Irregular Expressions


August 29, 2011  8:22 PM

RDP Worm



Posted by: Dan O'Connor
Morto, Morto.Gen!A, rdp worm, windows worm

I was toying with something like this a while ago, I was playing with the idea of being able to do this from a *nix box for VA purposes (Without the gui part, I just wanted a yes or no back).

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.gen!A

Its current state should not get many hosts; the list of passwords is limited.

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
!@#$%^
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

Here is a list of hosts it will attempt to contact for updates.


Always check your firewall logs just to be safe.

August 25, 2011  9:06 PM

A few more lulz



Posted by: Dan O'Connor

Wikipedia has a good section on the current suspected members of LulzSec that have been picked up.

http://en.wikipedia.org/wiki/LulzSec#Law_enforcement_response

There are a few in there that I have not posted about; it’s worth catching up on.


August 25, 2011  8:54 PM

Software Vulnerability Management at Microsoft



Posted by: Dan O'Connor

http://go.microsoft.com/?linkid=9760867

Nice read.


August 25, 2011  8:53 PM

Steal of a deal



Posted by: Dan O'Connor
atm pin pad, flir atm, flir camera, flir pin pad

http://gizmodo.com/5831837/stealing-atm-pin-numbers-using-a-thermal-camera-is-dead-easy

For as little as 1,600 USD you too can do this.

http://www.transcat.com/Catalog/productdetail.aspx?itemnum=IRC40&TRAPCD=WBGI5&gclid=CLCJ5fzr66oCFQfBKgodrg_rNw

Heck while you are at it order one for the car, cottage and RV!

I can think of a few ways for this to get someone into trouble, I am surprised that no one else had thought of using it on an ATM pin pad.

Using the camera you can also infer the order in which the digits were entered, based on the strength of the signal each key leaves behind.


August 25, 2011  8:34 PM

EXT4



Posted by: Dan O'Connor
ext2, ext3, ext4, FAT, filesystems

The latest version of the EXT file system is 4.  The previous versions are 2 and 3; among the improvements in 3 are better indexing for large directories and journaling.

EXT4 adds more features:

  • Volumes up to 1 exbibyte (EiB).
  • Files up to 16 tebibytes (TiB).
  • Extents, improvement of large file performance and reduction of fragmentation.
  • Journal checksumming.
Just to name a few of them; check out Wikipedia’s write-ups for some pretty good explanations of the EXT.x file systems.
Next we will be getting into the FAT family of file systems.


August 23, 2011  9:41 PM

SANS Mentoring



Posted by: Dan O'Connor
gcih, sans, sec504, winnipeg

This is exciting, I will be leading a SANS mentor session in Winnipeg.

http://www.sans.org/mentor/details.php?nid=26334

The sessions will run from January 26th, 2012 until March 29th, 2012.

This is Security 504, Hacker Techniques and Incident Handling.  This material is excellent and is something even non-security people should take.  The knowledge is valuable to anyone who needs to defend a network.


August 23, 2011  9:31 PM

The hunt for lulzsec



Posted by: Dan O'Connor
anonymous raids, lulzsecurity, tflow, topiary, viral

Lulzsec Exposed is still on the hunt for Sabu.

http://lulzsecexposed.blogspot.com/2011/08/who-is-sabu.html

We now have two competing ideas on who he is.
One is a guy from New York, the other is from Portugal. Not that I am downing any of the theories but I am still on the fence on who is right if any of them.

I really don’t trust any of the evidence presented, but I also agree with the conclusions they have made with the rebuttals. I wish they would test them.

When I talk of evidence I mean any of it from anyone.


August 23, 2011  9:12 PM

The EXT file system – Part 3



Posted by: Dan O'Connor
block bitmap, ext explanation, group descriptor tables, inode bitmap, super block

We also have to deal with the block pointers in the inodes.  Each inode can store the addresses of 12 blocks that hold the data.  So what happens when you need more than 12 blocks to store the data?

You use indirect block pointers: instead of pointing at blocks of data, you point at blocks that point to the blocks.  Basically lists of lists.

The first layer of this is called single indirect block pointers, the lists of lists.  Then we go to double indirect block pointers.  Lists of lists of lists.  Then down to triple indirect block pointers, lists of lists of lists of lists.

Wikipedia block pointers
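To make the direct / single / double / triple indirect chain concrete, here is an added example (not code from the original post) that maps a file's logical block number to the pointer path an ext2/ext3 driver would follow, and derives the file-size ceiling that layout imposes for a given block size. It assumes the classic layout of 12 direct slots plus indirect slots 12, 13 and 14, each pointer 4 bytes.

```python
# Added example (not from the original post): walk the ext2/ext3 block
# pointer layout the post describes: 12 direct pointers in the inode, then a
# single, a double and a triple indirect pointer (slots 12, 13, 14), with
# 4-byte block addresses. Block size is the one tunable.
POINTER_SIZE = 4
DIRECT_POINTERS = 12


def pointers_per_block(block_size):
    """Number of block addresses one indirect block can hold."""
    return block_size // POINTER_SIZE


def locate_block(logical_block, block_size):
    """Map a file's logical block number to the chain of pointers reaching it.

    Returns (level, path): level 0..3 means direct, single, double or triple
    indirect; path gives the index to follow at each step, starting with the
    slot in the inode's 15-entry pointer array.
    """
    n = pointers_per_block(block_size)
    if logical_block < DIRECT_POINTERS:
        return 0, [logical_block]
    rel = logical_block - DIRECT_POINTERS
    if rel < n:                       # one hop: inode -> indirect block -> data
        return 1, [12, rel]
    rel -= n
    if rel < n * n:                   # two hops: "lists of lists of lists"
        return 2, [13, rel // n, rel % n]
    rel -= n * n
    if rel < n ** 3:                  # three hops
        return 3, [14, rel // (n * n), (rel // n) % n, rel % n]
    raise ValueError("block number not addressable with this layout")


def max_file_blocks(block_size):
    """Largest number of data blocks a single inode can address."""
    n = pointers_per_block(block_size)
    return DIRECT_POINTERS + n + n * n + n ** 3


def max_file_size(block_size):
    """Upper bound on file size from the pointer layout alone (bytes)."""
    return max_file_blocks(block_size) * block_size
```

With 1 KiB blocks an indirect block holds 256 pointers, so logical block 268 is the first one reached through the double indirect pointer; the same arithmetic explains why ext4 moved to extents for large files.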


August 19, 2011  10:01 PM

The EXT file system – Part 2



Posted by: Dan O'Connor
block bitmap, ext explanation, group descriptor tables, inode bitmap, super block

The still short version of what happens when you need to locate a file on the system is the following:

  • The SuperBlock is read, to collect information about the file system.
  • Next, the Group Descriptor Table (after the SuperBlock on the disk) is read, collecting information about the block groups.
  • Once the block group that the file resides in is determined, the group descriptor table is used to locate where the Inode Table is.
  • The Inode Table will point us to the block holding the root directory entries.
  • That is opened to locate the folder that contains the file we are looking for.
  • Now that we have the inode of the folder, we determine the block group it belongs to (we use information from the SuperBlock for that).
  • Then we go to that block group and get the location of the folder.
  • Now we can open the block that contains the folder.
This keeps going, one level per sub folder, until the location of the file is found; then the information is pulled out of the blocks that contain it.


August 16, 2011  11:34 PM

The EXT file system – Part 1



Posted by: Dan O'Connor
block bitmap, ext explanation, group descriptor tables, inode bitmap, super block

Partitions are just fine, but how does the system get to a file on the disk?

On an EXT based system, the short answer is that the information is stored in the Inode Table.

That really does not mean much if you don’t have an understanding of what the filesystem looks like.

A little explanation is needed.

The first section of the filesystem contains the Super Block (block 1); there could be boot code in front of that (unused).  The Super Block contains information about the file system, such as block sizes, total number of inodes and the volume name, to list a few.

Following the Super Block is the Group Descriptor Table, and this is what we need. It will have a backup of the Super Block, and contains the Block Bitmap, Inode Bitmap and group descriptor data structure for every block group in the filesystem.  These are the basic structures we need to locate information on the disk.
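As an added example serving Part 1 and Part 2 together (not code from the posts), the block below pulls the handful of superblock fields the lookup needs (block size, inode counts, volume name, where the Group Descriptor Table starts) out of a constructed ext2-style superblock, then does the "which block group does this inode belong to" step from Part 2: inode number to block group, index within the group's Inode Table, and the byte offset on disk. The sample superblock and the per-group inode table block numbers are constructed values, and the field offsets follow the ext2 on-disk layout.

```python
import struct

# Added example (not from the posts): parse the superblock fields the lookup
# needs and compute where an inode lives. Offsets follow the ext2 on-disk
# layout; the sample superblock and inode table locations are constructed.
EXT2_MAGIC = 0xEF53


def parse_superblock(sb):
    """sb: the raw 1024-byte superblock (it sits 1 KiB into the volume)."""
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("bad magic: not an ext2/3/4 superblock")
    block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
    first_data_block = struct.unpack_from("<I", sb, 20)[0]
    return {
        "inodes_count": struct.unpack_from("<I", sb, 0)[0],
        "blocks_count": struct.unpack_from("<I", sb, 4)[0],
        "block_size": block_size,
        "blocks_per_group": struct.unpack_from("<I", sb, 32)[0],
        "inodes_per_group": struct.unpack_from("<I", sb, 40)[0],
        "inode_size": struct.unpack_from("<H", sb, 88)[0],
        "volume_name": sb[120:136].split(b"\0", 1)[0].decode(),
        # the group descriptor table is the block right after the superblock
        "gdt_offset": (first_data_block + 1) * block_size,
    }


def locate_inode(fields, inode_tables, inode_no):
    """Return (block_group, byte_offset) of inode inode_no; inode_tables[g] is
    the bg_inode_table block from group g's descriptor. Numbering starts at 1."""
    if not 1 <= inode_no <= fields["inodes_count"]:
        raise ValueError("inode number out of range")
    group, index = divmod(inode_no - 1, fields["inodes_per_group"])
    table_start = inode_tables[group] * fields["block_size"]
    return group, table_start + index * fields["inode_size"]


def sample_superblock():
    """Constructed 1 KiB-block superblock: 8 groups of 256 inodes / 1024 blocks."""
    sb = bytearray(1024)
    for off, fmt, val in ((0, "<I", 2048), (4, "<I", 8192), (20, "<I", 1),
                          (24, "<I", 0), (32, "<I", 1024), (40, "<I", 256),
                          (56, "<H", EXT2_MAGIC), (88, "<H", 128)):
        struct.pack_into(fmt, sb, off, val)
    sb[120:128] = b"evidence"
    return bytes(sb)


# constructed: group g's inode table starts at block 5 of that group
SAMPLE_INODE_TABLES = [5 + 1024 * g for g in range(8)]
```

On a real image the inode table block numbers come from the 32-byte group descriptors starting at gdt_offset (bg_inode_table is at byte 8 of each), which is exactly the Group Descriptor Table step the posts describe.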

