
Cloaking Your Web Apps - the Hooded Apache

Go ahead and run

curl -I https://blog.oneiroi.co.uk

You will get

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:33:29 GMT
Server: Apache
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP
Connection: close
Content-Type: text/html; charset=UTF-8

As an attacker sizing up a web app, one of the first things you will want to know is which web server, and which version of it, is running. Here you can see that this blog does in fact run Apache, but there is not much else to go on, is there?

That is intentional, and the result of manual configuration changes I have put in place; a default LAMP install is far more talkative. Take, for instance, this snippet from another website:

Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.2.14

This already gives me a wealth of information to go on and begin prepping an attack: I now know the site is running PHP 5.2.14 on Apache 2.2.16, and that the underlying OS is Debian, which is enough to go looking for known issues in exactly those versions.

See the problem? Default roll-outs declare their running versions to anyone willing to ask, so let's make things a little more stealthy.

First and foremost, if you are using PHP, edit your php.ini and set the following:

expose_php = off

Now head into your httpd.conf and set the following:

ServerTokens prod

and

ServerSignature off

With these three settings the only thing the headers give away is Server: Apache. A few caveats: expose_php is a system-level PHP setting, so restart Apache (or reload php-fpm) for it to take effect; ServerTokens is a server-wide directive and cannot be set per virtual host; and ServerSignature controls the footer on Apache-generated pages (error pages, directory listings) rather than a response header, but it still needs to be Off because those pages otherwise print the same version string. Hiding the banner only removes the easy fingerprint; it is no substitute for actually patching the versions it was advertising. This is the first step to shielding your app, and I'll be covering further steps as time allows.
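As an added example (my own code for this page, not something from the original post, Apache or PHP), here is a small POSIX shell audit that reads the raw headers curl -I returns and flags the usual version-disclosure headers. It covers a bit more than the post: any Server value carrying a slash or parenthesis trips it (so nginx/1.0.4 or lighttpd/1.4 would too), as do X-Powered-By and its relatives. The two header blocks at the bottom are constructed for the demonstration, not real captures.

```sh
#!/bin/sh
# audit_headers: read raw HTTP response headers on stdin, print each header
# that discloses a version or platform, return 0 when clean and 1 otherwise.
# Live usage:  curl -sI https://example.com | audit_headers
audit_headers() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')          # strip CRLF
        name=$(printf '%s' "$line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        value=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^ *//')
        case "$name" in
            server)
                # ServerTokens Prod yields a bare product name ("Apache").
                # A slash or a parenthesis means a version or OS string is
                # attached, e.g. "Apache/2.2.16 (Debian)".
                case "$value" in
                    */*|*'('*) echo "LEAK: $line"; leaks=1 ;;
                esac ;;
            x-powered-by|x-aspnet-version|x-aspnetmvc-version|x-generator)
                # these headers exist only to advertise the stack behind the
                # server; expose_php = Off removes the PHP one.
                echo "LEAK: $line"; leaks=1 ;;
        esac
    done
    return $leaks
}

# Constructed header blocks for the demonstration (not real captures).
DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.2.14
Content-Type: text/html; charset=UTF-8'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# count_leaks: number of leaking headers in the block passed as $1.
count_leaks() {
    printf '%s\n' "$1" | audit_headers | grep -c '^LEAK:'
}

echo "default install: $(count_leaks "$DEFAULT_HEADERS") leaking header(s)"   # 2
echo "hardened:        $(count_leaks "$HARDENED_HEADERS") leaking header(s)"  # 0
```

Because audit_headers returns non-zero on a leak, it drops straight into a deployment check: pipe curl -sI against each host into it and fail the build or monitoring check when it exits 1.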


Saying No to the YESMAN - Defense Against Jasager

With work returning to “normal” levels I began digging through my backlog of seclist updates, errata updates and security-related podcasts.

One particular attack method has me, as a typically paranoid systems admin, concerned: the one covered by Darren at Hak5.org,

where combining jasager and airdrop-ng lets you easily set yourself up as a transparent man in the middle, with most if not all wifi clients switching over to jasager without the user ever knowing. So I began thinking about how you would defend against such an attack. Remember this is all theory at this point and could be completely wrong, so please leave feedback in the comments.

Before I begin, let's make a couple of assumptions:

  1. You are the admin for your network
  2. You are in control of all AP’s on your network

If you cannot confirm 1 and 2 then you can land yourself in a whole heap of trouble (DeAuthing clients off other people's networks is an attack, whatever your intent), so think before you act, please …

That said, on to a possible defense scenario: making airdrop-ng work as a “shield”.

The main premise of airdrop-ng is to send DeAuth packets that force a wifi client to reconnect. Darren's jasager + airdrop podcast (“Airport wifi challenge”) used this in conjunction with jasager to force clients to reconnect, but to jasager instead of the real AP: jasager answers every probe request with “yes, that's me” (hence the name, the yes-man), so the client is denied access to the real APs while jasager masquerades as them.

With me so far?

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except jasager’s
  3. Client Attempts to reconnect, jasager masquerades as the REAL AP
  4. Client is now pwned.

To repurpose airdrop-ng as a “shield”, we change step 2 above:

  1. Client is connected to REAL Access Point
  2. airdrop-ng sends DeAuth for all BSSIDs except the REAL access point
  3. Any client that has drifted onto a rogue BSSID is kicked off it, and the only AP it can stay associated with is the REAL one

Now this does cause a problem for any genuine “pop up” wifi, such as the share functionality on Mac OS X and mobile hotspots (wifi 3G), but it is one possible method of defense.

If you have any theories related to detecting and defeating WiFi m.i.t.m attacks please let me know, I'd love to hear them.

I’ll work on getting a screencast for this up as soon as possible.

  • this will not protect against BSSID / MAC spoofing: a rogue that clones the REAL AP's BSSID is on the whitelist and never gets DeAuthed.
  • this will only prevent a rogue AP with a different BSSID from masquerading as your valid AP (same ESSID, different BSSID).
  • this will only work within range of the wifi device generating the DeAuth packets.
  • improper configuration could cause a DoS of nearby REAL APs (other people's) and generally piss people off.
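As an added example (mine, not from the post, Hak5 or the airdrop-ng project), here is a shell function that does the list-building for the shield: parse an airodump-ng CSV scan, keep the access points beaconing our ESSID, and drop the BSSIDs we own, leaving the rogues to DeAuth. Scoping the deny list to rogues advertising our ESSID is a narrower version of step 2 above (which DeAuths everything but the REAL AP) and avoids most of the collateral damage to neighbours' APs and pop-up hotspots listed in the caveats. The CSV below is constructed for the demonstration, the ESSID CorpWifi and all BSSIDs are made up, and the airdrop-ng rule syntax in make_rules (a/BSSID|clients to allow, d/BSSID|clients to deny, any as wildcard) is as I remember it from the README, so check it against your version before using the output.

```sh
#!/bin/sh
# find_rogues ESSID ALLOWED_BSSIDS: read an airodump-ng CSV on stdin and print
# every BSSID beaconing ESSID that is not in the comma-separated ALLOWED list.
# Only the access-point section is parsed; parsing stops at "Station MAC".
# Live usage: airodump-ng -w scan --output-format csv mon0, then
#   find_rogues CorpWifi 00:11:22:33:44:55 < scan-01.csv
find_rogues() {
    essid="$1"
    allowed="$2"
    awk -F', *' -v essid="$essid" -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, ",")
            for (i = 1; i <= n; i++) ok[toupper(a[i])] = 1
        }
        /^Station MAC/ { exit }                 # client section: nothing to do
        NR > 1 && NF >= 14 && $14 == essid {    # field 14 is the ESSID
            b = toupper($1)                     # field 1 is the BSSID
            if (!(b in ok)) print b
        }'
}

# make_rules ESSID ALLOWED_BSSIDS: emit an airdrop-ng style rule file on
# stdout, allowing any client on our APs and denying any client on the rogues
# found in the scan read from stdin. Rule syntax is an assumption (see above).
make_rules() {
    printf '%s\n' "$2" | tr ',' '\n' | sed 's#^#a/#; s#$#|any#'
    find_rogues "$1" "$2" | sed 's#^#d/#; s#$#|any#'
}

# Constructed airodump-ng style scan (made-up BSSIDs; not a real capture).
# 00:11:22:33:44:55 is our AP; AA:BB:CC:DD:EE:FF is an open AP cloning our
# ESSID (jasager-style); 66:77:88:99:AA:BB is an unrelated neighbour.
SCAN_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-04-10 10:00:00, 2011-04-10 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 8, CorpWifi,
AA:BB:CC:DD:EE:FF, 2011-04-10 10:01:00, 2011-04-10 10:05:00, 6, 54, OPN, , , -30, 300, 0, 0. 0. 0. 0, 8, CorpWifi,
66:77:88:99:AA:BB, 2011-04-10 10:02:00, 2011-04-10 10:05:00, 11, 54, WPA2, CCMP, PSK, -70, 50, 0, 0. 0. 0. 0, 9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2011-04-10 10:03:00, 2011-04-10 10:05:00, -50, 30, AA:BB:CC:DD:EE:FF, CorpWifi'

echo "rogues beaconing CorpWifi:"
printf '%s\n' "$SCAN_CSV" | find_rogues CorpWifi 00:11:22:33:44:55   # AA:BB:CC:DD:EE:FF
echo "airdrop-ng rules:"
printf '%s\n' "$SCAN_CSV" | make_rules CorpWifi 00:11:22:33:44:55
```

The neighbour on channel 11 never appears in the output because it is not beaconing our ESSID, which is the point of scoping the deny list this way; the post's literal approach of DeAuthing every BSSID but the REAL one would hit it too. Re-run the scan and regenerate the rules regularly, since a rogue can change BSSID at will, and remember the first caveat: a rogue cloning our own BSSID is invisible to this check.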

Update 04/10/2011: it seems this project, wifijammer, can do exactly what I outlined above. Via: Hackaday.


2011 …

So it's here, the big 2 0 1 1.

Is it everything you hoped? or is it everything you feared?

For one thing, this year IPv4 address allocation runs out (approximately 45 days from the date of this post), with only 7 /8s left at the time of writing …

For me I shall call it the year of certification; I've been reading for several for 6-7 years now, never getting around to taking the exams.

On the hitlist:

  1. ccna
  2. rhcsa
  3. rhce
  4. ceh

Whilst I will keep my CompTIA A+ Networks and Hardware books, I am not seeing any real benefit in them. A+ Hardware refers more to the inner workings of computing hardware in general (how hard drives, CPUs, memory, printers work, etc. …), and the same goes for Networks: both seem to cover the underlying theory in depth, and whilst I can see they help provide a better understanding for the beginner, if you have some university education I would skip them and go straight to CCNA and vendor-specific certification (RH* for me).

I'm also going to be writing a lot more documentation this year and authoring more tools, around:

  • RHCS (Red hat cluster services)
  • SNORT (IDS, though ossec is looking good to replace this)
  • MapReduce in Python (because I can rapidly develop in Python … looking at things like RSA decryption …)
  • CUDA … (I know I keep saying it, but looking at security for one parallel programming needs more investigation on my part).

So here’s wishing you all a happy and prosperous 2011.


The Idiocy of “Anonymous Proxies”

Or rather the idiocy of your generic “I've just been to PC World/ to get on the intarnets” user, who for the duration of this post we will refer to as Joe Idiot.

Joe, concerned with his online privacy, comes across an anonymous proxy service. Thinking nothing of it, Joe installs said proxy service and uses it for all his online activity, “sticking it to the man” as he would say, whether playing Farmville on Facebook or managing his bank account online. Joe feels overly confident in his ability to remain anonymous on the interwebs.

But this is where things go wrong: this is when Joe finds his bank account is empty, and perhaps even worse someone has logged into his Facebook account and trashed his Farmville. What could possibly have caused this? No internet-type hacker could have found Joe, surely, with his elite proxy skills keeping him anonymous on the internet? This, dear readers, is where Joe, and by extension the ill-informed general population of internet users, are wrong.

First some clarification as to what a proxy service is.

You ----> Your proxy service ---> The web page you want

In the simplest of terms, when using an anonymous proxy Joe is no longer connecting directly to the servers on which Joe's precious Facebook / whatever account resides; Joe is connecting to the proxy service's servers, which connect onward on his behalf, and by extension Joe is sending all his data through (and to) the proxy servers.

Slight pause while the market for anonymous proxies dips a few points …

Now by no means am I saying that all proxy service providers log the data you send through their servers; I am just pointing out to the Joes out there that they could, could do so without your consent, and you would never even know.

So please, just because someone posted on your Facebook wall to try this awesome proxy service, don't jump on the proverbial bandwagon. Spend some time checking things out, like:

  • Are they a reputable company?
  • What does a quick google of their company name turn up?

It astounds me how many people could save months or years of headache by spending five minutes actually researching what they are doing and knowing all the implications of it.

So for clarification: anonymous proxies are only anonymous to the end website, since the originating IP in its eyes is that of your proxy service. There is zero anonymity at the proxy side. Everything you send over plain HTTP can be read and captured there, and even over HTTPS the proxy still sees which sites you connect to; it can only read the contents of those sessions if it intercepts the TLS connection, which needs you to trust its certificate or click through the browser warning, and a proxy that asks you to install a certificate is asking for exactly that.


Matplotlib ImportError: No Module Named Ma

ImportError: No module named ma

The cause is that numpy moved its masked-array module from numpy.core.ma to numpy.ma, and this old matplotlib (0.91.1) still imports the old path. The fix is to edit the following files:

sudo vi /Library/Python/2.6/site-packages/matplotlib-0.91.1-py2.6-macosx-10.6-universal.egg/matplotlib/numerix/ma/__init__.py
sudo vi /Library/Python/2.6/site-packages/matplotlib-0.91.1-py2.6-macosx-10.6-universal.egg/matplotlib/numerix/npyma/__init__.py

On my install, on lines 16 and 7 respectively, replace

from numpy.core.ma import *

with

from numpy.ma import *

and done.