Fun with USBPcap

For quite some time now I have been using Windows and Linux in parallel. First as a dual-boot system, but for a while now with Windows as the VirtualBox host and Linux as a guest. Using USB devices in Linux was never a real problem.

But then this suddenly changed and I was no longer able to use USB devices. When I tried to connect a USB device to the guest, the system responded with "device busy". After some troubleshooting I thought the problem was outdated guest tools. But updating the tools didn't fix the problem.

Ok, back to Google…

In a VirtualBox forum I found the solution. I had reinstalled Wireshark under Windows and this time I installed everything; that included USBPcap for sniffing USB traffic.

Unfortunately VirtualBox and USBPcap aren't best buddies. You can only have one of them.

After removing USBPcap and a reboot I could use my USB devices again, also under Linux.

So maybe it would be a good idea to write down when I install or change something on my laptop. It would have saved me quite some time…


Quick Tip: Error accessing the CUPS admin website

Someone gave me a used color ink printer as a gift. This printer doesn't have a network interface, so I had to look for a way to connect it to my home network. I didn't want to buy a small print server because they are not really cheap and it would be another power-consuming device. My home router has a USB interface and can be used as a print server; unfortunately the router is in the wrong room.

But there is a Raspberry Pi in the same room as the printer, and I already use it for some server tasks. So I installed CUPS on it and tried to access http://servername:632/admin (the admin website of CUPS). But the server answered with "Forbidden".

I searched through several log files but couldn't find any related error message. A quick look through the CUPS config file also didn't give any hint what was wrong. I suspected a problem with my NGINX web server (which I use instead of the resource-hungry Apache), but everything looked unsuspicious.

On the command line I looked for any tool whose name started with "cups", and there I found "cupsctl". When I ran it without any parameter the output was:

root@raspberrypi:/var/log/cups# cupsctl
_debug_logging=0
_remote_admin=0
_remote_any=0
_remote_printers=1
_share_printers=0
_user_cancel_any=0
BrowseLocalProtocols=CUPS dnssd
DefaultAuthType=Basic
JobPrivateAccess=default
JobPrivateValues=default
MaxLogSize=0
SubscriptionPrivateAccess=default
SubscriptionPrivateValues=default
WebInterface=Yes

"remote_admin" looked promising; but I had to find out when to use 0 or 1.

So I ran "cupsctl -?" and the (shortened) output was:

--[no-]debug-logging Turn debug logging on/off.
--[no-]remote-admin Turn remote administration on/off.
--[no-]remote-any Allow/prevent access from the Internet.
--[no-]remote-printers Show/hide remote printers.
--[no-]share-printers Turn printer sharing on/off.
--[no-]user-cancel-any Allow/prevent users to cancel any job.

I typed in "cupsctl --remote-admin" and then ran "cupsctl" again. Now the line read:

_remote_admin=1

Now I was able to access the admin web page.

PS: a Google search returned a discussion where the workaround was to run "system-config-printer" as root. To me, such advice looks like a dirty hack…

PS II: I still couldn't log in because my user wasn't in the correct group, and the root user isn't enabled on the Raspberry Pi by default. After I ran "usermod -aG lpadmin insertyouruserhere" I was able to log in.
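As an added example (not code from this post), a small Python check that reads cupsctl output in the format shown above plus an /etc/group excerpt and reports both blockers from this post: remote admin still off, and the user missing from the lpadmin group. The cupsctl output, the group lines and the user name "pi" are constructed assumptions.

```python
"""Diagnose the two blockers from the post: _remote_admin=0 in cupsctl's output
and a user missing from lpadmin.  Sample inputs below are constructed."""

from typing import Dict, List

# Constructed: cupsctl output as printed before `cupsctl --remote-admin`.
CUPSCTL_BEFORE = """\
_remote_admin=0
_remote_any=0
_remote_printers=1
_share_printers=0
WebInterface=Yes
"""

# Constructed /etc/group excerpt: user 'pi' is not yet in lpadmin.
ETC_GROUP = """\
lpadmin:x:113:
sudo:x:27:pi
"""

def parse_cupsctl(output: str) -> Dict[str, str]:
    """Map cupsctl's key=value lines to a dict; lines without '=' are skipped."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value
    return settings

def group_members(group_text: str, group: str) -> List[str]:
    """Return the members listed for `group` in /etc/group-style text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    return []

def diagnose_admin_access(cupsctl_output: str, group_text: str, user: str) -> List[str]:
    """List why the CUPS /admin page may refuse `user` coming from another host."""
    s = parse_cupsctl(cupsctl_output)
    problems = []
    if s.get("WebInterface", "No").lower() != "yes":
        problems.append("WebInterface is off: there is no /admin page at all")
    if s.get("_remote_admin") != "1":
        problems.append("remote admin off: /admin answers Forbidden to other hosts (fix: cupsctl --remote-admin)")
    if s.get("_remote_any") == "1":
        problems.append("remote_any=1: cupsd accepts connections from any address, not only the LAN")
    if user not in group_members(group_text, "lpadmin"):
        problems.append(f"{user} is not in lpadmin: login to /admin fails (fix: usermod -aG lpadmin {user})")
    return problems
```

On the real Pi, feed it the output of `cupsctl` and the contents of /etc/group instead of the constructed strings.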


It's fascinating what people connect to the Internet

My blog informed me that one particular IP address was banned for 24 hours after 16 unsuccessful login attempts. I checked this IP with WHOIS, and it seems that someone in the Netherlands was very interested in my login page. When I did a reverse lookup for this IP, the hostname contained the word "static". Because of that I assumed that this must be a server. So I decided to look at which services the server offered to the Internet community:

[Screenshot 02102014-login-attempts-A-2: list of services offered by the server]

We can see that the server offers some services that are not unusual for an older version of Windows. When I tried to connect via RDP I could see that the server really is a Windows 2003 box. The FTP service allows anonymous login, and IIS is not configured.

The really funny part shows up when you connect to the mail server. You can see that the hostname of the server is SRVPDC001, so it is not unlikely that this box is a Windows domain controller.

[Screenshot 02102014-login-attempts-B-2: mail server connection showing the hostname SRVPDC001]

I think I will tell the provider so that they can have a nice talk with their customer about IT security.

We have a lot of work to do if we want to make the Internet a safe place.
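As an added example (not the blog's login-protection plugin), here is the lockout rule described at the top of this post in Python: 16 failed logins from one address trigger a 24-hour ban. The one-hour counting window, the log line format and the addresses are assumptions.

```python
"""Lockout rule like the one that flagged the IP in this post: a source is banned
for 24 hours once it reaches 16 failed logins.  Window and log format are assumed."""

import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

FAIL_THRESHOLD = 16            # from the post: 16 unsuccessful attempts
BAN_FOR = timedelta(hours=24)  # from the post: banned for 24 hours
WINDOW = timedelta(hours=1)    # assumption: failures are counted within one hour

# Constructed line format: "<ISO timestamp> login failed for '<user>' from <ipv4>"
LINE_RE = re.compile(r"^(\S+) login failed for '([^']*)' from (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_failure(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, username, ip) for a failed-login line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def compute_bans(lines: List[str]) -> Dict[str, datetime]:
    """Replay log lines in order and return {ip: ban_expiry} for each banned source."""
    recent: Dict[str, List[datetime]] = {}
    bans: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                      # unrelated line, ignore
        ts, _user, ip = parsed
        if ip in bans and ts < bans[ip]:
            continue                      # attempts during an active ban are not re-counted
        hits = [t for t in recent.get(ip, []) if ts - t <= WINDOW] + [ts]
        recent[ip] = hits
        if len(hits) >= FAIL_THRESHOLD:
            bans[ip] = ts + BAN_FOR
            recent[ip] = []               # fresh count once the ban has expired
    return bans

def is_banned(bans: Dict[str, datetime], ip: str, at_iso: str) -> bool:
    """True if `ip` is still banned at the ISO-8601 time `at_iso`."""
    return ip in bans and datetime.fromisoformat(at_iso) < bans[ip]

def sample_log() -> List[str]:
    """Constructed: 16 failures in 7.5 minutes from one host, 3 from another."""
    base = datetime(2014, 10, 2, 3, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()} login failed for 'admin' from 203.0.113.7"
             for i in range(16)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} login failed for 'root' from 198.51.100.9"
              for i in range(3)]
    return lines
```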


BRUCON 2014 – A short review

Disclaimer: this is my first blog entry in English; so be warned;-)

Like in the two previous years, I visited the BRUCON conference this year in the nice city of Gent. Unfortunately, because of a lack of budget, I couldn't attend any training, so I can only write about the conference.

As usual I had to decide which workshops I wanted to attend, because several interesting workshops ran at the same time. You can watch the talks later, so I prefer to attend the workshops.

You could create your own schedule on a website. What I didn't know: with a click on a workshop you registered for it. Instead of "first come, first served", this year it was "first the registered attendees, then first come, first served". Because this was (at least for me) not clear, some people couldn't get into their preferred workshop; but at least I could attend every workshop I wanted to.

The conference started on the first day with a keynote by Jennifer Minella. She talked about how we can get more people interested in working in IT security (because we have a lot of work to do, but a shortage of people). She used quotations from the books of Dr. Seuss for her talk. Two points that I really liked are:

– Leadership is about creating leaders, not followers

– You can't get people interested in IT security if you always complain about how much your job sucks

Usually I don't like keynotes, but this was a good one.

The next talk was Investigating PowerShell Attacks by Matt Hastings and Ryan Kazanciyan. They showed how PowerShell introduces new attack vectors into a company and how PowerShell can be used for attacks. I will definitely go through the slides again and use the information in my consulting work.

Then followed Windows Crash Dump Exploration Vehicles by Aaron Lemasters. He explained what happens during a crash in Windows and how you can use it for forensic analysis (like reading the MBR on rootkit-infected computers). Not an easy talk, but I recommend it.

Next I could choose between three workshops; unfortunately I had chosen the "wrong" one. Daniela Zapata and Wim Remes wanted to give a workshop with the title The dirty secrets of client-side exploitation and protection. Unfortunately the labs were in the suitcase that didn't make its way to Gent (note to self: always have a backup). Wim presented for one hour some slides with general information on how to prepare an attack on clients, but most of the information wasn't new to me. But he asked some attendees to go out and ask people on the street for their mail addresses and telephone numbers, and they didn't return without some prey;-)

It was a pity that we couldn't use this information in the labs for the preparation of a (theoretical) attack.

Now I had to decide what to do with the extra free time. I went to the workshop given by Vivek Ramachandran with the title JavaScript for Pentesters with over 20 Challenges. This workshop was planned for four hours, but they suggested that Vivek do two 2-hour workshops so that more people could attend. For that reason he had to cram his examples into a much shorter time. But even I as a JavaScript newbie could follow most of his examples, and I was surprised what you can do with a few lines of code. This workshop really needed to be recorded! What a pity that workshops aren't recorded…

I will only say this about the party: nobody danced, but the music was so loud that talking to each other was nearly impossible. Can we return next year to the party location from two years ago?

On the next day we decided spontaneously on the workshop Splinter the Rat Attack: Create your own Botnet to exploit the network given by Solomon Sonya. Because of some changes in the schedule this workshop moved to the first slot, which was good for us;-) Solomon showed us how to build (with the help of his tool SPLINTER and some other tools) a botnet and use it to extract data from a company. We also discussed some countermeasures. This was a very interesting workshop, and with his tools someone can build a different scenario for a live hacking demo instead of the usual "here is the shell".

Then followed Willi Ballenthin with his workshop "EID 1102 The Audit Log was cleared" won't stop me: Advanced Windows Event Log Forensics. He talked about some of the internals of Windows Event Logs and the differences between the pre-Vista and "Vista and later" versions. He showed us some tools with which you can recreate information from the Event Log even when someone has deleted it. A very good workshop delivered by someone who knows what he is talking about.

The last workshop was Network Device Forensics by Didier Stevens. For the attendees Didier brought 20 Cisco devices with him (yes, we had to give them back after the workshop). Unfortunately I wasn't able to get my serial interface working, so I had to use the dumps he provided with his workshop material. Didier first explained some of the internals of Cisco IOS and then showed how to create a dump. He then used some of his tools to analyze these dumps. Good for me that I have an old ISDN Cisco router at home;-)

This workshop was also very interesting, and whoever works with Cisco devices should have a look at his tools.

With this workshop the conference ended for us and we headed back to the car for our drive home.

I learned a lot, met old friends and made some new ones. That is what makes BRUCON special for me;-)

I hope I will be back next year, and then also for some training.

What I couldn't see but wanted to:

– Michael Sikorski: Counterfeiting the pipes with Fakenet 2.0 (at least I have the slides)

– Hal Pomeranz: Linux Forensics Workshop (I saw too late that this workshop was also given on Thursday evening)

– Jake Valletta: Exploiting the bells and whistles: Uncovering OEM vulnerabilities in Android (as far as I know from one attendee, this workshop was good too; luckily I have all the material)


The idea behind this blog

I already have a blog, but the postings are in German. My idea is to have a blog where I can publish in (bad) English. This blog will focus on technical topics.

My areas of interest are Microsoft Exchange, Active Directory and IT Security.

Cebit 2014
