Monday, August 6, 2012

Security Rant

Ok, I read... I read a lot. Twitter, news articles, blogs, books, magazines, websites, basically anything that crosses my path. As do most people in the IT and Infosec worlds. Why? Because, Information is valuable. It was once the core belief of "hackers" that information should be freely available, but that is a rant for another time. Today I was pushed over the edge by this article ( Specifically #1... Now before the core of my rant let me just say that the other four items are however solid pieces of advice. Do them! Do them to a "T". 

Now.. the rant......

For the love of all that is holy!!!!! The title of the article is FIVE WAYS TO PREVENT YOUR ACCOUNT FROM BEING HACKED, and your first suggestion is 'go to this random page and input your password to test its strength'.... SERIOUSLY?!?! I really don't care who runs the site or how secure they claim it to be. You should never be telling people to put their passwords into random sites! The average person does not realize the difference and in the end all you are doing is conditioning Joe Public to trust any site with the keys to their kingdom! Yes, some people need to re-evaluate their passwords, but this is not the way to get them to realize it. How about just providing a ranking criteria for them to do a self evaluation... like length, use of numbers, special characters, Alpha-upper, Alpha-lower, maybe even number of each, this could accomplish the same goal.... but NEVER tell them to volunteer their password to ANYONE no matter how seemingly good their intentions may be!!

While I am currently singling out this article/site this is not the only place I have seen this suggestion in the past few months. It usually pops up like clockwork after a password breach or a high profile hack. I am all for constantly reminding people that they need to have good passwords, but I am begging you... if you have the ability to reach people in mass and inform them, do not do it in such a way that conditions them into foolish practices. 


Friday, May 18, 2012

Thoughts on the C|EH

I just got back from taking EC-Council's CEH v7 exam and all I have to say is WOW. However this is not a good wow... this is an "Really guys? Really?" type of wow. Any before you start accusing me of being bitter, yes I did pass :-) . I have heard a lot of good things about this cert and probably the most important is how it relates to DoDD 8570, which honestly is the main reason I took it. I said to myself "Self, you just passed the OSCP so you (should) know how to be a hacker, you should be able to pass this test." That and since I just went through the OSCP training I shouldn't need to do too much studying and I sure as hell don't need to pay for their course. Although, I should mention they hit you up for an extra $100 if you don't take their expensive official training. So for me it ended up being $600 just to sit for the exam.

So I asked a former co-worker, who just got his C|EH about last November, what book he used to study for it and he told me THIS book. Picked up a copy and over two weeks got though the whole thing and was able to do fairly decent on the chapter questions. (Oh by the way this actually is a really good book if your just starting out and I love the fact that it is an easy read, this guy is a great author and needs to write more books.) Now just like anyone who takes exams I felt it was time to move to some practice tests. Now the first thing I did was go to EC-Councils website and look at what practice test they recommend, since I figure they would point me to the best one to use. Boy was I wrong! They pointed me to PrepLogic (See bottom if this page), and boy was that a mistake. The sample questions were simply unrealistic and totally off target. If you are looking for test questions STAY AWAY FROM PREPLOGIC. I could simply not score more than a 40% on these practice test yet was able to answer every question in the book I was reading. It was simply destroying my confidence. As I was talking about how unprepared I am to another co-worker he suggested I check out, "Great another one of these sites.." I thought but I checked it out and ended up using the PDF version of the questions to study from and I was able to a heck of a lot better on these.

Now for the exam itself, sorry, once again I can't go into detail about it :-/ . But I will say this, the PDF I got from was freaking SPOT ON for the questions. I would highly recommend grabbing it from them if you are going to study for this test. I finished the test in under an hour even thought they give you over four (why exactly is beyond me). I did not notice any of the major grammar/spelling errors that I have heard others complain about, I mean I am sure there are more errors here in this write up than there were on the exam.

I did start out with a negative view didn't I? Let me get back to that. This cert is in NO WAY an accurate view of a persons skills as a "hacker". Let me take that back, passing this test actually means they are a GREAT "multiple choice hacker", I am sorry but this is how I feel. This is more along the lines of an entry level/introduction to hacking cert, which is totally defeated by requiring a min of two years experience. You really don't need to know how to hack to pass this test, you need to know the theory and nmap switches. For the love of the Flying Spaghetti Monster, no one should be tested on switches like this... you know why "--help" that's why! We could even go with "man", or how about the almighty "GOOGLE". I do think you should know what some of these tools do and what they are capable of but if you really think that requiring people to be intimately familiar with all switches is what a good cert is all about you should be brought out back and well you get the picture. I'll stop ranting now.

The bottom line is while yes people (read: job recruiters) will look at you in a better light your going to need to know a lot more than what this is claiming you know. I would like to see them blend in some practical questions, like actually preforming a port scan or SQL injection and such, but I don't know if they could do it properly. If not they they should really consider aiming this towards an "Introductory Level" exam, similar to the Security+. It doesn't mean you your a pro but it means your on your way.

To be fair, there are many benefits to being a C|EH, especially for your average sysadmin. Learning the techniques people are going to use against you and to know what you need to look out for or what to ask the infosec pros you should be consulting, but if ya'll want a sales pitch go to the CEH webpage! Now, if you want to REALLY learn how to use all this theory go visit the guys from Offensive Security.

Thursday, March 15, 2012

Anonymous OS

I heard about this last night and honestly my first reaction was, ok this should be cool. Why you ask? Simple, they are getting more publicity than anyone could ever buy for making (what seems to be) very little effort and compromising entities that should be on top of their security game. I was curious to see what someone from a group like this would want in a OS and what tools they think should always be on hand.

Sadly though I was mildly disappointed. Here are my thoughts in no specific order... First, It was based on the current release of Ubuntu. Actually I can live with this, means I can use a mainstream distro and keep up-to-date on all the other updates that a OS needs, a quick look at the sources list and everything seems standard. Then again this technically means its not their OS, just a (slightly) modified version of someone else's. On that note I actually liked the fact that they make you crack an MD5 hash to get the password to login. While this does little for anyone with access to google it still made me chuckle.

The login banner... Ok... seriously... "educational purposes" ... yea... riiiiight. These guys really are not going to win any responsibility brownie points here for this one, but it is still a fair thought. Actually it makes me wonder if that's what Backtrack should have as their login banner. Ok so on to the rest. I actually liked the look then again I like Ubuntu too. The eyes in the tray were a funny touch too, just makes you think about that part of you that does not fully trust this OS. The re-branding was a nice touch, however their motto really needs to stop showing up every where.

Ok, moving on.. looking around a little bit I see something I did expect, there are a few anonymizers installed. Some I use, some that look interesting. The next thing I noticed is that they are pretty light-weight on tools which struck me as odd. The more I look around the more I feel like this is made for the script-kiddie (or as a video I just watched referred to them an 'ankle biter') with enough stuff to get them into trouble.

Although it is nice to see the cannons in one place without having to worry about who is re-branding and  shoving malware in them. Other than that, a hand full of semi-useful websites, some SQL tools (no shock here either), and what seems to me as a focus on DoSing tools. While I understand DoSing to be a power thing I just can't help but view it on a low rung of the "hacking" ladder. I mean it gets you nowhere as far as access goes, its good for attention, both distracting and getting noticed but that is about it. There are also a hand full of other scripts that take some of the work out of researching a target, like the admin page finders.

Oddly enough what I did not notice is anything to make your own backdoors or anything like that. I mean unless I missed it, which is completely possible, I see nothing that would actually help you get root on a machine. Then again they do say it is for "testing" web sites. But I think being able to upload a php or java shell is also a way to test a site.

Ok Bottom line, I actually like it. It has great potential to become a good set of tools for students, good guys, and bad guys alike. I personally think maybe they should have just built in on backtrack but props for going their own way.

Oh and as for the lack of trust thing, simply put no I do not trust them (sorry guys/girls). Then again I am not exactly about to signup for online banking while i am running this, in fact my only real main worry would be them flipping a switch and this OS instantly becoming part of a DDoS and even that is unlikely. Their MO seems to be more of a "For the people" thing and that would certainty not fit. Still not going to turn the network card on until I give it a few more looks over. ;-)

Thursday, January 12, 2012


Now that I do not not have the lovely lab at offsec, I find myself constantly searching for good vulnerable or "boot to root" images to test my skills against. I have found all kinds but I seem to enjoy the ones that are more like a pen test. Meaning I need to scan the machines, ID services, exploit a weakness, get a shell, elevate privs, get root. So far I have found a couple that I like (in no particular order)...

Err... well, I don't actually know the name for this Vulnimage. A co-worker put this up in our VM lab and said go for it, but it was an enjoyable experience. I liked it mainly because it has a bunch of elements to it. There are multiple vectors for an initial attack so you get to practice both website based attacks as well as service based buffer overflow attacks. Once you gain root there is another little nugget that I really enjoyed, a vulnerable custom program running as root and listening. This I have to say was the most fun and educational part of this image. The opportunity to take someone else's program and fuzz and exploit it from scratch. I needed to learn the basics of a linux command line debugger (gdb) to get the information I was used to seeing on the screen for Immunity. It took some time, a chat with a colleague, and a fist full of Google but I finally was able to get the information I needed out of gdb and and write a custom exploit. Definitely a good practice machine for my skill level. Had things I knew and things I needed to learn

The next one I came a crossed was Hackademic.RTB1. Another good machine here and looks to be a promising series, hats off to mr.p0rn for putting this stuff together. Again web based entry, takes some research and the use of tools to get shell and root. Fairly straight forward but fun to explore. No custom apps here but still worth the time to pop.

On the Hackademic note, The RTB1 machine is wonderful and realistic (hell I know several people/companies running vulnerable version of the webapp used), but.... When I tried RTB2 I felt it was more.... I don't know... lacking? non-realistic? classroom-ish?, I don't know if those words are accurate but I ended up not being a fan. I did like the introduction to PK but I cant help but think this one wasn't really a hacking challenge as much as a thinking challenge. I would have like to see a real DB powering the login and a little more hunting/digging/cracking for the sequence needed to get a shell. ... ... ... Actually looking over my notes, I now know what this feels like... it felt like a simple forensic investigation. Something where you were trying to find/decode hidden info. I guess in that aspect it just bumped up a notch in my list. :-)

I tired to keep spoilers to a minimum and make one recommendation to you if you are going to do any vulnimage, Try to do it yourself before researching anything. With these when you even Google a small question you are going to end up with results to posts where you are given a walkthrough for the whole task. I think this sort of takes the fun out. On the flip side if you are looking for walkthroughs go check out g0tmi1k's blog There is a ton of useful stuff here above and beyond just walkthroughs.

Monday, January 9, 2012

My OSCP Experience

Last summer I was tossing around starting to study for a security certification. I got my Security+ at the end of 2010 and felt it was time to look into something a little more advanced. I looked at the CISSP but felt that maybe I wait on that one as i was going to really have to stretch to pull off the professional requirements. Next I came a crossed the Cisco security certs but not even having a CCNA means a very long process and I wanted something a little quicker. Eventually I ended up looking at the CEH and I though this looks pretty promising but in doing some additional research I heard a few people talking about the OSCP from Offensive Security. Now I thought the theory behind the both of them seemed to overlap in a lot of places but from what I could tell (and now believe to be true) the OSCP is a lot more hands on. Since I find I learn better with hands on learning I opted to go after my OSCP.

So, come mid-September I signed up for the 30 day course. Well... I was in for a world of hurt. Once the course begins they give you a bunch of videos to watch and a decent sized lab manual (I recommend printing a hard copy to take notes on) to go through. Also, how could I forget to mention, what I consider the biggest perk of the course, VPN access to the lovely offsec lab. Now since I work full time and have a handful of kids needless to say I did not spent 24 hours a day going through this material. Some days I was able to get in a couple hours at work but most of my progress was made on weekends. So 25 days later I was just finishing up going though the lab manual and videos. Not even really preforming the exercises, just absorbing the all of this new and wondrous information being dumped on me. Looking up some supplemental topics on Google as  I went just either to clarify or because I can't believe I hear about a topic before. Needless to say I had to signup for another 30 days.

My second 30 days were spent... well mostly off topic. Feeling a little overwhelmed and no shortage of other life things happening I spent as much time as I could in the lab. I remember the first day I actually started to attack the machines, I went after, what I considered, the low hanging fruit and in about four hours I had two machines. Thinking that was good for the day I turned to other exercises in an attempt to refine my skills. The next day I got two more machines. I started to think "Hey I'm actually getting the hang of this... Its easier than I thought!" ... ... .. .. A week later I was still in the same spot. Confidence going down the tubes at this point after everything I was trying and nothing was working out. Eventually I was able to get a few more techniques under my belt and my machine count started to slowly add up. Before I knew it my second round of 30 days was nearly up and I needed to grab another 30 days.

On my last 30 days I feel I may have "grown" the most as a student. I was researching topics a bit more, starting to see things in a new light. Hell at this point the course already helped me land a new job just by telling them I was taking it! I had more than a decent chunk of machines popped and I felt now was a good time to organize everything and go back over the lab manual making sure I crossed my "I"s and dotted my "T"s! By the end of this last 30 days I still felt like I had so much to learn but I didn't really want to invest any more money at this point and with the holiday break coming up it was the perfect time to take the exam. So the last two weeks I spent time writing my report and making sure I got all (most) of my extra miles exercises done. I then scheduled my exam to start 5pm on Dec 29th. I figured its 24 hours let me get the night out of the way in the beginning. Not saying this ended up being a good idea or a bad one, with the time crunch I eventually felt wiped out. Now I would love to go into details and specifics but I can't and won't. I don't want to be that guy who shouts out the ending of the moving in the middle of a crowed theater.

What I can say is that after the exam ended I was miserable. I felt like I should have done better but looking back now I think I was a little hard on myself. Either way I shot my full report off to Offsec went to bed!

Much to my surprise come Saturday morning I got the email that I passed. I was ecstatic!! I felt like I had actually proved something to myself. Not only that I few days later I was going through some books that I had read last year while moving them into my new office and found that "Grey Hat Hacking" actually made a lot more sense.

Did I have fun? Yes. Was it hard? Hell yes. Did it build be up and shoot me down? Without a doubt! ..... Was it worth it? Absolutely! and I would do it again. Hell I have spent the past two weeks looking for decent vulnimages that are similar to the lab enshrinement. If you are looking into the course, just do it! You will learn most of what you need to know during the course. Don't be afraid to chat in the IRC, they are there to help you along. Remember, Google is your friend! You may not find specifics (in fact you flat out won't) but you will find enough to point you in the right direction or to make you look at a problem in a new light.

And last but not least, when you have tried everything you can think of, your sleep deprived, on the verge of giving up, and you feel in over your head.... Try Harder!!! (its worth it!)

First Things First....

I have thought about blogging for a while and never could think of things to talk about or even organize my thoughts enough to start. However recently I received a huge jolt of confidence from passing my OSCP and then it hit me... I should use a blog to keep track of all the tools and ideas that I have trouble remembering! I figure at the very least I will have my own reference for the common tools I use and maybe someone else can get a straight forward answer on how to use one or two of them. I may pepper in some thoughts and experiences over time but at least I finally found a place to start!