So fast - so weekly - packets fly
In case you have to debug those authentications or whatever, try out dsniff. There's dsniff control for OS X, a very neat GUI. dsniff supports automated filtering for site sniffing (urlsnarf), mail sniffing (mailsnarf), ARP spoofing (arpspoof), IP forwarding for MIM, protocol detection, and you can do DNS rerouting, too. A complete suite.

If you sniff traffic for ten minutes, you can create a job that automatically analyses it with flowtag, e.g.:

And if you're a regular reader here, I don't even need to explain what this is. I love portscanning these days, with nmap getting developed more professionally every day.
While I was listening to hak5, I found Malwaredatabse.net: a pretty huge collection of malware and stuff to play around with in a VM. While installing Sasser and MyDoom on my WindowsLive environment (a reboot takes the crap away!) I searched for analyzers. At hak5 Chris mentions Sysinternals, of course. But that's not enough! Malware can plant a kernel-mode rootkit and you just get faked information. It's quite hard to detect those. Another way to monitor the activity of a compromised VM is a honeynet. I set up a Windows 2000 VM, gave it DHCP, and when the WindowsLive VM accessed the 2k VM, I sniffed the traffic and I'm analyzing it now. I used dsniff ;).
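As an added example (not the author's code), here is the kind of job you can run over the sniffed honeynet traffic once it has been reduced to connection records: it flags a host that sweeps many neighbours on one port, which is how worms like the ones installed above show up on the wire no matter what a rootkit hides on the host. The capture records and addresses are constructed; 10.0.0.5 is assumed to be the infected VM and 10.0.0.10 the Windows 2000 honeypot.

```python
from collections import defaultdict

# Constructed capture records (src, dst, dport), as a sniffer's connection log
# would yield them. Assumed addresses: 10.0.0.5 is the infected VM,
# 10.0.0.10 the Windows 2000 honeypot, 10.0.0.1 the gateway.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(10, 30)]  # SMB sweep
    + [("10.0.0.5", f"10.0.0.{i}", 25) for i in range(40, 45)]  # a few SMTP tries
    + [("10.0.0.10", "10.0.0.1", 53)] * 6                       # honeypot's own DNS
)


def targets_per_port(flows):
    """Map (src, dport) -> set of distinct destination hosts."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[(src, dport)].add(dst)
    return seen


def flag_sweeps(flows, min_targets=8):
    """Sources touching >= min_targets distinct hosts on one port: a worm-style sweep."""
    return sorted(
        (src, dport, len(dsts))
        for (src, dport), dsts in targets_per_port(flows).items()
        if len(dsts) >= min_targets
    )


def hosts_that_touched_honeypot(flows, honeypot="10.0.0.10"):
    """Nothing legitimate talks to the honeypot, so every client of it is suspect."""
    return sorted({src for src, dst, _ in flows if dst == honeypot})


if __name__ == "__main__":
    for src, dport, n in flag_sweeps(SAMPLE_FLOWS):
        print(f"{src} swept {n} hosts on port {dport}")
    print("touched honeypot:", hosts_that_touched_honeypot(SAMPLE_FLOWS))
```

The five SMTP attempts stay below the threshold on purpose; raise or lower `min_targets` to match how noisy your own lab segment is.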
I guess only very few people have ever heard of honeyspiders. A honeyspider is a new attempt primarily to secure browsers. It's similar to the sandbox-exec technology Apple uses to shield mDNSResponder, Safari and other applications. The project describes itself:
The system focuses primarily on attacks against, or involving the use of, Web browsers. These include the detection of drive-by downloads, malicious binaries and phishing attempts. Initially, the main area of exploration is drive-by downloads. Apart from identifying browser exploits (including 0day attacks), the system is expected to automatically obtain and analyze the attacking malware and ultimately generate its signature.
It's not ready yet, but as it seems, reading the material, it's going to be a 0day identification option for Web-based attacks, like ClickJacking. I know that stuff is DND now.
I found myself giggling like a school-boy: LOL.
One of the things in IT which I don't understand: malware in a PDF affects Acrobat Reader. I mean: why the hell does a normal user, who just reads PDFs and doesn't create them, need the feature-bloated Acrobat Reader? And why do all people use such bloatware! There's (Mac)GhostView for Unices, there's the very small Sumatra PDF. Why the hell do people install Acrobat? Usability? No, there's Foxit. There's no reason to let people use over-bloated software in a productive environment.
So... just for this week, have fun,
wishi
