Tuesday, September 2, 2008

Using wget over proxy in Linux

You just need to export the environment variable "http_proxy":

export http_proxy="http://proxy.example.com:8080"

Simple and easy. If you need the system to remember this, add the line to /etc/profile for all users, or to ~/.bash_profile for selected individuals.
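The same setup as a small shell helper, added here as an example and not part of the original post. It exports the proxy variables that wget (and most other command-line tools) honour, validates the host and port first, and keeps local addresses out of the proxy via no_proxy. The proxy host, port and no_proxy list are assumed values; the helper deliberately refuses a host that carries user:password, because anything in http_proxy is readable by every user when it lives in /etc/profile and by anyone who can read /proc/<pid>/environ. Proxy credentials belong in ~/.wgetrc with mode 600 instead.

```shell
#!/bin/sh
# Added example (not from the original post): set the proxy variables that
# wget and most other command-line tools honour, after checking the input.
# The proxy host, port and no_proxy list used below are assumed values.

# set_proxy HOST PORT [NO_PROXY_LIST]
# Exports http_proxy, https_proxy, ftp_proxy and no_proxy; returns 1 on bad input.
set_proxy() {
    host=$1
    port=$2
    local_list=${3:-localhost,127.0.0.1}

    # The port must be purely numeric and inside the TCP range.
    case $port in
        ''|*[!0-9]*) echo "set_proxy: port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "set_proxy: port out of range" >&2; return 1;
    }

    # Reject a host that carries a scheme or credentials: user:pass@host would
    # expose the proxy password to every user via /etc/profile and to anyone
    # who can read /proc/<pid>/environ. Put credentials in ~/.wgetrc (mode 600).
    case $host in
        ''|*@*|*://*|*[!A-Za-z0-9.-]*)
            echo "set_proxy: host must be a bare hostname or IP address" >&2; return 1 ;;
    esac

    http_proxy="http://$host:$port"
    https_proxy="http://$host:$port"
    ftp_proxy="http://$host:$port"
    no_proxy="$local_list"
    export http_proxy https_proxy ftp_proxy no_proxy
    return 0
}

# unset_proxy: remove the variables again for the current shell.
unset_proxy() {
    unset http_proxy https_proxy ftp_proxy no_proxy
}

# Usage with an assumed proxy; source this file, then run:
#   set_proxy proxy.example.com 8080 "localhost,127.0.0.1,.example.com"
```

Source the file rather than executing it, otherwise the variables are set only in a child shell and wget never sees them.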

Friday, July 25, 2008

Gain Access to Any Windows Computer

Sounds great, right?

The concept is simple: reset the local admin account. Resetting the admin account password is not that difficult. Starting the computer from a bootable Linux CD and overwriting the password file will do the job. However, this leaves a discovery problem, as the real administrator will notice it when they do actual maintenance.

A more clever way is to copy the password file in advance, reset the password to gain access, and then copy the backed-up password file back. This does the trick and is less likely to be discovered.

A more advanced level is to get the password itself, instead of copying the password file.

There are two interesting files in any Windows system:
  1. WINDOWS\system32\config\system
  2. WINDOWS\system32\config\sam
Once you have these two files, by whatever means, you effectively have all local passwords. You can extract the syskey and dump all the password hashes. Once you have obtained the hashes, you can use some rainbow tables online to "check" what the password is.

In most cases, the local admin password of all workstations is the same, because disk cloning is used for fast deployment in a corporate environment. This means that once you distribute a notebook to a user, the user has the local admin password for every workstation in the environment. If your administrator is so careless as to use the same password for the domain admin and the local admin, you are now controlling the whole network of Windows computers.


Recently, I implemented a change to my home networking infrastructure. Originally, I had port forwards for RDP and SSH open to the whole Internet. This was not good, as anyone on the Internet could run brute-force attacks against these services.

Now I have implemented an SSL VPN service on my home network to act as the first authentication gate. The product I am using is SSL-Explorer from 3SP (http://www.3sp.com/). It gives me a first-tier defence by authenticating over a browser. I added two-factor authentication by SMS; the product natively supports the SMS gateway from Clickatell (http://www.clickatel.com/). The implementation experience was great, as the whole installation and profile provisioning, with AD integration, cost me less than 3 hours.

To avoid an untrusted-certificate warning every time I connect via the SSL VPN, I bought an SSL certificate from GoDaddy (http://www.godaddy.com/).

After all this implementation, I disabled all direct port forwarding except TCP 443 to the SSL VPN service.
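A way to check that the final state really is "nothing but TCP 443", added here as an example and not part of the original post or of the SSL-Explorer product: a small shell audit that reads a list of port forwards and reports every rule whose external port is not on an allow-list. The rule-file format and the two sample files (one for the original RDP/SSH setup, one for the SSL VPN-only setup) are constructed for this example; a real router or firewall export will look different and needs its own parser.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a list of port forwards
# against an allow-list so that only the SSL VPN listener (TCP 443) stays
# reachable from the Internet. The rule-file format and both sample files are
# constructed for this example; a real router or firewall export will differ.

# check_forwards RULES_FILE ALLOWED
#   RULES_FILE lines: <proto> <external_port> <internal_host> <internal_port> [note]
#   ALLOWED: space-separated "proto/port" entries that may remain exposed.
# Prints every rule that is not allowed and returns 1 if any was found.
check_forwards() {
    rules=$1
    allowed=$2
    bad=0
    while read -r proto ext_port int_host int_port note; do
        # skip blank lines and comment lines
        case $proto in ''|\#*) continue ;; esac
        ok=0
        for entry in $allowed; do
            [ "$entry" = "$proto/$ext_port" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "EXPOSED: $proto/$ext_port -> $int_host:$int_port ${note:+($note)}"
            bad=$((bad + 1))
        fi
    done < "$rules"
    [ "$bad" -eq 0 ]
}

# Constructed sample: the original setup, with RDP and SSH forwarded directly.
write_before() {
    cat > "$1" <<'EOF'
# proto ext_port internal_host internal_port note
tcp 3389 192.0.2.10 3389 rdp-to-workstation
tcp 22   192.0.2.20 22   ssh-to-server
tcp 443  192.0.2.30 443  sslvpn
EOF
}

# Constructed sample: after the change, only the SSL VPN listener remains.
write_after() {
    cat > "$1" <<'EOF'
# proto ext_port internal_host internal_port note
tcp 443  192.0.2.30 443  sslvpn
EOF
}

# Usage: `sh forwards-audit.sh demo` runs the audit over both sample files.
if [ "${1:-}" = "demo" ]; then
    tmp=${TMPDIR:-/tmp}
    write_before "$tmp/forwards-before.txt"
    write_after  "$tmp/forwards-after.txt"
    echo "--- before ---"
    check_forwards "$tmp/forwards-before.txt" "tcp/443" || echo "audit FAILED"
    echo "--- after ----"
    check_forwards "$tmp/forwards-after.txt"  "tcp/443" && echo "audit passed"
fi
```

The "before" file fails with two EXPOSED lines (3389 and 22); the "after" file passes. Re-running the audit after every router change is the cheap way to notice a forward that quietly came back.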

The total investment for this project:
  • AD - already have, nothing added, $0
  • 3SP SSLVPN license - using the free 2-concurrent-user license, $0
  • PC based server - using a virtual machine with CentOS, $0
  • SMS Gateway - Clickatell, HK$100 for about 220 SMS send out credits (about HK$0.45 per authentication)
  • SSL Certificate - GoDaddy, US$14.95 for 1 year
  • My time - 3 hours of design and implementation

In short, for home use, it does not cost a lot if you do not need SMS OTP. Other methods of two-factor authentication can also be used, like digital signatures, OTP tokens, etc. However, I think SMS is the most accessible way for me.

Sunday, June 15, 2008

Two Reports on Information Security

2008 Data Breach Investigations Report - Verizon Business

2007 Global Security Survey - Deloitte

RDP Encryption - MITM Vulnerability

I was doing a regular vulnerability scan and found "Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability" on one of my home servers.

The finding is repeatable, and it has been proven to be a real problem.

Massimiliano Montoro has written a detailed paper on this; it can be found at http://www.oxid.it/downloads/rdp-gbu.pdf

I will try to do an exercise soon to test it using Cain & Abel.


Do you know what Blackjacking is? Playing Blackjack? Nope.

It is a new term referring to "BlackBerry Hijacking". Cool... it refers to hacking and hijacking handheld devices. Yes, enterprises tend to gain more mobility by using these tiny devices for mobile communications. However, the security of these new technologies is often overlooked.

Have you evaluated the risks associated with these wireless technologies together with handheld devices (not limited to BlackBerry, but also other handhelds like the iPhone, cell phones, PDAs, etc.)? It is an interesting topic for research.

Welcome to White Hat - Information Security Blog

Wow... welcome to my infosec blog.

I hope this becomes a platform for people around the world to share information security related issues.

Write, write and write... I believe writing makes knowledge shareable.