Exploiting the Core

This is the first in a two-part blog about utilizing Yersinia to check out the security of your routers and switches. While there are many different exploits and areas of concern in the routing infrastructures and designs of today, I am going to focus on two areas. Today’s blog is focused on man-in-the-middle (MITM) attacks against routers, specifically, utilizing Yersinia to insert your attack machine in the middle of an HSRP configuration.

——————-

WARNING: Audit Notes

I wanted to put this early on in this post to ensure everyone knows how destructive this tool can be to one’s network. This is a very invasive and dangerous exploit for the network. My usual approach is to talk with the IT manager about multiple exploits in this class and to inform them that in my belief it is better to receive a hard copy of the configs and document a simulated attack. If the customer wants us to proceed with a live attack, I always have signed documentation that ensures they know and accept the risks.


What is more important password expiration, complexity or something else?

I was holding a conversation today about password expiration, and I have decided it isn’t so much about the password strength or the time between password changes. Looking at it, passwords are a primary method used to control access to resources. Because authenticated access is seldom logged, a compromised password is a way to explore a system without causing suspicion. An attacker with a compromised password can access any resource available to that user. So it really comes down to protecting the area where passwords are stored, not.

A great example: using a password cracker like Ophcrack, you can crack the password “Fgpyyih804423” in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it “strong”. Now, granted, it is using rainbow tables, but ultimately if your SAM file or your /etc/passwd and /etc/shadow files are compromised, you’re pretty much history. Additionally, if you limit failed attempts with lockouts (or a limited-time lockout), I think you are going to prevent the brute-force attacks.


Penetration Testing Ninjitsu

I just received this notification and I thought I would pass it on, as it is FREE and you sure can’t beat free training. Besides, I like to give props to Ed Skoudis of Intelguardians. He is a great teacher and a real riot.

———————————————————————————

WEBCAST

“Penetration Testing Ninjitsu” with Ed Skoudis of SANS

Wednesday, February 27 at 2:00 PM EST (GMT -5:00, New York)

http://www.coresecurity.com/index.php5?module=Form&action=webinar&campaign=ninjitsu

Register to receive 20% off an upcoming SANS penetration testing course.

Attend for your chance to win free tuition! (see below for details)


Using Facts to Disprove DNS Allegations

Let me start by saying I am always interested in finding new techniques. So if you have a way to resolve the problem I had today, please drop me a note at secauditor(at)bigstring.com. Thanks!

Most of the time when an incident happens, auditors or incident handlers are called in to track down the facts and prove that something has happened. Today was an exception: I was called in to investigate improper use of corporate assets. Apparently the IT department was suspected of utilizing internal resources to host personal sites.


Open source takes encrypted volumes to new levels.

I am a big proponent of the open source community. As such, I am always excited when a good product comes out with something better. This month TrueCrypt released version 5.0.

TrueCrypt is a software application used for on-the-fly encryption (OTFE). It can create a “file-hosted container”: an encrypted volume with its own file system, contained within a regular file, which can then be mounted as if it were a real disk. TrueCrypt also supports device-hosted volumes, which can be created on either an individual partition or an entire disk. With version 5.0 it can now encrypt the Windows boot partition. TrueCrypt is available for Microsoft Windows, Mac OS X, and Linux.