Comment Re:Credibility anyone? (Score 1) 92
+1. I've been through this exact same thing with Paypal.
Submission + - Openwall Linux 3.0: no SUIDs, anti log spoofing (openwall.com) 2
solardiz writes: Openwall GNU/*/Linux (or Owl for short) version 3.0 is out, marking 10 years of the project. Owl is a small security-enhanced Linux distro for servers, appliances, and virtual appliances. Two curious properties of Owl 3.0: no SUID programs in default install (yet the system is usable, including password changing) and logging of who sends messages to syslog (thus, a user can't have a log message appear to come, say, from the kernel or sshd). No other distro has these. Other highlights of Owl 3.0: single live+install+source CD, i686 or x86_64, integrated OpenVZ (host and/or guest), "make iso" & "make vztemplate" in included build environment, ext4 by default, xz in tar/rpm/less, "anti-Debian" key blacklisting in OpenSSH. A full install is under 400 MB, and it can rebuild itself from source.
Comment Re:A new domain specific language is born (Score 2, Informative) 125
NSE isn't actually domain specific, it's the tried, tested, and fast Lua (with extensions to make it fit with the Nmap scanner). You get the speed of Nmap to find hosts/ports plus the NSE scripts backing it up to do deeper probes.
Wireshark, Snort, Nmap, and plenty of other tools use Lua for scripting, so it's a valuable language to learn. I recommend it!
Submission + - Nmap Developers release a picture of the Web (nmap.org)
iago-vL writes: The Nmap Project recently posted an awesome visualization of the top million site icons (favicons) on the Web, sized by relative popularity of sites. Once again proving that they're the kings of scanning, this project used the Nmap Scripting Engine, which is capable of performing discovery, vulnerability detection, and anything else you can imagine with lightning speed. We saw last month how an Nmap developer downloaded 170 million Facebook names, and this month it's a million favicons. I wonder what they're going to do next?
Comment Cross breeding... (Score 4, Interesting) 435
I'm sure it doesn't help that the plants that are resistant to roundup will cross-pollinate with the weeds that are supposed to be killed with roundup, thereby making everything resistant. I remember people saying a long time ago that this would happen, and here we are!
Comment Re:Multi-page article (Score 5, Informative) 55
Haha, I hadn't even thought of that!
I originally wrote it as a single page, but 60 images + that much text was too much, so I broke it into 4 pages. For what it's worth, I don't have any ads or anything so it's not like I'm profiting from it.
Submission + - Taking apart the Energizer Trojan (skullsecurity.org)
iago-vL writes: Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — "liuhong" — in the source! From infecting a test machine to debugging and disassembling the Trojan to writing the actual probe, this tutorial is a great introduction to malware analysis!
Comment Re:Detect it with Nmap (Score 2, Informative) 260
Yeah, the simple xor 'encryption' is pretty oldschool. I can't believe I didn't notice that right away myself. I didn't see it till I started looking at the send/recv functions.
As to the CLSID, good thought, but no -- the CLSID isn't a real CLSID, it's just a way of identifying its own commands. Basically, it's a list of if(!strcmpi(command, "clsid1")) { do_this() } elseif(!strcmpi(command, "clsid2")) { do_that() } etc.
It only has those 9 or so CLSID's included, and if it isn't on the list the command is simply discarded.
And for what it's worth, the initial "'\x00\x00\x00" that you're seeing is a length (0x27 = the length of the CLSID = ').
Comment Detect it with Nmap (Score 3, Informative) 260
I spent the morning reverse engineering the Trojan and wrote an Nmap script to detect if a remote system is infected. Hope it helps out: http://www.skullsecurity.org/blog/?p=563.
Ron
Submission + - NetBIOS Design Allows Traffic Redirection (skullsecurity.org) 1
iago-vL writes: Security researchers at SkullSecurity released research demonstrating how the NetBIOS protocol allows trivial hijacking due to its design; they have demonstrated this attack in a tool called 'nbpoison' (in the package 'nbtool'). If a DNS lookup fails on Windows, the operating system will broadcast a NetBIOS lookup request that anybody can respond to. One vector of attack is against business workstations on an untrusted network, like a hotel; all DNS requests for internal resources can be redirected (Exchange, proxy, WPAD, etc). Other attack vectors are discussed here. Although similar attacks exist against DHCP, ARP, and many other LAN-based protocols, and we all know that untrusted systems on a LAN means game over, NetBIOS poisoning is much quieter and less likely to break other things.
Comment Re:Bloat. (Score 5, Informative) 73
As the original poster, and the author of a dozen or more Nmap scripts, I agree 100%. If you look at the tool itself, you'll see that everything is fairly separate and independent, even if they share a common codebase -- between the scripting and the "bonus" tools, the core is still fairly tight.
My comment at the end about the bloat + Emacs was intended 100% as humour, not actual commentary. I'm hoping nobody took it as a legitimate stab at Nmap, because it wasn't.
Submission + - Nmap 5.00 Released! (nmap.org)
iago-vL writes: "The long-awaited Nmap Security Scanner version 5.00 was just released (download)! This marks the most important release since 1997, and is a huge step in Nmap's evolution from a simple port scanner to an all-around security and networking tool suite. Significant performance improvements were made, and dozens of scripts were added. For example, Nmap can now log into Windows and perform local checks (PDF), including Conficker detection. New tools included in 5.00 are Ncat, a modern reimplementation of Netcat (with IPv6, SSL, NAT traversal, port redirection, and more!), and Ndiff, for quickly comparing scan results. Other tools are in the works for future releases, but we're still waiting for them to add email and ftp clients so we can finally get off Emacs!"
Submission + - Using Conficker's tricks to root out infections (seclists.org)
iago-vL writes: "The folks at Nmap have done it again: despite having their domain blacklisted by Conficker, they released Nmap 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer to peer network! By sending encrypted messages to a suspect host, Conficker.C and higher will reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last trick that Slashdot reported. More info from the author can be found here, and you can download Nmap here (or, if you're a Conficker refugee, try this link instead)."
Comment Re:So... (Score 2, Informative) 288
That's correct. I added a 'safe' parameter last night, since the Connficker check is safe, and have been advocating its use in all my posts (you'll see "script-args=safe=1" in everything). Watch out for that.
And for what it's worth, even if 'safe' is missing, it's only going to crash stuff that isn't patched for MS08-067.
Comment Re:So... (Score 0, Troll) 288
Glad to hear it! When I wrote the ms08-067 script, I was surprised to see it posted around the Internet -- I wrote it as a demo of what Nmap can do, not as a production-grade scanner, and I guess it ended up being more useful than the other scripts that I've put *far* more work into
