Good Bad Attitude
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
May 26 - June 2, 2006
This program grabs a list of good processes from /proc, then it monitors /proc and kills any new process. It is meant to be used in extremely hostile environments. It is a general use tool, but it can and should be modified as necessary. Obviously it should be modified to allow the user to re-login in case s/he loses shell.
It's original use is for Defcon 14 ACTF. If a vulnerable server gives non-root access (quite likely), attackers that re-attack the server will be able to kill the original attacker. This means that the original attacker should put up defenses quickly to ensure that attackers are ejected. One way is to fix the vulnerability in the server. If this is not possible, this script is a simple solution.
Read more »OpenSSL Blowfish Bruteforce Attack
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Jan 20, 2006
OpenSSL Blowfish Bruteforce Attack 0.2 Source
[sig]
OpenSSL Blowfish Bruteforce Attack 0.1 Source
[sig]
OpenSSL is a useful tool with many uses. The openssl command is not used much by normal users, but for hackers, it is essential for encryption, generation of keys, encryption attacks, and so forth. A specific command, enc has been used by hackers for encrypting data with various ciphers. An especially useful cipher is Blowfish.
openssl enc -bf-cbc is the command used. A simple bruteforce
attack can be successful on bad passwords and good password. Since Blowfish
takes a long time to generate keys, it is slow, but works. My code uses any
known parts of the password to make the search faster. The attack requires a
know file regularity to test the crack.
In this case we use tar archive filename plus nulls at
the start of the tar archive. A similar known plaintext can be used on a
large variety of file types (avi, zip, jpeg, png, etc).
by Javantea aka. Joel R. Voss
Sept. 7, 2006
Slideshow format
Botnets Neg9 Hands-On Tutorial
Botnets are groups of computers running malicious software that group together to achieve a common goal. Botnets are possible because of rampant security flaws in commonly used operating systems and programs. While software developers release patches, there isn't a perfect system of updating in place and there is evidence that there never will be. Lack of patching leaves programs open to exploitation. However, many exploits could be prevented by using simple security software (firewall, anti-virus) or by simple design of the operating system (no ports open). Some exploits, however, are in programs that are required for business (eg. web servers). I plan to discuss the methods and motivations for botnets and the methods for discovery and destruction of Botnets. I don't have perfect solutions, but I have some good ideas that can be put into use today to affect the number of botnets.
Botnets are a quite recent addition to security literature. They have appeared mainly as a result of obvious security vulnerabilities. Most botnets are targeted at the Win32 OS because of the number of vulnerabilities [1] and the massive number of unpatched machines available (250,000-1.5M+ Sasser infections, 200M update downloads) [2]. However, botnets have targeted many platforms. The first Linux/Apache worm was quite recent (Dec 20 2004), targetting a vulnerability in phpBB which was caused by PHP. The worm used Perl, Google, and left an obvious trace [3]. Although it did not become a botnet, it easily could have. More recently I have detected a botnet gathering using the AWStats and Mambo vulnerabilities [4]. In response to increased patching and firewalls in remote services of Microsoft Windows, botnets have targetted IE6, which is often unpatched.
Read more »
by Javantea aka. Joel R. Voss
Sept 8, 2006
Botnets
Spam Server Analysis
Spam Server Passive/Active Analysis 0.4
[sig]
50 MB of Test Spam
[sig]
At the above Neg9 Seattle meeting (Sept 8, 2006), a group of four Neg9 security researchers gathered to discuss botnets and various other ideas. I, Javantea, led the discussion of botnets, but as expected, the three other participants were far more knowledgeable than I on the topic of botnets. Quite a lot of research, development, and interest is going into botnets currently. This is a very positive note because everyone benefits from better knowledge and control of botnets.
It begs to be said that nothing illegal was done at the Neg9 meeting. Nothing unethical was done at the Neg9 meeting. Polite portscans are legitimate techniques of security researchers and criminals alike. I limited the output of my box to a maximum of 6 packets per second at maximum and 2 packets per second at nominal. Connecting to any machine on the internet is legitimate because open ports are public information. Anyone who disagrees is a complete idiot and should go straight to /dev/null.
Read more »
