Wed 05 Sep 2007 01:40 PM
About four years ago to the date, I was looking for a DNS brute forcer due to the fact that many people were getting wise and locking down DNS zone transfers. I actually advised our security admin at work that we were allowing internal zone transfers to any IP that requested one. While not getting much help from the request for such a tool and not having time or enough interest to code my own, I dropped the idea. It appears that others in the InfoSec community had the same idea. About a week ago, while catching up on old PaulDotCom Security Weekly episodes, I heard them mention a tool called Fierce Domain Scanner. This is a Perl script that can be used on Windows using Cygwin (it does require a couple of Perl modules). This tool first tries to perform a zone transfer. If that fails, it then starts to guess domain names by doing a reverse lookup of the initial domain.com. What’s cool about it is that once it finds a computer in the domain space, it will start doing reverse lookups on the five sequential IPs above and below the IP it just found. It does this for each IP it finds in that domain using recursion. The number of IPs on either side defaults to 5, but it can be set using the -traverse switch or expanded to the entire class C using the -wide switch. This is extremely helpful if the computers’ IP addresses are sequentially numbered. It also probes for internal IPs in case the target uses one DNS server for both internal (RFC 1918 addresses) and external DNS requests.
Tags: dns fierce domain scanner security tools txdns windows
Tue 22 May 2007 02:57 PM
I created this site to document projects that I work on. There are a couple of reasons why I go through the hassle of documentation. The main reason is that I don’t forget anything, and the other, which is just gravy, is that maybe someone else will be able to follow along and not have to jump through all the hoops to learn the same thing that I did. They can also use my documentation to reproduce the steps it took to come to the same end result and hopefully expand upon that. This is the first of many posts to come related to these projects.
My first project will document the steps needed to collect and reverse engineer Windows malware. I’ve never done this before, but have experience with Honeywalls. I used them at the CarolinaCon 2005 Capture the Flag event. For the collection part of this project, I’m going to be using a Honeywall, Nepenthes, HoneyC, and possibly Capture-HPC. The host OS for the Honeywall and Capture will be Windows XP with no service packs installed.
Tags: capture hpc honewall honeyc malware nepenthes ollydbg projects reverse engineer sniffer windows wireshark
Thu 17 May 2007 10:20 PM
I’ve reached a bit of happiness in my quest for IRC on Windows through a shell account running a bouncer with SSL encryption from my client to my shell account. I ended up using XChat. After googling, I was able to turn off the internal ident server that comes with it by using the command /set identd 0, which I found in the FAQ. With that turned off, I needed to find a Windows ident server that was configurable. After googling, I found one here which is fully configurable. I can now authenticate to my psyBNC since ident is properly configured. The only thing left to do that will make me happy is to set up the bouncer so that I can be on two IRC networks at once. I am running into an issue on my Mac. I haven’t found a configurable ident server for OS X yet. Snak comes with an ident enabler, but there is no way to configure your username or OS/host, so that’s out. I’m still looking for a working solution as time permits.
Tags: ident irc irssi mac psybnc silc windows xchat
Wed 16 May 2007 08:50 PM
Tonight I set up psyBNC so that I could connect to IRC without having to worry about some of the issues that come with being on IRC. I haven’t been active on IRC in about two years, and the last time that I was on it was only for a month or so. At every 2600 meeting, I see my friend txs and he always asks me when we are going to start having a work night at the lab to work on projects that we have going on. My response is always that I’ve got too much other stuff going. Most recently, the excuse is that there is standing room only in the lab. The reason I have a sudden increased interest in IRC is because he is always in #nc2600 and hopefully I can get some dialog going with him on projects that I’m planning to work on this summer.
Tags: irc psybnc windows