Everything posted by Iain

  1. Iain

    Ccc Setup

    Thank you. I recalled how he'd set them up using Proxmox and then VNC (or similar) to "spy" on folks who were attempting the challenge. It's the more specific tinkering, like generating traffic on port 1337, that interests me. Maybe he could include that sort of information when he runs through the "how it was solved" for future challenges.
  2. Iain

    Ccc Setup

    I've enjoyed seeing the challenges and, in particular, details about how the last challenge was completed. I realise that Darren sets everything up for folks to have a go and wondered if he might do a brief segment about exactly how he set it up. I'm happy to e-mail feedback, but someone on the forum might be able to provide some pointers. For instance, Darren mentioned something about the server transmitting some information periodically from port 1337 (hence the need to listen carefully on that port to get the clue), but what did he use to do this? I'm not really interested in how he edited photos of Kerby to have overlying text etc., but rather the server and configurational side of things. It might sound as if I want to set up my own challenge, but far from it! I just want to know about what's happening "under the hood".
  3. I looked into this a little while ago and drew a blank. I don't think it's possible. If it were, I'm sure that there would be lots of "how to" notes floating around. Whenever I've seen anything about using a live Linux CD, it's often dealt with pulling data from the hard drive, or leaving something there, such as a backdoor or resetting/bypassing passwords.
  4. I'm grateful for the tips. For some reason, I couldn't download episode 8.26. I'll check it out on Revision 3. At least I know that it's feasible now so I'll invest some time researching into it.
  5. I work with a small business in IT and we are a Windows "shop". We have a number of network printers and I access the web server that each contains for configuration information, the state of the toner cartridges etc. I know that the printers have RAM and a hard drive. Does anyone know how easy it would be to mount the hard drive remotely and access the stored print jobs, scans etc.? I suspect that the printers/MFPs run a version of Linux which may be bespoke. I know that I could take a screwdriver to the hardware to pull out the hard drive but it would be more elegant to access the material remotely. If this is feasible, I'll do some more research but if it's likely to be a non-starter, I won't waste my time. Finally, I saw an article a while ago about using Netcat as a form of "man in the middle" to collect print jobs before forwarding them to the printer but I know just how easily AV products pick up Netcat (or one of its variants).
  6. Thanks for the help. The script indicates 2 NICs (eth0 and eth1) but my scenario involves only one NIC and the routing is to another host (the real DG at the ADSL router) on the same network. I'll look at the script in detail though I think it will be similar to several others that I've seen posted on the 'net. There seems to be very few which deal with just one NIC. Maybe I'll post a question on one of the Linux or, more specifically, Ubuntu fora. I thought that this would be a doddle to resolve!
  7. I've tried several permutations but there's no logic in what I've done because I don't really understand iptables. It's almost been like the blind leading the unsighted! I've tried "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT -d 192.168.0.1" (plus similar statements referring to ports 25 and 110) but not got it to work (yet). It seems that the Squid/iptables computer isn't forwarding the relevant traffic to the ADSL router.
  8. I've set up a Squid proxy on Ubuntu 9.04 desktop in my home lab (with the intention of transferring to a small business environment eventually) and everything works fine. I want to take it to the next stage by making it transparent. Here's the setup and what I've done:

    1. The "real" DG at the ADSL router is 192.168.0.1
    2. The squid box has a single NIC (eth0) which is 192.168.0.250 / 24 (static)
    3. Squid.conf modified to have the line <http_port 3128 transparent>
    4. Executed the line "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128"
    5. Configured the Windows client DG to 192.168.0.250 and removed reference to the proxy in Internet Options > Connections

    I can access the internet via the client and the transparent squid proxy logs the sites that I visit, however any https traffic and e-mail send or receive via Outlook are blocked. I know that squid doesn't "play nicely" with or cache https traffic. I suspect that I need to have some iptables rules to check the destination port of the packets and, if it's 25, 110 or 443, the packet should be sent to the "real" DG at 192.168.0.1. I've tried MANY permutations of various iptables commands but haven't hit on the correct syntax. I've also read some articles that suggest that ip forwarding has to be enabled (via echo 1 > /proc/sys/net/ipv4/ip_forward) but others say it's not necessary. Am I correct about what I need iptables to do? Do I need to enable ip forwarding? Can someone help me with the syntax that I must use to do what I need? Thanks in advance.
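    The following is an added example, not a script from Iain or anyone else in the thread: a small POSIX sh script that renders (and, only on request, applies) the sysctl and iptables settings for the single-NIC setup described in the post, reusing its values (eth0, 192.168.0.250, gateway 192.168.0.1, Squid on 3128; the 192.168.0.0/24 LAN prefix is an assumption). Only port 80 is intercepted; 25, 110 and 443 need no REDIRECT rule at all, they are simply routed on to the real gateway, which is why ip_forward must be on.

    ```shell
    #!/bin/sh
    # Constructed example for a single-NIC transparent Squid box that also acts
    # as the clients' default gateway. Values below are taken from the post;
    # LAN_NET is assumed.
    LAN_IF="${LAN_IF:-eth0}"
    PROXY_IP="${PROXY_IP:-192.168.0.250}"
    SQUID_PORT="${SQUID_PORT:-3128}"
    LAN_NET="${LAN_NET:-192.168.0.0/24}"

    # Print the commands rather than running them, so they can be reviewed.
    render_rules() {
        # Clients use this box as their gateway, so packets for 25/110/443 must
        # be routed on to the ADSL router: forwarding has to be enabled.
        echo "sysctl -w net.ipv4.ip_forward=1"
        # Intercept only plain HTTP arriving from the LAN, and leave requests
        # aimed at the proxy box itself alone. Nothing else is redirected.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET ! -d $PROXY_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
        # Non-intercepted LAN traffic leaves on the same interface towards the
        # real gateway; permit it in case the FORWARD policy is DROP. Replies
        # come back from the router straight to the client, not via this box.
        echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -j ACCEPT"
    }

    # Number of rendered commands; a quick sanity check before applying.
    rule_count() { render_rules | wc -l | tr -d ' '; }

    # Apply for real (needs root). Only runs when called with "apply".
    apply_rules() { render_rules | sh; }

    if [ "${1:-}" = "apply" ]; then apply_rules; fi
    ```

    Run it with no argument to see the commands, or as root with `apply` to install them; note that nothing here makes HTTPS cacheable, it just stops 443 being swallowed by the proxy.
    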
  9. Iain

    Old Times

    Great going Darren - I'm amazed by just how prolific you are in creating the weekly episodes. I agree that not all episodes will please everyone but, over a period of maybe 4 weeks, I'm sure that everyone will find at least one episode that really gets them "tingling" and makes them want to get hardware or software to follow up what you've discussed or demonstrated. I just don't know how you find the time to learn about all the new items, given the fact that you also work for a living (to put food on the table and beer in the fridge!). I watch eagerly for my weekly shot of Technolust.
  10. Why not post back on the forum with a selection of links to articles and videos (such as that in which Rob gave the demonstration) about the reality of the attack? If you're polite (I've no reason to think that you wouldn't be), they should thank you for your input and (perhaps) apologise for their earlier comments.
  11. Iain

    Home Cisco Lab

    I found the Firewall forums very good when I was studying for my CCNA a couple of years ago. There are lots of important "How to" documents and the senior members are perfectly happy to advise about a physical lab (preferable) as well as Packet Tracer configurations.
  12. Iain

    Ping Ipv6

    Darren did a couple of segments on IPv6 and Teredo a couple of months ago. I'd suggest that you take a look at them. I found them very useful and have done some further research about this whole topic since then. IPv6 is on the horizon (and has been for quite a while!) so we're all going to have to get familiar with it.
  13. What tools did you use to try to find the network? You said that it doesn't show up on any of the scans. There are tools on BT4 that should pick up the network even if it's not broadcasting its SSID.
  14. No, I don't mean why 2^128 addresses, that bit's easy! Like many here, I've been aware of IPv6 for a while but the last few episodes have focussed my mind. In the most recent episode, Joe Klein said that each device/adapter will have up to 5 IPv6 addresses. As far as I know, there will be a Link Local (FE80) which is the equivalent of IPv4 APIPA, a Unique Local (FC00) which is non-routable on the internet and the equivalent of an RFC1918 address and there will be a Global address which will be visible publicly. There may also be a Tunnel address (2001 or 2002), depending upon the configuration. As the Link Local and Unique Local addresses appear to relate only to the LAN and are generated automatically, why need both? I'm just starting to get my head around IPv6 and I suspect there are members here who understand more, for instance by administering a Windows 2008 network.
  15. When I saw your response to my initial post, I thought that you were mistaken so I went off and did some research. While I was doing that, Sparda posted his explanation about how several websites can be hosted at a single IP address that concurred with how I understood that it worked. In summary, I did understand your first post ... but it was wrong! We all make mistakes, as you recognised. Having said that, the reason for the unusual tracert output still eludes me. I don't think it's my DNS cache or router because someone else (using different hardware and ISP) has experienced exactly the same display.
  16. I'm glad that you cleared up Infiltrator's interpretation about what happens. I understood it as you have described, rather than Infiltrator's explanation. After I had seen the unusual tracert output (and final hop resolution to just one site hosted on the server), I closed IE8 completely and cleared the DNS cache (ipconfig /flushdns). I ran tracert again (without IE8 open) but it still reported the final hop as the website. I also examined the DNS cache (ipconfig /displaydns) and the specific website wasn't listed. This made me think that the unusual behaviour wasn't due to DNS cache. I rebooted the router and computer and ran tracert (without opening IE8) but it didn't resolve the last hop to the website but it reported the hosting server! I visited the website (to put the entry into the DNS cache) and ran tracert. It still didn't report the website but retained the hosting server details. I know it's somewhat academic but I'm intrigued to know WHY this happened. I can't conceive of a use, or a misuse, of this behaviour!
  17. I have XP Pro SP3 and IE8 (not connected to a domain). I visited a friend's website and then discovered the IP address of the server that hosts it. I did a tracert (without any switches) to the IP address. The final hop in the path resolved the IP address to his website. I did a reverse lookup against the IP address and found that there are >1500 sites hosted at that IP address so I wondered why it had resolved to his website (rather than one of the many other sites or, more likely, the hosting company). I wondered if it was due to my DNS cache so I closed IE8 then flushed the cache (ipconfig /flushdns). I repeated the tracert and it still resolved the last hop to his website! I rebooted the PC and router then repeated the tracert (without visiting his site) ... it didn't resolve the final hop to his site. Does anyone know what's going on here? Why would the tracert resolve to his site when the server hosts >1500 sites? It doesn't look like it was due to my DNS cache.
  18. Iain

    Closure

    That's quite an interesting read. I've also been around for quite a while but have never ventured onto IRC. Like DarkBlueBox, I never connected the dots and thought that people come and go and decisions are made for a reason. I realise that the forums and episodes have changed over the years and thought that it was just a matter of everything taking a natural course. I'll continue to visit as often as I always have done and will also continue watching the episodes, the majority of which I find very interesting. I, too, am sorry to see that moonlit has resigned from being an Administrator but hope to continue seeing his posts.
  19. Forgive me if this question seems dumb ... In the ESXi episode, Matt and Darren used a USB thumb drive/memory stick (call it what you will) to load the host OS and this was attached to the motherboard via a lead. I've been contemplating doing something similar and found this. I'm not sure what the performance difference would be between a DoM and the methodology that Matt/Darren used. I understand that USB flash drives/memory sticks don't like repeated and frequent read/write operations. Is a DoM, in effect, a mini SSD mounted directly to a connector that can attach to USB, SATA or IDE on the motherboard?
  20. I just stumbled upon Antimeter which detects and kills meterpreter shells. It's also available here. It seems that an updated version is imminent. I know that many of the episodes that Darren and colleagues produce include a "How to use Tool A to break in", followed by a "How to prevent Tool A breaking in" so this might be something to watch.
  21. Are you sure that it will work on XP? I've just tried the raw commands and it failed. It's not possible for a Limited user to create a user account via net user ... then add it to the local admins group. If it was possible, it would be a huge security hole. This brings up something about the Ducky which has been perplexing me. I use my laptop whilst logged on as a Limited user. I rarely log on with Admin rights, preferring to use runas /user:..... I guess that all the code that would do anything "interesting" would have to be run whilst the user is logged on with Admin rights (unless something from Metasploit was included in the code). As far as I am aware, the Ducky is simply typing very quickly so, if I couldn't do something nefarious whilst sat at the user's keyboard, why would a Ducky? Bottom line: I suspect that the hope is that an unsuspecting victim is logged on with Admin rights if the Ducky is going to do its "stuff"?
  22. Thanks digip - that's interesting. I've never come across Double Driver before and it looks a VERY useful piece of software. As far as XP MCE is concerned, I realise that it's XP Pro with the extras but didn't know that the key will (or is likely to) work with XP Pro. I'll look into it for him because I don't think that he needs all the extras. A question that springs to mind though is about the licencing of the OS. I know that MS licencing is a very complicated matter and, whilst it would be unlikely for the "licence police" to investigate his system, I wouldn't want to do anything that would make his system illegal.
  23. Thank you digip. I had thought about reinstalling from scratch from a standard OEM disk but there are two problems (as far as I know):

    1. He needs to use a projector attached to the laptop's VGA output for presentations and also use the laptop-specific hotkeys (mute, volume, screen brightness etc.). When I looked at this functionality on a laptop previously, the necessary executables, dlls or services were only available with the manufacturer's recovery CD and not packaged with the standard OEM installation disk. I'd add that the utilities weren't available on the manufacturer's website to be applied following a standard OEM installation.
    2. The OS is XP MCE and I've not been able to get hold of an original OEM installation CD. I suspect that I could download one from one of various sites but I can't be 100% sure that it would be "clean".
  24. Thanks for the tips - I hadn't thought of using dd. If I don't get anywhere with that, I'll look into Clonezilla.
  25. I've been asked to look at a friend's laptop that's died. I've repaired the HD with MHDD then I backed up the data. I have installed a new HD and had hoped to reinstall the OS (XP MCE) to factory default using the recovery DVD. However, when I booted it, it whinged because the new HD doesn't contain any information! I've done some digging around and it seems that I need to have the hidden recovery partition on the new HD. I'm familiar with Ghost (boot floppy) but, when I examined the old HD with it, the hidden partition wasn't recognised. I attached the old HD to an XP Pro installation and the hidden partition was shown in Disk Management as 5GB (approx) FAT32. I'm not familiar with any other imaging software. Can anyone give me recommendations (cheap, or preferably free!) about what I can use to copy the hidden partition from the old HD to the new one? I thought of cloning the whole HD (160GB) using Ghost and deleting the Data partition but my desktop is very old and its BIOS doesn't like such a large HD.