by Javantea aka. Joel R. Voss
Analysis: Sept-Oct 2006
Write-up: Nov 9, 2006
LSASS Vulnerability Analysis
Botnets
In my previous essay on botnets, I referenced my work in May 2004 analyzing the threat posed by the LSASS vulnerability and worm. I also wrote that LSASS continues to suffer from vulnerabilities, the latest being Aug 10, 2006. I ran a honeypot quite similar to the one I ran in 2004 (updated to capture traffic) and produced the results found in the data section. As we can plainly see, worms are still exploiting these vulnerabilities.
A simple analysis of traffic captured by a honeypot on TCP ports 135, 139, and 445. These are ports normally open on Windows computers.
Webcam Algorithm Input Method 5
jvoss@altsci.com
jvoss@myuw.net
Sept 16, 2006 - Oct 26, 2006
Webcam Algorithm Input Method 5 0.1 Source
[sig]
Webcam Algorithm Input Method 5 Beta Source
[sig]
Webcam Algorithm Input 1 0.1 Source
[sig]
For many projects, a webcam hooked up to a Linux-based PC is an excellent input method. Since many laptops also have serial and parallel ports, a program can be written that uses a USB webcam and a serial port for input and the serial and parallel ports for output.
The simplest way to get webcam input is from a program that is already good at getting this input. For the first alpha versions of webc5, I used Transcode, but others are available. With Transcode, I was able to get input properly. However, the latency between Transcode and my program was enough to require a rewrite. Luckily, Transcode is open source, so I was able to copy the source, modify it, and re-release it under the GPL. It turns out that the v4l interface is actually pretty straightforward. Using this method, I can import frames and apply mathematical functions to them at 20 fps average on a fast computer with a fast camera (a lesser camera gets 8 fps average). Version 0.1 is a simple motion tracker: it demonstrates a double-buffer system and displays the output of the function td(p) = threshold(diff(p[n], p[n-1])).
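The frame-differencing step above, as an added example that is not webc5's or Transcode's code: two buffer slots alternate between p[n] and p[n-1], td() is the threshold of the absolute per-pixel difference, and the threshold value, the constructed grayscale frames and the deterministic "sensor noise" are assumptions for the demonstration.

```python
# Added example (not webc5/Transcode code): td(p) = threshold(diff(p[n], p[n-1])) over a
# two-slot double buffer of constructed 8-bit grayscale frames (row-major lists, width*height).

THRESHOLD = 40  # assumed: per-pixel absolute difference that counts as motion

def diff(cur, prev):
    """Absolute per-pixel difference between p[n] and p[n-1]."""
    return [abs(a - b) for a, b in zip(cur, prev)]

def threshold(d, t=THRESHOLD):
    return [1 if v > t else 0 for v in d]  # binary mask; small sensor noise drops out

def td(cur, prev, t=THRESHOLD):
    return threshold(diff(cur, prev), t)

class MotionTracker:
    def __init__(self, width, height, t=THRESHOLD):
        self.w, self.h, self.t = width, height, t
        self.bufs = [None, None]  # double buffer: slots alternate between p[n] and p[n-1]
        self.n = 0
    def push(self, frame):  # store frame n; return td against frame n-1 (None for first frame)
        if len(frame) != self.w * self.h:
            raise ValueError("frame size mismatch")
        cur = self.n & 1
        self.bufs[cur] = frame
        prev = self.bufs[cur ^ 1]
        self.n += 1
        return None if prev is None else td(frame, prev, self.t)
    def bounding_box(self, mask):  # smallest (x0, y0, x1, y1) around moving pixels, or None
        pts = [(i % self.w, i // self.w) for i, v in enumerate(mask) if v]
        if not pts:
            return None
        return (min(p[0] for p in pts), min(p[1] for p in pts), max(p[0] for p in pts), max(p[1] for p in pts))

def make_frame(width, height, bg, rect=None, fg=200, noise=0):
    # constructed frame: flat background plus deterministic noise in [0, noise], optional bright rect
    frame = [bg + (x * 7 + y * 3) % (noise + 1) for y in range(height) for x in range(width)]
    if rect:
        x0, y0, w, h = rect
        for y in range(y0, y0 + h):
            for x in range(x0, x0 + w):
                frame[y * width + x] = fg
    return frame

def demo():
    # a 3x2 bright block moves 2 px right between two noisy frames: returns (moving pixels, bbox)
    w, h = 16, 8
    tr = MotionTracker(w, h)
    tr.push(make_frame(w, h, 30, (2, 3, 3, 2), noise=5))
    mask = tr.push(make_frame(w, h, 30, (4, 3, 3, 2), noise=9))
    return sum(mask), tr.bounding_box(mask)
```

The overlapping column of the block (x = 4) produces no difference, so only the eight pixels the block left and entered are marked, while the frame-to-frame noise stays below the threshold.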
Good Bad Attitude
jvoss@altsci.com
jvoss@myuw.net
May 26 - June 2, 2006
This program grabs a list of good processes from /proc, then monitors /proc and kills any new process. It is meant to be used in extremely hostile environments. It is a general-use tool, but it can and should be modified as necessary. Obviously it should be modified to allow the user to log in again in case s/he loses the shell.
Its original use was for Defcon 14 ACTF. If a vulnerable server gives non-root access (quite likely), attackers that re-attack the server will be able to kill the original attacker. This means that the original attacker should put up defenses quickly to ensure that later attackers are ejected. One way is to fix the vulnerability in the server. If this is not possible, this script is a simple solution.
OpenSSL Blowfish Bruteforce Attack
jvoss@altsci.com
jvoss@myuw.net
Jan 20, 2006
OpenSSL Blowfish Bruteforce Attack 0.2 Source
[sig]
OpenSSL Blowfish Bruteforce Attack 0.1 Source
[sig]
OpenSSL is a useful tool with many uses. The openssl command is not used much by normal users, but for hackers it is essential for encryption, generation of keys, encryption attacks, and so forth. A specific subcommand, enc, has been used by hackers for encrypting data with various ciphers. An especially useful cipher is Blowfish:
openssl enc -bf-cbc
is the command used. A simple bruteforce attack can be successful on bad passwords and good passwords. Since Blowfish takes a long time to generate keys, the attack is slow, but it works. My code uses any known parts of the password to make the search faster. The attack requires a known regularity in the file (a known plaintext) to test each candidate. In this case we use the tar archive filename plus the nulls that follow it at the start of the tar archive. A similar known plaintext can be used on a large variety of file types (avi, zip, jpeg, png, etc.).