McGrewSecurity

Agents of the Revolution
Content count: 335
Everything posted by McGrewSecurity

  1. Haven't posted here in a while, but I thought I could chime in on this, since I have something to show for myself for a change. I've implemented a very small SysLinux com32 app that will boot from USB and dump memory to another partition on the USB drive. This is similar to what the Princeton guys have done, but haven't released: http://mcgrewsecurity.com/projects/msramdmp/
  2. This ought to get you started: http://mcgrewsecurity.com/research/hackingU3/
  3. I've pretty much switched over to OS X for all of my activities since I bought my MacBook recently, with some VMs of Ubuntu and XP for things that absolutely have to be done in them (far less than I imagined, though I'll probably use a Linux server in a VM more often once I get the 4 gigs of RAM I just ordered). I'm really loving it: a good solid Unix OS with a very well designed user interface. It's great for general web/email tasks and is a really enjoyable development environment too (Xcode is the IDE to finally tear me away from the screen-full of vims and shells that was my usual environment).
  4. Yes, I believe you have it right. I'd double check what the endianness of the 32-bit words should be as well, though. The Wikipedia entry for MD5 has a pseudocode implementation, which might help you check any assumptions you are making.
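To make the endianness point concrete, here is an added example (mine, not the poster's code) that follows the Wikipedia/RFC 1321 pseudocode in plain Python and checks itself against `hashlib`. The `word_order` parameter is an assumption added for illustration: `"<"` unpacks each 64-byte block into little-endian words as MD5 specifies, while `">"` reproduces the big-endian mistake so you can see the digest stop matching.

```python
import hashlib
import math
import struct

# Per-round left-rotate amounts and the sine-derived constants, exactly as in
# the pseudocode on the MD5 Wikipedia entry (and RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
MASK32 = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5(message: bytes, word_order: str = "<") -> str:
    """Teaching implementation of MD5 (added example, not the post's code).

    word_order is a struct byte-order prefix: '<' unpacks each 64-byte block
    into sixteen little-endian words, which is what MD5 specifies; '>' is the
    common big-endian mistake, kept here so you can watch it fail."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(message)
    msg.append(0x80)                      # a single 1 bit, then zero padding
    while len(msg) % 64 != 56:
        msg.append(0)
    # The 64-bit message length is appended little-endian as well.
    msg += struct.pack("<Q", (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        M = struct.unpack(word_order + "16I", msg[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + K[i] + M[g]) & MASK32
            A, D, C, B = D, C, B, (B + _rotl(F, S[i])) & MASK32
        a0, b0, c0, d0 = [(x + y) & MASK32 for x, y in ((a0, A), (b0, B), (c0, C), (d0, D))]
    # The four state words are serialised little-endian to form the digest.
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_hashlib(message: bytes, word_order: str = "<") -> bool:
    """Compare our digest with the reference implementation in hashlib."""
    return md5(message, word_order) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"The quick brown fox jumps over the lazy dog", bytes(range(256))):
        print(sample[:16], "little-endian words:", matches_hashlib(sample),
              "big-endian words:", matches_hashlib(sample, ">"))
```

Run it and every little-endian case prints `True` while every big-endian case prints `False`; the 256-byte input exercises multi-block padding, which is the other place word-order and length-encoding mistakes usually hide.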
  5. Yes. Without some kind of authentication through SSL or whatever, this is possible. Ideally, you'd want to be in a position to prevent the real responses from reaching the destination. You'd want to do some testing to see, but if I recall correctly, it may result in the destination sending a RST and tearing down the connection. Yes, again, if you're in a position to modify the packets in transit. Edit: to point you at some tools: Ettercap will do a lot of this by ARP spoofing, so you can play around with that. There are also other tools like Hunt for session hijacking. You could also roll your own in something like Scapy.
  6. Google up the model number of his computer if it's something he bought from Dell or whatever and hasn't upgraded. If all else fails just pop the case and see what kind of video card is in it.
  7. Sounds like it's running with plain vanilla SVGA drivers or whatever Windows thinks is appropriate. Grab the drivers for the laptop's video card off the manufacturer's website and it should improve the situation.
  8. Less directly related to culture, but still useful to have in there, would be things like: "computer security", "information security", "web security", "social engineering", "penetration test(ing)".
  9. No. Normally, Windows will only auto-run things on CDs and drives with the "non-removable" bit set (this isn't something you can just toggle on most flash drives). An interesting side note here is that every iPod I've ever seen is marked "non-removable", and therefore can be used to auto-run. The U3 drives do their auto-running by emulating two completely separate drives (note that these aren't "partitions" in the usual sense, although a lot of people use that terminology talking about this). This is accomplished with specific hardware on the U3 drives that allows for dividing up the flash memory into segments that are presented to the host as different devices. The part that auto-runs emulates a USB CD-ROM drive. Some folks have had luck with taking "normal" USB drives and using U3 update tools to "convert" them over, but it's not what it seems. The drives that this works on already have the hardware in them, and it's unlikely that you are going to run into many drives that have that in them that aren't marketed as U3 drives. I personally haven't seen one, but I have seen mention of them on the hak5 forums.
  10. I wrote that a while back. I didn't want to chance "bricking" the drive, so I kept my ISOs under the size of the one that came with the drive, and just had a small autorun payload that would find and run things from the writable division. Since then, others have written larger ISOs to the "CD" division, and it works for them just fine.
  11. I finally got around to posting my review of "The Web Application Hacker's Handbook". It's excellent, and one of the authors happens to have written one of my favorite tools: Burp Suite. I figured the review would be of interest, since it seems there are some people here who are into (or want to get into) web application security: http://www.mcgrewsecurity.com/blog/?p=70
  12. There's a certain procedure you need to go through to modify the read-only "CDROM" division of a U3 drive. I picked one up cheap last year and managed to figure out how to convince the update utility to write an arbitrary ISO to that division: http://mcgrewsecurity.com/research/hackingU3/ It set off a good bit of interest in U3 drives for penetration testing. The hak5 show and forums have taken it pretty far from there.
  13. I don't really have the time or resources to devote to it, but if someone does: one could get a good foundation for this started by grabbing a dump of Wikipedia and sort out articles with a script that looks for keywords (such as "hacking", "computer security", etc.) and possibly following links to related articles. There would probably be some weird unrelated thing pulled in by this, but I think it would be easier to pick out the false positives than to manually go through finding pages in the current Wikipedia. The bad news for this is that the generation and availability of dumps of Wikipedia is a mess. The ideal would be to grab "pages-meta-history.xml.bz2", which is a database dump of every page, with every revision (this way you could sort out situations where folks have removed things that you would want for docdroppers). There are a few problems with this, though: 1) It's going to be *massive*. The last complete one I believe was 1 terabyte uncompressed. 2) It's hard for the wikimedia folks to even generate. It's been months and months since a complete dump finished successfully. 3) They started the current dumping process on October 25, and it's not expected to finish generating the file until December 19th. If you want to keep an eye on that, cross your fingers and check up here: http://download.wikimedia.org/enwiki/20071018/ Another option would be to grab "pages-articles.xml.bz2", which has the current revisions of every article. It's "only" 3 gigs compressed (I don't know how much uncompressed). It may be missing some things that have already been taken down that you're wanting for docdroppers unfortunately. You can try hunting down older dumps, or work with some of the static html downloads that are older, like this one from April: http://static.wikipedia.org/downloads/April_2007/en/
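As an added example of the keyword-sorting script the post sketches (my code, not the poster's), this streams a MediaWiki XML export with `iterparse` so a multi-gigabyte dump never has to fit in memory, flags pages whose title or text contains one of the keywords, and follows one hop of `[[wikilinks]]` to pull in related pages that are present in the dump. The five-page dump embedded below is constructed for the demo; the keyword list and the `select_from_bytes`/`open_dump` helpers are my additions. It also shows the false-positive problem the post predicts: a rugby article gets picked up by "hacking".

```python
import bz2
import io
import re
import xml.etree.ElementTree as ET

KEYWORDS = ("hacking", "computer security", "information security",
            "web security", "social engineering", "penetration test")

# Constructed miniature of a pages-articles.xml dump (same element layout as
# the real export format, only five pages).
SAMPLE_DUMP = b"""<?xml version="1.0" encoding="UTF-8"?>
<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.3/" xml:lang="en">
  <page><title>Buffer overflow</title><revision><text xml:space="preserve">In computer security,
a buffer overflow occurs when data is written past the end of a buffer on the
[[Stack (data structure)|stack]] or heap, a classic way to build an
[[Exploit (computer security)|exploit]].</text></revision></page>
  <page><title>Social engineering (security)</title><revision><text xml:space="preserve">Social
engineering is the art of manipulating people into giving up confidential
information.</text></revision></page>
  <page><title>Stack (data structure)</title><revision><text xml:space="preserve">A stack is a
last-in, first-out collection.</text></revision></page>
  <page><title>Hacking (rugby)</title><revision><text xml:space="preserve">Hacking is kicking an
opponent in the shins, an offence in rugby.</text></revision></page>
  <page><title>Apple pie</title><revision><text xml:space="preserve">A dessert pie made from
apples.</text></revision></page>
</mediawiki>
"""

WIKILINK_RE = re.compile(r"\[\[([^\]|#]+)")


def _local(tag):
    """Strip the XML namespace the export format puts on every element."""
    return tag.rsplit("}", 1)[-1]


def iter_pages(stream):
    """Yield (title, text) per <page>, freeing each element once consumed."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if _local(elem.tag) != "page":
            continue
        title = text = ""
        for child in elem.iter():
            name = _local(child.tag)
            if name == "title":
                title = child.text or ""
            elif name == "text":
                text = child.text or ""   # last revision in the page wins
        yield title, text
        elem.clear()


def select_pages(stream, keywords=KEYWORDS):
    """Return (matched, candidates): matched maps title -> keywords that hit;
    candidates adds pages linked from a hit, if they exist in the dump."""
    matched, links = {}, {}
    for title, text in iter_pages(stream):
        haystack = (title + " " + text).lower()
        hits = [k for k in keywords if k in haystack]
        links[title] = {l.strip() for l in WIKILINK_RE.findall(text)}
        if hits:
            matched[title] = hits
    linked = set().union(*(links[t] for t in matched)) if matched else set()
    candidates = set(matched) | (linked & set(links))
    return matched, sorted(candidates)


def select_from_bytes(data: bytes, keywords=KEYWORDS):
    return select_pages(io.BytesIO(data), keywords)


def open_dump(path):
    """Real dumps ship as .xml.bz2; stream-decompress rather than unpacking."""
    return bz2.open(path, "rb") if path.endswith(".bz2") else open(path, "rb")


if __name__ == "__main__":
    matched, candidates = select_from_bytes(SAMPLE_DUMP)
    for title, hits in matched.items():
        print(f"{title!r} matched on {hits}")      # review these for false positives
    print("candidate set:", candidates)
```

Against a real dump you would call `select_pages(open_dump("pages-articles.xml.bz2"))`; keeping the triggering keyword next to each title is what makes the false positives (here, the rugby article) quick to weed out by hand.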
  14. I think that for a guy who was very open about his views on hacking schools in another thread, you should be more careful about dropping docs on yourself.
  15. What were the rest of the addresses? Not everything 192.*.*.* is RFC 1918 private. Only 192.168.*.*.
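The post's point, as an added example (mine, not the poster's): a check that tests the three RFC 1918 blocks explicitly, because `ipaddress.is_private` in Python also returns true for documentation and other IANA special-purpose ranges such as 192.0.2.0/24, so it is not the same question. The `classify` and `tally` helpers and the six-address log excerpt are constructed for the demo.

```python
import ipaddress
import re

# The three RFC 1918 blocks and nothing else; 192.0.0.0/8 as a whole is not private.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def classify(addr: str) -> str:
    """Explain why an address is, or is not, RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    if is_rfc1918(addr):
        return "RFC 1918 private"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        # ipaddress.is_private also covers TEST-NET, benchmarking and other
        # IANA special-purpose ranges, so it is not an RFC 1918 test.
        return "special-purpose, not RFC 1918"
    return "public"


# Constructed sample of the kind of address list someone pastes from a capture.
# Only three of the six addresses are actually RFC 1918.
SAMPLE_LOG = """\
192.168.1.10 -> 192.0.2.44  TCP 443
192.1.2.3    -> 10.0.0.5    TCP 80
172.32.4.4   -> 172.31.0.9  UDP 53
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def tally(log_text: str) -> dict:
    """Map every IPv4 address found in the text to its classification."""
    return {a: classify(a) for a in sorted(set(IPV4_RE.findall(log_text)))}


if __name__ == "__main__":
    for addr, kind in tally(SAMPLE_LOG).items():
        print(f"{addr:15} {kind}")
```

Note the two near misses in the sample: 192.0.2.44 and 172.32.4.4 both look "internal" at a glance, but 192.0.2.0/24 is documentation space and 172.32.0.0 lies just outside the 172.16.0.0/12 block.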
  16. The mp3 of the episode is sitting there in my "to-listen" directory, and I have to admit, I'm a bit intimidated. I'm afraid to even start it because I know I'll just have to put it on hold in 30 minutes to an hour when something comes up. A 7 hour podcast in your "to-listen" is a truly daunting thing. Maybe I'll get started on it this afternoon.
  17. Oh cool! The folks on the eeeuser.com forums have been using ndiswrapper (yuck).
  18. It should be supported very soon; however, it's a new revision or modification, so the madwifi folks haven't caught up fully quite yet.
  19. That Samsung definitely has some potential, and since it's basically a PC, you're already several steps ahead (compared with getting Linux going on some other random architecture). All I can say is, when it comes to stuff like this: Do some searching around to see if anyone else is already doing what you want to do with the device. For me, the home-run is if someone over on Ubuntu's forums has what I'm planning to buy, has it up and running, with support for all the hardware. From there, I know I can just apt-get in the tools I need, and I won't have to spend a lot of time messing with it. If you do this searching around, and don't find anyone who's far enough down the path to what you want, then only buy it if you're willing to take it on as a major project. There's nothing wrong with it, if you're confident that you can get it sorted out, and don't mind putting a lot of time into it. You'll likely be a hero to some folks if you do. Somebody has to do it, but you have to be willing and able to do it. Most of the time though, I'm not this person. I have other things that I need to do, and would prefer to have something that "just works", especially if I'm spending a large amount of money on it and plan on relying on it for a good chunk of my productivity. The Eee PC for example, will make a fine portable pentesting computer for a lot of situations, but I'd have to put more time and effort into changing the way I'd naturally go about other tasks. Not the sort of thing I really want to get into right now. Edit: another supporting point to what I'm talking about is the mention of the Nokia n770 and n800 above. Those are devices where people have already put some work into getting a good set of tools up and going, saving you some serious time (if the things you want to do match up with what they wanted to do). Very handy to look stuff like that up.
  20. Yeah, I had considered that, but it'd just be more cost (on top of something that's already going to approach $500 in the configuration I wanted), setup, weight, and complication. A 2.5" enclosure with drive, like I would want for that solution, would be a power hog too. I've seen many that hook up to two USB ports to power it, and while the Eee PC has two USB ports, I'm not sure it's really designed to provide enough juice. I could get an enclosure that had its own power supply, but that'd also be another thing to throw in the bag, find a plugin for, and that can go wrong. Edit: I'm sounding very negative here about it, but I do really like the idea of the Eee PC, and I think that a lot of folks would really enjoy it. If you're on the fence about it, I recommend taking a good look at what you're planning on doing/usage patterns.
  21. Here's a page I found that explains the relationship between short Ethernet frames and collision detection: http://www.industrialethernetu.com/courses/101_4.htm
  22. Well then I imagine it's different clients respecting or disrespecting the minimum lengths.
  23. The eeeuser.com forums are alright, although I'm not sure that anyone really has a handle on what the best practices for putting another Linux distribution on the thing should be. With a non-journaling filesystem, message/error logging turned off, no swap, and other sources of frequent writes tuned down, I believe you're right, the lifespan should be comparable (maybe even favorably) to a modern hard drive. Note that it's no coincidence that these are all things that aren't as much of a concern on something like a Zaurus. I think it's a great idea for folks who use it for what it's designed for: office app tasks, web browsing, instant messaging, and such. My concern is solely with how I would use the thing. I was more interested in it as an ultra-mobile platform for various security/pen-testing tasks. There would be a lot of writes collecting and processing various data (packet logs, access logs, etc etc etc). I feel like I'd probably be a lot more abusive of the SSD than the average user, and it's not replaceable. I don't really think I'd be happy going down the SD card route with it, and to be honest I don't feel like tuning an installation (and my own work habits) to ration out writes. But yeah, I think for most people it'll be fine. It's just not as well suited for myself as I was hoping.
  24. I can definitely understand the concern. Have you tried booting off a Linux LiveCD like BackTrack and seeing if you get the padding or not?
  25. No. Even though you're replaying packets, the client machine hasn't initiated a connection, so it's not going to play along like that. Sniff while you replay, and you'll probably notice that if the client does see the traffic, it'll respond with RSTs.