The classic "Internet Helpdesk" video

It came up again in conversation so I thought I would provide the link. If you have ever worked at the "help desk" here is a classic video that hits the nail squarely on the head. For a good laugh as we move into a 4th of July weekend, check it out.

Troll XP




Warriors of the Net - An animated tutorial on TCP/IP

Thanks to Rick, a current student, for referring me to this. It's a Flash-based movie that uses a very well done visual theme and light humor to describe the essence of concepts that are fairly challenging to teach and even more difficult to understand: Internet routing and the fundamentals of TCP/IP.

Warriors of the Net clips




Javvin | Network Protocols Guide

Here is a good website with well written and brief (for the time crunched) descriptions of many network protocols. Many of them are very specific to certain situations, so this is a good resource for looking into protocols you may not use everyday.

Javvin | Network Protocols Guide, Network Monitoring & Analysis Tools




Internet & Networking: Technology Standards and Organizations

Admittedly this is not the most compelling topic about technology, but it can be interesting to look into how something such as the Internet, with supposedly no real "owner" can operate as it does. Standards and protocols have to be created, shared, and communicated in some way, else we have a "tower of babel" situation.

So I did a quick Google search and came up with some links that reveal some useful vectors of research. Really, take a look.

Internet & Networking: Technology Standards and Organizations

Open Directory - Computers: Internet: Organizations

The Internet Economy Indicators

Internet Society (ISOC)

CNN.com - Technology - Internet organizations create wiretap hotline - November 10, 2000




Packet switching - Wikipedia

This brief article on packet switching from Wikipedia includes a couple of interesting historical nuggets, as well as many links to supporting definitions in the finest Wiki tradition.

If someone in the 1960s was writing a paper on "queuing theory", it is impressive to think about how much other obscure, weird, out-in-left-field nonsense someone can obsess over that one day inspires an idea that really changes the world.

Packet switching - Wikipedia, the free encyclopedia




The Cisco CCNA Exam Today: What You Need to Know to Pass the First Time

Good and accurate article on what you can expect to encounter if you are attempting the CCNA exam.

The Cisco CCNA Exam Today: What You Need to Know to Pass the First Time




Cisco Systems - Easy Links

Since I will be shifting my attention toward Cisco products for the next few weeks, here is a list of a few sites to be frequently visited. Cisco provides tremendous documentation, so it goes without saying that this is not meant to be an exhaustive resource list. It is only meant to help keep focused on the research task at hand.





Obfuscated Shellcode - Hiding from IDS

Shellcode is in essence what an attacker uploads to a victim when exploiting a buffer overflow vulnerability. One of the challenges an exploit author faces is how to get the shellcode past any intrusion detection devices that may exist on the network or host. These IDS systems look for the common signature values of events such as the "NOP sled".

A NOP sled is a series of instructions to the CPU that do nothing; in other words, they execute a "pay attention but wait for further instructions" type of statement. The NOP sled allows the attacker to be less precise about where the shellcode gets placed in the victim's RAM.

The article below describes some different ways an attacker might hide the NOP sled from Intrusion Detection Systems and how an IDS might be adjusted to look out for them.

Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 1)
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 2)
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 3)




Practice your forensic skills

One of the most frequently asked questions upon completion of any CEH or CHFI class is "How do I analyze a system after an attack?"

This is a reasonable question, and the most straightforward answer is in a word - "Practice". Not to sound trite, but the same thing applies to students that take a class in a programming language. After learning the basics, it is now up to the student to apply the concepts in creative ways, and do a lot of it.

In staying with the student programmer analogy, most of what a programmer writes will not work, either because the student has not broken the problem down into small and discrete enough steps, or because he is simply trying something that is too hard at the present stage. The point is, expect the process to take time, require a lot of failures, and don't worry about it. It is the way it works for everyone.

Here are some suggestions: visit and read the sans.org and securityfocus article collections. Also frequent the technical libraries of major anti-virus vendors. These websites have large collections of articles that break down the process of analysing a system for particular compromises. Through these case studies, you can pick up important tips and ideas without having to discover them all for yourself the hard way.

When you are ready to, try the monthly scan challenges from the honeynet.org project.




Steps for Recovering from a UNIX or NT System Compromise

I present this article as an example of many that are available on the internet describing step by step procedures for recovering a compromised system. Even if analyzing a honeypot is more of what you are after, getting familiar with the steps to recovery can help you create a methodology for analyzing your breached system.

This article has important links to relevant law enforcement agencies and supplements to the article itself.

CERT®/CC Steps for Recovering from a UNIX or NT System Compromise




Web Browser Forensics

Below are links to a two part article describing an investigation of a breached machine involving suspicious internet activity. Although this article does mention a few commercial analysis tools, one point that bears repeating is that an investigator should not forget about the basic and obvious places to look. Sometimes we just dive in and start doing the 'fun' stuff, like hex viewing (actually not that much fun, but it impresses your friends).

They also provide the data so you can follow along. Invest an hour or so into this project and you can gain some important insight.

Web Browser Forensics, Part 1
Web Browser Forensics, Part 2




Computer First Aid Using Knoppix

Here is a brief but useful tutorial for Knoppix beginners that walks you through using the OS as a data recovery tool.

Computer First Aid Using Knoppix




Sample Exam for Computer Forensics

Try this sample exam to test your knowledge of computer forensics. There are a few 'correct' answers that I would dispute, so take it with a grain of salt and see what you think.

Sample Exam for Computer Forensics




Software Firewalls versus Wormhole Tunnels

If your host is running in promiscuous mode so you can view traffic, but there is also a firewall on the same machine, a necessary question to ask is: "Which application does the traffic see first?"

If the captured packets see the firewall first, they might be filtered and not seen by your sniffer. On the other hand, if the sniffer sees them at all, they may have bypassed the firewall altogether.

This article discusses some scenarios that involve a configuration which includes personal firewalls and promiscuous mode drivers running on the same system.

Software Firewalls versus Wormhole Tunnels




Scan for promiscuous mode NICs - PromqryUI.exe

Here is a Microsoft tool for scanning a network for the presence of machines that could be used to sniff traffic. Promiscuous mode allows a NIC to pass all network frames to the application layer, not just those with matching destination MAC addresses.

WinPcap, the promiscuous driver, also allows custom packets to be created by anyone with admin rights. These packets could be used in a variety of attacks.

Download details: PromqryUI.exe




WinPcap: Sending Packets

This is a more advanced tutorial but I still encourage anyone to take a look at it. It is a how-to style guide on sending packets with programs written in C using the WinPcap driver.

WinPcap: Sending Packets




The Price of Perfection

Below is a great but tragic story that illustrates the cause and effect of perfectionism. We all strive for this, some of us obsess over it. But how often do we exert exceptional effort for unexceptional outcomes?

A few seconds here or there, retaliation for an honest mistake...Oh, but if we let one thing slide then something else will happen and still more problems will be allowed and next thing you know we aren't competing anymore.

What would we do with ourselves if we were not attaining perfection? Not losing 107 lives to make up 90 seconds.

A Day in the Life of a Project Manager: Issues, Insights, & Implementation: The Price of Perfection




HSC - Tools - IDSwakeup

One of the best exercises you can perform to help understand firewalls and intrusion detection systems is to run hping2 against a set of rules you have created. This allows you to verify that the rule does what it was designed to do, and also allows you to test for false positives. By doing this manually, you are forced to dive into the protocols a little deeper.

In case you are crunched for time or want a little help with the situation, IDSwakeup is a script that uses hping2 to generate a variety of traffic signatures to test your IDS configuration. It runs only on Linux, and hping2 must already be present on the system.

HSC - Tools - IDSwakeup




Do they really work directly with the bytes and registers?

In a recent discussion with a student about buffer overflows and related topics, it was called into question just how 'low' an attacker will get where manipulating a running application is concerned. One opinion stated that exploits are written in higher languages and compiled into assembly before transporting to the victim. While this is true in some cases, it is also true that some attacks take place one byte at a time, and one CPU register at a time.

Check out this example...

Ethical Hacking and Computer Forensics




The 12KB Bomb

As stated from the article referenced below:

"Windows has become bloated into millions and millions of lines code, yet it only takes a mere 12 kilobytes to provide full system compromise and an annoying spam engine."

I am always wrestling with the idea in my head that what these virus writers do is intellectually impressive even though emotionally I would like to.....well I shouldn't say.

The 12KB Bomb




NTFS Streams - Everything you need to know (demos and tests included)

NTFS streams are one of the most popular subjects discussed in both the CEH and CHFI courses. The fact that it is so easy to hide information in this manner certainly justifies the curiosity. This article discusses NTFS streams in depth.

NTFS Streams - Everything you need to know (demos and tests included)




Preserving Digital Evidence to Bring Hackers and Attackers to Justice

Preserving evidence in a computer crime or security breach can be tricky because there are so many ways in which it can be changed even before we deal with the possibility of the examiner misinterpreting what has been acquired.

Protect the evidence as if it were as fragile as a spiderweb in a sandstorm. Then copy it as precisely as one would preserve ancient scripture. Then analyse it as though you were creating a masterpiece of classical music. No problem.




Preserving Digital Evidence to Bring Hackers and Attackers to Justice




A non-technical description of computer forensics

Articles like this one can come in handy whenever you need to come up with a non-techy description. They can also come in handy when someone isn't too sure about the value proposition in a technical suggestion.

After trying your best to state your case, casually forward an article about your topic in a light and brief email. Don't be pushy about it or the technique will backfire. But sometimes using respected references can help ease concerns about unfamiliar topics.

law.com - Article




Internet Explorer's AutoComplete function

Here is a brief but interesting article on the AutoComplete function used by Internet Explorer. This is what happens when you begin typing characters into a form and IE offers suggestions on how to fill in the rest based on previous entries.

Credit card numbers might be in there too; good thing for the extra convenience of not having to type in those pesky things....

Thomas Rude - AutoComplete Function - Copyright @2000




TCP and Explicit Congestion Notification (ECN bit)

When looking over an Ethereal capture, a student noticed the presence of two flags in addition to the six flags specified in RFC 793 for TCP. One of the bits indicated a change in window size, the other was called ECN (Explicit Congestion Notification). Here is a well written article explaining this flag and the RFC references that discuss it further.

TCP and Explicit Congestion Notification
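As an added example (not taken from the article above), a small Python parser that pulls the flag bits out of a raw TCP header, including the two ECN flags beyond RFC 793's six: CWR (congestion window reduced, the "window" bit the student noticed) and ECE (ECN-Echo). The sample headers are constructed; the ECN-capable SYN with both bits set is the negotiation RFC 3168 describes.

```python
import struct

# Bit positions within the low byte of the 16-bit offset/flags word
# of the TCP header (RFC 793 flags plus the two ECN flags of RFC 3168).
TCP_FLAGS = {
    0x80: "CWR",  # Congestion Window Reduced (RFC 3168)
    0x40: "ECE",  # ECN-Echo (RFC 3168)
    0x20: "URG",
    0x10: "ACK",
    0x08: "PSH",
    0x04: "RST",
    0x02: "SYN",
    0x01: "FIN",
}

def parse_tcp_flags(header: bytes):
    """Return the names of the flags set in a raw TCP header (>= 20 bytes)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    _src, _dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", header[:20])
    flags = off_flags & 0x00FF  # data offset and reserved bits live in the high byte
    return [name for bit, name in sorted(TCP_FLAGS.items(), reverse=True) if flags & bit]

def is_ecn_setup_syn(header: bytes) -> bool:
    """RFC 3168: an ECN-capable client opens with SYN + ECE + CWR (and no ACK)."""
    f = set(parse_tcp_flags(header))
    return {"SYN", "ECE", "CWR"} <= f and "ACK" not in f

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte header (data offset 5, checksum 0) for samples."""
    off_flags = (5 << 12) | (flags & 0x00FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

# Constructed samples: an ECN-setup SYN, a plain SYN, and an ACK carrying ECE
# (the receiver echoing congestion back to the sender).
ECN_SYN = build_tcp_header(40000, 80, 1, 0, 0x80 | 0x40 | 0x02)
PLAIN_SYN = build_tcp_header(40000, 80, 1, 0, 0x02)
ECE_ACK = build_tcp_header(80, 40000, 1001, 2, 0x40 | 0x10)

if __name__ == "__main__":
    for name, hdr in [("ecn syn", ECN_SYN), ("plain syn", PLAIN_SYN), ("ece ack", ECE_ACK)]:
        print(name, parse_tcp_flags(hdr), is_ecn_setup_syn(hdr))
```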



