Penetration Testing & Capture the Flag

Penetration Testing

Nowadays penetration testing is where it’s at.  Whether trying to learn security, becoming a white hat, or consulting it’s a must have skill.  However, it can be intimidating on where to start.  Besides picking up books the next best way to learn is through capture the flag events.

Important truths about pen testing

Capture the Flag

Computer/hacking capture the flag events are usually team based timed events where you’re pitted against several opponents and trying to earn the highest score.  Points are awarded for both offensive and defensive maneuvers.  Typically each team will have a virtual machine they need to defend while trying to exploit vulnerabilities in other team’s VM.

The best place to find one in your area (besides attending a con) is your local 2600 chapter.  If they don’t hold CTFs then try a local information security club.  If you live in the mountains and can’t find either you can use Hack This Site which runs virtual CTF events 24/7.

Remember, hacker (white hat) and cracker (black hat).

Malware Analyzers Part deuce

Several weeks ago I posted about different free malware analyzers (sandbox environments).  I’ve stumbled across another free tool from Mandiant which is their Red Curtain offering. Red Curtain will scan a given local directory or drive and analyze each file assigning it a threat score. It takes into effect whether the file is signed, packing, and the entropy which could be suspicious.

Another plus is the tool can be remotely deployed which is great for LAN & enterprise environments.

*I believe all their tools only run on Windows.

Sourcefire (Snort) Network Security Seminar

Last week I attended a seminar by Sourcefire.  Their CTO, Martin Roesch, was the speaker.  The topic was “Your Network Security Isn’t Good Enough Anymore“.  This seminar was ultimately a sly sales pitch for Snort, their IDS product.  Roesch talked about how there are several equal quality IDS products available now — there is much less market differentiation between them.

Two problems:

1) No one is taking the time to properly configure / tune the IDS for the environment it’s placed in —> meaning thousands of events with many false positives.

2) The IDS events being generated are not monitored —> the average breach to compromise time is down to minutes in some cases meaning you don’t have time to wait.

The next generation Snort intends to solve both of the problems above.  Their calling their new version “Adaptive IPS” which features their real time network awareness (RNA) technology.  This RNA module constantly surveys your network taking inventory of OSes, services, protocols, and potential vulnerabilities that exist.  The RNA module then pushes configuration changes to Snort — auto tuning the IDS for your network!  I haven’t tried RNA myself but Roesch claimed several customers seeing a 90+% reduction in the number of IDS generated events.  With this dramatic reduction in events to monitor it should mean no excuses to not monitor your network.

Now, if Sourcefire can create a module that will monitor and act on events we won’t need NoCs anymore….

Tip of the Day: Destroying Optical Media

Another tidbit I’ve picked up from reading Bruce Schneier’s “on Security” was how to destroy optical media (cd’s, dvd’s).  Usually I crack them in half or scratch them with a sharp object.

It turns out another method is to place them in the microwave for 3-5 seconds (depending on the wattage of your microwave).

Good Backup Practice: I used to store all of my onsite/offsite backups on CDs and DVDs.  I’ve been sorting through all my backups and moving them into TrueCrypt containers and re-burning the data while being sure to destroy the unencrypted copies.

Great “defeating the firewall” article

I stumbled across an excellent article on freenode #security.  Does your employer use content filtering?  Are you sick of being restricted when using free wifi hotspots?  How about a hotel charging for wifi?

The article talks about methods to circumvent all of the above scenarios.  I actually do the most vanilla technique to overcome my employer’s web filter: dynamic ssh tunneling back to a server I have running at home.

Read it here:  http://blog.sebastien.raveau.name/2009/06/internet-by-all-means.html

Windows Forensics tip of the day…

The Windows page/swap file usually contains very recent information of a user’s activity.  Data is usually overwritten fairly quickly  — depending on how “busy” the system is.  The page file can store potentially sensitive and incriminating evidence.  The legality of admitting evidence found in a page/swap file is still sketchy in the judicial system. However, it’s always a good idea to play it safe.

If you don’t mind a slightly longer shutdown / restart time you can have your system write zero’s to the page file.  This is disabled by default.

Start -> Run -> regedit

Change the following key from a 0 to 1

HKLMSYSTEMCurrentControlSetControlSession ManagerMemory ManagementClearPageFileAtShutdown

*The Microsoft KB article can be found here: http://support.microsoft.com/kb/314834

DD-WRT and wireless observations

I installed DD-WRT over the weekend following this tutorial.  This is something I wish I would have done a lot sooner because of the additional features DD provides.  Unfortunately I have a v8 WRT54g which only has 2mb of flash memory.  This limited me to only being able to run the stripped down “micro” version. DD supports syslog but the micro version does not log firewall events.  I was hoping to pass these to my IDS.  Hopefully I can figure out a way to use iptables to replicate a span or tap port.

I tweaked the TX Power using DD.  Be warned you can overheat your router if you try to crank this up too high.  The biggest signal boost I was raising my access point 2′.  Try to keep your AP elevated as much as possible.  See my image below….

dd-wrt