Thursday, October 22, 2009

Belgian national infrastructure client

The last couple of days I was on site at a customer that is one of the big players in the Belgian national infrastructure. I am just there to help roll out some systems, not as a DBA or a security guy, but ... I had my little fun.

The first thing I noticed when I got in was that with just a name drop and telling them that I am an IT guy, the friendly guy at the front desk opened the doors. No phone call to verify my story; I just walked onto the site and over to the other buildings. Always be polite and ask for directions, smiling :).

Then I got to the building of the IT department, and the first thing I noticed were all the printouts on the walls. One of them was a procedure with a password on it ... sweeeet.

Later that day I got an email with my login credentials. Yes, my dear reader, plain-text passwords emailed over the DHCP network. I asked my new colleagues whether I was the only one thinking that it shouldn't be that way, but apparently they did not understand the problem.

Now I have access badges and can come in through the employee entrance. At the entry point there is a security guard who opens the gate for the cars and verifies the people walking in. The only problem is, the guy is about 6 meters away from you when you show your badge. The badge is a classic (white) RFID card with the company logo and your name printed on it. Just out of curiosity I showed the guy a membership card of something else that is red and blue, and got in smiling.

But the customer is security-aware ... they are doing an audit of their email system at the moment, they have firewalls, anti-virus and VPNs.

Sunday, September 27, 2009

Python workshop at HSB

Yesterday I went to a Python workshop organized at the hackerspace Brussels. We gathered at the void*pointer around 14:00. fs111 gave us a very nice introduction to Python.

There were programmers and people who had not programmed in ages, but it was OK. You could ask any question you had, and there were some exercises, classics like the number-guessing game, to get you up and programming.

We have a homework assignment: writing a very simple port scanner :). Have a look at the hackerspace website if you want to join for the follow-up.

My conclusion is simple: Python is a very powerful language, easy to learn (that is to the credit of the instructor), and it is worth sitting down for an afternoon to learn it. It will certainly become a weapon of choice for handling some of my day-to-day admin problems.

Sunday, September 6, 2009

BiLE - finding out relationships

BiLE is a Bi-directional Link Extractor, a tool suite of Perl scripts created by SensePost. It uses HTTrack and Google to give you a view of which websites have a strong relationship with the website of your target.

The first interesting script is called BiLE.pl. When you run it against a target website, it starts HTTrack to mirror the target website and all websites it can find hyperlinks to. BiLE will also query Google using the "link:" operator. Using this Google query it can find all websites linking to the target website.

BiLE.pl produces 2 output files. The first one is a .mine file, the other one is a .walrus file. If you have a look at the .mine file you'll see that the output is of the form source:destination.

Here is a sample of the output when I tested it:
www.target.org:jaxb.dev.java.net
www.target.org:jbind.sourceforge.net
www.target.org:jigsaw.w3.org
www.target.org:lists.w3.org
www.target.org:lists.xml.org
www.target.org:lucas.ucs.ed.ac.uk

This file only tells you that there is a link from your target website to a destination website. So there is a relationship between target and destination, but you can't tell how important it is. This is why there is the script BiLE-weigh.pl.

BiLE-weigh.pl takes the output file of BiLE.pl and uses a weighing algorithm to determine the importance of the relationships between the target and the destinations. The readme contains a short description of how it works.

To get BiLE-weigh.pl up and running I had to alter the code, since I got the error "BiLE-weigh.pl gives sort: open failed: +1: No such file or directory – error".

Change this line from:
`cat temp | sort -r -t ":" +1 -n > @ARGV[1].sorted`;
to:
`cat temp | sort -r -t ":" -k 1 -n > @ARGV[1].sorted`;

I found the solution on the minimalistic transparent x-desktop blog.

The output of BiLE-weigh.pl is something like this:
www.somesite.com:6.6
www.anothersite.com:4.02439024390244
subdomain.yetanothersite.com:75

The value at the end is the weight. The absolute value is meaningless; we are only interested in the rate of decay. To get this done in a reasonably easy way, you copy the content of the .sorted file (this is the output file of BiLE-weigh.pl) and paste it into a spreadsheet. In OpenOffice Calc a wizard pops up and asks you how it should handle the data. Your delimiter is a colon (:). Once you have the data in your spreadsheet, the last action is to sort it by the weight, descending.

Now you have a nice little list that tells you what relationships exist between your target website and other websites.

My output was:
www.target.com: 298.62
sub1.target.com: 165
target.wordpress.com: 165
tools.emailgarage.com: 75
www.mapsonline.be: 75

The next website has a weight of 6.6, so it drops dramatically and therefore you can assume that the interesting part stops here.

So these 5 lines of output allow you to assume that the target organization has real-life relations with wordpress.com, emailgarage.com and mapsonline.be.
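The spreadsheet step above (sort by weight, read down until the weight collapses, then map the remaining hosts back to organizations) can be scripted. The following is an added example written for this post, not part of the BiLE suite; the sample lines are constructed from the values quoted above, and the 0.2 cut-off ratio and the "last two labels" rule for turning a host into an organization are assumptions of the example. Note that the obsolete `+1` key in the original sort command designates the second colon-separated field, the weight (`-k 2` in current sort syntax), which is the field this example sorts on.

```python
"""Rank BiLE-weigh.pl output by weight and find where the decay cuts off.

Added example for the post, not code from the BiLE tool suite.
"""
from typing import List, Tuple

# Constructed sample of a BiLE-weigh .sorted file, built from the values
# quoted in the post (the file itself is not sorted by weight).
SAMPLE_SORTED = """\
www.somesite.com:6.6
www.anothersite.com:4.02439024390244
www.target.com: 298.62
sub1.target.com: 165
target.wordpress.com: 165
tools.emailgarage.com: 75
www.mapsonline.be: 75
"""


def parse_weights(text: str) -> List[Tuple[str, float]]:
    """Parse 'host:weight' lines and return them sorted by weight, descending.

    The weight is the last ':'-separated field; malformed lines are skipped.
    """
    rows: List[Tuple[str, float]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        host, weight = line.rsplit(":", 1)
        try:
            rows.append((host.strip(), float(weight)))
        except ValueError:
            continue  # not a number in the weight column; ignore the line
    return sorted(rows, key=lambda row: row[1], reverse=True)


def related_sites(rows: List[Tuple[str, float]], min_ratio: float = 0.2
                  ) -> List[Tuple[str, float]]:
    """Keep the top of the ranking until a weight drops below min_ratio of
    the previous one: that drop is the 'rate of decay' the post looks for.
    """
    if not rows:
        return []
    kept = [rows[0]]
    for prev, cur in zip(rows, rows[1:]):
        if prev[1] > 0 and cur[1] / prev[1] < min_ratio:
            break
        kept.append(cur)
    return kept


def organization_of(host: str) -> str:
    """Heuristic (assumption): the last two DNS labels name the organization.
    Good enough for .com/.be style names; two-level TLDs such as .co.uk break it.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def external_organizations(rows: List[Tuple[str, float]], target_domain: str
                           ) -> List[str]:
    """Distinct organizations among the kept hosts, excluding the target itself."""
    seen: List[str] = []
    for host, _ in rows:
        org = organization_of(host)
        if org != target_domain and org not in seen:
            seen.append(org)
    return seen


if __name__ == "__main__":
    ranked = parse_weights(SAMPLE_SORTED)
    kept = related_sites(ranked)
    for host, weight in kept:
        print(f"{host}: {weight}")
    print("related organizations:", external_organizations(kept, "target.com"))
```

Ties keep their file order because `sorted` is stable, and lowering `min_ratio` widens the set of sites you treat as related; with the post's numbers the cut falls between 75 and 6.6, leaving the same three external organizations the post names.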

Don't toss away the offline copies you now have of your target's website and of the websites that have a relationship with it, because source code analysis may tell us more about their systems.

Monday, August 31, 2009

Getting to know your target: find a job

Introduction
There are 2 ways of gathering information: passive reconnaissance or active reconnaissance. Recon can be done online, but there is no reason it can't be done offline.

During passive recon you go after the information that is already out there. It is either out there intentionally or it leaked. You do not engage in any contact with the other party. You try to discover information about the organization, the employees, the third parties, the systems, naming conventions, ... anything you can lay your hands on.

The active form of information gathering is the part where you engage in a limited form of contact. Nothing intrusive, but just enough to get a better view of the other party.

I don't know who you are, or whether the knowledge in this article can get you in trouble with the law, but I suggest you only try these techniques on your own infrastructure or on one for which you have the necessary (written) permission.

The idea behind these articles is to get feedback, so give me your side of the story. If you think I am wrong, tell me, and if you agree or want to add something, let me know too.

Relations
Organizations do not exist on their own. In the real world you have suppliers, customers, users, ... you get the idea. One of the ways to reveal this is simply to visit the website of your target and look for company info.

To find an example I went to the website of one of the large ISPs in Belgium and found this:
- The members of the different boards: names and functions
- They have a subsidiary that is a hosting company
- Addresses of the different company locations
- Their logos and what they are used for
- Customer service and communication department info
- Phone numbers
- The use of webeventservices.com for communication
- The email address of the VP Corporate Counsel is firstname.lastname@staff.companyname.be
- The list of the different analysts at all major financial institutions that follow the company and, conveniently, their email addresses
- Subdomains
- Department names
- Jobs, and these contain information about the systems they use

They use:
Cognos (7, Series 8, Powerplay, BCM), BO, SPSS, SAS, MS Outlook, MS Office, Salesforce.com (CRM), IBM Ascential Datastage, Oracle databases, Java, J2EE, MS Sharepoint 2007, Windows 2000 Server & Advanced Server, Windows 2000 Professional, Windows 2003 Server, Windows Vista, VMWare, Juniper & Alcatel backbone routers, Linux, Solaris, AIX, DNS, DHCP, POP3, SMTP, HTTP, LDAP, IBM & Sun application servers (Java), ...

This information was gathered just by looking around on their website. The next step I take is to look on job sites for anything I can find about that company. For this example I used one of the most popular job sites in Belgium, vacature.com, and it returned 12 job openings. On another job site, monster.be, I found other information, such as which interim offices (temp agencies) they use.

To manage all the information I gather I use mind-mapping software. Since I like open source I looked for a good open-source one, and personally I like FreeMind.
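Seen from the other side, the same job-site review is something an organization can run on its own postings before they go public: which products, and above all which versions, does the text give away? The following is an added example, not tooling from this post or from FreeMind. The job-ad snippets are constructed, the product watch list, the version pattern and the FreeMind .mm layout (nested `node` elements under a `map` element with a `version` attribute) are assumptions of the example, and the output is meant to be opened in the mind-mapping tool mentioned above.

```python
"""Review what job postings disclose about an organization's systems and
write the findings as a FreeMind mind map.

Added example for the post, not code from the post or from FreeMind.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed job-ad snippets (not real postings).
JOB_ADS: Dict[str, str] = {
    "BI analyst": "Experience with Cognos 8, Business Objects and SAS. "
                  "Reports are published on MS Sharepoint 2007.",
    "System engineer": "You maintain Windows 2000 Server and Windows 2003 Server "
                       "hosts, Solaris and AIX boxes, VMWare and Oracle databases.",
    "Network engineer": "Juniper and Alcatel backbone routers; DNS, DHCP and LDAP services.",
}

# Watch list (assumption): product name -> category. Matching is case-insensitive.
PRODUCTS: Dict[str, str] = {
    "Cognos": "business intelligence", "Business Objects": "business intelligence",
    "SAS": "business intelligence", "MS Sharepoint": "collaboration",
    "Windows 2000 Server": "operating system", "Windows 2003 Server": "operating system",
    "Solaris": "operating system", "AIX": "operating system",
    "VMWare": "virtualisation", "Oracle": "database",
    "Juniper": "network", "Alcatel": "network",
    "DNS": "service", "DHCP": "service", "LDAP": "service",
}

# Optional version token directly after the product name, e.g. "Cognos 8",
# "Sharepoint 2007" or "Oracle 10.2"; trailing punctuation is not captured.
VERSION = r"(?:\s+(\d+(?:\.\d+)*))?"


def extract_disclosures(ads: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {category: {product: [versions seen]}} for every watch-list hit."""
    found: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for text in ads.values():
        for product, category in PRODUCTS.items():
            pattern = r"\b" + re.escape(product) + VERSION + r"\b"
            for match in re.finditer(pattern, text, re.IGNORECASE):
                versions = found[category][product]  # registers the product even without a version
                if match.group(1):
                    versions.add(match.group(1))
    return {cat: {prod: sorted(vers) for prod, vers in prods.items()}
            for cat, prods in found.items()}


def version_disclosures(found: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Products disclosed with an explicit version, or whose name carries a
    release year: these pin down exact software generations and merit review first.
    """
    hits: List[str] = []
    for prods in found.values():
        for product, versions in prods.items():
            if versions:
                hits.extend(f"{product} {v}" for v in versions)
            elif re.search(r"\d", product):
                hits.append(product)
    return sorted(hits)


def to_freemind(org: str, found: Dict[str, Dict[str, List[str]]]) -> str:
    """Serialise as a FreeMind .mm map: org -> category -> product -> version.
    The map header is an assumption based on files written by FreeMind 1.x.
    """
    root = ET.Element("map", version="1.0.1")
    top = ET.SubElement(root, "node", TEXT=org)
    for category, prods in sorted(found.items()):
        cat_node = ET.SubElement(top, "node", TEXT=category)
        for product, versions in sorted(prods.items()):
            prod_node = ET.SubElement(cat_node, "node", TEXT=product)
            for version in versions:
                ET.SubElement(prod_node, "node", TEXT=version)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    findings = extract_disclosures(JOB_ADS)
    print("version-specific disclosures:", version_disclosures(findings))
    with open("disclosures.mm", "w", encoding="utf-8") as fh:
        fh.write(to_freemind("Example ISP", findings))
```

The watch list is deliberately small; in practice you would seed it with the products your own infrastructure runs, and the versioned hits are the ones worth taking out of a posting before it is published.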

The next post will be about BiLE from SensePost, a nice tool suite to get more info about relations between websites.

Monday, August 17, 2009

HAR2009

I've been to HAR2009 and it was the first security conference I've ever been to. It was great: it was on a camping site and there were 2000 tickets sold. I met a lot of interesting people and went to quite a few cool presentations. Not all topics were technical infosec topics, but that was okay. The next conference will be BruCon and I'm looking forward to it.

If you're in the neighbourhood of Brussels and want to meet nice people at a hackerspace, make sure to drop by Hackerspace Brussels (HSB). For those who don't know what a hackerspace is, just come. The people you'll meet are not the ones who'll break into your bank.

Sunday, May 10, 2009

My struggle with VMWare server

Like so many of my fellow IT colleagues I run VMWare Server on my laptop to do tests. I had my laptop scratched by our internal IT a couple of days ago, and when I installed the latest VMWare Server (2.0.1) it worked fine, and then suddenly I got this.

The first thing I got was this error message:
Failed to Connect
The connection was refused when attempting to contact :8333.
Though the site seems valid, the browser was unable to establish a connection.
* Could the site be temporarily unavailable? Try again later.
* Are you unable to browse other sites? Check the computer's network connection.
* Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

When I had a look at the services I noticed that the VMWare Host Agent service was down. I tried to start it, but no luck: it stayed down. The Windows System Event log mentioned "The VMware Host Agent service terminated with service-specific error 4294967295 (0xFFFFFFFF)." I googled it and found in the VMware communities that my datastores.xml file was corrupted.

The way to repair this is to go to "C:\Documents and Settings\All Users\Application Data\VMware\VMware Server\hostd", rename the old datastores.xml, make a copy of datastores.xml.default and rename that copy to datastores.xml. I started the service and it started without any problem.

But I was still not at the end of the tunnel. The error message in my browser was still the same. The next thing I tried was to replace the computer name with localhost. I got a message telling me the SSL certificate was not installed. So I installed it and it loaded the login interface :).

The situation now is that I can open it through localhost but not via the computer name nor through the IP address. Interestingly enough, I tried the loopback IP address 127.0.0.1 and again got the message that the certificate was not installed. I added my hostname to the hosts file, with no success. So I wonder how the name resolution is done; I thought the first place where Windows looks to resolve a name is the hosts file. I talked to a VMWare specialist at my job, and although he is only familiar with ESX he thinks I should look at the Tomcat implementation. If anybody has a clue about this, please contact me.

On my linux box at home I run the same VMWare server and there I did not have the same problem since I made the shortcut in my browser myself and pointed it to localhost :). I guess there are just some bugs in it.

Tuesday, May 5, 2009

Quick format or regular format?

Yesterday I worked side by side with a colleague specialized in storage (SAN), and when he presented the disks to the Windows operating system I mounted the drives and told Windows to start formatting.

After a while my colleague asked me how far the formatting was, and when I said X %, he told me I should have chosen quick format to go quicker. Always willing to learn something, I asked him what the actual difference is. The guy said that when you do a quick format, you actually don't do a format: the formatting will be done when you need the space. Quick format only defines the beginning and the end of the partition, whereas the full format does a real format and goes through every sector on the partition. By doing this you gain I/O performance, my storage specialist said. This is interesting, since one of the classic bottlenecks is disk I/O.

So, OK, it takes time to format 300GB, but if I gain some I/O performance, and in the best case I can do it at night while sleeping, I think it is worth considering.