Security via obfuscation: MAC Address


Every network interface card has a unique 48-bit identifier known as a MAC address. This address is burned into the EEPROM on the card, and networking equipment often uses it to track users as they come and go, frequently associating the MAC address with a hotel, a credit card, credentials, and so on.

In fact, even most consumer gear will record the MAC addresses of all computers that have ever issued DHCP requests to it, and these logs usually cannot be purged. Combine this with the fact that most cable/DSL service providers also record your MAC address and bind it to your account, and the fact that some of them do not even seem to wait for a court order before turning your information over, and it becomes apparent that your MAC address essentially is your identity, but I of course disagree with this!

One particularly useful hack is to change your MAC address. This makes it a bit more difficult to track your device down, so changing your MAC address is highly desirable for a number of reasons.

If you are curious about finding the manufacturer and location of a given MAC address, be sure to check out MAC Address Lookup – MAC/OUI/IAB/IEEE Vendor Manufacturer Search. This site is useful both for learning about your MAC address and for generating random MAC addresses that you can use as you see fit.

Here are the commands to change your MAC for the three major platforms:

Linux operating system

In Linux, you just need to issue two commands (bring the interface down and set the new address), bring the interface back up, and then re-run the DHCP client or otherwise reconfigure the interface.

ifconfig eth0 down
ifconfig eth0 hw ether de:ad:be:ef:f0:0d
ifconfig eth0 up

You can also use the tool macchanger, which is available in most distribution repositories; search for it with your preferred package manager.

ifconfig eth0 down
macchanger -r eth0
ifconfig eth0 up

Windows operating system

Under Windows, things are a bit more complicated depending upon your approach. There are a number of ways to accomplish this task, so select the approach that works best for you. You can always edit the registry hive, and that is the approach I will discuss here. Go ahead and open regedit and find the following key:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Class > {4D36E972-E325-11CE-BFC1-08002BE10318}

You will need to create a new entry in this folder to store the new MAC address. To do this, right-click anywhere in the right-hand pane and select “New” > “String Value”. Rename this new entry to “NetworkAddress” and set its value to the desired MAC address. To edit the value, simply right-click the entry and select “Modify”. Remember to ensure that the value is exactly 12 hexadecimal digits long, the length of a MAC address, with no separators. For example, I am using F6F2356DCF82.

regedit dialog

At this point you're all set. Restart your network adapter and then view your MAC address with the ipconfig /all command at a command prompt. Of course, if you do not want to take the aforementioned steps, you may want to look into Technitium MAC Address Changer. This software is freeware and very user friendly; in fact, it is simply point and click.

Technitium MAC Address Changer

Mac operating system

In Mac OS, it is easy to change the MAC address of your interface. One of the following two commands should work:

sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
sudo ifconfig en0 lladdr 00:01:02:03:04:05

Of course, if you want a GUI, you can use AppleScript.

AppleScript GUI

Download the SpoofMyMAC AppleScript : MD5 (SpoofMyMAC.zip) = 6769a7da9fe5140256d9b7f320ddabcf
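The three platform sections above write the same 48-bit value in three notations (colon-separated, hyphen-separated, and the bare 12-digit registry form), and the vendor lookup site mentioned earlier keys on the first 24 bits, the OUI. The following is an added example, not code from the original post or from any of the tools it names: it normalises the three notations, splits out the OUI and the two flag bits of the first octet, and scans a few constructed dnsmasq-style DHCP lease lines for addresses whose locally-administered bit is set, which is the tell that an address was assigned by software rather than burned in by a vendor. The lease lines, the random generator and all function names are assumptions made for this example.

```python
import re
import secrets
from typing import Dict, List

# Constructed dnsmasq-style lease lines (expiry, MAC, IP, hostname, client-id);
# the addresses are the sample values used in the post, not captured data.
SAMPLE_LEASES = """\
1700000000 00:01:02:03:04:05 192.168.1.20 printer 01:00:01:02:03:04:05
1700000100 de:ad:be:ef:f0:0d 192.168.1.50 laptop *
1700000200 f6:f2:35:6d:cf:82 192.168.1.51 * *
"""


def canonical_mac(text: str) -> str:
    """Accept 'de:ad:be:ef:f0:0d', 'de-ad-be-ef-f0-0d' or the Windows
    registry form 'F6F2356DCF82' and return lower-case colon notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def describe_mac(text: str) -> Dict[str, object]:
    """Split a MAC into the fields a defender cares about: the 24-bit OUI
    (what a vendor lookup keys on) and the two flag bits of the first octet."""
    mac = canonical_mac(text)
    first_octet = int(mac[0:2], 16)
    return {
        "mac": mac,
        "oui": mac[0:8].upper().replace(":", "-"),        # e.g. "DE-AD-BE"
        "multicast": bool(first_octet & 0x01),            # I/G bit
        "locally_administered": bool(first_octet & 0x02), # U/L bit
    }


def random_local_mac() -> str:
    """Generate a random unicast, locally administered address: set the U/L
    bit and clear the I/G bit. Vendor-assigned OUIs never have the U/L bit
    set, so such an address cannot collide with a burned-in one and is
    recognisable as software-assigned."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def flag_locally_administered(leases: str) -> List[str]:
    """Return the MACs in a lease file whose U/L bit is set. A vendor lookup
    on these is meaningless, and in an inventory they deserve a second look."""
    flagged = []
    for line in leases.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        info = describe_mac(fields[1])
        if info["locally_administered"] and not info["multicast"]:
            flagged.append(info["mac"])
    return flagged


if __name__ == "__main__":
    for sample in ("de:ad:be:ef:f0:0d", "F6F2356DCF82", "00:01:02:03:04:05"):
        print(describe_mac(sample))
    print("locally administered leases:", flag_locally_administered(SAMPLE_LEASES))
    print("fresh random address:", random_local_mac())
```

Note that both sample addresses used in the post (de:ad:be:ef:f0:0d and F6F2356DCF82) already have the U/L bit set, so a lease log that records them is flagged, while the vendor-style 00:01:02:03:04:05 is not; that bit is exactly what a defender's DHCP log review can key on.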

Conclusion

Security via obfuscation can be useful, and it can also have adverse impacts. Before you travel down this road, it is important that you understand the pros and cons of spoofing a MAC address. As I have demonstrated, it is not difficult to spoof your MAC address, and depending upon your needs you too can begin to stand in the shadows.

Rip music from YouTube using youtube-dl, ffmpeg, and lame

In a previous post I wrote about how to Rip DEFCON videos from YouTube, and this got me thinking about music. Is it possible to take a video that contains a music track and extract the audio to MP3 format? Surprisingly enough, the answer is yes. Now, before you get too excited, you must understand that doing this clearly violates copyright laws, and for that reason I am writing about this purely from an educational point of view.

Everything I am covering here is done on OS X, and I used the Homebrew package manager to install the required tools. I also want to state that I ran into a handful of installation issues that were rooted in ownership of various files and folders. I am not going to go into detail about these issues; rather, I suggest you search Google as I did and you will very likely find a solution, as I did.

The tools you will need are:

  • youtube-dl: a small command-line program to download videos from YouTube.com and a few more sites
  • ffmpeg: the powerful utility to process and convert any kind of video or sound file
  • lame: the perfect choice for encoding sound data into MP3

Execution

Now go find the video that you want to rip. In this case I will use For Those About to Rock from AC/DC since my brother recently talked about this music track.

Jump out to your Terminal and execute the following, taking note of the directory you are currently in. In my case I am sitting in the Desktop directory.

youtube-dl 'https://www.youtube.com/watch?v=fKhTk0IynHM&feature=youtu.be'

At this point you will have an MP4 named ACDC- For Those About To Rock (with lyrics)-fKhTk0IynHM.mp4 sitting on your desktop. Now you could try to run ffmpeg on this MP4, but you are going to receive an error due to the spaces and parentheses in the filename. Simply rename the file, or write a regular expression to do this for you. For our purpose I simply renamed the file to ForThoseAboutToRock.mp4, and now we are ready to execute the following, which will convert the media from MP4 to a WAV file.

ffmpeg -i ForThoseAboutToRock.mp4 ForThoseAboutToRock.wav

Now comes the final step, where all the magic happens. Using lame we will convert the WAV file to MP3. Go ahead and execute the following:

lame ForThoseAboutToRock.wav ForThoseAboutToRock.mp3

Conclusion

There you have it! You now have an MP3 file of For Those About to Rock that you can place on your favorite listening device. Remember, never break the law and do not pirate software, audio, or video. I do all of this for educational purposes only.

Are you a Google Dork?

Are you a Google Dork? Do you know what it means to be a Google Dork? The fact is that Google is a wonderful search engine, and it can very easily point you in the direction of your interest. However, depending upon how the search engine is used, its darker side can lead you to information that you would never think would be indexed by Google. Before you begin thinking Google is evil, take note that the data is placed online by anyone with an Internet connection; Google is doing nothing evil, rather the search engine is acting in the manner in which it was designed.

For example, Telstra Communications out of Australia recently somehow posted Excel documents online, which were then indexed by Google and uncovered by someone performing a search on Telstra Communications. If you are interested, you can read the full story at The Sydney Morning Herald.

A word of warning to everyone who owns data that must not be public facing: always ensure you control that data with both physical and computer security measures. Often there will be policies and procedures in place within your organization that provide guidance, and if you are still not sure what to do, then ask!


Google Dork

How To

  • Search in URLs: inurl
  • Search in text: intext
  • Search specific site: site:www.somesite.com
  • Search forums: inforum

GoogleDorkism Music

Are you a Nina Simone fan? I love that album I Put A Spell On You, but be sure that you do not do anything that violates the law or copyrights. Jump over to Google and run the following search:

Nina Simone intitle:"index.of" "parent directory" "size" "last modified" "description" I Put A Spell On You (mp4|mp3|avi|flac|aac|ape|ogg) -inurl:(jsp|php|html|aspx|htm|cf|shtml|lyrics-realm|mp3-collection) -site:.info

Surprised? As you can see, a little knowledge is very powerful! Of course, the downside is that there are individuals who, for one reason or another, are posting data that should not be publicly available.

GoogleDorkism Books

Bill Gates intitle:"index.of" "parent directory" "size" "last modified" "description" Microsoft (pdf|txt|epub|doc|docx) -inurl:(jsp|php|html|aspx|htm|cf|shtml|ebooks|ebook) -site:.info

GoogleDorkism Web.Config

filetype:config inurl:web.config inurl:ftp

General Examples

  • "Index of /admin"
  • "Index of /password"
  • "Index of /mail"
  • "Index of /" +password.txt
  • "Index of /" +.htaccess
  • global.asax index
  • allintitle: "index of/admin"
  • allintitle: "index of/root"
  • inurl:iisadmin
  • allinurl:html_colors.html

Explanations

  • cache: If you include other words in the query, Google will highlight those words within the cached document. For instance, [cache:www.google.com web] will show the cached content with the word “web” highlighted. This functionality is also accessible by clicking on the “Cached” link on Google’s main results page. The query [cache:] will show the version of the web page that Google has in its cache. For instance, [cache:www.google.com] will show Google’s cache of the Google homepage. Note there can be no space between the “cache:” and the web page url.
  • link: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the “link:” and the web page url.
  • related: The query [related:] will list web pages that are “similar” to a specified web page. For instance, [related:www.google.com] will list web pages that are similar to the Google homepage. Note there can be no space between the “related:” and the web page url.
  • info: The query [info:] will present some information that Google has about that web page. For instance, [info:www.google.com] will show information about the Google homepage. Note there can be no space between the “info:” and the web page url.
  • define: The query [define:] will provide a definition of the words you enter after it, gathered from various online sources. The definition will be for the entire phrase entered (i.e., it will include all the words in the exact order you typed them).
  • stocks: If you begin a query with the [stocks:] operator, Google will treat the rest of the query terms as stock ticker symbols, and will link to a page showing stock information for those symbols. For instance, [stocks: intc yhoo] will show information about Intel and Yahoo. (Note you must type the ticker symbols, not the company name.)
  • site: If you include [site:] in your query, Google will restrict the results to those websites in the given domain. For instance, [help site:www.google.com] will find pages about help within www.google.com. [help site:com] will find pages about help within .com urls. Note there can be no space between the “site:” and the domain.
  • allintitle: If you start a query with [allintitle:], Google will restrict the results to those with all of the query words in the title. For instance, [allintitle: google search] will return only documents that have both “google” and “search” in the title.
  • intitle: If you include [intitle:] in your query, Google will restrict the results to documents containing that word in the title. For instance, [intitle:google search] will return documents that mention the word “google” in their title, and mention the word “search” anywhere in the document (title or no). Note there can be no space between the “intitle:” and the following word. Putting [intitle:] in front of every word in your query is equivalent to putting [allintitle:] at the front of your query: [intitle:google intitle:search] is the same as [allintitle: google search].
  • allinurl: If you start a query with [allinurl:], Google will restrict the results to those with all of the query words in the url. For instance, [allinurl: google search] will return only documents that have both “google” and “search” in the url. Note that [allinurl:] works on words, not url components. In particular, it ignores punctuation. Thus, [allinurl: foo/bar] will restrict the results to page with the words “foo” and “bar” in the url, but won’t require that they be separated by a slash within that url, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.
  • inurl: If you include [inurl:] in your query, Google will restrict the results to documents containing that word in the url. For instance, [inurl:google search] will return documents that mention the word “google” in their url, and mention the word “search” anywhere in the document (url or no). Note there can be no space between the “inurl:” and the following word. Putting “inurl:” in front of every word in your query is equivalent to putting “allinurl:” at the front of your query: [inurl:google inurl:search] is the same as [allinurl: google search].

Dangers

Why does any of this matter, and what is the power of a Google Dork? Take the following as an example; I have obfuscated the domain.

Google Dork

Following the link from the search result, I am presented with the following. Note that I have the database name, the username (which is SA, a problem in itself), passwords, and much more.

Google Dork

Of course, one can browse to the root folder of the FTP server, since anonymous authentication is enabled.

Google Dork
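The real problem in the example above is that the web.config was reachable at all (an anonymous FTP server exposing the web root, indexed by Google), and no content check fixes that. Still, what made the exposure so damaging were the settings inside the file: a connection string carrying a plaintext password and the SA login. The following is an added example, not code from the original post and not taken from any of the screenshots: it audits a constructed web.config for exactly those settings, plus detailed error pages switched on for remote clients, so a defender can run it over a web root before the file ever has a chance to leak. The sample file, its server names and the function names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config for illustration; it is not the file from the
# screenshots in the post.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Server=db01;Database=Orders;User Id=sa;Password=hunter2;"
         providerName="System.Data.SqlClient" />
    <add name="Reports"
         connectionString="Server=db02;Database=Reports;Integrated Security=True;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""


def parse_connection_string(value: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    pairs: Dict[str, str] = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_web_config(xml_text: str) -> List[str]:
    """Return human-readable findings for the settings that make an exposed
    web.config so damaging: embedded SQL passwords, use of the 'sa' login,
    and detailed error pages switched on for remote clients."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)

    for add in root.iter("add"):
        conn = add.get("connectionString")
        if conn is None:          # appSettings and other <add> elements
            continue
        name = add.get("name", "?")
        parts = parse_connection_string(conn)
        if "password" in parts or "pwd" in parts:
            findings.append(f"{name}: plaintext password in connection string")
        user = parts.get("user id") or parts.get("uid") or parts.get("user")
        if user and user.lower() == "sa":
            findings.append(f"{name}: connects as the SQL 'sa' login")

    for errors in root.iter("customErrors"):
        if errors.get("mode", "").lower() == "off":
            findings.append('customErrors mode="Off" sends detailed errors to remote clients')

    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

The "Reports" connection string, which uses Integrated Security, produces no finding; that is the shape a connection string should have so that a leaked configuration file does not also leak a database credential.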

Conclusion

The point here is not to give you the knowledge to carry out activities that are illegal or unethical. Rather, those who use Google Dorks appropriately can help find gaps in security, whether that involves electronic documents, books, music, movies, or more. Remember, before you post that electronic artifact, ask yourself one simple question: what if someone who does not have a need to know were to gain access? If you have any doubt, then stop!

What is your favorite Google Dork? Leave a comment!

Learning BackTrack 5: The Art Of Penetration Testing

BackTrack is an absolutely amazing Linux based penetration testing environment that is entirely dedicated to hacking. I must say that you should use common sense when you begin digging into the security tools provided because the last thing you want to do is break the law and find yourself in trouble.

Now, to say that there are many security tools available in BackTrack would be an understatement. In fact, there are so many available that I would not even begin to list them here. If you wish to see for yourself, simply execute the following within your terminal instance:

dpkg --list

To be honest I have just recently begun experimenting with BackTrack and I have a great deal of learning ahead of me. For that reason I felt compelled to share the following video tutorials, books, and how-to guides that I could locate. Should you have any tips or resources please leave a comment.

Video Tutorials

Guides

Microsoft Baseline Security Analyzer

If you're running a Windows platform then you must secure your operating system, and the Microsoft Baseline Security Analyzer (MBSA) makes it a breeze. Securing your operating system is absolutely the single most important step you can take to protect yourself. Computers have become so mainstream in homes today that daily activities previously done with pen and paper are all but extinct. There are a number of actions that should be taken, including staying up to date with patches and of course controlling user accounts, but this just begins to scratch the surface. Unless you're a security expert, you most likely do not understand what the next steps are. This is where the Microsoft Baseline Security Analyzer is beneficial.

Introduction to MBSA

Microsoft Baseline Security Analyzer is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. A number of options include:

  1. Administrative vulnerabilities
  2. Weak passwords
  3. IIS administrative vulnerabilities
  4. SQL administrative vulnerabilities
  5. File shares
  6. … and more

Best of all, Microsoft Baseline Security Analyzer is absolutely free from Microsoft!

Executing MBSA

Once you have downloaded and installed Microsoft Baseline Security Analyzer go ahead and run the application.

If you’re scanning a single computer then go ahead and click “scan a computer”. Once the next dialog has loaded, you will need to uncheck IIS and SQL administrative vulnerabilities unless of course you are running these two services.

The next step is to start the scan. Go ahead and click the “Start scan” button. The scan can take a few minutes, so be patient. Once the scan has completed, you are presented with a dialog that tells you exactly what was scanned, the score, the issue, and the result. Reporting includes:

  1. Microsoft Office Updates
  2. Critical Updates or Patches
  3. Weak Password Check
  4. Services
  5. Firewall
  6. File Sharing

The scan resulted in a number of critical failures. The failures must be corrected to properly secure your system, and while you are in the process, address each line item to further fortify your operating system. Take for example the critical failure of the local account password test. The result states that user accounts have simple or no passwords, which can allow others to quickly determine your password.

If you're not sure how to correct the problem, Microsoft has you covered here as well. Go ahead and click “How to correct this” and the issue is explained and a solution with instructions is provided. It cannot be any simpler, so you now have no reason not to properly secure your operating system.

Conclusion

Microsoft Baseline Security Analyzer does a great job of pointing out the holes in security and by following the best practices and guidelines provided you will quickly find yourself on a path of security prosperity. Just remember, security is a never ending process and with that being said you may want to re-run the scan on a monthly or even a quarterly basis.

Have you used Microsoft Baseline Security Analyzer previously? If so, what are your thoughts? Does this product provide a valuable tool set that helps in your security endeavors?

Credits

Featured image: Casey Serin