December 11, 2007 at 6:21 pm
· Filed under Technology
Disclaimer: What I am about to show you can get you fired at work. I have explicit written permission to do this where I work, and I would suggest you get the same. The reason this can get you fired is that you can use it to evade website blocking. If a company has gone through the trouble to implement website blocking, you can be certain that they have a policy that says if you circumvent it, you will be terminated. Don’t be stupid.
Have you ever been to a coffee shop or an airport or a technology conference where you wanted to log in to webmail or a web forum that isn’t completely SSL encrypted, but you didn’t want someone to sniff your passwords or authentication cookies? You could use a VPN, but unless you already have that set up, that’s just another hoop to jump through. Why not use something you already have available to keep yourself safe? You can do this with Secure Shell (SSH) tunneling. SSH is a protocol that was created to connect to a remote computer with a secure interactive shell. SSH can also do many other things - from copying files securely to remote systems using SCP to acting like a proxy server for your local client applications. For all the uses of the SSH protocol, look at the Secure Shell wikipedia article referenced above.
I’m going to show you how to use SSH to connect to a remote SSH server and make that connection look like a SOCKS proxy to your applications. Once the connection is established, you configure your local programs to use the SOCKS proxy by pointing them at a port on your local computer; traffic sent to that port is tunneled over the encrypted connection to the SSH server. To do this, you need an external SSH server to connect to. You can run one at home or use a webhosting company where you have an account. I use DreamHost. If you run one at home, I’d recommend not running it on the default port (22) because of SSH brute force attacks.
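As an added example (not code from the post), the following script starts the dynamic forward described above and, before you point a browser or mail client at it, confirms that whatever is listening on the local port actually answers a SOCKS5 greeting. The host name, account name and ports are constructed placeholders; substitute your own shell account.

```python
"""Start an SSH dynamic forward (ssh -D) and confirm that the local port really
speaks SOCKS5 before pointing applications at it.  Added example; not code from
the post.  Host, user and port values are constructed placeholders."""
import shutil
import socket
import subprocess
import sys
import time

SSH_HOST = "ssh.example.net"   # placeholder: your home box or hosting account
SSH_USER = "alice"             # placeholder account name
SSH_PORT = 2222                # non-default port, as the post recommends
SOCKS_PORT = 1080              # the port your browser/mail client will be told to use


def build_ssh_argv(user, host, ssh_port, socks_port):
    """argv for the tunnel.  Returned as a list so nothing is shell-parsed."""
    for p in (ssh_port, socks_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return [
        "ssh",
        # Bind the SOCKS listener to loopback only.  A bare "-D 1080" binds
        # according to the GatewayPorts setting; being explicit makes sure other
        # laptops on the cafe Wi-Fi can never ride your tunnel.
        "-D", f"127.0.0.1:{socks_port}",
        "-N",                              # no remote shell, forward only
        "-p", str(ssh_port),
        "-o", "ExitOnForwardFailure=yes",  # exit instead of silently running without the proxy
        f"{user}@{host}",
    ]


def socks5_greeting():
    """RFC 1928 client greeting: version 5, one method offered, 0x00 = no authentication."""
    return b"\x05\x01\x00"


def parse_socks5_method_reply(reply):
    """True only if the server chose 'no authentication' (0x00); 0xFF means it rejected our methods."""
    return len(reply) == 2 and reply[0] == 0x05 and reply[1] == 0x00


def check_socks5(port, host="127.0.0.1", timeout=3.0):
    """Do only the SOCKS5 method negotiation against the local listener; nothing is relayed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            return parse_socks5_method_reply(s.recv(2))
    except OSError:
        return False


def main():
    if shutil.which("ssh") is None:
        sys.exit("no ssh client on PATH")
    argv = build_ssh_argv(SSH_USER, SSH_HOST, SSH_PORT, SOCKS_PORT)
    print("running:", " ".join(argv))
    proc = subprocess.Popen(argv)        # inherits the terminal, so a password prompt still works
    deadline = time.monotonic() + 60     # leave time for interactive authentication
    while time.monotonic() < deadline and proc.poll() is None:
        if check_socks5(SOCKS_PORT):
            print(f"SOCKS5 proxy ready on 127.0.0.1:{SOCKS_PORT}; Ctrl-C closes the tunnel")
            try:
                proc.wait()
            except KeyboardInterrupt:
                proc.terminate()
            return 0
        time.sleep(1)
    proc.terminate()
    print("tunnel did not come up", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

One caveat the handshake check cannot catch: the tunnel only protects what the application sends through it. Unless the client is told to resolve names through the proxy as well (Firefox’s network.proxy.socks_remote_dns, or curl’s --socks5-hostname rather than --socks5), its DNS lookups still leave the laptop in the clear and tell anyone sniffing the cafe network which sites you are visiting.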
September 5, 2007 at 1:40 pm
· Filed under Technology
About four years ago to the date, I was looking for a DNS brute forcer, because many people were getting wise and locking down DNS zone transfers. I had actually advised our security admin at work that we were allowing internal zone transfers to any IP that requested one. Not getting much help with the request for such a tool, and not having the time or enough interest to code my own, I dropped the idea. It appears that others in the InfoSec community had the same idea. About a week ago, while catching up on old PaulDotCom Security Weekly episodes, I heard them mention a tool called Fierce Domain Scanner. This is a perl script that can be used on Windows using Cygwin (it does require a couple of perl modules). The tool first tries to perform a zone transfer. If that fails, it then starts to guess domain names by doing a reverse lookup of the initial domain.com. What’s cool about it is that once it finds a computer in the domain’s address space, it starts doing reverse lookups on either side of that IP, five sequential IPs above and below the one it just found. It does this recursively for each IP it finds in that domain. The number of IPs on either side defaults to 5, but it can be set using the -traverse switch, or expanded to the entire class C using the -wide switch. This is extremely helpful if the computers’ IP addresses are sequentially numbered. It also probes for internal IPs in case the target uses one DNS server for both internal (RFC 1918 addresses) and external DNS requests.
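The neighbour-traversal idea is easier to reason about written out as a function, so here it is as an added example; this is not Fierce’s code. The reverse zone is constructed from the 192.0.2.0/24 documentation range, and the resolver is pluggable, so the same walk can be run against your own PTR records to see how much of the address space a single known host gives away, which is the argument for not numbering public hosts sequentially.

```python
"""The neighbour-traversal idea described above, written out as a plain
function so the recursion is visible.  Added example; this is not Fierce's
code.  The reverse zone below is constructed from the 192.0.2.0/24
documentation range, and the resolver is pluggable so the same function can be
run against your own PTR records to see how far one known host leads."""
import ipaddress
import socket

# Constructed sample reverse zone: a block of sequentially numbered hosts,
# a gap of six addresses, then two more, plus one host from another domain.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.11": "www.example.com",
    "192.0.2.12": "vpn.example.com",
    "192.0.2.13": "intranet.example.com",
    "192.0.2.20": "dev.example.com",
    "192.0.2.21": "dev2.example.com",
    "192.0.2.200": "printer.othercorp.example",  # different domain: must be ignored
}


def table_resolver(table):
    """Resolver backed by a dict, so the walk runs offline."""
    def resolve(ip):
        return table.get(ip)
    return resolve


def live_resolver(ip):
    """Resolver that asks real DNS for the PTR record (use it on your own zone)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def in_domain(name, domain):
    """True if `name` is the domain itself or a host beneath it (whole-label match)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def candidate_ips(ip, traverse, wide):
    """Addresses to look at around `ip`: +-traverse, or the whole /24 when `wide`."""
    if wide:
        return list(ipaddress.ip_network(f"{ip}/24", strict=False))
    lo = max(int(ip) - traverse, 0)
    hi = min(int(ip) + traverse, int(ipaddress.IPv4Address("255.255.255.255")))
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]


def traverse_neighbours(seed_ips, domain, resolve, traverse=5, wide=False):
    """Walk outward from known hosts; every hit in `domain` becomes a new centre.

    Returns (found, lookups): the hosts discovered and how many PTR queries it took.
    """
    found = {}
    checked = set()
    lookups = 0
    queue = [ipaddress.IPv4Address(s) for s in seed_ips]
    while queue:
        centre = queue.pop()
        for ip in candidate_ips(centre, traverse, wide):
            if ip in checked:
                continue
            checked.add(ip)
            lookups += 1
            name = resolve(str(ip))
            if name and in_domain(name, domain):
                found[str(ip)] = name
                queue.append(ip)   # recurse: this host's neighbours get checked too
    return found, lookups


if __name__ == "__main__":
    resolve = table_resolver(SAMPLE_PTR)
    for wide in (False, True):
        found, n = traverse_neighbours(["192.0.2.10"], "example.com", resolve, wide=wide)
        print(f"wide={wide}: {len(found)} hosts after {n} lookups")
        for ip in sorted(found, key=ipaddress.IPv4Address):
            print("  ", ip, found[ip])
```

Against the sample zone, the default walk finds the four contiguous hosts in 14 lookups and stops at the six-address gap; the wide variant spends 256 lookups and also picks up the two dev hosts, while the printer in the other domain is resolved but never used as a new centre.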
August 7, 2007 at 10:52 am
· Filed under Technology
Lately I have been catching up on podcasts that I hadn’t had time to listen to. One of my favorites is the SecurityMonkey podcast. It’s by the same guy who writes the A Day in the Life of an Information Security Investigator blog. I really wish it would come out more regularly. I always get something out of every single episode.
The last episode I listened to was episode 15. One of the things I got out of this podcast was information about a utility called VoIPong. I’ve copied the description and features from the VoIPong webpage. The next time I have an opportunity to test this program, I will, and I’ll post my results.
August 5, 2007 at 3:22 pm
· Filed under News, Technology
I really wish the press would stop feeding the public the idea that the word hacker is bad. Defcon is a place where trust has been established over the years between information security researchers, the press, and the feds. People who break the law should be labeled criminals and not hackers. Reporters who report this misinformation, like this lady, Michelle Madigan (Associate Producer of NBC Dateline), finally got exactly what they deserved.
According to DefCon staff, Madigan had told someone she wanted to out an undercover federal agent at DefCon. That person in turn warned DefCon about Madigan’s plans. Federal law enforcement agents from the FBI, DoD, United States Postal Inspection Service and other agencies regularly attend DefCon to gather intelligence on the latest techniques of hackers. DefCon holds an annual contest called Spot the Fed, in which attendees out people in the audience they think are undercover federal agents. The contest is good-natured, but the feds who get caught are generally ones who don’t mind getting caught.
While doing my presentation at CarolinaCon 2007, “How to 0wn CTF”, the question came up as to whether the winner had actually won or had cheated by using SQL injection. I’ve been racking my brain off and on, whenever I get a chance, trying to come up with a way to do a SQL injection attack against my application. It’s pretty trivial to just add the following to an item in the flag file to get the sql command to execute:
';<sql statement you want to run>
The issue that I take with this is that you need to know the table and field names to do any type of INSERT or UPDATE.
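For anyone checking their own scoreboard for this class of problem, here is an added example (not the CTF application’s code) of the pattern the quote-in-a-flag trick relies on, beside the parameterised form that makes the submission plain data. The table layout (one table of flags worth points) and the sample flags are assumptions constructed for the example.

```python
"""A flag-submission check written the way the quote-in-a-flag trick above
abuses, beside the parameterised form that stores and compares the text
verbatim.  Added example; this is not the CTF scoreboard's code, and the
table layout is an assumption (one table of flags worth points)."""
import sqlite3

# Constructed scoreboard: a few flags with their point values.
FLAGS = [("fl4g{w3lc0me}", 10), ("fl4g{r00t}", 50)]


def make_db():
    """In-memory database seeded with the constructed flags."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flags (flag TEXT PRIMARY KEY, points INTEGER)")
    db.executemany("INSERT INTO flags VALUES (?, ?)", FLAGS)
    return db


def vulnerable_check(db, submitted):
    """Before: the submission is pasted into the SQL text, so a quote inside the
    flag changes the query instead of being compared as data.  A submission of
    ' OR '1'='1 turns the WHERE clause into a tautology and scores without
    knowing any real flag; ';<statement> breaks the string and is rejected by
    this driver (it refuses more than one statement per execute), but other
    drivers would run the second statement."""
    sql = f"SELECT points FROM flags WHERE flag = '{submitted}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else 0


def safe_check(db, submitted):
    """After: a bound parameter.  The engine never parses the submission as SQL,
    so quotes and semicolons are just characters that fail to match a flag."""
    row = db.execute("SELECT points FROM flags WHERE flag = ?", (submitted,)).fetchone()
    return row[0] if row else 0


if __name__ == "__main__":
    db = make_db()
    for attempt in ("fl4g{r00t}", "' OR '1'='1", "'; DROP TABLE flags"):
        safe = safe_check(db, attempt)
        try:
            vuln = vulnerable_check(db, attempt)
        except sqlite3.Error as e:
            vuln = f"error: {e}"
        print(f"{attempt!r:26} vulnerable -> {vuln!s:40} parameterised -> {safe}")
```

The same fix applies to the INSERT that loads the flag file: bind each flag as a parameter and the quote in `';…` is stored as part of the flag rather than terminating the statement.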
I’ve reached a bit of happiness in my quest for IRC on Windows through a shell account running a bouncer, with SSL encryption from my client to my shell account. I ended up using XChat. After googling, I was able to turn off the internal ident server that comes with it by using the command /set identd 0, which I found in the FAQ. With that turned off, I needed to find a Windows ident server that was configurable. After googling, I found one here which is fully configurable. I can now authenticate to my psybnc since ident is properly configured. The only thing left to do that will make me happy is to set up the bouncer so that I can be on two IRC networks at once. I am running into an issue on my Mac. I haven’t found a configurable ident server for OS X yet. Snak comes with an ident enabler, but there is no way to configure your username or OS/host, so that’s out. I’m still looking for a working solution as time permits.
Tonight I set up psyBNC so that I could connect to IRC without having to worry about some of the issues that come with being on IRC. I haven’t been active on IRC in about two years, and the last time that I was on it was only for a month or so. At every 2600 meeting, I see my friend txs and he always asks me when we are going to start having a work night at the lab to work on the projects that we have going on. My response is always that I’ve got too much other stuff going on. Most recently, the excuse is that there is standing room only in the lab. The reason I have a sudden increased interest in IRC is that he is always in #nc2600 and hopefully I can get some dialog going with him on projects that I’m planning to work on this summer.