follow up to the previous post. After much help from Simon Roses Femerling, we were able to determin that step #13 below is due to OSX shipping with older versions of Python (2.3.5). Before installing Pantera, it is recommended that you first update to version 2.4.X of Python (2.4.4 as of this writing). This can be downloaded from the Python.Org website.

The new version of Python will install the executable in /usr/local/bin . Depending on your PATH varible, this may conflict with the default version in /usr/bin. To aleviate this issue, run the command: sudo mv /usr/bin/python /usr/bin/old.python

After this is done, you should be able to skip step #13 in the previous post.

***Please note that upgrading to 2.5 of Python will NOT work.

Pantera Web Assessment Studio on Mac OSX

2006-10-31T19:37:00.000-05:00

Recently a new web-app testing tool was donated to the OWASP project. This tool, Pantera can be installed on Mac OSX(Intel), using the following instructions:

1.) Download the pyOpenSSL python module from here.

2.) Cd into the directory and run the command python setup.py build.

3.) Install the module, python setup.py install.

4.) Download the MAC OSX binary package of the MySQL database from the mySQL site.

5.) Install MySQL according to these instructions.

6.) Start MySQL by running the follwing commands:
shell> cd /usr/local/mysql
shell> sudo ./bin/mysqld_safe
(ENTER YOUR PASSWORD, IF NECESSARY)
(PRESS CONTROL-Z)
shell> bg
(PRESS CONTROL-D OR ENTER "EXIT" TO EXIT THE SHELL)

7.) Download mysql-python from here.

8.) You will need to modify your pather varible to get the mysql-python package to compile correctly. First run the command, set | grep PATH you should get something resembling PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin now cut and paste that output and append "/usr/local/mysql/bin" to the end so that your resulting command should look something like:
PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin:/usr/local/mysql/bin.

9.) Now run python setup.py build from inside the mysql-python directory. When that completes run python setup.py install.

10.) Next we need to configure the pantera database. Do this by running mysql -u root and then CREATE DATABASE pantera; from the mysql prompt.

11.) **optional, feel free to lockdown the mysql database and assign a password to root at this point. Google and the pantera documentation are your friends for this.

12.) After you have created the database, from inside the pantera directory, run the following command: mysql -u root panteradb < doc/pantera_sql_create_script.txt

13.) Now, you are almost ready to run pantera. However, the panteraPlugins.py file seems to have a syntax error in it. So, use vi to edit the file. Skip down to line 458 and insert a # sign in from of the line reading "remove(c for c in self.plugin_list if c == d)"

14.) Once this is done, edit the panteracfg.xml file to include your database username and password. If you skipped step #11 above, then you just need to modify the db_login to look like: root

15.) Configure firefox to use 127.0.0.1 port 8080 as your proxy, run the command python pantera.py from inside the pantera directory, and point your browser to http://pantera.

Ruby on Rails for Gentoo

2006-10-23T13:18:00.000-04:00

First use emerge to install Ruby, next use emerge to install "rubygems"..

Now you can use rubygems to install Rails, ActiveRecord, etc.. You will need to answer Y to each of the dependencies.

# gem install rails
Bulk updating Gem source index for: http://gems.rubyforge.org
Install required dependency rake? [Yn]
Install required dependency activesupport? [Yn]
Install required dependency activerecord? [Yn]
Install required dependency actionpack? [Yn]
Install required dependency actionmailer? [Yn]
Install required dependency actionwebservice? [Yn]
Successfully installed rails-1.1.6
Successfully installed rake-0.7.1
Successfully installed activesupport-1.3.1
Successfully installed activerecord-1.14.4
Successfully installed actionpack-1.12.5
Successfully installed actionmailer-1.2.5
Successfully installed actionwebservice-1.1.6
Installing ri documentation for rake-0.7.1...
Installing ri documentation for activesupport-1.3.1...
While generating documentation for activesupport-1.3.1
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/activesupport-1.3.1/ri --qui et lib
(continuing with the rest of the installation)
Installing ri documentation for activerecord-1.14.4...
Installing ri documentation for actionpack-1.12.5...
While generating documentation for actionpack-1.12.5
... MESSAGE: Unhandled special: Special: type=17, text=""
... RDOC args: --ri --op /usr/lib/ruby/gems/1.8/doc/actionpack-1.12.5/ri --quiet lib
(continuing with the rest of the installation)
Installing ri documentation for actionmailer-1.2.5...
Installing ri documentation for actionwebservice-1.1.6...
Installing RDoc documentation for rake-0.7.1...
Installing RDoc documentation for activesupport-1.3.1...
Installing RDoc documentation for activerecord-1.14.4...

Installing RDoc documentation for actionpack-1.12.5...
Installing RDoc documentation for actionmailer-1.2.5...
Installing RDoc documentation for actionwebservice-1.1.6...

After this completes, you can now create a test rails project by issuing the command: "rails test", after changing to your web directory (/var/www/localhost/htdocs/) by default.

# cd /var/www/localhost/htdocs/
# rails photos
create
create app/controllers
create app/helpers
create app/models
create app/views/layouts
create config/environments
create components
create db
create doc
create lib
create lib/tasks
[...SNIP...]

You can now start the WeBrick webserver included with Rails.

# ruby ./script/server -d test
=> Booting WEBrick...
=> Rails application started on http://0.0.0.0:3000
[2006-10-23 12:52:56] INFO WEBrick 1.3.1
[2006-10-23 12:52:56] INFO ruby 1.8.5 (2006-08-25) [i686-linux]

At this point you should be able to point your browser to http://127.0.0.1:3000/ and get the Ruby on Rails Welcome page.

For more information on integration your Ruby on Rails installation with apache2 and FastCGI, please refer to: http://gentoo-wiki.com/HOWTO_RoR.

Mac OSX Essential Security Tools

2006-08-22T17:08:00.000-04:00

Having recently converted to a Mac Book Pro, I have been on a quest to locate security tools capable of running on this platform. Here is are the tools I found that I now cannot live without:

KisMAC - This tool is supposed to allow you to do all the cool wireless stuff from OSX. I downloaded it and whil it did look cool, I quickly discovered one huge drawback. It turns out that is monitor/ passive mode is not supported with the Airport Extreme wireless cards in the new Mac Book Pro's. However, I have downloaded the newest Alpha version and found that it now supports passive mode in these cards! The only functionality now lacking is the ability to reinject packets. Hopefully this functionality will be there soon. Packet reinjection is necessary to perform the different Auth/ Deauth flood attacks used to generate more traffic for cracking WEP. This video provides a cool overview of cracking WEP with KisMAC.

Nessus 3.X - New with version 3.x of nessus, the Nessus developers decided to stop distribuing source code. As we have seen, it is possible to get Nessus 3.x running on other platforms. However, it turns out that OSX is now one of the supported platforms. The install and operation of OSX package is seamless. It comes with both the client and the server.

Paros Proxy - Paros proxy is an extremely well designed proxy that is a must for doing web application security testing. Because it is coded in java, it is cross platform. As long as you have JRE installed, Paros proxy functions right out of the box.

Parallels - Think of this as VMWare for MAC, only better. No annoying need to add "vmware" tools into your guest OS, etc. Using Parallels I was able boot all of my favorite Linux-based LiveCD Security Toolkits, such as Backtrack. This gives you instant access to a wealth of security tools (nmap, spike proxy, etc). By editing the CDROM setting to "Use an Image File:", you can now configure Parallels to boot from an ISO file. The only limitation I noticed was that the wireless card is not virtualized. However, since most wireless security tools won't function properly when operating though an abstration layer anyway, this is definately a minor limitation.

VirtueDesktops - Although this application is not actually a security tool, it is unbelievably cool. Its a desktop switching tool that is adds a high level of functionality while adding a super high level of eye-candy as well. Check out this video to see exactly what I am talking about. --Note, this video only shows 2 desktops in a left to right config. You can also add additional desktops on a vertical axis as well.

Top 10 DNS Infrastructure Best Practices

2006-08-09T16:20:00.000-04:00

(This is something I wrote for my company's public newsletter)..

Top 10 DNS Infrastructure Best Practices

A corporation's Domain Name System (DNS) Infrastructure plays an integral, but often overlooked role, in the overall security posture of the network environment. Not only should these services be configured securely, they should also be designed to provide a very high level of availability and redundancy.

1. "Split Horizon" DNS refers to the practice of separating DNS into an external and internal view. This provides a logical separation between the DNS information available to internal network clients and what is made publicly available to the internet at large. DNS store a wealth of information regarding the configuration of a network. Being able to enumerate this information is an invaluable resource for would-be attackers. By separating the publicly available information from that required by internal clients, adds a very critical layer of protection. Split horizon DNS can be accomplished in several methods, but separation on physical devices is the preferred.

2. Recursion in simple terms is the ability of a DNS server to answer client requests for domains which it is not authoritative for. Using a split horizon DNS deployment model, there are two primary sets of DNS servers, internal and external. Internal servers should be configured to perform recursion to service the requests of the internal network clients. However, external DNS servers should be explicitly configured to deny recursion. External DNS servers should solely answer requests for the domains for which they are the authoritative for. Public DNS servers which allow recursion have been recently exploited in as amplification machines in Distributed Denial of Service (DDoS) attacks. Not only does this consume valuable machine and bandwidth resources, but there also could be legal ramifications for an organization whose servers were exploited.

3. DNS by design has the ability to offer a high level of availability and redundancy. An organization should have two or more primary DNS servers. These devices should be both geographic and carrier diverse. Having multiple DNS servers in the same physical location on the same internet connection provides very limited redundancy. A single carrier outage or fiber cut can instantly isolate all of your DNS servers. Instead, these should be distributed in across different geographical regions utilizing different internet providers. This can be accomplished by placing the servers in either a remote office, a collocation facility, or utilizing a hosted DNS provider. Ideally an organization should have a minimum of two (2) DNS servers with three (3) being the recommended number.

4.The NS records for an organization's domain name provide public DNS servers with the information needed to find the authoritative nameservers for that domain. These records are uploaded from your domain registrar to the Top Level Domain (TLD) DNS servers. As changes are made to your DNS infrastructure, its imperative that your NS records updated to reflect these changes.

5. Lame Delegation is a term that is used to refer to servers that are listed as authoritative for a specific domain but do not answer authoritatively. This can cause delayed responses, increased workload on both an organization's and the TLD DNS servers and is a problem that has plagued the internet for several years now. The extent of this problem can be seen by looking for the "Lame" keyword in the server logs of any active recursive DNS server. This problem can be avoided by keeping the NS and SOA records for your domains accurate and up to date.

6. Zone transfers are the ability for a slave DNS server to pull records from a master server to a slave. This allows you to host all of your zonefiles on a master machine and have them automatically propagate to slave machines after a change is made. The ability to transfer an entire zonefile for a domain also provides a easy way for would-be attackers to enumerate an organizations network. Because of this DNS servers should be configured to limit zone transfer requested to the IP addresses of designated slave machines.

7. MX records are the DNS records that allow your organization to receive email. Each domain should have a minimum of two (2) MX records. These records also have a preference number associated with them. The lower numerical value of the preference translates into the higher priority mail gateway. Therefore, if you have two (2) gateways, a primary and a secondary, then the primary would have a MX preference value of ten (10) and the secondary of twenty (20) so that the primary would be the higher priority mail gateway.

8. All MX records should have a corresponding PTR record. RFC1912 dictates that all mail gateways should have Reverse DNS entries configured. Many mail servers are configured to not accept email from gateways which don't have proper Reverse DNS entries.

9. DNS server versions often provide a would-be attacker with valuable information about the DNS application running on that machine. Published exploits corresponding to that specific version of the application can quickly be located and launched. For this reason, DNS server versions should be modified to obfuscate the actual running version number.

10. Zone file serial numbers are used by master DNS servers to inform the salve servers when a zone file has been changed and needs to be transferred. Every time a change is made to the zone file, the serial number should be incremented. If this is not done, DNS zone data can quickly become out of sync, causing enterprise-wide problems.

Nessus 3.0 on Gentoo

2006-08-09T16:16:00.000-04:00

With the release of Nessus 3.x, the developers have made the decision to no longer distribute source code. Because of this, nessus binaries will only install on "supported platforms". However, I have recently discovered a way around this severe limitation.

This is a quick and dirty guide to get Nessus 3.0 to install on Gentoo.

First, download Nessus-3.0.3-fc5.i386.rpm from nessus.org

Use rpm2targz Nessus-3.0.3-fc5.i386.rpm to convert the package from RPM format to a gzip'ed tar file.

Move the resulting file to your / directory.

Use tar -zxvf Nessus-3.0.3-fc5.i386.tar.gz to decompress and un'tar the file.

Edit /etc/ld.so.conf and append /opt/nessus/lib to the end of the file.

Run ldconfig to make those changes take effect.

Next, cd into your /usr/lib directory and do the following:

ln -s libssl.so.0.9.7 libssl.so.6
ln -s libcrypto.so.0.9.7 libcrypto.so.6

You can now finish installing nessus as normal (e.g /opt/nessus/sbin/nessus-mkcert). You can also test your installation by running the command: /opt/nessus/sbin/nessusd -d

[UPDATE] You will need to edit /opt/nessus/sbin/nessus-update-plugins . Look for the line reading "gzip=/usr/bin/gzip" and change it to read "gzip=/bin/gzip"

[UPDATE 2] Instead of making the change to /etc/ld.so.conf above, you should create a file in the /etc/env.d/ directory called 08nessus. Then file should only contain the line: LDPATH=/opt/nessus/lib. This change is necessary because the env-update script will overwrite the changes you make directly to /etc/ls.so.conf.