From their website, "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis."
Ettercap is a very handy auditing tool when performing a pen-test for an organization. The best feature of Ettercap is its extensibility through the use of plug-ins. The most useful, and thus most used, plug-ins ship with Ettercap, my favourites being dns_spoof, arp_spoof, and gw_discover. I picked gw_discover because its usefulness applies directly to the University of Montana. The gw_discover plug-in finds alternative gateways in situations where users are meant to use a VPN, much like the University of Montana and its UMAPS WiFi. The U advertises UMAPS as an open wireless access point, but once connected, students need Cisco's VPN software package to get anywhere. Gw_discover could potentially find another gateway, allowing students to use the WiFi without authenticating. I don't know how bad it would be if students didn't authenticate before using the U's WiFi, but I do know it would be cool if it worked.
Links:
http://ettercap.sourceforge.net/
http://www.irongeek.com/i.php?page=videos/ettercap-plugins-find-ip-gw-discover-isolate
Getting OS Access Using an Unprivileged Oracle User
So, I've been on an Oracle stint lately. I have been looking into SQL injection, and Oracle seems like a very interesting implementation of the SQL language. Additionally, I hope my knowledge of Oracle applications will make me more useful in future jobs, as most large corporations use Oracle as their CMS of choice. In this post, I am going to write a little about gaining OS access using an unprivileged user in Oracle (just like my creative title!). I am relying heavily on white papers published by Digital Security and iDEFENSE.
The privilege escalation method depends heavily on the OS Oracle is running on, which restricts it to Windows Server: the attack relies on Windows' use of LM/NTLM hashes in user authentication. Using the Oracle Text account (or any Oracle account with the CONNECT and RESOURCE privileges), an attacker can read local and remote SMB shares, allowing NTLM hashes to be hijacked and used to gain higher access to the Oracle RDBMS.
Additionally, it was found that this method was nearly invisible to IDS.
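The post states the precondition for this technique: a database account holding CONNECT and RESOURCE, the Oracle Text account being the example given. The following audit queries are added here and are not from the post or the cited white papers. The first lists the user accounts meeting that precondition and flags which of them also hold CTXAPP, the Oracle Text application role; the second lists directory objects that PUBLIC has been granted access to, since those give every account a path to the file system. They assume a session with access to the standard DBA_* data dictionary views.

```sql
-- Added audit queries (not from the post). Run as a DBA or an account
-- with SELECT on the DBA_* views.

-- 1. User accounts holding both CONNECT and RESOURCE (the precondition the
--    post describes), with a flag for the Oracle Text application role.
SELECT r.grantee,
       u.account_status,
       MAX(CASE WHEN r.granted_role = 'CTXAPP' THEN 'YES' ELSE 'NO' END)
         AS has_ctxapp
FROM   dba_role_privs r
JOIN   dba_users u ON u.username = r.grantee     -- users only, not roles
WHERE  r.grantee IN (
         SELECT grantee
         FROM   dba_role_privs
         WHERE  granted_role IN ('CONNECT', 'RESOURCE')
         GROUP  BY grantee
         HAVING COUNT(DISTINCT granted_role) = 2)
GROUP  BY r.grantee, u.account_status
ORDER  BY has_ctxapp DESC, r.grantee;

-- 2. Directory objects exposed to every account via PUBLIC grants.
--    Any READ/WRITE here is reachable from the low-privilege accounts above.
SELECT p.table_name AS directory_name,
       d.directory_path,
       p.privilege
FROM   dba_tab_privs p
JOIN   dba_directories d ON d.directory_name = p.table_name
WHERE  p.grantee = 'PUBLIC'
ORDER  BY p.table_name, p.privilege;
```

Accounts you did not expect in the first result set, and any row at all in the second, are the ones to review. Because the technique works by making the database host authenticate to an SMB share, the host-side controls (blocking outbound SMB from the database server and requiring SMB signing) matter as much as the grants.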
Lateral SQL Injection
Lateral SQL injection is a sweet new attack vector against Oracle, first written up by David Litchfield in his paper released on 27 February 2008. In it he details how to perform SQL injection through unusual data types in the Oracle RDBMS. This attack vector is especially nifty when used against SQL statements that take no parameters and are therefore typically excluded from audits.
While the paper goes on to describe the technical nuances required to pull off a lateral SQL attack, it does not go in depth on the potential consequences. Lateral SQL injection affects every instance of Oracle, including its most recent release. Companies that fail to audit ALL of their SQL could potentially be vulnerable, which is a serious risk, especially considering the attack takes advantage of a core function of the Oracle RDBMS. While Oracle's past releases have had their own issues (for instance, http://tinyurl.com/cxfa3r), lateral SQL injection cannot be patched. It is up to Oracle to inform customers about the issue, and to work with them to update client SQL statements and validate ALL code to prevent this vulnerability.
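The mechanism Litchfield's paper describes is a DATE (or NUMBER) value concatenated into a dynamically built statement: the concatenation implicitly converts the value to text using the session's NLS settings, which the calling session can change with ALTER SESSION, so the caller controls statement text even though the procedure takes no string parameter. The PL/SQL below is a constructed example added here, not code from the post or the paper: a vulnerable procedure beside two hardened forms. The ORDERS table and the procedure names are hypothetical.

```sql
-- Constructed example (not from the post or Litchfield's paper).
-- Assumes a table ORDERS with a column CREATED of type DATE.

-- VULNERABLE: the DATE is concatenated into the statement text. The
-- concatenation performs an implicit TO_CHAR that honours the calling
-- session's NLS_DATE_FORMAT, a parameter any session may change with
-- ALTER SESSION. The caller therefore influences the text that reaches
-- EXECUTE IMMEDIATE even though no string parameter exists to audit.
CREATE OR REPLACE PROCEDURE count_orders_since_vuln (p_days IN NUMBER)
AS
  v_stmt VARCHAR2(4000);
  v_cnt  NUMBER;
BEGIN
  v_stmt := 'SELECT COUNT(*) FROM orders WHERE created > '''
            || (SYSDATE - p_days) || '''';
  EXECUTE IMMEDIATE v_stmt INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('orders: ' || v_cnt);
END;
/

-- FIXED (preferred): bind the DATE. No text conversion takes place, so
-- the session NLS settings never touch the statement.
CREATE OR REPLACE PROCEDURE count_orders_since_bind (p_days IN NUMBER)
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE created > :since'
    INTO v_cnt USING (SYSDATE - p_days);
  DBMS_OUTPUT.PUT_LINE('orders: ' || v_cnt);
END;
/

-- FIXED (when the value must become text): convert with an explicit
-- format mask. The result can then contain only digits, dashes, colons
-- and spaces, whatever NLS_DATE_FORMAT the caller has set.
CREATE OR REPLACE PROCEDURE count_orders_since_tochar (p_days IN NUMBER)
AS
  v_stmt VARCHAR2(4000);
  v_cnt  NUMBER;
BEGIN
  v_stmt := 'SELECT COUNT(*) FROM orders WHERE created > TO_DATE('''
            || TO_CHAR(SYSDATE - p_days, 'YYYY-MM-DD HH24:MI:SS')
            || ''', ''YYYY-MM-DD HH24:MI:SS'')';
  EXECUTE IMMEDIATE v_stmt INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('orders: ' || v_cnt);
END;
/
```

For the audit the post calls for, the pattern to search for is any EXECUTE IMMEDIATE or DBMS_SQL string assembled with || where one operand is a DATE or NUMBER rather than a string, particularly in definer's-rights packages owned by privileged schemas; the absence of a string parameter is what lets these slip past reviews that only look at user-supplied text.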
Backtrack 4
Recently I have been playing with BT4 on my Eee PC, and I have found it to be quite an improvement over my copy of BT3. Aside from the fact that BT4 doesn't recognize my track pad, it is clearly better than BT3. BT4 surpasses its predecessor in the tools available and in its ability to upgrade. Built on a newer Linux kernel, BT4 adds many hardware profiles to its compatibility list (track pad aside) and now supports my wireless card natively. This lets me use tools such as Aircrack-ng without having to run NDISwrapper or use an external wireless adapter. All in all, I find BT4 much more useful than BT3, and it is becoming an essential part of my toolkit.
Green Datacenters
Sustainability in the Age of Information
Eric Fulton
With the dawn of the information age has come the age of the datacenter. Hundreds of giant, temperature-controlled, power-hungry datacenters run 24 hours a day, 7 days a week, 365 days a year. Many were hurriedly built during the height of the dot-com boom with little thought to sustainability. The architects of today's datacenters, however, have an opportunity to save both money and the environment by using new methods and technologies. The presentation "Sustainability in the Age of Information" will highlight current non-sustainable practices within datacenters, current trends in building datacenters, and why building a sustainable datacenter is both economically and environmentally responsible.
Copper Mountain Band
I just wanted to post a quick shout out to the Copper Mountain Band, as they play some amazing music. They are located in Troy, MT, very near Libby (the town with the asbestos issues), and travel across Montana playing their country music. I would highly recommend their concerts to anyone looking for a good time or some good country music.