P0f version 3 install issues

Since things disappear off the interweb all the time:

The original is at https://isc.sans.edu/diary.html?date=2013-12-19

Kali comes with an older (v2.08) version of p0f. The newer version, 3.06b, can be downloaded from http://lcamtuf.coredump.cx/p0f3/

Install

  • P0f 3 needs the development libraries for libpcap. To get these, run “sudo apt-get install libpcap-dev”.
  • NOW you can likely run build.sh successfully!
  • “build.sh” is the installer; it checks dependencies and then installs.

The application needs promiscuous mode.

  • p0f runs by sniffing the network and then reporting on what it sees.
  • Give it something to see by setting your network card to promiscuous mode.
  • You must choose the right network card in the VirtualBox (Vbox) config.

Ready to run the app.

  • There are a few different modes to run in. The basic text output comes from “sudo p0f -i eth0” (make sure this is the correct Ethernet interface).
  • You probably want to output to a file, which will create a CSV file that you can parse into a spreadsheet or database table, using “p0f -i eth0 -o pvsout.txt”.

You can also run p0f against an existing saved PCAP file.
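To get the -o log into a spreadsheet or database, here is an added example that is not from the diary, the Kali package or the p0f project: it parses p0f 3's `|`-separated key=value records (an assumption about the log layout, with constructed sample lines rather than captured traffic) into CSV columns and summarises the OS guesses seen per client address.

```python
"""Turn p0f 3 '-o' log records into CSV rows and per-client OS summaries.

Added example, not part of the ISC diary or the p0f project. It assumes the
p0f 3 log layout: one record per line, a bracketed timestamp, then key=value
fields separated by '|' (mod, cli, srv, subj, os, app, dist, raw_sig, ...).
The sample records below are constructed, not captured traffic.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample log in the p0f 3 style (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[2013/12/19 09:15:01] mod=syn|cli=192.0.2.10/51234|srv=198.51.100.5/80|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2013/12/19 09:15:01] mod=mtu|cli=192.0.2.10/51234|srv=198.51.100.5/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2013/12/19 09:15:02] mod=http request|cli=192.0.2.10/51234|srv=198.51.100.5/80|subj=cli|app=Firefox 10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[text/html],Connection=[keep-alive]::Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/24.0
[2013/12/19 09:16:40] mod=syn|cli=192.0.2.10/51300|srv=198.51.100.5/443|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
this line is not a p0f record and must be skipped
"""

RECORD_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.+)$")


def parse_record(line):
    """Parse one log line into a dict; return None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts")}
    for field in m.group("body").split("|"):
        key, sep, value = field.partition("=")   # only the first '=' splits key/value
        if not sep:
            continue   # malformed field: skip it rather than invent a value
        rec[key.strip()] = value.strip()
    # Split 'ip/port' endpoints so they land in separate spreadsheet columns.
    for end in ("cli", "srv"):
        if "/" in rec.get(end, ""):
            ip, port = rec[end].rsplit("/", 1)
            rec[end + "_ip"], rec[end + "_port"] = ip, port
    return rec


COLUMNS = ["timestamp", "mod", "subj", "cli_ip", "cli_port", "srv_ip", "srv_port",
           "os", "app", "link", "dist", "params", "raw_sig"]


def log_to_csv(text):
    """Return the log as CSV text: a fixed header, then one row per valid record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            writer.writerow(rec)   # columns a record lacks come out empty
    return buf.getvalue()


def os_by_client(text):
    """Map client IP -> Counter of OS guesses taken from 'syn' records.

    One address that shows several OS fingerprints within minutes is worth a
    look: NAT, a VM host, or a device you did not know was there.
    """
    seen = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("mod") == "syn" and "os" in rec and "cli_ip" in rec:
            seen[rec["cli_ip"]][rec["os"]] += 1
    return seen


if __name__ == "__main__":
    print(log_to_csv(SAMPLE_LOG))
    for ip, guesses in os_by_client(SAMPLE_LOG).items():
        print(ip, dict(guesses))
```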

CEH v7 iPhone app Support and Errata

Dean
Quiz at iTunes Store. Coming soon: 400 minutes of CEH v7 video!

If anyone reports a bug or a question error that cannot be fixed until next version it will be listed here with credit for the find.

Date    Section  Question #  Bug hunter  Issue & Fix
Aug.12  C12      31023       M. Brandon  Spelling of correct answer should read XSS not XXS
                                         Details – none
Aug.15  C14      31052       T. Belso    Question starts “the tool for executing…”. Key is correct, more info is wrong.
                                         Details – http://www.securiteam.com/tools/5GP081P75C.html and http://msdn.microsoft.com/en-us/library/1x933c7s(v=vs.80).aspx

This is a roll-up page of all the links so you can get the data from a full-featured browser.

For those who are in the iPhone video app: this page can be found at http://www.expandingsecurity.com/?p=2467

CEH v7 Footprinting Study guide

CEH v7 Law and Ethics Study guide

CEH v7 Scanning Study guide

CEH v7 Enumeration Study guide

CEH v7 System Hacking Study guide

CEH v7 Trojans and Backdoors Study guide

CEH v7 Sniffers Study guide

CEH v7 Denial of Service Study guide

CEH v7 Social Engineering Study guide

CEH v7 Session Hijacking Study guide

CEH v7 Hacking Web Servers Study guide

CEH v7 Web Based Password Cracking Techniques Study guide

CEH v7 Web Application Vulnerabilities Study guide

CEH v7 SQL Injection Study guide

CEH v7 Hacking Wireless Networks Study guide

CEH v7 Viruses Study guide

CEH v7 Layer 2 and 3 Study guide

CEH v7 Linux Hacking Study guide

CEH v7 Evading IDS Firewalls and Honeypots Study guide

CEH v7 Buffer Overflows Study guide

CEH v7 Cryptography Study guide

CEH v7 Penetration Testing Study guide

Pain pi!! #28 Buffer Overflows it is like what?

What is “The Pain Pill” ? Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better.

Come to the free class on buffer overflows. Click here: Thursday 2011-07-28 11:00:00 AM Central Time

This post is located here and the video is here.

Just the other day I was thinking to myself, is a buffer overflow like a toilet overflow? Before you start thinking this is going to degrade into bathroom humor, I will stop you. Then I thought,  What is a good analogy for a buffer overflow? I want to understand buffer overflows enough to limit this security flaw, right? I went digging around and I found some great books and papers on the subject. Smashing the Stack for Fun and Profit is this great paper for really geeky people to learn about buffer overflows, but what about the rest of us?

Hmmm? Smashing the stack reminded me of when I was in the restaurant business as a kid. We had these huge plate warmers for the buffet lines. They were really great. You pick up a stack of clean, dry plates and drop them in the spring-loaded hopper. People starting in line grabbed the top one and moved down the line; one by one the plates would be removed from the warmer until they were all gone. I remember it because it was my job to load it. I would grab a whole stack of plates from the dishwashing area, run out front and load the warmer before it was empty. One time I grabbed a two-foot stack that was not quite dry, started to turn a corner to go out to the buffet line, and smashed the whole stack. It made a lot of noise. I MEAN A LOT OF NOISE!

It turns out that busboys smashing plates and geeks smashing memory stacks have a lot in common. I put the two together in class and VoiLA! Plates are stacked last-in-first-out (LIFO), and LIFO is the key ingredient in understanding the memory stack. The memory stack is the set of buffers that is abused in a buffer overflow. This leads to a long discussion that is not high level enough for this three-minute format, so come to class below for more details.

But, why do we care about buffer overflows? Because like plates and buffet lines they are so prevalent. They are everywhere. They are easy to create and easy to abuse. How easy? Well… Someone who can read a book, learn to program, and who has a real persistent nature could decompile your custom programming and 20-80 hours later, BOOM! The problem is, not many people are willing to put in the time, except your adversaries.

So what can we do about it?

It turns out that software vendors are finding and fixing buffer overflows all the time. It is our job to patch ASAP.

What about custom code, the stuff we build in-house? You cannot be as diligent as the big firms, or can you? I think you can learn safe coding practices and use tools like ESAPI for the web. You can also limit exposure to the outside. Keep that internal code from being used on the web.

What can we do to make it better for us, for you?

Policy:

  • Incorporate third party code review as a requirement before releasing to production
  • Require ESAPI for all web applications
  • Build patch management into all processes

Action items:

  • Review vendor patches
  • Learn the ESAPI for the web

Don’t know how to do these activities? Come to class FREE on Buffer overflows.

CEH: 20 Buffer Overflows Thursday 2011-07-28 11:00:00 AM Central Time

Click here

Or bit.ly/painpill_28

Painpi!! #27 Penetration Testing a business approach

What is “The Pain Pill” ? Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better.

Do you like the plain or the Red logo format? Email me back!

This post is located here and the video is here.

Free class is Thursday 7:30 – 8:30 Central Time; click here.

Recently I have been asked to do more and more penetration tests. A penetration test is a fancy way of saying: hire someone to attack your systems, hopefully before the attacker does, hopefully in all the old ways and some new ways, so that you can improve your defenses.

What a pen test does and doesn’t do:

  • It doesn’t prove you are secure.
  • It doesn’t tell you what controls to install.
  • It doesn’t reveal to what degree you are insecure.
  • It does prove you are insecure, if a true breach is committed.
  • It does tell specifically where your controls failed.

As a tester – I will not tell you that your network is secure. Why? Because the customer sets the scope. If the customer ties my hands behind my back in a test by taking away a vector of attack, then there is no way I can guess the “what if…” A customer is definitely going to tell me I cannot do a denial of service. So right there, I cannot do what attackers do… or could I? (Come to class I will explain how.)

You pay for X number of days, you get those days. If we can take a few roadblocks to testing down, I can spend more time testing and less time fighting with your business process, your controls, and your people (again, more in class). You will get a more detailed test.

An attacker can attack anywhere at anytime and in very new ways. Testers must at least keep up, very good testers get out ahead of the attackers. This is not a skill that many have. Thinking of the next way to attack requires practice. Thinking of a new way to attack that will not take down the service, but will still prove the attack is possible requires more skill.

What can we do to make it better for us, for you?

Most important quality in a tester: Testers must be very trusted advisors. Trust above all else.

Most important quality in a testee: Don’t be embarrassed or defensive when the tester cuts through your defenses like a hot knife through butter. We concentrate so hard on what is in front of us, we forget to turn around and look. A tester’s job is to turn around and look in a new way, not spare our feelings.

Policy: (this is different from what we normally discuss)

  • Policy is general and exceptions are supposed to be rare.
  • Write exceptions process for pen testing, a separate policy that supersedes other exceptions.
  • Write emergency change control for critical flaws found in testing.

Action items:

  • Testers need highest-level approval; seek approval first, before engagement.
  • Tie internal project management goals for fixes to the end of the report.

Don’t know how to do these activities? Come to our free class! Thursday 7:30 – 8:30 PM Central. Click here

Or http://www.bit.ly/painpill27

Painpi!! #35 Social engineering of social networking

What is “The Pain Pill” ?

Every Tuesday (well youtube was down so… Wednesday this week) I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts. A related reading is posted to expandingsecurity.com

Commercial- We have online classes for CISSP and CEH!

This post and the video are located here

Last week I received an email message asking me to link on LinkedIn. No wait, it says, if I invite him he will not turn me down. What kind of crap is that? Either invite me or don’t, but don’t make me do the work. I never met him. He is going to grace me with his backhanded invitation? [deleted nasty comment].

In another instance I had someone send me a personal message. In the message they ask me to link with their company; not them, but their company. (This was before company profiles were a feature of LinkedIn.) For what reason? So they can have a lackey pick through my contacts for business?

And here it is. The social engineering of social networking.

If you link with someone they now have access to your contacts. Think of it like letting someone look in your Rolodex or your Outlook contact list. (Boy, did I just date myself with the Rolodex reference.) If they use your name to connect to someone else, it is like using you as the authority or reason for linking. This is the heart of social engineering: convincing someone to do something they would not normally do, for a good reason.

Rules for linking:

  1. If we have met face to face and interacted a few times it is reasonable to invite.
  2. If we did not meet face to face: try to meet virtually or post to one of the groups we share.
  3. When you invite, make it personal. Show something about yourself.
  4. If they have Zero contacts, NO!
  5. If they don’t link, don’t be offended.

Let’s go back to the original tenets of LinkedIn: “We recommend you only connect with those you know and trust.”

  • How many people do you know?
  • What does it mean to know someone?
  • What is trust?

People say if you can count your friends on one hand, you are blessed. If you need more hands, they might not be your friends. My ultimate goal is to have very few, very valuable people in my LinkedIn group; when I reach out, I want a reply. If you reach out to me, I am going to reply. My goal is to make my network smaller, tighter, more trusted. I think I should kick people out of my network. We should get more selective, not less.

What do you think?

Painpi!! #25 Social Network vs Social Engineer

— Special note: We have made class easier to attend. Even if you cannot make it this week, will you please give the link a try and see if the new system makes sense? It should tell you you are really early, a little early, or too late. Please, send me a note and tell me what you think.

What is “The Pain Pill” ? Every Tuesday I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. Free class is June 9 6-7PM Central. Click here

This post is located here and the video is here.

Social Network vs. Social Engineer

Everyone loves sharing, showing and telling their latest trip, latest party, or what they had for lunch. Personally, I don’t care what Justin Bieber had for lunch, what he thinks, or how much he likes the fans from his tour. But the rest of the world seems pretty interested in what everyone else is doing on spacebook, faceplace, and twit. The social network seems to be a big part of getting a life these days. As an ethical hacker, am I going to take full advantage of social networks? Am I going to take full advantage of social engineering? Am I going to use your personal information against you? Anyone who gives out enough personal information, like where they live, their daily routines, or their favorite color, is going to regret it. Oh no, wait: I am not going to use it against you because I have ethics, but attackers are going to use it against you.

Social Engineering starts with taking advantage of human nature. What does it feel like when I say these statements:

  • That is my favorite color, too!
  • I drive the same car you do!
  • Oh, I can’t stand that band either.

With each statement we grow closer; you trust me more. Now you might not trust me if I just listen and parrot back, but if I make statements that echo your sentiments and if I am willing to defend the same things you do, then you really want to get close to me. People like people who are like them; it is human nature.

Now let’s take this human nature and start using it in a security setting. I could call you on the phone, tell you I know you, prove it with some data from your personal page and start asking you for other data like your password. You think this will not work on you, but will it work on the regular person? Oh YEAH! Now that I have their account, I will go after yours.

Think about it: all the things that make you unique in a database give the attacker data for guessing your current passwords and the next password you might use. Think about it: auditors go crazy when a company leaks even the smallest amount of data. Regulators start threatening fines when they hear of exposures. It is called Personally Identifiable Information (PII). If you ask companies to protect PII, then why don’t you protect it, too?

What can we do to make it better for us, for you?

Policy:

  • Limit commingling of social networking data and PII.
  • Define what information should and should not be posted to social networking sites.

Action items:

  • Disable social networking in email clients.
  • Teach children about predatory practices and how to avoid them.

Don’t know how to do these activities or work in faceplace’s insecurity department? Come to our free class! June 9, 6-7PM Central.

Click here

Or bit.ly/painpill25

Totally off topic – a director of engineering at Facebook posted the following nonsensical statements on his blog.

  1. “Today, we’re improving HTTPS…”
  2. “starting to introduce Two Factor Authentication…”

This kind of crap makes our job of implementing security measures impossible because we must explain that neither of these statements is true. Oh, you are going to change a protocol for me? I don’t think so! And just because you have two passwords doesn’t mean it is two factor!

Painpi!! 23 let go my Stego

Most of the time I pose a problem and then give you my answer. Let’s do a change up. Mostly because I don’t have an answer that I am willing to support this week.

Come to our CISSP/CEH class for free this week on Saturday May 28 at 12:30 Central. Click this link 5 minutes before class, type your name and email, and the site will put you in the class with our regular students.

Steganography is a covert channel of communication, hiding one communication inside another.

In this example, two people want to talk about something that they don’t want YOU to know they are talking about. In your country it might be illegal to discuss a revolt against the government. You could still talk about mundane topics like how much you like the latest movie. What you decide to do is use the whitespace in an online posting about movies to communicate covertly: one extra space after a word means bit 0, and two extra spaces mean bit 1. If I did a long enough post with extra line breaks I could communicate my intentions… some  inane   drivel  like   this  sentence   about  nothing   that  goes   on  for   too  long   could  hide   plenty  of   extra bits  . That is steganography. The only rule is the carrier file must be larger than the carried file.
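The whitespace scheme just described, written out as an added example (not the post’s own code and not any tool it names), with a constructed carrier sentence and payload: embed/extract following the one-extra-space = 0, two-extra-spaces = 1 rule, a capacity check that puts the carrier-must-be-larger rule in numbers, and a simple gap-width ratio a reviewer of outbound postings can compute to notice text whose word gaps are unusually wide.

```python
"""Whitespace steganography as described in the post, plus a defender's check.

Added example; not the post's own code and not any tool it names. Encoding
rule from the post: after a word, one extra space (two in total) carries bit
0 and two extra spaces (three in total) carry bit 1. A plain single space
carries nothing, so a carrier needs eight word gaps per payload byte, which
is the post's 'carrier must be larger than the carried file' rule in numbers.
"""
import re

# Constructed carrier text; the words are arbitrary, only the gaps matter.
CARRIER = ("some inane drivel like this sentence about nothing that goes on for "
           "too long could hide plenty of extra bits and then a few more words to be safe")


def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(carrier):
    """Whole payload bytes the carrier's word gaps can hold (8 gaps per byte)."""
    return max(len(carrier.split()) - 1, 0) // 8


def embed(carrier, payload):
    """Return carrier with payload bits written into its word gaps.

    Raises ValueError when the carrier is too small, enforcing the size rule.
    """
    words = carrier.split()          # also normalises any pre-existing wide gaps
    gaps = len(words) - 1
    needed = len(payload) * 8
    if needed > gaps:
        raise ValueError(f"carrier has {gaps} word gaps, payload needs {needed}")
    bits = _bits(payload)
    out = [words[0]]
    for i, word in enumerate(words[1:]):
        if i < needed:
            out.append(" " * (2 if next(bits) == 0 else 3))   # 2 spaces -> 0, 3 -> 1
        else:
            out.append(" ")                                    # plain gap: no payload
        out.append(word)
    return "".join(out)


def extract(text):
    """Read gap widths back into bytes; stop at the first plain or odd-width gap."""
    bits = []
    for gap in re.findall(r" +", text):
        if len(gap) == 2:
            bits.append(0)
        elif len(gap) == 3:
            bits.append(1)
        else:
            break
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def wide_gap_ratio(text):
    """Fraction of inter-word gaps wider than one space.

    Heuristic for reviewers of outbound posts: normal prose sits near 0 (a
    few double spaces after sentences at most); a loaded carrier is close to 1.
    """
    gaps = re.findall(r" +", text)
    if not gaps:
        return 0.0
    return sum(len(g) > 1 for g in gaps) / len(gaps)


if __name__ == "__main__":
    stego = embed(CARRIER, b"Hi")
    print(repr(stego))
    print("recovered:", extract(stego))
    print("wide gap ratio: clean %.2f, loaded %.2f"
          % (wide_gap_ratio(CARRIER), wide_gap_ratio(stego)))
```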

What does this have to do with business? Revolts are one thing, but business is something else. What about:

Hanjuan Jin of Schaumburg, Ill., a naturalized U.S. citizen who was born in China, was stopped at Chicago’s O’Hare International Airport on Feb. 28, 2007, in a random search. She got busted with Motorola’s intellectual property while trying to leave the U.S. on a one-way ticket to Beijing. If she had stepped up her game and used steganography, she could have uploaded pictures of her Siamese cat to a KATLovers blog and never left the country. Or left with no laptop, no drives, no DVDs; just left, and transmitted all the data she wanted.

How many Jins are out there that don’t get caught? Now that is a business problem!

Let’s take this one step further. You are pissed because the free coffee has been stopped, the break has been cut from 20 minutes to 10, and your bonus did not happen this year. Instead of leaving the company you decide to make some side cash by posting your own company’s IP inside cat pictures. Your company would never know.

Now switch roles: You are in charge of protecting and securing the company’s assets. What do you do?

Policy & Action Items:

  • The best thing I can come up with to protect us is: better employee screening?

This week it is all about YOU and your answer, because I don’t really know if there is an answer. This week, tell me what you think about the technical topic and the business problem, and come up with an answer that fits your business. If you don’t know, say “I don’t know.”

We are going to meet on Saturday May 28 12:30 Central. If you cannot make it, send me your email comments. I will post them and talk about them.

Oh and by the way – if you have something better to do with your Saturday? The spies, the cheats, the international jerks who want to rip you off don’t have any plans, so you can relax. <G>

Hope you like this, tell me if you do or don’t.

If you need the link to class you can get it from this page. Remember 5 minutes before 12:30 Central May 28.

http://www.expandingsecurity.com/?p=2169

Dean

Preventing deer-in-headlights look.

P.S. Below is some great data on the technical details of steganography without the typical drinking from a fire hydrant.

http://www.garykessler.net/library/fsc_stego.html

PainPi!! #22 Scanning Defense and Attack

Scanning!

Free CEH class Thursday 7:30-8:30 PM central – Click this link, type your name, turn up your speakers.

To see the video version click here

If you take a look at any firewall log today, you will see hundreds of scans per hour. The last report I read said the average time to first port scan of a public IP address was 7-10 seconds. I thought that was a load of crap designed to scare all of us, so I put it to the test. I built a computer, put it in front of my firewall and turned on logging for all packets. Sure enough, 1, 2, 3, … 15 seconds later: ping, ping, port, port, port, BOOM!

My IP address was pinged, my ports were scanned, then the attack.

Most of us would say, “All our ports are closed except our web server and our mail server, so we are safe.”

Wrong! Yes you are safe on the closed ports, but the open ports are still open.

What can we do?

Policy items:

  • Identify or define:
      • The roles and who reviews firewall and IDS log data.
      • The review interval, escalation process and reporting for firewall and IDS data.

Action items:

  • Monitor the open ports and connection attempts from IDS or firewalls on a regular basis.
  • Tar Pit the closed ports on servers that are Internet addressable.
  • If this is just you running the whole show- outsource either the services or the review process.

We have some great deals on a 10-week Live Online class. Click here for CISSP or CEH.

If you want someone to subscribe to the Pain Pi!!, click here.

CEH raw topic links

CEH_SRC

01 Intro Ethical hacking

SecureDeath[d0t]com
Corsaire: Experts at Securing Information
RootPrompt — Nothing but Unix
Contact Us – The Community’s Center for Security
Glossary – OUSPG
Antionline – Maximum Security for a Connected World
EFF “Hacker” Archive
http://bak.spc.org/dms/archive/britphrk.txt
Google Directory – Computers > Hacking
Google Directory
http://bak.spc.org/dms/archive/profile.html
Hacking < Security and Encryption in the Yahoo! Directory
Penetration testing

02 Footprinting

02 Reading

Footprinting, scoping and recon with DNS, Google Hacking and Metadata (Hacking Illustrated Series InfoSec Tutorial Videos)
DOMAIN NAMES – CONCEPTS AND FACILITIES [RFC-Ref]
Regional Internet registry – Wikipedia, the free encyclopedia
http://www.packetwatch.net/documents/papers/osdetection.pdf
Information Gathering Tools
http://simson.net/clips/academic/2009.BL.InternetFootprint.pdf
http://www.ecqurity.com/wp/footprinting-encored.pdf
http://www.ietf.org/rfc/rfc1034.txt
http://web.textfiles.com/hacking/footprinting.txt
NEOHAPSIS – Peace of Mind Through Integrity and Insight
SecuriTeam – Analysis of Remote Active Operating System Fingerprinting Tools
Remote OS Detection via TCP/IP Fingerprinting
Remote OS detection via TCP
Chapter 8. Remote OS Detection
Fingerprinting Merit Badge
http://freeworld.thc.org/thc-ffp/
CJ625 Student Paper
Footprinting: The Basics of Hacking :: Hack In The Box :: Keeping Knowledge Free
Readings the hacker’s choice – THC
What is competitive intelligence?
Know Your Enemy: Passive Fingerprinting | The Honeynet Project
IMS General Web Services glossary

02 IP and telephone networks

American Registry for Internet Numbers (ARIN)
IP Trace, IP Tracing tools – by TialSoft software
APNIC – About network abuse and spamming
Sandstorm PhoneSweep 4.4 War Dialer Telephone Line Scanner
Port monitor – CallerIP – IP connection monitor, port monitoring, spyware monitoring, adware monitoring, whois and network reports

02 DNS

DNS-Digger – Trying to digg deeper into the information behind the net
Dig web interface
Domain Recon
host – Linux man page
DNS tools
DNS Tools | Ajax DNS
DNS RIPE.NET
DNS APNIC
DNS LACNIC

02 Whois

The Prefix WhoIs Project – Greetings
Free online network tools – traceroute, nslookup, dig, whois lookup, ping – IPv6
DomainTools | Whois Lookup, DNS Lookup, Reverse Whois Lookup
Whois 2010 PRO
Freeware Programs: NetInspector
Whois By IP Address
Better Whois: The WHOIS domain search that works with all registrars.
Whois
Domain Research Tool – Typein domains, Pagerank domain, Link Popularity domains, Bulk whois
Domain Name Management Software – Internet Business Asset Management : DomainPunch.Com

02 Traceroute

3d Traceroute
Path Analyzer Pro – Graphical Traceroute, WhoIs, Charts, Maps, Performance Testing, ip location, tracert, trace route
Traceroute – VisualRoute Live Demo – Diagnosing your connection problems.
Visual IP Trace – IP, website and doamin location trace tool
Roadkil.Net – Roadkil’s Trace Route Program Download
vTrace
Ping Plotter Download
Ping-Probe (Essential Network Toolkit Suite)
Traceroute Tool
Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS

02 Website offline cache

PageNest Free Offline Browser
HTTrack Website Copier – Offline Browser
website monitoring KeepNI
BlackWidow will download part or complete website.
Website Ripper Copier, Download Website Downloader, Extract Web site, Webspider – high-speed tool for saving website data!
WebSite-Watcher – Software to check websites for updates and changes (web page monitoring)

03 Scanning

03 Readings

Internet Anonymizers
TCP/IP Fingerprinting Methods Supported by Nmap
Nmap – Scan Modes | Openxtra
Classnotes: UNIX03/Introduction To Nmap
OS Fingerprinting with ICMP
Nmap: The Art of Port Scanning
Port Scanning / Internet Security Lectures by Prabhaker Mateti
http://www.in-f-or.it/informatica/docs/portscan.pdf
http://www.lancemueller.com/blog/Create%20Reverse%20SSH%20to%20reach%20servlet%20inside%20firewall.pdf
http://cobweb.ecn.purdue.edu/%7Ekak/compsec/NewLectures/Lecture23.pdf
http://www.nordu.net/development/2nd-cnnw/tcp-analysis-based-on-flags.pdf
hping security tool – man page
http://www.systemexperts.com/assets/tutors/wardial0299.pdf
IMS General Web Services Security Profile
Network Security Library / Misc
Thc- Ed video
news at Netcraft

03 Multi layer

Nmap
Free Application Monitoring
AutoScan-Network : Free Network Scanner
Network Scanner – Port Scanner – Host Monitor – Network Utilities
HP Network Node Manager (NNM) Advanced Edition software – HP – BTO Software

03 IP

Hping – Active Network Security Tool
Ping Tester – Visual Ping Test Tool
Home – Ultra Ping
Lumeta – IPsonar
PingInfoView – Ping to multiple host names/IP addresses
NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer
Network Map Generation Software from SolarWinds
Network Mapper and Monitor
Switch Center: Network Discovery and Mapping Monitoring Software
1234XXX.COM | 1234xxx

03 Telephone

THC-SCAN – the worlds most used opensource wardialer!
Scanning the hacker’s choice – THC all tools
SecureLogix® Home Page

04 Enumeration

04 Reading

GRAPE-INFO-DOT-COM
AT&T hack exposes 19,000 identities – CNET News
Network management, network discovery, SNMP, MIB and WMI browsers, NetBIOS and port scanner

04 LDAP

Overview | LDAP Account Manager
LEX – The LDAP Explorer
Softerra LDAP Administrator & Browser: Directory Management Tool for Windows
Open Channel Foundation: LDAP Browser Editor
LDAP Explorer Tool: a multi platform LDAP browser and editor
Using Ldp.exe to Find Data in the Active Directory
JXplorer – an open source ldap browser
Virtual Directory Server, LDAP Proxy and Federated Identity Management for Single Sign-On Solutions
LDAP Admin Tool Pro. Edition – Professional LDAP Administration Tool

04 Windows SMB Acct NetBIOS

Windows Enumeration: USER2SID & SID2USER
NetBIOS Enumerator
Men & Mice download for Windows

04 Time

Bytefusion:Download
NTP Servers GPS & MSF | Time Servers | NTP Time Servers | Synchronised Network Clocks | Large Digital Wall Clocks | Galleon Systems
EmTec – Terminal Emulator, Telnet and Secure Shell (SSH/SSH2) Client and Comm. Software for Windows
Meinberg der Funkuhr und Time Server Spezialist

04 SNMP

OID VIEW MIB Browser – SNMP Analysis Network Fault Management – SNMP MIBS Tools
snmp monitoring – monitoring software – network management
SNMP
SNMP4tPC – What is SNMP?
Windows 2000, SNMP and Security | Symantec Connect Community
Internetworking Technology Handbook – Simple Network Management Protocol (SNMP) – Cisco Systems
iReasoning Inc. – Network Management / Application Management Solutions
WTCS.ORG – Williams Technology Consulting Services

04 Multi

OpenVAS Open Vulnerability Assessment System Community Site
Nessus
Switch Port Management, IP Address Management, Rogue Detection, Wake on LAN and Network Monitoring Tools from ManageEngine OpUtils
SuperScan | McAfee Free Tools
Network Security Audit Software and Vulnerability Scanner
Home of NetScanTools® Network Engineering Tools and the Managed Switch Port Mapping Tool

04 Nix

enum4linux – Portcullis Labs
Linux and UNIX finger command.

05 System Hacking

05 Reading

Using passwords as a defense mechanism to improve Windows security (Part 2)
http://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-pdfs/bh-jp-04-seki.pdf
http://research.microsoft.com/en-us/um/people/wdcui/papers/hookmap-raid08.pdf
http://www.symantec.com/avcenter/reference/when.malware.meets.rootkits.pdf
Brute-force attack – Wikipedia, the free encyclopedia
http://media.techtarget.com/searchSecurity/downloads/HackingforDummiesCh07.pdf
Authernative, Inc. | Products | FAQs
The Hack FAQ: Password Basics
Luigi Dragone Home Page – NTLM Authentication in Java
Securing Windows 2000 Server
Sunbelt TECH BRIEFING
Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
coolersky.com
Detecting Alternate Data Streams
Linux Today – ZDNet Australia: Threats Move Beyond Linux to Windows
NEOHAPSIS – Peace of Mind Through Integrity and Insight

05 Streams Stego Covert Communication

Sidebar: A Simple Rootkit Example – Computerworld
Rootkits offer the lure of total control – Feature – Techworld.com
Infosecwriters.com
Steganography – Word Information
CS 450 Homework 4
SecurityFriday [Hazard of “My Network Places” on Windows XP]
NBName
MD5 Digest
CS 513 System Security — Authentication

05 Alt data Streams Stego

Streams
NT Kernel Resources: Merge Streams
Frank Heyne Software – LADS
ntsecurity.nu – toolbox
SilentEye – Steganography is yours
The SNOW Home Page
The Gifshuffle Home Page
JPHS 0.3 free download. JPSEEK and JPHIDE are 2 programs that allows you to hide a file in a jpeg visual image
QuickStego – Free Steganography Software
wbStego Steganography Tool
StegParty
Data Stash v1.5 – Steganographic security tool :: skyjuicesoftware.com
Hydan: Information Hiding in Program Binaries
SourceForge.net: FoxHole – Steganography filemanager – Project Web Hosting – Open Source Software
Hide files and folders – Masker 7.5
RT Steganography in Video Streaming | Download RT Steganography in Video Streaming software for free at SourceForge.net
mp3stegz | Download mp3stegz software for free at SourceForge.net
MP3Stego
MAXA Tools – Security Software
Steghide
BitCrypt The Strongest Encription on Earth
folder security software – Hide files and folders
StegoStick | Download StegoStick software for free at SourceForge.net

06 Trojans and Backdoors

06 Reading

NetCAT tutorial http://www.ol-service.com/sikurezza/doc/netcat_eng.pdf
http://www.telecomworx.com/Adobe/Files39087.pdf
http://www.niscc.gov.uk/niscc/docs/tn-20040216-00080.html?lang=en
Anti Trojan source – How to protect your network against trojans – News.my-install.com
Remote Access Trojan FAQ and Port List Computer Security – Network Security Virus Hacking
http://www.cgisecurity.com/lib/placing_backdoors_through_firewalls.txt
Exploder
Wrappers
FAQ / Trojans FAQ
VPN
Microsoft – Windows File Protection
how to block ICMP tunneling?
Newbie: Security

07 Viruses and Worms

07 Reading

Wired 11.07: Slammed!
http://download.norman.no/manuals/eng/BOOKON.PDF
http://www.symantec.com/avcenter/reference/striker.pdf
The Spread of the Sapphire/Slammer Worm
Random Scanning Worms and Sapphire/Slammer’s PRNG…
Optus myZOO Learning Centre
http://www.mpl.org.eg/doc/eBOOKs/vtutor.pdf
Virus History Summary
Cybercrime : Piercing the darkness
Technical Briefs – Information on Computer Viruses

08 Denial of Service (10)

08 Reading

CERT/CC Denial of Service
Defeating DDoS
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi
DoS attacks: crime without penalty
http://www.damballa.com/downloads/r_pubs/WP%20Botnet%20Communications%20Primer%20%282009-06-04%29.pdf
http://www.iv2-technologies.com/FightingBotnetEcosystem.pdf
An Analysis of Fragmentation Attacks
Hardening the TCP/IP stack to SYN attacks | Symantec Connect Community
http://www.princeton.edu/%7Erblee/ELE572Papers/Fall04Readings/DDoSSurveyPaper_20030516_Final.pdf
DOS Defenses Against TCP SYN Flooding Attacks – The Internet Protocol Journal – Volume 9, Number 4 – Cisco Systems

09 Social Engineering

09 Reading

social-engineer.org framework
Social Engineering Fundamentals, Part II: Combat Strategies | Symantec Connect Community
http://www.pewinternet.org/%7E/media/Files/Reports/2009/PIP_Adult_social_networking_data_memo_FINAL.pdf.pdf
http://www.infosecwriters.com/text_resources/pdf/Social_Engineering_Can_Organizations_Win.pdf
Social Engineering: The Human Side Of Hacking

09 Phishing

Bank Safe Online
APWG: Resources
azuzi.me | Information Security Task Force
Internet Research, Anti-Phishing and PCI Security Services | Netcraft
PhishTank | Join the fight against phishing

10 Session Hijacking (11)

10 Reading

http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
http://www.cgisecurity.com/lib/SessionIDs.pdf
Anatomy of an ARP Poisoning Attack | WatchGuard
http://adventuresinsecurity.com/Papers/DNS_Cache_Poisoning.pdf
http://www.rootsecure.net/content/downloads/pdf/arp_spoofing_intro.pdf
Session hijack script
Session hijacking attack – OWASP
http://www.infosecwriters.com/text_resources/pdf/SKapoor_SessionHijacking.pdf
The Web Application Security Consortium / Credential and Session Prediction
CLIENT-SIDE ATTACKS | The Honeynet Project
Technology Bytes: Prevention from Session Hijacking
Session Hijacking
IP Security (IPSec)
How To Protect Your Login Information From Firesheep
arpspoof

11 Hacking Webservers (12)

11 Reading

Website basics W3Schools Online Web Tutorials
An Overview of a Web Server | Bodvoc’s Blog
IIS Security Monster 440 Page Jason Coombs ( dated but great)
Techno Freak: IIS 7.0 Architecture
Chapter 5 – Managing Web Server Security
Firewall Penetration Testing.pdf
SSL 3.0 Specification
ATTRITION Defacement Mirror
Insecure Configuration Management – OWASP

11 Attacks

Web-Server-Hacking | Darknet – The Darkside
HTTP Response Splitting – OWASP
Tunneling protocol – Wikipedia, the free encyclopedia

12 Hacking Web Applications (13)

12 Reading

Basic HTML Examples
PDF of Hacking Exposed chapter 1
OWASP Top 10 2010 Web Application Vulnerabilities
WebGoat Web Hacking Simulation Series
w3af – Web Application Attack and Audit Framework
Components and Web Application Architecture
A New Threat To Web Applications: Connection String Parameter Pollution (CSPP) | ORA600
WGET 1.11.4 for Windows (win32)
Bugtraq: Re: Bad news on RPC DCOM vulnerability

12 Authentication

Maximum Security – Chapter 10 – Password Crackers
How to Choose a BAD Password
Password Checker: Using Strong Passwords | Microsoft Security
What is an ISAPI Extension? – CodeProject
Introduction to password cracking – Xatrix Security
http://www.cs.jhu.edu/%7Erubin/courses/sp03/papers/passport.pdf
ASP.NET Forms Authentication – Part 1 – O’Reilly Media
The Simplest Security: A Guide To Better Password Practices | Symantec Connect Community
IPSec Authentication Extended Authentication (XAUTH)
Public Key Certificates, Digi Cert, Digicert, Certificates
http://www.ietf.org/rfc/rfc2617.txt
Documentation: Apache HTTP Server – The Apache HTTP Server Project
Hacking techniques

13 SQL Injection (14)

13 Reading

SQL Injection
EvilSQL
SQL Injection Attacks by Example
SQL Hacking Truths: Top 10 Tricks to exploit SQL Server Systems
Blind SQLInjection.pdf
SQL classification of attacks
SQL Injection
SQL Injection Cheat Sheet
SQL Injection – Hakipedia
http://www.ijcaonline.org/journal/number25/pxc387766.pdf
https://www.owasp.org/images/8/8e/One_Click_Ownage-Ferruh_Mavituna.pdf
Oracle_sql_crashcourse_for_developers.pdf
Code Injection – OWASP
Reviewing Code for SQL Injection – OWASP
Cross Site Scripting Flaw – OWASP
Injection Flaws – OWASP
http://www.toorcon.org/tcx/16_Alonso.pdf
Data Security and Compliance Terms | Glossary
‘SQL injection’ attacks on the rise in Atlanta | Atlanta Business Chronicle

16 Penetration Testing / Metasploit (19)

16 Reading

Penetration Testing Framework 0.57
Penetration testing guide
http://www.net-security.org/dl/newsletter/txt/issue059.txt
http://www.netdesignplus.net/publications/victor_sawma_thesis.pdf

16 metasploit

Open Security Training – Security and Hacking Tools
Metasploit Unleashed By Offensive Security
Metasploit Penetration Testing Framework – Module Search
Armitage Tutorial – Cyber Attack Management for Metasploit
Metasploit Megaprimer (Exploitation Basics And Need For Metasploit) Part 1
Metasploit — PenTestIT

17 Sniffers (08)

17 Reading

Traffic Talk: Testing Snort with Metasploit
Undetectable Sniffing On Ethernet
Packet Sniffing: Sniffing Tools Detection Prevention Methods
Top Ten Ethereal Tips and Tricks – O’Reilly Media
http://www.securityfriday.com/promiscuous_detection_01.pdf

18 Hacking Wireless Networks (15)

18 Reading

Wi-Fi Tutorials – Wi-Fi Planet
How 802.11 Wireless Works: Wireless
Service set (802.11 network) – Wikipedia, the free encyclopedia
madwifi-project.org – Trac
Trusted Computing Group – Developers – Trusted Network Connect
Different Types of Wireless Network
Identifying Rogue Access Points
Advantages and Disadvantages of WLANs
Antenna Cabling Guide – Gumph
TKIP (Temporal Key Integrity Protocol)
Cracking WPA Network
Cracking WPA / WPA2 – SmallNetBuilder
Cracking WEP Using Backtrack: A Beginner’s Guide
Cracking wep wpa
Hacking Techniques in Wireless Networks
Wireless LAN Security / Wardriving / WiFi Security / 802.11
Wireless Network Security
Wireless.pdf
wireless_hacking.pdf
http://forskningsnett.uninett.no/wlan/download/wlan-mac-spoof.pdf
Warchalking Symbols
WPA2: Second Generation WiFi Security

19 Evading IDS, Firewalls, and Honeypots (16)

19 Reading

Evading NIDS, revisited | Symantec Connect Community
Unblock Blocked Websites like Myspace, Bebo and Orkut
Infosecwriters.com
Honeypots for Windows
http://www.netprotect.ch/downloads/webguide.pdf
Free Intrusion Detection (IDS) and Prevention (IPS) Software
How to Bypass Firewalls Restrictions using Proxy Servers. | Hacking
http://www.terena.org/activities/tf-csirt/meeting9/gowdiak-bypassing-firewalls.pdf
SecurityFocus | Symantec Connect Community
Compupros Unlimited – Computer consultants specialising in the network security, firewall configuration and VPN including SonicWALL systems for SME’s in ocean and monmouth counties and New Jersey, New York, Pennsylvania, and Delaware
B.I.S.S. Forums (Powered by Invision Power Board)
Network Security, Cryptography, Firewalls, Anti Virus, BS7799, ISO 17799, Consultancy, and much more!
Enterasys Dragon Host Sensor
http://insecure.org/stf/secnet_ids/secnet_ids.pdf
Hardware Firewalls
Circuit-Level Gateway
Firewall Q&A
statoo.htm: some simple stalking tools
http://www.gray-world.net/papers/covertshells.txt

20 Buffer Overflows (17)

20 Reading

Buffer Overflow – OWASP
RJohndas_Buffer_Overflow_SEH_Handler.pdf
What is an ISAPI Extension? – CodeProject

21 Cryptography (18)

21 Reading

CrypTool – Educational Tool for Cryptography and Cryptanalysis
SecuriTeam – Cracking S/MIME encryption using idle CPU time
Introduction to Encryption – Developer.com
http://www.ietf.org/rfc/rfc2617.txt
IPSec Authentication and Authorization Models > Digital Certificates for IPSec VPNs
The TLS Protocol Version 1.0
RSA Laboratories – 2.1.6 What is a hash function?
RSA Laboratories – 3.6.4 What are RC5 and RC6?
A Taxonomy for Key Escrow Encryption Systems
RSA Laboratories – 2.1.1 What is public-key cryptography?
Q3: What is Public-Key Cryptography

XX Linux

comp.os.linux.security FAQ
Linux Online – Linux Courses
linux from scratch
ftp.osuosl.org :: Oregon State University Open Source Lab
Discussion Forum Active Users
How to Start Networking in Backtrack
Steve Friedl’s Tech Tips
http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf

Painpill #21 What hackers want

Everyone wants to do their job with ease and elegance. You want to sell or deliver your product or service, right? What about when you buy something? You just want it to …WORK the first time and every time after that, right?

Free CEH review class-  the real final review for my regular students-

Thursday 12:30 Central- Click here 5 minutes before and sign in with your name and email.
Buying and selling. Delivering and producing. We all feel good. We do this amount of input; we get this amount of  cash. This has nothing to do with security?

Ahh you are SO wrong! If people could do a little less and get a little more, would they? I know I would. (I look at some bathing suits these days and know they cost a fortune, but they don’t look like more than a dash and two dots worth of material.)

How far would you go? Would you sell the emperor the finest invisible material? Others are willing to do a LOT less than you!

The bad guy, the attacker, the misnamed hacker – wants to do almost nothing and get a lot in return. Or they want to do something once and get big money. If they can get YOU to do all the work and then they take the money… That sounds good to me! How about you? So we start to think like the bad guy.

Can you peer into the mind of an attacker?  Are you willing to learn what the bad guys do? For most of us the answer is No!

And this is where security meets business. Your product or service should be safe. We think we are buying stuff that is safe! There is no way to know unless someone, either buyer or seller, does what the bad guy does.

This is exactly what a Certified Ethical Hacker does.

  • Think like the attacker
  • Attack it
  • Report it
  • Give us the chance to fix the security hole first.

What one thing could we do?

Policy actions:

  • Plan for penetration testing in your design or product.
  • Have a response plan when customers find flaws

Action items:

  • When you think of a new product or service, you need to ask: if I were bad, how would I abuse this?
  • Become a Certified Ethical Hacker

You could come to class on Thursday and see what it takes to become certified – it don’t cost nothin’ to look and listen. Our next class starts with an orientation this week, May 7th.
