Ethical Hacker Community Forums
November 22, 2008, 06:35:14 AM *
  Show Posts
391  Resources / Tools / Re: Nipper - Network configuration audit tool on: March 14, 2008, 09:00:56 AM
zr0crsh,

from using Nipper the report is fairly self-explanatory. For each potential issue that it finds it provides:
  • Observation (reason why X is an issue)
  • Impact of issue
  • Ease of which issue could be exploited
  • Basic recommendations for a fix

The key part is 'potential' issues, whilst the tool has provided me with a number of avenues to look at increasing the security of my setup there are several issues that are flagged that can be ignored if you know and understand your environment. For example, an issue that appears in the report is that the SNMP password is not complex enough. However, as the SNMP access is tightly controlled via ACLs this isn't as much of an issue in my environment as it might be elsewhere.
As with most tools, don't just go blindly following the advice of the report without first understanding the issues fully.

I haven't come across the CIS RAT tool before, I've just had a quick look at their website and there appears to be a lot of legalese that you're required to read/accept before getting access to the tool, along with the benchmarking information documents.

Do you know if there is any way (I could have missed the relevant section on the site) to access the documentation without giving away my life story first?
392  Resources / Tools / Re: Nipper - Network configuration audit tool on: March 14, 2008, 08:28:12 AM
Pseudo,

Nipper works offline on a configuration file. In my case I've been playing with Cisco devices, all I've done is supply a text file holding the configuration (usually generated using the show running-config command) on the command line, for example:

nipper.exe --ios-switch --input=someDevice.conf --output=someDevice-report.html

This way the routine doesn't interact with the device in any way, so can't cause it to fall over or reduce network performance. From reading the documentation it is possible to pull the config from Cisco devices using SNMP strings or TFTP servers, but I won't go down this route as the alternative is fairly simple and cannot affect the client's equipment in any way.

Avoids the 'everything's dead! What have you done?' questions Wink
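
An added example, not part of the original posts and not Nipper's own logic: an offline check over a saved Cisco IOS configuration that flags weak SNMP community strings and records whether an ACL restricts them, which is the triage described in the two replies above. The sample configuration, the weakness heuristic and the verdict wording are all constructed assumptions.

```python
import re

# Constructed sample of a saved running-config (not taken from the posts).
SAMPLE_CONFIG = """\
hostname lab-sw1
access-list 10 permit 192.0.2.10
access-list 10 deny any
snmp-server community public RO
snmp-server community monitor RO 10
snmp-server community private RW 99
snmp-server community N0c-Mgmt-7731x RO 10
"""

DEFAULTS = {"public", "private", "cisco", "snmp"}
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?\s*$", re.I)
ACL_RE = re.compile(r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)")

def is_weak(community):
    """Assumed policy: default names, short strings or fewer than 3 character classes."""
    classes = sum(bool(re.search(p, community))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return community.lower() in DEFAULTS or len(community) < 10 or classes < 3

def audit_snmp(config_text):
    """Return (community, mode, acl, verdict) for each community line, read offline."""
    lines = [line.strip() for line in config_text.splitlines()]
    defined = {m.group(1) for m in map(ACL_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if not is_weak(name):
            verdict = "ok"
        elif acl is None:
            verdict = "fix: weak community with no ACL"
        elif acl not in defined:
            verdict = "fix: weak community, ACL %s not defined in this file" % acl
        else:
            verdict = "review: weak community, access limited by ACL %s" % acl
        findings.append((name, mode, acl, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("%-16s %-2s acl=%-4s %s" % finding)
```

A "review" verdict still needs someone who knows the environment to confirm that the ACL only admits the management hosts.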
393  Resources / Tools / Nipper - Network configuration audit tool on: March 14, 2008, 06:30:21 AM
Hi All,

just spent the morning playing with a little application called Nipper (http://www.titania.co.uk/nipper.php) so I thought I'd share my experiences.

From the site:
Nipper performs security audits of network device configuration files. The report produced by Nipper includes; detailed security-related issues with recommendations, a configuration report and various appendices. Nipper has a large number of configuration options which are described on this page.

The current version is 0.11.5, whilst I was initially put off by the low (0.) version number it seems to be stable and feature rich. From the changelog the project has been active for over a year and appears to be quite actively developed.

From an external testing viewpoint it isn't going to be much use as it requires a copy of the relevant device's configuration to run. However it could speed up a second stage infiltration if this can be obtained via other methods, such as SolarWinds configuration retrieval tool for Cisco devices if an SNMP community with read/write privileges can be obtained. Obviously, those auditing their own networks shouldn't have this problem.

Nipper appears to be a useful tool from an auditing perspective, it investigates the device from a number of different aspects, producing a nicely written and readable report for output (HTML format by default). The configurations I've run through it so far seem to indicate that I may spend the rest of the day researching the findings whilst completing weakness report forms and change requests Cry

So far I've only been able to test Nipper's abilities with Cisco IOS switch and router devices. Nipper boasts abilities to function with a broad range of Cisco devices along with most major firewall manufacturers (Juniper, Checkpoint, Nortel and SonicWall). If anyone has used Nipper for other devices I would be interested to know how the functionality compares, especially as the site states "Please note that the level of support for each type of device varies."

Overall seems like a nice tool that I'm going to keep around in my bag of tricks for the time being.
394  Features / Book Reviews / Re: [Article]-Daemon - A Novel on: March 14, 2008, 03:28:50 AM
Just in case, here's a reminder:

http://www.thedaemon.com/

And the press release about the sequel:

http://www.verdugopress.com/News/Freedom_TM_PressRelease02.pdf

Don

Thanks Don,

Can't wait, roll on November....
395  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: help on: March 14, 2008, 03:24:42 AM
H1PPY,

I'll start with the programming aspect of your questions as that's where I got started. I'd recommend that you try to find a small project that you want to complete, I've found that nothing can be harder than trying to learn programming for the sake of programming. If you've got a project it will give you something to work towards, keep you focused and ultimately give you a sense of achievement as you complete various aspects of the project. From experience though, when starting out don't be afraid to throw a project away if you realise you should have done it differently. Start again and use what you've learnt to build a better solution and learn more along the way (assuming you haven't got a boss looking over your shoulder.)

Whilst I'd agree with shawal that C (and derivatives) is a good language for systems and network programming, it can be a scary place to start. I've known several programmers and lecturers who advocate the use of web-based coding for learning as it is easy to get interaction with the program without a lot of 'black magic'. Personally I think that the integration between presentation and application logic can be confusing and the lack of structure can allow you to form bad programming habits.

For a starting point I'd recommend trying Visual Basic, although you'll probably want to graduate to a more 'advanced' language after you know the basics, VB can be a great starting point to learn to code and common programming structures. After all, BASIC was originally designed as an educational tool.

As you can probably guess from my response, there is no 'right' language for any programmer, or any situation. From reading your post I'm assuming that you are just starting out, if possible enrol on an introductory programming course. The guidance and assistance from an experienced programmer can make a large difference in your rate of learning and overall proficiency, possibly making the difference between you being a 'code hacker' or a programmer.

If you know other programmers, try using the same language and toolsets as them, hopefully they should be able to offer assistance and recommendations whilst you are setting out. It can also be a nice sense of achievement and indication as to your progress when mentors who taught you the ropes start asking for assistance and thoughts from you for their projects.

For the hacking aspect of your question, I'll mostly leave that to more experienced members of this forum. Most of the recent books published should give you a good start, for a complete new entrant into the field Hacking for Dummies and Hacking Exposed seem to be the most accessible and are often recommended. Don't forget about Google as well, should be every hacker's best friend Wink

Good luck
396  Features / Book Reviews / Re: [Article]-Daemon - A Novel on: March 13, 2008, 02:19:59 PM
Just finished reading this book after reading the sample chapters on EH-net.

Really liked the book although I thought the ending was a bit tame, but then I jump on the forum to post my thoughts to discover the author has a sequel in the pipeline for this year, made me all happy inside. Fully recommend it to anyone that hasn't already read it.
397  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH courses in Europe on: March 13, 2008, 10:24:42 AM
Don,

thanks for the link, haven't come across the Firebrand Training in my research,  I'm not entirely sure how looking at the list of courses on the site. I'll keep them bookmarked for when I finally get some funds together for training.
398  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH courses in Europe on: March 13, 2008, 09:39:57 AM
I know of a couple of places near that part of the world. First is the MTC testing centre in Sunderland, UK (http://www.mtc-training.co.uk/). If you don't know the location you're lucky, there are a number of local airports nearby, Newcastle and Durham-Tees, but they are mainly to allow the sensible locals to leave Grin

I have also come across a company called IT Security Training (www.itsecuritytraining.com) that boasts some intensive courses. They work out of a hotel in Scotland (Edinburgh I think) and a hotel in London. If memory serves they advertise with both Computing Weekly and the BCS so they should be fairly reputable.

As I haven't taken any of the courses myself I can't offer any experience, but they both seem to talk a good talk from the interactions I have had with them.

Hope this is of some use, happy hunting
399  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH courses in Europe on: March 13, 2008, 08:29:09 AM
Anton,

which part of Europe? Might be my part of the world.

Oh, and welcome to the site Grin
400  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: hacking adware. on: March 13, 2008, 04:49:41 AM
Or the good old BSOD screensaver.

Liked that one, my favourite which I've now lost, was a little VB app that mirrored the windows explorer window and had a pop-up asking if you wanted to delete the contents of the C:\ drive, regardless of user action it then showed a video of the drive being deleted before turning the screen blank Wink

A long 10 seconds later it slowly typed "Thank God I'm just joking..."

Managed to get the school admins with that several times in my yoof Grin
401  Features / /root / Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN) on: March 13, 2008, 04:29:43 AM
Sorry for responding to my own post.

as if by fate I have just received an email informing me that there is a new update for the cyber-ta's bothunter package (www.cyber-ta.org/BotHunter). I haven't had a chance to get this app through the change control process at work to give it a run through, but from reading the site I definitely want to. If anyone has any real-world experience of the tool can you let me know if it lives up to the hype?
402  Features / /root / Re: The Ethics of "Stealing" a WiFi Connection on: March 12, 2008, 03:40:00 PM
Rance,

nicely done my friend Grin
403  Features / /root / Re: Finjan: Chinese Fill Void Left by Russian Business Network (RBN) on: March 12, 2008, 03:35:49 PM
shawal,

the story that started my interest in botnet tracking was written by Steve Gibson of GRC.com. Basically it was a write-up of his investigations into a real life DDoS attack experienced by his company. Included the likes of detailed explanation of the attack experienced to writing a custom IRC bot to snoop on the attackers botnet command and control structure.

I've spent all afternoon trying to find a link to the story but everything I find points to a 404 error on the GRC site so it looks like it has been taken down for some reason. If you have as much luck as I did finding it PM me as I may have a saved copy on one of my works machines.

One of the botnet investigations I have undertaken myself was an IRC bot I cleaned from a client's server. Unfortunately I was unable to take the investigation as far as I would have liked as the c&c deactivated before it could be infiltrated. From packet traces obtained during the incident it appeared the bot was part of a spam sending network and wasn't very subtle, at random times of the day it would max out the server's 100Mb connection, made finding the issue child's play.

An aspect of the bot that I found rather amusing after pulling its code apart is that it seemed to be programmed to throw random insults to the command line. I am now the proud owner of a rather large file containing little more than insults about 'yo' mamma' Wink

In response to your question about people getting away with murder, from experience in situations like this it can be very difficult, if not impossible, to find the true 'botmaster'. Often the best you can do is clean-up, inform any parties that have been involved in the investigation and try to prevent a similar intrusion next time. Regularly, the only machines/IPs/people that you can identify are just regular users like yourself, all blissfully unaware or trying to deal with the same issue.

I recently attended a seminar on forensic investigations where one of the talks was given by a member of a police 'cyber-crime' department. Before the talk I believed that the police force would largely ignore these types of activities but was impressed by the level of interest and available resources. I now intend to pass all findings of future investigation to the relevant authorities, something that was actively encouraged during the event.

If you intend to delve deeper into these areas I would highly recommend both the SANS Reading Room and archived webcasts, as well as the Honeynet project. A good starting point in incident response basics is "Dead Linux Machines do tell tales" (http://www.sans.org/reading_room/whitepapers/honors/1491.php)

Hope this rather long rant is of some interest/use, and happy hunting Wink
404  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Defibrilator hack on: March 12, 2008, 02:43:06 PM
cheers dean,

as if I wasn't already paranoid enough about hospitals........... Wink
405  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: hacking adware. on: March 12, 2008, 02:40:43 PM
vote for noscript seconded.

I'll have to keep the exceptions tip in mind for some 'specialist' uses (namely some possible office pranks Wink ) cheers iSmtih
© 2008 The Ethical Hacker Network