Attacks/Exploits

0DAY:ADOBE PDF

This stuff gets better and better;

Adobe’s representatives can contact me from the usual place. My advice for you is not to open any PDF files (locally or remotely). Other PDF viewers might be vulnerable too. The issue was verified on Windows XP SP2 with the latest Adobe Reader 8.1, although previous versions are also affected.

This was how GNUCitizen closed his post. So apparently there is a defect in Adobe Reader 8.1 on XP SP2 (verified by him), and the only mitigation on offer for now is not to open PDF files from untrusted sources at all.

Split-Tunneling Good or Bad ?

In VPN configurations this seems to be a hot discussion; so here we go.

There are 2 options for the internet traffic of VPN users;

  1. Split-Tunneling enabled :: All the corporate traffic goes through the VPN tunnel and all the internet traffic (local browsing etc.) goes through the user’s local internet connection, which improves the browsing speed/experience for the end user.
  2. Split-Tunneling disabled :: All the corporate traffic and all the user’s internet traffic traverse the VPN tunnel; the internet traffic first goes to the VPN end-point and then exits to the internet from there.

Now, point 2 seems to be attractive to some security professionals for the reason that, while connected through the VPN, there is no local interaction and thus no ” security risk “. The argument being that while connected to the corporate network through the VPN, the public internet is secluded: the host is not attached to both networks at the same time, its internet traffic passes through the corporate proxies and monitoring, and so there is more security in terms of somebody/something from the internet getting to the corporate network!

Well, let me see; the way I see it – first of all it makes internet browsing poor for the end user, who is probably browsing more but is still *ON* the VPN just for mail checking in the late evening (if that is happening :-) ). Now security-wise, does it mean that by just disabling split-tunneling an administrator can be assured that the user won’t harm the corporate network? I don’t think so;

How about a user’s machine infected with a virus/trojan/some crap: whether you have enabled split-tunneling or not, this is going to enter the corporate network the moment the tunnel comes up. YES.

So what security are we talking about?

The best approach would be Network Access/Admission Control integrated with antivirus/antispyware/IPS and a firewall module, so that the state of the endpoint is checked before it is let onto the network, rather than only deciding which way its traffic is routed.

Now is there something obvious I’m not seeing here? Maybe somebody can shed some light, and I would really appreciate that!


TCP drop vs reset vs reject

Since the last post was on unusual TCP connection tear-down, it is also important to understand the different actions a typical firewall can take on a packet it does not want;

Drop -> The packet is silently discarded and the sender is never informed. From the sender’s side the connection attempt simply hangs until it times out.

Reset -> A TCP RST is sent back to the sender, so it immediately sees the port as closed, exactly the answer a host with nothing listening would give.

Reject -> Reject is rather interesting: the firewall refuses the packet explicitly. Depending on the product this is a TCP RST or, more commonly, an ICMP destination-unreachable message (port unreachable, or one of the “administratively prohibited” codes), which tells the sender that the port might well be open but a filter in the path is not letting it talk.

So if you’re tasked to configure a mode (any of the above), what will you choose for tearing down a connection?

It depends on the requirement, but I’d rather go with drop: “If I want to tear down the connection anyway, why send a message saying that I tore it down?” Every reply is additional processing on a box that has more important I/O to do, and it also hands a scanner something to work with, whereas a drop leaves it waiting for its timeout on every probe. The trade-off is that legitimate clients of a dropped port hang instead of failing fast, so reset/reject is the friendlier choice on an internal firewall where hiding from scans is not the concern.
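To make the three behaviours concrete, here is an added example (not code from the original post) that builds a SYN and the replies a scanner would get under each policy as raw IPv4 packets and classifies them the way a port scanner does. Addresses, ports and the packets are constructed inline; nothing is sent on the wire.

```python
"""Tell drop, reset and reject apart from what (if anything) comes back for a SYN.

Added example, not code from the original post. It builds a SYN and the kinds
of firewall reply as raw IPv4 packets (addresses and ports are constructed
here) and classifies each the way a port scanner would.
"""
import socket
import struct
from typing import Optional, Tuple

SCANNER, TARGET = "192.0.2.10", "198.51.100.5"   # RFC 5737 documentation addresses (constructed)

# ICMP type 3 codes a firewall uses to refuse a connection explicitly.
UNREACHABLE_CODES = {
    3: "port unreachable (the default for an iptables REJECT)",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited (iptables icmp-admin-prohibited)",
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """20-byte TCP header; checksum left zero, the classifier only reads the flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)


def icmp_unreachable(code: int, offending: bytes) -> bytes:
    """ICMP destination-unreachable quoting the IP header + 8 bytes of the SYN."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def classify_reply(reply: Optional[bytes]) -> Tuple[str, str]:
    """Map a reply (None = nothing arrived before the timeout) to the firewall
    action that produced it: drop, reset, reject, or open (no firewall action)."""
    if reply is None:
        return "drop", "no reply: scanner must wait for its timeout and retry"
    ihl = (reply[0] & 0x0F) * 4
    proto = reply[9]
    if checksum(reply[:ihl]) != 0:
        return "other", "corrupt IP header"
    body = reply[ihl:]
    if proto == 6:                                  # TCP
        flags = body[13]
        if flags & 0x04:
            return "reset", "TCP RST" + ("/ACK" if flags & 0x10 else "")
        if flags & 0x12 == 0x12:
            return "open", "SYN/ACK from the real service"
        return "other", "TCP flags 0x%02x" % flags
    if proto == 1:                                  # ICMP
        kind, code = body[0], body[1]
        if kind == 3:
            return "reject", UNREACHABLE_CODES.get(code, "unreachable code %d" % code)
        return "other", "ICMP type %d code %d" % (kind, code)
    return "other", "IP protocol %d" % proto


SYN = ipv4(6, SCANNER, TARGET, tcp(40000, 22, 0x02, seq=1000))

# What the scanner receives under each policy (constructed replies).
REPLIES = {
    "drop":         None,
    "reset":        ipv4(6, TARGET, SCANNER, tcp(22, 40000, 0x14, ack=1001)),
    "reject-admin": ipv4(1, TARGET, SCANNER, icmp_unreachable(13, SYN)),
    "reject-port":  ipv4(1, TARGET, SCANNER, icmp_unreachable(3, SYN)),
    "no-firewall":  ipv4(6, TARGET, SCANNER, tcp(22, 40000, 0x12, seq=5000, ack=1001)),
}

if __name__ == "__main__":
    for policy, pkt in REPLIES.items():
        print("%-12s -> %s" % (policy, classify_reply(pkt)))
```

Note what the scanner learns in each case: drop and ICMP unreachable both show up as “filtered” in nmap, while a RST shows up as “closed” and is indistinguishable from a host with no listener. An ICMP port-unreachable in answer to a TCP SYN is itself a tell, because a bare kernel answers a closed TCP port with a RST, never with ICMP.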


MAC Address Changer

A tool has been released for changing the MAC address of network interface cards, which will facilitate both the good guys and the bad guys :-)

So try it here

Feel safe on a switched lan ?

So the common belief is that a network on a *switched* LAN is very safe compared to one on a hub.

Story?

In a hub network, traffic is seen by everybody connected, so sniffing is very easy; with the introduction of switches you only see traffic that is destined for you. So that provides you security from sniffing and the attacks that follow from it! Well, not quite true as long as ARP is the way it is now…

So how does ARP work? When a machine wants to talk to somebody, it broadcasts an ARP request for that IP address, and only the machine that owns the address replies with its MAC address, so that the communication goes through; a very IDEAL scenario.

Now if someone were to send in an incorrect ARP reply [ pretending to be someone else ], the original machine would still accept this reply and send its packets to that address. Inherently there is no authentication in the ARP protocol; it was not required at the time it was designed!

So lets see how it works;

  • Port1 – Host A is connected with MAC A
  • Port2 – Host B is connected with MAC B
  • Port3 – Host C (attacker) is connected with MAC C
  • Host C (attacker) sends an ARP reply to Host A saying “I’m Host B”. Similarly it sends another ARP reply to Host B saying “I’m Host A”
  • So now Host A believes Host B is at MAC C   { AND }
  • Host B believes Host A is at MAC C

So a simple piece of software at Host C (attacker) would be able to read all the communication between Host A and Host B!

High-end managed switches (with dynamic ARP inspection) might not pass on the unasked-for ARP replies, but the hosts themselves would accept them! For example, Windows XP before SP2 accepts any gratuitous ARP packet and updates its local ARP cache from it!

CVE Entry for this [ Here ]

A tool can read the data and then forward the traffic on to the respective hosts, so that those hosts wouldn’t even know that something like this is going on; in the fashion below;

  • Host A sends ‘HI’ to Host B
  • Traffic actually reaches Host C
  • Host C reads the data and then forwards the packet to Host B
  • Host B sends ‘hello’ to Host A
  • Traffic actually reaches Host C
  • Host C reads the data and then forwards the packet to Host A

Seems impossible? Well, there is a rather simple tool, arpspoof (part of the dsniff package), which can perform this! The attacker has to keep re-sending the forged replies, because ARP cache entries expire, and must forward the traffic it receives or the two hosts simply lose connectivity and notice.

So how do you find out if something like this is going on? You could use arpwatch, which keeps a table of the IP-to-MAC pairings seen on the wire and reports whenever a pairing changes.
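The walk-through above, as an added example that is not code from the original post and not arpspoof or arpwatch code: it builds the two unsolicited ARP replies Host C sends, shows what they do to the cache of a host that accepts any reply (the pre-SP2 XP behaviour cited above), and runs an arpwatch-style detector over the same frames. Hosts, addresses and the frame sequence are constructed for the demonstration.

```python
"""ARP cache poisoning as in the Host A / Host B / Host C walk-through, plus an
arpwatch-style detector that flags the resulting IP-to-MAC changes.

Added example, not from the original post and not arpspoof or arpwatch code.
MAC and IP addresses and the frame sequence are constructed for the demo.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed hosts from the post's walk-through: (MAC, IP).
A = ("02:00:00:00:00:0a", "10.0.0.1")
B = ("02:00:00:00:00:0b", "10.0.0.2")
C = ("02:00:00:00:00:0c", "10.0.0.66")   # attacker


def mac_bytes(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def ip_bytes(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP packet (42 bytes on the wire)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # Ethernet/IPv4, 6/4 byte addrs
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op, sender_mac, sender_ip, target_ip


def poison(victim, impersonated, attacker_mac) -> bytes:
    """The attacker's unsolicited reply: 'impersonated IP is at attacker_mac', sent to victim."""
    return arp_frame(ARP_REPLY, attacker_mac, impersonated[1], victim[0], victim[1])


def naive_cache_update(cache: dict, frame: bytes) -> None:
    """A host that accepts any reply, requested or not, and overwrites its cache."""
    parsed = parse_arp(frame)
    if parsed and parsed[0] == ARP_REPLY:
        cache[parsed[2]] = parsed[1]


class ArpWatch:
    """Remember the first MAC seen for each IP and flag every later change."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _, sender_mac, sender_ip, _ = parsed
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            self.alerts.append("changed: %s was %s, now %s" % (sender_ip, known, sender_mac))
            self.bindings[sender_ip] = sender_mac


def run_scenario():
    """Poison both caches; return the poisoned caches and the watcher's alerts."""
    cache_a = {B[1]: B[0]}           # A already knows B's real MAC
    cache_b = {A[1]: A[0]}
    watch = ArpWatch()
    # Legitimate replies first, so the watcher learns the true bindings.
    for f in (arp_frame(ARP_REPLY, *A, *B), arp_frame(ARP_REPLY, *B, *A)):
        watch.observe(f)
    to_a = poison(A, B, C[0])        # "I (C) am B", sent to A
    to_b = poison(B, A, C[0])        # "I (C) am A", sent to B
    for f in (to_a, to_b):
        watch.observe(f)
    naive_cache_update(cache_a, to_a)
    naive_cache_update(cache_b, to_b)
    return cache_a, cache_b, watch.alerts


if __name__ == "__main__":
    cache_a, cache_b, alerts = run_scenario()
    print("A's cache:", cache_a)
    print("B's cache:", cache_b)
    print("\n".join(alerts))
```

After the two forged replies, both caches point at MAC C and the watcher has raised one alert per victim. The detector only works because it saw the legitimate bindings first; an attacker who is already on the segment when the monitor starts looks like the rightful owner, which is why arpwatch deployments seed their tables from a known-good state.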

OS Obfuscation

What is so great about it? Well, you have heard of OS fingerprinting, or TCP/IP stack fingerprinting. Those who practice security couldn’t imagine life without nmap; yeah, that line sounds familiar…

Many of these tools work from the differences between TCP/IP stacks. The IP and TCP RFCs define fields such as TTL, window size and MSS but only recommend, rather than mandate, their initial values, so different OS implementations ship with different defaults. What does that make easy? Recon… A single ping reply reveals the TTL the stack started with (commonly 64, 128 or 255, minus the hops travelled), and correlating that with a handful of other parameters yields the OS in place without much trouble.

Operating System Obfuscation is a method by which you change those parameters on the OS so that it looks like a totally different operating system!

If you do not want much technical detail on how you do it (although I must say it is a piece of cake), you could use a tool to configure it.

{Sec_Cloak}

Test it out yourselves;

1. First do an nmap OS scan [ nmap -O2 <target_ip> ] (plain -O in current nmap releases) => see the OS guesses.

2. Run Sec_Cloak on the machine and set it to appear as some linux flavor.

3. Repeat the first step again and watch for the OS guess.

   You’d get it by then….
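The before/after of that test, as an added example that is not code from the original post nor from nmap or Sec_Cloak: a small passive guesser reads TTL, DF bit and window size out of a SYN/ACK and matches them against a signature table, then the same host is shown with its parameters changed. The signature table is a constructed, illustrative set of typical default values (a real tool carries hundreds of signatures and many more tests), and the reply packets are constructed inline.

```python
"""Passive OS guess from a SYN/ACK's TTL, DF bit and window size, and what an
obfuscated stack does to that guess.

Added example, not code from the original post or from nmap/Sec_Cloak. The
signature table is a small illustrative set of typical default values and the
reply packets are constructed; a real tool carries hundreds of signatures and
many more tests than these three fields.
"""
import struct

# (initial TTL, DF set, window size, label).  Constructed, illustrative values.
SIGNATURES = [
    (64, True, 5840, "Linux 2.6"),
    (128, True, 65535, "Windows XP/2000"),
    (255, False, 4128, "Cisco IOS"),
]
INITIAL_TTLS = (32, 64, 128, 255)


def syn_ack(ttl: int, df: bool, window: int) -> bytes:
    """Constructed IPv4+TCP SYN/ACK with only the fields the guesser reads filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000 if df else 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, 0x12, window, 0, 0)
    return ip + tcp


def extract(packet: bytes) -> tuple:
    """Observed TTL, DF flag and TCP window from a raw IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, ttl = struct.unpack("!HB", packet[6:9])
    df = bool(flags_frag & 0x4000)
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return ttl, df, window


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    return next(t for t in INITIAL_TTLS if observed <= t)


def guess_os(packet: bytes) -> tuple:
    """Return (best label, estimated hop count, matching fields out of 3)."""
    ttl, df, window = extract(packet)
    start = initial_ttl(ttl)
    best, best_score = "unknown", 0
    for sig_ttl, sig_df, sig_win, label in SIGNATURES:
        score = (sig_ttl == start) + (sig_df == df) + (sig_win == window)
        if score > best_score:
            best, best_score = label, score
    return best, start - ttl, best_score


# Before: the target answers with its real Windows defaults, seen 3 hops away.
REAL = syn_ack(ttl=128 - 3, df=True, window=65535)
# After: the same host with TTL and window changed to Linux-like values.
CLOAKED = syn_ack(ttl=64 - 3, df=True, window=5840)
# Half done: only the TTL was changed, the window still says Windows.
PARTIAL = syn_ack(ttl=64 - 3, df=True, window=65535)

if __name__ == "__main__":
    for name, pkt in (("real", REAL), ("cloaked", CLOAKED), ("partial", PARTIAL)):
        print("%-8s -> %s" % (name, guess_os(pkt)))
```

The partial case is the one to watch: with only the TTL changed, the guesser ties between two signatures and reports a weak 2-of-3 match. nmap’s active detection adds TCP option ordering, initial sequence number behaviour and ICMP quirks to that list, so an obfuscator that only touches the obvious registry values leaves plenty of other tells.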

Tini – Backdoor

If you understand the attacks, then you also understand the difficulty of placing a backdoor on some machine/server.

Let’s meet ‘tini’; as the name says, it is tiny (only 3 kB in size) and can run without drawing attention.

So here is the behaviour: Tini is an executable which listens on TCP port 7777.

Since it is not a full-blown backdoor it doesn’t execute by itself (no persistence, no propagation); someone has to execute it. And by execute, what is meant is a simple ‘double click’.

On Host A run Tini.

On Host B, open up a command prompt and do ‘telnet <Host A> 7777′; you will be presented with the command prompt of Host A. Note that nothing in that exchange authenticates the client: anyone who can reach TCP port 7777 on Host A gets the same shell, which is also what makes it easy to spot (a ‘netstat -an’ on Host A shows the listener).

Beware that most antivirus/antispyware products will identify this one and may cause problems, so use it with due diligence. This is more of a useful tool than a destructive one.

It is also possible to change the port; all you need is a hex editor to open the Tini binary and change the bytes that hold the value 7777.

If someone would like to know, I would post that as well.
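The hex-editor change, as an added example that is not code from the original post and not from tini: it searches a binary for a 16-bit port constant and re-points it. The sample “binary” is constructed for the demonstration; it is NOT tini, and its byte layout is not claimed to be tini’s. Depending on how a program was built the port sits in the file either as a host-order immediate (61 1E for 7777) or already in network order (1E 61, if htons was folded in at build time), so both encodings are searched and the patch refuses to guess when the value occurs more than once.

```python
"""Find and re-point a 16-bit listening-port constant inside a binary, the
hex-editor change the post describes for tini's port 7777.

Added example, not from the original post or from tini. SAMPLE below is a
constructed stand-in, not tini, and its layout is not claimed to be tini's.
"""
import struct


def encodings(port: int) -> dict:
    """The two byte patterns a port constant can take in an x86 binary."""
    return {"host-order immediate": struct.pack("<H", port),
            "network order (htons baked in)": struct.pack(">H", port)}


def find_port(blob: bytes, port: int) -> list:
    """Every (offset, encoding) at which the port value occurs."""
    hits = []
    for label, pattern in encodings(port).items():
        start = 0
        while (i := blob.find(pattern, start)) != -1:
            hits.append((i, label))
            start = i + 1
    return sorted(hits)


def patch_port(blob: bytes, old: int, new: int, offset: int = None) -> bytes:
    """Replace the port constant, refusing to guess when the value is ambiguous.

    A two-byte value can easily occur elsewhere in code or data; patching the
    wrong occurrence corrupts the program, so multiple hits require an explicit
    offset chosen after looking at the disassembly.
    """
    if not 1 <= new <= 65535:
        raise ValueError("port out of range")
    hits = find_port(blob, old)
    if not hits:
        raise ValueError("port %d not found" % old)
    if offset is None:
        if len(hits) > 1:
            raise ValueError("value appears %d times, pass offset=" % len(hits))
        offset, label = hits[0]
    else:
        label = dict(hits).get(offset)
        if label is None:
            raise ValueError("no %d at offset %d" % (old, offset))
    return blob[:offset] + encodings(new)[label] + blob[offset + 2:]


# Constructed stand-in for a tiny bind-shell binary: a 'push 7777' immediate
# (68 61 1E 00 00) followed, to show the ambiguity check, by the same value
# again in network order inside unrelated bytes.
SAMPLE = (b"MZ" + b"\x90" * 6
          + b"\x68" + struct.pack("<I", 7777)        # push imm32 7777 (host order) at offset 8
          + b"\x90" * 4
          + b"\x1e\x61"                              # 7777 in network order at offset 17
          + b"\xc3")

if __name__ == "__main__":
    print("hits for 7777:", find_port(SAMPLE, 7777))
    patched = patch_port(SAMPLE, 7777, 31337, offset=9)   # the push immediate is at 9
    print("hits for 31337 after patch:", find_port(patched, 31337))
```

Whichever occurrence you patch, confirm it afterwards the same way you would confirm the original: run the binary in an isolated VM and check that the listener now shows up on the new port rather than on 7777.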

{Download and Understand Here}