EH-Net
  Show Posts
1  Columns / Gates / Re: [Article]-Tutorial: Rainbow Tables and RainbowCrack on: November 07, 2006, 09:59:05 PM
Way to go Chris, this just made the front page of digg.com
2  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Google Code Search on: October 12, 2006, 07:16:20 AM
Using Google Code Search, someone found a copy of the MS-DOS 6.0 source code. Mirrored here:

http://www.nurs.or.jp.nyud.net:8080/~nnn/MS-DOS.6.0.Source.Code.zip
3  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / ad hoc oddness on: October 01, 2006, 01:54:10 PM
A friend and I were playing with ad hoc networking from our laptops at school on Friday and we found something that might be problematic. I'll need to run a few more trials to get a clear understanding of what's going on, but here's a preliminary explanation.

This is the potential attack scenario: first thing I do is trick someone into connecting to my machine ad hoc. I can do this by using the same SSID as a trusted hotspot and hope they pick mine, or if I know the SSID of one of the access points they connect to automatically, like the router at their house etc., I can use that SSID and as long as we're out of range of that router (like at school or a library or something) it will connect to me (this worked with WinXP Home SP2)... he won't have an internet connection, as it's just an ad hoc connection; I'm going to try figuring out how to bridge two interfaces to allow for internet connectivity... but regardless... here's the weird part: let's say he turns off his machine... goes for a walk to the park... has a seat at a picnic table... there are no hotspots in range, he opens up his machine not expecting to have any connectivity... maybe he turns his firewall/antivirus off to play some game or something 'cause he doesn't think he has anything to worry about. What's weird is that WinXP will automatically start broadcasting that ad hoc network from his machine...

I can connect to it, his machine assigns me a 169.254.x.x APIPA IP and I have connectivity to his host!

Sorry if this post is a little mungy, I'm on a bus.
4  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Rootwars! on: September 23, 2006, 07:59:47 AM
Hopefully there will be a few more EH members there this week.

See you all there ;)
5  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Process of checking security of a website on: September 22, 2006, 12:26:10 PM
Not really.

Checking the security of a website could technically be done based on a set of sequential instructions, but you'd either be missing something, or checking way more than is necessary.

Security auditing is a lot of instinct and experience and deep understanding of technologies. Not a checklist.

Once you start learning though, here are some tools that might help you with web app pen testing:

*shameless plug* http://yaisb.blogspot.com/2006/08/new-bookmarklets.html
6  Resources / News from the Outside World / Re: A Wireless Hacking Computer That Can't Be Hacked on: September 20, 2006, 10:51:49 AM
Kev's got it here.

The reason more cards allow faster WEP cracking is based on WEP packet injection. Rather than passively cracking WEP keys by just grabbing whatever the WEP target is sending out, you can actively pressure the target to send out more packets. aircrack can do this, other tools as well. The more cards, the more traffic you can generate.

7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Discovering Services without Portscanning on: September 20, 2006, 10:39:35 AM
I should have indicated 2 things: first, that allowing zone transfers doesn't necessarily indicate bad security (for instance, in the LSO example nothing is being displayed that wouldn't be available normally), and second, that these alternative methods sometimes produce false positives, as negrita indicated; however, they do still give an indication of certain probabilities.
8  Features / Opinions / BUZZ words. on: September 19, 2006, 03:21:10 PM
The fact that a word can be hyped so much that it becomes almost entirely detached from its own concept frightens me. Here's an example. The word FIREWALL! is so detached from firewalling that it's actually causing real problems. I was talking with a friend in class today... He doesn't know LINUX!, but he heard that he could install Smoothwall on an old machine and set it up like a FIREWALL!. The machine he uses is now missing a few crucial Windows updates, but he assumes this to be trivial because he has a LINUX! based FIREWALL! Of course he doesn't know the first thing about keeping his Smoothwall box secure, but he sure likes using it to practice Linux console stuff...
9  Ethical Hacking Discussions and Related Certifications / Malware / Reversing malware on: September 19, 2006, 02:55:12 PM
I don't know if this will be helpful/interesting to anyone, but it's an old malware analysis project I did... Thought I'd put it out there for what it's worth:

http://www.freewebs.com/ryancartner/handcuffs.html
10  Ethical Hacking Discussions and Related Certifications / Forensics / Re: OS Detection from a RAM dump on: September 19, 2006, 02:46:26 PM
Well, to me it's not so much the tool as it is the methodology.

We now have a Perl module that could be integrated into a lot of other tasks. It might be important to know the OS to come to certain conclusions about forensic data; this can now be automated rather than asking the user what OS was used. There are probably many other good reasons.
11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Discovering Services without Portscanning on: September 19, 2006, 02:13:13 PM
Port scanning is obviously the most common approach for determining what service daemons exist on a host, but it isn't the only way. An IDS that detects portscans might be a helpful tool to give an admin a heads-up in SOME scenarios, but depending on a hacker to portscan is like picking low-hanging fruit.

As researchers, we should be aware of all possible avenues for an attacker to accomplish a goal.

So how else might an attacker enumerate which service ports are available on a remote server?

If SNMP is available and the community strings are default/guessable, often this can provide an interface for listing listening ports. This is interesting because we can often retrieve the entire TCP connection table (including all established connections/listening ports) using only SNMP. This could allow an attacker to glean even MORE information than a portscan would if there was a firewall in place.

Another way would be through a zone transfer. Oftentimes DNS names clearly indicate a service. If zone transfers aren't disallowed to the attacker, this could be a useful feature:

Code:
S:\>nslookup
Default Server: ns
Address:  10.81.1.12

> set type=ns
> learnsecurityonline.com
Server:  ns
Address:  10.81.1.12

Non-authoritative answer:
learnsecurityonline.com nameserver = ns10.dynamichosting.biz
learnsecurityonline.com nameserver = ns11.dynamichosting.biz

ns10.dynamichosting.biz internet address = 216.83.6.33
ns11.dynamichosting.biz internet address = 216.83.31.25
> server ns10.dynamichosting.biz
Default Server:  ns10.dynamichosting.biz
Address:  216.83.6.33

> set type=any
> ls -d learnsecurityonline.com
[ns10.dynamichosting.biz]
...
 learnsecurityonline.com.       A      216.83.24.173
 ftp                            A      216.83.24.173
 mail                           A      216.83.24.173
 webmail                        A      216.83.24.173
 www                            A      216.83.24.173
...
>

These are only a few. Can anyone else think of uncommon methods for accomplishing common hacker tasks? Portscanning or otherwise?
12  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Initial Sequence Number Calculation on: September 19, 2006, 12:30:18 PM
I'm assuming you're talking about TCP ISNs, and the article you read was by Ankit Fadia?

As far as I can tell from the TCP specification, the ISN doesn't have to be set to 1 at bootstrap time to meet standards, but to answer your question directly, if it IS set to one at bootstrap, then yes, once a machine is restarted the ISN would be 1 again. This is all laid out in RFC 793 (TCP): http://rfc.sunsite.dk/rfc/rfc793.html

For more information on how more secure implementations SHOULD generate/permute ISNs, check out Steven Bellovin's RFC on ISNs: http://rfc.sunsite.dk/rfc/rfc1948.html

Also, for info on how most implementations actually do their ISN generation/permutations (which is poorly for the most part), read Michal Zalewski's research here: http://lcamtuf.coredump.cx/oldtcp/tcpseq.html#abs and here: http://lcamtuf.coredump.cx/newtcp/

-Ryan
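Added example, not from the thread: the two ISN schemes the reply contrasts side by side, a counter that restarts at 1 after boot and an RFC 1948 style generator that adds a per-connection keyed hash F(localhost, localport, remotehost, remoteport, secret) to the 4-microsecond clock M of RFC 793. The secret and clock are injected so the behaviour can be checked deterministically; HMAC-SHA256 stands in for the MD5 that RFC 1948 specified, which is an assumption of this example rather than something the RFC says.

```python
"""Added example (not the post's own code): naive counter ISN versus RFC 1948 style ISN.
Secrets, clocks and connection tuples below are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct
import time

MASK32 = 0xFFFFFFFF

class CounterISN:
    """The scheme the question asks about: starts at 1 after 'boot' and just increments,
    so every host that reboots hands out the same sequence again."""
    def __init__(self):
        self.next = 1

    def isn(self, *_connection):
        value = self.next
        self.next = (self.next + 1) & MASK32
        return value

class Rfc1948ISN:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret) mod 2^32.
    M is the 4-microsecond clock of RFC 793; F is a keyed hash over the connection tuple,
    so each 4-tuple gets its own sequence space offset that depends on a boot-time secret.
    HMAC-SHA256 is used here instead of RFC 1948's MD5 (assumption for this example)."""
    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)  # fresh per boot
        self.clock = clock or (lambda: time.monotonic_ns() // 1000)    # microseconds

    def _m(self):
        return (self.clock() // 4) & MASK32

    def _f(self, lhost, lport, rhost, rport):
        data = f"{lhost}:{lport}>{rhost}:{rport}".encode("ascii")
        digest = hmac.new(self.secret, data, hashlib.sha256).digest()
        return struct.unpack(">I", digest[:4])[0]

    def isn(self, lhost, lport, rhost, rport):
        return (self._m() + self._f(lhost, lport, rhost, rport)) & MASK32

def isns_after_boot(factory, connections):
    """Simulate one boot: build a generator and hand out an ISN per connection tuple."""
    gen = factory()
    return [gen.isn(*conn) for conn in connections]

def sequence_repeats_after_reboot(factory, connections):
    """True when two boots of the same generator produce identical ISNs for identical
    connections, i.e. when the generator's state is not tied to a per-boot secret."""
    return isns_after_boot(factory, connections) == isns_after_boot(factory, connections)

# Constructed connection 4-tuples (local host, local port, remote host, remote port).
CONNECTIONS = [("10.0.0.1", 40000, "10.0.0.2", 80),
               ("10.0.0.1", 40001, "10.0.0.2", 80),
               ("10.0.0.1", 40002, "10.0.0.3", 22)]

if __name__ == "__main__":
    print("counter repeats after reboot:", sequence_repeats_after_reboot(CounterISN, CONNECTIONS))
    print("RFC 1948 repeats after reboot:", sequence_repeats_after_reboot(Rfc1948ISN, CONNECTIONS))
    fixed = Rfc1948ISN(secret=b"k" * 16, clock=lambda: 1_000_000)
    for conn in CONNECTIONS:
        print(conn, "->", hex(fixed.isn(*conn)))
```

With a fixed secret and clock the RFC 1948 generator is still deterministic and still advances by one unit per 4 microseconds for a given connection, which is the RFC 793 property that keeps old segments from being confused with new ones; what changes is that the offset between two different connections' sequence spaces is a function of the secret, so observing one connection's ISN says nothing about another's.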
13  Ethical Hacking Discussions and Related Certifications / Forensics / OS Detection from a RAM dump on: September 16, 2006, 08:48:17 AM
Harlan Carvey of the Windows-IR blog has finished development on a utility for determining the OS from a RAM dump, either dd-style or a VMware .vmem file.

http://windowsir.blogspot.com/2006/09/os-detection-explained.html
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Rootwars! on: September 15, 2006, 02:41:21 PM
Hope to see you all for tomorrow's rootwar 8)

If you haven't yet, email Joe at: joe@learnsecurityonline.com
15  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: What is hacking? on: September 14, 2006, 12:20:37 PM
I know this topic is a little dated, but Bruce Schneier posted something relevant on his blog today... IMO his views are always views to consider.

http://www.schneier.com/blog/archives/2006/09/what_is_a_hacke.html
© 2013 The Ethical Hacker Network