Thanks everyone!  I am so excited about this!  Don, I can't thank you enough for this.  rvs, you are awesome!  I can't thank you enough either.   I hope that someday I can return the favor.   Dynamik and sil, it's too bad you couldn't go.  You both deserve it.  How awesome is this community? 

Very cool and well deserved!

Isn't one of the requirements for CTP to sever all ties with the outside world? 

The same IP-based attacks should work. Many iSCSI implementations rely on IP addresses restrictions, CHAP authentication, etc.  If you can get to the storage network, you should be able to use traditional methods to determine what you need to do to access a LUN or two.   

As I understand, you are setting the 4 byte buffer location to a specific address in memory (0x08048415).  You are typecasting the address of the 4 byte buffer as a long pointer and dereferencing it, so that you can set its value.  At least, that's the way I understand it.

Which page of the Shellcoders Handbook are you on? 

You are probably running into some stack randomization and protection with the newer gcc versions.  Try compiling with the -fno-stack-protector option set. 

WARNING:  Use at your own risk.  If you screw up the registry, you will break your computer and will have to reinstall.  This is not recommended.


There are a few files that make up the Windows registry.   The following are located in %systemroot%\system32\config:

SYSTEM - HKEY_LOCAL_MACHINE \SYSTEM
sam - HKEY_LOCAL_MACHINE \SAM
security - HKEY_LOCAL_MACHINE \SECURITY
SOFTWARE - HKEY_LOCAL_MACHINE \SOFTWARE
default - HKEY_USERS.DEFAULT

The following is located under each user profile and maps to the HKEY_CURRENT_USER when the user is logged, and the HKEY_USERS.<SID>

ntuser.dat

If you want to view and edit these files from another machine, you must copy them offline.   Windows will lock these files at all times.   You can them load them into the Regedit command as follows:

1.  Make a temporary folder underneath your profile (HKEY_CURRENT_USER).   For example, you can call it, "DEADMACHINE_SOFTWARE".   

2.  Select this folder.  This is important, otherwise you will override data.

3.  File / Load Hive...

While China doesn't officially support hacking, they do little to discourage it.   There are all kinds of rumors about government funded hacker groups circling around.  Hackers are equivalent to rock stars there, from what I understand.  It's certainly different from how hacking is perceived in the US. 

Still, 1,000 is an extremely low number.

This is definitely a good methodology, sil.   I use something similar.  I am a big fan of using sentences I can easily remember.  To me, remembering a word vs remember a sentence requires about the same amount of effort.  Of course, I do add some complexity to the sentences I use. 

Still, I find myself locking out my accounts quite a bit.  While my brain remembers the 20 character password, my fingers don't always cooperate. 

Again, great write up.

This is pretty impressive.  Interesting, the method is not dissimilar from a blind SQLi attack.

OSSIM has a nice web-based management console.   It will let you management everything from a single point.  You will still need to tune Snort.  I have yet to install any IDS and have it be useful out of the box.  In most cases, you will just turn on and turn off rules packages that make sense for your environment.   OSSIM should make this easier for you.

I don't have experience with either of the honeypot packages.

I have used both Snort and Bro-IDS.   If you are going to use Bro-IDS, use BSD as the OS.   The documentation for Bro is quite bad for anything other than BSD.  I had quite a few issues getting it up and running.  I couldn't get any sort database logging going at all.  It performed reasonably well, but I found it detected much less than Snort.  It was also inconsistent.  I put it through quite a few tests.   In general, i wouldn't recommend this product from personal experience.

Snort, is much easier to configure.  I had it running on Redhat and Ubuntu boxes without any issues.  Most distributions even include it as package.  Database integration was also easy to configure and well documented.  The most difficult part is learning the exception, processor, and rules syntax.  If you get stuck, pick up the "Snort IDS and IPS Toolkit" book.  Also, make sure that you install a front-end for Snort, otherwise you will end up managing it through config files only.   Snort, has much better documentation and much more support in the community.   I would go with Snort.

Finally, you can look into the OSSIM package, which includes Snort, Arpwatch, Nessus, and a bunch of other tools.  It's a good security management console.

http://www.alienvault.com/community.php?section=Home

I can't stand this buzzword, "cloud computing."   That's gotta be up there with some of the worst ones to come out of some CIO magazine.  I think that the same security concerns that have to do with any hosted services apply here.

I will agree with the above as well.   I took a bunch of programming languages in school.   I left without any real understanding of programming.  I didn't really grock it until I starting programming.  At some point, you go through a eureka moment, and then it makes sense.

To quote South Park:

Interesting.   I wonder if this is a one off thing, or there are going to be others "defending" Tavis Ormandy.   I don't think that we have the complete story on the vulnerability released by Tavis.  I gotta think that he didn't set out to release his code 5 days after contacting Microsoft, but freaked out when they couldn't agree on a time line 

One thing is clear, while there is cloud surrounding the Tavis Ormandy situation and some people view his code release as irresponsible, this incident certainly tops that on the list of asinine things to do.