Wednesday, July 30, 2008
Ultimate Penetration Testing platform?
You can't have a pentest platform without BOTH Windows and Linux in the mix. There are too many tools that are either exclusive to one platform or the other, or that have serious performance issues on a particular platform - nmap on Windows comes to mind.
I have tried various setups including VMWare, unixutils, native ports of *nix tools, Co-Linux & cygwin on Windows and VMWare & Wine on Linux and dual boot setups.
I think I have found the best of both worlds: a Windows base (2003 server) with andLinux. andLinux is built on Co-Linux with KDE (or xfce). Co-Linux is a port of the Linux kernel to Windows.
AndLinux is built on Co-Linux and Ubuntu. It behaves exactly like a normal Ubuntu box and can use any Ubuntu repository. It allows KDE application windows to co-mingle with Windows, giving you the best of both worlds.
It is working so well that I am going to delete my Linux partition on my pentest platform. Linux will always be the primary OS for everything else though.
Labels: Linux, Penetration Testing, Windows
Monday, June 09, 2008
Password complexity vs length
I have always chosen complex passwords over longer passwords, but which is actually most secure?
Let's consider a standard password creation scheme where we use a phrase, take the first letter of each word and substitute the occasional letter with punctuation or a number. So "Mary had a little lamb its fleece was white as snow" would become Mh4l1ifwWa$ - nice and complex. But how does that compare against a password like "mary had a little lamb."?
Let's calculate the keyspace. In the complex password example, each of the 11 characters has 72 possible values, assuming 26 uppercase letters, 26 lowercase letters, 10 digits and 10 punctuation characters. In the long password example, each of the 23 characters has 30 possible values, assuming 26 lowercase letters and 4 punctuation characters (space, comma, full stop and exclamation mark).
Complex password = possible values to the power of the length = 72^11 = 2.7 x 10^20
Long password = possible values to the power of the length = 30^23 = 9.4 x 10^33
So "mary had a little lamb." has a keyspace 34,924,596,548,080 times larger than that of Mh4l1ifwWa$. Length trumps complexity!
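The keyspace arithmetic above, as an added example (not code from the original post), written as reusable functions so the same comparison can be run for any alphabet size and length, plus the entropy-in-bits and brute-force-time views a practitioner usually wants. It keeps the post's assumption that the attacker enumerates every string over the alphabet; the cracking rate passed to averageCrackSeconds is a figure the caller supplies, since the post gives none.

```javascript
// Added example, not code from the original post: the keyspace arithmetic
// behind the complexity-vs-length comparison, as reusable functions.
// It keeps the post's assumption that the attacker has to enumerate every
// string over the alphabet (no dictionary or phrase-based shortcuts).

// Alphabet sizes the post assumes for each scheme.
const COMPLEX_ALPHABET = 26 + 26 + 10 + 10; // upper, lower, digits, punctuation = 72
const LONG_ALPHABET = 26 + 4;               // lower plus space , . ! = 30

// Number of candidate strings an exhaustive search must cover:
// alphabet size raised to the password length.
function keyspace(alphabetSize, length) {
  return Math.pow(alphabetSize, length);
}

// The same figure as bits of entropy: log2(alphabet^length) = length * log2(alphabet).
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// How many times larger scheme b's keyspace is than scheme a's.
// Each scheme is { alphabet, length }.
function keyspaceRatio(a, b) {
  return keyspace(b.alphabet, b.length) / keyspace(a.alphabet, a.length);
}

// Expected time to find a password by brute force, assuming on average
// half the keyspace is searched before the hit. guessesPerSecond is a
// constructed figure the caller supplies; the post gives no cracking rate.
function averageCrackSeconds(alphabetSize, length, guessesPerSecond) {
  return keyspace(alphabetSize, length) / 2 / guessesPerSecond;
}

// The two passwords from the post (lengths 11 and 23).
const complexScheme = { alphabet: COMPLEX_ALPHABET, length: "Mh4l1ifwWa$".length };
const longScheme = { alphabet: LONG_ALPHABET, length: "mary had a little lamb.".length };

// Entropy of each scheme and how many times larger the long keyspace is.
function summary() {
  return {
    complexBits: entropyBits(complexScheme.alphabet, complexScheme.length),
    longBits: entropyBits(longScheme.alphabet, longScheme.length),
    ratio: keyspaceRatio(complexScheme, longScheme),
  };
}

console.log(summary());
```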
Labels: Security
Google Bookmarks
As I use a variety of computers on a daily basis, keeping my bookmarks sync'd is a real pain. I've been using Google Browser Sync to keep them all sync'd, but there are issues with this, especially as I don't want some of my personal bookmarks on my work computers.
I have switched all my bookmarks (over 1000 of them!) to Google Bookmarks. Not only can I access them from anywhere on any computer, but Google Bookmarks also lets me search not just my bookmarks but the pages that the bookmarks point to.
Labels: Google
Wednesday, April 23, 2008
8 things I hate about MacBook Pro
OK I really don't like my MacBook Pro... and with good reason. So here's my list:
- No docking station - clearly the "Pro" version is targeted towards business users, how can you have a Pro version without a docking station?
- No hard disk light - you can never tell if the system is dead or just thrashing away
- Spinning wheel of death - OK it's more elegant than the M$ BSoD but it still means the system is dead
- No delete button - It says it's a delete button but it's really backspace
- No right click button on the trackpad - most Mac software implements right click menus but Mr Jobs insists on omitting it from their hardware
- Non-standard keyboard - it's just a PITA to work with if you multi-boot
- Un(der) powered USB port - only one of the USB ports has enough voltage to power an external USB hard drive
- Heat, heat, heat - the MacBook runs stupidly hot, hot, hot. Use it as a laptop at your own risk to your future parenthood
Labels: Apple Mac
Tuesday, April 01, 2008
nvu on (k)ubuntu
I couldn't find the old nvu web page editor on Gutsy; it is now available as KompoZer, which is a bug-fix release of the aging nvu 1.0 code. Just apt-get install kompozer.
Sunday, January 27, 2008
Truly Portable Apps
I am a big fan of PortableApps, most of which are Open Source such as Firefox, Gimp & OpenOffice. PortableApps allows you to run these applications from your USB thumb drive without leaving a trace (registry) on the client machine.
PortableApps is Windows focused, however I have found that almost all of the applications run quite happily under Wine. So I now have a truly portable virtual environment of my favourite applications wherever I go.
Labels: Linux, Open Source
Linux recovery and backups
I was happily working on my Kubuntu box when the hard disk light went solid. I shut down all the running apps and the disk light stayed on, so I dutifully rebooted only to be greeted with a Hard Disk Not Found message from the BIOS.
I have a great backup scheme where I backup to the RAID array on my server which gets backed up weekly to tape. My automated backups stopped working 4 months ago after a system rebuild (yes I know). So I really need to get my data back.
I purchased an external USB enclosure for the dead disk, having had success with these before where a system BIOS couldn't see a drive but the limited electronics in an external USB could. Under Linux the USB came up as a device, so I duplicated it using ddrescue onto a brand new disk and then used gpart (not gparted) to rebuild the partition table. The whole process took about 6 hours and I got every single file back. I love Linux.
Having learnt my lesson, I did some research into various backup options and chose to use rsync to back up all my laptops and desktops to my server's RAID array and then rsync that data to an external 500GB drive. I use native rsync on my Linux boxes and DeltaCopy on my Windows machines. Not a perfect solution but a fast and automated system - a backup of 200GB of data runs in under a minute by only copying the file differences via rsync.
Labels: Linux
Portable SQL databases
I recently discovered SQLite, a lightweight cross platform SQL database. SQLite can create in memory or on disk databases and is quite feature rich. It stores all data in a single disk file which can be easily copied or moved to another machine and/or platform.
SQLite readily imports and exports data from text formats. I was able to create two tables, import and populate them with delimited text files, cross query them and export the results in under 10 lines on the SQLite command line.
There are interfaces for a variety of programming languages, including an ODBC connector, and a bunch of 3rd party GUIs like one of my favourites - Kexi.
IE under Linux
Unfortunately some web sites require the use of IE exclusively to work. I try to avoid such poorly written sites, however sometimes it's a necessary evil.
Now that I run Linux exclusively this was a real pain until I found IEs4Linux, which is a project that automates the installation of Internet Explorer under Wine.
Security Focus Pen-Test List Most Annoying Top 3
I have been a subscriber to the Security Focus Pen-Test mailing list for a long time. Over the years the same questions keep coming up and I wish the moderators would stop letting them through. I have compiled my Top 3 Most Annoying questions on the Pen-Test list.
- What's the best way to learn?/How do I set up a lab?
This is essentially the same question with the same answer... Virtualization. Use free VMWare server and download free tools and practice against your own machines, not other people's without permission.
- What's the best OS/Linux/Bootable CD for Pen-Testing?
Backtrack - bootable or install it. Any Linux. Windows with Co-Linux or Cygwin.
- How do I report a vendor vulnerability?
OK this is just bragging or attention seeking. There is lots of doco on the net about how to do this.
Labels: Security
Monday, November 19, 2007
The hardware vendors are to blame
I think one of the biggest stumbling blocks for any new/alternative OS, be it Vista or Linux, is driver support by hardware vendors.
My primary server is a Windows 2003 box. The server is running so many open source apps (ssh, squid, tor, popfile) that it no longer made sense to run Windows. So I formatted the OS partition and installed CentOS. Everything worked fine except that CentOS could not recognise my Promise SX4000 RAID card. Given that this is where ALL my data is located, this was a big problem.
After much Googling, it turns out that the Linux drivers for my RAID card are closed source, not compatible with the 2.4 kernel and only support a few flavours of Linux. I can understand the hardware vendor not supporting newer versions of Linux but how about releasing the source to the driver? It seems that the hardware vendors are still a handbrake to alternate OS adoption.
Go ahead... SPAM me
I don't know what has happened in the last month, but there seems to be a worldwide explosion of SPAM. I have several email accounts across multiple ISPs and my daily SPAM tally has jumped from 3 or 4 a day to 160 a day across all my accounts.
After much Googling and trying out a bunch of open source & free anti-SPAM solutions I settled on the brilliant Spamihilator. What sets Spamihilator apart from the other solutions, most of which are wrappers around SpamAssassin, is the ability to delete SPAM before it hits your inbox, coupled with a large array of SPAM identification techniques including email address whitelists/blacklists, DNS blacklists, filtering based on number of recipients, a Bayesian learning filter, bad word lists etc.
I have found after a week of training that Spamihilator achieves above 99% accuracy for SPAM filtering. I have only seen a couple of SPAMs in my inbox since I installed it, plus there is a nice recycle bin in case you get any false positives.
Using the AnalogX Portmapper I was able to give all the machines on my network access to Spamihilator (which is normally bound to localhost).
Sunday, November 04, 2007
Having trouble Syncing Nokia phone with Linux?
Sync it in Windows first.
I lost an entire afternoon trying to get my new Nokia 6300 to sync with multisync and kitchensync. After trying everything on the forums I sync'd it with Windows then went back to Linux and everything worked without a configuration change.
I am guessing the official Nokia software turns on syncing on the phone.
Friday, November 02, 2007
Web application testing tip
Full credits go to my colleague w0ndrboi for this tip.
When using an interception proxy like Paros or Burp and you want to trap/log the interaction with only one (or a limited number of) addresses, you can create or modify a custom PAC file. You configure the PAC file to tell the browser to use your interception proxy only when browsing your target sites. You then configure your browser's "Automatic proxy configuration URL" to point to the location of the PAC file. Very nifty!
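A minimal PAC file implementing the tip above, as an added example (not the colleague's original file). The .test host names are placeholders and 127.0.0.1:8080 is assumed to be where Burp or Paros is listening; it is written in ES5 because browser PAC engines predate modern JavaScript.

```javascript
// Added example, not the original PAC file from the post: a minimal proxy
// auto-config script that routes only in-scope hosts through the
// interception proxy and sends everything else DIRECT. The host names use
// the reserved .test domain as placeholders and 127.0.0.1:8080 is assumed
// to be where Burp or Paros is listening; adjust both for your engagement.
// Written in ES5 because browser PAC engines predate modern JavaScript.

var SCOPE_HOSTS = ["app.example.test", "api.example.test"];
var INTERCEPT_PROXY = "PROXY 127.0.0.1:8080";

// True when host is exactly suffix or a sub-domain of it, so
// "sub.app.example.test" matches but "notapp.example.test" does not.
function inScope(host, suffix) {
  if (host === suffix) {
    return true;
  }
  var tail = "." + suffix;
  return host.length > tail.length &&
    host.substring(host.length - tail.length) === tail;
}

// Entry point the browser calls for every request. Only the target sites
// go through the proxy; there is deliberately no "; DIRECT" fallback after
// the PROXY entry, so if the proxy is down the in-scope traffic fails
// instead of silently bypassing the interception log.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  for (var i = 0; i < SCOPE_HOSTS.length; i++) {
    if (inScope(host, SCOPE_HOSTS[i])) {
      return INTERCEPT_PROXY;
    }
  }
  return "DIRECT";
}
```

Save it as a .pac file and point the browser's "Automatic proxy configuration URL" at it (a file:// or local http URL both work).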
Wednesday, October 31, 2007
Leopard... why I should listen to myself
My advice for endusers when a new OS comes out is usually to wait a while before installing, like waiting for the first service pack for a Windows OS. This is because upgrades inevitably break software or are incompatible with hardware.
Well I should listen to the stuff that comes out of my own mouth... I rushed out and installed Leopard. My rush was mainly to fix stability issues that were bugging me, plus I was mesmerised by the Apple eye candy. Anyway, two of my primary apps - encryption (PGP) and corporate email (Lotus Notes) - broke and it looks like it will be the new year before these problems are fixed!
Also, somehow in the rebuild two crucial VMs were corrupted. This was not a happy or fun upgrade for me. Plus "stacks", which look really cool, are a total pain; I now need to find a way to disable them.
Labels: Apple Mac
Thursday, October 25, 2007
Desktop switchover
I am still running Linux for my primary home desktop but have dropped Sabayon and switched to Kubuntu.
Why the swap?
- The pain of updating packages and breaking the system (did it twice)
- Time wasted compiling packages with lots of dependencies (sometimes 24 hours)
- Conflicting packages preventing installs
- Constantly having to mess around with /etc/portage/package.*
I tested the most popular KDE based distros (inc PCLinuxOS & OpenSUSE) and chose Kubuntu for its simplicity and large package repository.
It was a no brainer to install, but hardware detection was not that great with my machine. I had a lot of probs getting TwinView and my nVidia card working properly.
I would never use Kubuntu for pentesting, I will always stick with Gentoo/Sabayon there, as all the tools I need and use are in the source tree (which is not the case for Kubuntu).
Similarly for my headless servers I would only ever run Gentoo.
So the lesson is "horses for courses", use the right Linux distro for the task at hand.