New computers – Windows 7 – XP Mode fixes

I think I may finally be getting the hang of this XP Mode thing.  (I may also be fooling myself …)

As previously noted, XP Mode doesn’t access the “real” drive, but a virtual drive which is contained in one large file.  (Actually, seemingly a minimum of three, but only one appears to contain the drive “contents.”)  XP Mode does provide you with links to the real drives on the computer, but, since they are not mapped to drive letters, they are accessible from most Windows programs yet cannot be used from DOS programs, even though such programs run under XP Mode.

I figured I would have to create the directories, with files I wanted to work on, within the “virtual” drive, and, each time I made any modifications, remember to copy the new versions back to the “real” disk so they could be used under Win7.  Not only is this a nuisance, but it wastes disk space.  XP Mode takes up enough space as it is: starting at about 1.5 gig, by the time you get it up to speed with Windows updates, it has ballooned to 6 or 7 gig.  Any programs or file space you want come on top of that.  (And, since I no longer trust XP Mode to stay stable, I have been making backup copies as I have been doing the updating and adjusting of the virtual machine, wasting even more disk space.)  An annoyance, to say the least.

I can’t remember where I found it, but somehow I noted a reference to the actual description, within XP Mode, of the links to the real drives.  It looks just like a network reference to a shared resource.  So I tried mapping that format and creating a DOS “lettered” drive mapping (from within XP Mode).  So far it seems to work fine.

For those who’d like to try, the “network” name of the real computer seems to be TSCLIENT.  So, in order to create a link to the C: drive on the real computer, map to \\TSCLIENT\C .  (It does not seem to matter what your real machine’s name is; that name does not seem to be used in the reference.)


Conflicting AVs

Well behaved antivirus programs can safely work together in peace and harmony.

Unfortunately, relatively few AVs are well behaved.

On my new desktop, I’ve got Avast (came with the machine, has a free version, and is a pretty good product) and MSE (it’s free, and it’s pretty safe for most users, although, as a professional, some parts of it irk me).  I’ve set both to ignore the virus zoo, although they aren’t too good at taking that restriction to heart.

MSE quarantined a few samples before I got things tuned.  Of course, it doesn’t have any function to get stuff out of “quarantine.”  (As I say, as a professional this is irksome, but, considering the average user, I’d say this is a darn good thing.)

Today Avast gave me a warning of some dangerous files.  They were the ones MSE quarantined.

(In case anyone is interested, the quarantine seems to be in \ProgramData\Microsoft\Microsoft Antimalware\LocalCopy.)


New computers – Windows 7 – XP Mode oddities

There are some … interesting aspects to running XP Mode.

If you are running XP Mode in a window within Windows 7, the “Windows” key on the keyboard brings up the Start menu on Windows 7, rather than XP Mode, even if XP Mode is the active window.  I suppose that is reasonable, since the Windows key seems to override pretty much anything else that is happening at the time, although it’s annoying that you can’t use the keyboard shortcuts for things like opening Windows Explorer and issuing the “Run” command.

What seems a little odder is that the F1 key seems to be sent to both Windows 7 and XP Mode if XP Mode is the active window.  Whatever action you wanted with F1 within XP Mode (and the active program there) takes place, but you also get the Help box for XP Mode itself (which can also be annoying.)

The Shift-Tab for switching between windows also immediately shifts you out of XP Mode and into the next Windows 7 window.  (Understandable, I suppose, but arrgghh!)

You can, of course, avoid these difficulties by switching into Full Screen mode.  Unfortunately, Windows Virtual Machine seems to have some problems there: it seems to momentarily lose all the “integration” functions, and has to re-enable them.  This seems to result in strange effects, such as the loss of access to shared drives (so, if you were pointed at a specific directory, when you switch you are no longer “there”).


Complexity is killing us

The other night Gloria asked me what to do about securing the computer if I die first.  (Yes, we talk about those type of things.)  I really didn’t know what to tell her.  And told her that.

A decade ago, I would have had a list of things to do.  Actually, she knows that list: although she always considers herself ignorant about computers, she’s actually more savvy than most (and a lot more savvy than she gives herself credit for).  But these days I hardly know where to start.  You have to qualify every piece of advice you give, and you have to constantly keep up on the latest attacks and threats.  General classes don’t cut it any more.

This isn’t because the attackers are getting any more imaginative.  In general, they aren’t.  Recently a lot of companies (some, like RSA and Sony, very high profile) have been screaming about getting hit by APT (Advanced Persistent Threat) attacks.  What is APT?  Simply social engineering and malware.  Well, since malware has almost always had a social engineering component, I suppose it’s really only malware.  We’ve had malware for thirty years.  So what’s new?  Nothing.  The companies were sloppy.

What is happening is that all of information and communications technology is getting more and more complex.  Programs are tied into the operating system.  Nothing is clear cut.  The actual workings of the system are hidden from the user.  Hardware is virtual.  Networks are cloudy.  Gene Spafford mentioned this in a recent interview.  Since it was an interview, he really didn’t get a chance to expand on this point: the interviewer was more interested in trying to nail down who to blame for the situation.  Who is to blame?  Well, the vendors are creating sloppy systems: forfeiting security in the name of bells and whistles.  But that, of course, is because only a vanishingly small segment of the population is actually interested in security: everyone wants dancing pigs.

I’ve written before about complexity and security.  (And network complexity.)  But every day brings new examples.  Today, for example, Adobe has finally brought out an easier way to delete or manage Flash cookies.  Flash cookies are a particularly pernicious and tenacious form of cookie.  Those of you who think you are “up” on security may have set your browser to delete cookies.  Good.  Unfortunately, it doesn’t do a thing for Flash cookies.  So, Adobe has finally given us control over Flash cookies.  In version 10.3.  What version of Flash do you have?  Do you even know?  How would you find out?  It took me quite a while, and I know what I’m doing.  And, in spite of the fact that I’ve had numerous (annoying) Adobe updates recently, I don’t have 10.3.

I’m supposed to be a specialist not only in security, but in security awareness.  And the job is just getting overwhelming.

It’s really depressing.


New computers – Mac (learning curve)

I’m working through a book to learn about my new Mac.  (You’ll see the review eventually, and probably recognize some of this text when you do.)  It provides the information necessary to begin to operate the computer, but it also gives the lie to the statement that the Mac is easy to use.  There are a huge number of options for different functions, so many that it is impossible to remember them all.  The material is generally organized by topic, but there are notes, tips, and mentions buried in the text, and it is almost impossible to find these again, when you go back to look for them.  (The “delete” key definitely needs to be listed in either the index or the key shortcuts appendix.)

One of the appendices is a Windows-to-Mac dictionary, which can be quite handy for those who are used to Microsoft systems.  It could use work in many areas: the entry for “Copy, Cut, Paste” says they work “exactly” as they do in Windows, but does not give the key equivalent of “Command” (the “clover” symbol) -C rather than Ctrl-C.  (It was also only in working through some practice that I discovered that what the book describes as the “option” key is portrayed, in Mac menus, with a kind of bashed “T.”  Yes, I suppose that, once you know this, it does look kind of like a railroad switchpoint, but it’s hardly intuitively obvious.)

There is a style issue in the written material of the book: the constant assertions that the Mac is better than everything, for anything.  The first sentence of chapter one says “When you first turn on a Mac running OS X 10.6, an Apple logo greets you, soon followed by an animated, rotating ‘Please wait’ gear cursor–and then you’re in.  No progress bar, no red tape.”  Well, if the gear cursor isn’t an analogue of a progress bar, I don’t know what it’s supposed to be.  Also, this statement is false: when you first turn on a Snow Leopard Mac, you have to go through some red tape and questions.  This is only one example of many.  This style may have some validity.  After all, anyone who does not use a Mac comes across the same attitude in any Mac fanatic, and, even without the system chauvinism, a positive approach to teaching about the computer system is likely helpful to the novice user.  However, the style should not get in the way of factual information.

I’m used to UNIX, and I’m already into Terminal, but it’s annoying to have that be the only way to access some of the material, given the repeated assertion that the Mac is so easy to use.  Another little quirk today: yes, you can access Windows servers, but you can’t save anything to them.  (I did find a way around that: create the file in Windows, open it on the Mac, copy information into it, and then save.  Easy, right?)


New computers and old network problems

Well, I don’t know if this is a continuation in the “new computers” series, or just rehashing an old problem.

I’ve noted before the problem of the complexity of trying to establish an ad-hoc network under Windows.  And, I’m trying various things with the new Mac.  So, in a situation, right now, where I have one network cable, and two computers downstairs, I decided to see what an ad hoc network was like with a Mac.

I remembered to do the bridging thing on Windows, and I’ve set up an ad hoc network with a pre-shared key.  (At least, I think I have.  That seemed to be the way it worked, and the Mac connected with a password, but, on the Windows machine, when I go back and look at it, it says it’s open.)  The Mac wouldn’t show the network when I looked at the list, but, when I gave it the name and password it seemed to connect just fine.

I got a Web site correctly on the Mac.  Then I went to connect to the Windows machines as servers, and that worked out fine.  Then I went to do some work on the Web, and … nothing.  The Mac wasn’t able to get onto the Internet.  I was still connected to the Windows servers, but couldn’t get a Web page.

And, then, suddenly, I could, again.  And then I couldn’t.  (At the moment, I can’t.)  (Sorry, started working again just before I finished this entry.)

I’ll have to give it a shot with the Mac connected to the cable, and see if I can set up an ad hoc wireless connection that the Windows netbook can use, but, at the moment, Mac networking is not working any better than Windows in the ad hoc environment.

Roll on PopulistNet.


Social Engineering Toolkit 0.7.1

For those of you who have never used the Social Engineering Toolkit (SET), you really are missing out on an amazing tool, and one that is guaranteed to make your lives simpler in the social engineering realm.

SET was written by David Kennedy a.k.a. ReL1K, and you can find this amazing tool in either the BackTrack Linux distro, or you can get it via svn directly from Dave’s site. Full info on how to download this via svn can be found here.

SET is also tightly integrated with the Metasploit Framework, so you can easily make use of all the exploits within MSF to perform some really technical social engineering attacks.

I’m guessing that if you’ve never heard of SET before, you’re probably wondering what it can do, well, let’s put it this way, in the context of social engineering, what can’t SET do?

I would say that the best way to familiarize yourself with SET and all its features would be to download it and have a play with it. Then to go through some of the many tutorials available online.

There is now a section dedicated to SET over at Offensive Security‘s free Metasploit Unleashed training page, which you can find here.

Dave has also kindly put up a load of tutorial videos to walk you through the basics, and then some on his site. To check these out just head over to the Tutorials section on his site.

If you’d like to see a video of all the new features in SET 0.7, then have a look here.


Caller-ID spoof and voicemail

It’s easy to spoof caller-ID with some VoIP systems.  There are a few Websites that specifically allow it.  It’s a little harder, but geekier, to spoof or overflow caller-ID with a simple Bell 202 modem: it’s transmitted with that tech between the first and second rings of the phone.  (Since most people have caller-ID these days, many telcos don’t play you the first ring.  Since we don’t have caller-ID, we often get accused of answering the phone before it rings.)  (Of course, the rings you hear on the calling side aren’t necessarily the rings heard on the other end, but …)

Apparently AT&T allows immediate access to voicemail on the basis of caller-ID.

Apparently, with Android phones, it’s also gotten even easier to spoof caller-ID.


Nmap Scripting Engine (NSE)

A few days ago, I found myself playing with the NSE again, and got to thinking about how many people actually know about NSE, and how to use it. This really is one of my favourite features that has been added to nmap over the years, and it really does make your life easier when doing a lot of scanning.

So, what is the NSE, I hear you ask? Well, instead of me trying to come up with a better way to explain, I’ve taken the following from the nmap online book, which can be found here.

“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”

Some of the new scripts that were added recently were the following, and from the descriptions, you can see just how beneficial these are:

asn-query—Maps IP addresses to autonomous system (AS) numbers.
auth-spoof—Checks for an identd (auth) server which is spoofing its replies.
banner—A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.
dns-random-srcport—Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
dns-random-txid—Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).
ftp-bounce—Checks to see if an FTP server allows port scanning using the FTP bounce method.
http-iis-webdav-vuln—Checks for a vulnerability in IIS 5.1/6.0 that allows arbitrary users to access secured WebDAV folders by searching for a password-protected folder and attempting to access it. This vulnerability was patched in Microsoft Security Bulletin MS09-020.
http-passwd—Checks if a web server is vulnerable to directory traversal by attempting to retrieve /etc/passwd using various traversal methods such as requesting ../../../../etc/passwd.
imap-capabilities—Retrieves IMAP email server capabilities.
mysql-info—Connects to a MySQL server and prints information such as the protocol and version numbers, thread ID, status, capabilities, and the password salt.
pop3-brute—Tries to log into a POP3 account by guessing usernames and passwords.
pop3-capabilities—Retrieves POP3 email server capabilities.
rpcinfo—Connects to portmapper and fetches a list of all registered programs.
snmp-brute—Attempts to find an SNMP community string by brute force guessing.
socks-open-proxy—Checks if an open socks proxy is running on the target.
upnp-info—Attempts to extract system information from the UPnP service.
whois—Queries the WHOIS services of Regional Internet Registries (RIR) and attempts to retrieve information about the IP Address Assignment which contains the Target IP Address.

All NSE scripts are written in the Lua programming language. For the NSE side of things, Lua is easy enough to pick up, write some decent scripts in, and then share them with others. The more people that write these add-on scripts the better it is for everyone.
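Once you run a batch of these scripts against more than a handful of hosts, the useful part is pulling the results back out of nmap’s XML output rather than reading the terminal. The following is an added example, not code from this post and not part of the Nmap project: a small Python script that reads `nmap -oX` output and lists every host-level and per-port script result, flagging output from the finding-only checks in the list above (ftp-bounce, http-passwd, http-iis-webdav-vuln, socks-open-proxy). The embedded XML is a constructed sample in the shape nmap writes with `-oX`, with illustrative output strings, not a captured scan; the rule that any output from those four scripts counts as a finding is an assumption (most NSE vulnerability checks stay silent when nothing is found, but read the text before acting on it), and the dns-random-* scripts are deliberately not in that set because they always print a verdict.

```python
"""Summarize NSE script results from an nmap -oX file.

Added example, not from the post and not Nmap's own code.  SAMPLE_XML is a
constructed sample in the shape `nmap -oX` produces; the script output
strings are illustrative, not captured from a real scan.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Script ids from the post whose output normally appears only when the check
# succeeds.  Assumption: any output from these is worth a second look.
FINDING_SCRIPTS = {"ftp-bounce", "http-passwd", "http-iis-webdav-vuln",
                   "socks-open-proxy"}

# Constructed sample; 192.0.2.10 and AS64496 are documentation ranges.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -p 21,80,3306 --script asn-query,banner,ftp-bounce,http-passwd,mysql-info -oX scan.xml 192.0.2.10">
<host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostscript>
    <script id="asn-query" output="BGP: 192.0.2.0/24 | Country: XX | Origin AS: 64496"/>
  </hostscript>
  <ports>
    <port protocol="tcp" portid="21">
      <state state="open"/><service name="ftp"/>
      <script id="banner" output="220 (vsFTPd 2.0.8)"/>
      <script id="ftp-bounce" output="bounce working!"/>
    </port>
    <port protocol="tcp" portid="80">
      <state state="open"/><service name="http"/>
      <script id="http-passwd" output="Directory traversal found.&#10;Payload: &quot;../../../../etc/passwd&quot;"/>
    </port>
    <port protocol="tcp" portid="3306">
      <state state="open"/><service name="mysql"/>
      <script id="mysql-info" output="Protocol: 10&#10;Version: 5.0.51a&#10;Thread ID: 42"/>
    </port>
  </ports>
</host>
</nmaprun>
"""


@dataclass(frozen=True)
class ScriptResult:
    host: str
    port: int          # 0 for host-level scripts such as asn-query or whois
    proto: str         # "tcp", "udp", or "host" for hostscript results
    script: str
    output: str


def parse_script_results(xml_text: str) -> list:
    """Pull every <script> element out of nmap XML, host-level and per-port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        # Host-level scripts live under <hostscript>, not under a <port>.
        for s in host.findall("hostscript/script"):
            results.append(ScriptResult(ip, 0, "host", s.get("id"), s.get("output", "")))
        for port in host.findall("ports/port"):
            for s in port.findall("script"):
                results.append(ScriptResult(ip, int(port.get("portid")),
                                            port.get("protocol"), s.get("id"),
                                            s.get("output", "")))
    return results


def findings(results: list) -> list:
    """Results from finding-only scripts that actually produced output."""
    return [r for r in results if r.script in FINDING_SCRIPTS and r.output.strip()]


def report(results: list) -> str:
    """One line per script result; lines for findings start with '!'."""
    flagged = set(findings(results))
    lines = []
    for r in sorted(results, key=lambda r: (r.host, r.port, r.script)):
        where = r.host if r.proto == "host" else f"{r.host}:{r.port}/{r.proto}"
        mark = "!" if r in flagged else " "
        first = r.output.splitlines()[0] if r.output else ""
        lines.append(f"{mark} {where:<22} {r.script:<22} {first}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_script_results(SAMPLE_XML)))
```

Only the first line of each script’s output is shown in the report; the full text stays on the `ScriptResult` for anything you want to look at more closely. Newer nmap versions also emit structured `<table>`/`<elem>` children under `<script>`, which this parser ignores in favour of the plain `output` attribute.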

I hope that this was useful to someone, and if you’d like to see any other articles on tools, etc., then let me know via the comments and I’ll see what I can do to accommodate.


Where To Sell Software Vulnerabilities/Exploits?

So the last post that I wrote, and Aviram’s follow-on post, really got me thinking: unless you know where to sell software vulnerabilities or exploits, finding places isn’t really that easy at all. I knew about ZDI and VPC, but that was it really, and it took me ages to remember VPC.

So I spent some time Googling, and well, that didn’t help me much to be honest. So I’ve decided to compile a list on here, with a subject that’s easy enough to search for.

So what I’m asking all our readers is that if you know of anywhere that buys software vulnerabilities legitimately, please let me know by leaving a comment and I’ll update the list here accordingly.

So without any further ado, here’s the definitive list of where you can sell those exploits and vulnerabilities that you worked so hard on discovering and writing.

Beyond Security

Zero Day Initiative (Tippingpoint)

Vulnerability Contributor Program (iDefense)

Global Vulnerability Partnership


Hack In The Box Security Conference Comes to Europe

The first ever HITB Security Conference in Europe will be held in Amsterdam on the 1st and 2nd July, so apologies for only posting this now, but there’s still time to register.

The full conference agenda can be found here.

Some of the talks listed are:

- Breaking Virtualization by Switching to Virtual 8086 Mode

- Attacking SAP Users Using sapsploit

- Fireshark – A tool to Link the Malicious Web

- Having Fun with Apple’s IOKit

So all in all, it looks like it’s going to be an interesting couple of days.

Leave a comment if you’re going, it’d be good to hook up.


Sound good?

By the way, in non-Sonne-erous G8/20 news, our government(s) have spent a billion dollars on security for a couple of days of meetings.  Even given the degraded value of the American billion, that’s a lot of money.

Part of it was used to buy sound cannons.  (The police don’t like you saying that: they prefer the term “long range sonic control devices.”)  These sound cannons generate noise at 130 decibels, which the civil liberties folks are concerned will damage human hearing.

That’s the same level of noise a vuvuzela makes.

So, look, why didn’t we save the billion dollars, go down to Canadian Tire, and, for a hundred bucks (possibly in Canadian Tire money) equip the entire riot squad with vuvuzelas?


Your Chance To Get The Tools You Want Added To The Next Backtrack Release (BT4r1)

If there are any tools that you currently use that aren’t already in the Backtrack 4 Linux distribution, then now is your chance to get them added to the next Backtrack release.

The guys over at Offensive Security have set up a page where you can submit your requests. I urge everyone to make use of this if there is anything that you think the Backtrack community could benefit from, and make your lives easier.

The link to submit requests can be found here.


Maltego 3

For all of those who have been eagerly awaiting the release of Maltego 3, it’s now available to download here.

There are new versions of the community and commercial editions, and I have to say that it really is worthwhile getting the commercial version if you can afford it.

I have to say that this is one of the most fascinating tools around at the moment. For those of you who have never heard of Maltego or what it’s capable of, here’s the blurb from Paterva’s web site.

What is Maltego?

With the continued growth of your organization, the people and hardware deployed to ensure that it remains in working order are essential, yet the threat picture of your “environment” is not always clear or complete. In fact, most often it’s not what we know that is harmful – it’s what we don’t know that causes the most damage. This being stated, how do you develop a clear profile of what the current deployment of your infrastructure resembles? What are the cutting edge tool platforms designed to offer the granularity essential to understand the complexity of your network, both physical and resource based?

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user unprecedented information. Information is leverage. Information is power. Information is Maltego.

What does Maltego do?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to “hidden” information determines your success, Maltego can help you discover it.


Sometimes it’s just Windows …

As well as the complexity issue I spoke about earlier, computers can do some weird things.

A couple of days ago, Gloria was doing some work that involved comparing two photographs.  She asked me to have a look at the first, then showed me the second, and then wanted to show me the first again.  Which, of course, wasn’t there any more.  Windows Picture and Fax (why fax, in this day and age?) Viewer, I explained, almost uniquely among Windows programs, doesn’t let you have more than one window open at a time.  Why not, she asked.  No reason I can think of.

In some frustration she closed the picture viewer window, preparatory to finding the other picture in the other directory.  She clicked the little red square with the white x in it, up in the top right hand corner.  The Viewer window disappeared.

So did some other stuff.

Windows chose to interpret this action as a command to delete the directory in which she had been working, and from whence came the image she had been showing me.

Why does closing a window get interpreted as a command to delete anything?

Which was rather important, since it was her email directory.  With all her email.  (No, not Outlook.  Of course not Outlook.  This is a security blog, after all.)  And various files that came as attachments.

Normally, when you ask to delete a file (from the Windows Explorer window), you get asked if you really want to delete that file.  Actually, usually you get asked if you want to send that file to the Recycle Bin, which is why I have learned to use Shift-Delete almost as a matter of course, but we’ll let that go for the moment.  In either case, you get asked something.  Not this time.  This time the first indication we got of anything happening was the dialogue box telling us that it couldn’t delete the directory, since the directory was in use.  Windows had, of course, deleted all the files already.  (Maybe Windows randomly deletes your email directory if you don’t use Outlook …)

Why, all of a sudden, no confirmation of intention to delete?

Well, regardless of the fact that we hadn’t asked Windows to delete anything, this is exactly the reason that the Recycle Bin was created in the first place.  So, I opened up the Recycle Bin, sorted the files by place of origin, and found the directory, and files, that had been deleted.  As well as other files, of course, since it had been a while since my wife last “emptied” the Recycle Bin.  No problem: retrieve them all, and then sort them out.  So, we retrieved them all, and Gloria went to work on getting rid of what she didn’t want.

When she finished, she opened a new Windows Explorer window to check and make sure that everything was OK.  It wasn’t.  The directory was still empty.  I got involved again, checking this and that.  Shut down program.  Click on the shortcut on the desktop to start up the email program.  Email comes up just fine, and all the messages are there.  How on earth did it do that, when the message files, and even the email program, didn’t exist, as far as Windows Explorer was concerned?

After a bit more checking, I even rebooted the computer, in case, for some weird Windows reason, it was still “remembering” that the files had been deleted.  Rebooted, and still nothing in the directory.  But the mail program, and mail, came up just fine.

So I started messing around with the shortcut properties.  And, lo and behold, came up with something weird.  It wasn’t looking at the email directory.  It was looking at a directory that didn’t exist.

Except, now it did, when we went to look at it.  And it contained all the files, and all the email.

When retrieving from the Recycle Bin, it had created a new and different directory.  And moved the files there, rather than where they had come from.  And had changed the properties on the desktop shortcut, so that they pointed to the new directory.  (And, we found later, had separately changed the properties on the shortcut calling the email program on startup.  But hadn’t, I confirmed today, changed the properties on the program listing under the Start button.)

Why, when you can’t retrieve to a location other than the original, does Windows randomly do that itself?  Why to a directory that doesn’t exist?  Why are (almost) all the properties changed?  Why aren’t all the properties changed?

Sometimes, when something very weird happens on the computer, and Gloria asks why, I shrug and say “It’s Windows.”  She says it makes me sound like a smart aleck when I say that.

Well, have you got a better explanation?



Metasploitable

We’ve all been there before: having to do a demo to show the dangers of not patching, or of insecure operating systems, and then spending ages configuring a vulnerable host for the demo. Or even just wanting to set up a host so that you can better familiarize yourself with Metasploit. It takes a while to build a vulnerable machine, and in my experience it always seems to take me longer to build an insecure machine than a secure one.

The crew over at Metasploit recently released Metasploitable, which is an Ubuntu 8.04 server install as a VMware image; it includes a number of vulnerable packages, such as tomcat, mysql, tikiwiki, and others.

This is definitely a move in the right direction if you ask me, as this is just the type of thing that I’ve been looking for. It is going to save me hours of time, will be perfect for a lot of my presentation needs, and will also help me to train others up on the many facets of Metasploit.

For more info on Metasploitable, read the Metasploit blog post here.

To download the torrent directly, you can get it from here.