philbot500

Active Members, 17 posts

Location: Scotland

  1. Hi all. I think I'm looking for a magic box that will make my admin life simple. I'm looking for a solution that will sit at the gateway and block user access to anonymous proxies and scan pages for any kind of malware. This is probably two problems.

    1. Is there a way using squid or something to look at pages and decide in real time whether it is an anonymous proxy or not? These things seem quite clever at disguising themselves these days and you'd need an army and more to blacklist sites.
    2. Is there anything out there to look at a site and see if it has an iframe or the like that points to a bad place and tries to download an exe or dmg? Is this sort of thing legal?

    Whilst I love the whole Jericho Forum thing I still believe that there is a place for defence in depth. I don't want the HIPS on 30 PCs to block something if I can block it once at the gateway, or at least before it gets to the end user. Here is the crux of the thing. I work with several schools and I see this as: do you want your kids to be able to learn things and get good jobs because they can learn stuff, or go and rob your grandmother's pension because their computers were down and they ended up stupid? How can you tell these kids that if they do SSL to a proxy then go to Facebook, some bad guy probably has their password now?

    One last thing. Would it be unethical to man-in-the-middle any SSL connection that these users make to ensure nothing nasty is happening? It must be trivial to use something like sslstrip to do this and just install the certificate from my box on the end machines.

    Over and out, Philbot500
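An added example for the second question in the post above (it is not code from the post, from squid, or from any product): a content-scanning helper of the kind a gateway proxy would run over a fetched page before returning it to the client. It collects every iframe/script/object/embed, and flags those that are off-site, hidden (0x0 or display:none), or point straight at an executable download. Standard library only; the school.example / dropzone.example page and the extension list are constructed for the demo.

```python
"""Gateway-side scan of an HTML body for drive-by iframe/object patterns.

Added example, not from the forum post. The sample page below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions the post asks about; a real gateway would also key on Content-Type.
PAYLOAD_EXTS = (".exe", ".dmg", ".scr", ".msi")


class _Collector(HTMLParser):
    """Collect the tags that can pull third-party content into a page."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "object", "embed"):
            self.tags.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True for the classic invisible iframe: display:none or 0/1 pixel box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs.get("width"), attrs.get("height")]
    if any(d is None for d in dims):
        return False          # no explicit size: not evidence of hiding
    try:
        return any(int(d.lower().rstrip("px")) <= 1 for d in dims)
    except ValueError:
        return False


def scan_page(page_url, html):
    """Return [(tag, absolute_target, [reasons])] for every embed with at least one reason."""
    page_host = urlparse(page_url).hostname
    parser = _Collector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src") or attrs.get("data")
        if not src:
            continue
        target = urljoin(page_url, src)          # resolve relative references
        host = urlparse(target).hostname
        reasons = []
        if host and host != page_host:
            reasons.append("off-site")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden")
        if urlparse(target).path.lower().endswith(PAYLOAD_EXTS):
            reasons.append("executable")
        if reasons:
            findings.append((tag, target, reasons))
    return findings


def should_block(findings):
    """Block on a direct executable pull, or on a hidden iframe to another site.

    'off-site' alone is not enough: every CDN script include would trip it.
    """
    return any("executable" in r or ("hidden" in r and "off-site" in r)
               for _, _, r in findings)


# Constructed sample page: one legitimate iframe, one CDN script, one hidden
# off-site iframe and one object pulling an .exe directly.
SAMPLE_PAGE_URL = "http://school.example/news.html"
SAMPLE_HTML = """
<html><body>
<h1>School news</h1>
<iframe src="/calendar.html" width="600" height="400"></iframe>
<script src="https://cdn.example/jquery.js"></script>
<iframe src="http://dropzone.example/loader.html" width="0" height="0" style="display:none"></iframe>
<object data="http://dropzone.example/update.exe"></object>
</body></html>
"""

if __name__ == "__main__":
    results = scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for tag, target, reasons in results:
        print(f"{tag:7} {target:45} {', '.join(reasons)}")
    print("block:", should_block(results))
```

The decision rule is deliberately conservative: a same-site iframe with a real size produces no finding at all, and an off-site script on its own is reported but not blocked. Anything built by JavaScript at runtime, or served with a misleading extension, is invisible to a static pass like this, which is why the post's "defence in depth" point still stands.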
  2. So if I ask for too_long_a_name_for_udp.your_bank.com then DNS will go out over TCP and ask for an answer? Thanks for your reply. Much appreciated.
  3. philbot500

    DNS Patch

    Just started a new contract. I have just managed to persuade them that they need to patch for the Kaminsky DNS problem. They turned around and said "Okay, you do it. It's on your shoulders." I'm a bit worried! It's a 2k3 domain with Exchange, DC, DNS, DHCP etc. on 6 boxes. I'm kind of thinking that if I apply this patch (MS08-037) it might try and use ports that other services are listening on. This would cause a problem. Am I right in thinking that if DNS doesn't get an answer on UDP it will try again on TCP? If so, are TCP ports randomised in this patch? The only way out that I can see is to limit the ports that are randomised. If I tell it to only choose between 256 ports to randomise I should still have the 16-bit txID plus the 8 bits from the port randomisation. Is that enough? Please help. What have you done? Philbot500.
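An added example covering the two DNS questions above (posts 2 and 3); it is not code from the posts or from the MS08-037 update. Two protocol facts it rests on: a resolver retries a query over TCP only when the UDP answer comes back with the TC (truncated) bit set, not because the name is long; and MS08-037 randomises the UDP source port of outgoing queries, so a forged answer must now hit the right port as well as the right 16-bit transaction ID. The block builds a query and candidate answers with the standard library, applies the checks a resolver makes before accepting an answer (answering server, destination port, txid, question section), reads the TC bit, and works out the guess space for the post's arithmetic. Names, ports and transaction IDs are constructed for the demo.

```python
"""DNS answer acceptance, TC-bit detection and spoofing guess space.

Added example, not from the forum post. All packets are constructed locally.
"""
import math
import struct

HDR = ">HHHHHH"          # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000         # response
FLAG_RD = 0x0100         # recursion desired
FLAG_TC = 0x0200         # truncated: client should retry over TCP


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    return struct.pack(HDR, txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_response(txid, name, truncated=False, qtype=1):
    """Minimal response (question only); TC set means 'real answer is bigger than UDP allowed'."""
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    return struct.pack(HDR, txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_header(pkt):
    txid, flags, *_ = struct.unpack(HDR, pkt[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC)}


def question_section(pkt):
    """Bytes of the question section: name, terminator, qtype, qclass."""
    i = 12
    while pkt[i] != 0:
        i += pkt[i] + 1
    return pkt[12:i + 5]


def accept_response(pending, pkt, src_ip, dst_port):
    """The checks a resolver applies before it trusts an answer for an outstanding query.

    pending = {"server": ip asked, "txid": id sent, "src_port": port sent from,
               "question": question bytes sent}
    """
    h = parse_header(pkt)
    if src_ip != pending["server"] or dst_port != pending["src_port"]:
        return False                     # came from the wrong place / to the wrong port
    if not h["qr"] or h["txid"] != pending["txid"]:
        return False                     # not a response, or wrong transaction ID
    return question_section(pkt) == pending["question"]


def needs_tcp_retry(pkt):
    """True when the UDP answer is truncated; only then does the client go to TCP."""
    return parse_header(pkt)["tc"]


def spoof_guess_space(txid_bits=16, port_pool=1):
    """How many (txid, port) pairs an attacker must cover to be sure of a hit."""
    return (1 << txid_bits) * port_pool


def spoof_bits(txid_bits=16, port_pool=1):
    """Entropy a forged answer must match: 16 for txid alone, 24 with 256 ports."""
    return txid_bits + math.log2(port_pool)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    pending = {"server": "192.0.2.53", "txid": 0x1234, "src_port": 50123,
               "question": question_section(q)}
    good = build_response(0x1234, "www.example.com")
    forged = build_response(0x1233, "www.example.com")
    print("genuine accepted:", accept_response(pending, good, "192.0.2.53", 50123))
    print("forged txid accepted:", accept_response(pending, forged, "192.0.2.53", 50123))
    print("right txid, port guessed wrong:", accept_response(pending, good, "192.0.2.53", 53))
    print("truncated -> retry over TCP:", needs_tcp_retry(build_response(0x1234, "www.example.com", truncated=True)))
    print("guess space, fixed port:", spoof_guess_space(16, 1))
    print("guess space, 256 ports:", spoof_guess_space(16, 256), "bits:", spoof_bits(16, 256))
```

The last two lines are the post's sum: 16 bits from the txID plus 8 from a 256-port pool is 24 bits, i.e. a forged packet has a 1 in 16,777,216 chance instead of 1 in 65,536. The patch draws from the whole ephemeral range, which is wider than 256, so restricting the pool only makes the attacker's job easier; the reason to restrict it is to keep the resolver away from ports other services own, which is a separate concern from the TCP question, since the TCP retry happens only after a truncated UDP answer.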
  4. Getting a bit away from the post but, are you saying that this airgap means that no matter what I do with your IP I will get no useful results? I read a long time ago about a product that sits between you and the internet that has no IP address, therefore has no DDoS problems, and gives you full access. Is this the same thing?
  5. What do you mean by "airgap firewall"? Got this from SecurityFocus: The classical "air gap" firewall is pretty darned secure: you have the email go to a queue file on an externally reachable machine. Every so often (once or twice a day) someone makes a tape of the queue file, carries it to an internal machine, runs a program against it that vets it for attachments, executables, etc., and discards them, then pushes the messages into a mail system. Now, that _is_ good security. It also makes web surfing difficult. :) Which was what prompted my earlier post on the topic: if you can transparently surf the web through it, it's an "ordinary" firewall at best. Is there something I'm missing? Is this a generic term now? Regards, Philbot500.
  6. Thanks for the replies Sparda. I think what I am really trying to say is that we know there are people out there who can own a box behind any sort of protection. About 3 years ago, before I knew much about computers, I used to teach IT (Word, Excel, etc.) to people in prison. There I met an Israeli guy who was there for selling malicious code to companies to use against their rivals. He told me more than I can ever remember and this is what has sparked my interest in this subject. He could have spent time and worked out how to code all this stuff himself but there must be places where like-minded people talk about this. And these places must also be full of people who want to understand how this is done so they can stop it happening to their systems. This must be classed as the dark side of the internet. Somewhere that is proactive about malicious code and not reactive. Once again, thanks for your interest in this. Philbot500
  7. I don't believe it was undetectable. That's just what the post said. I'm sure all the AV guys etc. have a keen eye on these sites. But, can they see the dark side? Is there such a thing these days?
  8. Has anyone seen the dark side of the internet? I just read an article from a commercial AV site about how they found a copy of Vista SP1 from "the dark side of the internet". Where exactly is this "dark side"? Surely it can't be Hak5's own Darren with his cheeky smile and equally cheeky goatee! I've just been looking at a site that has an undetectable Trojan (for now, anyway). Have I been to the dark side? Before you ask, I have googled "dark side of the internet" and it didn't shed much light on it (no pun intended). I also tried "kinda grey side of the internet", much to the same outcome. Please help, I am at the end of my tether! Is there a dark side or isn't there? Do I just not know the right people? See ya, Philbot500.
  9. Thanks, I have heard of the TrueSec stuff and their Msvctl tool. It appears that this has never been released and never will be. I'm doing my first ever contract and I'm a bit concerned about the same admin password being used for everything. I guess my question is more about how serious this is. I imagine that it's only the guys from TrueSec that have the Msvctl tool but, is this an easy thing to write or is there a skiddie program out there that will do this for you? There must be loads of companies out there that re-use passwords. How do they get round this? Is it even common? Even if the same password is used, can hash injection be avoided? Thanks for your help, Philbot
  10. Hey everyone, do you guys know anything about "pass the hash" techniques? I've got a little .exe that will dump all the hashes from the local SAM, which I have used on a VMware machine. All my VM machines have the same admin password (just like the real world, right?). I would like to use some "run as" command to inject the hash and gain access to another machine on the network. Now, I know all the sysadmins on this forum use different passwords for all the machines that you administer and have a copy of Winternals or the like in case a NIC or NIC driver goes down and you need local access but, does anyone have any thoughts on this? Google can't help me, can you? All I'm looking for is a program that can inject a hash into a session to let me have control of a machine. Philbot. P.S. Before you ask, I'm not stupid enough to try this in real life (yet)
  11. Hey all, just looking at my firewall log and I see loads of IPs hitting those NetBIOS/IP ports; 135 seems to be the one, and some others, 32904 seems to be popular. Tried to google these but all I get is "IM, Nesend and Skype". Is there any way to find out who these people are or do they just spoof IP addresses? They seem to come from the same places, i.e. 89.243.x.y. It isn't an emergency, as my firewall blocks them, so there's no trouble to me, but it's all about learning, isn't it? Hope for a constructive reply soon, Phil. (Some time later!!) I think this should probably be in the "questions", but I don't know how to move it.
  12. Does it start-up okay when the new drive is unplugged? Have you tried the DVD burner in another computer?
  13. Got a system state backup and all user data is on the D: drive. Think this will be okay, yeah?
  14. Thanks VaKo and kickarse for the reply. Everyone that I have talked to said it's probably the service pack thing. I think because of the problem and the fact that it's such a small (16 client) network with no up-time requirement, it's probably easiest and quickest just to rebuild. Talk to you next time I mess up the server (which may well be soon!). Philbot.
  15. If you want the past papers I can just send them. They're quite small, or I can put them on RapidShare if you want!