EH-Net
May 25, 2013, 06:15:23 AM
Show Posts

1006
Ethical Hacking Discussions and Related Certifications / Other / Re: Drive Imaging
on: August 15, 2008, 03:52:19 PM
Working in forensics, I can tell you that there are few things out there faster than dd/dcfldd. FTK Imager is a great tool (although Windows only) that also supports compression. Linen is another tool from Guidance Software. Again, it's slower than dd. There are tons of front ends to dd, including Adepto and Air. We use a Helix boot CD for imaging with dd.

1007
Ethical Hacking Discussions and Related Certifications / Hardware / Re: Reason 3.0 Serial Number Trouble
on: August 15, 2008, 03:46:27 PM
One thing that works for me is to send a few messages describing the incompetence of tech support to the company's executives. They typically don't like to be bothered with such email, but can't really ignore them. I usually Google private company contact information and use EDGAR Online search for public companies' records. Propellerhead is a private company. I believe the executives are as follows:
CEO - Ernst Nathorst-Böös
Marketing Director - Tage Widsell
Public Relations, US - Marsha Vdovin
Marsha has a public website with her private email and phone number listed on it. You can Google it. Tage's email address is tage@propellerheads.se (from a Google search). You can extrapolate the others from this. If nothing else works, you can try variations of first and last names to determine what the correct email address format is. Once you do, send your message to them. Good luck...

1008
Ethical Hacking Discussions and Related Certifications / Other / Re: Vista Rant
on: August 02, 2008, 11:47:56 PM
Yep, Vista officially sucks. Network performance is abysmal, even with all those supposed performance patches. I am also not a fan of the Aero interface. It's cool for the first few times you use it. At some point, you just want to click and get where you are going without having to wait for the window to zoom in. I found myself turning everything that Vista introduced off. Then I put XP back. Anyone else think Office 2007 sucks as well?

1010
Ethical Hacking Discussions and Related Certifications / Forensics / Re: Dismantling a Fraudulent Website - HELP Rewarded!
on: July 25, 2008, 06:59:12 AM
I agree with RR. I don't know where you live, but in the United States, it would likely be possible to go after these guys in civil court after the feds get done with them.
If you do go after them in civil court, I would speak with an attorney as soon as possible. In the United States, it is recommended to have a 3rd party forensics investigator perform the investigation. When you are dealing with forensics, documentation, evidence preservation and chain, and repeatability are just as important as the investigation itself. A forensic investigator with a good relationship with the feds may also be able to get a copy of their evidence.

1011
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: ARP Poisoning, to do or not to do?
on: July 24, 2008, 09:11:30 AM
RR,
Thanks. If I am doing it for defensive monitoring, I definitely choose the port mirroring option. Most newer switches have the ability to copy all traffic to a monitoring port. I don't know if I can do it as part of a pen test though. An attacker wouldn't ask the client to turn on port monitoring (unless through social engineering). I suppose one thing I can attempt to do is to gain access to the switch config, perhaps through SNMP and configure a monitor port on my own.
Thanks again,
Ketchup

1012
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / ARP Poisoning, to do or not to do?
on: July 24, 2008, 06:04:07 AM
What do you think about ARP poisoning as part of a penetration test? Do you make it part of the procedures? Or do you avoid it?
It is very easy to do, but can cause some havoc on an already overtaxed network. One thought is that an attacker won't hesitate to do it, so you should as well. However, we also have to be concerned about the sensitive 24/7 systems they may have running. I have seen instances where after a reboot, switches reverted back to older configurations. (I tend to think the config wasn't saved to flash, but that's me.)
Is there a better way? Can you effectively sniff traffic from a switched network without ARP poisoning?
Ketchup

1014
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit and pivoting
on: July 12, 2008, 09:25:21 PM
Chris, since I don't consider myself a hacker yet, I will defer to you on the Metasploit subject. I have much to learn as a young gwasshoppa. Still, it seems that Metasploit is a bit of a large footprint to move around with you. If you develop an exploit in Metasploit, can you use it outside of the framework? Also, with so much 0day stuff out there, coupled with great rootkits, do experienced hackers really need tools like Metasploit? I am primarily speaking of black hat hackers. Remember, they are not after penetrating a machine from all different angles. Again, not arguing, just curious what some of the more experienced folks think on this subject.

1015
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit and pivoting
on: July 12, 2008, 01:19:13 PM
I definitely see what Kev is talking about. You can upload a small footprint of tools that you normally use to the exploited machine, like cryptcat, rootkits, a small scanner, and a couple of well written exploit scripts. If you had sufficient time, this method definitely works and is probably the most stealthy thing you can do, provided you know what you are doing.
There are issues with this in today's world though. If you are dealing with Windows boxes, then you have to port your Python, Perl, or C code over to something Windows can interpret on the fly. I am not an expert in this, but porting Perl code to something like VBScript or another shell seems like a difficult task.
Another issue is that many of us are doing this as part of a penetration test, we are not simply hacking. As part of a pen test, we have to find the most number of vulnerabilities that we possibly can, in the smallest amount of time. No one is going to pay me to hack a network for a few months manually, unfortunately. It comes down to time and money.
At the same time, I do have to agree with Kev to some degree. You at least have to be able to use the manual methods before you spend the money on an expensive tool you don't fully understand. At the same time, the advanced hackers out there won't use a tool like Core. They probably will not use Metasploit either. They also have access to tons of 0day code that most of us are unaware of. A pen test will not simulate a determined hacker in my opinion. It more simulates a determined script kiddie.
Those are just my two cents.
Ketchup

1018
Resources / Tools / Re: Tenable Updates Plugin Subscription Model for Nessus
on: July 10, 2008, 04:59:27 PM
I am sticking with Nessus for a while. I don't think GFI LanGuard is a legit product replacement for Nessus. I will also be watching OpenVAS, like Chris. Nessus is still free for "home" users for now. Its accuracy has picked up in the last couple of releases and it seems dependable.
At the same time, I see no reason to switch, even if there is a $1200 fee. If you look at SAINT, Retina, Qualys, etc., they are about the same on the accuracy scale. I don't think that they have anything on Nessus. I may just spend the $1200 a year if OpenVAS doesn't pan out.
Anyone think that CANVAS is worth the investment? Or is Metasploit plenty?
Ketchup

1019
Resources / Mass Media / Re: Hacking and Technology Movies
on: July 09, 2008, 07:05:57 AM
Can't wait til war games 2!
What about these?
Real Genius (there is some hacking there)
Office Space - I believe that's hacking on a Mac there...
Lawnmower Man
Also, all the Ocean's XX movies, and the Italian Job have some sort of hacking happening. Some of it is cool.
My favorite is the stuff they do in shows like CSI where they connect a USB device and download the entire hard drive in about 15 seconds. I just love watching the progress bar go. If you have ever imaged a hard drive, that's soooo funny.
Ketchup

1020
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit and pivoting
on: July 05, 2008, 11:15:25 AM
Chris,
Thank you! I read your blog entries on using pivoting with Metasploit. If I understood correctly, you can use meterpreter to basically route through a particular session. This seems like 50% of what Core does for $20k. The trick is going to be identifying a vulnerability on the remote host. This could be tough if your pivot host is your only point of entry.
The pass the hash and token stealing options are also very cool and new to me. Chances are if you exploit a machine that's on the domain, there is going to be a domain user on the box. Makes privs escalation easier.
Ketchup