As part of my most recent project I had a pool of about 10,000 phone lines to check for modems within a span of a few days. I had left this part of the project to the very end expecting there to be very few problems in this area (boy was I wrong about that – modem testing is the new SQL injection).

I utilized a little tool called WarVOX as part of the metasploit / Backtrack suite of tools. I first tested with my cell phone and our office numbers to verify that it wasn’t going to leave voicemails everywhere. That seemed to work.

As the war-dialing commenced, I very quickly realized that I was not going to make it in time. No problem – during the process I added an additional 8 trunks to my configuration within minutes.

Overall, it worked out quite well. I used Vitelity as the IAX2 provider. IAX2 is what WarVOX uses to talk to a pool of phone lines or trunks. Vitelity told me that use of IAX2 was not supported, but it worked despite the lack of support.

At one point, Vitelity detected a security problem and disabled the service for awhile until they verified I was who I said I was.  That is comforting to know that people with stolen credit cards attempting to do the same thing may get stopped at some point.

As the war-dialing completed, I then had to switch back to an analog phone to do the actual penetration attempts. I had to test about 50 supposed modem connections. It was a bit cumbersome to manually copy and paste the phone numbers using the existing interface to WarVOX. I hacked up the WarVOX code slightly to provide just the phone numbers in a table output to make it easy to copy and paste.

It was something of beauty to watch the phone lines being dialed in such rapid order through an Internet connection of all things. To make this even better, I had left my hacking laptop at work and was using a Windows based UNIX Graphical logon protocol (X11) client through Windows Remote Desktop (RDP) going over a mobile Internet connection to manage the war-dialing.

What a surreal experience if one stops to think about it. I’m not sure when, but one day I’m going to use this as a practical joke to ring all the phone lines in some meeting or something simultaneously.  I shall declare “It must be a sign!”.

To make this even more complex, numerous systems use email to send out alarms in a distributed manner. There may be a portable backup storage box with configured alarms in a non-standard format that still needs to be handled by someone monitoring the network. To make matters worse, often such devices have email alarms configured to an individual’s email address. This can cause problems when there is turnover.

As part of that I had explored all manner of ways of indicating the status of a system.

Borrowing from the Six Sigma tool set, one scheme involved using a 1,3,9 scale for ranking the severity of an item. A 1-3-9 scale forces the ranking of severity into meaningful categories. A 1-10 scale or similar provides room ambiguity.

Many systems use the existing syslog “standards” for ranking the severity of messages. This had to be incorporated.

For example:

AUTH,EMERGENCY
GENERAL,CRITICAL
AUTH,INFO

It made sense to develop a scheme that would incorporate the syslog “standards”, the 1-3-3 scale, and provide unambiguous information to someone who had never seen an alarm unambiguous data on the severity of an alarm.

A number of distribution lists were created based on a target groups.

The following are some examples:

ALL_ALL_CRITICAL
ALL_MGMT_CRITICAL
DEVELOPERS_MGMT_CRITICAL
DEVELOPERS_MGMT_INFO
OPERATIONS_STAFF_INFO
SECURITY_STAFF_EMERG

The last thing was designing the actual messages. It was decided that it would be important to specify fields in emails in the event that automated processing / parsing systems would have some role in reviewing messages from distributed systems in the future.

Here is a sample message:

“PROBLEM: sw3.local.X.com
Interface(10125) inside is Down at least 2 min on Switch: sw3.local.X.com (192.168.10.X).
Details:
Monitors that are down include: Interface(10125) inside Monitors that are up include: Ping,SNMP,HTTP,Telnet,Interface(1) Vlan1,Interface(100) Vlan100 (192.168.10.253),Interface(5010) Port-channel10,Interface(5011) Port-channel11,Interface(5015) Port-channel15,Interface(5016) Port-channel16,Interface(10101) dmz,Interface(10118) Inside – Alltel,Interface(10127) inside,Interface(10131) inside,Interface(10133) prd-003-vmi4, Channel-Group 10,Interface(10134) prd-003-vmi4, Channel-Group 10,Interface(10135) prd-004-vmi4, Channel-Group 11,Interface(10136) prd-004-vmi4, Channel-Group 11,Interface(10145) GigabitEthernet0/45,Interface(10146) sw-1 dmz trunking port,Interface(10147) sw2 inside trunking port,Interface(10148) storage trunking port,Interface(10501) Null0,”

This system has been in place for some time and seems to work well.

I kept thinking about this and realized that one of things to make this register and have people react a bit better still.

As I was thinking about this, I was shocked to discover that one of the Exchange Servers had become self-aware. Not one to waste an opportunity, I asked it about additional ways to improve this process. It reminded me that humans have emotions and perhaps that another way to improve the Health Monitoring system was by associating emotion with the status of various alarms.

So instead of saying that the DISK on Server A is RESTORE, instead we might say “Server A is relieved that it’s disk was replaced before a total system crash!”.

This self-aware exchange server, which we have now dubbed Fred, has a weird sense of humor.

The solution was found here -> http://intertwingly.net/blog/2008/11/23/RubyGems-1-3-1-on-Ubuntu-8-10

I finally got the Ruby upgraded and all the appropriate gems installed. I tested out the cewl.rb tool against a couple of sites.

root@prd-xxx-xxxxx:~/cewl# ./cewl.rb http://www.xyztest.x –email –meta –depth 4
0a4
CompanyName
XYZ
UUT
ZZZ
uvv

Email addresses found

Meta data found

I’m still a bit unsure about the meta data and email functionality, but the rest of it worked like a charm.

As part of a penetration test, Nmap is one of the first tools I use to try to enumerate a network and see what it’s running as well as which ports might be open (or closed).

The new release is supposedly to be faster than prior versions. So far, my testing confirms this.

Aside from speed there are the new tools like Ncat that make Nmap 5 a major release.

According to the insecure.org website:

“The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging,” the Nmap 5.0 release announcement states.

In addition, extensibility is a big part of the release. For example, the Nmap Scripting Engine (NSE) adds quite a bit to Nmap in terms of flexiblity and programability.

NSE is all about automating network scanning task with scripts. According to the release announcement:

“Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more.”

One of the first steps of any network security assessment is scanning  to identify available and exposed network resources. I have no doubts that Nmap 5 will continue to be a valuable tool for network administrators, security nerds, and penetration testers alike.

Version 2.2 has been released recently. I suppose it is time to do the OSSEC upgrade. The 2.1 and 2.2 releases include a number of needed enhancements as follows:

1. Centralized configuration management.
2. Remote agent restart
3. Real time integrity checking
4. New Log Rules
5. WordPress Monitoring

I am mainly interested in items 1 through 3. I’ve had some issues with the integrity scan affecting performance during production hours so hopefully these changes will assist with that.

After installing the new version, I wanted to check out the impact that the integrity checks had on performance. I setup a test server and a test windows client.

From the Linux based ossec server:

root@prd-001-hids:/var/ossec/bin# ./agent_control

OSSEC HIDS agent_control: Control remote agents.
Available options:
-h          This help message.
-l          List available (active or not) agents.
-lc         List active agents.
-i <id>     Extracts information from an agent.
-R <id>     Restarts agent.
-r -a       Runs the integrity/rootkit checking on all agents now.
-r -u <id>  Runs the integrity/rootkit checking on one agent now.

-b <ip>     Blocks the specified ip address.
-f <ar>     Used with -b, specifies which response to run.
-L          List available active responses.
-s          Changes the output to CSV (comma delimited).
root@prd-001-hids:/var/ossec/bin# ./agent_control -r -a

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on all agents.root@prd-001-hids:/var/ossec/bin#
root@prd-001-hids:/var/ossec/bin#

I noted on the ossec client that there was a bit of a hit on performance during integrity scanning; however, it does not seem to be as bad as previous versions.

apt-get install openssl libssl-dev libx11-dev

Get the source to version 1.50 from www.rdesktop.org

Get the patch http://www.foofus.net/jmk/rdesktop.html

tar -xzvf rdesktop-1.5.0.tar.gz

cd rdesktop1.50/
patch -p1 -i rdp-brute-force-r805.diff
./configure
make
make install

Brute-force attack using password file:

rdesktop -u administrator -p passwords.txt 192.168.0.100

I was working on a setting up a new storage / backup server for one of my networks.

Some of the requirements were data deduplication, compression, etc.

I had first hacked something together using Windows 2003 R2 and Windows Deployment Services’ Single Instance Storage functionality that is baked in.

It worked; however, it was not without problems. Namely it seemed to take forever for SIS to catch up. To be fair, this was volumes holding at least 2TB a piece.

In addition, the solution was lacking many basic tools for manipulating SIS volumes. 

After setting up storage server and logging in, I dropped to a command line.

sisadmin /i e:

Install SIS on the volume.

sisadmin /e e:

Enable SIS on the volume.

Now for testing…

C:\>
e:
copy c:\windows\system32\shell32.dll file1.dll

 Directory of E:\

11/08/2007  02:55 AM        10,508,288 file1.dll
11/08/2007  02:55 AM        10,508,288 file2.dll
11/08/2007  02:55 AM        10,508,288 file3.dll
               3 File(s)     31,524,864 bytes
               0 Dir(s)  1,887,278,223,360 bytes free

E:\>sisadmin /l e:
Listing SIS controlled files on volume ‘e:’.
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file1.dll
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file2.dll
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file3.dll
3 SIS controlled files found on volume ‘e:’.

E:\>dir C:\windows\system32\shell32.dll
 Volume in drive C is OS
 Volume Serial Number is EC25-1163

 Directory of C:\windows\system32

11/08/2007  02:55 AM        10,508,288 shell32.dll
               1 File(s)     10,508,288 bytes
               0 Dir(s)   7,007,498,240 bytes free

E:\>copy c:\windows\system32\shell32.dll file4.dll
        1 file(s) copied.

E:\>dir
 Volume in drive E is LD0-R0-1000
 Volume Serial Number is 8205-C4FF

 Directory of E:\

11/08/2007  02:55 AM        10,508,288 file1.dll
11/08/2007  02:55 AM        10,508,288 file2.dll
11/08/2007  02:55 AM        10,508,288 file3.dll
11/08/2007  02:55 AM        10,508,288 file4.dll
               4 File(s)     42,033,152 bytes
               0 Dir(s)  1,887,267,696,640 bytes free

E:\>sisadmin /l e:
Listing SIS controlled files on volume ‘e:’.
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file1.dll
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file2.dll
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file3.dll
E3E636E3-F794-11DD-90C3-002219AFCCE9.sis <- E:\file4.dll
4 SIS controlled files found on volume ‘e:’.

It works!

Now I have to test this using real data – this is just a few files.

So far I am impressed. It syncs to Exchange, has Cisco VPN, and a number of other things. One of the things I had trouble getting over at first was the idea of a “glass” phone. It looks so breakable and was definitely a turn off as I go through phones about once a year at least due to having bull in china cabinet syndrome. I found this amazing contraption that you put over the phone that then protects it. That seemed to help the psychological block that I had.

I setup my company VPN to go through the phone. To do this, I took the string out of the Cisco VPN pcf file and passed it through a decoder. There is an online version available here ->

http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode

I found a utility called idletunes which helps with removing those pesky (!) dead tracks under ITunes. I know you can hit delete. It seems like there should be a search field by missing track. If it is in ITunes, I couldn’t find it.

If found another tool called the ITunes Library Updater which seems to perform a similar function and much closer to what I was looking for.