First Aid Kit for Sys Admins – Free eBook

“You’ve found a virus running on your server. You discover logon IDs on your network that you don’t recognize and you can’t delete them. The logs say someone accessed the payroll admin’s computer and copied the master earning report. A hacker emails you saying they have your credit card database. Any one of these is enough for you to hit the panic button and lose it – don’t.

These things happen, and when they do, just keep a cool head on your shoulders and follow the established procedure for dealing with issues. In our First Aid Kit for Sys Admins, we’re going to give you the steps you need to take to provide immediate aid to hacked systems, infected workstations, compromised services and other computer emergencies that will come up from time to time in any network.”

Network intrusions and cyber attacks are on the rise. Do you know the best techniques to defend your network, or what to do if the worst happens? Our friends at GFI have released a free eBook (PDF) with helpful tips for dealing with the myriad security issues we face.

The “First Aid Kit for SysAdmins”.

Check it out!


How to Spy on Another Person’s Browser: Man-in-the-Middle Attacks

I dusted off Ettercap the other day and started playing with it again. With Ettercap, you can very easily perform Man-in-the-Middle attacks using ARP poisoning. In layman’s terms, ARP poisoning places your machine between the target machine and the internet, so you can view all of the target’s traffic.

This is done by altering the ARP cache so that the target PC thinks you are the router, and the router thinks you are the target PC. Several programs offer ARP poisoning, but Ettercap also offers some interesting modules and filters that perform different functions.

Today, I want to look at the “Remote Browser Attack” feature of Ettercap. It lets you remotely spy on a target PC: a copy of each website they visit is displayed on your computer.

To do this attack, there are just a couple of settings to change in the Ettercap config file.

Ettercap Instructions in Backtrack 4:

Edit the “/etc/etter.conf” file.

Under the [privs] section, change:

EC_uid = 65534
EC_gid = 65534

to:

EC_uid = 0      #65534
EC_gid = 0      #65534

Then scroll down to the [Strings] section.

If the target is using Firefox, change:

remote_browser = "Mozilla -remote openurl(http://%host%url)"

to:

remote_browser = "firefox -remote openurl(http://%host%url)"

Now start up Ettercap-GTK.

When it starts up, pick “Sniff”, then “Unified Sniffing”, and then pick your network card.

Now, just select “Hosts” and scan the network for hosts. Next, click “Hosts” and “Host list”. A list of the available hosts’ IP addresses will appear.

Click on the target PC, then click on “Add to Target 1”, then click on the router, then click “Add to Target 2”.

Click on the “Plugins” menu and select “Manage the plugins”. Scroll down the list and double-click on “Remote_browser”. An asterisk will appear in front of it when it is selected. Next, click the “Mitm” menu tab and select “ARP Poisoning”.

Then just hit “Start” and “Start Sniffing”.

Finally, make sure you open the Firefox browser on your Backtrack attacker machine. The webpage for every website your target visits will show up in your Firefox browser.

That’s it. Just go to the target machine and surf the web; on the attacker machine, you can see that Ettercap is capturing the target’s surfing.

As the target surfs to different webpages, Firefox on the attacking machine also auto-updates with the page they are on.

Notice the tabs in Firefox on the attacking machine: they are a history of all the pages the target has visited since the attack began.

For targets, I used an updated version of Windows 7 and Windows XP SP3 in this test. Ettercap is an older program and has not been updated in a while. This attack used to work very well against older versions of Windows XP. On XP Service Pack 3, normal pages show up fine, but encrypted webpages would not show up on the attacker machine. So, for example, you could go to Gmail and log in on the target machine, but only the login page would show up in the attacker’s browser.

Also, many of Ettercap’s older password sniffing functions no longer work on updated machines and websites.

Windows 7 fared the best against the Ettercap attack. Using just the ARP poisoning attack, Windows 7 would not allow you to open SSL-encrypted sites at all. It sensed something was wrong and gave an error.

If you tried to continue, the web address turned red and a message came up saying that, due to security issues, the page would not be displayed.

Also, when trying to run the remote browser module attack against the Windows 7 machine, as soon as you tried to surf to any webpage, standard or encrypted, the internet connection would drop completely.

Okay, so how do you defend against these types of attacks? Man-in-the-Middle attacks of this kind are possible because of ARP poisoning; if your ARP cache could not be modified, the attack would not be possible. Unfortunately, it appears that making your ARP cache static is not feasible or practical on many networks.

Some internet security programs protect the ARP cache from being changed. Also, many IDS systems will detect when a program tries to change the ARP cache. If you are a network manager and are not familiar with these types of attacks, look into it to see what the best solution is for your system. For home users, a quick solution is to not share your wireless router with your neighbors: lock it down!
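As an added illustration of the IDS-style detection mentioned above (this is example code, not from the post or from Ettercap), the script below watches a stream of ARP replies for the two signs an ARP-poisoning MITM leaves: a known IP suddenly advertised by a different MAC, and one MAC answering for several IPs at once. All addresses in it are constructed.

```python
"""ARP-poisoning monitor over a stream of ARP replies (added example, not from the post).
Learns the first IP -> MAC binding seen, then alerts when a known IP is later
advertised by a different MAC and when one MAC answers for several IPs at once,
which is the shape an ARP-poisoning MITM leaves (router and target IPs both
resolve to the same third card). All addresses below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ArpReply = Tuple[str, str]   # (sender IP, sender MAC) taken from one ARP reply
Alert = Tuple[str, ...]      # ("mac_change", ip, old_mac, new_mac) or ("multi_ip", mac, ip, ...)

# Constructed sample stream: gateway and workstation answer normally, then a
# third station starts answering for both of their addresses.
SAMPLE_REPLIES: List[ArpReply] = [
    ("192.168.1.1",  "00:11:22:aa:bb:01"),   # gateway, legitimate
    ("192.168.1.20", "00:11:22:aa:bb:20"),   # workstation, legitimate
    ("192.168.1.30", "00:11:22:AA:BB:30"),   # third station, its own address
    ("192.168.1.1",  "00:11:22:aa:bb:30"),   # gateway IP now claimed by the third MAC
    ("192.168.1.20", "00:11:22:aa:bb:30"),   # workstation IP claimed by the same MAC
]


def detect_arp_poisoning(replies: Iterable[ArpReply]) -> List[Alert]:
    """Return alerts in the order the offending replies were seen."""
    learned: Dict[str, str] = {}                    # first MAC seen for each IP
    claims: Dict[str, Set[str]] = defaultdict(set)  # IPs each MAC has answered for
    alerts: List[Alert] = []
    for ip, mac in replies:
        mac = mac.lower()                           # normalise case before comparing
        claims[mac].add(ip)
        previous = learned.setdefault(ip, mac)
        if previous == mac:
            continue                                # consistent with the learned binding
        alerts.append(("mac_change", ip, previous, mac))
        if len(claims[mac]) > 1:                    # one card answering for several hosts
            alerts.append(("multi_ip", mac) + tuple(sorted(claims[mac])))
    return alerts


def suspect_macs(replies: Iterable[ArpReply]) -> Set[str]:
    """MACs implicated by any alert; a real monitor would pivot on these (switch port, DHCP lease)."""
    return {a[3] if a[0] == "mac_change" else a[1] for a in detect_arp_poisoning(replies)}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("ALERT", *alert)
```

On the sample stream the first three replies produce no alerts; the last two each raise a MAC-change alert and a multi-IP alert against the third station's card.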

Windows 7 with its more advanced security features held up better against these attacks than Windows XP SP3 did. It just may be time to consider upgrading from XP to Windows 7.

Cyber Defense: How to Protect Against Hackers – Recon Defense, Part One

As the old saying goes, “One man’s junk is another man’s treasure”. One favorite technique of hackers is to “Dumpster Dive”. Yes, this literally means to dig through your trash.

You would not believe what has been recovered from dumpsters by professional security teams who, while testing a company’s security, dug through the trash.

Trash from banks and health care facilities in particular provides a plethora of the sensitive information hackers look for. Names, addresses, phone numbers, social security numbers, and financial information are the most obvious targets, but what are some of the less obvious ones? Old software disks from system updates tell the hacker what software you are using. A bill from your utilities or even your computer support company can give away vital information to a hacker who is willing to disguise himself to gain physical access to your building. Though most hackers will not want to risk physical entry to your system, trash recovered during security tests has provided everything from administrator-level passwords to layouts of internal networks.

Discarded physical machines also often offer a wealth of information. The most obvious source is hard drives left intact inside the machines, but the outside of the system can provide information too. Corporate asset tags tell exactly which company owned the machine. Corporate network ID tags sometimes list the network name and internal IP address; this information could also be used. Some people even tape passwords to machines and monitors.

Just a side note: many large companies use network ID tags. Great idea, but could you make them smaller, or place them on the back or bottom of the machines? Or just limit the information on them. They stick out like a sore thumb to any visitor walking through the building.


Offensive Cyber Weapon – Cynialating Hackers

The FOSE conference yesterday was pretty good. It used a virtual atmosphere that was interesting. I have seen it only once before, and that was an online HP employment fair. The majority of the buzz I saw there was for the CISSP Exam Prep Clinic. I must admit I have not seen anything like it since Microsoft created the MCSE exam. Also, the keynote speech by craigslist creator Craig Newmark was very well received. What was great, too, was that some people there knew of the Cyber Arms blog! It was great meeting you!

I must admit though, with all the excitement over the presentations, I was smitten by the very first vendor booth that I visited – Rsignia. This company makes intrusion detection systems on steroids. I was very impressed with their products… then I saw Cyberscope.

Cyberscope is a rackable hardware solution that not only detects and identifies intrusion attempts but also attacks. Yes, this is a true-to-life offensive weapon. From the above video, here are some of the facts.

Cyberscope Capabilities Include the Ability to:

  • Flow Jam: locate and then jam incoming signals.
  • Botnet Capture: inject software onto botnet zombie PCs and turn them against each other.
  • Misinformation: intercept data, change it, and send it back to the hackers.

According to the video, Cyberscope can identify the target using several sources, including public domain signatures and law enforcement agencies. The units are stackable and rackable and run at full line speed. Check out the video; I like the presenter, he is like a cool version of a mad scientist. Well, you’ll see. 🙂

Check out Cyberscope, cynialating hackers near you!