extreme makeover: network edition

recently i spoke at a conference about a network upgrade i did at a previous job.

the upgrade was a very difficult, but rewarding process, and has become one of my favorite topics to speak about.

topics i covered included the basics/easy stuff:

  • anti-virus
  • content filtering
  • password policies
  • firewalls

all the way to the not so common or more complex:

  • egress firewall rules
  • patching (system & OS)
  • running with user rights
  • software restriction policies/GPO’s

here is the prezi from the talk:

read more

vlan abuse

this is a quick post about vlan hacking abuse.

specifically, this post will cover how to abuse cisco switches and the DTP (dynamic trunking protocol).

why is this important? typically, most environments segment out servers, workstations, management, etc, into different vlans. if they (mis)configure the switch, you could potentially jump onto the management subnet (where things are usually much less protected) from a user subnet.

in a nutshell, we are taking advantage of a misconfigured switch, not really doing any “hacking”.

read more

networkminer on backtrack 5 r1

i have recently been working through some network forensic challenges from a few locations (http://forensicscontest.com and http://ismellpackets.com/category/pcap/) and wanted to do some network carving (parsing a pcap and getting the files like .exe’s, .jpg’s, etc). to answer some of the questions i wanted to load networkminer on my backtrack 5 r1 box.

fortunately there was a tutorial on how to get networkminer up on linux, but it didn’t fix everything for the newest version of backtrack (specifically, the fonts were off and the menu didn’t show up correctly).

to get networkminer 1.0 up and running on my backtrack 5 r1 VM here is what i did (summary of commands at bottom):

  1. downloaded winetricks and installed the .NET framework, some core fonts, and the GDI+ package
    cd /bin
    wget http://kegel.com/wine/winetricks
    chmod +x winetricks
    ./winetricks corefonts dotnet20 gdiplus

read more

i wasted 2 hours of my life getting this working on a fresh install of unbuntu 10.10. turns out that the default version of rsyslog that you get when you ‘apt-get install rsyslog’ is version 4.x, which has a bug that prevents the logging from being directed correctly to /var/log/iptables.log. i had to remove rsyslog (apt-get remove rsyslog), then go get the newest version of rsyslog (5.8) from the site and compile from source. after compiling and pulling in the new conf file (its a little different in rsyslog 5.x than 4.x), things worked as expected. ye be warned.

recently i wanted to see what packets were getting passed or blocked on a linux server running iptables. i really wanted to see a log that showed every inbound and outbound packet, and both dropped and allowed packets.

you can see all the packets in tcpdump/wireshark/etc, but it doesn’t show you that iptables dropped the connection (you just see there is no syn ack response). so my goal was to create a iptables ruleset that logged every packet to a separate file, distinguished what was allowed and what was dropped, and to have the logs rotating automatically. here is how i did it:

read more

high assurance platform

earlier this month i presented at my local infragard chapter.

the title of the presentation was “defense in depth: raising the bar”, and it focused on the NSA’s secure computing iniative, high assurance platform (HAP).

the goal of the presentation was more about talking points, discussion, and ideas about what security will look like tomorrow and where we, as the security community, should be leading our organizations. point blank i would say that HAP is not for everyone, but there are certain aspects that i think we can all learn from.

also, one point that was brought out that i thought was interesting was “this HAP stuff is way too much, who could really use this”? i certainly imagine that comment was heard when defense in depth began to be pushed by the NSA 10 years ago (see “we already have a firewall, why would we need to add X product?”)

it may or may not be the way of the future, but it was an interesting infragard discussion!

here is the presentation:

and here is where i got my information:


also, this is a video about HAP in action. its a bit drawn out, but it does lay out the situation nicely (albeit in a *very* vanilla fashion):


read more