Friday, October 17, 2008

Using monitor session to span ports and make an aggregation tap on a Cisco 2950

Like most people I don't have the funds to purchase a $1000 port aggregator for my IDS to sniff traffic, so instead I just use a Cisco 2950 switch:
!
interface FastEthernet0/1
switchport access vlan 100
duplex full
!
interface FastEthernet0/2
switchport access vlan 100
duplex full
!
interface FastEthernet0/3
!
So the first two ports are where the traffic comes in and goes back out to the destination device; the third goes to my network sensor. Next, let's set up the SPAN session.
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/3
Note that a session with Fa0/1 as its only source copies both directions by default, so everything passing between Fa0/1 and Fa0/2 reaches the sensor exactly once, which is the aggregation-tap behaviour wanted here. SPAN also accepts several source ports or a whole VLAN as the source; if you add Fa0/2 as a second source, specify 'rx' on both ports, otherwise every frame crossing the switch is copied to the sensor twice. Also keep in mind that two full-duplex 100 Mb/s sources can carry more than a single 100 Mb/s destination port can deliver, so expect drops on the sensor under load.
posted by Stephen Reese at 0 Comments

Thursday, October 09, 2008

Using metasploit to pwn MS06-067

In a graduate course I'm taking right now our professor wanted us to tool around with the Metasploit project. This tool makes exploiting vulnerabilities that it has signatures for a joke. After the client takes the bait I ran 'ipconfig' just to ensure I had remote connectivity.

Here is a shell in which I ran 'ipconfig' just to confirm the operation. Simple as that.


Friday, October 03, 2008

Erase slack space on Microsoft Vista

A lot of information can linger in a drive's unallocated space: deleted files, old temporary files and the remains of anything once written there. If you want to get rid of these artifacts, run the usual tools to clean up the system ('Disk Cleanup', 'Defrag', etc.) and then run the following command. Be aware of what it covers: 'cipher /w' fills the volume's free (deallocated) space with three passes (0x00, 0xFF, random), so it does not reach the slack at the end of clusters still allocated to live files, nor the contents of existing files.

C:\Users\Crypto>cipher.exe /w:C:\
To remove as much data as possible, please close all other applications while
running CIPHER /W.
Writing 0x00
................................................................................
...................
Writing 0xFF
................................................................................
...................
Writing Random Numbers
................................................................................
...................

Monday, September 08, 2008

Gentoo Linux auto update script

A script that I had been using for some time to update my Gentoo servers needed a few additions, in my opinion. I spoke to the original developer of the script and he allowed me to make additions to it and post them here on Google's code hosting server. The following is a basic description of the script, so if you're looking for something to update your Gentoo boxes, cruise over and pick up a copy.

"Shell script for Gentoo Linux to perform nightly system administration tasks from a cron job. This is reminiscent of OpenBSD's /etc/daily, weekly, monthly scripts. Includes auto updating for Nikto, Snort sigs, and Nessus plugins. Also includes MySQL dump support, file system backups, and remote backups via SSH/rsync."
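
To make that description concrete, here is an added example of the shape such a nightly script can take: an atomic lock so overlapping cron runs cannot collide, one log line per task, failures collected rather than fatal so a broken signature update does not skip the backups, and an off-site rsync over SSH. It is illustrative code written for this page, not the script from the author's Google Code project; the paths, the backup host and the exact update command lines (emerge, nikto -update, oinkmaster, nessus-update-plugins) are assumptions.

```shell
#!/bin/sh
# nightly.sh: added illustration of a cron-driven nightly maintenance script.
# Not the author's script; every path, host name and tool command line below
# is an assumption for the example.

set -u

LOCKDIR="${LOCKDIR:-/var/run/nightly.lock}"          # assumed
LOGFILE="${LOGFILE:-/var/log/nightly.log}"           # assumed
BACKUP_DIR="${BACKUP_DIR:-/var/backups/nightly}"     # assumed
REMOTE="${REMOTE:-backup@backup.example.org:/srv/backups/$(uname -n)}"  # assumed
FAILED=""

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE"
}

# mkdir either creates the directory or fails, atomically, so two cron
# invocations cannot both believe they hold the lock.
acquire_lock() {
    if mkdir "$LOCKDIR" 2>/dev/null; then
        trap 'rmdir "$LOCKDIR"' EXIT
        return 0
    fi
    log "another run holds $LOCKDIR; exiting"
    return 1
}

# run_task NAME CMD [ARG...]: run one task with its output appended to the
# log, record the result, and remember the name of anything that failed.
run_task() {
    name=$1; shift
    "$@" >>"$LOGFILE" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log "ok   $name"
    else
        log "FAIL $name (exit $rc)"
        FAILED="$FAILED $name"
    fi
    return "$rc"
}

# A pipeline reports gzip's exit status, not mysqldump's, so dump to a file
# first and compress only a dump that actually completed.
dump_mysql() {
    out="$BACKUP_DIR/mysql-$1.sql"
    mysqldump --all-databases --single-transaction >"$out" || { rm -f "$out"; return 1; }
    gzip -f "$out"
}

main() {
    acquire_lock || return 1
    log "nightly run started"
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d)

    # Package, scanner and signature updates (all assumed command lines).
    run_task portage-sync   emerge --sync
    run_task world-update   emerge -uDN world
    run_task nikto-update   nikto -update
    run_task snort-rules    oinkmaster -o /etc/snort/rules
    run_task nessus-plugins nessus-update-plugins

    # Local dumps and archives.
    run_task mysql-dump     dump_mysql "$stamp"
    run_task etc-archive    tar -czf "$BACKUP_DIR/etc-$stamp.tar.gz" /etc

    # Off-site copy over SSH; pair it with a key on the far end that is
    # restricted to rsync so a compromised server can only push backups.
    run_task remote-sync    rsync -az -e ssh "$BACKUP_DIR/" "$REMOTE/"

    if [ -n "$FAILED" ]; then
        log "nightly run finished with failures:$FAILED"
        return 1
    fi
    log "nightly run finished cleanly"
}

# Assumed cron entry:  15 3 * * * /usr/local/sbin/nightly.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Call it with the single argument 'run' from cron; without it the file only defines its functions. Because run_task returns the task's own exit status, individual steps can still be chained with '||' where one really does depend on another, while main's exit status tells cron (and therefore mail) whether anything failed.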

Tuesday, August 26, 2008

Passed the GIAC Certified Forensic Analyst (GCFA)

The GCFA was not nearly as painful a test as the GCIA was. This was largely due to the forensic analysis skills from the master's program in Digital Forensics at UCF that I am currently wrapping up. Next on the agenda is Cisco's CCSP ;-).

Tuesday, August 05, 2008

Mounting drives/volumes read-only in Microsoft Windows (Vista)

I needed to analyze a drive for a company that suspects an ex-employee may have taken corporate material (a training exercise, or else I would use a hardware write blocker and follow a chain of custody). I don't have a write blocker, and rather than fire up a copy of Helix or a similar tool on my spare machine (which is painfully slow) I would rather perform the analysis on my workstation. Most of this information was derived from this post.

The first step is to disable automatic mounting of new volumes in Microsoft Vista: run 'cmd' in an administrative user context and execute 'mountvol /N'. This only stops Windows from mounting, and assigning drive letters to, new basic volumes as they are attached; it does not make anything read-only by itself, which is what the diskpart step further down is for.

Here's how to list the disks and volumes from within diskpart:

DISKPART> list disk
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B
Disk 1 Online 932 GB 0 B *
Disk 2 Online 932 GB 0 B *
Disk 3 No Media 0 B 0 B
Disk 4 Online 3911 MB 0 B

DISKPART> list vol
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 E DVD-ROM 0 B No Media
Volume 1 H BLACK_DAHLI UDF DVD-ROM 3214 MB Healthy
Volume 2 F U3 System CDFS CD-ROM 8 MB Healthy
Volume 3 C NTFS Partition 233 GB Healthy System
Volume 4 D data NTFS Partition 931 GB Healthy
Volume 5 Partition 931 GB Healthy
Volume 6 G Removable 0 B No Media
Volume 7 I FAT32 Removable 3911 MB Healthy

So I decided to try a spare drive in the system, and I found that when attempting to mount a TrueCrypt volume I got an error telling me that auto-mount is not supported and I would have to re-enable it.


Continuing on my quest, I was able to mount a spare hard drive volume read-only; note that you may also set the whole disk to read-only rather than a single volume.

DISKPART> select volume 5

Volume 5 is the selected volume.

DISKPART> att vol set readonly

Volume attributes set successfully.

DISKPART> detail vol

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
* Disk 2 Online 932 GB 0 B *

Read-only : Yes
Hidden : No
No Default Drive Letter: Yes
Shadow Copy : No
Dismounted : Yes
BitLocker Encrypted : No
When the analysis is done, the following clears the read-only attribute again.

DISKPART> att vol clear readonly
Volume attributes cleared successfully.

Don't forget that you may want to enable automatic mounting again afterwards. 'mountvol /N' is what turned it off; 'mountvol /E' turns it back on:

C:\Windows\system32>mountvol /E

A second and much easier alternative for USB devices is ThumbScrew, a small application that changes a registry entry (the USB write-protect policy). Since it only alters a registry value there is still no guarantee that Windows won't access the drive. My plan is to use both methods: first set the registry flag, then use diskpart to set the read-only attribute.

If you have any ideas about mounting drives read-only in a Windows environment, please feel free to contact me and tell me about them.

Tuesday, July 29, 2008

Converting a Microsoft OS to a VMware guest

A friend had two notebooks running Microsoft XP Home and Professional editions; the notebooks were no longer functional but the hard drives were in good shape, so I recommended running them as VM guests. I knew I could use VMware's freely available Converter tool, which supports converting live hosts as well as images created by several imaging programs. I was disappointed to find that VMware Converter would not convert Ghost Enterprise (*.gho) images, but it would convert images from the latest version, Symantec Norton Ghost 14.0, so I created images of the drives with that.

After the images were created I fired up VMware Converter and let it perform its magic.

This operation performed flawlessly. I ran both notebook images with two hitches. First, I had to reactivate both XP installations, because running the guests inside VMware Workstation caused the operating system to assume it was running on different hardware, but this wasn't a big deal. The second problem was trying to run the guest operating systems in VMware's free Server product: I received an error message that the guests were created with more capabilities than VMware Server could handle, so my friend decided to purchase the Workstation product in order to run them.