arp_fl00d

The Peacefire initiative

2008-10-15T11:43:00.000-07:00

Sooo

I've been selected by the founder of Peacefire to participate on a team of researchers to test out new and innovative ways to avoid those pesky web filtering proxies we are all afflicted with. As I come across anything hot, I'll be sure to post here.

The REAL Layer 2 attack

2008-10-15T11:24:00.000-07:00

Sooo..

There was this talk at this year's DEFCON talking about attacks which can occur at Layer 2 of the OSI model. This will without a doubt go down as probably the worst talk in the history of any Security Conference. Not to really bust on the guys giving the talk as they appeared to know the content of there talk very well..the problem was just that; the content of there talk.

These guys talked about different attacks against VLANs, which as cool as it is...is not a reality anymore! Any network administrator worth a sack of poop would not have a network succeptible to any type of VLAN hopping attack. The true threat in Layer 2 clearly lies within ARP.

Now, I'm not saying that ARP poisoning is the be all end all...but what I'm saying is that in 90% of networks I look at, ARP poisoning can be accomplished with great ease and minimal detection. The fact of the matter is that nobody is implementing static ARP entries for there gateway, and we know that it is rare for anyone to monitor internal traffic. In fact on my most recent pentest I went back to the old school well and decided to poison the ARP tables within the management subnet I sat on. Not only did it go unnoticed, but I managed to man in the middle a password hash for the domain admin acct. crossing the network.

The scary thing about this is that even if they did detect the bogus ARP traffic i was spewing across my subnet and blocked my IP or even launched a forensic investigation against me, they would have no idea that I had the hash for the domain admin. Rock a little Pass the Hash, and it's game over...they would never detect me!

So, if you decide you wanna have a little old school fun, fire up Ettercap....grab a few beers...and reminisce about the good ol' days!!!!!

back to websense.....

2008-09-29T16:30:00.000-07:00

Sooo

I figured I'd revisit an old flame. Here is some of Websense's greatest hits..

KinderGarten.org -- an organization funding free vaccinations for children in India. Blocked as "Sex".
The Navarra, Spain chapter of the Red Cross -- in Spanish. Blocked as "Sex".
Keep Nacogdoches Beautiful -- a Nacogdoches, Texas cleanup project affiliated with Keep America Beautiful. Blocked as "Sex".
Autism Behavioural Intervention Queensland -- an Australian organization promoting treatment of children suffering from autism. Blocked as "Gambling".
The Shoah Project -- in German. A Holocaust remembrance page that includes criticism of various "revisionist" historians who deny the Holocaust. Blocked as "Racism/Hate", probably because the page contains the names of several Holocaust deniers, including David Irving, even though the site itself is attacking Holocaust denial.
Dignity of Victims Everywhere -- a crime victims' organization. Blocked as "Sex", possibly because of the presence of some words such as "Rape" and "Incest" on the pages.
His Glory Ministries -- a religious ministry organization. Blocked as "Tasteless". WebSENSE's category list defines "tasteless" sites as sites that "offer offensive, grotesque, frightening, lurid, material with no redeeming value".
Arizona Council on Compulsive Gambling -- a site providing information treatment for compulsive gamblers. Blocked as "Gambling". WebSENSE's category list defines "gambling" sites as: "Sites that provide information about or promote gambling or that support online gambling. Risk of losing money possible." While the Council site does "provide information about" gambling, WebSENSE's definition was probably not intended to include this kind of Web site.
The Jewish Federation of Northeastern Pennsylvania -- a Jewish community site promoting local activism and community building. Blocked as "Sex". Formerly the Scranton Jewish Federation, located at http://www.scrantonjewishfed.org/, which is also blocked as "Sex".
The Red Letter Project -- a "forum for Christians and non-Christians alike" to discuss religious issues. Blocked as "Sex".
The Poster Project -- an organization that makes posters promoting liberal political causes, including views on the death penalty and abortion. Blocked as "Sex".
The Pro-Choice Resource Center -- a site listing resources for pro-choice political activism. Blocked as "Sex".
DisabilityGuide.org -- an online information resource about disability issues, based in Washington, DC. Blocked as "Gambling".

damn...these people are retarded... Internet censorship is something that has to go. If you are as against it as I am, then visit www.peacefire.org to see what you can do to help!

the audacity of some people.....

2008-09-18T14:37:00.000-07:00


Hacker impersonated Palin, stole e-mail password

Sep 18 03:25 PM US/Eastern
By TED BRIDIS
Associated Press Writer

36 Comments

Republican vice presidential candidate, Alaska Gov., Sarah Palin, answers...

This screenshot from Gawked.com shows an email account of Republican vice...

WASHINGTON (AP) - Details emerged Thursday behind the break-in of Republican vice presidential candidate Sarah Palin's e-mail account, including a first-hand account suggesting it was vulnerable because a hacker was able to impersonate her online to obtain her password.

The hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code. Using those details, the hacker tricked Yahoo Inc.'s service into assigning a new password, "popcorn," for Palin's e-mail account, according to a chronology of the crime published on the Web site where the hacking was first revealed.

The FBI and Secret Service launched a formal investigation Wednesday. Yahoo declined to comment Thursday on details of the investigation, citing Palin's privacy and the sensitivity of such investigations.

The person who claimed responsibility for the break-in did not respond Thursday to an e-mail inquiry from The Associated Press.

"i am the lurker who did it, and i would like to tell the story," the person wrote in the account, which circulated on the Internet. What started as a prank was cut short because of panic over the possibility the FBI might investigate, the hacker wrote.

Investigators were waiting to speak with Gabriel Ramuglia of Athens, Ga., who operates an Internet anonymity service used by the hacker. Ramuglia told the AP on Thursday he was reviewing his own logs and promised to turn over any helpful information to authorities because the hacker violated rules against using the anonymity service for illegal activities.

"If you're doing something illegal and causing me issues by doing this, I'm willing to cooperate," Ramuglia said. "Obviously this is the most high profile situation I've dealt with."

The break-in of Palin's private account is especially significant because Palin sometimes uses non-government e-mail to conduct state business. Previously disclosed e-mails indicate her administration embraced Yahoo accounts as an alternative to government e-mail, which could possibly be released to the public under Alaska's Open Records Act.

At the time, critics of Palin's administration were poring over official e-mails they had obtained from the governor's office looking for evidence of improper political activity.

Details of this week's break-in, if authentic, were consistent with speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited. The mechanism allows customers to retrieve or change their password if they can verify their identity by confirming personal information such as birthdate, zip code and the answer to a "secret question," such as a childhood pet's name or school mascot.

Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage.

"I found out later though (sic) more research that they met at high school, so I did variations of that, high, high school, eventually hit on 'Wasilla high'," the person wrote.

The McCain campaign issued a statement describing the hacking as an invasion of Palin's privacy.

Helpdesks can be so helpful!!!!!!

2008-09-17T07:10:00.000-07:00

So.... I recently did a Social Engineering project for a major US financial institution. The goal was to try and get someone at the helpdesk to reset a users password. This helpdesk was in Ft. Wayne Indiana. I found the user name through some google searches on the company and had previously called another one of there helpdesks where they generously gave me the format of user ids..... Here is a play by play of how this went down....

HD - Helpdesk, Charlie speaking
me - Hey Charlie, I think I'm having a problem with my passwd
HD - What is the problem?
me - I just got back from a break and when I tried to unlock my computer it said the password was no good
HD - alright, that happens from time to time..What's your user id ?
me - v3pXXX
HD - John Doe?
me - yeah, that's me.
HD - like I said, this happens sometimes, the only way to fix this is to reboot your computer and start over
me - alright, so just hit the power button?
HD - yeah, you will have to since you can't log back in
me - alright..hold on i guess this will take a minute
HD - alright, I'll stay on the phone with you to make sure you get in alright....
(Pause for 10-15 secs)
me - so did you watch the hall of fame game last night?
HD - Yeah, I watched a little bit, but it's hard to get excited about preseason football.. You a colts fan?
me - of course!!!!!!
HD - Oh, I'm a cowboys fan
me - the cowboys should be very good this year now that they fixed there secondary, I think they'll probably win there division
HD - yeah, if they can get past the Giants
me - alright, I'm back.... nope just tried to login, still says my password is no good.... I know I'm typing the right password!
HD - are you sure the caps lock is not on?
me - oh, let me try it again... (put phone close to keyboard so he could hear me hitting keys ) nope still didn't work....
HD - alright, looks like we are gonna have to reset your password...What's your employee number?
me - 529406
HD - 529406??? should be a 5 digit number
me - Oh sorry....11865
HD - no, that's not what I have on file with you...it should begin with a 2
me - no, it's definitely 11865
HD - is that the number you log on to ??????? system with?
me - yeah
HD - well we can go ahead and reset your password.. Hopefully there will not be a problem with ??? system
HD- What's your current password?
me - aren't we not supposed to give out our passwords to anyone?
HD - it's alright, you can give it to us, sometimes we can login as you without having to reset your password
me - Oh, I didn't know that, I remember going to some training and they said not to give your password to anyone...
HD - yeah, that's right, tell you what, I can just reset your password, and it'll force you to change it.. try Summer08
me - (phone next to keyboard again) alright, cool... it worked, now its asking me to change my password...thanks alot!
HD - Your'e welcome....have a good day
me - thanks...you too!

Websense???? more like NO sense

2008-09-17T06:23:00.000-07:00

So....Who are all of the content monitoring companies getting there blacklists from??? Take Websense for example..... I as a penetration tester am not allowed to go to insecure.org while I'm at work because it is classified as "Hacking;Computers/Internet". This is inherently wrong on multiple levels....

First off... why would anyone not be able to go anywhere because it is labeled Computers / Internet. I guess in my profession it is only acceptable to visit sites pertaining to food recipes.

Second.....Insecure.org is not a "Hacking" website. It's not like I'm visiting the webpage for the Canadian Mafia. Insecure.org is a website for security professionals to download the award winning NMAP scanner which is a tool EVERY security professional should know like the back of there hand.

Metasploit.com NOPE
Milw0rm.com NOPE
Packetstorm.org NOPE

Not only does Websense deny visits to insecure.org but it also will prohibit you from visiting sectools.org

ARE YOU KIDDING ME??? websense in there infinite wisdom declares that a security professional should not have the ability to go view or download the top 100 security tools? I would definitely say that a computer security professional going to sectools.org is probably going to get a tool for use in there daily job function...

That's enough ranting for now... I could have sworn that we don't live in China.....