Mike´s Blog

MGMT - Kids

me@mike.com.mx (Miguel Hernandez y Lopez) — Sat, 12 Jun 2010 11:00:15 -0700

Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

me@mike.com.mx (Miguel Hernandez y Lopez) — Fri, 22 Jan 2010 08:06:03 -0800

Forensic Challenge 2010

Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack. Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

Flores sobre las piedras

me@mike.com.mx (Miguel Hernandez y Lopez) — Sun, 13 Dec 2009 16:23:58 -0800

- En tus pensamientos distingo un valle de lagrimas que desaparese pero existe
- Toca mi cara y escuchame sentado, escucha mi dolor.
- Dolor ?
- Prefiero sentirme a salvo escuhando el indicio de un sonido que me hace vivir
- Te refieres al terrible sonido tan vacio de la brisa o de los momentos en que las sombras despiertan ?
- Al silencio final, al silencio del dolor
- Si estas en un error estas cofundido

http://bit.ly/8bshsn

BTBAM - More of myself to kill...

me@mike.com.mx (Miguel Hernandez y Lopez) — Wed, 25 Nov 2009 12:10:50 -0800

You have all wept once more... why? I would never ask for such. Go. I have realized for once in my existence my true happiness. This is a first time for me... I feel innocent, caring, and non-threatening.

Reincarnation for a better life... becoming one with true harmony. No gods have caressed or burned me, only nature is willing to comfort me. Salvation is dead and all of you have passed away with me today. I will never have to entertain or please any of you ever again. I am alive.

My memory is the only thing keeping the old tears in my eyes.

I still know that all of you are taking for the sake of not leaving. You are killing the innocent for your so-called nutrition. You are infecting our lands with your filth. You are killing for the sake of your promotions in life.

One day we will all be in this soil... with no gods to slave to, and no heroes to kill for.

CSS a través de Atom y RSS en Opera & Chrome

me@mike.com.mx (Miguel Hernandez y Lopez) — Sat, 19 Sep 2009 15:20:59 -0700

Existe un error en el sistema de análisis de contenido de los navegadores Opera y Google Chrome. Un atacante remoto podría explotar esto para ejecutar código JavaScript arbitrario a través de un enlace que devuelva un "mime type" del tipo "text/xml", "text/atom-xml" o "text/rss-xml" con JavaScript incrustado. Estos navegadores lo procesarían sin motivo.

El sistema de análisis de contenido de un navegador web debería comprobar qué tipo de datos son los que va a mostrar y activar o desactivar ciertas funcionalidades dependiendo del tipo; por ejemplo, no tendría sentido que un navegador ejecutara código JavaScript si accede a un fichero cuyo "mime type" en el servidor es "image/jpeg", puesto que en teoría, no debería existir ningún tipo de código JavaScript en un fichero de ese formato.

Google ya ha solucionado esta vulnerabilidad y ha publicado un parche para su versión 3 que se puede aplicar desde el propio Chrome.

En este momento Opera no ha actualizado ni notificado oficialmente esta vulnerabilidad en su sitio oficial, pero al parecer su equipo de desarrollo y seguridad están trabajando para solucionar este problema.

Prueba de concepto: http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/

Advisory de Chrome: http://googlechromereleases.blogspot.com/2009/09/stable-channel-update.html

Sitio de Advisories de Opera: http://www.opera.com/support/kb/advisory/page1/

Fuente: Hispasec