SoldierX.com SquidBlackList - the world's largest porn blacklist! HAX Radio - The stream the FBI Listens to! Offensive Security Wireless Professional PWNIE 2012 Nominations The Hip-Hop Realm

Archive for December, 2010

Penetration Testers Rapidly Becoming Narrow Minded

Friday, December 31st, 2010

Read this: http://carnal0wnage.attackresearch.com/node/440

He’s got some good points, but there are a few things overlooked. To write something like this post, he should have backed it up with better examples and real stats.

Originally, pen testing was a simulation of what real attackers would do. Then it became more about validating vuln scan/assessment results. Now its essentially about compliance check boxing. (PCI)

I’m pretty sure these PCI “compliance checks” don’t assess the (most of the time “extreme”) stupidity of the employees or even owners / administrators of the hardware. Those who author said compliance checks really believe that social engineering, physical security, phishing, advanced WiFi relay attacks and even hardware planting can be done with automated scripts? An automated script is going to reroute your companies SIP traffic to eve’s drop on your conversations for tiny, but important, morsels of data that can be further used to penetrate even deeper into your institution?

…you can productize a device or a software tool more than you can productize a skilled person.

You’re definitely right about that, but people like Kevin Mitnick, Chris Hadnagy, and many others HAVE productized” themselves rather well using techniques that cannot be scripted. Trying to raise awareness in the human factor of all of this “security.” Maybe it simply takes knowledge and gifts that only few have to “productize” a person.

…hiring people who can emulate real attackers is overkill, too expensive…

You’re right about the expense part, but doesn’t that come with getting a master of the trade? I have seen institutions/corporations/universities/etc drop far more money on things far less important.

If you look at the direction these tools [Metasploit, Core, Canvas] are going, it is to automate more and more of this process.

My recent post about “Information Security Awareness” stated that any organization should have a single person capable enough of clicking though one of those frameworks on a regular basis and record the results for the developers of his or her organization to analyze. This is compliance checking and NOT penetration testing.

I would like to stress to my readers that there are many more vectors of attack on any particular system than simply remote exploits. This was the sole purpose of WeakNet Linux Lite and WEAKERTHAN. It was to force users to use imagination and skill. I too, cringe at the sight of bloated frameworks that do nothing to teach the user or exercise his or her hacking talents. I have to “productize” Weakerthan. If I want you all to use it and like it, I have to commit to your wishes. Unfortunately, Mr. Ownage is %100 right in this aspect. You all demand things to be automated and easy to use. I once spent countless hours teaching someone to connect their wireless card to their router which had WPA enabled. After which he begged me to add “Network -Manager” to my next release. This is just one reason why I gave up and decided the next release will be a DVD/USB release.

Well, I can only take your word for it, Mr. Ownage, as you are a professional in the field, and I am not. If this is true, then man,… what a sad state our security has become in this nation; nothing more than a government regulated peep show through our own privacy / security practices. I personally would choose a different career path if all pentesting was simply “compliance testing.” I would really like to urge any computer security enthusiast out there reading this to not trust his opinion. Use your brains and imagination, study, work overtime, write code, drink caffeine, and most importantly – do what you love, practice safe hacking, and have fun! ;)

I guess the Black Hats have it better than ever now!?
Go corporate America, go!

~Douglas

WEAKERTHAN 3 Update

Thursday, December 30th, 2010

Thank you all for the supportive Emails, I really do appreciate your enthusiasm! :)

I had a free day today and decided to re-begin development for WeakNet Linux – WEAKERTHAN 3. First I grabbed Debian Squeeze (which for some reason I keep calling “Cheese”) minimal, rm’ed the initial work I did with Ubuntu, and removed even more junk. I got a nice compiled kernel (WT3) from version 2.6.36. I patched it all up for packet injection/fragmentation/channel hopping, etc for wireless radios and tested it; all is good! I had to downgrade Libevent for Fragroute to install properly. Libevent dropped a few functions I that were needed by Fragroute to compile correctly, like event_gotsig and event_sigcb.

I installed CUDA libraries and binaries, Pyrit, and all the python dependencies for use with CUDA. I also installed NVIDIA 260.19.29 drivers for anyone who has an up to date NVIDIA card; you can check compatibility here (actually, I found that this driver works well with mostly all NVIDIA cards made within the last few years, if it’s not listed it will probably still work). I will only offer 2 bootable choices (besides memtest+) one with NVIDIA and one with simple xforcevesa. If you boot into the CUDA option you can start cracking WPA keys instantly with Pyrit (out of the box awesomeness).

I subversion’ed the latest and greatest Metasploit (which I do right before each release as well, and include updating scripts for easy updates right from the menu) which contained Armitage, and I installed and completely configured PostGRESQL for use with msfconsole. The password, like all others in the past is “weaknet” for the postgres user. Other than that, I have been customizing and patching, configuring and gardening. I even went so far as to completely pack Firefox with pentesting add-ons!

As I stated a while back, this is going to be a large release, probably my biggest in years. So far the ISO is around 1.3GB in size with all of the tools, libraries and things I have compiled in. I even left a lot of things in the kernel for those who needed them in the past and complained about.

I will be working on this project off and on for the next 2 months or so. I really would like your input as to what else you would like to see me add. Pretend I am making this only for you and I can customize anything you want! Tell me what drivers you need, send me links, patches, etc.

Thanks, I hope you all have a good New Year!
~Douglas.

Phone Losers of America – The Book.

Wednesday, December 22nd, 2010

I should have written this a while ago, but I finished reading the book written by Brad Carter himself.

Why I Bought This Book (3 of them actually)

My first thoughts about exploring our digital world were almost haunting. It was about 2002, or so, and I was molded into what society wanted me to be; scared. Horror stories from the news channels, “Freedom Downtime,” old text files, and more all beat any thoughts of exploring out of me in fear of being beaten by law enforcement, or worse, thrown in prison (to which I am actually highly allergic to, I believe).

So I decided to rather explore what other people my age were doing. I started with BinRev forums, which I thought was very informational. I would write down test numbers people had posted for my area and would run down to a payphone and test them out. Eventually, I landed a job at a cellular provider. I was very interested in wireless technology at the time, and by then cracking WEP was also hot subject. I soon realized that the phone the company provided me with wasn’t logged or monitored in anyway, so I decided to do more things with it. I started wardialing and dialed several thousand phone numbers provided by the local CO, or switch near my home. I liked the phone system. It was concrete and hid secrets all over the place. I started looking at telephone poles, and learned which wires did what. I started examining the boxes attached to the poles and some in rural areas that stuck out of the ground. I climbed up poles and took pictures, wrote down phone numbers left behind by the technicians and even started making lists.

Finally, around 2006 or so, I found the Phone Losers of America. The PLA helped me to see things. For instance, their website and forums were so welcoming, that it felt more like a community than BinRev did. BinRev had nice info on phreaking, but it soon found it’s way to the PLA forums anyways, so after a while I decided to just stop going to BinRev. I discovered PLA radio and thought it was amazing. I had a small 4GB ipod at the time and put them on it. Soon after, I found more and more awesome phone phreaking radio shows and sound clips. The Evan Doorbell – Phone Trips was my all time favorite. These were sound clips of a man calling and recording sounds and things that the phones would make while in operation. The show that made me realize, it’s okay to explore was Default Radio. Those guys found things that sounded awesome. There were a few episodes of Doug TV in which Lucky225 was messing around with a cool sounding test set call a Proctor Test Set, and talking about hybrid payphones, and having random fun exploring things digitally that inspired me. I started doing more. I even obtained a Bearcat scanner and listened to a few cordless phone calls (though for some reason, I could only hear one way of the conversation sometimes.?) all because of the PLA.

So, I started buying random parts from radio shack and making phreaking boxes. I had about 5 or 6 different boxes to play with and test. I started rummaging through dumpsters and started keeping track of all the best nights to find cool hardware / files from different local phone companies and cellular providers. I started some free websites on homestead.com, and made a lot of great friends in #lunatics on EFNET. Finally, I had enough content to buy a sub-domain and have a cooler website; 2Dial*Phreak

At first, I was just using it to learn Javascript, Dreamweaver and HTML. It never was really anything special until one day I noticed something. A telco truck as parked with orange cones on the side of a street in my neighborhood. It had a metal structure that resembled a railing around an open sewer hole. The lid pushed to the side and a large pipe running from the truck down into the hole was draining water or some liquid out of the hole. I walked by and leaned over the railing and saw another world. It was cavernous. It had all of the boxes and hubs and things that the poles above had, but more. Ladders, pipes, signs, and all sorts of things that I never knew were underground. I read text files about “canning” but never really took it seriously. I finally decided that I wanted to come back and explore for myself, and get some great content for my new website.

I prepared for the worst. I thought up a lot of scenarios about being busted and knew pretty much exactly what to do. At this point in my life I had already been busted a few times for phone phreaking activities, but cops really had no idea what to do, or what I was doing. I would just show them my physics tattoo on my arm (yeah, I am a nerd), say i was a student (lie) and that I was testing out a new device i had built that was going to one day make me millions of dollars. Heh. Ethermine and I made it into the can. It was big, but not very exciting. It smelled bad and Ethermine, being a photographer, had a really expensive camera that he didn’t want to damage, so he stood back and shot a lot of photos. The photos became my website, and I tried my best to make canning a, less hazy, topic. Without going too far into details, that I would rather not share anyways, I was taken by this exploration for years into places that I still regard, not only as “exciting” but “creepy” too. Then I found a way to enter the “cans” using only my bare hands. This was a thrust forward, as I didn’t need to carry around a crowbar any longer! What the hell would I say to authorities if they found me with that? LOL!

I am a musician, in what tiny amount of spare time I actually never have, and I started integrating phone recordings into my songs. RBCP once made a thread asking for music suggestions for his show, and I gathered up enough gumption to suggest a song I made with red box tones in it. He actually used it in an episode that caught me way off guard and made me have one of those “Scream Like an Excited Cheerleader” moments, or SLAEC for short. Man, I was so excited! How did this happen?!


payphone under streetlamp

Dj Boo! | Myspace Music Videos

After a few years, the owner of the subdomain, Tekk, went off to work for some secret project in the UK for Apple and dropped my hosting without returning any files (that I didn’t have backed up). The website was then dead, but not my curiosity. By this time WEP was a dead technology, but everyone in the world seemed to use it. I decided that wireless technology and penetration testing was where I wanted to go. So I started writing lots of posts in the “Hack / Phreaking / Social Engineering” board of the Phone Losers forums.

From then on, I didn’t pay much attention to phreaking but PLA Radio continued to enlighten me. To this day, I can still laugh my ass off at the jokes and pranks that the PLA does on that show. I love making music for the show too. More importantly, I made a lot of great friends that I will never forget in those forums. A lot of which I had the privilege of staying with at the hotel in Washington D.C. for Shmoocon in 2009. Man, what a ride. They were the most interesting and funniest people I have ever met.

And Finally, The Book Review

That’s enough history, I guess. Getting into phreaking was one of the coolest things ever, but I don’t think I would have stuck with it so long if it wasn’t for the PLA. The PLA kept it going by adding humor to it all and simply not stopping. Taking social engineering to a whole different level, using it for the weirdest things possible. The book describes times where professional social engineering was used for the sole purpose of making the author laugh!

Let me put bias aside and forget that I love the PLA for a moment and say one thing:

This is, hands down, the funniest book I have ever read.

Okay, back to being obsessed with the PLA:

The forward is written by Rob Vincent, a guy I have met on multiple occasions. Putting his face to those words makes the forward that much more heart warming to me.

The first chapter, is there because of me I was told by the author. One of the first things I read at the PLA site was part of this book, which at the time was many bits and pieces, nothing full. It was awesome. Again, very haunting and just plain gripping. When the book was announced in the forums, I begged Brad to put that chapter back in, not just because of “Love and Rockets” but so it was in print. I would have it forever then. He did, and used my name! (Yet another SLAEC moment, the original name was “Scott”)

The next chapter is about Dino Alsman. Dino is ridiculous. I have met many people just like him in my life and now wished that I, too, were as creative as Brad and took the initiative to simply prank the crap out of them. Call forwarding is the topic of the next chapter. This is cool because I had some experience with making people confused before when I was a kid too by doing this. Brad simply takes it to another level, as usual, and makes the phone company confused too! Credit Card Fraud is a chapter that somehow bleeds into the rest of the book. I mean, how is a guy supposed to survive who is always on the move / run? This theme that carries through the book, is analogous to the movie “Catch me if you Can.” This is a bit different though, as credit cards are a bit more complicated than false checks.

Again, social engineering and tactful thinking seems to be a continuous theme throughout the book, making it a phone phreaking joyride! The next chapter covers the “Fred Meyer” incident, where the PLA takes over the P.A. system in the store. This, I have read about in old issues of the PLA zine, but not to this level (or maybe I just don’t remember all the details.) This chapter had some sentences that made my face hurt from laughing. I don’t want to ruin it for anyone else, but just be prepared!

The next few chapters involve much history and pranking. Automated harassment, the PLA magazine, and then a chapter about homelessness, which, is what happens when you are on the run / slacking off. The McDonald’s prank is funny, but the website for it has nice color pictures :D The rest of the book contains TONS of social engineering, technical mayhem, revenge, and many ways Brad Carter found to amuse himself. The last chapter “Back” wraps up the book with an insane twist of events. After which Brad gives credit for all who contributed. Seriously, if Brad was serious about using my name for the first chapter character, I would finally be ready to die. I can finally say that I was truly happy. But, it’s hard to take him seriously sometimes and there is such thing as coincidence.

This book wraps up fuzzy warm memories of phone phreaking and conference calls from the past, all into something I can only compare to…a yearbook. All wrapped up nice and warm in my hands. It’s a culmination. There was no part of the book that was boring in anyway. Hell, there’s even a chapter that seems plagarized from a romance/porn novel that swaps all nouns with the word “Cactus.” Einstein would love this book. In fact, he’d probably like Brad a lot. Einstein regarded humor and imagination with the highest esteem. Brad Carter is, without a doubt, the funniest guy I have ever met. He kinda looks like Ben Folds, and he’s always smiling and ready to mess with someone, or make someones life a living hell – all just for a laugh.

~Douglas.

Setting up PostGRESQL for Metasploit Unleashed

Monday, December 20th, 2010

A while back, people were Emailing me about postGRESQL issues and Metasploit when I released WEAKERTHAN 1.0 I looked into it, but never gave it as much time as I should have. Finding good, up-to-date documentation on installing and configuring PostGRESQL is rough. the command postgres is gone. If you find that somewhere and think, “hey, maybe i just need to install more stuff?…“; don’t. It’s now simply psql now. I started breezing through the Metasploit Unleashed Course, and am simply using Debian Squeeze. To use the db_create command is deprecated according to msfconsole so ignore it in the MSFU course. To use the db_connect, you need PostGRESQL installed and running (yay, another open port.) Let’s cover that process quickly for those who have never done so. All of this assumes you are running as “root,” UID 0, or NULL.

1. Install PostGRESQL.

Source is nice, but we are just using the DB [database] for the purpose of this course. do the following:
apt-get install postgresql
This will create a new user “postgres” that you can see in the /etc/shadow file. Now let’s pretend we are him/her
su postgres

2. Edit the server configuration file.

Remove all of the “ident sameuser” strings and make them “trust” This simply allows anyone to access the database using postgres’s credentials.

3. Change the postgres user’s PostGRESQL password.

psql -u postgres -W
\password
New password for user postgres: ******
Repeat Password: ******
\quit

4. Create a database

This is to use with the msfu course and make sure you can connect to it using the user “root”
createdb msfu -u postgres -W
^D
(CTRL+d or type exit)
psql -u postgres -W -d msfu
If all goes well, you should now have the correct environment for using the db commands in metasploit’s msfconsole.

5. Start msfconsole

./msfconsole
db_connect postgres:******@127.0.0.1/msfu

6. Fix some issues

You will also need postgresql-server-dev-8.3 for all of this to work properly. Update your Ruby gems by downloading the latest Gems tgz file and unpacking it to a safe location. Then, run the setup.rb file inside of it.
wget < URL >
tar vvvvxzf < file >.tgz
cd ruby*
ruby setup.rb

After that, I was still getting this old:

[-] Error while running command db_add_host: undefined method `created_at’ for nil:NilClass

error each time I tried to add a host with db_add_host. This problem took me down two rabbit holes so far. Then, I found a post reply from H.D. Moore himself to someone that simply said to type:
gem install postgres
Then, some fantastically ugly errors told me that I needed pg_install. “What’s that?” Thanks to this mailing list post, I guess I needed to install postgresql-server-dev-8.3 first! I ‘ve actually never seen a “dev” package in Linux install actual applications. I always thought that was reserved for simply adding (sometimes huge) libraries into the /lib directory. “Should I install that?
apt-get install postgresql-server-dev-8.3
This does solve the gem error. So now you can heed H.D. Moore’s response and type:
gem1.8 install postgres
which works. As far as the db_add_host error. “Hrrmm…. What else could be causing this issue?…” What if the failure of adding the host/IP is cached/inserted-anyways? I tried a new IP.

-_- It worked. Now, I feel stupid.

db_del_host 127.0.0.2
[*] Host 127.0.0.2 deleted
msf > db_add_host 127.0.0.2
[*] Adding 1 hosts...
[*] Time: Mon Dec 20 19:52:44 UTC 2010 Host: host=127.0.0.2

Now, if you try that with “127.0.0.1” you’ll get NO output, and if you try to add “127.0.0.1″ you’ll get the same error!

You’re good to go!

Postfix, SpamCop and SpamAssassin!

Monday, December 20th, 2010

Switching servers made me realize that GoDaddy actually did quite a good job at cutting out the spam from my Inbox. As per this post: http://weaknetlabs.com/main/?p=50 I had to figure out a way to stop the spam! I searched Google for a while and found this site, which worked perfectly for me: http://www.debuntu.org/postfix-and-pamassassin-how-to-filter-spam Then I realized that this method only appends a string to the subject “[***** SPAM *****],” which is lame.

I found in my filters that I could make the whole div red if the subject contained the string. This was a little better and easier to delete the emails, etc, but I want this automated. I then ran the Perl configuration file again, and found a plugin called “SpamCop” which actually reports spam to an administrator of the spam’s source!

SquirrelMail Configuration
---------------------------------------------------------
Plugins
Installed Plugins
1. abook_take
2. delete_move_next
3. listcommands
4. message_details

Available Plugins:
5. administrator
6. bug_report
7. calendar
8. filters
9. fortune
10. info
11. mail_fetch
12. newmail
13. newplugin
14. sent_subfolders
15. spamcop
16. squirrelspell
17. translate

R Return to Main Menu
C Turn color on
S Save data
Q Quit

Command >>

This is cool! I can even set it up to automatically delete the Email. Also, this adds a “report spam” button to the options of the message while reading. You need to go Here to register for SpamCop and get a special ID value that gets associated with your Email address.

:) Fighting spam one day at a time and trying to be a good administrator.

~Douglas.