Web/Tech

August 19, 2008

Linux Darknet Fun

Here in the CodeCave I run a large Dark Net and report my findings to my Twitter followers. If you are not familiar with darknettin', this is the practice of having servers out on the internet as bait to allow hackers to hack them. Folks do this for many different reasons, but my reason is to learn the latest and greatest methods in use on the net today to break into networks.

Many times these servers are just trashed out. Hackers try to destroy them if they are discovered. I had a major exploit found in my Firefox add-in FlashGot. A hacker got in and trashed my system and then changed the password of the root account. Now this is a big deal since I need to log on to that server to gather the data to learn from this attack. Now what? I remembered a little physical access trick I learned a few years back at a SCO users group conference (back when SCO was cool) from a guru. It works like this:
- Boot the system and go to the GRUB screen. I moved the arrow key so I did not go into normal boot mode.
- Select the version and hit the "E" key to edit the entry
- Arrow key to the line that begins with "kernel" and hit the "E" key
- At the GRUB edit line, simply append the number 1 to the kernel load string, so it looks like this:
grub edit>/vmlinuz-2.5.9-22.DRnetsmp ro root=LABEL=/ rhgb quiet 1
- Now hit ENTER and then "B" and the system will boot up into single user mode
- Newcastle time!!! A simple:
sh-2.51# passwd
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
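A defender's check for the trick above, as an added example that is not part of the original post: it parses a constructed legacy GRUB grub.conf (placeholder kernel names and a placeholder MD5 hash, not values from this page) and reports whether the menu editor and any single-user entry are open to whoever is at the console.

```python
"""Audit a legacy GRUB (0.9x) grub.conf for the console trick in the post
above: without a global password, anyone at the console can press 'e' and
append '1' to the kernel line. Added example, not code from the original
page; the configs below are constructed and the kernel name is a placeholder."""
import re

DIRECTIVE = re.compile(r"(\w+)(?:\s*=\s*|\s+|$)(.*)")

# Constructed: typical distro default, no password, rescue entry unlocked.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
hiddenmenu
title Example Linux (placeholder kernel)
        root (hd0,0)
        kernel /vmlinuz-PLACEHOLDER ro root=LABEL=/ rhgb quiet
        initrd /initrd-PLACEHOLDER.img
title Example Linux rescue
        root (hd0,0)
        kernel /vmlinuz-PLACEHOLDER ro root=LABEL=/ single
"""

# Constructed: the same menu with an MD5 password (placeholder hash) and 'lock'.
HARDENED_GRUB_CONF = SAMPLE_GRUB_CONF.replace(
    "hiddenmenu\n", "hiddenmenu\npassword --md5 $1$PLACEHOLDER$notarealhash\n"
).replace("title Example Linux rescue\n", "title Example Linux rescue\n        lock\n")


def parse_grub_conf(text: str):
    """Split grub.conf into global directives and per-'title' stanzas."""
    global_directives, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = DIRECTIVE.match(line).groups()
        value = value.strip()
        if key == "title":
            current = {"title": value, "lock": False, "kernel_args": []}
            entries.append(current)
        elif current is None:
            global_directives[key] = value
        elif key == "lock":
            current["lock"] = True
        elif key == "kernel":
            current["kernel_args"] = value.split()[1:]  # drop the image path
    return global_directives, entries


SINGLE_USER_ARGS = {"1", "s", "S", "single", "emergency"}


def audit_grub(text: str) -> dict:
    """Report what a console user can do without knowing any credential."""
    global_directives, entries = parse_grub_conf(text)
    password = global_directives.get("password")
    findings = []
    if password is None:
        findings.append("no global 'password': the menu editor is open, so any "
                        "kernel line can be changed to boot single user")
    elif not password.startswith("--md5"):
        findings.append("global password is cleartext; use 'password --md5 <hash>'")
    for entry in entries:
        args = entry["kernel_args"]
        if (any(a in SINGLE_USER_ARGS or a.startswith("init=") for a in args)
                and not entry["lock"]):
            findings.append(f"entry '{entry['title']}' boots straight to single "
                            "user / custom init and is not protected by 'lock'")
    return {"password_set": password is not None,
            "entries": len(entries), "findings": findings}


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_GRUB_CONF), ("hardened", HARDENED_GRUB_CONF)):
        report = audit_grub(conf)
        print(f"{name}: {len(report['findings'])} finding(s)")
        for finding in report["findings"]:
            print("  -", finding)
```

A GRUB password only raises the bar for the menu editor; someone with physical access can still boot other media, so the real control is physical access to the box.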

I got in, grabbed the data and released the forensics to the open source community. It is like I heard the Olympics theme music playing in the background....

Jimmy Ray

August 05, 2008

U3 USB hackin 2 Go!

I am always looking at new methods for hackin' stuff around the CodeCave. I just got done tunin' up my U3 USB key and I thought, hey, I should blog about the power of the U3.


USB hacking is certainly not new; we have been building Linux shells on USB keys for years. The U3 USB drive from SanDisk really changed our methods of launching hacks.

What makes the U3 cool is the little "Launch Pad" utility that comes preinstalled. A normal USB flash drive only has one drive letter, but a U3 smart drive has two drives. One is the normal storage drive and the other is an emulated CD drive. It is this two-drive behavior that allows a hacker to turn a simple USB drive into an Auto-Run powerhouse!!


But how, right? The first thing we need to do is replace the launch pad with a tool…a little more suitable... I love the tool USB Switchblade. Switchblade is a cool tool that allows me to use a few different methods of tool set install. I shifted to the GonZor method that allows me to grab LSA hashes, passwords, IP addresses, etc., silently. Use a dirty hack machine (not a production one) to customize your U3.


Here is how you install it:

1. Download -=GonZor=- Payload V2.0

2. Download Universal Customizer

3. Unzip the Universal Customizer to C:\Universal_Customizer

4. Unzip the GonZor Payload V2.0 to C:\Payload

5. Copy the file U3CUSTOM.ISO from C:\Payload to C:\Universal_Customizer\BIN. This will overwrite the older file

6. Run C:\Universal_Customizer\Universal_Customizer.exe and plug in the U3

- Enter your Paypal info and..oh …wait..wrong blog…I mean, Select Accept and click Next.

- Close all U3 apps and any apps that access the U3 drive and click Next.


- Set a password for the backup zip file (Empty passwords are not cool, but you can use the password RobbBoydRulez...if you want...)


- No turning back now...Click Next and it will start backing up data. Wait for the Universal Customizer to modify your CD partition and replace your files to the flash drive.


- Now your U3 has just crossed over to the Dark Side. Unplug your U3 and plug it back in (Windows…)

7. Copy C:\Payload\SBConfig.exe to the flash drive

8. Run SBConfig.exe from flash drive

- Select the check boxes of the Payload options you would like to use. You have many powerful options:

  • Dump System Info
  • Dump Network Services
  • Dump Port Scan
  • Dump Product Keys
  • Dump SAM (Via PWDump or FGDump)
  • Dump Wifi Hex
  • Dump Network Passwords
  • Dump Cache
  • Dump Messenger Passwords
  • Dump Firefox Passwords
  • Dump IE Passwords
  • Dump Mail Passwords
  • Dump LSA secrets
  • Dump Updates-List
  • Dump URL History
  • Dump External IP (to the log file)
  • Install HakSaw
  • Install VNC

- Click the "Update Config" button. A friendly confirmation box will let you know the deed is done. You can turn the payload on and off with the "Turn PL On"/"Turn PL Off" button. Same goes for the U3 Launch Pad as well.

9. Now you are ready. Just plug it in and it will run and steal auto-magically!

Very dangerous in the wrong hands. The U3 is a little more costly than other USB drives (almost double the price). USB drives that support this hack are labeled as U3 and come from SanDisk and Memorex. Yet another solid reason to use a client protector like CSA to protect your systems, with the USB protection enabled. When I tested the U3 with CSA USB protection enabled, CSA defeated and reported this attack 10 out of 10 times.

Happy Hackin!


Jimmy Ray

July 21, 2008

H4X0r story from the field...

I was at a customer site the other day conducting some forensics analysis for an upcoming ASA show. This customer was not happy about the SQL injection attacks some of his users were getting. He conducted training with his staff and end users, yet still, folks came back with bots, keyloggers, etc... Looking at what was going on, it appeared to be a classic drive-by download attack and not a SQL injection.

A drive-by works kinda like this: a hacker attacks a web server with a baked-in SQL injection to act as a man in the middle between the user-facing web application and the SQL database that supports it. Now a SQL injection can really do a lot of different things to get that database to present and do stuff it was not supposed to do. However, in this case, it was a classic ASPROX. It would transparently redirect the user to a hacker mirror that would launch a dark JavaScript to do a footprinting of the client machine.

After the hacker site determined the type and patch level of the OS, the hacker site just launched a simple iFrame redirect to send the user to the server hosting the vulnerability exploiter for that OS. This is a simple yet excellent method of indirectly attacking a client without any input on their behalf. In the end, we found that many of the exploited users would go to an online gaming site at lunchtime and play poker. Their machines would be patched up on Patch Tuesday, be OK for a bit, then all of a sudden these clients would bring back all kinds of nastyware to the LAN.

ASA was good at stopping this data from being delivered back to the Sith Lair of Hackerdom, but in the end we needed two things. First, understand the terms: clients were not being hit by SQL injection, they were indirectly attacked, and many hours of troubleshooting were lost due to terminology. And finally, my old steady as the Mediterranean, CSA, was immediately put to use on all clients. Now when we educated the end users, they understood what to look for. This customer really worked hard to solve this issue, but was not making any headway. Network security a lot of times is not like the movie Rudy. Heart does not matter as much as having a hacker mind.

Jimmy Ray

July 16, 2008

Keystroke Loggin' made easy

I have been messin' round with keystroke loggers for quite some time now. Brute forcing and luck-of-the-draw password guessing takes a long time to do. Sure, rainbow tables speed up the process, but I still need the username and/or PIN. That is where keystroke loggers come in handy. I have tried many types of software loggers, but until I wrote one that runs in high RAM, I was never happy with the detectability and accuracy.

I have also used the Snoop Stick to monitor my kids' usage and it works OK. The problem with that product is it does not scale that well and it wraps itself so tight around the TCP/IP stack that any problems with a patch, update or just plain ole removal results in having to reformat the machine.

Now I am left with hardware keyloggers. Most of those are PS/2 connectors, so I have to use an adapter that makes it stick out like a turd in a punchbowl. (ah...college...) Anyway, I ordered a hardware logger from KeyGhost and I must admit, I am super impressed. First off, the KeyGhost logger uses a USB connector like 98% of the keyboards out there today. It also works on both my mega awesome Mac and my average Windows-based PCs. Set up is like most other hardware loggers; just plug it inline. But that is really the only similarity.

Three things that make the KeyGhost logger far superior to any other product I have tested:

- Timestamping. Hardware loggers stand alone and can record thousands to millions of keystrokes. Knowing how fresh the data is, is super important to avoid detection and provide useful analysis.

- No software required/readability. This product requires no software. To view the captured strokes, plug the logger into your analysis system and open up WordPad. I called out WordPad on Windows because that seems to work the best. Type in the password and the menu opens up. Hit "1" and there you go. The keystrokes are formatted nicely and make sense. Plus, the timestamping really comes into play here. The keystrokes are not jumbled together in a massive pile requiring hours of analysis to find something useful.

- Detectability. The KeyGhost logger looks like it should be there! It is designed to look like an EMC balun. I installed this on a machine at a security training and not a single person noticed it at all. Even though I had a sign on the machine that stated: Keystroke logger installed. 37 people looked for software loggers.

You may be wondering what I do with that data and why I would capture it. Mainly research for upcoming shows. It can also be used to monitor employees and servers. I think it is important to monitor what is going on with our servers. Certainly the City of San Francisco is seeing the value in that right now...

Jimmy Ray 

Big fan of two factor...

July 01, 2008

Jumbo...the magical packets...

At Cisco Live this year, a lot of folks were discussing using jumbo frames. I love jumbo frames for the data center, but some of the talk was on using jumbo frames outside data center implementations. So why are network admins looking to do jumbos? An argument can easily be made that running only 64-byte frames will kill a server with CPU interrupts, so applications are written to use frame sizes up to 1500 bytes to reduce CPU interrupts. So what are jumbos and what is the big deal? Well, let's start from the top. Way back when, the 1,518-byte frame size was designed to protect against the high bit error rates of yesterday's physical-layer Ethernet components. The Ethernet ran at a blazing 1Meg. Then came 10Meg, then 100Meg and now 10GB, with no change to the frame size. But computer processing power has increased by an order of magnitude, and the use of switched Ethernet over unshielded twisted pair or fiber media has significantly lowered Ethernet errors. More importantly, the speed and capacity of today's Ethernets are pushing the processor limits of most installed servers, and more data is being transferred between servers.

For these reasons, extending Ethernet's frame size to reduce server overhead and increase throughput has become an attractive and logical option. In my testing, I have verified that the use of jumbo frames can deliver a 50% increase in throughput with a simultaneous 50% decrease in CPU utilization. There is no doubt that jumbos do indeed increase performance up to the 9K ceiling.

So if we use a frame bigger than 9000 bytes, performance will increase in a linear fashion, right? Well, 9000 is really a glass ceiling for Ethernet. Why 9000? First, because Ethernet uses a 32-bit CRC that loses its effectiveness above about 12000 bytes. And second, 9000 is large enough to carry an 8 KB application datagram (e.g. NFS) plus packet header overhead. Is 9000 bytes enough? It's a lot better than 1500, but for pure performance reasons there is little reason to stop there. At 64 KB we reach the limit of an IPv4 datagram, while IPv6 allows for packets up to 4 GB in size. However, the IEEE needs to address the 32-bit CRC issue. Which I believe they will.


If you plan on using jumbo frames use the following check list to avoid some of the issues I had earlier in testing:


- Understand they are not a standard, so testing prior to implementation is critical.

- Do not use anything above 9000 bytes.

- Jumbos must be supported end to end for any benefit. Switch to switch, server to switch. Jumbos are not normally supported on client devices.

- Use TCP Offload Engines with jumbo frames on server-based NICs.


Jimmy Ray


June 26, 2008

To Boldly Go...To Orlando...

If you have kids, chances are you have made the mandatory pilgrimage to Orlando to pay homage to the Mouse. Cisco Live was in Orlando this year. I love this event, so much so, I will go to Orlando to attend it. Great event this year. Robb and I are very happy to have met a lot of y'all this time. I talked to a bunch of folks at the Customer Appreciation Event. Man that was cool, wasn't it? The point of this blog is to thank you for watching the show, participating on the mytechwisetv.com site and reading the blog. Robb and I have many awesome surprises planned for season three of TechWiseTV and none of them include Ted McGinley... Please let us know anything that would improve the show for you for this upcoming season via this blog post, email or real old school; in person.

Jimmy Ray


June 16, 2008

Networkers...err..um..Live!

This time next week, Robb and I will be heading towards Orlando for Cisco Live. That is still hard to say after years of attending "Networkers". I liked the name "Networkers" because it was raw enough to keep the marketing scroggs away from such a technical event. With all things there is change, and certainly networking and Networkers are not exempt from that. The cool thing is that the name may have changed, but the heart of the show is still the same. It's all about us; Networkers.

The one thing (out of many) that I enjoy about Cisco Live is the quality advanced training that goes on there. I certainly hope I get the chance to sit in on some of that street-level hard core training. That is the big difference about Cisco that impressed me the most coming over here. The brains behind the solutions are sitting in San Jose just a few cubicles down. Other places I have worked, the brains behind the products are sitting in another country and a lot of times in another company that I have zero access to. That is not the case at Cisco. If I have a concern about CSA, then I can walk down a few cubicles and say, "Hey man, what's the deal with..." Those same folks come to Cisco Live to share their knowledge and passion with us; the Networkers.

Robb and I will be gathering content for upcoming shows and meeting with viewers as well. I certainly hope that you stop by and say hey and offer any suggestions that would make TechWiseTV a more powerful resource for you. Robb and I really want to hear from you, so if you see us out and about stop us and chat, heck, even if we are eating supper pull up a chair! Robb and I do not cater to product pushing like a 2AM infomercial. We absolutely try to make each show a technical "go-back" that you can use in the field. We are always looking for new ideas, topics and comments about the show, and we'll point you to the best cigar bar in all of Orlando...maybe we can talk our Executive Producer Brad into tossing down some cash for some cigars for all of us!

Jimmy Ray   

June 11, 2008

Green Party

We have had a ton of rain here in Wisconsin the last couple of days. So much so, that a 270 acre lake decided that it did not like its neighbors so it moved. Lake Delton in Wisconsin Dells drained completely out. Schools were closed here due to high water, roads were washed away, etc...great filler for the local morning, afternoon and evening news. One station had their on-site reporter do a slow camera pan to a few dead fish to add that Emmy-winning drama shot. I thought I saw one fish sporting a "Jimmy Ray is a goober" tattoo.

As I was driving thru looking at all of this stuff, I noticed that the ducks and geese were swimming around in all of the high water. To us a disaster, to them it is like Six Flags. Living with nature is something some folks do better than others. I am not a tree hugger or save-nature-at-the-cost-of-human-advancement kinda dude. Hey, we are the dominant species on this planet. How we act with this power really shows our character. My grandmother used to tell me that if you really want to see someone's character, don't give them money; give them power.

The green movement in IT is really gaining a ton of speed in the press and therefore leaking over to our data center designs. Truthfully, I believe we need to define our view of "Green". Is it saving green as in cash, or saving green as in the environment? As an engineer, I believe we should always design our networking equipment to save energy and be more efficient. Most design-level engineers that I have worked with want to do the same thing. Like everything, there is a trade-off. Higher efficiency products cost at least 20-30% more to proto, test and manufacture than lower efficiency products. In the world of consumer-driven markets, price is everything. When designing gear, many engineers are pushed to meet a market price point vs an efficiency rating. Certainly as network designers we see the benefit of energy efficient equipment, but when it gets to the bean counters to sign the check, they balk at a high cost solution that does "the same thing".

I am so glad that the green movement is picking up speed and now it is cool to report to the bonehead analysts that we are running a green network. Green is good for all of us. It will ALWAYS cost more up front. Then when we crest over the curve where higher efficiency components come down in cost, a new breakthrough is made on better materials (read up on graphene; I bet this will be the next big thing) and then everything takes a step to the left.

Green is much more than a logo at the bottom of emails or an interview point we must hit when printing out datasheets or talking to folks. Green is just good network design. I believe we owe that to our customers and to our planet. Look at the BIG picture when it comes to green. Not just A switch or A server or A power rack. Look at everything as a solution. More importantly, we really need to educate the decision makers about green. We have been entrusted with the knowledge to share about solid design. Our managers and bean counters have not been. I believe Green starts with education and then naturally moves forth. Just like the high flood water here in Wisconsin, high data costs are a pain for bean counters, but as network designers we are ducks swimming in a brand new pond!

Jimmy Ray    

June 02, 2008

That Reminds Me of Something...

Last week the Data Center TechWiseTV episode aired. I hope you got a chance to catch it. It was a really good episode. Working on the show I kept drifting back in time. To a time when I was Hewlett Packard employee 1889723. You see, I am a geek's geek. If given the chance to meet Harrison Ford or Dr. Metcalfe, I would drop Harrison in a uSec. If I would have to skip lunch to attend a webinar hosted by Ron Rivest, I would skip lunch and supper and even breakfast the next day. I read the IEEE Spectrum like I am looking for a clue to crack the shooter on the grassy knoll. My wife went to her mom's for a weekend and I did not go fishing or watch TV all night, nope, I stayed up for two straight days writing code.

I always wanted to be an engineer. From a very young age I was taking apart radios, tractors, lawnmowers, TVs, you name it. I loved seeing how stuff worked and modifying it. For example, my wife bought our kids a California GoPed each for Christmas. (They are gas-powered scooters.) Well, you just can't have a stock engine on those things in MY garage. So a bigger bore carb, rocket key, header, larger spindle, ported head, reformed chamber and now we are talking! I got my BSEE degree and after 12 years in the field as an SE, I started at HP in 1999.

I was hoping just to catch a glimpse of some of the legendary engineers I have read about: Paul Congdon, Dan Dove and of course the inventor of 10BaseT and 100VG, Brice Clark. Brice was a very dynamic Dude. He would walk down the hall and have folks following him around hanging on his every word. He even spoke at Cannes about technology in film making! I was just a scrub, so I would sidle up and eavesdrop on whatever word of engineering mastery he would be talking about to folks. Man that Dude is so sharp and he had a real way of busting thru the clutter to get right to the heart of stuff. An engineer's engineer.

Of course I would have loved to work on any project Brice was part of. Well, at Networld+Interop in Vegas one year, I got my chance. Brice was going to demo iSCSI and he needed a hand, so I was selected. I felt like I needed a defibrillator. I was going to work with one of the early inventors of networking. Not just someone that is good at config'ing stuff but a Dude that started with line 00x01 and started writing the code that drives the employment of millions of SEs today. Brice was the most down to earth and coolest Dude. He would talk about the basis and foundation of Ethernet over a few beers as smoothly as pouring rain. He showed me the ins and outs of iSCSI, the ideas behind it and why it was so important.

Brice believed that the Data Center needed to have a unifying technology like iSCSI to bring the network together as one big utility. He talked about things like the Internet being so important to folks' lives that businesses will give it away to get people to use it for all walks of life. For that to happen, the Data Center would have to change. It is the weakest link. That was 2001. Over the years, Brice and I talked about the changing data center often. Brice passed away a few years back and, in true Brice form, he worked all the way until he was ready to go home. Brice and I were certainly not best friends or fishing buddies, and we did not even go way back. Brice took the time out of his life to help train me and explain stuff to me often. He was always available to share his knowledge and enjoyed it. You never really know how much even a little bit of help can really impact a person.

Working on the DC show, I kept thinking about Brice. Brice would have loved FCoE and the Nexus series. Sure, HP and Cisco are competitors at the marketing and sales levels, but on the engineering level, engineers admire and appreciate each other's accomplishments. The Data Center could finally be unified with the rest of the network to become one powerhouse of computing. The dream can now be achieved. I am certain that this technology would have gotten him fired up. As the show unfolded, I kept hearing the words Brice would say to me as he was teaching me about the DC. This show certainly had a special meaning to me; it brought me back around full circle to when I first learned about the changing DC from a man that embraced change.

Thank you Brice

Jimmy Ray   

May 28, 2008

Serve up the DiffServ

I was out on a call this morning and the network admin was mad that the users thought the VoIP system they installed sucked. Truth is, it did. If MOS scores could be in the negative, theirs would have been in the Kelvins. They thought that with high speed 10GB switches they did not need QoS in their network. On paper that would make sense; however, when packets start hitting the switch, all bets are off until they start exiting.

Networks are like kids; they start small, grow big and then don't listen to what you have to say. To keep up with the demand, vendors have been building faster switches with deeper buffers every single year. This is an example of Moore's Law at its finest. But is that enough? Of course any Account Manager will say YES! Buy more Cisco, problem solved. But a realistic network engineer needs to consider the role Quality of Service (QoS) will play in their network. Most folks understand how 802.1p works. DiffServ seems to be the big unknown in the world of QoS.

The real term is Differentiated Services, but the alpha geek crowd just says DiffServ. If you say DiffServ, folks know you are down with the set, yo. If you say Differentiated Services, folks will point you to the server admin crowd… DiffServ is concerned with classifying packets as they enter the local network. This classification then applies to a flow of traffic, where a flow is defined by 5 elements:

- Source IP address

- Destination IP

- Source port

- Destination port

- Transport protocol.

A flow that has been classified or marked can then be acted upon by other QoS mechanisms. Multiple flows can therefore be dealt with in a multitude of ways depending on the requirements of each flow. Voice this way and data that way, etc… DiffServ uses a Code Point (the cool way to say this is DSCP) to determine the per-hop behavior of the flow. Kinda like how you can determine who does what on Star Trek by what color shirt they wear. Blue is Medical, Gold is Command and Red is the one that always gets killed off. Back to DSCP: there are 64 total DSCP values. They range from 0-63. Remember that a high DSCP value is not the same thing as a high QoS queue. However, understand that in Assured Forwarding (more to come…) there are three drop probabilities. The DSCP determines the Per-Hop Behavior (PHB) of a flow. In a nutshell, packets are first classified according to their current DSCP. Then they are separated into queues, where one queue may be routed via a marking mechanism and another queue may be examined more closely. After further examination, additional packets may be sent for marking or be sent direct to the shaping/dropping mechanisms, where all packets end up before leaving the interface. Just like on Star Trek NG, everyone always ends up in Ten Forward to pound down some alien Newcastle Pale Ales after a mission.

How cool is that! Differentiated Services provides a simple and quick (albeit coarse) method of classifying the services of various applications. Of course there is more to it than that, so let's get geeky with it man! You don't get off that easy… There are currently two standard per-hop behaviors (PHBs) defined that effectively represent two service levels. Others are possible, but these are the most common and most widely used.

· Expedited Forwarding (EF): This is like riding in First Class on a long trip. This is the best possible. EF has a single codepoint. EF minimizes delay and jitter and provides the highest level of aggregate quality of service and guaranteed bandwidth. Any traffic that exceeds the traffic profile (which is defined by local QoS policy) is discarded.

· Assured Forwarding (AF): This is like riding in coach with the extra leg room of business class. AF has four classes and three drop precedences within each class (so a total of twelve codepoints). Excess AF traffic is not delivered with as high a probability as the traffic "within profile," which means it may be demoted but not necessarily dropped.

As you are mapping your DSCPs, ensure that you understand which traffic flows to map to EF and which flows to map to AF. Although DiffServ is not backward compatible with ToS, DiffServ can be used to actually replace Type of Service if it is mapped correctly. I have included a chart if you ever need to do this:

DSCP   Precedence   Purpose
 0         0        Best effort
 8         1        Class 1
16         2        Class 2
24         3        Class 3
32         4        Class 4
40         5        Expedited forwarding
48         6        Control
56         7        Control

DiffServ assumes the existence of a service level agreement (SLA) between networks that share a border. The SLA establishes the policy criteria and defines the traffic profile. It is expected that traffic will be policed and smoothed at egress points according to the SLA, and any traffic "out of profile" (i.e. above the upper bounds of bandwidth usage stated in the SLA) at an ingress point has no guarantees (or may incur extra costs, according to the SLA). The policy criteria used can include time of day, source and destination addresses, transport, and/or port numbers (i.e. application IDs). Basically, any context or traffic content (including headers or data) can be used to apply policy.

The best part of DiffServ is the simplicity with which it prioritizes traffic, along with its flexibility and power. Cisco switches fully support DiffServ. When DiffServ is the primary QoS parameter, specific application types can be used to identify and classify traffic, making it possible to establish well-defined aggregate flows that may be directed to fixed-bandwidth pipes. As a result, you can share resources efficiently and still provide guaranteed service. That is the true power and flexibility of QoS.
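As an added example (not code from the original post), here is a small DiffServ helper that decodes any DSCP into its PHB name, the IP precedence it maps to (the chart above) and the resulting ToS byte, and classifies a 5-tuple flow with a local policy; it goes beyond the chart by covering the AF and CS codepoints too. The port ranges in POLICY and the flow addresses are constructed assumptions, not a recommendation.

```python
"""DiffServ helpers for the post above: decode a DSCP into its PHB, the IP
precedence it maps to and the ToS byte it produces, and classify a 5-tuple
flow with a constructed local policy. Added example, not the post's own code."""
from dataclasses import dataclass

EF_DSCP = 46  # the single Expedited Forwarding codepoint


@dataclass(frozen=True)
class Flow:
    """The five elements the post says define a flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "tcp" or "udp"


def decode_dscp(dscp: int) -> dict:
    """Name the per-hop behavior a 6-bit DSCP value selects."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field: 0..63")
    precedence = dscp >> 3   # top three bits are the old IP precedence
    low3 = dscp & 0b111      # bottom three bits pick AF drop precedence
    if dscp == 0:
        phb = "BE"           # default, best effort
    elif dscp == EF_DSCP:
        phb = "EF"
    elif low3 == 0:
        phb = f"CS{precedence}"  # class selector, e.g. 48 -> CS6
    elif 1 <= precedence <= 4 and low3 in (2, 4, 6):
        # AF classes 1-4 with drop precedence 1 (low) .. 3 (high): AFxy = 8x + 2y
        phb = f"AF{precedence}{low3 // 2}"
    else:
        phb = "unassigned"
    return {
        "dscp": dscp,
        "phb": phb,
        "precedence": precedence,
        "tos_byte": dscp << 2,  # DSCP sits in the upper 6 bits of the ToS byte
    }


def precedence_to_dscp(precedence: int) -> int:
    """The chart's mapping: IP precedence p becomes class selector DSCP 8*p."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence is a 3-bit field: 0..7")
    return precedence << 3


# Constructed policy (assumption, not a recommendation):
# (proto, low dst port, high dst port, dscp to mark)
POLICY = [
    ("udp", 16384, 32767, EF_DSCP),  # voice bearer (RTP range) -> EF
    ("udp", 5060, 5060, 24),         # call signalling -> CS3
    ("tcp", 443, 443, 18),           # web -> AF21
    ("tcp", 80, 80, 18),
]


def classify(flow: Flow) -> int:
    """Return the DSCP a DiffServ edge would mark this flow with (0 = BE)."""
    for proto, low, high, dscp in POLICY:
        if flow.proto == proto and low <= flow.dst_port <= high:
            return dscp
    return 0


if __name__ == "__main__":
    # Constructed flows using documentation address space
    voice = Flow("192.0.2.5", "192.0.2.9", 40000, 20000, "udp")
    web = Flow("192.0.2.5", "198.51.100.10", 51234, 443, "tcp")
    for flow in (voice, web):
        print(flow, "->", decode_dscp(classify(flow)))
    for p in range(8):
        print(f"precedence {p} -> DSCP {precedence_to_dscp(p)}")
```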


Jimmy Ray
