Friday, February 29, 2008

Security Torrents

To fill the need to host and download multiple large security related torrents, I have put a tracker online at You will primarily find items on this site in the following categories:

Anything that I or various other contributing members find useful, relevant or fun with respect to security. Current items that will go into this category are the various HeX (all) releases and InProtect LiveUSB releases.

Any custom distributions that have been designed to fit security needs and/or perform specific tasks.

Any large packet captures or trace files that are obviously not going to fit on the site. There is one up there now, it is the malicious traffic that Richard Bejlich captured at the 2007 Shmoocon. This torrent was created and added by a shout out goes to him!

Having said all of that, we will (as with all trackers) need seeders. So if you have a little extra bandwidth and/or want to contribute in any way please let us know!


FreeBSD 7.0 Released

I am pleased to announce (a few days late) that FreeBSD 7.0R has been released as of Feb 27, 2008! More info here on the release.

You might (I hope not) wonder why this is exciting? Really, aside from the dramatic and significant enhancements to the overall functionality and stability of the operating system, it means that several OSS projects will be moving forward with new development work based on the 7.0 Release. Specifically, we will now begin work on HeX 2.0 with new nifty features to suit your packet loving needs! I also suspect that we will see some additional traction from the freesbie folks.

Further, I will be releasing a new version of the InProtect LiveUSB that will be based on FreeBSD 7.0 Release as soon as the build finishes!

Wednesday, February 20, 2008

Shmoocon 4 in review

For those that have not attended or are not familiar with shmoocon, it's an annual hacker con. The event is held in Washington DC and additional event info can be found on their site at

Tickets are released on a timed basis and come in three classes... the early bird ticket for $75, the normal ticket for $150, and the I pissed around and didn't get a less expensive ticket for $300. When I say "timed basis", they have specific dates and times that they will make a certain number of each ticket class available. Needless to say, on the ticket release dates the shmoo ticketing server was quite loaded but luckily I was able to obtain one of the early bird special tickets.

Day One:

The con kicked off on Friday Feb-15 with a single track of talks. I missed the first few talks (schedule here) and caught a little more than the last half. Unfortunately I don't really recall the first talks, so they must not have been altogether that interesting for me. I primarily payed attention to the last three talks:
  • Hacking the Samurai Spirit - Isaac Mathis
  • New Countermeasures to the Bump Key Attack - Deviant Ollam
  • Keynote Address - J. Alex Halderman
Hacking the Samurai Spirit:

The premise of this talk was to discuss the current cultural differences, history and mindset of the Japanese as related to Information Security. While this talk was humerus I did not find it terribly technically relevant. The speaker seemed to more be giving a history of security related events over the past 60 years in Japan, though there were some good and interesting points in the end that did relate to Information Security. Specifically, the speaker detailed how there are several scams occurring concerning the uneducated internet user in Japan. A simple example of this type of scam would be a pr0n site that requires the user to click on an I Agree, Enter type link prior to gaining access to the goods. Once this action has been completed, the user is then told that they have just agreed to paying X amount of money to access the site and that if they do not pay said money they will be sued. The people in Japan are afraid of reprise of any type and typically will pay this immediately. So overall I would rate this talk somewhere in the middle due to it's humerus nature.

New Countermeasures to the Bump Key Attack

Having just sat through the history lesson re: Japan, I was certainly ready for something different and more exciting. New Countermeasures to the Bump Key Attack certainly delivered this for me. I (as many in the security community) have been aware for years about the gross weaknesses that exist in the physical lock world. Thanks to the consistent pounding and education of the world by people such as Deviant Ollam. This talk covered the basics of lock-picking using bump keys and modified bump keys then detailed how may lock manufacturers are dealing with this issue. The media for the presentation itself was well done and clear, further the presenter did a great job at getting the point across.

A challenge was also issued during this talk, the title "Gringo Warrior". The setting for Gringo Warrior is simple, you are a Gringo that got a little blitzed in Tijuana and woke up in a Mexican jail cell with no recollection of the night before. In walks the corrupt policia and tells you that you have to pay a fine, the cost of that fine is whatever money you have in your bank account. He tells you that he will leave you for an hour to consider this. Luckily while they were emptying your pockets they missed your lock-picking tools. Your challenge is to pick the handcuffs that you are in, pick the cell door, disable the cell guard and pick a lock cabinet that has your passport in it. At this point, you have a choice; you must either pick the front door lock to leave, or you can pick an additional locked door in the cabinet to obtain a handgun and shoot out a surveillance camera to sneak out a window. This was a timed event, the event winner took under a minute:30 to complete the entire course and received a social engineering kit (hardhat and several vendor specific polos)!


This talk was concerning the new electronic voting systems and their MANY security flaws. It was both interesting and somewhat technical but more detailing the process that they took to obtain their first voting machine to test (somewhat clandestine in nature and humerus). The short of it is, as we all now know, that these devices have historically been easily compromised both electronically and physically. One key point of humor is that diebold (the primary manufacturer) had a high resolution picture of the actual keys used to access the IO ports of the system on their website, from this picture they were able to successfully create a working keyset.

Day Two and Three:

I am bundling these days together and only writing about the talks that I found interesting for the remainder of this posting.
  • VoIP Penetration Testing: Lessons Learned -John Kindervag and Jason Ostrom
  • Got Citrix? Hack It! - Shanit Gupta
  • Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land" - Enno Rey and Daniel Mende
VoIP Penetration Testing

This talk primarly dealt with using the voiphopper tool to jump onto voice vlans and conduct your activities as needed there. The fun part would be to jump onto the voice vlan and do a little fuzzing using spike or the like ;-). Overall a fairly interesting talk and there were demonstrations that made it a bit more exciting.

Got Citrix? Hack It!

I found this talk to be fairly basic, but that said quite technically relevant. I think that we often do not consider the most simple way to get into something and that is why this was a good talk. The premise of this was hacking Citrix and primarily focused on using the Kiosk mode. The speaker pointed out that often while the kiosk has a limited set of initial applications available to be run, or force-ran that they hotkeys are still often active. Examples include cntl+n to open a new Internet Explorer Browser instance that now has the address bar in it, you can therefore browse wherever you want and grab a payload to further break into your mom's kiosk. Other examples are cntl+h (history) cntl + F1 (shortcut for cntl+alt+del) and so on.

Advanced Protocol Fuzzing

Probably the best talk of the con in my opinion, this talk focused on the steps that some German researches took to fuzz several layer 2 protocols. They worked though creating the protocol definitions in SPIKE and Sulley and their various reverse engineering processes from various sources including Wireshark. This talk also included a live demo of crashing a medium sized Cisco Cat using LLDP fuzzing techniques.

All the other talks...

I am sure that there were several other good talks, unfortunately due to the nature of three being scheduled at the same time, I was not able to see everything. Shmoocon does post videos of the talks on their site, so keep an eye out. Unfortunately I did attend several talks that were presented by fairly well known people, and I believe that this was the only reason that these talks were approved as they contained really no new or relevant information.

Overall I would rate shmoocon as a good time with decent material and good speakers. I mean, for $75 I can't complain, I certainly feel like I got my moneys worth. Perhaps next year or at an upcoming con I will present on HeX with the team, so keep an eye out!


Tuesday, February 19, 2008

InProtect LiveUSB 0.80.3 Beta!

Though the InProtect project has not made a large number of public postings lately (beta releases and the like...) we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article but rather I am releasing a liveUSB image that is an entirely self-contained and functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea to create the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to get the time put together to actually build this tool. Having said that, I am quite pleased with the outcome and functionality of the tool. Placing this tool onto a USB thumb drive gives the user extreme versatility from the perspective of security. Obviously the nature of a USB thumb drive is not terribly secure; we can put them in our pocket and have them fall out in a parking lot where anyone could conceivably pick it up and snag the data off of it and multiple other scenarios. I am more talking about the security of the location or client that may have a sensitive environment with sensitive data and the like. In this scenario the USB device could be taken in and left with the organization, post scan, that has such sensitive data. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current, ontop of this I built fluxbox (and several applications such as firefox), mysql51, apache22, php5 and several perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect, the installer currently does not work on freebsd though I am in the process of building a port. In-short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end-user; Nessus 3.0.x install and jpgraph for php5 install.

The Nessus and jpgraph items are not included in this image due to their licensing restrictions (not GPL). It is for this reason they must be manually installed.

First you will need to download the InProtect LiveUSB 0.80.3 image here:
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it you will want to use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out... this will overwrite anything that you may currently have on your thumb drive.
dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M
Your output file path may be different than /dev/da0 (this is mine on a freebsd boxen). The key is that you are writing directly to the device address and NOT to a partition, that will NOT work. Assuming that you have a thumb drive and computer capable of USB2.0 this process should take around 10 minutes to write all of the data.

At this point you should be able to boot from your new shiny LiveUSB thumbdrive. The initial login details are simple (these ARE case sensitive so pay attention!):
Username: InProtect
Password: inprotect
Once logged in type startx to get into fluxbox. From here, if you are not familiar suggest playing around just a little bit. A few tips, this isn't windoze, you access the main menuwith fluxbox, I by right clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to login to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected the InProtect menu item, you will be able to use admin / admin for the login and password to access the local instance of InProtect.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner so that once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be immediately created and executed.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.


Friday, February 15, 2008

HeX 1.0.3 LiveUSB (CNY Release)

After much adeau, here it is! Instructions for usage are quite simple, dd it to your usb thumb drive (the drive, not a partition or it will NOT work). This image includes all of the same features as our mainline HeX 1.0.3 release but is on USB not CD, the filesystem is therefore also writable. You will need a minimum of a 2G Thumb Drive or Memory Stick to write this. I say "Memory Stick" because I have heard rumor of some people using SD rather than USB Thumb Drives to use this tool.

So for example on my freebsd system I would dd as follows:

dd if=/path/to/foo/hex-i386-1.0.3.usb.img of=/dev/da0 bs=1M

command is simple... if is the Input File, output is the Output File (in this case it is the da0 device) and bs=1M is setting the block size to 1mb - this helps to speed up the write process.

USA Site (521MB)
USA MD5 Verification
USA SHA256 Verification

Malaysia Mirrors to be populated soon, I'll post them when they are.


Thursday, February 14, 2008

Shmoocon Starts Tomorrow

I trust that we are all prepared for absurdities and enjoyable semi-sober technical security banter? In any event, shmoocon DC 2008 starts tomorrow afternoon and I look forward to seeing you there. You can find the schedule on the shmoocon site itself.

I wanted to comment that if you do not currently have a ticket, there are several for sale on Ebay:
I suspect that there may even be some hockers outside ;-)


HeX 1.0.3, the CNY Release

I am pleased to announce the release of HeX 1.0.3, release info is below. Thanks to the entire development team for their dedication and hard work. This release has been dubbed the CNY, or Chinese New Year release.

With the recent release of FreeBSD 7.0 RC2, we anticipate an actual 7.0 release in the near future. When the Release version of 7.0 becomes available we will begin working on the new HeX 2.0 project.

Get HeX 1.0.3 Here:
US Mirrors:

Malaysia Mirrors:

- pkg_info works after installation
- ping works without sudo
- procfs is correctly mounted on /proc at boot

1. NSM Console 0.6-DEVEL
- 'dump' command added, you can now dump packet payloads into a binary
file for later analysis
- Significant speedups in the harimau module and 'checkip' command if
wget is installed
- tcpxtract configuration file changed to extract more types of files
- Added foremost module
- Added clamscan module (Thanks JohnQPublic)
- Argus and tcptrace have reverse dns turned off by default now, it
was causing the module to hang for extremely large pcap files. Can be
switched on by changed the module options
- rot13 encoding and decoding added :)
- alias command
- urlescape (en|de)coding
- file existence check
- many other things
All the other enhancements, bugfixes and additions since the 0.2
release (there have been many!)

New Application Packages:
- xplot
- uni2ascii
- vnc
- vsftpd
- samplicator
- sflowtool
- pmacct
- ming
- ploticus
- tcpick
- bvi
- elinks
- feh
- tftpgrab
- arpwatch

- New wallpapers with different color schemes

The LiveUSB image will be out shortly, it is undergoing a quick regression test currently.


Monday, February 4, 2008

Column Update - Global Security

I apologize for my lax postings lately but have been largely unavailable to write due to several family matters that required travel and immediate attention.

Note that we are now back on-track for continued analysis of security tools and how-to direction, possibly even some rants and noob bashing ;-).


HeX and NSM-Console Writeup in ISSA Journal

Russ McRee has written a nice piece about the HeX Live project and the included NSM-Console in his 'toolsmith' section of the ISSA Journal. This 3.5 page writeup has clearly captured our intent behind HeX and the NSM-Console created by Mathew Lee Hinman.

If you are not an ISSA subscriber, you can access the writeup at Russ McRee's column or here in the form of pdf.

I would like to thank the community for their continued support and feedback on this project.